Upgrading from pix501 to 515e question

We have a PIX 501 with 6.3(5). We are going to change the device out for a 515E, also with 6.3(5).

My question is: what's the best way to copy the config over to the new device so all our configurations work the way they should? I tried to use the PDM, but the 515E isn't working the same way the 501 was. The main issue is the following: on the outside interface of the PIX 501 I have three different public IPs that have certain ports forwarded to different internal servers. This behavior doesn't want to work on the 515E. This is the config from the 501 in question; it works just fine on the 501, but when I copy and paste it to the 515E the routes to the 192.168.101.4 server do not work. As a matter of fact, when I copy this to the 515E the 192.168.101.4 server loses internet access until I remove the following line: "static (inside,outside) XX.XX.206.36 exch-server netmask 255.255.255.255 0 0"


name 192.168.101.2 web-server
name 192.168.101.4 exch-server

access-list outside_access_in2 permit tcp any interface outside eq www
access-list outside_access_in2 permit tcp any interface outside eq https
access-list outside_access_in2 permit tcp any interface outside eq pptp

access-list outside_access_in2 permit tcp any host XX.XX.206.36 eq smtp
access-list outside_access_in2 permit tcp any host XX.XX.206.36 eq www
access-list outside_access_in2 permit tcp any host XX.XX.206.36 eq https
access-list outside_access_in2 permit tcp any host XX.XX.206.36 eq pptp
access-list outside_access_in2 permit tcp any host XX.XX.206.36 eq ftp
access-list outside_access_in2 permit tcp any host XX.XX.206.36 eq 990
access-list outside_access_in2 permit tcp any host XX.XX.206.36 range 1024 1050
access-list outside_access_in2 permit tcp any host XX.XX.206.36 eq 4343
access-list outside_access_in2 permit tcp any host XX.XX.206.36 eq pop3
access-list outside_access_in2 permit tcp any host XX.XX.206.36 eq 4433
access-list outside_access_in2 permit tcp any host XX.XX.206.37 eq www
access-list outside_access_in2 permit tcp any host XX.XX.206.37 eq https


ip address outside XX.XX.206.35 255.255.255.224
ip address inside 192.168.101.1 255.255.255.0



nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 web-server 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1723 web-server 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.101.204 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.101.204 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp web-server pptp netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.206.36 exch-server netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.206.37 192.168.101.205 netmask 255.255.255.255 0 0
access-group outside_access_in2 in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.206.33 1

Asked by adpro

2 Solutions
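The failure described in the question (a server that stops answering, or loses outbound access, after a copy-and-paste migration) is usually a mismatch between the three pieces a PIX 6.x inbound publish needs: a `static` translation, an `access-list` permit that reaches it, and an `access-group` binding that ACL to the outside interface. The following is an added example, not code from the thread or from Cisco: a small checker that parses config lines in the shape posted above and reports permits with no static behind them, statics no bound ACL entry can reach, and ACL names referenced by `access-group` or `nat 0` that are never defined (the missing `inside_outbound_nat0_acl` that the second answer asks about). It assumes the masked XX.XX.206.x addresses are replaced by the constructed 203.0.113.x range, that `name` lines precede the lines using them (as in a running-config), and only handles the `permit <proto> any <host|interface> ... eq|range` ACL shape seen on the page.

```python
"""Pre-migration consistency check for PIX 6.x inbound publishing rules.

Added example (not the thread's own code). Parses `name`, `static`,
`access-list`, `access-group` and `nat ... access-list` lines and reports
mismatches that appear as "the server stopped working" after a migration.
"""
from collections import defaultdict

# PIX 6.3 service keywords used in the posted config -> TCP port numbers
SERVICE_PORTS = {"www": 80, "https": 443, "pptp": 1723, "smtp": 25,
                 "ftp": 21, "pop3": 110}

# Constructed sample: an abridged copy of the asker's config with the masked
# XX.XX.206.x public addresses replaced by the 203.0.113.x documentation range.
SAMPLE_CONFIG = """
name 192.168.101.2 web-server
name 192.168.101.4 exch-server
access-list outside_access_in2 permit tcp any interface outside eq www
access-list outside_access_in2 permit tcp any interface outside eq https
access-list outside_access_in2 permit tcp any interface outside eq pptp
access-list outside_access_in2 permit tcp any host 203.0.113.36 eq smtp
access-list outside_access_in2 permit tcp any host 203.0.113.36 range 1024 1050
access-list outside_access_in2 permit tcp any host 203.0.113.37 eq www
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 web-server 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1723 web-server 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.101.204 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.101.204 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp web-server pptp netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.36 exch-server netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.37 192.168.101.205 netmask 255.255.255.255 0 0
access-group outside_access_in2 in interface outside
"""


def port_number(token):
    """Map a PIX service keyword or numeric string to a port number."""
    return SERVICE_PORTS.get(token) or int(token)


def parse_config(text):
    names, statics = {}, []                 # alias -> IP; list of static dicts
    acls = defaultdict(list)                # ACL name -> [(proto, public, lo, hi)]
    defined, referenced, groups = set(), set(), {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":                # name <ip> <alias>
            names[tok[2]] = tok[1]
        elif tok[0] == "static":            # static (in,out) [proto] pub [port] priv [port] ...
            body = tok[2:]
            if body[0] in ("tcp", "udp"):   # port-level PAT static
                proto, pub, pport, priv = body[0], body[1], port_number(body[2]), body[3]
            else:                           # one-to-one static: all ports
                proto, pub, pport, priv = "ip", body[0], None, body[1]
            statics.append({"proto": proto, "public": pub, "port": pport,
                            "private": names.get(priv, priv)})
        elif tok[0] == "access-list":
            defined.add(tok[1])
            if tok[2] != "permit" or tok[4] != "any":
                continue                    # shape not handled by this checker
            if tok[5] == "interface":
                pub, rest = "interface", tok[7:]
            elif tok[5] == "host":
                pub, rest = tok[6], tok[7:]
            else:
                continue
            if rest[0] == "eq":
                lo = hi = port_number(rest[1])
            elif rest[0] == "range":
                lo, hi = port_number(rest[1]), port_number(rest[2])
            else:
                continue
            acls[tok[1]].append((tok[3], pub, lo, hi))
        elif tok[0] == "access-group":      # access-group <acl> in interface <if>
            referenced.add(tok[1])
            groups[tok[4]] = tok[1]
        elif tok[0] == "nat" and tok[3] == "access-list":   # nat (if) 0 access-list <acl>
            referenced.add(tok[4])
    return statics, acls, groups, defined, referenced


def check_inbound(text):
    """Return the three finding lists for the config text."""
    statics, acls, groups, defined, referenced = parse_config(text)
    outside_acl = acls.get(groups.get("outside", ""), [])
    findings = {"acl_without_static": [], "static_without_acl": [],
                "undefined_acl": sorted(referenced - defined)}

    def static_covers(proto, pub, port):
        return any(s["public"] == pub and
                   (s["proto"] == "ip" or (s["proto"] == proto and s["port"] == port))
                   for s in statics)

    for proto, pub, lo, hi in outside_acl:
        for port in range(lo, hi + 1):
            if not static_covers(proto, pub, port):
                findings["acl_without_static"].append((proto, pub, port))

    for s in statics:
        if not any(pub == s["public"] and
                   (s["proto"] == "ip" or (proto == s["proto"] and lo <= s["port"] <= hi))
                   for proto, pub, lo, hi in outside_acl):
            findings["static_without_acl"].append(
                (s["proto"], s["public"], s["port"], s["private"]))
    return findings


if __name__ == "__main__":
    for kind, items in check_inbound(SAMPLE_CONFIG).items():
        print(f"{kind}: {items}")
```

Run against the sample, the checker reports no permits lacking a static, two statics that nothing in the bound ACL reaches (TCP 3389 and UDP 1723 on the outside interface, both to web-server), and the referenced but undefined `inside_outbound_nat0_acl`. Running it over both the old and the new device's `write terminal` output before and after the paste gives a quick diff of what actually landed on the 515E.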
 
Darkstriker69 commented:
It sounds like a NATing issue. You have a lot of open ports to your exchange server, so it may be easier to add your exchange server to the NAT exempt list than it would be to make a static command for each port.

access-list inside_outbound_nat0_acl permit ip host exch-server any

Otherwise you need a static command for each port, as you have done with your web server.

Darkstriker69

 
Harsem commented:
Hello,
The only config from what you have posted that you cannot simply copy & paste is the config of the IP addresses. On the 515E these are configured per interface, such as:
interface Ethernet0
 nameif outside
 security-level 0
 ip address XX.XX.206.35 255.255.255.224

interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0

Seeing as you have not pasted the whole config, I am guessing a little bit with the rest here. Do you have a line in your 515E config saying:
nat-control
Also, would it be possible to have all of your NAT config? There is some missing in the above.

Hope this helps

Jens