09-28-2012 04:25 PM - edited 03-11-2019 05:01 PM
Hi Guys
Today we tried to convert 15 contexts sitting on a legacy 6509 with Sup2 running a FWSM to a new ASA SM sitting in a 6509E with a Sup2T. Trying to get the conversion to work took several attempts but when we did finally get somewhere and reloaded the box, I noticed on reboot after the Cisco Systems piece just before you are told to hit enter, we were still getting errors, but the conversion continued on through them and created all of the contexts.
However, when I examined the contexts I noticed that 90% of every ACL was removed! I know the static (inside,outside) is replaced with the nat object, and host names are changed to objects in ACLs, but nowhere did I read that most of my ACLs would be completely cleared!
Has anybody any ideas on why this would happen? I am migrating the client environment to the new 6509e Sup2T/ASA SM for real next weekend and am worried that I will have to rewrite all of the ACLs into the ASA beforehand.
Any guidance or support is greatly appreciated here. Thanks in advance guys
Paul.
10-08-2012 11:39 AM
Paul,
I hope you used the migration tool to do the conversion for you.
http://www.cisco.com/en/US/docs/security/asa/migration/fwsm/fwsm2asasm.html#wp335030
I would suggest opening a TAC case so, we can get this addressed for you.
-Kureli
01-09-2013 02:30 PM
Paul,
Did you resolve this? I'm seeing the same issue whilst converting a multi-context FWSM.
Any feedback would be appreciated,
Dean
01-09-2013 04:01 PM
Hi Dean
There was no quick solution to the problem I'm afraid. The conversion tool completely wiped out the majority of rules. Any ACL with the syntax 'host' and a hostname was wiped; you need to replace host with object, or use host and replace the name with the IP.
One way to get the bulk of the work done for you is to copy each context to a standalone ASA, and upgrade it from any version post 8.0 which is when Cisco introduced the whole 'object' syntax.
The other thing to be mindful of is that with the new IOS, the ACLs must contain only the real addresses. So you will need to change all of your ACLs to reflect only real addresses. The translation table will identify the traffic coming in the ingress interface as being destined for the NAT address, and it will allow it through once it sees the real address in the ACL.
To be honest, the conversion tool presented more problems than solutions.
Watch out also for changes in the Global and NAT statements. If you are referencing an ACL to match qualifying traffic, the new IOS will break out that line of config into every host it sees listed for that ACL, so the config becomes huge. I don't know where the benefit is in this.
I think Cisco could have put more time and effort into providing clients with proper solutions to go from FWSM 3.14 to ASA Modules.
Best of luck with it.
Paul
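One way to do the bulk of the "use host and replace the name with the IP" rewrite described in the post above before a context is fed to the migration tool, as an added example that is not part of this thread or of any Cisco tool. It assumes the standard FWSM `name <ip> <hostname>` and `access-list ... host <x>` syntax; the config sample is constructed, and hostnames that have no `name` entry are reported rather than silently left for the tool to drop.

```python
import re

# Constructed sample of an FWSM context config (not from the thread).
SAMPLE_CONFIG = """\
name 10.1.1.5 webserver
name 10.1.1.6 mailserver
access-list OUTSIDE_IN extended permit tcp any host webserver eq 80
access-list OUTSIDE_IN extended permit tcp any host mailserver eq 25
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.7 eq 443
access-list OUTSIDE_IN extended permit tcp any host dbserver eq 1433
access-group OUTSIDE_IN in interface outside
"""

NAME_RE = re.compile(r"^name\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")
HOST_RE = re.compile(r"\bhost\s+(\S+)")
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_names(config):
    """Collect 'name <ip> <hostname>' statements into a hostname -> ip map."""
    names = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def rewrite_acls(config):
    """Replace 'host <hostname>' in access-list lines with 'host <ip>'.

    Returns (rewritten config, list of hostnames with no 'name' entry)
    so the unresolved lines can be fixed by hand before migration.
    """
    names = parse_names(config)
    unresolved = []
    out = []
    for line in config.splitlines():
        if line.lstrip().startswith("access-list"):
            def sub(m):
                token = m.group(1)
                if IPV4_RE.fullmatch(token):
                    return m.group(0)  # already a literal IP, leave as-is
                if token in names:
                    return "host " + names[token]
                unresolved.append(token)  # no 'name' statement for it
                return m.group(0)
            line = HOST_RE.sub(sub, line)
        out.append(line)
    return "\n".join(out) + "\n", unresolved
```

Run it over a context's running-config and review the unresolved list before loading the result on the ASA SM.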
01-10-2013 02:07 AM
Paul,
This is really useful information. At least now I can consider the best way forward. I just wish Cisco had outlined these issues more in the migration documentation.
Really appreciate your feedback.
All the best,
Dean