Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

PIX to ASA migration

Posted on 2012-03-23
5
Medium Priority
?
489 Views
Last Modified: 2012-04-16
Hello all,

I'm currently in the process of migrating our PIX 506e to a new ASA 5510 (Version 8.4(3)).  Everything looks to be configured right, however when we transfer all traffic through the ASA none of the ACL Rules work.  We host about a few different public facing servers, as well as our company's long distance that goes through a SIP gateway.  It's a bit hard to test new configurations since they have to be done really early in the morning for least impact to business functionality.  I'm just not missing, especially since the Packet Trace utility says everything is working.

Here's a snippet of the config:

!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address AAA.AAA.AAA.AAA 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.32.1 255.255.0.0
!
interface Ethernet0/2
 shutdown
 nameif DSLFailOver
 security-level 0
 ip address ZZZ.ZZZ.ZZZ.ZZZ 255.255.255.248
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.10 255.255.255.0
 management-only
!


access-list 100 extended permit icmp any any
access-list 100 extended permit tcp any host 10.1.1.70 eq www
access-list 100 extended permit tcp any host 10.1.1.70 eq https
access-list 100 extended permit tcp any host 10.1.1.70 eq pop3
access-list 100 extended permit tcp any host 10.1.1.70 eq imap4
access-list 100 extended permit tcp any host 10.1.1.4 eq www
access-list 100 extended permit object-group TCPUDP any host 10.1.1.160 object-group OpenCourse
access-list 100 extended permit tcp any host 10.1.83.111 eq ssh
access-list 100 extended permit tcp any host 10.1.83.111 object-group 8080
access-list 100 extended permit tcp any host 10.1.83.111 eq www
access-list 100 extended permit udp any host 10.1.83.111 eq sip
access-list 100 extended permit tcp any host 10.1.1.63 eq https
access-list 100 extended permit tcp any host 10.1.1.63 eq www
access-list 100 extended permit tcp any host 10.1.1.63 eq ssh
access-list 100 extended permit tcp any host 10.1.1.63 eq ftp
access-list 100 extended permit tcp any host 10.1.32.4 eq smtp
access-list 100 extended permit tcp any host 10.1.32.4 eq ssh

object network obj-10.1.1.4
 nat (inside,outside) static BBB.BBB.BBB.BBB
object network obj-10.1.83.111
 nat (inside,outside) static CCC.CCC.CCC.CCC
object network obj-10.1.1.63
 nat (inside,outside) static DDD.DDD.DDD.DDD
object network obj-10.1.32.4
 nat (inside,outside) static EEE.EEE.EEE.EEE
object network obj-10.1.1.160
 nat (inside,outside) static FFF.FFF.FFF.FFF
object network obj-10.1.1.70
 nat (inside,outside) static GGG.GGG.GGG.GGG
object network BAJA-PAT
 nat (inside,DSLFailOver) dynamic interface
object network RELIANCE-PAT
 nat (inside,outside) dynamic interface

access-group 100 in interface outside
0
Comment
Question by:TechChad
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37777355
Anything showing in the logs of the ASA?
0
 

Author Comment

by:TechChad
ID: 37778646
Appologies for the ignorance which logs are you reffering to?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37778754
No apologies needed :-)

I assume you're using ASDM. There's a logging option you can use to monitor what's happening almost real time. I'm using my phone right now so I can't point you to it exactly.
0
 

Accepted Solution

by:
TechChad earned 0 total points
ID: 37833337
After widdling it down with Cisco support it appears to be an issue with our ISP and their ARP tables being statically assigned to the devices.  After they put the MAC of the new ASA into their ARP tables.  All was well...thank you all for your help!
0
 

Author Closing Comment

by:TechChad
ID: 37850326
Cisco support assisted with finding the solution.
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Suggested Courses

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question