02-12-2018 12:26 AM - edited 02-21-2020 07:20 AM
Hello, I have to upgrade a Cisco ASA from 8.2(4) to 9.1.7.20 or later due to this security bug: CVE-2018-0101.
I found out that there is a difference between the NAT configuration in the old and new versions.
Q: Are there any additional changes between these versions?
Thank you very much
02-12-2018 02:12 AM - edited 02-12-2018 02:14 AM
Yes, there are a couple of changes, with NAT being the biggest.
Your upgrade path is to first go from your version to 8.4(5); after that you can upgrade to the newest 9.1(7) interim version.
With a firewall that didn't get any maintenance for such a long time, I would prepare to reconfigure the NAT and access control from scratch. To make yourself comfortable with the new NAT, completely read Jouni's document on the NAT changes:
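As an added illustration of the NAT format change the answer refers to (this is an editor's example, not part of the original post or of Jouni's document), here are three common pre-8.3 NAT cases next to the equivalent 8.3-and-later object-based syntax. Interface names, object names and the addresses (taken from the RFC 5737 documentation ranges) are constructed for the example.

```cisco
! ---- Pre-8.3 (8.2.x) syntax ----
! Dynamic PAT for the inside LAN to the outside interface address
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Static one-to-one NAT for a web server
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! NAT exemption for traffic that belongs in the site-to-site IPsec tunnel
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Pre-8.3: inbound ACLs match the MAPPED (public) address
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! ---- 8.3 and later: the same policy in object NAT / twice NAT ----
object network inside-lan
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network web-srv
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
!
object network remote-lan
 subnet 10.2.2.0 255.255.255.0
! Identity twice NAT replaces "nat 0 access-list"; it is evaluated before the object NAT above
nat (inside,outside) source static inside-lan inside-lan destination static remote-lan remote-lan no-proxy-arp route-lookup
!
! 8.3+: inbound ACLs match the REAL (private) address, never the mapped one
access-list outside_in extended permit tcp any object web-srv eq 443
access-group outside_in in interface outside
```

The point to check after the upgrade is the last block: on 8.3+ an inbound ACL that still references the mapped address 203.0.113.10 never matches, so the permit is silently lost and the traffic hits the implicit deny. Compare `show running-config nat` and `show running-config access-list` on the upgraded box line by line against the intended policy before trusting the migrated configuration, which is what the advice to redo NAT and access control from scratch amounts to in practice.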
02-12-2018 10:40 AM
Hello there. I'm in the same boat. I have two Cisco ASA 5510s connected via a persistent IPsec tunnel (east coast, west coast). A while ago, we wanted to upgrade the ASA version, but given the crazy process to do so (Yeaaaaaaaah, just quickly read through this and you're all set! HA. Ha. ha. https://supportforums.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050). Needless to say, if you're not a Cisco or command-line guru, it is anything but daunting.
One ASA is version 8.2(5) and the other is 8.2(2). Can't we just disable something or turn something off, rather than purchase physical RAM (required to upgrade to ASA 9 if your router only has 256 MB), then upgrade our router twice (since it needs incremental upgrades), and THEN apply the Cisco patch?
With all the reading I've done, I am surprised not to find something that shows how to run some commands to either confirm or deny vulnerability, and, if one doesn't want to completely revamp their routers, to JUST turn off the vulnerable part(s). Perhaps I am not seeing the bigger picture here; if so, please let me know (kindly).
We only have the persistent IKE IPsec tunnel to the other ASA, and end users also connect with the Cisco VPN Client and/or Shrew Soft VPN with .PCF config files. There is also an IKE IPsec tunnel to an Amazon AWS instance.
I am basically coming here to see if anyone else, not a very big expert in Cisco, has found something about this CVE-2018-0101 vulnerability that actually helps them out, instead of ending up at a page like this: https://supportforums.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050.
Thanks!