Welcome to Cisco Firewalls Community


2663
Views
0
Helpful
14
Replies
Highlighted
Beginner

ASA 8.2.1 to 8.4.3

Hi,

We are planning to upgrade our ASA 5520 from 8.2.1 to 8.4.3. Could you please help me with the following questions?

1. Which is the best migration plan to follow: 8.2.1->8.3->8.4.3 or 8.2.1 to 8.4.3?

     We are using nat-control now and for this reason we have many static NATs. I have upgraded an ASA in my lab from 8.2.1 to 8.4.2, disabled nat-control and ran the "no names" command, but the auto-upgrade procedure created nat rules for the statics that were used for nat-control. So the configuration is huge.

2. Do I have to remove all the static nat commands that are being used for nat-control before the upgrade?

Thank you

Engager

ASA 8.2.1 to 8.4.3

Hi,

I guess just update the ASA to the latest 8.2.x, which is 8.2.5, and then you can jump straight to 8.4.x, no issues.

Moreover, in 8.4 you do not have the concept of nat-control anymore, so it makes sense to disable nat-control on the 8.2 code and remove the statics that you have for it and then upgrade to avoid unnecessary things.

Hope that helps

Thanks,
Varun Rao
Security Team,
Cisco TAC

Beginner

Re: ASA 8.2.1 to 8.4.3

Hi Varun,

I have many static nat entries in my firewall and I am trying to find a way to do it as simply as possible.

I am thinking to do the following: remove every static nat that has the same IP (used only for NAT CONTROL), like this example

static (inside,DMZ) 10.10.10.10 10.10.10.10 netmask 255.255.255.255

and leave every static nat that is used for NAT, in order to be converted automatically

static (inside,DMZ) 10.10.10.10 192.168.1.1 netmask 255.255.255.255

Do you think that this is correct?

Something more: if I have problems after the upgrade, is there any official downgrade procedure from Cisco?

thank you very much for the prompt answer

Engager

ASA 8.2.1 to 8.4.3

yup that's fine.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Engager

ASA 8.2.1 to 8.4.3

Well, the upgrade procedure from the 8.2 version to 8.4 is the same as for others; you can follow this doc for it:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b20f35.shtml

Thanks,
Varun Rao
Security Team,
Cisco TAC

Beginner

ASA 8.2.1 to 8.4.3

I am not afraid of the upgrade procedure from 8.2.1 to 8.4.3 but of the downgrade if something goes wrong. I have not found any Cisco document that describes this option. What happens with the nat commands?

Thank you

Engager

ASA 8.2.1 to 8.4.3

Here's the downgrade procedure:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp72161

The nat commands would be automatically migrated from 8.2 syntax to the 8.4 syntax; if you want to check how they would look post migration, refer to this:

https://supportforums.cisco.com/docs/DOC-9129

Thanks,
Varun Rao
Security Team,
Cisco TAC

Beginner

ASA 8.2.1 to 8.4.3

I will make the upgrade and I will inform you of the results.

Thank you very much,

Engager

ASA 8.2.1 to 8.4.3

Sure, I'll wait for the update

Thanks, Varun Rao Security Team, Cisco TAC
Beginner

ASA 8.2.1 to 8.4.3

I forgot to ask you something else. Before the upgrade I will run the "no names" command, as you know it is best practice.

After the upgrade is it safe to enable names command again?

Thank you

Engager

ASA 8.2.1 to 8.4.3

Yes, you can enable it after the upgrade

Thanks,
Varun Rao
Security Team,
Cisco TAC

Hall of Fame Master

Re: ASA 8.2.1 to 8.4.3

While it is safe to re-enable the names command, it would be better to use objects exclusively.

Beginner

Re: ASA 8.2.1 to 8.4.3

Hi Marvin

Why is it better not to use names? Can you please explain to me?

Thank you

Hall of Fame Master

Re: ASA 8.2.1 to 8.4.3

Most uses of names (NAT rules and access-lists) need an object in any case so why do double work and have an object plus a name?

Also, while Cisco hasn't indicated any direction in this way, I would guess that eventually names will be deprecated in favor of objects.

Beginner

Re: ASA 8.2.1 to 8.4.3

Five days after the upgrade we have had no problems at all. So the steps that I have followed are the following:

1. disable nat control

2. remove unneeded nat used for nat control

3. disable names

and then reload.

thank you all for your support
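The two decisions the thread settles are "which statics were only there for nat-control" (the identity statics, mapped address equal to real address, like the first example above) and "in what order to clean them up before reloading" (nat-control off, identity statics removed, then `no names`). The script below is an added example written for this page; it is not code from the thread, from Cisco, or from any Cisco tool. It parses a saved 8.2-style running-config fragment, separates identity statics from statics that actually translate (which the upgrade migrates on its own), reports port and policy statics it does not understand for manual review, and emits the cleanup commands in the thread's order. The config text is a constructed sample; the addresses and interface names in it are assumptions, and the parser only knows the simple `static (a,b) MAPPED REAL netmask MASK` form.

```python
"""Classify pre-8.3 ASA 'static' NAT lines ahead of an 8.2 -> 8.4 upgrade.

Added example (not from the thread or from Cisco): reads an 8.2-style
running-config, separates identity statics (real == mapped, only ever
needed to satisfy nat-control) from statics that really translate, and
emits the pre-upgrade cleanup in the order the thread used.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Pre-8.3 one-to-one / network static form, as seen in the thread:
#   static (real_ifc,mapped_ifc) MAPPED_IP REAL_IP netmask MASK
# The mapped address comes first, then the real address.  Port statics
# ("static (a,b) tcp ...") and policy statics (with an access-list) do not
# match this pattern and are reported as unparsed for manual review.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    rf"(?P<mapped>{IPV4})\s+(?P<real>{IPV4})\s+netmask\s+(?P<mask>{IPV4})$"
)


@dataclass
class StaticRule:
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    mask: str
    raw: str

    @property
    def is_identity(self) -> bool:
        # An identity static maps an address to itself.  Under nat-control it
        # existed only to let traffic through; 8.3+ has no nat-control, so it
        # does no useful work after the upgrade and only bloats the migrated
        # object NAT configuration.
        return self.mapped == self.real


def parse_static(line: str) -> Optional[StaticRule]:
    """Return a StaticRule for a simple static line, or None if unrecognised."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    return StaticRule(**m.groupdict(), raw=line.strip())


def classify_config(config: str) -> Tuple[List[StaticRule], List[StaticRule], List[str]]:
    """Split the 'static' lines of a config into (identity, translating, unparsed)."""
    identity, translating, unparsed = [], [], []
    for line in config.splitlines():
        s = line.strip()
        if not s.startswith("static "):
            continue
        rule = parse_static(s)
        if rule is None:
            unparsed.append(s)          # port/policy static: review by hand
        elif rule.is_identity:
            identity.append(rule)       # nat-control only: candidate for removal
        else:
            translating.append(rule)    # real translation: keep, auto-migrated
    return identity, translating, unparsed


def plan_changes(config: str) -> List[str]:
    """Pre-upgrade cleanup commands in the order the thread applied them."""
    present = {ln.strip() for ln in config.splitlines()}
    identity, _, _ = classify_config(config)
    cmds = []
    # Step 1: nat-control off first.  While nat-control is still on, removing
    # an identity static would drop the traffic that static was admitting.
    if "nat-control" in present:
        cmds.append("no nat-control")
    # Step 2: drop the statics that only existed for nat-control.
    cmds += ["no " + r.raw for r in identity]
    # Step 3: the thread's 'no names' before the migration runs.
    if "names" in present:
        cmds.append("no names")
    return cmds


# Constructed sample config fragment for demonstration only (not a real device).
SAMPLE_CONFIG = """\
names
nat-control
static (inside,DMZ) 10.10.10.10 10.10.10.10 netmask 255.255.255.255
static (inside,DMZ) 10.10.10.20 192.168.1.1 netmask 255.255.255.255
static (inside,DMZ) 10.10.20.0 10.10.20.0 netmask 255.255.255.0
static (inside,DMZ) tcp 10.10.30.30 80 192.168.1.30 8080 netmask 255.255.255.255
"""

if __name__ == "__main__":
    identity, translating, unparsed = classify_config(SAMPLE_CONFIG)
    print("identity statics (nat-control only, remove):")
    print("\n".join("  " + r.raw for r in identity))
    print("translating statics (keep, migrated automatically):")
    print("\n".join("  " + r.raw for r in translating))
    print("unparsed statics (review manually):")
    print("\n".join("  " + s for s in unparsed))
    print("cleanup commands, in order:")
    print("\n".join("  " + c for c in plan_changes(SAMPLE_CONFIG)))
```

Run it against a `show running-config` saved from the 8.2 box and compare the identity list with what you expect before pasting anything; a static with a network mask (the 10.10.20.0/24 line in the sample) is identity too, and anything the parser reports as unparsed still needs a human decision.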