Moving ASA config from 5510 to 5512

dustin.kinn
Level 1

I moved a configuration from an ASA 5510 to a 5512, and in the process, went from version 8.4 to 9.0 of the IOS software. When we hook the firewall up, I can get to it from SSH, or from the outside, but a number of the NATs don't appear to be up, VPN connections via the client don't work, and there is a L2L VPN tunnel that isn't working either.

The only differences between the configs are the RSA key, which I had to regenerate for the new firewall, and I had to manually install the cert.  I can't imagine where either of those would affect IP NATs though.

Curiously, all of the NATs that aren't working appear to be on a separate external subnet than the ones that are working, but those networks aren't defined in either config.
Suggestions?

4 Replies

Marvin Rhoads
Hall of Fame

Have a look on disk0:. There should be a startup errors file that lists the issues the parser had when it converted the file.

I'll check that tomorrow. It didn't convert the file though; I pasted it from one ASA to the other, then went through line by line to make sure it was the same.

The only differences were that the cert didn't carry over, so I had to re-input that (which again I did by cut and paste, which might be wrong; I'm a total noob when it comes to certs), and there are a few new lines of code, mostly the xlate stuff from version 9. If I read correctly, the settings it generates preserve the functionality.

There is also a line:

crypto ca trustpool policy

which is not in the old config, but it won't let me remove it from the new one.
Again, I can't imagine that Certs would screw up my NAT settings though.

If your NAT statements were based on ACLs, that could impact the setup as some ACL syntax was changed as of 9.x.

I've done a number of upgrades to 9.x though and have not encountered any issues with NAT when moving from post-8.2 platforms. (Of course 8.2 and earlier are a whole other issue.)

I went from 8.6 to 9.0 on the new ASA, but stupidly didn't even think twice about dropping an 8.4(2) config on the new 9.0(3) firewall. I verified my upgrade path but didn't even think about where the config was coming from.

Could that be causing my issue? Could I downgrade the 9.0 5512 to 8.4(2), drop the config on, and then upgrade to 9.0(3) again?