04-04-2014 09:43 AM - edited 03-11-2019 09:02 PM
Hi Everyone,
I need to upgrade an ASA from 8.2(5)46 to asa847-k8.bin.
This ASA is used for remote access VPN.
I need to know what steps I should take for this upgrade.
Except for NATting, is there anything else that will change in the running config of the device?
Current NAT i have is
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
Also, ASDM needs to be upgraded to asdm-715-100.bin, right?
Regards
Mahesh
I need to confirm: is it safe to upgrade directly to asa847-k8.bin?
Is asa847-k8.bin a stable version without any bugs?
04-05-2014 07:45 AM
There is a memory upgrade requirement also when upgrading to 8.3 and higher and depending on which model ASA you have the memory requirement differs. Please refer to the following link for the requirements:
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/product_bulletin_c25-586414.html
Yes it is possible to upgrade directly to 8.4. As for known bugs/caveats please refer to the 8.4 release notes:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html#pgfId-404945
Other than the NAT there is a change to the way access lists work. Instead of defining the NATed IP, now you need to define the real IP in the ACL. So if you have NATed a server (10.10.10.10) to the ASA interface (1.1.1.1) then in the ACL that allows http traffic in on the outside interface you would define the 10.10.10.10 address and not the 1.1.1.1 address.
Yes, you will also need to upgrade the ASDM.
The following document describes some migration tasks that you may need to take into consideration. It is worth having a read through it:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html
--
Please remember to rate and select a correct answer
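As an added illustration of the ACL change described in the reply above (this is not code from the thread or from Cisco): a small checker that takes a static NAT mapping and flags any ACE on the outside ACL that still names the mapped address, suggesting the real-address form that 8.3+ expects. The NAT entry and ACL lines are constructed samples using the 10.10.10.10 / 1.1.1.1 numbers from the reply.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNat:
    real_ip: str     # address the host actually has (what 8.3+ ACLs must use)
    mapped_ip: str   # address it is translated to on the outside interface


# Constructed sample, matching the numbers in the reply above.
SAMPLE_NAT = [StaticNat(real_ip="10.10.10.10", mapped_ip="1.1.1.1")]
SAMPLE_ACL = """
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq www
access-list outside_access_in extended permit tcp any host 10.10.10.10 eq ssh
access-list outside_access_in extended deny ip any any
""".strip().splitlines()


def find_mapped_ip_aces(acl_lines, statics):
    """Return (original_ace, corrected_ace) pairs for every ACE that still
    names a mapped address. From 8.3 the interface ACL is evaluated against
    the real (untranslated) address, so such an ACE no longer matches the
    inbound traffic it was written for."""
    findings = []
    for line in acl_lines:
        for s in statics:
            pattern = rf"\bhost {re.escape(s.mapped_ip)}\b"
            if re.search(pattern, line):
                corrected = re.sub(pattern, f"host {s.real_ip}", line)
                findings.append((line, corrected))
    return findings


if __name__ == "__main__":
    for old, new in find_mapped_ip_aces(SAMPLE_ACL, SAMPLE_NAT):
        print(f"rewrite: {old}\n     as: {new}")
```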
04-05-2014 09:31 AM
I will go through the above links and if I have any questions I will ask you.
For current NAT
Current NAT i have is
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
What would the new NAT be in 8.4?
If you can help me with this it will be much appreciated.
Regards
Mahesh
04-05-2014 10:25 AM
"nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0"
This NAT will look like the following:
object network ALL_NETWORKS
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
Is there any reason you have these NATting to themselves? In any case, these will look like the following:
object network LAN1
subnet 10.0.0.0 255.0.0.0
nat (inside,outside) source static LAN1 LAN1 destination static LAN1 LAN1
object network LAN2
subnet 172.16.0.0 255.255.255.0
nat (inside,outside) source static LAN2 LAN2 destination static LAN2 LAN2
This link shows a good comparison between pre 8.3 and post 8.3 NAT configurations.
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
--
Please remember to rate and select a correct answer
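An added example, not code from the thread or from Cisco's migration tool: a small converter that takes the pre-8.3 `global`/`nat`/`static` lines quoted above and emits the 8.3+ object NAT form that the automatic upgrade generates (one `object network` per rule, as in the post-upgrade config Mahesh pasted later in the thread). The `nat 0 access-list` exemption is reported rather than converted, since building its twice NAT rule needs the referenced ACL; the input lines are a constructed copy of the ones in this thread.

```python
import re

# Constructed sample: the pre-8.3 NAT lines quoted in this thread.
LEGACY_NAT = """
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
""".strip().splitlines()


def convert_legacy_nat(lines):
    """Return (converted, skipped): 8.3+ object NAT lines for each pre-8.3
    rule, plus the NAT-exemption lines that need a hand-written twice NAT rule.
    Only 'global ... interface' pools are handled (the case in this thread)."""
    pools = {}                      # nat-id -> mapped interface from 'global'
    converted, skipped = [], []
    for line in lines:
        g = re.match(r"global \((\S+)\) (\d+) interface$", line)
        if g:
            pools[g.group(2)] = g.group(1)
    for line in lines:
        n = re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)$", line)
        s = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$", line)
        if n and n.group(3) == "access-list":
            skipped.append(line)    # nat 0: exemption, needs twice NAT + the ACL
        elif n:
            inside, nat_id, net, mask = n.groups()
            name = "obj_any" if net == "0.0.0.0" else f"obj-{net}"
            converted += [f"object network {name}",
                          f" subnet {net} {mask}",
                          f" nat ({inside},{pools[nat_id]}) dynamic interface"]
        elif s:
            # pre-8.3 order is: static (real_ifc,mapped_ifc) MAPPED REAL netmask M
            inside, outside, mapped, real, mask = s.groups()
            converted += [f"object network obj-{real}",
                          f" subnet {real} {mask}",
                          f" nat ({inside},{outside}) static {mapped}"]
    return converted, skipped


if __name__ == "__main__":
    new_cfg, todo = convert_legacy_nat(LEGACY_NAT)
    print("\n".join(new_cfg))
    print("# still to migrate by hand:", *todo, sep="\n# ")
```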
04-13-2014 08:20 AM
Hi Marius,
I did the upgrade today; here is the default config that came after the upgrade to 8.4:
object network obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0
object network obj-172.16.0.0
subnet 172.16.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group network VPN_Access
description VPN Access Subnets
network-object 172.31.98.0 255.255.255.0
network-object 172.31.92.0 255.255.252.0
access-list inside_access_in extended permit ip any object-group VPN_Access
access-list inside_access_in extended deny ip any any
access-list outside_access_in extended deny ip any any
access-list inside_nat0_outbound extended permit ip any object-group VPN_Access
access-list vpn_filter1 extended permit ip 172.31.98.0 255.255.255.0 172.16.7.0 255.255.255.0
access-list vpn_filter1 extended permit ip 172.31.98.0 255.255.255.0 172.16.3.0 255.255.255.0
nat (inside,outside) source static any any destination static VPN_Access VPN_Access no-proxy-arp route-lookup
object network obj-10.0.0.0
nat (inside,outside) static 10.0.0.0
object network obj-172.16.0.0
nat (inside,outside) static 172.16.0.0
object network obj_any
nat (inside,outside) dynamic interface
I need to know: if I had not made any changes to this, would the VPN have worked OK?
Then I applied the config below as you said:
sh run nat
nat (inside,outside) source static any any destination static VPN_Access VPN_Access no-proxy-arp route-lookup
nat (inside,outside) source static LAN1 LAN1 destination static LAN1 LAN1
nat (inside,outside) source static LAN2 LAN2 destination static LAN2 LAN2
!
object network ALL_NETWORKS
nat (inside,outside) dynamic interface
object network ALL_NETWORKS
subnet 0.0.0.0 0.0.0.0
object network LAN1
subnet 10.0.0.0 255.0.0.0
object network LAN2
subnet 172.16.0.0 255.255.255.0
object-group network VPN_Access
description VPN Access Subnets
network-object 172.31.98.0 255.255.255.0
network-object 172.31.92.0 255.255.252.0
access-list inside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any object-group VPN_Access
access-list outside_access_in extended deny ip any any
access-list vpn_filter1 extended permit ip 172.31.98.0 255.255.255.0 172.16.7.0 255.255.255.0
access-list vpn_filter1 extended permit ip 172.31.98.0 255.255.255.0 172.16.3.0 255.255.255.0
nat (inside,outside) source static any any destination static VPN_Access VPN_Access no-proxy-arp route-lookup
nat (inside,outside) source static LAN1 LAN1 destination static LAN1 LAN1
nat (inside,outside) source static LAN2 LAN2 destination static LAN2 LAN2
!
object network ALL_NETWORKS
nat (inside,outside) dynamic interface
Also, I need to confirm whether we are using ALL_NETWORKS anywhere in NAT or not.
If not, is it OK to delete ALL_NETWORKS?
Best regards
Mahesh
04-29-2014 02:54 AM
Hi Mahesh,
Sorry for late reply as I have been away for a few weeks.
Do you require further assistance with this issue?
--
Please remember to select a correct answer and rate
04-29-2014 11:41 AM
Hi Marius,
If you can answer my last question that will be much appreciated.
Regards
Mahesh
04-30-2014 12:24 AM
"Also need to confirm if we are using ALL_NETWORKS anywhere in NAT or not?"
From what you posted you have a NAT statement for ALL_NETWORKS. Whether this is in use depends on the location of the NAT statement in relation to the obj_any NAT statement.
object network ALL_NETWORKS
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
&
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
Are the same thing. You only need one of these. So yes, you can delete one of them. Be sure to do this in a service window as you will need to clear xlate and test to make sure everything is working correctly.
--
Please remember to select a correct answer and rate
04-30-2014 08:58 AM
Many thanks Marius
Regards
Mahesh