Copy config from ASA5550 (8.2) to ASA5520 (8.4)

Richard Dumag
Level 1

Has anyone tried this or done something similar? This is to test the upgrade of our ASA5550 from 8.2 to 8.4.

I have a test ASA5520 with 8.4. I copied the 5550 config to the 5520 then rebooted it.

After the upgrade, I couldn't test connectivity of course, but the upgrade seems to be a success as the errors in the logs are minimal.

However, after looking at the new config, I see new entries (i.e. access-lists, object-groups) that do not exist in the old config.

I'm familiar with the new NAT and object scheme. But in looking at the flow for our outside ACL (from object, to NAT, to access-list), it does not seem to make sense.

I'm also opening a TAC case to see if they can evaluate the configs.

I also wanted to ask those who have gone through the upgrade what their experience had been.

Any comments are appreciated.

6 Replies

Julio Carvajal
VIP Alumni

Hello Richard,

8.3 and higher versions are based on object-networks, so your entire NAT will be based on that (as an example, if you have names enabled before the upgrade, all of the names will be translated to objects automatically).

Also, if you have nat-control enabled, extra NAT statements will be added to your configuration, as nat-control is disabled on these higher versions, so it's a must to disable it before the upgrade.

Please keep these links with you

https://supportforums.cisco.com/docs/DOC-12690

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html

Rate all the helpful posts

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks for the reply. Names and nat-control are disabled on our 5550.

Hello Richard,

nat-control being disabled is great.

Please read the first link I sent you so you can learn how the ASA on 8.3 and higher versions works; then you will be able to read your configuration and figure out if there is something wrong.

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I also discovered that the outside ACLs are still showing the NATted IP addresses instead of real addresses.

Looks like there's going to be a LOT of cleaning up after the upgrade.

Has anyone encountered this issue?

Hello Richard,

That usually happens because of an upgrade error, but I have seen the behavior before; let's see if someone else has seen this issue.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks Julio. I will go through it again and see if I get a different result.
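As an added illustration of Julio's object-NAT explanation and Richard's observation about ACLs still carrying NATted addresses (this is constructed example configuration, not anything posted in the thread), the same static translation in 8.2 syntax and in its 8.3+ object NAT form. Interface names, the object name web-server and all addresses are assumptions. In 8.3 and later the access-list is evaluated against the real (untranslated) address, so an outside ACL that still names the mapped address after migration will not match traffic to that server, which is why such entries need cleaning up:

```cisco
! --- 8.2 style (pre-migration), constructed addresses ---
! Per Julio's advice, nat-control off before the upgrade.
no nat-control
! Mapped (outside) address 203.0.113.10 -> real (inside) host 10.1.1.10
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
! In 8.2 the inbound ACL matches the MAPPED address.
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside

! --- 8.3+ object NAT equivalent (what the migration is expected to produce) ---
! The translation moves into the network object ...
object network web-server
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
! ... and the inbound ACL now references the REAL address (via the object).
! A leftover "host 203.0.113.10" line here would never match the server.
access-list outside_in extended permit tcp any object web-server eq 80
access-group outside_in in interface outside

! Checks after migration: confirm the object NAT exists and that an
! inbound flow to the mapped address passes the ACL phase against 10.1.1.10.
show nat
show running-config access-list outside_in
packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 80
```

The packet-tracer output shows the UN-NAT phase first and then the ACCESS-LIST phase; if the ACL phase drops the flow while the UN-NAT phase succeeds, the ACL is still written against the mapped address.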
