topic Migrate from ASA to X-Series Next Generation Firewall in Network Security

Migrate from ASA to X-Series Next Generation Firewall

limlayhin — Tue, 12 Mar 2019 02:31:59 GMT

Hi All,

I have firewall running on ASA 5520 Firewall. There is a need to do Tech Refresh to X-Series as the model is EOS and going to be EOL soon.

I have hundreds of VPN accounts, running on IKEv1, using Cisco IPSec VPN Clients.

Is there any migration tools that can help me converting my current configuration to the new firewall configuration?

Current ASA 5520 version is 8.3.

New X-Series will be running on 9.1

I tried copy and paste configuration from ASA5520 to X-Series (I have a testing X-Series ASA now), but the preshared password is not the same.

I don't want to reset all my hundreds over users preshared key, there must be other smarter way to do that.

Any help is much appreciated.

Thanks in advance.

Re: Migrate from ASA to X-Series Next Generation Firewall

Jouni Forss — Thu, 29 Aug 2013 07:11:29 GMT

Hi,

To my understanding as your ASA is already running 8.3 software level the format changes to the configuration would be minor.

The VPN related problem you might be running into is that (if I remember correctly) 8.3 software still didnt have the "ikev1" keyword in the VPN configurations.

For example commands like

crypto ipsec ikev1 transform-set

ikev1 pre-shared-key

crypto ikev1 policy 10

crypto ikev1 enable

crypto map set ikev1 transform-set

And there might be others also

You would need to make those kind of modifications to the configuration before inserting it to the new ASA.

You naturally also have the option to upgrade the current ASA to some 8.4 software level which would be almost identical to the 9.1 configuration format. (9.1 introduced some modifications related to ACL whre "any" refers to both IPv4/IPv6 and "any4" IPv4 only and "any6" IPv6 only if I dont remember wrong)

I am not sure what you mean by the PSK / Pre-Shared-Key thing. Are you saying that you can't get the current PSKs and dont want to change them for all the connections.

To determine the PSKs (that now show up as *********) you can use this command on the current ASA to view the actual PSKs

more system:running-config

This will let you see all the PSKs (among other things)

- Jouni

Migrate from ASA to X-Series Next Generation Firewall

limlayhin — Thu, 29 Aug 2013 07:22:36 GMT

Hi,

Thanks for the reply.

A sample of my config:

tunnel-group LAYHIN-VPNACCESS type remote-access

tunnel-group LAYHIN-VPNACCESS general-attributes

address-pool layhin-ippool

authentication-server-group AASERVER

default-group-policy LAYHIN-VPNACCESS

tunnel-group LAYHIN-VPNACCESS ipsec-attributes

ikev1 pre-shared-key *****

Every vpn user has their own tunnel-group.

Migrate from ASA to X-Series Next Generation Firewall

Jouni Forss — Thu, 29 Aug 2013 07:55:12 GMT

Hi,

What is the actual problem?

Was it getting the actual PSKs from the current 8.3 running firewall?

The command I mentioned above should list the PSKs in clear text in the configuration when you run it in the device that is currently in production use.

more system:running-config

If you have just used the "show run" command to get the current configuration from the production firewall and inserted that to the new firewall then that means that you have inserted all the PSKs as ******** rather than the actual real PSK

So if you need to determine the actual PSK for each Tunnel Group then do this

Issue the "more system:running-config" on the production firewall to get the configuration with the actual PSKs
Then use that configuration on the test firewall so that the PSKs are migrated correctly

- Jouni

Migrate from ASA to X-Series Next Generation Firewall

limlayhin — Thu, 29 Aug 2013 08:04:32 GMT

Hi Jouni,

You are right, using "more system:running-config" allow me to see the pre-shared key of my vpn users.

It solve half of my problem, at least I don't need to tell my users that their password will be reset.

Nevertheless, I will have to configure all my 300 users password one by one.

I was trying to see whether there is any other better way 🙂

Migrate from ASA to X-Series Next Generation Firewall

Jouni Forss — Thu, 29 Aug 2013 08:11:50 GMT

Hi,

You sould be able to insert the same username/password configurations from the current ASA to the new ASA.

If you mean the below configuration lines from the current ASA.

username password encrypted privilege

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed though.

- Jouni

Migrate from ASA to X-Series Next Generation Firewall

limlayhin — Thu, 29 Aug 2013 08:13:53 GMT

Hi,

Now I catch the idea.

Thanks you for your patience.