How to Upgrade a Basic ASA Configuration to 8.4

The Cisco ASA has gone through a few major evolutions in both functionality and configuration.  Version 8.4 (like version 8.3 before it) brings major changes to some aspects of the configuration syntax.  This article is the first in a series that will compare and contrast the more familiar 8.2 syntax with that of the now available 8.4.  It starts with the simplest possible ASA 8.2 configuration and walks through the upgrade process.  After the upgrade is complete, the post-upgrade configuration is compared to the pre-upgrade configuration.

The starting configuration is a default configuration of 8.2(1) on an ASA 5505 with only a couple of exceptions.  The first exception is that the “boot system” command has been used to force the appliance to boot into 8.2(1).  The second exception is that “inspect icmp” has been added to the global policy for testing purposes.  The configuration is shown below; look for the “boot system disk0:/asa821-k8.bin” line and the “inspect icmp” line to spot the two exceptions.


ciscoasa# show run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa821-k8.bin
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#

The first step in upgrading the ASA software, assuming that the system requirements are met, is copying down the operating system image.  This is done by first placing the new image on a TFTP server and then issuing a command on the ASA similar to the one below.


ciscoasa(config)# copy tftp://192.168.1.3/asa842-k8.bin  flash:

// Pressing Enter accepts the value shown in brackets
Address or name of remote host [192.168.1.3]?
Source filename [asa842-k8.bin]?
Destination filename [asa842-k8.bin]?
Accessing tftp://192.168.1.3/asa842-k8.bin !!!!!!!!!!!!!!!!!!!!
<—Snip—>


Now that the image is stored in flash, the ASA needs to be configured to boot from it.  To do this, clear any existing line in the configuration that instructs the appliance to boot a different image, then configure the ASA to boot the newly downloaded image, save, and finally reload the appliance.

ciscoasa# configure terminal
ciscoasa(config)# clear configure boot
ciscoasa(config)# boot system disk0:/asa842-k8.bin
ciscoasa(config)# write memory
ciscoasa(config)# reload

During the reboot, configuration migration occurs.  The new ASA operating system image detects the old commands and migrates them to their post-8.3 equivalents.  To prevent the migration from running again on subsequent reboots, the resulting running configuration should be saved to the startup configuration.

Reading from flash…
!
REAL IP MIGRATION: WARNING
In this version access-lists used in ‘access-group’, ‘class-map’,’dynamic-filter classify-list’, ‘aaa match’ will be migrated from using IP address/ports as seen on interface, to their real values. If an access-list used by these features is shared with per-user ACL then the original access-list has to be recreated. INFO: Note that identical IP addresses or overlapping IP ranges on different interfaces are not detectable by automated Real IP migration. If your deployment contains such scenarios, please verify your migrated configuration is appropriate for those overlapping addresses/ranges. Please also refer to the ASA 8.3 migration guide for a complete explanation of the automated migration process.

INFO: MIGRATION – Saving the startup configuration to file

INFO: MIGRATION – Startup configuration saved to file ‘flash:8_2_1_0_startup_cfg.sav’
*** Output from config line 4, “ASA Version 8.2(1) ”
.
Cryptochecksum (unchanged): 5a96f887 33f90df0 d0e0a0be c30e1bf6
NAT migration logs:
INFO: NAT migration completed.
Real IP migration logs:
No ACL was changed as part of Real-ip migration

INFO: MIGRATION – Saving the startup errors to file ‘flash:upgrade_startup_errors_201112261741.log’
Type help or ‘?’ for a list of available commands.

ciscoasa> en
ciscoasa# write memory

To look at the new running configuration, simply use the familiar show run command.  The output is shown below; the areas that changed are marked with // comments.


ciscoasa# show run
: Saved
:
ASA Version 8.4(2)
//Previously Showed ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa842-k8.bin
//Previous Configuration
//boot system disk0:/asa821-k8.bin

ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
//The above two commands were added

pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
//The above two commands were added

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
!
service-policy global_policy global

//The Following Configuration was added
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:af09c14001b4efa36b79de8f31f84ca1
: end
ciscoasa#
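Comparing the two listings by eye works for a configuration this small, but a practitioner upgrading a real appliance wants the comparison scripted: which commands disappeared, which appeared, and whether any 8.2-style NAT survived the migration. The script below is an added example, not part of the original article or of any Cisco tooling. It normalizes two configuration texts (dropping the "!" separators, checksum, ": Saved"/": end" markers and the // annotations used on this page), reports removed and added lines, and flags two things a post-upgrade check should catch: a boot line that does not point at the expected image, and leftover single-interface "global"/"nat" statements. The sample inputs are constructed excerpts of the pre- and post-upgrade configurations shown above; the function names are my own.

```python
"""Compare a saved pre-upgrade ASA configuration with the migrated one."""
from collections import Counter

# Constructed excerpts of the 8.2(1) and 8.4(2) listings from this page.
OLD_CONFIG = """ASA Version 8.2(1)
!
boot system disk0:/asa821-k8.bin
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec security-association lifetime seconds 28800
inspect icmp
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
"""

NEW_CONFIG = """ASA Version 8.4(2)
!
boot system disk0:/asa842-k8.bin
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any
 nat (inside,outside) dynamic interface
timeout floating-conn 0:00:00
inspect icmp
inspect ip-options
Cryptochecksum:af09c14001b4efa36b79de8f31f84ca1
: end
"""


def normalize(config_text):
    """Return the command lines of a 'show run' capture.

    Separators, ':' banner lines, the checksum, the version banner and the
    // annotations are dropped. Leading whitespace is kept because an
    indented line belongs to the object or class above it.
    """
    lines = []
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if stripped.startswith((":", "//", "Cryptochecksum", "ASA Version")):
            continue
        lines.append(raw.rstrip())
    return lines


def config_diff(old_text, new_text):
    """Return (removed, added) command lines, counting duplicates.

    A Counter difference is used rather than a set difference so that a
    line which legitimately appears twice (obj_any above) is not collapsed.
    """
    old, new = Counter(normalize(old_text)), Counter(normalize(new_text))
    removed = sorted((old - new).elements())
    added = sorted((new - old).elements())
    return removed, added


def legacy_nat_lines(config_text):
    """Return 8.2-style NAT statements still present in a configuration.

    In 8.2 'global (if) id ...' and 'nat (if) id ...' name a single
    interface; 8.3+ object NAT uses a '(real,mapped)' interface pair, so a
    comma inside the first parentheses marks the new syntax.
    """
    found = []
    for line in normalize(config_text):
        s = line.strip()
        if s.startswith("global ("):
            found.append(s)
        elif s.startswith("nat (") and "," not in s.split(")", 1)[0]:
            found.append(s)
    return found


def verify_upgrade(old_text, new_text, expected_image):
    """Diff the two configurations and collect post-upgrade findings."""
    removed, added = config_diff(old_text, new_text)
    findings = []
    if f"boot system {expected_image}" not in normalize(new_text):
        findings.append(f"boot system does not reference {expected_image}")
    leftovers = legacy_nat_lines(new_text)
    if leftovers:
        findings.append("8.2-style NAT statements remain: " + "; ".join(leftovers))
    return {"removed": removed, "added": added, "findings": findings}


if __name__ == "__main__":
    report = verify_upgrade(OLD_CONFIG, NEW_CONFIG, "disk0:/asa842-k8.bin")
    for key in ("removed", "added", "findings"):
        print(f"{key}:")
        for item in report[key]:
            print(f"  {item}")
```

Run against the full captures (for example the saved flash:8_2_1_0_startup_cfg.sav and a fresh show run), the removed list should contain only the old boot line, the global/nat pair and the pre-8.3 crypto lifetimes, and the added list should be limited to the object NAT lines, the new timeout and inspect defaults and the call-home profile; anything else deserves a look before the migrated configuration is trusted.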

Of all the configuration changes, the most interesting and the most common in practice concern the global PAT configuration.  After the upgrade to version 8.4, the commands look nothing like their 8.2 counterparts.

//Commands in ASA 8.2

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

//Equivalent Commands in 8.4

object network obj_any
 subnet 0.0.0.0 0.0.0.0

object network obj_any
 nat (inside,outside) dynamic interface
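The mapping above can be expressed as a small rewrite rule: every 8.2 "nat (real_if) id ..." statement is paired with the "global (mapped_if) id ..." statement carrying the same id, and the pair becomes one network object holding the real subnet plus a "nat (real_if,mapped_if) dynamic ..." line. The script below is an added example of that rule, not the article's own material or Cisco's migration code, and it goes slightly beyond the page: besides the "interface" keyword it also handles a global statement that names a single mapped address or an address range, which in 8.3+ syntax needs a mapped-side object of its own. The obj_any name matches what the migration produced on this page; the obj-<address> naming for other objects and the handling of the mapped-address cases are my assumptions, and identity NAT (id 0) is deliberately left alone because it is not dynamic PAT.

```python
"""Rewrite ASA 8.2 dynamic PAT ('global'/'nat' pairs) as 8.4 object NAT."""
import re

# Constructed patterns for the two 8.2 statements this example handles.
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")


def real_object_name(network, mask):
    """Name the object that holds the real (inside) addresses.

    obj_any is what the migration produced for 0.0.0.0/0 on this page;
    obj-<network> for any other subnet is an assumed convention.
    """
    if network == "0.0.0.0" and mask == "0.0.0.0":
        return "obj_any"
    return f"obj-{network}"


def mapped_object(mapped):
    """Return (name, definition line) for the mapped side of a 'global'.

    The keyword 'interface' needs no object, so (None, None) is returned.
    A single address becomes a 'host' object and 'a-b' becomes a 'range'
    object; the obj-<address> naming is assumed, not Cisco's.
    """
    if mapped == "interface":
        return None, None
    name = f"obj-{mapped.replace('-', '_')}"
    if "-" in mapped:
        first, last = mapped.split("-", 1)
        return name, f" range {first} {last}"
    return name, f" host {mapped}"


def migrate_dynamic_pat(lines):
    """Translate a list of 8.2 config lines into 8.4 object NAT lines."""
    globals_by_id = {}
    nats = []
    for line in lines:
        s = line.strip()
        m = GLOBAL_RE.match(s)
        if m:
            mapped_if, nat_id, mapped = m.groups()
            globals_by_id[nat_id] = (mapped_if, mapped)
            continue
        m = NAT_RE.match(s)
        if m:
            nats.append(m.groups())

    out = []
    emitted_mapped = set()
    for real_if, nat_id, network, mask in nats:
        if nat_id == "0":
            # 'nat (if) 0 ...' is identity/exempt NAT in 8.2, not dynamic PAT.
            continue
        if nat_id not in globals_by_id:
            raise ValueError(f"nat id {nat_id} on {real_if} has no matching global")
        mapped_if, mapped = globals_by_id[nat_id]
        mapped_name, mapped_def = mapped_object(mapped)
        if mapped_name and mapped_name not in emitted_mapped:
            out += [f"object network {mapped_name}", mapped_def]
            emitted_mapped.add(mapped_name)
        target = mapped_name or "interface"
        out += [
            f"object network {real_object_name(network, mask)}",
            f" subnet {network} {mask}",
            f" nat ({real_if},{mapped_if}) dynamic {target}",
        ]
    return out


# Constructed sample: the two 8.2 lines from this page's configuration.
SAMPLE_82 = ["global (outside) 1 interface", "nat (inside) 1 0.0.0.0 0.0.0.0"]

if __name__ == "__main__":
    print("\n".join(migrate_dynamic_pat(SAMPLE_82)))
```

The output places the subnet and the nat line under a single "object network obj_any" block; show run on the appliance prints the same object in two places (as in the listing above) because the object definition and its NAT rule live in different sections of the configuration, but the two forms are the same configuration.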

This article has demonstrated an upgrade to 8.4 of the simplest possible ASA configuration.  This configuration originated in 8.2 and had not itself been migrated from an earlier version.  In other cases, additional considerations may apply.  For example, if an ASA is using “nat-control”, that should be removed prior to the upgrade.  More information about ASA version 8.4 can be found in the release notes.  In future articles, more advanced dynamic and static variations of both NAT and PAT will be contrasted between versions 8.2 and 8.4.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To.

One Response to How to Upgrade a Basic ASA Configuration to 8.4

  1. Pingback: Typical NAT/PAT Configuration Comparison for ASA 8.4 | PacketU
