5510 code version upgrade

Benjamin Saito
Level 1

I am looking to upgrade a 5510 that is currently on code version 8.0(4) to code version 9.1. I know I will have to upgrade to 1 GB RAM, but can I just upgrade straight to version 9.1 or do I need to follow an upgrade path? This is a standalone device so I am planning on downtime. Thanks in advance.


Jouni Forss
VIP Alumni

Hi,

Generally it would be advised to reboot the device to the next newer software compared to the current one so that the configuration converts correctly.

In other words

  • 8.0 -> 8.2 -> 8.3 -> 8.4 -> 9.0 -> 9.1 (if I don't remember wrong)

I think the 8.1 software was used only for a certain ASA model, or I just have never run into it. I think the model was the ASA5580.

I can't really say for certain what happens if you make the jump directly from 8.0 to 9.1. The most critical point of configuration conversion to the newer format is between 8.2 and 8.3, as that was when the NAT configuration and ACL configuration formats were changed drastically.

It would be good to get used to the new NAT format before rebooting to the new software with automatically converted configurations. Some of the generated configuration might be useless or not work right at all. Also, when you know how to configure them yourself, you can make them a lot simpler.

I personally rewrite the whole configuration for older software myself and then just apply the configurations to an updated device or a totally fresh new ASA to make the configuration as simple as possible. So in that case it doesn't really matter how big the software jump is. In your case I would suggest taking backups of the configurations and doing the upgrade in steps if you are not at all familiar with the new NAT format.

- Jouni

You can safely upgrade from 8.0 to 9.1.  The configuration changes introduced in 8.3 regarding NAT will be converted when you upgrade to 9.1.   As always, make sure you save the configuration on the 8.0 code.

You are correct that the 8.1 code was only for a specific model of ASA.

Thank you to both of you for your answers. I was able to upgrade straight from 8.0.4 to 9.1. I have a few questions though about the ASA code version.

1. access-list outside_access_in_1 extended permit ip object-group ADMIN_NETWORKS any4

Why did the destination get changed from "any" to "any4"? It did this for all rules that had "any". I guess this is related to IPv4, because any6 is an option.

2.

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

This was thrown in the running config, what is it?

3. What version of Java is required for ASDM version 711? I have Java 6 Update 7 on my computer because it's the only version that works with PIXes and older ASDM versions, but I can't open the ASDM using the Java Web Start application; I can only access it as a local application.

Thanks!

Hi,

Regarding the "any" keyword (9.0(x) Release Notes)

  • "any" now means both ipv4 and ipv6. "any4" for only ipv4 and "any6" for ipv6 only

Any Keyword

Now that ACLs support both IPv4 and IPv6, the any keyword now represents "all IPv4 and IPv6 traffic." Any existing ACLs that use the any keyword will be changed to use the any4 keyword, which denotes "all IPv4 traffic."

In addition, a separate keyword was introduced to designate "all IPv6 traffic": any6.

Found at (Along with other information):

http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp582903

Regarding the Xlate settings (9.0(x) Release Notes)

  • Used to keep the original old software behaviour identical even when doing a software jump from old to new

Per-session PAT disabled when upgrading—Starting in Version 9.0, by default, all TCP PAT traffic and all UDP DNS traffic use per-session PAT (see the xlate per-session command in the command reference). If you upgrade to Version 9.0 from an earlier release, to maintain the existing functionality of multi-session PAT, the per-session PAT feature is disabled during configuration migration. The ASA adds the following deny rules:

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

To enable per-session PAT after you upgrade, enter:

clear configure xlate

Found at:

http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp593140

- Jouni
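A small offline audit that applies the two release-note rules quoted in the answer above (bare "any" in existing ACL entries becomes "any4"; migration inserts eight "xlate per-session deny" rules so the old multi-session PAT behaviour is kept). This is an added example for this thread, not Cisco code and not the ASA's own migration logic; the PRE_UPGRADE and POST_UPGRADE configs are constructed for the example, and the rewrite function only approximates the documented rule for ACL lines, so its output is something to compare the real post-upgrade running config against, not a replacement for reading it.

```python
"""Offline pre/post-upgrade audit for an ASA config crossing the 8.x -> 9.x jump.

Added example for the thread; not Cisco code and not the ASA's migration logic.
It encodes two rules from the 9.0(x) release notes quoted above:
  1. an existing ACL entry's bare "any" is rewritten to "any4";
  2. migration inserts eight "xlate per-session deny" rules so the old
     multi-session PAT behaviour is kept until "clear configure xlate" is run.
Both sample configs are constructed for the example, not taken from a device.
"""
from __future__ import annotations

import re

# Constructed: a few lines as they would sit in the saved 8.0(4) config.
PRE_UPGRADE = """\
access-list outside_access_in_1 extended permit ip object-group ADMIN_NETWORKS any
access-list outside_access_in_1 extended permit tcp any host 192.0.2.10 eq www
access-list outside_access_in_1 remark any traffic from admins
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 any
object-group network ADMIN_NETWORKS
 network-object 10.1.1.0 255.255.255.0
"""

# Constructed: the same lines as the running config shows them after booting 9.1.
POST_UPGRADE = """\
access-list outside_access_in_1 extended permit ip object-group ADMIN_NETWORKS any4
access-list outside_access_in_1 extended permit tcp any4 host 192.0.2.10 eq www
access-list outside_access_in_1 remark any traffic from admins
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 any4
object-group network ADMIN_NETWORKS
 network-object 10.1.1.0 255.255.255.0
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
"""

# The eight rules the release notes say migration adds (quoted in the thread).
MIGRATION_XLATE_RULES = frozenset(
    f"xlate per-session deny {proto} {src} {dst}{suffix}"
    for proto, suffix in (("tcp", ""), ("udp", " eq domain"))
    for src in ("any4", "any6")
    for dst in ("any4", "any6")
)

# Bare "any" only: the word boundary keeps this off "any4", "any6" and names like "company".
_BARE_ANY = re.compile(r"\bany\b")


def migrate_any_keyword(line: str) -> str:
    """Predict how migration rewrites one config line: bare 'any' in an ACL entry
    becomes 'any4'. Remark lines and non-ACL lines are returned unchanged."""
    if not line.startswith("access-list ") or " remark " in line:
        return line
    return _BARE_ANY.sub("any4", line)


def acl_lines(config: str) -> list[str]:
    """All access-list lines of a config, trailing whitespace stripped."""
    return [ln.rstrip() for ln in config.splitlines() if ln.startswith("access-list ")]


def unexpected_acl_changes(pre: str, post: str) -> dict[str, list[str]]:
    """Compare what the documented rule predicts against the post-upgrade ACLs.
    Anything in either list is a change the release notes do not explain and
    deserves a look before trusting the converted config."""
    predicted = [migrate_any_keyword(ln) for ln in acl_lines(pre)]
    actual = acl_lines(post)
    return {
        "missing": [ln for ln in predicted if ln not in actual],
        "unexpected": [ln for ln in actual if ln not in predicted],
    }


def per_session_pat_state(post: str) -> str:
    """Report which PAT behaviour a 9.x config is running:
    'legacy-multi-session-pat' when all eight migration deny rules are present,
    'per-session-pat' when none are (the 9.0 default, e.g. after
    'clear configure xlate'), and 'partial' for anything in between."""
    present = {ln.strip() for ln in post.splitlines()
               if ln.startswith("xlate per-session deny")}
    if MIGRATION_XLATE_RULES <= present:
        return "legacy-multi-session-pat"
    if not present & MIGRATION_XLATE_RULES:
        return "per-session-pat"
    return "partial"


if __name__ == "__main__":
    print("ACL differences not explained by the any -> any4 rule:",
          unexpected_acl_changes(PRE_UPGRADE, POST_UPGRADE))
    print("PAT behaviour after upgrade:", per_session_pat_state(POST_UPGRADE))
```

Run it against a saved pre-upgrade `show running-config` and the post-upgrade one in place of the constructed strings; an empty "missing"/"unexpected" pair means the ACL conversion did only what the release notes describe, and the PAT state tells you whether the device is still on the pre-9.0 multi-session behaviour or has been switched to per-session PAT.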

Thanks for the quick response again Jouni, that was very helpful.

I am still unable to access the ASDM using the Java Web Start application. When I try, a window pops up saying "unable to launch application". I have to click on "install ASDM launcher" in order to get it to run. I was able to just click on "run ASDM" and it worked in earlier versions. Any ideas?

Thanks!

Hi,

I personally use the software installed from the ASA on my computer. I don't launch it through the web browser.

I haven't really had the need to troubleshoot this much. I can only remember one occasion where a new Java update broke the ASDM. I personally don't use ASDM much either, so it's even less likely that I run into these problems.

Here's some information on my setup and versions

Java

My ASA5505

Cisco Adaptive Security Appliance Software Version 9.1(1)

Device Manager Version 7.1(1)52

And everything works fine. ASDM shows the following when it has been launched through the browser

- Jouni

Jouni, it must be the version of Java I am running on this computer. I confirmed from a different computer with an updated version of Java that I was able to access the ASDM normally. Thanks again
