08-27-2012 10:19 AM - edited 03-11-2019 04:46 PM
Looking at migrating from the following:
PIX-515E
PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51
to
ASA5515
Cisco Adaptive Security Appliance Software Version 8.6(1)
Device Manager Version 6.6(1)
Is this migration directly supported, or do I need to downgrade first?
08-27-2012 12:06 PM
Hello Neal,
I would recommend you go from 8.0(4) to 8.2(5) and then jump directly to 8.6(1).
Remember to remove the nat-control command before going to 8.3 or higher versions.
Regards,
Julio
08-27-2012 12:18 PM
I don't think I'm able to do that unfortunately. It looks like 8.0(4) is the latest version for the PIX, and the ASA 5515X only supports 8.6(1).
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
08-27-2012 12:45 PM
Hello Neal,
Okay, I did not check the ASA model. You are right, dude.
So the only way to do it would be directly. Again, make sure you remove the nat-control command from the configuration.
Also keep a backup of the configuration in case you have an error.
Go ahead and perform the upgrade and let me know how it goes. As soon as you do it, make sure the ACLs are pointing to the private IP addresses.
Check the NAT exemption rules (nat 0 with ACL) on 8.0 and then go to 8.6 and check how they got built.
It might happen that you get the following NAT rules:
nat (inside,any)
nat (any,any)
Do change the syntax (the highlighted words) on them to be as specific as possible to avoid routing problems:
nat (inside,outside)
nat (inside,outside)
Regards,
Julio
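
As an added example (not part of the original thread and not Cisco tooling), the following script reviews a migrated configuration for the two items raised above: a leftover nat-control line and NAT rules whose interface pair contains "any". The function name audit_config and the sample configuration, including its object names and addresses, are constructed for illustration.

```python
import re

# Matches 8.3+ style NAT lines and captures the (real,mapped) interface pair,
# e.g. "nat (inside,any) source static ..." or an object NAT " nat (dmz,outside) ...".
NAT_RE = re.compile(r"^\s*nat \((?P<real>[^,\s)]+),(?P<mapped>[^,\s)]+)\)")

# Constructed sample config; object names and addresses are made up.
SAMPLE_CONFIG = """\
nat-control
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
nat (inside,any) source static obj-10.1.1.0 obj-10.1.1.0 destination static obj-remote obj-remote
nat (any,any) source static obj-dmz obj-dmz
nat (inside,outside) source dynamic any interface
object network obj-web
 nat (dmz,outside) static 192.0.2.10
"""


def audit_config(text):
    """Return a list of (line_number, issue, line) tuples for review."""
    findings = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # "no nat-control" is fine; only the bare command is flagged.
        if line == "nat-control":
            findings.append((num, "nat-control still present", line))
            continue
        m = NAT_RE.match(raw)
        if m:
            # Only the interface pair is checked; "any" used later in the
            # rule as an address keyword is not an interface and is ignored.
            wild = [k for k in ("real", "mapped") if m.group(k) == "any"]
            if wild:
                issue = "nat uses 'any' as " + "/".join(wild) + " interface"
                findings.append((num, issue, line))
    return findings


if __name__ == "__main__":
    for num, issue, line in audit_config(SAMPLE_CONFIG):
        print(f"line {num}: {issue}: {line}")
```
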
11-28-2012 08:13 AM
Hello Neal,
I'm in the same situation. I'm receiving the new hardware in the next few days, and I have the same version on the PIX. How did your migration go? I would like to know how hard it was and how it went!
Regards,
Jose
11-28-2012 08:31 AM
It actually went really smooth. I would recommend you perform a test migration and make sure the config looks good before putting it into production. Here are some of my notes:
I used the PIX-to-ASA Migration Tool and selected the target device type of ASA 5520 7.2(2) or after since that device had gigabit ports.
Remove this line: asdm image flash:/asdm-61551.bin
Replace with: asdm image disk0:/asdm-66114.bin
"no webvpn" to enable the Cisco ASDM GUI
"aaa authentication ssh console LOCAL" to enable SSH and create a username
WebFiltering caused huge ASA logs, resolved by following this thread: https://supportforums.cisco.com/thread/227630
On my outside rules I had to add back in the descriptions since for some reason they didn't get migrated over, and also cleaned up some of the groups since those rules use the internal IPs instead of the NAT IPs now.
My inside rules worked great and the descriptions all came over with them.
NAT rules look a bit different, but now you can add descriptions to those too.
You'll need to clear your ARP tables or wait till they time out.
ASA talks to the PIXes just fine, so I didn't have to upgrade all of my sites at one time.