Sponsored Links
On March 8, 2010 Cisco announced the newest Cisco ASA 5500 firewall software version 8.3. This is a release with the most radical changes compared to the previous releases since version 7.x. The most important change regarding configuration is the way Network Address Translation (NAT) is implemented. Also, another big change regarding hardware is that you will need a serious memory upgrade to be able to run this software. Let’s see some important points about this release below:
Network Address Translation changes
NAT is disabled by default on Cisco ASA however is one of the most important mechanisms that almost all firewall administrators use. The majority of network implementations make use of private IP addressing inside the Enterprise network and then employee Network Address Translation to translate their private IP addresses into publicly routable addresses in order to access the Internet. The task of NAT is usually carried by the border firewall. NAT in Cisco ASA 8.3 has been completely redesigned compared with previous versions. It is now configured under a network object.
ASA versions prior to 8.3
To configure dynamic NAT: Use the nat (internal interface name) command to specify the internal addresses to be translated together with the global (outside interface name) command to specify the mapped IP pool which all internal addresses will be translated to.
To configure static NAT: Use the static (internal if, external if) command to specify the static mapping between an internal host/network and an external public host/network.
ASA version 8.3
Now forget everything you know about NAT configuration. In this version, NAT is implemented using network objects. Basically you create a network object which defines the Real IP/Network to be translated (e.g the internal LAN network) and inside the network object you can use a nat statement which specifies whether the translation will be dynamic or static together with the Mapped IP/network. The Cisco ASA Firewall Fundamentals – 2nd edition ebook describes all details about the NAT differences in 8.3 version.
Memory upgrade changes
The downside of the new ASA version is that it requires significant memory upgrade for ASA models up to 5540 (5505, 5510, 5520, 5540). Newest ASA units purchased after February 2010 will have the minimum memory required by 8.3 version, however if you already have an older unit running a version prior to 8.3 then you will need to purchase extra memory if you want to upgrade to 8.3.
The minimum memory requirements for ASA 8.3 are the following:
|
Cisco ASA Model |
Minimum RAM Required for 8.3 |
|
5505 10-user |
256MB |
|
5505 50-user |
256MB |
|
5505 Unlimited user |
512MB |
|
5505 Security Plus |
512MB |
|
5510 |
1 GB |
|
5510 Security Plus |
1 GB |
|
5520 |
2 GB |
|
5540 |
2 GB |
|
5550 |
4 GB |
|
5580-20 |
8 GB |
|
5580-40 |
12 GB |
My opinion about the new version
What I see in the new version is an attempt from Cisco to move away from the “Interface based” policy implementation and adopt a more “global based” or “object based” approach. The policy enforcement in Cisco ASA firewalls is mostly based on the “interface” concept. Access lists are applied to interfaces, modular policy framework configurations are applied to interfaces (and globally also), Network Address Translation is implemented based on interfaces, security levels are configured per interface etc etc. On the other hand, some competitor vendors (like Checkpoint for example) are based on “object based” approach with a “global policy” concept which is applied on objects irrespective of interfaces. Hmm, I think Cisco is moving towards the Checkpoint firewall approach 
. Well, it’s not a bad thing to adopt some concepts from your competitors to make you even better.
Regarding upgrading to the new version, I would not recommend it for the time being. The older ASA versions (7.x, 8.0, 8.1, 8.2) are so stable and reliable that I would not rush to change them on my security infrastructure for the moment. Also, the extra memory required for older units is another prohibitive factor for upgrading now.
Related posts:
- How to Configure a Cisco ASA 5510 Firewall – Basic Configuration Tutorial
- ASA Firewall NAT Control Feature
- Cisco IOS jumps from version 12 to version 15
- Cisco ASA Firewall with PPPoE
- Prevent Spoofing Attacks on Cisco ASA using RPF
- Cisco ASA 5505 Firewall License Restriction for DMZ
- Cisco ASA 5500 new software 8.2 released
Sponsored Links
2 Responses to 'Cisco ASA version 8.3 is here'
Leave a Reply
Configuration Tutorial For Cisco ASA 5500 Firewalls
With FREE ASA 5505 Configuration Tutorial Bonus
CLICK HERE TO DOWNLOAD EBOOKS
- August 2010 (4)
- July 2010 (4)
- June 2010 (6)
- May 2010 (4)
- April 2010 (7)
- March 2010 (5)
- February 2010 (6)
- January 2010 (6)
- December 2009 (6)
- November 2009 (3)
- October 2009 (4)
- September 2009 (4)
- August 2009 (2)
- July 2009 (4)
- June 2009 (4)
- May 2009 (3)
- April 2009 (4)
- March 2009 (5)
- February 2009 (3)
- January 2009 (3)
- December 2008 (5)
- November 2008 (7)
- October 2008 (6)
- September 2008 (7)
- August 2008 (6)
- July 2008 (6)
- June 2008 (3)
- May 2008 (6)
- April 2008 (6)
- March 2008 (4)
ASA is still missing policy routing, etherchannel, vpn with multi-context. I prefer Fortinet.
Hello Gary,
Yes I agree with what you say. Fortinet products are really gaining ground in the race of network security hardware.