Here are a few major changes to be aware of before migrating to ASA 8.3. Knowing them in advance helps you anticipate the problems you may run into after the upgrade:
NAT has been completely redesigned for greater flexibility and ease of use, and all NAT and NAT-related commands changed with it. You now configure NAT in one of two ways: auto NAT (object NAT), where the translation is configured as an attribute of a network object, and manual NAT (twice NAT), which exposes the more advanced options such as matching on both the source and the destination of a connection.
Another change is that access rules now name real IP addresses instead of mapped addresses. Before 8.3, every feature that uses access lists had to reference the mapped (translated) addresses and ports whenever NAT or PAT was in play. Starting with 8.3, several features must instead reference the real, untranslated address and port; other features continue to use the mapped address. Using the real address decouples access control from the translation: if the NAT configuration changes, the access lists do not have to. These features are migrated automatically to real IP addresses when you upgrade to 8.3, unless otherwise noted, so review the converted access lists after the upgrade rather than assuming the old mapped-address entries still match the traffic you intend.
Let's look at an example. An internal web server, 10.1.1.6, sits behind an ASA, and clients on the Internet reach it at its public (mapped) address 18.104.22.168. Prior to 8.3 the interface ACL permitted traffic to the public address 18.104.22.168; starting with 8.3 the real address 10.1.1.6 is used in the ACL instead. Compare the two configurations.

Pre-8.3:

    static (inside,outside) 18.104.22.168 10.1.1.6 netmask 255.255.255.255
    access-list outside_in extended permit tcp any host 18.104.22.168
    access-group outside_in in interface outside

8.3 and later (the network object needs the host line before the nat line, otherwise the object has no address to translate):

    object network obj-10.1.1.6
     host 10.1.1.6
     nat (inside,outside) static 18.104.22.168
    access-list outside_in extended permit tcp any host 10.1.1.6
    access-group outside_in in interface outside

The ACL is still applied inbound on the outside interface and still matches the same inbound traffic; only the address it names changes. Both versions permit any TCP port to the server, which is wider than a web server needs; in practice restrict the entry to the ports actually served (for example eq www).
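As an added example (not part of the original post), the following Python script applies the same substitution to a legacy configuration so you can preview the 8.3 form before upgrading and, after the upgrade, check that no access-list entry still refers to a mapped address. It handles only one-to-one /32 static translations, not PAT or subnet statics. The sample configuration is constructed: the web-server entry uses the addresses from the article, and the mail-server entry (18.104.22.169 to 10.1.1.7) is made up for illustration.

```python
"""Preview the 8.3-style rewrite of interface ACLs from a pre-8.3 ASA config.

Builds a mapped->real table from legacy `static` lines, emits the equivalent
8.3 object NAT, and rewrites `host <mapped>` in access-list entries to the real
address. `mapped_refs` is a post-upgrade audit for entries left on mapped addresses.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of a pre-8.3 configuration. The first static and ACE use
# the article's addresses; the mail server (10.1.1.7) is invented for the example.
LEGACY_CONFIG = """\
static (inside,outside) 18.104.22.168 10.1.1.6 netmask 255.255.255.255
static (inside,outside) 18.104.22.169 10.1.1.7 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 18.104.22.168 eq www
access-list outside_in extended permit tcp any host 18.104.22.169 eq smtp
access-list outside_in extended permit icmp any host 18.104.22.168 echo
access-group outside_in in interface outside
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Only one-to-one statics with a /32 netmask are recognised.
STATIC_RE = re.compile(
    rf"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    rf"(?P<mapped>{IP}) (?P<real>{IP}) netmask 255\.255\.255\.255\b"
)
HOST_RE = re.compile(rf"\bhost ({IP})\b")

Statics = Dict[str, Tuple[str, str, str]]


def parse_statics(config: str) -> Statics:
    """Map each mapped (public) address to (real address, real_if, mapped_if)."""
    table: Statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            table[m["mapped"]] = (m["real"], m["real_if"], m["mapped_if"])
    return table


def object_nat(statics: Statics) -> List[str]:
    """Emit the 8.3 auto NAT (object NAT) equivalent of each legacy static."""
    out: List[str] = []
    for mapped, (real, real_if, mapped_if) in sorted(statics.items()):
        out += [f"object network obj-{real}",
                f" host {real}",
                f" nat ({real_if},{mapped_if}) static {mapped}"]
    return out


def rewrite_aces(config: str, statics: Statics) -> List[str]:
    """Replace 'host <mapped>' with 'host <real>' in access-list entries, as 8.3 requires."""
    def to_real(m: "re.Match[str]") -> str:
        ip = m.group(1)
        return f"host {statics[ip][0]}" if ip in statics else m.group(0)
    return [HOST_RE.sub(to_real, line)
            for line in config.splitlines() if line.startswith("access-list ")]


def mapped_refs(acl_lines: List[str], statics: Statics) -> List[str]:
    """Audit: entries still naming a mapped address will not match translated
    traffic on 8.3 and should be reviewed by hand."""
    return [line for line in acl_lines
            if any(ip in statics for ip in HOST_RE.findall(line))]


def migrate(config: str) -> List[str]:
    """Full preview: object NAT, rewritten ACL entries, then the access-group lines."""
    statics = parse_statics(config)
    lines = object_nat(statics) + rewrite_aces(config, statics)
    lines += [line for line in config.splitlines() if line.startswith("access-group ")]
    return lines


if __name__ == "__main__":
    for line in migrate(LEGACY_CONFIG):
        print(line)
    leftovers = mapped_refs(rewrite_aces(LEGACY_CONFIG, parse_statics(LEGACY_CONFIG)),
                            parse_statics(LEGACY_CONFIG))
    print(f"entries still on mapped addresses: {len(leftovers)}")
```

Run it against a saved copy of the pre-upgrade configuration and diff the output against the 8.3 running configuration; feed the post-upgrade access-list lines to mapped_refs to catch entries the migration left, or that were later added by hand, on the public address.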
A new concept of named host objects was introduced, so that a single host can be referenced by name throughout the configuration. (The older name command looked similar, but it was only a macro substitution applied to the show running-config output; it did not create an object.)
Network and service objects are created automatically for NAT. You can use named network and service objects in other features, such as access lists and object groups, but objects are not created automatically for any feature other than NAT.
You can create named network objects to stand in for a host, a subnet or a range of IP addresses, and named service objects to stand in for a protocol and port. Changing the object definition in one place then updates every part of the configuration that references it.
To run Version 8.3 in a production environment on a Cisco ASA 5505, 5510, 5520 or 5540, you need to upgrade the memory (the 8.3 release notes require 512 MB on the 5505, 1 GB on the 5510 and 2 GB on the 5520 and 5540).
Brand-new ASAs manufactured after February 2010 ship with the upgraded memory. If your ASA is one of those four models and was manufactured before February 2010, purchase and install the memory upgrade before loading 8.3. Check the installed amount with show version.
If the migration has not gone well, view the boot-up error log with the show startup-config errors command. See the following sample log.
The nat-control command is deprecated. Where a configuration relied on it to require that all traffic from a higher-security interface to a lower-security interface be translated, the migration inserts a NAT rule at the end of section 2 for each interface that disallows any remaining (untranslated) traffic, preserving the old behaviour. nat-control was used in NAT configurations written for earlier versions of the adaptive security appliance. The best practice is to use access rules for access control rather than relying on the absence of a NAT rule to block traffic through the appliance.
When you upgrade to Version 8.3, your configuration is migrated and two files are written to flash memory. The first is the current (pre-upgrade) configuration, saved as <version>_startup_cfg.sav; for example, when you upgrade from 8.2(1) to 8.3(1), the old 8.2(1) configuration is stored as 8_2_1_0_startup_cfg.sav. Keep this file: it is what you need if you later have to downgrade from 8.3 to 8.2, since the downgrade command takes the old image and this saved configuration as its arguments. The second is a record of the warnings and errors encountered while converting your configuration to 8.3, saved as upgrade_startup_errors_<timestamp>.log; read it before trusting the migrated configuration.
The static NAT commands also accept two keywords worth knowing: nat static [no-proxy-arp] [route-lookup] in object network mode and nat source static [no-proxy-arp] [route-lookup] for manual NAT. no-proxy-arp stops the ASA from answering ARP requests for the mapped address on the mapped interface, and route-lookup selects the egress interface by route lookup instead of the interface named in the NAT rule. Both matter for identity NAT, where the mapped address is a real address on the network that the ASA should not claim for itself.