
CSCtf57830 Still present in 8.4(2) (ASA NAT and Real IP Migration) ?

ldesmasures
Level 1

Hi,

Yesterday we tried to upgrade an ASA cluster from version 8.2(4) to 8.4(2), and it seems we encountered the "fixed" bug CSCtf57830. This bug is indicated as fixed in version 8.4(1)...

But in our upgrade process, all the "outside" access-list entries were not migrated to the real IP objects during the upgrade migration process. For information, in the configuration we have NAT exemption with one line containing an "any" statement.

More than 600 "outside" access-list entries have to be migrated! So it's not easy to do the modifications manually and during a maintenance window.

The question is: is this bug really still present in version 8.4(2)?

1 Accepted Solution

mirober2
Cisco Employee

Hello,

The fix for CSCtf57830 only adds the following warning message to the migration logs:

MIGRATION: NAT Exempt command is encountered in config.

Static NATs which overlap with NAT Exempt source are not migrated.

Please check migrated ACLs for accuracy.

Unfortunately, the migration behavior itself doesn't change and manual intervention is needed.

If you have a large number of ACLs that need to be migrated, an easier solution might be to remove the NAT exemption lines from the 8.2 config prior to the upgrade, and then recreate them as needed after the upgrade. This way, the ASA will take care of the ACL migration according to the static NAT config.

Hope that helps.

-Mike

2 Replies 2

Hi Mike,

Thanks for this answer.

More than 600 lines to translate/verify manually... We'll try removing NAT exemption rules before upgrade.
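
One way to act on the "Please check migrated ACLs for accuracy" warning discussed in this thread, as an added example that is not part of the original posts and not Cisco tooling: the script takes the one-to-one host statics from the saved 8.2 configuration and lists entries of the ACL bound to the outside interface that still reference a mapped address after the upgrade, next to the real-IP form to review. The configuration fragments, the ACL name `outside_in` and all addresses are constructed samples; port statics, network statics and object-based entries are outside what it handles.

```python
import re

# Constructed sample: fragment of a saved 8.2 config (documentation addresses).
PRE_82 = """\
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.20 172.16.5.20 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.30 www 10.1.1.30 www netmask 255.255.255.255
nat (inside) 0 access-list NONAT
access-list NONAT extended permit ip any 10.9.0.0 255.255.0.0
"""
# Constructed sample: ACL fragment from the running config after the upgrade.
POST_84 = """\
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 172.16.5.20 eq smtp
access-list outside_in extended permit tcp any host 203.0.113.20 eq 443
access-group outside_in in interface outside
"""
# 8.2 host static: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask /32]
STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
    r"(?: netmask 255\.255\.255\.255)?\s*$", re.M)

def host_statics(config_82, mapped_ifc="outside"):
    """Return {mapped_ip: real_ip} for one-to-one host statics on mapped_ifc."""
    return {m.group(3): m.group(4) for m in STATIC_RE.finditer(config_82)
            if m.group(2) == mapped_ifc}

def bound_acl(config, ifc="outside"):
    """Name of the ACL applied inbound on ifc, or None."""
    m = re.search(rf"^access-group (\S+) in interface {re.escape(ifc)}\s*$", config, re.M)
    return m.group(1) if m else None

def unmigrated(config_84, mapping, ifc="outside"):
    """Return (entry, real-IP form) pairs for entries still using a mapped IP."""
    acl = bound_acl(config_84, ifc)
    hits = []
    for line in config_84.splitlines():
        if not line.startswith(f"access-list {acl} "):
            continue
        # Swap every 'host <mapped>' for 'host <real>'; other hosts are untouched.
        fixed = re.sub(r"\bhost (\d+\.\d+\.\d+\.\d+)\b",
                       lambda m: "host " + mapping.get(m.group(1), m.group(1)), line)
        if fixed != line:
            hits.append((line, fixed))
    return hits

if __name__ == "__main__":
    for old, new in unmigrated(POST_84, host_statics(PRE_82)):
        print(f"- {old}\n+ {new}")
```

An empty result means no entry of the bound ACL still uses a `host <mapped>` address from the statics that were parsed; it says nothing about entries written with networks or objects.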
