I moved a configuration from an ASA 5510 to a 5512, and in the process, went from version 8.4 to 9.0 of the IOS software. When we hook the firewall up, I can get to it from SSH, or from the outside, but a number of the NATs don't appear to be up, VPN connections via the client don't work, and there is a L2L VPN tunnel that isn't working either.
The only differences between the configs are the RSA key, which I had to regenerate for the new firewall, and I had to manually install the cert. I can't imagine where either of those would affect IP NATs though.
Curiously, all of the NATs that aren't working appear to be on a different external subnet than the ones that are working, but those networks aren't defined in either config.
I'll check that tomorrow. It didn't convert the file though; I pasted it from one ASA to the other, then went through line by line to make sure it was the same.
The only differences were that the cert didn't carry over and I had to re-input that (which again I did by cut and paste, which might be wrong; I'm a total noob when it comes to certs), and there are a few new lines of code, mostly the xlate stuff from version 9. If I read correctly, the settings it generates preserve the functionality.
There is also a line:
crypto ca trustpool policy
Which is not on the old one, but it won't let me remove it from the new one.
Again, I can't imagine that certs would screw up my NAT settings though.
I went from 8.6 to 9.0 on the new ASA, but stupidly didn't even think twice about dropping an 8.4(2) config on the new 9.0(3) firewall. I verified my upgrade path but didn't even think about where the config was coming from.
Could that be causing my issue? Could I downgrade the 9.0 5512 to 8.4(2) and then drop the config on, then upgrade to 9.0(3) again?