Upgrading PIX525 (ver. 6.3.(3)) to ASA 5525X w/IPS (ver. 9.1.(1))

STEVE FOWLER
Level 1

I'm looking for any advice or suggestions on best practice for the task of upgrading from a PIX 525 running 6.3 to an ASA 5525X with IPS, the PIX is setup in active/standby failover and the ASA will be setup the same way. The PIX has been in service for many years and has a substantial configuration but no IPS or VPN services, just firewalling.

I've used the PIX to ASA 7.2 migration tool before and it worked OK, but if I do this I still need to get from 7.2 to 9.1, or some incremental jump up to 9.1. Any advice would be appreciated.

4 Replies

Jouni Forss
VIP Alumni

Hi,

Since no VPN is involved, I guess your only hard part is converting the NAT configurations to the new format. There is also an ACL change involved, related to the NAT change. As the order of NAT and ACL was changed, you will now have to use the real IP address in the ACL rules and never the NAT IP address (which was the case for software below 8.3).

You can't really use the ASA5525-X to do the automatic conversion upon reboot/reload, as it's a new ASA model and only accepts 8.6 software at minimum, to my understanding. This means it won't accept the 7.2 format (or up to 8.2 format) of NAT configurations at all.

Also the PIX can't be upgraded to the newest software levels either. So I guess you are looking at the manual NAT conversion.

Are the current NAT configurations on the PIX large, or would it be something that you would be willing to post here? I could always try to help you out converting the NAT configurations.

Here is a link to a document I wrote about the new NAT 8.3+ configuration format.

https://supportforums.cisco.com/docs/DOC-31116

Here is also a good document comparing the old and new NAT formats.

https://supportforums.cisco.com/docs/DOC-9129

- Jouni

Jouni,

Thank you for your response, it sounds like the migration is going to be painful. There are four active interfaces on the PIX and quite a bit of dynamic and static NAT configurations but I don't think I can post that information on the forum.  I'll check out the documents you referenced and go from there. Again thanks for your help.

Steve

Ok,

That's understandable, though don't hesitate to ask here if you need help with the NAT configuration format.

I would imagine that you are not familiar with the "packet-tracer" command? This was released in the 7.0 software level, if I remember right. This is a powerful tool to confirm that everything is working as expected on your firewall, especially the NAT.

You can essentially simulate a packet entering any interface of the firewall, and the firewall will tell you what rules/configurations it WOULD hit/match.

The basic format is (the interface name, addresses and ports are placeholders you fill in):

packet-tracer input <interface> tcp <source-ip> <source-port> <destination-ip> <destination-port>

packet-tracer input <interface> udp <source-ip> <source-port> <destination-ip> <destination-port>

packet-tracer input <interface> icmp <source-ip> 8 0 <destination-ip>

If you need help interpreting the output, again, don't hesitate to post here and ask.

The reason I mentioned this command is that you can essentially start building the new ASA firewall configuration while it's not yet in production, and use the "packet-tracer" command to make sure that the traffic is hitting the NAT rules etc. that you expect it to.

Here is a link to the Command Reference for the "packet-tracer" command, which has more specific information about the command.

http://72.163.4.161/en/US/docs/security/asa/command-reference/p1.html#wp2129824

Though now that I look at it myself, it seems a bit confusing.

Hope this helps.

- Jouni
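The two points Jouni raises above, the pre-8.3 to 8.3+ NAT rewrite with its matching ACL change, and using packet-tracer to verify the result, can be turned into a small conversion script. The following is an added example written for this thread, not Cisco's migration tool and not anything posted by the participants. It parses a constructed pre-8.3 snippet (host statics, nat/global with interface PAT, and an inbound ACL written against the public addresses), emits 8.3+ object NAT, rewrites the ACL to the real addresses, and prints one packet-tracer command per rewritten rule. The object names, the 198.51.100.1 test source and the "to-outside" naming scheme are this example's own conventions. It deliberately rejects nat 0, policy NAT and network statics so those get converted by hand.

```python
"""Convert pre-8.3 PIX/ASA NAT to the 8.3+ object-NAT format and rewrite ACLs
to match the real (untranslated) address.  Example code written for this
thread, not Cisco's migration tool; the sample config below is constructed.
Handles host statics, nat/global with 'interface' or an address range, and
ACLs that name a statically mapped host.  nat 0, policy NAT and network
statics are rejected on purpose so they are converted by hand."""
import ipaddress
import re
from typing import Dict, List, Tuple

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
ACL_RE = re.compile(r"^access-list \S+ extended ")
PORT_RE = re.compile(r"\beq (\d+)$")

# Constructed pre-8.3 snippet: two host statics, interface PAT for two
# segments, and an inbound ACL written against the mapped (public) addresses.
OLD_CONFIG = """
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.20 172.16.1.20 netmask 255.255.255.255
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-list outside_in extended permit tcp any host 203.0.113.20 eq 25
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
"""


def convert(old_config: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (nat_lines, acl_lines, tracer_lines) for an 8.3+ ASA."""
    mapped_to_real: Dict[str, Tuple[str, str]] = {}  # mapped IP -> (real IP, mapped ifc)
    nat_ids: Dict[int, List[Tuple[str, str, str]]] = {}  # nat id -> [(ifc, net, mask)]
    pools: Dict[int, List[Tuple[str, str]]] = {}  # nat id -> [(ifc, pool)]
    nat_lines: List[str] = []
    acls: List[str] = []

    for raw in old_config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, mapped, real, mask = m.groups()
            if mask != "255.255.255.255":
                raise ValueError(f"network static needs manual conversion: {line}")
            mapped_to_real[mapped] = (real, mapped_ifc)
            nat_lines += [f"object network obj-{real}", f" host {real}",
                          f" nat ({real_ifc},{mapped_ifc}) static {mapped}"]
        elif m := NAT_RE.match(line):
            ifc, nat_id, net, mask = m.groups()
            if nat_id == "0":
                raise ValueError(f"nat 0 (identity/exemption) needs manual conversion: {line}")
            nat_ids.setdefault(int(nat_id), []).append((ifc, net, mask))
        elif m := GLOBAL_RE.match(line):
            ifc, nat_id, pool = m.groups()
            pools.setdefault(int(nat_id), []).append((ifc, pool))
        elif ACL_RE.match(line):
            acls.append(line)

    # Object NAT (section 2) orders static rules ahead of dynamic ones by itself,
    # so the old nat-id ordering is not needed; one object per source/egress pair.
    for nat_id, sources in nat_ids.items():
        for g_ifc, pool in pools.get(nat_id, []):
            if pool == "interface":
                target = "interface"
            else:  # an address pool becomes its own network object
                target = f"obj-pool-{nat_id}-{g_ifc}"
                lo, _, hi = pool.partition("-")
                nat_lines += [f"object network {target}",
                              f" range {lo} {hi}" if hi else f" host {lo}"]
            for s_ifc, net, mask in sources:
                prefix = ipaddress.IPv4Network((net, mask), strict=False).prefixlen
                nat_lines += [f"object network obj-{net}-{prefix}-to-{g_ifc}",
                              f" subnet {net} {mask}",
                              f" nat ({s_ifc},{g_ifc}) dynamic {target}"]

    # 8.3+ evaluates the ACL after un-NAT, so rules must name the real address.
    # The packet-tracer check still uses the mapped address: that is what arrives
    # on the outside interface, and the output should show UN-NAT followed by the
    # ACL permitting the real address.  198.51.100.1 is an arbitrary test source.
    acl_lines: List[str] = []
    tracer_lines: List[str] = []
    for acl in acls:
        tokens = acl.split()
        acl_lines.append(" ".join(mapped_to_real.get(t, (t,))[0] for t in tokens))
        port = PORT_RE.search(acl)
        for t in tokens:
            if t in mapped_to_real and port:
                mapped_ifc = mapped_to_real[t][1]
                proto = tokens[4]  # access-list NAME extended permit PROTO ...
                tracer_lines.append(f"packet-tracer input {mapped_ifc} {proto} "
                                    f"198.51.100.1 12345 {t} {port.group(1)}")
    return nat_lines, acl_lines, tracer_lines


if __name__ == "__main__":
    for section in convert(OLD_CONFIG):
        print("\n".join(section), end="\n\n")
```

Run it and paste the first two sections into the new ASA, then run the printed packet-tracer commands on it: each trace should show an UN-NAT phase translating the public address to the real host and an ACCESS-LIST phase matching the rewritten rule. Any "drop" result points at exactly the static or ACL line that was not carried over correctly.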

Actually I have several smaller ASA5510s running 7.X and early 8.X around the globe that I manage, so I've used the packet-tracer command. However, these firewalls don't incorporate the new NAT and ACL changes, so I don't have experience in those areas.

Again I appreciate your help.

Steve
