Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
704
Views
0
Helpful
2
Replies

PIX515 to PIX525 migrate problem

jhs4709
Level 1
Level 1

‎12-08-2006 11:52 PM - edited ‎03-11-2019 02:06 AM

I have upgraded to PIX 525 7.2(2). When I did I used the same rules as on the 515. I know the fixup changed to inspect and have all working with the strange exception of VOIP and some special applications. one is with port 2000. I need to allow port 2000 to a specific PC, and have done so with an ACL entry.

object-group network Zap2it_host

description Zap2it allowed hosts

network-object 192.168.6.0 255.255.255.0

access-list OUT_to_IN extended permit tcp object-group Zap2it_host host 10.10.10.22 eq 2000

access-group OUT_to_IN in interface outside

All IPs are public and no NAT configured (only 2 interfaces inside and outside). However packets are dropped but do not reflect where they are dropped. A capture of both interfaces only shows traffic on the outside.

packets captured

1: 15:43:39.129754 192.168.6.5.3280 > 10.10.10.22.2000: S 3184932859:3184932859(0) win 25200 <mss 1460,nop,nop,sackOK>

Assistance will be greatly appreciated.

Regards,

Brad

Labels:
0 Helpful
2 Replies 2

CSCO10723456
Level 1
Level 1

‎12-11-2006 12:47 AM

Hi Brad,

maybe you can track the dropped traffic and check for the drop code, try using the "show asp-drop" command and monitor the increasing number when passing the port 2000 traffic to get the error code, that could give a hint on what is causing the traffic drop.

don't forget to clear the counter before beginning "clear asp-drop"

you can also capture the dropped traffic using the capture asp-drop command:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/c1_711.htm#wp2025431

hope that this helps.

Shadi'

0 Helpful

jhs4709
Level 1
Level 1
In response to CSCO10723456

‎12-11-2006 01:19 PM

Shadi,

Thanks for your reply, but we have the situation fixed now. The application I was using to upload files from outside the f/w to a machine on the inside used port 2000. We had port 2000 in the global inspection rules under skinny.

There was another issue with sip as well.

Removing the lines:

inspect skiny

inspect sip

from the global ploicy allowed the traffic to flow properly. Some how because the originating traffic was from the outside the inspection engine dropped it because of the handling of those ports.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card