On March 8, 2010 Cisco announced the newest Cisco ASA 5500 firewall software version 8.3. This is a release with the most radical changes compared to the previous releases since version 7.x. The most important change regarding configuration is the way Network Address Translation (NAT) is implemented. Also, another big change regarding hardware is that you will need a serious memory upgrade to be able to run this software. Let’s see some important points about this release below:
Network Address Translation changes
NAT is disabled by default on Cisco ASA however is one of the most important mechanisms that almost all firewall administrators use. The majority of network implementations make use of private IP addressing inside the Enterprise network and then employee Network Address Translation to translate their private IP addresses into publicly routable addresses in order to access the Internet. The task of NAT is usually carried by the border firewall. NAT in Cisco ASA 8.3 has been completely redesigned compared with previous versions. It is now configured under a network object.
ASA versions prior to 8.3
To configure dynamic NAT: Use the nat (internal interface name) command to specify the internal addresses to be translated together with the global (outside interface name) command to specify the mapped IP pool which all internal addresses will be translated to.
To configure static NAT: Use the static (internal if, external if) command to specify the static mapping between an internal host/network and an external public host/network.
ASA version 8.3
Now forget everything you know about NAT configuration. In this version, NAT is implemented using network objects. Basically you create a network object which defines the Real IP/Network to be translated (e.g the internal LAN network) and inside the network object you can use a nat statement which specifies whether the translation will be dynamic or static together with the Mapped IP/network. The Cisco ASA Firewall Fundamentals – 2nd edition ebook describes all details about the NAT differences in 8.3 version.
Memory upgrade changes
The downside of the new ASA version is that it requires significant memory upgrade for ASA models up to 5540 (5505, 5510, 5520, 5540). Newest ASA units purchased after February 2010 will have the minimum memory required by 8.3 version, however if you already have an older unit running a version prior to 8.3 then you will need to purchase extra memory if you want to upgrade to 8.3.
The minimum memory requirements for ASA 8.3 are the following:
Cisco ASA Model
Minimum RAM Required for 8.3
5505 Unlimited user
5505 Security Plus
5510 Security Plus
My opinion about the new version
What I see in the new version is an attempt from Cisco to move away from the “Interface based” policy implementation and adopt a more “global based” or “object based” approach. The policy enforcement in Cisco ASA firewalls is mostly based on the “interface” concept. Access lists are applied to interfaces, modular policy framework configurations are applied to interfaces (and globally also), Network Address Translation is implemented based on interfaces, security levels are configured per interface etc etc. On the other hand, some competitor vendors (like Checkpoint for example) are based on “object based” approach with a “global policy” concept which is applied on objects irrespective of interfaces. Hmm, I think Cisco is moving towards the Checkpoint firewall approach 🙂 . Well, it’s not a bad thing to adopt some concepts from your competitors to make you even better.
Regarding upgrading to the new version, I would not recommend it for the time being. The older ASA versions (7.x, 8.0, 8.1, 8.2) are so stable and reliable that I would not rush to change them on my security infrastructure for the moment. Also, the extra memory required for older units is another prohibitive factor for upgrading now.