Cisco Firewall :: NAT Command Conversion PIX 6.3 To ASA 8.4(2)
Dec 28, 2011
I am in the process of migrating a production firewall from PIX 6.3 to ASA 8.4(2). This is going to be a complete firewall rebuild and I will not be upgrading the configs because they have become out of date and very bloated. I am in the process of converting the NAT commands. [code] I am hoping these commands would be enough to replicate the previous functionality. I removed all the static identity NATs because NAT control is no longer in place, so those rules are not required. Additionally, I didn't re-create the rules that had NAT ID 0 or 1 because it didn't look like they were doing anything. correct way to do the static NAT commands at the bottom.
Jun 13, 2011
I have 8.2 configuration that works:
global (inside) 1 192.168.1.1
nat (outside) 1 access-list Servers outside
static (inside,outside) 10.16.0.0 10.1.0.0 netmask 255.255.0.0
[Code]....
It is a remote monitoring ASA, so I need to NAT user networks (10.1.x.y, 10.2.x.y) to something that I can use (10.16.x.y, 10.17.x.y, ...).
Also, since it's my device, I have them configure the SNMP and syslog server on the client's network to use 192.168.1.1, so I have dynamic NAT for two SNMP servers and static NAT for one of them (which is the syslog server).
create 8.4 version, so I can apply it? I tried a few things; packet tracer shows that they are NATed, but I have only Deny packets, because hosts see the request coming from my public IP...
Jun 6, 2013
I know that configuration in 8.2.x and 8.4.x is different in terms of NAT and object groups.
I just want to know, is it possible to do a direct upgrade from 8.2.3 to 8.4.x? Secondly, will the ASA automatically convert all the configuration from 8.2 to 8.4 format during the reboot after the upgrade?
Nov 29, 2012
We have three Cisco ASA 5520s with 8.2 code in each tower. There is a lot of configuration on the device, hence we are using IP-to-name mapping to identify the naming convention. On one of the three firewalls the naming convention is not working; I mean, after adding a name for an IP, it is not reflected in the VPN tunnels, access lists or NAT config.
Nov 4, 2012
We are in the process of migrating to the ASA service modules on both our 6509E switches from our current FWSM. We have used the Cisco conversion tool and applied that to the service module. When viewing the context in ASDM we are unable to view the object names in the right hand pane.
On the FWSM I would see the following under Network Objects:
Network Objects
- JQ-Test
- JQ-Test2
- JQ-Test3
Network Object Group
+ JQ Group
- JQ-Test
- JQ-Test2
- JQ-Test3
Now that I have run the conversion tool and applied that to the ASAs, I get the following results.
Network Objects
- 10.1.1.1
- 10.2.2.2
- 10.3.3.3
Network Object Group
+ JQ Group
- 10.1.1.1
- 10.2.2.2
- 10.3.3.3
I am aware that the naming convention on the ASAs is different to the FWSM, as you can no longer use the "name 1.1.1.1 JQ-Test1" format, but I was hoping that the conversion tool would do this for me.
Is there any way I can get the names of the objects back without having to script something that takes the old FWSM format and converts it into an ASA format?
Feb 8, 2012
Is there a newer tool for current versions of Checkpoint to ASA 8.4? I notice a lot of similarity between Checkpoint and 8.4 now, but I still have to do it all line by line, which has become a PITA.
Jul 4, 2011
I am designing a new NAT configuration for an ASA 8.4.
On my PIX 8.0 configuration I needed to allow bidirectional traffic between interfaces with different security levels, for example, Inside at 100 and dmz at 50. To accomplish this in 8.0 I used a static NAT command along with any necessary ACLs.
I now need to apply this same 8.0 config to 8.4. With the static command not available in 8.4, I am unsure of which NAT commands to use to achieve the bidirectional traffic.
May 29, 2013
What is the new command for NAT in version 8.3? The config I have is from Version 7.2 and doesn't work on 8.3. [code]
Mar 10, 2013
I'm coming from a 5505/5510 ASA to a 5512-X. I see the following 7.2 commands are now set with the NAT command in 8.6:
-------------begin 7.2 commands---------------------
global (outside) 1 interface
global (inside) 10 interface
global (wireless) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.3.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.3.114 www netmask 255.255.255.255
static (inside,outside) udp interface 5008 192.168.3.117 5008 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.3.101 3389 netmask 255.255.255.255
static (inside,outside) tcp interface h323 192.168.3.118 h323 netmask 255.255.255.255
--------------end 7.2 commands----------------------
May 17, 2012
Boss wants a listing of the firewall rules only. What's a command I can run that will give me a listing of this? If I can get an output of firewall rules only via the GUI, that'll work too. It just needs to end up with a printout on a piece of paper telling me what the firewall is doing.
Jan 15, 2012
What is the new configuration in ASA 8.4 to replace the old "nat 0" command?
Dec 5, 2012
I want to know the command for configuring NAT on my ASA5505.
Local IP - 192.168.1.0/241
Public IP - 182.73.109.118 255.255.255.252
Nov 19, 2012
I have a PIX506E that was recently reset and it has PIX Version 7.1(2). It either uses some different commands or I am not using them correctly. [code]
Mar 5, 2011
I'm new with the ASAs... I'm familiar with the FWSMs on 6500s and PIX. I'm running Version 8.3(2) and I wanted to set up nat-control and use identity NATs for advertising inside subnets to my outside networks.
The old command was static (inside,outside) 10.x.x.x 10.x.x.x netmask 255.255.255.x. I'm having a little difficulty deciphering the PDF about the static NAT... the command itself is no longer used, nat-control is no longer used, but I'm not quite sure what the equivalent nat command is that equates to the old static inside,outside command.
May 28, 2012
How do you save the command output from the CLI to a file on flash?
With IOS, I would normally use a pipe command to redirect to TFTP, but the ASA doesn't support this as far as I can tell. As a workaround I was thinking I could save the output to flash and then TFTP that file off the ASA.
Jun 11, 2012
We just bought a 2921 with the following modules: 4 port clear channel T1/E1 HWIC; SM-ES3G-24-P: EtherSwitch. I read some Cisco documents and was not able to find what I need. I would prefer all instructions from you to be for the CLI interface. This is my first time dealing directly with T1, WIC and 2921 etc. The following is what I got from ATT, IP masked:
IP Address Block IP Address: 20.20.20.136/29
WAN Link Details:
WAN Link IP Address: 13.13.13.92
AR Serial INT IP Address: 13.13.13.93
CR Serial INT IP Address: 13.13.13.94
WAN Link Subnet Mask: 255.255.255.252
A: How do I configure T1, what does "AR, CR" stand for, and do I need to use both IP addresses? What is the WAN Link IP for?
B: We have two T1 lines, so I should plug them both into the WIC, say port 0 and port 1; how do I configure them?
C: How do I access the firewall from the command line?
D: I followed the T1/E1 HWIC installation guide, and as soon as I add channel-group to the controller t1, the serial interface goes down?
Oct 3, 2011
The firewall is running version 8.2 on an ASA 5580. Address translation is not needed between the Inside network and the Outside network. But the customer has hundreds of static commands as below. [code] Can they all be removed and replaced with one single command as below?
Sep 3, 2008
Before running firmware asa722-k8.bin and asdm-522.bin, ASDM "asdm location" config lines were created when we created a network object. After the upgrade to asa722-k8.bin and asdm-522.bin this disappeared. We recently upgraded to asa724-k8.bin and asdm-524.bin, which brought those config lines back. So is "asdm location" needed, and if not, can we make sure those lines won't pollute the config file?
Jul 9, 2012
Tried setting up a Shape Policy and it states it's invalid. It worked fine on my 5520; just curious to know why it's coming up as invalid now.
ciscoasa(config-pmap-c)# shape
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-pmap-c)# shape ?
ERROR: % Unrecognized command
Jan 23, 2012
So, I made the fatal mistake while consoled in to do a "Show Run". Now, it is just stuck in that cycle. I tried the usual "Ctrl+Shift+6" command, and even the "Ctrl+6" with no success.
Mar 1, 2010
We have an ASA 5540 failover bundle working in Active/Standby mode. On our active ASA 5540, when the sh run command is issued it gets stuck and displays the output after more than 15-20 mins, and it takes another 10-15 mins to get back to the prompt.
However, on the standby ASA 5540, if the sh run command is issued it displays the output and comes back to the prompt (even though this also takes 2-3 seconds).
I have tried rebooting the active ASA 5540. We are running ASA version 8.2.2.
Oct 23, 2012
I am wanting to open up SNMP on a PIX 501, version 6.3. I am planning on doing it with the following configuration: [code]
I noticed you cannot specify RO on the snmp-server command with the older PIX. I don't want this configuration to open up any write access to the PIX. Is there a way to specify read-only for SNMP?
Aug 23, 2012
I need to open ports 80, 443 and 1882 to a specific external client (IP address).
May 7, 2013
I can't do it with ASDM and tried to use the command, but it still fails:
nat (inside,outside) source static inside-10.18.20.162 4F-1.1.1.2
The above command works fine if there is more than one public IP, in which case 1.1.1.1 is the firewall's public interface IP. If I have only one public IP and I would like to forward HTTP traffic to my internal network, how can I use the command to do that?
Nov 19, 2012
I would like to have these commands on our firewall to prevent at least several students from using this service. How do I translate this? It apparently works great if I use a Linux box or another firewall compatible with iptables.
iptables -I INPUT -s hotspotshield.com -j REJECT
iptables -I INPUT -s hotspotshield.net -j REJECT
iptables -I INPUT -s anchorfree.com -j REJECT
iptables -I INPUT -s anchorfree.net -j REJECT
iptables -I INPUT -s openvpn.net -j REJECT
iptables -I OUTPUT -d hotspotshield.com -j REJECT
iptables -I OUTPUT -d hotspotshield.net -j REJECT
iptables -I OUTPUT -d anchorfree.com -j REJECT
iptables -I OUTPUT -d anchorfree.net -j REJECT
iptables -I OUTPUT -d openvpn.net -j REJECT
Apr 28, 2012
I just tried to do a quick privilege level setup for a user to limit access to the ASA. The user should be able to add NATs to the configuration. ASA 8.4 is in question, and trying the following does not seem to work:
privilege configure level 3 command object gives me ERROR: specified command 'object' not found in any mode. It looks like locally this cannot be done, or am I doing something wrong?
Nov 1, 2011
I have a core switch Cisco 3750G with 4 SFP slots populated with GLC-SX-MM modules. Of these 4 fiber GLC-SX-MM modules, 3 are connected to 3 floor switches which have the same GLC-SX-MM. Each link is configured as a TRUNK, allows only that floor's VLAN, and is working fine. Now the 4th GLC-SX-MM module has to be connected to a single desktop PC using a fiber-to-UTP converter, which is SC to UTP. The patch panel is LC, so I used an LC to SC fiber patch cord, but the link is not coming up; in this situation, if I use an SC converter on both sides then the link is up.
All 4 GLC-SX-MM modules are checked and working fine. Only the fourth floor link is not coming up; if I use the UTP to fiber SC type connector in the core switch for the 4th floor then it is working. How do I resolve this issue? Do I need to use the UTP to fiber LC type converter on the fourth floor instead of the SC type converter? Logically, when I use the LC-SC type patch cord and connect to the SC type converter, it should work.
Jan 13, 2009
What is the command for creating a user on an ASA 5500 running 7.2(3) that can only view the config but not make any changes?
May 14, 2012
How can I check that the ASA is passing traffic? Also, what command can we use to make sure the VPN is working fine?
Oct 19, 2011
We are experiencing intermittent issues with the IPS on our ASA5585 running 8.4(2). Probably something with the dataplane. So I want to keep debug cplane 255 activated and logged with the log debug-trace setting to a syslog server. But when the session times out the debug command is cleared, so the output stops. Since it is an intermittent issue I want to keep debug activated... Totally different behaviour than with routers, which keep it activated. How do I keep debug activated on an ASA?
Jan 7, 2013
Need to check how many IPSEC tunnels are running over an ASA 5520. Tried the commands which we use on routers, no luck?
Feb 8, 2013
I am planning to get the unicast streams from 2-3 different sources over the internet, and I am doing NAT for port-forwarding all those unicast streams to one private IP. Attached is the setup for your understanding. Setup: Both unicast streams will be hitting one Public IP (3.3.3.2) on UDP/TCP ports 1234, 1236 & 1238 only, and the same ports need to be forwarded to the NATted private IP (10.10.10.4).
1) NATting these 2 unicast streams into one private IP (10.10.10.4) by checking source & destination based IPs and ports, but in the below configuration I cannot achieve checking source & destination based IPs and ports.
Router configuration:-
interface GigabitEthernet0/0
description ***Connected to Internet ***
ip address 3.3.3.2 255.255.255.252
no ip redirects
no ip unreachables
[code]...
Sep 24, 2012
We are about ready to embark on moving all L2L and network extensions (Cisco ASA 5505s) from the Cisco VPN 3060 Concentrator to a Cisco ASA 5520. We would like to know if there is a simple method of doing this, such as a converter? Also, are there any lessons learned? We are running 8.4.3, so we know that the NAT configuration has differed. Can the configuration from the 3060 be modified in any way for configuring the ASA?