Cisco Support Community

ASA 5520 Upgrade

I need to upgrade an ASA 5520 from 8.0.4 to the latest version. I know the access list and NAT statements have changed from 8.3. Would a straight upgrade work, or is there anything else I need to do?

Any help will be greatly appreciated.






I did an 8.2 -> 9.0 migration on ASA 5520s (and later 5525-x) last year. While there are upgrade paths which will convert the configuration, I had better results re-writing it from scratch. I did use an 8.2 -> 8.4 -> 9.0 automatic rewrite in a test lab to help inspire the from-scratch work.


The big changes are:

   * NAT is completely different, and ACLs use the real, on-link (usually private) addresses, not the mapped (usually public) NAT addresses. I converted all of my outbound subnet mappings and inbound host mappings to phase II object NAT. I had to be careful about having phase I double-NAT rules for IPsec and other internal rewrite uses which kicked in before the phase II stuff. I didn't need any phase III rules. I ended up with a lot fewer NAT0-style phase I rules than in the old style; I like the new way better.

   * IPv6 support is completely different, with integrated ACLs for v4 and v6. So "any" is now dual-protocol, with new "any4" and "any6" keywords for the old-style single-protocol rules. Note that network object-groups can be dual-protocol, but network objects cannot.

   * You can use IKEv2 IPsec negotiations if you want.


-- Jim Leinweber, WI State Lab of Hygiene
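
The NAT and ACL changes described in the reply above, as an added example that is not part of the original post and is not Cisco's migration tool. It covers one case only: pre-8.3 host `static` statements and the ACL entries that reference their mapped addresses. The sample configuration, its addresses, and the `obj-<ip>` object names are constructed for illustration.

```python
import re

# Constructed pre-8.3 sample (RFC 1918 / RFC 5737 addresses), not from the thread.
OLD_CONFIG = """\
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.25 10.10.10.25 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.25 eq smtp
access-list outside_in extended permit icmp any host 203.0.113.99
"""

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")
HOST_RE = re.compile(r"\bhost (\d+\.\d+\.\d+\.\d+)")

def convert(old_config):
    """Return (new_config_lines, warnings) for host statics and their ACLs."""
    mapped_to_real, nat, acls, warnings = {}, [], [], []
    for line in old_config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, mapped_if, mapped, real = m.groups()
            mapped_to_real[mapped] = real
            nat += [f"object network obj-{real}", f" host {real}",
                    f" nat ({real_if},{mapped_if}) static {mapped}"]

    def fix(m):
        # 8.3+ ACLs match the real address, so swap mapped -> real.
        addr = m.group(1)
        if addr in mapped_to_real:
            return "host " + mapped_to_real[addr]
        warnings.append(f"review {addr}: no host static found ({m.string})")
        return m.group(0)

    for line in old_config.splitlines():
        line = line.strip()
        if line.startswith("access-list "):
            line = HOST_RE.sub(fix, line)
            # 9.0: bare "any" is dual-protocol; any4 keeps the IPv4-only meaning.
            acls.append(re.sub(r"\bany\b", "any4", line))
    return nat + acls, warnings

if __name__ == "__main__":
    new, warns = convert(OLD_CONFIG)
    print("\n".join(new + ["! " + w for w in warns]))
```

An ACL entry whose address has no matching `static` is left unchanged and reported, since it may already be a real address or may depend on a NAT rule this sketch does not parse.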
