TechChad
asked on
PIX to ASA migration
Hello all,
I'm currently in the process of migrating our PIX 506e to a new ASA 5510 (Version 8.4(3)). Everything looks to be configured right; however, when we transfer all traffic through the ASA none of the ACL rules work. We host a few different public-facing servers, as well as our company's long distance that goes through a SIP gateway. It's a bit hard to test new configurations since they have to be done really early in the morning for least impact to business functionality. I'm just not missing, especially since the Packet Trace utility says everything is working.
Here's a snippet of the config:
!
interface Ethernet0/0
nameif outside
security-level 0
ip address AAA.AAA.AAA.AAA 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.32.1 255.255.0.0
!
interface Ethernet0/2
shutdown
nameif DSLFailOver
security-level 0
ip address ZZZ.ZZZ.ZZZ.ZZZ 255.255.255.248
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.10 255.255.255.0
management-only
!
access-list 100 extended permit icmp any any
access-list 100 extended permit tcp any host 10.1.1.70 eq www
access-list 100 extended permit tcp any host 10.1.1.70 eq https
access-list 100 extended permit tcp any host 10.1.1.70 eq pop3
access-list 100 extended permit tcp any host 10.1.1.70 eq imap4
access-list 100 extended permit tcp any host 10.1.1.4 eq www
access-list 100 extended permit object-group TCPUDP any host 10.1.1.160 object-group OpenCourse
access-list 100 extended permit tcp any host 10.1.83.111 eq ssh
access-list 100 extended permit tcp any host 10.1.83.111 object-group 8080
access-list 100 extended permit tcp any host 10.1.83.111 eq www
access-list 100 extended permit udp any host 10.1.83.111 eq sip
access-list 100 extended permit tcp any host 10.1.1.63 eq https
access-list 100 extended permit tcp any host 10.1.1.63 eq www
access-list 100 extended permit tcp any host 10.1.1.63 eq ssh
access-list 100 extended permit tcp any host 10.1.1.63 eq ftp
access-list 100 extended permit tcp any host 10.1.32.4 eq smtp
access-list 100 extended permit tcp any host 10.1.32.4 eq ssh
object network obj-10.1.1.4
nat (inside,outside) static BBB.BBB.BBB.BBB
object network obj-10.1.83.111
nat (inside,outside) static CCC.CCC.CCC.CCC
object network obj-10.1.1.63
nat (inside,outside) static DDD.DDD.DDD.DDD
object network obj-10.1.32.4
nat (inside,outside) static EEE.EEE.EEE.EEE
object network obj-10.1.1.160
nat (inside,outside) static FFF.FFF.FFF.FFF
object network obj-10.1.1.70
nat (inside,outside) static GGG.GGG.GGG.GGG
object network BAJA-PAT
nat (inside,DSLFailOver) dynamic interface
object network RELIANCE-PAT
nat (inside,outside) dynamic interface
access-group 100 in interface outside
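A consistency check a reviewer could run over a snippet like the one above, as an added example that is not from the thread or from Cisco: it parses 8.4-style access-list and object network lines and reports ACL host destinations (real, untranslated addresses on 8.3+) with no network object carrying a static NAT, and objects that have a nat line but no host/subnet/range definition. The embedded config is a constructed abbreviation of the question's snippet, keeping the poster's placeholder public addresses.

```python
# Constructed sample based on the 8.4 snippet in the question (public addresses are
# the poster's placeholders): obj-10.1.83.111 has no "host" line and 10.1.1.63 has
# no object at all, so the audit has something to report.
SAMPLE_CONFIG = """\
access-list 100 extended permit tcp any host 10.1.1.4 eq www
access-list 100 extended permit tcp any host 10.1.83.111 object-group 8080
access-list 100 extended permit udp any host 10.1.83.111 eq sip
access-list 100 extended permit tcp any host 10.1.1.63 eq ssh
object network obj-10.1.1.4
 host 10.1.1.4
 nat (inside,outside) static BBB.BBB.BBB.BBB
object network obj-10.1.83.111
 nat (inside,outside) static CCC.CCC.CCC.CCC
access-group 100 in interface outside
"""

def _addr(tok, i):
    """Consume one ASA address operand: any | host X | object(-group) X | net mask."""
    if tok[i] in ("any", "any4", "any6"):
        return tok[i], i + 1
    return f"{tok[i]} {tok[i + 1]}", i + 2

def parse(config):
    """Return (ACL entries as (name, proto, src, dst), network objects by name)."""
    acls, objects, cur = [], {}, None
    for tok in (line.split() for line in config.splitlines() if line.strip()):
        if tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            i = 6 if tok[4] in ("object", "object-group") else 5  # service object?
            src, j = _addr(tok, i)
            dst, _ = _addr(tok, j)
            acls.append((tok[1], " ".join(tok[4:i]), src, dst))
        elif tok[:2] == ["object", "network"]:
            cur = objects.setdefault(tok[2], {})
        elif cur is not None and tok[0] in ("host", "subnet", "range", "nat"):
            cur[tok[0]] = " ".join(tok[1:])  # works whether or not lines are indented
        else:
            cur = None  # any other top-level command ends the object block
    return acls, objects

def audit(config):
    """Report nat lines on objects that define no address, and ACL host
    destinations (real, untranslated IPs in 8.3+) with no static NAT object."""
    acls, objects = parse(config)
    static_hosts = {o["host"] for o in objects.values()
                    if "host" in o and " static " in o.get("nat", "")}
    findings = [f"object {n}: nat without host/subnet/range" for n, o in objects.items()
                if "nat" in o and not o.keys() & {"host", "subnet", "range"}]
    for ip in dict.fromkeys(d.split()[1] for *_, d in acls if d.startswith("host ")):
        if ip not in static_hosts:
            findings.append(f"acl host {ip}: no network object with a static NAT")
    return findings
```

Run `audit()` over the full running config (`show running-config` output pasted into a file) before a cutover; an empty list means every public-facing host in the outside ACL has a matching static translation.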
Anything showing in the logs of the ASA?
ASKER
Apologies for the ignorance; which logs are you referring to?
No apologies needed :-)
I assume you're using ASDM. There's a logging option you can use to monitor what's happening almost real time. I'm using my phone right now so I can't point you to it exactly.
ASKER CERTIFIED SOLUTION
ASKER
Cisco support assisted with finding the solution.