03-08-2013 01:03 AM - edited 03-11-2019 06:11 PM
Gents
Currently I have:
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.1(3)
I want to upgrade to the latest OS and ASDM. This device will be used as a backup VPN Conc on a DR site. The Prod ASA has not yet been updated. I am planning to do the DR first as it is a new device going in. I am unable to find any documentation comparing the current and the latest OS feature set. Can someone please advise / point me in the right direction?
Regards
ITS
03-08-2013 01:16 AM
Hi,
I would personally check out the Release Notes from your current software all the way to the new software you are going to use from here
http://www.cisco.com/en/US/products/ps6120/prod_release_notes_list.html
Release Notes usually list new features in their own section.
Naturally the biggest work in your case will probably be about the NAT format change between the jump from 8.2 to 8.3 and any newer software. It's a major change. There are also changes to ACL format (because of the mentioned NAT changes) among other changes.
Is the device you mention holding a configuration that it's supposed to use when put into production?
I guess the easiest way to upgrade the software to the latest version would be to keep rebooting the ASA to a new software in short steps so it converts the configurations itself.
So you might go to 8.2(5) -> 8.3(x) -> 8.4(5)
To me it seems (and what I have been told from Cisco direction) that the 8.4(5) would at the moment be the configuration to use unless 9.x has something needed (I can't remember unless I check release notes). There are bugs in the 9.x softwares so I will probably still wait before using it in production devices.
The bad side (in my opinion at least) regarding updating the configurations is that the end result might not be really "optimal". Also if you have absolutely no experience from the new NAT it will be hard to go through. So I prefer practice of the new NAT format before actually using it.
Hope this helps
Do ask more if needed.
- Jouni
03-10-2013 09:16 PM
Hi Jouni
Thanks for the reply mate.
So in order to upgrade from my current version I need to go through each software upgrade so the configuration also updates itself. My understanding was I can upgrade to the latest version directly and the configuration will be updated automatically. Yes do keep a copy of the current running-configuration if I need to revert back to the current OS version. I also have heard the same about the latest 9.x series and I was thinking of upgrading to the latest 8.x series.
You mentioned above about the NAT changes, I am not quite clear what you mean by that? My understanding is the entire running-configuration will change to the new format (where required). Is that the case or do we need to make some NAT and ACL changes manually?
The current scenario is…
Production site has an ASA5510 with;
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)51
DR site will have an ASA5510 which is currently on;
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.1(3)
...with no configuration and needs to be upgraded to the latest ASA OS. When upgraded and configured it will be commissioned on the DR site and will be used as a backup VPN termination point with automated failover capability.
Now would there be any concerns / issues running the production ASA on a different version or different configuration format?
Regards
ITS
03-11-2013 12:19 AM
Hi,
I think Cisco suggests upgrading the ASA by going software level by software level. To my understanding this is meant for the software to correctly convert. To be honest I haven't had to do an update in such a way in some time now since I have always written the new configuration myself so basically it has not mattered if the configuration conversion has worked or not since I will wipe the configuration anyway. In most of my cases also I have migrated between different hardware so I have just moved the customer connections to different devices.
What I mean with the NAT is the fact that if you just simply migrate to the new software from your software level without getting to know the new NAT format you will possibly have a hard time configuring the NAT in correct way. Even though the automatic conversion will probably work initially, you will still have to configure any future NAT configurations yourself and this will then be in the new format.
I'm not sure I understood your final points correctly. Do you mean that you are first going to update the non-production ASA and then configure it after the upgrade? In that case you can simply boot straight to the new software, if you are going to configure it yourself after the boot.
If you are planning on configuring these 2 ASAs in Failover then you have to make sure that the hardware setup (Amount of RAM) and the software are identical.
- Jouni