[c-nsp] ASA 8.3
Ryan West
rwest at zyedge.com
Wed May 12 08:39:54 EDT 2010
Ivan,
> -----Original Message-----
> Sent: Wednesday, May 12, 2010 4:12 AM
> To: cisco-nsp
> Subject: [c-nsp] ASA 8.3
>
> Hi All,
>
> Shortly I will be deploying some new ASAs and came across the 8.3
> release. I didn't expect that a minor release would have quite so many
> fundamental changes. Without looking at the release notes, migration
> notes
> (http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html)
> and various blogs etc. on the Internet I would have expected things to be
> not too different than 8.2 which I have used recently.
>
> I would appreciate any feedback from those who have deployed 8.3 as a
> new install or migration. I will eventually have to decide if it is
> better to stick with the known 8.2 or the new 8.3 (new features and new
> bugs) to save the pain of an update later.
>
The structure of NAT has changed so much that any non-vanilla implementations are going to be very touchy. If you're using a large pool of NAT exempt addresses and calling them from an object-group, this will be expanded per entry into statements like:
nat (inside,any) source static <new generated object network (not an object-group)> <new generated object network (not an object-group)> destination static <object-group name> <object-group name>
So, seeing that for the first time might come as a surprise. I ran into two NAT bugs during a migration with PAT and order of operations. CSCtf89372 is one of them, which still is not fixed in the interim.
A manual re-ordering of NAT rules fixes the issues. I thought Cisco had moved on from the PIX 6.3 days; guess not.
-ryan
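As an added illustration (not part of Ryan's message and not Cisco's migration code), here is a small Python model of the two behaviours described above: the per-entry expansion of a NAT-exempt object-group into identity twice-NAT rules, and the top-down first-match evaluation of Section 1 that makes rule order matter. The object-network names, interface names and sample addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NatRule:
    text: str   # the 8.3 twice-NAT statement this rule stands for
    src: list   # source networks (CIDR strings) the rule matches
    dst: list   # destination networks (CIDR strings); 0.0.0.0/0 = any
    pat: bool   # True = dynamic PAT, False = identity (NAT exempt)

def _hit(nets, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def first_match(rules, src_ip, dst_ip):
    """Section 1 (manual/twice NAT) is walked top-down and the first rule that
    matches both source and destination wins, so order decides the outcome."""
    for rule in rules:
        if _hit(rule.src, src_ip) and _hit(rule.dst, dst_ip):
            return rule
    return None

def expand_exempt(in_if, src_nets, dst_group, dst_nets):
    """Model of the migration the post describes: one NAT-exempt object-group of
    N source networks becomes N identity rules, each with a generated object
    network (object names here are constructed, not the migrator's real ones)."""
    rules = []
    for net in src_nets:
        obj = "obj-" + net.replace("/", "_")
        rules.append(NatRule(f"nat ({in_if},any) source static {obj} {obj} "
                             f"destination static {dst_group} {dst_group}",
                             [net], dst_nets, pat=False))
    return rules

def is_exempt(rules, src_ip, dst_ip):
    rule = first_match(rules, src_ip, dst_ip)
    return rule is not None and not rule.pat

def shadowed_rules(rules):
    """Rules that can never be the first match even for their own networks:
    the symptom a manual re-ordering of the NAT rules fixes."""
    probe = lambda n: str(next(ipaddress.ip_network(n).hosts()))
    return [r.text for r in rules
            if first_match(rules, probe(r.src[0]), probe(r.dst[0])) is not r]

# Constructed sample: two inside networks exempt toward a partner range, plus PAT.
EXEMPT = expand_exempt("inside", ["10.1.0.0/24", "10.2.0.0/24"], "PARTNERS", ["192.168.50.0/24"])
PAT_ALL = NatRule("nat (inside,outside) source dynamic any interface", ["0.0.0.0/0"], ["0.0.0.0/0"], True)
GOOD_ORDER = EXEMPT + [PAT_ALL]   # exempt first: partner traffic keeps its real source
BAD_ORDER = [PAT_ALL] + EXEMPT    # PAT first: every exempt rule is shadowed
```

Running `shadowed_rules(BAD_ORDER)` lists both generated exempt statements, which is the kind of check worth doing on a migrated config before trusting it.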