10-03-2010 06:22 AM - edited 03-11-2019 11:49 AM
Hi all,
I would like to upgrade my Cisco PIX 515E ver 6.3(4) to ASA 5510 ver 8.2(1).
Please advise if I can export the config from the PIX 515E and import it to the ASA 5510, and if the config exported from my PIX is usable in my ASA 5510 straight away or if I need to make some changes for the config to work in ASA ver 8.2(1). Thanks in advance.
10-03-2010 07:34 AM
You won't be able to export the config directly from the pix running 6.3.4 to the asa running 8.2.1. You would need to upgrade your pix from 6.3.4 to the 7.2 code. You can follow the procedure below. Please be aware of the memory requirements.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml
Once you are running 7.2 code on the pix, you can use this configuration and reconfigure it for the ASA 8.2.1. You would need to clean up the configuration to match the interface number on the ASA. Other than that, the config should be compatible with the ASA 8.2.1.
I hope this helps.
regards,
Wasan Romsaitong
10-03-2010 07:38 AM
Hello,
In addition to what Wasan has said, you can also use a PIX to ASA migration tool.
The following is the link for downloading the tool:-
Also you can read more about migration from pix to ASA from the link below:-
http://www.cisco.com/en/US/docs/security/asa/migration/guide/pix2asa.html#wp290854
Thanks,
Shilpa
10-03-2010 07:54 AM
Also, things like certificates and keys you might need to generate again.
10-03-2010 09:13 AM
Hi Shilpa,
I most probably will use the tool you mentioned. Can you advise how long the conversion process takes, based on your experience?
10-03-2010 08:40 AM
Hi all,
Thank you for your prompt response.
Basically this firewall is used mainly for the following functions. Please advise if the upgrade will affect the below in terms of config:
1) Site-to-site VPN to multiple sites
2) NAT for some internal servers to public IP
3) PAT for internal to external
4) Access lists for incoming and outgoing traffic
10-03-2010 09:36 AM
Hello,
It will not take much time, maybe less than 15 minutes.
Also it will be great if you follow the upgrade path and change the configuration as per the upgrade path. You can upgrade it to 7.x version and then to 8.x.
Take care for the following:-
Ensure you have no conduit or outbound/apply commands in your current configuration. These commands are no longer supported in 7.x and the upgrade process removes them. Use the Conduit Converter tool in order to convert these commands to access-lists before you attempt the upgrade.
Ensure that PIX does not terminate Point to Point Tunneling Protocol (PPTP) connections. Software version 7.x currently does not support PPTP termination.
Copy any digital certificates for VPN connections on the PIX before you start the upgrade process.
Plan to perform the migration during downtime. Although the migration is a simple two step process, the upgrade of the PIX Security Appliance to 7.x is a major change and requires some downtime.
The following is the link for reference:-
The following is the link which explains all changes of commands and features from 6.x to 7.x:-
http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html#wp1599386
I hope it helps.
10-03-2010 05:06 PM
Hi Shilpa,
Thank you!
So I will use the pixtoasa conversion tool to load the config from my PIX to my ASA 5510, which is running ASA ver 7.2.
Then I will upgrade the ASA 5510 from ver 7.2 to ver 8.2.
Will the process from ver 7.2 to ver 8.2 make great changes to my ASA config such that certain functions may not be workable?
10-04-2010 12:57 AM
•PPTP VPN is not supported on software versions 7.x. PPTP commands in the source configuration are marked as comments in the converted configuration with a note that they are not supported.
•Exporting certificates is not supported in PIX 6.3. If you have certificates in your PIX configuration, you must either upgrade to PIX version 8.0 and export the certificates first, or you must obtain a new certificate after the conversion process.
•Serial cable failover is not supported in the ASA platform. Therefore, you must add LAN failover on the ASA after the migration process.
•Physical interface exhaustion—A physical interface must always be mapped one-to-one to a destination physical interface. If interfaces in the source platform exceed the number of interfaces available in the destination platform, such as migrating from a fully equipped Cisco PIX 535 to a Cisco ASA 5540, those interfaces will be converted to the 7.x syntax but will keep their original interface names.
•Multiple Context Mode—You must manually convert multiple context mode configurations.
•VLANs on the Cisco ASA 5505—On a Cisco ASA 5505, the migration tool assigns VLAN 2 to Ethernet 0/0 and VLAN 1 to all other physical interfaces. Typically, VLAN 1 and VLAN 2 provide access to inside and outside interfaces. If you do not assign source interfaces to these VLANs, then the ASA will not have access to the inside and the outside interfaces.
Once you have converted the configuration from 6.3.4 to 7.2, you can check whether it is fine or not. Once that is done, you can either upload the configuration directly to an ASA running 7.2 code and upgrade the ASA, or you can also use the conversion tool to convert it to 8.x.
During conversion, you can see some of the warning messages, for e.g.:-
INFO: PIX to ASA conversion tool $Revision: 1.9 $
INFO: PIX Version 6.3(4) Removed from config
INFO: fixup protocol sip udp 5060 Removed from config
WARNING: The configuration is NOT supported - floodguard enable
WARNING: Your password is set to all STARS(*) Please Correct before deploying to the new
device! 'vpdn username cisco password ********* '
INFO: Cryptochecksum:e136533e23231c5bbbbf4088cee75a5a Removed from config
INFO: : end Removed from config
INFO: The destination platform is: asa-5540
which will tell you what changes have been done and what changes you need to make. For example, all the passwords will be converted to "*".
So you need to enter the passwords again.
You can try this method and let me know if you need any help.
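The pre-upgrade checks listed in the replies above (conduit/outbound/apply commands, PPTP termination, certificates, floodguard, passwords shown as stars) can be run over a saved PIX 6.3 configuration before conversion. The script below is an added example, not part of the thread or of any Cisco tool; the function name `audit_pix_config`, the rule set and the sample configuration are constructed for illustration, and it assumes certificates appear as `ca identity` / `ca configure` lines.

```python
import re

# (category, pattern, reason). Rules follow the caveats raised in the thread.
RULES = [
    ("conduit/outbound/apply", re.compile(r"^(conduit|outbound|apply)\s"),
     "not supported in 7.x; convert to access-lists before upgrading"),
    ("pptp", re.compile(r"^vpdn\s.*\bpptp\b"),
     "7.x does not support PPTP termination"),
    ("floodguard", re.compile(r"^floodguard\s"),
     "reported as NOT supported by the conversion tool"),
    # Assumption: certificate use shows up as 'ca identity' / 'ca configure'.
    ("certificate", re.compile(r"^ca\s+(identity|configure)\s"),
     "PIX 6.3 cannot export certificates; plan to obtain new ones"),
    ("masked-secret", re.compile(r"(?<!\S)\*{3,}(?!\S)"),
     "secret shown as stars; re-enter the real value on the ASA"),
]

def audit_pix_config(text):
    """Return (line_number, category, line, reason) for each flagged line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith((":", "!")):  # skip markers/comments
            continue
        for category, pattern, reason in RULES:
            if pattern.search(line):
                findings.append((lineno, category, line, reason))
    return findings

# Constructed sample configuration (documentation addresses, not real data).
SAMPLE_CONFIG = """\
: Saved
PIX Version 6.3(4)
nameif ethernet0 outside security0
access-list inbound permit tcp any host 203.0.113.10 eq www
conduit permit tcp host 203.0.113.11 eq smtp any
outbound 1 deny 0.0.0.0 0.0.0.0 80 tcp
apply (inside) 1 outgoing_src
floodguard enable
isakmp key ******** address 198.51.100.7 netmask 255.255.255.255
vpdn group 1 accept dialin pptp
vpdn username cisco password *********
ca identity labca 192.0.2.5
"""

if __name__ == "__main__":
    for lineno, category, line, reason in audit_pix_config(SAMPLE_CONFIG):
        print(f"line {lineno:>3} [{category}] {line}\n         -> {reason}")
```

Masked secrets matter most for site-to-site VPN: a pre-shared key carried over as stars will not match the peer's key until the real value is re-entered.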
10-06-2010 05:48 PM
Hi Shilpa,
Thank you for the advice and apologies for the late reply. Can I know what is the difference between single mode and multiple mode in Cisco PIX?
10-06-2010 06:40 PM
Hello,
The adaptive security appliance runs in a combination of the following modes:
•Transparent firewall or routed firewall mode
The firewall mode determines if the security appliance runs as a Layer 2 or Layer 3 firewall.
•Multiple context or single context mode
The security context mode determines if the adaptive security appliance runs as a single device or as multiple security contexts, which act like virtual devices.
You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices.
You can read more about it in the following links:-
http://www1.cisco.com/en/US/docs/security/asa/asa83/command/reference/cli.html
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/contexts.html
Thanks,
Shilpa
10-06-2010 07:39 PM
Hi Shilpa,
Thank you. After understanding the differences between the 2 modes, I confirm my PIX firewall is on single mode, though I cannot verify using the "show mode" command since my PIX is on 6.3(4).
As my ASA 5510 already has some config that I want to maintain and it's on ver 8.2(1), do you think it's possible to export my PIX config to add on to the existing ASA config at ver 8.2(1) using the conversion tool? Thanks in advance.
10-06-2010 10:18 PM
Hello,
Yes, you can merge the configuration on ASA.
When you copy a configuration to the running configuration, you merge the two configurations. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results.
The following is the reference link:-
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008072142a.shtml#ftp
And just to be on the safer side, keep a backup of the configuration which is already present on the ASA.
Thanks,
Shilpa
10-06-2010 11:13 PM
Hi Shilpa,
Thank you! I will probably forgo the merging to reduce complication. I have tried out the conversion tool, which generates a text file. I know how to upload the converted text file to my ASA disk:0 using ASDM. But how do I copy this text file to the running-config using ASDM? Please advise.
10-07-2010 07:30 AM
Hello,
You cannot restore the running-config from ASDM. You need to use CLI.
Although there are options on ASDM for backup and restore.
You can specify configurations and images to restore from a zip file on your local computer. The zip file you choose must be created from the Tools > Backup configurations option.
You can only restore backups to the same security appliance from which they were originally made.
Also, although you can use the Tools > Backup Configurations option to back up a running configuration, you cannot use the Tools > Restore Configurations option to restore it. Instead, unzip and transfer the running-config.cfg file to the security appliance file system, then use the copy running-config.cfg startup-config command to restore the startup configuration file. Finally, reboot to load it to memory.
There is a bug id also for the same. Please find the link below:-
Thanks,
Shilpa