Simple ASA 55xx to 55xx-X upgrade question

I have an older model ASA 5500-series and I've purchased a new 5555-X.  If they are both at roughly the same up-to-date software version, can I simply copy the config from the old ASA to the new one?
I know that I will possibly have to make minor changes such as changing the interface names (ethernet or fa to gi) but are there any significant command structure changes that would cause problems?  (problems caused specifically by moving from a 55xx to a 55xx-X)?

It really depends what you have configured and what version you are running on the old ASA compared to the new one.  For example, is the old one running 9.1 and the new one running 9.2?
If you don't have anything very specific or special configured for your network, i.e. you just have ACL, Objects / object-groups, NAT etc. then you will be fine with copying the configuration straight over with possibly a few minor changes (as you have already mentioned).
Please remember to select a correct answer and rate helpful posts
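
The interface renaming mentioned in this thread can be scripted and reviewed before the configuration is pasted into the new unit. The following is an added example, not code from the thread or from Cisco; the port plan in PORT_MAP and the sample configuration are constructed for illustration. It rewrites port names wherever they occur (not only in interface stanzas), reports ports with no mapping, and lists which nameif lands on which new port.

```python
import re

# Hypothetical port plan for this example (old port -> new 5555-X port).
PORT_MAP = {
    "Ethernet0/0": "GigabitEthernet0/0",
    "Ethernet0/1": "GigabitEthernet0/1",
    "Ethernet0/3": "GigabitEthernet0/7",
}

# A physical port name plus optional subinterface suffix, e.g. Ethernet0/1.10.
# The lookbehind stops "Ethernet0/0" matching inside "GigabitEthernet0/0".
PORT_RE = re.compile(r"(?<![A-Za-z])((?:Fast|Gigabit)?Ethernet\d+/\d+)(\.\d+)?")

# Constructed sample configuration (documentation addresses only).
SAMPLE = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
!
interface Management0/0
 management-only
!
failover lan interface folink Ethernet0/3
"""


def migrate(config, port_map=PORT_MAP):
    """Return (new_config, changes, unmapped, nameifs).

    changes  : list of (line_no, old_port, new_port)
    unmapped : sorted ports that appear but have no entry in port_map
    nameifs  : {nameif: new interface} so zone placement can be reviewed
    """
    out, changes, unmapped, nameifs = [], [], set(), {}
    current = None  # interface stanza we are currently inside, if any
    for no, line in enumerate(config.splitlines(), 1):
        def swap(m, no=no):
            port, sub = m.group(1), m.group(2) or ""
            if port in port_map:
                changes.append((no, port + sub, port_map[port] + sub))
                return port_map[port] + sub
            if port not in port_map.values():
                unmapped.add(port)  # needs a decision before cut-over
            return m.group(0)

        new_line = PORT_RE.sub(swap, line)
        out.append(new_line)
        if new_line.startswith("interface "):
            current = new_line.split()[1]
        elif not new_line.startswith(" "):
            current = None  # left the stanza
        elif current and new_line.strip().startswith("nameif "):
            nameifs[new_line.split()[1]] = current
    return "\n".join(out), changes, sorted(unmapped), nameifs


if __name__ == "__main__":
    new_config, changes, unmapped, nameifs = migrate(SAMPLE)
    print(new_config)
    print("changed:", changes)
    print("no mapping:", unmapped)
    print("nameif placement:", nameifs)
```

Reviewing the nameif placement before cut-over matters because the security level and ACL bindings follow the nameif, so a wrong port mapping silently moves a zone to a different cable.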

Similar Messages

  • Info about ASA 55xx

    Hi
    I'm starting to read about ASA 55xx in Cisco website. But after some good reading, I have some questions.....
    In Cisco Docs about ASA55xx, I see the "Maximum concurrent AnyConnect or clientless VPN sessions" and "Maximum concurrent site-to-site and IPsec IKEv1 VPN sessions" (e.g. 750 both): well, the maximum concurrent sessions are 750+750 (anyconnect + site-to-site), so I have to add the two types of sessions? Or what are the maximum concurrent sessions (of each type) in ASA5520?
    So, at this point, if I want 750 AnyConnect Session and 750 site-to-site Session which license do I need to buy? ASA5500-SSL-750 ? ASA-VPNS-1000? or what else?
    Then, what are the "shared" licenses? When and where do I need to buy them?
    thanks in advance.
    Bye

    Platform capabilities and required licensing are as noted in the product data sheet:
    Up to 750 AnyConnect and/or clientless VPN peers can be supported on each Cisco ASA 5520 by installing an Essential or a Premium AnyConnect VPN license; 750 IPsec VPN peers are supported on the base platform. VPN capacity and resiliency can be increased by taking advantage of the Cisco ASA 5520's integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520 supports up to 10 appliances in a cluster, offering a maximum of 7500 AnyConnect and/or clientless VPN peers or 7500 IPsec VPN peers per cluster.
    Reiterating:
    The ASA 5520 750 site-site VPN capability is in the base license / product (Part number ASA5520-BUN-K9 or ASA5520-K8 depending on whether you are eligible to purchase the strong encryption (-BUN-K9) version)
    The AnyConnect user licenses required depend on whether you need Anyconnect Essentials or Premium. The Anyconnect data sheet outlines the differences. Essentials is one license that allows up to 750 clients to use the appliance simultaneously. Premium (which cannot be loaded at the same time as Essentials) requires the licenses to be purchased according to the tiered per user scheme.
    Shared licenses are shared among ASAs in a cluster (2 or more units configured together).
    There is the concept of licenses in a failover (2-unit) cluster. That is automatic - i.e. the license numbers are additive and shared up to the platform capability. The ASA5500-SSL-750 part would be used in that setup.
    There is also the concept of an AnyConnect Premium Shared Server. In that scheme, the shared server allocates licenses in 50 unit blocks to the cluster members as they need them. The ASA-VPNS-1000 part number you mention is used in that sort of setup.

  • New ASA 55xx

    I currently have a 3725 + the NM-CIDS module doing my firewall / IPS / VPN.
    I'm considering upgrading to a ASA 55xx box.
    I was reading the product page, and it does not seem that I can have one ASA box that does both the IPS with an AIP-SSM-xx and the anti-virus with an CSC-SSM-xx because the box only has one SSM slot.
    I also need this box to be compatible and take over the peer to peer VPN that the 3725 is doing with my current IOS. I have several remote 87x router connected over ADSL and cable connection with active IOS VPN. My 3725 currently has a AIM VPN card to help the CPU. If I change it to a ASA box will I have to re-configure all the remote 87x routers?
    Thanks...

    I would use one ASA with the AIP-SSM module.
    And then place a separate Anti-x type of device at the back. Having a separate ASA for the CSM module is overkill IMHO.
    There is no real integration between the CSM/IPS module anyway, so you still have to manage different GUIs. A good option would be to go for IronPort, since they are now part of Cisco, there might be some neat integrations coming along in the future (giving you more value for money). There isn't any great feedback about the CSM module, most people I know don't like to position it, including some Cisco CSEs themselves (it's based on Trend Micro btw)
    Regards
    Farrukh

  • Graphics card upgrade question on the Satellite P10-802

    Hoping someone out there may be able to offer some advice.
    I'm now finding I probably need to upgrade this system a little. Adding memory looks straightforward but was also interested in upgrading the graphics card. Does anyone know if this is possible? Currently it has the ATI MOBILITY RADEON 9700 with 64MB of memory. If it is not possible to change the card is it possible instead to increase the memory on the card itself?
    Thanks in advance if anyone has any advice to offer!
    Cheers

    No, something like that is definitely not possible.
    Please do not mix the notebook technology with the simple desktop PC.
    You cannot upgrade the notebook graphic card and you cannot increase this graphic card memory.
    Nothing to do :(

  • Security upgrade question - Getting 6.1.6 downloaded to iphone.

    Security upgrade question - I have a 4S phone v6.01 with an upgrade to IOS 7.04 already downloaded and ready for install.  I would like to install the 6.1.6 security upgrade instead. How do I delete the ios7 in the queue or have the 6.1.1 pushed as an option to the phone?

    You can't install iOS 6.1.6 on that device and must update it to 7.0.6.

  • I have an upgrade question. I received a notification when I connected my computer to the internet that Lightroom 5.7.1 was available

    I have an upgrade question. I received a notification when I connected my computer to the internet that Lightroom 5.7.1 was available it included HDR & Panoramic photo merge. I can't find these. Where do I find them?

    well that was a big waste of my time & data allowance then ...
    I live in a flaky slow internet area & I keep my photo edit machine off the internet unless I want to update something. CC is no use to me & that useless update just used up a 12th of my allowance for the year ...

  • Another RAM upgrade question

    Hi everyone,
    I know there seem to be lots of RAM upgrade questions here but hey that's what forums are for.
    I'm looking to upgrade my macbook's RAM it's currently got 2GB (2x1GB)
    Is it possible to purchase 1x4GB and put that with one of my current 1GB sticks to create a total of 5GB?
    I would be interested to know if this is possible or if anyone has tried it.
    Thanks in advance
    Scott

    This will work if your MacBook is late '07 or newer.

  • Simple OS 9 upgrade question

    I am running an IMac on 8.6 and need to upgrade to 9 to install a new printer. Even tho I live in the US, I bought the computer in the UK so it has UK English 8.6 OS on it. I have purchased the OS 9 install disc from a reseller here in the States but it's telling me that it can only install on top of the US English version. So, at the risk of sounding ignorant or lazy, where in the UK is the best place to purchase an OS 9 installation disc for immediate shipping? I've Googled about a zillion UK Mac resellers and no one seems to have it. Thanks.

    Hi, dandy -
    If you do not have a record of the serial numbers of some software, you may then need to move the preference file(s) for it over to the new System Folder. IF you do have a record of those, it is a simple matter to re-enter them when you run the software the first time in the new OS. For that reason, I make it a habit to note the serial number for any software that needs such inside the manual for the software, so I always have a hard copy of it.
    Some software (QuickTime is one such) will display its registration/serial number in its preferences or elsewhere, from where it can be copied.
    With a clean install, will I have to reinstall software or is it only extensions and drivers associated with software etc that will disappear? It appears from the article you linked and from other sources that I can drag and drop the extensions from the old folder to the new but it would ease my mind greatly if you would just confirm that.
    It is usually just extensions, possibly a control panel or two - those can usually be just dragged over to the new System Folder.
    However, it may also be necessary to move browser data and email data over to the new System Folder.
    Netscape usually keeps all of its stuff in a folder named Netscape Users in the Preferences folder.
    Internet Explorer keeps its files in a folder named Explorer in the Preferences folder.
    Outlook Express is a bit different - older versions kept the email archive files in the Outlook Express folder; newer versions running in OS 9 keep those files in the Documents folder that is created by an OS 9 install, here - (hard drive) >> Documents >> Microsoft User Data >> Identities. In the Identities folder will be a folder for each account (identity); the default one is named Main Identity. These separate folders contain the email archive files for each account.
    If you've added extra fonts, you will need to also move those.
    When moving items from the old System Folder to the new one, be sure to not move any extensions or control panels which belong to OS 8.6; such can contaminate an OS 9 install and cause problems.

  • ASA 55xx and Videoconferencing and VCS

    I'm not a Security or ASA guy but I always encounter on all my projects the question of "can you help me translate into a configuration that TCP/IP ports you need for your videoconferencing?"
    Appreciate it a lot if someone can send or email or PM me a working config (scrubs the confidential info) of the ASA that will work for the setup that has
    VCS Control
    VCS Expressway
    Internal video endpoints calling External (different company's) endpoints
    Thanks

    Sorry forgot to add more details.
    The protocols will be H.323 and SIP.  Tandberg (now Cisco) has a document that lists all the TCP and UDP ports that are required to be open in the firewall.
    It is just translating those ports into actual ASA command lines or config that I need since I am not an ASA guy.
    I just want to help the customer that is asking for assistance as I always encounter this question and it is a bit frustrating not to have the info.  I am enrolling myself in an ASA class soon though.

  • Simple upgrade question

    Greetings,
    I currently own an older Macbook and I'm considering upgrading to the new 13" Macbook Pro. I know I can transfer my user accounts using the Firewire transfer, but since the Macbook Pro comes with a smaller hard drive than I'm currently using, I would like to ask if it is a good idea just to swap out the drive in the older Macbook and put it in the Macbook Pro? I'm currently running Snow Leopard, so that should not be an issue. Has anyone done this? And if so, what problems did you run into?

    Since the new MacBook Pros' manuals have not yet been made available (they will show up here: http://support.apple.com/manuals/#portablecomputers when Apple puts them online) your questions are not easy to answer, but assuming Apple's designs are similar to the previous generation MBP, you should be able to swap out the hard drives without any problem. Since some of your internal hardware may be different and require different drivers (such as for graphics chips) the software from your old MBP may not run on the new one, so it may be necessary to reinstall the OS.
    Hope this helps you. Best of luck.

  • Cisco Prime Infrastructure 2.0 and ASA 55xx platform

    Hello,
    We recently upgraded to Prime Infrastructure 2.0 with the hope of being able to manage our ASAs from PRIME (and complete an LMS migration).
    When I attempt to add ASAs to Prime I get the following collection errors:
    Unable to collect processor and RAM information. Processor and RAM information. Unexpected error. See the log file inventory.log for details.
    In the logfile I get the following XML parsing error on the MIB:
    <palError>
      <deviceId>6284310032</deviceId>
      <code>VALIDATION_ERROR</code>
      <message>Failed to validate output XML: cvc-maxInclusive-valid: Value '3484331296' is not facet-valid with respect to maxInclusive '2147483647' for type 'int'.</message>
      <result>
        <result xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="/CISCO-MEMORY-POOL-MIB/xmp-im-file-system-module.xsd">
          <xmp-im-file-system-module>
            <MemoryPoolStatistics>
              <memoryPoolIndex>1</memoryPoolIndex>
              <free>4294967295</free>
              <largestFree>4294967295</largestFree>
              <used>3484331296</used>
            </MemoryPoolStatistics>
    To me it seems that the ASA returns a value that is bigger than int32 and thus causes an overflow? Any clues? Workarounds to add an ASA to Prime without checking these MIBs?
    Regards,
    Marcel

    The X series (all with 64-bit SMP images) are not currently supported by PI 2.0. We can hope for a device update in the coming months to remedy that situation.
    If you click on the arrow next to the help icon in the top right of your PI and choose "Device Level Support" you will see:
    Cisco ASA-5500 Series Adaptive Security Appliances
    Features :
    Topology
    LLDP Neighbor Discovery
    CDP Neighbor Discovery
    Configuration
    Configuration Archive
    Software Image Management
    Monitoring
    Device Availability
    Reachability
    Inventory
    Physical
    System - Memory Pools
    Interfaces - IP
    Interfaces - Ethernet
    Device Type
    SYSOIDS
    S/W Version
    Software
    Cisco ASA-5510 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.669
    OID:1.3.6.1.4.1.9.12.3.1.3.447
    Cisco ASA-5510 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.773
    Cisco ASA-5520 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.670
    OID:1.3.6.1.4.1.9.12.3.1.3.448
    Cisco ASA-5520 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.671
    Cisco ASA-5540 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.672
    OID:1.3.6.1.4.1.9.12.3.1.3.449
    Cisco ASA-5540 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.673
    Cisco ASA-5560 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.12.3.1.3.454
    Cisco ASA-5550 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.753
    Cisco ASA-5550 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.763
    Cisco ASA-5505 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.745
    OID:1.3.6.1.4.1.9.12.3.1.3.560
    Cisco ASA-5580 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.914
    Cisco ASA-5585 Adaptive Security Appliance
    OID:1.3.6.1.4.1.9.1.1194
    OID:1.3.6.1.4.1.9.1.1195
    OID:1.3.6.1.4.1.9.1.1196
    OID:1.3.6.1.4.1.9.1.1197
    Cisco ASA-5585 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.1198
    OID:1.3.6.1.4.1.9.1.1199
    OID:1.3.6.1.4.1.9.1.1200
    OID:1.3.6.1.4.1.9.1.1201
    Cisco ASA-5585 Adaptive Security Appliance System Context
    OID:1.3.6.1.4.1.9.1.1202
    OID:1.3.6.1.4.1.9.1.1203
    OID:1.3.6.1.4.1.9.1.1204
    OID:1.3.6.1.4.1.9.1.1205
    Cisco ASA-5580 Adaptive Security Appliance Security Context
    OID:1.3.6.1.4.1.9.1.915
    Cisco ASA-5580 Adaptive Security Appliance System Context
    OID:1.3.6.1.4.1.9.1.916
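
The validation error quoted in this thread can be reproduced offline by checking each memory-pool value against the schema's signed 32-bit limit. This is an added example, not code from Prime Infrastructure or from the posters; the XML is a constructed, well-formed sample using the values from the post, and reading 4294967295 as a saturated unsigned 32-bit counter is an assumption.

```python
import xml.etree.ElementTree as ET

XS_INT_MAX = 2**31 - 1   # 2147483647, the maxInclusive named in the error
UINT32_MAX = 2**32 - 1   # 4294967295, largest unsigned 32-bit value

# Constructed, well-formed sample carrying the values from the post.
SAMPLE = """<xmp-im-file-system-module>
  <MemoryPoolStatistics>
    <memoryPoolIndex>1</memoryPoolIndex>
    <free>4294967295</free>
    <largestFree>4294967295</largestFree>
    <used>3484331296</used>
  </MemoryPoolStatistics>
</xmp-im-file-system-module>"""


def classify(value):
    """Label one reported value relative to the 32-bit boundaries."""
    if value < 0 or value > UINT32_MAX:
        return "out-of-range"
    if value == UINT32_MAX:
        # Assumption: an unsigned 32-bit gauge pinned at its ceiling, so the
        # real figure may be larger than what was reported.
        return "saturated"
    if value > XS_INT_MAX:
        return "exceeds-xs-int"   # valid unsigned, rejected by an xs:int schema
    return "ok"


def audit(xml_text):
    """Return (pool index, field, value, label) for every statistic."""
    findings = []
    for pool in ET.fromstring(xml_text).iter("MemoryPoolStatistics"):
        index = pool.findtext("memoryPoolIndex")
        for child in pool:
            if child.tag == "memoryPoolIndex":
                continue
            text = (child.text or "").strip()
            if not text.lstrip("-").isdigit():
                findings.append((index, child.tag, text, "not-an-integer"))
                continue
            findings.append((index, child.tag, int(text), classify(int(text))))
    return findings


def as_signed32(value):
    """The same 32 bits as read by a collector that stores a signed int."""
    return value - 2**32 if value > XS_INT_MAX else value


if __name__ == "__main__":
    for index, field, value, label in audit(SAMPLE):
        print(f"pool {index} {field}: {value} -> {label}, "
              f"signed view {as_signed32(value)}")
```

A monitoring pipeline that coerces instead of rejecting would record the signed view, so memory exhaustion on the firewall could show up as a negative or tiny number rather than an alert.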

  • Cisco Prime Infrastructure 2.0 and ASA 55xx platform problem

    Hello,
    We recently upgraded to Prime Infrastructure 2.0 with the hope of being able to manage our ASAs from PRIME (and complete an LMS migration).
    When I attempt to add ASAs to Prime I get the following collection errors:
    Unable to collect processor and RAM information. Processor and RAM information. Unexpected error. See the log file inventory.log for details.
    In the logfile I get the following XML parsing error on the MIB:
    <palError>
      <deviceId>6284310032</deviceId>
      <code>VALIDATION_ERROR</code>
      <message>Failed to validate output XML: cvc-maxInclusive-valid: Value '3484331296' is not facet-valid with respect to maxInclusive '2147483647' for type 'int'.</message>
      <result>
        <result xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="/CISCO-MEMORY-POOL-MIB/xmp-im-file-system-module.xsd">
          <xmp-im-file-system-module>
            <MemoryPoolStatistics>
              <memoryPoolIndex>1</memoryPoolIndex>
              <free>4294967295</free>
              <largestFree>4294967295</largestFree>
              <used>3484331296</used>
            </MemoryPoolStatistics>
    To me it seems that the ASA returns a value that is bigger than int32 and thus causes an overflow? Any clues? Workarounds to add an ASA to Prime without checking these MIBs?
    Regards,
    Marcel

    Hi,
    does anyone happen to know if that problem is fixed? My current setup looks like this:
    1. Cisco Prime Infrastructure 2.1 with updated device pack.
    2. Assurance license
    3. ASA5510 which has enabled netflow. Netflow is being sent to Cisco Prime 2.1
    I do receive netflow raw data within Cisco Prime 2.1 but any graphical display of netflow data is not working. Does anybody have an idea where the problem is? Could it be that the graphical data is only displayed when sending netflow 1, netflow 5 or netflow 7?
    regards
    Maurus

  • ASA 55xx in transparent mode - switch ARP table?

    Guys,
    It's a basic question about how transparent mode firewalls communicate with the connecting switches.
    My understanding is that if I separate the LAN e.g. 10.1.1.x with a transparent firewall then it will only "snoop" the traffic and will not change anything in the Ethernet header.
    Is it correct or still will replace the MAC address with the firewall physical interface address to send the frame to the connecting switch?
    e.g.
    client--------->switch------->transparent 5510-------->switch---------->server
    10.1.1.1                                                                                              10.1.1.100
    When the client sends the ARP to look up the hardware address of the server then what will it receive back?
    The MAC address of the transparent ASA, or the server?
    Thank you!

    Source MAC address is never changed if the traffic is passing through the same IP subnet (vlan). Here the firewall is in transparent mode and if it alters the source MAC address communication will not happen. This is a very fundamental network concept. However it may recreate the same frame with the same source/destination MAC addresses.
     

  • Replacing the Java Code Signing Certificate on the ASA 55xx VPN/Firewall Appliance

    Hi,
    basically I am trying to achieve what's documented in
    http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp242704
    (using ASDM: "crypto ca import" = Remote Access VPN -> Certificate Management ->  Code Signer -> Import)
    I give it a complete PKCS12 bundle (unencrypted private key + certificates up to the root CA) to the ASA.
    I can indeed verify that it has been imported correctly by exporting it again:
      crypto ca export CodeSignerBundle pkcs12 1234
    It shows me the private key and all the certificates.
    However, the jars used in WebVPN, while carrying the correct certificate, don't have a full certification chain at their disposal:
    Using jarsigner -verify I see on a random file from the jar:
    sm       905 Fri Nov 30 00:00:00 CET 1979 Java/lang/CpUtf8.class
          X.509, CN=COMMONNAME, O=ORGANIZATION, L=LOCATION, ST=STATE, C=COUNTRY
          [certificate is valid from 8/1/13 4:30 PM to 8/1/16 4:30 PM]
          X.509, CN=LuxTrust Qualified CA, O=LuxTrust S.A., C=LU
          [certificate is valid from 6/5/08 11:25 AM to 10/18/16 12:40 PM]
          [CertPath not validated: Path does not chain with any of the trust anchors]
    Indeed the certificate file inside the jar (META-INF/.....RSA) does not contain what I uploaded to the ASA. One of the intermediary certificates is missing (while another certificate is listed twice).
    What could be the problem here? (ASA v8.2(5))
    Thanks for any help,
    Marki

    It may be that an IP address pool is not assigned to the default webvpn group:
    tunnel-group DefaultWEBVPNGroup general-attributes
    address-pool testpool

  • Simple upgrade question : CS3 to CS5

    Which serial number do i pop into the box?...okokok, I'm overtired, maybe this is obvious...
    Do I use the one that came on the CS5 upgrade package?...will that read my last version of photoshop and just install?...
    Do I use the SN that came on my upgrade version of CS3?...
    thanks
    M
    ps...I'm just trying to avoid the upgrade mini-nightmare I had when I installed CS3...an hour on the phone with people in India, one who had no clue what she was talking about, heavy accents leading to even more difficult communication...I really don't want to go through that again...

    Hi,
    Do you mean you are trying to upgrade from CS3 to CS5???
    1> yes you can upgrade
    2> if you have the CS5 upgrade copy, in order to install you obviously need to have the CS5 Serial Number + CS3 Serial Number, and while installing CS5 that will take you to the upgrade check as soon as you enter the CS5 Serial Number. If you do not have the CS3 serial number then you will have to contact Adobe for unlocking your CS5.
    Hope this helps..!
