ASA upgrades

Nerm · May 22, 2015, 10:14:52 AM

I have inherited several new customers with ASA 5505's running pre-8.3 software. A few questions in regards to ASA upgrades...

1.) A couple of these new customers have expired SmartNet contracts and refuse to renew. If I understand Cisco licensing correctly this means I technically cannot upgrade these specific customer ASA's.

2.) These are 5505's with minimal basic NAT rules in place so I am assuming I should be safe with the auto conversion between pre-8.3 and newer. Anyone have any experience with the auto conversion in this scenario?

3.) How comfortable would you feel doing these upgrades mentioned remotely? If it was post 8.3 to newer I would be fine but something about the auto conversion that concerns me when doing remotely.

deanwebb · May 22, 2015, 10:30:19 AM

I've done it in labs, and it does require reviewing of the rules to make sure they behave as desired. Most of the time it goes well, but there's always that one rule that results in a "That's funny..." that will fill your day with enchanting opportunities to learn.

dlots · May 22, 2015, 12:35:24 PM

1.) Correct

2.) Don't assume, I might try putting the config into GNS3 and doing the upgrade that way to make sure it works, if they don't work build a script to build these NATs

3.) If remote access requires this ASA to work in a correct fashion I would not do it remotely.

Nerm · May 22, 2015, 01:41:18 PM

I wish I could put the config in GNS3 but I cannot get the ASA platform to work right in GNS3. I have tried a couple different guides with no luck.

deanwebb · May 22, 2015, 02:01:56 PM

What dlots said about the remote thing is pretty crucial. If you would lose remote access to the ASA if this upgrade does not go right, then you can either be there at the remote site to do the upgrade, or you can go there while the business sustains an extended outage after the upgrade.

NetworkGroover · May 22, 2015, 02:04:41 PM

Quote from: Nerm on May 22, 2015, 01:41:18 PM
I wish I could put the config in GNS3 but I cannot get the ASA platform to work right in GNS3. I have tried a couple different guides with no luck.

I had the same experience years ago and gave up on it.

icecream-guy · May 22, 2015, 02:09:55 PM

you will need to check your memory, 8.3+ requires 512MB 256MB is default. ... Project done. but do a show ver first.

wintermute000 · May 23, 2015, 03:13:07 AM

You can run up vASA in VIRL. This could be a good way to get the company to purchase you a copy... hint hint...

ALWAYS ALWAYS ALWAYS rewrite all NAT rules by hand for any pre 8.2 to 8.3 migration. The automatic conversion never works properly.

Nerm · June 15, 2015, 01:37:12 PM

Well vacation is over and it is back to the grind. First thing on my todo (get caught up) list are these ASA upgrades. I did a few of them before leaving for vacation and following the advice of rewriting NAT's and doing them onsite so far has been golden as I have not had a single hiccup yet. Let's hope it stays that way.

config t · June 26, 2015, 01:36:44 AM

Quote from: wintermute000 on May 23, 2015, 03:13:07 AM
You can run up vASA in VIRL. This could be a good way to get the company to purchase you a copy... hint hint...

What is this VIRL you speak of?

Has anyone been successful getting ASA to work in GNS3?

wintermute000 · June 26, 2015, 05:05:36 AM

http://virl-dev-innovate.cisco.com/index.php

been under a rock lately?

AnthonyC · June 26, 2015, 11:25:57 AM

Quote from: config t on June 26, 2015, 01:36:44 AM
Quote from: wintermute000 on May 23, 2015, 03:13:07 AM
You can run up vASA in VIRL. This could be a good way to get the company to purchase you a copy... hint hint...

What is this VIRL you speak of?

Has anyone been successful getting ASA to work in GNS3?

Yes it has been working for years; IIRC it is trivial to setup.