kumo_chan asked:
Network Migration from PIX to ASA

Hello Everyone,

I have a network that I would like to migrate from a PIX to an ASA, as I am planning to get rid of the PIX. In the same move I would like to assign a different IP address to the internal e-mail server of this network. This is not my configuration, so I am also trying to understand it.

I am not really sure if my changes are correct. Could someone give me a clue whether what I am doing is the same from PIX to ASA?

What I have on the Pix is the following:

PIX

object-group network network_inside
  description Inside Networks Secured by this firewall
  ! Network Users (INSIDE)
  network-object 192.168.50.0 255.255.255.0
  ! Link to Main Office
  network-object 192.168.200.0 255.255.255.0
  ! Network for VPN Users
  network-object 192.168.49.0 255.255.255.0

object-group network hosts_inet_smtp_in
  description DMZ Host group that any internet host can access via SMTP
  ! <<<<<<< allowing SMTP for client
  network-object host OUTSIDE-IP-FOR_NETWORK

Since I have more than one client behind this PIX, I divide the networks per user:

object-group network USER1
  description User 1 LAN
  network-object 192.168.50.0 255.255.255.0
  network-object 192.168.49.0 255.255.255.0

access-list nonat permit ip object-group network_inside object-group Latrobe_RTR

access-list outside_access_in remark ** ALLOW SMTP TRAFFIC FROM OUTSIDE TO SMTP SERVERS **
access-list outside_access_in permit tcp any object-group hosts_inet_smtp_in eq smtp


access-list LATROBE permit ip object-group network_inside object-group Latrobe_RTR

! <<<<< allowing access from my smtp server to outside
access-list inside-access-out permit tcp host 192.168.50.10 any eq smtp

global (outside) 2 PUBLIC-IP

nat (inside) 2 192.168.50.0 255.255.255.0 0 0


static (inside,outside) tcp PUBLIC-IP  smtp 192.168.50.10 smtp netmask 255.255.255.255 0 0


route inside 192.168.50.0 255.255.255.0 192.168.46.65 1
route inside 192.168.200.0 255.255.255.0 192.168.46.65 1



____________________________________________________________________________________________________________
What I'm planning to configure on the ASA:

object-group network TC-MAIL-SERVERS
  description TASCOM MAIL SERVERS
  ! <<<<<<<<<<<<<<<<<<<< add public IP address to the e-mail servers
  network-object host <name>

object-group network USER1-LAN
 description LATROBE INTERNAL LAN
 network-object 192.168.50.0 255.255.255.0
object-group network USER1-VPN
 description LATROBE VPN CLIENTS
 network-object 192.168.49.0 255.255.255.0

access-list OUTSIDE-IN remark ** ALLOW SMTP TRAFFIC FROM OUTSIDE TO MAIL SERVERS **
access-list OUTSIDE-IN extended permit tcp any object-group TC-MAIL-SERVERS eq smtp

global (OUTSIDE) 8 PUBLIC-IP
nat      (INTERFACE) 8 192.168.50.0 255.255.255.0


static (INTERFACE,OUTSIDE) tcp PUBLIC-IP smtp 192.168.50.10 smtp netmask 255.255.255.255

route INTERFACE 192.168.50.0 255.255.255.0 INSIDE-INTERFACE


END_______________________________________________________________

I have the same firewall for many users, so I am not sure if this will work the way I am thinking.

Could anyone shed some light on whether I am on the right path?

Thanks!!!
max_the_king:

Hi,
The NAT part has changed completely since the 8.3 release, so you need to write it completely differently in your new configuration. You may want to read this article to see the main differences:
https://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/A_11175-Cisco-ASA-PRE-8-3-and-POST-8-3-NAT-Operations.html

As for your different users, please note that
network-object 192.168.50.0 255.255.255.0       Network Users (INSIDE)
already includes up to 254 IP addresses (from 192.168.50.1 to 192.168.50.254).
If you want to introduce different subnets, then you will need to configure VLANs for that.

hope this helps
max
kumo_chan (ASKER):

Hello Max the King,


Thanks for the reply. At the moment I have an ASA with version 8.2, so the good news for now is that I think I don't need to look at that change. However, what is happening is that in this company I will get rid of the PIX first, and then I need to upgrade the ASA version and implement failover.

So could you let me know your view on the current version? Is my post correct, or am I totally lost?

Thanks Again, the help is really appreciated!
Hi,
The main problem would have been NAT, but 8.2 is not much different from the 6.x release.
What you name "INTERFACE" in your new config is really the "inside" interface, which will not change.
As for the rest, you may encounter some deprecated commands, which will be automatically translated by the new operating system of the ASA.
You may as well save your current config to a TFTP server and then import it into the startup configuration of the new ASA and see what happens. Or rather, save the running-config to a text file and rewrite the new configuration from scratch; the latter is what I'd prefer, so that by entering single commands you'll find out which ones are deprecated.

max
Hello Max,

Thanks for that! I will try your second option and let you know how it went.
Just remember, though: if you're changing the public IP mapped to your e-mail servers, you need to update the MX/A records in DNS. If you don't do that, everyone else will continue to forward to your old IP and you won't get any e-mail. Also, I would update your PTR records to ensure that anyone who uses those for spam detection doesn't reject e-mails from you.
Hello Cyclops and Max,

Well, I did my change. I configured this on the ASA and everything worked out except one thing:

They have access to everything as usual, and I changed the DNS records as well, but I can't make the server go out with its own IP (named here as PUBLIC-EMAIL).

I want to separate the traffic of the e-mail server from everything else, but it is going to the internet through the general IP. Nslookup works fine, so I am not sure what I am doing wrong.

name PUBLIC-EMAIL mail.out      
name 192.168.50.10 mail.in

static (INSIDE,OUTSIDE) tcp PUBLIC-EMAIL smtp 192.168.50.10 smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp PUBLIC-EMAIL https 192.168.50.10 https netmask 255.255.255.255

global (OUTSIDE) 8 PUBLIC-EMAIL
global (OUTSIDE) 9 PUBLIC WEB

nat (INSIDE) 8 192.168.50.10 255.255.255.255
nat (INSIDE) 9 192.168.50.0 255.255.255.0


Thanks !
Hi,
If you can, you'd better give the whole IP address to PUBLIC-EMAIL, that is:

static (INSIDE,OUTSIDE) PUBLIC-EMAIL 192.168.50.10 netmask 255.255.255.255

But before doing that, you must cancel the following:

no static (INSIDE,OUTSIDE) tcp PUBLIC-EMAIL smtp 192.168.50.10 smtp netmask 255.255.255.255
no static (INSIDE,OUTSIDE) tcp PUBLIC-EMAIL https 192.168.50.10 https netmask 255.255.255.255

no global (OUTSIDE) 8 PUBLIC-EMAIL
no global (OUTSIDE) 9 PUBLIC WEB

no nat (INSIDE) 8 192.168.50.10 255.255.255.255
no nat (INSIDE) 9 192.168.50.0 255.255.255.0

After this, do not forget to type:
clear xlate

hope this helps
max
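As an added example, not posted by anyone in this thread: the one-to-one static Max suggests, written out together with the other pieces an ASA 8.2 needs for the mail server to answer on, and send from, its own public address, followed by the same mapping in the 8.3+ object NAT syntax that the planned upgrade will require. The addresses (203.0.113.10 for PUBLIC-EMAIL, 203.0.113.11 for PUBLIC-WEB, 198.51.100.25 as a remote mail host) and the object names MAIL-IN and LAN-USERS are made up for illustration; the interface names INSIDE and OUTSIDE are the ones used in the thread.

```cisco
! Added example, not from the thread. Addresses are made up (RFC 5737 ranges).
! --- ASA 8.2 (pre-8.3 NAT syntax) ---
names
name 203.0.113.10 PUBLIC-EMAIL
name 203.0.113.11 PUBLIC-WEB
name 192.168.50.10 MAIL-IN

! One-to-one static for the mail server. A static is evaluated before any
! dynamic nat/global pair, so it fixes both directions: inbound SMTP/HTTPS to
! PUBLIC-EMAIL and outbound connections sourced by MAIL-IN.
static (INSIDE,OUTSIDE) PUBLIC-EMAIL MAIL-IN netmask 255.255.255.255

! Everyone else on the LAN is PATed behind PUBLIC-WEB. No separate nat/global
! pair for the mail host is needed once the static exists.
global (OUTSIDE) 9 PUBLIC-WEB
nat (INSIDE) 9 192.168.50.0 255.255.255.0

! The static only maps addresses. Sessions arriving on OUTSIDE are still
! dropped unless the inbound ACL permits them, and pre-8.3 that ACL names the
! mapped (public) address. Permit only the services the host should expose;
! the echo entry is what makes a ping of the public address from outside answer.
access-list OUTSIDE-IN extended permit tcp any host PUBLIC-EMAIL eq smtp
access-list OUTSIDE-IN extended permit tcp any host PUBLIC-EMAIL eq https
access-list OUTSIDE-IN extended permit icmp any host PUBLIC-EMAIL echo
access-group OUTSIDE-IN in interface OUTSIDE

! Existing translations keep the old mapping until they time out; flush them.
clear xlate

! Checks: the first trace should show the static in its NAT phase for an
! outbound connection from the mail host; the second should end in ALLOW.
packet-tracer input INSIDE tcp 192.168.50.10 1025 198.51.100.25 25
packet-tracer input OUTSIDE tcp 198.51.100.25 1025 203.0.113.10 25
show xlate | include 192.168.50.10

! --- ASA 8.3 and later (object NAT), same mapping ---
object network MAIL-IN
 host 192.168.50.10
 nat (INSIDE,OUTSIDE) static 203.0.113.10
! A single mapped address on a dynamic rule makes this dynamic PAT.
object network LAN-USERS
 subnet 192.168.50.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic 203.0.113.11
! From 8.3 the interface ACL references the real address, not the mapped one.
access-list OUTSIDE-IN extended permit tcp any object MAIL-IN eq smtp
access-list OUTSIDE-IN extended permit tcp any object MAIL-IN eq https
access-list OUTSIDE-IN extended permit icmp any object MAIL-IN echo
access-group OUTSIDE-IN in interface OUTSIDE
```

On the 8.2 box the port-specific `static ... tcp ... smtp`/`https` lines and the host-only `nat`/`global` pair for 192.168.50.10 should be removed first, as Max says, since they map the same public address; with the one-to-one static in place, the `nat (INSIDE) 9` line for the whole /24 does not capture the mail host's outbound traffic, because static translations are matched before dynamic ones.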
Hello Max,

Thanks for that, but I can't really make it happen. It is not working as I would like it to.

If I do that, everyone else loses internet, which is not what I would like. I need to identify the e-mail traffic, so I configured two different external IP addresses, one for the e-mail server and one for everyone else. However, the e-mail server always goes out from the other address,

and if I ping the e-mail server's public address from the outside it never replies.


static (INSIDE,OUTSIDE) PUBLIC-EMAIL 192.168.50.10 netmask 255.255.255.255

global (OUTSIDE1) 8 PUBLIC-EMAIL
global (OUTSIDE) 9 PUBLIC WEB

nat (INSIDE1) 8 192.168.50.10 255.255.255.255
nat (INSIDE) 9 192.168.50.0 255.255.255.0


I also updated my DNS records, but the IP still doesn't reply.

Any clue how I can achieve that? I need the server to have its own IP and reply to the outside so I can treat it as a different entity from the rest of the network, but for some reason the other configuration is taking precedence.


Thanks again!, the help is really appreciated!
ASKER CERTIFIED SOLUTION
max_the_king:
I concur with Max. This is the typical way to do what you want to do.
Hello Max and Cyclops,

I just did it again as you said and everything is perfect now!

Thanks!
Really appreciated!