migration from asa 5505 to asa 5510

Home Forums Networking Cisco Security – PIX/ASA/VPN migration from asa 5505 to asa 5510

This topic contains 14 replies, has 3 voices, and was last updated by Avatar beyazgelin 2 years ago.

Viewing 15 posts - 1 through 15 (of 15 total)
  • Author
    Posts
  • Avatar
    gogi100
    Member
    #159157

    my company has the asa 5505 working as the remote access vpn server. my company needs more licenses for vpn than the asa 5505 give it. because of my company purchased the asa 5510. i must migrate configuration from the asa 5505 to the asa 5510. i exported configuration file from asa 5505. i made the changes on them and imported them in the asa 5510. my asa5510 doesn’t work. why? can we help me? i puted configuration files from asa 5505 and 5510
    thanks

    Avatar
    Anonymous
    #373253

    Re: migration from asa 5505 to asa 5510

    Your 5505 was running 8.2 and the new 5510 runs 8.4 so the nat configuration is much different with version 8.3 and up. I found no nat config on your 5510. Here is the converted config from the 5505 which you can use on the 5510 running 8.4. Just copy and paste it in.

    This is your dynamic pat rule:

    object network INSIDE_HOSTS
    subnet 0.0.0.0 0.0.0.0
    nat (inside,outside) dynamic interface

    This is for your nat exemption:

    object network RA_VPN_HOSTS
    subnet 192.168.50.0 255.255.255.128

    nat (inside,outside) 1 source static INSIDE_HOST INSIDE_HOSTS destination static RA_VPN_HOSTS RA_VPN_HOSTS

    or

    nat (inside,outside) 1 source static any any destination static RA_VPN_HOSTS RA_VPN_HOSTS (8.3 and above you can use the “any” keyword)

    Avatar
    gogi100
    Member
    #334944

    Re: migration from asa 5505 to asa 5510

    accordingly i need copy

    Quote:
    object network INSIDE_HOSTS
    subnet 0.0.0.0 0.0.0.0
    nat (inside,outside) dynamic interface
    object network RA_VPN_HOSTS
    subnet 192.168.50.0 255.255.255.128
    nat (inside,outside) 1 source static INSIDE_HOST INSIDE_HOSTS destination static RA_VPN_HOSTS RA_VPN_HOSTS

    in my asa5510 configuration file and i import this configuration file in asa5510? that’s all?

    Avatar
    Anonymous
    #373256

    Re: migration from asa 5505 to asa 5510

    Yes, this will fix the nat issue for internet usage as well as for your remote access vpn clients.

    Avatar
    gogi100
    Member
    #334945

    Re: migration from asa 5505 to asa 5510

    i import configuration in asa and my running confiruation is

    Quote:
    ASA Version 8.4(2)
    !
    hostname asa5510
    domain-name dri.local
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 178.x.x.x 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.10 255.255.255.0
    management-only
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
    domain-name dri.local
    object network VPN-POOL
    subnet 192.168.50.0 255.255.255.0
    description VPN Client pool
    object network LAN-NETWORK
    subnet 192.168.0.0 255.255.255.0
    description LAN Network
    object-group network PAT-SOURCE-NETWORKS
    description Source networks for PAT
    network-object 192.168.0.0 255.255.255.0
    access-list INSIDE-IN remark Allow traffic from LAN
    access-list INSIDE-IN extended permit ip 192.168.0.0 255.255.255.0 any
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    !
    nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
    access-group INSIDE-IN in interface inside
    route outside 0.0.0.0 0.0.0.0 178.x.x.178 1
    route outside 0.0.0.0 0.0.0.0 178.x.x.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    action terminate
    dynamic-access-policy-record dripolisa
    aaa-server DRI protocol ldap
    aaa-server DRI (inside) host 192.168.0.20
    ldap-base-dn DC=dri,DC=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local
    server-type microsoft
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.0.14-192.168.0.45 inside
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy drivpn internal
    group-policy drivpn attributes
    dns-server value 192.168.0.20 192.168.0.254
    vpn-simultaneous-logins 10
    vpn-idle-timeout 30
    vpn-tunnel-protocol ikev1
    default-domain value dri.local
    username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
    tunnel-group drivpn type remote-access
    tunnel-group drivpn general-attributes
    address-pool vpnadrese
    authentication-server-group DRI
    default-group-policy drivpn
    tunnel-group drivpn ipsec-attributes
    ikev1 pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect http
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:4d4577afbf90588f7378df22c4d2d225
    : end

    what do you think?

    Avatar
    Anonymous
    #373271

    Re: migration from asa 5505 to asa 5510

    Looks good. I dont see a nat exemption for your remote access vpn clients though.

    nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface

    You could have just used auto nat. The way you have it is fine though. Its just another way of doing it.

    object network PAT_SOURCE_NETWORKS
    subnet 192.168.0.0 255.255.255.0
    nat (inside,outside) dynamic interface

    Avatar
    gogi100
    Member
    #334946

    Re: migration from asa 5505 to asa 5510

    my remote access VPN should work with this configuration? how i should put nat exemption?
    thanks

    Avatar
    Anonymous
    #373272

    Re: migration from asa 5505 to asa 5510

    Here is a link to the configuration guide in regards to the vpn:

    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_remote_access.html

    This is for your nat exemption. Change the addressing around to suit your needs.

    object network RA_VPN_HOSTS
    subnet 192.168.50.0 255.255.255.128

    nat (inside,outside) 1 source static INSIDE_HOST INSIDE_HOSTS destination static RA_VPN_HOSTS RA_VPN_HOSTS

    Avatar
    gogi100
    Member
    #334947

    Re: migration from asa 5505 to asa 5510

    i tryed that i use vpn client for connecting on my asa5510. i can logon but i can’t access my resource on local network 192.168.0.0/24. my configuration on asa5510 is:

    Quote:
    Result of the command: “show runn”

    : Saved
    :
    ASA Version 8.4(2)
    !
    hostname asa5510
    domain-name dri.local
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 178.x.x.178 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.10 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
    domain-name dri.local
    object network VPN-POOL
    subnet 192.168.50.0 255.255.255.0
    description VPN Client pool
    object network LAN-NETWORK
    subnet 192.168.0.0 255.255.255.0
    description LAN Network
    object-group network PAT-SOURCE-NETWORKS
    description Source networks for PAT
    network-object 192.168.0.0 255.255.255.0
    access-list INSIDE-IN remark Allow traffic from LAN
    access-list INSIDE-IN extended permit tcp 192.168.0.0 255.255.255.0 any
    access-list INSIDE-IN extended permit ip object VPN-POOL object LAN-NETWORK
    access-list inside_access_out extended permit icmp object VPN-POOL object LAN-NETWORK echo-reply
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    !
    nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
    access-group INSIDE-IN in interface inside
    access-group inside_access_out out interface inside
    route outside 0.0.0.0 0.0.0.0 178.x.x.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    action terminate
    dynamic-access-policy-record dripolisa
    aaa-server DRI protocol ldap
    aaa-server DRI (inside) host 192.168.0.20
    ldap-base-dn DC=dri,DC=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local
    server-type microsoft
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.0.14-192.168.0.45 inside
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy drivpn internal
    group-policy drivpn attributes
    dns-server value 192.168.0.20 192.168.0.254
    vpn-simultaneous-logins 10
    vpn-idle-timeout 30
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    default-domain value dri.local
    username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
    tunnel-group drivpn type remote-access
    tunnel-group drivpn general-attributes
    address-pool vpnadrese
    authentication-server-group DRI
    authentication-server-group (inside) DRI
    authentication-server-group (outside) DRI
    authorization-server-group DRI
    default-group-policy drivpn
    tunnel-group drivpn ipsec-attributes
    ikev1 pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect http
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:38c7540e27ed313b9f3387ca49371753
    : end

    what i do? how i can access from my vpn client to local resources. i changed access rules but nothing

    Avatar
    Anonymous
    #373280

    Re: migration from asa 5505 to asa 5510

    I don’t see a split tunnel ACL specified under your group policy. This will be pushed down to the remote client so it knows what traffic to encrypt and send over the tunnel.

    access-list Split_Tunnel_List remark The corporate network behind the ASA. Change to suit your needs.

    (config)#access-list Split_Tunnel_List extended permit ip 10.0.1.0 255.255.255.0 any (This will tell the client to encrypt all traffic going to 10.0.1.0/24, The source address is from the prospective of the VPN Server)

    Enter Group Policy configuration mode for the policy that you wish to modify.

    (config)#group-policy drivpn attributes
    (config-group-policy)#

    Specify the split tunnel policy. In this case the policy is tunnelspecified.

    (config-group-policy)#split-tunnel-policy tunnelspecified
    Specify the split tunnel access list. In this case, the list is Split_Tunnel_List.

    ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List

    Avatar
    gogi100
    Member
    #334948

    Re: migration from asa 5505 to asa 5510

    i changed my configuration at direction but again i can’t access my resources on local lan
    my configuration is:

    Quote:
    Result of the command: “show runn”

    : Saved
    :
    ASA Version 8.4(2)
    !
    hostname asa5510
    domain-name dri.local
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 178.x.x.178 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.0.10 255.255.255.0
    management-only
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
    domain-name dri.local
    object network VPN-POOL
    subnet 192.168.50.0 255.255.255.0
    description VPN Client pool
    object network LAN-NETWORK
    subnet 192.168.0.0 255.255.255.0
    description LAN Network
    object-group network PAT-SOURCE-NETWORKS
    description Source networks for PAT
    network-object 192.168.0.0 255.255.255.0
    access-list INSIDE-IN remark Allow traffic from LAN
    access-list INSIDE-IN extended permit ip 192.168.0.0 255.255.255.0 any
    access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    !
    nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface
    access-group INSIDE-IN in interface inside
    route outside 0.0.0.0 0.0.0.0 178.x.x.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    action terminate
    dynamic-access-policy-record dripolisa
    aaa-server DRI protocol ldap
    aaa-server DRI (inside) host 192.168.0.20
    ldap-base-dn DC=dri,DC=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=dragan urukalo,OU=novisad,OU=sektor2,OU=REVIZIJA,DC=dri,DC=local
    server-type microsoft
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.0.14-192.168.0.45 inside
    !
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy drivpn internal
    group-policy drivpn attributes
    dns-server value 192.168.0.20 192.168.0.254
    vpn-simultaneous-logins 10
    vpn-idle-timeout 30
    vpn-tunnel-protocol ikev1
    split-tunnel-network-list value Split_Tunnel_List
    default-domain value dri.local
    username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
    tunnel-group drivpn type remote-access
    tunnel-group drivpn general-attributes
    address-pool vpnadrese
    authentication-server-group DRI
    default-group-policy drivpn
    tunnel-group drivpn ipsec-attributes
    ikev1 pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect http
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:d21cbb210b1c058e9111d50920190159
    : end

    wha can i do?

    Avatar
    Anonymous
    #373283

    Re: migration from asa 5505 to asa 5510

    You still don’t have a nat exemption ACL to tell the ASA not to nat when going between the protected subnet behind the ASA to the remote client.

    This is for your nat exemption. change to suit your needs

    object network RA_VPN_HOSTS
    subnet 192.168.50.0 255.255.255.128

    nat (inside,outside) 1 source static INSIDE_HOST INSIDE_HOSTS destination static RA_VPN_HOSTS RA_VPN_HOSTS

    Avatar
    gogi100
    Member
    #334949

    Re: migration from asa 5505 to asa 5510

    thank’s problem is solved

    Avatar
    Anonymous
    #373284

    Re: migration from asa 5505 to asa 5510

    Okay good. Thanks for letting me know.

    Avatar
    beyazgelin
    Member
    #391859

    I have a cisco 5520 IOS 8.2(1) recently purchased 5516 IOS 9.6. Whats the best way to do a back and restore.

Viewing 15 posts - 1 through 15 (of 15 total)

You must be logged in to reply to this topic.