01-23-2009 10:15 AM - edited 03-11-2019 07:41 AM
Hello ALL,
My PIX 515E overheated and caught on fire. I have transferred all my configs from the PIX to an ASA 5505 except
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
The ASA keeps telling me the following:
INFO: converting 'fixup protocol tftp 69' to MPF commands
I have no idea how to use the ASA commands to reproduce these settings. HELP!!
PIX PIX Version 6.3(3)
ASA 5505
6 8312832 May 09 2007 05:14:36 asa722-k8.bin
7 1868412 May 09 2007 05:14:50 securedesktop-asa-3.1.1.29-k9.pkg
8 398305 May 09 2007 05:15:04 sslclient-win-1.1.0.154.pkg
9 5623108 May 09 2007 05:16:06 asdm-522.bin
01-23-2009 10:36 AM
Charlie
Are you actually using any of the fixups or is it just part of the default config ?
The equivalent ASA default config is -
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
This should already be in the config. You only need to do further modification if you have changed any of the fixups on your original pix.
Does this make sense ?
Jon
01-23-2009 10:57 AM
I am not sure. That firewall was not configured by me originally. I am new to this organization and the network engineer left, so nobody has a clue. I am just attempting to replace all the configs as they were. You are right, I see the configs exactly where you told me they would be. Thanks for your help Jon.
Oh yeah, the two statements at the bottom would not work in the ASA either. Do you know why?
conduit permit icmp any any
pdm history enable
Cryptochecksum:eac74af3bf43d37b42b1b6a3fc0f8b4d
01-23-2009 11:04 AM
Charlie
"conduit permit icmp any any"
won't work because the ASA doesn't use conduits. The equivalent is just an access-list ie.
access-list icmptraffic permit icmp any any
but you need to work out where it has been applied.
"pdm history enable"
won't work because the ASA uses ASDM not PDM.
I wouldn't worry about the fixups, they always appear in the config and a lot of the time there is no need to modify them so you just accept the defaults so you can do the same on the ASA. If something that relies on a fixup stops working that would be the time to worry :-).
As for the ICMP - not sure how this was applied on your previous pix.
Jon
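To tie Jon's two answers together (the default MPF policy above and the conduit-to-ACL mapping), here is an added example, not from the thread, of how the PIX lines would be expressed on an ASA 7.2 if any of them had actually been customised. The interface name "outside" and the non-standard FTP port 2121 are assumed for illustration.

```cisco
! --- PIX fixups carried over to ASA Modular Policy Framework (MPF) ---
!
! "fixup protocol dns maximum-length 512": on the ASA the length limit
! lives in an inspection policy-map (preset_dns_map is the ASA default
! name and already carries 512; shown here so the mapping is explicit).
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
! "fixup protocol http 80" and "fixup protocol sip udp 5060": http is
! not in the default class, so add it; inspect sip already covers both
! tcp and udp 5060. inspect icmp is the stateful replacement for opening
! ICMP replies with an ACL (see below).
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect http
  inspect sip
  inspect icmp
!
! A fixup on a non-standard port (assumed example: FTP on tcp/2121)
! needs its own class-map; inspection_default only matches the
! well-known ports.
class-map ftp_nonstd_class
 match port tcp eq 2121
policy-map global_policy
 class ftp_nonstd_class
  inspect ftp
!
! "conduit permit icmp any any": the ASA needs an ACL bound to an
! interface. The literal equivalent is "permit icmp any any"; with
! inspect icmp enabled above, only a narrower set (or nothing at all)
! has to be permitted inbound, which avoids answering inbound sweeps
! while outbound ping and traceroute still get their replies back.
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-group outside_in in interface outside
!
! Confirm what the box is actually enforcing (converted fixups show up
! as inspections in the service policy, not as fixup lines):
show service-policy
show running-config policy-map
```

The "INFO: converting 'fixup protocol ...' to MPF commands" message from the original post is the ASA doing the first part of this translation automatically; only the ACL and any non-standard-port classes have to be written by hand.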
01-23-2009 12:05 PM
Ok Cool. I have one more issue which is so weird Jon. I am running the ASA in router mode but I still keep getting this message.
This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
I have configured the ip address, security-level and even added the interface to the vlan but it will not let me name it. Crazy!! What is the issue here?
01-25-2009 07:22 PM
Charlie
The issue is that you have a 5505 with a basic license. And that basic license puts restrictions on the use of the third VLAN. I believe that if you add the no forward command to the interface then you will be able to name it.
HTH
Rick