Showing results for 
Search instead for 
Did you mean: 

Community Tech -Talk Series - Migration Best Practices for ASA 8.3/8.4

Vinay Sharma
Rising star

Welcome to the next edition of Tech- Talk series. Our topic this time is from the Security domain and we are going to discuss about "ASA 8.3/8.4- Migration and best practices". Most of you already know me, my name is Vinay Sharma- Technical Community Manager and I’ll be your host in the video to discuss this topic with our Cisco expert Glenn, who is a Customer Support engineer with Cisco TAC.

ASA image.jpg


As you are aware that we have started this series of tech talk to address some your most talked about concerns in our community discussion. So, today we have specifically selected this topic and brought a technical expert from Cisco to share more insights on this topic. Hope you will like the session. Please do share your feedback and opinion so that we continue to improve our self. Also, if you want to hear about any specific topic, please share your feedback.

“We discussed about ASA 8.3 migration, What you need to know before the migration & Best practices along with few key points & features to keep in mind before the upgrade.

Tech-Talk ASA video image.png


Our expert is Glenn Baptist, a Customer Support engineer with Cisco TAC, based in India, with broad experience in Cisco firewalls, including ASA, PIX, FWSM. He also holds a CCIE Certification in Security (32835).

Here are few MAJOR changes one should be aware of before the migration. This would help us understand what challenges we might have to face after the migration:-

NAT Redesigned

The NAT feature has been redesigned for increased flexibility and functionality. All NAT and NAT-related commands have been redesigned.

The NAT configuration was completely redesigned to allow greater flexibility and ease of use. You can now configure NAT using auto NAT, where you configure NAT as part of the attributes of a network object, and manual NAT, where you can configure more advanced NAT options.

Real IP Address

Another change is with the way you configure Real IP addresses in access rules instead of mapped addresses.

When using NAT or PAT, you used to have to specify the mapped addresses and ports in an access list for all features that use access lists. Now, for several supported features, you must use the real, untranslated IP address and ports. (Other features continue to use the mapped IP address).

When using NAT, mapped addresses are no longer required in an access list for many features. You should always use the real, untranslated addresses when configuring these features. Using the real address means that if the NAT configuration changes, you do not need to change the access lists. These features are automatically migrated to use real IP addresses when you upgrade to 8.3, unless otherwise noted.

Named network objects & service objects

A new concept of host-based objects was introduced, to allow singular hosts to be referenced by their names (previously, we had the name command, but that was more of a macro-substitution in the show running-config output).

Named Network and Service Objects—Network and service objects are automatically created for NAT.

Although you can use named network and service objects in other features, such as access lists and object groups, objects are not automatically created for any feature other than NAT.

You can now create named network objects that you can use in place of a host, a subnet, or a range of IP addresses in your configuration and named service objects that you can use in place of a protocol and port in your configuration. You can then change the object definition in one place, without having to change any other part of your configuration.

Best practices while upgrading from pre-8.3 to the 8.3/above

  • Memory Upgrade -To run Version 8.3 in a production environment, you need to upgrade the memory on the Cisco ASA 5505, 5510, 5520, or 5540.

Note:- Brand new ASAs from the factory (manufactured after Feb 2010) come with the upgraded memory.

  • Startup Errors- In case the migration hasn’t gone well, to view the bootup error log enter the show startup-config errors command.

  • nat-control in 8.3 doesn't exist - The best practice is to use access rules for access control instead of relying on the absence of a NAT rule to prevent traffic through the adaptive security appliance.

  • Downgrade option is also available in case we need to revert. During the upgrade process, the ASA will save two files on disk. When upgrade is performed to Version 8.3, the configuration is migrated. The old configuration is automatically stored in flash memory.

Interesting features

  1. ASA 8.3.1 : Non-identical failover licenses - Failover licenses no longer need to be identical on each unit. The license used for both units is the combined license from the primary and secondary units
  2. ASA 8.4.1 : Stateful Failover with Dynamic Routing Protocols- In the previous code, dynamic routes were not replicated to the standby device upon failover. This code has included the replication of dynamic routes. This way you will not lose routes upon failover as the information would be sent to the other device without losing it.   
  3. ASA 8.4.2 : route lookup - In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always used to determine the egress interface. You could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.

Additional Information

We hope the valuable insights from our Cisco Experts will help answer these recurring comments and questions we've encountered on

Migration Best Practices for ASA 8.3/8.4.

Watch the Tech-Talk and check out the detailed Document specifically written on the Migration Best Practices for ASA 8.3/8.4.

We hope you enjoy it.


I really dislike the new nat :< Sorry not a fan of it




Yes i agree with Daniel, it is not intuitive that way to allow connections to NATed service

shine pothen

Thanks for sharing these steps.

To scale the performance of firewalls and to provide high reliability, Cisco has a new feature called ITD. Please see ITD (Intelligent Traffic Director) White Paper.

Also, recent blog : Intelligent Traffic Director @ Cisco Live Milan 2015


ITD Provides CAPEX and OPEX Savings for Customers

ITD (Intelligent Traffic Director) is a hardware based multi-Tbps Layer 4 load-balancing, traffic steering and clustering solution on Nexus 5K/6K/7K series of switches. It supports IP-stickiness, resiliency, NAT, (EFT), VIP, health monitoring, sophisticated failure handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load-balancing, bi-directional flow-coherency, and IPSLA probes including DNS.

ITD is much superior than legacy solutions like PBR, WCCP, ECMP, port-channel, layer-4 load-balancer appliances.


Content for Community-Ad