Migrating PIX 501 configuration to ASA 5515-x configuration

Dec 10th, 2013

Hello,

I have been working on this migration from a PIX 501 to an ASA 5515-x. I have been greatly helped by a Cisco support team member. They gave me the instructions on how to migrate after I showed them the "run" config of the PIX and the ASA. Upon entering the info into the ASA I ran into a problem with one of the command strings. It seems that the command "static", when used in the string "nat (inside,outside) static etc", is no longer used in ASA.

I just want to "mirror" the PIX config to the ASA. I did receive from our NEW ISP the info to plug into the ASA for the fiber optic line that is being installed now. My questions are: 1. Why doesn't "static" work in ASA and what is the correct syntax? 2. I will post the NEW IP info for the new fiber line; instead of mirroring the PIX, how would I just plug the NEW info into the ASA?

Thanks,

Joseph



     Here is what I sent the cisco rep first...



OrthoPIX# sh startup-config

: Saved

: Written by enable_15 at 11:32:25.032 UTC Mon Dec 9 2013

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password NDa1RppHr2jz7Cnk encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname OrthoPIX

domain-name sbcglobal.net

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list outside permit tcp any host 66.xxx.xxx.xxx eq 3389

access-list 101 deny ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0

access-list nonat deny ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0

pager lines 24

logging on

logging buffered debugging

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside 66.xxx.xxx.xxx 255.255.xxx.xxx

ip address inside 10.10.10.251 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 66.xxx.xxx.xxx 3389 10.10.10.253 3389 netmask 255.255.255.255 0 0

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.xxx 15

route inside 10.10.11.0 255.255.255.0 10.10.10.254 1

route inside 10.10.12.0 255.255.255.0 10.10.10.254 1

route inside 10.10.20.4 255.255.255.252 10.10.10.254 1

route inside 10.10.30.4 255.255.255.252 10.10.10.254 1

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:01:00 absolute

timeout xlate 0:01:00

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 101

crypto map transam 1 set peer 65.69.93.98

crypto map transam 1 set transform-set myset

crypto map transam interface outside

isakmp key ******** address 65.69.93.98 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 167.1.162.167 255.255.255.255 outside

ssh timeout 60

dhcpd ping_timeout 750

terminal width 80


Here is the original ASA config I sent...


Result of the command: "show run"


: Saved

:

ASA Version 8.6(1)2

!

hostname ciscoasa

enable password NDa1RppHr2jz7Cnk encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif Port0/0

security-level 0

ip address dhcp setroute

!

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

pager lines 24

logging asdm informational

mtu management 1500

mtu Port0/0 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface Port0/0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous prompt 2

Cryptochecksum:c5af97904bf21e317a1006e9b3901aa1

: end



Here is what the Cisco rep said I should do to "mirror" both configs...



Hi,




I am not sure what your situation with the "outside" interface is. The PIX has a statically configured IP address and default route while the ASA at the moment has DHCP.




I will consider that the ASA should use the same configuration as the PIX




PHYSICAL INTERFACES




interface GigabitEthernet0/0


nameif outside


ip address 66.136.x.x 255.255.255.248




interface GigabitEthernet0/1


no shutdown


nameif inside


ip address 10.10.10.251 255.255.255.0




STATIC ROUTES




route outside 0.0.0.0 0.0.0.0 66.136.xxx.xxx 15




route inside 10.10.11.0 255.255.255.0 10.10.10.254 1


route inside 10.10.12.0 255.255.255.0 10.10.10.254 1


route inside 10.10.20.4 255.255.255.252 10.10.10.254 1


route inside 10.10.30.4 255.255.255.252 10.10.10.254 1




STATIC PAT (PORT FORWARD)




object network STATIC-PAT-RDP


host 10.10.10.253


nat (inside,outside) static 66.136.x.x service tcp 3389 3389






EXTERNAL ACCESS-LIST




access-list outside permit tcp any object STATIC-PAT-RDP eq 3389




access-group outside in interface outside






DYNAMIC PAT




nat (inside,outside) after-auto source dynamic any interface






NAT0 / NAT EXEMPT FOR L2L VPN




object network LAN


subnet 10.10.10.0 255.255.255.0




object network REMOTE-LAN


subnet 10.10.15.0 255.255.255.0




nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN






L2L VPN CONFIGURATION




access-list L2L-VPN remark L2L VPN Encryption Domain


access-list L2L-VPN permit ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0




crypto ipsec ikev1 transform-set DES esp-des esp-md5-hmac




crypto map transam 1 match address L2L-VPN


crypto map transam 1 set peer 65.69.93.98


crypto map transam 1 set ikev1 transform-set DES


crypto map transam interface outside




crypto isakmp identity address




crypto ikev1 policy 1


authentication pre-share


encryption des


hash md5


group 1


lifetime 1000




crypto ikev1 enable outside




tunnel-group 65.69.93.98 type ipsec-l2l


tunnel-group 65.69.93.98 ipsec-attributes


ikev1 pre-shared-key <presharedkey/PSK>






The above should be most of the configurations from PIX to the new ASA format



The line with "nat (inside,outside) static 66.136.x.x service tcp 3389 3389" the ASA has a problem with "static" in the command, the help says it's not used anymore. So what is the correct syntax?


Here is how the ASA looks now....



ciscoasa# sh run

: Saved

:

ASA Version 8.6(1)2

!

hostname OrthoPIX

domain-name sbcglobal.net

enable password NDa1RppHr2jz7Cnk encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

mac-address 0009.e8bf.6edc

nameif outside

security-level 0

ip address 6x.xxx.xxx.xxx 255.255.255.xxx

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.10.10.251 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 1xx.xxx.xx.xx

name-server 1xx.xxx.xx.xxx

domain-name sbcglobal.net

object network STATIC-PAT-RDP

host 10.10.10.253

access-list outside extended permit tcp any object STATIC-PAT-RDP

access-list outside extended permit tcp any object STATIC-PAT-RDP eq 3389

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

nat (inside,outside) after-auto source dynamic any interface

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 6x.xxx.xxx.xxx 15

route inside 10.10.11.0 255.255.255.0 10.10.10.254 1

route inside 10.10.12.0 255.255.255.0 10.10.10.254 1

route inside 10.10.20.0 255.255.255.0 10.10.10.254 1

route inside 10.10.30.0 255.255.255.0 10.10.10.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart


telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous prompt 2

Cryptochecksum:201bf8315b82ffb0f158046489b5f512

: end


What am I doing wrong? I know it's me because I'm still "rusty" on the ASA commands. Also, here is the new info for the new IP network we are receiving....



WAN IP: 12.XXX.XXX.XXX


Host Router Name: <HOSTNAME>


New IP Block: 12.XXX.XXX.XXX/28


Default Gateway GE-0/0: 12.XXX.XXX.XXX


Your 1st Network Device: 12.XXX.XXX.XXX


Subnet Mask: 255.255.255.XXX


DNS Resolvers: 12.XXX.XXX.XXX    12.XXX.XXX.XXX




Usable IP's: 12.XXX.XXX.XXX thru XXX



What do I need to do in order to just use the NEW ip info instead of the OLD PIX config info?


Thanks,

  Joseph

Correct Answer
Jouni Forss Tue, 12/10/2013 - 09:40

Hi,


The Static PAT (Port Forward) that was done in the old configuration format with the "static" command is done in the following way in the new configuration. I mentioned this in the previous discussion


It seems to me that you have not entered the "nat" command under the "object network STATIC-PAT-RDP"


STATIC PAT (PORT FORWARD)


object network STATIC-PAT-RDP

host 10.10.10.253

nat (inside,outside) static 66.136.x.x service tcp 3389 3389


If the ASA has not accepted the "nat" command it might mean that you entered it outside the "object" configuration mode. You first have to move under the "object"


object network STATIC-PAT-RDP


Then you enter the "nat" command next


nat (inside,outside) static 66.136.x.x service tcp 3389 3389



Then again you mention that your ISP is changing so you wont be able to use the above public IP address anymore. You have to replace it with a new IP address


There is really nothing special with changing the configurations of your external interface for the new ISP


The below first removes the current IP address from the interface and configures the new public IP address from the ISP. It then removes the old default route and enters the new default route. Naturally you will have to use the actual/correct IP address in your commands.


interface GigabitEthernet0/0

no ip address 6x.xxx.xxx.xxx 255.255.255.xxx

ip address 12.x.x.a 255.255.255.x


no route outside 0.0.0.0 0.0.0.0 6x.xxx.xxx.xxx 15

route outside 0.0.0.0 0.0.0.0 12.x.x.y


You will also need to change the Static PAT (Port Forward) configurations public IP address from before


Again we move under the "object" configuration mode and then remove the old "nat" command and enter a new "nat" command


object network STATIC-PAT-RDP

no nat (inside,outside) static 66.136.x.x service tcp 3389 3389

nat (inside,outside) static 12.x.x.b service tcp 3389 3389


- Jouni

orthostlgrp1 Tue, 12/10/2013 - 10:11

Hello Jouni,



Thank you so much for your reply! Here is what happens when I follow the instructions you gave with the "nat" command under the "object" configuration....



  

OrthoPIX> enable
Password: ***********
OrthoPIX# config t
OrthoPIX(config)# obj
OrthoPIX(config)# object netwo
OrthoPIX(config)# object network S
OrthoPIX(config)# object network STATIC-PAT-RDP
OrthoPIX(config-network-object)# host 10.10.10.253
OrthoPIX(config-network-object)# nat (i
OrthoPIX(config-network-object)# nat (inside,o
OrthoPIX(config-network-object)# nat (inside,outside) static 66.xxx.xxx.xxx se$
ERROR: Address 66.xxx.xxx.xxx overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

OrthoPIX(config-network-object)#


Was I supposed to "activate" nat???



Thanks,

Joseph

Correct Answer
Jouni Forss Tue, 12/10/2013 - 10:14

Hi,


Seems the IP address you are using is actually the same IP address that is configured in your "outside" interface.


Enter this command under the "object" instead.


object network STATIC-PAT-RDP

  nat (inside,outside) static interface service tcp 3389 3389


The parameter "interface" will tell the ASA to use the "outside" interface IP address as the NAT IP Address.


- Jouni
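The two answers above (the 09:40 one on turning a PIX "static" into object NAT, and the 10:14 one on using "interface" when the global address is the outside interface's own address) describe a mechanical translation, so here is an added example that performs it. It is not part of this thread and not a Cisco tool: a small Python script that reads the NAT-related lines of a PIX 6.x config and emits the ASA 8.3+ equivalent. The sample input is constructed from the PIX config posted above with the masked 66.x addresses replaced by documentation space (203.0.113.0/29 is an assumption standing in for the real block), and the object names it generates (HOST-..., LAN-..., REMOTE-...) are the script's own rather than the STATIC-PAT-RDP / LAN / REMOTE-LAN names used in the answers. Beyond the single static PAT on this page it also handles a one-to-one "static", and it flags two things a migration should not carry over silently: a global address equal to the outside interface address (the "overlaps with outside interface address" error in the session above) becomes the "interface" keyword, and a "deny" entry in a "nat 0 access-list" ACL is reported instead of converted, since a deny exempts nothing. The PIX config as posted has "deny" in both the nonat ACL and the crypto ACL 101, which is worth checking on the real box before the VPN is expected to come up.

```python
"""Translate PIX 6.x NAT lines into ASA 8.3+ object NAT / twice NAT.

Added example for this thread, not a Cisco tool. It covers only the line
shapes in the PIX config posted above plus a one-to-one 'static'.
"""
import ipaddress
import re

STATIC_PAT = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\d+) (?P<real_ip>\S+) (?P<real_port>\d+)")
STATIC_1TO1 = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<mapped_ip>\d\S+) "
    r"(?P<real_ip>\d\S+) netmask 255\.255\.255\.255")
GLOBAL_IFACE = re.compile(r"global \((?P<mapped_if>\w+)\) (?P<nat_id>\d+) interface")
NAT_DYNAMIC = re.compile(r"nat \((?P<real_if>\w+)\) (?P<nat_id>[1-9]\d*) 0\.0\.0\.0 0\.0\.0\.0")
NAT_EXEMPT = re.compile(r"nat \((?P<real_if>\w+)\) 0 access-list (?P<acl>\S+)")
ACL_IP = re.compile(
    r"access-list (?P<name>\S+) (?P<action>permit|deny) ip "
    r"(?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)")
ACL_HOST_PORT = re.compile(
    r"access-list (?P<name>\S+) permit (?P<proto>tcp|udp) any host (?P<ip>\S+) eq (?P<port>\d+)")

# Constructed sample: the NAT-related lines of the PIX config posted in the thread,
# with the masked 66.x addresses replaced by documentation space (assumption).
OUTSIDE_IP = "203.0.113.2/29"
PIX_LINES = """\
access-list outside permit tcp any host 203.0.113.2 eq 3389
access-list 101 deny ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list nonat deny ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 203.0.113.2 3389 10.10.10.253 3389 netmask 255.255.255.255 0 0
""".splitlines()


def obj_name(prefix, ip, mask=None):
    """Derive a hyphen-only object name, e.g. HOST-10-10-10-253 or LAN-10-10-10-0-24."""
    tag = ip.replace(".", "-")
    if mask:
        tag += "-%d" % ipaddress.ip_network(f"{ip}/{mask}", strict=False).prefixlen
    return f"{prefix}-{tag}"


def translate(pix_lines, outside_iface, outside_name="outside"):
    """Return (asa_lines, warnings). outside_iface is the ASA outside address 'a.b.c.d/len';
    a static whose global address equals it must use the 'interface' keyword."""
    outside = ipaddress.ip_interface(outside_iface)
    asa, warns, dynamic = [], [], []
    globals_by_id, acls, mapped_to_obj = {}, {}, {}

    # Pass 1: index lines that other lines refer to by NAT id or ACL name.
    for line in map(str.strip, pix_lines):
        if m := GLOBAL_IFACE.match(line):
            globals_by_id[m["nat_id"]] = m["mapped_if"]
        elif m := ACL_IP.match(line):
            acls.setdefault(m["name"], []).append(m)

    # Pass 2: every 'static' becomes object NAT on the real (inside) host.
    for line in map(str.strip, pix_lines):
        m = STATIC_PAT.match(line) or STATIC_1TO1.match(line)
        if not m:
            continue
        name = obj_name("HOST", m["real_ip"])
        mapped = ipaddress.ip_address(m["mapped_ip"])
        if mapped == outside.ip:
            mapped_str = "interface"  # literal address would overlap the interface address
        else:
            mapped_str = str(mapped)
            if mapped not in outside.network:
                warns.append(f"{mapped} is not in {outside.network}; the ISP must route it to the ASA")
        nat = f" nat ({m['real_if']},{m['mapped_if']}) static {mapped_str}"
        if m.re is STATIC_PAT:  # ASA service order is real_port then mapped_port
            nat += f" service {m['proto']} {m['real_port']} {m['mapped_port']}"
        asa += [f"object network {name}", f" host {m['real_ip']}", nat]
        mapped_to_obj[m["mapped_ip"]] = name

    # Pass 3: post-8.3 ACLs match the real address, so 'host <global>' becomes the object.
    for line in map(str.strip, pix_lines):
        if (m := ACL_HOST_PORT.match(line)) and m["ip"] in mapped_to_obj:
            asa.append(f"access-list {m['name']} extended permit {m['proto']} any "
                       f"object {mapped_to_obj[m['ip']]} eq {m['port']}")

    # Pass 4: dynamic PAT (section 3, after-auto) and NAT exemption (section 1, twice NAT).
    for line in map(str.strip, pix_lines):
        if m := NAT_DYNAMIC.match(line):
            if mapped_if := globals_by_id.get(m["nat_id"]):
                dynamic.append(f"nat ({m['real_if']},{mapped_if}) after-auto source dynamic any interface")
            else:
                warns.append(f"nat id {m['nat_id']} has no matching 'global (...) {m['nat_id']} interface'")
        elif m := NAT_EXEMPT.match(line):
            for e in acls.get(m["acl"], []):
                if e["action"] == "deny":
                    warns.append(f"{m['acl']}: a deny entry exempts nothing from NAT; check whether permit was meant")
                    continue
                lan = obj_name("LAN", e["src"], e["smask"])
                rem = obj_name("REMOTE", e["dst"], e["dmask"])
                asa += [f"object network {lan}", f" subnet {e['src']} {e['smask']}",
                        f"object network {rem}", f" subnet {e['dst']} {e['dmask']}",
                        f"nat ({m['real_if']},{outside_name}) source static {lan} {lan} "
                        f"destination static {rem} {rem}"]
    return asa + dynamic, warns


if __name__ == "__main__":
    lines, notes = translate(PIX_LINES, OUTSIDE_IP)
    print("\n".join(lines))
    for n in notes:
        print("! WARNING:", n)
```

Run as a script it prints the ASA lines followed by the warnings as "!" comment lines, so the output can be pasted into configure mode and then diffed against "show run nat" and "show run object". The exemption rule it emits is twice NAT (section 1) and the dynamic PAT is after-auto (section 3), which is why the relative order of those two lines in the config does not matter while the object NAT for the RDP host is always evaluated between them.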

orthostlgrp1 Tue, 12/10/2013 - 10:21

Hello,

Thanks again Jouni, that was it! Now I have to go on-site and test it out.

Thank you so much!

Joseph

orthostlgrp1 Tue, 12/10/2013 - 16:13

Hello,

I'm starting to "see" what you meant by "what my "outside" consists of". The AT&T fiber guys came out and we speed tested the new network and everything is great. Now, when I plugged the "fiber's" GE 0/0 into the ASA's GE 0/0 I have an "amber light" showing on the "spd" side of the port. The fiber's GE has a static IP tied to it. I don't think I have my configuration set up for the "fiber's static IP". So basically AT&T has a fiber router and it is going to deliver internet to my ASA. How should I set up my "outside" port to talk to THEIR "outside" port??? Also what is the correct command to input DNS into a router???

Thanks,

Joseph

Joseph Green Tue, 12/10/2013 - 19:42

Hello Jouni,

Thinking about it further, when I tested the speedtest, I plugged my laptop in and entered basic IP info. I have yet to configure a "Gateway or Router" in the ASA configuration. How would I go about configuring the ASA to point to a Gateway?

Thanks,

Joseph

Correct Answer
Jouni Forss Wed, 12/11/2013 - 06:03

Hi,


From your earlier messages I gathered that you were allocated a small public subnet from the ISP providing the fiber connection? Or is it a single IP address from the subnet only?


You should simply configure the IP address to the current "outside" interface with the "ip address" command like I described above. You should also change the default route to point to the new ISP connections gateway IP address with the "route outside 0.0.0.0 0.0.0.0 " command I mentioned above.


Your change also involved changing the NAT IP address in the RDP Static PAT configuration since it uses an IP address from the original. Also mentioned this in the above post.


These are naturally best done on site since you naturally would lose any remote management connection to the ASA while changing the IP addresses and routes.


With regards to the DNS: you don't really need to tell the ASA the DNS servers unless you use the ASA as a DHCP server for the LAN users. The new ISP DNS server should be configured on the device that currently gives IP addresses to the LAN hosts, or if statically configured then it would need to be changed on the actual hosts.


- Jouni

Joseph Green Wed, 12/11/2013 - 06:26

Hello Jouni,

Thank you for your reply! Yes, you are right. Last night after looking over all my configs and your notes I noticed my route wasn't configured properly to point to the ISP router from the ASA. I did change the NAT IP as well. Also, like you stated, the 2600 router that DHCPs the offices still had the OLD DNS IPs and not the new ones. After fixing configs and rebooting the router, all is well now, so it seems. lol. Thank you for all your help and notes, I'm learning so much as an Admin working with Cisco equipment. Really appreciate it!

Thank you,

Joseph
