https://community.cisco.com/t5/network-security/replacing-pix-with-asa-issue/m-p/1941317#M437920 <HTML><HEAD></HEAD><BODY><P>Phil, </P><P></P><P>I think I know why. The ASA firewall uses the same mac-address for both Vlans, so that can mess the hell up with that router (if it is using switchports). If it is using interfaces it shouldnt cause a problem. </P><P></P><P>If you do a show interface and look for the mac-addresses of both vlans, you will see what I am talking about. </P><P></P><P>Based on your diagram, I think that is the problem. </P><P></P><P>Solution, Assign the physical mac-address of the port that is connected to the outside to the respective vlan ID. You can see the physical mac-address using the show version command. </P><P></P><P>Let me know how it goes. </P><P></P><P>Mike </P></BODY></HTML> Thu, 03 May 2012 03:31:31 GMT Maykol Rojas 2012-05-03T03:31:31Z https://community.cisco.com/t5/network-security/replacing-pix-with-asa-issue/m-p/1941316#M437919 <P>Hi</P><P></P><P>I am experiencing issues at a site where I need to replace an ageing PIX 506e with an ASA 5505.</P><P></P><P>The current setup looks like this:</P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/6/6/4/88466-pby.jpg" alt="pby.jpg" class="jive-image-thumbnail jive-image" onclick="" width="450" />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P>The PIX is used for site-to-site VPN connection via the WAN 2 link.&nbsp; The WAN 1 link is used for general Internet connectivity.</P><P></P><P>I don't have access to the Draytek Router as it is supported by a 3rd party, but I believe it uses static routing to direct the relevant traffic to/from the PIX.</P><P></P><P>When I replace the PIX with the ASA, the inside i/f connection experiences dropouts - but no errors show in the logs.</P><P></P><P>The only significant difference I can see in the config is that the ASA utilises VLans for the inside &amp; outside interface configs - I used the PIX-to-ASA Migration tool to make the initial configuration on the ASA.</P><P></P><P>In tests, if I only connect the inside i/f of the ASA, pings from the LAN are stable.&nbsp; Once I connect the outside i/f, pings timeout approx 80% of the time.</P><P></P><P>Could anyone offer any advice please?</P> Mon, 11 Mar 2019 22:59:47 GMT https://community.cisco.com/t5/network-security/replacing-pix-with-asa-issue/m-p/1941316#M437919 Phil Smith 2019-03-11T22:59:47Z https://community.cisco.com/t5/network-security/replacing-pix-with-asa-issue/m-p/1941317#M437920 <HTML><HEAD></HEAD><BODY><P>Phil, </P><P></P><P>I think I know why. The ASA firewall uses the same mac-address for both Vlans, so that can mess the hell up with that router (if it is using switchports). If it is using interfaces it shouldnt cause a problem. </P><P></P><P>If you do a show interface and look for the mac-addresses of both vlans, you will see what I am talking about. </P><P></P><P>Based on your diagram, I think that is the problem. </P><P></P><P>Solution, Assign the physical mac-address of the port that is connected to the outside to the respective vlan ID. You can see the physical mac-address using the show version command. </P><P></P><P>Let me know how it goes. </P><P></P><P>Mike </P></BODY></HTML> Thu, 03 May 2012 03:31:31 GMT https://community.cisco.com/t5/network-security/replacing-pix-with-asa-issue/m-p/1941317#M437920 Maykol Rojas 2012-05-03T03:31:31Z https://community.cisco.com/t5/network-security/replacing-pix-with-asa-issue/m-p/1941318#M437921 <HTML><HEAD></HEAD><BODY><P> Mike, many thanks for this info - I will mark it as correct answer when I get the chance to test (I am out of the country at the moment), but feel very confident that it will solve the issue.</P><P></P><P>Again, thank you.</P><P></P><P>Phil</P></BODY></HTML> Thu, 03 May 2012 07:45:28 GMT https://community.cisco.com/t5/network-security/replacing-pix-with-asa-issue/m-p/1941318#M437921 Phil Smith 2012-05-03T07:45:28Z