The Multi-Vendor Networking Forum and Resources
ASA 5500 IOS Upgrade 8.2 to 8.3




ASA 5500 IOS Upgrade 8.2 to 8.3


If you are upgrading your Cisco ASA to version 8.3 or later, you MUST read the
ASA Migration Guide. You must have 2 Gig of RAM and NAT is completely different. The good news is that the 2 Gig isn't expensive and it's not hard to install. I upgraded an ASA 5520 that was only used as a firewall, no VPN.

My Migration method

I had a spare 5520, but I didn't have the 4 port gig module to duplicate my production firewall. I contacted my Cisco Sales staff and obtained the module from the Demo Depot. After upgrading my spare 5520 to 2 Gig of RAM and the correct module, I was able to start loading the current configuration. After building a replica of my production firewall, I upgraded the code from 8.2 to 8.3. There is a tool built into the new code that will migrate the configuration for you, I do not recommend you use this configuration. The names that it uses are not intuitive.

After the firewall was running the 8.3 version of software, I erased the configuration and started from scratch. I took my current configuration (Except the NAT) from my production firewall and copied and pasted it into my test firewall. After this, I started working on the NAT statements. I don't feel as if my NAT configuration was all that difficult, I'm simply doing multiple static NAT's (Binding a single private IP to a single Public IP), I also have multiple NAT overload statements (Many privates to a single Public).

After spending a couple of days rewriting the NAT configuration I finally had a complete configuration for my production firewall on my test ASA.

My Deployment method

I powered off the standby firewall, upgraded the RAM, Software, and copied my new configuration file to it and started it up while disconnected from the network. I then powered off the active firewall, then connected the upgraded firewall. I then tested connectivity. All seemed to go well, so I upgraded the RAM, software, and configuration on the standby unit and placed it back into production.

After the Upgrade

A few hours later I was notified of an individual server not being able to use its static public IP. I found that the NAT overload was NATing it's IP instead of using its individual static NAT. When the server was trying to communicate with the outside resource, it was being denied because it was coming from the wrong source IP.

I found that my NAT overload statement was not correct, I was missing the "after-auto" statement. This statement tells this command to run AFTER the individual one to one NATs.

nat (Inside,Outside) after-auto source dynamic NAT-OVERLOAD-INSIDE-OUT NAT-GENERAL-IP

The firewall has been stable and I have not had any issues with it.

Scape


Feedback form ASA Migration
First name  *
Last name
E-mail  *
Comments  *
* Required fields