Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
372
Views
0
Helpful
2
Replies

Cisco ASA migration from 8.3 (1)

MirzaCisco
Level 1
Level 1

‎10-09-2013 12:41 AM - edited ‎03-11-2019 07:49 PM

Hello guys,

I would like to greet you. This is my first discussion on cisco support community ( previuously I was on cisco learning network ). I'm lil bit worried about one thing. Currently I'm working in one of the biggest banks in my country as a network administrator and we are planinng to upgrade our ASA from 8.3 (1) version to newer. We noticed a lot of bugs in current version so upgrading is really must. My question would be :

What is the next best software version, I mean painless for my company I have a lot of NAT rules, ACLs, VPN's in production so what is the difference from current version to newer, let me say 8.4.7 ED. Is there any instructions for migration and what problems may encounter because Cisco documentations is lil bit unclear and confusing.

Thanks a lot,

Br,

Mirza Cerim

Labels:
0 Helpful
2 Replies 2

Luis Silva Benavides
Cisco Employee
Cisco Employee

‎10-10-2013 05:01 PM

Hi Mirza,

Actually I think that the mayor mayor upgrade is from 8.2 to 8.3; so now that you are on 8.3 it should be a big deal to upgrade your ASAs to 8.4.

Other than open cavets that might be on the release notes you shouldn't experience mayor issue.

Always is a good practice to schedule a maintenance window.

HTH

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"

http://www.cisco.com/web/partners/tools/pdihd.html

Luis Silva
0 Helpful

Patrick Moubarak
Level 4
Level 4

‎10-10-2013 09:11 PM

Hi,

some gotchas (i dont like the term) to watch out for in 8.4 that got several of my customers:

1. arp permit-nonconnected. Basically if you have NATs on your outside to a different subnet (from the actual IP used by the ASA interface) then by default they will stop working

2. Identity nat configurable proxy-arp and route-lookup:

if you have NONATs for VPN (or identity NAT in 8.3+ code) that looks like this:

nat (inside,any) source static NET_IN1 NET_IN1 destination static NET_VPN1 NET_VPN1

then you need to add the no-proxy-arp keyword at the end in newer 8.4 code. if you don't the ASA will start replying to ARPs for NET_IN1 subnet on its inside interface also; this is caused by the any keyword.

if it was nat (inside,outside) ... then you're ok...

3. managing the ASA through VPN stops working (bug CSCtr16184):

even if you have the management-access inside command, it might fail:

you need to add the route-lookup keyword in the identity NAT:

nat (inside,outside) ... route-lookup

be sure to review the release notes first:

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html

Patrick

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card