ASA Upgrade from 8.2 to 8.4, disruptive to NAT and ACLs?
Futura
Member Posts: 191
Hi there, first post in this section of the forum so go easy on me. I have an ASA 5540 at my disposal and currently run 8.2. I have a full service contract so no worries there. What does bother me is that I believe the migration to be a little difficult due to NAT rules and ACLs etc. Could any expert take a look at my config and point me in the right direction? I really don't see how my NAT rules would be affected by it?
RAS-ASA# sh nat
NAT policies on Interface inside:
match ip inside any outside 192.168.184.0 255.255.255.0
NAT exempt
translate_hits = 2330, untranslate_hits = 26598
match ip inside 192.168.125.0 255.255.255.0 outside 192.168.115.0 255.255.255.240
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any inside 192.168.184.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.125.0 255.255.255.0 inside 192.168.115.0 255.255.255.240
NAT exempt
translate_hits = 0, untranslate_hits = 0
RAS-ASA# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside-acl; 2 elements; name hash: 0xb1b82131
access-list outside-acl line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x96a7c779
access-list outside-acl line 2 extended permit ip 192.168.115.0 255.255.255.240 192.168.125.0 255.255.255.0 (hitcnt=0) 0xa9f05e40
access-list inside_nat0_outbound; 2 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip any 192.168.184.0 255.255.255.0 (hitcnt=0) 0xab071e45
access-list inside_nat0_outbound line 2 extended permit ip 192.168.125.0 255.255.255.0 192.168.115.0 255.255.255.240 (hitcnt=0) 0x73e1046d
access-list VPN-NoInsideAccess; 3 elements; name hash: 0x994a9051
access-list VPN-NoInsideAccess line 1 extended permit udp any any eq domain log disable (hitcnt=0) 0x0cdd00cb
access-list VPN-NoInsideAccess line 2 extended deny ip any 192.168.0.0 255.255.0.0 (hitcnt=0) 0x01fa2f66
access-list VPN-NoInsideAccess line 3 extended permit ip any any log disable (hitcnt=0) 0xcd714067
sh run
: Saved
:
ASA Version 8.2(2)
!
hostname RAS-ASA
domain-name ras.domainname.com
enable password *************** encrypted
passwd *************** encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.115.2 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.125.90 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.125.53
name-server 192.168.125.54
domain-name ************.com
access-list outside-acl extended permit icmp any any echo-reply
access-list outside-acl extended permit ip 192.168.115.0 255.255.255.240 192.168.125.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.184.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.115.0 255.255.255.240
access-list VPN-NoInsideAccess extended permit udp any any eq domain log disable
access-list VPN-NoInsideAccess extended deny ip any 192.168.0.0 255.255.0.0
access-list VPN-NoInsideAccess extended permit ip any any log disable
pager lines 24
logging enable
logging timestamp
logging buffer-size 20000
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm informational
logging host inside 192.168.125.93
logging host inside 192.168.125.88
logging debug-trace
no logging message 710005
logging message 113019 level critical
logging message 113015 level critical
logging message 716001 level critical
mtu outside 1500
mtu inside 1500
ip local pool RAS-Pool 192.168.184.1-192.168.184.254
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group outside-acl in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.115.1 1
route inside 192.168.0.0 255.255.0.0 192.168.125.1 1
route inside 0.0.0.0 0.0.0.0 192.168.125.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record ipad
priority 1
webvpn
svc ask none default svc
dynamic-access-policy-record Check-AV
webvpn
svc ask none default webvpn
aaa-server SecureID protocol radius
aaa-server SecureID (inside) host 192.168.125.92
key *****
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec
enrollment terminal
fqdn vpn.domain.com
subject-name CN=vpn.domainname,O=domain,C=gb
keypair SSL-Cert
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
subject-name CN=vpn.domainname,O=domain,C=GB,L=
keypair VPN-2048-Key
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate ca 3863e9fc quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh XX.XX.XX.XX 255.255.255.192 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint3 inside
ssl trust-point ASDM_TrustPoint3 outside
webvpn
enable outside
csd image disk0:/csd_3.4.2048.pkg
csd enable
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 2
svc profiles No-SBL disk0:/No-SBL
svc profiles SBL disk0:/SBL2
svc enable
port-forward RDP 3389 3389 3389 rdp
group-policy MobileWorker internal
group-policy MobileWorker attributes
vpn-tunnel-protocol IPSec svc
address-pools value RAS-Pool
webvpn
svc profiles value No-SBL
group-policy DfltGrpPolicy attributes
dns-server value 192.168.125.53 192.168.125.54
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
customization value VPN-Problem
file-entry disable
file-browsing disable
url-entry disable
tunnel-group IPSEC-VPN type remote-access
tunnel-group IPSEC-VPN general-attributes
address-pool RAS-Pool
authentication-server-group SecureID
default-group-policy IPSEC-VPN
tunnel-group IPSEC-VPN ipsec-attributes
pre-shared-key *****
!
class-map IPS
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
class IPS
ips inline fail-open
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6dd777da1e3eb401b1a8dad3f1a06d10
: end
RAS-ASA# exit
Logoff
Really appreciate any help with this.
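To show concretely what the 8.3+ NAT change does to the config above, here are its two NAT-exempt entries (nat (inside) 0 access-list inside_nat0_outbound) rewritten by hand in the object/twice-NAT form that 8.3 and later use. This is an added example, not the output of Cisco's migration wizard; the object names are my own, and the no-proxy-arp / route-lookup keywords assume 8.4(2) or later.

```cisco
! Added example: 8.3+ equivalent of the post's nat 0 exemption, written by hand.
! Object names below are mine; the migration wizard names things differently.
object network RAS-Pool-net
 subnet 192.168.184.0 255.255.255.0
object network inside-net
 subnet 192.168.125.0 255.255.255.0
object network outside-net
 subnet 192.168.115.0 255.255.255.240
!
! ACE 1 of inside_nat0_outbound: permit ip any 192.168.184.0/24
! In 8.2, nat 0 applied whatever the egress interface ("sh nat" above shows
! policies towards both outside and inside), so the egress interface is "any".
nat (inside,any) source static any any destination static RAS-Pool-net RAS-Pool-net no-proxy-arp route-lookup
!
! ACE 2 of inside_nat0_outbound: permit ip 192.168.125.0/24 192.168.115.0/28
nat (inside,any) source static inside-net inside-net destination static outside-net outside-net no-proxy-arp route-lookup
!
! no-proxy-arp and route-lookup exist from 8.4(2) onwards; they reproduce the
! 8.2 nat 0 behaviour (no proxy ARP for identity-mapped addresses, routing
! table picks the egress interface). On 8.3 and 8.4(1) that is already the
! default for identity NAT and the keywords are not accepted, so omit them.
```

After this, inside_nat0_outbound itself is no longer referenced by anything, while outside-acl needs no rewrite: 8.3+ interface ACLs match on real (untranslated) addresses, and that ACL already uses real addresses.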
Comments
-
docrice Member Posts: 1,706
I only glanced through this, but I'll say that the 8.3 auto-migration wizard doesn't always work well. In a particular case I went from 7.x to 8.2 to 8.3 and it ended up being a disaster. Not everything migrated cleanly, I lost a number of routes and ssh statements, etc. I had to rebuild some of the config from scratch in a severely-constrained maintenance window. This might not end up being the case for you, but I recommend testing well beforehand.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
-
PhildoBaggins Member Posts: 276
DO NOT auto migrate anything 8.2 to 8.3+. I have done a bunch of 8.4 migrations to my internal ASAs and customer ASAs. I will always export the build and then analyse the text.
For the most part it gives me an opportunity to really look and go:
WHY DID THEY BUILD THIS IN ASDM
WHY ARE THESE RULES HERE, THEY DON'T DO ANYTHING
THESE TUNNELS ARE OLD AND WE DON'T HAVE THESE VENDORS ANYMORE
As docrice stated, it's not just NATs: VPN statements are slightly different with isakmp versions, and NATs will break of course.