PIX 505 config

pj_mtl
Level 1

Hopefully someone will be able to give me a hand with this issue. Basically I wanna swap my 501 with a 505 I've configured it properly (I think I did). When I plug it in the network I can ping my ISP router, but my servers on the inside cannot access the web both interfaces are up. I setup the static entries properly and I only have access-lists coming in not going out. Can anyone point me in the right direction to resolve my issue? Any help would be greatly appreciated.

Thank you

13 Replies

mostiguy
Level 6

From the new pix, can you ping the servers? You might want to check the ARP tables of the servers, as well as of the switch that interconnects them - they might have a stale ARP entry for the old MAC address of the inside interface.

Yeah, I can ping the servers from the new pix. They're plugged into a hub. Any other suggestions? Thanks for your help.

Hi,

Could you post your configs? Did you remember to setup the default gateway (route outside 0.0.0.0 0.0.0.0 x.x.x.x)?

Regards,

Mustafa

Yeah I did setup the default gateway. Here is a copy of my config.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname S2i505
domain-name tmp
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl-out2 permit tcp any host Public IP eq ftp
access-list acl-out2 permit tcp any host Public IP eq www
access-list acl-out2 permit tcp any host Public IP eq pcanywhere-data
access-list acl-out2 permit tcp any host Public IP eq 5632
access-list acl-out2 permit udp any host Public IP eq 5631
access-list acl-out2 permit udp any host Public IP eq pcanywhere-status
access-list acl-out2 permit tcp any host Public IP eq www
access-list acl-out2 permit tcp any host Public IP eq www
access-list acl-out2 permit tcp any host Public IP eq www
access-list acl-out2 permit tcp any host Public IP eq smtp
access-list acl-out2 permit tcp any host Public IP eq pop3
access-list acl-out2 permit tcp any host Public IP eq www
access-list acl-out2 permit tcp any host Public IP eq 81
access-list acl-out2 permit tcp any host Public IP eq www
access-list acl-out2 permit tcp any host Public IP eq 81
access-list acl-out2 permit tcp any host Public IP eq ftp
access-list acl-out2 permit tcp any host Public IP eq 10000
access-list acl-out2 permit tcp any host Public IP eq 81
access-list acl-out2 permit tcp any host Public IP eq ftp
access-list acl-out2 permit tcp any host Public IP eq www
access-list acl-out2 permit tcp any host Public IP eq https
access-list acl-out2 permit tcp any host Public IP eq www
access-list acl-out2 permit tcp any host Public IP eq ftp
access-list acl-out2 permit tcp any host Public IP eq https
access-list acl-out2 permit tcp any host Public IP eq https
access-list acl-out2 permit tcp any host Public IP eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside Public IP 255.x.x.240
ip address inside 192.168.13.252 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 1 192.168.13.0 255.255.255.0 0 0
static (inside,outside) Public IP 192.168.13.12 netmask 255.255.255.255 0 0
static (inside,outside) Public IP 192.168.13.3 netmask 255.255.255.255 0 0
static (inside,outside) Public IP 192.168.13.57 netmask 255.255.255.255 0 0
static (inside,outside) Public IP 192.168.13.5 netmask 255.255.255.255 0 0
static (inside,outside) Public IP 192.168.13.19 netmask 255.255.255.255 0 0
static (inside,outside) Public IP 192.168.13.34 netmask 255.255.255.255 0 0
static (inside,outside) Public IP 192.168.13.249 netmask 255.255.255.255 0 0
static (inside,outside) Public IP 192.168.13.201 netmask 255.255.255.255 0 0
static (inside,outside) Public IP 192.168.13.144 netmask 255.255.255.255 0 0
access-group acl-out2 in interface outside
route outside 0.0.0.0 0.0.0.0 Public IP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxx
: end
[OK]


Hi,

You may need to reset your server and your default router.

The ARP table on the router is still reading the old PIX MAC address.

This is a common problem when replacing a firewall.

Regards

Hi,

I've done that also, still no go.

Agree with soc@pipex.net, check the pix arp table (show arp) and verify all mac/ip entries match those of the internal servers. And, if the old pix is still connected, make sure it is not proxy-arping for any internal host, and that all hosts are using 192.168.13.252 for default-gateway.

I pointed the default gateway of my machine to the new pix. When I type "sh arp" I see the entry for my machine and my ISP's router. The old PIX is still connected, how can I make sure that it is not proxy-arping?

Proxy-arp can be disabled using:

sysopt noproxyarp inside

Also, you may need to clear arp cache on the old pix (clear arp) - this could be disruptive!

Since there is a "nat(inside)" statement without a corresponding "global" statement, are you testing this from any of the statically translated hosts?

soc
Level 1

Hi,

Just checked your config.

You need to add:

global (outside) 1 interface

The nat (inside) 1 xxxxx statement will need to reference this.

Yes, I agree with soc@pipex.net.

global command is missing in your pix config.
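The missing global pool that soc and the last reply point to can be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from Cisco: it lints a PIX 6.x configuration for nat statements that have no matching global pool, works out whether a given inside host has any translation at all (a one-to-one static, or nat plus global), and also flags the default SNMP community that appears in the posted config. The two configuration strings are constructed from the thread's config, reduced to the relevant statements, with 203.0.113.x documentation addresses standing in for the redacted "Public IP"; the function and class names are my own.

```python
"""Lint a PIX 6.x configuration for the nat/global mismatch discussed in this thread.

Added example (not code from the thread or from Cisco). Assumes the config is
available as the plain text of "write terminal" / "show running-config".
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the thread's config reduced to the statements that matter,
# with 203.0.113.x (documentation range) standing in for the redacted "Public IP".
SAMPLE_CONFIG_BEFORE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.13.252 255.255.255.0
nat (inside) 1 192.168.13.0 255.255.255.0 0 0
static (inside,outside) 203.0.113.3 192.168.13.12 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.4 192.168.13.3 netmask 255.255.255.255 0 0
snmp-server community public
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""
# Same config plus the line soc recommended adding.
SAMPLE_CONFIG_AFTER = SAMPLE_CONFIG_BEFORE + "global (outside) 1 interface\n"

NAT_RE = re.compile(r"^nat\s+\((?P<iface>[\w-]+)\)\s+(?P<id>\d+)\s+(?P<net>\S+)\s+(?P<mask>\S+)")
GLOBAL_RE = re.compile(r"^global\s+\((?P<iface>[\w-]+)\)\s+(?P<id>\d+)\s+(?P<pool>.+?)\s*$")
# PIX syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip ...
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+(?P<mapped>\S+)\s+(?P<real>\S+)")
SNMP_RE = re.compile(r"^snmp-server\s+community\s+(?P<community>\S+)")
WEAK_COMMUNITIES = {"public", "private"}


@dataclass
class LintReport:
    nat_ids: dict = field(default_factory=dict)     # nat id -> (iface, network, mask)
    global_ids: dict = field(default_factory=dict)  # nat id -> (iface, pool spec)
    statics: list = field(default_factory=list)     # (real inside ip, mapped outside ip)
    findings: list = field(default_factory=list)    # human-readable problems


def lint_pix_config(text: str) -> LintReport:
    """Parse the statements we care about and record what is wrong with them."""
    rep = LintReport()
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            rep.nat_ids[int(m["id"])] = (m["iface"], m["net"], m["mask"])
        elif m := GLOBAL_RE.match(line):
            rep.global_ids[int(m["id"])] = (m["iface"], m["pool"])
        elif m := STATIC_RE.match(line):
            rep.statics.append((m["real"], m["mapped"]))
        elif m := SNMP_RE.match(line):
            if m["community"].lower() in WEAK_COMMUNITIES:
                rep.findings.append(
                    f"snmp-server community '{m['community']}' is a well-known default")
    for nat_id, (iface, net, mask) in rep.nat_ids.items():
        # nat (iface) 0 means "translate nothing" and needs no global pool.
        if nat_id != 0 and nat_id not in rep.global_ids:
            rep.findings.append(
                f"nat ({iface}) {nat_id} {net} {mask} has no matching 'global' statement; "
                "inside hosts without a static cannot build an outbound xlate")
    return rep


def host_can_reach_outside(rep: LintReport, host: str) -> bool:
    """True if the PIX has some translation (static, or nat plus global) for this inside host."""
    if host in {real for real, _ in rep.statics}:
        return True
    addr = ipaddress.ip_address(host)
    for nat_id, (_iface, net, mask) in rep.nat_ids.items():
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:
            continue  # e.g. the "nat (inside) 0 access-list ..." form, not a plain network
        if addr in network and (nat_id == 0 or nat_id in rep.global_ids):
            return True
    return False


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG_BEFORE), ("after", SAMPLE_CONFIG_AFTER)):
        rep = lint_pix_config(cfg)
        print(f"== {label} ==")
        for finding in rep.findings:
            print("  finding:", finding)
        for host in ("192.168.13.12", "192.168.13.100"):
            print(f"  {host} can reach outside: {host_can_reach_outside(rep, host)}")
```

Run against the "before" config the lint reports the orphaned nat id 1 and shows that 192.168.13.12 (covered by a static) can still get out while an ordinary host such as 192.168.13.100 cannot, which is exactly the symptom described in the first post; once `global (outside) 1 interface` is present both hosts have a translation. The SNMP finding is reported either way, since a default read community is worth changing while the box is being reconfigured anyway.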
