Greetings Networkers and other readers,
Just got an ASA 5510 in to configure for a client... it shipped with the latest 8.2 release - not 8.4 release. After learning 8.4 by necessity back in April for another client, I was amused more than surprised. Those of you who have grappled with 8.4 or 8.3 likely know what I mean.
The question really is to upgrade or not to upgrade? If Cisco plans on being done with the nat 0 and nat 1 commands of the 8.2 realm, then now is the best time to upgrade. There won't be a better one, really.
So after applying a small bit of config to this new ASA (IP addresses, nameifs, gateway, dhcpd pool, logging, the commands to make SSH work, and the like), I decided to upgrade.
But I also wanted to see what 8.4 would do to my nat 1 and global statements ... so I threw these in for fun:
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
Wish I'd thrown in a few ACLs, too ...
Nevertheless ... downloaded asa842-k8.bin
Made sure there was room for both images
Backed up the current 8.2(5) image to tftp; backed up the running config to tftp
Uploaded 8.4(2) to disk0: (aka flash:)
Entered this config:
boot system disk0:/asa842-k8.bin
wr mem
reload
Here was the output (minimized):
...
Loading disk0:/asa842-k8.bin... Booting...
Platform ASA5510
...
This platform has an ASA 5510 Security Plus license.
Cisco Adaptive Security Appliance Software Version 8.4(2)
...
(all good so far)
...
Reading from flash...
!!
REAL IP MIGRATION: WARNING
In this version access-lists used in 'access-group', 'class-map',
'dynamic-filter classify-list', 'aaa match' will be migrated from
using IP address/ports as seen on interface, to their real values.
If an access-list used by these features is shared with per-user ACL
then the original access-list has to be recreated.
INFO: Note that identical IP addresses or overlapping IP ranges on
different interfaces are not detectable by automated Real IP migration.
If your deployment contains such scenarios, please verify your migrated
configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete
explanation of the automated migration process.
INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file 'flash:8_2_5_0_startup_cfg.sav'
*** Output from config line 5, "ASA Version 8.2(5) "
...
Cryptochecksum (unchanged): f02d75cc f9c78de4 a3c860ee f04eca61
NAT migration logs:
INFO: NAT migration completed.
Real IP migration logs:
No ACL was changed as part of Real-ip migration
The flash device is in use by another task.
Type help or '?' for a list of available commands.
fw01>
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201112161542.log'
DHCP Client: can't enable DHCP Client when DHCP Server/Relay is running on the interface.
DHCP: Interface 'management' is currently configured as SERVER and cannot be changed to a CLIENT by a CLIENT feature
(this last message repeated itself 7 times)
This is what happened to the nat 1 command:
object network obj_any
subnet 0.0.0.0 0.0.0.0
! --- and ----
object network obj_any
nat (Inside,Outside) dynamic interface
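To make the translation above repeatable, here is an added example (not from the post or from Cisco) that does the same nat/global to object NAT rewrite the migration performed, and flags the nat 0 / policy NAT lines that need a manual look. The sample 8.2 lines and the obj-<net> naming for subnets other than 0.0.0.0/0 are assumptions; only obj_any comes from the post.

```python
import re
from collections import defaultdict

# Constructed sample input: the two 8.2 lines from the post, plus a second
# subnet and a nat 0 exemption so the edge cases are exercised.
SAMPLE_82 = """\
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 192.0.2.0 255.255.255.0
nat (Inside) 0 access-list nonat
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")

def object_name(net, mask):
    # 8.4 named the any/any subnet obj_any in the post; the obj-<net> form
    # used here for other subnets is an assumption, not Cisco's naming rule.
    return "obj_any" if net == mask == "0.0.0.0" else f"obj-{net}"

def migrate_nat(config):
    """Return (8.4 config lines, warnings) for the 8.2 nat/global pairs in config."""
    globals_by_id = defaultdict(list)
    nats = []
    for line in config.splitlines():
        line = line.strip()
        g = GLOBAL_RE.match(line)
        n = NAT_RE.match(line)
        if g:
            iface, nat_id, mapped = g.groups()
            globals_by_id[nat_id].append((iface, mapped))
        elif n:
            nats.append(n.groups())
    out, warnings = [], []
    for real_ifc, nat_id, net, mask in nats:
        if nat_id == "0" or net == "access-list":
            # nat 0 exemptions and policy NAT become twice NAT rules; check by hand.
            warnings.append(f"manual review: nat ({real_ifc}) {nat_id} {net} {mask}")
            continue
        if nat_id not in globals_by_id:
            warnings.append(f"nat ({real_ifc}) {nat_id} has no matching global; dropped")
            continue
        name = object_name(net, mask)
        out += [f"object network {name}", f" subnet {net} {mask}"]
        for mapped_ifc, mapped in globals_by_id[nat_id]:
            if mapped != "interface":
                warnings.append(f"global ({mapped_ifc}) {nat_id} {mapped}: pool/PAT IP needs an object")
                continue
            # Same shape the migration produced: nat (Inside,Outside) dynamic interface
            out += [f"object network {name}", f" nat ({real_ifc},{mapped_ifc}) dynamic interface"]
    return out, warnings
```

Run migrate_nat over a saved 8.2 config and diff the output against the migrated running config; any line in the warnings list is one to verify by hand before trusting inbound access.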
Not sure about the complaint about DHCP on the management interface; the config looks the same as before the upgrade.
Checked the error log, but it says the same thing as the above.
5 comments:
Over the last couple of weeks I've been upgrading a client's ASAs to 8.4. My initial reaction was "this just makes way more configuration lines to get NATing done" and thus far I'm not really excited at all about the new way of doing NAT. The biggest nuisance is if you have a NAT Exempt ACL ("nonat" usually!!) - I learned you best have a separate NAT Exemption ACL for each source interface and not one shared one for all "private" interfaces or it may cause too much confusion once migrated.
We just upgraded from 8.2 to 8.4; 2 hours ago. Now, we cannot get any inbound connections, only outbound...wth!
@techtalk87
In case you haven't sorted this out already - it's probably the NAT rules that were munged with the upgrade. I'd go through them one by one and make sure you have a rule permitting any specific inbound connections. Ping if you have more questions, I'll be quicker to reply today.
When the call-home functionality is enabled, even with anonymous, then the error 'DHCP: Interface 'inside' is currently configured as CLIENT and cannot be changed to a SERVER by a SERVER feature' is displayed when setting the dhcpd enable inside command.
Clear the call-home configuration and you are good to go.
the DHCP errors are caused by Call-Home
http://www.petenetlive.com/KB/Article/0000836.htm
Pete