Cisco Security :: ASA 5520 - Upgrade 8.2.x To 9.1.x?
Jan 17, 2013
I have a project to upgrade an ASA 5520 to 9.1.x, then add another ASA for failover. What will be the correct way ?
I had the 2 Gb memory.
I have rewritten all nat statements (during my other 8.2 to 8.3 or 8.4 upgrade project, the nat conversion was catastrophic, so I rewrite all now).
Can I upgrade directly to v9 ? Or 8.2 -> 8.4 -> 9.1 ?
I think to :
- inject actual config in the new ASA in 8.2
- remove nat statement
- upgrade to 8.4
- configure new nat
- upgrade to 9
- connect the new ASA to the network and deconnect the other ASA
- test
- upgrade old ASA to 8.4 or 9 directly ?
- configure failover
View 1 Replies
ADVERTISEMENT
Jul 4, 2011
I am going to be updating the IOS on our Cisco ASA 5520 from verion 7.0(8) to 8.2(5). I am also going to setup AnyConnect. Are there any major changes in the 2 IOS versions that I need to be aware of or will the config work in either version? Also, we are currently using the Cisco VPN Client to connect to our network. Will that still work after the upgrade?
View 3 Replies
View Related
Oct 19, 2011
We wish to upgrade 8.2(3) to 8.2(5) on our asa 5520 and 5510. I have been looking for Cisco guides for installation instructions but havent been able to track any. or is it just as striaght forward as copy image, reboot secondary and the primary
View 2 Replies
View Related
Apr 15, 2013
I am trying to upgrade our ASA5520(Primary/Standby) to 8.45. Can i upgrade 8.25 directly to 8.45 or do i have to upgrade to 8.3 first?
View 1 Replies
View Related
Sep 7, 2011
I have a 2 ASA 5520 firewalls for high availability and need to upgrade IOS from 7.2(4) to 8.2 or latest. What could be the better way and upgrade procedure. Below is show version details and IOS upgrade to latest.
Cisco Adaptive Security Appliance Software Version 7.2(4)Device Manager Version 5.2(4)
Compiled on Sun 06-Apr-08 13:39 by buildersSystem image file is "disk0:/asa724-k8.bin"Config file at boot was "startup-config"
IGN-ASA-1 up 45 days 17 hoursfailover cluster up 45 days 17 hours
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHzInternal ATA Compact Flash, 256MBSlot 1: ATA Compact Flash, 512MBBIOS Flash M50FW080 @ 0xffe00000, 1024KB
[Code] ........
View 5 Replies
View Related
Feb 11, 2013
Due to increase of demands on our ASA cluster, we need to upgrade to a new cluster of 5545x. Our current config contains a lot of S2S & NAT
View 1 Replies
View Related
May 7, 2013
We have 2 ASA 5520s in active/standy. We run IOS 8.2(5)24 and I wondered if I need to upgrade as I see the versions have gone to 8.4 and beyond! We are not getting any issues and I'm aware of the difficult migration from 8.2 to 8.4 etc due to the NAT change.
View 3 Replies
View Related
Feb 27, 2013
I'm about to upgrade from an ASA5520 to ASA5525.
View 1 Replies
View Related
Aug 7, 2011
I have a couple of ASA5520 and ASA5550, and I wanted to know if it is worth it to upgrade the software from 8.2(4) to 8.2(5)? Because of the RAM I cannot upgrade to 8.3 for now.
View 1 Replies
View Related
Mar 11, 2012
We are currently on 8.0(4) and planning on upgrading our failover pair to 8.4.2, I read some documents saying that we can perform a zero downtime upgrade.
According the below documents Version 8.2 supports mismatch memory failover, [URL]
Upgrade Path:
Active Firewall: Standby Firewall:
8.0(4) 8.0(4)-->8.2.2
8.0(4) Upgrade RAM-2G---Reload
faiover to standby 8.2.2
8.0(4)--->8.2.2 8.2.2
[code]...
Can I perform zero downtime upgrade with the above upgrade path? Will both the firewalls act as a failover pair if one is on 8.2.2 and other is on 8.4.2.
"Performing Zero Downtime Upgrades for Failover Pairs
The two units in a failover configuration should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support." [URL]
View 4 Replies
View Related
May 23, 2012
I upgraded a pair of ASA 5520s from ASA 8.3 to ASA 8.4(4) this week and now my DMZ hosts cannot reliably communicate with eachother. I have a DMZ network of 10.20.20.16/28 configured. 10.20.20.17 is the ASA/Gateway and 10.20.20.19 is one host and 10.20.20.20 is another host. These two hosts had no problem communicating with eachother before the upgrade. Now, they usually cannot communicate with eachother. Occasionally they can communicate, but only for a few minutes. What is strange is I never had any access lists for these hosts to talk with eachother before the upgrade (because their traffic to eachother should have never reached the firewall) but now I needed to create an access list on the DMZ interface allowing these two hosts to talk. ICMP works fine, but only if the ACL is in place. TCP rarely works.
View 2 Replies
View Related
Jun 18, 2012
We upgraded and re-configured two existing ASA5520 platforms in order to provide an SSL VPN solution for one of our customers.
The customer opted to deploy AnyConnect Essentials the functionality / features they required for day one were catered for in the Essentials license and budget constraints meant Premium licensing could not be included in the original deployment.
The licenses added to the system were:
L-ASA-AC-E-5520= AnyConnect Essentials VPN License - ASA 5520 (750 Users)
ASA-AC-M-5520 AnyConnect Mobile - ASA 5520 (req. Essentials or Premium)
The customer is now seeing a growing number of mobile devices and wishes to support the BYOD culture growing within the business; as a result we now need to use features available in AnyConnect Premium. I am aware from reading the following document [URL] that AnyConnect Essentials and Premium licenses cannot co-exist on an ASA; I need to ensure we purchase the appropriate upgrade for the customer.
Is there an SKU to upgrade / migrate an existing Essentials deployment to Premium? I've reviewed the licensing guide and price list but cannot find a method which enables this transition.
View 3 Replies
View Related
Dec 12, 2012
I need to upgrade the ASA 5520 from OS 8.2(5)26 to 8.2(5)33. the ASA only has 64M of flash. I have a 256M flash card. What are the steps to upgrade the flash? I am not sure how it will boot up because the new flash will be blank?
View 2 Replies
View Related
Feb 16, 2012
I have a NAC platfom with CAM/CAS - 4.7.2 and Agents - Windows - 4.7.2.10 and MAC - 4.7.2.507.
I want to upgrade to NAC 4.9 on the CAM/CAS and but want to know if CAM/CAS 4.9 will be compatible with agents Win/MAC 4.7.2.10/4.7.2.507 pending when I upgrade the agents on the Client machines. For certain reasons we do not want to do the Agent upgrade yet.
I have gone through the NAC 4.9 CAM/CAS/Agent Compatibility Matrix in the NAC 4.9 release notes but I am still not clear on this.
View 1 Replies
View Related
Oct 9, 2011
I have been asked to look at upgrading two 5520 ASA configured in a HA pair Active/Standby, from version 7.2(4) to version 8.3(1) to bring it in line with some other ASA firewalls in the organisation.
My question is can I simply upgrade straight from 7.2(4) to 8.3(1) or will I have to step the upgrade from 7.2(4) => 8.2(x) => 8.3(1)
Having read a few articles on the forums and the release notes I think I should be able to go from 7.2(4) => 8.3(1) .
The second part of my query is around the upgrade itself, having researched this a little there seems to be various views on how to go about upgrading a HA pair and I cannot find anything specific on the website.
The approach I am thinking of is simply as follows;
- upload images onto both firewalls in the HA pair
- On the standby from the CLI
clear configure boot
[Code].....
View 3 Replies
View Related
Jul 21, 2011
last night we tried to upgrade our cluster (2x ASA5520) from 8.0(4) to 8.2(3) and failed miserably.
1. Both units got the new image, but when we reloaded the secondary unit then we got the following strange message:
"Mate's license (10GE I/O Enabled) is not compatible with my license (10GE I/O Disabled). Fail over will be disabled."
After this message fail over was not there anymore and both units became active (!!!) which killed everything. Of course ASA5520 doesn't have 10GE and we have exactly the same units. What could be the problem here? Currently we run with a single unit with 8.2(3) and the secondary unit is switched off.
2. After the upgrade we cannot connect with multiple VPN sessions from the same client, this gets logged:
"Multiple sessions per tunnel are not supported"
This was working just fine with 8.0(4) and doesn't work with 8.2(3). Do we have to update something in the config or what is causing this? If you ask why we went with 8.2(3) instead of 8.2(5) then the answer is because we were testing that for several month in our secondary data center, but unfortunately only on a single ASA and not on a cluster. We couldn't go higher due to the 512MB RAM we have in all units.
And we had to upgrade, because we had crashes with 8.0(4) which was working fine for a long-long time.
View 7 Replies
View Related
Aug 16, 2011
I was trying to upgrade from 8.3.1 to 8.3.2. but I am unable to copy via tftp to the ASA flash or disk0:
ASA5520# copy tftp: flash:
Address or name of remote host []? 10.88.127.153
Source filename []? asa831-k8.bin
Destination filename [asa831-k8.bin]?
[code]....
Half way thru writing to the disk, it goes for a reboot. There is more than enought space on the disk0. I tried copying via a Compact Flash, but the ASA is not detecting the Compact Flash (which I thinks should be disk1). I tried copying a asdm file, even that also went for a reboot.I am stuck now, unable to upgrade
View 12 Replies
View Related
Mar 25, 2013
I need to upgrade the flash memory of the ASA 5520 from 256Mb to 512Mb. As far as I realized the built-in flash memory called system compact flash and there is also an empty slot which it is possible to install a user flash.
What is the difference between user and system compact flash? and for upgrade can I just insert the user compact flash or do I need to upgrade the system compact flash? Where can I find the part number for each type?
View 4 Replies
View Related
Mar 7, 2011
Do I need the security plus license to do HA with two 5520's?I was told by our purchasing department that the 5520 was supposed to be able to do HA out of the box, but when I look I see only the VPN + license. Does that mean I can download the security plus license? Or do I even need it on the 5520.
View 2 Replies
View Related
Jun 17, 2012
I have an ASA 5520 running 8.0(3) with two Subinterfaces configured like this:
=================================
interface GigabitEthernet0/1
nameif inside
security-level 100
no ip address
!
interface GigabitEthernet0/1.72
description VLAN 72
[code]....
(notice that they have the same security-level)I need to control the traffic between them with ACLs so I in ASDM unchecked "enable traffic between two or more interfaces with same security level" and "enable traffic between two or more hosts connected to the same interface"Now I cannot ping from one Vlan to the other, as expected,,, but I tried many different ACLs and I cannot ping or telnet to the other side from either one.
View 9 Replies
View Related
Jun 20, 2011
I have a SSL certificate from a third party that is showing under the Identity in ADSM, howerver the audit scan of the firewall shows that the SSL Certificate Signed with an unknown certification Authority. I have installed the Intermediate Primary and Secondary Certificate from the third party under the CA Certificate of the ADSM however when I verify the SSL certificate it still shows as self-signed. What other steps do I miss. I have attached some screenshots.
View 2 Replies
View Related
May 6, 2013
I have a DMZ (50) from where I need to allow some protocols to inside zone (level 0). I am doing that with ACL, but after having done that the implicit security level rule to lower level (outsite level 0) is not working anymore, I guess by the implicity deny after the acl. I'd need allow traffic to the outside zone from DMZ, as well as the inspect traffic from the inside one. Is there anyway to have both ACL and Security levels?
If not, what do I need to do to just allow some protocols going to higher level and leave the higher-to-lower traffic inspected allowed, same schema as we have with security levels.
View 3 Replies
View Related
Feb 1, 2007
I'm trying to establish a site to site ipsec tunnel between an ASA 5520 and a Nortel Connectivity box. Despite trying a number of different transform sets and IKE setups it keeps failing at phase 1 with:
Information Exchange processing failed
Received an UN-encrypted INVALID_ID_INFO notify message dropping.
View 4 Replies
View Related
Sep 22, 2011
We have a ASA 5520 which is configured to send log files to an ftp server. It has been doing that until recently I found out that it stopped sending the logs on August 11. I can't remember what I have changed in the ASA config to make the ftp stop. I changed the ftp config to another server but it won't upload any log file.
What can I do to make the ASA save the log buffer to the ftp server again?
View 1 Replies
View Related
Jan 31, 2013
We have cisco asa 5505 series ulbunk8 and if it is possible to upgrade it to k9?
View 5 Replies
View Related
Aug 18, 2011
I want to upgrade my ASA 5510 from version 7.0(6) to 8.2(5). Reading the release notes for 8.2(5) it says the DRAM requirement is 256MB unless you have high CPU usage. Also it says I need to upgrade through the major releases, from 7.0(x) to 7.1(x) and 7.1(x) to 7.2(x) and then from 7.2(x) to 8.2(x). The questions are:
- My ASA has 256MB of RAM and 68% of free memory, would you think it will run the 8.2(5) version with no problem?
- When making the upgrades to the major releases, is there any consideration regarding the configuration file? Or the versions to use for the 7.1 and 7.2 versions?
- Would you recommend making all the upgrades in one maintenance window? How much time could it take?
View 2 Replies
View Related
Nov 10, 2011
On a Cisco ASA 5520. I have 2 interfaces that are the same security level. I need hosts on 1 of these interfaces to be able to get to a specific IP and port on the other but I DON'T want to blanket enable 'same-security-traffic permit inter-interface" I have added an ACL inbound on the interface allowing the desired traffic and inbound on the other for return traffic and it simply doesn't work.
interface GigabitEthernet0/3.175
vlan 175
nameif Test175
security-level 30
ip address 172.30.175.1 255.255.255.0
[code]....
View 13 Replies
View Related
Mar 27, 2013
I have issue with traffic passing between same security level interfaces. I want to control traffic between same security level interfaces with ACL. Even no restriction, traffic does not go through. [code]
I tried to access server from THREE network to web server at FOUR network I have no response. In sh xlate output it shows "PAT Global 10.124.104.254 (28889) Local 10.124.103.1(2922) " I am not sure what else should I do. I add both same-security-level commands and it is the same.
View 6 Replies
View Related
Apr 17, 2011
We have two multilayer switches and only one ASA 5520. I'd like to connect ASA in the way described on the picture: each redundant interface includes two physical ones, which are connected to different switches
My question is what kind of link it is necessary to have between switches to make this idea work? I'd have subinterfaces like Re1.100, Re2.200 and so on for my traffic.
I understand that correct design approach is to have two redundant firewalls with failover but we cannot purchase the second one yet.
View 1 Replies
View Related
Dec 6, 2012
I recently configured WCCP with a Sophos Web Filter on my network it works good but the problem I am having is I have two 5520s so I am directing the device to look at 2 different IP addresses and since the devices are in an Active/Passive failover. The problem is because the second device is in a passive failover it is not responding which is throwing connection errors to my Sophos device. I know you can have a single management connection for the ASA's but is there a way to have a single IP for the ASAs for the WCCP?
View 1 Replies
View Related
Mar 6, 2011
How to upgrade from ACS Se 1113 (running 4.2.0.124) to a new 1121 appliance running version 5.2. We also run RA for AD integration ?
View 5 Replies
View Related
Nov 4, 2011
I have a Cisco 1921 ISR Router with Security License running software version 15.0. I want to upgrade the router to 15.1. But I don't want to lose the security license that came with the router. When I look at the IOS downloads page on Cisco, all I see is universal images for all versions of 15.1.
My question is - where is the security license stored? In the IOS or programmed in somewhere else of the router? If I upgrade my router to one of the newer 15.1 universal images, will I lose my security license?
View 2 Replies
View Related
Sep 21, 2011
I am trying to upgrade all my firewalls to Security Plus but I am not sure what firewalls are needing the upgrade. Is there a SNMP pull I can do to see what license is on my firewall? example: "This platform has an ASA 5510 Security Plus license." via SNMP
View 1 Replies
View Related
