Cisco Firewall :: Migration Error Upgrading To ASA 8.4.4
Oct 25, 2012
I was trying to upgrade an ASA to from 8.2.4 to 8.4.4, and I began receiving the following migration errors (the IP addresses have been changed to protect the innocent):
ERROR: MIGRATION: The following ACE is partially/not migrated to Real IP, as it could result in more permissive policy. Please manually migrate this ACE. permit esp host 1.1.1.1 host 2.2.2.2
I got a TON of these, in fact the migration, and these errors ran for over 24 hours before I gave up, powercycled the unit and forced 8.2.4 to boot through ROMMON. This was a secondary unit, that's why I let it go this long.
What I don't understand is that we do not have anything in the configuration for ESP.
View 1 Replies
ADVERTISEMENT
Nov 9, 2011
I'm having some problems when upgrading the IOS of my Catalyst 3750 switch through a tftp server. I've been surfing the net and found that there seems to be a problem when the image file is larger than 16M but this is not my case.I erased the flash to be sure that there was enough memory space to upload the image but didnt work.I also tried with archive download-sw /overwrite command and using a ftp server but the problem is the always the same: [code]To make sure it was not a problem of my computer or tftp server, I tried with a different computer and with a different tftp server but the same happen. I also tried with a 3750V2 and still the same. Even when trying to backup the current IOS to my computer, I got "error writing".
Then, I have tried to do the same with a different model of switch, a WS-C3560-48PS and it works perfect.I still need to try using Xmodem but Xmodem takes ages to finalize the process.
View 8 Replies
View Related
May 14, 2012
I upgraded IOS-XE on 4500E (SUP7L-E) to cat4500e-universalk9.SPA.03.03.00.SG.151-1. I encounter the log when i try to issue write mem commad
% VRF table-id 0 not activeCompressed configuration from 8947 bytes to 2140 bytes[OK].
View 3 Replies
View Related
Feb 4, 2013
I am trying to copy IOS from unix box to 3750 switch
archive tar /xtract tftp://192.168.1.5/c3750-ipserviceslmk9-tar.122-55.SE7.tar flash:
%Error opening tftp://192.168.1.5/c3750-ipserviceslmk9-tar.122-55.SE7.tar (Timed out)
i get error
i can ping the unix box from the switch.Here is switch flash info
sh flash
Directory of flash:/
2 -rwx 6484 Mar 1 1993 00:02:53 +00:00 vlan.dat 4 -rwx 1929 Feb 4 2013 22:59:34 +00:00 private-config.text 5 drwx 128 Jun 22 1993 16:14:21 +00:00 c3750-ipservices-mz.122-25.SEE2 458 -rwx 20848 Feb 4 2013 22:59:34 +00:00 config.text 6 drwx 64 Jun 22 1993 16:21:05 +00:00 c3750-ipservicesk9-mz.122-35.SE2 460 -rwx 12961 Mar 1 1993 00:05:47 +00:00 config.text.bak 461 -rwx 3096 Feb 4 2013 22:59:34 +00:00 multiple-fs
15998976 bytes total (5166592 bytes free)
View 10 Replies
View Related
Oct 19, 2011
I upgraded the firmware per one suggestion, but no difference.I am going thru the setup wizard with ethernet cable attached. I want to use them wirelessly so I clicked wireless setup, and entered my network info. At that point I get an error message saying it failed to save settings. I know the ID and password are correct.I have tried exiting the setup wizard and accessing the camera thru the web interface. All wireless settings are correct. The camera works FINE on web browser, myDlink, and even my iPhone app as long as the ethernet cable is attached.Other wireless devices have no trouble connecting to my router. Is there some setting on the router that can be preventing the connection? I've done some trial-and-error changes, like different ports and enabling/disabling UpNp on both camera and router.Oh and almost forgot to mention.I did call tech support, which was a joke. Some foreign lady was reading off a script that told me to reset, unplug, reboot everything. Then she gave me a case# and said upgrade the firmware.
View 11 Replies
View Related
Apr 29, 2013
I am trying to copy IOS from my TFTP server which is on my laptop to cisco 2960 switch
I am able to ping to switch from my laptop, connectivity is fine, tftp server is running
Current Image on Switch --> C2960-LANBASE-MZ.122-25.SEE3.bin --> trying to upgrade to --> c2960-lanbasek9-mz.122-53.SE2
I am getting below error when trying to upgarde IOS:
2960-SW#copy tftp: flash:
Address or name of remote host []? 10.1.x.x
Source filename []? c2960-lanbasek9-mz.122-53.SE2
[Code].....
View 6 Replies
View Related
Mar 8, 2011
As we are all aware that the ASA8.3 has quite some changes interms of configuration method.
I would like to know if it is possible to use the pix to Asa conversion tool for 8.3 purpose.
View 2 Replies
View Related
Feb 12, 2013
I have old ASA with 8.0 configuration that includes huge number of ACL, NAT , VPNs , we got a new ASA with 8.6 , and we are planning to move the configuration to the new box , I'm wondering what is the best approach to do this , I'm thinking of one of the following scenarios1- downgrade the new ASA to 8.3 , the apply the config , remove the identity nat commands and names then upgrade to 8.6 and after that reconfigure the NAT rules and object groups .2- convert the old config manually to 8.6 code including NAT , object-group ,ACL and apply it to the new ASA ( this is going to be huge task). What are the commands that I have to look at when I convert to 8.6 and will the VPN configuration be affected ?
View 5 Replies
View Related
May 28, 2012
I have a PIX 515 with version 8.0(3). We buy a ASA 5525-X for replace the PIX.
The question is, what is the better method to migrade the configurations? Manually?
What is the better version for 5525-X? 8.6.1?
View 4 Replies
View Related
Oct 3, 2012
I don't seem to be able to find a migration utility for PIX rel 8.0.4 to ASA 8.6 is there one available will save a lot of time
View 1 Replies
View Related
Aug 26, 2012
Looking at migrating from the following:
PIX-515EPIX Security Appliance Software Version 8.0(4)Device Manager Version 6.1(5)51
to
ASA5515Cisco Adaptive Security Appliance Software Version 8.6(1)Device Manager Version 6.6(1)
Is this migration directly supported, or do I need to downgrade first?
View 5 Replies
View Related
Jan 23, 2013
I have ASA-AC-M-5520, can we migrate the license to ASA-AC-M-5585
View 1 Replies
View Related
Sep 24, 2012
I'm testing upgrading an ASA from 8.2.5 to 8.4.4. During the the upgrade, it change all of my ACL host entries to objects. But I noticed that the keyword "host" is still a valid option when creating an ACL.
I'm trying to understand why this change is made during the migration.
View 3 Replies
View Related
Apr 23, 2013
I am about to carry out a migration from ASA 5550 to ASA 5555-X, however I cannot find any detailed document or reliable tool for this migration.
View 4 Replies
View Related
Dec 18, 2012
We're migrating as mentioned in the subject and this new format is quite a departure from previous iOS versions so I thought I'd post the configs of the PIX and the ASA and ask if someone is willing to compare them and verify that it is correct and should be basically plug and play. The xxx.xxx.xxx are outside IP addresses and the yyy.yyy.yyy are inside addresses. .
Existing PIX config
PIX Version 6.3(4)
interface ethernet0 100full
[Code]......
View 2 Replies
View Related
Jan 22, 2013
Customer has a ASA5540 at their main location and need a new ASA5500 for a DR site.
Can I simply take a config file from an ASA5540 and easily drop it on an ASA5545-X or what ever?
They are going to be using it as a VPN concentrator primarily.
Or are there going to be issues since the 5540 is running 8.4(5) and the 5545-X? Or if they upgrade to 9,0(1) or higher, then they should be the same?
View 2 Replies
View Related
Nov 26, 2012
My company (in Healthcare) is going to be changing ISPs for our internet connectivity, and with this change comes a new external IP block. So I need a scheme to migrate over all of my existing VPN tunnels and other items over to new IP addresses. We do have an external router which I plan on doing a route-map to handle which traffic the ISP should go to based on IP. My big concern is for the ASA 5510. Can I setup a second outside interface on the new IP range? Then migrate my VPN tunnels over one-by-one? A drop-dead cutover date is just not possible with all of the external companies that I have to contact to get VPN tunnels updated with. If it's not possible, we have in our budget to get another 5510 next year as a redundant unit. I may be able to get that early and just migrate from one firewall to another.
View 3 Replies
View Related
Mar 23, 2011
in the ASA Migration Guide for Version 8.3 says about real ip address: "All of the access-listcommands used for these features are automatically migrated unless otherwise noted"
But my ACL's have not been migrated to real ip address. In my migration log:
INFO: NAT migration completed. Real IP migration logs: No ACL was changed as part of Real-ip migrationWhy?So, do I have to migrate them manually?
View 3 Replies
View Related
Feb 22, 2012
when I migrated the ASA config from 8.2 to 8.3, in all groups the group members has been replaced by the IP address object. However, the "name" for this object has been migrated, but there is the "object network name" configuration missing.
What I can do now is that I can open the new created object in the ASDM, search for the object with this IP address and then enter the object name I had before. When I apply the config, ASDM then creates the object and replaces all affected objects in all groups, by replacing the object group memeber "network-object host hostname" with "network-object object hostname".
Do you know if there exists an automated way, which checks all the groups for members "network-object host", creates the "object network" and replaces the "network-object hosts" with "network-object object" within the group? As long we have a lot of groups which contains partially > 50 members?
View 2 Replies
View Related
Jul 8, 2012
We currently have redundant FWSM's and are planning a migration to standalone ASA 5500 series firewalls. However, we have a complete VMWare environment and are looking at the Nexus 1000V. I understand the Nexus 1000V and VSG architecture and implementation, and I do understand that the ASA 1000V is designed for cloud environments. But I do have one question about the ASA 1000V.
Is it possible for an ASA 5500 series firewall to be replaced by an ASA 1000V? Basically, can an ASA 1000V be a sole firewall solution, or are ASA 5500's still needed? Is there a datasheet anywhere that compares the ASA 1000V and ASA 5500 series?
View 4 Replies
View Related
May 20, 2013
I've recently migrated a PIX 525 to ASA 5520, but for some reason (through ASA) the users from OUTSIDE aren't able access services published in DMZ as well as some DMZ servers aren't able to communicate to some OUTSIDE services.
-INSIDE to DMZ is working fine. (through ASA)
-INSIDE to OUTSIDE is working fine. (through ASA)
Below is the configuration from my PIX (where everything works just fine) as well as the one on the ASA (where there is a problem), what could be the cause?In the below case the DMZ hosts from 11.1.10.0 aren't able to access SMTP services (through ASA) and the OUTSIDE users aren't able to access DMZ web server (11.1.10.40) through ASA, this all just works fine with PIX.
object-group network inside_subnet_all network-object object inside_subnet_a network-object object inside_subnet_b network-object object inside_subnet_c network-object object inside_subnet_d network-object object inside_subnet_e network-object object inside_subnet_f network-object object inside_subnet_g network-object object inside_subnet_.access-list OUTSIDE extended permit tcp any object host-11.1.10.40 object- group WWW-HTTPS access-list DMZ extended permit object SMTP object dmz_subnet any access-list INSIDE extended permit ip
View 1 Replies
View Related
Apr 24, 2011
I have just upgraded a ASA5510 from 8.2 to 8.3 using migration tool.All seemed to go well, still double checking the config as this is a bench test of upgrade prior to filed upgrades.
Anyway one thing that is slightly frustrating is that the migration has expanded all of my access-lists, so we maybe had 10 lines of config relating to access-lists based on access-groups, now we have hundreds of lines.On ASDM this is bad enough but on CLI with show run its a bit of a bind.
Is there any way to un-expand the access list or do I simply delete and start again using my access groups.
View 2 Replies
View Related
Mar 12, 2013
We are in the middle of upgrading from two PIX's to some new ASA5512X's. To give you some background on the situation we are upgrading these since the PIXs are fairly old. We had one extra that we had to use since one PIX has failed already. The guy that implemented the PIXs orginally was learning how to do so as he went so there is alot of needless config in the PIX, atleast from what I can tell. Another guy that works with me has done some configuration on the new ASAs and has done the majority of it so far. Today we went to install the new ASAs and switch everything over hoping it would work, but that didn't happen. It seems that there is something wrong with our NAT and ACLs somewhere along the lines. The way our network is laid out is that we have two school campus with a site-to-site VPN one is 172.17.0.0/16 and the other is 172.18.0.0/16. We also have a remote-access VPN on both ASA's. When we connected the new ASAs up and brought up the interfaces, nothing on the inside could ping the internet nor the other side. The VPN showed active on the ASA's and each ASA could ping the others outside interface, but that was it. I have posted the configs below.
ASA1:
: Saved
: Written by enable_15 at 04:26:18.240 CDT Tue Mar 12 2013
!
ASA Version 8.6(1)2
[Code].....
View 5 Replies
View Related
Sep 20, 2011
I are currently implementing a new patching schedule (when I say new i mean a company first!!!) and I have identified that the firewalls are all running 8.2(2). I would like to bring these up to the latest version but am a little worried about impact!!! I have setup a test firewall with the config from our live asa's and run the upgrade but have received multiple lines.
View 9 Replies
View Related
Jun 24, 2012
We are working for a client move from PIX 525 to ASA 5585-X, SSP10. This is a production environment and very critical migration. What are the gotchas which we should be aware off?
View 1 Replies
View Related
May 15, 2012
I need ot upgrade a Cisco PIX 515 E to A Cisco ASA (not sure what type and modle yet!). the PIX currently has about 80 lines of ACLs and no VPNs. So only inside and outside interfaces and 80 lines of ACLs to be transferred over to the ASA.I was wondering if the ACLs can be transferred over to ASA as is?is there anything that I need ot watch for?
View 1 Replies
View Related
Jun 26, 2011
I wanna upgrade FWSM Version 3.1(11) to latest 4.x version is this possible or i have to upgrade first to 3.2 and then to 4.x?
Is there any changes in configuration commands that i need to know? The version that 6500 running is s72033-advipservicesk9_wan-mz.122-18.SXF14.bin,an upgrade to 6500 is needed also?And if so what ios version will i put?Also which is the asdm supported version?
View 3 Replies
View Related
Feb 26, 2011
We have 2 ASA 5520's working in active/standby mode and both have the IPS module installed then 2 firewalls have also been upgraded to have 2GB of memory.
I have been asked if it is worth upgrading to 8.4 from 8.2. There is nothing wrong with our current firmware and if it isn't broken then why change strings to mind, but I also dont wnat to be left behind.
I've upgraded the firmware on the ASA's before, but they have been pretty simple. I do the standby ASA first and wait for it to come up, then do the other. However I think 8.3 and 8.4 are big jumps and have issues with NAT (we have a lot of NAT's and NAT exempts). I have had a quick read of 8.4's document, but has actually upgraded from 8.2 to 8.4?
View 8 Replies
View Related
Apr 25, 2012
I'm in the process of upgrading our ASA 5520's from 8.2 to 8.4. I have sufficient memory installed and have read many posts in this forum on different upgrade strategies. I have an active/standy configuration and have settled on upgrading the standy unit from 8.2 to 8.3 then to 8.4, fixing any errors, testing traffic and then upgrading the primary unit to the latest rev. I've read where active/standy mismatching is supported but for a short period. My question is how long will I be able to run two boxes with different software? Unfortunately I don't have the option of doing this off line in a lab.
View 1 Replies
View Related
May 1, 2012
I have recently come upon a ticket that requires functionality from a later version of the ASA 5510 IOS Firmware, upon researching how to do this upgrade I got caught in a catch 22 where I am unable to download ASDM or the ASA software.
Apparently I need a service account? I'm looking at Cisco software download page and searching ASDM which then brings up links to two pages which are ASA and ASDM.
View 1 Replies
View Related
Jun 29, 2011
I have a ASA5505 with the Sec Plus license on it. This allows 25 VPN peers at any time according to the show version output:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 25
WebVPN Peers : 2
Dual ISPs : Enabled
VLAN Trunk Ports : 8
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5505 Security Plus license.
1.)As far as I understand this means RA users and peer2peer combined?
2.)I need additional RA clients to be able to connect in at any time, as far as I know there is no way to allow more IPSEC clients then this due to hardware limitations?
3.)If I go for the Anyconnect option (10 users license), does this then mean that I can use the 25 IPSEC VPNs and at the same time have users using the 10 SSL Anyconnect VPNs at the same time?
4.)Which Anyconnect license am I supposed to buy if this is the route I go, the clients will all be connecting from their desktops most of the time?
5.)Is it difficult to set up?
View 4 Replies
View Related
May 15, 2013
official or unofficial (official more preferable) guide about upgrading IOS from 8.2 to 8.4 on ASA 5520 model?
View 1 Replies
View Related
Aug 19, 2012
we are going to upgrade our 5580 ASA Cluster from 7.2 to 8.2 and want to do it like this way ( which worked for all 7.x upgrades ) :download asa8.2 Image to primary + secondary Firewallreboot primary ( message come up " mate version ...)reboot secondary.Does it works any experience? Does it work if both firewall can see each other during the boot process ?
Do I have to bring the secondary into the monitor mode so the fw is not visible for the primary ?
View 2 Replies
View Related
