06-25-2012 07:36 AM - edited 03-11-2019 04:22 PM
We are helping a client move from PIX 525 to ASA 5585-X, SSP10. This is a production environment and a very critical migration. Has someone done this and could provide a step-by-step procedure? What are the gotchas which we should be aware of?
Thanks for all your help in advance.
NG
06-25-2012 07:44 AM
Hi Naveen,
What version of ASA are you using? You would first need to convert the configuration from PIX to ASA 8.2, and from there you can take it to higher codes like 8.3 or later. There's a PIX to ASA migration tool available on cisco.com; you can download it from there.
Thanks,
Varun Rao
Security Team,
Cisco TAC
06-25-2012 08:00 AM
We plan on moving to 8.4(4.1).
Could you point me to the conversion tool?
Is the conversion tool reliable enough to have a tech do it by himself?
Or does he need to have a sound knowledge of ASA software?
06-25-2012 08:24 AM
Hi Naveen,
Here is the tool for conversion:
Your plan of action should be to first install version 8.2.x on your ASA, convert the config from PIX to ASA using the tool, apply the config on the ASA, and then upgrade the ASA to version 8.4.4.1. The ASA would convert the config from 8.2.x to 8.4.4.1 itself, since there are some NAT and ACL changes from 8.3 and later.
Yes, you would need a person with sound knowledge of ASA, who can test things at every step.
Thanks,
Varun Rao
Security Team,
Cisco TAC
07-13-2012 12:36 PM
The PIX version is 7.2(4). It looks like it's only the interface change, as PIX and ASA 7.2 are not that different. I don't see any benefit of this tool for PIX running 7.x and higher.
07-14-2012 11:07 PM
Hi Bro
I have done tons of this type of migration. The only problem you'll face is this: since you're maintaining the same configuration but changing the chassis, you MAY encounter ARP issues. I face this all the time.
This is because, when you change chassis, and the interface IP remains the same, the LAN switch is going to see 2 different MAC addresses for the same IP Address. Please be sure to clear the ARP TABLE on all directly connected LAN switches.
Don't be fooled, as I've failed this exercise a few times in the past due to ARP. After I swapped the chassis, I didn't clear the ARP TABLE, thinking it was not necessary, but I learnt this the hard way :-)
Good luck bro!
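An added example, not part of the post above: a post-cutover check that parses a directly connected switch's `show ip arp` output and reports entries still pointing at the old chassis MAC. The sample output, IP addresses, MAC addresses and function names are constructed for illustration.

```python
import re

# One data row of Cisco IOS "show ip arp" output, e.g.
# Internet  192.0.2.1   37   0011.2233.4455  ARPA   Vlan10
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<intf>\S+)"
)

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_arp(text):
    """Return {ip: (mac, interface)}; header and Incomplete rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m["ip"]] = (normalize_mac(m["mac"]), m["intf"])
    return table

def stale_entries(switch_arp_text, new_fw_macs):
    """List (ip, cached_mac, expected_mac, interface) for firewall IPs
    whose cached MAC on the switch differs from the new chassis MAC."""
    table = parse_arp(switch_arp_text)
    stale = []
    for ip, expected in sorted(new_fw_macs.items()):
        if ip in table:
            cached, intf = table[ip]
            if cached != normalize_mac(expected):
                stale.append((ip, cached, normalize_mac(expected), intf))
    return stale

# Constructed sample: switch ARP table captured right after the chassis swap.
SAMPLE_SWITCH_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1              37   0011.2233.4455  ARPA   Vlan10
Internet  192.0.2.20              2   0050.56aa.bb01  ARPA   Vlan10
Internet  198.51.100.1            0   00aa.bbcc.dd02  ARPA   Vlan20
"""
# Constructed sample: interface IP -> MAC of the new ASA (same IPs as the PIX).
NEW_ASA_MACS = {"192.0.2.1": "00aa.bbcc.dd01", "198.51.100.1": "00AA.BBCC.DD02"}

if __name__ == "__main__":
    for ip, cached, expected, intf in stale_entries(SAMPLE_SWITCH_ARP, NEW_ASA_MACS):
        print(f"{ip} on {intf}: switch caches {cached}, ASA is {expected}; clear this entry")
```

Run it against each directly connected switch; an empty result means the switch has already learned the new MAC for every firewall interface IP.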