01-04-2017 03:33 AM - edited 03-12-2019 01:43 AM
Hi
I have asked for advice before on these forums and you have been extremely good and very helpful with your guidance.
We have a Single Cisco ASA 5510 firewall live in our production network at the perimeter. This currently has a large amount of configuration with 1-1 NATs and ACL/Site to site VPN and client configurations currently and is stuck on version 8.2(5)59 currently due to lack of downtime being available with our maintenance agreement due to end in September 2017. We have a hardware spare onsite that is identical to our live firewall.
We have now purchased a pair of Cisco 5545-X next Generation Firewalls to replace the above firewall and to add hardware resilience and am researching the best approach to migrating our services over to the new firewalls. We are looking to cluster the new 5545-X Firewalls and have a full Security Plus license for each one.
I have a few questions that I hope you experts can provide some guidance on if at all possible.
We only have a single 70Mb DIA with a single range /27 of Public IP addresses presented in the existing firewalls.
What would be the best approach to migrate the config to the new firewalls as I know we are on a very old legacy version 8.2(5)59 of ASA software?
Any guidance on what the best steps to take are with this project that will mean the least hassle? Is there a configuration migration path that would work that would mean we wouldn't have to rebuild the configuration from scratch on the new firewalls manually?
Any advice would be greatly appreciated?
Damian T
01-04-2017 11:41 AM
Take your spare 5510, make sure it has the current config on it. Then upgrade the spare 5510 to the latest software you can, and let it do the config upgrade. Then take that config and put it on your new 5545. Then form the 5545 cluster.
Then downgrade your spare 5510 back to what it was originally, wipe its config, and put the current config back on it.
01-04-2017 09:34 PM
Personally I have not had good results with the automatic upgrades where there are a lot of NAT rules.
I prefer to run the configuration through something like tunnelsup.com where they have posted a free conversion utility. https://www.tunnelsup.com/nat-converter/
They also have a cleanup tool that checks for unused objects and ACLs. I always use that when looking at a large configuration that has grown unwieldy over time.
For partners, there is also an offline conversion tool that was developed by SecureWay.
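To make the NAT-conversion point concrete, here is an added example (not code from this thread, from Cisco, or from the tunnelsup converter) that performs the same kind of 8.2-to-8.3 rewrite on a small, constructed sample configuration. It assumes only two common 8.2 forms: one-to-one `static` host entries and `nat`/`global` pairs that PAT to the outside interface. It emits 8.3-style object NAT for those, rewrites ACL `host` entries from mapped (public) to real (inside) addresses, which 8.3 requires, and puts every other line into a review list instead of silently dropping it, which is the behaviour you want from any automated converter.

```python
import re

# Constructed 8.2-style sample (RFC 5737 / RFC 1918 addresses), not a real configuration.
SAMPLE_82_CONFIG = """\
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 10.0.0.11 netmask 255.255.255.255
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended permit tcp any host 203.0.113.11 eq 25
access-list outside_in extended deny ip any any
"""

# Only one-to-one host statics are handled; anything else goes to the review list.
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) interface$")
ACL_HOST_RE = re.compile(r"\bhost (\S+)")


def convert_82_to_83(config_text):
    """Return (converted_lines, review_lines).

    converted_lines: 8.3-style object NAT plus ACLs rewritten to real addresses.
    review_lines: input lines this converter does not understand (e.g. nat 0,
    network statics, policy NAT); a human must translate those by hand.
    """
    statics = {}     # mapped_ip -> (real_ip, inside_if, outside_if)
    nat_pools = {}   # pool id -> [(inside_if, network, mask), ...]
    global_ifs = {}  # pool id -> outside interface that PATs to "interface"
    acls, review = [], []

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATIC_RE.match(line)
        if m:
            inside_if, outside_if, mapped, real = m.groups()
            statics[mapped] = (real, inside_if, outside_if)
            continue
        m = NAT_RE.match(line)
        if m and m.group(2) != "0":          # pool 0 is NAT exemption: not handled here
            inside_if, pool, net, mask = m.groups()
            nat_pools.setdefault(pool, []).append((inside_if, net, mask))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            global_ifs[m.group(2)] = m.group(1)
            continue
        if line.startswith("access-list "):
            acls.append(line)
            continue
        review.append(line)

    out = []
    # One-to-one static NAT -> network object with a static translation.
    for mapped, (real, inside_if, outside_if) in statics.items():
        out += [f"object network obj-{real}",
                f" host {real}",
                f" nat ({inside_if},{outside_if}) static {mapped}"]
    # nat/global pool pairs that PAT to the outside interface -> dynamic interface NAT.
    for pool, entries in nat_pools.items():
        if pool not in global_ifs:
            review += [f"nat ({i}) {pool} {n} {k}" for i, n, k in entries]
            continue
        for inside_if, net, mask in entries:
            out += [f"object network obj-{net}-{mask}",
                    f" subnet {net} {mask}",
                    f" nat ({inside_if},{global_ifs[pool]}) dynamic interface"]
    # 8.3 ACLs reference real (untranslated) addresses, so mapped hosts are rewritten.
    mapped_to_real = {mapped: real for mapped, (real, _, _) in statics.items()}
    for acl in acls:
        out.append(ACL_HOST_RE.sub(
            lambda mm: "host " + mapped_to_real.get(mm.group(1), mm.group(1)), acl))
    return out, review


if __name__ == "__main__":
    converted, needs_review = convert_82_to_83(SAMPLE_82_CONFIG)
    print("\n".join(converted))
    print("\n! Lines needing manual review:")
    print("\n".join("! " + l for l in needs_review))
```

Run against a real configuration, the review list is the part to read first: the identity static and the `nat 0` exemption in the sample both land there, and on a large production config that list is where the surprises live. Diff the converter's output against what the spare 5510's automatic upgrade produced before trusting either.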
01-11-2017 07:05 AM
Absolutely brilliant advice, thanks for the help and specifically the NAT information. I have taken the strategy of using the spare 5510 and am doing some test migrations before taking the plunge with a Live Migration when I am confident there aren't any problems with the NAT config.
Thank you in advance
Damian