Guest

Support

Migrating to the Cisco ASA Services Module from the FWSM

  • Viewing Options

  • PDF (193.7 KB)
  • Feedback
Migrating to the Cisco ASA Services Module from the FWSM

Table Of Contents

Migrating to the Cisco ASA Services Module from the FWSM

Contents

Information About the Migration

Migrating the FWSM Configuration to the ASA SM

Running the Migration Tool

Applying the Migrated Configuration to the ASA SM

Unsupported Runtime Commands

Unsupported Debug Commands

Unsupported Clear Commands

Unsupported Show Commands

Configuration Migration Reference

Migration Due to Default Behavior Differences

Migration Due to Unsupported Features in ASA SM

Migration Due to CLI Differences

Default Value and Value Range Differences

SNMP Differences

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines


Migrating to the Cisco ASA Services Module from the FWSM


Contents

Information About the Migration

Migrating the FWSM Configuration to the ASA SM

Unsupported Runtime Commands

Configuration Migration Reference

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

Information About the Migration

This guide describes how to convert Cisco FWSM configurations to Cisco ASA SM 8.5 configurations.

This document also provides details about the differences between Cisco FWSM and Cisco ASA SM behavior.

Although the ASA SM shares a common software foundation with the FWSM, you cannot directly use a FWSM configuration on an ASA SM.

Differences between the platforms, such as the use of specific commands, prevent FWSM configurations from being used unmodified on the ASA SM.


Warning After running Migration Tool, you cannot paste the migrated configuration directly at the CLI prompt on the ASA SM; you must copy the configuration over the network to the startup configuration and reload the ASA SM so that it can perform additional migrations at startup.

In particular, the NAT feature on the ASA SM is redesigned for increased flexibility and functionality compared to FWSM. On the ASA SM, you can configure NAT using auto NAT, where you configure NAT as part of the attributes of a network object, and manual NAT, where you can configure more advanced NAT options.

On the ASA SM, all NAT and NAT-related commands are redesigned. The following commands were introduced or modified: nat (in global and object network configuration mode), show nat, show nat pool, show xlate, show running-config nat. The following commands were removed: global, static, nat-control, alias.

For a description of the differences in NAT matching for statics between FWSM and ASA SM, see Migration Due to Default Behavior Differences.

For detailed information about the NAT feature changes on the ASA SM, see "NAT Migration" in Cisco ASA 5500 Migration Guide for Version 8.3.

Migrating the FWSM Configuration to the ASA SM

Migrating the FWSM configuration to the ASA SM occurs by perform two steps:

Step 1: Running the Migration Tool

Step 2: Applying the Migrated Configuration to the ASA SM

You must perform the migration from the FWSM to the ASA SM using these two steps because the Migration Tool does not make all the necessary command syntax changes when you run the Migration Tool. Because of this fact, you cannot open the migrated configuration file, enter the select all command and copy the configuration, and then paste the configuration to the command line of the ASA SM.

You must copy the migrated configuration file to the startup configuration of the ASA SM. When the ASA SM is subsequently restarted, the startup configuration is parsed upon startup. The ASA SM image takes the NAT, ACL, and other commands that have been deprecated or changed from the FWSM and translates the commands into the commands that the ASA SM accepts.

Running the Migration Tool

The Migration Tool includes a Windows and Macintosh application to perform the FWSM configuration migration.

Prerequisites

The ASA SM must be in a known state. The blade cannot have a configuration running on it. If it has been configured, execute the write erase command to clear the configuration on the service module.

To convert the FWSM configuration to an ASA SM configuration, perform the following steps:


Step 1 From the Cisco software download site, locate the file fwsm_migration_mac.zip or fwsm_migration_win.zip and save it to a Windows or Macintosh client. Decompress the ZIP file and extract the corresponding file for the system on which you plan to run the conversion application—fwsm_migration.exe or fwsm_migration.app.

Step 2 From the FWSM that you are migrating to an ASA SM, copy all the configuration files, which includes each configuration file for all contexts and the system context file, to the directory in which you extracted the Migration Tool application.

For single mode, copy the running configuration file. For multi-mode, copy the following configuration files:

The system space configuration

The admin context

Any user context of interest

Step 3 Double click the fwsm_migration.exe or fwsm_migration.app file to start the Migration Tool.

The FWSM Configuration Migration dialog box appears along with a command window, which will display the progress and status of the conversion.

Step 4 Select the radio button appropriate for your conversion:

Single File—select this option when you are converting the configuration file for the FWSM running in single-context mode.

Directory—select this option when you are converting multiple files for the FWSM that ran in multiple-context mode. Each context has an associated configuration file and the FWSM has a system context file.

Step 5 Under the option you selected (Single File or Directory), enter information for the file or files to convert:

Input File field—enter the path and file name for the configuration file for the single-context FWSM or click Browse to locate the file on your local system.

Input Directory—enter the path to the directory containing all the multi-context configuration files and the system context file or click Browse to locate the directory on your local system.

Step 6 Under the option you selected (Single File or Directory), enter the conversion output information:

Output File field—enter the path and file name for that the Migration Tool will use to create the converted configuration file for the single-context FWSM.

Output Directory—enter the path to the directory that the Migration Tool will place the converted multi-context configuration files and the system context file or click Browse to locate the directory on your local system.

Step 7 In the ASA SM Boot Image field, enter the location of the ASA SM boot image in the following format:

drive:/boot-file-path

The boot image value must include one of the following options:

disk0:/path and filename on disk0

disk1:/path and filename on disk1

flash:/path and filename on flash

URL beginning with tftp prefix

The value you enter in this field defines the image you want the ASA SM to boot up with when it completes the final migration.


Note You must write the boot image value to memory by issuing the write memory command on the ASA SM. Issuing the write memory command saves the boot image value you specify for the boot image to the BOOT variable in the configuration file. After writing the value to memory, verify that the boot variable was written to memory by entering the show bootvar command.
See Cisco ASA 5500 Series Command Reference, 8.5 for the ASA SM.


Step 8 In the Log Location field, enter the path and file name for the log file that the Migration Tool will use to log the status information from the conversion or click Browse to locate the file on your local system.

Step 9 Click Convert to start the conversion.

Status information appears in the command window. Once the conversion successfully completes, a Success dialog box appears.

Step 10 Click OK to end the conversion.


What to Do Next

Applying the Migrated Configuration to the ASA SM

Applying the Migrated Configuration to the ASA SM

Prerequisites

You must have migrated your FWSM configuration by using the Migration Tool. See Running the Migration Tool.

Configure an interface on the ASA SM to allow file transfer using TFTP, SSH, or HTTP.


Step 1 Copy the migrated files to the ASA SM via TFTP, SSH, or HTTP.


Note If necessary, add an interface configuration to allow file transfer using TFTP, SSH, or HTTP.


a. If working in single mode, copy the migrated configuration to the startup-config file.

b. If working in multiple mode, copy the system configuration to the startup-config and all context configuration files (such as, the Admin context) to disk0:.


Note The context files must be placed on disk0: in the path the system configuration points to for each context. If the system configuration has the configuration URL for a context as "config-url disk0:/context/ctx1.cfg" then the file for that context needs to be placed in that context directory path.



Note You cannot paste the migrated configuration directly at the CLI prompt on the ASA SM; you must copy the configuration over the network to the startup configuration and then reload the ASA SM so that it can perform additional migrations at startup. You cannot copy and paste the configuration because of the complexities of converting certain features, such as converting the FWSM NAT feature to the NAT feature on theASA SM, which uses Object NAT and Twice NAT.


Step 2 Reload the ASA SM when you are migrating a single mode FWSM image.

On startup, final configuration modifications will be conducted by the ASA SM image.


Note When you upload multi-mode FWSM contexts, reloading the ASA SM is not necessary after applying each multi-mode context.



Unsupported Runtime Commands

This section contains the following topics:

Unsupported Debug Commands

Unsupported Clear Commands

Unsupported Show Commands

Unsupported Debug Commands

The following debug commands are supported on the FWSM but not on the ASA SM.

[show | no] debug ip bgp

[show | no] debug resource partition

[show | no] debug pc-lu

[show | no] debug ssl

[show | no] debug npcp

[show | no] debug route-np

[show | no] debug aging

[show | no] debug session

[show | no] debug RM-NP-counter

[show | no] debug control-plane

[show | no] debug route-monitor

[show | no] debug acl optimization

[show | no] debug route-inject

Unsupported Clear Commands

The following clear commands are supported on the FWSM but not on the ASA SM.

clear dispatch stats all

clear ip bgp

clear route-monitor statistics

clear route statistics

clear np number_item keyword

clear np all stats

clear npcp statistics

clear service-acceleration

clear configure resource rule

clear configure resource partition

clear configure ftp-map

clear configure gtp-map

clear configure mgcp-map

clear configure h225-map

clear configure xlate-bypass

clear configure rip

clear configure route-monitor

clear configure router bgp

clear configure control-point tcp-normalizer

clear configure route-inject

Unsupported Show Commands

The following show commands are supported on the FWSM but not on the ASA SM.

show running-config all ftp-map

show running-config all gtp-map

show running-config all mgcp-map

show running-config all h225-map

show running-config all xlate-bypass

show running-config all rip

show running-config all route-monitor

show running-config all control-point tcp-normalizer

show running-config all route-inject

show resource rule

show resource acl-partition

show resource partition

show flashfs

show conn np

show asr

show pcdebug

show pc conn

show nic

show np keyword

show np number_item keywords

show cpu threshold

show dispatch table

show dispatch statistics

show pc xlate

show pc local-host

show ip bgp

show route-monitor

show npcp keywords

show service-acceleration statistics

show route-inject

Configuration Migration Reference

This section contains the following topics:

Migration Due to Default Behavior Differences

Migration Due to Unsupported Features in ASA SM

Migration Due to CLI Differences

Default Value and Value Range Differences

SNMP Differences

Migration Due to Default Behavior Differences

The major default behavior differences between FWSM and ASA SM are as follows.

Implicit Deny

By default, when the interfaces on the FWSM are configured without assigning any access list or access group commands, the FWSM drops all traffic that enters those interfaces. To allow any traffic to enter the FWSM, you must attach an inbound access list to an interface.

By default, when the interfaces on the ASA SM are configured without assigning any access list or access group commands, the ASA SM allows traffic to pass from a higher security interface (assume the inside security level is 100) to a lower security interface (assume the outside security level is 0). The inverse is not true. The ASA SM does not allow traffic to pass from the outside to inside interface.

Therefore, the Migration Tool was created to assume that this type of FWSM configuration required that traffic be blocked no matter the direction. To maintain parity, the Migration Tool adds an explicit ACL (deny ip any any) on all the interfaces to deny traffic. Additionally, on ASA SM, the last statement of any access list is an implicit deny ip any any. IOS device use this same behavior.

See the following examples:

Example 1

no access-list/groups on any interface
 
   

Traffic from the inside to the outside is permitted.

Traffic from the outside to the inside is denied.

Example 2

access-list INSIDE permit ip 192.168.1.0 255.255.0 any
access-group INSIDE in interface inside
 
   

Traffic from the inside to the outside, source IP 192.168.1.10, is permitted.

Traffic from the inside to the outside, source IP 192.168.2.1, is denied (hits implicit).

Implicit ICMP Deny

By default, FWSM is configured to set an implicit ICMP deny to the interface. The ASA SM is configured to set an implicit permit.

When you run the Migration Tool, it adds icmp deny statements on all interfaces.

NAT Matching for Statics

By default, FWSM is configured to use best match for static NAT and static PAT (regular and policy). When overlapping IP addresses occur in the static statements, a warning is displayed but the overlapping IP addresses are supported. The order of the static commands does not matter; the static statement that best matches the real address is used.

In the ASA SM, IP addresses are matched against static NAT and static PAT rules based on the order the rules appear in the configuration.

The Migration Tool is unable to preserve the behavior of the FWSM; therefore, if you have overlapping NAT rules, you should look at your migrated configuration to ensure it matches your address translation requirements.

Migration Due to Unsupported Features in ASA SM

The following FWSM features are not supported in ASA SM.

IPSec in Multimode (Management only)

On the FWSM, IPSec is supported for management purposes in multimode.

The ASA SM does not provide support for IPSec in multimode. IPSec (both in single and multimode) is not supported. When you run the Migration Tool, it removes any VPN related commands and informs you that IPSec is not supported.

Asymmetric Routing

When asymmetric routing was introduced in ASA SM, it was not affected by the active/active restriction.

On the ASA SM, asymmetric routing is only supported in active/active mode.

The Migration Tool removes the commands if not in active/active mode and informs the user.

BGP Stub Routing

CLI commands:

router bgp

bgp router-id

neighbor remote-as

neighbor password

network

This is a feature in FWSM that supports BGP stub routing.

ASA SM does not support this feature.

The Migration Tool removes the BGP related commands and informs the user.

Failover Preemption for Active/Standby Failover

CLI command:

[no] failover preempt

This is a feature in FWSM that can be configured in an Active/Standby failover scenario. When this feature is configured, the Primary unit always becomes Active after a certain time in the following cases:

When the primary unit fails and the secondary becomes active

When the secondary unit boots before the primary unit and the secondary unit is active

ASA SM does not support this feature.

The Migration Tool removes the command and informs the user.

Route Health Injection

CLI commands:

route-inject

redistribute nat

redistribute connected

redistribute static

This is a feature on FWSM that installs connected, static, NAT pool routes configured on the FWSM into MSFC on a per context basis. MSFC can then redistribute the routes.

ASA SM does not support this feature.

DHCP Relay Interface Specific Servers

CLI:

interface vlan vlan_id

dhcprelay server ip_address

FWSM added this feature in 3.2(1). With this feature, interface specific DHCP servers can be configured. "dhcprelay server" CLI could be configured in global mode and it was also added to be in interface specific mode.

ASA SM does not support this feature.

The Migration Tool converts the commands from interface specific to global and informs the user.

Stateful Failover Uauth Table Replication

FWSM supports replicating the Uauth Table to the failover peer when stateful failover is configured.

ASA SM does not support this feature.

The Migration Tool adds an INFO message when stateful failover is configured.

Migration Due to CLI Differences

The following table lists the differences between CLI commands for FWSM and ASA SM:

Table 1 FWSM vs. ASA SM Configuration CLI differences

Feature
FWSM Commands
Behavior in ASA SM

Connection timeouts for all protocols

set connection timeout idle

The idle keyword is not supported on ASA SM. ASA SM has the tcp keyword, which is used to close TCP connections after a certain time.

Running the Migration Tool converts the idle keyword to the tcp keyword.

Connection rate limit

set connection conn-rate-limit

The command is not supported on the ASA SM. The Migration Tool removes the command from the configuration.

AAA authentication challenge

aaa authentication challenge disable

The command is not supported on theASA SM. The Migration Tool removes the command from the configuration.

AAA authentication clear conn

aaa authentication clear-conn

The command is not supported on the ASA SM. The Migration Tool removes the command from the configuration.

Virtual SSH

virtual ssh

The command is not supported on the ASA SM. The Migration Tool removes the command from the configuration.

Interactive password prompts with Radius for authentication

auth-prompt reject [invalid-credentials | expired-pwd]

The ASA SM supports the command but not the new options.

The Migration Tool removes the command when the new options are present.

DHCP relay trusted interface (option 82)

dhcprelay information trusted

dhcprelay information trust-all

The command is not supported on the ASA SM. The Migration Tool removes the command from the configuration.

http-map

port-misuse

The command is not supported on the ASA SM. The Migration Tool removes the command from the configuration.

 

logging deny conn-queue-full

The command is not supported on the ASA SM. The Migration Tool removes the command from the configuration.

EtherType Access lists and denying IPv4 and ARPs

On the FWSM, in transparent firewall mode with "deny all" ethertype access-list, both IPv4 and ARP cannot be denied with FWSM.

On the ASA SM, in transparent firewall mode with "deny all" ethertype access-list, all the ethertypes including IPv4 and ARP are denied.

The Migration Tool adds permit statements for IPv4 and ARP ethertypes.

Direct Login or Logout using Virtual HTTP for User Authentication

virtual http ip_address [host hostname]

On the ASA SM, the virtual http command exists but has different behavior for this command. ASA SM supports the login aspect of direct authentication but not logout.

ASA SM does support the cascading authentication with the virtual http command.

You can configure this feature on ASA SM by using the aaa authentication listener http command.

Route Monitoring

Route-monitor

ASA SM supports the same feature using the sla monitor command. ASA SM supports more options with the command thanFWSM.

The Migration Tool removes the FWSM command and adds information in the tool log about the sla monitor command, which you can use to achieve similar functionality.

Application Inspection

ftp-map

gtp-map

h225-map

http-map

mgcp-map

snmp-map

sip-map

ASA SM supports the Application Inspection map commands.

Running the Migration Tool converts the map commands to policy-map match commands used by the ASA SM.

RIP

rip

ASA SM supports single line RIP configuration.

Running the Migration Tool converts the configuration to the RIP configuration used by the ASA SM when the command is present in the startup configuration.

TCP Normalizer

control-point tcp-normalizer

FWSM supports a limited TCP Normalizer. This can be enabled or disabled using a configuration setting.

ASA SM does not include a setting to disable the TCP normalizer.

The Migration Tool removes the command from the configuration.

Rule limits

resource acl-partition

resource partition

size

rule

allocate-acl-partition

access-list commit

resource rule

Due to Hard NPs, FWSM has fixed rule limits and commands to support the limits.

ASA SM does not have fixed rule limits so it does not support the commands to allow fixed rule limits.

The Migration Tool removes the commands from the configuration.

Xlates for all traffic

xlate-bypass

FWSM creates xlates for all traffic (including to the device traffic).

ASA SM does not create xlates for all traffic and, therefore, does not support the command.

The Migration Tool removes the command from the configuration.

ACL optimization

access-list optimization enable

ASA SM does not support this command.

The Migration Tool removes the command from the configuration.

 

sysopt uauth allow-http-cache

ASA SM does not support this command.

The Migration Tool removes the command from the configuration.

 

sysopt np completion-unit

ASA SM does not support this command.

The Migration Tool removes the command from the configuration.

 

sysopt connection tcp sack-permitted

FWSM uses the no form of the command to clear the SACK permitted option exchanged during the TCP 3-way handshake. The SACK option is enabled by default.

ASA SM implements this feature using the tcp-options selective-ack clear/allow command under tcp-map. By default, ASA SM allows the SACK option.

The Migration Tool converts the no form of the command to the ASA SM tcp-options command.

 

sysopt connection tcp window-scale

FWSM uses the no form of the command to clear the Window-scale TCP option. The option is allowed by default.

ASA SM implements this feature using tcp-options window-scale {clear/allow} command under tcp-map. The default is to allow the window-scale option.

The Migration Tool converts the no form of the command to the ASA SM tcp-options command.

SNMP Trap commands

snmp-server enable traps entity redun-switchover

snmp-server enable traps entity alarm-asserted

snmp-server enable traps entity alarm-cleared

snmp-server enable traps resource

snmp-server enable traps resource limit-reached

snmp-server enable traps resource rate-limit-reached

ASA SM does not support these SNMP traps and, therefore, does not support these commands.

The Migration Tool removes the commands from the configuration.

Service Reset

service reset no-connection

ASA SM achieves the same behavior using the service reset inbound command.

The Migration Tool converts the FWSM command to the service reset inbound command used by ASA SM.

 

aaa schedule round-robin

ASA SM does not support this command.

The Migration Tool removes the command from the configuration.

 

aaa authentication {ftp | telnet | http | https} challenge disable

ASA SM does not support the challenge disable command or the ftp option.

The Migration Tool removes the command from the configuration.

Resource Limits

limit-resource rate fixups value

limit-resource rate resource value%

limit-resource Mac-addresses value|value%

limit-resource IPSec value|value%

ASA SM does not have upper limits on resources and, therefore, does not support% rate limit for resources. ASA SM does not support limiting MAC addresses and IPSec tunnels.

The Migration Tool converts limit-resource rate fixups value to limit-resource rate inspects value, removes limit-resource rate resource value%, removes limit-resource Mac-addresses value|value%, removes limit-resource IPSec value|value%.

URL-Server commands

url-server [if_name] vendor websense host local_ip protocol udp context-name

url-server [if_name] vendor websense host local_ip protocol tcp connections num_conns

ASA SM does not support the context-name keyword. ASA SM requires the protocol keyword followed by TCP for configuring the number of simultaneous connections.

The Migration Tool removes the context-name keyword from the command. If the connections keyword is found without the protocol keyword, the Migration Tool adds the protocol keyword.


Default Value and Value Range Differences

The following table lists the differences in default values and value ranges between the FWSM and the ASA SM. These differences in default values and value ranges do not affect the migration to ASA SM from FWSM.

Table 2 Default Values/Value Range Differences

FWSM Values
ASA SM Values

Minimum failover poll time in milliseconds is 500

CLI:

failover polltime msec

Minimum failover poll time in milliseconds is 200

CLI:

failover polltime msec

Minimum poll interval for interfaces is 3 seconds.

CLI:

failover polltime interface

Minimum poll interval for interfaces is 1 second. ASA SM supports milliseconds and the minimum millisecond interval is 500.

CLI:

failover polltime interval

failover polltime interval msec

Minimum Failover Unit poll time is 500 milliseconds

CLI:

failover polltime unit msec

Minimum Failover Unit poll time is 200 milliseconds

CLI:

failover polltime unit msec

Resource limits.

Conns - 999,900

Conns/Sec - 102,400

Fixups/Sec - 10,000

Hosts - 256K

Syslogs/sec - 30,000

Xlates - 256K

ASA SM does not have resource limits for all the resources that are mentioned in the FWSM column.

SIP Disconnect Timeout

Minimum - 1 minute

Maximum - 10 minutes

CLI:

timeout sip-disconnect

SIP Disconnect Timeout

Minimum - 1 second

Maximum - 1193 minutes

CLI:

timeout sip-disconnect

SIP Invite Timeout

Maximum - 30 minutes

CLI:

timeout sip-invite

SIP Invite Timeout

Maximum - 1193 minutes

CLI:

timeout sip-invite

Xlate Timeout

Minimum - 30 seconds

CLI:

timeout xlate

Xlate Timeout

Minimum - 1 minute

CLI:

timeout xlate

Note The Migration Tool converts the xlate timeout command that has values between 30 seconds to 59 seconds to 1 minute.


SNMP Differences

The following FWSM MIBs are not supported by ASA SM:

CISCO-ENTITY-ALARM-MIB.my

CISCO-ENTITY-REDUNDANCY-MIB.my

CISCO-ENTITY-REDUNDANCY-TC-MIB.my

CISCO-NAT-EXT-MIB.my

TCP-MIB.my

UDP-MIB.my

The following FWSM SNMP traps are not supported by ASA SM.

ceAlarmAsserted: CISCO-ENTITY-ALARM-MIB.my

ceRedunEventSwitchover: CISCO-ENTITY-REDUNDANCY-MIB.my

clrResourceRateLimitReached: CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB.my

Related Documentation

For additional information about the FWSM, go to the following URL:

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html

For additional information about the ASA SM, go to the following URL:

http://www.cisco.com/go/asadocs

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

©2010 Cisco Systems, Inc. All rights reserved.