PIX TO ASA Command Conversion Urgent!!

Charlie Mayes
Level 1

Hello ALL,

My PIX 515E overheated and caught on fire. I have transferred all my configs from the PIX to an ASA 5505 except:

    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69

The ASA keeps telling me the

INFO: converting 'fixup protocol tftp 69' to MPF commands

I have no idea how to use the ASA commands to reproduce these settings. HELP!!

PIX PIX Version 6.3(3)

ASA 5505

    6 8312832 May 09 2007 05:14:36 asa722-k8.bin
    7 1868412 May 09 2007 05:14:50 securedesktop-asa-3.1.1.29-k9.pkg
    8 398305 May 09 2007 05:15:04 sslclient-win-1.1.0.154.pkg
    9 5623108 May 09 2007 05:16:06 asdm-522.bin


Jon Marshall
Hall of Fame

Charlie

Are you actually using any of the fixups or is it just part of the default config?

The equivalent ASA default config is -

    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global

This should already be in the config. You only need to do further modification if you have changed any of the fixups on your original PIX.

Does this make sense?

Jon
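
The check described in the reply above (only fixups changed from the defaults need work), as an added example that is not part of the original thread. It is a sketch in Python; the function and constant names are hypothetical, the baseline is the fixup list from the question, the inspect list is the one from the reply, and the `smtp`/`esmtp` and `sip udp`/`sip` pairings are assumptions.

```python
import re

# Inspect engines in the default global_policy quoted in the reply above.
POSTED_INSPECTS = {"ftp", "h323 h225", "h323 ras", "netbios", "rsh", "rtsp", "skinny",
                   "esmtp", "sqlnet", "sunrpc", "tftp", "sip", "xdmcp"}
# Baseline arguments: the fixup lines exactly as posted in the question.
BASELINE = {"dns": "maximum-length 512", "ftp": "21", "h323 h225": "1720",
            "h323 ras": "1718-1719", "http": "80", "rsh": "514", "rtsp": "554",
            "sip": "5060", "sip udp": "5060", "skinny": "2000", "smtp": "25",
            "sqlnet": "1521", "tftp": "69"}
# Assumption: PIX "smtp" maps to ASA "esmtp"; "sip udp" is covered by "inspect sip".
RENAMED = {"smtp": "esmtp", "sip udp": "sip"}
FIXUP = re.compile(r"^(no\s+)?fixup\s+protocol\s+(\S+(?:\s+(?:h225|ras|udp)\b)?)\s*(.*)$")

def audit_fixups(pix_config):
    """Map each fixup name in a PIX config to (status, ASA inspect name)."""
    report = {}
    for line in pix_config.splitlines():
        m = FIXUP.match(line.strip())
        if not m:
            continue  # conduit, pdm, Cryptochecksum, blank lines, ...
        name, args = " ".join(m.group(2).split()), m.group(3).strip()
        inspect = RENAMED.get(name, name)
        if m.group(1):                        # "no fixup protocol ..." on the PIX
            status = "disabled"
        elif BASELINE.get(name) != args:      # port or option edited, or unknown fixup
            status = "changed"
        elif inspect not in POSTED_INSPECTS:  # on the PIX, absent from the posted ASA list
            status = "not-in-posted-policy"
        else:
            status = "covered"
        report[name] = (status, inspect)
    return report

# The question's fixup lines, rebuilt from BASELINE.
PAGE_CONFIG = "\n".join("fixup protocol %s %s" % kv for kv in BASELINE.items())
# Constructed variant: a moved FTP port, a disabled fixup, and a non-fixup line.
CONSTRUCTED = (PAGE_CONFIG.replace("ftp 21", "ftp 2121")
               .replace("fixup protocol smtp", "no fixup protocol smtp")
               + "\nconduit permit icmp any any")

if __name__ == "__main__":
    for label, cfg in (("posted", PAGE_CONFIG), ("constructed", CONSTRUCTED)):
        for name, (status, inspect) in audit_fixups(cfg).items():
            if status != "covered":
                print("%-11s fixup %-9s -> %s (inspect %s)" % (label, name, status, inspect))
```

Run against the question's own lines, only `dns` and `http` come back as `not-in-posted-policy`, so those two are the ones to compare by hand against the running ASA config.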

I am not sure. That firewall was not configured by me originally. I am new to this organization and the network engineer left, so nobody has a clue. I am just attempting to replace all the configs as they were. You are right, I see the configs exactly where you told me they would be. Thanks for your help, Jon.

Oh yeah, the two statements at the bottom would not work in the ASA either. Do you know why?

    conduit permit icmp any any
    pdm history enable
    Cryptochecksum:eac74af3bf43d37b42b1b6a3fc0f8b4d

Charlie

"conduit permit icmp any any"

won't work because the ASA doesn't use conduits. The equivalent is just an access-list, i.e.

access-list icmptraffic permit icmp any any

but you need to work out where it has been applied.

"pdm history enable"

won't work because the ASA uses ASDM not PDM.

I wouldn't worry about the fixups. They always appear in the config, and a lot of the time there is no need to modify them, so you just accept the defaults; you can do the same on the ASA. If something that relies on a fixup stops working, that would be the time to worry :-).

As for the ICMP - not sure how this was applied on your previous PIX.

Jon

Ok, cool. I have one more issue which is so weird, Jon. I am running the ASA in router mode but I still keep getting this message.

    This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s) with nameif already configured.

I have configured the IP address, security-level and even added the interface to the VLAN, but it will not let me name it. Crazy!! What is the issue here?

Charlie

The issue is that you have a 5505 with a basic license. And that basic license puts restrictions on the use of the third VLAN. I believe that if you add the no forward command to the interface then you will be able to name it.

HTH

Rick
