12-09-2006 06:20 PM - edited 03-11-2019 02:06 AM
Here is the config on a PIX515E with 7.2.2.
[The old config with 6.3.4 worked fine.]
After the upgrade, access from outside stopped working. Here is the config with 2.2.
Any help? Thanks,
fw# sh run
: Saved
:
PIX Version 7.2(2)
!
hostname fw
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.17.17.1 255.255.248.0
!
interface Ethernet2
shutdown
nameif intf2
security-level 4
no ip address
!
ftp mode passive
!
access-list 111 extended permit tcp any host 10.10.10.1 eq 7700 log
access-list 111 extended permit udp any host 10.10.10.1 eq 6600 log
icmp unreachable rate-limit 1 burst-size 1
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 10.10.10.1 7700 172.17.2.111 7700 netmask 255.255.255.255
static (inside,outside) udp 10.10.10.1 6600 172.17.2.222 6600 netmask 255.255.255.255
access-group 111 in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.254 1
route inside 172.17.0.0 255.255.0.0 172.17.17.254 1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect sip
inspect xdmcp
!
service-policy global_policy global
fw#
12-10-2006 01:31 PM
Hello,
Not sure if this is the issue or not, but a couple of things:
1) Your default route next hop is not on the same network as your firewall.
Your netmask on the outside interface (255.255.255.248) means that the only IP addresses that it can reach are 10.10.10.1 - 10.10.10.6, with 10.10.10.7 being the broadcast. However, your default route
route outside 0.0.0.0 0.0.0.0 10.10.10.254 1
says that the next hop is 10.10.10.254, which wouldn't be on the same network, unless you change the netmask.
Similarly, I'd check the netmask on the inside interface to make sure you really want a 255.255.248.0 (8 Class Cs) local to that firewall interface.
Also - I'd check the log for any suspicious log entries - are you getting anything indicating no route?
--Jason
Please rate this message if it helps solve some or all of your issue.
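The subnet arithmetic in the reply above can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses the interface and route lines from the posted configuration (embedded here as a constructed sample), lists the usable host range of each interface the way the reply does for the /29, and flags any route whose next hop does not sit inside the egress interface's connected subnet. The function names and the minimal config subset are assumptions made for the example.

```python
import ipaddress

# Constructed sample: only the interface and route lines from the posted "sh run".
PIX_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.17.17.1 255.255.248.0
!
route outside 0.0.0.0 0.0.0.0 10.10.10.254 1
route inside 172.17.0.0 255.255.0.0 172.17.17.254 1
"""


def parse_interfaces(config):
    """Map each nameif to its ip_interface (address plus connected subnet)."""
    interfaces = {}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new block; nameif comes on a later line
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, ip, mask = line.split()[:4]
            # ip_interface accepts a dotted-decimal mask after the slash
            interfaces[nameif] = ipaddress.ip_interface(f"{ip}/{mask}")
    return interfaces


def parse_routes(config):
    """Yield (nameif, destination, mask, next_hop) from 'route' lines."""
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) >= 5 and parts[0] == "route":
            yield parts[1], parts[2], parts[3], parts[4]


def usable_range(config, nameif):
    """Return (first_host, last_host, broadcast) for the interface's subnet."""
    net = parse_interfaces(config)[nameif].network
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), str(net.broadcast_address)


def check_next_hops(config):
    """Return (nameif, next_hop, connected_network) for every route whose
    next hop is not on the egress interface's subnet; empty list if all fine."""
    interfaces = parse_interfaces(config)
    problems = []
    for nameif, _dest, _mask, next_hop in parse_routes(config):
        iface = interfaces.get(nameif)
        if iface is None:
            problems.append((nameif, next_hop, None))
        elif ipaddress.ip_address(next_hop) not in iface.network:
            problems.append((nameif, next_hop, str(iface.network)))
    return problems


if __name__ == "__main__":
    for name in ("outside", "inside"):
        print(name, usable_range(PIX_CONFIG, name))
    print("next-hop problems:", check_next_hops(PIX_CONFIG))
    # Same check with the mask the poster later says was intended
    fixed = PIX_CONFIG.replace("255.255.255.248", "255.255.255.0")
    print("after /24 fix:", check_next_hops(fixed))
```

Running this against the posted config reports the outside default route (next hop 10.10.10.254 outside 10.10.10.0/29) and nothing for the inside route, whose next hop 172.17.17.254 is within 172.17.16.0/21; with the mask changed to 255.255.255.0 the outside route is clean. The same idea can be applied to any captured "sh run" before and after an upgrade to catch a route that silently lost its connected path.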
12-10-2006 04:09 PM
It was a typo; the subnet mask should be 255.255.255.0 for the outside interface.
Jason, thanks for the reply. Do you have any idea?
Everything was OK after downgrading back to 6.3.4.