Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Configuration backup and Site-to-Site VPN and failover questions

Hello,

I am currently in the process of setting up our two new Cisco firewalls (both are 5515-Xs) and have two questions in regards to that, since I'm rather new to ASA configurations.

 

1. I want to use the configuration of our old ASA (5510), which shouldn't be a big problem, but we have several Site-to-Site profiles in use. What happens with the keys that are defined in those?

Do they get reused and I don't have to worry about anything or do I have to inform the sites and set up new connections with new keys?

 

2. I want to use a Active/Standby failover configuration, but I don't know how VPN licenses are handled. I currently have a pack that is assigned to the primary unit, but what do I have to do on the secondary device (if anything) in order for it to use the VPN license when the primary unit is not available? I am under the impression that I can't assign the licenses to a second unit, so does the VPN license get reused much like the configuration, MAC address, etc. in a failover scenario?

 

Thank you for your time.

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Green

1. I want to use the

1. I want to use the configuration of our old ASA (5510), which shouldn't be a big problem, but we have several Site-to-Site profiles in use. What happens with the keys that are defined in those?

Do they get reused and I don't have to worry about anything or do I have to inform the sites and set up new connections with new keys?

You can pull the keys from the configuration using the more system:running-config this should show you the configured keys.

Also keep in mind that depending on the ASA version you are using ( earlier than 8.3 or 8.3 or newer) on the 5510 you may (or may not) have to convert them to the new NAT configuration and ACLs.

2. I want to use a Active/Standby failover configuration, but I don't know how VPN licenses are handled. I currently have a pack that is assigned to the primary unit, but what do I have to do on the secondary device (if anything) in order for it to use the VPN license when the primary unit is not available? I am under the impression that I can't assign the licenses to a second unit, so does the VPN license get reused much like the configuration, MAC address, etc. in a failover scenario?

You will only need the one license since the secondary ASA will share the licenses installed on the primary ASA.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/license/license_management/license.html#wp2136588

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
3 REPLIES
VIP Green

1. I want to use the

1. I want to use the configuration of our old ASA (5510), which shouldn't be a big problem, but we have several Site-to-Site profiles in use. What happens with the keys that are defined in those?

Do they get reused and I don't have to worry about anything or do I have to inform the sites and set up new connections with new keys?

You can pull the keys from the configuration using the more system:running-config this should show you the configured keys.

Also keep in mind that depending on the ASA version you are using ( earlier than 8.3 or 8.3 or newer) on the 5510 you may (or may not) have to convert them to the new NAT configuration and ACLs.

2. I want to use a Active/Standby failover configuration, but I don't know how VPN licenses are handled. I currently have a pack that is assigned to the primary unit, but what do I have to do on the secondary device (if anything) in order for it to use the VPN license when the primary unit is not available? I am under the impression that I can't assign the licenses to a second unit, so does the VPN license get reused much like the configuration, MAC address, etc. in a failover scenario?

You will only need the one license since the secondary ASA will share the licenses installed on the primary ASA.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/license/license_management/license.html#wp2136588

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

Thanks for the answer. Our

Thanks for the answer.

 

Our 5510 is running on 8.2, so does the converting apply here? Is there something I can read regarding this topic?

 

Thanks.

VIP Green

Yes, the new 5515x ASAs will

Yes, the new 5515x ASAs will be shipped with a 9.x image.  So since you are not upgrading the current ASAs, you will need to manually change the NAT and ACL configuration.

The NAT configuration is the biggest change as everything is now object based, NAT exempt has been removed and is replaced by twice NAT.

The following link gives a good indication of the what the new format will look like for the different types of NAT

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Here is another link you can read through:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/nat_overview.html

As for the ACL, since 8.3 we now use the actual (private) IP of a client / server machine instead of the public IP.  So lets say that a server with private IP of 192.168.1.1 is NATed to 1.1.1.1.  You want to allow access to this server so in you ACL that is configured on the outside interface you would configure the private IP as the destination IP and NOT the public IP.

Here is another document that describes migrating to ASA 8.3 and later versions

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
77
Views
5
Helpful
3
Replies
CreatePlease to create content