Upgraded 8.0(5) to 8.4 ASA now config is a mess

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
Like the title says, the ASA used to have a site to site defined with all named members. Now the named members have been replaced with IP addresses. Is this supposed to happen?

I was going to go back through and change it back but

A. Didn't know if there is an easier way
B. Didn't know if this was best practice
 

sactwnguy

Member
Apr 17, 2007
101
0
76
Good luck, that upgrade is a mess because of the NAT changes. I never did find an easy way to fix the configuration quickly. I ended up writing scripts to remove and recreate the objects in batches. If I had known the mess it would have created I would have just rewritten the policy/config from scratch. This was the upgrade that made me really start looking at other vendor firewalls.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
That sucks, unfortunately I am not able to rewrite from scratch easily. My config is massive, several hundred objects, several hundred NAT, tons of Access lists.
 

cpals

Diamond Member
Mar 5, 2001
4,494
0
76
We had some big problems going from 8.2 to 8.4. Ended up getting TAC involved due to how the NAT changes affected our internal servers. Working fine now but was a hassle to get there.
 

Pheran

Diamond Member
Apr 26, 2001
5,849
48
91
Is it your access lists that are a mess now? I'm guessing you got bit by the name to object change. We went through something similar with an FWSM to ASASM migration, and I wrote a perl script to convert the config from names to objects. I can't guarantee that it will work for your situation unmodified, but I'm happy to share it if you want to check it out.
 

m1ldslide1

Platinum Member
Feb 20, 2006
2,321
0
0
First - don't do code upgrades to anything important (routers, switches, firewalls, servers, phone systems, etc) without first understanding the changes. This NAT change in particular is famously challenging, and a quick internet search would've revealed that. Other syntax changes - such as the host-to-IP change - are all well documented out there as well. /lecture

Second - call TAC. I'm told this is one of the most common calls that they get, and they should be able to help you resolve without too much hand wringing.
 

thecoolnessrune

Diamond Member
Jun 8, 2005
9,673
580
126
This was why I made sure I was on 8.4 before I ever implemented my network. I understand that wasn't an option for you, but yeah, it's an awful nightmare for a lot of people. Like the others said, get a hold of TAC, it's an extremely common call for them.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
> Is it your access lists that are a mess now? I'm guessing you got bit by the name to object change. We went through something similar with an FWSM to ASASM migration, and I wrote a perl script to convert the config from names to objects. I can't guarantee that it will work for your situation unmodified, but I'm happy to share it if you want to check it out.

Yeah, this sounds like the same thing we are facing. Can you elaborate on this a bit? I read the article about names > objects but didn't quite understand what it meant. I had everything named in the entire device and now it's a wasteland of IPs. It still works fine, it's just a friggin mess to work with.

Some things like NAT had the named items there and some things like VPN tunnels decided to take the duplicate ip that was just an ip, not named. The duplicate IP in the device by the way, was created by the upgrade as well.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
> First - don't do code upgrades to anything important (routers, switches, firewalls, servers, phone systems, etc) without first understanding the changes. This NAT change in particular is famously challenging, and a quick internet search would've revealed that. Other syntax changes - such as the host-to-IP change - are all well documented out there as well. /lecture
>
> Second - call TAC. I'm told this is one of the most common calls that they get, and they should be able to help you resolve without too much hand wringing.

I understood the functional parts, it's just that my beautiful fully named appliance is now filled with crap.

For example, it used to be

VPN to Blah
> Host one
> Host two
> Maybe a subnet or two


now it's

VPN to Blah

>172.25.1.1
>10.10.10.10
>1.2.3.4
>192.168.1.0/24

Hindsight being 20/20 and all, I should have researched it a bit more before diving in, but I had done these before on smaller installs and had no issues and (foolishly) assumed it would be the same here.
 

Pheran

Diamond Member
Apr 26, 2001
5,849
48
91
> Yeah, this sounds like the same thing we are facing. Can you elaborate on this a bit? I read the article about names > objects but didnt quite understand what it meant. I had everything named in the entire device and now its a wasteland of IPs. It still works fine its just a friggin mess to work with.
>
> Some things like NAT had the named items there and some things like VPN tunnels decided to take the duplicate ip that was just an ip, not named. The duplicate IP in the device by the way, was created by the upgrade as well.

Basically the ASA no longer uses the "name" command except in a few ancillary places (dns servers, logging hosts, etc.). The functionality it used to provide has been replaced by the "object" statement. Objects are a bit more flexible since they can contain a netmask, plus if you change an object the ACL using it actually changes, unlike names which were purely cosmetic when showing the config.

Upgrading our firewall to the new version would have resulted in a giant set of ACLs containing only IP addresses. That's why I wrote the script to convert all of our named ACLs into object-based ACLs, so we still have coherent ACLs on the new version - plus all IPs used in multiple places are objects, so if we update one they all change. It also converts all existing object-groups to be populated with the new objects.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
> Basically the ASA no longer uses the "name" command except in a few ancillary places (dns servers, logging hosts, etc.). The functionality it used to provide has been replaced by the "object" statement. Objects are a bit more flexible since they can contain a netmask, plus if you change an object the ACL using it actually changes, unlike names which were purely cosmetic when showing the config.
>
> Upgrading our firewall to the new version would have resulted in a giant set of ACLs containing only IP addresses. That's why I wrote the script to convert all of our named ACLs into object-based ACLs, so we still have coherent ACLs on the new version - plus all IPs used in multiple places are objects, so if we update one they all change. It also converts all existing object-groups to be populated with the new objects.

Ok, that makes more sense but I am still unsure of a few things.

Firstly, what would cause it to duplicate items in the config? For example, I used to have

nameofserver - 123.123.123.123

now I have two items

nameofserver - 123.123.123.123
123.123.123.123 - 123.123.123.123

So I can remove the ip item and point everything to the named "object"?
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
Yeah, I thought that might be hard to interp.

I mean I have one entry in my objects list with a name and an IP and another where the name is the IP. Essentially I have double entries for items now, only one is named with a readable/non-IP name.
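As an added example (my own code, not Pheran's perl script and not anything shipped by Cisco), here is a Python sketch of the two clean-ups this thread is about: turning pre-8.3 `name` statements into `object network` definitions and rewriting the access-list and object-group lines that reference them, and, for a config that has already been through the upgrade, finding the upgrade-created twins whose object name is just their own IP and folding every reference back onto the properly named object. Both configs in it are constructed samples; the reference forms it recognises (`name <ip> <label>`, `host <label>`, `<label> <netmask>`) are assumptions about the 8.2 syntax in use, and anything it does not recognise is passed through unchanged.

```python
"""Two clean-ups for an ASA config that crossed the 8.3 boundary.

Added example for this thread, not Pheran's perl script and not Cisco code.
Both configs below are constructed samples.  Assumed 8.2 reference forms:
  name <ip> <label>            defines a label
  ... host <label> ...         a labelled host in an ACL / network-object
  ... <label> <netmask> ...    a labelled subnet in an ACL / network-object
"""
import ipaddress
import re

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")   # name <ip> <label>
OBJ_RE = re.compile(r"^object network (\S+)$")   # 8.3+ object header

OLD_CONFIG = """\
names
name 10.1.1.10 webserver
name 10.1.2.0 dmz-net
access-list outside_in extended permit tcp any host webserver eq 443
access-list inside_out extended permit ip dmz-net 255.255.255.0 any
object-group network dmz-hosts
 network-object host webserver
 network-object dmz-net 255.255.255.0
""".splitlines()

# post-upgrade sample: the second object is the IP-named twin described above
NEW_CONFIG = """\
object network nameofserver
 host 123.123.123.123
object network 123.123.123.123
 host 123.123.123.123
object network 10.10.10.10
 host 10.10.10.10
access-list vpn_to_blah extended permit ip object 123.123.123.123 object 10.10.10.10
""".splitlines()


def is_mask(tok):
    """True if tok is a dotted netmask such as 255.255.255.0."""
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{tok}")
        return True
    except ValueError:
        return False


def parse_names(lines):
    """Return {label: ip} from the pre-8.3 'name' lines."""
    names = {}
    for line in lines:
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def rewrite_reference(line, names, masks):
    """Turn 'host <label>' and '<label> <mask>' into 'object <label>'.
    A mask seen next to a label is recorded in `masks` so the object
    definition can be emitted as a subnet instead of a host."""
    indent = line[:len(line) - len(line.lstrip())]
    tokens, out, i = line.split(), [], 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "host" and nxt in names:
            out.append(f"object {nxt}")
            i += 2
        elif tok in names and nxt is not None and is_mask(nxt):
            masks[tok] = nxt
            out.append(f"object {tok}")
            i += 2
        else:
            out.append(tok)
            i += 1
    return indent + " ".join(out)


def migrate(lines):
    """Replace the 'name' block with object definitions and rewrite references."""
    names, masks, rewritten = parse_names(lines), {}, []
    for line in lines:
        if not NAME_RE.match(line.strip()):
            rewritten.append(rewrite_reference(line, names, masks))
    defs = []
    for label, ip in names.items():
        defs.append(f"object network {label}")
        defs.append(f" subnet {ip} {masks[label]}" if label in masks else f" host {ip}")
    # objects must exist before the ACLs use them: put them where 'name' was
    first = next((i for i, l in enumerate(lines) if NAME_RE.match(l.strip())), 0)
    return rewritten[:first] + defs + rewritten[first:]


def parse_host_objects(lines):
    """Return {object name: host ip} for every 8.3+ host object."""
    objects, current = {}, None
    for line in lines:
        m = OBJ_RE.match(line.strip())
        if m:
            current = m.group(1)
        elif current and line.startswith(" "):
            parts = line.split()
            if len(parts) == 2 and parts[0] == "host":
                objects[current] = parts[1]
        else:
            current = None
    return objects


def find_ip_named_duplicates(lines):
    """Map each object named after its own IP to the properly named object
    with the same host, i.e. the twins the upgrade created."""
    objects = parse_host_objects(lines)
    named_by_ip = {}
    for name, ip in objects.items():
        if name != ip:
            named_by_ip.setdefault(ip, name)
    return {name: named_by_ip[ip] for name, ip in objects.items()
            if name == ip and ip in named_by_ip}


def consolidate(lines, dup_map):
    """Drop the IP-named twins and point every 'object <ip>' at the named one."""
    out, skipping = [], False
    for line in lines:
        m = OBJ_RE.match(line.strip())
        if m:
            skipping = m.group(1) in dup_map
        elif not line.startswith(" "):
            skipping = False
        if skipping:
            continue
        tokens = line.split()
        for i in range(len(tokens) - 1):
            if tokens[i] == "object" and tokens[i + 1] in dup_map:
                tokens[i + 1] = dup_map[tokens[i + 1]]
        indent = line[:len(line) - len(line.lstrip())]
        out.append(indent + " ".join(tokens))
    return out


if __name__ == "__main__":
    print("\n".join(migrate(OLD_CONFIG)))
    print("---")
    print("\n".join(consolidate(NEW_CONFIG, find_ip_named_duplicates(NEW_CONFIG))))
```

Objects with no named twin (the `10.10.10.10` one in the sample) are left alone, since only a human knows what to call them; running the output through `show running-config` on a lab box and diffing it against the original is the check that nothing referenced got lost, and an object-group that ends up listing the same object twice after consolidation needs the duplicate line removed by hand.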
 