Solved

PIX vs ASA CLI command differences

Posted on 2009-05-04
2
1,355 Views
Last Modified: 2012-08-14
For years, we have used the Cisco PIX FW, with extremely good results. Never had a problem with them.  Now that Cisco is discontinuing this product, we just purchased our first ASA. (5540).

There are many commands that have been drastically changed from the PIX IOS to the ASA IOS.  

One of them is the "sysopt connection permit-pptp" command which is no longer available on the ASA.  Instead the command SEEMS to be "sysopt connection permit-vpn".

If I enter the "sysopt connection permit-vpn" command in the ASA does it allow for Microsoft VPN clients, (including Vista ones), to come in via VPN for authentication?  

I will include the code I would have USUALLY put in to the PIX for supporting MS VPN clients.  If someone could translate that into code for the ASA I would greatly appreciate it.
(PIX code for supporting MS VPN clients)
 
ip local pool ippool 192.168.100.1-192.168.100.254
 
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host <local radius server ip> <pwd> timeout 10
 
 
sysopt connection permit-pptp
 
vpdn group PPTP-GROUP accept dialin pptp
vpdn group PPTP-GROUP ppp authentication pap
vpdn group PPTP-GROUP ppp authentication chap
vpdn group PPTP-GROUP ppp authentication mschap
vpdn group PPTP-GROUP client configuration address local ippool
vpdn group PPTP-GROUP client configuration dns <local DNS server IP>
vpdn group PPTP-GROUP client authentication aaa RADIUS
vpdn group PPTP-GROUP pptp echo 60
vpdn enable outside

Open in new window

0
Comment
Question by:jgrammer42
2 Comments
 
LVL 8

Accepted Solution

by:
akalbfell earned 500 total points
ID: 24305500
Cisco actually makes a PIX to ASA config tool, i have used it once with surprisingly good results. I only had to make a few minor changes on the ASA afterwards...

http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/ciscosecure/pix/PIXtoASAsetup_1_0.exe

you need a CCO account which i am assuming you have :-)
0
 

Author Comment

by:jgrammer42
ID: 24307775
Thanks, akalbfell, I will give that a shot.
0

Featured Post

Active Directory Webinar

We all know we need to protect and secure our privileges, but where to start? Join Experts Exchange and ManageEngine on Tuesday, April 11, 2017 10:00 AM PDT to learn how to track and secure privileged users in Active Directory.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ISP Change 14 63
Juniper VPN for Mac and windows OS 5 52
Home firewall recommendations 11 59
What is an ASP Table on a Cisco ASA? 3 24
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question