Re: [fw-wiz] PIX 515 7.1 vs: 8.0



On Tue, Mar 15, 2011 at 4:07 PM, Kevin Horvath <kevin.horvath@xxxxxxxxx> wrote:
1) enable local buffer logging, manually add a host with IP on the
inside, then try to access something on the internet, and view your
logs for errors, view your connection table "show conn det", and your
xlate table to see where the issue is.

2) add a default route to the outside interface, everything else
appears directly connected so you don't need routes for those (you can
verify your route table with "sh route").

3) as someone mentioned, looks like you have dhcpd enabled for the dmz
and vonage interfaces and not the inside.  Add an entry for the inside
as well.

On Sat, Mar 12, 2011 at 12:54 AM, Christopher J. Wargaski
<wargo1@xxxxxxxxx> wrote:
Hey Brian--
  Configuration-wise you should have no problems with 8.0 if you know 7.1.
   You appear to have NAT configured correctly. Your ACLs look good too. What
I do not see are any route statements--do you have a default route set?
   Also, you should increase the message-length maximum to 4096 given the
rollout of DNSSEC.

cjw

Thank you for everyone's input. I've been working on this the last few
days and this is what I've found so far.

1. DHCP for the inside is handled by a server on the inside network so
I'm not using the FW for DHCP on the inside.
2. Default route - yes, the default route was not defined at the time
I grabbed the config for the e-mail. It is defined now.
3. After being really puzzled by this issue I decided to go back to
the basics and removed all the ACLs etc to make sure nothing was
screwed up and as Christopher said, the config is correct.
4. Since #3 above didn't change anything I decided to pull the
4FE-PIX66 card and put in a 1FE card just to check everything. Lo and
behold the DMZ port worked without issue.
5. Figured the 4FE card was bad and got another one. Installed that in
the PIX and it does not work either. With the 4FE installed if you
look at the interface it shows the port down, but the config has the
port active.

So, now I'm wondering why the PIX I have will not support the 4FE
card. The PIX is a 515E with the unrestricted license with 256M of
memory. The PIX also has a VAC+. I've tried the 4FE in both slots and
without the VAC+ card and it just refuses to work. I guess I could
have 2 bad 4FEs, but I think that is unlikely.

Can anyone think of what else I'm missing from the PIX that would
cause the 4FE not to work at all?

Thanks,
Brian
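The troubleshooting steps Kevin and Christopher describe above, written out as PIX 8.0 CLI (an added example, not configuration posted by anyone in this thread). Interface names, the address ranges and the gateway address are constructed placeholders, and the policy-map name is the default DNS inspection map that 7.x/8.x generates; substitute your own.

```cisco
! Added example: the checks from the thread as PIX 8.0 commands.
! All addresses below are constructed placeholders, not from the thread.

! --- Kevin's step 1: keep logs in the local buffer, then test from an inside host
logging enable
logging buffered informational
! after the test, read the buffer and the state tables:
show logging
!   %PIX-3-305005 (no translation group found) points at a NAT gap,
!   %PIX-4-106023 (deny ... by access-group) points at an ACL
show conn detail
show xlate

! --- Kevin's step 2: default route toward the ISP gateway (placeholder address)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
show route

! --- Kevin's step 3: only if the firewall itself should serve inside DHCP
! (Brian has a separate DHCP server on the inside, so this part does not apply to him)
dhcpd address 192.168.1.50-192.168.1.100 inside
dhcpd enable inside

! --- Christopher's advice: allow 4096-byte DNS messages for DNSSEC
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096

! --- Brian's 4FE symptom: check what the platform and license actually recognise
show version
show interface
```

`show version` lists the licensed maximum number of physical interfaces alongside the detected hardware, so it is the first place to compare the 4FE card's ports against what the license permits before concluding the card is bad.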
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


