ASA 8.2 to 8.4 conversion help needed!

Jon Diers · ‎11-14-2016

I am having issues with a site to site tunnel between an ASA and a CheckPoint firewall. All of the devices on 8.2 work fine but the new ones are not working. Part of the config is not being copied over so I was hoping to get some help in the conversion of it. Here is the code on the firewalls that work. I know it is sloppy, sorry.

object-group network TUNNELINSIDE
network-object host 192.168.149.11
network-object host 192.168.149.20
network-object host 192.168.149.43
network-object host 192.168.149.44
object-group network TUNNELOUTSIDE
network-object fake ip 1
network-object fake ip 2
access-list outside_cryptomap extended permit ip object-group TUNNELINSIDE object-group TUNNELOUTSIDE
access-list outside_access_in extended permit ip object-group TUNNELOUTSIDE any
access-list inside_nat0_outbound extended permit ip object-group TUNNELINSIDE object-group TUNNELOUTSIDE
access-list inside_nat0_outbound_1 extended permit ip object-group TUNNELINSIDE object-group TUNNELOUTSIDE
access-group outside_access_in in interface outside
Global (outside) 2 outsidetunnel netmask 255.0.0.0
Nat (inside) 1 192.168.149.11 255.255.255.255
Nat (inside) 1 192.168.149.20 255.255.255.255
Nat (inside) 1 192.168.149.43 255.255.255.255
Nat (inside) 1 192.168.149.44 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound_1

The objects in TUNNELINSIDE are supposed to be able to connect back to our HQ without VPN connection and everyone else would use a VPN if they needed to connect.

Thanks in advance.

johnlloyd_13 · ‎11-14-2016

hi,

you can use Cisco's free FW migration tool.

see helpful link for sample:

http://ccnpsecuritywannabe.blogspot.com/2016/01/cisco-asa-firewall-migration-tool.html

Jon Diers · ‎11-15-2016

Don't you have to be a Cisco Partner to use that? I am not..

craig.cordts · ‎11-16-2016

You will need a CCO account but you do not need to be a Partner.

Craig