I need to migrate an old PIX-515E to a new Cisco ASA5520 (ver 8.3.1), and after trying, I found that the Cisco PIX to ASA migration tool (ver 1) does not successfully complete the process due to 8.3.1 having different code.

The question I have is if anyone knows of another tool or upgraded migration tool that can do this conversion.

Alternatively, does anyone know someone I could send the current config to for conversion for some $$$?


asked 10/25/2011 11:00


tmaster100 ♦♦

5 Answers:

I advise downgrading the ASA to 8.2 code, putting in the commands, and afterwards upgrading the ASA to 8.3!

Best regards,


ikalmar


If you are managing the ASA yourself, this might be a good time and chance to take a good look at the config, learn and understand what the old config does and how to implement it using ASA features and commands ... also, usually doing such a migration step by step instead of through a tool almost always results in getting rid of some unused or unnecessary entries in the config ;) Yes, using tools will most likely save you time, but in the long run, a good understanding of what is going on on your firewall is worth more ...

answered 2011-10-25 at 19:55:34

Garry-G


Thanks, I dropped it down to 8.2(2), which lessened the errors; however, I have some that have popped up still.

pdm group PCAnywhere clients outside  (it puts a ^ under pdm)

crypto map WANMAP 20 ipsec-isakmp (it shows incomplete command)

vpngroup vpngroup address-pool vpnpool (it puts a ^ under the first vpngroup)

So a few problems, or incorrect or incomplete commands.

Can anyone advise?

answered 2011-10-25 at 21:18:46

tmaster100


Let's see.

pdm group PCAnywhere clients outside
As per Cisco:
PDM adds pdm group commands to the running configuration and uses them for internal purposes. This command is included in the documentation for informational purposes only.
So this one can be deleted.

crypto map WANMAP 20 ipsec-isakmp
Should be:
crypto map WANMAP 20 ipsec-isakmp dynamic <dynamic map name>

vpngroup vpngroup address-pool vpnpool
This should have been converted to a corresponding tunnel-group command. You might want to check if it did. If so, you can remove this line.

answered 2011-10-25 at 21:20:57

erniebeek
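
One way to check a config for the three leftovers discussed in the answer above before pasting it into the ASA, as an added example (not code from the thread or from Cisco). The sample config, the names `sales`, `salespool` and `DYNMAP`, and the function names are constructed for illustration; it assumes the converted lines take the `tunnel-group <name> general-attributes` / `address-pool` form.

```python
import re

# Constructed sample: old PIX lines plus converted tunnel-group lines (not from the thread).
SAMPLE_CONFIG = """\
pdm group PCAnywhere clients outside
crypto map WANMAP 20 ipsec-isakmp
crypto map WANMAP 30 ipsec-isakmp dynamic DYNMAP
vpngroup vpngroup address-pool vpnpool
vpngroup sales address-pool salespool
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 address-pool vpnpool
"""

def tunnel_group_pools(lines):
    """Map each tunnel-group name to the address pools in its general-attributes block."""
    pools, current = {}, None
    for line in lines:
        m = re.match(r"tunnel-group (\S+) general-attributes\s*$", line)
        if m:
            current = m.group(1)
            pools.setdefault(current, set())
        elif line.startswith(" ") and current:
            sub = re.match(r"\s+address-pool (.+)$", line)
            if sub:
                pools[current].update(sub.group(1).split())
        else:
            current = None
    return pools

def audit(config):
    """Return (line_no, command, advice) for each leftover PIX command."""
    lines = config.splitlines()
    pools = tunnel_group_pools(lines)
    findings = []
    for no, line in enumerate(lines, 1):
        cmd = line.strip()
        if cmd.startswith("pdm "):
            findings.append((no, cmd, "used internally by PDM; can be deleted"))
        elif re.fullmatch(r"crypto map \S+ \d+ ipsec-isakmp", cmd):
            findings.append((no, cmd, "incomplete; needs 'dynamic <dynamic map name>'"))
        elif (m := re.fullmatch(r"vpngroup (\S+) address-pool (\S+)", cmd)):
            done = m.group(2) in pools.get(m.group(1), ())
            findings.append((no, cmd, "converted to tunnel-group; remove" if done
                             else "no matching tunnel-group found; not yet converted"))
    return findings

if __name__ == "__main__":
    for no, cmd, advice in audit(SAMPLE_CONFIG):
        print(f"line {no}: {cmd}  ->  {advice}")
```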



answered 2011-10-26 at 00:35:19

ikalmar



Asked: 10/25/2011 11:00

Seen: 571 times

Last updated: 12/16/2011 12:28