Community Member

IOS Update Problem

Hi,

I have a Cisco 5510 firewall running IOS ASA821-k8.bin.

My company has purchased another ASA5510 with IOS ASA843-k8.bin.

We need to run both firewalls in Active/Standby mode.

If I upgrade the IOS of the old firewall to ASA843-k8.bin, the running configuration does not work properly.

It does not pick up the network objects and NAT rules as they are configured with the old IOS and running.

Or if I restore the configuration of the old firewall on the new ASA, the result is worse. The firewall with the new IOS does not even show any access rule or NAT rule and does not support network objects.

Any help to solve this issue?

Thanks

2 REPLIES
Community Member

Re:IOS Update Problem

Hi,

The versions are different and the configs are different.

Search Google with the keywords cisco 8.3 asa youtube.

You will get a video showing the steps to configure in ver 8.3.

Sent from Cisco Technical Support Android App

Pls rate useful posts.

Re:IOS Update Problem

Hi Mahmood,

You can either run both of your ASAs on ASA 8.25 OS or upgrade to 8.4.3 OS.

If you go with 8.25, you will not have many configuration changes. But if you go to 8.4, there are a few changes, especially with the NAT rules.

Static NAT/PAT

Regular Static NAT

Pre-8.3 NAT:

static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255

8.3 NAT:

object network obj-10.1.1.6
    host 10.1.1.6
    nat (inside,outside) static 192.168.100.100

Regular Static PAT

Pre-8.3 NAT:

static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255

8.3 NAT:

object network obj-10.1.1.16
    host 10.1.1.16
    nat (inside,outside) static 192.168.100.100 service tcp 8080 www

Static Policy NAT

Pre-8.3 NAT:

access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
static (inside,outside) 192.168.100.100 access-list NET1

8.3 NAT:

object network obj-10.1.2.27
    host 10.1.2.27
object network obj-192.168.100.100
    host 192.168.100.100
object network obj-10.76.5.0
    subnet 10.76.5.0 255.255.255.224
nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100
                destination static obj-10.76.5.0 obj-10.76.5.0

Regular Dynamic PAT

Pre-8.3 NAT:

nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.100.100

8.3 NAT:

object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.1.0
    subnet 10.1.1.0 255.255.255.0
    nat (dmz,outside) dynamic 192.168.100.100

Regular Dynamic PAT

Pre-8.3 NAT:

nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 192.168.100.100
global (dmz) 1 192.168.1.1

8.3 NAT:

object network obj-10.1.2.0
    subnet 10.1.2.0 255.255.255.0
    nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.2.0-01
    subnet 10.1.2.0 255.255.255.0
    nat (inside,dmz) dynamic 192.168.1.1

Regular Dynamic PAT-3

Pre-8.3 NAT:

nat (inside) 1 0 0
global (outside) 1 interface

8.3 NAT:

object network obj_any
    subnet 0.0.0.0 0.0.0.0
    nat (inside,outside) dynamic interface

Dynamic Policy NAT

Pre-8.3 NAT:

object-group network og-net-src
    network-object 192.168.1.0 255.255.255.0
    network-object 192.168.2.0 255.255.255.0
object-group network og-net-dst
    network-object 192.168.200.0 255.255.255.0
object-group service og-ser-src
    service-object tcp gt 2000
    service-object tcp eq 1500
access-list NET6 extended permit object-group og-ser-src
                object-group og-net-src object-group og-net-dst
nat (inside) 10 access-list NET6
global (outside) 10 192.168.100.100

8.3 NAT:

object network obj-192.168.100.100
    host 192.168.100.100
object service obj-tcp-range-2001-65535
    service tcp destination range 2001 65535
object service obj-tcp-eq-1500
    service tcp destination eq 1500
nat (inside,outside) source dynamic og-net-src
                obj-192.168.100.100 destination
                static og-net-dst og-net-dst
                service obj-tcp-range-2001-65535
                obj-tcp-range-2001-65535
nat (inside,outside) source dynamic og-net-src
                obj-192.168.100.100 destination
                static og-net-dst og-net-dst
                service obj-tcp-eq-1500 obj-tcp-eq-1500

Policy Dynamic NAT (with multiple ACEs)

Pre-8.3 NAT:

access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
                                  192.168.1.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
                                  192.168.2.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
                                  192.168.3.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
                                  192.168.4.0 255.255.255.0
nat (inside) 1 access-list ACL_NAT
global (outside) 1 192.168.100.100

8.3 NAT:

object network obj-172.29.0.0
    subnet 172.29.0.0 255.255.0.0
object network obj-192.168.100.100
    host 192.168.100.100
object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
object network obj-192.168.4.0
    subnet 192.168.4.0 255.255.255.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
                destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
                destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
                destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
                destination static obj-192.168.4.0 obj-192.168.4.0

Outside NAT

Pre-8.3 NAT:

global (inside) 1 10.1.2.30-10.1.2.40
nat (dmz) 1 10.1.1.0 255.255.255.0 outside
static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255

8.3 NAT:

object network obj-10.1.2.27
    host 10.1.2.27
    nat (inside,dmz) static 10.1.1.5
object network obj-10.1.1.0
    subnet 10.1.1.0 255.255.255.0
    nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40
object network obj-10.1.2.30-10.1.2.40
    range 10.1.2.30 10.1.2.40

NAT & Interface PAT together

Pre-8.3 NAT:

nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 192.168.100.100-192.168.100.200

8.3 NAT:

object network obj-192.168.100.100_192.168.100.200
    range 192.168.100.100 192.168.100.200
object network obj-10.1.2.0
    subnet 10.1.2.0 255.255.255.0
    nat (inside,outside) dynamic
               obj-192.168.100.100_192.168.100.200 interface

NAT & Interface PAT with additional PAT together

Pre-8.3 NAT:

nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 192.168.100.1-192.168.100.200
global (outside) 1 interface
global (outside) 1 192.168.100.210

8.3 NAT:

object network obj-192.168.100.100_192.168.100.200
    range 192.168.100.100 192.168.100.200
object network obj-10.0.0.0
    subnet 10.0.0.0 255.0.0.0
object network second-pat
    host 192.168.100.210
object-group network dynamic-nat-pat
    network-object object obj-192.168.100.100_192.168.100.200
    network-object object second-pat
object network obj-10.0.0.0
    nat (inside,outside) dynamic dynamic-nat-pat interface

Static NAT for a Range of Ports

Pre-8.3 NAT:

Not possible - need to write multiple statements or perform a static one-to-one NAT.

8.3 NAT:

             (in)    (out)
10.1.1.1-------ASA-----
          --xlate-------> 10.2.2.2

Original ports: 10000 - 10010
Translated ports: 20000 - 20010

object service ports
    service tcp source range 10000 10010
object service ports-xlate
    service tcp source range 20000 20010
object network server
    host 10.1.1.1
object network server-xlate
    host 10.2.2.2
nat (inside,outside) source static server server-xlate service ports ports-xlate


You need to take care of this so that there will not be any issues.

Please rate helpful posts.

By

Karthik
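
The regular static NAT and static PAT rows in the reply above follow a mechanical pattern, so a pass over the old configuration before the upgrade can rewrite those lines and list every other pre-8.3 NAT command for manual conversion. This Python example is added here and is not part of the reply or a Cisco tool; the function names and sample config are constructed, ports are emitted as written (the reply shows 80 displayed as www), and only host statics with netmask 255.255.255.255 are handled.

```python
import re
# Host statics in the two pre-8.3 forms shown in the reply above:
#   static (real_if,mapped_if) [tcp|udp] MAPPED [MPORT] REAL [RPORT] netmask 255.255.255.255
STATIC_RE = re.compile(
    r"^static \((?P<ifs>[\w-]+,[\w-]+)\) (?:(?P<proto>tcp|udp) )?"
    r"(?P<mapped>\d+(?:\.\d+){3}) (?:(?P<mport>\S+) )?"
    r"(?P<real>\d+(?:\.\d+){3})(?: (?P<rport>\S+))? netmask 255\.255\.255\.255$"
)
# Any other pre-8.3 NAT command; 8.3 "nat (a,b) ..." lines do not match.
LEGACY_RE = re.compile(r"^(static \([\w-]+,[\w-]+\)|(nat|global) \([\w-]+\)) ")

# Constructed sample input, assembled from pre-8.3 lines quoted in the reply.
SAMPLE = """\
static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255
static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255
static (inside,outside) 192.168.100.100 access-list NET1
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 192.168.100.100
"""

def convert_static(line):
    """Return 8.3 object-NAT lines for one host static, or None if unhandled."""
    m = STATIC_RE.match(" ".join(line.split()))
    if not m:
        return None  # policy NAT, subnet statics, 'interface' keyword, ...
    is_pat = m["proto"] is not None
    if [m["mport"] is not None, m["rport"] is not None] != [is_pat, is_pat]:
        return None  # protocol and both ports must appear together
    nat = f"    nat ({m['ifs']}) static {m['mapped']}"
    if is_pat:
        nat += f" service {m['proto']} {m['rport']} {m['mport']}"  # real, then mapped
    return [f"object network obj-{m['real']}", f"    host {m['real']}", nat]

def migrate(config):
    """Return (converted 8.3 lines, legacy NAT lines needing a manual rewrite)."""
    converted, manual = [], []
    for raw in config.splitlines():
        line = " ".join(raw.split())
        new = convert_static(line)
        if new:
            converted.extend(new)
        elif LEGACY_RE.match(line):
            manual.append(line)
    return converted, manual

if __name__ == "__main__":
    done, todo = migrate(SAMPLE)
    print("\n".join(done + ["! manual rewrite needed: " + t for t in todo]))
```

The lines reported as needing a manual rewrite correspond to the dynamic and policy NAT rows above, which need objects or twice NAT that cannot be derived from a single line.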
