© 2011 Cisco and/or its affiliates. All rights reserved. 1
Cisco Support Community Presents: Tech-Talk Series
Migration Best Practices for ASA 8.3/8.4
With Glenn Baptist, Customer Support Engineer, Cisco TAC, CCIE Security (#32835)
Major Changes
Best Practices
New Features
Known Issues
NAT Re-design
Named Network Objects & Service Objects
Real IP Addresses in Access Rules instead of Mapped Addresses
Inbound Interface ACL
[Figure: 192.168.1.1 is translated to 1.1.1.1; the other endpoint is 198.1.1.1.]

Pre-8.3 Configuration:
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 1.1.1.1
access-group outside_in in interface outside

8.3 Configuration:
object network obj-192.168.1.1
 host 192.168.1.1
 nat (inside,outside) static 1.1.1.1
access-list outside_in extended permit tcp any host 192.168.1.1
access-group outside_in in interface outside

Note that the 8.3 access rule permits traffic to the real address 192.168.1.1, not to the mapped address 1.1.1.1 that the pre-8.3 rule used.
Memory Requirements
Show Startup Errors
nat-control no longer exists in 8.3
Use the ‘downgrade’ command if you want to revert
Memory requirements

ASA Model   Internal Flash Memory   DRAM (Default Shipping)   DRAM (Default Shipping)
            (Default Shipping)      Before Feb. 2010          After Feb. 2010
                                                              (Required for 8.3 and Higher)
5505        128 MB                  256 MB                    512 MB [3]
5510        256 MB                  256 MB                    1 GB
5520        256 MB                  512 MB                    2 GB
5540        256 MB                  1 GB                      2 GB
Downgrade
hostname(config)# downgrade disk0:/asa821-k8.bin disk0:/8_2_1_0_startup_cfg.sav
The second argument is the current (pre-upgraded) configuration that the migration saved to flash.
hostname# show startup-config errors
Reading from flash...
!
REAL IP MIGRATION: WARNING
In this version access-lists used in 'access-group', 'class-map', 'dynamic-filter classify-list',
'aaa match' will be migrated from using IP address/ports as seen on interface, to their real
values If an access-list used by these features is shared with per-user ACL then the original
access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on different interfaces are not
detectable by automated Real IP migration. If your deployment contains such scenarios, please
verify your migrated configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete explanation of the automated
migration process.
INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file 'flash:8_2_1_15_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.2(1)15 "
NAT migration logs:
INFO: NAT migration completed.
Real IP migration logs: ACL <1> has been migrated to real-ip version
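The Real IP migration that the pre-8.3/8.3 comparison and the startup log above describe, as an added Python example that is not part of the presentation: it rewrites pre-8.3 ACEs from mapped to real addresses using the one-to-one statics, and flags the case the log says the automatic migration cannot detect (the same real address behind two interfaces). The sample config, the 'partner' interface and the regexes are constructed assumptions and cover only the `host <ip>` form shown on the slide.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample pre-8.3 config. The first static/ACE pair mirrors the slide
# (192.168.1.1 mapped to 1.1.1.1); the 'partner' static and 1.1.1.9 ACE are made up.
PRE_83_CONFIG = """\
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
static (partner,outside) 1.1.1.5 192.168.1.1 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 1.1.1.1 eq 80
access-list outside_in extended permit tcp any host 1.1.1.5 eq 22
access-list outside_in extended permit udp any host 1.1.1.9 eq 53
"""

STATIC_RE = re.compile(r"^static \((\S+),\S+\) (\S+) (\S+) netmask 255\.255\.255\.255$")
ACE_RE = re.compile(r"^(access-list \S+ extended \S+ \S+ \S+ )host (\S+)(.*)$")

def parse_statics(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """mapped host IP -> [(real_ifc, real_ip), ...] for every one-to-one static."""
    statics: Dict[str, List[Tuple[str, str]]] = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics.setdefault(m.group(2), []).append((m.group(1), m.group(3)))
    return statics

def migrate_acl(config: str) -> Tuple[List[str], List[str]]:
    """Rewrite 'host <mapped>' to 'host <real>' as the 8.3 Real IP migration does.
    Warns when the real IP is also used behind another interface (the overlap the
    startup log says it cannot detect) or when no static covers the mapped host."""
    statics = parse_statics(config)
    owners: Dict[str, Set[str]] = {}  # real IP -> interfaces it appears behind
    for entries in statics.values():
        for ifc, real in entries:
            owners.setdefault(real, set()).add(ifc)
    migrated, warnings = [], []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        prefix, mapped, rest = m.groups()
        if mapped not in statics:
            warnings.append(f"{mapped}: no static found, ACE left on mapped address")
            migrated.append(line.strip())
            continue
        real = statics[mapped][0][1]
        if len(owners[real]) > 1:
            warnings.append(f"{mapped} -> {real}: also behind {sorted(owners[real])}, ACE ambiguous")
        migrated.append(f"{prefix}host {real}{rest}")
    return migrated, warnings
```

Run on the sample, both ACEs for 1.1.1.1 and 1.1.1.5 collapse to the same real-IP rule and are reported as ambiguous, which is the review you would want before trusting the automatic migration on overlapping address space.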
If you do not install a memory upgrade, you receive the following message upon logging in:
***********************************************************************
** *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***
**
** ----> Minimum Memory Requirements NOT Met! <----
**
** Installed RAM: 512 MB
** Required RAM: 2048 MB
** Upgrade part#: ASA5520-MEM-2GB=
**
** This ASA does not meet the minimum memory requirements needed to run this image. Please install additional memory (part number listed above) or downgrade to ASA version 8.2 or earlier.
** Continuing to run without a memory upgrade is unsupported, and critical system features will not function properly.
ASA 8.3.1: Non-identical Failover Licenses
ASA 8.4.1: Stateful Failover with Dynamic Routing Protocols
ASA 8.4.2: Route Lookup
nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj} [route-lookup]
CSCti36048 ASA upgrade to 8.3(2) adds unidirectional keyword to manual NAT lines
CSCtf57830 Incorrect Real IP Translation of ACE after 8.3.1 upgrade
Q & A
Supportforums.cisco.com
facebook.com/CiscoSupportCommunity
twitter.com/#!/cisco_support
youtube.com/user/ciscosupportchannel
itunes.apple.com/us/app/cisco-technical-support/id398104252?mt=8
linkedin.com/groups/CSC-Cisco-Support-Community-3210019
Thank you.