  1. Aperture Science Futura
    Join Date
    Feb 2011
    Manchester UK

    MCSE NT4, CCENT, PRINCE2 foundation, CCNA, ITIL v3 Foundation

    ASA Upgrade from 8.2 to 8.4, disruptive to NAT and ACLs?

    Hi there, first post in this section of the forum so go easy on me. I have an ASA 5540 at my disposal and currently run 8.2. I have a full service contract, so no worries there. What does bother me is that I believe the migration to be a little difficult due to NAT rules and ACLs etc. Could any expert take a look at my config and point me in the right direction? I really don't see how my NAT rules would be affected by it?


    RAS-ASA# sh nat

    NAT policies on Interface inside:
    match ip inside any outside
    NAT exempt
    translate_hits = 2330, untranslate_hits = 26598
    match ip inside outside 255.255.255.
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
    match ip inside any inside
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
    match ip inside inside
    NAT exempt
    translate_hits = 0, untranslate_hits = 0


    RAS-ASA# sh access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
    alert-interval 300
    access-list outside-acl; 2 elements; name hash: 0xb1b82131
    access-list outside-acl line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x96a7c779
    access-list outside-acl line 2 extended permit ip (hitcnt=0) 0xa9f05e40
    access-list inside_nat0_outbound; 2 elements; name hash: 0x467c8ce4
    access-list inside_nat0_outbound line 1 extended permit ip any 255.255.255.0 (hitcnt=0) 0xab071e45
    access-list inside_nat0_outbound line 2 extended permit ip 255.255.255.0 (hitcnt=0) 0x73e1046d
    access-list VPN-NoInsideAccess; 3 elements; name hash: 0x994a9051
    access-list VPN-NoInsideAccess line 1 extended permit udp any any eq domain log disable (hitcnt=0) 0x0cdd00cb
    access-list VPN-NoInsideAccess line 2 extended deny ip any 255.255.0.0 (hitcnt=0) 0x01fa2f66
    access-list VPN-NoInsideAccess line 3 extended permit ip any any log disable (hitcnt=0) 0xcd714067


    sh run
    : Saved
    ASA Version 8.2(2)
    hostname RAS-ASA
    domain-name ras.domainname.com
    enable password *************** encrypted
    passwd *************** encrypted
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address
    interface GigabitEthernet0/2
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    no nameif
    no security-level
    no ip address
    interface Management0/0
    no nameif
    no security-level
    no ip address
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    clock timezone GMT 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup inside
    dns server-group DefaultDNS
    domain-name ************.com
    access-list outside-acl extended permit icmp any any echo-reply
    access-list outside-acl extended permit ip 192.168
    access-list inside_nat0_outbound extended permit ip any 255.255.25
    access-list inside_nat0_outbound extended permit ip
    access-list VPN-NoInsideAccess extended permit udp any any eq domain log disable
    access-list VPN-NoInsideAccess extended deny ip any
    access-list VPN-NoInsideAccess extended permit ip any any log disable
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 20000
    logging console debugging
    logging monitor debugging
    logging buffered debugging
    logging trap debugging
    logging asdm informational
    logging host inside
    logging host inside
    logging debug-trace
    no logging message 710005
    logging message 113019 level critical
    logging message 113015 level critical
    logging message 716001 level critical
    mtu outside 1500
    mtu inside 1500
    ip local pool RAS-Pool
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-625-53.bin
    no asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_nat0_outbound
    access-group outside-acl in interface outside
    route outside 1
    route inside 1
    route inside tunneled
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    dynamic-access-policy-record ipad
    priority 1
    svc ask none default svc
    dynamic-access-policy-record Check-AV
    svc ask none default webvpn
    aaa-server SecureID protocol radius
    aaa-server SecureID (inside) host
    key *****
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec
    enrollment terminal
    fqdn vpn.domain.com
    subject-name CN=vpn.domainname,O=domain,C=gb
    keypair SSL-Cert
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpoint ASDM_TrustPoint3
    enrollment terminal
    subject-name CN=vpn.domainname,O=domain,C=GB,L=
    keypair VPN-2048-Key
    crl configure
    crypto ca certificate chain ASDM_TrustPoint1
    certificate ca 3863e9fc quit
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    telnet inside
    telnet timeout 5
    ssh XX.XX.XX.XX outside
    ssh inside
    ssh timeout 30
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint3 inside
    ssl trust-point ASDM_TrustPoint3 outside
    enable outside
    csd image disk0:/csd_3.4.2048.pkg
    csd enable
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 2
    svc profiles No-SBL disk0:/No-SBL
    svc profiles SBL disk0:/SBL2
    svc enable
    port-forward RDP 3389 3389 3389 rdp

    group-policy MobileWorker internal
    group-policy MobileWorker attributes
    vpn-tunnel-protocol IPSec svc
    address-pools value RAS-Pool
    svc profiles value No-SBL

    group-policy DfltGrpPolicy attributes
    dns-server value
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    customization value VPN-Problem
    file-entry disable
    file-browsing disable
    url-entry disable

    tunnel-group IPSEC-VPN type remote-access
    tunnel-group IPSEC-VPN general-attributes
    address-pool RAS-Pool
    authentication-server-group SecureID
    default-group-policy IPSEC-VPN
    tunnel-group IPSEC-VPN ipsec-attributes
    pre-shared-key *****
    class-map IPS
    match any
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect ip-options
    class IPS
    ips inline fail-open
    service-policy global_policy global
    prompt hostname context
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DD
    destination address email callhome@cisco.com
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    : end
    RAS-ASA# exit


    Really appreciate any help with this.

  3. docrice
    Join Date
    Apr 2010
    Bay Area, CA

    GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, GCFE, GCFA, GMON, OSWP, SFCP, SnortCP, Sec+; expired: CCNA (R&S, Security, Wireless), WCNA
    I only glanced through this, but I'll say that the 8.3 auto-migration wizard doesn't always work well. In a particular case I went from 7.x to 8.2 to 8.3 and it ended up being a disaster. Not everything migrated cleanly; I lost a number of routes and ssh statements, etc. I had to rebuild some of the config from scratch in a severely constrained maintenance window. This might not end up being the case for you, but I recommend testing well beforehand.

  4. PhildoBaggins
    Join Date
    Sep 2010
    In America

    A+, Net+, MCP, LCP, BAIS, BCNE, CCENT, CCNA, CCNA Security, CCNA Voice, CCDA, CCNP, CUDS, LCSAUC, CIPTDS, NSA 4011, Cisco IOS Security Specialist, Hub
    DO NOT auto migrate anything 8.2 to 8.3+. I have done a bunch of 8.4 migrations to my internal ASAs and customer ASAs. I will always export the build and then analyse the text.

    For the most part it gives me an opportunity to really look and go:


    As docrice stated, it's not just NATs; VPN statements are slightly different with isakmp versions, and NATs will break of course.
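A pre-migration audit in the spirit of the advice above to export the build and read it before touching the box, written as an added example for this thread (it is not code from any poster or from Cisco): it flags the pre-8.3 NAT statements that the 8.3+ migration rewrites, counts the ACEs of the NAT-exemption ACL that each become a twice-NAT rule, and lists the interface ACLs whose addressing changes from mapped to real addresses. The config excerpt is constructed from the posted config; the original redacted its addresses, so the ones here are documentation-range placeholders.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the 8.2 config posted in the thread; the post
# redacted its addresses, so the ones here are documentation-range placeholders.
SAMPLE_CONFIG = """\
ASA Version 8.2(2)
access-list outside-acl extended permit icmp any any echo-reply
access-list outside-acl extended permit ip 192.0.2.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 10.1.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.255.0 any
access-list VPN-NoInsideAccess extended deny ip any 10.0.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
access-group outside-acl in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

# Pre-8.3 NAT forms. None of these exist in 8.3+; the migration replaces them
# with 'object network' definitions plus object NAT / twice NAT rules.
LEGACY_NAT = re.compile(r"^(nat \(\S+\) \d+ |global \(\S+\) |static \(\S+,\S+\) )")
ACE = re.compile(r"^access-list (\S+) extended ")
NAT0 = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit(config):
    """Classify the parts of a pre-8.3 config that the 8.3+ migration rewrites."""
    aces = defaultdict(int)          # ACL name -> number of ACEs
    exempt_names = []                # ACLs bound to 'nat ... 0 access-list'
    report = {"legacy_nat": [], "exempt_acls": {}, "interface_acls": {}}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ACE.match(line):
            aces[m.group(1)] += 1
        if LEGACY_NAT.match(line):
            report["legacy_nat"].append(line)
        if m := NAT0.match(line):
            exempt_names.append(m.group(1))
        if m := GROUP.match(line):
            # Interface ACLs keep their name, but in 8.3+ they match real
            # (untranslated) addresses, so ACEs written for mapped addresses need review.
            report["interface_acls"][m.group(1)] = m.group(2)
    # Each ACE of a NAT-exemption ACL becomes one twice-NAT rule; the ACL itself
    # is no longer referenced by NAT afterwards, so the count is the rules to expect.
    for name in exempt_names:
        report["exempt_acls"][name] = aces.get(name, 0)
    referenced = set(report["exempt_acls"]) | set(report["interface_acls"])
    # ACLs used elsewhere (VPN filters, class-maps) or simply left over: check by hand.
    report["other_acls"] = sorted(set(aces) - referenced)
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against the full exported `show running-config` rather than this excerpt; anything in `legacy_nat` and `exempt_acls` is what to diff against the migrated config after the upgrade.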
