Hi, I hope someone can help me with a frustrating and time-consuming issue I currently have with getting Internet access on all our machines in the new infrastructure.
I have done a lot of troubleshooting with a network colleague, but he's not familiar with PIX or specialist firewall stuff.
The issue is as follows. My client is a small organisation which has recently upgraded and updated all its infrastructure to replace old kit.
We have set up new W2008 servers, a new AD, new DNS, DHCP, Hyper-V running Exchange 2010, SharePoint 2010, CRM. All of this works great.
We have put in new switches; before, the client had a very flat structure consisting of 1 VLAN and one 192.168.2.x subnet, hosting all computers, printers, etc.
Now they have 4 other VLANs: a 3.x to host all new servers as above and to which all the users will migrate their PCs too.
4.x is for iSCSI.
5.x is for WAP.
Up until Saturday morning, all was working fine, and so we removed the old kit from the racks and prepared the room to move the new kit, which is sitting in a corner of the room but all patched in to the network. We hoped to move this over the last 2 days, but I have been stuck with an Internet access issue and I can't work out what's gone wrong or how to troubleshoot and get to the cause and fix.
There is a PIX 515E firewall, which is connected to Zyxel 300 and Zyxel 700 routers and then to the switches.
I have attached a diagram showing how the 4 switches are connected and the configs of these 4 switches and the PIX.
In the diagram, A is the incoming line from the ISP, which goes to a Zyxel 700 series router, and this is linked via a small Ethernet cable to a port on a Zyxel 300 router. I am not sure why it's this way; the ISP says there is only 1 router (the 700).
When I started here a few weeks back the original guy had left, so I can't ask about the config. I managed to get the PIX password and get the config, but I have to console to it as I can't access it via telnet like the other 4 switches, which I had set up.
Anyway, the PIX is soon coming out and will be replaced with a TMG firewall solution. This is due to the PIX's age.
I have a separate EE question in to the forum to address a TMG NLB and teaming issue, so I can't replace the firewall just yet, though I may have to if I can't get the firewall working again.
On Saturday, power was lost to the routers and PIX, and since we switched it on we can't get Internet access, yet our ISP and my colleague can remote on to the IP, it seems.
Nothing was changed on the PIX recently, though in the last day I have changed its IP from 192.168.2.254 to 192.168.2.1 and back again during the troubleshooting.
I have attached all the configs.
I am hoping that someone can look at the setup and say where the issue may be, or be able to provide me with some PIX commands that I can use to troubleshoot the issue. I tried to ping out and do a tracert from the PIX, but I don't know the proper syntax.
The customer has 6 allocated IP addresses and, as I say, up till Saturday and the switch-off, all was fine.
The PIX is back online and pinging on the address 192.168.2.254.
This could be an issue with the ISP still, or with the setup. The equipment we took out should not have affected this routing or setup.
I really hope someone can help.
I plan tomorrow to build out the TMG firewall and try that and bypass the PIX. And I plan to maybe blow the config off the PIX, as it contains old legacy VPN stuff and access lists which have never worked or have been there for years; I just want a simple setup NATting to the 6 addresses as shown in the config. We can add a new VPN on the TMG later.
I just want to get internet access back to the new infrastructure asap. All internal DNS, etc working fine.
A few other points which may help: as I say, the ISP thinks there is only 1 700 router; we don't know why there is a 300 there, but the PIX is attached to that 300. When I took the cable out and put it in the 700 earlier, to bypass the 300, my colleague could not remote connect.
Putting it back allowed him to telnet from remote over the Internet, and the ISP believes traffic is passing.
We did get a small trickle of email coming in when I put the cable back to its original setup.
Previously mail came in to 192.168.2.15 and 192.168.2.17; these machines are now away, and the mail should go to 192.168.3.21.
We tested it on external address 178, as you can see from the config. We hope to replace the other 2 incoming NATs to 192.168.3.21 as well.
Attachments: vwswi01.txt vwswi02.txt vwswi03.txt vwswi04.txt Pix.txt
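As an added illustration, not part of the original question or the attached configs, these are the PIX commands that cover the ping/traceroute request above and the state worth checking after a power loss. The interface names `inside` and `outside`, the `<isp-gateway>` placeholder and 8.8.8.8 as an outbound test target are assumptions; 192.168.3.21 is the new mail server named in the post. The `!` lines are annotations, not commands to type.

```text
! --- Reachability from the PIX itself (PIX OS 6.x and 7.x syntax) ---
! Replace <isp-gateway> with the next hop of the default route shown by "show route".
ping outside <isp-gateway>
! A public address proves outbound routing independently of DNS (8.8.8.8 is an assumed target).
ping outside 8.8.8.8
! An inside host proves the inside interface and the 3.x VLAN routing.
ping inside 192.168.3.21

! --- State that should have survived the reboot ---
show interface          ! line protocol up, error counters, duplex on the outside port
show ip address         ! interface addresses are what the saved config says
show route              ! the default route (0.0.0.0 0.0.0.0 <isp-gateway>) is still present
show arp                ! the PIX has learned the MAC of its outside gateway
show xlate              ! live NAT translations; an empty table means nothing is being translated
show nat                ! outbound NAT rules (6.x: "show static" lists the public-to-inside mappings)

! --- Watch ICMP cross the firewall while a client on 192.168.3.x pings 8.8.8.8 ---
debug icmp trace
! ... run the test from the client, then stop the debug:
no debug icmp trace

! --- Only on PIX OS 7.x / 8.x; plain traceroute does not exist on 6.x ---
traceroute 8.8.8.8
packet-tracer input inside icmp 192.168.3.21 8 0 8.8.8.8     ! 7.2 and later
```

Reading the results: if `ping outside <isp-gateway>` fails, `show arp` lists no entry for the gateway and `show route` still has the default route, the break is between the PIX and the Zyxel 300/700 pair and is not a PIX config problem; `clear arp` on the PIX (and a check of the Zyxel ARP tables) is the next step. If the gateway answers but 8.8.8.8 does not, the ISP side is not forwarding. If `debug icmp trace` shows the client's echo request leaving `outside` but no echo reply coming back, the same applies, and `show xlate` will show the translation that was built for that client, confirming NAT itself is working.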