«

I have a PIX 515E that I am currently using as our main firewall,
attached to a T1. I am getting a 4mb connection (over 10mb ethernet)
at a colo facility, and I would like to move this PIX 515E over there.
In order to do this, I need to take a PIX 515 that I have and get it to
work identically. I have copy/pasted the config from the 515E to the
515, I have copy the 515E's config to a tftp server, and then download
it to the 515 by tftp. The PIX 515 is somewhat functional.

Each unit has 64MB RAM, 16MB Flash, UR License, VAC card, and 4 FE
card. The 515E has PIX OS 6.3(4), and the 515 has PIX OS 6.3(5). I
have used a diff to see if there are any major changes after loading,
and I see none. The PIX 515 works for access from Inside to DMZ and
Outside, and from the DMZ to Outside... but none of the ACLs work for
traffic from Outside to DMZ or Inside, or DMZ to Inside.

Any ideas?


Thanks,
Dustin

"Dustin" <> wrote in message
news: oups.com...
>I have a PIX 515E that I am currently using as our main firewall,
> attached to a T1. I am getting a 4mb connection (over 10mb ethernet)
> at a colo facility, and I would like to move this PIX 515E over there.
> In order to do this, I need to take a PIX 515 that I have and get it to
> work identically. I have copy/pasted the config from the 515E to the
> 515, I have copy the 515E's config to a tftp server, and then download
> it to the 515 by tftp. The PIX 515 is somewhat functional.
>
> Each unit has 64MB RAM, 16MB Flash, UR License, VAC card, and 4 FE
> card. The 515E has PIX OS 6.3(4), and the 515 has PIX OS 6.3(5). I
> have used a diff to see if there are any major changes after loading,
> and I see none. The PIX 515 works for access from Inside to DMZ and
> Outside, and from the DMZ to Outside... but none of the ACLs work for
> traffic from Outside to DMZ or Inside, or DMZ to Inside.
>
> Any ideas?
>
>
> Thanks,
> Dustin
>

Hi,

Should be identical. The only difference would be the 515E has a faster CPU
and can take more RAM from memory. Are all the interfaces called the same on
both PIX's? It maybe that your access lists arent bound to the right names
of the interface cards.

Cheers

Matt

I spoke with someone from TAC. She recommended that we reset the ARP
cache on our router. I did not think that this was a possible reason,
at first, because the PIX was forwarding outbound traffic properly.
Because of this, I was pretty sure that the ARP information has been
reset.

After looking at the ARP cache on our router, I saw that the default
cache is 4 hours, and that each IP that was being translated had a
separate entry (which does make sense). It is odd how you never really
think about certain basic things, because they rarely present problems.

I am going to make another go of it tomorrow morning, and I am going to
look at the ARP cache and reset if necesary.

"Dustin" <> wrote in message
news: oups.com...
>I spoke with someone from TAC. She recommended that we reset the ARP
> cache on our router. I did not think that this was a possible reason,
> at first, because the PIX was forwarding outbound traffic properly.
> Because of this, I was pretty sure that the ARP information has been
> reset.
>
> After looking at the ARP cache on our router, I saw that the default
> cache is 4 hours, and that each IP that was being translated had a
> separate entry (which does make sense). It is odd how you never really
> think about certain basic things, because they rarely present problems.
>
> I am going to make another go of it tomorrow morning, and I am going to
> look at the ARP cache and reset if necesary.
>

I was under the impression that the ARP cleared itself after a while or even
when you switch the PIX on/reboot it. I know that clear xlate is a good one
when your changing access lists but I thought they were not working at all
when you turned the PIX on?

Cheers

Matt