12-06-2013 03:14 PM - edited 03-11-2019 08:14 PM
Hello,
I'm an Administrator and have a client that is running a T1 (point to point) with a 501 Pix box as the firewall between the DSL and internal network. We are switching over to Fiber Optic (Client has 3 locations all tap into a central database) at the hub office and eventually will change over to a VPN network. I have purchased an ASA 5515-x, current pix box is giving me trouble, which also lies the problem. When I took over my client's Administration for his network, I found out that although I have access to all the Cisco routers on the network ((1) 17XX, (2) 2600's), I or anyone that I talked to has access to the Pix box? I would like, for the time being, to put the ASA in place of the Pix as the firewall for the T1, until we decide if we are going to do IPSEC w/client or L2TP... I have searched and found other articles on migrating from Pix to ASA, but also learned the Pix we have is too old. My questions are: Is there any way to retrieve the configuration file from the Pix manually even though I don't know the passwd? Or do I have to build the firewall from the ground up? (I did hit the reset button a couple of times before as well as pulling the power; the reason was, it just started only allowing certain people internet access from inside, anybody with remote access outside can remote in no problem. Just randomly drops people on the inside). Reboot the Pix and everyone is happy for about an hour, then the previous scenario comes back. I can work my way around the CLI no problem, but I'm new to Cisco's ASDM as well as the new commands.
Thanks
12-07-2013 04:50 AM
Hi,
Seems to me that your first step should be trying to get access to the PIX itself to determine the current configuration
Here is one guide how you can reset the passwords on the PIX
I have used it a couple of times in the past (long time ago) and it worked well then.
Though for this you need to know the software version the PIX is running on. I am wondering if you would be able to see the booting software when booting the PIX while connected to it through console.
You might also want to try some of the usual login usernames/passwords while attempting to connect to the PIX through the console. I guess if it's on default settings it might not ask you for a username at all and you might be able to just use "enable" and not enter any password at all and press enter.
To be honest, I can't remember anymore
- Jouni
12-07-2013 02:28 PM
Jouni,
First off, let me thank you for the article. It was EXACTLY what I was looking for. I have run into another issue though. The PIX 501 is running ver 6.2, I was able to get to "config" ability and I saw the outside and inside IPs that were being used. I didn't see a command to "show" the WHOLE configuration of the device, it's so old I don't even know if one ever existed. Now the "inside" interface had a non-routable static IP for the "inside" network. The T1 router is running DHCP for the network. Would the PIX be running NAT? I don't know if NAT was set up on the 2600 T1 router alongside the DHCP server. How would I find out? I'm trying to "mirror" the configuration from the 501 PIX box to an ASA 5515-x box.
Thank you again for all your help,
Much appreciated,
OrthoAdmin
12-08-2013 04:12 PM
I think I found my problem... ACL's... I need an access-list setup for the ASA that mirrors the PIX..
12-09-2013 12:35 AM
Hi,
Sorry for getting back to you only now.
Did you already solve the problem?
If not, can you get the configuration from the PIX with some "show" command like
show run
or
show configuration
If you can get the whole configuration of the PIX (remove sensitive information) then I could tell you the corresponding configurations you would need on the new ASA.
- Jouni
12-09-2013 05:10 AM
Hello,
No I haven't solved it yet. Here is the show run for the PIX.
OrthoPIX(config)# show run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NDa1RppHr2jz7Cnk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname OrthoPIX
domain-name sbcglobal.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside permit tcp any host 66.136.xxx.xxx eq 3389
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 66.136.xxx.xxx 255.255.255.248
ip address inside 10.10.10.251 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 66.136.xxx.xxx 3389 10.10.10.253 3389 netmask 255.255.255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 66.136.xxx.xxx 15
route inside 10.10.11.0 255.255.255.0 10.10.10.254 1
route inside 10.10.12.0 255.255.255.0 10.10.10.254 1
route inside 10.10.20.4 255.255.255.252 10.10.10.254 1
route inside 10.10.30.4 255.255.255.252 10.10.10.254 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:01:00 absolute
timeout xlate 0:01:00
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 65.69.93.98
crypto map transam 1 set transform-set myset
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 65.69.93.98 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 167.1.162.167 255.255.255.255 outside
ssh timeout 60
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:4e26e0b8ee57c83fdbcd71fbadf5ef8e
: end
12-09-2013 05:17 AM
Here is the show run for ASA 5515-x
Result of the command: "show run"
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password NDa1RppHr2jz7Cnk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif Port0/0
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu Port0/0 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface Port0/0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:c5af97904bf21e317a1006e9b3901aa1
: end
12-09-2013 06:23 AM
Hi,
I am not sure what your situation with the "outside" interface is. The PIX has a statically configured IP address and default route while the ASA at the moment has DHCP.
I will consider that the ASA should use the same configuration as the PIX.
PHYSICAL INTERFACES
interface GigabitEthernet0/0
 nameif outside
 ip address 66.136.x.x 255.255.255.248
interface GigabitEthernet0/1
 no shutdown
 nameif inside
 ip address 10.10.10.251 255.255.255.0
STATIC ROUTES
route outside 0.0.0.0 0.0.0.0 66.136.xxx.xxx 15
route inside 10.10.11.0 255.255.255.0 10.10.10.254 1
route inside 10.10.12.0 255.255.255.0 10.10.10.254 1
route inside 10.10.20.4 255.255.255.252 10.10.10.254 1
route inside 10.10.30.4 255.255.255.252 10.10.10.254 1
STATIC PAT (PORT FORWARD)
object network STATIC-PAT-RDP
 host 10.10.10.253
 nat (inside,outside) static 66.136.x.x service tcp 3389 3389
EXTERNAL ACCESS-LIST
access-list outside permit tcp any object STATIC-PAT-RDP eq 3389
access-group outside in interface outside
DYNAMIC PAT
nat (inside,outside) after-auto source dynamic any interface
NAT0 / NAT EXEMPT FOR L2L VPN
object network LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.10.15.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
L2L VPN CONFIGURATION
access-list L2L-VPN remark L2L VPN Encryption Domain
access-list L2L-VPN permit ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
crypto ipsec ikev1 transform-set DES esp-des esp-md5-hmac
crypto map transam 1 match address L2L-VPN
crypto map transam 1 set peer 65.69.93.98
crypto map transam 1 set ikev1 transform-set DES
crypto map transam interface outside
crypto isakmp identity address
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 1000
crypto ikev1 enable outside
tunnel-group 65.69.93.98 type ipsec-l2l
tunnel-group 65.69.93.98 ipsec-attributes
 ikev1 pre-shared-key
The above should be most of the configurations from PIX to the new ASA format.
We can't see the PSK of the L2L VPN connection and I am not sure if software that old has the command that would show the PSK in clear text.
The above configuration presumes that you use the statically configured IP addresses of the interfaces and the static routes and not DHCP like it's now.
Naturally the ASA should also be connected to the same devices on the same ports from "inside" and "outside".
You should also set the management related commands "ssh", "http" or "telnet" as you wish.
- Jouni
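Added example, not part of the thread and not Cisco tooling: because the ASA configuration above reproduces the PIX settings one-for-one, this Python check over the posted PIX 6.2 `show run` lines shows which of them open management or inbound access to any source on the security-0 interface, or rely on DES, MD5 and DH group 1, so they can be reviewed before being carried over. The rule names and the `audit` function are made up for this example; the sample lines are copied from the PIX output in this thread.

```python
import re

# Lines copied from the PIX 6.2(2) "show run" posted in this thread.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside permit tcp any host 66.136.xxx.xxx eq 3389
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.15.0 255.255.255.0
access-group outside in interface outside
http server enable
http 0.0.0.0 0.0.0.0 outside
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
ssh 0.0.0.0 0.0.0.0 outside
ssh 167.1.162.167 255.255.255.255 outside
"""

NAMEIF = re.compile(r"^nameif \S+ (\S+) security(\d+)$")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")
MGMT_ANY = re.compile(r"^(ssh|http|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$")
ACL_ANY = re.compile(r"^access-list (\S+) permit (tcp|udp|ip) any ")

# Settings that are weak wherever they appear (hypothetical rule ids).
WEAK_SETTINGS = [
    ("snmp-default-community", re.compile(r"^snmp-server community public$")),
    ("weak-esp-transform", re.compile(r"^crypto ipsec transform-set \S+ .*esp-des\b")),
    ("weak-ike-encryption", re.compile(r"^isakmp policy \d+ encryption des$")),
    ("weak-ike-hash", re.compile(r"^isakmp policy \d+ hash md5$")),
    ("weak-dh-group", re.compile(r"^isakmp policy \d+ group 1$")),
]


def audit(config_text):
    """Return (rule_id, config_line) findings for a PIX 6.x style config."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]

    # Pass 1: interfaces at security level 0, and the ACLs applied inbound on them.
    untrusted = {m.group(1) for m in map(NAMEIF.match, lines)
                 if m and int(m.group(2)) == 0}
    exposed_acls = {m.group(1) for m in map(ACCESS_GROUP.match, lines)
                    if m and m.group(2) in untrusted}

    # Pass 2: flag lines in the order they appear in the config.
    findings = []
    for ln in lines:
        m = MGMT_ANY.match(ln)
        if m and m.group(2) in untrusted:
            findings.append(("mgmt-open-to-any", ln))
            continue
        m = ACL_ANY.match(ln)
        if m and m.group(1) in exposed_acls:
            findings.append(("inbound-permit-from-any", ln))
            continue
        for rule_id, pattern in WEAK_SETTINGS:
            if pattern.match(ln):
                findings.append((rule_id, ln))
                break
    return findings


if __name__ == "__main__":
    for rule_id, line in audit(PIX_CONFIG):
        print(f"{rule_id:26} {line}")
```
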
12-09-2013 09:02 AM
Hello,
First off, thank you for the info! I'm learning a lot! The "outside" is AT&T, which was set up YEARS ago, before I came around. I noticed as well the L2L VPN configuration and was wondering WHY it would be configured? Is it necessary for the "WAN" cards? Also, I was reading some Cisco documents and it stated that even though I can configure the ASA 5515, the ISP has the MAC address of the PIX and until THEY change their side it's really not going to get a ping from them. My question is: Is there a way to MAC address clone the MAC address they already have?
Thanks again,
Joseph
12-09-2013 09:11 AM
Hi,
The L2L VPN configurations seem to be configured so a local network 10.10.10.0/24 can connect to a remote network 10.10.15.0/24 securely/encrypted through the public Internet. The L2L VPN is usually used to connect remote sites of a company or perhaps provide a secure connection to a third party site to access some services/resources.
I assume that the PIX is still in use in the network and the ASA is waiting to get placed to the network?
If so then I would try these commands to see if the VPN is active. Naturally it might not be all the time unless it's actively used
show crypto isakmp sa
show crypto ipsec sa
The L2L VPN configuration is in no way mandatory for the normal operation of the firewall. As I said, it's there to provide connection between two sites securely through the Internet. Naturally another big thing related to it is the fact that these 2 private network ranges can communicate directly through this L2L VPN connection, which would not be possible directly through the Internet since the private ranges are not routable through the Internet.
With regards to the MAC address situation, you can indeed configure the PIX MAC address on the ASA's external interface.
First check the output of this command on the PIX
show interface
Find the correct interface and its output and check for the MAC address
Then go to the ASA under the interface configuration mode of the correct interface and enter
mac-address aaaa.bbbb.cccc
Where the aaaa.bbbb.cccc is naturally the MAC address that you checked from the current PIX firewall
Hope this helps
Please do remember to mark replies as the correct answer if they answered your question.
Feel free to ask more if needed though
- Jouni
12-09-2013 09:05 AM
Hello,
Sorry, I forgot to ask this as well. I don't understand the PSK fundamentals, is there a Cisco document explaining it in more detail?
Thanks,
Joseph
12-09-2013 09:16 AM
Hi,
PSK / Pre-shared-key is essentially a password that is configured on both ends of the L2L VPN connection. (On both of the VPN devices)
Hopefully you have documented the current PSK so it can be inserted to the configuration on the ASA. Or perhaps you have the contact information of the remote site so you can change it? Or perhaps the remote site is under your management also and you can simply change the PSK on both ends to something new when replacing the firewall at this site.
On a very very quick glance I found this that gives a basic description of PSK (it's part of an old Cisco Press book)
http://www.ciscopress.com/articles/article.asp?p=24833&seqNum=5
- Jouni
12-09-2013 09:20 AM
Hello,
Sorry again, forgot to tell you the ASA wasn't configured yet, I just turned on one of the ports for DHCP through the ASDM, because I was going to input the Activation Key that I received from registering the ASA. Also, the owner told me that the "previous Administrator" was running some "illegal activities" through is connection. Could that "L2L VPN" configuration be connected to it? and just never shutdown/closed?
Thanks,
Joseph
12-09-2013 09:56 AM
Hello,
How would I shut down the L2L VPN services on the PIX? I also received the info for the fiber optic that is being installed
WAN IP: 12.XXX.XXX.XXX
Host Router Name:
New IP Block: 12.XXX.XXX.XXX/28
Default Gateway GE-0/0: 12.XXX.XXX.XXX
Your 1st Network Device: 12.XXX.XXX.XXX
Subnet Mask: 255.255.255.XXX
DNS Resolvers: 12.XXX.XXX.XXX 12.XXX.XXX.XXX
Usable IP's: 12.XXX.XXX.XXX thru XXX
what would be the configuration for the ASA? replacing the 66.xxx.xxx.xxx with 12.xxx.xxx.xxx? in the commands?
Thanks again for all your help!,
Joseph
12-09-2013 11:55 AM
Hello,
Thanks again for your help! From what info you supplied and further reading through Cisco's knowledge base, I was able to "deny" the access-list and remove the lines that "permitted". I was also able to stop the "crypto isakmp" service from running as well. Just wanted to thank you so much for all your help!
Thanks,
Joseph