Migrating to the Cisco ASA Services Module from the FWSM
Contents
•Information About the Migration
•Migrating the FWSM Configuration to the ASA SM
•Configuration Migration Reference
•Obtaining Documentation, Obtaining Support, and Security Guidelines
Information About the Migration
This guide describes how to convert Cisco FWSM configurations to Cisco ASA SM 8.5 configurations.
This document also provides details about the differences between Cisco FWSM and Cisco ASA SM behavior.
Although the ASA SM shares a common software foundation with the FWSM, you cannot directly use a FWSM configuration on an ASA SM.
Differences between the platforms, such as the use of specific commands, prevent FWSM configurations from being used unmodified on the ASA SM.
In particular, the NAT feature on the ASA SM is redesigned for increased flexibility and functionality compared to FWSM. On the ASA SM, you can configure NAT using auto NAT, where you configure NAT as part of the attributes of a network object, and manual NAT, where you can configure more advanced NAT options.
On the ASA SM, all NAT and NAT-related commands are redesigned. The following commands were introduced or modified: nat (in global and object network configuration mode), show nat, show nat pool, show xlate, show running-config nat. The following commands were removed: global, static, nat-control, alias.
For a description of the differences in NAT matching for statics between FWSM and ASA SM, see Migration Due to Default Behavior Differences.
For detailed information about the NAT feature changes on the ASA SM, see "NAT Migration" in Cisco ASA 5500 Migration Guide for Version 8.3.
Migrating the FWSM Configuration to the ASA SM
Migrating the FWSM configuration to the ASA SM is performed in two steps:
Step 1: Running the Migration Tool
Step 2: Applying the Migrated Configuration to the ASA SM
You must perform the migration in these two steps because the Migration Tool does not make all of the necessary command syntax changes when it runs. For this reason, you cannot open the migrated configuration file, select and copy its entire contents, and paste the configuration at the command line of the ASA SM.
You must copy the migrated configuration file to the startup configuration of the ASA SM. When the ASA SM is subsequently restarted, the startup configuration is parsed upon startup. The ASA SM image takes the NAT, ACL, and other commands that have been deprecated or changed from the FWSM and translates the commands into the commands that the ASA SM accepts.
Running the Migration Tool
The Migration Tool includes a Windows and Macintosh application to perform the FWSM configuration migration.
Prerequisites
The ASA SM must be in a known state. The blade cannot have a configuration running on it. If it has been configured, execute the write erase command to clear the configuration on the service module.
To convert the FWSM configuration to an ASA SM configuration, perform the following steps:
Step 1 From the Cisco software download site, locate the file fwsm_migration_mac.zip or fwsm_migration_win.zip and save it to a Windows or Macintosh client. Decompress the ZIP file and extract the corresponding file for the system on which you plan to run the conversion application—fwsm_migration.exe or fwsm_migration.app.
Step 2 From the FWSM that you are migrating to an ASA SM, copy all the configuration files, which includes each configuration file for all contexts and the system context file, to the directory in which you extracted the Migration Tool application.
For single mode, copy the running configuration file. For multi-mode, copy the following configuration files:
•The system space configuration
•The admin context
•Any user context of interest
Step 3 Double click the fwsm_migration.exe or fwsm_migration.app file to start the Migration Tool.
The FWSM Configuration Migration dialog box appears along with a command window, which will display the progress and status of the conversion.
Step 4 Select the radio button appropriate for your conversion:
•Single File—select this option when you are converting the configuration file for the FWSM running in single-context mode.
•Directory—select this option when you are converting multiple files for the FWSM that ran in multiple-context mode. Each context has an associated configuration file and the FWSM has a system context file.
Step 5 Under the option you selected (Single File or Directory), enter information for the file or files to convert:
•Input File field—enter the path and file name for the configuration file for the single-context FWSM or click Browse to locate the file on your local system.
•Input Directory—enter the path to the directory containing all the multi-context configuration files and the system context file or click Browse to locate the directory on your local system.
Step 6 Under the option you selected (Single File or Directory), enter the conversion output information:
•Output File field—enter the path and file name that the Migration Tool will use to create the converted configuration file for the single-context FWSM.
•Output Directory—enter the path to the directory in which the Migration Tool will place the converted multi-context configuration files and the system context file, or click Browse to locate the directory on your local system.
Step 7 In the ASA SM Boot Image field, enter the location of the ASA SM boot image in the following format:
drive:/boot-file-path
The boot image value must include one of the following options:
•disk0:/path and filename on disk0
•disk1:/path and filename on disk1
•flash:/path and filename on flash
•URL beginning with tftp prefix
The value you enter in this field defines the image you want the ASA SM to boot up with when it completes the final migration.
Note You must write the boot image value to memory by issuing the write memory command on the ASA SM. Issuing the write memory command saves the boot image value you specify for the boot image to the BOOT variable in the configuration file. After writing the value to memory, verify that the boot variable was written to memory by entering the show bootvar command.
See Cisco ASA 5500 Series Command Reference, 8.5 for the ASA SM.
Step 8 In the Log Location field, enter the path and file name for the log file that the Migration Tool will use to log the status information from the conversion or click Browse to locate the file on your local system.
Step 9 Click Convert to start the conversion.
Status information appears in the command window. Once the conversion successfully completes, a Success dialog box appears.
Step 10 Click OK to end the conversion.
What to Do Next
Applying the Migrated Configuration to the ASA SM
Applying the Migrated Configuration to the ASA SM
Prerequisites
•You must have migrated your FWSM configuration by using the Migration Tool. See Running the Migration Tool.
•Configure an interface on the ASA SM to allow file transfer using TFTP, SSH, or HTTP.
Step 1 Copy the migrated files to the ASA SM via TFTP, SSH, or HTTP.
Note If necessary, add an interface configuration to allow file transfer using TFTP, SSH, or HTTP.
a. If working in single mode, copy the migrated configuration to the startup-config file.
b. If working in multiple mode, copy the system configuration to the startup-config and all context configuration files (such as the Admin context) to disk0:.
Note The context files must be placed on disk0: in the path the system configuration points to for each context. If the system configuration has the configuration URL for a context as "config-url disk0:/context/ctx1.cfg" then the file for that context needs to be placed in that context directory path.
Note You cannot paste the migrated configuration directly at the CLI prompt on the ASA SM; you must copy the configuration over the network to the startup configuration and then reload the ASA SM so that it can perform additional migrations at startup. You cannot copy and paste the configuration because of the complexities of converting certain features, such as converting the FWSM NAT feature to the NAT feature on the ASA SM, which uses Object NAT and Twice NAT.
Step 2 Reload the ASA SM when you are migrating a single mode FWSM image.
On startup, final configuration modifications will be conducted by the ASA SM image.
Note When you upload multi-mode FWSM contexts, reloading the ASA SM is not necessary after applying each multi-mode context.
Unsupported Runtime Commands
This section contains the following topics:
•Unsupported Debug Commands
•Unsupported Clear Commands
•Unsupported Show Commands
Unsupported Debug Commands
The following debug commands are supported on the FWSM but not on the ASA SM.
•[show | no] debug ip bgp
•[show | no] debug resource partition
•[show | no] debug pc-lu
•[show | no] debug ssl
•[show | no] debug npcp
•[show | no] debug route-np
•[show | no] debug aging
•[show | no] debug session
•[show | no] debug RM-NP-counter
•[show | no] debug control-plane
•[show | no] debug route-monitor
•[show | no] debug acl optimization
•[show | no] debug route-inject
Unsupported Clear Commands
The following clear commands are supported on the FWSM but not on the ASA SM.
•clear dispatch stats all
•clear ip bgp
•clear route-monitor statistics
•clear route statistics
•clear np number_item keyword
•clear np all stats
•clear npcp statistics
•clear service-acceleration
•clear configure resource rule
•clear configure resource partition
•clear configure ftp-map
•clear configure gtp-map
•clear configure mgcp-map
•clear configure h225-map
•clear configure xlate-bypass
•clear configure rip
•clear configure route-monitor
•clear configure router bgp
•clear configure control-point tcp-normalizer
•clear configure route-inject
Unsupported Show Commands
The following show commands are supported on the FWSM but not on the ASA SM.
•show running-config all ftp-map
•show running-config all gtp-map
•show running-config all mgcp-map
•show running-config all h225-map
•show running-config all xlate-bypass
•show running-config all rip
•show running-config all route-monitor
•show running-config all control-point tcp-normalizer
•show running-config all route-inject
•show resource rule
•show resource acl-partition
•show resource partition
•show flashfs
•show conn np
•show asr
•show pcdebug
•show pc conn
•show nic
•show np keyword
•show np number_item keywords
•show cpu threshold
•show dispatch table
•show dispatch statistics
•show pc xlate
•show pc local-host
•show ip bgp
•show route-monitor
•show npcp keywords
•show service-acceleration statistics
•show route-inject
Configuration Migration Reference
This section contains the following topics:
•Migration Due to Default Behavior Differences
•Migration Due to Unsupported Features in ASA SM
•Migration Due to CLI Differences
•Default Value and Value Range Differences
Migration Due to Default Behavior Differences
The major default behavior differences between FWSM and ASA SM are as follows.
Implicit Deny
By default, when the interfaces on the FWSM are configured without assigning any access list or access group commands, the FWSM drops all traffic that enters those interfaces. To allow any traffic to enter the FWSM, you must attach an inbound access list to an interface.
By default, when the interfaces on the ASA SM are configured without assigning any access list or access group commands, the ASA SM allows traffic to pass from a higher security interface (assume the inside security level is 100) to a lower security interface (assume the outside security level is 0). The inverse is not true. The ASA SM does not allow traffic to pass from the outside to inside interface.
Therefore, the Migration Tool assumes that this type of FWSM configuration requires traffic to be blocked regardless of direction. To maintain parity, the Migration Tool adds an explicit ACL (deny ip any any) on all the interfaces to deny traffic. Additionally, on the ASA SM, the last statement of any access list is an implicit deny ip any any. IOS devices use this same behavior.
See the following examples:
Example 1
Configuration: no access-list or access-group commands on any interface
Traffic from the inside to the outside is permitted.
Traffic from the outside to the inside is denied.
Example 2
Configuration:
access-list INSIDE permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE in interface inside
Traffic from the inside to the outside, source IP 192.168.1.10, is permitted.
Traffic from the inside to the outside, source IP 192.168.2.1, is denied (hits the implicit deny).
Implicit ICMP Deny
By default, the FWSM applies an implicit ICMP deny to its interfaces. The ASA SM applies an implicit ICMP permit.
When you run the Migration Tool, it adds icmp deny statements on all interfaces.
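The following Python script is an added example; it is not part of the Migration Tool or of this guide. It applies the two behaviors described above to a constructed sample configuration: interfaces without an inbound access group receive an explicit deny ip any any ACL (the assumption here is that the tool targets interfaces with no access group, since those are the ones whose default changes), and every interface receives an icmp deny statement. It also includes a first-match ACL evaluator that shows the implicit deny at the end of an ASA SM access list, as in Example 2. The ACL naming convention, interface names, and addresses are assumptions.

```python
"""Added example (not Cisco's Migration Tool). Reproduces, on a constructed
config, the two migration behaviours this section describes, and shows
first-match ACL evaluation with the ASA SM's trailing implicit deny."""
import ipaddress
import re

# Constructed single-context FWSM snippet; names and addresses are hypothetical.
SAMPLE_CONFIG = """\
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan20
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Vlan30
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE in interface inside
"""


def interfaces_and_inbound_groups(config):
    """Return (list of nameifs, dict nameif -> inbound ACL name)."""
    nameifs = re.findall(r"^\s*nameif\s+(\S+)", config, re.M)
    pairs = re.findall(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)", config, re.M)
    inbound = {ifc: acl for acl, ifc in pairs}
    return nameifs, inbound


def migration_additions(config):
    """Lines the migration adds so the ASA SM behaves like the FWSM did:
    an explicit deny ACL on interfaces that had no inbound access group
    (assumption about which interfaces the tool targets) and an icmp deny
    on every interface. ACL names follow a hypothetical <nameif>_deny_all."""
    nameifs, inbound = interfaces_and_inbound_groups(config)
    added = []
    for ifc in nameifs:
        if ifc not in inbound:
            acl = f"{ifc}_deny_all"
            added.append(f"access-list {acl} extended deny ip any any")
            added.append(f"access-group {acl} in interface {ifc}")
        # ASA syntax: icmp {permit|deny} {any|host ip|ip mask} [type] ifc
        added.append(f"icmp deny any {ifc}")
    return added


def evaluate(acl_lines, src_ip):
    """First-match evaluation of 'permit|deny ip <net> <mask> any' entries.
    If nothing matches, the ASA SM's implicit 'deny ip any any' applies."""
    src = ipaddress.ip_address(src_ip)
    pattern = r"access-list \S+ extended (permit|deny) ip (\S+) (\S+) any"
    for line in acl_lines:
        m = re.match(pattern, line)
        if not m:
            continue  # ignore entries outside the simple form handled here
        action, net, mask = m.groups()
        if net == "any" or src in ipaddress.ip_network(f"{net}/{mask}", strict=False):
            return action
    return "deny"  # implicit deny at the end of every ASA access list


if __name__ == "__main__":
    for line in migration_additions(SAMPLE_CONFIG):
        print(line)
    inside_acl = [l for l in SAMPLE_CONFIG.splitlines() if l.startswith("access-list")]
    for host in ("192.168.1.10", "192.168.2.1"):
        print(host, "->", evaluate(inside_acl, host))
```

Running the script prints the lines the migration would append for the sample configuration and then evaluates the two hosts of Example 2 against the INSIDE access list: 192.168.1.10 is permitted by the explicit entry, and 192.168.2.1 falls through to the implicit deny.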
NAT Matching for Statics
By default, FWSM is configured to use best match for static NAT and static PAT (regular and policy). When overlapping IP addresses occur in the static statements, a warning is displayed but the overlapping IP addresses are supported. The order of the static commands does not matter; the static statement that best matches the real address is used.
In the ASA SM, IP addresses are matched against static NAT and static PAT rules based on the order the rules appear in the configuration.
The Migration Tool is unable to preserve the behavior of the FWSM; therefore, if you have overlapping NAT rules, you should look at your migrated configuration to ensure it matches your address translation requirements.
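The following Python script is an added example and is not Cisco code. It contrasts the FWSM best-match behavior with the ASA SM first-match (configuration order) behavior on a constructed pair of overlapping static rules, and lists the rules that an earlier, broader rule would shadow under first-match, which are the overlaps to review in a migrated configuration. The rules and addresses are constructed; each static is modeled as a real network and a mapped network of the same size, with hosts translated by their offset within the network.

```python
"""Added example (not Cisco code): FWSM best-match versus ASA SM first-match
for overlapping static NAT rules, plus a check for shadowed rules."""
import ipaddress

# Constructed overlapping statics in configuration order: (real, mapped).
STATIC_RULES = [
    ("10.1.0.0/16", "172.20.0.0/16"),   # broad rule listed first
    ("10.1.2.0/24", "203.0.113.0/24"),  # more specific rule listed later
]


def _parse(rules):
    return [(ipaddress.ip_network(r), ipaddress.ip_network(m)) for r, m in rules]


def _translate(ip, real, mapped):
    # Map the host by its offset within the real network onto the mapped one.
    offset = int(ip) - int(real.network_address)
    return str(mapped.network_address + offset)


def fwsm_best_match(rules, real_ip):
    """FWSM: order does not matter; the most specific matching static wins."""
    ip = ipaddress.ip_address(real_ip)
    hits = [(r, m) for r, m in _parse(rules) if ip in r]
    if not hits:
        return None
    real, mapped = max(hits, key=lambda rm: rm[0].prefixlen)
    return _translate(ip, real, mapped)


def asa_first_match(rules, real_ip):
    """ASA SM: the first matching rule in configuration order wins."""
    ip = ipaddress.ip_address(real_ip)
    for real, mapped in _parse(rules):
        if ip in real:
            return _translate(ip, real, mapped)
    return None


def shadowed_rules(rules):
    """Pairs (i, j): rule j is a strict subnet of an earlier rule i, so under
    first-match it is never used. These are the overlaps to review."""
    parsed = _parse(rules)
    shadowed = []
    for j, (rj, _) in enumerate(parsed):
        for i in range(j):
            ri = parsed[i][0]
            if rj != ri and rj.subnet_of(ri):
                shadowed.append((i, j))
                break
    return shadowed


if __name__ == "__main__":
    host = "10.1.2.5"
    print("FWSM best match :", fwsm_best_match(STATIC_RULES, host))
    print("ASA SM first hit:", asa_first_match(STATIC_RULES, host))
    print("shadowed (i, j) :", shadowed_rules(STATIC_RULES))
```

For host 10.1.2.5 the FWSM would use the /24 static regardless of order, while the ASA SM uses the /16 listed first; reversing the two rules in the migrated configuration restores the original result, and shadowed_rules reports no overlap for that order.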
Migration Due to Unsupported Features in ASA SM
The following FWSM features are not supported in ASA SM.
IPSec in Multimode (Management only)
On the FWSM, IPSec is supported for management purposes in multimode.
The ASA SM does not support IPSec in multimode; in fact, IPSec is not supported in either single or multiple mode. When you run the Migration Tool, it removes any VPN related commands and informs you that IPSec is not supported.
Asymmetric Routing
When asymmetric routing was introduced in ASA SM, it was not affected by the active/active restriction.
On the ASA SM, asymmetric routing is only supported in active/active mode.
The Migration Tool removes the commands if the unit is not in active/active mode and informs the user.
BGP Stub Routing
CLI commands:
router bgp
bgp router-id
neighbor remote-as
neighbor password
network
This is a feature in FWSM that supports BGP stub routing.
ASA SM does not support this feature.
The Migration Tool removes the BGP related commands and informs the user.
Failover Preemption for Active/Standby Failover
CLI command:
[no] failover preempt
This is a feature in FWSM that can be configured in an Active/Standby failover scenario. When this feature is configured, the Primary unit always becomes Active after a certain time in the following cases:
•When the primary unit fails and the secondary becomes active
•When the secondary unit boots before the primary unit and the secondary unit is active
ASA SM does not support this feature.
The Migration Tool removes the command and informs the user.
Route Health Injection
CLI commands:
route-inject
redistribute nat
redistribute connected
redistribute static
This is a feature on the FWSM that installs the connected, static, and NAT pool routes configured on the FWSM into the MSFC on a per-context basis. The MSFC can then redistribute the routes.
ASA SM does not support this feature.
DHCP Relay Interface Specific Servers
CLI:
interface vlan vlan_id
dhcprelay server ip_address
The FWSM added this feature in 3.2(1). With this feature, interface-specific DHCP servers can be configured: the dhcprelay server command, previously available only in global configuration mode, could also be entered in interface configuration mode.
ASA SM does not support this feature.
The Migration Tool converts the commands from interface specific to global and informs the user.
Stateful Failover Uauth Table Replication
FWSM supports replicating the Uauth Table to the failover peer when stateful failover is configured.
ASA SM does not support this feature.
The Migration Tool adds an INFO message when stateful failover is configured.
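The following Python script is an added example and is not the Migration Tool. It scans a constructed FWSM configuration for the unsupported-feature commands listed in this section (BGP stub routing, failover preempt, route health injection, interface-specific dhcprelay server) and reports each line with the reason, so that a migrated configuration can be reviewed before it is applied. Two patterns are assumptions rather than taken from this guide: crypto and isakmp lines stand in for the "VPN related commands" the tool removes, and a failover link line is used as the indicator that stateful failover is configured.

```python
"""Added example (not Cisco's Migration Tool): report FWSM commands that
this section lists as unsupported on the ASA SM, with line numbers."""

# Constructed FWSM configuration; hostnames, AS numbers and addresses are hypothetical.
SAMPLE_CONFIG = """\
hostname fw1
interface Vlan10
 nameif inside
 dhcprelay server 10.10.10.5
interface Vlan20
 nameif outside
router bgp 65001
 bgp router-id 10.0.0.1
 neighbor 10.0.0.2 remote-as 65000
 network 10.1.0.0
failover preempt
route-inject
 redistribute static
failover link fover Vlan99
dhcprelay enable inside
"""

BGP_SUBCOMMANDS = ("router bgp", "bgp router-id", "neighbor ", "network ")


def scan_unsupported(config):
    """Return (line_number, line, reason) for each command the ASA SM does
    not support. Block context is tracked by indentation: an unindented
    line starts a new block, an indented line belongs to the current one."""
    findings = []
    block = None  # "interface", "router bgp", "route-inject" or None
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not raw.startswith(" "):
            if line.startswith("interface "):
                block = "interface"
            elif line.startswith("router bgp"):
                block = "router bgp"
            elif line == "route-inject":
                block = "route-inject"
            else:
                block = None
        reason = None
        if block == "router bgp" and line.startswith(BGP_SUBCOMMANDS):
            reason = "BGP stub routing is not supported; the tool removes the command"
        elif line in ("failover preempt", "no failover preempt"):
            reason = "failover preemption is not supported; the tool removes the command"
        elif block == "route-inject" and (line == "route-inject" or line.startswith("redistribute ")):
            reason = "route health injection is not supported"
        elif block == "interface" and line.startswith("dhcprelay server"):
            reason = "interface-specific DHCP relay server; the tool converts it to global"
        elif line.startswith(("crypto ", "isakmp ")):
            reason = "IPSec is not supported; VPN command removed (assumed pattern)"
        elif line.startswith("failover link"):
            reason = "INFO: stateful failover configured; Uauth table replication is not supported"
        if reason:
            findings.append((n, line, reason))
    return findings


def flagged_line_numbers(config):
    return [n for n, _, _ in scan_unsupported(config)]


if __name__ == "__main__":
    for n, line, reason in scan_unsupported(SAMPLE_CONFIG):
        print(f"line {n:>3}: {line:<40} {reason}")
```

The dhcprelay enable line at the end of the sample is not reported: only the interface-mode dhcprelay server form is affected, and the scan relies on indentation to tell the two apart.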
Migration Due to CLI Differences
The following table lists the differences between CLI commands for FWSM and ASA SM:
Default Value and Value Range Differences
The following table lists the differences in default values and value ranges between the FWSM and the ASA SM. These differences in default values and value ranges do not affect the migration to ASA SM from FWSM.
SNMP Differences
The following FWSM MIBs are not supported by ASA SM:
CISCO-ENTITY-ALARM-MIB.my
CISCO-ENTITY-REDUNDANCY-MIB.my
CISCO-ENTITY-REDUNDANCY-TC-MIB.my
CISCO-NAT-EXT-MIB.my
TCP-MIB.my
UDP-MIB.my
The following FWSM SNMP traps are not supported by ASA SM.
ceAlarmAsserted: CISCO-ENTITY-ALARM-MIB.my
ceRedunEventSwitchover: CISCO-ENTITY-REDUNDANCY-MIB.my
clrResourceRateLimitReached: CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB.my
Related Documentation
For additional information about the FWSM, go to the following URL:
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html
For additional information about the ASA SM, go to the following URL:
http://www.cisco.com/go/asadocs
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
©2010 Cisco Systems, Inc. All rights reserved.