
Network Migration from PIX to ASA

Asked by kumo_chan in Software Firewalls
Hello Everyone,

I have a network that I would like to migrate from a Pix to an ASA, as I am planning to get rid of the Pix. In the same move I would like to assign a different IP address for the internal e-mail of this network. This is not my configuration, so I am also trying to understand it.

I am not really sure if my changes are correct. Could someone give me a clue whether what I am doing is the same from Pix to ASA?

What I have on the Pix is the following:

Pix

object-group network network_inside
  description Inside Networks Secured by this firewall
  network-object 192.168.50.0 255.255.255.0       Network Users (INSIDE)
  network-object 192.168.200.0 255.255.255.0      Link to Main Office.
  network-object 192.168.49.0 255.255.255.0       Network for VPN Users

object-group network hosts_inet_smtp_in
  description DMZ Host group that any internet host can access via SMTP <<<<<<< allowing SMTP for client
  network-object host OUTSIDE-IP-FOR_NETWORK

Since I have more than one client through this PIX, I divide the networks per user:

object-group network USER 1
  description User 1 Lan
  network-object 192.168.50.0 255.255.255.0
  network-object 192.168.49.0 255.255.255.0

access-list nonat permit ip object-group network_inside object-group Latrobe_RTR

access-list outside_access_in remark ** ALLOW SMTP TRAFFIC FROM OUTSIDE TO SMTP SERVERS **
access-list outside_access_in permit tcp any object-group hosts_inet_smtp_in eq smtp


access-list LATROBE permit ip object-group network_inside object-group Latrobe_RTR

access-list inside-access-out permit tcp host 192.168.50.10 any eq smtp  <<<<< allowing access from my smtp server to outside

global (outside) 2 PUBLIC-IP

nat (inside) 2 192.168.50.0 255.255.255.0 0 0


static (inside,outside) tcp PUBLIC-IP  smtp 192.168.50.10 smtp netmask 255.255.255.255 0 0


route inside 192.168.50.0 255.255.255.0 192.168.46.65 1
route inside 192.168.200.0 255.255.255.0 192.168.46.65 1



____________________________________________________________________________________________________________
What I'm planning to configure on the ASA:

object-group network TC-MAIL-SERVERS
 description TASCOM MAIL SERVERS  <<<<<<<<<<<<<<<<<<<< add public IP address to the emails servers
 network-object host <name>

object-group network USER1-LAN
 description LATROBE INTERNAL LAN
 network-object 192.168.50.0 255.255.255.0
object-group network USER1-VPN
 description LATROBE VPN CLIENTS
 network-object 192.168.49.0 255.255.255.0

access-list OUTSIDE-IN remark ** ALLOW SMTP TRAFFIC FROM OUTSIDE TO MAIL SERVERS **
access-list OUTSIDE-IN extended permit tcp any object-group TC-MAIL-SERVERS eq smtp

global (OUTSIDE) 8 PUBLIC-IP
nat (INTERFACE) 8 192.168.50.0 255.255.255.0


static (INTERFACE,OUTSIDE) tcp PUBLIC-IP smtp 192.168.50.10 smtp netmask 255.255.255.255

route INTERFACE 192.168.50.0 255.255.255.0 INSIDE-INTERFACE


END_______________________________________________________________

I have the same firewall for many users so I am not sure if this will work as I am thinking.

Could anyone give me some light on whether I am on the right path?

Thanks!!!
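
An added example (not part of the original post and not a Cisco tool): a small Python lint for configs in the `nat`/`global` ID style used above. It reports object-groups that an access-list references but the config never defines, and `nat` IDs with no `global` of the same ID. The sample is constructed from the post's lines, with 203.0.113.10 standing in for PUBLIC-IP and an unmatched `nat ... 8` line added for illustration; `lint` is a hypothetical helper name.

```python
import re

# Constructed sample: trimmed lines from the post, placeholder address, one added orphan nat.
SAMPLE = """\
object-group network network_inside
 network-object 192.168.50.0 255.255.255.0
object-group network hosts_inet_smtp_in
 network-object host 203.0.113.10
access-list nonat permit ip object-group network_inside object-group Latrobe_RTR
access-list outside_access_in permit tcp any object-group hosts_inet_smtp_in eq smtp
global (outside) 2 203.0.113.10
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
nat (inside) 8 192.168.49.0 255.255.255.0
"""

DEF_RE = re.compile(r"^object-group\s+\S+\s+(\S+)")       # object-group <type> <name>
REF_RE = re.compile(r"\bobject-group\s+(\S+)")            # reference inside an ACL line
POOL_RE = re.compile(r"^(nat|global)\s+\((\S+?)\)\s+(\d+)\b")


def lint(config):
    """Return (undefined_groups, nat_ids_without_global) for a nat/global style config."""
    defined, referenced = set(), set()
    nat_ids, global_ids = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object-group "):
            m = DEF_RE.match(line)
            if m:
                defined.add(m.group(1))
        elif line.startswith("access-list "):
            referenced.update(REF_RE.findall(line))
        else:
            m = POOL_RE.match(line)
            if m:
                kind, _iface, pool_id = m.groups()
                # nat ID 0 is NAT exemption and needs no global pool
                if kind == "nat" and pool_id != "0":
                    nat_ids.add(pool_id)
                elif kind == "global":
                    global_ids.add(pool_id)
    return sorted(referenced - defined), sorted(nat_ids - global_ids)


if __name__ == "__main__":
    missing_groups, orphan_nat = lint(SAMPLE)
    print("object-groups referenced but not defined:", missing_groups)
    print("nat IDs with no matching global:", orphan_nat)
```

Running the same check over the old and the planned config before cut-over shows references that were left behind when only part of a configuration was copied.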