ASA Config Question (Weird)

mark.bottoroff — Fri, 21 Feb 2020 12:42:55 GMT

This is hard to explain but here I go -

At our Colo in TX we have a Cisco PIX I am upgrading to a Cisco ASA5520. Here is what I need help with. Since NAT commands have change in the new version, 8.4.4.1 I want to run the old-pix and the new-asa5520 in parallel, I was thinking I could avoid downtime and headaches...

We have 2 public supplied IP blocks – Since I do not want to publish my external IP's in a forum I will just use some off the top of my head

•1. 207.218.56.32 /30
•2. 207.108.206.192/26

The first block is directly connect to the PIX firewall (207.218.56.34) and the Upstream Internet providers gateway (207.218.56.33). The other block is routed to the outside interface of the PIX firewall, everything works, we have several public outside addresses that staticly map to DMZ IP's on the PIX FW.

So far so good…

Here is where I get lost. We have another firewall for another division of our company that need their own security… For whatever reason… This firewall, (another ASA, but this one is a 5510), is assigned an IP from the /26 IP address range - 207.218.206.254. Even-though there is no physical network I can communicate "ping"between 207.218.56.34 (OLD-PIX) and 207.218.206.254 (ASA5510 separte company disvisions).

Pix – Firewall

Current IP Addresses:

Interface Name IP address Subnet mask

Ethernet0 outside 207.218.56.34 255.255.255.252

Ethernet1 inside 172.16.13.240 255.255.252.0

Ethernet2 dmz 192.168.0.1 255.255.255.0

Ping to production ASA5510

old-pix-fw# ping outside 207.108.206.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 207.108.206.254, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Ping to test New ASA5520 (The one that will replace the PIX)

old-pix-fw# ping outside 207.218.206.246

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 207.218.206.246, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

Existing ASA5510 (working) – another-asa-1

Current IP Addresses:

Interface Name IP address Subnet mask

Ethernet0/0 Outside 207.218.206.254 255.255.255.192

Ethernet0/1 inside 172.16.13.22 255.255.252.0

Ethernet0/2 DMZ 192.168.0.254 255.255.255.0

another-asa-1# sh run | in route

route Outside 0.0.0.0 0.0.0.0 207.248.122.56.34 1

route inside 172.16.0.0 255.255.0.0 172.16.13.37 1

route inside 172.20.0.0 255.255.0.0 172.16.13.37 1

route inside 172.23.0.0 255.255.252.0 172.16.13.37 1

New ASA - Testing to replace PIX (Not working)

Current IP Addresses:

Interface Name IP address Subnet mask

GigabitEthernet0/0 outside 207.218.206.246 255.255.255.192

GigabitEthernet0/1 inside 172.16.13.235 255.255.252.0

GigabitEthernet0/2 dmz 192.168.0.250 255.255.255.0

PHHColo-ASA5520-1# sh run | in route

route outside 0.0.0.0 0.0.0.0 207.218.56.34 1

route inside 172.20.0.0 255.255.252.0 172.16.13.37 1

route inside 172.20.4.0 255.255.252.0 172.16.13.37 1

route inside 172.23.0.0 255.255.252.0 172.16.13.37 1

I just don’t understand both the new-ASA and the another-ASA are configured thet same. and the PIX is configured that same for both as well.

I hope this is not too confusing, but it’s difficult to explain in just a few words.

Thanks,

Mark

ASA Config Question (Weird)

mark.bottoroff — Thu, 23 Aug 2012 15:41:23 GMT

This has already been covered - 8.4(3) changed ARP or non connected subnets. I hope they change it back.Downgrading to 8.4(2).

Mark

topic ASA Config Question (Weird) in Network Security

ASA Config Question (Weird)

ASA Config Question (Weird)