Pix 506 configuration to a ASA5510

todd_price · ‎11-09-2006

Im looking for a tool or something that I can convert my PIX 506(rev 6.3(5)) configuration to a ASA 5510 (rev 7.0(4)). Is there a easy way of doing this?

mlowery · ‎11-23-2006

No, but the commands are not that different.

a.kiprawih · ‎11-23-2006

Post the config so we can help you to convert it.

HTH

AK

yellandm1 · ‎11-29-2006

Similar delema

Im goin gfrom a 520 to a 5520 with little to no luck any help would be greatful

a.kiprawih · ‎11-29-2006

Are you having problem with the config, or issue allowing traffic in/out of the ASA?

Most of the PIX config already transfered to ASA, and looks ok.

yellandm1 · ‎11-30-2006

Having problems getting any traffic to the out bound once I stated moving the pix config over. I did't config the original so there atually may be an issue on the pix config that could be causing the issue on the asa Im just not seeing it.....:(

jgervia_2 · ‎11-30-2006

Hello,

Your configuration looks fine. Can you check some basic connectivity issues (ping things on all interfaces, check to see if you get arp entries). It may be something as simple as cabling

Also, I tried pinging the ip addresses on your outside interface (the 208 range) - check with your provider to make sure there isn't an issue - they say that network is unreachable - which means they might have an issue (or that network is off an interface on that router that is down)

C:\Documents and Settings>ping 208.35.55.3

Pinging 208.35.55.3 with 32 bytes of data:

Reply from 144.232.200.42: Destination net unreachable.

Ping statistics for 208.35.55.3:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

Control-C

^C

C:\Documents and Settings>ping 208.35.55.254

Pinging 208.35.55.254 with 32 bytes of data:

Reply from 144.232.200.42: Destination net unreachable.

--Jason

Please rate this message if it solved some or all of your issue/question.

yellandm1 · ‎11-30-2006

network is up and running on the Pix, you cant ping from the outside do to another layer of control, do a swap to the asa and nothing no dmz access no out bound traffic. same network cables. Log wise I get errors in refraance to missing routes....

jgervia_2 · ‎11-30-2006

Hello,

Can you paste us the exact log message?

yellandm1 · ‎11-30-2006

not in the office today, ice storm...

the erros Im recieving are in referance attempts made to the syslog server on the 10 network, not route to destination then fail or something on thoughs lines. thats whyy I started looking back at the config, I currently cant ping anything from each zone, meaning 10 can t ping 172, 172 cant ping each other how ever I show traffic between the 2 dmz'z. Static issue?

jgervia_2 · ‎11-30-2006

Hello,

It does sound like you have a nat issue of some sort, but without seeing the exact log message i can't really tell you what it is.

What I would do is remove these to statics:

no static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

nostatic (inside,dmz2) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

And turn off nat-control (which is what you were doing basically with those statics anyway)

no nat-control

Assuming your DMZ hosts know to route the 10.x traffic back to the firewall, your access lists should allow this to work.

--Jason

Please rate if this message if it helped solve some or all of your issue.

yellandm1 · ‎12-07-2006

arp cache on the router... thanks for the time

todd_price · ‎11-30-2006

Im all set. Thanks for the response.