Apologies in advance if this comes off like a totally boneheaded question! :-)
Our situation is that we currently have a PIX 501 firewall, and we're upgrading to an ASA 5505 because the PIX is getting a little long in the tooth and coming up on end-of-life in Cisco's product life cycle. I didn't set the PIX up to start with, and in fact, I've never done a firewall setup from scratch. But I've had no problems with Telnetting into the PIX and using the command line interface to tweak the settings, reboot the PIX, copy & paste the current settings into a text file, etc.
The problem I'm having with the ASDM in setting up the ASA is figuring out what settings from the PIX's CLI printout correspond to what screens in the Setup Wizard. Yes, I've RTFM'ed; but the manual hasn't been of much help in figuring that out, and neither has Cisco's online documentation. What I'm looking for is a step-by-step, "cookbook style" procedure for entering the correct information for the ASA via the wizard. Does any such thing exist, or is anyone here familiar enough with the wizard to offer some hints?
If the current settings from the PIX will help, I can post them. But I'd prefer to hold off on doing that (even redacting private info) until I'm sure it will actually help.
Also, the PIX is still fully functional, so I'm not in a screaming hurry to finish the ASA setup. I don't have a dead PIX and no Internet connection and a bunch of network users breating down my neck, but I'd still like to make some progress with the ASA.
I realize that's kind of a big general question, but here's some specific help I can use: out of the box, the 5505 has as its internal IP address 192.168.1.1, which means it sees itself as part of the 192.168.1.x network. Our network is 192.168.0.x, so I need to know how to change that in the ASA so I don't lock myself out of the ASDM every time I try to change the ASA's IP address. "Reset to factory default" has become a very helpful friend lately! :-)
Any assistance, advice, or links to helpful info are much appreciated. Thanks in advance!
If you are looking to configure the ASA to match the current PIX settings, then CLI is the better method for this. If you are fluent in firewall configuration, then the ASDM is easy to use.
Print out the configuration from the PIX, and print out the base configuration from the ASA. Look for the differences between the interfaces and make adjustments as needed. Aside from the actual interfaces, and how CRYPTO is configured, they are pretty much the same. The big difference I like is the fact that tab now completes the commands, and gives you some help. The 5505 uses VLANs instead of interfaces for the inside and outside, so where you see ip address inside, put that under interface vlan instead. Static mappings, ACL's are all the same, you can basically copy and paste them in. This also will give you an opportunity to clean up the config if you have a lot of ACL's by using object groups instead.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...