
Cisco PIX to Cisco ASA 5500 Series Migration Release Notes Version 1.0


July, 2008

Contents

This document includes the following sections:

Introduction

System Requirements

Important Notes

Caveats

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

Introduction

The Cisco PIX to ASA migration tool assists in migrating the software configuration of a Cisco PIX Security Appliance to a Cisco ASA 5500 Series Adaptive Security Appliance. While these two product families share a common software foundation, some differences exist (such as interface names) that require some work when migrating a configuration from PIX to ASA. The Cisco PIX to ASA migration tool can take a Cisco PIX Software v6.3 or v7.x configuration and convert it to a configuration that is usable on a Cisco ASA 5500 Series appliance.

The Cisco PIX to ASA migration tool supports both GUI and CLI-based operation, giving administrators flexibility in how they use this tool. The graphical interface guides administrators through the entire process, from selecting input/output files, to selecting the migration target platform, to mapping network interfaces, and then to generating the new migrated configuration. The CLI interface enables the same capabilities, but it gives administrators the ability to create scripts to easily perform bulk migrations. This tool will help to expedite the migration process and help to prevent administrators from making common mistakes when performing manual migrations.

System Requirements

The sections that follow list the system requirements for operating a Cisco ASA 5500 Series Adaptive Security appliance. This section includes the following topics:

Platform Requirements

Determining the Software Version

Platform Requirements

To perform the migration, the ASA platform requires the following:

The configuration from the PIX source.

Cisco ASA Software Version 7.2 or later for the converted CLIs.


Note: Cisco ASA Software versions earlier than 7.2(2) may also be specified as targets, but features in later versions (such as PPPoE and others), which are available on some PIX platforms, are not handled by earlier ASA versions.


Platform that supports Java Runtime Environment version 1.4.2 or later (such as Windows XP, 2003, Mac OS X, Linux, and so on). We recommend that the latest version of either Java 1.4.2, Java 5 (1.5), or Java 6 (1.6) be used. Java downloads may be obtained from http://www.java.com/downloads or from links on that page.

The following ASA target types are supported:

ASA-5505

ASA-5510

ASA-5520

ASA-5540

ASA-5550

ASA-5580

Determining the Software Version

Use one of the following methods to determine the software version of your device:

Use the show version command to verify the software version of your Cisco ASA 5500 Series Adaptive Security Appliance.

Connect to the device using ASDM, and verify the software version in the Device Information box on the Device Dashboard tab of the Home page.

Important Notes

This section lists important notes related to the Cisco PIX to ASA migration tool.

Installation

The Cisco PIX-to-ASA migration tool is supported on Microsoft Windows, Red Hat Linux, or Mac OS X. You must have Java Runtime Environment version 1.4.2 or later installed. We recommend that the latest version of either Java 1.4.2, Java 5 (1.5), or Java 6 (1.6) be used. Java downloads may be obtained from http://www.java.com/en/download/index.jsp.


Note: Although the PIX-to-ASA migration tool is supported on Microsoft Windows, Red Hat Linux, and Mac OS X only, it may run on other platforms that support the required versions of Java.



Note: When you download the installation files shown in these instructions, the names of the downloaded installation files may include a version number. For example, you may download and use PIXtoASASetup_1_0.exe in the place of the PIXtoASASetup.exe file.


Installing on Microsoft Windows

To install the Cisco PIX-to-ASA migration tool on Windows, perform the following steps:


Step 1 Download the PIXtoASAsetup.exe file from the Cisco Software Center.

Step 2 Double-click the PIXtoASAsetup.exe file.

The PIX-to-ASA migration tool installation wizard opens.

Step 3 Click Next.

The Destination Folder screen appears.

Step 4 (Optional) To change the install location, perform the following steps:

a. Click Change.

b. Browse to the desired installation location.

c. Click OK.

Step 5 Click Next.

The Setup Type screen appears. Select the setup type you prefer, and click Next.

You can choose between a complete installation and a custom installation:

Complete Installation: Installs all components. After clicking Next, the Ready to Install Program screen appears. Go to Step 7.

Custom Installation: You can choose the components you want installed. After clicking Next, the Custom Setup screen appears. Go to Step 6.

Step 6 (Optional) Select the components that you do not want installed by clicking the disk icon next to the component, selecting This feature will not be available, and then clicking Next. Click a component name to see a description of the component.


Note: By default, all features are selected to be installed.


The Ready to Install the Program screen appears.

Step 7 Click Install.

Step 8 When the installation is complete, click Finish to close the Install Wizard.


Tip: To launch the Cisco PIX-to-ASA migration tool when you close the wizard, check the Launch PIX-to-ASA migration tool checkbox.


The Install Wizard adds a Cisco PIX-to-ASA migration tool folder to your Start menu. The folder contains shortcuts to the Migrating Cisco PIX Configurations to Cisco ASA 5500 Series Configurations document, the Cisco PIX-to-ASA migration tool, and the PIX-to-ASA migration tool uninstaller.


Installing on Mac OS X

To install the Cisco PIX-to-ASA migration tool on Mac OS X, perform the following steps:


Step 1 Download the PIX_to_ASA.dmg disk image file from the Cisco Software Center.

Step 2 Double-click the PIX_to_ASA.dmg disk image file to mount it.

A PIX to ASA folder opens on your desktop. If not, double-click the PIX to ASA virtual disk icon that is on the desktop.

Step 3 (Optional) Create a directory in which to store a permanent copy of the folder contents.

Although you do not need to keep a copy of the extracted files on your system, it is useful if you are going to use the scripting tools.

Step 4 (Optional) Drag the contents of the folder to the folder you created. You can drag the PIXtoASA.app file to the Macintosh Applications folder to install the application.

The archive contains PIXtoASA.app (a Macintosh GUI application), an executable JAR for scripts, a Bourne shell script, and the user documentation in PDF format.


Installing on Linux

To install the Cisco PIX-to-ASA migration tool on Red Hat Linux, perform the following steps:


Step 1 Download the PIXtoASA.zip file from the Cisco Software Center.

Step 2 Unpack the file with either the unzip or the gunzip application to the desired location.

The file contains a PDF file of the user documentation, a Bourne shell script that can be used to launch the application, and an executable JAR file.


Caveats

The following sections describe the caveats for Version 1.0.

For your convenience in locating caveats in the Cisco Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.


Note: If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/support/bugtools

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do


Open Caveats

Table 1 lists the open caveats for Version 1.0.

Table 1 Open Caveats

DDTS Number    Caveat
CSCsq64590     It takes more than 2 minutes to convert a config of size 246 KB.
CSCsq64371     GUI hangs sometimes when run on Linux Red Hat.
CSCsq23343     Migrating PIX config to 5505 speed/duplex should be part of physical int Version (Max5): 000.014
CSCsr47540     PIX sub-interfaces to ASA 5505 warning.
CSCsr47542     Multiple context PIX not converted.
CSCsr08009     After copying a configuration through tftp, some commands may need to be rewritten to memory.
CSCsl18083     The vpngroup commands are not converted to tunnel-group commands automatically. Even though this defect is resolved, it is not in currently shipping ASA software.
CSCsr52222     Disallow selection of non-default VLAN interfaces on ASA 5505 target.
CSCsr60738     Interface name begins with a numeral, the tool throws up an error.
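A source configuration can be screened for two of these open caveats before it is given to the tool. The following pre-check is an added example, not part of the Cisco tool or these release notes; the function names are hypothetical, the nameif and vpngroup line layouts are assumptions about PIX 6.3 and 7.x syntax, and the sample configuration is constructed and mixes both forms for illustration.

```shell
# Added example, not part of the Cisco tool. Assumed syntax:
#   PIX 6.3:  nameif <hardware_id> <name> <security_level>
#   PIX 7.x:  nameif <name>   (inside an interface block)
# Prints one finding per line; returns 1 if anything was found.
precheck_pix_config() {
    awk '
        $1 == "nameif" {
            name = (NF >= 3) ? $3 : $2
            if (name ~ /^[0-9]/) {
                printf "line %d: CSCsr60738 interface name %s begins with a numeral\n", NR, name
                found = 1
            }
        }
        # Report each vpngroup once; it needs a hand-written tunnel-group.
        $1 == "vpngroup" && !seen[$2]++ {
            printf "line %d: CSCsl18083 vpngroup %s is not converted automatically\n", NR, $2
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample configuration (not from a real device).
sample_pix_config() {
    cat <<'EOF'
nameif ethernet0 outside security0
nameif ethernet1 1inside security100
interface Ethernet2
 nameif 2dmz
vpngroup remote-users address-pool vpnpool
vpngroup remote-users dns-server 10.0.0.53
EOF
}
```

Because the function returns non-zero when it reports a finding, a bulk-migration script can skip or queue those configurations for manual review.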


Workaround for CSCsq64371

If the processing session was started from a shell session, rather than by double-clicking the JAR in a GUI file viewer, the session may be suspended from the shell. If the session is running in the background, some shells have a "foreground" (fg) command that makes a background process into a foreground process. With a foreground process, a key sequence, such as Ctrl-Z, will suspend the process. When the suspended process is restarted, it redraws the screen and processes the current source configuration file to completion.

Alternatively, the kill command, with appropriate arguments, may be used to suspend and then resume processing. The process ID may be found with the ps command.
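The kill-based variant of this workaround can be scripted as follows. This is an added example, not part of the Cisco tool or these release notes: the function names are hypothetical, and the choice of the STOP and CONT signals as the "appropriate arguments" is an assumption of the example. The PID is the one found with ps.

```shell
# Added example (not Cisco's code): suspend, then resume, a process by PID.
# Assumption: STOP and CONT are the signals passed to kill.

# Print the process state letter(s); "T" means stopped.
proc_state() {
    if command -v ps >/dev/null 2>&1; then
        ps -o stat= -p "$1" | tr -d ' '
    elif [ -r "/proc/$1/stat" ]; then
        # Linux fallback: the state is the field after "(command name)".
        sed 's/.*) //' "/proc/$1/stat" | cut -c1
    fi
}

# Poll until the process is stopped (want=stopped) or no longer stopped
# (want=running). Gives up after about five seconds.
wait_for_state() {
    pid=$1 want=$2 tries=0
    while [ "$tries" -lt 5 ]; do
        case "$want:$(proc_state "$pid")" in
            stopped:T*) return 0 ;;
            running:T*) ;;            # still stopped, keep waiting
            running:?*) return 0 ;;
        esac
        tries=$((tries + 1))
        sleep 1
    done
    return 1
}

suspend_resume() {
    pid=$1
    kill -0 "$pid" 2>/dev/null || { echo "cannot signal pid $pid" >&2; return 1; }
    kill -s STOP "$pid" || return 1
    if ! wait_for_state "$pid" stopped; then
        kill -s CONT "$pid" 2>/dev/null || true
        echo "pid $pid did not stop" >&2
        return 1
    fi
    kill -s CONT "$pid" || return 1
    wait_for_state "$pid" running
}
```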

Related Documentation

For additional information about the PIX-to-ASA migration tool, see the Migration Guide for Converting Cisco PIX Configurations to Cisco ASA 5500 Series Configurations.

For additional information about the Cisco ASA 5500 Series Adaptive Security Appliance, go to the following URL on Cisco.com: http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html

Obtaining Documentation, Obtaining Support, and Security Guidelines

For any issues encountered during beta testing please notify the beta alias (pixtoasa-beta@cisco.com).

For information on obtaining documentation, obtaining non-beta support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html