Migration WatchGuard to ASA

Anyone know about a tool to migrate WatchGuard config to ASA?

I've never come across such a tool.
I believe you'll need to do a manual configuration of the ASA to match the Watchguard settings.

Similar Messages

  • Migration cisco concentrator to ASA

    Hi,
    we want to migrate from concentrator to ASA.
    I know that there was a cisco internal tool to adapt the concentrator configuration.
    Is this tool still internal or could it be downloaded somewhere?
    Thanks for your help.

    Hi Martin,
    What version of Concentrator are you currently using? If you are using a VPNC 3000 series, you can view the recommended upgrade path to an ASA via the following link (see "Product Migration Options" at the bottom of the document)
    http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html
    Mike

  • Migrating from FWSM to ASA Service Module (ASASM)

    I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period.
    With that in mind, can anyone confirm whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything.
    In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
    Thanks in advance.

    So long as the chassis has enough power for these modules you are good.
    Up to 4 FWSMs can be installed in a chassis.
    Up to 4 ASA-SM modules can be installed in a chassis.
    FWSM:
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html
    • Up to 4 FWSMs (20 Gbps) per Catalyst 6500 chassis
    ASA-SM
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/qa_c67-662207.html
    Q. How many ASA Services Modules can I place in a Cisco Catalyst 6500 Series chassis?
    A. Up to four independent ASA Services Modules can simultaneously run in a Cisco Catalyst 6500-E Series chassis.
    -Kureli
    Checkout my breakout session at Cisco Live 2013, Orlando, Florida.
    BRKSEC-2024 Deploying Next-Generation Firewall Services on the ASA 
    Room 314A Tuesday, June 25 3:00 PM - 4:30 PM

  • Context Migration from FWSM to ASA

    Hi there ,
    What would be the best way to migrate a context from FWSM to ASA (non-SM) with minimal downtime & effort?
    I am thinking of these steps:
    1) Preconfigure the new ASA with the same IP address as the FWSM for the interfaces (keep the ASA subinterfaces in shut state), configure access rules.
       (Want to retain the same IP for the interfaces, since there are many hosts behind the FWSM with this gateway IP configured)
    2) Shut the context-specific interfaces on the FWSM & bring up the context-specific interfaces on the ASA.
       (Also a query: if I introduce the ASA into the network with the same IP as the FWSM, though the interfaces would be in shut state, should I expect any IP conflicts?)
    Thanks

    Hi,
    Well, you probably have the option to configure the old FWSM's interface MAC address on the ASA's corresponding interface manually; this way there will be no change in ARP from the perspective of the server/host.
    I guess depending on whether you have a single firewall or a failover pair the command is a bit different, as you define either 1 or 2 MAC addresses.
    I think this was the command to modify the MAC address:
    http://www.cisco.com/en/US/docs/security/asa/command-reference/m1.html#wp2111205
    - Jouni

  • Migration ASA 8.6.1.10 to 9.0.2

    My question is:
    Are there any specific migration paths from ASA release 8.6 to 9.0?
    I have observed that no migration is done for the object ANY to ANY4.
    I have observed that migration is done from ASA 8.4.6 to 9.0.

    Hi,
    To my understanding the 8.6 software level is basically the starting software level of the new ASA5500-X series.
    I guess you could consider 8.3 or 8.4 the first new software releases of the original ASA5500 series.
    With that being said, it would seem to me that if you have an ASA5500-X series device there is not really any software jump you can do from 8.6 other than to 9.0 or 9.1 series software.
    I have mostly switched between 8.x and 9.x software on my test ASAs and have not faced any problems so far.
    It would seem strange to me that no ACL migration would be done from 8.6 to 9.0? The release notes do suggest that this should happen. I do have a new ASA5515-X but haven't had the time to test it much yet.
    - Jouni
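
Added example for the 8.6 to 9.0 ACL migration question above (my own script, not Cisco's upgrade logic): in 9.0 the bare `any` keyword covers IPv4 and IPv6, and the upgrade is expected to rewrite existing IPv4 entries to `any4`. This script performs that rewrite on `access-list` lines and audits a post-upgrade config for entries still carrying a bare `any`, so you can tell whether the migration ran. The configuration fragment, ACL names and object names are constructed; the script deliberately skips `remark` lines, leaves object names such as ANY_HOSTS alone, and covers extended ACL entries only, not NAT statements.

```python
import re
from typing import List, Tuple

# Constructed pre-upgrade configuration fragment (not from the post); all names are hypothetical.
SAMPLE_CONFIG = """\
object-group network ANY_HOSTS
 network-object host 10.1.1.5
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-list INSIDE_OUT extended permit ip object-group ANY_HOSTS any
access-list INSIDE_OUT extended permit ip any4 host 198.51.100.7
access-list INSIDE_OUT remark any traffic from the lab
"""

# A stand-alone "any" token: not "any4"/"any6" and not part of a name such as any-hosts.
_BARE_ANY = re.compile(r"(?<![\w-])any(?![\w-])")


def migrate_line(line: str) -> str:
    """Rewrite bare 'any' to 'any4' on an access-list entry; other lines are returned as-is."""
    if not line.startswith("access-list ") or " remark " in line:
        return line
    return _BARE_ANY.sub("any4", line)


def migrate_any_to_any4(config: str) -> Tuple[str, int]:
    """Apply migrate_line to a whole config; returns (new config, number of lines changed)."""
    out: List[str] = []
    changed = 0
    for line in config.splitlines():
        new = migrate_line(line)
        changed += new != line
        out.append(new)
    return "\n".join(out) + "\n", changed


def unmigrated_acl_lines(config: str) -> List[str]:
    """Post-upgrade audit: access-list entries that still carry a bare 'any' (IPv4+IPv6 in 9.0)."""
    return [l for l in config.splitlines()
            if l.startswith("access-list ") and " remark " not in l and _BARE_ANY.search(l)]


if __name__ == "__main__":
    migrated, count = migrate_any_to_any4(SAMPLE_CONFIG)
    print(f"{count} line(s) rewritten")
    print(migrated)
    print("still unmigrated:", unmigrated_acl_lines(migrated))
```

Run the audit against `show running-config access-list` output captured after the upgrade: an empty result means every IPv4 entry was rewritten, a non-empty one lists the entries that now also match IPv6 traffic.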

  • Dynamic PAT and Static NAT issue ASA 5515

    Hi All,
    Recently we migrated our network to an ASA 5515. Since we had configured NAT pool overload on our existing router, the users are able to translate their IPs outside. Right now my issue is that when I use the existing NAT configured on our router in the firewall, it seems that the translation is not successful; actually I used Dynamic NAT. When I use Dynamic PAT (Hide) all users are able to translate to the said public IPs. I know that PAT is Port Address Translation, but when I use static NAT for a specific server, the Static NAT is not able to translate. Can anyone explain if there's any conflict with PAT to Static NAT? I appreciate your response. Thanks!
    - Bhal

    Hi,
    I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and the Static NAT configured as a Section 2 rule, which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
    The very basic configuration for Static NAT and Default PAT I would do in the following way:
    object network STATIC
    host
    nat (inside,outside) static dns
    object-group network DEFAULT-PAT-SOURCE
    network-object
    nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as a Section 3 rule).
    This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration, I gave the reason that I think is probably one of the most likely ones if there is some conflict between the 2 NAT rules.
    You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
    https://supportforums.cisco.com/docs/DOC-31116
    Hope this helps
    - Jouni
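
Added example, not part of Jouni's reply: a small Python model of the ASA NAT table ordering he describes (Section 1 manual NAT in configuration order, Section 2 network object NAT, Section 3 manual NAT with `after-auto`, first match wins), showing why a manual dynamic PAT for the whole subnet shadows a Section 2 static rule for one host until it is moved to Section 3. Addresses and rule names are constructed (RFC 5737 ranges); the model matches on the real source address only and ignores interfaces and destination, and the Section 2 sort is the simplified static-before-dynamic, fewest-addresses-first ordering.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NatRule:
    name: str
    kind: str            # "manual" = twice/manual NAT, "object" = network object NAT
    mode: str            # "static" or "dynamic"
    real_src: str        # real (pre-NAT) source network, e.g. "10.1.1.0/24"
    mapped: str          # mapped address, or "interface" for PAT to the egress interface
    after_auto: bool = False   # manual NAT configured with "after-auto" lands in Section 3

    @property
    def section(self) -> int:
        if self.kind == "object":
            return 2
        return 3 if self.after_auto else 1

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.real_src)


def nat_table_order(rules: List[NatRule]) -> List[NatRule]:
    """Order rules the way the ASA evaluates them: Section 1, then 2, then 3.

    Sections 1 and 3 keep configuration order. Within Section 2 the ASA puts
    static before dynamic, then fewer real addresses first, then the lower
    address, then the object name (simplified model, source address only)."""
    config_pos = {id(r): i for i, r in enumerate(rules)}

    def key(r: NatRule):
        if r.section == 2:
            return (2, 0 if r.mode == "static" else 1, r.network.num_addresses,
                    int(r.network.network_address), r.name, 0)
        return (r.section, 0, 0, 0, "", config_pos[id(r)])

    return sorted(rules, key=key)


def lookup(rules: List[NatRule], real_src_ip: str) -> Optional[NatRule]:
    """First matching rule in table order wins (interfaces/destination ignored here)."""
    ip = ipaddress.ip_address(real_src_ip)
    for r in nat_table_order(rules):
        if ip in r.network:
            return r
    return None


# Constructed rules mirroring the two layouts discussed above (hypothetical addresses).
STATIC_SERVER = NatRule("STATIC", "object", "static", "10.1.1.10/32", "203.0.113.10")


def default_pat(after_auto: bool) -> NatRule:
    return NatRule("DEFAULT-PAT", "manual", "dynamic", "10.1.1.0/24", "interface", after_auto)


# Manual PAT without after-auto sits in Section 1 and shadows the Section 2 static rule.
BROKEN = [default_pat(after_auto=False), STATIC_SERVER]
# Manual PAT with after-auto sits in Section 3, so the static rule is consulted first.
FIXED = [default_pat(after_auto=True), STATIC_SERVER]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        hit = lookup(rules, "10.1.1.10")
        print(f"{label}: 10.1.1.10 -> {hit.name} (section {hit.section}, mapped {hit.mapped})")
```

On a real ASA, `show nat` prints the table in this evaluated order with hit counters per rule, which is the quickest way to confirm which rule is actually catching the server's traffic.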

  • Command to View LDAP Password on Cisco ASA 5520

    Hello
    I am migrating from a Cisco ASA 5520 (ASA version 8.4(6)5) to a Cisco ASA 5585. We have LDAP issues logging in to our VPN client software. I assume the LDAP password may be incorrectly entered on the new 5585. No service password-encryption or more running:config won't show the encrypted LDAP password. What is the command to view that?
    Thanks!
    Matt

    Thank you Jennifer for the response.
    Could you please help me with how to enable the "memberOf" attribute on AD to be pushed to the ASA for the OU matching.
    I have already set the "Remote Dial-in" property of user account "testvendor" in AD to "Allow Access". It can be seen in the debug output below.
    [454095] sAMAccountName: value = testvendor
    [454095] sAMAccountType: value = 805306368
    [454095] userPrincipalName: value = [email protected]
    [454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
    [454095] msNPAllowDialin: value = TRUE
    [454095] dSCorePropagationData: value = 20111026081253.0Z
    [454095] dSCorePropagationData: value = 20111026080938.0Z
    [454095] dSCorePropagationData: value = 16010101000417.0Z
    Are there any other settings that I need to do on AD?
    Kindly advise.
    Regards
    Shiji

  • Moving a 32 bit Oracle 9i database to 64 bit on a different server

    Hello,
    We have a 24 GB database on Oracle 9.2.0.7 (32-bit). As the hardware of this server is getting obsolete, it is planned to move this instance to another server, which has 64-bit Oracle software of the same version (9.2.0.7). In this scenario what is the best way to move the instance?
    Is it only the full export from the 32-bit server and import into the 64-bit server (after creating the instance there)?
    Since this is a 24 GB database, and the target server has 8 GB of RAM, any pointers on how long the import process can take?
    There is documentation to change the word size; I can run utlirp.sql as suggested here:
    http://www.orafaq.com/forum/?t=rview&goto=258668#msg_258668
    But I have some doubts as I mentioned in that post. Can you please share your suggestions?
    Thanks,
    Nirav

    Hi,
    Is there some document or steps to follow when creating the instance on the new server? The database move is easy, and here is one way to move the schema, fast:
    http://www.dba-oracle.com/oracle_tips_db_copy.htm
    And then, you just run the script to change the wordsize for 64-bit:
    Also, after your migration, watch out for common performance issues:
    http://www.dba-oracle.com/t_bad_poor_performance_upgrade_migration_32_64_bit.htm
    Also, note that Oracle has changed the optimizer costing model from "IO" to "CPU" in 10g, and shops that combine an upgrade to 64-bit servers with a 10g migration may want to look at changing the new default for _optimizer_cost_model.
    Going 64-bit means that you can now allocate very large RAM data buffers and increase your shared_pool_size above two gigabytes. However, it is important to remember that there are downsides to having a super-large db_cache_size. While direct access to data is done with hashing, there are times when the database must examine all of the blocks in the RAM cache. These types of databases may not always benefit from an upgrade to a 64-bit server:
    Systems with high invalidations: Whenever a program truncates a table, uses temporary tables, or runs a large data purge, Oracle must sweep all of the blocks in the db_cache_size to remove dirty blocks. This can cause excessive overhead for systems with a db_cache_size greater than 10 gigabytes.
    High update systems: The database writer (DBWR) process must sweep all of the blocks in db_cache_size when performing an asynchronous write. Having a huge db_cache_size can cause excessive work for the database writer. Some shops dedicate a separate, smaller data buffer (of a different blocksize) for high-update objects.
    RAC systems: Oracle RAC and Grid do not perform optimally with super-large data buffer RAM, as available in 64-bit systems. You may experience high cross-instance calls when using a large db_cache_size in multiple RAC instances. This inter-instance "pinging" can cause excessive overhead, and that is why RAC DBAs try to segregate RAC instances to access specific areas of the database. This is why Oracle 10g grid server blades generally contain only 4 GB RAM.
    Hope this helps. . .
    Don Burleson
    Oracle Press author
    Author of “Oracle Tuning: The Definitive Reference”
    http://www.dba-oracle.com/bp/s_oracle_tuning_book.htm

  • Phase 2 tunnel is not going up between PIX 525 and Watchguard

    Hi Folks,
    Can you please help me find out where the problem is lying? Currently I am trying to establish a VPN tunnel between a PIX firewall and a WatchGuard; all the parameters of both devices are the same, though the Phase 2 tunnel is not coming up.
    Here is the debug:
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0
    ISAKMP (0): processing NONCE payload. message ID = 0
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match MINE hash
    hash received: b3 8f bb 0 93 3b 65 e8 35 6f 54 6 c4 6f 59 cc
    my nat hash : dd 70 9 ac 35 58 40 da 3b 5b fc 1b 4c 87 d2 11
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match HIS hash
    hash received: ba 72 c5 e 5b fb 88 f0 1e f7 8a ba c9 c6 c1 cc
    his nat hash : c 4c 89 a5 66 c1 dd 80 76 48 3f a5 b0 f0 56 ed
    ISAKMP (0:0): constructed HIS NAT-D
    ISAKMP (0:0): constructed MINE NAT-D
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated
    ISAKMP: Created a peer struct for 212.37.17.43, peer port 37905
    ISAKMP: Locking UDP_ENC struct 0x3cbb634 from crypto_ikmp_udp_enc_ike_init, count 1
    ISAKMP (0): ID payload
    next-payload : 8
    type : 2
    protocol : 17
    port : 0
    length : 23
    ISAKMP (0): Total payload length: 27
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    VPN Peer: ISAKMP: Added new peer: ip:212.37.17.43/4500 Total VPN Peers:16
    VPN Peer: ISAKMP: Peer ip:212.37.17.43/4500 Ref cnt incremented to:1 Total VPN Peers:16
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 3168983470
    ISAKMP (0): processing notify INITIAL_CONTACT
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 484086886
    ISAKMP : Checking IPSec proposal 1
    ISAKMP: transform 1, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (basic) of 28800
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (basic) of 32000
    ISAKMP: encaps is 61433
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): SA not acceptable!
    ISAKMP (0): sending NOTIFY message 14 protocol 0
    return status is IKMP_ERR_NO_RETRANS
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
    crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    crypto_isakmp_process_block:src:213.210.211.82, dest:212.118.128.233 spt:500 dpt:500
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 287560609
    ISAMKP (0): received DPD_R_U_THERE from peer 213.210.211.82
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANS
    ISAKMP (0): retransmitting phase 1 (0)...
    Thanks,
    Ismail

    Hi Kanishka,
    The Phase 2 parameters are the same; also PFS is disabled!
    There are some curious things in the debug messages; could you please throw some light on them?
    ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash MD5
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP: default group 1
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload
    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): processing vendor id payload
    What does "vendor ID is NAT-T" above mean? Is it saying that both sides are using NAT traversal?
    Also in encryption it says encryption 3DES-CBC.
    I am not sure if this CBC is the culprit, because that's what WatchGuard uses; it does not have an option for only 3DES.
    Strangely enough, Phase 1 is getting up. I am also questioning myself about the following message appearing in Phase 1:
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match MINE hash
    hash received: b3 8f bb 0 93 3b 65 e8 35 6f 54 6 c4 6f 59 cc
    my nat hash : dd 70 9 ac 35 58 40 da 3b 5b fc 1b 4c 87 d2 11
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match HIS hash
    hash received: ba 72 c5 e 5b fb 88 f0 1e f7 8a ba c9 c6 c1 cc
    his nat hash : c 4c 89 a5 66 c1 dd 80 76 48 3f a5 b0 f0 56 ed
    ISAKMP (0:0): constructed HIS NAT-D
    ISAKMP (0:0): constructed MINE NAT-D
    return status is IKMP_NO_ERROR
    How come Phase 1 is coming up though the PIX is claiming that its hash is not the same as HIS hash :(
    The log messages on WatchGuard state that there is no proposal chosen!
    Why are both firewalls not friends?
    I appreciate any input
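
Added example for the debug above (my own parser, not Cisco's tooling). The NAT-D lines are NAT detection, not authentication: each peer sends hashes of the source and destination address/port as it sees them, and when a received hash does not match the value computed locally, that address was rewritten in transit. The peers then move IKE and ESP to UDP 4500, which is exactly what the following `spt:4500 dpt:4500` lines show, and Phase 1 still authenticates. Phase 2 fails on the offered IPsec transform (`atts not acceptable`), but the debug does not say which attribute the PIX rejected, so the script extracts the offered transform (cipher, integrity, lifetimes, encapsulation mode) and diffs it against a local transform set. The sample is a trimmed copy of the posted debug; the local transform set (3DES with SHA-1 HMAC) is an assumption made to illustrate the comparison, not the poster's configuration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: a trimmed copy of the PIX debug lines quoted in the post above.
SAMPLE_DEBUG = """\
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match HIS hash
crypto_isakmp_process_block:src:212.37.17.43, dest:212.118.128.233 spt:4500 dpt:4500
OAK_QM exchange
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (basic) of 32000
ISAKMP: encaps is 61433
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
"""


@dataclass
class IkeSummary:
    nat_local: bool = False        # peer's hash of our address did not match: NAT on our path
    nat_remote: bool = False       # peer's hash of its own address did not match: NAT on its path
    floated_to_4500: bool = False  # NAT-T took effect: IKE/ESP now on UDP 4500
    proposals: List[Dict[str, str]] = field(default_factory=list)
    phase2_rejected: bool = False


_PORTS = re.compile(r"spt:(\d+) dpt:(\d+)")
_TRANSFORM = re.compile(r"transform \d+, (\S+)")
_LIFE_TYPE = re.compile(r"SA life type in (\w+)")
_LIFE_DUR = re.compile(r"SA life duration \(basic\) of (\d+)")
_ENCAPS = re.compile(r"encaps is (\d+)")
_AUTH = re.compile(r"authenticator is (\S+)")


def parse_isakmp_debug(text: str) -> IkeSummary:
    """Pull NAT detection, NAT-T float and the Phase 2 proposal(s) out of a PIX/ASA ISAKMP debug."""
    s = IkeSummary()
    proposal: Optional[Dict[str, str]] = None
    life_type: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if "NAT does not match MINE hash" in line:
            s.nat_local = True
        elif "NAT does not match HIS hash" in line:
            s.nat_remote = True
        elif "atts not acceptable" in line or "SA not acceptable" in line:
            s.phase2_rejected = True
        elif "Checking IPSec proposal" in line:
            proposal = {}
            s.proposals.append(proposal)
        m = _PORTS.search(line)
        if m and m.groups() == ("4500", "4500"):
            s.floated_to_4500 = True
        if proposal is None:
            continue
        for rx, keyname in ((_TRANSFORM, "encryption"), (_ENCAPS, "encaps"), (_AUTH, "authenticator")):
            m = rx.search(line)
            if m:
                proposal[keyname] = m.group(1)
        m = _LIFE_TYPE.search(line)
        if m:
            life_type = m.group(1)          # "seconds" or "kilobytes"; the value follows on the next line
        m = _LIFE_DUR.search(line)
        if m and life_type:
            proposal[f"life_{life_type}"] = m.group(1)
    return s


# Assumed local IPsec transform set (not from the post): esp-3des esp-sha-hmac.
LOCAL_TRANSFORM = {"encryption": "ESP_3DES", "authenticator": "HMAC-SHA"}


def mismatches(proposal: Dict[str, str], local: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Attributes where the peer's offer differs from the local transform set: (attribute, offered, local)."""
    return [(k, proposal.get(k, "<absent>"), v) for k, v in local.items() if proposal.get(k) != v]


if __name__ == "__main__":
    summary = parse_isakmp_debug(SAMPLE_DEBUG)
    print("NAT on local path:", summary.nat_local, " NAT on remote path:", summary.nat_remote,
          " floated to UDP 4500:", summary.floated_to_4500)
    for p in summary.proposals:
        print("offered:", p, "\nmismatches vs local:", mismatches(p, LOCAL_TRANSFORM))
    print("phase 2 rejected:", summary.phase2_rejected)
```

Feed it the full `debug crypto isakmp` output and replace LOCAL_TRANSFORM with the transform set bound to the crypto map on your side; whatever lands in the mismatch list is what to change on one of the two peers. If the list is empty for every offered proposal, the rejection is coming from something the transform set does not cover, such as the proxy identities (encryption domain) or PFS.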

  • Guest WLAN and DNS tunneling (IP over DNS with iodine, NSTX, etc)

    Hello,
    I'm trying to implement guest WLAN with web authentication on the WLC 2504. L3 for guests WLAN is terminated on ASA 5510 (as subinterface).
    All works pretty fine. Guest clients are prompted to enter login/password, guests are authenticated against ACS and so on.
    But I have a strange idea. How can I prevent unauthorised DNS tunneling from the guest network?
    I think that DNS tunneling can be prevented with dns-guard on the ASA and DNS inspection, e.g. drop DNS packets larger than 512 bytes and perform deep inspection against packets.
    Any ideas or advice?

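
Added example (not from the post): ASA DNS inspection with a maximum message length caps the size of each packet, but it does not look at what the query names carry, and a tunnel simply sends smaller chunks. This Python detector, run over resolver query logs, scores each query on the signals a tunnel cannot avoid: very long or high-entropy labels, bulk record types (TXT, NULL), and, per domain, a flood of never-before-seen subdomains. The query names are constructed for this illustration, the registered domain is approximated as the last two labels, and the thresholds are starting points to tune on your own guest traffic.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed guest-network query sample (hypothetical names, not from the post).
SAMPLE_QUERIES: List[Tuple[str, str]] = [
    ("www.example.com", "A"),
    ("mail.example.com", "MX"),
    ("cdn.static.example.net", "A"),
    ("a-very-long-but-legit-hostname.internal.corp.example.com", "A"),
    # Tunnel-like: long high-entropy labels carrying encoded data, bulk record types.
    ("9a8f3b2c1d0e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e.t.example.org", "NULL"),
    ("7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b.t.example.org", "NULL"),
    ("kf2jd8sl0qpz7xmv4bne1trg6wyh3ucs9aiolkf2jd8sl0qpz.t.example.org", "TXT"),
    ("0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d.t.example.org", "NULL"),
    ("zq9ty8ke7mv6wn5ub4rc3xd2ps1lo0fh9gj8ia7tz6yk5em4.t.example.org", "TXT"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload sits near the alphabet maximum, hostnames well below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str) -> Tuple[str, List[str]]:
    """(registered domain, subdomain labels). Last two labels approximate the registered
    domain; a public-suffix list gives better results for names like example.co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def analyze_query(qname: str, qtype: str) -> Dict[str, object]:
    """Score one query; two or more independent signals mark it suspicious."""
    _, sub = split_name(qname)
    subtext = "".join(sub)
    longest = max((len(l) for l in sub), default=0)
    ent = shannon_entropy(subtext)
    reasons: List[str] = []
    if len(qname) > 80:
        reasons.append("qname_len")
    if longest > 40:
        reasons.append("long_label")
    if len(subtext) >= 20 and ent > 3.8:
        reasons.append("high_entropy")
    if qtype in ("TXT", "NULL") and len(subtext) >= 20:
        reasons.append("bulk_rrtype")
    return {"qname": qname, "qtype": qtype, "entropy": round(ent, 2),
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def suspicious_domains(queries: List[Tuple[str, str]], min_unique: int = 4) -> List[str]:
    """Domains receiving many distinct subdomains: the volume signature of a tunnel, since
    every data chunk needs a name the resolver has never cached."""
    seen: Dict[str, set] = defaultdict(set)
    for qname, _ in queries:
        domain, sub = split_name(qname)
        if sub:
            seen[domain].add(".".join(sub))
    return sorted(d for d, subs in seen.items() if len(subs) >= min_unique)


def flagged_queries(queries: List[Tuple[str, str]]) -> List[str]:
    return [r["qname"] for r in (analyze_query(q, t) for q, t in queries) if r["suspicious"]]


if __name__ == "__main__":
    for q, t in SAMPLE_QUERIES:
        print(analyze_query(q, t))
    print("domains with a subdomain flood:", suspicious_domains(SAMPLE_QUERIES))
```

The per-query score catches the noisy tunnels; the per-domain count is what catches a careful one that keeps labels short and low-entropy, so run both, and on a guest network where the only legitimate destination for DNS is your own resolver, also block UDP/TCP 53 to anything else so a tunnel cannot bypass the resolver you are logging.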

  • Using SQL Express with Legacy PB

    I have inherited a legacy system written in PowerBuilder which connects to a SQL Anywhere 5.5 database via ODBC. The Sybase drivers are not 64-bit compatible so this system is throwing errors, and there are no updated drivers available. I do not currently have the budget to update the database to a current version of SQL Anywhere (which requires a per-seat license) and I'm under the gun to get the system working on a 64-bit PC.
    Advice, please! Is MS SQL Express a good option?
    Thanks in advance.

    Hello,
    Microsoft has created the following technical document for migrating from Sybase Anywhere (ASA) to SQL Server 2008:
    http://download.microsoft.com/download/7/C/2/7C20B070-BFF8-44B4-BD7D-1B03DF50F924/MigrateSybaseASAtoSQLServer2008.docx
    Microsoft offers the SSMA for Sybase tool to migrate from Sybase ASE to SQL Server too, but it is not clear to me whether it supports Sybase Anywhere (ASA). The following third-party tool seems to offer migrating ASA objects and data to SQL Server.
    http://www.ispirer.com/products/sybase-to-sql-server-migration
    However, I don’t have any suggestions for you about the PowerBuilder application.
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • ASA7.0(2) CA Trustpoint Configuration with Root and Subordinate CA

    I'm trying to replicate a configuration that was done on my Con3015 on my ASA5520. I was given 2 CA certificates, a Root and a Subordinate, and was told to load both or it will not work.
    The ASAs use trustpoint configuration. I couldn't load both under one trustpoint so I created two trustpoints.
    After loading both CA certificates using file-based enrollment, which trustpoint do I create a PKCS#10 enrollment file against?
    Also, I don't understand how both trustpoints are associated. At the end I'd have 2 trustpoints (1 Root CA and 1 Sub CA) but only 1 identity will be associated with 1 of the trustpoints.
    Is it necessary to add specific commands in the trustpoint configuration?
    Is it even necessary to have both CA certificates (Root and Sub CA) installed??

    Hello Aignacio,
    I have the same problem now. Did you find a solution? If yes, could you please send me the procedure to migrate from 3015 to ASA in terms of CA config.
    Thanks
    Dogan

  • I am trying to configure a soho firewall appliance and lost my household network

    I am trying to re-configure my local wired network. It worked fine until I installed a WatchGuard SOHO firewall appliance. I am working towards a VPN so I can have a family server for our children to share pictures of all the grandchildren without using email, plus as network storage.
    This happened: every time Firefox opened, when I tried to configure for SOHO.

    Sorry, that's not a Firefox support issue.
    Try one of the support forums over here:
    http://www.dslreports.com/forums/all?cat=6

  • When I try to download InDesign I receive a message to connect to the Internet

    The free InDesign will not install. Creative Cloud keeps saying to reconnect to the internet.

    Hi magic joe,
    You might want to refer to the KB: http://helpx.adobe.com/x-productkb/policy-pricing/activation-network-issues.html
    Please check with your Network Admin that ports 80 and 443 are open. Also, you need to have access to https://activate.adobe.com and https://lm.licenses.adobe.com. These currently resolve to 192.150.16.69 and 192.150.16.211 respectively.
    Also use the following host/port combinations when logging in to the Adobe Creative Cloud desktop app with an Adobe ID to download, install and activate the Creative Cloud membership.
    ccmdls.adobe.com:443 (2.20.221.235)
    ims-na1.adobelogin.com:443 (192.150.3.161)
    na1r.services.adobe.com:443 (192.150.3.51)
    prod-rel-ffc-ccm.oobesaas.adobe.com:443 (23.21.80.11)
    lm.licenses.adobe.com:443 (192.150.16.211)
    ccmdl.adobe.com:80 (80.239.221.9)
    swupmf.adobe.com:80 (2.20.211.235)
    swupdl.adobe.com:80 (80.239.221.58)
    Also, confirm with your Network Admin whether the network has internet security software like WatchGuard installed. If so, Adobe applications should be added to the exceptions list.

  • Ftp mode passive

    Hello all,
    I have one issue. I have to migrate some customers from ASA 5510 / 8.2(5)26 to FWSM / 4.1(9) <context>. Passive mode is not working on the FWSM.
    Config is the same on both devices: NAT, ACL, inspection, routing, everything except one command, ftp mode passive.
    Can the command ftp mode passive cause the issue? Or is this command used for passive FTP from the FW, not through the FW?

    Hi,
    That configuration should only be related to the firewall device itself and not the connections going through it.
    I would suggest first monitoring the problematic connections through the logs.
    Or possibly configuring a traffic capture on the firewall device to see if there is any return traffic.
    Other than that, you should naturally confirm that no NAT configuration or its order is causing problems, and that there is no problem with routing.
    Why are you moving to the FWSM, by the way? It's a product on its way out of the market and is replaced by the ASASM, which again supports software levels past 8.2.
    Naturally if we are talking about existing equipment then it's understandable, but otherwise an ASASM or a separate new ASA would be a better choice, for example because of the software levels supported.
    - Jouni
