Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14955
Views
10
Helpful
18
Replies

ASA 8.2 to 8.4 upgrade NAT question

Go to solution
billmatthews
Level 1
Level 1

‎01-06-2012 07:23 AM - edited ‎03-11-2019 03:11 PM

Hello,

We're planning the upgrade from 8.2 to 8.4, which I understand has NAT and ACL changes.  I've read the migration guide at http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.pdf

My understanding is that the upgrade procedure will convert the NATs, and place real IPs in the ACLs instead of the translated IPs.

But in looking through my 8.2 configs it appears the real IPs are already being used in my access lists.  For example x.x.x.x is my public IP, and y.y.y.y is my internal IP.  This is my current config:


static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255
access-list acl_out extended permit tcp any host x.x.x.x eq ssh

So it seems that the 8.4 upgrade won't need to change anything.  Is that correct?

Thanks
Bill

Labels:
0 Helpful
18 Replies 18

Go to solution
thomascollins
Level 3
Level 3
In response to varrao

‎01-06-2012 12:43 PM

Thanks.  What would be the upgrade plan for an HA active/standby pair?

  1. Take unitA offline, upgrade unitB using step by step
  2. Run no failover on unitB, bring unitA back online
  3. Upgrade unitA (just straight to 8.4, no step by step needed this time)
  4. Enable failover, let config sync

Does that sound right?

0 Helpful

Go to solution
varrao
Level 10
Level 10
In response to thomascollins

‎01-06-2012 12:52 PM

Nope, the best would be to make the primary active and upgrdae the secondary (standby) first to the image that you would like to finally go to, failover and make secondary active and and then upgrade the primary box to the right image, this way you would not lose any traffic and would be up all the time.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

Go to solution
thomascollins
Level 3
Level 3
In response to varrao

‎01-06-2012 12:54 PM

That makes a lot more sense, I like that.  But for some reason that's not what another engineer recommended (SR

620272873)

Tom

0 Helpful

Go to solution
varrao
Level 10
Level 10
In response to thomascollins

‎01-06-2012 01:05 PM

Hey Thomas, I just went through it and there are two things in here:

Number one - going by the book (which is wat the engineer recommends you)

Number two - my own personal experience, because there have been situations where in some TAC's I did a lab repro for the upgrdae as other customers were apprehensive about doing it on their production device, I did the way I told you, no issues.

So what he must have told, would definitely have a good reason for it or some experience that he can share, I would say, you can definitely talk to the engineer and he would definitely explain you his reason behind it. Just make sure you have your memory requirements spot on.

I hope I was able to clear it out.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card