Solved

Migrate Cisco ASA 5510 and 5515 K9?

Posted on 2016-11-04
Last Modified: 2016-11-10
Hello experts,

We currently have a Cisco ASA 5510 and just purchased a 5515 K9. Is there an easy way to import our configuration from the first to the new one, and are these two able to be clustered?

Thank you,

Karen
0
Question by:klsphotos
12 Comments
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 125 total points
ID: 41874617
The difference varies between releases.

What version (show version) are you running on each?
0
 
LVL 13

Accepted Solution

by:SIM50
SIM50 earned 250 total points
ID: 41874728
If version is 8.4+, you can copy and paste the config into the new device.
For failover cluster, devices need to be the same.
0
 
LVL 9

Assisted Solution

by:Cheever000
Cheever000 earned 125 total points
ID: 41874746
As SIM said, if the version is 8.4+ you can copy paste, just change the name of the interfaces to match the Gig on the 15. You could do a find replace.
0
 

Author Comment

by:klsphotos
ID: 41874758
Thank you everyone. I honestly think it's version 7 something, I would have to look. Does that mean we have to upgrade it before copying the config over? I honestly do not want to re-configure everything we have in the first one by hand... that would be a nightmare.

Guess I can't back it up and import it in?

Karen
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 41874764
No, and you don't want to.  Better to copy and modify the configuration for the new release.
0
 
LVL 9

Expert Comment

by:Cheever000
ID: 41874767
If you are running 7, there are massive changes between that and the 9 code that the 5515 is running.  Best bet here is to rebuild the configuration clean and new.
0
 
LVL 13

Expert Comment

by:SIM50
ID: 41874775
"Guess I can't back it up and import it in?"

You can't import a config from one ASA to another ASA.

Technically, you can try to upgrade and let ASA do the conversion. If you are running 7.0 code then most likely your ASA has 256MB of RAM and you need 1GB for 8.3.

EDIT: You would have to follow the upgrade path, you wouldn't be able to go straight to 9.x version from 7.x.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 41875358
If you are on version 7 I'd rebuild it fresh; as pointed out above, even post 8.3 you would need to change the physical interface names as the new firewall will have gigabit ports.

If you use certificates you will also need to export the cert and import it onto the new firewall, though if you have a decent cert vendor they will reissue a set to save you the bother!

TO EXPORT
ASDM
Configuration > Device Management > Certificate Management > Identity Certificates > Select the certificate > Export > Choose a location and a 'pass-phrase'.
CLI
crypto ca export {trust-point-name} pkcs12 {password}

TO IMPORT
ASDM

Configuration > Device Management > Certificate Management > Identity Certificates > Add > Use the same Trustpoint name as the source firewall > Browse the file you exported earlier > Enter the passphrase > Add Certificate.
CLI
crypto ca import {trust-point-name} pkcs12 {password}


If you build it beside the ASA5510 then you can test by simply swapping the cables over. If you do this, then make sure you know how to flush the ARP/MAC cache on the routers/switches directly connected.

You could of course update the ASA5510 to version 8.3 (there are memory limitations to doing this), but you only really want to update the config, so it will just honk and error when it reboots - the config will get updated. This is a little riskier, but if you have a weekend's worth of downtime you could always downgrade and restore the config again if it explodes! If you go down that route, issue a "no nat-control" command first and make sure you know what all your NAT rules are doing - (I had one update my nat rules backwards once?)

P
0
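An added example, not written by any poster in this thread: the find-and-replace on interface names suggested above, combined with a listing of pre-8.3 NAT statements so each one can be reviewed by hand before the configuration reaches the new firewall. The sample configuration is constructed, and the function name `migrate` and the set of legacy NAT patterns are assumptions.

```python
import re

# Constructed sample of a pre-8.3 ASA 5510 configuration (not from the thread).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
interface Management0/0
 nameif management
!
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
failover lan interface folink Ethernet0/3
"""

# The lookbehind leaves Management0/0 and existing GigabitEthernet0/x untouched.
IFACE_RE = re.compile(r"(?<![A-Za-z])Ethernet(\d+/\d+)")
# Assumption: these pre-8.3 NAT forms are the ones to review by hand.
# "nat (inside,outside) ..." (8.3+ syntax) is deliberately not matched.
LEGACY_NAT_RE = re.compile(r"^(nat-control|global \(|static \(|nat \([^,)]+\) \d)")


def migrate(config):
    """Return (renamed_config, legacy_nat); legacy_nat is a list of (line_no, line)."""
    out, legacy = [], []
    for no, line in enumerate(config.splitlines(), start=1):
        if LEGACY_NAT_RE.match(line):
            legacy.append((no, line))
        out.append(IFACE_RE.sub(r"GigabitEthernet\1", line))
    return "\n".join(out) + "\n", legacy


if __name__ == "__main__":
    new_config, review = migrate(SAMPLE_CONFIG)
    print(new_config)
    for no, line in review:
        print(f"REVIEW line {no}: {line}")
```

Running the renamed output through `migrate` a second time changes nothing, so the rename is safe to repeat on a partly edited file.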
 

Author Comment

by:klsphotos
ID: 41877598
Thank you everyone.  I have confirmed it is version 7 we are running now.  I have never done this before so it looks like I do not have any choice but to set it up from scratch with the same config?  The new one is so much bigger than our old one.  

I'm overjoyed
1
 

Author Comment

by:klsphotos
ID: 41882799
Hi everyone, not sure if I should open up a new ticket but I just found out the ASA version of the new device is 9.2 and our current version is 8.2. Should I still do it manually or could I copy the config?

Thank you
0
 
LVL 13

Expert Comment

by:SIM50
ID: 41882805
Manually. The big changes come in 8.3.
0
 
LVL 13

Expert Comment

by:SIM50
ID: 41882809
Alternatively, you can downgrade the new ASA to 8.2, copy and paste config then upgrade to 8.3. Verify and clean up config if necessary and then continue upgrading to 9.6.
0
