Cisco Support Community

New Member

Best method to migrate PIX config to ASA

Hi,

I have an old PIX 515E that I want to migrate over to an ASA 5512X. The PIX is on 6.3(4) and the ASA is at factory settings, so I can downgrade it to whatever is necessary for a smooth migration.

What's the best path for this migration?

4 REPLIES
Super Bronze

Hi,

The new ASA5500-X Series don't support any software below version 8.6(1). So you will not be able to have a configuration directly migrated from PIX to the new ASA.

The biggest change will be the NAT configurations, and depending on whether you are using VPN on the PIX, it will probably also have some changes.

If your configuration isn't large, it might also be possible that someone here could provide you with the required new configurations. For example, the NAT shouldn't be that hard for us to convert to the new format for you if that is the biggest problem at the moment for you.

- Jouni

New Member

Thanks Jouni. The PIX has a lot of site-to-site VPNs on it, so the preshared keys and all are the most important part to retain. If I send the PIX config to a TFTP server, then update the NAT lines, should that be the only change between 6.3 and the later versions?

Super Bronze

Hi,

It seems to me that the command that is supported on the ASA (both old and new) is not supported on the 6.x series software, so you cannot use that to show the PSKs in clear text.

The VPN configuration format has gone through some changes also, so that cannot be copied directly either.

The NAT is usually the biggest change, but there are also the ACLs to consider. In your current software and all the way to the latest 8.2 software, when you configured a NAT for your server to the public network you would always allow the traffic towards that public NAT IP address in the external ACL.

In the newer software (8.3 and newer) you always allow the traffic to the local/real IP address even if you are doing NAT. So this fact most likely means at least some changes to your interface ACL configurations, if you host some servers with the use of NAT.

- Jouni
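
The ACL change described in the reply above, as an added example that is not part of the original thread: a small Python helper that turns pre-8.3 one-to-one host `static` lines into 8.3+ object NAT and rewrites ACL destinations from the mapped address to the real one. All addresses, interface and ACL names, and the `obj-` naming scheme are constructed for illustration; anything other than a one-to-one host static or an ACL line is reported rather than converted.

```python
import re

# Constructed sample in pre-8.3 syntax (addresses and names are made up).
OLD_CONFIG = """\
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.20 10.0.0.20 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.20 eq smtp
access-list outside_in permit icmp any any echo-reply
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Pre-8.3 order is: static (real_if,mapped_if) <mapped ip> <real ip>
STATIC_RE = re.compile(
    rf"^static \((\S+),(\S+)\) {IP} {IP} netmask 255\.255\.255\.255\b")


def convert(old_config):
    """Return (new_lines, notes) for one-to-one host statics and their ACLs."""
    mapped_to_real = {}
    objects, acls, notes = [], [], []
    for line in old_config.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            mapped_to_real[mapped_ip] = real_ip
            name = "obj-" + real_ip  # hypothetical naming scheme
            objects += [f"object network {name}",
                        f" host {real_ip}",
                        f" nat ({real_if},{mapped_if}) static {mapped_ip}"]
        elif line.startswith("access-list "):
            acls.append(line)
        elif line:
            # Port redirection, subnet statics etc. need manual review.
            notes.append("not converted: " + line)
    new_acls = []
    for acl in acls:
        # 8.3+ matches the interface ACL against the real address, so each
        # "host <mapped>" destination becomes "host <real>".
        for mapped_ip, real_ip in mapped_to_real.items():
            pattern = rf"\bhost {re.escape(mapped_ip)}(?!\S)"
            acl = re.sub(pattern, f"host {real_ip}", acl)
        new_acls.append(acl)
    return objects + new_acls, notes
```
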

New Member

Hi Jouni,

I am setting up the 5512X now. It's on 9.1(2). The NAT seems to be a lot different from what I am used to on the 5510 I have here (it's on 8.2(1)).

I am used to management via the GUI, and the NAT setup seems a lot different. On 8.2(1) I would add a NAT rule to translate from inside to outside, e.g. Original 192.168.1.1, inside to Translated 2.3.4.5 outside.

With 9.1, it seems I need a NAT rule in both directions, so that's inside to outside PLUS outside to inside?
