Configuration backup and Site-to-Site VPN and failover questions

KevinGueTIS
Level 1

Hello,

I am currently in the process of setting up our two new Cisco firewalls (both are 5515-Xs) and have two questions regarding that, since I'm rather new to ASA configurations.


1. I want to use the configuration of our old ASA (5510), which shouldn't be a big problem, but we have several Site-to-Site profiles in use. What happens with the keys that are defined in those?

Do they get reused and I don't have to worry about anything or do I have to inform the sites and set up new connections with new keys?


2. I want to use an Active/Standby failover configuration, but I don't know how VPN licenses are handled. I currently have a pack that is assigned to the primary unit, but what do I have to do on the secondary device (if anything) in order for it to use the VPN license when the primary unit is not available? I am under the impression that I can't assign the licenses to a second unit, so does the VPN license get reused much like the configuration, MAC address, etc. in a failover scenario?


Thank you for your time.

1 Accepted Solution

1. I want to use the configuration of our old ASA (5510), which shouldn't be a big problem, but we have several Site-to-Site profiles in use. What happens with the keys that are defined in those?

Do they get reused and I don't have to worry about anything or do I have to inform the sites and set up new connections with new keys?

You can pull the keys from the configuration using the more system:running-config command; this should show you the configured keys.

Also keep in mind that depending on the ASA version you are using on the 5510 (earlier than 8.3, or 8.3 or newer) you may (or may not) have to convert them to the new NAT configuration and ACLs.

2. I want to use a Active/Standby failover configuration, but I don't know how VPN licenses are handled. I currently have a pack that is assigned to the primary unit, but what do I have to do on the secondary device (if anything) in order for it to use the VPN license when the primary unit is not available? I am under the impression that I can't assign the licenses to a second unit, so does the VPN license get reused much like the configuration, MAC address, etc. in a failover scenario?

You will only need the one license since the secondary ASA will share the licenses installed on the primary ASA.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/license/license_management/license.html#wp2136588

--

Please remember to select a correct answer and rate helpful posts

3 Replies

Thanks for the answer.


Our 5510 is running on 8.2, so does the conversion apply here? Is there something I can read regarding this topic?


Thanks.

Yes, the new 5515-X ASAs will be shipped with a 9.x image. So, since you are not upgrading the current ASAs, you will need to manually change the NAT and ACL configuration.

The NAT configuration is the biggest change, as everything is now object based; NAT exempt has been removed and is replaced by twice NAT.

The following link gives a good indication of what the new format will look like for the different types of NAT:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Here is another link you can read through:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/nat_overview.html

As for the ACL, since 8.3 we now use the actual (private) IP of a client / server machine instead of the public IP. So let's say that a server with private IP of 192.168.1.1 is NATed to 1.1.1.1. You want to allow access to this server, so in your ACL that is configured on the outside interface you would configure the private IP as the destination IP and NOT the public IP.

Here is another document that describes migrating to ASA 8.3 and later versions:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html

--

Please remember to select a correct answer and rate helpful posts
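The NAT and ACL change described in the reply above, written out side by side as an added configuration example (it is not from the original thread or from Cisco's documentation). The server address 192.168.1.1 and its public address 1.1.1.1 come from the reply; the object and ACL names, the interface names, the remote VPN subnet 10.0.0.0/24 and the TCP/443 service are assumptions chosen for illustration.

```cisco
! --- Pre-8.3 style (as found on the 8.2 ASA 5510) ---
! Static NAT: real 192.168.1.1 is translated to 1.1.1.1 (addresses from the thread).
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
!
! NAT exempt for the site-to-site VPN: inside 192.168.1.0/24 to remote 10.0.0.0/24
! (the remote subnet is an assumed example value).
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Pre-8.3 ACL on the outside interface matches the TRANSLATED (public) address.
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.1 eq 443
access-group OUTSIDE_IN in interface outside

! --- 8.3 and later (what the 9.x image on the 5515-X expects) ---
! Everything is object based: the translation is attached to the network object.
object network SRV-WEB
 host 192.168.1.1
 nat (inside,outside) static 1.1.1.1
!
! NAT exempt is gone; an identity twice NAT rule replaces it so VPN traffic between
! the two subnets is left untranslated (no-proxy-arp and route-lookup need 8.4(2)+).
object network NET-INSIDE
 subnet 192.168.1.0 255.255.255.0
object network NET-REMOTE
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static NET-INSIDE NET-INSIDE destination static NET-REMOTE NET-REMOTE no-proxy-arp route-lookup
!
! 8.3+ ACL on the outside interface matches the REAL (private) address, never 1.1.1.1.
! Leaving "host 1.1.1.1" here silently blocks all traffic to the server after migration.
access-list OUTSIDE_IN extended permit tcp any object SRV-WEB eq 443
access-group OUTSIDE_IN in interface outside
!
! Verify: each rule shows translate_hits / untranslate_hits as traffic flows.
show nat detail
```

The pre-8.3 static and nat 0 lines are not valid syntax on 8.3 and later, so only the second section belongs on the new units.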