
ASA Upgrade to 8.3.X

Stuart Gall
Level 1

Hi

I tried to upgrade ASA5510 to 8.3.1 (from 8.2.5)

The configuration migration did not appear to work. My VPNs were up but mostly would not pass traffic.

I saved the migrated configuration (for reference) and backed out the change.

Now I am looking at the saved migrated configuration to see what I need to fix. And it seems like it's a lot.

Questions

1.

object network NAME

subnet 192.168.1.0 255.255.255.0

This makes no sense without a nat (inside,outside) dynamic IP line, correct?

Because I have loads of "object network" with just host or subnet sections.

2.

I have lines like

nat (inside,outside) source static ......

The nat command outside of an object network is no longer listed in the reference guide, so probably I should delete them. But why are they there in the show run? If it is invalid it should not be visible in a show run.

3.

I have lines like

nat (Outside,Outside) source static A B destination C D

So question 2 applies, but these appear to have come from old nat 0 rules for exempting traffic from the VPNs.

4.

I read that I no longer need to make nat 0 (transparent NAT) rules for VPN traffic. Is that true? Can I just delete the old migrated rules?

If it is not true, how do I make a NAT 0 rule equivalent with the new syntax?

TIA

Stuart.

Accepted Solution

Hello Stuart:

Answers:

1) If you have the command "names" on and "nat-control" on, the ASA will start creating a huge amount of object networks so they can perform the same thing that they did on 8.2. So before doing the upgrade, remove the names and the nat-control feature:

no names

no nat-control

2) Twice NAT, or as you said (the nat command outside of an object network), is listed in the command reference and actually has the highest priority when the ASA checks the NAT rules. So do NOT delete them, as they are more than fine.

     A) Twice NAT

     B) Auto nat

     C) After-Auto nat

3) That is correct, but if they are from the NAT 0 with ACL from 8.2 versions, they should be:

     nat (inside,outside) source static A A destination static B B

4) You are right, you do not need to use a NAT 0 with ACL in order to configure the VPN; instead you need a twice NAT as I configured in answer 3.

Any other question..Sure.. Just remember to rate all of the answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

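The answer above describes the three NAT sections the ASA checks in order (twice NAT, auto NAT, after-auto) and the identity twice-NAT form that replaces an 8.2 nat 0 exemption; the later exchange in this thread turns on spotting a stray (outside,outside) rule. The script below is an added example written for this page, not code from the thread, from Cisco, or from the ASA migration tool. It sorts the nat lines of a migrated 8.3 config into those three sections, flags rules whose real and mapped interface are identical for manual review, and rebuilds the identity twice-NAT lines from an 8.2-style exemption ACL. SAMPLE_CONFIG and SAMPLE_NONAT_ACL are constructed inputs, and the obj-<network> object names are this example's own convention (the real migration chooses its own names).

```python
"""Two checks for an ASA 8.2 -> 8.3 NAT migration (added example, not
code from the thread or from Cisco):

1. classify_nat(): sort the 'nat' lines of a migrated 8.3 config into the
   three sections the ASA evaluates in order (twice NAT, auto NAT, after-auto)
   and flag rules whose real and mapped interface are the same.
2. nat0_to_twice_nat(): rebuild the identity twice-NAT form of an 8.2
   'nat 0 access-list' exemption.
All config text here is constructed for the example."""
import re
from collections import defaultdict

# Constructed sample of a migrated 8.3 running-config (not the poster's).
SAMPLE_CONFIG = """\
object network NET-LAN
 subnet 192.168.1.0 255.255.255.0
object network NET-REMOTE
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static NET-LAN NET-LAN destination static NET-REMOTE NET-REMOTE
nat (outside,outside) source static NET-LAN NET-LAN destination static NET-REMOTE NET-REMOTE
object network NET-LAN
 nat (inside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface
"""

# Constructed 8.2-style NAT-exempt ACL (the old 'nat (inside) 0 access-list NONAT').
SAMPLE_NONAT_ACL = [
    "access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0",
    "access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0",
]

NAT_RE = re.compile(r"^\s*nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\)(?P<rest>.*)$")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit ip "
    r"(?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)$")


def classify_nat(config_text):
    """Return {1: [...], 2: [...], 3: [...], 'review': [...]}.
    1 = twice NAT (top-level 'nat' without the after-auto keyword),
    2 = auto NAT ('nat' indented under 'object network'),
    3 = after-auto twice NAT.  'review' lists rules whose real and mapped
    interface are identical, e.g. (outside,outside), which only make sense
    for hairpin/U-turn traffic and deserve a second look after migration."""
    sections = defaultdict(list)
    in_object = False
    for line in config_text.splitlines():
        indented = line.startswith(" ")
        if not indented:
            # Track whether we are inside an 'object network' block.
            in_object = line.startswith("object network ")
        m = NAT_RE.match(line)
        if not m:
            continue
        rule = line.strip()
        if indented and in_object:
            sections[2].append(rule)
        elif m.group("rest").strip().startswith("after-auto"):
            sections[3].append(rule)
        else:
            sections[1].append(rule)
        if m.group("real").strip() == m.group("mapped").strip():
            sections["review"].append(rule)
    return dict(sections)


def nat0_to_twice_nat(acl_lines, real_if="inside", mapped_if="outside"):
    """Turn each 'permit ip NET MASK NET MASK' line of an 8.2 exemption ACL
    into the 8.3 identity twice-NAT rule quoted in the thread:
        nat (inside,outside) source static A A destination static B B
    Returns (object_definitions, nat_rules).  The obj-<network> names are
    this example's own convention; the real migration picks its own names.
    'host' and 'any' entries are not handled here."""
    objects, rules = {}, []
    for line in acl_lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        src, dst = f"obj-{m['src']}", f"obj-{m['dst']}"
        objects[src] = f"object network {src}\n subnet {m['src']} {m['smask']}"
        objects[dst] = f"object network {dst}\n subnet {m['dst']} {m['dmask']}"
        rules.append(f"nat ({real_if},{mapped_if}) source static {src} {src} "
                     f"destination static {dst} {dst}")
    return list(objects.values()), rules


if __name__ == "__main__":
    for section, rules in classify_nat(SAMPLE_CONFIG).items():
        print(f"[{section}]")
        for r in rules:
            print("  " + r)
    objs, nat_rules = nat0_to_twice_nat(SAMPLE_NONAT_ACL)
    print("\n".join(objs + nat_rules))
```

Run against a saved copy of the migrated show run, the 'review' list is the quickest way to find rules like the (outside,outside) one discussed below, and the generated identity rules can be diffed against what the migration produced for each VPN peer network.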

6 Replies

Stuart Gall
Level 1

OK, forget about Q1. The nat lines are further down,

i.e. the parts of the object network are split.



Thanks Julio,

So OK I keep nat (inside,outside) source static

Check that it matches with the VPNs

but nat (outside,outside) source static ...... ?

That must be an anomaly of the migration, right?

The ACLs look right. All the tunnels came up (isakmp and ipsec), but some traffic was not being passed, so I must have something wrong with the NAT rules. It's just a case of figuring out what it is before I try the upgrade again.

Stuart.

Hello Stuart,

Outside,Outside would be for U-turning on the outside interface, so if you just need the VPN to talk to your internal networks, inside,outside is the one you need.

Do you want the outside user to access the internet via VPN?

Any other question..Sure.. Just remember to rate all of the answers.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

Yes, that must be it. There was a legacy VPN that required this, but somehow the migration got confused because the configuration was only partly removed (I have been working on tidying the config).

I do not need U-turns, and their match rules seem to match traffic that I need.

I suspect that is the cause of the problems.

I am going to book another change window next week. I will let you know how I get on.

Many Thanks for all your help.

Stuart.

Hello Stuart,

My pleasure to help ..

Let me know if you get any other problem

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC