Security: ASA Version 8.3.1 Released

New Major Version of the ASA firmware

Cisco has been criticised lately for not focussing enough on Security products. This release isn’t a revolution that will change the internet forever, but some features / problems / considerations that stand out for me are listed here.

NAT Simplification

Here is the big one. The Cisco ASA NAT has been completely changed and the syntax is all new, including the use of real IP addresses in access lists (instead of translated, or xlated, addresses).

The NAT configuration was completely redesigned to allow greater flexibility and ease of use. You can now configure NAT using auto NAT, where you configure NAT as part of the attributes of a network object, and manual NAT, where you can configure more advanced NAT options.

The following commands were introduced or modified: nat (in global and object network configuration mode), show nat, show nat pool, show xlate, show running-config nat.

The following commands were removed: global, static, nat-control, alias.

Use of Real IP Addresses

When using NAT, mapped addresses are no longer required in an access list for many features. You should always use the real, untranslated addresses when configuring these features. Using the real address means that if the NAT configuration changes, you do not need to change the access lists.

The following commands and features that use access lists now use real IP addresses. These features are automatically migrated to use real IP addresses when you upgrade to 8.3, unless otherwise noted.

• access-group command
• Modular Policy Framework match access-list command
• Botnet Traffic Filter dynamic-filter enable classify-list command
• AAA aaa … match commands

Note: WCCP is not automatically migrated when you upgrade to 8.3.
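As an added example (not from the original post or from Cisco’s release notes), here is the same static translation for an inside web server written in the pre-8.3 syntax and in the 8.3(1) syntax, followed by the checks I would run after the upgrade. The object name, interface names and addresses are made up.

```cisco
! --- Pre-8.3 syntax (constructed example): the 'static' command, since removed,
! --- and an ACL that has to name the MAPPED (translated) address.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! --- 8.3(1) syntax (constructed example): auto NAT attached to a network object,
! --- and the ACL names the REAL address. Changing the mapped address later
! --- only touches the object's nat line; the ACL does not change.
object network web-server
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-list outside_in extended permit tcp any object web-server eq www
access-group outside_in in interface outside

! --- Post-upgrade checks: confirm the migrated ACE refers to the real host,
! --- that the translation is installed, and that it is actually being hit.
show access-list outside_in
show nat
show xlate
```

An ACE that still names the mapped address after the upgrade no longer matches inbound traffic, because 8.3 evaluates the ACL against the untranslated destination; this fails closed, so it shows up as dropped flows rather than an unintended opening.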

Memory Upgrades Needed

You need to purchase RAM upgrades for just about all models of ASA in use today.

Standard Memory and Memory Requirements

ASA Model   Default DRAM Memory   Default Internal Flash Memory   Required DRAM for 8.3
5505        256 MB                128 MB                          512 MB
5510        256 MB                512 MB                          1 GB
5520        512 MB                512 MB                          2 GB
5540        1 GB                  512 MB                          2 GB
5550        4 GB                  512 MB                          4 GB
5580-20     8 GB                  1 GB                            8 GB
5580-40     12 GB                 1 GB                            12 GB

SSL VPN Support extended to 64-bit platforms

Release 8.3(1) provides browser-based (clientless) VPN access from the following newly supported platforms:

• Windows 7 x86 (32-bit) and x64 (64-bit) via Internet Explorer 8.x and Firefox 3.x
• Windows Vista x64 via Internet Explorer 7.x/8.x, or Firefox 3.x
• Windows XP x64 via Internet Explorer 6.x/7.x/8.x and Firefox 3.x
• Mac OS 10.6 32- and 64-bit via Safari 4.x and Firefox 3.x

Master Passphrase

The master passphrase feature allows you to store passwords that were previously kept in plain text in the configuration in encrypted form. It provides a master key that is used to universally encrypt or mask all passwords, without changing any functionality.

The following commands were introduced: key config-key password-encryption, password encryption aes.

Release Notes for the Cisco ASA 5500 Series, 8.3(x)  [Cisco ASA 5500 Series Adaptive Security Appliances] – Cisco Systems

About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT with a wide range of employers, working as a freelance consultant in sectors including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, a blogger at EtherealMind.com, and on Twitter as @etherealmind and on Google Plus.

  • Roland

    ASA is still missing policy-routing, etherchannel and VPN with multi-context.

    • http://etherealmind.com Greg Ferro

      All of which are security vulnerabilities. Particularly VPN in multi-context. I think it’s very hard to achieve end point determination at a high level of integrity with encrypted packets.

      Etherchannel is more likely a licensing issue. As in, I can charge more for ASA with multiple interfaces like this. The Cisco card is effectively a licensing fee for using the higher speed interfaces.

  • Ivan Brunello

    A) first note: Real IP addresses in ACL? Why?

    ACL logic (or as someone would define “ILlogic”) has always been clear to me:
    1) check ACL (check whether you can pass traffic)
    2) check routing (check whether traffic should go)
    3) check NAT (check HOW it should go)
    Applying ACLs using this logic leads to using public addresses, and makes a lot of sense.

    Changing this would lead to:
    1) check how ACL on internal would translate to public (i.e. lookup NAT statements)
    2) same as above
    3) same as above

    Furthermore, we happened to change servers without the need to change the public IP address (you know, DNS propagation time).
    And no, we didn’t have those nifty load-balancers.
    New logic would have forced us to change BOTH NAT AND ACL statements (often embedded in big ACL groups)
    I think this is not so uncommon.

    I think using original IP (simplicity against better understanding of the difference between NAT and ACL) would be a step backward, not forward.

    B) second note: no more “no nat-control”.
    Haven’t looked at it so much (my test machines do not satisfy memory reqs), but they discouraged (read “removed”) the lack of NAT between devices.
    Using a firewall as an Internet Facing device leads to proper NAT management.
    Using a firewall as an effective stateful filtering device between internal departments is IMHO a good thing (better than IOS-Firewall – again IMHO), and does not need NAT.
    They added it in a recent version, easing my filtering life (e.g. I’m currently replacing old IOS ACL routers w/ ASAs), and NOW THEY JUST REMOVED