We have procured an ASA 5585 S20X, that will replace our existing ASA & the FWSM. We have some 21 contexts to be migrated from the FWSM to the new ASA box. Does the Cisco migration procedure provided in the documentation "fwsm2asasm" suffice for our needs, or is this only for the ASA Service Modules?
That tool is only for migration to the ASA SM which uses VLAN interfaces like the FWSM does.
An ASA 5585 with 21 contexts is going to have to use some combination of physical Ethernet ports and logical subinterfaces (and possibly Etherchannels) and will require a non-trivial amount of engineering effort to migrate the contexts manually.
You may get some utility from the tool (NAT migration if you're doing NAT on your FWSM) but I'd be very careful just dropping it in as-is with tweaks to account for interfaces vs. VLANs. Consider, for example, how the ASA access-lists are applied to interface names.
Personally I'm not aware of any best practices / guides. Our take (as a Cisco partner) would be to approach it as an engineering task and apply some old fashioned manual configuration skills by an experienced security expert to the job.
I'd perhaps run the tool and just use that as an offline starting point for the migration effort.
I have migrated an FWSM with around 100 Security Contexts to an ASA5585-X SSP-20.
I would first suggest you start by planning the setup of the new ASA in the network. As you know the FWSM is directly connected to another device as a separate module while the ASA is its own device. Therefore you have to check what the current bandwidth usage through the FWSM is and plan the connection to the network accordingly so that the ASA doesn't become a bottleneck in the network.
Though I imagine this has already been done before acquiring the ASA. The FWSM to my understanding has fairly higher throughput than most ASA models other than the ASA5585-X higher end models and 5580 models. The FWSM also benefits from being directly attached to your core device.
As Marvin already mentioned, you are probably going to use Trunk interfaces or Trunk with Port-Channel configuration. Naturally the fact of whether you have the 10G I/O license might also factor into some choices made.
Naturally when you begin the project of replacing the FWSM with the ASA you should first go through all the Security Contexts and possibly rest of the network to really understand what is required from the new ASA. After this you should be able to easily produce the correct configurations for the new ASA. Usually this is something that has already been done as you might have maintained the FWSM environment for a long time and know it in and out already.
You could then probably separate each Security Context's configuration into its own file and migrate the configurations manually one by one. You could also go through the required steps to eventually direct the traffic to the ASA instead of the FWSM.
You will probably be able to install the ASA in the network and create all the Security Contexts on the ASA with full configurations before you really migrate any Security Context from the original FWSM. The actual migration process might be as simple as shutting down / enabling interfaces/ports, changing routes and moving IP addresses between interfaces. Naturally this requires that you have a good understanding of how everything works.
I essentially did the migration in the following steps:
1. Chose the correct ASA for our needs and planned how it was to be connected to the network
2. Prepared the actual ASA in our datacenter, connected it to the network and enabled remote management
3. As all the Security Contexts were separate customer firewalls, I went through them one by one and built complete migration configurations needed for all the steps
4. Migrated firewall configuration
5. Steps to move the LAN, DMZ and WAN connections/interfaces from FWSM to ASA
6. Created around 10-30 migration configurations and performed migration during major maintenance breaks
The above served me well at least. I think I ran into 2-3 minor problems where the actual problem was related to a typo. Once it was forgetting to enable default route propagation advertisement in the network as the core device had changed. One was having a typo in NAT configuration.
I would also suggest that you also use the Cisco Support Community (just like at the moment) and ask if you run into some problems with migrating some configurations like the NAT configurations. There is usually someone that can help with those.
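The two points raised above, that FWSM contexts live on VLAN interfaces while the ASA 5585 needs physical ports or subinterfaces, and that ASA access-lists are bound to interface names that must still exist after the move, can be checked mechanically. The following is an added example, not the Cisco tool or either poster's configuration; the context config, the parent port name TenGigabitEthernet0/8 and the interface names are all constructed for illustration.

```python
import re

# Constructed sample of a single FWSM security-context config (not a real customer config).
# The 'dmz' access-group binding is deliberately dangling to show what the check catches.
FWSM_CONTEXT = """\
interface Vlan100
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan200
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
access-list OUT_IN extended permit tcp any host 10.10.0.5 eq 443
access-group OUT_IN in interface outside
access-group DMZ_IN in interface dmz
"""


def migrate_interfaces(config, parent="TenGigabitEthernet0/8"):
    """Rewrite each 'interface VlanN' stanza into an ASA subinterface
    'interface <parent>.N' carrying 'vlan N' (trunked to the parent port).
    Every other line (nameif, security-level, ip address, ACLs) is passed
    through unchanged, so the nameif bindings survive the rewrite."""
    out = []
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)$", line)
        if m:
            vid = m.group(1)
            out.append(f"interface {parent}.{vid}")
            out.append(f" vlan {vid}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def check_access_groups(config):
    """Return interface names referenced by 'access-group ... interface X'
    that have no matching 'nameif X' in the config: ACL bindings that would
    fail or silently protect nothing after a context is moved."""
    nameifs = set(re.findall(r"^\s*nameif (\S+)", config, re.M))
    bound = re.findall(r"^access-group \S+ (?:in|out) interface (\S+)", config, re.M)
    return sorted(set(bound) - nameifs)
```

Run over each context file in turn; a non-empty result from check_access_groups means that context's ACL bindings need attention before cut-over.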