
New Member

Upgrade problems ASA5505 to ASA5512-x

So I recently acquired an ASA 5512-x to replace my old ASA 5505 to allow for more VPN connections. I was able to transfer most of the configurations from my ASA 5505 rather easily, but some of the commands didn't translate properly and I need some help. Below are the lines as they appear in the CLI of the 5505. 

global (inside) 2 interface

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 2 access-list inside_nat_outbound

nat (inside) 1 x.x.x.x y.y.y.y

nat (outside) 1 x.x.x.x y.y.y.y

static (inside,outside) tcp interface 48941 x.x.x.x 3389 netmask y.y.y.y

static (inside,outside) tcp interface 24581 x.x.x.x 3389 netmask y.y.y.y

static (inside,outside) tcp interface 8000 x.x.x.x 8000 netmask y.y.y.y

static (inside,outside) tcp interface 85 x.x.x.x 85 netmask y.y.y.y

static (inside,inside) x.x.x.x x.x.x.x netmask y.y.y.y

static (inside,inside) x.x.x.x x.x.x.x netmask y.y.y.y 

It seems to boil down to 3 command changes, but I have spent the last couple of days trying to find the answer on my own and haven't been able to get anywhere. Any help or guidance you could offer would be greatly appreciated. 

3 REPLIES
New Member

I would highly recommend you do your upgrade on your 5505 first, THEN take that upgraded config and paste it into the 5512X.

That is the process I follow when upgrading to another appliance. Your config above tells me you are running pre-8.3 code on the 5505. What is the 5512X running, 9.1? If so, then upgrade the 5505 to 9.1 and, like I said before, copy/paste there.

Keep in mind you will no longer be using "interface vlan 1" commands, so simply take the IPs from those on the 5505 and apply them to the 5512 GigabitEthernet interfaces based on your needs (i.e., G0 Outside, G1 inside etc.).
VIP Green

The problem I find when going through the upgrade path on the ASA is that the ASA adds a bunch of commands you don't really need. So I try to avoid upgrading the ASA automatically so I don't have to do a lot of cleaning up later. Having said that, if you have hundreds of NAT and ACL lines, then yes, it will save a lot of time doing the upgrade instead of manually changing the commands.

I think it is just a matter of preference and how much time you can, or are willing to, allocate to the task.

--

Please remember to rate and select a correct answer
VIP Green

nat (outside) 1 x.x.x.x y.y.y.y
First of all, I am a little curious as to why you have the above nat command? This should not be there.


static (inside,outside) tcp interface 48941 x.x.x.x 3389 netmask y.y.y.y
This command would be translated to the following:


object network <OBJECT-NAME>
  host x.x.x.x
  nat (inside,outside) static interface service tcp 3389 48941

The nat format is nat (real_int,mapped_int) static <mapped_IP> service <tcp/udp> <real_port> <mapped_port>

nat (inside) 1 x.x.x.x y.y.y.y
global (outside) 1 interface

These two commands would be translated to the following:

object network <OBJ_NAME>
  subnet x.x.x.x y.y.y.y
  nat (inside,outside) dynamic interface

Without seeing the no_nat ACL I cannot give you the exact command, but here is the format:

object network LOCAL_LAN
  subnet x.x.x.x y.y.y.y
object network REMOTE_LAN
  subnet z.z.z.z y.y.y.y
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN

nat (real_int,mapped_int) source static <real_source> <mapped_source> destination static <mapped_dst> <real_dst>

I am assuming you have the following NAT statements because you have configured nat control on your ASA?

static (inside,inside) x.x.x.x x.x.x.x netmask y.y.y.y

static (inside,inside) x.x.x.x x.x.x.x netmask y.y.y.y

If so, this is no longer required since nat control has been removed from the ASA completely. So this is not required in the configuration if my assumption is correct.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
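
The two translations given in the last reply (static PAT to object NAT, and a `nat`/`global` pair to dynamic interface PAT), applied mechanically to a block of pre-8.3 lines. This is an added Python example, not code from the thread or from Cisco; the `OBJ_<n>` object names and the sample addresses are assumptions, and anything the reply said needs the ACL or a human decision is returned separately instead of converted.

```python
import re

# Pre-8.3 forms quoted in the thread; OBJ_<n> names are hypothetical.
STATIC_PAT = re.compile(
    r"static \((\w+),(\w+)\) (tcp|udp) interface (\d+) (\S+) (\d+) netmask \S+$")
NAT_DYN = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)$")
GLOBAL_IF = re.compile(r"global \((\w+)\) (\d+) interface$")

# Constructed sample input (addresses are made up, ports are from the post).
SAMPLE = """global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface 48941 192.168.1.10 3389 netmask 255.255.255.255
static (inside,inside) 192.168.1.10 192.168.1.10 netmask 255.255.255.255"""


def convert(text):
    """Return (new_config, needs_review) for pre-8.3 NAT lines in text."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    pools = {}  # NAT id -> interfaces with "global (<if>) <id> interface"
    for line in lines:
        if m := GLOBAL_IF.match(line):
            pools.setdefault(m.group(2), []).append(m.group(1))
    new_config, needs_review, count = [], [], 0
    for line in lines:
        if GLOBAL_IF.match(line):
            continue  # used only to pair with nat lines of the same id
        if m := STATIC_PAT.match(line):
            real_if, mapped_if, proto, mapped_port, host, real_port = m.groups()
            count += 1
            new_config += [f"object network OBJ_{count}", f"  host {host}",
                           f"  nat ({real_if},{mapped_if}) static interface "
                           f"service {proto} {real_port} {mapped_port}"]
            continue
        m = NAT_DYN.match(line)
        targets = []
        if m and m.group(3) != "access-list":
            real_if, nat_id, net, mask = m.groups()
            targets = [i for i in pools.get(nat_id, []) if i != real_if]
        for mapped_if in targets:  # one object per (real, mapped) pair
            count += 1
            new_config += [f"object network OBJ_{count}", f"  subnet {net} {mask}",
                           f"  nat ({real_if},{mapped_if}) dynamic interface"]
        if not targets:
            # ACL-based NAT, same-interface pairs, identity statics: manual work
            needs_review.append(line)
    return new_config, needs_review


if __name__ == "__main__":
    cfg, review = convert(SAMPLE)
    print("\n".join(cfg), "\n! needs manual review:", *review, sep="\n")
```

Every converted `static interface service` line is an inbound port-forward on the new firewall, so the output doubles as a list of exposed services to re-justify before pasting it into the 5512-X.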