ASA 8.3 – ACL and NAT Software Features

Now that the official announcement of ASA Software Release 8.3 is several weeks old, this post will comment on the enhancements, improvements, and requirements of this code. Future posts will explore the details of specific modifications and improvements of this release as compared to earlier security appliance software.

The first very notable concern for a network administrator considering an upgrade to this release is its steep DRAM requirement. Even the lowly ASA 5505 needs its installed memory doubled, from 256MB to 512MB. For the 5510 and 5520 it must be quadrupled (5510: 256MB to 1GB; 5520: 512MB to 2GB). Since the 5540 has been shipping with 1GB standard, it merely has to be doubled to 2GB. Check the installed amount with show version before ordering the upgrade image; the 8.3 installer will not run on an appliance below the minimum. Later on I will speculate as to why this extra memory is required.

Now, let's look at some of the major feature changes. The first of these represents a major change in the implementation of access control lists (ACLs): they are no longer written against the global (translated, or "mapped") addresses, but against the local (untranslated, or "real") addresses of the hosts. The ASA Release Notes for this feature make the strong argument that this change makes the access-lists NAT independent; in other words, the Network Address Translation configuration can be changed without having to reconfigure the access-list. Cisco Systems has also taken care to convert configuration files with ACLs created under 8.2 and earlier to the newer format automatically at upgrade time; the converted configuration should still be reviewed afterward, since every ACL entry that once referenced a mapped address now references the real one.

Another improvement to the implementation of ACLs coincides with how service policies are already applied on the ASA or PIX: ACLs can now be applied globally in addition to per-interface. This means that two layers of ACLs can be evaluated for traffic entering an interface; the interface-specific list is evaluated first, then the global list, and only then does the implicit deny apply. Two caveats: a global ACL applies to inbound traffic only (access-group with the global keyword takes no direction), and once a global ACL exists, a packet that matches nothing in the interface ACL is not dropped there but falls through to the global ACL.
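The following configuration is an added example, not taken from the original post or from Cisco documentation, showing the two-layer evaluation described above. Interface names, ACL names, and the RFC 5737 documentation addresses (10.1.1.10, 203.0.113.0/24) are assumptions chosen for illustration.

```cisco
! ---- Layer 1: interface-specific ACL, evaluated first for traffic
! ---- entering the "inside" interface (names and addresses are assumed)
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-group INSIDE_IN in interface inside

! ---- Layer 2: global ACL, evaluated after the interface ACL on every
! ---- interface, inbound direction only. Note: no "in"/"out" keyword.
! Allow DNS from anywhere to the assumed internal resolver ...
access-list GLOBAL_IN extended permit udp any host 10.1.1.53 eq 53
! ... and make the final deny explicit so it is logged and counted.
access-list GLOBAL_IN extended deny ip any any log
access-group GLOBAL_IN global

! ---- Verification
! Hit counts show which layer matched. A DNS query arriving on "inside"
! misses INSIDE_IN, falls through to GLOBAL_IN, and is permitted there;
! without the global ACL it would have been dropped by the implicit deny
! at the end of INSIDE_IN.
show access-list INSIDE_IN
show access-list GLOBAL_IN

! packet-tracer walks the same evaluation order for a synthetic packet
! (constructed source address for the test):
packet-tracer input inside udp 10.1.1.25 40000 10.1.1.53 53
```

The explicit deny at the end of the global ACL is optional, but it gives a single place to log and count what the appliance drops once interface ACLs stop being the last word.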

The next feature change worthy of mention is a major revision to the implementation of NAT. The commands nat-control, global, and static have all been removed! Since the revision to NAT is so extensive, it will be the subject of a future blog article. Suffice it to say here that the new implementation looks much more like an access-list: manual ("twice") NAT rules are ordered by line number and can match on both source and destination addresses. Secondly, the simpler automatic ("object") NAT rules are configured inside a network object (object network), not an object-group; the object's own address becomes the real address of the translation.
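The following side-by-side configuration is an added example, not from the original post, showing the same web-server publishing task written the old way (8.2 and earlier) and the new way (8.3), and why the ACL no longer has to change when NAT does. Interface names, object names, and the addresses (10.1.1.0/24 inside, 203.0.113.0/24 on the outside, 192.168.50.0/24 as a VPN peer network) are assumptions chosen for illustration; they are RFC 1918 and RFC 5737 ranges, not real hosts.

```cisco
! ============ ASA 8.2 and earlier (assumed scenario) ============
! Static one-to-one for the web server, PAT for everything else.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
! The ACL is written against the MAPPED (translated) address, so any
! change to the static above forces an ACL edit too.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-group OUTSIDE_IN in interface outside

! ============ ASA 8.3 (same scenario, new syntax) ============
! Object (auto) NAT lives inside the network object that holds the
! real address.
object network WEB_SRV
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network VPN_NET
 subnet 192.168.50.0 255.255.255.0

! The ACL now references the REAL address (here via the object). If the
! public address in WEB_SRV's nat line changes, this line does not.
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 80
access-group OUTSIDE_IN in interface outside

! Manual (twice) NAT: numbered like an ACL entry, matches source AND
! destination. Line 1 is an identity translation so traffic to the VPN
! peer network is exempt from the dynamic PAT above; twice NAT in
! section 1 is evaluated before object NAT, so the order matters.
nat (inside,outside) 1 source static INSIDE_NET INSIDE_NET destination static VPN_NET VPN_NET

! ---- Verification
! Sections 1 (manual), 2 (object) and 3 (manual after-auto) with hit
! counts per rule:
show nat detail
! Walk an outside-originated HTTP packet through ACL and NAT lookups
! (constructed source address for the test); the output should show
! the ACL permit on OUTSIDE_IN and the UN-NAT phase mapping
! 203.0.113.10 back to 10.1.1.10:
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 80
! Confirm the VPN identity rule wins over the PAT for inside-to-VPN
! traffic: the NAT phase should report the source unchanged.
packet-tracer input inside tcp 10.1.1.25 40000 192.168.50.7 445
```

When reading a converted 8.3 configuration after upgrade, look first at which section each translation landed in (show nat detail prints the section headers); a former nat 0 access-list exemption becomes a manual identity rule in section 1, while former static and global/nat pairs become object NAT in section 2.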

With these extensive revisions to both ACLs and NAT, it would appear to me that the access-lists and Network Address Translation rules are now being cached in DRAM memory to improve performance (think “turbo ACLs” on the IOS router). It is therefore not so surprising that such significant memory upgrades are required.

Author: Doug McKillip
