
Cisco ASA OS Upgrade from 8.0(2) to

WIPRO Perth
Level 1

Gents

Currently I have:

Cisco Adaptive Security Appliance Software Version 8.0(2)

Device Manager Version 6.1(3)

I want to upgrade to the latest OS and ASDM. This device will be used as a backup VPN Conc on a DR site. The Prod ASA has not yet been updated. I am planning to do the DR first as it is a new device going in. I am unable to find any documentation comparing the current and the latest OS feature set. Can someone please advise / point me in the right direction?

Regards

ITS

3 Replies

Jouni Forss
VIP Alumni

Hi,

I would personally check out the Release Notes from your current software all the way to the new software you are going to use from here

http://www.cisco.com/en/US/products/ps6120/prod_release_notes_list.html

Release Notes usually list new features in their own section.

Naturally the biggest work in your case will probably be about the NAT format change between the jump from 8.2 to 8.3 and any newer software. It's a major change. There are also changes to ACL format (because of the mentioned NAT changes) among other changes.

Is the device you mention holding a configuration that it's supposed to use when put into production?

I guess the easiest way to upgrade the software to the latest version would be to keep rebooting the ASA to a new software in short steps so it converts the configurations itself.

So you might go to 8.2(5) -> 8.3(x) -> 8.4(5)

To me it seems (and what I have been told from Cisco direction) that the 8.4(5) would at the moment be the configuration to use unless 9.x has something needed (I can't remember unless I check release notes). There are bugs in the 9.x software so I will probably still wait before using it in production devices.

The bad side (in my opinion at least) regarding updating the configurations is that the end result might not be really "optimal". Also, if you have absolutely no experience with the new NAT it will be hard to go through. So I prefer to practice the new NAT format before actually using it.

Hope this helps

Do ask more if needed.

- Jouni

Hi Jouni

Thanks for the reply mate.

So in order to upgrade from my current version I need to go through each software upgrade so the configuration also updates itself. My understanding was I can upgrade to the latest version directly and the configuration will be updated automatically. Yes, I do keep a copy of the current running-configuration if I need to revert back to the current OS version. I also have heard the same about the latest 9.x series and I was thinking of upgrading to the latest 8.x series.

You mentioned above about the NAT changes; I am not quite clear what you mean by that? My understanding is the entire running-configuration will change to the new format (where required). Is that the case or do we need to make some NAT and ACL changes manually?

The current scenario is…

Production site has an ASA5510 with;

Cisco Adaptive Security Appliance Software Version 8.0(4)

Device Manager Version 6.1(5)51

DR site will have an ASA5510 which is currently on;

Cisco Adaptive Security Appliance Software Version 8.0(2)

Device Manager Version 6.1(3)

...with no configuration and needs to be upgraded to the latest ASA OS. When upgraded and configured it will be commissioned on the DR site and will be used as a backup VPN termination point with automated failover capability.

Now would there be any concerns / issues running the production ASA on a different version or different configuration format?

Regards

ITS

Hi,

I think Cisco suggests upgrading the ASA by going software level by software level. To my understanding this is meant for the software to correctly convert. To be honest I haven't had to do an update in such a way in some time now since I have always written the new configuration myself, so basically it has not mattered if the configuration conversion has worked or not since I will wipe the configuration anyway. In most of my cases also I have migrated between different hardware so I have just moved the customer connections to different devices.

What I mean with the NAT is the fact that if you just simply migrate to the new software from your software level without getting to know the new NAT format you will possibly have a hard time configuring the NAT in the correct way. Even though the automatic conversion will probably work initially, you will still have to configure any future NAT configurations yourself and this will then be in the new format.

I'm not sure I understood your final points correctly. Do you mean that you are first going to update the non-production ASA and then configure it after the upgrade? In that case you can simply boot straight to the new software, if you are going to configure it yourself after the boot.

If you are planning on configuring these 2 ASAs in Failover then you have to make sure that the hardware setup (amount of RAM) and the software are identical.

- Jouni
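
Added example, not part of the original replies and not Cisco tooling: a small pre-upgrade audit that lists the pre-8.3 NAT commands the 8.2 to 8.3 jump will convert, and shows how ACL entries that match a static's mapped (translated) address read once rewritten to the real address, which is what 8.3 and later ACLs match on. The configuration excerpt, addresses (documentation ranges) and the `audit` helper are constructed for illustration, and only simple host statics are handled.

```python
import re

# Constructed pre-8.3 ASA configuration excerpt (documentation address ranges).
SAMPLE_CONFIG = """\
nat-control
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
static (dmz,outside) 203.0.113.10 10.2.2.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.20 eq 25
access-group OUTSIDE_IN in interface outside
"""

# Pre-8.3 NAT commands; 8.3+ "nat (real,mapped) ..." has two interfaces and is not matched.
LEGACY_NAT = re.compile(r"^(nat-control\b|global \(|static \(|nat \([^,)\s]+\) \d+ )")
# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask 255.255.255.255
STATIC_HOST = re.compile(
    r"^static \(\S+,\S+\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) "
    r"netmask 255\.255\.255\.255")

def audit(config):
    """Return (legacy_nat_lines, acl_rewrites) for a pre-8.3 configuration."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    legacy = [l for l in lines if LEGACY_NAT.match(l)]
    mapped_to_real = {}
    for l in lines:
        m = STATIC_HOST.match(l)
        if m:
            mapped_to_real[m.group(1)] = m.group(2)
    rewrites = []
    for l in lines:
        if not l.startswith("access-list "):
            continue
        tokens = l.split()
        new = [mapped_to_real.get(t, t) for t in tokens]
        if new != tokens:  # entry references a translated address
            rewrites.append((l, " ".join(new)))
    return legacy, rewrites

if __name__ == "__main__":
    legacy, rewrites = audit(SAMPLE_CONFIG)
    print("Legacy NAT commands that will be converted:")
    for l in legacy:
        print("  " + l)
    print("ACL entries matching a mapped address (8.3+ form uses the real address):")
    for old, new in rewrites:
        print("  " + old + "\n   -> " + new)
```

Comparing this output against the configuration the ASA produces after the 8.3 boot is a quick way to confirm that externally reachable services are still permitted only where intended.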
