05-13-2014 02:07 PM - edited 03-11-2019 09:11 PM
I have upgraded from PIX 7.0.2 to ASA 8.4.5 and had some issues regarding the NAMES list; I set up NETWORK-OBJECTS to get the HOSTS in the access-list added to the ASA.
The PIX script contained no NAT, only access-lists, and when the script was copied onto the ASA it was taken successfully.
I was wondering what methods are available to test the script I have compiled on the ASA, prior to switching from the PIX onto the ASA? What processes are normal to confirm the firewall is operational and the rulesets are working? Any ideas / tools / commands would be welcome.
05-14-2014 02:59 AM
There are changes in the NAT syntax and object grouping, and also in VPN configurations.
You need to make sure that certain things are taken care of in the new ASA, which runs version 8.4.
I have attached a reference for NAT changes pre- and post-8.3, which might be helpful for you.
Using the packet-tracer command you can check that the NAT rules and the ACLs are working fine.
packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/p.html#wp1878788
Hope this helps.
Regards
Karthik
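As an added example (not from Karthik's post and not a Cisco tool), a small Python helper that turns a table of expected flows into packet-tracer commands and checks the final Action line of each result against the expectation, so the 14 ACLs can be bulk-verified instead of traced one flow at a time. The packet-tracer output it parses is constructed here; in practice it would be collected from the ASA.

```python
import re
from dataclasses import dataclass

@dataclass
class FlowTest:
    """One flow the migrated ruleset must handle; expect is "allow" or "drop"."""
    src_int: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    expect: str

def packet_tracer_cmd(t: FlowTest) -> str:
    """Render the ASA packet-tracer command for one flow (syntax as in the post above)."""
    return f"packet-tracer input {t.src_int} {t.proto} {t.src} {t.sport} {t.dst} {t.dport}"

def parse_result(output: str) -> dict:
    """Take the final Action: line (each phase prints its own) plus any Drop-reason."""
    actions = re.findall(r"^Action:\s*(\w+)", output, re.M)
    reason = re.search(r"^Drop-reason:\s*(.+)$", output, re.M)
    return {"action": actions[-1].lower() if actions else "unknown",
            "reason": reason.group(1).strip() if reason else ""}

def check_flows(tests, outputs):
    """Return (command, expected, observed, drop-reason) for every flow that disagrees."""
    mismatches = []
    for t, out in zip(tests, outputs):
        r = parse_result(out)
        if r["action"] != t.expect:
            mismatches.append((packet_tracer_cmd(t), t.expect, r["action"], r["reason"]))
    return mismatches

# Constructed expectations and packet-tracer output (RFC 5737 addresses, not a real config).
FLOW_TESTS = [
    FlowTest("inside", "tcp", "192.0.2.10", 12345, "198.51.100.20", 80, "allow"),
    FlowTest("outside", "tcp", "198.51.100.99", 4444, "192.0.2.10", 22, "drop"),
]
SAMPLE_OUTPUTS = [
    "Phase: 1\nType: ACCESS-LIST\nResult: ALLOW\n\nResult:\ninput-interface: inside\n"
    "output-interface: outside\nAction: allow\n",
    "Phase: 1\nType: ACCESS-LIST\nResult: DROP\n\nResult:\ninput-interface: outside\n"
    "Action: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule\n",
]

def run_checks():
    """Compare the constructed results against expectations; an empty list means all agree."""
    return check_flows(FLOW_TESTS, SAMPLE_OUTPUTS)

if __name__ == "__main__":
    for cmd, want, got, why in run_checks():
        print(f"MISMATCH {cmd}: expected {want}, got {got} {why}")
```

Feeding the real output of each generated command into check_flows gives a single pass/fail list for the whole ruleset before cutover.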
05-14-2014 04:04 PM
If you have the configuration I can upload it to an ASA that supports this code and migrate the configuration, but I believe that we discontinued the migration tool.
You can email me at jumora@cisco.com; try to grab a "more system:running-config" output so that, if you have any type of VPN configuration, the pre-shared keys are sent in clear text and not as ****.
05-14-2014 02:58 PM
Karthik,
Really appreciate your response, it is very informative.
There are many objects and 14 ACLs, so packet tracer would be cumbersome. I was thinking more of something like the Firewall Migration Support tool in SolarWinds
http://www.solarwinds.com/firewall-security-manager.aspx
or freeware tools similar to the Router Audit Tool
http://ncat.sourceforge.net/
Anyone have ideas on this, or suggestions?
05-14-2014 04:06 PM
FYI: If there is NAT involved on a lower-security interface that maps addresses with NAT, the ACL no longer points to the global translated address; it points to the private IP, since NAT happens before ACLs.