migration from asa 5505 to asa 5510

  • migration from asa 5505 to asa 5510

    My company has the ASA 5505 working as the remote access VPN server. My company needs more VPN licenses than the ASA 5505 gives it, so my company purchased the ASA 5510. I must migrate the configuration from the ASA 5505 to the ASA 5510. I exported the configuration file from the ASA 5505, made the changes on it and imported it into the ASA 5510. My ASA 5510 doesn't work. Why? Can you help me? I have posted the configuration files from the ASA 5505 and 5510.
    thanks

  • #2
    Re: migration from asa 5505 to asa 5510

    Your 5505 was running 8.2 and the new 5510 runs 8.4, so the NAT configuration is much different with version 8.3 and up. I found no NAT config on your 5510. Here is the converted config from the 5505 which you can use on the 5510 running 8.4. Just copy and paste it in.

    This is your dynamic PAT rule:

    object network INSIDE_HOSTS
    subnet 0.0.0.0 0.0.0.0
    nat (inside,outside) dynamic interface

    This is for your NAT exemption:

    object network RA_VPN_HOSTS
    subnet 192.168.50.0 255.255.255.128
    nat (inside,outside) 1 source static INSIDE_HOSTS INSIDE_HOSTS destination static RA_VPN_HOSTS RA_VPN_HOSTS

    or

    nat (inside,outside) 1 source static any any destination static RA_VPN_HOSTS RA_VPN_HOSTS

    (On 8.3 and above you can use the "any" keyword.)
    Last edited by auglan; 27th June 2012, 21:03.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: migration from asa 5505 to asa 5510

      Accordingly, I need to copy
      object network INSIDE_HOSTS
      subnet 0.0.0.0 0.0.0.0
      nat (inside,outside) dynamic interface
      object network RA_VPN_HOSTS
      subnet 192.168.50.0 255.255.255.128
      nat (inside,outside) 1 source static INSIDE_HOSTS INSIDE_HOSTS destination static RA_VPN_HOSTS RA_VPN_HOSTS
      into my ASA 5510 configuration file and import this configuration file into the ASA 5510? That's all?



      • #4
        Re: migration from asa 5505 to asa 5510

        Yes, this will fix the NAT issue for internet usage as well as for your remote access VPN clients.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: migration from asa 5505 to asa 5510

          I imported the configuration into the ASA and my running configuration is:
          ASA Version 8.4(2)
          !
          hostname asa5510
          domain-name dri.local
          enable password 8Ry2YjIyt7RRXU24 encrypted
          passwd 2KFQnbNIdI.2KYOU encrypted
          names
          !
          interface Ethernet0/0
          nameif outside
          security-level 0
          ip address 178.x.x.x 255.255.255.248
          !
          interface Ethernet0/1
          nameif inside
          security-level 100
          ip address 192.168.0.10 255.255.255.0
          management-only
          !
          interface Ethernet0/2
          shutdown
          no nameif
          no security-level
          no ip address
          !
          interface Ethernet0/3
          shutdown
          no nameif
          no security-level
          no ip address
          !
          interface Management0/0
          nameif management
          security-level 100
          ip address 192.168.1.1 255.255.255.0
          management-only
          !
          ftp mode passive
          clock timezone CEST 1
          clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
          dns server-group DefaultDNS
          domain-name dri.local
          object network VPN-POOL
          subnet 192.168.50.0 255.255.255.0
          description VPN Client pool
          object network LAN-NETWORK
          subnet 192.168.0.0 255.255.255.0
          description LAN Network
          object-group network PAT-SOURCE-NETWORKS
          description Source networks for PAT
          network-object 192.168.0.0 255.255.255.0
          access-list INSIDE-IN remark Allow traffic from LAN
          access-list INSIDE-IN extended permit ip 192.168.0.0 255.255.255.0 any
          pager lines 24
          logging asdm informational
          mtu outside 1500
          mtu inside 1500
          mtu management 1500
          ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
          icmp unreachable rate-limit 1 burst-size 1
          no asdm history enable
          arp timeout 14400
          !
          nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
          access-group INSIDE-IN in interface inside
          route outside 0.0.0.0 0.0.0.0 178.x.x.178 1
          route outside 0.0.0.0 0.0.0.0 178.x.x.177 1
          timeout xlate 3:00:00
          timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
          timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
          timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
          timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
          timeout tcp-proxy-reassembly 0:01:00
          timeout floating-conn 0:00:00
          dynamic-access-policy-record DfltAccessPolicy
          action terminate
          dynamic-access-policy-record dripolisa
          aaa-server DRI protocol ldap
          aaa-server DRI (inside) host 192.168.0.20
          ldap-base-dn DC=dri,DC=local
          ldap-scope subtree
          ldap-naming-attribute sAMAccountName
          ldap-login-password *****
          ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local
          server-type microsoft
          user-identity default-domain LOCAL
          aaa authentication enable console LOCAL
          aaa authentication http console LOCAL
          aaa authentication serial console LOCAL
          aaa authorization command LOCAL
          http server enable
          http 192.168.1.0 255.255.255.0 management
          no snmp-server location
          no snmp-server contact
          snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
          crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
          crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
          crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
          crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
          crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
          crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
          crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
          crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
          crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
          crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
          crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
          crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
          crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
          crypto map outside_map interface outside
          crypto ikev1 enable outside
          crypto ikev1 policy 10
          authentication pre-share
          encryption 3des
          hash sha
          group 2
          lifetime 86400
          telnet timeout 5
          ssh timeout 5
          console timeout 0
          dhcpd auto_config outside
          !
          dhcpd address 192.168.0.14-192.168.0.45 inside
          !
          dhcpd address 192.168.1.2-192.168.1.254 management
          dhcpd enable management
          !
          threat-detection basic-threat
          threat-detection statistics port
          threat-detection statistics protocol
          threat-detection statistics access-list
          no threat-detection statistics tcp-intercept
          webvpn
          group-policy drivpn internal
          group-policy drivpn attributes
          dns-server value 192.168.0.20 192.168.0.254
          vpn-simultaneous-logins 10
          vpn-idle-timeout 30
          vpn-tunnel-protocol ikev1
          default-domain value dri.local
          username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
          tunnel-group drivpn type remote-access
          tunnel-group drivpn general-attributes
          address-pool vpnadrese
          authentication-server-group DRI
          default-group-policy drivpn
          tunnel-group drivpn ipsec-attributes
          ikev1 pre-shared-key *****
          !
          class-map inspection_default
          match default-inspection-traffic
          !
          !
          policy-map type inspect dns preset_dns_map
          parameters
          message-length maximum client auto
          message-length maximum 512
          policy-map global_policy
          class inspection_default
          inspect dns preset_dns_map
          inspect ftp
          inspect h323 h225
          inspect h323 ras
          inspect rsh
          inspect rtsp
          inspect esmtp
          inspect sqlnet
          inspect skinny
          inspect sunrpc
          inspect xdmcp
          inspect sip
          inspect netbios
          inspect tftp
          inspect ip-options
          inspect http
          !
          service-policy global_policy global
          prompt hostname context
          no call-home reporting anonymous
          Cryptochecksum:4d4577afbf90588f7378df22c4d2d225
          : end


          What do you think?



          • #6
            Re: migration from asa 5505 to asa 5510

            Looks good. I don't see a NAT exemption for your remote access VPN clients though.

            nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface

            You could have just used auto NAT. The way you have it is fine though. It's just another way of doing it.

            object network PAT_SOURCE_NETWORKS
            subnet 192.168.0.0 255.255.255.0
            nat (inside,outside) dynamic interface
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)



            • #7
              Re: migration from asa 5505 to asa 5510

              Should my remote access VPN work with this configuration? How should I put in the NAT exemption?
              Thanks
              Last edited by gogi100; 3rd July 2012, 13:53.



              • #8
                Re: migration from asa 5505 to asa 5510

                Here is a link to the configuration guide in regards to the VPN:

                http://www.cisco.com/en/US/docs/secu...te_access.html

                This is for your NAT exemption. Change the addressing around to suit your needs.

                object network RA_VPN_HOSTS
                subnet 192.168.50.0 255.255.255.128
                nat (inside,outside) 1 source static INSIDE_HOSTS INSIDE_HOSTS destination static RA_VPN_HOSTS RA_VPN_HOSTS
                Last edited by auglan; 3rd July 2012, 14:26.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)



                • #9
                  Re: migration from asa 5505 to asa 5510

                  I tried that. I use the VPN client to connect to my ASA 5510. I can log on but I can't access my resources on the local network 192.168.0.0/24. My configuration on the ASA 5510 is:
                  Result of the command: "show runn"


                  : Saved
                  :
                  ASA Version 8.4(2)
                  !
                  hostname asa5510
                  domain-name dri.local
                  enable password 8Ry2YjIyt7RRXU24 encrypted
                  passwd 2KFQnbNIdI.2KYOU encrypted
                  names
                  !
                  interface Ethernet0/0
                  nameif outside
                  security-level 0
                  ip address 178.x.x.178 255.255.255.248
                  !
                  interface Ethernet0/1
                  nameif inside
                  security-level 100
                  ip address 192.168.0.10 255.255.255.0
                  !
                  interface Ethernet0/2
                  shutdown
                  no nameif
                  no security-level
                  no ip address
                  !
                  interface Ethernet0/3
                  shutdown
                  no nameif
                  no security-level
                  no ip address
                  !
                  interface Management0/0
                  nameif management
                  security-level 100
                  ip address 192.168.1.1 255.255.255.0
                  management-only
                  !
                  ftp mode passive
                  clock timezone CEST 1
                  clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
                  dns server-group DefaultDNS
                  domain-name dri.local
                  object network VPN-POOL
                  subnet 192.168.50.0 255.255.255.0
                  description VPN Client pool
                  object network LAN-NETWORK
                  subnet 192.168.0.0 255.255.255.0
                  description LAN Network
                  object-group network PAT-SOURCE-NETWORKS
                  description Source networks for PAT
                  network-object 192.168.0.0 255.255.255.0
                  access-list INSIDE-IN remark Allow traffic from LAN
                  access-list INSIDE-IN extended permit tcp 192.168.0.0 255.255.255.0 any
                  access-list INSIDE-IN extended permit ip object VPN-POOL object LAN-NETWORK
                  access-list inside_access_out extended permit icmp object VPN-POOL object LAN-NETWORK echo-reply
                  pager lines 24
                  logging asdm informational
                  mtu outside 1500
                  mtu inside 1500
                  mtu management 1500
                  ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
                  icmp unreachable rate-limit 1 burst-size 1
                  no asdm history enable
                  arp timeout 14400
                  !
                  nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
                  access-group INSIDE-IN in interface inside
                  access-group inside_access_out out interface inside
                  route outside 0.0.0.0 0.0.0.0 178.x.x.177 1
                  timeout xlate 3:00:00
                  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
                  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
                  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
                  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
                  timeout tcp-proxy-reassembly 0:01:00
                  timeout floating-conn 0:00:00
                  dynamic-access-policy-record DfltAccessPolicy
                  action terminate
                  dynamic-access-policy-record dripolisa
                  aaa-server DRI protocol ldap
                  aaa-server DRI (inside) host 192.168.0.20
                  ldap-base-dn DC=dri,DC=local
                  ldap-scope subtree
                  ldap-naming-attribute sAMAccountName
                  ldap-login-password *****
                  ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local
                  server-type microsoft
                  user-identity default-domain LOCAL
                  aaa authentication enable console LOCAL
                  aaa authentication http console LOCAL
                  aaa authentication serial console LOCAL
                  aaa authorization command LOCAL
                  http server enable
                  http 192.168.1.0 255.255.255.0 management
                  no snmp-server location
                  no snmp-server contact
                  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
                  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
                  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
                  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
                  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
                  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
                  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
                  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
                  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
                  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
                  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
                  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
                  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
                  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
                  crypto map outside_map interface outside
                  crypto ikev1 enable outside
                  crypto ikev1 policy 10
                  authentication pre-share
                  encryption 3des
                  hash sha
                  group 2
                  lifetime 86400
                  telnet timeout 5
                  ssh timeout 5
                  console timeout 0
                  dhcpd auto_config outside
                  !
                  dhcpd address 192.168.0.14-192.168.0.45 inside
                  !
                  dhcpd address 192.168.1.2-192.168.1.254 management
                  dhcpd enable management
                  !
                  threat-detection basic-threat
                  threat-detection statistics port
                  threat-detection statistics protocol
                  threat-detection statistics access-list
                  no threat-detection statistics tcp-intercept
                  webvpn
                  group-policy drivpn internal
                  group-policy drivpn attributes
                  dns-server value 192.168.0.20 192.168.0.254
                  vpn-simultaneous-logins 10
                  vpn-idle-timeout 30
                  vpn-tunnel-protocol ikev1 l2tp-ipsec
                  default-domain value dri.local
                  username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
                  tunnel-group drivpn type remote-access
                  tunnel-group drivpn general-attributes
                  address-pool vpnadrese
                  authentication-server-group DRI
                  authentication-server-group (inside) DRI
                  authentication-server-group (outside) DRI
                  authorization-server-group DRI
                  default-group-policy drivpn
                  tunnel-group drivpn ipsec-attributes
                  ikev1 pre-shared-key *****
                  !
                  class-map inspection_default
                  match default-inspection-traffic
                  !
                  !
                  policy-map type inspect dns preset_dns_map
                  parameters
                  message-length maximum client auto
                  message-length maximum 512
                  policy-map global_policy
                  class inspection_default
                  inspect dns preset_dns_map
                  inspect ftp
                  inspect h323 h225
                  inspect h323 ras
                  inspect rsh
                  inspect rtsp
                  inspect esmtp
                  inspect sqlnet
                  inspect skinny
                  inspect sunrpc
                  inspect xdmcp
                  inspect sip
                  inspect netbios
                  inspect tftp
                  inspect ip-options
                  inspect http
                  !
                  service-policy global_policy global
                  prompt hostname context
                  no call-home reporting anonymous
                  Cryptochecksum:38c7540e27ed313b9f3387ca49371753
                  : end
                  What do I do? How can I access local resources from my VPN client? I changed the access rules but nothing changed.



                  • #10
                    Re: migration from asa 5505 to asa 5510

                    I don't see a split tunnel ACL specified under your group policy. This will be pushed down to the remote client so it knows what traffic to encrypt and send over the tunnel.

                    access-list Split_Tunnel_List remark The corporate network behind the ASA. Change to suit your needs.
                    (config)#access-list Split_Tunnel_List extended permit ip 10.0.1.0 255.255.255.0 any

                    (This will tell the client to encrypt all traffic going to 10.0.1.0/24. The source address is from the perspective of the VPN server.)

                    Enter group policy configuration mode for the policy that you wish to modify.

                    (config)#group-policy drivpn attributes
                    (config-group-policy)#

                    Specify the split tunnel policy. In this case the policy is tunnelspecified.

                    (config-group-policy)#split-tunnel-policy tunnelspecified

                    Specify the split tunnel access list. In this case, the list is Split_Tunnel_List.

                    (config-group-policy)#split-tunnel-network-list value Split_Tunnel_List
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)



                    • #11
                      Re: migration from asa 5505 to asa 5510

                      I changed my configuration as directed but again I can't access my resources on the local LAN.
                      My configuration is:
                      Result of the command: "show runn"

                      : Saved
                      :
                      ASA Version 8.4(2)
                      !
                      hostname asa5510
                      domain-name dri.local
                      enable password 8Ry2YjIyt7RRXU24 encrypted
                      passwd 2KFQnbNIdI.2KYOU encrypted
                      names
                      !
                      interface Ethernet0/0
                      nameif outside
                      security-level 0
                      ip address 178.x.x.178 255.255.255.248
                      !
                      interface Ethernet0/1
                      nameif inside
                      security-level 100
                      ip address 192.168.0.10 255.255.255.0
                      management-only
                      !
                      interface Ethernet0/2
                      shutdown
                      no nameif
                      no security-level
                      no ip address
                      !
                      interface Ethernet0/3
                      shutdown
                      no nameif
                      no security-level
                      no ip address
                      !
                      interface Management0/0
                      nameif management
                      security-level 100
                      ip address 192.168.1.1 255.255.255.0
                      management-only
                      !
                      ftp mode passive
                      clock timezone CEST 1
                      clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
                      dns server-group DefaultDNS
                      domain-name dri.local
                      object network VPN-POOL
                      subnet 192.168.50.0 255.255.255.0
                      description VPN Client pool
                      object network LAN-NETWORK
                      subnet 192.168.0.0 255.255.255.0
                      description LAN Network
                      object-group network PAT-SOURCE-NETWORKS
                      description Source networks for PAT
                      network-object 192.168.0.0 255.255.255.0
                      access-list INSIDE-IN remark Allow traffic from LAN
                      access-list INSIDE-IN extended permit ip 192.168.0.0 255.255.255.0 any
                      access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
                      pager lines 24
                      logging asdm informational
                      mtu outside 1500
                      mtu inside 1500
                      mtu management 1500
                      ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
                      icmp unreachable rate-limit 1 burst-size 1
                      no asdm history enable
                      arp timeout 14400
                      !
                      nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
                      access-group INSIDE-IN in interface inside
                      route outside 0.0.0.0 0.0.0.0 178.x.x.177 1
                      timeout xlate 3:00:00
                      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
                      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
                      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
                      timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
                      timeout tcp-proxy-reassembly 0:01:00
                      timeout floating-conn 0:00:00
                      dynamic-access-policy-record DfltAccessPolicy
                      action terminate
                      dynamic-access-policy-record dripolisa
                      aaa-server DRI protocol ldap
                      aaa-server DRI (inside) host 192.168.0.20
                      ldap-base-dn DC=dri,DC=local
                      ldap-scope subtree
                      ldap-naming-attribute sAMAccountName
                      ldap-login-password *****
                      ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local
                      server-type microsoft
                      user-identity default-domain LOCAL
                      aaa authentication enable console LOCAL
                      aaa authentication http console LOCAL
                      aaa authentication serial console LOCAL
                      aaa authorization command LOCAL
                      http server enable
                      http 192.168.1.0 255.255.255.0 management
                      no snmp-server location
                      no snmp-server contact
                      snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
                      crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
                      crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
                      crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
                      crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
                      crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
                      crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
                      crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
                      crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
                      crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
                      crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
                      crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
                      crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
                      crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
                      crypto map outside_map interface outside
                      crypto ikev1 enable outside
                      crypto ikev1 policy 10
                      authentication pre-share
                      encryption 3des
                      hash sha
                      group 2
                      lifetime 86400
                      telnet timeout 5
                      ssh timeout 5
                      console timeout 0
                      dhcpd auto_config outside
                      !
                      dhcpd address 192.168.0.14-192.168.0.45 inside
                      !
                      dhcpd address 192.168.1.2-192.168.1.254 management
                      dhcpd enable management
                      !
                      threat-detection basic-threat
                      threat-detection statistics port
                      threat-detection statistics protocol
                      threat-detection statistics access-list
                      no threat-detection statistics tcp-intercept
                      webvpn
                      group-policy drivpn internal
                      group-policy drivpn attributes
                      dns-server value 192.168.0.20 192.168.0.254
                      vpn-simultaneous-logins 10
                      vpn-idle-timeout 30
                      vpn-tunnel-protocol ikev1
                      split-tunnel-network-list value Split_Tunnel_List
                      default-domain value dri.local
                      username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
                      tunnel-group drivpn type remote-access
                      tunnel-group drivpn general-attributes
                      address-pool vpnadrese
                      authentication-server-group DRI
                      default-group-policy drivpn
                      tunnel-group drivpn ipsec-attributes
                      ikev1 pre-shared-key *****
                      !
                      class-map inspection_default
                      match default-inspection-traffic
                      !
                      !
                      policy-map type inspect dns preset_dns_map
                      parameters
                      message-length maximum client auto
                      message-length maximum 512
                      policy-map global_policy
                      class inspection_default
                      inspect dns preset_dns_map
                      inspect ftp
                      inspect h323 h225
                      inspect h323 ras
                      inspect rsh
                      inspect rtsp
                      inspect esmtp
                      inspect sqlnet
                      inspect skinny
                      inspect sunrpc
                      inspect xdmcp
                      inspect sip
                      inspect netbios
                      inspect tftp
                      inspect ip-options
                      inspect http
                      !
                      service-policy global_policy global
                      prompt hostname context
                      no call-home reporting anonymous
                      Cryptochecksum:d21cbb210b1c058e9111d50920190159
                      : end
                      What can I do?



                      • #12
                        Re: migration from asa 5505 to asa 5510

                        You still don't have a NAT exemption ACL to tell the ASA not to NAT when going between the protected subnet behind the ASA and the remote client.

                        This is for your NAT exemption. Change to suit your needs.

                        object network RA_VPN_HOSTS
                        subnet 192.168.50.0 255.255.255.128
                        nat (inside,outside) 1 source static INSIDE_HOSTS INSIDE_HOSTS destination static RA_VPN_HOSTS RA_VPN_HOSTS
                        CCNA, CCNA-Security, CCNP
                        CCIE Security (In Progress)
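                        As an added example (not code from this thread or from Cisco), the following Python linter reads an 8.3+ running config and reports the three gaps this thread walked through: no dynamic PAT, no twice-NAT identity rule covering the VPN pool (post #12), and a split-tunnel-network-list without a split-tunnel-policy (post #10), since the inherited default is tunnelall and the list is then ignored. The embedded configs are constructed for the example and only reuse the thread's object and policy names; the one-space indentation of sub-commands in 'show run' output is assumed.

```python
"""Lint an ASA 8.3+ running config for the remote-access VPN gaps this thread worked
through: no dynamic PAT, no NAT exemption for the VPN pool, an inactive split-tunnel list."""
import ipaddress
import re
# Twice NAT identity rule: nat (real,mapped) [line] source static A A destination static B B
EXEMPT = re.compile(r"nat \(\S+\) (?:\d+ )?source static (\S+) (\S+) destination static (\S+) (\S+)")


def parse_sections(config):
    # Pair each top-level line with its one-space-indented sub-commands ('show run' style).
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith(("!", ":")):
            continue  # separators, ': Saved', ': end'
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            sections.append((raw.strip(), []))
    return sections


def network_objects(sections):
    # Map 'object network NAME' to the IPv4Network its 'subnet' line defines.
    objs = {}
    for head, body in sections:
        m = re.match(r"object network (\S+)$", head)
        for line in (body if m else ()):
            parts = line.split()
            if parts[0] == "subnet":
                objs[m.group(1)] = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}")
    return objs


def covers(name, objs, first, last):
    # True if object NAME (or the 'any' keyword) contains the whole address pool.
    net = objs.get(name)
    return name == "any" or (net is not None and first in net and last in net)


def lint(config):
    """Return the list of findings; an empty list means none of the gaps apply."""
    sections = parse_sections(config)
    heads = [h for h, _ in sections]
    objs = network_objects(sections)
    findings = []
    # 1. Dynamic PAT: twice NAT 'source dynamic X interface' or object NAT 'nat ... dynamic interface'.
    pat = [h for h in heads if h.startswith("nat ") and "dynamic" in h and "interface" in h]
    pat += [l for _, b in sections for l in b if l.startswith("nat ") and "dynamic interface" in l]
    if not pat:
        findings.append("no dynamic PAT rule: inside hosts cannot reach the internet")
    # 2. Each 'ip local pool' needs an identity rule whose destination object covers it;
    #    otherwise LAN-to-client traffic falls under the dynamic PAT rule (post #12).
    for head in heads:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", head)
        if not m:
            continue
        first, last = ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3))
        exempt = [e for e in map(EXEMPT.match, heads) if e and e.group(1) == e.group(2)
                  and e.group(3) == e.group(4) and covers(e.group(3), objs, first, last)]
        if not exempt:
            findings.append(f"no NAT exemption covering pool {m.group(1)} ({first}-{last})")
    # 3. A split-tunnel list only takes effect with split-tunnel-policy tunnelspecified
    #    or excludespecified; the inherited default is tunnelall, which ignores the list.
    for head, body in sections:
        m = re.match(r"group-policy (\S+) attributes$", head)
        if not m:
            continue
        lists = [l.split()[-1] for l in body if l.startswith("split-tunnel-network-list value ")]
        policy = [l.split()[-1] for l in body if l.startswith("split-tunnel-policy ")]
        if lists and (not policy or policy[-1] == "tunnelall"):
            findings.append(f"group-policy {m.group(1)}: split-tunnel-network-list is set but "
                            "split-tunnel-policy is tunnelall, so the list is ignored")
    return findings


# Constructed sample shaped like post #11: PAT present, split list present but no
# split-tunnel-policy, and no NAT exemption for the pool.
BROKEN = """\
object network VPN-POOL
 subnet 192.168.50.0 255.255.255.0
object network LAN-NETWORK
 subnet 192.168.0.0 255.255.255.0
object-group network PAT-SOURCE-NETWORKS
 network-object 192.168.0.0 255.255.255.0
access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
group-policy drivpn attributes
 split-tunnel-network-list value Split_Tunnel_List
: end
"""

# The same config with the identity rule from post #12 and the policy from post #10.
FIXED = BROKEN.replace(
    "nat (inside,outside) after-auto", "nat (inside,outside) 1 source static LAN-NETWORK "
    "LAN-NETWORK destination static VPN-POOL VPN-POOL\nnat (inside,outside) after-auto",
).replace(" split-tunnel-network-list", " split-tunnel-policy tunnelspecified\n split-tunnel-network-list")
```

Running `lint(BROKEN)` returns the two findings this thread hit, and `lint(FIXED)` returns an empty list.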



                        • #13
                          Re: migration from asa 5505 to asa 5510

                          Thanks, the problem is solved.



                          • #14
                            Re: migration from asa 5505 to asa 5510

                            Okay good. Thanks for letting me know.
                            CCNA, CCNA-Security, CCNP
                            CCIE Security (In Progress)



                            • #15
                              I have a Cisco 5520 with IOS 8.2(1) and recently purchased a 5516 with IOS 9.6. What's the best way to do a backup and restore?
