Explorer

Pix 515 to ASA 5520 Migration - No outside traffic...

Hi,

We're in the process of migrating over to an ASA 5520 from a Pix 515. We've made several attempts and so far none have been successful.

I've used the pix to asa migration tool and combed thoroughly through the resultant config and everything looks good, however the cutover never works. We're using the exact same IPs and simply moving the inside and outside cables to the new inside and outside ports on the ASA - and then restarting our router.

From the ASA I cannot ping to the internet if I specify to use the inside interface. I can ping both inside and outside addresses normally however.

Any help on where to start looking for an answer would be appreciated. I'm not sure how to debug the traffic going across the ASA.

21 REPLIES
Hall of Fame Guru

Re: Pix 515 to ASA 5520 Migration - No outside traffic...

Have you tried internet access from behind the inside interface of the ASA, i.e. from a client machine?

Testing ping from the inside interface to outside is never a good test of connectivity.

What happens from a client behind the ASA, can you

1) connect to a URL

2) connect to IP address

If not could you post a sanitised config

Jon

Explorer

Re: Pix 515 to ASA 5520 Migration - No outside traffic...

Thanks, I did the extended ping from the inside interface as a test after not being able to surf or ping from a client machine.

Trying to surf from a client machine results in the generic "page cannot be displayed".

I'll attach a scrubbed config...let me know if you see anything we can change. The routing has been omitted as well, but it's identical to what was on the pix.

Hall of Fame Guru

Re: Pix 515 to ASA 5520 Migration - No outside traffic...

Okay, config looks okay to me.

What is the default-gateway of the inside clients?

When you try to bring up a web page from a client, does the traffic reach the ASA?

You mention that you are reloading the router, but what about inside devices, i.e.

if the default-gateway of the clients is the ASA inside interface then all their arp caches will point to the old pix mac-address.

if the default-gateway of the inside clients is a L3 device inside your network then what about its arp table needing updating.

Jon

Explorer

Re: Pix 515 to ASA 5520 Migration - No outside traffic...

All clients are configured to use our router as the default gateway. The router has ip route 0.0.0.0 0.0.0.0 pointing to the inside interface of the PIX/ASA.

The PIX/ASA has route outside 0.0.0.0 0.0.0.0 pointed to our ISP's router.

I'd assume rebooting the router would update its ARP table...but it's something to check. We're going to try again here in a couple of minutes.

Hall of Fame Guru

Re: Pix 515 to ASA 5520 Migration - No outside traffic...

Actually you don't need to reboot the router, just use this command from the enable prompt

router# clear ip arp

Jon

Explorer

Re: Pix 515 to ASA 5520 Migration - No outside traffic...

Just a note, the ISP has a Cisco 3350 Switch as the access router...would I need to contact my ISP to have them make some changes?

Hall of Fame Guru

Re: Pix 515 to ASA 5520 Migration - No outside traffic...

I'm not clear on your topology setup but you should clear any arp tables that may have cached the old pix mac-address.

Jon
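The stale-ARP condition discussed in the replies above can be checked from saved `show ip arp` output of a neighbouring device. This is an added example, not part of any poster's reply; the sample table, IP addresses and MAC addresses are constructed, and `check_cutover` and its `expected` mapping are hypothetical names.

```python
import re

# One row of Cisco IOS "show ip arp" output:
# Protocol  Address  Age (min)  Hardware Addr  Type  Interface
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}|Incomplete)\s+ARPA"
    r"(?:\s+(?P<intf>\S+))?$"
)

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_arp_table(text):
    """Map IP -> MAC (None while the entry is still Incomplete)."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            mac = m.group("mac")
            table[m.group("ip")] = None if mac == "Incomplete" else normalize_mac(mac)
    return table

def check_cutover(arp_text, expected):
    """expected: firewall IP -> MAC of the new unit's interface (hypothetical input).
    Returns IP -> 'ok', 'stale', 'unresolved' or 'missing'."""
    table = parse_arp_table(arp_text)
    status = {}
    for ip, new_mac in expected.items():
        if ip not in table:
            status[ip] = "missing"        # neighbour has no entry at all
        elif table[ip] is None:
            status[ip] = "unresolved"     # ARP request sent, no reply yet
        else:
            status[ip] = "ok" if table[ip] == normalize_mac(new_mac) else "stale"
    return status

# Constructed sample: neighbour's table still holding the old firewall's MAC.
SAMPLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1              42   0011.2233.4455  ARPA   FastEthernet0/1
Internet  10.10.1.2               -   0019.aaaa.bb01  ARPA   FastEthernet0/1
Internet  10.10.1.9               0   Incomplete      ARPA
"""

if __name__ == "__main__":
    print(check_cutover(SAMPLE, {"10.10.1.1": "00:1e:7a:00:00:01"}))
```

A `stale` result means that device is still sending frames to the old unit's MAC and its entry needs clearing.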

Explorer

Re: Pix 515 to ASA 5520 Migration - No outside traffic...

Some days I'm not clear on it either, I sort of inherited it. :)

Here's a rough sketch. I updated the arp on our WAN router and it still didn't work. I can't get into the ISP's managed device obviously but I'm wondering if that isn't an issue.

From the ASA I can ping the ISP's 3550, but still no internet.

Explorer

Re: Pix 515 to ASA 5520 Migration - No outside traffic...

Well it's spring break here so I have a week to get this running while school is out. Any further help would be awesome.

Re: Pix 515 to ASA 5520 Migration - No outside traffic...

Hi,

Have you configured the reverse routes in your ASA towards your internal router? Or is the ASA inside address in the same subnet as the internal users?

Also, if you have a public IP on the external interface of the ASA, you can use that for your NAT global configuration as well.

regards...

Explorer

Re: Pix 515 to ASA 5520 Migration - No outside traffic...

Yes, all the routes and nat are the same - imported from the pix.

Explorer

Re: Pix 515 to ASA 5520 Migration - No outside traffic...

Ok let me pose another question...once we have the ASA in place, what can we do to pinpoint where the issue is?

Re: Pix 515 to ASA 5520 Migration - No outside traffic...

hi,

You can run a capture on the ASA to check whether traffic from hosts destined for the internet is coming to the ASA or not.

Regards

Rising star

Re: Pix 515 to ASA 5520 Migration - No outside traffic...

no global (outside) 1 xxxxxxxxxxx netmask xxxxxxxxx

global (outside) 1 interface
