Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Firewalls Community


Cisco ASA to ASA Migration


How to Migrate Cisco ASA 5580 (8.2) to Cisco ASA 5585 (9.1), 

Cisco ASA versions are different, I would like to know how can we migrate one version to another version with another device,


Client wants to replace ASA 5580 with ASA 5585 or ASA x series firewall, 

different ASA has different capibilities, so is it possible to migrate one device configuration to another device which is next generation firewall ?



It's possible but not

It's possible but not necessarily desirable.

* You can't directly upgrade 8.2 to 9.1, and the newer devices may not support anything older than, say, 8.6, so unless you have spare test hardware it may be infeasible.  Even if you do have spare hardware you will have to go through multiple intermediate upgrades.

* Firmware 8.3 radically changes the NAT design; you might not like the automatic upgrade version.

* Firmware 9.0 unifies v4 and v6 access-lists, changing the meaning of the "any" keyword.  Again, you might not like the automatic upgrade version.

When I was upgrading from 8.2 on a 5520 to 9.0 (currently 9.4) on a 5525-x a while back, I ended up rewriting my configurations from scratch, and was much happier with that approach.

Hall of Fame Master

I have had good luck by using

I have had good luck by using a combination of tools.

There is a great utility at for NAT migration. I have used it on several larger upgrades without any problem. That's in contrast to the Cisco configuration parser which does a poor job at that function. they also have a cleanup tool to help identify unused objects and other bits that can be safely deleted.

If you're a partner, Cisco has a migration tool available at Unfortunately it doesn't support the 5585 platform. However, you can sometimes "fool" it into supporting your configuration as long as you don't use any features specific to your hardware platform.

Hi Marvin, 

Hi Marvin, 

I would like to know that if I want to migrate Cisco ASA 5580 to Cisco ASA 5585x , what will be the procedure I do not have device version concern, i have question regarding device model, because if two devices are different, so how can i migrate my old configuration to new one? how can i enhance my knowledge about Cisco ASA Firewall Series for Migration from one device to another?

Hall of Fame Master

Your concern should be about

Your concern should be about the device version because that is where 95% of the issues arise.

The hardware model only gives us issue where the new hardware does not have the same interface numbering as the one that is being replaced. In that case, the new interface numbers must be mapped to the old and the configuration file updated to reflect this change.

Other than that, it's mostly about syntax and associated behavior changes between versions - primarily in the area of NAT rules and access-lists in the case of an ASA migration.

You do need to make sure any licensing (Security Plus, cluster, AnyConnect etc.) that is being used on the existing hardware has also been purchased and applied to the new unit prior to loading the configuration.


Hello Guys,

Hello Guys,

do we have documents on best practices when we migrate a layer 3 ASA to layer 2 mode?

As you know this is the major design changes , does Cisco has any doco which can help us ?

I couldn't find anything on this. 

Hall of Fame Master

@prashant dwivedi  ,

LNCT_sati1985  ,

I've never seen such a document. I doubt there is one since it is a very unusual sort of migration and would reflect a fundamental change in the implementation that I've never seen any customer undertake.

Thanks mate. We are in the

Thanks mate. We are in the process of migrating layer 3 ASA with FTDs cluster - Layer 2.