IOS Update Problem

mehmoodch · ‎07-27-2012

Hi,

I have CISCO 5510 firewall running with IOS ASA821-k8.bin.

My company has purchased another ASA5510 with IOS ASA843-k8.bin

We need to run both firewalls in Active/Standby mode.

If I upgrade the IOS of old firewall to ASA843-k8.bin the the running configurations does not work properly

It does not pick the network objects and NAT rules as they are configured with OLD IOS and running.

Or if I restore the configurations of old firewall at New ASA the result is worst. Even firewall with new IOS does not show any Access Rule and NAT rule and does not supprt network objects

Any help to solve this issue

Thanks

Durga Prasad M.S · ‎07-27-2012

Hi,

The versions are different and the configs ar different.

You search google with the keywords cisco 8.3 asa youtube.

You will get a video showing the steps to configure in ver 8.3.

Sent from Cisco Technical Support Android App

Pls rate useful posts.

nkarthikeyan · ‎07-27-2012

Hi Mahmood,

Either you can make your bothe ASA's running in ASA 8.25 OS or Upgrade to 8.4.3 OS.

If you make 8.25 then you will not have much congiguration changes. But if you make it in to 8.4 there are few changes es[ecially with the NAT rules.

Static NAT/PAT

Pre-8.3 NAT	8.3 NAT
Regular Static NAT static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255	object network obj-10.1.1.6 host 10.1.1.6 nat (inside,outside) static 192.168.100.100
Regular Static PAT static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255	object network obj-10.1.1.16 host 10.1.1.16 nat (inside,outside) static 192.168.100.100 service tcp 8080 www
Static Policy NAT access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224 static (inside,outside) 192.168.100.100 access-list NET1	object network obj-10.1.2.27 host 10.1.2.27 object network obj-192.168.100.100 host 192.168.100.100 object network obj-10.76.5.0 subnet 10.76.5.0 255.255.255.224 nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100 destination static obj-10.76.5.0 obj-10.76.5.0

Pre-8.3 NAT

8.3 NAT

Regular Dynamic PAT

nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1
192.168.100.100

object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.1.0
    subnet 10.1.1.0 255.255.255.0
    nat (dmz,outside) dynamic 192.168.100.100

Regular Dynamic PAT

nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 192.168.100.100
global (dmz) 1 192.168.1.1

object network   obj-10.1.2.0
    subnet 10.1.2.0 255.255.255.0
    nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.2.0-01
    subnet 10.1.2.0 255.255.255.0
    nat (inside,dmz) dynamic 192.168.1.1

Regular Dynamic PAT-3

nat (inside) 1 0 0
global (outside) 1 interface

object network   obj_any
    subnet 0.0.0.0 0.0.0.0
    nat (inside,outside) dynamic interface

Dynamic Policy NAT

object-group   network og-net-src
    network-object 192.168.1.0 255.255.255.0
    network-object 192.168.2.0 255.255.255.0
object-group network og-net-dst
    network-object 192.168.200.0 255.255.255.0
object-group service og-ser-src
    service-object tcp gt 2000
    service-object tcp eq 1500
access-list NET6 extended permit   object-group og-ser-src
                     object-group og-net-src object-group og-net-dst
nat (inside) 10 access-list NET6
global (outside) 10 192.168.100.100

object network   obj-192.168.100.100
    host 192.168.100.100
object service   obj-tcp-range-2001-65535
    service tcp destination range 2001 65535
object service obj-tcp-eq-1500
    service tcp destination eq 1500
nat (inside,outside) source dynamic   og-net-src
                obj-192.168.100.100 destination
                static og-net-dst og-net-dst
                service obj-tcp-range-2001-65535
                obj-tcp-range-2001-65535
nat (inside,outside) source dynamic   og-net-src
                obj-192.168.100.100 destination
                static og-net-dst og-net-dst
                service obj-tcp-eq-1500 obj-tcp-eq-1500

Policy Dynamic NAT (with multiple ACEs)

access-list ACL_NAT   permit ip 172.29.0.0 255.255.0.0
                                  192.168.1.0 255.255.255.0
access-list ACL_NAT permit ip   172.29.0.0 255.255.0.0
                                  192.168.2.0 255.255.255.0
access-list ACL_NAT permit ip   172.29.0.0 255.255.0.0
                                  192.168.3.0 255.255.255.0
access-list ACL_NAT permit ip   172.29.0.0 255.255.0.0
                                  192.168.4.0 255.255.255.0
nat (inside) 1 access-list ACL_NAT
global (outside) 1 192.168.100.100

object network   obj-172.29.0.0
    subnet 172.29.0.0 255.255.0.0
object network obj-192.168.100.100
    host 192.168.100.100
object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0

object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0

object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0

object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0

nat (inside,outside) source dynamic obj-172.29.0.0   obj-192.168.100.100
                destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
                destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
                destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
                destination static obj-192.168.4.0 obj-192.168.4.0

Outside NAT

global (inside) 1   10.1.2.30-1-10.1.2.40
nat (dmz) 1 10.1.1.0 255.255.255.0   outside
static (inside,dmz) 10.1.1.5 10.1.2.27   netmask 255.255.255.255

object network obj-10.1.2.27
    host 10.1.2.27
    nat (inside,dmz) static 10.1.1.5
object network obj-10.1.1.0
    subnet 10.1.1.0 255.255.255.0
    nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40
object network obj-10.1.2.30-10.1.2.40
    range 10.1.2.30 10.1.2.40

NAT & Interface PAT together

nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 192.168.100.100-192.168.100.200

object network   obj-192.168.100.100_192.168.100.200
    range 192.168.100.100 192.168.100.200
object network obj-10.1.2.0
    subnet 10.1.2.0 255.255.255.0
    nat (inside,outside) dynamic
               obj-192.168.100.100_192.168.100.200 interface

NAT & Interface PAT with additional PAT together

nat (inside) 1 10.0.0.0 255.0.0.0

global (outside) 1 192.168.100.1-192.168.100.200

global (outside) 1 interface

global (outside) 1 192.168.100.210

object network   obj-192.168.100.100_192.168.100.200
    range 192.168.100.100 192.168.100.200
object network obj-10.0.0.0
    subnet 10.0.0.0 255.0.0.0
object network second-pat
    host 192.168.100.210
object-group network dynamic-nat-pat
    network-object object obj-192.168.100.100_192.168.100.200
    network-object object second-pat

nat (inside,outside) dynamic dynamic-nat-pat interface

Static NAT for a Range of Ports

Not Possible - Need to write multiple Statements or perform a Static one-to-one NAT

(in) (out)

10.1.1.1-------ASA-----

--xlate-------> 10.2.2.2

Original Ports: 10000 - 10010

Translated ports: 20000 - 20010

object service ports

service tcp source range 10000 10010

object service ports-xlate

service tcp source range 20000 20010

object network server

host 10.1.1.1

object network server-xlate

host 10.2.2.2

nat (inside,outside) source static server server-xlate service ports ports-xlate

76551 Views

This you need to take care. So that there will not be any issues.

Please do rate for the helpful posts.

By

Karthik