How to Upgrade a Basic ASA Configuration to 8.4
The Cisco ASA has gone through several major evolutions in functionality and
configuration. Version 8.3, and with it 8.4, brought major changes to some aspects of
the configuration syntax, most visibly NAT. This article is the first in a series that will
compare and contrast the more familiar 8.2 syntax with that of the now available 8.4.
It starts with the simplest possible ASA 8.2 configuration and walks through the
upgrade process. After the upgrade is complete, the post-upgrade configuration is
compared to the pre-upgrade configuration.
The starting configuration is the default configuration of 8.2(1) on an ASA 5505 with
only a couple of exceptions. The first exception is that the boot command has
been used to force the appliance to boot into 8.2(1). The second exception is that
ICMP inspection is enabled for testing purposes. The configuration is shown as
follows:
ciscoasa# show run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa821-k8.bin
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
http://www.router-switch.com/
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#
The first step in upgrading the ASA software, assuming that the system
requirements are met (in particular the larger memory that 8.3 and later require;
show version reports the installed RAM), is copying the new operating system image
to flash. This can be done by first placing the new image on a TFTP server and issuing
a command on the ASA similar to the one below.
ciscoasa(config)# copy tftp://192.168.1.3/asa842-k8.bin flash:
// pressing Enter accepts the value shown in brackets
Address or name of remote host [192.168.1.3]?
Source filename [asa842-k8.bin]?
Destination filename [asa842-k8.bin]?
Accessing tftp://192.168.1.3/asa842-k8.bin !!!!!!!!!!!!!!!!!!!!
<snip>
Once the image is stored in flash, the ASA needs to be configured to boot from it.
It is worth confirming the copy first: dir disk0: should list the new file at its
expected size, and verify /md5 disk0:/asa842-k8.bin lets you compare the hash with
the one Cisco publishes next to the download. Then clear any existing line in the
configuration that instructs the appliance to boot a different image, configure the
ASA to boot the newly downloaded image, save, and reload the appliance.
ciscoasa#
ciscoasa(config)# clear configure boot
ciscoasa(config)# boot system disk0:/asa842-k8.bin
ciscoasa(config)# write memory
ciscoasa(config)# reload
During the reboot, configuration migration occurs. The new ASA image detects the
old commands and migrates them to their post-8.3 equivalents, but the migrated
configuration exists only in the running configuration at that point. To prevent the
migration from running again on subsequent reboots, the resulting running
configuration should be saved to the startup configuration. As the boot output below
shows, the migration also writes a copy of the original 8.2 startup configuration and
a log of any startup errors to flash. Keep both: the errors log tells you what did not
migrate cleanly, and the saved 8.2 configuration is what you would need for a
rollback, since 8.2 does not understand the object-based NAT syntax produced by
the migration.
Reading from flash...
!
REAL IP MIGRATION: WARNING
In this version access-lists used in 'access-group', 'class-map', 'dynamic-filter
classify-list', 'aaa match' will be migrated from using IP address/ports as seen on
interface, to their real values. If an access-list used by these features is shared with
per-user ACL then the original access-list has to be recreated. INFO: Note that
identical IP addresses or overlapping IP ranges on different interfaces are not
detectable by automated Real IP migration. If your deployment contains such
scenarios, please verify your migrated configuration is appropriate for those
overlapping addresses/ranges. Please also refer to the ASA 8.3 migration guide for a
complete explanation of the automated migration process.
INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file
'flash:8_2_1_0_startup_cfg.sav'
*** Output from config line 4, 'ASA Version 8.2(1) '
.
Cryptochecksum (unchanged): 5a96f887 33f90df0 d0e0a0be c30e1bf6
NAT migration logs:
INFO: NAT migration completed.
Real IP migration logs:
No ACL was changed as part of Real-ip migration
INFO: MIGRATION - Saving the startup errors to file
'flash:upgrade_startup_errors_201112261741.log'
Type help or '?' for a list of available commands.
ciscoasa> enable
ciscoasa# write memory
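The same procedure, with the checks a practitioner would wrap around it, as an added example that is not part of the original article. The TFTP server address and the image name are the ones used above; the backup file name and the MD5 placeholder are my own (substitute the hash Cisco publishes next to the image), and the errors-log file name is the one printed during the reload in this walkthrough and will differ on another appliance.

```text
! --- before the upgrade (still running 8.2) ---
ciscoasa# show version | include RAM
ciscoasa# copy running-config disk0:/pre-upgrade-8.2.cfg
ciscoasa# copy tftp://192.168.1.3/asa842-k8.bin disk0:/asa842-k8.bin
ciscoasa# dir disk0:
ciscoasa# verify /md5 disk0:/asa842-k8.bin <md5-published-by-cisco>
ciscoasa# configure terminal
ciscoasa(config)# clear configure boot
ciscoasa(config)# boot system disk0:/asa842-k8.bin
ciscoasa(config)# exit
ciscoasa# show bootvar
ciscoasa# write memory
ciscoasa# reload

! --- after the reload (now running 8.4, migrated config in running-config only) ---
ciscoasa> enable
ciscoasa# show version | include Version
ciscoasa# dir disk0:
ciscoasa# more disk0:/upgrade_startup_errors_201112261741.log
ciscoasa# show nat
ciscoasa# show running-config nat
ciscoasa# show running-config access-list
ciscoasa# write memory
```

The memory check up front is there because 8.3 and later need more RAM than 8.2 shipped with on several platforms; the hash check guards against a truncated or tampered image before you point the boot variable at it; and reading the errors log and the NAT table before the final write memory is the moment to catch anything the migration got wrong, while the saved 8.2 configuration is still the one in startup-config.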
To look at the new running configuration simply use the familiar show run
command. The output is shown below, with the areas changed by the upgrade
marked by // comments.
ciscoasa# show run
: Saved
:
ASA Version 8.4(2)
// previously showed ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
// inspect ip-options was added to the default inspection policy by the upgrade
!
service-policy global_policy global
prompt hostname context
// The following call-home configuration was added by the upgrade. The profile
// is present but inactive ("no active"); nothing is sent to Cisco unless it is enabled.
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:af09c14001b4efa36b79de8f31f84ca1
: end
ciscoasa#
Of the configuration changes, the most interesting and far-reaching concern NAT.
In this configuration the only NAT is the dynamic PAT of every inside host to the
address of the outside interface, and even that is expressed very differently after
the upgrade: the old global/nat pair becomes a network object with a NAT statement
attached to it.
// Commands in ASA 8.2
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
// Equivalent commands after migration to 8.4
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (inside,outside) dynamic interface
This article has demonstrated an upgrade to 8.4 of the simplest possible ASA
configuration. This configuration originated in 8.2 and had not itself been
migrated from an earlier version.
In other cases, other considerations may be necessary. For example, if an ASA is
using nat-control, that should be removed prior to the upgrade, since it is not
supported in 8.3 and later. More information about ASA version 8.4 can be found in
the release notes.
More Related Articles:
Cisco ASA 8.3, 8.4 Hairpinning NAT Configuration
Cisco ASA 8.4 vs. Typical NAT/PAT Configuration