01-15-2014 12:41 AM - edited 03-11-2019 08:30 PM
Hi,
I have an old PIX 515E that I want to migrate over to an ASA 5512X. The PIX is on 6.3(4) and the ASA is at factory settings, so I can downgrade it to whatever is necessary for a smooth migration.
What's the best path for this migration?
01-15-2014 04:10 AM
Hi,
The new ASA5500-X Series don't support any software below version 8.6(1). So you will not be able to have a configuration directly migrated from PIX to the new ASA.
The biggest change will be the NAT configurations, and depending on whether you are using VPN on the PIX, it will probably also have some changes.
If your configuration isn't large, it might also be possible that someone here could provide you with the required new configurations. For example, the NAT shouldn't be that hard for us to convert to the new format for you if that is the biggest problem for you at the moment.
- Jouni
01-15-2014 04:25 AM
Thanks Jouni. The PIX has a lot of site2site VPNs on it. So the preshared keys and all are the most important part to retain. If I send the PIX config to a TFTP server, then update the NAT lines, should that be the only change between 6.3 and the later versions?
01-15-2014 04:31 AM
Hi,
It seems to me that the command that is supported on the ASA (both old and new) is not supported on the 6.x series software, so you cannot use that to show the PSKs in clear text.
The VPN configuration format has gone through some changes also, so that cannot be copied directly either.
The NAT is usually the biggest change, but there are also the ACLs to consider. In your current software and all the way to the latest 8.2 software, when you configured a NAT for your server to the public network you would always allow the traffic towards that public NAT IP address in the external ACL.
In the newer software (8.3 and newer) you always allow the traffic to the local/real IP address even if you are doing NAT. So this fact most likely means at least some changes to your interface ACL configurations, if you host some servers with the use of NAT.
- Jouni
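The ACL change described in the post above, as an added example that is not part of the original thread: a small Python sketch that turns pre-8.3 one-to-one `static` lines into 8.3+ object NAT and rewrites ACL `host` entries from the mapped (public) address to the real address. The sample config is constructed, the `obj-<ip>` object names and the `convert` helper are assumptions, and only host statics (netmask 255.255.255.255) are handled; any other NAT form is passed through untouched and still needs manual conversion.

```python
import re

# Constructed pre-8.3 sample (PIX 6.3 / ASA 8.2 style); 2.3.4.9 is made up.
OLD_CONFIG = """\
static (inside,outside) 2.3.4.5 192.168.1.1 netmask 255.255.255.255
access-list outside_in permit tcp any host 2.3.4.5 eq 80
access-list outside_in permit tcp any host 2.3.4.9 eq 25
access-group outside_in in interface outside
"""

# One-to-one static: static (real_if,mapped_if) mapped_ip real_ip netmask /32
STATIC_RE = re.compile(
    r"static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255\b")


def convert(old_config):
    """Return (new_lines, notes): 8.3+ object NAT plus ACLs on real addresses."""
    lines = [l.strip() for l in old_config.splitlines() if l.strip()]
    mapped_to_real, new_lines, notes = {}, [], []

    # Pass 1: every host static becomes a network object with object NAT.
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            real_if, mapped_if, mapped, real = m.groups()
            mapped_to_real[mapped] = real
            new_lines += [f"object network obj-{real}",
                          f" host {real}",
                          f" nat ({real_if},{mapped_if}) static {mapped}"]

    def to_real(m):
        ip = m.group(1)
        if ip in mapped_to_real:
            return f"host {mapped_to_real[ip]}"
        notes.append(f"{ip}: no one-to-one static found, review by hand")
        return m.group(0)

    # Pass 2: ACL host entries are rewritten from mapped to real address.
    for line in lines:
        if STATIC_RE.match(line):
            continue
        if line.startswith("access-list "):
            line = re.sub(r"\bhost (\S+)", to_real, line)
        new_lines.append(line)
    return new_lines, notes


if __name__ == "__main__":
    new_lines, notes = convert(OLD_CONFIG)
    print("\n".join(new_lines))
    print("\n".join("! " + n for n in notes))
```

An ACL entry left pointing at the mapped address after the move to 8.3 or later no longer matches the inbound traffic, so the notes list is the part to review before the cutover.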
01-23-2014 07:14 AM
Hi Jouni,
I am setting up the 5512X now. It's on 9.1(2). The NAT seems to be a lot different from what I am used to on the 5510 I have here. (it's on 8.2(1))
I am used to management via the GUI, and the NAT setup seems a lot different. On 8.2(1) I would add a NAT rule to translate from inside to outside. Eg. Original 192.168.1.1, inside to Translated 2.3.4.5 outside.
With 9.1, it seems I need a NAT rule in both directions, so that's inside to outside PLUS outside to inside?