CISCO ASA migration from 5510 to 5525x

JPMohapatra (Level 1)

Hi,

I would like to migrate from an ASA 5510 on version 8.4(7) to an ASA 5525-X on version 9.7.2. If someone could please help me with the steps to follow, that would be a great help. The existing config has VPN, HA and NAT as well.

Thanks

JP


MajidShirzadeh (Level 1)

Here is what I used a few months ago:

http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp746094

 

 

Also, please look at this before migrating:

https://community.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050

 

1. Upgrade the standby ASA.

2. Update your object groups, NAT and ACLs.

3. Initiate failover and monitor for connectivity issues.

4. Once you are sure that you have minimal connectivity problems, upgrade the second ASA and update the object groups, NAT and ACLs.

 

Then initiate failover back to the original active ASA, if required.

 


Thanks for your help, but I would like to migrate the old ASA to the new one as per below:

Cisco ASA migration from 5510 (version 8.4) to 5525-X (version 9.7)

MajidShirzadeh (Level 1)

The other option you can use is to run this in GNS3, upgrade to the new code and see what's failing.

Thanks, that's a good option to try.

If you are doing a change from 8.4 to 9.x, no NAT rules need to be changed. Prior to 8.3 the NAT order was different. From 8.4 to 9.x the unified NAT syntax and function is the same, as is the VPN, and also the HA (Active/Standby) or (Active/Active), also known as context firewall. Minor changes were added in each ASA code; however, no major updates were included.

You should be fine.

Thanks a lot for your help, and I appreciate your time. I've a few more questions!

 

Is there any procedure to follow as a best practice for any migration? Or just copy and paste the config and that's it?

I understand the concern you have. I have attached the matrix for you, which will give you more confidence to upgrade or migrate.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/release/notes/asarn99.html

 

According to this Cisco link, 8.4 to 9.x is no big change. However, if you have a change window, which I would recommend you have, you can look into what is not working. But you should be fine; have a read of the link I shared earlier and ask any question you have.

Hello Sheraz,

Thanks for your time; I appreciate it. I'll go through the attached document.

If you don't mind, I have drafted a migration plan and I would appreciate it if you could take a look and give me your thoughts.

 

1: Full system backup of the production firewalls (primary and secondary).

2: Upgrade both of the new 5525X firewalls to version 9.9.X.

3: Configure the interfaces (as per the new 5525X firewall) and the HA config on the primary firewall.

4: Configure objects, ACLs, NAT and VPN.

5: Configure the secondary firewall with only the failover syntax.

6: Compare the configuration (old and new) with the actual production config for any missing info.

7: Save the ARP details for troubleshooting.

8: Configure TACACS access after the firewall swap and in the network.

 

 

Many thanks.

 

 

2: Upgrade both the new 5525X Firewall to 9.9.X version

 

What version are they on at the moment?

 

Have a look at this doc; it will save you:

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html

New firewalls are on the 9.7 version and I would like to go with 9.9.2.

 

Thank you for your prompt response.

Yes, no interim upgrade is required; you're good to go.

Thank you very much. Does this migration plan look OK to you?

1: Full system backup – Production Firewall (primary and secondary).
2: Upgrade both the new 5525X Firewall to 9.9.X version.
3: Configure Interface (as per the new 5525X Firewall) and HA on Primary Firewall.
4: Configure Object, ACL, NAT, and VPN.
5: Configure the Secondary Firewall with only Failover syntax.
6: Compare the configuration (old and new) for any missing info with the actual production.
7: Save the ARP details for the troubleshooting.
8: Configure the TACACS access after firewall swap and in the network.


Yes, looks good to me, but make sure you understand the process of upgrading the software in active/standby:

 

  • Load the image on both units' disk0:
  • Change the boot variable.
  • Save the config with that change.
  • From the active unit, "failover reload-standby".
  • Wait for a successful reload and verify that the configuration is synced OK. You should expect a message that the mate's software version is different.
  • "no failover active" on the active unit.
  • Log into the newly active unit and "failover reload-standby".
  • Wait for a successful reload and verify that the configuration is synced OK. Both units are now on 9.9x.

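The active/standby upgrade described in that reply, as it looks at the ASA prompt. This is an added example, not a transcript from the thread or from Cisco's documentation. The hostnames (fw-pri, fw-sec), the TFTP server 192.0.2.10 and the image file names (asa972-smp-k8.bin as the image currently booted, asa992-smp-k8.bin as the target) are assumptions; use the file name and checksum from the Cisco download page for your own units.

```text
! Step 1: stage and verify the image on BOTH units' disk0: (repeat on fw-sec).
fw-pri# copy tftp://192.0.2.10/asa992-smp-k8.bin disk0:/asa992-smp-k8.bin
fw-pri# verify /sha-512 disk0:/asa992-smp-k8.bin
!   compare the printed digest with the one published on the download page

! Step 2/3: point the boot variable at the new image and save. The ASA tries
! "boot system" entries in order, so remove the old entry instead of leaving it
! first. Saving on the active unit also saves on the standby.
fw-pri# show bootvar
fw-pri# configure terminal
fw-pri(config)# no boot system disk0:/asa972-smp-k8.bin
fw-pri(config)# boot system disk0:/asa992-smp-k8.bin
fw-pri(config)# write memory
fw-pri(config)# end
fw-pri# show bootvar

! Step 4/5: reload the standby from the active unit and wait for it to return.
fw-pri# failover reload-standby
fw-pri# show failover | include Version|state
!   expect "Mate" on 9.9(2) and the standby in "Standby Ready"; the version
!   mismatch warning is expected at this point

! Step 6/7: hand traffic to the upgraded unit, then reload the remaining one.
fw-pri# no failover active
!   fw-sec is now active; log in there
fw-sec# failover reload-standby
fw-sec# show failover | include Version|state
fw-sec# show version | include Software Version

! Step 8: both units on 9.9(2). Optionally return the roles to the primary.
fw-sec# no failover active
```

Two checks worth keeping: `show bootvar` on both units after the save, because an old `boot system` entry left in first place means the next reload comes back on the old code; and `show failover` after each reload before moving on, because the whole point of doing the standby first is that a unit which comes back failed or not synced has not yet taken traffic.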
Thank you so much, Sheraz. I really appreciate your prompt response with this.

I'll follow the upgrade process you have mentioned above. Many thanks.
