How can I upgrade my ASA production firewall with minimum down time?

I currently have in production an ASA 5510 (200 users). It's running ver 8.2(5)48.
I have already purchased and received my new firewall ASA 5512 ver 9.2(2)4 and I have the FirePOWER e-license and all the needed software for the new box.
I anticipate several layers involved with my project: IOS, ACLs, NAT tables, and more. I also understand Sourcefire software will need to run in a virtual environment.
Is there a documented step-by-step process? Can someone point me to the most specific resource that will at least outline the most critical steps and most common mistakes?
Thank you!
Kount Williams asked:

Ken Boone, Network Consultant, commented:
So here is the flow that I have been going down when performing this:

1st you need to decide if you want to configure the new ASA from scratch or not.

    If yes, go ahead and configure it without it being on the network.
        If you are used to ASDM it's not too much different.
        If you are used to the CLI it is radically different.
        There are huge differences in ASA code pre-8.3 and 8.3 and above.
        Things like how the NATting is configured and how you reference devices in the ACLs.
    If no, then upgrade your 5510 to 8.3.
        This way the upgrade reconfigures your code for you.
        Then take this code and cut and paste into the new ASA.
        A few points here. It is not going to be a straight cut and paste; the interfaces for instance will be named differently. Some of the syntax from 8.3 to 9.x has changed as well. So there may be a few tweaks.

Ok so now the new ASA is configured and ready.  So once you are ready rack it in place and move the cables from your old to new.

Test everything out and tweak as necessary.

Once that is done, and only when that is done, start working on the Sourcefire stuff.

You will probably need to upgrade the Sourcefire module in the new ASA, and you will need to install the FireSIGHT Management Center software in a VM and start working on that.

When that is ready and licensed you can configure the ASA to start sending traffic through that module.

Here is a short doc that gives you some helpful guidance as well:

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/guide_c07-727453.html
Kount Williams (Author) commented:
Hey Ken,
Great job!
Just what I needed to know! Also, when I upgrade to 8.3, should I anticipate issues after I reload?
Ken Boone, Network Consultant, commented:
There was a change in the way proxy ARP was handled, or the default settings changed somewhere along the way, but I think that was in 8.4. I can't remember. The one thing to keep in mind is that when you swap the ASA out, if you had devices with public NAT statements, the router on the outside of the firewall will need to have its ARP cache flushed. So if you can reach the internet from normal clients but folks are telling you they can't reach your server that is NATted, it is probably an ARP issue on the device on the outside of your firewall.
Good luck.
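An added example (not from the page, not Cisco's or Experts Exchange's code) that turns the two answers above into a pre-migration check: it scans a pre-8.3 ASA running-config for the things Ken says will not cut-and-paste cleanly (the old `static`/`global`/`nat (if) id` NAT syntax and ACLs that reference the mapped public address rather than the real inside address), rewrites `interface` lines for the new chassis, and lists the mapped public addresses whose ARP entries on the outside router will go stale after the swap. The Ethernet0/x to GigabitEthernet0/x mapping, the sample config and the address ranges are constructed assumptions; the regexes cover only the common forms of the legacy NAT lines.

```python
import re

# Interface renaming between the two chassis. This mapping is an assumption
# (5510 front panel uses Ethernet0/x, 5512-X uses GigabitEthernet0/x);
# adjust it to the real boxes before relying on it.
IFACE_MAP = {
    "Ethernet0/0": "GigabitEthernet0/0",
    "Ethernet0/1": "GigabitEthernet0/1",
    "Ethernet0/2": "GigabitEthernet0/2",
    "Ethernet0/3": "GigabitEthernet0/3",
}

# Pre-8.3 NAT syntax that the 8.3 upgrade rewrites into object NAT.
# (regex, reviewer note); the static regex captures the mapped address.
LEGACY_NAT = [
    (re.compile(r"^\s*static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)"),
     "pre-8.3 'static' translation; re-check the object NAT the upgrade generates"),
    (re.compile(r"^\s*global\s+\(\S+\)\s+\d+"),
     "pre-8.3 'global' pool; folded into object NAT by the upgrade"),
    (re.compile(r"^\s*nat\s+\(\S+\)\s+\d+\s"),
     "pre-8.3 'nat (if) id' rule; folded into object NAT by the upgrade"),
]

IFACE_RE = re.compile(r"^(\s*interface\s+)(\S+)(.*)$")
ACL_HOST_RE = re.compile(r"\bhost\s+(\d+\.\d+\.\d+\.\d+)")

# Constructed sample of a pre-8.3 config (addresses from documentation ranges).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.11 eq smtp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
"""


def mapped_addresses(config_text):
    """Public (mapped) addresses from pre-8.3 'static' lines.

    The outside router holds ARP entries for these; after the hardware swap
    they point at the old ASA's MAC until the router's ARP cache is flushed.
    """
    static_re = LEGACY_NAT[0][0]
    found = set()
    for line in config_text.splitlines():
        m = static_re.match(line)
        if m:
            found.add(m.group(3))  # first address after the interface pair
    return found


def lint_config(config_text, iface_map=IFACE_MAP):
    """Return findings as (line_no, kind, original_line, note) tuples."""
    findings = []
    mapped = mapped_addresses(config_text)
    for no, line in enumerate(config_text.splitlines(), 1):
        m = IFACE_RE.match(line)
        if m:
            old = m.group(2)
            if old in iface_map:
                findings.append((no, "interface", line,
                                 f"rename {old} -> {iface_map[old]} on the new chassis"))
            continue
        for pattern, note in LEGACY_NAT:
            if pattern.match(line):
                findings.append((no, "nat", line, note))
                break
        else:
            # From 8.3 on, ACLs reference the real address, not the mapped one.
            if line.lstrip().startswith("access-list"):
                for addr in ACL_HOST_RE.findall(line):
                    if addr in mapped:
                        findings.append((no, "acl", line,
                                         f"references mapped address {addr}; "
                                         "8.3+ ACLs use the real (inside) address"))
    return findings


def rename_interfaces(config_text, iface_map=IFACE_MAP):
    """Rewrite 'interface X' lines for the new chassis; other lines untouched."""
    out = []
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m and m.group(2) in iface_map:
            line = f"{m.group(1)}{iface_map[m.group(2)]}{m.group(3)}"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for no, kind, line, note in lint_config(SAMPLE_CONFIG):
        print(f"line {no:3d} [{kind}] {line.strip()}\n          -> {note}")
    print("flush ARP on the outside router for:", sorted(mapped_addresses(SAMPLE_CONFIG)))
```

Run it against a `show running-config` capture taken from the 5510 before the 8.3 upgrade; the findings are the lines to eyeball in the migrated config, and the mapped-address list is what to check on the upstream router if inbound NAT stops working after the cable move.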