Showing results for 
Search instead for 
Did you mean: 

How to move VPN configuration from PIX software version 6.x to PIX/ASA version 7.x



In order to move LAN-to-LAN VPN configuration from PIX version 6.3 to PIX/ASA version 7.x, refer to this checklist:

  • In version 6.x and 7.x, the commands to configure crypto map, ISAKMP policy, NAT 0 access-list and Transform set remain same. These commands can be copied to version 7.x without any changes.
  • In version 6.x for crypto map and NAT0 normal ip access lists were used, however in 7.x, extended access-list is used.
  • In version 6.x, there was no concept of tunnel group, however in version 7.x, in order to create and manage the database of connection-specific records for ipsec-l2l IPsec (LAN-to-LAN) tunnels, use the tunnel-group command in global configuration mode. For LAN-to-LAN connections, the name of the tunnel group must be the IP address of the IPsec peer.
  • In version 6.x, in order to configure preshared key for LAN-to-LAN tunnel the isakmp key command was used, but in version 7.x, the  pre-shared-key is configured under tunnel group. For example:-

            ISAKMP key configuration for version 6.x

      isakmp key ******** address netmask

            ISAKMP key configuration for version 7.x

            tunnel-group type ipsec-l2l
      tunnel-group ipsec-attributes
       pre-shared-key *

Refer to this checklist in order to move VPN client configuration from version 6.x to 7.x:


Good info.   In the Cisco Web pages, the deeply hidden PIXtoASA .exe file will do these fairly seamlessly. 

Content for Community-Ad