Pix To Asa Migration Tool 8.4

4/17/2019

The ASA 5500-X Series was redesigned to address higher performance requirements and increase flexibility when adding new services while maintaining the compact 1-RU form factor. Customers migrating from ASA 5500 Series platforms need to consider these changes at the time of migration to the newer hardware. This article describes the best practices to follow while migrating to the new ASA 5500-X Series midrange appliances.

The Cisco ASA 5500 Series midrange appliance portfolio comprises four security appliances (ASA 5510, ASA 5520, ASA 5540, and ASA 5550). In March 2012, Cisco added five new midrange appliances to the ASA family. The new appliances carry the -X suffix to distinguish them and are named as follows: ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X. The Cisco ASA 5500-X Series delivers next-generation security services.

The Cisco ASA 5500-X Series is designed to support next-generation security services while meeting the higher performance requirements of today’s networks. It is based on a multicore, 64-bit architecture and uses separate dedicated multicore chipsets for crypto and pattern matching operations. Hardware and software changes have been introduced without sacrificing the compact form factor.

Cisco ASA 5500-X Series Hardware Migration Path

The Cisco ASA 5500 Series portfolio comprises four platforms that are based on a single-CPU, 32-bit architecture. Due to architectural limitations, they are not capable of supporting next-generation security services. The table below lists the suggested hardware migration path to the ASA 5500-X Series. The suggested sizing is a conservative estimate.

Hardware Migration Path from ASA 5500 Series to ASA 5500-X Series

ASA 5500 Series Appliance         | Equivalent ASA 5500-X Series Appliance
----------------------------------|-----------------------------------------------
ASA 5510                          | ASA 5512-X
ASA 5510 with SecPlus License     | ASA 5515-X or ASA 5512-X with SecPlus License
ASA 5520                          | ASA 5525-X
ASA 5540                          | ASA 5545-X
ASA 5550                          | ASA 5555-X

Cisco ASA 5500-X Series Software Migration Path

Software support for the Cisco ASA 5500-X Series is available in ASA Software Release 8.6 and later. Earlier ASA Software releases will fail to load on the new appliances.

Planning for a Successful Migration

To ease the migration process, the following pre-migration checks should be performed to meet the minimum hardware and software requirements.

• Licenses do not migrate automatically. All required licenses should be acquired and applied to the new appliance before starting the migration process.

• ASA 5500-X Series appliances require ASA Software Release 8.6 or later. They do not support earlier software versions. The new appliance should be loaded with the latest ASA Software release available on Cisco.com.

• Upgrade ASA Software on existing 5500 Series appliances to ASA Software Release 8.4. With this upgrade, the configuration is updated to reflect the licensing, NAT, and real-IP-address ACL migration introduced in ASA Software Release 8.3. If the ASA 5500 is running a pre-8.4 release, the preferred way is to upgrade iteratively over major revisions; e.g., if the appliance is running ASA Software Release 7.2, perform the following transitions: 7.2 to 7.4 to 8.0 to 8.2 to 8.4. With this approach, deprecated features are taken care of automatically during the upgrades.

• Back up the configuration from the existing ASA 5500 Series appliance on a remote machine. This can be done using the CLI copy command or using Cisco Adaptive Security Device Manager (ASDM).

• If the IPS Security Services Module (SSM) is present, back up the IPS configuration using IDM/IME or the CLI.

• During configuration backup, make sure to export certificates and keys from the old platform for reuse.

Feature License Migration

Cisco ASA feature licenses are linked to the hardware serial number. License information is not included in the configuration; as a result, licenses do not migrate when a configuration is moved from an older appliance to a newer one. All requisite licenses currently in use on an older ASA 5500 Series appliance should be acquired for the new ASA 5500-X Series appliance before proceeding with the migration process.

Cisco ASA Software Requirements for Migration

All new midrange ASA 5500-X Series appliances require ASA Software Release 8.6 or later. Earlier releases, such as those running on the ASA 5500 Series (5510, 5520, 5540, and 5550), are unsupported and will not load on the new platforms.

Minimum Software Requirements for Migration from ASA 5500 to ASA 5500-X Appliances

ASA Appliance                                                  | Minimum Software Version   | Notes
---------------------------------------------------------------|----------------------------|-------------------------------------------------
ASA 5500 Series (5510, 5520, 5540, and 5550)                   | ASA Software Release 8.4.2 | Release 8.6 is not supported on these platforms.
ASA 5500-X Series (5512-X, 5515-X, 5525-X, 5545-X, and 5555-X) | ASA Software Release 8.6   |

ASA 5500 Series appliances should be upgraded to ASA Software Release 8.4.2 before attempting migration to the ASA 5500-X Series. Upgrade steps are explained in detail at https://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html.

Offline upgrade of ASA 5500 Series appliances to ASA Software Release 8.4 is possible using an internal migration tool hosted at https://gypsy.cisco.com/migration.html. More information on this tool is provided in the next section.

More information on migrating from Cisco ASA 5500 Series to ASA 5500-X Series Midrange Appliances

You can visit: https://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps6120/guide_c07-727453.html

More Related Topics of Cisco ASA:

Introduction

This document explains how to migrate from PIX 500 Series Security Appliances to ASA 5500 Series Adaptive Security Appliances.

Note: The PIX 501, PIX 506 and PIX 506E do not support software version 7.

There are two ways to convert a PIX configuration to an ASA configuration:

  • Tool-Assisted Conversion

  • Manual Conversion

Automatic Tool based / Tool-Assisted Conversion

Cisco recommends that you use the tool-assisted conversion in order to convert PIX configurations to ASA configurations.

The tool-assisted conversion method is faster and more scalable if you make multiple conversions. However, the output of the process is an intermediate configuration that contains both old syntax and new syntax. This method relies on the installation of the intermediate configuration on the target adaptive security appliance to complete the conversion. Until it is installed on the target device, you cannot view the final configuration.

Note: Cisco has released the PIX to ASA Migration tool in order to help automate the process of migrating to the new ASA appliances. This tool can be downloaded from the PIX Software download site. Refer to Migrating the Configuration of PIX 500 Series Security Appliance to ASA 5500 Series Adaptive Security Appliances for more information.

Prerequisites

Hardware and Software Requirements

You can upgrade PIX 515, 515E, 525, 535 to version 7.0.

Before you start the upgrade process to version 7.x, Cisco recommends that the PIX run version 6.2 or later. This ensures that the current configuration properly converts. In addition, these minimum RAM requirements must be met:

PIX Model | RAM Requirement, Restricted (R) | RAM Requirement, Unrestricted (UR) / Failover Only (FO)
----------|---------------------------------|--------------------------------------------------------
PIX-515   | 64 MB*                          | 128 MB*
PIX-515E  | 64 MB*                          | 128 MB*
PIX-525   | 128 MB                          | 256 MB
PIX-535   | 512 MB                          | 1 GB

* See the note on PIX 515 and 515E memory upgrades below.

Issue the show version command in order to determine the amount of RAM currently installed on the PIX.

Note: PIX 515 and 515E software upgrades can require a memory upgrade as well:

  • Those with restricted licenses and 32 MB of memory must be upgraded to 64 MB of memory.

  • Those with unrestricted licenses and 64 MB of memory must be upgraded to 128 MB of memory.

See this table for the part numbers you need in order to upgrade the memory on these appliances.

Current Appliance Configuration                       | Upgrade Solution
Platform License   | Total Memory (before upgrade)    | Part Number      | Total Memory (after upgrade)
-------------------|----------------------------------|------------------|-----------------------------
Restricted (R)     | 32 MB                            | PIX-515-MEM-32=  | 64 MB
Unrestricted (UR)  | 32 MB                            | PIX-515-MEM-128= | 128 MB
Failover-Only (FO) | 64 MB                            | PIX-515-MEM-128= | 128 MB

Note: The part number depends upon the license installed on the PIX.

The upgrade of software version 6.x to 7.x is not seamless and requires some manual work; these steps must be completed before you begin:

  1. Ensure you have no conduit or outbound/apply commands in your current configuration. These commands are no longer supported in 7.x and the upgrade process removes them. Use the Conduit Converter tool in order to convert these commands to access-lists before you attempt the upgrade.

  2. Ensure that PIX does not terminate Point to Point Tunneling Protocol (PPTP) connections. Software version 7.x currently does not support PPTP termination.

  3. Copy any digital certificates for VPN connections on the PIX before you start the upgrade process.

  4. Read these documents in order to ensure that you are aware of new, changed and deprecated commands:

    • Release notes for the software version to which you plan to upgrade, which can be found at 'Cisco PIX Security Appliance Release Notes'.

  5. Plan to perform the migration during downtime. Although the migration is a simple two step process, the upgrade of the PIX Security Appliance to 7.x is a major change and requires some downtime.

  6. Download the 7.x software from Cisco Downloads (registered customers only).

Components Used

The information in this document is based on these software and hardware versions:

  • ASA 5500 Series Security Appliances

  • PIX Security Appliance 515, 515E, 525, and 535

  • PIX Software versions 6.3, 7.0

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Manual Configuration Conversion

With the manual conversion process, you use a text editor to go through your configuration line-by-line and convert PIX-specific commands to ASA commands.

Manual conversion of the PIX configuration to an ASA configuration gives you the most control over the conversion process. However, the process is time consuming and does not scale well if you must make more than one conversion.

These three steps must be completed in order to migrate from PIX to ASA:

  1. Upgrade the PIX software version to 7.x.

  2. Convert interface names from Cisco PIX software 7.0 to Cisco ASA Format.

  3. Copy the PIX software 7.0 configuration to Cisco ASA 5500.

Upgrade the PIX Software Version to 7.x

Before you start the actual upgrade process, complete these steps:

  1. Issue the show running-config or write net command in order to save the PIX current configuration to a text file or a TFTP server.

  2. Issue the show version command in order to verify the requirements, such as RAM. Also, save the output of this command to a text file. If you need to revert to an older version of the code, you might need the original activation key.

If the PIX has a basic input output system (BIOS) version earlier than 4.2 or if you plan to upgrade a PIX 515 or a PIX 535 with a PDM already installed, then you must complete the upgrade procedure in Monitor Mode instead of with the copy tftp flash method. In order to view the BIOS version, reboot the PIX, and with a console cable attached, read the messages at boot.

The BIOS version is listed in a message, such as:

Note: The 6.x commands are automatically converted to 7.x commands during the upgrade. The automatic conversion of commands results in a change to your configuration. You need to review the configuration changes after the 7.x software boots in order to verify that the automatic changes are satisfactory. Then, save the configuration to flash memory in order to ensure that the system does not convert the configuration again the next time the security appliance boots.

Note: After the system is upgraded to 7.x, it is important that you not use the software version 6.x npdisk utility, such as for password recovery, as it corrupts the 7.x software image and requires you to restart your system from Monitor Mode. It can also cause you to lose your previous configuration, security kernel, and key information.

Upgrade the PIX Security Appliance with the copy tftp flash Command

Complete these steps in order to upgrade the PIX with the use of the copy tftp flash command.

  1. Copy the PIX appliance binary image, for example, pix701.bin, to the root directory of the TFTP server.

  2. From the enable prompt, issue the copy tftp flash command.

  3. Enter the IP address of the TFTP server.

  4. Enter the name of the file on the TFTP server that you want to load. This is the PIX binary image file name.

  5. When prompted to start the TFTP copy, type yes.

  6. The image is now copied over from the TFTP server to Flash.

    This message appears and indicates that the transfer is a success, the old binary image in Flash is erased, and the new image is written and installed.

  7. Reload the PIX appliance in order to boot the new image.

  8. The PIX now boots the 7.0 image, and this completes the upgrade process.

Example Configuration - Upgrade the PIX Appliance with the copy tftp flash Command

Note: Issue the show version command in order to verify that the PIX now runs the 7.x software version.

Note: In order to examine any errors that occurred during the migration of the configuration, issue the show startup-config errors command. The errors appear in this output after you boot the PIX for the first time.

Upgrade the PIX Security Appliance from Monitor Mode

Enter Monitor Mode

Complete these steps in order to enter Monitor Mode on the PIX.

  1. Connect a console cable to the console port on the PIX with the use of these communication settings:

    • 9600 bits per second

    • 8 data bits

    • no parity

    • 1 stop bit

    • no flow control

  2. Power cycle or reload the PIX. During bootup you are prompted to use BREAK or ESC in order to interrupt the Flash boot. You have ten seconds to interrupt the normal boot process.

  3. Press the ESC key or send a BREAK character in order to enter Monitor Mode.

    • If you use Windows HyperTerminal, you can press the Esc key or press Ctrl+Break in order to send a BREAK character.

    • If you Telnet through a terminal server in order to access the console port of the PIX, you need to press Ctrl+] (Control + right bracket) in order to get to the Telnet command prompt. Then, issue the send break command.

  4. The monitor> prompt displays.

  5. Proceed to the Upgrade the PIX from Monitor Mode section.

Upgrade the PIX from Monitor Mode

Complete these steps in order to upgrade your PIX from Monitor Mode.

  1. Copy the PIX appliance binary image, for example, pix701.bin, to the root directory of the TFTP server.

  2. Enter Monitor Mode on the PIX. If you are unsure how to do this, see Enter Monitor Mode.

    Note: Once in Monitor Mode, you can use the '?' key in order to see a list of available options.

  3. Enter the interface number that the TFTP server is connected to, or the interface that is closest to the TFTP server. The default is interface 1 (Inside).

    Note: In Monitor Mode, the interface always auto negotiates the speed and duplex. The interface settings cannot be hard coded. Therefore, if the PIX interface is plugged into a switch that is hard coded for speed/duplex, reconfigure it to auto negotiate while you are in Monitor Mode. Also, be aware that the PIX appliance cannot initialize a Gigabit Ethernet interface from Monitor Mode. You must use a Fast Ethernet interface instead.

  4. Enter the IP address of the interface defined in step three.

  5. Enter the IP address of the TFTP server.

  6. (Optional) Enter the IP address of your gateway. A gateway address is required if the interface of the PIX is not on the same network as the TFTP server.

  7. Enter the name of the file on the TFTP server that you want to load. This is the PIX binary image file name.

  8. Ping from the PIX to the TFTP server in order to verify IP connectivity.

    If the pings fail, double check the cables, the IP address of the PIX interface and the TFTP server, and the IP address of the gateway (if needed). The pings must succeed before you continue.

  9. Type tftp in order to start the TFTP download.

  10. The PIX downloads the image into RAM and automatically boots it.

    During the boot process, the file system is converted along with your current configuration. However, you are not done yet. Note this warning message after you boot and continue to step 11:

  11. Once booted, enter enable mode and copy the same image over to the PIX again. This time, issue the copy tftp flash command.

    This saves the image to the Flash file system. Failure to complete this step results in a boot loop the next time the PIX reloads.

    Note: For detailed instructions on how to copy the image over with the use of the copy tftp flash command, see the Upgrade the PIX Security Appliance with the copy tftp flash Command section.

  12. Once the image is copied over with the copy tftp flash command, the upgrade process is complete.

Example Configuration - Upgrade the PIX Security Appliance from Monitor Mode

Convert Interface Names from Cisco PIX Software 7.0 to Cisco ASA Format

The next step in the process is to edit the newly converted Cisco PIX Software 7.0-based configuration offline.

Since the Cisco ASA interface naming convention is different from Cisco PIX Security Appliances, you need to make changes on the Cisco PIX configuration before you copy/upload it to your Cisco ASA 5500 Series Security Appliance.

Complete these steps in order to make the interface name changes on the PIX configuration:

  1. Copy the new Cisco PIX Software 7.0-based configuration offline. In order to do this, upload the configuration to a TFTP/FTP server or copy the configuration from a console session to a text editor.

    In order to upload the PIX configuration to a TFTP/FTP server, from the console, issue this command:

  2. Once the Cisco PIX Software 7.0-based configuration file successfully uploads to the TFTP/FTP server (or is pasted/copied to a text editor), open Notepad/WordPad or any favorite text editor in order to change the interface names on the PIX configuration.

    Cisco PIX Security Appliances number interfaces from 0 to n. Cisco ASA 5500 Series Security Appliances number interfaces based on their location/slot. Embedded interfaces are numbered from 0/0 to 0/3, and the management interface is Management 0/0. Interfaces on the 4GE SSM module are numbered from 1/0 to 1/3.

    Cisco ASA 5510 with a base license that runs 7.0 has three Fast Ethernet ports (0/0 through 0/2) plus the Management 0/0 interface available. Cisco ASA 5510 with a Security Plus license has all five Fast Ethernet interfaces available. Cisco ASA 5520 and 5540 have four Gigabit Ethernet ports and one Fast Ethernet management port. Cisco ASA 5550 has eight Gigabit Ethernet ports and one Fast Ethernet port.

    Change the interface names on the PIX configuration to ASA interface format.

    For example:

    Refer to the 'Configuring Interface Parameters' section of Cisco Security Appliance Command Line Configuration Guide, Version 7.0 for more information.
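The interface renaming in step 2 is a mechanical edit that is easy to get wrong by hand, in particular when a port name also appears outside its interface block (for example in a failover lan interface command) or when the PIX has more ports than the target ASA exposes. As an added example, not part of the Cisco document, the following Python script applies a PIX-port-to-ASA-port mapping to a PIX 7.0 configuration line by line, reports every changed line for review, and leaves any port with no mapping entry untouched rather than guessing. The configuration fragment is constructed for the example, the PIX_TO_ASA_IFACES mapping is an assumption about one ASA 5510 deployment, and the function and variable names are the example's own.

```python
import re

# PIX physical port -> ASA 5510 port, following the numbering described above
# (embedded ports Ethernet0/0 to 0/3, Management0/0). This particular mapping
# is an assumption for the example; set it to match how the target ASA is cabled.
PIX_TO_ASA_IFACES = {
    "Ethernet0": "Ethernet0/0",
    "Ethernet1": "Ethernet0/1",
    "Ethernet2": "Ethernet0/2",
}

# PIX-style names (Ethernet2, GigabitEthernet0) that are not already in the
# ASA slot/port form: a following "/" means the name was converted already,
# so running the conversion twice is harmless.
_IFACE_RE = re.compile(r"\b((?:Gigabit)?Ethernet)(\d+)\b(?!/)")

# Constructed PIX 7.0 configuration fragment (not a real device's config).
SAMPLE_PIX_70_CONFIG = """\
hostname pixfirewall
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet2
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
!
failover
failover lan interface folink Ethernet2
access-list outside_in extended permit tcp any host 192.0.2.10 eq www
access-group outside_in in interface outside
"""


def convert_interface_names(config_text, mapping=PIX_TO_ASA_IFACES):
    """Rewrite PIX interface names to ASA form, line by line.

    Returns (converted_text, changed, unmapped): changed is a list of
    (old_line, new_line) pairs to review before loading the config, and
    unmapped lists PIX names with no mapping entry, which are left untouched
    so that nothing is silently renamed to a port the ASA does not have.
    """
    changed, unmapped = [], set()

    def repl(match):
        name = match.group(1) + match.group(2)
        if name in mapping:
            return mapping[name]
        unmapped.add(name)
        return name

    out = []
    for line in config_text.splitlines():
        new_line = _IFACE_RE.sub(repl, line)
        if new_line != line:
            changed.append((line, new_line))
        out.append(new_line)
    return "\n".join(out) + "\n", changed, sorted(unmapped)


if __name__ == "__main__":
    text, changed, unmapped = convert_interface_names(SAMPLE_PIX_70_CONFIG)
    for old, new in changed:
        print(f"- {old}\n+ {new}")
    if unmapped:
        print("Left unchanged (no ASA port assigned):", ", ".join(unmapped))
    print(text)
```

Commands that refer to the nameif name (access-group ... in interface outside) need no change, because only physical port names differ between the platforms; that is why the script touches nothing but the interface tokens. In the sample, Ethernet3 has no ASA port in the mapping and is reported rather than rewritten, which is the case to resolve by hand (shut it down, or assign a fourth port on a Security Plus license) before the configuration is copied to the ASA.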

Copy the Configuration from PIX to ASA

At this point, you have a Cisco PIX Software 7.0-based configuration with the interface names modified ready to be copied or uploaded to your Cisco ASA 5500 Series. There are two ways to load the Cisco PIX Software 7.0-based configuration to the Cisco ASA 5500 Series appliance.

Complete the steps in Method 1: Manual Copy/Paste or Method 2: Download from TFTP/FTP.

Method 1: Manual Copy/Paste

Copy the configuration through the copy/paste method from the PIX console:

  1. Log into the Cisco ASA 5500 series through the console and issue the clear config all command in order to clear the configuration before you paste the modified Cisco PIX Software 7.0 configuration.

  2. Copy and paste the configuration to the ASA console, and save the configuration.

    Note: Make sure that all the interfaces are in the no shutdown state before you start to test.

Method 2: Download from TFTP/FTP

The second method is to download the Cisco PIX Software 7.0-based configuration from a TFTP/FTP server. For this step, you need to configure the management interface on the Cisco ASA 5500 series appliance for TFTP/FTP download:

  1. From the ASA console, issue this:

    Note: (Optional) route management <ip> <mask> <next-hop>

  2. Once the management interface is set up, you can download the PIX configuration to the ASA:

  3. Save the configuration.

Apply a PIX Software Version 6.x Configuration to ASA Software Version 7.x

The conversion of a PIX 6.2 or 6.3 configuration to a new ASA Security Appliance is a manual process. The ASA/PIX administrator is required to convert PIX 6.x syntax to match the ASA syntax and type the commands into the ASA configuration. You can cut and paste some commands such as the access-list command. Be sure to closely compare the PIX 6.2 or 6.3 configuration to the new ASA configuration in order to ensure no mistakes are made in the conversion.

Note: The Cisco CLI Analyzer (registered customers only) can be used in order to convert some of the older, unsupported, commands such as apply, outbound or conduit to the appropriate access-list. The converted statements need to be reviewed thoroughly. It is necessary to verify that the conversion matches the security policies.

Note: The process for the upgrade to a new ASA appliance is different from an upgrade to a new PIX appliance. An attempt to upgrade to an ASA with the PIX process generates a number of configuration errors on the ASA.

Troubleshoot - Manual Configuration Conversion

Device Stuck in Reboot Loop

  • After you use the copy tftp flash method in order to upgrade the PIX, and reboot, it gets stuck in this reboot loop:

    PIX appliances with BIOS versions earlier than 4.2 cannot be upgraded with the use of the copy tftp flash command. You must upgrade them with the Monitor Mode method.

  • After the PIX runs 7.x, and reboots, it gets stuck in this reboot loop:

    If the PIX is upgraded from Monitor Mode to 7.0, but the 7.0 image is not re-copied into Flash after the first boot of 7.0, then when the PIX is reloaded, it becomes stuck in a reboot loop.

    The resolution is to load the image again from Monitor Mode. After it boots, you must copy the image one more time with the use of the copy tftp flash method.

Error Message

When you upgrade with the copy tftp flash method, you see this error message:

This message typically appears when the PIX 515 or a PIX 535 with PDM already installed is upgraded with the copy tftp flash method.

Upgrade with the Monitor Mode method in order to resolve this.

Configuration Does Not Seem Correct

After you upgrade the PIX from 6.x to 7.x, some of the configuration does not properly migrate.

The output of the show startup-config errors command shows any errors that occurred during the migration of the configuration. The errors appear in this output after you boot the PIX for the first time. Examine these errors and attempt to resolve them.

Some Services Such as FTP Do Not Work

Occasionally, some services such as FTP do not work after an upgrade.

The inspection for these services is not enabled after the upgrade. Enable the inspection for the appropriate services. In order to do this, add them to the default/global inspection policy or create a separate inspection policy for the desired service.

Refer to the 'Applying Application Layer Protocol Inspection' section of Cisco Security Appliance Command Line Configuration Guide, Version 7.0 for more information about inspection policies.

Unable to Access Internet when the Cisco PIX Security Appliance is Replaced with the Cisco Adaptive Security Appliance (ASA)

Use this section if you are unable to access the Internet after you replace the Cisco PIX Security Appliance with the Cisco Adaptive Security Appliance (ASA).

When you unplug the PIX from the network and attach the ASA to the network with an Outside interface IP address that is the same as the Outside interface of the PIX, the upstream router still has the MAC address of the PIX cached for that Outside interface IP address. As a result, it is not able to send the reply packets back to the ASA. In order for the ASA to work, you must clear the ARP entry on the upstream router so that it learns the new, correct MAC address. Flushing the ARP entries when you replace the PIX with the ASA resolves the Internet connectivity issue. The ARP entry flush must be done by the ISP at their end.

Related Information
