Community Member

8.3 Production Ready?

Hi all,

I'm returning to ASAs after having spent the last 4 years working with Checkpoint firewalls.  I am getting set up to port my current configuration from the Checkpoints over to the ASAs, so I'm starting from scratch.

I noticed that 8.3 came out recently, and I had to smile when I read the release notes.  It seems that Cisco has taken the things I liked most about Checkpoint (mainly object-based configuration), and incorporated it into 8.3.

My configuration isn't too complex - I have a pair of 5540s that will be in active/passive failover.  There will be a few NATs, but nothing too heavy.  Where many ASAs protect business users from the Internet (most traffic being initiated from inside-to-outside), my situation is that the ASAs are protecting a fairly large website (99% of traffic is initiated from outside-to-inside).  While I'll set up VPN, it's only for use by our admins to do remote administration and usage is really light.

I'm aware of the 2GB memory requirement, and like I said, I don't have any existing config to upgrade.  However, if there are a lot of NAT bugs or crashes, I'll stick with 8.2 until 8.3 stabilises a bit.

Does anyone have any input?

Thanks,

Justin

Accepted Solutions
Cisco Employee

Re: 8.3 Production Ready?

If the config is simple, with no bidirectional (which is called twice NAT in 8.3) etc., I'd say go with 8.3.

People love the global ACL and object-based NAT configuration.

I'd suggest configuring from the start using 8.3, rather than configuring in 8.2.2 and then issuing an upgrade, as we have seen issues with converting the config to 8.3 when policy NAT is configured with "any" as destination, etc. You probably already read that in the RN.

-KS

3 REPLIES
Cisco Employee

Re: 8.3 Production Ready?

8.3 is fairly new; there are a couple of NAT issues, but not major showstoppers.

If this is not a very very important ASA (in case something came up because the code is fairly new) I would try it out. Especially if you have worked with Checkpoint you will see that there are a couple of similarities.

NAT has changed some.

And there are nice features like global ACLs, real IP and the Smart services which will be liked by people as they start using them.

I would try it if I were you.

I hope it helps.

PK

Community Member

Re: 8.3 Production Ready?

Thanks for the tips everyone.

I'll be at least initially setting things up with 8.3.  While this is a very important ASA, the operations it will be doing are pretty basic, and I have a test lab environment which I'll be able to test everything with.  I also won't be deploying them for a while, so I can apply bug fixes between now and then.
