Solved: PIX 6.3 to ASA 5505 8.2

brentz · ‎04-23-2012

We have an old PIX that is running 6.3 software. We wouldl lik eto move the configuration to an ASA running 8.2 software. Is there an easy way to accomplish this without have to rekey all the commands? Is it possible to tftp the old config to the new ASA?

Thanks

Mohammad Abazeed · ‎04-23-2012

Hey there,

First of all, this should be in the FW section and not the VPN section, this is not VPN related question.

However, if I ware you I would start by upgrading my PIX to the latest 8.0.4 before I begin to insure that everything is migrated especially if you have certificates and you want to export them as exporting the certs is not supported on the PIX prior to 8.0 release, however if that is not needed upgrading to the latest 7.2 will do you good ... Then I would go through this link and follow the procedure there:

- http://www.cisco.com/en/US/docs/security/asa/migration/guide/pix2asa.html

HTH,

Mo.

View solution in original post

Patrick0711 · ‎04-23-2012

Assuming you are using pre shared key authentication, everything should be interchangeable other than the isakmp key line which is coverted to a l2l type tunnel-group in 7.x+ code versions

View solution in original post

Marvin Rhoads · ‎04-23-2012

Cisco did put out a Pix-ASA conversion tool. Please see the Release Notes and then this link to download it.

I would advise, though, that is is a good time to clean up your Pix config. Validate all of your access-lists, NATs and VPNs. Clear out any of the unused stuff before moving it over to the ASA. Even if it's all good, validating and documenting it is a useful exercise.

Once you get it over, I'd move your ASA up to 8.4(3). Yes the NAT sysntax changes but you'll need to do it sooner or later. Why not now?

View solution in original post

Mohammad Abazeed · ‎04-23-2012

Hey there,

First of all, this should be in the FW section and not the VPN section, this is not VPN related question.

However, if I ware you I would start by upgrading my PIX to the latest 8.0.4 before I begin to insure that everything is migrated especially if you have certificates and you want to export them as exporting the certs is not supported on the PIX prior to 8.0 release, however if that is not needed upgrading to the latest 7.2 will do you good ... Then I would go through this link and follow the procedure there:

- http://www.cisco.com/en/US/docs/security/asa/migration/guide/pix2asa.html

HTH,

Mo.

brentz · ‎04-24-2012

Thanks for the replies. I appreciate the help. The conversion tool looks like it will work great.

Patrick0711 · ‎04-23-2012

Assuming you are using pre shared key authentication, everything should be interchangeable other than the isakmp key line which is coverted to a l2l type tunnel-group in 7.x+ code versions

brentz · ‎04-24-2012

Thanks for the replies. I appreciate the help. The conversion tool looks like it will work great.

Marvin Rhoads · ‎04-23-2012

Cisco did put out a Pix-ASA conversion tool. Please see the Release Notes and then this link to download it.

I would advise, though, that is is a good time to clean up your Pix config. Validate all of your access-lists, NATs and VPNs. Clear out any of the unused stuff before moving it over to the ASA. Even if it's all good, validating and documenting it is a useful exercise.

Once you get it over, I'd move your ASA up to 8.4(3). Yes the NAT sysntax changes but you'll need to do it sooner or later. Why not now?

brentz · ‎04-24-2012

Thanks for the replies. I appreciate the help. The conversion tool looks like it will work great.