08-28-2013 11:41 PM - edited 03-11-2019 07:31 PM
Hi All,
I have firewall running on ASA 5520 Firewall. There is a need to do Tech Refresh to X-Series as the model is EOS and going to be EOL soon.
I have hundreds of VPN accounts, running on IKEv1, using Cisco IPSec VPN Clients.
Is there any migration tools that can help me converting my current configuration to the new firewall configuration?
Current ASA 5520 version is 8.3.
New X-Series will be running on 9.1
I tried copy and paste configuration from ASA5520 to X-Series (I have a testing X-Series ASA now), but the preshared password is not the same.
I don't want to reset all my hundreds over users preshared key, there must be other smarter way to do that.
Any help is much appreciated.
Thanks in advance.
08-29-2013 12:11 AM
Hi,
To my understanding as your ASA is already running 8.3 software level the format changes to the configuration would be minor.
The VPN related problem you might be running into is that (if I remember correctly) 8.3 software still didn't have the "ikev1" keyword in the VPN configurations.
For example commands like
crypto ipsec ikev1 transform-set
ikev1 pre-shared-key
crypto ikev1 policy 10
crypto ikev1 enable
crypto map
And there might be others also
You would need to make those kind of modifications to the configuration before inserting it to the new ASA.
You naturally also have the option to upgrade the current ASA to some 8.4 software level which would be almost identical to the 9.1 configuration format. (9.1 introduced some modifications related to ACL where "any" refers to both IPv4/IPv6 and "any4" IPv4 only and "any6" IPv6 only if I don't remember wrong)
I am not sure what you mean by the PSK / Pre-Shared-Key thing. Are you saying that you can't get the current PSKs and don't want to change them for all the connections?
To determine the PSKs (that now show up as *********) you can use this command on the current ASA to view the actual PSKs
more system:running-config
This will let you see all the PSKs (among other things)
- Jouni
08-29-2013 12:22 AM
Hi,
Thanks for the reply.
A sample of my config:
tunnel-group LAYHIN-VPNACCESS type remote-access
tunnel-group LAYHIN-VPNACCESS general-attributes
address-pool layhin-ippool
authentication-server-group AASERVER
default-group-policy LAYHIN-VPNACCESS
tunnel-group LAYHIN-VPNACCESS ipsec-attributes
ikev1 pre-shared-key *****
Every vpn user has their own tunnel-group.
08-29-2013 12:55 AM
Hi,
What is the actual problem?
Was it getting the actual PSKs from the current 8.3 running firewall?
The command I mentioned above should list the PSKs in clear text in the configuration when you run it in the device that is currently in production use.
more system:running-config
If you have just used the "show run" command to get the current configuration from the production firewall and inserted that to the new firewall then that means that you have inserted all the PSKs as ******** rather than the actual real PSK.
So if you need to determine the actual PSK for each Tunnel Group then do this
- Jouni
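As an added example (not from Jouni or Cisco), the two points above can be turned into a small check: rewrite the 8.3-era IKEv1 commands into the "ikev1" syntax and flag every tunnel-group whose pre-shared key is still the masked "*****" from "show run" rather than the real key from "more system:running-config". The keyword rewrites are the common 8.3 to 8.4+ renames; the sample config is constructed, and a real migration should still be diffed against the running device.

```python
import re

# Assumed 8.3 -> 8.4/9.x IKEv1 keyword renames (not Cisco's own migration tool).
REWRITES = [
    (re.compile(r"^(\s*)crypto isakmp policy (\S+)"), r"\1crypto ikev1 policy \2"),
    (re.compile(r"^(\s*)crypto isakmp enable (\S+)"), r"\1crypto ikev1 enable \2"),
    (re.compile(r"^(\s*)crypto ipsec transform-set "), r"\1crypto ipsec ikev1 transform-set "),
    (re.compile(r"^(\s*)(crypto (?:dynamic-)?map \S+ \d+ set) transform-set "),
     r"\1\2 ikev1 transform-set "),
    (re.compile(r"^(\s*)pre-shared-key "), r"\1ikev1 pre-shared-key "),
]

def migrate_config(text):
    """Return (converted_lines, masked_groups).

    masked_groups lists tunnel-groups whose PSK is only asterisks, i.e. the
    config came from 'show run' and must be re-exported with
    'more system:running-config' before it is pasted into the new ASA.
    """
    out, masked, group = [], [], None
    for line in text.splitlines():
        m = re.match(r"^tunnel-group (\S+) ipsec-attributes", line)
        if m:
            group = m.group(1)            # entering a tunnel-group's ipsec section
        elif not line.startswith(" "):
            group = None                  # any other top-level command ends it
        for pat, repl in REWRITES:
            line, n = pat.subn(repl, line)
            if n:
                break
        if group and re.match(r"^\s*ikev1 pre-shared-key \*+\s*$", line):
            masked.append(group)          # masked PSK: unusable on the new box
        out.append(line)
    return out, masked

# Constructed sample: one real PSK, one masked PSK copied from "show run".
SAMPLE_83 = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
tunnel-group USER1-VPN type remote-access
tunnel-group USER1-VPN ipsec-attributes
 pre-shared-key s3cr3t-from-more-system
tunnel-group USER2-VPN ipsec-attributes
 pre-shared-key *****
"""
```

Running migrate_config(SAMPLE_83) reports USER2-VPN as masked while USER1-VPN converts cleanly.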
08-29-2013 01:04 AM
Hi Jouni,
You are right, using "more system:running-config" allows me to see the pre-shared key of my vpn users.
It solves half of my problem, at least I don't need to tell my users that their password will be reset.
Nevertheless, I will have to configure all my 300 users' passwords one by one.
I was trying to see whether there is any other better way :-)
08-29-2013 01:11 AM
Hi,
You should be able to insert the same username/password configurations from the current ASA to the new ASA.
If you mean the below configuration lines from the current ASA.
username
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed though.
- Jouni
08-29-2013 01:13 AM
Hi,
Now I catch the idea.
Thank you for your patience.