05-25-2011 06:34 AM - edited 03-11-2019 01:38 PM
Hi everyone,
I have a problem with the update of my ASA to version 8.4. It seemed that all my local traffic to the outside worked fine, but the reverse traffic didn't work. I looked at the new configuration and it seemed that the configuration migration went OK. I had to downgrade to the old version to get all the rules operational.
First of all, I've upgraded from version 8.0(5)20 to 8.4(1); does anyone think that I should update to 8.3 first?
Here is the upgrade startup error log file:
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201105181921.log'
Reading from flash...
!!!!!!!!!!!!!!!!!!!
REAL IP MIGRATION: WARNING
In this version access-lists used in 'access-group', 'class-map',
'dynamic-filter classify-list', 'aaa match' will be migrated from
using IP address/ports as seen on interface, to their real values.
If an access-list used by these features is shared with per-user ACL
then the original access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on
different interfaces are not detectable by automated Real IP migration.
If your deployment contains such scenarios, please verify your migrated
configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete
explanation of the automated migration process.
INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file 'flash:8_0_5_20_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.0(5)20 "
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1752, "access-group outside_acc..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1753, "access-group acl-inside ..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1754, "access-group DMZ_access_..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1755, "access-group acl-wan in ..."
NAT migration logs:
The following 'nat' command didn't have a matching 'global' rule on interface 'inside' and was not migrated.
nat (inside) 1 WifiOrtecAgences 255.255.255.0
The following 'nat' command didn't have a matching 'global' rule on interface 'DMZ' and was not migrated.
nat (inside) 1 WifiOrtecAgences 255.255.255.0
The following 'nat' command didn't have a matching 'global' rule on interface 'WAN' and was not migrated.
nat (inside) 1 WifiOrtecAgences 255.255.255.0
The following 'nat' command didn't have a matching 'global' rule on interface 'inside' and was not migrated.
nat (inside) 1 WifiOrtecInvites 255.255.255.0
The following 'nat' command didn't have a matching 'global' rule on interface 'DMZ' and was not migrated.
nat (inside) 1 WifiOrtecInvites 255.255.255.0
The following 'nat' command didn't have a matching 'global' rule on interface 'WAN' and was not migrated.
nat (inside) 1 WifiOrtecInvites 255.255.255.0
...............................
INFO: NAT migration completed.
Real IP migration logs:
No ACL was changed as part of Real-ip migration
Can anyone help me and tell me where I have to modify my configuration to adapt it to the new version?
Thanks
05-25-2011 10:17 AM
Hello,
If I am understanding correctly, after the migration to 8.4, users on the inside can access the internet, but people on the outside cannot access internal resources. Is this correct? If so, I believe the issue is probably this mentioned in the migration log:
Real IP migration logs:
No ACL was changed as part of Real-ip migration
Here is the migration guide for software version 8.3 and up. As mentioned in the migration guide, real IPs are used in ACLs for software version 8.3 and above.
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp40036
The reason the real IP migration did not take place is because of NAT exemption statements found in your pre 8.3/8.4 config. The following is mentioned in the migration log:
*** Output from config line 4, "ASA Version 8.0(5)20 "
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1752, "access-group outside_acc..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1753, "access-group acl-inside ..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1754, "access-group DMZ_access_..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
In order for people on the outside to access internal resources after the migration, you will have to manually modify the ACLs so the real IPs are reflected in 8.4.
Hope this helps.
06-06-2011 06:52 AM
Thanks for your reply, you got the problem. When you say REAL IP ADDRESS, does this mean that I have to write in the ACL mentioned in the log file the IP instead of the network object? Is that correct?
Thanks
06-06-2011 03:17 PM
Hello,
When you say REAL IP ADDRESS, does this mean that I have to write in the ACL mentioned in the log file the IP instead of the network object?
Network objects can still be used in the ACL; however, network objects must now refer to the real IP address instead of the NAT'ed IP address. Here are some examples:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp54865
Hope this helps.
06-07-2011 06:20 AM
Hi,
OK, I get it. I did it for my static NAT and I replaced the real IP in the access-list outside_access_in.
However, what should I do with dynamic NAT as follows? It's translated by the outside interface, so what kind of ACL should be added:
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 1 A.B.C.D 255.255.255.255
nat (inside) 1 Wifi 255.255.255.0
nat (DMZ) 1 SRV-WEB 255.255.255.255
access-group outside_access_in in interface outside
access-group acl-inside in interface inside
access-group DMZ_access_in in interface DMZ
access-group acl-wan in interface WAN per-user-override
Thanks
06-07-2011 06:35 AM
For the above NAT you would need a NAT something like this:
object network ABCD_IP
nat (inside,outside) dynamic interface
object network WIFI_network
nat (inside,outside) dynamic interface
object network SRV-WEB
nat (inside,outside) dynamic interface
For more info on it follow the attached doc.
Hope this helps.
Thanks,
Varun
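To illustrate the two points made in the replies above (ACLs on 8.3+ must reference the real, pre-NAT address, and the migration skips statics whose source overlaps a NAT exempt rule), here is an added Python script. It is not Cisco's migration tool and not the poster's configuration: it parses a constructed pre-8.3 fragment, maps each host static from its mapped address to its real address, rewrites the ACL entries that reference the mapped address, emits the equivalent 8.3+ object NAT lines, and flags statics whose real address falls inside a `nat (if) 0 access-list` exempt source. The `static`, `nat 0` and `access-list` syntax it parses is the standard pre-8.3 form; the addresses, interface names and object names in the sample are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed pre-8.3 configuration fragment (sample data, not the poster's config).
SAMPLE_CONFIG = """
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (DMZ,outside) 203.0.113.20 172.16.1.20 netmask 255.255.255.255
access-list outside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list outside_nat0_outbound
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_access_in extended permit tcp any host 203.0.113.20 eq 80
""".strip().splitlines()

IP = r"\d+\.\d+\.\d+\.\d+"
# Pre-8.3 host static: static (real_if,mapped_if) <mapped> <real> netmask 255.255.255.255
STATIC_RE = re.compile(
    rf"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    rf"(?P<mapped>{IP}) (?P<real>{IP}) netmask 255\.255\.255\.255$")
# NAT exempt: nat (if) 0 access-list <name>
EXEMPT_RE = re.compile(r"^nat \([\w-]+\) 0 access-list (?P<acl>\S+)$")
# Source network of an 'ip' ACE: access-list <name> extended permit ip <ip> <mask> ...
ACL_SRC_RE = re.compile(
    rf"^access-list (?P<name>\S+) extended permit ip (?P<ip>{IP}) (?P<mask>{IP}) ")

Static = Tuple[str, str, str]  # (real_ip, real_if, mapped_if)


def parse_statics(config: List[str]) -> Dict[str, Static]:
    """Map each mapped (NAT'ed) host address to its real address and interfaces."""
    statics: Dict[str, Static] = {}
    for line in config:
        m = STATIC_RE.match(line.strip())
        if m:
            statics[m.group("mapped")] = (m.group("real"), m.group("real_if"), m.group("mapped_if"))
    return statics


def exempt_sources(config: List[str]) -> List[ipaddress.IPv4Network]:
    """Collect the source networks of every ACL referenced by a 'nat (if) 0 access-list' rule."""
    names = set()
    for line in config:
        m = EXEMPT_RE.match(line.strip())
        if m:
            names.add(m.group("acl"))
    nets = []
    for line in config:
        m = ACL_SRC_RE.match(line.strip())
        if m and m.group("name") in names:
            nets.append(ipaddress.ip_network(f"{m.group('ip')}/{m.group('mask')}", strict=False))
    return nets


def statics_overlapping_exempt(statics: Dict[str, Static],
                               nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Real addresses of statics that sit inside a NAT exempt source: the migration
    log says these statics are not migrated, so they need manual attention."""
    return sorted(real for real, _, _ in statics.values()
                  if any(ipaddress.ip_address(real) in n for n in nets))


def rewrite_acl(config: List[str], statics: Dict[str, Static]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Replace 'host <mapped>' with 'host <real>' in ACL entries; return the new
    config plus a list of (old, new) pairs for review."""
    out, changed = [], []
    for line in config:
        new = line
        if line.startswith("access-list "):
            for mapped, (real, _, _) in statics.items():
                new = re.sub(rf"\bhost {re.escape(mapped)}\b", f"host {real}", new)
        if new != line:
            changed.append((line, new))
        out.append(new)
    return out, changed


def object_nat(statics: Dict[str, Static]) -> List[str]:
    """Emit 8.3+ object NAT equivalents for the parsed host statics (object names constructed)."""
    lines: List[str] = []
    for mapped, (real, real_if, mapped_if) in statics.items():
        name = "obj-" + real.replace(".", "-")
        lines += [f"object network {name}", f" host {real}",
                  f" nat ({real_if},{mapped_if}) static {mapped}"]
    return lines


if __name__ == "__main__":
    statics = parse_statics(SAMPLE_CONFIG)
    new_config, changes = rewrite_acl(SAMPLE_CONFIG, statics)
    for old, new in changes:
        print(f"- {old}\n+ {new}")
    print("\n".join(object_nat(statics)))
    for real in statics_overlapping_exempt(statics, exempt_sources(SAMPLE_CONFIG)):
        print(f"WARNING: static for {real} overlaps a NAT exempt source; review it manually")
```

Run it and compare the printed `-`/`+` pairs against your own ACLs before applying anything; the overlap warning corresponds to the "Static NATs which overlap with NAT Exempt source are not migrated" message in the log, which is why the poster's ACLs were left with mapped addresses.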
08-17-2011 08:12 AM
Hi Allen,
WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.
I have 46 pages of these, but my config on 8.2.4 seems to be quite happy.
Also:
The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.
nat (inside) 35 10.32.0.0 255.255.0.0
But I have a global rule:
global (outside) 35 xx.xx.xx.xx(hidden)
What does matching 'global' rule really indicate? Is the migration looking for
global (inside) 35 ........
08-24-2011 12:09 PM
Hi Peter,
The warning says that a matching global rule was not found on the "dmz" interface. It was looking for a global (dmz) 35 .... command in the config and could not find one.
This should not harm anything. Hope this clarifies your doubt.
Regards,
Prapanch