ASA 8.3 Upgrade - What You Need to Know
First Things First
First, let's make sure we get one thing clear: upgrading your ASA from 8.2 to 8.3 is
NOT a minor upgrade! There are significant internal architectural changes around
NAT and ACLs in 8.3. And, more importantly to you (the customer), are the
following:
1. The NAT CLI commands are completely different from all previous versions of
ASA.
2. The IP addresses used in the ACLs are different (pre-8.3 versions used the
global/translated IPs, whereas 8.3 always uses the real (untranslated) IPs).
3. A new concept of host-based objects was introduced, to allow single hosts
to be referenced by their names (previously, we had the name command, but
that was more of a macro-substitution in the show running-config output).
Prerequisites to Upgrading
Many models of the ASA require a memory upgrade prior to upgrading the ASA to
version 8.3. Brand new ASAs from the factory (manufactured after Feb 2010) come
with the upgraded memory. However, if your ASA was manufactured before
February 2010, and is one of the models below requiring a memory upgrade, then
you will need to purchase the memory upgrade part prior to installing 8.3 on your
ASA.
Platform  License                             Pre-8.3 Memory  8.3 Memory Required  Memory Upgrade Part Number
5505      Unlimited (inside hosts=Unlimited)  256 MB          512 MB               ASA5505-MEM-512=
5505      Security Plus (failover=enabled)    256 MB          512 MB               ASA5505-MEM-512=
5505      All other licenses                  256 MB          256 MB               No Memory Upgrade Needed
5510      All licenses                        256 MB          1024 MB              ASA5510-MEM-1GB=
5520      All licenses                        512 MB          2048 MB *            ASA5520-MEM-2GB=
5540      All licenses                        1024 MB         2048 MB *            ASA5540-MEM-2GB=
5550      All licenses                        4096 MB         4096 MB              No Memory Upgrade Needed
5580      All licenses                        8-16 GB         8-16 GB              No Memory Upgrade Needed

*Note: The maximum memory supported for the ASA-5520 and ASA-5540 is 2 GB. If
you install 4 GB of memory in these units, they will go into a boot loop.
How to Determine How Much Memory Your ASA Has
From the CLI, you can issue the show version | include RAM command to see how
much memory your ASA has. In the following example, it is an ASA-5520 with 512
MB of RAM, and therefore would require a memory upgrade prior to installing 8.3 on
it.

ASA# show version | include RAM
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
For ASDM users, you can see the amount of RAM in the ASA from the ASDM Home
(Device Dashboard) page.
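The following pre-upgrade check is an added example (it is not part of this document and not Cisco's code): it parses the "Hardware: ..., N MB RAM" line from show version | include RAM output and compares the result against the memory table above. The table values, part numbers and the 2 GB ceiling on the 5520/5540 are taken from this document; the license-name strings accepted for the 5505 ("unlimited", "security plus", anything else) are an assumption of this script, and the sample output is constructed after the example above.

```python
import re

# Memory requirements (MB) and part numbers as listed in the table in this document.
# Only the 5505 requirement depends on the license; "max" records the 2 GB ceiling
# the note gives for the 5520/5540 (4 GB installed leads to a boot loop).
MEMORY_REQUIREMENTS = {
    "ASA5505": {"required": {"unlimited": 512, "security plus": 512, "default": 256},
                "part": "ASA5505-MEM-512="},
    "ASA5510": {"required": {"default": 1024}, "part": "ASA5510-MEM-1GB="},
    "ASA5520": {"required": {"default": 2048}, "part": "ASA5520-MEM-2GB=", "max": 2048},
    "ASA5540": {"required": {"default": 2048}, "part": "ASA5540-MEM-2GB=", "max": 2048},
    "ASA5550": {"required": {"default": 4096}, "part": None},   # no upgrade needed
    "ASA5580": {"required": {"default": 8192}, "part": None},   # 8-16 GB, no upgrade needed
}

# Matches the hardware line of 'show version', e.g. "Hardware: ASA5520, 512 MB RAM, CPU ..."
RAM_LINE = re.compile(r"Hardware:\s*(ASA\d{4}),\s*(\d+)\s*(MB|GB)\s+RAM", re.IGNORECASE)


def parse_show_version_ram(output):
    """Return (platform, ram_mb) from 'show version | include RAM' output."""
    m = RAM_LINE.search(output)
    if not m:
        raise ValueError("no 'Hardware: <platform>, <N> MB RAM' line found")
    platform, amount, unit = m.group(1).upper(), int(m.group(2)), m.group(3).upper()
    return platform, amount * (1024 if unit == "GB" else 1)


def check_memory_for_83(output, license_type="default"):
    """Decide whether this ASA can take 8.3 as-is.

    license_type matters only for the 5505 (assumed spellings: "unlimited",
    "security plus"; anything else counts as "all other licenses").
    Returns a dict whose 'verdict' is one of: ok, upgrade needed, over maximum,
    unknown platform.
    """
    platform, ram_mb = parse_show_version_ram(output)
    spec = MEMORY_REQUIREMENTS.get(platform)
    if spec is None:
        return {"platform": platform, "ram_mb": ram_mb, "verdict": "unknown platform"}
    key = license_type.lower() if platform == "ASA5505" else "default"
    required = spec["required"].get(key, spec["required"]["default"])
    result = {"platform": platform, "ram_mb": ram_mb,
              "required_mb": required, "part": spec["part"]}
    if "max" in spec and ram_mb > spec["max"]:
        result["verdict"] = "over maximum"      # the boot-loop case from the note
    elif ram_mb >= required:
        result["verdict"] = "ok"
    else:
        result["verdict"] = "upgrade needed"
    return result


# Constructed sample, modelled on the 'show version | include RAM' output shown above.
SAMPLE_OUTPUT = "Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz"

if __name__ == "__main__":
    verdict = check_memory_for_83(SAMPLE_OUTPUT)
    print("%(platform)s with %(ram_mb)d MB: %(verdict)s" % verdict)
    if verdict["verdict"] == "upgrade needed":
        print("order part %s (%d MB required)" % (verdict["part"], verdict["required_mb"]))
```

Paste the real show version output into SAMPLE_OUTPUT (or call check_memory_for_83 with it) before scheduling the upgrade; for a 5505, pass the license as the second argument.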
Why Does the ASA Need a Memory Upgrade?
This seems to be a fairly common question with customers: why exactly are we
requiring a memory upgrade in order to run 8.3? The reason is simple. The memory
on the ASAs has not been increased since they were originally introduced, yet as
the years have gone by new features have been added which require additional
memory at boot. The more memory the base image requires, the less memory
there is for things like ACLs, connections, IPSec tunnels, SSL tunnels,
etc. Additionally, as we introduce new features and customers adopt them, they
consume additional memory.
Remove nat-control from your ASA Configuration
nat-control is a legacy feature which was created to help users migrate from PIX 6.x
to PIX/ASA version 7.0 and higher. In PIX 6.x, if you wanted to pass traffic between
two interfaces, you were required to have a NAT configuration which would allow
it. PIX/ASA version 7.0 removed this restriction and made the behavior like that of
routers: ACLs control whether traffic is permitted or not, and NAT becomes
optional. However, in order to preserve the behavior for PIX customers, if a PIX
user upgraded from 6.x to 7.0, then the nat-control command was automatically
added to the configuration. The same is true of customers using the PIX to ASA
migration tool. Thus, there may still be a number of customers with nat-control in
their configuration who do not need it.
What happens if I remove the nat-control command?
Answer: Not much. Removing the command just means that traffic can flow
between interfaces without requiring a nat policy. Therefore, the security policy of
what traffic is permitted or denied is defined by your interface ACLs.
What happens if I leave the nat-control command in my configuration?
Answer: Since 8.3 no longer supports the nat-control command, the upgrade will add
equivalent nat commands to enforce a policy which requires explicit nat rules to
allow traffic to pass between interfaces. An example is shown below. Note that the
number of these rules increases exponentially with the number of interfaces on your
ASA. Thus, it is highly recommended that if your security policy (i.e. ACLs) is used to
control what traffic is allowed where, then you should issue no nat-control prior to
upgrading to ASA version 8.3. This will prevent the following nat rules from being
created; otherwise they will block traffic between interfaces until a more specific nat
policy is defined for that traffic.
pre-8.3 Configuration
nat-control

8.3 Configuration
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic obj-0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
 nat (inside,mgmt) dynamic obj-0.0.0.0
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
 nat (inside,dmz) dynamic obj-0.0.0.0
object network obj_any-03
 subnet 0.0.0.0 0.0.0.0
 nat (mgmt,outside) dynamic obj-0.0.0.0
object network obj_any-04
 subnet 0.0.0.0 0.0.0.0
 nat (dmz,outside) dynamic obj-0.0.0.0
object network obj_any-05
 subnet 0.0.0.0 0.0.0.0
 nat (dmz,mgmt) dynamic obj-0.0.0.0
If you forget to issue no nat-control prior to upgrading, then it is safe to remove the
all-zeros objects and their associated nat rules after the fact.
To view your current nat-control configuration, issue the command show run all
nat-control.
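To make the effect of a leftover nat-control concrete, here is an added Python example (not from this document or Cisco). The first function reproduces the shape of the generated configuration shown above for a given set of interfaces: one obj_any-NN object with a dynamic NAT rule per pair of interfaces, with obj-0.0.0.0 as the translated address. The second scans an 8.3 running-config for exactly those leftover objects so they can be reviewed and removed after the fact. The ordering of each pair (higher security level first) and the security levels in the constructed sample are assumptions; the object and rule names follow the document's example.

```python
from itertools import combinations


def predicted_nat_control_rules(interfaces):
    """Return the 8.3 config lines this document says the upgrade generates when
    nat-control is still present.

    interfaces: dict of nameif -> security level, e.g. {"inside": 100, "outside": 0}.
    One obj_any-NN object (plus a dynamic NAT rule to obj-0.0.0.0) is produced for
    every pair of interfaces. Ordering each pair from the higher-security interface
    to the lower one is an assumption made for this illustration.
    """
    ordered = sorted(interfaces, key=lambda name: -interfaces[name])  # highest first
    lines = ["object network obj-0.0.0.0", " host 0.0.0.0"]
    for index, (src, dst) in enumerate(combinations(ordered, 2)):
        name = "obj_any" if index == 0 else "obj_any-%02d" % index
        lines += ["object network %s" % name,
                  " subnet 0.0.0.0 0.0.0.0",
                  " nat (%s,%s) dynamic obj-0.0.0.0" % (src, dst)]
    return lines


def find_nat_control_leftovers(running_config):
    """Return the names of obj_any* objects whose NAT rule translates to obj-0.0.0.0,
    i.e. the objects to remove if 'no nat-control' was forgotten before the upgrade.
    Other objects (real static/dynamic NAT policy) are left alone.
    """
    leftovers, current = [], None
    for raw in running_config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif (line.startswith("nat (") and line.endswith("dynamic obj-0.0.0.0")
              and current is not None and current.startswith("obj_any")):
            if current not in leftovers:
                leftovers.append(current)
    return leftovers


# Constructed sample: the four interfaces from the document's example (security
# levels assumed) plus one legitimate object NAT rule that must not be flagged.
SAMPLE_INTERFACES = {"inside": 100, "dmz": 50, "mgmt": 40, "outside": 0}
SAMPLE_83_CONFIG = "\n".join(
    predicted_nat_control_rules(SAMPLE_INTERFACES)
    + ["object network obj-10.1.1.6", " host 10.1.1.6",
       " nat (inside,outside) static 209.165.201.15"])

if __name__ == "__main__":
    print("\n".join(predicted_nat_control_rules(SAMPLE_INTERFACES)))
    for obj in find_nat_control_leftovers(SAMPLE_83_CONFIG):
        print("leftover from nat-control: no object network %s" % obj)
```

Feeding the real show running-config text of an upgraded unit to find_nat_control_leftovers gives the list of objects to remove; with four interfaces the generator yields the same six rules that appear in the example above.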
How to Upgrade Your ASA to 8.3
Upgrading your ASA to 8.3 is the same process as all previous upgrades. Just copy
the image over to the flash, specify the file to boot, and then reboot your
ASA. Upon first boot, the ASA will auto-convert your 8.2 configuration into the new
syntax for NAT and ACLs required by 8.3. While your CLI commands will change, your
device's security policy will remain the same.
Please note that we only support upgrading to 8.3 from 8.2. Therefore, you need to
be running 8.2 on your ASA prior to upgrading to 8.3.
For ASAs in a failover pair, we do support upgrading from 8.2 to 8.3 with
zero downtime. Follow the same procedure you have in the past.
Note: During the upgrade process, the ASA will save two files on disk.
1. The current (pre-upgrade) configuration, in a file named <version>_startup_cfg.sav.
Example: disk0:/8_2_2_0_startup_cfg.sav
This file will be critical if you need to downgrade your ASA from 8.3 to 8.2 at a
future date.
2. Warning messages and errors encountered during the upgrade process of
converting your configuration to 8.3 will be saved in a file
named upgrade_startup_errors_<timestamp>.log.
Upgrade Paths
Cisco officially supports upgrading to ASA version 8.3 only from ASA version
8.2. Therefore, if you are currently running a version of ASA code prior to 8.2, you
will need to perform a stepwise upgrade. Please see the table below:
Current Train  Intermediate Upgrades  Final Train
8.2            none                   8.3
8.1            8.2                    8.3
8.0            8.2                    8.3
7.2            8.0 --> 8.2            8.3
7.1            7.2 --> 8.0 --> 8.2    8.3
7.0            7.2 --> 8.0 --> 8.2    8.3
Examples of Configuration Changes in 8.3
NAT
The NAT CLI configuration for 8.3 is radically different from anything you may be
used to. Therefore, for CLI users, it is recommended you ease into 8.3 with the
expectation that you will have to re-learn NAT. For those who view this as an
obstacle, we would recommend that you use ASDM or CSM or some other GUI tool
to configure the ASA, as the GUI configuration for 8.3 is largely the same.
That said, for CLI users, please do not upgrade to 8.3 on a Friday night just as you are
getting ready to go out of town for the weekend. Instead, it is recommended that you
play with it in a lab (if you have one), or read up on the changes (see Additional
Information below) before you upgrade. OK, with that said, let's look at some
examples.

NAT Feature: Static NAT
pre-8.3 Configuration
static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255
8.3 Configuration, Option 1 (Preferred)
object network obj-10.1.1.6
 host 10.1.1.6
 nat (inside,outside) static 209.165.201.15
8.3 Configuration, Option 2
object network server_real
 host 10.1.1.6
object network server_global
 host 209.165.201.15
!
nat (inside,outside) source static server_real server_global

NAT Feature: Dynamic PAT
pre-8.3 Configuration
nat (inside) 1 10.1.1.0 255.255.255.0
!
global (outside) 1 209.165.201.254
8.3 Configuration
object network internal_net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic 209.165.201.254

NAT Feature: Dynamic NAT with Interface Overload
pre-8.3 Configuration
nat (inside) 1 10.1.1.0 255.255.255.0
!
global (outside) 1 209.165.201.1-209.165.201.2
global (outside) 1 interface
8.3 Configuration
object network NAT_Pool
 range 209.165.201.2 209.165.201.50
object network internal_net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic NAT_Pool interface
ACL Changes
Although the syntax of the ACLs hasn't changed much (only capabilities for the
new objects were added), the significant change is that all IP addresses listed in ACLs
which are applied to an interface will be converted (on upgrade) from using global (i.e.
translated or post-NAT) IP addresses to using the real IP address. Let's look at an
example.
In the above topology, an internal web server (with IP 10.1.1.6) is being protected by
an ASA. Clients on the Internet access this web server by its public IP
address, 209.165.201.15. Prior to version 8.3, the interface ACL would permit
traffic to the public IP 209.165.201.15. But starting with 8.3, the real IP 10.1.1.6 is
used in the configuration. Please see the configuration examples below.
pre-8.3 Configuration
static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255
!
access-list outside_in extended permit tcp any host 209.165.201.15
access-group outside_in in interface outside

8.3 Configuration
object network obj-10.1.1.6
 host 10.1.1.6
 nat (inside,outside) static 209.165.201.15
!
access-list outside_in extended permit tcp any host 10.1.1.6
access-group outside_in in interface outside
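To check what the automatic conversion should produce for the static NAT and ACL cases above (both the NAT table's "Option 1" form and the ACL real-IP rewrite), here is an added Python example; it is not part of this document and is not Cisco's conversion code. It handles only one-to-one host statics with a 255.255.255.255 netmask and rewrites "host <mapped>" entries in access-list lines to the real address, which is the case the document illustrates; the sample input is constructed from the pre-8.3 configuration shown above, and the function names are this example's own.

```python
import re

# One-to-one host static: static (real_if,mapped_if) <mapped> <real> netmask 255.255.255.255
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+) (?P<real>\d+\.\d+\.\d+\.\d+) "
    r"netmask 255\.255\.255\.255$")


def parse_static_hosts(pre83_config):
    """Collect host statics as {mapped_ip: (real_ip, real_if, mapped_if)}."""
    mappings = {}
    for raw in pre83_config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if m:
            mappings[m.group("mapped")] = (m.group("real"), m.group("real_if"),
                                           m.group("mapped_if"))
    return mappings


def convert_static_nat(mappings):
    """Emit the 8.3 'Option 1' object NAT form for each host static."""
    lines = []
    for mapped, (real, real_if, mapped_if) in mappings.items():
        lines += ["object network obj-%s" % real,
                  " host %s" % real,
                  " nat (%s,%s) static %s" % (real_if, mapped_if, mapped)]
    return lines


def convert_acl_lines(pre83_config, mappings):
    """Rewrite 'host <mapped>' in access-list lines to 'host <real>', since 8.3
    ACLs use real (untranslated) addresses; access-group lines pass through."""
    out = []
    for raw in pre83_config.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            for mapped, (real, _real_if, _mapped_if) in mappings.items():
                line = re.sub(r"\bhost %s\b" % re.escape(mapped), "host %s" % real, line)
        if line.startswith(("access-list ", "access-group ")):
            out.append(line)
    return out


def convert_pre83(pre83_config):
    """Full conversion of the static-plus-ACL pattern: object NAT, then the ACL."""
    mappings = parse_static_hosts(pre83_config)
    return convert_static_nat(mappings) + ["!"] + convert_acl_lines(pre83_config, mappings)


# Constructed sample, copied from the pre-8.3 configuration above.
PRE83_SAMPLE = """\
static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255
!
access-list outside_in extended permit tcp any host 209.165.201.15
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    print("\n".join(convert_pre83(PRE83_SAMPLE)))
```

Running the block prints the same 8.3 configuration shown above; comparing its output with the converted running-config after the upgrade is a quick way to confirm that the ACL now references the real IP and that no entry was left pointing at the old global address.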
What to Do If You Run Into Problems with 8.3
1. Call in to the TAC, and they can help you.
2. Check the upgrade_startup_errors_<timestamp>.log on disk0: by using
the more disk0:/upgrade_startup_errors_<timestamp>.log command.
3. Downgrade to 8.2 using the downgrade <image> <config> command. This is
IMPORTANT! You must use the downgrade command, specifying the config
file on disk (which the 8.3 upgrade process saved).
Refer to the following video for this document:
https://supportforums.cisco.com/videos/2200