Friday, December 16, 2011

Cisco ASA Migrating from 8.2 to 8.4

Greetings Networkers and other readers,

Just got an ASA 5510 in to configure for a client... it shipped with the latest 8.2 release, not an 8.4 release. After learning 8.4 by necessity back in April for another client, I was more amused than surprised. Those of you who have grappled with 8.4 or 8.3 likely know what I mean.

The question really is to upgrade or not to upgrade? If Cisco plans on being done with the nat 0 and nat 1 commands of the 8.2 realm, then now is the best time to upgrade. There won't be a better one, really.

So after applying a small bit of config to this new ASA (IP addresses, nameifs, gateway, dhcpd pool, logging, the commands to make SSH work, and the like), I decided to upgrade.

But I also wanted to see what 8.4 would do to my nat 1 and global statements ... so I threw these in for fun:
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0

Wish I'd thrown in a few ACLs, too ...

Nevertheless ... downloaded asa842-k8.bin
Made sure there was room for both images
Backed up the current 8.2(5) image to tftp; backed up the running config to tftp
Uploaded 8.4(2) to disk0: (aka flash:)
Entered this config:
boot system disk0:/asa842-k8.bin
wr mem
reload

Here was the output (minimized):

...
Loading disk0:/asa842-k8.bin... Booting...
Platform ASA5510
...
This platform has an ASA 5510 Security Plus license.
Cisco Adaptive Security Appliance Software Version 8.4(2)
...
(all good so far)
...
Reading from flash...
!!
REAL IP MIGRATION: WARNING
In this version access-lists used in 'access-group', 'class-map',
'dynamic-filter classify-list', 'aaa match' will be migrated from
using IP address/ports as seen on interface, to their real values.
If an access-list used by these features is shared with per-user ACL
then the original access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on
different interfaces are not detectable by automated Real IP migration.
If your deployment contains such scenarios, please verify your migrated
configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete
explanation of the automated migration process.

INFO: MIGRATION - Saving the startup configuration to file

INFO: MIGRATION - Startup configuration saved to file 'flash:8_2_5_0_startup_cfg.sav'
*** Output from config line 5, "ASA Version 8.2(5) "
...
Cryptochecksum (unchanged): f02d75cc f9c78de4 a3c860ee f04eca61
NAT migration logs:
INFO: NAT migration completed.
Real IP migration logs:
No ACL was changed as part of Real-ip migration
The flash device is in use by another task.
Type help or '?' for a list of available commands.
fw01>
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201112161542.log'
DHCP Client: can't enable DHCP Client when DHCP Server/Relay is running on the interface.
DHCP: Interface 'management' is currently configured as SERVER and cannot be changed to a CLIENT by a CLIENT feature
(this last message repeated itself 7 times)


This is what happened to the nat 1 command:

object network obj_any
subnet 0.0.0.0 0.0.0.0

! --- and ----
object network obj_any
nat (Inside,Outside) dynamic interface
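To see the migrated NAT before committing to the reload, here is an added example of my own (not Cisco's migration code and not part of the original post) that translates 8.2 nat/global pairs into the object NAT form shown above. The obj_any name comes from the output above; the obj-<network> naming, the -01 suffix for a second object, and flagging nat 0 and pools for manual review are my assumptions.

```python
import re
from collections import defaultdict

# Added example, not from the post or from Cisco: predict what the 8.3+ NAT
# migration makes of 8.2-style nat/global pairs so the resulting object NAT can
# be reviewed before the reload. Only dynamic PAT to the egress interface (the
# case in the post) is translated; nat 0, policy NAT and pools are flagged.

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ([\d.]+) ([\d.]+)$")

def _full(addr):
    # 8.2 accepts "0" as shorthand for 0.0.0.0 in nat statements
    return "0.0.0.0" if addr == "0" else addr

def object_name(ip, mask, index):
    # obj_any is what the post shows for 0.0.0.0/0; the obj-<network> form and
    # the -01 suffix for a second object are assumptions, not taken from the post.
    base = "obj_any" if (ip, mask) == ("0.0.0.0", "0.0.0.0") else f"obj-{ip}"
    return base if index == 0 else f"{base}-{index:02d}"

def migrate_nat(config_82):
    """Return the migrated NAT lines (a list of strings) for an 8.2 snippet."""
    globals_by_id = defaultdict(list)  # nat id -> [(egress interface, target)]
    nats, review = [], []
    for raw in config_82.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            globals_by_id[int(m.group(2))].append((m.group(1), m.group(3)))
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), _full(m.group(3)), _full(m.group(4))))
        elif line.startswith("nat "):  # policy NAT (access-list) or extra keywords
            review.append(f"! REVIEW: not translated: {line}")
    out = []
    for ingress, nat_id, ip, mask in nats:
        if nat_id == 0 or nat_id not in globals_by_id:
            review.append(f"! REVIEW: nat ({ingress}) {nat_id} {ip} {mask} (nat 0 or no matching global)")
            continue
        # Object NAT allows one nat rule per object, so each global gets its own object
        for i, (egress, target) in enumerate(globals_by_id[nat_id]):
            obj = object_name(ip, mask, i)
            out += [f"object network {obj}", f" subnet {ip} {mask}"]
            if target == "interface":
                out.append(f" nat ({ingress},{egress}) dynamic interface")
            else:
                review.append(f"! REVIEW: global ({egress}) {nat_id} {target} needs a pool object")
    return out + review
```

Feed it the nat/global lines from a "show run" taken before the upgrade and compare the output with what the box actually produces after the reload; anything in the REVIEW lines is where the automated migration deserves a second look.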

Not sure about the DHCP complaint on the management interface; the config looks the same as before the upgrade.

Checked the error log, but it says the same thing as the above.