Where is your NAT config applied?
- Jeferson
On 25/11/2011, at 08:49, Aamir Aziz <aamiraz77_at_gmail.com> wrote:
> Basically 4.2.2.2 is the internet address which I use to verify if traffic
> is able to go to the internet. The reason why I am sourcing from the SRVR
> interface (10.10.2.0) is because I have servers in that vlan and they are
> unable to access the internet. In fact they are not able to ping any vlan
> (10.10.1.1) on the core switch. As for routing, the FWSM has a default route
> to the core switch and the core switch has a route back to the SRVR vlan
> (10.10.2.0).
>
> ip route 10.10.2.0 255.255.255.0 Vlan 175
>
> So I can't figure out what's the issue. Can anyone check the config of the FWSM
> and verify if it's ok?
>
> thanks,
> Aamir
>
>
> On Nov 24, 2011, at 4:19 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
> Hi Aamir,
>
> Your issue is basically routing.
>
> On the FWSM, these are your available routes:
>
> 0.0.0.0/0 via inside, static default
> 10.10.3.0/24 via SRVR-mgmt, connected
> 10.10.2.0/24 via SRVR, connected
> 10.10.75.0/24 via inside, connected
>
> At least from your information, on the Core switch, you have:
> 10.10.75.0/24 via vlan175, connected
> 10.10.1.0/24 via vlan100, connected
>
> So, you are pinging:
> 1. 4.2.2.2 on the SRVR interface. There are 2 issues here. The first is
> that the exit interface is wrong. The FWSM does not have a route to
> 4.2.2.2 via the SRVR interface and it would therefore drop the packet. The
> correct interface to go out would be the inside interface because it has the
> default route. The second issue is actually a question: where exactly on the
> network is the 4.2.2.2 device located? Does it have a route back to the core
> switch or FWSM?
>
> 2. 10.10.1.1 via the SRVR interface. The same conditions as above apply
> here as well. You need to put the right interface on the ping command and
> also determine the reverse connectivity from the devices you are trying to
> ping.
>
> Why don't you just do a ping 4.2.2.2/10.10.1.1 without specifying the exit
> interface?
>
> HTH
> Sadiq
>
> On Thu, Nov 24, 2011 at 11:20 AM, Farrukh Haroon <farrukhharoon_at_gmail.com>wrote:
>
>> Dear Aamir
>>
>> The interface you show on the switch has IP 10.10.1.1, but the IP you are
>> pinging is 10.10.10.1, is that intentional or by mistake?
>>
>> Also try to ping from any server in SRVR zone to the core switch IP and see
>> if that works
>>
>> Regards
>>
>> Farrukh
>>
>> On Thu, Nov 24, 2011 at 12:06 PM, Aamir Aziz <aamiraz77_at_gmail.com> wrote:
>>
>>> But I should still be able to ping 10.10.1.1 from the FWSM which is on the core
>>> switch?
>>>
>>> On Thu, Nov 24, 2011 at 12:01 PM, Segun Daini <segundaini_at_gmail.com>
>>> wrote:
>>>> Hi Aziz,
>>>> The FWSM, unlike the router, will check the route to the IP you need to
>>>> reach.
>>>> In this case, 4.2.2.2's output interface is inside, this is why it will
>>>> not work for the other interfaces.
>>>> Regards.
>>>>
>>>> On Thu, Nov 24, 2011 at 8:50 AM, Aamir Aziz <aamiraz77_at_gmail.com>
>>>> wrote:
>>>>>
>>>>> Dear *,
>>>>>
>>>>> I have a simple setup with a core switch and FWSM. From the FWSM I am
>>>>> able to ping from the inside interface (interface between FWSM and
>>>>> MSFC) of the FWSM to other vlans on the core switch and to the internet,
>>>>> however when I source the ping from another vlan of the FWSM to the internet
>>>>> or another vlan of the core switch, no reply. Here is my config on the FWSM:
>>>>>
>>>>> FWSM-1# sh run
>>>>> : Saved
>>>>> :
>>>>> FWSM Version 4.0(4)
>>>>> !
>>>>> hostname FWSM-1
>>>>> enable password 8Ry2YjIyt7RRXU24 encrypted
>>>>> names
>>>>> dns-guard
>>>>> !
>>>>> interface Vlan102
>>>>> description *** Servers ***
>>>>> nameif SRVR
>>>>> security-level 50
>>>>> ip address 10.10.2.1 255.255.255.0
>>>>> !
>>>>> interface Vlan103
>>>>> description *** Servers Mgmt ***
>>>>> nameif SRVR-mgmt
>>>>> security-level 50
>>>>> ip address 10.10.3.1 255.255.255.0
>>>>> !
>>>>> interface Vlan174
>>>>> description LAN/STATE Failover Interface
>>>>> !
>>>>> interface Vlan175
>>>>> description *** Inside Interface to MSFC ***
>>>>> nameif inside
>>>>> security-level 100
>>>>> ip address 10.10.75.2 255.255.255.0
>>>>> !
>>>>> passwd 2KFQnbNIdI.2KYOU encrypted
>>>>> ftp mode passive
>>>>> same-security-traffic permit inter-interface
>>>>> access-list inside-in extended permit ip any any
>>>>> access-list inside-in extended permit icmp any any
>>>>> access-list SRVR-in extended permit ip any any
>>>>> access-list SRVR-mgmt-in extended permit ip any any
>>>>> access-list SRVR extended permit icmp any any
>>>>> access-list SRVR-mgmt extended permit icmp any any
>>>>> pager lines 24
>>>>> mtu SRVR 1500
>>>>> mtu SRVR-mgmt 1500
>>>>> mtu inside 1500
>>>>> failover
>>>>> failover lan unit primary
>>>>> failover lan interface FAIL Vlan174
>>>>> failover key *****
>>>>> failover replication http
>>>>> failover link FAIL Vlan174
>>>>> failover interface ip FAIL 192.168.74.1 255.255.255.252 standby
>>>>> 192.168.74.2
>>>>> icmp permit any echo SRVR
>>>>> icmp permit any SRVR
>>>>> icmp permit any echo SRVR-mgmt
>>>>> icmp permit any SRVR-mgmt
>>>>> icmp permit any inside
>>>>> no asdm history enable
>>>>> arp timeout 14400
>>>>> access-group SRVR-in in interface SRVR
>>>>> access-group SRVR-mgmt-in in interface SRVR-mgmt
>>>>> access-group inside-in in interface inside
>>>>> route inside 0.0.0.0 0.0.0.0 10.10.75.1 1
>>>>> timeout xlate 3:00:00
>>>>> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>>>>> timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
>>>>> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
>>>>> timeout sip-invite 0:03:00 sip-disconnect 0:02:00
>>>>> timeout uauth 0:05:00 absolute
>>>>> http 10.10.0.0 255.255.0.0 SRVR
>>>>> http 10.10.0.0 255.255.0.0 inside
>>>>> no snmp-server location
>>>>> no snmp-server contact
>>>>> snmp-server enable traps snmp authentication linkup linkdown coldstart
>>>>> service reset no-connection
>>>>> telnet 10.10.0.0 255.255.0.0 SRVR
>>>>> telnet 10.10.0.0 255.255.0.0 SRVR-mgmt
>>>>> telnet 10.10.0.0 255.255.0.0 inside
>>>>> telnet timeout 5
>>>>> ssh timeout 5
>>>>> console timeout 0
>>>>> !
>>>>> class-map inspection_default
>>>>> match default-inspection-traffic
>>>>> !
>>>>> !
>>>>> policy-map global_policy
>>>>> class inspection_default
>>>>> inspect dns maximum-length 512
>>>>> inspect ftp
>>>>> inspect h323 h225
>>>>> inspect h323 ras
>>>>> inspect netbios
>>>>> inspect rsh
>>>>> inspect skinny
>>>>> inspect smtp
>>>>> inspect sqlnet
>>>>> inspect sunrpc
>>>>> inspect tftp
>>>>> inspect sip
>>>>> inspect xdmcp
>>>>> !
>>>>> service-policy global_policy global
>>>>> prompt hostname context
>>>>> Cryptochecksum:0cc9eda46d5882ff1d4d2d7046e76c30
>>>>> : end
>>>>> FWSM-1#
>>>>>
>>>>> FWSM-1# ping inside 4.2.2.2
>>>>> Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
>>>>> !!!!!
>>>>> Success rate is 100 percent (5/5), round-trip min/avg/max = 130/140/150 ms
>>>>> FWSM-1# ping in
>>>>> FWSM-1# ping inside 10.10.10.1
>>>>> Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
>>>>> !!!!!
>>>>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
>>>>> FWSM-1# ping in
>>>>> FWSM-1# ping SRV 4.2.2.2
>>>>>
>>>>> FWSM-1# ping SRVR 4.2.2.2
>>>>> Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
>>>>> ?????
>>>>> Success rate is 0 percent (0/5)
>>>>> FWSM-1# ping SRVR 10.10.10.1
>>>>> Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
>>>>> ?????
>>>>>
>>>>>
>>>>> Core Switch:
>>>>>
>>>>> interface Vlan175
>>>>> description *** Connected to FWSM ***
>>>>> ip address 10.10.75.1 255.255.255.0
>>>>> end
>>>>>
>>>>> interface Vlan100
>>>>> description *** NQA-mgmt ***
>>>>> ip address 10.10.1.1 255.255.255.0
>>>>> end
>>>>>
>>>>> ip route 10.10.2.0 255.255.255.0 Vlan175
>>>>> ip route 10.10.3.0 255.255.255.0 Vlan175
>>>>>
>>>>>
>>>>> Any help is appreciated as this is the first time I am configuring FWSM.
>>>>>
>>>>> Thanks,
>>>>> Aamir
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>>
>>
>>
>
>
> --
> CCIEx2 (R&S|Sec) #19963
>
>
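Sadiq's explanation above, that the FWSM looks up the route to the target and drops a sourced ping whose exit interface does not match, as an added Python model. This is not code from the thread or from Cisco; the routing table is reconstructed from the quoted FWSM config, and treating the check as "route lookup must select the source interface" is an assumption drawn from the thread's explanation, not FWSM's actual implementation.

```python
import ipaddress

# Routing table reconstructed from the FWSM config quoted in the thread:
# the three connected interfaces plus the static default route.
FWSM_ROUTES = [
    ("0.0.0.0/0",     "inside"),     # route inside 0.0.0.0 0.0.0.0 10.10.75.1 1
    ("10.10.2.0/24",  "SRVR"),       # ip address 10.10.2.1 255.255.255.0
    ("10.10.3.0/24",  "SRVR-mgmt"),  # ip address 10.10.3.1 255.255.255.0
    ("10.10.75.0/24", "inside"),     # ip address 10.10.75.2 255.255.255.0
]


def lookup_egress(dst, routes=FWSM_ROUTES):
    """Longest-prefix match: return the egress nameif for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nameif in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nameif)
    return best[1] if best else None


def check_ping(src_if, dst, routes=FWSM_ROUTES):
    """Assumed model of the behaviour described in the thread: a ping sourced
    from src_if only leaves the box if the route lookup for dst selects
    that same interface. Returns (ok, reason)."""
    egress = lookup_egress(dst, routes)
    ok = egress == src_if
    reason = ("ok" if ok else
              f"route to {dst} is via {egress}, not {src_if}; packet dropped")
    return ok, reason


if __name__ == "__main__":
    # The four cases from the thread: inside works, SRVR-sourced pings to
    # 4.2.2.2 and to the core switch vlan do not, only the SRVR subnet itself does.
    for src_if, dst in [("inside", "4.2.2.2"), ("SRVR", "4.2.2.2"),
                        ("SRVR", "10.10.1.1"), ("SRVR", "10.10.2.50")]:
        ok, reason = check_ping(src_if, dst)
        print(f"ping {src_if} {dst}: {'!!!!!' if ok else '?????'}  ({reason})")
```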
Blogs and organic groups at http://www.ccie.net
Received on Fri Nov 25 2011 - 09:01:23 ART