Re: FWSM

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Thu, 24 Nov 2011 12:19:36 +0000

Hi Aamir,

Your issue is basically routing.

On the FWSM, these are your available routes:

0.0.0.0/0 via inside, static default
10.10.3.0/24 via SRVR-mgmt, connected
10.10.2.0/24 via SRVR, connected
10.10.75.0/24 via inside, connected

At least from your information, on the Core switch, you have:
10.10.75.0/24 via vlan175, connected
10.10.1.0/24 via vlan100, connected

So, you are pinging
1. 4.2.2.2 on the SRVR interface. There are 2 issues here. The first is
that that exit interface is wrong. The FWSM does not have a route to
4.2.2.2 via the SRVR interface and it would therefore drop the packet. The
correct interface to go out would be the inside interface because it has the
default route. The second issue is actually a question: where exactly on the
network is the 4.2.2.2 device located? Does it have a route back to the core
switch or FWSM?

2. 10.10.1.1 via the SRVR interface. The same conditions as above apply
here as well. You need to put the right interface on the ping command and
also determine the reverse connectivity from the devices you are trying to
ping.

Why don't you just do a ping 4.2.2.2/10.10.1.1 without specifying the exit
interface?

HTH
Sadiq

On Thu, Nov 24, 2011 at 11:20 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:

> Dear Aamir
>
> The interface you show on the switch has IP 10.10.1.1, but the IP you are
> pinging is 10.10.10.1, is that intentional or by mistake?
>
> Also try to ping from any server in SRVR zone to the core switch IP and see
> if that works
>
> Regards
>
> Farrukh
>
> On Thu, Nov 24, 2011 at 12:06 PM, Aamir Aziz <aamiraz77_at_gmail.com> wrote:
>
> > But I should still be able to ping 10.10.1.1 from FWSM which is on core
> > switch?
> >
> > On Thu, Nov 24, 2011 at 12:01 PM, Segun Daini <segundaini_at_gmail.com>
> > wrote:
> > > Hi Aziz,
> > > The FWSM unlike the router will check the route to the IP you need to
> > > reach.
> > > In this case, 4.2.2.2's output interface is inside, this is why it will
> > > not work for the other interfaces.
> > > Regards.
> > >
> > > On Thu, Nov 24, 2011 at 8:50 AM, Aamir Aziz <aamiraz77_at_gmail.com> wrote:
> > >>
> > >> Dear *,
> > >>
> > >> I have a simple setup with a core switch and FWSM. From the FWSM I am
> > >> able to ping from the inside interface (interface between FWSM and
> > >> MSFC) of the FWSM to other vlan on the core switch and to the internet
> > >> however when I source the ping from another vlan of FWSM to internet
> > >> or other vlan of core switch, no reply. Here is my config on FWSM:
> > >>
> > >> FWSM-1# sh run
> > >> : Saved
> > >> :
> > >> FWSM Version 4.0(4)
> > >> !
> > >> hostname FWSM-1
> > >> enable password 8Ry2YjIyt7RRXU24 encrypted
> > >> names
> > >> dns-guard
> > >> !
> > >> interface Vlan102
> > >> description *** Servers ***
> > >> nameif SRVR
> > >> security-level 50
> > >> ip address 10.10.2.1 255.255.255.0
> > >> !
> > >> interface Vlan103
> > >> description *** Servers Mgmt ***
> > >> nameif SRVR-mgmt
> > >> security-level 50
> > >> ip address 10.10.3.1 255.255.255.0
> > >> !
> > >> interface Vlan174
> > >> description LAN/STATE Failover Interface
> > >> !
> > >> interface Vlan175
> > >> description *** Inside Interface to MSFC ***
> > >> nameif inside
> > >> security-level 100
> > >> ip address 10.10.75.2 255.255.255.0
> > >> !
> > >> passwd 2KFQnbNIdI.2KYOU encrypted
> > >> ftp mode passive
> > >> same-security-traffic permit inter-interface
> > >> access-list inside-in extended permit ip any any
> > >> access-list inside-in extended permit icmp any any
> > >> access-list SRVR-in extended permit ip any any
> > >> access-list SRVR-mgmt-in extended permit ip any any
> > >> access-list SRVR extended permit icmp any any
> > >> access-list SRVR-mgmt extended permit icmp any any
> > >> pager lines 24
> > >> mtu SRVR 1500
> > >> mtu SRVR-mgmt 1500
> > >> mtu inside 1500
> > >> failover
> > >> failover lan unit primary
> > >> failover lan interface FAIL Vlan174
> > >> failover key *****
> > >> failover replication http
> > >> failover link FAIL Vlan174
> > >> failover interface ip FAIL 192.168.74.1 255.255.255.252 standby 192.168.74.2
> > >> icmp permit any echo SRVR
> > >> icmp permit any SRVR
> > >> icmp permit any echo SRVR-mgmt
> > >> icmp permit any SRVR-mgmt
> > >> icmp permit any inside
> > >> no asdm history enable
> > >> arp timeout 14400
> > >> access-group SRVR-in in interface SRVR
> > >> access-group SRVR-mgmt-in in interface SRVR-mgmt
> > >> access-group inside-in in interface inside
> > >> route inside 0.0.0.0 0.0.0.0 10.10.75.1 1
> > >> timeout xlate 3:00:00
> > >> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> > >> timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
> > >> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> > >> timeout sip-invite 0:03:00 sip-disconnect 0:02:00
> > >> timeout uauth 0:05:00 absolute
> > >> http 10.10.0.0 255.255.0.0 SRVR
> > >> http 10.10.0.0 255.255.0.0 inside
> > >> no snmp-server location
> > >> no snmp-server contact
> > >> snmp-server enable traps snmp authentication linkup linkdown coldstart
> > >> service reset no-connection
> > >> telnet 10.10.0.0 255.255.0.0 SRVR
> > >> telnet 10.10.0.0 255.255.0.0 SRVR-mgmt
> > >> telnet 10.10.0.0 255.255.0.0 inside
> > >> telnet timeout 5
> > >> ssh timeout 5
> > >> console timeout 0
> > >> !
> > >> class-map inspection_default
> > >> match default-inspection-traffic
> > >> !
> > >> !
> > >> policy-map global_policy
> > >> class inspection_default
> > >> inspect dns maximum-length 512
> > >> inspect ftp
> > >> inspect h323 h225
> > >> inspect h323 ras
> > >> inspect netbios
> > >> inspect rsh
> > >> inspect skinny
> > >> inspect smtp
> > >> inspect sqlnet
> > >> inspect sunrpc
> > >> inspect tftp
> > >> inspect sip
> > >> inspect xdmcp
> > >> !
> > >> service-policy global_policy global
> > >> prompt hostname context
> > >> Cryptochecksum:0cc9eda46d5882ff1d4d2d7046e76c30
> > >> : end
> > >> FWSM-1#
> > >>
> > >> FWSM-1# ping inside 4.2.2.2
> > >> Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
> > >> !!!!!
> > >> Success rate is 100 percent (5/5), round-trip min/avg/max = 130/140/150 ms
> > >> FWSM-1# ping in
> > >> FWSM-1# ping inside 10.10.10.1
> > >> Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
> > >> !!!!!
> > >> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
> > >> FWSM-1# ping in
> > >> FWSM-1# ping SRV 4.2.2.2
> > >>
> > >> FWSM-1# ping SRVR 4.2.2.2
> > >> Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
> > >> ?????
> > >> Success rate is 0 percent (0/5)
> > >> FWSM-1# ping SRVR 10.10.10.1
> > >> Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
> > >> ?????
> > >>
> > >>
> > >> Core Switch:
> > >>
> > >> interface Vlan175
> > >> description *** Connected to FWSM ***
> > >> ip address 10.10.75.1 255.255.255.0
> > >> end
> > >>
> > >> interface Vlan100
> > >> description *** NQA-mgmt ***
> > >> ip address 10.10.1.1 255.255.255.0
> > >> end
> > >>
> > >> ip route 10.10.2.0 255.255.255.0 Vlan175
> > >> ip route 10.10.3.0 255.255.255.0 Vlan175
> > >>
> > >>
> > >> Any help is appreciated as this is the first time I am configuring FWSM.
> > >>
> > >> Thanks,
> > >> Aamir
> > >>
> > >>
> > >> Blogs and organic groups at http://www.ccie.net
> > >>
> > >>
> > >> _______________________________________________________________________
> > >> Subscription information may be found at:
> > >> http://www.groupstudy.com/list/CCIELab.html

-- 
CCIEx2 (R&S|Sec) #19963
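The behaviour Sadiq and Segun describe above (the FWSM looks up the destination in its route table, and a ping whose named interface disagrees with that lookup is dropped rather than pushed out the named interface) can be checked against the quoted config with a small model. The script below is an added example written for this archive page; it is not code from the thread or from Cisco. It reconstructs the FWSM route table from the quoted `show run` (connected interfaces plus the static default), performs a longest-prefix match, and reports the verdict for each of the pings in the original post. It models only the forward route lookup: ACLs, `icmp permit` rules, NAT and the reverse path from the far end (Sadiq's second point) are outside the model and are assumptions the reader must verify on the real devices.

```python
import ipaddress

# Route table reconstructed from the FWSM config quoted in the thread (constructed
# data for this example): three connected interfaces plus the static default route.
# Each entry is (prefix, egress interface, next hop or None for a connected route).
FWSM_ROUTES = [
    ("0.0.0.0/0",     "inside",    "10.10.75.1"),  # route inside 0.0.0.0 0.0.0.0 10.10.75.1 1
    ("10.10.75.0/24", "inside",    None),          # connected, Vlan175
    ("10.10.2.0/24",  "SRVR",      None),          # connected, Vlan102
    ("10.10.3.0/24",  "SRVR-mgmt", None),          # connected, Vlan103
]


def lookup(routes, dest):
    """Longest-prefix match over the route table.

    Returns (network, iface, next_hop) for the most specific matching route,
    or None when nothing matches (no default route present)."""
    dest_ip = ipaddress.ip_address(dest)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dest_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return best


def ping_decision(routes, dest, exit_iface=None):
    """Model of 'ping [iface] dest' on the FWSM as described in the thread.

    The route lookup decides the egress interface. If the operator names an
    interface that differs from the lookup result, the packet is dropped instead
    of being forced out the named interface. An interface name that does not
    exist in the table (for example the mistyped 'SRV' in the original post) is
    also treated as a drop. Returns (verdict, detail) with verdict "forward" or "drop".
    """
    known_ifaces = {iface for _prefix, iface, _nh in routes}
    if exit_iface is not None and exit_iface not in known_ifaces:
        return ("drop", "unknown interface %s" % exit_iface)
    match = lookup(routes, dest)
    if match is None:
        return ("drop", "no route to %s" % dest)
    net, iface, _next_hop = match
    if exit_iface is not None and exit_iface != iface:
        return ("drop", "route to %s is %s via %s, not %s" % (dest, net, iface, exit_iface))
    return ("forward", iface)


def audit(routes, attempts):
    """Evaluate a list of (dest, exit_iface) ping attempts.

    Returns one (dest, exit_iface, verdict, detail) tuple per attempt so the
    result can be inspected or asserted on rather than only printed."""
    return [(dest, exit_iface) + ping_decision(routes, dest, exit_iface)
            for dest, exit_iface in attempts]


if __name__ == "__main__":
    # The pings from the original post, plus the un-sourced variants Sadiq suggests.
    attempts = [
        ("4.2.2.2", "inside"), ("10.10.10.1", "inside"),
        ("4.2.2.2", "SRVR"), ("10.10.10.1", "SRVR"),
        ("4.2.2.2", None), ("10.10.1.1", None),
    ]
    for dest, iface, verdict, detail in audit(FWSM_ROUTES, attempts):
        print("ping %-10s %-12s -> %-7s %s" % (iface or "(no iface)", dest, verdict, detail))
```

Running the script shows the same pattern as the original post: the two `inside`-sourced pings forward, both `SRVR`-sourced pings to off-net destinations drop because the only route covering them is the default via `inside`, and the un-sourced pings forward via `inside`. A destination inside 10.10.2.0/24 with `SRVR` named is the one case where naming that interface agrees with the lookup. Whether the reply actually comes back is a separate question that only the far-end routing (the core switch for 10.10.x.x, the upstream path for 4.2.2.2) can answer.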
Received on Thu Nov 24 2011 - 12:19:36 ART

This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART