Migrating from the Cisco Pix Firewall to the Cisco ASA Security Appliance
Presented by:
David Harrison - CCIE #8521, CCSP, CCSI
Ladi Adefala, CCSI
Ashish

Cisco ASA 5500 Series Appliances
Solutions Ranging from Desktop to Data Center
• Integrates market-proven firewall, SSL/IPsec, IPS, and content security

Recommended Migration Path for Cisco PIX Security Appliance Customers
Cisco ASA 5510 / 5520 Series
Cisco ASA 5505 Series
Cisco ASA 5520 / 5540 Series
Cisco AS
WWT/Cisco Confidential12
5505 5510 5520 5540 5550 5580-20 5580-40

Many Compelling Benefits for Migrating to Cisco ASA 5500 Adaptive Security Appliances
Adaptive Security Offers Better, Flexible Protection
Leverages Cus

Cisco ASA 5500 Series: Breadth and Depth
Industry First Scalable, Multi-Function, Feature Rich Appliance
Multi-layer packet and traffic analysis
Adva

Cisco ASA 5500 Adaptive Security Appliances
Delivering Market-Leading Threat Defense and VPN Services
Market-Leading VPN Services
Market-Leading Firewall Services
Provides Converged T

Cisco ASA 5500 Series and Cisco PIX Security Appliances Feature Comparison
Cisco PIX Cisco ASA Cisco ASA 5500 Benefit
Flexible Access Control, Both IP a

Cisco ASA 5500 Series Modular Policy Framework
Extensible Design Enables Flexible, Flow-Based Services Policies
Security Services Extensibility
Cisco Tec

Cisco ASA 5500 Series Modular Policy Framework
Extensible Design Enables Flexible, Flow-Based Services Policies
Modular Policy Framework Overview
Modular
Agenda
Introductions
Cisco PIX - End of Sale Overview
Cisco ASA Product Overview
Key PIX to ASA Migration Drivers
Cisco PIX-2-ASA

Cisco ASA Adaptive Security Appliances
Industry Certifications and Evaluations
• Common Criteria
□ Completed: EAL4, v7.0.6—ASA 5510/20/40 (FW)
□ Comp

• Agenda
□ Company Highlights
□ Cisco Practice Overview
□ Professional Services Approach

Cisco Security Manager
• Agenda
□ Company Highlights
□ Cisco Practice Overview
□ Professional Services Approach

Migrating from the Cisco PIX Firewall to the Cisco ASA Adaptive Security Appliance
3 Simple Steps
Migrating from the Cisco PIX Firewall to the Cisco ASA Security Appliance.
Upgrade to Pix Version 7.0 is seamless and requires little manual interv

Also !!!! Before you begin:
1. Back up your configuration 2 times. Once to a text file and once to a TFTP server.
2. Make certain yo

Which PIX Firewalls CAN and can NOT be upgraded to 7.0
PIX 515 PIX 515E PIX 525 PIX 535
PIX

Check the Memory Requirements on the Pix before upgrading.
PIX 515 PIX 515E PIX 525 PIX 535

Also !!!! Before you begin:
If you are upgrading a PIX 515 or 535 with PDM already installed
Introductions
• WWT Security Practice Team:
□ Ashish Upadhyay, Business Development Manager
□ Dave Harrison, CCIE #8521, CCSP, CCSI – Nat

Migrating from the Cisco PIX Firewall to the Cisco ASA security Appliance
Read the following Documents and print them out for reference to

Migrating from the Cisco PIX Firewall to the Cisco ASA security Appliance
Study the new and deprecated changes !!!

Migrating from the Cisco PIX Firewall to the Cisco ASA security Appliance
1. Plan to perform the Migration during downtime (Although it is an easy 3 st
Migrating from the Cisco PIX Firewall to the Cisco ASA security Appliance
Step 1
Upgrade your Pix Firewall Software Version from ver

Step 1a: Verify you are running Pix 6.2 or 6.3 and you have enough RAM for the upgrade to 7.X

Step 1b: Save your current configuration and current operating system to a TFTP server on the network.
Have a Recovery Plan before you begin

Step 1b: (cont’d)

Which Products are Going End of Sale?
• All models of the Cisco PIX Security Appliance product family
□ Cisco PIX 501
□ Cisco PIX

Step 1b
Rename the “OLD” backup configuration file appropriately so that it is not confused with the “NEW” converted 7.0 configuration that you will als

Step 1c: Copy the new 7.0 code to your PIX from the TFTP server
Step 1c: (cont’d)

Step 1d: Reboot the Pix Firewall (reload)
After the reboot of the Pix Firewall 7.0 code will load and the 6.X configuration will be converted to 7.X com

Emergency Procedures
What if something goes TERRIBLY wrong !!!

Monitor Mode Upgrade
Hit the “ESCAPE” key right after the Pix begins to boot
Cisco PIX Security Appliance Product Family
End of Sale Timeline
End of Support
End of Software Maintenance
End of Service Contract
Accessories End of Sales
M

!!! Congratulations !!!
You have finished STEP #1.
You have upgraded the code on your existing Pix Firewall to 7.0. By doing this y
Migrating from the Cisco PIX Firewall to the Cisco ASA security Appliance
Step 2
Copy your converted configuration on the Cisco PIX Firewall

Step 2: Copy the configuration from the PIX to the ASA.
Copy the configuration from the PIX to a TFTP server. Then use the copy command to download the

Step 2: Go to the PIX Firewall

Step 2a: Move the 7.X configuration from the PIX to the TFTP server

Which Products are Going End of Sale?
End-of-Life Milestones and Dates for the Cisco VPN 3000 Series Concentrators
Milestone Definition Date
End-of-Life

Step 2a: Good thing we renamed our old configuration file
From startup-config
To: startup-config.old

Step 2a: (Cont’d) Copy the 7.X configuration from the PIX to the TFTP server

Step 2: Go to the new ASA
Step 2b: Copy the 7.X configuration from the TFTP Server to the ASA Security Appliance

Step 2b: (Cont’d) Copy the 7.X configuration from the TFTP Server to the ASA Security Appliance.

Cisco ASA 5500 Adaptive Security Appliance
1. Advanced Firewall Services
2. Unified Communications Security
3. SSL and IPSEC VPN
4It i
Migrating from the Cisco PIX Firewall to the Cisco ASA security Appliance
Step 3
Configure the ASA interfaces
Names
Security Levels
IP addresses

Step 3: Configure the ASA interfaces for IP, name, and security level (Notice the errors during conversion)

ASA 5510, 5520, 5540, 5550, 5580
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 70.222.200.111 255.255.255.224
 no shutdown
!
interface Ethern
Step 3: (Cont’d) Configure the ASA interfaces for IP, name, and security level

Step 3: ASA 5505
Configure the ASA interfaces for IP, name, and security level
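
One way to check the result of Step 3 before the ASA goes into service, as an added example (not from the original slides or from Cisco): it parses interface stanzas laid out like the ASA 5510 sample above and reports any active interface still missing a name, security level, or IP address. The sample configuration and its addresses are constructed; static addressing and the 5510-and-up stanza layout are assumptions.

```python
import ipaddress
import re

# Constructed sample (documentation addresses); Ethernet0/1 lost its address.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.10 255.255.255.224
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no ip address
!
interface Ethernet0/2
 shutdown
!
"""

def parse_interfaces(config_text):
    """Map each interface name to the commands indented under it."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = stanzas.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:  # "!" or a top-level command closes the stanza
            current = None
    return stanzas

def audit(config_text):
    """Return {interface: [problems]} for interfaces that are not shut down."""
    report = {}
    for name, cmds in parse_interfaces(config_text).items():
        if "shutdown" in cmds:  # unused port: nothing to verify
            continue
        problems = [] if any(re.fullmatch(r"nameif \S+", c) for c in cmds) else ["missing nameif"]
        if not any(re.fullmatch(r"security-level (\d\d?|100)", c) for c in cmds):
            problems.append("missing or invalid security-level")
        addr = next((c.split()[2:4] for c in cmds if c.startswith("ip address ")), [])
        try:  # assumption: static addressing, as in the slide's sample
            ipaddress.IPv4Interface("/".join(addr))
        except ValueError:
            problems.append("missing or invalid ip address")
        report[name] = problems
    return report
```

Calling `audit()` on the text of the configuration saved from the ASA returns an empty list for each interface that is fully configured.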
How do I upgrade Pix Failover Sets to 7.0 ???

Step 1: Power Down the Standby\Backup Pix

Why announce the end of sale now?
• Increased frequency and sophistication of Network attacks – Enterprise Security needs to evolve.
• Regulator

Step 2: Upgrade the Active\Powered On Pix to 7.0 as previously shown in this Demo. Reboot at least once and make certain to verify functionality

How do I upgrade Pix Failover Sets to 7.0 ???
Step 3: Power off the newly upgraded Pix and power

Are there any known issues with upgrading failover sets ????
Summary: Why Migrate to ASA?
The Converged Advantage
• Superior solution with converged best-of-breed security services
□ Combines market-proven

WWT Professional Services Offering
Expert guidance and support can help improve the accuracy and completeness of migration
WWT Service Capabilities and

Cisco Training Offerings
WWT is the only Cisco Gold Partner that is also a Cisco Learning Partner
Securing Networks with Pix and ASA (SNPA)
T ht b Ci C

Further Information
• Cisco Security Center
http://tools.cisco.com/security/center/home.x
• Cisco ASA 5500 S

Call to Action!!
• Are you ready to Migrate ?
□ Cisco is offering aggressive trade in programs that will allow you to transition at

Q & A

Thank You !!

Your Network and Threats to Your Network Have Changed…
Increased and More Complex Threats
Branch Office
Convergence of Data and Voice