Problem with "alias" after migrating config from PIX 6.3 to FWSM 3.1
I've been running two firewalls for some time now, one Pix serving our web applications and one FWSM serving both users and some web application servers.
After the migration the FWSM is set up like this
During the migration I pretty much copied all the statics, access-lists and alias entries and adapted them for the FWSM interface names before applying them. No errors there.
Now the old alias commands from the PIX are causing me a lot of headache.
The commands I copied look something like alias(applicationNetInterface) insideIP OutsideIP. alias(ClientNetInterface) insideIP OutsideIP. Seems ok to me.
But running these on the FWSM causes problems for my incoming internet visitors. I've set up a testing system using 3G and at some point after doing clear xlate I can no longer access my web from my testing system. Nothing in the logs indicating translation errors.
The show connection does however give me strange input.
My static for the web service is like this: static (SERVER,INTERNET) 22.214.171.124 10.91.1.200
But I get connection entries from the outside for both the inside and outside IP
sh conn | include 126.96.36.199
TCP out 188.8.131.52:1916 in 184.108.40.206:80 idle 0:00:12
TCP out 220.127.116.11:1259 in 18.104.22.168:80
sh conn | include 10.91.1.200
TCP out 22.214.171.124:4610 in 10.91.1.200:80 idle 0:00:36
How could this be? On the Pix I used the alias command to allow application servers to resolve the web address to an inside address, something I still need to do, and had no problem with the setup.
Re: Problem with "alias" after migrating config from PIX 6.3 to
The application servers may be resolving the web addresses using internal DNS cache. This could be the reason you are still able to see the inbound and outbound connections. The FWSM has nothing to do in this case.
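The show conn observation in the question can be checked mechanically. The following is an added example, not part of the original thread: it groups connection lines for one static by whether the "in" side holds the real or the mapped address. The function name, the sample lines and the placeholder addresses (192.0.2.10 as the mapped address, 198.51.100.x and 203.0.113.x as clients) are constructed; only 10.91.1.200 comes from the post.

```python
import re

# One connection line in the abbreviated form shown in the post.
CONN_RE = re.compile(
    r"^(TCP|UDP)\s+out\s+(\d+(?:\.\d+){3}):(\d+)\s+in\s+(\d+(?:\.\d+){3}):(\d+)"
)

def classify_conns(show_conn_text, real_ip, mapped_ip):
    """Group connections for one static by which address the 'in' side holds."""
    groups = {"real": [], "mapped": [], "other": []}
    skipped = 0
    for raw in show_conn_text.splitlines():
        m = CONN_RE.match(raw.strip())
        if not m:
            if raw.strip():
                skipped += 1  # command echo, truncated or wrapped line
            continue
        proto, out_ip, out_port, in_ip, in_port = m.groups()
        conn = (proto, out_ip, int(out_port), in_ip, int(in_port))
        if in_ip == real_ip:
            groups["real"].append(conn)
        elif in_ip == mapped_ip:
            groups["mapped"].append(conn)  # the entries the poster finds strange
        else:
            groups["other"].append(conn)
    return groups, skipped

# Constructed sample: 10.91.1.200 is the real address from the post's static;
# 192.0.2.10 (mapped) and the client addresses are documentation placeholders.
SAMPLE = """\
sh conn
TCP out 198.51.100.7:1916 in 192.0.2.10:80 idle 0:00:12
TCP out 203.0.113.44:1259 in 192.0.2.10:80
TCP out 198.51.100.7:4610 in 10.91.1.200:80 idle 0:00:36
UDP out 203.0.113.9:53 in 10.91.1.53:40000 idle 0:00:02
"""

if __name__ == "__main__":
    groups, skipped = classify_conns(SAMPLE, "10.91.1.200", "192.0.2.10")
    for kind in ("real", "mapped", "other"):
        print(kind, len(groups[kind]))
    for conn in groups["mapped"]:
        print("in-side holds mapped address:", conn)
    print("skipped lines:", skipped)
```

Running it against output captured before and after clear xlate shows whether the entries keyed on the mapped address appear only once the translations are rebuilt.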