
ASA: Tool that checks the configuration if compatible with new OS

swscco001
Level 3

Hello everybody,

our customer has many ASAs that were not upgraded for a longer time.

I want to upgrade them from rel. 9.8 to 9.12 in the first step.

Is there a tool that checks the configuration (attached) if it is compatible
with the new OS release or what needs to be changed to prevent problems?

Thanks a lot for every hint!



Bye
R.


Accepted Solutions

Marvin Rhoads
Hall of Fame

You are fine to migrate to 9.12.

The DH group 2 and 5 as well as 3DES are deprecated with release 9.13+. Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/release/notes/asarn913.html#reference_yw3_ngz_vhb

It would be a good idea to get them to migrate to newer DH groups (to group 14), hashing (to SHA-256) and encryption algorithms (from 3DES to AES) but that does require coordination with the remote peers.

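An added example, not part of the original thread and not a Cisco tool: a small Python check that scans an ASA configuration for the items the accepted answer names as deprecated from 9.13 (DH groups 2 and 5, 3DES) and separately marks SHA-1, which the answer recommends replacing. The sample configuration is constructed, and the patterns cover only IKEv1/IKEv2 policies, IPsec transform-sets and proposals, and crypto-map PFS lines.

```python
import re

R = re.compile
# Sections whose indented sub-commands carry IKE/IPsec parameters.
CRYPTO_PARENT = R(r"^crypto (ikev1 policy|ikev2 policy|ipsec ikev2 ipsec-proposal)\b")

# "deprecated": named in the answer as deprecated from 9.13 (DH 2/5, 3DES).
# "weak": SHA-1, which the answer recommends replacing with SHA-256.
SUB_RULES = [
    ("deprecated", "DH group 2/5", R(r"^group\s+(\d+\s+)*(2|5)(\s|$)")),
    ("deprecated", "3DES", R(r"^(protocol esp )?encryption\s.*\b3des\b")),
    ("weak", "SHA-1", R(r"^(hash|integrity)\s.*\bsha\b|^protocol esp integrity\s.*\bsha-1\b")),
]
TOP_RULES = [
    ("deprecated", "PFS DH group 2/5", R(r"^crypto map \S+ \d+ set pfs group(2|5)$")),
    ("deprecated", "3DES", R(r"^crypto ipsec ikev1 transform-set \S+ .*\besp-3des\b")),
    ("weak", "SHA-1", R(r"^crypto ipsec ikev1 transform-set \S+ .*\besp-sha-hmac\b")),
]

def audit(config_text):
    """Return (line_no, severity, label, command) for each flagged line."""
    findings, in_crypto = [], False
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if raw[:1].isspace():              # sub-command of the current section
            rules = SUB_RULES if in_crypto else []
        else:                              # new top-level command
            in_crypto = bool(CRYPTO_PARENT.match(line))
            rules = TOP_RULES
        findings += [(no, sev, label, line)
                     for sev, label, pat in rules if pat.search(line)]
    return findings

# Constructed sample, not the configuration attached to the question.
SAMPLE = """\
crypto ipsec ikev1 transform-set TS-OLD esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 set pfs group2
crypto ikev1 policy 20
 encryption 3des
 hash sha
 group 2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
"""
if __name__ == "__main__":
    for no, sev, label, cmd in audit(SAMPLE):
        print(f"line {no}: {sev}: {label}: {cmd}")
```

Each flagged line belongs to a tunnel whose remote peer has to change its proposal at the same time, so the output doubles as a list of peers to coordinate with.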

3 Replies

@swscco001 hi, use this guide as an upgrade planner.

Cisco Secure Firewall ASA Upgrade Guide - Planning Your Upgrade [Cisco ASA 5500-X Series Firewalls] - Cisco

You need to check the firewall model and last supported version before the upgrade. As per the guide you can directly upgrade from 9.8 to 9.12, but make sure to check the last version. For example, the last version supported by the 5508-X is ASA 9.16(x).

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

I checked the config, only the DH group: I think group 2 is not supported anymore.

Also SHA-1, I think it is also not supported.
