Migrating from a PIX 501 to ASA 5505

Unanswered Question
Jan 22nd, 2011

Well, I'm just having a complete blast doing this. We have pulled the plug on our PIX 501 as it's not letting us use all 100 Mbit that our cable provider is now piping to us. I read the conversion guide but it made no mention of the 501s, only the 515s or newer.

The ASA 5505 is putting up a little bit of a fight (this is what I get for failing my CCNA??)

After refusing to configure the LAN IP address to something other than what it was shipped with, I broke down and connected to the management console and forced an IP address on the LAN side. Now I reset my default config and everyone can get on the internet.

Life's good... until the ISP cuts you off because you forgot to set your static IP. Oh, and by the way, they don't support Cisco gear.

When I attempt to assign the IP to the outside interface, it accepts without a hitch, but everything grinds to a halt. I cannot have this, as I have off-site users that operate with dedicated ports using Remote Desktop. I've attempted to set the IP via both ASDM and the management console. I've tried setting a static route, but that doesn't give me any love either.

I'm running ASA Version 8.2(1) and ASDM Version 6.2(1).

Once I get the static IP set and working properly, I can tackle moving the port configs.

If someone can tell me what I'm doing wrong, it would be greatly appreciated.

-Joe

joseph.harder Sat, 01/22/2011 - 12:48

Okay, this is very odd.

I manually issued the command "route outside 0.0.0.0 0.0.0.0 70.x.x.97" to the router via the console and it now works with a static IP address. But yet, when I attempt to do this with the ASDM via CLI or the visual interface, it doesn't work.

Is something getting lost in translation or am I pulling a noobish mistake?

joseph.harder Mon, 01/24/2011 - 11:01

I've done my best to not molest the config too much for diagnostic purposes. IP and serial numbers are obviously masked for safety reasons.

Since I did the initial config via the management port, settings are staying what I've set them at and communication is flowing properly.

I may have inadvertently panicked during initial configuration, thinking I had broken something, somewhere.

--

: Saved
:
ASA Version 8.2(1)
!
hostname ASA5505
enable password W3HbHchof2CuwrYs encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.144 fantasticfour
name 192.168.0.5 msabackupdc
name 192.168.0.14 phoenix
name 192.168.0.34 KonikaMinolta750
name 192.168.0.30 KonikaMinoltaC550
name 192.168.0.133 cadaver
name 192.168.0.11 postal5
name 192.168.0.182 extreme
name 192.168.0.183 piggy
name 192.168.0.147 sugar
name 192.168.0.161 great-stuff
name 192.168.0.231 pinktoe
name 192.168.0.103 rainyday
name 192.168.0.187 runnerup
name 192.168.0.108 kramer
name 192.168.0.129 hagrid
name 192.168.0.139 butterball
name 192.168.0.148 curley
name 192.168.0.138 saturn
name 192.168.0.128 pizzahut
name 192.168.0.115 seasnake
name 192.168.0.106 badger
name 192.168.0.197 knibbler
name 192.168.0.127 chinook
name 192.168.0.145 tinytim
name 192.168.0.223 msa-223
name 192.168.0.239 max
name 192.168.0.140 mrbig
name 192.168.0.126 cobolt
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 70.derp.derp.109 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit udp host phoenix any eq domain
access-list inside_access_in extended permit udp host msabackupdc any eq domain
access-list inside_access_in extended permit udp host msabackupdc any eq time
access-list inside_access_in extended permit udp host phoenix any eq time
access-list inside_access_in extended permit udp host cadaver any
access-list inside_access_in remark Rouse 3, First Floor Copier
access-list inside_access_in extended permit tcp host KonikaMinolta750 any eq 465
access-list inside_access_in remark Rouse 3, Second Floor Copier
access-list inside_access_in extended permit tcp host KonikaMinoltaC550 any eq 465
access-list inside_access_in extended permit tcp host postal5 any eq 465
access-list inside_access_in extended permit tcp host postal5 any eq 587
access-list outside_access_in extended permit tcp any any eq 3182
access-list outside_access_in extended permit tcp any any eq 3118
access-list outside_access_in extended permit tcp any any eq 3245
access-list outside_access_in extended permit tcp any any eq 3129
access-list outside_access_in extended permit tcp any any eq 3261
access-list outside_access_in extended permit tcp any any eq 3958
access-list outside_access_in extended permit tcp any any eq 3188
access-list outside_access_in extended permit tcp any any eq 3999
access-list outside_access_in extended permit tcp any any eq 3259
access-list outside_access_in extended permit tcp any any eq 3146
access-list outside_access_in extended permit tcp any any eq 3233
access-list outside_access_in extended permit tcp any any eq 3241
access-list outside_access_in extended permit tcp any any eq 3121
access-list outside_access_in extended permit tcp any any eq 3122
access-list outside_access_in extended permit tcp any any eq 3184
access-list outside_access_in extended permit tcp any any eq 3120
access-list outside_access_in extended permit tcp any any eq 3204
access-list outside_access_in extended permit tcp any any eq 3234
access-list outside_access_in extended permit tcp any any eq 3243
access-list outside_access_in extended permit tcp any any eq 3244
access-list outside_access_in extended permit tcp any any eq 3189
access-list outside_access_in extended permit tcp any any eq 3237
access-list outside_access_in extended permit tcp any any eq 3135
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3182 piggy 3182 netmask 255.255.255.255
static (inside,outside) tcp interface 3118 sugar 3118 netmask 255.255.255.255
static (inside,outside) tcp interface 3129 great-stuff 3129 netmask 255.255.255.255
static (inside,outside) tcp interface 3261 pinktoe 3261 netmask 255.255.255.255
static (inside,outside) tcp interface 3958 rainyday 3958 netmask 255.255.255.255
static (inside,outside) tcp interface 3188 runnerup 3188 netmask 255.255.255.255
static (inside,outside) tcp interface 3245 extreme 3245 netmask 255.255.255.255
static (inside,outside) tcp interface 3999 kramer 3999 netmask 255.255.255.255
static (inside,outside) tcp interface 3259 hagrid 3259 netmask 255.255.255.255
static (inside,outside) tcp interface 3146 butterball 3146 netmask 255.255.255.255
static (inside,outside) tcp interface 3233 curley 3233 netmask 255.255.255.255
static (inside,outside) tcp interface 3241 fantasticfour 3241 netmask 255.255.255.255
static (inside,outside) tcp interface 3121 saturn 3121 netmask 255.255.255.255
static (inside,outside) tcp interface 3122 pizzahut 3122 netmask 255.255.255.255
static (inside,outside) tcp interface 3184 seasnake 3184 netmask 255.255.255.255
static (inside,outside) tcp interface 3120 badger 3120 netmask 255.255.255.255
static (inside,outside) tcp interface 3204 knibbler 3204 netmask 255.255.255.255
static (inside,outside) tcp interface 3234 chinook 3234 netmask 255.255.255.255
static (inside,outside) tcp interface 3243 tinytim 3243 netmask 255.255.255.255
static (inside,outside) tcp interface 3244 msa-223 3244 netmask 255.255.255.255
static (inside,outside) tcp interface 3189 max 3189 netmask 255.255.255.255
static (inside,outside) tcp interface 3237 mrbig 3237 netmask 255.255.255.255
static (inside,outside) tcp interface 3135 cobolt 3135 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 70.durr.hurr.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address msabackupdc-192.168.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c789da792dc37673a7b2cec00d2c76e4
: end
no asdm history enable

--

Result of the command: "show version"

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

ASA5505 up 2 days 2 hours

Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Int: Internal-Data0/0 : address is c471.fe36.85d9, irq 11
1: Ext: Ethernet0/0 : address is c471.fe36.85d1, irq 255
2: Ext: Ethernet0/1 : address is c471.fe36.85d2, irq 255
3: Ext: Ethernet0/2 : address is c471.fe36.85d3, irq 255
4: Ext: Ethernet0/3 : address is c471.fe36.85d4, irq 255
5: Ext: Ethernet0/4 : address is c471.fe36.85d5, irq 255
6: Ext: Ethernet0/5 : address is c471.fe36.85d6, irq 255
7: Ext: Ethernet0/6 : address is c471.fe36.85d7, irq 255
8: Ext: Ethernet0/7 : address is c471.fe36.85d8, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled

This platform has a Base license.

Serial Number: .= >
Running Activation Key: 0x1c01ea67 0xa8f805d1 0x68e119dc 0xacbcc8bc 0xcc37198b
Configuration register is 0x1
Configuration last modified by enable_15 at 19:06:34.039 EST Sat Jan 22 2011


hobbe Mon, 01/24/2011 - 13:31

Hi Joseph

Not to be rude or anything like that, but IF you are doing what I think you are doing then you are truly skating on thin ice.

IF you are letting people in to their desktops via Remote Desktop using this configuration, I must strongly advise you to rethink.

The ASA has some excellent VPN features, both using SSL and using "normal" IPsec tunnels, to help you with securing the access to your network.

You can use these features to help you secure your network and users so that not anyone can start hacking your Windows boxes.

(IPsec is the "better" solution in my personal view.)

Let the firewall do what it does best and do not turn it into a Swiss cheese.

If you need help setting it up, let us know and I or someone else here will help you set up a config that works for your environment.

One of the best things with the ASA, I think, is that as long as you have not saved you can always reload and return to where you started your test configuration if you screw it up somewhere.

Or it could be that I am seeing things and am totally wrong.

Let us know if we can be of service.

Good luck

Hope this helps

joseph.harder Mon, 01/24/2011 - 15:51

As of yet, we've had no issue, but your idea is very sound, hobbe. I would love to set up a VPN client to do this, rather than expose each workstation. The workstations here have quite obnoxious password requirements, along with some decent hardening. Passwords that are locked require admin intervention.

VPNs disconnect users from their home networks, so they cannot print documents at their local PC. I've been meaning to switch to things like thin clients for the workers.

Locked doors keep honest people out. We have nothing to hide if they do get in. Nothing more than useless AutoCAD drawings and soil samples. Users let me know right away when stuff breaks.

My biggest problem is malware and rootkits that are sneaking in via infected emails that Postini doesn't catch.


hobbe Tue, 01/25/2011 - 00:04

IF the reason that you are not using VPN is that the users cannot print on their local LAN, that is a configurable option: you can allow split tunneling so the users can access the local LAN or even the Internet.

True that locks keep out honest people.

But it is also true that the low-hanging fruit gets picked first.

Good luck

HTH

srkrehlik Sun, 01/23/2011 - 22:56

Joseph,

As much as I like most of what Cisco makes, ASDM can be somewhat confusing. I recommend that you use the CLI to do the basic configuration and use ASDM for maintenance of your CLI-based configuration. It's been a while since I've had an ASA to work on "live", but if I recall, ASDM does not directly apply all settings immediately.

When I was first presented with an ASA I spent a few days in the same type of situation you are in. While it is very similar to the PIX, the ASA with its enhanced features can be confusing. Even using the CLI was a whole different experience, almost a combination of a PIX and a router. Don't give up on the ASA or lose faith in your skills; it just takes a while to get the "feel" of it.

joseph.harder Mon, 01/24/2011 - 11:27

The 5505 is much faster than the 501 and I like it a lot, but just the simplicity of the 501 kept me using it. I now have to update my documentation as the commands I've been using are now different.

The PDM command is no longer supported. That one I learned before changing over.

ACCESS-LIST syntax is different. What does "extended" refer to? It was automatically added when I pasted it to the CLI in the ASDM.

---Before---

name 192.168.0.
pdm location 255.255.255.255 inside
access-list outside_access_in permit tcp any any eq
static (inside,outside) tcp interface netmask 255.255.255.255 0 0

---Now---

name 192.168.0.
access-list outside_access_in extended permit tcp any any eq

static (inside,outside) tcp interface netmask 255.255.255.255 0 0

Cadet Alain Mon, 01/24/2011 - 11:36

Hi,

Extended vs. standard:

extended: can work at L4; source and destination IP as well as source and destination ports can be configured.

standard: destination IP only, L3 only.

Regards.

Alain.
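Tying hobbe's "Swiss cheese" warning to Alain's ACL explanation: the risk in the posted config is the combination of a static PAT for each workstation with an outside_access_in entry that permits that port from any source. The script below is an added example, not code from the thread or from Cisco. It parses ASA 8.2-style name, access-list (standard and extended), static and access-group lines and lists every published port that the ACL bound to the outside interface allows from any address. The sample config is constructed for the example: the piggy, sugar and kramer lines mirror the posted config, while the 203.0.113.7 source restriction and the mgmt_nets standard ACL are invented for contrast. First-match ACL ordering is deliberately ignored, which is fine for a permit-only list like the one posted.

```python
"""Audit an ASA 8.2-style config for inside hosts published to the whole Internet.

Added example, not from the thread. It parses `name`, `static (inside,outside)
... interface ...`, `access-list ... standard|extended ...` and `access-group`
lines, then lists each static PAT that the outside ACL permits from any source.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: piggy/sugar/kramer lines mirror the posted config; the
# 203.0.113.7 source restriction and the standard ACL are invented for contrast.
SAMPLE_CONFIG = """\
name 192.168.0.183 piggy
name 192.168.0.147 sugar
name 192.168.0.108 kramer
access-list outside_access_in remark published desktops
access-list outside_access_in extended permit tcp any any eq 3182
access-list outside_access_in extended permit tcp any any eq 3118
access-list outside_access_in extended permit tcp host 203.0.113.7 any eq 3999
access-list mgmt_nets standard permit 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface 3182 piggy 3182 netmask 255.255.255.255
static (inside,outside) tcp interface 3118 sugar 3118 netmask 255.255.255.255
static (inside,outside) tcp interface 3999 kramer 3999 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""


@dataclass(frozen=True)
class Ace:
    acl: str
    kind: str             # "standard" (destination network only) or "extended"
    action: str           # "permit" or "deny"
    proto: Optional[str]  # None for standard ACEs: they carry no L4 information
    src: Optional[str]    # None for standard ACEs; else "any", "host A" or "A MASK"
    dst: str
    port: Optional[str]   # destination port from an "eq" clause, else None


@dataclass(frozen=True)
class StaticPat:
    proto: str
    out_port: str
    inside_host: str      # alias or address exactly as written in the config
    in_port: str


@dataclass
class Config:
    names: Dict[str, str]     # alias -> IP from `name` lines
    aces: List[Ace]
    statics: List[StaticPat]
    applied: Dict[str, str]   # interface -> ACL name from `access-group`


def _take_addr(tokens: List[str]) -> str:
    """Consume one address spec from the token list: any | host A | A MASK."""
    head = tokens.pop(0)
    if head == "any":
        return "any"
    if head == "host":
        return "host " + tokens.pop(0)
    return head + " " + tokens.pop(0)


def parse_config(text: str) -> Config:
    cfg = Config({}, [], [], {})
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name" and len(t) >= 3:
            cfg.names[t[2]] = t[1]
        elif t[0] == "access-list" and len(t) >= 5 and t[2] in ("standard", "extended"):
            acl, kind, action, rest = t[1], t[2], t[3], t[4:]
            if kind == "standard":   # no protocol, no source, no ports: L3 destination only
                cfg.aces.append(Ace(acl, kind, action, None, None, _take_addr(rest), None))
            else:
                proto = rest.pop(0)
                src, dst = _take_addr(rest), _take_addr(rest)
                port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
                cfg.aces.append(Ace(acl, kind, action, proto, src, dst, port))
        elif t[0] == "static" and len(t) >= 7 and t[1] == "(inside,outside)" and t[3] == "interface":
            cfg.statics.append(StaticPat(t[2], t[4], t[5], t[6]))
        elif t[0] == "access-group" and len(t) >= 5 and t[2] == "in":
            cfg.applied[t[4]] = t[1]
    return cfg


@dataclass(frozen=True)
class Exposure:
    out_port: str
    inside_alias: str
    inside_ip: str


def internet_exposures(cfg: Config) -> List[Exposure]:
    """Static PATs that the ACL bound to 'outside' permits from any source.

    A permit without an `eq` clause exposes every published port of that
    protocol, and `ip` matches both tcp and udp. ACL first-match ordering is
    ignored (adequate for a permit-only list).
    """
    acl = cfg.applied.get("outside")
    found = set()
    for ace in cfg.aces:
        if ace.acl != acl or ace.kind != "extended" or ace.action != "permit" or ace.src != "any":
            continue
        for pat in cfg.statics:
            if ace.proto in ("ip", pat.proto) and ace.port in (None, pat.out_port):
                found.add(Exposure(pat.out_port, pat.inside_host,
                                   cfg.names.get(pat.inside_host, pat.inside_host)))
    return sorted(found, key=lambda e: e.out_port)


if __name__ == "__main__":
    for e in internet_exposures(parse_config(SAMPLE_CONFIG)):
        print(f"tcp/{e.out_port} -> {e.inside_alias} ({e.inside_ip}) reachable from any source")
```

Run against the sample, it reports tcp/3118 (sugar) and tcp/3182 (piggy) as open to the world, while tcp/3999 (kramer) is not listed because its ACE is restricted to one source host; the standard ACE parses with no protocol, source or port, which is exactly the difference Alain describes. Point it at a real `show running-config` and each reported line is a port that should either be source-restricted or moved behind the VPN hobbe recommends.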

Posted January 22, 2011 at 11:21 AM. Replies: 10, Avg. Rating: 4, Views: 745, Votes: 0