05-16-2012 07:35 AM - edited 03-11-2019 04:07 PM
Hi,
We are planning to upgrade our ASA 5520 from 8.2.1 to 8.4.3. Could you please help me with the following questions?
1. Which is the best migration plan to follow: 8.2.1->8.3->8.4.3 or 8.2.1 to 8.4.3?
We are using nat-control now and for this reason we have many static NATs. I have upgraded an ASA in my lab from 8.2.1 to 8.4.2, disabled nat-control and run the "no names" command, but the auto-upgrade procedure created NAT rules for the statics that were used for nat-control. So the configuration is huge.
2. Do I have to remove all the static NAT commands that are being used for nat-control before the upgrade?
Thank you
05-16-2012 07:46 AM
Hi,
I guess just update the ASA to the latest 8.2.x, which is 8.2.5, and then you can jump straight to 8.4.x, no issues.
Moreover in 8.4 you do not have the concept of nat-control anymore, so it makes sense to disable nat-control on the 8.2 code and remove the statics that you have for it and then upgrade to avoid unnecessary things.
Hope that helps
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-16-2012 07:57 AM
Hi Varun,
I have in my firewall many static NAT entries and I am trying to find a way to do it as simply as possible.
I am thinking to do the following: remove every static NAT that has the same IP (used only for NAT CONTROL), like this example
static (inside,DMZ) 10.10.10.10 10.10.10.10 netmask 255.255.255.255
and leave every static NAT that is used for NAT, in order to be converted automatically
static (inside,DMZ) 10.10.10.10 192.168.1.1 netmask 255.255.255.255
Do you think that this is correct?
Something more: if I have problems after the upgrade, is there any official downgrade procedure from Cisco?
Thank you very much for the prompt answer
05-16-2012 08:25 AM
yup that's fine.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-16-2012 08:26 AM
Well, the upgrade procedure from the 8.2 version to 8.4 is the same as the others; you can follow this doc for it:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b20f35.shtml
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-16-2012 08:35 AM
I am not afraid of the upgrade procedure from 8.2.1 to 8.4.3 but of the downgrade if something goes wrong. I have not found any Cisco document that describes this option. What happens with the nat commands?
Thank you
05-16-2012 08:47 AM
Here's the downgrade procedure:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp72161
The nat commands would be automatically migrated from 8.2 syntax to the 8.4 syntax; if you want to check how they would look post migration, refer to this:
https://supportforums.cisco.com/docs/DOC-9129
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-17-2012 12:25 AM
I will do the upgrade and I will inform you of the results.
Thank you very much,
05-17-2012 12:42 AM
Sure, I'll wait for the update
05-17-2012 01:52 AM
I forgot to ask you something else. Before the upgrade I will run the "no names" command, as you know it is best practice.
After the upgrade is it safe to enable names command again?
Thank you
05-17-2012 02:07 AM
Yes, you can enable it after the upgrade
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-17-2012 05:10 AM
While it is safe to re-enable the names command, it would be better to use objects exclusively.
05-17-2012 05:32 AM
Hi Marvin
Why is it better not to use names? Can you please explain to me?
Thank you
05-17-2012 12:27 PM
Most uses of names (NAT rules and access-lists) need an object in any case so why do double work and have an object plus a name?
Also, while Cisco hasn't indicated any direction in this way, I would guess that eventually names will be deprecated in favor of objects.
05-25-2012 04:21 AM
Five days after the upgrade we have had no problems at all. So the steps that I have followed are the following:
1. disable nat-control
2. remove unneeded statics used for nat-control
3. disable names
and then reload.
thank you all for your support