Cisco PIX 520 to ASA 5510 Migration

ThePhreakshow
I am upgrading an old PIX 520 to a newer ASA 5510 Security Plus.

What is the best way to do this? I suspect that the bulk of the current configuration will be compatible with the new box, and should I just cut and paste that config into the new ASA?

The 520 has a VPN setup in it, and there is quite a bit associated with that. Would I be better NOT to directly transfer the VPN config and either use the wizard or set it up from scratch on the new ASA?
Copying the running config from PIX to ASA won't be a good idea. I suggest you analyze the whole config of the PIX and apply the configuration on the ASA, as the command line is different for PIX and ASA.
Kindly go through the link below. It will help you, as Cisco has a migration tool for PIX to ASA migration:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808554ed.shtml

I hope that this will help you.
Yes, the Cisco PIX migration tool is really a life saver. I have found that it works best when the ASA and PIX are running the same software level, such as 8.04 etc.; it really copies much better that way and you can be sure your commands will be translated correctly.
If you're new to ASA I would definitely build it from scratch. The knowledge gained on the new system is much more useful than the quick fix.

Also, as stated, if your versions don't match it doesn't work quite so well. If it doesn't work, actually diagnosing the problem can be a nightmare.

Building from scratch is also not that long-winded. A VPN will take about 5 minutes using the GUI. It took me 3 days to build ours from scratch, and we have 100 remote VPNs, multiple networks and all kinds of messing about, with failover. With the knowledge you could probably do a simple setup in a few hours.

Our remote ASA 5510s, for example, I set up in about 30 minutes, but they are a single VPN with a few access rules on a single network.

Author

Commented:
The PIX is running v6.3(3) and the ASA is running v8.2(2).

I have never worked with either of these two Cisco products, but I have looked at the running config on the PIX and it does not seem too complex and I have posted it below for your comments and suggestions.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2010.10.18 14:05:13 =~=~=~=~=~=~=~=~=~=~=~=
show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 vacant security75
nameif ethernet3 dmz security25
clock timezone EST -5
clock summer-time EDT recurring

*** ARE THESE NECESSARY? ***

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

*** WILL TRANSFER ACL's AS THEY ARE ***

access-list outbound permit ip any any
access-list no-nat permit ip 192.168.0.0 255.255.240.0 192.168.4.24 255.255.255.248
access-list no-nat permit ip any 192.168.4.24 255.255.255.248
access-list ford-adp-in permit ip 192.168.10.0 255.255.255.0 any
access-list to-dmz permit udp any host 229.59.100.179 eq domain
access-list to-dmz permit udp any host 229.59.100.189 eq domain
access-list to-dmz permit udp any host 229.59.100.190 eq domain
access-list to-dmz permit udp any host 229.59.100.179 eq dnsix
access-list to-dmz permit udp any host 229.59.100.189 eq dnsix
access-list to-dmz permit udp any host 229.59.100.190 eq dnsix
access-list to-dmz permit tcp any host 229.59.100.179 eq www
access-list to-dmz permit tcp any host 229.59.100.180 eq www
access-list to-dmz permit tcp any host 229.59.100.189 eq www
access-list to-dmz permit tcp any host 229.59.100.190 eq www
access-list to-dmz permit tcp any host 229.59.100.179 eq ftp
access-list to-dmz permit tcp any host 229.59.100.180 eq smtp
access-list to-dmz permit tcp any host 229.59.100.180 eq pop3
access-list to-dmz permit tcp any host 229.59.100.180 eq imap4
access-list to-dmz permit udp any host 229.59.100.180 eq 143
access-list to-dmz permit ip any host 229.59.100.186
access-list to-dmz permit ip any host 229.59.100.187
access-list to-dmz permit tcp any host 229.59.100.180 eq 465
access-list to-dmz permit tcp any host 229.59.100.180 eq https
access-list to-dmz permit udp any host 229.59.100.180 eq 443
access-list to-dmz permit icmp any any
access-list dmz-in permit udp any host 10.1.1.181 eq domain
access-list dmz-in permit ip 10.1.1.0 255.255.255.0 any
access-list dmz-in permit tcp any host 10.1.1.181 eq domain
access-list dmz-in permit icmp any any
access-list inside deny udp any any eq 135
access-list inside permit udp any any eq tftp
access-list inside deny udp any any eq netbios-ns
access-list inside deny udp any any eq netbios-dgm
access-list inside deny udp any any eq 139
access-list inside deny tcp any any eq 135
access-list inside deny tcp any any eq 137
access-list inside deny tcp any any eq 138
access-list inside deny tcp any any eq netbios-ssn
access-list inside deny tcp any any eq 445
access-list inside deny tcp any any eq 593
access-list inside deny tcp any any eq 4444
access-list inside permit ip any any

*** NECESSARY? ***

no pager
logging on
logging timestamp
logging trap informational
logging history errors
logging host inside 192.168.1.3
icmp permit any outside
icmp permit any inside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
mtu vacant 1500
mtu dmz 1500

*** WILL TRANSFER THESE ***

ip address outside 229.59.100.178 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip address vacant 192.168.10.1 255.255.255.0
ip address dmz 10.1.1.177 255.255.255.240

ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface vacant
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.4.25-192.168.4.30

no failover
pdm logging critical 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (dmz) 10 interface
nat (inside) 0 access-list no-nat
nat (inside) 10 192.168.0.0 255.255.240.0 0 0
nat (vacant) 10 192.168.10.0 255.255.255.0 0 0

*** WILL TRANSFER THE STATIC AND OTHER ROUTES ***

static (dmz,outside) 229.59.100.190 10.1.1.190 netmask 255.255.255.255 1000 100
static (dmz,outside) 229.59.100.179 10.1.1.179 netmask 255.255.255.255 1000 100
static (dmz,outside) 229.59.100.180 10.1.1.180 netmask 255.255.255.255 1000 100
static (dmz,outside) 229.59.100.189 10.1.1.189 netmask 255.255.255.255 1000 100
static (dmz,outside) 229.59.100.186 10.1.1.186 netmask 255.255.255.255 1000 100
static (dmz,outside) 229.59.100.187 10.1.1.187 netmask 255.255.255.255 1000 100
static (dmz,outside) 229.59.100.185 10.1.1.185 netmask 255.255.255.255 50 50
static (dmz,outside) 229.59.100.184 10.1.1.184 netmask 255.255.255.255 50 50
static (inside,dmz) 10.1.1.181 192.168.1.2 netmask 255.255.255.255 0 0
access-group to-dmz in interface outside
access-group inside in interface inside
access-group vacant_in in interface vacant
access-group dmz-in in interface dmz
route outside 0.0.0.0 0.0.0.0 229.59.100.177 1
route inside 192.168.0.0 255.255.255.0 192.168.1.254 1
route inside 192.168.3.0 255.255.255.0 192.168.1.254 1
route inside 192.168.5.0 255.255.255.0 192.168.1.254 1
route inside 192.168.6.0 255.255.255.0 192.168.1.254 1
route inside 192.168.7.0 255.255.255.0 192.168.1.254 1
route inside 192.168.11.0 255.255.255.0 192.168.1.254 1
route inside 192.168.13.0 255.255.255.0 192.168.1.254 1
route inside 192.168.15.0 255.255.255.0 192.168.1.254 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

*** WILL TRANSFER WEBSENSE FILTER INFO ***

url-server (inside) vendor websense host 192.168.1.3 timeout 5 protocol TCP version 4
url-cache src_dst 128KB
filter url except 0.0.0.0 0.0.0.0 198.181.158.53 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 198.181.158.51 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 199.244.232.52 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 10.1.1.0 255.255.255.0
filter url except 10.1.1.0 255.255.255.0 0.0.0.0 0.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.2 /cisco
floodguard enable


*** IS ALL OF THIS VPN RELATED? IF SO, I WILL NOT TRANSFER BUT RATHER CONFIG FRESH WITH GUI ***

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server dialin protocol radius
aaa-server partnerauth protocol tacacs+
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto dynamic-map vpnmap 10 set transform-set vpnset
crypto dynamic-map vpnmap 30 set transform-set ESP-DES-MD5
crypto dynamic-map vpnmap 50 set transform-set ESP-DES-MD5
crypto map remotemap 10 ipsec-isakmp dynamic vpnmap
crypto map remotemap interface outside
isakmp enable outside
isakmp key ******** address 229.59.100.178 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 14400
isakmp policy 25 authentication pre-share
isakmp policy 25 encryption 3des
isakmp policy 25 hash md5
isakmp policy 25 group 2
isakmp policy 25 lifetime 14400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 1
isakmp policy 30 lifetime 14400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 14400
vpngroup unity address-pool vpnpool
vpngroup unity dns-server 229.59.100.189 229.59.100.190
vpngroup unity wins-server 192.168.1.2 192.168.0.2
vpngroup unity default-domain mycompany.com
vpngroup unity split-tunnel unity_splitTunnelAcl
vpngroup unity idle-time 1800
vpngroup unity password ********
vpdn group unity accept dialin pptp
vpdn group unity ppp authentication pap
vpdn group unity ppp authentication chap
vpdn group unity ppp authentication mschap
vpdn group unity client configuration address local vpnpool
vpdn group unity client configuration dns 192.168.1.2
vpdn group unity pptp echo 60
vpdn group unity client authentication local
vpdn username unity password *********
vpdn enable outside
vpdn enable inside
vpdn enable dmz
url-block url-mempool 3
url-block url-size 3
url-block block 2
terminal width 80

*** SPLIT TUNNEL FOR VPN CLIENTS, I ASSUME. NECESSARY? ***

access-list unity_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list unity_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list unity_splitTunnelAcl permit ip 192.168.3.0 255.255.255.0 any
access-list unity_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0 any
access-list unity_splitTunnelAcl permit ip 192.168.7.0 255.255.255.0 any
access-list unity_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any
access-list unity_splitTunnelAcl permit ip 10.1.1.0 255.255.255.0 any
You are pretty much right on the money; you won't need the split tunnels if you are going to configure the VPN through the wizard again. Just keep them as a reference. The logging section is important if you have a syslog server that will keep the settings for the new device. The interfaces are entirely different, so good call there. I don't think you need to worry about the fixup protocols. And to be sure, configure your interfaces first using the same nameif, including capitals or not, so you can copy the rest of the information in.
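As an added illustration of the interface step described above (this script is not from the thread or from Cisco's migration tool), the following Python converts the flat PIX 6.x `interface` / `nameif` / `ip address` / `mtu` lines into ASA 8.x interface blocks, keeping the nameif spelling and case exactly as on the PIX. The sample input is constructed from the posted config, and the PIX-slot to ASA-5510-port mapping in `SLOT_MAP` is an assumption you must check against your own cabling.

```python
# Constructed sample: the interface lines from the PIX 6.3(3) config posted above.
PIX_SAMPLE = """\
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 vacant security75
ip address outside 229.59.100.178 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip address vacant 192.168.10.1 255.255.255.0
mtu outside 1500
"""

# Assumed PIX-slot to ASA-5510-port mapping; check it against your cabling.
SLOT_MAP = {'ethernet%d' % i: 'Ethernet0/%d' % i for i in range(4)}

def parse_pix_interfaces(text):
    """Collect per-interface attributes from the flat PIX 6.x syntax."""
    hw, by_name = {}, {}  # 'ethernet0' -> attrs ; 'outside' -> 'ethernet0'
    for t in [line.split() for line in text.splitlines() if line.strip()]:
        if t[0] == 'interface':
            hw[t[1]] = {'shutdown': 'shutdown' in t[2:]}
        elif t[0] == 'nameif':
            hw[t[1]].update(nameif=t[2], level=int(t[3][len('security'):]))
            by_name[t[2]] = t[1]
        elif t[:2] == ['ip', 'address']:
            hw[by_name[t[2]]]['ip'] = (t[3], t[4])
        elif t[0] == 'mtu':
            hw[by_name[t[1]]]['mtu'] = int(t[2])
    return hw

def render_asa_interfaces(hw, slot_map=SLOT_MAP):
    """Emit ASA 8.x interface blocks; mtu stays a global command on the ASA."""
    out, mtus = [], []
    for pix_if, a in hw.items():
        out.append('interface %s' % slot_map[pix_if])
        out.append(' nameif %s' % a['nameif'])  # same spelling and case as on the PIX
        out.append(' security-level %d' % a['level'])
        if 'ip' in a:
            out.append(' ip address %s %s' % a['ip'])
        if a['shutdown']:
            out.append(' shutdown')
        out.append('!')
        if 'mtu' in a:
            mtus.append('mtu %s %d' % (a['nameif'], a['mtu']))
    return '\n'.join(out + mtus)
if __name__ == '__main__':
    print(render_asa_interfaces(parse_pix_interfaces(PIX_SAMPLE)))
```

Paste the generated blocks into the ASA before the access-group, nat and static lines so that every nameif they reference already exists.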

Author

Commented:
Everything went OK, with one exception...

None of the machines in the DMZ (10.1.1.x) can reach the outside world.

The configuration is just like what is posted above.
