I have a cluster of PIX525 with 7.0(4). Some days ago the Primary PIX failed and it was impossible to start it up again.
The failover worked and the PIX Secondary worked ... but this Secondary has a fault and restarts every day at 11:00 AM without apparent reason.
We bought a new ASA cluster, two 5525-X, but these new firewalls have 8.6.1 software ... I know the migration between 7.0 and 8.6 is hard. I was trying, but the configuration of these firewalls is very complex (at least 1500 lines of access-lists).
I know about the differences in static, global, nat and access-list but I would like to have a cookbook or quick reference manual to do this migration.
Is there any tool or suggestion to make this migration?
In addition to Julio's good advice, I would use the opportunity to clean up the access-lists. At 1500 lines there is very likely a fair amount of unused and incorrect entries. Since you were running Pix 525 with 7.0(4) I would guess that those firewalls were not given much "love".
You can use some tools such as Cisco Security Manager and SolarWinds Firewall Service Manager to import your Pix configuration and analyze access-lists for duplicate, shadowed and unused rules. Both of those products have trial versions that you could use to perform analysis of a single firewall.
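Added example, not part of either post and not taken from the tools named above: a small Python pass over a saved PIX configuration that flags access-list entries which are exact duplicates of, or fully covered (shadowed) by, an earlier entry in the same ACL. The sample lines are constructed, the function names are hypothetical, and only `any`, `host A`, `A MASK` and `eq PORT` are handled; unused rules cannot be found this way because hit counters are not in the configuration file.

```python
import ipaddress
# Constructed sample in PIX 7.x syntax (documentation addresses, not from the thread).
SAMPLE = """\
access-list outside_in extended permit tcp any 192.0.2.0 255.255.255.0 eq 80
access-list outside_in extended deny tcp any host 192.0.2.20 eq 80
access-list outside_in extended permit tcp any 192.0.2.0 255.255.255.0 eq 80
access-list inside_out extended permit ip 10.0.0.0 255.0.0.0 any
access-list inside_out extended deny tcp host 10.1.1.5 any eq 25
"""

def take_addr(tok):
    # Consume one address spec from the token list: any | host A | A MASK.
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(first + "/" + tok.pop(0), strict=False)

def parse(line):
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        return None  # remarks, standard ACLs, unrelated commands
    rest = tok[5:]
    try:
        src, dst = take_addr(rest), take_addr(rest)
    except (ValueError, IndexError):
        return None  # object-groups and the like: skip rather than guess
    if rest and not (len(rest) == 2 and rest[0] == "eq"):
        return None  # range/lt/gt/log/icmp-type are outside this sketch
    return {"acl": tok[1], "action": tok[3], "proto": tok[4],
            "src": src, "dst": dst, "port": rest[1] if rest else None}

def covers(a, b):
    # True when every packet rule b can match is already matched by rule a.
    return (a["proto"] in ("ip", b["proto"]) and a["port"] in (None, b["port"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"]))

def audit(config):
    findings, seen = [], {}
    for n, line in enumerate(config.splitlines(), 1):
        rule = parse(line)
        if rule is None:
            continue
        earlier = seen.setdefault(rule["acl"], [])
        hit = next(((m, p) for m, p in earlier if covers(p, rule)), None)
        if hit:
            findings.append((n, "duplicate" if hit[1] == rule else "shadowed", hit[0]))
        earlier.append((n, rule))
    return findings
```

Each finding is `(line number, kind, earlier line number)`; a shadowed `deny` such as line 2 of the sample never takes effect, which is the kind of entry worth reviewing before rewriting the rule base in 8.6 syntax.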