Cisco ASA OS Update

Adley Francois
Level 1

Hello Experts,

Presently we are using OS version 8.2.5 on an ASA 5510 and are now planning to update it to version 8.4.7, which I believe is a stable version. Please confirm, or advise if you would recommend any other version.

Also, the NATTING and ACL format will be changed after updating the IOS. Do I need to create the ACL and NAT statements again once the firewall OS gets updated, or will it be done automatically?

 

Thanks

6 Replies

johnlloyd_13
Level 9

Hi,

Make sure you've got the minimum RAM to run 8.4+ code. For the 5510 it's 1 GB:

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/product_bulletin_c25-586414.html

Also, NAT has changed in 8.3+ code:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Yes John, we have 1 GB of RAM, so no worries. I read about how NAT works in the latest version, and it looks like it works like Checkpoint NAT rules. Is that so?

8.4.7 is a good version to use. Depending on your config you should consider the newest interim version because there were some security bugs in the last security advisory.

The config will be automatically migrated. But there are two important points:

  1. Make sure your config works without "nat-control" and remove that command before you migrate.
  2. Expect that it won't work after the migration. If your NAT config is complex (even a little bit), then the migration doesn't work really well. I typically take that as an opportunity to completely rewrite the NAT config from scratch. More work before, but all in all it works better that way.

Thanks Karsten for your valuable response. So I can go for the latest version, 9.02 (I believe), as version 8.4.7 has some security bugs.

NAT-Control is disabled. In the current scenario, the Static NAT, PAT and NO NAT config is in place. Won't it be automatically updated once the migration is completed? Do I still need to note down the NAT and ACL rules in advance?

Thanks.

The ACLs are typically migrated correctly. But the NAT is often a huge mess. Do you have a spare ASA to do an offline migration with your config? With that you could examine the migrated config and see if it matches your needs.

No, we don't have one. There are not many NAT rules, so we can work on re-creating the NAT rules if need be.
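
Added example, not part of any post above and not Cisco tooling: a Python script that inventories the pre-8.3 NAT statements in a saved 8.2 running-config (nat-control, NAT exemption, dynamic NAT with its global pools, static NAT and static PAT), so each rule can be checked against the migrated config or rewritten by hand. The sample config, the category names and the function names are constructed for illustration.

```python
import re

# Constructed sample of an ASA 8.2-style running-config (not from the thread).
SAMPLE_CONFIG = """\
nat-control
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 10.1.1.0 255.255.255.0
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
static (dmz,outside) tcp interface 443 192.168.50.20 443 netmask 255.255.255.255
"""

# Pre-8.3 NAT command forms, checked in order; the first match wins.
PATTERNS = [
    ("nat_control", re.compile(r"^nat-control$")),
    ("no_nat",      re.compile(r"^nat \(\S+\) 0 ")),          # NAT ID 0: exemption/identity
    ("dynamic_nat", re.compile(r"^nat \(\S+\) [1-9]\d* ")),   # paired with a global pool
    ("global_pool", re.compile(r"^global \(\S+\) [1-9]\d* ")),
    ("static_pat",  re.compile(r"^static \(\S+,\S+\) (tcp|udp) ")),
    ("static_nat",  re.compile(r"^static \(\S+,\S+\) ")),
]

def inventory_nat(config_text):
    """Return {category: [config lines]} for every pre-8.3 NAT statement found."""
    found = {name: [] for name, _ in PATTERNS}
    for raw in config_text.splitlines():
        line = raw.strip()
        for name, pattern in PATTERNS:
            if pattern.match(line):
                found[name].append(line)
                break
    return found

def unpaired_nat_ids(found):
    """NAT IDs that appear in 'nat' without a matching 'global', or the reverse."""
    nat_ids = {line.split()[2] for line in found["dynamic_nat"]}
    global_ids = {line.split()[2] for line in found["global_pool"]}
    return sorted(nat_ids ^ global_ids, key=int)

if __name__ == "__main__":
    result = inventory_nat(SAMPLE_CONFIG)
    for category, lines in result.items():
        print(f"{category}: {len(lines)}")
        for entry in lines:
            print(f"    {entry}")
    print("unpaired NAT IDs:", unpaired_nat_ids(result))
```

Run it against the saved 8.2 configuration before the upgrade and keep the output: it is the checklist for verifying or re-creating each rule afterwards.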
