How to Upgrade a Basic ASA Configuration to 8.4
The Cisco ASA has gone through a few major evolutions in its functionality and configuration. Version 8.4 (as well as version 8.3) also brings major changes to some aspects of the configuration syntax. This article is the first in a series that will compare and contrast the configuration of the more familiar 8.2 syntax with that of the now available 8.4. This particular article starts out with the simplest possible ASA 8.2 configuration and looks at the upgrade process. After the upgrade is complete, the post-upgrade configuration is compared to the pre-upgrade configuration.

The starting configuration is a default configuration of 8.2(1) on an ASA 5505 with only a couple of exceptions. The first exception is that the "boot" command has been used to force the appliance to boot into 8.2(1). The second exception is that "icmp inspection" is enabled for testing purposes. The configuration is shown as follows:

ciscoasa# show run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa821-k8.bin
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#

The first step in upgrading the ASA software, assuming that the system requirements are met, is copying down the operating system image. This can be done by first placing the new image on a TFTP server and issuing a command on the ASA similar to the one below.

ciscoasa(config)# copy tftp://192.168.1.3/asa842-k8.bin flash:
//enter accepts what is in brackets
Address or name of remote host [192.168.1.3]?
Source filename [asa842-k8.bin]?
Destination filename [asa842-k8.bin]?
Accessing tftp://192.168.1.3/asa842-k8.bin !!!!!!!!!!!!!!!!!!!!
<—Snip—>

Now that the image should be successfully stored in flash, the ASA needs to be configured to boot from it. To do this, clear any existing line in the configuration that instructs the appliance to boot to another image. Then configure the ASA to boot to the newly downloaded image. Finally, reboot the ASA appliance.

ciscoasa#
ciscoasa(config)# clear configure boot
ciscoasa(config)# boot system disk0:/asa842-k8.bin
ciscoasa(config)# write memory
ciscoasa(config)# reload

During the reboot process, configuration migration will occur. The new ASA operating system image detects the old commands and migrates them to the post-8.3 equivalent commands. In order to prevent migration from occurring on subsequent reboots, the resulting running configuration should be saved to the startup configuration.

Reading from flash…
!
REAL IP MIGRATION: WARNING
In this version access-lists used in ‘access-group’, ‘class-map’, ‘dynamic-filter classify-list’, ‘aaa match’ will be migrated from using IP address/ports as seen on interface, to their real values. If an access-list used by these features is shared with per-user ACL then the original access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on different interfaces are not detectable by automated Real IP migration. If your deployment contains such scenarios, please verify your migrated configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete explanation of the automated migration process.
INFO: MIGRATION – Saving the startup configuration to file
INFO: MIGRATION – Startup configuration saved to file ‘flash:8_2_1_0_startup_cfg.sav’
*** Output from config line 4, “ASA Version 8.2(1) ”.
Cryptochecksum (unchanged): 5a96f887 33f90df0 d0e0a0be c30e1bf6
NAT migration logs:
INFO: NAT migration completed.
Real IP migration logs:
No ACL was changed as part of Real-ip migration
INFO: MIGRATION – Saving the startup errors to file ‘flash:upgrade_startup_errors_201112261741.log’
Type help or ‘?’ for a list of available commands.
ciscoasa> en
ciscoasa# write memory

To look at the new running configuration, simply use the familiar show run command. The output is shown below with the modified areas annotated by // comments.

ciscoasa# show run
: Saved
:
ASA Version 8.4(2)
//Previously showed ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa842-k8.bin
//Previous configuration:
//boot system disk0:/asa821-k8.bin
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
//The above two commands were added
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
//The above two commands were added
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ip-options
!
service-policy global_policy global
//The following configuration was added
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:af09c14001b4efa36b79de8f31f84ca1
: end
ciscoasa#

Of the configuration changes, the most interesting and prevalent ones have to do with the global PAT configuration. When compared with the previous version, the commands are vastly different after upgrading to version 8.4.

//Commands in ASA 8.2
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

//Equivalent commands in 8.4
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (inside,outside) dynamic interface

This article has demonstrated an upgrade to 8.4 of the simplest possible ASA configuration. This ASA configuration originated in 8.2 and had not been migrated from previous versions. In other cases, other considerations may be necessary. For example, if an ASA is using "nat-control", that should be eliminated prior to the upgrade process. More information about ASA version 8.4 can be found in the release notes.

More Related Articles:
Cisco ASA 8.3, 8.4 Hairpinning NAT Configuration
Cisco ASA 8.4 vs. Typical NAT/PAT Configuration

http://www.router-switch.com/
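As an added illustration (not code from the article or from Cisco), the following Python script performs the same 8.2-to-8.4 translation the article shows for interface PAT: it pairs each 8.2 "nat" statement with the "global" statement sharing its NAT id and emits the 8.4 object-NAT form, and it flags "nat-control" as something to remove before the upgrade. The object name obj_any comes from the article; the "obj-<network>" naming for other subnets, the nat-control check, and the sample input are assumptions of this example.

```python
import re
from ipaddress import IPv4Network

# 8.2 syntax handled here:
#   global (<mapped_ifc>) <id> interface
#   nat (<real_ifc>) <id> <real_ip> <real_mask>
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")

def object_name(net):
    """obj_any for 0.0.0.0/0 as in the article; 'obj-<network>' otherwise (assumed naming)."""
    return "obj_any" if net.prefixlen == 0 else f"obj-{net.network_address}"

def preupgrade_findings(config):
    """Lines the article says to eliminate before upgrading (nat-control)."""
    return [ln.strip() for ln in config.splitlines() if ln.strip() == "nat-control"]

def migrate_pat(config):
    """Emit 8.4 object-NAT lines for each 8.2 nat/global pair that shares a NAT id."""
    globals_, nats, out = {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            globals_[m[2]] = (m[1], m[3])          # id -> (mapped ifc, mapped target)
        elif m := NAT_RE.match(line):
            nats.append((m[2], m[1], m[3], m[4]))   # (id, real ifc, real ip, real mask)
    for nat_id, real_ifc, ip, mask in nats:
        if nat_id == "0":
            continue  # nat 0 is identity/exempt NAT, not dynamic PAT; out of scope here
        if nat_id not in globals_:
            raise ValueError(f"nat id {nat_id} has no matching global statement")
        mapped_ifc, target = globals_[nat_id]
        if target != "interface":
            raise NotImplementedError("only interface PAT is translated here")
        net = IPv4Network(f"{ip}/{mask}")   # raises if host bits are set in the real subnet
        out += [f"object network {object_name(net)}",
                f" subnet {net.network_address} {net.netmask}",
                f" nat ({real_ifc},{mapped_ifc}) dynamic interface"]
    return out

# Constructed sample: the article's 8.2 PAT pair plus a nat-control line.
SAMPLE_82 = """nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

if __name__ == "__main__":
    print("\n".join(migrate_pat(SAMPLE_82)))
    print("remove before upgrade:", preupgrade_findings(SAMPLE_82))
```

The subnet and nat lines are emitted under a single object block; show run on 8.4 displays them in two places, as the article's output shows, but the meaning is the same.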