Pinging Through The Fwsm - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services

Chapter 17
Monitoring and Troubleshooting the Firewall Services Module

Pinging Through the FWSM

After you successfully ping the FWSM interfaces, you should make sure traffic can pass successfully
through the FWSM. For routed mode, this test shows that NAT is working correctly. For transparent
mode, which does not use NAT, this test confirms that the FWSM is operating correctly; if the ping fails
in transparent mode, contact technical support.
You should originate pings from hosts that are normally allowed to access remote networks; you do not
need to ping from outside to inside, for example, if you do not allow any outside hosts to access the
inside.
To ping between hosts on different interfaces, follow these steps:
Step 1
To add an ACL allowing ICMP from any source host, enter the following command:
FWSM/contexta(config)# access-list ICMPTEST extended permit icmp any any
Step 2
To assign the ACL to each source interface, enter the following command:
FWSM/contexta(config)# access-group ICMPTEST in interface interface_name
Repeat this command for each source interface.
Step 3
To enable the ICMP inspection engine, so ICMP responses are allowed back to the source host, enter the following command:
FWSM/contexta(config)# fixup protocol icmp
Alternatively, you can also apply the ICMPTEST ACL to the destination interface to allow ICMP traffic back through the FWSM.
Step 4
Ping from the host or router through the source interface to another host or router on another interface.
Repeat this step for as many interface pairs as you want to check.
If the ping succeeds, you see a system message confirming the address translation for routed mode
(305009 or 305011) and that an ICMP connection was established (302020). You can also enter the
show xlate and show conns commands to view this information.
If the ping fails for transparent mode, contact technical support.
For routed mode, the ping might fail because NAT is not configured correctly. (See Figure 17-5.) In this case, you see a system message showing that the NAT translation failed (305005 or 305006). If the ping is from an outside host to an inside host, and you do not have a static translation, you see message 106010: deny inbound icmp.
Note
The FWSM only shows ICMP debug messages for pings to the FWSM interfaces, and not for pings through the FWSM to other hosts.
Figure 17-5 Ping Failure Because the FWSM is not Translating Addresses
[Figure 17-5 shows a ping from a host, through a router, across the FWSM to a second router and host; the ping fails because the FWSM is not translating addresses.]
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 17-7
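As an added example (not from the guide), a small Python helper that applies the message-ID logic of this section to FWSM syslog output and reports whether the ping-through test passed, or why it failed; the sample syslog lines and their wording are constructed for the example, and only the six-digit message IDs come from this section.

```python
import re

# Message IDs named in this chapter and what each tells you about the ping test.
# The %FWSM-<severity>-<id>: prefix is only used to pull the ID out of a line.
SUCCESS_IDS = {
    "305009": "static translation built (routed mode NAT working)",
    "305011": "dynamic translation built (routed mode NAT working)",
    "302020": "ICMP connection established",
}
FAILURE_IDS = {
    "305005": "no translation group found: NAT not configured for this flow",
    "305006": "translation creation failed: check NAT configuration",
    "106010": "deny inbound icmp: outside-to-inside ping with no static translation",
}
MSG_RE = re.compile(r"%FWSM-\d-(\d{6}):")

def classify_ping_test(log_lines, mode="routed"):
    """Return (verdict, notes) for a ping-through-the-FWSM test.

    mode is "routed" or "transparent": NAT-related messages only apply in
    routed mode, and a transparent-mode failure is escalated, not diagnosed.
    """
    seen = {}
    for line in log_lines:
        m = MSG_RE.search(line)
        if m:
            seen.setdefault(m.group(1), line.strip())
    if mode == "transparent":
        if "302020" in seen:
            return "pass", ["302020: ICMP connection established; FWSM forwarding correctly"]
        return "fail", ["ping failed in transparent mode: contact technical support"]
    notes = [f"{mid}: {why}" for mid, why in FAILURE_IDS.items() if mid in seen]
    if notes:
        return "fail", notes
    if "302020" in seen and ("305009" in seen or "305011" in seen):
        return "pass", [f"{mid}: {SUCCESS_IDS[mid]}" for mid in seen if mid in SUCCESS_IDS]
    return "inconclusive", ["no xlate/connection messages; verify ICMPTEST ACL and fixup protocol icmp"]

# Constructed sample lines (addresses from RFC 5737 documentation ranges).
SAMPLE_PASS = [
    "%FWSM-6-305011: Built dynamic ICMP translation from inside:192.0.2.10/1 to outside:203.0.113.5/1",
    "%FWSM-6-302020: Built outbound ICMP connection for faddr 198.51.100.9/0 gaddr 203.0.113.5/1 laddr 192.0.2.10/1",
]
SAMPLE_NO_NAT = [
    "%FWSM-3-305005: No translation group found for icmp src inside:192.0.2.10/1 dst outside:198.51.100.9/0",
]
```

Feed it the output of the FWSM syslog capture taken while the Step 4 ping runs; an "inconclusive" verdict usually means the ICMPTEST ACL or fixup protocol icmp step was skipped.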
