Testing a Firewall upgrade from PIX 7.0.2 to ASA 8.4.5

Ed OLeary, Level 1

I have upgraded from PIX 7.0.2 to ASA 8.4.5 and had some issues regarding the NAMES list; I set up NETWORK-OBJECTS to get the HOSTS in the access-list added to the ASA.

The PIX script contained no NAT, only access-lists, and when the script was copied onto the ASA it was taken successfully.

I was wondering what methods are available to test the script I have compiled on the ASA prior to switching from the PIX onto the ASA. What processes are normal to confirm the firewall is operational and the rulesets are working? Any ideas / tools / commands would be welcome.

 


4 Replies

nkarthikeyan, Level 7

There are changes in the NAT syntax and object grouping, and also in the VPN configuration.

You need to make sure that certain things are taken care of in the new ASA, which runs version 8.4.

I have attached a reference for the NAT changes pre and post 8.3, which might be helpful for you.

Using the packet-tracer command you can check that the NAT rules and the ACL are working fine.

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/p.html#wp1878788

Hope this helps.

Regards

Karthik

Karthik,

Really appreciate your response; it is very informative.

There are many objects and 14 ACLs, so packet-tracer would be cumbersome. I was thinking more of something like the Firewall Migration Support tool in SolarWinds:

http://www.solarwinds.com/firewall-security-manager.aspx

or freeware tools similar to the Router Audit Tool:

http://ncat.sourceforge.net/

Does anyone have ideas on this, or suggestions?
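Karthik's packet-tracer suggestion does scale to a migrated ruleset with many objects and ACLs if you treat it as a batch job rather than typing flows one at a time: keep a table of flows the PIX ruleset was known to permit or deny, generate one packet-tracer line per flow, paste them into the ASA, and let a script compare the captured verdicts with what the old firewall did. The Python below is an added example, not code from this thread or from Cisco: the flow table, object and ACL names, and the two packet-tracer outputs are constructed (RFC 5737 addresses) and stand in for what the ASA would actually print; the parser relies only on the `Action:`, `Drop-reason:` and per-phase `Type:`/`Config:` lines of packet-tracer's plain-text output.

```python
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """One flow the migrated ruleset must handle, with the verdict we expect."""
    ifc: str      # ingress interface name on the ASA
    proto: str    # tcp | udp | icmp
    src: str
    sport: int
    dst: str
    dport: int
    expect: str   # "allow" or "drop", taken from the PIX's known behaviour


# Constructed test matrix (RFC 5737 addresses, hypothetical object/ACL names).
FLOWS = [
    Flow("outside", "tcp", "198.51.100.7", 40000, "203.0.113.10", 80, "allow"),
    Flow("outside", "tcp", "198.51.100.7", 40001, "203.0.113.10", 22, "drop"),
]


def packet_tracer_cmd(f: Flow) -> str:
    """Render the packet-tracer invocation for a flow (ASA 8.x syntax)."""
    return f"packet-tracer input {f.ifc} {f.proto} {f.src} {f.sport} {f.dst} {f.dport}"


def parse_packet_tracer(output: str) -> dict:
    """Extract the verdict, the drop reason and the Config lines of the
    ACCESS-LIST phase from packet-tracer's plain-text output."""
    action = re.search(r"^Action:\s*(\w+)", output, re.M)
    reason = re.search(r"^Drop-reason:\s*(.+)$", output, re.M)
    acl = re.search(r"^Type: ACCESS-LIST.*?^Config:\n(.*?)^Additional Information:",
                    output, re.M | re.S)
    return {
        "action": action.group(1).lower() if action else None,
        "drop_reason": reason.group(1).strip() if reason else None,
        "acl_config": [l for l in acl.group(1).splitlines() if l.strip()] if acl else [],
    }


def check_flows(flows, outputs) -> list:
    """Pair each flow with its captured packet-tracer output and return the
    mismatches as (command, expected, parsed) so the offending rule is visible."""
    failures = []
    for f, out in zip(flows, outputs):
        parsed = parse_packet_tracer(out)
        if parsed["action"] != f.expect:
            failures.append((packet_tracer_cmd(f), f.expect, parsed))
    return failures


# Constructed outputs standing in for what the ASA would return for FLOWS[0]
# and FLOWS[1]; phases the check does not need are omitted.
SAMPLE_OUTPUTS = [
"""Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network web-server
 nat (inside,outside) static 203.0.113.10
Additional Information:
NAT divert to egress interface inside
Untranslate 203.0.113.10/80 to 10.1.1.10/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit tcp any object web-server eq www
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
""",
"""Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
""",
]


if __name__ == "__main__":
    for f in FLOWS:            # paste these lines into the ASA, capture the output
        print(packet_tracer_cmd(f))
    for failure in check_flows(FLOWS, SAMPLE_OUTPUTS):
        print("MISMATCH", failure)
```

The expected verdicts come from the PIX, not from reading the new config: run the same flows through the old box (PIX 7.x has packet-tracer too) and record its answers, so the comparison catches objects or NAMES entries that were mistranslated rather than confirming whatever the ASA happens to do. For each mismatch the `acl_config` lines show which rule the ASA matched, which is usually enough to spot the wrong object or the rule that landed in the wrong order.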

If you have the configuration, I can upload it to an ASA that supports this code and migrate the configuration, but I believe that we discontinued the migration tool.

You can email me at jumora@cisco.com. Try to grab a more system:running-config output, so that if you have any type of VPN configuration the pre-shared keys are sent in clear text and not as ****.

Value our effort and rate the assistance!

FYI: if there is NAT involved on a lower-security interface that maps addresses, the ACL no longer points to the global translated address; it points to the private IP, since NAT happens before ACLs.

Value our effort and rate the assistance!
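To make the ordering in the FYI above concrete, here is the same static translation written pre-8.3 and then in 8.3+ syntax. This is an added side-by-side, not configuration from the thread; the addresses are RFC 5737 documentation ranges and the object and ACL names are hypothetical. Before 8.3 the ACL applied on the outside interface matched the mapped (global) address; from 8.3 on, NAT is evaluated before the ACL, so the same rule must name the real (inside) address or the network object that holds it:

```cisco
! Pre-8.3 (PIX 7.x / ASA 8.2): the outside ACL names the mapped address
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! 8.3 and later: NAT sits on the network object and the ACL names the real host
object network web-server
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-list outside_in extended permit tcp any object web-server eq www
access-group outside_in in interface outside
```

The trap to check for after a migration is an ACL line carried over unchanged from the PIX that still permits the global address: on 8.3+ it is syntactically valid but matches nothing, because by the time the ACL is evaluated the destination has already been untranslated to 10.1.1.10, and the flow falls through to the implicit deny. A packet-tracer from outside to 203.0.113.10 port 80 shows this directly: the UN-NAT phase should appear before the ACCESS-LIST phase, and the ACCESS-LIST phase should permit on the real address. The original poster's PIX script carried no NAT, so this particular case does not arise there, but any NAT added later on the ASA must follow the 8.3+ form.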