Friday, January 1, 2016

Cisco ASA Firewall Migration Tool

There are a lot of ASA firewall conversion tools on the Internet, and the one I use is called the Cisco ASA NAT Converter. This is a very useful tool for admins who still run ASA 8.2 code (and earlier), since ASA code 8.3+ has a different NAT syntax.


Cisco has also launched their own free firewall conversion tool, and it can convert Juniper, Check Point and older Cisco ASA 8.2 (and earlier) configurations to the equivalent Cisco ASA 5500-X next-generation firewall command output. The portal also includes Cisco's latest products such as the Email Security Appliance (ESA) and Web Security Appliance (WSA), and a migration tool from the legacy Cisco IPS to the newer FirePower next-generation IPS (NGIPS). First, you need to log in, either by signing up or by using your existing Cisco (CCO) login.




I've tried the Firewall Migration app and converted an ASA 8.2 config file (.cfg) to ASA 5512-X 9.1(4) output. You go to Firewall Migration > My Conversions > Create New Conversion. I've TFTP'd my ASA .cfg file and compressed it using WinZip (WinRar doesn't work in this case). Next is to fill in the necessary Source and Target Platform fields, browse to the .cfg zip file and click OK. The tool will sometimes display an error and ask you to remove lines such as the boot system and banner commands.

ciscoasa# copy running-config tftp://172.27.25.254/fwm-sample.cfg

Source filename [running-config]?

Address or name of remote host [172.27.25.254]?

Destination filename [fwm-sample.cfg]?
Cryptochecksum: 31942d17 818aa141 3ffc37ab 948f1a66
!!!!!!!!!!!!!!
56462 bytes copied in 3.780 secs (18820 bytes/sec)
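The clean-up and zip step described above, as an added example (not from the original post and not part of Cisco's tool): a Python sketch that drops the `boot system` and `banner` lines from the exported config and packages the result as a standard .zip. The function names and the sample config are constructed for illustration.

```python
import io
import zipfile

# Command keywords the post says the migration tool may ask you to remove.
REJECTED_PREFIXES = ("boot system ", "banner ")

def strip_rejected_lines(config_text):
    """Return (cleaned_text, removed_lines) for an exported ASA config."""
    kept, removed = [], []
    for line in config_text.splitlines():
        # Only top-level commands are matched; indented sub-commands
        # (for example under an interface) are always kept.
        if line.startswith(REJECTED_PREFIXES):
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def build_upload_zip(config_text, member_name="fwm-sample.cfg"):
    """Package the cleaned config as a plain deflate .zip; returns (bytes, removed)."""
    cleaned, removed = strip_rejected_lines(config_text)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, cleaned)
    return buf.getvalue(), removed

# Constructed sample config (not taken from a real device).
SAMPLE_CONFIG = """\
ASA Version 8.2(5)
hostname ciscoasa
interface Ethernet0/0
 nameif outside
 security-level 0
boot system disk0:/example-image.bin
banner login Authorized access only
banner motd Maintenance window on Sunday
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

if __name__ == "__main__":
    zip_bytes, removed = build_upload_zip(SAMPLE_CONFIG)
    for line in removed:
        print("removed:", line)
    with open("fwm-sample.zip", "wb") as fh:
        fh.write(zip_bytes)
```

Review the list of removed lines before uploading so you can re-apply the banner and boot settings to the converted config afterwards.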



The result will be available after a few minutes (mine took around 20 mins) and a URL will be sent to your registered email, or it can be downloaded by going to Firewall Migration > My Conversions > My Completed Conversion.






The result is great and it's like having a security consultant if your ASA knowledge isn't that in-depth. There's also another free Cisco ASA tool that I'm using which I'll be blogging about soon. The tool is called the ASA CLI Analyzer.