new firewalls don't pass traffic?

tprendergast
Level 3

I installed new 525s with FoS7.0.4 to replace my two 515s with FoS6.3. However, the 525s won't pass traffic or reply to inside devices when pinged/etc. I verified that the configs are identical (as much as possible with the syntax changes). The primary 525 can ping the outside world fine, and the inside world fine (and the DMZ). The hosts inside can't ping outside. I verified that the ACLs were applied to the correct interfaces, and I saw no odd logging errors. Is it possible that there is some convergence time across the switch fabric of the new mac/ip entry for the new firewall inside interface? Other ideas?

5 Replies

Fernando_Meza
Level 7

Hi .. it would be helpful if you post the 525 PIX's config

Yeah, it will take quite a bit of tidying up to be net-safe. I'm looking for a general indication, since the configs are the exact same as the 515s (only diff is the change in syntax).

Hiya- you'll need to have an acl for the return ICMP traffic, sort of like:

-access-list outside_access_in extended permit icmp any any

-access-group outside_access_in in interface outside

I've just done this in 7.0.x and can confirm it does allow returning icmp traffic to an inside host.

I can't recall if 6.x treated things in the same way. Like yourself, I've just carried out an upgrade, but there were some new requirements as well, hence the return ICMP rule.

HTH- RMIID!

Gary
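As an added illustration (not from Gary's or the original poster's configs), the same return-ICMP requirement on PIX 7.0.x can be met more narrowly than `permit icmp any any`: either permit only the reply and error types an inside host needs, or turn on stateful ICMP inspection so no outside ACL entry for ICMP is required at all. The ACL and policy-map names below are the PIX 7.0 defaults; the `outside` interface name is taken from the reply above.

```cisco
! Option A: broad rule as posted above (lets any ICMP type, including
! inbound echo-request, through the outside interface)
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside

! Option A, tightened: allow only what an inside ping/traceroute needs back
no access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside

! Option B: stateful ICMP inspection in the default global policy, so
! replies to inside-originated pings are matched to their request and
! no outside ACL entry for ICMP is needed
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

After applying either option, `show access-list outside_access_in` shows hit counts on the ICMP entries (Option A) and `show service-policy inspect icmp` shows the inspected packet counters (Option B), which is how to confirm which path the return traffic is actually taking.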

I solved my own issue, and it had nothing to do with ACLs and such... In fact, the exact same config and setup went in perfectly this time. I think it was just an arp related issue.

So, you didn't do anything in particular. I am having the same problem and am guessing that it is an ARP issue. What did you do to resolve? Reboot switch, router that the pix points to for its route outside. Reboot IPS if you have one. Let me know.