Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Moving ASA config from 5510 to 5512

I moved a configuration from an ASA 5510 to a 5512, and in the process, went from version 8.4 to 9.0 of the IOS software.  When we hook the firewall up, I can get to it from SSH, or from the outside, but a number of the NATS don't appear to be up, VPN connections via the client don't work, and there is a L2L VPN Tunnel that isn't working either.

The only differences between the configs are the RSA key, which I had to regenerate for the new firewall, and I had to manually install the cert.  I can't imagine where either of those would affect IP NATs though.

Curiously, all of the NATs that aren't working appear to be on a separate external subnet than the ones that are working, but those networks aren't defined in either config.

 

Suggestions?

Everyone's tags (1)
4 REPLIES
Hall of Fame Super Silver

Have a look on disk0:. There

Have a look on disk0:. There should be a startup errors file that lists the issues the parser had when it converted the file.

Community Member

I'll check that tomorrow.  It

I'll check that tomorrow.  It didn't convert the file though, I pasted it from one ASA to the other, then went through line by line to make sure it was the same.

Only differences were that the Cert didn't carry over, I had to reinput that (which again I did by cut and paste, which might be wrong, I'm a total noob when it comes to certs), and there are a few new lines of code, mostly the xlate stuff from version 9.  If I read correctly, the settings it generates preserve the functionality.

There is also a line:

crypto ca trustpool policy

Which is not on the old, but it won't let me remove from the new.

 

Again, I can't imagine that Certs would screw up my NAT settings though.

Hall of Fame Super Silver

If your NAT statements were

If your NAT statements were based on ACLs, that could impact the setup as some ACL syntax was changed as of 9.x.

I've done a number of upgrades to 9.x though and have not encountered any issues with NAT when moving from post-8.2 platforms. (Of course 8.2 and earlier are a whole other issue.)

Community Member

I went from 8.6 to 9.0 on the

I went from 8.6 to 9.0 on the new ASA, but stupidly didn't even think twice about dropping an 8.4(2) config on the new 9.0(3) firewall.  I verified my upgrade path but didn't even think about where the config was coming from.

Could that be causing my issue?  Could I downgrade the 9.0 5512 to 8.4(2) and then drop the config on, then upgrade to 9.0(3) again?

106
Views
0
Helpful
4
Replies
CreatePlease to create content