Re: PIX 515 7.1 vs: 8.0

[John Morrison <john.morrison101 () gmail com>]

Brian,

The PIX guide (
http://www.cisco.com/en/US/docs/security/pix/pix70/hw/installation/guide/515.html)
says both the 4FE and 4FE-66 can be used with the unrestricted feature
license. A maximum of 6 ports can be used (2 built-in plus the 4FE). On the
4FE the ports are numbered 2, 3, 4, 5 from left to right. The info for the
4FE (
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080189f0a.html)
says it is fine in the 515/515E.

The VAC and VAC+ also can be used.

128MB RAM is enough for the features. Only the VAC appears to require at
least v6.3

It sounds right.







On 17 March 2011 13:01, Brian Blater <brb.lists () gmail com> wrote:

> On Tue, Mar 15, 2011 at 4:07 PM, Kevin Horvath <kevin.horvath () gmail com>
> wrote:
> > 1) enable local buffer logging, manually add a host with IP on the
> > inside, then try to access something on the internet, and view your
> > logs for errors, view your connection table "show conn det", and your
> > xlate table to see where the issue is.
> >
> > 2) add a default route to the outside interface, everything else
> > appears directly connected so you dont need routes for those (you can
> > verify your route table with "sh route").
> >
> > 3) as someone mentioned, looks like you have dhcpd enabled for the dmz
> > and vonage interfaces and not the inside.  Add a entry for the inside
> > as well.
> >
> > On Sat, Mar 12, 2011 at 12:54 AM, Christopher J. Wargaski
> > <wargo1 () gmail com> wrote:
> > > Hey Brian--
> > >   Configuration-wise you should have no problems with 8.0 if you know
> 7.1.
> > >    You appear to have NAT configured correctly. You ACLs look good too.
> what
> > > I do not see are any route statements--do you have a default route set?
> > >    Also, you should increase the message-length maximum to 4096 given
> the
> > > rollout of DNSsec.
> > >
> > > cjw
>
> Thank you for everyone's input. I've been working on this the last few
> days and this is what I've found so far.
>
> 1. DHCP for the inside is handled by a server on the inside network so
> I'm not using the FW for DHCP on the inside.
> 2. Default route - yes, the default route was not defined at the time
> I grabbed the config for the e-mail. It is defined now.
> 3. After being really puzzled by this issue I decided to go back to
> the basics and removed all the ACLs etc to make sure nothing was
> screwed up and as Christopher said, the config is correct.
> 4. Since #3 above didn't change anything I decided to pull the
> 4FE-PIX66 card and put in a 1FE card just to check everything. Low and
> behold the DMZ port worked without issue.
> 5. Figured the 4FE card was bad and got another one. Installed that in
> the PIX and it does not work either. With the 4FE installed if you
> look at the interface it shows the port down, but the config has the
> port active.
>
> So, now I'm wondering why the PIX I have will not support the 4FE
> card. The PIX is a 515E with the unrestricted license with 256M of
> memory. The PIX also has a VAC+. I've tried the 4FE in both slots and
> without the VAC+ card and it just refuses to work. I guess I could
> have 2 bad 4FEs, but I think that is unlikely.
>
> Can anyone think of what else I'm missing from the PIX that would
> cause the 4FE not to work at all?
>
> Thanks,
> Brian
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards