I configure my ASA 5520 using the command line, but I keep an https:// session open so I can use the packet tracer in order to perform virtual tests. Great.
So I check to see if my configuration will pass a simple HTTP request from inside to outside (as allowed by my inside ACL). Sure enough, the packet tracer says the packet will pass.
I wire in the firewall. I can ping the inside router from it. I can ping our ISP's router on the outside. It's definitely wired into the network. I try to pass an http request. The hitcount increments on the correct ACL entry.
But it doesn't work. And I'm not sure even what to look for at this point.
I put my packet sniffing kit in line between the firewall's outside interface and the ISP router's inside interface. Hey, the request does indeed get passed to the outside interface (just as the ASA claimed it would).
But no response.
Is there something I have to do to get the ISP router to "see" the new firewall?
What I do now is take down the old firewall and put the ASA in its place. Then I reboot the ASA in place, figuring that will add the ASA to the upstream ARP and MAC address tables. But apparently that's not enough.
How can I get everyone upstream to talk to my new box?
Also: this is a hospital network so my swapouts must be limited to a few minutes of testing since we cannot be down for any long stretch. So after the failure, I put the old firewall back. It KINDA works (it'll pass and accept traffic but Remote Access clients fail). I reboot the old one in place and it works completely.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: