10-09-2013 12:41 AM - edited 03-11-2019 07:49 PM
Hello guys,
I would like to greet you. This is my first discussion on the Cisco support community (previously I was on the Cisco Learning Network). I'm a little bit worried about one thing. Currently I'm working in one of the biggest banks in my country as a network administrator and we are planning to upgrade our ASA from version 8.3(1) to a newer one. We noticed a lot of bugs in the current version, so upgrading is really a must. My question would be:
What is the next best software version, I mean painless for my company? I have a lot of NAT rules, ACLs and VPNs in production, so what is the difference from the current version to a newer one, let's say 8.4.7 ED? Are there any instructions for migration, and what problems might I encounter, because the Cisco documentation is a little bit unclear and confusing?
Thanks a lot,
Br,
Mirza Cerim
10-10-2013 05:01 PM
Hi Mirza,
Actually I think that the major upgrade is from 8.2 to 8.3; so now that you are on 8.3 it should be a big deal to upgrade your ASAs to 8.4.
Other than open caveats that might be in the release notes, you shouldn't experience major issues.
It is always good practice to schedule a maintenance window.
HTH
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
http://www.cisco.com/web/partners/tools/pdihd.html
10-10-2013 09:11 PM
Hi,
Some gotchas (I don't like the term) to watch out for in 8.4 that got several of my customers:
1. arp permit-nonconnected. Basically, if you have NATs on your outside to a different subnet (from the actual IP used by the ASA interface), then by default they will stop working.
2. Identity nat configurable proxy-arp and route-lookup:
If you have NONATs for VPN (or identity NAT in 8.3+ code) that look like this:
nat (inside,any) source static NET_IN1 NET_IN1 destination static NET_VPN1 NET_VPN1
then you need to add the no-proxy-arp keyword at the end in newer 8.4 code. If you don't, the ASA will start replying to ARPs for the NET_IN1 subnet on its inside interface also; this is caused by the any keyword.
If it was nat (inside,outside) ... then you're OK.
3. managing the ASA through VPN stops working (bug CSCtr16184):
Even if you have the management-access inside command, it might fail;
you need to add the route-lookup keyword in the identity NAT:
nat (inside,outside) ... route-lookup
Be sure to review the release notes first:
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html
Patrick
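As an added pre-upgrade check written for the two identity NAT points in this reply (example code, not something Patrick or Cisco provides), the following Python script scans pasted "show running-config nat" output and flags identity NAT rules that would need the no-proxy-arp keyword (because of the any interface) or the route-lookup keyword (for management-access over VPN). The object names and config lines are constructed samples, and the parser assumes twice-NAT "source static" syntax only.

```python
import re
from typing import List, Tuple

# Constructed sample of "show running-config nat" output (not from a real device).
SAMPLE_NAT_CONFIG = """\
nat (inside,any) source static NET_IN1 NET_IN1 destination static NET_VPN1 NET_VPN1
nat (inside,outside) source static NET_IN1 NET_IN1 destination static NET_VPN1 NET_VPN1 no-proxy-arp route-lookup
nat (inside,outside) source static NET_IN2 NET_IN2 destination static NET_VPN2 NET_VPN2
nat (inside,outside) source dynamic NET_IN1 interface
"""

# Twice-NAT line shape assumed here:
#   nat (real_ifc,mapped_ifc) source static REAL MAPPED [destination static MAPPED REAL] [options...]
NAT_LINE = re.compile(
    r"^nat \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) source static "
    r"(?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?"
    r"(?P<opts>(?: \S+)*)\s*$"
)


def check_identity_nat(config: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, severity, message) for identity NAT rules that need
    attention on 8.4 code. Only 'source static X X' (identity) rules are examined."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = NAT_LINE.match(line.strip())
        if not m or m.group("src_real") != m.group("src_mapped"):
            continue  # not twice NAT, or the source is translated (not identity NAT)
        opts = set(m.group("opts").split())
        uses_any = "any" in (m.group("real_ifc"), m.group("mapped_ifc"))
        if uses_any and "no-proxy-arp" not in opts:
            # Gotcha 2: with 'any', the ASA will proxy-ARP for the real subnet on the inside too.
            findings.append((lineno, "error",
                             f"identity NAT with 'any' interface lacks no-proxy-arp "
                             f"(ASA will answer ARPs for {m.group('src_real')} on its inside)"))
        if "route-lookup" not in opts:
            # Gotcha 3: management-access over VPN may fail without route-lookup (CSCtr16184).
            findings.append((lineno, "warning",
                             "identity NAT without route-lookup: management over VPN may fail"))
    return findings


if __name__ == "__main__":
    for lineno, severity, msg in check_identity_nat(SAMPLE_NAT_CONFIG):
        print(f"line {lineno} [{severity}]: {msg}")
```

Paste the real NAT section in place of the sample and review each finding against the release notes before the maintenance window.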