ASA 8.3 to 8.4 Upgrade - Mirror update?

John Peterson
Level 1

I'm upgrading an ASA 5510 from 8.3 to 8.4.

I know from 8.2 to 8.3 was not a mirror update because of NAT and access-list, but is from 8.3 to 8.4 a mirror update, or is there anything which I should be aware of?

Any help would be highly appreciated.

5 Replies

Kevin P Sheahan
Level 5

The only difference that you'll see is that all identity NATs will include 'no proxy-arp' and 'route-lookup'. The 'unidirectional' keyword will be removed. This will maintain existing functionality and your upgrade should not require any special considerations beyond that. Be cautious and back up your config still.

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349

siddhartham
Level 4

Which version of 8.4 are you upgrading to? There are many bugs in 8.4.1 and in 8.4.2; better to go to 8.4.3.

Siddhartha

John Peterson
Level 1

Thank you,

The steps I will take to upgrade the ASA will be to load the new file in flash and then force the ASA to boot from the new image.

I am guessing that there will be no additional configuration required?

Also, when would I use proxy-arp or route-lookup?

You are correct in assuming that there should be no additional configuration required. Once the ASA boots into the new code you should have the same functionality as before without having to make manual changes to your configuration.

You would use proxy ARP when you have address space from the ISP that is separate from the address that is on your 'outside' interface. Basically, when the ISP routes to your other address space it will ARP for the address it is trying to reach, and with proxy ARP your ASA would reply back to the ARP on behalf of the address that is represented by a NAT.

The route-lookup command is to determine the egress interface by interrogating the routing table rather than using the interface specified in the nat command.

Hope this helps.

Kind Regards,

Kevin

Kind Regards, Kevin Sheahan, CCIE # 41349

MARK BAKER
Level 4

Another consideration if you are using the default pix/asa username to log in to your ASA.

Increased SSH security; the SSH default username is no longer supported—Starting in 8.4(2), you can no longer connect to the ASA using SSH with the pix or asa username and the login password. To use SSH, you must configure AAA authentication using the aaa authentication ssh console LOCAL command (CLI) or Configuration > Device Management > Users/AAA > AAA Access > Authentication (ASDM); then define a local user by entering the username command (CLI) or choosing Configuration > Device Management > Users/AAA > User Accounts (ASDM). If you want to use a AAA server for authentication instead of the local database, we recommend also configuring local authentication as a backup method.
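
A pre-upgrade check for the SSH change quoted in the last reply, added here as an example and not part of the original thread: it scans a saved running-config for SSH access that still depends on the default pix/asa login. The function name, finding codes and sample configs (including the TACACS_GRP server-group name and the PLACEHOLDER hashes) are assumptions constructed for illustration.

```python
import re

# IPv4 form only: ssh <address> <mask> <interface>
SSH_ALLOW = re.compile(r"^ssh\s+\d{1,3}(?:\.\d{1,3}){3}\s+\S+\s+\S+$")
AAA_SSH = re.compile(r"^aaa authentication ssh console\s+(.+)$")
LOCAL_USER = re.compile(r"^username\s+(\S+)\s+(?:password|nopassword)\b")

MESSAGES = {
    "NO_AAA_SSH": "SSH is permitted but 'aaa authentication ssh console' is missing; "
                  "the pix/asa default login stops working from 8.4(2)",
    "LOCAL_WITHOUT_USER": "LOCAL is used for SSH but no 'username' is defined",
    "NO_LOCAL_FALLBACK": "AAA server group has no LOCAL backup method",
}

def check_ssh_login(config):
    """Return finding codes for one running-config given as text."""
    lines = [line.strip() for line in config.splitlines()]
    if not any(SSH_ALLOW.match(line) for line in lines):
        return []                      # SSH management not enabled, nothing to check
    methods = []
    for line in lines:
        m = AAA_SSH.match(line)
        if m:
            methods = m.group(1).split()   # e.g. ["TACACS_GRP", "LOCAL"]
    users = [m.group(1) for m in map(LOCAL_USER.match, lines) if m]
    if not methods:
        return ["NO_AAA_SSH"]
    findings = []
    if "LOCAL" not in methods:
        findings.append("NO_LOCAL_FALLBACK")
    elif not users:
        findings.append("LOCAL_WITHOUT_USER")
    return findings

# Constructed sample configs (placeholders, not taken from the thread).
DEFAULT_LOGIN = "passwd PLACEHOLDER encrypted\nssh 10.1.1.0 255.255.255.0 inside\nssh timeout 5\n"
LOCAL_NO_USER = DEFAULT_LOGIN + "aaa authentication ssh console LOCAL\n"
READY = LOCAL_NO_USER + "username admin password PLACEHOLDER encrypted privilege 15\n"
SERVER_ONLY = DEFAULT_LOGIN + "aaa authentication ssh console TACACS_GRP\n"

if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_LOGIN), ("local-no-user", LOCAL_NO_USER),
                      ("ready", READY), ("server-only", SERVER_ONLY)]:
        for code in check_ssh_login(cfg) or ["OK"]:
            print(name, code, MESSAGES.get(code, ""))
```

Run it against the config backup taken before the upgrade; an empty result means SSH logins are already tied to AAA with a local user in place.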
