The long-awaited 9.0 software for the Cisco ASA firewall is now released and available for download from cisco.com. Here is a short list of the most notable new features:
There is now built-in support for Cisco Cloud Web Security (formerly known as ScanSafe). Until now, the only way to make the ASA redirect outbound web traffic to a ScanSafe tower was destination NAT, which had some obvious limitations.
Now you create a policy-map that selects interesting traffic with an ACL (for example all web traffic sourced from your internal networks) and the ASA automatically sends that traffic to ScanSafe. To do so you specify a group ID as well as the hostname or IP address of one or two ScanSafe towers (a primary and, optionally, a backup).
Combined with IBFW (identity-based firewall) and its AD integration, group membership and other AD attributes become available in the ScanSafe configuration GUI. This integration makes it possible to:
- Filter outbound web traffic by web category, so that the finance department (members of that AD group) is allowed to access banking sites, students are allowed to access Facebook but not Facebook games, and so on.
- Automatically scan all web traffic to/from your organisation for viruses, malware and trojans.
- Automatically block traffic to the darkest corners of the internet using the built-in web reputation classification in ScanSafe, which is updated 24/7/365.
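As an added example (not from the original post or from Cisco's documentation), this is what the redirect described above looks like on the ASA CLI. The tower hostnames, the license key, the group name and the 10.0.0.0/8 internal range are placeholders; the AD group used in the whitelist assumes that IBFW is already configured on the box.

```cisco
! Cloud Web Security (ScanSafe) redirect on ASA 9.0 -- added example, values are placeholders.
! Tower addresses and the license key come from your ScanSafe portal.
scansafe general-options
 server primary fqdn proxy-a.example.scansafe.net port 8080
 server backup fqdn proxy-b.example.scansafe.net port 8080
 retry-count 5
 license 0123456789abcdef0123456789abcdef
!
! Select only web traffic sourced from the internal networks (placeholder 10.0.0.0/8).
! Only HTTP and HTTPS are redirected; anything else leaves the ASA unscanned.
access-list CWS_HTTP extended permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list CWS_HTTPS extended permit tcp 10.0.0.0 255.0.0.0 any eq https
!
! One inspection policy per protocol. "default group" is the ScanSafe group ID
! used when no identity (IBFW) information is available for a flow.
! A whitelisted user/group bypasses the tower entirely, so keep that list short.
policy-map type inspect scansafe CWS_HTTP_PMAP
 parameters
  default group cws-default
  http
 match group EXAMPLE\cws-exempt
  whitelist
policy-map type inspect scansafe CWS_HTTPS_PMAP
 parameters
  default group cws-default
  https
!
class-map CWS_HTTP_CLASS
 match access-list CWS_HTTP
class-map CWS_HTTPS_CLASS
 match access-list CWS_HTTPS
!
! fail-close drops matching web traffic if no tower is reachable;
! fail-open lets it out unscanned instead, which silently disables the filtering.
policy-map CWS_POLICY
 class CWS_HTTP_CLASS
  inspect scansafe CWS_HTTP_PMAP fail-close
 class CWS_HTTPS_CLASS
  inspect scansafe CWS_HTTPS_PMAP fail-close
!
service-policy CWS_POLICY interface inside
```

The choice between fail-open and fail-close is the security decision in this configuration: fail-open keeps users online during a tower outage at the price of unfiltered browsing, fail-close does the opposite. Whichever you pick, `show scansafe statistics` on the ASA shows whether flows are actually being redirected.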
Clustering is probably the single most wanted and longed-for feature! In previous versions, the only way to share load between multiple chassis was the "active-active" failover solution, which has the following limitations:
- There can only be 2 boxes in a "cluster".
- They must run in multiple context mode.
- Each context is active in only one box at any given time.
Now it is possible to group multiple boxes (up to 8!) together so that they act as one unit with dynamic load-sharing between them, in single OR multiple context mode! So from now on there is REAL clustering on ASA firewalls. Unfortunately, at the moment it is only available for the 5580 and 5585-X, but hopefully this will change!
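As an added example (not part of the original post), here is the minimal configuration to bring up one member of a spanned-EtherChannel cluster. Unit names, interface numbers, the control-link subnet and the key are placeholders; each additional unit gets its own local-unit name and control-link address.

```cisco
! ASA 9.0 clustering, spanned EtherChannel mode -- added example, values are placeholders.
! Interface mode must be set before the cluster group is created.
cluster interface-mode spanned force
!
! Dedicated EtherChannel for the cluster control link (CCL).
! Connection-state updates and forwarded packets cross this link in the clear,
! so it belongs on an isolated switch segment, never on a shared or untrusted one.
interface TenGigabitEthernet0/6
 channel-group 1 mode on
 no shutdown
interface TenGigabitEthernet0/7
 channel-group 1 mode on
 no shutdown
interface Port-channel1
 description cluster control link
!
cluster group asa-cluster
 local-unit unit-1
 cluster-interface Port-channel1 ip 10.255.255.1 255.255.255.0
 priority 1
 ! The key authenticates control messages on the CCL only; it does not
 ! protect the datapath traffic mentioned above.
 key placeholder-cluster-key
 health-check holdtime 3
 enable
```

After `enable`, `show cluster info` lists the members and their state; the unit with the lowest priority becomes master and pushes the configuration to the slaves, so configuration changes are made on the master only.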
New features in multiple context mode
Some previous limitations of running the ASA in multiple context mode have now been removed, so that a virtual context can now do:
- Dynamic routing with EIGRP and OSPF (there are limitations on forming adjacencies between contexts that communicate over a shared interface, because of multicast limitations in multiple context mode!).
- VPN. There is now IPsec support in contexts: site-to-site (LAN-to-LAN) tunnels only, no remote access.
The number of new IPv6 features in ASA 9.0 is massive! If you are interested in this, please see the release notes linked at the bottom of this post. A few examples of new features:
- IPv4 and IPv6 in the same ACLs/rulesets. This also means that you can make an object group "Webserver" that includes both the server's v4 AND v6 address, and then use only that object in your ACLs.
- NAT between IPv4 and IPv6.
- DHCPv6 relay and OSPFv3.
The upgrade from 8.x to 9.0 includes a configuration migration that is not reversible, so save a copy of the pre-upgrade configuration before you start. Most notably, the any keyword in ACLs is replaced with "any4", and "any" from now on means "all v4 AND v6 addresses". Existing rules therefore keep their meaning, but any rule you write with "any" after the upgrade matches both address families; use "any4" or "any6" where you mean only one of them. Upgrading is possible directly from any previous version without intermediate steps.
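As an added example (not from the original post), the following shows the dual-stack object group mentioned in the IPv6 list together with the effect of the any/any4 migration described above. The addresses 192.0.2.10 and 2001:db8::10 are documentation prefixes used as placeholders, and the ACL and object names are made up for the example.

```cisco
! Mixed IPv4/IPv6 objects and ACLs on ASA 9.0 -- added example, values are placeholders.
object network WEBSERVER_V4
 host 192.0.2.10
object network WEBSERVER_V6
 host 2001:db8::10
!
! One object group holding both address families; it can be used directly in an ACE.
object-group network WEBSERVER
 network-object object WEBSERVER_V4
 network-object object WEBSERVER_V6
!
! An 8.x rule written as
!   access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq www
! is rewritten by the migration with any4, so it still matches IPv4 sources only:
access-list OUTSIDE_IN extended permit tcp any4 host 192.0.2.10 eq www
!
! A rule added after the upgrade with plain "any" matches IPv4 AND IPv6 sources.
! That is what the dual-stack object group needs, but it also applies to every
! rule you paste in from an 8.x template, where "any" used to mean IPv4 only.
access-list OUTSIDE_IN extended permit tcp any object-group WEBSERVER eq www
!
! Name the family explicitly when the intent is to allow only one of them.
access-list OUTSIDE_IN extended permit tcp any6 object WEBSERVER_V6 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

A quick post-upgrade check is `show running-config access-list | include any`: every migrated line should read any4, and any plain "any" you find was added after the migration and covers IPv6 as well.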
The release notes for ASA version 9.0: