Security Basics mailing list archives

Re: Pix to ASA migration


From: Craig Van Tassle <craig () codestorm org>
Date: Mon, 02 Oct 2006 16:13:48 -0500

It might be helpful if you post your config (modified, of course).

A couple of things I would check are whether you can ping your ASA.
If you can, from there check your NAT rules. Make sure you have a NAT for your
outside going. Check to see what, if any, of the interfaces are shut down, and that they
have a proper security level (100 for your LAN and 0 for the Internet).

The ASA (PIX OS 7.x) is different in some significant areas that can have unique
consequences.

There is no "fixup" command in the ASA IIRC. That is part of the policy-maps
now. Also check to see if you have
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
in your config.

But I'm willing to bet 10-1 that your NAT settings didn't copy like you thought
they would.

My NAT looks like this:

NAT (ethernet0/0) 10 0.0.0.0 0.0.0.0

HTH.

Craig.

timpacalypse () yahoo com wrote:
I am moving from a PIX 6.3(3) to an ASA 5520. I thought it would be as easy as copying the configuration from the
PIX into the ASA but apparently not. The interface configuration syntax was a little off but easy enough to fix.
Everything else seemed to go through fine.

So I plug it in and it's angry. It seems like DNS doesn't work.

So I went back and did a little reading. I think that when I was configuring the policy map for the IPS I may
have overwritten the default inspection policy map (fixup dns, fixup skinny, etc.).

My question is, if none of the fixup protocols are set, will that prevent me from getting out to the internet? My
understanding is that the appliance just inspects the traffic; I thought that if I set no fixup it just wouldn't
inspect it.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

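As an added example (not code from the thread or from Cisco), a small Python lint that runs Craig's checklist over a migrated ASA 7.x running-config: shut-down interfaces, inside/outside security levels, nat ids with no matching global, same-security-traffic, and whether the default inspections (the old fixup dns/skinny) survived in the policy-map. The sample config, the expected levels and the required-inspection list are constructed assumptions drawn from this reply.

```python
import re

# Constructed sample ASA 7.x config (not from the thread): the inspection_default
# class was repurposed for IPS, nat id 10 has no matching global, and dmz is shut down.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 100
 shutdown
nat (inside) 10 0.0.0.0 0.0.0.0
policy-map global_policy
 class inspection_default
  ips inline fail-open
service-policy global_policy global
"""
REQUIRED_INSPECTIONS = ("dns", "skinny")          # the old "fixup" protocols named in the thread
EXPECTED_LEVELS = {"inside": 100, "outside": 0}  # Craig's LAN/Internet convention (assumed names)

def lint_asa_config(config):
    """Return findings for the checks in Craig's reply (interfaces, NAT, inspections)."""
    findings, levels = [], []
    for block in re.split(r"\n(?=\S)", config.strip()):  # one top-level command per block
        head, _, body = block.partition("\n")
        if head.startswith("interface "):
            m = re.search(r"nameif (\S+)", body)
            name = m[1] if m else head.split()[1]
            m = re.search(r"security-level (\d+)", body)
            level = int(m[1]) if m else None
            levels.append(level)
            if re.search(r"^\s*shutdown\s*$", body, re.M):
                findings.append(f"{name}: interface is shut down")
            if name in EXPECTED_LEVELS and level != EXPECTED_LEVELS[name]:
                findings.append(f"{name}: security-level {level}, expected {EXPECTED_LEVELS[name]}")
    nat_ids = set(re.findall(r"^nat \(\S+\) (\d+) ", config, re.M)) - {"0"}  # nat 0 needs no global
    global_ids = set(re.findall(r"^global \(\S+\) (\d+) ", config, re.M))
    for nat_id in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nat_id} has no matching global: outbound traffic will not translate")
    if len(levels) != len(set(levels)) and "same-security-traffic permit" not in config:
        findings.append("interfaces share a security level but same-security-traffic is not permitted")
    inspects = set(re.findall(r"^\s+inspect (\S+)", config, re.M))
    for proto in REQUIRED_INSPECTIONS:
        if proto not in inspects:
            findings.append(f"policy-map has no 'inspect {proto}' (the old fixup {proto})")
    return findings
```

Feed it the output of `show running-config` from the migrated box; an empty list means every item on Craig's list checks out.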


