ASA 6.22 migration to 6.3

Unanswered Question
Jul 2nd, 2010

Hi All,

A client ordered a new ASA5520, but urgently needed a firewall in place, so I loaned the client one of my older 5520s running 6.22, thinking that once their equipment is delivered I will downgrade the software on the new device, install the running config and then upgrade it back to 6.3.

Problem - The downgrade was no issue at all; the new firewall works perfectly on ver 6.22 and the config is 100%. When I upgrade to 6.3 the name format has changed and it has not imported the naming convention of the hosts to the new version, thus resulting in the majority of the ACLs not being implemented.

I created a doc to manually change the naming std from

name x.x.x.x Description

to

object network Description
host x.x.x.x

Once this was imported the hostnames all appear fine; however, there are still issues with the ACLs. Long story short, only if I manually modify the config does it appear to be OK for ver 6.3. My question is: why doesn't this happen automatically, or have I missed something?

Jennifer Halim Fri, 07/02/2010 - 02:07

I assume that you mean you were running ASA 8.2.2 and you have upgraded it to ASA 8.3.

There are a couple of major feature transformations in ASA 8.3:

1) Complete transformation of NAT - NAT in 8.3 is now object based, and the old nat/global and static statements no longer exist in this version.

Here is the configuration guide on NAT in 8.3 for your reference:

2) Interface ACL on ASA 8.3 now should refer to the real address when NAT is configured instead of the mapped address.

Here are the release notes for 8.3 on what new features have been added and which features have been modified/transformed:

David Da Costa Fri, 07/02/2010 - 02:39

Hi, sorry, yes I meant 8.22 to 8.3(1)

I upgraded through ASDM this time and it has migrated +/- 60% of the host names to the new naming std; however, the rest it appears to have just ignored. The ACLs appear to be intact this time. I don't have any NATting on the firewall.

For example it has an entry like this:

object network DMZ_Server_x.x
host x.x.x.x
description Created during name migration

but then further on in the conf it still has the other host names in the old format of name x.x.x.x description, and has not removed these types of entries. Comments?

Jennifer Halim Sat, 07/03/2010 - 04:37

Yes, with the new version 8.3, everything is object based. All the NAT statements are now object based, hence you will be seeing a lot of the object-based entries.

There are 2 types of objects now in version 8.3:

1) "object network " would be the object for the NAT statement. Here is the command for your reference:

2) "object-group network" would be the old object-group to group hosts/subnets together. Here is the command for your reference:

The "name" command will still exist in version 8.3.

Here is the ASA 8.3 migration guide for your reference (it includes which commands are migrated to which new commands):

Hope that helps.
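The thread describes a config in which only some `name` entries gained an `object network` stanza after the upgrade. The following is an added example, not code from the posters or from Cisco: it audits a saved config for `name` entries whose address has no object yet and renders the missing stanzas for review. It assumes every `name` maps to a single host and matches by address rather than by name, since the migrated object in the thread carries a different name; the sample config and function names are constructed.

```python
import ipaddress
import re
# Constructed sample of a partially migrated config (names and addresses are made up).
SAMPLE_CONFIG = """\
name 192.0.2.10 DMZ_Web description Public web server
name 192.0.2.11 DMZ_Mail
name 198.51.100.5 Partner_GW description Partner VPN gateway
object network DMZ_Web_2.10
 host 192.0.2.10
 description Created during name migration
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)(?:\s+description\s+(.*))?$")

def parse_names(config):
    """Return {name: (ip, description)} for each well-formed 'name' line."""
    names = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            ip, name, desc = m.groups()
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                continue  # not an address (for example a redacted x.x.x.x)
            names[name] = (ip, desc)
    return names

def migrated_hosts(config):
    """Addresses that already appear as 'host' inside an 'object network' stanza."""
    hosts, in_object = set(), False
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command starts a new stanza
            in_object = line.startswith("object network ")
        elif in_object and line.split()[:1] == ["host"] and len(line.split()) > 1:
            hosts.add(line.split()[1])
    return hosts

def missing_objects(config):
    """Render object stanzas for names whose address has no object yet."""
    done, out = migrated_hosts(config), []
    for name, (ip, desc) in parse_names(config).items():
        if ip not in done:
            out += [f"object network {name}", f" host {ip}"]
            if desc:
                out.append(f" description {desc}")
    return "\n".join(out)

if __name__ == "__main__":
    print(missing_objects(SAMPLE_CONFIG))
```

Review the generated stanzas against the ACLs that reference those names before pasting them into the device.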

