Welcome to the next edition of the Tech-Talk series. Our topic this time is from the Security domain: "ASA 8.3/8.4 Migration and best practices". Most of you already know me; my name is Vinay Sharma, Technical Community Manager, and I will be your host in the video, discussing this topic with our Cisco expert Glenn, a Customer Support engineer with Cisco TAC.
As you are aware, we started this series of tech talks to address some of your most talked-about concerns in our community discussions. So today we have specifically selected this topic and brought in a technical expert from Cisco to share more insights on it. We hope you like the session. Please do share your feedback and opinions so that we can continue to improve. Also, if you want to hear about any specific topic, please let us know.
We discussed ASA 8.3 migration: what you need to know before the migration, best practices, and a few key points and features to keep in mind before the upgrade.
Our expert is Glenn Baptist, a Customer Support engineer with Cisco TAC, based in India, with broad experience in Cisco firewalls, including ASA, PIX, FWSM. He also holds a CCIE Certification in Security (32835).
Here are a few MAJOR changes one should be aware of before the migration. They help us understand what challenges we might face after the migration:
The NAT feature has been redesigned for increased flexibility and functionality. All NAT and NAT-related commands have been redesigned.
The NAT configuration was completely redesigned to allow greater flexibility and ease of use. You can now configure NAT using auto NAT, where you configure NAT as part of the attributes of a network object, and manual NAT, where you can configure more advanced NAT options.
Real IP Address
Another change is that access rules now reference real IP addresses instead of mapped addresses.
When using NAT or PAT, you used to have to specify the mapped addresses and ports in an access list for all features that use access lists. Now, for several supported features, you must use the real, untranslated IP address and ports. (Other features continue to use the mapped IP address).
When using NAT, mapped addresses are no longer required in an access list for many features. You should always use the real, untranslated addresses when configuring these features. Using the real address means that if the NAT configuration changes, you do not need to change the access lists. These features are automatically migrated to use real IP addresses when you upgrade to 8.3, unless otherwise noted.
Named network objects & service objects
A new concept of host-based objects was introduced, to allow singular hosts to be referenced by their names (previously, we had the name command, but that was more of a macro-substitution in the show running-config output).
Named Network and Service Objects—Network and service objects are automatically created for NAT.
Although you can use named network and service objects in other features, such as access lists and object groups, objects are not automatically created for any feature other than NAT.
You can now create named network objects that you can use in place of a host, a subnet, or a range of IP addresses in your configuration and named service objects that you can use in place of a protocol and port in your configuration. You can then change the object definition in one place, without having to change any other part of your configuration.
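The following is an added example (constructed for this write-up, not configuration from the session) that puts the three changes above side by side: a pre-8.3 dynamic PAT plus static NAT with an access list written against the mapped address, and the equivalent 8.3+ form using auto NAT inside network objects with the access list written against the real address. Object names, interface names and addresses are assumptions; the automatic migration generates its own object names.

```cisco
! --- Pre-8.3 configuration (constructed sample) ---
! Dynamic PAT: inside network translated to the outside interface address
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface
! Static NAT for a web server: real 10.1.1.10 <-> mapped 203.0.113.10
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
! Pre-8.3: the access list must match the MAPPED address
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside

! --- Equivalent 8.3+ configuration (constructed sample) ---
! Auto NAT: the nat statement is an attribute of the network object
object network inside-net
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
object network web-server
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
! Named service object usable in place of "tcp ... eq 80"
object service http-svc
 service tcp destination eq 80
! 8.3+: the access list matches the REAL address via the object;
! changing the mapped address in the object does not touch this rule
access-list outside_in extended permit tcp any object web-server eq 80
access-group outside_in in interface outside
```

After loading such a configuration, show nat detail lists each rule with its translate hit counts, which is a quick way to confirm the migrated rules are actually being used.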
Best practices while upgrading from pre-8.3 to the 8.3/above
Memory Upgrade - To run Version 8.3 in a production environment, you need to upgrade the memory on the Cisco ASA 5505, 5510, 5520, or 5540.
Note: Brand-new ASAs from the factory (manufactured after Feb 2010) come with the upgraded memory.
Startup Errors - If the migration has not gone well, view the boot-up error log with the show startup-config errors command.
nat-control in 8.3 doesn't exist - The best practice is to use access rules for access control instead of relying on the absence of a NAT rule to prevent traffic through the adaptive security appliance.
A downgrade option is also available in case you need to revert. When you upgrade to Version 8.3, the configuration is migrated and the ASA saves two files on disk; the old, pre-migration configuration is automatically stored in flash memory.
ASA 8.3.1: Non-identical failover licenses - Failover licenses no longer need to be identical on each unit. The license used for both units is the combined license from the primary and secondary units.
ASA 8.4.1: Stateful Failover with Dynamic Routing Protocols - In earlier releases, dynamic routes were not replicated to the standby unit, so they were lost upon failover. Starting with 8.4.1, dynamic routes are replicated to the standby unit, so routes are no longer lost upon failover.
ASA 8.4.2: Route lookup - In earlier releases, for identity NAT, proxy ARP was disabled and a route lookup was always used to determine the egress interface; you could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as they are, or enable or disable them individually. Note that you can now also disable proxy ARP for regular static NAT.
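An added example (constructed, not from the session) of the 8.4(2) identity NAT change: a manual NAT rule exempting inside-to-VPN traffic from translation, first with the 8.4(2)+ defaults and then with the keywords that restore the pre-8.4(2) behaviour. Object names and addresses are assumptions; only one of the two nat lines would be present in a real configuration.

```cisco
! Networks involved (constructed sample)
object network inside-net
 subnet 10.1.0.0 255.255.0.0
object network vpn-net
 subnet 192.168.50.0 255.255.255.0

! Identity NAT, 8.4(2)+ defaults: proxy ARP is enabled on the outside
! interface for inside-net and the egress interface is taken from the
! NAT rule (outside), not from the routing table.
nat (inside,outside) source static inside-net inside-net destination static vpn-net vpn-net

! Same rule with the pre-8.4(2) behaviour restored explicitly:
! no-proxy-arp  - do not answer ARP for the (identity) mapped addresses
! route-lookup  - choose the egress interface from the routing table
nat (inside,outside) source static inside-net inside-net destination static vpn-net vpn-net no-proxy-arp route-lookup
```

Identity rules that silently switched from route lookup to the NAT-specified interface are a common source of post-upgrade reachability problems on multi-interface boxes, so check each migrated identity NAT rule against the routing table before and after the upgrade.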