I am currently running a PIX 515E and have configured an ASA 5520. I'm running them in parallel to test the configuration before I migrate totally over to the ASA. I cannot get traffic from the inside to the outside through the ASA. Could this be from running both devices at the same time?
I believe that there is a core switch (10.140.0.22) in the path between the firewalls and the inside networks.
What are the routes configured on it?
Have you modified the default route on it to point to the new ASA as the next hop?
Thanks for your response. 10.140.0.22 is a router that is routing internal networks, as my border router is managed by AT&T and it's easier to add/change routes. That is the default gateway on my current systems, but on the machine that I'm testing on I have the ASA 5520 as the default gateway. Any traffic from this test machine should be routing straight through the ASA to the outside unless I've overlooked something?
So far so good. How about the router connected to the outside (22.214.171.124)? Is there a static route with the ASA's outside interface IP address being the next hop?
That router is managed by AT&T and I don't think that there is a static route configured on it with the outside interface of the ASA 5520 as the next hop. Would I need a static route configured for both the 515 and the 5520 in that router for traffic to pass out through the 5520?
Sure mate. The problem here is with the return traffic. All traffic coming to your network is being routed to your old PIX 515. So you need to call AT&T to set a route for you pointing to the IP address of the new ASA as the next hop for your networks. However, I do believe that they will have to remove the static route pointing to the PIX 515 for the new setup to work, unless you use a dynamic routing protocol between the AT&T router and both of your firewalls if you want both to work at the same time.
Cheers mate ;)
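To make the return-path point concrete, here is an added illustration (not configuration from anyone in this thread) of what the upstream router's static route looks like before and after the change, plus the ASA commands that expose the symptom. All addresses are assumed: 10.140.0.0/16 for the inside networks, 203.0.113.11 for the PIX outside interface, 203.0.113.10 for the ASA outside interface, 10.140.10.50 for the test host and 198.51.100.20 for an external destination.

```cisco
! Added illustration, not from the thread. All addresses below are assumed:
!   inside networks behind the firewalls : 10.140.0.0/16
!   PIX 515E outside interface            : 203.0.113.11
!   ASA 5520 outside interface            : 203.0.113.10
!
! --- Upstream (AT&T-managed) router, current state: return traffic for the
!     inside networks is sent to the old PIX. A flow that leaves via the ASA
!     is therefore answered via the PIX, which has no connection state for
!     it and drops the reply.
ip route 10.140.0.0 255.255.0.0 203.0.113.11
!
! --- Upstream router, after the change requested in the thread: the ASA's
!     outside address becomes the next hop. The old static route must be
!     removed; two static routes to the same prefix with the same
!     administrative distance are both installed and load-share per
!     destination, they do not fail over.
no ip route 10.140.0.0 255.255.0.0 203.0.113.11
ip route 10.140.0.0 255.255.0.0 203.0.113.10
!
! --- ASA 5520 checks (enable mode on the ASA CLI).
! Simulate the test host's outbound TCP flow; packet-tracer walks the
! route lookup, NAT and ACL phases and reports whether the packet is allowed.
packet-tracer input inside tcp 10.140.10.50 40000 198.51.100.20 80 detailed
! Connections that stay half-open (the inside SYN was seen, no SYN-ACK ever
! arrived from the outside) point to a missing return path rather than a
! policy problem on the ASA.
show conn address 10.140.10.50
! Confirm the ASA's own default route leaves via the outside interface.
show route
```

If packet-tracer reports the flow as allowed but `show conn` keeps showing half-open entries for the test host, the ASA is doing its part and the missing piece is the route on the upstream router.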
So even though I can connect to the outside interface on the 5520 (i.e. WebVPN) and access inside resources externally, traffic that originates from the inside will try to return through the 515?
Most likely, yes. Since you haven't informed AT&T of your new setting, I'm sure all return traffic is going through the 515 at this moment.
Thanks very much for your responses. If this is the case, what is the best way to test the configuration of the new firewall without bringing down connectivity, or is that even possible?
I recommend you unplug the cable attached to the outside of the 515 and plug it into the outside of the ASA (taking its address as well) out of work hours.
I'm afraid there's no other way.
Well, I'm not sure how you're connecting via WebVPN. But for the ASA, it's directly connected to AT&T's router, and your ASA will be reachable externally as a result. However, the issue will be with your inside networks, since the static routes on the AT&T router are pointing to the 515 as the next hop.