12-10-2013 09:21 AM - edited 03-11-2019 08:15 PM
Hello,
I have been working on this migration from a PIX 501 to an ASA 5515-X. I have been greatly helped by a Cisco support team member. They gave me the instructions on how to migrate after I showed them the "run" config of the PIX and ASA. Upon entering the info into the ASA I ran into a problem with one of the command strings. It seems that the command "static", when used in the string "nat (inside,outside) static etc", is no longer used in ASA.
I just want to "mirror" the PIX config to the ASA. I did receive from our NEW ISP the info to plug into the ASA for the fiber optic line that is being installed now. My questions are: 1. Why doesn't "static" work in ASA and what is the correct syntax? 2. I will post the NEW IP info for the new fiber line; instead of mirroring the PIX, how would I just plug the NEW info into the ASA?
Thanks,
Joseph
Here is what I sent the cisco rep first...
OrthoPIX# sh startup-config
: Saved
: Written by enable_15 at 11:32:25.032 UTC Mon Dec 9 2013
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NDa1RppHr2jz7Cnk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname OrthoPIX
domain-name sbcglobal.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside permit tcp any host 66.xxx.xxx.xxx eq 3389
access-list 101 deny ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list nonat deny ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 66.xxx.xxx.xxx 255.255.xxx.xxx
ip address inside 10.10.10.251 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.xxx.xxx.xxx 3389 10.10.10.253 3389 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.xxx 15
route inside 10.10.11.0 255.255.255.0 10.10.10.254 1
route inside 10.10.12.0 255.255.255.0 10.10.10.254 1
route inside 10.10.20.4 255.255.255.252 10.10.10.254 1
route inside 10.10.30.4 255.255.255.252 10.10.10.254 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:01:00 absolute
timeout xlate 0:01:00
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 65.69.93.98
crypto map transam 1 set transform-set myset
crypto map transam interface outside
isakmp key ******** address 65.69.93.98 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 167.1.162.167 255.255.255.255 outside
ssh timeout 60
dhcpd ping_timeout 750
terminal width 80
Here is the original ASA config I sent...
Result of the command: "show run"
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password NDa1RppHr2jz7Cnk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif Port0/0
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu Port0/0 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface Port0/0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:c5af97904bf21e317a1006e9b3901aa1
: end
Here is what the Cisco rep said I should do to "mirror" both configs...
Hi,
I am not sure what your situation with the "outside" interface is. The PIX has a statically configured IP address and default route, while the ASA at the moment has DHCP.
I will consider that the ASA should use the same configuration as the PIX.
PHYSICAL INTERFACES
interface GigabitEthernet0/0
nameif outside
ip address 66.136.x.x 255.255.255.248
interface GigabitEthernet0/1
no shutdown
nameif inside
ip address 10.10.10.251 255.255.255.0
STATIC ROUTES
route outside 0.0.0.0 0.0.0.0 66.136.xxx.xxx 15
route inside 10.10.11.0 255.255.255.0 10.10.10.254 1
route inside 10.10.12.0 255.255.255.0 10.10.10.254 1
route inside 10.10.20.4 255.255.255.252 10.10.10.254 1
route inside 10.10.30.4 255.255.255.252 10.10.10.254 1
STATIC PAT (PORT FORWARD)
object network STATIC-PAT-RDP
host 10.10.10.253
nat (inside,outside) static 66.136.x.x service tcp 3389 3389
EXTERNAL ACCESS-LIST
access-list outside permit tcp any object STATIC-PAT-RDP eq 3389
access-group outside in interface outside
DYNAMIC PAT
nat (inside,outside) after-auto source dynamic any interface
NAT0 / NAT EXEMPT FOR L2L VPN
object network LAN
subnet 10.10.10.0 255.255.255.0
object network REMOTE-LAN
subnet 10.10.15.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
L2L VPN CONFIGURATION
access-list L2L-VPN remark L2L VPN Encryption Domain
access-list L2L-VPN permit ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
crypto ipsec ikev1 transform-set DES esp-des esp-md5-hmac
crypto map transam 1 match address L2L-VPN
crypto map transam 1 set peer 65.69.93.98
crypto map transam 1 set ikev1 transform-set DES
crypto map transam interface outside
crypto isakmp identity address
crypto ikev1 policy
authentication pre-share
encryption des
hash md5
group 1
lifetime 1000
crypto ikev1 enable outside
tunnel-group 65.69.93.98 type ipsec-l2l
tunnel-group 65.69.93.98 ipsec-attributes
ikev1 pre-shared-key <presharedkey/PSK>
The above should be most of the configurations from PIX to the new ASA format
On the line "nat (inside,outside) static 66.136.x.x service tcp 3389 3389", the ASA has a problem with "static" in the command; the help says it's not used anymore. So what is the correct syntax?
Here is how the ASA looks now....
ciscoasa# sh run
: Saved
:
ASA Version 8.6(1)2
!
hostname OrthoPIX
domain-name sbcglobal.net
enable password NDa1RppHr2jz7Cnk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
mac-address 0009.e8bf.6edc
nameif outside
security-level 0
ip address 6x.xxx.xxx.xxx 255.255.255.xxx
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.251 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 1xx.xxx.xx.xx
name-server 1xx.xxx.xx.xxx
domain-name sbcglobal.net
object network STATIC-PAT-RDP
host 10.10.10.253
access-list outside extended permit tcp any object STATIC-PAT-RDP
access-list outside extended permit tcp any object STATIC-PAT-RDP eq 3389
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 6x.xxx.xxx.xxx 15
route inside 10.10.11.0 255.255.255.0 10.10.10.254 1
route inside 10.10.12.0 255.255.255.0 10.10.10.254 1
route inside 10.10.20.0 255.255.255.0 10.10.10.254 1
route inside 10.10.30.0 255.255.255.0 10.10.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:201bf8315b82ffb0f158046489b5f512
: end
What am I doing wrong? I know it's me because I'm still "rusty" on the ASA commands. Also, here is the new info for the new IP network we are receiving....
WAN IP: 12.XXX.XXX.XXX
Host Router Name: <HOSTNAME>
New IP Block: 12.XXX.XXX.XXX/28
Default Gateway GE-0/0: 12.XXX.XXX.XXX
Your 1st Network Device: 12.XXX.XXX.XXX
Subnet Mask: 255.255.255.XXX
DNS Resolvers: 12.XXX.XXX.XXX 12.XXX.XXX.XXX
Usable IP's: 12.XXX.XXX.XXX thru XXX
What do I need to do in order to just use the NEW ip info instead of the OLD PIX config info?
Thanks,
Joseph
12-10-2013 09:40 AM
Hi,
The Static PAT (Port Forward) that was done in the old configuration format with the "static" command is done in the following way in the new configuration. I mentioned this in the previous discussion.
It seems to me that you have not entered the "nat" command under the "object network STATIC-PAT-RDP".
STATIC PAT (PORT FORWARD)
object network STATIC-PAT-RDP
host 10.10.10.253
nat (inside,outside) static 66.136.x.x service tcp 3389 3389
If the ASA has not accepted the "nat" command, it might mean that you entered it outside the "object" configuration mode. You first have to move under the "object":
object network STATIC-PAT-RDP
Then you enter the "nat" command next:
nat (inside,outside) static 66.136.x.x service tcp 3389 3389
Then again, you mention that your ISP is changing, so you won't be able to use the above public IP address anymore. You have to replace it with a new IP address.
There is really nothing special about changing the configuration of your external interface for the new ISP.
The below first removes the current IP address from the interface and configures the new public IP address from the ISP. It then removes the old default route and enters the new default route. Naturally you will have to use the actual/correct IP addresses in your commands.
interface GigabitEthernet0/0
no ip address 6x.xxx.xxx.xxx 255.255.255.xxx
ip address 12.x.x.a 255.255.255.x
no route outside 0.0.0.0 0.0.0.0 6x.xxx.xxx.xxx 15
route outside 0.0.0.0 0.0.0.0 12.x.x.y
You will also need to change the Static PAT (Port Forward) configuration's public IP address from before.
Again we move under the "object" configuration mode, then remove the old "nat" command and enter a new "nat" command:
object network STATIC-PAT-RDP
no nat (inside,outside) static 66.136.x.x service tcp 3389 3389
nat (inside,outside) static 12.x.x.b service tcp 3389 3389
- Jouni
12-10-2013 10:11 AM
Hello Jouni,
Thank you so much for your reply! Here is what happens when I follow the instructions you gave with the "nat" command under the "object" configuration....
OrthoPIX> enable
Password: ***********
OrthoPIX# config t
OrthoPIX(config)# obj
OrthoPIX(config)# object netwo
OrthoPIX(config)# object network S
OrthoPIX(config)# object network STATIC-PAT-RDP
OrthoPIX(config-network-object)# host 10.10.10.253
OrthoPIX(config-network-object)# nat (i
OrthoPIX(config-network-object)# nat (inside,o
OrthoPIX(config-network-object)# nat (inside,outside) static 66.xxx.xxx.xxx se$
ERROR: Address 66.xxx.xxx.xxx overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
OrthoPIX(config-network-object)#
Was I supposed to "activate" nat???
Thanks,
Joseph
12-10-2013 10:14 AM
Hi,
Seems the IP address you are using is actually the same IP address that is configured in your "outside" interface.
Enter this command under the "object" instead.
object network STATIC-PAT-RDP
nat (inside,outside) static interface service tcp 3389 3389
The parameter "interface" will tell the ASA to use the "outside" interface IP address as the NAT IP Address.
- Jouni
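As an added example (not part of the thread, and not Cisco's or Jouni's code), the translation Jouni describes in the two answers above, written as a small Python script: it parses a PIX 6.x `static` port-forward line, emits the ASA 8.3+ object NAT form, and substitutes the `interface` keyword when the mapped address is the outside interface's own address, which is the "overlaps with outside interface address" error Joseph hit. The PIX line and the outside address are constructed with RFC 5737 documentation addresses in place of the masked octets; the object name STATIC-PAT-RDP is the one used in the thread.

```python
import ipaddress
import re

# Constructed sample input (not the thread's line verbatim): the PIX 6.2 static PAT
# line with the masked public octets replaced by an RFC 5737 documentation address,
# and the outside interface address it collides with on the ASA.
PIX_STATIC_LINE = ("static (inside,outside) tcp 203.0.113.10 3389 10.10.10.253 3389 "
                   "netmask 255.255.255.255 0 0")
OUTSIDE_IF_IP = "203.0.113.10"

# PIX 6.x port-forward form:
#   static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port netmask mask [conns [embryonic]]
STATIC_PAT_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w/.-]+),(?P<mapped_if>[\w/.-]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\d+)\s+"
    r"(?P<real_ip>\S+)\s+(?P<real_port>\d+)\s+netmask\s+(?P<mask>\S+)"
)


def parse_pix_static_pat(line):
    """Split a PIX 6.x static PAT line into its fields; ports come back as ints."""
    m = STATIC_PAT_RE.match(line.strip())
    if m is None:
        raise ValueError("not a PIX static PAT line: %r" % line)
    fields = m.groupdict()
    fields["mapped_port"] = int(fields["mapped_port"])
    fields["real_port"] = int(fields["real_port"])
    return fields


def asa_object_nat(pix, outside_if_ip, object_name="STATIC-PAT-RDP"):
    """Return the ASA 8.3+ object NAT lines equivalent to the PIX static PAT.

    The ASA rejects a mapped address equal to the outside interface's own address
    ("overlaps with outside interface address"), so in that case the `interface`
    keyword is emitted instead of the literal address.
    """
    mapped_ip = ipaddress.ip_address(pix["mapped_ip"])
    if mapped_ip == ipaddress.ip_address(outside_if_ip):
        mapped = "interface"
    else:
        mapped = str(mapped_ip)
    nat_line = (" nat ({real_if},{mapped_if}) static {mapped} "
                "service {proto} {real_port} {mapped_port}").format(mapped=mapped, **pix)
    return ["object network %s" % object_name, " host %s" % pix["real_ip"], nat_line]


def asa_access_list(pix, object_name="STATIC-PAT-RDP", acl_name="outside"):
    """Return the matching inbound ACE.

    Unlike PIX 6.x, ASA 8.3+ access-lists match the real (pre-NAT) address and
    port, so the ACE references the object and the real port rather than the
    public address and mapped port.
    """
    return "access-list {acl} extended permit {proto} any object {obj} eq {port}".format(
        acl=acl_name, proto=pix["proto"], obj=object_name, port=pix["real_port"])


def migrate_static_pat(line, outside_if_ip, object_name="STATIC-PAT-RDP", acl_name="outside"):
    """Full translation of one PIX static PAT: object NAT, ACE and access-group."""
    pix = parse_pix_static_pat(line)
    return asa_object_nat(pix, outside_if_ip, object_name) + [
        asa_access_list(pix, object_name, acl_name),
        "access-group %s in interface %s" % (acl_name, pix["mapped_if"]),
    ]


if __name__ == "__main__":
    print("\n".join(migrate_static_pat(PIX_STATIC_LINE, OUTSIDE_IF_IP)))
```

The generated ACE names the object rather than the public address because 8.3+ evaluates access-lists against real addresses, which is also why Jouni's ACL line differs from the PIX one. Worth noticing in Joseph's posted ASA config: it carries two `access-list outside` entries for the object, one with `eq 3389` and one without; the one without permits every TCP port to the RDP host and should be removed once the port forward works.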
12-10-2013 10:21 AM
Hello,
Thanks again Jouni! That was it. Now I have to go on-site and test it out.
Thank you so much!,
Joseph
12-10-2013 04:13 PM
Hello,
I'm starting to "see" what you meant by "what my "outside" consists of". The AT&T fiber guys came out and we speed tested the new network and everything is great. Now, when I plugged the "fiber's" GE 0/0 into the ASA's GE 0/0, I have an "amber light" showing on the "spd" side of the port. The fiber's GE has a static IP tied to it. I don't think I have my configuration set up for the "fiber's static IP". So basically AT&T has a fiber router and it is going to deliver internet to my ASA. How should I set up my "outside" port to talk to THEIR "outside" port??? Also, what is the correct command to input DNS into a router???
Thanks,
Joseph
12-10-2013 07:42 PM
Hello Jouni,
Thinking about it further, when I ran the speed test, I plugged my laptop in and entered basic IP info. I have yet to configure a "Gateway or Router" in the ASA configuration. How would I go about configuring the ASA to point to a gateway?
Thanks,
Joseph
12-11-2013 06:03 AM
Hi,
From your earlier messages I gathered that you were allocated a small public subnet from the ISP providing the fiber connection? Or is it a single IP address from the subnet only?
You should simply configure the IP address on the current "outside" interface with the "ip address" command like I described above. You should also change the default route to point to the new ISP connection's gateway IP address with the "route outside 0.0.0.0 0.0.0.0
Your change also involves changing the NAT IP address in the RDP Static PAT configuration, since it uses an IP address from the original. I also mentioned this in the above post.
These are naturally best done on site, since you would naturally lose any remote management connection to the ASA while changing the IP addresses and routes.
With regards to the DNS: you don't really need to tell the ASA the DNS servers unless you use the ASA as a DHCP server for the LAN users. The new ISP DNS servers should be configured on the device that currently gives IP addresses to the LAN hosts, or if statically configured, then they would need to be changed on the actual hosts.
- Jouni
12-11-2013 06:26 AM
Hello Jouni,
Thank you for your reply! Yes, you are right. Last night after looking over all my configs and your notes I noticed my route wasn't configured properly to point to the ISP router from the ASA. I did change the NAT IP as well. Also, like you stated, the 2600 router that DHCP's the offices still had the OLD DNS IPs and not the new ones. After fixing configs and rebooting the router, all is well now, so it seems. lol. Thank you for all your help and notes, I'm learning so much as an Admin working with Cisco equipment. Really appreciate it!
Thank you,
Joseph