06-28-2010 06:17 AM - edited 03-11-2019 11:04 AM
I managed to convert our old PIX config to our new ASA 5505 config, but when I take out our PIX firewall and put in the new ASA, the internet does not work. Can you please see what I have done wrong? I am not an expert, so if you have a solution, please be very detailed. TYIA!
Here is the pix config:
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password GWrHuOdSnP3vVpxD encrypted
passwd GWrHuOdSnP3vVpxD encrypted
hostname pixfirewall
domain-name xxxxxxxxxx.org
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list aclin permit tcp any host xx.x.xx.218 eq 4899
access-list aclin permit tcp any host xx.x.xx.218 eq smtp
access-list aclin permit tcp any host xx.x.xx.218 eq www
access-list aclin permit tcp any host xx.x.xx.218 eq citrix-ica
access-list aclin permit tcp host xx.x.xx.xx host xx.x.xx.218 eq ldap
access-list aclin permit tcp any host xx.x.xx.220 eq 3389
access-list vpn_nat_acl permit ip 172.16.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.200.0 255.255.255.0
access-list jaremotes_splitTunnelAcl permit ip 172.16.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.x.xx.221 255.255.255.248
ip address inside 172.16.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RemoteVPNPool 192.168.200.1-192.168.200.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn_nat_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.x.xx.218 172.16.1.2 netmask 255.255.255.255 0 0
static (inside,outside) xx.x.xx.219 172.16.1.3 netmask 255.255.255.255 0 0
static (inside,outside) xx.x.xx.220 172.16.1.4 netmask 255.255.255.255 0 0
access-group aclin in interface outside
route outside 0.0.0.0 0.0.0.0 xx.x.xx.217 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set strong
crypto map toDayton 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map toDayton client configuration address initiate
crypto map toDayton client configuration address respond
crypto map toDayton interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxx address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local RemoteVPNPool outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
vpngroup jaremotes address-pool RemoteVPNPool
vpngroup jaremotes dns-server 172.16.1.2
vpngroup jaremotes default-domain xxxxxxxxxxx.ORG
vpngroup jaremotes split-tunnel jaremotes_splitTunnelAcl
vpngroup jaremotes idle-time 7200
vpngroup jaremotes password xxxxxxxxxxxxxx
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 5
ssh xx.x.xx.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:a939584ebafeaba60b199056eb90789a
: end
And here is the new ASA 5505 config:
ASA Config
ASA Version 7.2(4)
!
hostname pixfirewall
domain-name jaxxxxxxxx.org
enable password GWrHuOdSnP3vVpxD encrypted
passwd GWrHuOdSnP3vVpxD encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.x.xx.221 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name jaxxxxxxxs.org
access-list aclin extended permit tcp any host xx.x.xx.218 eq 4899
access-list aclin extended permit tcp any host xx.x.xx.218 eq smtp
access-list aclin extended permit tcp any host xx.x.xx.218 eq www
access-list aclin extended permit tcp any host xx.x.xx.218 eq citrix-ica
access-list aclin extended permit tcp host 69.x.xx.23 host xx.x.xx.218 eq ldap
access-list aclin extended permit tcp any host xx.x.xx.220 eq 3389
access-list vpn_nat_acl extended permit ip 172.16.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.200.0 255.255.255.0
access-list jaremotes_splitTunnelAcl extended permit ip 172.16.1.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteVPNPool 192.168.200.1-192.168.200.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn_nat_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xx.x.xx.218 172.16.1.2 netmask 255.255.255.255
static (inside,outside) xx.x.xx.219 172.16.1.3 netmask 255.255.255.255
static (inside,outside) xx.x.xx.220 172.16.1.4 netmask 255.255.255.255
access-group aclin in interface outside
route outside 0.0.0.0 0.0.0.0 xx.x.xx.217 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set strong
crypto map toDayton 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map toDayton interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 5
ssh xx.x.70.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
group-policy jaremotes internal
group-policy jaremotes attributes
dns-server value 172.16.1.2
vpn-idle-timeout 120
split-tunnel-policy tunnelspecified
split-tunnel-network-list value jaremotes_splitTunnelAcl
default-domain value JASxxxxx.ORG
tunnel-group DefaultRAGroup general-attributes
address-pool (outside) RemoteVPNPool
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group jaremotes type ipsec-ra
tunnel-group jaremotes general-attributes
address-pool RemoteVPNPool
default-group-policy jaremotes
tunnel-group jaremotes ipsec-attributes
pre-shared-key *
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3f5981080b7be5619f2b3ac81168202f
: end
06-28-2010 06:21 AM
The outside ip address on the ASA is different than the one on your pix.
06-28-2010 06:46 AM
Sorry, I noticed I posted the wrong config. I just updated it. Any ideas now? Thanks
06-28-2010 08:53 AM
Hi, make sure to clear the arp cache on the upstream device (x.x.x.217) after replacing the PIX with an ASA or simply reboot it.
Are you able to ping this device from your ASA?
06-28-2010 09:06 AM
I just restarted everything. Still no internet. I will report back on ping in a while.
06-28-2010 09:52 AM
pixfirewall# ping xx.x.xx.217
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xx.x.xx.217, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
06-28-2010 11:31 AM
You will need to check the logs and packet captures on the ASA to see if it is receiving this traffic and if at all dropping any packets.
If you do not know how to capture this information, please open a TAC case to investigate further.
Thanks.
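A diagnostic session along the lines of that reply, added here as an example (these are not the poster's or the responder's own commands). It assumes 172.16.1.10 is an inside test host, 8.8.8.8 is some outside host, and xx.x.xx.221 and xx.x.xx.217 are the masked outside-interface and upstream addresses from the config above.

```cisco
! Added example: trace one inside host's web traffic through the ASA 7.2 rule base.
! 172.16.1.10 (inside test host) and 8.8.8.8 (outside host) are assumed values.

! 1. Keep syslog in the local buffer so denies and NAT failures are visible.
pixfirewall# configure terminal
pixfirewall(config)# logging enable
pixfirewall(config)# logging buffered debugging
pixfirewall(config)# exit

! 2. Capture the test host on both sides of the firewall.
!    Outbound traffic is PATed to the outside interface address, so on the
!    outside capture match the interface address xx.x.xx.221, not the host.
pixfirewall# capture capin interface inside match ip host 172.16.1.10 any
pixfirewall# capture capout interface outside match ip host xx.x.xx.221 any

! 3. From 172.16.1.10, open a web page, then read the captures and the log.
pixfirewall# show capture capin
pixfirewall# show capture capout
pixfirewall# show logging | include 172.16.1.10

! 4. Simulate the same flow without sending a packet; the output lists each
!    phase (route lookup, ACL, NAT, ...) and a final "Action: allow" or "drop"
!    with the reason for the drop.
pixfirewall# packet-tracer input inside tcp 172.16.1.10 12345 8.8.8.8 80

! 5. Confirm the translation and the current ARP view of the upstream router.
pixfirewall# show xlate
pixfirewall# show arp

! 6. Remove the captures when done; they consume memory on a 5505.
pixfirewall# no capture capin
pixfirewall# no capture capout
```

Reading the result: SYNs in capin but nothing in capout means the ASA itself dropped the flow (packet-tracer names the phase); SYNs in capout with no SYN-ACK coming back points upstream, consistent with the earlier advice to clear the ARP cache on xx.x.xx.217, which may still hold the old PIX's MAC address.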