09-05-2013 09:22 AM - edited 03-11-2019 07:34 PM
I'm looking for any advice or suggestions on best practice for the task of upgrading from a PIX 525 running 6.3 to an ASA 5525X with IPS. The PIX is set up in active/standby failover and the ASA will be set up the same way. The PIX has been in service for many years and has a substantial configuration but no IPS or VPN services, just firewalling.
I've used the PIX to ASA 7.2 migration tool before and it worked OK, but if I do this I still need to get from 7.2 to 9.1, or some incremental jump up to 9.1. Any advice would be appreciated.
09-05-2013 09:32 AM
Hi,
Since no VPN is involved I guess your only hard part is setting up the NAT configurations in the new format. There is also an ACL change involved related to the NAT change. As the order of NAT and ACL was changed, you will now have to use the real IP address in the ACL rules and never the NAT IP address (which was the case for software below 8.3).
You can't really use the ASA5525-X to do the automatic conversion upon reboot/reload as it's a new ASA model and only accepts 8.6 software at minimum to my understanding. This means it won't accept the 7.2 format (or up to 8.2 format) of NAT configurations at all.
Also the PIX can't be upgraded to the newest software levels either. So I guess you are looking at the manual NAT conversion.
Are the current NAT configurations on the PIX large, or would it be something that you would be willing to post here? I could always try to help you out converting the NAT configurations.
Here is a link to a document I wrote about the new NAT 8.3+ configuration format.
https://supportforums.cisco.com/docs/DOC-31116
Here is also a good document comparing the old and new NAT formats.
https://supportforums.cisco.com/docs/DOC-9129
- Jouni
09-05-2013 10:45 AM
Jouni,
Thank you for your response, it sounds like the migration is going to be painful. There are four active interfaces on the PIX and quite a bit of dynamic and static NAT configurations but I don't think I can post that information on the forum. I'll check out the documents you referenced and go from there. Again thanks for your help.
Steve
09-05-2013 11:02 AM
Ok,
That's understandable, though don't hesitate to ask here if you need help with the format of some NAT configurations.
I would imagine that you are not familiar with the "packet-tracer" command? This was released in the 7.0 software level if I don't remember wrong. This is a powerful tool to confirm that everything is working as expected on your firewall, especially the NAT.
You can essentially simulate a packet entering any interface of the firewall and the firewall will tell you what rules/configurations it WOULD hit/match.
The basic format is (the placeholder arguments in angle brackets were stripped by the forum rendering):
packet-tracer input <interface> tcp <source_ip> <source_port> <destination_ip> <destination_port>
packet-tracer input <interface> udp <source_ip> <source_port> <destination_ip> <destination_port>
packet-tracer input <interface> icmp <source_ip> <icmp_type> <icmp_code> <destination_ip>
If you need help interpreting the output, again, don't hesitate to post here and ask.
Why I mentioned this command was the fact that you can essentially start building the new ASA firewall configuration since it's not yet in production, and use the "packet-tracer" command to make sure that the traffic is hitting the NAT rules, etc., that you expect it to.
Here is a link to the Command Reference for the "packet-tracer" command, which has more specific information about the command:
http://72.163.4.161/en/US/docs/security/asa/command-reference/p1.html#wp2129824
Though now that I look at it myself, it seems a bit confusing.
Hope this helps.
- Jouni
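To illustrate both points from the posts above (the pre-8.3 to 8.3+ NAT conversion, and using packet-tracer to verify each rule before the new ASA goes into production), here is an added example script, not part of the original thread and not a Cisco tool. It assumes a small, constructed PIX configuration with one-to-one statics and interface PAT; anything it cannot map safely (such as the nat 0 / NAT exemption line) is reported rather than guessed. The tester source address 198.51.100.1 in the generated packet-tracer commands is an arbitrary placeholder.

```python
"""Convert pre-8.3 PIX/ASA NAT statements to 8.3+ object NAT and emit a
packet-tracer check for every static rule. Constructed example, not Cisco code."""
import re

# Constructed sample of a pre-8.3 PIX configuration (not a real device config).
OLD_CONFIG = """\
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.20 172.16.0.20 netmask 255.255.255.255
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
"""

# Old syntax: static (real_ifc,mapped_ifc) MAPPED_IP REAL_IP netmask 255.255.255.255
STATIC = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")
NAT = re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)$")          # nat (ifc) ID NET MASK
GLOBAL = re.compile(r"global \((\S+)\) (\d+) interface$")       # interface PAT only


def convert(old):
    """Return (object_nat_lines, packet_tracer_checks, unconverted_lines)."""
    objects, checks, leftover = [], [], []
    # Map each nat-id to the mapped interface of its matching global statement.
    globals_ = {m[2]: m[1] for m in map(GLOBAL.match, old.splitlines()) if m}
    for line in old.splitlines():
        if m := STATIC.match(line):
            real_ifc, mapped_ifc, mapped_ip, real_ip = m.groups()
            objects += [f"object network obj-{real_ip}", f" host {real_ip}",
                        f" nat ({real_ifc},{mapped_ifc}) static {mapped_ip}"]
            # The new ACL must reference real_ip; packet-tracer from the mapped
            # side should show the packet being untranslated to real_ip.
            checks.append(f"packet-tracer input {mapped_ifc} tcp "
                          f"198.51.100.1 12345 {mapped_ip} 80")
        elif (m := NAT.match(line)) and m[2] != "0" and m[2] in globals_:
            real_ifc, nat_id, net, mask = m.groups()
            objects += [f"object network obj-{net}", f" subnet {net} {mask}",
                        f" nat ({real_ifc},{globals_[nat_id]}) dynamic interface"]
        elif GLOBAL.match(line):
            continue  # consumed via globals_ above
        else:
            leftover.append(line)  # nat 0, pools, policy NAT: convert by hand
    return objects, checks, leftover


if __name__ == "__main__":
    objs, checks, left = convert(OLD_CONFIG)
    print("\n".join(objs), "\n! verify with:", "\n".join(checks), sep="\n")
    print("! needs manual conversion:", *left, sep="\n")
```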
09-05-2013 11:40 AM
Actually I have several smaller ASA5510s running 7.X and early 8.X around the globe that I manage, so I've used the packet-tracer command. However, these firewalls don't incorporate the new NAT and ACL changes, so I don't have experience in those areas.
Again I appreciate your help.
Steve