In the new version of code for 8.3, you'll notice a few changes, perhaps most obviously the new memory requirements, the 5520s and 5540's for instance now require 4 GB of ram. Besides the new RAM requirements you'll find the following changes:
Wider support for IE8 (32& 64 / win 7, vista, xp) also officially support 10.6 OSX for SSL VPN.
Licensing is now aggregate, that is if you have 100 SSL VPN licenses on your active, and 100 on standby (this is required, even though only the active can terminate connections) starting with 8.3, your active ASA will support the aggregate (200) number of licenses. If there was ever a failure, and one is shipped back to Cisco, the other will support the aggregate for 30 days. That should be plenty of time to replace your backup.
You'll now use "objects" which is your IP to name mapping (think names). You can now define a server once, Mailserver=192.168.168.50, and put that MailServer in several different ACLs and NAT rules, you can then change the mapping and it will follow within the other portions of the configuration. The goal is to move towards a more object-oriented configuration, so it's simpler to configure things and make changes system-wide.
There is a new technique, where you can do a reverse many-to-one NAT, called one-to-many NAT. The idea is that you can have a single host on the inside, that is now matching multiple IP's on the outside, perhaps two different service providers.
ACLs now use a concept called REAL-IP, the idea of REAL-IP is that when you build that ACL for the outside interface, for server 192.168.168.50 that's being mapped to 50.50.50.50, you would previously think about what the packet looks like when it arrives on the interface. So think, on the outside, the packet is destined for 50.50.50.50 (there's a static NAT to the inside host). Well, now you'll use the REAL-IP, or the actual IP of the box. While frustrating for some of the veteran users, the idea is to make it easier for the new guys coming in. They can now look at access from a higher level, and permit or deny access to a server, or host regardless of thinking about the static NAT configuration.
There is also a concept of global ACLs, if you're familiar with Modular Policy Framework, think of a Policy-map that is applied globally. So the global ACL is that you can permit or deny traffic universally, ignoring the interfaces. This is a concept available on competitors products, so Cisco wanted to support it. The traditional ACL implementation is still supported, the idea though is if you have a lot of interfaces and you want to allow access to a specific host on all of them, you can write that rule in a global ACL and not have to create the same entry on every interface. While some of this seems frustrating for the veterans, the end goal is to make our lives easier.
Smart-call-home (introduced in 8.2.2) dumps stats and config (sanitized) details to Cisco, and you can login and view details about your equipment. You can see if there are TAC advisories for your versions of code, if there are issues you can open a TAC case from there. Another fun aspect is that you're looking at spec's on the box (CPU, Memory, Interface) and can log those periodically so it's great for base-lining and if you have an issue TAC can easily see the history right there.
Upgrading to 8.3 will perform a config-conversion, meaning your CLI configuration will look completely different from how it looked prior to upgrade. There will also be a file in flash that's basically a text file that shows any errors that occured in the upgrade.(I performed an upgrade of a fairly complex configuration without any errors by the way). If you're a CLI user, it will feel like you're on a different planet, if you're an ASDM user, you may not be real sure what's different, as the look, feel,and terminology is almost identical.
Your existing config is backed-up to flash, and there is actually a downgrade command, so if you do hate it you can roll back. *note* if you do use the downgrade command, realize that you must specify the name of the file which you can find in flash. (Similar to the downgrade process that appeared when moving from 6.3 to 7.0).
As you may recall from any of my classes, you can perform a zero-downtime upgrade, by moving one ASA at a time to 8.3 from 8.2 and you can have a fail-over pair on different code, and the 8.3 is no different. This should not be used for a long period of time however, it's recommended that you move one then the other as soon as you can. While they can run side-by-side you may get a copy of the 8.3 config (completely different core commands) pushed on top of the 8.2.
You can upgrade without the memory upgrade, and the code will load, but it throws an error. As you can imagine you will be forfeiting support if you chose to do this, as when you call TAC with a problem, they're going to point this out first :)
Subscribe to:
Post Comments (Atom)
Posts
No comments:
Post a Comment