SlideShare una empresa de Scribd logo

How to upgrade a basic asa configuration to 8.4

IT Tech
IT Tech

How to Upgrade a Basic ASA Configuration to 8.4

Tecnología
1 de 8
Descargar para leer sin conexión
How to Upgrade a Basic ASA Configuration to 8.4? The Cisco ASA has gone through a few major evolution regarding its functionality and configuration. Version 8.4 (as well version 8.3) also results in major changes in some aspects of the configuration syntax. This article is a first in a series that will compare and contrast the configuration of the more familiar 8.2 syntax to that of the now available 8.4. This particular article starts out with the simplest possible ASA 8.2 configuration and looks at the upgrade process. After the upgrade is complete, the post-upgrade configuration is compared to the pre-upgrade configuration. The starting configuration is a default configuration of 8.2(1) on an ASA 5505with only a couple of exceptions. The first exception is that the “boot” command has been used to force the appliance to boot into 8.2(1). The second exception is that “icmp inspection” is enabled for testing purposes. The configuration is shown as follows: ciscoasa# show run : Saved : ASA Version 8.2(1) ! hostnameciscoasa enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Vlan1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address dhcpsetroute ! boot system disk0:/asa821-k8.bin ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! http://www.router-switch.com/
interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive pager lines 24 logging asdm informational mtu outside 1500 mtu inside 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdowncoldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh timeout 5 console timeout 0 dhcpdauto_config outside ! dhcpd address 192.168.1.5-192.168.1.36 inside dhcpd enable inside ! threat-detection basic-threat http://www.router-switch.com/
threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn ! class-mapinspection_default match default-inspection-traffic ! ! policy-map type inspect dnspreset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dnspreset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect icmp ! service-policyglobal_policy global prompt hostname context Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e : end ciscoasa# The first step in upgrading the ASA software, assuming that the system requirments are met, is copying down the Operating System image. This can be done by first placing the new image on a tftp server and issuing a command on the ASA that is similar to the one below. ciscoasa(config)# copy tftp://192.168.1.3/asa842-k8.bin flash: //enter accepts what is in brackets Address or name of remote host [192.168.1.3]? Source filename [asa842-k8.bin]? http://www.router-switch.com/
Destination filename [asa842-k8.bin]? Accessing tftp://192.168.1.3/asa842-k8.bin !!!!!!!!!!!!!!!!!!!! <—Snip—> Now that the image should be successfully stored in flash, the ASA needs to be configured to boot from it. To do this, clear any existing line in the configuration that instructs the appliance to boot to another image. Then configure the ASA to boot to the newly downloaded image. Finally, reboot the ASA appliance. ciscoasa# ciscoasa(config)# clear configure boot ciscoasa(config)# boot system disk0:/asa842-k8.bin ciscoasa(config)#write memory ciscoasa(config)#reload During the reboot process, configuration migration will occur. The new ASA Operating System image detects the old commands and migrates them to the post 8.3 equivalent commands. In order to prevent migration from occurring with subsequent reboots, the resulting running configuration should be saved to the startup configuration. Reading from flash… ! REAL IP MIGRATION: WARNING In this version access-lists used in ‘access-group’, ‘class-map’,'dynamic-filter classify-list’, ‘aaa match’ will be migrated from using IP address/ports as seen on interface, to their real values. If an access-list used by these features is shared with per-user ACL then the original access-list has to be recreated. INFO: Note that identical IP addresses or overlapping IP ranges on different interfaces are not detectable by automated Real IP migration. If your deployment contains such scenarios, please verify your migrated configuration is appropriate for those overlapping addresses/ranges. Please also refer to the ASA 8.3 migration guide for a complete explanation of the automated migration process. INFO: MIGRATION – Saving the startup configuration to file INFO: MIGRATION – Startup configuration saved to file ‘flash:8_2_1_0_startup_cfg.sav’ *** Output from config line 4, “ASA Version 8.2(1) ” . Cryptochecksum (unchanged): 5a96f887 33f90df0 d0e0a0be c30e1bf6 NAT migration logs: INFO: NAT migration completed. Real IP migration logs: http://www.router-switch.com/
No ACL was changed as part of Real-ip migration INFO: MIGRATION – Saving the startup errors to file ‘flash:upgrade_startup_errors_201112261741.log’ Type help or ‘?’ for a list of available commands. ciscoasa>en ciscoasa#write memory To look at the new running configuration simply use the familiar show run command. The output is shown below with modified areas in bold text. ciscoasa# show run : Saved : ASA Version 8.4(2) //Previously Showed ASA Version 8.2(1) ! hostnameciscoasa enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! http://www.router-switch.com/
interface Vlan2 nameif outside security-level 0 ip address dhcpsetroute ! boot system disk0:/asa842-k8.bin //Previously Configuration //boot system disk0:/asa821-k8.bin ftp mode passive object network obj_any subnet 0.0.0.0 0.0.0.0 //The above two commands were added pager lines 24 logging asdm informational mtu inside 1500 mtu outside 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 ! object network obj_any nat (inside,outside) dynamic interface //The above two commands were added timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdowncoldstart telnet timeout 5 ssh timeout 5 console timeout 0 dhcpdauto_config outside http://www.router-switch.com/
! dhcpd address 192.168.1.5-192.168.1.36 inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn ! class-mapinspection_default match default-inspection-traffic ! ! policy-map type inspect dnspreset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dnspreset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect icmp inspect ip-options ! service-policyglobal_policy global //The Following Configuration was added prompt hostname context call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService http://www.router-switch.com/
destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:af09c14001b4efa36b79de8f31f84ca1 : end ciscoasa# Of the configuration changes, the more interesting and prevalent changes have to do with the global PAT configuration. When comparing these with the previous version, the commands are vastly different after upgrading to version 8.4. //Commands in ASA 8.2 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 //Equivalent Commands in 8.4 object network obj_any subnet 0.0.0.0 0.0.0.0 object network obj_any nat (inside,outside) dynamic interface This article has demonstrated an upgrade to 8.4 of the simplest possible ASA configuration. This ASA configuration was originated in 8.2 and had not been migrated from previous versions. In other cases, other considerations may be necessary. For example, if an ASA is using “nat-control”, that should be eliminated prior to the upgrade process. More information about ASA version 8.4 can be found in the release notes. More Related Articles: Cisco ASA 8.3, 8.4 Hairpinning NAT Configuration Cisco ASA 8.4 vs. Typical NAT/PAT Configuration http://www.router-switch.com/

Recomendados

Tiempos pasados
Tiempos pasadosTiempos pasados
Tiempos pasadosEnrique Toro Gonzalez
 
Apuntes
ApuntesApuntes
Apuntesprofevero
 
La Mujer es una Mujer no un Hombre
La Mujer es una Mujer no un HombreLa Mujer es una Mujer no un Hombre
La Mujer es una Mujer no un Hombreguest8252b7
 
Presentaciòn de archivos no periodìsticos
Presentaciòn de archivos no periodìsticosPresentaciòn de archivos no periodìsticos
Presentaciòn de archivos no periodìsticosMochila
 
Estudiar
EstudiarEstudiar
Estudiarjpaga12
 
Tema 3. tratamiento de imágenes.
Tema 3. tratamiento de imágenes.Tema 3. tratamiento de imágenes.
Tema 3. tratamiento de imágenes.SaraGomez1996
 
Fatiga crónica
Fatiga crónicaFatiga crónica
Fatiga crónicaJONNATAN TORO
 
Mala Madre
Mala MadreMala Madre
Mala MadreMaisu
 

Más contenido relacionado

Destacado

Sitio Web Kayak.com
Sitio Web Kayak.com Sitio Web Kayak.com
Sitio Web Kayak.com refu33
 
Acens Cloud hosting en El Economista (9-febrero-2011)
Acens Cloud hosting en El Economista (9-febrero-2011) Acens Cloud hosting en El Economista (9-febrero-2011)
Acens Cloud hosting en El Economista (9-febrero-2011) Acens
 
Reporte de diseño de un folleto
Reporte de diseño de un folletoReporte de diseño de un folleto
Reporte de diseño de un folletoIvan Zoquiapa
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)theijes
 
Seguridad Protocolos
Seguridad ProtocolosSeguridad Protocolos
Seguridad Protocolosguestea241d
 
Protocolos y servicios informáticos
Protocolos y servicios informáticosProtocolos y servicios informáticos
Protocolos y servicios informáticosalepeor
 
[FISPE-SSI] Documento final estudio U-020 - Resumen Ejecutivo
[FISPE-SSI] Documento final estudio U-020 - Resumen Ejecutivo[FISPE-SSI] Documento final estudio U-020 - Resumen Ejecutivo
[FISPE-SSI] Documento final estudio U-020 - Resumen EjecutivoTMGT
 
Periodismo y Nuevas Tecnologías Parte I
Periodismo y Nuevas Tecnologías Parte IPeriodismo y Nuevas Tecnologías Parte I
Periodismo y Nuevas Tecnologías Parte Itumbo
 
Protocolos de enrutamiento
Protocolos de enrutamientoProtocolos de enrutamiento
Protocolos de enrutamientocomunicacion
 
Acens Cloud hosting en El Economista (17-marzo-2011)
Acens Cloud hosting en El Economista (17-marzo-2011)Acens Cloud hosting en El Economista (17-marzo-2011)
Acens Cloud hosting en El Economista (17-marzo-2011)Acens
 
Sphemro
SphemroSphemro
SphemroEspol
 
Tarea 1 de sistema de la informacion
Tarea 1 de sistema de la informacionTarea 1 de sistema de la informacion
Tarea 1 de sistema de la informacionDiego Nauto
 

Destacado (19)

Sitio Web Kayak.com
Sitio Web Kayak.com Sitio Web Kayak.com
Sitio Web Kayak.com
 
Acens Cloud hosting en El Economista (9-febrero-2011)
Acens Cloud hosting en El Economista (9-febrero-2011) Acens Cloud hosting en El Economista (9-febrero-2011)
Acens Cloud hosting en El Economista (9-febrero-2011)
 
Reporte de diseño de un folleto
Reporte de diseño de un folletoReporte de diseño de un folleto
Reporte de diseño de un folleto
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)
 
modelo OSI
modelo OSImodelo OSI
modelo OSI
 
Seguridad Protocolos
Seguridad ProtocolosSeguridad Protocolos
Seguridad Protocolos
 
Switch
SwitchSwitch
Switch
 
Archivos
ArchivosArchivos
Archivos
 
Protocolos y servicios informáticos
Protocolos y servicios informáticosProtocolos y servicios informáticos
Protocolos y servicios informáticos
 
[FISPE-SSI] Documento final estudio U-020 - Resumen Ejecutivo
[FISPE-SSI] Documento final estudio U-020 - Resumen Ejecutivo[FISPE-SSI] Documento final estudio U-020 - Resumen Ejecutivo
[FISPE-SSI] Documento final estudio U-020 - Resumen Ejecutivo
 
Periodismo y Nuevas Tecnologías Parte I
Periodismo y Nuevas Tecnologías Parte IPeriodismo y Nuevas Tecnologías Parte I
Periodismo y Nuevas Tecnologías Parte I
 
Protocolos de enrutamiento
Protocolos de enrutamientoProtocolos de enrutamiento
Protocolos de enrutamiento
 
Teoria e analisi del cinema 4. Allen e il suo pubblico
Teoria e analisi del cinema 4. Allen e il suo pubblicoTeoria e analisi del cinema 4. Allen e il suo pubblico
Teoria e analisi del cinema 4. Allen e il suo pubblico
 
Acens Cloud hosting en El Economista (17-marzo-2011)
Acens Cloud hosting en El Economista (17-marzo-2011)Acens Cloud hosting en El Economista (17-marzo-2011)
Acens Cloud hosting en El Economista (17-marzo-2011)
 
Pasos
PasosPasos
Pasos
 
taller 12
taller 12taller 12
taller 12
 
Computer part
Computer partComputer part
Computer part
 
Sphemro
SphemroSphemro
Sphemro
 
Tarea 1 de sistema de la informacion
Tarea 1 de sistema de la informacionTarea 1 de sistema de la informacion
Tarea 1 de sistema de la informacion
 

Más de IT Tech

Cisco ip phone key expansion module setup
Cisco ip phone key expansion module setupCisco ip phone key expansion module setup
Cisco ip phone key expansion module setupIT Tech
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideIT Tech
 
Cisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideCisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideIT Tech
 
Hpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideHpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideIT Tech
 
The new cisco isr 4461 faq
The new cisco isr 4461 faqThe new cisco isr 4461 faq
The new cisco isr 4461 faqIT Tech
 
New nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesNew nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesIT Tech
 
Tested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresTested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresIT Tech
 
Aruba campus and branch switching solution
Aruba campus and branch switching solutionAruba campus and branch switching solution
Aruba campus and branch switching solutionIT Tech
 
Cisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesCisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesIT Tech
 
Cisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesCisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesIT Tech
 
Cisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesCisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesIT Tech
 
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellCompetitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellIT Tech
 
Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000IT Tech
 
The difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexThe difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexIT Tech
 
Cisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesCisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesIT Tech
 
Guide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesGuide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesIT Tech
 
892 f sfp configuration example
892 f sfp configuration example892 f sfp configuration example
892 f sfp configuration exampleIT Tech
 
Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700IT Tech
 
Cisco firepower ngips series migration options
Cisco firepower ngips series migration optionsCisco firepower ngips series migration options
Cisco firepower ngips series migration optionsIT Tech
 
Eol transceiver to replacement model
Eol transceiver to replacement modelEol transceiver to replacement model
Eol transceiver to replacement modelIT Tech
 

Más de IT Tech (20)

Cisco ip phone key expansion module setup
Cisco ip phone key expansion module setupCisco ip phone key expansion module setup
Cisco ip phone key expansion module setup
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guide
 
Cisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideCisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guide
 
Hpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideHpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guide
 
The new cisco isr 4461 faq
The new cisco isr 4461 faqThe new cisco isr 4461 faq
The new cisco isr 4461 faq
 
New nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesNew nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switches
 
Tested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresTested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi features
 
Aruba campus and branch switching solution
Aruba campus and branch switching solutionAruba campus and branch switching solution
Aruba campus and branch switching solution
 
Cisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesCisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switches
 
Cisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesCisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switches
 
Cisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesCisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modes
 
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellCompetitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
 
Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000
 
The difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexThe difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fex
 
Cisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesCisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches series
 
Guide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesGuide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 series
 
892 f sfp configuration example
892 f sfp configuration example892 f sfp configuration example
892 f sfp configuration example
 
Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700
 
Cisco firepower ngips series migration options
Cisco firepower ngips series migration optionsCisco firepower ngips series migration options
Cisco firepower ngips series migration options
 
Eol transceiver to replacement model
Eol transceiver to replacement modelEol transceiver to replacement model
Eol transceiver to replacement model
 

Último

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Français Patch Tuesday - Avril
Français Patch Tuesday - AvrilFrançais Patch Tuesday - Avril
Français Patch Tuesday - AvrilIvanti
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 

Último (20)

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.
 
Français Patch Tuesday - Avril
Français Patch Tuesday - AvrilFrançais Patch Tuesday - Avril
Français Patch Tuesday - Avril
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 

How to upgrade a basic asa configuration to 8.4

  • 1. How to Upgrade a Basic ASA Configuration to 8.4? The Cisco ASA has gone through a few major evolution regarding its functionality and configuration. Version 8.4 (as well version 8.3) also results in major changes in some aspects of the configuration syntax. This article is a first in a series that will compare and contrast the configuration of the more familiar 8.2 syntax to that of the now available 8.4. This particular article starts out with the simplest possible ASA 8.2 configuration and looks at the upgrade process. After the upgrade is complete, the post-upgrade configuration is compared to the pre-upgrade configuration. The starting configuration is a default configuration of 8.2(1) on an ASA 5505with only a couple of exceptions. The first exception is that the “boot” command has been used to force the appliance to boot into 8.2(1). The second exception is that “icmp inspection” is enabled for testing purposes. The configuration is shown as follows: ciscoasa# show run : Saved : ASA Version 8.2(1) ! hostnameciscoasa enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Vlan1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address dhcpsetroute ! boot system disk0:/asa821-k8.bin ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! http://www.router-switch.com/
  • 2. interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive pager lines 24 logging asdm informational mtu outside 1500 mtu inside 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdowncoldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh timeout 5 console timeout 0 dhcpdauto_config outside ! dhcpd address 192.168.1.5-192.168.1.36 inside dhcpd enable inside ! threat-detection basic-threat http://www.router-switch.com/
  • 3. threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn ! class-mapinspection_default match default-inspection-traffic ! ! policy-map type inspect dnspreset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dnspreset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect icmp ! service-policyglobal_policy global prompt hostname context Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e : end ciscoasa# The first step in upgrading the ASA software, assuming that the system requirments are met, is copying down the Operating System image. This can be done by first placing the new image on a tftp server and issuing a command on the ASA that is similar to the one below. ciscoasa(config)# copy tftp://192.168.1.3/asa842-k8.bin flash: //enter accepts what is in brackets Address or name of remote host [192.168.1.3]? Source filename [asa842-k8.bin]? http://www.router-switch.com/
  • 4. Destination filename [asa842-k8.bin]? Accessing tftp://192.168.1.3/asa842-k8.bin !!!!!!!!!!!!!!!!!!!! <—Snip—> Now that the image should be successfully stored in flash, the ASA needs to be configured to boot from it. To do this, clear any existing line in the configuration that instructs the appliance to boot to another image. Then configure the ASA to boot to the newly downloaded image. Finally, reboot the ASA appliance. ciscoasa# ciscoasa(config)# clear configure boot ciscoasa(config)# boot system disk0:/asa842-k8.bin ciscoasa(config)#write memory ciscoasa(config)#reload During the reboot process, configuration migration will occur. The new ASA Operating System image detects the old commands and migrates them to the post 8.3 equivalent commands. In order to prevent migration from occurring with subsequent reboots, the resulting running configuration should be saved to the startup configuration. Reading from flash… ! REAL IP MIGRATION: WARNING In this version access-lists used in ‘access-group’, ‘class-map’,'dynamic-filter classify-list’, ‘aaa match’ will be migrated from using IP address/ports as seen on interface, to their real values. If an access-list used by these features is shared with per-user ACL then the original access-list has to be recreated. INFO: Note that identical IP addresses or overlapping IP ranges on different interfaces are not detectable by automated Real IP migration. If your deployment contains such scenarios, please verify your migrated configuration is appropriate for those overlapping addresses/ranges. Please also refer to the ASA 8.3 migration guide for a complete explanation of the automated migration process. INFO: MIGRATION – Saving the startup configuration to file INFO: MIGRATION – Startup configuration saved to file ‘flash:8_2_1_0_startup_cfg.sav’ *** Output from config line 4, “ASA Version 8.2(1) ” . Cryptochecksum (unchanged): 5a96f887 33f90df0 d0e0a0be c30e1bf6 NAT migration logs: INFO: NAT migration completed. Real IP migration logs: http://www.router-switch.com/
  • 5. No ACL was changed as part of Real-ip migration INFO: MIGRATION – Saving the startup errors to file ‘flash:upgrade_startup_errors_201112261741.log’ Type help or ‘?’ for a list of available commands. ciscoasa>en ciscoasa#write memory To look at the new running configuration simply use the familiar show run command. The output is shown below with modified areas in bold text. ciscoasa# show run : Saved : ASA Version 8.4(2) //Previously Showed ASA Version 8.2(1) ! hostnameciscoasa enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! http://www.router-switch.com/
  • 6. interface Vlan2 nameif outside security-level 0 ip address dhcpsetroute ! boot system disk0:/asa842-k8.bin //Previously Configuration //boot system disk0:/asa821-k8.bin ftp mode passive object network obj_any subnet 0.0.0.0 0.0.0.0 //The above two commands were added pager lines 24 logging asdm informational mtu inside 1500 mtu outside 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 ! object network obj_any nat (inside,outside) dynamic interface //The above two commands were added timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdowncoldstart telnet timeout 5 ssh timeout 5 console timeout 0 dhcpdauto_config outside http://www.router-switch.com/
  • 7. ! dhcpd address 192.168.1.5-192.168.1.36 inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn ! class-mapinspection_default match default-inspection-traffic ! ! policy-map type inspect dnspreset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dnspreset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect icmp inspect ip-options ! service-policyglobal_policy global //The Following Configuration was added prompt hostname context call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService http://www.router-switch.com/
  • 8. destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:af09c14001b4efa36b79de8f31f84ca1 : end ciscoasa# Of the configuration changes, the more interesting and prevalent changes have to do with the global PAT configuration. When comparing these with the previous version, the commands are vastly different after upgrading to version 8.4. //Commands in ASA 8.2 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 //Equivalent Commands in 8.4 object network obj_any subnet 0.0.0.0 0.0.0.0 object network obj_any nat (inside,outside) dynamic interface This article has demonstrated an upgrade to 8.4 of the simplest possible ASA configuration. This ASA configuration was originated in 8.2 and had not been migrated from previous versions. In other cases, other considerations may be necessary. For example, if an ASA is using “nat-control”, that should be eliminated prior to the upgrade process. More information about ASA version 8.4 can be found in the release notes. More Related Articles: Cisco ASA 8.3, 8.4 Hairpinning NAT Configuration Cisco ASA 8.4 vs. Typical NAT/PAT Configuration http://www.router-switch.com/