Cisco Support Community
New Member

Pix 501 configuration to ASA 5515-x...

Hello,

I'm an Administrator and have a client that is running a T1 (point to point) with a 501 Pix box as the firewall between the DSL and internal network.

We are switching over to Fiber Optic (Client has 3 locations all tap into a central database) at the hub office and eventually will change over to a VPN network. I have purchased an ASA 5515-x; the current Pix box is giving me trouble, which is also where the problem lies. When I took over my client's Administration for his network, I found out that although I have access to all the Cisco routers on the network ((1) 17XX, (2) 2600's), neither I nor anyone that I talked to has access to the Pix box. I would like, for the time being, to put the ASA in place of the Pix as the firewall for the T1, until we decide if we are going to do IPSEC w/client or L2TP... I have searched and found other articles on migrating from Pix to ASA, but also learned the Pix we have is too old. My questions are: Is there any way to retrieve the configuration file from the Pix manually even though I don't know the passwd? Or do I have to build the firewall from the ground up? (I did hit the reset button a couple of times before as well as pulling the power. The reason was, it just started only allowing certain people internet access from inside; anybody with remote access outside can remote in no problem. It just randomly drops people on the inside.) Reboot the Pix and everyone is happy for about an hour, then the previous scenario comes back. I can work my way around the CLI no problem, but I'm new to Cisco's ASDM as well as the new commands.

Thanks

  • Firewalling

Accepted Solutions

Super Bronze

Pix 501 configuration to ASA 5515-x...

Hi,

PSK / Pre-shared-key is essentially a password that is configured on both ends of the L2L VPN connection. (On both of the VPN devices)

Hopefully you have documented the current PSK so it can be inserted to the configuration on the ASA. Or perhaps you have the contact information of the remote site so you can change it? Or perhaps the remote site is under your management also and you can simply change the PSK on both ends to something new when replacing the firewall at this site.

On a very, very quick glance I found this, which gives a basic description of PSK (it's part of an old Cisco Press book):

http://www.ciscopress.com/articles/article.asp?p=24833&seqNum=5

- Jouni

16 REPLIES
Super Bronze

Pix 501 configuration to ASA 5515-x...

Hi,

Seems to me that your first step should be trying to get access to the PIX itself to determine the current configuration.

Here is one guide on how you can reset the passwords on the PIX:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml

I have used it a couple of times in the past (a long time ago) and it worked well then.

Though for this you need to know the software version the PIX is running. I am wondering if you would be able to see the booting software when booting the PIX while connected to it through the console.

You might also want to try some of the usual login usernames/passwords while attempting to connect to the PIX through the console. I guess if it's on default settings it might not ask you for a username at all and you might be able to just use "enable" and not enter any password at all and press enter.

To be honest, I can't remember anymore.

- Jouni

New Member

Pix 501 configuration to ASA 5515-x...

Jouni,

First off, let me thank you for the article. It was EXACTLY what I was looking for. I have run into another issue though. The PIX 501 is running ver 6.2. I was able to get to "config" ability and I saw the outside and inside IPs that were being used. I didn't see a command to "show" the WHOLE configuration of the device; it's so old I don't even know if one ever existed. Now the "inside" interface had a non-routable static IP for the "inside" network. The T1 router is running DHCP for the network. Would the PIX be running NAT? I don't know if NAT was set up on the 2600 T1 router alongside the DHCP server. How would I find out? I'm trying to "mirror" the configuration from the 501 PIX box to an ASA 5515-x box.

Thank you again for all your help,

Much appreciated,

  OrthoAdmin

New Member

Pix 501 configuration to ASA 5515-x...

I think I found my problem... ACLs... I need an access-list set up for the ASA that mirrors the PIX.

Super Bronze

Pix 501 configuration to ASA 5515-x...

Hi,

Sorry for getting back to you only now.

Did you already solve the problem?

If not, can you get the configuration from the PIX with some "show" command like

show run

or

show configuration

If you can get the whole configuration of the PIX (remove sensitive information) then I could tell you the corresponding configurations you would need on the new ASA.

- Jouni

New Member

Pix 501 configuration to ASA 5515-x...

Hello,

No, I haven't solved it yet. Here is the show run for the PIX.

OrthoPIX(config)# show run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NDa1RppHr2jz7Cnk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname OrthoPIX
domain-name sbcglobal.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside permit tcp any host 66.136.xxx.xxx eq 3389
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 66.136.xxx.xxx 255.255.255.248
ip address inside 10.10.10.251 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.136.xxx.xxx 3389 10.10.10.253 3389 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 66.136.xxx.xxx 15
route inside 10.10.11.0 255.255.255.0 10.10.10.254 1
route inside 10.10.12.0 255.255.255.0 10.10.10.254 1
route inside 10.10.20.4 255.255.255.252 10.10.10.254 1
route inside 10.10.30.4 255.255.255.252 10.10.10.254 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:01:00 absolute
timeout xlate 0:01:00
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 65.69.93.98
crypto map transam 1 set transform-set myset
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 65.69.93.98 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 167.1.162.167 255.255.255.255 outside
ssh timeout 60
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:4e26e0b8ee57c83fdbcd71fbadf5ef8e
: end

New Member

Pix 501 configuration to ASA 5515-x...

Here is the show run for ASA 5515-x

Result of the command: "show run"

: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password NDa1RppHr2jz7Cnk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif Port0/0
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu Port0/0 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface Port0/0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:c5af97904bf21e317a1006e9b3901aa1
: end

Super Bronze

Pix 501 configuration to ASA 5515-x...

Hi,

I am not sure what your situation with the "outside" interface is. The PIX has a statically configured IP address and default route while the ASA at the moment has DHCP.

I will consider that the ASA should use the same configuration as the PIX.

PHYSICAL INTERFACES

interface GigabitEthernet0/0
 nameif outside
 ip address 66.136.x.x 255.255.255.248
interface GigabitEthernet0/1
 no shutdown
 nameif inside
 ip address 10.10.10.251 255.255.255.0

STATIC ROUTES

route outside 0.0.0.0 0.0.0.0 66.136.xxx.xxx 15
route inside 10.10.11.0 255.255.255.0 10.10.10.254 1
route inside 10.10.12.0 255.255.255.0 10.10.10.254 1
route inside 10.10.20.4 255.255.255.252 10.10.10.254 1
route inside 10.10.30.4 255.255.255.252 10.10.10.254 1

STATIC PAT (PORT FORWARD)

object network STATIC-PAT-RDP
 host 10.10.10.253
 nat (inside,outside) static 66.136.x.x service tcp 3389 3389

EXTERNAL ACCESS-LIST

access-list outside permit tcp any object STATIC-PAT-RDP eq 3389
access-group outside in interface outside

DYNAMIC PAT

nat (inside,outside) after-auto source dynamic any interface

NAT0 / NAT EXEMPT FOR L2L VPN

object network LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.10.15.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

L2L VPN CONFIGURATION

access-list L2L-VPN remark L2L VPN Encryption Domain
access-list L2L-VPN permit ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
crypto ipsec ikev1 transform-set DES esp-des esp-md5-hmac
crypto map transam 1 match address L2L-VPN
crypto map transam 1 set peer 65.69.93.98
crypto map transam 1 set ikev1 transform-set DES
crypto map transam interface outside
crypto isakmp identity address
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 1000
crypto ikev1 enable outside
tunnel-group 65.69.93.98 type ipsec-l2l
tunnel-group 65.69.93.98 ipsec-attributes
 ikev1 pre-shared-key

The above should cover most of the configuration, converted from the PIX to the new ASA format.

We can't see the PSK of the L2L VPN connection and I am not sure if software that old has the command that would show the PSK in clear text.

The above configuration presumes that you use the statically configured IP addresses of the interfaces and the static routes and not DHCP like it is now.

Naturally the ASA should also be connected to the same devices on the same ports on the "inside" and "outside".

You should also set the management related commands "ssh", "http" or "telnet" as you wish.

- Jouni
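
The translation above hinges on one ASA 8.3+ rule the PIX never had: an access-list applied to an interface now matches the real (untranslated) address, which is why the RDP rule references the object holding 10.10.10.253 rather than the public IP in the PIX's `access-list outside`. The script below is an added example written for this thread, not Cisco tooling and not code from either poster. Its sample input is constructed from the PIX show run posted above (masked addresses left masked); it emits the corresponding ASA 8.3+ twice NAT, object NAT and ACL lines, and it flags lines that are present in that PIX config but deserve review rather than a straight copy onto the new ASA: http and ssh permitted from 0.0.0.0 0.0.0.0 on the outside interface, the SNMP community string "public", and the DES/MD5/DH group 1 VPN parameters. Object names such as STATIC-PAT-1 and NAT0-LOCAL-1 are the script's own convention.

```python
"""PIX 6.x -> ASA 8.3+ NAT/ACL translation plus a pre-migration audit.

Added example for this thread; not Cisco tooling and not code posted by
anyone in the thread. PIX_SAMPLE is constructed from the show run posted
above (masked addresses left masked). Object names such as STATIC-PAT-1
and NAT0-LOCAL-1 are this script's own convention.
"""

PIX_SAMPLE = """\
access-list outside permit tcp any host 66.136.xxx.xxx eq 3389
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.136.xxx.xxx 3389 10.10.10.253 3389 netmask 255.255.255.255 0 0
access-group outside in interface outside
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
"""


def translate(pix_config):
    """Return ASA 8.3+ lines for the PIX static/nat/global/access-list statements.

    The 8.3+ rule that bites here: an ACL applied to an interface matches the
    REAL (untranslated) address, so 'host <public IP>' in the PIX ACL becomes
    the network object that holds the inside host.
    """
    acls, globals_, applied, statics, nat0, dyn = {}, {}, {}, [], [], []
    for line in pix_config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            acls.setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":               # access-group NAME in interface IF
            applied[t[1]] = t[4]
        elif t[0] == "global":                     # global (IF) ID interface|pool
            globals_[t[2]] = (t[1].strip("()"), t[3])
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            nat0.append((t[1].strip("()"), t[4]))  # NAT exemption via ACL
        elif t[0] == "nat":                        # nat (IF) ID 0.0.0.0 0.0.0.0 ...
            dyn.append((t[1].strip("()"), t[2]))
        elif t[0] == "static" and t[2] in ("tcp", "udp"):
            statics.append(t)

    out, by_mapped_ip = [], {}
    # Twice NAT first: the ASA evaluates section 1 (manual NAT) before object NAT.
    outside_if = next((g[0] for g in globals_.values()), "outside")
    for k, (iface, acl_name) in enumerate(nat0, 1):
        for ace in acls.get(acl_name, []):
            _, _, src, smask, dst, dmask = ace     # permit ip SRC SMASK DST DMASK
            out += [f"object network NAT0-LOCAL-{k}", f" subnet {src} {smask}",
                    f"object network NAT0-REMOTE-{k}", f" subnet {dst} {dmask}",
                    f"nat ({iface},{outside_if}) source static NAT0-LOCAL-{k} NAT0-LOCAL-{k} "
                    f"destination static NAT0-REMOTE-{k} NAT0-REMOTE-{k}"]
    # Static PAT becomes object NAT attached to the real host.
    for i, t in enumerate(statics, 1):
        real_if, mapped_if = t[1].strip("()").split(",")
        proto, mapped_ip, mport, real_ip, rport = t[2:7]
        name = f"STATIC-PAT-{i}"
        by_mapped_ip[mapped_ip] = name
        out += [f"object network {name}", f" host {real_ip}",
                f" nat ({real_if},{mapped_if}) static {mapped_ip} service {proto} {rport} {mport}"]
    # Dynamic PAT to the interface address goes last (after-auto = section 3).
    for iface, gid in dyn:
        g_if, pool = globals_.get(gid, (None, None))
        if pool == "interface":
            out.append(f"nat ({iface},{g_if}) after-auto source dynamic any interface")
        else:
            out.append(f"! REVIEW: global {gid} pool {pool} needs a manual translation")
    # Interface ACLs: swap mapped addresses for the real-address objects.
    for name, iface in applied.items():
        for ace in acls.get(name, []):
            for j in range(len(ace) - 1):
                if ace[j] == "host" and ace[j + 1] in by_mapped_ip:
                    ace[j:j + 2] = ["object", by_mapped_ip[ace[j + 1]]]
            out.append(f"access-list {name} extended {' '.join(ace)}")
        out.append(f"access-group {name} in interface {iface}")
    return out


def audit(pix_config):
    """Flag PIX lines that should be reviewed instead of copied to the ASA."""
    findings = []
    for line in pix_config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] in ("http", "ssh", "telnet") and t[1:3] == ["0.0.0.0", "0.0.0.0"]:
            iface = t[3] if len(t) > 3 else "?"
            findings.append((line, f"{t[0]} management open to any source on {iface}"))
        elif t[:2] == ["snmp-server", "community"] and t[2] in ("public", "private"):
            findings.append((line, "default SNMP community string"))
        elif "esp-des" in t or t[-2:] in (["encryption", "des"], ["hash", "md5"], ["group", "1"]):
            findings.append((line, "weak IKEv1/IPsec algorithm (DES, MD5 or DH group 1)"))
    return findings


if __name__ == "__main__":
    print("\n".join(translate(PIX_SAMPLE)))
    for line, why in audit(PIX_SAMPLE):
        print(f"REVIEW: {why}: {line}")
```

Run as a script it prints the ASA lines followed by the review findings. The crypto-map ACL (101 on the PIX) is deliberately left alone because it is not applied to an interface and already references real addresses, and the pre-shared key still has to come from documentation or be re-keyed with the remote side, as the thread goes on to discuss.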

New Member

Pix 501 configuration to ASA 5515-x...

Hello,

First off, thank you for the info! I'm learning a lot! The "outside" is AT&T, which was set up YEARS ago, before I came around. I noticed as well the L2L VPN configuration and was wondering WHY it would be configured. Is it necessary for the "WAN" cards? Also, I was reading some Cisco documents and it stated that even though I can configure the ASA 5515, the ISP has the MAC address of the PIX and until THEY change their side it's really not going to get a ping from them. My question is: Is there a way to MAC address clone the MAC address they already have?

Thanks again,

   Joseph

Super Bronze

Pix 501 configuration to ASA 5515-x...

Hi,

The L2L VPN configuration seems to be configured so a local network 10.10.10.0/24 can connect to a remote network 10.10.15.0/24 securely/encrypted through the public Internet. The L2L VPN is usually used to connect remote sites of a company or perhaps provide a secure connection to a third party site to access some services/resources.

I assume that the PIX is still in use in the network and the ASA is waiting to get placed in the network?

If so then I would try these commands to see if the VPN is active. Naturally it might not be up all the time unless it's actively used.

show crypto isakmp sa

show crypto ipsec sa

The L2L VPN configuration is in no way mandatory for the normal operation of the firewall. As I said, it's there to provide a connection between two sites securely through the Internet. Naturally another big thing related to it is the fact that these 2 private network ranges can communicate directly through this L2L VPN connection, which would not be possible directly through the Internet since the private ranges are not routable through the Internet.

With regards to the MAC address situation, you can indeed configure the PIX MAC address on the ASA's external interface.

First check the output of this command on the PIX

show interface

Find the correct interface and its output and check for the MAC address

Then go to the ASA under the interface configuration mode of the correct interface and enter

mac-address aaaa.bbbb.cccc

Where the aaaa.bbbb.cccc is naturally the MAC address that you checked from the current PIX firewall

Hope this helps

Please do remember to mark replies as the correct answer if they answered your question.

Feel free to ask more if needed though

- Jouni
