I am in the process of upgrading a Cisco PIX 506 to a 506e, however, I am not having much luck. I copied the existing PIX configuration from the 506 to the new PIX, with the exception of the ALIAS statements. These were removed since the web-based configuration tool doesn't support them. Based on the configuration, this shouldn't be a problem, however. For some reason the 506 was set up to do reverse NAT, and this function is not necessary based on the environment and network. We are, however, using static NAT.
Here's what happens. When I plug in the new 506e, most everyone can access the outside interface and reach the Internet. However, certain IP addresses (I've found two so far) are blocked. Those that can access the Internet can't access the internal web server except by IP address. They receive an error when using a name. Outside folks can access the internal websites without a hitch.
I tried adding the DNS option to my NAT statement, and this allowed access to the internal servers by name, but then no one could access the OUTSIDE interface.
If I plug the original PIX 506 back in, everything works fine. I have been over my configuration many times, and nothing stands out as being different.
Any ideas? I would appreciate any help I could get.
It would be interesting to see both configurations (post them here, taking out any sensitive info). Also, if you have a router in front of the PIX, can you clear the ARP on the router and also on the PIX too?
Thanks for responding. The PIX firewall is the only device on the perimeter. There isn't another router. I would prefer to send the configs directly to you versus posting them on the forum. Let me know if this is OK to do. I appreciate you taking the time to help me with this.
No problem, send to firstname.lastname@example.org and I'll take a look. What I meant by clearing the ARP on the router is to clear the ARP on your perimeter router that connects to your ISP. It would be interesting to see your network topology too.