ASA 5550 to ASA 5555-X migration

MinaEdouard
Level 1

Hi,

I am about to carry out a migration from ASA 5550 to ASA 5555-X, however I cannot find any detailed document or reliable tool for this migration.

Anyone who has experience or knowledge of such a migration is welcome to share his/her views.

Thanks.

4 Replies

Jouni Forss
VIP Alumni

Hi,

Is your ASA5550 still running software below 8.3? For example some 8.2(x) software? In that case the biggest configuration work is related to NAT and ACL configuration formats.

Here is one link to a Cisco document about migrating between software levels

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Here is a link to a document I made about the new NAT configuration format that came with 8.3+ software levels

https://supportforums.cisco.com/docs/DOC-31116

Here is also a document that compares the new and old NAT format configurations

https://supportforums.cisco.com/docs/DOC-9129

Sadly, if you are using a software level below 8.3 then you can't just drop the current configuration to the new device, as the new ASA5500-X series only supports 8.6(1) and above software levels.

This naturally makes the configuration migration harder as you would have to either use some spare device to handle the automatic migration of the configuration between software levels (Some original ASA5500 Series device which could be upgraded to new software)

My personal approach from the start has been to simply go through the existing NAT configuration and rewrite it manually to the new format. I am not sure if there is any actual tool for the migration. Rather there are guides that teach you the new format. I have never looked for a tool myself. The only one I know is the ASA itself, which can do the configuration migration provided the device supports both the old and new software. But this was not the case in your situation.

The good thing in your situation is naturally the fact that you are replacing a whole device so you can always go back to the old if you face some problems during migration.

- Jouni
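
An added example, not part of the post above and not a Cisco tool: a pre-flight check that flags pre-8.3 NAT statements (`nat-control`, `global`, `static`, single-interface `nat`) in a saved configuration before it is pasted onto a 5500-X. The function name and both sample configurations are constructed for illustration.

```python
import re

# Pre-8.3 NAT commands that 8.3+ software no longer accepts in this form.
LEGACY_PATTERNS = [
    ("nat-control", re.compile(r"^nat-control\b")),
    ("static", re.compile(r"^static \(\S+,\S+\) ")),
    ("global", re.compile(r"^global \(\S+\) \d+ ")),
    # Old dynamic/exempt NAT names one interface: nat (inside) 1 ...
    # The 8.3+ form names two: nat (inside,outside) ...
    ("nat", re.compile(r"^nat \([^,)\s]+\) \d+ ")),
]

def find_legacy_nat(config_text):
    """Return (line_number, kind, line) for each pre-8.3 NAT statement."""
    hits = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        for kind, pattern in LEGACY_PATTERNS:
            if pattern.match(line):
                hits.append((number, kind, line))
                break
    return hits

# Constructed sample configs (documentation addresses), not from the thread.
# Note the ACL: pre-8.3 permits the mapped address, 8.3+ permits the real one.
SAMPLE_82 = """\
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list NONAT
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq 443
"""

SAMPLE_84 = """\
object network WEB
 host 192.0.2.10
 nat (dmz,outside) static 203.0.113.10
nat (inside,outside) source dynamic any interface
access-list OUTSIDE-IN extended permit tcp any host 192.0.2.10 eq 443
"""

if __name__ == "__main__":
    for name, text in (("8.2-style", SAMPLE_82), ("8.4-style", SAMPLE_84)):
        hits = find_legacy_nat(text)
        print(f"{name}: {len(hits)} legacy NAT line(s)")
        for number, kind, line in hits:
            print(f"  line {number} [{kind}]: {line}")
```

A clean result only means no old-format NAT lines were found; ACLs that still reference mapped addresses have to be reviewed by hand.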

           

Hello Jouni,

Thank you for your reply.

The current ASA are running version 8.4(2).

I read that that should pass fine to the newer version 8.6(1), but I really do not know the procedures.

Hi,

In that case I would imagine there are few to no problems with migrating the configuration to the new ASA.

The configuration format should stay the same regarding NAT and ACL and VPN configurations for example.

In case you are using multiple public subnets on the ASA "outside" interface at the moment then you might run into problems unless you upgrade to a higher software level than 8.6(1). Those higher software levels would then let you use the command "arp permit-nonconnected", which makes it possible to use multiple subnets on a single interface.

The 8.6(1) software to my understanding is just the starting software level meant for the new ASA5500-X models. The same way that the ASA SM (replacement for Cisco FWSM) started from 8.5(1) and I think the ASA V1000 model started with 8.7(1).

Also the new ASA5500-X series to my understanding have more physical interfaces so I don't know if that causes minor format changes when configuring the interfaces.

But I don't see that there should be many differences between the configuration formats.

But it would seem that since you are moving to new hardware completely that you can simply "drop" all the configurations to the new ASA and see if there are any problems during that.

- Jouni

Hi,

I will try to drop the config as is and see what would come out.

For now, there are not so many NAT rules configured on the ASA 5550 (NAT rules are mainly handled by an ASR), so even if I have to re-create the current few NAT rules, that won't be an issue.

I will proceed with the migration the soonest and update the thread.

Thanks
