Cisco FirePOWER Appliance 7030 Release Notes
Version 5.2.0.3
Sourcefire 3D System Release Notes
Features Introduced in Previous Versions
Gateway VPN
You can now configure the Sourcefire 3D System to build secure Virtual Private
Network (VPN) tunnels between virtual routers on Sourcefire managed devices
and a remote device. After the VPN connection is established, the hosts behind
the local gateway can connect to the hosts behind the remote gateway through
the secure VPN tunnel.
The Sourcefire 3D System builds tunnels using the Internet Protocol Security
(IPsec) protocol suite. The system uses the Internet Key Exchange (IKE) protocol
to mutually authenticate the two gateways and to negotiate the security
association (SA) for the tunnel. Traffic across a VPN tunnel can be protected
with either the Authentication Header (AH) or the Encapsulating Security Payload
(ESP) security protocol. Note that AH provides integrity and origin
authentication only; choose ESP when the tunnel must also keep traffic
confidential.
The system supports three types of VPN deployments: point-to-point, star, and
mesh.
In a point-to-point VPN deployment, two endpoints communicate directly with
each other.
In a star VPN deployment, a central endpoint (hub node) establishes a secure
connection with multiple remote endpoints (leaf nodes). Star deployments
commonly represent a VPN that connects an organization’s main and branch
office locations using secure connections over the Internet or another third-party
network. Star VPN deployments provide all employees with controlled access to
the organization’s network.
In a mesh VPN deployment, all endpoints can communicate with every other
endpoint by means of an individual VPN tunnel. The mesh deployment offers
redundancy so that when one endpoint fails, the remaining endpoints can still
communicate with each other. This type of deployment commonly represents a
VPN that connects a group of decentralized branch office locations.
Note that this feature is only available on Series 3 devices. To deploy VPN, you
must enable Protection, Control, and VPN licenses on each of the managed
devices used for the VPN.
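The three deployment types and the redundancy claim for mesh, as an added example that is not part of these release notes or of the Sourcefire product: a small Python model that builds the tunnel set for each topology and checks which gateways remain reachable when one endpoint fails. The gateway names are constructed.

```python
from collections import deque
from itertools import combinations

# Constructed gateway names (hypothetical, not from the release notes).
GATEWAYS = ["hq", "branch-a", "branch-b", "branch-c"]


def point_to_point(a, b):
    """Point-to-point: a single tunnel between two endpoints."""
    return {frozenset((a, b))}


def star(hub, leaves):
    """Star: one tunnel from the hub to each leaf; leaves reach each other only via the hub."""
    return {frozenset((hub, leaf)) for leaf in leaves}


def mesh(nodes):
    """Mesh: an individual tunnel between every pair of endpoints."""
    return {frozenset(pair) for pair in combinations(nodes, 2)}


def reachable(tunnels, start, failed=frozenset()):
    """Endpoints reachable from `start` over tunnels whose both ends are up (BFS)."""
    if start in failed:
        return set()
    adjacency = {}
    for tunnel in tunnels:
        a, b = tuple(tunnel)
        if a in failed or b in failed:
            continue  # a tunnel to a failed gateway carries nothing
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for peer in adjacency.get(node, ()):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def survives_single_failure(tunnels, nodes):
    """True if, after any single endpoint fails, every surviving endpoint can
    still reach every other surviving endpoint."""
    for failed in nodes:
        remaining = {n for n in nodes if n != failed}
        for src in remaining:
            if remaining - reachable(tunnels, src, {failed}):
                return False
    return True


if __name__ == "__main__":
    hub_and_spoke = star("hq", GATEWAYS[1:])
    full_mesh = mesh(GATEWAYS)
    print("star tunnels:", len(hub_and_spoke), "mesh tunnels:", len(full_mesh))
    print("star survives any single failure:", survives_single_failure(hub_and_spoke, GATEWAYS))
    print("mesh survives any single failure:", survives_single_failure(full_mesh, GATEWAYS))
```

The trade-off the model makes visible: a star of n gateways needs n-1 tunnels but loses all branch-to-branch connectivity when the hub is down, while a mesh needs n(n-1)/2 tunnels (and that many IKE peerings and licensed devices) to survive any single gateway failure.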
Policy-Based NAT
Version 5.2 introduces the ability to create a network address translation (NAT)
policy. A NAT policy determines how the system translates addresses in the traffic
it routes.
You can now create and use both static and dynamic NAT rules for further
flexibility and granular control of NAT configuration. Policy-based NAT supports
the following types of rules:
• static, which provide one-to-one translations of destination networks and,
optionally, port and protocol
• dynamic IP, which translate many-to-many source networks while preserving
port and protocol
• dynamic IP and port, which translate many-to-one or many-to-many source
networks together with port and protocol
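The three rule types above, as an added example that is not part of these release notes or of the Sourcefire implementation: a Python model of a first-match NAT policy in which a static rule rewrites a destination, a dynamic IP rule leases one pool address per inside host without touching the port, and a dynamic IP and port rule rewrites both and keeps a connection table so that each flow's mapping stays stable. Packets are plain dicts and all addresses are constructed documentation-range values.

```python
import ipaddress

# Constructed example; rule classes, field names and addresses are assumptions,
# not the product's own configuration model.


def _in_net(net, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


class StaticRule:
    """One-to-one destination translation, optionally narrowed by port and protocol."""

    def __init__(self, orig_dst, xlat_dst, proto=None, orig_dport=None, xlat_dport=None):
        self.orig_dst, self.xlat_dst = orig_dst, xlat_dst
        self.proto, self.orig_dport, self.xlat_dport = proto, orig_dport, xlat_dport

    def matches(self, pkt):
        return (pkt["dst"] == self.orig_dst
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.orig_dport is None or pkt["dport"] == self.orig_dport))

    def translate(self, pkt):
        out = dict(pkt, dst=self.xlat_dst)
        if self.xlat_dport is not None:
            out["dport"] = self.xlat_dport
        return out


class DynamicIpRule:
    """Many-to-many source translation: each inside host leases one pool address;
    source port and protocol are left untouched, so the pool can run out."""

    def __init__(self, src_net, pool_net):
        self.src_net = src_net
        self.free = [str(ip) for ip in ipaddress.ip_network(pool_net).hosts()]
        self.assigned = {}  # inside IP -> pool IP

    def matches(self, pkt):
        return _in_net(self.src_net, pkt["src"])

    def translate(self, pkt):
        if pkt["src"] not in self.assigned:
            if not self.free:
                return None  # pool exhausted: no translation possible, packet dropped
            self.assigned[pkt["src"]] = self.free.pop(0)
        return dict(pkt, src=self.assigned[pkt["src"]])


class DynamicIpPortRule:
    """Many-to-one source translation: source IP and port are both rewritten and a
    connection table keyed on (inside IP, inside port, protocol) keeps each flow stable."""

    def __init__(self, src_net, xlat_ip, first_port=1024, last_port=65535):
        self.src_net, self.xlat_ip = src_net, xlat_ip
        self.next_port, self.last_port = first_port, last_port
        self.table = {}  # (inside IP, inside port, proto) -> translated port

    def matches(self, pkt):
        return _in_net(self.src_net, pkt["src"])

    def translate(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        if key not in self.table:
            if self.next_port > self.last_port:
                return None  # port range exhausted
            self.table[key] = self.next_port
            self.next_port += 1
        return dict(pkt, src=self.xlat_ip, sport=self.table[key])


class NatPolicy:
    """First matching rule wins; packets matching no rule pass through untranslated."""

    def __init__(self, rules):
        self.rules = rules

    def apply(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.translate(pkt)
        return pkt


def flow(src, sport, dst, dport, proto="tcp"):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def build_demo_policy():
    return NatPolicy([
        # Publish 10.0.0.10:8443 as 203.0.113.10:443, for TCP only.
        StaticRule("203.0.113.10", "10.0.0.10", proto="tcp", orig_dport=443, xlat_dport=8443),
        # A /30 pool has only two usable addresses (.17 and .18).
        DynamicIpRule("10.0.1.0/24", "203.0.113.16/30"),
        DynamicIpPortRule("10.0.2.0/24", "203.0.113.1"),
    ])
```

Running the demo policy shows the practical difference: the static rule is a fixed, stateless mapping; the dynamic IP rule hands out a whole pool address per inside host and fails for the third host once both pool addresses are leased; the dynamic IP and port rule lets any number of inside hosts share one address because the translated source port, not the address, distinguishes their flows.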