Friday, June 14, 2019

Migrating Cisco ASA Firewall Context Configuration

I needed to migrate a Security Context from one Cisco ASA firewall to another. A quick way is to transfer the config file (.cfg) stored in flash (disk0) to an FTP or TFTP server and then transfer it again to the destination ASA firewall. This is very handy when the config file is big or lengthy, and it saves time compared to copying and pasting the config to the new device.

ciscoasa-old/admin# changeto system

ciscoasa-old# ping 172.27.5.1    // MAKE SURE FTP/TFTP SERVER IS REACHABLE
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.27.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 290/290/290 ms

ciscoasa-old# copy disk0:/CUST-A.cfg tftp://172.27.5.1/CUST-A

Source filename [CUST-A.cfg]?

Address or name of remote host [172.27.5.1]?

Destination filename [CUST-A]?

!!

6468 bytes copied in 6.600 secs (1078 bytes/sec)


Transfer the Context config file to the new Cisco ASA Firewall.

ciscoasa-new/admin# changeto system
ciscoasa-new# copy tftp://172.27.25.251/CUST-A disk0:/CUST-A.cfg

Source filename [CUST-A.cfg]?

Address or name of remote host [172.27.5.1]?

Destination filename [CUST-A.cfg]?
!!
6468 bytes copied in 15.190 secs (431 bytes/sec)

ciscoasa-new# dir

Directory of disk0:/

<SNIP>

175    -rwx  6468        01:37:19 Jun 01 2019  CUST-A.cfg

260034560 bytes total (170184704 bytes free)



Configure the new Context and point it to the transferred config file stored in ASA flash (disk0).

ciscoasa-new# configure terminal
ciscoasa-new(config)# interface GigabitEthernet0/1.1   // CONFIGURE THE CONTEXT "INSIDE" INTERFACE 
ciscoasa-new(config)# context CTX-NEW
Creating context 'CTX-NEW'... Done. (19)
ciscoasa-new(config-ctx)# allocate-interface GigabitEthernet0/0  
ciscoasa-new(config-ctx)# allocate-interface GigabitEthernet0/1.1
ciscoasa-new(config-ctx)# config-url disk0:/CUST-A.cfg
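
A context only sees the interfaces allocated to it, so it helps to compare the interface stanzas in the transferred file against the allocate-interface lines before applying config-url. The script below is an added example, not part of the original post: the config excerpts are constructed samples (the real contents of CUST-A.cfg are not shown here), the function names are hypothetical, and allocate-interface ranges are not handled.

```python
import re

# Constructed sample: excerpt of what a context file such as CUST-A.cfg might contain.
SAMPLE_CONTEXT_CFG = """\
interface GigabitEthernet0/0
 nameif outside
!
interface GigabitEthernet0/1.1
 nameif inside
!
interface GigabitEthernet0/2
 nameif dmz
!
"""

# Constructed sample: the context stanza from the new ASA's system configuration.
SAMPLE_SYSTEM_CFG = """\
context CTX-NEW
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1.1
  config-url disk0:/CUST-A.cfg
!
"""

def referenced_interfaces(context_cfg):
    """Interface names the context file configures (top-level 'interface X' lines)."""
    return set(re.findall(r"^interface\s+(\S+)", context_cfg, re.MULTILINE))

def allocated_interfaces(system_cfg, context_name):
    """Names visible inside the context: the mapped name if given, else the physical ID."""
    names, in_ctx = set(), False
    for line in system_cfg.splitlines():
        if not line.startswith(" "):  # a top-level line opens or closes a stanza
            in_ctx = line.split() == ["context", context_name]
            continue
        parts = line.split()
        if in_ctx and parts and parts[0] == "allocate-interface":
            # Syntax: allocate-interface <physical> [mapped_name] [visible|invisible]
            mapped = [p for p in parts[2:] if p not in ("visible", "invisible")]
            names.add(mapped[0] if mapped else parts[1])
    return names

def missing_allocations(context_cfg, system_cfg, context_name):
    """Interfaces the context file needs but the system config has not allocated."""
    needed = referenced_interfaces(context_cfg)
    return sorted(needed - allocated_interfaces(system_cfg, context_name))

if __name__ == "__main__":
    for name in missing_allocations(SAMPLE_CONTEXT_CFG, SAMPLE_SYSTEM_CFG, "CTX-NEW"):
        print(f"not allocated to CTX-NEW: {name}")
```

With the constructed samples it reports GigabitEthernet0/2, which the context file configures but which was never allocated to CTX-NEW.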