
Link to configuration convertor tool from PIX to ASA

m-abooali
Level 4

Hi,

I have been looking unsuccessfully for the Cisco tool that takes the PIX config and converts it to ASA (PIX 5125 to ASA 5520). I was wondering if I need that and, if it's a yes, where I can find that tool on the Cisco site please?

Regards,

Masood

26 Replies

Exactly

I just spoke to the client and he will downgrade the ASAs to 8.2.5 so we can transfer the PIX 525 configs over with no problems.

Can we then upgrade to 8.4 directly from 8.2.5?

At this point I would like to thank you for the time you took to assist me on this issue.

Best Regards,

Masood

I am looking at the drawing in the Cisco documentation and it says "Serial Failover Cable"!? I remember using two Ethernet copper interfaces on each ASA in the past to do Active/Standby failover without a serial cable!? The PIX had serial cables, but with the ASA 5520 I shouldn't need to use a serial cable, nor is there a serial interface available on the ASAs!?

As far as I know and have done before:

1- I need two Ethernet interfaces on each ASA to do Active/Standby failover!?

Can you please advise on that?

They don't have a switch to be used for redundancy / failover configuration, so I must do cable-based failover using normal Ethernet cables, but this Cisco document saying serial cable has confused me!?

Please advise,

Regards,

Masood

You can use only one physical interface and send the link and the state on the same interface.

You only need one cable for this.

Please let me know if you have any other questions

Well, that is certainly good to know, and I am assuming the configuration we had discussed is indeed for that one interface on each device, both LAN and state.

As for the upgrading, I asked them to downgrade to 8.2.5 as you had suggested, but going back to my question: is upgrading possible from 8.2.3 to 8.4?

Thanks so much for your assistance.

Regards,

Masood

Yes Masood, you can upgrade from 8.2.5 to 8.4

Thanks so much!

Masood

You are very welcome

Hello again,

This configuration has really confused me since it has the standby keyword under the inside interface!? I do not want to change any configs under the inside interface of my current PIX configuration.

Would you please be able to tell me what I need to type on the ASAs to configure them for this cable-based failover?

Here is what the link you suggested has listed, which is confusing since it has the standby keyword under the inside interface?

interface Ethernet0/0
nameif outside
security-level 0
ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
no shut
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
no shut
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
no shut

and the STANDBY:

failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover key *****
failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2

Now, I already have the configs from the PIX 525, which I am going to paste directly onto the ASA, which has been downgraded to 8.2.3.

So how does it work with the failover configuration?

Can you please advise on how I go about the following:

1- configure failover before I paste the PIX config onto the ASA?

2- paste config for PIX 525 onto the ASA which I have already downgraded the ASA to 8.2.3 version.

Please advise.

Regards,

Masood

Back to my earlier reply:

Here is what they have on the PIX 525

!
interface Ethernet0
shutdown
nameif outside
security-level 0
no ip address
!
interface Ethernet1
shutdown
nameif YZYZ
security-level 99
ip address 192.168.101.2 255.255.255.0
!
interface GigabitEthernet0
nameif YYYYY -Outside
security-level 1
ip address 156.132.x.x 255.255.254.0 standby 156.132.x.x

And one VLAN and other stuff.

Thanks,

Masood

First paste the configuration to the ASA on version 8.2.5

then enable the failover on both:

failover lan unit primary
failover lan interface failover "interface you will use with failover"
failover key *****
failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover

failover lan unit secondary
failover lan interface failover "interface you will use with failover"
failover key *****
failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover

Test it and then do the upgrade
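
Added example, not part of the reply above or of any Cisco tool: a pre-cutover check that the two units' failover stanzas agree on everything except the unit role, and that the standby address sits in the failover link's subnet. The sample input is constructed from the stanzas in the reply; the key value `ExampleKey` and the function names are assumptions.

```python
import ipaddress

# Constructed sample input modelled on the stanzas in the reply above;
# the interface name and "ExampleKey" are illustrative values.
PRIMARY = """\
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover key ExampleKey
failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover
"""
SECONDARY = PRIMARY.replace("unit primary", "unit secondary")

def parse_failover(text):
    """Collect the failover settings from one unit's configuration text."""
    cfg = {"enabled": False}
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] != "failover":
            continue
        if len(w) == 1:
            cfg["enabled"] = True
        elif w[1:3] == ["lan", "unit"] and len(w) == 4:
            cfg["unit"] = w[3]
        elif w[1:3] == ["lan", "interface"] and len(w) == 5:
            cfg["link"] = (w[3], w[4])          # (link name, physical port)
        elif w[1] == "key" and len(w) == 3:
            cfg["key"] = w[2]
        elif w[1:3] == ["interface", "ip"] and len(w) == 8 and w[6] == "standby":
            cfg["ip"] = (w[3], w[4], w[5], w[7])  # name, active, mask, standby
    return cfg

def check_pair(primary_text, secondary_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    p, s = parse_failover(primary_text), parse_failover(secondary_text)
    problems = []
    if (p.get("unit"), s.get("unit")) != ("primary", "secondary"):
        problems.append("unit roles must be primary and secondary")
    for field in ("enabled", "link", "key", "ip"):
        if p.get(field) != s.get(field) or not p.get(field):
            problems.append(f"'{field}' missing or different between units")
    if p.get("ip"):
        name, active, mask, standby = p["ip"]
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if ipaddress.ip_address(standby) not in net or standby == active:
            problems.append("standby address must be a different host in the same subnet")
        if p.get("link") and p["link"][0] != name:
            problems.append("failover interface ip names a different link")
    return problems
```

A key that appears as `*****` in `show running-config` output is masked on both units, so the key comparison is only meaningful against the values you intend to enter.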

Hi,

I did transfer over the converted PIX 525 config (converted to ASA 5520 8.4 after going through proper steps) and configured the failover successfully, and thanks for your help.

Now, on Friday, we will be conducting a cutover after hours, but the client has raised the issue listed below:

I believe intf2-AO-Outside should be GigabitEthernet1/0, XXPOAP should be GigabitEthernet1/1.10 and intf3-XXPO-Inside should be GigabitEthernet1/1.20.

Inside and outside interfaces will be connected to Fiber Ports on Slot 1.

Failover interface is using copper GigabitEthernet0/2 on Slot 0 which is correct.

PIX525 has only Slot 0 so all Interfaces on PIX are 0/0, 0/1, etc.

What do you think?

I was wondering if the difference in slots between PIX 5125 and ASA 5520 can cause issues? There is a problem with my CCO account not being connected to the service contracts that we have with Cisco as a Cisco Gold Partner, and I cannot create a TAC at this time until the problem is resolved.

The PIX had Ethernet interfaces, but after conversion I changed the Ethernet interfaces to GigabitEthernet interfaces to match that of the ASA without altering any other configurations under those interfaces, and I assume it must work as expected!?

Have I missed something?

on PIX:

interface GigabitEthernet0
nameif intf2-XX-Outside
security-level 1
ip address 1X.X.132.106.232 255.255.254.0 standby 156.132.106.231

interface GigabitEthernet0/0
shutdown
nameif intf2-AO-Outside
security-level 1
ip address 156.132.106.232 255.255.254.0 standby 156.132.106.231

on the ASA:

interface GigabitEthernet0/0
shutdown
nameif intf2-XXO-Outside
security-level 1
ip address 156.132.106.232 255.255.254.0 standby 156.132.106.231

Does this make sense?

Please advise,

masood
