
Ask the Expert: Migration Best Practices for Adaptive Security Appliance 8.3/8.4

Sep 6th, 2012

With: Praveena Shanubhogue

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Migration Best Practices for Adaptive Security Appliance 8.3/8.4 with Praveena Shanubhogue. Learn about best practices while migrating from version 8.2 or before to 8.3 and beyond and ask questions about the new features. Understand bugs or known issues that one needs to be aware of while migrating from 8.2 to 8.3 and beyond.

Praveena Shanubhogue is an engineer in the Cisco Technical Assistance Center in Bangalore, India, specializing in Cisco VPN and Adaptive Security Appliance (ASA) technologies. He has more than 3 years of experience troubleshooting VPN and ASA products. He holds CCIE certification in Security (#29450).

We encourage you to watch the recently published Community Tech-Talk Blog and Video.

Remember to use the rating system to let Praveena know if you have received an adequate response. 

Praveena might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event.  This event is a continuation of the Facebook Forum and lasts through Sept 19, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

fahad.wasi Sat, 09/08/2012 - 03:09

Hi Praveen,

I had a question: is there a way we can back up the configuration and settings on Cisco routers?

I mean, before migrating from one version of a Cisco router or ASA to another, can we back up all the configuration to prevent disaster?

What is the name of the OS that we use in ASA firewalls?

pshanubh Tue, 09/11/2012 - 04:08

Hi Fahad,

1. Yes, there are multiple ways to back up and later restore the config on a Cisco ASA. ASDM > Tools has Backup and Restore links.

Also, check out this tool called 'rancid' (http://www.openmaniak.com/rancid_tutorial.php).

2. As I mentioned on the Facebook forum, ASA 7.x was based on PIX OS, and ASA 8.x is a Linux-based OS, which you can call ASA OS (I don't know of a specific name given to ASA OS).

-- Praveen

fahad.wasi Tue, 09/11/2012 - 05:13

Hi Praveen,

Thanks for your reply. So do we have to connect any storage device to the router or ASA when taking a backup?

Are there USB ports in the ASA?

Fahad

pshanubh Wed, 09/12/2012 - 07:46

Well, you can copy over TFTP/FTP/HTTP (ASDM).

You can also add additional flash cards, but sorry, no USB.

-- Praveen

rafaelmendes Tue, 09/11/2012 - 06:30

Hi Praveena,

I have a PIX 515 with IOS version 8.0(3); we bought two ASA 5525-Xs with IOS 8.6.

What is the better way to proceed with this migration? Manually?

Tks!

Rafael

Jouni Forss Tue, 09/11/2012 - 23:32

Hi Praveena,

Is Cisco planning on adding an automated periodic configuration backup for ASAs? Or will this have to be done manually or through a separate script that will do it for you? Why has it not been implemented before on the ASA like it is on the Cisco routers?

Considering large network environments with hundreds of firewalls (security contexts), this would be a useful option.

Sure, the "show tech" command gets you a backup, but also a lot of extra information you don't need when you just want configuration backups for when disaster strikes.

- Jouni

pshanubh Wed, 09/12/2012 - 08:47

Hi Jouni,

Have you checked out our Smart Call Home feature, which you can customize to back up the ASA config periodically:

https://supportforums.cisco.com/docs/DOC-14958

More on Smart Call Home:

https://supportforums.cisco.com/docs/DOC-12801

I know you are looking for a built-in tool, but it seems this is it for now.

Then there is a CiscoWorks tool called Cisco Security Manager (CSM):

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6498/data_sheet_c78-584863.html

Also, you can use a Perl script to do this (ah yes, not a built-in feature), as mentioned at:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1063700

That is it from us. I would also point out 'rancid', if you are interested:

http://www.openmaniak.com/rancid_tutorial.php

This not only backs up the config, it also diffs the config, which is what the name stands for (apparently it is the 'Really Awesome New CIsco Diff' tool).

-- Praveen

Jouni Forss Thu, 09/13/2012 - 05:36

Hi,

Thanks for the reply.

Does the "Call Home" feature work in an ASA that's running in multiple context mode?

It seems to have the default "call-home" configuration under the system context configuration mode, and it also seems it's not possible to configure it under the different security contexts.

So, following the instructions given in those documents, would the ASA only send the system context configuration, or would it also send all the configurations of the security contexts on the ASA?

And sorry that the question ain't exactly "on topic"

- Jouni

pshanubh Fri, 09/14/2012 - 10:03

Hey Jouni,

Ah well, I will be honest with you here: I haven't gotten a chance to work on the Smart Call Home feature, but for one I do know that this is supported in multi-context mode.

You can add any command to the list; having said that, you can add "more flash:\.cfg" and that should get you the specific context config.

Also, any command added in the snapshot should run in system context AND the regular contexts:

From the config guide:

In multiple context mode, the snapshots command is divided into two commands: one to obtain information from the system context and one to obtain information from the regular context.

HTH

-- Praveen

pshanubh Wed, 09/12/2012 - 07:55

Well Rafael, you might not like my answer, but I have a workaround for you apart from doing this manually:

0.

1. Get the PIX config.

2. Edit it using an editor like notepad++:

   - Replace interface types (ethernet) manually with the corresponding interface types on the new ASAs (gigabit)

   - Remove the old 'boot system ..' statement and add the new 'boot system ..' statement

   - Remove the 'Crypto Checksum' part from the end.

2. Load it on the ASA5525-x's flash (ASDM/TFTP/FTP)

3. On the ASA5525-x, replace the startup-config with the PIX's config:

   copy flash:/pix-config.txt start

4. Do NOT execute 'write mem'

5. Reload

Now the ASA boxes should come back up with the migrated config.

-- Praveen
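The manual edit in the steps above (swap interface types, replace the 'boot system' line, strip the checksum trailer) as a script, added here as an example; it is not the expert's own code or a Cisco tool. The PIX config excerpt, the interface map and the image path are constructed placeholders:

```python
import re

# Constructed PIX 8.0(3) config excerpt for the demo (not a real device config).
PIX_CONFIG = """\
PIX Version 8.0(3)
hostname pixfw
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
boot system flash:/pix803.bin
Cryptochecksum:0123456789abcdef0123456789abcdef
: end
"""

def migrate_config(text, iface_map, new_boot_image):
    """Rename physical interfaces (every whole-word occurrence, in one pass so
    swapped names cannot collide), replace the 'boot system' statement and drop
    the Cryptochecksum trailer (the new box recomputes it on write).
    Raises ValueError if an 'interface' line names a port the map does not
    cover, so a half-mapped config is never produced."""
    if not iface_map:
        raise ValueError("iface_map must not be empty")
    iface_re = re.compile(r"\b(" + "|".join(map(re.escape, iface_map)) + r")\b")
    out = []
    for line in text.splitlines():
        m = re.match(r"^\s*interface\s+(\S+)", line)
        if m and m.group(1) not in iface_map:
            raise ValueError(f"no mapping for interface {m.group(1)}")
        stripped = line.strip()
        if stripped.startswith("Cryptochecksum:"):
            continue  # old checksum would not match the edited file anyway
        if stripped.startswith("boot system "):
            out.append(f"boot system {new_boot_image}")
            continue
        out.append(iface_re.sub(lambda mm: iface_map[mm.group(1)], line))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Placeholder interface mapping and image path; adjust to the target box.
    print(migrate_config(PIX_CONFIG,
                         {"Ethernet0": "GigabitEthernet0/0", "Ethernet1": "GigabitEthernet0/1"},
                         "disk0:/asa-image-placeholder.bin"))
```

Review the output before copying it to startup-config; the script only does the three mechanical edits and leaves everything else (ACLs, NAT, VPN) for the on-box migrator to handle.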

shinepothen Fri, 09/14/2012 - 09:21

Can I migrate directly from the 8.2 to the 8.4 version?

I know there are some new NAT statements in place and some other things. Other than that, if I do this migration it should work fine... Please give me your suggestion.

thanks in advance

pshanubh Fri, 09/14/2012 - 10:08

Hi Shine,

Sure, you can migrate from any older version directly to 8.4, provided the system meets the memory requirements.

The major changes that stand out are NAT and real-IP usage in filter ACLs (rather than using the translated IP); however, these are taken care of, i.e. the ASA OS post-8.3 has a built-in config migrator that does a good job.

Please read these:

https://supportforums.cisco.com/docs/DOC-12690

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

HTH

-- Praveen

pshanubh Tue, 09/18/2012 - 05:40

Hey Fahad,

I haven't used that tool myself, but yeah sure, please go ahead and ask; if I know, I will for sure answer or at least give some pointers.

-- Praveen

brobinb Mon, 09/17/2012 - 20:12

Hi Praveena,

I have two stand-alone ASA5520s running 8.0. I will need to upgrade to 5525-x with 8.3. Do the procedures for manually upgrading a PIX with 8.0 to an ASA5525-x with 8.3 also apply to the 5520? Or is there an easier way to complete the upgrade?

Thanks in advance.

Robin

pshanubh Tue, 09/18/2012 - 05:50

Hey Robin,

All 55xx-X series ASAs can load OS 8.6 and beyond only, but they are almost similar to 8.4 when it comes to configuration.

So since you have ASAs as opposed to PIXs, you have two options:

Option#1:

0. Back up your ASA config.

1. Upgrade these ASAs to 8.4 when you are about to decommission them. It does not matter if they don't have enough RAM (since they are not going to be operational).

2. Now back up this config and make changes to the interfaces (i.e. only if the 5525-x interface mapping changes compared to the 5520)

   - Remove the old 'boot system ..' statement and add the new 'boot system ..' statement

   - Remove the 'Crypto Checksum' part from the end.

2. Load it on the ASA5525-x's flash (ASDM/TFTP/FTP)

3. On the ASA5525-x, replace the startup-config with the PIX's config:

   copy flash:/pix-config.txt start

4. Do NOT execute 'write mem'

5. Reload

Option#2:

Same as option #1, if you choose to skip step #1 in the last option. (i.e. identical with the last PIX to 5525-x migration steps)

Let me know if you have any queries.

-- Praveen

brobinb Tue, 09/18/2012 - 08:15

Thanks for your reply!

In addition to the upgrade process, if the two 5525-xs will be running in HA mode (active/standby, for instance), then will the process be as follows?

1. Migrate the config of the two stand-alone 5520s onto one 5520, build the HA pair, then upgrade the primary 5520 from 8.0 to 8.4.

2. Follow the migration process you mention, load the config onto the new 5525-x, upgrade to 8.6, build the secondary 5525-x, and from there form the HA pair.

Will this work or do I miss anything?

Best Regards,

Robin

pshanubh Tue, 09/18/2012 - 08:32

Well, with HA in the picture, what you have in mind should work just fine.

You could also do this:

1. As far as 5520 is concerned, just get one ASA (that will be converted to HA), and migrate it to 8.4

2. Edit this config in order to get the interfaces and the boot variable (pointing to 8.6) right (and remove the checksum part (I know I keep repeating this part, but this is absolutely necessary)). Also, for each interface, append a standby IP address.

3. Load it on 5525-x and reload

4. Make this 5525-x the primary in the HA Pair

5. Add the secondary 5525-x and enable failover on this one

6. The second 5525-x should now sync up the config

This way you need to worry about HA config only once (on 5525-x).

If the interface mapping stays the same, I guess you can follow your method, but as you can see above, since the secondary box does not need to be *built* (config sync-up happens when you build HA), forming 5520 HA is not necessary.

-- Praveen

Posted September 6, 2012 at 10:50 AM