tjwoollard
asked on
pix v asa
i am in the process of changing a pix firewall to an asa5525. i have configured the asa with an inside interface an a outside interface. I have also configured the CX module. i configured an ip address on the inside interface and simply plugged it into the switch stack(cisco) expecting to do some testing. However as soon as I did that the users complained about no internet access which is via a MS TMG server as a proxyserver. And they were right the ASA stopped the the TMG from passsing any traffic and it seemed to be trying to route the TCP packets itself. I stopped this behaviour by turning off the cx module. There was also some other weird things happening eg no users could print via the MS printserver. I have had to dis-connect the ASA now but I am not able to explain this effect. I did make sure the IP address was unique on the network so it is not an address issue.
ASKER
Hi there,
Sorry for not comming back on this but it seems the problem is a lot worse that I thought.
I have 2 ASA devices configured in fail-over active/passive mode. It is to replace a 2 PIX firewall device running in active/passive mode. I have recently plugged the ASA device into the Cisco switch stack. Th PIX is still plugged in but the ASA is on a different IP address.
There is a MS TMG server which comprises of 2 servers running in NLB mode. Also we have 2 MS Exchange CAS servers running in NLB mode. About 20 minutes after plugging in the ASA device these server stop responding. The respond to a PING but not at the application level. I did not make the ASA the default router for any device on the network but they seem to be doing something weird to the servers but there are no reported errors on any device. Any ideas ?
Sorry for not comming back on this but it seems the problem is a lot worse that I thought.
I have 2 ASA devices configured in fail-over active/passive mode. It is to replace a 2 PIX firewall device running in active/passive mode. I have recently plugged the ASA device into the Cisco switch stack. Th PIX is still plugged in but the ASA is on a different IP address.
There is a MS TMG server which comprises of 2 servers running in NLB mode. Also we have 2 MS Exchange CAS servers running in NLB mode. About 20 minutes after plugging in the ASA device these server stop responding. The respond to a PING but not at the application level. I did not make the ASA the default router for any device on the network but they seem to be doing something weird to the servers but there are no reported errors on any device. Any ideas ?
That is really strange.
a-So if the ASA FW are not powered on yet and plugged in, will the effect still occurred?
b-If the powered ASA FW is unplugged, will the servers go revert back to work properly as intended?
pretty tough to isolate but if static route is configured such that IP segment or VLAN for ASA FW is denied to access any routes to the existing servers and PIX, I dont see how it can create that effect. there may be some static routing that ASA FW is able to traffic out? or assume PIX FW ip due to ARP causing MAC confusion...
a-So if the ASA FW are not powered on yet and plugged in, will the effect still occurred?
b-If the powered ASA FW is unplugged, will the servers go revert back to work properly as intended?
pretty tough to isolate but if static route is configured such that IP segment or VLAN for ASA FW is denied to access any routes to the existing servers and PIX, I dont see how it can create that effect. there may be some static routing that ASA FW is able to traffic out? or assume PIX FW ip due to ARP causing MAC confusion...
ASKER
well it is the weirdest thing i have ever seen. if you unplug the ASA the problem disappears. If the interface is shutdown the problem does not occur. I have removed the static routes i had installed a and re-booted several times. Is it that the PIX is plugged into the same network ?. When I observe the ASA through ASDM it appears to be passing or at least monitoring traffic even though no devices a configured to use it. It is as if there is CDP configured and it is discovering the network. I am aware that CDP is not installed on ASA devices.
ASA should not be placed inline at all for a start and I supposed you shouldnt have PIX and ASA all at one switch. unplugging PIX may confused routes since PIX is likely the default gateway to each segments, the bouncer is controlling the traffic and PIX is the suspect. Maybe unplug PIX and see if the server behaviour for a while, plug in ASA FW to observe server, unplug ASA and observe server and plug in PIX FW. No change to any routes
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
thanks for sharing but just want to check if the suggestion from posting has assisted in any way?
ASKER
There is nothing wrong with the config or the device it is just that a PIX firewall can not be on the same network an an ASA device.
thanks and well received. As per last isolation testing stated to isolate them to verify if it work, have thought that helped though.
(pg 3)
To enable ASA CX debugging, enter the following command:
debug cxsc [error | event | message] - Enables debugs at error, event, or message level.
(pg 31-32) Problems with the Authentication Proxy
In this case, you may want to check the port used by TMG to ASA CX as compared to past TMG to PIX