Welcome to the next edition of the Tech-Talk series. Our topic this time is from the Security domain: "ASA 8.3/8.4 Migration and Best Practices". Most of you already know me; my name is Vinay Sharma, Technical Community Manager, and I'll be your host in the video, discussing this topic with our Cisco expert Glenn, a Customer Support Engineer with Cisco TAC.
As you are aware, we started this Tech-Talk series to address some of the most talked-about concerns in our community discussions. So today we have specifically selected this topic and brought in a technical expert from Cisco to share more insights on it. We hope you will like the session. Please do share your feedback and opinions so that we can continue to improve. Also, if you want to hear about any specific topic, please let us know.
We discussed ASA 8.3 migration, what you need to know before the migration, and best practices, along with a few key points and features to keep in mind before the upgrade.
Our expert is Glenn Baptist, a Customer Support Engineer with Cisco TAC based in India, with broad experience in Cisco firewalls, including ASA, PIX and FWSM. He also holds a CCIE certification in Security (32835).
Here are a few MAJOR changes one should be aware of before the migration. Understanding them helps us anticipate the challenges we might face after the migration:
The NAT feature has been redesigned for increased flexibility and functionality. All NAT and NAT-related commands have been redesigned.
The NAT configuration was completely redesigned to allow greater flexibility and ease of use. You can now configure NAT using auto NAT, where you configure NAT as part of the attributes of a network object, and manual NAT, where you can configure more advanced NAT options.
Real IP Address
Another change is that you now configure real IP addresses in access rules instead of mapped addresses.
When using NAT or PAT, you used to have to specify the mapped addresses and ports in an access list for all features that use access lists. Now, for several supported features, you must use the real, untranslated IP address and ports. (Other features continue to use the mapped IP address).
When using NAT, mapped addresses are no longer required in an access list for many features. You should always use the real, untranslated addresses when configuring these features. Using the real address means that if the NAT configuration changes, you do not need to change the access lists. These features are automatically migrated to use real IP addresses when you upgrade to 8.3, unless otherwise noted.
Named network objects & service objects
A new concept of host-based objects was introduced, allowing individual hosts to be referenced by name (previously we had the name command, but that was more of a macro substitution in the show running-config output).
Named Network and Service Objects—Network and service objects are automatically created for NAT.
Although you can use named network and service objects in other features, such as access lists and object groups, objects are not automatically created for any feature other than NAT.
You can now create named network objects that you can use in place of a host, a subnet, or a range of IP addresses in your configuration and named service objects that you can use in place of a protocol and port in your configuration. You can then change the object definition in one place, without having to change any other part of your configuration.
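The following constructed configuration, added here as an illustration and not taken from the session, shows the same web-server translation in pre-8.3 syntax and in 8.3+ syntax, so the three changes above (redesigned NAT, real addresses in access lists, named objects) can be seen side by side. All object names, interfaces and addresses are made up.

```cisco
! ---- Pre-8.3 (constructed example): the access list must use the MAPPED address ----
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside

! ---- 8.3 and later (constructed example) ----
! Auto (object) NAT: the translation is an attribute of the network object.
object network inside-net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

object network web-server
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10

! A named service object, reusable in access lists and object-groups.
object service web-http
 service tcp destination eq 80

! The access list now references the REAL (untranslated) address through the
! object. If the static NAT above is changed later, this rule needs no edit.
access-list outside_in extended permit object web-http any object web-server
access-group outside_in in interface outside

! Manual (twice) NAT: used when the translation depends on the destination.
! Manual NAT rules in section 1 are evaluated before any auto NAT rule, so
! order them carefully when both kinds exist.
object network partner-net
 subnet 192.168.50.0 255.255.255.0
object network inside-net-mapped
 subnet 172.16.1.0 255.255.255.0
nat (inside,outside) source static inside-net inside-net-mapped destination static partner-net partner-net
```

After migration, compare show running-config nat against the pre-8.3 NAT, global and static lines to confirm every translation was carried over and the access lists now reference objects rather than mapped addresses.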
Best practices while upgrading from pre-8.3 to 8.3 and above
Memory Upgrade - To run Version 8.3 in a production environment, you need to upgrade the memory on the Cisco ASA 5505, 5510, 5520, or 5540.
Note: Brand new ASAs from the factory (manufactured after Feb 2010) come with the upgraded memory.
Startup Errors - In case the migration has not gone well, view the bootup error log with the show startup-config errors command.
nat-control does not exist in 8.3 - The best practice is to use access rules for access control instead of relying on the absence of a NAT rule to prevent traffic through the adaptive security appliance.
A downgrade option is also available in case we need to revert. During the upgrade process the ASA saves two files on disk: when the upgrade to Version 8.3 is performed, the configuration is migrated, and the old configuration is automatically stored in flash memory.
ASA 8.3.1: Non-identical failover licenses - Failover licenses no longer need to be identical on each unit. The license used for both units is the combined license from the primary and secondary units.
ASA 8.4.1: Stateful Failover with Dynamic Routing Protocols - In previous code, dynamic routes were not replicated to the standby device, so they were lost upon failover. This release adds replication of dynamic routes, so the routing information is already present on the other device and no routes are lost upon failover.
ASA 8.4.2: Route lookup - In earlier releases, for identity NAT, proxy ARP was disabled and a route lookup was always used to determine the egress interface; you could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as they are, or you can enable or disable them individually. Note that you can now also disable proxy ARP for regular static NAT.
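To make the 8.4(2) change concrete, here is a constructed identity NAT rule (an added example, not from the session) together with the per-rule keywords that restore the pre-8.4(2) behavior. The object names, interfaces and subnets are made up.

```cisco
object network inside-net
 subnet 10.1.1.0 255.255.255.0
object network dmz-net
 subnet 10.2.2.0 255.255.255.0

! Identity NAT (real address == mapped address) between inside and dmz.
! From 8.4(2) on, this rule as written behaves like any other static NAT:
! proxy ARP is ON for the mapped addresses, and the (inside,dmz) interface
! pair in the rule, not the routing table, decides the egress interface.
nat (inside,dmz) source static inside-net inside-net destination static dmz-net dmz-net

! To get the pre-8.4(2) identity-NAT behavior back, replace the rule with the
! keyworded form: no proxy ARP, and a route lookup picks the egress interface.
no nat (inside,dmz) source static inside-net inside-net destination static dmz-net dmz-net
nat (inside,dmz) source static inside-net inside-net destination static dmz-net dmz-net no-proxy-arp route-lookup

! Regular (non-identity) static NAT may also disable proxy ARP from 8.4(2) on,
! e.g. when the mapped address is owned by an upstream router that routes it
! to the ASA and the ASA should not answer ARP for it.
object network web-server
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 no-proxy-arp
```

A useful check after upgrading to 8.4(2) or later is to verify, with show nat detail and packet-tracer, which interface identity-NAT traffic now egresses, since a rule whose interface pair disagrees with the routing table will silently change the path taken.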