SlideShare a Scribd company logo

Asa 7 to 9 migration

Download as PPTX, PDF
Ilham Perdana
Ilham Perdana

Konversi dari command PIX/ASA 7.2(x) ke ASA 9.x. Perbedaan di NAT dan Access Rule antara versi sebelum ASA 8.3 dan setelah ASA 8.3. Versi draft sebelum presentasi ke customer.

Technology
1 of 24
ASA 7.2 to 9.1 Command Migration APPLIANCE MIGRATION FROM ASA 5540 TO ASA 5545-X (DRAFT) V1.0
Migrated Features  Real IP addresses in access lists for several supported features, you must use the real, untranslated IP address and ports  NAT The NAT feature has been redesigned for increased flexibility and functionality  Named Network and Service Objects Network and service objects are automatically created for NAT.
Features That Use Real IP Addresses  access-group command  Modular Policy Framework match access-list command  Botnet Traffic Filter dynamic-filter enable classify-list command  AAA aaa ... match commands  WCCP wccp redirect-list group-list command (not automatically migrated)
Features That Use Real IP Addresses ASDM Real IP addresses are now used in the following features instead of mapped addresses:  Access Rules  AAA Rules  Service Policy Rules  Botnet Traffic Filter classification  WCCP redirection (not automatically migrated)
Features That Continue to Use Mapped IP Addresses The following features use access lists, but these access lists will continue to use the mapped values as seen on an interface:  IPSec access lists  capture command access lists  Per-user access lists  Routing protocol access lists  All other feature access lists...
Sample Real IP Address Migration Static NAT with ingress access group Old Configuration static (inside,outside) 172.23.57.1 10.50.50.50 netmask 255.255.255.255 access-list 1 permit ip any host 172.23.57.1 access-group 1 in interface outside Migrated Configuration access-list 1 permit ip any host 10.50.50.50 access-group 1 in interface outside
Sample Real IP Address Migration Access group with deny/permit ACEs Old Configuration global (outside) 1 10.10.10.128-10.10.10.255 nat (inside) 1 172.16.10.0 255.255.255.0 access-list 100 extended deny ip any host 10.10.10.210 access-list 100 extended permit ip any 10.10.10.211 255.255.255.128 access-group 100 in interface outside Migrated Configuration access-list 100 extended deny ip any 172.16.10.0 255.255.255.0 access-group 100 in interface outside
NAT Migration  The NAT feature has been redesigned for increased flexibility and functionality  Almost all NAT configurations will migrate seamlessly. In the rare cases when user intervention is required, you will be notified. There will never be an unreported loss of security after migration.
Old NAT Commands The following commands are no longer supported; they are migrated to new commands, and are then removed from the configuration.  Alias  Global  nat (old version)  nat-control  Static  sysopt nodnsalias—This command is not migrated; instead, configure the dns option within the new NAT commands.
New NAT Commands Network Object NAT (Typically used for regular NAT configurations)  nat dynamic object network name nat [(real_ifc,mapped_ifc)] dynamic {[mapped_inline_host_ip] [interface] | [mapped_obj] [pat-pool mapped_obj [round-robin]] [interface]} [dns]  nat static object network name nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj | interface} [dns | service {tcp | udp} real_port mapped_port] [no-proxy-arp] [route-lookup] The no-proxy-arp, route-lookup, pat-pool, and round-robin keywords were added in 8.4(2).
Twice NAT (Typically used for policy NAT configurations)  nat source dynamic nat [(real_ifc,mapped_ifc)] [line | {after-object [line]}] source dynamic {real_obj | any} {[mapped_obj] [pat-pool mapped_obj [round-robin]] [interface]} [destination static {mapped_obj | interface} {real_obj | any}] [service {mapped_dest_svc_obj real_dest_svc_obj] [dns] [unidirectional][inactive] [description desc]  nat source static nat [(real_ifc,mapped_ifc)] [line | {after-object [line]}] source static {real_obj | any} {mapped_obj | interface | any}} [destination static {mapped_obj | interface} {real_obj | any}] [service {real_src_mapped_dest_svc_obj | any} mapped_src_real_dest_svc_obj] [dns] [unidirectional | [no-proxy-arp] [route-lookup]] [inactive] [description desc]
Preserving the Order of NAT Rules The new NAT order uses a table with three sections:  Section 1 (twice NAT rules)—These rules are assessed based on the order they appear in the configuration. For migration purposes, this section includes migrated policy NAT rules.  Section 2 (network object NAT (generated) rules)—These rules are assessed according to internal rules; the order they appear in the configuration does not matter  Section 3 (twice NAT rules that you specifically want to be evaluated after the network object NAT rules)
NAT Migration Guidelines and Limitations  Dynamic identity NAT (the nat 0 command) will not be migrated. Static identity NAT is treated like any other static command, and is converted depending on whether it is regular or policy NAT.  NAT exemption (the nat 0 access-list command) is migrated differently depending on the release to which you are upgrading.  When upgrading to 8.4(2) from 8.3(1), 8.3(2), or 8.4(1), migration for identity NAT will occur to preserve existing functionality.  Regular NAT commands with the dns option will be migrated. The dns option in static PAT andpolicy NAT commands will be ignored.
NAT Migration Guidelines and Limitations  Connection Settings in old NAT commands—Options such as conn- max, emb-limit, norandomseq, or nailed will be moved to service policies.  The following naming conventions are used for the new service policies:  class-map—class-conn-param-protocol-n  access-list—acl-conn-param-protocol-n  policy-map—policy-conn-param-interface
Supported Features for Objects Version 8.3 introduces named network and service objects for use with the following features:  NAT—You can no longer use a named IP address (using the name command) in NAT.  Access lists—access-list command. You can no longer use a named IP address (using the name command) in an access list.  Object groups—object-group network and object-group service commands. Named IP addresses are still allowed in object groups, as well as network objects.
Object Migration New network and service objects (the object network and object service commands) are substituted into existing commands in the following cases:  For each network object NAT command, an object network command is created to represent the real IP address that you want to translate.  When new nat commands require an object instead of an inline value, network and service objects are automatically created.  If you use a named IP address in NAT (using the name command) and the names command is enabled, then a network object is created even if an inline IP address could be used in the new nat command.
Object Migration  If an access-list command includes an IP address that was used in NAT, and the NAT migration created a network object for that IP address, then the network object replaces the IP address in the access-list command.  If you use a named IP address in the access-list command (using the name command) and the names command is enabled, then an object replaces the name.  For multiple global commands that share the same NAT ID, a network object group is created that contains the network objects created for the inline IP addresses.
Objects are not created for the following cases:  A name command exists in the configuration, but is not used in a nat or access-list command.  An inline value that is still allowed in the nat command.  name commands used under object-group commands.  IP addresses used in access-list commands that are not used in NAT or named with a name command.
name Command Naming Conventions When the names command is enabled, then for migrated name commands, the same name is used for the object network command. For example: for the following name command used in NAT name 10.1.1.1 test An object network command is created: object network test host 10.1.1.1
Inline IP Address Naming Conventions For migrated IP addresses used inline, network objects are created using the following naming convention:  Hosts and subnets—obj-a.b.c.d.  Ranges—obj-a.b.c.d-p.q.r.s
Inline Protocol Naming Conventions For migrated protocols used inline, service objects are created using the following naming convention, obj-inline_text.
Network Object Naming Conventions with Multiple global Commands with the Same NAT IDFor multiple global commands that share the same NAT ID, a network object group is created that contains the network objects created for the inline IP addresses. The following naming convention is used: og-global-interface_nat-id. Old Configuration global (outside) 1 10.76.6.111 global (outside) 1 10.76.6.109-10.76.6.110 New Network Objects and Groups object network obj-10.76.6.111 host 10.76.6.111 object network obj-10.76.6.109-10.76.6.110 range 10.76.6.109-10.76.6.110 object-group og-global-outside_1 network-object obj-10.76.6.111 network-object obj-10.76.6.109-10.76.6.110
Information About Activation Key Compatibility Your activation key remains compatible if you upgrade to the latest version from any previous version.
Thank You

Recommended

Dynamic Hadoop Clusters
Dynamic Hadoop ClustersDynamic Hadoop Clusters
Dynamic Hadoop Clusters
Steve Loughran
 
Designing and Building Multi-Region Swift Deployment
Designing and Building Multi-Region Swift DeploymentDesigning and Building Multi-Region Swift Deployment
Designing and Building Multi-Region Swift Deployment
Siheon Kim
 
Relational Database Access with Python
Relational Database Access with PythonRelational Database Access with Python
Relational Database Access with Python
Mark Rees
 
Docker Voting App Orientation
Docker Voting App OrientationDocker Voting App Orientation
Docker Voting App Orientation
Tony Pujals
 
Python database interfaces
Python database interfacesPython database interfaces
Python database interfacesMohammad Javad Beheshtian
 
Developing distributed applications with Akka and Akka Cluster
Developing distributed applications with Akka and Akka ClusterDeveloping distributed applications with Akka and Akka Cluster
Developing distributed applications with Akka and Akka Cluster
Konstantin Tsykulenko
 
Relational Database Access with Python ‘sans’ ORM
Relational Database Access with Python ‘sans’ ORM Relational Database Access with Python ‘sans’ ORM
Relational Database Access with Python ‘sans’ ORM
Mark Rees
 
An introduction to_rac_system_test_planning_methods
An introduction to_rac_system_test_planning_methodsAn introduction to_rac_system_test_planning_methods
An introduction to_rac_system_test_planning_methods
Ajith Narayanan
 

Recommended

Dynamic Hadoop Clusters
Dynamic Hadoop ClustersDynamic Hadoop Clusters
Dynamic Hadoop Clusters
Steve Loughran
 
Designing and Building Multi-Region Swift Deployment
Designing and Building Multi-Region Swift DeploymentDesigning and Building Multi-Region Swift Deployment
Designing and Building Multi-Region Swift Deployment
Siheon Kim
 
Relational Database Access with Python
Relational Database Access with PythonRelational Database Access with Python
Relational Database Access with Python
Mark Rees
 
Docker Voting App Orientation
Docker Voting App OrientationDocker Voting App Orientation
Docker Voting App Orientation
Tony Pujals
 
Python database interfaces
Python database interfacesPython database interfaces
Python database interfacesMohammad Javad Beheshtian
 
Developing distributed applications with Akka and Akka Cluster
Developing distributed applications with Akka and Akka ClusterDeveloping distributed applications with Akka and Akka Cluster
Developing distributed applications with Akka and Akka Cluster
Konstantin Tsykulenko
 
Relational Database Access with Python ‘sans’ ORM
Relational Database Access with Python ‘sans’ ORM Relational Database Access with Python ‘sans’ ORM
Relational Database Access with Python ‘sans’ ORM
Mark Rees
 
An introduction to_rac_system_test_planning_methods
An introduction to_rac_system_test_planning_methodsAn introduction to_rac_system_test_planning_methods
An introduction to_rac_system_test_planning_methods
Ajith Narayanan
 
Interface between kernel and user space
Interface between kernel and user spaceInterface between kernel and user space
Interface between kernel and user spaceSusant Sahani
 
9:40 am InfluxDB 2.0 and Flux – The Road Ahead Paul Dix, Founder and CTO | ...
9:40 am InfluxDB 2.0 and Flux – The Road Ahead Paul Dix, Founder and CTO | ... 9:40 am InfluxDB 2.0 and Flux – The Road Ahead Paul Dix, Founder and CTO | ...
9:40 am InfluxDB 2.0 and Flux – The Road Ahead Paul Dix, Founder and CTO | ...
InfluxData
 
Cloug Troubleshooting Oracle 11g Rac 101 Tips And Tricks
Cloug Troubleshooting Oracle 11g Rac 101 Tips And TricksCloug Troubleshooting Oracle 11g Rac 101 Tips And Tricks
Cloug Troubleshooting Oracle 11g Rac 101 Tips And Tricks
Scott Jenner
 
Introduction to netlink in linux kernel (english)
Introduction to netlink in linux kernel (english)Introduction to netlink in linux kernel (english)
Introduction to netlink in linux kernel (english)
Sneeker Yeh
 
Install and upgrade Oracle grid infrastructure 12.1.0.2
Install and upgrade Oracle grid infrastructure 12.1.0.2Install and upgrade Oracle grid infrastructure 12.1.0.2
Install and upgrade Oracle grid infrastructure 12.1.0.2
Biju Thomas
 
Cassandra 2.0 better, faster, stronger
Cassandra 2.0 better, faster, strongerCassandra 2.0 better, faster, stronger
Cassandra 2.0 better, faster, stronger
Patrick McFadin
 
Presentation oracle net services
Presentation oracle net servicesPresentation oracle net services
Presentation oracle net services
xKinAnx
 
Meetup talk
Meetup talkMeetup talk
Meetup talk
Arpit Tak
 
Towards a real-time reconfiguration service for distributed Java
Towards a real-time reconfiguration service for distributed JavaTowards a real-time reconfiguration service for distributed Java
Towards a real-time reconfiguration service for distributed JavaUniversidad Carlos III de Madrid
 
Asynchronous Orchestration DSL on squbs
Asynchronous Orchestration DSL on squbsAsynchronous Orchestration DSL on squbs
Asynchronous Orchestration DSL on squbs
Anil Gursel
 
Effective testing for spark programs Strata NY 2015
Effective testing for spark programs Strata NY 2015Effective testing for spark programs Strata NY 2015
Effective testing for spark programs Strata NY 2015
Holden Karau
 
Oracle Database Performance Tuning Concept
Oracle Database Performance Tuning ConceptOracle Database Performance Tuning Concept
Oracle Database Performance Tuning Concept
Chien Chung Shen
 
Buiilding reactive distributed systems with Akka
Buiilding reactive distributed systems with AkkaBuiilding reactive distributed systems with Akka
Buiilding reactive distributed systems with Akka
Johan Andrén
 
Jugoslavija MOD!!!
Jugoslavija MOD!!!Jugoslavija MOD!!!
Jugoslavija MOD!!!
AleksMilovanovic
 
Oracle real application clusters system tests with demo
Oracle real application clusters system tests with demoOracle real application clusters system tests with demo
Oracle real application clusters system tests with demo
Ajith Narayanan
 
Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000
Ajith Narayanan
 
Streamline Hadoop DevOps with Apache Ambari
Streamline Hadoop DevOps with Apache AmbariStreamline Hadoop DevOps with Apache Ambari
Streamline Hadoop DevOps with Apache Ambari
Alejandro Fernandez
 
Realtime Statistics based on Apache Storm and RocketMQ
Realtime Statistics based on Apache Storm and RocketMQRealtime Statistics based on Apache Storm and RocketMQ
Realtime Statistics based on Apache Storm and RocketMQ
Xin Wang
 
12c Flex ASM: Moving to Flex ASM
12c Flex ASM: Moving to Flex ASM12c Flex ASM: Moving to Flex ASM
12c Flex ASM: Moving to Flex ASM
Monowar Mukul
 
Solr Search Engine: Optimize Is (Not) Bad for You
Solr Search Engine: Optimize Is (Not) Bad for YouSolr Search Engine: Optimize Is (Not) Bad for You
Solr Search Engine: Optimize Is (Not) Bad for You
Sematext Group, Inc.
 
Mikro tik
Mikro tikMikro tik
Mikro tikguest8423a64e
 
Vpn addind technique
Vpn addind techniqueVpn addind technique
Vpn addind technique
kamarasan karthik
 

More Related Content

What's hot

Interface between kernel and user space
Interface between kernel and user spaceInterface between kernel and user space
Interface between kernel and user spaceSusant Sahani
 
9:40 am InfluxDB 2.0 and Flux – The Road Ahead Paul Dix, Founder and CTO | ...
9:40 am InfluxDB 2.0 and Flux – The Road Ahead Paul Dix, Founder and CTO | ... 9:40 am InfluxDB 2.0 and Flux – The Road Ahead Paul Dix, Founder and CTO | ...
9:40 am InfluxDB 2.0 and Flux – The Road Ahead Paul Dix, Founder and CTO | ...
InfluxData
 
Cloug Troubleshooting Oracle 11g Rac 101 Tips And Tricks
Cloug Troubleshooting Oracle 11g Rac 101 Tips And TricksCloug Troubleshooting Oracle 11g Rac 101 Tips And Tricks
Cloug Troubleshooting Oracle 11g Rac 101 Tips And Tricks
Scott Jenner
 
Introduction to netlink in linux kernel (english)
Introduction to netlink in linux kernel (english)Introduction to netlink in linux kernel (english)
Introduction to netlink in linux kernel (english)
Sneeker Yeh
 
Install and upgrade Oracle grid infrastructure 12.1.0.2
Install and upgrade Oracle grid infrastructure 12.1.0.2Install and upgrade Oracle grid infrastructure 12.1.0.2
Install and upgrade Oracle grid infrastructure 12.1.0.2
Biju Thomas
 
Cassandra 2.0 better, faster, stronger
Cassandra 2.0 better, faster, strongerCassandra 2.0 better, faster, stronger
Cassandra 2.0 better, faster, stronger
Patrick McFadin
 
Presentation oracle net services
Presentation oracle net servicesPresentation oracle net services
Presentation oracle net services
xKinAnx
 
Meetup talk
Meetup talkMeetup talk
Meetup talk
Arpit Tak
 
Towards a real-time reconfiguration service for distributed Java
Towards a real-time reconfiguration service for distributed JavaTowards a real-time reconfiguration service for distributed Java
Towards a real-time reconfiguration service for distributed JavaUniversidad Carlos III de Madrid
 
Asynchronous Orchestration DSL on squbs
Asynchronous Orchestration DSL on squbsAsynchronous Orchestration DSL on squbs
Asynchronous Orchestration DSL on squbs
Anil Gursel
 
Effective testing for spark programs Strata NY 2015
Effective testing for spark programs Strata NY 2015Effective testing for spark programs Strata NY 2015
Effective testing for spark programs Strata NY 2015
Holden Karau
 
Oracle Database Performance Tuning Concept
Oracle Database Performance Tuning ConceptOracle Database Performance Tuning Concept
Oracle Database Performance Tuning Concept
Chien Chung Shen
 
Buiilding reactive distributed systems with Akka
Buiilding reactive distributed systems with AkkaBuiilding reactive distributed systems with Akka
Buiilding reactive distributed systems with Akka
Johan Andrén
 
Jugoslavija MOD!!!
Jugoslavija MOD!!!Jugoslavija MOD!!!
Jugoslavija MOD!!!
AleksMilovanovic
 
Oracle real application clusters system tests with demo
Oracle real application clusters system tests with demoOracle real application clusters system tests with demo
Oracle real application clusters system tests with demo
Ajith Narayanan
 
Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000
Ajith Narayanan
 
Streamline Hadoop DevOps with Apache Ambari
Streamline Hadoop DevOps with Apache AmbariStreamline Hadoop DevOps with Apache Ambari
Streamline Hadoop DevOps with Apache Ambari
Alejandro Fernandez
 
Realtime Statistics based on Apache Storm and RocketMQ
Realtime Statistics based on Apache Storm and RocketMQRealtime Statistics based on Apache Storm and RocketMQ
Realtime Statistics based on Apache Storm and RocketMQ
Xin Wang
 
12c Flex ASM: Moving to Flex ASM
12c Flex ASM: Moving to Flex ASM12c Flex ASM: Moving to Flex ASM
12c Flex ASM: Moving to Flex ASM
Monowar Mukul
 
Solr Search Engine: Optimize Is (Not) Bad for You
Solr Search Engine: Optimize Is (Not) Bad for YouSolr Search Engine: Optimize Is (Not) Bad for You
Solr Search Engine: Optimize Is (Not) Bad for You
Sematext Group, Inc.
 

What's hot (20)

Interface between kernel and user space
Interface between kernel and user spaceInterface between kernel and user space
Interface between kernel and user space
 
9:40 am InfluxDB 2.0 and Flux – The Road Ahead Paul Dix, Founder and CTO | ...
9:40 am InfluxDB 2.0 and Flux – The Road Ahead Paul Dix, Founder and CTO | ... 9:40 am InfluxDB 2.0 and Flux – The Road Ahead Paul Dix, Founder and CTO | ...
9:40 am InfluxDB 2.0 and Flux – The Road Ahead Paul Dix, Founder and CTO | ...
 
Cloug Troubleshooting Oracle 11g Rac 101 Tips And Tricks
Cloug Troubleshooting Oracle 11g Rac 101 Tips And TricksCloug Troubleshooting Oracle 11g Rac 101 Tips And Tricks
Cloug Troubleshooting Oracle 11g Rac 101 Tips And Tricks
 
Introduction to netlink in linux kernel (english)
Introduction to netlink in linux kernel (english)Introduction to netlink in linux kernel (english)
Introduction to netlink in linux kernel (english)
 
Install and upgrade Oracle grid infrastructure 12.1.0.2
Install and upgrade Oracle grid infrastructure 12.1.0.2Install and upgrade Oracle grid infrastructure 12.1.0.2
Install and upgrade Oracle grid infrastructure 12.1.0.2
 
Cassandra 2.0 better, faster, stronger
Cassandra 2.0 better, faster, strongerCassandra 2.0 better, faster, stronger
Cassandra 2.0 better, faster, stronger
 
Presentation oracle net services
Presentation oracle net servicesPresentation oracle net services
Presentation oracle net services
 
Meetup talk
Meetup talkMeetup talk
Meetup talk
 
Towards a real-time reconfiguration service for distributed Java
Towards a real-time reconfiguration service for distributed JavaTowards a real-time reconfiguration service for distributed Java
Towards a real-time reconfiguration service for distributed Java
 
Asynchronous Orchestration DSL on squbs
Asynchronous Orchestration DSL on squbsAsynchronous Orchestration DSL on squbs
Asynchronous Orchestration DSL on squbs
 
Effective testing for spark programs Strata NY 2015
Effective testing for spark programs Strata NY 2015Effective testing for spark programs Strata NY 2015
Effective testing for spark programs Strata NY 2015
 
Oracle Database Performance Tuning Concept
Oracle Database Performance Tuning ConceptOracle Database Performance Tuning Concept
Oracle Database Performance Tuning Concept
 
Buiilding reactive distributed systems with Akka
Buiilding reactive distributed systems with AkkaBuiilding reactive distributed systems with Akka
Buiilding reactive distributed systems with Akka
 
Jugoslavija MOD!!!
Jugoslavija MOD!!!Jugoslavija MOD!!!
Jugoslavija MOD!!!
 
Oracle real application clusters system tests with demo
Oracle real application clusters system tests with demoOracle real application clusters system tests with demo
Oracle real application clusters system tests with demo
 
Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000
 
Streamline Hadoop DevOps with Apache Ambari
Streamline Hadoop DevOps with Apache AmbariStreamline Hadoop DevOps with Apache Ambari
Streamline Hadoop DevOps with Apache Ambari
 
Realtime Statistics based on Apache Storm and RocketMQ
Realtime Statistics based on Apache Storm and RocketMQRealtime Statistics based on Apache Storm and RocketMQ
Realtime Statistics based on Apache Storm and RocketMQ
 
12c Flex ASM: Moving to Flex ASM
12c Flex ASM: Moving to Flex ASM12c Flex ASM: Moving to Flex ASM
12c Flex ASM: Moving to Flex ASM
 
Solr Search Engine: Optimize Is (Not) Bad for You
Solr Search Engine: Optimize Is (Not) Bad for YouSolr Search Engine: Optimize Is (Not) Bad for You
Solr Search Engine: Optimize Is (Not) Bad for You
 

Similar to Asa 7 to 9 migration

Vpn addind technique
Vpn addind techniqueVpn addind technique
Vpn addind technique
kamarasan karthik
 
BIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedBIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To Advanced
Mustafa Golam
 
Training Day Slides
Training Day SlidesTraining Day Slides
Training Day Slides
adam_merritt
 
Netfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scaleNetfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scale
brouer
 
Dns
DnsDns
Dns
Md Shihab
 
12c Database new features
12c Database new features12c Database new features
12c Database new features
Sandeep Redkar
 
Nginx
NginxNginx
Nginx
Geeta Vinnakota
 
Arp Dan Ipconfig Syntax
Arp Dan Ipconfig SyntaxArp Dan Ipconfig Syntax
Arp Dan Ipconfig Syntaxguestcc37e8c
 
DirectAccess, do’s and don’ts
DirectAccess, do’s and don’tsDirectAccess, do’s and don’ts
DirectAccess, do’s and don’ts
kieranjacobsen
 
DHCP
DHCPDHCP
DHCP
viditsir
 
AWS | NAT Gateway Configuration
AWS | NAT Gateway ConfigurationAWS | NAT Gateway Configuration
AWS | NAT Gateway Configuration
Mohan Reddy
 
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Netgear Italia
 
Oracle Real Application Cluster ( RAC )
Oracle Real Application Cluster ( RAC )Oracle Real Application Cluster ( RAC )
Oracle Real Application Cluster ( RAC )varasteh65
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Servermmoizuddin
 
11 module configuring novell ipx
11 module configuring novell ipx11 module configuring novell ipx
11 module configuring novell ipx
Asif
 
Database programming
Database programmingDatabase programming
Database programming
Shree M.L.Kakadiya MCA mahila college, Amreli
 
Cisco ise jun os and ios xr - tacacs+ integration
Cisco ise jun os and ios xr - tacacs+ integrationCisco ise jun os and ios xr - tacacs+ integration
Cisco ise jun os and ios xr - tacacs+ integration
ArunKumar Subbiah
 
Ansible Tower - Drew Bomhof, Brandon Dunne - ManageIQ Design Summit 2016
Ansible Tower - Drew Bomhof, Brandon Dunne - ManageIQ Design Summit 2016Ansible Tower - Drew Bomhof, Brandon Dunne - ManageIQ Design Summit 2016
Ansible Tower - Drew Bomhof, Brandon Dunne - ManageIQ Design Summit 2016
ManageIQ
 

Similar to Asa 7 to 9 migration (20)

Mikro tik
Mikro tikMikro tik
Mikro tik
 
Vpn addind technique
Vpn addind techniqueVpn addind technique
Vpn addind technique
 
BIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedBIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To Advanced
 
Training Day Slides
Training Day SlidesTraining Day Slides
Training Day Slides
 
Netfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scaleNetfilter: Making large iptables rulesets scale
Netfilter: Making large iptables rulesets scale
 
Dns
DnsDns
Dns
 
12c Database new features
12c Database new features12c Database new features
12c Database new features
 
Nginx
NginxNginx
Nginx
 
Arp Dan Ipconfig Syntax
Arp Dan Ipconfig SyntaxArp Dan Ipconfig Syntax
Arp Dan Ipconfig Syntax
 
Session_2.ppt
Session_2.pptSession_2.ppt
Session_2.ppt
 
DirectAccess, do’s and don’ts
DirectAccess, do’s and don’tsDirectAccess, do’s and don’ts
DirectAccess, do’s and don’ts
 
DHCP
DHCPDHCP
DHCP
 
AWS | NAT Gateway Configuration
AWS | NAT Gateway ConfigurationAWS | NAT Gateway Configuration
AWS | NAT Gateway Configuration
 
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
 
Oracle Real Application Cluster ( RAC )
Oracle Real Application Cluster ( RAC )Oracle Real Application Cluster ( RAC )
Oracle Real Application Cluster ( RAC )
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Server
 
11 module configuring novell ipx
11 module configuring novell ipx11 module configuring novell ipx
11 module configuring novell ipx
 
Database programming
Database programmingDatabase programming
Database programming
 
Cisco ise jun os and ios xr - tacacs+ integration
Cisco ise jun os and ios xr - tacacs+ integrationCisco ise jun os and ios xr - tacacs+ integration
Cisco ise jun os and ios xr - tacacs+ integration
 
Ansible Tower - Drew Bomhof, Brandon Dunne - ManageIQ Design Summit 2016
Ansible Tower - Drew Bomhof, Brandon Dunne - ManageIQ Design Summit 2016Ansible Tower - Drew Bomhof, Brandon Dunne - ManageIQ Design Summit 2016
Ansible Tower - Drew Bomhof, Brandon Dunne - ManageIQ Design Summit 2016
 

Recently uploaded

Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 

Recently uploaded (20)

Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 

Asa 7 to 9 migration

  • 1. ASA 7.2 to 9.1 Command Migration APPLIANCE MIGRATION FROM ASA 5540 TO ASA 5545-X (DRAFT) V1.0
  • 2. Migrated Features  Real IP addresses in access lists for several supported features, you must use the real, untranslated IP address and ports  NAT The NAT feature has been redesigned for increased flexibility and functionality  Named Network and Service Objects Network and service objects are automatically created for NAT.
  • 3. Features That Use Real IP Addresses  access-group command  Modular Policy Framework match access-list command  Botnet Traffic Filter dynamic-filter enable classify-list command  AAA aaa ... match commands  WCCP wccp redirect-list group-list command (not automatically migrated)
  • 4. Features That Use Real IP Addresses ASDM Real IP addresses are now used in the following features instead of mapped addresses:  Access Rules  AAA Rules  Service Policy Rules  Botnet Traffic Filter classification  WCCP redirection (not automatically migrated)
  • 5. Features That Continue to Use Mapped IP Addresses The following features use access lists, but these access lists will continue to use the mapped values as seen on an interface:  IPSec access lists  capture command access lists  Per-user access lists  Routing protocol access lists  All other feature access lists...
  • 6. Sample Real IP Address Migration Static NAT with ingress access group Old Configuration static (inside,outside) 172.23.57.1 10.50.50.50 netmask 255.255.255.255 access-list 1 permit ip any host 172.23.57.1 access-group 1 in interface outside Migrated Configuration access-list 1 permit ip any host 10.50.50.50 access-group 1 in interface outside
  • 7. Sample Real IP Address Migration Access group with deny/permit ACEs Old Configuration global (outside) 1 10.10.10.128-10.10.10.255 nat (inside) 1 172.16.10.0 255.255.255.0 access-list 100 extended deny ip any host 10.10.10.210 access-list 100 extended permit ip any 10.10.10.211 255.255.255.128 access-group 100 in interface outside Migrated Configuration access-list 100 extended deny ip any 172.16.10.0 255.255.255.0 access-group 100 in interface outside
  • 8. NAT Migration  The NAT feature has been redesigned for increased flexibility and functionality  Almost all NAT configurations will migrate seamlessly. In the rare cases when user intervention is required, you will be notified. There will never be an unreported loss of security after migration.
  • 9. Old NAT Commands The following commands are no longer supported; they are migrated to new commands, and are then removed from the configuration.  Alias  Global  nat (old version)  nat-control  Static  sysopt nodnsalias—This command is not migrated; instead, configure the dns option within the new NAT commands.
  • 10. New NAT Commands Network Object NAT (Typically used for regular NAT configurations)  nat dynamic object network name nat [(real_ifc,mapped_ifc)] dynamic {[mapped_inline_host_ip] [interface] | [mapped_obj] [pat-pool mapped_obj [round-robin]] [interface]} [dns]  nat static object network name nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj | interface} [dns | service {tcp | udp} real_port mapped_port] [no-proxy-arp] [route-lookup] The no-proxy-arp, route-lookup, pat-pool, and round-robin keywords were added in 8.4(2).
  • 11. Twice NAT (Typically used for policy NAT configurations)  nat source dynamic nat [(real_ifc,mapped_ifc)] [line | {after-object [line]}] source dynamic {real_obj | any} {[mapped_obj] [pat-pool mapped_obj [round-robin]] [interface]} [destination static {mapped_obj | interface} {real_obj | any}] [service {mapped_dest_svc_obj real_dest_svc_obj] [dns] [unidirectional][inactive] [description desc]  nat source static nat [(real_ifc,mapped_ifc)] [line | {after-object [line]}] source static {real_obj | any} {mapped_obj | interface | any}} [destination static {mapped_obj | interface} {real_obj | any}] [service {real_src_mapped_dest_svc_obj | any} mapped_src_real_dest_svc_obj] [dns] [unidirectional | [no-proxy-arp] [route-lookup]] [inactive] [description desc]
  • 12. Preserving the Order of NAT Rules The new NAT order uses a table with three sections:  Section 1 (twice NAT rules)—These rules are assessed based on the order they appear in the configuration. For migration purposes, this section includes migrated policy NAT rules.  Section 2 (network object NAT (generated) rules)—These rules are assessed according to internal rules; the order they appear in the configuration does not matter  Section 3 (twice NAT rules that you specifically want to be evaluated after the network object NAT rules)
  • 13. NAT Migration Guidelines and Limitations  Dynamic identity NAT (the nat 0 command) will not be migrated. Static identity NAT is treated like any other static command, and is converted depending on whether it is regular or policy NAT.  NAT exemption (the nat 0 access-list command) is migrated differently depending on the release to which you are upgrading.  When upgrading to 8.4(2) from 8.3(1), 8.3(2), or 8.4(1), migration for identity NAT will occur to preserve existing functionality.  Regular NAT commands with the dns option will be migrated. The dns option in static PAT andpolicy NAT commands will be ignored.
  • 14. NAT Migration Guidelines and Limitations  Connection Settings in old NAT commands—Options such as conn- max, emb-limit, norandomseq, or nailed will be moved to service policies.  The following naming conventions are used for the new service policies:  class-map—class-conn-param-protocol-n  access-list—acl-conn-param-protocol-n  policy-map—policy-conn-param-interface
  • 15. Supported Features for Objects Version 8.3 introduces named network and service objects for use with the following features:  NAT—You can no longer use a named IP address (using the name command) in NAT.  Access lists—access-list command. You can no longer use a named IP address (using the name command) in an access list.  Object groups—object-group network and object-group service commands. Named IP addresses are still allowed in object groups, as well as network objects.
  • 16. Object Migration New network and service objects (the object network and object service commands) are substituted into existing commands in the following cases:  For each network object NAT command, an object network command is created to represent the real IP address that you want to translate.  When new nat commands require an object instead of an inline value, network and service objects are automatically created.  If you use a named IP address in NAT (using the name command) and the names command is enabled, then a network object is created even if an inline IP address could be used in the new nat command.
  • 17. Object Migration  If an access-list command includes an IP address that was used in NAT, and the NAT migration created a network object for that IP address, then the network object replaces the IP address in the access-list command.  If you use a named IP address in the access-list command (using the name command) and the names command is enabled, then an object replaces the name.  For multiple global commands that share the same NAT ID, a network object group is created that contains the network objects created for the inline IP addresses.
  • 18. Objects are not created for the following cases:  A name command exists in the configuration, but is not used in a nat or access-list command.  An inline value that is still allowed in the nat command.  name commands used under object-group commands.  IP addresses used in access-list commands that are not used in NAT or named with a name command.
  • 19. name Command Naming Conventions When the names command is enabled, then for migrated name commands, the same name is used for the object network command. For example: for the following name command used in NAT name 10.1.1.1 test An object network command is created: object network test host 10.1.1.1
  • 20. Inline IP Address Naming Conventions For migrated IP addresses used inline, network objects are created using the following naming convention:  Hosts and subnets—obj-a.b.c.d.  Ranges—obj-a.b.c.d-p.q.r.s
  • 21. Inline Protocol Naming Conventions For migrated protocols used inline, service objects are created using the following naming convention, obj-inline_text.
  • 22. Network Object Naming Conventions with Multiple global Commands with the Same NAT IDFor multiple global commands that share the same NAT ID, a network object group is created that contains the network objects created for the inline IP addresses. The following naming convention is used: og-global-interface_nat-id. Old Configuration global (outside) 1 10.76.6.111 global (outside) 1 10.76.6.109-10.76.6.110 New Network Objects and Groups object network obj-10.76.6.111 host 10.76.6.111 object network obj-10.76.6.109-10.76.6.110 range 10.76.6.109-10.76.6.110 object-group og-global-outside_1 network-object obj-10.76.6.111 network-object obj-10.76.6.109-10.76.6.110
  • 23. Information About Activation Key Compatibility Your activation key remains compatible if you upgrade to the latest version from any previous version.