Any chance of migrating config from legacy ASA to ASA-X?

Larry Gelencser
Level 1

Greetings Cisco Gurus!

   I've been using an ASA-5510 for the past 7 years (To add it's been up 24/7/365 and problem free the entire time besides one bad Cisco software update) and it's now time to retire her. I'm currently deciding between the 5508-X & 5516-X models (If you have a suggestion I'd appreciate that too) but my question is:

 Is there a way to migrate the settings from my current device onto the new one or do I simply need to build it from scratch?

  My device doesn't have major configurations as I simply use it to secure and feed our office with a 20MB internet connection as well as connect about 20 remote sites with lan-to-lan vpn and support about a dozen remote users...

Thanks in advance!

 

 

Which ASA-version are you running? I assume that it's not 8.3 or higher. Then at least ACLs and NAT have to be rewritten (and find-replace-things like interface-IDs). If the config is not that complex, I would always see that as the opportunity to start with a clean config.

For your decision 5508-X or 5516-X. Are you planning to upgrade the internet-link soon? The 5508-X will handle a 20 MBit link easily, even if you use FirePOWER for added security. If you plan for more bandwidth and you want to keep the option to use FirePOWER, then you should go for the 5516-X.

Hello Karsten!

 Thank you very much for your response! I'm currently running ASA 9.1(6). My config is not complicated, but with only 1 device that must be up all the time, with no room for my mistakes or troubleshooting, I can't afford for it to go down for long. Of course, to also mention, I'm the only IT jack-of-all-trades guy for my company and will admit my Cisco skills are novice, so I rely on Cisco TAC support sometimes.

  I am planning on moving to 50Mb link soon so perhaps the 5516-x would be better? I'm still debating on the firepower services, they are quite expensive and it already takes a lot of convincing for my bean counters to approve the support service renewals :) Do you feel it's worth the Firepower services? I honestly get confused researching the Firepower services on the Cisco site as it appears there's different options and I don't know where to get the clear info I need to make a decision. I tried the online chat but that got me nowhere..

I really appreciate your input and help!

btw, I love the profile pic, I too am a cyclist! 

With 9.1(6) running on the old ASA, all ACLs and NAT will stay the same. With that it's very likely that you can take your config in an editor, replace all interfaces with the new names and paste that in the new ASA.

Are you running SSL-VPNs? Then you need to copy some files from old flash to the new flash.

FirePOWER is expensive, but it provides the services to protect against many threats that we are facing today. For the perimeter-firewall (when there is no dedicated security-proxy) I always propose the TAMC license (yes, that's the most expensive one). If the budget is really restricted, then I would go for the URL-license to at least have web-filtering.

Happy cycling!!!
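
The rename-and-paste step from the reply above, as an added example (not part of the original thread and not a Cisco tool): it rewrites old port names, reports any port left unmapped, and lists files the config expects on flash. The port mapping, the sample config and the `anyconnect-EXAMPLE.pkg` file name are assumptions constructed for illustration.

```python
import re

# Assumed mapping from ASA 5510 port names to 5508-X/5516-X port names;
# adjust it to how the new unit is actually cabled.
PORT_MAP = {
    "Ethernet0/0": "GigabitEthernet1/1",
    "Ethernet0/1": "GigabitEthernet1/2",
    "Management0/0": "Management1/1",
}

# Old-style port name with optional subinterface, not inside a longer name
# (so an existing "GigabitEthernet0/0" is left alone).
OLD_PORT = re.compile(r"(?<![A-Za-z])((?:Ethernet|Management)0/\d+)(\.\d+)?\b")
# Files the config expects on flash, e.g. SSL-VPN client packages.
FLASH_REF = re.compile(r"\b(?:disk0|flash):/?(\S+)")

# Constructed sample config, not taken from a real device.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1.10
 vlan 10
 nameif inside
!
interface Ethernet0/3
 shutdown
!
webvpn
 anyconnect image disk0:/anyconnect-EXAMPLE.pkg 1
"""


def migrate(config, port_map=PORT_MAP):
    """Return (rewritten_config, unmapped_old_ports, files_referenced_on_flash)."""
    unmapped = set()

    def swap(m):
        if m.group(1) not in port_map:
            unmapped.add(m.group(1))      # leave as-is and report it
            return m.group(0)
        return port_map[m.group(1)] + (m.group(2) or "")

    new_config = OLD_PORT.sub(swap, config)
    return new_config, sorted(unmapped), FLASH_REF.findall(config)


if __name__ == "__main__":
    new_config, unmapped, files = migrate(SAMPLE)
    print(new_config)
    print("Unmapped ports to review:", unmapped)
    print("Files to copy to the new flash:", files)
```

Resolve every unmapped port and copy every listed file before pasting the result into the new ASA.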

Karsten you are a Cisco God, Danke!!