Moving ASA config from 5510 to 5512

Unanswered Question
Apr 24th, 2014

I moved a configuration from an ASA 5510 to a 5512, and in the process went from version 8.4 to 9.0 of the IOS software. When we hook the firewall up, I can get to it from SSH, or from the outside, but a number of the NATs don't appear to be up, VPN connections via the client don't work, and there is a L2L VPN tunnel that isn't working either.

The only differences between the configs are the RSA key, which I had to regenerate for the new firewall, and the cert, which I had to install manually. I can't imagine where either of those would affect IP NATs though.

Curiously, all of the NATs that aren't working appear to be on a separate external subnet from the ones that are working, but those networks aren't defined in either config.

Suggestions?

Marvin Rhoads Thu, 04/24/2014 - 21:26
User Badges: Super Silver (17500 points or more), Hall of Fame, Cisco Designated VIP 2017 (Firewalling, Network Management, VPN)

Have a look on disk0:. There should be a startup errors file that lists the issues the parser had when it converted the file.

dustin.kinn Thu, 04/24/2014 - 21:32

I'll check that tomorrow. It didn't convert the file though; I pasted it from one ASA to the other, then went through line by line to make sure it was the same.

The only differences were that the cert didn't carry over and I had to re-enter it (which again I did by cut and paste, which might be wrong; I'm a total noob when it comes to certs), and there are a few new lines of code, mostly the xlate stuff from version 9. If I read correctly, the settings it generates preserve the functionality.

There is also a line:

crypto ca trustpool policy

which is not on the old one, but it won't let me remove it from the new one.

Again, I can't imagine that Certs would screw up my NAT settings though.
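The line-by-line comparison described above can be automated. As an added example (not code from this thread or from Cisco), the script below groups each config into top-level commands with their indented sub-lines, skips the hostname and certificate-chain blocks that are expected to differ after a migration, and reports every block that does not match. The two config excerpts are constructed samples, not the poster's configs.

```python
import re

# Constructed sample excerpts of two ASA configs (not the poster's configs).
# The certificate chain differs after a migration, as expected; the NAT line
# under object "mail-srv" was lost on the new box and should be reported.
OLD_CONFIG = """\
hostname fw-old
object network mail-srv
 host 10.1.1.20
 nat (inside,outside) static 198.51.100.20
access-list outside_in extended permit tcp any object mail-srv eq 25
crypto ca certificate chain ASDM_TrustPoint0
 certificate 01
    308201aa 30820113 a0030201 02020101 300d0609
  quit
"""
NEW_CONFIG = """\
hostname fw-new
object network mail-srv
 host 10.1.1.20
access-list outside_in extended permit tcp any object mail-srv eq 25
crypto ca certificate chain ASDM_TrustPoint0
 certificate 01
    3082a5e1 c7820113 a0030201 02020101 300d0609
  quit
"""
# Top-level commands whose blocks are expected to differ between the two units.
IGNORE = re.compile(r"^(hostname|crypto ca certificate chain) ")

def blocks(config):
    """Group a config into {top-level command: tuple of its indented sub-lines}."""
    result, current = {}, None
    for line in filter(None, map(str.rstrip, config.splitlines())):
        if line[0] != " ":                 # a new top-level command
            current = None if IGNORE.match(line) else line
            if current is not None:
                result[current] = ()
        elif current is not None:          # sub-line of a block we keep
            result[current] += (line,)
    return result

def config_diff(old, new):
    """Return {command: (old_block, new_block)} for blocks that differ (None = absent)."""
    a, b = blocks(old), blocks(new)
    keys = list(a) + [k for k in b if k not in a]
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}

if __name__ == "__main__":
    for cmd, (old, new) in config_diff(OLD_CONFIG, NEW_CONFIG).items():
        print(cmd, "\n  old:", old, "\n  new:", new)
```

Run it against the full `show running-config` output saved from each unit; a top-level command that appears with different sub-lines, or only on one side, is a candidate for the NAT or VPN lines that did not survive the paste.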

Marvin Rhoads Fri, 04/25/2014 - 05:16
User Badges: Super Silver (17500 points or more), Hall of Fame, Cisco Designated VIP 2017 (Firewalling, Network Management, VPN)

If your NAT statements were based on ACLs, that could impact the setup as some ACL syntax was changed as of 9.x.

I've done a number of upgrades to 9.x though and have not encountered any issues with NAT when moving from post-8.2 platforms. (Of course 8.2 and earlier are a whole other issue.)

dustin.kinn Fri, 04/25/2014 - 11:54

I went from 8.6 to 9.0 on the new ASA, but stupidly didn't even think twice about dropping an 8.4(2) config on the new 9.0(3) firewall. I verified my upgrade path but didn't even think about where the config was coming from.

Could that be causing my issue? Could I downgrade the 9.0 5512 to 8.4(2) and then drop the config on, then upgrade to 9.0(3) again?
