Questions concerning the 8.3.1 or 8.3.2 upgrade

Kevin Melton
Level 2

I will be undertaking the migration of code for a client tomorrow evening as we move them from the former Interim code (8.2.2.17).  I have read through the Migration Guide.  So far most of what was published made sense with respect to what is going away (global, static, etc.).

One of the primary concerns as I see it is the difference for certain ACLs to use the Real IP address instead of mapped IP addresses due to the order of NAT now occurring first vs. the packet hitting an ACL first.

Wanting to map out what changes would occur, and having the luxury of working at another client this morning that was gracious enough to let me look at their post 8.3.1 upgrade, I was able to compare an old configuration which was saved long before their migration to the existing running configuration on the ASA.  What I found was rather surprising.  I had an expectation that I would see where mapped IP addresses in ACLs applied with the "access-group" command would have been converted (probably manually) to Real IP addresses.  But ALAS this is NOT what I see.  I went into the former configuration and looked for "static" statements to ensure that what I was looking at were indeed mapped addresses, and found that they were.  I do not see any evidence that the addresses changed.  Let me illustrate:

Prior configuration ACL entries on the old code using mapped addresses:

access-list outside_access_in extended permit icmp any any object-group ICMP-Allowed
access-list outside_access_in extended permit esp any any
access-list outside_access_in remark Prevent Malacious Activity from known offending IP's
access-list outside_access_in extended deny ip object-group BLOCKED any
access-list outside_access_in extended deny ip object-group Blocked any
access-list outside_access_in extended permit tcp any host 12.109.128.67 object-group TCP_PIC_Exchange
access-list outside_access_in extended permit tcp any host 12.109.128.68 eq www
access-list outside_access_in extended permit tcp any host 12.109.128.77 object-group TCP_DR_Oracle
access-list outside_access_in extended permit tcp any host 12.109.128.76 object-group DR-WEB-TCP
access-list outside_access_in extended permit udp any host 12.109.128.76 eq domain
access-list outside_access_in extended permit tcp any host 12.109.128.78 object-group TCP_DR_Exch
access-list outside_access_in extended permit tcp any host 12.109.128.73 object-group TCP_DR_Scada inactive
access-list outside_access_in extended permit tcp any host 12.109.128.74 eq www inactive

And here we see the associated static statements in the old config on the old code:

static (inside,outside) 12.109.128.67 10.31.31.10 netmask 255.255.255.255
static (inside,outside) 12.109.128.68 10.31.31.9 netmask 255.255.255.255
static (inside,outside) 12.109.128.70 172.16.32.64 netmask 255.255.255.255
static (inside,outside) 12.109.128.75 192.168.101.24 netmask 255.255.255.255
static (dmz,outside) 12.109.128.76 192.168.154.5 netmask 255.255.255.255
static (inside,outside) 12.109.128.77 192.168.102.3 netmask 255.255.255.255
static (inside,outside) 12.109.128.78 192.168.101.19 netmask 255.255.255.255
static (inside,dmz) 192.168.101.19 192.168.101.19 netmask 255.255.255.255
static (inside,dmz) 192.168.101.24 192.168.101.24 netmask 255.255.255.255
static (inside,dmz) 192.168.102.3 192.168.102.3 netmask 255.255.255.255
static (inside,outside) 12.109.128.73 192.168.103.60 netmask 255.255.255.255
static (inside,outside) 12.109.128.69 192.168.101.95 netmask 255.255.255.255

And here is the "access-group" command applying it to the outside interface:

access-group outside_access_in in interface outside

Now I will show you the current running configuration:

access-list outside_access_in extended permit tcp any host 12.109.128.67 object-group TCP_PIC_Exchange
access-list outside_access_in extended permit tcp any host 12.109.128.68 eq www
access-list outside_access_in extended permit tcp any host 12.109.128.77 object-group TCP_DR_Oracle
access-list outside_access_in extended permit tcp any host 12.109.128.76 object-group DR-WEB-TCP
access-list outside_access_in extended permit udp any host 12.109.128.76 eq domain
access-list outside_access_in extended permit tcp any host 12.109.128.78 object-group TCP_DR_Exch
access-list outside_access_in extended permit tcp any host 12.109.128.73 object-group TCP_DR_Scada inactive
access-list outside_access_in extended permit tcp any host 12.109.128.74 eq www inactive
access-list outside_access_in extended permit tcp any 12.109.128.0 255.255.255.0 eq ftp inactive

Notice here that the ACL entries have not changed post migration.  Does this customer need to manually change the ACLs in this config to the Real IP addresses?  Are these ACLs not working in their present configuration?

Thanks for any input here...

Kevin

Accepted Solution

Maykol Rojas
Cisco Employee

Hello Kevin,

I would say they are not working. One of the features that was introduced with version 8.3 is the "Real IP", which pretty much is the same as using the real IP of the host on the ACLs rather than using the Mapped IP.

Hopefully you would not need to be worried, as the Upgrade will migrate the ACLs automatically.

I thought that if you are going to version 8.3.1 you will be interested in this:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf74204

Please if you have any questions, feel free to ask.

Mike
Hi,

Currently I have one FW with 8.3(1) version. Since this version has the bug, should I downgrade to 8.2(2) or an earlier stable version?

I have an inbound security issue from low to high security level when I use static NAT. Could it be due to this? Appreciate your reply.

(ASA 8.3 ACL migration will not go through correctly with nat 0 and static. Symptom: When migrating from ASA 8.0/8.1/8.2 to 8.3, access-lists may not be translated for IP addresses falling under static and nat exemption rules. Conditions: ASA 8.3. IP address falling under both static translation and nat exemption. Workaround: Manually add missing access-list entries to allow traffic through.)


Regards,
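As an added example, not part of the original thread: a small Python check a defender can run over the pre-8.3 "static" statements and the post-migration ACL to flag ACEs still written against mapped (global) addresses, which is exactly what Kevin observed, what the accepted answer says will not work on 8.3, and what the bug note above says the migration can miss. The config lines are a constructed subset of the ones in the question; the regexes cover only one-to-one "static ... netmask 255.255.255.255" and "host X" ACEs.

```python
import re

# Constructed sample input: a subset of the pre-8.3 'static' statements and the
# post-migration ACL from the question. An identity NAT (real == mapped) is included
# to show that it is ignored, and one ACE is already written against a real IP.
OLD_STATICS = """\
static (inside,outside) 12.109.128.67 10.31.31.10 netmask 255.255.255.255
static (inside,outside) 12.109.128.68 10.31.31.9 netmask 255.255.255.255
static (dmz,outside) 12.109.128.76 192.168.154.5 netmask 255.255.255.255
static (inside,dmz) 192.168.101.19 192.168.101.19 netmask 255.255.255.255
"""
NEW_ACL = """\
access-list outside_access_in extended permit tcp any host 12.109.128.67 object-group TCP_PIC_Exchange
access-list outside_access_in extended permit tcp any host 12.109.128.68 eq www
access-list outside_access_in extended permit udp any host 12.109.128.76 eq domain
access-list outside_access_in extended permit tcp any host 192.168.101.19 object-group TCP_DR_Exch
access-list outside_access_in extended permit tcp any 12.109.128.0 255.255.255.0 eq ftp inactive
"""

# pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
HOST_RE = re.compile(r"\bhost (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_statics(text):
    """Map each mapped (global) address to its real address for one-to-one statics."""
    mapping = {}
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group(5) == "255.255.255.255" and m.group(3) != m.group(4):
            mapping[m.group(3)] = m.group(4)  # identity NAT has nothing to convert
    return mapping


def find_unconverted(acl_text, mapping):
    """Return (ace, mapped_ip, real_ip) for every ACE whose 'host' is still a mapped IP.

    With 8.3+ real-IP ACLs the packet is untranslated before the ACL is checked,
    so an ACE naming the mapped address no longer matches that traffic."""
    hits = []
    for line in acl_text.splitlines():
        m = HOST_RE.search(line)
        if m and m.group(1) in mapping:
            hits.append((line.strip(), m.group(1), mapping[m.group(1)]))
    return hits


def rewrite_ace(ace, mapping):
    """Rewrite 'host <mapped>' to 'host <real>': the manual fix the bug workaround describes."""
    return HOST_RE.sub(lambda m: "host " + mapping.get(m.group(1), m.group(1)), ace)


if __name__ == "__main__":
    statics = parse_statics(OLD_STATICS)
    for ace, mapped, real in find_unconverted(NEW_ACL, statics):
        print(f"mapped {mapped} -> real {real}\n  old: {ace}\n  new: {rewrite_ace(ace, statics)}")
```

ACEs written against a network rather than a host (the "12.109.128.0 255.255.255.0" entry) are not flagged and still need a manual review against the static and nat-exemption rules.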