cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
913
Views
8
Helpful
7
Replies

Replacing PIX 515 with ASA 5510

Kevin Melton
Level 2
Level 2

I have been tasked with swapping out two legacy PIX 515 E's with two recently purchased ASA 5510's.

Is there any prerequisite information that I should be aware of, i.e., are there any special steps or things that I need to do to migrate to the new platform?

My plan was simply to copy the old config off of the PIX's and then paste it into the ASA's...

also the legacy PIX's are in a Failover Pair...we have purchased the licensing for the Failover on the ASA's as well...

Thank You.

7 Replies 7

emad.silicon
Level 1
Level 1

First you have to see the version of your pix to decide if you can copy and past configuration or not , then you have to tell us what the cable type that you install for your failover , last my advice is to configure your both ASA form zero ,there is no othere special steps to do.

Assuming your config is not too large, I find it best to copy/paste one or two sections at a time of the old config into the new device. Some things you can do with bulk copies, like access-lists and static nat entries. Other things you will want to copy/paste more slowly, like vpn configs or other things, just to make sure there are no or few errors.

I've not migrated from PIX to ASA, but I have done many migrations from PIX 6.3(x) to PIX7.x, and that's what i've had the most success with.

(oh, and incase you've been living in a cave, ASA's don't support conduits).

Yeah I came out of the cave years ago: haven't used conduits for quite some time now. I enjoyed your comment.

I think your method is good as well. Thanks for your input. I am going to chop the config into functional sections that I can keep track of in order to transfer the config.

thx

I would say for you get an better idea of migrating from PIX to ASA have a look at this training module provided by Cisco http://www.cisco.com/web/learning/le31/le29/configuring_asa_pix_security_appliances.html

It would solve most of your questions. If your running 6.X code, upgrade it to 7.X first and then you could copy the configuration to the ASA. But just in case you wouldn't be able to upgrade, I guess its going to be the hard way.

-Hoogen

Do rate if this post helps :)

Thanks for your help to this point. I am curious why we have to upgrade code on the old Hardware Platform when in fact the new ASA Hardware is replacing the Legacy Hardware.

..

thx again.

jballowe
Level 1
Level 1

I have done about 20 or so of these upgrades, and the biggest changes from version 6.x to 7.x revolve around 1) interface configuration, 2) VPNs & 3) modular policy framework (ICMP, fixup, etc.) 4) failover

Of those changes, the only element of config that may not properly be migrated after an upgrade would be your VPN configuration - the move to tunnel groups and group policy is a big change and sometimes the ACLs used to identify interesting traffic for crypto maps does not populate properly.

If you are starting from scratch rather than upgrading, all of your object-groups, ACLs, names, NAT configuration and fixup data (though it will be transformed as you enter it ) can be copied and pasted directly. The interface configuration is more like that of traditional IOS and should be very easy to accomplish.

Remember that if you are going to use the management interface to turn off the "management-only" option - that's a nasty gotcha that can be very frustrating when you are sitting there during a maintenance window wondering why that interface won't pass traffic.

Failover is LAN-only - you no longer use a state cable for failover. Rather, you should have a dedicated LAN interface for failover. As such, if you need a DMZ, buy the security plus license for the 5510 so that you will have more than just the inside and outside interfaces available to pass traffic.

Conduits are bad - be sure to convert them to ACLs before moving to the new platform.

Consider using the latest interim release if you run 7.2 instead of the GD release - lots of bugs have been addressed in the interim releases, some of which were pretty nasty.

Hope this helps - good luck!

Great post.

That said, let me make a suggestion here. Do NOT use the latest 7.2 interim release, in fact skip 7.2 altogether if the firewall is terminating site to site VPN traffic.

CSCsi40796 makes VPN tunnel usage a nightmare since the bug manifests itself by tearing down TCP connections that traverse active VPN tunnels.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: