05-06-2013 12:46 PM - edited 03-11-2019 06:39 PM
Is there a conversion tool? It would make my life a lot easier to convert 43 firewalls with failovers. Thank you in advance for your help and assistance.
05-06-2013 12:53 PM
Hi,
To my knowledge there are none.
The ASA will automatically convert the configuration. Though I cant say for sure what kind of software jump can be or does it matter even.
I have personally gone the route of manually rewriting NAT/ACL rules for each firewall.(And any other affected configurations) (In the process of migrating FWSM -> ASA still, now approx. 150 firewalls done)
So sadly I cant help you with finding a tool for it.
I will however link a document I made about the new NAT format
https://supportforums.cisco.com/docs/DOC-31116
And other good document that compares the old/new NAT format
https://supportforums.cisco.com/docs/DOC-9129
Naturally if you want to confirm some certain NAT configurations I'm sure you can find help here but so far I havent seen any conversion tool but havent really looked for one either.
The "risky" way would be to upgrade the failover pairs in steady software jumps and let the ASA automatically convert configurations. (To my understanding there has been some problems with NAT0 conversions in some of the first software jumps). The main reason originally for not letting ASA automatically conver the configurations was that I wanted to learn the new NAT format before using it. Also I dont quite like the output of the automatic conversion of the NAT rules.
- Jouni
05-06-2013 02:01 PM
Jouni is correct - there's no offline tool. I even opened a TAC case a while back asking if such was available even to TAC. The answer was no.
You may or may not get a TAC engineer to load your old config in a lab ASA for you to parse. With 43 firewalls you might have your own lab ASA that could be used similarly. Or "break" of the failover pairs to use the standby unit as a testing box.
The 8.3+ config parser will convert an earlier format configuration at load time and both load the newly converted configuration and generate a log file telling you what it changed.
It's mostly the NAT that gives you some risk during upgrade. You will get mixed messages from TAC but you can go directly from 8.2 to any of the higher versions (at least through the current 9.1(1)) as long as you have the required memory (prerequisites increased as of 8.3).
One additional benefit of rewriting the NAT and access-list entries "by hand" is that it's a good chance to validate your entries. But then depending on your operational environment that may be very difficult to do. You can at least run through a check looking for duplicated, hidden or shadowed access list entries.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide