PIX 515E to ASA5515 Migration

nealzorn1 · ‎08-27-2012

Looking at migrating from the following:

PIX-515E
PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51

to

ASA5515
Cisco Adaptive Security Appliance Software Version 8.6(1)
Device Manager Version 6.6(1)

Is this migration directly supported, or do I need to downgrade first?

Julio Carvajal · ‎08-27-2012

Hello Neal,

I would recommend you to go from the 8.0(4) to 8.2(5) and then jump directly to 8.6 (1)

Remember to remove the Nat-control command before going to 8.3 or higher versions.

Regards,

Julio

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

nealzorn1 · ‎08-27-2012

I don't think I'm able to do that unfortunately. It looks like 8.0(4) is the latest version for the PIX, and the ASA 5515X only supports 8.6(1).

http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

Julio Carvajal · ‎08-27-2012

Hello Neal,

Okay I did not check the ASA model You are right dude

So the only way to do it would be directly, again make sure you remove the nat-control command from the configuration.

Also keep a backup of the configuration in case you have an error.

Go ahead and perform the upgrade and let me know how it goes, as soon as you do it make sure the ACL's are pointing to the private Ip addresses.

Check the Nat exemption rules ( Nat 0 with ACL) on 8.0 and then go to 8.6 and check how they got build.

It might happen that you get the following Nat rules

nat (inside,any)

nat (any,any)

Do change the sintax ( the highlighted words) on them as specific as possible to avoid routing problems

nat (inside,outside)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

verdmont2008 · ‎11-28-2012

Hello Neal,

I´m in the same situation, I´m recieving the new hardware next days, and i have sam version on the PIX, how went your migration, i will like to know how hard wass and whou that goes!

Regards,

Jose

nealzorn1 · ‎11-28-2012

It actually went really smooth. I would recommend you perform a test migration and make sure the config looks good before putting it into production. Here are some of my notes:

I used the PIX-to-ASA Migration Tool and selected the target device type of ASA 5520 7.2(2) or after since that device had gigabit ports.

Remove this line: asdm image flash:/asdm-61551.bin
Replace with: asdm image disk0:/asdm-66114.bin

"no webvpn" to enable the Cisco ASDM GUI

"aaa authentication ssh console LOCAL" to enable SSH and create a username

WebFiltering caused huge ASA logs, resolved by following this thread: https://supportforums.cisco.com/thread/227630

On my outside rules I had to add back in the descriptions since for some reason they didn't get migrated over, and also cleaned up some of the groups since those rules use the internal IP's instead of the NAT IP's now.

My inside rules worked great and the descriptions all came over with them.

NAT rules look a bit different, but now you can add descriptions to those too.

You'll need to clear your arp tables or wait till they timeout.

ASA talks to the PIX's just fine, so I didn't have to upgrade all of my sites at one time.