Reload problem

[kerna]

Hi,





Some background on the problem. Two Cisco Secure Pix firewall's running OS 6.0(1).





One pix is live, the other is in failover.





We have a VPN Setup between the server's behind the pix and another vpn which is a Checkpoint 4.1 vpn.





If we do a reload on the Pix, no outbound connections are allowed. There is a nat rule in the pix which allow traffic to leave which will not be natted, this is required for the vpn.

The nat statement say:

nat (DMZ-Mgt) 0 access-list 115

When that statement is there on load time, no outbound connections are allowed be made.

If I remove the nat statement above, I can make outbound connections.

Would anyone have seem a problem such as this, or have any idea's on it.

Thank's,

gerard

 

[yizhar]

HI.

Please post a more complete configuration.
You can replace IP addresses, but please explain what each subnet means.
Do you have a STATIC statement for the internal VPN server?
Is the IP of the VPN server a registered one?

What do you mean no outbound connections are allowed -
connections through the VPN tunnel?
connections not going through the VPN?
can the VPN server itself go out?

Have you tried rulling out the fail-over, by disabling it and then reloading and testing? Is it a statefull failover?

If you reload the pix, then wait about 10 minnutes, is it working now?

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar