Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.
4 posts • Page 1 of 1
I have two C6509-E switch outfitted with one FWSM per each. And use vlan 200 for outside between C6509 and FWSM. the snapshot of configure are as follows, but i can't ping the SVI of vlan 200 from FWSM. However "show arp" on c6509 indicate that C6509 has learned the correct MAC address of outside ip address.SW Configfirewall multiple-vlan-interfacesfirewall module 2 vlan-group 1firewall vlan-group 1 101,102,200,210-221FWSM configFWSM Version 2.3(4) <system>resource acl-partition 3enable password xxxpasswd xxxhostname Primaryftp mode passivepager lines 24logging buffer-size 4096class default limit-resource IPSec 5 limit-resource Mac-addresses 65535 limit-resource PDM 5 limit-resource SSH 5 limit-resource Telnet 5 limit-resource All 0!class low limit-resource All 5.0%!failoverfailover lan unit primaryfailover lan interface faillink vlan 101failover polltime unit 1 holdtime 15failover polltime interface 15failover interface-policy 50%failover replication httpfailover link statelink vlan 102failover interface ip faillink 172.16.17.1 255.255.255.252 standby 172.16.17.2failover interface ip statelink 172.16.17.5 255.255.255.252 standby 172.16.17.6arp timeout 14400!timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00timeout uauth 0:05:00 absoluteterminal width 80admin-context context-acontext context-a description used-for-backend-servers member default allocate-interface vlan200 allocate-interface vlan210-vlan215 allocate-acl-partition 0 config-url disk:/context-a.cfg!context admin member low config-url disk:/admin.cfg!Cryptochecksum:xxxFWSM Context-a ConfigPrimary/context-a# sho run: Saved:FWSM Version 2.3(4) <context>nameif vlan200 outside security0nameif vlan210 inside security100nameif vlan211 dmz1 security50nameif vlan212 dmz2 security50nameif vlan213 dmz3 security50enable password xxxpasswd xxxhostname context-afixup protocol dns maximum-length 512fixup protocol ftp 21fixup protocol h323 H225 1720fixup protocol h323 ras 1718-1719fixup protocol rsh 514fixup protocol sip 5060no fixup protocol sip udp 5060fixup protocol skinny 2000fixup protocol smtp 25fixup protocol sqlnet 1521namesaccess-list deny-flow-max 4096access-list alert-interval 300access-list acl-in extended permit ip any any pager lines 24logging buffer-size 4096mtu outside 1500mtu inside 1500mtu dmz1 1500mtu dmz2 1500mtu dmz3 1500ip address outside 10.0.180.253 255.255.255.0 standby 10.0.180.254ip address inside 10.0.181.253 255.255.255.0 standby 10.0.181.254pdm location 10.0.181.0 255.255.255.0 insideno pdm history enablearp timeout 14400nat (inside) 0 0.0.0.0 0.0.0.0access-group acl-in in interface outsideaccess-group acl-in in interface inside!interface outside!!interface inside!!interface dmz1!! interface dmz2!!interface dmz3!!route outside 0.0.0.0 0.0.0.0 10.0.180.1 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00timeout uauth 0:05:00 absolute....floodguard enablefragment size 200 outsidefragment chain 24 outsidefragment size 200 insidefragment chain 24 insidefragment size 200 dmz1fragment chain 24 dmz1fragment size 200 dmz2fragment chain 24 dmz2fragment size 200 dmz3fragment chain 24 dmz3telnet 10.0.181.0 255.255.255.0 insidetelnet timeout 5ssh timeout 5terminal width 80And I can successfully ping the failover and statelnk ip address from FWSM each other.
Hi Try adding to the admin context "icmp permit any outside" You don't have to use "any", you can restrict it to only certain ip addresses. HTH Jon
in my config, the context-a is the admin-context and I have added the "permit ip any any" ACL both in outside and inside interface. So why still need add icmp related ACL? In addition, I restore the multiple context mode to single context mode and also correctly config the basic setting. But it still didn't work. I can successfuly ping the each other through the failover and stateful link.An interesting thing is when I execute the "show interface" command regardless on context or system execution space, it showed lots of packets were dropped except for under the edbc interface(internal interface connected to C6509 Switch). WHY?
Hi .. if you want to allow icmp traffic that terminates at the FWSM interfaces then you need to use the icmp command. The ACL are for traffic that traverses the FWSM.Quoted from FWSM Command reference Guide .."icmpTo configure access rules for Internet Control Message Protocol (ICMP) traffic that terminates at aninterface, use the icmp command. To remove access rules, use the no form of this command."I hope it helps .. please rate if it does !!!