  1. Aperture Science Futura, Manchester UK (MCSE NT4, CCENT, PRINCE2 foundation, CCNA, ITIL v3 Foundation) #1

    ASA upgrade from 8.2 to 8.4, disruptive to NAT and ACLs?

    Hi there, first post in this section of the forum so go easy on me. I have an ASA 5540 at my disposal and currently run 8.2. I have a full service contract so no worries there. What does bother me is that I believe the migration to be a little difficult due to NAT rules and ACLs etc. Could any expert take a look at my config and point me in the right direction? I really don't see how my NAT rules would be affected by it.

    ------

    RAS-ASA# sh nat

    NAT policies on Interface inside:
    match ip inside any outside 192.168.184.0 255.255.255.0
    NAT exempt
    translate_hits = 2330, untranslate_hits = 26598
    match ip inside 192.168.125.0 255.255.255.0 outside 192.168.115.0 255.255.255.240
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
    match ip inside any inside 192.168.184.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
    match ip inside 192.168.125.0 255.255.255.0 inside 192.168.115.0 255.255.255.240
    NAT exempt
    translate_hits = 0, untranslate_hits = 0

    -----

    RAS-ASA# sh access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
    alert-interval 300
    access-list outside-acl; 2 elements; name hash: 0xb1b82131
    access-list outside-acl line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x96a7c779
    access-list outside-acl line 2 extended permit ip 192.168.115.0 255.255.255.240 192.168.125.0 255.255.255.0 (hitcnt=0) 0xa9f05e40
    access-list inside_nat0_outbound; 2 elements; name hash: 0x467c8ce4
    access-list inside_nat0_outbound line 1 extended permit ip any 192.168.184.0 255.255.255.0 (hitcnt=0) 0xab071e45
    access-list inside_nat0_outbound line 2 extended permit ip 192.168.125.0 255.255.255.0 192.168.115.0 255.255.255.240 (hitcnt=0) 0x73e1046d
    access-list VPN-NoInsideAccess; 3 elements; name hash: 0x994a9051
    access-list VPN-NoInsideAccess line 1 extended permit udp any any eq domain log disable (hitcnt=0) 0x0cdd00cb
    access-list VPN-NoInsideAccess line 2 extended deny ip any 192.168.0.0 255.255.0.0 (hitcnt=0) 0x01fa2f66
    access-list VPN-NoInsideAccess line 3 extended permit ip any any log disable (hitcnt=0) 0xcd714067

    ------



    sh run
    : Saved
    :
    ASA Version 8.2(2)
    !
    hostname RAS-ASA
    domain-name ras.domainname.com
    enable password *************** encrypted
    passwd *************** encrypted
    names
    dns-guard
    !
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 192.168.115.2 255.255.255.240
    !
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 192.168.125.90 255.255.255.0
    !
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    !
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    clock timezone GMT 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 192.168.125.53
    name-server 192.168.125.54
    domain-name ************.com
    access-list outside-acl extended permit icmp any any echo-reply
    access-list outside-acl extended permit ip 192.168.115.0 255.255.255.240 192.168.125.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.184.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.115.0 255.255.255.240
    access-list VPN-NoInsideAccess extended permit udp any any eq domain log disable
    access-list VPN-NoInsideAccess extended deny ip any 192.168.0.0 255.255.0.0
    access-list VPN-NoInsideAccess extended permit ip any any log disable
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 20000
    logging console debugging
    logging monitor debugging
    logging buffered debugging
    logging trap debugging
    logging asdm informational
    logging host inside 192.168.125.93
    logging host inside 192.168.125.88
    logging debug-trace
    no logging message 710005
    logging message 113019 level critical
    logging message 113015 level critical
    logging message 716001 level critical
    mtu outside 1500
    mtu inside 1500
    ip local pool RAS-Pool 192.168.184.1-192.168.184.254
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-625-53.bin
    no asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_nat0_outbound
    access-group outside-acl in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.115.1 1
    route inside 192.168.0.0 255.255.0.0 192.168.125.1 1
    route inside 0.0.0.0 0.0.0.0 192.168.125.1 tunneled
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    dynamic-access-policy-record ipad
    priority 1
    webvpn
    svc ask none default svc
    dynamic-access-policy-record Check-AV
    webvpn
    svc ask none default webvpn
    aaa-server SecureID protocol radius
    aaa-server SecureID (inside) host 192.168.125.92
    key *****
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec
    enrollment terminal
    fqdn vpn.domain.com
    subject-name CN=vpn.domainname,O=domain,C=gb
    keypair SSL-Cert
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpoint ASDM_TrustPoint3
    enrollment terminal
    subject-name CN=vpn.domainname,O=domain,C=GB,L=
    keypair VPN-2048-Key
    crl configure
    crypto ca certificate chain ASDM_TrustPoint1
    certificate ca 3863e9fc quit
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh XX.XX.XX.XX 255.255.255.192 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 30
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint3 inside
    ssl trust-point ASDM_TrustPoint3 outside
    webvpn
    enable outside
    csd image disk0:/csd_3.4.2048.pkg
    csd enable
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 2
    svc profiles No-SBL disk0:/No-SBL
    svc profiles SBL disk0:/SBL2
    svc enable
    port-forward RDP 3389 3389 3389 rdp

    group-policy MobileWorker internal
    group-policy MobileWorker attributes
    vpn-tunnel-protocol IPSec svc
    address-pools value RAS-Pool
    webvpn
    svc profiles value No-SBL

    group-policy DfltGrpPolicy attributes
    dns-server value 192.168.125.53 192.168.125.54
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    webvpn
    customization value VPN-Problem
    file-entry disable
    file-browsing disable
    url-entry disable

    tunnel-group IPSEC-VPN type remote-access
    tunnel-group IPSEC-VPN general-attributes
    address-pool RAS-Pool
    authentication-server-group SecureID
    default-group-policy IPSEC-VPN
    tunnel-group IPSEC-VPN ipsec-attributes
    pre-shared-key *****
    !
    class-map IPS
    match any
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect ip-options
    class IPS
    ips inline fail-open
    !
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email callhome@cisco.com
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:6dd777da1e3eb401b1a8dad3f1a06d10
    : end
    RAS-ASA# exit

    Logoff



    Really appreciate any help with this.

  2. docrice (Random Member), Bay Area, CA
    (GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, GCFE, GCFA, GMON, OSWP, SFCP, SnortCP, Sec+; expired: CCNA (R&S, Security, Wireless), WCNA) #2
    I only glanced through this, but I'll say that the 8.3 auto-migration wizard doesn't always work well. In a particular case I went from 7.x to 8.2 to 8.3 and it ended up being a disaster. Not everything migrated cleanly; I lost a number of routes and ssh statements, etc. I had to rebuild some of the config from scratch in a severely constrained maintenance window. This might not end up being the case for you, but I recommend testing well beforehand.

  3. PhildoBaggins (Senior Member), In America (A+, Net+, MCP, LCP, BAIS, BCNE, CCENT, CCNA, CCNA Security, CCNA Voice, CCDA, CCNP, CUDS, LCSAUC, CIPTDS, NSA 4011, Cisco IOS Security Specialist, Hub) #3
    DO NOT auto-migrate anything from 8.2 to 8.3+. I have done a bunch of 8.4 migrations on my internal ASAs and customer ASAs. I will always export the build and then analyse the text.

    For the most part it gives me an opportunity to really look and go:

    WHY DID THEY BUILD THIS IN ASDM
    WHY ARE THESE RULES HERE, THEY DON'T DO ANYTHING
    THESE TUNNELS ARE OLD AND WE DON'T HAVE THESE VENDORS ANYMORE

    As docrice stated, it's not just NATs; VPN statements are slightly different with isakmp versions, and NATs will break of course.
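One way to do the "export the build and analyse the text" step for the NAT-exempt rule in the original 8.2 config, as an added example that is not code from the thread: a Python helper that rewrites `nat (inside) 0 access-list inside_nat0_outbound` and its ACEs into the 8.3+ network-object and identity twice-NAT form. The object naming (`obj-<network>`) and the embedded sample input are constructed here; the mapped interface is a parameter because 8.2 `nat 0` never named one.

```python
import ipaddress
import re

# Constructed sample: the NAT-exempt rule and its ACL as posted in the 8.2 config above
CONFIG_82 = """\
access-list inside_nat0_outbound extended permit ip any 192.168.184.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.115.0 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
"""

def _operand(toks, i):
    """Consume one ACE address operand (any | host A | A MASK); return (name, object lines, next index)."""
    if toks[i] == "any":
        return "any", [], i + 1
    if toks[i] == "host":
        name = f"obj-{toks[i + 1]}"
        return name, [f"object network {name}", f" host {toks[i + 1]}"], i + 2
    net = ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False)
    name = f"obj-{net.network_address}"
    return name, [f"object network {name}", f" subnet {net.network_address} {net.netmask}"], i + 2

def migrate_nat0(config, mapped_ifc="any"):
    """Rewrite each 8.2 'nat (ifc) 0 access-list NAME' rule as 8.3+ identity twice NAT.

    Every permit-ip ACE of the referenced ACL becomes one line of the form
    'nat (ifc,mapped_ifc) source static X X destination static Y Y'; the network objects
    it needs are emitted once, ahead of the NAT lines.  mapped_ifc='any' keeps the
    exemption on every egress interface, matching the 8.2 'show nat' output above.
    """
    lines = [ln.strip() for ln in config.splitlines()]
    aces = {}                                   # ACL name -> list of ACE token lists
    for ln in lines:
        m = re.match(r"access-list (\S+) extended permit ip (.+)$", ln)
        if m:
            aces.setdefault(m.group(1), []).append(m.group(2).split())
    objects, nats = [], []
    for ln in lines:
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", ln)
        if not m:
            continue
        real_ifc, acl = m.groups()
        for toks in aces.get(acl, []):
            src, src_obj, nxt = _operand(toks, 0)
            dst, dst_obj, _ = _operand(toks, nxt)
            for obj in (src_obj, dst_obj):
                if obj and obj not in objects:  # emit each object only once
                    objects.append(obj)
            nats.append(f"nat ({real_ifc},{mapped_ifc}) source static {src} {src}"
                        f" destination static {dst} {dst}")
    return [line for obj in objects for line in obj] + nats
```

Calling `migrate_nat0(CONFIG_82, mapped_ifc="outside")` yields three network objects followed by two `nat (inside,outside) source static ... destination static ...` lines, which is what the migration would have to produce for the two ACEs. Note that interface ACLs in 8.3+ match on real rather than translated addresses; because this config translates nothing, `outside-acl` already uses real addresses and needs no rewrite.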