I am upgrading our hardware from a PIX 506E to a 515E (6.3(5)). I have a range of external IP addresses I use for services on the internal network. I had them working fine on the 506E. Once I moved to the 515E I cannot access anything from outside. I have had the ISP clear all ARP to make sure that would not cause a problem. I have looked over the configuration over and over with no success. I am sure the configuration is correct. Anyone have any advice or run into a similar problem?
Can you connect from inside to outside? If you are unable to connect from outside to inside, check your access-list that is applied to the outside interface. Also you will need static translations to connect to inside resources from outside.
Yes, I can connect from inside to outside. I can change the access-list and static translation to the outside interface's IP, and can connect great. But once I change the static external IP back to what I need, it will stop connecting. Logs do not show a connection was ever attempted. Just for a better example I have posted the outside and statics that I have.
Looking at your existing ACL, I think you don't need to use the same ACL for both the inside and outside interfaces. The outside ACL is meant to control incoming/inbound traffic into your network, while the inside ACL is meant to control what traffic can go out from your internal/inside network.
The 1st statement 'permit ip any any' will override the other statements. It will permit access to your xx.3 - xx.7 hosts if the internet users know the public IP (can easily scan) without being restricted to the specified ports.
For the inside ACL, use a different name/ID and specify permit ip any any and icmp any any for testing purposes, e.g.:
access-list 100 permit ip any any
access-list 100 permit icmp any any
access-group 100 in interface inside
For ACL 101, remove the 1st 'permit ip any any' statement and re-add it so it will sit at the very end of the ACL. This will allow you to see the ACL statistics hitting your opened ports like 80 & 443 when you issue the 'show access-list 101' command.
Then test, for example, access to xx.xx.xx.5 via WWW & HTTPS from outside, as well as pinging its public IP. Use the following commands to check the sessions:
sh access-list 101 -> look for any hitcount
sh conn | i 80 -> check incoming access to port 80 (www)
sh conn | i 443 -> check incoming access to port 443 (https)
If inbound access is still failing, check the log for that server.
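A small first-match ACL simulator, added here and not part of the thread, that reproduces the point made above: with 'permit ip any any' at the top, the specific entries never record a hit (so 'show access-list' tells you nothing) and every port on the exposed hosts is reachable; moving the catch-all to the end makes the hit counts visible, and dropping it leaves only 80/443 open. 192.0.2.5 is a constructed stand-in for the poster's xx.xx.xx.5, and the entry fields are a simplification of PIX syntax.

```python
# Added example (not from the thread): first-match ACL evaluation with hit counts.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Ace:
    """One access-list entry: action, protocol, destination, destination port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    dst: str                     # "any" or CIDR, e.g. "192.0.2.5/32"
    dport: Optional[int] = None  # None matches any port
    hits: int = 0                # what 'show access-list' reports as hitcnt

def matches(ace: Ace, proto: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dst != "any" and ip_address(dst) not in ip_network(ace.dst):
        return False
    return ace.dport is None or ace.dport == dport

def evaluate(acl: List[Ace], packets) -> Tuple[List[str], List[int]]:
    """First matching entry wins; anything unmatched falls to the implicit deny."""
    decisions = []
    for proto, dst, dport in packets:
        for ace in acl:
            if matches(ace, proto, dst, dport):
                ace.hits += 1
                decisions.append(ace.action)
                break
        else:
            decisions.append("deny")
    return decisions, [a.hits for a in acl]

# Constructed values: 192.0.2.5 stands in for the poster's xx.xx.xx.5 web server.
HOST = "192.0.2.5"
TRAFFIC = [("tcp", HOST, 80), ("tcp", HOST, 443), ("tcp", HOST, 3389), ("icmp", HOST, None)]

def specific_entries() -> List[Ace]:
    return [Ace("permit", "tcp", HOST + "/32", 80), Ace("permit", "tcp", HOST + "/32", 443)]

def permit_any_first():   # ACL 101 as posted: catch-all shadows the specific lines
    return evaluate([Ace("permit", "ip", "any")] + specific_entries(), TRAFFIC)

def permit_any_last():    # suggested re-ordering: hit counts become visible
    return evaluate(specific_entries() + [Ace("permit", "ip", "any")], TRAFFIC)

def specific_only():      # catch-all removed: only 80/443 reach the host
    return evaluate(specific_entries(), TRAFFIC)

if __name__ == "__main__":
    for name, fn in [("any first", permit_any_first), ("any last", permit_any_last),
                     ("specific only", specific_only)]:
        print(name, fn())
```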