Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
664
Views
10
Helpful
5
Replies

Firewall config move

Go to solution
Patrick McHenry
Level 3
Level 3

‎02-19-2014 01:26 PM - edited ‎03-11-2019 08:47 PM

Hi,

I would like to take a config from a ASA5520 version 8.4(7) and convert it to run on a 5545X version 9.1(1) or higher. Is there a tool I can use to convert the config to match up with the 5545X hardware and software?

Any good docs on the procedure for doing the migration?

Thank you

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
INGENIERIA Y CONSULTORIAS WEBREDES LTDA
Level 1
Level 1

‎02-19-2014 01:52 PM

i recommend you to create the whole configuration from scratch if you don't know the main differences.

but as i see you had an 8.4 config version, must be compatible... so try it!!!

just took attention with the copy with keys... so the whole config transfers the users and passwords of the VPN users.

had a great day . best regards, and rate if you'll find this post useful

View solution in original post

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎02-20-2014 12:31 AM

There are no gotchas to look out for in 9.1.  You can copy paste your configuration straight from 8.4(7).  9.1 introduces support for CX-SSP for ASA 5512-X through 5555-X

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#wp744465

Just copy about 10 lines at a time.  this ensures that there are no copy paste errors, and if you do happen to see an error it is easier to troubleshoot.

Another option is to copy the running-config file using TFTP to the new ASA then copy the running config file to the startup config.  this way is probably the fastest but if you do happen on som errors it is more difficult to troubleshoot...if you ask me that is.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
5 Replies 5

Go to solution
INGENIERIA Y CONSULTORIAS WEBREDES LTDA
Level 1
Level 1

‎02-19-2014 01:52 PM

i recommend you to create the whole configuration from scratch if you don't know the main differences.

but as i see you had an 8.4 config version, must be compatible... so try it!!!

just took attention with the copy with keys... so the whole config transfers the users and passwords of the VPN users.

had a great day . best regards, and rate if you'll find this post useful
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎02-20-2014 12:31 AM

There are no gotchas to look out for in 9.1.  You can copy paste your configuration straight from 8.4(7).  9.1 introduces support for CX-SSP for ASA 5512-X through 5555-X

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#wp744465

Just copy about 10 lines at a time.  this ensures that there are no copy paste errors, and if you do happen to see an error it is easier to troubleshoot.

Another option is to copy the running-config file using TFTP to the new ASA then copy the running config file to the startup config.  this way is probably the fastest but if you do happen on som errors it is more difficult to troubleshoot...if you ask me that is.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Patrick McHenry
Level 3
Level 3
In response to Marius Gunnerud

‎02-20-2014 05:15 AM

Thanks Guys - how about copying from usb to running config? Must I still pay attention to lines not being added?

Thank you

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Patrick McHenry

‎02-20-2014 05:27 AM

I am sure that it is possible, though I have never tried this.  Just keep in mind that not all USB types are supported.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Go to solution
James Leinweber
Level 4
Level 4
In response to Marius Gunnerud

‎02-20-2014 01:48 PM

I'm too chicken to copy to the running config; I import the old syntax to a separate file, copy it to the startup config, reload, and let Cisco convert it live during boot.  Then there is some cleanup and saving to do.   From 8.4 to 9.x you don't have the NAT changes to worry about, so things would probably go mostly OK.  Aside from IPS, the big firewall innovations in 9.x are the v6 ACL's got integrated, so you have new any4 and any6 keywords for mono-protocol traffic, and any is dual-protocol.  You'll probably want to pay attention to that; it made me unify some of my network object-groups and rewrite a bunch of ACLs.  Also, IPsec tunnels can optionally use IKEv2 instead of IKEv2 for negotiations.

-- Jim Leinweber, WI State Lab of Hygiene

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card