© 2011 Cisco and/or its affiliates. All rights reserved. 1

Cisco Support Community Presents :

Tech-Talk Series

Glenn Baptist Customer Support Engineer, Cisco TAC

CCIE Security (#32835)

With,

Migration Best Practices for ASA 8.3/8.4

© 2011 Cisco and/or its affiliates. All rights reserved. 2

Major Changes

Best Practices

New Features

Known Issues

3 © 2011 Cisco and/or its affiliates. All rights reserved.

© 2011 Cisco and/or its affiliates. All rights reserved. 4

NAT Re-design

Named Network Objects & Service Objects

Real IP Addresses in Access Rules instead

of Mapped Addresses

© 2011 Cisco and/or its affiliates. All rights reserved. 5

Inbound Interface ACL

192.168.1.1 1.1.1.1 198.1.1.1

Translated to

Pre-8.3 Configuration 8.3 Configuration

static (inside,outside) 1.1.1.1

192.168.1.1 netmask

255.255.255.255

access-list outside_in extended

permit tcp any host 1.1.1.1

access-group outside_access_in in

interface outside

object network obj-192.168.1.1 host 192.168.1.1

nat (inside,outside) static 1.1.1.1

access-list outside_in extended permit

tcp any host 192.168.1.1

access-group outside_access_in in

interface outside

6 © 2011 Cisco and/or its affiliates. All rights reserved.

© 2011 Cisco and/or its affiliates. All rights reserved. 7

Memory Requirements

Show Startup Errors

NAT-Control in 8.3 doesn't exist

Use ‘Downgrade Command if you want to revert

© 2011 Cisco and/or its affiliates. All rights reserved. 8

ASA Model

Internal Flash

Memory

(Default Shipping)

DRAM (Default Shipping)

Before Feb.

2010

After Feb. 2010

(Required for 8.3

and Higher)

5505 128 MB 256 MB 512 MB3

5510 256 MB 256 MB 1 GB

5520 256 MB 512 MB 2 GB

5540 256 MB 1 GB 2 GB

Memory requirements

hostname(config)# downgrade disk0:/asa821-k8.bin disk0:/8_2_1_0_startup_cfg.sav

Downgrade

The current (pre-upgraded) configuration

© 2011 Cisco and/or its affiliates. All rights reserved. 9

hostname# show startup-config errors

Reading from flash...

!

REAL IP MIGRATION: WARNING

In this version access-lists used in 'access-group', 'class-map', 'dynamic-filter classify-list',

'aaa match' will be migrated from using IP address/ports as seen on interface, to their real

values If an access-list used by these features is shared with per-user ACL then the original

access-list has to be recreated.

INFO: Note that identical IP addresses or overlapping IP ranges on different interfaces are not

detectable by automated Real IP migration. If your deployment contains such scenarios, please

verify your migrated configuration is appropriate for those overlapping addresses/ranges.

Please also refer to the ASA 8.3 migration guide for a complete explanation of the automated

migration process.

INFO: MIGRATION - Saving the startup configuration to file

INFO: MIGRATION - Startup configuration saved to file 'flash:8_2_1_15_startup_cfg.sav'

*** Output from config line 4, "ASA Version 8.2(1)15 "

NAT migration logs:

INFO: NAT migration completed.

Real IP migration logs: ACL <1> has been migrated to real-ip version

© 2011 Cisco and/or its affiliates. All rights reserved. 10

If you do not install a memory upgrade, you receive the following message upon logging in:

***********************************************************************

** *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***

**

** ----> Minimum Memory Requirements NOT Met! <----

**

** Installed RAM: 512 MB

** Required RAM: 2048 MB

** Upgrade part#: ASA5520-MEM-2GB=

**

** This ASA does not meet the minimum memory requirements needed to run this image. Please install additional memory

(part number listed above) or downgrade to ASA version 8.2 or earlier.

** Continuing to run without a memory upgrade is unsupported, and critical system features will not function properly.

11 © 2011 Cisco and/or its affiliates. All rights reserved.

© 2011 Cisco and/or its affiliates. All rights reserved. 12

ASA 8.3.1 Non-identical Failover Licenses

ASA 8.4.1 Stateful Failover with Dynamic Routing Protocols

ASA 8.4.2 Route Lookup

nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip |

mapped_obj} [route-lookup]

13 © 2011 Cisco and/or its affiliates. All rights reserved.

© 2011 Cisco and/or its affiliates. All rights reserved. 14

CSCti36048 ASA upgrade to 8.3(2) adds unidirectional keyword to manual NAT lines

CSCtf57830 Incorrect Real IP Translation of ACE after 8.3.1 upgrade

© 2011 Cisco and/or its affiliates. All rights reserved. 15

Q & A

© 2011 Cisco and/or its affiliates. All rights reserved. 16

Supportforums.cisco.com

facebook.com/CiscoSupportCommunity

twitter.com/#!/cisco_support

youtube.com/user/ciscosupportchannel

itunes.apple.com/us/app/cisco-technical-

support/id398104252?mt=8

linkedin.com/groups/CSC-Cisco-Support-Community-3210019

Thank you.