02-10-2017 06:26 AM - edited 03-12-2019 01:54 AM
Hi,
I have been given the unforgiving task to migrate the configuration of an old ASA running 8.0(2) to a newer 5512-X running 9.2.
I tried to copy the configuration to another 8.2 firewall, upgrade that to 8.4, and then paste the configuration to the new 5512-X.
But the configuration generated was buggy and not functioning as expected.
Is there a quicker way? Or is this a manual endeavour....
02-10-2017 07:14 AM
It's mostly manual. Most people avoid the parser that automatically upgrades as it can make a bad configuration worse. It works IF you read the exceptions log carefully and address every single point.
Cisco (and partners) have an internal tool that creates a migrated configuration. Even it won't fix bad logic though. :)
My experience (having done dozens of them) is that it's a good opportunity to sit down and clean out your configuration, leaving only well-documented bits that you completely understand after the upgrade.
02-13-2017 08:08 AM
I'm with Marvin; go for the manual cleanup. You can use the automatic upgrade configs to hint at the changes. The big two are:
1) after 8.3, there was a complete change in how NAT works
2) after 9.0, v4 and v6 access-lists were merged, and the "any" keyword is dual-stack
-- Jim Leinweber, WI State Lab of Hygiene
02-13-2017 10:30 AM
Nothing much more than what the guys said. Things which I faced during upgrades from pre-9 to post-9:
1) You need to understand how NAT works and make sure that you configure NAT rules manually. Don't rely on automatically created NATs during the upgrade. Most likely they won't work as you want.
2) Be aware of per-session PAT, which is enabled by default in version 9.0+. This can create performance degradation for internet browsing. Personally I disable it cuz that suits my environment.
3) Changes in crypto syntax due to introduction of IKEv2.
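
As an added example (not part of any reply in this thread, and not a Cisco tool), the following script builds a manual-review worklist from a pre-8.3 configuration by flagging the lines affected by the NAT, ACL `any` and crypto syntax changes listed above. The rule table, category names and the sample configuration are constructed for illustration and are not exhaustive.

```python
import re

# Illustrative rule table (assumed, not exhaustive): pre-8.3 syntax touched by
# the NAT, ACL and IKEv2-era crypto changes listed in the thread.
RULES = [
    (r"^(nat \([^,)]+\) \d+|global \(|static \()", "nat",
     "pre-8.3 NAT statement: rewrite by hand in the 8.3+ NAT model"),
    (r"^(no )?nat-control\b", "nat", "nat-control is gone after 8.3"),
    (r"^access-list \S+ .*\bany\b", "acl-any",
     "from 9.0 'any' is dual-stack: decide whether any4 is intended"),
    (r"^ipv6 access-list ", "acl-any", "v6 ACLs merge into access-list in 9.0"),
    (r"^crypto isakmp (policy|enable)\b", "crypto",
     "IKEv1 commands move under 'crypto ikev1'"),
    (r"^crypto ipsec transform-set ", "crypto",
     "becomes 'crypto ipsec ikev1 transform-set'"),
    (r"^crypto map \S+ \d+ set transform-set ", "crypto",
     "becomes 'set ikev1 transform-set'"),
]

# Constructed sample of an 8.0-style configuration (documentation addresses).
SAMPLE = """\
hostname old-asa
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended deny ip any any
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN 10 set transform-set ESP-AES-SHA
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
"""

def review(config_text):
    """Return (line_no, category, line, note) for each line needing manual review."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        for pattern, category, note in RULES:
            if re.search(pattern, line):
                findings.append((line_no, category, line, note))
                break  # one finding per line is enough for a worklist
    return findings

if __name__ == "__main__":
    for line_no, category, line, note in review(SAMPLE):
        print(f"{line_no:>3} [{category}] {line}\n      -> {note}")
```

Per-session PAT does not appear in the old configuration at all, since it is a new default in 9.0+, so it has to be checked on the new firewall rather than in this worklist.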