cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
190
Views
3
Helpful
3
Replies

ASA: Tool that checks the configuration if compatible with new OS

swscco001
Beginner
Beginner

Hello everybody,

our customer has many ASAs that wan not upgraded for a longer time.

I want to upgrade them from rel. 9.8 to 9.12 in the first step.

Is there a tool that checks the configuration (attached) if it is compatible
with the new OS release or what needs to be changed to prevent problems?

Thanks a lot for every hint!



Bye
R.

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

You are fine to migrate to 9.12.

The DH group 2 and 5 as well as 3DES are deprecated with release 9.13+. Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/release/notes/asarn913.html#reference_yw3_ngz_vhb

It would be a good idea to get them to migrate to newer DH groups (to group 14), hashing (to SHA-256) and encryption algorithms (from 3DES to AES) but that does require coordination with the remote peers.

View solution in original post

3 Replies 3

@swscco001 hi, use this guide as a upgrade planner.

Cisco Secure Firewall ASA Upgrade Guide - Planning Your Upgrade [Cisco ASA 5500-X Series Firewalls] - Cisco

you need to check the firewall model and last supported version before upgrade. as per guide you can directly upgrade from 9.8 to 9.12. but make sure check the last version. for ex. last version supported by 5508-X is ASA 9.16(x) .

 

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

I check config only dh group I think group 2 is not support anymore.

Also sha1 i think it also not support.

Marvin Rhoads
Hall of Fame
Hall of Fame

You are fine to migrate to 9.12.

The DH group 2 and 5 as well as 3DES are deprecated with release 9.13+. Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/release/notes/asarn913.html#reference_yw3_ngz_vhb

It would be a good idea to get them to migrate to newer DH groups (to group 14), hashing (to SHA-256) and encryption algorithms (from 3DES to AES) but that does require coordination with the remote peers.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: