Convert ASA 8.2 to 9.1

Is there a conversion tool? It would make my life a lot easier to convert 43 firewalls with failovers. Thank you in advance for your help and assistance.

Hi,
To my knowledge there are none.
The ASA will automatically convert the configuration, though I can't say for sure what kind of software jump is possible or whether it even matters.
I have personally gone the route of manually rewriting the NAT/ACL rules for each firewall (and any other affected configurations). (I'm still in the process of migrating FWSM -> ASA; approx. 150 firewalls done so far.)
So sadly I can't help you with finding a tool for it.
I will however link a document I made about the new NAT format:
https://supportforums.cisco.com/docs/DOC-31116
And another good document that compares the old/new NAT format:
https://supportforums.cisco.com/docs/DOC-9129
Naturally if you want to confirm certain NAT configurations I'm sure you can find help here, but so far I haven't seen any conversion tool; then again, I haven't really looked for one either.
The "risky" way would be to upgrade the failover pairs in steady software jumps and let the ASA automatically convert the configurations. (To my understanding there have been some problems with NAT0 conversions in some of the first software jumps.) The main reason originally for not letting the ASA automatically convert the configurations was that I wanted to learn the new NAT format before using it. Also, I don't quite like the output of the automatic conversion of the NAT rules.
- Jouni

Similar Messages

  • Converting a Palo Alto Firewall to a Cisco ASA - recommendations?

    I've seen some tools for converting ASA's to PA... but not the other way around. Anyone come up with a good method? (scripts, tools, etc?)
    Thanks in advance!

    Hi,
    I couldn't find any. Maybe someone else has it, but Google didn't show up anything for me :) nor did the internal search. I would suggest contacting your account team and seeing if they can assist you with the migration.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Converting config from Juniper netscreen to ASA 5585 8.4

    Does anyone know how to convert config from a Juniper Netscreen firewall to an ASA? We are trying to get rid of the Netscreen firewalls at our location and replace them with ASAs.

    Here is the new self-service tool that Cisco has released to convert other vendors' firewalls to Cisco ASA.
    Currently it supports Juniper ScreenOS and Check Point to Cisco ASA conversion.
    Link to the original post:
    https://supportforums.cisco.com/community/netpro/security/firewall/blog/2013/09/27/conversion-tool-juniper-screenos-to-cisco-asa
    Link to the tool itself:
    https://fwmig.cisco.com

  • ASA 5505 speed reduction when connected to a Planet fiber converter

    Hi!
    We have many customers running ASA 5505, and a number of them are running 100 Mbit connections. This normally works fine. But recently, our ISP has started setting up all new fiber connections using a Planet fiber to RJ converter (before they used Cisco switches), and with those, the locations only get around 50-60 Mbit. We have done all the testing: force port speed and duplex settings, test with a PC directly connected to the converter, etc. And the connection always runs 100 Mbit. And the ASAs themselves also run 100 Mbit when connected to anything other than the Planet converter. We have for now circumvented the problem by placing a simple L2 switch between the converter and the ASAs, but this is not an ideal solution as it adds another single point of failure element etc.
    Any ideas?

    The Express units can extend wireless on the TC or each other.. but they cannot extend wireless on the Asus anyway..
    So the setup is Asus--TC (that has to be ethernet) The TC in bridge mode.
    Then TC -- express can be done by ethernet in roaming mode as bob listed above or extend wireless.
    I am guessing.. what model are the express units.. they are older Gen1 N model ??
    IMHO the TC is simply no longer viable.. replace it with one express as the AP and extend it with the other Express.. see if that works better.
    But I would be trying to use the wireless just from the AC66U.
    I would also force the Asus back to 20 MHz on the 2.4 GHz band, so you can provide adequate channel separation. 40 MHz wireless on 2.4 GHz works poorly anyway because you have too much WiFi; there is a very limited number of non-overlapping channels, i.e. 3: 11, 6 and 1.

  • Converting PIX/ASA logs into CSV

    I work as a network forensics analyst for a gov't agency. We are getting large amounts of PIX and ASA logs being pushed to our syslog server. I'm trying to create a script to parse/convert the standard PIX/ASA logs into CSV files in order to assist with integration with other products. Has anyone had success with this, or have a Perl/shell script (awk, grep, etc.) written for this task? I would like to capture as much data as possible.

    What syslog server are you using? The free Kiwi Syslog has an option to spin a new file based on the time or day to a text file automatically, which can be archived later. Seems like Kiwi can export in .csv format. http://www.kiwisyslog.com/help/syslogwebaccess/index.html?export_to_csv.htm
    -KS
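    The kind of parser asked for above, as an added example (it is neither the poster's script nor Kiwi's export): it picks the %ASA/%PIX tag out of each line, flattens the connection built/teardown messages (302013-302016) and the ACL deny message (106023) into CSV columns, and keeps unknown message ids as raw text so nothing is lost. The syslog-server prefix it assumes is the common "Mmm dd yyyy hh:mm:ss hostname :" form, and the sample lines are constructed.

```python
"""Flatten Cisco PIX/ASA syslog messages into CSV rows. Added example for the question above,
not Kiwi's export or the poster's script; SAMPLE_LOG below is constructed, not captured data."""
import csv
import io
import re
import sys

# Every ASA/PIX/FWSM message carries a "%ASA-<severity>-<6-digit id>:" tag somewhere in the line.
TAG_RE = re.compile(r"%(?:ASA|PIX|FWSM)-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
# Assumed syslog-server prefix in front of the tag: [<PRI>] [Mmm dd [yyyy] hh:mm:ss] [hostname] [:]
PREFIX_RE = re.compile(
    r"^(?:<\d+>)?\s*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+\d\d:\d\d:\d\d)?"
    r"\s*(?P<host>[A-Za-z0-9_.-]+)?\s*:?\s*$")
# 302013/302014 (TCP) and 302015/302016 (UDP): connection built / torn down.
CONN_RE = re.compile(
    r"(?P<action>Built|Teardown) (?:(?P<direction>inbound|outbound) )?"
    r"(?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)(?: \([\d.]+/\d+\))? to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)(?: \([\d.]+/\d+\))?"
    r"(?: duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?)?")
# 106023: packet denied by an interface ACL (ICMP entries carry type/code instead of ports).
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
    r'(?: \(type \d+, code \d+\))? by access-group "?(?P<acl>[\w-]+)"?')

COLUMNS = ["timestamp", "host", "severity", "msgid", "action", "direction", "proto", "conn_id",
           "src_if", "src_ip", "src_port", "dst_if", "dst_ip", "dst_port", "acl",
           "duration", "bytes", "reason", "message"]


def parse_line(line):
    """Return one flat record for a syslog line, or None if it carries no ASA/PIX tag."""
    tag = TAG_RE.search(line)
    if tag is None:
        return None
    rec = dict.fromkeys(COLUMNS, "")
    pre = PREFIX_RE.match(line[:tag.start()])
    if pre:  # an unrecognised prefix (e.g. ISO timestamps) just leaves these two columns empty
        rec["timestamp"] = pre.group("ts") or ""
        rec["host"] = pre.group("host") or ""
    rec["severity"], rec["msgid"], rec["message"] = tag.group("sev", "msgid", "body")
    m = CONN_RE.match(rec["message"])
    if m is None:
        m = DENY_RE.match(rec["message"])
        if m is not None:
            rec["action"] = "Deny"
    if m is not None:  # unknown message ids keep their text in "message" with the other columns empty
        for key, value in m.groupdict().items():
            if value is not None and key in rec:
                rec[key] = value
    return rec


def parse_lines(lines):
    """Parse an iterable of raw lines, dropping anything that is not a firewall message."""
    return [r for r in map(parse_line, lines) if r is not None]


def to_csv(lines):
    """Render the parsed records as CSV text, header row first."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(parse_lines(lines))
    return out.getvalue()


def deny_counts(records):
    """ACL denies per source address: a quick triage view of who is being blocked most."""
    counts = {}
    for rec in records:
        if rec["msgid"] == "106023":
            counts[rec["src_ip"]] = counts.get(rec["src_ip"], 0) + 1
    return counts


SAMPLE_LOG = """\
Aug 18 2014 10:59:33 asa5505 : %ASA-6-302013: Built outbound TCP connection 1187 for outside:203.0.113.20/443 (203.0.113.20/443) to inside:192.168.1.15/51515 (198.51.100.2/51515)
Aug 18 2014 10:59:38 asa5505 : %ASA-6-302014: Teardown TCP connection 1187 for outside:203.0.113.20/443 to inside:192.168.1.15/51515 duration 0:00:05 bytes 4821 TCP FINs
Aug 18 2014 11:01:02 asa5505 : %ASA-4-106023: Deny tcp src outside:198.51.100.77/4444 dst inside:192.168.1.15/22 by access-group "outside_access_in" [0x0, 0x0]
Aug 18 2014 11:01:10 asa5505 : %ASA-4-106023: Deny icmp src outside:198.51.100.77 dst inside:192.168.1.15 (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]
Aug 18 2014 11:02:00 asa5505 : %ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
not a firewall message at all
"""

if __name__ == "__main__":
    # Usage: python asa2csv.py --stdin < syslog.txt > syslog.csv (without --stdin the sample is used)
    sys.stdout.write(to_csv(sys.stdin if "--stdin" in sys.argv else SAMPLE_LOG.splitlines()))
```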

  • Converting to ASA rules base

    I am just about to start on a project where we are moving from old Cyberguard firewalls to ASA 5520 firewalls. I was wondering if anyone has a rule base conversion tool that would be able to do a lot of the basic work? And some of the NAT conversions?

    Hello Glenn
    To be honest with you, I do not think there is a conversion tool from that firewall to our ASA.
    I would recommend reading and analyzing the configuration guides for the ASA, or if you have any question related to the ASA setup, let us know.
    We will be more than glad to help!!
    Regards,
    Do rate all the helpful posts
    Julio

  • NAT 8.0 to 9.2 convert help

    I have the below config on ASA 8.0 and I need to convert it to 9.2:
    name 10.2.17.80 BV-DVR
    name 10.2.13.80 SE-DVR
    name 10.2.23.80 ES-DVR
    name 10.2.10.80 NW-DVR
    name 10.2.10.81 NW-DVR2
    name 10.2.1.76 C-DVR1
    name 10.2.1.78 C-DVR2
    name 10.2.1.80 C-DVR3
    name 10.2.19.80 WS-DVR1
    name 10.2.19.81 WS-DVR2
    name 10.2.15.80 SW-DVR
    name 10.2.11.80 M-DVR
    object-group network Camera_DVRs
     network-object host SE-DVR
     network-object host BV-DVR
     network-object host ES-DVR
     network-object host C-DVR1
     network-object host C-DVR2
     network-object host C-DVR3
     network-object host WS-DVR1
     network-object host WS-DVR2
     network-object host NW-DVR
     network-object host NW-DVR2
     network-object host SW-DVR
     network-object host M-DVR
    object-group service DM_INLINE_TCP_2 tcp
     port-object eq 8000
     port-object eq www
     port-object eq 8001
     port-object eq 8100
     port-object eq 8101
     port-object eq 8200
     port-object eq 8201
     port-object eq 8202
     port-object eq 8203
     port-object eq 8300
     port-object eq 8301
     port-object eq 8400
     port-object eq 8401
     port-object eq 8402
     port-object eq 8403
     port-object eq 8404
     port-object eq 8405
     port-object eq 8500
     port-object eq 8501
     port-object eq 8502
     port-object eq 8503
     port-object eq 8600
     port-object eq 8700
    object-group service DM_INLINE_TCP_3 tcp
     port-object eq 8000
     port-object eq www
     port-object eq 8300
     port-object eq 8301
     port-object eq 8400
     port-object eq 8401
     port-object eq 8402
     port-object eq 8403
     port-object eq 8404
     port-object eq 8405
     port-object eq 8500
     port-object eq 8501
     port-object eq 8502
     port-object eq 8503
     port-object eq 8600
     port-object eq 8700
    access-list 200 extended permit tcp any host 1.1.1.172 object-group DM_INLINE_TCP_2
    access-list 200 extended permit tcp object-group Camera_DVRs host 1.1.1.172 object-group DM_INLINE_TCP_3
    static (inside,outside) tcp 1.1.1.172 8000 BV-DVR 8000 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8001 BV-DVR 8001 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8100 SE-DVR 8100 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8101 SE-DVR 8101 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8200 NW-DVR 8200 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8201 NW-DVR 8201 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8202 NW-DVR2 8202 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8203 NW-DVR2 8203 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8300 ES-DVR 8300 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8301 ES-DVR 8301 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8400 C-DVR1 8400 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8401 C-DVR1 8401 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8402 C-DVR2 8402 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8403 C-DVR2 8403 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8404 C-DVR3 8404 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8405 C-DVR3 8405 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8500 WS-DVR1 8500 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8501 WS-DVR1 8501 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8502 WS-DVR2 8502 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8503 WS-DVR2 8503 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8600 M-DVR 8600 netmask 255.255.255.255
    static (inside,outside) tcp 1.1.1.172 8700 SW-DVR 8700 netmask 255.255.255.255
    Here is a bit of what I think I need to do....
    object network OBJ-10.2.17.80
      host 10.2.17.80
    object network OBJ-1.1.1.172
      host 1.1.1.172
    object service OBJ-TCP-8000
      service TCP source eq 8000
    object service OBJ-TCP-8000
      service TCP source eq 8000
    nat (inside,outside) source static OBJ-10.2.17.80 OBJ-1.1.1.172 service OBJ-TCP-8000 OBJ-TCP-8000
    access-list outside_access_in extended permit tcp any4 object OBJ-10.2.17.80 eq 8000
    Thanks,
    Mike

    I did not create the above config. If I had, I would never have "DM_INLINE" on anything. It is a default naming for Cisco when objects are created via ASDM, and lazy or inexperienced engineers do not correct that. Also, auditors do not like such non-descriptive names. I do not like this default behavior at all and do most everything via CLI; much better and much more control. It would be better if, when creating these in ASDM, it did not put in a default name but forced you to enter something.
    Mike

  • ASA 5520 Upgrade From 8.2 to 9.1

    To All Pro's Out There,
    I have 2 x ASA 5520 in Active/Standby state (routed, single context) running the 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version, 9.1, and as you know there are some architectural changes Cisco made to NAT statements and access lists. As one can tell, we have a monster environment in terms of NAT statements and access lists that are currently configured on the appliances.
    In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and, if needed, use it in production (in conjunction with the existing primary and secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together a smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some dos and don'ts and can provide me some options toward getting the best result: minimum downtime and a smooth upgrade.
    I appreciate all the help in advance.

    Hi,
    My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion the ASA does when rebooting straight into a new software level generates quite a lot of configuration, and it isn't really optimal.
    In your case it seems that you are in a much better situation than most people, who don't have the chance to use a test device to try out the setup before actually putting it in production.
    What you can basically do is:
    - Insert the 8.2 configuration on the test ASA, boot it straight to the higher software levels and see what the conversion has done to the ASA configuration.
    - Use the "packet-tracer" command to test whether the correct NAT rules are still hit after the conversion.
    So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware, which has basically let me configure everything ready and just switch devices for the customer. So far everything has gone really well and there have been only 1-2 mistakes in NAT configurations, because of mistyping some IP address or interface name, which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (most of them from an FWSM security context to an ASA security context).
    If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
    If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
    https://supportforums.cisco.com/docs/DOC-31116
    My personal approach when starting to convert NAT configurations for the upgrade is:
    - Collect all NAT configurations from the current ASA, including any ACLs associated with the Policy type NATs and NAT0 configurations.
    - Divide the NAT configurations based on type: Dynamic NAT/PAT, Static NAT, Static PAT, NAT0, and all Policy Dynamic/Static NAT/PAT.
    - Learn the basic configuration format for each type of NAT configuration.
    - Start by converting the easiest NAT configurations: Dynamic NAT/PAT, then Static NAT/PAT.
    - Next convert the NAT0 configurations.
    - And finally go through the Policy NAT/PAT configurations.
    - Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases, since the NAT IP address is not used anymore. In most common scenarios this usually only involves modifying the "outside" interface's ACL, but if the customer has some other links to external resources then it's highly likely that the same type of ACL changes are required on those interfaces also.
    The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
    One very important thing to notice also is that you might have a very large number of Identity NAT configurations between the local network interfaces of the ASA.
    For example:
    static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
    In the new software you can pretty much leave all of these out. If you don't need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
    Naturally you can also use these forums to ask for help with NAT configuration conversions. Even though it's a very common topic, I don't personally mind helping out with those.
    So to summarize:
    - Try out the ASA's automatic configuration conversion by simply booting to the new software levels on the test ASA you have.
    - Learn the new NAT configuration format.
    - Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
    Personally, if I were looking at the same kind of upgrade (which I will probably be looking at again soon), I would do the following:
    - Convert the configurations manually.
    - Lab/test the configurations on a test ASA.
    - When upgrading a failover pair, I would remove the standby device from the network, erase its configuration, reboot it to the new software and insert the manually written configuration.
    - Put the upgraded ASA in the device rack and have cables ready and connected to the customer devices if possible (or use the existing ones).
    - Disconnect the currently active ASA running 8.2 and connect the new ASA to the network, while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
    - Test connectivity and monitor the ASA's connection and xlate tables to confirm everything is working.
    I will add more later if anything comes to mind, as it's getting quite late here.
    Hope this helps
    - Jouni

  • Upgrade from 8.2 to 8.6 for new ASA 5515X

    Hello,
    My customer has a rather complex configuration on an ASA 5510 running version 8.2.
    They are migrating to new ASA 5515X models, which of course only support version 8.6.
    How can I convert the configuration from 8.2 to 8.6, since the new ASAs do not support the earlier versions?
    The X series seems to be a great option for new deployments, but what about replacements of existing older models?
    Thanks for any ideas everyone!
    Chris

    Hello,
    I would say go to 8.4. From there you will have the same syntax.
    There will be new commands and features on 8.6... that's for sure, but you are going to be on the same path.
    Any other question... sure... Just remember to rate all of the helpful posts.
    Julio

  • ASA 5505 VPN Group Policies (RADIUS) and tunnel group

    I have a single ASA firewall protecting a small private development network, and I need it in order to remotely access two distinct network spaces, both of which are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
    I'd like to set up AnyConnect to land on LAN 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a RADIUS bridge to allow user authentication for VPN. I can pass whichever attribute I'd like to using this RADIUS bridge (for example "Class" or "Group-Policy" or whatever is included in the RADIUS dictionaries).
    Actually all I need is quite simple. I have to segregate my remote users into 2 groups, one for AnyConnect and one for SSL, based on the RADIUS response from authentication (I don't need authorization or accounting). I'm no Cisco pro; what I've learnt is based on direct "on the field" experience.
    I'm using two RADIUS users for testing right now: one is called "kaisaron78", associated to a group policy "RemoteAC", and a second one called "manintra", associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the AnyConnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users:
    Session Type: WebVPN
    Username     : kaisaron78             Index        : 1
    Public IP    : 172.16.0.3
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
    Bytes Tx     : 518483                 Bytes Rx     : 37549
    Group Policy : RemoteAC               Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 10:59:33 CEDT Mon Aug 18 2014
    Duration     : 0h:00m:23s
    Inactivity   : 0h:00m:00s
    VLAN Mapping : N/A                    VLAN         : none
    Audt Sess ID : c0a801fa0000100053f1c075
    Security Grp : none
    Asa5505# sh vpn-sessiondb webvpn
    Session Type: WebVPN
    Username     : manintra               Index        : 2
    Public IP    : 172.16.0.3
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
    Bytes Tx     : 238914                 Bytes Rx     : 10736
    Group Policy : SSLPolicy              Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 11:01:02 CEDT Mon Aug 18 2014
    Duration     : 0h:00m:05s
    Inactivity   : 0h:00m:00s
    VLAN Mapping : N/A                    VLAN         : none
    Audt Sess ID : c0a801fa0000200053f1c0ce
    Security Grp : none
    As you can see, it seems like the policies are assigned correctly by the RADIUS attribute Group-Policy. However, you'll notice for example no VLAN mapping, even though I have declared them explicitly in the group policies themselves. This is the webvpn section of the CLI script I used to set up remote access.
    ! ADDRESS POOLS AND NAT
    names
    ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_27
     subnet 192.168.10.0 255.255.255.224
    access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
    ! RADIUS SETUP
    aaa-server OpenOTP protocol radius
    aaa-server OpenOTP (inside) host 192.168.1.8
     key ******
     authentication-port 1812
     accounting-port 1814
     radius-common-pw ******
     acl-netmask-convert auto-detect
    webvpn
     port 10443
     enable outside
     dtls port 10443
     anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
     anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
     anyconnect enable
    ! LOCAL POLICIES
    group-policy SSLPolicy internal
    group-policy SSLPolicy attributes
     vpn-tunnel-protocol ssl-clientless
     vlan 3
     dns-server value 10.5.1.5
     default-domain value management.local
     webvpn
      url-list value Management_List
    group-policy RemoteAC internal
    group-policy RemoteAC attributes
     vpn-tunnel-protocol ikev2 ssl-client
     vlan 1
     address-pools value AnyConnect_Pool
     dns-server value 192.168.1.4
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split_Tunnel_Anyconnect
     default-domain value home.local
     webvpn
      anyconnect profiles value AnyConnect_Profile_client_profile type user
    group-policy SSLLockdown internal
    group-policy SSLLockdown attributes
      vpn-simultaneous-logins 0
    ! DEFAULT TUNNEL
    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group OpenOTP
    tunnel-group DefaultWEBVPNGroup general-attributes
     authentication-server-group OpenOTP
    tunnel-group VPN_Tunnel type remote-access
    tunnel-group VPN_Tunnel general-attributes
     authentication-server-group OpenOTP
     default-group-policy SSLLockdown
    !END
    I had to set up DefaultWEBVPNGroup and RAGroup that way, otherwise I couldn't authenticate using RADIUS (login failed every time). It seems like in ASDM the VPN_Tunnel isn't assigned to the AnyConnect or Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM? I know I'm doing something wrong but I can't see where the problem is. I've been struggling with this since May 2nd, and I really need to finish setting this up ASAP!!!!
    Any help will be more than appreciated.
    Cesare Giuliani

    Ok, it makes sense.
    Last question, then I'll try and report any success/failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported RADIUS attributes. Actually I'm using number 25, Group-Policy, in order to get the correct group policy assigned to users. I see in that list an attribute 146, Tunnel-Group-Name. Will it work for the purpose you explained in the previous post? I mean, if I set up two tunnel groups instead of 1, one for AnyConnect with its own alias and its own URL, and one for SSL VPN again with its own alias and URL, do you think that using that attribute will place my users logging in into the correct tunnel group?
    Thank you again for your precious and kind help, and for your patience as well!
    Cesare Giuliani

  • ASA 5520 upgrade from 8.4.6 to 9.1.2

    Dear All,
    I have an ASA 5520 in Active/Standby failover configuration. I want to know if I can upgrade it from 8.4.6 to 9.1.2 using the zero downtime upgrade process mentioned on the Cisco site.
    Below is the process:
    Upgrade an Active/Standby Failover Configuration
    Complete these steps in order to upgrade two units in an Active/Standby failover configuration:
    1. Download the new software to both units, and specify the new image to load with the boot system command. Refer to Upgrade a Software Image and ASDM Image using CLI for more information.
    2. Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:
    active#failover reload-standby
    3. When the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.
    active#no failover active
    Note: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.
    4. Reload the former active unit (now the new standby unit) by entering the reload command:
    newstandby#reload
    5. When the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:
    newstandby#failover active
    This completes the process of upgrading an Active/Standby Failover pair.
    Also, after the upgrade are there any changes required after the IOS migration (i.e. are there any changes in the command line between 8.4.6 and 9.1.2)?
    It is mentioned on the Cisco site that:
    Major Release: You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.

    Hi Tushar,
    The steps you mentioned are perfectly fine. There is no major difference in the commands of the 2 versions; it's just that in access rules from 9.1 you have to use any4 instead of any for IPv4 and any6 for IPv6. During conversion it will get converted automatically.
    Also, please refer to the following document (release notes of 9.1.2) for viewing the new features added in that version:
    http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp685480
    - Prateek Verma

  • NAT configuration on PIX to ASA

    Hi,
    I have the below configuration on my PIX 8.0 which I want to convert to ASA 9.1:
    nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound
    access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
    access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
    access-list Cust-DMZ_nat0_outbound extended permit ip host 172.29.83.2 host 172.29.83.1
    access-list Cust-DMZ_nat0_outbound extended permit ip host 202.138.123.75 host 10.10.11.20
    access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 host 10.10.50.150
    And, there is no "NAT (global) 0 " command in PIX for this configuration.
    How can I use this in ASA..?
    Regards,
    Ninad

    Hi,
    The configuration is going to be bigger at least. I liked the NAT0 more in the old software, when you could use the ACL configuration to handle it and not bloat the NAT configuration needlessly.
    There are some strange ACEs in that ACL. I mean the rules where the source and destination seem to be either from the same subnet or just simply host addresses (perhaps loopback interface IP addresses somewhere in the network?) that you wouldn't expect to use the firewall to communicate. Though I will assume those configurations are needed.
    You could try the following configuration, though I naturally suggest perhaps coming up with some other naming policy for the "object" configuration if needed.
    object network HOST-10.2.1.175
     host 10.2.1.175
    object network HOST-10.10.49.30
     host 10.10.49.30
    object network HOST-1.1.1.58
     host 1.1.1.58
    object network HOST-1.1.1.57
     host 1.1.1.57
    object network HOST-172.29.83.2
     host 172.29.83.2
    object network HOST-172.29.83.1
     host 172.29.83.1
    object network HOST-202.138.123.75
     host 202.138.123.75
    object network HOST-10.10.11.20
     host 10.10.11.20
    object network HOST-10.14.1.11
     host 10.14.1.11
    object network HOST-10.10.50.150
     host 10.10.50.150
    nat (Cust-DMZ,any) source static HOST-10.2.1.175 HOST-10.2.1.175 destination static HOST-10.10.49.30 HOST-10.10.49.30
    nat (Cust-DMZ,any) source static HOST-1.1.1.58 HOST-1.1.1.58 destination static HOST-1.1.1.57 HOST-1.1.1.57
    nat (Cust-DMZ,any) source static HOST-172.29.83.2 HOST-172.29.83.2 destination static HOST-172.29.83.1 HOST-172.29.83.1
    nat (Cust-DMZ,any) source static HOST-202.138.123.75 HOST-202.138.123.75 destination static HOST-10.10.11.20 HOST-10.10.11.20
    nat (Cust-DMZ,any) source static HOST-10.14.1.11 HOST-10.14.1.11 destination static HOST-10.10.50.150 HOST-10.10.50.150
    Notice that I configured the destination interface as "any". With that setting it should determine the destination interface based on your ASA's routing table. I personally tend to define that interface but can't do that in this case, as I can't see your routing configuration or routing table.
    If you want to read up on the new NAT configuration format you can check a document that I wrote in 2013.
    Sadly the update to these forums also changed the layout of the document a bit, and some things aren't really as I wish them to be.
    https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
    Hope this helps :)
    - Jouni
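    Jouni's manual conversion approach, applied to the statement kinds in this thread and in the "NAT 8.0 to 9.2 convert help" thread above, as an added example that is not code from either post or from Cisco: it rewrites name, static (plain and port-forwarding) and nat 0 access-list lines as 8.3+ object NAT and twice NAT, leaves out identity statics between local interfaces as recommended above, and echoes anything it does not understand as a comment for manual review. The OBJ-/HOST-/NET- object naming and the sample input are assumptions of mine, and the interface ACLs still have to be rewritten by hand to the real addresses.

```python
"""Convert pre-8.3 ASA NAT statements (name / static / nat 0 access-list) into the 8.3+ object
NAT and twice NAT format. Added example, not Cisco's migration code; the OBJ-/HOST-/NET- object
names are my own convention and OLD_CONFIG is a constructed sample."""
import ipaddress
import re

NAME_RE = re.compile(r"^name (\S+) (\S+)")
STATIC_PAT_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask 255\.255\.255\.255")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")

def net_object(names, token, mask="255.255.255.255"):
    """Return (object name, config lines) for a host or subnet; 'name' aliases are resolved first."""
    ip = names.get(token, token)
    if mask == "255.255.255.255":
        return "HOST-" + ip, ["object network HOST-" + ip, " host " + ip]
    net = ipaddress.IPv4Network((ip, mask), strict=False)
    obj = "NET-%s_%d" % (net.network_address, net.prefixlen)
    return obj, ["object network " + obj, " subnet %s %s" % (net.network_address, net.netmask)]

def parse_addr(names, tokens):
    """Consume one ACE address spec ('any', 'host X' or 'X MASK'); return (object, lines, rest)."""
    if tokens[0] == "any":
        return "any", [], tokens[1:]
    if tokens[0] == "host":
        return net_object(names, tokens[1]) + (tokens[2:],)
    return net_object(names, tokens[0], tokens[1]) + (tokens[2:],)

def convert(old_config):
    """Translate old-format statements into a list of 8.3+ config lines; unknown ones are echoed as comments."""
    lines = [l.strip() for l in old_config.splitlines() if l.strip()]
    names = {m.group(2): m.group(1) for m in map(NAME_RE.match, lines) if m}
    nat0_acls = {m.group(2): m.group(1) for m in map(NAT0_RE.match, lines) if m}  # acl -> real interface
    out, seen, aces = [], set(), {}
    def emit(obj, obj_lines):  # define each object once; an object may carry only one nat statement
        if obj in seen and any(l.startswith(" nat ") for l in obj_lines):
            out.append("! %s already defined, give this rule its own object: %s" % (obj, obj_lines[-1].strip()))
        elif obj not in seen:
            seen.add(obj)
            out.extend(obj_lines)

    for line in lines:
        if NAME_RE.match(line) or NAT0_RE.match(line):
            continue
        m = STATIC_PAT_RE.match(line)
        if m:
            real_if, map_if, proto, mapped, mport, real, rport = m.groups()
            mapped, real = names.get(mapped, mapped), names.get(real, real)
            obj = "OBJ-%s-%s-%s" % (real, proto.upper(), rport)  # one object per port forward
            emit(obj, ["object network " + obj, " host " + real,
                       " nat (%s,%s) static %s service %s %s %s" % (real_if, map_if, mapped, proto, rport, mport)])
            continue
        m = STATIC_RE.match(line)
        if m:
            real_if, map_if, mapped, real, mask = m.groups()
            if names.get(mapped, mapped) == names.get(real, real):
                # Identity static between local interfaces: 8.3+ needs no rule for un-NATed traffic.
                out.append("! omitted identity static, not needed in 8.3+: " + line)
                continue
            robj, rlines = net_object(names, real, mask)
            if mask == "255.255.255.255":
                target = names.get(mapped, mapped)  # a mapped host may be written inline
            else:
                target, mlines = net_object(names, mapped, mask)
                emit(target, mlines)  # a mapped subnet must itself be an object
            emit(robj, rlines + [" nat (%s,%s) static %s" % (real_if, map_if, target)])
            continue
        m = ACE_RE.match(line)
        if m and m.group(1) in nat0_acls:
            aces.setdefault(m.group(1), []).append(m.group(2).split())
            continue
        out.append("! not converted, review by hand: " + line)  # includes interface ACLs, which now need real addresses

    # nat 0 access-list -> twice NAT identity rules (section 1, evaluated before object NAT, like the old exemption)
    for acl, real_if in nat0_acls.items():
        for tokens in aces.get(acl, []):
            src, src_lines, rest = parse_addr(names, tokens)
            dst, dst_lines, _ = parse_addr(names, rest)
            emit(src, src_lines)
            emit(dst, dst_lines)
            rule = "nat (%s,any) source static %s %s" % (real_if, src, src)
            if dst != "any":
                rule += " destination static %s %s" % (dst, dst)
            out.append(rule)
    return out

OLD_CONFIG = """name 10.2.17.80 BV-DVR
static (inside,outside) tcp 1.1.1.172 8000 BV-DVR 8000 netmask 255.255.255.255
static (inside,outside) 1.1.1.173 10.2.1.76 netmask 255.255.255.255
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
access-list Cust-DMZ_nat0_outbound extended permit ip 172.29.83.0 255.255.255.0 any
global (outside) 1 interface
"""

if __name__ == "__main__":
    print("\n".join(convert(OLD_CONFIG)))
```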

  • NAT Problems Converting from 7.2(2) to 8.6(1)2

    I am trying to replace an ASA 5510 running 7.2(2) with an ASA 5515X running 8.6(1)2. The problem I am having is that the NAT entries are not working on the ASA 5515X. Is there anything that needs to be considered when moving the configuration from the ASA 5510 to the ASA 5515X?

    Hi,
    The ASA's NAT configuration format underwent a big change when going from 8.2 to 8.3. The NAT configuration format changed completely and therefore none of the old NAT configurations work anymore. These are "global", "nat" and "static". The actual NAT configurations still start with the command "nat", but otherwise are in a totally different format.
    Your new ASA 5500-X series firewall can only use 8.6 or above software level. That is its "oldest" software. Therefore you can't use your old configuration on it. People who simply upgrade the software on the original ASA 5500 series will be able to just boot their ASA to the new software. Though while the ASA then migrates the NAT configurations to the new format, the results aren't always the best.
    One major change would also be ACLs. In the new software you will always use the real IP address in the interface ACL when allowing traffic somewhere. So even if you were allowing traffic to some server (that has a static NAT configured on the ASA) you would now use the real IP address as the destination rather than the NAT IP address. This is mainly due to the fact that the ASA now handles NAT before the ACL in the new software.
    There are also some minor changes to the commands related to VPN configurations.
    But the above are the biggest changes.
    How large NAT configuration do you have on the original ASA5510? If we are not talking about a huge configuration I could probably help with converting the NAT configurations.
    Here is a document I wrote about the new NAT configuration format
    https://supportforums.cisco.com/docs/DOC-31116
    Here is also a good document that might help you compare the old and new NAT configuration formats
    https://supportforums.cisco.com/docs/DOC-9129
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed.
    - Jouni
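    As an added illustration of the conversion Jouni describes (example code written for this thread, not a Cisco tool or anything posted in it), the script below rewrites only the plain one-to-one `static` case into 8.3+ object NAT and repoints ACL destinations from the mapped address to the real address; every other pre-8.3 NAT line (dynamic `nat`/`global`, `nat 0` exemption, port or policy statics) raises so it is reviewed by hand. The sample configuration and the `OBJ-` object naming are constructed for the example.

```python
import re

# Constructed sample of a pre-8.3 ASA configuration (not from the thread).
OLD_CONFIG = """\
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.20 172.16.0.20 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-list outside_in extended permit tcp any host 203.0.113.20 eq 443
access-group outside_in in interface outside
"""

# One-to-one static: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask /32
STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<mapped_ip>[\d.]+) "
    r"(?P<real_ip>[\d.]+) netmask 255\.255\.255\.255$"
)


def convert_static_nat(old_config: str) -> str:
    """Rewrite one-to-one 'static' lines into 8.3+ object NAT and repoint
    ACL destinations from the mapped (NAT) address to the real address.
    Any other pre-8.3 NAT line raises so it gets reviewed by hand."""
    objects, rest, mapping = [], [], {}
    for line in old_config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            name = "OBJ-" + m["real_ip"].replace(".", "-")  # hypothetical naming
            mapping[m["mapped_ip"]] = m["real_ip"]
            objects += [
                f"object network {name}",
                f" host {m['real_ip']}",
                f" nat ({m['real']},{m['mapped']}) static {m['mapped_ip']}",
            ]
        elif line.startswith(("static ", "nat ", "global ")):
            # dynamic nat/global, nat 0 exemption, port or policy statics
            raise ValueError(f"needs manual conversion: {line}")
        else:
            rest.append(line)
    # On 8.3+ NAT runs before the ACL check, so ACLs match real addresses.
    for i, line in enumerate(rest):
        if line.startswith("access-list "):
            for mapped_ip, real_ip in mapping.items():
                line = re.sub(rf"host {re.escape(mapped_ip)}(?!\S)",
                              f"host {real_ip}", line)
            rest[i] = line
    return "\n".join(objects + rest) + "\n"


if __name__ == "__main__":
    print(convert_static_nat(OLD_CONFIG))
```

    Diff the script's output against what the ASA produces when it boots the new software, and keep the manual-review path for anything it rejects.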

  • ASA 8.2 configuration for an ASA 9.1(1) device

    Hello, I have a configuration file from a 5510 running ASA ver 8.2.
    I have a brand new ASA5525 running ASA ver 9.1(1).
    It is my understanding the configuration syntax is different between these versions.
    I need to take this config I have and somehow auto-format it to work with 9.1(1). Upgrade is not an option since the firewall is already on 9.1(1).
    Anyone know how I would go about this?

    Hi,
    I think you can use this document to understand the syntax changes and you will find the corresponding syntax for ASA 9.x as well.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html
    Also, you can check out this automated tool as well:
    http://www.tunnelsup.com/nat-converter
    I would recommend going through and manually converting the configuration to prevent any errors.
    Thanks and Regards,
    Vibhor Amrodia

  • What are best practices for connecting asa to nexus 5000

    Just trying to get a feel for the best way to connect redundant ASAs to redundant Nexus 5000s.
    Using a vPC VLAN is fine, but then running a routing protocol isn't supported, so putting static routes on the 5000 works, but it doesn't support IP SLA yet so you can't really stop distributing the default if your internet goes down. Just looking for what was recommended.

    You want to test a RAC upgrade on a non-RAC database. If you ask me that is a risk, but it depends on many things:
    Application configuration - If your application is configured for RAC, FAN etc. you cannot test it on non-RAC systems.
    Cluster upgrade - If your standalone database is RAC One Node you can probably test your cluster upgrade there. If you have a non-RAC database then you will not be able to test the cluster upgrade or CRS.
    Database upgrade - There are differences when you upgrade a RAC vs a non-RAC database which you will not be able to test.
    I think the best way for you is to convert your standalone database to a RAC One Node database and test it. That will take you close to multi-node RAC.
