[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 638
  • Last Modified:

Cisco PIX 515 to Cisco ASA 5520 Conversion


I need to migrate an old PIX-515E to a new Cisco ASA5520 (ver 8.3.1) and after trying i found that the Cisco PIX to ASA migration tool (ver 1) does not successfully complete the process due to 8.3.1 having different code.

The question i have is if anyone knows of another tool or upgraded migration tool that can do this conversion.

Alternatively does anyone know someone where i could send the current config to for conversion for some $$$ ?

1 Solution
Istvan KalmarCommented:

I advise to downgrade the asa to 8.2 code, put the commands, and after upgrade the ASA to 8.3!

Best regards,
Garry GlendownConsulting and Network/Security SpecialistCommented:
If you are managing the ASA yourself, this might be a good time and chance to take a good look at the config, learn and understand what the old config does and how to implement it using ASA features and commands ... also, usually doing such a migration step by step instead of through a tool almost always results in getting rid of some unused or unnecessary entries in the config ;) Yes, using tools will most likely save you time, but in the long run, a good understanding of what is going on on your firewall is worth more ...
tmaster100Author Commented:
Thanks, i dropped it down to 8.2(2) to which lessend the errors however i have some that have popped up still.

pdm group PCAnywhere clients outside  (it puts a ^ under pdm)

crypto map WANMAP 20 ipsec-isakmp (it shows incomplete command)

vpngroup vpngroup address-pool vpnpool (it puts a ^ under the first vpngroup)

So a few problems, or incorrect or incomplete commands.

Can anyone advise?
Ernie BeekCommented:
Let's see.

pdm group PCAnywhere clients outside
As per Cisco:
PDM adds pdm group commands to the running configuration and uses them for internal purposes. This command is included in the documentation for informational purposes only.
So this one can be deleted.

crypto map WANMAP 20 ipsec-isakmp
Should be:
crypto map WANMAP 20 ipsec-isakmp dynamic <dynamic map name>

vpngroup vpngroup address-pool vpnpool
This should have been converted to a corresponding tunnel-group command. You might want to check if it did. If so, you can remove this line.
Istvan KalmarCommented:

pdm converted to asdm, so you need to confgure asdm:


and here is the document howto configure cryípto:


Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now