We need your assistance to resolve our problem. The attached file is the running configuration for your reference. This is regarding the PIX 515E firewall. The problem is as follows. We have two different ISPs; both links work fine if we terminate them on a Cisco 2800 router. I terminated the ISP 1 link on the PIX firewall. For almost the last ten days there was no issue, and the Internet worked fine in the inside network. But for the last two days I have been facing a problem: I can access web sites from the firewall, but not from the inside network. If I change the ISP 1 link to the ISP 2 link, it works fine and I can access the Internet from inside. I changed nothing, only the connectivity and the IP address. But we need to run the ISP 1 link on the firewall. Please suggest the necessary changes so that the link also works from inside.
ISP 1 link address details:
ip address outside 22.214.171.124 255.255.255.240
global (outside) 1 126.96.36.199
route outside 0.0.0.0 0.0.0.0 188.8.131.52 1
ISP 2 link address details:
ip address outside 184.108.40.206 255.0.0.0
global (outside) 1 220.127.116.11
route outside 0.0.0.0 0.0.0.0 18.104.22.168 1
The best way to migrate is to take the configuration of the old PIX and TFTP it to a PC or other server for safekeeping.
Then boot up the ASA in a lab environment and TFTP the configuration to the new unit and reboot. There will be some commands that don't translate correctly, but you can compare the configurations to each other to make sure all the access lists and NAT statements get transferred across.
Keep in mind that the PIX and the ASA name their interfaces differently, so there may be errors when you transfer the configuration. You can edit the configuration offline with something like Notepad and change the names of the interfaces to have it work.
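One way to do the comparison described in the answer above, as an added example that is not part of the original post: the script below pulls the access-list, NAT, static and route lines out of both configuration dumps and lists any that did not make it to the new unit. The sample configurations, the addresses and the `dmz1` to `DMZ` rename are constructed, and it assumes both dumps use the same command syntax for these lines.

```python
import re

# Commands whose loss during migration silently changes firewall policy.
POLICY = ("access-list ", "access-group ", "nat ", "global ", "static ", "route ")

def policy_lines(config, rename=None):
    """Normalised policy lines of a config dump; rename maps old interface
    names to new ones (operator-supplied, hypothetical here)."""
    rename = rename or {}
    swap = lambda name: rename.get(name, name)
    found = set()
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse whitespace differences
        if not line.startswith(POLICY):
            continue
        # Interface lists in parentheses, e.g. nat (dmz1) or static (dmz1,outside)
        line = re.sub(r"\(([^)]*)\)", lambda m: "(%s)" % ",".join(
            swap(n.strip()) for n in m.group(1).split(",")), line)
        # access-group <acl> in interface <name>
        line = re.sub(r"\binterface (\S+)",
                      lambda m: "interface " + swap(m.group(1)), line)
        words = line.split(" ")
        if words[0] == "route" and len(words) > 1:  # route <name> <net> <mask> <gw>
            words[1] = swap(words[1])
        found.add(" ".join(words))
    return found

def missing_after_migration(old_cfg, new_cfg, rename=None):
    """Policy lines present on the old unit but absent from the new one."""
    return sorted(policy_lines(old_cfg, rename) - policy_lines(new_cfg))

# Constructed sample configs (documentation addresses, made-up names).
OLD_PIX = """\
access-list acl_out permit tcp any host 192.0.2.10 eq www
access-group acl_out in interface outside
nat (dmz1) 1 10.10.0.0 255.255.255.0
global (outside) 1 192.0.2.20
static (dmz1,outside) 192.0.2.10 10.10.0.2 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
"""
NEW_ASA = """\
access-list acl_out permit tcp any host 192.0.2.10 eq www
access-group acl_out in interface outside
nat (DMZ) 1   10.10.0.0 255.255.255.0
global (outside) 1 192.0.2.20
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
"""

if __name__ == "__main__":
    for line in missing_after_migration(OLD_PIX, NEW_ASA, {"dmz1": "DMZ"}):
        print("MISSING:", line)
```

Any line it reports is a rule or translation the new unit lacks, so review it before the cutover rather than after.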
You can only block Orkut sites that you know by IP, but the PIX alone cannot do it, since it requires an application like Websense to do URL filtering. If you have the IPs and need help creating the ACLs, feel free to let me know.
Here's a real simple problem to your remote access problems. Go to: http://www.logmein.com. Sign up for a free acct, download/install their free software on your Server. Now go over to your laptop, log in to your new logmein acct. In the next page, you'll see your Server listed. Click on it and follow the instructions to connect. This will tunnel through whatever stuff you have on your network! Trust me, esp. in your scenario, this is *by far* the *simplest* remote connect you'll ever perform! And it just ... works! Every time.
You don't need a translation going from a lower security level to a higher one. You will also need a nat line for the DMZ so that PCs on the DMZ will be translated outbound. The only connection that will work on the DMZ is the webserver when he's sending traffic outbound with a source port of 80. Something like:
nat (DMZ) 101 10.10.0.0 255.255.255.0
Other than that, it looks like it should be working. You've got permission, a route, and a translation. Maybe "clear local-host 10.10.0.2" to get rid of any bad xlates and try again. Check debug-level syslogs, run packet captures, "clear asp drop" then "show asp drop" after an attempt?