Professional Documents
Culture Documents
Presented by:
Date:
WWT/Cisco Confidential
March 13, 2008
1
Agenda
Introductions
Cisco
Ci PIX - End
E d off S
Sale
l Overview
O i
Cisco ASA Product Overview
Key PIX to ASA Migration Drivers
Cisco PIX-2-ASA Feature Comparison Overview
How to Migrate from PIX to ASA Platform? Step-by-Step
Approach
WWT S Security
it Professional
P f i l Services
S i Overview
O i
Important Links/Reference Documents
Q&A
WWT/Cisco Confidential 2
Introductions
• Cisco Guests
□ Scott Maxwell, AT-CAM Commercial/Enterprise
□ Brian Sak, Virtual Security Expert
□ Tim St.
St Laurent,
Laurent AT-CAM Federal
□ Daniel Charborneau, Channel SE
WWT/Cisco Confidential 3
Which Products are Going End of Sale?
WWT/Cisco Confidential 4
Cisco PIX Security Appliance Product Family
End of Sale Timeline
Milestone Date
External announcement January 28, 2008
E d off Sales
End S l (EoS)
(E S) for
f platforms/bundles
l tf /b dl J l 28
July 28, 2008
End of Sales (EoS) for accessories January 27, 2009
End of software maintenance releases July 28
28, 2009
End of service contract renewals October 23, 2012
End of Support / End of Life (EoL) July 27, 2013
WWT/Cisco Confidential 5
Which Products are Going End of Sale?
End-of-Life Milestones and Dates for the Cisco VPN 3000 Series Concentrators
Milestone Definition Date
End-of-Life The date the document that announces the end of sale and end of life of a February 7, 2007
Announcement Date product is distributed to the general public.
End-of-Sale Date The last date to order the product through Cisco point-of-sale mechanisms. The August 6, 2007
product is no longer for sale after this date.
Last Ship Date: HW The last-possible ship date that can be requested of Cisco and/or its contract November 4, 2007
manufacturers. Actual ship date is dependent on lead time.
End of Routine Failure The last-possible date a routine failure analysis may be performed to determine August 5, 2008
Analysis Date: HW the cause of product failure or defect.
Endd of
o New
e Se
Service
ce For
o equipment
equ p e t a andd so
software
t a e tthat
at iss not
ot co
covered
e ed by a se
service-and-support
ce a d suppo t August
g 5,, 2008
Attachment Date: HW contract, this is the last date to order a new service-and-support contract or add
the equipment and/or software to an existing service-and-support contract.
End of Service The last date to extend or renew a service contract for the product. November 1, 2011
Contract Renewal
Date: HW
Last Date of The last date to receive service and support for the product. After this date, all August 4, 2012
Support: HW support services for the product are unavailable, and the product becomes
obsolete.
b l t
WWT/Cisco Confidential 6
Cisco ASA 5500 Adaptive Security Appliance
WWT/Cisco Confidential 7
Why announce the end of sale now?
WWT/Cisco Confidential 8
Your Network and Threats to Your Network
Have Changed…
g
Increased and More Complex Threats
Convergence of
Data and Voice Wireless Mobility
Branch
Office
Data
Center
Public
Services More Media-Rich
Increase in Corporate Internet Applications
O li
Online Network
Collaboration Partner
Access
Partner
New F
N Focus on
Remote
Disappearing Corporate
Access
Business Compliance
Sarbanes Oxley
LAN Apps
Network
Perimeters ISO 27001
CobiT
….Your
Your Security Must Adapt as Well
WWT/Cisco Confidential 9
Cisco ASA 5500 Series Appliances
Solutions Ranging from Desktop to Data Center
ASA 5540
ASA 5520
Cisco
ASA 5510
ASA 5505
WWT/Cisco Confidential 10
Recommended Migration Path for
Cisco PIX Security Appliance Customers
Cisco ASA 5505 Cisco ASA 5510 / 5520 Cisco ASA 5520 / 5540 Cisco ASA 5550 / 5580
Series Series Series Series
Key Migration Benefits Key Migration Benefits Key Migration Benefits Key Migration Benefits
• 1.5 - 2.5X firewall throughput • 1.6 - 2.4x firewall throughput • 1.5 - 2x firewall throughput • 2 - 20x real-world FW throughput
• 3 - 33X VPN throughput • 2.3 - 3x scalability (conns/sec) • 1.3 - 2.7x scalability • 2 - 8x scalability (conns/sec)
• 8 port switch with 2 PoE ports • Gigabit
Gi bit Eth
Ethernett supportt • Supports 3X GigE density • Supports
S t SSL VPN
VPN, iinc. clus/LB
l /LB
• VLAN support (20 with Sec+) • A/A solution costs 30% less • A/A solution costs 30% less • 10GE I/O support (5580)
• Supports SSL VPN • VPN clustering/load balancing • VPN clustering/load balancing • Supports 2.5x GE density (5580)
• Modular for future upgrades • Supports IPS, CSC, SSL VPN • Supports IPS, CSC, SSL VPN • A/A solution costs 35% less
Cisco Cisco Cisco PIX 515E Cisco PIX 525 Cisco PIX 535
PIX 501 PIX 506E Series S i
Series Series
Series Series
WWT/Cisco Confidential 11
WWT/Cisco Confidential 12
5505 5510 5520 5540 5550 5580-20 5580-40
WWT/Cisco Confidential 13
Many Compelling Benefits for Migrating to
Cisco ASA 5500 Adaptive Security Appliances
Adaptive Security Offers Mature, Next-Generation Leverages Customer’s
Better, Flexible Protection Security Solution Existing PIX Investment
WWT/Cisco Confidential 14
Cisco ASA 5500 Series: Breadth and Depth
Industry First Scalable, Multi-Function, Feature Rich Appliance
Access Control Flexible user and network based access control services
Stateful packet inspection
and
Integration with popular authentication sources including
Authentication Microsoft Active Directory, LDAP, Kerberos, and RSA SecurID
WWT/Cisco Confidential 15
Cisco ASA 5500 Adaptive Security Appliances
Delivering Market-Leading Threat Defense and VPN Services
Provides Converged Threat Defense, Flexible Secure Connectivity,
Minimized Operation Costs, and Unique Adaptive Design to Combat Future Threats
M k t L di Fi
Market-Leading Firewallll S
Services
i M k t L di VPN S
Market-Leading Services
i
Integrates and extends the #1 deployed Integrates and extends the #1
firewall technology from Cisco PIX deployed remote access VPN
Security Appliances technology from Cisco VPN 3000
Built upon the experience of over Concentrators and Cisco PIX
one million PIX deployed worldwide Security Appliances, offering both
and 10+ y years of innovation SSL and IPsec VPN services
WWT/Cisco Confidential 16
Cisco ASA 5500 Series and Cisco PIX Security
Appliances Feature Comparison
Cisco PIX Cisco ASA Cisco ASA 5500 Benefit
Flexible Access Control, Both IP
and User-Based ; ; Cisco ASA 5500 Supports More ACLs due
to Increased Memory
y
Advanced Application Layer
Firewall Services for over 30
Popular Protocols
; ; Cisco ASA 5500 Offers Better Deep Packet
Inspection Performance
Full-Featured, Hardware
Accelerated IPS Services : ; Cisco ASA 5500 Provides Superior
Protection from Attacks
Anti Virus, Anti-Spam,
Anti-Virus, Anti Spam, Anti-
Anti
Phishing, and URL Filtering
Services from Trend Micro
: ; Cisco ASA 5500 P
Ci Protects
t t ffrom M
Malware,
l
Helping Increase Employee Productivity
WWT/Cisco Confidential 17
Cisco ASA 5500 Series Modular Policy Framework
Extensible Design Enables Flexible, Flow-Based Services Policies
Application
Remote Access Inspection
Thrreat Conttrol
VPN & Control
Connectivity
Modular
IPS & Anti-X
Policy Defenses
Site-to-Site
Site to Site Framework
Secure C
The Cisco ASA 5500 Series Modular Policy Framework Allows Business to
Adapt and Extend the Security Services Profile Via Cisco-Developed and
Partner-Provided Innovations Delivering High Current Services Performance
and Services Extensibility
WWT/Cisco Confidential 18
Cisco ASA 5500 Series Modular Policy Framework
Extensible Design Enables Flexible, Flow-Based Services Policies
WWT/Cisco Confidential 19
Cisco ASA Adaptive Security Appliances
Industry Certifications and Evaluations
• Common Criteria
□ Completed: EAL4, v7.0.6—ASA 5510/20/40
(FW)
□ Completed: EAL2, v6.0—ASA SSM-10/20 (IPS)
New
□ In process: EAL4+, v7.2.2—ASA Family (FW)
□ In process: EAL4, v7.2.2—ASA Family (VPN)
• FIPS 140
□ Completed: Level 2, v7.0.4—ASA Family
□ Completed: Level 2, v7.2.2
□ In process: Level 2
2, v8
v8.0.2
02
• ICSA Firewall 4.1, Corporate Category
New
□ Completed: v7.2.2—ASA Family
• ICSA IPSec 1.0D
□ Completed: v7.0.4—ASA Family
• ICSA Anti-Virus Gateway
□ Completed: v7.1—ASA Family
• NEBS LLevell 3
□ Completed: ASA 5510, 5520, and 5540
WWT/Cisco Confidential 20
• Agenda
□ Company Highlights
□ Cisco Practice Overview
□ Professional Services Approach
WWT/Cisco Confidential 21
Cisco Security Manager
• Agenda
□ Company Highlights
□ Cisco Practice Overview
□ Professional Services Approach
WWT/Cisco Confidential 22
Migrating from the Cisco PIX Firewall to the
Cisco ASA Adaptive
p Security
y Appliance
pp
3 Simple
p Steps
p
WWT/Cisco Confidential 23
Migrating from the Cisco PIX Firewall to the
Cisco ASA Adaptive Security Appliance
WWT/Cisco Confidential 24
Migrating from the Cisco PIX Firewall to the
Cisco ASA Security
y Appliance.
pp
BUT !!!!!!
WWT/Cisco Confidential 25
Also !!!! Before you begin:
WWT/Cisco Confidential 26
Which PIX Firewalls CAN and can NOT
be upgraded to 7.0
PIX 5
515
5 PIX 515E
5 5 PIX 525
5 5 PIX 535
WWT/Cisco Confidential 27
Check the Memory Requirements on the Pix
before upgrading.
WWT/Cisco Confidential 28
Also !!!! Before you begin:
If you are upgrading a PIX 515 or 535 with PDM already installed
WWT/Cisco Confidential 29
Migrating from the Cisco PIX Firewall to
the Cisco ASA security
y Appliance
pp
Read the following Documents and print them out for reference to
make certain you understand the new, changed and deprecated
commands.
1. Release notes for the software version for which you plan to upgrade.
(7.0)
2. Guide for PIX 6.2 and 6.3 upgrading to Cisco PIX software Version 7.0
WWT/Cisco Confidential 30
Migrating from the Cisco PIX Firewall to
the Cisco ASA security
y Appliance
pp
WWT/Cisco Confidential 31
Migrating from the Cisco PIX Firewall to
the Cisco ASA security
y Appliance
pp
WWT/Cisco Confidential 32
Migrating from the Cisco PIX Firewall to
the Cisco ASA security
y Appliance
pp
WWT/Cisco Confidential 33
Migrating from the Cisco PIX Firewall to
the Cisco ASA security Appliance
2. Prepare ahead of time by downloading the PIX 7.0 software and putting
it on an available TFTP server. Save your existing configuration files and
operating system to a TFTP server on the network.
WWT/Cisco Confidential 34
Migrating from the Cisco PIX Firewall to
the Cisco ASA Adaptive
p Security
y Appliance
pp
WWT/Cisco Confidential 35
Migrating from the Cisco PIX Firewall to
the Cisco ASA security
y Appliance
pp
Step 1
Upgrade
U d your Pix
Pi Firewall
Fi ll Software
S ft Version
V i
from version 6.2 or 6.3 to Pix Software
Version 7.0.
WWT/Cisco Confidential 36
Step 1a:
Verify you are running Pix 6.2 or 6.3 and you
have enough RAM for the upgrade to 7.X
WWT/Cisco Confidential 37
Step 1b:
Save your current configuration and current operating system to a TFTP
server on the network.
WWT/Cisco Confidential 38
Step 1b: (cont’d)
WWT/Cisco Confidential 39
Step 1b
Example: startup-config.old
WWT/Cisco Confidential 40
Step 1c:
Copy the. new 7.0 code to your PIX from the TFTP server
WWT/Cisco Confidential 41
Step 1c: (cont’d)
WWT/Cisco Confidential 42
Step 1c: (cont’d)
WWT/Cisco Confidential 43
Step 1c: (cont’d)
WWT/Cisco Confidential 44
Step 1c: (cont’d)
WWT/Cisco Confidential 45
Step 1d:
After the reboot of the Pix Firewall 7.0 code will load and
the 6.X configuration will be converted to 7.X commands.
After you upgrade the Pix from 6.X to 7.X use the
show startup-config errors command to display the errors experienced
converting
ti th
the 6
6.X
X code
d to
t 7.X
7X
WWT/Cisco Confidential 46
Emergency Procedures
WWT/Cisco Confidential 47
Monitor Mode Upgrade
Hit the “ESCAPE” key right after the Pix begins to boot
WWT/Cisco Confidential 48
Monitor Mode Upgrade
WWT/Cisco Confidential 49
Monitor Mode Upgrade
WWT/Cisco Confidential 50
Monitor Mode Upgrade
WWT/Cisco Confidential 51
Monitor Mode Upgrade
WWT/Cisco Confidential 52
Monitor Mode Upgrade
WWT/Cisco Confidential 53
Monitor Mode Upgrade
WWT/Cisco Confidential 54
!!! Congratulations !!!
You have finished STEP #1.
You h
Y have upgraded
d d th
the code
d on your existing
i ti Pi
Pix
Firewall to 7.0. By doing this you have
automatically
t ti ll converted
t d your configuration
fi ti from
f
6.X commands to the new 7.X commands.
WWT/Cisco Confidential 55
Migrating from the Cisco PIX Firewall to
the Cisco ASA security Appliance
Step 2
WWT/Cisco Confidential 56
Step 2:
Copy the configuration from the PIX to the ASA.
Copy the configuration from the PIX to a TFTP server. Then use the
copy command to download the configuration from the TFTP server
to the ASA.
WWT/Cisco Confidential 57
Step 2:
G tto the
Go th PIX Firewall
Fi ll
WWT/Cisco Confidential 58
Step 2a:
Move the 7.X configuration from the PIX to the TFTP server
WWT/Cisco Confidential 59
Step 2a:
From startup
startup-config
config
To: startup-config.old
WWT/Cisco Confidential 60
Step 2a: (Cont’d)
Copy the 7.X configuration from the PIX to the TFTP server
WWT/Cisco Confidential 61
Step 2a: (Cont’d)
Copy the 7.X configuration from the PIX to the TFTP server
WWT/Cisco Confidential 62
Step 2:
WWT/Cisco Confidential 63
Step 2b:
Copy the 7.X configuration from the TFTP Server to the ASA Security
Appliance
WWT/Cisco Confidential 64
Step 2b: (Cont’d)
Copy the 7.X configuration from the TFTP Server to the ASA Security
Appliance.
WWT/Cisco Confidential 65
Step 2b: (Cont’d)
Copy the 7.X configuration from the TFTP Server to the ASA Security
Appliance.
WWT/Cisco Confidential 66
Step 2b: (Cont’d)
Copy the 7.X configuration from the TFTP Server to the ASA Security
Appliance.
WWT/Cisco Confidential 67
Step 2b: (Cont’d)
Copy the 7.X configuration from the TFTP Server to the ASA Security
Appliance.
WWT/Cisco Confidential 68
Step 2b: (Cont’d)
Copy the 7.X configuration from the TFTP Server to the ASA Security
Appliance.
WWT/Cisco Confidential 69
Step 2b: (Cont’d)
Copy the 7.X configuration from the TFTP Server to the ASA Security
Appliance.
WWT/Cisco Confidential 70
Migrating from the Cisco PIX Firewall to
the Cisco ASA security Appliance
St
Step 3
WWT/Cisco Confidential 71
Step 3:
Configure the ASA interfaces for IP, name ,
and security level (Notice the errors during conversion)
WWT/Cisco Confidential 72
ASA 5510,5520,5540,5550,5580
interface Ethernet0/0
nameif outside
security-level 0
ip address 70.222.200.111 255.255.255.224
no shutdown
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
!
interface Ethernet0/2
nameif dmz
security level 50
security-level
ip address 172.16.1.1 255.255.255.0
no shutdown
WWT/Cisco Confidential 73
Step 3: (Cont’d)
Configure the ASA interfaces for IP, name and security level
WWT/Cisco Confidential 74
Step 3: ASA 5505
Configure the ASA interfaces for IP, name ,
and security level
WWT/Cisco Confidential 75
Step 3: ASA 5505
Configure the ASA interfaces for IP, name ,
and security level
WWT/Cisco Confidential 76
Step 3: (Cont’d)
Configure the ASA interfaces for IP, name ,
and security level
WWT/Cisco Confidential 77
How do I upgrade Upgrading Pix
Failover Sets to 7.0 ???
WWT/Cisco Confidential 78
Step 1:
Power Down the Standby\Backup Pix
WWT/Cisco Confidential 79
Step 2:
Upgrade the Active\Powered On Pix to 7.0 as Previously
shown in this Demo. Reboot at least once and make certain
to verify functionality
functionality.
WWT/Cisco Confidential 80
How do I upgrade Upgrading Pix
Failover Sets to 7.0 ???
WWT/Cisco Confidential 81
Are there any known issues with upgrading
failover sets ????
WWT/Cisco Confidential 82
Summary: Why Migrate to ASA?
The Converged Advantage
WWT/Cisco Confidential 83
WWT Professional Services Offering
WWT/Cisco Confidential 84
Cisco Training Offerings
WWT is the only Cisco Gold Partner that is also a
Cisco Learning
g Partner
WWT/Cisco Confidential 85
Further Information
WWT/Cisco Confidential 86
Call to Action!!
WWT/Cisco Confidential 87
Q&A
WWT/Cisco Confidential 88
Thank You !!
WWT/Cisco Confidential 89