Replacing PIX with ASA issue

Phil Smith
Level 1

Hi

I am experiencing issues at a site where I need to replace an ageing PIX 506e with an ASA 5505.

The current setup looks like this:

[diagram: pby.jpg]

The PIX is used for site-to-site VPN connection via the WAN 2 link.  The WAN 1 link is used for general Internet connectivity.

I don't have access to the Draytek Router as it is supported by a 3rd party, but I believe it uses static routing to direct the relevant traffic to/from the PIX.

When I replace the PIX with the ASA, the inside i/f connection experiences dropouts - but no errors show in the logs.

The only significant difference I can see in the config is that the ASA utilises VLANs for the inside & outside interface configs - I used the PIX-to-ASA Migration tool to make the initial configuration on the ASA.

In tests, if I only connect the inside i/f of the ASA, pings from the LAN are stable.  Once I connect the outside i/f, pings time out approx 80% of the time.

Could anyone offer any advice please?

Accepted Solution

Maykol Rojas
Cisco Employee

Phil,

I think I know why. The ASA firewall uses the same mac-address for both VLANs, so that can mess the hell up with that router (if it is using switchports). If it is using interfaces it shouldn't cause a problem.

If you do a show interface and look for the mac-addresses of both vlans, you will see what I am talking about.

Based on your diagram, I think that is the problem.

Solution: assign the physical mac-address of the port that is connected to the outside to the respective VLAN ID. You can see the physical mac-address using the show version command.

Let me know how it goes.

Mike
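The check and fix Mike describes, written out as an added ASA CLI walkthrough that is not from the thread. It assumes the migration tool's default 5505 layout (Vlan1 = inside, Vlan2 = outside, outside uplink on Ethernet0/0); the MAC value is a constructed placeholder, so substitute the one your own show version reports.

```cisco
! Assumptions (not from the thread): Vlan1 = inside, Vlan2 = outside,
! outside uplink on Ethernet0/0. The MAC below is a constructed placeholder.

! 1. Confirm the two VLAN interfaces currently report the same MAC
show interface Vlan1 | include address
show interface Vlan2 | include address

! 2. Read the burned-in MAC of the physical outside port
show version | include Ethernet0/0

! 3. Pin the outside VLAN to that port's MAC so the router sees two
!    distinct stations instead of one MAC flapping between its ports
configure terminal
interface Vlan2
 mac-address 001a.2b3c.4d5e
 exit
end
write memory

! 4. Verify the inside and outside interfaces now show different MACs
show interface Vlan1 | include address
show interface Vlan2 | include address
```

If the router is a managed switch you can also confirm the fix from its side: its MAC table should stop showing the same address moving between the two ports once step 3 is applied.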


2 Replies


Mike, many thanks for this info - I will mark it as correct answer when I get the chance to test (I am out of the country at the moment), but feel very confident that it will solve the issue.

Again, thank you.

Phil
