07-02-2012 12:50 PM - edited 03-11-2019 04:25 PM
Hi,
I have been looking unsuccessfully for the Cisco tool that takes the PIX config and converts it to ASA (PIX 5125 to ASA 5520). I was wondering if I need that and, if it's a yes, where I can find that tool on the Cisco site, please?
Regards,
Masood
07-03-2012 10:46 AM
Exactly
07-03-2012 11:08 AM
I just spoke to the client and he will downgrade the ASAs to 8.2.5 so we can transfer the PIX 525 configs over with no problems.
Can we then upgrade to 8.4 directly from 8.2.5?
At this point I would like to thank you for the time you took to assist me on this issue.
Best Regards,
Masood
07-03-2012 11:16 AM
I am looking at the drawing in the Cisco documentation and it says "Serial Failover Cable"!? I remember using two Ethernet copper interfaces on each ASA in the past to do Active/Standby failover without a serial cable!? The PIX had serial cables, but with the ASA 5520 I shouldn't need to use a serial cable, nor is there a serial interface available on the ASAs!?
As far as I know and have done before:
1- I need two Ethernet interfaces on each ASA to do Active/Standby failover!?
Can you please advise on that?
They don't have a switch to be used for redundancy / failover configuration, so I must do cable-based failover using normal Ethernet cables, but this Cisco document saying serial cable has confused me!?
please advise,
Regards,
Masood
07-03-2012 11:23 AM
You can use only one physical interface and send the link and the state on the same interface.
You only need one cable for this.
Please let me know if you have any other questions
07-03-2012 11:39 AM
Well, that is certainly good to know, and I am assuming the configuration we had discussed is indeed for that one interface on each device, both LAN and state.
As for the upgrading, I asked them to downgrade to 8.2.5 as you had suggested, but going back to my question, is upgrading possible from 8.2.3 to 8.4?
Thanks so much for your assistance.
Regards,
Masood
07-03-2012 11:47 AM
Yes Masood, you can upgrade from 8.2.5 to 8.4
07-03-2012 11:52 AM
Thanks so much!
Masood
07-03-2012 12:08 PM
You are very welcome
07-05-2012 12:29 PM
hello again,
This configuration has really confused me since it has the standby keyword under the inside interface!? I do not want to change any configs under the inside interface of my current PIX configuration.
Would you please be able to tell me what I need to type on the ASAs to configure them for this cable-based failover?
Here is what the link you suggested has listed, which is confusing since it has the standby keyword under the inside interface:
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.22.1.252 255.255.255.0 standby 172.22.1.253
no shut
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
no shut
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
no shut
and the STANDBY:
failover
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover key *****
failover interface ip failover 192.168.55.1 255.255.255.0 standby 192.168.55.2
Now, I already have the configs from the PIX 525, which I am going to paste directly onto the ASA, which has been downgraded to 8.2.3.
So how does it work with the failover configuration?
Can you please advise on how I go about the following:
1- Configure failover before I paste the PIX config onto the ASA?
2- Paste the config for the PIX 525 onto the ASA, which I have already downgraded to version 8.2.3.
Please advise.
Regards,
Masood
07-05-2012 12:34 PM
back to my earlier reply:
Here is what they have on the PIX 525:
!
interface Ethernet0
shutdown
nameif outside
security-level 0
no ip address
!
interface Ethernet1
shutdown
nameif YZYZ
security-level 99
ip address 192.168.101.2 255.255.255.0
!
interface GigabitEthernet0
nameif YYYYY -Outside
security-level 1
ip address 156.132.x.x 255.255.254.0 standby 156.132.x.x
AND one vlan and other stuff.
Thanks,
Masood
07-05-2012 01:16 PM
First paste the configuration to the ASA on version 8.2.5,
then enable the failover on both:
failover lan unit primary
failover lan interface failover "interface you will use with failover"
failover key *****
failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover
failover lan unit secondary
failover lan interface failover "interface you will use with failover"
failover key *****
failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover
Test it and then do the upgrade
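A pre-cutover consistency check for the two failover stanzas in the reply above, as an added example that is not part of the thread or of any Cisco tooling. The sample config is constructed by pairing the reply's failover addresses with the inside address from the sample config quoted earlier in the thread, and the function names `parse` and `check_pair` are hypothetical. It checks that both units have the unit role, `failover` and `failover key` lines, that the interface and address lines match, and that the failover subnet does not collide with a data interface (assumption: the failover link should sit in a subnet no other interface uses).

```python
import ipaddress
import re

# Constructed sample, not taken from a real device.
COMMON = """interface Ethernet0/1
 ip address 10.10.10.10 255.255.255.0 standby 10.10.10.11
failover lan interface failover Ethernet0/3
failover key *****
failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover
"""
PRIMARY = "failover lan unit primary\n" + COMMON
SECONDARY = "failover lan unit secondary\n" + COMMON

def parse(cfg):  # failover settings and data-interface networks of one unit
    lines = [l.strip() for l in cfg.splitlines()]
    out = {"enabled": "failover" in lines, "unit": None, "lan": None, "ip": None, "nets": [],
           "key": any(l.startswith("failover key ") for l in lines)}
    for line in lines:
        if m := re.fullmatch(r"failover lan unit (primary|secondary)", line):
            out["unit"] = m[1]
        elif m := re.fullmatch(r"failover lan interface (\S+) (\S+)", line):
            out["lan"] = m.groups()
        elif m := re.fullmatch(r"failover interface ip \S+ (\S+) (\S+) standby (\S+)", line):
            out["ip"] = m.groups()
        elif m := re.match(r"ip address (\S+) (\S+)", line):  # "no ip address" does not match
            out["nets"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    return out

def check_pair(primary_cfg, secondary_cfg):  # returns findings; empty list means consistent
    p, s = parse(primary_cfg), parse(secondary_cfg)
    findings = []
    if (p["unit"], s["unit"]) != ("primary", "secondary"):
        findings.append("unit roles must be primary/secondary")
    for name, u in (("primary", p), ("secondary", s)):
        if not u["enabled"]:
            findings.append(f"{name}: failover not enabled")
        if not u["key"]:
            findings.append(f"{name}: no failover key, failover traffic is sent in clear text")
    if p["lan"] != s["lan"] or p["ip"] != s["ip"] or not p["ip"]:
        findings.append("failover interface or address missing or different between units")
    else:
        active, mask, standby = p["ip"]
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if active == standby or ipaddress.ip_address(standby) not in net:
            findings.append("standby address must differ and share the failover subnet")
        if any(net.overlaps(n) for n in p["nets"] + s["nets"]):
            findings.append("failover subnet overlaps a data interface subnet")
    return findings
```

On the constructed sample, `check_pair(PRIMARY, SECONDARY)` reports only the subnet overlap; moving the failover link to a subnet of its own clears it.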
07-11-2012 09:24 AM
Hi,
I did transfer over the converted PIX 525 config (converted to ASA 5520 8.4 after going through proper steps) and configured the failover successfully, and thanks for your help.
Now, on Friday, we will be conducting a cutover after hours, but the client has raised the issue listed below:
I believe intf2-AO-Outside should be GigabitEthernet1/0, XXPOAP should be
GigabitEthernet1/1.10 and intf3-XXPO-Inside should be GigabitEthernet1/1.20.
Inside and outside interfaces will be connected to Fiber Ports on Slot 1.
Failover interface is using copper GigabitEthernet0/2 on Slot 0 which is correct.
PIX525 has only Slot 0 so all Interfaces on PIX are 0/0, 0/1, etc.
What do you think?
I was wondering if the difference in slots between the PIX 5125 and ASA 5520 can cause issues? There is a problem with my CCO account not being connected to the service contracts that we have with Cisco, being Cisco's Gold Partner, and I cannot create a TAC case at this time until the problem is resolved.
The PIX had Ethernet interfaces, but after conversion I changed the Ethernet interfaces to GigabitEthernet interfaces to match that of the ASA without altering any other configurations under those interfaces, and I assume it must work as expected!?
Have I missed something?
on PIX:
interface GigabitEthernet0
nameif intf2-XX-Outside
security-level 1
ip address 1X.X.132.106.232 255.255.254.0 standby 156.132.106.231
interface GigabitEthernet0/0
shutdown
nameif intf2-AO-Outside
security-level 1
ip address 156.132.106.232 255.255.254.0 standby 156.132.106.231
on the ASA:
interface GigabitEthernet0/0
shutdown
nameif intf2-XXO-Outside
security-level 1
ip address 156.132.106.232 255.255.254.0 standby 156.132.106.231
does this make sense?
Please advise,
masood