Pix 6.3 to ASA 9.2 Migration Guide

ciscocisco-asacisco-commandsfirewallpix

I inherited a production Cisco Pix 6.3 firewall and an unconfigured ASA 5512 9.2. I'm reading up on converting the existing Pix config to an ASA-compatible config and there's mention of a migration tool, but it's no longer available from Cisco. Doing this manually is a bit beyond my know-how. Some of the commands I get, but others I don't.

I don't have another ISP connection with multiple WAN IPs to test on either.

Here's the sanitized running-config as requested.

: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security49
nameif ethernet4 intf4 security20
nameif ethernet5 fail security20
enable password REDACTED encrypted
passwd REDACTED encrypted
hostname PixFirewall
domain-name example.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network deny-known-bad-ips
  network-object host A.B.C.D
  network-object host E.F.G.H
  ...
object-group network spam-filter
  network-object I.J.K.L 255.255.240.0
  network-object M.N.O.P 255.255.224.0
  ...
object-group network ipsoft
  network-object 192.168.12.23 255.255.255.255
  network-object 192.168.12.24 255.255.255.255
object-group network catCLE
  network-object 10.2.12.17 255.255.255.255
  network-object 10.2.12.18 255.255.255.255
object-group network CLE
  network-object 10.2.0.0 255.255.0.0
  network-object 166.8.136.0 255.255.255.0
  network-object 166.8.138.0 255.255.255.0
object-group network cloud_app
  network-object Q.R.S.T 255.255.255.224
  network-object U.V.W.X 255.255.255.240
  ...
object-group network ftp-server-access
  description ACL group for allowing access to certain services on the FTP server
  network-object host a.b.c.d
  network-object host e.f.g.h
object-group network vendor-access
  description Access group to allow vendor access remotely
  network-object host i.j.k.l
  network-object host m.n.o.p
object-group network ssh-access
  description Access group to allow SSH Access
  network-object host q.r.s.t
  network-object host u.v.w.x
object-group network newerFTP-web-access
  description Access group to allow web access to newer FTP server
  network-object host 1.2.3.4
object-group network RDP-access
  description "Network Group to allow RDP access to IT people"
  network-object host 2.3.4.5
  network-object host 3.4.5.6
access-list inside-to-out permit tcp any any
access-list inside-to-out permit udp any any
access-list inside-to-out permit icmp any any echo
access-list inside-to-out permit icmp any any echo-reply
access-list outside-to-in permit tcp any host F.S.T.45 eq https
access-list outside-to-in permit tcp any host F.S.T.46 eq www
access-list outside-to-in permit tcp any host F.S.T.46 eq https
access-list outside-to-in permit tcp any host F.S.T.48 eq https
access-list outside-to-in permit tcp any host F.S.T.48 eq www
access-list outside-to-in permit tcp any host F.S.T.51 eq www
access-list outside-to-in permit tcp any host F.S.T.51 eq https
access-list outside-to-in permit tcp any host F.S.T.47 eq https
access-list outside-to-in permit tcp any host F.S.T.47 eq www
access-list outside-to-in permit tcp any host F.S.T.44 eq www
access-list outside-to-in permit tcp any host F.S.T.44 eq https
access-list outside-to-in permit udp any host F.S.T.41 eq isakmp
access-list outside-to-in permit esp any host F.S.T.41
access-list outside-to-in permit tcp any host F.S.T.37 eq domain
access-list outside-to-in permit udp any host F.S.T.37 eq domain
access-list outside-to-in permit tcp any host F.S.T.40 eq domain
access-list outside-to-in permit udp any host F.S.T.40 eq domain
access-list outside-to-in permit tcp object-group spam-filter host F.S.T.40 eq smtp
access-list outside-to-in permit tcp any host F.S.T.53 eq www
access-list outside-to-in permit tcp any host F.S.T.53 eq https
access-list outside-to-in permit tcp any host F.S.T.54 eq www
access-list outside-to-in permit tcp any host F.S.T.54 eq https
access-list outside-to-in permit tcp any host F.S.T.45 eq www
access-list outside-to-in permit tcp host 20.18.19.22 host F.S.T.49 eq 445
access-list outside-to-in permit tcp any host F.S.T.46 eq ftp
access-list outside-to-in permit tcp any host F.S.T.55 eq https
access-list outside-to-in permit tcp any host F.S.T.55 eq www
access-list outside-to-in permit tcp any host F.S.T.42 eq www
access-list outside-to-in permit udp any host F.S.T.41 eq 4500
access-list outside-to-in permit tcp any host F.S.T.57 eq www
access-list outside-to-in permit tcp any host F.S.T.53 eq 2052
access-list outside-to-in permit tcp object-group cloud_app host F.S.T.40 eq smtp
access-list outside-to-in permit tcp any host F.S.T.45 eq pop3
access-list outside-to-in permit tcp any host F.S.T.59 eq ftp
access-list outside-to-in permit icmp any any echo-reply
access-list outside-to-in permit icmp any any echo
access-list outside-to-in permit tcp any host F.S.T.59 range 38700 39699
access-list outside-to-in permit icmp any any unreachable
access-list outside-to-in permit icmp any any time-exceeded
access-list outside-to-in permit tcp any host F.S.T.42 eq 8080
access-list outside-to-in permit tcp object-group ftp-server-access host F.S.T.59 eq www
access-list outside-to-in permit tcp any host F.S.T.53 range 28000 30000
access-list outside-to-in permit tcp any host F.S.T.60 eq ftp
access-list outside-to-in permit tcp any host F.S.T.60 range 38700 39699
access-list outside-to-in permit tcp object-group vendor-access host F.S.T.61 eq ssh
access-list outside-to-in permit tcp object-group ssh-access host F.S.T.39 eq ssh
access-list outside-to-in permit tcp object-group newerFTP-web-access host F.S.T.60 eq www
access-list outside-to-in permit tcp object-group RDP-access host F.S.T.62 eq 3389
access-list outside-to-in permit tcp object-group ssh-access host F.S.T.36 eq ssh
access-list outside-to-in permit tcp any host F.S.T.36 eq smtp
access-list outside-to-in permit tcp any host F.S.T.36 eq www
access-list outside-to-in permit tcp any host F.S.T.36 eq pop3
access-list outside-to-in permit tcp any host F.S.T.36 eq imap4
access-list outside-to-in permit tcp any host F.S.T.36 eq https
access-list outside-to-in permit tcp any host F.S.T.36 eq 587
access-list outside-to-in permit tcp any host F.S.T.36 eq 993
access-list outside-to-in permit tcp any host F.S.T.36 eq 995
access-list outside-to-in permit tcp any host F.S.T.42 eq https
access-list outside-to-in permit tcp object-group ssh-access host F.S.T.43 eq ssh
access-list outside-to-in permit tcp any host F.S.T.43 eq https
access-list outside-to-in permit tcp any host F.S.T.43 eq 6876
access-list outside-to-in permit tcp object-group ftp-server-access host F.S.T.59 eq https
access-list outside-to-in permit tcp any host F.S.T.43 eq www
access-list outside-to-in permit tcp any host F.S.T.57 eq https
access-list dmz1fltr permit tcp host 192.168.8.25 host 10.2.12.12 eq 8009
access-list dmz1fltr permit udp host 192.168.8.11 host 10.2.0.3 eq domain
access-list dmz1fltr permit udp host 192.168.8.12 host 10.2.0.3 eq domain
access-list dmz1fltr permit tcp host 192.168.8.11 host 10.2.8.5 eq 1433
access-list dmz1fltr permit tcp host 192.168.8.12 host 10.2.8.5 eq 1433
access-list dmz1fltr permit tcp host 192.168.8.11 host 10.2.12.12 eq 8009
access-list dmz1fltr permit tcp host 192.168.8.12 host 10.2.12.12 eq 8009
access-list dmz1fltr permit tcp host 192.168.8.5 any eq domain
access-list dmz1fltr permit udp host 192.168.8.5 any eq domain
access-list dmz1fltr permit tcp host 192.168.8.5 any eq smtp
access-list dmz1fltr deny ip host 192.168.8.6 host 10.2.12.12
access-list dmz1fltr deny ip host 192.168.8.6 host 10.2.4.2
access-list dmz1fltr deny ip host 192.168.8.6 host 10.2.0.3
access-list dmz1fltr deny ip host 192.168.8.6 host 10.2.8.5
access-list dmz1fltr permit tcp host 192.168.8.6 any eq smtp
access-list dmz1fltr permit tcp host 192.168.8.6 any eq domain
access-list dmz1fltr permit udp host 192.168.8.6 any eq domain
access-list dmz1fltr deny ip host 192.168.8.8 host 10.2.12.12
access-list dmz1fltr deny ip host 192.168.8.8 host 10.2.4.2
access-list dmz1fltr deny ip host 192.168.8.8 host 10.2.0.3
access-list dmz1fltr deny ip host 192.168.8.8 host 10.2.8.5
access-list dmz1fltr permit esp host 192.168.8.8 any
access-list dmz1fltr permit udp host 192.168.8.8 any eq isakmp
access-list dmz1fltr permit udp host 192.168.8.8 any eq 4500
access-list dmz1fltr permit tcp host 192.168.8.5 any eq ftp
access-list dmz1fltr permit tcp host 192.168.8.5 host 10.2.8.81 eq ftp
access-list dmz1fltr permit udp host 192.168.8.53 host 10.2.0.3 eq domain
access-list dmz1fltr permit udp host 192.168.8.60 host 10.2.0.3 eq domain
access-list dmz1fltr permit udp host 192.168.8.60 host 10.2.8.7 eq domain
access-list dmz1fltr permit tcp host 192.168.8.60 any
access-list dmz1fltr permit tcp host 192.168.8.53 host 10.2.24.5 eq 2737
access-list dmz1fltr permit tcp host 192.168.8.53 host 10.2.24.5 eq 2051
access-list dmz1fltr permit udp host 192.168.8.53 host 10.2.24.5 eq 20000
access-list dmz1fltr permit tcp host 192.168.8.53 host 10.2.24.5 eq 20000
access-list dmz1fltr permit tcp host 192.168.8.4 host 10.2.8.81 eq ftp
access-list dmz1fltr permit icmp any any echo-reply
access-list dmz1fltr permit icmp any any echo
access-list dmz1fltr permit tcp host 192.168.8.4 any eq www
access-list dmz1fltr permit tcp any host 192.168.8.4 eq www
access-list dmz1fltr permit tcp host 192.168.8.4 any eq ftp-data
access-list dmz1fltr permit tcp any host 192.168.8.4 eq ssh
access-list dmz1fltr permit tcp host 192.168.8.4 any eq ssh
access-list dmz1fltr permit tcp host 192.168.8.4 any eq domain
access-list dmz1fltr permit udp host 192.168.8.4 any eq domain
access-list dmz1fltr permit udp any host 192.168.8.4 eq domain
access-list dmz1fltr permit tcp any host 192.168.8.4 eq domain
access-list dmz1fltr permit tcp host 192.168.8.4 any eq ftp
access-list dmz1fltr permit tcp host 192.168.8.4 any eq cmd
access-list dmz1fltr permit tcp any host 192.168.8.4 eq cmd
access-list dmz1fltr permit tcp any host 192.168.8.5 eq cmd
access-list dmz1fltr permit tcp host 192.168.8.5 any eq cmd
access-list dmz1fltr permit tcp host 192.168.8.4 any eq telnet
access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.117 eq www
access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.97 eq www
access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.145 eq www
access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.117 eq https
access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.97 eq https
access-list dmz2fltr permit tcp host 166.8.137.30 host 166.8.138.145 eq https
access-list dmz2fltr permit tcp host 166.8.137.30 host 10.2.0.21 eq https
access-list dmz2fltr deny ip any host 166.8.138.117
access-list dmz2fltr deny ip any host 166.8.138.97
access-list dmz2fltr deny ip any host 10.2.0.21
access-list dmz2fltr deny ip host 166.8.137.5 host 166.8.138.117
access-list dmz2fltr deny ip host 166.8.137.5 host 166.8.138.97
access-list dmz2fltr deny ip host 166.8.137.5 host 166.8.138.145
access-list dmz2fltr deny ip host 166.8.137.5 host 10.2.0.21
access-list dmz2fltr permit tcp host 166.8.137.5 any eq smtp
access-list dmz2fltr permit tcp host 166.8.137.5 host 10.2.0.19 eq smtp
access-list dmz2fltr permit udp host 166.8.137.5 host 10.2.0.3 eq domain
access-list dmz2fltr permit tcp host 166.8.137.30 host 10.2.0.28 eq https
access-list dmz2fltr permit tcp host 166.8.137.30 host 10.2.0.28 eq www
access-list dmz2fltr deny ip any host 10.2.0.28
access-list dmz2fltr permit tcp host 166.8.137.31 any eq ftp
access-list dmz2fltr permit tcp host 166.8.137.5 host 10.2.8.98 eq ssh
access-list dmz2fltr permit tcp host 166.8.137.42 host 166.8.138.141 eq 1433
access-list dmz2fltr permit udp host 166.8.137.42 host 10.2.0.3 eq domain
access-list dmz2fltr deny ip any host 10.2.0.3
access-list dmz2fltr deny ip any host 10.2.0.19
access-list dmz2fltr deny ip any host 166.8.138.141
access-list dmz2fltr permit tcp host 166.8.137.42 any eq www
access-list dmz2fltr permit tcp host 166.8.137.42 any eq https
access-list dmz2fltr permit tcp host 166.8.137.42 any eq ftp
access-list dmz2fltr permit tcp host 166.8.137.5 host 10.2.0.28 eq smtp
access-list dmz2fltr permit icmp any any echo
access-list dmz2fltr permit icmp any any echo-reply
access-list dmz2fltr permit tcp host 166.8.137.42 any eq 8080
access-list nonat deny ip any 16.18.20.0 255.255.255.0
access-list nonat deny ip any 10.255.1.0 255.255.255.0
access-list nonat permit ip object-group catCLE object-group ipsoft
access-list nonat permit ip object-group CLE host 166.8.137.31
access-list vpn-cat permit ip object-group catCLE object-group ipsoft
pager lines 24
logging on
logging monitor warnings
logging buffered critical
logging trap errors
logging history emergencies
logging host inside 10.2.8.100
icmp permit any unreachable outside
icmp permit any unreachable dmz1
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu intf4 1500
mtu fail 1500
ip address outside F.S.T.34 255.255.255.224
ip address inside 192.168.14.2 255.255.255.0
ip address dmz1 192.168.8.1 255.255.255.0
ip address dmz2 166.8.137.1 255.255.255.0
ip address intf4 172.16.1.1 255.255.255.0
ip address fail 192.168.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address dmz2
no failover ip address intf4
no failover ip address fail
pdm history enable
arp timeout 14400
global (outside) 1 F.S.T.35
global (dmz1) 1 interface
global (dmz2) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 166.8.136.0 255.255.255.0 0 0
nat (inside) 1 166.8.138.0 255.255.255.0 0 0
nat (inside) 1 166.8.139.0 255.255.255.0 0 0
nat (inside) 1 192.168.6.0 255.255.255.0 0 0
nat (inside) 1 10.2.0.0 255.255.0.0 0 0
alias (inside) F.S.T.44 166.8.137.10 255.255.255.255
alias (inside) F.S.T.46 166.8.137.31 255.255.255.255
static (inside,dmz2) 10.2.0.19 10.2.0.19 netmask 255.255.255.255 0 0
static (inside,dmz2) 10.2.0.3 10.2.0.3 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.0.3 10.2.0.3 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.8.5 10.2.8.5 netmask 255.255.255.255 0 0
static (inside,dmz2) 10.2.0.21 10.2.0.21 netmask 255.255.255.255 0 0
static (inside,dmz2) 166.8.138.97 166.8.138.97 netmask 255.255.255.255 0 0
static (inside,dmz2) 166.8.138.145 166.8.138.145 netmask 255.255.255.255 0 0
static (inside,dmz2) 166.8.138.117 166.8.138.117 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.4.2 10.2.4.2 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.12.12 10.2.12.12 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.45 166.8.137.30 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.46 166.8.137.31 netmask 255.255.255.255 0 0
static (dmz1,outside) F.S.T.51 192.168.8.25 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.47 166.8.137.40 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.44 166.8.137.10 netmask 255.255.255.255 0 0
static (dmz1,outside) F.S.T.41 192.168.8.8 netmask 255.255.255.255 0 0
static (dmz1,outside) F.S.T.37 192.168.8.2 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.54 166.8.137.50 netmask 255.255.255.255 0 0
static (inside,dmz2) 10.2.0.28 10.2.0.28 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.48 166.8.138.145 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.49 10.2.4.45 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.40 166.8.137.5 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.55 166.8.137.60 netmask 255.255.255.255 0 0
static (dmz2,outside) F.S.T.42 166.8.137.42 netmask 255.255.255.255 0 0
static (inside,dmz2) 166.8.138.141 166.8.138.141 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.8.81 10.2.8.81 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.4.35 10.2.4.35 netmask 255.255.255.255 0 0
static (dmz1,outside) F.S.T.53 192.168.8.53 netmask 255.255.255.255 0 0
static (inside,dmz1) 166.8.136.35 166.8.136.35 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.8.7 10.2.8.7 netmask 255.255.255.255 0 0
static (dmz1,outside) F.S.T.58 192.168.8.60 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.24.5 10.2.24.5 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.4.45 10.2.4.45 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.2.5.67 10.2.5.67 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.59 10.2.8.48 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.39 10.2.9.86 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.60 10.2.8.148 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.61 10.2.8.44 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.62 10.2.0.100 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.36 10.2.8.250 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.43 10.2.4.250 netmask 255.255.255.255 0 0
static (inside,outside) F.S.T.57 10.2.8.88 netmask 255.255.255.255 0 0
access-group outside-to-in in interface outside
access-group inside-to-out in interface inside
access-group dmz1fltr in interface dmz1
access-group dmz2fltr in interface dmz2
route outside 0.0.0.0 0.0.0.0 F.S.T.33 1
route inside 10.2.0.0 255.255.0.0 192.168.14.1 1
route inside 10.22.66.22 255.255.255.255 192.168.14.1 1
route inside 10.22.66.23 255.255.255.255 192.168.14.1 1
route inside 166.8.1.0 255.255.255.0 192.168.14.1 1
route inside 166.8.65.38 255.255.255.255 192.168.14.1 1
route inside 166.8.136.0 255.255.255.0 192.168.14.1 1
route inside 166.8.138.0 255.255.255.0 192.168.14.1 1
route inside 166.8.139.0 255.255.255.0 192.168.14.1 1
route inside 192.168.6.0 255.255.255.0 192.168.14.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 10.2.0.5 source inside
http server enable
http 10.2.0.123 255.255.255.255 inside
snmp-server host inside 10.2.8.98
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set kristrong esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600 kilobytes 10000
crypto map kri 15 ipsec-isakmp
crypto map kri 15 match address vpn-cat
crypto map kri 15 set pfs group2
crypto map kri 15 set peer 20.17.14.4
crypto map kri 15 set transform-set kristrong
crypto map kri interface outside
isakmp enable outside
isakmp key ******** address 20.17.14.4 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
telnet 10.2.8.100 255.255.255.255 inside
telnet timeout 30
ssh 10.2.8.100 255.255.255.255 inside
ssh 10.229.66.228 255.255.255.255 inside
ssh 10.2.0.0 255.255.252.0 inside
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:b80c9ac5e742040be7dc4f8d1f69f1c2
: end

Best Answer

Option 1 - manual conversion

Cisco's Migration Guide for Converting Cisco PIX Configurations to Cisco ASA 5500 Series Configurations has a whole section "Manual Configuration Conversion":

Performing a manual conversion is the most time-consuming method, yet it allows for the most control over the conversion. The manual conversion includes following sections:

•Interface Mapping

•FIXUP Conversion

•LAN-Based Failover

•Dynamic Interface Addressing

•Multiple Context Mode Configuration Conversion

Option 2 - convert the config by upgrading

You did not specify which PIX model this is, but given that you have 6 ethernet interfaces it must be one of the bigger models (515 or larger). If it has enough memory you can upgrade it to Pix 7.x, which will automatically convert the configuration to version 7 syntax, which is identical to ASA 7 syntax (apart from interface names).

Migration from PIX 500 Series Security Appliances to ASA 5500 Series Adaptive Security Appliances describes how to do this.

Now, there are still some differences between 7.x syntax to 9.x syntax (mostly the new NAT syntax introduced in 8.3). Typically you would normally upgrade an ASA e.g. from 8.2 to 8.3 and then from 8.3 to 9.0, and each upgrade would automatically make the necessary config changes for you. To be honest I'm not sure if this automatic conversion will also work if you copy/paste a 7.x syntax to a 9.2 system. You can either try to find this in the documentation, or just give it a try and see how far you get (and/or use the document mentioned in option 1 to apply the remaining changes).

Some doc pointers:

If you have access to ASA images, consider downgrading it first to the oldest version available for your specific device, then copy/paste the 7.x config, then upgrade it back to the desired version (in steps, if needed).

Option 3 : convert using the conversion tool

If you have a service contract on the ASA, or maybe even if the ASA is under warranty, open a TAC case and ask for the conversion tool. Even if you haven't, it's worth a shot. If the ASA was acquired from a Cisco reseller, ask the reseller for the tool (or ask them to get it from Cisco).

If that is not an option, the Migration Guide for Converting Cisco PIX Configurations to Cisco ASA 5500 Series Configurations mentions that the tool's installer is named PIXtoASASetup.exe. A Google search gives multiple non-Cisco sites where you can still download this, but obviously at your own risk.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Vpn – ASA VPN communication issue

Your NAT Exemptions on the Spokes are messed up.

First, you have the Spoke 2 address as the source on Spoke 1, and you're missing Spoke 2 altogether:

ip access-list extended NONAT
deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 any

You need to have:

ip access-list extended NONAT
deny   ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255
deny   ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31
permit ip 192.168.210.224 0.0.0.31 any

And then on Spoke 2 you have the right source, but are just missing an entry for Spoke 1:

ip access-list extended NONAT
deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 any

This needs to have the Spoke 1 segment added as shown below:

ip access-list extended NONAT
deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
deny   ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31
permit ip 192.168.210.64 0.0.0.31 any