Cisco ASA to PA Migration Zone Assignment Issues

11239
Created On 09/25/18 19:54 PM - Last Modified 06/08/23 07:25 AM



Issue

While using the PA Migration Tool on a Cisco ASA configuration, it was noted that the tool's auto zone assignment cannot assign a zone to an access-list entry whose source is tcp any, udp any or ip any.

Resolution

  1. Replace the source "any" with a host object named after the zone:
     • tcp any -> tcp host <zone-name>-any
     • udp any -> udp host <zone-name>-any
     • ip any -> ip host <zone-name>-any
  2. The zone name in this case depends on the access list, e.g.:
     • Replace "access-list fromout extended permit tcp any host 1.2.3.4 eq www" with "access-list fromout extended permit tcp host outside-any host 1.2.3.4 eq www"
     • Replace "access-list fromin extended permit tcp any host 1.2.3.4 eq www" with "access-list fromin extended permit tcp host inside-any host 1.2.3.4 eq www"
  3. The zone name you choose depends on the interface to which the access-group is assigned.
     • In keeping with the above example, the access groups fromout and fromin are applied to the outside and inside interfaces:
       access-group fromout in interface outside
       access-group fromin in interface inside
     • So if the access-groups consultants and vips are assigned to the inside interface, use the same zone name (inside-any) substitution from steps 1 and 2.
  4. Create address name entries in the config file for each <zone-name>-any object used in steps 1 and 2, e.g.:
       name 1.1.1.1 outside-any
       name 2.2.2.2 inside-any
  5. Import the modified config file into the Migration Tool.
  6. Once the initial import is done (before doing the auto zone assign), create the following entries in the Interfaces and zones section:
       Network    Netmask            Zone
       1.1.1.1    255.255.255.255    outside
       2.2.2.2    255.255.255.255    inside
  7. Save the change.
  8. Do the Auto Zone Assignment.
  9. Eventually the outside-any, inside-any etc. objects can be replaced by any in the PA config file.
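The rewrite in steps 1 to 4 and the zone table from step 6 can be produced mechanically from the ASA config. The script below is an added example, not part of the article or of the Migration Tool: it reads the access-group bindings to learn which interface each ACL belongs to, rewrites only the source "any" of tcp/udp/ip entries to host <zone>-any, emits the matching name entries, and returns the rows to enter under Interfaces and zones. The sample config, the placeholder addresses (1.1.1.1, 2.2.2.2, ... in order of first use, as in the article) and the function names are assumptions.

```python
import re

# Constructed sample ASA excerpt (assumption, not from the article): two ACLs, two interfaces.
SAMPLE_CONFIG = """\
access-list fromout extended permit tcp any host 1.2.3.4 eq www
access-list fromout extended permit udp any host 1.2.3.4 eq domain
access-list fromin extended permit ip any host 5.6.7.8
access-list fromin extended permit tcp host 10.0.0.5 host 1.2.3.4 eq ssh
access-group fromout in interface outside
access-group fromin in interface inside
"""

ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")
# Matches only a source 'any' directly after the protocol; destination 'any' is left alone.
ANY_SOURCE = re.compile(r"^(access-list (\S+) extended (?:permit|deny) (?:tcp|udp|ip)) any ")
HOST_MASK = "255.255.255.255"


def acl_to_interface(lines):
    """Map each ACL name to the interface its access-group statement binds it to."""
    return {m.group(1): m.group(2) for m in map(ACCESS_GROUP.match, lines) if m}


def rewrite_config(text):
    """Return (rewritten config, zone table) with source 'any' replaced by host <zone>-any.

    Placeholder addresses are allocated as 1.1.1.1, 2.2.2.2, ... in order of first use
    (the article's example values); change them if they collide with real addresses.
    """
    lines = text.splitlines()
    iface_of = acl_to_interface(lines)
    placeholder = {}          # "<zone>-any" -> placeholder IP
    rewritten = []
    for line in lines:
        m = ANY_SOURCE.match(line)
        if m and m.group(2) in iface_of:          # ACL must be bound to an interface
            obj = f"{iface_of[m.group(2)]}-any"
            if obj not in placeholder:
                n = len(placeholder) + 1
                placeholder[obj] = f"{n}.{n}.{n}.{n}"
            line = f"{m.group(1)} host {obj} {line[m.end():]}"
        rewritten.append(line)
    # 'name' entries go first so the objects exist before the ACLs reference them.
    names = [f"name {ip} {obj}" for obj, ip in placeholder.items()]
    # Rows to enter under Interfaces and zones before running auto zone assign.
    zone_table = [(ip, HOST_MASK, obj[:-len("-any")]) for obj, ip in placeholder.items()]
    return "\n".join(names + rewritten) + "\n", zone_table


if __name__ == "__main__":
    config, table = rewrite_config(SAMPLE_CONFIG)
    print(config)
    for row in table:
        print("%-10s %-16s %s" % row)
```

ACL entries whose ACL has no access-group binding are left unchanged, since no interface (and therefore no zone) can be derived for them.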


owner: panagent



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clh1CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail