Cisco Support Community

New Member

Replacing PIX with ASA issue

Hi

I am experiencing issues at a site where I need to replace an ageing PIX 506e with an ASA 5505.

The current setup looks like this:

[attached diagram: pby.jpg]

The PIX is used for site-to-site VPN connection via the WAN 2 link.  The WAN 1 link is used for general Internet connectivity.

I don't have access to the Draytek router as it is supported by a third party, but I believe it uses static routing to direct the relevant traffic to/from the PIX.

When I replace the PIX with the ASA, the inside i/f connection experiences dropouts - but no errors show in the logs.

The only significant difference I can see in the config is that the ASA utilises VLANs for the inside & outside interface configs - I used the PIX-to-ASA Migration tool to make the initial configuration on the ASA.

In tests, if I only connect the inside i/f of the ASA, pings from the LAN are stable.  Once I connect the outside i/f, pings time out approx. 80% of the time.

Could anyone offer any advice please?

Accepted Solution
Cisco Employee

Phil,

I think I know why. The ASA firewall uses the same MAC address for both VLANs, so that can mess the hell up with that router (if it is using switchports). If it is using interfaces it shouldn't cause a problem.

If you do a show interface and look for the MAC addresses of both VLANs, you will see what I am talking about.

Based on your diagram, I think that is the problem.

Solution: assign the physical MAC address of the port that is connected to the outside to the respective VLAN ID. You can see the physical MAC address using the show version command.

Let me know how it goes.

Mike
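The check and fix Mike describes, written out as an added ASA 5505 CLI session (not from the thread). The MAC addresses, hostname and the assumption that Ethernet0/0 is the port patched to the outside are placeholders; the point is that when both VLAN interfaces share one MAC, a switch (such as the Draytek's LAN ports) sees that MAC flapping between two ports, which produces exactly the intermittent loss described above.

```cisco
! 1. Check: by default the two VLAN interfaces on the 5505 report the same MAC.
ciscoasa# show interface Vlan1 | include MAC
        MAC address 0011.2233.4455, MTU 1500
ciscoasa# show interface Vlan2 | include MAC
        MAC address 0011.2233.4455, MTU 1500

! 2. Find the burned-in MAC of the physical port connected to the outside
!    (Ethernet0/0 is assumed here; the address is a placeholder).
ciscoasa# show version | include Ethernet0/0
 0: Ext: Ethernet0/0         : address is 0011.2233.4456, irq 255

! 3. Fix: pin that physical MAC to the outside VLAN so each VLAN
!    is seen by the router with its own, distinct source MAC.
ciscoasa# configure terminal
ciscoasa(config)# interface Vlan2
ciscoasa(config-if)# mac-address 0011.2233.4456
ciscoasa(config-if)# exit
ciscoasa(config)# write memory

! 4. Verify: the two VLANs now show different MAC addresses.
ciscoasa# show interface Vlan1 | include MAC
        MAC address 0011.2233.4455, MTU 1500
ciscoasa# show interface Vlan2 | include MAC
        MAC address 0011.2233.4456, MTU 1500
```

After the change, clear the Draytek's MAC table (or reboot it if you have no access) so stale entries for the old shared MAC do not linger, then repeat the ping test with both ASA interfaces connected.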
New Member

Mike, many thanks for this info - I will mark it as the correct answer when I get the chance to test (I am out of the country at the moment), but I feel very confident that it will solve the issue.

Again, thank you.

Phil