In the Cisco ASA security appliance classes I teach, my students frequently mention features they’d like to see in future releases of the code. Now, I don’t have any insight as to when or if these will be made available, but I wanted to touch on just a few of them.
- Mixed-mode implementation of Transparent and Routed Firewall
Currently, transparent firewall mode on the ASA is limited to two interfaces per security context. Furthermore, if more than one security context is configured, every context must run in transparent mode; routed and transparent contexts cannot coexist on the same appliance. Another drawback of transparent (versus routed) firewalls with security contexts is that interfaces cannot be shared among the contexts. Allowing routed and transparent contexts to run simultaneously on the same appliance would make more effective use of the device.
- Support for Generic Routing Encapsulation (GRE) and Tunnel Interfaces
The ASA security appliance has supported Enhanced Interior Gateway Routing Protocol (EIGRP) since release 8.0, making it a natural choice for dynamic routing over IPSec VPNs. On Cisco IOS routers, running GRE inside IPSec offers greater resilience, because a routing protocol over the tunnel interfaces can fail over to a backup tunnel should the primary path suddenly become unavailable. Since the ASA operating system has continually improved high availability (via failover for IPSec VPNs), adding tunnel interfaces over which routes can be dynamically advertised seems a natural path forward. If this feature does eventually get implemented, it would be interesting to see whether Dynamic Multipoint VPN (DMVPN) functionality would also be included.
- Active-Active Failover with VPN
Perhaps the most discouraging factor in implementing Active-Active Failover that I encounter in training classes is the lack of VPN support. Active-Active Failover requires security contexts (virtual firewalls), and security contexts do not support VPNs, so two security appliances cannot simultaneously pass VPN traffic. This much-desired functionality is rumored to be "on the roadmap" for a future release.
Considering the increased memory the Cisco ASA product line already needs to run OS 8.3, one can only imagine that adding any of the above features would require even more system resources.
Author: Doug McKillip