Tuesday, April 12, 2011

Migrating from a PIX device to an ASA device

I recently retired a Cisco PIX device and replaced it with an ASA device. I’m no CCIE but I’ve worked with Cisco gear enough over the last few years and have come to depend upon it. When given a choice, I always buy Cisco (at least, when I can afford it). Here are my thoughts on the migration process.

First things first, always purchase the Cisco SmartNet coverage. Not only does it include hardware replacement in case the device crashes, but more importantly SmartNet gives you access to Cisco technicians who specialize in areas such as device configuration and VPNs. In this case, I was able to get several of my questions answered and received guidance on the initial configuration of the ASA device and on building the VPN tunnel. Always, always, always purchase the SmartNet coverage and keep purchasing it for the life of the device.

Pull a text copy of the running configuration file off of the PIX device and make note of the private IP addresses and public IP addresses. This is information that every network administrator should already know, and it’s a good way to refresh your knowledge. This is the starting point for your configuration of the new ASA device.

I’d found documentation on Cisco’s technical assistance website regarding migrating the settings of a PIX device over to a new ASA device. This documentation was good and included a link to a utility that I downloaded and used to do an initial conversion of the PIX configuration file for use on the ASA. But it was only the beginning (very important - remember this if it is the only item you remember from this post). A PIX only has two (2) interfaces (Ethernet ports where you plug in the network cable) – an inside interface (assigned an internal IP address and accessible from the LAN) and an outside interface (assigned a public, routable IP address). The ASA device typically has eight (8) interfaces. So right off the bat, even if you use the PIX to ASA conversion tool from Cisco, you need to think about how you’ll map the interfaces. This all goes into the VLAN configuration of the ASA device as well. Create a VLAN (VLAN1) that encompasses Ethernet port 0/0 and assign it as the outside interface. Next, create another VLAN (VLAN2) that encompasses Ethernet ports 0/1 through 0/7 and assign it as the inside interface.

I won't spend too much time on this because what you do here depends upon what you'll use the device for. Configure the VLANs so that they accept or reject access to the device based upon things like the IP address of the host that wants to reach the device through services such as the ASDM, telnet, and SSH. This is also where you’ll configure internal / external traffic routes.
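The interface mapping and management-access restrictions described above, written out as an ASA 5505-style configuration fragment. This is an added example, not configuration from the original post; all IP addresses, the admin host, and the default gateway are placeholders you would replace with the values noted from your PIX config.

```cisco
! Added example (not from the original post); addresses are placeholders.
! VLAN1 = outside, carried on Ethernet0/0 (takes over the PIX "outside" role)
interface Vlan1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! VLAN2 = inside, carried on Ethernet0/1 through 0/7 (the PIX "inside" role)
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Physical switch ports: 0/0 -> VLAN1, 0/1 through 0/7 -> VLAN2
interface Ethernet0/0
 switchport access vlan 1
 no shutdown
interface Ethernet0/1
 switchport access vlan 2
 no shutdown
interface Ethernet0/2
 switchport access vlan 2
 no shutdown
interface Ethernet0/3
 switchport access vlan 2
 no shutdown
interface Ethernet0/4
 switchport access vlan 2
 no shutdown
interface Ethernet0/5
 switchport access vlan 2
 no shutdown
interface Ethernet0/6
 switchport access vlan 2
 no shutdown
interface Ethernet0/7
 switchport access vlan 2
 no shutdown
!
! Default route toward the ISP gateway (placeholder) on the outside interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Management access: ASDM (HTTPS) and SSH only from one admin host on the
! inside. No http/ssh/telnet lines reference "outside", so management is
! unreachable from the Internet; telnet is cleartext, so it is left disabled.
http server enable
http 192.168.1.10 255.255.255.255 inside
ssh 192.168.1.10 255.255.255.255 inside
```

After applying this, `show running-config` is what you compare against the text copy of the old PIX config when tracking down routing or access problems.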

Test, test, and test again. Test traffic flow, test access to the inside and outside interfaces, and test the VPN tunnels. As Ronald Reagan once said, “trust but verify.” This saying should be a first thought for any network administrator or anyone involved in IT.

Once everything has been tested and judged to be working as it should, back it up! Back up the device’s configuration file. Back up everything and make sure that if needed, the backup file is available on the LAN where the device is so that you can upload it. Besides the backup file that you can pull from an ASA device using the ASDM console, make a text copy of the running configuration file. During this whole process, examining the text copy of the running configuration file proved invaluable in troubleshooting and eventually solving issues.


Rob