cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
620
Views
0
Helpful
10
Replies

Migrating From PIX 520(Version 5.2(3)) in ASA5550-BUN-K9 (7.1(2))

m-daja
Level 1
Level 1

Hi

Due to the fact that pix520 (version 5.2(3)) is not supported more i have decided to go in ASA5550-BUN-K9 (7.1(2))

I have performed one copy & paste of the configuration(including extended in my access-lists),excluding inspect esmtp (no fixup protocol smtp 25 is already configured in my pix 520).After realizing the cable connection disconnecting the cables from pix i have not good results:

I can't browse internet through proxy

I can't send e-mails outside

Connectivity from in to out is like blocked and access lists does not show hits

I have already added inspect http

but i see that is a kind of traffic blocked [%ASA-4-106023 =i not sure this can help you]

I'm not sure that is problem of service global policy or something else.ASA configuration is performed with simple access-lists extended and no with object-groups.[When i turned back my connection i need to reload my pix 520 because the outside interface did not respond to the pings from my outside router fa0/0

10 Replies 10

andrew.prince
Level 10
Level 10

Without seeing the config - I think your issue lies with your NAT config.

I suggest you look in that direction - or post your config for review.

HTH>

Hi Andrew Thanks For Your Reply Dear Sir

I think that nat is ok for the whole lan

(Just take a look to the notepad file)

Do you think that i can modify my nat or to connect the inside interface with another ip address inside the lan in order to leave time to this to reply with the whole network because 10 minutes are not enough to complete the transition with the same configurations

Thank You Sir

You have a NAT mis-configuration, on your outbound and your inbound.

What IP address space do you currently have in the .240 range?

for the internal to external NAT I would have as an example I would have something like:-

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 217.24.240.1 255.255.255.240

nat (inside) 2 0.0.0.0 0.0.0.0

global (outside) 1 interface

global (outside) 2 217.24.240.2

~~~******~~~

For the acl:-

static (dmz1,outside) 217.24.240.ggg 217.24.240.ggg netmask 255.255.255.255

access-list acl_out extended permit udp any host 217.24.240.ggg eq domain

THIS MAKES NO SENSE

static (inside,dmz1) 217.24.240.ver www.ww1.ser.roa netmask 255.255.255.255

access-list acl_inside extended permit ip host www.ww1.ser.roa any

I think is incorrect, if you want internal servers to access a proxy server in the DMZ? the NAT is wrong.

What are you actually trying to do?

Thanks for your suggestion but my proxy server

is not in the dmz zone but in the internal zone and in order to communicate as it needs communication also with dns i need first to translate it at the dmz public zone (for the DNS) and for the www it goes through nat outside.This is the sense. As for the global nat due to the fact that i have a lot of traffic going in internet i need to have a bundle of addresses to do the nat(proxy connection is included when goes out for www)so this is the fact that i do not use my external ip for nat.As for the line static (dmz1 out) if you will notice this is udp port 53 so it's domain no proxy.It's correct

MEHMET,

static (dmz1,outside) 217.24.240.ggg 217.24.240.ggg netmask 255.255.255.255

This indicates you have allocated a subnet to the DMZ from the 217.24.240.x - is this correct? As you are translating 217.24.240.ggg that sits in the DMZ to the outside?

access-list acl_out extended permit udp any host 217.24.240.ggg eq domain

This indicates you want to allow any device the query this server via DNS? is this correct?

static (inside,dmz1) 217.24.240.ver www.ww1.ser.roa netmask 255.255.255.255

Indicates that whatever server IP address www.ww1.ser.roa it will be translated to 217.24.240.ver when it enters the DMZ - is this correct???? I think this is wrong.

For the ggg host this is correct that is my dns so each dns has realtionships with my dns

+outside mail(realy) server

www.ww1.ser.roa is the web proxy server and it goes in dmz segment to contact dns only

If i start one web connection my proxy get one of my nat addresses bundle and goes out for the www (i'm i clear)

I am confused - perhaps another netpro reading this will understand and help you.

Do not be confused

Internal mail server + Domain server goes in dmz translated from pix(private-public)

In dmz they meet public domain + public mail server

this public ip are translated outside also from pix

if i will go to my internal proxy this catch one ip address from the nat pool and i.m able to open the internet site right now

But i need also dns to open internet so proxy goes in dmz to meet the dns

The nat is ok and i have connected asa with the same config as pix but with another internal ip address (from yesterday) to see if this needs time to replicate with my network because is an copy paste of the configuration and the fact that asa do not want to pass www traffic from in to out is strange for me and seems as nat problem (as U said=note at the end of cisco pdf books) (but i don't think so)

Hi ..

I suggest you posting a sanitized config and a visio diagram .. that will help !!!

Hi Andrew

Said honestly i use always comand line interface (not GUI via ASDM)

I have readed cisco Document ID: 63880

The response maybe is in page 9 point 11

I have already investigated via asdm connectivity from my laptop connecting it via cross cable with asa5550 internal interface and the box was checked(by default).This explains why NAT has found problems.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: