PIX 525 with ASA 5585-X, SSP-10

Naveen Gupta
Level 1

We are helping a client move from PIX 525 to ASA 5585-X, SSP10. This is a production environment and a very critical migration. Has someone done this and could provide a step-by-step procedure? What are the gotchas which we should be aware of?

Thanks for all your help in advance.

NG

5 Replies

varrao
Level 10

Hi Naveen,

What version of ASA are you using? You would first need to convert the configuration from PIX to ASA 8.2, and from there you can take it to higher codes like 8.3 or later. There's a PIX to ASA migration tool available on cisco.com; you can download it from there.

Thanks,
Varun Rao
Security Team,
Cisco TAC

We plan on moving to 8.4(4.1).

Could you point me to the conversion tool?

Is the conversion tool reliable enough to have a tech do it by himself?

Or does he need to have a sound knowledge of ASA software?

Hi Naveen,

Here is the tool for conversion:

http://www.cisco.com/cisco/software/cart.html?imageGuId=AF7198892F2A04876765A5A60B514470C1007A65&i=rs

Your plan of action should be to first install version 8.2.x on your ASA, convert the config from PIX to ASA using the tool, apply the config on the ASA, and then upgrade the ASA to version 8.4.4.1. The ASA would convert the config from 8.2.x to 8.4.4.1 itself, since there are some NAT and ACL changes from 8.3 and later.

Yes, you would need a person with sound knowledge of ASA, who can test things at every step.

Thanks,
Varun Rao
Security Team,
Cisco TAC

The PIX version is 7.2(4). It looks like it's only the interface change, as PIX and ASA 7.2 are not that different. I don't see any benefit of this tool for PIX running 7.x and higher.

Hi Bro,

I have done tons of this type of migration. The only problem you'll face is this: since you're maintaining the same configuration but changing the chassis, you MAY encounter ARP issues. I face this all the time.

This is because, when you change chassis and the interface IP remains the same, the LAN switch is going to see 2 different MAC addresses for the same IP address. Please be sure to clear the ARP TABLE on all directly connected LAN switches.

Don't be fooled, as I've failed this exercise a few times in the past due to ARP. After I swapped the chassis, I didn't clear the ARP TABLE, thinking it was not necessary, but I learnt this the hard way :-)

Good luck bro!

Warm regards,
Ramraj Sivagnanam Sivajanam
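
A post-cutover check for the stale-ARP problem described in the reply above, as an added example that is not part of the original thread: it parses `show ip arp` output saved from a directly connected Cisco IOS device and reports firewall interface IPs that are missing or still mapped to the old chassis. The IP addresses, MAC addresses and function names are constructed for illustration.

```python
import re

# One data line of Cisco IOS "show ip arp" output:
# Protocol  Address  Age (min)  Hardware Addr  Type  Interface
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA(?:\s+(?P<intf>\S+))?"
)

# Constructed sample: ARP table of a neighbouring switch right after the swap.
SAMPLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               12   0011.2233.4401  ARPA   Vlan10
Internet  192.0.2.20               3   00aa.bbcc.dd20  ARPA   Vlan10
Internet  198.51.100.1             0   00de.adbe.ef02  ARPA   Vlan20
"""
# Constructed: interface IPs kept from the PIX, with the new ASA's MACs.
NEW_FW_MACS = {
    "192.0.2.1": "00de.adbe.ef01",
    "198.51.100.1": "00de.adbe.ef02",
    "203.0.113.1": "00de.adbe.ef03",
}

def parse_arp(text):
    """Return {ip: (mac, interface)} from 'show ip arp' text."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            table[m["ip"]] = (m["mac"].lower(), m["intf"])
    return table

def stale_entries(arp_text, new_fw_macs):
    """List (ip, status, cached_mac) for firewall IPs not resolving to the new chassis."""
    table = parse_arp(arp_text)
    findings = []
    for ip, new_mac in new_fw_macs.items():
        if ip not in table:
            findings.append((ip, "missing", None))        # neighbour has not learned it yet
        elif table[ip][0] != new_mac.lower():
            findings.append((ip, "stale", table[ip][0]))  # still cached as the old chassis
    return findings

if __name__ == "__main__":
    for ip, status, mac in stale_entries(SAMPLE, NEW_FW_MACS):
        print(f"{ip}: {status} (cached MAC: {mac})")
```

Any `stale` result means that neighbour still needs its ARP entry cleared, which is the step the reply says was skipped.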