Migration: Pix 515 to ASA 5520

Unanswered Question
Feb 10th, 2009

We've had some issues using the pix migration tool to get our current config over to our new ASA. Are there any general recommendations out there for doing a conversion from a PIX to an ASA?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (3 ratings)
rcoote5902_2 Tue, 02/10/2009 - 12:32

Thanks for the link I believe we had referenced that somewhat but I'll dig into it more thoroughly.

We had our configs matched up as far as we could tell but when we tried to cutover we had no outside access. Same port, same address, same cable even...able to ping inside from the ASA management port, but couldn't get any outside addresses.

cdusio Tue, 02/10/2009 - 16:38

Did you bother to reboot your outside gateway I.E. upstream router?

Your mac address changed when you went to the ASA from the PIX and you have the same ip....

Bet that works.


rcoote5902_2 Wed, 02/11/2009 - 07:11

Yes, we actually brought all of our equipment offline for the cutover and restarted everything in stages.

I've found the pix to asa conversion tool does some wierd things with the config, particularly in the order of commands. It placed all of my nat entries before the actual nat command, so they all return as invalid. I'm massaging the output now so it's in the correct order and will see what happens.

I'm doing this all through the CLI as I have read mixed reviewes of the ASDM - which is better?

cdusio Wed, 02/11/2009 - 07:26

I actually really like ASDM especially newer versions like 6.x..

Only issue I ever run into is sometimes the log freezes but I am a huge fan.

If you want you can share the config and I can take a peek at it..

Really pix to ASA should be almost as simple as cut and paste depending on the features you are using on the PIX.. Obviously if your using an old version conduits and outbounds don't work but ACL's should eb fine..


rcoote5902_2 Wed, 02/11/2009 - 08:45

Much appreciated. I'm still 'massaging' the output from the OCC and migration tool. I'm not sure when we'll have a chance to test again, since downtime here is a rare commodity.

If this run doesn't work I'll definitely post some configs for some further input.


This Discussion