  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 816

Cisco PIX 501 - Verizon FIOS user limitation

We have recently converted from a T1 to Verizon FIOS and I am having problems getting our Cisco PIX 501 firewalls back online. We have a 50 user PIX 501 that has been our primary firewall and a 10 user PIX 501 that is our backup device. Since the cutover to FIOS, we have been unable to get the 50 user device to function properly. The 10 user PIX runs fine. We have 5 static IP addresses for different servers behind the firewall and for VPN users. I have the exact same code in the 50 user PIX and when I connect it, I cannot browse to the internet or get the traffic in to the different servers, etc. I can ping out through the telnet session, but that is all I can do. I have tried cutting the config down to barebones and I still cannot get out. I even borrowed another 50 user PIX and tested it with the same results. I spoke with Verizon tech support and they don't have any ideas. Are there any suggested troubleshooting techniques that I should use to continue researching this?
Thanks
0
cconnard
1 Solution
 
lrmoore commented:
Sounds like an ARP cache issue with Verizon. The first one connected gets its MAC address stuck in the Verizon ARP cache for that IP address.
If there is a FIOS premises device that you can power cycle when you change the firewall, try doing that. Power it off, put the PIX in place, then power it back up.
0
 
cconnard (Author) commented:
Thanks, I tried this with no success. Spoke with Verizon and they restarted their Optical Network Terminal device on our premises as well and there was no effect. I have tried to tracert and everything stops at the 50 user PIX.
0
 
lrmoore commented:
The only difference between the two is the MAC address.
You said you have multiple IP addresses. Try using a different outside interface IP with the same gateway.
0
 
cconnard (Author) commented:
I tried using a different IP address on the outside interface and as I worked through that, I also changed the global command from global (outside) 1 xx.xx.xx.xx to global (outside) 1 interface and I was able to connect to the internet. With this, I am now unable to get email traffic. Additionally, the IOS version on the 10 user is V 6.3(5) and the 50 user is v 6.3(4). Is there a reason why the global (outside) 1 xx.xx.xx.xx command works differently in the older IOS?
Thanks
0
 
lrmoore commented:
6.3x definitely prefers the interface command.
How do you have the static xlates configured? You can use the interface keyword in both the static and the ACL. Example:
Suppose the IP address assigned to the interface is the same IP address as the MX record for email:

global (outside) 1 interface
nat (inside) 1 0 0 0
static (inside,outside) tcp interface smtp 192.168.1.99 smtp netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq smtp

0
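The pattern in the answer above (PAT on the interface address, a static port redirect and an ACL that both use the interface keyword) is easy to get subtly wrong, and the asker's own "global (outside) 1 xx.xx.xx.xx" variant is exactly the kind of mismatch a quick config check would surface. The following lint is an added example, not code from the thread or from Cisco; it assumes the PIX 6.3 line syntax quoted in the answer (ip address, global, nat, static, access-list) and ignores everything else. Both sample configs are constructed, using the 203.0.113.0/24 documentation range for the outside side.

```python
import re

# Port names PIX 6.3 accepts in place of numbers (small constructed subset).
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443, "domain": 53, "ssh": 22}

IP_ADDR_RE = re.compile(r"^ip address (\w+) (\S+) \S+$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) (?:any|host \S+) (interface|host) (\S+) eq (\S+)")


def port_number(token):
    """Normalise 'smtp' and '25' to the same value so static and ACL lines compare."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token.lower(), token)


def lint_pix_nat(config):
    """Return (code, message) findings for the NAT/ACL lines of a PIX 6.3 config."""
    iface_ip, globals_, nats, statics, acls = {}, {}, [], [], []

    for raw in config.splitlines():
        line = raw.strip()
        if m := IP_ADDR_RE.match(line):
            iface_ip[m[1]] = m[2]                       # interface name -> its address
        elif m := GLOBAL_RE.match(line):
            globals_[(m[1], int(m[2]))] = m[3]          # 'interface' or an explicit IP
        elif m := NAT_RE.match(line):
            nats.append((m[1], int(m[2])))
        elif m := STATIC_RE.match(line):
            _, out_if, proto, gaddr, gport, laddr, lport = m.groups()
            dest = ("interface", out_if) if gaddr == "interface" else ("host", gaddr)
            statics.append((proto, dest, port_number(gport), laddr, port_number(lport)))
        elif m := ACL_RE.match(line):
            name, proto, kind, target, port = m.groups()
            acls.append((name, proto, (kind, target), port_number(port)))

    findings = []
    iface_addrs = set(iface_ip.values())
    acl_targets = {(proto, dest, port) for _, proto, dest, port in acls}

    # The asker's variant: PAT to the outside address spelled out instead of 'interface'.
    for (iface, gid), addr in globals_.items():
        if addr in iface_addrs:
            findings.append(("GLOBAL_EXPLICIT_IFACE_IP",
                f"global ({iface}) {gid} names the interface address {addr}; "
                f"prefer 'global ({iface}) {gid} interface'"))

    # Every nat id needs a global pool with the same id, or nothing is translated.
    for iface, nid in nats:
        if not any(gid == nid for _, gid in globals_):
            findings.append(("NAT_WITHOUT_GLOBAL",
                f"nat ({iface}) {nid} has no global with id {nid}"))

    for proto, dest, gport, laddr, lport in statics:
        if dest[0] == "host" and dest[1] in iface_addrs:
            findings.append(("STATIC_EXPLICIT_IFACE_IP",
                f"static {proto}/{gport} -> {laddr}:{lport} names the interface address "
                f"{dest[1]}; use the 'interface' keyword"))
        # A port redirect that no ACL admits is dead traffic from the outside.
        if (proto, dest, gport) not in acl_targets:
            findings.append(("STATIC_WITHOUT_ACL",
                f"static {proto}/{gport} -> {laddr}:{lport} has no access-list permitting it"))

    for name, proto, dest, port in acls:
        if dest[0] == "host" and dest[1] in iface_addrs:
            findings.append(("ACL_EXPLICIT_IFACE_IP",
                f"access-list {name} permits {proto}/{port} to host {dest[1]}, an interface "
                f"address; use 'interface <name>' like the static it pairs with"))
    return findings


# Constructed configs; 203.0.113.0/24 is a documentation range, not a real site.
WORKING_CONFIG = """
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0 0
static (inside,outside) tcp interface smtp 192.168.1.99 smtp netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq smtp
access-group outside_access_in in interface outside
"""

BROKEN_CONFIG = """
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 203.0.113.10
nat (inside) 2 0 0 0
static (inside,outside) tcp 203.0.113.10 smtp 192.168.1.99 smtp netmask 255.255.255.255
access-list outside_access_in permit tcp any host 203.0.113.10 eq 25
static (inside,outside) tcp 203.0.113.11 www 192.168.1.50 80 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("working", WORKING_CONFIG), ("broken", BROKEN_CONFIG)):
        print(f"{label}: {len(lint_pix_nat(cfg))} finding(s)")
        for code, msg in lint_pix_nat(cfg):
            print(f"  [{code}] {msg}")
```

Run it against a `show running-config` dump saved to a file and it reports nothing for the working pattern and five findings for the broken one: the explicit interface address in the global, static and ACL, a nat id with no matching global, and a port redirect with no ACL to admit it. Port names and numbers are normalised so `eq smtp` and `eq 25` are treated as the same rule.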
 
Donboo commented:
It shouldn't work differently from version 6.3(4) to 6.3(5). Using global (outside) 1 interface is just a way of getting around DHCP on the outside interface instead of manually having to change the IP global pool.

Despite that, it is an ARP issue since your email address hasn't changed but still doesn't work. One thing you can do is to turn all the equipment between your PIX and the ISP equipment off/on, including the ISP equipment that you have access to, or you can leave the 50 user PIX online when you go home; by the time you come back the next morning the ARP entry of the 10 user PIX should have timed out.
0
 
cconnard (Author) commented:
Thanks lrmoore! Finally got around to testing this tonight and everything worked.
0