
Network World

Jamey Heary

PIX to ASA Configuration Migration Tool, time is running short

By jheary on Thu, 01/22/09 - 4:34pm.

Ever since Cisco announced the EoS/EoL of the PIX, customers have been migrating to the ASA platform. The configuration migration is very straightforward, but to make it even easier Cisco developed a free Migration Tool. I’ll take you through how this very simple tool works.

To back up a second: next summer, specifically July 28th, is the date that Cisco’s PIXen go “End of Routine Failure Analysis Support”. This means it is the last possible date a routine failure analysis may be performed to determine the cause of product failure or defect. It is also the date that the PIX software goes “End of SW Maintenance Releases”. This means it is the last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software.

In a nutshell, July 28th, 2009 is the end of the road for the PIX product line for all practical purposes. That is why I am seeing the last holdouts start to convert their PIX boxes over to ASA. Nobody wants to run a FW in production that lacks bug fixes and PSIRT vulnerability fixes.

So, first things first: if you have a PIX running 7.X or higher, then you are in great shape. The configuration migration basically consists of matching up your old PIX interfaces with the new interfaces of the ASA. If your old PIX has more interfaces than your new ASA, then you will have to create a dot1q trunk and interface VLANs on the new ASA to accommodate them. However, if your PIX is running something older than 7.X, then the migration gets a bit trickier. Here you have two options: upgrade your current PIX to a 7.X code train and then run the migration tool, or use the PIX-to-ASA Migration Tool to start with. One caveat with the upgrade-first approach is that if you are still using conduits and outbound statements in your config, then you have to use the migration tool. You can’t upgrade to 7.X with these statements in place. Bottom line: regardless of the method you pick, I’d recommend you use the migration tool to help you get there. It eliminates a lot of the user error that typically comes with manual configuration migration.
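The decision described above can be checked against a saved PIX configuration before the migration starts. The following is an added example, not part of the original article and not Cisco's migration tool; the sample configuration is constructed, and `assess_pix_config` and its `asa_physical_ports` parameter are hypothetical names.

```python
import re

# Constructed sample of a pre-7.X PIX configuration (not from a real device).
SAMPLE_PIX_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
conduit permit tcp host 192.0.2.10 eq www any
outbound 1 deny 0.0.0.0 0.0.0.0 23 tcp
"""

def assess_pix_config(config_text, asa_physical_ports):
    """Collect the facts the migration decision depends on.

    asa_physical_ports is an assumption supplied by the caller: the number
    of physical interfaces available on the target ASA.
    """
    m = re.search(r"^PIX Version (\d+)\.", config_text, re.M)
    major = int(m.group(1)) if m else None
    # Pre-7.X: top-level "nameif <hardware> <name> security<N>".
    names = re.findall(r"^nameif[ \t]+\S+[ \t]+(\S+)[ \t]+security\d+", config_text, re.M)
    # 7.X: "nameif <name>" indented under an "interface" block.
    names += re.findall(r"^[ \t]+nameif[ \t]+(\S+)[ \t]*$", config_text, re.M)
    # Statements that block an in-place upgrade to 7.X.
    legacy = re.findall(r"^(?:conduit|outbound)[ \t].*$", config_text, re.M)

    if major is None:
        path = "unknown-version"
    elif major >= 7:
        path = "match-interfaces"
    elif legacy:
        path = "migration-tool-required"
    else:
        path = "upgrade-to-7x-or-migration-tool"
    return {
        "major_version": major,
        "interfaces": names,
        "legacy_statements": legacy,
        "path": path,
        # More named interfaces than ASA ports means a dot1q trunk with VLAN interfaces.
        "needs_dot1q_trunk": len(names) > asa_physical_ports,
    }

if __name__ == "__main__":
    for key, value in assess_pix_config(SAMPLE_PIX_CONFIG, asa_physical_ports=2).items():
        print(f"{key}: {value}")
```

The `legacy_statements` list is also a useful review list after conversion, since each of those lines has to reappear as an equivalent rule in the ASA configuration.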

Now on to how the PIX-to-ASA Migration Tool works. First of all, the tool works on Windows, MAC, and Linux hosts (I almost fell out of my chair when I saw the MAC version). The screenshots are from the MAC version.

Great Article

0

Jamey,

This is a fantastic article, and very helpful for people making the transition. Keep up the good work.

Steve

RE: great article

0

Thanks Steve, glad you liked it!

Minor nit...

0

Nice article - Cisco should have done more to publicize this useful tool. However, it tends to irritate Apple users when their platform of choice is referred to as a "MAC". The appropriate word is "Mac". This bothers networking professionals even more, since MAC = Media Access Control (e.g. Ethernet MAC addresses).

I liked this article. I

0

I liked this article. I would like to know one thing. Does any tool exist to migrate from a Cisco PIX firewall to another platform, like the Juniper SSG 140?

Thanks Jamey.

Julen

About Cisco Security Expert

Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.
