Re: Migrate from ASA to X-Series Next Generation Firewall
To my understanding, as your ASA is already running 8.3 software level, the format changes to the configuration would be minor.
The VPN related problem you might be running into is that (if I remember correctly) 8.3 software still didn't have the "ikev1" keyword in the VPN configurations.
For example, commands like
crypto ipsec ikev1 transform-set
crypto ikev1 policy 10
crypto ikev1 enable
And there might be others also.
You would need to make those kinds of modifications to the configuration before inserting it to the new ASA.
You naturally also have the option to upgrade the current ASA to some 8.4 software level which would be almost identical to the 9.1 configuration format. (9.1 introduced some modifications related to ACL where "any" refers to both IPv4/IPv6 and "any4" IPv4 only and "any6" IPv6 only, if I don't remember wrong.)
I am not sure what you mean by the PSK / Pre-Shared-Key thing. Are you saying that you can't get the current PSKs and don't want to change them for all the connections?
To determine the PSKs (that now show up as *********) you can use this command on the current ASA to view the actual PSKs
more system:running-config
This will let you see all the PSKs (among other things)
Migrate from ASA to X-Series Next Generation Firewall
What is the actual problem?
Was it getting the actual PSKs from the current 8.3 running firewall?
The command I mentioned above should list the PSKs in clear text in the configuration when you run it in the device that is currently in production use.
If you have just used the "show run" command to get the current configuration from the production firewall and inserted that to the new firewall then that means that you have inserted all the PSKs as ******** rather than the actual real PSK.
So if you need to determine the actual PSK for each Tunnel Group then do this:
Issue the "more system:running-config" on the production firewall to get the configuration with the actual PSKs.
Then use that configuration on the test firewall so that the PSKs are migrated correctly.
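Added example, not part of the original posts: a pre-migration check that rewrites old-format IKEv1 lines to the "ikev1" keyword forms quoted in the thread and lists tunnel groups whose PSK was exported masked (as from "show run"). The pre-8.4 left-hand forms, the crypto map and tunnel-group rules, and the sample configuration are assumptions constructed for illustration.

```python
import re

# Old form -> "ikev1" form. The targets of the first two rules are the commands
# quoted in the thread; the old-side patterns and the crypto map rule are assumptions.
TOP_LEVEL_RULES = [
    (re.compile(r"^(crypto ipsec )(transform-set )"), r"\1ikev1 \2"),
    (re.compile(r"^crypto isakmp (policy |enable )"), r"crypto ikev1 \1"),
    (re.compile(r"^(crypto map \S+ \d+ set )(transform-set )"), r"\1ikev1 \2"),
]
TUNNEL_GROUP = re.compile(r"^tunnel-group (\S+) ipsec-attributes")
MASKED = re.compile(r"pre-shared-key \*+\s*$")   # value hidden by "show run"

# Constructed sample, not taken from any real device.
SAMPLE = """\
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key *****
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key ExamplePsk123
"""

def migrate(config):
    """Return (rewritten_config, tunnel_groups_with_masked_psk)."""
    out, masked, section = [], [], ""
    for line in config.splitlines():
        if line and not line[0].isspace():
            section = line                      # unindented line opens a section
        for pattern, repl in TOP_LEVEL_RULES:
            line = pattern.sub(repl, line)
        group = TUNNEL_GROUP.match(section)
        if group and line.strip().startswith("pre-shared-key "):
            line = line.replace("pre-shared-key", "ikev1 pre-shared-key", 1)
        if group and MASKED.search(line):
            masked.append(group.group(1))       # needs the real PSK re-exported
        out.append(line)
    return "\n".join(out), masked

if __name__ == "__main__":
    new_config, masked_groups = migrate(SAMPLE)
    print(new_config)
    for name in masked_groups:
        print(f"WARNING: tunnel-group {name} has a masked PSK; "
              "re-export with 'more system:running-config'")
```

A non-empty list of masked groups means the export came from "show run" and those tunnels would fail to negotiate on the new firewall. Keep the clear-text export in protected storage, since it contains every PSK.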