709 Views, 0 Helpful, 4 Replies

Best method to migrate PIX config to ASA

johnkellyie
Level 1

Hi,

I have an old PIX 515E that I want to migrate over to an ASA 5512X. The PIX is on 6.3(4) and the ASA is at factory settings, so I can downgrade it to whatever is necessary for a smooth migration.

What's the best path for this migration?

4 Replies

Jouni Forss
VIP Alumni

Hi,

The new ASA5500-X Series don't support any software below the 8.6(1) version. So you will not be able to have a configuration directly migrated from PIX to the new ASA.

The biggest change will be the NAT configurations and depending if you are using VPN on the PIX it will probably also have some changes.

If your configuration isn't large it might also be possible that someone here could provide you with the required new configurations. For example the NAT shouldn't be that hard for us to convert to the new format for you if that is the biggest problem at the moment for you.

- Jouni

Thanks Jouni. The PIX has a lot of site2site VPNs on it. So the preshared keys and all are the most important part to retain. If I send the PIX config to a TFTP server, then update the NAT lines, should that be the only change between 6.3 and the later versions?

Hi,

It seems to me that the command that is supported on the ASA (both old and new) is not supported on the 6.x series software so you can not use that to show the PSKs in clear text.

The VPN configuration format has gone through some changes also so that can not be copied directly either.

The NAT is usually the biggest change but there is also the ACLs to consider. In your current software and all the way to the latest 8.2 software when you configured a NAT for your server to the public network you would always allow the traffic towards that public NAT IP address in the external ACL.

In the newer software (8.3 and newer) you always allow the traffic to the local/real IP address even if you are doing NAT. So this fact most likely means at least some changes to your interface ACL configurations if you host some servers with the use of NAT.

- Jouni

Hi Jouni,

I am setting up the 5512X now. It's on 9.1(2). The NAT seems to be a lot different from what I am used to on the 5510 I have here. (it's on 8.2(1))

I am used to management via the GUI, and the NAT setup seems a lot different. On 8.2(1) I would add a NAT rule to translate from inside to outside. Eg. Original 192.168.1.1, inside to Translated 2.3.4.5 outside.

With 9.1, it seems I need a NAT rule in both directions, so that's inside to outside PLUS outside to inside?
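The NAT and ACL change Jouni describes above (a pre-8.3 `static` translation whose inbound ACL permits traffic to the public address, versus 8.3+ object NAT whose ACL must reference the real address), and the single-rule form relevant to the 9.1 question in the last post, as an added Python example that is not part of this thread or of any Cisco tool. It converts only one-to-one `static (real_if,mapped_if) MAPPED REAL` entries and rewrites `host MAPPED` in `access-list` lines to the real address; the `obj-<real-ip>` object names and the sample configuration fragment are constructed for the example.

```python
"""Convert pre-8.3 one-to-one static NAT plus its ACL references to ASA 8.3+ object NAT.

Added example, not code from the thread or from Cisco. Scope is deliberately
narrow: /32 static translations and ACL entries that name the mapped address
with `host`. PAT, policy NAT, network statics and network objects in ACLs are
not handled and are left untouched for manual review.
"""
from __future__ import annotations

import re

# Constructed sample of a pre-8.3 (PIX 6.3 / ASA 8.2) configuration fragment.
OLD_CONFIG = """\
static (inside,outside) 2.3.4.5 192.168.1.1 netmask 255.255.255.255
static (inside,outside) 2.3.4.6 192.168.1.2 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 2.3.4.5 eq www
access-list outside_access_in extended permit tcp any host 2.3.4.6 eq 25
access-list outside_access_in extended permit icmp any host 2.3.4.5
access-group outside_access_in in interface outside
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
STATIC_RE = re.compile(
    rf"^static \((?P<real_if>\S+),(?P<mapped_if>\S+)\) "
    rf"(?P<mapped>{IPV4}) (?P<real>{IPV4})(?: netmask 255\.255\.255\.255)?\s*$"
)


def parse_statics(config: str) -> dict[str, tuple[str, str, str]]:
    """Return {mapped_ip: (real_ip, real_if, mapped_if)} for each /32 static line."""
    statics: dict[str, tuple[str, str, str]] = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            statics[m["mapped"]] = (m["real"], m["real_if"], m["mapped_if"])
    return statics


def object_nat(real: str, real_if: str, mapped_if: str, mapped: str) -> list[str]:
    """Emit the 8.3+ object NAT form. A static object NAT rule translates in both
    directions, so one rule per host replaces the old `static` line."""
    return [
        f"object network obj-{real}",  # hypothetical naming convention
        f" host {real}",
        f" nat ({real_if},{mapped_if}) static {mapped}",
    ]


def rewrite_acl(line: str, statics: dict[str, tuple[str, str, str]]) -> tuple[str, bool]:
    """Point `host MAPPED` in an ACL line at the real address (8.3+ semantics).

    Inbound ACLs on the mapped interface name the server as the destination, so
    substituting the mapped host address is what the version change requires.
    Returns the rewritten line and whether anything changed."""
    changed = False
    for mapped, (real, _, _) in statics.items():
        new = re.sub(rf"\bhost {re.escape(mapped)}\b", f"host {real}", line)
        if new != line:
            line, changed = new, True
    return line, changed


def migrate(config: str) -> list[str]:
    """Return the 8.3+ style lines: object NAT blocks first, then the remaining
    lines with `static` entries dropped and ACL destinations rewritten."""
    statics = parse_statics(config)
    out: list[str] = []
    for mapped, (real, real_if, mapped_if) in statics.items():
        out.extend(object_nat(real, real_if, mapped_if, mapped))
    for line in config.splitlines():
        if STATIC_RE.match(line):
            continue  # replaced by the object NAT block above
        if line.startswith("access-list "):
            line, _ = rewrite_acl(line, statics)
        out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(migrate(OLD_CONFIG)))
```

Run it against a saved pre-8.3 configuration to get a first draft of the object NAT and ACL lines; anything the regexes do not match (PAT, policy NAT, object-group references) passes through unchanged and still needs a manual conversion.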
