
ASA 5520 Upgrade

I need to upgrade an ASA 5520 from 8.0.4 to the latest version. I know the access list and NAT statements have changed from 8.3. Would a straight upgrade work, or is there anything else I need to do?

Any help will be greatly appreciated.

Thanks,

Lake

 


James Leinweber
Level 4

I did an 8.2 -> 9.0 migration on ASA 5520s (and later 5525-X) last year. While there are upgrade paths which will convert the configuration, I had better results re-writing it from scratch. I did use an 8.2 -> 8.4 -> 9.0 automatic rewrite in a test lab to help inspire the from-scratch work.

 

The big changes are:

   * NAT is completely different, and ACLs use the real, on-link (usually private) addresses, not the mapped (usually public) NAT addresses. I converted all of my outbound subnet mappings and inbound host mappings to phase II object NAT. I had to be careful about having phase I double-NAT rules for IPsec and other internal rewrite uses which kicked in before the phase II stuff. I didn't need any phase III rules. I ended up with a lot fewer NAT0-style phase I rules than in the old style; I like the new way better.

   * IPv6 support is completely different, with integrated ACLs for v4 and v6. So "any" is now dual-protocol, with new "any4" and "any6" keywords for the old-style single-protocol rules. Note that network object-groups can be dual-protocol, but network objects cannot.

   * You can use IKEv2 IPsec negotiations if you want.

 

-- Jim Leinweber, WI State Lab of Hygiene
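
A pre-upgrade audit along the lines of the reply above, as an added example (not from the original thread or from Cisco): it scans a pre-8.3 configuration for NAT commands that have to be rewritten and for ACL entries that reference a mapped address and will need the real address instead. The sample configuration, its addresses and the function name `audit` are constructed for illustration, and only host/network `static` lines are parsed for the mapped-to-real table.

```python
import re

# Constructed pre-8.3 sample config (documentation/private address ranges).
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.25 172.16.5.25 netmask 255.255.255.255
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.9.0.0 255.255.0.0
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.25 eq smtp
"""

# Old syntax: static (real_if,mapped_if) <mapped_ip> <real_ip> ...
STATIC_RE = re.compile(
    r"^static \(\S+,\S+\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\b")
# Every static/global/nat line in a pre-8.3 config is old-style NAT.
LEGACY_NAT_RE = re.compile(r"^(static|global|nat) \(")

def audit(config):
    """Return (findings, mapped_to_real) for a pre-8.3 ASA configuration."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    mapped_to_real = {}
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            mapped_to_real[m.group(1)] = m.group(2)
    findings = []
    for n, line in enumerate(lines, 1):
        if LEGACY_NAT_RE.match(line):
            findings.append((n, "legacy-nat", line))
        elif line.startswith("access-list "):
            tokens = line.split()
            # 8.3+ ACLs match on the real address, not the mapped one.
            for mapped, real in mapped_to_real.items():
                if mapped in tokens:
                    findings.append((n, "acl-mapped-address", f"{mapped} -> {real}"))
            # On 9.0 "any" is dual-protocol; decide between any, any4 and any6.
            if "any" in tokens:
                findings.append((n, "acl-any-dual-protocol", line))
    return findings, mapped_to_real

if __name__ == "__main__":
    for lineno, kind, detail in audit(SAMPLE_CONFIG)[0]:
        print(f"line {lineno}: {kind}: {detail}")
```
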
