
Network World

Jamey Heary

PIX to ASA Configuration Migration Tool, time is running short

By jheary on Thu, 01/22/09 - 4:34pm.

Ever since Cisco announced the EoS/EoL of the PIX, customers have been migrating to the ASA platform. The configuration migration is very straightforward, but to make it even easier Cisco developed a free Migration Tool. I’ll take you through how this very simple tool works.

To back up a second: next summer, specifically July 28th, is the date that Cisco’s PIXen go “End of Routine Failure Analysis Support”. This means it is the last possible date a routine failure analysis may be performed to determine the cause of product failure or defect. It is also the date that the PIX software goes “End of SW Maintenance Releases”. This means it is the last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software.

In a nutshell, July 28th, 2009 is the end of the road for the PIX product line for all practical purposes. That is why I am seeing the last holdouts start to convert their PIX boxes over to ASA. Nobody wants to run a FW in production that lacks bug fixes and PSIRT vulnerability fixes.

So, first things first: if you have a PIX running 7.X or higher, then you are in great shape. The configuration migration basically consists of matching up your old PIX interfaces with the new interfaces of the ASA. If your old PIX has more interfaces than your new ASA, then you will have to create a dot1q trunk and interface VLANs on the new ASA to accommodate them. However, if your PIX is running something older than 7.X, then the migration gets a bit trickier. Here you have two options: upgrade your current PIX to a 7.X code train and then run the migration tool, or use the PIX-to-ASA Migration Tool to start with. One caveat with the upgrade-first approach is that if you are still using conduits and outbound statements in your config, then you have to use the migration tool. You can’t upgrade to 7.X with these statements in place. Bottom line is that regardless of the method you pick, I’d recommend you use the migration tool to help you get there. It eliminates a lot of the user error that typically comes with manual configuration migration.
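Before picking a path, it helps to know which of the two conditions above apply to a given box. The following pre-migration check is an added example, not part of the Cisco Migration Tool or the original post. It assumes a PIX 6.x-style config (`nameif <hardware> <name> security<N>` lines), treats `apply` as part of the outbound feature, and takes the ASA's physical interface count as a parameter you supply; the sample config is constructed.

```python
import re

# Constructed PIX 6.x-style sample config (not from a real device).
SAMPLE_PIX_CONFIG = """\
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security15
access-list acl_out permit tcp any host 192.0.2.10 eq www
conduit permit tcp host 192.0.2.25 eq smtp any
outbound 10 deny 0.0.0.0 0.0.0.0 80 tcp
apply (inside) 10 outgoing_src
"""

def assess_pix_config(config_text, asa_physical_interfaces):
    """Return migration findings for a PIX 6.x-style config (hypothetical helper)."""
    shutdown, named, legacy = set(), {}, []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        # Interfaces that are administratively shut down do not need a home on the ASA.
        m = re.match(r"interface\s+(\S+)\s+.*\bshutdown\b", line)
        if m:
            shutdown.add(m.group(1))
        m = re.match(r"nameif\s+(\S+)\s+(\S+)\s+security(\d+)$", line)
        if m:
            named[m.group(1)] = m.group(2)
        # conduit / outbound (and the apply that binds it) block a direct 7.X upgrade.
        if re.match(r"(conduit|outbound|apply)\s", line):
            legacy.append((lineno, line))
    active = {hw: name for hw, name in named.items() if hw not in shutdown}
    return {
        "active_interfaces": sorted(active.values()),
        "legacy_statements": legacy,
        "direct_upgrade_possible": not legacy,
        "needs_dot1q_trunk": len(active) > asa_physical_interfaces,
    }

if __name__ == "__main__":
    report = assess_pix_config(SAMPLE_PIX_CONFIG, asa_physical_interfaces=2)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The line numbers in `legacy_statements` point at the entries to review against the converted ACLs once the migration tool has run.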

Now on to how the PIX-to-ASA Migration Tool works. First of all, the tool works on Windows, Mac, and Linux hosts (I almost fell out of my chair when I saw the Mac version). The screenshots are from the Mac version.

About Cisco Security Expert

Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.

Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.

 
