Cisco | PIX 506E - Security Appliance | Migrating from the Cisco Pix Firewall to the Cisco ASA Security

Migrating from the Cisco PIX Firewall to the Cisco ASA Security Appliance
Presented by:
David Harrison - CCIE #8521, CCSP, CCSI
Ladi Adefala, CCSI
Ashish Upadhyay, BDM
WWT/Cisco Confidential
Date: March 13, 2008
Agenda
• Introductions
• Cisco PIX - End of Sale Overview
• Cisco ASA Product Overview
• Key PIX to ASA Migration Drivers
• Cisco PIX-2-ASA Feature Comparison Overview
• How to Migrate from PIX to ASA Platform? Step-by-Step Approach
• WWT Security Professional Services Overview
• Important Links/Reference Documents
• Q&A
Introductions
• WWT Security Practice Team:
□ Ashish Upadhyay, Business Development Manager
□ Dave Harrison, CCIE #8521, CCSP, CCSI – National Security Lead
□ Ladi Adefala, CCSI – National Post-Sales Practice Manager
□ Sara Vaughan – Marketing/Event Coordination
□ Ed Levens/Diana Dewerey – Marketing/Event Support
• Cisco Guests
□ Scott Maxwell, AT-CAM Commercial/Enterprise
□ Brian Sak, Virtual Security Expert
□ Tim St. Laurent, AT-CAM Federal
□ Daniel Charborneau, Channel SE
Which Products are Going End of Sale?
• All models of the Cisco PIX Security Appliance product family
□ Cisco PIX 501
□ Cisco PIX 506E
□ Cisco PIX 515E
□ Cisco PIX 525
□ Cisco PIX 535
• All Cisco PIX Security Appliance Software release trains
□ 6.2, 6.3, 7.0, 7.1, 7.2, and 8.0
• The following accessories will be sold for six months past chassis/bundle end of sales
□ Licenses
□ I/O cards and VAC+ card
□ Memory upgrade kits
□ Accessory kits
Cisco PIX Security Appliance Product Family End of Sale Timeline
Milestone | Date
External announcement | January 28, 2008
End of Sales (EoS) for platforms/bundles | July 28, 2008
End of Sales (EoS) for accessories | January 27, 2009
End of software maintenance releases | July 28, 2009
End of service contract renewals | October 23, 2012
End of Support / End of Life (EoL) | July 27, 2013
Which Products are Going End of Sale?
End-of-Life Milestones and Dates for the Cisco VPN 3000 Series Concentrators
Milestone | Definition | Date
End-of-Life Announcement Date | The date the document that announces the end of sale and end of life of a product is distributed to the general public. | February 7, 2007
End-of-Sale Date | The last date to order the product through Cisco point-of-sale mechanisms. The product is no longer for sale after this date. | August 6, 2007
Last Ship Date: HW | The last-possible ship date that can be requested of Cisco and/or its contract manufacturers. Actual ship date is dependent on lead time. | November 4, 2007
End of Routine Failure Analysis Date: HW | The last-possible date a routine failure analysis may be performed to determine the cause of product failure or defect. | August 5, 2008
End of New Service Attachment Date: HW | For equipment and software that is not covered by a service-and-support contract, this is the last date to order a new service-and-support contract or add the equipment and/or software to an existing service-and-support contract. | August 5, 2008
End of Service Contract Renewal Date: HW | The last date to extend or renew a service contract for the product. | November 1, 2011
Last Date of Support: HW | The last date to receive service and support for the product. After this date, all support services for the product are unavailable, and the product becomes obsolete. | August 4, 2012
Cisco ASA 5500 Adaptive Security Appliance
1. Advanced Firewall Services
2. Unified Communications Security
3. SSL and IPSEC VPN
4. Intrusion Prevention
5. Content Security Services
-Anti Virus
-Anti Spam
-Anti Phishing
-Anti Spyware
-URL filtering
Why announce the end of sale now?
• Increased frequency and sophistication of network attacks – Enterprise security needs to evolve.
• Regulatory compliance pressure – Network security as part of day-to-day operations of a business
• New network demands caused by new applications such as unified communications, video, and collaboration require the next generation of networks and security.
Your Network and Threats to Your Network Have Changed…
[Diagram: corporate network with Branch Office, Data Center, Public Services, Corporate LAN, Remote Access, Partner Access, Partner Business Apps, and Internet]
• Increased and More Complex Threats
• Convergence of Data and Voice
• Wireless Mobility
• Increase in Online Collaboration
• Disappearing Network Perimeters
• More Media-Rich Applications
• New Focus on Compliance: Sarbanes Oxley, ISO 27001, CobiT
…Your Security Must Adapt as Well
Cisco ASA 5500 Series Appliances
Solutions Ranging from Desktop to Data Center
• Integrates market-proven firewall, SSL/IPsec, IPS, and content security technologies
• Extensible multi-processor architecture delivers high concurrent services performance and significant investment protection
• Flexible management lowers cost of ownership
• Easy-to-use Web-based user interface
• Numerous certifications and awards
• And much more…
[Chart: Cisco ASA 5500 platforms (ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580-20, ASA 5580-40; two models are flagged New) plotted across Teleworker, Branch Office, Internet Edge, Campus Segmentation, and Data Center]
Recommended Migration Path for Cisco PIX Security Appliance Customers
Cisco PIX 501 Series and Cisco PIX 506E Series: migrate to Cisco ASA 5505 Series
Key Migration Benefits
• 1.5 - 2.5X firewall throughput
• 3 - 33X VPN throughput
• 8 port switch with 2 PoE ports
• VLAN support (20 with Sec+)
• Supports SSL VPN
• Modular for future upgrades
Cisco PIX 515E Series: migrate to Cisco ASA 5510 / 5520 Series
Key Migration Benefits
• 1.6 - 2.4x firewall throughput
• 2.3 - 3x scalability (conns/sec)
• Gigabit Ethernet support
• A/A solution costs 30% less
• VPN clustering/load balancing
• Supports IPS, CSC, SSL VPN
Cisco PIX 525 Series: migrate to Cisco ASA 5520 / 5540 Series
Key Migration Benefits
• 1.5 - 2x firewall throughput
• 1.3 - 2.7x scalability
• Supports 3X GigE density
• A/A solution costs 30% less
• VPN clustering/load balancing
• Supports IPS, CSC, SSL VPN
Cisco PIX 535 Series: migrate to Cisco ASA 5550 / 5580 Series
Key Migration Benefits
• 2 - 20x real-world FW throughput
• 2 - 8x scalability (conns/sec)
• Supports SSL VPN, inc. clus/LB
• 10GE I/O support (5580)
• Supports 2.5x GE density (5580)
• A/A solution costs 35% less
Many Compelling Benefits for Migrating to Cisco ASA 5500 Adaptive Security Appliances
Adaptive Security Offers Better, Flexible Protection
• Superior network protection from ever-changing threats through IPS, CSC, etc
• Equal or better pricing provides lower TCO
• Better performance and scalability, solutions scaling to 10+ Gbps
• Flexible VPN solution with market-leading SSL VPN capabilities
Mature, Next-Generation Security Solution
• Built upon 10+ years of innovation in Cisco PIX, VPN 3000, and IPS 4200 solutions
• Hundreds of thousands of Cisco ASA 5500 units deployed worldwide
• GD quality software available (v7.0.7+)
• Common Criteria, FIPS, and NEBS certified
Leverages Customer’s Existing PIX Investment
• Cisco PIX knowledge directly transferable to Cisco ASA 5500 Series
• Consistent GUI and CLI interfaces as Cisco PIX Security Appliances
• Consistent syslog and SNMP monitoring
• Managed by Cisco Security Manager, MARS, and many 3rd party products
Cisco ASA 5500 Series: Breadth and Depth
Industry First Scalable, Multi-Function, Feature Rich Appliance
Firewall with Application Layer Security
• Multi-layer packet and traffic analysis
• Advanced application and protocol inspection services
• Network application controls
• Advanced VoIP/multimedia security
IPS and Anti-X Defenses
• Real-time protection from application and OS level attacks
• Network-based worm and virus mitigation
• Spyware, adware, malware detection and control
• On-box event correlation and proactive response
Access Control and Authentication
• Flexible user and network based access control services
• Stateful packet inspection
• Integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID
SSL and IPSec Connectivity
• Threat protected SSL and IPSec VPN services
• Zero-touch, automatically updateable IPSec remote access
• Flexible clientless and full tunneling client SSL VPN services
• QoS/routing-enabled site-to-site VPN
Cisco Intelligent Networking Services
• Active\Active Failover
• Bridged Firewall
• Multicast support
• Virtual Firewalls\Multiple Context
• Network segmentation & partitioning
• Routing, resiliency, load-balancing
Cisco ASA 5500 Adaptive Security Appliances
Delivering Market-Leading Threat Defense and VPN Services
Provides Converged Threat Defense, Flexible Secure Connectivity, Minimized Operation Costs, and Unique Adaptive Design to Combat Future Threats
Market-Leading Firewall Services
• Integrates and extends the #1 deployed firewall technology from Cisco PIX Security Appliances
• Built upon the experience of over one million PIX deployed worldwide and 10+ years of innovation
Market-Leading VPN Services
• Integrates and extends the #1 deployed remote access VPN technology from Cisco VPN 3000 Concentrators and Cisco PIX Security Appliances, offering both SSL and IPsec VPN services
Market-Leading IPS Services
• Integrates and extends the #1 deployed IPS and IDS technology from the Cisco IPS 4200 Series
• Provides comprehensive security from directed attacks and many other threats
Market-Leading Content Security
• Integrates and extends the #1 deployed gateway content security technology to protect from viruses, spyware, spam, phishing, and employee productivity impacting websites
Market-Leading Unified Communications Security
• Comprehensive access control, threat protection, network policies, service protection, and voice/video confidentiality for real-time Unified Communications traffic
Cisco ASA 5500 Series and Cisco PIX Security Appliances Feature Comparison
Feature | Cisco PIX | Cisco ASA | Cisco ASA 5500 Benefit
Flexible Access Control, Both IP and User-Based | Yes | Yes | Cisco ASA 5500 Supports More ACLs due to Increased Memory
Advanced Application Layer Firewall Services for over 30 Popular Protocols | Yes | Yes | Cisco ASA 5500 Offers Better Deep Packet Inspection Performance
Security Services for Encrypted Voice / Video Communications | No | Yes | Only Cisco ASA 5500 Enables Secure End-to-End Encrypted Voice / Video Communications
Cisco Easy VPN and Site-to-Site IPsec VPN | Yes | Yes | Cisco ASA 5500 Provides Superior VPN Performance
Clientless SSL VPN and Cisco AnyConnect SSL VPN | No | Yes | Cisco ASA 5500 Provides World-Class, Flexible SSL VPN Access
VPN Clustering and Load Balancing Support | No | Yes | Cisco ASA 5500 Provides Enterprise-Class VPN Scalability
Full-Featured, Hardware Accelerated IPS Services | No | Yes | Cisco ASA 5500 Provides Superior Protection from Attacks
Anti-Virus, Anti-Spam, Anti-Phishing, and URL Filtering Services from Trend Micro | No | Yes | Cisco ASA 5500 Protects from Malware, Helping Increase Employee Productivity
Consistent Management and Monitoring | Yes | Yes | Leverage Cisco PIX Knowledge and Tools with Cisco ASA 5500
Cisco ASA 5500 Series Modular Policy Framework
Extensible Design Enables Flexible, Flow-Based Services Policies
[Diagram: Security Services Extensibility. Labels: Modular Policy Framework; Threat Control (Application Inspection & Control, IPS & Anti-X Defenses, Access Control & Authentication); Secure Communications (Remote Access VPN Connectivity, Site-to-Site VPN Connectivity); Partner Technology and Service Extensions; Cisco Technology and Service Extensions; Cisco Intelligent Networking, High Availability, and Scalability Services]
The Cisco ASA 5500 Series Modular Policy Framework Allows Business to Adapt and Extend the Security Services Profile Via Cisco-Developed and Partner-Provided Innovations Delivering High Concurrent Services Performance and Services Extensibility
Cisco ASA 5500 Series Modular Policy Framework
Extensible Design Enables Flexible, Flow-Based Services Policies
Modular Policy Framework Overview
Modular Policy Framework provides a consistent and flexible way to configure security appliance features in a manner similar to Cisco IOS software QoS CLI. For example, you can use Modular Policy Framework to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications.
Modular Policy Framework is supported with these features:
• IPS
• TCP normalization, and connection limits and timeouts
• QoS policing
• QoS priority queue
• Application inspection
Configuring Modular Policy Framework consists of three tasks:
1. Identify the traffic to which you want to apply actions. See "Using a Class Map"
2. Apply actions to the traffic. See "Defining Actions Using a Policy Map" section.
3. Activate the actions on an interface. See "Applying a Policy to an Interface Using a Service Policy" section.
Cisco ASA Adaptive Security Appliances
Industry Certifications and Evaluations
• Common Criteria (one entry flagged New)
□ Completed: EAL4, v7.0.6—ASA 5510/20/40 (FW)
□ Completed: EAL2, v6.0—ASA SSM-10/20 (IPS)
□ In process: EAL4+, v7.2.2—ASA Family (FW)
□ In process: EAL4, v7.2.2—ASA Family (VPN)
• FIPS 140
□ Completed: Level 2, v7.0.4—ASA Family
□ Completed: Level 2, v7.2.2
□ In process: Level 2, v8.0.2
• ICSA Firewall 4.1, Corporate Category (New)
□ Completed: v7.2.2—ASA Family
• ICSA IPSec 1.0D
□ Completed: v7.0.4—ASA Family
• ICSA Anti-Virus Gateway
□ Completed: v7.1—ASA Family
• NEBS Level 3
□ Completed: ASA 5510, 5520, and 5540
• Agenda
□ Company Highlights
□ Cisco Practice Overview
□ Professional Services Approach
Cisco Security Manager
• Agenda
□ Company Highlights
□ Cisco Practice Overview
□ Professional Services Approach
Migrating from the Cisco PIX Firewall to the Cisco ASA Adaptive Security Appliance
3 Simple Steps
Migrating from the Cisco PIX Firewall to the Cisco ASA Security Appliance.
Upgrade to PIX Version 7.0 is seamless and requires little manual intervention. 6.X commands are automatically converted to 7.0 commands.
BUT !!!!!!
Also !!!!
Before you begin:
1. Back up your configuration 2 times. Once to a text file and once to a TFTP server.
2. Make certain you do not have CONDUIT or OUTBOUND commands. (Use the Output Interpreter to convert them to access-lists if you do.)
3. Make certain the PIX does not terminate PPTP connections. 7.0 does not support PPTP.
4. Save digital certificates off the PIX, if you are using them, before beginning the upgrade.
5. After the upgrade, make certain to use common sense and confirm the automatic configuration changes have actually occurred.
6. Save the changed configuration to FLASH after the PIX has restarted and converted the configuration.
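The pre-upgrade checks above (running 6.2 or 6.3, no CONDUIT or OUTBOUND commands, no PPTP termination, certificates saved) can be run against the text backup of the configuration. This is an added example, not part of the original presentation; the sample configuration is constructed, and treating `apply` lines as part of OUTBOUND and `ca identity` / `ca configure` lines as the sign of certificate use are assumptions of this sketch.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int   # 1-based line in the backup file, 0 for file-level findings
    severity: str  # "blocker" = fix before upgrading, "action" = do before upgrading
    rule: str
    text: str


# Constructed sample of a PIX 6.3 text backup (not taken from the slides).
SAMPLE_PIX63_CONFIG = """\
: Saved
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_out permit tcp any host 203.0.113.10 eq pptp
conduit permit tcp host 203.0.113.11 eq smtp any
outbound 10 deny 0.0.0.0 0.0.0.0 23 tcp
apply (inside) 10 outgoing_src
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn enable outside
ca identity corp-ca 192.0.2.20
"""

# Each rule is anchored at the start of the command so that, for example,
# an access-list that merely permits the pptp port is not reported.
RULES = [
    ("blocker", "conduit", re.compile(r"^conduit\s", re.I)),
    ("blocker", "outbound", re.compile(r"^(outbound|apply)\s", re.I)),
    ("blocker", "pptp", re.compile(r"^vpdn\s+group\s+\S+\s+.*\bpptp\b", re.I)),
    # Assumption: CA enrollment shows up as "ca identity" / "ca configure".
    ("action", "certificates", re.compile(r"^ca\s+(identity|configure)\s", re.I)),
]
VERSION_RE = re.compile(r"^PIX Version (\d+)\.(\d+)")


def precheck(config_text: str) -> List[Finding]:
    """Return the findings for one PIX 6.x configuration backup."""
    findings = []
    version = None
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith((":", "!")):
            continue  # blank lines and comment/marker lines
        match = VERSION_RE.match(line)
        if match:
            version = (int(match.group(1)), int(match.group(2)))
            continue
        for severity, rule, pattern in RULES:
            if pattern.match(line):
                findings.append(Finding(line_no, severity, rule, line))
                break
    # The upgrade path in the slides starts from 6.2 or 6.3 only.
    if version not in ((6, 2), (6, 3)):
        findings.append(Finding(0, "blocker", "version",
                                f"expected PIX Version 6.2 or 6.3, found {version}"))
    return findings


def ready_for_upgrade(findings: List[Finding]) -> bool:
    """True when nothing in the findings blocks the 7.0 upgrade."""
    return not any(f.severity == "blocker" for f in findings)


if __name__ == "__main__":
    for f in precheck(SAMPLE_PIX63_CONFIG):
        print(f"{f.severity:8} line {f.line_no:>3} [{f.rule}] {f.text}")
```

A "certificates" finding does not block the upgrade by itself; it marks the backup step that has to happen first.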
Which PIX Firewalls CAN and can NOT be upgraded to 7.0
[Slide graphic covering PIX 501, PIX 506, PIX 506E, PIX 515, PIX 515E, PIX 525, and PIX 535]
Check the Memory Requirements on the PIX before upgrading.
[Table: memory requirements for PIX 515, PIX 515E, PIX 525, and PIX 535]
Also !!!!
Before you begin:
If you are upgrading a PIX 515 or 535 with PDM already installed
Migrating from the Cisco PIX Firewall to the Cisco ASA Security Appliance
Read the following documents and print them out for reference to make certain you understand the new, changed and deprecated commands.
1. Release notes for the software version to which you plan to upgrade (7.0).
2. Guide for PIX 6.2 and 6.3 upgrading to Cisco PIX software Version 7.0
Migrating from the Cisco PIX Firewall to the Cisco ASA Security Appliance
Study the new and deprecated changes !!!
Migrating from the Cisco PIX Firewall to the Cisco ASA Security Appliance
1. Plan to perform the migration during downtime. (Although it is an easy 3-step process, this is a major change and will require some downtime.)
2. Prepare ahead of time by downloading the PIX 7.0 software and putting it on an available TFTP server. Save your existing configuration files and operating system to a TFTP server on the network.
Migrating from the Cisco PIX Firewall to the Cisco ASA Security Appliance
Step 1
Upgrade your PIX Firewall software version from version 6.2 or 6.3 to PIX Software Version 7.0.
Step 1a:
Verify you are running PIX 6.2 or 6.3 and you have enough RAM for the upgrade to 7.X
Step 1b:
Save your current configuration and current operating system to a TFTP server on the network.
Have a Recovery Plan before you begin
Step 1b:
Rename the “OLD” backup configuration file appropriately so that it is not confused with the “NEW” converted 7.0 configuration that you will also be copying to the TFTP server.
Example: startup-config.old
Step 1c:
Copy the new 7.0 code to your PIX from the TFTP server
Step 1d:
Reboot the PIX Firewall (reload)
After the reboot of the PIX Firewall, 7.0 code will load and the 6.X configuration will be converted to 7.X commands.
After you upgrade the PIX from 6.X to 7.X, use the show startup-config errors command to display the errors experienced converting the 6.X code to 7.X
Save the configuration (wr mem)
Emergency Procedures
What if something goes TERRIBLY wrong !!!
Monitor Mode Upgrade
Hit the “ESCAPE” key right after the Pix begins to boot
!!! Congratulations !!!
You have finished STEP #1.
You have upgraded the code on your existing PIX Firewall to 7.0. By doing this you have automatically converted your configuration from 6.X commands to the new 7.X commands.
Migrating from the Cisco PIX Firewall to the Cisco ASA Security Appliance
Step 2
Copy your converted configuration on the Cisco PIX Firewall to the Cisco ASA Adaptive Security Appliance.
Step 2:
Copy the configuration from the PIX to the ASA.
Copy the configuration from the PIX to a TFTP server. Then use the copy command to download the configuration from the TFTP server to the ASA.
[Diagram: PIX, TFTP Server, ASA]
Step 2:
Go to the PIX Firewall
Step 2a:
Move the 7.X configuration from the PIX to the TFTP server
Good thing we renamed our old configuration file
From: startup-config
To: startup-config.old
Copy the 7.X configuration from the PIX to the TFTP server
Step 2:
Go to the new ASA
Step 2b:
Copy the 7.X configuration from the TFTP Server to the ASA Security Appliance.
Migrating from the Cisco PIX Firewall to the Cisco ASA Security Appliance
Step 3
Configure the ASA interfaces
Names, Security Levels, IP addresses
Step 3:
Configure the ASA interfaces for IP, name, and security level (Notice the errors during conversion)
ASA 5510, 5520, 5540, 5550, 5580
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 70.222.200.111 255.255.255.224
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 no shutdown
Step 3: ASA 5505
Configure the ASA interfaces for IP, name, and security level
How do I upgrade PIX Failover Sets to 7.0 ???
Step 1: Power down the Standby\Backup PIX.
Step 2: Upgrade the Active\Powered On PIX to 7.0 as previously shown in this demo. Reboot at least once and make certain to verify functionality.
Step 3: Power off the newly upgraded PIX and power on the second PIX and upgrade the second PIX. Verify the upgrade of the second PIX and reboot at least once.
Step 4: Now also power on the first PIX that you upgraded. Both PIX appliances are now upgraded to 7.0 and are powered on.
Step 5: Use the show failover command to verify that they establish failover communications.
Are there any known issues with upgrading failover sets ????
Summary: Why Migrate to ASA?
The Converged Advantage
• Superior solution with converged best-of-breed security services
□ Combines market-proven firewall, IPS, IPSec, and SSL VPN services along with adaptive architecture for future services extensions—protects businesses with its superior network security posture, while providing strong investment protection
• Threat-protected VPN services
□ Gives businesses VPN deployment flexibility by offering both IPSec and WebVPN services, allowing businesses to tailor fit secure connectivity services based on their growing connectivity and scalability requirements
• Consistent user experience
□ Leverages customers' existing knowledge of Cisco PIX Security Appliances for easy migration to Cisco ASA 5500 solutions
• High-performance IPS and Anti-X Services
□ Advanced Intrusion Prevention Services (IPS) and network Anti-X Services mitigate a wide range of threats including worms, web-based attacks, and more
WWT Professional Services Offering
Expert guidance and support can help improve the accuracy and completeness of migration.
WWT Service Capabilities and Features
• Configuration review and improvement recommendations
• Remote or onsite knowledge transfer sessions to help you support your migration process
• Focused escalation support during critical migration change windows
• Review of plans for migration, testing, rollback, failure recovery, and risk mitigation, and recommend improvements
• Support for conversion of Cisco PIX Firewall configurations and IPSec VPN configurations to Cisco ASA configurations, providing configuration best practices
• Provide guidance through firewall cutovers
Cisco Training Offerings
WWT is the only Cisco Gold Partner that is also a Cisco Learning Partner
Securing Networks with PIX and ASA (SNPA)
• Taught by Cisco Certified Systems Instructors with real-world deployment experience
• 5-day class with hands-on labs
• Live equipment in classroom
New ASA Course Offerings:
• New curriculum focusing on ASA 8.0 to be released in May/June 2008
Further Information
• Cisco Security Center
http://tools.cisco.com/security/center/home.x
• Cisco ASA 5500 Series Adaptive Security Appliances
http://www.cisco.com/go/asa
• Cisco PIX Security Appliances End Of Sale Customer Portal
http://www.cisco.com/go/pixeos
• Cisco ASA 5500: Power of the PIX Plus
http://www.cisco.com/cdc_content_elements/flash/security/pix500/cisco_asa_flash.html
• Cisco Security Manager
http://www.cisco.com/en/US/products/ps6498/index.html
• Additional Resources:
□ For more information about the Cisco End-of-Life Policy, go to:
http://www.cisco.com/en/US/products/prod_end_of_life.html
□ To subscribe to receive end-of-life/end-of-sale information, go to:
http://www.cisco.com/cgi-bin/Support/FieldNoticeTool/field-notice
Call to Action!!
• Are you ready to Migrate ?
□ Cisco is offering aggressive trade in programs that will allow you to transition at your own pace. Please contact your WWT/Cisco sales account manager for further details.
• WWT Professional Services Offering:
□ Our Experienced Professional Services Engineers are here to provide Expert guidance and support that can help you improve the accuracy and completeness of migration.
Q&A
Thank You !!