09-06-2012 10:50 AM - edited 03-11-2019 04:51 PM
With: Praveena Shanubhogue
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Migration Best Practices for Adaptive Security Appliance 8.3/8.4 with Praveena Shanubhogue. Learn about best practices while migrating from version 8.2 or before to 8.3 and beyond and ask questions about the new features. Understand bugs or known issues that one needs to be aware of while migrating from 8.2 to 8.3 and beyond.
Praveena Shanubhogue is an engineer in the Cisco Technical Assistance Center in Bangalore, India, specializing in Cisco VPN and Adaptive Security Appliance (ASA) technologies. He has more than 3 years of experience troubleshooting VPN and ASA products. He holds CCIE certification in Security (#29450).
We encourage you to watch the recently published Community Tech-Talk Blog and Video.
Remember to use the rating system to let Praveena know if you have received an adequate response.
Praveena might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event is a continuation of the Facebook Forum and lasts through Sept 19, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
09-08-2012 03:09 AM
Hi Parveen,
I had a question: is there a way we can back up the configuration and settings on Cisco routers?
I mean, before migrating from one version of Cisco router or ASA to another, can we back up all the configuration to prevent disaster?
What is the name of the OS that we use in ASA firewalls?
09-11-2012 04:08 AM
Hi Fahad,
1. Yes, there are multiple ways to back up and later restore the config on Cisco ASA. ASDM > Tools has Backup and Restore links.
Also, check out this tool called 'rancid' (http://www.openmaniak.com/rancid_tutorial.php)
2. As I mentioned on the Facebook forum, ASA 7.x was based on PIX OS, and ASA 8.x is a Linux-based OS, which you can call ASA OS. (I don't know of a specific name given to ASA OS.)
-- Praveen
09-11-2012 05:13 AM
Hi Parveen,
Thanks for your reply. So do we have to connect any storage device to the router or ASA when taking a backup?
Are there USB ports in ASA?
Fahad
09-12-2012 07:46 AM
Well, you can copy over tftp/ftp/http (asdm).
You can also add additional flash cards, but sorry, no USB.
-- Praveen
09-11-2012 06:30 AM
Hi Praveena,
I have a PIX 515 with IOS version 8.0(3), and we bought two ASA 5525-X with IOS 8.6.
What is the better way to proceed with this migration? Manually?
Tks!
Rafael
09-11-2012 11:32 PM
Hi Praveena,
Is Cisco planning on adding an automated periodic configuration backup for ASAs? Or will this have to be done manually or through a separate script that will do it for you? Why has it not been implemented before on ASA like it is on the Cisco routers?
Considering large network environments with hundreds of firewalls (Security Contexts), this would be a useful option.
Sure, the "show tech" command gets you a backup, but also a lot of extra information you don't need when you just want configuration backups for when disaster strikes.
- Jouni
09-12-2012 08:47 AM
Hi Jouni,
Have you checked out our Smart Call Home feature, which you can customize to back up the ASA config periodically:
https://supportforums.cisco.com/docs/DOC-14958
More on Smart Call Home:
https://supportforums.cisco.com/docs/DOC-12801
I know you are looking for a built-in tool, but it seems this is it for now.
Then there is a Cisco Works tool called Cisco Security Manager (CSM):
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6498/data_sheet_c78-584863.html
Also, you can use a Perl script to do this (ah yes, not a built-in feature), as mentioned at:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1063700
That is it from us. I would also point out 'rancid', if you are interested:
http://www.openmaniak.com/rancid_tutorial.php
This not only backs up the config, it also diffs the config, which is what the name stands for (apparently it is the 'Really Awesome New CIsco Diff' tool).
-- Praveen
09-13-2012 05:36 AM
Hi,
Thanks for the reply.
Does the "Call Home" feature work in an ASA that's running in multiple context mode?
It seems to have the default "call-home" configuration under the system context configuration mode, and it also seems it's not possible to configure it under the different security contexts.
So following the instructions given in those documents, would the ASA only send the system context configuration or would it also send all the configurations of the Security Context on the ASA?
And sorry that the question ain't exactly "on topic"
- Jouni
09-14-2012 10:03 AM
Hey Jouni,
Ah well, I will be honest with you here: I haven't gotten a chance to work on the Smart Call Home feature, but for one I do know that this is supported on multi-context.
You can add any command to the list, having said that, you can add "more flash:\
Also, any command added in the snapshot should run in system context AND the regular contexts:
From the config guide:
In multiple context mode, the snapshots command is divided into two commands: one to obtain information from the system context and one to obtain information from the regular context.
HTH
-- Praveen
09-12-2012 07:55 AM
Well Rafael, you might not like my answer, but I have a workaround for you apart from doing this manually:
0.
1. Get the PIX config.
2. Edit it using an editor like notepad++:
- Replace interface types (ethernet) manually with the corresponding interface types on the new ASAs (gigabit)
- Remove the old 'boot system ..' statement and add the new 'boot system ..' statement
- remove the 'Crypto Checksum' part from the end.
2. Load it on ASA5525-x's Flash (asdm/tftp/ftp)
3. On ASA5525-x, replace the startup-config with the PIX's config:
copy flash:/pix-config.txt start
4. Do NOT execute 'write mem'
5. Reload
Now the ASA boxes should come back up with the migrated config.
-- Praveen
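The edit steps in the reply above, sketched as a Python helper. This is an added example, not part of the original thread and not Cisco tooling; the sample config, the interface mapping and the boot image path are constructed placeholders. It goes slightly beyond the post by also rewriting hardware interface names wherever they appear (for example in failover lines) and by reporting any interface left unmapped.

```python
import re

# Constructed sample PIX config fragment (not from the original post).
SAMPLE_PIX_CONFIG = """\
PIX Version 8.0(3)
hostname pix-example
interface Ethernet0
 nameif outside
 security-level 0
interface Ethernet1
 nameif inside
 security-level 100
interface Ethernet2
 shutdown
boot system flash:/pix803.bin
failover lan interface folink Ethernet1
Cryptochecksum:0123456789abcdef0123456789abcdef
: end
"""

def prepare_pix_config(text, interface_map, boot_line):
    """Return (new_config, warnings) after applying the post's edit steps."""
    out, warnings = [], []
    # \b keeps already-converted names such as GigabitEthernet0/0 untouched.
    iface = re.compile(r"\bEthernet\d+(?:/\d+)?\b")

    def swap(match):
        old = match.group(0)
        if old not in interface_map:
            warnings.append(f"unmapped interface: {old}")
            return old                    # leave it for manual review
        return interface_map[old]

    for line in text.splitlines():
        if line.startswith("boot system "):
            continue                      # drop the old boot statement
        if line.startswith("Cryptochecksum:"):
            continue                      # drop the checksum trailer
        out.append(iface.sub(swap, line))
    # Place the new boot statement before the ": end" marker if present.
    pos = out.index(": end") if ": end" in out else len(out)
    out.insert(pos, boot_line)
    return "\n".join(out) + "\n", sorted(set(warnings))
```

Review the returned warnings and diff the output against the original before loading it to flash; an unmapped interface means the new startup-config still references hardware the ASA does not have.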
09-14-2012 09:21 AM
Can I migrate directly from 8.2 to 8.4 version?
I know there is some new NAT statement in place and some other things. Other than that, if I do this migration it should work fine ..... Please give me your suggestion.
Thanks in advance
09-14-2012 10:08 AM
Hi Shine,
Sure, you can migrate from any older version directly to 8.4, provided the system meets the memory requirements.
The major changes that stand out are NAT and Real-IP usage in filter ACLs (rather than using the translated IP); however, these are taken care of, i.e. ASA OS post-8.3 has a built-in config migrator that does a good job.
Please read these:
https://supportforums.cisco.com/docs/DOC-12690
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
HTH
-- Praveen
09-15-2012 03:57 AM
Hi Parveen,
The link http://www.openmaniak.com/rancid_tutorial.php that you quoted is about ASA migration?
Can I ask you questions about this article?
Thanks
09-18-2012 05:40 AM
Hey Fahad,
I haven't used that tool myself, but yeah sure, please go ahead and ask. If I know, I will for sure answer or at least give some pointers.
-- Praveen