irmando

Cannot ping inside interface on FWSM

Hi,

I am doing some test configuration.  I am trying to ping all interfaces on the FWSM but am not able to get a response from the inside interface on the FWSM.  Configuration as follows (where relevant):
--cut--
interface Vlan26
 nameif inside
 security-level 100
 ip address 10.10.20.1 255.255.255.0 standby 10.10.20.2
!
interface Vlan27
 nameif outside
 security-level 0
 ip address 10.10.21.5 255.255.255.224 standby 10.10.21.6

icmp permit any inside
icmp permit any outside

nat (inside) 0 access-list acl_nonat

access-group acl_in in interface inside
access-group acl_out in interface outside

route outside 10.188.88.0 255.255.255.0 10.10.21.1 1
route outside 0.0.0.0 0.0.0.0 10.10.21.1 1

--cut--

I even tried to ping from the MSFC.  Ping to outside IP 10.10.21.5 is OK.  But 10.10.20.1 is not working.

Any advice?
JFrederick29

Are you trying to ping from the outside?  If so, you can't.  Can you ping the inside IP from a host on the same subnet?
irmando

ASKER

Hi JFrederick29,

From outside or inside I can't.  The inside hosts have the inside interface IP of the FWSM as their default gateway.  The hosts can't ping this default gateway IP.

Why can't I ping this IP from outside?  Shouldn't the "icmp permit any inside" allow this?

Okay, so a host with a 10.10.20.x IP address can't ping 10.10.20.1?  The "icmp permit any inside" should take care of it.  Can the Firewall ping a 10.10.20.x host?  Is the inside interface in the correct VLAN?  Does the PC have a good ARP entry for 10.10.20.1 or incomplete (arp -a)?

Try explicitly permitting "icmp any any" on the "acl_in" access-list although it shouldn't be required to ping the Firewall itself, just through the Firewall.
irmando

ASKER

Hi JFrederick29,

The firewall can ping a 10.10.20.x host, and an outside host can also ping a 10.10.20.x host.  The logs on the context show the following:

%FWSM-6-302020: Built inbound ICMP connection for faddr 192.168.65.66/512 gaddr 10.10.20.3/512 laddr 10.10.20.3/0
%FWSM-6-302021: Teardown ICMP connection for faddr 192.168.65.66/512 gaddr 10.10.20.3/512 laddr 10.10.20.3/0
%FWSM-3-305006: portmap translation creation failed for icmp src outside:192.168.65.66 dst inside:10.10.20.1 (type 8, code 0)
%FWSM-3-305006: portmap translation creation failed for icmp src outside:192.168.65.66 dst inside:10.10.20.1 (type 8, code 0)
%FWSM-3-305006: portmap translation creation failed for icmp src outside:192.168.65.66 dst inside:10.10.20.1 (type 8, code 0)
%FWSM-3-305006: portmap translation creation failed for icmp src outside:192.168.65.66 dst inside:10.10.20.1 (type 8, code 0)

192.168.65.66 is the host I am pinging from.  I can ping 10.10.20.3 from this host but not the gateway .1.

As you can see, you can ping through the FWSM but again it is normal that you are unable to ping the inside interface from the outside.

Q. I can ping the FWSM interface that is directly connected to my
network, but I am unable to ping other interfaces. Is this normal?

A. Yes. This is a built-in security mechanism that also exists on the PIX Firewall.
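As an added example (not part of the thread or of any Cisco tooling), the script below triages the FWSM syslog lines quoted above: a 305006 "portmap translation creation failed" whose destination is the firewall's own interface IP, arriving from a different interface, is the by-design drop described in the FAQ answer, while the same message for any other destination is a real translation failure worth investigating. It assumes the interface IPs from the posted configuration.

```python
import re
from collections import Counter

# Constructed sample: the syslog lines quoted in the thread. The interface map
# is taken from the posted config (inside 10.10.20.1, outside 10.10.21.5).
FWSM_INTERFACES = {"inside": "10.10.20.1", "outside": "10.10.21.5"}

SAMPLE_LOGS = """\
%FWSM-6-302020: Built inbound ICMP connection for faddr 192.168.65.66/512 gaddr 10.10.20.3/512 laddr 10.10.20.3/0
%FWSM-6-302021: Teardown ICMP connection for faddr 192.168.65.66/512 gaddr 10.10.20.3/512 laddr 10.10.20.3/0
%FWSM-3-305006: portmap translation creation failed for icmp src outside:192.168.65.66 dst inside:10.10.20.1 (type 8, code 0)
%FWSM-3-305006: portmap translation creation failed for icmp src outside:192.168.65.66 dst inside:10.10.20.1 (type 8, code 0)
"""

MSG_RE = re.compile(r"^%FWSM-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
PORTMAP_RE = re.compile(
    r"portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+) dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)"
)

def classify(line, interfaces=FWSM_INTERFACES):
    """Return a triage label for one FWSM syslog line, or None if not recognised."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    msg_id, body = m.group("id"), m.group("body")
    if msg_id == "302020":
        return "through-traffic-ok"          # connection built: traffic traverses the FWSM
    if msg_id == "302021":
        return "through-traffic-teardown"
    if msg_id == "305006":
        p = PORTMAP_RE.search(body)
        if not p:
            return "nat-failure-unparsed"
        # A ping to a firewall interface from a *different* interface is dropped by
        # design and surfaces as a translation failure, not as a policy deny.
        if p["dst_ip"] == interfaces.get(p["dst_if"]) and p["src_if"] != p["dst_if"]:
            return "expected-drop-nonconnected-interface"
        return "nat-failure-investigate"     # translation problem for real through-traffic
    return "other"

def triage(log_text, interfaces=FWSM_INTERFACES):
    # Count triage labels over a block of syslog text.
    counts = Counter()
    for line in log_text.splitlines():
        label = classify(line, interfaces)
        if label:
            counts[label] += 1
    return dict(counts)
```

Running `triage(SAMPLE_LOGS)` on the quoted lines reports one built and one torn-down through-connection and two expected drops, matching the thread's diagnosis that through-traffic works and only the non-connected interface ping is refused.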
irmando

ASKER

Hi JFrederick29,

But shouldn't 10.10.20.3 be able to ping its gateway 10.10.20.1?  At the moment, hosts in 10.10.20.x cannot ping the gateway 10.10.20.1, which is the FWSM interface.
ASKER CERTIFIED SOLUTION
JFrederick29
irmando

ASKER

JFrederick29, thanks.  It seems there was some misconfiguration on the clients, hence they couldn't ping the inside interface from within.  You are right, only directly connected clients can ping it.