Cisco Support Community

New Member

Cisco ASA migration from 8.3 (1)

Hello guys,

I would like to greet you. This is my first discussion on the Cisco Support Community (previously I was on the Cisco Learning Network). I'm a lil bit worried about one thing. Currently I'm working in one of the biggest banks in my country as a network administrator, and we are planning to upgrade our ASA from version 8.3 (1) to a newer one. We noticed a lot of bugs in the current version, so upgrading is really a must. My question would be:

What is the next best software version, I mean painless for my company? I have a lot of NAT rules, ACLs and VPNs in production, so what is the difference from the current version to a newer one, let me say 8.4.7 ED? Are there any instructions for migration, and what problems may we encounter, because the Cisco documentation is a lil bit unclear and confusing?

Thanks a lot,


Mirza Cerim

Cisco Employee

Cisco ASA migration from 8.3 (1)

Hi Mirza,

Actually I think that the major upgrade is from 8.2 to 8.3; so now that you are on 8.3 it should be a big deal to upgrade your ASAs to 8.4.

Other than open caveats that might be in the release notes, you shouldn't experience major issues.

It is always good practice to schedule a maintenance window.


Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"

Cisco ASA migration from 8.3 (1)


Some gotchas (I don't like the term) to watch out for in 8.4 that got several of my customers:

1. arp permit-nonconnected. Basically, if you have NATs on your outside to a different subnet (from the actual IP used by the ASA interface), then by default they will stop working.

2. Identity NAT configurable proxy-arp and route-lookup:

If you have NONATs for VPN (or identity NAT in 8.3+ code) that look like this:

nat (inside,any) source static NET_IN1 NET_IN1 destination static NET_VPN1 NET_VPN1

then you need to add the no-proxy-arp keyword at the end in newer 8.4 code. If you don't, the ASA will start replying to ARPs for the NET_IN1 subnet on its inside interface also; this is caused by the any keyword.

If it was nat (inside,outside) ... then you're OK...

3. Managing the ASA through VPN stops working (bug CSCtr16184):

Even if you have the management-access inside command, it might fail:

You need to add the route-lookup keyword in the identity NAT:

nat (inside,outside) ... route-lookup

Be sure to review the release notes first:
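
Added example, not part of the thread: a pre-upgrade check that scans a saved ASA configuration for the three items listed in the post above. The function name `audit_config`, the check labels and the sample configuration are constructed for illustration; the NAT pattern assumes the 8.3+ manual NAT form shown in the post.

```python
import re

# Manual (twice) NAT: nat (real_if,mapped_if) [after-auto] [line] source static REAL MAPPED ...
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+(?:after-auto\s+)?(?:\d+\s+)?"
    r"source static (?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$"
)

def audit_config(text):
    """Return (line_number, check) pairs; line 0 marks a config-wide finding."""
    findings = []
    lines = [l.strip() for l in text.splitlines()]
    # Item 1: NATs to a subnet not connected to the interface depend on this command.
    if "arp permit-nonconnected" not in lines:
        findings.append((0, "arp-permit-nonconnected"))
    for n, line in enumerate(lines, 1):
        m = NAT_RE.match(line)
        if not m or m["real"] != m["mapped"]:
            continue  # only identity NAT (real object == mapped object) is checked
        keywords = m["rest"].split()
        # Item 2: identity NAT using the "any" interface without no-proxy-arp.
        if "any" in (m["real_if"], m["mapped_if"]) and "no-proxy-arp" not in keywords:
            findings.append((n, "no-proxy-arp"))
        # Item 3: identity NAT without route-lookup (matters when managing over VPN).
        if "route-lookup" not in keywords:
            findings.append((n, "route-lookup"))
    return findings

# Constructed sample configuration (object names are placeholders).
SAMPLE = "\n".join([
    "arp timeout 14400",
    "nat (inside,any) source static NET_IN1 NET_IN1 destination static NET_VPN1 NET_VPN1",
    "nat (inside,outside) source static NET_IN2 NET_IN2 destination static NET_VPN2 NET_VPN2 no-proxy-arp route-lookup",
    "nat (inside,outside) source static SRV_REAL SRV_PUBLIC",
])

if __name__ == "__main__":
    for lineno, check in audit_config(SAMPLE):
        where = "config-wide" if lineno == 0 else f"line {lineno}"
        print(f"{where}: review {check}")
```

Each finding is a prompt to review that line against the release notes for the target version, not a statement that the rule is broken.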