Migrating from the Cisco ASA 5500 to the Cisco Adaptive Security Virtual Appliance
Overview
Although the ASAv shares a common software foundation with the Cisco ASA 5500, you cannot directly use an ASA 5500 configuration on an ASAv. You must modify the ASA 5500 configuration and remove configurations for all features that are not supported on the ASAv.
Supported Platforms for Migration
You may migrate all ASA hardware devices that have 8.4(x) and later software installed on them.
Modifying a Cisco ASA 5500 Configuration to an ASAv Configuration
To migrate an ASA 5500 configuration to an ASAv configuration, follow these guidelines:
Guidelines
- You may perform a migration using either the CLI or ASDM.
- To use ASDM, you must configure the ASAv for HTTP access.
- Use a text editor to modify the source configuration file for the ASAv.
- The ASAv does not support multiple context mode; you can, however, convert a security context configuration into an ASAv configuration.
- The ASAv does not support ASA clustering; therefore, the cluster-related interface configuration needs to be removed before you can use it on the ASAv.
Note: You may copy an unmodified hardware configuration onto an ASAv. However, you will receive “Invalid Input” and other errors or warnings for the commands that are not supported in this version of the virtual platform.
Detailed Steps
The following table lists the steps that are required to change an ASA 5500 configuration to an ASAv configuration.
To upgrade an ASA 5500 configuration to Version 9.2(1), you can leverage a built-in ASAv migration tool. This tool activates when you reboot if the startup configuration matches older ASA versions. Version 9.2(1) then migrates feature-related commands that have changed from the version that was originally stored in the startup configuration.
See the ASA release notes for more information about configuration migration and for upgrade guidelines.
Retrieve the ASA 5500 firewall configuration file from the source device, and store it on your local file system.
See the “Managing Software and Configurations” chapter in the General Operations CLI Configuration Guide.
Choose one of the following two options:
Export the following VPN configuration files:
- Any clientless secure socket layer (SSL) customizations or plugins.
- Any AnyConnect, Cisco Secure Desktop, and host scan images from the ASA 5500.
- The PKCS12 file for the identity certificate from the ASA 5500.
Note: Make sure that you place the files in the same path that is specified in the configuration.
See the “Clientless SSL VPN Overview” chapter in the VPN CLI Configuration Guide.
See the “Configuring AnyConnect VPN Client Connections” chapter in the VPN CLI Configuration Guide.
See the “Installing and Enabling CSD” chapter in the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators.
See the “Configuring AnyConnect Host Scan” chapter in the VPN CLI Configuration Guide.
See the “Configuring Digital Certificates” chapter in the General Operations CLI Configuration Guide.
See the “Configuring Policy Groups” chapter in the VPN CLI Configuration Guide.
We encourage you to use the ASDM Backup Utility to facilitate this process and save the source files. These VPN-specific files may include the following: all security images, identity certificates, VPN pre-shared keys, and all SSL VPN configurations.
Note: Make sure that you uncheck the running and startup configuration check boxes to exclude them from the backup process.
See the “Managing Software and Configurations” chapter in the General Operations ASDM Configuration Guide.
Change any interface configuration to match the available interfaces on the ASAv: Management 0/0 and GigabitEthernet 0/0 - 0/8 (for a ten-interface deployment).
See the “Starting Interface Configuration (ASA 5510 and Higher)” chapter in the General Operations CLI Configuration Guide.
Remove the Content Security and Control Security Services Module configuration (if one is installed).
See the “Configuring the ASA CSC Module” chapter in the Firewall CLI Configuration Guide.
Remove the Advanced Inspection and Prevention Security Services Module configuration (if one is installed).
See the “Configuring the ASA IPS Module” chapter in the Firewall CLI Configuration Guide.
See the “Configuring the ASA CX Module” chapter in the Firewall CLI Configuration Guide.
Remove the following unsupported features:
- Multiple context mode
- Clustering—Remove the cluster-pool and mgmt-pool keywords and arguments from the ip address command.
- Active/Active Failover
See the “Configuring Multiple Context Mode” chapter in the General Operations CLI Configuration Guide.
See the “Configuring a Cluster of ASAs” chapter in the General Operations CLI Configuration Guide.
See the “Configuring Failover” chapter in the General Operations CLI Configuration Guide.
Deploy the ASAv. To enable ASDM connectivity, you need to set appropriate properties, including the mapping of interfaces, in the OVF template.
See the “Deploying the Cisco Adaptive Security Virtual Appliance” chapter in the Cisco Adaptive Security Virtual Appliance (ASAv) Quick Start Guide.
Connect to the ASAv and configure SSH or Telnet for basic connectivity.
From the CLI, use the telnet, ssh, or http command.
In ASDM, choose Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH.
See the “Deploying the Cisco Adaptive Security Virtual Appliance” chapter in the Cisco Adaptive Security Virtual Appliance (ASAv) Quick Start Guide.
Find your ASAv serial number so that you can obtain the new license that is required to run the ASAv in standard mode.
From the CLI, enter the show version or show inventory command.
In ASDM, choose Help > About the Cisco ASA.
You must also request additional feature licenses that match what is configured on your ASA hardware.
See the “Deploying the Cisco Adaptive Security Virtual Appliance” chapter in the Cisco Adaptive Security Virtual Appliance (ASAv) Quick Start Guide.
Import the VPN-specific files that you obtained from performing Step 3. If you obtained an ASDM backup zip file, you can then restore it onto the ASAv.
In ASDM, choose Tools > Restore Configurations.
Note: If you issue the anyconnect-essentials command or the no anyconnect-essentials command, the following message appears:
See the “Clientless SSL VPN Overview” chapter in the VPN CLI Configuration Guide.
See the “Configuring AnyConnect VPN Client Connections” chapter in the VPN CLI Configuration Guide.
See the “Installing and Enabling CSD” chapter in the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators.
Copy the modified ASA 5500 configuration into the ASAv startup configuration. Then enter the reload noconfirm command to reload the ASAv and preserve the copied startup configuration.
You can only use copy-and-paste or read-from-file methods on files that have been saved with Version 9.2(1) and modified in previous steps. These methods may leave interfaces in a shut-down state, may conflict with running configurations, and will not trigger the ASA migration tool.
The VMware vSphere client console window does not allow you to copy and paste information. You must use a TFTP, HTTP, or FTP server to transfer the modified configuration file by entering either the configure net or copy running-config command from the CLI.
See the “Configuring Management Access” chapter in the General Operations CLI Configuration Guide.
See the reload noconfirm command in the Command Reference.
See the “Configuring Digital Certificates” chapter in the General Operations CLI Configuration Guide.
See the configure net or copy running-config command in the Command Reference.
From the CLI, use the show startup-config errors command to view any errors that the ASAv detected as it booted.
See the show startup-config errors command in the Command Reference.
See the “Managing Software and Configurations” chapter in the General Operations ASDM Configuration Guide.
Review the configuration for interfaces that may be disabled, but should not be.
From the CLI, enter the no shutdown command.
In ASDM, choose Configuration > Device Management > Interfaces.
See the no shutdown command in the Command Reference.
See the “Completing Interface Configuration (Routed Mode)” chapter in the General Operations ASDM Configuration Guide.
Verify that the access lists, interfaces, and inspections are correct.
In the CLI, use the show running-config command to confirm that the ASAv configuration is correct.
See the “Using the ACL Manager” chapter in the General Operations ASDM Configuration Guide.
See the “Starting Interface Configuration (ASA 5510 and Higher)” chapter in the General Operations ASDM Configuration Guide.
See the “Getting Started with Application Layer Protocol Inspection” chapter in the Firewall ASDM Configuration Guide.
See the show running-config command in the Command Reference.
Test the modified configuration on the ASAv for the desired behavior before deploying it in production.
See the packet tracer command in the Command Reference.
See the “Troubleshooting” chapter in the General Operations ASDM Configuration Guide.
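The configuration edits in the steps above (interface names, cluster-pool and mgmt-pool arguments, and the unsupported features and modules) can be checked with a script before the file is transferred to the ASAv. The following Python code is an added example, not part of this guide or of Cisco's migration tool. The patterns for context, cluster, failover and module commands are assumptions about how those features usually appear in a configuration, and the sample input is constructed.

```python
import re

# Interfaces the guide lists for the ASAv; a subinterface is judged by its parent port (assumption).
ASAV_IFACE = re.compile(r"^(Management0/0|GigabitEthernet0/[0-8])(\.\d+)?$")
# Assumed command patterns for the features the steps say to remove;
# extend them for your own source configuration.
UNSUPPORTED = [
    (re.compile(r"^\s*(mode multiple|admin-context|context)(\s|$)"), "multiple context mode"),
    (re.compile(r"^\s*cluster\s"), "clustering"),
    (re.compile(r"^\s*failover group\s"), "Active/Active failover"),
    (re.compile(r"^\s*csc\s"), "CSC module"),
    (re.compile(r"^\s*ips\s"), "IPS module"),
    (re.compile(r"^\s*cxsc\s"), "CX module"),
]
POOL_ARG = re.compile(r"\s+(cluster-pool|mgmt-pool)\s+\S+")

def audit(config_text):
    """Return (cleaned_lines, findings); each finding is (line_no, reason, line)."""
    cleaned, findings = [], []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"^interface\s+(\S+)", line)
        if m and not ASAV_IFACE.match(m.group(1)):
            findings.append((no, "interface not available on ASAv", line))
        if re.match(r"^\s*ip address\s", line) and POOL_ARG.search(line):
            findings.append((no, "cluster-pool/mgmt-pool argument stripped", line))
            line = POOL_ARG.sub("", line)  # keep the address, drop keyword and pool name
        for pattern, reason in UNSUPPORTED:
            if pattern.search(line):
                findings.append((no, "remove: " + reason, line))
        cleaned.append(line)
    return cleaned, findings

# Constructed sample input, not taken from the guide's sample configurations.
SAMPLE = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0 cluster-pool OUTSIDE_POOL
interface TenGigabitEthernet0/6
interface Management0/0
 ip address 198.51.100.1 255.255.255.0
cluster group LAB
failover group 1
policy-map global_policy
 class inspection_default
  ips inline fail-open
"""

if __name__ == "__main__":
    for no, reason, line in audit(SAMPLE)[1]:
        print(f"line {no}: {reason}: {line.strip()}")
```

Flagged lines still need a manual edit in the text editor; only the cluster-pool and mgmt-pool arguments are rewritten automatically.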
Sample Configuration Files
Basic Configuration Before Migration
The following is a basic sample configuration file from an ASA 5525-X before migration to the ASAv:
Basic Configuration After Migration
The following is a basic sample configuration file from an ASA 5525-X after migration to the ASAv:
Configuration with VPN Before Migration
Before migration, make sure that the following two requirements have been met:
- Pre-shared keys with ***** have an actual key.
- The vCPU and AnyConnect Essentials feature licenses have been added.
The following is a sample configuration file with VPN from an ASA 5515-X before migration to the ASAv:
crypto map Inside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
Configuration with VPN After Migration
The following is a sample configuration file with VPN from an ASA 5515-X after migration to the ASAv:
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.