topic Still Learning ASA and need help in Network Security

Still Learning ASA and need help

burleyman — Tue, 12 Mar 2019 00:49:06 GMT

I am working on an ASA upgrade and am spinning my wheels. I need to convert a config that was running asa825-k8.bin and is now running asa911-k8.bin

Here is the config that needs to be converted. Most everything comes over fine I am having issues with the NAT, VPN and ACL's and it does not help I have not done a lot with them and I did not do the original config.

Treat the 172.30.1.0 and 200.200.0.0 addresses as Public and the 10.160.0.0 as private.

ASA Version 8.2(5)
!
hostname MYD-asa5505
domain-name MYDomain.dom
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
name 10.160.0.16 MYD-fs02
name 172.30.1.98 remote.MYDomain.com
name 172.30.1.99 mail.MYDomain.com
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport trunk native vlan 1
!
interface Vlan1
nameif inside
security-level 100
ip address 10.160.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address remote.MYDomain.com 255.255.255.248
!
interface Vlan5
nameif dmz
security-level 50
ip address 10.160.10.1 255.255.255.0
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.160.0.10
domain-name MYD.dom
access-list outside_access_in extended permit tcp 200.200.0.0 255.255.240.0 host mail.MYDomain.com eq smtp
access-list inside_nat0_outbound extended permit ip 10.160.0.0 255.255.255.0 192.168.44.0 255.255.255.0
access-list MYD-internal standard permit 10.160.0.0 255.255.255.0
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNPOOL 192.168.44.1-192.168.44.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm location 10.160.0.10 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) mail.MYDomain.com MYD-fs02 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.30.1.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.160.0.0 255.255.255.0 inside
http 192.168.44.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxxxxxxxxxxxxxxxxxxxx
<Output Omitted>
quit
no vpn-addr-assign dhcp
telnet timeout 45
ssh 10.160.0.0 255.255.255.0 inside
ssh 192.168.44.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 2
svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 3 regex "Intel Mac OS X"
svc image disk0:/anyconnect-macosx-powerpc-2.5.3055-k9.pkg 4 regex "PPC Mac OS X"
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 10.160.0.16
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MYD-internal
default-domain value MYD.dom
address-pools value MYD-ssl-ip-pool
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 10.160.0.16
vpn-tunnel-protocol svc
default-domain value MYD.dom
username xxxxxxx password xxxxxxxxxxxxxx encrypted
username xxxxxxx password xxxxxxxxxxxxxx encrypted
username xxxxxxx password xxxxxxxxxxxxxx encrypted
username xxxxxxx password xxxxxxxxxxxxxx encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPNPOOL
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias REMOTE enable
group-alias remote_local disable
!
!
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end

Thanks,

Mike

Still Learning ASA and need help

saurabhgoel169 — Sat, 19 Jan 2013 07:33:15 GMT

Hi,

NAT config is change in 8.3 or above version..

Please use the change the configuration of Object NAT as per 9.1 surely it will work for you..

Regards

Saurabh Goel

Re: Still Learning ASA and need help

Jouni Forss — Sat, 19 Jan 2013 09:24:27 GMT

Hi,

Your NAT configuration would be something like this

Basic PAT

object-group network DEFAULT-PAT-SOURCE

network-object 10.160.0.0 255.255.255.0

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Single Static + ACL

object network STATIC

host 10.160.0.16

nat (inside,outside) static 172.30.1.99 dns

access-list outside_access_in extended permit tcp 200.200.0.0 255.255.240.0 object STATIC eq smtp

NAT0 / NAT Exempt

object network LAN

subnet 10.160.0.0 255.255.255.0

object network VPN-POOL

subnet 192.168.44.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

Regarding the VPN. It seems you only probably use AnyConnect SSL VPN so you might not need to change that much.

The setting that defines which type of VPN is used has changed in the newer versions

There is no more vpn-tunnel-protocol svc or webvpn

There is now

ssl-client
ssl-clientless
ikev1
ikve2
l2tp-ipsec

Please let us know specifically what else is not working

Hopefully the above was helpfull

- Jouni

Still Learning ASA and need help

burleyman — Sat, 19 Jan 2013 14:06:47 GMT

Jouni,

Wow thank you very much. I am working on this now and will let you know how this works.

Mike

Still Learning ASA and need help

burleyman — Sun, 20 Jan 2013 15:59:26 GMT

Jouni,

That worked great! and I was able to do the VPN as well. I will post the config in a while for others to compare. Thanks for you help.

Mike