ASA 5510 Update

4point_cisco
Level 1

I need a little help with whether an update is the best course or not.

I have an ASA 5510, ASDM v 7.1(1)52, ASA v 8.2(5). I am looking at putting our Exchange onto Azure and need to set up a VPN to it. I've read that in order to set up the VPN I need to be on ASA v 8.3. I've also heard that updating from 8.2 to 8.3 can be almost catastrophic, as in all of the ACLs need to be re-written to conform to the new standard (or something like that) that will come with the updated version.

 

Does anybody have any thoughts or suggestions on this?

 

I'm somewhat new to the Cisco firewall world so I'm not sure what to do.


7 Replies

John Blakley
VIP Alumni

I have no experience with Azure, so I'm not sure what the VPN is for. I'm assuming that you're doing this to MS? Anyway, you can configure VPNs on 8.2(5), so you may want to find out why they want a version >= 8.3. The 8.3 upgrade will tremendously increase your config. It reconfigures your NAT rules. Now, you have static NATs that look like:

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

After 8.3, you'll have an object for every address that you have on top of a nat rule:

object network obj_1.1.1.1
 host 1.1.1.1
object network obj_192.168.1.1
 host 192.168.1.1
 nat (inside,outside) static obj_1.1.1.1

 

The above is a quick example. The conversion utility will make many changes to your NAT static and dynamic rules. This is a major upgrade, and Cisco even recommended to me to have a 3-hour outage window for troubleshooting purposes. Another note: as you can see above, it's going to tremendously increase the number of lines that you have in your config. You may also be surprised to find out that (well, in my case at least) there was a lot of redundancy in the converted config. I swear I had 50 "obj_192.168.1.0" objects. They were configured like:

obj_192.168.1.0

obj_192.168.1.0_1

obj_192.168.1.0_2

etc.

For whatever reason, the converter didn't take the one object and apply it to several rules, but instead created an object for each rule.

The other side of this is that you're on an old version of IOS, so upgrading would be a good thing for that alone. You will want to make sure that your hardware can run the new version, as there are some requirements (like some models require 2 GB of RAM). I wouldn't let a vendor tell me I must be on a new version unless they can give me a good reason why. As far as I know, VPN didn't change between versions, so that wouldn't keep you from being able to get a tunnel up with them.

HTH,

John

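The pre-8.3 to 8.3 rewrite John describes, worked through as an added example (this is not code from the thread and not Cisco's migration utility): a small Python converter that turns the one-to-one `static` form and the `nat N` / `global N` dynamic form into 8.3 object NAT, defining one network object per address rather than a fresh object per rule. The `obj-<address>` naming scheme, the constructed sample input and the choice to return policy NAT, NAT exemption and port statics as `! MANUAL` notes (they need twice NAT, which this script does not generate) are this example's own assumptions. One caveat it builds in: object NAT allows only one `nat` statement per network object, so a real address that is translated differently on two interfaces still needs a second object, and that is the one case where the script emits a suffixed copy.

```python
"""Rewrite common pre-8.3 ASA NAT lines as 8.3 object NAT, defining one network
object per address instead of obj_x, obj_x_1, obj_x_2 ... per rule.  Added example
for this thread; it is not Cisco's migration code.  Handles one-to-one 'static' and
'nat N / global N' dynamic rules; policy NAT, exemption and port statics come back
as '! MANUAL' notes because they need twice NAT, which is not generated here."""
import ipaddress
import re

STATIC_RE = re.compile(r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
                       r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)")
NAT_ACL_RE = re.compile(r"^nat \([\w-]+\) \d+ access-list ")
NAT_RE = re.compile(r"^nat \((?P<real_if>[\w-]+)\) (?P<id>\d+) (?P<real>\S+) (?P<mask>\S+)")
GLOBAL_RE = re.compile(r"^global \((?P<mapped_if>[\w-]+)\) (?P<id>\d+) (?P<mapped>\S+)"
                       r"(?: netmask (?P<mask>\S+))?")
HOST_MASK = "255.255.255.255"


class Objects:
    """Network objects by name (obj-<address> is this script's own naming scheme).
    Object NAT allows one nat statement per object, so a second translation of the
    same real address gets a suffixed copy: the one legitimate reason for obj-x-2."""

    def __init__(self):
        self.defs = {}  # name -> [definition line, nat line or None]

    def get(self, addr, mask=HOST_MASK):
        """Return the object name for addr/mask, defining it on first use."""
        if "-" in addr:  # a global pool range such as 203.0.113.5-203.0.113.9
            lo, hi = addr.split("-", 1)
            name, body = f"obj-{lo}-{hi}", f" range {lo} {hi}"
        else:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if net.prefixlen == 32:
                name, body = f"obj-{net.network_address}", f" host {net.network_address}"
            else:
                name = f"obj-{net.network_address}-{net.prefixlen}"
                body = f" subnet {net.network_address} {net.netmask}"
        self.defs.setdefault(name, [body, None])
        return name

    def attach_nat(self, name, nat_line):
        """Give the real-address object its nat line, cloning it if it already has one."""
        body, existing = self.defs[name]
        if existing is None:
            self.defs[name][1] = nat_line
            return name
        n = 2
        while f"{name}-{n}" in self.defs:
            n += 1
        self.defs[f"{name}-{n}"] = [body, nat_line]
        return f"{name}-{n}"

    def render(self):
        # Definitions first, nat statements second: the ASA rejects a nat line that
        # names a mapped object which has not been defined yet.
        out = []
        for name, (body, _) in self.defs.items():
            out += [f"object network {name}", body]
        for name, (_, nat) in self.defs.items():
            if nat:
                out += [f"object network {name}", nat]
        return out


def _mapped(objs, token, mask):
    """'interface' stays a keyword; any address becomes a mapped object."""
    return "interface" if token == "interface" else objs.get(token, mask)


def convert(pre83_lines):
    """Return 8.3-style lines plus '! MANUAL' notes for the given pre-8.3 lines."""
    objs, nats, pools, notes = Objects(), [], {}, []
    for raw in pre83_lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if NAT_ACL_RE.match(line):
            notes.append(f"! MANUAL: {line}  (policy NAT or exemption: rewrite as twice NAT)")
        elif m := STATIC_RE.match(line):
            mapped = _mapped(objs, m["mapped"], m["mask"])
            real = objs.get(m["real"], m["mask"])
            objs.attach_nat(real, f" nat ({m['real_if']},{m['mapped_if']}) static {mapped}")
        elif m := NAT_RE.match(line):
            nats.append(m)
        elif m := GLOBAL_RE.match(line):
            pools.setdefault(m["id"], []).append(m)
        else:
            notes.append(f"! MANUAL: {line}")
    for n in nats:  # dynamic rules are paired with their global pool(s) by id
        if n["id"] == "0" or n["id"] not in pools:
            notes.append(f"! MANUAL: {n.group(0)}  (identity NAT or no matching global)")
            continue
        real = objs.get(n["real"], n["mask"])
        for g in pools[n["id"]]:
            mapped = _mapped(objs, g["mapped"], g["mask"] or HOST_MASK)
            objs.attach_nat(real, f" nat ({n['real_if']},{g['mapped_if']}) dynamic {mapped}")
    return objs.render() + notes


SAMPLE = [  # constructed sample input for the demonstration, not the poster's config
    "static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255",
    "static (inside,dmz) 172.16.0.10 192.168.1.10 netmask 255.255.255.255",
    "static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255",
    "nat (inside) 1 192.168.1.0 255.255.255.0",
    "global (outside) 1 interface",
    "nat (inside) 0 access-list nonat",
]

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE)))
```

Run it and the sample yields seven objects (the mapped address objects are defined once and reused), a single `obj-192.168.1.10-2` clone for the host that is translated on both outside and dmz, and one `! MANUAL` note for the `nat 0 access-list` exemption, which has to become a twice-NAT `source static ... destination static ...` rule by hand. Whatever tool produces the 8.3 config, compare `show run nat` on the upgraded box against the old `static`/`nat`/`global` lines one rule at a time before trusting it.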

Thanks for the reply. Lots for me to read over. This does sound consistent with what I've heard though. I'm contemplating getting an extra external device just for the vpn to Azure and just leave the ASA as it is for now.

I am not sure what you read that gave you the understanding that you need to be on at least 8.3 to do VPNs. But that is not correct. You certainly can configure site-to-site IPsec VPN on 8.2(5).

 

In addition to the fact that the syntax for the ASA doing address translation and access lists changes significantly when upgrading to 8.3 or higher, you should consider the requirement to upgrade memory of the ASA to support the newer level of code. Considering that the 5510 is past its End of Sale, I would probably be reluctant to upgrade a 5510.

 

HTH

 

Rick


Hey Richard, thanks for the input.

Here is the web site I read that spoke about creating a VPN to Azure.

https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-site-to-site-create/

About a quarter of the way down the page in the Before beginning section there is a link 'About VPN Devices' which goes to this page

https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/

This is where it lists the Cisco ASA with minimum OS of 8.3.

Perhaps I'm reading the wrong information for our purposes. I need to set up the VPN in order to put our exchange server into the cloud.

 

Thanks again for the help.

Blaine

Blaine

 

I have looked at the link that you gave and I believe that I know what is going on - and I understand your confusion. What they are giving is a set of tested and validated implementations and includes sample configs. What this really means is that to use their sample config you must be using at least 8.3 code on the ASA.

 

It is not that the ASA with 8.2(5) won't work but that the ASA with 8.2(5) code can not use the sample config. If you create a config with the correct syntax for 8.2(5) then your ASA should be able to create a successful VPN for Azure. In the short term this should be a very acceptable alternative. As I have said, for a longer term plan you should be thinking of replacing the 5510 with an ASA that can run the more recent versions of code.

 

HTH

 

Rick

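To illustrate Rick's point that the tunnel only needs the 8.2(5) spelling of the same thing, here is an added example of a site-to-site IKEv1 configuration in 8.2 syntax. It is not a config from this thread and not Microsoft's sample; the interface name, the peer address 198.51.100.20, the LAN 192.168.1.0/24, the Azure VNet 10.10.0.0/16, the object names and the IKE/IPsec proposal values are all placeholders, and the proposal values and pre-shared key must be taken from the gateway you actually create in Azure. One version-specific caveat: 8.2 has only IKEv1, entered as `crypto isakmp`; from 8.4 on that keyword becomes `crypto ikev1` and IKEv2 is added, which is part of why a sample written for 8.3/8.4 does not paste into 8.2(5).

```text
! Assumed values throughout; replace with your own.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
!
! Interesting traffic for the tunnel (LAN <-> Azure VNet)
access-list azure-vpn extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
!
! 8.2 NAT exemption: NAT runs before the crypto map is consulted, so without this the
! LAN addresses would be translated first and never match the crypto ACL.
access-list azure-nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list azure-nonat
!
crypto ipsec transform-set azure-ts esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address azure-vpn
crypto map outside_map 10 set peer 198.51.100.20
crypto map outside_map 10 set transform-set azure-ts
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map interface outside
!
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key <shared-key-from-the-Azure-portal>
```

After pasting, `show crypto isakmp sa` should show the peer in MM_ACTIVE once traffic matching `azure-vpn` is sent, and `show crypto ipsec sa` shows the encaps/decaps counters moving. If phase 1 never completes, the mismatch is almost always in the proposal (encryption, hash, group, lifetime) or the key; if phase 1 is up but phase 2 fails, check the transform set and that the crypto ACL on each side is the mirror image of the other. Decrypted tunnel traffic bypasses the outside interface ACL by default (`sysopt connection permit-vpn`), so if that default has been turned off, the outside ACL also needs entries for the VNet traffic.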

Thanks again Richard, very helpful. I will be setting up the site-to-site this week, your information was great.

Blaine


I am glad that our suggestions were helpful. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions that have helpful information. Good luck with setting up the VPN. I hope to see you continue to be active in the forum.

HTH

Rick
