Cisco Support Community

New Member

Cisco ASA OS Update

Hello Experts,

Presently we are using OS version 8.2.5 on an ASA 5510 and are now planning to update it to version 8.4.7, which I believe is a stable version. Please confirm if you advise any other version.

Also, the NATTING and ACL format will be changed after updating the IOS. Do I need to create the ACL and NAT statements again once the firewall OS gets updated, or will it be done automatically?

 

Thanks

6 REPLIES

Hi,

Make sure you've got the minimum RAM to run 8.4+ code. For the 5510 it's 1 GB:

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/product_bulletin_c25-586414.html

Also, NAT has changed in 8.3+ code:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

New Member

Yes John, we have 1 GB RAM so no worries, and I read about how NAT works in the latest version, where it looks like it works like Checkpoint NAT rules. Is it?

VIP Purple

8.4.7 is a good version to use. Depending on your config you should consider the newest interim version because there were some security bugs in the last Security Advisory.

The config will be automatically migrated. But there are two important points:

  1. Make sure your config works without "nat-control" and remove that command before you migrate.
  2. Expect that it won't work after the migration. If your NAT config is complex (even a little bit), then the migration doesn't work really well. I typically take that as an opportunity to completely rewrite the NAT config from scratch. More work before, but all in all it works better that way.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Thanks Karsten for your valuable response. So I can go for the latest version 9.02 (I believe), as the 8.4.7 version has some security bugs.

NAT-Control is disabled. In the current scenario, Static NAT, PAT and NO NAT config are in place. Won't it be automatically updated once the migration is completed? Do I still need to note down the NAT and ACL rules in advance?

Thanks.

VIP Purple

The ACLs are typically migrated correctly. But the NAT is often a huge mess. Do you have a spare ASA to do an offline-migration with your config? With that you could examine the migrated config and see if it matches your needs.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

No, we don't have one. There are not many NAT rules, so we can work on re-creating the NAT rules, if need be.
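
An added example, not part of the thread and not Cisco tooling: a Python sketch that inventories the NAT-related lines of an 8.2-style config before the upgrade, so a leftover `nat-control` is spotted and the migrated 8.3+ NAT can be checked rule by rule against the original. The sample config, the function names and the category labels are constructed, and the patterns cover only the common pre-8.3 statement forms.

```python
import re
from collections import defaultdict

# Constructed sample of a pre-8.3 (8.2-style) config; addresses are documentation ranges.
SAMPLE_CONFIG = """\
nat-control
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
"""

# Order matters: the "nat 0" form is tested before the general dynamic form.
PATTERNS = [
    ("nat-control", re.compile(r"^nat-control$")),
    ("static NAT", re.compile(r"^static \(\S+,\S+\) ")),
    ("no-NAT (nat 0)", re.compile(r"^nat \(\S+\) 0 ")),
    ("dynamic NAT/PAT", re.compile(r"^nat \(\S+\) [1-9]\d* ")),
    ("global pool", re.compile(r"^global \(\S+\) \d+ ")),
]

def inventory(config_text):
    """Group the NAT-related lines of an 8.2-style config by kind."""
    found = defaultdict(list)
    for raw in config_text.splitlines():
        line = raw.strip()
        for kind, pattern in PATTERNS:
            if pattern.match(line):
                found[kind].append(line)
                break
    return dict(found)

def nat_acls(config_text):
    """Return the entries of every ACL referenced by a 'nat ... access-list' line."""
    names = set(re.findall(r"^\s*nat \(\S+\) \d+ access-list (\S+)", config_text, re.M))
    return {n: re.findall(rf"^\s*(access-list {re.escape(n)} .+)$", config_text, re.M)
            for n in names}

if __name__ == "__main__":
    for kind, lines in inventory(SAMPLE_CONFIG).items():
        print(f"[{kind}]")
        for entry in lines:
            print("  " + entry)
    for name, entries in nat_acls(SAMPLE_CONFIG).items():
        print(f"[ACL used by NAT: {name}]")
        for entry in entries:
            print("  " + entry)
```

Saving this inventory next to a backup of the running config gives a checklist to walk through after the upgrade, whether the NAT is migrated automatically or rewritten from scratch.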
