ASA OS 8.5 — A Few Perspectives

A recent announcement this summer was made by Cisco Systems concerning a new ASA software release, 8.5. This post focuses on this version’s new features as well as its associated newly supported hardware. At the time of this post, there wasn’t an associated ASDM software (version 6.5(x)) available for download.

Most notable in the release notes is the support for a new Catalyst 6500 module, the ASA Services Module. The module appears to be a replacement for the Firewall Services Module (FWSM) which was available for more than a decade. Its capabilities and metrics are impressive, as you can see in this data sheet. While these statistics are worth noting, a conspicuously absent feature is the ability of this “blade” to terminate any VPN connections other than those used to manage it. As the release notes state, the hardware is treated as a “No Payload Encryption” model “for this release”, which leads me to believe that this is only temporary. Although not mentioned in any of the Cisco security training courses, the “No Payload Encryption” license can export without any restrictions typically associated with any other cryptographic one of 3DES and stronger.

Release 8.5(1) adds little more than a half-dozen new features; among the most notable is the ability to mix transparent and routed firewall modes among multiple security contexts or virtual firewalls (this capability was offered by at least one Cisco firewall competitor). As I mentioned in an earlier post, the Cisco IOS firewall already allows for this. A second note-worthy improvement was made to Port Address Translation (PAT). A pool of PAT addresses can be specified instead of a single address, and optional configuration of round-robin assignment is possible. As the notes indicate, having too many connections sourced from the same address via PAT could be incorrectly interpreted by network monitoring systems as a possible Denial-of-Service attack. Finally, there appears to be a tighter integration of the ASA module with the Catalyst 6500 chassis in regard to the states of VLANs and redundancy.  Response to link state failures for initiating failover are much faster, and the ASA service modules can now rely upon the new Virtual Switching System for more seamless handling of connection switchover than the older inter-chassis failover.

In this article

Join the Conversation

1 comment

  1. MikeInSeoul Reply

    Ok, so there are some new features. Now, what are the chances of those features making it down to the FWSMs? Especially the mixing firewall types in multi-context mode?

    I’m thinking it’s probably somewhere between slim and none … *sigh*