Trying to replace old firewall with shiny new ASA 5510.
When I put the ASA into production, the subnet x.x.1.0 that is on the inside interface (3-port ASA) works fine. We have an inside DNS server x.x.1.21 that all hosts look to.
There are no access lists on the inside interface of ASA yet. I have added "inspect icmp" and "inspect icmp-error" into its policy-map prior to all of this which seems to allow icmp now mostly.
I have several other subnets that are routed into the x.x.1.0 subnet via a Cisco 3550 router/switch. They have problems connecting to http with the ASA. For my last test, I went over to the x.x.5.0 subnet department after installing the ASA. One host worked fine; the other (of two hosts) did not. (Some other departments don't work at all.)
From the x.x.5.0 subnet:
I can ping hosts on the x.x.1.0 network - just can't ping the one server x.x.1.21. In other words, when on a trouble host PC x.x.5.101, I can ping x.x.1.26 (Cisco firewall inside interface), x.x.2.26 (another subnet), and x.x.1.1, the router/switch port that connects the x.x.5.0 subnet with x.x.1.0 - but not the one server x.x.1.21.
The other host on the x.x.5.0 can ping everything and get DNS requests. Works fine. Other subnets (x.x.10.0, 192.168.x.0) that have more segments behind them with routers get DNS blocked so have no connectivity to internet from any hosts on them.
Here are some deny statements from the ASA:
Deny inbound UDP from x.x.1.21/137 to x.x.5.101/137 on interface inside
Deny inbound UDP from x.x.1.21/53 to x.x.5.101/1031 due to DNS Response