CSM 4 + ASA v8.2 upgrade to ASA v8.3

hi everyone,

I have a problem upgrading an ASA from version 8.2 to version 8.3 in Cisco Security Manager.

The upgrade itself is not the problem; the ASA goes through the upgrade process without any issue,

but when I want to change the version of the ASA in CSM, I get an error that I have to unassign the NAT rules from the ASA to change the version,

and when I do this, all my configured NAT rules are gone, and I have no way to get them back, even when I do a whole policy discovery on that device.

Is there a special procedure for upgrading an ASA from version 8.2 to 8.3 in CSM? Or is there a way to convert the existing NAT rules to the new type, like the ASA itself does when it is upgraded?

Thanks in advance

Greetz Sebastian

6 Replies

bgl-group
Level 1

Just to bump this back to the top. I am in the same situation as the original poster, and I have a couple of firewalls with in excess of 60 NAT rules each. As they are serving production web servers I can't afford significant downtime to rebuild the configuration.

Someone else must have had to do this.

I know the firewall can upgrade itself, so why not CSM?

mm.. very good question. As far as I know (but you might want to open a TAC case to have this double-checked) there is no automatic way for CSM to convert the NAT policies, plus I believe that rediscovery will throw some error.

The only way I believe you have is to completely delete the device and rediscover it as 8.3 so that all the policies can be discovered as new.

The drawback of this method is that you will lose all the shared policies (not only the NAT shared policy).

To work around that you can try the following:

1- before deleting, create a clone device (right click -> clone)

2- delete the device

3- discover a new device (this will discover the new ASA at code 8.3 and import all your policies)

4- right click on the clone device and select copy policy

4.1 select the new imported device

4.2 select all the shared policies that were on the previous device and that you want to maintain.

Hope this will work around your issue.

Stefano

Having looked at this, I tried the following.

I deleted a test device from CSM and then upgraded the device to 8.3.

I then added the device as a new machine and imported all the policies; CSM recognised it as an 8.3 device and let me proceed.

The rule import worked as expected and it imported one of the new NAT rules that had been upgraded.

This is where the problems start: I now have two object NAT rules in CSM. These rules cannot be edited, deleted or changed in any way. Fine if they never need to be changed, but you can't guarantee this. Screenshot attached to posting.

The only way I can see to proceed would be to build the entire firewall from scratch again and swap out a unit with the existing firewall. Otherwise we will be storing up problems for future maintenance.

Any thoughts...

Hi,

did you manage to solve the problem or did you try the workaround I suggested?

If it does not work, please open a TAC case so we can have a look.

Stefano

Well, I have got it working, but it took a little bit of work.

I found a spare ASA firewall and rigged it up as a test lab.

I then shut down the AAA authentication and copied the startup-config from the firewall.

The 8.2 software and the copied config were put onto the test firewall.

A management address was then configured on the ASA, and it was upgraded to v8.3.

I then brought the 8.3 firewall into CSM.

The NAT rules were then recoded offline (in the case of the large firewalls this took an afternoon)

Once this was done the production firewalls were upgraded: all the NAT rules were deleted and then the firewall was brought back into CSM. The NAT rules were then copied from the test firewall and applied to the production unit.

This needs to be repeated for each firewall we have... it is about an hour's downtime on each one, depending on the complexity of the rule set. (A pair we did last night didn't have any NAT rules, so they were very easy to do.)

Oh well, only another 7 to go...

eh eh, good luck

Stefano
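The "recoded offline" step above is the part that ate an afternoon per firewall: every 8.2 `global`/`nat`/`static` line has to be rewritten as an 8.3 `object network` block with an embedded `nat` statement, which is also what the ASA's own migration produces during the upgrade. The script below is an added example, not code from any poster or from Cisco. It converts the common forms (a `global`/`nat` pair using `interface` or a single PAT address, host statics, and port statics with a /32 netmask) and hands everything it does not understand (`nat 0`, policy NAT with access lists, address-range pools, network statics) back as lines for manual recoding. The `obj-<address>` naming is an assumption for illustration, and the sample 8.2 lines are constructed, not taken from the thread.

```python
"""Translate a few ASA 8.2 NAT forms into 8.3 object NAT (illustrative sketch)."""

# Constructed sample of an ASA 8.2 NAT section (not taken from the thread).
SAMPLE_82 = """\
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
static (inside,outside) tcp interface 80 10.0.0.20 8080 netmask 255.255.255.255
nat (inside) 0 access-list NONAT
"""


def _obj(name, kind, value, nat_line):
    """Render one 8.3 'object network' block with its embedded nat statement."""
    return "\n".join([f"object network {name}", f" {kind} {value}", f" {nat_line}"])


def convert_nat_82_to_83(config_text):
    """Return (converted_blocks, manual_lines).

    converted_blocks: 8.3 object NAT blocks (statics first, then dynamics).
    manual_lines: 8.2 lines this sketch deliberately leaves for hand recoding
    (nat 0 / exemption, policy NAT, address-range pools, non-/32 statics).
    The ASA's built-in migration covers those cases; this example does not.
    """
    globals_by_id = {}   # nat id -> (mapped interface, mapped address or 'interface')
    dynamics = []        # (nat id, real interface, network, mask)
    out, manual = [], []

    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "global" and len(tok) == 4:
            globals_by_id[tok[2]] = (tok[1].strip("()"), tok[3])
        elif (tok[0] == "nat" and len(tok) == 5
              and tok[2] != "0" and tok[3] != "access-list"):
            dynamics.append((tok[2], tok[1].strip("()"), tok[3], tok[4]))
        elif (tok[0] == "static" and len(tok) >= 6
              and tok[-2] == "netmask" and tok[-1] == "255.255.255.255"):
            real_if, mapped_if = tok[1].strip("()").split(",")
            if tok[2] in ("tcp", "udp"):
                # static (real,mapped) proto mapped_ip mapped_port real_ip real_port
                proto, mapped, mport, real, rport = tok[2:7]
                name = f"obj-{real}-{proto}{rport}"   # assumed naming scheme
                out.append(_obj(name, "host", real,
                                f"nat ({real_if},{mapped_if}) static {mapped} "
                                f"service {proto} {rport} {mport}"))
            else:
                # static (real,mapped) mapped_ip real_ip netmask 255.255.255.255
                mapped, real = tok[2], tok[3]
                out.append(_obj(f"obj-{real}", "host", real,
                                f"nat ({real_if},{mapped_if}) static {mapped}"))
        else:
            manual.append(raw)

    for nat_id, real_if, net, mask in dynamics:
        if nat_id not in globals_by_id:
            manual.append(f"nat ({real_if}) {nat_id} {net} {mask}")
            continue
        mapped_if, mapped = globals_by_id[nat_id]
        if "-" in mapped:
            # An address range needs a separate range object in 8.3; leave to hand.
            manual.append(f"nat ({real_if}) {nat_id} {net} {mask}  ! pool {mapped}")
            continue
        out.append(_obj(f"obj-{net}", "subnet", f"{net} {mask}",
                        f"nat ({real_if},{mapped_if}) dynamic {mapped}"))
    return out, manual


if __name__ == "__main__":
    blocks, leftovers = convert_nat_82_to_83(SAMPLE_82)
    print("\n!\n".join(blocks))
    for line in leftovers:
        print(f"! MANUAL: {line}")
```

Two points worth checking before pasting the output into a production unit: in 8.3 object NAT the ASA orders the rules itself (static before dynamic, longer prefix first), so the emitted block order does not have to mirror the 8.2 line order; and anything that lands in the manual list, in particular `nat 0` exemptions, must be rewritten by hand, since dropping an exemption silently changes what gets translated.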
