Migrating from Cisco Pix to Cisco ASA

One of the most notable differences between Cisco ASA devices and Cisco Pix devices to be aware of is that the ASA devices don't support the PPTP protocol (think of it as sanity catching up to your organization), and that the ASA5505 doesn't support EZVPN server mode. While these may sound trivial, suddenly changing the way employees connect can feel like a cultural issue.

Another difference, and one I wouldn't have guessed until I saw it on a customer system, is that capitalization alone is not enough to distinguish names on the ASA: you cannot assign Test1 to one IP address and TEST1 to a different address, because they are the same reference. Again, think of it as sanity enforcement; your organization should not be using the Caps Lock key as an address discriminator. The PDM "name" function is not supported at all, and a handful of other warnings appear when importing.

There is a utility from Cisco available to assist in importing; alas, I have never used it because I like to know exactly what is changing. Yes, this can be a big job when working with 20,000 lines of configuration, but the last job I did of that size was 100% successful, not just 99%, due to understanding the details of each conversion issue. My process is to reflect the changes back into the source and then re-import until there is a completely clean import.
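The two import problems above, case-colliding `name` entries and PPTP configuration, are easy to catch in the source config before the first import attempt. The following is an added example, not code from the original post or from Cisco: a small pre-migration linter that reads a PIX-style configuration and reports labels that differ only by case (which the ASA treats as one reference) and `vpdn` lines (PIX PPTP configuration the ASA will not accept). The sample configuration is constructed for illustration, and the assumed line formats are `name <ip> <label>` and lines beginning with `vpdn`; adapt the patterns to whatever the real export looks like.

```python
import re
from collections import defaultdict

# Constructed sample of a PIX-style configuration excerpt (not from a real device).
# Assumed formats: "name <ip> <label>" for PIX name entries, "vpdn ..." for PPTP.
SAMPLE_PIX_CONFIG = """\
name 10.1.1.10 Test1
name 10.1.1.11 TEST1
name 10.1.2.5 mailserver
name 10.1.2.6 MailServer
name 10.1.3.1 dbhost
vpdn group pptp-users accept dialin pptp
vpdn enable outside
access-list inside_out permit tcp any host Test1 eq www
"""

NAME_RE = re.compile(r"^\s*name\s+(\S+)\s+(\S+)\s*$")


def find_name_collisions(config_text):
    """Group 'name' labels case-insensitively.

    Returns {lowercased_label: [(label, ip), ...]} containing only the
    groups with more than one entry, i.e. labels the ASA would merge.
    """
    groups = defaultdict(list)
    for line in config_text.splitlines():
        m = NAME_RE.match(line)
        if m:
            ip, label = m.groups()
            groups[label.lower()].append((label, ip))
    return {key: entries for key, entries in groups.items() if len(entries) > 1}


def find_pptp_lines(config_text):
    """Return (line_number, line) for lines configuring PPTP via vpdn.

    The ASA has no PPTP support, so every one of these needs a replacement
    remote-access design (e.g. IPsec or SSL VPN) decided before import.
    """
    return [
        (number, line)
        for number, line in enumerate(config_text.splitlines(), 1)
        if line.strip().lower().startswith("vpdn ")
    ]


def lint(config_text):
    """Produce one human-readable finding per problem the ASA import would hit."""
    findings = []
    for key in sorted(find_name_collisions(config_text)):
        entries = find_name_collisions(config_text)[key]
        labels = ", ".join(f"{label} -> {ip}" for label, ip in entries)
        findings.append(f"name collision (case-insensitive on ASA): {labels}")
    for number, line in find_pptp_lines(config_text):
        findings.append(f"line {number}: PPTP/vpdn is not supported on ASA: {line.strip()}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_PIX_CONFIG):
        print(finding)
```

Running the linter on the constructed sample reports two name collisions (Test1/TEST1 and mailserver/MailServer) and the two `vpdn` lines. The point of fixing these in the source export, rather than in the ASA, is the one made above: every change is recorded in the file you re-import, so the final import is clean rather than patched by hand on the device.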

VPN organization is also very different: there are tunnel groups, isakmp definitions and group policies, and these require an understanding of the intent and the security policies behind your VPN rules.

For those needing help with converting from Pix to ASA, you may want to get an expert involved, especially to understand the impact on security policy. After all, the firewall device is meant to be the implementation of a security policy; it should not be the security policy itself.

For help in migrating or configuring Cisco ASA security appliances or VPN connectivity and architecture, email security @ idsbusiness.com

I also recommend a follow-up security scan if ever there is any doubt; one should be done periodically anyway, so post-conversion is an ideal time.

Bil Herd
