Cisco released a new Cisco ASA software version 9.0 recently and I wanted to inform you about the most notable new features of this release and also about some other important changes you need to keep in mind before upgrading.
Upgrade Notes
If you upgrade to version 9.0 from any previous ASA version (8.x), the upgrade rewrites your Access Control Lists (ACLs) into the new 9.0 syntax, so the resulting configuration cannot simply be loaded back onto an 8.x image.
You MUST back up the original configuration (copy it to a text file) before upgrading if you want to keep the option of downgrading your software for any reason.
ASA version 9.0 is supported on all models (regular ASA5500 series and ASA5500-X series models).
You can upgrade to version 9.0 from any previous ASA version. If upgrading from a version prior to 8.3, then you must read the “Cisco ASA 5500 Migration to Version 8.3 and Later” guide first.
Changes in ACLs
Regarding IPv6 ACLs, the previous command “ipv6 access-list” is not used anymore. All IPv6 ACLs will be migrated to normal extended ACLs (access-list extended). So if you want to apply both IPv4 and IPv6 access list entries, you can have them under the same “extended” ACL.
Also, the “any” keyword in an ACL has a different meaning in version 9.0. Now, if you have the “any” keyword in an ACL entry in version 9.0, it represents “ALL IPv4 AND IPv6 addresses”.
If you want to reference “all IPv4 addresses” in an ACL, then you must use the keyword “any4”. Similarly, if you want to reference “all IPv6 addresses”, then you must use the keyword “any6”.
If you are migrating from version 8.x and you had a keyword “any” in your ACL configuration, this will be changed to “any4” in the new configuration running under version 9.0.
Example:
Version 8.x ACL
ASA(config)# access-list DMZ extended permit ip any host 100.100.100.1
Version 9.x ACL
ASA(config)# access-list DMZ extended permit ip any4 host 100.100.100.1
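To see the effect of the “any”/“any4”/“any6” change on a whole configuration before you upgrade, here is a small added script (not from the original post and not Cisco tooling) that applies the same rewrite the migration performs to a saved 8.x config file: bare “any” in an extended ACL becomes “any4”, and an “ipv6 access-list” entry becomes a normal extended ACL with “any” turned into “any6”. It also includes a post-upgrade audit that lists any ACE on a 9.x box still using bare “any”, since those entries now match both IPv4 and IPv6. The sample configuration lines are constructed for the example and the treatment of the IPv6 ACLs (any → any6) is this script's own assumption about the migration.

```python
import re

# Constructed sample of an 8.x configuration fragment (not a real device config).
SAMPLE_8X_CONFIG = """\
access-list DMZ extended permit ip any host 100.100.100.1
access-list DMZ extended permit tcp host 10.1.1.5 any eq 443
access-list DMZ extended deny ip any any
access-list DMZ remark any traffic not listed above is dropped
ipv6 access-list DMZ6 permit tcp any host 2001:db8::10 eq 80
ipv6 access-list DMZ6 deny ip any any
access-list OUTSIDE_IN extended permit tcp any host 100.100.100.25 eq 25
"""

# Extended IPv4 ACE: keep the "access-list NAME extended " prefix, rewrite the rule.
ACL_V4 = re.compile(r"^(access-list\s+\S+\s+extended\s+)(.*)$")
# Pre-9.0 IPv6 ACE: "ipv6 access-list NAME <rule>".
ACL_V6 = re.compile(r"^ipv6 access-list\s+(\S+)\s+(.*)$")
# Bare "any" as a whole token only, so names such as "anywhere" are left alone.
BARE_ANY = re.compile(r"\bany\b")


def migrate_line(line):
    """Return the 9.0 form of one config line (unchanged if it is not an affected ACE)."""
    m4 = ACL_V4.match(line)
    if m4:
        prefix, rule = m4.groups()
        return prefix + BARE_ANY.sub("any4", rule)
    m6 = ACL_V6.match(line)
    if m6:
        # Assumption: an IPv6-only ACL keeps its IPv6-only meaning via any6.
        name, rule = m6.groups()
        return f"access-list {name} extended {BARE_ANY.sub('any6', rule)}"
    # Remarks, object-groups and everything else pass through untouched.
    return line


def migrate_config(text):
    """Migrate every line of an 8.x config; returns the list of 9.0-style lines."""
    return [migrate_line(line) for line in text.splitlines()]


def find_bare_any(text):
    """Post-upgrade audit: extended ACEs whose bare 'any' now means IPv4 AND IPv6.

    Returns (line_number, line) tuples so the entries can be reviewed by hand.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ACL_V4.match(line)
        if m and BARE_ANY.search(m.group(2)):
            hits.append((n, line))
    return hits


if __name__ == "__main__":
    print("--- 9.0 form of the sample config ---")
    for migrated in migrate_config(SAMPLE_8X_CONFIG):
        print(migrated)
    print("--- extended ACEs in the 8.x text that use bare 'any' ---")
    for n, line in find_bare_any(SAMPLE_8X_CONFIG):
        print(f"line {n}: {line}")
```

Run it against `show running-config` output saved to a file to preview the migrated ACLs; after the upgrade, run `find_bare_any` on the new running-config to catch any hand-written entry that still uses “any” where only IPv4 was intended.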
New Features
The following are the most notable new features introduced in this new release:
- Support for Clustering. Now you can have up to 8 Cisco ASA boxes together in a single cluster so they act as one single unit with dynamic load-sharing between the boxes (in single OR multiple-context mode!). This is supported only on models 5580 and 5585-X for the moment (with plans to offer support for clustering on other models in the future).
- Dynamic routing and site-to-site VPN on a per-context basis, providing much better flexibility and segmentation between departments or between customers if you are offering hosted security services.
- Scansafe Integration. Integration with Cisco Cloud Web Security (formerly ScanSafe), which allows enterprises to enforce granular web access and web application policy while providing protection from viruses and malware.
- IPv4 to IPv6 NAT translation (NAT64). Translation between IPv4 and IPv6, enabling the ASA to be deployed in mixed IPv4/IPv6 environments.
References:
- Cisco ASA version 9 Q&A: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html
- Cisco ASA version 9 Release Notes: http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html