Cisco ASA 8.3 OS

by Carissa

If you’ve worked with Cisco OS and IOS versions before, you know that a numeric increase to the right of the decimal has historically indicated a minor upgrade, focused on resolving open caveats or making simple enhancements to existing features.

Cisco’s release of the ASA security OS 8.3 has challenged that perception.  The changes in the configuration of Network (and Port) Address Translation and Access Control Lists alone are worthy of Calvin & Hobbes’ best efforts at transmogrification.

This article won’t presume to cover in detail all the differences or iterations, but will touch on a few specific examples that are critical to review prior to any planned upgrade to this version.

The word of the day is objects.


The following is an example of a pre-8.3 and 8.3 configuration of a simple STATIC NAT in preparation for allowing public Internet access to an internal web server (10.1.1.10) by referencing the public IP 192.0.0.10:

Pre-8.3 configuration:

    static (inside,outside) 192.0.0.10 10.1.1.10 netmask 255.255.255.255

8.3 configuration:

    object network PubWebServer
     host 10.1.1.10
     nat (inside,outside) static 192.0.0.10


Another difference between the pre-8.3 and 8.3 configuration is shown in the following basic DYNAMIC PAT (Port Address Translation), which hides an internal RFC 1918-addressed network (192.168.2.0/24) behind a single public IP address (192.0.0.1) for Internet access:

Pre-8.3 configuration:

    nat (inside) 1 192.168.2.0 255.255.255.0
    global (outside) 1 192.0.0.1

8.3 configuration:

    object network my-inside-net
     subnet 192.168.2.0 255.255.255.0
     nat (inside,outside) dynamic 192.0.0.1


From the above, you can see that although structured differently, the familiar configuration parameters referencing the interfaces, IP addressing and NAT/PAT method (STATIC and DYNAMIC) are still present. Cisco cites increased flexibility in administering and managing both simple and complex NAT scenarios as the benefit.

The changes to the Access Control Lists are less visually dramatic, but are still significant. The primary changes include the following:

1. ACLs now reference the real (pre-NAT) IP addressing of the hosts and networks, where historically the public (post-NAT) IP addressing was referenced (specifically on public-facing interfaces).

2. A Global ACL now exists, which follows the end of any interface-based ACL.

3. As a result of the Global ACL, the explicit deny we’ve all come to respect is non-existent on interface-based ACLs and now exists only in the Global ACL.
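To make change 1 concrete, here is an added example (not from the original article and not Cisco's migration tooling): a Python script that reads pre-8.3 static NAT lines, builds a mapped-to-real address table, and rewrites ACL host references to the real addresses that 8.3 expects. The access-list lines, the ACL name outside_in and the address 192.0.0.99 are constructed for illustration, and only host-level static NAT and the `host` keyword are handled.

```python
import re

# Constructed pre-8.3 sample: the static NAT from the article plus two
# outside-interface ACL entries (the ACL lines are assumptions, not the article's).
PRE_83_CONFIG = """\
static (inside,outside) 192.0.0.10 10.1.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 192.0.0.10 eq www
access-list outside_in extended permit tcp any host 192.0.0.99 eq smtp
"""

IP = r"\d+\.\d+\.\d+\.\d+"
STATIC_RE = re.compile(
    rf"^static \(\S+,\S+\) (?P<mapped>{IP}) (?P<real>{IP}) "
    r"netmask 255\.255\.255\.255$")
HOST_RE = re.compile(rf"\bhost ({IP})")


def mapped_to_real(config):
    """Return {mapped_ip: real_ip} for every host-level static NAT line."""
    table = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            table[m["mapped"]] = m["real"]
    return table


def rewrite_acls(config):
    """Rewrite ACL host references from mapped (post-NAT) to real (pre-NAT).

    Returns (rewritten, unchanged). Unchanged entries matched no static NAT
    and should be reviewed by hand before the upgrade.
    """
    table = mapped_to_real(config)
    rewritten, unchanged = [], []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("access-list "):
            continue
        new = HOST_RE.sub(
            lambda m: "host " + table.get(m.group(1), m.group(1)), line)
        (rewritten if new != line else unchanged).append(new)
    return rewritten, unchanged


if __name__ == "__main__":
    changed, review = rewrite_acls(PRE_83_CONFIG)
    print("rewritten:", *changed, sep="\n  ")
    print("needs review:", *review, sep="\n  ")
```

An entry left in the "needs review" list still points at an address with no matching static NAT, so it is worth checking whether it is stale or covered by a NAT form this script does not parse.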

Visit the 8.3 Configuration Guide for more details regarding the NAT/PAT and ACL changes.

In addition, as you prepare for or decide whether to upgrade to version 8.3 of the OS, closely review the memory requirements (which vary by ASA model). The following table identifies those appliances that require additional memory for the 8.3 upgrade.

Standard Memory and Memory Requirements

| ASA Model | Default Internal Flash Memory | Default DRAM Before Feb. 2010 | Default DRAM After Feb. 2010 | Required DRAM for 8.3 |
|-----------|-------------------------------|-------------------------------|------------------------------|-----------------------|
| 5505      | 128 MB                        | 256 MB                        | 512 MB                       | Unlimited Hosts License: 512 MB (1); Security Plus License with failover enabled: 512 MB (1); All other licenses: 256 MB |
| 5510      | 256 MB                        | 256 MB                        | 1 GB                         | 1 GB (1)              |
| 5520      | 256 MB                        | 512 MB                        | 2 GB                         | 2 GB (1)              |
| 5540      | 256 MB                        | 1 GB                          | 2 GB                         | 2 GB (1)              |
| 5550      | 256 MB                        | 4 GB                          | 4 GB                         | 4 GB                  |
| 5580-20   | 1 GB                          | 8 GB                          | 8 GB                         | 8 GB                  |
| 5580-40   | 1 GB                          | 12 GB                         | 12 GB                        | 12 GB                 |

(1) A DRAM upgrade may be required.

If you’d like to learn more or have a member of our Network Solutions Group (NSG) assist with the planning or execution of an upgrade, please contact your Keller Schroeder Account Manager today!
