Tuesday, July 20, 2010

Cisco PIX to ASA migration guide

There are two ways to convert a PIX configuration to an ASA configuration:

1•manual conversion

2•tool-assisted conversion 

 
Table 1 Conversion Process Summary

Task

See

Step 1 

Retrieve the PIX configuration from the device.

Retrieving the PIX Configuration

Step 2 

Convert the PIX conduit and outbound commands.

Converting the conduit and outbound Commands

Step 3 

Convert the PIX configuration to an ASA configuration.

Converting a Cisco PIX Configuration to a Cisco ASA 5500 Series Configuration

Step 4 

View the converted, intermediate configuration.

Viewing the Intermediate Configuration

Step 5 

Complete the conversion process by installing the converted configuration on an ASA 5500 Series Adaptive Security Appliance running 7.0(x), 7.2(x), or 8.x software.

Installing the Intermediate ASA Configuration

Step 6 

(Optional) Configure LAN-based failover (if converting from a serial cable failover configuration).

Configuring LAN-based Failover

Step 7 

Verify the final, converted configuration.

Verifying the ASA Configuration

Step 8 

Deploy your new device.

Deploying the New Device


Table 4 Interface Constructs

PIX 6.3 interface configuration
(before conversion)

ASA 7.2(2) interface configuration
(after conversion)

Static IP and failover: 

interface ethernet0 auto
nameif ethernet0 outside security0
ip address outside 192.168.2.1 255.255.255.0
failover ip address outside 192.168.2.2
 
interface GigabitEthernet0/0
ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
nameif outside
security-level 0

VLAN: 

interface gb-ethernet2 1000auto
interface gb-ethernet2 vlan50 logical
nameif vlan50 vlan50 security10
ip address vlan50 50.1.1.1 255.0.0.0
 
interface GigabitEthernet0/0
no shutdown
interface GigabitEthernet0/0.50
vlan 50
ip address 50.1.1.1 255.0.0.0
nameif vlan50
security-level 10

Dynamic IP address through DHCP: 

interface ethernet0 10baset
nameif ethernet0 outside security0
ip address outside dhcp setroute
 
interface GigabitEthernet0/0

no ip address 

no shutdown

ip address dhcp setroute

nameif outside

security-level 0

Dynamic IP address through PPPOE: 

interface ethernet0 10baset
nameif ethernet0 outside security0
ip address outside pppoe setroute
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname cisco
vpdn group pppoex ppp authentication pap
vpdn username cisco password xxx
 
interface GigabitEthernet0/0
ip address pppoe setroute
pppoe client route distance 2
pppoe client vpdn group pppoex
nameif outside
security-level 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname cisco
vpdn group pppoex ppp authentication pap
vpdn username cisco password xxx

Table 5 FIXUP Conversion

PIX/ASA 6.3 commands
(before conversion)

PIX/ASA 7.2(2) commands
(after conversion)

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect smtp
inspect sqlnet
inspect tftp

LAN-Based Failover

PIX 6.3(5) configuration (before conversion):
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
interface gb-ethernet2 1000auto
interface gb-ethernet2 vlan50 logical
interface gb-ethernet2 vlan55 logical
interface ethernet0 100full
interface ethernet1 100full
nameif gb-ethernet0 outside security0
nameif gb-ethernet1 inside security100
nameif gb-ethernet2 dmz security8
nameif ethernet0 eng security4
nameif ethernet1 mkt security4
nameif vlan50 vlan50 security10
nameif vlan55 vlan55 security12
ip address outside 5.5.5.45 255.255.255.0
ip address inside 14.36.8.48 255.255.0.0
ip address dmz 1.1.1.6 255.255.255.0
ip address mkt 2.2.2.2 255.255.255.0
ip address vlan50 50.1.1.1 255.0.0.0
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 5.5.5.68
failover ip address inside 14.36.199.34
failover ip address mkt 2.2.2.4
failover ip address vlan50 50.1.1.2
failover lan unit primary
failover lan interface mkt
failover link vlan55
failover lan enable


Converted ASA configuration:

interface GigabitEthernet0/0
ip address 5.5.5.45 255.255.255.0 standby 5.5.5.68
nameif outside
security-level 0
: Original Interface id gb-ethernet1
interface GigabitEthernet0/1
ip address 14.36.8.48 255.255.0.0 standby 14.36.199.34
nameif inside
security-level 100
: Original Interface id gb-ethernet2
interface GigabitEthernet0/2
ip address 1.1.1.6 255.255.255.0
nameif dmz
security-level 8
: Original Interface id gb-ethernet2_50
interface GigabitEthernet0/2.50
vlan 50
ip address 50.1.1.1 255.0.0.0 standby 50.1.1.2
nameif vlan50
security-level 10
: Original Interface id gb-ethernet2_55
interface GigabitEthernet0/2.55
vlan 55
no ip address
no shutdown
: Original Interface id ethernet0
interface GigabitEthernet0/3
no ip address
no shutdown
nameif eng
: Original Interface id ethernet1
: Failover
interface GigabitEthernet1/0
security-level 4
failover
failover timeout 0:00:00
:::: your failover poll timer syntax has been corrected from'failover poll 15' to
'failover polltime 15'
failover polltime 15
failover lan unit primary
::::failover lan interface mkt -> failover lan interface mkt GigabitEthernet1/0
failover lan interface mkt GigabitEthernet1/0
failover interface ip mkt 2.2.2.2 255.255.255.0 standby 2.2.2.4
::::failover link vlan55 -> failover link vlan55 GigabitEthernet0/2.55
failover link vlan55 GigabitEthernet0/2.55
failover interface ip vlan55 0.0.0.0 0.0.0.0 standby 0.0.0.0
:::: Not supported - failover lan enable
 

Reference:
1. Migration Guide for Converting Cisco PIX Configurations to Cisco ASA 5500 Series Configurations
http://www.cisco.com/en/US/docs/security/asa/migration/guide/pix2asa.html
 
2. Migration from PIX 500 Series Security Appliances to ASA 5500 Series Adaptive Security Appliances
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808554ed.shtml
Posted by at

5 comments:

  1. JIMYJuly 16, 2019 at 3:22 AM


    good blog.

     Cloud Based Firewall

    CISCO Firewall

    ReplyDelete
  2. Avik MajumderOctober 6, 2021 at 6:31 AM

    Garmin Express is an application which is used to easily update maps and software, sync with garmin connect and register your Device. You can download garmin.com/express software from official garmin site, where you will get options to download for Windows and for Mac.


    Garmin Express software has many uses, such as Update your maps, sync with connect, update your software, manage content, udate marin charts, redeem a voucher and golf course updates. You can add your device to Garmin express after logging into garmin account. Follow the steps given on garmin express login .


    Garmin sat nav devices comes with a variety of applications. But it is crucial to keep those devices up to date. Visit garmin sat nav update to update your maps. You can also update your sat nav devices of camper van or RV using this method. Garmin sat nav update provides you European maps


    Garmin express software has various versions which kept changing. Garmin express allows you to download and update garmin maps for free. Garmin express was used in 2018, 2019 and 2020, 2021, garmin map updates free download 2021 to download Free garmin express software.


    Garmin.com/express is official site to download Garmin Express. You can download garmin express for mac by clicking on that option. Garmin Express is also available on mac book pro. Garmin express software is not available on ios.

    ReplyDelete
  3. Right DirectionNovember 10, 2021 at 11:01 AM

    Nice blog

    garmin dezl update
    garmin nuvi 265w map updates free

    garmin won't turn on
    Garminexpressinstaller.exe

    Planning to go somewhere The Location
    Tracker     for the first time or moving to a new city or town, just update your maps and you are good to go hassle-free. Updating your GPS means you are going in the right direction for sure or you're not gonna get lost in your way. Just one step: The Location Tracker update

    ReplyDelete
  4. Jennifer MofiDecember 22, 2021 at 2:38 PM

    To follow accurate and exact navigation on your in dash GPS, get the right maps and directions on your next journey, navigate safely & efficiently, know about terrain contours & elevation, or reach attractions and your all journeys, hotels & restaurants you desire detailed and updated maps. My Dash updates being the reliable companion on every road trip, help you get everything said so far.

    ReplyDelete
  5. Travel BloggingAugust 31, 2022 at 1:41 PM

    How to Customize the QuickBooks Home Page
    https://qb-solutions.blogspot.com/2022/08/how-to-customize-quickbooks-home-page.html

    ReplyDelete

Subscribe to: Post Comments (Atom)

Related post:

Related Posts with Thumbnails