Welcome to Cisco Firewalls Community

Beginner

ASA 5550 Upgrade from 8.4(7) to 9.1(7)

Guys

 

I have to upgrade a couple of our ASA 5550 firewalls from 8.4(7) to 9.1(7). I am not able to get information related to configuration changes between them. Can anyone please help me with this.

 

Thanks

Ravindra

Cisco Employee

Re: ASA 5550 Upgrade from 8.4(7) to 9.1(7)

Hi,

 

You can upgrade directly to the desired version. Check "Upgrading the Software" 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-763574

 

I would strongly recommend finding a supported version, since 9.1 is going EOL.

 

https://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/eos-eol-notice-c51-738645.html

 

If you have any questions, let us know. 

Mike. 

Beginner

Re: ASA 5550 Upgrade from 8.4(7) to 9.1(7)

Mike

 

Thanks for reminding me about the EOL.

 

Currently I am looking for the Configuration Changes between the software versions 8.4(7) and 9.1.7.23 as I couldn't find it in the release notes. 

 

Your help would be much appreciated.

 

Thanks

Ravindra

Hall of Fame Guru

Re: ASA 5550 Upgrade from 8.4(7) to 9.1(7)


@ravindra692 wrote:

I have to upgrade a couple of our ASA 5550 firewalls from 8.4(7) to 9.1(7).


Have you heard about this critical security advisory:  Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

9.1(7) is an affected release.  The fix for this version is found in 9.1(7)23.

Beginner

Re: ASA 5550 Upgrade from 8.4(7) to 9.1(7)

Yes

 

I did. I have already upgraded four of our firewalls to mitigate this vulnerability.

But the rest of them have 8.4.7 running on them, which makes this a major upgrade. That is why I would like to know about the configuration changes when upgrading from 8.4.7 to 9.1.7.23.

 

Your help would be much appreciated.

 

Thanks

Ravindra

Enthusiast

Re: ASA 5550 Upgrade from 8.4(7) to 9.1(7)

If you are on 8.4.x you have the new style NAT, so the main config change is that at 9.0 they unified IPv4 and IPv6 access lists, and changed the semantics of the "any" keyword to be dual-stack, introducing new "any4" and "any6" keywords which are protocol-specific. If you aren't using IPv6 you may not much care. If you are using IPv6, you may or may not like the automatically upgraded configuration.
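The "any" to "any4"/"any6" change described above is easy to audit before the upgrade. The following script is an added example, not from this thread or from Cisco: it scans 8.4-style ACL lines in a saved running-config and shows how each bare "any" is expected to be rewritten by the 9.0 migration (any4 in IPv4 access-lists, any6 in ipv6 access-lists). The sample configuration and the names in it are constructed for the example.

```python
import re

# Constructed sample of an 8.4(7)-style configuration (not from the thread).
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-list INSIDE_OUT extended permit udp 10.0.0.0 255.0.0.0 any eq 53
ipv6 access-list V6_IN permit tcp any host 2001:db8::10 eq 22
access-list OUTSIDE_IN remark any traffic to the DMZ web server
"""

# Matches both the IPv4 "access-list NAME ..." and the pre-9.0 "ipv6 access-list NAME ..." forms.
ACL_RE = re.compile(r"^(?P<family>ipv6 )?access-list\s+(?P<name>\S+)\s+(?P<rest>.*)$")


def migrate_any(line):
    """Return (migrated_line, changed) for one config line.

    Bare 'any' in an IPv4 ACL becomes 'any4', in an ipv6 ACL 'any6',
    mirroring what the 9.0 upgrade does. Remarks are left untouched.
    Note: the real upgrade also folds ipv6 access-lists into the unified
    access-list syntax; this script only rewrites the address keywords.
    """
    m = ACL_RE.match(line.strip())
    if not m or m.group("rest").startswith("remark"):
        return line, False
    replacement = "any6" if m.group("family") else "any4"
    tokens = line.split()
    # Whole-token comparison, so an ACL named e.g. OUTSIDE_ANY is not touched.
    new_tokens = [replacement if t == "any" else t for t in tokens]
    return " ".join(new_tokens), new_tokens != tokens


def audit(config_text):
    """List (original, migrated) pairs for every ACE that uses bare 'any'."""
    findings = []
    for line in config_text.splitlines():
        migrated, changed = migrate_any(line)
        if changed:
            findings.append((line, migrated))
    return findings


if __name__ == "__main__":
    for original, migrated in audit(SAMPLE_CONFIG):
        print(f"- {original}\n+ {migrated}")
```

After the upgrade the same script run against the 9.x config should report nothing, and any new ACE written with a bare "any" will match IPv6 as well as IPv4.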
Beginner

Re: ASA 5550 Upgrade from 8.4(7) to 9.1(7)

Hi

 

We are not using IPv6. Can I go ahead with the upgrade, or are there any other configuration changes to look for?

 

Thanks

Ravindra

Enthusiast

Re: ASA 5550 Upgrade from 8.4(7) to 9.1(7)

If you don't have any IPv6 rules, I would expect an 8.4 to 9.1 upgrade to do an automatic conversion to a highly similar and working configuration, so I'd go ahead. Note that not having IPv6 rules on your firewall isn't the same as having no IPv6 traffic on your VLANs. All contemporary cellphone, tablet, and desktop clients are dual-stack and mostly prefer IPv6 to IPv4 by default. If you aren't monitoring for IPv6, and aren't blocking IPv6 misbehavior by clients, you are at risk for dual-stack malware using IPv6 to hijack internal routing and then using IPv6 transition tunnels to exfiltrate data. At a minimum I'd suggest blocking protocol 41 (IPv4 packet with IPv6 payload) and port 3544/UDP (default Teredo server negotiations) at your border firewall, regardless of whether or not you support any native IPv6. And wired switchports should be blocking native IPv6 (ethernet type 0x86dd) if you aren't using it, or filtering out rogue DHCPv6 and ICMPv6 router advertisements if you are.

E.g. for the last decade my wired desktop client switchports have had:

~~~
 ip access-group V4CLIENT in
 ipv6 traffic-filter V6CLIENT in
~~~

where the filters are:

~~~
ip access-list extended V4CLIENT
 deny udp any eq bootps any eq bootpc
 deny icmp any any redirect
 permit ip any any
ipv6 access-list V6CLIENT
 deny udp any eq 547 any eq 546
 deny icmp any any router-advertisement
 deny icmp any any redirect
 permit ipv6 any any
~~~
Beginner

Re: ASA 5550 Upgrade from 8.4(7) to 9.1(7)

The firewalls that I am planning to upgrade are IPsec firewalls. I checked for IPv6 config and traffic, and there isn't any. So IPv6 is not a problem anymore.

I am worried about the Certificates, do they change when I perform the upgrade?

 

Your comments would be much appreciated.

 

Thanks 

Ravindra

Enthusiast

Re: ASA 5550 Upgrade from 8.4(7) to 9.1(7)

I would expect all the private keys, certificates, and trustpoints to carry over, unchanged.
Beginner

Re: ASA 5550 Upgrade from 8.4(7) to 9.1(7)

I have a few expired certs on those devices. Will they cause any problems?

Enthusiast

Re: ASA 5550 Upgrade from 8.4(7) to 9.1(7)

I wouldn't think that expired certificates would cause a problem, but have no experience of that; I tend to install new certificates, update all the statements using them, then delete the old ones. Usually before they expire.
Beginner

Re: ASA 5550 Upgrade from 8.4(7) to 9.1(7)

Thank you