Looking at migrating from the following:
PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51
Cisco Adaptive Security Appliance Software Version 8.6(1)
Device Manager Version 6.6(1)
Is this migration directly supported, or do I need to downgrade first?
I would recommend that you go from 8.0(4) to 8.2(5) and then jump directly to 8.6(1).
Remember to remove the nat-control command before going to 8.3 or higher versions.
Rate all the helpful posts
I don't think I'm able to do that unfortunately. It looks like 8.0(4) is the latest version for the PIX, and the ASA 5515X only supports 8.6(1).
Okay, I did not check the ASA model. You are right, dude.
So the only way to do it would be directly. Again, make sure you remove the nat-control command from the configuration.
Also keep a backup of the configuration in case you have an error.
Go ahead and perform the upgrade and let me know how it goes. As soon as you do it, make sure the ACLs are pointing to the private IP addresses.
Check the NAT exemption rules (nat 0 with ACL) on 8.0 and then go to 8.6 and check how they got built.
It might happen that you get the following NAT rules
Do change the syntax (the highlighted words) on them to be as specific as possible to avoid routing problems.
I'm in the same situation. I'm receiving the new hardware in the next few days, and I have the same version on the PIX. How did your migration go? I would like to know how hard it was and how that goes!
It actually went really smooth. I would recommend you perform a test migration and make sure the config looks good before putting it into production. Here are some of my notes:
I used the PIX-to-ASA Migration Tool and selected the target device type of ASA 5520 7.2(2) or after since that device had gigabit ports.
Remove this line: asdm image flash:/asdm-61551.bin
Replace with: asdm image disk0:/asdm-66114.bin
"no webvpn" to enable the Cisco ASDM GUI
"aaa authentication ssh console LOCAL" to enable SSH and create a username
WebFiltering caused huge ASA logs, resolved by following this thread: https://supportforums.cisco.com/thread/227630
On my outside rules I had to add back in the descriptions since for some reason they didn't get migrated over, and also cleaned up some of the groups since those rules use the internal IPs instead of the NAT IPs now.
My inside rules worked great and the descriptions all came over with them.
NAT rules look a bit different, but now you can add descriptions to those too.
You'll need to clear your ARP tables or wait till they time out.
ASA talks to the PIXes just fine, so I didn't have to upgrade all of my sites at one time.
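
The checks from the notes above can be run over a migrated configuration before it goes into production. The script below is an added example, not code from any poster in this thread. The function name `audit_migrated_config`, the sample configuration, and the treatment of an `access-list ... remark` line as the rule's description are assumptions.

```python
import ipaddress
import re

# RFC 1918 ranges, checked explicitly (ipaddress.is_private also covers other special ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: fragment of a migrated config, not taken from the thread.
SAMPLE_CONFIG = """\
nat-control
asdm image flash:/asdm-61551.bin
access-list outside_in remark Web server
access-list outside_in extended permit tcp any host 192.168.10.5 eq www
access-list outside_in extended permit tcp any host 203.0.113.10 eq smtp
access-list inside_out remark Users to internet
access-list inside_out extended permit ip 192.168.1.0 255.255.255.0 any
ssh 192.168.1.0 255.255.255.0 inside
"""

def audit_migrated_config(text):
    """Return (line_number, finding) tuples for the items the thread says to check."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    for no, line in enumerate(lines, 1):
        if line == "nat-control":
            findings.append((no, "nat-control present"))
        if line.startswith("asdm image flash:"):
            findings.append((no, "asdm image on flash:, not disk0:"))
        ace = re.match(r"access-list (\S+) extended (?:permit|deny) ", line)
        if not ace:
            continue
        # Assumption: a rule counts as described when a remark for the same ACL precedes it.
        prev = lines[no - 2] if no > 1 else ""
        if not prev.startswith(f"access-list {ace.group(1)} remark "):
            findings.append((no, "rule has no description (remark)"))
        # 8.3+ ACLs match the real (private) address; flag non-RFC 1918 hosts for review.
        for host in re.findall(r"\bhost (\d+\.\d+\.\d+\.\d+)", line):
            addr = ipaddress.ip_address(host)
            if not any(addr in net for net in RFC1918):
                findings.append((no, f"host {host} is not a private address"))
    # Line number 0 marks a finding about the config as a whole.
    if "aaa authentication ssh console LOCAL" not in lines:
        findings.append((0, "aaa authentication ssh console LOCAL missing"))
    return findings

if __name__ == "__main__":
    for no, msg in audit_migrated_config(SAMPLE_CONFIG):
        print(f"line {no}: {msg}")
```

A flagged host is only a prompt to review the rule, since an ACL can legitimately name a public address as a source.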