Convert ASA 8.2 to 9.1
Is there a conversion tool? It would make my life a lot easier to convert 43 firewalls with failovers. Thank you in advance for your help and assistance.
Hi,
To my knowledge there are none.
The ASA will automatically convert the configuration. Though I can't say for sure what kind of software jump is possible, or whether it even matters.
I have personally gone the route of manually rewriting the NAT/ACL rules for each firewall (and any other affected configurations). (In the process of migrating FWSM -> ASA still, now approx. 150 firewalls done.)
So sadly I can't help you with finding a tool for it.
I will however link a document I made about the new NAT format
https://supportforums.cisco.com/docs/DOC-31116
And another good document that compares the old/new NAT format
https://supportforums.cisco.com/docs/DOC-9129
Naturally, if you want to confirm certain NAT configurations I'm sure you can find help here, but so far I haven't seen any conversion tool, though I haven't really looked for one either.
The "risky" way would be to upgrade the failover pairs in steady software jumps and let the ASA automatically convert the configurations. (To my understanding there have been some problems with NAT0 conversions in some of the first software jumps.) The main reason originally for not letting the ASA automatically convert the configurations was that I wanted to learn the new NAT format before using it. Also, I don't quite like the output of the automatic conversion of the NAT rules.
- Jouni
Similar Messages
-
Converting a Palo Alto Firewall to a Cisco ASA - recommendations?
I've seen some tools for converting ASA's to PA... but not the other way around. Anyone come up with a good method? (scripts, tools, etc?)
Thanks in advance!
Hi,
I couldn't find any. Maybe someone else has it, but Google didn't show anything for me :) nor did internal search. I would suggest contacting your account team and see if they can assist you with the migration.
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
Converting config from Juniper netscreen to ASA 5585 8.4
Does anyone know how to convert config from a Juniper Netscreen firewall to an ASA? We are trying to get rid of the Netscreen firewalls at our location and replace them with ASAs.
Here is the new self-service tool that Cisco has released to convert other vendors' firewalls to Cisco ASA.
Currently it supports Juniper ScreenOS and Check Point to Cisco ASA conversion.
Link to the original post:
https://supportforums.cisco.com/community/netpro/security/firewall/blog/2013/09/27/conversion-tool-juniper-screenos-to-cisco-asa
Link to the tool itself:
https://fwmig.cisco.com -
ASA 5505 speed reduction when connected to a Planet fiber converter
Hi!
We have many customers running ASA 5505, and a number of them are running 100 Mbit connections. This normally works fine. But recently, our ISP has started setting up all new fiber connections using a Planet fiber-to-RJ converter (before they used Cisco switches), and with those, the locations only get around 50-60 Mbit. We have done all the testing: forced port speed and duplex settings, tested with a PC directly connected to the converter, etc. And the connection always runs 100 Mbit. And the ASAs themselves also run 100 Mbit when connected to anything other than the Planet converter. We have for now circumvented the problem by placing a simple L2 switch between the converter and the ASAs, but this is not an ideal solution as it adds another single point of failure, etc.
Any ideas?
The Express units can extend wireless on the TC or each other, but they cannot extend wireless on the Asus anyway.
So the setup is Asus--TC (that has to be ethernet), the TC in bridge mode.
Then TC -- Express can be done by ethernet in roaming mode as Bob listed above, or extend wireless.
I am guessing... what model are the Express units? Are they older Gen1 N models?
IMHO the TC is simply no longer viable. Replace it with one Express as the AP and extend it with the other Express; see if that works better.
But I would be trying to use the wireless just from the AC66U.
I would also force the Asus back to 20 MHz on the 2.4 GHz band, so you can provide adequate channel separation. 40 MHz wireless on 2.4 GHz works poorly anyway because you have too much wifi; there is a very limited number of non-overlapping channels, i.e. 3: 11, 6 and 1. -
Converting PIX/ASA logs into CSV
I work as a network forensics analyst for a gov't agency. We are getting large amounts of PIX and ASA logs pushed to our syslog server. I'm trying to create a script to parse/convert the standard PIX/ASA logs into CSV files in order to assist with integration with other products. Has anyone had success with this, or have a Perl/shell script (awk, grep, etc.) written for this task? I would like to capture as much data as possible.
What syslog server are you using? The free kiwi syslog has an option to spin a new file based on the time or day to a text file automatically which can be archived later. Seems like kiwi can export in .csv format. http://www.kiwisyslog.com/help/syslogwebaccess/index.html?export_to_csv.htm
-KS -
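A parser along the lines the question asks for, added here as an example and not code from either poster: it reads the `%ASA-<severity>-<message id>:` header that every PIX/ASA/FWSM syslog message carries, then pulls the 5-tuple out of the connection messages (302013-302016) and the ACL messages (106023, 106100), which are the ones a forensic analyst usually pivots on; any other message id keeps only the generic columns plus the raw text, so nothing is silently dropped. The sample log lines are constructed (RFC 5737 documentation addresses), and the column set and the collector's `<pri>Mon DD HH:MM:SS host` prefix are this example's assumptions, not a Cisco format.

```python
import csv
import io
import re
from typing import Dict, Optional

# Collector prefix (assumed format, optional): "<pri>Mon DD HH:MM:SS host "
PREFIX_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
)
# Header every PIX/ASA/FWSM message carries: %ASA-<severity>-<message id>: <text>
HEADER_RE = re.compile(r"%(?P<device>ASA|PIX|FWSM)-(?P<severity>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# 302013/302014 (TCP) and 302015/302016 (UDP): connection built / torn down.
# The "(mapped/port)" groups only appear on the Built message, so they are optional.
CONN_RE = re.compile(
    r"(?P<action>Built|Teardown) (?:inbound |outbound )?(?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<src_if>[^:]+):(?P<src_ip>[^/]+)/(?P<src_port>\d+)(?: \([^)]*\))? to "
    r"(?P<dst_if>[^:]+):(?P<dst_ip>[^/]+)/(?P<dst_port>\d+)"
)
# 106023: packet denied by an interface ACL (the ICMP variant has no ports but a "(type x, code y)" suffix)
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src_ip>[^/\s]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:]+):(?P<dst_ip>[^/\s]+)(?:/(?P<dst_port>\d+))?(?: \([^)]*\))? "
    r'by access-group "(?P<acl>[^"]+)"'
)
# 106100: per-ACE logging produced by the "log" keyword on an ACE
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\w+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[^(\s]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[^(\s]+)\((?P<dst_port>\d+)\)"
)

# CSV columns (this example's choice); every named group above maps onto one of them
FIELDS = ["ts", "host", "device", "severity", "msgid", "action", "proto",
          "src_if", "src_ip", "src_port", "dst_if", "dst_ip", "dst_port", "acl", "text"]

# message id -> regex that extracts the 5-tuple for it
DETAIL_RES = {
    "302013": CONN_RE, "302014": CONN_RE, "302015": CONN_RE, "302016": CONN_RE,
    "106023": DENY_RE,
    "106100": ACE_RE,
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one syslog line into a flat row; None if it is not a PIX/ASA message."""
    row = {f: "" for f in FIELDS}
    rest = line.strip()
    m = PREFIX_RE.match(rest)
    if m:
        row["ts"], row["host"] = m["ts"], m["host"]
        rest = rest[m.end():]
    h = HEADER_RE.search(rest)
    if not h:
        return None
    row["device"], row["severity"], row["msgid"], row["text"] = h["device"], h["severity"], h["msgid"], h["text"]
    detail = DETAIL_RES.get(row["msgid"])
    d = detail.match(row["text"]) if detail else None
    if d:
        for k, v in d.groupdict().items():
            if v is not None:
                row[k] = v.lower() if k in ("action", "proto") else v
        if row["msgid"] == "106023":
            row["action"] = "deny"  # 106023 has no verb to capture; it is always a deny
    return row


def to_csv(log_text: str) -> str:
    """Render every recognised line of a syslog dump as CSV with a fixed header row."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    w.writeheader()
    for line in log_text.splitlines():
        row = parse_line(line)
        if row:
            w.writerow(row)
    return buf.getvalue()


# Constructed sample, not real logs: RFC 5737 addresses, ASA message formats
SAMPLE_LOG = """\
<166>Aug 18 10:59:33 fw1 %ASA-6-302013: Built inbound TCP connection 882912 for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:10.2.17.80/8000 (198.51.100.172/8000)
<166>Aug 18 10:59:41 fw1 %ASA-6-302014: Teardown TCP connection 882912 for outside:203.0.113.7/51234 to inside:10.2.17.80/8000 duration 0:00:08 bytes 4120 TCP FINs
<164>Aug 18 11:00:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.9/40001 dst inside:10.2.17.80/22 by access-group "outside_access_in" [0x0, 0x0]
<166>Aug 18 11:00:05 fw1 %ASA-6-106100: access-list outside_access_in denied tcp outside/203.0.113.9(40002) -> inside/10.2.17.80(23) hit-cnt 1 first hit [0xa1b2c3d4, 0x0]
<165>Aug 18 11:00:09 fw1 %ASA-5-111008: User 'admin' executed the 'show xlate' command.
"""

if __name__ == "__main__":
    print(to_csv(SAMPLE_LOG), end="")
```

Note that the Built message carries both the real and the mapped address/port pairs; the row keeps the real (pre-NAT) values from the first pair, which is what you want when correlating against inside hosts, and the mapped pair survives in the `text` column if you need it.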
I am just about to start on a project where we are moving from old Cyberguard firewalls to ASA 5520 firewalls. I was wondering if anyone has a rule base conversion tool that would be able to do a lot of the basic work? And some of the NAT conversions?
Hello Glenn
To be honest with you, I do not think there is a conversion tool from that firewall to our ASA.
I would recommend reading and analyzing the configuration guides for the ASA, or if you have any question related to the ASA setup let us know.
We will be more than glad to help!!
Regards,
Do rate all the helpful posts
Julio -
NAT 8.0 to 9.2 convert help
I have the below config on ASA 8.0. I need to convert it to 9.2.
name 10.2.17.80 BV-DVR
name 10.2.13.80 SE-DVR
name 10.2.23.80 ES-DVR
name 10.2.10.80 NW-DVR
name 10.2.10.81 NW-DVR2
name 10.2.1.76 C-DVR1
name 10.2.1.78 C-DVR2
name 10.2.1.80 C-DVR3
name 10.2.19.80 WS-DVR1
name 10.2.19.81 WS-DVR2
name 10.2.15.80 SW-DVR
name 10.2.11.80 M-DVR
object-group network Camera_DVRs
network-object host SE-DVR
network-object host BV-DVR
network-object host ES-DVR
network-object host C-DVR1
network-object host C-DVR2
network-object host C-DVR3
network-object host WS-DVR1
network-object host WS-DVR2
network-object host NW-DVR
network-object host NW-DVR2
network-object host SW-DVR
network-object host M-DVR
object-group service DM_INLINE_TCP_2 tcp
port-object eq 8000
port-object eq www
port-object eq 8001
port-object eq 8100
port-object eq 8101
port-object eq 8200
port-object eq 8201
port-object eq 8202
port-object eq 8203
port-object eq 8300
port-object eq 8301
port-object eq 8400
port-object eq 8401
port-object eq 8402
port-object eq 8403
port-object eq 8404
port-object eq 8405
port-object eq 8500
port-object eq 8501
port-object eq 8502
port-object eq 8503
port-object eq 8600
port-object eq 8700
object-group service DM_INLINE_TCP_3 tcp
port-object eq 8000
port-object eq www
port-object eq 8300
port-object eq 8301
port-object eq 8400
port-object eq 8401
port-object eq 8402
port-object eq 8403
port-object eq 8404
port-object eq 8405
port-object eq 8500
port-object eq 8501
port-object eq 8502
port-object eq 8503
port-object eq 8600
port-object eq 8700
access-list 200 extended permit tcp any host 1.1.1.172 object-group DM_INLINE_TCP_2
access-list 200 extended permit tcp object-group Camera_DVRs host 1.1.1.172 object-group DM_INLINE_TCP_3
static (inside,outside) tcp 1.1.1.172 8000 BV-DVR 8000 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8001 BV-DVR 8001 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8100 SE-DVR 8100 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8101 SE-DVR 8101 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8200 NW-DVR 8200 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8201 NW-DVR 8201 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8202 NW-DVR2 8202 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8203 NW-DVR2 8203 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8300 ES-DVR 8300 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8301 ES-DVR 8301 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8400 C-DVR1 8400 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8401 C-DVR1 8401 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8402 C-DVR2 8402 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8403 C-DVR2 8403 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8404 C-DVR3 8404 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8405 C-DVR3 8405 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8500 WS-DVR1 8500 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8501 WS-DVR1 8501 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8502 WS-DVR2 8502 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8503 WS-DVR2 8503 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8600 M-DVR 8600 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8700 SW-DVR 8700 netmask 255.255.255.255
Here is a bit of what I think I need to do....
object network OBJ-10.2.17.80
host 10.2.17.80
object network OBJ-1.1.1.172
host 1.1.1.172
object service OBJ-TCP-8000
service TCP source eq 8000
object service OBJ-TCP-8000
service TCP source eq 8000
nat (inside,outside) source static OBJ-10.2.17.80 OBJ-1.1.1.172 service OBJ-TCP-8000 OBJ-TCP-8000
access-list outside_access_in extended permit tcp any4 object OBJ-10.2.17.80 eq 8000
Thanks,
Mike
I did not create the above config. If I had, I would never have "DM_INLINE" on anything. It is a default naming that Cisco uses when objects are created via ASDM, and lazy or inexperienced engineers do not correct it. Also, auditors do not like such non-descriptive names. I do not like this default behavior at all and do most everything via CLI; much better and much more control. It would be better if, when creating these in ASDM, it did not put in a default name but forced you to enter something.
Mike -
ASA 5520 Upgrade From 8.2 to 9.1
To All Pro's Out There,
I have 2 x ASA 5520 in Active/Standby state (Routed, Single context) running the 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version, 9.1, and as you know there are some architectural changes Cisco made to NAT statements and access lists. As one can tell, we have a monster environment in terms of NAT statements and access lists that are currently configured on the appliances.
In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and, if needed, use it in production (in conjunction with the existing Primary and Secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together a smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some do's and don'ts, and can provide me some options toward getting the best result: minimum downtime and a smooth upgrade.
I appreciate all the help in advance.
Hi,
My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion the ASA does when rebooting straight into a new software level produces quite a lot of configuration, and it isn't really optimal.
In your case it seems that you are in a much better situation than most people, who don't have the chance to use a test device to test out the setup before actually putting it in production.
What you can basically do is
Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
You can use "packet-tracer" command to test if correct NAT rules are still hit after the conversion
So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware, which has basically let me configure everything ready and just switch devices for the customer. So far everything has gone really well and there have been only 1-2 mistakes in NAT configurations because of mistyping some IP address or interface name, which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (most of them from an FWSM Security Context to an ASA Security Context).
If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
https://supportforums.cisco.com/docs/DOC-31116
My personal approach when starting to convert NAT configurations for the upgrade is
Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
Divide NAT configurations based on type
Dynamic NAT/PAT
Static NAT
Static PAT
NAT0
All Policy Dynamic/Static NAT/PAT
Learn the basic configuration format for each type of NAT configuration
Start by converting the easiest NAT configurations
Dynamic NAT/PAT
Static NAT/PAT
Next convert the NAT0 configurations
And finally go through the Policy NAT/PAT configurations
Finally, go through the interface ACLs and change them to use the real IP address as the destination in all cases, since the NAT IP address is not used anymore. In most common scenarios this basically only involves modifying the "outside" interface's ACL, but if the customer has some other links to external resources then it's highly likely that the same type of ACL changes are required on those interfaces also.
The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
One very important thing to notice also is that you might have a very large number of Identity NAT configurations between the local network interfaces of the ASA.
For example
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
In the new software you can pretty much leave all of these out. If you don't need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
Naturally you can also use these forums to ask for help with NAT configuration conversions. Even though it's a very common topic, I don't personally mind helping out with those.
So to summarize
Try out the ASAs automatic configuration conversion when simply booting to new software levels on the test ASA you have
Learn the new NAT configuration format
Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
Personally, if I were looking at the same kind of upgrade (which I will probably be looking at again soon) I would do the following
Convert the configurations manually
Lab/test the configurations on an test ASA
During a failover pair's upgrade I would remove the Standby device from the network, erase its configuration, reboot it to the new software, and insert the manually written configuration.
Put the upgraded ASA in the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
Disconnect the currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
Test connectivity and monitor the ASA's connection and xlate tables to confirm everything is working
Will add more later if anything comes to mind, as it's getting quite late here
Hope this helps
- Jouni -
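As a worked example of the static-PAT conversion asked about in the "NAT 8.0 to 9.2" thread and of the "rewrite the interface ACL against the real address" step in the procedure above (my code, not from either thread): it resolves `name` aliases, turns each 8.2 `static (real,mapped) tcp ...` port forward into an 8.3+ object NAT entry, emits the interface ACL against the real host and real port (the ASA un-NATs before the ACL check in 8.3+), and sets aside what it does not handle (identity statics between local interfaces, policy/dynamic NAT, the old mapped-address ACL) for manual review rather than guessing. The object naming scheme and the ACL name `outside_access_in` are this example's assumptions; the sample input is a constructed subset of the 8.0 config posted in that thread plus one one-to-one static and one identity static to exercise the other paths.

```python
import re
from typing import Dict, List, Tuple

NAME_RE = re.compile(r"^name (?P<ip>\S+) (?P<alias>\S+)$")
# static (real_if,mapped_if) {tcp|udp} MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask MASK
STATIC_PAT_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+) netmask (?P<mask>\S+)"
)
# static (real_if,mapped_if) MAPPED REAL netmask MASK   (one-to-one static NAT, host or subnet)
STATIC_NAT_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)"
)


def convert_statics(old_cfg: str, acl_name: str = "outside_access_in") -> Tuple[str, List[str]]:
    """Emit 8.3+ object NAT plus an interface ACL written against real addresses.

    Returns (new_config, lines_needing_manual_review). Object and ACL names are
    this example's own convention (assumption), not an ASA default.
    """
    names: Dict[str, str] = {}
    objects: Dict[str, List[str]] = {}   # insertion-ordered: one block of lines per object
    acl: List[str] = []
    review: List[str] = []

    def ip(token: str) -> str:
        # "name 10.2.17.80 BV-DVR" lets later lines say BV-DVR; resolve back to the address
        return names.get(token, token)

    for raw in old_cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = NAME_RE.match(line)
        if m:
            names[m["alias"]] = m["ip"]
            continue
        m = STATIC_PAT_RE.match(line)
        if m:
            real, mapped = ip(m["real"]), ip(m["mapped"])
            # one network object per (host, port): a network object carries only one nat line
            obj = f"OBJ-{real}-{m['proto']}-{m['rport']}"
            objects[obj] = [
                f"object network {obj}",
                f" host {real}",
                f" nat ({m['real_if']},{m['mapped_if']}) static {mapped}"
                f" service {m['proto']} {m['rport']} {m['mport']}",
            ]
            # 8.3+ un-NATs before the ACL check, so the rule names the real host and real port
            acl.append(f"access-list {acl_name} extended permit {m['proto']} any4 host {real} eq {m['rport']}")
            continue
        m = STATIC_NAT_RE.match(line)
        if m:
            real, mapped = ip(m["real"]), ip(m["mapped"])
            if real == mapped:
                # identity static between local interfaces: 8.3+ needs no NAT rule at all
                review.append(f"identity static, normally dropped in 8.3+: {line}")
                continue
            if m["mask"] == "255.255.255.255":
                addr, mapped_ref = f" host {real}", mapped
            else:
                # subnet-to-subnet static needs a mapped object of the same size, not an inline IP
                mapped_ref = f"OBJ-{mapped}-{m['mask']}"
                objects.setdefault(mapped_ref, [f"object network {mapped_ref}", f" subnet {mapped} {m['mask']}"])
                addr = f" subnet {real} {m['mask']}"
            obj = f"OBJ-{real}"
            objects[obj] = [f"object network {obj}", addr,
                            f" nat ({m['real_if']},{m['mapped_if']}) static {mapped_ref}"]
            continue
        if line.startswith(("static ", "nat ", "global ")):
            review.append(f"policy/dynamic NAT, convert by hand: {line}")
        elif line.startswith("access-list "):
            review.append(f"old ACL against mapped addresses, check against the generated rules: {line}")

    out: List[str] = []
    for body in objects.values():
        out.extend(body)
    out.extend(acl)
    return "\n".join(out) + "\n", review


# Constructed subset of the 8.0 config from the thread, plus a one-to-one and an identity static
SAMPLE_82 = """\
name 10.2.17.80 BV-DVR
name 10.2.13.80 SE-DVR
name 10.2.1.50 WEB-SRV
access-list 200 extended permit tcp any host 1.1.1.172 object-group DM_INLINE_TCP_2
static (inside,outside) tcp 1.1.1.172 8000 BV-DVR 8000 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8001 BV-DVR 8001 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.172 8100 SE-DVR 8100 netmask 255.255.255.255
static (inside,outside) 1.1.1.173 WEB-SRV netmask 255.255.255.255
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
"""

if __name__ == "__main__":
    cfg, todo = convert_statics(SAMPLE_82)
    print(cfg)
    for item in todo:
        print("REVIEW:", item)
```

The generated ACL permits exactly the (real host, real port) pairs that have a translation, which is also the only traffic the old `any -> 1.1.1.172` rule could ever deliver, since a port without a static had nothing to translate to. After loading the output on a lab box, confirm each forward with `packet-tracer input outside tcp 203.0.113.7 51234 1.1.1.172 8000` and check that the NAT phase shows the expected object and the ACL phase allows it.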
Upgrade from 8.2 to 8.6 for new ASA 5515X
Hello,
My customer has a rather complex configuration on an ASA 5510 running version 8.2.
They are migrating to new ASA 5515-X models, which of course only support version 8.6.
How can I convert the configuration from 8.2 to 8.6, since the new ASAs do not support the earlier versions?
The X series seems to be a great option for new deployments but what about replacements of existing older models?
Thanks for any ideas everyone!
Chris
Hello,
I would say go to 8.4. From there you will have the same syntax.
There will be new commands and features on 8.6, that's for sure, but you are going to be on the same path.
Any other question? Sure, just remember to rate all of the helpful posts.
Julio -
ASA 5505 VPN Group Policies (RADIUS) and tunnel group
I have a single ASA firewall protecting a small private development network, and I need it in order to access remotely two distinct network spaces, both of which are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
I'd like to set up AnyConnect to land on LAN 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a RADIUS bridge to allow user authentication for VPN. I can pass whichever attribute I'd like to using this RADIUS bridge (for example "Class" or "Group-Policy" or whatever is included in the RADIUS dictionaries).
Actually, all I need is quite simple. I have to segregate my remote users into 2 groups, one for AnyConnect and one for SSL, based on the RADIUS response from authentication (I don't need authorization or accounting). I'm no Cisco pro; what I've learnt is based on direct "on the field" experience.
I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
Session Type: WebVPN
Username : kaisaron78 Index : 1
Public IP : 172.16.0.3
Protocol : Clientless
License : AnyConnect Premium
Encryption : Clientless: (1)RC4 Hashing : Clientless: (1)SHA1
Bytes Tx : 518483 Bytes Rx : 37549
Group Policy : RemoteAC Tunnel Group : DefaultWEBVPNGroup
Login Time : 10:59:33 CEDT Mon Aug 18 2014
Duration : 0h:00m:23s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a801fa0000100053f1c075
Security Grp : none
Asa5505# sh vpn-sessiondb webvpn
Session Type: WebVPN
Username : manintra Index : 2
Public IP : 172.16.0.3
Protocol : Clientless
License : AnyConnect Premium
Encryption : Clientless: (1)RC4 Hashing : Clientless: (1)SHA1
Bytes Tx : 238914 Bytes Rx : 10736
Group Policy : SSLPolicy Tunnel Group : DefaultWEBVPNGroup
Login Time : 11:01:02 CEDT Mon Aug 18 2014
Duration : 0h:00m:05s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a801fa0000200053f1c0ce
Security Grp : none
As you can see, it seems like the policies are assigned correctly by the RADIUS attribute Group-Policy. However, for example, you'll notice no VLAN mapping, even though I have declared them explicitly in the group policies themselves. This is the webvpn section of the CLI script I used to set up remote access.
! ADDRESS POOLS AND NAT
names
ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_27
subnet 192.168.10.0 255.255.255.224
access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
! RADIUS SETUP
aaa-server OpenOTP protocol radius
aaa-server OpenOTP (inside) host 192.168.1.8
key ******
authentication-port 1812
accounting-port 1814
radius-common-pw ******
acl-netmask-convert auto-detect
webvpn
port 10443
enable outside
dtls port 10443
anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
anyconnect enable
! LOCAL POLICIES
group-policy SSLPolicy internal
group-policy SSLPolicy attributes
vpn-tunnel-protocol ssl-clientless
vlan 3
dns-server value 10.5.1.5
default-domain value management.local
webvpn
url-list value Management_List
group-policy RemoteAC internal
group-policy RemoteAC attributes
vpn-tunnel-protocol ikev2 ssl-client
vlan 1
address-pools value AnyConnect_Pool
dns-server value 192.168.1.4
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_Anyconnect
default-domain value home.local
webvpn
anyconnect profiles value AnyConnect_Profile_client_profile type user
group-policy SSLLockdown internal
group-policy SSLLockdown attributes
vpn-simultaneous-logins 0
! DEFAULT TUNNEL
tunnel-group DefaultRAGroup general-attributes
authentication-server-group OpenOTP
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group OpenOTP
tunnel-group VPN_Tunnel type remote-access
tunnel-group VPN_Tunnel general-attributes
authentication-server-group OpenOTP
default-group-policy SSLLockdown
!END
I had to set up DefaultWEBVPNGroup and DefaultRAGroup that way, otherwise I couldn't authenticate using RADIUS (login failed every time). It seems like in ASDM the VPN_Tunnel isn't assigned to the AnyConnect nor to the Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM? I know I'm doing something wrong but I can't see where the problem is. I have been struggling with this since May 2nd, and I really need to finish setting this up ASAP!
Any help will be more than appreciated.
Cesare Giuliani
Ok, it makes sense.
Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
Thank you again for your precious and kind help, and for your patience as well!
Cesare Giuliani -
ASA 5520 upgrade from 8.4.6 to 9.1.2
Dear All,
I have an ASA 5520 in Active/Standby failover configuration. I want to know if I can upgrade it from 8.4.6 to 9.1.2 using the zero-downtime upgrade process mentioned on the Cisco site.
Below is the process :
Upgrade an Active/Standby Failover Configuration
Complete these steps in order to upgrade two units in an Active/Standby failover configuration:
Download the new software to both units, and specify the new image to load with the boot system command.
Refer to Upgrade a Software Image and ASDM Image using CLI for more information.
Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:
active#failover reload-standby
When the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.
active#no failover active
Note: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.
Reload the former active unit (now the new standby unit) by entering the reload command:
newstandby#reload
When the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:
newstandby#failover active
This completes the process of upgrading an Active/Standby Failover pair.
Also, after the upgrade are there any changes required after the IOS migration (i.e. are there any changes in the command line between 8.4.6 and 9.1.2)?
It is mentioned on the Cisco site that
Major Release
—You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.
Hi Tushar,
The steps you mentioned are perfectly fine. There is no major difference in the commands of the 2 versions; it's just that in access rules from 9.1 you have to use any4 instead of any for IPv4, and any6 for IPv6. During conversion it will get converted automatically.
Also, please refer to the following document (release notes of 9.1.2) for viewing the new features added in that version:
http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp685480
- Prateek Verma -
NAT configuration on PIX to ASA
Hi,
I have the below configuration on my PIX 8.0 which I want to convert for ASA 9.1:
nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
access-list Cust-DMZ_nat0_outbound extended permit ip host 172.29.83.2 host 172.29.83.1
access-list Cust-DMZ_nat0_outbound extended permit ip host 202.138.123.75 host 10.10.11.20
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 host 10.10.50.150
And there is no "nat (global) 0" command in the PIX for this configuration.
How can I use this in the ASA?
Regards,
Ninad
Hi,
The configuration is going to be bigger, at least. I liked NAT0 more in the old software, when you could use the ACL configuration to handle it and not bloat the NAT configuration needlessly.
There are some strange ACEs in that ACL. I mean the rules where the source and destination seem to be either from the same subnet or just simple host addresses (perhaps loopback interface IP addresses somewhere in the network?) that I wouldn't expect to use the firewall to communicate. Though I will assume those configurations are needed.
You could try the following configuration, though I naturally suggest perhaps coming up with some other naming policy for the "object" configuration if needed.
object network HOST-10.2.1.175
host 10.2.1.175
object network HOST-10.10.49.30
host 10.10.49.30
object network HOST-1.1.1.58
host 1.1.1.58
object network HOST-1.1.1.57
host 1.1.1.57
object network HOST-172.29.83.2
host 172.29.83.2
object network HOST-172.29.83.1
host 172.29.83.1
object network HOST-202.138.123.75
host 202.138.123.75
object network HOST-10.10.11.20
host 10.10.11.20
object network HOST-10.14.1.11
host 10.14.1.11
object network HOST-10.10.50.150
host 10.10.50.150
nat (Cust-DMZ,any) source static HOST-10.2.1.175 HOST-10.2.1.175 destination static HOST-10.10.49.30 HOST-10.10.49.30
nat (Cust-DMZ,any) source static HOST-1.1.1.58 HOST-1.1.1.58 destination static HOST-1.1.1.57 HOST-1.1.1.57
nat (Cust-DMZ,any) source static HOST-172.29.83.2 HOST-172.29.83.2 destination static HOST-172.29.83.1 HOST-172.29.83.1
nat (Cust-DMZ,any) source static HOST-202.138.123.75 HOST-202.138.123.75 destination static HOST-10.10.11.20 HOST-10.10.11.20
nat (Cust-DMZ,any) source static HOST-10.14.1.11 HOST-10.14.1.11 destination static HOST-10.10.50.150 HOST-10.10.50.150
Notice that I configured the destination interface as "any". With that setting it should determine the destination interface based on your ASA's routing table. I personally tend to define that interface, but can't do that in this case as I can't see your routing configuration or routing table.
If you want to read up some on the new NAT configuration format you can check a document that I wrote in 2013.
Sadly, the update to these forums also changed the layout of the document a bit, so some things aren't really as I wish them to be.
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Hope this helps :)
- Jouni -
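The rewrite Jouni did by hand above is mechanical enough to script; the following is an added example of mine, not code from the thread. It collects every `nat (ifc) 0 access-list NAME` exemption, then turns each `permit ip` ACE of a referenced ACL into an identity twice-NAT rule in the same `source static X X destination static Y Y` form, creating each network object once. A `host X any` ACE becomes a source-only identity rule, subnets become `NET-` objects, and ACEs from an ACL that no `nat 0` line references are reported instead of converted. The `any` mapped interface mirrors Jouni's choice and is a parameter; the object naming scheme is this example's assumption, and the sample input is constructed from the question's ACL plus a subnet pair, a "to anywhere" ACE and an unrelated ACL.

```python
import re
from typing import Dict, List, Tuple

NAT0_RE = re.compile(r"^nat \((?P<real_if>[^)]+)\) 0 access-list (?P<acl>\S+)$")
# Only "permit ip" ACEs matter in a NAT-exemption ACL; an address is any | host X | NET MASK
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended permit ip "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)$"
)


def address_token(spec: str, objects: Dict[str, List[str]]) -> str:
    """Map an ACE address to the token used in a nat line, creating the network object once."""
    if spec == "any":
        return "any"
    first, second = spec.split()
    if first == "host":
        name, body = f"HOST-{second}", f" host {second}"
    else:
        name, body = f"NET-{first}-{second}", f" subnet {first} {second}"
    objects.setdefault(name, [f"object network {name}", body])
    return name


def convert_nat0(old_cfg: str, mapped_if: str = "any") -> Tuple[str, List[str]]:
    """Rewrite 8.2 'nat (ifc) 0 access-list' exemptions as 8.3+ identity twice NAT.

    Returns (new_config, notes_for_manual_review).
    """
    exempt: Dict[str, str] = {}            # ACL name -> real interface from the nat 0 line
    aces: List[Tuple[str, str, str]] = []  # (ACL name, src spec, dst spec), in config order
    for raw in old_cfg.splitlines():
        line = raw.strip()
        m = NAT0_RE.match(line)
        if m:
            exempt[m["acl"]] = m["real_if"]
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append((m["acl"], m["src"], m["dst"]))

    objects: Dict[str, List[str]] = {}
    nat_lines: List[str] = []
    notes: List[str] = []
    used = set()
    for acl, src, dst in aces:
        if acl not in exempt:
            note = f"ACL {acl} is not referenced by any 'nat 0' line; left as a normal ACL"
            if note not in notes:
                notes.append(note)
            continue
        used.add(acl)
        s = address_token(src, objects)
        rule = f"nat ({exempt[acl]},{mapped_if}) source static {s} {s}"
        if dst != "any":
            # identity-translate the destination too, so the pair is exempt in both directions
            d = address_token(dst, objects)
            rule += f" destination static {d} {d}"
        nat_lines.append(rule)
    for acl, ifc in exempt.items():
        if acl not in used:
            notes.append(f"'nat ({ifc}) 0 access-list {acl}' has no 'permit ip' ACEs to convert")

    out: List[str] = []
    for body in objects.values():
        out.extend(body)
    out.extend(nat_lines)
    return "\n".join(out) + "\n", notes


# Constructed sample: two ACEs from the question plus a subnet pair, a "to anywhere" ACE,
# and an ACE from an unrelated ACL to show the skip path
SAMPLE_NAT0 = """\
nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
access-list Cust-DMZ_nat0_outbound extended permit ip 10.2.1.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 any
access-list outside_access_in extended permit ip host 203.0.113.5 host 10.2.1.175
"""

if __name__ == "__main__":
    cfg, notes = convert_nat0(SAMPLE_NAT0)
    print(cfg)
    for note in notes:
        print("REVIEW:", note)
```

Manual NAT rules land in Section 1 and are matched in order, so paste these above any broader dynamic or static rule for the same sources; otherwise the earlier rule wins and the exemption never fires. As with the original thread, `packet-tracer` from the Cust-DMZ side to one of the exempt destinations should show the identity rule being hit.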
NAT Problems Converting from 7.2(2) to 8.6(1)2
I am trying to replace an ASA 5510 running 7.2(2) with an ASA 5515-X running 8.6(1)2. The problem I am having is that the NAT entries are not working on the ASA 5515-X. Is there anything that needs to be considered when moving the configuration from the ASA 5510 to the ASA 5515-X?
Hi,
The ASA's NAT configuration format underwent a big change when going from 8.2 to 8.3. The NAT configuration format changed completely, and therefore none of the old NAT configurations work anymore. These are "global", "nat" and "static". Actual NAT configurations still start with the command "nat", but otherwise in a totally different format.
Your new ASA 5500-X series firewall can only use 8.6 or above software level. That is its "oldest" software. Therefore you can't use your old configuration on it. People who simply upgrade software on the original ASA 5500 series will be able to just boot their ASA to the new software, though while the ASA then migrates the NAT configurations to the new format, the results aren't always the best.
One major change would also be ACLs. In the new software you will always use the real IP address in the interface ACL when allowing traffic somewhere. So even if you were allowing traffic to some server (that has a Static NAT configured on the ASA) you would now use the real IP address as the destination rather than the NAT IP address. This is mainly due to the fact that the ASA now handles NAT before the ACL in the new software.
There are also some minor changes to the commands related to VPN configurations.
But the above are the biggest changes.
How large a NAT configuration do you have on the original ASA 5510? If we are not talking about a huge configuration I could probably help with converting the NAT configurations.
Here is a document I wrote about the new NAT configuration format
https://supportforums.cisco.com/docs/DOC-31116
Here is also a good document that might help you compare the old and new NAT configuration formats
https://supportforums.cisco.com/docs/DOC-9129
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni -
ASA 8.2 configuration for an ASA 9.1.(1) device
Hello, I have a configuration file from a 5510 running ASA ver 8.2
I have a brand new ASA5525 running ASA ver 9.1(1)
It is my understanding that the configuration syntax is different between these versions.
I need to take this config I have and somehow auto-format it to work with 9.1(1). Upgrading is not an option since the firewall is already on 9.1(1).
Anyone know how I would go about this?
Hi,
I think you can use this Document to understand the Syntax changes and you will find the corresponding syntax for ASA 9.x as well.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html
Also, you can check out this automated tool as well:
http://www.tunnelsup.com/nat-converter
I would recommend going through and manually converting the configuration to prevent any errors.
Thanks and Regards,
Vibhor Amrodia -
What are best practices for connecting asa to nexus 5000
Just trying to get a feel for the best way to connect redundant ASAs to redundant Nexus 5000s.
Using a vPC VLAN is fine, but then running a routing protocol isn't supported, so putting static routes on the 5000 works, but it doesn't support IP SLA yet so you can't really stop distributing the default if your internet goes down. Just looking for what was recommended.
You want to test a RAC upgrade on a non-RAC database. If you ask me that is a risk, but it depends on many things
Application configuration - If your application is configured for RAC, FAN etc. you cannot test it on non-RAC systems
Cluster upgrade - If your standalone database is RAC One Node you can probably test your cluster upgrade there. If you have a non-RAC database then you will not be able to test the cluster upgrade or CRS
Database upgrade - There are differences when you upgrade a RAC vs. a non-RAC database which you will not be able to test
I think the best way for you is to convert your standalone database to a RAC One Node database and test it. That will take you close to multi-node RAC.