Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4791
Views
0
Helpful
15
Replies

upgrading from cisco pix 515e to asa 5510

donnie
Level 1
Level 1

‎10-03-2010 06:22 AM - edited ‎03-11-2019 11:49 AM

Hi all,

I would like to upgrade my cisco pix 515e ver 6.3(4) to asa5510 ver 8.2(1).

Pls advise if i can export the config from pix515e and import to asa5510 and if the config exported from my pix is usable in my asa5510 straight away or i need to make some changes for the config to work in asa ver8.2(1). Thks in advance.

Labels:
0 Helpful
15 Replies 15

wromsait
Level 1
Level 1

‎10-03-2010 07:34 AM

You won't be able to export the config directly from the pix running 6.3.4 to the asa running 8.2.1.   You would need to upgrade your pix from 6.3.4 to the 7.2 code.  You can follow the procedure below.  Please be aware of the memory requirements. 

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml

Once you are running 7.2 code on the pix, you can use this configuration and reconfigure it for the ASA 8.2.1.   You would need to clean up the configuration to match the interface number on the ASA.  Other than that, the config should be compatible with the ASA 8.2.1.

I hope this helps.

regards,

Wasan Romsaitong

0 Helpful

Shilpa Gupta
Cisco Employee
Cisco Employee

‎10-03-2010 07:38 AM

Hello,

In addition to what Wassan has said, you can also use a pix to asa migration tool.

The following is the link for downloading the tool:-

http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/ciscosecure/pix/PIXtoASAsetup_1_0.exe&app=Tablebuild&status=showC2A

Also you can read more about migration from pix to ASA from the link below:-

http://www.cisco.com/en/US/docs/security/asa/migration/guide/pix2asa.html#wp290854

Thanks,

Shilpa

0 Helpful

Jitendriya Athavale
Cisco Employee
Cisco Employee
In response to Shilpa Gupta

‎10-03-2010 07:54 AM

also things like certificates and keys you might need to generate them again

0 Helpful

donnie
Level 1
Level 1
In response to Shilpa Gupta

‎10-03-2010 09:13 AM

Hi Shilpa,

I most probably will use the tool you mentioned. Can you advise how long it take for the conversion process base on your experience?

0 Helpful

donnie
Level 1
Level 1

‎10-03-2010 08:40 AM

Hi all,

Thk you for your prompt response.

Basically this firewall is used mainly for the following functions. Pls advise if the upgrade will affect the below in terms of config

1)site to site vpn to multiple sites

2)NAT for some internal servers to public ip

3)PAT for internal to external

4)accesslists for incoming and outgoing traffic

0 Helpful

Shilpa Gupta
Cisco Employee
Cisco Employee
In response to donnie

‎10-03-2010 09:36 AM

Hello,

It will not take much time may be less than 15 min's.

Also it will be great if you follow the upgrade path and change the configuration as per the upgrade path. You can upgrade it to 7.x version and then to 8.x.

Take care for the following:-

  • Ensure you have no conduit or           outbound/apply commands in your current           configuration. These commands are no longer supported in 7.x and the upgrade           process removes them. Use the           Conduit           Converter tool in order to convert these commands to access-lists before           you attempt the upgrade.

  • Ensure that PIX does not terminate Point to Point Tunneling Protocol           (PPTP) connections. Software version 7.x currently does not support PPTP           termination.

  • Copy any digital certificates for VPN connections on the PIX before           you start the upgrade process.

  • Plan to perform the migration during downtime. Although the migration           is a simple two step process, the upgrade of the PIX Security Appliance to 7.x           is a major change and requires some downtime.

    The following is the link for reference:-

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808554ed.shtml

    The following the link which explains all changes of commands  and features from 6.x to 7.x:-

    http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html#wp1599386

    I hope it helps.

    • 0 Helpful

    donnie
    Level 1
    Level 1
    In response to Shilpa Gupta

    ‎10-03-2010 05:06 PM

    Hi Shilpa,

    THk you!

    So i will use the pixtoasa conversion tool to load the config from my pix to my asa5510 which is running asa ver 7.2

    Then i will upgrade the asa 5510 from ver7.2 to ver8.2

    Will the process from ver7.2 to ver8.2 make great changes to my asa config such that certain functions may not be workable?

    0 Helpful

    Shilpa Gupta
    Cisco Employee
    Cisco Employee
    In response to donnie

    ‎10-04-2010 12:57 AM

    Hi,

    There is not much difference in configuration commands for 7.x and 8.x versions. When you convert from pix 6.3.4 version to 7.x, you need to configure some things manually.

    You need to make sure of the following:-

    PPTP  VPN is not supported on software versions 7.x. PPTP commands in the  source configuration are marked as comments in the converted  configuration with a note that they are not supported.

    Exporting  certificates is not supported in PIX 6.3. If you have certificates in  your PIX configuration, you must either upgrade to PIX version 8.0 and  export the certificates first, or you must obtain a new certificate  after the conversion process.

    Serial  cable failover is not supported in the ASA platform. Therefore, you  must add LAN failover on the ASA after the migration process.

    Physical  interface exhaustion—A physical interface must always be mapped  one-to-one to a destination physical interface. If interfaces in the  source platform exceed the number of available intehttps://supportforums.cisco.com/post!reply.jspa?message=3193112rfaces available in  the destination platform, such as migrating from a fully equipped  Cisco PIX 535 to an Cisco ASA 5540, those interfaces will be converted  to the 7.x syntax but will keep their original interface names.

    Multiple Context Mode—You must manually convert multiple context mode configurations.

    VLANS  on the Cisco ASA 5505—On an Cisco ASA 5505, the migration tool assigns  VLAN 2 to Ethernet 0/0 and VLAN 1 to all other physical interfaces.  Typically, VLAN 1 and VLAN 2 provide access to inside and outside  interfaces. If you do not assign source interfaces to these VLANs, then  the ASA will not have access to the inside and the outside interfaces.


    Once you have converted configuration from 6.3.4 to 7.2, you can make sure if its fine or not. Once it is done, you can either upload the configuration directly to ASA having 7.2 code and  upgrade the ASA. or you can also use the conversion tool to convert it to 8.x.


    During conversion, you can see some of the warning messages, for e.g.:-

    INFO: PIX to ASA conversion tool $Revision: 1.9 $

    INFO: PIX Version 6.3(4) Removed from config

    INFO: fixup protocol sip udp 5060 Removed from config

    WARNING: The configuration is NOT supported - floodguard enable

    WARNING: Your password is set to all STARS(*) Please Correct before deploying to the new 
device! 'vpdn username cisco password ********* '

    INFO: Cryptochecksum:e136533e23231c5bbbbf4088cee75a5a Removed from config

    INFO: : end Removed from config

    INFO: The destination platform is: asa-5540

    which will tell you what changes has been done and what changes you need to do. For e.g all the passwords will be converted to"*'
    So you need to put the passwords again.

    You can try this method and let me know if you need any help.

    0 Helpful

    donnie
    Level 1
    Level 1
    In response to Shilpa Gupta

    ‎10-06-2010 05:48 PM

    Hi Shilpa,

    Thk you for the advise and apologies for late reply. Can i know what is the difference between single mode and multiple mode in cisco pix?

    0 Helpful

    Shilpa Gupta
    Cisco Employee
    Cisco Employee
    In response to donnie

    ‎10-06-2010 06:40 PM

    Hello,

    The adaptive security appliance runs in a combination of the following modes:

    Transparent firewall or routed firewall mode

    The firewall mode determines if the security appliance runs as a Layer 2 or Layer 3 firewall.

    Multiple context or single context mode

    The security context mode determines if the adaptive security appliance  runs as a single device or as multiple security contexts, which act like  virtual devices.

    You can partition a single security appliance into  multiple virtual devices, known as security contexts. Each context is  an independent device, with its own security policy, interfaces, and  administrators. Multiple contexts are similar to having multiple  standalone devices.

    You can read more about it in the following links:-

    http://www1.cisco.com/en/US/docs/security/asa/asa83/command/reference/cli.html

    http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/contexts.html

    Thanks,

    Shilpa

    0 Helpful

    donnie
    Level 1
    Level 1
    In response to Shilpa Gupta

    ‎10-06-2010 07:39 PM

    Hi Shilpa,

    Thk you. After understanding the differences between the 2 modes i confirm my pix firewall is on single mode though i cannot verify using "show mode" command since my pix is on 6.3(4).

    As my asa 5510 already has some config that i want to maintain and its on ver 8.2(1), do you think its possible to export my pix config to add on to existing asa config at ver8.2(1) using the conversion tool? Thks in advance.

    0 Helpful

    Shilpa Gupta
    Cisco Employee
    Cisco Employee
    In response to donnie

    ‎10-06-2010 10:18 PM

    Hello,

    Yes, you can merge the configuration on ASA.

    When you copy a configuration to the running configuration, you merge           the two configurations. A merge adds any new commands from the new           configuration to the running configuration. If the configurations are the same,           no changes occur. If commands conflict or if commands affect the running of the           context, then the effect of the merge depends on the command. You might get           errors, or you might have unexpected results.

    The following is the reference link:-

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008072142a.shtml#ftp

    And just to be on safer side, keep the back of the configuration which is already present on ASA.

    Thanks,

    Shilpa

    0 Helpful

    donnie
    Level 1
    Level 1
    In response to Shilpa Gupta

    ‎10-06-2010 11:13 PM

    Hi Shilpa,

    Thk you! I will probably forgo the merging to reduce complication. I have tried out the conversion tool which generate a text file. I know how to upload the converted text file to my asa disk:0 using asdm. But how do i copy this text file to the running-config using asdm? Pls advise.

    0 Helpful

    Shilpa Gupta
    Cisco Employee
    Cisco Employee
    In response to donnie

    ‎10-07-2010 07:30 AM

    Hello,

    You can not restore the running-config from ASDM. You need to use CLI.


    Although there are options on ASDM for backup and restore.


    You can specify configurations and images to restore from a zip file on your local  computer. The zip file you choose must be created from the Tools > Backup  configurations option.
     
    You can only restore backups to the same security appliance from which they were  originally made. 
    Also, although you can use the Tools > Backup Configurations option to  back up a running configuration, you cannot use the Tools > Restore Configurations
option to restore it. Instead, unzip and transfer the running-config.cfg file to the  security appliance file system, then use the copy running-config.cfg startup-config
command to restore the startup configuration file. Finally, reboot to load it to memory.


    There is a bug id also for the same. Please find the link below:-


    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsr46204

    Thanks,

    Shilpa

    0 Helpful
    Getting Started

    Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

    Customers Also Viewed These Support Documents
    Review Cisco Networking products for a $25 gift card