topic Re: ASA 5510-K8 (ver 9.1) to ASA 5516-FPWR-K9 (ver 9.8) Migration in Network Security

ASA 5510-K8 (ver 9.1) to ASA 5516-FPWR-K9 (ver 9.8) Migration

Aberdo — Fri, 21 Feb 2020 16:20:08 GMT

Hello Everyone,

I'm planning an ASA hardware migration from a ASA 5510-K8 v9.1(7)23, ADSM v7.5(2)153 to a ASA 5516-FPWR-K9 v9.8(2), ADSM v7.8(2), FirePOWER v6.2.2-81.

I'm pretty new to the ASAs and I would like to get your help/advise for a migration.

Areas of concern (current, but feel free to chime in if I should have something else on my radar)

1) Would I be able to copy/paste the config? Are there any issues with config translation (NAT or ACL) with the sw versions I am running? I believe I'll have to update FirePOWER to a newer version.

2) What do I need to be aware of when migrating from a device that does not have FirePOWER to a device that does use FirePOWER?

3) A primary function of this ASA is to support remote users using AnyConnect. Are there any special considerations I'll need to take into account?

Thank you so much in advance.

Re: ASA 5510-K8 (ver 9.1) to ASA 5516-FPWR-K9 (ver 9.8) Migration

Marvin Rhoads — Tue, 09 Oct 2018 15:47:04 GMT

That's a relatively straightforward migration.

1. NAT and ACL are OK to paste in as-is. You have to change your interface commands as the numberings is different in the ASA 5510 vs. the ASA 5516-X.

5510: GigabitEthernet 0/0 through GigabitEthernet 0/3 (assuming Security Plus license)

5516: Gigabit Ethernet 1/1 through Gigabit Ethernet 1/8

2. No big deal. Just add the standard bits on the 5516-X to select interesting traffic and redirect it to the Firepower module for inspection.

3. You need to be sure to migrate over the certificate. Depending on how it was issued, it may be easier to get one re-issued from your CA. (i.e. you will need the certificate private key). Your AnyConnect licenses need to be 4.x to be eligible to migrate them to a new appliance. If you are using a connection profile or a DAP policy you need to be sure to move those files over. Similarly you need to put the AnyConnect client images (pkg files) on the new ASA.

Re: ASA 5510-K8 (ver 9.1) to ASA 5516-FPWR-K9 (ver 9.8) Migration

Aberdo — Mon, 22 Oct 2018 13:34:08 GMT

Thank you Marvin, I appreciate your response. I'm good with number 1 and 3 but I'm unsure about number 2, could you elaborate more on "adding the standard bits" and "redirect interesting traffic to the Firepower module". Again I'm fairly new to the ASAs so my apologies for the gap in translation.

Re: ASA 5510-K8 (ver 9.1) to ASA 5516-FPWR-K9 (ver 9.8) Migration

Marvin Rhoads — Mon, 22 Oct 2018 13:50:18 GMT

You're welcome. Instructions for doing what I mentioned regarding traffic redirection can be found in the Quick Start Guide here:

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html#pgfId-150474

Basically you decide whether to inspect all traffic or a subset of it. In the latter case you specify it using an ACL. That's then called out in a class-map / policy map /service policy combination and those bits serve to send the selected traffic to the Firepower module for inspection and disposition.

Re: ASA 5510-K8 (ver 9.1) to ASA 5516-FPWR-K9 (ver 9.8) Migration

PRAVEENJ — Mon, 03 Dec 2018 09:55:51 GMT

Hello ,

I just migrated from from asa 5510 ver(9.1) to asa 5516 ver(9.8) . After migration our vpn clients can talk to the “File Server”, on the main site but they are not able to communicate with servers on the other sites. site to site has been configured and hair pinning is also enabled on the main server.

when i compared the running config of both the firewalls, i found below extra thing on asa 5516 which was not there in 5510,

object network obj_any

subnet 0.0.0.0 0.0.0.0

no failover
no monitor-interface service-module
arp rate-limit 16384
object network obj_any

nat (any,outside) dynamic interface

timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa authentication login-history
http 192.168.1.0 255.255.255.0 inet-backup
dhcpd auto_config outside
no tcp-inspection
inspect esmtp

can anyone please suggest the troubleshooting steps, thanks in advance.

Re: ASA 5510-K8 (ver 9.1) to ASA 5516-FPWR-K9 (ver 9.8) Migration

Marvin Rhoads — Mon, 03 Dec 2018 10:34:20 GMT

Make your your hairpin NAT statement ("nat (outside,outside)...") comes before the dynamic NAT statement you listed.

Re: ASA 5510-K8 (ver 9.1) to ASA 5516-FPWR-K9 (ver 9.8) Migration

PRAVEENJ — Mon, 03 Dec 2018 10:57:07 GMT

Hello marvin,

sorry there is no ("nat (outside,outside)...") statement in my configuration. The dynamic NAT statement that i listed before was automatically added in the new firewall, do i need to remove that..???

thank you so much for you quick response.

Re: ASA 5510-K8 (ver 9.1) to ASA 5516-FPWR-K9 (ver 9.8) Migration

Marvin Rhoads — Mon, 03 Dec 2018 13:18:21 GMT

Sorry - I incorrectly assumed you were using NAT.

If you're not using NAT then, yes - definitely remove that.

Re: ASA 5510-K8 (ver 9.1) to ASA 5516-FPWR-K9 (ver 9.8) Migration

PRAVEENJ — Mon, 03 Dec 2018 15:35:57 GMT

Yes we are using nat,but nat(outside, outside) statement is not there in configuration. Only nat(inside, outside) we are using...

Re: ASA 5510-K8 (ver 9.1) to ASA 5516-FPWR-K9 (ver 9.8) Migration

PRAVEENJ — Tue, 04 Dec 2018 04:38:08 GMT

hello marvin,

In show run, the NAT statement appears like below,

nat (inside,outside) source static Bangalore_To_Azure Bangalore_To_Azure destination static Azure_RANGES Azure_RANGES
nat (inside,outside) source static bangalore-ranges bangalore-ranges destination static dubai-ranges dubai-ranges no-proxy-arp route-lookup
nat (inside,outside) source static bangalore-ranges bangalore-ranges destination static london-ranges london-ranges no-proxy-arp route-lookup
nat (inside,outside) source static bangalore-ranges bangalore-ranges destination static chicago-ranges chicago-ranges no-proxy-arp route-lookup
nat (inside,outside) source static bangalore-ranges bangalore-ranges destination static singapore-ranges singapore-ranges no-proxy-arp route-lookup
nat (inside,outside) source static bangalore-ranges bangalore-ranges destination static sydney-ranges sydney-ranges no-proxy-arp route-lookup
nat (inside,outside) source static bangalore-ranges bangalore-ranges destination static capetown-ranges capetown-ranges no-proxy-arp route-lookup
nat (inside,outside) source static bangalore-ranges bangalore-ranges destination static lithuania-ranges lithuania-ranges no-proxy-arp route-lookup
nat (inside,outside) source static bangalore-ranges bangalore-ranges destination static remoteaccessvpn-ranges remoteaccessvpn-ranges no-proxy-arp route-lookup
nat (inside,outside) source static remoteaccessvpn-ranges remoteaccessvpn-ranges destination static singapore-ranges singapore-ranges no-proxy-arp route-lookup
nat (inside,outside) source static remoteaccessvpn-ranges remoteaccessvpn-ranges destination static london-ranges london-ranges no-proxy-arp route-lookup
nat (inside,outside) source static bangalore-ranges bangalore-ranges destination static shanghai-ranges shanghai-ranges no-proxy-arp route-lookup
nat (inside,outside) source static bangalore-ranges bangalore-ranges destination static santiago-ranges santiago-ranges no-proxy-arp route-lookup
nat (inside,outside) source static remoteaccessvpn-ranges remoteaccessvpn-ranges destination static chicago-ranges chicago-ranges no-proxy-arp route-lookup
nat (inside,outside) source static NONATSOURCES NONATSOURCES destination static NONATDESTINATIONS NONATDESTINATIONS no-proxy-arp route-lookup
nat (inside,inet-backup) source static NONATSOURCES NONATSOURCES destination static NONATDESTINATIONS NONATDESTINATIONS no-proxy-arp route-lookup
nat (inside,inet-backup) source static Bangalore_To_Azure Bangalore_To_Azure destination static Azure_RANGES Azure_RANGES
nat (inside,outside) source static Bangalore_To_Azure Bangalore_To_Azure destination static Azure_Dev_RANGES Azure_Dev_RANGES
nat (inside,outside) source static bangalore-ranges bangalore-ranges destination static lithuania_clientvpn_ranges lithuania_clientvpn_ranges no-proxy-arp route-lookup
nat (inside,outside) source static Bangalore_To_Azure Bangalore_To_Azure destination static Azure_PROD_SEA_RANGES Azure_PROD_SEA_RANGES
nat (inside,outside) source static Bangalore_To_Azure Bangalore_To_Azure destination static Azure_PROD_WE_RANGES Azure_PROD_WE_RANGES
nat (inside,outside) source static Bangalore_To_Azure Bangalore_To_Azure destination static Azure_Dev_WEU_RANGES Azure_Dev_WEU_RANGES
nat (inside,inet-backup) source static bangalore-ranges bangalore-ranges destination static london-ranges london-ranges no-proxy-arp route-lookup
nat (inside,outside) source static Bangalore_To_Azure Bangalore_To_Azure destination static Azure_BESPIN_WE_RANGES Azure_BESPIN_WE_RANGES
!
object network obj_any
nat (any,outside) dynamic interface
object network obj-192.168.48.20-ldap
nat (inside,outside) static interface service tcp ldap ldap
object network obj-192.168.48.20-https
nat (inside,outside) static xxx.xxx.xxx.xxx service tcp https https
object network OUTSIDE-RDP
nat (inside,inet-backup) static interface service tcp 3389 3389
!
nat (inside,outside) after-auto source dynamic any interface
nat (inside,inet-backup) after-auto source dynamic any interface

Re: ASA 5510-K8 (ver 9.1) to ASA 5516-FPWR-K9 (ver 9.8) Migration

PRAVEENJ — Tue, 04 Dec 2018 04:43:31 GMT

I am having issues getting my VPNclients to be able to hairpin. I had this functional on my 5510, and used the same configuration from the 5510 to establish the setup on the 5516. Clients are able to talk to resources on the LAN, but unable to get out to the internet on a hairpin.

WHEN I COMPARED THE RUNNING CONFIG OF BOTH 5510 AND 5516 I FOUND BELOW EXTRA LINES ON 5516.

object network obj_any

subnet 0.0.0.0 0.0.0.0

no failover
no monitor-interface service-module
arp rate-limit 16384
object network obj_any

nat (any,outside) dynamic interface

timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa authentication login-history
http 192.168.1.0 255.255.255.0 inet-backup
dhcpd auto_config outside
no tcp-inspection
inspect esmtp

Re: ASA 5510-K8 (ver 9.1) to ASA 5516-FPWR-K9 (ver 9.8) Migration

Marvin Rhoads — Tue, 04 Dec 2018 05:47:52 GMT

When you say VPN clients, do you mean remote access VPN using AnyConnect?

The situation is that when on VPN to the main site, they cannot reach hosts at a different site which is connected to the main site via a site-site VPN - correct?

We would need to see the NAT configuration as well as the ACL referenced by the split-tunnel section of the ASA configuration.

show run nat

show run group-policy | i split-tunnel

...plus the access-list as mentioned.

Re: ASA 5510-K8 (ver 9.1) to ASA 5516-FPWR-K9 (ver 9.8) Migration

PRAVEENJ — Tue, 04 Dec 2018 06:50:18 GMT

Hello marvin,

nat configuration details

access-group outsidein in interface outside
access-group inet-backupin in interface inet-backup
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1 track 1
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inet-backup 0.0.0.0 0.0.0.0 *.*.*.* 254
route inside 192.168.148.0 255.255.254.0 192.168.48.10 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10

group-policy | i split-tunnel

group-policy default_remoteaccess internal
group-policy default_remoteaccess attributes
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value default_remoteaccess_split
group-policy bangalore_remoteaccess internal
group-policy bangalore_remoteaccess attributes
dns-server value 192.168.48.20
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value default_remoteaccess_split
default-domain value ***.com

ACL referenced by the split-tunnel

access-list default_remoteaccess_split extended permit ip 192.168.48.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.0
access-list default_remoteaccess_split extended permit ip 192.168.42.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.0
access-list default_remoteaccess_split extended permit ip object-group london-ranges xxx.xxx.xxx.xxx 255.255.255.0
access-list default_remoteaccess_split extended permit ip 192.168.40.0 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.0
access-list default_remoteaccess_split extended permit ip 192.168.148.0 255.255.254.0 xxx.xxx.xxx.xxx 255.255.255.0
access-list default_remoteaccess_split extended permit ip object-group Azure_RANGES object-group VPNPOOL_BANGALORE
access-list default_remoteaccess_split extended permit ip object-group Azure_PROD_SEA_RANGES object-group VPNPOOL_BANGALORE
access-list default_remoteaccess_split extended permit ip object-group Azure_BESPIN_WE_RANGES object-group VPNPOOL_BANGALORE