
Hi,

I need to migrate an old PIX-515E to a new Cisco ASA5520 (ver 8.3.1), and after trying I found that the Cisco PIX to ASA migration tool (ver 1) does not successfully complete the process due to 8.3.1 having different code.

The question I have is if anyone knows of another tool or upgraded migration tool that can do this conversion.

Alternatively, does anyone know someone I could send the current config to for conversion for some $$$?

Cheers.

asked 10/25/2011 11:00


tmaster100 ♦♦


5 Answers:
Hi,

I advise downgrading the ASA to 8.2 code, entering the commands, and afterwards upgrading the ASA to 8.3!

Best regards,
Istvan

answered


ikalmar

If you are managing the ASA yourself, this might be a good time and chance to take a good look at the config, learn and understand what the old config does and how to implement it using ASA features and commands ... also, usually doing such a migration step by step instead of through a tool almost always results in getting rid of some unused or unnecessary entries in the config ;) Yes, using tools will most likely save you time, but in the long run, a good understanding of what is going on on your firewall is worth more ...

answered 2011-10-25 at 19:55:34


Garry-G

Thanks, I dropped it down to 8.2(2), which lessened the errors; however, I still have some that have popped up.


pdm group PCAnywhere clients outside  (it puts a ^ under pdm)

crypto map WANMAP 20 ipsec-isakmp (it shows incomplete command)

vpngroup vpngroup address-pool vpnpool (it puts a ^ under the first vpngroup)


So a few problems, or incorrect or incomplete commands.

Can anyone advise?

answered 2011-10-25 at 21:18:46


tmaster100

Let's see.

pdm group PCAnywhere clients outside
As per Cisco:
----
PDM adds pdm group commands to the running configuration and uses them for internal purposes. This command is included in the documentation for informational purposes only.
----
So this one can be deleted.

crypto map WANMAP 20 ipsec-isakmp
Should be:
crypto map WANMAP 20 ipsec-isakmp dynamic <dynamic map name>

vpngroup vpngroup address-pool vpnpool
This should have been converted to a corresponding tunnel-group command. You might want to check if it did. If so, you can remove this line.

answered 2011-10-25 at 21:20:57


erniebeek
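
The three cases from the answer above, as an added example that is not part of the thread or of any Cisco tool: a small Python checker that flags leftover `pdm group`, bare `crypto map ... ipsec-isakmp` and `vpngroup` lines in a config file. It assumes a converted `vpngroup` shows up as a `tunnel-group` of the same name; the function name and the sample config are constructed for illustration.

```python
import re

# Constructed sample: leftover PIX lines mixed with already-converted ASA lines.
SAMPLE_CONFIG = """\
pdm group PCAnywhere clients outside
crypto map WANMAP 20 ipsec-isakmp
crypto map WANMAP 30 ipsec-isakmp dynamic DYNMAP
vpngroup vpngroup address-pool vpnpool
vpngroup partners address-pool partnerpool
tunnel-group vpngroup type ipsec-ra
"""


def audit_leftovers(config_text):
    """Return (line_no, line, advice) for each command discussed in the thread."""
    lines = [raw.strip() for raw in config_text.splitlines()]
    # Assumption: a converted vpngroup appears as a tunnel-group with the same name.
    tunnel_groups = {m.group(1) for line in lines
                     if (m := re.match(r"tunnel-group\s+(\S+)", line))}
    findings = []
    for no, line in enumerate(lines, start=1):
        if re.match(r"pdm\s+group\b", line):
            # PDM-internal bookkeeping, safe to drop per the quoted documentation.
            findings.append((no, line, "PDM-internal; delete"))
        elif re.fullmatch(r"crypto\s+map\s+\S+\s+\d+\s+ipsec-isakmp", line):
            # The parser reports "incomplete command" when nothing follows the keyword.
            findings.append((no, line, "incomplete; nothing follows ipsec-isakmp"))
        elif (m := re.match(r"vpngroup\s+(\S+)", line)):
            if m.group(1) in tunnel_groups:
                advice = "tunnel-group present; delete"
            else:
                advice = "no tunnel-group found; convert by hand"
            findings.append((no, line, advice))
    return findings


if __name__ == "__main__":
    for no, line, advice in audit_leftovers(SAMPLE_CONFIG):
        print(f"line {no}: {line!r} -> {advice}")
```
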


answered 2011-10-26 at 00:35:19


ikalmar

Asked: 10/25/2011 11:00

Seen: 571 times

Last updated: 12/16/2011 12:28