Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
788
Views
2
Helpful
1
Replies

Legacy ASA5510 to 2110 Migration

michaelkeller25ctr
Level 1
Level 1

‎04-02-2018 12:30 PM

Hi Everyone,

Hope all is well. I am in the process of migrating a customer's legacy ASA platform (5510) to a new 2110 appliance that will not be leveraging the FTD image - only the ASA image (9.x) with ASDM (7.x). The existing 5510 is currently running ancient software:

Cisco Adaptive Security Appliance Software Version 7.2(4)23

Device Manager Version 5.2(4)52

Is there any way to determine is a direct configuration migration - for the most part - is possible between the platforms? I know you would typically do a step-up for platform on older software, and I have to image this is similar.

Thanks!

Labels:
1 Reply 1

Jonatan Jonasson
Level 4
Level 4

‎04-03-2018 04:29 PM

Hi,


II don't think there is direct configuration migration available in this scenario (not sure,I know there are tools available for ASA to FTD, but that  requires ASA 9.x software), but I've had a similar discussion on this subject before and just to share some of my thoughts on this.


Since you do not plan on using the FTD image, but only the ASA image on the FirePower 2110 appliance, I suggest you look at this like any other ASA upgrade and focus on that perspective. The platform change will be the easier part of this migration.


There are significant changes in configuration and default behaviour between ASA versions 8.2 and 8.3, and then there are again additional configurational changes in version 9.0

For reference take a look at both the two following resources:

https://supportforums.cisco.com/t5/security-documents/asa-8-3-upgrade-what-you-need-to-know/ta-p/3127078

https://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html


Note that the second one states "Due to additional configuration migration in Version 9.0 (see the 9.0 upgrade guide), we suggest that you upgrade to Version 8.4 first, and then to Version 9.0."

And the ASA Upgrade Guide seconds this, stating that ASa version 8.2 and earlier should be upgraded to 8.4(6) and from there to any of the 9.x versions.

(https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html)


If you have a spare 5510, then you could load it with 7.2(4), and then go through the upgrade procedures.

And once you get to 9.x, then you could copy most of the configuration over, interfaces and other platform-specific objects would need to be configured manually.

(Note that there are different memory requirements for the 5510 in 8.3, so if you have a really old appliance you might not be able to upgrade.)


There is (atleast) one caveat with this approach though.

The ASA will try to migrate your configuration when you upgrade from 8.2 or earlier to 8.3/8.4, in my experience; depending on the complexity of your configuration this migration might not work as intended.


So in my mind the solution to your challenge really depends on how complex, or not, the current configuration of this ASA 5510 appliance is.


I know this doesn't directly answer your question but I hope it helps.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card