Cisco Support Community
New Member

Testing a Firewall upgrade from PIX 7.0.2 to ASA 8.4.5

I have upgraded from PIX 7.0.2 to ASA 8.4.5 and had some issues regarding the NAMES list; I set up NETWORK-OBJECTS to get the HOSTS in the access-list added to the ASA.

The PIX script contained no NAT, only access-lists, and when the script was copied onto the ASA it was taken successfully.

I was wondering what methods are available to test the script I have compiled on the ASA, prior to switching from the PIX onto the ASA? What processes are normal to confirm the firewall is operational and the rulesets working? Any ideas / tools / commands would be welcome.

Accepted Solutions

There are changes in the NAT

There are changes in the NAT syntax and object grouping, and also in VPN configurations.

You need to make sure that certain things are taken care of in the new ASA, which runs version 8.4.

I have attached a reference for NAT changes pre and post 8.3, which might be helpful for you.

Using the packet-tracer command you can check that the NAT rules are working and the ACL is working fine.

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/p.html#wp1878788

Hope this helps.

Regards

Karthik

Silver

If you have the configuration

If you have the configuration, I can upload it to an ASA that supports this code and migrate the configuration, but I believe that we discontinued the migration tool.

You can email me at jumora@cisco.com; try to grab the output of more system:running-config, so that if you have any type of VPN configuration the pre-shared keys are sent in clear text and not as ****.

Value our effort and rate the assistance!
4 Replies

New Member

Karthik,

Really appreciate your response, it is very informative.

There are many objects and 14 ACLs, so packet tracer would be cumbersome. I was thinking more of something like the Firewall Migration Support tool in SolarWinds:

http://www.solarwinds.com/firewall-security-manager.aspx

Or freeware tools, similar to Router Audit Tool:

http://ncat.sourceforge.net/

Anyone have ideas on this, or suggestions?
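Karthik's packet-tracer suggestion, applied to the "many objects, 14 ACLs" problem raised in this reply, as an added example that is not from the thread or from Cisco: a Python script that generates one packet-tracer command per test flow and then checks a saved CLI session log against the expected allow/drop result. It assumes a hand-written flow list (one expected-allow and one expected-drop probe per rule) and that you paste the commands into the ASA and save the session to a file; the flows and the session log below are constructed.

```python
# Added example (not from the thread or Cisco): drive packet-tracer from a
# flow list instead of typing it per rule, then check the saved CLI output
# against what the migrated ruleset is supposed to do. Assumes you paste the
# generated commands into the ASA CLI and save the session to a text file.
import re

# Constructed test flows: (ingress_if, proto, src, sport, dst, dport, expected).
# One expected-allow and one expected-drop probe per rule you care about.
FLOWS = [
    ("outside", "tcp", "198.51.100.5", 40000, "10.1.1.10", 443, "allow"),
    ("outside", "tcp", "198.51.100.5", 40001, "10.1.1.10", 22, "drop"),
    ("inside", "udp", "10.1.1.20", 5000, "8.8.8.8", 53, "allow"),
]

def build_commands(flows):
    """One packet-tracer command per flow (the ASA keyword is hyphenated)."""
    return [f"packet-tracer input {i} {p} {s} {sp} {d} {dp}"
            for i, p, s, sp, d, dp, _ in flows]

# Constructed session log: every packet-tracer run ends with an "Action:" line.
SESSION_LOG = """\
ciscoasa# packet-tracer input outside tcp 198.51.100.5 40000 10.1.1.10 443
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Action: allow
ciscoasa# packet-tracer input outside tcp 198.51.100.5 40001 10.1.1.10 22
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa# packet-tracer input inside udp 10.1.1.20 5000 8.8.8.8 53
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_actions(log):
    """Map each echoed packet-tracer command to the final Action it produced."""
    actions, current = {}, None
    for line in log.splitlines():
        m = re.search(r"(packet-tracer input .+)$", line)
        if m:
            current = m.group(1).strip()
        elif current and line.startswith("Action:"):
            actions[current] = line.split(":", 1)[1].strip()
    return actions

def verify(flows, log):
    """(command, expected, observed) for each flow that misbehaved or is missing."""
    actions = parse_actions(log)
    return [(cmd, f[-1], actions.get(cmd, "missing"))
            for cmd, f in zip(build_commands(flows), flows)
            if actions.get(cmd, "missing") != f[-1]]
```

Put the real (pre-NAT) addresses in the flow list, since on 8.3 and later the ACL is evaluated against them; the third constructed flow shows the kind of mismatch a migration error produces.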

Silver

FYI: If there is NAT involved

FYI: if there is NAT involved on a lower-security interface that maps addresses with NAT, the ACL no longer points to the global translated address; it points to the private IP, since NAT happens before ACLs.

Value our effort and rate the assistance!