We have two ASA 5510 devices. Both configured exactly the same. One is working, the other isn't. We plug ASA (2) in to the network and unplug ASA (1) and we can ping internally, and to our DMZ, but we can't browse to the web. We go back to ASA (1) and all is fine.
Any suggestions? NB: We are not using anything as fancy as Failover - just manually unplugging one and plugging the other one in.
What/Who are you using for an Internet connection? Some broadband ISP's here in the US cache + restrict the MAC address of a customer firewall/router to ensure that only 1 device gets Internet service.
Thanks for the suggestion. I don't think this can be the problem though, as we moved from a PIX to the ASA last year, and it worked.
Thanks. I have tried pinging google and various other sites, with no luck.
However, on our test firewall (2) we have managed to get to the outside world, by entering this into the config:
global (outside) 1 interface
So, we can now browse the web, but only if we bypass our proxy server. If we try to go through the proxy, it still fails. But we are making progress!
are you making sure all the arp caches everywhere are flushing out? i always manually flush all the directly connected devices' arp caches when i change out firewalls. it takes too long for arp tables to update otherwise.
Thanks for your reply, and apologies for taking a while to respond. I have flushed arp on the proxy server, but not on the asa device itself. I will give this a try.
Hi. We tried again today. No luck. I cleared arp on the proxy server, flushed DNS as well. Still nothing. As I said, we can web browse if we bypass proxy. We can't go through the proxy or get our exchange server to talk to the outside world. Both these servers are mapped in the firewall config with internal and external ip addresses.
Are you connecting the Internet link directly on the ASA or it is behind the Router .
I think its an ARP issue.try to clear the ARO cache of the Router
Hi - thanks for the reply. The ASA is behind a router. We have no access to the router, however. I'm pretty sure the initial work on our ASA did not involve any work on the router at all.