06-25-2013 06:18 AM - edited 03-11-2019 07:02 PM
Hi,
I have an ASA 5505 which is running vers 7.2 software and needs to be upgraded to vers 8.4(5).
Cisco recommends upgrading between major release versions (quoting from Cisco) 'to ensure that your configuration updates correctly', and suggests upgrading from vers 7.2 to 8.2 (directly) as per the URL below
http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html#wp315678
Therefore I'm guessing my upgrade path will be (if I care about maintaining the configuration) from vers 7.2 - 8.2, then from 8.2 - 8.3, and finally from 8.3 - 8.4.
However, if I don't care about the config on my ASA, can I just clear its config and then upgrade it in 1 step (i.e. from vers 7.2 to 8.4), then put my basic config back on the ASA which is now running vers 8.4 (obviously checking that each line of config is accepted by the ASA now running 8.4)?
Thanks
06-25-2013 06:31 AM
Hi Anthony,
I would suggest following this upgrade path.
7.2--> 8.2--> 8.4(5)
Prior to the upgrade, please ensure that the ASA supports the minimum hardware requirement. For the ASA 5505 we require 512 Mb RAM to upgrade to 8.2 and higher codes.
http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html#wp37821
I would suggest using the config migration tool built into IOS 8.3/8.4 for migration. Please refer to the following link for details.
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp41139
Once you upgrade from 8.2 to 8.4, the ASA will save a backup of the config in flash (file.sav) and will migrate the existing config to the new code. It will also add a log file in flash with the errors it encountered while migrating the config.
We can later check the same manually to verify the config-related errors.
Here are the release notes of IOS 8.4:
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp591970
Let me know if you require further info.
Regards,
Engineer-Customer Support(SECURITY)
Cisco Systems Inc.
E-Mail : jebose@cisco.com
06-25-2013 07:17 AM
Hi Jebose,
Thanks. I forgot to say I will be upgrading memory to 512 MB beforehand. The upgrade path you recommend, I assume, maintains configuration on the firewall.
On my ASA I have only basic configuration (there is no NAT configuration).
Therefore, can I remove the config on my ASA and upgrade directly from 7.2 to 8.4, and then put my basic config back on my ASA?
Regards,
Anthony
06-25-2013 07:41 AM
Hi Anthony,
It completely depends on how comfortable you are with the current IOS version. If there are no NATs in the config then you just have to migrate the access-lists only.
Regards,
Jesu Kumar Bose
Engineer-Customer Support(SECURITY)
Cisco Systems Inc.
E-Mail : jebose@cisco.com
06-25-2013 09:05 AM
Hi Jebose,
My ASA is only being used to create/terminate an IPsec VPN tunnel, so I have only 1 line of ACL configuration being used, as in the example shown below:
object-group A
network-object exampleA1 10.0.0.1
network-object exampleA2 10.0.0.2
object-group B
network-object exampleB1 11.0.0.1
network-object exampleB2 11.0.0.2
access-list 100 extended permit ip object-group A object-group B
crypto map outside-map 20 match address 100
crypto map outside-map interface outside
(Rest of crypto map/isakmp statements omitted)
What differences are you referring to when you say I have to migrate the ACL when I upgrade from vers 7.2 to 8.4, and how does this relate to ACL 100 in the example above?
P.S. I have another firewall which I have configured to terminate an IPsec VPN tunnel as above, and it is running version 8.6 software and seems to accept the ACL in the format above when attached to a crypto map. The only slight deviation in the crypto statements is that I have to specify ikev version in the transform set, and specify 'crypto ikev1 policy' (in vers 8.6 and I believe 8.4) instead of 'crypto isakmp policy' (in vers 7.2).