Cisco has just released version 8.3(1) of the firmware for the Cisco Adaptive Security Appliance (ASA) 5500 series. It has been several months since release 8.2(1) came out, and a lot of effort has gone into this version. It brings several new features and enhancements that you are likely to take advantage of, and this article covers the ones I think most people will find useful.
Downloading the Image
The new software was made available for download on March 8, 2010, and it is just as easy to obtain as previous versions. The file you want is asa831-k8.bin if you have an ASA 5505, 5510, 5520, 5540, or 5550. If you have an ASA 5580-20 or ASA 5580-40, you need the multiprocessor (SMP) image, "asa831-smp-k8.bin". Don't forget to download the matching Adaptive Security Device Manager (ASDM) version 6.3(1) file, "asdm-631.bin", and copy it to the ASA's flash as well. This version of ASDM works with ASAs running version 8.0, 8.1, 8.2, or 8.3.
Cisco has also published new documentation for ASA release 8.3: a new CLI configuration guide, an ASDM configuration guide, a new Command Reference, and documents on migrating and getting started. There is even documentation on managing licenses and on the open-source licenses. I'm glad to see that management documentation wasn't forgotten either: there are guides for NetFlow collectors, SNMPv3, and the syslog messages.
IPv6 LAN-to-LAN Manually-Configured Tunnels
While many of you may not be migrating to IPv6 right now, you should still be forming your IPv6 transition strategy today. One of those strategies may involve building a tunnel through your IPv4-only service provider to an ISP that has IPv6 capabilities. If you have a router outside your firewall, that is where you would most likely configure such a tunnel. However, if your handoff to your current ISP is the outside Ethernet interface on the ASA, you can now configure an IPv6 LAN-to-LAN tunnel on the ASA itself.
IPv6-Enabled Stateful Failover
Early adopters of IPv6 on their ASAs have lived with this limitation for a while now. In release 8.2(1) and earlier, there were restrictions on how you could configure an HA pair of ASA firewalls with IPv6-addressed interfaces. The new version removes these restrictions and allows interfaces with IPv6 addresses to participate in stateful Active/Standby failover.
Smart Call Home
Smart Call Home version 3.0(1) allows for speedier communication with Cisco TAC and a shorter time to resolution when troubleshooting. It sends proactive diagnostics and real-time alerts to the experts at Cisco TAC for speedy problem resolution. Below are some of the commands you will use to configure this feature. The destination and subscription commands live inside a call-home profile, so the surrounding context is shown as well; the contact address, mail server address and profile name are placeholders you will replace with your own.
call-home
 contact-email-addr firstname.lastname@example.org
 mail-server 192.0.2.25 priority 1
 profile CiscoTAC-1
  active
  destination address email firstname.lastname@example.org
  destination transport-method email
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Enable the feature with "service call-home". When you are done with the configuration you can verify it with the "show call-home [detail]" command.
Clientless SSL Browser Support
ASA version 8.3(1) provides greater support for new browser versions with clientless SSL VPN. Version 8.3(1) supports a broader set of browser and operating system combinations; the release notes list the exact versions. This is good news for organizations that want to provide SSL VPN services to the broadest range of remote users.
Smart Tunnel Enhancements
Smart Tunnels are SSL-based VPN connections that allow native TCP applications to connect through an ASA much as they would through a proxy server. They offer better performance than a browser plug-in but still provide clientless VPN access that doesn't require the user to have administrative rights on their computer. Smart tunnels are configured with the "smart-tunnel list", "smart-tunnel network", and "smart-tunnel tunnel-policy" commands; however, I find it easier to configure these clientless VPN features using ASDM.
NAT Redesign
NAT configuration has been redesigned to allow for simpler configuration and increased flexibility. Gone are the "nat-control", "static", "global", and "alias" commands. The new syntax uses the "nat dynamic" and "nat static" forms, either attached to a network object (object NAT) or as standalone twice NAT rules. Your existing NAT statements are migrated automatically the first time the ASA boots 8.3, so expect your NAT section to look different afterwards. There is a related change that matters for your security policy: access lists applied to interfaces now match on the real (untranslated) address rather than the mapped address, so the migration also rewrites any ACL entries that referenced translated addresses. Review the migrated configuration rather than trusting it blindly.
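As an added illustration (my own example, not taken from the Cisco documentation), here is a pre-8.3 static translation and dynamic PAT rule next to the 8.3 object NAT equivalent, with the matching inbound ACL in both styles. The addresses, object names and the ACL name are assumptions chosen for the example:

```text
! --- 8.2 and earlier (assumed example addresses) ---
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
! the interface ACL matches the MAPPED address
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! --- 8.3 object NAT equivalent ---
object network web-server
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! the interface ACL now matches the REAL address (the object resolves to 192.168.1.10)
access-list outside_in extended permit tcp any object web-server eq 443
access-group outside_in in interface outside
```

After the upgrade, "show nat detail" lists each rule with its real and mapped addresses, and a packet-tracer run such as "packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 443" confirms that an inbound connection still hits the intended translation and ACL entry.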
Botnet Traffic Filter
While not solely an 8.3 feature, the Botnet Traffic Filter is worth exploring. It has been available since ASA version 8.2(1). The Botnet Traffic Filter inspects traffic for connections to blacklisted hosts, such as malware on an internal machine reaching out to a command-and-control system. It is a subscription-based service that provides a dynamically updated database of malware domain names and IP addresses, and you can supplement that database with your own blacklist and whitelist entries. Connections to blacklisted addresses can be logged or automatically dropped. It is fairly easy to configure and will help your organization observe botnet command-and-control traffic and identify infected computers within your organization. As with other ASA features you can configure it from the CLI, but it may be easier to get going with the ASDM interface. Cisco has also put together a video that walks through the configuration.
Increased Memory Required
One of the downsides to running 8.3 is that it requires additional memory on the ASA 5505, 5510, 5520 and 5540. The minimum is 512MB of RAM on the ASA 5505, 1GB on the 5510, and 2GB on the 5520 and 5540. Check your installed memory with "show version" before you upgrade, and see the Memory Requirements section of the release notes for details.
The new 8.3 release of the ASA firmware provides some useful features that continue to build on the solid foundation of the ASA. Hopefully you will be able to order your memory upgrades, then schedule a maintenance window to install that memory and get the latest firmware and ASDM onto your ASAs. Be sure to read the release notes before migrating to make sure this version won't cause problems for your systems, and save a copy of your running configuration first: the upgrade rewrites the NAT and access-list sections, and you will want the original to compare against.