Migrate from ASA to X-Series Next Generation Firewall

limlayhin
Level 1

Hi All,

I have a firewall running on an ASA 5520. There is a need to do a Tech Refresh to the X-Series as the model is EOS and is going to be EOL soon.

I have hundreds of VPN accounts, running on IKEv1, using Cisco IPSec VPN Clients.

Are there any migration tools that can help me convert my current configuration to the new firewall configuration?

Current ASA 5520 version is 8.3.

The new X-Series will be running 9.1.

I tried copying and pasting the configuration from the ASA 5520 to the X-Series (I have a testing X-Series ASA now), but the preshared password is not the same.

I don't want to reset all my hundreds of users' preshared keys; there must be another, smarter way to do that.

Any help is much appreciated.

Thanks in advance.



Jouni Forss
VIP Alumni

Hi,

To my understanding, as your ASA is already running the 8.3 software level, the format changes to the configuration would be minor.

The VPN-related problem you might be running into is that (if I remember correctly) 8.3 software still didn't have the "ikev1" keyword in the VPN configurations.

For example, commands like:

crypto ipsec ikev1 transform-set

ikev1 pre-shared-key

crypto ikev1 policy 10

crypto ikev1 enable

crypto map set ikev1 transform-set

And there might be others also.

You would need to make those kinds of modifications to the configuration before inserting it into the new ASA.

You naturally also have the option to upgrade the current ASA to some 8.4 software level, which would be almost identical to the 9.1 configuration format. (9.1 introduced some modifications related to ACLs where "any" refers to both IPv4/IPv6, "any4" to IPv4 only and "any6" to IPv6 only, if I don't remember wrong.)

I am not sure what you mean by the PSK / Pre-Shared-Key thing. Are you saying that you can't get the current PSKs and don't want to change them for all the connections?

To determine the PSKs (that now show up as *********) you can use this command on the current ASA to view the actual PSKs:

more system:running-config

This will let you see all the PSKs (among other things).

- Jouni

Hi,

Thanks for the reply.

A sample of my config:

tunnel-group LAYHIN-VPNACCESS type remote-access
tunnel-group LAYHIN-VPNACCESS general-attributes
 address-pool layhin-ippool
 authentication-server-group AASERVER
 default-group-policy LAYHIN-VPNACCESS
tunnel-group LAYHIN-VPNACCESS ipsec-attributes
 ikev1 pre-shared-key *****

Every vpn user has their own tunnel-group.

Hi,

What is the actual problem?

Was it getting the actual PSKs from the current 8.3 running firewall?

The command I mentioned above should list the PSKs in clear text in the configuration when you run it on the device that is currently in production use:

more system:running-config

If you have just used the "show run" command to get the current configuration from the production firewall and inserted that into the new firewall, then that means that you have inserted all the PSKs as ******** rather than the actual real PSK.

So if you need to determine the actual PSK for each Tunnel Group, then do this:

  • Issue the "more system:running-config" on the production firewall to get the configuration with the actual PSKs
  • Then use that configuration on the test firewall so that the PSKs are migrated correctly

- Jouni
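To tie the two replies above together (the "ikev1" keyword changes from the first reply and the masked-PSK problem from the "show run" vs "more system:running-config" discussion), here is an added example script. It is not from this thread and not a Cisco tool; it assumes a text export of the running configuration is available as a string, and the sample config inside it is constructed for the demonstration. It does two things: it reports every tunnel-group whose pre-shared-key is still masked with asterisks (meaning the export came from "show run" and will not migrate the real key), and it rewrites the 8.3-style isakmp/transform-set commands into the ikev1 syntax the first reply lists.

```python
import re

# Constructed sample: what an 8.3 "show running-config" export might look like
# for one remote-access tunnel group. The PSK is masked, exactly the symptom
# described in the thread. This is example data, not a real device export.
SAMPLE_83_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYN 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group LAYHIN-VPNACCESS type remote-access
tunnel-group LAYHIN-VPNACCESS general-attributes
 address-pool layhin-ippool
 authentication-server-group AASERVER
 default-group-policy LAYHIN-VPNACCESS
tunnel-group LAYHIN-VPNACCESS ipsec-attributes
 pre-shared-key *****
"""

# 8.3 -> 8.4/9.x command renames named in the thread. Each pattern is anchored
# at the start of a line (after indentation) so already-converted lines that
# contain "ikev1" are left alone; running the conversion twice is a no-op.
IKEV1_RENAMES = [
    (re.compile(r"^(\s*)crypto ipsec transform-set ", re.M),
     r"\1crypto ipsec ikev1 transform-set "),
    (re.compile(r"^(\s*)crypto isakmp policy ", re.M),
     r"\1crypto ikev1 policy "),
    (re.compile(r"^(\s*)crypto isakmp enable ", re.M),
     r"\1crypto ikev1 enable "),
    (re.compile(r"^(\s*crypto (?:dynamic-)?map \S+ \d+ set )transform-set ", re.M),
     r"\1ikev1 transform-set "),
    (re.compile(r"^(\s*)pre-shared-key ", re.M),
     r"\1ikev1 pre-shared-key "),
]

TUNNEL_IPSEC_RE = re.compile(r"tunnel-group (\S+) ipsec-attributes$")
PSK_RE = re.compile(r"(?:ikev1 )?pre-shared-key (\S+)$")


def convert_to_ikev1_syntax(config: str) -> str:
    """Rewrite 8.3-style IKEv1 commands into the ikev1-keyword syntax."""
    for pattern, replacement in IKEV1_RENAMES:
        config = pattern.sub(replacement, config)
    return config


def find_masked_psks(config: str) -> list:
    """Return tunnel-group names whose PSK is only asterisks.

    A masked key means the export came from "show run"; the real key must be
    taken from "more system:running-config" before migrating.
    """
    masked = []
    current_group = None
    for line in config.splitlines():
        stripped = line.strip()
        m = TUNNEL_IPSEC_RE.match(stripped)
        if m:
            current_group = m.group(1)
            continue
        if stripped.startswith("tunnel-group "):
            current_group = None  # a general-attributes or type line, not ipsec
            continue
        m = PSK_RE.match(stripped)
        if m and current_group and set(m.group(1)) == {"*"}:
            masked.append(current_group)
    return masked


if __name__ == "__main__":
    for group in find_masked_psks(SAMPLE_83_CONFIG):
        print(f"tunnel-group {group}: PSK is masked, re-export with "
              f"'more system:running-config'")
    print(convert_to_ikev1_syntax(SAMPLE_83_CONFIG))
```

Run the masked-PSK check on the export before pasting anything into the new unit; only when it reports nothing does the converted text carry the real keys. The rename list covers just the commands named in this thread, so any other 8.3 syntax still needs a manual review against the 9.1 configuration guide.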

Hi Jouni,

You are right, using "more system:running-config" allows me to see the pre-shared keys of my VPN users.

It solves half of my problem; at least I don't need to tell my users that their password will be reset.

Nevertheless, I will have to configure all my 300 users' passwords one by one.

I was trying to see whether there is any other better way :-)

Hi,

You should be able to insert the same username/password configurations from the current ASA into the new ASA.

If you mean the below configuration lines from the current ASA:

username password encrypted privilege

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed though.

- Jouni

Hi,

Now I catch the idea.

Thank you for your patience.
