Cisco ASA version 8.3 is here

Sunday 21 March 2010 @ 6:55 am

On March 8, 2010 Cisco announced the newest Cisco ASA 5500 firewall software version 8.3. This release brings the most radical changes since version 7.x. The most important change on the configuration side is the way Network Address Translation (NAT) is implemented. Another big change, on the hardware side, is that you will need a serious memory upgrade to run this software. Let’s see some important points about this release below:

Network Address Translation changes

NAT is disabled by default on Cisco ASA, however it is one of the most important mechanisms that almost all firewall administrators use. The majority of network implementations use private IP addressing inside the Enterprise network and then employ Network Address Translation to translate their private IP addresses into publicly routable addresses in order to access the Internet. The task of NAT is usually carried out by the border firewall. NAT in Cisco ASA 8.3 has been completely redesigned compared with previous versions. It is now configured under a network object.

ASA versions prior to 8.3

To configure dynamic NAT: Use the nat (internal interface name) command to specify the internal addresses to be translated together with the global (outside interface name) command to specify the mapped IP pool which all internal addresses will be translated to.

To configure static NAT: Use the static (internal if, external if) command to specify the static mapping between an internal host/network and an external public host/network.

ASA version 8.3

Now forget everything you know about NAT configuration. In this version, NAT is implemented using network objects. Basically you create a network object which defines the Real IP/Network to be translated (e.g. the internal LAN network) and inside the network object you use a nat statement which specifies whether the translation will be dynamic or static, together with the Mapped IP/network. The Cisco ASA Firewall Fundamentals – 2nd edition ebook describes all details about the NAT differences in version 8.3.

Memory upgrade changes

The downside of the new ASA version is that it requires significant memory upgrade for ASA models up to 5540 (5505, 5510, 5520, 5540). Newest ASA units purchased after February 2010 will have the minimum memory required by 8.3 version, however if you already have an older unit running a version prior to 8.3 then you will need to purchase extra memory if you want to upgrade to 8.3.
The minimum memory requirements for ASA 8.3 are the following:

Cisco ASA Model          Minimum RAM Required for 8.3
5505 10-user             256 MB
5505 50-user             256 MB
5505 Unlimited user      512 MB
5505 Security Plus       512 MB
5510                     1 GB
5510 Security Plus       1 GB
5520                     2 GB
5540                     2 GB
5550                     4 GB
5580-20                  8 GB
5580-40                  12 GB

My opinion about the new version

What I see in the new version is an attempt from Cisco to move away from the “Interface based” policy implementation and adopt a more “global based” or “object based” approach. The policy enforcement in Cisco ASA firewalls is mostly based on the “interface” concept. Access lists are applied to interfaces, modular policy framework configurations are applied to interfaces (and globally also), Network Address Translation is implemented based on interfaces, security levels are configured per interface, etc. On the other hand, some competitor vendors (like Checkpoint for example) are based on an “object based” approach with a “global policy” concept which is applied on objects irrespective of interfaces. Hmm, I think Cisco is moving towards the Checkpoint firewall approach :) . Well, it’s not a bad thing to adopt some concepts from your competitors to make you even better.

Regarding upgrading to the new version, I would not recommend it for the time being. The older ASA versions (7.x, 8.0, 8.1, 8.2) are so stable and reliable that I would not rush to change them on my security infrastructure for the moment. Also, the extra memory required for older units is another prohibitive factor for upgrading now.

Overview of Cisco ASA VPN Technologies

Monday 15 March 2010 @ 4:02 pm

Cisco supports several types of VPN implementations on the ASA but they are generally categorized as either “IPSec Based VPNs” or “SSL Based VPNs“. The first category uses the IPSec protocol for secure communications while the second category uses SSL. SSL Based VPNs are also called WebVPN in Cisco terminology. The two general VPN categories supported by Cisco ASA are further divided into the following VPN technologies.

IPSec Based VPNs:

  • Lan-to-Lan IPSec VPN: Used to connect remote LAN networks over unsecure media (e.g. the Internet). It runs between ASA-to-ASA or ASA-to-Cisco Router.
  • Remote Access with IPSec VPN Client: A VPN client software is installed on the user’s PC to provide remote access to the central network. It uses the IPSec protocol and provides full network connectivity to the remote user. The users use their applications at the central site as they normally would without a VPN in place.

SSL Based VPNs (WebVPN):

  • Clientless Mode WebVPN: This is the first implementation of SSL WebVPN, supported from ASA version 7.0 onwards. It lets users establish a secure remote access VPN tunnel using just a Web browser. There is no need for a software or hardware VPN client. However, only limited applications can be accessed remotely.
  • AnyConnect WebVPN: A special Java based client is installed on the user’s computer providing an SSL secure tunnel to the central site. It provides full network connectivity (similar to the IPSec remote access client). All applications at the central site can be accessed remotely.

From the description above you can understand that the AnyConnect WebVPN technology combines the best from both IPSec based VPNs and SSL based VPNs. It offers full network connectivity to the remote user without having to install dedicated VPN software like the IPSec remote access client. The AnyConnect VPN client is a lightweight Java client (around 3MB) which can be installed on or uninstalled from the remote user’s PC dynamically.

Cisco Aggregation Services Router 9000-ASR 9000

Monday 8 March 2010 @ 4:36 pm

The ASR 9000 has 6 times more capacity and is 4 times faster than any other router in the same category. It is able to transmit data at a rate of 6.4 terabits per second. What does this mean? It means that it is capable of transmitting 200 DVD videos per second, 250,000 MP3s per second or 500,000 e-books per second. Therefore, the bandwidth capacity of the ASR 9000 router is 10 times that of the Cisco ASR 1000. For example, the ASR 9000 supports 100 megabits per second (Mbps) to homes, compared to common legacy E1 or T1 connections which used to offer around 1.5 to 2 Mbps.

“We really believe that the IP (Internet Protocol) traffic on the Internet will be growing by 46% annually up to 2012 while the bulk of traffic, about 90%, will be consumed by video,” said Pankaj Patel, senior vice president who manages the company’s relationships with telecommunications carriers.

The ASR 9000 has innovative technology for proactive management of video signals, which are particularly difficult to handle. According to Cisco executives, it can repair video streams and deliver excellent image quality and performance for HDTV and other video services. It is ideal for companies such as AT&T and Verizon because they deliver more and faster Internet video to mobile phones and to PC consumers.

In addition, the company adds that the ASR 9000 operates 40% more efficiently than competing products, helping to save the planet and saving money for the network operators.

So far, some of the largest telecommunications companies in the world, including Softbank Corp. of Japan, have signed up for the acquisition of such devices. The ASR 9000 router uses the same operating system as the Cisco CRS-1, which transmits data at a rate of 92 trillion bits per second and which now ‘runs’ for more than 200 telecommunication operators in the high speed lanes of the world wide web. When Cisco launched the CRS-1 in 2004, some analysts said that these heavy duty network machines (weighing 2,300 pounds and standing 7 feet tall) did not satisfy customers’ wishes. They even predicted that the San Jose company would not sell more than 50 units. Pankaj however stated that Cisco now sells at least 50 such routers per week. Last year, the company earned 39 billion U.S. dollars just from the sales of ASR routers.

Glen Hunt, an analyst at Current Analysis, said that Cisco’s new router will cost providers at least $80,000. The ASR 9000 can be installed close to the homes and business premises of consumers. This model took 4 years to reach production and cost $200 million U.S. dollars. According to Ray Mota, director of sales strategy at Synergy Research Group, the ASR 9000 will fill a gap in Cisco’s product line and will help the San Jose company to maintain its market share. Cisco competes with companies like Alcatel-Lucent and Juniper Networks in router sales. However, Cisco controls 59% of the market compared with 15% for Alcatel-Lucent and 14% for Juniper.

New Cisco CCNP Certification Update

Tuesday 2 March 2010 @ 4:15 pm

One of the most popular Cisco certifications (probably after CCNA) is the Cisco Certified Network Professional (CCNP). A CCNP is like the Master’s degree in the Cisco qualifications arena (CCNA can be considered the Bachelor’s degree and CCIE is the PhD degree!!). With a CCNP certification, a networking professional proves to be a highly qualified specialist for planning, building and maintaining medium to large IP networks.

On January 25, 2010 Cisco announced drastic changes to CCNP certification. The most important one is that instead of taking 4 exams you now need only 3 (ROUTE exam, SWITCH exam and TSHOOT exam). The old 4-exam certification path option will be available until July 31 2010. After that date, only the new 3-exam option will be available. However, from now until July 31 you can mix and match between the old and new exams accordingly.

More details about the new CCNP update below:

• BSCI, BCMSN, ISCW, ONT exams are available until July 31 2010.
• ROUTE exam (642-902) and SWITCH exam (642-813) will be available from March 10, 2010.
• TSHOOT exam (642-832) will be available from April 30, 2010.
• Exams are becoming even more hands-on (for example the TSHOOT troubleshooting exam is mostly hands-on practical concepts).
• Before July 31, 2010 BSCI exam can substitute for ROUTE exam or vice versa.
• Before July 31, 2010 BCMSN exam can substitute for SWITCH exam or vice versa.
• Exam price will be $200 per exam instead of $150.

Overall, the new CCNP update maps better to real-world network environments. Although there are fewer exams than before, I think it will be more difficult to pass without having actual practical experience with Cisco routers and switches (at least 2 years I would say).

For more details about the new CCNP certification, visit the Cisco link here.
