
ASA Backup and Restore

caug
Level 1

I know there are plenty of threads around this topic but I am new to Cisco so please hang with me.

 

I have two ASA 5545 in the same remote datacenter location.  I do not have physical access to either.  I need to use remote hands if I need to do anything like move cables etc.  The older ASA is running 8.6 while the newer one is running 9.2.  The old ASA is in production while the new ASA is to replace it.  

 

Is it as simple as taking a backup with either ASDM or CLI using "more system:running-config" and restoring to the new ASA?  Is one method better than the other?  Will my site-to-site VPNs reconnect once the cables are moved over (read: will everything get restored e.g. keys, certs, passwords, etc.)?  Will I need to manually edit anything in the backup before I restore it, like the image file, since it is a different firmware version?

 

Sorry for the seemingly simple questions but I am new to Cisco and I've never done this before.  Thanks.

2 Replies

Pawan Raut
Level 4

I believe you should have console access at least to configure the new pair of ASAs.

I assume you have a pair of ASAs in active/standby mode and you will keep the same IP addresses for the new ASA as the old one has.

So in my view you should follow the steps below:

1) Power on the new ASA pair.

2) Connect the two ASAs with a cross-connect cable for the HA pair.

3) Take console of the new ASA pair.

4) Configure the ASA pair in active/standby.

5) Take a backup of the configuration from the old ASA with "more system:running-config" (this will include the unencrypted VPN pre-shared key).

6) IOS versions 8.6 and 9.2 don't have major differences, but please take a look at the Guidelines and Migration for 9.0, 9.1 and 9.2 (https://www.cisco.com/c/en/us/td/docs/security/asa/migration/upgrade/upgrade.html)

7) Make sure your new ASA pair has the same interfaces as the old one; in case you have any change in interfaces, adjust it accordingly in the config backup taken from the old ASA.

8) Now configure the new ASA with the config backup (you can copy and paste, carefully).

9) Generate the crypto RSA key for SSH login, as this needs to be generated and won't get copied from the config.

10) Now cross-verify the config of the new ASA against the old one before cutover. If everything is fine then move to cutover.

11) For cutover, move the cables from the old ASA to the new ASA.

12) Verify the connectivity is up and you can ping connected devices.

13) IPsec VPN will not come up automatically if no active traffic is flowing from the ASA. You can test it with dummy interesting traffic (packet tracer command).

 

Kindly rate for helpful Post
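Steps 5 and 10 of the reply above can be checked offline before cutover; the following is an added example, not part of the original posts. It flags secrets that a backup saved with "show running-config" carries only as asterisks, and compares the old backup with the new unit's config while ignoring version and checksum lines. The function names and both sample configs are constructed for illustration.

```python
import re

# Lines expected to differ between two units or software versions.
IGNORE = re.compile(r"^(:|!|ASA Version |Cryptochecksum:)")
MASKED = re.compile(r"\s\*+\s*$")  # secret replaced by asterisks

def flatten(config):
    """Qualify each indented sub-command with its parent command line."""
    parent, out = "", []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or IGNORE.match(line):
            continue
        if line.startswith(" "):
            out.append(f"{parent} | {line.strip()}")
        else:
            parent = line
            out.append(line)
    return out

def masked_secrets(config):
    """Lines whose secret is masked: this backup cannot restore them."""
    return [l for l in flatten(config)
            if MASKED.search(l) and not l.startswith("banner ")]

def compare(old, new):
    """Return (lines missing on the new unit, lines only on the new unit)."""
    old_l, new_l = flatten(old), flatten(new)
    old_s, new_s = set(old_l), set(new_l)
    return ([l for l in old_l if l not in new_s],
            [l for l in new_l if l not in old_s])

# Constructed sample configs (not real device output). OLD was saved with
# "show running-config", so the pre-shared key is masked.
OLD = """: Saved
ASA Version 8.6(1)
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
tunnel-group 198.51.100.7 ipsec-attributes
 ikev1 pre-shared-key *****
"""
# NEW: other software version, and one line lost during the paste.
NEW = OLD.replace("8.6(1)", "9.2(2)").replace(
    " ip address 10.0.0.1 255.255.255.0\n", "")

if __name__ == "__main__":
    print(masked_secrets(OLD), compare(OLD, NEW))
```

A backup that passes the masked-secret check holds the pre-shared keys unencrypted, as step 5 notes, so store and transfer the file accordingly.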

caug
Level 1

Thanks for your help.  

 

So the crypto key for ssh should be the only thing I need to generate.  Everything else should get restored from the backup?

 

There is constantly traffic going across the VPN so I'd expect it to come up right away.

 

I'll give it a try and report back.  Thanks again.
