Pix To Asa Migration Tool 8.4
This post describes how to test a Cisco ASA 8.4 migration in GNS3 so that you know in advance how the upgrade is going to affect your existing pre-8.3 configuration. Before starting, follow the earlier post that gets an ASA running in GNS3 and connected to its host machine.
Once that is done, follow these steps:
1. Copy the configuration from your live pre-8.3 ASA with the following command and save the whole output to a file on your machine:
more system:running-configuration
2. The ASA in GNS3 has interfaces without module numbers, so edit the saved file and change the interface names from Ethernet0/0, GigabitEthernet0/0, GigabitEthernet0/1 and so on to Ethernet0, GigabitEthernet0, GigabitEthernet1 respectively, for every interface and sub-interface. Save the file as plain text.
3. Start a TFTP server on your machine and point its root directory at the folder holding the configuration file from step 1.
4. Start the ASA in GNS3, open its console and copy the file to the startup configuration over TFTP. Copy it to startup-config rather than running-config: the migration to the 8.3+ syntax runs when the appliance boots and parses its startup configuration. In this example the live configuration was saved as 'ASAUpgrade' and the TFTP server is 10.10.10.2:
ASAGNS# copy tftp startup-config
Address or name of remote host []? 10.10.10.2
Source filename []? ASAUpgrade
Accessing tftp://10.10.10.2/ASAUpgrade
5. Reload the firewall, answering N at the save prompt so that the current running configuration does not overwrite the startup-config you just copied:
ASAGNS# reload
System config has been modified. Save? [Y]es/[N]o:N
Proceed with reload? [confirm]
6. On reload the firewall migrates the configuration you copied into startup-config and prints a warning or error for everything it changed, could not migrate or had to reinterpret, typically NAT statements. Here is an example from my test:
Reading from flash...
!!!!!!!!.............WARNING: This rule will match all incoming traffic on interace 'any'.
Use 'unidirectional' option to apply the rule for outgoing traffic only.
*** Output from config line 548, 'nat (outside,any) source...'
WARNING: This rule will match all incoming traffic on interface 'outside'.
Use 'unidirectional' option to apply the rule for outgoing traffic only.
*** Output from config line 549, 'nat (outside,outside) so...'
These warnings are also written to a log file on flash (the upgrade_startup_errors_<timestamp>.log entries below), which you can read later with the more command, for example: more disk0:/upgrade_startup_errors_201205081147.log
ASAGNS# sh flash
--#-- --length-- -----date/time------ path
5 4096 May 08 2012 11:50:26 log
14 4096 May 08 2012 11:50:30 coredumpinfo
15 59 May 08 2012 11:50:30 coredumpinfo/coredump.cfg
84 196 May 08 2012 11:50:30 upgrade_startup_errors_201205081050.log
79 0 May 08 2012 12:07:08 nat_ident_migrate
85 5775 May 08 2012 12:47:54 upgrade_startup_errors_201205081147.log
7. Run 'more system:running-configuration' again, this time on the GNS3 ASA, and copy all of the output to a second text file.
8. You now have two running configs: one from the live ASA and one from the ASA in GNS3 with the migrated configuration. It is time for a config diff tool. I use Notepad++ with its Compare plugin: download and install Notepad++, then download the Compare plugin and copy the plugin file into the plugins folder (on my machine C:\Program Files\Notepad++\plugins).
9. Restart Notepad++, open both configuration files and choose Plugins > Compare > Compare.
10. The live config and the migrated config are now shown side by side, with missing and modified lines highlighted. This gives a good idea of how much of the configuration changes, how the NAT statements are migrated, which NAT statements are not migrated, and what to expect when you upgrade the software on the live ASA. Pay particular attention to rules the migration has broadened, such as the 'will match all incoming traffic' warnings above, and to access lists, which from 8.3 onwards must match the real (untranslated) addresses rather than the NATed ones.
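To make steps 6 to 10 repeatable from the command line, here is an added Python example (it is not code from the original post). It pulls the NAT-related lines out of both saved configs, prints a unified diff of the two files (the same comparison the Notepad++ Compare plugin shows) and parses the startup migration warnings into (config line, command, message) records. The two sample configs are constructed for the example, with the interfaces renamed as in step 2 and the NAT rewritten into network objects as 8.3 does; the warning log is the console output from step 6.

```python
# Added example (not code from the original post): compare a pre-8.3 ASA config with
# the 8.3+ config the migration produced, and summarise the startup migration warnings.
from __future__ import annotations
import re
from difflib import unified_diff

# Pre-8.3 NAT syntax: nat (ifc) <id> ..., global (ifc) <id> ..., static (in,out) ...
OLD_NAT = re.compile(r"^(nat \(\S+\) \d+|global \(\S+\) \d+|static \()")
# 8.3+ syntax: network objects carrying nat statements, or top-level twice NAT
NEW_NAT = re.compile(r"^(object network |nat \(\S+\) (source|after-auto)|\s+nat \(|\s+(host|subnet|range) )")
# Marker the ASA prints after each warning while migrating the startup config
WARN = re.compile(r"^\*\*\* Output from config line (\d+), '(.*)'$")

def strip_noise(cfg: str) -> list[str]:
    """Drop blank, comment (!) and header (:) lines; keep indentation of the rest."""
    return [l.rstrip() for l in cfg.splitlines()
            if l.strip() and not l.lstrip().startswith(("!", ":"))]

def nat_lines(cfg: str) -> tuple[list[str], list[str]]:
    """Return (old-style NAT lines, new-style object/NAT lines) present in cfg."""
    lines = strip_noise(cfg)
    return [l for l in lines if OLD_NAT.match(l)], [l for l in lines if NEW_NAT.match(l)]

def config_diff(live: str, migrated: str) -> list[str]:
    """Unified diff of the two configs: the same view the Notepad++ Compare plugin gives."""
    return list(unified_diff(strip_noise(live), strip_noise(migrated),
                             "live", "migrated", lineterm=""))

def parse_migration_warnings(log: str) -> list[dict]:
    """Pair each '*** Output from config line N' marker with the WARNING/ERROR text before it."""
    out, pending = [], []
    for raw in log.splitlines():
        line = raw.strip().lstrip("!.").strip()  # drop the console's progress characters
        m = WARN.match(line)
        if m:
            out.append({"line": int(m.group(1)), "cmd": m.group(2), "msg": " ".join(pending)})
            pending = []
        elif line and (line.startswith(("WARNING:", "ERROR:")) or pending):
            pending.append(line)
    return out

# Constructed sample: a minimal 8.2 config with classic outbound PAT and one static.
LIVE_CFG = """\
: Saved
ASA Version 8.2(5)
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-group outside_in in interface outside
"""

# Constructed to show the usual 8.3 rewrite: interfaces renamed as in step 2, NAT moved
# into network objects, and the ACL now matching the real (inside) address.
MIGRATED_CFG = """\
: Saved
ASA Version 8.4(2)
interface GigabitEthernet0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
object network obj-10.1.1.10
 host 10.1.1.10
access-list outside_in extended permit tcp any host 10.1.1.10 eq 443
object network obj-10.1.1.0
 nat (inside,outside) dynamic interface
object network obj-10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-group outside_in in interface outside
"""

# The console output from step 6 of the post.
SAMPLE_LOG = """\
!!!!!!!!.............WARNING: This rule will match all incoming traffic on interace 'any'.
Use 'unidirectional' option to apply the rule for outgoing traffic only.
*** Output from config line 548, 'nat (outside,any) source...'
WARNING: This rule will match all incoming traffic on interface 'outside'.
Use 'unidirectional' option to apply the rule for outgoing traffic only.
*** Output from config line 549, 'nat (outside,outside) so...'
"""

if __name__ == "__main__":
    print("\n".join(config_diff(LIVE_CFG, MIGRATED_CFG)))
    for w in parse_migration_warnings(SAMPLE_LOG):
        print(f"config line {w['line']} ({w['cmd']}): {w['msg']}")
```

Run it against the two files you saved in steps 1 and 7 instead of the embedded samples. The config line numbers in the warnings refer to the startup-config you copied in step 4, so keep that file unchanged until you have walked through every warning and decided whether the migrated rule is still as narrow as the original.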
In my blog post 'Sadly, the PIX Firewall Is Discontinued,' written early in 2008, I said how much I had enjoyed working with the Cisco PIX over the years and how disappointed I was that it was announced by Cisco to be 'End of Sale' on January 28, 2008. In the Cisco PIX Security Appliances End-of-Sale Announcement, they detail the timeline for the PIX to 'go away.' That time is:
- End of Sale for Hardware: July 28, 2008
- End of Software Maintenance: July 28, 2009
- End of Service Contract Renewals: October 23, 2012
- End of Support: July 27, 2013
While there is some time before Cisco stops supporting your PIX (in 2013), it should concern you that there is no more software maintenance for your PIX come July of this year. That means that if there is a bug, security bugs included, Cisco is not going to offer a patch for it; they will tell you to upgrade to an ASA (Adaptive Security Appliance) instead. It also means there will be no more feature enhancements for your PIX. What you have now is all you will ever have.
Truly, the PIX is an excellent firewall that is stable and offers just about everything most of us need. Still, if you have even one PIX firewall in place, the announcement is something that has to concern you. And, if like some large enterprises, you have hundreds of PIX firewalls in place it could be a huge concern. And these days, the bigger question for enterprises may be 'how are we going to get millions of dollars in a down economy to replace our PIX firewalls with ASA firewalls?' While I can't help you solve that problem, let's assume that you already have your new ASA to replace your PIX. How do you do it?
PIX and ASA configurations differ
The important thing to note about PIX and ASA configurations is that they are different: doing one thing on a PIX requires a different command on an ASA. The ASA uses a more 'IOS-like' configuration, whereas the PIX has its own 'PIX-OS' configuration. Here are just some of the differences between the two:
- The ASA is different hardware and has different interface names.
- The ASA uses sub-interface commands, like Cisco IOS.
- A PIX uses fixup commands for application inspection, whereas the ASA uses policy maps.
- A PIX may use outbound and conduit commands, which the ASA replaces with access lists.
There are two ways to perform this conversion — manually or by using the automatic migration tool. You may want to perform the conversion manually if you want more granular control, but Cisco offers a PIX to ASA Migration Tool that can perform this automatically. Let's look at how it works.
Note that to use this tool, your PIX must be running PIX-OS Version 6.3 or later.
Cisco's PIX to ASA Migration Tool
I downloaded the Cisco PIX to ASA Migration Tool (Cisco registration and a PIX service agreement is required). There are three versions — Windows XP, Mac OSX, and Red Hat 9 Linux. I downloaded the Windows XP version and installed it. The Windows XP version did work on my Vista laptop. Once installed, I saw that it includes a User Guide, Migration Scripts, and the actual tool.
The PIX to ASA Migration Tool is really very simple. When you run it, it asks for a source and a target. The source can be either 'Live' devices (powered on and running) or saved configuration files on your hard drive. If you are going to pull the configuration off of a live device, you would enter something like https://IP_Address/config into the blank for the configuration file. The target is where you want the resulting migrated config file to be placed.
I entered the source configuration file and target, and the tool scanned my configuration for interfaces. Next, I had to specify the type of device that this will go on. Will it be an ASA 5505? 5510? 5520? 5550? 5580? And what type of license?
I specified a 5505 with a plus license. I took the defaults for how my PIX Ethernet interfaces would be converted to ASA VLAN interfaces.
Here is what it looked like:
Figure A
From here, all I had to do was click Make Target Configuration for my ASA. The configuration took only a few seconds, and I was given an output log that looked like this:
Figure B
Next, I clicked on View Target Configuration to see my new ASA configuration file. You can see what it looked like in Figure C. I could tell instantly that it was converted with the new ASA header on the file. Even more so, I could see that it now had policy maps instead of fixup commands.
Figure C
Conclusion
While I have enjoyed using Cisco PIX devices over the years, it is also nice to move on to a more powerful and featured device, the Cisco ASA. I am very pleased with the ease of migration that Cisco offers with their migration tool.
Learn more about migration from Cisco PIX to ASA appliances in Cisco's 'Migration from PIX 500 Series Security Appliances to ASA 5500 Series Adaptive Security Appliances' and the 'Cisco PIX to Cisco ASA 5500 Series Migration Release Notes.'