ASA 8.3 Upgrade - What You Need to Know
First Things First
First, let's make one thing clear: upgrading your ASA from 8.2 to 8.3 is
NOT a minor upgrade! There are significant internal architectural changes around
NAT and ACLs in 8.3. More importantly for you (the customer), note the
following:
1. The NAT CLI commands are completely different from all previous versions of
ASA.
2. The IP addresses used in the ACLs are different: pre-8.3 versions used the
global (translated) IPs, whereas 8.3 always uses the real (untranslated) IPs.
3. A new concept of host-based objects was introduced, to allow singular hosts
to be referenced by their names (previously, we had the name command, but
that was more of a macro-substitution in the show running-config output).
Prerequisites to Upgrading
Many models of the ASA require a memory upgrade prior to upgrading the ASA to
version 8.3. Brand new ASAs from the factory (manufactured after Feb 2010) come
with the upgraded memory. However, if your ASA was manufactured before
February 2010, and is one of the models below requiring a memory upgrade, then
you will need to purchase the memory upgrade part prior to installing 8.3 on your
ASA.
Platform | License                             | Pre-8.3 Memory Required | 8.3 Memory Required | Memory Upgrade Part Number
---------+-------------------------------------+-------------------------+---------------------+---------------------------
5505     | Unlimited (inside hosts=Unlimited)  | 256 MB                  | 512 MB              | ASA5505-MEM-512=
5505     | Security Plus (failover=enabled)    | 256 MB                  | 512 MB              | ASA5505-MEM-512=
5505     | All other licenses                  | 256 MB                  | 256 MB              | No Memory Upgrade Needed
5510     | All licenses                        | 256 MB                  | 1024 MB             | ASA5510-MEM-1GB=
5520     | All licenses                        | 512 MB                  | 2048 MB *           | ASA5520-MEM-2GB=
5540     | All licenses                        | 1024 MB                 | 2048 MB *           | ASA5540-MEM-2GB=
5550     | All licenses                        | 4096 MB                 | 4096 MB             | No Memory Upgrade Needed
5580     | All licenses                        | 8-16 Gb                 | 8-16 Gb             | No Memory Upgrade Needed

*Note: The maximum memory supported for the ASA-5520 and ASA-5540 is 2 Gb. If
you install 4 Gb of memory in these units, they will go into a boot loop.
How to Determine How Much Memory Your ASA Has
From the CLI, you can issue the show version | include RAM command to see how
much memory your ASA has. In the following example, it is an ASA-5520, with 512
MB of RAM, and therefore would require a memory upgrade prior to installing 8.3 on
it.
ASA# show version | include RAM
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
For ASDM users, you can see the amount of RAM in the ASA from the ASDM Home
(Device Dashboard) page.
Why Does the ASA Need a Memory Upgrade?
This seems to be a fairly common question with customers. Why exactly are we
requiring a memory upgrade in order to run 8.3? The reason is simple. The memory
on the ASAs has not been increased since they were originally introduced, yet as
the years have gone by, new features have been added which require additional
memory at boot. The more memory the base image requires, the less memory
there is for things like ACLs, connections, IPSec tunnels, SSL tunnels,
etc. Additionally, as we introduce new features and customers adopt them, they
consume additional memory.
Remove nat-control from your ASA Configuration
nat-control is a legacy feature which was created to help users migrate from PIX 6.x
to PIX/ASA version 7.0 and higher. In PIX 6.x, if you wanted to pass traffic between
two interfaces, you were required to have a NAT configuration which would allow
it. PIX/ASA version 7.0 removed this restriction and made the behavior like that of
routers: ACLs control whether traffic is permitted or not, and NAT becomes
optional. However, in order to preserve the behavior for PIX customers, if a PIX
user upgraded from 6.x to 7.0, then the nat-control command was automatically
added to the configuration. The same is true of customers using the PIX to ASA
migration tool. Thus, there may still be a number of customers who have nat-control
in their configuration and do not need it.
What happens if I remove the nat-control command?
Answer: Not much. Removing the command just means that traffic can flow
between interfaces without requiring a nat policy. Therefore, the security policy of
what traffic is permitted or denied is defined by your interface ACLs.
What happens if I leave the nat-control command in my configuration?
Answer: Since 8.3 no longer supports the nat-control command, it will add
equivalent nat commands to enforce a policy which requires explicit nat rules to
allow traffic to pass between interfaces. An example is shown below. Note that the
number of these rules increases exponentially with the number of interfaces on your
ASA. Thus, if your security policy (i.e., ACLs) is used to control what traffic is
allowed where, it is highly recommended that you issue no nat-control prior to
upgrading to ASA version 8.3. This will prevent the following nat rules from being
created. Those rules will block traffic between interfaces until a more specific nat
policy is defined for that traffic.
pre-8.3 Configuration

nat-control

8.3 Configuration

object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic obj-0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
 nat (inside,mgmt) dynamic obj-0.0.0.0
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
 nat (inside,dmz) dynamic obj-0.0.0.0
object network obj_any-03
 subnet 0.0.0.0 0.0.0.0
 nat (mgmt,outside) dynamic obj-0.0.0.0
object network obj_any-04
 subnet 0.0.0.0 0.0.0.0
 nat (dmz,outside) dynamic obj-0.0.0.0
object network obj_any-05
 subnet 0.0.0.0 0.0.0.0
 nat (dmz,mgmt) dynamic obj-0.0.0.0
If you forget to issue no nat-control prior to upgrading, then it is safe to remove
the all-0's objects and their associated nat rules after the fact.
To view your current nat-control configuration, issue the command show run all
nat-control.
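For an ASA that was upgraded with nat-control still enabled, the check below lists the generated all-0's rules in a saved 8.3 configuration so they can be reviewed before removal. It is an added example, not part of the original document or any Cisco tool; the sample configuration is constructed from the object names shown above, and the function names are hypothetical.

```python
import re

# Constructed sample: an 8.3 configuration fragment containing two of the
# rules generated from nat-control, plus one ordinary static NAT object.
SAMPLE_CONFIG = """\
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic obj-0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
 nat (inside,mgmt) dynamic obj-0.0.0.0
object network obj-10.1.1.6
 host 10.1.1.6
 nat (inside,outside) static 209.165.201.15
"""

# Object NAT line of the form: nat (real_if,mapped_if) dynamic <mapped object>
DYNAMIC_NAT_RE = re.compile(r"^nat \((\S+?),(\S+?)\) dynamic (\S+)$")


def parse_network_objects(config):
    """Return {object name: [sub-commands]} for every 'object network' block.

    An object may be defined in more than one block; its sub-commands are merged.
    """
    objects = {}
    current = None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
            objects.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            objects[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return objects


def find_nat_control_rules(config):
    """List (object, real_if, mapped_if) for rules matching the generated pattern.

    A rule matches when the object covers 0.0.0.0/0 and is dynamically
    translated to an object whose only address is host 0.0.0.0.
    """
    objects = parse_network_objects(config)
    zero_hosts = {name for name, body in objects.items() if "host 0.0.0.0" in body}
    findings = []
    for name, body in objects.items():
        if "subnet 0.0.0.0 0.0.0.0" not in body:
            continue
        for command in body:
            match = DYNAMIC_NAT_RE.match(command)
            if match and match.group(3) in zero_hosts:
                findings.append((name, match.group(1), match.group(2)))
    return findings


if __name__ == "__main__":
    for name, real_if, mapped_if in find_nat_control_rules(SAMPLE_CONFIG):
        print(f"{name}: blocks {real_if} -> {mapped_if} until a specific nat rule exists")
```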
How to Upgrade Your ASA to 8.3
Upgrading your ASA to 8.3 is the same process as all previous upgrades. Just copy
the image over to the flash, specify the file to boot, and then reboot your
ASA. Upon first boot, the ASA will auto-convert your 8.2 configuration into the new
syntax for NAT and ACLs required by 8.3. While your CLI commands will change, your
device's security policy will remain the same.
Please note that we only support upgrading to 8.3 from 8.2. Therefore, you need to
be running 8.2 on your ASA prior to upgrading to 8.3.
For ASAs in a failover set, we do support upgrading from 8.2 to 8.3 with
zero downtime. Follow the same procedure you have in the past.
Note: During the upgrade process, the ASA will save two files on disk.
1. The current (pre-upgraded) configuration in a file
named <version>_startup_cfg.sav
Example: disk0:/8_2_2_0_startup_cfg.sav
This file will be critical if you need to downgrade your ASA from 8.3 to 8.2 at a
future date.
2. Warning messages and errors encountered during the upgrade process of
converting your configuration to 8.3 will be saved in a file
named upgrade_startup_errors_<timestamp>.log
Upgrade Paths
Cisco officially supports upgrading to ASA version 8.3 only from ASA version
8.2. Therefore, if you are currently running a version of ASA code prior to 8.2, you
will need to perform a stepwise upgrade. Please see the table below:
Current Train | Intermediate Upgrades | Final Train
--------------+-----------------------+------------
8.2           | none                  | 8.3
8.1           | 8.2                   | 8.3
8.0           | 8.2                   | 8.3
7.2           | 8.0 --> 8.2           | 8.3
7.1           | 7.2 --> 8.0 --> 8.2   | 8.3
7.0           | 7.2 --> 8.0 --> 8.2   | 8.3
Examples of Configuration Changes in 8.3
NAT
The NAT CLI configuration for 8.3 is radically different from anything you may be
used to. Therefore, for CLI users, it is recommended you ease into 8.3 with the
expectation that you will have to re-learn NAT. For those who view this as an
obstacle, we would recommend that you use ASDM or CSM or some other GUI tool
to configure the ASA - as the GUI configuration for 8.3 is largely the same.
That said, for CLI users, please do not upgrade to 8.3 on a Friday night just as you are
getting ready to go out of town for the weekend. Instead, it is recommended that you
play with it in a lab (if you have one), or read up on the changes (see Additional
Information below) before you upgrade. Ok, with that said, let's look at some
examples.

NAT Feature: Static NAT

pre-8.3 Configuration

static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255

8.3 Configuration, Option 1 (Preferred)

object network obj-10.1.1.6
 host 10.1.1.6
 nat (inside,outside) static 209.165.201.15

8.3 Configuration, Option 2

object network server_real
 host 10.1.1.6
object network server_global
 host 209.165.201.15
!
nat (inside,outside) source static server_real server_global

NAT Feature: Dynamic PAT

pre-8.3 Configuration

nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.254

8.3 Configuration

object network internal_net
 subnet 10.1.1.0 255.255.255.0
!
object network internal_net
 nat (inside,outside) dynamic 209.165.201.254

NAT Feature: Dynamic NAT with Interface Overload

pre-8.3 Configuration

nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 209.165.201.1-209.165.201.2

8.3 Configuration

object network NAT_Pool
 range 209.165.201.2 209.165.201.50
object network internal_net
 subnet 10.1.1.0 255.255.255.0
!
object network internal_net
 nat (inside,outside) dynamic NAT_Pool interface
ACL Changes
Although the syntax of the ACLs hasn't changed much (just added capabilities for
new objects), the significant change is that all IP addresses listed in ACLs which are
applied to an interface will be converted (on upgrade) from using global (i.e.,
translated or post-NAT) IP addresses to using the real IP address. Let's look at an
example.

In the above topology, an internal web server (with IP 10.1.1.6) is being protected by
an ASA.
Clients on the Internet access this web server by its public IP
address: 209.165.201.15. Prior to version 8.3, the interface ACL would permit
traffic to the public IP 209.165.201.15. But, starting with 8.3, the real IP 10.1.1.6 is
used in the configuration. Please see the configuration examples below.
pre-8.3 Configuration
static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255
!
access-list outside_in extended permit tcp any host 209.165.201.15
access-group outside_in in interface outside
8.3 Configuration
object network obj-10.1.1.6
 host 10.1.1.6
 nat (inside,outside) static 209.165.201.15
!
access-list outside_in extended permit tcp any host 10.1.1.6
access-group outside_in in interface outside
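The sketch below reproduces the ACL change shown above so that an expected post-upgrade ACL can be compared with what the ASA actually generated. It is an added example, not Cisco's conversion logic and not part of the original document; it assumes host-only static rules (netmask 255.255.255.255) and inbound access-group bindings, rewrites any matching host operand, and its function name is hypothetical.

```python
import re

# Constructed sample: the pre-8.3 configuration from the example above.
PRE_83_CONFIG = """\
static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255
!
access-list outside_in extended permit tcp any host 209.165.201.15
access-group outside_in in interface outside
"""

# Pre-8.3 host static: static (real_if,mapped_if) <mapped IP> <real IP> netmask /32
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\S+?),(?P<mapped_if>\S+?)\) "
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+) (?P<real>\d+\.\d+\.\d+\.\d+) "
    r"netmask 255\.255\.255\.255$"
)
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def convert_acls(config):
    """Rewrite interface ACL entries from global (mapped) IPs to real IPs.

    Returns (converted_acl_lines, changes), where changes is a list of
    (acl_name, mapped_ip, real_ip). ACLs that are not applied to an
    interface are returned unchanged, as only interface ACLs are converted.
    """
    lines = [line.strip() for line in config.splitlines()]

    mapped_to_real = {}  # mapped interface -> {mapped IP: real IP}
    acl_interface = {}   # ACL name -> interface it is applied to (inbound)
    for line in lines:
        match = STATIC_RE.match(line)
        if match:
            per_if = mapped_to_real.setdefault(match["mapped_if"], {})
            per_if[match["mapped"]] = match["real"]
            continue
        match = ACCESS_GROUP_RE.match(line)
        if match:
            acl_interface[match.group(1)] = match.group(2)

    converted, changes = [], []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "access-list":
            continue
        name = tokens[1]
        # Translations visible on the interface this ACL is bound to, if any.
        table = mapped_to_real.get(acl_interface.get(name), {})
        for i in range(len(tokens) - 1):
            if tokens[i] == "host" and tokens[i + 1] in table:
                real_ip = table[tokens[i + 1]]
                changes.append((name, tokens[i + 1], real_ip))
                tokens[i + 1] = real_ip
        converted.append(" ".join(tokens))
    return converted, changes


if __name__ == "__main__":
    new_lines, changed = convert_acls(PRE_83_CONFIG)
    for acl_line in new_lines:
        print(acl_line)
    for acl, mapped_ip, real_ip in changed:
        print(f"! {acl}: {mapped_ip} -> {real_ip}")
```

Any entry this sketch rewrites but the upgraded configuration still shows with the global IP is worth checking against the upgrade_startup_errors_<timestamp>.log file.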
What to Do If You Run Into Problems with 8.3
1. Call in to the TAC, and they can help you.
2. Check the upgrade_startup_errors_<timestamp>.log on disk0: by using
the more disk0:/upgrade_startup_errors_<timestamp>.log command.
3. Downgrade to 8.2 using the downgrade <image> <config> command. This is
IMPORTANT! You must use the downgrade command, specifying the config
file on disk (which the 8.3 upgrade process saved).
Refer to the following video for this document:
https://supportforums.cisco.com/videos/2200
Reference from https://supportforums.cisco.com/docs/DOC-12690
Cisco nexus 7000 and nexus 7700
 
Cisco firepower ngips series migration options
Cisco firepower ngips series migration optionsCisco firepower ngips series migration options
Cisco firepower ngips series migration options
 
Eol transceiver to replacement model
Eol transceiver to replacement modelEol transceiver to replacement model
Eol transceiver to replacement model
 

Último

Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfROWELL MARQUINA
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 

Último (20)

Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
