ASA 8.2 upgrade to 9.x

Hello,

So I have a new project upgrading our old 5510 over here to 5515x. 5510 is running 8.2 and 5515x will run 9.x. From what I have read I won't be able to easily just copy running config and slap it on a new 5515x. Does anybody know whether Cisco introduced drastic CLI config changes? What features will most likely need my attention the most? I have never worked with 9.x yet so not sure what changed and what didn't. I hear commands for NATing sort of changed....

Thanks,

-Ignat

Accepted Solutions

Hi Ignat,

Yes, NAT has changed since the 8.3+ code.

Please find useful links for your upgrade:

http://www.tunnelsup.com/nat-converter

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

New Member

Thank you sir. Did anything else change? I got s2s VPN tunnels, Remote Access, OSPF running on that 5510.

Hi,

AFAIK it's pretty much the same with the exception of AnyConnect and IKEv2 for VPNs.

New Member

Yeah we don't use AnyConnect and I believe all tunnels are IKEv1. This is not too bad; I thought I would have to reverse engineer the whole thing over the weekends. Thank you sir.

Hall of Fame Super Silver

The other bit to note are any "outside-in" access-lists. The old code referenced the NATted address for any public facing servers. The new syntax refers instead to the real IP address of the server(s) in the ACL.

It's only an issue if you have some static NAT or PAT and are allowing inbound access.

A few commands (like nat control for example) have been deprecated. If you move in your old config a couple of lines at a time you can watch for errors as the parser reads them and adjust accordingly.

Set up the new unit in an offline lab and you can check out all the syntax errors ahead of time.
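An added example (not part of the original post) of a pre-migration check for the points in the reply above: it maps each host static's mapped address to its real address in a pre-8.3 config, then flags `nat-control`, `static` lines, and ACL entries that still reference a mapped address, giving the real-address form that 8.3+ expects. The sample config, its addresses, and the issue labels are constructed for illustration; only host statics whose ports are unchanged are handled.

```python
import re

# Constructed ASA 8.2-style sample (documentation addresses, not from the thread).
SAMPLE_82_CONFIG = """\
nat-control
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.11 smtp 192.168.10.25 smtp netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq https
access-list outside_in extended permit tcp any host 203.0.113.11 eq smtp
access-list outside_in extended permit icmp any any echo-reply
access-group outside_in in interface outside
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Pre-8.3 form: static (real_if,mapped_if) [tcp|udp] mapped_ip [port] real_ip [port] ...
STATIC_RE = re.compile(r"^static \(\S+,\S+\) (?:(?:tcp|udp) )?" + IP + r"(?: \S+)? " + IP)


def mapped_to_real(config):
    """Return {mapped_ip: real_ip} for every host static NAT/PAT line."""
    pairs = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs


def audit(config):
    """Return (line_no, issue, original, suggested) tuples for a pre-8.3 config."""
    nat_map = mapped_to_real(config)
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        tokens = line.split()
        if line == "nat-control":
            findings.append((n, "deprecated", line, None))
        elif line.startswith("static ("):
            findings.append((n, "nat-syntax-changed", line, None))
        elif tokens[:1] == ["access-list"] and any(t in nat_map for t in tokens):
            # 8.3+ ACLs match on the real address, so swap mapped -> real.
            fixed = " ".join(nat_map.get(t, t) for t in tokens)
            findings.append((n, "acl-uses-mapped-ip", line, fixed))
    return findings


if __name__ == "__main__":
    for n, issue, original, suggested in audit(SAMPLE_82_CONFIG):
        print(f"line {n}: {issue}: {original}")
        if suggested:
            print(f"    8.3+ ACL form: {suggested}")
```

An inbound ACL entry left pointing at the mapped address after the move to 8.3+ no longer matches the traffic it was written for, so each flagged entry should be reviewed in the offline lab before cutover.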

New Member

Yeah that was the plan. Boot it up off the network and paste line by line to see what it likes and what it doesn't. Hopefully NAT is the only thing I will have to deal with.
