Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Replacing Netscreen 5XP with Cisco 515E

Posted on 2004-11-07
7
Medium Priority
?
481 Views
Last Modified: 2013-11-16
Hi, I am replacing a Netscreen 5XP firewall with Cisco 515E. The netscreen has been working properly for the past 3 years and it is still functioning well but I need more robust device. I setup the Cisco and tested it by attaching two laptops, one to the interface 0 and the second to interface 1. They worked properly and I was able to access services "inside". I also called Cisco and had them verify the configuration as I am installing that firewall into the production env. They confirmed that everything was perfect.
After I installed the firewall by replacing them, I have run into problems. When I unplog the netscreen and plug in the cisco box, I am able to browse internally but people outside are unable to access any of the services such as www, https, VPN or 3389. Again I called Cisco and they went over the configuration just to confirm that it is perfect. They suggested that I am having problems because of the ARP table on the router before the firewall. The router is provided by the datacenter so I don't have access to it and Ican get it cleared. Is there only one router that I would normally have to have them clear?I want to see if you have any suggestions.
Appreciate all help.
0
Comment
Question by:gzejer
  • 4
  • 3
7 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12520455
Yes, that is a very good suggestion to clear the arp cache in the router directly connected to the PIX outside interface.
If you can't get it cleared, just give it some time to clear itself.

Also, make sure you do NOT have this line in your PIX:

   sysopt noproxarp outside

>When I unplog the netscreen and plug in the cisco box,
Can you be more specific in your procedure? Do you power off the Netscreen completely?

Is the inside iP address of the PIX the same as the netscreen? is this PIX IP the default gateway for the servers?
The servers also have an arp cache, but normally with shorter timouts than the router, so they should clear themselves.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12520461
One other thing to check is potential duplex mismatch between the PIX outside interface and the switch/hub/xover cable direct to router? How are you connected?
0
 

Author Comment

by:gzejer
ID: 12520568
I shut down the netscreen firewall completely and unplog it from the network.I connect the cisco firewall in its place and to the same switch. The configuration stays the same. Both firewalls use the same gateway inside and the IP address of the inside interface is the same for both firewalls. So basicly the configuration is the same.

The outside interface is connected to the patch panel with a staight cable and the inside interface is connected to the switch with a straight cable as well. It is rather strange because I have the netscreen connected with a crossover right now but when I connected the cisco pix the same way the inside interface did not respond and I did not get a link.

0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
LVL 79

Expert Comment

by:lrmoore
ID: 12520624
PIX to switch is always straight through cable.
What is between the patch panel that the outside interface plugs into and the next hop router?
Did you possibly have the crossover cable on the OUTside interface? Have you tried this?
0
 

Author Comment

by:gzejer
ID: 12520668
I did try it and it did not work. I was not getting the link light on the firewall. I only have access to the patch panel and nothing beyond that. I know that there is a router but othwise I don't know the topology. Everything passed the patch pannel and router belong to the datacenter.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12520684
OK, then it must be the arp cache on the router. Have you hooked it up and then waited 10-15 minutes?
0
 

Author Comment

by:gzejer
ID: 12520800
I did try waiting about 20min but nothing happened and  since it is located in the datacenterI had to switch back to the netscreen. I am going to test it again in about 30min
0

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question