Upgrading from PIX to ASA 5512X

Hi everyone,
We are in the middle of upgrading from two PIXs to some new ASA 5512Xs. To give you some background on the situation, we are upgrading these since the PIXs are fairly old. We had one extra that we had to use since one PIX has failed already. The guy that implemented the PIXs originally was learning how to do so as he went, so there is a lot of needless config in the PIX, at least from what I can tell. Another guy that works with me has done some configuration on the new ASAs and has done the majority of it so far. Today we went to install the new ASAs and switch everything over hoping it would work, but that didn't happen. It seems that there is something wrong with our NAT and ACLs somewhere along the line. The way our network is laid out is that we have two school campuses with a site-to-site VPN; one is 172.17.0.0/16 and the other is 172.18.0.0/16. We also have a remote-access VPN on both ASAs. When we connected the new ASAs and brought up the interfaces, nothing on the inside could ping the internet or the other side. The VPN showed active on the ASAs and each ASA could ping the other's outside interface, but that was it. I have posted the configs below. If anyone could help out I would GREATLY appreciate it! Thank you in advance!
ASA1:
: Saved
: Written by enable_15 at 04:26:18.240 CDT Tue Mar 12 2013
ASA Version 8.6(1)2
hostname dallasroadASA
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 70.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.18.1.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.18.2.21
name-server 172.18.2.20
object network WS_VLAN2
subnet 172.17.2.0 255.255.255.0
object network WS_VLAN3
subnet 172.17.3.0 255.255.255.0
object network WS_VLAN4
subnet 172.17.4.0 255.255.255.0
object network WS_VLAN5
subnet 172.17.5.0 255.255.255.0
object network WS_VLAN6
subnet 172.17.6.0 255.255.255.0
object network WS_VLAN7
subnet 172.17.7.0 255.255.255.0
object network WS_VLAN8
subnet 172.17.8.0 255.255.255.0
object network WS_VLAN9
subnet 172.17.9.0 255.255.255.0
object network WS_VLAN10
subnet 172.17.10.0 255.255.255.0
object network WS_VLAN11
subnet 172.17.11.0 255.255.255.0
object network WS_VLAN12
subnet 172.17.12.0 255.255.255.0
object network WS_VLAN13
subnet 172.17.13.0 255.255.255.0
object network WS_VLAN14
subnet 172.17.14.0 255.255.255.0
object network WS_VLAN15
subnet 172.17.15.0 255.255.255.0
object network WS_VLAN16
subnet 172.17.16.0 255.255.255.0
object network DR_VLAN2
subnet 172.18.2.0 255.255.255.0
object network DR_VLAN3
subnet 172.18.3.0 255.255.255.0
object network DR_VLAN4
subnet 172.18.4.0 255.255.255.0
object network DR_VLAN5
subnet 172.18.5.0 255.255.255.0
object network DR_VLAN6
subnet 172.18.6.0 255.255.255.0
object network DR_VLAN7
subnet 172.18.7.0 255.255.255.0
object network DR_VLAN8
subnet 172.18.8.0 255.255.255.0
object network DR_VLAN9
subnet 172.18.9.0 255.255.255.0
object network DR_VLAN10
subnet 172.18.10.0 255.255.255.0
object network DR_CORE_SW
host 172.18.2.1
object network dallasdns02_internal
host 172.18.2.21
object network faithdallas03_internal
host 172.18.2.20
object network dns_external
host 70.x.x.x
object network WorthStreet
subnet 172.17.0.0 255.255.0.0
object network DallasRoad
subnet 172.18.0.0 255.255.0.0
object-group network DALLAS_VLANS
network-object object DR_VLAN10
network-object object DR_VLAN2
network-object object DR_VLAN3
network-object object DR_VLAN4
network-object object DR_VLAN5
network-object object DR_VLAN6
network-object object DR_VLAN7
network-object object DR_VLAN8
network-object object DR_VLAN9
object-group network WORTH_VLANS
network-object object WS_VLAN10
network-object object WS_VLAN11
network-object object WS_VLAN12
network-object object WS_VLAN13
network-object object WS_VLAN14
network-object object WS_VLAN15
network-object object WS_VLAN16
network-object object WS_VLAN2
network-object object WS_VLAN3
network-object object WS_VLAN4
network-object object WS_VLAN5
network-object object WS_VLAN6
network-object object WS_VLAN7
network-object object WS_VLAN8
network-object object WS_VLAN9
object-group network dallasitnetwork
network-object host 172.18.2.20
network-object host 172.18.2.40
object-group protocol tcpudp
protocol-object udp
protocol-object tcp
object-group network dallasroaddns
network-object host 172.18.2.20
network-object host 172.18.2.21
object-group service tcpservices tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq ssh
object-group network remotevpnnetwork
network-object 172.18.50.0 255.255.255.0
access-list L2LAccesslist extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list NONAT extended permit ip any 172.18.50.0 255.255.255.0
access-list inside_inbound_access extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list inside_inbound_access extended permit ip object-group dallasitnetwork any
access-list inside_inbound_access extended permit object-group tcpudp object-group dallasroaddns any eq domain
access-list inside_inbound_access extended permit ip host 172.18.4.10 any
access-list inside_inbound_access extended deny object-group tcpudp any any eq domain
access-list inside_inbound_access extended deny tcp any any eq smtp
access-list inside_inbound_access extended permit ip any any
access-list outside_inbound_access extended permit tcp any host 70.x.x.x object-group tcpservices
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnaddresspool 172.18.50.0-172.18.50.255
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static dallasdns02_internal dns_external
nat (inside,outside) source static faithdallas03_internal dns_external
nat (inside,outside) source dynamic any interface
nat (any,outside) source static remotevpnnetwork remotevpnnetwork destination static remotevpnnetwork remotevpnnetwork description NONAT for remote vpn users
nat (inside,outside) source static DallasRoad DallasRoad destination static WorthStreet WorthStreet
access-group outside_inbound_access in interface outside
access-group inside_inbound_access in interface inside
route outside 0.0.0.0 0.0.0.0 70.x.x.x 1
route inside 172.18.0.0 255.255.0.0 172.18.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CISCOMAP
  map-name  VPNALLOW IETF-Radius-Class
  map-value VPNALLOW FALSE NOACESS
  map-value VPNALLOW TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.17.2.28
server-port 389
ldap-base-dn DC=campus,DC=fcschool,DC=org
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ****
ldap-login-dn CN=fcsadmin,CN=Users,DC=campus,DC=fcschool,DC=org
server-type microsoft
ldap-attribute-map CISCOMAP
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.17.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address L2LAccesslist
crypto map outside_map 10 set peer 71.x.x.x
crypto map outside_map 10 set ikev1 transform-set myset
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 172.18.0.0 255.255.0.0 inside
ssh 172.17.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1
group-policy DfltGrpPolicy attributes
dns-server value 172.18.2.20
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
password-storage enable
group-policy DallasRoad internal
group-policy DallasRoad attributes
dns-server value 172.18.2.20 172.18.2.21
password-storage enable
default-domain value campus.fcschool.org
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
banner value Now connected to the FCS Network
vpn-tunnel-protocol ikev1
username iwerkadmin password i6vIlW5ctGaR0l7n encrypted privilege 15
tunnel-group remoteaccessvpn type remote-access
tunnel-group remoteaccessvpn general-attributes
address-pool vpnaddresspool
authentication-server-group LDAP
tunnel-group 71.x.x.x type ipsec-l2l
tunnel-group 71.x.x.x ipsec-attributes
ikev1 pre-shared-key ****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fd69fbd7a2cb0a6a125308dd85302198
: end
ASA2:
: Saved
: Written by enable_15 at 09:27:47.579 UTC Tue Mar 12 2013
ASA Version 8.6(1)2
hostname worthstreetASA
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 71.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.17.1.1 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.17.2.23
name-server 172.17.2.28
object network mail_external
host 71.x.x.x
object network mail_internal
host 172.17.2.57
object network faweb_external
host 71.x.x.x
object network netclassroom_external
host 71.x.x.x
object network blackbaud_external
host 71.x.x.x
object network netclassroom_internal
host 172.17.2.41
object network nagios
host 208.x.x.x
object network DallasRoad_ASA
host 70.x.x.x
object network WS_VLAN2
subnet 172.17.2.0 255.255.255.0
object network WS_VLAN3
subnet 172.17.3.0 255.255.255.0
object network WS_VLAN4
subnet 172.17.4.0 255.255.255.0
object network WS_VLAN5
subnet 172.17.5.0 255.255.255.0
object network WS_VLAN6
subnet 172.17.6.0 255.255.255.0
object network WS_VLAN7
subnet 172.17.7.0 255.255.255.0
object network WS_VLAN8
subnet 172.17.8.0 255.255.255.0
object network WS_VLAN9
subnet 172.17.9.0 255.255.255.0
object network WS_VLAN10
subnet 172.17.10.0 255.255.255.0
object network WS_VLAN11
subnet 172.17.11.0 255.255.255.0
object network WS_VLAN12
subnet 172.17.12.0 255.255.255.0
object network WS_VLAN13
subnet 172.17.13.0 255.255.255.0
object network WS_VLAN14
subnet 172.17.14.0 255.255.255.0
object network WS_VLAN15
subnet 172.17.15.0 255.255.255.0
object network WS_VLAN16
subnet 172.17.16.0 255.255.255.0
object network DR_VLAN2
subnet 172.18.2.0 255.255.255.0
object network DR_VLAN3
subnet 172.18.3.0 255.255.255.0
object network DR_VLAN4
subnet 172.18.4.0 255.255.255.0
object network DR_VLAN5
subnet 172.18.5.0 255.255.255.0
object network DR_VLAN6
subnet 172.18.6.0 255.255.255.0
object network DR_VLAN7
subnet 172.18.7.0 255.255.255.0
object network DR_VLAN8
subnet 172.18.8.0 255.255.255.0
object network DR_VLAN9
subnet 172.18.9.0 255.255.255.0
object network DR_VLAN10
subnet 172.18.10.0 255.255.255.0
object network WS_CORE_SW
host 172.17.2.1
object network blackbaud_internal
host 172.17.2.26
object network spiceworks_internal
host 172.17.2.15
object network faweb_internal
host 172.17.2.31
object network spiceworks_external
host 71.x.x.x
object network WorthStreet
subnet 172.17.0.0 255.255.0.0
object network DallasRoad
subnet 172.18.0.0 255.255.0.0
object network remotevpnnetwork
subnet 172.17.50.0 255.255.255.0
object-group icmp-type echo_svc_group
icmp-object echo
icmp-object echo-reply
object-group service mail.fcshool.org_svc_group
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service nagios_svc_group tcp
port-object eq 12489
object-group service http_s_svc_group tcp
port-object eq www
port-object eq https
object-group network DALLAS_VLANS
network-object object DR_VLAN10
network-object object DR_VLAN2
network-object object DR_VLAN3
network-object object DR_VLAN4
network-object object DR_VLAN5
network-object object DR_VLAN6
network-object object DR_VLAN7
network-object object DR_VLAN8
network-object object DR_VLAN9
object-group network WORTH_VLANS
network-object object WS_VLAN10
network-object object WS_VLAN11
network-object object WS_VLAN12
network-object object WS_VLAN13
network-object object WS_VLAN14
network-object object WS_VLAN15
network-object object WS_VLAN16
network-object object WS_VLAN2
network-object object WS_VLAN3
network-object object WS_VLAN4
network-object object WS_VLAN5
network-object object WS_VLAN6
network-object object WS_VLAN7
network-object object WS_VLAN8
network-object object WS_VLAN9
object-group network MailServers
network-object host 172.17.2.57
network-object host 172.17.2.58
network-object host 172.17.2.17
object-group protocol DM_INLINE_PROTOCOL
protocol-object ip
protocol-object udp
protocol-object tcp
object-group network DNS_Servers
network-object host 172.17.2.23
network-object host 172.17.2.28
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit object-group mail.fcshool.org_svc_group any object mail_internal
access-list outside_access_in extended permit tcp object nagios object mail_internal object-group nagios_svc_group
access-list outside_access_in extended permit tcp any object faweb_external object-group http_s_svc_group
access-list outside_access_in extended permit tcp any object netclassroom_external object-group http_s_svc_group
access-list outside_access_in extended permit tcp any object blackbaud_external eq https
access-list outside_access_in extended permit tcp any object spiceworks_external object-group http_s_svc_group
access-list L2LAccesslist extended permit ip 172.17.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list inside_inbound extended permit object-group TCPUDP object-group DNS_Servers any eq domain
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL host 172.17.15.10 any inactive
access-list inside_access_in extended permit tcp object-group MailServers any eq smtp
access-list inside_access_in extended permit tcp host 172.17.14.10 any eq smtp
access-list inside_access_in extended deny object-group TCPUDP any any eq domain
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list vpn_access extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnaddresspool 172.17.50.1-172.17.50.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static mail_internal mail_external
nat (inside,outside) source static netclassroom_internal netclassroom_external
nat (inside,outside) source static faweb_internal faweb_external
nat (inside,outside) source static spiceworks_internal interface
nat (inside,outside) source static blackbaud_internal blackbaud_external
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static WorthStreet WorthStreet destination static DallasRoad DallasRoad
nat (any,outside) source static remotevpnnetwork remotevpnnetwork destination static remotevpnnetwork remotevpnnetwork description NONAT for remote vpn users
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
route inside 172.17.0.0 255.255.0.0 172.17.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CISCOMAP
  map-name  VPNALLOW IETF-Radius-Class
  map-value VPNALLOW FALSE NOACESS
  map-value VPNALLOW TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
network-acl vpn_access
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.17.2.28
ldap-base-dn DC=campus,DC=fcschool,DC=org
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ****
ldap-login-dn CN=VPN Admin,CN=Users,DC=campus,DC=fcschool,DC=org
server-type microsoft
ldap-attribute-map CISCOMAP
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.17.0.0 255.255.0.0 inside
http 172.18.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address L2LAccesslist
crypto map outside_map 10 set peer 70.x.x.x
crypto map outside_map 10 set ikev1 transform-set myset
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet 172.17.0.0 255.255.0.0 inside
telnet 172.18.0.0 255.255.0.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 172.17.0.0 255.255.0.0 inside
ssh 172.18.0.0 255.255.0.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
webvpn
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
banner value Now connected to the FCS Network
vpn-tunnel-protocol ikev1
username iwerkadmin password i6vIlW5ctGaR0l7n encrypted privilege 15
tunnel-group 70.x.x.x type ipsec-l2l
tunnel-group 70.x.x.x ipsec-attributes
ikev1 pre-shared-key ****
tunnel-group remoteaccessvpn type remote-access
tunnel-group remoteaccessvpn general-attributes
address-pool vpnaddresspool
authentication-server-group LDAP
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b599ba0f719f39b213e7f01fe55588ac
: end

Hi Derrick,
I just did the same for a customer: replaced a failover cluster of two PIX 515s with 5512Xs. The NAT change is major with ASA versions 8.3 and later...
Here's what you need: a manual NAT rule, called twice NAT (policy NAT or NONAT in the old terminology), for the VPNs to work. Also add the no-proxy-arp keyword:
nat (inside,outside) source static INSIDE_NETWORKS INSIDE_NETWORKS destination static VPN_NETWORKS VPN_NETWORKS no-proxy-arp
nat (inside,outside) source static INSIDE_NETWORKS INSIDE_NETWORKS destination static RA_VPN_NETWORKS RA_VPN_NETWORKS no-proxy-arp
Then the dynamic PAT for internet access (after the twice NATs for VPN); it could be a manual NAT like you did, or, preferably, an object NAT.
You did:
nat (inside,outside) source dynamic any interface
It would also work with object NAT:
object network INSIDE_NETWORKS
subnet ...
nat (inside,outside) dynamic interface
Same on the other side (except the networks are reversed, since the inside network is now what the other side refers to as the VPN network and vice versa).
If you don't put the no-proxy-arp, your NAT configuration will cause network issues.
Also, to be able to pass pings through the ASA, add the following:
policy-map global_policy
class inspection_default
  inspect icmp
The ASA will do some basic inspection of the ICMP protocol with that config, e.g. it will make sure there is one echo-reply for each echo-request...
Hope that helps,
Patrick
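The first-match behaviour behind Patrick's ordering advice, as an added example that is not part of the thread: a small Python model of ASA 8.3+ manual NAT (section 1) evaluated over the rules transcribed from the posted dallasroadASA config, once in the posted order and once with the identity (twice NAT) rules moved ahead of the dynamic PAT. Object names are the config's own; 70.0.2.1 is a constructed stand-in for the masked 70.x.x.x, and the remote-access identity rule in the fixed list follows Patrick's inside-to-RA-pool shape rather than the pool-to-pool rule as posted.

```python
"""Model of ASA 8.3+ manual NAT (section 1): rules are evaluated top-down,
first match wins, and a matched dynamic PAT rewrites the source before the
crypto map ACL is consulted. Added example, not from the thread."""
import ipaddress

OUTSIDE_IF = ipaddress.ip_address("70.0.2.1")   # constructed stand-in for 70.x.x.x

# Network objects transcribed from the posted ASA1 config; dns_external is the
# masked public address, replaced by the same constructed stand-in.
OBJECTS = {
    "any": "0.0.0.0/0",
    "DallasRoad": "172.18.0.0/16",
    "WorthStreet": "172.17.0.0/16",
    "remotevpnnetwork": "172.18.50.0/24",
    "dallasdns02_internal": "172.18.2.21/32",
    "faithdallas03_internal": "172.18.2.20/32",
    "dns_external": "70.0.2.1/32",
}

# Each rule is (real source, mapped source, real destination). A mapped source
# of "interface" means dynamic PAT to the outside interface address.
# This is the order in the posted running-config.
POSTED_ORDER = [
    ("dallasdns02_internal", "dns_external", "any"),
    ("faithdallas03_internal", "dns_external", "any"),
    ("any", "interface", "any"),                                   # dynamic PAT
    ("remotevpnnetwork", "remotevpnnetwork", "remotevpnnetwork"),  # RA NONAT as posted
    ("DallasRoad", "DallasRoad", "WorthStreet"),                   # L2L NONAT
]

# Patrick's shape: identity (twice NAT) rules first, dynamic PAT last. The RA
# rule now exempts inside -> VPN pool. The no-proxy-arp keyword he recommends
# does not affect rule matching, so it is not modelled here.
FIXED_ORDER = [
    ("DallasRoad", "DallasRoad", "WorthStreet"),
    ("DallasRoad", "DallasRoad", "remotevpnnetwork"),
    ("dallasdns02_internal", "dns_external", "any"),
    ("faithdallas03_internal", "dns_external", "any"),
    ("any", "interface", "any"),
]

# L2LAccesslist from the posted config: permit ip 172.18.0.0/16 172.17.0.0/16
CRYPTO_ACL = (ipaddress.ip_network("172.18.0.0/16"),
              ipaddress.ip_network("172.17.0.0/16"))


def _net(name):
    return ipaddress.ip_network(OBJECTS[name])


def translate(rules, src, dst):
    """Return (mapped_src, rule_index) for the first rule whose real source and
    real destination both contain the packet, or (src, None) if none match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (real_src, mapped_src, real_dst) in enumerate(rules):
        if src not in _net(real_src) or dst not in _net(real_dst):
            continue
        if mapped_src == "interface":
            return OUTSIDE_IF, idx                    # dynamic PAT
        if mapped_src == real_src:
            return src, idx                           # identity NAT (NONAT)
        real_net, mapped_net = _net(real_src), _net(mapped_src)
        offset = int(src) - int(real_net.network_address)
        return mapped_net.network_address + offset, idx   # static, same-size nets
    return src, None


def enters_tunnel(rules, src, dst):
    """True if the post-NAT packet still matches the crypto map ACL, i.e. it
    would be encrypted towards the peer instead of leaving in the clear."""
    mapped_src, _ = translate(rules, src, dst)
    return mapped_src in CRYPTO_ACL[0] and ipaddress.ip_address(dst) in CRYPTO_ACL[1]


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_ORDER), ("fixed", FIXED_ORDER)):
        for dst in ("172.17.2.41", "172.18.50.5", "198.51.100.7"):
            mapped, idx = translate(rules, "172.18.2.10", dst)
            print(f"{label:6} 172.18.2.10 -> {dst:13} rule #{idx} src becomes {mapped}"
                  f"  tunnel={enters_tunnel(rules, '172.18.2.10', dst)}")
```

In the posted order every inside host hits the `any` PAT rule first, so traffic for the other campus and for remote-access clients leaves with the public address and never matches L2LAccesslist; with the identity rules moved up, only internet-bound traffic is translated.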

Similar Messages

  • Testing a Firewall upgrade from PIX 7.0.2 to ASA 8.4.5

    I have upgraded from PIX 7.0.2 to ASA 8.4.5, and had some issues regarding the NAMES list; I set up NETWORK-OBJECTS to get the HOSTS in the access-list added to the ASA.
    The PIX script contained no NAT, only access-lists, and when the script was copied onto the ASA it was accepted successfully.
    I was wondering what methods are available to test the script I have compiled on the ASA, prior to switching from the PIX onto the ASA? What processes are normal to confirm the firewall is operational and the rulesets are working? Any ideas / tools / commands would be welcome.

    There are changes in the NAT syntax & object grouping, and also in VPN configurations.....
    You need to make sure that certain things are taken care of in the new ASA, which runs version 8.4.
    I have attached a reference for the NAT changes pre and post 8.3, which might be helpful for you.
    Using the packet-tracer command you can check that the NAT rules are working and the ACL is working fine.
    packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/p.html#wp1878788
    Hope this helps....
    Regards
    Karthik

  • Link to configuration convertor tool from PIX to ASA

    Hi,
    I have been looking unsuccessfully for the Cisco tool that takes the PIX config and converts it to ASA (PIX 5125 to ASA 5520). I was wondering if I need that and, if yes, where I can find that tool on the Cisco site please?
    Regards,
    Masood

    Hello again,
    This configuration has really confused me since it has the standby keyword under the inside interface!? I do not want to change any configs under the inside interface of my current PIX configuration.
    Would you please be able to tell me what I need to type on the ASAs to configure them for this cable-based failover?
    Here is what the link you suggested has listed, which is confusing since it has the standby keyword under the inside interface:
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
    no shut
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
    no shut
    interface Ethernet0/2
    nameif dmz
    security-level 50
    ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
    no shut
    and the STANDBY:
    failover
    failover lan unit secondary
    failover lan interface failover Ethernet0/3
    failover key *****
    failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2
    Now, I already have the configs from the PIX 525 which I am going to paste directly onto the ASA, which has been downgraded to 8.2.3.
    So how does it work with the failover configuration?
    Can you please advise on how I go about the following:
    1- configure failover before I paste the PIX config onto the ASA?
    2- paste the config for the PIX 525 onto the ASA, which I have already downgraded to version 8.2.3.
    Please advise.
    Regards,
    Masood

  • Upgrade from FWSM to ASA 5555Xs

    Hello,
    We would like to decommission our FWSMs and upgrade to the ASA 5555Xs. This leads me to ask the following: what would be the most efficient way of doing this without any interruption to production? Has anyone successfully accomplished this? If you have, please share your experiences and the caveats involved in this project.
    Thanks!

    There will be some downtime.
    1. You can configure the 5555s ahead of time off line as a failover pair with the same config as in the FWSM pair.
    2. On the day of cutover, power down the FWSMs and plug the ASAs into the network.
    3. If the config is the same and the same IP addresses are used on the ASAs, then clear the ARP cache on all adjacent L3 devices.
    4. Test connectivity.
    There will be slight downtime which cannot be avoided. This cannot be hitless when you are switching platforms.
    -Kureli
    Check out my breakout session at Cisco Live 2013, Orlando, Florida.
    BRKSEC-2024 Deploying Next-Generation Firewall Services on the ASA 
    Room 314A Tuesday, June 25 3:00 PM - 4:30 PM

  • ASA 5520 Upgrade From 8.2 to 9.1

    To All Pro's Out There,
    I have 2 x ASA 5520 in Active/Standby state (routed, single context) running the 8.2(3) image. They are working great and everybody is happy. Now it's time for us to upgrade to the latest and greatest version, 9.1, and as you know there are some architectural changes Cisco made to NAT statements and access lists. As one can tell, we have a monster environment in terms of the NAT statements and access lists that are currently configured on the appliances.
    In order to make the upgrade process "less" painful, I was able to find a loaner ASA 5520 device so I can practice the upgrade process offline and, if needed, use it in production (in conjunction with the existing primary and secondary devices) should it be helpful. I currently don't have any plans on how to move forward with these 3 devices and put together a smooth upgrade. I am asking advice from experts that perhaps have done this in the past and know some do's and don'ts and can provide me some options toward getting the best result: minimum downtime and a smooth upgrade.
    I appreciate all the help in advance.

    Hi,
    My personal approach from the start has been to learn the new NAT configuration format on the ASA CLI and manually convert the configurations for the new ASA software. I am under the impression that the automatic conversion that the ASA does by rebooting straight into a new software level causes quite a lot of configurations and they arent really optimal.
    In your case it seems that you have a pretty much better situation than most people that dont have the chance to use a test device to test out the setup before actually putting it in production.
    What you can basically do is
    Insert the 8.2 configuration to the test ASA and boot it straight to the higher software levels and see what the conversion has done to the ASA configurations.
    You can use "packet-tracer" command to test if correct NAT rules are still hit after the conversion
    So far I have been lucky in the sense that most of the upgrades I have done have involved new hardware which has basically let me configure everything ready and just switch devices for the customer. So far everything has went really well and there has been only a 1-2 mistakes in NAT configurations because of misstyping some IP address or interface name which basically resulted from a lot of copy/paste when building the configurations. And these couple of mistakes have been from around 150 firewall migrations (of which most from FWSM Security Context to a ASA Security Context)
    If you have time to put into this then I would suggest you try to learn the new NAT format and write your NAT configurations yourself. Converting the existing configurations should essentially give you the tools to then maintain that firewall configuration easily in the future and apply that knowledge elsewhere.
    If you want to read a bit about the new NAT configuration format then I would suggest having a look at the NAT 8.3+ document I made:
    https://supportforums.cisco.com/docs/DOC-31116
    My personal approach when starting to convert NAT configurations for the upgrade is
    Collect all NAT configurations from the current ASA including any ACLs associated with the Policy type NATs and NAT0 configurations
    Divide NAT configurations based on type   
    Dynamic NAT/PAT
    Static NAT
    Static PAT
    NAT0
    All Policy Dynamic/Static NAT/PAT
    Learn the basic configuration format for each type of NAT configuration
    Start by converting the easiest NAT configurations   
    Dynamic NAT/PAT
    Static NAT/PAT
    Next convert the NAT0 configurations
    And finally go through the Policy NAT/PAT configurations
    Finally go through the interface ACLs and change them to use the real IP address as the destination in all cases since the NAT IP address is not used anymore. In most common screnarios this basically usually only involves modifying the "outside" interfaces ACL but depending if the customer has some other links to external resourses then its highly likely that same type of ACL changes are required on those interfaces also.
    The most important thing is to understand how the NAT is currently working and then configure the new NAT configuration to match that. Again, the "packet-tracer" command is a great tool to confirm that everything is working as expected.
    One very important thing to notice also is that you might have a very large number of Identity NAT configurations between the local network interfaces of the ASA.
    For example:
    static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
    In the new software you can pretty much leave all of these out. If you don't need to perform NAT between your local interfaces then you simply leave out all NAT configurations.
    Naturally you can also use these forums to ask for help with NAT configuration conversions. Even though it's a very common topic, I don't personally mind helping out with those.
    So to summarize:
    - Try out the ASA's automatic configuration conversion by simply booting to the new software level on the test ASA you have
    - Learn the new NAT configuration format
    - Ask for help here on CSC about NAT configuration formats and help with converting old to new configurations.
    Personally, if I was looking at the same kind of upgrade (which I will probably be looking at again soon) I would personally do the following:
    - Convert the configurations manually
    - Lab/test the configurations on a test ASA
    - During a failover pair's upgrade I would remove the Standby device from the network, erase its configuration, reboot it to the new software, and insert the manually written configuration.
    - Put the upgraded ASA in the device rack and have cables ready connected to the customer devices if possible (or use existing ones)
    - Disconnect the currently active ASA running 8.2 and connect the new ASA to the network while clearing ARP on the connected routers to avoid any problems with traffic forwarding.
    - Test connectivity and monitor the ASA's connection and xlate tables to confirm everything is working
    Will add more later if anything comes to mind as it's getting quite late here
    Hope this helps
    - Jouni
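As an added example (not Jouni's code or Cisco's), the following Python script applies the steps above to the easy NAT types, drops identity statics between local interfaces, and lists NAT0 and policy NAT entries for manual conversion; the interface names and addresses in its sample input are constructed.

```python
"""Convert pre-8.3 ASA NAT statements to the 8.3+ object NAT syntax.

Added example for this thread, not code from the poster or from Cisco. It
covers the easy types in Jouni's list (dynamic NAT/PAT via nat/global,
static NAT, static PAT), drops identity statics between local interfaces
as he suggests, and reports NAT0 / policy NAT for manual conversion.
All interface names and addresses in SAMPLE_82 are constructed.
"""

HOST_MASK = "255.255.255.255"

# Constructed 8.2-style input.
SAMPLE_82 = """
nat (inside) 1 172.18.0.0 255.255.0.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) tcp interface 80 10.1.1.20 8080 netmask 255.255.255.255
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""


def obj_name(ip, mask, suffix=""):
    base = f"obj-{ip}" if mask == HOST_MASK else f"obj-{ip}-{mask}"
    return base + suffix


def object_block(ip, mask, nat_line, suffix=""):
    """One 'object network' block carrying its own nat statement (object NAT)."""
    body = f" host {ip}" if mask == HOST_MASK else f" subnet {ip} {mask}"
    return [f"object network {obj_name(ip, mask, suffix)}", body, f" {nat_line}"]


def convert(config_text):
    """Return (new_config_lines, notes); notes list what still needs a human."""
    out, notes = [], []
    nat_pool = {}    # nat id -> [(real_ifc, real_ip, real_mask)]
    global_map = {}  # nat id -> (mapped_ifc, 'interface' | mapped_ip)
    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "nat":
            real_ifc, nat_id = tok[1].strip("()"), tok[2]
            if nat_id == "0" or "access-list" in tok:
                notes.append(f"NAT0/policy NAT, convert by hand: {raw}")
                continue
            nat_pool.setdefault(nat_id, []).append((real_ifc, tok[3], tok[4]))
        elif tok[0] == "global":
            mapped_ifc, nat_id, mapped = tok[1].strip("()"), tok[2], tok[3]
            if nat_id in global_map or "-" in mapped:
                # address pools and second globals for one id need their own objects
                notes.append(f"pool/multi-interface global, convert by hand: {raw}")
                continue
            global_map[nat_id] = (mapped_ifc, mapped)
        elif tok[0] == "static":
            real_ifc, mapped_ifc = tok[1].strip("()").split(",")
            if "access-list" in tok:
                notes.append(f"policy static, convert by hand: {raw}")
            elif tok[2] in ("tcp", "udp"):
                # static (r,m) PROTO MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask ...
                proto, mapped_ip, mapped_port, real_ip, real_port = tok[2:7]
                nat = (f"nat ({real_ifc},{mapped_ifc}) static {mapped_ip} "
                       f"service {proto} {real_port} {mapped_port}")
                out += object_block(real_ip, HOST_MASK, nat, f"-{proto}-{real_port}")
            else:
                mapped_ip, real_ip = tok[2], tok[3]
                mask = tok[tok.index("netmask") + 1]
                if mapped_ip == real_ip:
                    notes.append(f"identity NAT dropped, not needed in 8.3+: {raw}")
                    continue
                target = mapped_ip
                if mask != HOST_MASK:
                    # net-to-net static: the mapped side needs an object too
                    target = obj_name(mapped_ip, mask)
                    out += [f"object network {target}", f" subnet {mapped_ip} {mask}"]
                out += object_block(real_ip, mask,
                                    f"nat ({real_ifc},{mapped_ifc}) static {target}")
    for nat_id, entries in nat_pool.items():
        if nat_id not in global_map:
            notes.append(f"nat id {nat_id} has no usable global statement")
            continue
        mapped_ifc, mapped = global_map[nat_id]
        for real_ifc, ip, mask in entries:
            out += object_block(ip, mask,
                                f"nat ({real_ifc},{mapped_ifc}) dynamic {mapped}")
    return out, notes


if __name__ == "__main__":
    lines, todo = convert(SAMPLE_82)
    print("\n".join(lines))
    print("\n".join("! " + n for n in todo))
```

Run packet-tracer against the result on a lab unit before trusting it, as the answer above recommends.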

  • After upgrading from ASA 8.2 to 9.1(2) not able to get web site

    Dears,
    The ASA version has been upgraded from 8.2 to 9.1(2). Since then, the website is not accessible from outside.
    Diagnosis:
    Many web sites are deployed behind the ASA. When anyone accesses website from outside, the following error is reported: The page cannot be displayed. No issues have been reported with any other websites.
    In the ASA, two different public subnets are in use in order to allow accessing the website from the public domain. No issues have been reported so far with the first subnet. The website is mapped to a public address in the second subnet. When the website is mapped to an IP address in the working subnet, the website is accessible from outside. As a workaround, this is applied and the website is up and running.
    As the website is working fine with the second subnet, NAT and ACL configuration is fine. We have turned on logging in the ASDM, but no traffic was observed on the ASA for the non-working subnet. On the other hand, the traffic was noticed on the ASDM for the working subnet.
    The working subnet is XX.YY.XX.X
    Non working subnet is XX.YY.YY.X
    The outside interface ip is XX.YY.XX.X (Working Subnet)
    Tried to assign one IP address from the non-working subnet to a PC and connected it to the switch; it's pinging from outside.

    Hi
    Have you tried using packet tracer?

  • ASA Firewall Upgrade from 8.2, 8.4 to 9.0

    Dear All,
    We have five firewalls with the following details:
    First Firewall
    Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.4(3), Device Manager Version 6.4(7)
    My question: can I upgrade ASA IOS 8.4(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.4(7) to 7.0 without upgrading the ASA IOS itself?
    Second Firewall
    Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.2(3), Device Manager Version 6.2(3)
    My question: can I upgrade ASA IOS 8.2(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.2(3) to 7.0 without upgrading the ASA IOS itself?
    Third Firewall
    Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.4(3), Device Manager Version 6.4(7)
    My question: can I upgrade ASA IOS 8.4(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.4(7) to 7.0 without upgrading the ASA IOS itself?
    Fourth Firewall
    Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.4(3), Device Manager Version 6.4(7)
    My question: can I upgrade ASA IOS 8.4(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.4(7) to 7.0 without upgrading the ASA IOS itself?
    Fifth Firewall
    Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 2000 MHz, Flash 256MB, BIOS Flash 1024KB, ASA IOS 8.2(3), Device Manager Version 6.2(3)
    My question: can I upgrade ASA IOS 8.2(3) to 9.0 directly without any issues? Also, can I upgrade Device Manager 6.2(3) to 7.0 without upgrading the ASA IOS itself?
    Please help; I am doing the upgrade remotely using the ASDM and I don't want to do any upgrade that could result in a loss of connectivity.
    Best regards

    Hi Basel,
    Honestly, I wouldn't suggest a direct upgrade from 8.2 to 9.0. This is a *major* upgrade. The recommended path to reach 9.0 would be from 8.2-->8.4-->9.0
    Here are the release notes for 9.0:
    http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp690047
    Per the above document:
    "If you are upgrading from a pre-8.3 release, see also the Cisco ASA 5500 Migration Guide to Version 8.3 and Later for important information about migrating your configuration."
    Once you are on 8.3/8.4 (I would suggest 8.4, as a lot of issues were fixed post 8.3, which was a huge transition from 8.2), the upgrade to 9.0 is fairly simple.
    The major part is the upgrade from 8.2 to 8.4, as the configuration changes and a few things can be broken as a result. I would highly recommend that you check these docs before attempting an upgrade, and also do it within a maintenance window so you can correct things in case they break:
    The following doc talks about 8.3 but it is applicable to a direct upgrade to 8.4 as well:
    https://supportforums.cisco.com/docs/DOC-12690
    Release notes for 8.4:
    http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html
    Sourav

  • ASA 5520 upgrade from 8.4.6 to 9.1.2

    Dear All,
    I have an ASA 5520 in an Active/Standby failover configuration. I want to know if I can upgrade it from 8.4.6 to 9.1.2 using the zero-downtime upgrade process mentioned on the Cisco site.
    Below is the process:
    Upgrade an Active/Standby Failover Configuration
    Complete these steps in order to upgrade two units in an Active/Standby failover configuration:
    - Download the new software to both units, and specify the new image to load with the boot system command. Refer to Upgrade a Software Image and ASDM Image using CLI for more information.
    - Reload the standby unit to boot the new image by entering the failover reload-standby command on the active unit as shown below:
      active#failover reload-standby
    - When the standby unit has finished reloading and is in the Standby Ready state, force the active unit to fail over to the standby unit by entering the no failover active command on the active unit.
      active#no failover active
      Note: Use the show failover command in order to verify that the standby unit is in the Standby Ready state.
    - Reload the former active unit (now the new standby unit) by entering the reload command:
      newstandby#reload
    - When the new standby unit has finished reloading and is in the Standby Ready state, return the original active unit to active status by entering the failover active command:
      newstandby#failover active
    This completes the process of upgrading an Active/Standby Failover pair.
    Also, after the upgrade are there any changes required after the IOS migration (i.e. are there any changes in the command line between 8.4.6 and 9.1.2)?
    It is mentioned on the Cisco site that:
    Major Release: You can upgrade from the last minor release of the previous version to the next major release. For example, you can upgrade from 7.9 to 8.0, assuming that 7.9 is the last minor version in the 7.x release.

    Hi Tushar,
    The steps you mentioned are perfectly fine. There is no major difference in the commands of the two versions; it's just that in access rules from 9.1 you have to use any4 instead of any for IPv4 and any6 for IPv6. During conversion it will get converted automatically.
    Also, please refer to the following document (release notes of 9.1.2) for viewing the new features added in that version:
    http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp685480
    - Prateek Verma

  • Cisco ASA Upgrade from 7.0(8) to 8.2(1)

    Hi, I need to upgrade my ASA 5510 from 7.0(8) to 8.2(1) (please note it's a different query from my last thread).
    What I found online is that I will have to do this upgrade in sequence, that is:
    7.0.x -> 7.2.x -> 8.0.x -> 8.2.1
    Is that correct?
    Or will I go to 7.1.x first? Like this:
    7.0.x -> 7.1.x -> 7.2.x -> 8.0.x -> 8.1.x -> 8.2.1
    Please guide. Also, I am assuming a reboot is required after every upgrade, right?

    OK, I found something in another Cisco document; that is what I thought:
    "To ensure that your configuration updates correctly, you must upgrade to each major release in turn. Therefore, to upgrade from Version 7.0 to Version 8.2, first upgrade from 7.0 to 7.1, then from 7.1 to 7.2, and finally from Version 7.2 to Version 8.2 (8.1 was only available on the ASA 5580)."

  • Upgrading from SSM-10 to ASA 5525x

    We are upgrading from an ASA 5510 with a SSM-10 module to the 5525x ips.  Can we simply copy the config from the SSM-10 to the 5525x?

    Please refer to the below document for the details regarding the catalog conversions.
    http://helpx.adobe.com/photoshop-elements/kb/common-catalog-issues-upgrade-elements.html

  • PIX 515 issue after trying to upgrade from 601 to 622

    Hello,
    I am having the following problem on my Cisco PIX 515:
    I had been running:
    Cisco Secure PIX Firewall Version 6.0(1)
    PIX Device Manager Version 1.0(1)
    Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
    Flash i28F640J5 @ 0x300, 16MB
    BIOS Flash AT29C257 @ 0xfffd8000, 32KB
    I upgraded the PIX to pix622.bin. That seemed to work, but the PIX did not boot after reload.
    So I reverted it to pix601.bin.
    That seemed to work, and my configuration file was still in place and all my services worked as before.
    However, upon reload I get the following error:
    Reading 2445824 bytes of image from flash.
    32MB RAM
    imgsum_config: sumval(0x1f8e) md5(0x95937073 0x75b817db 0x54d7811a 0xba7d0214)
    imgsum_verify: chksum(0x   0) md5(0xf9d77cec 0xfca32e88 0xb13f21e9 0xfa81733b)
    Panic: kernel - The checksum verification for this image failed.
    Thoughts?  Help?

    You get this error using the console, right?
    Mike

  • ASA 5585 IOS upgrade from 8.2(5) to 9.0(2)

    Hi,
    I am getting the below warning messages when I am doing the IOS upgrade of the ASA5585. The current version of IOS is 8.2(5) and the converted version is 9.0(2). I would like to know whether I can ignore the warnings and move on with the new version, or need to do any manual changes in the configuration.
    This is my internet firewall, which has a DMZ as well.
    WARNING: MIGRATION: ACE converted to real IP/port values based on
    dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing policy NAT ACL
    Thanks
    Soumya

    Hi,
    Sorry, I forgot to mention that we have upgraded from 8.2 -> 8.4.6 -> 9.0.2.
    We have multiple warning messages like the one below. A huge number of inbound access rules have been created in the new version and we are worried whether this will create a security loophole.
    WARNING: MIGRATION: ACE converted to real IP/port values based on
    dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing policy NAT ACL
    216.163.252.25
    8.2(5)
    access-list outside extended permit udp host 216.163.252.25 host 203.99.194.163
    access-list outside extended permit esp host 216.163.252.25 host 203.99.194.163
    access-list Metlife-VPN extended permit ip 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.237.164.0 255.255.254.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.229.32.0 255.255.255.192 host 216.163.252.25
    access-list Metlife-VPN extended permit esp 10.229.32.0 255.255.255.192 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit esp 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit esp 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.237.241.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.230.107.128 255.255.255.224 host 216.163.252.25
    access-list inside1 extended permit udp 10.237.164.0 255.255.254.0 host 216.163.252.25
    access-list inside1 extended permit ip 10.229.32.0 255.255.255.192 host 216.163.252.25
    access-list inside1 extended permit ip 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit esp 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit ip 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit esp 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit ip host 10.239.23.177 host 216.163.252.25
    access-list outside extended permit ip any host 203.99.194.163
    9.0(2)
    object network obj-216.163.252.25
    host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.237.164.0 255.255.254.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.229.32.0 255.255.255.192 host 216.163.252.25
    access-list Metlife-VPN extended permit esp 10.229.32.0 255.255.255.192 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit esp 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit esp 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.237.241.0 255.255.255.0 host 216.163.252.25
    access-list Metlife-VPN extended permit ip 10.230.107.128 255.255.255.224 host 216.163.252.25
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.56
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.72
    access-list outside extended permit udp host 216.163.252.25 10.239.24.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.15
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.94
    access-list outside extended permit udp host 216.163.252.25 host 10.239.24.138
    access-list outside extended permit udp host 216.163.252.25 10.239.23.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.101
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.208
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.20
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.78
    access-list outside extended permit udp host 216.163.252.25 10.239.48.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.73
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.204
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.178
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.187
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.28
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.144
    access-list outside extended permit udp host 216.163.252.25 host 10.239.48.105
    access-list outside extended permit udp host 216.163.252.25 10.237.23.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.237.23.179
    access-list outside extended permit udp host 216.163.252.25 10.237.164.0 255.255.254.0
    access-list outside extended permit udp host 216.163.252.25 10.239.50.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.46
    access-list outside extended permit udp host 216.163.252.25 host 10.237.165.120
    access-list outside extended permit udp host 216.163.252.25 10.239.50.0 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.11
    access-list outside extended permit udp host 216.163.252.25 host 10.239.48.142
    access-list outside extended permit udp host 216.163.252.25 host 10.239.48.12
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.45
    access-list outside extended permit udp host 216.163.252.25 host 10.237.173.12
    access-list outside extended permit udp host 216.163.252.25 host 10.237.164.72
    access-list outside extended permit udp host 216.163.252.25 host 10.237.173.13
    access-list outside extended permit udp host 216.163.252.25 host 10.239.20.145
    access-list outside extended permit udp host 216.163.252.25 host 10.239.41.23
    access-list outside extended permit udp host 216.163.252.25 host 10.242.8.128
    access-list outside extended permit udp host 216.163.252.25 host 10.242.8.146
    access-list outside extended permit udp host 216.163.252.25 host 10.242.8.137
    access-list outside extended permit udp host 216.163.252.25 host 10.242.8.144
    access-list outside extended permit udp host 216.163.252.25 10.230.144.64 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.229.32.0 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.242.50.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.242.8.153
    access-list outside extended permit udp host 216.163.252.25 host 10.242.50.68
    access-list outside extended permit udp host 216.163.252.25 host 10.232.8.176
    access-list outside extended permit udp host 216.163.252.25 10.242.0.128 255.255.255.128
    access-list outside extended permit udp host 216.163.252.25 host 10.230.107.198
    access-list outside extended permit udp host 216.163.252.25 host 10.230.107.199
    access-list outside extended permit udp host 216.163.252.25 host 10.230.107.201
    access-list outside extended permit udp host 216.163.252.25 10.230.107.192 255.255.255.224
    access-list outside extended permit udp host 216.163.252.25 host 10.230.107.202
    access-list outside extended permit udp host 216.163.252.25 10.237.226.0 255.255.255.224
    access-list outside extended permit udp host 216.163.252.25 10.242.146.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.230.107.197
    access-list outside extended permit udp host 216.163.252.25 host 10.229.59.109
    access-list outside extended permit udp host 216.163.252.25 10.242.97.128 255.255.255.128
    access-list outside extended permit udp host 216.163.252.25 10.242.36.64 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.237.241.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 host 10.237.241.14
    access-list outside extended permit udp host 216.163.252.25 host 10.237.241.68
    access-list outside extended permit udp host 216.163.252.25 host 10.237.241.94
    access-list outside extended permit udp host 216.163.252.25 host 10.237.173.15
    access-list outside extended permit udp host 216.163.252.25 10.242.212.0 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.242.51.128 255.255.255.128
    access-list outside extended permit udp host 216.163.252.25 10.242.210.192 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 host 10.242.146.18
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.168
    access-list outside extended permit udp host 216.163.252.25 host 10.239.48.31
    access-list outside extended permit udp host 216.163.252.25 host 10.242.195.204
    access-list outside extended permit udp host 216.163.252.25 10.242.195.192 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.230.241.0 255.255.255.0
    access-list outside extended permit udp host 216.163.252.25 10.230.103.128 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 host 10.230.107.144
    access-list outside extended permit udp host 216.163.252.25 10.230.107.128 255.255.255.224
    access-list outside extended permit udp host 216.163.252.25 10.211.202.224 255.255.255.240
    access-list outside extended permit udp host 216.163.252.25 host 10.211.211.221
    access-list outside extended permit udp host 216.163.252.25 host 10.229.34.43
    access-list outside extended permit udp host 216.163.252.25 host 10.229.34.49
    access-list outside extended permit udp host 216.163.252.25 host 10.232.38.160
    access-list outside extended permit udp host 216.163.252.25 host 10.232.130.93
    access-list outside extended permit udp host 216.163.252.25 host 10.233.38.151
    access-list outside extended permit udp host 216.163.252.25 host 10.236.147.50
    access-list outside extended permit udp host 216.163.252.25 host 10.236.147.71
    access-list outside extended permit udp host 216.163.252.25 host 10.236.147.83
    access-list outside extended permit udp host 216.163.252.25 host 10.236.180.4
    access-list outside extended permit udp host 216.163.252.25 host 10.237.9.83
    access-list outside extended permit udp host 216.163.252.25 host 10.237.9.93
    access-list outside extended permit udp host 216.163.252.25 host 10.237.77.39
    access-list outside extended permit udp host 216.163.252.25 host 10.237.77.74
    access-list outside extended permit udp host 216.163.252.25 host 10.237.77.76
    access-list outside extended permit udp host 216.163.252.25 host 10.237.173.8
    access-list outside extended permit udp host 216.163.252.25 host 10.237.241.24
    access-list outside extended permit udp host 216.163.252.25 host 10.237.241.183
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.13
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.71
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.108
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.109
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.120
    access-list outside extended permit udp host 216.163.252.25 host 10.239.23.170
    access-list outside extended permit udp host 216.163.252.25 host 10.239.24.26
    access-list outside extended permit udp host 216.163.252.25 host 10.239.24.158
    access-list outside extended permit udp host 216.163.252.25 host 10.239.24.222
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.20
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.34
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.41
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.42
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.52
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.60
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.64
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.73
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.81
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.82
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.90
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.114
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.141
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.151
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.155
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.205
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.224
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.233
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.238
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.239
    access-list outside extended permit udp host 216.163.252.25 host 10.239.30.251
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.26
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.52
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.57
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.72
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.90
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.93
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.107
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.161
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.171
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.184
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.185
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.196
    access-list outside extended permit udp host 216.163.252.25 host 10.239.31.208
    access-list outside extended permit udp host 216.163.252.25 host 10.239.38.17
    access-list outside extended permit udp host 216.163.252.25 host 10.239.41.34
    access-list outside extended permit udp host 216.163.252.25 host 10.239.41.68
    access-list outside extended permit udp host 216.163.252.25 host 10.239.41.72
    access-list outside extended permit udp host 216.163.252.25 host 10.239.41.78
    access-list outside extended permit udp host 216.163.252.25 host 10.239.48.143
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.10
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.15
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.31
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.35
    access-list outside extended permit udp host 216.163.252.25 host 10.239.50.52
    access-list outside extended permit udp host 216.163.252.25 host 10.239.60.100
    access-list outside extended permit udp host 216.163.252.25 host 10.239.67.18
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.17
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.23
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.34
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.42
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.53
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.75
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.76
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.77
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.114
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.117
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.118
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.120
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.136
    access-list outside extended permit udp host 216.163.252.25 host 10.239.96.143
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.15
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.17
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.35
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.48
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.90
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.116
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.140
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.168
    access-list outside extended permit udp host 216.163.252.25 host 10.239.98.183
    access-list outside extended permit udp host 216.163.252.25 host 10.242.8.26
    access-list outside extended permit udp host 216.163.252.25 host 10.242.8.53
    access-list outside extended permit udp host 216.163.252.25 host 10.242.11.29
    access-list outside extended permit udp host 216.163.252.25 host 10.242.11.31
    access-list outside extended permit udp host 216.163.252.25 host 10.242.11.80
    access-list outside extended permit udp host 216.163.252.25 host 10.242.11.81
    access-list outside extended permit udp host 216.163.252.25 host 10.242.22.133
    access-list outside extended permit udp host 216.163.252.25 host 10.242.22.134
    access-list outside extended permit udp host 216.163.252.25 host 10.242.22.154
    access-list outside extended permit udp host 216.163.252.25 host 10.242.36.76
    access-list outside extended permit udp host 216.163.252.25 host 10.242.36.79
    access-list outside extended permit udp host 216.163.252.25 host 10.242.36.118
    access-list outside extended permit udp host 216.163.252.25 host 10.242.146.29
    access-list outside extended permit udp host 216.163.252.25 host 10.242.158.227
    access-list outside extended permit udp host 216.163.252.25 host 10.242.195.197
    access-list outside extended permit udp host 216.163.252.25 host 207.41.226.145
    access-list outside extended permit udp host 216.163.252.25 10.233.38.144 255.255.255.248
    access-list outside extended permit udp host 216.163.252.25 10.230.132.160 255.255.255.224
    access-list outside extended permit udp host 216.163.252.25 10.230.134.0 255.255.255.224
    access-list outside extended permit udp host 216.163.252.25 10.242.68.160 255.255.255.224
    access-list outside extended permit udp host 216.163.252.25 10.233.38.150 255.255.255.222
    access-list outside extended permit udp host 216.163.252.25 10.229.144.0 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.236.84.64 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.237.84.128 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.239.47.192 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.242.90.64 255.255.255.192
    access-list outside extended permit udp host 216.163.252.25 10.230.137.128 255.255.255.128
    access-list outside extended permit udp host 216.163.252.25 10.239.56.0 255.255.255.128
    access-list outside extended permit udp host 216.163.252.25 10.237.22.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.56
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.72
    access-list outside extended permit esp host 216.163.252.25 10.239.24.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.15
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.94
    access-list outside extended permit esp host 216.163.252.25 host 10.239.24.138
    access-list outside extended permit esp host 216.163.252.25 10.239.23.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.101
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.208
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.20
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.78
    access-list outside extended permit esp host 216.163.252.25 10.239.48.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.73
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.204
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.178
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.187
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.28
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.144
    access-list outside extended permit esp host 216.163.252.25 host 10.239.48.105
    access-list outside extended permit esp host 216.163.252.25 10.237.23.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.237.23.179
    access-list outside extended permit esp host 216.163.252.25 10.237.164.0 255.255.254.0
    access-list outside extended permit esp host 216.163.252.25 10.239.50.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.46
    access-list outside extended permit esp host 216.163.252.25 host 10.237.165.120
    access-list outside extended permit esp host 216.163.252.25 10.239.50.0 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.11
    access-list outside extended permit esp host 216.163.252.25 host 10.239.48.142
    access-list outside extended permit esp host 216.163.252.25 host 10.239.48.12
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.45
    access-list outside extended permit esp host 216.163.252.25 host 10.237.173.12
    access-list outside extended permit esp host 216.163.252.25 host 10.237.164.72
    access-list outside extended permit esp host 216.163.252.25 host 10.237.173.13
    access-list outside extended permit esp host 216.163.252.25 host 10.239.20.145
    access-list outside extended permit esp host 216.163.252.25 host 10.239.41.23
    access-list outside extended permit esp host 216.163.252.25 host 10.242.8.128
    access-list outside extended permit esp host 216.163.252.25 host 10.242.8.146
    access-list outside extended permit esp host 216.163.252.25 host 10.242.8.137
    access-list outside extended permit esp host 216.163.252.25 host 10.242.8.144
    access-list outside extended permit esp host 216.163.252.25 10.230.144.64 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.229.32.0 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.242.50.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.242.8.153
    access-list outside extended permit esp host 216.163.252.25 host 10.242.50.68
    access-list outside extended permit esp host 216.163.252.25 host 10.232.8.176
    access-list outside extended permit esp host 216.163.252.25 10.242.0.128 255.255.255.128
    access-list outside extended permit esp host 216.163.252.25 host 10.230.107.198
    access-list outside extended permit esp host 216.163.252.25 host 10.230.107.199
    access-list outside extended permit esp host 216.163.252.25 host 10.230.107.201
    access-list outside extended permit esp host 216.163.252.25 10.230.107.192 255.255.255.224
    access-list outside extended permit esp host 216.163.252.25 host 10.230.107.202
    access-list outside extended permit esp host 216.163.252.25 10.237.226.0 255.255.255.224
    access-list outside extended permit esp host 216.163.252.25 10.242.146.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.230.107.197
    access-list outside extended permit esp host 216.163.252.25 host 10.229.59.109
    access-list outside extended permit esp host 216.163.252.25 10.242.97.128 255.255.255.128
    access-list outside extended permit esp host 216.163.252.25 10.242.36.64 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.237.241.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 host 10.237.241.14
    access-list outside extended permit esp host 216.163.252.25 host 10.237.241.68
    access-list outside extended permit esp host 216.163.252.25 host 10.237.241.94
    access-list outside extended permit esp host 216.163.252.25 host 10.237.173.15
    access-list outside extended permit esp host 216.163.252.25 10.242.212.0 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.242.51.128 255.255.255.128
    access-list outside extended permit esp host 216.163.252.25 10.242.210.192 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 host 10.242.146.18
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.168
    access-list outside extended permit esp host 216.163.252.25 host 10.239.48.31
    access-list outside extended permit esp host 216.163.252.25 host 10.242.195.204
    access-list outside extended permit esp host 216.163.252.25 10.242.195.192 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.230.241.0 255.255.255.0
    access-list outside extended permit esp host 216.163.252.25 10.230.103.128 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 host 10.230.107.144
    access-list outside extended permit esp host 216.163.252.25 10.230.107.128 255.255.255.224
    access-list outside extended permit esp host 216.163.252.25 10.211.202.224 255.255.255.240
    access-list outside extended permit esp host 216.163.252.25 host 10.211.211.221
    access-list outside extended permit esp host 216.163.252.25 host 10.229.34.43
    access-list outside extended permit esp host 216.163.252.25 host 10.229.34.49
    access-list outside extended permit esp host 216.163.252.25 host 10.232.38.160
    access-list outside extended permit esp host 216.163.252.25 host 10.232.130.93
    access-list outside extended permit esp host 216.163.252.25 host 10.233.38.151
    access-list outside extended permit esp host 216.163.252.25 host 10.236.147.50
    access-list outside extended permit esp host 216.163.252.25 host 10.236.147.71
    access-list outside extended permit esp host 216.163.252.25 host 10.236.147.83
    access-list outside extended permit esp host 216.163.252.25 host 10.236.180.4
    access-list outside extended permit esp host 216.163.252.25 host 10.237.9.83
    access-list outside extended permit esp host 216.163.252.25 host 10.237.9.93
    access-list outside extended permit esp host 216.163.252.25 host 10.237.77.39
    access-list outside extended permit esp host 216.163.252.25 host 10.237.77.74
    access-list outside extended permit esp host 216.163.252.25 host 10.237.77.76
    access-list outside extended permit esp host 216.163.252.25 host 10.237.173.8
    access-list outside extended permit esp host 216.163.252.25 host 10.237.241.24
    access-list outside extended permit esp host 216.163.252.25 host 10.237.241.183
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.13
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.71
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.108
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.109
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.120
    access-list outside extended permit esp host 216.163.252.25 host 10.239.23.170
    access-list outside extended permit esp host 216.163.252.25 host 10.239.24.26
    access-list outside extended permit esp host 216.163.252.25 host 10.239.24.158
    access-list outside extended permit esp host 216.163.252.25 host 10.239.24.222
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.20
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.34
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.41
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.42
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.52
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.60
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.64
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.73
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.81
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.82
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.90
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.114
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.141
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.151
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.155
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.205
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.224
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.233
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.238
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.239
    access-list outside extended permit esp host 216.163.252.25 host 10.239.30.251
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.26
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.52
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.57
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.72
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.90
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.93
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.107
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.161
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.171
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.184
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.185
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.196
    access-list outside extended permit esp host 216.163.252.25 host 10.239.31.208
    access-list outside extended permit esp host 216.163.252.25 host 10.239.38.17
    access-list outside extended permit esp host 216.163.252.25 host 10.239.41.34
    access-list outside extended permit esp host 216.163.252.25 host 10.239.41.68
    access-list outside extended permit esp host 216.163.252.25 host 10.239.41.72
    access-list outside extended permit esp host 216.163.252.25 host 10.239.41.78
    access-list outside extended permit esp host 216.163.252.25 host 10.239.48.143
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.10
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.15
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.31
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.35
    access-list outside extended permit esp host 216.163.252.25 host 10.239.50.52
    access-list outside extended permit esp host 216.163.252.25 host 10.239.60.100
    access-list outside extended permit esp host 216.163.252.25 host 10.239.67.18
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.17
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.23
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.34
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.42
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.53
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.75
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.76
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.77
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.114
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.117
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.118
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.120
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.136
    access-list outside extended permit esp host 216.163.252.25 host 10.239.96.143
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.15
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.17
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.35
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.48
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.90
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.116
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.140
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.168
    access-list outside extended permit esp host 216.163.252.25 host 10.239.98.183
    access-list outside extended permit esp host 216.163.252.25 host 10.242.8.26
    access-list outside extended permit esp host 216.163.252.25 host 10.242.8.53
    access-list outside extended permit esp host 216.163.252.25 host 10.242.11.29
    access-list outside extended permit esp host 216.163.252.25 host 10.242.11.31
    access-list outside extended permit esp host 216.163.252.25 host 10.242.11.80
    access-list outside extended permit esp host 216.163.252.25 host 10.242.11.81
    access-list outside extended permit esp host 216.163.252.25 host 10.242.22.133
    access-list outside extended permit esp host 216.163.252.25 host 10.242.22.134
    access-list outside extended permit esp host 216.163.252.25 host 10.242.22.154
    access-list outside extended permit esp host 216.163.252.25 host 10.242.36.76
    access-list outside extended permit esp host 216.163.252.25 host 10.242.36.79
    access-list outside extended permit esp host 216.163.252.25 host 10.242.36.118
    access-list outside extended permit esp host 216.163.252.25 host 10.242.146.29
    access-list outside extended permit esp host 216.163.252.25 host 10.242.158.227
    access-list outside extended permit esp host 216.163.252.25 host 10.242.195.197
    access-list outside extended permit esp host 216.163.252.25 host 207.41.226.145
    access-list outside extended permit esp host 216.163.252.25 10.233.38.144 255.255.255.248
    access-list outside extended permit esp host 216.163.252.25 10.230.132.160 255.255.255.224
    access-list outside extended permit esp host 216.163.252.25 10.230.134.0 255.255.255.224
    access-list outside extended permit esp host 216.163.252.25 10.242.68.160 255.255.255.224
    access-list outside extended permit esp host 216.163.252.25 10.233.38.150 255.255.255.222
    access-list outside extended permit esp host 216.163.252.25 10.229.144.0 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.236.84.64 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.237.84.128 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.239.47.192 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.242.90.64 255.255.255.192
    access-list outside extended permit esp host 216.163.252.25 10.230.137.128 255.255.255.128
    access-list outside extended permit esp host 216.163.252.25 10.239.56.0 255.255.255.128
    access-list outside extended permit esp host 216.163.252.25 10.237.22.0 255.255.255.0
    access-list inside1 extended permit udp 10.237.164.0 255.255.254.0 host 216.163.252.25
    access-list inside1 extended permit ip 10.229.32.0 255.255.255.192 host 216.163.252.25
    access-list inside1 extended permit ip 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit esp 10.242.146.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit ip 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit esp 10.239.48.0 255.255.255.0 host 216.163.252.25
    access-list inside1 extended permit ip host 10.239.23.177 host 216.163.252.25
    nat (inside,outside) source dynamic obj-10.239.48.0 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
    nat (inside,outside) source dynamic obj-10.237.164.0-01 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
    nat (inside,outside) source dynamic obj-10.229.32.0 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
    nat (inside,outside) source dynamic obj-10.242.146.0 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
    nat (inside,outside) source dynamic obj-10.237.241.0 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
    nat (inside,outside) source dynamic obj-10.230.107.128 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25

  • Can't Send or Receive Email from Exchange behind ASA 5510 with CSC SSM

    We are upgrading from a PIX 515E to an ASA 5510 with CSC SSM. We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. Here is a copy of my config. Any help would be appreciated.
    show config
    : Saved
    : Written by enable_15 at 07:17:44.760 CST Wed Jan 18 2012
    ASA Version 8.4(3)
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 216.XXX.XXX.XXX 255.XXX.XXX.XXX
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.5 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    management-only
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    object network obj-192.168.5.0
    subnet 192.168.5.0 255.255.255.0
    object network obj-192.168.0.0
    subnet 192.168.0.0 255.255.255.0
    object network obj-192.168.9.2
    host 192.168.9.2
    object network obj-192.168.1.65
    host 192.168.1.65
    object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network obj-192.168.6.0
    subnet 192.168.6.0 255.255.255.0
    object network obj-192.168.8.0
    subnet 192.168.8.0 255.255.255.0
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq ftp
    port-object eq www
    port-object eq pop3
    port-object eq smtp
    object-group network Red-Condor
    description Email Filtering
    network-object host 66.234.112.69
    network-object host 66.234.112.89
    object-group service NetLink tcp
    port-object eq 36001
    object-group network AECSouth
    network-object 192.168.11.0 255.255.255.0
    object-group service Email_Filter tcp-udp
    port-object eq 389
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service DM_INLINE_TCP_0 tcp
    group-object Email_Filter
    port-object eq pop3
    port-object eq smtp
    object-group network Exchange-Server
    description Exchange Server
    network-object host 192.168.1.65
    access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list outside_access extended permit tcp any object obj-192.168.9.2
    access-list outside_access extended permit icmp any any
    access-list outside_access extended permit tcp any object-group Exchange-Server eq https
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
    access-list outside_access extended permit object-group TCPUDP object-group Red-Condor object-group Exchange-Server object-group Email_Filter
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit icmp any any
    pager lines 24
    logging enable
    logging console debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpnpool 192.168.5.1-192.168.5.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    object network obj-192.168.9.2
    nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
    object network obj-192.168.1.65
    nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
    object network obj-192.168.1.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.2.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.3.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.6.0
    nat (inside,outside) dynamic interface
    object network obj-192.168.8.0
    nat (inside,outside) dynamic interface
    access-group outside_access in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.XXX 1
    route inside 192.168.0.0 255.255.0.0 192.168.0.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server isaconn protocol radius
    aaa-server isaconn (inside) host 192.168.1.9
    timeout 5
    key XXXXXXX
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set AEC esp-des esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca server
    shutdown
    smtp from-address [email protected]
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate
      quit
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.0.0 255.255.0.0 inside
    telnet timeout 5
    ssh 192.168.0.0 255.255.0.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 208.66.175.36 source outside prefer
    webvpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    class-map global-class
    match access-list global_mpc
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    class global-class
      csc fail-close
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous

    Hello Scott,
    So the Exchange server IP is obj-192.168.1.65, NATed to 216.x.x.x:
    object network obj-192.168.1.65
    "nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp"
    The ACL says
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
    access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
    From which IP addresses are you trying to send traffic to the Exchange server?
    Please do a packet-tracer and give us the output:
    packet-tracer input outside tcp x.x.x.x (outside host IP) 1025 216.x.x.x 25
    Regards,
    Julio
    Rate helpful posts!!!
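Added verification steps for the Exchange/SMTP problem above (example commands, not part of the original thread or of Julio's reply). They assume the 5510 config posted above: 216.X.X.X stands for the masked public address of the Exchange server, 66.234.112.69 is one of the Red-Condor hosts from the config, and the capture name mailcap is arbitrary.

```cisco
! Added example, not from the original thread. Assumes the posted 5510 config;
! 216.X.X.X = masked public address of the Exchange server (obj-192.168.1.65),
! 66.234.112.69 = one of the Red-Condor mail-filter hosts from the config.

! 1. Inbound mail: simulate the filter delivering to the Exchange public IP.
!    A working path ends in "Action: allow"; the NAT phase should show the
!    untranslate to 192.168.1.65 and the ACCESS-LIST phase should match
!    outside_access. A drop in the service-policy / CSC phase points at the
!    module rather than at NAT or the ACL.
packet-tracer input outside tcp 66.234.112.69 1025 216.X.X.X 25 detailed

! 2. Outbound mail: simulate Exchange delivering to the filter.
!    Expected to match inside_access_in (permit ip any any) and use the
!    static NAT of obj-192.168.1.65 on the way out.
packet-tracer input inside tcp 192.168.1.65 1025 66.234.112.69 25 detailed

! 3. The posted policy sends ftp/www/pop3/smtp (class global-class, ACL
!    global_mpc) to the CSC SSM with "csc fail-close". If the module is down,
!    unlicensed or still initialising, exactly those protocols are dropped
!    while all other traffic keeps flowing. Confirm module state and which
!    policy a mail flow hits:
show module 1 details
show service-policy flow tcp host 66.234.112.69 host 192.168.1.65 eq 25

! 4. Both static NATs use "no-proxy-arp". If 216.X.X.X lies in the outside
!    interface's subnet and the upstream router has no static route for it
!    pointing at the ASA, nobody answers ARP for the address and inbound
!    packets never reach the firewall. Check whether port 25 traffic for the
!    public address arrives on the outside interface at all:
capture mailcap interface outside match tcp any host 216.X.X.X eq 25
show capture mailcap
no capture mailcap
```

Run the two packet-tracer commands first: their phase-by-phase output tells you whether the flow dies at NAT, at the ACL, or at the service-policy (CSC) stage, which is the distinction this thread still has to make. Only if both traces allow the flow is it worth looking at the capture, since a trace that allows a packet the firewall never actually receives points upstream, at routing or proxy ARP, rather than at the ASA's own policy.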

  • RemoteApps not working after upgrade from 8.0 to 8.4

    Hi
    I hope someone can shed a little light on a problem that I can't seem to get to the bottom of.
    We have a 5510 ASA that was running 8.0 and were using it for clientless VPN access. Through this, we published bookmarks that linked to an internal Microsoft 2008R2 RemoteApps server, which users logged on to and then launched RemoteApps (basically being RDP sessions to apps on the server).
    All worked fine until we upgraded to 8.4 over the weekend and we now can't launch the RemoteApps. We can still login through the ASA, still click a bookmark to take us to the RemoteApps server's webpage, still then authenticate against the domain fine and still see the published apps. The problem now is when we launch the apps we get "this computer can't connect to the remote computer" messages and the app fails to launch. Nothing has changed on the RemoteApp server side, only the upgrade to 8.4.
    Has anyone had any experience of this happening, or any clues on what to look for? I have verified that DNS lookups internally work fine from the ASA and have tried changing hostnames, IP addresses etc. on the RemoteApps server with little success. I'm wondering if there was a new feature or difference between 8.0 and 8.4 that has stopped something passing through properly.
    Thanks in advance
    Neil

    Hi Mike
    Thanks for the reply.
    I've tested two bookmarked links on the ASA and looked at the packet capture as each goes through:
    1. bookmark rdp://servername - this connects an rdp session fine, using IE on the client and an ActiveX rdp session. I can see 3389 traffic from the internal ASA interface to the internal server (and 443 from ASA outside to the external client).
    2. bookmark https://servername/rdweb - this connects to the server's RemoteApps webpage fine, I log in, and then try to launch a RemoteApp, which fails. I see no 3389 traffic at all on either side, only 443 traffic.
    So I can get an ActiveX RDP session to happen from my client PC, through the ASA and onto the internal server, but only if I do it directly, not if I hop to the server first and launch the RemoteApp (which is basically an RDP session).
    Cheers
    Neil

  • Why is implicit deny missing from outside int incoming access rules after upgrade from 8.25 to 9.1?

    I have just noticed that after the upgrade of the image and ASDM to 911 and 711, the implicit deny ACL is missing from the outside interface. Is this deliberate or a poor upgrade? I am upgrading from 8.25 normally; it depends what the reseller sends me.
    Should this be happening or am I upgrading in too large a jump?
    thanks,
    david

    Hi,
    I would really like to see some screen capture / output of the thing you are referring to.
    I imagine that you are perhaps referring to something related to ASDM? I don't personally use ASDM at all for ASA configurations, so I am not up to date on the possible problems it might have or changes made to its interface.
    I am not sure if you have an ACL attached to the "outside" interface? If so, then I think ASDM should show the Implicit Deny at the end, while this won't show on the CLI side at all.
    I did just check my own ASA at home, which is running 9.0(2) and ASDM 7.1(2) at the moment, and it doesn't show an Implicit Deny for my LAN or WAN interfaces' ACL.
    Though the basic ACL operation is still in effect. If it's not allowed in the ACL, then it's blocked by Implicit Deny. This can be confirmed with a "packet-tracer" test on your firewall also.
    - Jouni
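One way to make the implicit deny that Jouni describes visible and auditable on the CLI, as an added example that is not part of the thread: append an explicit catch-all deny with logging as the last line of the interface ACL. The ACL and interface names follow the 5510 config posted earlier on this page (outside_access, outside); 216.X.X.X is that config's masked Exchange public address and 203.0.113.10 is a constructed example source.

```cisco
! Added example, not from the original thread. Names follow the 5510 config
! posted earlier (ACL outside_access bound inbound on interface outside);
! 216.X.X.X = masked Exchange public address, 203.0.113.10 = constructed source.

! The implicit deny is never listed by "show access-list" and produces no
! syslog unless a packet is denied (106023). An explicit deny with "log" as
! the final line behaves identically for traffic, but every match now raises
! syslog 106100 and increments a hit counter, so ASDM's log viewer and the
! CLI both show what is being blocked and how often.
access-list outside_access extended deny ip any any log

! The ACL only takes effect, implicit deny included, while it is bound to an
! interface (already present in the posted config, repeated for completeness):
access-group outside_access in interface outside

! The deny line must be last; ACEs are evaluated top-down and "show access-list"
! prints them in order with (hitcnt=N) per line:
show access-list outside_access

! Denied traffic is now recorded; the 106100 messages name the ACL and ACE:
show logging | include 106100

! Prove the deny without waiting for real traffic: SSH from an Internet host to
! the Exchange public address is not permitted by any ACE, so the trace ends in
!   Drop-reason: (acl-drop) Flow is denied by configured rule
packet-tracer input outside tcp 203.0.113.10 40000 216.X.X.X 22
```

Whether or not a particular ASDM release draws the implicit deny row, the firewall behaviour does not change; the explicit logged deny simply turns an invisible default into something you can count, log and alert on, which is also the form most audit checklists expect to see at the end of an Internet-facing ACL.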
