09-21-2011 06:25 AM - edited 03-11-2019 02:28 PM
Hi all,
First post so be gentle!!!
I am currently implementing a new patching schedule (when I say new I mean a company first!!!) and I have identified that the firewalls are all running 8.2(2). I would like to bring these up to the latest version but am a little worried about impact!!! I have set up a test firewall with the config from our live ASAs and run the upgrade but have received multiple lines like the following:
.....................................................................................................WARNING:
MIGRATION: NAT Exempt command is encountered in config.
Static NATs which overlap with NAT Exempt source are not migrated.
Please check migrated ACLs for accuracy.
*** Output from config line 4167, "access-group outside_acc..."
....and......
NAT migration logs:
The following 'nat' command didn't have a matching 'global' rule on interface 'dmzs' and was not migrated.
nat (newcompany) 1 0.0.0.0 0.0.0.0
Not being able to test the upgraded firewall in a live environment, I am worried that the upgrade has left out some critical stuff and won't work properly when migrated. Is there anything I can do to stop these errors (i.e. change the configs before upgrade) or are they informational and everything should work fine?? (unlikely I know)
Any Help most appreciated!
Tim
09-21-2011 06:39 AM
Hi Tim,
Can you post me the config from both the versions, that is, the config before the upgrade and after the upgrade? I'll compare them and let you know if you are missing anything.
Moreover you can refer to this doc for the ASA 8.3 or later upgrade:
https://supportforums.cisco.com/docs/DOC-12690
Thanks,
Varun
09-21-2011 06:48 AM
You can refer to the migration guide as well, it would be a great help:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
Thanks,
Varun
09-21-2011 07:01 AM
Thanks Varun,
I will get a copy of the configs, before and after, and send them over.
Looks like your first post has already answered some of my problems:
The following errors.....
NAT migration logs:
The following 'nat' command didn't have a matching 'global' rule on interface 'dmzs' and was not migrated.
nat (newcompany) 1 0.0.0.0 0.0.0.0
........are easily removed by issuing "no nat-control" prior to upgrade.
Tim
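An added example, not part of the thread and not Cisco tooling: a pre-upgrade check that scans a pre-8.3 config for the two conditions the migration warnings quoted above describe. It assumes the standard pre-8.3 `nat`/`global`/`static` syntax, the sample config is constructed, and the static check is only a coarse flag for manual review because it does not evaluate the exempt ACL.

```python
import re

# Constructed pre-8.3 sample config (not from the thread); names are made up.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
interface Ethernet0/1
 nameif inside
interface Ethernet0/2
 nameif dmzs
interface Ethernet0/3
 nameif newcompany
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
nat (newcompany) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \(([^,]+),([^)]+)\) ")
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")

def audit(config):
    """Return (unmatched, exempt_overlap) review lists for a pre-8.3 config."""
    lines = [l.rstrip() for l in config.splitlines()]
    ifaces = [m.group(1) for l in lines if (m := NAMEIF_RE.match(l))]
    globals_ = {(m.group(1), m.group(2)) for l in lines if (m := GLOBAL_RE.match(l))}
    nats = [(m.group(1), m.group(2), l) for l in lines if (m := NAT_RE.match(l))]
    # Interfaces carrying NAT exempt: "nat (ifc) 0 access-list NAME"
    exempt = {ifc for ifc, nid, l in nats if nid == "0" and "access-list" in l}
    unmatched = []
    for ifc, nid, line in nats:
        if nid == "0":
            continue
        for other in ifaces:
            if other != ifc and (other, nid) not in globals_:
                unmatched.append((line, other))
    # Statics whose real interface also has NAT exempt need manual comparison
    overlap = [l for l in lines if (m := STATIC_RE.match(l)) and m.group(1) in exempt]
    return unmatched, overlap

if __name__ == "__main__":
    unmatched, overlap = audit(SAMPLE_CONFIG)
    for line, ifc in unmatched:
        print(f"no 'global' with matching id on '{ifc}': {line}")
    for line in overlap:
        print(f"static on a NAT-exempt interface, check after migration: {line}")
```

Run it against the saved 8.2 config before the upgrade and compare every flagged line with the migrated 8.3+ config afterwards.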
09-21-2011 07:13 AM
Yup. Do let me know once you have the config, we can compare them and see if any changes need to be done.
-Varun
09-21-2011 07:16 AM
Varun,
I have the configs but, for obvious reasons do not want to post them on here, can I send them to you???
Tim
09-21-2011 07:20 AM
Yes sure, you can attach the files and send a private message to me.
Varun
11-06-2011 10:42 PM
Can I upgrade directly to 8.4(2) from 8.2(2)? Or do I have to go via 8.3?
11-06-2011 10:55 PM
Hi,
You can very well go from 8.2.2 to 8.4.2, that would not be a problem. Just make sure about the memory requirements and upgrade procedures as mentioned in the links above in the post.
Thanks,
Varun
01-12-2012 10:10 PM
Hi Team,
I am also facing a problem in 8.4.2. I upgraded both the primary and secondary ASA from TFTP from 8.3 to 8.4.2.
After this the primary is stable but the secondary ASA is continuously rebooting,
need help on this.
Regards
MR