PIX 525 with ASA 5585-X, SSP-10

Unanswered Question
Jun 25th, 2012

We are helping a client move from PIX 525 to ASA 5585-X, SSP10. This is a production environment and very critical migration. Has someone done this and could provide a step-by-step procedure. What are the gotchas which we should be aware off?

Thanks for all your help in advance.

NG

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (2 ratings)
varrao Mon, 06/25/2012 - 07:44

Hi Naveen,

What version of ASA are you using??? You would first need to convert the configuration fro PIX to ASA 8.2 and from ther you can take it to higher codes like 8.3 or later. There's a PIX to ASA migration tool available on cisco.com, you can download it from there.

Thanks,
Varun Rao
Security Team,
Cisco TAC

gnaveen123 Mon, 06/25/2012 - 08:00

We plan on moving to 8.4(4.1).

Could you point me to the conversion tool?

Is the conversion tool reliable enough to have a tech do it by himself?

Or, he needs to have a sound knowledge of ASA software?

varrao Mon, 06/25/2012 - 08:24

Hi Naveen,

Here is the tool for conversion:

http://www.cisco.com/cisco/software/cart.html?imageGuId=AF7198892F2A04876765A5A60B514470C1007A65&i=rs

Your plan of action should be to, first install version 8.2.x on your ASA, convert the config from PIX to ASA using the tool, apply the config on the ASA, and then upgrade the ASA to version 8.4.4.1, ASA would convert the config from 8.2.x to 8.4.4.1 itself, since there are some NAT and ACL changes from 8.3 & later.

Yes you would need a person wit sound knowlede of ASA, who can test things at every step.

Thanks,
Varun Rao
Security Team,
Cisco TAC

gnaveen123 Fri, 07/13/2012 - 12:36

The PIX version is 7.2(4). It looks like it's only the interface change as PIX and ASA 7.2 is not that different. I don't see any benefit of this tool for PIX running 7.x and higher.

Ramraj.Sivagnanam Sat, 07/14/2012 - 23:07

Hi Bro

I have done tones of this type of migration, the only problem you'll faced is this, since you're maintaining the same configuration but changing the chassis, you'll MAY encouter arp issues. I face this all the time.

This is because, when you change chassis, and the interface IP remains the same, the LAN switch is going to see 2 different MAC addresses for the same IP Address. Please be sure to clear the ARP TABLE on all directly connected LAN switches.

Don't be fooled, as I've failed this exercise few times in the past due to ARP. After I swapped the chassis, I didn't clear the ARP TABLE, thinking it was not necessary, but I learnt this the hard way :-)

Good luck bro!

Actions

Login or Register to take actions

This Discussion

Posted June 25, 2012 at 7:36 AM
Stats:
Replies:5 Avg. Rating:5
Views:632 Votes:0
Shares:0
Tags: asa_5500
+

Related Content

Discussions Leaderboard

Rank Username Points
1 7,861
2 6,140
3 3,170
4 1,473
5 1,446