Transcript of Migration Best Practices for ASA 8.3/8.4
© 2011 Cisco and/or its affiliates. All rights reserved. 1
Cisco Support Community Presents: Tech-Talk Series
Migration Best Practices for ASA 8.3/8.4
With Glenn Baptist, Customer Support Engineer, Cisco TAC, CCIE Security (#32835)
Major Changes
Best Practices
New Features
Known Issues
NAT Re-design
Named Network Objects & Service Objects
Real IP Addresses in Access Rules instead of Mapped Addresses
Inbound Interface ACL

[Diagram: 192.168.1.1, translated to 1.1.1.1; 198.1.1.1]

Pre-8.3 Configuration:
  static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
  access-list outside_in extended permit tcp any host 1.1.1.1
  access-group outside_access_in in interface outside

8.3 Configuration:
  object network obj-192.168.1.1
   host 192.168.1.1
   nat (inside,outside) static 1.1.1.1
  access-list outside_in extended permit tcp any host 192.168.1.1
  access-group outside_access_in in interface outside
Memory Requirements
Show Startup Errors
NAT-Control in 8.3 doesn't exist
Use the 'downgrade' command if you want to revert
Memory requirements

ASA Model | Internal Flash Memory (Default Shipping) | DRAM (Default Shipping), Before Feb. 2010 | DRAM (Default Shipping), After Feb. 2010 (Required for 8.3 and Higher)
5505 | 128 MB | 256 MB | 512 MB [3]
5510 | 256 MB | 256 MB | 1 GB
5520 | 256 MB | 512 MB | 2 GB
5540 | 256 MB | 1 GB | 2 GB
Downgrade
  hostname(config)# downgrade disk0:/asa821-k8.bin disk0:/8_2_1_0_startup_cfg.sav
The second argument, disk0:/8_2_1_0_startup_cfg.sav, is the current (pre-upgraded) configuration.
hostname# show startup-config errors
Reading from flash...
!
REAL IP MIGRATION: WARNING
In this version access-lists used in 'access-group', 'class-map', 'dynamic-filter classify-list',
'aaa match' will be migrated from using IP address/ports as seen on interface, to their real
values If an access-list used by these features is shared with per-user ACL then the original
access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on different interfaces are not
detectable by automated Real IP migration. If your deployment contains such scenarios, please
verify your migrated configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete explanation of the automated
migration process.
INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file 'flash:8_2_1_15_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.2(1)15 "
NAT migration logs:
INFO: NAT migration completed.
Real IP migration logs: ACL <1> has been migrated to real-ip version
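The rewrite shown on the "Inbound Interface ACL" slide (static NAT becomes object NAT, and the ACL is re-pointed from the mapped 1.1.1.1 to the real 192.168.1.1) and the warning above about identical mapped addresses on different interfaces can both be demonstrated with a small migration helper. The script below is an added example written for this transcript, not Cisco's migration code and not a substitute for it: it handles only one-to-one "static (real_ifc,mapped_ifc) MAPPED REAL netmask 255.255.255.255" entries and ACL entries whose source and destination are "any" or "host A.B.C.D", and the sample configuration it runs on is constructed (the interface names, addresses and the ACL name outside_access_in are assumptions). Its one useful addition over the slide is the ambiguity check: a mapped address reused by more than one static entry is reported for manual review and its ACL references are left untouched, which is exactly the case the ASA says it cannot detect automatically.

```python
"""Illustrative ASA 8.2 -> 8.3 NAT/ACL migration helper (added example, not Cisco's tool).

Assumptions (constructed for this example):
  - only one-to-one static NAT lines of the form
      static (real_ifc,mapped_ifc) MAPPED REAL netmask 255.255.255.255
  - only ACL entries of the form
      access-list NAME extended permit|deny PROTO SRC DST [rest]
    where SRC/DST are 'any' or 'host A.B.C.D'
The real ASA migration covers far more syntax; the point here is the rewrite rule
(mapped address -> real address in the ACL) and the ambiguity check the ASA warns about.
"""
import re
from dataclasses import dataclass

STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) "
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+) (?P<real>\d+\.\d+\.\d+\.\d+) "
    r"netmask 255\.255\.255\.255$"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?P<rest>.*)$"
)


@dataclass
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped: str
    real: str


def parse_static(line):
    """Return a Static for a pre-8.3 one-to-one static NAT line, else None."""
    m = STATIC_RE.match(line.strip())
    return Static(**m.groupdict()) if m else None


def find_ambiguous(statics):
    """Mapped addresses reused by more than one static entry (e.g. on different
    interface pairs). Automated real-IP migration cannot resolve these, so they
    are reported for manual review instead of being rewritten."""
    by_mapped = {}
    for s in statics:
        by_mapped.setdefault(s.mapped, []).append(s)
    return {ip: entries for ip, entries in by_mapped.items() if len(entries) > 1}


def object_nat(s):
    """8.3-style object NAT equivalent of one static entry."""
    return [
        f"object network obj-{s.real}",
        f" host {s.real}",
        f" nat ({s.real_ifc},{s.mapped_ifc}) static {s.mapped}",
    ]


def migrate_acl_line(line, mapped_to_real):
    """Rewrite 'host MAPPED' tokens to 'host REAL'; lines that do not parse pass through."""
    m = ACL_RE.match(line.strip())
    if not m:
        return line

    def to_real(tok):
        if tok.startswith("host "):
            ip = tok.split()[1]
            return f"host {mapped_to_real.get(ip, ip)}"
        return tok

    d = m.groupdict()
    return (f"access-list {d['name']} extended {d['action']} {d['proto']} "
            f"{to_real(d['src'])} {to_real(d['dst'])}{d['rest']}")


def migrate(config_text):
    """Return (migrated_lines, ambiguous_mappings).

    Static lines become object NAT; ACL lines get mapped->real substitution for
    every unambiguous mapping; everything else is copied unchanged."""
    lines = [l.rstrip() for l in config_text.strip().splitlines()]
    statics = [s for s in map(parse_static, lines) if s]
    ambiguous = find_ambiguous(statics)
    mapped_to_real = {s.mapped: s.real for s in statics if s.mapped not in ambiguous}
    out = []
    for line in lines:
        s = parse_static(line)
        if s:
            out.extend(object_nat(s))
        else:
            out.append(migrate_acl_line(line, mapped_to_real))
    return out, ambiguous


# Constructed sample: 1.1.1.3 is reused on two interface pairs, the case the
# 'show startup-config errors' output says automated migration cannot detect.
SAMPLE_PRE83_CONFIG = """
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
static (dmz,outside) 1.1.1.3 10.10.10.6 netmask 255.255.255.255
static (inside,dmz) 1.1.1.3 192.168.1.9 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 80
access-list outside_access_in extended permit tcp any host 1.1.1.3 eq 22
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    migrated, ambiguous = migrate(SAMPLE_PRE83_CONFIG)
    print("\n".join(migrated))
    for ip, entries in ambiguous.items():
        print(f"! REVIEW: mapped {ip} used by {len(entries)} static entries; "
              f"ACL references to it were left unchanged")
```

Run it as-is and the first ACL entry comes out pointing at host 192.168.1.1, while the entry for 1.1.1.3 is left unchanged and reported, which is the line a practitioner should compare by hand against the ASA's own "show startup-config errors" output after the upgrade.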
If you do not install a memory upgrade, you receive the following message upon logging in:
***********************************************************************
** *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***
**
** ----> Minimum Memory Requirements NOT Met! <----
**
** Installed RAM: 512 MB
** Required RAM: 2048 MB
** Upgrade part#: ASA5520-MEM-2GB=
**
** This ASA does not meet the minimum memory requirements needed to run this image. Please install additional memory (part number listed above) or downgrade to ASA version 8.2 or earlier.
** Continuing to run without a memory upgrade is unsupported, and critical system features will not function properly.
ASA 8.3.1 Non-identical Failover Licenses
ASA 8.4.1 Stateful Failover with Dynamic Routing Protocols
ASA 8.4.2 Route Lookup
  nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj} [route-lookup]
CSCti36048 ASA upgrade to 8.3(2) adds unidirectional keyword to manual NAT lines
CSCtf57830 Incorrect Real IP Translation of ACE after 8.3.1 upgrade
Supportforums.cisco.com
facebook.com/CiscoSupportCommunity
twitter.com/#!/cisco_support
youtube.com/user/ciscosupportchannel
itunes.apple.com/us/app/cisco-technical-support/id398104252?mt=8
linkedin.com/groups/CSC-Cisco-Support-Community-3210019