ASA 8.2.1 to 8.4.3

tasoskypraios
Level 1

Hi,

We are planning to upgrade our ASA 5520 from 8.2.1 to 8.4.3. Could you please help me with the following questions?

1. Which is the best migration plan to follow: 8.2.1 -> 8.3 -> 8.4.3, or 8.2.1 -> 8.4.3 directly?

     We are using nat-control now and for this reason we have many static NATs. I have upgraded an ASA in my lab from 8.2.1 to 8.4.2, disabled nat-control and run the "no names" command, but the auto-upgrade procedure created NAT rules for the statics that were only there for nat-control. So the configuration is huge.

2. Do I have to remove all the static NAT commands that are used only for nat-control before the upgrade?

Thank you

14 Replies

varrao
Level 10

Hi,

I guess just update the ASA to the latest 8.2.x, which is 8.2.5, and then you can jump straight to 8.4.x, no issues.

Moreover, in 8.4 you do not have the concept of nat-control anymore, so it makes sense to disable nat-control on the 8.2 code, remove the statics that you have for it, and then upgrade to avoid unnecessary things.

Hope that helps

Thanks,
Varun Rao
Security Team,
Cisco TAC


Hi Varun,

I have many static NAT entries in my firewall and I am trying to find a way to do it as simply as possible.

I am thinking of doing the following: remove every static NAT that has the same IP on both sides (used only for nat-control), like this example

static (inside,DMZ) 10.10.10.10 10.10.10.10 netmask 255.255.255.255

and leave every static NAT that is used for an actual translation, so that it is converted automatically

static (inside,DMZ) 10.10.10.10 192.168.1.1 netmask 255.255.255.255

Do you think that this is correct?

Something more: if I have problems after the upgrade, is there any official downgrade procedure from Cisco?

Thank you very much for the prompt answer

yup that's fine.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Well, the upgrade procedure from the 8.2 version to 8.4 is the same as for the others; you can follow this doc for it:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b20f35.shtml

Thanks,
Varun Rao
Security Team,
Cisco TAC


I am not afraid of the upgrade procedure from 8.2.1 to 8.4.3, but of the downgrade if something goes wrong. I have not found any Cisco document that describes this option. What happens with the nat commands?

Thank you

Here's the downgrade procedure:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp72161

The nat commands would be automatically migrated from the 8.2 syntax to the 8.4 syntax; if you want to check how they would look post-migration, refer to this:

https://supportforums.cisco.com/docs/DOC-9129

Thanks,
Varun Rao
Security Team,
Cisco TAC


I will do the upgrade and report back with the results.

Thank you very much,

Sure, I'll wait for the update

Thanks,
Varun Rao

I forgot to ask you something else. Before the upgrade I will run the "no names" command, as you know it is best practice.

After the upgrade is it safe to enable names command again?

Thank you

Yes, you can enable it after the upgrade

Thanks,
Varun Rao
Security Team,
Cisco TAC


While it is safe to re-enable names command, it would be better to use objects exclusively.

Hi Marvin

Why is it better not to use names? Can you please explain to me?

Thank you

Most uses of names (NAT rules and access-lists) need an object in any case so why do double work and have an object plus a name?

Also, while Cisco hasn't indicated any direction in this way, I would guess that eventually names will be deprecated in favor of objects.

After 5 days since the upgrade we have had no problems at all. So the steps that I followed are the following

1. disable nat control

2. remove unneeded statics used only for nat-control

3. disable names

and then reload.

thank you all for your support
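The pre-upgrade steps summarised in the last post (disable nat-control, drop the identity statics, disable names, then upgrade) and the two `static` lines the original poster used to tell the cases apart are the kind of thing worth checking mechanically on a large 8.2 config before reloading. The script below is an added example, not code from this thread, from the poster or from Cisco. It resolves `name` aliases to addresses (what the config shows once `no names` is in effect), flags identity statics (mapped address equal to real address, existing only to satisfy nat-control) as candidates for removal, and renders the remaining statics in 8.3+/8.4 object-NAT syntax so the result can be compared with what the auto-migration produces. `SAMPLE_CONFIG` is a constructed excerpt; the `obj-<real_ip>` object names and the `-01` suffix for a second `nat` on the same host are assumptions about the migration's naming, not something the thread confirms.

```python
"""Pre-upgrade NAT review for an ASA 8.2 config (added example, not from the thread).

Resolves 'name' aliases to addresses (what the config looks like after
'no names'), flags identity statics that exist only for nat-control, and
renders the remaining statics in 8.3+/8.4 object-NAT syntax for comparison
with what the auto-migration produces.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: one identity static, one host static that uses a name,
# one subnet static, and two port statics sharing the same real host.
SAMPLE_CONFIG = """\
names
name 192.168.1.1 WEBSRV
nat-control
static (inside,DMZ) 10.10.10.10 10.10.10.10 netmask 255.255.255.255
static (inside,DMZ) 10.10.10.20 WEBSRV netmask 255.255.255.255
static (inside,outside) 203.0.113.0 172.16.1.0 netmask 255.255.255.0
static (inside,outside) tcp 203.0.113.5 80 192.168.1.20 8080 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.5 443 192.168.1.20 443 netmask 255.255.255.255
"""

HOST_MASK = "255.255.255.255"


@dataclass
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped: str          # address as seen on mapped_ifc
    real: str            # address of the host behind real_ifc
    mask: str
    proto: Optional[str] = None
    mapped_port: Optional[str] = None
    real_port: Optional[str] = None
    line: str = ""

    @property
    def is_identity(self) -> bool:
        # mapped == real means no translation happens: the line only
        # satisfies nat-control and has no job once nat-control is gone.
        return self.mapped == self.real and self.mapped_port == self.real_port


def parse_names(config: str) -> dict:
    """'name <ip> <alias>' -> {alias: ip}."""
    names = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "name":
            names[tok[2]] = tok[1]
    return names


def parse_static(line: str, names: dict) -> Optional[Static]:
    """8.2 syntax: static (real_ifc,mapped_ifc) [tcp|udp] mapped [mport] real [rport] [netmask M] ..."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "static":
        return None
    real_ifc, mapped_ifc = tok[1].strip("()").split(",")
    rest = tok[2:]
    proto = mport = rport = None
    if rest[0] in ("tcp", "udp"):
        proto, mapped, mport, real, rport = rest[:5]
        rest = rest[5:]
    else:
        mapped, real = rest[:2]
        rest = rest[2:]
    mask = HOST_MASK  # 8.2 default when netmask is omitted
    if len(rest) >= 2 and rest[0] == "netmask":
        mask = rest[1]  # trailing options (dns, norandomseq, ...) are ignored
    # Resolve name aliases; the 'interface' keyword passes through unchanged.
    return Static(real_ifc, mapped_ifc, names.get(mapped, mapped), names.get(real, real),
                  mask, proto, mport, rport, line.strip())


def to_object_nat(s: Static, used: dict) -> list:
    """Render one 8.2 static as 8.3+/8.4 object NAT.

    A network object carries at most one 'nat' statement in 8.3+, so a second
    static for the same real host gets its own object. The obj-<real> naming
    and the -01/-02 suffix are assumptions about the migration's convention.
    """
    n = used.get(s.real, 0)
    used[s.real] = n + 1
    obj = f"obj-{s.real}" if n == 0 else f"obj-{s.real}-{n:02d}"
    member = f" host {s.real}" if s.mask == HOST_MASK else f" subnet {s.real} {s.mask}"
    nat = f" nat ({s.real_ifc},{s.mapped_ifc}) static {s.mapped}"
    if s.proto:
        nat += f" service {s.proto} {s.real_port} {s.mapped_port}"
    return [f"object network {obj}", member, nat]


def plan(config: str):
    """Return (identity statics to remove before the upgrade, expected 8.4 NAT lines)."""
    names = parse_names(config)
    statics = [s for s in (parse_static(l, names) for l in config.splitlines()) if s]
    remove = [s.line for s in statics if s.is_identity]
    used, migrated = {}, []
    for s in statics:
        if not s.is_identity:
            migrated.extend(to_object_nat(s, used))
    return remove, migrated


if __name__ == "__main__":
    remove, migrated = plan(SAMPLE_CONFIG)
    print("! remove before upgrade (identity statics):")
    print("\n".join("no " + l for l in remove))
    print("! expected post-migration object NAT:")
    print("\n".join(migrated))
```

Two caveats the script does not check for you: an identity static also overrides any dynamic `nat`/`global` pair that would otherwise catch the same hosts, so confirm no such pair covers them before removing it; and the rendered object NAT is for comparison only, so still review the migrated NAT in the running configuration after the reload rather than trusting the rendering.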
