04-23-2015 08:06 AM - edited 03-11-2019 10:49 PM
We have two firewalls.
The old firewall (PIX) is NATed (globally) inside with interface for most of the network segments, which include many applications and other resources.
Now if I migrate all the configurations to the new firewall (ASA) and shut down the old firewall (PIX), it might break applications that require that outside interface IP address.
I can think of two solutions:
As for solution 1, I don't know what happens if I change the IP address of new firewall old firewall... will it totally break the ASA, or is it just the interface and it will take it and start working...
I can't do sub-interfaces because it's in the same subnet... nor an additional interface address or secondary address... won't work.
Any suggestions and the best way to deal with it?
04-23-2015 10:31 AM
05-15-2015 08:51 AM
Hey, I hope you are doing good. I have successfully upgraded the firewall to ASA 9. There are some issues; kindly can you help?
SCENARIO:
We have set up all the traffic from inside to go outside for internet and NAT the network segments that we want to provide the internet and other services.
We have inside users that usually connect to the server on the internet via client workflows with a static port. I have added one single rule for it:
any permit inside to go outside to server on port tcp 1234
Now the issue starts like this: all the users connect in the morning and suddenly some of the users out of 10/8 are kicked out and two remain connected to the server. Anyone new or old can't log in to the server.
After some time, like 1, 2, 3 hours, it starts working again... I am trying to see what's wrong on my network side, if there is, or firewall, so that I can fix that...
Kindly help or guide.
Hi Usman,
You can use the PIX IP on your new ASA (create object) and use it for NAT. No need to define it on the interface. ASA will NAT it and answer ARP for this IP. Depending upon your requirement you can even use the PIX IP on the outside interface, but your existing rules will be impacted too. Clear xlate if you choose the latter and it should work fine. If you choose the former, ensure that routing is properly taken care of and it should work just fine.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
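
As an added illustration of the first option in the reply above (not part of the original thread and not the poster's configuration): ASA 8.3+ object NAT that translates an inside segment to the old PIX address held in a network object instead of on an interface. All addresses and object names are constructed placeholders.

```cisco
! Constructed values (assumptions, not from the thread):
!   203.0.113.0/24  outside subnet shared by PIX and ASA
!   203.0.113.10    old PIX outside IP that applications depend on
!   10.10.0.0/16    one inside segment
! The ASA outside interface keeps its own, different address in 203.0.113.0/24.
!
! Hold the old PIX address in an object; it is not configured on any interface.
object network OLD-PIX-GLOBAL
 host 203.0.113.10
!
! Dynamic PAT for the inside segment to that address.
! The ASA proxy-ARPs for the mapped IP on the outside segment.
object network INSIDE-SEG1
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic OLD-PIX-GLOBAL
!
! Cut over only after the PIX is off the segment: two devices must not
! answer ARP for 203.0.113.10. The upstream router may still cache the
! PIX MAC for that IP until its ARP entry ages out or is cleared.
!
! Verify from privileged EXEC after cutover:
!   show nat detail   (rule present, hit counters increasing)
!   show xlate        (translations mapped to 203.0.113.10)
!   clear xlate       (flush stale translations after a NAT change)
```

Repeat the second object for each inside segment that was translated on the PIX, and check that return routes for the inside segments point at the ASA.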