10-06-2011 08:25 AM - edited 03-11-2019 02:34 PM
Hi gurus.
I've cloned the configuration off one of my ASA5510s to another 5510 to use as a template for a new data center deploy. I have configured the new firewall's networks and rules, and of course changed the WAN IP config to its new setting.
I want to test the firewall in my office before I deploy it. How should I configure my MacBook's Ethernet configuration to test the firewall, as I have tried without success to connect to it?
Let's say that my WAN configuration is 134.5.169.98/255.255.255.224 with a static route of IP address 0.0.0.0, Netmask 0.0.0.0 and a gateway IP of 134.5.169.97.
I've tried setting the route to force all traffic through the interface (sudo route add 0.0.0.0/1 134.5.169.98), but that did not work either. A traceroute to the external interface IP of the firewall (or the external IP of an exposed server) gets a "no route to host" error.
I've tried many configurations and have not been able to access the internal servers/services/VPN at all.
I've also tried with crossover and straight-through cables.
What should I configure my MacBook's network configuration as so I can connect directly to the WAN port to test external access to the internal servers/services and test the VPN client?
Sorry for the simple question.
Thanks in advance for any advice or information you can provide.
10-07-2011 08:17 AM
Is this not possible?
10-08-2011 04:10 PM
Hello Alan,
I don't think I understand your question.
So you have copied the configuration of one of your ASAs to a new one, and obviously you have changed the IP address and the ACLs, NATs, etc.
Now you want to test if everything will work fine.
Please let me know if I understood wrong but as I can see what you need to do is:
On the MacBook you should have an IP address in the same range as the ASA interface it is directly connected to, and that interface as the default gateway.
On the ASA have a:
route outside 0.0.0.0 0.0.0.0 134.5.169.97
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
If you like you can attach to this discussion both running-configurations so I can take a deeper look into this.
Hope this helps.
Regards,
10-08-2011 07:02 PM
Thanks for your response.
You are correct, except for 2 small things. I have not changed the external IP range of the new ASA5510 yet. I want to test it before I start making changes to ensure the restore was 100% successful. I've also trimmed the ruleset to get rid of objects/rules not needed at the new data center.
I've tested the internal (ETH0/0 192.168.83.0) to DMZ0 (192.168.84.0) successfully, but I want to test from my laptop going through the WAN (ETH0/3) to test the allowed connectivity from outside to internal servers and services (including and especially VPN client connectivity).
My WAN0 interface is configured as follows:
interface Ethernet0/3
description Internet
speed 100
duplex full
nameif wan0
security-level 0
ip address 134.5.169.98 255.255.255.224
route wan0 0.0.0.0 0.0.0.0 134.5.169.97 1
Once this has been done successfully I will then change the external WAN IP configuration, and the internal network IP ranges, and then test everything again, to ensure that the firewall is properly configured for the new environment.
I can't even make it to first base. Even though I have set my MacBook's EN0 (wired Ethernet) interface to an IP of 134.5.169.10/255.255.255.0 with a gateway of 134.5.169.97 (also tried .98), I cannot connect to any IP within the firewall, including the external IP of 134.5.169.98. I disabled the wireless interface to ensure it does not interfere with the testing.
As mentioned above, I've tried setting the route to force all traffic through the interface (sudo route add 0.0.0.0/1 134.5.169.97)
When I try to telnet to any of the external IPs on the FW (including the gateway and the IP of the WAN interface), I get a "route not found" error.
What could I be doing wrong? Is my MacBook's network config incorrect?
I have added my config as an attachment for your review.
Thanks in advance for any help and advice.
10-08-2011 08:01 PM
Hello Alan,
So the outside interface of the ASA goes to the gateway 134.5.169.97 right?
If this is the case you have a Mac connected to 134.5.169.97 to the default gateway to check if you can access the internal networks. There are other ways to test this; just to let you know, you are not going to be allowed to telnet to the outside interface of an ASA, you can only SSH to it.
Checking the configuration everything seems to be fine.
Now just to let you know, you can run packet-tracer, which is an amazing troubleshooting tool to test the configuration of the ASA.
As an example, let's say you want to test the connectivity to 184.78.81.199, which is 192.168.84.111.
So this is the command to check a user on the outside coming from the IP address 4.2.2.2 on port 1025 going to 184.78.81.199 on port 80:
packet-tracer input outside tcp 4.2.2.2 1025 184.78.81.199 80
This will show you an output that will let you know if the NAT, the ACLs, inspections, routes, etc. are fine.
You can give this tool a try.
Hope this helps
Regards,
10-09-2011 10:55 PM
Thank you for your advice. I was so close, and your advice got me over the line.
I was using an IP out of the Firewall's WAN IP range thinking that that was the only way to test the firewall as an external untrusted user, and could not get through.
By using an IP within the range I could successfully connect to internal servers allowed by the ACL, as well as authenticate and connect to the VPN.
I have now changed the external IP range to the new one, and have also tested that successfully.
One thing I did have to do was to re-add the group password for the VPN group I was connecting as. I guess that was not migrated over successfully. Once I changed it, I was able to connect fine.
Are there any other gotchas I should know about (passwords, or configs that may not be migrated that I need to rectify)?
Points awarded.
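As an added illustration of the subnet point Alan hit above (example code written here, not from the thread or from Cisco): a small Python check, using the ASA wan0 address, mask and next hop quoted in the thread and the standard-library ipaddress module, that tells whether a bench-test host address would actually be on-link with the ASA. The two MacBook configurations it compares are constructed from Alan's posts, and the function names are my own.

```python
from ipaddress import IPv4Address, IPv4Interface

# Values quoted in the thread: the ASA's wan0 address/mask and its
# default-route next hop (route wan0 0.0.0.0 0.0.0.0 134.5.169.97 1).
ASA_WAN = IPv4Interface("134.5.169.98/255.255.255.224")
ASA_NEXT_HOP = IPv4Address("134.5.169.97")


def check_lab_host(host_ip_with_mask: str, host_gateway: str) -> dict:
    """Report whether a test host plugged straight into wan0 can talk to the ASA.

    The ASA only ARPs for, and replies on-link to, addresses inside its own
    wan0 subnet; anything else is sent to the default-route next hop, which
    does not exist on a bench. So the host must (1) sit inside the ASA's
    subnet, (2) use the same mask so both sides agree what is on-link,
    (3) not reuse the ASA's or the next hop's address, and (4) name a gateway
    inside its own subnet or the OS will reject the route. Nothing here can
    tell whether something actually answers at that gateway address.
    """
    host = IPv4Interface(host_ip_with_mask)
    gateway = IPv4Address(host_gateway)
    asa_subnet = ASA_WAN.network
    checks = {
        "host_inside_asa_subnet": host.ip in asa_subnet,
        "same_mask_as_asa": host.network == asa_subnet,
        "address_not_taken": host.ip not in (ASA_WAN.ip, ASA_NEXT_HOP),
        "gateway_onlink_for_host": gateway in host.network,
    }
    checks["ok"] = all(checks.values())
    return checks


def usable_lab_addresses() -> list:
    """Addresses a test host may take on the bench: the ASA's wan0 subnet
    minus the ASA itself and the configured next hop."""
    taken = {ASA_WAN.ip, ASA_NEXT_HOP}
    return [str(h) for h in ASA_WAN.network.hosts() if h not in taken]


if __name__ == "__main__":
    # Constructed from the thread: the /24 config that failed, and one in range.
    for cfg in ("134.5.169.10/255.255.255.0", "134.5.169.100/255.255.255.224"):
        print(cfg, check_lab_host(cfg, "134.5.169.97"))
    print(len(usable_lab_addresses()), "usable addresses, e.g.", usable_lab_addresses()[:3])
```

The failing case shows the root cause directly: with a /24 on the MacBook, 134.5.169.10 is outside the ASA's 134.5.169.96/27, so the ASA would never answer it on-link.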
10-10-2011 10:04 AM
Hello Alan,
I am glad that everything is working fine now. Yes, the packet tracer is an amazing tool that can show you how the connections are being handled by the ASA.
The passwords may generate an issue, because you are copying them to the new config, and when you copy the whole configuration you might copy the hashed input instead of the real password. This is why you had the issue with the VPN, and remember that any string of data has a different message digest or hash. So I would definitely take a look at the passwords and usernames. Besides that, everything should work the way it is.
Hope you have a great day.
Julio
10-10-2011 11:22 AM
Thanks Julio,
All VPN user passwords seemed to come across fine (at least mine did).
Using the "more system:running-config" command I was able to get the VPN tunnel passwords that I will re-add to the new firewall.
Thanks again for your help.
Alan
10-10-2011 11:36 AM
Hello Alan,
Perfect, I am glad everything worked.
It was a pleasure to help, any other question just let me know.
Regards,
Julio