Wednesday, April 13, 2011

Cisco ASA 5500 7.2x to 8.4x upgrade

I just completed this upgrade on two firewalls and want to share some issues I encountered. Our firewalls were using the following basic features:
  • IPSEC VPN client
  • Site to Site IPSEC VPN tunnel
  • PAT
  • Static NATs
  • NAT exempt 
Firstly, the image boots up and the new ASDM works, so you should have no concern about the ASA not booting up. In fact, I had to do one that was located in a data center in Chicago while we were in California!
  1. The known, documented issue with the nat exempt command must be taken care of. The migration adds the keyword unidirectional to each converted nat exempt (nat 0) rule; every one of these rules must be changed back to bidirectional by removing that keyword (a twice NAT rule without unidirectional is bidirectional by default).
  2. Since access rules in 8.3+ reference the real (private) IP addresses of translated hosts rather than their mapped addresses, I found that none of these entries got changed on my outside access list! I had to change each ACL entry manually from the public address to its private IP address.
  3. There is a site-to-site IPSEC VPN tunnel whose encryption domain references a translated IP of a local host. The conversion process added a nat exempt rule for the encryption domain! This, of course, prevented the local host from being translated when it tried to connect to the remote host across the tunnel: no match for the encryption domain was found, so the tunnel never got established. I removed that nat exempt rule to fix it.
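To make issues 1 and 2 concrete, here is a constructed before/after configuration fragment (added here as an illustration, not taken from my firewalls or from Cisco documentation). Addresses, object names and ACL names are made up; the object names the migration generates on your box will differ.

```cisco
! ---- Pre-8.3 (7.2-style) configuration, constructed example ----
! NAT exemption: inside LAN to the VPN peer's LAN is never translated
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Static NAT for a web server, and an outside ACL matching its MAPPED address
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside

! ---- Roughly what the 8.4 migration produces ----
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0
! Issue 1: the migrated NAT exempt rule carries "unidirectional", so flows
! initiated from the remote side toward the inside LAN are no longer exempted
nat (inside,any) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN unidirectional
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10

! ---- Fixes ----
! Issue 1: remove the rule and re-add it without "unidirectional";
! a twice NAT rule is bidirectional unless that keyword is present
no nat (inside,any) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN unidirectional
nat (inside,any) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN
! Issue 2: from 8.3 on, interface ACLs match the REAL (private) address,
! so the outside ACL entry must reference 10.1.1.10, not 203.0.113.10
no access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443

! ---- Checks ----
! Lists every rule with hit counts; no rule should still show "unidirectional"
show nat detail
! Simulated inbound HTTPS to the web server: the trace should show the static
! translation, an ACCESS-LIST phase that permits, and end with "Action: allow"
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443
! Simulated inside host toward the remote LAN: the NAT phase should match the
! exemption rule (no translation) instead of the interface PAT rule
packet-tracer input inside tcp 10.1.1.20 40000 10.2.2.10 445
```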
That's it! All the best in your upgrades.

Here is the Cisco reference to the 8.4x release notes.
