Migration ASA 8.6.1.10 to 9.0.2

My question is:
Are there any specific migration paths from ASA release 8.6 to 9.0?
I have observed that no migration is done for the object ANY to ANY4.
I have observed that migration is done from ASA 8.4.6 to 9.0.

Hi,
To my understanding the 8.6 software level is basically the starting software level of the new ASA5500-X series
I guess you could consider 8.3 or 8.4 the first new softwares of the original ASA5500 series.
With that being said it would seem to me that if you have an ASA5500-X series device that there is not really any software jump you can do from 8.6 other than to 9.0 or 9.1 series software.
I have mostly switched between 8.x and 9.x software on my test ASAs and have not faced any problems so far.
It would seem strange to me that no ACL migration would be done from 8.6 to 9.0? The release notes do suggest that this should happen. I do have a new ASA5515-X but haven't had the time to test it much yet.
- Jouni

Similar Messages

  • Using SQL Express with Legacy PB

    I have inherited a legacy system written in PowerBuilder which connects to an SQL Anywhere 5.5 database via ODBC. The Sybase drivers are not 64-Bit compatible so this system is throwing errors and there are no updated drivers available.  I do not currently
    have the budget to update the database to a current version of SQL Anywhere (which required /seat license) and I'm under the gun to get the system working on a 64-Bit PC.
    Advice, please!  Is MS SQL Express a good option?
    Thanks in advance.

    Hello,
    Microsoft has created the following technical document for migrating from Sybase Anywhere (ASA) to SQL Server 2008:
    http://download.microsoft.com/download/7/C/2/7C20B070-BFF8-44B4-BD7D-1B03DF50F924/MigrateSybaseASAtoSQLServer2008.docx
    Microsoft offers the SSMA for Sybase Tool to migrate from Sybase ASE to SQL Server too, but it is not clear to me it supports Sybase
    Anywhere (ASA). The following third party tool seems to offer migrating ASA objects and data to SQL Server.
    http://www.ispirer.com/products/sybase-to-sql-server-migration
    However, I don’t have any suggestions for you about the PowerBuilder application.
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • ASA Migration Problems

    Hi,
    I'm trying to migrate a configuration of an ASA 5520 (Version: ASA 8.0(5)) to an ASA 5585 (Version: 8.4(2)). I keep getting some errors which are included below. I've been struggling with these for a couple of weeks and read the documentation on cisco.com (http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html) and also some pages on this forum. Some lines are written in bold of which I wasn't able to find any information about. Any help is appreciated. Thanks.
    INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201203062349.log'
    Reading from flash...
    !!!!!!!!!!!!!!!!!!!WARNING:
    MIGRATION: NAT Exempt command is encountered in config.
    Static NATs which overlap with NAT Exempt source are not migrated.
    Please check migrated ACLs for accuracy.
    WARNING: MIGRATION: Failed to create acl element to track during migration
    *** Output from config line 1291, "access-group outside_acc..."
    WARNING:
    MIGRATION: NAT Exempt command is encountered in config.
    Static NATs which overlap with NAT Exempt source are not migrated.
    Please check migrated ACLs for accuracy.
    *** Output from config line 1292, "access-group inside_acce..."
    WARNING:
    MIGRATION: NAT Exempt command is encountered in config.
    Static NATs which overlap with NAT Exempt source are not migrated.
    Please check migrated ACLs for accuracy.
    *** Output from config line 1293, "access-group DMZ_access_..."
    WARNING: MIGRATION: During migration of access-list <XXXXXXX> expanded
    this object-group ACE
        permit object-group DM_INLINE_SERVICE_5 XXX 255.255.255.0 DMZnet 255.255.255.0
    WARNING: MIGRATION: Failed to create acl element to track during migration
    *** Output from config line 1298, "access-group XXXXX..."
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 2
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 3
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 4
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 5
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 6
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 7
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 8
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 9
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 10
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 11
    *** Output from config line 1797, "service-policy global-po..."
    NAT migration logs:
    The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.
    nat (inside) 1 access-list inside_nat_outbound
    WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.
    global (outside) 10 interface
    nat (inside) 0 logserver 255.255.255.255
    WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.
    nat (inside) 0 logserver 255.255.255.255
    The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.
    nat (inside) 1 icnetwork 255.255.0.0
    ERROR: MIGRATION: No memory to create migrated service-policy element
    The following 'nat' command didn't have a matching 'global' rule on interface 'TAV' and was not migrated.
    nat (dmz) 1 access-list dmz_nat_outbound
    INFO: NAT migration completed.
    ERROR: an object-group with the same name (egitim) exist.
    WARNING: Failed to create an object for name 'egitim' in the following ACL:
    access-list DMZ_access_in extended permit tcp host 9.1.1.90 object-group egitim any

    Ummm,
    Did you possibly try the default username/password combination? (cisco/cisco) It should then prompt you to change these settings once you gain access. I'm not familiar with how the migration works, if it transitions the user accounts over or you end up starting from scratch. Give that a try and hopefully it gets you into your new system.
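A migration log like the one posted above is easier to review when each warning and error is tied to the config line that produced it. The following is an added example, not part of the original thread and not a Cisco tool: it assumes, as the posted output suggests, that messages appear before the `*** Output from config line N` marker they belong to, and `SAMPLE_LOG` is constructed input in the same shape as the post's log.

```python
import re
from collections import Counter

MARKER = re.compile(r'^\*\*\* Output from config line (\d+), "(.*)"$')
SEVERITY = re.compile(r'^(ERROR|WARNING|INFO):\s*(.*)$')

# Constructed sample shaped like the log in the post (not real device output).
SAMPLE_LOG = '''\
!!!!WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
WARNING: MIGRATION: Failed to create acl element to track during migration
*** Output from config line 10, "access-group outside_acc..."
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 2
ERROR: MIGRATION: No memory to create migrated service-policy element
ERROR: Problem with interface 3
*** Output from config line 20, "service-policy global-po..."
WARNING: The following identity NAT was not migrated.
nat (inside) 0 logserver 255.255.255.255
'''

def group_migration_log(text):
    """Return [(config_line, command_prefix, Counter of 'SEV: message')].

    Assumption: messages precede the marker line they belong to.
    Messages after the last marker are returned with config_line None.
    """
    groups, pending, open_sev = [], Counter(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("!")  # drop the '!!!!' progress characters
        if not line:
            continue
        marker = MARKER.match(line)
        if marker:
            groups.append((int(marker.group(1)), marker.group(2), pending))
            pending, open_sev = Counter(), None
            continue
        sev = SEVERITY.match(line)
        if sev and not sev.group(2):
            open_sev = sev.group(1)  # bare "WARNING:", text is on the next line
        elif sev:
            pending[f"{sev.group(1)}: {sev.group(2)}"] += 1
            open_sev = None
        elif open_sev:
            pending[f"{open_sev}: {line}"] += 1
            open_sev = None
        # anything else is a continuation or echoed config line: skipped
    if pending:
        groups.append((None, "(after last marker)", pending))
    return groups

def count_by_severity(groups, severity):
    """Total number of messages of one severity across all groups."""
    prefix = severity + ":"
    return sum(n for _, _, c in groups for k, n in c.items() if k.startswith(prefix))

if __name__ == "__main__":
    for cfg_line, cmd, msgs in group_migration_log(SAMPLE_LOG):
        print(cfg_line, cmd)
        for msg, n in msgs.most_common():
            print(f"  {n}x {msg}")
```

Grouping this way shows which commands (for example the `service-policy` line) account for the repeated errors, so the migrated ACL, NAT and policy sections can be checked in that order.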

  • ASA Migration of DHCP Scope to a Server

    Hello All,
    We migrated the DHCP scope from the ASA to a MS DHCP server with this configuration:
    group-policy BV-SSL1 internal
    group-policy BV-SSL1 attributes
    no address-pools value remotepool4 remotepool2 remotepool3
    no intercept-dhcp enable
    dhcp-network-scope 10.180.49.0
    exit
    tunnel-group BVVPN10 general-attributes
    no address-pool remotepool2
    no address-pool remotepool3
    no address-pool remotepool4
    dhcp-server 10.182.14.55
    exit
    tunnel-group BV-SSL general-attributes
    no address-pool remotepool2
    no address-pool remotepool3
    no address-pool remotepool4
    dhcp-server 10.182.14.55
    exit
    no vpn-addr-assign aaa
    no vpn-addr-assign local
    vpn-addr-assign dhcp
    This is running well, until we used all 254 addresses that were specified in the dhcp-network-scope.
    My question is: should I have specified dhcp-network-scope none to allow all 3 scopes to be used to hand out IP addresses for the remote users?
    Thanks,
    Kimberly

    Okay, that's at least a good start. Can you monitor the ULS logs while you attempt to browse to the site to see what form of error(s) you're getting?
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Quick question re: migration of nat exemption from asa pre-8.2 to post-8.2

    I am going through http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.pdf and I have a question about nat exemption.  According to the guide above, the migration of nat exemption will look like this:
    access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound
    object network obj-vLan201
    subnet vLan201 255.255.255.0
    object network obj-172.19.252.0
    subnet 172.19.252.0 255.255.255.0
    nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0
    My question is this: if acl inside_nat0_outbound has multiple ACEs, does the migrated configuration contain a separate "nat (inside,any)" statement for each ACE in the original pre-8.3 config, like this?
    access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.253.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound
    object network obj-vLan201
    subnet vLan201 255.255.255.0
    object network obj-172.19.252.0
    subnet 172.19.252.0 255.255.255.0
    object network obj-172.19.253.0
    subnet 172.19.253.0 255.255.255.0
    nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0
    nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.253.0 obj-172.19.253.0
    Our current acl has about twenty entries, which would make for twenty nat statements, if this is right.
    Thanks,
    -Mathew

    Hi,
    Default behaviour for NAT past 8.2 software level is to let traffic flow through the ASA without NAT. Before that "nat-control" setting on the ASA defined if the traffic needed a NAT configuration or not.
    If your NAT0 / NAT Exempt configurations contain statements meant for VPN connections then you have to make new ones for those.
    Are the entries in your old NAT0 configurations meant for traffic between different networks in your own LAN or are they meant for different VPN connections? Or perhaps both.
    But as you said, moving to the new software does mean that even some simple NAT configuration will now contain more configurations than in the old software.
    - Jouni

  • Cisco PIX to Cisco ASA Migration Tool

    Hello,
    I appreciate any help to download the Cisco PIX to ASA migration tool referred at
    http://www.cisco.com/en/US/partner/docs/security/asa/migration/release/notes/pix2asarn.html#wp39336
    Thanks in Advance
    Francisco Almeida

    As a registered user, go to the download page for Pix Software here.
    Navigate on the menu tree to "Version 1.0" and you should see the software available to download:

  • Migration cisco concentrator to ASA

    Hi,
    we want to migrate from concentrator to ASA.
    I know that there was a cisco internal tool to adapt the concentrator configuration.
    Is this tool still internal or could it be downloaded somewhere?
    Thanks for your help.

    Hi Martin,
    What version of Concentrator are you currently using?  If you are using a VPNC 3000 series, you can view the recommended upgrade path to an ASA via the following link  (see "Product Migration Options" at the bottom of the document)
    http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html
    Mike

  • Migrating watchguard firebox to cisco asa 5515x

    Guys
    I have a client who wants to migrate their very old watchguard firebox to cisco asa 5515x. Is there any configuration tool available that I can use to migrate their existing config on watchguard to ASA? Please advise
    Thanks in advance

    Amit,
    From my understanding there is no such tool. Not even from Pix to ASA which is no longer available.
    I am afraid that you may need to manually migrate the configuration.
    Regards,
    Juan Lombana
    Please rate helpful posts.

  • Migrating from FWSM to ASA Service Module (ASASM)

    I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period.
    With that in mind, can anyone confirm whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything.
    In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
    Thanks in advance.

    So long as the chassis has enough power to power these modules you are good.
    Up to 4 FWSMs can be installed in a chassis.
    Up to 4 ASA-SM modules can be installed in a chassis.
    FWSM:
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html
    • Up to 4 FWSMs (20 Gbps) per Catalyst 6500 chassis
    ASA-SM
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/qa_c67-662207.html
    Q. How many ASA Services Modules can I place in a Cisco Catalyst 6500 Series chassis?
    A. Up to four independent ASA Services Modules can simultaneously run in a Cisco Catalyst 6500-E Series chassis.
    -Kureli
    Checkout my breakout session at Cisco Live 2013, Orlando, Florida.
    BRKSEC-2024 Deploying Next-Generation Firewall Services on the ASA 
    Room 314A Tuesday, June 25 3:00 PM - 4:30 PM

  • Migrate Standby ASA to Backup Data Center

    Hello Experts,
    We have a backup data center where I am now planning to provide backup internet service (in the case where there is internet down or a power outage at the main server room).
    I have a pair of Cisco ASA 5540s, one of which I need to move to the backup data center (BDC). Presently I have an ADSL router at the disaster server room with a static public IP from the ISP.
    Currently, I am publishing all my internal resources through the ASA. Now my question: if I move the standby ASA to the disaster server room, how can I publish the same internal resources through the standby ASA and make it active during the downtime of the main server room?
    Please can anyone suggest how to achieve this setup. Is this scenario possible?
    Thanking in advance.
    Samir

    Hello,
    I knew it.
    I'll just tell you from the beginning hope it might help you to understand. I appreciate your help.
    Presently at my main data center I'm having a  leased line router and then 2 ASA 5540 (with failover active/standby).
    I was thinking to move 1 ASA to backup disaster server room. In this regard, I asked earlier how I can still achieve the active/standby after migrating to backup room. But you had answered my query
    Query 2
    I have got new ADSL service and router  with public static IP at backup server room. Now I moved one of my ASA.
    How can I keep publishing the internal resources ( like access to internal webserver, rdp connection) by using this ADSL service if the main server room is completely down .
    Hope it is clear.
    Thanks

  • Any tool to migrate from a Nokia/CheckPoint firewall to CISCO ASA

    Would like to know if there is any tool that could help to migrate CheckPoint firewall objects and rules database to CISCO ASA equivalent ;
    Could the last CISCO Security Manager product help in this process ?
    thanks in advance

    Joel, you may need to use a firewall analyser or fw auditing tools to retrieve fw rules from Nokia/Fw-1 in a legible format like using LFA, but you still need to manually enter the configuration into ASA.
    Check this link and look for (LFA) Lumeta firewall analyser, they work along with checkpoint..
    http://www.lumeta.com/
    Also reference this thread, it may help.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7e5c4
    HTH
    Jorge

  • Context Migration from FWSM to ASA

    Hi there ,
         What would be best way to migrate a Context from FWSM to ASA (non SM)  with minimal down time & effort .
    I am thinking of these steps :
    1) Preconfigure  the new ASA with the same IP-Address as FWSM for the interfaces (keep the ASA subinterfaces in shut state ) , configure Access rules .
         ( Want to retain same ip for the interfaces , since there are many hosts behind the FWSM with this gateway IP configured )
    2) Shut the context specific interfaces on FWSM & bring up the Context specific interfaces on the ASA.
       ( Also a query - If I introduce ASA into the Network with the same IP as of FWSM , though the interfaces would be in shut state , should i expect any IP Conflicts )
    Thanks

    Hi,
    Well you probably have the option to configure the old FWSMs interface MAC address to the ASAs corresponding interface manually, this way there will be no change in the ARP from the perspective of the server/host.
    I guess depending on if you have a single firewall or failover firewall the command is a bit different as you define either 1 or 2 MAC addresses.
    I think this was the command to modify the MAC address
    http://www.cisco.com/en/US/docs/security/asa/command-reference/m1.html#wp2111205
    - Jouni

  • Migration watch Guard to asa

    Anyone know about a tool to migrate watch guard config to ASA

    I've never come across such a tool.
    I believe you'll need to do a manual configuration of the ASA to match the Watchguard settings.

  • Migrate PIX to ASA tools

    Can provide me with the PIX to ASA migration tools? I can't seem to find them, are they still available?
    Mike

    Hi,
    Never used this myself.
    Here's a guide to getting the tool
    http://www.cisco.com/en/US/docs/security/asa/migration/guide/pix2asa.html#wp290854
    I'd assume though you will need a CCO account with service contract. I couldn't download the software as we have not gotten any of the contract under my name/account.
    Looking at the whole "path" to the tool download it seems to be the following
    Downloads Home ->
    Products ->
    Security ->
    Firewalls ->
    Adaptive Security Appliances (ASA) ->
    Cisco PIX Firewall Software ->
    PIX Firewall Software-1.0
    You might need to "hop through" a couple of drop down menus to get to the Software 1.0 under which you will find the download link. I can't test it at the moment.
    - Jouni

  • Checkpoint to ASA migration

    We are currently running a Check Point firewall and would like to migrate to the ASA platform. Does anyone know of a conversion / migration utility that will convert Check Point firewall rules to ASA?
    Thanks

    Here is the new self-service tool that Cisco has released to convert to any vendor firewalls to Cisco ASA.
    Currently it supports Juniper ScreenOS and CheckPoint to Cisco ASA conversion.
    Link to the original post:
    https://supportforums.cisco.com/community/netpro/security/firewall/blog/2013/12/19/conversion-tool--checkpoint-fw-to-cisco-asa
    Link to the tool itself:
    https://fwmig.cisco.com
