03-24-2008 05:35 AM - edited 02-20-2020 09:40 PM
Howdy,
I am unfamiliar with using the ASA and find myself running into a lot of errors, so I thought I would ask the experts.
I have several older(ish) routers that have ACLs on them that I would like to transfer to our new 5510 ASA, but I am finding it's not as simple as cut and paste. For example:
When I use "established" in a new ACL it has no idea what I am typing. Is this no longer used?
Also, in my current ACLs a line would look like this:
access-list 103 permit udp any 38.100.32.0 0.0.0.255 eq domain
But when I type that into my new 5510 I get an error that my IP address and subnet mask don't pair. (I get the same error when I cut my old ACL into a text editor and then try to paste it into my ASA 5510.) What am I doing wrong?
If someone can point me in the right direction I would be very grateful. (With several ACLs needing to be moved over, I am worried about how much of it is no longer used or different.)
Thanks
03-24-2008 05:58 AM
Hi Shawn
Firstly, you do not need the "established" keyword because the ASA is a stateful firewall, so it will keep track of the TCP flags for you.
Secondly, IOS subnet masks are reverse masks, so
38.100.32.0 0.0.0.255 on IOS = on the ASA
38.100.32.0 255.255.255.0
You should be okay with the "domain" keyword, but if not you need to know the actual port numbers - domain = 53 in this case.
Note: if the reverse masks are not split on an octet boundary, i.e.
0.0.0.31
the easiest way to translate this to a normal mask is
31 + 1 = 32
256 - 32 = 224, so
255.255.255.224
This works for other reverse masks as well, e.g.
0.0.0.63
63 + 1 = 64
256 - 64 = 192, so
255.255.255.192
HTH
Jon
03-24-2008 06:02 AM
That does help a lot. I will do some editing and let you know how it works.
Thank you.
Shawn
03-24-2008 06:21 AM
Everything worked well with the import of the ACLs from my text editor, with two exceptions.
I noticed that non500-isakmp and netbios-ss are no longer options? Are they not needed? (Of course, if they are not then that is fine; I just don't want to be leaving anything out.)
Thanks
Shawn
03-24-2008 06:25 AM
Shawn
What do you mean by non500-isakmp ?
If you are trying to use the actual names then they might not be recognised by the ASA; sorry, not at work today.
Do you know the actual port numbers for non500-isakmp and netbios-ssn (which should be a port between 135 & 139, but I can never remember exactly which)?
Jon
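The three translation rules discussed in Jon's two replies (reverse masks become normal subnet masks, "established" is dropped because the ASA is stateful, and IOS service names the ASA does not know are replaced by port numbers) are mechanical enough to script. The following converter is an added example for this thread, not something posted by Jon, Shawn or Cisco. It assumes IOS extended ACL syntax on input and emits ASA `access-list <id> extended ...` lines. The port table uses the IANA assignments: non500-isakmp is UDP 4500 (IKE NAT-T) and netbios-ssn is TCP 139. It also refuses wildcards that are not a contiguous run of low-order ones (e.g. 0.0.255.0), since those have no subnet-mask equivalent on the ASA and silently mis-converting them would open or close the wrong hosts.

```python
"""Convert IOS extended ACL lines to ASA access-list syntax.

Added example, not code from the original thread. Covers the three
differences raised in the thread: wildcard (reverse) masks become
subnet masks, the "established" keyword is dropped because the ASA
is a stateful firewall, and IOS service names are replaced by the
port numbers the ASA always accepts.
"""
import ipaddress

# IANA port numbers for the names discussed above (extend as needed).
PORT_NAMES = {
    "domain": 53,
    "www": 80,
    "https": 443,
    "isakmp": 500,
    "non500-isakmp": 4500,   # IKE NAT traversal, UDP
    "netbios-ns": 137,
    "netbios-dgm": 138,
    "netbios-ssn": 139,      # NetBIOS session service, TCP
}

PORT_OPS = {"eq", "gt", "lt", "neq", "range"}


def wildcard_to_netmask(wildcard: str) -> str:
    """Invert an IOS wildcard mask into a subnet mask.

    Per octet this is 255 - wildcard_octet, so 0.0.0.31 -> 255.255.255.224.
    Raises ValueError for wildcards that are not a contiguous block of
    low-order ones, because the ASA cannot express those as a netmask.
    """
    bits = int(ipaddress.IPv4Address(wildcard))
    # A valid wildcard is 2**n - 1: bits & (bits + 1) is then zero.
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} has no netmask equivalent")
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ bits))


def _convert_address(tokens, i):
    """Consume one address spec at tokens[i]; return (asa_tokens, next_index)."""
    tok = tokens[i].lower()
    if tok == "any":
        return ["any"], i + 1
    if tok == "host":
        return ["host", tokens[i + 1]], i + 2
    # IOS form: <network> <wildcard>
    return [tokens[i], wildcard_to_netmask(tokens[i + 1])], i + 2


def _convert_ports(tokens, i, out):
    """If tokens[i] starts a port spec, append its ASA form to out; return next index."""
    if i >= len(tokens) or tokens[i].lower() not in PORT_OPS:
        return i
    op = tokens[i].lower()
    count = 2 if op == "range" else 1
    out.append(op)
    for name in tokens[i + 1:i + 1 + count]:
        # Names the ASA may not know become numbers; unknown names pass through.
        out.append(str(PORT_NAMES.get(name.lower(), name)))
    return i + 1 + count


def ios_acl_to_asa(line: str, acl_name: str = "") -> str:
    """Translate one IOS 'access-list N permit|deny ...' line to ASA syntax."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0].lower() != "access-list":
        raise ValueError(f"not an extended access-list line: {line!r}")
    name = acl_name or tokens[1]
    if tokens[2].lower() == "remark":
        return " ".join(["access-list", name, "remark"] + tokens[3:])
    action, proto = tokens[2].lower(), tokens[3].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"unexpected action {action!r} in {line!r}")
    out = ["access-list", name, "extended", action, proto]
    addr, i = _convert_address(tokens, 4)
    out += addr
    i = _convert_ports(tokens, i, out)
    addr, i = _convert_address(tokens, i)
    out += addr
    i = _convert_ports(tokens, i, out)
    for tok in tokens[i:]:
        if tok.lower() == "established":
            continue  # redundant on a stateful firewall
        out.append(tok)   # e.g. "log" is accepted as-is by the ASA
    return " ".join(out)


if __name__ == "__main__":
    # Constructed sample lines in the style of the thread; not real config.
    sample = [
        "access-list 103 permit udp any 38.100.32.0 0.0.0.255 eq domain",
        "access-list 103 permit tcp 10.0.0.0 0.0.0.63 host 192.0.2.10 eq netbios-ssn",
        "access-list 103 permit udp any host 192.0.2.5 eq non500-isakmp",
        "access-list 103 permit tcp any 10.0.0.0 0.0.0.31 established",
    ]
    for l in sample:
        print(ios_acl_to_asa(l))
```

Feed the script one router's ACL at a time and diff the output against what the ASA accepted; any ValueError marks a line that needs a human decision rather than a blind paste.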
03-24-2008 07:15 AM
Jon,
I did what you recommended and added them by port number: non500-isakmp = 4500
and netbios-ss = 150.
Everything worked fine.
Thanks for your help.
03-24-2008 07:19 AM
No problem, glad to be of help.