Cisco PIX 506E - Security Appliance Bedienungsanleitung

Migrating from the Cisco Pix Firewall to the Cisco ASA Security AppliancePresented by:yppDavid Harrison - CCIE #8521,CCSP,CCSILadi Adefala, CCSIAshish

Cisco ASA 5500 Series AppliancesSolutions Ranging from Desktop to Data Center• Integrates, market-proven firewall, SSL/IPsec, IPS,and content security

Recommended Migration Path forCisco PIX Security Appliance CustomersCisco ASA 5510 / 5520SeriesCisco ASA 5505SeriesCisco ASA 5520 / 5540SeriesCisco AS

WWT/Cisco Confidential12

5505 5510 5520 5540 5550 5580-20 5580-40WWT/Cisco Confidential13

Many Compelling Benefits for Migrating to Cisco ASA 5500 Adaptive Security AppliancesAdaptive Security Offers Better, Flexible ProtectionLeverages Cus

Cisco ASA 5500 Series: Breadth and DepthIndustry First Scalable, Multi-Function, Feature Rich Appliance Multi-layer packet and traffic analysis Adva

Cisco ASA 5500 Adaptive Security AppliancesDelivering Market-Leading Threat Defense and VPN ServicesMktL di VPN S iMktLdi Fi llS iProvides Converged T

Cisco ASA 5500 Series and Cisco PIX Security Appliances Feature ComparisonCisco PIX Cisco ASA Cisco ASA 5500 BenefitFlexible Access Control, Both IP a

Cisco ASA 5500 Series Modular Policy FrameworkExtensible Design Enables Flexible, Flow-Based Services PoliciesSecurity Services ExtensibilityCisco Tec

Cisco ASA 5500 Series Modular Policy FrameworkExtensible Design Enables Flexible, Flow-Based Services PoliciesModular Policy Framework OverviewModular

Agenda IntroductionsCi PIXEd fSl O iCisco PIX -End of Sale Overview Cisco ASA Product Overview Key PIX to ASA Migration Drivers Cisco PIX-2-ASA

Cisco ASA Adaptive Security AppliancesIndustry Certifications and Evaluations• Common Criteria□ Completed: EAL4, v7.0.6—ASA 5510/20/40 (FW)(FW)□ Comp

•Agenda•Agenda□ Company Highlights□Cisco Practice Overview□Cisco Practice Overview□ Professional Services ApproachWWT/Cisco Confidential21

Cisco Security Manager•Agenda•Agenda□ Company Highlights□Cisco Practice Overview□Cisco Practice Overview□ Professional Services ApproachWWT/Cisco Conf

Migrating from the Cisco PIX Firewall to the Cisco ASA Adaptive Security Appliance pypp3 Simple StepsppWWT/Cisco Confidential23

Migrating from the Cisco PIX Firewall to the Cisco ASA Adaptive Security Appliance WWT/Cisco Confidential24

Migrating from the Cisco PIX Firewall to the Cisco ASA Security Appliance. yppUpgrade to Pix Version 7.0 is seamless and requires little manual interv

Also !!!! Before you begin:1. Backup your configuration 2 times. Once to a text file and once to a TFTP server.to a TFTP server.2. Make certain yo

Which PIX Firewalls CAN and can NOTbe upgraded to 7.0PIX 515 PIX 515E PIX 525 PIX 53555 55 55 535PIX

Check the Memory Requirements on the Pix before upgrading.PIX 515PIX 515E PIX 525PIX 535WWT/Cisco Confidential28

Also !!!! Before you begin:If you are upgrading a PIX 515 or 535 with PDM already installedWWT/Cisco Confidential29

Introductions• WWT Security Practice Team:AhihU dh B i D l tM□Ashish Upadhyay, Business Development Manager□ Dave Harrison, CCIE #8521,CCSP,CCSI – Nat

Migrating from the Cisco PIX Firewall to the Cisco ASA security Appliance yppRead the following Documents and print them out for reference toRead the

Migrating from the Cisco PIX Firewall to the Cisco ASA security Appliance yppStudy the new and deprecated changes !!!WWT/Cisco Confidential31

Migrating from the Cisco PIX Firewall to the Cisco ASA security Appliance yppWWT/Cisco Confidential32

Migrating from the Cisco PIX Firewall to the Cisco ASA security Appliance yppWWT/Cisco Confidential33

Migrating from the Cisco PIX Firewall tothe Cisco ASA security Appliance 1. Plan to perform the Migration during downtime (Although it is an easy 3 st

Migrating from the Cisco PIX Firewall to the Cisco ASA Adaptive Security Appliance pyppWWT/Cisco Confidential35

Migrating from the Cisco PIX Firewall to the Cisco ASA security Appliance yppStep 1Ud PiFi llSft ViUpgrade your Pix Firewall Software Version from ver

Step 1a:Verify you are running Pix 6.2 or 6.3 and you have enough RAM for the upgrade to 7.XWWT/Cisco Confidential37

Step 1b:Save your current configuration and current operating system to a TFTP server on the network.Have a Recovery Plan before you beginWWT/Cisco Co

Step 1b: (cont’d)WWT/Cisco Confidential39

Which Products are Going End of Sale?• All models of the Cisco PIX Security Appliance product familyAppliance product family□ Cisco PIX 501□ Cisco PIX

Step 1bRename the “OLD” backup configuration file appropriately so that it is not confused with the “NEW”converted 7.0 configuration that you will als

Step 1c:Copy the. new 7.0 code to your PIX from the TFTP serverWWT/Cisco Confidential41

Step 1c: (cont’d)WWT/Cisco Confidential42

Step 1c: (cont’d)WWT/Cisco Confidential43

Step 1c: (cont’d)WWT/Cisco Confidential44

Step 1c: (cont’d)WWT/Cisco Confidential45

Step 1d:Reboot the Pix Firewall (reload)After the reboot of the Pix Firewall 7.0 code will load and the 6.X configuration will be converted to 7.X com

Emergency ProceduresWhat if something goes TERRIBLY wrong !!!WWT/Cisco Confidential47

Monitor Mode UpgradeHit the “ESCAPE” key right after the Pix begins to bootWWT/Cisco Confidential48

Monitor Mode UpgradeWWT/Cisco Confidential49

Cisco PIX Security Appliance Product FamilyEnd of Sale TimelineEnd of SupportEnd of SoftwareMaintenanceEnd of ServiceContractAccessories End of SalesM

Monitor Mode UpgradeWWT/Cisco Confidential50

Monitor Mode UpgradeWWT/Cisco Confidential51

Monitor Mode UpgradeWWT/Cisco Confidential52

Monitor Mode UpgradeWWT/Cisco Confidential53

Monitor Mode UpgradeWWT/Cisco Confidential54

!!! Congratulations !!!You have finished STEP #1. Y h d d th d i ti PiYou have upgraded the code on your existing Pix Firewall to 7.0. By doing this y

Migrating from the Cisco PIX Firewall to the Cisco ASA security Appliance Step 2Step 2df hCopy your converted configuration on the Cisco PIX Firewall

Step 2:Copy the configuration from the PIX to the ASA.Copy the configuration from the PIX to a TFTP server. Then use the copy command to download the

Step 2:GtthPIXFi llGo to the PIX FirewallWWT/Cisco Confidential58

Step 2a:Move the 7.X configuration from the PIX to the TFTP server WWT/Cisco Confidential59

Which Products are Going End of Sale?End-of-Life Milestones and Dates for the Cisco VPN 3000 Series ConcentratorsMilestone Definition DateEnd-of-Life

Step 2a:Good thing we renamed our old configuration fileFrom startupconfigFrom startup-configTo: startup-config.oldWWT/Cisco Confidential60

Step 2a: (Cont’d)Copy the 7.X configuration from the PIX to the TFTP server WWT/Cisco Confidential61

Step 2a: (Cont’d)Copy the 7.X configuration from the PIX to the TFTP server WWT/Cisco Confidential62

Step 2:Go to the new ASAWWT/Cisco Confidential63

Step 2b:Copy the 7.X configuration from the TFTP Server to the ASA Security ApplianceWWT/Cisco Confidential64

Step 2b: (Cont’d)Copy the 7.X configuration from the TFTP Server to the ASA Security Appliance. WWT/Cisco Confidential65

Step 2b: (Cont’d)Copy the 7.X configuration from the TFTP Server to the ASA Security Appliance. WWT/Cisco Confidential66

Step 2b: (Cont’d)Copy the 7.X configuration from the TFTP Server to the ASA Security Appliance. WWT/Cisco Confidential67

Step 2b: (Cont’d)Copy the 7.X configuration from the TFTP Server to the ASA Security Appliance. WWT/Cisco Confidential68

Step 2b: (Cont’d)Copy the 7.X configuration from the TFTP Server to the ASA Security Appliance. WWT/Cisco Confidential69

Cisco ASA 5500 Adaptive Security Appliance 1. Advanced Firewall Services2UifidC i ti S it2. Unified Communications Security3. SSL and IPSEC VPN 4It i

Step 2b: (Cont’d)Copy the 7.X configuration from the TFTP Server to the ASA Security Appliance. WWT/Cisco Confidential70

Migrating from the Cisco PIX Firewall to the Cisco ASA security Appliance St 3Step 3Configure the ASA interfacesNames Security Levels IP addressesName

Step 3:Configure the ASA interfaces for IP, name , and security level (Notice the errors during conversion)WWT/Cisco Confidential72

ASA 5510,5520,5540,5550,5580interface Ethernet0/0nameif outsidesecurity-level 0ip address 70.222.200.111 255.255.255.224no shutdown !interface Ethern

Step 3: (Cont’d)Configure the ASA interfaces for IP, name and security levelWWT/Cisco Confidential74

Step 3: ASA 5505Configure the ASA interfaces for IP, name , and security levelWWT/Cisco Confidential75

Step 3: ASA 5505Configure the ASA interfaces for IP, name , and security levelWWT/Cisco Confidential76

Step 3: (Cont’d)Configure the ASA interfaces for IP, name , and security levelWWT/Cisco Confidential77

How do I upgrade Upgrading Pix Failover Sets to 7.0 ???WWT/Cisco Confidential78

Step 1:Power Down the Standby\Backup PixWWT/Cisco Confidential79

Why announce the end of sale now?• Increased frequency and sophistication of kkiS i dNetwork attacks –Enterprise Security needs be evolved.• Regulator

Step 2:Upgrade the Active\Powered On Pix to 7.0 as Previously shown in this Demo. Reboot at least once and make certain to verify functionalityto veri

How do I upgrade Upgrading Pix Failover Sets to 7.0 ???Step 3:Power off the newly upgraded Pix and powerStep 3: Power off the newly upgraded Pix and p

Are there any known issues with upgrading failover sets ???? WWT/Cisco Confidential82

Summary: Why Migrate to ASA?The Converged Advantage• Superior solution with converged best-of-breed security servicesservices□ Combines market-proven

WWT Professional Services Offering Expert guidance and support can help improve the accuracy and completeness of migrationWWT Service Capabilities and

Cisco Training OfferingsWWT is the only Cisco Gold Partner that is also a Cisco Learning PartnergSecuring Networks with Pix and ASA (SNPA)T ht b Ci C

Further Information• Cisco Security Centerhttp://tools cisco com/security/center/home xhttp://tools.cisco.com/security/center/home.x• Cisco ASA 5500 S

Call to Action!!• Are you ready to Migrate ?Ci i ff i i d i h ill□Cisco is offering aggressive trade in programs that will allow you to transition at

Q&AQ & AWWT/Cisco Confidential88

Thank You !!WWT/Cisco Confidential89

Your Network and Threats to Your Network Have Changed…gIncreased and More Complex ThreatsConvergence ofBranch OfficeData Convergence of Data and Voice