1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

ASA Upgrade 8.2 -> 9.1

Discussion in 'Network Security' started by BraderzTheDog, Jun 10, 2014.

  1. BraderzTheDog

    BraderzTheDog Kilobyte Poster


    I'm after some advice based on any experiences you may have had on this one...

    I'm upgrading a pair of Firewalls (A/S) from asa825 -> asa915.

    I've done this many times, but have always re-wrote the NAT statements as Cisco utilised the NGN at 8.3 and real IP access list migration too.

    However this time, there a lot of NAT config on this firewall and I've already made the jump from 8.2.5 to 8.3.1. There are a lot of errors in the NAT config which means I basically need to re-write and re order about 6000 NAT statements. :x

    Its going to take ages, and I'm not happy... Is there a better path to getting to 9.1, that will be less error prone possibly and save me a lot of time?
    Oh... Another thing, it doesn't take into account Static NAT access lists, before you would have a rule to the Public Address for clients in ->. Now this needs to be to the Post NAT address so something like any4 to - port 80. So these all have to be re-wrote manually too...

    My intended path:

    8.25 -> 8.31 -> 9.15.

    Between 8.25 and 8.31 the automated conversion occurs, however I've seen other people say its less error prone to go to version 8.4(x).

    I'm not scared to re-write the statements, the odd few... but not 6000...

  2. jvanassen

    jvanassen Kilobyte Poster

    Afraid i cant give alot of input right now but will watch this post closely as i know this is a task i will need to look at in the next few weeks.
    Certifications: CompTIA A+, Network+, CCENT
    WIP: ICND2 200-101
  3. BraderzTheDog

    BraderzTheDog Kilobyte Poster

    Just to let you know, if anyone is planning to do this upgrade its far from straight forward...

    Cisco recommends going from 8.2X to 8.4.6 (where the migration occurs) and then up to 9.1.3 or later.

    Release Notes for the Cisco ASA Series, 9.1(x) - Cisco

    This doesn't work, ended up getting into a cycle of continuous reboots and crashes. Anyway, had a talk to them earlier today, TAC have recommended the converted code using the automated scrip to be checked and proof read. Basically it doesn't work, and it needs to be re-wrote.

    I've had more success going this route:

    8.2.5 -> 8.31 -> 9.1.3

    The following need to be reviewed:
    1. Real IP access list migration - anything that went to the NAT address now needs to go to the real IP - example.

    any4 -> - tcp/80 - will not work, this now needs to go to the post NAT address
    any4 -> - tcp/80 - will work, it obviously looks at the NAT table before policy.

    2. NAT ordering - all over the place and causes packets not to be translated properly.
    e.g. static NAT's are mixed amongst PAT's and no Nat.

    3. Inflation of NAT rules - bloat
    Anything that would cover multiple interfaces is now expanded to a per interface rule meaning; if you have 50 sub interfaces and a SINGLE nat rule that covers all interfaces, after conversion you will have the same rule duplicated but per interface.

    End result 1 rule is now 50. The client I'm working on has 74 sub interfaces, and over 40 rules that are like this. 74 x 40 = 2960... WHY?!?!

    An absolute nightmare if you have 6000 Nat rules to go through, also access lists do not convert properly, or are the put into the correct order.

    Anyway, the lesson I have learned... Don't put large amounts of configuration on a single firewall... Single big box methodology is dated and causes so many problems when it comes to downtime and upgrades. Definitely will be putting a case forward to contextualise in the future on a client by client basis, or virtualise to have smaller configurations per client.

    Anyway enough rant and on with the line by line job! :(

    Good luck to anyone else that's got this on their list of things to do!
    Last edited: Jun 12, 2014
  4. John228

    John228 New Member

    I'm going through a migration from 8.2.5 > 9.1.5 too. What I found in reference to the continuous reboots is if you have names configured, before you upgrade to 8.4.6 for example. Remove all the names.

    no name google-dns

    Then do the upgrade. I find it doesn't crash if you do it that way. But I totally understand the frustration with ACLs which get expanded which were in object groups. NAT is different but the more I understand I like the way it works. I heard it was done that way in prep for IPv6.

    Anyways, good luck! Hope things go smoothly.

Share This Page