ASA 5550 Upgrade from 8.4(7) to 9.1(7)

ravindra692
Level 1

Guys,

I have to upgrade a couple of our ASA 5550 firewalls from 8.4(7) to 9.1(7). I am not able to get information related to configuration changes between them. Can anyone please help me with this?

Thanks

Ravindra

12 Replies

Maykol Rojas
Cisco Employee

Hi;

You can upgrade directly to the desired version. Check "Upgrading the Software":

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html#pgfId-763574

I would strongly recommend finding a supported version since 9.1 is going EOL.

https://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/eos-eol-notice-c51-738645.html

If you have any questions, let us know.

Mike.

Mike

Thanks for reminding me about the EOL.

Currently I am looking for the configuration changes between the software versions 8.4(7) and 9.1.7.23, as I couldn't find them in the release notes.

Your help would be much appreciated.

Thanks

Ravindra

Leo Laohoo
Hall of Fame

@ravindra692 wrote:

I have to upgrade a couple of our ASA 5550 firewalls from 8.4(7) to 9.1(7).

Have you heard about this critical security advisory: Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

9.1(7) is an affected release. The fix for this version is found in 9.1(7)23.

Yes

I did. I have already upgraded four of our firewalls to mitigate this vulnerability.

But the rest of them have 8.4.7 running on them, which is a major upgrade. That is why I would like to know about the configuration changes while upgrading from 8.4.7 to 9.1.7.23.

Your help would be much appreciated.

Thanks

Ravindra

If you are on 8.4.x you have the new style NAT, so the main config change is that at 9.0 they unified IPv4 and IPv6 access lists, and changed the semantics of the "any" keyword to be dual-stack, introducing new "any4" and "any6" keywords which are protocol-specific. If you aren't using IPv6 you may not much care. If you are using IPv6, you may or may not like the automatically upgraded configuration.

Hi

We are not using IPv6. Can I go ahead with the upgrade, or are there any other configuration changes to look for?

Thanks

Ravindra

If you don't have any IPv6 rules, I would expect an 8.4 to 9.1 upgrade to do an automatic conversion to a highly similar and working configuration, so I'd go ahead. Note that not having IPv6 rules on your firewall isn't the same as having no IPv6 traffic on your VLANs. All contemporary cellphone, tablet, and desktop clients are dual-stack and mostly prefer IPv6 to IPv4 by default. If you aren't monitoring for IPv6, and aren't blocking IPv6 misbehavior by clients, you are at risk for dual-stack malware using IPv6 to hijack internal routing and then using IPv6 transition tunnels to exfiltrate data. At a minimum I'd suggest blocking protocol 41 (IPv4 packet with IPv6 payload) and port 3544/UDP (default Teredo server negotiations) at your border firewall, regardless of whether or not you support any native IPv6. And wired switchports should be blocking native IPv6 (ethernet type 0x86dd) if you aren't using it, or filtering out rogue DHCPv6 and ICMPv6 router advertisements if you are. E.g. for the last decade my wired desktop client switchports have had:

~~~
ip access-group V4CLIENT in
ipv6 traffic-filter V6CLIENT in
~~~

where the filters are:

~~~
ip access-list extended V4CLIENT
 ! no DHCPv4 server replies or ICMP redirects from a client port
 deny udp any eq bootps any eq bootpc
 deny icmp any any redirect
 permit ip any any
ipv6 access-list V6CLIENT
 ! no DHCPv6 server replies, router advertisements or redirects from a client port
 deny udp any eq 547 any eq 546
 deny icmp any any router-advertisement
 deny icmp any any redirect
 permit ipv6 any any
~~~
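One way to inventory what the 9.0 ACL unification touches before the upgrade, as an added example that is not from this thread or from Cisco: a Python script that flags bare `any` in IPv4 extended ACEs, lists IPv6 ACLs, and lists certificate trustpoints in a constructed 8.4-style config fragment. The sample config, the ACL names and the `any` to `any4` rewrite are assumptions for illustration; compare its output against the ASA's own converted running-config rather than using it as a converter.

```python
import re

# Constructed sample of an ASA 8.4 running-config fragment (not from any real device).
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-list OUTSIDE_IN remark any further hosts go below
access-list INSIDE_OUT extended permit ip 10.0.0.0 255.0.0.0 any
ipv6 access-list V6_OUT permit tcp any any eq 80
crypto ca trustpoint VPN_CA
 enrollment terminal
crypto ca certificate chain VPN_CA
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+")
V6_ACL_RE = re.compile(r"^ipv6\s+access-list\s+(\S+)\s+")
TRUSTPOINT_RE = re.compile(r"^crypto\s+ca\s+trustpoint\s+(\S+)")
# Bare 'any' only: 'any4' / 'any6' already carry the 9.x protocol-specific meaning.
BARE_ANY_RE = re.compile(r"(?<![\w-])any(?![\w-])")

def audit(config):
    """Flag 8.4 config items whose meaning changes, or that merit a check, after a 9.x upgrade."""
    report = {"bare_any": [], "ipv6_acls": set(), "trustpoints": set()}
    for line in config.splitlines():
        line = line.rstrip()
        m = ACL_RE.match(line)
        if m and BARE_ANY_RE.search(line, m.end()):
            report["bare_any"].append(line)        # 'any' becomes dual-stack at 9.0
            continue
        m = V6_ACL_RE.match(line)
        if m:
            report["ipv6_acls"].add(m.group(1))    # merged into unified ACLs at 9.0
            continue
        m = TRUSTPOINT_RE.match(line)
        if m:
            report["trustpoints"].add(m.group(1))  # expected to carry over; verify afterwards
    return report

def to_explicit_ipv4(line):
    """Rewrite an IPv4 extended ACE so each bare 'any' reads 'any4' (the IPv4-only keyword)."""
    m = ACL_RE.match(line)
    if not m:
        return line
    return line[:m.end()] + BARE_ANY_RE.sub("any4", line[m.end():])

if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for ace in result["bare_any"]:
        print("review:", ace, "->", to_explicit_ipv4(ace))
    print("IPv6 ACLs:", sorted(result["ipv6_acls"]))
    print("trustpoints:", sorted(result["trustpoints"]))
```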

The firewalls that I am planning to upgrade are IPsec firewalls. I checked for IPv6 config and traffic; there isn't any. So IPv6 is not a problem anymore.

I am worried about the certificates. Do they change when I perform the upgrade?

Your comments would be much appreciated.

Thanks

Ravindra

I would expect all the private keys, certificates, and trustpoints to carry over, unchanged.

I have a few expired certs on those devices. Will they cause any problem?

I wouldn't think that expired certificates would cause a problem, but have no experience of that; I tend to install new certificates, update all the statements using them, then delete the old ones. Usually before they expire.

Thank you
