CISCO ASA to PALO ALTO (Expedition's migration)

L2 Linker

Hello,

I need to migrate the configuration from a CISCO ASA. I would like to know what file I need. I have the output of the "show run" command and the output of the "tech-file".

Thanks,

L5 Sessionator

The Expedition Import process mentions:

"Upload the output from the command "more system:running-config" to bring crypto keys in clear text or show running"

Would this work for you?

L2 Linker

So, I need the command "more system:running-config". Or can I use the "show run"?

Regards,

L3 Networker

Hello,

As Didac stated, "more system:running-config" will display the IPsec encrypted keys in clear text so that you are able to migrate those tunnels over from the ASA.

If you simply use a "show run", those keys remain encrypted and will not properly migrate over. Expedition is not able to crack the MD5 hash for these keys, so you will need to make it viewable for our tool to build these tunnels.

So, if possible, display the keys in clear text and transfer them to your "show run" file, save it, and upload it into Expedition to help migrate everything over in one file.

I hope this answers your question.
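
A pre-upload check for the point made in this reply, as an added example that is not part of the original thread or of Expedition: it lists the tunnel-groups in a saved ASA configuration whose pre-shared keys are still masked. It assumes masked keys appear as a run of asterisks; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample resembling saved "show run" output (documentation IP ranges).
SAMPLE_SHOW_RUN = """\
hostname asa-example
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key ExampleKey-NotReal
"""

# Assumption: a masked secret is a pre-shared-key value made up only of asterisks.
PSK_LINE = re.compile(r"^\s+(ikev[12]\b.*?pre-shared-key)\s+(\S+)\s*$")
GROUP_LINE = re.compile(r"^tunnel-group\s+(\S+)\s+ipsec-attributes\b")


def find_masked_keys(config_text):
    """Return (line_no, tunnel_group, statement) for every masked pre-shared key."""
    findings = []
    group = None
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        header = GROUP_LINE.match(line)
        if header:
            group = header.group(1)
            continue
        if line and not line[0].isspace():
            group = None  # any other top-level line ends the tunnel-group block
            continue
        psk = PSK_LINE.match(line)
        if psk and group and set(psk.group(2)) == {"*"}:
            findings.append((line_no, group, psk.group(1)))
    return findings


def ready_for_import(config_text):
    """True only when no tunnel-group still carries a masked key."""
    return not find_masked_keys(config_text)


if __name__ == "__main__":
    for line_no, group, statement in find_masked_keys(SAMPLE_SHOW_RUN):
        print(f"line {line_no}: tunnel-group {group}: '{statement}' is masked")
```

A file that passes this check contains the tunnel keys in clear text, so keep it access-restricted and delete it once the import is done.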

L2 Linker

Ok, thank you @azuniga. I understand.

I am migrating the configuration. I am using this playlist: https://www.youtube.com/watch?v=-gbQ-YcgoPs&list=PLD6FJ8WNiIqVez8EBeoyRsnQcKTA5FuZ-&index=1.

But in video 2, during the device creation, it asks for the NGFW's Serial Number. Is this step permanent, or can I change the Serial Number when I pass the config to the real device? It is because I do not have the physical devices, but I need to start with the config migration.

Regards,

L5 Sessionator

As you do not have the physical device, you won't be able to connect to it yet for retrieving its configuration or pushing the resulting configuration into it. Therefore, you can skip this "device creation" step and go ahead with the project creation and migration.

If you want to create a base configuration, you may want to use the IronSkillets and generate a base config with some best practices already in place.

Later, you can create the device, attach it to the project and do your final steps to push the configuration into the device, or simply export the XML configuration and load it into your NGFW.
