To upgrade ASA's past 8.2 or not... that is the question

TesseracT Member Posts: 167
What version are your production ASA's at?

Ours are still at 8.2... I don't see any major benefits of upgrading to the newer versions just yet, but maybe I can be convinced.

The NAT changes seem to be a headache. There's also other changes that don't seem to give any real world advantages. I'm aware that you should skip 8.3 and go straight to 8.4 but it all just seems like such a pain. Everything is working smoothly at the moment and I can't bring myself to create more work in my already busy schedule.

Have you made the change? Why or why not?
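To make "the NAT changes" concrete, here is an added example (not code from this thread, and not Cisco's own config-migration logic): a toy Python rewrite of the two simplest pre-8.3 rule shapes, a one-to-one host `static` and a `nat`/`global` dynamic pair, into 8.3+ object NAT. It also does the part that catches people out: from 8.3 on, access rules match the real (untranslated) address, so an outside access-list written against the mapped address has to be rewritten to the real host or it quietly stops matching. The sample config and the OBJ-* object names are constructed; anything in legacy NAT syntax outside those two shapes (port statics, `nat 0`, policy NAT, `nat-control`, address ranges in `global`) raises an error rather than being passed through.

```python
"""Added example (not from the thread, not Cisco's migration code): a toy rewrite
of the two simplest pre-8.3 NAT rule shapes into 8.3+ object NAT, plus the
access-list fix-up: from 8.3 on, access rules match the real (untranslated)
address, so outside ACL entries written against the mapped address must be
rewritten to the real host."""
import re

# Constructed 8.2-style sample; addresses are from documentation ranges.
OLD_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
"""

# Supported shapes only: host static, and dynamic nat/global pairs.
STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) netmask 255\.255\.255\.255$")
NAT_RE = re.compile(r"^nat \((\S+)\) ([1-9]\d*) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) ([1-9]\d*) (interface|\d+\.\d+\.\d+\.\d+)$")
LEGACY_PREFIXES = ("static ", "nat ", "global ", "nat-control")


def obj_name(addr):
    """Derive a deterministic (hypothetical) object name from a real address."""
    return "OBJ-" + addr.replace(".", "-")


def migrate(config):
    """Return the 8.3+ form of CONFIG as a list of config lines.

    Legacy NAT syntax that is not one of the two supported shapes raises
    ValueError instead of being passed through, so a rule is never silently
    dropped the way an unattended migration might drop it.
    """
    objects = []         # object network blocks, each a list of lines
    mapped_to_real = {}  # mapped host -> real host, for the ACL rewrite
    nats = {}            # nat_id -> [(real_if, net, mask), ...]
    globals_ = {}        # nat_id -> (mapped_if, mapped)
    other = []           # everything that is not NAT

    for line in (l.strip() for l in config.splitlines()):
        if not line:
            continue
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped, real = m.groups()
            objects.append([f"object network {obj_name(real)}",
                            f" host {real}",
                            f" nat ({real_if},{mapped_if}) static {mapped}"])
            mapped_to_real[mapped] = real
        elif m := NAT_RE.match(line):
            real_if, nat_id, net, mask = m.groups()
            nats.setdefault(nat_id, []).append((real_if, net, mask))
        elif m := GLOBAL_RE.match(line):
            mapped_if, nat_id, mapped = m.groups()
            globals_[nat_id] = (mapped_if, mapped)
        elif line.startswith(LEGACY_PREFIXES):
            raise ValueError(f"unsupported legacy NAT form, migrate by hand: {line}")
        else:
            other.append(line)

    # Each nat/global pair becomes one object with a dynamic rule.
    for nat_id, entries in nats.items():
        if nat_id not in globals_:
            raise ValueError(f"nat id {nat_id} has no matching global")
        mapped_if, mapped = globals_[nat_id]
        for real_if, net, mask in entries:
            objects.append([f"object network {obj_name(net)}",
                            f" subnet {net} {mask}",
                            f" nat ({real_if},{mapped_if}) dynamic {mapped}"])

    # 8.3+ access rules see the real address, so "host <mapped>" in an
    # access-list must become "host <real>" or the rule stops matching.
    fixed = []
    for line in other:
        if line.startswith("access-list "):
            for mapped, real in mapped_to_real.items():
                line = re.sub(rf"\bhost {re.escape(mapped)}\b", f"host {real}", line)
        fixed.append(line)

    return [l for block in objects for l in block] + fixed


if __name__ == "__main__":
    print("\n".join(migrate(OLD_CONFIG)))
```

Run it and diff the output against what the box produces after the upgrade; the point of failing loudly on anything else is that the interesting rules (identity NAT, port statics, policy NAT) are exactly the ones worth checking by hand rather than trusting to any automatic rewrite.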

Comments

  • chrisone Senior Member Posts: 2,272
    We have not made the changes. We run web features on our ASA's and changing the NATing will probably cause outages left and right, and we would not even know where to begin. At some point we will have to do it; however, we should use the time to understand the major changes and how they would affect our environment. At this time there is no benefit other than a huge monetary risk.
  • Turgon Banned Posts: 6,308
    I understand the NAT changes are a headache. Migrating from FWSM to ASA is fun too :)
  • docrice Member Posts: 1,706
    At an organization that just happened to standardize on 8.3(1), I had the extremely fortunate opportunity to upgrade an HA pair from 7.2(4) to 8.3(1). What a joy it was when I went from the original version to 8.2, then to 8.3 ... and the config auto-migration system failed to properly migrate all the configurations.

    There was downtime beyond the expected outage window while I tried to input configurations by hand from the config backups I took at each step of the upgrade process. Everything was hitless until I put in 8.3(1) and rebooted each firewall for the new code to take effect. I somehow lost half of my routes, half of my SSH config, and had to re-do several NAT configs (perhaps reboot again or clear the translation table) in order for things to just "start working" magically. If I had been doing this remotely, I would have been running to the nearest airport to fix it.

    8.3 sucks. I hear 8.4 is better. Granted, this is the initial release of 8.3 we're talking about so bugs should have been expected. In any case, my lessons-learned recommendation to you is to test-test-test the migration process in a lab before committing it in a production environment. Heads should have rolled at Cisco for 8.3(1).
  • cisco_trooper Member Posts: 1,441
    You also have to consider regulatory requirements. If you are in a regulated industry and have to maintain compliance, you will run into the issue that you HAVE to upgrade your software regularly whether you like it or not.
  • Maced129 Member Posts: 78
    EtherChannel and identity firewall are some cool features in 8.4.
    Here's a list of new features:
    Release Notes for the Cisco ASA 5500 Series, 8.4(x)  [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

    For the most part, I've stuck with 8.2... only used 8.4 on one install for the EtherChannel capability.
  • SteveO86 Member Posts: 1,423
    You'll definitely want to run a test bed or schedule some type of maintenance window to get familiar with the changes from 8.2 to 8.3/8.4.

    I've got a customer with 40/50+ ASA's running a mixture of 8.2 and 8.3; it's an annoyance. We are actually planning to upgrade them to 8.3 across the board, because we've got 8.3 running in their environment already. We've encountered a few of the open caveats with 8.2. The last one we encountered was that we were unable to gain SSH access to the device; it turned out there were no active SSH sessions but there were 5 SSH processes running on the ASA. HTTPS access worked fine, and I enabled telnet for a bit and that worked too, so the issue was related to SSH and required a reload. That's our reason for upgrading this customer's ASA's to 8.3 from 8.2.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    I recently unified all of our ASAs to 8.3 from various versions. I never worked with the old versions, so the NATting issues that other people describe never really affected me. Although the no-NAT configuration is a bit odd lol.