Upgrading Cisco’s ASA to v8.3
Cisco released version 8.3 for the Cisco ASA 5500 Series on March 8th, 2010, and it is considerably different from previous versions. Many long-time PIX & ASA techies were upset and confused. Others believed Cisco was improving on a solid foundation. NAT in 8.3 is the most significant change: forget everything you knew about statics, globals and nat 0, because those commands no longer exist in 8.3.
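To make the NAT change concrete, here is an added side-by-side example (not from the original post) showing the three pre-8.3 constructs named above and their 8.3 replacements. The interface names, object names and addresses (10.0.0.0/24, 203.0.113.10, 192.168.50.0/24) are constructed for illustration.

```cisco
! Added example, not part of the original post. Addresses, object names and
! interface names are constructed for illustration.
!
! --- Pre-8.3 syntax (these commands are removed in 8.3) ---
! One-to-one static translation of an inside server to a public address
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
! Dynamic PAT of the whole inside network to the outside interface address
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
! NAT exemption ("nat 0") for traffic to a VPN peer network
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- 8.3 equivalents: the NAT rule lives on a network object ---
! static -> object NAT with a static mapped address
object network WEB-SERVER
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
! nat/global pair -> object NAT with dynamic PAT to the interface
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
! nat 0 -> manual (twice) NAT that translates each side to itself (identity NAT)
object network VPN-NET
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-NET VPN-NET
```

Two points worth checking after the migration: the manual identity rule is evaluated before object NAT (section 1 before section 2), so VPN traffic is exempted before the dynamic PAT rule can catch it, and in 8.3 access lists applied to interfaces reference the real (untranslated) address, so an inbound rule for the server permits traffic to 10.0.0.10, not 203.0.113.10. `show nat` lists the rules in evaluation order, and `packet-tracer input inside tcp 10.0.0.10 12345 192.168.50.5 80` shows which rule a given flow actually matches.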
Fortunately our security engineers embraced 8.3 early and we are experiencing great success partnering with our clients and assisting with their upgrades. Planning and performing the upgrade is important, but the training, knowledge transfer and “2nd day” phone support has proven to be the most appreciated aspect of our professional services.
Cisco’s Web site has ample reading on the features and benefits. Please allow me to share some notes I have accumulated.
- Be prepared to purchase memory upgrade kit(s).
- Be careful about buying 3rd party DRAM & Flash memory and voiding your TAC support.
- If you purchased your ASAs after February 2010 you may already have the minimum Flash & DRAM required to run v8.3.
- Don’t buy the DRAM & Flash upgrade kit(s) until you are prepared to do the upgrade shortly afterward.
- If you have a failover configuration the two units must have the same amount of DRAM.
- You do not have to have the same amount of Flash memory.
- If you use two units with different flash memory sizes, make sure the unit with the smaller flash memory has enough space for the software images and configuration files.
- Licensing between the two ASAs needs to be the same (Licensing is confusing).
- Consider adding the subscription-based ASA Botnet Traffic Filter.
- The Botnet Traffic Filter monitors network ports for rogue activity and detects infected internal endpoints sending command-and-control traffic back to hosts on the Internet.
- Consider adding IPS/IDS (Intrusion Prevention and Intrusion Detection).
- Smart Tunnels with tunnel policies and improvements to UC-IME made my engineers happy.
Security requires a rational, defense-in-depth approach, using joint solutions to satisfy evolving security requirements. IT organizations are always asked to do more with less. Striving for a centralized management & regulatory compliance reporting architecture is fundamental to avoiding failed audits, fines and legal liability.
-Marty Deger, PEI