«

»

May 09

Cisco ASA 8.4 Migration – Test it first on GNS3

This post details how to test Cisco ASA 8.4 migration on GNS3 such that you know in advance how its going to effect your existing configuration(Pre 8.3).  To do this you will have to first follow the following post which will get you an ASA working and is connected to its host machine.

http://www.xerunetworks.com/2012/03/asa-84-asdm-on-gns3-step-by-step-guide/

After you have done you can just follow following these steps

 

1. Copy configuration from your live Pre 8.3 ASA using following command and save all configuration to a file on your machine

more system:running-configuration

2. ASA in GNS3 will have interface without module numbers so you need to change interface number in the configuration. Open the configuration file you just saved change the Interface Number from Eth or Gi0/0, Gi0/1 to Gi0,Gi1 receptivity all available interfaces and sub interfaces. 

3. Start a TFTP Server on your machine and set its directory to where you have stored your configuration file in Step 1.

4. Start ASA in GNS and open the console, use following commands to copy the config using TFTP. I had copied the configuration from live ASA to a file ‘ASAUpgrade’

ASAGNS# copy tftp startup-config

Address or name of remote host []? 10.10.10.2

Source filename []? ASAUpgrade

Accessing tftp://10.10.10.2/ASAUpgrade

5. Now reload the firewall without saving the configuration

ASAGNS# reload
System config has been modified. Save? [Y]es/[N]o:N
Proceed with reload? [confirm]

6. When the firewall will reload, on startup it will migrate the configuration that you just copied to startup-configuration. It will show migration errors or anything which is migrate/not migrate. It can be related to NAT or other stuff, here is example from mine

Reading from flash...
!!!!!!!!.............WARNING: This rule will match all incoming traffic on interace 'any'.
Use 'unidirectional' option to apply the rule for outgoing traffic only.
*** Output from config line 548, "nat (outside,any) source..."
WARNING: This rule will match all incoming traffic on interface 'outside'.
Use 'unidirectional' option to apply the rule for outgoing traffic only.
*** Output from config line 549, "nat (outside,outside) so..."

These error are also copied to a log file which you can see on flash

 

ASAGNS# sh flash
--#--  --length--  -----date/time------  path
    5  4096        May 08 2012 11:50:26  log
   14  4096        May 08 2012 11:50:30  coredumpinfo
   15  59          May 08 2012 11:50:30  coredumpinfo/coredump.cfg
   84  196         May 08 2012 11:50:30  upgrade_startup_errors_201205081050.log
   79  0           May 08 2012 12:07:08  nat_ident_migrate
   85  5775        May 08 2012 12:47:54  upgrade_startup_errors_201205081147.log

7. Now, again use the command ‘more system:running-configuration’ and copy all the configuration to another text file.

8. By now, you should have two files with running config, one from your Live ASA and other one from ASA in GNS with migrated config. It now time to use some config diff tool. I am using Notedpad++. Download and install it

http://notepad-plus-plus.org/download/v6.1.2.html

Once its installed, download the Compare plugin from following

http://sourceforge.net/projects/npp-compare/

Copy, the plugin file to plugin folder. For me its C:\Program Files\Notepad++\plugins

9. Restart the Notepad++, open both Configuration files and in Notepad++ window click on Plugins>Comapre>Compare

10. Now you will see both Live Config and Migrated config side by side. The missing, modified config, all will be highlighted. It will give you a good idea to see how much configuration is changed, how NAT statements are migrate, which NAT statements are not migrated and what you can expect when you will upgrade software on your live ASA.

Leave a Reply

%d bloggers like this: