FWSM 3.1.4 to ASA SM 8.5.1 WIPED OFF ACLS !!!!

moorepl
Level 1

                   Hi Guys

Today we tried to convert 15 contexts sitting on a legacy 6509 with a Sup2 running an FWSM to a new ASA SM sitting in a 6509E with a Sup2T. Getting the conversion to work took several attempts, but when we did finally get somewhere and reloaded the box, I noticed on reboot (after the Cisco Systems banner, just before you are told to hit enter) that we were still getting errors, but the conversion continued on through them and created all of the contexts.

However, when I examined the contexts I noticed that 90% of every ACL had been removed! I know the static (inside,outside) is replaced with the nat object, and host names are changed to objects in ACLs, but nowhere did I read that most of my ACLs would be completely cleared!

Does anybody have any ideas on why this would happen? I am migrating the client environment to the new 6509E Sup2T/ASA SM for real next weekend and am worried that I will have to rewrite all of the ACLs on the ASA beforehand.

Any guidance or support is greatly appreciated here. Thanks in advance guys

Paul.

4 Replies

Kureli Sankar
Cisco Employee

Paul,

I hope you used the migration tool to do the conversion for you.

http://www.cisco.com/en/US/docs/security/asa/migration/fwsm/fwsm2asasm.html#wp335030

I would suggest opening a TAC case so, we can get this addressed for you.

-Kureli

DEAN WETHERALD
Level 1

Paul,

Did you resolve this? I'm seeing the same issue whilst converting a multi-context FWSM.

Any feedback would be appreciated,

Dean

Hi Dean

There was no quick solution to the problem, I'm afraid. The conversion tool completely wiped the majority of the rules: any ACL line using the 'host' syntax with a hostname was wiped. You need to replace 'host' with 'object', or keep 'host' and replace the name with the IP address.

One way to get the bulk of the work done for you is to copy each context to a standalone ASA and upgrade it from any version post 8.0, which is when Cisco introduced the whole 'object' syntax.

The other thing to be mindful of is that with the new IOS, the ACLs must contain only the real addresses, so you will need to change all of your ACLs to reflect only real addresses. The translation table will identify traffic coming in on the ingress interface as being destined for the NAT address, and it will allow it through once it sees the real address in the ACL.

To be honest, the conversion tool presented more problems than solutions.

Watch out also for changes in the global and nat statements. If you are referencing an ACL to match qualifying traffic, the new IOS will break that line of config out into every host it sees listed in that ACL, so the config becomes huge. I don't see where the benefit is in this.

I think Cisco could have put more time and effort into providing clients with proper solutions to go from FWSM 3.1.4 to ASA modules.

Best of luck with it.

Paul
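The two rewrites Paul describes (replacing a 'name' in a 'host' ACL entry with its IP, and replacing a mapped static address in an ACL with the real address) are mechanical enough to pre-apply to the FWSM config before running the conversion, so that no rule is silently dropped. The script below is an added example and not part of this thread or of Cisco's migration tool; the context config it parses is constructed sample input with hypothetical names and addresses, and it only handles one-to-one host statics and 'host' tokens in extended ACLs, not object-groups, network statics or policy NAT.

```python
"""
Pre-migration check for FWSM 3.x ACLs before an ASA 8.3+ conversion.

  1. 'access-list ... host NAME' where NAME comes from a 'name' statement is
     rewritten to the IP, since the converter drops such lines.
  2. ACL entries that match the mapped address of a one-to-one
     'static (in,out) MAPPED REAL' are rewritten to the real address, because
     8.3+ ACLs must reference untranslated (real) addresses.
"""
import ipaddress
import re

# Constructed sample FWSM context config (hypothetical names and addresses).
SAMPLE_CONFIG = """\
name 10.1.1.10 web01
name 10.1.1.11 db01
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 db01 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-list outside_in extended permit tcp any host web01 eq 443
access-list outside_in extended permit tcp any host 203.0.113.11 eq 1433
access-list outside_in extended permit tcp any host 198.51.100.5 eq 22
access-list inside_out extended permit ip host db01 any
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)")
ACL_RE = re.compile(r"^access-list\s+\S+\s+")


def parse_names(config):
    """Map 'name IP NAME' statements to {NAME: IP}."""
    names = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def parse_statics(config, names):
    """Map one-to-one host statics to {mapped_ip: real_ip}, resolving names."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            mapped = names.get(m.group(3), m.group(3))
            real = names.get(m.group(4), m.group(4))
            statics[mapped] = real
    return statics


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def rewrite_acls(config):
    """Return [(original_line, rewritten_line, [notes])] for every ACL entry."""
    names = parse_names(config)
    statics = parse_statics(config, names)
    results = []
    for raw in config.splitlines():
        line = raw.strip()
        if not ACL_RE.match(line):
            continue
        tokens = line.split()
        notes = []
        for i, tok in enumerate(tokens[:-1]):
            if tok != "host":
                continue
            target = tokens[i + 1]
            if target in names:                      # step 1: name -> IP
                notes.append(f"name {target} -> {names[target]}")
                target = names[target]
            if target in statics:                    # step 2: mapped -> real
                notes.append(f"mapped {target} -> real {statics[target]}")
                target = statics[target]
            if not _is_ip(target):                   # leftover unknown name
                notes.append(f"UNRESOLVED host {target}: fix by hand")
            tokens[i + 1] = target
        results.append((line, " ".join(tokens), notes))
    return results


def rewritten_config_lines(config):
    """Only the ACL lines that actually changed, ready to paste back in."""
    return [new for old, new, _ in rewrite_acls(config) if new != old]


if __name__ == "__main__":
    for old, new, notes in rewrite_acls(SAMPLE_CONFIG):
        flag = "CHANGE" if new != old else "ok    "
        print(flag, new, "; ".join(notes))
```

Run it against `show running-config` of each context before the conversion; any line flagged UNRESOLVED still references a name the script could not map and would be a candidate for the wipe Paul saw. The mapped-to-real rewrite only matters for ACLs applied on the interface where the mapped address was visible (the outside ACL here); once the ACL lists the real address, the 8.3+ ordering (untranslate, then ACL check) behaves as Paul describes.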

Paul,

This is really useful information. At least now I can consider the best way forward. I just wish Cisco had outlined these issues more in the migration documentation.

Really appreciate your feedback.

All the best,

Dean
