migration from Cisco Router to Cisco ASA

TECH-JEFF
Level 1

Hi, I just want to ask for some help with some codes/lines. Here's my situation: the client currently has 2 devices:

1. Cisco ASA (Main branch) 9.1(6)
2. Cisco Router 2801 with IOS ver 12.4(3d)

They've decided to decommission the Cisco Router 2801 and replace it with the (existing) Cisco ASA, because the Cisco ASA is being replaced by a different brand. So basically, copy the configs from the router to the ASA. As I was browsing over the router's config, I saw some lines which I'm not that familiar with on the router, since these configs will be copied or should have an equivalent as soon as the ASA replaces this device. I'd appreciate it if someone can give me some tips or correct me if I'm doing it wrong.

 

Ok, the first one would be that I saw some codes like:

ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp

and so on and so forth. From what I understand from my research, this one is like filtering the packets that will be allowed or denied, did I get this correct?

 

The next one would be the ACL or access list. I'm not advanced when it comes to ACLs, but most of my colleagues are actually saying that this is a very useful code. Here it goes:

 

ip access-list extended XXX_XXXXX     --> the X's I'm assuming are the letters/chars/name of the ACL
 permit icmp any any     --> I'm assuming they allow ping/tracert on any IPs

ip access-list extended NAT
 deny ip 10.10.10.0 0.0.0.255 10.125.85.0 0.0.0.255     -->

1. in this line, they denied the subnet 10.10.10.0 but I don't understand why 0.0.0.255 for the subnet?
2. 10.125.85.0 (sample network from the Cisco ASA-Main Branch) also used 0.0.0.255, is 0.0.0.255 the same as a /8 subnet?

 deny ip 192.168.55.0 0.0.0.255 10.125.85.0 0.0.0.255     -->
 deny ip 192.168.55.0 0.0.0.255 10.125.86.0 0.0.0.255

1. 192.168.55.0 is the LAN IP set on the Router in the branch office. Is this line denying any LAN IP from the router access to the Main office LAN 10.125.85.0? and why 0.0.0.255 subnet as well?

 deny ip 192.168.55.0 0.0.0.255 10.125.86.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 192.168.55.0 0.0.0.255 any     --> these 3 lines are kind of confusing

 

ip access-list extended OUTSIDE
 deny ip 0.0.0.0 0.255.255.255 any log     --> I'm assuming any network can't just go out to the internet and the log is the traffic log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.0.0.0 0.0.0.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 198.18.0.0 0.1.255.255 any log
 deny ip 198.51.100.0 0.0.0.255 any log
 deny ip 203.0.113.0 0.0.0.255 any log
 deny ip 224.0.0.0 31.255.255.255 any log
 remark Permit VPN Traffic
 permit udp any host <77.77.777.77> eq non500-isakmp     --> 77.xxx.xxx.xxx is the WAN IP of the branch office where the router is
 permit udp any host 77.77.777.77 eq isakmp
 permit esp any host 77.77.777.77
 remark Permit ICMP
 permit icmp any host 77.77.777.77 echo-reply
 permit icmp any host 77.77.777.77 time-exceeded
 permit icmp any host 77.77.777.77 unreachable
 permit icmp any host 77.77.777.77 echo
 permit tcp any host 77.77.777.77 eq 22
 remark Deny IPs
 deny ip any any log
ip access-list extended VPN2MAIN
 permit ip 10.10.10.0 0.0.0.255 10.125.85.0 0.0.0.255
 permit ip 192.168.55.0 0.0.0.255 10.125.85.0 0.0.0.255
 permit ip 192.168.55.0 0.0.0.255 10.125.86.0 0.0.0.255
!
access-list 99 permit 65.x.x.x
access-list 99 permit 57.x.x.x
access-list 99 permit 66.666.666.666     --> this is the Main Branch IP where the Cisco ASA is
access-list 99 permit 216.x.x.x 0.0.0.255     --> this one is a DNS server
access-list 99 permit 192.168.55.0 0.0.0.255     --> LAN IP of the router
!

Thanks

TECH-JEFF

Jefferson Co

Hi @TECH-JEFF

ASA and router are quite different. I'll try to help you:

Inspection:

This is how a firewall tracks connections, and it is useful for connectionless protocols like UDP. It is not a filter.

 

1. in this line, they denied the subnet 10.10.10.0 but I don't understand why 0.0.0.255 for the subnet?

They are probably denying this network from being NATed. It means there will be no NAT for those IPs.

2. 10.125.85.0 (sample network from the Cisco ASA-Main Branch) also used 0.0.0.255, is 0.0.0.255 the same as a /8 subnet?

Nope. This means that the first three octets must match and the last one doesn't have to.

1. 192.168.55.0 is the LAN IP set on the Router in the branch office. Is this line denying any LAN IP from the router access to the Main office LAN 10.125.85.0? and why 0.0.0.255 subnet as well?

 deny ip 192.168.55.0 0.0.0.255 10.125.86.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 192.168.55.0 0.0.0.255 any     --> these 3 lines are kind of confusing

About the wildcard mask: it is the same as in the previous question.

This ACL is denying hosts on the 192 network from communicating with hosts on the 10 network, but is allowing them to communicate with everything else.

This covers the main question. Keep in mind that a firewall is quite different, so try to implement it on the ASA and let me know about specific doubts.

 

 

-If I helped you somehow, please, rate it as useful.-
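As an added example (not from the original post, the reply, or Cisco's own tooling), a small Python script that parses the NAT ACL quoted above, converts each IOS wildcard mask into the prefix/netmask form the ASA uses, and evaluates sample flows to show the first-match behaviour: 192.168.55.0/24 to 10.125.85.0/24 hits a deny entry, while the same source to any other destination is permitted. The ACL text and test addresses are constructed from the post; on ASA 9.x the NAT exemption itself is configured with object/twice NAT rather than by an ACL, so only the address notation carries over.

```python
import ipaddress
# Constructed copy of the "NAT" ACL quoted in the question (IOS extended ACL syntax).
NAT_ACL = """
deny   ip 10.10.10.0 0.0.0.255 10.125.85.0 0.0.0.255
deny   ip 192.168.55.0 0.0.0.255 10.125.85.0 0.0.0.255
deny   ip 192.168.55.0 0.0.0.255 10.125.86.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
permit ip 192.168.55.0 0.0.0.255 any
"""
def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard: 0 bits must match, 1 bits are 'don't care'; 0.0.0.255 is a /24, not a /8."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # invert wildcard into a netmask
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:   # only contiguous masks map to a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)

def _take_addr(tok):
    """Consume one address spec (any | host A | A WILDCARD) from a token list."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    return wildcard_to_network(tok[0], tok[1]), tok[2:]

def parse_acl(text: str):
    """Return [(action, proto, src_net, dst_net)] in configured order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, rest = _take_addr(tok[2:])
        dst, _ = _take_addr(rest)
        entries.append((tok[0], tok[1], src, dst))
    return entries

def evaluate(entries, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny (proto not checked: all 'ip')."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, _proto, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"

def to_asa(name: str, entries) -> list:
    # ASA access-list syntax uses subnet masks (255.255.255.0), not wildcards (0.0.0.255)
    fmt = lambda n: "any" if n.prefixlen == 0 else f"{n.network_address} {n.netmask}"
    return [f"access-list {name} extended {a} {p} {fmt(s)} {fmt(d)}" for a, p, s, d in entries]
```

Running `evaluate(parse_acl(NAT_ACL), "192.168.55.10", "10.125.85.20")` returns "deny" (branch LAN to main-office LAN is excluded from NAT), while the same source to 203.0.113.5 returns "permit".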
