08-22-2012 04:29 PM - edited 02-21-2020 04:42 AM
This is hard to explain, but here I go.
At our colo in TX we have a Cisco PIX I am upgrading to a Cisco ASA5520. Here is what I need help with. Since the NAT commands have changed in the new version, 8.4.4.1, I want to run the old PIX and the new ASA5520 in parallel; I was thinking I could avoid downtime and headaches...
We have 2 provider-supplied public IP blocks. Since I do not want to publish my external IPs in a forum, I will just use some off the top of my head.
The first block is directly connected to the PIX firewall (207.218.56.34) and the upstream Internet provider's gateway (207.218.56.33). The other block is routed to the outside interface of the PIX firewall. Everything works; we have several public outside addresses that statically map to DMZ IPs on the PIX FW.
So far so good…
Here is where I get lost. We have another firewall for another division of our company that needs its own security... for whatever reason. This firewall (another ASA, but this one is a 5510) is assigned an IP from the /26 IP address range, 207.218.206.254. Even though there is no physical network, I can communicate ("ping") between 207.218.56.34 (OLD-PIX) and 207.218.206.254 (ASA5510, separate company division).
Pix – Firewall
Current IP Addresses:
Interface   Name     IP address       Subnet mask
Ethernet0   outside  207.218.56.34    255.255.255.252
Ethernet1   inside   172.16.13.240    255.255.252.0
Ethernet2   dmz      192.168.0.1      255.255.255.0
Ping to production ASA5510
old-pix-fw# ping outside 207.108.206.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 207.108.206.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Ping to test New ASA5520 (The one that will replace the PIX)
old-pix-fw# ping outside 207.218.206.246
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 207.218.206.246, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Existing ASA5510 (working) – another-asa-1
Current IP Addresses:
Interface     Name     IP address       Subnet mask
Ethernet0/0   Outside  207.218.206.254  255.255.255.192
Ethernet0/1   inside   172.16.13.22     255.255.252.0
Ethernet0/2   DMZ      192.168.0.254    255.255.255.0
another-asa-1# sh run | in route
route Outside 0.0.0.0 0.0.0.0 207.248.122.56.34 1
route inside 172.16.0.0 255.255.0.0 172.16.13.37 1
route inside 172.20.0.0 255.255.0.0 172.16.13.37 1
route inside 172.23.0.0 255.255.252.0 172.16.13.37 1
New ASA - Testing to replace PIX (Not working)
Current IP Addresses:
Interface            Name     IP address       Subnet mask
GigabitEthernet0/0   outside  207.218.206.246  255.255.255.192
GigabitEthernet0/1   inside   172.16.13.235    255.255.252.0
GigabitEthernet0/2   dmz      192.168.0.250    255.255.255.0
PHHColo-ASA5520-1# sh run | in route
route outside 0.0.0.0 0.0.0.0 207.218.56.34 1
route inside 172.20.0.0 255.255.252.0 172.16.13.37 1
route inside 172.20.4.0 255.255.252.0 172.16.13.37 1
route inside 172.23.0.0 255.255.252.0 172.16.13.37 1
I just don't understand: both the new ASA and the other ASA are configured the same, and the PIX is configured the same for both as well.
I hope this is not too confusing, but it’s difficult to explain in just a few words.
Thanks,
Mark
08-23-2012 08:41 AM
This has already been covered: 8.4(3) changed ARP for non-connected subnets. I hope they change it back. Downgrading to 8.4(2).
Mark
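The point Mark's follow-up turns on can be checked mechanically: the new ASA5520's only route to the Internet is `route outside 0.0.0.0 0.0.0.0 207.218.56.34`, and 207.218.56.34 does not fall inside the outside interface's connected subnet 207.218.206.192/26, so the ASA has to resolve its default gateway with ARP for a non-connected address, exactly the behaviour that changed in 8.4(3). The script below is an added example, not code from the thread or from Cisco: it parses interface and route lines in the form the post shows and flags every route whose next hop lies outside the subnet of the egress interface. The configuration strings are transcribed from the new ASA5520 section of the post; the parsing layout is an assumption about that format, not an ASA API.

```python
"""Flag ASA static routes whose next hop is not on a connected subnet.

Added example (not from the original thread). Input is the new ASA5520's
interface table and route lines as posted; the regexes assume the
'physical nameif ip mask' and 'route nameif dst mask nexthop [metric]'
layout shown in the post.
"""
import ipaddress
import re

# Transcribed from the post for the new ASA5520 (the one that fails).
NEW_ASA_INTERFACES = """\
GigabitEthernet0/0 outside 207.218.206.246 255.255.255.192
GigabitEthernet0/1 inside 172.16.13.235 255.255.252.0
GigabitEthernet0/2 dmz 192.168.0.250 255.255.255.0
"""

NEW_ASA_ROUTES = """\
route outside 0.0.0.0 0.0.0.0 207.218.56.34 1
route inside 172.20.0.0 255.255.252.0 172.16.13.37 1
route inside 172.20.4.0 255.255.252.0 172.16.13.37 1
route inside 172.23.0.0 255.255.252.0 172.16.13.37 1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
IFACE_RE = re.compile(rf"^\S+\s+(\S+)\s+{IP}\s+{IP}\s*$")
ROUTE_RE = re.compile(rf"^route\s+(\S+)\s+{IP}\s+{IP}\s+{IP}(?:\s+\d+)?\s*$")


def parse_interfaces(text):
    """Map lowercase nameif -> IPv4Interface from 'phys nameif ip mask' lines."""
    ifaces = {}
    for line in text.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            nameif, ip, mask = m.groups()
            ifaces[nameif.lower()] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return ifaces


def parse_routes(text):
    """Return (nameif, destination network, next hop) for each route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            nameif, dst, mask, nh = m.groups()
            routes.append((nameif.lower(),
                           ipaddress.IPv4Network(f"{dst}/{mask}"),
                           ipaddress.IPv4Address(nh)))
    return routes


def nonconnected_next_hops(ifaces, routes):
    """Routes whose next hop must be ARPed for off the egress interface's subnet.

    Returns (nameif, destination, next hop, connected subnet or None) tuples;
    a None subnet means the route names an interface that was not parsed.
    """
    findings = []
    for nameif, dst, nh in routes:
        iface = ifaces.get(nameif)
        if iface is None:
            findings.append((nameif, str(dst), str(nh), None))
        elif nh not in iface.network:
            findings.append((nameif, str(dst), str(nh), str(iface.network)))
    return findings


if __name__ == "__main__":
    hits = nonconnected_next_hops(parse_interfaces(NEW_ASA_INTERFACES),
                                  parse_routes(NEW_ASA_ROUTES))
    for nameif, dst, nh, net in hits:
        print(f"{nameif}: {dst} via {nh} is not on connected subnet {net}")
```

Run against the posted configuration it reports only the outside default route (next hop 207.218.56.34 versus connected subnet 207.218.206.192/26); the three inside routes resolve to 172.16.13.37, which sits inside 172.16.12.0/22 and is unaffected. Feeding it the working 5510's lines gives the same shape of finding, which is why the two boxes can be "configured the same" and still behave differently across ASA releases. Later ASA releases add an `arp permit-nonconnected` command to restore the older behaviour; confirm it in the command reference for the release you run before choosing it over a downgrade.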