
Convert 515E Config to ASA 5510

I need help with converting the config of a 515E to a new ASA5510.

The ASA has the latest OS and PDM.

Here is the output from the sh version on the 515E...

Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 19-Mar-03 11:49 by morlee

system up 1 min 30 secs

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 000e.833e.efaf, irq 10
1: ethernet1: address is 000e.833e.efb0, irq 11
Licensed Features:
Failover:           Enabled
VPN-DES:            Enabled
VPN-3DES-AES:       Disabled
Maximum Interfaces: 6
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: 807463861 (0x3020ebb5)
Running Activation Key:
Configuration last modified by  at 23:28:16.000 MST Wed Feb 6 2036

...with a running config of....
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname domain
domain-name domain.com
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.96 255.255.255.224

access-list outside_cryptomap_dyn_20 deny ip any 192.168.1.96 255.255.255.224
access-list outside_access_in permit tcp any host 199.x.133.187 eq 3389
access-list outside_access_in permit tcp any host 199.x.133.186 eq telnet
access-list outside_access_in permit tcp any host 199.x.133.188 eq 3389
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 199.x.133.186 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool WendysVPN-IP 192.168.1.99-192.168.1.124
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location ip 255.255.255.0 outside
pdm location ip 255.255.255.255 outside
pdm location 192.168.1.10 255.255.255.255 inside
pdm location 199.x.133.187 255.255.255.255 outside
pdm location 192.168.1.20 255.255.255.255 inside
pdm location 192.168.1.10 255.255.255.255 outside
pdm location 199.x.133.187 255.255.255.255 inside
pdm location 192.168.1.39 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 199.x.133.187 192.168.1.10 netmask 255.255.255.255 0 0

static (inside,outside) 199.x.133.188 192.168.1.39 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 199.x.133.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http ip 255.255.255.0 outside
http ip 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup domainVPN address-pool domainVPN-IP
vpngroup domainVPN dns-server 192.168.1.10
vpngroup domainVPN wins-server 192.168.1.10
vpngroup domainVPN default-domain domain.com
vpngroup domainVPN idle-time 1800
vpngroup domainVPN password ********
telnet ip  outside
telnet  ip outside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh ip outside
ssh ip  outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP client configuration address local domainVPN-IP
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.10
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.1.10
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username eitg password *********
vpdn username fred password *********
vpdn username administrator password *********
vpdn enable outside
username
terminal width 80
Cryptochecksum:ebf01b5b4e422c4f2f42b591f26c7ba
: end

I tried copying portions of the config to the new device with the new port names; no love.

Thanks in advance,

Asked by cyberlew

1 Solution

stressedout2004 commented:
To start off, ASA does not support PPTP. Other than that, the rest of the configuration is supported.
I would recommend copying the config block by block so it is easier to trace in case of any syntax error.
If you are using a gigabit interface, then just replace the interface setting accordingly (as far as I know
the 5510 only has 10/100 interfaces). Also don't forget to replace the pre-shared key value with the value
of the vpngroup password. The fixup protocol is migrated by default to IP inspect so there's no need
to transfer them. For HTTP access, do you have the ASDM already installed?

Here are the commands you need:

Block1:

interface ethernet0/0
nameif outside
security-level 0
ip address 199.x.133.186 255.255.255.248
no shutdown

Block2:

interface ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown

Block3:

route outside 0.0.0.0 0.0.0.0 199.x.133.185
icmp deny any outside
ip verify reverse-path interface outside
ip verify reverse-path interface inside

Block4:

access-list inside_outbound_nat0_acl permit ip any 192.168.1.96 255.255.255.224
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list inside_outbound_nat0_acl

Block5:

static (inside,outside) 199.x.133.187 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 199.x.133.188 192.168.1.39 netmask 255.255.255.255

Block6:

access-list outside_access_in permit tcp any host 199.x.133.187 eq 3389
access-list outside_access_in permit tcp any host 199.x.133.186 eq telnet
access-list outside_access_in permit tcp any host 199.x.133.188 eq 3389
access-group outside_access_in in interface outside

Block7:

isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Block8:

ip local pool WendysVPN-IP 192.168.1.99-192.168.1.124
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
username <username> password <password>

Block9:

group-policy remoteclient internal
group-policy remoteclient attributes
 wins-server 192.168.1.10
 dns-server 192.168.1.10
 default-domain domain.com
 vpn-idle-timeout 30

Block10:

tunnel-group domainVPN type ipsec-ra

tunnel-group domainVPN general-attributes
 address-pool WendysVPN-IP
 default-group-policy remoteclient

tunnel-group testgroup ipsec-attributes
pre-shared-key "your vpngroup password"

Block11:

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
sysopt connection permit-ipsec


Block12:

telnet 192.168.0.0 255.255.255.0 inside
ssh 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside



stressedout2004 commented:
Forgot these commands:

hostname domain
domain-name domain.com
crypto key generate rsa modulus 1024
http server enable



cyberlew (Author) commented:
..."The fixup protocol is migrated by default to IP inspect so there's no need to transfer them. For HTTP access, do you have the ASDM already installed?"

Can you explain the above a little clearer? How does the fixup get migrated? And "for HTTP access"?

The unit is sitting on my desk at the office. After I make the changes and fix any errors I will take the system to the client site.
stressedout2004 commented:
ASA by default has a "Default Global Policy" at the bottom part of its configuration (equivalent to fixup on PIX 6.3). It is enabled by default; it can either be altered or disabled if you prefer to make your own. Below is the default policy:

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global

As you can see, most of the protocols you have on fixup are there with the exception of http, ils, rtsp and sip. If you need those protocols, you can just add them to your configuration by entering the following commands (my bad, I thought all of the protocols you have enabled on fixup were enabled by default on the ASA. Apparently not all of them):

policy-map global_policy
 class inspection_default
  inspect http
  inspect ils
  inspect rtsp
  inspect sip

Now for the HTTP access, I was asking you whether you have the ASDM already installed, which is what the new GUI is called for ASA and PIX 7.x (PDM is for the PIX 6.x). I missed that you already mentioned that the ASA has the latest OS and PDM. [my bad again : )]




cyberlew (Author) commented:
Cool, I'm swamped today but will get the config on the unit tomorrow.
cyberlew (Author) commented:
Here is the output from pasting the config to the 5510 Security Plus. Take a look at the errors and let me know if they need to be addressed.

ciscoasa(config-if)#
ciscoasa(config-if)# interface ethernet0/3
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 199.227.133.186 255.255.255.248
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)#

ciscoasa(config-if)#
ciscoasa(config-if)# interface ethernet0/1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 199.227.133.185
ciscoasa(config)# icmp deny any outside
ciscoasa(config)# ip verify reverse-path interface outside
ciscoasa(config)# ip verify reverse-path interface inside
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# access-list inside_outbound_nat0_acl permit ip any 192.168.1$
ciscoasa(config)# global (outside) 10 interface
INFO: outside interface address added to PAT pool
ciscoasa(config)# nat (inside) 10 0.0.0.0 0.0.0.0 0 0
ciscoasa(config)# nat (inside) 0 access-list inside_outbound_nat0_acl
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# static (inside,outside) 199.227.133.187 192.168.1.10 netmask$
ciscoasa(config)# static (inside,outside) 199.227.133.188 192.168.1.39 netmask$
ciscoasa(config)#

ciscoasa(config)# access-list outside_access_in permit tcp any host 199.227.13$
ciscoasa(config)# access-list outside_access_in permit tcp any host 199.227.13$
ciscoasa(config)# access-list outside_access_in permit tcp any host 199.227.13$
ciscoasa(config)# access-group outside_access_in in interface outside
ciscoasa(config)#
ciscoasa(config)# isakmp enable outside
ciscoasa(config)# isakmp policy 20 authentication pre-share
ciscoasa(config)# isakmp policy 20 encryption des
ciscoasa(config)# isakmp policy 20 hash md5
ciscoasa(config)# isakmp policy 20 group 2
ciscoasa(config)# isakmp policy 20 lifetime 86400
ciscoasa(config)#
ciscoasa(config)# ip local pool wenVPN-IP 192.168.1.99-192.168.1.124
ciscoasa(config)# crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
ciscoasa(config)# username windy password zehc67nas
ciscoasa(config)#
ciscoasa(config)# group-policy remoteclient internal
ciscoasa(config)# group-policy remoteclient attributes
ciscoasa(config-group-policy)#  wins-server 192.168.1.10
                                            ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-group-policy)#  dns-server 192.168.1.10
                                           ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-group-policy)#  default-domain wen.com
                                               ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-group-policy)#  vpn-idle-timeout 30
ciscoasa(config-group-policy)#
ciscoasa(config-group-policy)#
ciscoasa(config-group-policy)# tunnel-group wenVPN type ipsec-ra
ciscoasa(config)#
ciscoasa(config)# tunnel-group wenVPN general-attributes
ciscoasa(config-general)#  address-pool wenVPN-IP
ciscoasa(config-general)#  default-group-policy remoteclient
ciscoasa(config-general)#
ciscoasa(config-general)# tunnel-group testgroup ipsec-attributes
                                                 ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-general)# pre-shared-key letmein
                             ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-general)# exit
ciscoasa(config)#
ciscoasa(config)# group-policy remoteclient internal
ERROR: Group Policy remoteclient already exists.
ERROR: Failed to add group-policy remoteclient
ciscoasa(config)# group-policy remoteclient attributes
ciscoasa(config-group-policy)#  wins-server 192.168.1.10
                                            ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-group-policy)#  dns-server 192.168.1.10
                                           ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-group-policy)#  default-domain wen.com
                                               ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-group-policy)#  vpn-idle-timeout 30
ciscoasa(config-group-policy)# exit
ciscoasa(config)# tunnel-group wenVPN type ipsec-ra
                                      ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)#
ciscoasa(config)# tunnel-group wenVPN general-attributes
ciscoasa(config-general)#  address-pool wenVPN-IP
ERROR: Duplicate address-pool wenVPN-IP
ciscoasa(config-general)#  default-group-policy remoteclient
ciscoasa(config-general)#
ciscoasa(config-general)# tunnel-group testgroup ipsec-attributes
                                                 ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-general)# pre-shared-key letmein
                             ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-general)# exit
ciscoasa(config)# crypto dynamic-map outside_dyn_map 20 set transform-set ESP-$
ciscoasa(config)# crypto map outside_map 65535 ipsec-isakmp dynamic outside_dy$
ciscoasa(config)# crypto map outside_map interface outside
ciscoasa(config)# sysopt connection permit-ipsec
ciscoasa(config)# telnet 192.168.0.0 255.255.255.0 inside
ciscoasa(config)# ssh 192.168.0.0 255.255.255.0 inside
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside
ciscoasa(config)# hostname wen
wen(config)# domain-name wen.com
wen(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
wen(config)# http server enable
wen(config)#
wen(config)# policy-map global_policy
wen(config-pmap)#  class inspection_default
ERROR: % class-map inspection_default not configured
wen(config-pmap)#   inspect http
                      ^
ERROR: % Invalid input detected at '^' marker.
wen(config-pmap)#   inspect ils
                      ^
ERROR: % Invalid input detected at '^' marker.
wen(config-pmap)#   inspect rtsp
                      ^
ERROR: % Invalid input detected at '^' marker.
wen(config-pmap)#   inspect sip
                      ^
ERROR: % Invalid input detected at '^' marker.
wen(config-pmap)# exit
wen(config)# policy-map global_policy
wen(config-pmap)#  class inspection_default
ERROR: % class-map inspection_default not configured
wen(config-pmap)#   inspect http
                      ^
ERROR: % Invalid input detected at '^' marker.
wen(config-pmap)#   inspect ils
                      ^
ERROR: % Invalid input detected at '^' marker.
wen(config-pmap)#   inspect rtsp
                      ^
ERROR: % Invalid input detected at '^' marker.
wen(config-pmap)#   inspect sip
                      ^
ERROR: % Invalid input detected at '^' marker.

cyberlew (Author) commented:
Here is the new config on the 5510...
:
ASA Version 7.0(4)
!
hostname wen
domain-name wen.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address 199.227.133.186 255.255.255.248
!
interface Management0/0
 nameif mana
 security-level 0
 ip address 10.1.1.1 255.0.0.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list inside_outbound_nat0_acl extended permit ip any 192.168.1.96 255.255.255.224
access-list outside_access_in extended permit tcp any host 199.227.133.187 eq 3389
access-list outside_access_in extended permit tcp any host 199.227.133.186 eq telnet
access-list outside_access_in extended permit tcp any host 199.227.133.188 eq 3389
pager lines 24
mtu inside 1500
mtu outside 1500
mtu mana 1500
ip local pool wenVPN-IP 192.168.1.99-192.168.1.124
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp deny any outside
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) 199.227.133.187 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 199.227.133.188 192.168.1.39 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 199.227.133.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remoteclient internal
group-policy remoteclient attributes
 vpn-idle-timeout 30
 webvpn
username windy password JD.3qVNfdCGS9hUz encrypted
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group wenVPN type ipsec-ra
tunnel-group wenVPN general-attributes
 address-pool wenVPN-IP
 default-group-policy remoteclient
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
policy-map global_policy
!
stressedout2004 commented:
Add the following commands:

tunnel-group wenVPN ipsec-attributes
pre-shared-key letmein
exit


group-policy remoteclient attributes
wins-server value 192.168.1.10
dns-server value 192.168.1.10
default-domain value wen.com
exit


class-map inspection_default
match default-inspection-traffic
exit

policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect rtsp
exit

service-policy global_policy global
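As an added example (not code from this thread), here is a small Python script that mechanises the migrations the replies above describe: nameif/ip address lines into interface sub-mode, fixup protocol into the global inspection policy, vpngroup into a group-policy (with the 'value' keyword) plus a tunnel-group whose pre-shared key is the old vpngroup password, idle-time seconds into vpn-idle-timeout minutes, and vpdn/PPTP lines dropped with a warning. The sample PIX excerpt, the Ethernet0/0 and Ethernet0/1 mapping and the placeholder pre-shared key are constructed, and every sub-mode block ends with exit so the output can be pasted from (config)#.

```python
# Constructed sample PIX 6.3 excerpt (placeholder addresses and pre-shared key).
PIX_SAMPLE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.186 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
fixup protocol ftp 21
fixup protocol http 80
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol smtp 25
ip local pool WendysVPN-IP 192.168.1.99-192.168.1.124
vpngroup domainVPN address-pool WendysVPN-IP
vpngroup domainVPN dns-server 192.168.1.10
vpngroup domainVPN wins-server 192.168.1.10
vpngroup domainVPN default-domain domain.com
vpngroup domainVPN idle-time 1800
vpngroup domainVPN password PSK-PLACEHOLDER
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn enable outside
"""

# Assumed physical mapping (the asker actually cabled outside to Ethernet0/3).
IFMAP = {"ethernet0": "Ethernet0/0", "ethernet1": "Ethernet0/1"}
# PIX fixup names whose ASA inspect keyword is spelled differently.
INSPECT_RENAME = {"smtp": "esmtp"}


def convert(pix_text, ifmap=IFMAP):
    """Return (asa_lines, warnings) for the PIX 6.3 statements this thread migrates."""
    ifaces, inspects, pools, groups, warnings = {}, [], [], {}, []
    for line in pix_text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "nameif" and len(w) == 4:        # nameif ethernet0 outside security0
            ifaces[w[2]] = {"phys": w[1], "level": w[3].replace("security", "")}
        elif w[:2] == ["ip", "address"] and w[2] in ifaces:
            ifaces[w[2]]["addr"] = f"{w[3]} {w[4]}"
        elif w[:2] == ["fixup", "protocol"]:
            proto = INSPECT_RENAME.get(w[2], w[2])
            # h323 keeps its sub-keyword (h225/ras); "sip udp 5060" folds into "sip"
            key = f"{proto} {w[3]}" if proto == "h323" else proto
            if key not in inspects:
                inspects.append(key)
        elif w[:3] == ["ip", "local", "pool"]:
            pools.append(line)                      # same syntax on ASA
        elif w[0] == "vpngroup":
            groups.setdefault(w[1], {})[w[2]] = " ".join(w[3:])
        elif w[0] == "vpdn":
            warnings.append(f"dropped (ASA has no PPTP server): {line}")
    out = []
    # Interface settings move under 'interface' sub-mode; every block ends with
    # 'exit' so the whole output pastes from global (config)# mode.
    for name, i in ifaces.items():
        out += [f"interface {ifmap[i['phys']]}", f" nameif {name}",
                f" security-level {i['level']}", f" ip address {i['addr']}",
                " no shutdown", "exit"]
    out += pools
    for name, g in groups.items():
        # vpngroup splits into group-policy (attributes need the 'value' keyword
        # on ASA 7.x) and tunnel-group (pool, default policy, pre-shared key).
        out += [f"group-policy {name} internal", f"group-policy {name} attributes"]
        for key in ("wins-server", "dns-server", "default-domain"):
            if key in g:
                out.append(f" {key} value {g[key]}")
        if "idle-time" in g:                        # PIX seconds -> ASA minutes
            out.append(f" vpn-idle-timeout {int(g['idle-time']) // 60}")
        out += ["exit", f"tunnel-group {name} type ipsec-ra",
                f"tunnel-group {name} general-attributes"]
        if "address-pool" in g:
            out.append(f" address-pool {g['address-pool']}")
        out += [f" default-group-policy {name}", "exit"]
        if "password" in g:                         # vpngroup password -> PSK
            out += [f"tunnel-group {name} ipsec-attributes",
                    f" pre-shared-key {g['password']}", "exit"]
    if inspects:
        # fixup -> inspect under the global policy; two exits leave class and policy-map
        out += ["class-map inspection_default", " match default-inspection-traffic", "exit",
                "policy-map global_policy", " class inspection_default"]
        out += [f"  inspect {k}" for k in inspects]
        out += ["exit", "exit", "service-policy global_policy global"]
    return out, warnings


if __name__ == "__main__":
    asa, warns = convert(PIX_SAMPLE)
    print("\n".join(asa + ["! " + m for m in warns]))
```

Review the emitted interface names against how the box is actually cabled before pasting; the rest of the output is the ASA 7.x form of each PIX statement as this thread arrived at it.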
stressedout2004 commented:
BTW, you might want to consider upgrading this ASA to the latest code before giving it to your client. 7.0 is a bit flaky.
cyberlew (Author) commented:
Cool, I notice the 'exit' commands, so where I'm at when I paste the commands must be relevant? If so, where should I be when I start? 'config' or 'config T' or just 'enable'?

Yea, I did an 'erase flash' to start fresh, didn't know it was sooo fresh, and alas I only had the old one on the HD. Will update soon.

Thanks,
stressedout2004 commented:
>>>>Cool,  I notice the 'exit' commands, so where I'm at when I paste the commands must be reivent?
Yup, there are certain configuration modes that you have to be in. If you notice, you had a lot of syntax
errors because you weren't in the proper config mode. For instance,

ciscoasa(config)# tunnel-group wenVPN general-attributes
ciscoasa(config-general)#  default-group-policy remoteclient
ciscoasa(config-general)#
ciscoasa(config-general)# tunnel-group testgroup ipsec-attributes
ERROR: % Invalid input detected at '^' marker.

You were under the config mode for general tunnel attributes. So you have to exit out to run the command for the ipsec attributes. Just make sure to start off at config mode (config)# when you do each block of the commands.
cyberlew (Author) commented:
Here is the new config. I don't really care about the VPN access working as of yet, but routing/forwarding must be up when I put it in service. Can you please double check the settings and make any suggestions. I also will ask another question on the forum regarding how to better secure this ASA config, but that will be after it is in place and working.

ASA Version 7.1(2)
!
hostname wen
domain-name wen.com
enable password RNPhCyvDiqPGf encrypted
names
!
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address 199.227.133.186 255.255.255.248
!
interface Management0/0
 nameif mana
 security-level 0
 ip address 10.1.1.1 255.0.0.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name wen.com
access-list inside_outbound_nat0_acl extended permit ip any 192.168.1.96 255.255.255.224
access-list outside_access_in extended permit tcp any host 199.227.133.187 eq 3389
access-list outside_access_in extended permit tcp any host 199.227.133.186 eq telnet
access-list outside_access_in extended permit tcp any host 199.227.133.188 eq 3389
pager lines 24
mtu inside 1500
mtu outside 1500
mtu mana 1500
ip local pool wenVPN-IP 192.168.1.99-192.168.1.124
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp deny any outside
asdm image disk0:/asdm512.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) 199.227.133.187 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 199.227.133.188 192.168.1.39 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 199.227.133.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remoteclient internal
group-policy remoteclient attributes
 wins-server value 192.168.1.10
 dns-server value 192.168.1.10
 vpn-idle-timeout 30
 default-domain value wen.com
username windy password JD.3qVNfdCGS9hUz encrypted
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group wenVPN type ipsec-ra
tunnel-group wenVPN general-attributes
 address-pool wenVPN-IP
 default-group-policy remoteclient
tunnel-group wenVPN ipsec-attributes
 pre-shared-key *
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.100-10.1.1.105 mana
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable mana
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
!
service-policy global_policy global
Cryptochecksum:72567173f7b9b44e406537247f341a9b
: end
stressedout2004 commented:
Ok, the config looks good so far.

BTW, I am not sure what your plans are for this access-list, but if you intend on being able to telnet into the
ASA's outside IP address (199.227.133.186) over clear text then it is not going to work. So this access-list for
now is not doing anything.

access-list outside_access_in extended permit tcp any host 199.227.133.186 eq telnet

When you put this ASA in place of the PIX, do a "clear arp" on or simply reboot the adjacent devices, especially the one that is in front of the PIX.

Also, please take note of your interface assignment: Ethernet0/3 for the outside and Ethernet0/1 for the inside. You are not using the default outside interface, so keep yourself in check on cabling (just a friendly reminder, that's all).

The VPN should work fine, everything is in place.

Good luck.
cyberlew (Author) commented:
How can I remove that access list? And from what prompt?

I had a chance to try it this morning and it did not work. It's between a 3550 and a 2600. I only rebooted the router though. For now they have a little Linksys router in place and it works fine. I will pull the 2600 config today and post it asap.
cyberlew (Author) commented:
Stressedout, I'm going to close this ticket and open a new question posting both configs.

Thanks for all the help