Re: FWSM

From: Aamir Aziz <aamiraz77_at_gmail.com>
Date: Fri, 25 Nov 2011 19:22:23 +0400

So when I do ping SRVR 4.2.2.2 on the FWSM it is actually trying to send the
traffic out of the SRVR and not source the traffic from SRVR interface?

Thx
Aamir

Sent from my iPhone

On Nov 25, 2011, at 4:19 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:

> Aamir,
>
> Your issue is routing! Your FWSM will not send out traffic for that IP
> (4.2.2.2) out of the SRVR interface - simple! Regardless of what you have on
> the VLAN and what function they serve.
>
> Why? Because when the FWSM makes a routing decision the exit interface that
> matches that destination (4.2.2.2) is the Inside interface, due to the default
> route configured.
>
> Check your logic there.
>
> Sadiq
>
> On Fri, Nov 25, 2011 at 10:49 AM, Aamir Aziz <aamiraz77_at_gmail.com> wrote:
> Basically 4.2.2.2 is the internet address which I use to verify if traffic is
> able to go to the internet. The reason why I am sourcing from SRVR interface
> (10.10.2.0) is because I have servers in that vlan and they are unable to
> access the internet. In fact they are not able to ping any vlan (10.10.1.1) on
> the core switch. As for routing the FWSM has a default route to the core switch
> and the core switch has a route back to the SRVR Vlan (10.10.2.0).
>
> ip route 10.10.2.0 255.255.255.0 Vlan 175
>
> So I can't figure out what's the issue. Can anyone check the config of FWSM
> and verify if it's ok?
>
> thanks,
> Aamir
>
>
>
> On Nov 24, 2011, at 4:19 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
>> Hi Aamir,
>>
>> Your issue is basically routing.
>>
>> On the FWSM, these are your available routes:
>>
>> 0.0.0.0/0 via inside, static default
>> 10.10.3.0/24 via SRVR-mgmt, connected
>> 10.10.2.0/24 via SRVR, connected
>> 10.10.75.0/24 via inside, connected
>>
>> At least from your information, on the Core switch, you have:
>> 10.10.75.0/24 via vlan175, connected
>> 10.10.1.0/24 via vlan100, connected
>>
>> So, you are pinging
>> 1. 4.2.2.2 on the SRVR interface. There are 2 issues here. The first is
>> that the exit interface is wrong. The FWSM does not have a route to 4.2.2.2
>> via the SRVR interface and it would therefore drop the packet. The correct
>> interface to go out would be the inside interface because it has the default
>> route. The second issue is actually a question: where exactly on the network
>> is the 4.2.2.2 device located? Does it have a route back to the core switch or
>> FWSM?
>>
>> 2. 10.10.1.1 via the SRVR interface. The same conditions as above apply
>> here as well. You need to put the right interface on the ping command and also
>> determine the reverse connectivity from the devices you are trying to ping.
>>
>> Why don't you just do a ping 4.2.2.2/10.10.1.1 without specifying the exit
>> interface?
>>
>> HTH
>> Sadiq
>>
>> On Thu, Nov 24, 2011 at 11:20 AM, Farrukh Haroon <farrukhharoon_at_gmail.com>
>> wrote:
>> Dear Aamir
>>
>> The interface you show on the switch has IP 10.10.1.1, but the IP you are
>> pinging is 10.10.10.1, is that intentional or by mistake?
>>
>> Also try to ping from any server in SRVR zone to the core switch IP and
>> see if that works
>>
>> Regards
>>
>> Farrukh
>>
>> On Thu, Nov 24, 2011 at 12:06 PM, Aamir Aziz <aamiraz77_at_gmail.com> wrote:
>>
>> > But I should still be able to ping 10.10.1.1 from FWSM which is on core
>> > switch?
>> >
>> > On Thu, Nov 24, 2011 at 12:01 PM, Segun Daini <segundaini_at_gmail.com>
>> > wrote:
>> > > Hi Aziz,
>> > > The FWSM, unlike the router, will check the route to the IP you need to
>> > > reach.
>> > > In this case, 4.2.2.2's output interface is inside, this is why it will
>> > > not work for the other interfaces.
>> > > Regards.
>> > >
>> > > On Thu, Nov 24, 2011 at 8:50 AM, Aamir Aziz <aamiraz77_at_gmail.com>
wrote:
>> > >>
>> > >> Dear *,
>> > >>
>> > >> I have a simple setup with a core switch and FWSM. From the FWSM I am
>> > >> able to ping from the inside interface (interface between FWSM and
>> > >> MSFC) of the FWSM to other vlan on the core switch and to the
>> > >> internet, however when I source the ping from another vlan of FWSM to
>> > >> internet or other vlan of core switch, no reply. Here is my config on FWSM:
>> > >>
>> > >> FWSM-1# sh run
>> > >> : Saved
>> > >> :
>> > >> FWSM Version 4.0(4)
>> > >> !
>> > >> hostname FWSM-1
>> > >> enable password 8Ry2YjIyt7RRXU24 encrypted
>> > >> names
>> > >> dns-guard
>> > >> !
>> > >> interface Vlan102
>> > >> description *** Servers ***
>> > >> nameif SRVR
>> > >> security-level 50
>> > >> ip address 10.10.2.1 255.255.255.0
>> > >> !
>> > >> interface Vlan103
>> > >> description *** Servers Mgmt ***
>> > >> nameif SRVR-mgmt
>> > >> security-level 50
>> > >> ip address 10.10.3.1 255.255.255.0
>> > >> !
>> > >> interface Vlan174
>> > >> description LAN/STATE Failover Interface
>> > >> !
>> > >> interface Vlan175
>> > >> description *** Inside Interface to MSFC ***
>> > >> nameif inside
>> > >> security-level 100
>> > >> ip address 10.10.75.2 255.255.255.0
>> > >> !
>> > >> passwd 2KFQnbNIdI.2KYOU encrypted
>> > >> ftp mode passive
>> > >> same-security-traffic permit inter-interface
>> > >> access-list inside-in extended permit ip any any
>> > >> access-list inside-in extended permit icmp any any
>> > >> access-list SRVR-in extended permit ip any any
>> > >> access-list SRVR-mgmt-in extended permit ip any any
>> > >> access-list SRVR extended permit icmp any any
>> > >> access-list SRVR-mgmt extended permit icmp any any
>> > >> pager lines 24
>> > >> mtu SRVR 1500
>> > >> mtu SRVR-mgmt 1500
>> > >> mtu inside 1500
>> > >> failover
>> > >> failover lan unit primary
>> > >> failover lan interface FAIL Vlan174
>> > >> failover key *****
>> > >> failover replication http
>> > >> failover link FAIL Vlan174
>> > >> failover interface ip FAIL 192.168.74.1 255.255.255.252 standby
>> > >> 192.168.74.2
>> > >> icmp permit any echo SRVR
>> > >> icmp permit any SRVR
>> > >> icmp permit any echo SRVR-mgmt
>> > >> icmp permit any SRVR-mgmt
>> > >> icmp permit any inside
>> > >> no asdm history enable
>> > >> arp timeout 14400
>> > >> access-group SRVR-in in interface SRVR
>> > >> access-group SRVR-mgmt-in in interface SRVR-mgmt
>> > >> access-group inside-in in interface inside
>> > >> route inside 0.0.0.0 0.0.0.0 10.10.75.1 1
>> > >> timeout xlate 3:00:00
>> > >> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>> > >> timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
>> > >> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
>> > >> timeout sip-invite 0:03:00 sip-disconnect 0:02:00
>> > >> timeout uauth 0:05:00 absolute
>> > >> http 10.10.0.0 255.255.0.0 SRVR
>> > >> http 10.10.0.0 255.255.0.0 inside
>> > >> no snmp-server location
>> > >> no snmp-server contact
>> > >> snmp-server enable traps snmp authentication linkup linkdown coldstart
>> > >> service reset no-connection
>> > >> telnet 10.10.0.0 255.255.0.0 SRVR
>> > >> telnet 10.10.0.0 255.255.0.0 SRVR-mgmt
>> > >> telnet 10.10.0.0 255.255.0.0 inside
>> > >> telnet timeout 5
>> > >> ssh timeout 5
>> > >> console timeout 0
>> > >> !
>> > >> class-map inspection_default
>> > >> match default-inspection-traffic
>> > >> !
>> > >> !
>> > >> policy-map global_policy
>> > >> class inspection_default
>> > >> inspect dns maximum-length 512
>> > >> inspect ftp
>> > >> inspect h323 h225
>> > >> inspect h323 ras
>> > >> inspect netbios
>> > >> inspect rsh
>> > >> inspect skinny
>> > >> inspect smtp
>> > >> inspect sqlnet
>> > >> inspect sunrpc
>> > >> inspect tftp
>> > >> inspect sip
>> > >> inspect xdmcp
>> > >> !
>> > >> service-policy global_policy global
>> > >> prompt hostname context
>> > >> Cryptochecksum:0cc9eda46d5882ff1d4d2d7046e76c30
>> > >> : end
>> > >> FWSM-1#
>> > >>
>> > >> FWSM-1# ping inside 4.2.2.2
>> > >> Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
>> > >> !!!!!
>> > >> Success rate is 100 percent (5/5), round-trip min/avg/max = 130/140/150 ms
>> > >> FWSM-1# ping in
>> > >> FWSM-1# ping inside 10.10.10.1
>> > >> Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
>> > >> !!!!!
>> > >> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
>> > >> FWSM-1# ping in
>> > >> FWSM-1# ping SRV 4.2.2.2
>> > >>
>> > >> FWSM-1# ping SRVR 4.2.2.2
>> > >> Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
>> > >> ?????
>> > >> Success rate is 0 percent (0/5)
>> > >> FWSM-1# ping SRVR 10.10.10.1
>> > >> Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
>> > >> ?????
>> > >>
>> > >>
>> > >> Core Switch:
>> > >>
>> > >> interface Vlan175
>> > >> description *** Connected to FWSM ***
>> > >> ip address 10.10.75.1 255.255.255.0
>> > >> end
>> > >>
>> > >> interface Vlan100
>> > >> description *** NQA-mgmt ***
>> > >> ip address 10.10.1.1 255.255.255.0
>> > >> end
>> > >>
>> > >> ip route 10.10.2.0 255.255.255.0 Vlan175
>> > >> ip route 10.10.3.0 255.255.255.0 Vlan175
>> > >>
>> > >>
>> > >> Any help is appreciated as this is the first time I am configuring
>> > >> FWSM.
>> > >>
>> > >> Thanks,
>> > >> Aamir
>> > >>
>> > >>
>> > >> Blogs and organic groups at http://www.ccie.net
>> > >>
>> > >>
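Added example, not written by any poster in this thread and not Cisco code: a small Python model of the routing decision Sadiq and Segun describe, using the FWSM and core-switch routes quoted above. The route tables are constructed from Aamir's config (interface names SRVR, SRVR-mgmt, inside, Vlan175, Vlan100 and the prefixes shown), and the pass/fail rule for a sourced ping is an assumption that matches the thread's description of FWSM behaviour: a ping sourced on an interface is forwarded only when that interface is the one the routing table selects for the destination. The second function models Sadiq's other question, whether the core switch has a route back to the address the FWSM sources from.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Route tables constructed from what was posted in this thread.
# Each entry: (prefix, exit interface, next hop or None for a connected route).
FWSM_ROUTES: List[Tuple[str, str, Optional[str]]] = [
    ("0.0.0.0/0", "inside", "10.10.75.1"),   # route inside 0.0.0.0 0.0.0.0 10.10.75.1 1
    ("10.10.2.0/24", "SRVR", None),          # connected, Vlan102
    ("10.10.3.0/24", "SRVR-mgmt", None),     # connected, Vlan103
    ("10.10.75.0/24", "inside", None),       # connected, Vlan175
]

CORE_ROUTES: List[Tuple[str, str, Optional[str]]] = [
    ("10.10.75.0/24", "Vlan175", None),      # connected
    ("10.10.1.0/24", "Vlan100", None),       # connected
    ("10.10.2.0/24", "Vlan175", None),       # ip route 10.10.2.0 255.255.255.0 Vlan175
    ("10.10.3.0/24", "Vlan175", None),       # ip route 10.10.3.0 255.255.255.0 Vlan175
]


def lookup(dest: str, routes: List[Tuple[str, str, Optional[str]]]) -> Tuple[str, Optional[str]]:
    """Longest-prefix match: return (exit_interface, next_hop) for dest,
    or raise LookupError when no route in the table covers it."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1], best[2]


def ping_check(requested_if: str, dest: str) -> Dict[str, object]:
    """Assumed rule, taken from the thread's explanation: a ping sourced on an
    interface is only forwarded when that interface is the routed exit
    interface for dest; otherwise the FWSM drops it."""
    exit_if, next_hop = lookup(dest, FWSM_ROUTES)
    return {
        "requested": requested_if,
        "routed_via": exit_if,
        "next_hop": next_hop,
        "forwarded": exit_if == requested_if,
    }


def return_path_check(source_ip: str) -> Dict[str, object]:
    """Does the core switch hold a route back to the address the FWSM sources
    from? Only the core's table is on the page, so the path back from 4.2.2.2
    itself (Sadiq's open question) is not modelled here."""
    try:
        iface, _ = lookup(source_ip, CORE_ROUTES)
        return {"source": source_ip, "core_returns_via": iface, "reachable": True}
    except LookupError:
        return {"source": source_ip, "core_returns_via": None, "reachable": False}


if __name__ == "__main__":
    # The four ping attempts from the thread, plus one toward a host on the
    # connected SRVR VLAN (constructed address) for contrast.
    for iface, dest in [("inside", "4.2.2.2"), ("SRVR", "4.2.2.2"),
                        ("SRVR", "10.10.1.1"), ("SRVR", "10.10.2.50")]:
        r = ping_check(iface, dest)
        verdict = "forwarded" if r["forwarded"] else "dropped (exit interface mismatch)"
        print(f"ping {iface} {dest}: routed via {r['routed_via']} -> {verdict}")
    # Source addresses are the FWSM's own interface IPs from the config.
    for src in ("10.10.2.1", "10.10.75.2"):
        print(f"core switch route back to {src}:", return_path_check(src))
```

Running it reproduces the thread's results: `ping inside 4.2.2.2` is forwarded because the default route exits via inside, while `ping SRVR 4.2.2.2` and `ping SRVR 10.10.1.1` both resolve to inside as the exit interface and are reported dropped, matching the 0 percent success rate Aamir saw. A destination on the connected 10.10.2.0/24 network is the one case where sourcing from SRVR lines up with the route. The return-path check confirms the core switch does have a static route back to 10.10.2.0/24 via Vlan175, so the core side is not the reason those two pings fail.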
Received on Fri Nov 25 2011 - 19:22:23 ART

This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART