08-30-2010 10:54 AM - edited 03-11-2019 11:32 AM
I am trying to upgrade from a Pix501 to a new ASA 5510. I ran the pixtoasa tool and now have the following configuration:
ASA Version 7.2(2)
boot system disk0:/asa831-k8.bin
:::: Interface mapping - {'ethernet1': 'Ethernet0/1', 'ethernet0': 'Ethernet0/0'}
:::: Original Interface id ethernet0
interface Ethernet0/0
ip address 216.x.x.x 255.255.255.252
nameif outside
security-level 0
speed auto
duplex auto
no shutdown
:::: Original Interface id ethernet1
interface Ethernet0/1
ip address 192.168.1.2 255.255.255.0
nameif inside
security-level 100
speed 100
duplex full
no shutdown
enable password ******************* encrypted
passwd ******************* encrypted
hostname JMSBCFW
domain-name JMS
names
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any source-quench
access-list outside_in permit tcp any interface outside eq 1000
access-list outside_in permit tcp any interface outside eq 1001
access-list outside_in permit tcp any interface outside eq 1002
access-list outside_in permit tcp any interface outside eq 1003
access-list outside_in permit tcp any interface outside eq 1004
access-list outside_in permit tcp any interface outside eq 1005
access-list outside_in permit tcp any interface outside eq 1006
access-list outside_in permit tcp any interface outside eq 1007
access-list outside_in permit tcp any interface outside eq 1008
access-list outside_in permit tcp any interface outside eq 1009
access-list outside_in permit tcp any interface outside eq 1010
access-list outside_in permit tcp any interface outside eq 1011
access-list outside_in permit tcp any interface outside eq 1012
access-list outbound permit tcp any any
access-list outbound permit ip any any
access-list HCA_cryptomap permit ip 10.129.64.0 255.255.255.252 170.x.x.x 255.255.255.128
access-list HCA permit ip 192.168.1.0 255.255.255.0 170.x.x.x 255.255.255.128
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip audit info action alarm
ip audit attack action alarm
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 10.129.64.1
nat (inside) 2 10.129.64.0 255.255.255.252 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.55 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.4 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1001 192.168.1.67 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1002 192.168.1.85 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1003 192.168.1.29 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1004 192.168.1.12 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1005 192.168.1.64 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1006 192.168.1.62 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1007 192.168.1.18 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1008 192.168.1.70 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1009 192.168.1.68 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1010 192.168.1.44 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1011 192.168.1.37 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1012 192.168.1.73 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.1.4 source inside
http server enable
http 192.168.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
:::: Not supported - floodguard enable
:::: sysopt renamed from 'sysopt connection permit-ipsec' to 'sysopt connection permit-vpn'
sysopt connection permit-vpn
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map hca 10 ipsec-isakmp
crypto map hca 10 match address HCA_cryptomap
crypto map hca 10 set peer 199.x.x.x
crypto map hca 10 set transform-set myset
crypto map hca interface outside
isakmp enable outside
:::: Your key is set to all STARS(*) Please fix!'isakmp key ******** address 199.x.x.x netmask 255.255.255.255'
isakmp key ******** address 199.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username admin password ******************** encrypted privilege 2
terminal width 90
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect tftp
!
service-policy global_policy global
I tested the ASA5510 and was only able to get out (ping or otherwise) from the internal IP of 192.168.1.4. This was also the first box I tried to get out on, all others would not ping or anything. Is this a NAT issue? Is there something I neglected to do in the conversion? Forgive my crude configuration of individual user access to their desktops (RDP sessions) but I have been having to use the console port in PIX to set those up for the past year.
Any help will be greatly appreciated. Thank You!
08-30-2010 11:07 AM
Hi,
Add ICMP inspection to be able to PING from the internal network to the internet
policy-map global_policy
class inspection_default
inspect icmp
All your internal LAN should be able to have Internet because of these commands:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
Federico.
08-30-2010 11:56 AM
Thanks for the reply Federico. So there is nothing special I need to do for the NAT commands between the PIX and ASA? Is there a special order for NAT1, NAT2 and so on... I will add the command you suggested and try again.
Mike
08-30-2010 04:17 PM
Can you clear up some questions, Mike? I see the boot is set to ASA 8.3.1, but you have pre-8.3.1 NAT configurations. What image are you currently running? Are you trying to ping from an inside host to the internet or from the ASA?
08-31-2010 08:07 AM
Hi Edward, I did nothing to the configuration as it was in the PIX, other than run the PIXTOASA.exe conversion utility. Is there something else I should do for the NAT configuration in the ASA? I don't have it handy, but I am pretty sure it is running the 831 image. Please pardon my ignorance on the subject, I am by no means proficient in firewall setup. Yes, I was trying to ping from inside to internet. I was able to ping and get to the internet only from 192.168.1.4, which happens to be the server and the first machine I tried to use. Any other LAN machine was unable to ping out (used 4.2.2.2). I would appreciate any light you can shed on the subject.
Regards,
Mike Townsend
08-31-2010 08:25 AM
I agree with Edward, your configuration is set up pre 8.3(1), so you have two choices:
1> run a code version that is pre 8.3.
2> change the NAT setup to post 8.3(1) using the following link:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html
Thanks
Manish
08-31-2010 11:27 AM
Assuming my LAN is 192.168.1.1 through 255 and there may be 100 users connected to the outside at any given time, would either of these configurations work:
# object network my-outside-ips
# range 10.1.1.1 10.1.1.101
# object network my-inside-net
# subnet 192.168.1.0 255.255.255.0
# nat (inside,outside) dynamic my-outside-ips
My understanding of this example is that there would be a pool of addresses 10.1.1.1 through 101, each of which would be assigned individually to inside>out traffic. Would port 80 and 25 be separate connections per inside IP?
OR
# object network my-inside-net
# subnet 192.168.1.0 255.255.255.0
# nat (inside,outside) dynamic interface
My understanding of this example is that it translates any inside>out traffic to use the public IP (interface) address?
OR
If I flashed back to say 8.2 would I be able to use the converted PIX configuration I currently have?
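As an added example, not code from anyone in this thread: a small Python script that translates the pre-8.3 global/nat/static lines from the posted config into the 8.3 object-NAT form that the linked guide describes (dynamic PAT to the interface, a host object for the single-address global, and one static object per RDP port forward). Object names are made up, and the output should be checked against the 8.3 NAT guide before it is pasted into a 5510.

```python
import ipaddress
import re

# Constructed sample input: the pre-8.3 global/nat/static lines from the posted
# config, trimmed to two of the thirteen RDP port-forward statics.
OLD_NAT = """\
global (outside) 1 interface
global (outside) 2 10.129.64.1
nat (inside) 2 10.129.64.0 255.255.255.252 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.55 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.4 3389 netmask 255.255.255.255 0 0
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

def convert(text):
    """Return 8.3 object-NAT command lines for the pre-8.3 NAT lines in text (unmatched lines are skipped)."""
    pools = {}   # nat id -> (mapped interface, mapped address or "interface")
    for line in text.splitlines():
        m = GLOBAL_RE.match(line)
        if m:
            pools[m.group(2)] = (m.group(1), m.group(3))
    out, seen = [], set()
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m:
            real_ifc, nat_id, net, mask = m.groups()
            mapped_ifc, mapped = pools[nat_id]
            if mapped != "interface":
                # A single global address is PAT pre-8.3; model it as a host object (emitted once).
                if mapped not in seen:
                    out += [f"object network pat-{mapped}", f" host {mapped}"]
                    seen.add(mapped)
                mapped = f"pat-{mapped}"
            prefix = ipaddress.IPv4Network((net, mask)).prefixlen
            out += [f"object network net-{net}_{prefix}", f" subnet {net} {mask}",
                    f" nat ({real_ifc},{mapped_ifc}) dynamic {mapped}"]
        m = STATIC_RE.match(line)
        if m:
            real_ifc, mapped_ifc, proto, mapped, mport, real_ip, rport = m.groups()
            # One object per static: object NAT allows a single nat rule per object,
            # and the 8.3 service keyword takes the real port before the mapped port.
            out += [f"object network host-{real_ip}-{proto}-{rport}-to-{mport}",
                    f" host {real_ip}",
                    f" nat ({real_ifc},{mapped_ifc}) static {mapped} service {proto} {rport} {mport}"]
    return out
```

Run `print("\n".join(convert(OLD_NAT)))` to see the generated commands; the two dynamic objects (192.168.1.0/24 and 0.0.0.0/0) both map to the interface, which is the "dynamic interface" form asked about above.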
08-31-2010 10:49 AM
Hi Mike...
Kay...just focusing on the NAT, I see the following:
global (outside) 1 interface
global (outside) 2 10.129.64.1
nat (inside) 2 10.129.64.0 255.255.255.252 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
From what I see configured, just based on the nat configurations, I would not expect a NAT issue if you are pinging from another machine on the 192.168.1.0 network. Are the other machines you are pinging from on the 192.168.1.0 network? Do you have any logs from the ASA showing that the issue is NAT? Collect the logs from the ASA and verify the issue is NAT.
08-31-2010 10:58 AM
Hi !
I do not see the command "nat-control" in the configuration, so please enable "nat-control"; this will enable NAT/PAT for devices accessing the internet from the inside network.
Thanks
Manish
08-31-2010 11:33 AM
Mike! I would say you should try running a pre 8.3 code, as it is very new code and not only does it change the nat configuration, it also changes the acl configuration. I would say change the code, issue the command nat-control and we will troubleshoot it from there.
I am not familiar with 8.3 as of right now; trying to set it up in a test setup right now myself.
Thanks
Manish
08-31-2010 11:41 AM
I am going to try the nat-control command and then the ping process from inside IPs. I will post the results. It may be Monday before I am able to do so, as I have to request the temporary outage on the company network. Thanks to all who are following this thread and supporting my effort to upgrade from the PIX to ASA5510.
Regards,
Mike Townsend
08-31-2010 11:43 AM
Oh yeah, and I will take it back to say ASA 8.0 ???
08-31-2010 11:52 AM
Any code is fine Mike. Was curious if you collected those logs?
08-31-2010 11:59 AM
Thanks! No, unfortunately I only provide onsite service to that office every Friday. I was planning on configuring the 5510 before I went to save time and test it early Friday before the office opens. I should have known better than to try the bleeding edge version of ASA. Reading up on 8.0 right now.... Thanks for your help. If there are problems I will post logs when I return with results.
Thanks guys!!!
Mike T