ASA 8.3 to 8.4 Upgrade - Mirror update?

I'm upgrading an ASA 5510 from 8.3 to 8.4.

I know from 8.2 to 8.3 was not a mirror update because of NAT and access-list, but is from 8.3 to 8.4 a mirror update, or is there anything which I should be aware of?

Any help would be highly appreciated.

5 REPLIES

ASA 8.3 to 8.4 Upgrade - Mirror update?

The only difference that you'll see is that all identity NATs will include 'no proxy-arp' and 'route-lookup'. The 'unidirectional' keyword will be removed. This will maintain existing functionality and your upgrade should not require any special considerations beyond that. Be cautious and back up your config still.

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349
Silver

ASA 8.3 to 8.4 Upgrade - Mirror update?

Which version of 8.4 are you upgrading to? There are many bugs in 8.4.1 and in 8.4.2; better to go to 8.4.3.

Siddhartha
New Member

Re: ASA 8.3 to 8.4 Upgrade - Mirror update?

Thank you,

The steps I will take to upgrade the ASA will be to load the new file in flash and then force the ASA to boot from the new image.

I am guessing that there will be no additional configuration required?

Also when would I use proxy-arp or route lookup?

ASA 8.3 to 8.4 Upgrade - Mirror update?

You are correct in assuming that there should be no additional configuration required. Once the ASA boots into the new code you should have the same functionality as before without having to make manual changes to your configuration.

You would use proxy ARP when you have address space from the ISP that is separate from the address that is on your 'outside' interface. Basically, when the ISP routes to your other address space it will ARP for the address it is trying to reach, and with proxy ARP your ASA would reply back to the ARP on behalf of the address that is represented by a NAT.

The route-lookup command is to determine the egress interface by interrogating the routing table rather than using the interface specified in the nat command.

Hope this helps.

Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

Kind Regards, Kevin Sheahan, CCIE # 41349
Bronze

ASA 8.3 to 8.4 Upgrade - Mirror update?

Another consideration if you are using the default pix/asa username to login to your ASA.

Increased SSH security; the SSH default username is no longer supported—Starting in 8.4(2), you can no longer connect to the ASA using SSH with the pix or asa username and the login password. To use SSH, you must configure AAA authentication using the aaa authentication ssh console LOCAL command (CLI) or Configuration > Device Management > Users/AAA > AAA Access > Authentication (ASDM); then define a local user by entering the username command (CLI) or choosing Configuration > Device Management > Users/AAA > User Accounts (ASDM). If you want to use a AAA server for authentication instead of the local database, we recommend also configuring local authentication as a backup method.
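A pre-upgrade check for the SSH change quoted above, as an added example that is not part of the original thread or any Cisco tooling: it scans a saved running-config for SSH management access that would stop working after 8.4(2) unless AAA and a local user are configured. The function name, finding labels and sample config are constructed for illustration, and only IPv4 `ssh` permit lines are recognized (assumption).

```python
import re

# Constructed 8.3-style running-config excerpt (not from the thread).
SAMPLE_CONFIG = """\
hostname edge-fw
passwd <hash> encrypted
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
"""

FINDINGS = {
    "no-aaa-ssh": "SSH is permitted but 'aaa authentication ssh console' is absent; "
                  "pix/asa + login password stops working in 8.4(2)",
    "no-local-fallback": "SSH AAA uses a server group without LOCAL as backup",
    "no-local-user": "no 'username' entry exists for LOCAL authentication",
}

def ssh_upgrade_findings(config: str) -> list[str]:
    """Return finding keys for SSH access that 8.4(2) would break or weaken."""
    lines = [line.strip() for line in config.splitlines()]
    # 'ssh <ip> <mask> <interface>' permits management access;
    # 'ssh timeout' / 'ssh version' lines do not. IPv4 only (assumption).
    permits = [l for l in lines if re.fullmatch(r"ssh \d+(\.\d+){3} \S+ \S+", l)]
    if not permits:
        return []  # SSH management not enabled, nothing to lock out
    aaa = next((l for l in lines
                if l.startswith("aaa authentication ssh console ")), None)
    methods = aaa.split()[4:] if aaa else []
    users = [l for l in lines if re.match(r"username \S+ ", l)]
    found = []
    if aaa is None:
        found.append("no-aaa-ssh")
    elif "LOCAL" not in methods:
        found.append("no-local-fallback")
    # A local user is needed whenever LOCAL is (or must become) a method.
    if (aaa is None or "LOCAL" in methods) and not users:
        found.append("no-local-user")
    return found

if __name__ == "__main__":
    for key in ssh_upgrade_findings(SAMPLE_CONFIG):
        print(f"{key}: {FINDINGS[key]}")
```

Run it against the config backup taken before the upgrade; an empty result means SSH logins already go through AAA with a local user available.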
