04-30-2012 02:32 AM - edited 03-11-2019 03:59 PM
Hi
I am experiencing issues at a site where I need to replace an ageing PIX 506e with an ASA 5505.
The current setup looks like this:
The PIX is used for site-to-site VPN connection via the WAN 2 link. The WAN 1 link is used for general Internet connectivity.
I don't have access to the Draytek Router as it is supported by a 3rd party, but I believe it uses static routing to direct the relevant traffic to/from the PIX.
When I replace the PIX with the ASA, the inside i/f connection experiences dropouts - but no errors show in the logs.
The only significant difference I can see in the config is that the ASA utilises VLANs for the inside & outside interface configs - I used the PIX-to-ASA Migration tool to make the initial configuration on the ASA.
In tests, if I only connect the inside i/f of the ASA, pings from the LAN are stable. Once I connect the outside i/f, pings timeout approx 80% of the time.
Could anyone offer any advice please?
05-02-2012 08:31 PM
Phil,
I think I know why. The ASA firewall uses the same MAC address for both VLANs, so that can mess the hell up with that router (if it is using switchports). If it is using interfaces it shouldn't cause a problem.
If you do a show interface and look for the MAC addresses of both VLANs, you will see what I am talking about.
Based on your diagram, I think that is the problem.
Solution: assign the physical MAC address of the port that is connected to the outside to the respective VLAN ID. You can see the physical MAC address using the show version command.
Let me know how it goes.
Mike
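The steps Mike describes, written out as an ASA 5505 CLI session. This is an added illustration, not part of the original thread or a Cisco document; the VLAN numbers (Vlan1 inside, Vlan2 outside fed by Ethernet0/0) follow the usual 5505 layout, and the MAC address is made up and must be replaced with the one your own "show version" prints for that port.

```text
! Added example, not from the original thread. The MAC address below is
! invented; use the burned-in address that "show version" shows on your unit.

! 1. Confirm the symptom: both VLAN interfaces report the same MAC address
!    (this assumes the interface output contains the string "MAC").
show interface Vlan1 | include MAC
show interface Vlan2 | include MAC

! 2. Find the hardware MAC of the physical port that carries the outside VLAN.
!    Here that is Ethernet0/0, i.e. the port configured with
!    "switchport access vlan 2" by the migration tool.
show version | include Ethernet0/0

! 3. Pin that hardware MAC to the outside VLAN interface. The existing
!    nameif / security-level / ip address lines on Vlan2 stay as they are.
configure terminal
interface Vlan2
 mac-address 001a.2b3c.4d5e
exit
end

! 4. Verify the two VLAN interfaces now answer with different MACs, then save.
show interface Vlan1 | include MAC
show interface Vlan2 | include MAC
write memory
```

With the same source MAC arriving on two different switch ports of the upstream router, its forwarding table is rewritten every time a frame comes in from the other port, which is consistent with the intermittent LAN pings described in the question. After the change, clear the ARP entry for the ASA's outside address on the Draytek (or wait for it to age out) and re-run the LAN ping test with both ASA interfaces connected.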
05-03-2012 12:45 AM
Mike, many thanks for this info - I will mark it as the correct answer when I get the chance to test (I am out of the country at the moment), but I feel very confident that it will solve the issue.
Again, thank you.
Phil