Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

ASA 8.2 to 9.1 migration rewrite

I'm migrating from 8.2 to 9.1.2 and would like some help rewriting my NAT....also just some general help w/ the config for optimization would be appreciated.

I tried just a straight upgrade last week and it broke all of my rules....should've researched it before a cutover [facepalm]

Config below:

sh run

: Saved

:

ASA Version 8.2(5)

!

hostname DATACENTER-5520

domain-name **********.org

enable password ********** encrypted

passwd ********** encrypted

names

name 10.0.1.26 ***********

name 10.9.0.0 ***********

name 10.0.6.0 **********

name 10.0.1.205 ************

name 10.0.6.135 ***********

name 72.246.43.98 *************

name 10.3.2.103 ***********

name 10.0.14.0 **********

name 10.3.1.117 **********

name 10.0.11.30 ********

name 10.0.14.158 ********

name 10.0.16.0 **************

name 10.9.3.23 ***********

name 10.0.11.47 ***********

name 10.0.245.0 ************

name 87.240.167.0 ********

name 87.240.160.0 ********

name 87.240.173.0 ********

name 87.240.0.0 *********

name 10.18.5.30 *********

dns-guard

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 64.***.***.*** 255.255.255.240

no pim

no igmp

no mfib forwarding

!

interface GigabitEthernet0/1

speed 1000

duplex full

nameif inside

security-level 100

ip address 10.0.255.3 255.255.255.248

no pim

no igmp

no mfib forwarding

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

nameif management

security-level 100

no ip address

no pim

no igmp

no mfib forwarding

management-only

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 10.0.1.11

name-server 10.0.1.12

domain-name *************.org

same-security-traffic permit intra-interface

object-group network CONNECT_TO_CANTON

network-object 10.0.1.0 255.255.255.0

network-object 10.1.1.0 255.255.255.0

network-object 10.4.0.0 255.255.0.0

object-group service OWA tcp

description ports needed for OWA

port-object eq https

port-object eq www

object-group network MAIN_CAMPUS

network-object 10.0.0.0 255.224.0.0

object-group network SMTPHOSTS

description Known Good SMTP Hosts

network-object host 10.0.1.14

network-object host 10.0.1.2

network-object host 10.8.1.9

network-object host ****

network-object host 10.0.1.25

network-object host 10.18.1.10

network-object COMMWLS 255.255.255.0

network-object 10.1.1.0 255.255.255.0

network-object host 10.0.11.43

network-object host *********

network-object host *********

network-object secure01 255.255.255.0

network-object host 10.0.1.18

network-object host *********

object-group service Torrent tcp-udp

description Bit Torrent

port-object eq 113

object-group network SMTPHOSTS_CAMPUS

network-object **** 255.255.254.0

network-object 10.0.8.0 255.255.255.0

network-object **** 255.255.0.0

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service Presidium tcp

port-object eq www

port-object eq https

port-object eq ssh

object-group network HCCStudent

description Blockage

network-object 10.0.10.0 255.255.255.0

network-object host 10.0.1.9

object-group service Plex tcp-udp

description Plex Server

port-object eq 32400

object-group service KronosTrain tcp-udp

port-object eq 1935

object-group network AUTHDNS

description 10.0.3.33

network-object host 10.0.1.11

network-object host 10.0.1.12

network-object host 10.0.1.8

network-object host 10.0.1.9

network-object host 10.0.3.31

network-object host 10.0.3.32

network-object host 10.0.3.33

network-object host 10.0.3.34

network-object 10.0.8.0 255.255.255.0

network-object 10.255.0.0 255.255.255.0

network-object ******* 255.255.255.0

network-object 10.0.255.0 255.255.255.248

network-object host 10.0.1.18

object-group service DM_INLINE_SERVICE_1

service-object udp eq dnsix

service-object tcp-udp eq domain

object-group service DM_INLINE_SERVICE_2

service-object tcp-udp eq domain

service-object udp eq dnsix

object-group service DM_INLINE_TCP_1 tcp

group-object KronosTrain

port-object eq https

object-group network Hacker-Block

description IP ranges to block

network-object *************02 255.255.255.0

network-object *************01 255.255.255.0

network-object *************03 255.255.255.0

network-object *************04 255.255.0.0

object-group network DM_INLINE_NETWORK_1

network-object host 10.0.1.18

network-object host ****

object-group service **** tcp-udp

port-object range 443 444

object-group service MC tcp-udp

port-object eq 25565

port-object eq 8123

access-list inside_nat0_outbound extended permit ip object-group CONNECT_TO_CANTON 10.255.0.0 255.255.255.0

access-list inside_nat0_outbound remark CLAND VPN

access-list inside_nat0_outbound extended permit ip object-group MAIN_CAMPUS 10.255.1.0 255.255.255.224

access-list inside_nat0_outbound remark IT VPN

access-list inside_nat0_outbound extended permit ip object-group MAIN_CAMPUS 10.255.1.32 255.255.255.224

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.240.0.0

access-list inside_nat0_outbound extended permit ip any 10.255.1.0 255.255.255.224

access-list cland802_splitTunnelAcl standard permit 10.0.0.0 255.224.0.0

access-list outside_cryptomap extended permit ip any 10.255.1.0 255.255.255.224

access-list outside_cryptomap extended permit ip any 10.255.1.32 255.255.255.224

access-list outside_access_in extended permit tcp any host ***.***.***.227 eq smtp

access-list outside_access_in extended permit tcp any host ***.***.***.228 object-group OWA

access-list outside_access_in extended permit tcp any host ***.***.***.229 eq https

access-list outside_access_in extended permit object-group TCPUDP any host ***.***.***.235 eq www

access-list outside_access_in extended permit object-group TCPUDP any host ***.***.***.237 object-group MC log d

isable

access-list outside_access_in extended permit object-group TCPUDP any host ***.***.***.237 eq www inactive

access-list outside_access_in extended permit udp any host ***.***.***.238 eq tftp log disable

access-list outside_access_in extended deny ip object-group Hacker-Block any inactive

access-list outside_access_in extended permit icmp any any

access-list HlandIT_splitTunnelAcl standard permit 10.0.0.0 255.224.0.0

access-list 111 extended permit object-group DM_INLINE_SERVICE_1 object-group AUTHDNS any log

access-list 111 extended deny object-group DM_INLINE_SERVICE_2 any any log

access-list 111 extended permit tcp object-group SMTPHOSTS any eq smtp log disable

access-list 111 extended deny tcp any any eq smtp log

access-list 111 extended permit ip any any

access-list Convergent_splitTunnelAcl standard permit any

access-list outside_cryptomap_1 extended permit ip any 10.255.1.0 255.255.255.224

access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.240.0.0

access-list 130 extended permit tcp object-group DM_INLINE_NETWORK_1 any eq smtp

access-list netflow-export extended permit ip any any

no pager

logging enable

logging timestamp

logging buffer-size 40960

logging buffered debugging

logging trap notifications

logging asdm informational

logging from-address asa@*************.org

logging recipient-address itstaff@*************.org level errors

logging host inside 10.0.1.35

logging permit-hostdown

no logging message 106015

no logging message 313001

no logging message 313008

no logging message 106023

no logging message 305012

no logging message 305011

no logging message 710003

no logging message 106100

no logging message 302015

no logging message 302014

no logging message 302013

no logging message 304001

no logging message 609002

no logging message 609001

no logging message 302018

no logging message 302017

no logging message 302016

no logging message 302021

no logging message 302020

flow-export destination inside 10.0.1.9 2055

flow-export template timeout-rate 1

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool clandpool 10.255.1.1-10.255.1.31 mask 255.255.255.224

ip local pool hlanditpool 10.255.1.33-10.255.1.62 mask 255.255.255.224

ip verify reverse-path interface outside

ip verify reverse-path interface inside

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk1:/asdm-713.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

global (outside) 3 ***.***.***.227

global (outside) 5 ***.***.***.237 netmask 255.0.0.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 3 access-list 130

nat (inside) 1 10.0.0.0 255.0.0.0

static (inside,outside) ***.***.***.228 10.0.1.18 netmask 255.255.255.255

static (inside,outside) ***.***.***.227 10.0.1.2 netmask 255.255.255.255

static (inside,outside) ***.***.***.237 10.0.1.173 netmask 255.255.255.255

static (inside,outside) ***.***.***.229 10.8.1.9 netmask 255.255.255.255

static (inside,outside) ***.***.***.235 10.0.1.33 netmask 255.255.255.255

static (inside,outside) ***.***.***.238 10.0.2.2 netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group 111 in interface inside

route outside 0.0.0.0 0.0.0.0 ***.***.***.225 1

route inside 10.0.0.0 255.0.0.0 10.0.255.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server ************* protocol tacacs+

aaa-server ************* (inside) host 10.0.1.3

key *****

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 10.0.1.3

key *****

radius-common-pw *****

aaa-server RADIUS (inside) host 10.0.1.11

key *****

aaa-server RADIUS (inside) host 10.0.1.12

key *****

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication enable console ************* LOCAL

aaa authentication telnet console ************* LOCAL

aaa authentication ssh console ************* LOCAL

aaa authorization command ************* LOCAL

http server enable

http 10.0.0.0 255.0.0.0 inside

http 192.168.1.0 255.255.255.0 management

http 63.168.36.176 255.255.255.240 outside

snmp-server host inside 10.0.1.9 community ***** version 2c

snmp-server host inside 10.0.3.30 poll community ***** version 2c

snmp-server host inside 10.0.1.35 community *****

snmp-server location US

snmp-server contact Superman

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

sysopt connection tcpmss 0

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

ASA 8.2 to 9.1 migration rewrite

Hi,

Can help out with the NAT configurations.

So lets look at your Dynamic PAT configurations first

Dynamic PAT with ID5

  • Doesnt have a corresponding ID5 "nat" rule so this is useless even at the moment

global (outside) 5 ***.***.***.237 netmask 255.0.0.0

Default Dynamic PAT

Old

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0

New

object-group network DEFAULT-PAT-SOURCE

network-object 10.0.0.0 255.0.0.0

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

SMTP Dynamic Policy PAT

  • I actually think that atleast for the host 10.0.1.18 this will never be applied currently as it already has a Static NAT configured. Static NAT should override Dynamic Policy PAT. You can confirm this by using the "packet-tracer" command.

Old

global (outside) 3 ***.***.***.227

nat (inside) 3 access-list 130

access-list 130 extended permit tcp object-group DM_INLINE_NETWORK_1 any eq smtp

object-group network DM_INLINE_NETWORK_1

network-object host 10.0.1.18

network-object host ****

New

object-group network SMTP-PAT-SOURCE

network-object host 10.1.18

network-object host x.x.x.x

object service SMTP

service tcp destination eq smtp

object network SMTP-PAT

host x.x.x.227

nat (inside,outside) source dynamic SMTP-PAT-SOURCE SMTP-PAT service SMTP SMTP

Static NAT configurations

  • A VERY IMPORTANT thing to notice with Static NAT and the ACL allowing traffic to these server is the fact that in the new NAT and ACL format of the new software level you will have to allow the traffic to the REAL DESTINATION IP address of the server rather than the NAT.
  • You can replace "host x.x.x.x" with "object STATIC-X" in the ACL to achieve this

Old

static (inside,outside) ***.***.***.228 10.0.1.18 netmask 255.255.255.255

static (inside,outside) ***.***.***.227 10.0.1.2 netmask 255.255.255.255

static (inside,outside) ***.***.***.237 10.0.1.173 netmask 255.255.255.255

static (inside,outside) ***.***.***.229 10.8.1.9 netmask 255.255.255.255

static (inside,outside) ***.***.***.235 10.0.1.33 netmask 255.255.255.255

static (inside,outside) ***.***.***.238 10.0.2.2 netmask 255.255.255.255

New

object network STATIC-1

host 10.0.1.18

nat (inside,outside) static x.x.x.228

object network STATIC-2

host 10.0.1.2

nat (inside,outside) static x.x.x.227

object network STATIC-3

host 10.0.1.173

nat (inside,outside) static x.x.x.237

object network STATIC-4

host 10.8.1.9

nat (inside,outside) static x.x.x.229

object network STATIC-5

host 10.0.1.33

nat (inside,outside) static x.x.x.235

object network STATIC-6

host 10.0.2.2

nat (inside,outside) static x.x.x.238

NAT0 / NAT Exempt configurations

  • I left out configuration for the last line of the current NAT0 ACL. I'd rather specify specific source networks rather than any. So if you can do that you can follow the below logic to build the new rule
  • I reused some current "object-group" in the NAT configurations, therefore you wont have to enter them again. They are included twice (in the old and new) just to illustrate what is required for the configurations.

Old

access-list inside_nat0_outbound extended permit ip object-group CONNECT_TO_CANTON 10.255.0.0 255.255.255.0

access-list inside_nat0_outbound remark CLAND VPN

access-list inside_nat0_outbound extended permit ip object-group MAIN_CAMPUS 10.255.1.0 255.255.255.224

access-list inside_nat0_outbound remark IT VPN

access-list inside_nat0_outbound extended permit ip object-group MAIN_CAMPUS 10.255.1.32 255.255.255.224

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.240.0.0

access-list inside_nat0_outbound extended permit ip any 10.255.1.0 255.255.255.224

object-group network CONNECT_TO_CANTON

network-object 10.0.1.0 255.255.255.0

network-object 10.1.1.0 255.255.255.0

network-object 10.4.0.0 255.255.0.0

object-group network MAIN_CAMPUS

network-object 10.0.0.0 255.224.0.0

nat (inside) 0 access-list inside_nat0_outbound

New

object-group network CONNECT_TO_CANTON

network-object 10.0.1.0 255.255.255.0

network-object 10.1.1.0 255.255.255.0

network-object 10.4.0.0 255.255.0.0

object-group network CANTON

network-object 10.255.0.0 255.255.255.0

nat (inside,outside) source static CONNECT_TO_CANTON CONNECT_TO_CANTON destination static CANTON CANTON

object network CLAND-VPN

subnet 10.255.1.0 255.255.255.224

object-group network MAIN_CAMPUS

network-object 10.0.0.0 255.224.0.0

nat (inside,outside) source static MAIN_CAMPUS MAIN_CAMPUS destination static CLAND-VPN CLAND-VPN

object-group network MAIN_CAMPUS

network-object 10.0.0.0 255.224.0.0

object network IT-VPN

subnet 10.255.1.32 255.255.255.224

nat (inside,outside) source static MAIN_CAMPUS MAIN_CAMPUS destination static IT-VPN IT-VPN

object network NET-10.0.0.0-8BIT

subnet 10.0.0.0 255.0.0.0

object network NET-172.16.0-12BIT

subnet 172.16.0.0 255.240.0.0

nat (inside,outside) source static NET-10.0.0.0-8BIT NET-10.0.0.0-8BIT destination static NET-172.16.0-12BIT NET-172.16.0-12BIT

Otherwise the configurations havent changed that much. The VPN configurations have gone some minor changes related to ikev1 and ikev2.

Instead of "crypto isakmp policy 10" its now "crypto ikev1 policy 10" and so on

Also "pre-shared-key" is now "ikev1 pre-shared-key"

Also the "transform-set" both the actual transform set and the crypto map statement require the "ikev1" in between.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question and/or rate helpfull answers

Feel free to ask more if needed.

- Jouni

6 REPLIES
Super Bronze

ASA 8.2 to 9.1 migration rewrite

Hi,

Can help out with the NAT configurations.

So lets look at your Dynamic PAT configurations first

Dynamic PAT with ID5

  • Doesnt have a corresponding ID5 "nat" rule so this is useless even at the moment

global (outside) 5 ***.***.***.237 netmask 255.0.0.0

Default Dynamic PAT

Old

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0

New

object-group network DEFAULT-PAT-SOURCE

network-object 10.0.0.0 255.0.0.0

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

SMTP Dynamic Policy PAT

  • I actually think that atleast for the host 10.0.1.18 this will never be applied currently as it already has a Static NAT configured. Static NAT should override Dynamic Policy PAT. You can confirm this by using the "packet-tracer" command.

Old

global (outside) 3 ***.***.***.227

nat (inside) 3 access-list 130

access-list 130 extended permit tcp object-group DM_INLINE_NETWORK_1 any eq smtp

object-group network DM_INLINE_NETWORK_1

network-object host 10.0.1.18

network-object host ****

New

object-group network SMTP-PAT-SOURCE

network-object host 10.1.18

network-object host x.x.x.x

object service SMTP

service tcp destination eq smtp

object network SMTP-PAT

host x.x.x.227

nat (inside,outside) source dynamic SMTP-PAT-SOURCE SMTP-PAT service SMTP SMTP

Static NAT configurations

  • A VERY IMPORTANT thing to notice with Static NAT and the ACL allowing traffic to these server is the fact that in the new NAT and ACL format of the new software level you will have to allow the traffic to the REAL DESTINATION IP address of the server rather than the NAT.
  • You can replace "host x.x.x.x" with "object STATIC-X" in the ACL to achieve this

Old

static (inside,outside) ***.***.***.228 10.0.1.18 netmask 255.255.255.255

static (inside,outside) ***.***.***.227 10.0.1.2 netmask 255.255.255.255

static (inside,outside) ***.***.***.237 10.0.1.173 netmask 255.255.255.255

static (inside,outside) ***.***.***.229 10.8.1.9 netmask 255.255.255.255

static (inside,outside) ***.***.***.235 10.0.1.33 netmask 255.255.255.255

static (inside,outside) ***.***.***.238 10.0.2.2 netmask 255.255.255.255

New

object network STATIC-1

host 10.0.1.18

nat (inside,outside) static x.x.x.228

object network STATIC-2

host 10.0.1.2

nat (inside,outside) static x.x.x.227

object network STATIC-3

host 10.0.1.173

nat (inside,outside) static x.x.x.237

object network STATIC-4

host 10.8.1.9

nat (inside,outside) static x.x.x.229

object network STATIC-5

host 10.0.1.33

nat (inside,outside) static x.x.x.235

object network STATIC-6

host 10.0.2.2

nat (inside,outside) static x.x.x.238

NAT0 / NAT Exempt configurations

  • I left out configuration for the last line of the current NAT0 ACL. I'd rather specify specific source networks rather than any. So if you can do that you can follow the below logic to build the new rule
  • I reused some current "object-group" in the NAT configurations, therefore you wont have to enter them again. They are included twice (in the old and new) just to illustrate what is required for the configurations.

Old

access-list inside_nat0_outbound extended permit ip object-group CONNECT_TO_CANTON 10.255.0.0 255.255.255.0

access-list inside_nat0_outbound remark CLAND VPN

access-list inside_nat0_outbound extended permit ip object-group MAIN_CAMPUS 10.255.1.0 255.255.255.224

access-list inside_nat0_outbound remark IT VPN

access-list inside_nat0_outbound extended permit ip object-group MAIN_CAMPUS 10.255.1.32 255.255.255.224

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.240.0.0

access-list inside_nat0_outbound extended permit ip any 10.255.1.0 255.255.255.224

object-group network CONNECT_TO_CANTON

network-object 10.0.1.0 255.255.255.0

network-object 10.1.1.0 255.255.255.0

network-object 10.4.0.0 255.255.0.0

object-group network MAIN_CAMPUS

network-object 10.0.0.0 255.224.0.0

nat (inside) 0 access-list inside_nat0_outbound

New

object-group network CONNECT_TO_CANTON

network-object 10.0.1.0 255.255.255.0

network-object 10.1.1.0 255.255.255.0

network-object 10.4.0.0 255.255.0.0

object-group network CANTON

network-object 10.255.0.0 255.255.255.0

nat (inside,outside) source static CONNECT_TO_CANTON CONNECT_TO_CANTON destination static CANTON CANTON

object network CLAND-VPN

subnet 10.255.1.0 255.255.255.224

object-group network MAIN_CAMPUS

network-object 10.0.0.0 255.224.0.0

nat (inside,outside) source static MAIN_CAMPUS MAIN_CAMPUS destination static CLAND-VPN CLAND-VPN

object-group network MAIN_CAMPUS

network-object 10.0.0.0 255.224.0.0

object network IT-VPN

subnet 10.255.1.32 255.255.255.224

nat (inside,outside) source static MAIN_CAMPUS MAIN_CAMPUS destination static IT-VPN IT-VPN

object network NET-10.0.0.0-8BIT

subnet 10.0.0.0 255.0.0.0

object network NET-172.16.0-12BIT

subnet 172.16.0.0 255.240.0.0

nat (inside,outside) source static NET-10.0.0.0-8BIT NET-10.0.0.0-8BIT destination static NET-172.16.0-12BIT NET-172.16.0-12BIT

Otherwise the configurations havent changed that much. The VPN configurations have gone some minor changes related to ikev1 and ikev2.

Instead of "crypto isakmp policy 10" its now "crypto ikev1 policy 10" and so on

Also "pre-shared-key" is now "ikev1 pre-shared-key"

Also the "transform-set" both the actual transform set and the crypto map statement require the "ikev1" in between.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question and/or rate helpfull answers

Feel free to ask more if needed.

- Jouni

ASA 8.2 to 9.1 migration rewrite

Thanks for the help!

I'll try this later today at let you know.

- Jared for ITstaff

Super Bronze

ASA 8.2 to 9.1 migration rewrite

Hi,

Forgot to mention in the above post the following thing.

The above SMTP Dynamic Policy PAT rule is configured there in a way that it will override any Static NAT configured for the servers.

So if some server currently has a Static NAT it will use the public IP address defined in the Dynamic Policy PAT rule when its connecting to the Internet with SMTP. Otherwise it will use the Static NAT public IP address.

- Jouni

ASA 8.2 to 9.1 migration rewrite

I've taken the migrated config from when I did the cutover and  applied your suggestions.....I'm still unclear on the ACLs....do I still  need those?

: Saved

: Written by cland at 16:28:22.775 CDT Fri Jul 12 2013

!

ASA Version 9.1(2)

!

hostname DATACENTER-5520

domain-name **************

enable password ************** encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd ********* encrypted

names

name 10.0.1.26 EXHUB description EX Hub transport

name 10.9.0.0 FARM

name 10.0.6.0 WLAN

name 10.0.1.205 Lauirehome

name 10.0.6.135 BillJill

name 72.246.43.98 Foxnews description Foxnews

name 10.3.2.103 Jody_Office

name 10.0.14.0 COMMWLS

name 10.3.1.117 Lsharpenew

name 10.0.11.30 Lsharpev2

name 10.0.14.158 Sheila

name 10.0.16.0 hlandtv description hlandtv

name 10.9.3.23 Lindadesktop

name 10.0.11.47 Laurieoffice

name 10.0.245.0 secure01 description secure01

name 87.240.167.0 Russia01

name 87.240.160.0 Russia02

name 87.240.173.0 Russia03

name 87.240.0.0 Russia04

name 10.18.5.30 lsharpehome

dns-guard

ip local pool clandpool 10.255.1.1-10.255.1.31 mask 255.255.255.224

ip local pool hlanditpool 10.255.1.33-10.255.1.62 mask 255.255.255.224

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 64.111.61.226 255.255.255.240

no pim

no igmp

no mfib forwarding

!

interface GigabitEthernet0/1

speed 1000

duplex full

nameif inside

security-level 100

ip address 10.0.255.3 255.255.255.248

no pim

no igmp

no mfib forwarding

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

shutdown

nameif management

security-level 100

no ip address

no pim

no igmp

no mfib forwarding

!

boot system disk1:/asa912-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 10.0.1.11

name-server 10.0.1.12

name-server 10.0.1.8

name-server 10.0.1.9

domain-name **************

same-security-traffic permit intra-interface

object network COMMWLS

subnet 10.0.14.0 255.255.255.0

description Created during name migration

object network Lindadesktop

host 10.9.3.23

description Created during name migration

object network Laurieoffice

host 10.0.11.47

description Created during name migration

object network secure01

subnet 10.0.245.0 255.255.255.0

description Created during name migration

object network lsharpehome

host 10.18.5.30

description Created during name migration

object network WLAN

subnet 10.0.6.0 255.255.254.0

description Created during name migration

object network FARM

subnet 10.9.0.0 255.255.0.0

description Created during name migration

object network Barracuda

host 10.0.1.2

object network MineCraft

host 10.0.1.173

object network CreameryHST

host 10.8.1.9

object network obj-10.0.1.33

host 10.0.1.33

object network UC

host 10.0.2.2

object network obj-64.111.61.227

host 64.111.61.227

object service obj-tcp-eq-25

service tcp destination eq smtp

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj-0.0.0.0

host 0.0.0.0

object network obj_any-01

subnet 0.0.0.0 0.0.0.0

object network Webmail

host 10.0.1.18

object network EX2013

host 10.0.1.18

object-group network DEFAULT-PAT-SOURCE

network-object 10.0.0.0 255.0.0.0

object-group network CONNECT_TO_CANTON

network-object 10.0.1.0 255.255.255.0

network-object 10.1.1.0 255.255.255.0

network-object 10.4.0.0 255.255.0.0

object-group network CANTON

network-object 10.255.0.0 255.255.255.0

object-group service OWA tcp

description ports needed for OWA

port-object eq https

port-object eq www

object-group network MAIN_CAMPUS

network-object 10.0.0.0 255.224.0.0

object network IT-VPN

subnet 10.255.1.32 255.255.255.224

object network NET-10.0.0.0-8BIT

subnet 10.0.0.0 255.0.0.0

object network NET-172.16.0-12BIT

subnet 172.16.0.0 255.240.0.0

object-group network SMTPHOSTS

description Known Good SMTP Hosts

network-object host 10.0.1.14

network-object host 10.0.1.2

network-object host 10.8.1.9

network-object host 10.18.1.10

network-object host 10.0.1.18

network-object 10.1.1.0 255.255.255.0

network-object host 10.0.11.43

network-object object Lindadesktop

network-object object Laurieoffice

network-object object secure01

network-object host 10.0.1.18

network-object object lsharpehome

object-group service Torrent tcp-udp

description Bit Torrent

port-object eq 113

object-group network SMTPHOSTS_CAMPUS

network-object object WLAN

network-object 10.0.8.0 255.255.255.0

network-object object FARM

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network HCCStudent

description Blockage

network-object 10.0.10.0 255.255.255.0

network-object host 10.0.1.9

object-group service Plex tcp-udp

description Plex Server

port-object eq 32400

object-group service KronosTrain tcp-udp

port-object eq 1935

object-group network AUTHDNS

description 10.0.3.33

network-object host 10.0.1.11

network-object host 10.0.1.12

network-object host 10.0.1.8

network-object host 10.0.1.9

network-object host 10.0.3.31

network-object host 10.0.3.32

network-object host 10.0.3.33

network-object host 10.0.3.34

network-object 10.0.8.0 255.255.255.0

network-object 10.255.0.0 255.255.255.0

network-object object secure01

network-object 10.0.255.0 255.255.255.248

network-object host 10.0.1.18

object-group service DM_INLINE_SERVICE_1

service-object udp destination eq dnsix

service-object tcp-udp destination eq domain

object-group service DM_INLINE_SERVICE_2

service-object tcp-udp destination eq domain

service-object udp destination eq dnsix

object-group service DM_INLINE_TCP_1 tcp

group-object KronosTrain

port-object eq https

object-group network DM_INLINE_NETWORK_1

network-object host 10.0.1.18

object-group service MC tcp-udp

port-object eq 25565

port-object eq 8123

access-list cland802_splitTunnelAcl standard permit 10.0.0.0 255.224.0.0

access-list HlandIT_splitTunnelAcl standard permit 10.0.0.0 255.224.0.0

access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.240.0.0

access-list outside_cryptomap extended permit ip any4 10.255.1.0 255.255.255.224

access-list outside_cryptomap extended permit ip any4 10.255.1.32 255.255.255.224

access-list outside_access_in extended permit tcp any4 host 64.111.61.227 eq smtp

access-list outside_access_in extended permit tcp any4 host 64.111.61.229 eq https

access-list outside_access_in extended permit object-group TCPUDP any4 host 64.111.61.235 eq www

access-list outside_access_in extended permit object-group TCPUDP any4 host 64.111.61.237 object-group MC log disable

access-list outside_access_in extended permit object-group TCPUDP any4 host 64.111.61.237 eq www inactive

access-list outside_access_in extended permit udp any4 host 64.111.61.238 eq tftp log disable

access-list outside_access_in extended deny ip object-group Hacker-Block any4 inactive

access-list outside_access_in extended permit icmp any4 any4

access-list outside_access_in extended permit tcp any object-group OWA object Webmail object-group OWA inactive

access-list 111 extended permit object-group DM_INLINE_SERVICE_1 object-group AUTHDNS any4 log

access-list 111 extended deny object-group DM_INLINE_SERVICE_2 any4 any4 log

access-list 111 extended permit tcp object-group SMTPHOSTS any4 eq smtp log disable

access-list 111 extended permit tcp any host 10.0.1.18 object-group OWA

access-list 111 extended deny tcp any4 any4 eq smtp log

access-list 111 extended permit ip any4 any4

access-list Convergent_splitTunnelAcl standard permit any4

access-list outside_cryptomap_1 extended permit ip any4 10.255.1.0 255.255.255.224

no pager

logging enable

logging timestamp

logging buffer-size 40960

logging buffered debugging

logging trap notifications

logging asdm informational

logging from-address asa@hlcommunity.org

logging recipient-address itstaff@hlcommunity.org level errors

logging permit-hostdown

flow-export destination inside 10.0.1.9 2055

flow-export template timeout-rate 1

mtu outside 1500

mtu inside 1500

mtu management 1500

ip verify reverse-path interface outside

ip verify reverse-path interface inside

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk1:/asdm-713.bin

asdm location 10.0.1.163 255.255.255.255 inside

asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

nat (inside,outside) source dynamic SMTP-PAT-SOURCE SMTP-PAT service SMTP SMTP

nat (inside,outside) source static CONNECT_TO_CANTON CONNECT_TO_CANTON destination static CANTON CANTON

nat (inside,outside) source static MAIN_CAMPUS MAIN_CAMPUS destination static CLAND-VPN CLAND-VPN

nat (inside,outside) source static MAIN_CAMPUS MAIN_CAMPUS destination static IT-VPN IT-VPN

nat (inside,outside) source static NET-10.0.0.0-8BIT NET-10.0.0.0-8BIT destination static NET-172.16.0-12BIT NET-172.16.0-12BIT

!

object network STATIC-1

host 10.0.1.18

nat (inside,outside) static 64.111.61.228

object network STATIC-2

host 10.0.1.2

nat (inside,outside) static 64.111.61.227

object network STATIC-3

host 10.0.1.173

nat (inside,outside) static 64.111.61.237

object network STATIC-4

host 10.8.1.9

nat (inside,outside) static 64.111.61.229

object network STATIC-5

host 10.0.1.33

nat (inside,outside) static 64.111.61.235

object network STATIC-6

host 10.0.2.2

nat (inside,outside) static 64.111.61.238

object-group network SMTP-PAT-SOURCE

network-object host 10.1.18

network-object host 64.111.61.227

object service SMTP

service tcp destination eq smtp

object network SMTP-PAT

host 61.111.64.227

access-group outside_access_in in interface outside

access-group 111 in interface inside

route outside 0.0.0.0 0.0.0.0 64.111.61.225 1

route inside 10.0.0.0 255.0.0.0 10.0.255.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server hlcommunity protocol tacacs+

aaa-server hlcommunity (inside) host 10.0.1.3

key cross4152

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 10.0.1.3

key cross4152

radius-common-pw cross4152

aaa-server RADIUS (inside) host 10.0.1.11

key cross4152

aaa-server RADIUS (inside) host 10.0.1.12

key cross4152

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication enable console hlcommunity LOCAL

aaa authentication telnet console hlcommunity LOCAL

aaa authentication ssh console hlcommunity LOCAL

aaa authorization command hlcommunity LOCAL

http server enable

http 10.0.0.0 255.0.0.0 inside

http 192.168.1.0 255.255.255.0 management

http 63.168.36.176 255.255.255.240 outside

snmp-server host inside 10.0.1.9 community ciscoasa version 2c

snmp-server host inside 10.0.3.30 poll community hlro version 2c

snmp-server host inside 10.0.1.35 community presidium

snmp-server location US

snmp-server contact Superman

snmp-server community public

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

sysopt connection tcpmss 0

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto engine large-mod-accel

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 40 set ikev1 transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_cryptomap_2

crypto map outside_map 1 set peer 69.148.165.226

crypto  map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA  ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA  ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

subject-name CN=DATACENTER-5520

keypair proxykey

crl configure

crypto ca trustpoint phoneproxy_trustpoint

enrollment self

subject-name CN=DATACENTER-5520

keypair proxykey

crl configure

crypto ca trustpoint CAP-RTP-001_trustpoint

enrollment terminal

crl configure

crypto ca trustpoint CAP-RTP-002_trustpoint

enrollment terminal

crl configure

crypto ca trustpoint Cisco_Manufacturing_CA_trustpoint

enrollment terminal

crl configure

crypto ca trustpoint _internal_asdm_CTL_File_SAST_0

enrollment self

fqdn none

subject-name cn="_internal_asdm_CTL_File_SAST_0";ou="STG";o="Cisco Inc"

keypair _internal_asdm_CTL_File_SAST_0

crl configure

crypto ca trustpoint _internal_asdm_CTL_File_SAST_1

enrollment self

fqdn none

subject-name cn="_internal_asdm_CTL_File_SAST_1";ou="STG";o="Cisco Inc"

keypair _internal_asdm_CTL_File_SAST_1

crl configure

crypto ca trustpoint _internal_PP_asdm_CTL_File

enrollment self

fqdn none

subject-name cn="_internal_PP_asdm_CTL_File";ou="STG";o="Cisco Inc"

keypair _internal_PP_asdm_CTL_File

crl configure

crypto ca trustpoint localtrust

enrollment self

fqdn remote.hlcommunity.org

subject-name CN=remote.hlcommunity.org

keypair sslvpnkey

crl configure

crypto ca trustpool policy

crypto ca certificate chain phoneproxy_trustpoint

certificate 1f6dc84b

    3082020b 30820174 a0030201 0202041f 6dc84b30 0d06092a 864886f7 0d010104

    0500304a 31183016 06035504 03130f44 41544143 454e5445 522d3535 3230312e

    302c0609 2a864886 f70d0109 02161f44 41544143 454e5445 522d3535 32302e68

    6c636f6d 6d756e69 74792e6f 7267301e 170d3130 30343136 31333538 35355a17

    0d323030 34313331 33353835 355a304a 31183016 06035504 03130f44 41544143

    454e5445 522d3535 3230312e 302c0609 2a864886 f70d0109 02161f44 41544143

    454e5445 522d3535 32302e68 6c636f6d 6d756e69 74792e6f 72673081 9f300d06

    092a8648 86f70d01 01010500 03818d00 30818902 818100a3 b788f041 73915886

    ebeab00f 7a9096d9 e7849307 15aae048 12abea6d 70b9408e 5df5c519 2a6f6b8e

    65ca9255 4abdd025 64832034 fa83b5e9 3c680637 e003c622 0895b9e0 ce7c06af

    70844292 f27bdc02 dcebb53e 1bdc62a3 009fd8ed 980d427b 1bc81b52 58d5dd10

    361cbe47 dae14500 e74771c5 1a19841c 1d430f25 2485dd02 03010001 300d0609

    2a864886 f70d0101 04050003 81810055 a73b82e0 b8e0b53d de1e94fc 430a125f

    c4fccebd 8784ad40 2fb445af a99905e3 e071dfda bd2ced56 c35baca1 d3b881d3

    4043f95e a3ab7cd6 0ec56c26 fda97fdc 4a3cbc70 43ba0035 eee470b8 56af00c0

    f1580902 4b525252 bbcf8bef abb1e3c8 6c2c98a6 47a6653e 49cccb00 7a545b79

    8cf1d2dc 58bb2f0b fc9d499f 26a5b3

  quit

crypto ca certificate chain CAP-RTP-001_trustpoint

certificate ca 7612f960153d6f9f4e42202032b72356

    308203a8 30820290 a0030201 02021076 12f96015 3d6f9f4e 42202032 b7235630

    0d06092a 864886f7 0d010105 0500302e 31163014 06035504 0a130d43 6973636f

    20537973 74656d73 31143012 06035504 03130b43 41502d52 54502d30 3031301e

    170d3033 30323036 32333237 31335a17 0d323330 32303632 33333633 345a302e

    31163014 06035504 0a130d43 6973636f 20537973 74656d73 31143012 06035504

    03130b43 41502d52 54502d30 30313082 0120300d 06092a86 4886f70d 01010105

    00038201 0d003082 01080282 010100ac 55bbed18 de9b8709 ffbc8f2d 509ab83a

    21c1967f dea7f4b0 969694b7 80cc196a 463da516 54a28f47 5d903b5f 104a3d54

    a981389b 2fc7ac49 956262b8 1c143038 5345bb2e 273fa7a6 46860573 ce5c998d

    55de78aa 5a5cfe14 037d695b ac816409 c6211f0b 3bbf09cf b0bbb2d4 ac362f67

    0fd145f1 620852b3 1f07e2f1 aa74f150 367632ed a289e374 af0c5b78 ce7dfb9f

    c8ebbe54 6ecf4c77 99d6dc04 47476c0f 36e58a3b 6bcb24d7 6b6c84c2 7f61d326

    be7cb4a6 60cd6579 9e1e3a84 8153b750 5527e865 423be2b5 cb575453 5aa96093

    58b6a2e4 aa3ef081 c7068ec1 dd1ebdda 53e6f0d6 e2e0486b 109f1316 78c696a3

    cfba84cc 7094034f c1eb9f81 931acb02 0103a381 c33081c0 300b0603 551d0f04

    04030201 86300f06 03551d13 0101ff04 05300301 01ff301d 0603551d 0e041604

    14e917b1 82c71fcf aca91b6e f4a9269c 70ae05a0 9a306f06 03551d1f 04683066

    3064a062 a060862d 68747470 3a2f2f63 61702d72 74702d30 30312f43 65727445

    6e726f6c 6c2f4341 502d5254 502d3030 312e6372 6c862f66 696c653a 2f2f5c5c

    6361702d 7274702d 3030315c 43657274 456e726f 6c6c5c43 41502d52 54502d30

    30312e63 726c3010 06092b06 01040182 37150104 03020100 300d0609 2a864886

    f70d0101 05050003 82010100 ab64fdeb f60c32dc 360f0e10 5fe175fa 0d574ab5

    02acdca3 c7bbed15 a4431f20 7e9286f0 770929a2 17e4cdf4 f2629244 2f3575af

    e90c468c ae67ba08 aaa71c12 ba0c0e79 e6780a5c f814466c 326a4b56 73938380

    73a11aed f9b9de74 1195c48f 99454b8c 30732980 cd6e7123 8b3a6d68 80b97e00

    7f4bd4ba 0b5ab462 94d9167e 6d8d48f2 597cde61 25cfadcc 5bd141fb 210275a2

    0a4e3400 1428ba0f 69953bb5 50d21f78 43e3e563 98bcb2b1 a2d4864b 0616bacd

    a61cd9ae c5558a52 b5eeaa6a 08f96528 b1804b87 d26e4aee ab7affe9 2fd2a574

    bafe0028 96304a8b 13fb656d 8fc60094 d5a53d71 444b3cef 79343385 3778c193

    74a2a6ce dc56275c a20a303d

  quit

crypto ca certificate chain CAP-RTP-002_trustpoint

certificate ca 353fb24bd70f14a346c1f3a9ac725675

    308203a8 30820290 a0030201 02021035 3fb24bd7 0f14a346 c1f3a9ac 72567530

    0d06092a 864886f7 0d010105 0500302e 31163014 06035504 0a130d43 6973636f

    20537973 74656d73 31143012 06035504 03130b43 41502d52 54502d30 3032301e

    170d3033 31303130 32303138 34395a17 0d323331 30313032 30323733 375a302e

    31163014 06035504 0a130d43 6973636f 20537973 74656d73 31143012 06035504

    03130b43 41502d52 54502d30 30323082 0120300d 06092a86 4886f70d 01010105

    00038201 0d003082 01080282 010100c4 266504ad 7dc3fd8d 65556fa6 308fae95

    b570263b 575abd96 1cc8f394 5965d9d0 d8ce02b9 f808ccd6 b7cd8c46 24801878

    57dc4440 a7301ddf e40fb1ef 136212ec c4f3b50f bcafbb4b cd2e5826 34521b65

    01555fe4 d4206776 03368357 83932638 d6fc953f 3a179e44 67255a73 45c69dee

    fb4d221b 21d7a3ad 38184171 8fd8c271 42183e65 09461434 736c77cc f380eebf

    632c7b3f a5f92aa6 a8ef3490 8724a84f 4daf7fd7 0928f585 764d3558 3c0fe9af

    1ed8763f a299a802 970004ad 1912d265 7de335b4 bcb6f789 dc68b9fa c8fdf85e

    8a28ad8f 0f4883c0 77112a47 141dbee0 948fbe53 fe67b308 d40c8029 87bd790e

    cdab9fd7 a190c1a2 a462c5f2 4a6e0b02 0103a381 c33081c0 300b0603 551d0f04

    04030201 86300f06 03551d13 0101ff04 05300301 01ff301d 0603551d 0e041604

    1452922b e288ee2e 098a4e7e 702c56a5 9ab4d49b 96306f06 03551d1f 04683066

    3064a062 a060862d 68747470 3a2f2f63 61702d72 74702d30 30322f43 65727445

    6e726f6c 6c2f4341 502d5254 502d3030 322e6372 6c862f66 696c653a 2f2f5c5c

    6361702d 7274702d 3030325c 43657274 456e726f 6c6c5c43 41502d52 54502d30

    30322e63 726c3010 06092b06 01040182 37150104 03020100 300d0609 2a864886

    f70d0101 05050003 82010100 56838cef c4da3ad1 ea8fbb15 2ffe6ee5 50a1972b

    d4d7af1f d298892c d5a2a76b c3462866 13e0e55d dc0c4b92 5aa94b6e 69277f9b

    fc73c697 11266e19 451c0fab a55e6a28 901a48c5 b9911ee6 348a8920 0aede1e0

    b6ea781c ffd97ca4 b03c0e34 0e5b0649 8b0a34c9 b73a654e 09050c1f 4da53e44

    bf78443d b08c3a41 2eeeb873 78cb8089 34f9d16e 91512f0d 3a8674ad 0991ed1a

    92841e76 36d7740e cb787f11 685b9e9d 0c67e85d af6d05ba 3488e86d 7e2f7f65

    6918de0f bd3c7f67 d8a33f70 9c4a596e d9f62b3b 1edee854 d5882ad4 3d71f72b

    8fab7f3c 0b5f0759 d9828f83 954d7bb1 57a638ec 7d72bff1 8933c16f 760bca94

    4c5b1931 67947a4f 89a1bdb5

  quit

crypto ca certificate chain Cisco_Manufacturing_CA_trustpoint

certificate ca 6a6967b3000000000003

    308204d9 308203c1 a0030201 02020a6a 6967b300 00000000 03300d06 092a8648

    86f70d01 01050500 30353116 30140603 55040a13 0d436973 636f2053 79737465

    6d73311b 30190603 55040313 12436973 636f2052 6f6f7420 43412032 30343830

    1e170d30 35303631 30323231 3630315a 170d3239 30353134 32303235 34325a30

    39311630 14060355 040a130d 43697363 6f205379 7374656d 73311f30 1d060355

    04031316 43697363 6f204d61 6e756661 63747572 696e6720 43413082 0120300d

    06092a86 4886f70d 01010105 00038201 0d003082 01080282 010100a0 c5f7dc96

    943515f1 f4994ebb 9b41e17d db791691 bbf354f2 414a9432 6262c923 f79ae7bb

    9b79e807 294e30f5 ae1bc521 5646b0f8 f4e68e81 b816cca8 9b85d242 81db7ccb

    94a91161 121c5cea 33201c9a 16a77ddb 99066ae2 36afecf8 0aff9867 07f430ee

    a5f8881a aae8c73c 1cceee48 fdcd5c37 f186939e 3d71757d 34ee4b14 a9c0297b

    0510ef87 9e693130 f548363f d8abce15 e2e8589f 3e627104 8726a415 620125aa

    d5dfc9c9 5bb8c9a1 077bbe68 92939320 a86cbd15 75d3445d 454beca8 da60c7d8

    c8d5c8ed 41e1f55f 578e5332 9349d5d9 0ff836aa 07c43241 c5a7af1d 19fff673

    99395a73 67621334 0d1f5e95 70526417 06ec535c 5cdb6aea 35004102 0103a382

    01e73082 01e33012 0603551d 130101ff 04083006 0101ff02 0100301d 0603551d

    0e041604 14d0c522 26ab4f46 60ecae05 91c7dc5a d1b047f7 6c300b06 03551d0f

    04040302 01863010 06092b06 01040182 37150104 03020100 30190609 2b060104

    01823714 02040c1e 0a005300 75006200 43004130 1f060355 1d230418 30168014

    27f3c815 1e6e9a02 0916ad2b a089605f da7b2faa 30430603 551d1f04 3c303a30

    38a036a0 34863268 7474703a 2f2f7777 772e6369 73636f2e 636f6d2f 73656375

    72697479 2f706b69 2f63726c 2f637263 61323034 382e6372 6c305006 082b0601

    05050701 01044430 42304006 082b0601 05050730 02863468 7474703a 2f2f7777

    772e6369 73636f2e 636f6d2f 73656375 72697479 2f706b69 2f636572 74732f63

    72636132 3034382e 63657230 5c060355 1d200455 30533051 060a2b06 01040109

    15010200 30433041 06082b06 01050507 02011635 68747470 3a2f2f77 77772e63

    6973636f 2e636f6d 2f736563 75726974 792f706b 692f706f 6c696369 65732f69

    6e646578 2e68746d 6c305e06 03551d25 04573055 06082b06 01050507 03010608

    2b060105 05070302 06082b06 01050507 03050608 2b060105 05070306 06082b06

    01050507 0307060a 2b060104 0182370a 0301060a 2b060104 01823714 02010609

    2b060104 01823715 06300d06 092a8648 86f70d01 01050500 03820101 0030f330

    2d8cf2ca 374a6499 24290af2 86aa42d5 23e8a2ea 2b6f6923 7a828e1c 4c09cfa4

    4fab842f 37e96560 d19ac6d8 f30bf5de d027005c 6f1d91bd d14e5851 1dc9e3f7

    38e7d30b d168be8e 22a54b06 e1e6a4aa 337d1a75 ba26f370 c66100a5 c379265b

    a719d193 8dab9b10 11291fa1 82fdfd3c 4b6e65dc 934505e9 af336b67 23070686

    22daebdc 87cf5921 421ae9cf 707588e0 243d5d7d 4e963880 97d56ff0 9b71d8ba

    6019a5b0 6186addd 6566f6b9 27a2ee2f 619bbaa1 3061fdbe ac3514f9 b82d9706

    afc3ef6d cc3d3ceb 95e981d3 8a5eb6ce fa79a46b d7a25764 c43f4cc9 dbe882ec

    0166d410 88a256e5 3c57ede9 02a84891 6307ab61 264b1a13 9fe4dcda 5f

  quit

crypto ca certificate chain _internal_asdm_CTL_File_SAST_0

certificate 4a78c84b

    3082020d 30820176 a0030201 0202044a 78c84b30 0d06092a 864886f7 0d010104

    0500304b 31123010 06035504 0a130943 6973636f 20496e63 310c300a 06035504

    0b130353 54473127 30250603 55040314 1e5f696e 7465726e 616c5f61 73646d5f

    43544c5f 46696c65 5f534153 545f3030 1e170d31 30303431 36313434 3633345a

    170d3230 30343133 31343436 33345a30 4b311230 10060355 040a1309 43697363

    6f20496e 63310c30 0a060355 040b1303 53544731 27302506 03550403 141e5f69

    6e746572 6e616c5f 6173646d 5f43544c 5f46696c 655f5341 53545f30 30819f30

    0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00b17e49 4ce7c218

    4a3b9bb0 e5962aa2 13b79285 de1f0b90 caa00c0f 8938e7da 063945a4 2afe1cb5

    a9737b1a 1f94a8ff 04b6d270 473f3fc4 3e868b99 04cddd58 c0502a9f 49eaa437

    c2a65238 213fe51a 4f459b92 bd10e836 26ae54e7 93a22e91 a4b5d4f2 e8721bf2

    4796fb16 0e0d4cfb 683af21c 9fcb0150 389cb959 a2038c10 6d020301 0001300d

    06092a86 4886f70d 01010405 00038181 00986007 2bf46973 562c3b02 180a2eb6

    bc2f3d30 8b050825 b0d080cc 01cb4186 87626c22 d88876a6 6351bec5 8db11d24

    b17d8c78 c852b83a 26276505 2575d7b8 0823f87f 6e881db6 5f67c623 d13d5d92

    bd8006b6 dfa6883f 3f3288ab 3e3336e2 b30fb211 6aa5b564 1854d68a b1a7f42a

    e50a0e33 6c4728ae 72defabd 5077bf8f fe

  quit

crypto ca certificate chain _internal_asdm_CTL_File_SAST_1

certificate 4c78c84b

    3082020d 30820176 a0030201 0202044c 78c84b30 0d06092a 864886f7 0d010104

    0500304b 31123010 06035504 0a130943 6973636f 20496e63 310c300a 06035504

    0b130353 54473127 30250603 55040314 1e5f696e 7465726e 616c5f61 73646d5f

    43544c5f 46696c65 5f534153 545f3130 1e170d31 30303431 36313434 3633365a

    170d3230 30343133 31343436 33365a30 4b311230 10060355 040a1309 43697363

    6f20496e 63310c30 0a060355 040b1303 53544731 27302506 03550403 141e5f69

    6e746572 6e616c5f 6173646d 5f43544c 5f46696c 655f5341 53545f31 30819f30

    0d06092a 864886f7 0d010101 05000381 8d003081 89028181 009e0dd0 01938c21

    5f88e81b 52f1d27f bf97b065 9bff7209 14a9e308 0dba5e91 eed11926 4cfaa137

    a32c4d79 fa08d38e 8552cfd5 62f413da 25f6196d 415543f9 6dc41865 6e7b10f5

    83d231c2 d23a4aab 04f43168 5301f83b 6fe222a8 772124c3 c2e591b2 393474ad

    dae973c6 b664be2d 0666f766 af1a2444 7e2bd7cf fe58bc1f c3020301 0001300d

    06092a86 4886f70d 01010405 00038181 00942ba3 1e3046f9 d1ab2e99 d304aed4

    e39d12c1 0fef910d 8e66d851 12b10608 64106e11 fe1ac3f5 4a64dc1f b7c355c4

    d4cb036a 3c54fa39 a865ea45 33e208a2 f75f8771 252d70b4 798535b2 16731505

    d89a8f80 f50ac74d 5bc1a809 675651ab 51758497 0b36dc42 b13d07de fc380373

    580e0fda 463581c2 300ec50c d64ae43d 4a

  quit

crypto ca certificate chain _internal_PP_asdm_CTL_File

certificate 4d78c84b

    30820205 3082016e a0030201 0202044d 78c84b30 0d06092a 864886f7 0d010104

    05003047 31123010 06035504 0a130943 6973636f 20496e63 310c300a 06035504

    0b130353 54473123 30210603 55040314 1a5f696e 7465726e 616c5f50 505f6173

    646d5f43 544c5f46 696c6530 1e170d31 30303431 36313434 3633375a 170d3230

    30343133 31343436 33375a30 47311230 10060355 040a1309 43697363 6f20496e

    63310c30 0a060355 040b1303 53544731 23302106 03550403 141a5f69 6e746572

    6e616c5f 50505f61 73646d5f 43544c5f 46696c65 30819f30 0d06092a 864886f7

    0d010101 05000381 8d003081 89028181 00c8e06e 47b302ca 8ecb94b7 72a24923

    28138715 f2ac4367 f280576b 536107c0 9cf60a3d 7293c4f4 9681932a bfee87db

    897e53a0 b94964b4 df40f876 f2cbc9f7 87b4867c 9ad577ac de9645b7 856b3355

    ef2e8e54 deee79da ff91ac53 ec8e2a47 6dec9eb3 22a09051 b7f8c756 be02c258

    720f259a 28031ffc f133c920 ea0b2a72 71020301 0001300d 06092a86 4886f70d

    01010405 00038181 00a13db5 617e48b4 7747c05b 79019372 b3cf74c0 aead62a0

    4c33f155 27503f4d b7e9ed8f 122ebda0 56d7a510 f7989ac2 4edcbc1c 9a4083ff

    cc9e1afe 635a9fd4 985a6d69 1455090f a3fcac98 b7df9a81 a16920ce 67acc29e

    f5c41e56 f85369f5 487734d1 2912e607 ed4b405d 8dbcb551 aa78d7ec 73cf09c2

    71151b0c efe6f96e ec

  quit

crypto ca certificate chain localtrust

certificate 90b9b54f

    30820207 30820170 a0030201 02020490 b9b54f30 0d06092a 864886f7 0d010105

    05003048 311f301d 06035504 03131672 656d6f74 652e686c 636f6d6d 756e6974

    792e6f72 67312530 2306092a 864886f7 0d010902 16167265 6d6f7465 2e686c63

    6f6d6d75 6e697479 2e6f7267 301e170d 31323036 32393138 31373338 5a170d32

    32303632 37313831 3733385a 3048311f 301d0603 55040313 1672656d 6f74652e

    686c636f 6d6d756e 6974792e 6f726731 25302306 092a8648 86f70d01 09021616

    72656d6f 74652e68 6c636f6d 6d756e69 74792e6f 72673081 9f300d06 092a8648

    86f70d01 01010500 03818d00 30818902 818100a4 fa4cb368 1ee3d20b 694c7708

    0a84ad72 b6f40e45 ce5236bd 8d9ffea4 6eaa0f08 faa8dd43 2823c140 97eda909

    4c2e41bc fc10c17d f7b89051 ea6e704c bf3e972b d26282ce bf3c83d7 ffe131ac

    73dcb831 31b3c926 a6fbed55 9bff89db f7196aa8 f3fee89f d14d5343 43955e7b

    57a1cdf4 dbc5f96c 2efaff87 041c7a08 8dc57702 03010001 300d0609 2a864886

    f70d0101 05050003 81810068 38ee2db3 c2f191c1 6f6d1257 ff7c1ac1 c169117c

    92fbc59d a48b9b68 b60bfb33 6a4946dd 7acfed6d 8bda9a9d 2f9373a9 0b4fa907

    eb174c2f 8a27c6c7 4126c169 fd68b97d 9b73ef1a 70b0d967 00e42ece 0a7c77d9

    d45abb79 13b9da01 e33d15a8 5e91f5c2 6146701d a63794b7 ef5e964c 8e173c45

    68c41750 93fc92b0 a8fc5e

  quit

crypto ikev1 enable outside

crypto ikev1 am-disable

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

telnet 10.0.0.0 255.0.0.0 inside

telnet 192.168.1.0 255.255.255.0 management

telnet timeout 15

ssh 63.168.36.176 255.255.255.240 outside

ssh 10.1.1.0 255.255.255.0 inside

ssh 10.0.1.0 255.255.255.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 15

management-access management

!

tls-proxy Asa-tls-proxy

server trust-point _internal_PP_asdm_CTL_File

ctl-file asdm_CTL_File

record-entry cucm-tftp trustpoint phoneproxy_trustpoint address 64.111.61.238

no shutdown

!

phone-proxy asdm_phone-proxy

media-termination address 64.111.61.238

tftp-server address 10.0.2.2 interface inside

tftp-server address 10.0.2.3 interface inside

tls-proxy Asa-tls-proxy

cipc security-mode authenticated

ctl-file asdm_CTL_File

no disable service-settings

no threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

threat-detection rate scanning-threat rate-interval 1200 average-rate 1200 burst-rate 1200

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 10.0.255.254 source inside prefer

ssl trust-point localtrust outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.6005-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy HlandIT internal

group-policy HlandIT attributes

dns-server value 10.0.1.11 10.0.1.12

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value HlandIT_splitTunnelAcl

default-domain value hlcommunity.org

group-policy Convergent internal

group-policy Convergent attributes

dns-server value 10.0.1.11 10.0.1.12

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Convergent_splitTunnelAcl

default-domain value hlcommunity.org

group-policy cland802 internal

group-policy cland802 attributes

dns-server value 10.0.1.11 10.0.1.12

vpn-tunnel-protocol ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value cland802_splitTunnelAcl

default-domain value hlcommunity.org

username hland password ************ encrypted privilege 15

username cland password ************ encrypted privilege 15

tunnel-group cland802 type remote-access

tunnel-group cland802 general-attributes

address-pool clandpool

authentication-server-group RADIUS LOCAL

default-group-policy cland802

tunnel-group cland802 webvpn-attributes

group-alias VPNRA enable

tunnel-group cland802 ipsec-attributes

ikev1 pre-shared-key *********

tunnel-group HlandIT type remote-access

tunnel-group HlandIT general-attributes

address-pool hlanditpool

authentication-server-group hlcommunity LOCAL

default-group-policy HlandIT

tunnel-group HlandIT ipsec-attributes

ikev1 pre-shared-key *********

tunnel-group Convergent type remote-access

tunnel-group Convergent general-attributes

address-pool clandpool

default-group-policy Convergent

tunnel-group Convergent ipsec-attributes

ikev1 pre-shared-key **********

tunnel-group 69.148.165.226 type ipsec-l2l

tunnel-group 69.148.165.226 ipsec-attributes

ikev1 pre-shared-key **********

!

class-map sec_sip

match port tcp eq 5061

class-map netflow-export-class

match access-list netflow-export

class-map IPS_CLASS

match any

class-map sec_sccp

match port tcp eq 2443

class-map inspection_default

match default-inspection-traffic

!

!

policy-map phone_proxy

class sec_sccp

  inspect skinny phone-proxy asdm_phone-proxy

class sec_sip

  inspect sip phone-proxy asdm_phone-proxy

policy-map global-policy

class netflow-export-class

  flow-export event-type all destination 10.0.1.9

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 1500

policy-map asa_global_fw_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect http

class IPS_CLASS

  ips inline fail-open

!

service-policy asa_global_fw_policy global

service-policy phone_proxy interface outside

smtp-server 10.0.1.18

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege cmd level 3 mode exec command vpn-sessiondb

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command uauth

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command vpn-sessiondb

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:d36cdd058d5883260e7a1646b9379fa9

: end

Super Bronze

ASA 8.2 to 9.1 migration rewrite

Hi,

Yes, you will need the interface ACLs just like before.

The different is that in the 8.2 software level when you were allowing traffic to a NATed host, you used the NAT IP address of the host. For example allowing connections from Internet to the servers you have meant that you had to use their public NAT IP address in the "outside" interface ACL.

In the new software because of the NAT / ACL changes (or the change in the order they are processed by the ASA) you will now instead have to always allow the traffic to the REAL IP ADDRESS rather than the NAT IP ADDRESS.

So you will have to change your "outside" interface ACLs destination IP addresses to the REAL IP ADDRESS instead of the PUBLIC NAT IP ADDRESS.

- Jouni

ASA 8.2 to 9.1 migration rewrite

Thank you soooo much!

I'm going to try the cut over tonight.

- Jared

2548
Views
0
Helpful
6
Replies