ASA Config Question (Weird)

mark.bottoroff
Level 1

This is hard to explain but here I go -

At our colo in TX we have a Cisco PIX I am upgrading to a Cisco ASA5520. Here is what I need help with. Since NAT commands have changed in the new version, 8.4.4.1, I want to run the old PIX and the new ASA5520 in parallel; I was thinking I could avoid downtime and headaches...

We have 2 publicly supplied IP blocks – Since I do not want to publish my external IPs in a forum I will just use some off the top of my head

1. 207.218.56.32/30
2. 207.108.206.192/26

The first block is directly connected to the PIX firewall (207.218.56.34) and the upstream Internet provider's gateway (207.218.56.33). The other block is routed to the outside interface of the PIX firewall. Everything works; we have several public outside addresses that statically map to DMZ IPs on the PIX FW.

So far so good…

Here is where I get lost. We have another firewall for another division of our company that needs its own security… For whatever reason… This firewall (another ASA, but this one is a 5510) is assigned an IP from the /26 IP address range - 207.218.206.254. Even though there is no physical network, I can communicate ("ping") between 207.218.56.34 (OLD-PIX) and 207.218.206.254 (ASA5510, separate company division).

Pix – Firewall

Current IP Addresses:

Interface   Name     IP address      Subnet mask
Ethernet0   outside  207.218.56.34   255.255.255.252
Ethernet1   inside   172.16.13.240   255.255.252.0
Ethernet2   dmz      192.168.0.1     255.255.255.0

Ping to production ASA5510

old-pix-fw# ping outside 207.108.206.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 207.108.206.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Ping to test new ASA5520 (the one that will replace the PIX)

old-pix-fw# ping outside 207.218.206.246
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 207.218.206.246, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Existing ASA5510 (working) – another-asa-1

Current IP Addresses:

Interface     Name     IP address       Subnet mask
Ethernet0/0   Outside  207.218.206.254  255.255.255.192
Ethernet0/1   inside   172.16.13.22     255.255.252.0
Ethernet0/2   DMZ      192.168.0.254    255.255.255.0

another-asa-1# sh run | in route
route Outside 0.0.0.0 0.0.0.0 207.248.122.56.34 1
route inside 172.16.0.0 255.255.0.0 172.16.13.37 1
route inside 172.20.0.0 255.255.0.0 172.16.13.37 1
route inside 172.23.0.0 255.255.252.0 172.16.13.37 1

New ASA - Testing to replace PIX (not working)

Current IP Addresses:

Interface            Name     IP address       Subnet mask
GigabitEthernet0/0   outside  207.218.206.246  255.255.255.192
GigabitEthernet0/1   inside   172.16.13.235    255.255.252.0
GigabitEthernet0/2   dmz      192.168.0.250    255.255.255.0

PHHColo-ASA5520-1# sh run | in route
route outside 0.0.0.0 0.0.0.0 207.218.56.34 1
route inside 172.20.0.0 255.255.252.0 172.16.13.37 1
route inside 172.20.4.0 255.255.252.0 172.16.13.37 1
route inside 172.23.0.0 255.255.252.0 172.16.13.37 1

I just don’t understand; both the new ASA and the other ASA are configured the same, and the PIX is configured the same for both as well.

I hope this is not too confusing, but it’s difficult to explain in just a few words.

Thanks,

Mark

1 Reply

mark.bottoroff
Level 1

This has already been covered - 8.4(3) changed ARP for non-connected subnets. I hope they change it back. Downgrading to 8.4(2).

Mark
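To make the symptom in the original post and the cause named in the reply concrete, here is a small Python model (added here; it is not code from the thread or from Cisco) of how an ARP request from the PIX is treated by each ASA. It uses the addresses the author posted (which he says are made up) and assumes two things the thread does not spell out: that the PIX, having the /26 routed out its outside interface, ARPs for a host in that block directly with its own outside address 207.218.56.34 as the ARP sender, and that the 8.4(3) change means the ASA ignores ARP requests whose sender address is not on the receiving interface's connected subnet. The 5510's ping target in the post (207.108.206.254) is taken to be its configured outside address 207.218.206.254.

```python
import ipaddress

# Constructed from the addresses in the post (illustrative, not real blocks).
PIX_OUTSIDE = ipaddress.ip_interface("207.218.56.34/30")
OLD_ASA5510_OUTSIDE = ipaddress.ip_interface("207.218.206.254/26")
NEW_ASA5520_OUTSIDE = ipaddress.ip_interface("207.218.206.246/26")


def on_connected_subnet(iface: ipaddress.IPv4Interface, addr: str) -> bool:
    """True if addr lies inside the subnet directly connected to iface."""
    return ipaddress.ip_address(addr) in iface.network


def answers_arp(iface: ipaddress.IPv4Interface, sender_ip: str,
                target_ip: str, reject_nonconnected_sender: bool) -> bool:
    """Decide whether a firewall answers an ARP who-has received on iface.

    Both modes answer only for the interface's own address. With
    reject_nonconnected_sender=True the request is additionally dropped when
    the sender's IP is outside the connected subnet. That second rule is an
    assumption about the 8.4(3) behaviour change mentioned in the reply.
    """
    if ipaddress.ip_address(target_ip) != iface.ip:
        return False
    if reject_nonconnected_sender and not on_connected_subnet(iface, sender_ip):
        return False
    return True


def simulate_pix_pings() -> dict:
    """Replay the two pings from the post as ARP exchanges.

    Assumed: the PIX ARPs directly for hosts in the routed /26 and uses its
    own outside address as the ARP sender, so the sender is on the /30, not
    on the /26 that both ASAs consider connected.
    """
    sender = str(PIX_OUTSIDE.ip)
    return {
        # Older code on the 5510: answers regardless of sender subnet.
        "another-asa-1 (pre-8.4(3))": answers_arp(
            OLD_ASA5510_OUTSIDE, sender, str(OLD_ASA5510_OUTSIDE.ip), False),
        # 8.4(3)+ code on the 5520: sender 207.218.56.34 is not on the /26.
        "new-asa5520 (8.4(3)+)": answers_arp(
            NEW_ASA5520_OUTSIDE, sender, str(NEW_ASA5520_OUTSIDE.ip), True),
        # Same 5520 rule, but with a sender that is on the connected /26.
        "new-asa5520 from on-subnet sender": answers_arp(
            NEW_ASA5520_OUTSIDE, "207.218.206.193",
            str(NEW_ASA5520_OUTSIDE.ip), True),
    }


if __name__ == "__main__":
    for case, answered in simulate_pix_pings().items():
        print(f"{case}: {'replies' if answered else 'silent'}")
```

Run as-is, the model reproduces the thread: the 5510 replies to the PIX, the 5520 stays silent, and the 5520 would reply if the ARP sender were inside its own /26. That is why the two ASAs can be configured identically yet behave differently, and why rolling the 5520 back to 8.4(2), as the reply does, changes the outcome without touching the config.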
