Converting Filters and Rules from 3030 to ASA 5550
We started looking at replacing our 3030s today and I got to the point where we need to import all of our filters and rules from the 3030 into the 5550. I have 2 questions:
1. We checked the Cisco site and found a document on conversion, but it did not cover much with rules and filters. It just indicated that the ASA uses ACLs now. I looked at the ACLs but could not figure out how they related back to filters and rules like the 3030 has. Can someone explain this process?
2. Is there a way to do an "import" on the filters and rules to make this easy? We have tons of them.
As an example of what we are trying to do:
A contractor needs to VPN into our network and we want to allow him to only access a specific server.
In the VPN concentrator I would make a filter called "Contractor" and then make a rule allowing incoming access from him to the server and then outgoing access from the server to him. I would then apply this rule to the filter "Contractor". On my ACS server I would create another group called "ACSContractor". Under the properties of that group I would check the box for "filter-id" and then type in "Contractor". At this point they would be able to log in with this access.
Re: Converting Filters and Rules from 3030 to ASA 5550
I may have found something. Is this what I would be doing?
Enforcing CSD Checks and Applying Policies via DAP
This example creates a DAP that checks that a user belongs to two specific AD/LDAP groups (Engineering and Employees) and a specific ASA tunnel group. It then applies an ACL to the user.
The ACLs that DAP applies control access to the resources. They override any ACLs defined in the group policy on the security appliance. In addition, the security appliance applies the regular AAA group policy inheritance rules and attributes for those that DAP does not define or control, examples being split tunneling lists, banner, and DNS.
As for migration tools, I have not yet seen one out there. If you have SmartNet, perhaps asking TAC directly may get a solid answer on tools. As far as I know, the conversion has to be done manually, like you are doing it.
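As an added illustration (not from the original post or from Cisco's documentation), here is one way the 3030 "Contractor" filter and its rule pair map onto ASA configuration: the rules become a named ACL and the filter becomes a group-policy that applies that ACL with vpn-filter. All names and addresses below are made up; the IP pool and tunnel-group are assumed to already exist on the 5550.

```cisco
! Added example, not the poster's configuration. Addresses are constructed.
! Assumed: the protected server is 192.168.1.20; the contractor's
! address comes from the pool CONTRACTOR_POOL on tunnel-group ContractorVPN.

! 1. The 3030 incoming + outgoing rule pair becomes one ACL entry.
!    A vpn-filter ACE is written client -> server; the ASA permits the
!    matching return traffic, so the "outgoing" rule is not written again.
!    "any" is safe as the source because the filter only applies to the
!    session of the user who receives it.
access-list CONTRACTOR_FILTER extended permit ip any host 192.168.1.20
! Explicit deny with log so blocked attempts show in the syslog
access-list CONTRACTOR_FILTER extended deny ip any any log

! 2. The 3030 "filter" becomes a group-policy that references the ACL
group-policy Contractor internal
group-policy Contractor attributes
 vpn-filter value CONTRACTOR_FILTER

! 3. Assign the group-policy to the contractor's tunnel-group
tunnel-group ContractorVPN general-attributes
 address-pool CONTRACTOR_POOL
 default-group-policy Contractor

! Verification after the contractor connects: the permit line should
! show a non-zero hit count and the deny line should stay at zero.
! show access-list CONTRACTOR_FILTER
```

Instead of the local default-group-policy, ACS can return the ACL name in the IETF RADIUS Filter-Id attribute, which is the closest equivalent of the filter-id box you used for the 3030; the ACL itself still has to exist on the ASA.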