Converting Filters and Rules from 3030 to ASA 5550

aprather
Level 1

Hi all,

We started looking at replacing our 3030s today and I got to the point where we need to import all of our filters and rules from the 3030 into the 5550. I have 2 questions:

1. We checked the Cisco site and found a document on conversion, but it did not cover much with rules and filters. It just indicated that the ASA uses ACLs now. I looked at the ACLs but could not figure out how they related back to filters and rules like the 3030 has. Can someone explain this process?

2. Is there a way to do an "import" on the filters and rules to make this easy? We have tons of them.

As an example of what we are trying to do:

A contractor needs to VPN into our network and we want to allow him to only access a specific server.

In the VPN concentrator I would make a filter called "Contractor" and then make a rule allowing incoming access from him to the server and then outgoing access from the server to him. I would then apply this rule to the filter "Contractor". On my ACS server I would create another group called "ACSContractor". Under the properties of that group I would check the box for "filter-id" and then type in "Contractor". At this point they would be able to log in with this access.

Thanks in advance!

2 Replies

aprather
Level 1

I may have found something, is this what I would be doing?

Enforcing CSD Checks and Applying Policies via DAP

This example creates a DAP that checks that a user belongs to two specific AD/LDAP groups (Engineering and Employees) and a specific ASA tunnel group. It then applies an ACL to the user.

The ACLs that DAP applies control access to the resources. They override any ACLs defined in the group policy on the security appliance. In addition, the security appliance applies the regular AAA group policy inheritance rules and attributes for those that DAP does not define or control, examples being split tunneling lists, banner, and DNS.

--------------------------------------------------------------------------------

Step 1 Navigate to the Add AAA attributes pane (Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies > Add/Edit Dynamic Access Policy > AAA Attributes section > Add AAA Attribute).

Step 2 For the AAA Attribute type, use the drop-down menu to select LDAP.

Step 3 In the Attribute ID field, enter memberOf, exactly as you see it here. Case is important.

Step 4 In the Value field, use the drop-down menu to select =, and in the adjacent text box enter Engineering.

Step 5 In the Attribute ID field, enter memberOf, exactly as you see it here. Case is important.

Step 6 In the Value field, use the drop-down menu to select =, and in the adjacent text box enter Employees.

Step 7 For the AAA attribute type, use the drop-down menu to select Cisco.

Step 8 Check the Tunnel group box, use the drop-down menu to select =, and in the adjacent drop down box select the appropriate tunnel group (connection policy).

Step 9 In the Network ACL Filters tab of the Access Policy Attributes area, select the ACLs to apply to users who meet the DAP criteria defined in the previous steps.

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_dap.html#wp1138433

Aaron,

I was preparing an answer for you, but it sounds like you did find good info on DAP. Definitely look into DAP deployment.

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

There are also VPN filters, but DAP looks much more extensive.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

As for migration tools, I have not yet seen one out there. If you have SmartNet, perhaps asking TAC directly may get a solid answer on tools. As far as I know the conversion has to be done manually, like you are doing it.

Regards

Jorge Rodriguez
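The following is an added example, not part of the thread above and not taken from Cisco's documentation. It shows the ASA-side equivalent of the poster's 3030 "Contractor" filter using the vpn-filter approach that Jorge mentions, which is the closest one-to-one mapping of a 3030 filter-plus-rules. The ASA is a VPN concentrator here as well, so the same three pieces exist: an ACL (replacing the filter and its rules), a group-policy that carries it (replacing the 3030 group), and a tunnel-group the contractor connects to. All names and addresses (CONTRACTOR-VPN-FILTER, 10.10.10.50, the 192.168.200.0/24 client pool, the ACS-RADIUS server group, port 3389) are assumptions chosen for the illustration.

```cisco
! Added example: ASA 8.x configuration reproducing a 3030 "Contractor" filter.
! Assumptions: 10.10.10.50 is the one server the contractor may reach;
! 192.168.200.0/24 is the pool the ASA hands to VPN clients; the ACS box
! is reachable on the inside at 10.10.10.5.
!
! Address pool assigned to remote-access clients.
ip local pool CONTRACTOR-POOL 192.168.200.10-192.168.200.20 mask 255.255.255.0
!
! RADIUS server group pointing at ACS (shared secret is a placeholder).
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.10.10.5
 key REPLACE-WITH-SHARED-SECRET
!
! The ACL that replaces the 3030 filter. A vpn-filter ACL is written with
! the remote VPN client as source and the internal host as destination;
! the ASA applies it to both directions of the tunnel, so one ACE covers
! what the 3030 needed as a separate "incoming" and "outgoing" rule.
! Everything not permitted is dropped by the implicit deny.
access-list CONTRACTOR-VPN-FILTER extended permit tcp 192.168.200.0 255.255.255.0 host 10.10.10.50 eq 3389
access-list CONTRACTOR-VPN-FILTER extended permit icmp 192.168.200.0 255.255.255.0 host 10.10.10.50
!
! The group-policy carrying the filter (counterpart of the 3030 group with
! the "Contractor" filter applied).
group-policy CONTRACTOR-GP internal
group-policy CONTRACTOR-GP attributes
 vpn-filter value CONTRACTOR-VPN-FILTER
 vpn-tunnel-protocol ipsec svc
 address-pools value CONTRACTOR-POOL
!
! The connection profile the contractor uses; authentication goes to ACS
! and the contractor group-policy is the default for this profile.
tunnel-group CONTRACTOR type remote-access
tunnel-group CONTRACTOR general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy CONTRACTOR-GP
!
! Verification once the contractor is connected (run from exec mode):
!   show vpn-sessiondb detail remote filter name contractor1
!   show access-list CONTRACTOR-VPN-FILTER
! The session detail lists the filter in effect, and the ACL hit counts
! should increase only for the permitted ACEs as the contractor works.
```

Two points that trip people up when moving from 3030 rules to vpn-filter ACLs. First, the ACE is written once from the client's point of view; return traffic from the server is matched against the same ACE with source and destination (including the port) swapped, so do not add a second ACE for the server-to-client direction the way the 3030 required. Second, the default `sysopt connection permit-vpn` makes VPN traffic bypass the interface ACLs, but the vpn-filter ACL is still enforced, so it is the only thing standing between the contractor and the rest of the inside network; leave it strict. On the ACS side, the same per-user selection described for the 3030 carries over: the IETF RADIUS attribute Filter-Id (11) set to the ACL name (CONTRACTOR-VPN-FILTER here) applies that ACL as the user's vpn-filter, and Class (25) set to `OU=CONTRACTOR-GP;` selects the group-policy, so the mapping of "ACSContractor" to the ASA is one attribute per group rather than a new tunnel-group per contractor. The DAP route from the earlier reply reaches the same result with a `network-acl` in a `dynamic-access-policy-record`, but the AAA and endpoint selection criteria for a DAP record are set through ASDM (stored in dap.xml), not in the running-config shown above.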