11-09-2015 10:54 AM - edited 03-11-2019 11:51 PM
I'm new to Cisco ASAs, and have the task of replacing older 5520s with out-of-the-box 5515Xs. I'd like to do a direct swap-out replacement, using a minimally revised startup-config from the older ASA, but I'm guessing that there are differences between the commands in ASA 8.2 vs ASA 9.4. Would someone please point me in the right direction for learning about if there are tools (e.g., startup-config "updater", or virtual ASA for processing the startup-config) for proactively checking for problems that the 9.4 interpreter would have with the 8.2 startup-config?
I'd also appreciate any comments/direction/references to the overall approach for a swap-out.
Maybe I could put the 5515 on a bench w/no connection and reload the 5520 startup? If it "crashes", can I recover?
Thanks in advance!
11-09-2015 11:28 AM
There are two very big differences between 8.2 and 9.4:
1) at 8.3 the NAT stuff was completely redone along radically different lines. The new style uses primarily the newfangled "network object"s, preceded by phase I "twice NAT" and followed by phase III "twice NAT"; there are no more global statements.
2) at 9.0 the IPv6 integration was completely redone, with separate v4 and v6 access lists abolished by merging them and the "any" keyword redefined to be dual-stack.
I haven't tried directly feeding an 8.2 config into 9.4 firmware, so I'm not sure how well it would auto-update. By all means, try it - make a backup copy of your factory default 9.4 config, scp or tftp or usb copy in the 8.2 config, and copy the 8.2 version over the startup-config followed by a reload without a preceding "write memory". Assuming you have physical access to the 5515-x, there are enough ways to recover from any problems that you can definitely recover.
My advice, having gone from 8.2 on a 5520 to 9.2 on a 5525-x by way of 8.4.6 in a test lab is that you are best off using the auto-updated config as a guideline to a from-scratch rewrite.
Good luck with it,
-- Jim Leinweber, WI State Lab of Hygiene
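An offline pre-check for the two changes described in the post above, added here as an example; it is not part of the thread and not a Cisco tool. It lists top-level lines in an 8.2-style config that use pre-8.3 NAT statements, a separate IPv6 ACL, or `any` in an ACL. The sample config, rule list and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed 8.2-style sample (not taken from the thread).
SAMPLE_82_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
nat-control
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
static (dmz,outside) 203.0.113.10 10.2.2.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
ipv6 access-list V6_IN permit tcp any any eq 22
access-group OUTSIDE_IN in interface outside
"""

# One rule per construct named in the post above: (area, pattern, note).
RULES = [
    ("NAT (8.3)", re.compile(r"^nat-control\b"), "belongs to the old NAT model"),
    ("NAT (8.3)", re.compile(r"^global \("), "global statements no longer exist"),
    ("NAT (8.3)", re.compile(r"^nat \([^,)]+\) \d+\b"), "old nat (ifc) <id> form"),
    ("NAT (8.3)", re.compile(r"^static \("), "old static form"),
    ("ACL (9.0)", re.compile(r"^ipv6 access-list\b"), "separate IPv6 ACLs were merged"),
    ("ACL (9.0)", re.compile(r"^access-list\b.*\bany\b"), "'any' is dual-stack from 9.0"),
]

def scan(config_text):
    """Return (line_no, area, note, line) for each top-level line a rule matches."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()  # indented sub-commands keep their indent and are skipped
        for area, pattern, note in RULES:
            if pattern.search(line):
                findings.append((no, area, note, line))
                break  # first matching rule is enough for a review list
    return findings

def summarize(findings):
    """Count findings per area so the size of the rewrite is visible at a glance."""
    return Counter(area for _, area, _, _ in findings)

if __name__ == "__main__":
    results = scan(SAMPLE_82_CONFIG)
    for no, area, note, line in results:
        print(f"{no:>4}  [{area}] {line}\n      -> {note}")
    print(dict(summarize(results)))
```

The NAT rules only match the pre-8.3 forms, so running it on an already-converted config (`nat (inside,outside) source ...`, `any4`) reports nothing for those lines.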
11-10-2015 01:10 AM
Hi Terry,
There is a public tool made available to customers. You just need to log in with your CCO ID and you are good to go:
https://fwm.cisco.com/auth.do;jsessionid=80A10FB9C79C07D120D7109E7488D3F3#dashboard:1
There is documentation once you log in (click on Firewall Migration and then my Dashboard) which gives you instructions on how to convert your ASA configuration for 5500 series running 8.2 to -x series running 9.2.1 (it would give you options from 5525-x in target platform; you can select that, and there would not be an issue as you have a 5515-x).
Follow the instructions mentioned in the doc.
Once you get the 9.2.1 configuration, load it on your asa5515-x and then upgrade your asa to version 9.4.1
If there is any issue with some traffic not working, I would recommend opening a TAC case.
Hope it helps.
Regards,
Akshay Rastogi
Remember to rate the helpful posts and mark the answer as correct if it answers your query.