Upgrading from PIX to ASA 5512X

derrmart (Cisco Employee)

Hi everyone,

We are in the middle of upgrading from two PIXs to some new ASA 5512Xs. To give you some background on the situation, we are upgrading these since the PIXs are fairly old. We had one extra that we had to use since one PIX has failed already. The guy that implemented the PIXs originally was learning how to do so as he went, so there is a lot of needless config in the PIX, at least from what I can tell. Another guy that works with me has done some configuration on the new ASAs and has done the majority of it so far. Today we went to install the new ASAs and switch everything over hoping it would work, but that didn't happen. It seems that there is something wrong with our NAT and ACLs somewhere along the line. The way our network is laid out is that we have two school campuses with a site-to-site VPN; one is 172.17.0.0/16 and the other is 172.18.0.0/16. We also have a remote-access VPN on both ASAs. When we connected the new ASAs up and brought up the interfaces, nothing on the inside could ping the internet nor the other side. The VPN showed active on the ASAs and each ASA could ping the other's outside interface, but that was it. I have posted the configs below. If anyone could help out I would GREATLY appreciate it! Thank you in advance!

ASA1:

: Saved
: Written by enable_15 at 04:26:18.240 CDT Tue Mar 12 2013
!
ASA Version 8.6(1)2
!
hostname dallasroadASA
enable password **** encrypted
passwd **** encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 70.x.x.x 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.18.1.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.18.2.21
name-server 172.18.2.20
object network WS_VLAN2
subnet 172.17.2.0 255.255.255.0
object network WS_VLAN3
subnet 172.17.3.0 255.255.255.0
object network WS_VLAN4
subnet 172.17.4.0 255.255.255.0
object network WS_VLAN5
subnet 172.17.5.0 255.255.255.0
object network WS_VLAN6
subnet 172.17.6.0 255.255.255.0
object network WS_VLAN7
subnet 172.17.7.0 255.255.255.0
object network WS_VLAN8
subnet 172.17.8.0 255.255.255.0
object network WS_VLAN9
subnet 172.17.9.0 255.255.255.0
object network WS_VLAN10
subnet 172.17.10.0 255.255.255.0
object network WS_VLAN11
subnet 172.17.11.0 255.255.255.0
object network WS_VLAN12
subnet 172.17.12.0 255.255.255.0
object network WS_VLAN13
subnet 172.17.13.0 255.255.255.0
object network WS_VLAN14
subnet 172.17.14.0 255.255.255.0
object network WS_VLAN15
subnet 172.17.15.0 255.255.255.0
object network WS_VLAN16
subnet 172.17.16.0 255.255.255.0
object network DR_VLAN2
subnet 172.18.2.0 255.255.255.0
object network DR_VLAN3
subnet 172.18.3.0 255.255.255.0
object network DR_VLAN4
subnet 172.18.4.0 255.255.255.0
object network DR_VLAN5
subnet 172.18.5.0 255.255.255.0
object network DR_VLAN6
subnet 172.18.6.0 255.255.255.0
object network DR_VLAN7
subnet 172.18.7.0 255.255.255.0
object network DR_VLAN8
subnet 172.18.8.0 255.255.255.0
object network DR_VLAN9
subnet 172.18.9.0 255.255.255.0
object network DR_VLAN10
subnet 172.18.10.0 255.255.255.0
object network DR_CORE_SW
host 172.18.2.1
object network dallasdns02_internal
host 172.18.2.21
object network faithdallas03_internal
host 172.18.2.20
object network dns_external
host 70.x.x.x
object network WorthStreet
subnet 172.17.0.0 255.255.0.0
object network DallasRoad
subnet 172.18.0.0 255.255.0.0
object-group network DALLAS_VLANS
network-object object DR_VLAN10
network-object object DR_VLAN2
network-object object DR_VLAN3
network-object object DR_VLAN4
network-object object DR_VLAN5
network-object object DR_VLAN6
network-object object DR_VLAN7
network-object object DR_VLAN8
network-object object DR_VLAN9
object-group network WORTH_VLANS
network-object object WS_VLAN10
network-object object WS_VLAN11
network-object object WS_VLAN12
network-object object WS_VLAN13
network-object object WS_VLAN14
network-object object WS_VLAN15
network-object object WS_VLAN16
network-object object WS_VLAN2
network-object object WS_VLAN3
network-object object WS_VLAN4
network-object object WS_VLAN5
network-object object WS_VLAN6
network-object object WS_VLAN7
network-object object WS_VLAN8
network-object object WS_VLAN9
object-group network dallasitnetwork
network-object host 172.18.2.20
network-object host 172.18.2.40
object-group protocol tcpudp
protocol-object udp
protocol-object tcp
object-group network dallasroaddns
network-object host 172.18.2.20
network-object host 172.18.2.21
object-group service tcpservices tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq ssh
object-group network remotevpnnetwork
network-object 172.18.50.0 255.255.255.0
access-list L2LAccesslist extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list NONAT extended permit ip any 172.18.50.0 255.255.255.0
access-list inside_inbound_access extended permit ip 172.18.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list inside_inbound_access extended permit ip object-group dallasitnetwork any
access-list inside_inbound_access extended permit object-group tcpudp object-group dallasroaddns any eq domain
access-list inside_inbound_access extended permit ip host 172.18.4.10 any
access-list inside_inbound_access extended deny object-group tcpudp any any eq domain
access-list inside_inbound_access extended deny tcp any any eq smtp
access-list inside_inbound_access extended permit ip any any
access-list outside_inbound_access extended permit tcp any host 70.x.x.x object-group tcpservices
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnaddresspool 172.18.50.0-172.18.50.255
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static dallasdns02_internal dns_external
nat (inside,outside) source static faithdallas03_internal dns_external
nat (inside,outside) source dynamic any interface
nat (any,outside) source static remotevpnnetwork remotevpnnetwork destination static remotevpnnetwork remotevpnnetwork description NONAT for remote vpn users
nat (inside,outside) source static DallasRoad DallasRoad destination static WorthStreet WorthStreet
access-group outside_inbound_access in interface outside
access-group inside_inbound_access in interface inside
route outside 0.0.0.0 0.0.0.0 70.x.x.x 1
route inside 172.18.0.0 255.255.0.0 172.18.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CISCOMAP
  map-name  VPNALLOW IETF-Radius-Class
  map-value VPNALLOW FALSE NOACESS
  map-value VPNALLOW TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.17.2.28
server-port 389
ldap-base-dn DC=campus,DC=fcschool,DC=org
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ****
ldap-login-dn CN=fcsadmin,CN=Users,DC=campus,DC=fcschool,DC=org
server-type microsoft
ldap-attribute-map CISCOMAP
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.17.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address L2LAccesslist
crypto map outside_map 10 set peer 71.x.x.x
crypto map outside_map 10 set ikev1 transform-set myset
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 172.18.0.0 255.255.0.0 inside
ssh 172.17.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1
group-policy DfltGrpPolicy attributes
dns-server value 172.18.2.20
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
password-storage enable
group-policy DallasRoad internal
group-policy DallasRoad attributes
dns-server value 172.18.2.20 172.18.2.21
password-storage enable
default-domain value campus.fcschool.org
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
banner value Now connected to the FCS Network
vpn-tunnel-protocol ikev1
username iwerkadmin password i6vIlW5ctGaR0l7n encrypted privilege 15
tunnel-group remoteaccessvpn type remote-access
tunnel-group remoteaccessvpn general-attributes
address-pool vpnaddresspool
authentication-server-group LDAP
tunnel-group 71.x.x.x type ipsec-l2l
tunnel-group 71.x.x.x ipsec-attributes
ikev1 pre-shared-key ****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fd69fbd7a2cb0a6a125308dd85302198
: end

ASA2:

: Saved
: Written by enable_15 at 09:27:47.579 UTC Tue Mar 12 2013
!
ASA Version 8.6(1)2
!
hostname worthstreetASA
enable password **** encrypted
passwd **** encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 71.x.x.x 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.17.1.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.17.2.23
name-server 172.17.2.28
object network mail_external
host 71.x.x.x
object network mail_internal
host 172.17.2.57
object network faweb_external
host 71.x.x.x
object network netclassroom_external
host 71.x.x.x
object network blackbaud_external
host 71.x.x.x
object network netclassroom_internal
host 172.17.2.41
object network nagios
host 208.x.x.x
object network DallasRoad_ASA
host 70.x.x.x
object network WS_VLAN2
subnet 172.17.2.0 255.255.255.0
object network WS_VLAN3
subnet 172.17.3.0 255.255.255.0
object network WS_VLAN4
subnet 172.17.4.0 255.255.255.0
object network WS_VLAN5
subnet 172.17.5.0 255.255.255.0
object network WS_VLAN6
subnet 172.17.6.0 255.255.255.0
object network WS_VLAN7
subnet 172.17.7.0 255.255.255.0
object network WS_VLAN8
subnet 172.17.8.0 255.255.255.0
object network WS_VLAN9
subnet 172.17.9.0 255.255.255.0
object network WS_VLAN10
subnet 172.17.10.0 255.255.255.0
object network WS_VLAN11
subnet 172.17.11.0 255.255.255.0
object network WS_VLAN12
subnet 172.17.12.0 255.255.255.0
object network WS_VLAN13
subnet 172.17.13.0 255.255.255.0
object network WS_VLAN14
subnet 172.17.14.0 255.255.255.0
object network WS_VLAN15
subnet 172.17.15.0 255.255.255.0
object network WS_VLAN16
subnet 172.17.16.0 255.255.255.0
object network DR_VLAN2
subnet 172.18.2.0 255.255.255.0
object network DR_VLAN3
subnet 172.18.3.0 255.255.255.0
object network DR_VLAN4
subnet 172.18.4.0 255.255.255.0
object network DR_VLAN5
subnet 172.18.5.0 255.255.255.0
object network DR_VLAN6
subnet 172.18.6.0 255.255.255.0
object network DR_VLAN7
subnet 172.18.7.0 255.255.255.0
object network DR_VLAN8
subnet 172.18.8.0 255.255.255.0
object network DR_VLAN9
subnet 172.18.9.0 255.255.255.0
object network DR_VLAN10
subnet 172.18.10.0 255.255.255.0
object network WS_CORE_SW
host 172.17.2.1
object network blackbaud_internal
host 172.17.2.26
object network spiceworks_internal
host 172.17.2.15
object network faweb_internal
host 172.17.2.31
object network spiceworks_external
host 71.x.x.x
object network WorthStreet
subnet 172.17.0.0 255.255.0.0
object network DallasRoad
subnet 172.18.0.0 255.255.0.0
object network remotevpnnetwork
subnet 172.17.50.0 255.255.255.0
object-group icmp-type echo_svc_group
icmp-object echo
icmp-object echo-reply
object-group service mail.fcshool.org_svc_group
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service nagios_svc_group tcp
port-object eq 12489
object-group service http_s_svc_group tcp
port-object eq www
port-object eq https
object-group network DALLAS_VLANS
network-object object DR_VLAN10
network-object object DR_VLAN2
network-object object DR_VLAN3
network-object object DR_VLAN4
network-object object DR_VLAN5
network-object object DR_VLAN6
network-object object DR_VLAN7
network-object object DR_VLAN8
network-object object DR_VLAN9
object-group network WORTH_VLANS
network-object object WS_VLAN10
network-object object WS_VLAN11
network-object object WS_VLAN12
network-object object WS_VLAN13
network-object object WS_VLAN14
network-object object WS_VLAN15
network-object object WS_VLAN16
network-object object WS_VLAN2
network-object object WS_VLAN3
network-object object WS_VLAN4
network-object object WS_VLAN5
network-object object WS_VLAN6
network-object object WS_VLAN7
network-object object WS_VLAN8
network-object object WS_VLAN9
object-group network MailServers
network-object host 172.17.2.57
network-object host 172.17.2.58
network-object host 172.17.2.17
object-group protocol DM_INLINE_PROTOCOL
protocol-object ip
protocol-object udp
protocol-object tcp
object-group network DNS_Servers
network-object host 172.17.2.23
network-object host 172.17.2.28
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit object-group mail.fcshool.org_svc_group any object mail_internal
access-list outside_access_in extended permit tcp object nagios object mail_internal object-group nagios_svc_group
access-list outside_access_in extended permit tcp any object faweb_external object-group http_s_svc_group
access-list outside_access_in extended permit tcp any object netclassroom_external object-group http_s_svc_group
access-list outside_access_in extended permit tcp any object blackbaud_external eq https
access-list outside_access_in extended permit tcp any object spiceworks_external object-group http_s_svc_group
access-list L2LAccesslist extended permit ip 172.17.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list inside_inbound extended permit object-group TCPUDP object-group DNS_Servers any eq domain
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL host 172.17.15.10 any inactive
access-list inside_access_in extended permit tcp object-group MailServers any eq smtp
access-list inside_access_in extended permit tcp host 172.17.14.10 any eq smtp
access-list inside_access_in extended deny object-group TCPUDP any any eq domain
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list vpn_access extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnaddresspool 172.17.50.1-172.17.50.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static mail_internal mail_external
nat (inside,outside) source static netclassroom_internal netclassroom_external
nat (inside,outside) source static faweb_internal faweb_external
nat (inside,outside) source static spiceworks_internal interface
nat (inside,outside) source static blackbaud_internal blackbaud_external
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static WorthStreet WorthStreet destination static DallasRoad DallasRoad
nat (any,outside) source static remotevpnnetwork remotevpnnetwork destination static remotevpnnetwork remotevpnnetwork description NONAT for remote vpn users
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
route inside 172.17.0.0 255.255.0.0 172.17.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CISCOMAP
  map-name  VPNALLOW IETF-Radius-Class
  map-value VPNALLOW FALSE NOACESS
  map-value VPNALLOW TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
network-acl vpn_access
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.17.2.28
ldap-base-dn DC=campus,DC=fcschool,DC=org
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ****
ldap-login-dn CN=VPN Admin,CN=Users,DC=campus,DC=fcschool,DC=org
server-type microsoft
ldap-attribute-map CISCOMAP
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.17.0.0 255.255.0.0 inside
http 172.18.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address L2LAccesslist
crypto map outside_map 10 set peer 70.x.x.x
crypto map outside_map 10 set ikev1 transform-set myset
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet 172.17.0.0 255.255.0.0 inside
telnet 172.18.0.0 255.255.0.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 172.17.0.0 255.255.0.0 inside
ssh 172.18.0.0 255.255.0.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
webvpn
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
banner value Now connected to the FCS Network
vpn-tunnel-protocol ikev1
username iwerkadmin password i6vIlW5ctGaR0l7n encrypted privilege 15
tunnel-group 70.x.x.x type ipsec-l2l
tunnel-group 70.x.x.x ipsec-attributes
ikev1 pre-shared-key ****
tunnel-group remoteaccessvpn type remote-access
tunnel-group remoteaccessvpn general-attributes
address-pool vpnaddresspool
authentication-server-group LDAP
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b599ba0f719f39b213e7f01fe55588ac
: end


Hi Derrick,

I just did the same for a customer; replaced a failover cluster of two PIX 515s with 5512Xs. The NAT change is major with ASA version 8.3 and later...

Here's what you need: a manual NAT rule, called twice NAT (policy NAT or NONAT is the old terminology), for the VPNs to work. Also add the no-proxy-arp keyword:

nat (inside,outside) source static INSIDE_NETWORKS INSIDE_NETWORKS destination static VPN_NETWORKS VPN_NETWORKS no-proxy-arp
nat (inside,outside) source static INSIDE_NETWORKS INSIDE_NETWORKS destination static RA_VPN_NETWORKS RA_VPN_NETWORKS no-proxy-arp

Then the dynamic PAT for internet access (after the twice NATs for VPN); it could be a manual NAT like you did, or, preferably, an object NAT.

You did:

nat (inside,outside) source dynamic any interface

It would also work with object NAT:

object network INSIDE_NETWORKS
 subnet ...
 nat (inside,outside) dynamic interface

Same on the other side (except the networks are reversed, since the inside network is now what the other side refers to as the VPN network and vice versa).

If you don't put the no-proxy-arp, your NAT configuration will cause network issues.

Also, to be able to pass pings through the ASA, add the following:

policy-map global_policy
 class inspection_default
  inspect icmp

The ASA will do some basic inspection of the ICMP protocol with that config, e.g. it will make sure there is one echo-reply for each echo-request...

Hope that helps,

Patrick
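An added example (not from the thread or from Cisco) that models how ASA 8.3+ walks its section-1 manual NAT lines top to bottom, using the ASA1 NAT lines posted above, to show why the order Patrick describes matters: with the dynamic PAT ahead of the site-to-site identity rule, traffic for the other campus leaves with the outside address and the crypto ACL never sees 172.18/16 -> 172.17/16. Object names resolve through a table constructed here, the masked 70.x.x.x addresses are replaced by documentation-range placeholders, and only section 1 (manual NAT) is modelled.

```python
"""ASA 8.3+ manual NAT (section 1) first-match model: walks the posted ASA1
'nat (inside,outside) source ...' lines in order and reports how the source
address leaves the box. Constructed for this thread; not Cisco code."""
import ipaddress
import re

# Constructed lookup table for the object names used below (subset of the
# posted ASA1 objects); placeholders stand in for the masked 70.x.x.x hosts.
OBJECTS = {
    "any": "0.0.0.0/0",
    "DallasRoad": "172.18.0.0/16",
    "WorthStreet": "172.17.0.0/16",
    "dallasdns02_internal": "172.18.2.21/32",
    "faithdallas03_internal": "172.18.2.20/32",
    "dns_external": "198.51.100.10/32",  # placeholder for the masked DNS NAT address
    "interface": "198.51.100.1/32",      # placeholder for the masked outside address
}
OBJECTS = {name: ipaddress.ip_network(net) for name, net in OBJECTS.items()}

NAT_RE = re.compile(
    r"nat \((?P<src_if>\w+),(?P<dst_if>\w+)\) source (?P<kind>static|dynamic) "
    r"(?P<real_src>\S+) (?P<mapped_src>\S+)"
    r"(?: destination static (?P<real_dst>\S+) (?P<mapped_dst>\S+))?"
)

# The relevant ASA1 manual NAT lines, in the order they were posted.
POSTED_ORDER = [
    "nat (inside,outside) source static dallasdns02_internal dns_external",
    "nat (inside,outside) source static faithdallas03_internal dns_external",
    "nat (inside,outside) source dynamic any interface",
    "nat (inside,outside) source static DallasRoad DallasRoad "
    "destination static WorthStreet WorthStreet",
]
# Same lines with the site-to-site identity rule moved to the top (and
# no-proxy-arp added), as the accepted answer advises.
FIXED_ORDER = [
    "nat (inside,outside) source static DallasRoad DallasRoad "
    "destination static WorthStreet WorthStreet no-proxy-arp",
] + POSTED_ORDER[:3]

def parse_nat(line):
    """Split one manual NAT line into its fields; reject anything else."""
    match = NAT_RE.match(line.strip())
    if match is None:
        raise ValueError("not a manual NAT line: " + line)
    return match.groupdict()

def map_address(addr, real_name, mapped_name):
    """Translate addr from the real object into the mapped one, keeping the offset."""
    real, mapped = OBJECTS[real_name], OBJECTS[mapped_name]
    if real_name == mapped_name:
        return addr                        # identity NAT: source is left alone
    if mapped.num_addresses == 1:
        return mapped.network_address      # static to a host, or PAT to the interface
    return mapped[int(addr) - int(real.network_address)]

def translate(nat_lines, src, dst, src_if="inside"):
    """Return (first matching line or None, source address after translation)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in nat_lines:
        rule = parse_nat(line)
        if rule["src_if"] not in (src_if, "any") or src not in OBJECTS[rule["real_src"]]:
            continue
        if rule["real_dst"] is not None and dst not in OBJECTS[rule["real_dst"]]:
            continue
        return line, str(map_address(src, rule["real_src"], rule["mapped_src"]))
    return None, str(src)

def vpn_flows_untranslated(nat_lines):
    """True when a plain host and the statically NATed DNS server both reach the
    remote campus with their real address, so the L2LAccesslist crypto ACL can match."""
    return all(translate(nat_lines, s, "172.17.2.23")[1] == s
               for s in ("172.18.2.30", "172.18.2.21"))

if __name__ == "__main__":
    for label, rules in (("posted", POSTED_ORDER), ("fixed", FIXED_ORDER)):
        for src in ("172.18.2.30", "172.18.2.21"):
            print(label, src, "->", translate(rules, src, "172.17.2.23")[1])
```

Note that in the posted order the DNS server 172.18.2.21 is caught by its own static rule even before the PAT, so simply moving the PAT below the identity rule is not enough; the identity rule has to precede every other section-1 line that could match VPN-bound traffic.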

Patrick,

Thank you for the reply! I will add those commands and change the config and see what happens. Also as for the ACLs, do you think those look correct? Like as in nothing should really be much of an issue with NAT/PAT?

Thanks,

Derrick

your inside acl has a permit ip any any so no traffic should be denied (except DNS and SMTP in the previous deny statements)...

Patrick,

OK cool. One more question. With me statically NATting our servers, can that be done with object NAT?

Like:

object network outside_server1_IP
 host 70.x.x.x
object network server1
 host 192.168.1.50
 nat (inside,outside) static outside_server1_IP

Hi Derrick,

Yes that is one way to set up a static translation on the ASA.

Please check this out:

Information About NAT

ASA Pre-8.3 to 8.3 NAT configuration examples

HTH.

Portu.
