Jaro
Beginner

Upgrade Cisco ASA from 8.2(4) to 9.1.7.20 or later

Hello, I have to upgrade a Cisco ASA from 8.2(4) to 9.1.7.20 or later due to this security bug: CVE-2018-0101.

 

I found out there is a difference between the NAT configuration in the old and the new version.

Q: Are there some additional changes between these versions?

 

Thank you very much

ACCEPTED SOLUTION
Karsten Iwen
VIP Mentor

Yes, there are a couple of changes, with NAT being the biggest.

Your upgrade path is to first go from your version to 8.4(5); after that you can upgrade to the newest 9.1(7) interim version.

With a firewall that didn't get any maintenance for such a long time, I would prepare to reconfigure the NAT and access control from scratch. To make yourself comfortable with the new NAT, read Jouni's document on the NAT changes in full:

https://supportforums.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050

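To make the "NAT is the biggest change" point concrete, here is an added example (not from the thread or from Jouni's document) of the same hypothetical policy written once in the 8.2(4) format and once in the 8.3+ format the 8.4(5) and 9.1(7) releases expect: a web server published on a public address, PAT for the LAN, and NAT exemption for the site-to-site VPN. All addresses, object names, ACL names and interface names are assumptions for illustration.

```cisco
! Added example: hypothetical addresses, object and ACL names.
! --- Before the upgrade, 8.2(4): NAT is keyed by interface and ACLs match the MAPPED address ---
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside

! --- After the upgrade, 8.4(5) / 9.1(7): NAT hangs off objects and ACLs match the REAL address ---
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-NET
 subnet 10.20.0.0 255.255.0.0
object network WEB-SERVER
 host 192.168.1.10
! Section 1 (manual NAT) is evaluated first: identity NAT keeps VPN traffic untranslated
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static REMOTE-NET REMOTE-NET
! Section 2 (object NAT): static entries are matched before dynamic ones
object network WEB-SERVER
 nat (inside,outside) static 203.0.113.10
object network INSIDE-NET
 nat (inside,outside) dynamic interface
! The ACL now names the real host; a line with "host 203.0.113.10" would never match here
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 443
access-group OUTSIDE_IN in interface outside

! --- Verify after the migration: the trace enters with the public address and must hit the ACL ---
show nat detail
show access-list OUTSIDE_IN
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 443
```

The practical caveat is in the last part of the 8.3+ block: because the ASA un-NATs the destination before the interface ACL is evaluated, any rule still written against the mapped address after the upgrade silently never matches. For a permit that fails closed and shows up as an outage; for a deny it fails open, so check every migrated rule against `show access-list` hit counts and a `packet-tracer` run rather than trusting the automatic conversion.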

2 REPLIES

Hello there. I'm in the same boat. I have two Cisco ASA 5510s connected via a persistent IPsec tunnel (east coast, west coast). A while ago we wanted to upgrade the ASA version, but given the crazy process to do so (Yeaaaaaaaah, just quickly read through this and you're all set! HA. Ha. ha. https://supportforums.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050). Needless to say, if you're not a Cisco or command-line guru, it is anything but daunting.

 

One ASA is version 8.2(5) and the other is 8.2(2). Can't we just disable something or turn something off, rather than purchase physical RAM (required to upgrade to ASA 9 if your router only has 256 MB), then upgrade our router twice (since it needs incremental upgrades), and THEN apply the Cisco patch?

 

With all the reading I've done, I am surprised to not find something that shows how to run some commands to either confirm or deny vulnerability, and if one doesn't want to completely revamp their routers, to JUST turn off the vulnerable part(s). Perhaps I am not seeing the bigger picture here; if so, please let me know (kindly).

 

We only have the persistent IKE IPsec tunnel to the other ASA, and end users also connect with the Cisco VPN Client and/or Shrew Soft VPN with .PCF config files. There is also an IKE IPsec tunnel to an Amazon AWS instance.

 

I am basically coming here to see if anyone else, not a very big expert in Cisco, has found something about this CVE-2018-0101 vulnerability that actually helps them out, instead of ending up at a page like this: https://supportforums.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050.

 

Thanks!
