[c-nsp] FWSM failover question...
Randy
randy_94108 at yahoo.com
Sat Oct 15 21:49:58 EDT 2011
Do you have the following in your FWSM config:
icmp permit any INSIDE
That is ; assuming you have the *appropriate* acl on the INSIDE int.
The dafault is deny all!
The same applies wrt *management* : identical to ASAs:
management-access INSIDE
and specify hosts:
ssh <a.b.c.c> 255.255.255.255 INSIDE
ssh <e.f.g.h> 255.255.255.255 INSIDE
HTH
./Randy
--- On Fri, 10/14/11, Jeff Kell <jeff-kell at utc.edu> wrote:
> From: Jeff Kell <jeff-kell at utc.edu>
> Subject: [c-nsp] FWSM failover question...
> To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Date: Friday, October 14, 2011, 4:44 PM
> Just finished
> configuration/installation of a secondary FWSM for
> failover (active/standby), but it is not behaving as
> expected (I have
> ASAs in similar configurations). There are standby
> IPs configured on
> the vlans, and they respond to pings from the 6500 itself,
> but not
> otherwise.
>
> The ARPs show up properly, but on the "show mac address"
> lists the
> primary MAC on each of the firewall-group vlans, but the
> secondary MAC
> only appears for the failover vlan.
>
> Is this normal? The ASAs answer on either address,
> and the MACs
> populate all their vlans. But not the FWSM.
>
> Jeff
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
More information about the cisco-nsp
mailing list