I'm testing connectivity with ping. Currently this is only a proof-of-concept lab so I only care about ICMP, we edit the access-lists to permit and deny whatever later.
Ping to the interface works because of the
Code:
icmp permit any echo blue
icmp permit any echo-reply blue
icmp permit any echo green
icmp permit any echo-reply green
What I want to get to work is that all traffic coming in on blue destined to green gets NATed to the green interface, or even to a pool of IPs on the green VLAN. The interfaces have the same security level configured, so as far as I understand, by default they aren't allowed to talk to each other unless you use the same-security-traffic permit inter-interface command. And according to Cisco, http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/intfce_f.html#wp1039276, NAT is optional when going between interfaces of the same security level. We need to NAT for our purpose.
If I remove the NAT commands from the FWSM, I can ping through it and can see hits on the ACL.
Code:
FWSM(config)# sh run global
FWSM(config)#
vrf-lab#sh ip route vrf blue 20.0.20.1
Routing entry for 20.0.20.0/24
Known via "ospf 10", distance 110, metric 11, type intra area
Redistributing via bgp 65001
Advertised by bgp 65001 match internal external 2
Last update from 10.0.10.254 on Vlan10, 01:23:41 ago
Routing Descriptor Blocks:
* 10.0.10.254, from 20.0.20.254, 01:23:41 ago, via Vlan10
Route metric is 11, traffic share count is 1
vrf-lab#ping vrf blue 20.0.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
FWSM(config)# sh access-list BLUEIN
access-list BLUEIN; 1 elements
access-list BLUEIN line 1 extended permit icmp any any (hitcnt=5) 0x9dab3f18
If I make one security-level higher than the other, NATing works.
Code:
FWSM(config)# sh nameif
Interface Name Security
Vlan10 blue 90
Vlan20 green 80
Vlan99 dfroute 0
FWSM(config)# sh run nat
nat (blue) 1 0.0.0.0 0.0.0.0
nat (green) 2 0.0.0.0 0.0.0.0
FWSM(config)# sh run global
global (green) 1 interface
FWSM(config)# clear access-list BLUEIN counters
FWSM(config)# clear access-list GREENIN counters
vrf-lab#ping vrf blue 20.0.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
vrf-lab#
[Resuming connection 1 to 127.0.0.41 ... ]
FWSM(config)# sh xlate
1 in use, 2 most used
PAT Global 20.0.20.254(1026) Local 10.0.10.1 ICMP id 79
FWSM(config)#
FWSM(config)# sh access-list BLUEIN
access-list BLUEIN; 1 elements
access-list BLUEIN line 1 extended permit icmp any any (hitcnt=5) 0x9dab3f18
FWSM(config)# sh access-list GREENIN
access-list GREENIN; 1 elements
access-list GREENIN line 1 extended permit icmp any any (hitcnt=5) 0xe6781713
Now if I try to ping through when it's configured so that blue traffic gets translated to the green interface and green traffic gets translated to the blue interface and they both are the same security level, NAT doesn't work.
Code:
FWSM(config)# sh access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list BLUEIN; 1 elements
access-list BLUEIN line 1 extended permit icmp any any (hitcnt=5) 0x9dab3f18
access-list GREENIN; 1 elements
access-list GREENIN line 1 extended permit icmp any any (hitcnt=5) 0xe6781713
FWSM(config)# clear xlate
FWSM(config)# clear access-list BLUEIN counters
FWSM(config)# clear access-list GREENIN counters
FWSM(config)# sh nameif
Interface Name Security
Vlan10 blue 80
Vlan20 green 80
Vlan99 dfroute 0
FWSM(config)# sh run global
global (blue) 2 interface
global (green) 1 interface
vrf-lab#ping vrf blue 20.0.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.20.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
vrf-lab#ping vrf green 10.0.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
vrf-lab#
[Resuming connection 1 to 127.0.0.41 ... ]
FWSM(config)# sh xlate
0 in use, 2 most used
FWSM(config)# sh access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list BLUEIN; 1 elements
access-list BLUEIN line 1 extended permit icmp any any (hitcnt=0) 0x9dab3f18
access-list GREENIN; 1 elements
access-list GREENIN line 1 extended permit icmp any any (hitcnt=0) 0xe6781713
In fact it's not even getting to the ACL check. From what I understand about how the FWSMs work, inbound traffic gets sanity checked, then security checked to see if the source and destination meet the configured security levels and translation configurations, and then it runs through the ACL checks. It's almost like I haven't turned on the right switch, but the only one I know of is the same-security-traffic permit inter-interface command, and it doesn't seem to be working correctly.
Anyone have experience doing translation through same security level interfaces?
Sorry for the long post, and again, thanks in advance.
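The post's diagnosis rests on two counters: the ACE hit counts from `sh access-list` and the translation count from `sh xlate`. The following is an added example (not the poster's code, and not a Cisco tool) that parses those two outputs in the format pasted above and classifies where a test ping was dropped relative to the FWSM processing order the post describes (security-level/translation check before the ACL check). The sample outputs embedded below are constructed from the lines in the post; the verdict labels and the `diagnose()` function are this example's own.

```python
import re

# Constructed samples, copied from the shapes of the output pasted in the post.
ACL_CLEARED = """\
access-list BLUEIN; 1 elements
access-list BLUEIN line 1 extended permit icmp any any (hitcnt=0) 0x9dab3f18
"""
ACL_AFTER_WORKING = """\
access-list BLUEIN; 1 elements
access-list BLUEIN line 1 extended permit icmp any any (hitcnt=5) 0x9dab3f18
"""
ACL_AFTER_FAILING = ACL_CLEARED  # same-security case: counters never moved
XLATE_WORKING = """\
1 in use, 2 most used
PAT Global 20.0.20.254(1026) Local 10.0.10.1 ICMP id 79
"""
XLATE_FAILING = "0 in use, 2 most used\n"

# One ACE line: "access-list NAME line N <rule> (hitcnt=N) 0x<hash>"
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (.+?) \(hitcnt=(\d+)\)")
XLATE_SUMMARY_RE = re.compile(r"^(\d+) in use, (\d+) most used")
XLATE_ENTRY_RE = re.compile(r"^(PAT|NAT) Global (\S+) Local (\S+)")

# Verdicts (labels chosen for this example, not FWSM terminology).
TRANSLATED_AND_PERMITTED = "translated_and_permitted"
PERMITTED_WITHOUT_XLATE = "permitted_without_xlate"
DROPPED_BEFORE_ACL = "dropped_before_acl"
INCONCLUSIVE = "inconclusive"


def parse_access_list(text):
    """Return {acl_name: {line_number: hitcnt}} from `sh access-list` output."""
    hits = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            acl, num, _rule, cnt = m.groups()
            hits.setdefault(acl, {})[int(num)] = int(cnt)
    return hits


def parse_xlate(text):
    """Return (in_use, [entries]) from `sh xlate` output."""
    in_use, entries = 0, []
    for raw in text.splitlines():
        s = raw.strip()
        m = XLATE_SUMMARY_RE.match(s)
        if m:
            in_use = int(m.group(1))
            continue
        m = XLATE_ENTRY_RE.match(s)
        if m:
            entries.append({"type": m.group(1), "global": m.group(2), "local": m.group(3)})
    return in_use, entries


def diagnose(acl_before, acl_after, xlate_text, acl_name, probes_sent):
    """Classify a ping test by diffing ACE hit counts and checking xlate usage.

    The stage order assumed here is the one the post describes: translation /
    security-level evaluation happens before the ACL lookup, so zero new hits
    with zero xlates means the packets never reached the ACL stage.
    """
    before = sum(parse_access_list(acl_before).get(acl_name, {}).values())
    after = sum(parse_access_list(acl_after).get(acl_name, {}).values())
    new_hits = after - before
    in_use, _entries = parse_xlate(xlate_text)
    if new_hits >= probes_sent and in_use > 0:
        return TRANSLATED_AND_PERMITTED
    if new_hits >= probes_sent:
        return PERMITTED_WITHOUT_XLATE
    if new_hits == 0 and in_use == 0:
        return DROPPED_BEFORE_ACL
    return INCONCLUSIVE


def run_demo():
    """Evaluate both scenarios from the post (5 echos each) and return the verdicts."""
    return {
        "different_levels": diagnose(ACL_CLEARED, ACL_AFTER_WORKING, XLATE_WORKING, "BLUEIN", 5),
        "same_levels": diagnose(ACL_CLEARED, ACL_AFTER_FAILING, XLATE_FAILING, "BLUEIN", 5),
    }


if __name__ == "__main__":
    for scenario, verdict in run_demo().items():
        print(f"{scenario}: {verdict}")
```

Clearing the counters before each ping (as the post does with `clear access-list ... counters` and `clear xlate`) is what makes the before/after diff meaningful; without that step, stale hits from an earlier test would mask a drop at the translation stage.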