Need direction on 5505 to 5512 migration

Steven Couture
Level 1

We recently purchased a 5512 to replace our 5505. The 5505 is running software version 8.4(7)3. We want to go to the latest software on the 5512. What I want is a general overview of how to proceed with this. Should I do incremental upgrades on the 5505 to the latest software and then concentrate on the migration?

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

From what I can see you should be able to upgrade the ASA5505 directly to the 9.3 software version considering your current software level. I would suggest going through the ASA Release Notes to see if any of the changes really affect your situation.

Refer to this document:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/release/notes/asarn93.html#pgfId-769104

The only problems with software updates that I have faced with ASAs have always been due to some bug or even a hardware malfunction. I have never really had problems with things that have actually been mentioned in the release notes.

Personally I would not even touch the ASA5505 software level but just copy its configuration to a text file, edit it to fit the new ASA5512-X (remove old useless configurations, update the naming policy for objects/ACLs/interfaces etc.) and then switch the devices when you are ready. To my understanding there should not be many (if any) changes from your current software to the newest one when considering the basic configurations that the ASA has (ACL/NAT).

I would personally do it like that so that I would still be able to easily revert back to the old setup by simply switching the devices.

I have only done an ASA5500 to ASA5500-X series update a couple of times. The last one was replacing a 5540 Failover pair with a 5545-X Failover pair. The old one was running 8.2 software and the newer one started with 9.1(2) I think. I simply converted the configuration by hand to the new format (NAT/ACL) and installed the new Failover pair in the datacenter. The actual switching was naturally just moving cables to the new devices and confirming that everything was working.

PS. Just looking at the documents when writing this reply, it seems that Cisco has finally released a new ASA model corresponding to the ASA5505 (ASA5506-X).

EDIT: Totally missed the fact that the ASA5505 does not support 9.3 software.

- Jouni


5 Replies

nspasov
Cisco Employee

Hi Steven, my answers below:

- You can do a direct upgrade from your current 5505 code to the latest code supported on the 5505. Thus, you won't need to perform any interim/incremental upgrades to get on the latest code. The best place to find such information is the release notes for the ASA code:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/release/notes/asarn93.html

- However, you did say that you want to run the latest version on the 5512-X which right now is in the 9.3.x train. Unfortunately, the ASA 5505 only supports up to version 9.2.x.

- With regards to the version of code: Unless you have a specific feature that you need in 9.3.x I would currently recommend that you stay away from it :) Instead, you can run the much more stable release of 9.1(5)

- So, if you still want to run the latest code then I would recommend that you:

1. Upgrade the ASA 5505 to 9.1(5).

2. Upgrade/downgrade the 5512-X to 9.1(5).

3. Migrate the config from the 5505 to the 5512-X.

4. Upgrade the 5512-X to the latest code.

5. Check and make sure there were no errors/issues after the upgrade.

- Overall, your config migration should not be too bad since you are already running a version of code that is 8.3.x or later, which includes the new NAT and ACL structure.

I hope this helps!

 

Thank you for rating helpful posts!


I'd second Jouni's recommendation.

The main stumbling block I would see is recognizing that the new firewall doesn't have the built-in switch and VLAN interfaces that the 5505 has.

FYI the 5506 isn't quite out yet. The latest ASA software release notes mention adding support for it but the hardware has not been officially announced as of this posting (nor is it orderable).

Thank you all - Marvin, what are the ramifications of the 5512 not having the built-in switch and VLAN interfaces?

The interfaces on the 5512-X will all be routed interfaces (assuming routed mode for the overall firewall). That's a bit different than the 5505, which can have multiple interfaces assigned to a VLAN and thus act like a small switch.

You just need to keep that in mind when migrating the 5505 interface configurations (and any NAT or ACL applied to them) to the new platform.
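The interface point above, and step 3 of the upgrade sequence earlier in the thread (migrating the 5505 config to the 5512-X), can be rehearsed offline before touching either box. The script below is an added example written for this thread; it is not Cisco's migration tool and not code from any of the posters. It takes a saved `show running-config` text from a 5505, rewrites each `interface VlanN` block as the routed 5512-X port you assign to it, drops the `switchport` blocks the 5512-X does not have, keeps `nameif`, `security-level` and `ip address` verbatim so that `access-group` and `nat` statements keyed on the nameif still apply, and flags the two things a reviewer needs to look at: a VLAN that had several member ports on the 5505 (those hosts now need an external switch) and any access-group or NAT line that references an interface name that no longer exists. The sample config, its RFC 5737 addresses and the `PORT_MAP` assignment are constructed for the example; the regexes only cover the common forms (`switchport access vlan`, two-interface `nat (a,b)`), so trunk ports and subinterfaces are left for manual review.

```python
import re

# Constructed ASA 5505 running-config excerpt (hypothetical; RFC 5737 addresses).
SAMPLE_5505_CONFIG = """\
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 1
!
interface Ethernet0/2
 switchport access vlan 1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
access-group outside_in in interface outside
nat (inside,outside) source dynamic any interface
"""

# Assumed 5505 VLAN -> 5512-X routed port assignment (hypothetical; choose your own).
PORT_MAP = {1: "GigabitEthernet0/1", 2: "GigabitEthernet0/0"}

_VLAN_IF = re.compile(r"^interface Vlan(\d+)$")
_SWITCHPORT_IF = re.compile(r"^interface Ethernet\d+/\d+$")
_ACCESS_VLAN = re.compile(r"^switchport access vlan (\d+)$")
_NAMEIF = re.compile(r"^nameif (\S+)$")
_ACCESS_GROUP = re.compile(r"^access-group \S+ (?:in|out) interface (\S+)$")
_NAT = re.compile(r"^nat \((\S+?),(\S+?)\)")


def parse_blocks(config):
    """Split an ASA config into (header, [indented body lines]); '!' is a separator."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def migrate_5505_to_5512x(config, port_map):
    """Return (5512-X config text, warnings).

    Each 'interface VlanN' becomes the routed port named in port_map, keeping its
    nameif/security-level/ip address lines verbatim so access-group and nat lines
    still resolve. Switchport blocks are dropped; multi-port VLANs are flagged.
    """
    blocks = parse_blocks(config)
    warnings, members, nameifs = [], {}, set()

    # Pass 1: VLAN membership of the 5505 switch ports, and the nameifs that survive.
    for header, body in blocks:
        if _SWITCHPORT_IF.match(header):
            for m in filter(None, map(_ACCESS_VLAN.match, body)):
                members.setdefault(int(m.group(1)), []).append(header.split()[1])
        vm = _VLAN_IF.match(header)
        if vm and int(vm.group(1)) in port_map:
            nameifs.update(n.group(1) for n in map(_NAMEIF.match, body) if n)

    # Pass 2: emit the new config and check that interface references still resolve.
    out = []
    for header, body in blocks:
        if _SWITCHPORT_IF.match(header):
            continue  # no built-in switch on the 5512-X
        vm = _VLAN_IF.match(header)
        if vm:
            vlan, ports = int(vm.group(1)), members.get(int(vm.group(1)), [])
            if vlan not in port_map:
                warnings.append(f"Vlan{vlan}: no 5512-X port assigned; interface skipped")
                continue
            if len(ports) > 1:
                warnings.append(f"Vlan{vlan}: {len(ports)} member ports ({', '.join(ports)}) "
                                f"collapse into {port_map[vlan]}; extra ports need an external switch")
            header = f"interface {port_map[vlan]}"
        else:
            refs = []
            for rx in (_ACCESS_GROUP, _NAT):
                r = rx.match(header)
                if r:
                    refs.extend(r.groups())
            for ref in refs:
                if ref != "any" and ref not in nameifs:
                    warnings.append(f"'{header}' references '{ref}', which has no nameif after migration")
        out.append(header)
        out.extend(f" {line}" for line in body)
        if vm:
            out.append("!")
    return "\n".join(out) + "\n", warnings
```

Run it as `new_config, warns = migrate_5505_to_5512x(open("asa5505.txt").read(), PORT_MAP)` and treat the result as a draft to review rather than something to paste straight into the 5512-X: on the sample above it produces the two routed interfaces plus the untouched ACL, access-group and NAT lines, and warns that Vlan1's two member ports collapse into one routed port. Keeping the 5505 untouched and working from the text copy also preserves the easy fallback described earlier in the thread (swap the cables back).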
