Migration from ASA 5520 to 5516-X

danielschmalen
Level 1

Hey guys,

for a customer, I'm asked to plan a migration from two existing Cisco ASA 5520 clusters to a new model (but still 2 clusters). Currently, I'm thinking about the Cisco ASA 5516-X, which will be sufficient for the next 5 years (and plus) based on the current stats and the determined growth.

However, the first cluster comes with the following version:

Cisco Adaptive Security Appliance Software Version 9.1(7)23
Device Manager Version 7.7(1)

The second cluster comes with an 8 release:

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.2(1)

As far as I can see in the ASA compatibility matrix (https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#id_59421), the 5516-X cannot go lower than 9.3, and therefore I cannot have the old and new hardware on the same software version.

What is the best way to migrate here?

A Firepower 2110 would also be possible, but I have not worked with Firepower yet. Therefore, I would stay with the ASA, which is also probably the least migration effort (even with the Firepower Migration Tool)?

Thanks a lot guys, I appreciate any help and suggestions here.

Daniel

Accepted Solution

Marvin Rhoads
Hall of Fame

Their second cluster should first be migrated to a similar 9.1 release as the first one. Then you can copy the configurations over much more easily.

You can run the ASA image on a Firepower 2110 (however, you cannot run Firepower services when using it that way). That would also make an eventual migration to FTD an easier and better step, since the hardware is better suited to that.

Thanks for the quick reply!

I also thought about upgrading to 9.1 first, I just need to verify if downtimes are possible prior to the migration. But since it is an active-standby cluster, the operation should be easily possible after business hours.

According to a migration page from Cisco (sorry, I don't have the link right now), Cisco suggests migrating from a 5520 to a 5525-X. The advantage of taking a 5525-X is that I could run the exact same version on the new firewalls as before and upgrade after the migration and verification of the service status. So, there won't be too many changes in the same big-bang change. Thoughts?

The software image is the same for both the 5516 and 5525, so you could run the same on the new boxes. You just need to go up to 9.1 first.

Note that there was a significant change to how NAT is handled from 8.3 upwards. During the upgrade, NAT will be automatically rebuilt the new way, but in my experience this can cause some issues, so make sure to back up the old config so you can build the NAT rules manually if needed.
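To make the NAT change concrete, here is an added example (not part of the thread or of any Cisco document): one small rule set written in the pre-8.3 nat/global/static syntax, followed by the 8.3+ object NAT form the upgrade rebuilds it into, plus the checks to run afterwards. Interface names, networks and addresses are constructed for illustration.

```cisco
! ---- Pre-8.3 syntax (what the 8.0(4) cluster's backup will contain) ----
! Dynamic PAT for the inside LAN, static NAT for one web server.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
! Pre-8.3 ACLs match on the MAPPED (translated) address.
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! ---- 8.3+ object NAT (how the same policy is expressed after upgrade) ----
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network web-server
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
! 8.3+ ACLs match on the REAL (untranslated) address, so the rule now
! references the object holding 192.168.1.10, not the public IP. A rule
! left pointing at 203.0.113.10 would never match and silently drop traffic.
access-list outside_in extended permit tcp any object web-server eq 443
access-group outside_in in interface outside

! ---- Post-upgrade verification before cutting production over ----
! 1. Confirm every old nat/global/static line has a counterpart:
show nat
! 2. Walk a real flow through the rebuilt NAT and ACL tables:
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443
! 3. Diff the rebuilt ACLs against the backup for any surviving mapped IPs:
show running-config access-list
```

If `show nat` or `packet-tracer` disagrees with what the old `static`/`nat` lines intended, rebuild the affected rules by hand from the backup rather than trusting the automatic conversion.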
