Cisco Firewall :: PIX To ASA5520 Migration Some Services Aren't Working
May 20, 2013
I've recently migrated a PIX 525 to ASA 5520, but for some reason (through the ASA) the users from OUTSIDE aren't able to access services published in the DMZ, and some DMZ servers aren't able to communicate with some OUTSIDE services.
-INSIDE to DMZ is working fine. (through ASA)
-INSIDE to OUTSIDE is working fine. (through ASA)
Below is the configuration from my PIX (where everything works just fine) as well as the one on the ASA (where there is a problem); what could be the cause? In the case below the DMZ hosts from 11.1.10.0 aren't able to access SMTP services (through the ASA) and the OUTSIDE users aren't able to access the DMZ web server (11.1.10.40) through the ASA; this all just works fine with the PIX.
object-group network inside_subnet_all
 network-object object inside_subnet_a
 network-object object inside_subnet_b
 network-object object inside_subnet_c
 network-object object inside_subnet_d
 network-object object inside_subnet_e
 network-object object inside_subnet_f
 network-object object inside_subnet_g
 network-object object inside_subnet_.
access-list OUTSIDE extended permit tcp any object host-11.1.10.40 object-group WWW-HTTPS
access-list DMZ extended permit object SMTP object dmz_subnet any
access-list INSIDE extended permit ip
Jun 23, 2012
I have 3 ASA5520s, 2 of them running as remote access VPN, 1 of the ASAs as site-to-site VPN. There are 2 different ISPs which are used between them. Can I consolidate all these services in 1 ASA5520, relating to configuration, and would the ASA be able to handle these services together without performance degradation? I forgot to mention that even e-mail service and Internet browsing also go through one of the ASAs. I was just wondering whether the configuration will get messy or whether there is a different approach to go about it. The OS on the ASAs is 8.3.
Mar 11, 2013
We have installed and implemented an FWSM on a Cisco Catalyst 6509E and defined two virtual contexts. One of the contexts works as the datacenter firewall. Initially it is configured to allow all traffic to the datacenter VLAN (permit any any). On test, it worked fine, except for one problem: all web services had degradation in performance, while all server-client (non-web) services worked very fine. Additionally, all HTTPS services worked well.
Users connect to the web server bypassing the proxy, web services are expected to act just like other ones.
Mar 24, 2013
I am running a Linksys Wireless G 2.4 GHz Broadband Router Model WRT54G. I am unable to open any ports. I upgraded to the latest firmware yesterday but still am unable to open any ports. I even turned off my Symantec Internet Security Suite Firewall but still am unable to open any ports.
Nov 29, 2012
Best way to migrate to a new pool for remote access DHCP address assignment? We are currently using a /24 pool, allowing us 253 IP addresses. During the recent hurricane we hit 250 IP addresses used, and had to start asking users to connect to our backup ASA VPN device in another country, not an ideal solution. I'd like to expand our current VPN subnet to a /23; however, I do not have a free /24 subnet above (or below) our current /24 subnet.
I can certainly allocate a new /23 subnet, but I am looking for the best migration plan with minimal downtime (no downtime would be preferred). Can I just add the new pool range to the tunnel-group RAVPN general-attributes section alongside the current pool, or should I just remove the old pool, log off all existing remote access VPN users and have them log on again to start using the new pool? We are running ASA Version 8.2(1).
Jan 16, 2012
I'm trying to configure an ASA 5520 with the cut-through proxy feature. The user is required to be authenticated when trying to access an outside resource from the inside. This is a test lab before it is implemented in production. [code]
Aug 15, 2012
I have a Cisco ASA5520 box running with IOS version 8.2(5)13 where the default policy map is applied globally. But I have not seen any traffic being inspected through the included protocols defined under the policy map. All configuration seems to be OK to me.
service-policy global_policy global
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0
[code]....
Mar 27, 2012
I can no longer SSH to a primary active firewall. It all of a sudden stopped working. However, I am able to SSH to the secondary standby firewall without any problems. I did try to regenerate the RSA key on the primary FW, but I am still unable to connect. The only way I can connect to it is by using telnet.
I ran the "show asp table socket" command and I'm seeing port 22 listening on the primary IP address (not the standby); the foreign address is 0.0.0.0:*. I did a packet capture on port 22 on the inside, seeing my request hit the FW and then right away a reset back from the FW.
version 8.2(5)
model ASA5520
Am I hitting a bug in the software version I'm running? Or what else can I check before rebooting the primary FW?
May 17, 2013
Internet is working with the client except for the Gmail account using Outlook 2010.
Oct 21, 2012
I have an ASA5520 with mobile VPN IPsec. The "splitTunnelAcl" set on the group is not working.
May 15, 2012
I have a Cisco ASA5520 that I have set up to allow a GRE tunnel through from a router at site B. This all works fine when I use the NAT below with the associated router object on the inside:
object network SWTEST
 nat (inside,outside) static interface
My problem is that this kills off my Clientless VPN connection to the same firewall. I changed my NAT to point at another of my statically assigned IP addresses, and then nothing works. Can anyone help with what I've done wrong, or what I should do? My rule base allows any GRE in from the source, and the rules all look fine.
May 31, 2011
Our firewall expert has gone off on long term illness leave and I am trying to pick up the pieces :-(
We have an ASA 5520 (local office) talking to another ASA (remote office) via a VPN Tunnel.
My 1st problem is that I cannot ping from my inside network (local) to the outside interface of my remote ASA.
My 2nd is that I have debug enabled on my rules but am not logging anything.
Aug 30, 2012
We have LMS 4.1. It was working perfectly for some time; it was rebooted and now the services don't start correctly. I manually started most of the services, but the Daemon service will not start.
The main page comes up and after I log in, all the sections list an error:
'License Server / Deamon Manager is down. Please check license.log for more information'.
Feb 6, 2012
I have a Dell Desktop Studio running Windows Vista Home Premium 64-bit SP2. Since I got my PC new, almost 3 years ago, I have regularly gotten a Windows error "Advanced Networking Services stopped working." Windows never finds a solution when I click on that option. I've always ignored the message because I do no networking, but now I want to set up a wireless network so I can stream to my TV.
Feb 17, 2010
I'm trying to set up the SSL VPN portal. When I connect via HTTPS to the ASA5520 outside interface I get the login prompt, and after successful login it takes me directly to the AnyConnect client download (starts AnyConnect immediately), even though the group policy is configured to not prompt the user to choose the post-login action and the post-login action is set to go to the Clientless SSL VPN Portal?
Mar 8, 2011
As we are all aware, ASA 8.3 has quite some changes in terms of configuration method.
I would like to know if it is possible to use the PIX to ASA conversion tool for 8.3 purposes.
Feb 12, 2013
I have an old ASA with an 8.0 configuration that includes a huge number of ACLs, NAT rules and VPNs. We got a new ASA with 8.6, and we are planning to move the configuration to the new box. I'm wondering what the best approach is to do this; I'm thinking of one of the following scenarios:
1- Downgrade the new ASA to 8.3, then apply the config, remove the identity NAT commands and names, then upgrade to 8.6 and after that reconfigure the NAT rules and object groups.
2- Convert the old config manually to 8.6 code, including NAT, object-groups and ACLs, and apply it to the new ASA (this is going to be a huge task).
What are the commands that I have to look at when I convert to 8.6, and will the VPN configuration be affected?
May 28, 2012
I have a PIX 515 with version 8.0(3). We bought an ASA 5525-X to replace the PIX.
The question is, what is the best method to migrate the configuration? Manually?
What is the best version for the 5525-X? 8.6.1?
May 26, 2013
We noticed that Cisco Secure Desktop / Hostscan is not working with Internet Explorer 10 on Windows 7/Windows 8.
As described here, the SSL VPN is/should be working, but there is no documentation about Cisco Secure Desktop / Hostscan. url... It's a Cisco ASA5520 with the latest release.
- ASA Version 9.1(2)
- ASDM 7.1(3)
- Cisco Secure Desktop csd_3.6.6249-k9.pkg
- Hostscan hostscan_3.1.03104-k9.pkg
Oct 25, 2012
I was trying to upgrade an ASA from 8.2.4 to 8.4.4, and I began receiving the following migration errors (the IP addresses have been changed to protect the innocent):
ERROR: MIGRATION: The following ACE is partially/not migrated to Real IP, as it could result in more permissive policy. Please manually migrate this ACE. permit esp host 1.1.1.1 host 2.2.2.2
I got a TON of these; in fact the migration, and these errors, ran for over 24 hours before I gave up, power-cycled the unit and forced 8.2.4 to boot through ROMMON. This was a secondary unit, that's why I let it go this long.
What I don't understand is that we do not have anything in the configuration for ESP.
Oct 3, 2012
I don't seem to be able to find a migration utility for PIX release 8.0.4 to ASA 8.6. Is there one available? It will save a lot of time.
Aug 26, 2012
Looking at migrating from the following:
PIX-515E
PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51
to
ASA5515
Cisco Adaptive Security Appliance Software Version 8.6(1)
Device Manager Version 6.6(1)
Is this migration directly supported, or do I need to downgrade first?
Jan 23, 2013
I have an ASA-AC-M-5520; can we migrate the license to ASA-AC-M-5585?
Sep 24, 2012
I'm testing upgrading an ASA from 8.2.5 to 8.4.4. During the upgrade, it changed all of my ACL host entries to objects. But I noticed that the keyword "host" is still a valid option when creating an ACL.
I'm trying to understand why this change is made during the migration.
Apr 23, 2013
I am about to carry out a migration from an ASA 5550 to an ASA 5555-X; however, I cannot find any detailed document or reliable tool for this migration.
Dec 18, 2012
We're migrating as mentioned in the subject, and this new format is quite a departure from previous IOS versions, so I thought I'd post the configs of the PIX and the ASA and ask if someone is willing to compare them and verify that it is correct and should be basically plug and play. The xxx.xxx.xxx are outside IP addresses and the yyy.yyy.yyy are inside addresses.
Existing PIX config
PIX Version 6.3(4)
interface ethernet0 100full
[Code]......
Jan 15, 2013
I have configured remote access VPN to a Cisco ASA 5520. The Cisco VPN client is connecting fine and both phases are coming up, but IPsec phase packets are not encapsulating, and I'm not able to reach the remote subnets 192.168.10.0 and 192.168.180.0. [code]
Jan 22, 2013
Customer has an ASA5540 at their main location and needs a new ASA5500 for a DR site.
Can I simply take a config file from an ASA5540 and easily drop it on an ASA5545-X or whatever?
They are going to be using it as a VPN concentrator primarily.
Or are there going to be issues since the 5540 is running 8.4(5) and the 5545-X? Or if they upgrade to 9.0(1) or higher, then they should be the same?
Nov 26, 2012
My company (in healthcare) is going to be changing ISPs for our internet connectivity, and with this change comes a new external IP block. So I need a scheme to migrate all of my existing VPN tunnels and other items over to new IP addresses. We do have an external router on which I plan on doing a route-map to handle which ISP the traffic should go to based on IP. My big concern is the ASA 5510. Can I set up a second outside interface on the new IP range? Then migrate my VPN tunnels over one by one? A drop-dead cutover date is just not possible with all of the external companies that I have to contact to get VPN tunnels updated. If it's not possible, we have in our budget to get another 5510 next year as a redundant unit. I may be able to get that early and just migrate from one firewall to another.
Mar 23, 2011
In the ASA Migration Guide for Version 8.3 it says about real IP addresses: "All of the access-list commands used for these features are automatically migrated unless otherwise noted"
But my ACLs have not been migrated to real IP addresses. In my migration log:
INFO: NAT migration completed. Real IP migration logs: No ACL was changed as part of Real-ip migration
Why? So, do I have to migrate them manually?
Feb 22, 2012
When I migrated the ASA config from 8.2 to 8.3, in all groups the group members have been replaced by the IP address object. However, the "name" for this object has been migrated, but the "object network name" configuration is missing.
What I can do now is open the newly created object in the ASDM, search for the object with this IP address and then enter the object name I had before. When I apply the config, ASDM then creates the object and replaces all affected objects in all groups, by replacing the object group member "network-object host hostname" with "network-object object hostname".
Do you know if there exists an automated way, which checks all the groups for members "network-object host", creates the "object network" and replaces the "network-object host" with "network-object object" within the group? Since we have a lot of groups, some of which contain > 50 members?
Jul 8, 2012
We currently have redundant FWSMs and are planning a migration to standalone ASA 5500 series firewalls. However, we have a complete VMware environment and are looking at the Nexus 1000V. I understand the Nexus 1000V and VSG architecture and implementation, and I do understand that the ASA 1000V is designed for cloud environments. But I do have one question about the ASA 1000V.
Is it possible for an ASA 5500 series firewall to be replaced by an ASA 1000V? Basically, can an ASA 1000V be a sole firewall solution, or are ASA 5500's still needed? Is there a datasheet anywhere that compares the ASA 1000V and ASA 5500 series?
Apr 24, 2011
I have just upgraded an ASA5510 from 8.2 to 8.3 using the migration tool. All seemed to go well; I am still double-checking the config as this is a bench test of the upgrade prior to field upgrades.
Anyway, one thing that is slightly frustrating is that the migration has expanded all of my access-lists, so where we maybe had 10 lines of config relating to access-lists based on access-groups, now we have hundreds of lines. On ASDM this is bad enough, but on the CLI with show run it's a bit of a bind.
Is there any way to un-expand the access list, or do I simply delete and start again using my access groups?