Upgrading ASA from 8.2(5)46 to asa847-k8.bin

mahesh18
Level 6

Hi Everyone,

I need to upgrade the ASA from 8.2(5)46 to asa847-k8.bin.

This ASA is used for Remote access VPN.

 

I need to know what steps I should take for this upgrade.

 

Except for NAT, is there anything else that will change in the running config of the device?

The current NAT I have is:

global (outside) 1 interface
 

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.255.0

 

Also, ASDM needs to be upgraded to asdm-715-100.bin, right?

Regards

 

Mahesh

 

I need to confirm: is it safe to upgrade directly to asa847-k8.bin?

Is asa847-k8.bin a stable version without any bugs?

 

 

8 Replies

There is also a memory requirement when upgrading to 8.3 and higher, and the requirement differs depending on which ASA model you have.  Please refer to the following link for the requirements:

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/product_bulletin_c25-586414.html

Yes it is possible to upgrade directly to 8.4.  As for known bugs/caveats please refer to the 8.4 release notes:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html#pgfId-404945

Other than the NAT there is a change to the way access lists work.  Instead of defining the NATed IP, now you need to define the real IP in the ACL.  So if you have NATed a server (10.10.10.10) to the ASA interface (1.1.1.1) then in the ACL that allows http traffic in on the outside interface you would define the 10.10.10.10 address and not the 1.1.1.1 address.

Yes, you will also need to upgrade the ASDM.

The following document describes some migration tasks that you may need to take into consideration; it is worth having a read through it:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html

--
Please remember to select a correct answer and rate helpful posts
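The reply above covers the requirements (memory, release notes, ACL and NAT changes, ASDM) but not the command sequence itself. The following is an added example of the CLI steps for the jump from 8.2(5) to 8.4(7), not from the thread or from Cisco documentation. It assumes the images are fetched from a TFTP server at 192.0.2.10 (a hypothetical address), that flash is disk0:, and that the current 8.2 boot line is read off the box with "show run boot" rather than guessed; the placeholder in angle brackets is to be replaced with that line.

```cisco
! Added example of the upgrade sequence; TFTP address 192.0.2.10 and disk0: are assumptions.
! 0. Confirm installed RAM meets the 8.3+ requirement for this model before copying anything.
show version | include Hardware
show flash:
! 1. Back up the pre-migration configuration off-box (the migration rewrites NAT and ACLs).
copy running-config tftp://192.0.2.10/asa-8.2.5.46-backup.cfg
! 2. Stage both images and check their checksums against the values published on cisco.com.
copy tftp://192.0.2.10/asa847-k8.bin disk0:/asa847-k8.bin
copy tftp://192.0.2.10/asdm-715-100.bin disk0:/asdm-715-100.bin
verify /md5 disk0:/asa847-k8.bin
verify /md5 disk0:/asdm-715-100.bin
! 3. Point the boot variable and ASDM at the new files; negate the existing boot line first.
show run boot
configure terminal
no boot system disk0:/<current 8.2 image from "show run boot">
boot system disk0:/asa847-k8.bin
asdm image disk0:/asdm-715-100.bin
write memory
reload
! 4. After the reboot the NAT/ACL migration has already run; review the result before saving.
show version | include Software Version
show run nat
show nat
show run access-list
write memory
```

Do step 3 and the reload inside a change window: the remote-access VPN users on this box are cut off from the reload until the migrated NAT (in particular the identity rule that replaces nat 0) is confirmed working.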

 

I will go through the above links and will ask if I have any questions.

For the current NAT:

The current NAT I have is:

global (outside) 1 interface
 

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.255.0

 

What would be new NAT in 8.4?

If you can help me with this it will be much appreciated.

 

Regards

Mahesh

"nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0"

This NAT will look like the following:

object network ALL_NETWORKS
  subnet 0.0.0.0 0.0.0.0
  nat (inside,outside) dynamic interface

 

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.255.0

Is there any reason you have these NATed to themselves? In any case, these will look like the following:

object network LAN1
  subnet 10.0.0.0 255.0.0.0

nat (inside,outside) source static LAN1 LAN1 destination static LAN1 LAN1

object network LAN2
  subnet 172.16.0.0 255.255.255.0

nat (inside,outside) source static LAN2 LAN2 destination static LAN2 LAN2

 

This link shows a good comparison between pre 8.3 and post 8.3 NAT configurations.

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

--
Please remember to select a correct answer and rate helpful posts
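To make the pre-8.3 to 8.3+ mapping mechanical rather than a line-by-line hand translation, here is an added example (my own script, not Cisco's migration code and not part of the thread) that rewrites exactly the statement forms posted in this thread: global ... interface, nat N with a real subnet, nat 0 access-list, and static ... netmask. The obj-<real address> and obj_any naming, the identity twice-NAT rule with no-proxy-arp route-lookup for the old nat 0, and the "object built from the real address, mapped address on the nat line" rule follow what the migration produces; the assumption that a nat 0 exemption is emitted towards every interface carrying a global is mine. It also handles a host static (netmask 255.255.255.255), which the thread does not show.

```python
"""Translate the pre-8.3 NAT statements posted in this thread into 8.3+ object/twice NAT.

Added example, not Cisco's migration code: it models the rules the automatic
migration applied to the configuration shown in the thread and deliberately handles
only the statement forms that appear there (global ... interface, nat N with a real
subnet, nat 0 access-list, static ... netmask).  Anything else raises instead of
being silently mistranslated.
"""
from typing import Dict, List, Tuple

# Constructed sample input: the pre-8.3 NAT posted above plus the nat-0 ACL it names.
PRE_83_CONFIG = """\
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,outside) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any object-group VPN_Access
"""

HOST_MASK = "255.255.255.255"


def _ifc(token: str) -> str:
    """'(inside)' -> 'inside', '(inside,outside)' -> 'inside,outside'."""
    return token.strip("()")


def _acl_operand(tokens: List[str]) -> Tuple[str, List[str]]:
    """Return (name usable in a twice-NAT rule, remaining tokens) for one ACE operand."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] in ("object-group", "object"):
        return tokens[1], tokens[2:]
    raise NotImplementedError(f"ACE operand not handled: {' '.join(tokens)}")


def migrate(config: str) -> List[str]:
    globals_: Dict[Tuple[str, str], str] = {}           # (mapped_ifc, nat_id) -> mapped addr
    dynamic: List[Tuple[str, str, str, str]] = []       # (real_ifc, nat_id, net, mask)
    nat0: List[Tuple[str, str]] = []                    # (real_ifc, acl_name)
    statics: List[Tuple[str, str, str, str, str]] = []  # (real_ifc, mapped_ifc, mapped, real, mask)
    acls: Dict[str, List[List[str]]] = {}
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "global":                              # global (outside) 1 interface
            globals_[(_ifc(t[1]), t[2])] = t[3]
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            nat0.append((_ifc(t[1]), t[4]))               # nat (inside) 0 access-list NAME
        elif t[0] == "nat":                               # nat (inside) 1 0.0.0.0 0.0.0.0
            dynamic.append((_ifc(t[1]), t[2], t[3], t[4]))
        elif t[0] == "static":                            # static (real,mapped) MAPPED REAL netmask MASK
            real_ifc, mapped_ifc = _ifc(t[1]).split(",")
            statics.append((real_ifc, mapped_ifc, t[2], t[3], t[5]))
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(t[2:])
        else:
            raise NotImplementedError(f"statement not handled: {raw}")

    objects: List[str] = []      # object definitions (top of the 8.3+ config)
    twice: List[str] = []        # section-1 twice NAT (the old nat 0 exemptions)
    object_nat: List[str] = []   # section-2 object NAT

    def define(name: str, net: str, mask: str) -> None:
        objects.append(f"object network {name}")
        objects.append(f" host {net}" if mask == HOST_MASK else f" subnet {net} {mask}")

    # nat 0 access-list -> identity twice NAT, one rule per ACE, towards every interface
    # that carries a global (assumption), with the flags the migration adds.
    for real_ifc, acl_name in nat0:
        for ace in acls.get(acl_name, []):
            if ace[:3] != ["extended", "permit", "ip"]:
                raise NotImplementedError(f"ACE not handled: {' '.join(ace)}")
            src, rest = _acl_operand(ace[3:])
            dst, _ = _acl_operand(rest)
            for mapped_ifc in sorted({ifc for ifc, _ in globals_}):
                twice.append(f"nat ({real_ifc},{mapped_ifc}) source static {src} {src} "
                             f"destination static {dst} {dst} no-proxy-arp route-lookup")

    # nat N + global N -> object NAT; "nat N 0.0.0.0 0.0.0.0" becomes obj_any.
    for real_ifc, nat_id, net, mask in dynamic:
        name = "obj_any" if (net, mask) == ("0.0.0.0", "0.0.0.0") else f"obj-{net}"
        define(name, net, mask)
        for (mapped_ifc, gid), mapped in globals_.items():
            if gid == nat_id:
                object_nat += [f"object network {name}",
                               f" nat ({real_ifc},{mapped_ifc}) dynamic {mapped}"]

    # static -> object built from the REAL address; the MAPPED address goes on the nat line.
    for real_ifc, mapped_ifc, mapped, real, mask in statics:
        name = f"obj-{real}"
        define(name, real, mask)
        object_nat += [f"object network {name}",
                       f" nat ({real_ifc},{mapped_ifc}) static {mapped}"]

    return objects + twice + object_nat


if __name__ == "__main__":
    print("\n".join(migrate(PRE_83_CONFIG)))
```

Run on the thread's four NAT lines plus the nat-0 ACL, it emits the identity twice-NAT rule for VPN_Access, obj_any with dynamic interface, and obj-10.0.0.0 / obj-172.16.0.0 with their identity statics. Note the argument order of the pre-8.3 static: the first address is the mapped one and the second the real one, which is invisible in an identity static but matters for a server published on a different address.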

 

Hi Marius,

 

I did the upgrade today; here is the default config that came after the upgrade to 8.4:

 

object network obj-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network obj-172.16.0.0
 subnet 172.16.0.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group network VPN_Access
 description VPN Access Subnets
 network-object 172.31.98.0 255.255.255.0
 network-object 172.31.92.0 255.255.252.0
access-list inside_access_in extended permit ip any object-group VPN_Access
access-list inside_access_in extended deny ip any any
access-list outside_access_in extended deny ip any any
access-list inside_nat0_outbound extended permit ip any object-group VPN_Access
access-list vpn_filter1 extended permit ip 172.31.98.0 255.255.255.0 172.16.7.0 255.255.255.0
access-list vpn_filter1 extended permit ip 172.31.98.0 255.255.255.0 172.16.3.0 255.255.255.0


nat (inside,outside) source static any any destination static VPN_Access VPN_Access no-proxy-arp route-lookup

 

object network obj-10.0.0.0
 nat (inside,outside) static 10.0.0.0
object network obj-172.16.0.0
 nat (inside,outside) static 172.16.0.0
object network obj_any
 nat (inside,outside) dynamic interface

 

I need to know: if I had not made any changes to this, would the VPN have worked OK?

 

Then I applied the config below as you said:

 

sh run nat
nat (inside,outside) source static any any destination static VPN_Access VPN_Access no-proxy-arp route-lookup
nat (inside,outside) source static LAN1 LAN1 destination static LAN1 LAN1
nat (inside,outside) source static LAN2 LAN2 destination static LAN2 LAN2
!
object network ALL_NETWORKS
 nat (inside,outside) dynamic interface


object network ALL_NETWORKS
 subnet 0.0.0.0 0.0.0.0
object network LAN1
 subnet 10.0.0.0 255.0.0.0
object network LAN2
 subnet 172.16.0.0 255.255.255.0
object-group network VPN_Access
 description VPN Access Subnets
 network-object 172.31.98.0 255.255.255.0
 network-object 172.31.92.0 255.255.252.0
access-list inside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any object-group VPN_Access
access-list outside_access_in extended deny ip any any
access-list vpn_filter1 extended permit ip 172.31.98.0 255.255.255.0 172.16.7.0 255.255.255.0
access-list vpn_filter1 extended permit ip 172.31.98.0 255.255.255.0 172.16.3.0 255.255.255.0


nat (inside,outside) source static any any destination static VPN_Access VPN_Access no-proxy-arp route-lookup
nat (inside,outside) source static LAN1 LAN1 destination static LAN1 LAN1
nat (inside,outside) source static LAN2 LAN2 destination static LAN2 LAN2
!
object network ALL_NETWORKS
 nat (inside,outside) dynamic interface

 

Also, I need to confirm whether we are using ALL_NETWORKS anywhere in NAT or not.

If not, is it OK to delete ALL_NETWORKS?

 

Best regards

Mahesh

 

Hi Mahesh,

Sorry for late reply as I have been away for a few weeks.

Do you require further assistance with this issue?

--
Please remember to select a correct answer and rate helpful posts

 

Hi Marius,

 

If you can answer my last question that will be much appreciated.

Regards

Mahesh

"Also need to confirm if we are using ALL_NETWORKS anywhere in NAT or not?"

From what you posted you have a NAT statement for ALL_NETWORKS.  Whether it is in use depends on the location of that NAT statement relative to the obj_any NAT statement.

object network ALL_NETWORKS
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

&

object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

are the same thing.  You only need one of these, so yes, you can delete one of them.  Be sure to do this in a service window, as you will need to clear xlate and test to make sure everything is working correctly.

--
Please remember to select a correct answer and rate helpful posts
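Two things in this thread are easy to miss when reading a migrated "show run" by eye: the ALL_NETWORKS / obj_any pair that Marius identifies as identical rules, and the change noted in the first reply that ACLs now match the real address rather than the mapped one. The following is an added example (my own script, not from the thread or from Cisco) that checks both from show run text. The sample input is constructed: it combines the two catch-all objects from the thread with a hypothetical server static using the 10.10.10.10 / 1.1.1.1 values from the ACL explanation above and an outside ACE still written against the mapped address.

```python
"""Post-migration checks on an 8.3+ ASA configuration.

Added example, not from the thread or from Cisco.  It reads "show run" style text and
reports two things discussed in this thread: object NAT rules that duplicate each
other (the ALL_NETWORKS / obj_any case) and ACL entries that still name a static
rule's mapped address where 8.3+ matches on the real one.  Only the statement forms
shown in the thread are parsed (object network with host/subnet, object NAT
static/dynamic, extended ACEs); twice-NAT lines are left alone.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two identical catch-all objects from the thread, plus a server
# static using the 10.10.10.10 -> 1.1.1.1 values from the ACL explanation above and an
# outside ACE still written pre-8.3 style against the mapped address.
SAMPLE_RUN = """\
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network ALL_NETWORKS
 subnet 0.0.0.0 0.0.0.0
object network obj-10.10.10.10
 host 10.10.10.10
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq www
access-list outside_access_in extended deny ip any any
nat (inside,outside) source static any any destination static VPN_Access VPN_Access no-proxy-arp route-lookup
object network obj-10.10.10.10
 nat (inside,outside) static 1.1.1.1
object network obj_any
 nat (inside,outside) dynamic interface
object network ALL_NETWORKS
 nat (inside,outside) dynamic interface
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) (static|dynamic) (\S+)")


@dataclass
class NetObject:
    name: str
    addr: Optional[str] = None   # "host 10.10.10.10" or "subnet 10.0.0.0 255.0.0.0"
    nat: Optional[str] = None    # normalised "real_ifc mapped_ifc kind mapped"


def parse_run(text: str) -> Tuple[Dict[str, NetObject], Dict[str, List[List[str]]]]:
    """Merge the split 'object network' blocks of show run and collect ACL entries."""
    objs: Dict[str, NetObject] = {}
    acls: Dict[str, List[List[str]]] = {}
    current: Optional[NetObject] = None
    for line in text.splitlines():
        if line.startswith("object network "):
            name = line.split()[2]
            current = objs.setdefault(name, NetObject(name))
        elif line.startswith(" ") and current is not None:
            body = line.strip()
            if body.startswith(("host ", "subnet ")):
                current.addr = body
            else:
                m = NAT_RE.match(body)
                if m:
                    current.nat = " ".join(m.groups())
        elif line.startswith("access-list "):
            t = line.split()
            acls.setdefault(t[1], []).append(t[2:])
        else:
            current = None          # twice NAT, object-group, etc.: not analysed here
    return objs, acls


def duplicate_object_nat(objs: Dict[str, NetObject]) -> List[str]:
    """Objects with the same address and the same NAT rule: only one of them is needed."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for o in objs.values():
        if o.addr and o.nat:
            groups.setdefault((o.addr, o.nat), []).append(o.name)
    return [f"duplicate object NAT '{nat}' for '{addr}': {', '.join(sorted(names))}"
            for (addr, nat), names in groups.items() if len(names) > 1]


def mapped_ip_in_acl(objs: Dict[str, NetObject], acls: Dict[str, List[List[str]]]) -> List[str]:
    """ACEs that use a static rule's mapped host address instead of the real one."""
    findings: List[str] = []
    for o in objs.values():
        if not (o.addr and o.nat and o.addr.startswith("host ")):
            continue
        _real_ifc, _mapped_ifc, kind, mapped = o.nat.split()
        if kind != "static":
            continue
        real_ip = o.addr.split()[1]
        for acl_name, aces in acls.items():
            for ace in aces:
                hosts = [ace[i + 1] for i, tok in enumerate(ace) if tok == "host"]
                if mapped in hosts:
                    findings.append(f"{acl_name}: '{' '.join(ace)}' names mapped {mapped}; "
                                    f"8.3+ matches the real address, use host {real_ip} "
                                    f"(object {o.name})")
    return findings


if __name__ == "__main__":
    objs, acls = parse_run(SAMPLE_RUN)
    for finding in duplicate_object_nat(objs) + mapped_ip_in_acl(objs, acls):
        print(finding)
```

On the sample it reports the obj_any / ALL_NETWORKS pair once and flags the outside ACE for 1.1.1.1, pointing at host 10.10.10.10. After removing a duplicate object NAT, clear xlate and re-test as Marius says; the check above only tells you which rules are interchangeable, not which one the box is currently matching.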

 

Many thanks Marius

 

Regards

 

Mahesh
