Firewall Wizards mailing list archives
Re: PIX 515 7.1 vs: 8.0
From: Brian Blater <brb.lists () gmail com>
Date: Thu, 17 Mar 2011 09:01:51 -0400
On Tue, Mar 15, 2011 at 4:07 PM, Kevin Horvath <kevin.horvath () gmail com> wrote:
1) Enable local buffer logging, manually add a host with an IP on the inside, then try to access something on the internet, and view your logs for errors, view your connection table ("show conn det") and your xlate table to see where the issue is.
2) Add a default route to the outside interface; everything else appears directly connected, so you don't need routes for those (you can verify your route table with "sh route").
3) As someone mentioned, it looks like you have dhcpd enabled for the dmz and vonage interfaces and not the inside. Add an entry for the inside as well.

On Sat, Mar 12, 2011 at 12:54 AM, Christopher J. Wargaski <wargo1 () gmail com> wrote:
Hey Brian--
Configuration-wise you should have no problems with 8.0 if you know 7.1. You appear to have NAT configured correctly. Your ACLs look good too. What I do not see are any route statements--do you have a default route set? Also, you should increase the message-length maximum to 4096 given the rollout of DNSSEC.
cjw
Thank you for everyone's input. I've been working on this the last few days and this is what I've found so far.

1. DHCP for the inside is handled by a server on the inside network, so I'm not using the FW for DHCP on the inside.
2. Default route - yes, the default route was not defined at the time I grabbed the config for the e-mail. It is defined now.
3. After being really puzzled by this issue I decided to go back to the basics and removed all the ACLs etc. to make sure nothing was screwed up, and as Christopher said, the config is correct.
4. Since #3 above didn't change anything I decided to pull the 4FE-PIX66 card and put in a 1FE card just to check everything. Lo and behold, the DMZ port worked without issue.
5. Figured the 4FE card was bad and got another one. Installed that in the PIX and it does not work either. With the 4FE installed, if you look at the interface it shows the port down, but the config has the port active.

So, now I'm wondering why the PIX I have will not support the 4FE card. The PIX is a 515E with the unrestricted license with 256M of memory. The PIX also has a VAC+. I've tried the 4FE in both slots and without the VAC+ card and it just refuses to work. I guess I could have 2 bad 4FEs, but I think that is unlikely. Can anyone think of what else I'm missing from the PIX that would cause the 4FE not to work at all?

Thanks,
Brian

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
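The troubleshooting steps quoted from Kevin (buffered logging, default route, inside DHCP pool, checking the conn and xlate tables) and Christopher's DNSSEC message-length change, written out in PIX 7.x/8.x CLI syntax. This is an added example for reference, not configuration posted by anyone in the thread: the outside gateway 203.0.113.1, the 192.168.1.0/24 inside network and the DHCP pool are placeholder values, and the dhcpd lines only apply if the firewall, rather than a server on the inside, is meant to hand out leases.

```cisco
! --- Step 1: keep a local log buffer so failed connections leave a trace ---
logging enable
logging buffer-size 16384
logging buffered informational

! --- Step 2: default route out the outside interface (placeholder gateway) ---
! Directly connected subnets (inside, dmz, vonage) need no static routes.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! --- Step 3: DHCP pool on the inside, only if the PIX is the DHCP server ---
! (Brian runs DHCP on an inside server instead, so these lines would be omitted.)
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns 192.168.1.5
dhcpd enable inside

! --- Christopher's suggestion: raise the DNS inspection message-length ---
! The 7.x/8.x default of 512 bytes drops larger DNSSEC-signed responses.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096

! --- Verification, run after a test host on the inside tries to reach the internet ---
show logging            ! look for %PIX-3/4/6 messages about the test host's flows
show conn detail        ! is a connection built for the host at all?
show xlate              ! did it get a translation on the outside interface?
show route              ! confirm the 0.0.0.0/0 entry points out "outside"
show interface          ! line/protocol state of each port
show version            ! detected hardware, interface count, and license limits
```

The `show interface` and `show version` lines are the ones to check for the 4FE symptom Brian describes: `show interface` reports the physical line and protocol state independently of what the config says, and `show version` lists the interfaces the platform actually detected together with the licensed interface and feature limits, so a card the box does not enumerate will be missing there rather than appearing as down.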
Current thread:
- PIX 515 7.1 vs: 8.0 Brian Blater (Mar 11)
- Re: PIX 515 7.1 vs: 8.0 John Morrison (Mar 15)
- Re: PIX 515 7.1 vs: 8.0 Christopher J. Wargaski (Mar 15)
- Re: PIX 515 7.1 vs: 8.0 Kevin Horvath (Mar 17)
- Re: PIX 515 7.1 vs: 8.0 Brian Blater (Mar 19)
- Re: PIX 515 7.1 vs: 8.0 Christopher J. Wargaski (Mar 22)
- Re: PIX 515 7.1 vs: 8.0 Brian Blater (Mar 22)
- Re: PIX 515 7.1 vs: 8.0 Christopher J. Wargaski (Mar 22)
- Re: PIX 515 7.1 vs: 8.0 Kevin Horvath (Mar 17)
- Re: PIX 515 7.1 vs: 8.0 John Morrison (Mar 22)
- Re: PIX 515 7.1 vs: 8.0 Brian Blater (Mar 22)