ASA Problem since my upgrade to 8.4

Hi everyone,

I have a problem with the update of my ASA to version 8.4. It seemed that all my local traffic to the outside worked fine, but the reverse traffic didn't work. When I looked at the new configuration, it seemed that the migration of the configuration went ok. I had to downgrade to the old version to get all the rules operational.

First of all, I've upgraded from version 8.0(5)20 to 8.4(1); does anyone think that I should update to 8.3 first?

Here is the upgrade startup error log file:

INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201105181921.log'
Reading from flash...
!!!!!!!!!!!!!!!!!!!
REAL IP MIGRATION: WARNING
In this version access-lists used in 'access-group', 'class-map',
'dynamic-filter classify-list', 'aaa match' will be migrated from
using IP address/ports as seen on interface, to their real values.
If an access-list used by these features is shared with per-user ACL
then the original access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on
different interfaces are not detectable by automated Real IP migration.
If your deployment contains such scenarios, please verify your migrated
configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete
explanation of the automated migration process.

INFO: MIGRATION - Saving the startup configuration to file

INFO: MIGRATION - Startup configuration saved to file 'flash:8_0_5_20_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.0(5)20 "
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1752, "access-group outside_acc..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1753, "access-group acl-inside ..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1754, "access-group DMZ_access_..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1755, "access-group acl-wan in ..."
NAT migration logs:
The following 'nat' command didn't have a matching 'global' rule on interface 'inside' and was not migrated.
nat (inside) 1 WifiOrtecAgences 255.255.255.0

The following 'nat' command didn't have a matching 'global' rule on interface 'DMZ' and was not migrated.
nat (inside) 1 WifiOrtecAgences 255.255.255.0

The following 'nat' command didn't have a matching 'global' rule on interface 'WAN' and was not migrated.
nat (inside) 1 WifiOrtecAgences 255.255.255.0

The following 'nat' command didn't have a matching 'global' rule on interface 'inside' and was not migrated.
nat (inside) 1 WifiOrtecInvites 255.255.255.0

The following 'nat' command didn't have a matching 'global' rule on interface 'DMZ' and was not migrated.
nat (inside) 1 WifiOrtecInvites 255.255.255.0

The following 'nat' command didn't have a matching 'global' rule on interface 'WAN' and was not migrated.
nat (inside) 1 WifiOrtecInvites 255.255.255.0

...............................

INFO: NAT migration completed.
Real IP migration logs:
No ACL was changed as part of Real-ip migration

Can anyone help me and tell me where I have to modify my configuration to adapt it to the new version?

Thanks

7 Replies

Contributor

Re: ASA Problem since my upgrade to 8.4

Hello,

If I am understanding correctly, after the migration to 8.4, users on the inside can access the internet, but people on the outside cannot access internal resources. Is this correct? If so, I believe the issue is probably what is mentioned in the migration log:

Real IP migration logs:
No ACL was changed as part of Real-ip migration

Here is the migration guide for software version 8.3 and up. As mentioned in the migration guide, real IPs are used in ACLs for software version 8.3 and above.

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp40036

The reason the real IP migration did not take place is because of NAT exemption statements found in your pre-8.3/8.4 config. The following is mentioned in the migration log:

*** Output from config line 4, "ASA Version 8.0(5)20 "
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1752, "access-group outside_acc..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1753, "access-group acl-inside ..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 1754, "access-group DMZ_access_..."
WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.

In order for people on the outside to access internal resources after the migration, you will have to manually modify the ACLs so the real IPs are reflected in 8.4.

Hope this helps.


ASA Problem since my upgrade to 8.4

Thanks for your reply, you got the problem. When you say REAL IP ADDRESS, does this mean that I have to write in the ACL mentioned in the log file the IP instead of the network object? Is that correct?

Thanks

Contributor

ASA Problem since my upgrade to 8.4

Hello,

When you say REAL IP ADDRESS, does this mean that I have to write in the ACL mentioned in the log file the IP instead of the network object?

Network objects can still be used in the ACL; however, network objects must now refer to the real IP address instead of the NAT'ed IP address. Here are some examples:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp54865

Hope this helps.
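The two replies above describe the rule that matters for the poster's outside-to-inside traffic: from 8.3 on, an ACL applied with access-group matches real addresses, so entries written against the mapped address of a static NAT must be rewritten to the real address behind it. The following Python is an added example, not the poster's configuration and not Cisco's migration code; it assumes one-to-one (/32) static NATs and uses constructed documentation addresses. Entries that name a host no static NAT translates are reported for manual review, which is the check the migration log asks for.

```python
"""Rewrite pre-8.3 ASA ACL entries from mapped (NAT'ed) to real addresses.

Added example for this thread; it is not the poster's configuration and not
Cisco's migration code. It models the rule the replies describe: from 8.3 on,
an ACL applied with access-group matches real IP addresses, so entries that
matched the mapped address of a one-to-one static NAT must be rewritten to
the real address behind it. Anything it cannot map is reported for review.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample (documentation address ranges, not the thread's hosts):
# two /32 static NATs and an ACL written the pre-8.3 way against mapped IPs.
OLD_CONFIG = """
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (DMZ,outside) 203.0.113.20 172.16.5.20 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 80
access-list outside_access_in extended permit tcp any host 203.0.113.20 eq 443
access-list outside_access_in extended permit icmp any host 203.0.113.99
access-group outside_access_in in interface outside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_RE = re.compile(
    rf"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    rf"(?P<mapped>{IPV4}) (?P<real>{IPV4}) netmask 255\.255\.255\.255$"
)
HOST_RE = re.compile(rf"\bhost ({IPV4})\b")


def static_host_map(config: str) -> Dict[str, str]:
    """Collect mapped -> real host address from every /32 'static' line."""
    mapping: Dict[str, str] = {}
    for line in config.strip().splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            mapping[m["mapped"]] = m["real"]
    return mapping


def rewrite_acl(config: str, acl_name: str) -> Tuple[List[str], List[str]]:
    """Return (ACL lines rewritten to real IPs, lines needing manual review).

    A line needs review when it names a host that no static NAT in the
    config translates: it may already be a real address, or a mapped
    address whose translation this parser does not model (e.g. a range).
    """
    mapping = static_host_map(config)
    rewritten: List[str] = []
    review: List[str] = []
    for raw in config.strip().splitlines():
        line = raw.strip()
        if not line.startswith(f"access-list {acl_name} "):
            continue
        hosts = HOST_RE.findall(line)
        if any(h not in mapping for h in hosts):
            review.append(line)
        # Substitute the real address wherever a mapped one is known.
        new_line = HOST_RE.sub(
            lambda m: f"host {mapping.get(m.group(1), m.group(1))}", line
        )
        rewritten.append(new_line)
    return rewritten, review


if __name__ == "__main__":
    new_acl, needs_review = rewrite_acl(OLD_CONFIG, "outside_access_in")
    print("\n".join(new_acl))
    for entry in needs_review:
        print("REVIEW:", entry)
```

The third ACL entry is left untouched and reported, because nothing in the sample config tells the script what 203.0.113.99 translates to; on a real box that is exactly the case the "Please check migrated ACLs for accuracy" warning covers.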


ASA Problem since my upgrade to 8.4

Hi,

OK, I get it. I did it for my static NAT and put the real IP in the access-list outside_access_in.

However, what should I do with the dynamic NAT below? It's translated by the outside interface, so what kind of ACL should be added?

global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 1 A.B.C.D 255.255.255.255
nat (inside) 1 Wifi 255.255.255.0
nat (DMZ) 1 SRV-WEB 255.255.255.255
access-group outside_access_in in interface outside
access-group acl-inside in interface inside
access-group DMZ_access_in in interface DMZ
access-group acl-wan in interface WAN per-user-override

Thanks

Advocate

Re: ASA Problem since my upgrade to 8.4

For the above NAT you would need a NAT something like this:

object network ABCD_IP
 nat (inside,outside) dynamic interface
object network WIFI_network
 nat (inside,outside) dynamic interface
object network SRV-WEB
 nat (inside,outside) dynamic interface

For more info on it follow the attached doc.

Hope this helps.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
Beginner

ASA Problem since my upgrade to 8.4

Hi Allen,

WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.

I have 46 pages of these, but my config on 8.2.4 seems to be quite happy.

Also:

The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.

nat (inside) 35 10.32.0.0 255.255.0.0

But I have a global rule:

global (outside) 35 xx.xx.xx.xx(hidden)

What does matching 'global' rule really indicate? Is the migration looking for

global (inside) 35 ........

Cisco Employee

ASA Problem since my upgrade to 8.4

Hi Peter,

The warning says that a matching global rule was not found on the "dmz" interface. It was looking for a global (dmz) 35 .... command in the config and could not find one.

This should not harm anything. Hope this clarifies your doubt.

Regards,

Prapanch
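The last exchange explains what the "no matching 'global' rule" lines in the migration log mean: for a pre-8.3 `nat (<if>) <id>` command the migration looks for a `global (<other_if>) <id>` on each interface, and the earlier answer from Varun shows that each pair that does match becomes a `nat (<nat_if>,<global_if>) dynamic ...` rule in 8.3+ syntax. The Python below is an added example, not Cisco code and not the posters' configurations; it models that check from the warnings quoted in this thread, so the exact behaviour (in particular that the nat command's own interface is also checked, as the first log shows, and that id 0 exemptions are skipped) is an assumption. The sample config is constructed and uses documentation addresses.

```python
"""Model the 'no matching global rule' check from the 8.3/8.4 NAT migration log.

Added example for this thread, not Cisco code. It assumes, from the warnings
quoted above, that for every pre-8.3 'nat (<if>) <id> ...' line the migration
looks for a 'global (<other_if>) <id> ...' line on each interface of the box,
emits the warning for each interface that has none, and can migrate the rule
only for the interface pairs where both halves exist.
"""
import re
from typing import Dict, List, Set, Tuple

NAT_RE = re.compile(r"^nat \((?P<iface>[\w-]+)\) (?P<id>\d+) (?P<rest>.+)$")
GLOBAL_RE = re.compile(r"^global \((?P<iface>[\w-]+)\) (?P<id>\d+) (?P<rest>.+)$")

# Constructed sample modelled on the last question: NAT id 35 on inside with
# a global only on outside, on a box with inside, outside and dmz interfaces.
# The 'nat (inside) 0' exemption is included to show it is left alone here.
OLD_CONFIG = """
global (outside) 1 interface
global (outside) 35 203.0.113.35
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.0.0 255.255.0.0
nat (inside) 35 10.32.0.0 255.255.0.0
"""
INTERFACES = ["inside", "outside", "dmz"]

WARNING = ("The following 'nat' command didn't have a matching 'global' rule "
           "on interface '{iface}' and was not migrated.\n{line}")


def parse_legacy_nat(config: str) -> Tuple[Dict[str, Set[int]], List[Tuple[str, int, str]]]:
    """Split a pre-8.3 config into global ids per interface and nat lines.

    Id 0 (NAT exemption / identity) takes a different path in the real
    migration (see the identity NAT warning quoted above), so it is skipped.
    """
    globals_by_if: Dict[str, Set[int]] = {}
    nats: List[Tuple[str, int, str]] = []
    for raw in config.strip().splitlines():
        line = raw.strip()
        g = GLOBAL_RE.match(line)
        n = NAT_RE.match(line)
        if g:
            globals_by_if.setdefault(g["iface"], set()).add(int(g["id"]))
        elif n and int(n["id"]) != 0:
            nats.append((n["iface"], int(n["id"]), line))
    return globals_by_if, nats


def migration_warnings(config: str, interfaces: List[str]) -> List[str]:
    """One warning, in the log's wording, per nat line and interface that
    has no global rule with the same NAT id."""
    globals_by_if, nats = parse_legacy_nat(config)
    out: List[str] = []
    for _nat_if, nat_id, line in nats:
        for iface in interfaces:
            if nat_id not in globals_by_if.get(iface, set()):
                out.append(WARNING.format(iface=iface, line=line))
    return out


def migratable_pairs(config: str, interfaces: List[str]) -> List[Tuple[str, str, int]]:
    """(nat interface, global interface, id) for every rule that does migrate;
    in 8.3+ syntax each becomes 'nat (<nat_if>,<global_if>) dynamic ...'."""
    globals_by_if, nats = parse_legacy_nat(config)
    return [(nat_if, iface, nat_id)
            for nat_if, nat_id, _ in nats
            for iface in interfaces
            if iface != nat_if and nat_id in globals_by_if.get(iface, set())]


if __name__ == "__main__":
    for w in migration_warnings(OLD_CONFIG, INTERFACES):
        print(w)
    print(migratable_pairs(OLD_CONFIG, INTERFACES))
```

Run against the sample, the script prints the dmz warning from the question (and the one for inside itself, as in the first log in the thread) for both NAT ids, while still reporting that both rules migrate for the inside-to-outside pair; in other words, the warning names interfaces the rule was never meant to cover, which is why the reply calls it harmless.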