07-02-2010 01:56 AM - edited 03-11-2019 11:06 AM
Hi All,
A client ordered a new ASA5520, but urgently needed a firewall in place, so I loaned the client one of my older 5520s running 6.22, thinking that once their equipment is delivered I will downgrade the software on the new device, install the running config, and then upgrade it back to 6.3.
Problem - The downgrade was no issue at all; the new firewall works perfectly on ver 6.22 and the config is 100%. When I upgrade to 6.3, the name format has changed and it has not imported the naming convention of the hosts to the new version, thus resulting in the majority of the ACLs not being implemented.
I created a doc to manually change the naming std from "name x.x.x.x Description" to "object network Description
host x.x.x.x"
Once this was imported the hostnames all appear fine; however, there are still issues with the ACLs. Long story short, only if I manually modify the config does it appear to be ok for ver 6.3. My question is, why doesn't this happen automatically, or have I missed something?
07-02-2010 02:07 AM
I assume that you mean you were running ASA 8.2.2 and you have upgraded it to ASA 8.3.
There are a couple of major feature transformations in ASA 8.3:
1) Complete transformation of NAT - NAT in 8.3 is now object-based, and the old nat/global and static statements no longer exist in this version.
Here is the configuration guide on NAT in 8.3 for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1122015
2) Interface ACL on ASA 8.3 now should refer to the real address when NAT is configured instead of the mapped address.
Here are the release notes for 8.3 on what new features have been added and which features have been modified/transformed:
http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html
07-02-2010 02:39 AM
Hi, sorry, yes I meant 8.22 to 8.3(1).
I upgraded through ASDM this time and it has migrated +/- 60% of the host names to the new naming std; however, the rest it appears to have just ignored. The ACLs appear to be intact this time. I don't have any NATting on the firewall.
For example it has an entry like this
object network DMZ_Server_x.x
host x.x.x.x
description Created during name migration
but then further on in the conf it still has the other host names in the old format of name x.x.x.x description, and has not removed these types of entries. Comments?
07-03-2010 04:37 AM
Yes, with the new version 8.3, everything is object-based. All the NAT statements are now object-based, hence you will be seeing a lot of the object-based entries.
There are 2 types of objects now in version 8.3:
1) "object network"
http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/no.html#wp1819044
2) "object-group network"
http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/no.html#wp1815632
The "name" command will still exist in version 8.3.
Here is the ASA 8.3 migration guide for your reference (it includes which commands are migrated to which new commands):
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
Hope that helps.
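As an added example (not from the thread or from Cisco), here is a small Python check for the situation described above: it parses legacy `name` commands and the `object network` blocks an 8.3 migration produced, reports which names still lack an object, flags ACL lines that reference those unmigrated names, and renders the missing `object network` blocks in the format shown in the thread. The config fragment is constructed for illustration; the description text "Created during name migration" is the one the migration itself uses.

```python
import re

# Constructed pre/post-migration config fragment (not from the thread).
SAMPLE_CONFIG = """\
name 10.1.1.10 DMZ_Web description Web server
name 10.1.1.20 DMZ_Mail
object network DMZ_Web
 host 10.1.1.10
 description Created during name migration
access-list OUTSIDE_IN extended permit tcp any host DMZ_Web eq 80
access-list OUTSIDE_IN extended permit tcp any host DMZ_Mail eq 25
"""

# ASA syntax: name <ip> <name> [description <text>]
NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)(?:\s+description\s+(.*))?$")
OBJECT_RE = re.compile(r"^object network\s+(\S+)$")


def parse_names(config):
    """Return {name: (ip, description)} for every legacy 'name' command."""
    names = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            ip, name, desc = m.groups()
            names[name] = (ip, desc or "")
    return names


def parse_objects(config):
    """Return the set of 'object network' names already defined."""
    objects = set()
    for line in config.splitlines():
        m = OBJECT_RE.match(line.strip())
        if m:
            objects.add(m.group(1))
    return objects


def unmigrated_names(config):
    """Legacy names that the migration did not turn into objects."""
    return sorted(set(parse_names(config)) - parse_objects(config))


def acl_refs_to_unmigrated(config):
    """Names referenced by access-list lines but lacking an object."""
    missing = set(unmigrated_names(config))
    hits = set()
    for line in config.splitlines():
        if line.startswith("access-list"):
            hits.update(tok for tok in line.split() if tok in missing)
    return sorted(hits)


def render_objects(config):
    """Emit 'object network' blocks for the unmigrated names."""
    names, out = parse_names(config), []
    for name in unmigrated_names(config):
        ip, desc = names[name]
        out += [f"object network {name}", f" host {ip}",
                f" description {desc or 'Created during name migration'}"]
    return "\n".join(out)
```

Running `render_objects` over a real 8.3 config gives the blocks to paste in before re-testing the ACLs, while `acl_refs_to_unmigrated` shows which rules were silently left pointing at names with no object behind them.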