I recently visited India (Mumbai) to perform a network upgrade for a remote site. I wasn't able to explore much due to a busy work schedule but my one week stay was truly a unique experience. The people I've met and worked with were warm and supportive. Food was great and I had the chance to taste their various vegetarian and spicy Indian curry dishes!
Before my trip abroad, I was asked to upgrade all our ASA firewalls due to the recent IKEv1 and IKEv2 Buffer Overflow Vulnerability. Cisco released interim ASA images that patch this bug (CSCux29978), and there was even a "special" interim image released for the 8.2 code.
Unfortunately, we still have a few first-gen ASA firewalls (non 5500-X) running 8.2 and an ASA 5520 that hosts our UC Phone Proxy licenses. I upgraded ASA 8.2 to 8.2(5)59 and the upgrade went smoothly. I also got several ASA 5525-X running 9.1 code upgraded to 9.2(4)8. I only had one ASA running 8.3, which was upgraded using the upgrade path: 8.3(2)34 > 8.4(6) > 8.4(7.30).
One of the major changes when upgrading from 8.3 to 8.4 was the IKEv1 command syntax, which was automatically converted on 8.4(6). The crypto map binding to the interface and the policy sub-commands are unchanged; only the commands that name the IKE version are rewritten.
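As an added example (not from the original post), a small Python check that parses ASA version strings in both interim notations used above, "8.3(2)34" and "8.4(7.30)", and reports whether each device in a constructed inventory is at or above the fixed build for its train. The fixed-build table holds only the versions named in this post and stands in for the full list in the vendor advisory; the hostnames are invented.

```python
import re
from typing import Dict, List, Tuple

# Fixed interim builds named in the post above. This is NOT the vendor's full
# table: extend it from the Cisco advisory for every train you run.
FIXED_BY_TRAIN: Dict[str, str] = {
    "8.2": "8.2(5)59",
    "8.4": "8.4(7.30)",
    "9.2": "9.2(4)8",
}

# major.minor(maint[.interim])[interim]  -- covers "8.3(2)34", "8.4(7.30)", "8.4(6)"
_VER_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?$")


def parse_asa_version(ver: str) -> Tuple[int, int, int, int]:
    """Turn an ASA version string into a tuple that compares in release order."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {ver!r}")
    major, minor, maint, inner, outer = m.groups()
    interim = inner or outer or "0"   # "8.4(6)" has no interim build -> 0
    return (int(major), int(minor), int(maint), int(interim))


def train_of(ver: str) -> str:
    """Release train ("8.4", "9.2", ...) a version belongs to."""
    major, minor, _, _ = parse_asa_version(ver)
    return f"{major}.{minor}"


def status(running: str) -> str:
    """'fixed', 'needs upgrade', or 'unknown train' for one running version."""
    fixed = FIXED_BY_TRAIN.get(train_of(running))
    if fixed is None:
        # No fixed build recorded for this train: flag it rather than pass it.
        return "unknown train"
    return "fixed" if parse_asa_version(running) >= parse_asa_version(fixed) else "needs upgrade"


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (hostname, version, status) for every device, worst first."""
    order = {"needs upgrade": 0, "unknown train": 1, "fixed": 2}
    rows = [(host, ver, status(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed inventory: hostnames are invented; versions are the ones the post
# mentions plus one older interim build and one train the table does not cover.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("asa-hq-5520", "8.2(5)59"),
    ("asa-branch-5510", "8.2(5)33"),
    ("asa-dc-5525x", "9.2(4)8"),
    ("asa-remote-5525x", "9.1(2)"),
    ("asa-dmz-5540", "8.4(6)"),
]

if __name__ == "__main__":
    for host, ver, state in audit(SAMPLE_INVENTORY):
        print(f"{host:20} {ver:12} {state}")
```

Feed it the "Version" line from each device's `show version` (or the version column of your inventory export); anything reported as "unknown train" needs a table entry before the result can be trusted, which is why it sorts above "fixed".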
BEFORE:
crypto ipsec transform-set MY-TSET esp-aes esp-sha-hmac
crypto map CMAP 123 match address MY-ACL
crypto map CMAP 123 set peer 22.7.6.4
crypto map CMAP 123 set transform-set MY-TSET
crypto map CMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
tunnel-group 22.7.6.4 type ipsec-l2l
tunnel-group 22.7.6.4 ipsec-attributes
 pre-shared-key cisco
AFTER:
crypto ipsec ikev1 transform-set MY-TSET esp-aes esp-sha-hmac
crypto map CMAP 123 match address MY-ACL
crypto map CMAP 123 set peer 22.7.6.4
crypto map CMAP 123 set ikev1 transform-set MY-TSET
crypto map CMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
tunnel-group 22.7.6.4 type ipsec-l2l
tunnel-group 22.7.6.4 ipsec-attributes
 ikev1 pre-shared-key cisco
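To make the rewrite explicit, here is an added Python example (my own, not the post's or Cisco's) that applies the same renames to a pre-8.4 configuration and pairs every changed line with its original so the conversion can be reviewed before a maintenance window. It only rewrites the commands that the BEFORE/AFTER blocks above show changing; other "crypto isakmp" commands keep their spelling in 8.4 and pass through untouched. The sample input is the BEFORE block above plus one constructed "crypto isakmp nat-traversal" line.

```python
import re
from typing import List, Tuple

# Commands the 8.3 -> 8.4 upgrade rewrote, as seen in the BEFORE/AFTER blocks above.
# Other "crypto isakmp ..." commands (identity, nat-traversal, ...) keep their
# spelling in 8.4, so they are deliberately not matched here.
_GLOBAL_RULES = [
    (re.compile(r"^crypto ipsec transform-set\b"), "crypto ipsec ikev1 transform-set"),
    (re.compile(r"^(crypto map \S+ \d+ set) transform-set\b"), r"\1 ikev1 transform-set"),
    (re.compile(r"^crypto isakmp enable\b"), "crypto ikev1 enable"),
    (re.compile(r"^crypto isakmp policy\b"), "crypto ikev1 policy"),
]
_TG_IPSEC_ATTRS = re.compile(r"^tunnel-group \S+ ipsec-attributes$")
_PSK = re.compile(r"^pre-shared-key\b")
# Words that begin a new top-level command and therefore end a tunnel-group sub-mode.
# Tracking by keyword instead of indentation matters because pasted configs
# (like the ones in this post) often arrive with their indentation stripped.
_TOP_LEVEL = {"crypto", "tunnel-group", "group-policy", "interface", "access-list",
              "object", "object-group", "nat", "route", "username", "!"}


def convert_ikev1_syntax(config: str) -> str:
    """Rewrite pre-8.4 IKEv1 commands to the 8.4 form; idempotent on 8.4 input."""
    out: List[str] = []
    in_ipsec_attrs = False
    for raw in config.splitlines():
        line = raw.rstrip()
        indent = line[: len(line) - len(line.lstrip())]   # keep original indentation
        cmd = line.strip()
        first = cmd.split(" ", 1)[0] if cmd else ""
        if first in _TOP_LEVEL:
            in_ipsec_attrs = bool(_TG_IPSEC_ATTRS.match(cmd))
        if in_ipsec_attrs and _PSK.match(cmd):
            # Only the PSK under "tunnel-group ... ipsec-attributes" gains the ikev1 prefix.
            cmd = "ikev1 " + cmd
        else:
            for pattern, repl in _GLOBAL_RULES:
                cmd, n = pattern.subn(repl, cmd)
                if n:
                    break
        out.append(indent + cmd)
    return "\n".join(out)


def changed_lines(before: str, after: str) -> List[Tuple[str, str]]:
    """Pair each rewritten line with its original; the rewrite is 1:1 so zip is safe."""
    return [(b, a) for b, a in zip(before.splitlines(), after.splitlines()) if b.rstrip() != a]


# The BEFORE block from the post, plus one constructed "crypto isakmp nat-traversal"
# line to show that unaffected isakmp commands pass through untouched.
BEFORE_CONFIG = """\
crypto ipsec transform-set MY-TSET esp-aes esp-sha-hmac
crypto map CMAP 123 match address MY-ACL
crypto map CMAP 123 set peer 22.7.6.4
crypto map CMAP 123 set transform-set MY-TSET
crypto map CMAP interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 43200
tunnel-group 22.7.6.4 type ipsec-l2l
tunnel-group 22.7.6.4 ipsec-attributes
pre-shared-key cisco
"""

if __name__ == "__main__":
    converted = convert_ikev1_syntax(BEFORE_CONFIG)
    for old, new in changed_lines(BEFORE_CONFIG, converted):
        print(f"- {old}\n+ {new}")
```

Running it against a saved "show running-config" before the upgrade gives you the expected post-upgrade crypto section, which is worth diffing against the real one after the reload: a PSK that did not pick up the "ikev1" prefix, or a crypto map whose transform-set line was not converted, shows up immediately as a tunnel that will not come up.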