Ask the Expert: Migration Best Practices for Adaptive Security Appliance 8.3/8.4

ciscomoderator
Community Manager

With: Praveena Shanubhogue

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Migration Best Practices for Adaptive Security Appliance 8.3/8.4 with Praveena Shanubhogue. Learn about best practices while migrating from version 8.2 or before to 8.3 and beyond and ask questions about the new features. Understand bugs or known issues that one needs to be aware of while migrating from 8.2 to 8.3 and beyond.

Praveena Shanubhogue is an engineer in the Cisco Technical Assistance Center in Bangalore, India, specializing in Cisco VPN and Adaptive Security Appliance (ASA) technologies. He has more than 3 years of experience troubleshooting VPN and ASA products. He holds CCIE certification in Security (#29450).

We encourage you to watch the recently published Community Tech-Talk Blog and Video.

Remember to use the rating system to let Praveena know if you have received an adequate response. 

Praveena might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event.  This event is a continuation of the Facebook Forum and lasts through Sept 19, 2012. Visit this forum often to view responses to your questions and the questions of other community members.


Fahad Wasi
Level 1

Hi Parveen,

I had a question: is there a way we can back up the configuration and settings on Cisco routers?

I mean, before migrating from 1 version of Cisco router or ASA to another, can we back up all the configuration to prevent disaster?

What is the name of the OS that we use in ASA firewalls?

Hi Fahad,

1. Yes, there are multiple ways to back up and later restore the config on Cisco ASA. ASDM > Tools has Backup and Restore links.

Also, check out this tool called 'rancid' (http://www.openmaniak.com/rancid_tutorial.php).

2. As I mentioned on the Facebook forum, ASA 7.x was based on PIX OS. And ASA 8.x is a Linux-based OS, which you can call ASA OS. (I don't know of a specific name given to ASA OS.)

-- Praveen

Hi Parveen,

Thanks for your reply, so do we have to connect any storage device with the Router or ASA when taking backup?

Are there USB ports in ASA?

Fahad

Well, you can copy over tftp/ftp/http(asdm).

You can also add additional flash cards, but sorry, no USB.

-- Praveen

Rafael Mendes
Level 2

Hi Praveena,

I have a PIX 515 with IOS version 8.0(3); we bought two ASA 5525-X with IOS 8.6.

What is the better way to proceed with this migration? Manually?

Tks!

Rafael

Hi Praveena,

Is Cisco planning on adding an automated periodical configuration backup for ASAs? Or will this have to be done manually or through a separate script that will do it for you? Why has it not been implemented before on ASA like it is on the Cisco routers?

Considering large network environments with hundreds of firewalls (Security Contexts), this would be a useful option.

Sure, the "show tech" command gets you a backup, but also a lot of extra information you don't need when you just want configuration backups for when disaster strikes.

- Jouni

Hi Jouni,

Have you checked out our Smart-Call home feature, which you can customize to backup the ASA config periodically:

https://supportforums.cisco.com/docs/DOC-14958

More on Smart Call Home:

https://supportforums.cisco.com/docs/DOC-12801

I know you are looking for a built-in tool, but it seems this is it for now.

Then there is a Cisco Works tool called Cisco Security Manager (CSM):

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6498/data_sheet_c78-584863.html

Also, you can use a Perl script to do this (ah yes, not a built-in feature), as mentioned at:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1063700

That is it from us. I would also point out 'rancid', if you are interested:

http://www.openmaniak.com/rancid_tutorial.php

This not only backs up the config, it also diffs the config, which is what the name stands for (apparently it is the 'Really Awesome New CIsco Diff' tool).

-- Praveen

Hi,

Thanks for the reply.

Does the "Call Home" feature work in an ASA that's running in multiple context mode?

It seems to have the default "call-home" configuration under the system context configuration mode, and it also seems it's not possible to configure it under the different security contexts.

So following the instructions given in those documents, would the ASA only send the system context configuration or would it also send all the configurations of the Security Context on the ASA?

And sorry that the question ain't exactly "on topic"

- Jouni

Hey Jouni,

Ah well, I will be honest with you here: I haven't gotten a chance to work on the Smart Call Home feature, but for one, I do know that this is supported on multi-context.

You can add any command to the list, having said that, you can add "more flash:\.cfg" and that should get you the specific context config.

Also, any command added in the snapshot should run in system context AND the regular contexts:

From the config guide:

In multiple context mode, the snapshots command is divided into two commands: one to obtain information from the system context and one to obtain information from the regular context.

HTH

-- Praveen

Well Rafael, you might not like my answer, but I have a workaround for you apart from doing this manually:

0.

1. Get the PIX config.

2. Edit it using an editor like notepad++:

   - replace interface types (ethernet) manually with the corresponding interface types on the new ASAs (gigabit)

   - remove the old 'boot system ..' statement and add the new 'boot system ..' statement

   - remove the 'Crypto Checksum' part from the end.

2. Load it on ASA5525-x's Flash (asdm/tftp/ftp)

3. on ASA5525-x, replace the startup-config with the PIX's config:

   copy flash:/pix-config.txt start

4. Do NOT execute 'write mem'

5. Reload

Now the ASA boxes should come back up with the migrated config.

-- Praveen
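The three text edits from step 2 of the post above can be scripted so they are applied the same way to every saved config; this is an added example, not code from the thread or from Cisco. The interface mapping, the sample config and the boot image name are constructed placeholders; interfaces without a mapping are returned for a manual decision rather than guessed.

```python
import re

# Assumed PIX 515 -> ASA 5525-X port mapping (hypothetical); match your cabling.
INTERFACE_MAP = {"Ethernet0": "GigabitEthernet0/0",
                 "Ethernet1": "GigabitEthernet0/1"}
IFACE_RE = re.compile(r"^interface\s+([A-Za-z]+[\d/]+)(\.\d+)?\s*$")

def prepare_pix_config(text, new_boot_line, interface_map=INTERFACE_MAP):
    """Return (edited_config, unmapped_interfaces) for a saved PIX config."""
    out, unmapped, boot_done = [], [], False
    for line in text.splitlines():
        if line.startswith("Cryptochecksum:"):
            continue                      # drop the checksum trailer
        if line.startswith("boot system "):
            if not boot_done:             # swap the first, drop any others
                out.append(new_boot_line)
                boot_done = True
            continue
        m = IFACE_RE.match(line)
        if m:
            base, sub = m.group(1), m.group(2) or ""
            if base in interface_map:
                line = "interface " + interface_map[base] + sub
            else:
                unmapped.append(base + sub)   # needs a manual decision
        out.append(line)
    if not boot_done:  # no old statement: add it ahead of a trailing ": end"
        pos = len(out) - 1 if out and out[-1].strip() == ": end" else len(out)
        out.insert(pos, new_boot_line)
    return "\n".join(out) + "\n", unmapped

# Constructed sample input, not a real device configuration.
SAMPLE_PIX = """\
PIX Version 8.0(3)
hostname pix515
interface Ethernet0
 nameif outside
interface Ethernet1.10
 nameif inside
interface Ethernet2
 shutdown
boot system flash:/pix803.bin
Cryptochecksum:00000000000000000000000000000000
: end
"""
# Placeholder image name: use the file actually present on the ASA's flash.
NEW_BOOT = "boot system disk0:/ASA-IMAGE-PLACEHOLDER.bin"
if __name__ == "__main__":
    print(*prepare_pix_config(SAMPLE_PIX, NEW_BOOT), sep="\n")
```

Keep the untouched PIX file alongside the edited one so the two can be diffed before the edited copy is loaded onto the ASA.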

Can I migrate directly from 8.2 to 8.4 version?

I know there is some new NAT statement in place and some other things. Other than that, if I do this migration it should work fine ..... Please give me your suggestion.

thanks in advance

Hi Shine,

Sure, you can migrate from any older version directly to 8.4, provided the system meets the memory requirements.

The major changes that stand out are NAT and Real-IP usage in filter ACLs (rather than using the translated IP); however, these are taken care of, i.e. the ASA OS post-8.3 has a built-in config migrator that does a good job.

Please read these:

https://supportforums.cisco.com/docs/DOC-12690

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

HTH

-- Praveen
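To see before the upgrade which access-list entries the Real-IP change mentioned above will touch, the saved 8.2 config can be scanned for ACL entries that name a static-NAT mapped address. This is an added example, not code from the thread or from Cisco; it covers only host statics (`netmask 255.255.255.255`), the sample config is constructed, and its output is a review list to compare against what the built-in migrator produces.

```python
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"
# 8.2 host static: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(r"^static \(\S+,\S+\) " + IP + " " + IP +
                       r" netmask 255\.255\.255\.255\b")
ACL_HOST_RE = re.compile(r"\bhost " + IP)

def acl_entries_on_mapped_ip(config):
    """Return (acl_line, line_with_real_ip) for ACL entries that name a
    static-NAT mapped address, which 8.3+ expects as the real address."""
    lines = [l.strip() for l in config.splitlines()]
    mapped_to_real = {}
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            mapped_to_real[m.group(1)] = m.group(2)
    hits = []
    for line in lines:
        if not line.startswith("access-list "):
            continue
        # swap each mapped host address for its real one; others stay as-is
        rewritten = ACL_HOST_RE.sub(
            lambda m: "host " + mapped_to_real.get(m.group(1), m.group(1)), line)
        if rewritten != line:
            hits.append((line, rewritten))
    return hits

# Constructed sample in pre-8.3 syntax, using documentation address ranges.
SAMPLE_82 = """\
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.20 172.16.1.20 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.20 eq smtp
access-list outside_in extended permit icmp any host 203.0.113.30
access-list inside_out extended permit ip host 192.168.1.10 any
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    for before, after in acl_entries_on_mapped_ip(SAMPLE_82):
        print("8.2 :", before)
        print("8.3+:", after)
```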

Hi Parveen,

The link http://www.openmaniak.com/rancid_tutorial.php that you quoted is about ASA migration?

Can I ask you questions about this article?

Thanks

Hey Fahad,

I haven't used that tool myself, but yeah sure, please go ahead and ask. If I know, I will for sure answer or at least give some pointers.

-- Praveen
