09-18-2014 01:54 AM - edited 03-11-2019 09:46 PM
Hello,
I am currently in the process of setting up our two new Cisco firewalls (both are 5515-Xs) and have two questions in regards to that, since I'm rather new to ASA configurations.
1. I want to use the configuration of our old ASA (5510), which shouldn't be a big problem, but we have several Site-to-Site profiles in use. What happens with the keys that are defined in those?
Do they get reused and I don't have to worry about anything or do I have to inform the sites and set up new connections with new keys?
2. I want to use a Active/Standby failover configuration, but I don't know how VPN licenses are handled. I currently have a pack that is assigned to the primary unit, but what do I have to do on the secondary device (if anything) in order for it to use the VPN license when the primary unit is not available? I am under the impression that I can't assign the licenses to a second unit, so does the VPN license get reused much like the configuration, MAC address, etc. in a failover scenario?
Thank you for your time.
09-18-2014 03:31 AM
1. I want to use the configuration of our old ASA (5510), which shouldn't be a big problem, but we have several Site-to-Site profiles in use. What happens with the keys that are defined in those?
Do they get reused and I don't have to worry about anything or do I have to inform the sites and set up new connections with new keys?
You can pull the keys from the configuration using the more system:running-config command; this should show you the configured keys.
Also keep in mind that depending on the ASA version you are using (earlier than 8.3, or 8.3 or newer) on the 5510, you may (or may not) have to convert them to the new NAT configuration and ACLs.
2. I want to use a Active/Standby failover configuration, but I don't know how VPN licenses are handled. I currently have a pack that is assigned to the primary unit, but what do I have to do on the secondary device (if anything) in order for it to use the VPN license when the primary unit is not available? I am under the impression that I can't assign the licenses to a second unit, so does the VPN license get reused much like the configuration, MAC address, etc. in a failover scenario?
You will only need the one license since the secondary ASA will share the licenses installed on the primary ASA.
--
Please remember to select a correct answer and rate helpful posts
09-18-2014 05:39 AM
Thanks for the answer.
Our 5510 is running on 8.2, so does the conversion apply here? Is there something I can read regarding this topic?
Thanks.
09-18-2014 07:47 AM
Yes, the new 5515x ASAs will be shipped with a 9.x image. So since you are not upgrading the current ASAs, you will need to manually change the NAT and ACL configuration.
The NAT configuration is the biggest change as everything is now object based, NAT exempt has been removed and is replaced by twice NAT.
The following link gives a good indication of what the new format will look like for the different types of NAT:
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
Here is another link you can read through:
As for the ACL, since 8.3 we now use the actual (private) IP of a client / server machine instead of the public IP. So let's say that a server with private IP of 192.168.1.1 is NATed to 1.1.1.1. You want to allow access to this server, so in your ACL that is configured on the outside interface you would configure the private IP as the destination IP and NOT the public IP.
Here is another document that describes migrating to ASA 8.3 and later versions
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html
--
Please remember to select a correct answer and rate helpful posts
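The NAT and ACL rewrite described in the answer above, shown side by side as an added example (not configuration from the original thread): the 192.168.1.1 / 1.1.1.1 server from the post, plus the NAT-exempt rule a site-to-site tunnel typically needs. The object names, the 10.0.0.0/24 remote LAN, the ACL name and port 443 are assumptions.

```cisco
! --- Pre-8.3 (8.2) style, as found on the old 5510 ---
! Static NAT, and an ACL on the outside interface that matches the PUBLIC IP.
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 1.1.1.1 eq 443
access-group outside_in in interface outside
! NAT exemption for the site-to-site tunnel (remote LAN 10.0.0.0/24 is assumed)
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- 8.3 and later (what the new 5515-X ships with) ---
! Object (auto) NAT replaces the static line; the object name is an assumption.
object network WEB-SERVER
 host 192.168.1.1
 nat (inside,outside) static 1.1.1.1
! The outside ACL now matches the REAL (private) IP, not the mapped public IP.
access-list outside_in extended permit tcp any host 192.168.1.1 eq 443
access-group outside_in in interface outside
! Twice (manual) NAT replaces "nat 0 access-list": identity-translate both ends
! so tunnel traffic is not caught by the static translation above.
object network LOCAL-LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp
! Check: traffic to the remote LAN must hit the twice-NAT rule (section 1),
! not the object NAT rule (section 2); the tracer output names the matching rule.
packet-tracer input inside tcp 192.168.1.1 12345 10.0.0.10 443
```

After the migration, "show nat" lists the rules by section, which is the quickest way to confirm the identity rule sits ahead of the object NAT rule.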