topic Re: PIX TO ASA Command Conversion Urgent!! in Network Security

PIX TO ASA Command Conversion Urgent!!

Charlie Mayes — Mon, 11 Mar 2019 14:41:21 GMT

Hello ALL,

My PIX 515E overheated and caught on fire. I have transferred all my configs from the PIX to a ASA 5505 Except

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

The ASA keeps telling me the

INFO: converting 'fixup protocol tftp 69' to MPF commands

I have no idea how to use the ASA commands to reproduce these settings. HELP!!

PIX PIX Version 6.3(3)

ASA 5505

6 8312832 May 09 2007 05:14:36 asa722-k8.bin

7 1868412 May 09 2007 05:14:50 securedesktop-asa-3.1.1.29-k9.pkg

8 398305 May 09 2007 05:15:04 sslclient-win-1.1.0.154.pkg

9 5623108 May 09 2007 05:16:06 asdm-522.bin

Re: PIX TO ASA Command Conversion Urgent!!

Jon Marshall — Fri, 23 Jan 2009 18:36:31 GMT

Charlie

Are you actually using any of the fixups or is it just part of the default config ?

The equivalent ASA default config is -

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

This should already be in the config. You only need to do further modification if you have changed any of the fixups on your original pix.

Does this make sense ?

Jon

Re: PIX TO ASA Command Conversion Urgent!!

Charlie Mayes — Fri, 23 Jan 2009 18:57:14 GMT

I am not sure. That firewall was not configured by me originally. I am new to this organization and the network engineer left so nobody has a clue. I am just attempting to replace all the comfigs as they were. You are right I see the configs exactly were you told me they would be. Thanks for your help Jon.

Oh yeah the to statement at the bottom would not work in the ASA either. Do you know why?

conduit permit icmp any any

pdm history enable

Cryptochecksum:eac74af3bf43d37b42b1b6a3fc0f8b4d

Re: PIX TO ASA Command Conversion Urgent!!

Jon Marshall — Fri, 23 Jan 2009 19:04:11 GMT

Charlie

"conduit permit icmp any any"

won't work because the ASA doesn't use conduits. The equivalent is just an access-list ie.

access-list icmptraffic permit icmp any any

but you need to work out where it has been applied.

"pdm history enable"

won't work because the ASA uses ASDM not PDM.

I wouldn't worry about the fixups, they always appear in the config and a lot of the time there is no need to modify them so you just accept the defaults so you can do the same on the ASA. If something that relies on a fixup stops working that would be the time to worry :-).

As for the ICMP - not sure how this was applied on your previous pix.

Jon

Re: PIX TO ASA Command Conversion Urgent!!

Charlie Mayes — Fri, 23 Jan 2009 20:05:41 GMT

Ok Cool. I have one more issue which so weird Jon. I am running the ASA in rouer mode but I still keep gettig this message.

This license does not allow configuring more than 2 interfaces with

nameif and without a "no forward" command on this interface or on 1 interface(s)

with nameif already configured.

I have configured the ip address, security-level and even added the inteface to the vlan but it will not let me name it. Crazy!! What is the issue here?

Re: PIX TO ASA Command Conversion Urgent!!

Richard Burts — Mon, 26 Jan 2009 03:22:28 GMT

Charlie

The issue is that you have a 5505 with a basic license. And that basic license puts restrictions on the use of the third VLAN. I believe that if you add the no forward command to the interface then you will be able to name it.

HTH

Rick