Also,

You L2L VPN configuration is missing the "match address" on the "crypto map" configurations. The ACL that defines the tunneled/protected/encrypted traffic.

crypto map OUR_TO_CUSTOMER_SITE 1 match address

crypto map OUR_TO_CUSTOMER_SITE 1 set peer CUSTOMER_VPN_PEER

crypto map OUR_TO_CUSTOMER_SITE 1 set ikev1 transform-set FirstSet

Also missing

crypto ikev1 enable outside

EDIT: I think this was actually in the configuration. Not just spending enough time looking

- Jouni

Again also,

I think you are missing the command that attaches the "crypto map" to an interface

crypto map OUR_TO_CUSTOMER_SITE interface outside

- Jouni

Sorry for the multiple answers

I think I would reconfigure the default PAT with "after-auto" parameter. This is because if you just entered the NAT0 configurations I suggested to the configuration the default pat would still override them

Change this

nat (inside,outside) source dynamic OUR_INTERNAL_NETWORK interface

To this

nat (inside,outside) after-auto source dynamic OUR_INTERNAL_NETWORK interface

Appriciate the ratings. Always give more motivation and energy to keep posting here. Naturally cant expect ratings unless actually being helpfull.

- Jouni

To be honest I cant give you any good advice on getting this done really easily.

I have decided to personally convert any old setup by hand without any help from ASA converting the configurations or using any other program or anything to that direction. This reason initially was partially that I wanted to know how it works and was not content with "just getting it to work"

I am currently in the process of migrating our old FWSMs to ASA. Though in my case the software jump would correspond to ASA 8.0/8.2 -> 8.3

So far I have converted around 150 firewalls, around 100 more to go (Security Context in a FWSM in multiple context mode)

As I volunteered to take this task at work and was the only person setting up the new devices I had a good opportunity to test and lab the new software. I personally just practiced as much as I needed to understand the basics of the differences with the software. CSC has also been a good place to find something new to test and play around with that I might not think of myself.

I have been considering maybe creating documents on the CSC about the new 8.3+ NAT configuration format and perhaps some kind of migration guide. But time will tell if I find a situation where I get them started. Starting is always the hardest thing

- Jouni

To be honest the one crucial thing preventing from doing this "easily" is the fact that we are also talking about PIX firewalls.

PIX Firewalls you can update to about 8.0 if am not mistaken. So the PIX might be able to automatically convert the configuration as far as that with just updating the device and letting it handle the configuration coverting upon reboot to new software.

Now if we are talking about ASA5500 -series (not the X -series) you could naturally drop those 8.0 configurations again to ASA running perhaps even 8.2 software. Then you could boot that ASA to the new software (software level by software level) and again the ASA would continue what you started with the PIX. Automatically converting the configuration upon reboot to new software.

The reason why this wouldnt be possible when migrating to new ASA5500-X would be because to my understanding they dont support below 8.6 software. So no way to insert the whole configuration.

Then again if you have a spare ASA laying around that can be booted to new software (has enough RAM) then you could use this ASA to convert every configuration for you, provided you had the configuration in 8.0 format atleast.

Some of the above things I cant say for 100% sure since I havent done them like this myself.

- Jouni

I guess you are also missing the Client VPN configurations

Probably something like this

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  ikev1 transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map OUR_TO_CUSTOMER_SITE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

group-policy OURVPN-GP internal

group-policy OURVPN-GP attributes

  vpn-tunnel-protocol ikev1

tunnel-group OURVPN type remote-access

tunnel-group OURVPN general-attributes

default-group-policy OURVPN-GP

address-pool CUST_VPN_DHCP

tunnel-group OURVPN ipsec-attributes

ikev1 pre-shared-key

- Jouni