kumo_chan asked:
Network Migration from PIX to ASA
Hello Everyone,
I have a network that I would like to migrate from a PIX to an ASA, as I am planning to get rid of the PIX. In the same move I would like to assign a different IP address to the internal e-mail server of this network. This is not my configuration, so I am also trying to understand it.
I am not really sure if my changes are correct. Could someone give me a clue whether what I am doing on the ASA is the same as what is on the PIX?
What I have on the Pix is the following:
Pix
object-group network network_inside
description Inside Networks Secured by this firewall
network-object 192.168.50.0 255.255.255.0 Network Users (INSIDE)
network-object 192.168.200.0 255.255.255.0 Link to Main Office.
network-object 192.168.49.0 255.255.255.0 Network for VPN Users
object-group network hosts_inet_smtp_in
description DMZ Host group that any internet host can access via SMTP <<<<<<< allowing SMTP for client
network-object host OUTSIDE-IP-FOR_NETWORK
Since I have more than one client behind this PIX, I divide the networks per user:
object-group network USER 1
description User 1 Lan
network-object 192.168.50.0 255.255.255.0
network-object 192.168.49.0 255.255.255.0
access-list nonat permit ip object-group network_inside object-group Latrobe_RTR
access-list outside_access_in remark ** ALLOW SMTP TRAFFIC FROM OUTSIDE TO SMTP SERVERS **
access-list outside_access_in permit tcp any object-group hosts_inet_smtp_in eq smtp
access-list LATROBE permit ip object-group network_inside object-group Latrobe_RTR
access-list inside-access-out permit tcp host 192.168.50.10 any eq smtp <<<<< allowing access from my smtp server to outside
global (outside) 2 PUBLIC-IP
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
static (inside,outside) tcp PUBLIC-IP smtp 192.168.50.10 smtp netmask 255.255.255.255 0 0
route inside 192.168.50.0 255.255.255.0 192.168.46.65 1
route inside 192.168.200.0 255.255.255.0 192.168.46.65 1
What I'm planning to configure on the ASA:
object-group network TC-MAIL-SERVERS
description TASCOM MAIL SERVERS <<<<<<<<<<<<<<<<<<<< add the public IP address of the mail servers here
network-object host <name>
object-group network USER1-LAN
description LATROBE INTERNAL LAN
network-object 192.168.50.0 255.255.255.0
object-group network USER1-VPN
description LATROBE VPN CLIENTS
network-object 192.168.49.0 255.255.255.0
access-list OUTSIDE-IN remark ** ALLOW SMTP TRAFFIC FROM OUTSIDE TO MAIL SERVERS **
access-list OUTSIDE-IN extended permit tcp any object-group TC-MAIL-SERVERS eq smtp
global (OUTSIDE) 8 PUBLIC-IP
nat (INTERFACE) 8 192.168.50.0 255.255.255.0
static (INTERFACE,OUTSIDE) tcp PUBLIC-IP smtp 192.168.50.10 smtp netmask 255.255.255.255
route INTERFACE 192.168.50.0 255.255.255.0 INSIDE-INTERFACE
END
I have the same firewall for many users, so I am not sure if this will work the way I am thinking.
Could anyone shed some light on whether I am on the right path?
Thanks!!!
ASKER
Hello Max the King,
Thanks for the reply. At the moment I have an ASA running version 8.2, so the good news is that I think I don't need to look at the NAT change yet. However, what is happening is that in this company I will get rid of the PIX first, and then I need to upgrade the ASA version and implement failover.
So could you let me know your view on the current version? Is my post correct, or am I totally lost?
Thanks Again, the help is really appreciated!
Hi,
The main problem would have been NAT, but 8.2 is not much different from the 6.x release.
What you name "INTERFACE" in your new config is really the "inside" interface, which will not change.
As for the rest, you may encounter some deprecated commands, which will be automatically translated by the new operating system of the ASA.
You may as well save your current config to a TFTP server, import it into the startup configuration of the new ASA and see what happens. Or rather, save the running-config to a text file and rewrite the new configuration from scratch; the latter is what I'd prefer, because by entering single commands you'll find out which ones are deprecated.
max
ASKER
Hello Max,
Thanks for that!! I will try to do your second option and let you know how it went.
Just remember, though: if you're changing the public IP mapped to your e-mail servers, you need to update the MX/A records in DNS. If you don't, everyone else will continue to forward to your old IP and you won't get any e-mail. Also, I would update your PTR records to ensure that anyone who uses those for spam detection doesn't reject e-mails from you.
ASKER
Hello Cyclops and Max,
Well, I did my change. I configured this on the ASA and everything worked out except one thing:
They have access to everything as usual, and I changed the DNS records as well... but I can't make the server go out with its own IP (named here as PUBLIC-EMAIL).
I want to separate the e-mail server's traffic from everything else, but it is going to the internet through the general IP. nslookup works fine... so I am not sure what I am doing wrong?
name PUBLIC-EMAIL mail.out
name 192.168.50.10 mail.in
static (INSIDE,OUTSIDE) tcp PUBLIC-EMAIL smtp 192.168.50.10 smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp PUBLIC-EMAIL https 192.168.50.10 https netmask 255.255.255.255
global (OUTSIDE) 8 PUBLIC-EMAIL
global (OUTSIDE) 9 PUBLIC-WEB
nat (INSIDE) 8 192.168.50.10 255.255.255.255
nat (INSIDE) 9 192.168.50.0 255.255.255.0
Thanks !
Hi,
If you can, you'd better assign the whole IP address to PUBLIC-EMAIL, that is:
static (INSIDE,OUTSIDE) PUBLIC-EMAIL 192.168.50.10 netmask 255.255.255.255
but before doing that, you must remove the following:
no static (INSIDE,OUTSIDE) tcp PUBLIC-EMAIL smtp 192.168.50.10 smtp netmask 255.255.255.255
no static (INSIDE,OUTSIDE) tcp PUBLIC-EMAIL https 192.168.50.10 https netmask 255.255.255.255
no global (OUTSIDE) 8 PUBLIC-EMAIL
no global (OUTSIDE) 9 PUBLIC-WEB
no nat (INSIDE) 8 192.168.50.10 255.255.255.255
no nat (INSIDE) 9 192.168.50.0 255.255.255.0
After this, do not forget to type:
clear xlate
hope this helps
max
ASKER
Hello Max,
Thanks for that, but I cannot really make it happen. It is not working the way I would like.
If I do that, everyone else loses internet, which is not what I want. I need to identify the e-mail traffic, so I configured two different external IP addresses, one for the e-mail server and one for everyone else. However, the e-mail server always goes out from the other address,
and if I ping the e-mail server's public address from the outside it never replies.
static (INSIDE,OUTSIDE) PUBLIC-EMAIL 192.168.50.10 netmask 255.255.255.255
global (OUTSIDE1) 8 PUBLIC-EMAIL
global (OUTSIDE) 9 PUBLIC-WEB
nat (INSIDE1) 8 192.168.50.10 255.255.255.255
nat (INSIDE) 9 192.168.50.0 255.255.255.0
I also updated my DNS records, but the IP still doesn't reply...
Any clue how I can achieve that? I need the server to have its own IP and reply to the outside so I can treat it as a different entity from the rest of the network, but for some reason the other configuration is taking precedence...
Thanks again!, the help is really appreciated!
ASKER CERTIFIED SOLUTION
I concur with Max. This is the typical way to do what you want to do.
ASKER
Hello Max and Cyclops,
I just did it again as you said, and everything is perfect now!
Thanks !!!!
Really appreciated!
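The 8.2-style layout this thread converges on, written out as one added example (it is not config from the original posts or from Cisco): the mail server gets a one-to-one static, the rest of 192.168.50.0/24 keeps its dynamic PAT, and an inbound ACL opens only the ports that must be reachable. The interface names INSIDE/OUTSIDE (the static line in the thread uses them; the failing nat/global pair referred to INSIDE1/OUTSIDE1, which would have to exist as nameif'd interfaces), the ACL name OUTSIDE-IN and the 203.0.113.x documentation addresses standing in for PUBLIC-EMAIL and PUBLIC-WEB are assumptions.

```cisco
! Added example, pre-8.3 (8.2) syntax. Assumed: nameif INSIDE / OUTSIDE;
! 203.0.113.25 stands in for PUBLIC-EMAIL, 203.0.113.26 for PUBLIC-WEB.
names
name 203.0.113.25 PUBLIC-EMAIL
name 203.0.113.26 PUBLIC-WEB
name 192.168.50.10 MAIL-IN
!
! 1. One-to-one static for the mail server. A static is evaluated before any
!    nat/global pair, so MAIL-IN always leaves as PUBLIC-EMAIL, and anything
!    arriving at PUBLIC-EMAIL is untranslated to MAIL-IN (all protocols, not
!    only tcp/25 and tcp/443). No separate nat/global pair is needed for it.
static (INSIDE,OUTSIDE) PUBLIC-EMAIL MAIL-IN netmask 255.255.255.255
!
! 2. Everyone else on the LAN keeps dynamic PAT behind PUBLIC-WEB. Keep this
!    pair; removing it is what cut the other users off from the internet.
nat (INSIDE) 9 192.168.50.0 255.255.255.0
global (OUTSIDE) 9 PUBLIC-WEB
!
! 3. The static only creates the translation; inbound traffic still has to be
!    permitted. Pre-8.3, an ACL applied on OUTSIDE matches the translated
!    (public) address. Permit only the services the server must expose.
access-list OUTSIDE-IN remark ** ALLOW SMTP/HTTPS FROM OUTSIDE TO MAIL SERVER **
access-list OUTSIDE-IN extended permit tcp any host PUBLIC-EMAIL eq smtp
access-list OUTSIDE-IN extended permit tcp any host PUBLIC-EMAIL eq https
! Only if the public address should answer ping from outside:
access-list OUTSIDE-IN extended permit icmp any host PUBLIC-EMAIL echo
access-group OUTSIDE-IN in interface OUTSIDE
!
! 4. Existing translations are cached in the xlate table; clear it so the
!    server's flows pick up the new static instead of an old PAT entry.
clear xlate
```

To verify, `show xlate` should list a static entry mapping 192.168.50.10 to 203.0.113.25, a TCP connection to port 25 of 203.0.113.25 from an outside host should reach the server, and an outbound SMTP session from the server should be logged by the receiving MTA as coming from 203.0.113.25. The ICMP line is deliberately limited to echo; leave it out if reachability from the outside is not needed, because the server then answers on the public address for nothing but the two TCP ports.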
The NAT part has changed completely since the 8.3 release, so you need to write it completely differently in your new configuration; you may want to read this article to see the main differences:
https://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/A_11175-Cisco-ASA-PRE-8-3-and-POST-8-3-NAT-Operations.html
As for your different users, please note that
network-object 192.168.50.0 255.255.255.0 Network Users (INSIDE)
already includes up to 254 IP addresses (from 192.168.50.1 to 192.168.50.254).
If you want to introduce different subnets, then you will need to configure VLANs for that.
hope this helps
max
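The same design in the network-object NAT syntax introduced in 8.3, for the upgrade Max refers to. This is an added example, not config from the original posts or from the linked article; it assumes the same placeholder addresses (203.0.113.25 for PUBLIC-EMAIL, 203.0.113.26 for PUBLIC-WEB), the interface names INSIDE/OUTSIDE and object names chosen here.

```cisco
! Added example, 8.3+ syntax. Assumed: nameif INSIDE / OUTSIDE; 203.0.113.25
! stands in for PUBLIC-EMAIL and 203.0.113.26 for PUBLIC-WEB.
!
! Public addresses are defined as network objects, which is what the 8.3
! "nat" command takes as its mapped address.
object network PUBLIC-EMAIL
 host 203.0.113.25
object network PUBLIC-WEB
 host 203.0.113.26
!
! Mail server: one-to-one static, attached to the object holding the real
! address. Replaces "static (INSIDE,OUTSIDE) PUBLIC-EMAIL 192.168.50.10 ...".
object network MAIL-IN
 host 192.168.50.10
 nat (INSIDE,OUTSIDE) static PUBLIC-EMAIL
!
! Rest of the LAN: a single-host mapped object gives dynamic PAT behind
! PUBLIC-WEB. Replaces "nat (INSIDE) 9 ..." + "global (OUTSIDE) 9 PUBLIC-WEB".
! Object NAT rules are ordered static before dynamic, and fewer addresses
! first, so the /32 static for MAIL-IN wins over the /24 dynamic rule.
object network USER1-LAN
 subnet 192.168.50.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic PUBLIC-WEB
!
! Biggest behavioural change: ACLs now match the REAL (untranslated) address,
! so the inbound rule references MAIL-IN, not the public IP.
access-list OUTSIDE-IN remark ** ALLOW SMTP/HTTPS FROM OUTSIDE TO MAIL SERVER **
access-list OUTSIDE-IN extended permit tcp any object MAIL-IN eq smtp
access-list OUTSIDE-IN extended permit tcp any object MAIL-IN eq https
access-group OUTSIDE-IN in interface OUTSIDE
```

When an 8.2 config is upgraded in place the ASA rewrites the old nat/global/static lines into this form itself; compare the result of `show nat` against what you expect before trusting it, since an ACL that still names the public address will silently match nothing after the upgrade.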