I upgraded from 6.2 to 6.3 - went without any problems. After rebooting the firewall, all internet connectivity is gone. I cannot connect from inside out, but can connect from DMZ to the inside. I cleared the xl table, rebooted the servers, rebooted the firewall again... no luck. Any ideas on what could cause this? How to back rev and get out of this mess?
Can you ping the external default gateway from the Pix?
Are there entries in the xlate table for traffic attempting to go out? [show xlate]
What do the logs say? Any errors or denies?
You can downgrade the firewall the same way you upgraded it. It's best if you backed up your config and restore it, but unless you're using some odd feature that was deprecated there shouldn't be any issue to just continue with the existing config that's on there.
Rather than downgrading, I suggest we just fix the problem with 6.3.
From the firewall, I cannot ping the public switch, the perimeter router (default gateway), or anything "outside".
I can VPN from home... the public VPN connection comes in on a different network (different default gateway) and lands outside the firewall... the inside interface of the VPN resides in the DMZ... once I have the VPN connection, I can establish VNC connections to machines "inside" the firewall...
It is a PIX 525... I can't reach the logs from home... I am going in shortly and will check the logs...
Was able to restore... I was upgrading to 6.3(3)109. I finally back rev'd to 6.3(1). It removed the fixup dns command and fixup tftp command... after I did a wr mem and reloaded... it worked... Odd, when I was going through the config when it was at 6.3(3)109, I saw the fixup dns maximum-length 512 command and removed it... it still didn't fix it... when I originally reloaded after back rev'ing to 6.3(1), this is the error that appeared....
Configuration Compatibility Warning:
The version 6.3(3)109 configuration may contain syntax that is
not backward compatible with the 6.3(1) image that is loaded.
bad protocol dns
Config Error -- fixup protocol dns maximum-length 512
bad protocol tftp
Config Error -- fixup protocol tftp 69
..................Warning : IP and subnetmask form invalid pair indicating broad
It stripped the commands out, I saved it, reloaded and all is well...