ASA 6.22 migration to 6.3

David Da Costa
Level 1

Hi All,

A client ordered a new ASA5520, but urgently needed a firewall in place, so I loaned the client one of my older 5520s running 6.22, thinking that once their equipment is delivered I will downgrade the software on the new device, install the running config and then upgrade it back to 6.3.

Problem - The downgrade was no issue at all; the new firewall works perfectly on ver 6.22 and the config is 100%. When I upgrade to 6.3, the name format has changed and it has not imported the naming convention of the hosts to the new version, thus resulting in the majority of the ACLs not being implemented.

I created a doc to manually change the naming standard from

name x.x.x.x Description

to

object network Description
 host x.x.x.x

Once this was imported the hostnames all appear fine; however, there are still issues with the ACLs. Long story short, only if I manually modify the config does it appear to be OK for ver 6.3. My question is: why doesn't this happen automatically, or have I missed something?

3 Replies

Jennifer Halim
Cisco Employee

I assume that you mean you were running ASA 8.2.2 and you have upgraded it to ASA 8.3.

There are a couple of major feature transformations in ASA 8.3:

1) Complete transformation of NAT - NAT in 8.3 is now object based, and the old nat/global and static statements no longer exist in this version.

Here is the configuration guide on NAT in 8.3 for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1122015

2) Interface ACLs on ASA 8.3 should now refer to the real address when NAT is configured, instead of the mapped address.

Here are the release notes for 8.3 on what new features have been added and which features have been modified/transformed:

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html

Hi, sorry, yes I meant 8.22 to 8.3(1).

I upgraded through ASDM this time and it has migrated +/- 60% of the host names to the new naming standard; however, the rest it appears to have just ignored. The ACLs appear to be intact this time. I don't have any NATting on the firewall.

For example it has an entry like this

object network DMZ_Server_x.x
host x.x.x.x
description Created during name migration

but then further on in the conf it still has the other host names in the old format of name x.x.x.x description, and has not removed these types of entries. Comments?

Yes, with the new version 8.3, everything is object based. All the NAT statements are now object based, hence you will be seeing a lot of the object based entries.

There are 2 types of objects now in version 8.3:

1) "object network" would be the object for the NAT statement. Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/no.html#wp1819044

2) "object-group network" would be the old object-group to group hosts/subnets together. Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/no.html#wp1815632

The "name" command will still exist in version 8.3.

Here is the ASA 8.3 migration guide for your reference (it includes which commands are migrated to which new commands):

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Hope that helps.
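The thread describes the migration by hand: every "name x.x.x.x Description" entry becomes an "object network Description" block with a "host x.x.x.x" line, and the poster found that ASDM converted only part of the list. The script below is an added example, not code from the thread or from Cisco, that does the audit a practitioner would want before and after such an upgrade: it parses the "name" entries and the "object network" blocks out of a config, lists the names that have no object carrying the same host, generates the missing object blocks in the migration format shown in the thread, and reports which access-list lines still depend on an unmigrated name. The config it runs on is a constructed sample (addresses, object names and ACL names are invented for the example); point it at a real "show running-config" capture by replacing SAMPLE_CONFIG.

```python
import re

# Constructed sample of an 8.2-style config after a partial migration (not from
# the thread): three "name" entries, of which only DMZ_Server_1 already has an
# "object network" block, plus ACLs that still reference the names.
SAMPLE_CONFIG = """\
name 10.1.1.10 DMZ_Server_1 description web front end
name 10.1.1.20 DMZ_Server_2
name 10.2.2.5 Mail_Server description internal mail
object network DMZ_Server_1
 host 10.1.1.10
 description Created during name migration
access-list outside_in extended permit tcp any host DMZ_Server_1 eq 80
access-list outside_in extended permit tcp any host DMZ_Server_2 eq 443
access-list inside_out extended permit tcp host Mail_Server any eq 25
"""

# "name <ip> <name> [description <text>]" as written in ASA 8.2 configs.
NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)(?:\s+description\s+(.*))?$")
OBJECT_RE = re.compile(r"^object network\s+(\S+)$")
HOST_RE = re.compile(r"^\s+host\s+(\S+)$")
ACL_RE = re.compile(r"^access-list\s+")


def parse_names(config):
    """Return {name: (ip, description)} for every 'name' entry in the config."""
    names = {}
    for line in config.splitlines():
        m = NAME_RE.match(line)
        if m:
            ip, name, desc = m.groups()
            names[name] = (ip, desc or "")
    return names


def parse_objects(config):
    """Return {object_name: host_ip} for every 'object network' that has a 'host' line."""
    objects = {}
    current = None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current:
            h = HOST_RE.match(line)
            if h:
                objects[current] = h.group(1)
            elif not line.startswith(" "):
                current = None  # left the indented object body
    return objects


def unmigrated_names(config):
    """Names with no 'object network' of the same name carrying the same host."""
    names = parse_names(config)
    objects = parse_objects(config)
    return sorted(n for n, (ip, _) in names.items() if objects.get(n) != ip)


def render_objects(config):
    """Emit 'object network' blocks for the unmigrated names, in the format
    the ASDM migration produced for the ones it did convert."""
    names = parse_names(config)
    out = []
    for n in unmigrated_names(config):
        ip, desc = names[n]
        out.append(f"object network {n}")
        out.append(f" host {ip}")
        out.append(f" description {desc or 'Created during name migration'}")
    return "\n".join(out)


def acl_lines_using_unmigrated(config):
    """ACL lines that still reference a name with no object behind it; these
    are the lines to re-check once the 'name' entries are cleaned up."""
    missing = set(unmigrated_names(config))
    return [line for line in config.splitlines()
            if ACL_RE.match(line) and set(line.split()) & missing]


if __name__ == "__main__":
    print("Unmigrated names:", unmigrated_names(SAMPLE_CONFIG))
    print(render_objects(SAMPLE_CONFIG))
    for line in acl_lines_using_unmigrated(SAMPLE_CONFIG):
        print("ACL still uses an unmigrated name:", line)
```

Matching on both object name and host address is deliberate: ASDM may create an object under a different name (the thread shows "DMZ_Server_x.x"), and a name whose object exists but points at a different host is exactly the kind of silent mismatch that leaves an ACL permitting the wrong address.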
