Cisco PIX 515 to Cisco ASA 5520 Conversion

Posted on 2011-10-25
Last Modified: 2012-05-12

I need to migrate an old PIX-515E to a new Cisco ASA5520 (ver 8.3.1), and after trying I found that the Cisco PIX to ASA migration tool (ver 1) does not successfully complete the process due to 8.3.1 having different code.

The question I have is if anyone knows of another tool or upgraded migration tool that can do this conversion.

Alternatively, does anyone know someone I could send the current config to for conversion for some $$$?

Question by:tmaster100
    LVL 34

    Expert Comment

    by:Istvan Kalmar

    I advise downgrading the ASA to 8.2 code, putting in the commands, and afterwards upgrading the ASA to 8.3!

    Best regards,
    LVL 17

    Expert Comment

    If you are managing the ASA yourself, this might be a good time and chance to take a good look at the config, learn and understand what the old config does and how to implement it using ASA features and commands ... also, usually doing such a migration step by step instead of through a tool almost always results in getting rid of some unused or unnecessary entries in the config ;) Yes, using tools will most likely save you time, but in the long run, a good understanding of what is going on on your firewall is worth more ...
    LVL 1

    Author Comment

    Thanks, I dropped it down to 8.2(2), which lessened the errors; however, I still have some that have popped up.

    pdm group PCAnywhere clients outside  (it puts a ^ under pdm)

    crypto map WANMAP 20 ipsec-isakmp (it shows incomplete command)

    vpngroup vpngroup address-pool vpnpool (it puts a ^ under the first vpngroup)

    So a few problems, or incorrect or incomplete commands.

    Can anyone advise?
    LVL 35

    Expert Comment

    by:Ernie Beek
    Let's see.

    pdm group PCAnywhere clients outside
    As per Cisco:
    PDM adds pdm group commands to the running configuration and uses them for internal purposes. This command is included in the documentation for informational purposes only.
    So this one can be deleted.

    crypto map WANMAP 20 ipsec-isakmp
    Should be:
    crypto map WANMAP 20 ipsec-isakmp dynamic <dynamic map name>

    vpngroup vpngroup address-pool vpnpool
    This should have been converted to a corresponding tunnel-group command. You might want to check if it did. If so, you can remove this line.
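
The three checks from the answer above, written as a pre-flight script; this is an added example, not part of the original thread. The function name, the sample configs and the `sales` and `DYNMAP` names are constructed for illustration, and the advice strings only repeat what the answer states.

```python
import re

# Patterns for the three PIX commands the thread reports as rejected by the ASA.
PDM_GROUP = re.compile(r"^pdm\s+group\b")
CRYPTO_BARE = re.compile(r"^crypto\s+map\s+(\S+)\s+(\d+)\s+ipsec-isakmp$")
VPNGROUP = re.compile(r"^vpngroup\s+(\S+)\s")
TUNNEL_GROUP = re.compile(r"^tunnel-group\s+(\S+)")


def review_pix_config(pix_config, asa_config=""):
    """Return (line_no, kind, advice) for each PIX line needing manual attention."""
    # Group names that already have a tunnel-group in the converted ASA config.
    converted = {m.group(1) for line in asa_config.splitlines()
                 if (m := TUNNEL_GROUP.match(line.strip()))}
    findings = []
    for no, raw in enumerate(pix_config.splitlines(), 1):
        line = raw.strip()
        if PDM_GROUP.match(line):
            findings.append((no, "pdm-group", "PDM-internal line; delete it"))
        elif m := CRYPTO_BARE.match(line):
            findings.append((no, "crypto-map-incomplete",
                             f"thread's fix: crypto map {m.group(1)} {m.group(2)} "
                             "ipsec-isakmp dynamic <dynamic map name>"))
        elif m := VPNGROUP.match(line):
            name = m.group(1)
            if name in converted:
                findings.append((no, "vpngroup-converted",
                                 f"tunnel-group {name} exists; remove this line"))
            else:
                findings.append((no, "vpngroup-missing",
                                 f"no tunnel-group {name} found; convert by hand"))
    return findings


# Constructed sample input: the three lines quoted in the thread plus hypothetical neighbours.
SAMPLE_PIX = """\
hostname pixfw
pdm group PCAnywhere clients outside
crypto map WANMAP 20 ipsec-isakmp
crypto map WANMAP 30 ipsec-isakmp dynamic DYNMAP
vpngroup vpngroup address-pool vpnpool
vpngroup sales address-pool vpnpool
"""
SAMPLE_ASA = "tunnel-group vpngroup type remote-access\n"

if __name__ == "__main__":
    for no, kind, advice in review_pix_config(SAMPLE_PIX, SAMPLE_ASA):
        print(f"line {no}: {kind}: {advice}")
```

Run it against the saved PIX config and the config the ASA accepted after conversion, so every `vpngroup` name is checked for a matching `tunnel-group` before the old lines are dropped.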