https://community.cisco.com/t5/network-security/migrating-from-a-pix-to-asa-access-lists-don-t-work/m-p/1752978#M533384 <HTML><HEAD></HEAD><BODY><P>Very good point Varun! But wouldn't I still see the traffic going to .137 in a capture? </P><P></P><P>I had to roll back and add the pix back since this is for an email server. I will try again tomorrow</P></BODY></HTML> Tue, 16 Aug 2011 18:19:21 GMT jomar050485 2011-08-16T18:19:21Z https://community.cisco.com/t5/network-security/migrating-from-a-pix-to-asa-access-lists-don-t-work/m-p/1752976#M533381 <P>Not sure why it doesn't work...I even created a capture of any any and the ASA doesn't even see the traffic to .137. It does see traffic to .136. As far as I can see, the config is identical. Packet Tracer says my config is good. Internet connectivity is good but I can't hit anything on .137. I have verified that the internal host is indeed open on those ports (as it works when the pix is in place and not when the asa is in place)</P><P></P><P>Can a fresh set of eyes help me?</P><P></P><P>I have attached the old pix config (firewallpix.txt), the new asa config (asa.txt) and the results of packet tracer (packettracer.txt)</P><P></P><P>Thanks in advanced!</P> Mon, 11 Mar 2019 21:12:41 GMT https://community.cisco.com/t5/network-security/migrating-from-a-pix-to-asa-access-lists-don-t-work/m-p/1752976#M533381 jomar050485 2019-03-11T21:12:41Z https://community.cisco.com/t5/network-security/migrating-from-a-pix-to-asa-access-lists-don-t-work/m-p/1752977#M533382 <HTML><HEAD></HEAD><BODY><P>Hi Jomar,</P><P></P><P>You migt just need to reload all the device, so that the arp tables are cleared and neqw arp entry for your ASA is craeted, try it and let me know if it works.</P><P></P><P>Thanks,</P><P>Varun</P><P></P><P>Please rate if helpful.</P></BODY></HTML> Tue, 16 Aug 2011 18:08:40 GMT https://community.cisco.com/t5/network-security/migrating-from-a-pix-to-asa-access-lists-don-t-work/m-p/1752977#M533382 varrao 2011-08-16T18:08:40Z https://community.cisco.com/t5/network-security/migrating-from-a-pix-to-asa-access-lists-don-t-work/m-p/1752978#M533384 <HTML><HEAD></HEAD><BODY><P>Very good point Varun! But wouldn't I still see the traffic going to .137 in a capture? </P><P></P><P>I had to roll back and add the pix back since this is for an email server. I will try again tomorrow</P></BODY></HTML> Tue, 16 Aug 2011 18:19:21 GMT https://community.cisco.com/t5/network-security/migrating-from-a-pix-to-asa-access-lists-don-t-work/m-p/1752978#M533384 jomar050485 2011-08-16T18:19:21Z https://community.cisco.com/t5/network-security/migrating-from-a-pix-to-asa-access-lists-don-t-work/m-p/1752979#M533387 <HTML><HEAD></HEAD><BODY><P>Yes, if the router still has the arp entrues for the pix device then you would not even see the packets reaching the ASA interface, so yes the captures are correct. The router woudl not know which interface to route the packets without the correct mac-address entry into the table. I am very positive this hould resolve it for you. You can try it and let me know the result.</P><P></P><P>-Varun</P></BODY></HTML> Tue, 16 Aug 2011 18:22:38 GMT https://community.cisco.com/t5/network-security/migrating-from-a-pix-to-asa-access-lists-don-t-work/m-p/1752979#M533387 varrao 2011-08-16T18:22:38Z https://community.cisco.com/t5/network-security/migrating-from-a-pix-to-asa-access-lists-don-t-work/m-p/1752980#M533389 <HTML><HEAD></HEAD><BODY><P>Thanks Varun.</P><P></P><P>There is no router involved though. Do you mean the ISP router? I can't clear those ARP entries. The ASA is directly connected to the smartjack.</P></BODY></HTML> Tue, 16 Aug 2011 19:27:06 GMT https://community.cisco.com/t5/network-security/migrating-from-a-pix-to-asa-access-lists-don-t-work/m-p/1752980#M533389 jomar050485 2011-08-16T19:27:06Z https://community.cisco.com/t5/network-security/migrating-from-a-pix-to-asa-access-lists-don-t-work/m-p/1752981#M533390 <HTML><HEAD></HEAD><BODY><P>You were correct. Client informed me of a modem that was on site. Once we restarted it, everything went well!</P><P></P><P>Thanks for the insight!</P></BODY></HTML> Wed, 17 Aug 2011 16:23:19 GMT https://community.cisco.com/t5/network-security/migrating-from-a-pix-to-asa-access-lists-don-t-work/m-p/1752981#M533390 jomar050485 2011-08-17T16:23:19Z https://community.cisco.com/t5/network-security/migrating-from-a-pix-to-asa-access-lists-don-t-work/m-p/1752982#M533391 <HTML><HEAD></HEAD><BODY><P>Glad it work well for you <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN>, thanks for the rating.</P><P></P><P>-Varun</P></BODY></HTML> Wed, 17 Aug 2011 16:29:26 GMT https://community.cisco.com/t5/network-security/migrating-from-a-pix-to-asa-access-lists-don-t-work/m-p/1752982#M533391 varrao 2011-08-17T16:29:26Z