New Member

ASA 8.2.1 to 8.4.3

Hi,

We are planning to upgrade our ASA 5520 from 8.2.1 to 8.4.3. Could you please help me with the following questions?

1. Which is the best migration plan to follow: 8.2.1->8.3->8.4.3 or 8.2.1 to 8.4.3?

We are using nat-control now, and for this reason we have many static NAT entries. I have upgraded an ASA in my lab from 8.2.1 to 8.4.2, disabled nat-control and run the "no names" command, but the auto-upgrade procedure creates NAT rules for the statics that were used for nat-control. So the configuration is huge.

2. Do I have to remove all the static NAT commands that are being used for nat-control before the upgrade?

Thank you

Red

ASA 8.2.1 to 8.4.3

Hi,

I guess just update the ASA to the latest 8.2.x, which is 8.2.5, and then you can jump straight to 8.4.x, no issues.

Moreover, in 8.4 you do not have the concept of nat-control anymore, so it makes sense to disable nat-control on the 8.2 code and remove the static that you have for it and then upgrade to avoid unnecessary things.

Hope that helps

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

Re: ASA 8.2.1 to 8.4.3

Hi Varun,

I have many static NAT entries in my firewall and I am trying to find a way to do it as simply as possible.

I am thinking of doing the following: remove every static NAT that has the same IP (used only for NAT CONTROL), like this example

static (inside,DMZ) 10.10.10.10 10.10.10.10 netmask 255.255.255.255

and leave every static NAT that is used for NAT, in order to be converted automatically

static (inside,DMZ) 10.10.10.10 192.168.1.1 netmask 255.255.255.255

Do you think that this is correct?

Something more: if I have problems after the upgrade, is there any official downgrade procedure from Cisco?

Thank you very much for the prompt answer.

Red

ASA 8.2.1 to 8.4.3

Yup, that's fine.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Red

ASA 8.2.1 to 8.4.3

Well, the upgrade procedure from the 8.2 version to 8.4 is the same as others; you can follow this doc for it:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b20f35.shtml

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

ASA 8.2.1 to 8.4.3

I am not afraid of the upgrade procedure from 8.2.1 to 8.4.3, but of the downgrade if something goes wrong. I have not found any Cisco document that describes this option. What happens with the NAT commands?

Thank you

Red

ASA 8.2.1 to 8.4.3

Here's the downgrade procedure:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp72161

The NAT commands would be automatically migrated from the 8.2 syntax to the 8.4 syntax. If you want to check how they would look post-migration, refer to this:

https://supportforums.cisco.com/docs/DOC-9129

Thanks,
Varun Rao
Security Team,
Cisco TAC

New Member

ASA 8.2.1 to 8.4.3

I will do the upgrade and I will inform you of the results.

Thank you very much,

Red

ASA 8.2.1 to 8.4.3

Sure, I'll wait for the update

Thanks, Varun Rao Security Team, Cisco TAC
New Member

ASA 8.2.1 to 8.4.3

I forgot to ask you something else. Before the upgrade I will run the "no names" command, as you know it is best practice.

After the upgrade, is it safe to enable the names command again?

Thank you

Red

ASA 8.2.1 to 8.4.3

Yes, you can enable it after the upgrade.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Hall of Fame Super Silver

Re: ASA 8.2.1 to 8.4.3

While it is safe to re-enable the names command, it would be better to use objects exclusively.

New Member

Re: ASA 8.2.1 to 8.4.3

Hi Marvin

Why is it better not to use names? Can you please explain to me?

Thank you

Hall of Fame Super Silver

Re: ASA 8.2.1 to 8.4.3

Most uses of names (NAT rules and access-lists) need an object in any case, so why do double work and have an object plus a name?

Also, while Cisco hasn't indicated any direction in this way, I would guess that eventually names will be deprecated in favor of objects.

New Member

Re: ASA 8.2.1 to 8.4.3

After 5 days of the upgrade we had no problem at all. So the steps that I have followed are the following:

1. disable nat control

2. remove unneeded NAT used for nat control

3. disable names

and then reload.

Thank you all for your support.
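
The pre-upgrade cleanup described in this thread, as an added example (not code from any poster or from Cisco): it reads an 8.2-syntax configuration, separates identity statics (mapped address equal to real address) from translating ones, and builds the change list in the order reported above. The sample configuration is constructed, and the "review" bucket for identity statics on an interface that also has a `global` pool is an added precaution, an assumption not discussed in the thread.

```python
import re

# Constructed sample in ASA 8.2 syntax. The first static is the identity
# example quoted in the thread; every other line is made up for illustration.
SAMPLE_CONFIG = """\
nat-control
names
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,DMZ) 10.10.10.10 10.10.10.10 netmask 255.255.255.255
static (inside,DMZ) 10.10.10.20 192.168.1.1 netmask 255.255.255.255
static (inside,outside) 172.16.5.0 172.16.5.0 netmask 255.255.255.0
static (inside,outside) tcp interface 8080 192.168.1.20 80 netmask 255.255.255.255
"""

# 8.2 form: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(r"^static \((\S+?),(\S+?)\) (\S+) (\S+)(.*)$")
GLOBAL_RE = re.compile(r"^global \((\S+?)\) ")


def plan_pre_upgrade(config):
    """Sort static commands into remove / review / keep buckets."""
    lines = [line.strip() for line in config.splitlines()]
    # Interfaces that have a dynamic NAT/PAT pool configured.
    pooled = {m.group(1) for line in lines if (m := GLOBAL_RE.match(line))}
    plan = {"remove": [], "review": [], "keep": []}
    for line in lines:
        m = STATIC_RE.match(line)
        if not m:
            continue
        _real_if, mapped_if, mapped, real, _rest = m.groups()
        if mapped in ("tcp", "udp") or real == "access-list":
            plan["keep"].append(line)    # port or policy static: a real translation
        elif mapped != real:
            plan["keep"].append(line)    # translating static, left for auto-migration
        elif mapped_if in pooled:
            # Identity static toward an interface with a global pool: removing
            # it may let a dynamic rule translate the host (added heuristic).
            plan["review"].append(line)
        else:
            plan["remove"].append("no " + line)
    return plan


def change_script(config):
    """Commands in the order the thread reports: nat-control, statics, names."""
    return ["no nat-control"] + plan_pre_upgrade(config)["remove"] + ["no names"]
```

Run it against a saved copy of the running configuration and check the "review" entries by hand before removing anything.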
