FWSM to ASA 5585 Name Migration Caveats

This document explains the migration from the Cisco FWSM to the ASA in regards to the support of names and name aliases.

Cisco Support of Names for the FWSM and the ASA 5585

The Cisco Firewall Services Module (FWSM) supports the use of names inside of object-groups and firewall rules (ACEs, ACLs).

The Cisco ASA software version 8.3 and later dropped the support of names inside of ACLs, but still supports the use of names inside of object-groups.

Example Pre Migration:
Here is an abbreviated example of a current FWSM config using name aliases in both the ACL and the object-group:

names
name 146.151.218.2 JonSmithStaticVPN

object-group network StaffStaticVPN

 network-object JonSmithStaticVPN 255.255.255.255

access-list INBOUND extended permit ip host JonSmithStaticVPN any
access-list INBOUND extended permit ip object-group StaffStaticVPN any

Example Post Migration:
Here is an abbreviated example of an ASA config after the migration from the FWSM:

names
name 146.151.218.2 JonSmithStaticVPN

object-group network StaffStaticVPN
 network-object JonSmithStaticVPN 255.255.255.255

access-list INBOUND extended remark 146.151.218.2=JonSmithStaticVPN
access-list INBOUND extended permit ip host 146.151.218.2 any
access-list INBOUND extended permit ip object-group StaffStaticVPN any

Notice that the name JonSmithStaticVPN is no longer used in the ACL, but it still is used in the object-group.

The ACL line that did previously use the name alias is preceded by a new remark that shows the mapping of IP address to name alias.  This was done by the migration script created by DoIT and not supplied by the vendor.
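The rewrite that the post-migration example shows (aliases replaced by addresses in ACL lines only, each preceded by an ip=alias remark, with the object-group lines left alone) can be reproduced with a few lines of Python. This is an added illustration, not the DoIT migration script; the sample config below is constructed from the example above, and emitting one remark per alias on lines that use several is an assumption.

```python
import re

# Constructed sample FWSM config, modelled on the pre-migration example.
FWSM_CONFIG = """names
name 146.151.218.2 JonSmithStaticVPN

object-group network StaffStaticVPN
 network-object JonSmithStaticVPN 255.255.255.255

access-list INBOUND extended permit ip host JonSmithStaticVPN any
access-list INBOUND extended permit ip object-group StaffStaticVPN any
"""

# 'name <ip> <alias>' (a trailing description, if any, is ignored).
NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")


def parse_names(config):
    """Return {alias: ip} from the 'name <ip> <alias>' lines of a config."""
    names = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def migrate_acl_names(config):
    """Rewrite access-list lines so that name aliases become IP addresses.

    Each ACL line that used an alias is preceded by a remark recording the
    ip=alias mapping (one remark per alias: an assumption for lines that use
    several). 'name' and object-group lines are left untouched, since the
    ASA still accepts aliases there.
    """
    names = parse_names(config)
    out = []
    for line in config.splitlines():
        tokens = line.split()
        is_ace = (len(tokens) > 2 and tokens[0] == "access-list"
                  and "remark" not in tokens[2:4])
        if not is_ace:
            out.append(line)
            continue
        acl_name = tokens[1]
        for alias in (t for t in tokens if t in names):
            out.append(f"access-list {acl_name} extended remark {names[alias]}={alias}")
        out.append(" ".join(names.get(t, t) for t in tokens))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(migrate_acl_names(FWSM_CONFIG))
```

Running the block prints the rewritten config; only the `host JonSmithStaticVPN` ACE changes, and the object-group entry keeps its alias.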

Suggested Changes for Departmental Firewall Administrators Before the Migration to the ASA:

If you want to preserve the use of a name alias inside of the ACL before the migration to the ASA, you can create a new object-group and use that object-group in the ACL:

Example 1: of converting a name to an object group

object-group network myMailServer
 network-object 10.1.2.3 255.255.255.255

access-list INBOUND extended permit tcp any object-group myMailServer eq smtp

Or you may use the existing name in an object-group and use the new object-group in the ACL:

Example 2: of converting a name to an object group

names
name 146.151.218.2 JonSmithStaticVPN

object-group network myVPNusers
 network-object JonSmithStaticVPN 255.255.255.255

access-list INBOUND extended permit ip object-group myVPNusers any

Suggested Changes for Departmental Firewall Administrators After the Migration to the ASA:

The ASA 8.4 has a new syntax for named objects which can be used.

Here is an example:

object network myMailServer
  host 10.1.2.3

then you could use it in the ACL, for example

access-list INBOUND extended permit tcp object myMailServer any eq smtp

The only issue with this syntax is that you can have only one host/network/subnet in an "object network <>", whereas with an object-group you may use any number of hosts/subnets.




Keywords: FWSM ASA 5585 migration
Doc ID: 19166
Owner: Greg P.
Group: Network Services
Created: 2011-07-18 19:00 CDT
Updated: 2011-08-01 19:00 CDT
Sites: Network Services