ASA5525-x replacing PIX515E

[normntwrk]

Does anyone know if I can just lay the config from the PIX onto the ASA and have everything work ? PIX is at version 8.0.4 which is the same as some of the earlier ASAs I believe

We also use the Cisco IPsec VPN software client extensively as well as an IPsec site to site VPN, will those clients out in the field be able to connect up to the ASA without changes on the client side ?

Thanks
Norm

 

[ADB100]

Unfortunately a migration from PIX/ASA 8.0x to ASA 8.3+ is going to require some manual intervention due to the NAT changes. Depending on your ruleset it might be fairly easy to just rewrite the config. I have done a few of upgrades from PIX to ASA and let the code try and convert the NAT stuff but it has only worked for me once. i.e. upgrade the PIX to the last 8.0(4)x release and take a copy of the configuration. Take the vanilla ASA, install 8.0(4) and then copy the PIX configuration onto it (modifying the interface names as appropriate). Once you are happy the configuration looks OK then upgrade to 8.3+ and let the ASA image detect its a pre 8.3 configuration and then make the NAT changes for you.
This is all good however as I said this has worked for me once, all the other times there has been manual intervention required. With a 5525-X the minimum software release is 8.6(1) so this software upgrade path isn't even an option unless you have a spare 5510 or other non-X ASA?

Andy