Updating ASA 8.2 to 8.4(5)

Maurice Ball, Level 3

Could someone please give me a clear explanation of what the feature option "Proxy ARP on egress interface" is used for on the ASA? I'm about to upgrade an ASA from IOS 8.2(1) to 8.4(5) and I am trying to determine if it should be enabled or disabled.

6 Replies

Jouni Forss, VIP Alumni

Hi,

Can you provide a link to the thing you are referring to?

Generally Proxy ARP should be enabled on the "outside" interface of the ASA at least, and I think it's enabled by default on all interfaces of the ASA unless you use the "sysopt noproxyarp" configurations.

Also, when you configure Static NAT on the ASA, Proxy ARP should be enabled by default for those NAT configurations unless you specify otherwise.

The ASA needs to be able to answer an ARP request for its configured NAT IP addresses, so in general when configuring Static NAT towards the "outside", Proxy ARP should be enabled.

- Jouni

I'm not referencing a link. I need to upgrade my ASA. The ASA is set up with two contexts, an inside and an outside context. I have 12 interfaces on the inside context going to different VLANs. I have done some testing. I upgraded the ASA from 8.2 to 8.3 and then to 8.4.5. I noticed on 8.4.5 that on all of my Static NAT rules the proxy-arp feature was disabled by default. I was trying to determine whether it should be disabled or enabled.

Hi,

There have been changes since the start of the 8.4 software regarding the Proxy ARP settings in the NAT configurations:

8.4(2)

Identity NAT configurable proxy ARP and route lookup

In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always used to determine the egress interface. You could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.

For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command) to 8.4(2) and later now includes the following keywords to disable proxy ARP and to use a route lookup: no-proxy-arp and route-lookup. The unidirectional keyword that was used for migrating to 8.3(2) and 8.4(1) is no longer used for migration. When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords, to maintain existing functionality. The unidirectional keyword is removed.

We modified the following commands: nat static [no-proxy-arp] [route-lookup] (object network) and nat source static [no-proxy-arp] [route-lookup] (global).

Source:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/intro_intro.html#wp1326317

To my understanding the ASA configuration migrations are usually aiming to keep the functionality of the ASA the same even in the case where the default setting might have changed.

- Jouni
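As an added illustration of the two NAT cases discussed in the reply above (this is example configuration written for this page, not something posted in the thread or taken from Cisco's documentation), the block below puts a pre-8.3 static NAT and NAT exemption next to their 8.4(2)+ equivalents, followed by the checks to run after the upgrade. Interface names, object names and addresses (RFC 5737/1918 ranges) are hypothetical, and the assumption that the migrated exemption uses "any" as the egress interface is an assumption, not something the thread states.

```cisco
! --- Pre-8.3 (8.2) configuration: example addresses, hypothetical names ---
! Static NAT: publish inside host 10.1.1.10 as 203.0.113.10 on outside
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
! NAT exemption (identity NAT) for traffic towards a VPN peer subnet
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- Equivalent 8.4(2)+ configuration ---
object network inside-host
 host 10.1.1.10
 ! Regular static NAT: proxy ARP stays ENABLED (the default, no keyword).
 ! The ASA must answer ARP for 203.0.113.10 on outside; with no-proxy-arp
 ! here the upstream router would never deliver traffic to the mapped IP.
 nat (inside,outside) static 203.0.113.10

object network inside-net
 subnet 10.1.1.0 255.255.255.0
object network vpn-net
 subnet 192.168.2.0 255.255.255.0
! Identity NAT as the 8.4(2)+ migration of "nat 0 access-list" produces it
! (egress interface "any" is an assumption). no-proxy-arp keeps the ASA from
! answering ARP for real 10.1.1.0/24 addresses on other interfaces;
! route-lookup lets the routing table, not the NAT rule, pick the egress
! interface, which matches the pre-8.3 behaviour described above.
nat (inside,any) source static inside-net inside-net destination static vpn-net vpn-net no-proxy-arp route-lookup

! --- Checks after the upgrade ---
! Look for the no-proxy-arp / route-lookup keywords on each rule
show running-config nat
show nat detail
! A flow to the VPN subnet should hit the identity rule and stay untranslated
packet-tracer input inside tcp 10.1.1.10 40000 192.168.2.5 443
! A flow from outside to the mapped address should be translated to 10.1.1.10
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 443
```

The practical rule this illustrates: leave proxy ARP enabled on rules that publish an address the ASA must be reachable at (static NAT towards outside), and keep the migrated no-proxy-arp and route-lookup keywords on identity/exemption rules so the upgrade does not change which interface the ASA answers ARP on.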

thanks for your help

Only a doubt that I've put in another discussion. I think that here is a better place to discuss it.

I performed my first asa software upgrade. Customer firewall this time has many VPNs configured but few NATs (some exempt and one PAT).

I followed the path: 8.2.5(26) -> 8.3.(2) -> 8.4.5(6)

The result:

- from 8.2.5(26) -> 8.3(2) : NAT-exempt conversion results a lot of garbage (all combinations related to source to all possible destination segments - as Nat-exempt declares no destination segments) and the dangerous "unidirectional" command after each NAT-exempt line converted.

- from 8.3(2) -> 8.4.5(6) there was no change in configuration (not even removing "unidirectional" commands in NAT)

Results: I had to clean all NAT garbage and delete all "unidirectional" command.

Now I have to upgrade a firewall with a huge configuration, mixing PATs, Statics, NAT Exemption, Dynamic NAT.

What exact path from 8.2.5(26) to 8.4.5(6) should I follow to have a smooth upgrade and conversion?

Should I use the 8.3(1) path instead of 8.3(2), use both, or use 8.4(2) after some 8.3.x before the final version?

I tried to emulate an ASA 8.4 and put in all the config from 8.2. All NAT lines were not converted and disappeared. So I think I have to follow some intermediate path, as mentioned before.

Hi,

To be honest, the way I do upgrades for our customers won't help you much.

I never use the ASA to convert the configuration for myself. I always go through the 8.2 format NAT configuration and manually rewrite the rules I need to keep the same NAT operation in place. Therefore I can't really suggest any certain path to take while upgrading.

To my understanding there were some problems with NAT0 configuration migration, especially when moving to 8.3(x) software. Also it doesn't help that there have been changes and additions to the NAT configuration/operation all throughout the 8.4 software. Also in some cases it doesn't seem that the NAT is even still operating as the documentation describes, for example with regards to the route lookup enable/disable feature.

If you want to read some about the new 8.3+ NAT configuration format, then I would recommend the document I recently wrote:

https://supportforums.cisco.com/docs/DOC-31116

There is also a good document that compares the configuration formats of NAT between 8.2 and 8.3:

https://supportforums.cisco.com/docs/DOC-9129

Naturally, if you want someone to take a look at NAT configurations you might find help on these forums too. I am not sure how huge a NAT configuration you are talking about above?

- Jouni
