PIX to ASA conversion tool question

higherho Member Posts: 882
Hi all,

So in a month or so we will be getting our second ASA 5510 for firewall purposes (the other one we use for VPN; security requires us to have these services separate and on different devices). My question is: when I convert all my PIX (515E) firewall rules, etc. to the ASA, will the certificates on the PIX (if we use them) also be converted over too? I am trying to plan this out ahead so I have no downtime, or a very minimal amount of downtime, when I take the PIX offline. Any help would be greatly appreciated!

Comments

  • apr911 Member Posts: 380
    It's going to depend largely on your code base. 8.3 code for the ASA changes a lot of things that won't translate directly from the PIX. If the code is pre-8.3, most of your config should be easily entered into the ASA.

    I'd copy the config off the PIX as step 1, and when you get the ASA in, spend some time doing the base config. Get as much of the PIX config loaded on the ASA as you can and spend some time testing it before you put it online. If you have an available switch (or even some empty ports you can assign to a temp VLAN) you should be able to do a fairly realistic function test. Just hook up the ASA outside interface to the switch and hook up a computer to the same switch. Create a static route on the computer pointing to the address you want to test and give it a go.

    Hope that helps!
    Currently Working On: Openstack
    2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
  • higherho Member Posts: 882
    apr911 wrote: »
    It's going to depend largely on your code base. 8.3 code for the ASA changes a lot of things that won't translate directly from the PIX. If the code is pre-8.3, most of your config should be easily entered into the ASA.

    I'd copy the config off the PIX as step 1, and when you get the ASA in, spend some time doing the base config. Get as much of the PIX config loaded on the ASA as you can and spend some time testing it before you put it online. If you have an available switch (or even some empty ports you can assign to a temp VLAN) you should be able to do a fairly realistic function test. Just hook up the ASA outside interface to the switch and hook up a computer to the same switch. Create a static route on the computer pointing to the address you want to test and give it a go.

    Hope that helps!

    Thanks! Our PIX version is 8.0(4). Sadly I do not have any spare switches, but by the time the device comes I should have a few ports available. I was planning on creating a backup of the PIX config, doing the whole conversion tool option, and then uploading it to the ASA to see what all is configured there. Will be much easier in ASDM for sure!

    I will use my PC for the function test and have them both in the same VLAN. I appreciate your help! The upcoming months will be fun :)
  • dtlokee Member Posts: 2,378
    PIX to ASA conversion tool is really for 6.x to 7.x upgrades where the command set was drastically changed. You don't need it for what you are doing.

    Downgrade the code on the new ASA to one that reasonably matches what's on your PIX (8.0.4 is available on the ASA, so that will work). Take the existing configuration from the current PIX, change the interface identifiers on it to match the new hardware, and load it in. This will not work for any private key pairs you generated, or any signed certificates that you have based on those key pairs. If the key pair was marked as exportable when you generated it, then you can export it (SFTP or something like that) and then import it back into the new ASA. If it was not marked as exportable, you will need to make a new pair and then get a new cert issued based on the new private key.

    Once it's up and working then you can upgrade to 8.2(something) and then on to 8.4 if you like, I would avoid 8.3 if you can help it.
    The only easy day was yesterday!
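The procedure in the post above (rewrite the interface identifiers, load the config, and deal with key pairs and certificates separately) as an added example, not code from the thread or from Cisco: a small Python script that takes a PIX 8.0(4)-style running-config, renames the Ethernet interfaces to the ASA 5510's port names according to a mapping, removes the crypto key, trustpoint, certificate-chain and ssl trust-point sections that cannot simply be pasted across, and reports them so they can be exported (if the key pair is exportable) or regenerated and re-enrolled by hand. The interface mapping, hostname, addresses, trustpoint name and the whole sample config are constructed for illustration and are not from the original posts.

```python
"""Prepare a PIX 8.0(4) running-config for loading on an ASA 5510.

Added example (not from the thread or from Cisco). Rewrites interface
identifiers, drops the key/certificate sections that will not carry over,
and reports them so they can be exported or re-enrolled by hand. The
interface mapping and the sample config below are constructed.
"""
import re

# Constructed PIX 515E -> ASA 5510 port mapping; check it against
# `show interface` on the real ASA. Ethernet2 is deliberately left out
# to show how an unmapped interface is reported instead of silently kept.
IFACE_MAP = {"Ethernet0": "Ethernet0/0", "Ethernet1": "Ethernet0/1"}

# Top-level commands whose blocks depend on the old box's private keys.
CRYPTO_PREFIXES = ("crypto key", "crypto ca trustpoint",
                   "crypto ca certificate chain", "ssl trust-point")

# Matches EthernetN and EthernetN.vlan, but not an already-ASA-style
# EthernetN/M (the lookahead refuses a following slash).
_IFACE_RE = re.compile(r"\b(Ethernet\d+)(\.\d+)?(?!/)\b")

# Constructed sample PIX config (documentation addresses, fake trustpoint).
SAMPLE_PIX_CONFIG = """\
: Saved
PIX Version 8.0(4)
hostname pixfw
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
!
access-list outside_in extended permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside
crypto ca trustpoint fw-tp
 enrollment terminal
 subject-name CN=pixfw.example.test
 keypair pixfw-key
 crl configure
crypto ca certificate chain fw-tp
 certificate ca 01
    308201a2 30820148 a0030201 02020101 300d0609 2a864886 f70d0101
  quit
ssl trust-point fw-tp outside
: end
"""


def convert(config_text, iface_map=IFACE_MAP):
    """Return (asa_config, crypto_blocks, unmapped_interfaces)."""
    out, crypto_blocks, unmapped = [], [], set()
    block = None  # lines of the crypto block currently being collected

    def rename(m):
        base, sub = m.group(1), m.group(2) or ""
        if base not in iface_map:
            unmapped.add(base)      # left verbatim so the reviewer sees it
            return m.group(0)
        return iface_map[base] + sub

    for line in config_text.splitlines():
        if block is not None:
            # Sub-commands and certificate hex lines are indented; the block
            # ends at the next top-level command, '!' or ': end'.
            if line.startswith(" "):
                block.append(line)
                continue
            crypto_blocks.append("\n".join(block))
            block = None
        if line.startswith(CRYPTO_PREFIXES):
            block = [line]
            continue
        if line.startswith("PIX Version"):
            line = "ASA Version" + line[len("PIX Version"):]
        out.append(_IFACE_RE.sub(rename, line))
    if block is not None:
        crypto_blocks.append("\n".join(block))
    return "\n".join(out) + "\n", crypto_blocks, sorted(unmapped)


if __name__ == "__main__":
    asa, blocks, unmapped = convert(SAMPLE_PIX_CONFIG)
    print(asa)
    print("# unmapped interfaces (fix by hand):", ", ".join(unmapped) or "none")
    print("# crypto sections not migrated; export the key pair if it is")
    print("# exportable, otherwise generate a new pair and re-enroll:")
    for b in blocks:
        print("#   " + b.splitlines()[0])
```

Run it against `show running-config` output saved from the PIX, review the unmapped-interface and crypto reports before pasting the result into the ASA, and remember that nameif names (outside, inside) are unaffected, so access-groups and NAT statements that reference them load unchanged on 8.0(4) code.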
  • higherho Member Posts: 882
    dtlokee wrote: »
    PIX to ASA conversion tool is really for 6.x to 7.x upgrades where the command set was drastically changed. You don't need it for what you are doing.

    Downgrade the code on the new ASA to one that reasonably matches what's on your PIX (8.0.4 is available on the ASA, so that will work). Take the existing configuration from the current PIX,

    Oh, that makes sense. I will try that first (I just have to get 8.0.4 for the ASA first; come to think of it, we should have it, considering we have another ASA 5510 acting as our VPN appliance).

    change the interface identifiers on it to match the new hardware, and load it in. This will not work for any private key pairs you generated, or any signed certificates that you have based on those key pairs. If the key pair was marked as exportable when you generated it, then you can export it (SFTP or something like that) and then import it back into the new ASA. If it was not marked as exportable, you will need to make a new pair and then get a new cert issued based on the new private key.

    I checked the PIX and I did not see any certs through ASDM at all. On the VPN appliance, though, I see certs. I guess I will just do a show config on the PIX again just to make sure.

    Once it's up and working then you can upgrade to 8.2(something) and then on to 8.4 if you like, I would avoid 8.3 if you can help it.

    I will avoid 8.3! Thanks for the help!