Cisco ASA VPN Filters

Reply
L1 Bithead

Cisco ASA VPN Filters

I am running the Expedition Tool on our Cisco ASA firewalls and the tools is stating that most of our IP Address, IP Address Groups and Services are invalid.  When I go over these invalid objects, they are all part of our VPN filters on our VPN tunnels.  Is there anyway for the Tool to recognize that these are ACLs rules in the ASA and that they are not invalid?  

L7 Applicator

Re: Cisco ASA VPN Filters

before go deep in the troubleshooting, can you verify if you edit the file with "vi" there is no weird characters at the begining of each line line CTRL+M ??? Thanks . And check the format of the config has not been altered, like when a object is defined begins at the very left position and the properties inside it are one space to the right and so... Regards 

L1 Bithead

Re: Cisco ASA VPN Filters

This is the configuration directly from the firewall (the .cfg file) and nothing would have been altered.  The Expedition Tool does not seem to understand VPN filter rules, which is just killing us.  We have hundreds of rules to convert over, we just cannot get this Tool to help us, so we are having to do this manually which is just a horrid task!   If their is anything you help us with, it would be appreciated!  

L7 Applicator

Re: Cisco ASA VPN Filters

Please share the config file with us via email to fwmigrate at paloaltonetworks dot com or opening a case with support and share the case number with us. Thanks

L1 Bithead

Re: Cisco ASA VPN Filters

I have opened a new case for this issue.  The case number is 00968461.  I have uploaded the cisco configuration file to the case. 

L7 Applicator

Re: Cisco ASA VPN Filters

Hi, 

 

I understood what happened.

 

[WORKAROUND]

 

you have to add as many access-groups to the config as filter you want to import into Expedition.

 

Example:

 

search by access-group and after the current access-groups add a new entry/es

 

 

access-group AWS_Prod_VPC_Filter in interface XXX-rsvpn-untrust-599

 

Assuming AWS_Prod_VPC_Filter is the ACL name and XXX-rsvpn-untrust-599 is the Interface where the traffic will come IN

 

Then import the config on a new Project.

L1 Bithead

Re: Cisco ASA VPN Filters

Before I added the access-group to the config file, I was only getting 20 security rules from the expedition tool.  After I add the lines below, I still only get 20 security rules. 

 

access-group AWS_Prod_VPC_Filter in interface IVDC-rsvpn-untrust-599

access-group AWS_SharedServices_Prod_VPC_Filter in interface IVDC-rsvpn-untrust-599

 

In addition, there are no interfaces for the access-lists in the configuration.  It goes through the tunnel interface of the Cisco ASA firewall which goes through the ASIC and is not a defined interface like on a Palo Alto firewall.  Is it possible I am still doing something wrong here with the configuration?  

L1 Bithead

Re: Cisco ASA VPN Filters

Ok, I go it to work.  The access-group does work, I just needed to go into the policies select and do a discovery again manually.  The security rules went from 20 to 89 now.  So it I am on the right track now.  

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!