05-26-2011 07:19 AM - edited 03-11-2019 01:38 PM
We will be implementing a new ASA5510 firewall for a test pilot for a new project!!
The test pilot project is basically terminating a number of mobile VPN users across a cellular network.
The list of equipment for the test pilot has already been purchased and is in house.
!
Known requirements:
Up to 100 mobile VPN users for the test
Mobile users will be in motion (on the go) while accessing network services at our test site (test site is our HQ building)
IP addresses of mobile cellular clients may be static or dynamic
Remote management of cellular devices is required and the management server will reside within the firewall DMZ
Remote management may be in or out-of-band to remote clients
Mobile cellular devices are now non-Cisco devices (Sad but true, as our pre-selected mobile router "Cisco 881 series" has been discontinued)
NAT cannot be utilized in this setup
ASA5510 firewall will have a static IP address
Communications links to the telcos will be multiple DS3, one per cell provider
There is no redundancy in this test pilot
:
QUESTION:
The question is what version of IOS should we implement or does it really matter?
:
Once the test pilot has completed successfully, we will purchase the correct sized equipment available at that time!
:
THANKS for any and all comments!
Frank
05-26-2011 09:49 AM
Hi Frank,
Personally, I would recommend either 8.2(5) or 8.4(1)11. This will get you all of the latest bug fixes in either train. However, there are a couple of things to keep in mind:
1. 8.4.x has a completely different NAT and ACL syntax than what you might have been used to in the past if you've previously worked with the ASA. If you'll be learning/building the config from scratch, you can disregard this.
2. 8.4.x requires 1 GB of RAM in the 5510. You'll want to make sure your ASA can support this if you choose this software.
3. You should check the release notes of both trains to make sure you're aware of a) feature differences, and b) open caveats:
8.2:
http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html
8.4:
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html
Hope that helps.
-Mike
05-27-2011 04:51 AM
Hi Mike,
I am mostly a routing and switching (R/S) engineer, and have been thrust into the firewall arena several times now.
:
I see Cisco offers 4 different versions of firewall IOS (current releases).
My R/S experience says that 8.4 is the latest and greatest while 8.3 and below are updates from previous releases.
IOS 8.4 adds new features and technologies while the other versions (8.3 and below) just maintain existing technologies with little change, more on the side of fixing bugs etc.
R/S IOS crypto versions use k9 while the Cisco ASA5500 series firewall uses k8 to designate crypto features.
Is this correct?
:
Thanks for your help
Frank
05-27-2011 05:04 AM
Hi Frank,
I would like to correct you here. The ASA 8.4 is the latest software train that we have, but the previous version 8.3 is also a major release, and the big change in the configuration comes post 8.3 only. From 8.3 the syntax and logic for NAT and ACL has changed, and moreover a few features were added. So saying that 8.3 was only for bug fixes would not be correct. The interim releases are the ones that have the bug fixes, and the release notes mention which particular bugs are taken care of in the release.
One feature that is added in version 8.4 is EtherChannel configuration on the ASA. For more details please go through the release notes for 8.4 and 8.3.
Hope this helps
Thanks,
Varun
05-27-2011 05:17 AM
Hi Varun,
Excellent!
Thanks for clarifying this point, this stuff is already hard enough without me adding additional confusion.:)
Tks
Frank