Cisco Support Community

new firewalls don't pass traffic?

I installed new 525s with FoS7.0.4 to replace my two 515s with FoS6.3. However, the 525s won't pass traffic or reply to inside devices when pinged/etc. I verified that the configs are identical (as much as possible with the syntax changes). The primary 525 can ping the outside world fine, and the inside world fine (and the DMZ). The hosts inside can't ping outside. I verified that the ACLs were applied to the correct interfaces, and I saw no odd logging errors. Is it possible that there is some convergence time across the switch fabric of the new mac/ip entry for the new firewall inside interface? Other ideas?

5 REPLIES

Re: new firewalls don't pass traffic?

Hi .. it would be helpful if you post the 525 PIX's config

Re: new firewalls don't pass traffic?

Yeah, it will take quite a bit of tidying up to be net-safe. I'm looking for a general indication, since the configs are the exact same as the 515s (only diff is the change in syntax).


Re: new firewalls don't pass traffic?

Hiya- you'll need to have an acl for the return ICMP traffic, sort of like:

-access-list outside_access_in extended permit icmp any any

-access-group outside_access_in in interface outside

I've just done this in 7.0.x and can confirm it does allow returning ICMP traffic to an inside host.

I can't recall if 6.x treated things in the same way. Like yourself, I've just carried out an upgrade, but there were some new requirements as well, hence the return ICMP rule.

HTH- RMIID!

Gary
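A narrower form of the return-ICMP rule Gary shows, as an added example that is not from this thread: `permit icmp any any` admits every ICMP type from every outside source, whereas the entries below admit only the reply and error types an inside host needs, and the policy-map lines show the 7.0 ICMP inspection engine as an alternative that admits replies only for echo requests it has seen leave. It assumes the same ACL and interface names as the reply above and PIX 7.0 syntax.

```cisco
! Permissive entry from the reply above, kept here only for comparison:
! access-list outside_access_in extended permit icmp any any
!
! Narrower entries: echo replies plus the error messages that carry
! unreachable and TTL-expired information back to the inside host
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside
!
! Alternative on 7.0: stateful ICMP inspection tracks outbound echo
! requests and lets only the matching replies back in, so the inbound
! ACL needs no ICMP entry at all
policy-map global_policy
 class inspection_default
  inspect icmp
```

Either approach keeps inside-originated pings working; the difference is how much unsolicited inbound ICMP the outside interface accepts.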

Re: new firewalls don't pass traffic?

I solved my own issue, and it had nothing to do with ACLs and such... In fact, the exact same config and setup went in perfectly this time. I think it was just an arp related issue.


Re: new firewalls don't pass traffic?

So, you didn't do anything in particular. I am having the same problem and am guessing that it is an ARP issue. What did you do to resolve? Reboot switch, router that the PIX points to for its route outside? Reboot IPS if you have one? Let me know.
