  • Status: Solved
  • Priority: Medium
  • Security: Public

Migrate Cisco ASA 5510 and 5515 K9?

Hello experts,

We currently have a Cisco ASA 5510 and just purchased a 5515 K9.  Is there an easy way to import our configuration from the first to the new one, and also are these two able to be clustered?

Thank you,

Karen
0
klsphotos
3 Solutions
 
Jan SpringerCommented:
The difference varies between releases.

What version (show version) are you running on each?
0
 
SIM50Commented:
If version is 8.4+, you can copy and paste the config into the new device.
For failover cluster, devices need to be the same.
0
 
Cheever000Commented:
As SIM said, if the version is 8.4+ you can copy and paste; just change the names of the interfaces to match the Gig on the 15. You could do a find and replace.
0
 
klsphotosAuthor Commented:
Thank you everyone.  I honestly think it's version 7 something, I would have to look. Does that mean we have to upgrade it before copying the config over?  I honestly do not want to re-configure everything we have in the first one by hand... that would be a nightmare.

Guess I can't back it up and import it in?

Karen
0
 
Jan SpringerCommented:
No, and you don't want to.  Better to copy and modify the configuration for the new release.
0
 
Cheever000Commented:
If you are running 7, there are massive changes between that and the 9 code that the 5515 is running.  Best bet here is to rebuild the configuration clean and new.
0
 
SIM50Commented:
Guess I can't back it up and import it in?

You can't import a config from one ASA to another ASA.

Technically, you can try to upgrade and let the ASA do the conversion. If you are running 7.0 code then most likely your ASA has 256MB of RAM and you need 1GB for 8.3.

EDIT: You would have to follow the upgrade path, you wouldn't be able to go straight to 9.x version from 7.x.
0
 
Pete LongConsultantCommented:
If you are on version 7 I'd rebuild it fresh. As pointed out above, even post 8.3 you would need to change the physical interface names, as the new firewall will have gigabit ports.

If you use certificates you will also need to export the cert and import it onto the new firewall, though if you have a decent cert vendor they will reissue a set to save you the bother!

TO EXPORT
ASDM
Configuration > Device Management > Certificate Management > Identity Certificates > Select the certificate > Export > Choose a location and a 'pass-phrase'.
CLI
crypto ca export {trust-point-name} pkcs12 {password}

TO IMPORT
ASDM
Configuration > Device Management > Certificate Management > Identity Certificates > Add > Use the same Trustpoint name as the source firewall > Browse the file you exported earlier > Enter the passphrase > Add Certificate.
CLI
crypto ca import {trust-point-name} pkcs12 {password}


If you build it beside the ASA5510 then you can test by simply swapping the cables over. If you do this, make sure you know how to flush the ARP/MAC cache on the directly connected routers/switches.

You could of course update the ASA5510 to version 8.3 (there are memory limitations to doing this), but you only really want to update the config, so it will just honk and error when it reboots - the config will get updated. This is a little riskier, but if you have a weekend's worth of downtime you could always downgrade and restore the config again if it explodes! If you go down that route, issue a "no nat-control" command first and make sure you know what all your NAT rules are doing (I had one update my NAT rules backwards once?)

P
0
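The interface find-and-replace and the NAT check mentioned in the answers above, as an added example (not code from any poster in this thread): it renames `Ethernet0/N` ports to `GigabitEthernet0/N` and lists pre-8.3 NAT commands that need manual conversion. The port naming on the two models, the sample config and the `port_config` helper are assumptions made for illustration.

```python
import re

# Assumption: 5510 data ports are named Ethernet0/N, 5515 ports GigabitEthernet0/N.
# The lookbehind stops "GigabitEthernet0/0" from being rewritten a second time;
# Management0/0 is untouched because it never matches.
IFACE = re.compile(r"(?<![A-Za-z])Ethernet(\d+/\d+(?:\.\d+)?)\b")

# Pre-8.3 NAT syntax. Legacy "nat" names one interface; 8.3+ "nat" names a pair
# "(real,mapped)", so the comma is excluded to avoid flagging converted rules.
LEGACY = re.compile(r"^\s*(nat-control|static \(|global \(|nat \([^,)]+\) \d+ )")

def port_config(text):
    """Return (rewritten_config, [(line_no, line)] that need manual review)."""
    out, review = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if LEGACY.match(line):
            review.append((no, line.strip()))
        out.append(IFACE.sub(r"GigabitEthernet\1", line))
    return "\n".join(out), review

# Constructed sample in 8.2 style, not taken from any real device.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
interface Ethernet0/1.10
 vlan 10
 nameif inside
interface Management0/0
 management-only
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
failover lan interface folink Ethernet0/3
"""

if __name__ == "__main__":
    new_cfg, review = port_config(SAMPLE)
    print(new_cfg)
    print("\nReview before pasting into 8.3+ code:")
    for no, line in review:
        print(f"  line {no}: {line}")
```

Review the flagged lines by hand rather than pasting them: they are the statements the 8.3 NAT redesign changed.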
 
klsphotosAuthor Commented:
Thank you everyone.  I have confirmed it is version 7 we are running now.  I have never done this before so it looks like I do not have any choice but to set it up from scratch with the same config?  The new one is so much bigger than our old one.  

I'm overjoyed
1
 
klsphotosAuthor Commented:
Hi everyone, not sure if I should open up a new ticket, but I just found out the ASA version of the new device is 9.2 and our current version is 8.2. Should I still do it manually, or could I copy the config?

Thank you
0
 
SIM50Commented:
Manually. The big changes come in 8.3.
0
 
SIM50Commented:
Alternatively, you can downgrade the new ASA to 8.2, copy and paste config then upgrade to 8.3. Verify and clean up config if necessary and then continue upgrading to 9.6.
0
