02-04-2013 12:34 PM - edited 03-11-2019 05:56 PM
I am looking to upgrade a 5510 that is currently on code version 8.0(4) to code version 9.1. I know I will have to upgrade to 1 GB RAM, but can I just upgrade straight to version 9.1 or do I need to follow an upgrade path? This is a standalone device so I am planning on downtime. Thanks in advance.
02-04-2013 12:47 PM
Hi,
Generally it would be advised to reboot the device to the next new software compared to the current one so that the configuration converts correctly.
In other words
I think the 8.1 software was used only for a certain ASA model, or I just have never run into it. I think the model was the ASA5580.
I can't really say for certain what happens if you make the jump directly from 8.0 to 9.1. The most critical point of configuration conversion to the newer format is between 8.2 and 8.3, as that was when the NAT configuration and ACL configuration formats were changed drastically.
It would be good to get used to the new NAT format before rebooting to the new software with automatically converted configurations. Some of the generated configuration might be useless or not work right at all. Also, when you know how to configure them yourself, you can make them a lot simpler.
I personally rewrite the whole configuration for older software myself and then just apply the configurations to an updated device or a totally fresh new ASA to make the configuration as simple as possible. So in that case it doesn't really matter how big the software jump is. In your case I would suggest taking backups of the configurations and doing the upgrade in steps if you are not at all familiar with the new NAT format.
- Jouni
02-04-2013 01:27 PM
You can safely upgrade from 8.0 to 9.1. The configuration changes introduced in 8.3 regarding NAT will be converted when you upgrade to 9.1. As always, make sure you save the configuration on the 8.0 code.
You are correct that the 8.1 code was only for a specific model of ASA.
02-05-2013 11:54 AM
Thank you to both of you for your answers. I was able to upgrade straight from 8.0.4 to 9.1. I have a few questions, though, about the ASA code version.
1. access-list outside_access_in_1 extended permit ip object-group ADMIN_NETWORKS any4
Why did the destination get changed from "any" to "any4"? It did this for all rules that had "any". I guess this is related to IPv4, because any6 is an option?
2.
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
This was thrown in the running config, what is it?
3. What version of Java is required for ASDM version 711? I have Java 6 Update 7 on my computer because it's the only version that works with PIXes and older ASDM versions, but I can't open the ASDM using the Java Web Start application; I can only access it as a local application.
Thanks!
02-05-2013 12:13 PM
Hi,
Regarding the "any" keyword (9.0(x) Release Notes)
Any Keyword
Now that ACLs support both IPv4 and IPv6, the any keyword now represents "all IPv4 and IPv6 traffic." Any existing ACLs that use the any keyword will be changed to use the any4 keyword, which denotes "all IPv4 traffic."
In addition, a separate keyword was introduced to designate "all IPv6 traffic": any6.
Found at (Along with other information):
http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp582903
Regarding the Xlate settings (9.0(x) Release Notes)
• Per-session PAT disabled when upgrading: Starting in Version 9.0, by default, all TCP PAT traffic and all UDP DNS traffic use per-session PAT (see the xlate per-session command in the command reference). If you upgrade to Version 9.0 from an earlier release, to maintain the existing functionality of multi-session PAT, the per-session PAT feature is disabled during configuration migration. The ASA adds the following deny rules:
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
To enable per-session PAT after you upgrade, enter:
clear configure xlate
Found at:
http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp593140
- Jouni
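The two migration effects Jouni quotes above (bare "any" in extended ACLs becoming "any4", and the eight "xlate per-session deny" rules that keep multi-session PAT behaviour) are easy to check for before and after the reboot. The following script is an added example, not code from this thread or from Cisco: it reads a running configuration as text, predicts which ACL entries the 9.0 migration will rewrite, and reports whether the migration-added xlate rules are present (meaning per-session PAT is still disabled). The configuration fragment inside it is constructed for the example; the hostname, object-group and addresses are made up.

```python
"""Pre-upgrade audit of an ASA 8.x config that is about to be moved to 9.x.

Added example (not from the thread or from Cisco). It reports:
  1. extended ACL entries whose bare 'any' the 9.0 migration rewrites
     to 'any4' (in 9.0 'any' means all IPv4 and IPv6 traffic), and
  2. whether all eight 'xlate per-session deny ...' rules that the
     migration adds are present, i.e. per-session PAT is disabled.
"""
import re
from dataclasses import dataclass, field

# Constructed sample running-config fragment (hypothetical names/addresses).
SAMPLE_CONFIG = """\
hostname asa-lab
object-group network ADMIN_NETWORKS
 network-object 10.1.0.0 255.255.0.0
access-list outside_access_in_1 extended permit ip object-group ADMIN_NETWORKS any
access-list outside_access_in_1 extended permit tcp any host 192.0.2.10 eq 443
access-list inside_out extended permit ip any4 any4
access-list inside_out remark any traffic from inside
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
"""

# The eight rules the 9.0 migration inserts (quoted in the release notes above).
MIGRATION_XLATE_DENY_RULES = (
    "xlate per-session deny tcp any4 any4",
    "xlate per-session deny tcp any4 any6",
    "xlate per-session deny tcp any6 any4",
    "xlate per-session deny tcp any6 any6",
    "xlate per-session deny udp any4 any4 eq domain",
    "xlate per-session deny udp any4 any6 eq domain",
    "xlate per-session deny udp any6 any4 eq domain",
    "xlate per-session deny udp any6 any6 eq domain",
)

# Only extended ACL bodies are rewritten; remarks are left alone.
ACL_BODY_RE = re.compile(r"^access-list\s+\S+\s+extended\s+")
# A token following one of these is a name, not the 'any' keyword.
NAME_PREFIXES = {"object", "object-group", "interface"}


def predict_any4_rewrite(line):
    """Return the line as the migration would rewrite it ('any' -> 'any4')."""
    if not ACL_BODY_RE.match(line):
        return line
    tokens = line.split()
    out = []
    for i, tok in enumerate(tokens):
        prev = tokens[i - 1] if i else ""
        out.append("any4" if tok == "any" and prev not in NAME_PREFIXES else tok)
    return " ".join(out)


@dataclass
class AuditReport:
    any_acl_lines: list = field(default_factory=list)        # original entries
    converted_acl_lines: list = field(default_factory=list)  # predicted rewrite
    xlate_deny_rules_present: list = field(default_factory=list)
    xlate_deny_rules_missing: list = field(default_factory=list)

    @property
    def per_session_pat_disabled(self):
        # All eight migration rules present => multi-session PAT retained.
        return not self.xlate_deny_rules_missing


def audit_config(text):
    """Audit a running-config (as text) for the two migration effects."""
    report = AuditReport()
    lines = [ln.strip() for ln in text.splitlines()]
    for line in lines:
        rewritten = predict_any4_rewrite(line)
        if rewritten != line:
            report.any_acl_lines.append(line)
            report.converted_acl_lines.append(rewritten)
    present = set(lines)
    for rule in MIGRATION_XLATE_DENY_RULES:
        bucket = (report.xlate_deny_rules_present if rule in present
                  else report.xlate_deny_rules_missing)
        bucket.append(rule)
    return report


if __name__ == "__main__":
    rep = audit_config(SAMPLE_CONFIG)
    for before, after in zip(rep.any_acl_lines, rep.converted_acl_lines):
        print(f"- {before}\n+ {after}")
    print("per-session PAT disabled:", rep.per_session_pat_disabled)
    if rep.xlate_deny_rules_missing:
        print("missing migration xlate rules:", len(rep.xlate_deny_rules_missing))
```

Run it against a copy of `show running-config` saved from the 8.x box (the thread's advice to save the configuration first) and again after the upgrade: the first run tells you which ACL entries to expect to see rewritten, and the second confirms the xlate rules landed. If you later decide you want per-session PAT, the release notes quoted above give `clear configure xlate` as the command that removes those eight rules.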
02-05-2013 12:26 PM
Thanks for the quick response again Jouni, that was very helpful.
02-05-2013 01:45 PM
I am still unable to access the asdm using the java web start application. I try to but a window pops up saying unable to launch application. I have to click on "install asdm launcher" in order to get it to run. I was able to just click on "run asdm" and it worked in earlier versions. Any ideas?
Thanks!
02-05-2013 02:15 PM
Hi,
I personally use the software installed from the ASA on my computer. I don't launch it through the web browser.
I haven't really had the need to troubleshoot this much. I can only remember one occasion where a new Java update broke the ASDM. I personally don't use ASDM much either, so it is even less likely that I run into these problems.
Here's some information on my setup and versions:
Java
My ASA5505
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(1)52
And everything works fine. ASDM shows the following when it has been launched through the browser:
- Jouni
02-05-2013 02:26 PM
Jouni, it must be the version of java I am running on this computer. I confirmed from a different computer with an updated version of Java that I was able to access the asdm normally. Thanks again