jonluvvie
Replacing Fully Working ASA 5505's with ASA 5506 X's

I have been asked to configure two new ASA5506X for two sites to replace the two which currently are in place and working and are ASA5505’s.

The ASA 5506’s software version is 9.8(2) - The ASA 5505’s software version is 8.2(5)59

I am completely out of my depth configuring the ASA 5506X to the same configuration as the ASA 5505’s

One site is in London and the second site is 150 miles away and both sites are connected using a Site to Site VPN tunnel.  There is a third site which both ASA’s in the UK connect to via VPN in the USA which I have no control over although I did originally configure the ASA and send it out, but it has been replaced since.  So, there is a three-way VPN connection between all three sites.

I have managed to setup the internal IP addresses on the new ASA’s and can connect to them via ASDM and console.

I am looking for help in taking the configuration from the existing ASA 5505’s and making it work in the two new ASA 5506x’s

I am not Cisco trained and it must work first time when someone goes to site to replace the ASA’s and the VPN’s MUST work between all three sites, two in the UK and one in the USA.
Jeffrey B

First off, calm down - you got this buddy!

I am sure you are looking at everything and saying... WOW that is a lot to take in. But realistically it is not hard to understand. I would first suggest scrapping the ASDM to manage it. Using the Cisco CLI is sooooo much easier to understand. It gives you all the configurations on one big page (so to speak). Once you understand what the coding says it all falls into place.

Get Putty and SSL or Console into each one. Login and pull the configurations. Right off the bat you will notice you can copy and paste most of the information and it will take with no issue. The biggest thing you have to understand is the NAT and ACL statements are completely different in the coding between those two versions. 8.4 version is where the same NAT statements apply to the current config model.

Crash course for CLI commands:

enable - this allows you admin access to the firewall
config t - this allows you to edit the configuration
wr mem - saves the config after you have changed it
? - gives you all the commands
show run - gives you the current running configuration

Last, if you are not comfortable with CLI and insist on using the ASDM, I believe there is a tool that copies all the configs to another ASA within the ASDM, or you can call Cisco SmartNet if you have the contract to help.
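As an added illustration of the NAT/ACL syntax change Jeffrey describes (this is example code written for this page, not anything from the thread, from Cisco or from PeteNetLive), here is a small Python converter for the most common 8.2 forms: `static`, `nat`/`global` and an interface ACL that references the mapped address. The sample config is constructed with documentation addresses.

```python
import re

# Constructed 8.2-style sample (documentation addresses), not a config from this thread.
OLD_CONFIG = """\
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
"""
# 8.2 forms: static (real_if,mapped_if) MAPPED REAL netmask M; nat (real_if) ID NET MASK
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) (\S+)")

def convert_nat(old_config):
    """Rewrite 8.2 static/nat/global lines as 8.3+ object NAT.
    Returns (new_lines, {mapped_ip: real_ip}); the map is needed for the ACLs."""
    globals_by_id, dynamic, out, mapping = {}, [], [], {}
    for line in old_config.splitlines():
        if m := GLOBAL_RE.match(line):
            globals_by_id[m.group(2)] = (m.group(1), m.group(3))  # id -> (if, pool)
        elif m := NAT_RE.match(line):
            dynamic.append(m.groups())
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real, _ = m.groups()
            mapping[mapped] = real
            out += [f"object network obj-{real}", f" host {real}",
                    f" nat ({real_if},{mapped_if}) static {mapped}"]
    for real_if, nat_id, net, mask in dynamic:
        mapped_if, pool = globals_by_id[nat_id]  # 'interface' or a pool address
        out += [f"object network obj-{net}", f" subnet {net} {mask}",
                f" nat ({real_if},{mapped_if}) dynamic {pool}"]
    return out, mapping

def convert_acl(old_config, mapping):
    """From 8.3 on, interface ACLs match the REAL (untranslated) address."""
    out = []
    for line in old_config.splitlines():
        if line.startswith("access-list"):
            for mapped, real in mapping.items():
                line = line.replace(f"host {mapped}", f"host {real}")
            out.append(line)
    return out

def migrate(old_config):
    """Full rewrite: object NAT first, then the ACLs with real addresses."""
    nat_lines, mapping = convert_nat(old_config)
    return nat_lines + convert_acl(old_config, mapping)
```

The 8.2 `nat (inside) 0 access-list ...` exemption that site-to-site tunnels rely on is deliberately not handled here: in 8.3+ it becomes a manual (twice) NAT rule and is best rewritten by hand and checked with `packet-tracer` before cutover.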
Soulja
One of our fellow experts has a nice write-up concerning your plight.

https://www.petenetlive.com/KB/Article/0001091

That said, I don't believe this could be resolved in this question format. You may want to get some consulting from an expert.
jonluvvie

ASKER

Can the 5506 version 9.8 still accept Remote Access connections using the Cisco VPN Client (the free one that came with the 5505)? It's just that I don't see the option anymore in the VPN wizard for it to do that...
What type of VPN (SSL, L2L, etc?) connection are you using? If you run a "show ver" on each unit it will show you the available licensing you have for each ASA.

All ASAs have a minimum of 5 free L2L sessions and 2 SSL sessions.
Hello Jeffrey - It's the IPsec VPN Client provided by Cisco on a CD (no longer) - I know they are trying to push everyone over to AnyConnect but we can make the IPsec VPN Client work with Windows 10 even when it breaks it after a feature update, it's easy enough to fix.

This is the name of the installer - vpnclient-winx64-msi-5.0.07.0440-k9.exe

I just don't see the option anymore for IPsec VPN in the wizard on the new 5506 where you can choose site to site or remote access?

The 5506 has an ASA Security Plus License
So I use ShrewSoft VPN, it allows the use of the Cisco PCF file and settings. Plus you never have to worry about fixing the VPN client from updates (for now at least).

I would assume the option "Remote Access" is specifying an IPsec VPN or other VPN session as you go through the prompts. If you're using the ASDM, go through the settings and configure it. As long as you don't save the config, it won't update.

I haven't touched 9.8 CLI yet, closest I've been is 9.3. Though they might not support IPsec VPN in the ASDM and only allow it through the CLI. Cisco does do weird stuff like that occasionally.
Thanks for the mention (above)

Going from a 5505 to a 5506 is usually pretty painless. Your main problem is you're running 8.2, I'm assuming because you don't have the RAM to upgrade the OS?

If I were you I'd put the RAM in the 5505, upgrade it, then migrate the config; you will have a much easier time, and before you recoil, the memory for my 5505 (I still have at home) cost me 6 dollars from eBay. I think it's only crappy PC100 memory anyway!

Then upgrade 8.2 > 8.4 > 9.2, then your config is pretty easy to migrate, if you look at the link that was posted above.
Also I hate the BVI config on the 5506 so I turn that off, see Cisco ASA 5506-X: Bridged BVI Interface

P
Thanks Pete - That's a great suggestion and I would do that except that the 2 ASA 5505's are a couple of hundred miles away from me and I'm not sure anyone on site has the ability or inclination to add more RAM. They currently have 256 Mb.
Hello Pete - Thinking about what you said - I have a spare ASA 5505 here in my office which I could take down to version 8.2, I believe, and then import the config from each existing ASA 5505, then upgrade to 8.4 and then 9.2 and then restore the config to the ASA 5506.

Would that work OK?
Yes in fact I've done the same thing many times in the past :)  I keep a 5505/5510/5520 for this very reason!

Pete
Hello Pete - How does one restore the running config to the 5506.  File > Restore Configurations?
Depends on how/where you are restoring from :)

Backup and Restore a Cisco Firewall.


Pete
I am still waiting to install the new ASA's in their locations to see if Pete Long's suggestion worked. It should be this week or early next week some time.  I am hopeful!
Thanks for the update.
I have installed one of the ASA 5506's and it seems to be working OK - L2L VPN all came up to existing ASA's in two other locations. Another one to install later today.

I have an issue however connecting a Cisco VPN client to it. I can make the connection using a local user database quite quickly. My issue is in the VPN Monitoring screen it says Bytes Tx 0 Bytes Rx 0

Used the VPN Wizard to create the IKEv1 Remote Access VPN

Also in the Dynamic Crypto Map which was created it says "Warning: no traffic is selected"

I have to get this working today as after today I am on extended leave. It's a real headache!!!