Cisco 7604 Configuration Manual page 603

Chapter 26 Troubleshooting the Firewall Services Module
Figure 26-1 Network Sketch with Interfaces, Routers, and Hosts
Host
10.1.1.56
209.265.200.226
10.1.1.2
MSFC
209.165.201.2
192.168.1.2
209.165.201.1
dmz1
192.1
68.1.
dmz2
192.168.2.1
security40
192.168.0.1
security100
192.168.2.2
MSFC
10.1.2.2
10.1.2.90
Host
Ping each FWSM interface from the directly connected routers. For transparent mode, ping the
Step 2
management IP address.
This test ensures that the FWSM interfaces are active and that the interface configuration is correct.
A ping might fail if the FWSM interface is not active, the interface configuration is incorrect, or if a
switch between the FWSM and router is down (see
system log messages appear on the FWSM, because the packet never reaches it.
Figure 26-2
Host
If the ping reaches the FWSM, and the FWSM responds, you see debug messages like the following:
ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
If the ping reply does not return to the router, then you might have a switch loop or redundant IP
addresses (see
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
Host
209.265.200.230
10.1.3.2
MSFC
192.168.3.2
outside
dmz3
security0
192.1
68.3.
Routed FWSM
dmz4
192.168.4.1
inside
security80
192.168.4.2
192.168.0.2
MSFC
10.1.4.2
10.1.0.2
10.1.0.34
Host
Ping Failure at FWSM Interface
Ping
Figure 26-3).
Host
10.1.3.6
MSFC
MSFC
10.1.4.67
Host
Figure
MSFC
Testing Your Configuration
Host
209.165.201.24
209.165.201.1
MSFC
10.1.0.1
outside
security0
Transp. FWSM
10.1.0.3
inside
security100
10.1.0.2
MSFC
10.1.1.1
10.1.1.5
Host
26-2). In this case, no debug messages or
?
FWSM
26-3