maybe the title is not very clear, but I'll try to describe my problem here.
Currently we have a PIX 515e as our entry point. Our ISP gives us an Ethernet link that we plug into the Ethernet 0 port. Into the Ethernet 1 port we plug a cable to our switch. We have a bunch of public IPs which are NATed by the PIX; for example, the IP 126.96.36.199 is our public IP, which is NATed to the inside server 192.168.192.58.
Recently we bought an ASA 5510. I exported the config of the PIX and ran the commands on the ASA. The ASA is still using version 7.0, so the commands are compatible (except for some, but those are not a problem).
I tested the ASA using a laptop plugged into the outside interface and a desktop plugged into the inside interface; there the NAT is working.
As we cannot take down the production PIX, not even at night, what we are trying to do is pre-configure the ASA, take the ISP Ethernet cable, plug it into the outside interface of the ASA, and take the cable from the switch and plug it into the inside interface.
The thing is, when I do this there is no traffic passing through, and the real-time log viewer in the ASDM isn't helping me; it only shows a lot of "Deny TCP (no connection) from *** to ***/80 flags FIN ACK on interface outside", but if I'm not mistaken these are normal, since the ASA has no idea of the connections managed by the PIX.
Maybe there is nothing I'm missing in the configuration of the ASA, but I'm wondering, isn't it possible that the ASA takes some time to handle all the connections? We have approximately 4000 HTTP connections passing through every 10 seconds.
There will definitely be no hot swap from your PIX firewall to the ASA firewall. Existing connections from the PIX firewall will definitely be broken after moving to the ASA firewall. First of all, the MAC address of all the neighbouring devices needs to be cleared, because if you are configuring exactly the same IP addresses, then they need to refresh their ARP entries before they can pass traffic again. All the existing connections from the PIX firewall will break, as there is no stateful failover from your PIX firewall to the ASA firewall. All traffic needs to be reinitiated once it has been migrated to the ASA firewall, plus "clear arp" needs to be issued on all devices which are connected to the ASA interfaces, so they get the new ARP entry with the correct MAC address of the ASA.
In summary, you would need to organise for a down time.
Not just on the servers. "clear arp" needs to be issued on all adjacent layer 3 devices around the firewall. Either that, or when you are ready, turn the PIX off and turn the ASA back on. When the ASA comes up it will send a gratuitous ARP and all the layer 3 devices will update their ARP table.
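The answers above come down to one verifiable condition: after the cable swap, every neighbour must map the firewall's IP addresses to the ASA's MAC rather than the PIX's. The following is an added example, not code from the thread or from Cisco, that checks exactly that on a Linux host on the inside segment by parsing `ip neigh show` output. The sample output, the inside gateway address 192.168.192.1 and the MAC addresses are all constructed placeholders; substitute the ASA's real interface MAC (from `show interface` on the ASA) and the addresses you actually use.

```python
"""Post-cutover ARP check (added example, not from the original thread).

After swapping the PIX for an ASA that carries the same IP addresses,
neighbouring hosts and routers may keep mapping the firewall's IP to the
PIX's MAC until their ARP caches age out, are cleared, or receive the
ASA's gratuitous ARP. This script parses Linux `ip neigh show` output and
reports cache entries for the firewall addresses that do not yet point at
the expected (ASA) MAC.
"""
import re
import subprocess

# Constructed sample of `ip neigh show` on an inside host right after the
# cable swap. 192.168.192.1 is the assumed inside address of the firewall
# and 00:11:22:33:44:55 stands for the old PIX MAC (both placeholders).
SAMPLE_IP_NEIGH = """\
192.168.192.1 dev eth0 lladdr 00:11:22:33:44:55 STALE
192.168.192.58 dev eth0 lladdr 00:50:56:aa:bb:cc REACHABLE
192.168.192.10 dev eth0  FAILED
"""

# Placeholder for the ASA's inside interface MAC; read the real value from
# the ASA itself.
EXPECTED_FIREWALL_MACS = {"192.168.192.1": "00:AA:BB:CC:DD:EE"}

# One line of `ip neigh show`: "<ip> dev <if> [lladdr <mac>] <STATE>".
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}))?"
    r"\s+(?P<state>[A-Z]+)$",
    re.IGNORECASE,
)


def parse_ip_neigh(text):
    """Return {ip: (mac_or_None, state)} parsed from `ip neigh show` output.

    Entries without an lladdr (e.g. FAILED/INCOMPLETE) keep mac=None.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NEIGH_RE.match(line)
        if not m:
            continue  # ignore lines in a format we do not understand
        mac = m.group("mac")
        entries[m.group("ip")] = (mac.lower() if mac else None, m.group("state"))
    return entries


def find_stale_entries(entries, expected):
    """Compare cached ARP entries against the expected MAC for each IP.

    Returns a list of (ip, cached_mac, expected_mac) for every firewall
    address whose cached entry is missing a MAC or still carries the old
    one. Addresses absent from the cache are fine: the next packet will
    trigger a fresh ARP request and learn the ASA's MAC.
    """
    problems = []
    for ip, new_mac in expected.items():
        cached = entries.get(ip)
        if cached is None:
            continue
        mac, _state = cached
        if mac != new_mac.lower():
            problems.append((ip, mac, new_mac.lower()))
    return problems


def check_live(expected):
    """Run `ip neigh show` on this host and return its stale entries."""
    out = subprocess.run(["ip", "neigh", "show"], capture_output=True,
                         text=True, check=True).stdout
    return find_stale_entries(parse_ip_neigh(out), expected)


if __name__ == "__main__":
    # Demonstrate on the constructed sample rather than the live cache.
    for ip, cached, wanted in find_stale_entries(
            parse_ip_neigh(SAMPLE_IP_NEIGH), EXPECTED_FIREWALL_MACS):
        print(f"{ip}: cache has {cached}, expected {wanted} "
              f"(clear the entry or wait for the ASA's gratuitous ARP)")
```

Run it on each server after the swap (or adapt `parse_ip_neigh` to the `show arp` format of your routers and switches); an empty result means the neighbour has already learned the ASA's MAC, while any reported entry is one where "clear arp" (or `ip neigh flush` on Linux) is still needed before traffic through the new firewall can resume.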