Cisco ASA version 8.3 is here

On March 8, 2010 Cisco announced version 8.3 of the Cisco ASA 5500 firewall software. It is the release with the most radical changes since version 7.x. The most important configuration change is the way Network Address Translation (NAT) is implemented. The biggest hardware-related change is that older units need a serious memory upgrade before they can run this software. Let's look at the important points of this release below:

Network Address Translation changes

NAT is disabled by default on the Cisco ASA, but it is one of the most important mechanisms that almost all firewall administrators use. The majority of networks use private IP addressing inside the Enterprise network and then employ Network Address Translation to translate those private addresses into publicly routable addresses in order to reach the Internet. This task is usually carried out by the border firewall. NAT in Cisco ASA 8.3 has been completely redesigned compared with previous versions: it is now configured under a network object.

ASA versions prior to 8.3

To configure dynamic NAT: use the nat (internal interface name) command to specify the internal addresses to be translated, together with the global (outside interface name) command to specify the mapped IP pool (or the outside interface address) to which all internal addresses will be translated. The two commands are tied together by a shared NAT ID number.

To configure static NAT: use the static (internal if, external if) command to specify the fixed mapping between an internal host/network and an external public host/network.

ASA version 8.3

Now forget everything you know about NAT configuration. In this version NAT is implemented using network objects. Basically you create a network object which defines the Real IP/network to be translated (e.g. the internal LAN), and inside that object you add a nat statement which specifies whether the translation is dynamic or static, the pair of interfaces it applies to, and the Mapped IP/network. The Cisco ASA Firewall Fundamentals – 2nd edition ebook describes all the details of the NAT differences in version 8.3.

Memory upgrade changes

The downside of the new ASA version is that it requires a significant memory upgrade for the ASA models up to the 5540 (5505, 5510, 5520, 5540). New ASA units purchased after February 2010 ship with the minimum memory required by version 8.3, but if you already have an older unit running a version prior to 8.3 you will need to purchase extra memory before you can upgrade. Check the installed memory with the show version command before ordering.
The minimum memory requirements for ASA 8.3 are the following:

Cisco ASA model          Minimum RAM required for 8.3
5505 10-user             256 MB
5505 50-user             256 MB
5505 Unlimited user      512 MB
5505 Security Plus       512 MB
5510                     1 GB
5510 Security Plus       1 GB
5520                     2 GB
5540                     2 GB
5550                     4 GB
5580-20                  8 GB
5580-40                  12 GB

My opinion about the new version

What I see in the new version is an attempt by Cisco to move away from the "interface based" policy implementation and adopt a more "global" or "object based" approach. Policy enforcement in Cisco ASA firewalls has mostly been built on the "interface" concept: access lists are applied to interfaces, Modular Policy Framework configurations are applied to interfaces (and also globally), Network Address Translation is implemented per interface, security levels are configured per interface, and so on. Some competing vendors (Checkpoint, for example) use an "object based" approach with a "global policy" that is applied to objects irrespective of interfaces. Hmm, I think Cisco is moving towards the Checkpoint firewall approach :) . Well, it is not a bad thing to adopt some concepts from your competitors in order to make your own product better.

Regarding upgrading to the new version, I would not recommend it for the time being. The older ASA versions (7.x, 8.0, 8.1, 8.2) are so stable and reliable that I would not rush to replace them in my security infrastructure just yet. The extra memory required for older units is another prohibitive factor against upgrading now.

Comments

  1. ASA is still missing policy routing, EtherChannel, VPN with multi-context. I prefer Fortinet.

  2. BlogAdmin says:

    Hello Gary,

    Yes I agree with what you say. Fortinet products are really gaining ground in the race of network security hardware.

  3. Hey blogadmin,

    Don't you think Cisco tends to jump the gun here, whereas reality shows its competitors have used object based NAT for years already? Like Juniper, SonicWall, Checkpoint.

    Midnite

  4. I agree, please Cisco catch up with the other vendors with your ASA products. I love Cisco but you're killing me. Moving away from the NATs per interface isn't much of a change. How about ACTIVE-ACTIVE-ACTIVE-ACTIVE firewall clusters, system based policies (ACLs) instead of ACLs per interface, multi-context with VPN/IPsec support, better throughput on devices without having to purchase your flagship products.

    I for one have invested heavily into Fortinet – they are going (have) taken the industry by storm.
