Upgrade Advice for ASA5520 from 8.04 to 8.3

Jun 1st, 2010

Hello,


I have a lot of AnyConnect users on my ASA 5520, and the licensing cost is pretty hefty for an additional 500 users. I found out that the 8.3 version of the ASA has a special license that lets you have pretty much unlimited AnyConnect users. It's called AnyConnect Essentials. It costs a few hundred bucks, so I think I would like to try it.


My only hesitation is the upgrade from 8.04 to 8.3. Has anyone here done that upgrade? Will I need to change my config at all? Are any commands deprecated? Advice? Warnings?


Thanks,


P.

Federico Coto F... Tue, 06/01/2010 - 07:33
User Badges:
  • Green, 3000 points or more

Hi,


I've done it and everything should go smoothly.


There are configuration changes, for example NAT is completely different as well as the object-groups and ACL configurations.

When you upgrade to 8.3, the configuration will be automatically adjusted to the new syntax.


I would recommend, however, that you go over these two links:


8.3 release notes:

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html


8.3 migration guide:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html


Federico.

Jennifer Halim Wed, 06/02/2010 - 01:57
User Badges:
  • Cisco Employee,

Federico is right: the NAT configuration is completely different; however, when you perform the upgrade, it will be migrated from the old NAT/static statements to the new NAT statements.


You would also need to upgrade your memory to run ASA version 8.3. The ASA 5520 has a default of 512 MB of DRAM, and to run version 8.3 you would need 2 GB of DRAM (as stated in the release notes):

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp37821


Lastly, if you have an inbound ACL on the outside interface and a static NAT configuration that translates a private to a public IP address: on ASA version 8.2 and below, the access-list applied to your outside interface refers to the public IP address; on ASA version 8.3, you would need to configure the ACL on the outside interface to refer to the private (real) IP address. Unfortunately the migration upgrade does not migrate the ACL to the real IP address.


Example:

On version 8.2 and lower, if you have:

static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255
access-list outside-acl permit tcp any host 200.1.1.1 eq 80
access-group outside-acl in interface outside


On version 8.3 and above, you would need to configure the following ACL:

access-list outside-acl permit tcp any host 10.1.1.1 eq 80
access-group outside-acl in interface outside


The static NAT statement will change to the following automatically during upgrade:

object network obj-10.1.1.1
     host 10.1.1.1
     nat (inside,outside) static 200.1.1.1


Hope that helps.

pener1963 Wed, 06/02/2010 - 05:24

Thank you both for such good and concise information.


The only static statements I have on the outside interface are these (one for a BES server and another for inbound SMTP). The outside interface does not have a public IP, so I should be OK, right? The migration should take care of it, or do I need to do something?

static (inside,outside) tcp interface 3101 10.1.4.70 3101 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 172.16.3.86 smtp netmask 255.255.255.255

Jennifer Halim Wed, 06/02/2010 - 05:30
User Badges:
  • Cisco Employee,

As far as the static NAT translation is concerned, you do not need to change anything.


However, with the access-list on the outside interface, you would need to change it after the upgrade.


Please post the current outside ACL. It should be changed to something like the following after you upgrade it:

permit tcp any host 10.1.4.70 eq 3101
permit tcp any host 172.16.3.86 eq 25
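As an added example (not code from any poster in this thread), the following Python sketches the manual ACL step Jennifer describes in her two replies above: it reads pre-8.3 static statements (both the 1:1 form and the "tcp interface" port-forward form), derives mapped-to-real lookups, and rewrites the outside ACL's destinations, which the 8.3 migration leaves untouched. The configuration lines inside it are constructed, patterned on the thread's examples, and are not anyone's real config.

```python
import re

# Constructed sample 8.2-style configuration (patterned on the thread, not a
# real config): one 1:1 static and one interface port-forward static.
OLD_STATICS = [
    "static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255",
    "static (inside,outside) tcp interface 3101 10.1.4.70 3101 netmask 255.255.255.255",
]
OLD_ACL = [
    "access-list outside-acl extended permit tcp any host 200.1.1.1 eq 80",
    "access-list outside-acl extended permit tcp any interface outside eq 3101",
    "access-list outside-acl extended permit tcp any host 10.1.1.1 eq 443",
    "access-list outside-acl extended deny ip any any log",
]

def parse_statics(lines):
    """host_map: mapped IP -> real IP (1:1 statics);
    port_map: (mapped interface, mapped port) -> (real IP, real port) (interface PAT)."""
    host_map, port_map = {}, {}
    for line in lines:
        t = line.split()
        if not t or t[0] != "static":
            continue
        mapped_if = t[1].strip("()").split(",")[1]  # "(inside,outside)" -> "outside"
        if t[2] in ("tcp", "udp"):
            # static (real_if,mapped_if) tcp|udp <mapped> <mport> <real> <rport> netmask <mask>
            mapped, mport, real, rport = t[3], t[4], t[5], t[6]
            if mapped == "interface":
                port_map[(mapped_if, mport)] = (real, rport)
            else:
                host_map[mapped] = real
        else:
            host_map[t[2]] = t[3]  # static (real_if,mapped_if) <mapped> <real> netmask <mask>
    return host_map, port_map

def rewrite_acl(acl_lines, host_map, port_map):
    """Return the ACL with mapped destinations replaced by real ones. The 8.3
    migration converts the NAT statements but not this ACL, so this is the manual
    step; lines already on real addresses or matching no static pass through unchanged."""
    out = []
    for line in acl_lines:
        new = line
        for mapped, real in host_map.items():
            new = re.sub(rf"\bhost {re.escape(mapped)}\b", f"host {real}", new)
        for (mif, mport), (real, rport) in port_map.items():
            pattern = rf"\binterface {re.escape(mif)} eq {re.escape(mport)}\b"
            new = re.sub(pattern, f"host {real} eq {rport}", new)
        out.append(new)
    return out
```

Diff the output against the original ACL before pasting it in; entries that reference object-groups still need their members checked by hand, as Jennifer notes further down.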

pener1963 Wed, 06/02/2010 - 05:40

Here is the ACL for the outside:

access-list outside remark --- Allow ICMP Traffic ---
access-list outside extended permit icmp any any echo
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any time-exceeded
access-list outside extended permit icmp any any unreachable
access-list outside remark --- Allow VPN Tunnel for Third party Company ---
access-list outside extended permit esp host 88.88.88.88 host 172.16.4.2
access-list outside remark --- Allow Network Devices to Logging Servers ---
access-list outside extended permit udp object-group network_logging_devices object-group network_logging_servers eq syslog
access-list outside remark --- Allow World to connect to Web SSL VPN ---
access-list outside extended permit tcp object-group nat_pool_edgert host 172.31.1.4 eq https
access-list outside remark --- Allow SMTP Connections to Exchange (DISABLED on EdgeRT. For DR Purposes) ---
access-list outside extended permit tcp object-group nat_pool_edgert host 172.16.3.62 eq smtp
access-list outside remark -- Allow IPSec Tunnel with Cisco Thick Client --
access-list outside extended permit udp object-group nat_pool_edgert host 172.31.1.4 eq isakmp
access-list outside remark -- Allow Network Devices to Syslog Server for http requests --
access-list outside extended permit tcp object-group network_logging_devices object-group network_logging_servers eq www
access-list outside remark --- Allow RADIUS Authentication for Network Devices ---
access-list outside extended permit udp object-group Network_Auth_Devices object-group Network_Auth_Servers eq radius
access-list outside remark --- Allow DNS Traffic ---
access-list outside extended permit udp object-group nat_pool_edgert_secondary object-group dmz_DNS_Servers eq domain
access-list outside extended permit tcp object-group nat_pool_edgert_secondary object-group dmz_DNS_Servers eq domain
access-list outside extended permit udp object-group nat_pool_edgert object-group dmz_DNS_Servers eq domain
access-list outside extended permit tcp object-group nat_pool_edgert object-group dmz_DNS_Servers eq domain
access-list outside extended permit udp object-group allow_dmz_DNS_zonetransfers object-group dmz_DNS_Servers eq domain
access-list outside extended permit tcp object-group allow_dmz_DNS_zonetransfers object-group dmz_DNS_Servers eq domain
access-list outside remark --- Allow Traffic to BES Server ----
access-list outside extended permit tcp object-group POST-INI_servers host 172.16.3.86 eq smtp
access-list outside extended permit tcp any host 10.1.4.70 eq 3101
access-list outside extended permit tcp object-group POST-INI_Servers interface outside_edgert_vlan10 eq smtp
access-list outside remark -- Allow Third Part server to VIRT -------
access-list outside extended permit tcp host 99.99.99.99 host 10.100.37.41 eq 9443
access-list outside extended permit tcp 10.254.0.0 255.254.0.0 host 10.100.37.41 eq https
access-list outside remark --- Deny and Log Everything Else ---
access-list outside extended deny ip any any log

Jennifer Halim Wed, 06/02/2010 - 05:49
User Badges:
  • Cisco Employee,

The ones that have the IP address look OK; the rest I can't see because they are under object-groups. However, as long as they are the real IP addresses, not the NATed IP addresses, they are correct.

andamani Thu, 01/27/2011 - 19:03
User Badges:
  • Cisco Employee,

Yup, that is right. All the ACLs in 8.3 have to use the real IP addresses and not the NAT IP addresses.


Regards,

Anisha


P.S.: please mark the thread as resolved if you feel your query is answered.
