ASA 5510 upgrade from 7.3 to 9.1

gwilliamsn
Level 5

The ASA ran an upgrade of the config. I ended up with a few things I am not understanding.

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
object network obj_any-03
 subnet 0.0.0.0 0.0.0.0
object network obj_any-04
 subnet 0.0.0.0 0.0.0.0
object network obj_any-05
 subnet 0.0.0.0 0.0.0.0
object network obj_any-06
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 nat (inside,outside) dynamic obj-0.0.0.0
object network obj_any-02
 nat (inside,dmz) dynamic obj-0.0.0.0
object network obj_any-03
 nat (inside,dmz1) dynamic obj-0.0.0.0
object network obj_any-04
 nat (dmz,outside) dynamic obj-0.0.0.0
object network obj_any-05
 nat (dmz1,outside) dynamic obj-0.0.0.0
object network obj_any-06
 nat (dmz1,dmz) dynamic obj-0.0.0.0

What does this all mean?

Thank you

8 Replies

That means that you just realized what probably every admin who upgraded the ASA realized before ... The automatic upgrade function (at least for the config migration <8.3 --> >=8.3) nearly always generates a non-usable config.

If your NAT-config is not too complex you should start over and build all NAT rules from scratch.

For your particular question: Have you removed the "nat-control" command before upgrading? If I remember right I also had a similar config when I forgot to remove that command before going to 8.3/8.4.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Unfortunately I did not do the upgrade. Since I had never done an upgrade before we brought in a consultant. I do believe Nat-Control was left in the config.

Is it safe to remove these lines of code? I can't figure out what they are for.

The ASA is working without issue but I don’t like to have unnecessary config if not needed.

I have this in place.

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (inside,outside) dynamic external IP

I assume that these nat-statements can be removed, but that is dependent on the rest of the NAT-config. What they do is NAT-Exemption for all traffic that has no dedicated NAT-rule. Normally you don't need them as NAT-exemption is configured in NAT-section 1 (manual NAT before the object-NAT).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Well I don't think that you should remove the NAT commands in place, these are PATs that translate the networks behind the first named interface to the second named interface to the IP that is associated to the interface.

On disk0 you should have a backup configuration but if you don't have it there then what I would suggest is posting the complete configuration of before and after the upgrade. Either way if you remove any NAT command and something breaks you will know that something is wrong.

Value our effort and rate the assistance!

I just thought again about the meaning of this rule and remembered what it did:

The translation is to a host address of 0.0.0.0/32 which in fact is invalid (it does not translate to the interface address). It enforces the behaviour of "nat-control" after the migration. If no other rule matches the traffic, then this rule is used and drops the traffic because no translation can be built (you can't translate to the address 0.0.0.0).

If these lines are in the config after the migration, then every traffic through the ASA needs a dedicated NAT-rule as it was in the old PIX-days. There it was meant as a secondary access-control mechanism but that's quite outdated nowadays where the ASA often sits in internal networks where no NAT is needed.

So my recommendation is:

Remove these lines, but at the same time make sure that your config doesn't depend on this dropping to restrict the traffic. When you remove these lines, only allowed traffic should have permit statements in the Access-Lists.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
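To act on the recommendation above you first need to know which interface pairs currently rely on the migrated catch-all rule. The script below is an added example, not code from the thread or from Cisco: it parses a saved ASA running configuration (the sample text is constructed from the objects posted in the question) and reports every dynamic object-NAT statement whose mapped object is the invalid host 0.0.0.0, so those interface pairs can be checked against the access-lists before the rules are removed. It assumes `show running-config` formatting (sub-commands indented by one space) and only understands `host`, and `nat (real,mapped) dynamic <object>` lines; other NAT forms are ignored.

```python
"""Flag ASA object-NAT rules left behind by the nat-control migration.

Added example for this thread; not Cisco's code. It scans configuration
text for network objects defined as 'host 0.0.0.0' and lists each
'nat (real,mapped) dynamic <object>' statement that maps to such an
object. Traffic hitting these rules is dropped because no translation
to 0.0.0.0 can be built, so the listed interface pairs depend on the
implicit drop and need review before the rules are deleted.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the configuration posted in the thread.
# The last object is a normal PAT to the interface and must not be flagged.
SAMPLE_CONFIG = """\
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 nat (inside,outside) dynamic obj-0.0.0.0
object network obj_any-02
 nat (inside,dmz) dynamic obj-0.0.0.0
object network obj_any
 nat (inside,outside) dynamic interface
"""

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
HOST_RE = re.compile(r"^\s+host (\S+)\s*$")
NAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) dynamic (\S+)\s*$")

NatRule = Tuple[str, str, str, str]  # (real_object, real_if, mapped_if, mapped_object)


def parse_objects(config: str) -> Tuple[Dict[str, str], List[NatRule]]:
    """Return (host_objects, nat_rules) parsed from the configuration text.

    host_objects maps object name -> address for 'host x.x.x.x' objects.
    nat_rules holds one tuple per object-NAT 'dynamic' statement; the
    enclosing 'object network' line supplies the real object name.
    """
    hosts: Dict[str, str] = {}
    nats: List[NatRule] = []
    current = None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue  # sub-command outside any object block; ignore
        m = HOST_RE.match(line)
        if m:
            hosts[current] = m.group(1)
            continue
        m = NAT_RE.match(line)
        if m:
            nats.append((current, m.group(1), m.group(2), m.group(3)))
    return hosts, nats


def find_nat_control_artifacts(config: str) -> List[Tuple[str, str, str]]:
    """Return (real_object, real_if, mapped_if) for every dynamic object-NAT
    rule whose mapped object is the host 0.0.0.0, i.e. the catch-all drop
    rule the 8.3+ migration emits in place of 'nat-control'."""
    hosts, nats = parse_objects(config)
    bogus = {name for name, addr in hosts.items() if addr == "0.0.0.0"}
    return [(obj, real_if, mapped_if)
            for obj, real_if, mapped_if, mapped in nats
            if mapped in bogus]


if __name__ == "__main__":
    for obj, real_if, mapped_if in find_nat_control_artifacts(SAMPLE_CONFIG):
        print(f"{real_if} -> {mapped_if}: object {obj} maps to host 0.0.0.0 "
              f"(implicit drop, review ACLs before removing)")
```

Run it against a copy of `show running-config`; each reported pair is one where, after the rule is deleted, only the access-lists will decide what passes, which is exactly the dependency the post above says to check first.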

Can you get us the configurations that I requested?

Do you still need the assistance?

Please rate the assistance.