The Cisco PIX firewall is near its end-of-software-maintenance life. Are you ready to upgrade to ASA? David Davis tells you about a tool that will ease your PIX to ASA upgrade.
In my blog post "Sadly, the PIX Firewall Is Discontinued," written early in 2008, I said how much I had enjoyed working with the Cisco PIX over the years and how disappointed I was that it was announced by Cisco to be "End of Sale" on January 28, 2008. In the Cisco PIX Security Appliances End-of-Sale Announcement, they detail the timeline for the PIX to "go away." That time is:
- End of Sale for Hardware: July 28, 2008
- End of Software Maintenance: July 28, 2009
- End of Service Contract Renewals: October 23, 2012
- End of Support: July 27, 2013
While there is some time before Cisco will stop supporting your PIX (in 2013), it should be of concern to you that there is no more software maintenance for your PIX come July of this year. That means that if there is a bug, Cisco isn't going to offer a patch for it; they will tell you to upgrade to an ASA (Adaptive Security Appliance) instead. Also, that means that there will be no more enhancements to the features of your PIX. What you have now is all you will ever have.
Truly, the PIX is an excellent firewall that is stable and offers just about everything most of us need. Still, if you have even one PIX firewall in place, the announcement is something that has to concern you. And, if like some large enterprises, you have hundreds of PIX firewalls in place it could be a huge concern. And these days, the bigger question for enterprises may be "how are we going to get millions of dollars in a down economy to replace our PIX firewalls with ASA firewalls?" While I can't help you solve that problem, let's assume that you already have your new ASA to replace your PIX. How do you do it?
PIX and ASA configurations differ
The important thing to note about PIX and ASA configurations are that they are different. In other words, to do one thing on a PIX requires a different command on an ASA. The ASA uses a more "IOS-like" configuration where the PIX has its own "PIX-OS" configuration. Here are just some of the differences between the two:
- The ASA is different hardware and has different interface names.
- The ASA uses sub-interface commands, like the Cisco IOS.
- A PIX will use FIXUP commands for application inspection whereas the ASA will use policy maps.
- On the PIX,outbound and conduit commands are used versus access lists on the ASA.
There are two ways to perform this conversion -- manually or by using the automatic migration tool. You may want to perform the conversion manually if you want more granular control, but Cisco offers a PIX to ASA Migration Tool that can perform this automatically. Let's look at how it works.
Note that to use this tool, your PIX must be running PIX-OS Version 6.3 or later.
Cisco's PIX to ASA Migration Tool
I downloaded the Cisco PIX to ASA Migration Tool (Cisco registration and a PIX service agreement is required). There are three versions -- Windows XP, Mac OSX, and Red Hat 9 Linux. I downloaded the Windows XP version and installed it. The Windows XP version did work on my Vista laptop. Once installed, I saw that it includes a User Guide, Migration Scripts, and the actual tool.
The PIX to ASA Migration Tool is really very simple. When you run it, it asks for a source and a target. The source can be either "Live" devices (powered on and running) or saved configuration files on your hard drive. If you are going to pull the configuration off of a live device, you would enter something like https://IP_Address/config into the blank for the configuration file. The target is where you want the resulting migrated config file to be placed.
I entered the source configuration file and target, and the tool scanned my configuration for interfaces. Next, I had to specify the type of device that this will go on. Will it be an ASA 5505? 5510? 5520? 5550? 5580? And what type of license?
I specified a 5505 with a plus license. I took the defaults for how my PIX Ethernet interfaces would be converted to ASA VLAN interfaces.Here is what it looked like: Figure A
From here, all I had to do was click Make Target Configuration for my ASA. The configuration took only a few seconds, and I was given an output log that looked like this:Figure B Next, I clicked on View Target Configuration to see my new ASA configuration file. You can see what it looked like in Figure C. I could tell instantly that it was converted with the new ASA header on the file. Even more so, I could see that it now had policy maps instead of fixup commands. Figure C Conclusion
While I have enjoyed using Cisco PIX devices over the years, it is also nice to move on to a more powerful and featured device -- the Cisco ASA. I am very pleased with the ease of migration that Cisco offers with their migration tool.
Learn more about migration from Cisco PIX to ASA appliances in Cisco's "Migration from PIX 500 Series Security Appliances to ASA 5500 Series Adaptive Security Appliances" and the "Cisco PIX to Cisco ASA 5500 Series Migration Release Notes."