Facebook Forum - Migration Best Practices for ASA 8.3/8.4

ciscomoderator
Community Manager

Live chat with Cisco Expert Praveena Shanubhogue

September 6, 2012



Learn about the best practices that should be taken care of while migrating from version 8.2 or earlier to 8.3 and beyond, and ask questions about the new features introduced that stand out. Understand bugs or known issues that one needs to be aware of while migrating from 8.2 to 8.3 and beyond.

Where:

Please go to Cisco Support Facebook Page on the event day: http://www.facebook.com/CiscoSupportCommunity

When:

9:00 AM PDT (San Francisco; UTC -7 hrs)

This corresponds to:

3:00 PM CEST(Paris; UTC +1 hr)

9:00 PM PKT (Pakistan, UTC +5 hrs)

9:30 PM IST (India; UTC +5:30 hrs)

11:00 PM (Indonesia; UTC +7 hrs)

We encourage you to watch the recently published Community Tech-Talk Blog and Video: https://supportforums.cisco.com/community/netpro/security/firewall/blog/2012/08/23/community-tech-talk-series--migration-best-practices-for-asa-8384

What is Facebook Forum?

Facebook forums are online conversations, held at a pre-arranged time on our Facebook page. They give you an opportunity to interact with a live Cisco expert and get more information about a particular technology, service or product.

How do I participate?

On the day of the event, go to our Facebook page http://www.facebook.com/CiscoSupportCommunity.




ciscomoderator
Community Manager

Here's a condensed summary of our October Facebook forum in a Q&A format

What default behavior has been changed from 8.2 to 8.3/8.4?

1. The way NAT statements are written, and the NAT priorities.

2. The way the interface access-lists filter the traffic. (In 8.2, the access-list needed to allow the translated IP address to pass through; post-8.3, you need to allow the real IP address to pass through.)

More on this: http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp78024

Why did Cisco make this change? What is better about this way vs. how we did it in the past?

We had about 4 priorities in NAT statements, and it wasn't possible to reorder NAT statements without removing a nat (static) statement. These priorities could very well be cleaned up, and that is what we have done. The NAT statements in 8.4 have a cleaner interface, and manual NAT statements can now be reordered. These NAT changes have come a long way from 8.3 to 8.4.

Are there any specific tools available for ASA configuration change from 8.2 to 8.3/later?

Cisco TAC has access to a beta tool that converts pre-8.2 config to 8.3-style config; however, the end user, i.e. you, is expected to check the accuracy of features like NAT and ACL to make sure everything has been migrated properly.

For that matter, post-8.3 releases have a built-in config migrator that does a good job. So I would highly recommend using the same, i.e. load the config on an ASA running 8.2, and then upgrade it to a stable release beyond 8.4 (say 8.4(4)5). This should perform a good migration. Look for startup-config errors (show startup error) after migrating from 8.2 to post-8.3.

Does ASA 8.3 or beyond support zero-downtime upgrade from a pre-8.3 version, given the config migration that happens in between?

Yes, it sure does, provided one strictly follows the zero-downtime upgrade procedure, the important rule being that you have to upgrade the ASA sequentially from one major release to the very next major release, i.e. you are not allowed to skip a major release. For example, if you want to move from 8.2 to 8.4, you will need to go to 8.3.1/8.3.2 first.

More on this:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/admin_swconfig.html#wp1374697

Can I simply upgrade my ASA running 8.2 to a version beyond 8.3 now?

Given the changes in the NAT and ACL configuration, and given the memory requirement of these later releases, it is highly recommended that one go through the migration guide available on CCO:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

or the document on Support Forums, which is very concise in this matter:

https://supportforums.cisco.com/docs/DOC-12690

Also take a look at the Tech Talk conducted by Glenn: https://supportforums.cisco.com/videos/4364

Why is the route-lookup keyword getting appended to each manual NAT statement when I upgrade beyond 8.4.2?

That's an interesting point. In 8.4.1 or before, a route lookup was always performed before determining which egress interface needs to be taken while translating an IP address; however, in 8.4.2 that behavior was changed, i.e. the route lookup is not performed if it is not mentioned explicitly.

In 8.4.2, if a favoring NAT statement exists at the top that helps the ASA forward the packet to an egress interface (un-NAT, if you want to call it that), the packet would just get punted to that interface irrespective of where the route points. With the route-lookup keyword in 8.4.2, this decision is stalled till a favoring route is consulted.

You can read about new features introduced per release here:

http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html

How do I know how a NAT statement written in pre-8.2 is written in post-8.3?

The ASA CLI configuration guide is always a good source; however, it tends to be extremely detailed sometimes. This document on Support Forums, written by Magnus, a TAC engineer, answers your question precisely enough:

https://supportforums.cisco.com/docs/DOC-9129

Do you have pointers to more resources that would be useful to our users as they plan their migration to ASA 8.3/8.4?

A couple of pieces of advice for users planning the migration:

1. Stick to 8.2 for now, at least till End of Life is announced for it, as long as it serves the purpose. If you need any new features (http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html), then yes, please lay out an upgrade plan using: https://supportforums.cisco.com/docs/DOC-12690

2. 8.3 has already been killed. 8.4 is the release that replaced 8.3, so please don't stay on 8.3; move on to 8.4.

When we talk about migration from one version of ASA to another, are we actually migrating the configurations and settings from one version to another?

My other question: do ASA firewalls have IOS in them just like routers?

Yes, the ASA always migrates the config to suit the version it is getting migrated to. So far, the config changes have been very minimal (i.e. retaining the same old behavior but new CLI) up till 8.2. However, 8.3 or beyond has introduced a major config change, and the old (pre-8.2) config gets migrated in a best-effort manner. And yes, ASAs have an OS similar to IOS on routers; ASA OS 7.x was based on PIX OS, and ASA OS 8.x is based on Linux.

To visit the actual forum that took place on Facebook visit here:

https://www.facebook.com/133380531411/posts/10151220036751412

To see the archive on Facebook, visit:

http://www.facebook.com/notes/cisco-online-support-community-netpro/facebook-forum-summary-migration-best-practices-for-asa-8384/450264688345473
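The two default-behavior changes listed in the summary (NAT statement syntax, and interface ACLs matching real rather than translated addresses) are easiest to see on a concrete before/after. The script below is an added example written for this page; it is not Cisco's built-in migrator nor the TAC beta tool, and it only handles the simplest case: a one-to-one host `static` plus the ACL applied on the mapped-side interface. The 8.2 snippet, the `obj-<real ip>` object naming, and the assumption that every `host MAPPED` in the ACL refers to the mapped address are all constructed for the example.

```python
"""Added example (not Cisco's built-in migrator): rewrite the simplest pre-8.3
one-to-one 'static' NAT plus the mapped-side interface ACL into 8.3-style
object NAT with the ACL referencing the real address.

Assumptions (illustrative, not the ASA's own algorithm):
  * only 'static (REAL_IF,MAPPED_IF) MAPPED REAL netmask 255.255.255.255'
    lines are converted; policy, dynamic and port statics are left as-is;
  * ACL lines are on the mapped-side interface, so every 'host MAPPED'
    occurrence refers to the mapped address and is rewritten to the real one;
  * object names follow the 'obj-<real ip>' pattern.
The 8.2 config below is constructed for the example.
"""
import re

STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<mapped>\d+(?:\.\d+){3}) (?P<real>\d+(?:\.\d+){3}) "
    r"netmask 255\.255\.255\.255$"
)
HOST_RE = re.compile(r"\bhost (\d+(?:\.\d+){3})\b")


def parse_static(line):
    """Return the fields of a one-to-one static NAT line, or None."""
    m = STATIC_RE.match(line.strip())
    return m.groupdict() if m else None


def to_object_nat(s):
    """Render one pre-8.3 static as 8.3+ object NAT (three config lines)."""
    return [
        f"object network obj-{s['real']}",
        f" host {s['real']}",
        f" nat ({s['real_if']},{s['mapped_if']}) static {s['mapped']}",
    ]


def rewrite_acl(line, mapped_to_real):
    """Post-8.3 ACLs see real addresses: swap 'host MAPPED' for 'host REAL'."""
    return HOST_RE.sub(
        lambda m: f"host {mapped_to_real.get(m.group(1), m.group(1))}", line
    )


def migrate(config_lines):
    """Two-pass conversion: collect statics first so ACLs can be rewritten
    regardless of where the static lines appear in the config."""
    statics = [s for s in map(parse_static, config_lines) if s]
    mapped_to_real = {s["mapped"]: s["real"] for s in statics}
    out = []
    for line in config_lines:
        line = line.rstrip()
        s = parse_static(line)
        if s:
            out.extend(to_object_nat(s))
        elif line.startswith("access-list "):
            out.append(rewrite_acl(line, mapped_to_real))
        else:
            out.append(line)
    return out


# Constructed 8.2-style snippet: web server 10.1.1.10 published as 203.0.113.10.
SAMPLE_82_CONFIG = [
    "static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255",
    "access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80",
    "access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443",
    "access-group OUTSIDE_IN in interface outside",
]

if __name__ == "__main__":
    print("\n".join(migrate(SAMPLE_82_CONFIG)))
```

Running it prints the object NAT block followed by the ACL with `host 10.1.1.10` in place of `host 203.0.113.10`, which is exactly the check to make after a real upgrade: any ACL entry that still names a mapped address will silently stop matching on 8.3+. The `access-group` line is untouched because the binding of ACL to interface did not change.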

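The route-lookup answer above describes a decision rule: once a packet's destination matches the mapped destination of a manual NAT rule, an 8.4(2)+ ASA sends it out the interface named in that rule unless `route-lookup` is present, in which case the un-NATed destination is looked up in the routing table. The toy model below is an added example, not Cisco code and not the ASA's real forwarding path; the `NatRule`/`Route` classes, the interface names, the addresses and the deliberately conflicting route for 10.2.2.0/24 are all constructed to make the two outcomes visible.

```python
"""Added example (not Cisco code): a toy model of the 8.4(2)+ egress-interface
decision for a packet whose destination matches the mapped destination of a
manual (twice) NAT rule.

Assumptions (illustrative): a rule stands for
  'nat (INGRESS_IF,EGRESS_IF) ... destination static MAPPED_DST REAL_DST [route-lookup]'.
Without route-lookup the rule's EGRESS_IF wins; with it, the un-NATed (real)
destination is looked up in the routing table. Rules, routes and addresses
below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    ingress_if: str
    egress_if: str
    mapped_dst: str
    real_dst: str
    route_lookup: bool = False  # the 8.4(2)+ keyword; off unless stated


@dataclass
class Route:
    prefix: str
    iface: str


def longest_prefix_match(dst, routes):
    """Plain longest-prefix lookup; returns the interface or None."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r.iface, net.prefixlen
    return best


def egress_interface(ingress_if, dst, rules, routes):
    """Return (egress interface, destination after un-NAT)."""
    for rule in rules:  # first matching rule wins, as in the manual NAT section
        if rule.ingress_if == ingress_if and rule.mapped_dst == dst:
            if rule.route_lookup:
                return longest_prefix_match(rule.real_dst, routes), rule.real_dst
            return rule.egress_if, rule.real_dst
    # No NAT match: ordinary routing decision on the untranslated destination.
    return longest_prefix_match(dst, routes), dst


# Constructed topology: 10.2.2.10 on the dmz is reachable by inside hosts as
# 192.0.2.10, but a more specific route for 10.2.2.0/24 points out 'outside'.
ROUTES = [
    Route("10.1.0.0/16", "inside"),
    Route("10.2.2.0/24", "outside"),
    Route("0.0.0.0/0", "outside"),
]
RULES_NO_LOOKUP = [NatRule("inside", "dmz", "192.0.2.10", "10.2.2.10")]
RULES_WITH_LOOKUP = [
    NatRule("inside", "dmz", "192.0.2.10", "10.2.2.10", route_lookup=True)
]

if __name__ == "__main__":
    print(egress_interface("inside", "192.0.2.10", RULES_NO_LOOKUP, ROUTES))    # ('dmz', '10.2.2.10')
    print(egress_interface("inside", "192.0.2.10", RULES_WITH_LOOKUP, ROUTES))  # ('outside', '10.2.2.10')
```

The same packet leaves on `dmz` without the keyword and on `outside` with it, which is why the migrator appends `route-lookup` when you cross 8.4(2): it preserves the pre-8.4(2) behavior of consulting the route, so a NAT rule and a routing entry that disagree do not suddenly change where traffic goes after the upgrade.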