Solved

Cisco ASA upgrade to 8.3 is there a utility to run the config through to test the NAT changes?

Posted on 2011-02-22
7
5,308 Views
Last Modified: 2012-05-11
I'm running 8.2 on my ASAs now and I'd like to install 8.3, but I'm nervous about doing so with the new NAT changes.  Is there a utility that I can run my config through to see what the output will be when 8.3 reconfigures it and also if there will be any errors?  That would make me feel much better about the upgrade.
0
Comment
Question by:jpletcher1
  • 3
  • 2
  • 2
7 Comments
 
LVL 12

Accepted Solution

by:
Hilal1924 earned 125 total points
ID: 34952607
Hi IPLetcher:

I don't think you need to worry too much. The NAT-Control Command is no longer supported and neither is the global/translated IP for NAT. All you need to do is follow the below article and everything should turn out to be fine.

https://supportforums.cisco.com/docs/DOC-12690

There is a firewall migration tool avialable from cisco which is only available to Customers with valid CSO account. Try that if you have an account on Cisco.

Best Of Luck,

Hilal
0
 

Author Comment

by:jpletcher1
ID: 34952908
Thanks, I do have a Cisco account.  Can you send me the link to the tool?  Is it just a tool for PIX to ASA or Other Firewall to ASA migrations?  Or can you use it for seeing what would happen when upgrading from one Cisco IOS to a newer IOS?
0
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 125 total points
ID: 34952951
Please refer this page:

http://www.petenetlive.com/KB/Article/0000247.htm
If you upgrading ASA automatically convert the commands to the new image!
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:jpletcher1
ID: 34952987
I do understand that the upgrade will take care of the changes in syntax for me.  I do know though that there can be hangups during an upgrade if there are problems with the 8.3 upgrade not being able to fully translate.  So I was hoping to run my exising 8.2 config through a utility or something and see what the 8.3 output would be, and if there would be any errors.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34953023
I've found a problem:
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/A_3938-ASA-8-2-to-8-3-nonat-migration-probem.html


If you feel there is a migration problem after hardware upgrade, view the errors with:
hostname# show startup-config errors
0
 
LVL 12

Expert Comment

by:Hilal1924
ID: 34953248
Yes I agree  the issues that you face while migrating can be only related with Nat Control and Object Model. While these errors do not bring down your configuration they can be very severe when trying to figure out where the problem is. So it is better to understand the new changes in ASA and then Migrating. And Also please follow the link that I posted in my first comment.
0
 

Author Closing Comment

by:jpletcher1
ID: 35039959
Thanks guys, I will go off the articles and keep my fingers crossed.  I have an active and standby unit, so it shouldn't be too risky to update one and see how it goes before I do the other.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now