topic 5510 code version upgrade in Network Security

5510 code version upgrade

Benjamin Saito — Tue, 12 Mar 2019 00:56:04 GMT

I am looking to upgrade a 5510 that is currently on code version 8.0(4) to code version 9.1. I know I will have to upgrade to 1gb ram, but can i just upgrade straight to version 9.1 or do I need to follow an upgrade path? This is a standalone device so I am planning on downtime. Thanks in advance.

Re: 5510 code version upgrade

Jouni Forss — Mon, 04 Feb 2013 20:47:28 GMT

Hi,

Generally it would be adviced to reboot the device to the next new software compared to the current one so that the configuration converts correctly.

In other words

8.0 -> 8.2 -> 8.3 -> 8.4 -> 9.0 -> 9.1 (If I dont remember wrong)

I think the 8.1 software was used only for certain ASA model or I just have never run into it. Think the model was ASA5580

I cant really say for certain what happens if you make the jump directly from 8.0 to 9.1. The most critical point of configuration conversion to newer format is between 8.2 and 8.3 as that was when the NAT configuration and ACL configuration formats were changed drasticly.

It would be good to get used to the new NAT format before rebooting to the new software with automatically converted configurations. Some of the generated configuration might be useless or not work right at all. Also when you know how to configure them yourself, you can make them ALOT simpler.

I personally rewrite the whole configuration for older software myself and then just apply the configurations to a updated device or a totally fresh new ASA to make the configuration as simple as possible. So in that case it doesnt really matter how big the software jump is. In your case I would suggest taking backups of the configurations and doing the upgrade in steps if you are not at all familiar with the new NAT format.

- Jouni

Re: 5510 code version upgrade

jj27 — Mon, 04 Feb 2013 21:27:52 GMT

You can safely upgrade from 8.0 to 9.1. The configuration changes introduced in 8.3 regarding NAT will be converted when you upgrade to 9.1. As always, make sure you save the configuration on the 8.0 code.

You are correct that the 8.1 code was only for a specific model of ASA.

5510 code version upgrade

Benjamin Saito — Tue, 05 Feb 2013 19:54:16 GMT

Thank you to both of you for your answers. I was able to upgrade straight from 8.0.4 to 9.1. I have a few questions though about the asa code version.

1. access-list outside_access_in_1 extended permit ip object-group ADMIN_NETWORKS any4

why did the destination get changed from "any" to "any4"? It did this for all rules that had "any", i guess is this related to ipv4? Becasue Any6 is an option.

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

This was thrown in the running config, what is it?

3. What version of java is required for asdm version 711? I have java 6 update 7 on my computer because it's the only version that works with pix's and older asdm versions, but i can't open the asdm using the Java web start application, I can only access it as a local application.

Thanks!

5510 code version upgrade

Jouni Forss — Tue, 05 Feb 2013 20:13:17 GMT

Hi,

Regarding the "any" keyword (9.0(x) Release Notes)

"any" now means both ipv4 and ipv6. "any4" for only ipv4 and "any6" for ipv6 only

Any Keyword

Now that ACLs support both IPv4 and IPv6, the any keyword now represents "all IPv4 and IPv6 traffic." Any existing ACLs that use the any keyword will be changed to use the any4 keyword, which denotes "all IPv4 traffic."

In addition, a separate keyword was introduced to designate "all IPv6 traffic": any6.

Found at (Along with other information):

http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp582903

Regarding the Xlate settings (9.0(x) Release Notes)

Used to keep the original old software behaviour identical even when doing a software jump from old to new

•Per-session PAT disabled when upgrading— Starting in Version 9.0, by default, all TCP PAT traffic and all UDP DNS traffic use per-session PAT (see the xlate per-session command in the command reference). If you upgrade to Version 9.0 from an earlier release, to maintain the existing functionality of multi-session PAT, the per-session PAT feature is disabled during configuration migration. The ASA adds the following deny rules:

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

To enable per-session PAT after you upgrade, enter:

clear configure xlate

Found at:

http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp593140

- Jouni

5510 code version upgrade

Benjamin Saito — Tue, 05 Feb 2013 20:26:43 GMT

Thanks for the quick response again Jouni, that was very helpful.

5510 code version upgrade

Benjamin Saito — Tue, 05 Feb 2013 21:45:20 GMT

I am still unable to access the asdm using the java web start application. I try to but a window pops up saying unable to launch application. I have to click on "install asdm launcher" in order to get it to run. I was able to just click on "run asdm" and it worked in earlier versions. Any ideas?

Thanks!

5510 code version upgrade

Jouni Forss — Tue, 05 Feb 2013 22:15:06 GMT

Hi,

I personally use the software installed from the ASA on my computer. I dont launch it through the web browser.

I havent really had the need to troubleshoot this much. I can only remember one occasion where a new Java update broke the ASDM. I personally dont use much ASDM also so even less likely that I run into these problems

Heres some information of my setup and versions

Java

My ASA5505

Cisco Adaptive Security Appliance Software Version 9.1(1)

Device Manager Version 7.1(1)52

And everything works fine. ASDM shows the following when it has launched through the browser

- Jouni

5510 code version upgrade

Benjamin Saito — Tue, 05 Feb 2013 22:26:35 GMT

Jouni, it must be the version of java I am running on this computer. I confirmed from a different computer with an updated version of Java that I was able to access the asdm normally. Thanks again