Cisco Support Community

How to move VPN configuration from PIX software version 6.x to PIX/ASA version 7.x

Resolution

In order to move LAN-to-LAN VPN configuration from PIX version 6.3 to PIX/ASA version 7.x, refer to this checklist:

  • In versions 6.x and 7.x, the commands that configure the crypto map, ISAKMP policy, NAT 0 access list and transform set remain the same. These commands can be copied to version 7.x without any changes.

  • In version 6.x, normal IP access lists were used for the crypto map and NAT 0; in version 7.x, extended access lists are used.

  • Version 6.x had no concept of a tunnel group. In version 7.x, use the tunnel-group command in global configuration mode to create and manage the database of connection-specific records for IPsec LAN-to-LAN (ipsec-l2l) tunnels. For LAN-to-LAN connections, the name of the tunnel group must be the IP address of the IPsec peer.

  • In version 6.x, the isakmp key command was used to configure the pre-shared key for a LAN-to-LAN tunnel. In version 7.x, the pre-shared key is configured under the tunnel group. For example:
        

      ISAKMP key configuration for version 6.x

      isakmp key ******** address 192.168.1.52 netmask 255.255.255.255

      ISAKMP key configuration for version 7.x

      tunnel-group 10.10.10.1 type ipsec-l2l
      tunnel-group 10.10.10.1 ipsec-attributes
       pre-shared-key *

Refer to this checklist in order to move VPN client configuration from version 6.x to 7.x:

Version history
Revision #: 1 of 1
Last update: 06-22-2009 04:46 PM
Comments
New Member

Good info. In the Cisco Web pages, the deeply hidden PIXtoASA .exe file will do these fairly seamlessly.