Migration from Cisco PIX to ASA

usman ali dar
Level 1

We have two firewalls:

  1. Old firewall: PIX, outside IP 192.168.100.1/24
  2. New firewall: ASA, outside IP 192.168.100.10/24

The old firewall (PIX) is NATted (globally) on the inside with the interface address for most of the network segments, which include many applications and other resources.

 

Now, if I migrate all the configuration to the new firewall (ASA) and shut down the old firewall (PIX), it might break applications that require that outside interface IP address.

 

I can think of two solutions:

  1. I can change the outside IP of the new firewall (ASA) to that of the old firewall (PIX).
  2. I can define one more address globally and NAT all the network segments to it, as it is configured on the PIX, and route the traffic towards the new firewall (ASA).

 

As for solution 1, I don't know what happens if I change the IP address of the new firewall to the old firewall's. Will it totally break the ASA, or is it just the interface, and will it take it and start working?

 

I can't do sub-interfaces because it's in the same subnet, nor an additional interface address or a secondary address; those won't work.

 

Any suggestions on the best way to deal with it?

2 Replies

Kanwaljeet Singh
Cisco Employee

Hi Usman,

You can use the PIX IP on your new ASA (create an object) and use it for NAT. No need to define it on the interface. The ASA will NAT it and answer ARP for this IP. Depending on your requirement, you can even use the PIX IP on the outside interface, but your existing rules will be impacted too. Clear xlate if you choose the latter and it should work fine. If you choose the former, ensure that routing is properly taken care of and it should work just fine.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
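The first option in the reply above (keep the PIX's old outside address as a NAT object on the ASA, not on the interface), written out as an added example for ASA 8.3+/9.x object-NAT syntax. This is not configuration from the thread; the interface names, the inside subnet 10.1.1.0/24, the next hop 192.168.100.254 and the test destination 203.0.113.5 are assumptions for illustration. Only the two addresses from the question (192.168.100.1 for the PIX, 192.168.100.10 for the ASA) are taken from the page.

```cisco
! Added example, not from the original thread. ASA 9.x object NAT that keeps
! the former PIX outside address as the mapped address while the ASA's own
! outside interface stays at 192.168.100.10/24.
! Assumed: interface names, inside subnet 10.1.1.0/24, upstream 192.168.100.254.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
! The old PIX outside address lives in an object only; it is not bound to
! any interface. The ASA proxy-ARPs for it on "outside" because it is the
! mapped address of a NAT rule on that interface.
object network PIX_OLD_OUTSIDE
 host 192.168.100.1
!
! An inside segment that used to be PATted behind the PIX outside address.
! Object NAT: every host in 10.1.1.0/24 is PATted to 192.168.100.1 on outside.
object network INSIDE_SEG_A
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic PIX_OLD_OUTSIDE
!
! Routing must still send return traffic for 192.168.100.1 to this ASA:
! the upstream router reaches it by ARP on the shared /24, so only the
! default route is needed here (next hop is an assumption).
route outside 0.0.0.0 0.0.0.0 192.168.100.254 1
!
! Verification after the cutover:
show nat detail
show xlate
packet-tracer input inside tcp 10.1.1.10 40000 203.0.113.5 1234
!
! Second option from the reply (move 192.168.100.1 onto the outside
! interface instead and PAT to "interface"); flush translations afterwards:
! interface GigabitEthernet0/0
!  ip address 192.168.100.1 255.255.255.0
! object network INSIDE_SEG_A
!  nat (inside,outside) dynamic interface
! clear xlate
```

One practical caveat either way: after the PIX is shut down, the upstream router may keep the PIX's MAC address cached for 192.168.100.1 until its ARP entry ages out, so return traffic can be black-holed for a few minutes. Clearing that ARP entry on the router at cutover time avoids the wait. `show nat detail` should show the `translate_hits` counter for the `INSIDE_SEG_A` rule increasing once inside hosts start using the new firewall.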

Hey, I hope you are doing well. I have successfully upgraded the firewall to ASA 9, but there are some issues; kindly, can you help?

 

SCENARIO:

 

We have set up all the traffic from inside to go outside for internet, and we NAT the network segments that we want to provide with internet and other services.

 

We have inside users that usually connect to a server on the internet via client workflows with a static port. I have added one single rule for it:

 

permit any from inside to go outside to the server on port TCP 1234

 

Now the issue starts like this: all the users connect in the morning, and suddenly some of the users (8 out of 10) are kicked out and two remain connected to the server. Nobody, new or old, can log in to the server.

 

After some time, like 1, 2 or 3 hours, it starts working again. I am trying to see what's wrong on my network side, if there is anything, or on the firewall, so that I can fix it.

  1. I tried capturing packets from client to server when there is no outage. I see packets sent on the port, NATted, and then connected; simple.
  2. I tried capturing packets from the same client to the server when there is an outage. I see the client sending packets and retransmitting with no response; after 9 seconds the server ACKs the transmission and then it is lost again. After some time the client closes the connection.
  3. I tried a traceroute; it's all the same.

 

Kindly help or guide.
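The post above describes captures taken on the client side. An added example (not from the thread, and not a diagnosis of the reported outage) of how to take the same look from the ASA itself, so that a client-side retransmit can be matched against what the firewall saw on each interface and whether it dropped anything. The server address 203.0.113.5, the inside subnet 10.1.1.0/24 and the mapped address 192.168.100.1 are assumptions for illustration; TCP port 1234 is the port named in the post.

```cisco
! Added example, not from the original thread. Capture the port-1234 flow on
! both ASA interfaces plus every packet the ASA drops, during an outage.
! Assumed: server 203.0.113.5, inside subnet 10.1.1.0/24, PAT address 192.168.100.1.
!
! Inside capture: client -> server, pre-NAT addresses.
capture CAP_IN interface inside match tcp 10.1.1.0 255.255.255.0 host 203.0.113.5 eq 1234
!
! Outside capture: same flow after NAT, so the source is the mapped address.
capture CAP_OUT interface outside match tcp host 192.168.100.1 host 203.0.113.5 eq 1234
!
! Everything the accelerated security path drops, with the drop reason.
capture CAP_DROP type asp-drop all
!
! While a client is stuck retransmitting, compare the three views:
show capture CAP_IN
show capture CAP_OUT
show capture CAP_DROP | include 203.0.113.5
!
! Drop counters by reason since the last clear (e.g. connection-limit or
! TCP state violations) and the live connection table for this flow.
show asp drop
show conn address 203.0.113.5 port 1234 detail
show xlate global 192.168.100.1
!
! Simulate a fresh login attempt through the current policy and NAT.
packet-tracer input inside tcp 10.1.1.10 40000 203.0.113.5 1234 detailed
!
! Clean up when done; captures buffer in memory.
no capture CAP_IN
no capture CAP_OUT
no capture CAP_DROP
```

Reading the result: if a client SYN appears in `CAP_IN` and `CAP_OUT` but no SYN-ACK ever returns in `CAP_OUT`, the loss is beyond the ASA (upstream path or the server); if the SYN-ACK is present in `CAP_OUT` but missing in `CAP_IN`, the ASA dropped it and `CAP_DROP` or `show asp drop` should name the reason. The `show conn ... detail` output also shows each connection's idle timer, which is worth checking against what the client application expects when only a couple of sessions survive.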
