ASA 8.3 Upgrade - What You Need To Know
1. The NAT CLI commands are completely different from all previous versions of ASA.
2. The IP addresses used in the ACLs are different (pre-8.3 versions used the global/translated IPs, whereas
8.3 always uses the real (untranslated) IPs).
3. A new concept of host-based objects was introduced, to allow singular hosts to be referenced by their
names (previously, we had the name command, but that was more of a macro-substitution in the show
running-config output).
Pre-Requisites to Upgrading
Many models of the ASA require a memory upgrade prior to upgrading the ASA to version
8.3. Brand new ASAs from the factory (manufactured after Feb 2010) come with the
upgraded memory. However, if your ASA was manufactured before February 2010, and is
one of the models below requiring a memory upgrade, then you will need to purchase the
memory upgrade part prior to installing 8.3 on your ASA.
Postings may contain unverified user-created content and change frequently. The content is provided as-is and
is not warrantied by Cisco.
Platform  License                             Pre-8.3 Memory Required  8.3 Memory Required  Memory Upgrade Part Number
5505      Unlimited (inside hosts=Unlimited)  256 MB                   512 MB               ASA5505-MEM-512=
5505      Security Plus (failover=enabled)    256 MB                   512 MB               ASA5505-MEM-512=
5505                                          256 MB                   256 MB               No Memory Upgrade Needed
5510      All licenses                        256 MB                   1024 MB              ASA5510MEM-1GB=
5520      All licenses                        512 MB                   2048 MB *            ASA5520MEM-2GB=
5540      All licenses                        1024 MB                  2048 MB *            ASA5540MEM-2GB=
5550      All licenses                        4096 MB                  4096 MB              No Memory Upgrade Needed
5580      All licenses                        8-16 Gb                  8-16 Gb              No Memory Upgrade Needed
* Note: The maximum memory supported for the ASA-5520 and ASA-5540 is 2 Gb. If you
install 4 Gb of memory in these units, they will go into a boot loop.
ASA# show version | include RAM
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
For ASDM users, you can see the amount of RAM in the ASA from the ASDM Home (Device
Dashboard) page.
pre-8.3 Configuration
8.3 Configuration
nat-control
If you forget to issue no nat-control prior to upgrading, then it is safe to remove the all-0's
objects with associated nat rules after the fact.
To view your current nat-control configuration, issue the command show run all nat-control.
Please note that we only support upgrading to 8.3 from 8.2. Therefore, you need to be
running 8.2 on your ASA prior to upgrading to 8.3.
For ASAs in a failover set, we do support upgrading from 8.2 to 8.3 with zero downtime.
Follow the same procedure you have in the past.
Note: During the upgrade process, the ASA will save two files on disk.
1. The current (pre-upgraded) configuration in a file named <version>_startup_cfg.sav
Example: disk0:/8_2_2_0_startup_cfg.sav
This file will be critical if you need to downgrade your ASA from 8.3 to 8.2 at a future date.
2. Warning messages and errors encountered during the upgrade process of converting your configuration to
8.3 will be saved in a file named upgrade_startup_errors_<timestamp>.log
Upgrade Paths
Cisco officially supports upgrading to ASA version 8.3 only from ASA version 8.2.
Therefore, if you are currently running a version of ASA code prior to 8.2, you will need to
perform a stepwise upgrade. Please see the table below:
Current Train  Intermediate Upgrades  Final Train
8.2            none                   8.3
8.1            8.2                    8.3
8.0            8.2                    8.3
7.2                                   8.3
7.1                                   8.3
7.0                                   8.3
That said, for CLI users, please do not upgrade to 8.3 on a Friday night just as you are
getting ready to go out of town for the weekend. Instead, it is recommended that you play with
it in a lab (if you have one), or read up on the changes (see Additional Information below)
before you upgrade. Ok, with that said, let's look at some examples.
ACL Changes
Although the syntax of the ACLs hasn't changed much (just added capabilities for new
objects), the significant change is that all IP addresses listed in ACLs which are applied to
an interface will be converted (on upgrade) from using global (i.e. translated or post-NAT) IP
addresses, to using the real IP address. Let's look at an example.
In the above topology, an internal web server (with IP 10.1.1.6) is being protected
by an ASA. Clients on the Internet access this web server by its public IP address:
209.165.201.15. Prior to version 8.3, the interface ACL would permit traffic to the public
IP 209.165.201.15. But starting with 8.3, the real IP 10.1.1.6 is used in the configuration.
Please see the configuration examples below.
pre-8.3 Configuration
static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255
!
access-list outside_in extended permit tcp any host 209.165.201.15
access-group outside_in in interface outside
8.3 Configuration
object network obj-10.1.1.6
 host 10.1.1.6
 nat (inside,outside) static 209.165.201.15
!
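The conversion described above can be modelled in a few lines to preview which ACL entries will change before an upgrade. This is an added example, not Cisco's migration code and not part of the original post; it handles only host static rules, and it assumes (from the wording above) that ACLs not applied to an interface are left alone. The vpn_acl line is a constructed, hypothetical entry.

```python
import re

# Constructed input: the page's pre-8.3 example plus one ACL (vpn_acl, a
# hypothetical name) that is not applied to any interface.
PRE_83 = """\
static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255
!
access-list outside_in extended permit tcp any host 209.165.201.15
access-list vpn_acl extended permit ip any host 209.165.201.15
access-group outside_in in interface outside
"""

STATIC = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")
GROUP = re.compile(r"access-group (\S+) (?:in|out) interface \S+$")


def convert(config):
    """Return (converted lines, [(acl, mapped_ip, real_ip), ...])."""
    lines = [l.strip() for l in config.splitlines()]
    # Pass 1: learn mapped->real from host statics and which ACLs sit on interfaces.
    real_of = {m[3]: m[4] for m in map(STATIC.match, lines) if m}
    applied = {m[1] for m in map(GROUP.match, lines) if m}
    out, changes = [], []
    for line in lines:
        m = STATIC.match(line)
        if m:  # host static becomes a network object carrying its own NAT rule
            real_if, mapped_if, mapped, real = m.groups()
            out += [f"object network obj-{real}", f" host {real}",
                    f" nat ({real_if},{mapped_if}) static {mapped}"]
            continue
        parts = line.split()
        if len(parts) > 1 and parts[0] == "access-list" and parts[1] in applied:
            for i in range(len(parts) - 1):
                # "host <mapped ip>" is rewritten to "host <real ip>"
                if parts[i] == "host" and parts[i + 1] in real_of:
                    changes.append((parts[1], parts[i + 1], real_of[parts[i + 1]]))
                    parts[i + 1] = real_of[parts[i + 1]]
            line = " ".join(parts)
        out.append(line)
    return out, changes


if __name__ == "__main__":
    converted, changes = convert(PRE_83)
    print("\n".join(converted))
    for acl, mapped, real in changes:
        print(f"! {acl}: {mapped} -> {real}")
```

Comparing the reported changes against the upgraded running configuration is a quick way to confirm that every interface ACL now permits traffic to the real address and nothing wider.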
https://supportforums.cisco.com/videos/2200
Additional Information