Migrating from PIX 6.3 to ASA 9.2

network-engineering cisco cisco-asa firewall cisco-commands pix
2022-02-23 17:35:03

I inherited a production Cisco PIX 6.3 firewall and an unconfigured ASA 5512 running 9.2. I have been reading about converting the existing PIX configuration into an ASA-compatible one, and a migration tool is mentioned, but Cisco no longer provides it. Doing this by hand is a bit beyond my expertise. I understand some of the commands, but not others.

I don't have a second ISP connection with multiple WAN IPs to test with.

Here is the sanitized running config, as requested.

: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security49
nameif ethernet4 intf4 security20
nameif ethernet5 fail security20
enable password REDACTED encrypted
passwd REDACTED encrypted
hostname PixFirewall
domain-name example.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network deny-known-bad-ips
  network-object host A.B.C.D
  network-object host E.F.G.H
  ...
object-group network spam-filter
  network-object I.J.K.L 255.255.240.0
  network-object M.N.O.P 255.255.224.0
  ...
object-group network ipsoft
  network-object 192.168.12.23 255.255.255.255
  network-object 192.168.12.24 255.255.255.255
object-group network catCLE
  network-object 10.2.12.17 255.255.255.255
  network-object 10.2.12.18 255.255.255.255
object-group network CLE
  network-object 10.2.0.0 255.255.0.0
  network-object 166.8.136.0 255.255.255.0
  network-object 166.8.138.0 255.255.255.0
object-group network cloud_app
  network-object Q.R.S.T 255.255.255.224
  network-object U.V.W.X 255.255.255.240
  ...
object-group network ftp-server-access
  description ACL group for allowing access to certain services on the FTP server
  network-object host a.b.c.d
  network-object host e.f.g.h
object-group network vendor-access
  description Access group to allow vendor access remotely
  network-object host i.j.k.l
  network-object host m.n.o.p
object-group network ssh-access
  description Access group to allow SSH Access
  network-object host q.r.s.t
  network-object host u.v.w.x
object-group network newerFTP-web-access
  description Access group to allow web access to newer FTP server
  network-object host 1.2.3.4
object-group network RDP-access
  description "Network Group to allow RDP access to IT people"
  network-object host 2.3.4.5
  network-object host 3.4.5.6
access-list inside-to-out permit tcp any any
access-list inside-to-out permit udp any any
access-list inside-to-out permit icmp any any echo
access-list inside-to-out permit icmp any any echo-reply
access-list outside-to-in permit tcp any host F.S.T.45 eq https
access-list outside-to-in permit tcp any host F.S.T.46 eq www
access-list outside-to-in permit tcp any host F.S.T.46 eq https
access-list outside-to-in permit tcp any host F.S.T.48 eq https
access-list outside-to-in permit tcp any host F.S.T.48 eq www
access-list outside-to-in permit tcp any host F.S.T.51 eq www
access-list outside-to-in permit tcp any host F.S.T.51 eq https
access-list outside-to-in permit tcp any host F.S.T.47 eq https
access-list outside-to-in permit tcp any host F.S.T.47 eq www
access-list outside-to-in permit tcp any host F.S.T.44 eq www
access-list outside-to-in permit tcp any host F.S.T.44 eq https
access-list outside-to-in permit udp any host F.S.T.41 eq isakmp
access-list outside-to-in permit esp any host F.S.T.41
access-list outside-to-in permit tcp any host F.S.T.37 eq domain
access-list outside-to-in permit udp any host F.S.T.37 eq domain
access-list outside-to-in permit tcp any host F.S.T.40 eq domain
access-list outside-to-in permit udp any host F.S.T.40 eq domain
access-list outside-to-in permit tcp object-group spam-filter host F.S.T.40 eq smtp
access-list outside-to-in permit tcp any host F.S.T.53 eq www
access-list outside-to-in permit tcp any host F.S.T.53 eq https
access-list outside-to-in permit tcp any host F.S.T.54 eq www
access-list outside-to-in permit tcp any host F.S.T.54 eq https
access-list outside-to-in permit tcp any host F.S.T.45 eq www
access-list outside-to-in permit tcp host 20.18.19.22 host F.S.T.49 eq 445
access-list outside-to-in permit tcp any host F.S.T.46 eq ftp
access-list outside-to-in permit tcp any host F.S.T.55 eq https
access-list outside-to-in permit tcp any host F.S.T.55 eq www
access-list outside-to-in permit tcp any host F.S.T.42 eq www
access-list outside-to-in permit udp any host F.S.T.41 eq 4500
access-list outside-to-in permit tcp any host F.S.T.57 eq www
access-list outside-to-in permit tcp any host F.S.T.53 eq 2052
access-list outside-to-in permit tcp object-group cloud_app host F.S.T.40 eq smtp
access-list outside-to-in permit tcp any host F.S.T.45 eq pop3
access-list outside-to-in permit tcp any host F.S.T.59 eq ftp
access-list outside-to-in permit icmp any any echo-reply
access-list outside-to-in permit icmp any any echo
access-list outside-to-in permit tcp any host F.S.T.59 range 38700 39699
access-list outside-to-in permit icmp any any unreachable
access-list outside-to-in permit icmp any any time-exceeded
access-list outside-to-in permit tcp any host F.S.T.42 eq 8080
access-list outside-to-in permit tcp object-group ftp-server-access host F.S.T.59 eq www
access-list outside-to-in permit tcp any host F.S.T.53 range 28000 30000
access-list outside-to-in permit tcp any host F.S.T.60 eq ftp
access-list outside-to-in permit tcp any host F.S.T.60 range 38700 39699
access-list outside-to-in permit tcp object-group vendor-access host F.S.T.61 eq ssh
access-list outside-to-in permit tcp object-group ssh-access host F.S.T.39 eq ssh
access-list outside-to-in permit tcp object-group newerFTP-web-access host F.S.T.60 eq www
access-list outside-to-in permit tcp object-group RDP-access host F.S.T.62 eq 3389
access-list outside-to-in permit tcp object-group ssh-access host F.S.T.36 eq ssh
access-list outside-to-in permit tcp any host F.S.T.36 eq smtp
access-list outside-to-in permit tcp any host F.S.T.36 eq www
access-list outside-to-in permit tcp any host F.S.T.36 eq pop3
access-list outside-to-in permit tcp any host F.S.T.36 eq imap4
access-list outside-to-in permit tcp any host F.S.T.36 eq https
access-list outside-to-in permit tcp any host F.S.T.36 eq 587
access-list outside-to-in permit tcp any host F.S.T.36 eq 993
access-list outside-to-in permit tcp any host F.S.T.36 eq 995
access-list outside-to-in permit tcp any host F.S.T.42 eq https
access-list outside-to-in permit tcp object-group ssh-access host F.S.T.43 eq ssh
access-list outside-to-in permit tcp any host F.S.T.43 eq https
access-list outside-to-in permit tcp any host F.S.T.43 eq 6876
access-list outside-to-in permit tcp object-group ftp-server-access host F.S.T.59 eq https
access-list outside-to-in permit tcp any host F.S.T.43 eq www
access-list outside-to-in permit tcp any host F.S.T.57 eq https
access-list dmz1fltr permit tcp host 192.168.8.25 host 10.2.12.12 eq 8009
access-list dmz1fltr permit udp host 192.168.8.11 host 10.2.0.3 eq domain
access-list dmz1fltr permit udp host 192.168.8.12 host 10.2.0.3 eq domain
access-list dmz1fltr permit tcp host 192.168.8.11 host 10.2.8.5 eq 1433
access-list dmz1fltr permit tcp host 192.168.8.12 host 10.2.8.5 eq 1433
access-list dmz1fltr permit tcp host 192.168.8.11 host 10.2.12.12 eq 8009
access-list dmz1fltr permit tcp host 192.168.8.12 host 10.2.12.12 eq 8009
access-list dmz1fltr permit tcp host 192.168.8.5 any eq domain
access-list dmz1fltr permit udp host 192.168.8.5 any eq domain
access-list dmz1fltr permit tcp host 192.168.8.5 any eq smtp
access-list dmz1fltr deny ip host 192.168.8.6 host 10.2.12.12
access-list dmz1fltr deny ip host 192.168.8.6 host 10.2.4.2
access-list dmz1fltr deny ip host 192.168.8.6 host 10.2.0.3
access-list dmz1fltr deny ip host 192.168.8.6 host 10.2.8.5
access-list dmz1fltr permit tcp host 192.168.8.6 any eq smtp
access-list dmz1fltr permit tcp host 192.168.8.6 any eq domain
access-list dmz1fltr permit udp host 192.168.8.6 any eq domain
access-list dmz1fltr deny ip host 192.168.8.8 host 10.2.12.12
access-list dmz1fltr deny ip host 192.168.8.8 host 10.2.4.2
access-list dmz1fltr deny ip host 192.168.8.8 host 10.2.0.3
access-list dmz1fltr deny ip host 192.168.8.8 host 10.2.8.5
access-list dmz1fltr permit esp host 192.168.8.8 any
access-list dmz1fltr permit udp host 192.168.8.8 any eq isakmp
access-list dmz1fltr permit udp host 192.168.8.8 any eq 4500
access-list dmz1fltr permit tcp host 192.168.8.5 any eq ftp
access-list dmz1fltr permit tcp host 192.168.8.5 host 10.2.8.81 eq ftp
access-list dmz1fltr permit udp host 192.168.8.53 host 10.2.0.3 eq domain
access-list dmz1fltr permit udp host 192.168.8.60 host 10.2.0.3 eq domain
access-list dmz1fltr permit udp host 192.168.8.60 host 10.2.8.7 eq domain
access-list dmz1fltr permit tcp host 192.168.8.60 any
access-list dmz1fltr permit tcp host 192.168.8.53 host 10.2.24.5 eq 2737
access-list dmz1fltr permit tcp host 192.168.8.53 host 10.2.24.5 eq 2051
access-list dmz1fltr permit udp host 192.168.8.53 host 10.2.24.5 eq 20000
access-list dmz1fltr permit tcp host 192.168.8.53 host 10.2.24.5 eq 20000
access-list dmz1fltr permit tcp host 192.168.8.4 host 10.2.8.81 eq ftp
access-list dmz1fltr permit icmp any any echo-reply
access-list dmz1fltr permit icmp any any echo
access-list dmz1fltr permit tcp host 192.168.8.4 any eq www
access-list dmz1fltr permit tcp any host 192.168.8.4 eq www
access-list dmz1fltr permit tcp host 192.168.8.4 any eq ftp-data
access-list dmz1fltr permit tcp any host 192.168.8.4 eq ssh
access-list dmz1fltr permit tcp host 192.168.8.4 any eq ssh
access-list dmz1fltr permit tcp host 192.168.8.4 any eq domain
access-list dmz1fltr permit udp host 192.168.8.4 any eq domain
access-list dmz1fltr permit udp any host 192.168.8.4 eq domain
access-list dmz1fltr permit tcp any host 192.168.8.4 eq domain
access-list dmz1fltr permit tcp host 192.168.8.4 any eq ftp
access-list dmz1fltr permit tcp host 192.168.8.4 any eq cmd
access-list dmz1fltr permit tcp any host 192.168.8.4 eq cmd
access-list dmz1fltr permit tcp any host 192.168.8.5 eq cmd
access-list dmz1fltr permit tcp host 192.168.8.5 any eq cmd
access-list dmz1fltr permit tcp host 192.168.8.4 any eq telnet
access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.117 eq www
access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.97 eq www
access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.145 eq www
access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.117 eq https
access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.97 eq https
access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.145 eq https
access-list dmz2fltr permit tcp host 166.8.137.30 host 10.2.0.21 eq https
access-list dmz2fltr deny ip any host 166.8.138.117
access-list dmz2fltr deny ip any host 166.8.138.97
access-list dmz2fltr deny ip any host 10.2.0.21
access-list dmz2fltr deny ip host 166.8.137.5 host 166.8.138.117
access-list dmz2fltr deny ip host 166.8.137.5 host 166.8.138.97
access-list dmz2fltr deny ip host 166.8.137.5 host 166.8.138.145
access-list dmz2fltr deny ip host 166.8.137.5 host 10.2.0.21
access-list dmz2fltr permit tcp host 166.8.137.5 any eq smtp
access-list dmz2fltr permit tcp host 166.8.137.5 host 10.2.0.19 eq smtp
access-list dmz2fltr permit udp host 166.8.137.5 host 10.2.0.3 eq domain
access-list dmz2fltr permit tcp host 166.8.137.30 host 10.2.0.28 eq https
access-list dmz2fltr permit tcp host 166.8.137.30 host 10.2.0.28 eq www
access-list dmz2fltr deny ip any host 10.2.0.28
access-list dmz2fltr permit tcp host 166.8.137.31 any eq ftp
access-list dmz2fltr permit tcp host 166.8.137.5 host 10.2.8.98 eq ssh
access-list dmz2fltr permit tcp host 166.8.137.42 host 166.8.138.141 eq 1433
access-list dmz2fltr permit udp host 166.8.137.42 host 10.2.0.3 eq domain
access-list dmz2fltr deny ip any host 10.2.0.3
access-list dmz2fltr deny ip any host 10.2.0.19
access-list dmz2fltr deny ip any host 166.8.138.141
access-list dmz2fltr permit tcp host 166.8.137.42 any eq www
access-list dmz2fltr permit tcp host 166.8.137.42 any eq https
access-list dmz2fltr permit tcp host 166.8.137.42 any eq ftp
access-list dmz2fltr permit tcp host 166.8.137.5 host 10.2.0.28 eq smtp
access-list dmz2fltr permit icmp any any echo
access-list dmz2fltr permit icmp any any echo-reply
access-list dmz2fltr permit tcp host 166.8.137.42 any eq 8080
access-list nonat deny ip any 16.18.20.0 255.255.255.0
access-list nonat deny ip any 10.255.1.0 255.255.255.0
access-list nonat permit ip object-group catCLE object-group ipsoft
access-list nonat permit ip object-group CLE host 166.8.137.31
access-list vpn-cat permit ip object-group catCLE object-group ipsoft
pager lines 24
logging on
logging monitor warnings
logging buffered critical
logging trap errors
logging history emergencies
logging host inside 10.2.8.100
icmp permit any unreachable outside
icmp permit any unreachable dmz1
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu intf4 1500
mtu fail 1500
ip address outside F.S.T.34 255.255.255.224
ip address inside 192.168.14.2 255.255.255.0
ip address dmz1 192.168.8.1 255.255.255.0
ip address dmz2 166.8.137.1 255.255.255.0
ip address intf4 172.16.1.1 255.255.255.0
ip address fail 192.168.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address dmz2
no failover ip address intf4
no failover ip address fail
pdm history enable
arp timeout 14400
global (outside) 1 F.S.T.35
global (dmz1) 1 interface
global (dmz2) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 166.8.136.0 255.255.255.0 0 0
nat (inside) 1 166.8.138.0 255.255.255.0 0 0
nat (inside) 1 166.8.139.0 255.255.255.0 0 0
nat (inside) 1 192.168.6.0 255.255.255.0 0 0
nat (inside) 1 10.2.0.0 255.255.0.0 0 0
alias (inside) F.S.T.44 166.8.137.10 255.255.255.255
alias (inside) F.S.T.46 166.8.137.31 255.255.255.255
static (inside,dmz2) 10.2.0.19 10.2.0.19 netmask 255.255.255.255 0 0
static (inside,dmz2) 10.2.0.3 10.2.0.3 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.0.3 10.2.0.3 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.8.5 10.2.8.5 netmask 255.255.255.255 0 0
static (inside,dmz2) 10.2.0.21 10.2.0.21 netmask 255.255.255.255 0 0
static (inside,dmz2) 166.8.138.97 166.8.138.97 netmask 255.255.255.255 0 0
static (inside,dmz2) 166.8.138.145 166.8.138.145 netmask 255.255.255.255 0 0
static (inside,dmz2) 166.8.138.117 166.8.138.117 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.4.2 10.2.4.2 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.12.12 10.2.12.12 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.45 166.8.137.30 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.46 166.8.137.31 netmask 255.255.255.255 0 0
static (dmz1,outside) F.S.T.51 192.168.8.25 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.47 166.8.137.40 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.44 166.8.137.10 netmask 255.255.255.255 0 0
static (dmz1,outside) F.S.T.41 192.168.8.8 netmask 255.255.255.255 0 0
static (dmz1,outside) F.S.T.37 192.168.8.2 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.54 166.8.137.50 netmask 255.255.255.255 0 0
static (inside,dmz2) 10.2.0.28 10.2.0.28 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.48 166.8.138.145 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.49 10.2.4.45 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.40 166.8.137.5 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.55 166.8.137.60 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.42 166.8.137.42 netmask 255.255.255.255 0 0
static (inside,dmz2) 166.8.138.141 166.8.138.141 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.8.81 10.2.8.81 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.4.35 10.2.4.35 netmask 255.255.255.255 0 0
static (dmz1,outside) F.S.T.53 192.168.8.53 netmask 255.255.255.255 0 0
static (inside,dmz1) 166.8.136.35 166.8.136.35 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.8.7 10.2.8.7 netmask 255.255.255.255 0 0
static (dmz1,outside) F.S.T.58 192.168.8.60 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.24.5 10.2.24.5 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.4.45 10.2.4.45 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.5.67 10.2.5.67 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.59 10.2.8.48 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.39 10.2.9.86 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.60 10.2.8.148 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.61 10.2.8.44 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.62 10.2.0.100 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.36 10.2.8.250 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.43 10.2.4.250 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.57 10.2.8.88 netmask 255.255.255.255 0 0
access-group outside-to-in in interface outside
access-group inside-to-out in interface inside
access-group dmz1fltr in interface dmz1
access-group dmz2fltr in interface dmz2
route outside 0.0.0.0 0.0.0.0 F.S.T.33 1
route inside 10.2.0.0 255.255.0.0 192.168.14.1 1
route inside 10.22.66.22 255.255.255.255 192.168.14.1 1
route inside 10.22.66.23 255.255.255.255 192.168.14.1 1
route inside 166.8.1.0 255.255.255.0 192.168.14.1 1
route inside 166.8.65.38 255.255.255.255 192.168.14.1 1
route inside 166.8.136.0 255.255.255.0 192.168.14.1 1
route inside 166.8.138.0 255.255.255.0 192.168.14.1 1
route inside 166.8.139.0 255.255.255.0 192.168.14.1 1
route inside 192.168.6.0 255.255.255.0 192.168.14.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 10.2.0.5 source inside
http server enable
http 10.2.0.123 255.255.255.255 inside
snmp-server host inside 10.2.8.98
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set kristrong esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600 kilobytes 10000
crypto map kri 15 ipsec-isakmp
crypto map kri 15 match address vpn-cat
crypto map kri 15 set pfs group2
crypto map kri 15 set peer 20.17.14.4
crypto map kri 15 set transform-set kristrong
crypto map kri interface outside
isakmp enable outside
isakmp key ******** address 20.17.14.4 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
telnet 10.2.8.100 255.255.255.255 inside
telnet timeout 30
ssh 10.2.8.100 255.255.255.255 inside
ssh 10.229.66.228 255.255.255.255 inside
ssh 10.2.0.0 255.255.252.0 inside
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:b80c9ac5e742040be7dc4f8d1f69f1c2
: end
1 Answer

Option 1 - Manual conversion

The Cisco Migration Guide for Converting Cisco PIX Configurations to Cisco ASA 5500 Series Configurations has a whole section, "Manual Configuration Conversion":

Performing a manual conversion is the most time-consuming method, but it allows the greatest control over the conversion. A manual conversion consists of the following parts:

• Interface mapping
• FIXUP conversion
• LAN-based failover
• Dynamic interface addressing
• Multiple context mode configuration conversion

Option 2 - Convert the configuration by upgrading

You didn't say which PIX model this is, but given that you have six Ethernet interfaces it must be one of the larger models (515 or bigger). If it has enough memory, you can upgrade it to PIX 7.x, which automatically converts the configuration to version 7 syntax, and that is the same as ASA 7 syntax (apart from the interface names).

Migrating from the PIX 500 Series Security Appliance to the ASA 5500 Series Adaptive Security Appliance describes how to do this.

Now, there are still some differences between 7.x syntax and 9.x syntax (mainly the new NAT syntax introduced in 8.3). Normally you would upgrade the ASA from 8.2 to 8.3 and then from 8.3 to 9.0, and each upgrade would make the necessary configuration changes for you automatically. Honestly, I'm not sure whether that automatic conversion also works if you copy/paste 7.x syntax into a 9.2 system. You could try to find that in the documentation, or just try it and see how far you get (and/or use the documentation mentioned in Option 1 to apply the remaining changes).

Some documentation pointers:

If you have access to ASA images, consider first downgrading it to the oldest version that applies to your particular device, then copy/pasting the 7.x configuration, then upgrading it back to the desired version (in steps, if required).

Option 3: Convert using the conversion tool

If you have a service contract for the ASA, or even if the ASA is merely under warranty, open a TAC case and ask for the conversion tool. Even if you don't, it's worth a try. If the ASA came from a Cisco reseller, ask the reseller for the tool (or have them get it from Cisco).

If that isn't an option, the Migration Guide for Converting Cisco PIX Configurations to Cisco ASA 5500 Series Configurations mentions that the tool's installer is called PIXtoASASetup.exe. A Google search turns up several non-Cisco sites where you can still download it, but obviously at your own risk.
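The part of the manual conversion that bites hardest is the one the answer calls "the new NAT syntax introduced in 8.3". The following script is an added example, not Cisco's PIXtoASA tool and not part of the answer above: it takes the `static`, `global`/`nat` and interface-bound `access-list` lines from the posted config, emits ASA 8.3+ object NAT, and rewrites the mapped addresses in the outside ACL to the real addresses. That last step is the security-relevant one: from 8.3 on an interface ACL is evaluated after un-NAT, so a rule that still names F.S.T.45 never matches, and the service it was meant to expose is either silently blocked or, if someone then "fixes" it with a broad permit, over-exposed. The object-name convention (`dmz2_166.8.137.30_to_outside`) is an assumption, the sample input is a constructed subset of the posted config, and `nat 0 access-list nonat` (NAT exemption, which becomes twice NAT), `alias` (replaced by the `dns` keyword on a NAT rule), `fixup` (replaced by `inspect` in the global policy) and the crypto map are deliberately left for the manual section.

```python
"""Worked conversion of the NAT and access-list constructs from the posted PIX 6.3
config into ASA 8.3+/9.x syntax.  Added example, not Cisco's PIXtoASA tool.
Object names are an assumed convention; `nat 0 access-list`, `alias`, `fixup`
and the crypto/isakmp lines are deliberately left for manual conversion."""
import re

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
HOST_MASK = "255.255.255.255"

# Constructed input: lines copied from the posted config (F.S.T.x are the
# poster's redacted public addresses).
SAMPLE = """\
global (outside) 1 F.S.T.35
global (dmz1) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.2.0.0 255.255.0.0 0 0
static (inside,dmz1) 10.2.0.3 10.2.0.3 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.45 166.8.137.30 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.62 10.2.0.100 netmask 255.255.255.255 0 0
access-list outside-to-in permit tcp any host F.S.T.45 eq https
access-list outside-to-in permit tcp object-group RDP-access host F.S.T.62 eq 3389
access-list dmz1fltr permit udp host 192.168.8.11 host 10.2.0.3 eq domain
access-list vpn-cat permit ip object-group catCLE object-group ipsoft
access-group outside-to-in in interface outside
access-group dmz1fltr in interface dmz1
""".splitlines()


def _network_object(name, addr, mask):
    """Body of an ASA 'object network': host for a /32, subnet otherwise."""
    body = f"host {addr}" if mask == HOST_MASK else f"subnet {addr} {mask}"
    return [f"object network {name}", f" {body}"]


def convert(pix_lines):
    """Return ASA 8.3+ config lines for the PIX static/global/nat/ACL lines given."""
    statics, globals_, nats, acls, bindings = [], [], [], {}, {}
    for raw in pix_lines:
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groups())      # real_if, mapped_if, mapped, real, mask
        elif m := GLOBAL_RE.match(line):
            globals_.append(m.groups())     # mapped_if, pool_id, pool
        elif m := NAT_RE.match(line):
            nats.append(m.groups())         # real_if, pool_id, net, mask
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
        elif m := GROUP_RE.match(line):
            bindings[m.group(1)] = m.group(2)

    out = []
    # 1. static (real_if,mapped_if) MAPPED REAL -> object NAT.  One object per
    #    (real host, mapped interface): an object network carries only one nat line.
    mapped_to_real = {}   # (mapped_if, mapped addr) -> real addr, for the ACL rewrite
    for real_if, mapped_if, mapped, real, mask in statics:
        out += _network_object(f"{real_if}_{real}_to_{mapped_if}", real, mask)
        out.append(f" nat ({real_if},{mapped_if}) static {mapped}")
        if mask == HOST_MASK:
            mapped_to_real[(mapped_if, mapped)] = real
    # 2. nat (real_if) ID + global (mapped_if) ID POOL -> dynamic object NAT.  PIX
    #    keyed pools by ID; ASA keys them by interface pair, so one object per pair.
    for real_if, nat_id, net, mask in nats:
        if nat_id == "0":   # NAT exemption: needs twice NAT, which this script does not write
            out.append(f"! nat ({real_if}) 0 {net} {mask}: convert to twice NAT by hand")
            continue
        for mapped_if, pool_id, pool in globals_:
            if pool_id == nat_id:
                out += _network_object(f"{real_if}_{net}_dyn_to_{mapped_if}", net, mask)
                out.append(f" nat ({real_if},{mapped_if}) dynamic {pool}")
    # 3. Interface ACLs.  From 8.3 on an ACL is evaluated against the REAL address,
    #    so a rule that still names the mapped address silently never matches.
    for acl_name, rules in acls.items():
        iface = bindings.get(acl_name)   # unbound ACLs (crypto, nonat) are left alone
        for rule in rules:
            if iface:
                rule = " ".join(mapped_to_real.get((iface, t), t) for t in rule.split())
            out.append(f"access-list {acl_name} extended {rule}")
    out += [f"access-group {name} in interface {iface}" for name, iface in bindings.items()]
    return out


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE)))
```

Run it over the full sanitized config rather than the sample, paste the result into the 9.2 box, and verify each exposed service with `packet-tracer input outside tcp <src> 12345 F.S.T.45 443` (the mapped address is still what arrives on the outside interface; the tracer shows the un-NAT step and which ACL line it hits). While you are in there, the posted config still carries a `telnet` management line and `snmp-server community public`; ASA 9.2 supports SSH-only management and SNMPv3, so the migration is the natural point to drop both.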