pix fixup protocol

lcaruso
Level 6

Hi,

I only have experience with ASAs and only recent code at that. I have a PIX506 running 6.3(4) that I will replace with an ASA.

Can you please tell me what these fixup statements do (do they just turn a protocol on)?

fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

Also what is pdm (forerunner of ASDM)?

pdm location 192.168.253.0 255.255.255.0 inside
pdm location 192.168.254.1 255.255.255.255 inside
pdm location 192.168.254.4 255.255.255.255 inside
pdm logging informational 100
pdm history enable

Also what is floodguard?

floodguard enable

Also what does this sysopt statement do?

sysopt connection permit-ips
8 Replies

Jennifer Halim
Cisco Employee

1) Fixup is the old way of configuring inspection. With ASA, all the fixup is replaced with MPF (Modular Policy Framework), i.e. policy map with class map and "inspect".

2) PDM is the old version of ASDM

3) Here is an explanation of floodguard:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/df.html#wp1029632

And "floodguard" has been deprecated in ASA.

4) "sysopt connection permit-ipsec" is the same as the current command on ASA. I think you are missing the last 2 letters in that command.

Here is a migration from PIX to ASA guide that might help:

http://www.cisco.com/en/US/docs/security/asa/migration/guide/pix2asa.html

Hope that answers your questions.
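The fixup list from the question, rewritten as the ASA Modular Policy Framework configuration the reply describes. This is an added example, not part of the thread or Cisco's migration guide. It assumes ASA 8.x syntax and the ASA's default object names (inspection_default, global_policy); the policy-map name migrated_dns_map is made up here. It keeps the two non-default choices visible in the PIX config: the DNS maximum message length of 1024 (the ASA default preset_dns_map uses 512) and SMTP inspection left off. Lines starting with ! are comments for the reader.

```cisco
! PIX 6.3 fixup statements (from the question) mapped to ASA MPF.
! Added example; assumes ASA 8.x and the default names
! inspection_default / global_policy. migrated_dns_map is an assumed name.

! fixup protocol dns maximum-length 1024
! -> DNS inspection needs its own "policy-map type inspect dns" to carry
!    the length; the ASA default preset_dns_map would silently drop to 512.
policy-map type inspect dns migrated_dns_map
 parameters
  message-length maximum 1024
!
! The PIX port numbers (21, 1720, 1718-1719, 80, 389, 514, 554, 5060,
! 2000, 1521, 69) are all in the ASA's built-in default-inspection-traffic
! table, so the stock class-map matches the same traffic.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect tftp
!
! "fixup protocol sip 5060" and "fixup protocol sip udp 5060" collapse into
! the single "inspect sip" above, which covers both TCP and UDP 5060.
! "no fixup protocol smtp 25" on the PIX: deliberately no "inspect esmtp"
! here. If you never intended to turn SMTP inspection off, add it back.
!
! One global service-policy, like the PIX fixup which was also global.
service-policy global_policy global
```

Before pasting, compare this against the ASA's factory global_policy (show run policy-map): the ASA default also enables inspections the PIX never had (esmtp, sunrpc, xdmcp, netbios, ip-options), so decide per protocol whether to keep the PIX behaviour or the ASA default rather than letting the paste silently merge the two.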

Thanks Jennifer--I appreciate your help!

One last question if I may be so lucky... it seems everything is here for site-to-site VPN except a peer address.

I see the remote vpn statements, but it also looks like someone may have wanted to setup a site-to-site tunnel but didn't complete the configuration.

Have I interpreted this correctly, or is there a complete config for a site-to-site tunnel in there? Thanks.

crypto ipsec transform-set clientname esp-3des esp-md5-hmac 
crypto dynamic-map dynmap 10 set transform-set clientname
crypto map clientname_map 10 ipsec-isakmp dynamic dynmap
crypto map clientname_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup 211offsite address-pool VPNpool
vpngroup 211offsite dns-server 192.168.254.9 192.168.254.8
vpngroup 211offsite wins-server 192.168.254.254
vpngroup 211offsite default-domain clientname.local
vpngroup 211offsite split-tunnel VPNClient
vpngroup 211offsite idle-time 1800
vpngroup 211offsite password ********

Well, it must have been a long day and it's getting late again...

Actually, there is no site-to-site configuration at all.

There is only 1 crypto map sequence (seq 10) --> crypto map clientname_map 10 ipsec-isakmp dynamic dynmap

and it's for dynamic map, therefore for remote VPN Client.

All the vpngroup commands are for VPN Client, that needs to be migrated to tunnel-group and group-policy accordingly.
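The remote-access VPN from the PIX config above, migrated to tunnel-group and group-policy as the reply says. This is an added example, not from the thread or Cisco's migration guide. It assumes ASA 8.4 or later syntax (the "ikev1" keyword; on 8.3 and earlier the same commands read "crypto isakmp policy", "crypto ipsec transform-set" and "pre-shared-key" without it). The ip local pool VPNpool and the split-tunnel access-list VPNClient are referenced by the PIX config but not shown in the thread, so they are not invented here; both must already exist on the ASA. The pre-shared key stays masked as in the original.

```cisco
! PIX 6.3 remote-access VPN (from the thread) migrated to ASA.
! Added example; assumes ASA 8.4+ syntax. VPNpool and VPNClient are
! assumed to be defined elsewhere, as they are on the PIX.

! isakmp policy 10 ...  ->  IKEv1 phase 1 policy (same values, one-to-one)
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
! isakmp enable outside / identity address / nat-traversal 20
crypto ikev1 enable outside
crypto isakmp identity address
crypto isakmp nat-traversal 20

! transform-set, dynamic map and crypto map keep their shape;
! only the ikev1 keyword is new.
crypto ipsec ikev1 transform-set clientname esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set ikev1 transform-set clientname
crypto map clientname_map 10 ipsec-isakmp dynamic dynmap
crypto map clientname_map interface outside

! sysopt connection permit-ipsec was renamed permit-vpn on current ASA
! code: decrypted VPN traffic bypasses the interface access-lists.
sysopt connection permit-vpn

! vpngroup 211offsite ... splits into two objects:
!  - group-policy carries what the client receives (DNS, WINS, domain,
!    split tunnel, idle timer)
!  - tunnel-group carries the address pool and the pre-shared key
group-policy 211offsite internal
group-policy 211offsite attributes
 dns-server value 192.168.254.9 192.168.254.8
 wins-server value 192.168.254.254
 default-domain value clientname.local
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNClient
! vpngroup idle-time 1800 is in seconds; vpn-idle-timeout takes minutes
 vpn-idle-timeout 30

tunnel-group 211offsite type remote-access
tunnel-group 211offsite general-attributes
 address-pool VPNpool
 default-group-policy 211offsite
tunnel-group 211offsite ipsec-attributes
 ikev1 pre-shared-key ********
```

The example keeps 3DES and MD5 so that every line maps back to a PIX line, but a migration is the natural point to move the IKE policy and transform-set to AES and SHA, since the only clients that still need 3DES/MD5 are the ones you are replacing anyway. Also note that a dynamic crypto map with no peer address, as here, accepts IKE from any source that knows the group pre-shared key; that is what makes it remote-access rather than site-to-site, as the reply explains.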

Thanks... very late.

Appreciate the links!

Cheers, all the best with the migration.
