Upgrade from 7.2 to 8.4

When upgrading from 7.2 to 8.4, does the Cisco ASA rewrite its own commands? NAT, for example, is different from 8.3/8.4 onwards, right?

Thanks

4 Replies

RonaldNutter (Level 1)

NAT is the big thing that changed. I would be a little concerned about going from 7.2 to 8.4 in one move.

I would suggest going to 8.2.5 first and making sure that everything goes well. Then maybe going to 8.4.

So far, I haven't seen much in 8.4 that would make me want to go to that version. Another thing to look at is that you will need to do a memory upgrade on your ASA, which probably won't be cheap.

Unless there is a feature that exists only in 8.4, I would go to 8.2.5 and stay there for the time being.

nkarthikeyan (Level 7)

Hi Poiu,

You have to upgrade to 8.3 and then to the 8.4 version. Starting from version 8.3 there are lots of changes in the syntax, especially in NAT and a few other things. I have pasted the command changes specific to NAT/PAT that were posted in our forum by an SME. Before going to 8.4, please go through the documentation for 8.4 and understand it. Do read the release notes of 8.4 and then go for the upgrade.

When you upgrade, the configuration should be converted automatically.

Static NAT/PAT

Regular Static NAT

Pre-8.3 NAT:
static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255

8.3 NAT:
object network obj-10.1.1.6
    host 10.1.1.6
    nat (inside,outside) static 192.168.100.100

Regular Static PAT

Pre-8.3 NAT:
static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255

8.3 NAT:
object network obj-10.1.1.16
    host 10.1.1.16
    nat (inside,outside) static 192.168.100.100 service tcp 8080 www

Static Policy NAT

Pre-8.3 NAT:
access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
static (inside,outside) 192.168.100.100 access-list NET1

8.3 NAT:
object network obj-10.1.2.27
    host 10.1.2.27
object network obj-192.168.100.100
    host 192.168.100.100
object network obj-10.76.5.0
    subnet 10.76.5.0 255.255.255.224
nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100
                     destination static obj-10.76.5.0 obj-10.76.5.0

Dynamic NAT/PAT

Regular Dynamic PAT

Pre-8.3 NAT:
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.100.100

8.3 NAT:
object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.1.0
    subnet 10.1.1.0 255.255.255.0
    nat (dmz,outside) dynamic 192.168.100.100

Regular Dynamic PAT-2 (one nat, globals on two interfaces)

Pre-8.3 NAT:
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 192.168.100.100
global (dmz) 1 192.168.1.1

8.3 NAT:
object network obj-10.1.2.0
    subnet 10.1.2.0 255.255.255.0
    nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.2.0-01
    subnet 10.1.2.0 255.255.255.0
    nat (inside,dmz) dynamic 192.168.1.1

Regular Dynamic PAT-3 (interface PAT)

Pre-8.3 NAT:
nat (inside) 1 0 0
global (outside) 1 interface

8.3 NAT:
object network obj_any
    subnet 0.0.0.0 0.0.0.0
    nat (inside,outside) dynamic interface

Dynamic Policy NAT

Pre-8.3 NAT (the object-groups are reused by the 8.3 version):
object-group network og-net-src
    network-object 192.168.1.0 255.255.255.0
    network-object 192.168.2.0 255.255.255.0
object-group network og-net-dst
    network-object 192.168.200.0 255.255.255.0
object-group service og-ser-src
    service-object tcp gt 2000
    service-object tcp eq 1500
access-list NET6 extended permit object-group og-ser-src
                     object-group og-net-src object-group og-net-dst
nat (inside) 10 access-list NET6
global (outside) 10 192.168.100.100

8.3 NAT:
object network obj-192.168.100.100
    host 192.168.100.100
object service obj-tcp-range-2001-65535
    service tcp destination range 2001 65535
object service obj-tcp-eq-1500
    service tcp destination eq 1500
nat (inside,outside) source dynamic og-net-src
                obj-192.168.100.100 destination
                static og-net-dst og-net-dst
                service obj-tcp-range-2001-65535
                obj-tcp-range-2001-65535
nat (inside,outside) source dynamic og-net-src
                obj-192.168.100.100 destination
                static og-net-dst og-net-dst
                service obj-tcp-eq-1500 obj-tcp-eq-1500

Policy Dynamic NAT (with multiple ACEs)

Pre-8.3 NAT:
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
                                  192.168.1.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
                                  192.168.2.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
                                  192.168.3.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
                                  192.168.4.0 255.255.255.0
nat (inside) 1 access-list ACL_NAT
global (outside) 1 192.168.100.100

8.3 NAT (one twice-NAT line per ACE):
object network obj-172.29.0.0
    subnet 172.29.0.0 255.255.0.0
object network obj-192.168.100.100
    host 192.168.100.100
object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
object network obj-192.168.4.0
    subnet 192.168.4.0 255.255.255.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
                destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
                destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
                destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
                destination static obj-192.168.4.0 obj-192.168.4.0

Outside NAT

Pre-8.3 NAT:
global (inside) 1 10.1.2.30-10.1.2.40
nat (dmz) 1 10.1.1.0 255.255.255.0 outside
static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255

8.3 NAT (the range object must exist before the nat line that references it):
object network obj-10.1.2.30-10.1.2.40
    range 10.1.2.30 10.1.2.40
object network obj-10.1.2.27
    host 10.1.2.27
    nat (inside,dmz) static 10.1.1.5
object network obj-10.1.1.0
    subnet 10.1.1.0 255.255.255.0
    nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40

NAT & Interface PAT together

Pre-8.3 NAT:
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 192.168.100.100-192.168.100.200

8.3 NAT (the pool is used first, the interface address once the pool is exhausted):
object network obj-192.168.100.100_192.168.100.200
    range 192.168.100.100 192.168.100.200
object network obj-10.1.2.0
    subnet 10.1.2.0 255.255.255.0
    nat (inside,outside) dynamic
               obj-192.168.100.100_192.168.100.200 interface

NAT & Interface PAT with additional PAT together

Pre-8.3 NAT:
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 192.168.100.100-192.168.100.200
global (outside) 1 interface
global (outside) 1 192.168.100.210

8.3 NAT (all mapped addresses go into one object-group):
object network obj-192.168.100.100_192.168.100.200
    range 192.168.100.100 192.168.100.200
object network obj-10.0.0.0
    subnet 10.0.0.0 255.0.0.0
object network second-pat
    host 192.168.100.210
object-group network dynamic-nat-pat
    network-object object obj-192.168.100.100_192.168.100.200
    network-object object second-pat
object network obj-10.0.0.0
    nat (inside,outside) dynamic dynamic-nat-pat interface

Static NAT for a Range of Ports

Pre-8.3 NAT:
Not possible; you need to write multiple static statements or perform a static one-to-one NAT.

8.3 NAT:

              (in)    (out)
10.1.1.1-------ASA-----  --xlate-------> 10.2.2.2

Original ports:   10000 - 10010
Translated ports: 20000 - 20010

object service ports
    service tcp source range 10000 10010
object service ports-xlate
    service tcp source range 20000 20010
object network server
    host 10.1.1.1
object network server-xlate
    host 10.2.2.2

nat (inside,outside) source static server server-xlate service ports ports-xlate


Please do rate the helpful posts.

Karthik
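As an added example that is not part of the thread and not Cisco's own conversion code: a small Python converter for the regular static NAT, static PAT and dynamic NAT/PAT rows of the table above, so you can compare what the upgrade's automatic migration produced against what you expected. It assumes the pre-8.3 lines are pasted in as text and follows the table's obj-<address> naming, adding -01, -02 suffixes when one real network needs a second object (8.3 allows only one nat line per network object). Policy NAT with an access-list, outside NAT, nat 0 and the multi-pool object-group case are deliberately echoed back as UNCONVERTED rather than guessed at. The sample input is constructed here from the table's pre-8.3 column.

```python
import re
from collections import OrderedDict

# Regular static/dynamic forms from the table above.  Anything else (policy NAT
# with an access-list, outside NAT, "nat 0") is echoed back as "! UNCONVERTED:".
STATIC_NAT_RE = re.compile(
    r"^static \((?P<rif>[^,]+),(?P<mif>[^)]+)\) (?P<mapped>[\d.]+) (?P<real>[\d.]+)"
    r" netmask (?P<mask>[\d.]+)$")
STATIC_PAT_RE = re.compile(
    r"^static \((?P<rif>[^,]+),(?P<mif>[^)]+)\) (?P<proto>tcp|udp) (?P<mapped>[\d.]+)"
    r" (?P<mport>\S+) (?P<real>[\d.]+) (?P<rport>\S+) netmask (?P<mask>[\d.]+)$")
NAT_RE = re.compile(r"^nat \((?P<iface>[^)]+)\) (?P<nid>\d+) (?P<net>[\d.]+) (?P<mask>[\d.]+)$")
GLOBAL_RE = re.compile(r"^global \((?P<iface>[^)]+)\) (?P<gid>\d+) (?P<pool>\S+)$")

# Constructed sample input (pre-8.3 column of the table; the plain static is
# moved to .101 so it does not collide with the static PAT on .100).
SAMPLE_PRE83 = """
static (inside,outside)   192.168.100.101 10.1.1.6 netmask 255.255.255.255
static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 192.168.100.100
global (dmz) 1 192.168.1.1
nat (dmz) 2 0 0
global (outside) 2 interface
static (inside,outside) 192.168.100.100 access-list NET1
""".strip().splitlines()

def _addr(net, mask):
    """Pre-8.3 'net mask' -> 8.3 'host x' or 'subnet x m' ('0 0' means any)."""
    net, mask = ("0.0.0.0" if net == "0" else net), ("0.0.0.0" if mask == "0" else mask)
    return "host " + net if mask == "255.255.255.255" else "subnet %s %s" % (net, mask)

def _namer():
    # 8.3 allows one nat line per network object, so a real network used by
    # several rules gets obj-x, obj-x-01, obj-x-02 ... (the table's convention).
    used = set()
    def new(base):
        name, i = base, 0
        while name in used:
            i += 1
            name = "%s-%02d" % (base, i)
        used.add(name)
        return name
    return new

def convert(pre83_lines):
    """Translate pre-8.3 nat/global/static lines into 8.3 object NAT lines."""
    new, out, nats, globs = _namer(), [], [], OrderedDict()
    for raw in pre83_lines:
        line = " ".join(raw.split())            # collapse the table's padding spaces
        if not line or line.startswith("!"):
            continue
        m = STATIC_PAT_RE.match(line)
        if m:                                   # 8.3 order: real port, then mapped port
            obj = new("obj-" + m["real"])
            out += ["object network " + obj, "    host " + m["real"],
                    "    nat (%s,%s) static %s service %s %s %s" % (
                        m["rif"], m["mif"], m["mapped"], m["proto"], m["rport"], m["mport"])]
            continue
        m = STATIC_NAT_RE.match(line)
        if m:
            obj = new("obj-" + m["real"])
            out += ["object network " + obj, "    " + _addr(m["real"], m["mask"]),
                    "    nat (%s,%s) static %s" % (m["rif"], m["mif"], m["mapped"])]
            continue
        m = NAT_RE.match(line)
        if m:
            nats.append(m.groupdict())
            continue
        m = GLOBAL_RE.match(line)
        if m:                                   # same id on same interface -> one pool set
            globs.setdefault((m["gid"], m["iface"]), []).append(m["pool"])
            continue
        out.append("! UNCONVERTED: " + line)
    for n in nats:      # pair each nat id with every global of that id on another interface
        targets = [(gif, p) for (gid, gif), p in globs.items()
                   if gid == n["nid"] and gif != n["iface"]]
        if n["nid"] == "0" or not targets:
            out.append("! UNCONVERTED (nat 0 or no matching global): nat (%s) %s %s %s"
                       % (n["iface"], n["nid"], n["net"], n["mask"]))
            continue
        for gif, pools in targets:
            addrs = [p for p in pools if p != "interface"]
            if len(addrs) > 1:                  # needs an object-group (last table row): do by hand
                out.append("! UNCONVERTED (several pools): nat (%s) %s -> %s" % (n["iface"], n["nid"], pools))
                continue
            mapped = addrs[0] if addrs else ""
            if "-" in mapped:                   # a range pool becomes a range object in 8.3
                lo, hi = mapped.split("-", 1)
                mapped = new("obj-%s_%s" % (lo, hi))
                out += ["object network " + mapped, "    range %s %s" % (lo, hi)]
            if "interface" in pools:            # interface PAT as fallback after the pool
                mapped = (mapped + " interface").strip()
            obj = new("obj_any" if n["net"] == "0" else "obj-" + n["net"])
            out += ["object network " + obj, "    " + _addr(n["net"], n["mask"]),
                    "    nat (%s,%s) dynamic %s" % (n["iface"], gif, mapped)]
    return out
```

Run convert() over the nat/global/static lines of the 7.2 or 8.2 config and diff the result against show running-config nat and show running-config object on the upgraded box; every UNCONVERTED line is a rule to check by hand against the 8.4 NAT documentation rather than something to trust the migration with blindly.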

Thanks for your answer,

I'd like to upgrade to 8.2.5 and, even though there are already some discussions about upgrading an ASA failover pair from 7.2 to 8.2, I'm still not sure whether I have to:

first reboot the primary, then the secondary

or

first reboot the secondary, then the primary

The Cisco document on how to perform Zero Downtime Upgrades for Failover Pairs chooses the second one; however, because in my case I'm upgrading from 7.2 to 8.2, a Zero Downtime Upgrade won't work, or at least it is not supported.

Any advice or Cisco documents specific to upgrading failover pairs without Zero Downtime?

My idea:

1. update IOS and ASDM on both devices

2. active# no failover active

3. reboot the active unit

4. (after reboot) active# failover active

5. reboot the standby unit

Poiu

Thanks

Hi Poiu,

Yes. The first thing you have to do is make the standby firewall take charge as the active one. Reload the primary firewall and, once it comes back and reports that it is okay and waiting as the standby, you can force the other firewall (the one that is active) to go to standby so that the actual primary becomes active, then reload the secondary. That way there won't be much outage or interruption; even though there is an interruption, it will not be very visible to the end users.

Please do rate if the given information helps.

Karthik
