Cisco ASA New Features by Release

Last Modified: 2017-08-28
Cisco ASA New Features
This document lists new features for each release.
Note
New, changed, and deprecated syslog messages are listed in the syslog message guide.
New Features in Version 9.8
New Features in ASA 9.8(1.200)
Released: July 30, 2017
Note
This release is only supported on the ASAv for Microsoft Azure.
Feature
Description
High Availability and Scalability Features
Active/Backup High Availability for ASAv on Microsoft Azure
A stateless Active/Backup solution that allows for a failure of the active ASAv to trigger an automatic failover of the system to the backup ASAv in the Microsoft Azure public cloud.
We introduced the following commands: failover cloud
No ASDM support.
New Features in ASDM 7.8(1.150)
Released: June 20, 2017
There are no new features in this release.
New Features in ASA 9.8(1)/ASDM 7.8(1)
Released: May 15, 2017
Feature
Description
Platform Features
ASAv50 platform
The ASAv virtual platform has added a high-end performance ASAv50 platform that provides
10 Gbps Firewall throughput levels. The ASAv50 requires ixgbe-vf vNICs, which are supported
on VMware and KVM only.
SR-IOV on the ASAv platform
The ASAv virtual platform supports Single Root I/O Virtualization (SR-IOV) interfaces,
which allows multiple VMs to share a single PCIe network adapter inside a host. ASAv
SR-IOV support is available on VMware, KVM, and AWS only.
Automatic ASP load balancing now supported for the ASAv
Formerly, you could only manually enable and disable ASP load balancing.
We modified the following command: asp load-balance per-packet auto
We modified the following screen: Configuration > Device Management > Advanced >
ASP Load Balancing
Firewall Features
Support for setting the TLS proxy
server SSL cipher suite
You can now set the SSL cipher suite when the ASA acts as a TLS proxy server. Formerly,
you could only set global settings for the ASA using the ssl cipher command on the
Configuration > Device Management > Advanced > SSL Settings > Encryption page.
We introduced the following command: server cipher-suite
We modified the following screen: Configuration > Firewall > Unified Communications
> TLS Proxy, Add/Edit dialog boxes, Server Configuration page.
Global timeout for ICMP errors
You can now set the idle time before the ASA removes an ICMP connection after receiving
an ICMP echo-reply packet. When this timeout is disabled (the default), and you enable ICMP
inspection, then the ASA removes the ICMP connection as soon as an echo-reply is received;
thus any ICMP errors that are generated for the (now closed) connection are dropped. This
timeout delays the removal of ICMP connections so you can receive important ICMP errors.
We added the following command: timeout icmp-error
We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts.
High Availability and Scalability Features
Improved cluster unit health-check
failure detection
You can now configure a lower holdtime for the unit health check: .3 seconds minimum. The
previous minimum was .8 seconds. This feature changes the unit health check messaging
scheme to heartbeats in the data plane from keepalives in the control plane. Using heartbeats
improves the reliability and the responsiveness of clustering by not being susceptible to control
plane CPU hogging and scheduling delays. Note that configuring a lower holdtime increases
cluster control link messaging activity. We suggest that you analyze your network before you
configure a low holdtime; for example, make sure a ping from one unit to another over the
cluster control link returns within the holdtime/3, because there will be three heartbeat messages
during one holdtime interval. If you downgrade your ASA software after setting the hold time
to .3 - .7, this setting will revert to the default of 3 seconds because the new setting is
unsupported.
Note
This feature is not available on the Firepower 4100 or 9300.
We modified the following commands: health-check holdtime, show asp drop cluster counter, show cluster info health details
We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster
VPN Features
Support for IKEv2, certificate based authentication, and ACL in VTI
Virtual Tunnel Interface (VTI) now supports BGP (static VTI). You can now use IKEv2 in standalone and high availability modes. You can use certificate based authentication by setting up a trustpoint in the IPsec profile. You can also apply access lists on VTI using access-group commands to filter ingress traffic.
We introduced the following command in the IPsec profile configuration mode: set trustpoint.
We introduced options to select the trustpoint for certificate based authentication in the
following screen:
Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets) >
IPsec Profile > Add
Mobile IKEv2 (MobIKE) is enabled by default
Mobile devices operating as remote access clients require transparent IP address changes while moving. Supporting MobIKE on ASA allows a current IKE security association (SA) to be updated without deleting the current SA. MobIKE is “always on.”
We introduced the following command: ikev2 mobike-rrc. Used to enable/disable return
routability checking.
SAML 2.0 SSO Updates
The default signing method for a signature in a SAML request changed from SHA1 to SHA2,
and you can configure which signing method you prefer: rsa-sha1, rsa-sha256, rsa-sha384,
or rsa-sha512.
We changed the following command in webvpn mode: saml idp signature can be configured
with a value. Disabled is still the default.
We introduced changes to the following screen: Configuration > Remote Access VPN >
Clientless SSL VPN Access > Advanced > Single Sign On Servers > Add.
Change for tunnelgroup
webvpn-attributes
We changed the pre-fill-username and secondary-pre-fill-username value from clientless to
client.
We changed the following commands in webvpn mode: pre-fill-username and secondary-pre-fill-username can be configured with a client value.
AAA Features
Login history
By default, the login history is saved for 90 days. You can disable this feature or change the
duration, up to 365 days. This feature only applies to usernames in the local database when
you enable local AAA authentication for one or more of the management methods (SSH,
ASDM, Telnet, and so on).
We introduced the following commands: aaa authentication login-history, show aaa
login-history
We introduced the following screen: Configuration > Device Management > Users/AAA
> Login History
Password policy enforcement to prohibit the reuse of passwords, and prohibit use of a password matching a username
You can now prohibit the reuse of previous passwords for up to 7 generations, and you can also prohibit the use of a password that matches a username.
We introduced the following commands: password-history, password-policy reuse-interval, password-policy username-check
We modified the following screen: Configuration > Device Management > Users/AAA >
Password Policy
Separate authentication for users with SSH public key authentication and users with passwords
In releases prior to 9.6(2), you could enable SSH public key authentication (ssh authentication) without also explicitly enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL). In 9.6(2), the ASA required you to explicitly enable
AAA SSH authentication. In this release, you no longer have to explicitly enable AAA SSH
authentication; when you configure the ssh authentication command for a user, local
authentication is enabled by default for users with this type of authentication. Moreover, when
you explicitly configure AAA SSH authentication, this configuration only applies for usernames
with passwords, and you can use any AAA server type (aaa authentication ssh console
radius_1, for example). For example, some users can use public key authentication using the
local database, and other users can use passwords with RADIUS.
We did not modify any commands.
We did not modify any screens.
Also in Version 9.6(3).
Monitoring and Troubleshooting Features
Saving currently-running packet
captures when the ASA crashes
Formerly, active packet captures were lost if the ASA crashed. Now, packet captures are saved
to disk 0 at the time of the crash with the filename [context_name.]capture_name.pcap.
We did not modify any commands.
We did not modify any screens.
New Features in Version 9.7
New Features in ASDM 7.7(1.151)
Released: April 28, 2017
Note
ASDM 7.7(1.150) was removed from Cisco.com due to bug CSCvd90344.
Feature
Description
Admin Features
New background service for the
ASDM upgrade tool
ASDM uses a new background service for Tools > Check for ASA/ASDM Upgrades. The
older service used by earlier versions of ASDM will be discontinued by Cisco in the future.
New Features in ASA 9.7(1.4)/ASDM 7.7(1)
Released: April 4, 2017
Note
Version 9.7(1) was removed from Cisco.com due to bug CSCvd78303.
Feature
Description
Platform Features
New default configuration for the ASA 5506-X series using Integrated Routing and Bridging
A new default configuration will be used for the ASA 5506-X series. The Integrated Bridging and Routing feature provides an alternative to using an external Layer 2 switch. For users replacing the ASA 5505, which includes a hardware switch, this feature lets you replace the ASA 5505 with an ASA 5506-X or other ASA model without using additional hardware.
The new default configuration includes:
• outside interface on GigabitEthernet 1/1, IP address from DHCP
• inside bridge group BVI 1 with GigabitEthernet 1/2 (inside1) through 1/8 (inside7), IP address 192.168.1.1
• inside --> outside traffic flow
• inside ---> inside traffic flow for member interfaces
• (ASA 5506W-X) wifi interface on GigabitEthernet 1/9, IP address 192.168.10.1
• (ASA 5506W-X) wifi <--> inside, wifi --> outside traffic flow
• DHCP for clients on inside and wifi. The access point itself and all its clients use the
ASA as the DHCP server.
• Management 1/1 interface is Up, but otherwise unconfigured. The ASA FirePOWER
module can then use this interface to access the ASA inside network and use the inside
interface as the gateway to the Internet.
• ASDM access—inside and wifi hosts allowed.
• NAT—Interface PAT for all traffic from inside, wifi, and management to outside.
If you are upgrading, you can either erase your configuration and apply the default using the
configure factory-default command, or you can manually configure a BVI and bridge group
members to suit your needs. Note that to easily allow intra-bridge group communication, you
need to enable the same-security-traffic permit inter-interface command (this command
is already present for the ASA 5506W-X default configuration).
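The bridge-group layout the default configuration describes, written out as ASA CLI. This is an added example, not the page's or Cisco's own default configuration listing: only two bridge-group members are shown, and the DHCP pool range and the NAT object name obj_any are assumptions.

```cisco
! Added example: minimal routed-mode Integrated Routing and Bridging
! layout matching the 9.7(1) ASA 5506-X default described above.
! Only two bridge-group members are shown; GigabitEthernet1/4 through
! 1/8 follow the same pattern. Pool range and object name are assumptions.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside2
 security-level 100
!
! The BVI is the named, routed gateway for the bridge group; the member
! interfaces carry no IP address of their own.
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Required for inside1 <--> inside2 traffic: the members sit at the same
! security level, so without this line the ASA drops traffic between them.
same-security-traffic permit inter-interface
!
! Interface PAT for all traffic leaving toward outside (assumed object name).
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface
!
! DHCP server bound to the BVI name, not to the member interfaces
! (assumed pool range).
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
```

Access rules and the usual per-interface firewall checks still apply to the BVI and to each member interface; the bridge group changes forwarding, not policy enforcement.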
Alarm ports support on the ISA 3000
The ISA 3000 supports two alarm input interfaces and one alarm out interface. External sensors such as door sensors can be connected to the alarm inputs. External devices like buzzers can be connected to the alarm out interface. Alarms triggered are conveyed through two LEDs, syslogs, SNMP traps, and through devices connected to the alarm out interface. You can
configure descriptions of external alarms. You can also specify the severity and trigger, for
external and internal alarms. All alarms can be configured for relay, monitoring and logging.
We introduced the following commands: alarm contact description, alarm contact severity,
alarm contact trigger, alarm facility input-alarm, alarm facility power-supply rps, alarm
facility temperature, alarm facility temperature high, alarm facility temperature low,
clear configure alarm, clear facility-alarm output, show alarm settings, show environment
alarm-contact.
We introduced the following screens:
Configuration > Device Management > Alarm Port > Alarm Contact
Configuration > Device Management > Alarm Port > Redundant Power Supply
Configuration > Device Management > Alarm Port > Temperature
Monitoring > Properties > Alarm > Alarm Settings
Monitoring > Properties > Alarm > Alarm Contact
Monitoring > Properties > Alarm > Facility Alarm Status
Microsoft Azure Security Center
support on the ASAv10
Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper-V
Hypervisor. Microsoft Azure Security Center is a Microsoft orchestration and management
layer on top of Azure that simplifies the deployment of a highly secure public cloud
infrastructure. Integration of the ASAv into Azure Security Center allows the ASAv to be
offered as a firewall option to protect Azure environments.
Precision Time Protocol (PTP) for
the ISA 3000
The ISA 3000 supports PTP, a time synchronization protocol for nodes distributed across a
network. It provides greater accuracy than other time synchronization protocols, such as NTP,
due to its hardware timestamp feature. The ISA 3000 supports PTP forward mode, as well as
the one-step, end-to-end transparent clock. We added the following commands to the default
configuration to ensure that PTP traffic is not sent to the ASA FirePOWER module for
inspection. If you have an existing deployment, you need to manually add these commands:
object-group service bypass_sfr_inspect
service-object udp destination range 319 320
access-list sfrAccessList extended deny object-group bypass_sfr_inspect any any
We introduced the following commands: debug ptp, ptp domain, ptp mode e2etransparent,
ptp enable, show ptp clock, show ptp internal-info, show ptp port
We introduced the following screens:
Configuration > Device Management > PTP
Monitoring > Properties > PTP
Automatic Backup and Restore for
the ISA 3000
You can enable auto-backup and/or auto-restore functionality using pre-set parameters in the
backup and restore commands. The use cases for these features include initial configuration
from external media; device replacement; roll back to an operable state.
We introduced the following commands: backup-package location, backup-package auto,
show backup-package status, show backup-package summary
No ASDM support.
Firewall Features
Support for SCTP multi-streaming
reordering and reassembly and
fragmentation. Support for SCTP
multi-homing, where the SCTP
endpoints have more than one IP
address.
The system now fully supports SCTP multi-streaming reordering, reassembly, and
fragmentation, which improves Diameter and M3UA inspection effectiveness for SCTP traffic.
The system also supports SCTP multi-homing, where the endpoints have more than one IP
address each. For multi-homing, the system opens pinholes for the secondary addresses so
that you do not need to write access rules to allow them. SCTP endpoints must be limited to
3 IP addresses each.
We modified the output of the following command: show sctp detail.
We did not modify any screens.
M3UA inspection improvements.
M3UA inspection now supports stateful failover, semi-distributed clustering, and multihoming.
You can also configure strict application server process (ASP) state validation and validation
for various messages. Strict ASP state validation is required for stateful failover and clustering.
We added or modified the following commands: clear service-policy inspect m3ua session
[assocID id], match port sctp, message-tag-validation, show service-policy inspect m3ua
drop, show service-policy inspect m3ua endpoint, show service-policy inspect m3ua
session, show service-policy inspect m3ua table, strict-asp-state, timeout session.
We modified the following screens: Configuration > Firewall > Objects > Inspection Maps
> M3UA Add/Edit dialog boxes.
Support for TLSv1.2 in TLS proxy and Cisco Unified Communications Manager 10.5.2.
You can now use TLSv1.2 with TLS proxy for encrypted SIP or SCCP inspection with the Cisco Unified Communications Manager 10.5.2. The TLS proxy supports the additional TLSv1.2 cipher suites added as part of the client cipher-suite command.
We modified the following commands: client cipher-suite
We did not modify any screens.
Integrated Routing and Bridging
Integrated Routing and Bridging provides the ability to route between a bridge group and a
routed interface. A bridge group is a group of interfaces that the ASA bridges instead of routes.
The ASA is not a true bridge in that the ASA continues to act as a firewall: access control
between interfaces is controlled, and all of the usual firewall checks are in place. Previously,
you could only configure bridge groups in transparent firewall mode, where you cannot route
between bridge groups. This feature lets you configure bridge groups in routed firewall mode,
and to route between bridge groups and between a bridge group and a routed interface. The
bridge group participates in routing by using a Bridge Virtual Interface (BVI) to act as a
gateway for the bridge group. Integrated Routing and Bridging provides an alternative to
using an external Layer 2 switch if you have extra interfaces on the ASA to assign to the
bridge group. In routed mode, the BVI can be a named interface and can participate separately
from member interfaces in some features, such as access rules and DHCP server.
The following features that are supported in transparent mode are not supported in routed
mode: multiple context mode, ASA clustering. The following features are also not supported
on BVIs: dynamic routing and multicast routing.
We modified the following commands: access-group, access-list ethertype, arp-inspection,
dhcpd, mac-address-table static, mac-address-table aging-time, mac-learn, route, show
arp-inspection, show bridge-group, show mac-address-table, show mac-learn
We modified the following screens:
Configuration > Device Setup > Interface Settings > Interfaces
Configuration > Device Setup > Routing > Static Routes
Configuration > Device Management > DHCP > DHCP Server
Configuration > Firewall > Access Rules
Configuration > Firewall > EtherType Rules
VM Attributes
You can define network objects to filter traffic according to attributes associated with one or
more Virtual Machines (VMs) in a VMware ESXi environment managed by VMware vCenter.
You can define access control lists (ACLs) to assign policies to traffic from groups of VMs
sharing one or more attributes.
We added the following command: show attribute.
We added the following screen:
Configuration > Firewall > VM Attribute Agent
Stale route timeout for interior
gateway protocols
You can now configure the timeout for removing stale routes for interior gateway protocols
such as OSPF.
We added the following command: timeout igp stale-route.
We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts.
Routing Features
31-bit Subnet Mask
For routed interfaces, you can configure an IP address on a 31-bit subnet for point-to-point
connections. The 31-bit subnet includes only 2 addresses; normally, the first and last address
in the subnet is reserved for the network and broadcast, so a 2-address subnet is not usable.
However, if you have a point-to-point connection and do not need network or broadcast
addresses, a 31-bit subnet is a useful way to preserve addresses in IPv4. For example, the
failover link between 2 ASAs only requires 2 addresses; any packet that is transmitted by one
end of the link is always received by the other, and broadcasting is unnecessary. You can also
have a directly-connected management station running SNMP or Syslog. This feature is not
supported with BVIs for bridge groups or multicast routing.
We modified the following commands: ip address, http, logging host, snmp-server host,
ssh
We modified the following screens:
Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > General
High Availability and Scalability Features
Inter-site clustering improvement for the ASA on the Firepower 4100/9300 chassis
You can now configure the site ID for each Firepower 4100/9300 chassis when you deploy the ASA cluster. Previously, you had to configure the site ID within the ASA application; this new feature eases initial deployment. Note that you can no longer set the site ID within
the ASA configuration. Also, for best compatibility with inter-site clustering, we recommend
that you upgrade to ASA 9.7(1) and FXOS 2.1.1, which includes several improvements to
stability and performance.
We modified the following command: site-id
We modified the following screen: Configuration > Device Management > High Availability
and Scalability > ASA Cluster > Cluster Configuration
Director localization: inter-site
clustering improvement for data
centers
To improve performance and keep traffic within a site for inter-site clustering for data centers,
you can enable director localization. New connections are typically load-balanced and owned
by cluster members within a given site. However, the ASA assigns the director role to a
member at any site. Director localization enables additional director roles: a local director at
the same site as the owner, and a global director that can be at any site. Keeping the owner
and director at the same site improves performance. Also, if the original owner fails, the local
director chooses a new connection owner at the same site. The global director is used if a
cluster member receives packets for a connection that is owned on a different site.
We introduced or modified the following commands: director-localization, show asp table
cluster chash, show conn, show conn detail
We modified the following screen: Configuration > Device Management > High Availability
and Scalability > ASA Cluster > Cluster Configuration
Interface link state monitoring polling for failover now configurable for faster detection
By default, each ASA in a failover pair checks the link state of its interfaces every 500 msec. You can now configure the polling interval, between 300 msec and 799 msec; for example, if you set the polltime to 300 msec, the ASA can detect an interface failure and trigger failover faster.
We introduced the following command: failover polltime link-state
We modified the following screen: Configuration > Device Management > High Availability
and Scalability > Failover > Criteria
Bidirectional Forwarding Detection
(BFD) support for Active/Standby
failover health monitoring on the
Firepower 9300 and 4100
You can enable Bidirectional Forwarding Detection (BFD) for the failover health check
between two units of an Active/Standby pair on the Firepower 9300 and 4100. Using BFD
for the health check is more reliable than the default health check method and uses less CPU.
We introduced the following command: failover health-check bfd
We modified the following screen: Configuration > Device Management > High Availability
and Scalability > Failover > Setup
VPN Features
Dynamic RRI for IKEv2 static
crypto maps
Dynamic Reverse Route Injection occurs upon the successful establishment of IPsec Security Associations (SAs) when dynamic is specified for a crypto map. Routes are added based on the negotiated selector information. The routes will be deleted after the IPsec SAs are deleted. Dynamic RRI is supported on IKEv2 based static crypto maps only.
We modified the following command: crypto map set reverse-route.
We modified the following screen: Configuration > Remote Access VPN > Network
(Client) Access > Advanced > IPsec > Crypto Maps > Add/Edit > Tunnel Policy (Crypto
Maps) - Advanced
Virtual Tunnel Interface (VTI)
support for ASA VPN module
The ASA VPN module is enhanced with a new logical interface called Virtual Tunnel Interface
(VTI), used to represent a VPN tunnel to a peer. This supports route based VPN with IPsec
profiles attached to each end of the tunnel. Using VTI does away with the need to configure
static crypto map access lists and map them to interfaces.
We introduced the following commands: crypto ipsec profile, interface tunnel,
responder-only, set ikev1 transform-set, set pfs, set security-association lifetime, tunnel
destination, tunnel mode ipsec, tunnel protection ipsec profile, tunnel source interface.
We introduced the following screens:
Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets) >
IPsec Profile
Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets) >
IPsec Profile > Add > Add IPsec Profile
Configuration > Device Setup > Interface Settings > Interfaces > Add > VTI Interface
Configuration > Device Setup > Interface Settings > Interfaces > Add > VTI Interface
> General
Configuration > Device Setup > Interface Settings > Interfaces > Add > VTI Interface
> Advanced
SAML 2.0 based SSO for
AnyConnect
SAML 2.0-based service provider IdP is supported in a private network. With the ASA as a
gateway between the user and services, authentication on IdP is handled with a restricted
anonymous webvpn session, and all traffic between IdP and the user is translated.
We added the following command: saml idp
We modified the following commands: debug webvpn saml, show saml metadata
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL
VPN Access > Advanced > Single Sign On Servers > Add SSO Server.
CMPv2
To be positioned as a security gateway device in wireless LTE networks, the ASA now supports
certain management functions using the Certificate Management Protocol (CMPv2).
We modified the following commands: enrollment url, keypair, auto-update,
crypto-ca-trustpoint, show crypto ca server certificates, show crypto key, show
tech-support
We modified the following screens: Configuration > Remote Access VPN > Certificate
Management > Identity Certificates > Add an Identity Certificate
Multiple certificate authentication
You can now validate multiple certificates per session with AnyConnect SSL and IKEv2
client protocols. The Aggregate Authentication protocol has been extended to define the
protocol exchange for multiple-certificate authentication and utilize this for both session types.
We modified the following command: authentication {[aaa] [certificate | multiple-certificate]
| saml}
We modified the following screens:
Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access
Policies > Edit AnyConnect Connection Profile
Configuration > Remote Access VPN > Network Client Access > AnyConnect Connection
Profiles > Edit AnyConnect Connection Profiles
Increase split-tunneling routing limit
The limit for split-tunneling routes for AC-SSL and AC-IKEv2 was increased from 200 to 1200. The IKEv1 limit was left at 200.
Smart Tunnel Support on Chrome
A new method for smart-tunnel support in the Chrome browser on Mac and Windows devices
was created. A Chrome Smart Tunnel Extension has replaced Netscape Plugin Application
Program Interfaces (NPAPIs) that are no longer supported on Chrome. If you click on the
smart tunnel enabled bookmark in Chrome without the extension already being installed, you
are redirected to the Chrome Web Store to obtain the extension. New Chrome installations
will direct the user to the Chrome Web Store to download the extension. The extension
downloads the binaries from ASA that are required to run smart tunnel. Your usual bookmark
and application configuration while using smart tunnel is unchanged other than the process
of installing the new extension.
Clientless SSL VPN: Session
information for all web interfaces
All web interfaces will now display details of the current session, including the user name
used to login, and user privileges which are currently assigned. This will help the user be
aware of the current user session and will improve user security.
Clientless SSL VPN: Validation of
all cookies for web applications'
sessions
All web applications will now grant access only after validating all security-related cookies.
In each request, each cookie with an authentication token or a session ID will be verified
before granting access to the user session. Multiple session cookies in the same request will
result in the connection being dropped. Cookies with failed validations will be treated as
invalid and the event will be added to the audit log.
AnyConnect: Maximum Connect
Time Alert Interval is now supported
in the Group Policy for AnyConnect
VPN Client connections.
The alert interval is the interval of time before max connection time is reached that a message
will be displayed to the user warning them of termination. Valid time interval is 1-30 minutes.
Default is 30 minutes. Previously supported for clientless and site-to-site VPN connections.
The following command can now be used for AnyConnect connections: vpn-session-timeout
alert-interval
We modified the following screen: Configuration > Remote Access VPN > Network (Client)
Access > Group Policies > Add/Edit > General > More Options, adding a Maximum
Connect Time Alert Interval field
AAA Features
IPv6 address support for LDAP and TACACS+ Servers for AAA
You can now use either IPv4 or IPv6 addresses for LDAP and TACACS+ servers used for AAA.
We modified the following command: aaa-server host, test aaa-server
We modified the following screen: Configuration > Device Management > Users/AAA >
AAA Server Groups > Add AAA Server Group
Administrative Features
PBKDF2 hashing for all local
username and enable passwords
Local username and enable passwords of all lengths are stored in the configuration using a
PBKDF2 (Password-Based Key Derivation Function 2) hash. Previously, passwords 32
characters and shorter used the MD5-based hashing method. Already existing passwords
continue to use the MD5-based hash unless you enter a new password. See the "Software and
Configurations" chapter in the General Operations Configuration Guide for downgrading
guidelines.
We modified the following commands: enable password, username
We modified the following screens:
Configuration > Device Setup > Device Name/Password > Enable Password
Configuration > Device Management > Users/AAA > User Accounts > Add/Edit User
Account > Identity
Licensing Features
Licensing changes for failover pairs on the Firepower 4100/9300 chassis
Only the active unit requests the license entitlements. Previously, both units requested license entitlements. Supported with FXOS 2.1.1.
Monitoring and Troubleshooting Features
IPv6 address support for traceroute
The traceroute command was modified to accept an IPv6 address.
We modified the following command: traceroute
We did not modify any screens.
Support for the packet tracer for
bridge group member interfaces
You can now use the packet tracer for bridge group member interfaces.
We added two new options to the packet-tracer command: vlan-id and dmac
We added VLAN ID and Destination MAC Address fields in the packet-tracer screen: Tools > Packet Tracer
IPv6 address support for syslog
servers
You can now configure syslog servers with IPv6 addresses to record and send syslogs over
TCP and UDP.
We modified the following commands: logging host, show running config, show logging
We modified the following screen: Configuration > Device Management > Logging >
Syslog Servers > Add Syslog Server
SNMP OIDs and MIBs
The ASA now supports SNMP MIB objects corresponding to the end-to-end transparent clock
mode as part of the Precision Time Protocol (PTP) for the ISA 3000. The following SNMP
MIB objects are supported:
• ciscoPtpMIBSystemInfo
• cPtpClockDefaultDSTable
• cPtpClockTransDefaultDSTable
• cPtpClockPortTransDSTable
New Features in Version 9.6
New Features in ASA 9.6(3.1)/ASDM 7.7(1)
Released: April 3, 2017
Note
Version 9.6(3) was removed from Cisco.com due to bug CSCvd78303.
Feature
Description
AAA Features
Separate authentication for users with SSH public key authentication and users with passwords
In releases prior to 9.6(2), you could enable SSH public key authentication (ssh authentication) without also explicitly enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL). In 9.6(2), the ASA required you to explicitly enable AAA SSH authentication. In this release, you no longer have to explicitly enable AAA SSH authentication; when you configure the ssh authentication command for a user, local authentication is enabled by default for users with this type of authentication. Moreover, when you explicitly configure AAA SSH authentication, this configuration only applies for usernames with passwords, and you can use any AAA server type (aaa authentication ssh console radius_1, for example). For example, some users can use public key authentication using the local database, and other users can use passwords with RADIUS.
We did not modify any commands.
We did not modify any screens.
Also in Version 9.8(1).
New Features in ASDM 7.6(2.150)
Released: October 12, 2016
There are no new features in this release.
New Features in ASA 9.6(2)/ASDM 7.6(2)
Released: August 24, 2016
Feature
Description
Platform Features
ASA for the Firepower 4150
We introduced the ASA for the Firepower 4150.
Requires FXOS 2.0.1.
We did not add or modify any commands.
We did not add or modify any screens.
Hot Plug Interfaces on the ASAv
You can add and remove Virtio virtual interfaces on the ASAv while the system is active.
When you add a new interface to the ASAv, the virtual machine detects and provisions the
interface. When you remove an existing interface, the virtual machine releases any resource
associated with the interface. Hot plug interfaces are limited to Virtio virtual interfaces on the
Kernel-based Virtual Machine (KVM) hypervisor.
Microsoft Azure support on the
ASAv10
Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V
Hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper V
Hypervisor. The ASAv on Microsoft Azure supports one instance type, the Standard D3,
which supports four vCPUs, 14 GB, and four interfaces.
Also in 9.5(2.200).
Through traffic support on the
Management 0/0 interface for the
ASAv
You can now allow through traffic on the Management 0/0 interface on the ASAv. Previously,
only the ASAv on Microsoft Azure supported through traffic; now all ASAvs support through
traffic. You can optionally configure this interface to be management-only, but it is not
configured by default.
We modified the following command: management-only
Common Criteria Certification
The ASA was updated to comply with the Common Criteria requirements. See the rows in
this table for the following features that were added for this certification:
• ASA SSL Server mode matching for ASDM
• SSL client RFC 6125 support:
◦ Reference Identities for Secure Syslog Server connections and Smart Licensing connections
◦ ASA client checks Extended Key Usage in server certificates
◦ Mutual authentication when ASA acts as a TLS client for TLS1.1 and 1.2
• PKI debug messages
• Crypto Key Zeroization verification
• IPsec/ESP Transport Mode Support for IKEv2
• New syslog messages
Firewall Features
DNS over TCP inspection
You can now inspect DNS over TCP traffic (TCP/53).
We added the following command: tcp-inspection
We modified the following page: Configuration > Firewall > Objects > Inspection Maps
> DNS Add/Edit dialog box
MTP3 User Adaptation (M3UA)
inspection
You can now inspect M3UA traffic and also apply actions based on point code, service
indicator, and message class and type.
We added or modified the following commands: clear service-policy inspect m3ua {drops
| endpoint [IP_address]}, inspect m3ua, match dpc, match opc, match service-indicator,
policy-map type inspect m3ua, show asp table classify domain inspect-m3ua, show conn
detail, show service-policy inspect m3ua {drops | endpoint IP_address}, ss7 variant,
timeout endpoint
We added or modified the following pages: Configuration > Firewall > Objects > Inspection
Maps > M3UA; the Rule Action > Protocol Inspection tab for service policy rules
Session Traversal Utilities for NAT (STUN) inspection
You can now inspect STUN traffic for WebRTC applications including Cisco Spark. Inspection opens pinholes required for return traffic.
We added or modified the following commands: inspect stun, show conn detail, show
service-policy inspect stun
We added an option to the Rule Actions > Protocol Inspection tab of the Add/Edit Service
Policy dialog box
Application layer health checking
for Cisco Cloud Web Security
You can now configure Cisco Cloud Web Security to check the health of the Cloud Web
Security application when determining if the server is healthy. By checking application health,
the system can fail over to the backup server when the primary server responds to the TCP
three-way handshake but cannot process requests. This ensures a more reliable system.
We added the following commands: health-check application url, health-check application
timeout
We modified the following screen: Configuration > Device Management > Cloud Web
Security
Connection holddown timeout for
route convergence.
You can now configure how long the system should maintain a connection when the route
used by the connection no longer exists or is inactive. If the route does not become active
within this holddown period, the connection is freed. You can reduce the holddown timer to
make route convergence happen more quickly. However, the 15 second default is appropriate
for most networks to prevent route flapping.
We added the following command: timeout conn-holddown
We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts
Also in 9.4(3).
Changes in TCP option handling
You can now specify actions for the TCP MSS and MD5 options in a packet’s TCP header
when configuring a TCP map. In addition, the default handling of the MSS, timestamp,
window-size, and selective-ack options has changed. Previously, these options were allowed,
even if there were more than one option of a given type in the header. Now, packets are
dropped by default if they contain more than one option of a given type. For example,
previously a packet with 2 timestamp options would be allowed, now it will be dropped.
You can configure a TCP map to allow multiple options of the same type for MD5, MSS,
selective-ack, timestamp, and window-size. For the MD5 option, the previous default was to
clear the option, whereas the default now is to allow it. You can also drop packets that contain
the MD5 option. For the MSS option, you can set the maximum segment size in the TCP map
(per traffic class). The default for all other TCP options remains the same: they are cleared.
We modified the following command: tcp-options
We modified the following screen: Configuration > Firewall > Objects > TCP Maps
Add/Edit dialog box
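The default handling described in this row (keep a single copy of the MSS, timestamp, window-size and selective-ack options, drop the packet when an option type repeats, allow the MD5 option unless told to drop it, clamp MSS per traffic class, and clear anything else) can be modelled as a small policy applied to a parsed TCP option area. The following Python is an added illustration, not Cisco code: the policy vocabulary (allow, allow-multiple, drop, clear), the function names and the sample option bytes are constructed for this example, and overwriting a cleared option with NOPs so the header length is unchanged is an assumption about how an in-line rewrite would be done.

```python
"""Added example: a simplified model of the TCP-map option handling described
above. Not ASA code; the policy vocabulary and sample packets are constructed."""
import struct

# TCP option kinds (IANA numbers) that the policy can act on
MSS, WSCALE, SACK_PERM, SACK, TIMESTAMP, MD5SIG = 2, 3, 4, 5, 8, 19

# Constructed policy vocabulary (not the ASA keywords):
#   "allow"          keep the option, but drop the packet if the kind repeats
#   "allow-multiple" keep every copy of the option
#   "drop"           drop any packet carrying the option
#   anything else    the option is cleared (overwritten with NOPs)
DEFAULT_POLICY = {
    MSS: "allow", WSCALE: "allow", SACK_PERM: "allow", SACK: "allow",
    TIMESTAMP: "allow", MD5SIG: "allow",   # MD5 is now allowed by default
}


def parse_tcp_options(raw):
    """Return [(kind, data)] from the options area of a TCP header.
    NOP is kept as (1, b''); EOL ends parsing; malformed input raises ValueError."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # EOL
            break
        if kind == 1:                       # NOP: single byte, no length field
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def build_tcp_options(opts):
    """Serialize [(kind, data)] back to bytes, padded with EOL to a 32-bit boundary."""
    out = bytearray()
    for kind, data in opts:
        if kind == 1:
            out.append(1)
        else:
            out += bytes([kind, 2 + len(data)]) + data
    while len(out) % 4:
        out.append(0)
    return bytes(out)


def apply_tcp_map(raw_options, policy=DEFAULT_POLICY, max_mss=None):
    """Return ("drop", reason) or ("allow", rewritten_option_bytes)."""
    try:
        opts = parse_tcp_options(raw_options)
    except ValueError as exc:
        return ("drop", "malformed options: %s" % exc)
    counts = {}
    for kind, _ in opts:
        if kind != 1:
            counts[kind] = counts.get(kind, 0) + 1
    kept = []
    for kind, data in opts:
        if kind == 1:
            kept.append((1, b""))
            continue
        action = policy.get(kind, "clear")
        if action == "drop":
            return ("drop", "option kind %d not permitted" % kind)
        if action == "allow" and counts[kind] > 1:
            return ("drop", "option kind %d repeated %d times" % (kind, counts[kind]))
        if action not in ("allow", "allow-multiple"):
            # Clear: overwrite kind, length and data with NOPs so the data
            # offset of the header does not change (assumption of this model).
            kept.extend([(1, b"")] * (2 + len(data)))
            continue
        if kind == MSS and max_mss is not None:
            (mss,) = struct.unpack("!H", data)
            data = struct.pack("!H", min(mss, max_mss))   # per-class MSS ceiling
        kept.append((kind, data))
    return ("allow", build_tcp_options(kept))


# Constructed sample option areas (each 20 bytes, i.e. a 40-byte TCP header)
SYN_OPTIONS = (b"\x02\x04\x05\xb4"                                   # MSS 1460
               + b"\x04\x02"                                         # SACK permitted
               + b"\x08\x0a" + b"\x00\x00\x00\x01\x00\x00\x00\x00"   # timestamps
               + b"\x01"                                             # NOP
               + b"\x03\x03\x07")                                    # window scale 7
DUP_TIMESTAMP = (b"\x08\x0a" + b"\x00\x00\x00\x01\x00\x00\x00\x00") * 2
MD5_SIGNED = b"\x13\x12" + b"\xaa" * 16 + b"\x01\x01"
```

With the default policy the well-formed SYN passes unchanged, the packet carrying two timestamp options is dropped, the MD5-signed segment is allowed, and an option kind the policy does not list is cleared; passing max_mss=1380 rewrites the MSS in place.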
Transparent mode maximum interfaces per bridge group increased to 64
The maximum interfaces per bridge group was increased from 4 to 64.
We did not modify any commands.
We did not modify any screens.
Flow offload support for multicast
connections in transparent mode.
You can now offload multicast connections to be switched directly in the NIC on transparent
mode Firepower 4100 and 9300 series devices. Multicast offload is available for bridge groups
that contain two and only two interfaces.
There are no new commands or ASDM screens for this feature.
Customizable ARP rate limiting
You can set the maximum number of ARP packets allowed per second. The default value
depends on your ASA model. You can customize this value to prevent an ARP storm attack.
We added the following commands: arp rate-limit, show arp rate-limit
We modified the following screen: Configuration > Device Management > Advanced
> ARP > ARP Static Table
Ethertype rule support for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address.
You can now write Ethertype access control rules for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address. Because of this addition, the bpdu keyword no longer matches the intended traffic. Rewrite bpdu rules for dsap 0x42.
We modified the following command: access-list ethertype
We modified the following screen: Configuration > Firewall > EtherType Rules.
Remote Access Features
Pre-fill/Username-from-cert feature for multiple context mode
AnyConnect SSL support is extended, allowing pre-fill/username-from-certificate feature CLIs, previously available only in single mode, to be enabled in multiple context mode as well.
We did not modify any commands.
We did not modify any screens.
Flash Virtualization for Remote
Access VPN
Remote access VPN in multiple context mode now supports flash virtualization. Each context can have a private storage space and a shared storage space based on the total flash that is available:
• Private storage—Store files associated only with that user and specific to the content
that you want for that user.
• Shared storage—Upload files to this space and have it accessible to any user context for
read/write access once you enable it.
We introduced the following commands: limit-resource storage, storage-url
We modified the following screens: Configuration > Context Management > Resource
Class > Add Resource Class
Configuration > Context Management > Security Contexts
AnyConnect client profiles supported in multiple context mode
AnyConnect client profiles are supported in multiple context mode. To add a new profile using ASDM, you must have the AnyConnect Secure Mobility Client release 4.2.00748 or 4.3.03013 and later.
Stateful failover for AnyConnect
connections in multiple context
mode
Stateful failover is now supported for AnyConnect connections in multiple context mode.
We did not modify any commands.
We did not modify any screens.
Remote Access VPN Dynamic
Access Policy (DAP) is supported
in multiple context mode
You can now configure DAP per context in multiple context mode.
We did not modify any commands.
We did not modify any screens.
Remote Access VPN CoA (Change of Authorization) is supported in multiple context mode
You can now configure CoA per context in multiple context mode.
We did not modify any commands.
We did not modify any screens.
Remote Access VPN localization is supported in multiple context mode
Localization is supported globally. There is only one set of localization files that are shared across different contexts.
We did not modify any commands.
We did not modify any screens.
Umbrella Roaming Security module support
You can choose to configure the AnyConnect Secure Mobility Client's Umbrella Roaming Security module for additional DNS-layer security when no VPN is active.
We did not modify any commands.
We modified the following screen: Configuration > Remote Access VPN > Network (Client)
Access > AnyConnect Client Profile.
IPsec/ESP Transport Mode Support for IKEv2
Transport mode is now supported for ASA IKEv2 negotiation. It can be used in place of tunnel (default) mode. Tunnel mode encapsulates the entire IP packet. Transport mode encapsulates only the upper-layer protocols of an IP packet. Transport mode requires that both the source and destination hosts support IPSec, and can only be used when the destination peer of the tunnel is the final destination of the IP packet.
We modified the following command: crypto map set ikev2 mode
We modified the following screen: Configuration > Remote Access VPN > Network (Client)
Access > Advanced > IPsec > IPsec Proposals (Transform Sets) > IKEv2 proposals >
Add/Edit
Per-packet routing lookups for IPsec inner packets
By default, per-packet adjacency lookups are done for outer ESP packets; lookups are not done for packets sent through the IPsec tunnel. In some network topologies, when a routing update has altered the inner packet’s path, but the local IPsec tunnel is still up, packets through the tunnel may not be routed correctly and fail to reach their destination. To prevent this, use the new option to enable per-packet routing lookups for the IPsec inner packets.
We added the following command: crypto ipsec inner-routing-lookup
We modified the following screen: Configuration > Remote Access VPN > Network (Client)
Access > Advanced > IPsec > Crypto Maps adding the Enable IPsec Inner Routing
Lookup checkbox.
Certificate and Secure Connection Features
ASA client checks Extended Key
Usage in server certificates
Syslog and Smart licensing Server Certificates must contain “ServerAuth” in the Extended
Key Usage field. If not, the connection fails.
Mutual authentication when ASA acts as a TLS client for TLS1.1 and 1.2
If the server requests a client certificate from the ASA for authentication, the ASA will send the client identity certificate configured for that interface. The certificate is configured by the ssl trust-point command.
PKI debug messages
The ASA PKI module makes connections to CA servers such as SCEP enrollment, revocation
checking using HTTP, etc. All of these ASA PKI exchanges will be logged as debug traces
under debug crypto ca message 5.
ASA SSL Server mode matching for ASDM
For an ASDM user who authenticates with a certificate, you can now require the certificate to match a certificate map.
We modified the following command: http authentication-certificate match
We modified the following screen: Configuration > Device Management > Management
Access > ASDM/HTTPS/Telnet/SSH
Reference Identities for Secure Syslog Server connections and Smart Licensing connections
TLS client processing now supports rules for verification of a server identity defined in RFC 6125, Section 6. Identity verification will be done during PKI validation for TLS connections to the Syslog Server and the Smart Licensing server only. If the presented identity cannot be matched against the configured reference identity, the connection is not established.
We added or modified the following commands: crypto ca reference-identity, logging host, call home profile destination address
We modified the following screens:
Configuration > Remote Access VPN > Advanced
Configuration > Device Management > Logging > Syslog Servers > Add/Edit
Configuration > Device Management > Smart Call Home
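The two client-side checks described in this table, the Extended Key Usage requirement for syslog and Smart Licensing server certificates and the RFC 6125 Section 6 reference identity match, are shown together below in an added Python example that is not Cisco code. Certificates are constructed dictionaries rather than parsed X.509 objects, only the DNS-ID and CN-ID identifier types are modelled (the ASA command also accepts other types; they are not covered here), the hostnames are placeholders, and two details are stricter than the RFC's SHOULD wording: a wildcard must be the whole left-most label and must have at least two fixed labels to its right.

```python
"""Added example: a TLS client's server-identity checks modelled on RFC 6125
section 6 (DNS-ID / CN-ID) plus the Extended Key Usage requirement. Not ASA
code; certificates are constructed dicts, not real X.509 objects."""
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth


def eku_allows_server_auth(cert):
    """The server's EKU extension must list serverAuth; a certificate with no
    EKU at all is treated as failing too (assumption: the strict reading)."""
    return SERVER_AUTH_OID in cert.get("eku", [])


def _labels(name):
    """Normalise a DNS name to lower-case labels; None if it is malformed."""
    name = name.strip().rstrip(".").lower()
    labels = name.split(".") if name else []
    return labels if labels and all(labels) else None


def dns_id_matches(reference, presented):
    """RFC 6125 6.4.3: compare one presented DNS-ID against the reference identity.
    Wildcards are accepted only as the entire left-most label, match exactly one
    label, and need at least two fixed labels to their right (stricter than the
    RFC's SHOULD, which is common client practice)."""
    if "*" in reference:
        return False                      # a reference identity never has wildcards
    ref, pres = _labels(reference), _labels(presented)
    if ref is None or pres is None:
        return False
    if "*" not in presented:
        return ref == pres                # plain case-insensitive comparison
    if pres[0] != "*" or len(pres) < 3 or any("*" in lab for lab in pres[1:]):
        return False                      # partial or non-left-most wildcard
    return len(ref) == len(pres) and ref[1:] == pres[1:]


def verify_reference_identity(cert, reference):
    """Return (ok, reason). Subject Alternative Name dNSName entries are
    authoritative; the subject CN is consulted only when the certificate has no
    dNSName at all (RFC 6125 6.4.4)."""
    san = cert.get("san_dns", [])
    if san:
        if any(dns_id_matches(reference, p) for p in san):
            return True, "DNS-ID match"
        return False, "no SAN dNSName matches the reference identity"
    cn = cert.get("subject_cn")
    if cn and dns_id_matches(reference, cn):
        return True, "CN-ID match (certificate has no SAN)"
    return False, "neither SAN nor CN matches the reference identity"


def tls_client_accepts(cert, reference):
    """Order used here: usage check first, then identity; either failure
    means the connection is not established."""
    if not eku_allows_server_auth(cert):
        return False, "EKU does not contain serverAuth"
    return verify_reference_identity(cert, reference)


# Constructed server certificates (names are placeholders, not real hosts)
SYSLOG_CERT = {"subject_cn": "syslog.example.net",
               "san_dns": ["syslog.example.net", "*.logs.example.net"],
               "eku": [SERVER_AUTH_OID, CLIENT_AUTH_OID]}
CLIENT_ONLY_CERT = {"subject_cn": "syslog.example.net",
                    "san_dns": ["syslog.example.net"],
                    "eku": [CLIENT_AUTH_OID]}
CN_ONLY_CERT = {"subject_cn": "collector.example.net", "san_dns": [],
                "eku": [SERVER_AUTH_OID]}
```

Running tls_client_accepts(SYSLOG_CERT, "syslog.example.net") succeeds on the SAN, the same certificate is rejected for "a.b.logs.example.net" because the wildcard covers one label only, CLIENT_ONLY_CERT fails before any name comparison because its EKU lacks serverAuth, and CN_ONLY_CERT is the only case where the subject CN is consulted.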
Crypto Key Zeroization verification
The ASA crypto system has been updated to comply with new key zeroization requirements. Keys must be overwritten with all zeros and then the data must be read to verify that the write was successful.
SSH public key authentication
improvements
In earlier releases, you could enable SSH public key authentication (ssh authentication)
without also enabling AAA SSH authentication with the Local user database (aaa
authentication ssh console LOCAL). The configuration is now fixed so that you must
explicitly enable AAA SSH authentication. To disallow users from using a password instead
of the private key, you can now create a username without any password defined.
We modified the following commands: ssh authentication, username
We modified the following screens:
Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH
Configuration > Device Management > Users/AAA > User Accounts > Add/Edit User
Account
Interface Features
Increased MTU size for the ASA on the Firepower 4100/9300 chassis
You can set the maximum MTU to 9188 bytes on the Firepower 4100 and 9300; formerly, the maximum was 9000 bytes. This MTU is supported with FXOS 2.0.1.68 and later.
We modified the following command: mtu
We modified the following screen: Configuration > Device Setup > Interface Settings >
Interfaces > Advanced
Routing Features
Bidirectional Forwarding Detection (BFD) Support
The ASA now supports the BFD routing protocol. Support was added for configuring BFD templates, interfaces, and maps. Support for BGP routing protocol to use BFD was also added.
We added or modified the following commands: authentication, bfd echo, bfd interval, bfd
map, bfd slow-timers, bfd template, bfd-template, clear bfd counters, echo, debug bfd,
neighbor fall-over bfd, show bfd drops, show bfd map, show bfd neighbors, show bfd
summary
We added or modified the following screens:
Configuration > Device Setup > Routing > BFD > Template
Configuration > Device Setup > Routing > BFD > Interface
Configuration > Device Setup > Routing > BFD > Map
Configuration > Device Setup > Routing > BGP > IPv6 Family > Neighbors
IPv6 DHCP
The ASA now supports the following features for IPv6 addressing:
• DHCPv6 Address client—The ASA obtains an IPv6 global address and optional default
route from the DHCPv6 server.
• DHCPv6 Prefix Delegation client—The ASA obtains delegated prefix(es) from a DHCPv6 server. The ASA can then use these prefixes to configure other ASA interface addresses so that StateLess Address Auto Configuration (SLAAC) clients can autoconfigure IPv6 addresses on the same network.
• BGP router advertisement for delegated prefixes
• DHCPv6 stateless server—The ASA provides other information such as the domain
name to SLAAC clients when they send Information Request (IR) packets to the ASA.
The ASA only accepts IR packets, and does not assign addresses to the clients.
We added or modified the following commands: clear ipv6 dhcp statistics, domain-name,
dns-server, import, ipv6 address autoconfig, ipv6 address dhcp, ipv6 dhcp client pd,
ipv6 dhcp client pd hint, ipv6 dhcp pool, ipv6 dhcp server, network, nis address, nis
domain-name, nisp address, nisp domain-name, show bgp ipv6 unicast, show ipv6 dhcp,
show ipv6 general-prefix, sip address, sip domain-name, sntp address
We added or modified the following screens:
Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > IPv6
Configuration > Device Management > DHCP > DHCP Pool
Configuration > Device Setup > Routing > BGP > IPv6 Family > Networks
Monitoring > Interfaces > DHCP
High Availability and Scalability Features
Improved sync time for dynamic ACLs from AnyConnect when using Active/Standby failover
When you use AnyConnect on a failover pair, the sync time for the associated dynamic ACLs (dACLs) to the standby unit is now improved. Previously, with large dACLs, the sync time could take hours, during which time the standby unit is busy syncing instead of providing high availability backup.
We did not modify any commands.
We did not modify any screens.
Licensing Features
Permanent License Reservation for the ASAv
For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv. In 9.6(2), we also added support for this feature for the ASAv on Amazon Web Services. This feature is not supported for Microsoft Azure.
Note
Not all accounts are approved for permanent license reservation. Make sure you have approval from Cisco for this feature before you attempt to configure it.
We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return
No ASDM support.
Also in 9.5(2.200).
Permanent License Reservation for the ASAv Short String enhancement
Due to an update to the Smart Agent (to 1.6.4), the request and authorization codes now use shorter strings.
We did not modify any commands.
We did not modify any screens.
Permanent License Reservation for the ASA on the Firepower 4100/9300 chassis
For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASA on the Firepower 9300 and Firepower 4100. All available license entitlements are included in the permanent license, including the Standard Tier, Strong Encryption (if qualified), Security Contexts, and Carrier licenses. Requires FXOS 2.0.1.
All configuration is performed on the Firepower 4100/9300 chassis; no configuration is required on the ASA.
Smart Agent Upgrade for ASAv to
v1.6
The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports
permanent license reservation and also supports setting the Strong Encryption (3DES/AES)
license entitlement according to the permission set in your license account.
Note
If you downgrade from Version 9.5(2.200), the ASAv does not retain the licensing registration state. You need to re-register with the license smart register idtoken id_token force command or the Configuration > Device Management > Licensing > Smart Licensing page with the Force registration option; obtain the ID token from the Smart Software Manager.
We introduced the following commands: show license status, show license summary, show license udi, show license usage
We modified the following commands: show license all, show tech-support license
We deprecated the following commands: show license cert, show license entitlement, show
license pool, show license registration
We did not change any screens.
Also in 9.5(2.200).
Monitoring Features
Packet capture of type asp-drop
supports ACL and match filtering
When you create a packet capture of type asp-drop, you can now also specify an ACL or
match option to limit the scope of the capture.
We modified the following command: capture type asp-drop
We did not modify any screens.
Forensic Analysis enhancements
You can create a core dump of any process running on the ASA. The ASA also extracts the
text section of the main ASA process that you can copy from the ASA for examination.
We modified the following commands: copy system:text, verify system:text, crashinfo
force dump process
We did not modify any screens.
Tracking Packet Count on a
Per-Connection Basis through
NetFlow
Two counters were added that allow Netflow users to see the number of Layer 4 packets being
sent in both directions on a connection. You can use these counters to determine average
packet rates and sizes and to better predict traffic types, anomalies, and events.
We did not modify any commands.
We did not modify any screens.
SNMP engineID sync for Failover
In a failover pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three
sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote
engineID.
An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve
localized snmp-server user authentication and privacy options. If a user does not specify the
native engineID, the show running config output will show two engineIDs per user.
We modified the following command: snmp-server user
No ASDM support.
Also in 9.4(3).
New Features in ASA 9.6(1)/ASDM 7.6(1)
Released: March 21, 2016
Note
The ASAv 9.5.2(200) features, including Microsoft Azure support, are not available in 9.6(1). They are
available in 9.6(2).
Feature
Description
Platform Features
ASA for the Firepower 4100 series
We introduced the ASA for the Firepower 4110, 4120, and 4140.
Requires FXOS 1.1.4.
We did not add or modify any commands.
We did not add or modify any screens.
SD card support for the ISA 3000
You can now use an SD card for external storage on the ISA 3000. The card appears as disk3
in the ASA file system. Note that plug and play support requires hardware version 2.1 and
later. Use the show module command to check your hardware version.
We did not add or modify any commands.
We did not add or modify any screens.
Dual power supply support for the
ISA 3000
For dual power supplies in the ISA 3000, you can establish dual power supplies as the expected
configuration in the ASA OS. If one power supply fails, the ASA issues an alarm. By default,
the ASA expects a single power supply and won't issue an alarm as long as it includes one
working power supply.
We introduced the following command: power-supply dual.
No ASDM support.
Firewall Features
Diameter inspection improvements
You can now inspect Diameter over TCP/TLS traffic, apply strict protocol conformance checking, and inspect Diameter over SCTP in cluster mode.
We introduced or modified the following commands: client clear-text, inspect diameter,
strict-diameter.
We added or modified the following screens:
Configuration > Firewall > Objects > Inspect Maps > Diameter
Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol
Inspection tab
SCTP stateful inspection in cluster
mode
SCTP stateful inspection now works in cluster mode. You can also configure SCTP stateful
inspection bypass in cluster mode.
We did not add or modify any commands.
We did not add or modify any screens.
H.323 inspection support for the H.225 FACILITY message coming before the H.225 SETUP message for H.460.18 compatibility.
You can now configure an H.323 inspection policy map to allow for H.225 FACILITY
messages to come before the H.225 SETUP message, which can happen when endpoints
comply with H.460.18.
We introduced the following command: early-message.
We added an option to the Call Attributes tab in the H.323 inspection policy map.
Cisco Trustsec support for Security Exchange Protocol (SXP) version 3.
Cisco Trustsec on ASA now implements SXPv3, which enables SGT-to-subnet bindings, which are more efficient than host bindings.
We introduced or modified the following commands: cts sxp mapping network-map
maximum_hosts, cts role-based sgt-map, show cts sgt-map, show cts sxp sgt-map, show
asp table cts sgt-map.
We modified the following screens: Configuration > Firewall > Identity By TrustSec and
the SGT Map Setup dialog boxes.
Flow off-load support for the
Firepower 4100 series.
You can identify flows that should be off-loaded from the ASA and switched directly in the
NIC for the Firepower 4100 series.
Requires FXOS 1.1.4.
We did not add or modify any commands.
We did not add or modify any screens.
Remote Access Features
IKEv2 Fragmentation, RFC-7383
support
The ASA now supports this standard fragmentation of IKEv2 packets. This allows
interoperability with other IKEv2 implementations such as Apple, Strongswan etc. ASA
continues to support the current, proprietary IKEv2 fragmentation to maintain backward
compatibility with Cisco products that do not support RFC-7383, such as the AnyConnect
client.
We introduced the following commands: crypto ikev2 fragmentation, show running-config
crypto ikev2, show crypto ikev2 sa detail
VPN Throughput Performance
Enhancements on Firepower 9300
and Firepower 4100 series
The crypto engine accelerator-bias command is now supported on the ASA security module
on the Firepower 9300 and Firepower 4100 series. This command lets you “bias” more crypto
cores toward either IPSec or SSL.
We modified the following command: crypto engine accelerator-bias
We did not add or modify any screens.
Configurable SSH encryption and
HMAC algorithm.
Users can select cipher modes when doing SSH encryption management and can configure
HMAC and encryption for varying key exchange algorithms. You might want to change the
ciphers to be more or less strict, depending on your application. Note that the performance of
secure copy depends partly on the encryption cipher used. By default, the ASA negotiates
one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc
aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then
the performance is much slower than a more efficient algorithm such as aes128-cbc. To change
the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example.
We introduced the following commands: ssh cipher encryption, ssh cipher integrity.
We introduced the following screen: Configuration > Device Management > Advanced >
SSH Ciphers
Also available in 9.1(7), 9.4(3), and 9.5(3).
HTTP redirect support for IPv6
When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can now redirect traffic sent to an IPv6 address.
We added functionality to the following command: http redirect
We added functionality to the following screen: Configuration > Device Management >
HTTP Redirect
Also available in 9.1(7) and 9.4(3).
Routing Features
IS-IS routing
The ASA now supports the Intermediate System to Intermediate System (IS-IS) routing
protocol. Support was added for routing data, performing authentication, and redistributing
and monitoring routing information using the IS-IS routing protocol.
We introduced the following commands: advertise passive-only, area-password,
authentication key, authentication mode, authentication send-only, clear isis, debug isis,
distance, domain-password, fast-flood, hello padding, hostname dynamic,
ignore-lsp-errors, isis adjacency-filter, isis advertise prefix, isis authentication key, isis
authentication mode, isis authentication send-only, isis circuit-type, isis csnp-interval,
isis hello-interval, isis hello-multiplier, isis hello padding, isis lsp-interval, isis metric,
isis password, isis priority, isis protocol shutdown, isis retransmit-interval, isis
retransmit-throttle-interval, isis tag, is-type, log-adjacency-changes, lsp-full suppress,
lsp-gen-interval, lsp-refresh-interval, max-area-addresses, max-lsp-lifetime,
maximum-paths, metric, metric-style, net, passive-interface, prc-interval, protocol
shutdown, redistribute isis, route priority high, route isis, set-attached-bit,
set-overload-bit, show clns, show isis, show router isis, spf-interval, summary-address.
We introduced the following screens:
Configuration > Device Setup > Routing > ISIS
Monitoring > Routing > ISIS
High Availability and Scalability Features
Support for site-specific IP addresses in Routed, Spanned EtherChannel mode
For inter-site clustering in routed mode with Spanned EtherChannels, you can now configure
site-specific IP addresses in addition to site-specific MAC addresses. The addition of site IP
addresses allows you to use ARP inspection on the Overlay Transport Virtualization (OTV)
devices to prevent ARP responses from the global MAC address from traveling over the Data
Center Interconnect (DCI), which can cause routing problems. ARP inspection is required
for some switches that cannot use VACLs to filter MAC addresses.
We modified the following commands: mac-address, show interface
We modified the following screen: Configuration > Device Setup > Interface Settings >
Interfaces > Add/Edit EtherChannel Interface > Advanced
Administrative Features
Longer password support for local username and enable passwords (up to 127 characters)
You can now create local username and enable passwords up to 127 characters (the former
limit was 32). When you create a password longer than 32 characters, it is stored in the
configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Shorter
passwords continue to use the MD5-based hashing method.
We modified the following commands: enable, username
We modified the following screens:
Configuration > Device Setup > Device Name/Password > Enable Password
Configuration > Device Management > Users/AAA > User Accounts > Add/Edit User
Account > Identity
Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB
The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported.
This is a table of memory pool monitoring entries for all physical entities on a managed system.
Note
The CISCO-ENHANCED-MEMPOOL-MIB uses 64-bit counters and supports
reporting of memory on platforms with more than 4GB of RAM.
We did not add or modify any commands.
We did not add or modify any screens.
Also available in 9.1(7) and 9.4(3).
REST API Version 1.3.1
We added support for the REST API Version 1.3.1.
New Features in Version 9.5
New Features in ASA 9.5(3.9)/ASDM 7.6(2)
Released: April 11, 2017
Note
Version 9.5(3) was removed from Cisco.com due to bug CSCvd78303.
Feature
Description
Remote Access Features
Configurable SSH encryption and HMAC algorithm.
Users can select cipher modes when doing SSH encryption management and can configure
HMAC and encryption for varying key exchange algorithms. You might want to change the
ciphers to be more or less strict, depending on your application. Note that the performance of
secure copy depends partly on the encryption cipher used. By default, the ASA negotiates
one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc
aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then
the performance is much slower than a more efficient algorithm such as aes128-cbc. To change
the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example.
We introduced the following commands: ssh cipher encryption, ssh cipher integrity.
We introduced the following screen: Configuration > Device Management > Advanced >
SSH Ciphers
Also available in 9.1(7) and 9.4(3).
New Features in ASAv 9.5(2.200)/ASDM 7.5(2.153)
Released: January 28, 2016
Note
This release supports only the ASAv.
Feature
Description
Platform Features
Microsoft Azure support on the ASAv10
Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V
Hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper V
Hypervisor. The ASAv on Microsoft Azure supports one instance type, the Standard D3,
which supports four vCPUs, 14 GB, and four interfaces.
Licensing Features
Permanent License Reservation for the ASAv
For highly secure environments where communication with the Cisco Smart Software Manager
is not allowed, you can request a permanent license for the ASAv.
Not all accounts are approved for permanent license reservation. Make sure you have
approval from Cisco for this feature before you attempt to configure it.
We introduced the following commands: license smart reservation, license smart reservation
cancel, license smart reservation install, license smart reservation request universal,
license smart reservation return
Note
No ASDM support.
Smart Agent Upgrade to v1.6
The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports
permanent license reservation and also supports setting the Strong Encryption (3DES/AES)
license entitlement according to the permission set in your license account.
Note
If you downgrade from Version 9.5(2.200), the ASAv does not retain the licensing
registration state. You need to re-register with the license smart register idtoken
id_token force command or the Configuration > Device Management > Licensing >
Smart Licensing page with the Force registration option; obtain the ID token from
the Smart Software Manager.
We introduced the following commands: show license status, show license summary, show
license udi, show license usage
We modified the following commands: show license all, show tech-support license
We deprecated the following commands: show license cert, show license entitlement, show
license pool, show license registration
We did not change any screens.
New Features in ASA 9.5(2.1)/ASDM 7.5(2)
Released: December 14, 2015
Note
This release supports only the ASA on the Firepower 9300.
Feature
Description
Platform Features
VPN support for the ASA on the Firepower 9300
With FXOS 1.1.3, you can now configure VPN features.
Firewall Features
Flow off-load for the ASA on the Firepower 9300
You can identify flows that should be off-loaded from the ASA and switched directly in the
NIC (on the Firepower 9300). This provides improved performance for large data flows in
data centers.
Also requires FXOS 1.1.3.
We added or modified the following commands: clear flow-offload, flow-offload enable,
set-connection advanced-options flow-offload, show conn detail, show flow-offload.
We added or modified the following screens: Configuration > Firewall > Advanced >
Offload Engine, the Rule Actions > Connection Settings tab when adding or editing rules
under Configuration > Firewall > Service Policy Rules.
High Availability Features
Inter-chassis clustering for 6 modules, and inter-site clustering for the ASA on the Firepower 9300
With FXOS 1.1.3, you can now enable inter-chassis, and by extension inter-site clustering.
You can include up to 6 modules in up to 6 chassis.
We did not modify any commands.
We did not modify any screens.
Licensing Features
Strong Encryption (3DES) license automatically applied for the ASA on the Firepower 9300
For regular Cisco Smart Software Manager users, the Strong Encryption license is automatically
enabled for qualified customers when you apply the registration token on the Firepower 9300.
Note
If you are using the Smart Software Manager satellite deployment, to use ASDM
and other strong encryption features, after you deploy the ASA you must enable the
Strong Encryption (3DES) license using the ASA CLI.
This feature requires FXOS 1.1.3.
We removed the following command for non-satellite configurations: feature
strong-encryption
We modified the following screen: Configuration > Device Management > Licensing >
Smart License
New Features in ASA 9.5(2)/ASDM 7.5(2)
Released: November 30, 2015
Feature
Description
Platform Features
Cisco ISA 3000 Support
The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is
low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model
comes with the ASA Firepower module pre-installed. Special features for this model include
a customized transparent mode default configuration, as well as a hardware bypass function
to allow traffic to continue flowing through the appliance when there is a loss of power.
We introduced the following commands: hardware-bypass, hardware-bypass manual,
hardware-bypass boot-delay
We modified the following screen: Configuration > Device Management > Hardware
Bypass
Also in Version 9.4(1.225).
Firewall Features
DCERPC inspection improvements and UUID filtering
DCERPC inspection now supports NAT for OxidResolver ServerAlive2 opnum5 messages.
You can also now filter on DCERPC message universally unique identifiers (UUIDs) to reset
or log particular message types. There is a new DCERPC inspection class map for UUID
filtering.
We introduced the following command: match [not] uuid. We modified the following
command: class-map type inspect.
We added the following screen: Configuration > Firewall > Objects > Class Maps >
DCERPC.
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps
> DCERPC.
Diameter inspection
You can now inspect Diameter traffic. Diameter inspection requires the Carrier license.
We introduced or modified the following commands: class-map type inspect diameter,
diameter, inspect diameter, match application-id, match avp, match command-code,
policy-map type inspect diameter, show conn detail, show diameter, show service-policy
inspect diameter, unsupported
We added or modified the following screens:
Configuration > Firewall > Objects > Inspect Maps > Diameter and Diameter AVP
Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol
Inspection tab
SCTP inspection and access control
You can now use the SCTP protocol and port specifications in service objects, access control
lists (ACLs) and access rules, and inspect SCTP traffic. SCTP inspection requires the Carrier
license.
We introduced the following commands: access-list extended, clear conn protocol sctp,
inspect sctp, match ppid, nat static (object), policy-map type inspect sctp, service-object,
service, set connection advanced-options sctp-state-bypass, show conn protocol sctp,
show local-host connection sctp, show service-policy inspect sctp, timeout sctp
We added or modified the following screens:
Configuration > Firewall > Access Rules add/edit dialogs
Configuration > Firewall > Advanced > ACL Manager add/edit dialogs
Configuration > Firewall > Advanced > Global Timeouts
Configuration > Firewall > NAT add/edit static network object NAT rule, Advanced NAT
Settings dialog box
Configuration > Firewall > Objects > Service Objects/Groups add/edit dialogs
Configuration > Firewall > Objects > Inspect Maps > SCTP
Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol
Inspection and Connection Settings tabs
Carrier Grade NAT enhancements now supported in failover and ASA clustering
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather
than have NAT allocate one port translation at a time (see RFC 6888). This feature is now
supported in failover and ASA cluster deployments.
We modified the following command: show local-host
We did not modify any screens.
Captive portal for active authentication on ASA FirePOWER 6.0.
The captive portal feature is required to enable active authentication using identity policies
starting with ASA FirePOWER 6.0.
We introduced or modified the following commands: captive-portal, clear configure
captive-portal, show running-config captive-portal.
High Availability Features
LISP Inspection for Inter-Site Flow Mobility
Cisco Locator/ID Separation Protocol (LISP) architecture separates the device identity from
its location into two different numbering spaces, making server migration transparent to clients.
The ASA can inspect LISP traffic for location changes and then use this information for
seamless clustering operation; the ASA cluster members inspect LISP traffic passing between
the first hop router and the egress tunnel router (ETR) or ingress tunnel router (ITR), and then
change the flow owner to be at the new site.
We introduced or modified the following commands: allowed-eid, clear cluster info
flow-mobility counters, clear lisp eid, cluster flow-mobility lisp, debug cluster
flow-mobility, debug lisp eid-notify-intercept, flow-mobility lisp, inspect lisp, policy-map
type inspect lisp, site-id, show asp table classify domain inspect-lisp, show cluster info
flow-mobility counters, show conn, show lisp eid, show service-policy, validate-key
We introduced or modified the following screens:
Configuration > Device Management > High Availability and Scalability > ASA Cluster
> Cluster Configuration
Configuration > Firewall > Objects > Inspect Maps > LISP
Configuration > Firewall > Service Policy Rules > Protocol Inspection
Configuration > Firewall > Service Policy Rules > Cluster
Monitoring > Routing > LISP-EID Table
ASA 5516-X support for clustering
The ASA 5516-X now supports 2-unit clusters. Clustering for 2 units is enabled by default
in the base license.
We did not modify any commands.
We did not modify any screens.
Configurable level for clustering trace entries
By default, all levels of clustering events are included in the trace buffer, including many low
level events. To limit the trace to higher level events, you can set the minimum trace level for
the cluster.
We introduced the following command: trace-level
We did not modify any screens.
Interface Features
Support to map Secondary VLANs to a Primary VLAN
You can now configure one or more secondary VLANs for a subinterface. When the ASA
receives traffic on the secondary VLANs, it maps the traffic to the primary VLAN.
We introduced or modified the following commands: vlan secondary, show vlan mapping
We modified the following screens: Configuration > Device Setup > Interface Settings >
Interfaces
Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > General
Routing Features
PIM Bootstrap Router (BSR) support for multicast routing
The ASA currently supports configuring static RPs to route multicast traffic for different
groups. For large complex networks where multiple RPs could exist, the ASA now supports
dynamic RP selection using PIM BSR to support mobility of RPs.
We introduced the following commands: clear pim group-map, debug pim bsr, pim
bsr-border, pim bsr-candidate, show pim bsr-router, show pim group-map rp-timers
We introduced the following screen: Configuration > Device Setup > Routing > Multicast
> PIM > Bootstrap Router
Remote Access Features
Support for Remote Access VPN in multiple context mode
You can now use the following remote access features in multiple context mode:
• AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)
• Centralized AnyConnect image configuration
• AnyConnect image upgrade
• Context Resource Management for AnyConnect connections
Note
The AnyConnect Apex license is required for multiple context mode; you cannot use
the default or legacy license.
We introduced the following commands: limit-resource vpn anyconnect, limit-resource
vpn burst anyconnect
We modified the following screen: Configuration > Context Management > Resource
Class > Add Resource Class
Clientless SSL VPN offers SAML 2.0-based Single Sign-On (SSO) functionality
The ASA acts as a SAML Service Provider.
Clientless SSL VPN conditional debugging
You can debug logs by filtering, based on the filter condition sets, and can then better analyze
them.
We introduced the following additions to the debug command:
• [no] debug webvpn condition user <user name>
• [no] debug webvpn condition group <group name>
• [no] debug webvpn condition p-ipaddress <ipv4> [subnet<mask>]
• [no] debug webvpn condition p-ipaddress <ipv6> [prefix<prefix>]
• debug webvpn condition reset
• show debug webvpn condition
• show webvpn debug-condition
Clientless SSL VPN cache disabled by default
The clientless SSL VPN cache is now disabled by default. Disabling the clientless SSL VPN
cache provides better stability. If you want to enable the cache, you must manually enable it:
webvpn
 cache
  no disable
We modified the following command: cache
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL
VPN Access > Advanced > Content Cache
Licensing Features
Validation of the Smart Call Home/Smart Licensing certificate if the issuing hierarchy of the server certificate changes
Smart licensing uses the Smart Call Home infrastructure. When the ASA first configures
Smart Call Home anonymous reporting in the background, it automatically creates a trustpoint
containing the certificate of the CA that issued the Smart Call Home server certificate. The
ASA now supports validation of the certificate if the issuing hierarchy of the server certificate
changes; you can enable the automatic update of the trustpool bundle at periodic intervals.
We introduced the following command: auto-import
We modified the following screen: Configuration > Remote Access VPN > Certificate
Management > Trusted Certificate Pool > Edit Policy
New Carrier license
The new Carrier license replaces the existing GTP/GPRS license, and also includes support
for SCTP and Diameter inspection. For the ASA on the Firepower 9300, the feature mobile-sp
command will automatically migrate to the feature carrier command.
We introduced or modified the following commands: feature carrier, show activation-key,
show license, show tech-support, show version
We modified the following screen: Configuration > Device Management > Licensing >
Smart License
Monitoring Features
SNMP engineID sync
In an HA pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets
of engineIDs are maintained per ASA—synced engineID, native engineID and remote
engineID.
An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve
localized snmp-server user authentication and privacy options. If a user does not specify the
native engineID, the show running-config output will show two engineIDs per user.
We modified the following commands: snmp-server user, no snmp-server user
We did not add or modify any screens.
Also available in 9.4(3).
show tech support enhancements
The show tech support command now:
• Includes dir all-filesystems output—This output can be helpful in the following cases:
◦SSL VPN configuration: check if the required resources are on the ASA
◦Crash: check for the date timestamp and presence of a crash file
• Removes the show kernel cgroup-controller detail output—This command output
will remain in the output of show tech-support detail.
We modified the following command: show tech support
We did not add or modify any screens.
Also available in 9.1(7) and 9.4(3).
logging debug-trace persistence
Formerly, when you enabled logging debug-trace to redirect debugs to a syslog server, if the
SSH connection were disconnected (due to network connectivity or timeout), then the debugs
were removed. Now, debugs persist for as long as the logging command is in effect.
We modified the following command: logging debug-trace
We did not modify any screens.
New Features in ASA 9.5(1.5)/ASDM 7.5(1.112)
Released: November 11, 2015
Feature
Description
Platform Features
Support for ASA FirePOWER 6.0
The 6.0 software version for the ASA FirePOWER module is supported on all previously
supported device models.
Support for managing the ASA FirePOWER module through ASDM for the 5512-X through 5585-X.
You can manage the ASA FirePOWER module using ASDM instead of using Firepower
Management Center (formerly FireSIGHT Management Center) when running version 6.0
on the module. You can still use ASDM to manage the module on the 5506-X, 5506H-X,
5506W-X, 5508-X, and 5516-X when running 6.0.
No new screens or commands were added.
New Features in ASDM 7.5(1.90)
Released: October 14, 2015
Feature
Description
Remote Access Features
AnyConnect Version 4.2 support
ASDM supports AnyConnect 4.2 and the Network Visibility Module (NVM). NVM enhances
the enterprise administrator’s ability to do capacity and service planning, auditing, compliance,
and security analytics. The NVM collects the endpoint telemetry and logs both the flow data
and the file reputation in the syslog and also exports the flow records to a collector (a third-party
vendor), which performs the file analysis and provides a UI interface.
We modified the following screen: Configuration > Remote Access VPN > Network (Client)
Access > AnyConnect Client Profile (a new profile called Network Visibility Service
Profile)
New Features in ASAv 9.5(1.200)/ASDM 7.5(1)
Released: August 31, 2015
Note
This release supports only the ASAv.
Feature
Description
Platform Features
Microsoft Hyper-V supervisor support
Extends the hypervisor portfolio for the ASAv.
ASAv5 low memory support
The ASAv5 now only requires 1 GB RAM to operate. Formerly, it required 2 GB. For
already-deployed ASAv5s, you should reduce the allocated memory to 1 GB or you will see
an error that you are using more memory than is licensed.
New Features in ASA 9.5(1)/ASDM 7.5(1)
Released: August 12, 2015
Note
This version does not support the Firepower 9300 ASA security module or the ISA 3000.
Firewall Features
GTPv2 inspection and improvements to GTPv0/1 inspection
GTP inspection can now handle GTPv2. In addition, GTP inspection for all versions now
supports IPv6 addresses.
We modified the following commands: clear service-policy inspect gtp statistics, clear
service-policy inspect gtp pdpmcb, clear service-policy inspect gtp request, match message
id, show service-policy inspect gtp pdpmcb, show service-policy inspect gtp request,
show service-policy inspect gtp statistics, timeout endpoint
We deprecated the following command: timeout gsn
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps >
GTP
IP Options inspection improvements
IP Options inspection now supports all possible IP options. You can tune the inspection to
allow, clear, or drop any standard or experimental options, including those not yet defined.
You can also set a default behavior for options not explicitly defined in an IP options inspection
map.
We introduced the following commands: basic-security, commercial-security, default,
exp-flow-control, exp-measure, extended-security, imi-traffic-description, quick-start,
record-route, timestamp
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps >
IP Options
Carrier Grade NAT enhancements
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather
than have NAT allocate one port translation at a time (see RFC 6888).
We introduced the following commands: xlate block-allocation size, xlate block-allocation
maximum-per-host. We added the block-allocation keyword to the nat command.
We introduced the following screen: Configuration > Firewall > Advanced > PAT Port
Block Allocation. We added Enable Block Allocation to the object NAT and twice NAT dialog
boxes.
High Availability Features
Inter-site clustering support for Spanned EtherChannel in Routed firewall mode
You can now use inter-site clustering for Spanned EtherChannels in routed mode. To avoid
MAC address flapping, configure a site ID for each cluster member so that a site-specific
MAC address for each interface can be shared among a site’s units.
We introduced or modified the following commands: site-id, mac-address site-id, show
cluster info, show interface
We modified the following screen: Configuration > Device Management > High Availability
and Scalability > ASA Cluster > Cluster Configuration
ASA cluster customization of the auto-rejoin behavior when an interface or the cluster control link fails
You can now customize the auto-rejoin behavior when an interface or the cluster control link
fails.
We introduced the following command: health-check auto-rejoin
We introduced the following screen: Configuration > Device Management > High
Availability and Scalability > ASA Cluster > Auto Rejoin
The ASA cluster supports GTPv1 and GTPv2
The ASA cluster now supports GTPv1 and GTPv2 inspection.
We did not modify any commands.
We did not modify any screens.
Cluster replication delay for TCP connections
This feature helps eliminate the “unnecessary work” related to short-lived flows by delaying
the director/backup flow creation.
We introduced the following command: cluster replication delay
We introduced the following screen: Configuration > Device Management > High
Availability and Scalability > ASA Cluster Replication
Also available for the Firepower 9300 ASA security module in Version 9.4(1.152).
Disable health monitoring of a hardware module in ASA clustering
By default when using clustering, the ASA monitors the health of an installed hardware module
such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger
failover, you can disable module monitoring.
We modified the following command: health-check monitor-interface service-module
We modified the following screen: Configuration > Device Management > High Availability
and Scalability > ASA Cluster > Cluster Interface Health Monitoring
Enable use of the Management 1/1 interface as the failover link on the ASA 5506H
On the ASA 5506H only, you can now configure the Management 1/1 interface as the failover
link. This feature lets you use all other interfaces on the device as data interfaces. Note that
if you use this feature, you cannot use the ASA Firepower module, which requires the
Management 1/1 interface to remain as a regular management interface.
We modified the following commands: failover lan interface, failover link
We modified the following screen: Configuration > Device Management > High Availability
and Scalability > Failover > Setup
Routing Features
Support for IPv6 in Policy Based Routing
IPv6 addresses are now supported for Policy Based Routing.
We introduced the following commands: set ipv6 next-hop, set default ipv6-next hop, set
ipv6 dscp
We modified the following screens:
Configuration > Device Setup > Routing > Route Maps > Add Route Map > Policy Based Routing
Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause
VXLAN support for Policy Based Routing
You can now enable Policy Based Routing on a VNI interface.
We did not modify any commands.
We modified the following screen: Configuration > Device Setup > Interface Settings >
Interfaces > Add/Edit Interface > General
Policy Based Routing support for Identity Firewall and Cisco TrustSec
You can configure Identity Firewall and Cisco TrustSec and then use Identity Firewall and
Cisco TrustSec ACLs in Policy Based Routing route maps.
We did not modify any commands.
We modified the following screen: Configuration > Device Setup > Routing > Route Maps
> Add Route Maps > Match Clause
Separate routing table for management-only interfaces
To segregate and isolate management traffic from data traffic, the ASA now supports a separate
routing table for management-only interfaces.
We introduced or modified the following commands: backup, clear ipv6 route
management-only, clear route management-only, configure http, configure net, copy,
enrollment source, name-server, restore, show asp table route-management-only, show
ipv6 route management-only, show route management-only
We did not modify any screens.
Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) pass-through support
The ASA now allows PIM-SSM packets to pass through when you enable multicast routing,
unless the ASA is the Last-Hop Router. This feature allows greater flexibility in choosing a
multicast group while also protecting against different attacks; hosts only receive traffic from
explicitly-requested sources.
We did not modify any commands.
We did not modify any screens.
Remote Access Features
IPv6 VLAN Mapping
ASA VPN code has been enhanced to support full IPv6 capabilities. No configuration change
is necessary for the administrator.
Clientless SSL VPN SharePoint 2013 Support
Added support and a predefined application template for this new SharePoint version.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL
VPN Access > Portal > Bookmarks > Add Bookmark List > Select Bookmark Type >
Predefined application templates
Dynamic Bookmarks for Clientless VPN
Added CSCO_WEBVPN_DYNAMIC_URL and CSCO_WEBVPN_MACROLIST to the
list of macros when using bookmarks. These macros allow the administrator to configure a
single bookmark that can generate multiple bookmark links on the clientless user’s portal and
to statically configure bookmarks to take advantage of arbitrarily sized lists provided by LDAP
attribute maps.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL
VPN Access > Portal > Bookmarks
VPN Banner Length Increase
The overall banner length, which is displayed during post-login on the VPN remote client
portal, has increased from 500 to 4000.
We modified the following command: banner (group-policy).
We modified the following screen: Configuration > Remote Access VPN > .... Add/Edit
Internal Group Policy > General Parameters > Banner
Cisco Easy VPN client on the ASA 5506-X, 5506W-X, 5506H-X, and 5508-X
This release supports Cisco Easy VPN on the ASA 5506-X series and for the ASA 5508-X.
The ASA acts as a VPN hardware client when connecting to the VPN headend. Any devices
(computers, printers, and so on) behind the ASA on the Easy VPN port can communicate
over the VPN; they do not have to run VPN clients individually. Note that only one ASA
interface can act as the Easy VPN port; to connect multiple devices to that port, you need to
place a Layer 2 switch on the port, and then connect your devices to the switch.
We introduced the following commands: vpnclient enable, vpnclient server, vpnclient
mode, vpnclient username, vpnclient ipsec-over-tcp, vpnclient management, vpnclient
vpngroup, vpnclient trustpoint, vpnclient nem-st-autoconnect, vpnclient mac-exempt
We introduced the following screen: Configuration > VPN > Easy VPN Remote
Monitoring Features
Show invalid usernames in syslog messages
You can now show invalid usernames in syslog messages for unsuccessful login attempts.
The default setting is to hide usernames when the username is invalid or if the validity is
unknown. If a user accidentally types a password instead of a username, for example, then it
is more secure to hide the “username” in the resultant syslog message. You might want to
show invalid usernames to help with troubleshooting login issues.
We introduced the following command: no logging hide username
We modified the following screen: Configuration > Device Management > Logging >
Syslog Setup
This feature is also available in 9.2(4) and 9.3(3).
REST API Features
REST API Version 1.2.1
We added support for the REST API Version 1.2.1.
New Features in Version 9.4
New Features in ASA 9.4(4.5)/ASDM 7.6(2)
Released: April 3, 2017
Note
Version 9.4(4) was removed from Cisco.com due to bug CSCvd78303.
There are no new features in this release.
New Features in ASA 9.4(3)/ASDM 7.6(1)
Released: April 25, 2016
Feature
Description
Firewall Features
Connection holddown timeout for
route convergence
You can now configure how long the system should maintain a connection when the route
used by the connection no longer exists or is inactive. If the route does not become active
within this holddown period, the connection is freed. You can reduce the holddown timer to
make route convergence happen more quickly. However, the 15 second default is appropriate
for most networks to prevent route flapping.
We added the following command: timeout conn-holddown
We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts
Remote Access Features
Configurable SSH encryption and
HMAC algorithm.
Users can select cipher modes when doing SSH encryption management and can configure
HMAC and encryption for varying key exchange algorithms.
We introduced the following commands: ssh cipher encryption, ssh cipher integrity.
We introduced the following screen: Configuration > Device Management > Advanced >
SSH Ciphers
Also available in 9.1(7).
HTTP redirect support for IPv6
When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you
can now redirect traffic sent to an IPv6 address.
We added functionality to the following command: http redirect
We added functionality to the following screen: Configuration > Device Management >
HTTP Redirect
Also available in 9.1(7).
Monitoring Features
SNMP engineID sync for Failover
In a failover pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three
sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote
engineID.
An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve
localized snmp-server user authentication and privacy options. If a user does not specify the
native engineID, the show running config output will show two engineIDs per user.
We modified the following command: snmp-server user
No ASDM support.
show tech support enhancements
The show tech support command now:
• Includes dir all-filesystems output—This output can be helpful in the following cases:
◦ SSL VPN configuration: check if the required resources are on the ASA
◦ Crash: check for the date timestamp and presence of a crash file
• Removes the show kernel cgroup-controller detail output—This command output
will remain in the output of show tech-support detail.
We modified the following command: show tech support
We did not add or modify any screens.
Also available in 9.1(7).
Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB
The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported.
This is a table of memory pool monitoring entries for all physical entities on a managed system.
Note
The CISCO-ENHANCED-MEMPOOL-MIB uses 64-bit counters and supports
reporting of memory on platforms with more than 4GB of RAM.
We did not add or modify any commands.
We did not add or modify any screens.
Also available in 9.1(7).
New Features in ASA 9.4(2.145)/ASDM 7.5(1)
Released: November 13, 2015
There are no new features in this release.
Note
This release supports only the Firepower 9300 ASA security module.
New Features in ASA 9.4(2)/ASDM 7.5(1)
Released: September 24, 2015
There are no new features in this release.
Note
ASAv 9.4(1.200) features are not included in this release.
Note
This version does not support the ISA 3000.
New Features in ASA 9.4(1.225)/ASDM 7.5(1)
Released: September 17, 2015
Note
This release supports only the Cisco ISA 3000.
Feature
Description
Platform Features
Cisco ISA 3000 Support
The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is
low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model
comes with the ASA Firepower module pre-installed. Special features for this model include
a customized transparent mode default configuration, as well as a hardware bypass function
to allow traffic to continue flowing through the appliance when there is a loss of power.
We introduced the following commands: hardware-bypass, hardware-bypass manual,
hardware-bypass boot-delay, show hardware-bypass
We introduced the following screen: Configuration > Device Management > Hardware
Bypass
The hardware-bypass boot-delay command is not available in ASDM 7.5(1).
This feature is not available in Version 9.5(1).
New Features in ASA 9.4(1.152)/ASDM 7.4(3)
Released: July 13, 2015
Note
This release supports only the ASA on the Firepower 9300.
Feature
Description
Platform Features
ASA security module on the
Firepower 9300
We introduced the ASA security module on the Firepower 9300.
Note
Firepower Chassis Manager 1.1.1 does not support any VPN features (site-to-site or
remote access) for the ASA security module on the Firepower 9300.
High Availability Features
Intra-chassis ASA Clustering for the Firepower 9300
You can cluster up to 3 security modules within the Firepower 9300 chassis. All modules in
the chassis must belong to the cluster.
We introduced the following commands: cluster replication delay, debug service-module,
management-only individual, show cluster chassis
We introduced the following screen: Configuration > Device Management > High
Availability and Scalability > ASA Cluster Replication
Licensing Features
Cisco Smart Software Licensing for the ASA on the Firepower 9300
We introduced Smart Software Licensing for the ASA on the Firepower 9300.
We introduced the following commands: feature strong-encryption, feature mobile-sp,
feature context
We modified the following screen: Configuration > Device Management > Licensing >
Smart License
New Features in ASAv 9.4(1.200)/ASDM 7.4(2)
Released: May 12, 2015
Note
This release supports only the ASAv.
Feature
Description
Platform Features
ASAv on VMware no longer
requires vCenter support
You can now install the ASAv on VMware without vCenter using the vSphere client or the
OVFTool using a Day 0 configuration.
ASAv on Amazon Web Services
(AWS)
You can now use the ASAv with Amazon Web Services (AWS) and the Day 0 configuration.
Note
Amazon Web Services only supports models ASAv10 and ASAv30.
New Features in ASDM 7.4(2)
Released: May 6, 2015
Feature
Description
Remote Access Features
AnyConnect Version 4.1 support
ASDM now supports AnyConnect Version 4.1.
We modified the following screen: Configuration > Remote Access VPN > Network (Client)
Access > AnyConnect Client Profile (a new profile called AMP Enabler Service Profile)
New Features in ASA 9.4(1)/ASDM 7.4(1)
Released: March 30, 2015
Feature
Description
Platform Features
ASA 5506W-X, ASA 5506H-X,
ASA 5508-X, ASA 5516-X
We introduced the ASA 5506W-X with wireless access point, hardened ASA 5506H-X, ASA
5508-X, and ASA 5516-X models.
We introduced the following command: hw-module module wlan recover image.
We did not modify any ASDM screens.
Certification Features
Department of Defense Unified
Capabilities Requirements (UCR)
2013 Certification
The ASA was updated to comply with the DoD UCR 2013 requirements. See the rows in this
table for the following features that were added for this certification:
• Periodic certificate authentication
• Certificate expiration alerts
• Enforcement of the basic constraints CA flag
• ASDM Username From Certificate Configuration
• ASDM management authorization
• IKEv2 invalid selectors notification configuration
• IKEv2 pre-shared key in Hex
FIPS 140-2 Certification compliance updates
When you enable FIPS mode on the ASA, additional restrictions are put in place for the ASA
to be FIPS 140-2 compliant. Restrictions include:
• RSA and DH Key Size Restrictions—Only RSA and DH keys 2K (2048 bits) or larger
are allowed. For DH, this means groups 1 (768 bit), 2 (1024 bit), and 5 (1536 bit) are
not allowed.
Note
The key size restrictions disable use of IKEv1 with FIPS.
• Restrictions on the Hash Algorithm for Digital Signatures—Only SHA256 or better is
allowed.
• SSH Cipher Restrictions—Allowed ciphers: aes128-cbc or aes256-cbc. MACs: SHA1
To see the FIPS certification status for the ASA, see:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
This PDF is updated weekly.
See the Computer Security Division Computer Security Resource Center site for more
information:
http://csrc.nist.gov/groups/STM/cmvp/inprocess.html
We modified the following command: fips enable
Firewall Features
Improved SIP inspection performance on multiple core ASAs.
If you have multiple SIP signaling flows going through an ASA with multiple cores, SIP
inspection performance has been improved. However, you will not see improved performance
if you are using a TLS, phone, or IME proxy.
We did not modify any commands.
We did not modify any screens.
SIP inspection support for Phone
Proxy and UC-IME Proxy was
removed.
You can no longer use Phone Proxy or UC-IME Proxy when configuring SIP inspection. Use
TLS Proxy to inspect encrypted traffic.
We removed the following commands: phone-proxy, uc-ime. We removed the phone-proxy
and uc-ime keywords from the inspect sip command.
We removed Phone Proxy and UC-IME Proxy from the Select SIP Inspect Map service
policy dialog box.
DCERPC inspection support for
ISystemMapper UUID message
RemoteGetClassObject opnum3.
The ASA started supporting non-EPM DCERPC messages in release 8.3, supporting the
ISystemMapper UUID message RemoteCreateInstance opnum4. This change extends support
to the RemoteGetClassObject opnum3 message.
We did not modify any commands.
We did not modify any screens.
Unlimited SNMP server trap hosts
per context
The ASA supports an unlimited number of SNMP server trap hosts per context. The show
snmp-server host command output displays only the active hosts that are polling the ASA,
as well as the statically configured hosts.
We modified the following command: show snmp-server host.
We did not modify any screens.
VXLAN packet inspection
The ASA can inspect the VXLAN header to enforce compliance with the standard format.
We introduced the following command: inspect vxlan.
We modified the following screen: Configuration > Firewall > Service Policy Rules > Add
Service Policy Rule > Rule Actions > Protocol Inspection
DHCP monitoring for IPv6
You can now monitor DHCP statistics and DHCP bindings for IPv6.
We introduced the following screens:
Monitoring > Interfaces > DHCP > IPV6 DHCP Statistics
Monitoring > Interfaces > DHCP > IPV6 DHCP Binding.
ESMTP inspection change in default behavior for TLS sessions.
The default for ESMTP inspection was changed to allow TLS sessions, which are not inspected.
However, this default applies to new or reimaged systems. If you upgrade a system that
includes no allow-tls, the command is not changed.
The change in default behavior was also made in these older versions: 8.4(7.25), 8.5(1.23),
8.6(1.16), 8.7(1.15), 9.0(4.28), 9.1(6.1), 9.2(3.2) 9.3(1.2), 9.3(2.2).
High Availability Features
Blocking syslog generation on a
standby ASA
You can now block specific syslogs from being generated on a standby unit.
We introduced the following command: no logging message syslog-id standby.
We did not modify any screens.
Enable and disable ASA cluster
health monitoring per interface
You can now enable or disable health monitoring per interface. Health monitoring is enabled
by default on all port-channel, redundant, and single physical interfaces. Health monitoring
is not performed on VLAN subinterfaces or virtual interfaces such as VNIs or BVIs. You
cannot configure monitoring for the cluster control link; it is always monitored. You might
want to disable health monitoring of non-essential interfaces, for example, the management
interface.
We introduced the following command: health-check monitor-interface.
We introduced the following screen: Configuration > Device Management > High
Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring
ASA clustering support for DHCP
relay
You can now configure DHCP relay on the ASA cluster. Client DHCP requests are
load-balanced to the cluster members using a hash of the client MAC address. DHCP client
and server functions are still not supported.
We introduced the following command: debug cluster dhcp-relay
We did not modify any screens.
SIP inspection support in ASA
clustering
You can now configure SIP inspection on the ASA cluster. A control flow can be created on
any unit (due to load balancing), but its child data flows must reside on the same unit. TLS
Proxy configuration is not supported.
We introduced the following command: show cluster service-policy
We did not modify any screens.
Routing Features
Policy Based Routing
Policy Based Routing (PBR) is a mechanism by which traffic is routed through specific paths
with a specified QoS using ACLs. ACLs let traffic be classified based on the content of the
packet’s Layer 3 and Layer 4 headers. This solution lets administrators provide QoS to
differentiated traffic, distribute interactive and batch traffic among low-bandwidth, low-cost
permanent paths and high-bandwidth, high-cost switched paths, and allows Internet service
providers and other organizations to route traffic originating from various sets of users through
well-defined Internet connections.
We introduced the following commands: set ip next-hop verify-availability, set ip next-hop,
set ip next-hop recursive, set interface, set ip default next-hop, set default interface, set
ip df, set ip dscp, policy-route route-map, show policy-route, debug policy-route
We introduced or modified the following screens:
Configuration > Device Setup > Routing > Route Maps > Policy Based Routing
Configuration > Device Setup > Routing > Interface Settings > Interfaces.
Interface Features
VXLAN support
VXLAN support was added, including VXLAN tunnel endpoint (VTEP) support. You can
define one VTEP source interface per ASA or security context.
We introduced the following commands: debug vxlan, default-mcast-group, encapsulation
vxlan, inspect vxlan, interface vni, mcast-group, nve, nve-only, peer ip, segment-id, show
arp vtep-mapping, show interface vni, show mac-address-table vtep-mapping, show nve,
show vni vlan-mapping, source-interface, vtep-nve, vxlan port
We introduced the following screens:
Configuration > Device Setup > Interface Settings > Interfaces > Add > VNI Interface
Configuration > Device Setup > Interface Settings > VXLAN
Monitoring Features
Memory tracking for the EEM
We have added a new debugging feature to log memory allocations and memory usage, and
to respond to memory logging wrap events.
We introduced or modified the following commands: memory logging, show memory
logging, show memory logging include, event memory-logging-wrap
We modified the following screen: Configuration > Device Management > Advanced >
Embedded Event Manager > Add Event Manager Applet > Add Event Manager Applet
Event
Troubleshooting crashes
The show tech-support command output and show crashinfo command output includes the
most recent 50 lines of generated syslogs. Note that you must enable the logging buffer
command to enable these results to appear.
Remote Access Features
Support for ECDHE-ECDSA ciphers
TLSv1.2 added support for the following ciphers:
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-GCM-SHA384
• DHE-RSA-AES256-GCM-SHA384
• AES256-GCM-SHA384
• ECDHE-ECDSA-AES256-SHA384
• ECDHE-RSA-AES256-SHA384
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-RSA-AES128-GCM-SHA256
• DHE-RSA-AES128-GCM-SHA256
• RSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES128-SHA256
• ECDHE-RSA-AES128-SHA256
Note
ECDSA and DHE ciphers are the highest priority.
We introduced the following command: ssl ecdh-group.
We modified the following screen: Configuration > Remote Access VPN > Advanced >
SSL Settings.
Clientless SSL VPN session cookie access restriction
You can now prevent a Clientless SSL VPN session cookie from being accessed by a third
party through a client-side script such as Javascript.
Note
Use this feature only if Cisco TAC advises you to do so. Enabling this command
presents a security risk because the following Clientless SSL VPN features will not
work without any warning.
• Java plug-ins
• Java rewriter
• Port forwarding
• File browser
• Sharepoint features that require desktop applications (for example, MS Office
applications)
• AnyConnect Web launch
• Citrix Receiver, XenDesktop, and Xenon
• Other non-browser-based and browser plugin-based applications
We introduced the following command: http-only-cookie.
We introduced the following screen: Configuration > Remote Access VPN > Clientless
SSL VPN Access > Advanced > HTTP Cookie.
This feature is also in 9.2(3).
Virtual desktop access control using security group tagging
The ASA now supports security group tagging-based policy control for Clientless SSL remote
access to internal applications and websites. This feature uses Citrix’s virtual desktop
infrastructure (VDI) with XenDesktop as the delivery controller and the ASA’s content
transformation engine.
See the following Citrix product documentation for more information:
• Policies for XenDesktop and XenApp: http://support.citrix.com/proddocs/topic/infocenter/ic-how-to-use.html
• Managing policies in XenDesktop 7: http://support.citrix.com/proddocs/topic/xendesktop-7/cds-policies-wrapper-rho.html
• Using group policy editor for XenDesktop 7 policies: http://support.citrix.com/proddocs/topic/xendesktop-7/cds-policies-use-gpmc.html
OWA 2013 feature support has been added for Clientless SSL VPN
Clientless SSL VPN supports the new features in OWA 2013 except for the following:
• Support for tablets and smartphones
• Offline mode
• Active Directory Federation Services (AD FS) 2.0. The ASA and AD FS 2.0 can't
negotiate encryption protocols.
We did not modify any commands.
We did not modify any screens.
Citrix XenDesktop 7.5 and
StoreFront 2.5 support has been
added for Clientless SSL VPN
Clientless SSL VPN supports the access of XenDesktop 7.5 and StoreFront 2.5.
See http://support.citrix.com/proddocs/topic/xenapp-xendesktop-75/cds-75-about-whats-new.html
for the full list of XenDesktop 7.5 features, and for more details.
See http://support.citrix.com/proddocs/topic/dws-storefront-25/dws-about.html for the full
list of StoreFront 2.5 features, and for more details.
We did not modify any commands.
We did not modify any screens.
Periodic certificate authentication
When you enable periodic certificate authentication, the ASA stores certificate chains received
from VPN clients and re-authenticates them periodically.
We introduced or modified the following commands: periodic-authentication certificate,
revocation-check, show vpn-sessiondb
We modified the following screens:
Configuration > Device Management > Certificate Management > Identity Certificates
Configuration > Device Management > Certificate Management > CA Certificates
Certificate expiration alerts
The ASA checks all CA and ID certificates in the trust points for expiration once every 24
hours. If a certificate is nearing expiration, a syslog will be issued as an alert. You can configure
the reminder and recurrence intervals. By default, reminders will start at 60 days prior to
expiration and recur every 7 days.
We introduced or modified the following commands: crypto ca alerts expiration
We modified the following screens:
Configuration > Device Management > Certificate Management > Identity Certificates
Configuration > Device Management > Certificate Management > CA Certificates
Enforcement of the basic constraints CA flag
Certificates without the CA flag now cannot be installed on the ASA as CA certificates by
default. The basic constraints extension identifies whether the subject of the certificate is a
CA and the maximum depth of valid certification paths that include this certificate. You can
configure the ASA to allow installation of these certificates if desired.
We introduced the following command: ca-check
We modified the following screens: Configuration > Device Management > Certificate
Management > CA Certificates
IKEv2 invalid selectors notification configuration
Currently, if the ASA receives an inbound packet on an SA, and the packet’s header fields
are not consistent with the selectors for the SA, then the ASA discards the packet. You can
now enable or disable sending an IKEv2 notification to the peer. Sending this notification is
disabled by default.
Note
This feature is supported with AnyConnect 3.1.06060 and later.
We introduced the following command: crypto ikev2 notify invalid-selectors
IKEv2 pre-shared key in Hex
You can now configure the IKEv2 pre-shared keys in hex.
We introduced the following command: ikev2 local-authentication pre-shared-key hex,
ikev2 remote-authentication pre-shared-key hex
Administrative Features
ASDM management authorization
You can now configure management authorization separately for HTTP access vs. Telnet and
SSH access.
We introduced the following command: aaa authorization http console
We modified the following screen: Configuration > Device Management > Users/AAA >
AAA Access > Authorization
ASDM Username From Certificate Configuration
When you enable ASDM certificate authentication (http authentication-certificate), you
can configure how ASDM extracts the username from the certificate; you can also enable
pre-filling the username at the login prompt.
We introduced the following command: http username-from-certificate
We introduced the following screen: Configuration > Device Management > Management
Access > HTTP Certificate Rule.
terminal interactive command to
enable or disable help when you
enter ? at the CLI
Normally, when you enter ? at the ASA CLI, you see command help. To be able to enter ?
as text within a command (for example, to include a ? as part of a URL), you can disable
interactive help using the no terminal interactive command.
We introduced the following command: terminal interactive
REST API Features
REST API Version 1.1
We added support for the REST API Version 1.1.
Support for token-based authentication (in addition to existing basic authentication)
Client can send log-in request to a specific URL; if successful, a token is returned (in response
header). Client then uses this token (in a special request header) for sending additional API
calls. The token is valid until explicitly invalidated, or the idle/session timeout is reached.
Limited multiple-context support
The REST API agent can now be enabled in multi-context mode; the CLI commands can be
issued only in system-context mode (same commands as single-context mode).
Pass-through CLI API commands can be used to configure any context, as follows.
https://<asa_admin_context_ip>/api/cli?context=<context_name>
If the context parameter is not present, it is assumed that the request is directed to the admin
context.
Advanced (granular) inspection
Granular inspection of these protocols is supported:
• DNS over UDP
• HTTP
• ICMP
• ICMP ERROR
• RTSP
• SIP
• FTP
• DCERPC
• IP Options
• NetBIOS Name Server over IP
• SQL*Net
New Features in Version 9.3
New Features in ASA 9.3(3)/ASDM 7.4(1)
Released: April 22, 2015
Feature
Description
Platform Features
Show invalid usernames in
syslog messages
You can now show invalid usernames in syslog messages for unsuccessful
login attempts. The default setting is to hide usernames when the username
is invalid or if the validity is unknown. If a user accidentally types a
password instead of a username, for example, then it is more secure to hide
the “username” in the resultant syslog message. You might want to show
invalid usernames to help with troubleshooting login issues.
We introduced the following command: no logging hide username
This feature is not supported in ASDM.
This feature is not available in 9.4(1).
New Features in ASA 9.3(2)/ASDM 7.3(3)
Released: February 2, 2015
Feature
Description
Platform Features
ASA FirePOWER software
module for the ASA 5506-X
You can configure ASA FirePOWER on the ASA 5506-X using ASDM; a
separate FireSIGHT Management Center is not required, although you can
use one instead of ASDM.
We introduced the following screens:
Home > ASA FirePOWER Dashboard
Home > ASA FirePOWER Reporting
Configuration > ASA FirePOWER Configuration
Monitoring > ASA FirePOWER Monitoring
New Features in ASA 9.3(2.200)/ASDM 7.3(2)
Released: December 18, 2014
Note
This release supports only the ASAv.
Feature
Description
Platform Features
ASAv with KVM and Virtio
You can deploy the ASAv using the Kernel-based Virtual Machine (KVM)
and the Virtio virtual interface driver.
New Features in ASA 9.3(2)/ASDM 7.3(2)
Released: December 18, 2014
Feature
Description
Platform Features
ASA 5506-X
We introduced the ASA 5506-X.
We introduced or modified the following commands: service
sw-reset-button, upgrade rommon, show environment temperature
accelerator
ASA FirePOWER software
module for the ASA 5506-X
You can configure ASA FirePOWER on the ASA 5506-X using ASDM; a
separate FireSIGHT Management Center is not required, although you can
use one instead of ASDM. Note: This feature requires ASDM 7.3(3).
We introduced the following screens:
Home > ASA FirePOWER Dashboard
Home > ASA FirePOWER Reporting
Configuration > ASA FirePOWER Configuration
Monitoring > ASA FirePOWER Monitoring
ASA FirePOWER passive
monitor-only mode using
traffic redirection interfaces
You can now configure a traffic forwarding interface to send traffic to the
module instead of using a service policy. In this mode, neither the module
nor the ASA affects the traffic.
We fully supported the following command: traffic-forward sfr
monitor-only. You can configure this in CLI only.
Mixed level SSPs in the ASA 5585-X
You can now use the following mixed level SSPs in the ASA 5585-X:
• ASA SSP-10/ASA FirePOWER SSP-40
• ASA SSP-20/ASA FirePOWER SSP-60
Requirements: ASA SSP in slot 0, ASA FirePOWER SSP in slot 1
ASA REST API 1.0.1
A REST API was added to support configuring and managing major
functions of the ASA.
We introduced or modified the following commands: rest-api image,
rest-api agent, show rest-api agent, debug rest-api, show version
Support for ASA image
signing and verification
ASA images are now signed using a digital signature. The digital signature
is verified after the ASA is booted.
We introduced the following commands: copy /noverify, verify
/image-signature, show software authenticity keys, show software
authenticity file, show software authenticity running, show software
authenticity development, software authenticity development, software
authenticity key add special, software authenticity key revoke special
This feature is not supported in ASDM.
Accelerated security path load balancing
The accelerated security path (ASP) load balancing mechanism reduces
packet drop and improves throughput by allowing multiple cores of the CPU
to receive packets from an interface receive ring and work on them
independently.
We introduced the following command: asp load-balance per-packet-auto
We introduced the following screen: Configuration > Device Management
> Advanced > ASP Load Balancing
Firewall Features
Configuration session for editing ACLs and objects. Forward referencing of objects
and ACLs in access rules.
You can now edit ACLs and objects in an isolated configuration session.
You can also forward reference objects and ACLs, that is, configure rules
and access groups for objects or ACLs that do not yet exist.
We introduced the following commands: clear configuration session, clear
session, configure session, forward-reference, show configuration session
This feature is not supported in ASDM.
SIP support for Trust
Verification Services, NAT66,
CUCM 10.5(1), and model
8831 phones.
You can now configure Trust Verification Services servers in SIP inspection.
You can also use NAT66. SIP inspection has been tested with CUCM
10.5(1).
We introduced the following command: trust-verification-server.
We introduced the following screen: Configuration > Firewall > Objects
> Inspection Maps > SIP > Add/Edit SIP Inspect Map > Details > TVS
Server
Unified Communications
support for CUCM 10.5(1)
SIP and SCCP inspections were tested and verified with Cisco Unified
Communications Manager 10.5(1).
Remote Access Features
Browser support for Citrix
VDI
We now support an HTML 5-based browser solution for accessing the Citrix
VDI, without requiring the Citrix Receiver client on the desktop.
Clientless SSL VPN for Mac
OSX 10.9
We now support Clientless SSL VPN features such as the rewriter, smart
tunnels, and plugins on all browsers that are supported on Mac OSX 10.9.
Interoperability with
standards-based, third-party,
IKEv2 remote access clients
We now support VPN connectivity via standards-based, third-party, IKEv2
remote-access clients (in addition to AnyConnect). Authentication support
includes preshared keys, certificates, and user authentication via the
Extensible Authentication Protocol (EAP).
We introduced or modified the following commands: ikev2
remote-authentication, ikev2 local-authentication, clear vpn-sessiondb,
show vpn-sessiondb, vpn-sessiondb logoff
We introduced or modified the following screens:
Wizards > IPsec IKEv2 Remote Access Wizard.
Configuration > Remote Access VPN > Network (Client) Access > IPsec
(IKEv2) Connection Profiles
Configuration > Remote Access VPN > Network (Client) Access > IPsec
(IKEv2) Connection Profiles > Add/Edit > Advanced > IPsec
Monitoring > VPN > VPN Statistics > Sessions
Transport Layer Security
(TLS) version 1.2 support
We now support TLS version 1.2 for secure message transmission for
ASDM, Clientless SSVPN, and AnyConnect VPN.
We introduced or modified the following commands: ssl client-version, ssl
server-version, ssl cipher, ssl trust-point, ssl dh-group, show ssl, show
ssl cipher, show vpn-sessiondb
We deprecated the following command: ssl encryption
We modified the following screens:
Configuration > Device Management > Advanced > SSL Settings
Configuration > Remote Access VPN > Advanced > SSL Settings
AnyConnect 4.0 support for TLS version 1.2
AnyConnect 4.0 now supports TLS version 1.2 with the following four additional cipher suites: DHE-RSA-AES256-SHA256, DHE-RSA-AES128-SHA256, AES256-SHA256, and AES128-SHA256.
Licensing Features
Cisco Smart Software
Licensing for the ASAv
Smart Software Licensing lets you purchase and manage a pool of licenses.
Unlike PAK licenses, smart licenses are not tied to a specific serial number.
You can easily deploy or retire ASAvs without having to manage each unit’s
license key. Smart Software Licensing also lets you see your license usage
and needs at a glance.
We introduced the following commands: clear configure license, debug
license agent, feature tier, http-proxy, license smart, license smart
deregister, license smart register, license smart renew, show license,
show running-config license, throughput level
We introduced or modified the following screens:
Configuration > Device Management > Licensing > Smart License
Configuration > Device Management > Smart Call-Home
Monitoring > Properties > Smart License
High Availability Features
Lock configuration changes on the standby unit or standby context in a failover pair
You can now lock configuration changes on the standby unit (Active/Standby failover) or the standby context (Active/Active failover) so you cannot make changes on the standby unit outside normal configuration syncing.
We introduced the following command: failover standby config-lock
We modified the following screen: Configuration > Device Management
> High Availability and Scalability > Failover > Setup
ASA clustering inter-site
deployment in transparent
mode with the ASA cluster
firewalling between inside
networks
You can now deploy a cluster in transparent mode between inside networks
and the gateway router at each site (AKA East-West insertion), and extend
the inside VLANs between sites. We recommend using Overlay Transport
Virtualization (OTV), but you can use any method that ensures that the
overlapping MAC Addresses and IP addresses of the gateway router do not
leak between sites. Use a First Hop Redundancy Protocol (FHRP) such as
HSRP to provide the same virtual MAC and IP addresses to the gateway
routers.
Interface Features
Traffic Zones
You can group interfaces together into a traffic zone to accomplish traffic
load balancing (using Equal Cost Multi-Path (ECMP) routing), route
redundancy, and asymmetric routing across multiple interfaces.
Note
You cannot apply a security policy to a named zone; the security policy is interface-based. When interfaces in a zone are configured with the same access rule, NAT, and service policy, then load-balancing and asymmetric routing operate correctly.
We introduced or modified the following commands: zone, zone-member, show running-config zone, clear configure zone, show zone, show asp table zone, show nameif zone, show conn long, show local-host zone, show route zone, show asp table routing, clear conn zone, clear local-host zone
We introduced or modified the following screens:
Configuration > Device Setup > Interface Parameters > Zones
Configuration > Device Setup > Interface Parameters > Interfaces
Routing Features
BGP support for IPv6
We added support for IPv6.
We introduced or modified the following commands: address-family ipv6, bgp router-id, ipv6 prefix-list, ipv6 prefix-list description, ipv6 prefix-list sequence-number, match ipv6 next-hop, match ipv6 route-source, match ipv6-address prefix-list, set ipv6-address prefix-list, set ipv6 next-hop, set ipv6 next-hop peer-address
We introduced the following screen: Configuration > Device Setup >
Routing > BGP > IPv6 Family
Monitoring Features
SNMP MIBs and traps
The CISCO-PRODUCTS-MIB and
CISCO-ENTITY-VENDORTYPE-OID-MIB have been updated to support
the new ASA 5506-X.
The ASA 5506-X has been added as a new product to the SNMP sysObjectID OID and entPhysicalVendorType OID.
The ASA now supports the CISCO-CONFIG-MAN-MIB, which enables
you to do the following:
• Know which commands have been entered for a specific configuration.
• Notify the NMS when a change has occurred in the running
configuration.
• Track the time stamps associated with the last time that the running
configuration was changed or saved.
• Track other changes to commands, such as terminal details and
command sources.
We modified the following command: snmp-server enable traps
We modified the following screen: Configuration > Device Management
> Management Access > SNMP > Configure Traps > SNMP Trap
Configuration
Showing route summary
information for
troubleshooting
The show route-summary command output has been added to the show
tech-support detail command.
Management Features
System backup and restore
We now support complete system backup and restoration using the CLI.
We introduced the following commands: backup, restore
We did not modify any screens. This functionality is already available in
ASDM.
New Features in ASA 9.3(1)/ASDM 7.3(1)
Released: July 24, 2014
Note
The ASA 5505 is not supported in this release or later. ASA Version 9.2 was the final release for the ASA
5505.
Firewall Features
SIP, SCCP, and TLS Proxy support for IPv6
You can now inspect IPv6 traffic when using SIP, SCCP, and TLS Proxy (using SIP or SCCP).
We did not modify any commands.
We did not modify any ASDM screens.
Support for Cisco Unified
Communications Manager 8.6
The ASA now interoperates with Cisco Unified Communications
Manager Version 8.6 (including SCCPv21 support).
We did not modify any commands.
We did not modify any ASDM screens.
Transactional Commit Model on rule engine for access groups and NAT
When enabled, a rule update is applied after the rule compilation is completed, without affecting the rule matching performance.
We introduced the following commands: asp rule-engine
transactional-commit, show running-config asp rule-engine
transactional-commit, clear configure asp rule-engine
transactional-commit
We introduced the following screen: Configuration > Device
Management > Advanced > Rule Engine
Remote Access Features
XenDesktop 7 Support for clientless
SSL VPN
We added support for XenDesktop 7 to clientless SSL VPN. When
creating a bookmark with auto sign-on, you can now specify a
landing page URL or a Control ID.
We did not modify any commands.
We modified the following screen: Configuration > Remote Access
VPN > Clientless SSL VPN Access > Portal > Bookmarks
AnyConnect Custom Attribute
Enhancements
Custom attributes define and configure AnyConnect features that
have not been incorporated into the ASA, such as Deferred Upgrade.
Custom attribute configuration has been enhanced to allow multiple
values and longer values, and now requires a specification of their
type, name and value. They can now be added to Dynamic Access
Policies as well as Group Policies. Previously defined custom
attributes will be updated to this enhanced configuration format
upon upgrade to 9.3.x.
We introduced or modified the following commands:
anyconnect-custom-attr, anyconnect-custom-data, and
anyconnect-custom
We introduced or modified the following screens:
Configuration > Remote Access VPN > Network (Client) Access
> Advanced > AnyConnect Custom Attributes
Configuration > Remote Access VPN > Network (Client) Access
> Advanced > AnyConnect Custom Attribute Names
Configuration > Remote Access VPN > Network (Client) Access
> Group Policies > Add/Edit > Advanced > AnyConnect Client
> Custom Attributes
Configuration > Remote Access VPN > Network (Client) Access
> Dynamic Access Policies > Add/Edit > AnyConnect Custom
Attributes
AnyConnect Identity Extensions
(ACIDex) for Desktop Platforms
ACIDex, also known as AnyConnect Endpoint Attributes or Mobile
Posture, is the method used by the AnyConnect VPN client to
communicate posture information to the ASA. Dynamic Access
Policies use these endpoint attributes to authorize users.
The AnyConnect VPN client now provides Platform identification
for the desktop operating systems (Windows, Mac OS X, and Linux)
and a pool of MAC Addresses which can be used by DAPs.
We did not modify any commands.
We modified the following screen: Configuration > Remote Access
VPN > Dynamic Access Policies > Add/Edit > Add/Edit (endpoint
attribute), select AnyConnect for the Endpoint Attribute Type.
Additional operating systems are in the Platform drop-down list
and MAC Address has changed to Mac Address Pool.
TrustSec SGT Assignment for VPN
TrustSec Security Group Tags (SGT) can now be added to the
SGT-IP table on the ASA when a remote user connects.
We introduced the following new command: security-group-tag
value
We introduced or modified the following screens:
Configuration > Remote Access VPN > AAA/Local Users > Local
Users > Edit User > VPN Policy
Configuration > Remote Access VPN > Network (Client) Access
> Group Policies > Add a Policy
High Availability Features
Improved support for monitoring
module health in clustering
We added improved support for monitoring module health in
clustering.
We modified the following command: show cluster info health
We did not modify any ASDM screens.
Disable health monitoring of a
hardware module
By default, the ASA monitors the health of an installed hardware
module such as the ASA FirePOWER module. If you do not want
a hardware module failure to trigger failover, you can disable module
monitoring.
We modified the following command: monitor-interface
service-module
We modified the following screen: Configuration > Device
Management > High Availability and Scalability > Failover >
Interfaces
Platform Features
ASP Load Balancing
The new auto option in the asp load-balance per-packet command
enables the ASA to adaptively switch ASP load balancing per-packet
on and off on each interface receive ring. This automatic mechanism
detects whether or not asymmetric traffic has been introduced and
helps avoid the following issues:
• Overruns caused by sporadic traffic spikes on flows
• Overruns caused by bulk flows oversubscribing specific
interface receive rings
• Overruns caused by relatively heavily overloaded interface
receive rings, in which a single core cannot sustain the load
We introduced or modified the following commands: asp
load-balance per-packet auto, show asp load-balance per-packet,
show asp load-balance per-packet history, and clear asp
load-balance history
We did not modify any ASDM screens.
SNMP MIBs
The CISCO-REMOTE-ACCESS-MONITOR-MIB now supports
the ASASM.
Interface Features
Transparent mode bridge group
maximum increased to 250
The bridge group maximum was increased from 8 to 250 bridge
groups. You can configure up to 250 bridge groups in single mode
or per context in multiple mode, with 4 interfaces maximum per
bridge group.
We modified the following commands: interface bvi, bridge-group
We modified the following screens:
Configuration > Device Setup > Interfaces
Configuration > Device Setup > Interfaces > Add/Edit Bridge
Group Interface
Configuration > Device Setup > Interfaces > Add/Edit Interface
Routing Features
BGP support for ASA clustering
We added support for BGP with ASA clustering.
We introduced the following new command: bgp router-id
clusterpool
We modified the following screen: Configuration > Device Setup
> Routing > BGP > IPv4 Family > General
BGP support for nonstop forwarding
We added support for BGP Nonstop Forwarding.
We introduced the following new commands: bgp graceful-restart,
neighbor ha-mode graceful-restart
We modified the following screens:
Configuration > Device Setup > Routing > BGP > General
Configuration > Device Setup > Routing > BGP > IPv4 Family
> Neighbor
Monitoring > Routing > BGP Neighbors
BGP support for advertised maps
We added support for BGPv4 advertised map.
We introduced the following new command: neighbor advertise-map
We modified the following screen: Configuration > Device Setup
> Routing > BGP > IPv4 Family > Neighbor > Add BGP
Neighbor > Routes
OSPF Support for Non-Stop
Forwarding (NSF)
OSPFv2 and OSPFv3 support for NSF was added.
We added the following commands: capability, nsf cisco, nsf cisco
helper, nsf ietf, nsf ietf helper, nsf ietf helper strict-lsa-checking,
graceful-restart, graceful-restart helper, graceful-restart helper
strict-lsa-checking
We added the following screens:
Configuration > Device Setup > Routing > OSPF > Setup > NSF
Properties
Configuration > Device Setup > Routing > OSPFv3 > Setup >
NSF Properties
AAA Features
Layer 2 Security Group Tag Imposition
You can now use security group tagging combined with Ethernet tagging to enforce policies. SGT plus Ethernet Tagging, also called Layer 2 SGT Imposition, enables the ASA to send and receive security group tags on Gigabit Ethernet interfaces using Cisco proprietary Ethernet framing (Ether Type 0x8909), which allows the insertion of source security group tags into plain-text Ethernet frames.
We introduced or modified the following commands: cts manual,
policy static sgt, propagate sgt, cts role-based sgt-map, show cts
sgt-map, packet-tracer, capture, show capture, show asp drop,
show asp table classify, show running-config all, clear configure
all, and write memory
We modified the following screens:
Configuration > Device Setup > Interfaces > Add Interface >
Advanced
Configuration > Device Setup > Interfaces > Add Redundant
Interface > Advanced
Configuration > Device Setup > Add Ethernet Interface >
Advanced
Wizards > Packet Capture Wizard
Tools > Packet Tracer
Removal of AAA Windows NT
domain authentication
We removed NTLM support for remote access VPN users.
We deprecated the following command: aaa-server protocol nt
We modified the following screen: Configuration > Remote Access
VPN > AAA/Local Users > AAA Server Groups > Add AAA
Server Group
ASDM Identity Certificate Wizard
When using the current Java version, the ASDM Launcher requires
a trusted certificate. An easy approach to fulfill the certificate
requirements is to install a self-signed identity certificate. The ASDM
Identity Certificate Wizard makes creating a self-signed identity
certificate easy. When you first launch ASDM and do not have a
trusted certificate, you are prompted to launch ASDM with Java
Web Start; this new wizard starts automatically. After creating the
identity certificate, you need to register it with the Java Control
Panel. See https://www.cisco.com/go/asdm-certificate for
instructions.
We added the following screen: Wizards > ASDM Identity
Certificate Wizard
Monitoring Features
Monitoring Aggregated Traffic for
Physical Interfaces
The show traffic command output has been updated to include
aggregated traffic for physical interfaces information. To enable this
feature, you must first enter the sysopt traffic detailed-statistics
command.
show tech support enhancements
The show tech support command now includes show resource
usage count all 1 output, including information about xlates, conns,
inspects, syslogs, and so on. This information is helpful for
diagnosing performance issues.
We modified the following command: show tech support
We did not add or modify any screens.
ASDM can save Botnet Traffic Filter reports as HTML instead of PDF
ASDM can no longer save Botnet Traffic Filter reports as PDF files; it can instead save them as HTML.
The following screen was modified: Monitoring > Botnet Traffic
Filter
New Features in Version 9.2
New Features in ASA 9.2(4)/ASDM 7.4(3)
Released: July 16, 2015
Feature
Description
Platform Features
Show invalid usernames in syslog
messages
You can now show invalid usernames in syslog messages for
unsuccessful login attempts. The default setting is to hide usernames
when the username is invalid or if the validity is unknown. If a user
accidentally types a password instead of a username, for example,
then it is more secure to hide the “username” in the resultant syslog
message. You might want to show invalid usernames to help with
troubleshooting login issues.
We introduced the following command: no logging hide username
We modified the following screen: Configuration > Device
Management > Logging > Syslog Setup
DHCP features
DHCP Relay server validates the
DHCP Server Identifier for replies
If the ASA DHCP relay server receives a reply from an incorrect
DHCP server, it now verifies that the reply is from the correct server
before acting on the reply.
Monitoring Features
NAT-MIB
cnatAddrBindNumberOfEntries and
cnatAddrBindSessionCount OIDs to
allow polling for Xlate count.
Support was added for the NAT-MIB
cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount
OIDs to support xlate_count and max_xlate_count for SNMP.
This data is equivalent to the show xlate count command.
We did not modify any ASDM screens.
Also available in 8.4(5) and 9.1(5).
New Features in ASA 9.2(3)/ASDM 7.3(1.101)
Released: December 15, 2014
Feature
Description
Remote Access Features
Clientless SSL VPN session cookie
access restriction
You can now prevent a Clientless SSL VPN session cookie from being accessed by a third party through a client-side script such as JavaScript.
Note
Use this feature only if Cisco TAC advises you to do so.
Enabling this command presents a security risk because
the following Clientless SSL VPN features will not work
without any warning.
• Java plug-ins
• Java rewriter
• Port forwarding
• File browser
• Sharepoint features that require desktop applications
(for example, MS Office applications)
• AnyConnect Web launch
• Citrix Receiver, XenDesktop, and Xenon
• Other non-browser-based and browser plugin-based
applications
We introduced the following command: http-only-cookie
We introduced the following screen: Configuration > Remote
Access VPN > Clientless SSL VPN Access > Advanced > HTTP
Cookie
New Features in ASA 9.2(2.4)/ASDM 7.2(2)
Released: August 12, 2014
Note
Version 9.2(2) was removed from Cisco.com due to build issues; please upgrade to Version 9.2(2.4) or
later.
Feature
Description
Platform Features
ASA 5585-X (all models) support for the matching ASA FirePOWER SSP hardware module.
ASA 5512-X through ASA 5555-X support for the ASA FirePOWER software module.
The ASA FirePOWER module supplies next-generation firewall services, including Next-Generation IPS (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP). You can use the module in single or multiple context mode, and in routed or transparent mode.
We introduced or modified the following commands: capture
interface asa_dataplane, debug sfr, hw-module module 1 reload,
hw-module module 1 reset, hw-module module 1 shutdown,
session do setup host ip, session do get-config, session do
password-reset, session sfr, sfr, show asp table classify domain
sfr, show capture, show conn, show module sfr, show
service-policy, sw-module sfr.
We introduced the following screens:
Home > ASA FirePOWER Status
Wizards > Startup Wizard > ASA FirePOWER Basic
Configuration
Configuration > Firewall > Service Policy Rules > Add Service
Policy Rule > Rule Actions > ASA FirePOWER Inspection
Remote Access Features
Internet Explorer 11 browser support
on Windows 8.1 and Windows 7 for
clientless SSL VPN
We added support for Internet Explorer 11 with Windows 7 and Windows 8.1 for clientless SSL VPN.
We did not modify any commands.
We did not modify any screens.
New Features in ASA 9.2(1)/ASDM 7.2(1)
Released: April 24, 2014
Note
The ASA 5510, ASA 5520, ASA 5540, ASA 5550, and ASA 5580 are not supported in this release or
later. ASA Version 9.1 was the final release for these models.
Feature
Description
Platform Features
The Cisco Adaptive Security Virtual Appliance (ASAv) has been added as a new platform to the ASA series.
The ASAv brings full firewall functionality to virtualized environments to secure data center traffic and multi-tenant environments. The ASAv runs on VMware vSphere. You can manage and monitor the ASAv using ASDM or the CLI.
Routing Features
BGP Support
We now support the Border Gateway Protocol (BGP). BGP is an inter-autonomous-system routing protocol. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISPs).
We introduced the following commands: router bgp, bgp
maxas-limit, bgp log-neighbor-changes, bgp transport
path-mtu-discovery, bgp fast-external-fallover, bgp
enforce-first-as, bgp asnotation dot, timers bgp, bgp default
local-preference, bgp always-compare-med, bgp bestpath
compare-routerid, bgp deterministic-med, bgp bestpath med
missing-as-worst, policy-list, match as-path, match community,
match metric, match tag, as-path access-list, community-list,
address-family ipv4, bgp router-id, distance bgp, table-map,
bgp suppress-inactive, bgp redistribute-internal, bgp scan-time,
bgp nexthop, aggregate-address, neighbor, bgp inject-map, show
bgp, show bgp cidr-only, show bgp all community, show bgp all
neighbors, show bgp community, show bgp community-list, show
bgp filter-list, show bgp injected-paths, show bgp ipv4 unicast,
show bgp neighbors, show bgp paths, show bgp pending-prefixes,
show bgp prefix-list, show bgp regexp, show bgp replication,
show bgp rib-failure, show bgp route-map, show bgp summary,
show bgp system-config, show bgp update-group, clear route
network, maximum-path, network.
We modified the following commands: show route, show route
summary, show running-config router, clear config router, clear
route all, timers lsa arrival, timers pacing, timers throttle,
redistribute bgp.
We introduced the following screens:
Configuration > Device Setup > Routing > BGP
Monitoring > Routing > BGP Neighbors, Monitoring > Routing
> BGP Routes
We modified the following screens:
Configuration > Device Setup > Routing > Static Routes > Add > Add Static Route
Configuration > Device Setup > Routing > Route Maps > Add > Add Route Map
Static route for Null0 interface
Sending traffic to a Null0 interface results in dropping the packets
destined to the specified network. This feature is useful in
configuring Remotely Triggered Black Hole (RTBH) for BGP.
We modified the following command: route.
We modified the following screen: Configuration > Device Setup > Routing > Static Routes > Add > Add Static Route
OSPF support for Fast Hellos
OSPF supports the Fast Hello Packets feature, which results in faster convergence in an OSPF network.
We modified the following command: ospf dead-interval
We modified the following screen: Configuration > Device Setup
> Routing > OSPF > Interface > Edit OSPF Interface Advanced
properties
New OSPF Timers
New OSPF timers were added; old ones were deprecated.
We introduced the following commands: timers lsa arrival, timers
pacing, timers throttle.
We removed the following commands: timers spf, timers
lsa-grouping-pacing
We modified the following screen: Configuration > Device Setup
> Routing > OSPF > Setup > Edit OSPF Process Advanced
Properties
OSPF Route filtering using ACL
Route filtering using ACL is now supported.
We introduced the following command: distribute-list
We introduced the following screen: Configuration > Device Setup
> Routing > OSPF > Filtering Rules > Add Filter Rules
OSPF Monitoring enhancements
Additional OSPF monitoring information was added.
We modified the following commands: show ospf events, show
ospf rib, show ospf statistics, show ospf border-routers [detail],
show ospf interface brief
OSPF redistribute BGP
OSPF redistribution feature was added.
We added the following command: redistribute bgp
We added the following screen: Configuration > Device Setup >
Routing > OSPF > Redistribution
EIGRP Auto-Summary
For EIGRP, the Auto-Summary field is now disabled by default.
We modified the following screen: Configuration > Device Setup
> Routing > EIGRP > Setup > Edit EIGRP Process Advanced
Properties
High Availability Features
Support for cluster members at
different geographical locations
(inter-site) for transparent mode
You can now place cluster members at different geographical
locations when using Spanned EtherChannel mode in transparent
firewall mode. Inter-site clustering with spanned EtherChannels in
routed firewall mode is not supported.
We did not modify any commands.
We did not modify any ASDM screens.
Static LACP port priority support for clustering
Some switches do not support dynamic port priority with LACP (active and standby links). You can now disable dynamic port priority to provide better compatibility with spanned EtherChannels.
You should also follow these guidelines:
• Network elements on the cluster control link path should not
verify the L4 checksum. Redirected traffic over the cluster
control link does not have a correct L4 checksum. Switches
that verify the L4 checksum could cause traffic to be dropped.
• Port-channel bundling downtime should not exceed the
configured keepalive interval.
We introduced the following command: clacp static-port-priority.
We modified the following screen: Configuration > Device
Management > High Availability and Scalability > ASA Cluster
Support for 32 active links in a
spanned EtherChannel for clustering
ASA EtherChannels now support up to 16 active links. With spanned EtherChannels, that functionality is extended to support up to 32 active links across the cluster when used with two switches in a vPC and when you disable dynamic port priority. The switches must support EtherChannels with 16 active links, for example, the Cisco Nexus 7000 with F2-Series 10 Gigabit Ethernet Module.
For switches in a VSS or vPC that support 8 active links, you can
now configure 16 active links in the spanned EtherChannel (8
connected to each switch). Previously, the spanned EtherChannel
only supported 8 active links and 8 standby links, even for use with
a VSS/vPC.
Note
If you want to use more than 8 active links in a spanned EtherChannel, you cannot also have standby links; the support for 9 to 32 active links requires you to disable cLACP dynamic port priority that allows the use of standby links.
We introduced the following command: clacp static-port-priority.
We modified the following screen: Configuration > Device
Management > High Availability and Scalability > ASA Cluster
Support for 16 cluster members for the ASA 5585-X
The ASA 5585-X now supports 16-unit clusters.
We did not modify any commands.
We did not modify any ASDM screens.
Support for clustering with the Cisco
Nexus 9300
The ASA supports clustering when connected to the Cisco Nexus
9300.
Remote Access Features
ISE Change of Authorization
The ISE Change of Authorization (CoA) feature provides a
mechanism to change the attributes of an authentication,
authorization, and accounting (AAA) session after it is established.
When a policy changes for a user or user group in AAA, CoA
packets can be sent directly to the ASA from the ISE to reinitialize
authentication and apply the new policy. An Inline Posture
Enforcement Point (IPEP) is no longer required to apply access
control lists (ACLs) for each VPN session established with the ASA.
When an end user requests a VPN connection the ASA authenticates
the user to the ISE and receives a user ACL that provides limited
access to the network. An accounting start message is sent to the
ISE to register the session. Posture assessment occurs directly
between the NAC agent and the ISE. This process is transparent to
the ASA. The ISE sends a policy update to the ASA via a CoA
“policy push.” This identifies a new user ACL that provides increased
network access privileges. Additional policy evaluations may occur
during the lifetime of the connection, transparent to the ASA, via
subsequent CoA updates.
We introduced the following commands: dynamic-authorization,
authorize-only, debug radius dynamic-authorization.
We modified the following commands: without-csd [anyconnect],
interim-accounting-update [periodic [interval]].
We removed the following commands: nac-policy, eou,
nac-settings.
We modified the following screen: Configuration > Remote Access
VPN > AAA/Local Users > AAA Server Groups > Add/Edit AAA
Server Group
Improved clientless rewriter HTTP 1.1 compression handling
The rewriter has been changed so that if the client supports compressed content and the content will not be rewritten, then it will accept compressed content from the server. If the content must be rewritten and it is identified as being compressed, it will be decompressed, rewritten, and if the client supports it, recompressed.
We did not introduce or modify any commands.
We did not introduce or modify any ASDM screens.
OpenSSL upgrade
The version of OpenSSL on the ASA will be updated to version
1.0.1e.
Note
We disabled the heartbeat option, so the ASA is not vulnerable to the Heartbleed Bug.
We did not introduce or modify any commands.
We did not introduce or modify any ASDM screens.
Interface Features
Support for 16 active links in an
EtherChannel
You can now configure up to 16 active links in an EtherChannel. Previously, you could have 8 active links and 8 standby links. Be sure your switch can support 16 active links (for example, the Cisco Nexus 7000 with F2-Series 10 Gigabit Ethernet Module).
Note
If you upgrade from an earlier ASA version, the maximum active interfaces is set to 8 for compatibility purposes (the lacp max-bundle command).
We modified the following commands: lacp max-bundle and port-channel min-bundle.
We modified the following screen: Configuration > Device Setup
> Interfaces > Add/Edit EtherChannel Interface > Advanced.
Maximum MTU is now 9198 bytes
The maximum MTU that the ASA can use is 9198 bytes (check for
your model’s exact limit at the CLI help). This value does not include
the Layer 2 header. Formerly, the ASA let you specify the maximum
MTU as 65535 bytes, which was inaccurate and could cause
problems. If your MTU was set to a value higher than 9198, then
the MTU is automatically lowered when you upgrade. In some cases,
this MTU change can cause an MTU mismatch; be sure to set any
connecting equipment to use the new MTU value.
We modified the following command: mtu
We modified the following screen: Configuration > Device Setup
> Interface Settings > Interfaces > Edit Interface > Advanced
Also in Version 9.1(6).
Monitoring Features
Embedded Event Manager (EEM)
The EEM feature enables you to debug problems and provides
general purpose logging for troubleshooting. The EEM responds to
events in the EEM system by performing actions. There are two
components: events that the EEM triggers, and event manager applets
that define actions. You may add multiple events to each event
manager applet, which triggers it to invoke the actions that have
been configured on it.
We introduced or modified the following commands: event manager
applet, description, event syslog id, event none, event timer,
event crashinfo, action cli command, output, show
running-config event manager, event manager run, show event
manager, show counters protocol eem, clear configure event
manager, debug event manager, debug menu eem.
We introduced the following screens: Configuration > Device
Management > Advanced > Embedded Event Manager, Monitoring
> Properties > EEM Applets.
SNMP hosts, host groups, and user lists
You can now add up to 4000 hosts. The number of supported active
polling destinations is 128. You can specify a network object to
indicate the individual hosts that you want to add as a host group.
You can associate more than one user with one host.
We introduced or modified the following commands: snmp-server
host-group, snmp-server user-list, show running-config
snmp-server, clear configure snmp-server.
We modified the following screen: Configuration > Device
Management > Management Access > SNMP.
SNMP message size
The limit on the message size that SNMP sends has been increased
to 1472 bytes.
SNMP OIDs and MIBs
The ASA now supports the cpmCPUTotal5minRev OID.
The ASAv has been added as a new product to the SNMP
sysObjectID OID and entPhysicalVendorType OID.
The CISCO-PRODUCTS-MIB and
CISCO-ENTITY-VENDORTYPE-OID-MIB have been updated to
support the new ASAv platform.
Administrative Features
Improved one-time password authentication
Administrators who have sufficient authorization privileges may
enter privileged EXEC mode by entering their authentication
credentials once. The auto-enable option was added to the aaa
authorization exec command.
We modified the following command: aaa authorization exec.
We modified the following screen: Configuration > Device
Management > Users/AAA > AAA Access > Authorization.
Auto Update Server certificate verification enabled by default
The Auto Update Server certificate verification is now enabled by default; for new configurations, you must explicitly disable certificate verification. If you are upgrading from an earlier release and you did not enable certificate verification, then certificate verification is not enabled, and you see the following warning:
WARNING: The certificate provided by the auto-update
servers will not be verified.
In order to verify this certificate please use the
verify-certificate option.
The configuration will be migrated to explicitly configure no verification:
auto-update server no-verification
Without verification the ASA cannot distinguish the legitimate Auto Update Server from an impostor that could push it a modified configuration or image, so treat the migrated no-verification setting as temporary and switch to verify-certificate once the server's certificate chain is trusted by the ASA.
We modified the following command: auto-update server
[verify-certificate | no-verification].
We modified the following screen: Configuration > Device
Management > System/Image Configuration > Auto Update > Add
Auto Update Server.
New Features in Version 9.1
New Features in ASA 9.1(7.4)/ASDM 7.5(2.153)
Released: February 19, 2016
Note
Version 9.1(7) was removed from Cisco.com due to build issues; please upgrade to Version 9.1(7.4) or
later.
Feature
Description
Remote Access Features
Clientless SSL VPN session cookie access restriction
You can now prevent a Clientless SSL VPN session cookie from being accessed by a third party through a client-side script such as JavaScript.
Note
Use this feature only if Cisco TAC advises you to do so. Enabling this command presents a security risk because the following Clientless SSL VPN features stop working, without any warning:
• Java plug-ins
• Java rewriter
• Port forwarding
• File browser
• Sharepoint features that require desktop applications (for example, MS Office applications)
• AnyConnect Web launch
• Citrix Receiver, XenDesktop, and Xenon
• Other non-browser-based and browser plugin-based applications
We introduced the following command: http-only-cookie.
We introduced the following screen: Configuration > Remote Access VPN
> Clientless SSL VPN Access > Advanced > HTTP Cookie.
This feature is also in 9.2(3) and 9.4(1).
Configurable SSH encryption and HMAC algorithm
Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms.
We introduced the following commands: ssh cipher encryption and ssh
cipher integrity.
No ASDM support.
Clientless SSL VPN cache disabled by default
The clientless SSL VPN cache is now disabled by default. Disabling the clientless SSL VPN cache provides better stability. If you want to enable the cache, you must manually enable it:
webvpn
 cache
  no disable
We modified the following command: cache
We modified the following screen: Configuration > Remote Access VPN
> Clientless SSL VPN Access > Advanced > Content Cache
Also available in 9.5(2).
HTTP redirect support for IPv6
When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can now redirect traffic sent to an IPv6 address.
We added functionality to the following command: http redirect
We added functionality to the following screen: Configuration > Device
Management > HTTP Redirect
Administrative Features
show tech support enhancements
The show tech support command now:
• Includes dir all-filesystems output—This output can be helpful in the
following cases:
◦SSL VPN configuration: check if the required resources are on
the ASA
◦Crash: check for the date timestamp and presence of a crash file
• Includes show resource usage count all 1 output—Includes information
about xlates, conns, inspects, syslogs, and so on. This information is
helpful for diagnosing performance issues.
• Removes the show kernel cgroup-controller detail output—This
command output will remain in the output of show tech-support detail.
We modified the following command: show tech support
We did not add or modify any screens.
Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB
The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported. This is a table of memory pool monitoring entries for all physical entities on a managed system.
Note
The CISCO-ENHANCED-MEMPOOL-MIB uses 64-bit counters and supports reporting of memory on platforms with more than 4GB of RAM.
We did not add or modify any commands.
We did not add or modify any screens.
New Features in ASA 9.1(6)/ASDM 7.1(7)
Released: March 2, 2015
Feature
Description
Interface Features
Maximum MTU is now 9198 bytes
The maximum MTU that the ASA can use is 9198 bytes (check for your model’s exact limit at the CLI help). This value does not include the Layer 2 header. Formerly, the ASA let you specify the maximum MTU as 65535 bytes, which was inaccurate and could cause problems. If your MTU was set to a value higher than 9198, then the MTU is automatically lowered when you upgrade. In some cases, this MTU change can cause an MTU mismatch; be sure to set any connecting equipment to use the new MTU value.
We modified the following command: mtu
We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Edit Interface > Advanced
New Features in ASA 9.1(5)/ASDM 7.1(6)
Released: March 31, 2014
Feature
Description
Administrative Features
Secure Copy client
The ASA now supports the Secure Copy (SCP) client to transfer files to and from an SCP server.
We introduced the following commands: ssh pubkey-chain, server (ssh pubkey-chain), key-string, key-hash, ssh stricthostkeycheck.
We modified the following command: copy scp.
The ssh pubkey-chain and ssh stricthostkeycheck commands let you store the SCP server's host key (or its hash) on the ASA and have the client check the presented key against it, so a server that presents an unknown key is not trusted silently.
We modified the following screens:
Tools > File Management > File Transfer > Between Remote Server and Flash
Configuration > Device Management > Management Access > File Access >
Secure Copy (SCP) Server
Improved one-time password authentication
Administrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once. The auto-enable option was added to the aaa authorization exec command.
We modified the following command: aaa authorization exec.
We modified the following screen: Configuration > Device Management >
Users/AAA > AAA Access > Authorization.
Firewall Features
Transactional Commit Model on rule engine for access groups
When enabled, a rule update is applied after the rule compilation is completed, without affecting the rule matching performance.
We introduced the following commands: asp rule-engine transactional-commit, show running-config asp rule-engine transactional-commit, clear configure asp rule-engine transactional-commit.
We introduced the following screen: Configuration > Device Management >
Advanced > Rule Engine.
Monitoring Features
SNMP hosts, host groups, and user lists
You can now add up to 4000 hosts. The number of supported active polling
destinations is 128. You can specify a network object to indicate the individual
hosts that you want to add as a host group. You can associate more than one user
with one host.
We introduced or modified the following commands: snmp-server host-group,
snmp-server user-list, show running-config snmp-server, clear configure
snmp-server.
We modified the following screen: Configuration > Device Management >
Management Access > SNMP.
NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to allow polling for xlate count
Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and
cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count
for SNMP.
This data is equivalent to the show xlate count command.
We did not modify any ASDM screens.
Also available in 8.4(5).
Remote Access Features
AnyConnect DTLS single session performance improvement
UDP traffic, such as streaming media, was being affected by a high number of dropped packets when sent over an AnyConnect DTLS connection. For example, this could result in streaming video playing poorly or stopping completely. The reason for this was the relatively small size of the flow control queue.
We increased the DTLS flow-control queue size and offset this by reducing the admin crypto queue size. For TLS sessions, the priority of the crypto command was increased to high to compensate for this change. For both DTLS and TLS sessions, the session now persists even if packets are dropped. This prevents media streams from closing and ensures that the number of dropped packets is comparable with other connection methods.
We did not modify any commands.
We did not modify any ASDM screens.
Webtype ACL enhancements
We introduced URL normalization. URL normalization is an additional security feature that includes path normalization, case normalization, and scheme normalization. URLs specified in an ACE and in the portal address bar are normalized before comparison when making decisions on WebVPN traffic filtering.
For example, if you have an https://calo.cisco.com/checkout/Devices bookmark, an https://calo.cisco.com/checkout/Devices/* entry in a webtype ACL appeared to match it. Now that URL normalization has been introduced, both the bookmark URL and the webtype ACL entry are normalized before comparison. In this example, https://calo.cisco.com/checkout/Devices is normalized to https://calo.cisco.com/checkout/Devices (unchanged) and https://calo.cisco.com/checkout/Devices/* stays the same, so the two do not match.
You must configure the following to meet the requirement:
• To permit the bookmark URL (https://calo.cisco.com/checkout/Devices), configure the ACL to permit that URL.
• To permit the URLs within the Devices folder, configure the ACL to permit https://calo.cisco.com/checkout/Devices/*.
We did not modify any commands.
We did not modify any ASDM screens.
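The normalize-then-compare step described above, shown as an added Python illustration (this is not Cisco code and does not reproduce the ASA's implementation). It goes a little beyond the bookmark example by also folding scheme and host case, dropping an explicit default port, and resolving dot-segments, which is what stops a URL such as HTTPS://CALO.CISCO.COM:443/checkout/./Devices/../Devices/Router1 from evading a match. The function names, the representation of an ACL as a list of (action, pattern) pairs, the decision to case-normalize only the scheme and host, and the sample URLs are assumptions made for this example.

```python
"""Added example (not Cisco code): webtype ACL matching after URL normalization.

Assumptions for this illustration: an ACL is a list of (action, pattern)
pairs evaluated first-match-wins with an implicit deny; '*' in a pattern
matches any run of characters, including '/'; case normalization applies to
the scheme and host only, so path segments such as 'Devices' stay
case-sensitive.
"""
import posixpath
import re
from typing import List, Tuple
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_url(url: str) -> str:
    """Scheme and host lowercased, default port dropped, dot-segments and
    duplicate slashes in the path resolved. The query string is kept as-is."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    path = parts.path or "/"
    keep_slash = path.endswith("/") and path != "/"
    path = "/" + path.lstrip("/")           # avoid POSIX's special-cased leading '//'
    path = posixpath.normpath(path)         # '/a/./b/../c//d' -> '/a/c/d'
    if keep_slash:
        path += "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def match_webtype_ace(pattern: str, url: str) -> bool:
    """Both sides are normalized before comparison; '*' is the only wildcard."""
    regex = "^" + re.escape(normalize_url(pattern)).replace(r"\*", ".*") + "$"
    return re.match(regex, normalize_url(url)) is not None


def evaluate_webtype_acl(acl: List[Tuple[str, str]], url: str) -> str:
    """First matching ACE decides; an ACL with no match denies."""
    for action, pattern in acl:
        if match_webtype_ace(pattern, url):
            return action
    return "deny"


# Constructed ACLs for the scenario in the text.
ACL_FOLDER_ONLY = [("permit", "https://calo.cisco.com/checkout/Devices/*")]
ACL_BOTH = [
    ("permit", "https://calo.cisco.com/checkout/Devices"),
    ("permit", "https://calo.cisco.com/checkout/Devices/*"),
]

if __name__ == "__main__":
    bookmark = "https://calo.cisco.com/checkout/Devices"
    print(evaluate_webtype_acl(ACL_FOLDER_ONLY, bookmark))   # deny
    print(evaluate_webtype_acl(ACL_BOTH, bookmark))          # permit
    # Evasion attempt: mixed case, explicit default port, dot-segments.
    sneaky = "HTTPS://CALO.CISCO.COM:443/checkout/./Devices/../Devices/Router1"
    print(normalize_url(sneaky))  # https://calo.cisco.com/checkout/Devices/Router1
```

The deny for the bare bookmark under ACL_FOLDER_ONLY is the behaviour the text describes; the same normalization also makes a deny ACE for the Devices folder hold against case- and dot-segment tricks, which is the security point of the feature.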
New Features in ASA 9.1(4)/ASDM 7.1(5)
Released: December 9, 2013
Feature
Description
Remote Access Features
HTML5 WebSocket proxying
HTML5 WebSockets provide persistent connections between clients and servers.
During the establishment of the clientless SSL VPN connection, the handshake
appears to the server as an HTTP Upgrade request. The ASA will now proxy this
request to the backend and provide a relay after the handshake is complete.
Gateway mode is not currently supported.
We did not modify any commands.
We did not modify any ASDM screens.
Inner IPv6 for IKEv2
IPv6 traffic can now be tunneled through IPsec/IKEv2 tunnels. This makes the ASA to AnyConnect VPN connections fully IPv6 compliant. GRE is used when both IPv4 and IPv6 traffic are being tunneled, and when both the client and headend support GRE. For a single traffic type, or when GRE is not supported by the client or the headend, we use straight IPsec.
Note
This feature requires AnyConnect Client Version 3.1.05 or later.
Output of the show ipsec sa and show vpn-sessiondb detail anyconnect commands has been updated to reflect the assigned IPv6 address, and to indicate the GRE Transport Mode security association when doing IKEv2 dual traffic.
Note
The vpn-filter command must now be used for both IPv4 and IPv6 ACLs. If the deprecated ipv6-vpn-filter command is used to configure IPv6 ACLs, the connection will be terminated.
We did not modify any ASDM screens.
Mobile Devices running Citrix Server Mobile have additional connection options
Support for mobile devices connecting to a Citrix server through the ASA now includes selection of a tunnel-group, and RSA SecurID for authorization. Allowing mobile users to select different tunnel-groups allows the administrator to use different authentication methods.
We introduced the application-type command to configure the default tunnel group for VDI connections when a Citrix Receiver user does not choose a tunnel-group. A none action was added to the vdi command to disable VDI configuration for a particular group policy or user.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > VDI Access.
Split-tunneling supports exclude ACLs
Split-tunneling of VPN traffic has been enhanced to support both exclude and include ACLs. Exclude ACLs were previously ignored.
Note
This feature requires AnyConnect Client Version 3.1.03103 or later.
We did not modify any commands.
We did not modify any ASDM screens.
High Availability and Scalability Features
ASA 5500-X support for clustering
The ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X now support 2-unit clusters. Clustering for 2 units is enabled by default in the base license; for the ASA 5512-X, you need the Security Plus license.
We did not modify any commands.
We did not modify any ASDM screens.
Improved VSS and vPC support for health check monitoring
If you configure the cluster control link as an EtherChannel (recommended), and it is connected to a VSS or vPC pair, you can now increase stability with health check monitoring. For some switches, such as the Nexus 5000, when one unit in the VSS/vPC is shutting down or booting up, EtherChannel member interfaces connected to that switch may appear to be Up to the ASA, but they are not passing traffic on the switch side. The ASA can be erroneously removed from the cluster if you set the ASA holdtime timeout to a low value (such as .8 seconds), and the ASA sends keepalive messages on one of these EtherChannel interfaces. When you enable the VSS/vPC health check feature, the ASA floods the keepalive messages on all EtherChannel interfaces in the cluster control link to ensure that at least one of the switches can receive them.
We modified the following command: health-check [vss-enabled]
We modified the following screen: Configuration > Device Management > High
Availability and Scalability > ASA Cluster
Support for cluster members at different geographical locations (inter-site); Individual Interface mode only
You can now place cluster members at different geographical locations when
using individual interface mode. See the configuration guide for inter-site
guidelines.
We did not modify any commands.
We did not modify any ASDM screens.
Support for clustering with the Cisco Nexus 5000 and Cisco Catalyst 3750-X
The ASA supports clustering when connected to the Cisco Nexus 5000 and Cisco Catalyst 3750-X.
We modified the following command: health-check [vss-enabled]
We modified the following screen: Configuration > Device Management > High
Availability and Scalability > ASA Cluster
Basic Operation Features
DHCP rebind function
During the DHCP rebind phase, the client now attempts to rebind to other DHCP servers in the tunnel group list. Prior to this release, the client did not rebind to an alternate server when the DHCP lease failed to renew.
We introduced the following commands: show ip address dhcp lease proxy, show ip address dhcp lease summary, and show ip address dhcp lease server.
We introduced the following screen: Monitoring > Interfaces > DHCP > DHCP Lease Information.
Troubleshooting Features
Crashinfo dumps include AK47 framework information
Application Kernel Layer 4 to 7 (AK47) framework-related information is now available in crashinfo dumps. A new option, ak47, has been added to the debug menu command to help in debugging AK47 framework issues. The framework-related information in the crashinfo dump includes the following:
• Creating an AK47 instance.
• Destroying an AK47 instance.
• Generating a crashinfo with a memory manager frame.
• Generating a crashinfo after fiber stack overflow.
• Generating a crashinfo after a local variable overflow.
• Generating a crashinfo after an exception has occurred.
New Features in ASA 9.1(3)/ASDM 7.1(4)
Released: September 18, 2013
Feature
Description
Module Features
Support for the ASA CX module in multiple context mode
You can now configure ASA CX service policies per context on the ASA.
Note
Although you can configure per-context ASA service policies, the ASA CX module itself (configured in PRSM) is a single context mode device; the context-specific traffic coming from the ASA is checked against the common ASA CX policy.
Requires ASA CX 9.2(1) or later.
We did not modify any commands.
We did not modify any ASDM screens.
ASA 5585-X with SSP-40 and -60 support for the ASA CX SSP-40 and -60
ASA CX SSP-40 and -60 modules can be used with the matching level ASA 5585-X with SSP-40 and -60.
Requires ASA CX 9.2(1) or later.
We did not modify any commands.
We did not modify any screens.
Filtering packets captured on the ASA CX backplane
You can now filter packets that have been captured on the ASA CX backplane using the match or access-list keyword with the capture interface asa_dataplane command. Control traffic specific to the ASA CX module is not affected by the access-list or match filtering; the ASA captures all control traffic. In multiple context mode, configure the packet capture per context. Note that all control traffic in multiple context mode goes only to the system execution space. Because control traffic cannot be filtered using an access list or match, these options are not available in the system execution space.
Requires ASA CX 9.2(1) or later.
We modified the following command: capture interface asa_dataplane.
A new option, Use backplane channel, was added to the Ingress Traffic Selector
screen and the Egress Selector screen, in the Packet Capture Wizard to enable
filtering of packets that have been captured on the ASA CX backplane.
Monitoring Features
Ability to view top 10 memory users
You can now view the top bin sizes allocated and the top 10 PCs for each allocated
bin size. Previously, you had to enter multiple commands to see this information
(the show memory detail command and the show memory binsize command);
the new command provides for quicker analysis of memory issues.
We introduced the following command: show memory top-usage.
We did not modify any ASDM screens.
Also available in 8.4(6).
Smart Call Home
We added a new type of Smart Call Home message to support ASA clustering.
A Smart Call Home clustering message is sent for only the following three events:
• When a unit joins the cluster
• When a unit leaves the cluster
• When a cluster unit becomes the cluster master
Each message that is sent includes the following information:
• The active cluster member count
• The output of the show cluster info command and the show cluster history
command on the cluster master
We modified the following commands: show call-home, show running-config
call-home.
We did not modify any ASDM screens.
Also available in 9.0(3).
Remote Access Features
user-storage value command password is now encrypted in show commands
The password in the user-storage value command is now encrypted when you
enter show running-config.
We modified the following command: user-storage value.
We modified the following screen: Configuration > Remote Access VPN >
Clientless SSL VPN Access > Group Policies > More Options > Session
Settings.
Also available in 8.4(6).
New Features in ASA 9.1(2)/ASDM 7.1(3)
Released: May 14, 2013
Note
Features added in 8.4(6) are not included in 9.1(2) unless they are explicitly listed in this table.
Feature
Description
Certification Features
FIPS and Common Criteria certifications
The FIPS 140-2 Non-Proprietary Security Policy was updated as part of the Level
2 FIPS 140-2 validation for the Cisco ASA series, which includes the
Cisco ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580, ASA
5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X,
and the ASA Services Module.
The Common Criteria Evaluation Assurance Level 4 (EAL4) was updated, which
provides the basis for a specific Target of Evaluation (TOE) of the Cisco ASA
and VPN platform solutions.
Encryption Features
Support for IPsec LAN-to-LAN tunnels to encrypt failover and state link communications
Instead of using the proprietary encryption for the failover key (the failover key command), you can now use an IPsec LAN-to-LAN tunnel for failover and state link encryption.
Note
Failover LAN-to-LAN tunnels do not count against the IPsec (Other VPN) license.
We introduced or modified the following commands: failover ipsec
pre-shared-key, show vpn-sessiondb.
We modified the following screen: Configuration > Device Management >
High Availability > Failover > Setup.
Additional ephemeral Diffie-Hellman ciphers for SSL encryption
The ASA now supports the following ephemeral Diffie-Hellman (DHE) SSL cipher suites:
• DHE-AES128-SHA1
• DHE-AES256-SHA1
These cipher suites are specified in RFC 3268, Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS).
When supported by the client, DHE is the preferred cipher because it provides Perfect Forward Secrecy. See the following limitations:
• DHE is not supported on SSL 3.0 connections, so make sure to also enable TLS 1.0 for the SSL server.
!! set server version
ciscoasa(config)# ssl server-version tlsv1 sslv3
!! set client version
ciscoasa(config)# ssl client-version any
• Some popular applications do not support DHE, so include at least one other SSL encryption method to ensure that a cipher suite common to both the SSL client and server can be used.
• Some clients may not support DHE, including AnyConnect 2.5 and 3.0, Cisco Secure Desktop, and Internet Explorer 9.0.
The commands above reflect the protocol versions available when this feature shipped; SSL 3.0 has since been shown to be insecure (POODLE, CVE-2014-3566) and should not be enabled on current deployments.
We modified the following command: ssl encryption.
We modified the following screen: Configuration > Device Management >
Advanced > SSL Settings.
Also available in 8.4(4.1).
Management Features
Support for administrator password policy when using the local database
When you configure authentication for CLI or ASDM access using the local database, you can configure a password policy that requires a user to change their password after a specified amount of time and also requires password standards such as a minimum length and the minimum number of changed characters.
We introduced the following commands: change-password, password-policy
lifetime, password-policy minimum changes, password-policy
minimum-length, password-policy minimum-lowercase, password-policy
minimum-uppercase, password-policy minimum-numeric, password-policy
minimum-special, password-policy authenticate enable, clear configure
password-policy, show running-config password-policy.
We introduced the following screen: Configuration > Device Management >
Users/AAA > Password Policy.
Also available in 8.4(4.1).
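The policy knobs listed above, modelled as a small checker you can run against candidate passwords. This is an added example, not Cisco code, and it does not reproduce how the ASA enforces the policy internally. Assumptions: the minimum-changes rule is counted as characters of the new password that occur nowhere in the old one (position-independent); special characters are ASCII punctuation; a lifetime of 0 means the password never expires; the default values and the two sample policies are illustrative.

```python
"""Added example (not Cisco code): a checker modelled on the ASA local
password-policy knobs.

Assumptions: the 'minimum changes' rule counts characters of the new
password that occur nowhere in the old one (position-independent);
special characters are ASCII punctuation; a lifetime of 0 means the
password never expires; the default values below are illustrative.
"""
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    lifetime_days: int = 0        # password-policy lifetime
    minimum_changes: int = 0      # password-policy minimum-changes
    minimum_length: int = 3       # password-policy minimum-length
    minimum_lowercase: int = 0    # password-policy minimum-lowercase
    minimum_uppercase: int = 0    # password-policy minimum-uppercase
    minimum_numeric: int = 0      # password-policy minimum-numeric
    minimum_special: int = 0      # password-policy minimum-special


def changed_characters(old: str, new: str) -> int:
    """Characters in `new` that appear nowhere in `old` (assumed counting rule)."""
    return sum(1 for ch in new if ch not in old)


def check_password(policy: PasswordPolicy, old: str, new: str) -> List[str]:
    """Return the violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(new) < policy.minimum_length:
        problems.append(f"minimum-length: {len(new)} < {policy.minimum_length}")
    changes = changed_characters(old, new)
    if changes < policy.minimum_changes:
        problems.append(f"minimum-changes: {changes} < {policy.minimum_changes}")
    classes = [
        ("minimum-lowercase", policy.minimum_lowercase, sum(c.islower() for c in new)),
        ("minimum-uppercase", policy.minimum_uppercase, sum(c.isupper() for c in new)),
        ("minimum-numeric", policy.minimum_numeric, sum(c.isdigit() for c in new)),
        ("minimum-special", policy.minimum_special, sum(c in string.punctuation for c in new)),
    ]
    for name, needed, have in classes:
        if have < needed:
            problems.append(f"{name}: {have} < {needed}")
    return problems


def password_expired(set_on_iso: str, today_iso: str, policy: PasswordPolicy) -> bool:
    """True once `lifetime_days` have elapsed since the password was set (ISO dates)."""
    if policy.lifetime_days == 0:
        return False
    set_on = date.fromisoformat(set_on_iso)
    return date.fromisoformat(today_iso) >= set_on + timedelta(days=policy.lifetime_days)


# A default-like policy beside a hardened one.
DEFAULT_POLICY = PasswordPolicy()
HARDENED_POLICY = PasswordPolicy(lifetime_days=90, minimum_changes=4, minimum_length=12,
                                 minimum_lowercase=1, minimum_uppercase=1,
                                 minimum_numeric=1, minimum_special=1)

if __name__ == "__main__":
    print(check_password(HARDENED_POLICY, "Summer2013!", "Summer2014!"))
    print(check_password(HARDENED_POLICY, "Summer2013!", "Tq7#rainbow-Gate"))
```

The first call shows why minimum-changes matters: "Summer2014!" differs from "Summer2013!" by a single character and passes the default policy, but fails the hardened one on both length and number of changed characters.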
Support for SSH public key authentication
You can now enable public key authentication for SSH connections to the ASA on a per-user basis. You can specify a public key file (PKF) formatted key or a Base64 key. The PKF key can be up to 4096 bits. Use PKF format for keys that are too large for the ASA's Base64 key support (up to 2048 bits).
We introduced the following commands: ssh authentication.
We introduced the following screens:
Configuration > Device Management > Users/AAA > User Accounts > Edit
User Account > Public Key Authentication and Configuration > Device
Management > Users/AAA > User Accounts > Edit User Account > Public
Key Using PKF.
Also available in 8.4(4.1); PKF key format support is only in 9.1(2).
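Before choosing between the Base64 and PKF forms you need the key's modulus size, which an OpenSSH public key line does not state directly. The following added example (not Cisco code, and not a description of the ASA's own parser) reads the SSH wire encoding of an ssh-rsa key (RFC 4253 string and mpint fields: the string "ssh-rsa", then e, then n) and returns which entry form the release note's limits allow. The constructed key uses a synthetic modulus of a chosen bit length so the example runs offline; it is not a usable key pair, and the function names are assumptions for this example.

```python
"""Added example (not Cisco code): size an OpenSSH RSA public key to decide
whether it fits the ASA's Base64 key form (up to 2048 bits, per the text)
or must be entered in PKF format (up to 4096 bits).

The key line is parsed as the SSH wire format (RFC 4253 string/mpint
encoding): string "ssh-rsa", mpint e, mpint n. The constructed key below
uses a synthetic modulus of a chosen bit length so the example runs offline;
it is not a usable key pair. Function names are assumptions for this example.
"""
import base64
import struct
from typing import Tuple


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Positive mpint: big-endian bytes with a leading 0x00 when the top bit is set."""
    if value == 0:
        return _ssh_string(b"")
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated SSH key blob")
    return blob[start:start + length], start + length


def rsa_modulus_bits(pubkey_line: str) -> int:
    """Bit length of the RSA modulus in an 'ssh-rsa AAAA... comment' line."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, offset = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type does not match the line prefix")
    _exponent, offset = _read_string(blob, offset)
    modulus, _ = _read_string(blob, offset)
    return int.from_bytes(modulus, "big").bit_length()


def asa_key_format(pubkey_line: str) -> str:
    """'base64' for keys up to 2048 bits, 'pkf' for keys up to 4096 bits."""
    bits = rsa_modulus_bits(pubkey_line)
    if bits <= 2048:
        return "base64"
    if bits <= 4096:
        return "pkf"
    raise ValueError(f"{bits}-bit key exceeds the 4096-bit PKF limit")


def make_constructed_key(bits: int) -> str:
    """Constructed test key (synthetic modulus, NOT a real key) of `bits` length."""
    modulus = (1 << (bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed@example"


if __name__ == "__main__":
    for size in (2048, 3072, 4096):
        print(size, asa_key_format(make_constructed_key(size)))
```

The parser only sizes the key; it does not validate the key mathematically, and how the chosen form is then entered on the ASA follows the configuration guide for the ssh authentication command.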
AES-CTR encryption for SSH
The SSH server implementation in the ASA now supports AES-CTR mode encryption.
Improved SSH rekey interval
An SSH connection is rekeyed after 60 minutes of connection time or 1 GB of
data traffic.
We introduced the following command: show ssh sessions detail.
Support for Diffie-Hellman Group 14 for the SSH Key Exchange
Support for Diffie-Hellman Group 14 for SSH Key Exchange was added. Formerly, only Group 1 was supported. Group 1 (diffie-hellman-group1-sha1) uses a 1024-bit modulus that is no longer considered adequate; Group 14 uses a 2048-bit modulus and should be selected wherever the SSH clients support it.
We introduced the following command: ssh key-exchange.
We modified the following screen: Configuration > Device Management >
Management Access > ASDM/HTTPS/Telnet/SSH.
Also available in 8.4(4.1).
Support for a maximum number of management sessions
You can set the maximum number of simultaneous ASDM, SSH, and Telnet sessions.
We introduced the following commands: quota management-session, show
running-config quota management-session, show quota management-session.
We introduced the following screen: Configuration > Device Management >
Management Access > Management Session Quota.
Also available in 8.4(4.1).
Support for a pre-login banner in ASDM
Administrators can define a message that appears before a user logs into ASDM for management access. This customizable content is called a pre-login banner, and can notify users of special requirements or important information.
The default Telnet password was removed
To improve security for management access to the ASA, the default login password for Telnet was removed; you must manually set the password before you can log in using Telnet. Note: The login password is only used for Telnet if you do not configure Telnet user authentication (the aaa authentication telnet console command). Telnet also carries the password and the whole session in cleartext, so prefer SSH for management access wherever possible.
Formerly, when you cleared the password, the ASA restored the default of “cisco.”
Now when you clear the password, the password is removed.
The login password is also used for Telnet sessions from the switch to the ASASM
(see the session command). For initial ASASM access, you must use the
service-module session command, until you set a login password.
We modified the following command: passwd.
We did not modify any ASDM screens.
Also available in 9.0(2).
Platform Features
Support for Power-On Self-Test (POST)
The ASA runs its power-on self-test at boot time even if it is not running in FIPS
140-2-compliant mode.
Additional tests have been added to the POST to address the changes in the
AES-GCM/GMAC algorithms, ECDSA algorithms, PRNG, and Deterministic
Random Bit Generator Validation System (DRBGVS).
Improved pseudo-random number generation (PRNG)
The X9.31 implementation has been upgraded to use AES-256 encryption instead of 3DES encryption to comply with the Network Device Protection Profile (NDPP) in single-core ASAs.
Support for image verification
Support for SHA-512 image integrity checking was added.
We modified the following command: verify.
We did not modify any ASDM screens.
Also available in 8.4(4.1).
Support for private VLANs on the ASA Services Module
You can use private VLANs with the ASASM. Assign the primary VLAN to the
ASASM; the ASASM automatically handles secondary VLAN traffic. There is
no configuration required on the ASASM for this feature; see the switch
configuration guide for more information.
CPU profile enhancements
The cpu profile activate command now supports the following:
• Delayed start of the profiler until triggered (global or specific thread CPU%)
• Sampling of a single thread
We modified the following command: cpu profile activate [n-samples] [sample-process process-name] [trigger cpu-usage cpu% [process-name]].
We did not modify any ASDM screens.
Also available in 8.4(6).
DHCP Features
DHCP relay servers per interface (IPv4 only)
You can now configure DHCP relay servers per-interface, so requests that enter a given interface are relayed only to servers specified for that interface. IPv6 is not supported for per-interface DHCP relay.
We introduced or modified the following commands: dhcprelay server (interface
config mode), clear configure dhcprelay, show running-config dhcprelay.
We modified the following screen: Configuration > Device Management >
DHCP > DHCP Relay.
DHCP trusted interfaces
You can now configure interfaces as trusted interfaces to preserve DHCP Option 82. DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the ASA DHCP relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (which specifies the DHCP relay agent address that is set by the relay agent before it forwards the packet to the server) is set to 0, then the ASA drops that packet by default. You can now preserve Option 82 and forward the packet by identifying an interface as a trusted interface. Mark an interface as trusted only when the device inserting Option 82 on it is one you control: on an untrusted segment a client could otherwise insert its own Option 82 and spoof the circuit or remote ID that downstream DHCP snooping relies on.
We introduced or modified the following commands: dhcprelay information trusted, dhcprelay information trust-all, show running-config dhcprelay.
We modified the following screen: Configuration > Device Management >
DHCP > DHCP Relay.
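The default-drop rule described above (Option 82 already present while giaddr is still 0) is easiest to follow as code. The following Python is an added example written for this page, not Cisco's implementation of the dhcprelay commands: it parses a constructed DHCPDISCOVER, reads giaddr and Option 82 from the BOOTP layout, and applies the trusted-interface decision the description gives. Field offsets follow RFC 2131; the relay address 192.0.2.1, the transaction ID and the circuit-id bytes are made-up values.

```python
"""Model of a DHCP relay agent's Option 82 / giaddr decision (constructed example)."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional

GIADDR_OFFSET = 24       # giaddr occupies bytes 24..27 of the BOOTP header
OPTIONS_OFFSET = 240     # 236-byte fixed header followed by the 4-byte magic cookie
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 82, 255
ZERO_ADDR = IPv4Address("0.0.0.0")


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area into {option code: raw value}; rejects truncated options."""
    if packet[OPTIONS_OFFSET - 4:OPTIONS_OFFSET] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts: Dict[int, bytes] = {}
    i = OPTIONS_OFFSET
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def giaddr_of(packet: bytes) -> IPv4Address:
    """Return the relay agent address field of the BOOTP header."""
    return IPv4Address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])


@dataclass
class RelayDecision:
    action: str                       # "forward" or "drop"
    reason: str
    giaddr: Optional[IPv4Address]     # giaddr the packet would be forwarded with


def relay_decision(packet: bytes, ingress_trusted: bool, relay_ip: IPv4Address) -> RelayDecision:
    """Decide what the relay does with a client request arriving on a given interface.

    Option 82 already present while giaddr is still 0 is accepted only when the
    ingress interface has been marked trusted; otherwise the packet is dropped.
    """
    opts = parse_options(packet)
    giaddr = giaddr_of(packet)
    if giaddr != ZERO_ADDR:
        # Already relayed by another agent: forward as-is, giaddr untouched.
        return RelayDecision("forward", "giaddr already set by an upstream relay", giaddr)
    if OPT_RELAY_AGENT_INFO in opts and not ingress_trusted:
        return RelayDecision("drop", "Option 82 present with giaddr 0 on an untrusted interface", None)
    reason = ("Option 82 preserved, ingress interface is trusted" if OPT_RELAY_AGENT_INFO in opts
              else "no Option 82, first-hop relay")
    return RelayDecision("forward", reason, relay_ip)


def build_discover(giaddr: str, with_option82: bool) -> bytes:
    """Build a minimal DHCPDISCOVER (constructed test input, not a captured packet)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 1, 1, 6                      # BOOTREQUEST, Ethernet, hlen 6
    hdr[4:8] = struct.pack("!I", 0x12345678)               # xid (made up)
    hdr[GIADDR_OFFSET:GIADDR_OFFSET + 4] = IPv4Address(giaddr).packed
    hdr[28:34] = bytes.fromhex("001122334455")             # chaddr (made up)
    opts = bytes([OPT_MSG_TYPE, 1, 1])                     # message type DISCOVER
    if with_option82:
        circuit_id = bytes([1, 4]) + b"\x00\x04\x00\x07"    # sub-option 1: circuit-id (made up)
        opts += bytes([OPT_RELAY_AGENT_INFO, len(circuit_id)]) + circuit_id
    return bytes(hdr) + MAGIC_COOKIE + opts + bytes([OPT_END])


def demo() -> Dict[str, RelayDecision]:
    """Run the four cases the description distinguishes."""
    relay = IPv4Address("192.0.2.1")   # relay's own interface address (documentation range)
    return {
        "opt82_untrusted": relay_decision(build_discover("0.0.0.0", True), False, relay),
        "opt82_trusted": relay_decision(build_discover("0.0.0.0", True), True, relay),
        "plain_untrusted": relay_decision(build_discover("0.0.0.0", False), False, relay),
        "opt82_prerelayed": relay_decision(build_discover("10.0.0.1", True), False, relay),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:18} -> {d.action:7} giaddr={d.giaddr}  ({d.reason})")
```

The trust flag stands in for the per-interface setting; a trust-all configuration corresponds to passing True for every ingress interface. The pre-relayed case shows why the check is keyed on giaddr rather than on Option 82 alone: a packet that already carries a relay address is not the suspicious case.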
Module Features
ASA 5585-X support for network modules
The ASA 5585-X now supports additional interfaces on network modules in slot
1. You can install one or two of the following optional network modules:
• ASA 4-port 10G Network Module
• ASA 8-port 10G Network Module
• ASA 20-port 1G Network Module
Also available in 8.4(4.1).
ASA 5585-X DC power supply support
Support was added for the ASA 5585-X DC power supply.
Also available in 8.4(5).
Support for ASA CX monitor-only mode for demonstration purposes
For demonstration purposes only, you can enable monitor-only mode for the
service policy, which forwards a copy of traffic to the ASA CX module, while
the original traffic remains unaffected.
Another option for demonstration purposes is to configure a traffic-forwarding
interface instead of a service policy in monitor-only mode. The traffic-forwarding
interface sends all traffic directly to the ASA CX module, bypassing the ASA.
We modified or introduced the following commands: cxsc {fail-close | fail-open}
monitor-only, traffic-forward cxsc monitor-only.
We modified the following screen: Configuration > Firewall > Service Policy
Rules > Add Service Policy Rule > Rule Actions > ASA CX Inspection.
The traffic-forwarding feature is supported by CLI only.
Support for the ASA CX module and NAT 64
You can now use NAT 64 in conjunction with the ASA CX module.
We did not modify any commands.
We did not modify any ASDM screens.
NetFlow Features
Support for NetFlow flow-update events and an expanded set of NetFlow templates
In addition to adding the flow-update events, there are now NetFlow templates
that allow you to track flows that experience a change to their IP version with
NAT, as well as IPv6 flows that remain IPv6 after NAT.
Two new fields were added for IPv6 translation support.
Several NetFlow field IDs were changed to their IPFIX equivalents.
For more information, see the Cisco ASA Implementation Note for NetFlow
Collectors.
Firewall Features
EtherType ACL support for IS-IS traffic (transparent firewall mode)
In transparent firewall mode, the ASA can now pass IS-IS traffic using an
EtherType ACL.
We modified the following command: access-list ethertype {permit | deny}
is-is.
We modified the following screen: Configuration > Device Management >
Management Access > EtherType Rules.
Also available in 8.4(5).
Decreased the half-closed timeout minimum value to 30 seconds
The half-closed timeout minimum value for both the global timeout and connection
timeout was lowered from 5 minutes to 30 seconds to provide better DoS
protection.
We modified the following commands: set connection timeout half-closed,
timeout half-closed.
We modified the following screens:
Configuration > Firewall > Service Policy Rules > Connection Settings
Configuration > Firewall > Advanced > Global Timeouts.
Remote Access Features
IKE security and performance improvements
The number of IPsec-IKE security associations (SAs) can be limited for IKE v1
now, as well as IKE v2.
We modified the following command: crypto ikev1 limit.
We modified the following screen: Configuration > Site-to-Site VPN >
Advanced > IKE Parameters.
The IKE v2 Nonce size has been increased to 64 bytes.
There are no ASDM screen or CLI changes.
For IKE v2 on Site-to-Site, a new algorithm ensures that the encryption algorithm
used by child IPsec SAs is not higher strength than the parent IKE. Higher strength
algorithms will be downgraded to the IKE level.
This new algorithm is enabled by default. We recommend that you do not disable
this feature.
We introduced the following command: crypto ipsec ikev2
sa-strength-enforcement.
We did not modify any ASDM screens.
For Site-to-Site, IPsec data-based rekeying can be disabled.
We modified the following command: crypto ipsec security-association.
We modified the following screen: Configuration > Site-to-Site > IKE
Parameters.
Improved Host Scan and ASA Interoperability
Host Scan and the ASA use an improved process to transfer posture attributes
from the client to the ASA. This gives the ASA more time to establish a VPN
connection with the client and apply a dynamic access policy.
Also available in 8.4(5).
Clientless SSL VPN: Windows 8 Support
This release adds support for Windows 8 x86 (32-bit) and Windows 8 x64 (64-bit)
operating systems.
We support the following browsers on Windows 8:
• Internet Explorer 10 (desktop only)
• Firefox (all supported Windows 8 versions)
• Chrome (all supported Windows 8 versions)
See the following limitations:
• Internet Explorer 10:
◦ The Modern (AKA Metro) browser is not supported.
◦ If you enable Enhanced Protected Mode, we recommend that you add
the ASA to the trusted zone.
◦ If you enable Enhanced Protected Mode, Smart Tunnel and Port
Forwarder are not supported.
• A Java Remote Desktop Protocol (RDP) plugin connection to a Windows 8
PC is not supported.
Also available in 9.0(2).
Cisco Secure Desktop: Windows 8 Support
CSD 3.6.6215 was updated to enable selection of Windows 8 in the Prelogin
Policy operating system check.
See the following limitations:
• Secure Desktop (Vault) is not supported with Windows 8.
Also available in 9.0(2).
Dynamic Access Policies: Windows 8 Support
ASDM was updated to enable selection of Windows 8 in the DAP Operating
System attribute.
Also available in 9.0(2).
Monitoring Features
NSEL
Flow-update events have been introduced to provide periodic byte counters for
flow traffic. You can change the time interval at which flow-update events are
sent to the NetFlow collector. You can filter to which collectors flow-update
records will be sent.
We introduced or modified the following commands: flow-export active
refresh-interval, flow-export event-type.
We modified the following screens:
Configuration > Device Management > Logging > NetFlow.
Configuration > Firewall > Service Policy Rules > Add Service Policy Rule
Wizard - Rule Actions > NetFlow > Add Flow Event
Also available in 8.4(5).
New Features in ASA 9.1(1)/ASDM 7.1(1)
Released: December 3, 2012
Note
Features added in 8.4(4.x), 8.4(5), 8.4(6), and 9.0(2) are not included in 9.1(1) unless they were listed in
the 9.0(1) feature table.
Feature
Description
Module Features
Support for the ASA CX SSP for the ASA 5512-X through ASA 5555-X
We introduced support for the ASA CX SSP software module for
the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and
ASA 5555-X. The ASA CX software module requires a Cisco solid
state drive (SSD) on the ASA. For more information about the SSD,
see the ASA 5500-X hardware guide.
We modified the following commands: session cxsc, show module
cxsc, sw-module cxsc.
We did not modify any screens.
New Features in Version 9.0
New Features in ASA 9.0(4)/ASDM 7.1(4)
There were no new features in ASA 9.0(4)/ASDM 7.1(4).
New Features in ASA 9.0(3)/ASDM 7.1(3)
Released: July 22, 2013
Note
Features added in 8.4(4.x), 8.4(5), and 8.4(6) are not included in 9.0(3) unless they were listed in the 9.0(1)
feature table.
Feature
Description
Monitoring Features
Smart Call Home
We added a new type of Smart Call Home message to support ASA
clustering.
A Smart Call Home clustering message is sent for only the following
three events:
• When a unit joins the cluster
• When a unit leaves the cluster
• When a cluster unit becomes the cluster master
Each message that is sent includes the following information:
• The active cluster member count
• The output of the show cluster info command and the show
cluster history command on the cluster master
New Features in ASA 9.0(2)/ASDM 7.1(2)
Released: February 25, 2013
Note
Features added in 8.4(4.x), 8.4(5), and 8.4(6) are not included in 9.0(2) unless they were listed in the 9.0(1)
feature table.
Feature
Description
Remote Access Features
Clientless SSL VPN: Windows 8 Support
This release adds support for Windows 8 x86 (32-bit) and Windows
8 x64 (64-bit) operating systems.
We support the following browsers on Windows 8:
• Internet Explorer 10 (desktop only)
• Firefox (all supported Windows 8 versions)
• Chrome (all supported Windows 8 versions)
See the following limitations:
• Internet Explorer 10:
◦ The Modern (AKA Metro) browser is not supported.
◦ If you enable Enhanced Protected Mode, we recommend
that you add the ASA to the trusted zone.
◦ If you enable Enhanced Protected Mode, Smart Tunnel
and Port Forwarder are not supported.
• A Java Remote Desktop Protocol (RDP) plugin connection to
a Windows 8 PC is not supported.
Management Features
The default Telnet password was removed
To improve security for management access to the ASA, the default
login password for Telnet was removed; you must manually set the
password before you can log in using Telnet. Note: The login
password is only used for Telnet if you do not configure Telnet user
authentication (the aaa authentication telnet console command).
Formerly, when you cleared the password, the ASA restored the
default of “cisco.” Now when you clear the password, the password
is removed.
The login password is also used for Telnet sessions from the switch
to the ASASM (see the session command). For initial ASASM
access, you must use the service-module session command, until
you set a login password.
We modified the following command: passwd.
We did not modify any ASDM screens.
New Features in ASA 9.0(1)/ASDM 7.0(1)
Released: October 29, 2012
Note
Features added in 8.4(4.x), 8.4(5), and 8.4(6) are not included in 9.0(1) unless they are explicitly listed in
this table.
Feature
Description
Firewall Features
Cisco TrustSec integration
Cisco TrustSec provides an access-control solution that builds upon
an existing identity-aware infrastructure to ensure data confidentiality
between network devices and integrate security access services on
one platform. In the Cisco TrustSec solution, enforcement devices
utilize a combination of user attributes and end-point attributes to
make role-based and identity-based access control decisions.
In this release, the ASA integrates with Cisco TrustSec to provide
security group based policy enforcement. Access policies within the
Cisco TrustSec domain are topology-independent, based on the roles
of source and destination devices rather than on network IP
addresses.
The ASA can utilize the Cisco TrustSec solution for other types of
security group based policies, such as application inspection; for
example, you can configure a class map containing an access policy
based on a security group.
We introduced or modified the following commands: access-list
extended, cts sxp enable, cts server-group, cts sxp default, cts
sxp retry period, cts sxp reconcile period, cts sxp connection
peer, cts import-pac, cts refresh environment-data, object-group
security, security-group, show running-config cts, show
running-config object-group, clear configure cts, clear configure
object-group, show cts, show object-group, show conn
security-group, clear cts, debug cts.
We introduced the following MIB: CISCO-TRUSTSEC-SXP-MIB.
We introduced or modified the following screens:
Configuration > Firewall > Identity by TrustSec
Configuration > Firewall > Objects > Security Groups Object
Groups
Configuration > Firewall > Access Rules > Add Access Rules
Monitoring > Properties > Identity by TrustSec > PAC
Monitoring > Properties > Identity by TrustSec > Environment
Data
Monitoring > Properties > Identity by TrustSec > SXP
Connections
Monitoring > Properties > Identity by TrustSec > IP Mappings
Monitoring > Properties > Connections
Tools > Packet Tracer
Cisco Cloud Web Security (ScanSafe)
Cisco Cloud Web Security provides content scanning and other
malware protection service for web traffic. It can also redirect and
report about web traffic based on user identity.
Note
Clientless SSL VPN is not supported with Cloud Web
Security; be sure to exempt any clientless SSL VPN traffic
from the ASA service policy for Cloud Web Security.
We introduced or modified the following commands: class-map
type inspect scansafe, default user group, http[s] (parameters),
inspect scansafe, license, match user group, policy-map type
inspect scansafe, retry-count, scansafe, scansafe general-options,
server {primary | backup}, show conn scansafe, show scansafe
server, show scansafe statistics, user-identity monitor, whitelist.
We introduced or modified the following screens:
Configuration > Device Management > Cloud Web Security
Configuration > Firewall > Objects > Class Maps > Cloud Web
Security
Configuration > Firewall > Objects > Class Maps > Cloud Web
Security > Add/Edit
Configuration > Firewall > Objects > Inspect Maps > Cloud
Web Security
Configuration > Firewall > Objects > Inspect Maps > Cloud
Web Security > Add/Edit
Configuration > Firewall > Objects > Inspect Maps > Cloud
Web Security > Add/Edit > Manage Cloud Web Security Class
Maps
Configuration > Firewall > Identity Options
Configuration > Firewall > Service Policy Rules
Monitoring > Properties > Cloud Web Security
Extended ACL and object enhancement to filter ICMP traffic by ICMP code
ICMP traffic can now be permitted/denied based on ICMP code.
We introduced or modified the following commands: access-list
extended, service-object, service.
We introduced or modified the following screens:
Configuration > Firewall > Objects > Service Objects/Groups
Configuration > Firewall > Access Rule
Unified communications support on the ASASM
The ASASM now supports all Unified Communications features.
NAT support for reverse DNS lookups
NAT now supports translation of the DNS PTR record for reverse
DNS lookups when using IPv4 NAT, IPv6 NAT, and NAT64 with
DNS inspection enabled for the NAT rule.
Per-session PAT
The per-session PAT feature improves the scalability of PAT and,
for ASA clustering, allows each member unit to own PAT
connections; multi-session PAT connections have to be forwarded
to and owned by the master unit. At the end of a per-session PAT
session, the ASA sends a reset and immediately removes the xlate.
This reset causes the end node to immediately release the connection,
avoiding the TIME_WAIT state. Multi-session PAT, on the other
hand, uses the PAT timeout, by default 30 seconds. For “hit-and-run”
traffic, such as HTTP or HTTPS, the per-session feature can
dramatically increase the connection rate supported by one address.
Without the per-session feature, the maximum connection rate for
one address for an IP protocol is approximately 2000 per second.
With the per-session feature, the connection rate for one address for
an IP protocol is 65535/average-lifetime.
By default, all TCP traffic and UDP DNS traffic use a per-session
PAT xlate. For traffic that can benefit from multi-session PAT, such
as H.323, SIP, or Skinny, you can disable per-session PAT by
creating a per-session deny rule.
We introduced the following commands: xlate per-session, clear
configure xlate, show running-config xlate.
We introduced the following screen: Configuration > Firewall >
Advanced > Per-Session NAT Rules.
ARP cache additions for non-connected subnets
The ASA ARP cache only contains entries from directly-connected
subnets by default. You can now enable the ARP cache to also
include non-directly-connected subnets. We do not recommend
enabling this feature unless you know the security risks. This feature
could facilitate denial of service (DoS) attack against the ASA; a
user on any interface could send out many ARP replies and overload
the ASA ARP table with false entries.
You may want to use this feature if you use:
• Secondary subnets.
• Proxy ARP on adjacent routes for traffic forwarding.
We introduced the following command: arp permit-nonconnected.
We modified the following screen: Configuration > Device
Management > Advanced > ARP > ARP Static Table.
Also available in 8.4(5).
SunRPC change from dynamic ACL to pin-hole mechanism
Previously, Sun RPC inspection did not support outbound access
lists because the inspection engine used dynamic access lists instead
of secondary connections.
In this release, when you configure dynamic access lists on the ASA,
they are supported on the ingress direction only and the ASA drops
egress traffic destined to dynamic ports. Therefore, Sun RPC
inspection implements a pinhole mechanism to support egress traffic.
Sun RPC inspection uses this pinhole mechanism to support
outbound dynamic access lists.
Also available in 8.4(4.1).
Inspection reset action change
Previously, when the ASA dropped a packet due to an inspection
engine rule, the ASA sent only one RST to the source device of the
dropped packet. This behavior could cause resource issues.
In this release, when you configure an inspection engine to use a
reset action and a packet triggers a reset, the ASA sends a TCP reset
under the following conditions:
• The ASA sends a TCP reset to the inside host when the service
resetoutbound command is enabled. (The service
resetoutbound command is enabled by default.)
• The ASA sends a TCP reset to the outside host when the
service resetinbound command is enabled. (The service
resetinbound command is disabled by default.)
For more information, see the service command in the ASA
command reference.
This behavior ensures that a reset action will reset the connections
on the ASA and on inside servers; therefore countering denial of
service attacks. For outside hosts, the ASA does not send a reset by
default and information is not revealed through a TCP reset.
Also available in 8.4(4.1).
Increased maximum connection limits for service policy rules
The maximum number of connections for service policy rules was
increased from 65535 to 2000000.
We modified the following commands: set connection conn-max,
set connection embryonic-conn-max, set connection
per-client-embryonic-max, set connection per-client-max.
We modified the following screen: Configuration > Firewall >
Service Policy Rules > Connection Settings.
Also available in 8.4(5).
High Availability and Scalability Features
ASA Clustering for the ASA 5580 and 5585-X
ASA Clustering lets you group multiple ASAs together as a single
logical device. A cluster provides all the convenience of a single
device (management, integration into a network) while achieving
the increased throughput and redundancy of multiple devices. ASA
clustering is supported for the ASA 5580 and the ASA 5585-X; all
units in a cluster must be the same model with the same hardware
specifications. See the configuration guide for a list of unsupported
features when clustering is enabled.
We introduced or modified the following commands:
channel-group, clacp system-mac, clear cluster info, clear
configure cluster, cluster exec, cluster group, cluster
interface-mode, cluster-interface, conn-rebalance,
console-replicate, cluster master unit, cluster remove unit, debug
cluster, debug lacp cluster, enable (cluster group), health-check,
ip address, ipv6 address, key (cluster group), local-unit,
mac-address (interface), mac-address pool, mtu cluster,
port-channel span-cluster, priority (cluster group), prompt
cluster-unit, show asp cluster counter, show asp table cluster
chash-table, show cluster, show cluster info, show cluster
user-identity, show lacp cluster, show running-config cluster.
We introduced or modified the following screens:
Home > Device Dashboard
Home > Cluster Dashboard
Home > Cluster Firewall Dashboard
Configuration > Device Management > Advanced > Address
Pools > MAC Address Pools
Configuration > Device Management > High Availability and
Scalability > ASA Cluster
Configuration > Device Management > Logging > Syslog Setup
> Advanced
Configuration > Device Setup > Interfaces > Add/Edit Interface
> Advanced
Configuration > Device Setup > Interfaces > Add/Edit Interface
> IPv6
Configuration > Device Setup > Interfaces > Add/Edit
EtherChannel Interface > Advanced
Configuration > Firewall > Advanced > Per-Session NAT Rules
Monitoring > ASA Cluster
Monitoring > Properties > System Resources Graphs > Cluster Control Link
Tools > Preferences > General
Tools > System Reload
Tools > Upgrade Software from Local Computer
Wizards > High Availability and Scalability Wizard
Wizards > Packet Capture Wizard
Wizards > Startup Wizard
OSPF, EIGRP, and Multicast for clustering
For OSPFv2 and OSPFv3, bulk synchronization, route
synchronization, and spanned EtherChannels are supported in the
clustering environment.
For EIGRP, bulk synchronization, route synchronization, and
spanned EtherChannels are supported in the clustering environment.
Multicast routing supports clustering.
We introduced or modified the following commands: show route
cluster, debug route cluster, show mfib cluster, debug mfib
cluster.
Packet capture for clustering
To support cluster-wide troubleshooting, you can enable capture of
cluster-specific traffic on the master unit using the cluster exec
capture command, which is then automatically enabled on all of
the slave units in the cluster. The cluster exec keywords are the new
keywords that you place in front of the capture command to enable
cluster-wide capture.
We modified the following commands: capture, show capture.
We modified the following screen: Wizards > Packet Capture
Wizard.
Logging for clustering
Each unit in the cluster generates syslog messages independently.
You can use the logging device-id command to generate syslog
messages with identical or different device IDs to make messages
appear to come from the same or different units in the cluster.
We modified the following command: logging device-id.
We modified the following screen: Configuration > Logging >
Syslog Setup > Advanced > Advanced Syslog Configuration.
Support for clustering with the Cisco Nexus 7000 and Cisco Catalyst 6500
The ASA supports clustering when connected to the Cisco Nexus
7000 and Cisco Catalyst 6500 with Supervisor 32, 720, and
720-10GE.
Configure the connection replication rate during a bulk sync
You can now configure the rate at which the ASA replicates
connections to the standby unit when using Stateful Failover. By
default, connections are replicated to the standby unit during a 15
second period. However, when a bulk sync occurs (for example,
when you first enable failover), 15 seconds may not be long enough
to sync large numbers of connections due to a limit on the maximum
connections per second. For example, the maximum connections on
the ASA is 8 million; replicating 8 million connections in 15 seconds
means creating 533 K connections per second. However, the
maximum connections allowed per second is 300 K. You can now
specify the rate of replication to be less than or equal to the maximum
connections per second, and the sync period will be adjusted until
all the connections are synchronized.
We introduced the following command: failover replication rate
rate.
Also available in 8.4(4.1) and 8.5(1.7).
IPv6 Features
IPv6 Support on the ASA's outside interface for VPN Features
This release of the ASA adds support for IPv6 VPN connections to
its outside interface using SSL and IKEv2/IPsec protocols.
This release of the ASA continues to support IPv6 VPN traffic on
its inside interface using the SSL protocol as it has in the past. This
release does not provide IKEv2/IPsec protocol on the inside interface.
Remote Access VPN support for IPv6: IPv6 Address Assignment Policy
You can configure the ASA to assign an IPv4 address, an IPv6
address, or both an IPv4 and an IPv6 address to an AnyConnect
client by creating internal pools of addresses on the ASA or by
assigning a dedicated address to a local user on the ASA.
The endpoint must have the dual-stack protocol implemented in its
operating system to be assigned both types of addresses.
Assigning an IPv6 address to the client is supported for the SSL
protocol. This feature is not supported for the IKEv2/IPsec protocol.
We introduced the following commands: ipv6-vpn-addr-assign,
vpn-framed-ipv6-address.
We modified the following screens:
Configuration > Remote Access VPN > Network (Client) Access
> Address Assignment > Assignment Policy
Configuration > Remote Access VPN > AAA/Local Users > Local
Users > (Edit local user account) > VPN Policy
Remote Access VPN support for IPv6: Assigning DNS Servers with IPv6 Addresses to group policies
DNS servers can be defined in a Network (Client) Access internal
group policy on the ASA. You can specify up to four DNS server
addresses including up to two IPv4 addresses and up to two IPv6
addresses.
DNS servers with IPv6 addresses can be reached by VPN clients
when they are configured to use the SSL protocol. This feature is
not supported for clients configured to use the IKEv2/IPsec protocol.
We modified the following command: dns-server value.
We modified the following screen: Configuration > Remote Access
VPN > Network (Client) Access > Group Policies > (Edit group
policy) > Servers.
Remote Access VPN support for IPv6: Split tunneling
Split tunneling enables you to route some network traffic through
the VPN tunnel (encrypted) and to route other network traffic outside
the VPN tunnel (unencrypted or “in the clear”). You can now perform
split tunneling on IPv6 network traffic by defining an IPv6 policy
which specifies a unified access control rule.
IPv6 split tunneling is reported with the telemetric data sent by the
Smart Call Home feature. If either IPv4 or IPv6 split tunneling is
enabled, Smart Call Home reports split tunneling as “enabled.” For
telemetric data, the VPN session database displays the IPv6 data
typically reported with session management.
You can include or exclude IPv6 traffic from the VPN “tunnel” for
VPN clients configured to use the SSL protocol. This feature is not
supported for the IKEv2/IPsec protocol.
We introduced the following command: ipv6-split-tunnel-policy.
We modified the following screen: Configuration > Remote Access
VPN > Network (Client) Access > Group Policies > (Edit group
policy) > Advanced > Split Tunneling.
Remote Access VPN support for IPv6: AnyConnect Client Firewall Rules
Access control rules for client firewalls support access list entries
for both IPv4 and IPv6 addresses.
ACLs containing IPv6 addresses can be applied to clients configured
to use the SSL protocol. This feature is not supported for the
IKEv2/IPsec protocol.
We modified the following command: anyconnect firewall-rule.
We modified the following screen: Configuration > Remote Access
VPN > Network (Client) Access > Group Policies > (Edit group
policy) > Advanced > AnyConnect Client > Client Firewall.
Remote Access VPN support for IPv6: Client Protocol Bypass
The Client Protocol Bypass feature allows you to configure how the
ASA manages IPv4 traffic when it is expecting only IPv6 traffic or
how it manages IPv6 traffic when it is expecting only IPv4 traffic.
When the AnyConnect client makes a VPN connection to the ASA,
the ASA could assign it an IPv4, IPv6, or both an IPv4 and IPv6
address. If the ASA assigns the AnyConnect connection only an
IPv4 address or only an IPv6 address, you can now configure the
Client Bypass Protocol to drop network traffic for which the ASA
did not assign an IP address, or allow that traffic to bypass the ASA
and be sent from the client unencrypted or “in the clear.”
For example, assume that the ASA assigns only an IPv4 address to
an AnyConnect connection and the endpoint is dual stacked. When
the endpoint attempts to reach an IPv6 address, if Client Bypass
Protocol is disabled, the IPv6 traffic is dropped; however, if Client
Bypass Protocol is enabled, the IPv6 traffic is sent from the client
in the clear.
This feature can be used by clients configured to use the SSL or
IKEv2/IPsec protocol.
We introduced the following command: client-bypass-protocol.
We modified the following screen: Configuration > Remote Access
VPN > Network (Client) Access > Group Policies > (Group
Policy) Advanced > AnyConnect Client > Client Bypass Protocol.
Remote Access VPN support for IPv6: IPv6 Interface ID and prefix
You can now specify a dedicated IPv6 address for local VPN users.
This feature benefits users configured to use the SSL protocol. This
feature is not supported for the IKEv2/IPsec protocol.
We introduced the following command: vpn-framed-ipv6-address.
We modified the following screen: Configuration > Remote Access
VPN > AAA/Local Users > Local Users > (Edit User) > VPN
Policy.
Remote Access VPN support for IPv6: Sending ASA FQDN to AnyConnect client
You can return the FQDN of the ASA to the AnyConnect client to
facilitate load balancing and session roaming.
This feature can be used by clients configured to use the SSL or
IKEv2/IPsec protocol.
We introduced the following command: gateway-fqdn.
We modified the following screen: Configuration > Remote Access
VPN > Network (Client) Access > Group Policies > (Edit group
policy) > Advanced > AnyConnect.
Remote Access VPN support for IPv6: ASA VPN Load Balancing
Clients with IPv6 addresses can make AnyConnect connections
through the public-facing IPv6 address of the ASA cluster or through
a GSS server. Likewise, clients with IPv6 addresses can make
AnyConnect VPN connections through the public-facing IPv4
address of the ASA cluster or through a GSS server. Either type of
connection can be load-balanced within the ASA cluster.
For clients with IPv6 addresses to successfully connect to the ASA's
public-facing IPv4 address, a device that can perform network
address translation from IPv6 to IPv4 needs to be in the network.
This feature can be used by clients configured to use the SSL or
IKEv2/IPsec protocol.
We modified the following commands: show run vpn
load-balancing.
We modified the following screen: Configuration > Remote Access
VPN > Load Balancing.
Remote Access VPN support for IPv6: Dynamic Access Policies support IPv6 attributes
When using ASA 9.0 or later with ASDM 6.8 or later, you can now
specify these attributes as part of a dynamic access policy (DAP):
• IPv6 addresses as a Cisco AAA attribute
• IPv6 TCP and UDP ports as part of a Device endpoint attribute
• Network ACL Filters (client)
This feature can be used by clients configured to use the SSL or
IKEv2/IPsec protocol.
We modified the following screens:
Configuration > Remote Access VPN > Network (Client) Access
> Dynamic Access Policies > Add > Cisco AAA attribute
Configuration > Remote Access VPN > Network (Client) Access
> Dynamic Access Policies > Add > Device > Add Endpoint
Attribute
Configuration > Remote Access VPN > Network (Client) Access
> Dynamic Access Policies > Network ACL Filters (client)
Configuration > Remote Access VPN > Network (Client) Access
> Dynamic Access Policies > Webtype ACL Filters (clientless)
Remote Access VPN support for IPv6: Session Management
Session management output displays the IPv6 addresses in
Public/Assigned address fields for AnyConnect connections,
site-to-site VPN connections, and Clientless SSL VPN connections.
You can add new filter keywords to support filtering the output to
show only IPv6 (outside or inside) connections. No changes to IPv6
User Filters exist.
This feature can be used by clients configured to use the SSL
protocol. This feature does not support IKEv2/IPsec protocol.
We modified the following command: show vpn-sessiondb.
We modified the following screen: Monitoring > VPN > VPN Statistics >
Sessions.
NAT support for IPv6
NAT now supports IPv6 traffic, as well as translating between IPv4
and IPv6 (NAT64). Translating between IPv4 and IPv6 is not
supported in transparent mode.
We modified the following commands: nat (in global and object
network configuration mode), show conn, show nat, show nat pool,
show xlate.
We modified the following screens:
Configuration > Firewall > Objects > Network Objects/Group
Configuration > Firewall > NAT Rules
DHCPv6 relay
DHCP relay is supported for IPv6.
We introduced the following commands: ipv6 dhcprelay server,
ipv6 dhcprelay enable, ipv6 dhcprelay timeout, clear config ipv6
dhcprelay, ipv6 nd managed-config-flag, ipv6 nd
other-config-flag, debug ipv6 dhcp, debug ipv6 dhcprelay, show
ipv6 dhcprelay binding, clear ipv6 dhcprelay binding, show ipv6
dhcprelay statistics, and clear ipv6 dhcprelay statistics.
We modified the following screen: Configuration > Device
Management > DHCP > DHCP Relay.
OSPFv3
OSPFv3 routing is supported for IPv6. Note the following additional
guidelines and limitations for OSPFv2 and OSPFv3:
Clustering
• OSPFv2 and OSPFv3 support clustering.
• When clustering is configured, OSPFv3 encryption is not
supported. An error message appears if you try to configure
OSPFv3 encryption in a clustering environment.
• When using individual interfaces, make sure that you establish
the master and slave units as either OSPFv2 or OSPFv3
neighbors.
• When using individual interfaces, OSPFv2 adjacencies can
only be established between two contexts on a shared interface
on the master unit. Configuring static neighbors is supported
only on point-to-point links; therefore, only one neighbor
statement is allowed on an interface.
Other
• OSPFv2 and OSPFv3 support multiple instances on an
interface.
• The ESP and AH protocols are supported for OSPFv3
authentication.
• OSPFv3 supports Non-Payload Encryption.
We introduced or modified the following commands: ipv6 ospf cost,
ipv6 ospf database-filter all out, ipv6 ospf dead-interval, ipv6
ospf hello-interval, ipv6 ospf mtu-ignore, ipv6 ospf neighbor,
ipv6 ospf network, ipv6 ospf priority, ipv6 ospf
retransmit-interval, ipv6 ospf transmit-delay, ipv6 router ospf,
ipv6 router ospf area, ipv6 router ospf default, ipv6 router ospf
default-information, ipv6 router ospf distance, ipv6 router ospf
exit, ipv6 router ospf ignore, ipv6 router ospf
log-adjacency-changes, ipv6 router ospf no, ipv6 router ospf
redistribute, ipv6 router ospf router-id, ipv6 router ospf
summary-prefix, ipv6 router ospf timers, area range, area
virtual-link, default, default-information originate, distance,
ignore lsa mospf, log-adjacency-changes, redistribute, router-id,
summary-prefix, timers lsa arrival, timers pacing flood, timers
pacing lsa-group, timers pacing retransmission, show ipv6 ospf,
show ipv6 ospf border-routers, show ipv6 ospf database-filter,
show ipv6 ospf flood-list, show ipv6 ospf interface, show ipv6
ospf neighbor, show ipv6 ospf request-list, show ipv6 ospf
retransmission-list, show ipv6 ospf summary-prefix, show ipv6
ospf virtual-links, show ospf, show run ipv6 router, clear ipv6
ospf, clear configure ipv6 router, debug ospfv3.
We introduced the following screens:
Configuration > Device Setup > Routing > OSPFv3 > Setup
Configuration > Device Setup > Routing > OSPFv3 > Interface
Configuration > Device Setup > Routing > OSPFv3 >
Redistribution
Configuration > Device Setup > Routing > OSPFv3 > Summary
Prefix
Configuration > Device Setup > Routing > OSPFv3 > Virtual
Link
Monitoring > Routing > OSPFv3 LSAs
Monitoring > Routing > OSPFv3 Neighbors
Unified ACL for IPv4 and IPv6
ACLs now support IPv4 and IPv6 addresses. You can also specify
a mix of IPv4 and IPv6 addresses for the source and destination.
The IPv6-specific ACLs are deprecated. Existing IPv6 ACLs are
migrated to extended ACLs.
ACLs containing IPv6 addresses can be applied to clients configured
to use the SSL protocol. This feature is not supported for the
IKEv2/IPsec protocol.
We modified the following commands: access-list extended,
access-list webtype.
We removed the following commands: ipv6 access-list, ipv6
access-list webtype, ipv6-vpn-filter.
We modified the following screens:
Configuration > Firewall > Access Rules
Configuration > Remote Access VPN > Network (Client) Access
> Group Policies > General > More Options
Mixed IPv4 and IPv6 object groups
Previously, network object groups could only contain all IPv4
addresses or all IPv6 addresses. Now network object groups can
support a mix of both IPv4 and IPv6 addresses.
Note
You cannot use a mixed object group for NAT.
We modified the following command: object-group network.
We modified the following screen: Configuration > Firewall >
Objects > Network Objects/Groups.
Range of IPv6 addresses for a Network object
You can now configure a range of IPv6 addresses for a network object.
We modified the following command: range.
We modified the following screen: Configuration > Firewall >
Objects > Network Objects/Groups.
Inspection support for IPv6 and
NAT64
We now support DNS inspection for IPv6 traffic.
We also support translating between IPv4 and IPv6 for the following
inspections:
• DNS
• FTP
• HTTP
• ICMP
You can now also configure the service policy to generate a syslog
message (767001) when unsupported inspections receive and drop
IPv6 traffic.
We modified the following command: service-policy fail-close.
We modified the following screen: Configuration > Firewall >
Service Policy Rules > Add Service Policy Rule Wizard - Service
Policy.
Remote Access Features
Clientless SSL VPN: Additional
Support
We have added additional support for these browsers, operating
systems, web technologies and applications:
Internet browser support: Microsoft Internet Explorer 9, Firefox
4, 5, 6, 7, and 8
Operating system support: Mac OS X 10.7
Web technology support: HTML 5
Application Support: Sharepoint 2010
Clientless SSL VPN: Enhanced quality for rewriter engines
The clientless SSL VPN rewriter engines were significantly improved
to provide better quality and efficacy. As a result, you can expect a
better end-user experience for clientless SSL VPN users.
We did not add or modify any commands for this feature.
We did not add or modify any ASDM screens for this feature.
Also available in 8.4(4.1).
Clientless SSL VPN: Citrix Mobile
Receiver
This feature provides secure remote access for Citrix Receiver
applications running on mobile devices to XenApp and XenDesktop
VDI servers through the ASA.
For the ASA to proxy Citrix Receiver to a Citrix Server, when users
try to connect to Citrix virtualized resource, instead of providing
the Citrix Server’s address and credentials, users enter the ASA’s
SSL VPN IP address and credentials.
We modified the following command: vdi.
We modified the following screen: Configuration > Remote Access
VPN > Clientless SSL VPN Access > Group Policy > Edit > More
Options > VDI Access > Add VDI Server.
Clientless SSL VPN: Enhanced
Auto-sign-on
This feature improves support for web applications that require
dynamic parameters for authentication.
We modified the following screen: Configuration > Remote Access
VPN > Clientless SSL VPN Access > Portal > Bookmarks.
Clientless SSL VPN: Clientless Java Rewriter Proxy Support
This feature provides proxy support for clientless Java plug-ins when
a proxy is configured in client machines' browsers.
We did not add or modify any commands for this feature.
We did not add or modify any ASDM screens for this feature.
Clientless SSL VPN: Remote File
Explorer
The Remote File Explorer provides users with a way to browse the
corporate network from their web browser. When users click the
Remote File System icon on the Cisco SSL VPN portal page, an
applet is launched on the user's system displaying the remote file
system in a tree and folder view.
We did not add or modify any commands for this feature.
We did not add or modify any ASDM screens for this feature.
Clientless SSL VPN: Server
Certificate Validation
This feature enhances clientless SSL VPN support to enable SSL
server certificate verification for remote HTTPS sites against a list
of trusted CA certificates.
We modified the following commands: ssl-server-check, crypto,
crypto ca trustpool, crl, certificate, revocation-check.
We modified the following screen: Configuration > Remote Access
VPN > Certificate Management > Trusted Certificate Pool.
AnyConnect Performance
Improvements
This feature improves throughput performance for AnyConnect
TLS/DTLS traffic in multi-core platforms. It accelerates the SSL
VPN datapath and provides customer-visible performance gains in
AnyConnect, smart tunnels, and port forwarding.
We modified the following commands: crypto engine
accelerator-bias and show crypto accelerator.
We modified the following screen: Configuration > Remote Access
VPN > Advanced > Crypto Engine.
Custom Attributes
Custom attributes define and configure AnyConnect features that
have not yet been added to ASDM. You add custom attributes to a
group policy, and define values for those attributes.
For AnyConnect 3.1, custom attributes are available to support
AnyConnect Deferred Upgrade.
Custom attributes can benefit AnyConnect clients configured for
either IKEv2/IPsec or SSL protocols.
We added the following command: anyconnect-custom-attr.
A new screen was added: Configuration > Remote Access VPN
> Network (Client) Access > Advanced > AnyConnect Custom
Attributes.
Next Generation Encryption
The National Standards Association (NSA) specified a set of
cryptographic algorithms that devices must support to meet U.S.
federal standards for cryptographic strength. RFC 6379 defines the
Suite B cryptographic suites. Because the collective set of algorithms
defined as NSA Suite B are becoming a standard, the AnyConnect
IPsec VPN (IKEv2 only) and public key infrastructure (PKI)
subsystems now support them. The next generation encryption
(NGE) includes a larger superset of this set adding cryptographic
algorithms for IPsec V3 VPN, Diffie-Hellman Groups 14 and 24
for IKEv2, and RSA certificates with 4096 bit keys for DTLS and
IKEv2.
The following functionality is added to ASA to support the Suite B
algorithms:
• AES-GCM/GMAC support (128-, 192-, and 256-bit keys)
◦ IKEv2 payload encryption and authentication
◦ ESP packet encryption and authentication
◦ Hardware supported only on multi-core platforms
• SHA-2 support (256-, 384-, and 512-bit hashes)
◦ ESP packet authentication
◦ Hardware and software supported only on multi-core
platforms
• ECDH support (groups 19, 20, and 21)
◦ IKEv2 key exchange
◦ IKEv2 PFS
◦ Software only supported on single- or multi-core
platforms
• ECDSA support (256-, 384-, and 521-bit elliptic curves)
◦ IKEv2 user authentication
◦ PKI certificate enrollment
◦ PKI certificate generation and verification
◦ Software only supported on single- or multi-core
platforms
New cryptographic algorithms are added for IPsecV3.
Note
Suite B algorithm support requires an AnyConnect Premium
license for IKEv2 remote access connections, but Suite B
usage for other connections or purposes (such as PKI) has
no limitations. IPsecV3 has no licensing restrictions.
We introduced or modified the following commands: crypto ikev2
policy, crypto ipsec ikev2 ipsec-proposal, crypto key generate,
crypto key zeroize, show crypto key mypubkey, show
vpn-sessiondb.
We introduced or modified the following screens:
Monitor > VPN > Sessions
Monitor > VPN > Encryption Statistics
Configuration > Site-to-Site VPN > Certificate Management >
Identity Certificates
Configuration > Site-to-Site VPN > Advanced > System Options
Configuration > Remote Access VPN > Network (Client) Access
> Advanced > IPsec > Crypto Maps
Support for VPN on the ASASM
The ASASM now supports all VPN features.
Multiple Context Mode Features
Site-to-Site VPN in multiple context
mode
Site-to-site VPN tunnels are now supported in multiple context
mode.
New resource type for site-to-site VPN tunnels
New resource types, vpn other and vpn burst other, were created to
set the maximum number of site-to-site VPN tunnels in each context.
We modified the following commands: limit-resource, show
resource types, show resource usage, show resource allocation.
We modified the following screen: Configuration > Context
Management > Resource Class > Add Resource Class.
Dynamic routing in Security Contexts
EIGRP and OSPFv2 dynamic routing protocols are now supported
in multiple context mode. OSPFv3, RIP, and multicast routing are
not supported.
New resource type for routing table
entries
A new resource class, routes, was created to set the maximum
number of routing table entries in each context.
We modified the following commands: limit-resource, show
resource types, show resource usage, show resource allocation.
We modified the following screen: Configuration > Context
Management > Resource Class > Add Resource Class.
Mixed firewall mode support in
multiple context mode
You can set the firewall mode independently for each security
context in multiple context mode, so some can run in transparent
mode while others run in routed mode.
We modified the following command: firewall transparent.
You cannot set the firewall mode in ASDM; you must use the
command-line interface.
Also available in Version 8.5(1).
Module Features
ASA Services Module support on the Cisco 7600 switch
The Cisco 7600 series now supports the ASASM. For specific
hardware and software requirements, see:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html.
ASA 5585-X support for the ASA CX SSP-10 and -20
The ASA CX module lets you enforce security based on the complete
context of a situation. This context includes the identity of the user
(who), the application or website that the user is trying to access
(what), the origin of the access attempt (where), the time of the
attempted access (when), and the properties of the device used for
the access (how). With the ASA CX module, you can extract the
full context of a flow and enforce granular policies such as permitting
access to Facebook but denying access to games on Facebook or
permitting finance employees access to a sensitive enterprise
database but denying the same to other employees.
We introduced or modified the following commands: capture, cxsc,
cxsc auth-proxy, debug cxsc, hw-module module password-reset,
hw-module module reload, hw-module module reset, hw-module
module shutdown, session do setup host ip, session do get-config,
session do password-reset, show asp table classify domain cxsc,
show asp table classify domain cxsc-auth-proxy, show capture,
show conn, show module, show service-policy.
We introduced the following screens:
Home > ASA CX Status
Wizards > Startup Wizard > ASA CX Basic Configuration
Configuration > Firewall > Service Policy Rules > Add Service
Policy Rule > Rule Actions > ASA CX Inspection
Also available in 8.4(4.1).
ASA 5585-X Dual SSP support for the
SSP-10 and SSP-20 (in addition to the
SSP-40 and SSP-60); VPN support for
Dual SSPs
The ASA 5585-X now supports dual SSPs using all SSP models
(you can use two SSPs of the same level in the same chassis). VPN
is now supported when using dual SSPs.
We did not modify any commands.
We did not modify any screens.
New Features in Version 8.7
New Features in ASA 8.7(1.1)/ASDM 6.7(1)
Released: October 16, 2012
Note
Version 8.7(1) was removed from Cisco.com due to build issues; please upgrade to Version 8.7(1.1) or
later.
Feature
Description
Platform Features
Support for the ASA
1000V
We introduced support for the ASA 1000V for the Nexus 1000V switch.
Cloning the ASA 1000V
You can add one or multiple instances of the ASA 1000V to your deployment
using the method of cloning VMs.
Management Features
ASDM mode
You can configure, manage, and monitor the ASA 1000V using the Adaptive
Security Device Manager (ASDM), which is the single GUI-based device manager
for the ASA.
VNMC mode
You can configure and manage the ASA 1000V using the Cisco Virtual Network
Management Center (VNMC), which is a GUI-based multi-device manager for
multiple tenants.
XML APIs
You can configure and manage the ASA 1000V using XML APIs, which are
application programmatic interfaces provided through the Cisco VNMC. This
feature is only available in VNMC mode.
Firewall Features
Cisco VNMC access and configuration
Cisco VNMC access and configuration are required to create security profiles.
You can configure access to the Cisco VNMC through the Configuration > Device
Setup > Interfaces pane in ASDM. Enter the login username and password,
hostname, and shared secret to access the Cisco VNMC. Then you can configure
security profiles and security profile interfaces. In VNMC mode, use the CLI to
configure security profiles.
Security profiles and
security profile
interfaces
Security profiles are interfaces that correspond to an edge security profile that has
been configured in the Cisco VNMC and assigned in the Cisco Nexus 1000V
VSM. Policies for through-traffic are assigned to these interfaces and the outside
interface. You can add security profiles through the Configuration > Device Setup
> Interfaces pane. You create the security profile by adding its name and selecting
the service interface. ASDM then generates the security profile through the Cisco
VNMC, assigns the security profile ID, and automatically generates a unique
interface name. The interface name is used in the security policy configuration.
We introduced or modified the following commands: interface security-profile,
security-profile, mtu, vpath path-mtu, clear interface security-profile, clear
configure interface security-profile, show interface security-profile, show
running-config interface security-profile, show interface ip brief, show
running-config mtu, show vsn ip binding, show vsn security-profile.
We introduced or modified the following screens:
Configuration > Device Setup > Interfaces
Configuration > Device Setup > Interfaces > Add Security Profile
Monitoring > Interfaces > Security Profiles
Service interface
The service interface is the Ethernet interface associated with security profile
interfaces. You can only configure one service interface, which must be the inside
interface.
We introduced the following command: service-interface security-profile all.
We modified the following screen: Configuration > Device Setup > Interfaces.
VNMC policy agent
The VNMC policy agent enables policy configuration through both the ASDM
and VNMC modes. It includes a web server that receives XML-based requests
from Cisco VNMC over HTTPS and converts them to the ASA 1000V configuration.
We introduced the following commands: vnmc policy-agent, login, shared-secret,
registration host, vnmc org, show vnmc policy-agent, show running-config
vnmc policy-agent, clear configure vnmc policy-agent.
We modified the following screen: Configuration > Device Setup > Interfaces.
New Features in Version 8.6
New Features in ASA 8.6(1)/ASDM 6.6(1)
Released: February 28, 2012
Note
This ASA software version is only supported on the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA
5545-X, and ASA 5555-X.
Version 8.6(1) includes all features in 8.4(2), plus the features listed in this table.
Features added in 8.4(3) are not included in 8.6(1) unless they are explicitly listed in this table.
Feature
Description
Hardware Features
Support for the ASA
5512-X through ASA
5555-X
We introduced support for the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA
5545-X, and ASA 5555-X.
IPS Features
Support for the IPS SSP for the ASA 5512-X through ASA 5555-X
We introduced support for the IPS SSP software module for the ASA 5512-X,
ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X.
We introduced or modified the following commands: session, show module,
sw-module.
We did not modify any screens.
Remote Access Features
Clientless SSL VPN
browser support
The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9
and Firefox 4.
Also available in Version 8.4(3).
Compression for DTLS and TLS
To improve throughput, Cisco now supports compression for DTLS and TLS on
AnyConnect 3.0 or later. Each tunneling method configures compression
separately, and the preferred configuration is to have both SSL and DTLS
compression as LZS. This feature enhances migration from legacy VPN clients.
Note
Using data compression on high speed remote access connections passing
highly compressible data requires significant processing power on the
ASA. With other activity and traffic on the ASA, the number of sessions
that can be supported on the platform is reduced.
We introduced or modified the following commands: anyconnect dtls
compression [lzs | none] and anyconnect ssl compression [deflate | lzs | none].
We modified the following screen: Configuration > Remote Access VPN >
Clientless SSL VPN Access > Group Policies > Edit > Edit Internal Group
Policy > Advanced > AnyConnect Client > SSL Compression.
Also available in Version 8.4(3).
Clientless SSL VPN
Session Timeout Alerts
Allows you to create custom messages to alert users that their VPN session is
about to end because of inactivity or a session timeout.
We introduced the following commands: vpn-session-timeout alert-interval,
vpn-idle-timeout alert-interval.
We introduced the following screens:
Remote Access VPN > Configuration > Clientless SSL VPN Access > Portal >
Customizations > Add/Edit > Timeout Alerts
Remote Access VPN > Configuration > Clientless SSL VPN Access > Group
Policies > Add/Edit General
Also available in Version 8.4(3).
Multiple Context Mode Features
Automatic generation of a MAC address prefix
In multiple context mode, the ASA now converts the automatic MAC address
generation configuration to use a default prefix. The ASA auto-generates the
prefix based on the last two bytes of the interface MAC address. This conversion
happens automatically when you reload, or if you reenable MAC address
generation. The prefix method of generation provides many benefits, including a
better guarantee of unique MAC addresses on a segment. You can view the
auto-generated prefix by entering the show running-config mac-address
command. If you want to change the prefix, you can reconfigure the feature with
a custom prefix. The legacy method of MAC address generation is no longer
available.
Note
To maintain hitless upgrade for failover pairs, the ASA does not convert
the MAC address method in an existing configuration upon a reload if
failover is enabled. However, we strongly recommend that you manually
change to the prefix method of generation. After upgrading, to use the
prefix method of MAC address generation, reenable MAC address
generation to use the default prefix.
We modified the following command: mac-address auto.
We modified the following screen: Configuration > Context Management >
Security Contexts
AAA Features
Increased maximum
LDAP values per
attribute
The maximum number of values that the ASA can receive for a single attribute
was increased from 1000 (the default) to 5000, with an allowed range of 500 to
5000. If a response message is received that exceeds the configured limit, the
ASA rejects the authentication. If the ASA detects that a single attribute has more
than 1000 values, then the ASA generates informational syslog 109036. For more
than 5000 values, the ASA generates error level syslog 109037.
We introduced the following command: ldap-max-value-range number (Enter
this command in aaa-server host configuration mode).
ASDM does not support this command; enter the command using the Command
Line Tool.
Also available in Version 8.4(3).
Support for sub-range of LDAP search results
When an LDAP search results in an attribute with a large number of values,
depending on the server configuration, it might return a sub-range of the values
and expect the ASA to initiate additional queries for the remaining value ranges.
The ASA now makes multiple queries for the remaining ranges, and combines
the responses into a complete array of attribute values.
Also available in Version 8.4(3).
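The sub-range retrieval described here, together with the ldap-max-value-range limit and syslogs 109036/109037 from the previous row, as an added example that is not Cisco's code: a client loop against a constructed in-memory directory that pages one multi-valued attribute. It assumes the Active Directory style range option (attr;range=low-high, with * marking the final chunk), which this page does not name, and applies the configured limit to the combined value count.

```python
"""Simulated LDAP range retrieval with the ASA per-attribute value limit."""
import re
from dataclasses import dataclass, field

# Limits stated on the page.
DEFAULT_MAX_VALUES = 1000      # default ldap-max-value-range
LIMIT_RANGE = (500, 5000)      # allowed range for the configured limit
SYSLOG_OVER_1000 = 109036      # informational: attribute has > 1000 values
SYSLOG_OVER_5000 = 109037      # error: attribute has > 5000 values

# Assumed (AD style) range option: 'member;range=0-1499' or 'member;range=1500-*'.
_RANGE_RE = re.compile(r"^(?P<name>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$")


def parse_attr_type(attr_type):
    """Split 'member;range=0-1499' into ('member', 0, 1499).

    A plain attribute type (no range option) or a high of '*' both mean
    "this is the last chunk"; high is then returned as None.
    """
    m = _RANGE_RE.match(attr_type)
    if not m:
        return attr_type, 0, None
    high = None if m.group("high") == "*" else int(m.group("high"))
    return m.group("name"), int(m.group("low")), high


class FakeRangeLdapServer:
    """Constructed stand-in for a directory that pages multi-valued attributes."""

    def __init__(self, values, page_size):
        self.values = list(values)
        self.page_size = page_size
        self.queries = 0          # searches the client has issued so far

    def search(self, attr, low=0):
        """Answer one search for attr starting at value index low."""
        self.queries += 1
        if low == 0 and len(self.values) <= self.page_size:
            return {attr: self.values}        # fits in one response: no range option
        chunk = self.values[low:low + self.page_size]
        last = low + len(chunk) >= len(self.values)
        high = "*" if last else str(low + len(chunk) - 1)
        return {f"{attr};range={low}-{high}": chunk}


@dataclass
class AttributeResult:
    accepted: bool                               # False: ASA rejects the authentication
    values: list = field(default_factory=list)
    syslogs: list = field(default_factory=list)  # (message id, level) pairs
    queries: int = 0


def fetch_attribute(server, attr, max_values=DEFAULT_MAX_VALUES):
    """Retrieve every value of attr, following range markers as the ASA does."""
    if not LIMIT_RANGE[0] <= max_values <= LIMIT_RANGE[1]:
        raise ValueError("ldap-max-value-range must be within 500-5000")
    result = AttributeResult(accepted=True)
    low = 0
    while True:
        response = server.search(attr, low)
        (attr_type, chunk), = response.items()
        name, range_low, range_high = parse_attr_type(attr_type)
        if name != attr or range_low != low:
            raise ValueError(f"unexpected attribute type {attr_type!r}")
        result.values.extend(chunk)
        if range_high is None:        # final chunk: plain attr or range=low-*
            break
        low = range_high + 1          # ask the server for the next sub-range
    result.queries = server.queries
    count = len(result.values)
    # Modeling choice: the configured limit is applied to the combined count.
    if count > max_values:
        result.accepted = False
    # Both thresholds are reported; the page does not say whether 109036 is
    # suppressed once 109037 fires.
    if count > 1000:
        result.syslogs.append((SYSLOG_OVER_1000, "informational"))
    if count > 5000:
        result.syslogs.append((SYSLOG_OVER_5000, "error"))
    return result


if __name__ == "__main__":
    # Constructed group membership: 3200 DNs paged 1500 at a time.
    srv = FakeRangeLdapServer(
        [f"cn=group{i},dc=example,dc=test" for i in range(3200)], 1500)
    r = fetch_attribute(srv, "memberOf", max_values=5000)
    print(r.accepted, len(r.values), r.queries, r.syslogs)
    # → True 3200 3 [(109036, 'informational')]
```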
Troubleshooting Features
Regular expression
matching for the show
asp table classifier and
show asp table filter
commands
You can now enter the show asp table classifier and show asp table filter
commands with a regular expression to filter output.
We modified the following commands: show asp table classifier match regex,
show asp table filter match regex.
ASDM does not support this command; enter the command using the Command
Line Tool.
Also available in Version 8.4(3).
New Features in Version 8.5
New Features in ASA 8.5(1.7)/ASDM 6.5(1.101)
Released: March 5, 2012
Note
We recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific
problem that it resolves. If you decide to run an interim release in a production environment, keep in mind
that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco
TAC and will usually remain on the download site only until the next maintenance release is available. If
you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance
or feature release when it becomes available.
We will document interim release features at the time of the next maintenance or feature release. For a
list of resolved caveats for each ASA interim release, see the interim release notes available on the
Cisco.com software download site.
Table 1: New Features for ASA Interim Version 8.5(1.7)/ASDM Version 6.5(1.101)
Feature
Description
Hardware Features
Support for the Catalyst 6500 Supervisor 2T
The ASA now interoperates with the Catalyst 6500 Supervisor 2T. For hardware
and software compatibility, see:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html.
Note
You may have to upgrade the FPD image on the ASA. See the Upgrading
procedure in the release notes.
Multiple Context Features
ASDM support for Automatic generation of a MAC address prefix
ASDM now shows that an autogenerated prefix will be used if you do not specify
one.
We modified the following screen: Configuration > Context Management >
Security Contexts
Failover Features
Configure the connection replication rate during a bulk sync
You can now configure the rate at which the ASA replicates connections to the
standby unit when using stateful failover. By default, connections are replicated
to the standby unit during a 15 second period. However, when a bulk sync occurs
(for example, when you first enable failover), 15 seconds may not be long enough
to sync large numbers of connections due to a limit on the maximum connections
per second. For example, the maximum connections on the ASA is 8 million;
replicating 8 million connections in 15 seconds means creating 533K connections
per second. However, the maximum connections allowed per second is 300K.
You can now specify the rate of replication to be less than or equal to the maximum
connections per second, and the sync period will be adjusted until all the
connections are synced.
We introduced the following command: failover replication rate rate.
We modified the following screen: Configuration > Device Management >
High Availability > Failover.
New Features in ASA 8.5(1.6)/ASDM 6.5(1)
Released: January 27, 2012
Note
We recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific
problem that it resolves. If you decide to run an interim release in a production environment, keep in mind
that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco
TAC and will usually remain on the download site only until the next maintenance release is available. If
you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance
or feature release when it becomes available.
We will document interim release features at the time of the next maintenance or feature release. For a
list of resolved caveats for each ASA interim release, see the interim release notes available on the
Cisco.com software download site.
Table 2: New Features for ASA Interim Version 8.5(1.6)/ASDM Version 6.5(1)
Feature
Description
Multiple Context Features
Automatic generation of a MAC address prefix
In multiple context mode, the ASA now converts the automatic MAC address generation
configuration to use a default prefix. The ASA auto-generates the prefix based on the last two
bytes of the backplane MAC address. This conversion happens automatically when you reload, or
if you reenable MAC address generation. The prefix method of generation provides many benefits,
including a better guarantee of unique MAC addresses on a segment. You can view the
auto-generated prefix by entering the show running-config mac-address command. If you want to
change the prefix, you can reconfigure the feature with a custom prefix. The legacy method of
MAC address generation is no longer available.
Note
To maintain hitless upgrade for failover pairs, the ASA does not convert the MAC address
method in an existing configuration upon a reload if failover is enabled. However, we strongly
recommend that you manually change to the prefix method of generation when using failover.
Without the prefix method, ASASMs installed in different slot numbers experience a MAC address
change upon failover, and can experience traffic interruption. After upgrading, to use the
prefix method of MAC address generation, reenable MAC address generation to use the default
prefix.
We modified the following command: mac-address auto.
ASDM was not changed.
New Features in ASA 8.5(1)/ASDM 6.5(1)
Released: July 8, 2011
This ASA and ASDM software version is only supported on the ASASM.
Version 8.5(1) includes all features in 8.4(1), plus the features listed in this table. The following features,
however, are not supported in No Payload Encryption software, and this release is only available as a No
Payload Encryption release:
• VPN
• Unified Communications
Features added in 8.4(2) are not included in 8.5(1) unless they are explicitly listed in this table.
Table 3: New Features for ASA Version 8.5(1)/ASDM Version 6.5(1)
Feature
Description
Hardware Features
Support for the ASA Services Module
We introduced support for the ASASM for the Cisco Catalyst 6500 E switch.
Firewall Features
Mixed firewall mode support in multiple context mode
You can set the firewall mode independently for each security context in multiple context
mode, so some can run in transparent mode while others run in routed mode.
We modified the following command: firewall transparent.
You cannot set the firewall mode in ASDM; you must use the command line interface.
Interface Features
Automatic MAC address generation is now enabled by default in multiple context mode
Automatic generation of MAC addresses is now enabled by default in multiple context mode.
We modified the following command: mac-address auto.
We modified the following screen: System > Configuration > Context Management > Security
Contexts.
NAT Features
Identity NAT configurable proxy ARP and route lookup
In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always
used to determine the egress interface. You could not configure these settings. In 8.4(2) and
later, the default behavior for identity NAT was changed to match the behavior of other static
NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress
interface (if specified) by default. You can leave these settings as is, or you can enable or
disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.
For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command)
to 8.4(2) and later now includes the following keywords to disable proxy ARP and to use a
route lookup: no-proxy-arp and route-lookup. The unidirectional keyword that was used for
migrating to 8.3(2) and 8.4(1) is no longer used for migration. When upgrading to 8.4(2) from
8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp
and route-lookup keywords, to maintain existing functionality. The unidirectional keyword is
removed.
We modified the following commands: nat static [no-proxy-arp] [route-lookup] (object network)
and nat source static [no-proxy-arp] [route-lookup] (global).
We modified the following screens:
Configuration > Firewall > NAT Rules > Add/Edit Network Object > Advanced NAT Settings
Configuration > Firewall > NAT Rules > Add/Edit NAT Rule
Also available in Version 8.4(2).
PAT pool and round robin address assignment
You can now specify a pool of PAT addresses instead of a single address. You can also
optionally enable round-robin assignment of PAT addresses instead of first using all ports on
a PAT address before using the next address in the pool. These features help prevent a large
number of connections from a single PAT address from appearing to be part of a DoS attack and
make configuration of large numbers of PAT addresses easy.
Note
Currently in 8.5(1), the PAT pool feature is not available as a fallback method for dynamic
NAT or PAT. You can only configure the PAT pool as the primary method for dynamic PAT
(CSCtq20634).
We modified the following commands: nat dynamic [pat-pool mapped_object [round-robin]] (object
network) and nat source dynamic [pat-pool mapped_object [round-robin]] (global).
We modified the following screens:
Configuration > Firewall > NAT Rules > Add/Edit Network Object
Configuration > Firewall > NAT Rules > Add/Edit NAT Rule
Also available in Version 8.4(2).
Switch Integration Features
Autostate
The switch supervisor engine can send autostate messages to the ASASM about the status of
physical interfaces associated with ASA VLANs. For example, when all physical interfaces
associated with a VLAN go down, the autostate message tells the ASA that the VLAN is down. This
information lets the ASA declare the VLAN as down, bypassing the interface monitoring tests
normally required for determining which side suffered a link failure. Autostate messaging
provides a dramatic improvement in the time the ASA takes to detect a link failure (a few
milliseconds as compared to up to 45 seconds without autostate support).
Note
The switch supports autostate messaging only if you install a single ASA in the chassis.
See the following Cisco IOS command: firewall autostate.
Virtual Switching System
The ASASM supports VSS when configured on the switches. No ASA configuration is required.
New Features in Version 8.4
New Features in ASA 8.4(7)/ASDM 7.1(3)
Released: September 3, 2013
There were no new features in ASA 8.4(7)/ASDM 7.1(3).
New Features in ASA 8.4(6)/ASDM 7.1(2.102)
Released: April 29, 2013
Feature
Description
Monitoring Features
Ability to view top 10 memory users
You can now view the top bin sizes allocated and the top 10 PCs for each allocated
bin size. Previously, you had to enter multiple commands to see this information
(the show memory detail command and the show memory binsize command);
the new command provides for quicker analysis of memory issues.
We introduced the following command: show memory top-usage.
No ASDM changes were made.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
CPU profile enhancements
The cpu profile activate command now supports the following:
• Delayed start of the profiler until triggered (global or specific thread CPU
%)
• Sampling of a single thread
We modified the following command: cpu profile activate [n-samples]
[sample-process process-name] [trigger cpu-usage cpu% [process-name]].
No ASDM changes were made.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
Remote Access Features
user-storage value command password is now encrypted in show commands
The password in the user-storage value command is now encrypted when you
enter show running-config.
We modified the following command: user-storage value.
We modified the following screen: Configuration > Remote Access VPN >
Clientless SSL VPN Access > Group Policies > More Options > Session
Settings.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
New Features in ASA 8.4(5)/ASDM 7.0(2)
Released: October 31, 2012
Feature
Description
Firewall Features
EtherType ACL support for IS-IS traffic (transparent firewall mode)
In transparent firewall mode, the ASA can now pass IS-IS traffic using an EtherType ACL.
We modified the following command: access-list ethertype {permit | deny} is-is.
We modified the following screen: Configuration > Device Management > Management Access >
EtherType Rules.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
ARP cache additions for non-connected subnets
The ASA ARP cache only contains entries from directly-connected subnets by default. You can now
enable the ARP cache to also include non-directly-connected subnets. We do not recommend
enabling this feature unless you know the security risks. This feature could facilitate a
denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP
replies and overload the ASA ARP table with false entries.
You may want to use this feature if you use:
• Secondary subnets.
• Proxy ARP on adjacent routes for traffic forwarding.
We introduced the following command: arp permit-nonconnected.
We modified the following screen: Configuration > Device Management >
Advanced > ARP > ARP Static Table.
This feature is not available in 8.5(1), 8.6(1), or 8.7(1).
Increased maximum connection limits for service policy rules
The maximum number of connections for service policy rules was increased from
65535 to 2000000.
We modified the following commands: set connection conn-max, set connection
embryonic-conn-max, set connection per-client-embryonic-max, set connection
per-client-max.
We modified the following screen: Configuration > Firewall > Service Policy
Rules > Connection Settings.
This feature is not available in 8.5(1), 8.6(1), or 8.7(1).
Remote Access Features
Improved Host Scan and ASA Interoperability
Host Scan and the ASA use an improved process to transfer posture attributes from the client to
the ASA. This gives the ASA more time to establish a VPN connection with the client and apply a
dynamic access policy.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
Cisco Secure Desktop: Windows 8 Support
CSD 3.6.6215 was updated to enable selection of Windows 8 in the Prelogin
Policy operating system check.
See the following limitations:
• Secure Desktop (Vault) is not supported with Windows 8.
Dynamic Access Policies: Windows 8 Support
ASDM was updated to enable selection of Windows 8 in the DAP Operating
System attribute.
Monitoring Features
NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to allow polling for
Xlate count
Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount
OIDs to support xlate_count and max_xlate_count for SNMP.
This data is equivalent to the show xlate count command.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
NSEL
Flow-update events have been introduced to provide periodic byte counters for flow traffic.
You can change the time interval at which flow-update events are sent to the NetFlow
collector. You can filter to which collectors flow-update records will be sent.
We introduced the following command: flow-export active refresh-interval.
We modified the following command: flow-export event-type.
We modified the following screens:
Configuration > Device Management > Logging > NetFlow.
Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard - Rule
Actions > NetFlow > Add Flow Event
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
Hardware Features
ASA 5585-X DC power supply support
Support was added for the ASA 5585-X DC power supply.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
New Features in ASA 8.4(4.5)/ASDM 6.4(9.103)
Released: August 13, 2012
Note
Version 8.4(4.3) was removed from Cisco.com due to build issues; please upgrade to Version 8.4(4.5) or
later.
We recommend that you upgrade to a Cisco.com-posted interim release only if you have a specific problem
that it resolves. If you decide to run an interim release in a production environment, keep in mind that
only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC
and will remain on the download site only until the next maintenance release is available. If you choose
to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature
release when it becomes available. We will document interim release features at the time of the next
maintenance or feature release. For a list of resolved caveats for each interim release, see the interim
release notes available on the Cisco.com software download site.
Feature
Description
Firewall Features
ARP cache additions for non-connected subnets
The ASA ARP cache only contains entries from directly-connected subnets by default. You can now
enable the ARP cache to also include non-directly-connected subnets. We do not recommend
enabling this feature unless you know the security risks. This feature could facilitate a
denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP
replies and overload the ASA ARP table with false entries.
You may want to use this feature if you use:
• Secondary subnets.
• Proxy ARP on adjacent routes for traffic forwarding.
We introduced the following command: arp permit-nonconnected.
We modified the following screen: Configuration > Device Management >
Advanced > ARP > ARP Static Table.
This feature is not available in 8.5(1), 8.6(1), or 8.7(1).
Monitoring Features
NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to allow polling for
Xlate count
Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and
cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count
for SNMP.
This data is equivalent to the show xlate count command.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
New Features in ASA 8.4(4.1)/ASDM 6.4(9)
Released: June 18, 2012
Note
Version 8.4(4) was removed from Cisco.com due to build issues; please upgrade to Version 8.4(4.1) or
later.
Feature
Description
Certification Features
FIPS and Common Criteria certifications
The FIPS 140-2 Non-Proprietary Security Policy was updated as part of the Level
2 FIPS 140-2 validation for the Cisco ASA 5500 series, which includes the
Cisco ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580, and
ASA 5585-X.
The Common Criteria Evaluation Assurance Level 4 (EAL4) was updated, which
provides the basis for a specific Target of Evaluation (TOE) of the Cisco ASA
and VPN platform solutions.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
Support for administrator password policy when using the local database
When you configure authentication for CLI or ASDM access using the local database, you can
configure a password policy that requires a user to change their password after a specified
amount of time and also requires password standards such as a minimum length and the minimum
number of changed characters.
We introduced or modified the following commands: change-password, password-policy lifetime,
password-policy minimum-changes, password-policy minimum-length, password-policy
minimum-lowercase, password-policy minimum-uppercase, password-policy minimum-numeric,
password-policy minimum-special, password-policy authenticate enable, clear configure
password-policy, show running-config password-policy.
We introduced the following screen: Configuration > Device Management > Users/AAA > Password
Policy.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
Support for SSH public key authentication
You can now enable public key authentication for SSH connections to the ASA on a per-user
basis using a Base64-encoded key of up to 2048 bits.
We introduced the following command: ssh authentication.
We introduced the following screen: Configuration > Device Management >
Users/AAA > User Accounts > Edit User Account > Public Key Authentication
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
Support for Diffie-Hellman Group 14 for the SSH Key Exchange
Support for Diffie-Hellman Group 14 for SSH Key Exchange was added. Formerly,
only Group 1 was supported.
We introduced the following command: ssh key-exchange.
We modified the following screen: Configuration > Device Management >
Management Access > ASDM/HTTPS/Telnet/SSH.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
Support for a maximum number of management sessions
You can set the maximum number of simultaneous ASDM, SSH, and Telnet sessions.
We introduced the following commands: quota management-session, show
running-config quota management-session, show quota management-session.
We introduced the following screen: Configuration > Device Management >
Management Access > Management Session Quota.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
Additional ephemeral Diffie-Hellman ciphers for SSL encryption
The ASA now supports the following ephemeral Diffie-Hellman (DHE) SSL
cipher suites:
• DHE-AES128-SHA1
• DHE-AES256-SHA1
These cipher suites are specified in RFC 3268, Advanced Encryption Standard
(AES) Ciphersuites for Transport Layer Security (TLS).
When supported by the client, DHE is the preferred cipher because it provides
Perfect Forward Secrecy. See the following limitations:
• DHE is not supported on SSL 3.0 connections, so make sure to also enable
TLS 1.0 for the SSL server.
!! set server version
ciscoasa(config)# ssl server-version tlsv1 sslv3
!! set client version
ciscoasa(config)# ssl client-version any
• Some popular applications do not support DHE, so include at least one other
SSL encryption method to ensure that a cipher suite common to both the
SSL client and server can be used.
• Some clients may not support DHE, including AnyConnect 2.5 and 3.0,
Cisco Secure Desktop, and Internet Explorer 9.0.
We modified the following command: ssl encryption.
We modified the following screen: Configuration > Device Management >
Advanced > SSL Settings.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
Image verification
Support for SHA-512 image integrity checking was added.
We modified the following command: verify.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
Improved pseudo-random number generation
Hardware-based noise for additional entropy was added to the software-based random number
generation process. This change makes pseudo-random number generation (PRNG) more random and
more difficult for attackers to get a repeatable pattern or guess the next random number to be
used for encryption and decryption operations. Two changes were made to improve PRNG:
• Use the current hardware-based RNG for random data to use as one of the
parameters for software-based RNG.
• If the hardware-based RNG is not available, use additional hardware noise
sources for software-based RNG. Depending on your model, the following
hardware sensors are used:
◦ASA 5505—Voltage sensors.
◦ASA 5510 and 5550—Fan speed sensors.
◦ASA 5520, 5540, and 5580—Temperature sensors.
◦ASA 5585-X—Fan speed sensors.
We introduced the following commands: show debug menu cts [128 | 129]
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
Remote Access Features
Clientless SSL VPN: Enhanced quality for rewriter engines
The clientless SSL VPN rewriter engines were significantly improved to provide
better quality and efficacy. As a result, you can expect a better end-user experience
for clientless SSL VPN users.
We did not add or modify any commands for this feature.
We did not add or modify any ASDM screens for this feature.
This feature is not available in 8.5(1), 8.6(1), or 8.7(1).
Failover Features
Configure the connection replication rate during a bulk sync
You can now configure the rate at which the ASA replicates connections to the standby unit when
using Stateful Failover. By default, connections are replicated to the standby unit during a 15
second period. However, when a bulk sync occurs (for example, when you first enable failover),
15 seconds may not be long enough to sync large numbers of connections due to a limit on the
maximum connections per second. For example, the maximum connections on the ASA is 8 million;
replicating 8 million connections in 15 seconds means creating 533 K connections per second.
However, the maximum connections allowed per second is 300 K. You can now specify the rate of
replication to be less than or equal to the maximum connections per second, and the sync period
will be adjusted until all the connections are synced.
We introduced the following command: failover replication rate rate.
This feature is not available in 8.6(1) or 8.7(1). This feature is also in 8.5(1.7).
Application Inspection Features
SunRPC change from dynamic ACL to pin-hole mechanism
Previously, Sun RPC inspection did not support outbound access lists because the inspection
engine used dynamic access lists instead of secondary connections. In this release, when you
configure dynamic access lists on the ASA, they are supported on the ingress direction only
and the ASA drops egress traffic destined to dynamic ports. Therefore, Sun RPC inspection now
implements a pinhole mechanism to support egress traffic, and uses this pinhole mechanism to
support outbound dynamic access lists.
This feature is not available in 8.5(1), 8.6(1), or 8.7(1).
Inspection reset action change
Previously, when the ASA dropped a packet due to an inspection engine rule, the
ASA sent only one RST to the source device of the dropped packet. This behavior
could cause resource issues.
In this release, when you configure an inspection engine to use a reset action and
a packet triggers a reset, the ASA sends a TCP reset under the following conditions:
• The ASA sends a TCP reset to the inside host when the service
resetoutbound command is enabled. (The service resetoutbound command
is disabled by default.)
• The ASA sends a TCP reset to the outside host when the service
resetinbound command is enabled. (The service resetinbound command
is disabled by default.)
For more information, see the service command in the ASA command reference.
This behavior ensures that a reset action will reset the connections on the ASA
and on inside servers; therefore countering denial of service attacks. For outside
hosts, the ASA does not send a reset by default and information is not revealed
through a TCP reset.
This feature is not available in 8.5(1), 8.6(1), or 8.7(1).
Module Features
ASA 5585-X support for the ASA CX SSP-10 and -20
The ASA CX module lets you enforce security based on the complete context of a situation. This
context includes the identity of the user (who), the application or website that the user is
trying to access (what), the origin of the access attempt (where), the time of the attempted
access (when), and the properties of the device used for the access (how). With the ASA CX
module, you can extract the full context of a flow and enforce granular policies such as
permitting access to Facebook but denying access to games on Facebook or permitting finance
employees access to a sensitive enterprise database but denying the same to other employees.
We introduced or modified the following commands: capture, cxsc, cxsc auth-proxy, debug cxsc,
hw-module module password-reset, hw-module module reload, hw-module module reset, hw-module
module shutdown, session do setup host ip, session do get-config, session do password-reset,
show asp table classify domain cxsc, show asp table classify domain cxsc-auth-proxy, show
capture, show conn, show module, show service-policy.
We introduced the following screens:
Home > ASA CX Status
Wizards > Startup Wizard > ASA CX Basic Configuration
Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions >
ASA CX Inspection
ASA 5585-X support for network modules
The ASA 5585-X now supports additional interfaces on network modules in slot 1. You can install
one or two of the following optional network modules:
• ASA 4-port 10G Network Module
• ASA 8-port 10G Network Module
• ASA 20-port 1G Network Module
This feature is not available in 9.0(1), 9.0(2), or 9.1(1).
New Features in ASA 8.4(3)/ASDM 6.4(7)
Released: January 9, 2012
Feature
Description
NAT Features
Round robin PAT pool allocation uses the same IP address for existing hosts
When using a PAT pool with round robin allocation, if a host has an existing
connection, then subsequent connections from that host will use the same PAT
IP address if ports are available.
We did not modify any commands.
We did not modify any screens.
This feature is not available in 8.5(1) or 8.6(1).
Flat range of PAT ports for a PAT pool
If available, the real source port number is used for the mapped port. However,
if the real port is not available, by default the mapped ports are chosen from the
same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to
65535. Therefore, ports below 1024 have only a small PAT pool.
If you have a lot of traffic that uses the lower port ranges, when using a PAT pool,
you can now specify a flat range of ports to be used instead of the three
unequal-sized tiers: either 1024 to 65535, or 1 to 65535.
We modified the following commands: nat dynamic [pat-pool mapped_object
[flat [include-reserve]]] (object network configuration mode) and nat source
dynamic [pat-pool mapped_object [flat [include-reserve]]] (global configuration
mode).
We modified the following screens:
Configuration > Firewall > NAT Rules > Add/Edit Network Object
Configuration > Firewall > NAT Rules > Add/Edit NAT Rule
This feature is not available in 8.5(1) or 8.6(1).
Extended PAT for a PAT pool
Each PAT IP address allows up to 65535 ports. If 65535 ports do not provide enough
translations, you can now enable extended PAT for a PAT pool. Extended PAT uses 65535 ports per
service, as opposed to per IP address, by including the destination address and port in the
translation information.
We modified the following commands: nat dynamic [pat-pool mapped_object
[extended]] (object network configuration mode) and nat source dynamic
[pat-pool mapped_object [extended]] (global configuration mode).
We modified the following screens:
Configuration > Firewall > NAT Rules > Add/Edit Network Object
Configuration > Firewall > NAT Rules > Add/Edit NAT Rule
This feature is not available in 8.5(1) or 8.6(1).
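The three PAT pool behaviours described above (round-robin versus fill-first address use with the 8.4(3) "same IP for existing hosts" rule, and the default port tiers versus a flat port range) are easier to reason about with a small model. The following Python is an added illustration and is not Cisco code: it reproduces only what the release-note text states (real port reused when free, mapped port drawn from the same tier 0-511, 512-1023 or 1024-65535, flat ranges 1024-65535 or 1-65535, round-robin rotation, sticky mapped IP per host). The pool addresses, host names and the assumption that translations are never freed are constructed for the demonstration, and extended PAT (per-service port space) is not modelled.

```python
"""Model of ASA PAT pool port allocation as described in the 8.4(3) and 8.5(1)
release notes. Added illustration, not Cisco code: tiers and flat ranges follow
the release-note text; addresses, hosts and the no-release assumption are constructed."""

from typing import Dict, List, Optional, Set, Tuple

# Default (tiered) behaviour: a mapped port is drawn from the same tier as the
# real source port. Port 0 is never handed out as a mapped port in this model.
TIERS: List[Tuple[int, int]] = [(0, 511), (512, 1023), (1024, 65535)]


def tier_of(port: int) -> Tuple[int, int]:
    """Return the (low, high) tier that contains a real source port."""
    for lo, hi in TIERS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port out of range: {port}")


class PatPool:
    """One dynamic PAT rule with a pool of mapped addresses (constructed model).

    flat=False           -> default three unequal tiers
    flat=True            -> single range 1024-65535 (flat keyword)
    include_reserve=True -> single range 1-65535 (flat include-reserve)
    round_robin=True     -> rotate the starting address for each new host instead
                            of exhausting one address before moving to the next
    """

    def __init__(self, addresses, flat=False, include_reserve=False, round_robin=False):
        self.addresses = list(addresses)
        self.flat, self.include_reserve, self.round_robin = flat, include_reserve, round_robin
        self.in_use: Dict[str, Set[int]] = {a: set() for a in self.addresses}
        self.cursor: Dict[str, Dict[int, int]] = {a: {} for a in self.addresses}
        self.host_addr: Dict[str, str] = {}   # 8.4(3): an existing host keeps its mapped IP
        self.rr_index = 0

    def _search_range(self, real_port: int) -> Tuple[int, int]:
        if self.flat:
            return (1, 65535) if self.include_reserve else (1024, 65535)
        return tier_of(real_port)

    def _alloc_on(self, addr: str, real_port: int) -> Optional[int]:
        used = self.in_use[addr]
        if real_port != 0 and real_port not in used:   # real port is reused when free
            used.add(real_port)
            return real_port
        lo, hi = self._search_range(real_port)
        p = self.cursor[addr].get(lo, max(lo, 1))      # resume the scan; nothing is ever freed
        while p <= hi and p in used:
            p += 1
        self.cursor[addr][lo] = p
        if p > hi:
            return None                                 # this address is exhausted in that range
        used.add(p)
        return p

    def _address_order(self, real_host: str) -> List[str]:
        if real_host in self.host_addr:                 # sticky: same mapped IP while ports remain
            first = self.host_addr[real_host]
            return [first] + [a for a in self.addresses if a != first]
        if self.round_robin:
            start = self.rr_index
            self.rr_index = (self.rr_index + 1) % len(self.addresses)
            return self.addresses[start:] + self.addresses[:start]
        return list(self.addresses)                     # fill-first (default)

    def translate(self, real_host: str, real_port: int) -> Optional[Tuple[str, int]]:
        """Return (mapped_ip, mapped_port), or None when the whole pool is exhausted."""
        for addr in self._address_order(real_host):
            port = self._alloc_on(addr, real_port)
            if port is not None:
                self.host_addr.setdefault(real_host, addr)
                return addr, port
        return None


def capacity_for_real_port(real_port: int, flat: bool = False, include_reserve: bool = False) -> int:
    """Concurrent translations one mapped address gives to hosts that all use real_port."""
    pool = PatPool(["203.0.113.10"], flat=flat, include_reserve=include_reserve)
    count = 0
    while pool.translate(f"host{count}", real_port) is not None:
        count += 1
    return count


def mapped_addresses(round_robin: bool, hosts: int = 4) -> List[str]:
    """Mapped IP chosen for the first connection of each of several distinct hosts."""
    pool = PatPool(["203.0.113.10", "203.0.113.11"], round_robin=round_robin)
    return [pool.translate(f"host{i}", 40000 + i)[0] for i in range(hosts)]


if __name__ == "__main__":
    print("real port 53, tiered:", capacity_for_real_port(53))
    print("real port 53, flat:", capacity_for_real_port(53, flat=True))
    print("real port 53, flat include-reserve:",
          capacity_for_real_port(53, flat=True, include_reserve=True))
    print("fill-first:", mapped_addresses(False))
    print("round-robin:", mapped_addresses(True))
```

Running the script shows why the flat keyword exists: with the default tiers, hosts whose real source port is below 512 share only 511 mapped ports per address, while the flat range gives them the full 1024-65535 (or 1-65535 with include-reserve) space. The round-robin run alternates addresses for new hosts, and a second connection from an already-translated host stays on its first mapped IP as long as that address still has a port in the right range.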
Configurable timeout for PAT xlate
When a PAT xlate times out (by default after 30 seconds), and the ASA reuses the port for a new
translation, some upstream routers might reject the new connection because the previous
connection might still be open on the upstream device. The PAT xlate timeout is now
configurable, to a value between 30 seconds and 5 minutes.
We introduced the following command: timeout pat-xlate.
We modified the following screen: Configuration > Firewall > Advanced >
Global Timeouts.
This feature is not available in 8.5(1) or 8.6(1).
Automatic NAT rules to translate a VPN peer’s local IP address back to the peer’s real IP
address
In rare situations, you might want to use a VPN peer’s real IP address on the inside
network instead of an assigned local IP address. Normally with VPN, the peer is
given an assigned local IP address to access the inside network. However, you
might want to translate the local IP address back to the peer’s real public IP address
if, for example, your inside servers and network security is based on the peer’s
real IP address.
You can enable this feature on one interface per tunnel group. Object NAT rules
are dynamically added and deleted when the VPN session is established or
disconnected. You can view the rules using the show nat command.
Note
Because of routing issues, we do not recommend using this feature unless
you know you need this feature; contact Cisco TAC to confirm feature
compatibility with your network. See the following limitations:
• Only supports Cisco IPsec and AnyConnect Client.
• Return traffic to the public IP addresses must be routed back to the
ASA so the NAT policy and VPN policy can be applied.
• Does not support load-balancing (because of routing issues).
• Does not support roaming (public IP changing).
We introduced the following command: nat-assigned-to-public-ip interface
(tunnel-group general-attributes configuration mode).
ASDM does not support this command; enter the command using the Command
Line Tool.
Remote Access Features
Clientless SSL VPN browser support
The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9 and Firefox 4.
Compression for DTLS and TLS
To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect 3.0 or
later. Each tunneling method configures compression separately, and the preferred
configuration is to have both SSL and DTLS compression as LZS. This feature enhances migration
from legacy VPN clients.
Note
Using data compression on high speed remote access connections passing highly compressible
data requires significant processing power on the ASA. With other activity and traffic on the
ASA, the number of sessions that can be supported on the platform is reduced.
We introduced or modified the following commands: anyconnect dtls compression [lzs | none]
and anyconnect ssl compression [deflate | lzs | none].
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN
Access > Group Policies > Edit > Edit Internal Group Policy > Advanced > AnyConnect Client >
SSL Compression.
Clientless SSL VPN Session Timeout Alerts
Allows you to create custom messages to alert users that their VPN session is
about to end because of inactivity or a session timeout.
We introduced the following commands: vpn-session-timeout alert-interval,
vpn-idle-timeout alert-interval.
We introduced the following screens:
Remote Access VPN > Configuration > Clientless SSL VPN Access > Portal
> Customizations > Add/Edit > Timeout Alerts
Remote Access VPN > Configuration > Clientless SSL VPN Access > Group
Policies > Add/Edit General
AAA Features
Increased maximum LDAP values per attribute
The maximum number of values that the ASA can receive for a single attribute
was increased from 1000 (the default) to 5000, with an allowed range of 500 to
5000. If a response message is received that exceeds the configured limit, the
ASA rejects the authentication. If the ASA detects that a single attribute has more
than 1000 values, then the ASA generates informational syslog 109036. For more
than 5000 attributes, the ASA generates error level syslog 109037.
We introduced the following command: ldap-max-value-range number (Enter
this command in aaa-server host configuration mode).
ASDM does not support this command; enter the command using the Command
Line Tool.
Support for sub-range of LDAP search results
When an LDAP search results in an attribute with a large number of values,
depending on the server configuration, it might return a sub-range of the values
and expect the ASA to initiate additional queries for the remaining value ranges.
The ASA now makes multiple queries for the remaining ranges, and combines
the responses into a complete array of attribute values.
Key vendor-specific attributes (VSAs) sent in RADIUS access request and
accounting request packets from the ASA
Four New VSAs—Tunnel Group Name (146) and Client Type (150) are sent in
RADIUS access request packets from the ASA. Session Type (151) and Session
Subtype (152) are sent in RADIUS accounting request packets from the ASA.
All four attributes are sent for all accounting request packet types: Start,
Interim-Update, and Stop. The RADIUS server (for example, ACS and ISE) can
then enforce authorization and policy attributes or use them for accounting and
billing purposes.
Troubleshooting Features
Regular expression matching for the show asp table classifier and show asp
table filter commands
You can now enter the show asp table classifier and show asp table filter
commands with a regular expression to filter output.
We modified the following commands: show asp table classifier match regex,
show asp table filter match regex.
ASDM does not support this command; enter the command using the Command
Line Tool.
New Features in ASA 8.4(2.8)/ASDM 6.4(5.106)
Released: August 31, 2011
Note
We recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific
problem that it resolves. If you decide to run an interim release in a production environment, keep in mind
that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco
TAC and will usually remain on the download site only until the next maintenance release is available. If
you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance
or feature release when it becomes available.
We will document interim release features at the time of the next maintenance or feature release. For a
list of resolved caveats for each ASA interim release, see the interim release notes available on the
Cisco.com software download site.
Feature
Description
Remote Access Features
Clientless SSL VPN browser support
The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9
and Firefox 4.
Also available in Version 8.2(5.13) and 8.3.2(25).
Compression for DTLS and TLS
To improve throughput, Cisco now supports compression for DTLS and TLS on
AnyConnect 3.0 or later. Each tunneling method configures compression
separately, and the preferred configuration is to have both SSL and DTLS
compression as LZS. This feature enhances migration from legacy VPN clients.
Note
Using data compression on high speed remote access connections passing
highly compressible data requires significant processing power on the
ASA. With other activity and traffic on the ASA, the number of sessions
that can be supported on the platform is reduced.
We introduced or modified the following commands: anyconnect dtls
compression [lzs | none] and anyconnect ssl compression [deflate | lzs | none].
We modified the following screen: Configuration > Remote Access VPN >
Clientless SSL VPN Access > Group Policies > Edit > Edit Internal Group
Policy > Advanced > AnyConnect Client > SSL Compression.
Also available in Version 8.2(5.13) and 8.3.2(25).
Clientless SSL VPN
Session Timeout Alerts
Allows you to create custom messages to alert users that their VPN session is
about to end because of inactivity or a session timeout.
We introduced the following commands: vpn-session-timeout alert-interval,
vpn-idle-timeout alert-interval.
We introduced the following screens:
Remote Access VPN > Configuration > Clientless SSL VPN Access > Portal
> Customizations > Add/Edit > Timeout Alerts
Remote Access VPN > Configuration > Clientless SSL VPN Access > Group
Policies > Add/Edit General
AAA Features
Increased maximum LDAP values per attribute
The maximum number of values that the ASA can receive for a single attribute
was increased from 1000 (the default) to 5000, with an allowed range of 500 to
5000. If a response message is received that exceeds the configured limit, the
ASA rejects the authentication. If the ASA detects that a single attribute has more
than 1000 values, then the ASA generates informational syslog 109036. For more
than 5000 attributes, the ASA generates error level syslog 109037.
We introduced the following command: ldap-max-value-range number (Enter
this command in aaa-server host configuration mode).
ASDM does not support this command; enter the command using the Command
Line Tool.
Support for sub-range of LDAP search results
When an LDAP search results in an attribute with a large number of values,
depending on the server configuration, it might return a sub-range of the values
and expect the ASA to initiate additional queries for the remaining value ranges.
The ASA now makes multiple queries for the remaining ranges, and combines
the responses into a complete array of attribute values.
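The two LDAP entries above (the per-attribute value limit and the sub-range follow-up queries, listed for both 8.4(3) and 8.4(2.8)) describe a client-side loop that is easy to get wrong. The following is an added example, not Cisco code: it models a directory that answers in ranged chunks using the Active Directory naming convention (attribute names of the form memberOf;range=low-high, with * marking the last chunk; that convention is an assumption, not something the text states), follows the ranges, merges the values, and rejects the authentication once the configured limit is exceeded. The directory contents, the page size and the FakeDirectory class are constructed for the example.

```python
import re

# Ranged-retrieval naming convention (assumed Active Directory style):
# 'attr;range=low-high', with high == '*' on the final chunk.
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$")


class FakeDirectory:
    """Constructed stand-in for an LDAP server that hands back at most
    page_size values of a multi-valued attribute per query."""

    def __init__(self, entries, page_size=1500):
        self.entries = entries          # {dn: {attribute: [values]}}
        self.page_size = page_size
        self.queries = 0                # round trips the client has made

    def search(self, dn, attribute):
        """Return {returned_attribute_name: values} for one query."""
        self.queries += 1
        m = RANGE_RE.match(attribute)
        base, low = (m["attr"], int(m["low"])) if m else (attribute, 0)
        values = self.entries[dn].get(base, [])
        if m is None and len(values) <= self.page_size:
            return {base: list(values)}       # small enough: no ranging
        high = min(low + self.page_size, len(values))
        tag = "*" if high == len(values) else str(high - 1)
        return {"%s;range=%d-%s" % (base, low, tag): values[low:high]}


class TooManyValues(Exception):
    """Raised when an attribute exceeds the configured per-attribute limit."""


def fetch_all_values(directory, dn, attribute, max_values):
    """Follow ranged results until the '*' chunk, merging the chunks into one
    list; stop as soon as the configured limit is exceeded so an oversized
    attribute cannot make the client fetch without bound."""
    collected, query = [], attribute
    while True:
        (name, chunk), = directory.search(dn, query).items()
        collected.extend(chunk)
        if len(collected) > max_values:
            raise TooManyValues("%s has more than %d values" % (attribute, max_values))
        m = RANGE_RE.match(name)
        if m is None or m["high"] == "*":
            return collected
        query = "%s;range=%d-*" % (m["attr"], int(m["high"]) + 1)


def authorize(directory, dn, attribute="memberOf", max_values=1000):
    """Model of the decision the text describes: read the user's group list,
    reject the authentication when the attribute exceeds the limit, and note
    the informational event (109036) the text gives for more than 1000 values."""
    result = {"accepted": False, "values": 0, "syslog": None}
    try:
        values = fetch_all_values(directory, dn, attribute, max_values)
    except TooManyValues:
        return result
    result.update(accepted=True, values=len(values))
    if len(values) > 1000:
        result["syslog"] = 109036
    return result


if __name__ == "__main__":
    # Constructed user with 3200 group memberships (constructed DN and groups).
    dn = "cn=alice,dc=example,dc=test"
    big = FakeDirectory({dn: {"memberOf": ["cn=g%d" % i for i in range(3200)]}})
    print(authorize(big, dn, max_values=5000), "queries:", big.queries)
    big2 = FakeDirectory({dn: {"memberOf": ["cn=g%d" % i for i in range(3200)]}})
    print(authorize(big2, dn, max_values=1000), "queries:", big2.queries)
```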
Troubleshooting Features
Regular expression matching for the show asp table classifier and show asp
table filter commands
You can now enter the show asp table classifier and show asp table filter
commands with a regular expression to filter output.
We modified the following commands: show asp table classifier match regex,
show asp table filter match regex.
ASDM does not support this command; enter the command using the Command
Line Tool.
Also available in Version 8.2(5.13) and 8.3.2(25).
New Features in ASA 8.4(2)/ASDM 6.4(5)
Released: June 20, 2011
Feature
Description
Firewall Features
Identity Firewall
Typically, a firewall is not aware of the user identities and, therefore, cannot apply
security policies based on identity.
The Identity Firewall in the ASA provides more granular access control based on
users’ identities. You can configure access rules and security policies based on
usernames and user group names rather than on source IP addresses. The
ASA applies the security policies based on an association of IP addresses to
Windows Active Directory login information and reports events based on the
mapped usernames instead of network IP addresses.
The Identity Firewall integrates with Windows Active Directory in conjunction
with an external Active Directory (AD) Agent that provides the actual identity
mapping. The ASA uses Windows Active Directory as the source to retrieve the
current user identity information for specific IP addresses.
In an enterprise, some users log onto the network by using other authentication
mechanisms, such as authenticating with a web portal (cut-through proxy) or by
using a VPN. You can configure the Identity Firewall to allow these types of
authentication in connection with identity-based access policies.
We introduced or modified the following commands: user-identity enable,
user-identity default-domain, user-identity domain, user-identity logout-probe,
user-identity inactive-user-timer, user-identity poll-import-user-group-timer,
user-identity action netbios-response-fail, user-identity user-not-found,
user-identity action ad-agent-down, user-identity action
mac-address-mismatch, user-identity action domain-controller-down,
user-identity ad-agent active-user-database, user-identity ad-agent hello-timer,
user-identity ad-agent aaa-server, user-identity update import-user,
user-identity static user, ad-agent-mode, dns domain-lookup, dns poll-timer,
dns expire-entry-timer, object-group user, show user-identity, show dns,
clear configure user-identity, clear dns, debug user-identity, test aaa-server
ad-agent.
We introduced the following screens:
Configuration > Firewall > Identity Options. Configuration > Firewall >
Objects > Local User Groups
Monitoring > Properties > Identity
We modified the following screen:
Configuration > Device Management > Users/AAA > AAA Server Groups >
Add/Edit Server Group.
Identity NAT configurable proxy ARP and route lookup
In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup
was always used to determine the egress interface. You could not configure these
settings. In 8.4(2) and later, the default behavior for identity NAT was changed
to match the behavior of other static NAT configurations: proxy ARP is enabled,
and the NAT configuration determines the egress interface (if specified) by default.
You can leave these settings as is, or you can enable or disable them discretely.
Note that you can now also disable proxy ARP for regular static NAT.
For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0
access-list command) to 8.4(2) and later now includes the following keywords
to disable proxy ARP and to use a route lookup: no-proxy-arp and route-lookup.
The unidirectional keyword that was used for migrating to 8.3(2) and 8.4(1) is
no longer used for migration. When upgrading to 8.4(2) from 8.3(1), 8.3(2), and
8.4(1), all identity NAT configurations will now include the no-proxy-arp and
route-lookup keywords, to maintain existing functionality. The unidirectional
keyword is removed.
We modified the following commands: nat static [no-proxy-arp] [route-lookup]
(object network) and nat source static [no-proxy-arp] [route-lookup] (global).
We modified the following screens:
Configuration > Firewall > NAT Rules > Add/Edit Network Object >
Advanced NAT Settings
Configuration > Firewall > NAT Rules > Add/Edit NAT Rule
PAT pool and round robin address assignment
You can now specify a pool of PAT addresses instead of a single address. You
can also optionally enable round-robin assignment of PAT addresses instead of
first using all ports on a PAT address before using the next address in the pool.
These features help prevent a large number of connections from a single PAT
address from appearing to be part of a DoS attack and make configuration of
large numbers of PAT addresses easy.
Note
Currently in 8.4(2), the PAT pool feature is not available as a fallback
method for dynamic NAT or PAT. You can only configure the PAT pool
as the primary method for dynamic PAT (CSCtq20634).
We modified the following commands: nat dynamic [pat-pool mapped_object
[round-robin]] (object network) and nat source dynamic [pat-pool
mapped_object [round-robin]] (global).
We modified the following screens:
Configuration > Firewall > NAT Rules > Add/Edit Network Object
Configuration > Firewall > NAT Rules > Add/Edit NAT Rule
IPv6 Inspection
You can configure IPv6 inspection by configuring a service policy to selectively
block IPv6 traffic based on the extension header. IPv6 packets are subjected to
an early security check. The ASA always passes hop-by-hop and destination
option types of extension headers while blocking router header and no next header.
You can enable default IPv6 inspection or customize IPv6 inspection. By defining
a policy map for IPv6 inspection you can configure the ASA to selectively drop
IPv6 packets based on the following types of extension headers found anywhere in
the IPv6 packet:
• Hop-by-Hop Options
• Routing (Type 0)
• Fragment
• Destination Options
• Authentication
• Encapsulating Security Payload
We modified the following commands: policy-map type inspect ipv6,
verify-header, match header, match header routing-type, match header
routing-address count gt, match header count gt.
We introduced the following screen: Configuration > Firewall > Objects >
Inspect Maps > IPv6.
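To make the match types above concrete, here is an added example that is not Cisco code: a small Python model that walks the extension-header chain of a raw IPv6 packet and applies a policy built from the same four kinds of match the entry lists (a header type that is present, a routing header of a given type, a routing header carrying more than N addresses, and more than N extension headers in total). The packet builder, the addresses (RFC 3849 documentation prefix) and the POLICY dictionary are constructed for the example.

```python
import struct

# IPv6 Next Header values for the extension headers the inspection can act on.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AUTH, DEST_OPTS = 0, 43, 44, 50, 51, 60
NO_NEXT_HEADER = 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AUTH, DEST_OPTS}


def parse_ext_headers(pkt):
    """Walk the extension-header chain of a raw IPv6 packet and return a list
    of (header_type, info) in chain order; for routing headers, info holds
    the routing type and the number of 16-byte addresses carried."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []
    while nxt in EXT_HEADERS:
        if nxt == ESP:
            chain.append((ESP, {}))   # what follows ESP is encrypted: chain ends
            break
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        next_nxt, hdr_ext_len = pkt[off], pkt[off + 1]
        if nxt == FRAGMENT:
            length = 8                       # fixed-size header
        elif nxt == AUTH:
            length = (hdr_ext_len + 2) * 4   # AH counts in 4-byte units
        else:
            length = (hdr_ext_len + 1) * 8   # all others in 8-byte units
        if off + length > len(pkt):
            raise ValueError("truncated extension header")
        info = {}
        if nxt == ROUTING:
            # 16-byte addresses follow the 8-byte fixed part, so hdr_ext_len // 2
            # addresses fit (exact for type 0, an upper bound for other types).
            info = {"routing_type": pkt[off + 2], "segments_left": pkt[off + 3],
                    "address_count": hdr_ext_len // 2}
        chain.append((nxt, info))
        nxt, off = next_nxt, off + length
    return chain


def inspect(pkt, policy):
    """Apply a policy with the four kinds of match listed in the text and
    return ("drop", reason) or ("pass", "")."""
    chain = parse_ext_headers(pkt)
    if len(chain) > policy.get("max_headers", len(chain)):
        return "drop", "header count gt %d" % policy["max_headers"]
    for htype, info in chain:
        if htype in policy.get("drop_headers", ()):
            return "drop", "header type %d present" % htype
        if htype == ROUTING:
            if info["routing_type"] in policy.get("drop_routing_types", ()):
                return "drop", "routing-type %d" % info["routing_type"]
            limit = policy.get("max_routing_addresses", info["address_count"])
            if info["address_count"] > limit:
                return "drop", "routing-address count gt %d" % limit
    return "pass", ""


# --- constructed packets for the example -----------------------------------
def routing_header(routing_type, addresses):
    """Routing header listing the given 16-byte addresses (Next Header byte
    is filled in later by build_packet)."""
    fixed = bytes([0, 2 * len(addresses), routing_type, len(addresses), 0, 0, 0, 0])
    return fixed + b"".join(addresses)


def hop_by_hop_pad():
    """Hop-by-Hop Options header carrying only a PadN option (8 bytes)."""
    return bytes([0, 0, 1, 4, 0, 0, 0, 0])


def fragment_header():
    """Fragment header with offset 0, M flag clear, identification 1."""
    return bytes([0, 0, 0, 0]) + (1).to_bytes(4, "big")


def build_packet(headers, last_proto=NO_NEXT_HEADER):
    """Chain the given (type, raw_header) pairs behind a fixed IPv6 header,
    filling each Next Header byte so the chain links up."""
    types = [t for t, _ in headers] + [last_proto]
    body = b"".join(bytes([types[i + 1]]) + raw[1:] for i, (_, raw) in enumerate(headers))
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")   # 2001:db8::1 (constructed)
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")   # 2001:db8::2 (constructed)
    return struct.pack("!IHBB", 0x60000000, len(body), types[0], 64) + src + dst + body


# Constructed policy in the spirit of the entry: drop fragments and type 0
# routing headers, cap routing addresses at 2 and total extension headers at 3.
POLICY = {"drop_headers": {FRAGMENT}, "drop_routing_types": {0},
          "max_routing_addresses": 2, "max_headers": 3}
ADDR = [bytes.fromhex("20010db8" + "0" * 20 + "%04x" % i) for i in range(1, 5)]

if __name__ == "__main__":
    samples = {
        "hop-by-hop only": build_packet([(HOP_BY_HOP, hop_by_hop_pad())]),
        "routing type 0": build_packet([(ROUTING, routing_header(0, ADDR[:1]))]),
        "routing type 2, 3 addrs": build_packet([(ROUTING, routing_header(2, ADDR[:3]))]),
        "four headers": build_packet([(HOP_BY_HOP, hop_by_hop_pad())] * 4),
    }
    for name, pkt in samples.items():
        print("%-24s %s" % (name, inspect(pkt, POLICY)))
```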
Remote Access Features
Portal Access Rules
This enhancement allows customers to configure a global clientless SSL VPN
access policy to permit or deny clientless SSL VPN sessions based on the data
present in the HTTP header. If denied, an error code is returned to the clients.
This denial is performed before user authentication and thus minimizes the use
of processing resources.
We modified the following command: webvpn portal-access-rule.
We modified the following screen: Configuration > Remote Access VPN >
Clientless SSL VPN Access > Portal > Portal Access Rules.
Also available in Version 8.2(5).
Clientless support for Microsoft Outlook Web App 2010
The ASA 8.4(2) clientless SSL VPN core rewriter now supports Microsoft Outlook
Web App 2010.
Secure Hash Algorithm SHA-2 Support for IPsec IKEv2 Integrity and PRF
This release supports the Secure Hash Algorithm SHA-2 for increased
cryptographic hashing security for IPsec/IKEv2 AnyConnect Secure Mobility
Client connections to the ASA. SHA-2 includes hash functions with digests of
256, 384, or 512 bits, to meet U.S. government requirements.
We modified the following commands: integrity, prf, show crypto ikev2 sa
detail, show vpn-sessiondb detail remote.
We modified the following screen: Configuration > Remote Access VPN >
Network (Client) Access > Advanced > IPsec > IKE Policies > Add/Edit
IKEv2 Policy (Proposal).
Secure Hash Algorithm SHA-2 Support for Digital Signature over IPsec IKEv2
This release supports the use of SHA-2 compliant signature algorithms to
authenticate IPsec IKEv2 VPN connections that use digital certificates, with the
hash sizes SHA-256, SHA-384, and SHA-512.
SHA-2 digital signature for IPsec IKEv2 connections is supported with the
AnyConnect Secure Mobility Client, Version 3.0.1 or later.
Split Tunnel DNS policy for AnyConnect
This release includes a new policy pushed down to the AnyConnect Secure
Mobility Client for resolving DNS addresses over split tunnels. This policy applies
to VPN connections using the SSL or IPsec/IKEv2 protocol and instructs the
AnyConnect client to resolve all DNS addresses through the VPN tunnel. If DNS
resolution fails, the address remains unresolved and the AnyConnect client does
not try to resolve the address through public DNS servers.
By default, this feature is disabled. The client sends DNS queries over the tunnel
according to the split tunnel policy: tunnel all networks, tunnel networks specified
in a network list, or exclude networks specified in a network list.
We introduced the following command: split-tunnel-all-dns.
We modified the following screen: Configuration > Remote Access VPN >
Network (Client) Access > Group Policies > Add/Edit Group Policy >
Advanced > Split Tunneling (see the Send All DNS Lookups Through Tunnel
check box).
Also available in Version 8.2(5).
Mobile Posture (formerly referred to as AnyConnect Identification Extensions
for Mobile Device Detection)
You can now configure the ASA to permit or deny VPN connections to mobile
devices, enable or disable mobile device access on a per group basis, and gather
information about connected mobile devices based on a mobile device’s posture
data. The following mobile platforms support this capability: AnyConnect for
iPhone/iPad/iPod Versions 2.5.x and AnyConnect for Android Version 2.4.x.
Licensing Requirements
Enforcing remote access controls and gathering posture data from mobile devices
requires an AnyConnect Mobile license and either an AnyConnect Essentials or
AnyConnect Premium license to be installed on the ASA. You receive the
following functionality based on the license you install:
• AnyConnect Premium License Functionality
Enterprises that install the AnyConnect Premium license will be able to enforce
DAP policies, on supported mobile devices, based on these DAP attributes and
any other existing endpoint attributes. This includes allowing or denying remote
access from a mobile device.
• AnyConnect Essentials License Functionality
Enterprises that install the AnyConnect Essentials license will be able to do the
following:
• Enable or disable mobile device access on a per group basis and to configure
that feature using ASDM.
• Display information about connected mobile devices via CLI or ASDM
without having the ability to enforce DAP policies or deny or allow remote
access to those mobile devices.
We modified the following screen: Configuration > Remote Access VPN >
Network (Client) Access > Dynamic Access Policies > Add/Edit Endpoint
Attributes > Endpoint Attribute Type:AnyConnect.
Also available in Version 8.2(5).
SSL SHA-2 digital signature
You can now use SHA-2 compliant signature algorithms to authenticate SSL
VPN connections that use digital certificates. Our support for SHA-2 includes all
three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect
2.5(1) or later (2.5(2) or later recommended). This release does not support SHA-2
for other uses or products.
Caution: To support failover of SHA-2 connections, the standby ASA must be
running the same image.
We modified the following command: show crypto ca certificate (the Signature
Algorithm field identifies the digest algorithm used when generating the signature).
We did not modify any screens.
Also available in Version 8.2(5).
SHA2 certificate signature support for Microsoft Windows 7 and Android-native
VPN clients
ASA supports SHA2 certificate signature support for Microsoft Windows 7 and
Android-native VPN clients when using the L2TP/IPsec protocol.
We did not modify any commands.
We did not modify any screens.
Also available in Version 8.2(5).
Enable/disable certificate mapping to override the group-url attribute
This feature changes the preference of a connection profile during the connection
profile selection process. By default, if the ASA matches a certificate field value
specified in a connection profile to the field value of the certificate used by the
endpoint, the ASA assigns that profile to the VPN connection. This optional
feature changes the preference to a connection profile that specifies the group
URL requested by the endpoint. The new option lets administrators rely on the
group URL preference used by many older ASA software releases.
We introduced the following command: tunnel-group-preference.
We modified the following screens:
Configuration > Remote Access VPN > Clientless SSL VPN > Connection
Profiles
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect
Connection Profiles
Also available in Version 8.2(5).
ASA 5585-X Features
Support for Dual SSPs for SSP-40 and SSP-60
For SSP-40 and SSP-60, you can use two SSPs of the same level in the same
chassis. Mixed-level SSPs are not supported (for example, an SSP-40 with an
SSP-60 is not supported). Each SSP acts as an independent device, with separate
configurations and management. You can use the two SSPs as a failover pair if
desired.
Note
When using two SSPs in the chassis, VPN is not supported; note,
however, that VPN has not been disabled.
We modified the following commands: show module, show inventory, show
environment.
We did not modify any screens.
Support for the IPS SSP-10, -20, -40, and -60
We introduced support for the IPS SSP-10, -20, -40, and -60 for the ASA 5585-X.
You can only install the IPS SSP with a matching-level SSP; for example, SSP-10
and IPS SSP-10.
Also available in Version 8.2(5).
CSC SSM Features
CSC SSM Support
For the CSC SSM, support for the following features has been added:
• HTTPS traffic redirection: URL filtering and WRS queries for incoming
HTTPS connections.
• Configuring global approved whitelists for incoming and outgoing SMTP
and POP3 e-mail.
• E-mail notification for product license renewals.
We did not modify any commands.
We modified the following screens:
Configuration > Trend Micro Content Security > Mail > SMTP
Configuration > Trend Micro Content Security > Mail > POP3
Configuration > Trend Micro Content Security > Host/Notification Settings
Configuration > Trend Micro Content Security > CSC Setup > Host
Configuration
Monitoring Features
Smart Call-Home
Anonymous Reporting
Customers can now help to improve the ASA platform by enabling Anonymous
Reporting, which allows Cisco to securely receive minimal error and health
information from the device.
We introduced the following commands: call-home reporting anonymous,
call-home test reporting anonymous.
We modified the following screen: Configuration > Device Monitoring > Smart
Call-Home.
Also available in Version 8.2(5).
IF-MIB ifAlias OID support
The ASA now supports the ifAlias OID. When you browse the IF-MIB, the ifAlias
OID will be set to the value that has been set for the interface description.
Also available in Version 8.2(5).
Interface Features
Support for Pause Frames for Flow Control on 1-Gigabit Ethernet Interface
You can now enable pause (XOFF) frames for flow control on 1-Gigabit Ethernet
interfaces; support was previously added for 10-Gigabit Ethernet interfaces in
8.2(2).
We modified the following command: flowcontrol.
We modified the following screens:
(Single Mode) Configuration > Device Setup > Interfaces > Add/Edit Interface
> General
(Multiple Mode, System) Configuration > Interfaces > Add/Edit Interface
Also available in Version 8.2(5).
Management Features
Increased SSH security; the SSH default username is no longer supported
Starting in 8.4(2), you can no longer connect to the ASA using SSH with the pix
or asa username and the login password. To use SSH, you must configure AAA
authentication using the aaa authentication ssh console LOCAL command (CLI)
or Configuration > Device Management > Users/AAA > AAA Access >
Authentication (ASDM); then define a local user by entering the username
command (CLI) or choosing Configuration > Device Management > Users/AAA
> User Accounts (ASDM). If you want to use a AAA server for authentication
instead of the local database, we recommend also configuring local authentication
as a backup method.
Unified Communications Features
ASA-Tandberg Interoperability with H.323 Inspection
H.323 Inspection now supports uni-directional signaling for two-way video
sessions. This enhancement allows H.323 Inspection of one-way video conferences
supported by Tandberg video phones. Supporting uni-directional signaling allows
Tandberg phones to switch video modes (close their side of an H.263 video session
and reopen the session using H.264, the compression standard for high-definition
video).
We did not modify any commands.
We did not modify any screens.
Also available in Version 8.2(5).
Routing Features
Timeout for connections using a backup static route
When multiple static routes exist to a network with different metrics, the ASA
uses the one with the best metric at the time of connection creation. If a better
route becomes available, then this timeout lets connections be closed so a
connection can be reestablished to use the better route. The default is 0 (the
connection never times out). To take advantage of this feature, change the timeout
to a new value.
We modified the following command: timeout floating-conn.
We modified the following screen: Configuration > Firewall > Advanced >
Global Timeouts.
Also available in Version 8.2(5).
ASDM Features
Migrate Network Object Group Members
If you migrate to 8.3 or later, the ASA creates named network objects to replace
inline IP addresses in some features. In addition to named objects, ASDM
automatically creates non-named objects for any IP addresses used in the
configuration. These auto-created objects are identified by the IP address only,
do not have a name, and are not present as named objects in the platform
configuration.
When the ASA creates named objects as part of the migration, the matching
non-named ASDM-only objects are replaced with the named objects. The only
exception is non-named objects in a network object group. When the ASA creates
named objects for IP addresses that are inside a network object group, ASDM
retains the non-named objects as well, creating duplicate objects in ASDM. To
merge these objects, choose Tools > Migrate Network Object Group Members.
We introduced the following screen: Tools > Migrate Network Object Group
Members.
See Cisco ASA 5500 Migration to Version 8.3 and Later for more information.
New Features in ASA 8.4(1.11)/ASDM 6.4(2)
Released: May 20, 2011
Note
We recommend that you upgrade to a Cisco.com-posted interim release only if you have a specific problem
that it resolves. If you decide to run an interim release in a production environment, keep in mind that
only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC
and will remain on the download site only until the next maintenance release is available. If you choose
to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature
release when it becomes available. We will document interim release features at the time of the next
maintenance or feature release. For a list of resolved caveats for each interim release, see the interim
release notes available on the Cisco.com software download site.
Feature
Description
Firewall Features
PAT pool and round robin address assignment
You can now specify a pool of PAT addresses instead of a single address. You
can also optionally enable round-robin assignment of PAT addresses instead of
first using all ports on a PAT address before using the next address in the pool.
These features help prevent a large number of connections from a single PAT
address from appearing to be part of a DoS attack and make configuration of
large numbers of PAT addresses easy.
Note
Currently in 8.4(1.11), the PAT pool feature is not available as a fallback
method for dynamic NAT or PAT. You can only configure the PAT pool
as the primary method for dynamic PAT (CSCtq20634).
We modified the following commands: nat dynamic [pat-pool mapped_object
[round-robin]] (object network) and nat source dynamic [pat-pool
mapped_object [round-robin]] (global).
We modified the following screens:
Configuration > Firewall > NAT Rules > Add/Edit Network Object
Configuration > Firewall > NAT Rules > Add/Edit NAT Rule
New Features in ASA 8.4(1)/ASDM 6.4(1)
Released: January 31, 2011
Feature
Description
Hardware Features
Support for the ASA 5585-X
We introduced support for the ASA 5585-X with Security Services Processor
(SSP)-10, -20, -40, and -60.
Note
Support was previously added in 8.2(3) and 8.2(4); the ASA 5585-X is
not supported in 8.3(x).
No Payload Encryption hardware for export
You can purchase the ASA 5585-X with No Payload Encryption. For export to
some countries, payload encryption cannot be enabled on the Cisco ASA 5500
series. The ASA software senses a No Payload Encryption model, and disables
the following features:
• Unified Communications
• VPN
You can still install the Strong Encryption (3DES/AES) license for use with
management connections. For example, you can use ASDM HTTPS/SSL, SSHv2,
Telnet and SNMPv3. You can also download the dynamic database for the Botnet
Traffic Filter (which uses SSL).
Remote Access Features
L2TP/IPsec Support on Android Platforms
We now support VPN connections between Android mobile devices and ASA
5500 series devices, when using the L2TP/IPsec protocol and the native Android
VPN client. Mobile devices must be using the Android 2.1, or later, operating
system.
Also available in Version 8.2(5).
UTF-8 Character Support for AnyConnect Passwords
AnyConnect 3.0 used with ASA 8.4(1) supports UTF-8 characters in passwords
sent using RADIUS/MSCHAP and LDAP protocols.
IPsec VPN Connections with IKEv2
Internet Key Exchange Version 2 (IKEv2) is the latest key exchange protocol
used to establish and control Internet Protocol Security (IPsec) tunnels. The ASA
now supports IPsec with IKEv2 for the AnyConnect Secure Mobility Client,
Version 3.0(1), for all client operating systems.
On the ASA, you enable IPsec connections for users in the group policy. For the
AnyConnect client, you specify the primary protocol (IPsec or SSL) for each ASA
in the server list of the client profile.
IPsec remote access VPN using IKEv2 was added to the AnyConnect Essentials
and AnyConnect Premium licenses.
Site-to-site sessions were added to the Other VPN license (formerly IPsec VPN).
The Other VPN license is included in the Base license.
We modified the following commands: vpn-tunnel-protocol, crypto ikev2 policy,
crypto ikev2 enable, crypto ipsec ikev2, crypto dynamic-map, crypto map.
We modified the following screens:
Configure > Site-to-Site VPN > Connection Profiles
Configure > Remote Access > Network (Client) Access > AnyConnect
Connection Profiles
Network (Client) Access > Advanced > IPsec > IKE Parameters > IKE Policies
Network (Client) Access > Advanced > IPsec > IKE Parameters > IKE
Parameters
Network (Client) Access > Advanced > IPsec > IKE Parameters > IKE
Proposals
SSL SHA-2 digital signature
This release supports the use of SHA-2 compliant signature algorithms to
authenticate SSL VPN connections that use digital certificates. Our support for
SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2
requires AnyConnect 2.5.1 or later (2.5.2 or later recommended). This release
does not support SHA-2 for other uses or products. This feature does not involve
configuration changes.
Caution: To support failover of SHA-2 connections, the standby ASA must be
running the same image. To support this feature, we added the Signature Algorithm
field to the show crypto ca certificate command to identify the digest algorithm
used when generating the signature.
SCEP Proxy
SCEP Proxy provides the AnyConnect Secure Mobility Client with support for
automated third-party certificate enrollment. Use this feature to support
AnyConnect with zero-touch, secure deployment of device certificates to authorize
endpoint connections, enforce policies that prevent access by non-corporate assets,
and track corporate assets. This feature requires an AnyConnect Premium license
and will not work with an Essentials license.
We introduced or modified the following commands: crypto ikev2 enable,
scep-enrollment enable, scep-forwarding-url, debug crypto ca scep-proxy,
secondary-username-from-certificate, secondary-pre-fill-username.
Host Scan Package Support
This feature provides the necessary support for the ASA to install or upgrade a
Host Scan package and enable or disable Host Scan. This package may either be
a standalone Host Scan package or one that ASA extracts from an AnyConnect
Next Generation package.
In previous releases of AnyConnect, an endpoint’s posture was determined by
Cisco Secure Desktop (CSD). Host Scan was one of many features bundled in
CSD. Unbundling Host Scan from CSD gives AnyConnect administrators greater
freedom to update and install Host Scan separately from the other features of
CSD.
We introduced the following command: csd hostscan image path.
Kerberos Constrained Delegation (KCD)
This release implements the KCD protocol transition and constrained delegation
extensions on the ASA. KCD provides Clientless SSL VPN (also known as
WebVPN) users with SSO access to any web services protected by Kerberos.
Examples of such services or applications include Outlook Web Access (OWA),
Sharepoint, and Internet Information Server (IIS).
Implementing protocol transition allows the ASA to obtain Kerberos service
tickets on behalf of remote access users without requiring them to authenticate to
the KDC (through Kerberos). Instead, a user authenticates to ASA using any of
the supported authentication mechanisms, including digital certificates and
Smartcards, for Clientless SSL VPN (also known as WebVPN). When user
authentication is complete, the ASA requests and obtains an impersonate ticket,
which is a service ticket for ASA on behalf of the user. The ASA may then use
the impersonate ticket to obtain other service tickets for the remote access user.
Constrained delegation provides a way for domain administrators to limit the
network resources that a service trusted for delegation (for example, the ASA)
can access. This task is accomplished by configuring the account under which
the service is running to be trusted for delegation to a specific instance of a service
running on a specific computer.
We modified the following commands: kcd-server, clear aaa, show aaa, test
aaa-server authentication.
We modified the following screen: Configuration > Remote Access VPN >
Clientless SSL VPN Access > Advanced > Microsoft KCD Server.
Clientless SSL VPN browser support
The ASA now supports clientless SSL VPN with Apple Safari 5.
Clientless VPN Auto Sign-on Enhancement
Smart tunnel now supports HTTP-based auto sign-on on Firefox as well as Internet
Explorer. As with Internet Explorer, the administrator decides to which hosts a
Firefox browser will automatically send credentials. For some authentication
methods, it may be necessary for the administrator to specify a realm string on
the ASA to match that on the web application (in the Add Smart Tunnel Auto
Sign-on Server window). You can now use bookmarks with macro substitutions for
auto sign-on with Smart tunnel as well.
The POST plug-in is now obsolete. The former POST plug-in was created so that
administrators could specify a bookmark with sign-on macros and receive a
kick-off page to load prior to posting the POST request. The POST plug-in
approach allowed requests that required cookies and other header items, fetched
ahead of time, to go through. The administrator can now specify pre-load pages
when creating bookmarks to achieve the same functionality. As with the POST
plug-in, the administrator specifies the pre-load page URL and the URL to send
the POST request to.
You can now replace the default preconfigured SSL VPN portal with your own
portal. The administrators do this by specifying a URL as an External Portal.
Unlike the group-policy home page, the External Portal supports POST requests
with macro substitution (for auto sign-on) as well as pre-load pages.
We introduced or modified the following command: smart-tunnel auto-signon.
We introduced or modified the following screens:
Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization
Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks > Edit > Edit Bookmark
Expanded Smart Tunnel application support
Smart Tunnel adds support for the following applications:
• Microsoft Outlook Exchange Server 2010 (native support). Users can now use
Smart Tunnel to connect Microsoft Office Outlook to a Microsoft Exchange Server.
• Microsoft Sharepoint/Office 2010. Users can now perform remote file editing
using Microsoft Office 2010 applications and Microsoft Sharepoint by using Smart
Tunnel.
Interface Features
EtherChannel support (ASA 5510 and higher)
You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
Note
You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in
slot 1 on the ASA 5550, as part of an EtherChannel.
We introduced the following commands: channel-group, lacp port-priority,
interface port-channel, lacp max-bundle, port-channel min-bundle,
port-channel load-balance, lacp system-priority, clear lacp counters, show
lacp, show port-channel.
We introduced or modified the following screens:
Configuration > Device Setup > Interfaces
Configuration > Device Setup > Interfaces > Add/Edit EtherChannel Interface
Configuration > Device Setup > Interfaces > Add/Edit Interface
Configuration > Device Setup > EtherChannel
Bridge groups for transparent mode
If you do not want the overhead of security contexts, or want to maximize your
use of security contexts, you can group interfaces together in a bridge group, and
then configure multiple bridge groups, one for each network. Bridge group traffic
is isolated from other bridge groups. You can configure up to 8 bridge groups in
single mode or per context in multiple mode, with 4 interfaces maximum per
bridge group.
Note
Although you can configure multiple bridge groups on the ASA 5505, the
restriction of 2 data interfaces in transparent mode on the ASA 5505 means you
can only effectively use 1 bridge group.
We introduced the following commands: interface bvi, bridge-group, show
bridge-group.
We modified or introduced the following screens:
Configuration > Device Setup > Interfaces
Configuration > Device Setup > Interfaces > Add/Edit Bridge Group Interface
Configuration > Device Setup > Interfaces > Add/Edit Interface
Scalability Features
Increased contexts for the ASA 5550, 5580, and 5585-X
For the ASA 5550 and ASA 5585-X with SSP-10, the maximum contexts was
increased from 50 to 100. For the ASA 5580 and 5585-X with SSP-20 and higher,
the maximum was increased from 50 to 250.
Increased VLANs for the ASA 5580 and 5585-X
For the ASA 5580 and 5585-X, the maximum VLANs was increased from 250 to 1024.
Additional platform support
Google Chrome has been added as a supported platform for ASA Version 8.4.
Both 32-bit and 64-bit platforms are supported on Windows XP, Vista, and 7 and
Mac OS X Version 6.0.
Increased connections for the ASA 5580 and 5585-X
We increased the firewall connection limits:
• ASA 5580-20: 1,000,000 to 2,000,000.
• ASA 5580-40: 2,000,000 to 4,000,000.
• ASA 5585-X with SSP-10: 750,000 to 1,000,000.
• ASA 5585-X with SSP-20: 1,000,000 to 2,000,000.
• ASA 5585-X with SSP-40: 2,000,000 to 4,000,000.
• ASA 5585-X with SSP-60: 2,000,000 to 10,000,000.
Increased AnyConnect VPN sessions for the ASA 5580
The AnyConnect VPN session limit was increased from 5,000 to 10,000.
Increased Other VPN sessions for the ASA 5580
The other VPN session limit was increased from 5,000 to 10,000.
High Availability Features
Stateful Failover with Dynamic Routing Protocols
Routes that are learned through dynamic routing protocols (such as OSPF and
EIGRP) on the active unit are now maintained in a Routing Information Base
(RIB) table on the standby unit. Upon a failover event, traffic on the secondary
active unit now passes with minimal disruption because routes are known. Routes
are synchronized only for link-up or link-down events on an active unit. If the
link goes up or down on the standby unit, dynamic routes sent from the active
unit may be lost. This is normal, expected behavior.
We modified the following commands: show failover, show route, show route
failover.
We did not modify any screens.
Unified Communication Features
Phone Proxy addition to Unified Communication Wizard
The Unified Communications wizard guides you through the complete
configuration and automatically configures required aspects for the Phone Proxy.
The wizard automatically creates the necessary TLS proxy, then guides you
through creating the Phone Proxy instance, importing and installing the required
certificates, and finally enables the SIP and SCCP inspection for the Phone Proxy
traffic automatically.
We modified the following screens:
Wizards > Unified Communications Wizard
Configuration > Firewall > Unified Communications
UC Protocol Inspection Enhancements
SIP Inspection and SCCP Inspection are enhanced to support new features in the
Unified Communications Solutions, such as SCCP v2.0 support, support for
GETPORT messages in SCCP Inspection, SDP field support in INVITE messages
with SIP Inspection, and QSIG tunneling over SIP. Additionally, the Cisco
Intercompany Media Engine supports Cisco RT Lite phones and third-party video
endpoints (such as Tandberg).
We did not modify any commands.
We did not modify any screens.
Inspection Features
DCERPC Enhancement
DCERPC Inspection was enhanced to support inspection of RemoteCreateInstance
RPC messages.
We did not modify any commands.
We did not modify any screens.
Troubleshooting and Monitoring Features
SNMP traps and MIBs
Supports the following additional keywords: connection-limit-reached, entity
cpu-temperature, cpu threshold rising, entity fan-failure, entity power-supply,
ikev2 stop | start, interface-threshold, memory-threshold, nat packet-discard,
warmstart.
The entPhysicalTable reports entries for sensors, fans, power supplies, and related
components.
Supports the following additional MIBs: ENTITY-SENSOR-MIB,
CISCO-ENTITY-SENSOR-EXT-MIB, CISCO-ENTITY-FRU-CONTROL-MIB,
CISCO-PROCESS-MIB, CISCO-ENHANCED-MEMPOOL-MIB,
CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB, NAT-MIB, EVENT-MIB,
EXPRESSION-MIB
Supports the following additional traps: warmstart, cpmCPURisingThreshold,
mteTriggerFired, cirResourceLimitReached, natPacketDiscard,
ciscoEntSensorExtThresholdNotification.
We introduced or modified the following commands: snmp cpu threshold rising,
snmp interface threshold, snmp-server enable traps.
We modified the following screen: Configuration > Device Management >
Management Access > SNMP.
TCP Ping Enhancement
TCP ping allows users whose ICMP echo requests are blocked to check
connectivity over TCP. With the TCP ping enhancement you can specify a source
IP address and a port and source interface to send pings to a hostname or an IPv4
address.
We modified the following command: ping tcp.
We modified the following screen: Tools > Ping.
Show Top CPU Processes
You can now monitor the processes that run on the CPU to obtain information
related to the percentage of the CPU used by any given process. You can also see
information about the load on the CPU, broken down per process, at 5 minutes,
1 minute, and 5 seconds prior to the log time. Information is updated automatically
every 5 seconds to provide real-time statistics, and a refresh button in the pane
allows a manual data refresh at any time.
We introduced the following command: show process cpu-usage sorted.
We introduced the following screen: Monitoring > Properties > CPU - Per
Process.
General Features
Password Encryption Visibility
You can show password encryption in a security context.
We modified the following command: show password encryption.
We did not modify any screens.
ASDM Features
ASDM Upgrade Enhancement
When ASDM loads on a device that has an incompatible ASA software version,
a dialog box notifies users that they can select from the following options:
• Upgrade the image version from Cisco.com.
• Upgrade the image version from their local drive.
• Continue with the incompatible ASDM/ASA pair (new choice).
We did not modify any screens.
This feature interoperates with all ASA versions.
Implementing IKEv2 in Wizards
IKEv2 support has been implemented into the AnyConnect VPN Wizard (formerly
SSL VPN wizard), the Clientless SSL VPN Wizard, and the Site-to-Site IPsec
VPN Wizard (formerly IPSec VPN Wizard) to comply with IPsec remote access
requirements defined in federal and public sector mandates. Along with the
enhanced security, the new support offers the same end user experience
independent of the tunneling protocol used by the AnyConnect client session.
IKEv2 also allows other vendors’ VPN clients to connect to the ASAs.
We modified the following wizards: Site-to-Site IPsec VPN Wizard, AnyConnect
VPN Wizard, and Clientless SSL VPN Wizard.
IPS Startup Wizard enhancements
For the IPS SSP in the ASA 5585-X, the IPS Basic Configuration screen was
added to the startup wizard. Signature updates for the IPS SSP were also added
to the Auto Update screen. The Time Zone and Clock Configuration screen was
added to ensure the clock is set on the ASA; the IPS SSP gets its clock from the
ASA.
We introduced or modified the following screens:
Wizards > Startup Wizard > IPS Basic Configuration
Wizards > Startup Wizard > Auto Update
Wizards > Startup Wizard > Time Zone and Clock Configuration
New Features in Version 8.3
New Features in ASA 8.3(2.25)/ASDM 6.4(5.106)
Released: August 31, 2011
Note
We recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific
problem that it resolves. If you decide to run an interim release in a production environment, keep in mind
that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco
TAC and will usually remain on the download site only until the next maintenance release is available. If
you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance
or feature release when it becomes available.
We will document interim release features at the time of the next maintenance or feature release. For a
list of resolved caveats for each ASA interim release, see the interim release notes available on the
Cisco.com software download site.
Feature
Description
Remote Access Features
Clientless SSL VPN browser support
The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9
and Firefox 4.
Also available in Version 8.2(5.13) and 8.4.2(8).
Compression for DTLS and TLS
To improve throughput, Cisco now supports compression for DTLS and TLS on
AnyConnect 3.0 or later. Each tunneling method configures compression
separately, and the preferred configuration is to have both SSL and DTLS
compression as LZS. This feature enhances migration from legacy VPN clients.
Note
Using data compression on high speed remote access connections passing
highly compressible data requires significant processing power on the
ASA. With other activity and traffic on the ASA, the number of sessions
that can be supported on the platform is reduced.
We introduced or modified the following commands: anyconnect dtls
compression [lzs | none] and anyconnect ssl compression [deflate | lzs | none].
We modified the following screen: Configuration > Remote Access VPN >
Clientless SSL VPN Access > Group Policies > Edit > Edit Internal Group
Policy > Advanced > AnyConnect Client > SSL Compression.
Also available in Version 8.2(5.13) and 8.4.2(8).
Troubleshooting Features
Regular expression matching for the show asp table classifier and show asp table filter commands
You can now enter the show asp table classifier and show asp table filter
commands with a regular expression to filter output.
We modified the following commands: show asp table classifier match regex,
show asp table filter match regex.
ASDM does not support this command; enter the command using the Command
Line Tool.
Also available in Version 8.2(5.13) and 8.4.2(8).
New Features in ASA 8.3(2)/ASDM 6.3(2)
Released: August 2, 2010
Feature
Description
Monitoring Features
Enhanced logging and connection blocking
When you configure a syslog server to use TCP, and the syslog server is
unavailable, the ASA blocks new connections that generate syslog messages until
the server becomes available again (for example, VPN, firewall, and
cut-through-proxy connections). This feature has been enhanced to also block
new connections when the logging queue on the ASA is full; connections resume
when the logging queue is cleared.
This feature was added for compliance with Common Criteria EAL4+. Unless
required, we recommend allowing new connections when syslog messages cannot
be sent. To allow new connections, configure the syslog server to use UDP, or use
the logging permit-hostdown command, or check the Allow user traffic to pass
when TCP syslog server is down check box on the Configuration > Device
Management > Logging > Syslog Servers pane.
The following commands were modified: show logging.
The following syslog messages were introduced: 414005, 414006, 414007, and
414008.
No ASDM screens were modified.
Syslog message filtering and sorting
Support has been added for the following:
• Syslog message filtering based on multiple text strings that correspond to
various columns
• Creation of custom filters
• Column sorting of messages. For detailed information, see the ASDM
configuration guide.
The following screens were modified:
Monitoring > Logging > Real-Time Log Viewer > View
Monitoring > Logging > Log Buffer Viewer > View
This feature interoperates with all ASA versions.
Clearing syslog messages for the CSC SSM
Support for clearing syslog messages has been added in the Latest CSC Security
Events pane.
The following screen was modified: Home > Content Security.
This feature interoperates with all ASA versions.
Remote Access Features
2048-bit RSA certificate and Diffie-Hellman Group 5 (DH5) performance improvement
(ASA 5510, ASA 5520, ASA 5540, and ASA 5550 only) We strongly recommend
that you enable hardware processing instead of software for large modulus
operations such as 2048-bit certificates and DH5 keys. If you continue to use
software processing for large keys, you could experience significant performance
degradation due to slow session establishment for IPsec and SSL VPN connections.
We recommend that you initially enable hardware processing during a low-use
or maintenance period to minimize a temporary packet loss that can occur during
the transition of processing from software to hardware.
Note
For the ASA 5540 and ASA 5550 using SSL VPN, in specific load
conditions, you may want to continue to use software processing for large
keys. If VPN sessions are added very slowly and the ASA runs at
capacity, then the negative impact to data throughput is larger than the
positive impact for session establishment.
The following commands were introduced or modified: crypto engine
large-mod-accel, clear configure crypto engine, show running-config crypto
engine, and show running-config crypto.
In ASDM, use the Command Line Interface tool to enter the crypto engine
large-mod-accel command.
Also available in Version 8.2(3).
Microsoft Internet Explorer proxy lockdown control
Enabling this feature hides the Connections tab in Microsoft Internet Explorer for
the duration of an AnyConnect VPN session. Disabling the feature leaves the
display of the Connections tab unchanged; the default setting for the tab can be
shown or hidden, depending on the user registry settings.
The following command was introduced: msie-proxy lockdown.
In ASDM, use the Command Line Interface tool to enter this command.
Also available in Version 8.2(3).
Secondary password enhancement
You can now configure SSL VPN support for a common secondary password for
all authentications or use the primary password as the secondary password.
The following command was modified: secondary-pre-fill-username
[use-primary-password | use-common-password].
The following screen was modified: Configuration > Remote Access VPN >
Clientless SSL Access > Connection Profiles > Add/Edit Clientless SSL VPN
Connection Profile > Advanced > Secondary Authentication.
General Features
No Payload Encryption image for export
For export to some countries, payload encryption cannot be enabled on the Cisco
ASA 5500 series. For version 8.3(2), you can now install a No Payload Encryption
image (asa832-npe-k8.bin) on the following models:
• ASA 5505
• ASA 5510
• ASA 5520
• ASA 5540
• ASA 5550
Features that are disabled in the No Payload Encryption image include:
• Unified Communications.
• Strong encryption for VPN (DES encryption is still available for VPN).
• VPN load balancing (note that the CLI GUI is still present; the feature will
not function, however).
• Downloading of the dynamic database for the Botnet Traffic Filer (Static
black and whitelists are still supported. Note that the CLI GUI is still present;
the feature will not function, however.).
• Management protocols requiring strong encryption, including SSL, SSHv2,
and SNMPv3. You can, however, use SSL or SNMPv3 using base encryption
(DES). Also, SSHv1 and SNMPv1 and v2 are still available.
If you attempt to install a Strong Encryption (3DES/AES) license, you see the
following warning:
WARNING: Strong encryption types have been disabled in this image;
the VPN-3DES-AES license option has been ignored.
New Features in ASA 8.3(1)/ASDM 6.3(1)
Released: March 8, 2010
Feature
Description
Remote Access Features
Smart Tunnel Enhancements
Logoff enhancement—Smart tunnel can now be logged off when all browser
windows have been closed (parent affinity), or you can right click the notification
icon in the system tray and confirm log out.
Tunnel Policy—An administrator can dictate which connections go through the
VPN gateway and which do not. An end user can browse the Internet directly
while accessing company internal resources with smart tunnel if the administrator
chooses.
Simplified configuration of which applications to tunnel—When a smart tunnel
is required, a user no longer needs to configure a list of processes that can access
smart tunnel and in turn access certain web pages. An “enable smart tunnel” check
box for either a bookmark or standalone application allows for an easier
configuration process.
Group policy home page—Using a check box in ASDM, administrators can now
specify their home page in group policy in order to connect via smart tunnel.
The following commands were introduced: smart-tunnel network, smart-tunnel
tunnel-policy.
The following screen was modified: Configuration > Remote Access VPN >
AAA/Local Users > Local Users > Edit > VPN Policy > Clientless SSL VPN.
Newly Supported Platforms for Browser-based VPN
Release 8.3(1) provides browser-based (clientless) VPN access from the following
newly supported platforms:
• Windows 7 x86 (32-bit) and x64 (64-bit) via Internet Explorer 8.x and
Firefox 3.x
• Windows Vista x64 via Internet Explorer 7.x/8.x, or Firefox 3.x.
• Windows XP x64 via Internet Explorer 6.x/7.x/8.x and Firefox 3.x
• Mac OS 10.6.x 32- and 64-bit via Safari 4.x and Firefox 3.x.
Firefox 2.x is likely to work, although we no longer test it.
Release 8.3(1) introduces browser-based support for 64-bit applications on Mac
OS 10.5.
Release 8.3(1) now supports smart tunnel access on all 32-bit and 64-bit Windows
OSs supported for browser-based VPN access, Mac OS 10.5 running on an Intel
processor only, and Mac OS 10.6.x. The ASA does not support port forwarding
on 64-bit OSs.
Browser-based VPN access does not support Web Folders on Windows 7, Vista,
and Internet Explorer 8.
An ActiveX version of the RDP plug-in is not available for 64-bit browsers.
Note
Windows 2000 and Mac OS X 10.4 are no longer supported for
browser-based access.
IPv6 support for IKEv1 LAN-to-LAN VPN connections
For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6
addressing, the ASA supports VPN tunnels if both peers are Cisco ASA 5500
series ASAs, and if both inside networks have matching addressing schemes (both
IPv4 or both IPv6).
Specifically, the following topologies are supported when both peers are Cisco
ASA 5500 series ASAs:
• The ASAs have IPv4 inside networks and the outside network is IPv6 (IPv4
addresses on the inside interfaces and IPv6 addresses on the outside
interfaces).
• The ASAs have IPv6 inside networks and the outside network is IPv4 (IPv6
addresses on the inside interface and IPv4 addresses on the outside
interfaces).
• The ASAs have IPv6 inside networks and the outside network is IPv6 (IPv6
addresses on the inside and outside interfaces).
Note
The defect CSCtd38078 currently prevents the Cisco ASA 5500
series from connecting to a Cisco IOS device as the peer device of
a LAN-to-LAN connection.
The following commands were modified or introduced: isakmp enable, crypto
map, crypto dynamic-map, tunnel-group, ipv6-vpn-filter, vpn-sessiondb,
show crypto isakmp sa, show crypto ipsec sa, show crypto debug-condition,
show debug crypto, show vpn-sessiondb, debug crypto condition, debug menu
ike.
The following screens were modified or introduced:
Wizards > IPsec VPN Wizard
Configuration > Site-to-Site VPN > Connection Profiles
Configuration > Site-to-Site VPN > Connection Profiles > Basic > Add IPsec Site-to-Site Connection Profile
Configuration > Site-to-Site VPN > Group Policies
Configuration > Site-to-Site VPN > Group Policies > Edit Internal Group
Policy
Configuration > Site-to-Site VPN > Advanced > Crypto Maps
Configuration > Site-to-Site VPN > Advanced > Crypto Maps > Add > Create
IPsec Rule
Configuration > Site-to-Site VPN > Advanced > ACL Manager
Plug-in for AnyConnect Profile Editor
The AnyConnect Profile Editor is a convenient GUI-based configuration tool you
can use to configure the AnyConnect 2.5 or later client profile, an XML file
containing settings that control client features. Previously, you could only change
profile settings manually by editing the XML tags in the profile file. The
AnyConnect Profile Editor is a plug-in binary file named anyconnectprof.sgz
packaged with the ASDM image and installed in the root directory of disk0:/ in
the flash memory on the ASA. This design allows you to update the editor to be
compatible with new AnyConnect features available in new client releases.
SSL VPN Portal Customization Editor
You can rebrand and customize the screens presented to clientless SSL VPN users
using the new Edit Customization Object window in ASDM. You can customize
the logon, portal and logout screens, including corporate logos, text messages,
and the general layout. Previously, the customization feature was embedded in
the ASA software image. Moving it to ASDM provides greater usability for this
feature and future enhancements.
The following screen was modified: Configuration > Remote Access VPN >
Clientless SSL VPN Access > Portal > Customization.
Usability Improvements for Remote Access VPN
ASDM provides a step-by-step guide to configuring Clientless SSL VPN,
AnyConnect SSL VPN Remote Access, or IPsec Remote Access using the ASDM
Assistant. The ASDM Assistant is more comprehensive than the VPN wizards,
which are designed only to get you up and running.
The following screen was modified: Configuration > Remote Access VPN >
Introduction > ASDM Assistant.
Firewall Features
Interface-Independent Access Policies
You can now configure access rules that are applied globally, as well as access
rules that are applied to an interface. If the configuration specifies both a global
access policy and interface-specific access policies, the interface-specific policies
are evaluated before the global policy.
The following command was modified: access-group global.
The following screen was modified: Configuration > Firewall > Access Rules.
Network and Service Objects
You can now create named network objects that you can use in place of a host, a
subnet, or a range of IP addresses in your configuration and named service objects
that you can use in place of a protocol and port in your configuration. You can
then change the object definition in one place, without having to change any other
part of your configuration. This release introduces support for network and service
objects in the following features:
• NAT
• Access lists rules
• Network object groups
Note
ASDM used network objects internally in previous releases; this
feature introduces platform support for network objects.
The following commands were introduced or modified: object network, object
service, show running-config object, clear configure object, access-list
extended, object-group network.
The following screens were modified or introduced:
Configuration > Firewall > Objects > Network Objects/Groups
Configuration > Firewall > Objects > Service Objects/Groups
Configuration > Firewall > NAT Rules
Configuration > Firewall > Access Rules
Object-group Expansion Rule Reduction
Significantly reduces the network object-group expansion while maintaining a
satisfactory level of packet classification performance.
The following commands were modified: show object-group, clear object-group,
show access-list.
The following screen was modified: Configuration > Firewall > Access Rules
> Advanced.
NAT Simplification
The NAT configuration was completely redesigned to allow greater flexibility
and ease of use. You can now configure NAT using auto NAT, where you
configure NAT as part of the attributes of a network object, and manual NAT,
where you can configure more advanced NAT options.
The following commands were introduced or modified: nat (in global and object
network configuration mode), show nat, show nat pool, show xlate, show
running-config nat.
The following commands were removed: global, static, nat-control, alias.
The following screens were modified or introduced:
Configuration > Firewall > Objects > Network Objects/Group
Configuration > Firewall > NAT Rules
Use of Real IP addresses in access lists instead of translated addresses
When using NAT, mapped addresses are no longer required in an access list for many features. You should always use the real, untranslated addresses when configuring these features. Using the real address means that if the NAT configuration changes, you do not need to change the access lists.
The following commands and features that use access lists now use real IP addresses. These features are automatically migrated to use real IP addresses when you upgrade to 8.3, unless otherwise noted.
• Access rules: access-group command
• Service policy rules: Modular Policy Framework match access-list command
• Botnet Traffic Filter: dynamic-filter enable classify-list command
• AAA rules: aaa ... match commands
• WCCP redirect: wccp redirect-list group-list command
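As an added illustration (not part of these release notes), the following 8.3 configuration fragment ties together the three changes above: named network and service objects, auto NAT defined as an attribute of the object, manual NAT in global configuration mode, and an access rule written against the real address. Every name, interface name and address in it (web-server, inside-net, dmz-net, tcp-www, 10.1.1.5, 203.0.113.5, inside/outside/dmz) is an assumption; lines beginning with ! are comments. The two commented-out lines at the top show the pre-8.3 static/mapped-address form that the upgrade migration replaces.

```cisco
! --- Pre-8.3 form (static is removed in 8.3): the MAPPED address had to be in the ACL
! static (inside,outside) 203.0.113.5 10.1.1.5 netmask 255.255.255.255
! access-list outside_in extended permit tcp any host 203.0.113.5 eq www
!
! --- 8.3 form: addresses and ports live in named objects
object network web-server
 host 10.1.1.5
 description real (untranslated) address of the internal web server
 ! Auto NAT: the static translation is an attribute of the object
 nat (inside,outside) static 203.0.113.5
!
object network inside-net
 subnet 10.1.0.0 255.255.0.0
 ! Auto NAT: dynamic PAT to the outside interface address
 nat (inside,outside) dynamic interface
!
object network dmz-net
 subnet 192.168.10.0 255.255.255.0
!
object service tcp-www
 service tcp destination eq www
!
! Manual NAT (global configuration mode), evaluated before auto NAT:
! identity NAT so inside-to-DMZ traffic is not PATed
nat (inside,dmz) source static inside-net inside-net destination static dmz-net dmz-net
!
! Access rule references the REAL address through the object; changing the
! translation later does not require touching the rule
access-list outside_in extended permit object tcp-www any object web-server
access-group outside_in in interface outside
!
! Checks: NAT rule order and hit counts, active translations, expanded ACL
show nat
show xlate
show access-list outside_in
```

After an upgrade, compare show access-list output against the pre-8.3 configuration backup: the migration rewrites mapped addresses to real ones for the features listed above, and any rule that still names a mapped address (for example a hand-maintained WCCP redirect list) will silently stop matching.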
Note
WCCP is not automatically migrated when you upgrade to 8.3.
Threat Detection Enhancements
You can now customize the number of rate intervals for which advanced statistics are collected. The default number of rates was changed from 3 to 1. For basic statistics, advanced statistics, and scanning threat detection, the memory usage was improved.
The following commands were modified: threat-detection statistics port
number-of-rates, threat-detection statistics protocol number-of-rates, show
threat-detection memory.
The following screen was modified: Configuration > Firewall > Threat
Detection.
Unified Communication Features
SCCP v19 support
The IP phone support in the Cisco Phone Proxy feature was enhanced to include
support for version 19 of the SCCP protocol on the list of supported IP phones.
Cisco Intercompany
Media Engine Proxy
Cisco Intercompany Media Engine (UC-IME) enables companies to interconnect
on-demand, over the Internet with advanced features made available by VoIP
technologies. Cisco Intercompany Media Engine allows for business-to-business
federation between Cisco Unified Communications Manager clusters in different
enterprises by utilizing peer-to-peer, security, and SIP protocols to create dynamic
SIP trunks between businesses. A collection of enterprises work together to end
up looking like one large business with inter-cluster trunks between them.
The following commands were modified or introduced: uc-ime, fallback
hold-down, fallback monitoring, fallback sensitivity-file, mapping-service
listening-interface, media-termination, ticket epoch, ucm address, clear
configure uc-ime, debug uc-ime, show running-config uc-ime, inspect sip.
The following screens were modified or introduced:
Wizards > Unified Communications Wizard > Cisco Intercompany Media Engine Proxy
Configuration > Firewall > Unified Communications, and then click UC-IME Proxy
Configuration > Firewall > Service Policy Rules > Add/Edit Service Policy Rule > Rule Actions > Select SIP Inspection Map
SIP Inspection Support for IME
SIP inspection has been enhanced to support the new Cisco Intercompany Media Engine (UC-IME) Proxy.
The following command was modified: inspect sip.
The following screen was modified: Configuration > Firewall > Service Policy
Rules > Add/Edit Service Policy Rule > Rule Actions > Select SIP Inspection
Map.
Unified Communication Wizard
The Unified Communications wizard guides you through the complete configuration and automatically configures required aspects for the following proxies: Cisco Mobility Advantage Proxy, Cisco Presence Federation Proxy, Cisco Intercompany Media Engine proxy. Additionally, the Unified Communications wizard automatically configures other required aspects of the proxies.
The following screens were modified:
Wizards > Unified Communications Wizard
Configuration > Firewall > Unified Communications
Enhanced Navigation for Unified Communication Features
The Unified Communications proxy features, such as the Phone Proxy, TLS Proxy, CTL File, and CTL Provider pages, are moved from under the Objects category in the left Navigation panel to the new Unified Communications category. In addition, this new category contains pages for the new Unified Communications wizard and the UC-IME Proxy page.
This feature interoperates with all ASA versions.
Routing Features
Route map support
ASDM has added enhanced support for static and dynamic routes.
The following screen was modified: Configuration > Device Setup > Routing
> Route Maps.
This feature interoperates with all ASA versions.
Monitoring Features
Time Stamps for Access List Hit Counts
Displays the timestamp, along with the hash value and hit count, for a specified access list.
The following command was modified: show access-list.
The following screen was modified: Configuration > Firewall > Access Rules.
(The timestamp appears when you hover the mouse over a cell in the Hits column.)
High Performance
Monitoring for ASDM
You can now enable high performance monitoring for ASDM to show the top
200 hosts connected through the ASA. Each entry of a host contains the IP address
of the host and the number of connections initiated by the host, and is updated
every 120 seconds.
The following commands were introduced: hpm topn enable, clear configure
hpm, show running-config hpm.
The following screen was introduced: Home > Firewall Dashboard > Top 200
Hosts.
Licensing Features
Non-identical failover
licenses
Failover licenses no longer need to be identical on each unit. The license used for both units is the combined license from the primary and secondary units.
Note
For the ASA 5505 and 5510 ASAs, both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.
The following commands were modified: show activation-key and show version.
The following screen was modified: Configuration > Device Management > Licensing > Activation Key.
Stackable time-based
licenses
Time-based licenses are now stackable. In many cases, you might need to renew
your time-based license and have a seamless transition from the old license to the
new one. For features that are only available with a time-based license, it is
especially important that the license not expire before you can apply the new
license. The ASA allows you to stack time-based licenses so you do not have to
worry about the license expiring or about losing time on your licenses because
you installed the new one early. For licenses with numerical tiers, stacking is only
supported for licenses with the same capacity, for example, two 1000-session SSL
VPN licenses. You can view the state of the licenses using the show activation-key
command at Configuration > Device Management > Licensing > Activation
Key.
Intercompany Media
Engine License
The IME license was introduced.
Time-based licenses
based on Uptime
Time-based licenses now count down according to the total uptime of the ASA;
the system clock does not affect the license.
Multiple time-based
licenses active at the
same time
You can now install multiple time-based licenses, and have one license per feature
active at a time.
The following commands were modified: show activation-key and show version.
The following screen was modified: Configuration > Device Management >
Licensing > Activation Key.
Discrete activation and
deactivation of
time-based licenses.
You can now activate or deactivate time-based licenses using a command.
The following command was modified: activation-key [activate | deactivate].
The following screen was modified: Configuration > Device Management >
Licensing > Activation Key.
General Features
Master Passphrase
The master passphrase feature allows you to securely store plain text passwords
in encrypted format. It provides a master key that is used to universally encrypt
or mask all passwords, without changing any functionality. The Backup/Restore
feature supports the master passphrase.
The following commands were introduced: key config-key password-encryption,
password encryption aes.
The following screens were introduced:
Configuration > Device Management > Advanced > Master Passphrase
Configuration > Device Management > Device Administration > Master
Passphrase
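An added example, not taken from these release notes, of turning on the master passphrase and confirming that a shared secret is then stored encrypted. The RADIUS server name, address and key are placeholders. The passphrase is deliberately entered at the interactive prompt (it is prompted for when omitted from the command) rather than on the command line, so it does not end up in the terminal log; lines beginning with ! are comments.

```cisco
! Set the master key (8 to 128 characters, prompted for interactively) and
! enable AES encryption of stored passwords. The key itself is never written
! to the configuration; only a hash of it is kept.
key config-key password-encryption
password encryption aes
!
! Placeholder server: with encryption enabled, this shared secret is stored
! in encrypted form rather than as the literal string entered here
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.1.20
 key Sup3r-Secret-Radius-Key
!
write memory
!
! Checks: encryption state plus the hash of the active key, and the
! aaa-server key as it now appears in the running configuration
show password encryption
show running-config aaa-server
```

Because the passphrase is not part of the saved configuration, a configuration restored onto a replacement unit that does not have the same key cannot decrypt the stored secrets; keep the passphrase in your secrets store next to the backup, and treat it with the same care as the secrets it protects.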
ASDM Features
Upgrade Software from Cisco.com Wizard
The Upgrade Software from Cisco.com wizard has changed to allow you to automatically upgrade ASDM and the ASA to more current versions. Note that this feature is only available in single mode and, in multiple context mode, in the System execution space. It is not available in a context.
The following screen was modified: Tools > Check for ASA/ASDM Updates.
This feature interoperates with all ASA versions.
Backup/Restore
Enhancements
The Backup Configurations pane was re-ordered and re-grouped so you can choose
the files you want to backup more easily. A Backup Progress pane was added
allowing you to visually measure the progress of the backup. And you will see
significant performance improvement when using backup or restore.
The following screen was modified: Tools > Backup Configurations or Tools
> Restore Configurations.
This feature interoperates with all ASA versions.
New Features in Version 8.2
New Features in ASA 8.2(5.13)/ASDM 6.4(4.106)
Released: September 18, 2011
Note
We recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific
problem that it resolves. If you decide to run an interim release in a production environment, keep in mind
that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco
TAC and will usually remain on the download site only until the next maintenance release is available. If
you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance
or feature release when it becomes available.
We will document interim release features at the time of the next maintenance or feature release. For a
list of resolved caveats for each ASA interim release, see the interim release notes available on the
Cisco.com software download site.
Feature
Description
Remote Access Features
Clientless SSL VPN
browser support
The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9
and Firefox 4.
Also available in Version 8.3(2.25) and 8.4.2(8).
Compression for DTLS and TLS
To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect 3.0 or later. Each tunneling method configures compression separately, and the preferred configuration is to have both SSL and DTLS compression as LZS. This feature enhances migration from legacy VPN clients.
Note
Using data compression on high speed remote access connections passing highly compressible data requires significant processing power on the ASA. With other activity and traffic on the ASA, the number of sessions that can be supported on the platform is reduced. Compressing TLS/DTLS payloads also exposes the well-known compression side channel (CRIME-style attacks that recover secrets from compressed lengths when attacker-influenced and secret data share a record), so weigh the throughput gain against that risk.
We introduced or modified the following commands: anyconnect dtls compression [lzs | none] and anyconnect ssl compression [deflate | lzs | none].
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies > Edit > Edit Internal Group Policy > Advanced > AnyConnect Client > SSL Compression.
Also available in Version 8.3(2.25) and Version 8.4.2(8).
Troubleshooting Features
Regular expression
matching for the show
asp table classifier and
show asp table filter
commands
You can now enter the show asp table classifier and show asp table filter
commands with a regular expression to filter output.
We modified the following commands: show asp table classifier match regex,
show asp table filter match regex.
ASDM does not support this command; enter the command using the Command
Line Tool.
Also available in Version 8.3(2.25) and Version 8.4.2(8).
New Features in ASA 8.2(5)/ASDM 6.4(3)
Released: May 23, 2011
Feature
Description
Monitoring Features
Smart Call-Home
Anonymous
Reporting
Customers can now help to improve the ASA platform by enabling Anonymous
Reporting, which allows Cisco to securely receive minimal error and health
information from the device.
We introduced the following commands: call-home reporting anonymous, call-home
test reporting anonymous.
We modified the following screen: Configuration > Device Monitoring > Smart
Call-Home.
Also available in Version 8.4(2).
IF-MIB ifAlias OID support
The ASA now supports the ifAlias OID. When you browse the IF-MIB, the ifAlias OID will be set to the value that has been set for the interface description.
Also available in Version 8.4(2).
Remote Access Features
Portal Access Rules
This enhancement allows customers to configure a global clientless SSL VPN access
policy to permit or deny clientless SSL VPN sessions based on the data present in
the HTTP header. If denied, an error code is returned to the clients. This denial is
performed before user authentication and thus minimizes the use of processing
resources.
We modified the following command: portal-access-rule.
We modified the following screen: Configuration > Remote Access VPN >
Clientless SSL VPN Access > Portal > Portal Access Rules.
Also available in Version 8.4(2).
Mobile Posture (formerly referred to as AnyConnect Identification Extensions for Mobile Device Detection)
You can now configure the ASA to permit or deny VPN connections to mobile devices, enable or disable mobile device access on a per-group basis, and gather information about connected mobile devices based on the mobile device posture data. The following mobile platforms support this capability: AnyConnect for iPhone/iPad/iPod Versions 2.5.x and AnyConnect for Android Version 2.4.x. You do not need to enable CSD to configure these attributes in ASDM.
Licensing Requirements
Enforcing remote access controls and gathering posture data from mobile devices
requires an AnyConnect Mobile license and either an AnyConnect Essentials or
AnyConnect Premium license to be installed on the ASA. You receive the following
functionality based on the license you install:
• AnyConnect Premium License Functionality
Enterprises that install the AnyConnect Premium license will be able to enforce DAP
policies, on supported mobile devices, based on these DAP attributes and any other
existing endpoint attributes. This includes allowing or denying remote access from
a mobile device.
• AnyConnect Essentials License Functionality
Enterprises that install the AnyConnect Essentials license will be able to do the
following:
• Enable or disable mobile device access on a per-group basis and to configure
that feature using ASDM.
• Display information about connected mobile devices via CLI or ASDM without
having the ability to enforce DAP policies or deny or allow remote access to
those mobile devices.
We modified the following screen: Configuration > Remote Access VPN > Network
(Client) Access > Dynamic Access Policies > Add/Edit Endpoint Attributes >
Endpoint Attribute Type:AnyConnect.
Also available in Version 8.4(2).
Split Tunnel DNS
policy for
AnyConnect
This release includes a new policy pushed down to the AnyConnect Secure Mobility
Client for resolving DNS addresses over split tunnels. This policy applies to VPN
connections using the SSL or IPsec/IKEv2 protocol and instructs the AnyConnect
client to resolve all DNS addresses through the VPN tunnel. If DNS resolution fails,
the address remains unresolved and the AnyConnect client does not try to resolve the
address through public DNS servers.
By default, this feature is disabled. The client sends DNS queries over the tunnel
according to the split tunnel policy—tunnel all networks, tunnel networks specified
in a network list, or exclude networks specified in a network list.
We introduced the following command: split-tunnel-all-dns.
We modified the following screen: Configuration > Remote Access VPN > Network
(Client) Access > Group Policies > Add/Edit Group Policy > Advanced > Split
Tunneling (see the Send All DNS Lookups Through Tunnel check box).
Also available in Version 8.4(2).
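An added example, not from these release notes, showing the new setting next to the split-tunnel policy it modifies. The group policy name, access list name, tunnel group, DNS server address and domain are placeholders; lines beginning with ! are comments. With the default (disable), a name the tunnel's DNS server cannot resolve may be retried against whatever resolver the local network hands out; enable stops that fallback, so internal hostnames are never sent to, or answered by, an untrusted local resolver.

```cisco
! Split tunnel: only 10.0.0.0/8 is sent through the VPN ...
access-list Split-Tunnel-ACL standard permit 10.0.0.0 255.0.0.0
!
group-policy RA-Users internal
group-policy RA-Users attributes
 dns-server value 10.1.1.53
 default-domain value corp.example.com
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel-ACL
 ! ... but EVERY DNS query goes through the tunnel; an unresolvable name
 ! stays unresolved instead of being retried via the local resolver.
 ! Default is "split-tunnel-all-dns disable" (queries follow the split policy).
 split-tunnel-all-dns enable
!
tunnel-group RA-Users type remote-access
tunnel-group RA-Users general-attributes
 default-group-policy RA-Users
!
! Check the pushed policy
show running-config group-policy RA-Users
```

The setting only changes what the client does; the 10.1.1.53 resolver must itself be reachable through the tunnel (it is inside the 10.0.0.0/8 list here), otherwise every lookup fails.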
SSL SHA-2 digital
signature
You can now use SHA-2 compliant signature algorithms to authenticate SSL VPN
connections that use digital certificates. Our support for SHA-2 includes all three
hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5(1)
or later (2.5(2) or later recommended). This release does not support SHA-2 for other
uses or products.
Caution: To support failover of SHA-2 connections, the standby ASA must be running
the same image.
We modified the following command: show crypto ca certificate (the Signature
Algorithm field identifies the digest algorithm used when generating the signature).
We did not modify any screens.
Also available in Version 8.4(2).
L2TP/IPsec support
for Android
We now support VPN connections between Android mobile devices and ASA 5500
series devices, when using the L2TP/IPsec protocol and the native Android VPN
client. Mobile devices must be using the Android 2.1 or later operating system.
We did not modify any commands.
We did not modify any screens.
Also available in Version 8.4(1).
SHA2 certificate
signature support for
Microsoft Windows
7 and Android-native
VPN clients
ASA supports SHA2 certificate signature support for Microsoft Windows 7 and
Android-native VPN clients when using the L2TP/IPsec protocol.
We did not modify any commands.
We did not modify any screens.
Also available in Version 8.4(2).
Enable/disable
certificate mapping
to override the
group-url attribute
This feature changes the preference of a connection profile during the connection
profile selection process. By default, if the ASA matches a certificate field value
specified in a connection profile to the field value of the certificate used by the
endpoint, the ASA assigns that profile to the VPN connection. This optional feature
changes the preference to a connection profile that specifies the group URL requested
by the endpoint. The new option lets administrators rely on the group URL preference
used by many older ASA software releases.
We introduced the following command: tunnel-group-preference.
We modified the following screens:
Configuration > Remote Access VPN > Clientless SSL VPN > Connection Profiles
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect
Connection Profiles
Also available in Version 8.4(2).
Interface Features
Support for Pause Frames for Flow Control on 1-Gigabit Ethernet Interface
You can now enable pause (XOFF) frames for flow control on 1-Gigabit Ethernet interfaces; support was previously added for 10-Gigabit Ethernet interfaces in 8.2(2).
We modified the following command: flowcontrol.
We modified the following screens:
(Single Mode) Configuration > Device Setup > Interfaces > Add/Edit Interface > General
(Multiple Mode, System) Configuration > Interfaces > Add/Edit Interface
Also available in Version 8.4(2).
Unified Communications Features
ASA-Tandberg Interoperability with H.323 Inspection
H.323 Inspection now supports uni-directional signaling for two-way video sessions. This enhancement allows H.323 Inspection of one-way video conferences supported by Tandberg video phones. Supporting uni-directional signaling allows Tandberg phones to switch video modes (close their side of an H.263 video session and reopen the session using H.264, the compression standard for high-definition video).
We did not modify any commands.
We did not modify any screens.
Also available in Version 8.4(2).
Routing Features
Timeout for
connections using a
backup static route
When multiple static routes exist to a network with different metrics, the ASA uses
the one with the best metric at the time of connection creation. If a better route
becomes available, then this timeout lets connections be closed so a connection can
be reestablished to use the better route. The default is 0 (the connection never times
out). To take advantage of this feature, change the timeout to a new value.
We modified the following command: timeout floating-conn.
We modified the following screen: Configuration > Firewall > Advanced > Global
Timeouts.
Also available in Version 8.4(2).
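An added example, not part of these release notes, of the situation the timeout addresses: a tracked primary default route and an untracked backup with a worse metric. Interface names (outside, outside2), gateway addresses and the 5-minute value are assumptions; lines beginning with ! are comments. The tracking configuration uses the long-standing sla monitor/track commands so that the primary route actually disappears and reappears.

```cisco
! Primary default route via ISP-A, installed only while the ICMP probe
! to its gateway succeeds; backup via ISP-B with a much worse metric
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
route outside  0.0.0.0 0.0.0.0 203.0.113.1  1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Default (0) leaves connections built during the outage pinned to ISP-B
! indefinitely after ISP-A returns. With 0:05:00, those connections are
! closed five minutes later and the hosts reconnect over the better route.
timeout floating-conn 0:05:00
!
! Checks: which default route is installed now, and the configured timeout
show route
show running-config timeout
show conn
```

Closing connections is the mechanism here, not rerouting them: long-lived sessions (VPN tunnels, database connections) over the backup path will be reset when the timer expires, so pick a value your applications tolerate.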
New Features in ASA 8.2(4.4)/ASDM 6.3(5)
Released: March 4, 2011
Note
We recommend that you upgrade to a Cisco.com-posted interim release only if you have a specific problem
that it resolves. If you decide to run an interim release in a production environment, keep in mind that
only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC
and will remain on the download site only until the next maintenance release is available. If you choose
to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature
release when it becomes available. We will document interim release features at the time of the next
maintenance or feature release. For a list of resolved caveats for each interim release, see the Cisco ASA
Interim Release Notes available on the Cisco.com software download site.
Feature
Description
Hardware Features
Support for the IPS SSP-10, -20, -40, and -60 for the ASA 5585-X
We introduced support for the IPS SSP-10, -20, -40, and -60 for the ASA 5585-X. You can only install the IPS SSP with a matching-level SSP; for example, SSP-10 and IPS SSP-10.
Remote Access Features
Clientless SSL VPN support for Outlook Web Access 2010
By default, Clientless SSL VPN now provides content transformation (rewriting) support for Outlook Web Access (OWA) 2010 traffic.
We did not modify any commands.
We did not modify any screens.
New Features in ASA 8.2(4.1)/ASDM 6.3(5)
Released: January 18, 2011
Note
We recommend that you upgrade to a Cisco.com-posted interim release only if you have a specific problem
that it resolves. If you decide to run an interim release in a production environment, keep in mind that
only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC
and will remain on the download site only until the next maintenance release is available. If you choose
to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature
release when it becomes available. We will document interim release features at the time of the next
maintenance or feature release. For a list of resolved caveats for each interim release, see the Cisco ASA
Interim Release Notes available on the Cisco.com software download site.
Feature
Description
Remote Access Features
SSL SHA-2 digital
signature
This release supports the use of SHA-2 compliant signature algorithms to authenticate
SSL VPN connections that use digital certificates. Our support for SHA-2 includes
all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect
2.5.1 or later (2.5.2 or later recommended). This release does not support SHA-2 for
other uses or products. This feature does not involve configuration changes. Caution:
To support failover of SHA-2 connections, the standby ASA must be running the
same image. To support this feature, we added the Signature Algorithm field to the
show crypto ca certificate command to identify the digest algorithm used when
generating the signature.
New Features in ASA 8.2(4)/ASDM 6.3(5)
Released: December 15, 2010
Feature
Description
Hardware Features
Support for the Cisco ASA 5585-X with SSP-10 and SSP-40
We introduced support for the ASA 5585-X with Security Services Processor (SSP)-10 and -40.
Note
The ASA 5585-X is not supported in Version 8.3(x).
New Features in ASA 8.2(3.9)/ASDM 6.3(4)
Released: November 2, 2010
Note
We recommend that you upgrade to a Cisco.com-posted interim release only if you have a specific problem
that it resolves. If you decide to run an interim release in a production environment, keep in mind that
only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC
and will remain on the download site only until the next maintenance release is available. If you choose
to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature
release when it becomes available. We will document interim release features at the time of the next
maintenance or feature release. For a list of resolved caveats for each interim release, see the Cisco ASA
Interim Release Notes available on the Cisco.com software download site.
Feature
Description
Remote Access Features
SSL SHA-2 digital
signature
This release supports the use of SHA-2 compliant signature algorithms to authenticate
SSL VPN connections that use digital certificates. Our support for SHA-2 includes
all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect
2.5.1 or later (2.5.2 or later recommended). This release does not support SHA-2 for
other uses or products. This feature does not involve configuration changes. Caution:
To support failover of SHA-2 connections, the standby ASA must be running the
same image. To support this feature, we added the Signature Algorithm field to the
show crypto ca certificate command to identify the digest algorithm used when
generating the signature.
New Features in ASA 8.2(3)/ASDM 6.3(3) and 6.3(4)
Released: August 9, 2010
Note
ASDM 6.3(4) does not include any new features; it includes a caveat fix required for support of the ASA
5585-X.
Feature
Description
Hardware Features
Support for the Cisco ASA 5585-X with SSP-20 and SSP-60
Support for the ASA 5585-X with Security Services Processor (SSP)-20 and -60 was introduced.
Note
The ASA 5585-X is not supported in Version 8.3(x).
The ASA 5585-X requires ASDM 6.3(4).
Remote Access Features
2048-bit RSA
certificate and
Diffie-Hellman
Group 5 (DH5)
performance
improvement
(ASA 5510, ASA 5520, ASA 5540, and ASA 5550 only) We strongly recommend
that you enable hardware processing instead of software for large modulus operations
such as 2048-bit certificates and DH5 keys. If you continue to use software processing
for large keys, you could experience significant performance degradation due to slow
session establishment for IPsec and SSL VPN connections. We recommend that you
initially enable hardware processing during a low-use or maintenance period to
minimize a temporary packet loss that can occur during the transition of processing
from software to hardware.
Note
For the ASA 5540 and ASA 5550 using SSL VPN, in specific load
conditions, you may want to continue to use software processing for large
keys. If VPN sessions are added very slowly and the ASA runs at capacity,
then the negative impact to data throughput is larger than the positive impact
for session establishment.
The ASA 5580/5585-X platforms already integrate this capability; therefore,
crypto engine commands are not applicable on these platforms.
The following commands were introduced or modified: crypto engine
large-mod-accel, clear configure crypto engine, show running-config crypto
engine, and show running-config crypto.
In ASDM, use the Command Line Interface tool to enter the crypto engine
large-mod-accel command.
Also available in Version 8.3(2).
Microsoft Internet
Explorer proxy
lockdown control
Enabling this feature hides the Connections tab in Microsoft Internet Explorer for
the duration of an AnyConnect VPN session. Disabling the feature leaves the display
of the Connections tab unchanged; the default setting for the tab can be shown or
hidden, depending on the user registry settings.
The following command was introduced: msie-proxy lockdown.
In ASDM, use the Command Line Interface tool to enter this command.
Trusted Network Detection Pause and Resume
This feature enables the AnyConnect client to retain its session information and cookie so that it can seamlessly restore connectivity after the user leaves the office, as long as the session does not exceed the idle timer setting. This feature requires an AnyConnect release that supports TND pause and resume.
New Features in ASA 8.2(2)/ASDM 6.2(5)
Released: January 11, 2010
Feature
Description
Remote Access Features
Scalable Solutions
for
Waiting-to-Resume
VPN Sessions
An administrator can now keep track of the number of users in the active state and
can look at the statistics. The sessions that have been inactive for the longest time
are marked as idle (and are automatically logged off) so that license capacity is not
reached and new users can log in.
The following screen was modified: Monitoring > VPN > VPN Statistics > Sessions.
Also available in Version 8.0(5).
Application Inspection Features
Inspection for
IP Options
You can now control which IP packets with specific IP options should be allowed
through the ASA. You can also clear IP options from an IP packet, and then allow it
through the ASA. Previously, all IP options were denied by default, except for some
special cases.
Note
This inspection is enabled by default. The following command is added to the default global service policy: inspect ip-options. Therefore, the ASA allows RSVP traffic that contains packets with the Router Alert option (option 20) when the ASA is in routed mode.
The following commands were introduced: policy-map type inspect ip-options, inspect ip-options, eool, nop.
The following screens were introduced:
Configuration > Firewall > Objects > Inspect Maps > IP-Options
Configuration > Firewall > Service Policy > Add/Edit Service Policy Rule > Rule Actions > Protocol Inspection
Enabling Call Set up Between H.323 Endpoints
You can enable call setup between H.323 endpoints when the Gatekeeper is inside the network. The ASA includes options to open pinholes for calls based on the RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages.
Because these RRQ/RCF messages are sent to and from the Gatekeeper, the calling
endpoint IP address is unknown and the ASA opens a pinhole through source IP
address/port 0/0. By default, this option is disabled.
The following command was introduced: ras-rcf-pinholes enable (under the
policy-map type inspect h323 > parameters commands).
The following screen was modified: Configuration > Firewall > Objects > Inspect
Maps > H.323 > Details > State Checking.
Also available in Version 8.0(5).
Unified Communication Features
Mobility Proxy application no longer requires Unified Communications Proxy license
The Mobility Proxy no longer requires the UC Proxy license.
Interface Features
In multiple context mode, auto-generated MAC addresses now use a user-configurable prefix, and other enhancements
The MAC address format was changed to allow use of a prefix, to use a fixed starting value (A2), and to use a different scheme for the primary and secondary unit MAC addresses in a failover pair.
The MAC addresses are also now persistent across reloads.
The command parser now checks if auto-generation is enabled; if you want to also manually assign a MAC address, you cannot start the manual MAC address with A2.
The following command was modified: mac-address auto prefix prefix.
The following screen was modified: Configuration > Context Management > Security Contexts.
Also available in Version 8.0(5).
Support for Pause Frames for Flow Control on the ASA 5580 10 Gigabit Ethernet Interfaces
You can now enable pause (XOFF) frames for flow control.
The following command was introduced: flowcontrol.
The following screens were modified:
(Single Mode) Configuration > Device Setup > Interfaces > Add/Edit Interface > General
(Multiple Mode, System) Configuration > Interfaces > Add/Edit Interface
Firewall Features
Botnet Traffic Filter Enhancements
The Botnet Traffic Filter now supports automatic blocking of blacklisted traffic based on the threat level. You can also view the category and threat level of malware sites in statistics and reports. Reporting was enhanced to show infected hosts. The 1 hour timeout for reports for top hosts was removed; there is now no timeout.
The following commands were introduced or modified: dynamic-filter ambiguous-is-black, dynamic-filter drop blacklist, show dynamic-filter statistics, show dynamic-filter reports infected-hosts, and show dynamic-filter reports top.
The following screens were introduced or modified:
Configuration > Firewall > Botnet Traffic Filter > Traffic Settings
Monitoring > Botnet Traffic Filter > Infected Hosts
Connection timeouts for all protocols
The idle timeout was changed to apply to all protocols, not just TCP.
The following command was modified: set connection timeout.
The following screen was modified: Configuration > Firewall > Service Policies > Rule Actions > Connection Settings.
Routing Features
DHCP RFC compatibility (rfc3011, rfc3527) to resolve routing issues
This enhancement introduces ASA support for DHCP RFCs 3011 (The IPv4 Subnet Selection Option) and 3527 (Link Selection Sub-option for the Relay Agent Information Option). For each DHCP server configured for VPN clients, you can now configure the ASA to send the Subnet Selection option or the Link Selection option.
The following command was modified: dhcp-server [subnet-selection | link-selection].
The following screen was modified: Remote Access VPN > Network Access > IPsec connection profiles > Add/Edit.
Also available in Version 8.0(5).
High Availability Features
IPv6 Support in Failover Configurations
IPv6 is now supported in failover configurations. You can assign active and standby IPv6 addresses to interfaces and use IPv6 addresses for the failover and Stateful Failover interfaces.
The following commands were modified: failover interface ip, ipv6 address.
The following screens were modified:
Configuration > Device Management > High Availability > Failover > Setup
Configuration > Device Management > High Availability > Failover > Interfaces
Configuration > Device Management > High Availability > HA/Scalability Wizard
No notifications when interfaces are brought up or brought down during a switchover event
To distinguish link up/down transitions during normal operation from link up/down transitions during failover, no link up/link down traps are sent during a failover. Also, no syslog messages about link up/down transitions during failover are sent.
Also available in Version 8.0(5).
AAA Features
100 AAA Server Groups
You can now configure up to 100 AAA server groups; the previous limit was 15 server groups.
The following command was modified: aaa-server.
The following screen was modified: Configuration > Device Management > Users/AAA > AAA Server Groups.
Monitoring Features
Smart Call Home
Smart Call Home offers proactive diagnostics and real-time alerts on the ASA and provides higher network availability and increased operational efficiency. Customers and TAC engineers get what they need to resolve problems quickly when an issue is detected.
Note
Smart Call Home server Version 3.0(1) has limited support for the ASA. See the “Important Notes” for more information.
The following commands were introduced: call-home, call-home send alert-group, call-home test, call-home send, service call-home, show call-home, show call-home registered-module status.
The following screen was introduced: Configuration > Device Management > Smart Call Home.
New Features in ASA 8.2(1)/ASDM 6.2(1)
Released: May 6, 2009
Feature
Description
Remote Access Features
One Time Password Support for ASDM Authentication
ASDM now supports administrator authentication using one time passwords (OTPs) supported by RSA SecurID (SDI). This feature addresses security concerns about administrators authenticating with static passwords.
New session controls for ASDM users include the ability to limit the session time and the idle time. When the password used by the ASDM administrator times out, ASDM prompts the administrator to re-authenticate.
The following commands were introduced: http server idle-timeout and http server session-timeout. The http server idle-timeout default is 20 minutes, and can be increased up to a maximum of 1440 minutes.
In ASDM, see Configuration > Device Management > Management Access > ASDM/HTTPD/Telnet/SSH.
Customizing Secure Desktop
You can use ASDM to customize the Secure Desktop windows displayed to remote users, including the Secure Desktop background (the lock icon) and its text color, and the dialog banners for the Desktop, Cache Cleaner, Keystroke Logger, and Close Secure Desktop windows.
In ASDM, see Configuration > CSD Manager > Secure Desktop Manager.
Pre-fill Username from Certificate
The pre-fill username feature enables the use of a username extracted from a certificate for username/password authentication. With this feature enabled, the username is “pre-filled” on the login screen, with the user being prompted only for the password. To use this feature, you must configure both the pre-fill username and the username-from-certificate commands in tunnel-group configuration mode.
The double-authentication feature is compatible with the pre-fill username feature, as the pre-fill username feature can support extracting a primary username and a secondary username from the certificate to serve as the usernames for double authentication when two usernames are required. When configuring the pre-fill username feature for double authentication, the administrator uses the following new tunnel-group general-attributes configuration mode commands:
• secondary-pre-fill-username—Enables username extraction for Clientless or AnyConnect client connection.
• secondary-username-from-certificate—Allows for extraction of a few standard DN fields from a certificate for use as a username.
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access > AnyConnect or Clientless SSL VPN Connection Profiles > Advanced. Settings are in the Authentication, Secondary Authentication, and Authorization panes.
Double Authentication
The double authentication feature implements two-factor authentication for remote access to the network, in accordance with the Payment Card Industry Standards Council Data Security Standard. This feature requires that the user enter two separate sets of login credentials at the login page. For example, the primary authentication might be a one-time password, and the secondary authentication might be a domain (Active Directory) credential. If either authentication fails, the connection is denied.
Both the AnyConnect VPN client and Clientless SSL VPN support double authentication. The AnyConnect client supports double authentication on Windows computers (including supported Windows Mobile devices and Start Before Logon), Mac computers, and Linux computers. The IPsec VPN client, SVC client, cut-through-proxy authentication, hardware client authentication, and management authentication do not support double authentication.
Double authentication requires the following new tunnel-group general-attributes configuration mode commands:
• secondary-authentication-server-group—Specifies the secondary AAA server group, which cannot be an SDI server group.
• secondary-username-from-certificate—Allows for extraction of a few standard DN fields from a certificate for use as a username.
• secondary-pre-fill-username—Enables username extraction for Clientless or AnyConnect client connection.
• authentication-attr-from-server—Specifies which authentication server authorization attributes are applied to the connection.
• authenticated-session-username—Specifies which authentication username is associated with the session.
Note
The RSA/SDI authentication server type cannot be used as the secondary username/password credential. It can only be used for primary authentication.
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access or Clientless SSL VPN > AnyConnect Connection Profiles > Add/Edit > Advanced > Secondary Authentication.
AnyConnect Essentials
AnyConnect Essentials is a separately licensed SSL VPN client, entirely configured on the ASA, that provides the full AnyConnect capability, with the following exceptions:
• No CSD (including HostScan/Vault/Cache Cleaner)
• No clientless SSL VPN
• Optional Windows Mobile Support
The AnyConnect Essentials client provides remote end users running Microsoft Windows Vista, Windows Mobile, Windows XP or Windows 2000, Linux, or Macintosh OS X, with the benefits of a Cisco SSL VPN client.
To configure AnyConnect Essentials, the administrator uses the following command:
anyconnect-essentials—Enables the AnyConnect Essentials feature. If this feature is disabled (using the no form of this command), the SSL Premium license is used. This feature is enabled by default.
Note
This license cannot be used at the same time as the shared SSL VPN premium license.
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials License. The AnyConnect Essentials license must be installed for ASDM to show this pane.
Disabling Cisco Secure Desktop per Connection Profile
When enabled, Cisco Secure Desktop automatically runs on all computers that make SSL VPN connections to the ASA. This new feature lets you exempt certain users from running Cisco Secure Desktop on a per connection profile basis. It prevents the detection of endpoint attributes for these sessions, so you might need to adjust the Dynamic Access Policy (DAP) configuration.
CLI: [no] without-csd command
Note
“Connection Profile” in ASDM is also known as “Tunnel Group” in the CLI. Additionally, the group-url command is required for this feature. If the SSL VPN session uses connection-alias, this feature will not take effect.
In ASDM, see Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles > Add or Edit > Advanced, Clientless SSL VPN Configuration, or Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Add or Edit > Advanced > SSL VPN.
Certificate Authentication Per Connection Profile
Previous versions supported certificate authentication for each ASA interface, so users received certificate prompts even if they did not need a certificate. With this new feature, users receive a certificate prompt only if the connection profile configuration requires a certificate. This feature is automatic; the ssl certificate authentication command is no longer needed, but the ASA retains it for backward compatibility.
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Add/Edit > Basic, or Configuration > Remote Access VPN > Clientless SSL VPN > Connection Profiles > Add/Edit > Basic.
EKU Extensions for Certificate Mapping
This feature adds the ability to create certificate maps that look at the Extended Key Usage extension of a client certificate and use these values in determining what connection profile the client should use. If the client does not match that profile, it uses the default group. The outcome of the connection then depends on whether or not the certificate is valid and the authentication settings of the connection profile.
The following command was introduced: extended-key-usage.
In ASDM, use the IPSec Certificate to Connection Maps > Rules pane, or the Certificate to SSL VPN Connections Profile Maps pane.
SSL VPN SharePoint Support for Win 2007 Server
Clientless SSL VPN sessions now support Microsoft Office SharePoint Server 2007.
Shared license for SSL VPN sessions
You can purchase a shared license with a large number of SSL VPN sessions and share the sessions as needed among a group of ASAs by configuring one of the ASAs as a shared license server, and the rest as clients. The following commands were introduced: license-server commands (various), show shared license.
Note
This license cannot be used at the same time as the AnyConnect Essentials license.
In ASDM, see Configuration > Device Management > Licensing > Shared SSL VPN Licenses. Also see Monitoring > VPN > Clientless SSL VPN > Shared Licenses.
Updated VPN Wizard
The VPN Wizard (accessible by choosing Wizards > IPSec VPN Wizard) was updated. The step to select IPsec Encryption and Authentication (formerly Step 9 of 11) was removed because the Wizard now generates default values for these settings. In addition, the step to select IPsec Settings (Optional) now includes new fields to enable perfect forward secrecy (PFS) and set the Diffie-Hellman Group.
Firewall Features
TCP state bypass
If you have asymmetric routing configured on upstream routers, and traffic alternates between two ASAs, then you can configure TCP state bypass for specific traffic. The following command was introduced: set connection advanced tcp-state-bypass.
In ASDM, see Configuration > Firewall > Service Policy Rules > Rule Actions > Connection Settings.
Per-Interface IP Addresses for the Media-Termination Instance Used by the Phone Proxy
In Version 8.0(4), you configured a global media-termination address (MTA) on the ASA. In Version 8.2, you can now configure MTAs for individual interfaces (with a minimum of two MTAs). As a result of this enhancement, the old CLI has been deprecated. You can continue to use the old configuration if desired. However, if you need to change the configuration at all, only the new configuration method is accepted; you cannot later restore the old configuration.
In ASDM, see Configuration > Firewall > Advanced > Encrypted Traffic Inspection > Media Termination Address.
Displaying the CTL File for the Phone Proxy
The Cisco Phone Proxy feature includes the show ctl-file command, which shows the contents of the CTL file used by the phone proxy. Using the show ctl-file command is useful for debugging when configuring the phone proxy instance.
This command is not supported in ASDM.
Clearing Secure-phone Entries from the Phone Proxy Database
The Cisco Phone Proxy feature includes the clear phone-proxy secure-phones command, which clears the secure-phone entries in the phone proxy database. Because secure IP phones always request a CTL file upon bootup, the phone proxy creates a database that marks the IP phones as secure. The entries in the secure phone database are removed after a specified configured timeout (via the timeout secure-phones command). Alternatively, you can use the clear phone-proxy secure-phones command to clear the phone proxy database without waiting for the configured timeout.
This command is not supported in ASDM.
H.239 Message Support in H.323 Application Inspection
In this release, the ASA supports the H.239 standard as part of H.323 application inspection. H.239 is a standard that provides the ability for H.300 series endpoints to open an additional video channel in a single call. In a call, an endpoint (such as a video phone) sends a channel for video and a channel for data presentation. The H.239 negotiation occurs on the H.245 channel. The ASA opens a pinhole for the additional media channel. The endpoints use the open logical channel (OLC) message to signal a new channel creation. The message extension is part of H.245 version 13.
The decoding and encoding of the telepresentation session is enabled by default. H.239 encoding and decoding is performed by the ASN.1 coder.
In ASDM, see Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard > Rule Actions > Protocol Inspection > H.323 H.225. Click Configure and then choose the H.323 Inspect Map.
Processing H.323 Endpoints When the Endpoints Do Not Send OLCAck
H.323 application inspection has been enhanced to process common H.323 endpoints. The enhancement affects endpoints using the extendedVideoCapability OLC with the H.239 protocol identifier. Even when an H.323 endpoint does not send OLCAck after receiving an OLC message from a peer, the ASA propagates OLC media proposal information into the media array and opens a pinhole for the media channel (extendedVideoCapability).
In ASDM, see Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard > Rule Actions > Protocol Inspection > H.323 H.225.
IPv6 in transparent firewall mode
Transparent firewall mode now participates in IPv6 routing. Prior to this release, the ASA could not pass IPv6 traffic in transparent mode. You can now configure an IPv6 management address in transparent mode, create IPv6 access lists, and configure other IPv6 features; the ASA recognizes and passes IPv6 packets.
All IPv6 functionality is supported unless specifically noted.
In ASDM, see Configuration > Device Management > Management Access > Management IP Address.
Botnet Traffic Filter
Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses, and then logs any suspicious activity. You can also supplement the dynamic database with a static database by entering IP addresses or domain names in a local “blacklist” or “whitelist.”
Note
This feature requires the Botnet Traffic Filter license. See the following licensing document for more information:
http://www.cisco.com/en/US/docs/security/asa/asa82/license/license82.html
The following commands were introduced: dynamic-filter commands (various), and the inspect dns dynamic-filter-snoop keyword.
In ASDM, see Configuration > Firewall > Botnet Traffic Filter.
AIP SSC card for the ASA 5505
The AIP SSC offers IPS for the ASA 5505. Note that the AIP SSM does not support virtual sensors. The following commands were introduced: allow-ssc-mgmt, hw-module module ip, and hw-module module allow-ip.
In ASDM, see Configuration > Device Setup > SSC Setup and Configuration > IPS.
IPv6 support for IPS
You can now send IPv6 traffic to the AIP SSM or SSC when your traffic class uses the match any command, and the policy map specifies the ips command.
In ASDM, see Configuration > Firewall > Service Policy Rules.
Management Features
SNMP version 3 and encryption
This release provides DES, 3DES, or AES encryption and support for SNMP Version 3, the most secure form of the supported security models. This version allows you to configure authentication characteristics by using the User-based Security Model (USM).
The following commands were introduced:
• show snmp engineid
• show snmp group
• show snmp-server group
• show snmp-server user
• snmp-server group
• snmp-server user
The following command was modified:
• snmp-server host
In ASDM, see Configuration > Device Management > Management Access > SNMP.
NetFlow
This feature was introduced in Version 8.1(1) for the ASA 5580; this version introduces the feature to the other platforms. The new NetFlow feature enhances the ASA logging capabilities by logging flow-based events through the NetFlow protocol.
In ASDM, see Configuration > Device Management > Logging > Netflow.
Routing Features
Multicast NAT
The ASA now offers Multicast NAT support for group addresses.
Troubleshooting Features
Coredump functionality
A coredump is a snapshot of the running program when the program has terminated abnormally. Coredumps are used to diagnose or debug errors and save a crash for later or off-site analysis. Cisco TAC may request that users enable the coredump feature to troubleshoot application or system crashes on the ASA.
To enable coredump, use the coredump enable command.
ASDM Features
ASDM Support for IPv6
All IPv6 functionality is supported unless specifically noted.
Support for Public Server configuration
You can use ASDM to configure a public server. This allows you to define servers and services that you want to expose to an outside interface.
In ASDM, see Configuration > Firewall > Public Servers.
New Features in Version 8.1
New Features in ASA 8.1(2)/ASDM 6.1(5)
Released: October 10, 2008
Feature
Description
Remote Access Features
Auto Sign-On with Smart Tunnels for IE
This feature lets you enable the replacement of logon credentials for WININET connections. Most Microsoft applications use WININET, including Internet Explorer. Mozilla Firefox does not, so it is not supported by this feature. The feature supports only HTTP-based authentication; form-based authentication does not work with it.
Credentials are statically associated to destination hosts, not services, so if initial credentials are wrong, they cannot be dynamically corrected during runtime. Also, because of the association with destination hosts, providing support for an auto sign-on enabled host may not be desirable if you want to deny access to some of the services on that host.
To configure a group auto sign-on for smart tunnels, you create a global list of auto sign-on sites, then assign the list to group policies or user names. This feature is not supported with Dynamic Access Policy.
In ASDM, see Configuration > Firewall > Advanced > ACL Manager.
Entrust Certificate Provisioning
ASDM 6.1.3 (which lets you manage security appliances running Versions 8.0x and 8.1x) includes a link to the Entrust website to apply for temporary (test) or discounted permanent SSL identity certificates for your ASA.
In ASDM, see Configuration > Remote Access VPN > Certificate Management > Identity Certificates > Enroll ASA SSL VPN head-end with Entrust.
Extended Time for User Reauthentication on IKE Rekey
You can configure the security appliance to give remote users more time to enter their credentials on a Phase 1 SA rekey. Previously, when reauthenticate-on-rekey was configured for IKE tunnels and a phase 1 rekey occurred, the security appliance prompted the user to authenticate and only gave the user approximately 2 minutes to enter their credentials. If the user did not enter their credentials in that 2 minute window, the tunnel would be terminated. With this new feature enabled, users now have more time to enter credentials before the tunnel drops. The total amount of time is the difference between the new Phase 1 SA being established, when the rekey actually takes place, and the old Phase 1 SA expiring. With default Phase 1 rekey times set, the difference is roughly 3 hours, or about 15% of the rekey interval.
In ASDM, see Configuration > Device Management > Certificate Management > Identity Certificates.
Persistent IPsec Tunneled Flows
With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop. This feature supports IPsec LAN-to-LAN tunnels and Network Extension Mode tunnels from a hardware client. It does not support IPsec or AnyConnect/SSL VPN remote access tunnels. See the sysopt connection preserve-vpn-flows command. This option is disabled by default.
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > System Options. Check the Preserve stateful VPN flows when the tunnel drops for Network Extension Mode (NEM) checkbox to enable persistent IPsec tunneled flows.
Show Active Directory Groups
The CLI command show ad-groups was added to list the active directory groups. ASDM Dynamic Access Policy uses this command to present the administrator with a list of MS AD groups that can be used to define the VPN policy.
In ASDM, see Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies > Add/Edit DAP > Add/Edit AAA Attribute.
Smart Tunnel over Mac OS
Smart tunnels now support Mac OS.
In ASDM, see Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels.
Firewall Features
NetFlow Filtering
You can filter NetFlow events based on traffic and event-type, and then send records to different collectors. For example, you can log all flow-create events to one collector, but log flow-denied events to a different collector. See the flow-export event-type command.
In ASDM, see Configuration > Firewall > Security Policy > Service Policy Rules > Add/Edit Service Policy Rule > Rule Actions > NetFlow.
NetFlow Delay Flow Creation Event
For short-lived flows, NetFlow collecting devices benefit from processing a single event as opposed to seeing two events: flow creation and teardown. You can now configure a delay before sending the flow creation event. If the flow is torn down before the timer expires, only the flow teardown event will be sent. See the flow-export delay flow-create command.
Note
The teardown event includes all information regarding the flow; there is no loss of information.
In ASDM, see Configuration > Device Management > Logging > NetFlow.
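An added model of the delayed flow-create behaviour described above (example code, not ASA code): flow-create events wait out a configurable delay, and a teardown that arrives first cancels the pending create so the collector sees a single event carrying the full flow record. The exporter class, the timestamps and the sample flows are constructed.

```python
class DelayedNetFlowExporter:
    """Constructed model of 'flow-export delay flow-create': creates are held for
    delay_seconds; a teardown inside that window cancels the pending create."""

    def __init__(self, delay_seconds: int):
        self.delay = delay_seconds
        self.pending = {}     # flow key -> (time the flow was created, record)
        self.exported = []    # (event_type, flow key, record), in export order

    def flow_created(self, now: int, key, record: dict) -> None:
        self.pending[key] = (now, record)
        self.tick(now)        # a delay of 0 exports the create immediately

    def flow_torn_down(self, now: int, key, record: dict) -> None:
        # The teardown record carries everything the create would have, so the
        # pending create can be discarded without losing information.
        self.pending.pop(key, None)
        self.exported.append(("flow-teardown", key, record))
        self.tick(now)

    def tick(self, now: int) -> None:
        """Timer callback: export creates whose delay has elapsed."""
        for key, (created_at, record) in list(self.pending.items()):
            if now - created_at >= self.delay:
                self.exported.append(("flow-create", key, record))
                del self.pending[key]


def simulate():
    """Constructed scenario with a 5 s delay: a short DNS flow (torn down at 2 s)
    and a long HTTP flow. Returns (event, protocol, destination port) per event."""
    exporter = DelayedNetFlowExporter(delay_seconds=5)
    dns = ("192.0.2.10", 53211, "198.51.100.5", 53, "udp")     # constructed flow keys
    http = ("192.0.2.10", 40000, "198.51.100.80", 80, "tcp")
    exporter.flow_created(0, dns, {"bytes": 0})
    exporter.flow_created(1, http, {"bytes": 0})
    exporter.flow_torn_down(2, dns, {"bytes": 220, "reason": "timeout"})   # before 5 s
    exporter.tick(6)                                                      # HTTP delay elapsed
    exporter.flow_torn_down(30, http, {"bytes": 48000, "reason": "fin"})
    return [(event, key[4], key[3]) for event, key, _ in exporter.exported]
```

The DNS flow produces only a teardown event; the HTTP flow produces a create at 6 s and a teardown at 30 s.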
QoS Traffic Shaping
If you have a device that transmits packets at a high speed, such as the ASA with Fast Ethernet, and it is connected to a low speed device such as a cable modem, then the cable modem is a bottleneck at which packets are frequently dropped. To manage networks with differing line speeds, you can configure the security appliance to transmit packets at a fixed slower rate. See the shape command.
See also the crypto ipsec security-association replay command, which lets you configure the IPSec anti-replay window size. One side-effect of priority queueing is packet re-ordering. For IPSec packets, out-of-order packets that are not within the anti-replay window generate warning syslog messages. These warnings become false alarms in the case of priority queueing. This new command avoids possible false alarms.
In ASDM, see Configuration > Firewall > Security Policy > Service Policy Rules > Add/Edit Service Policy Rule > Rule Actions > QoS. Note that the only traffic class supported for traffic shaping is class-default, which matches all traffic.
TCP Normalization Enhancements
You can now configure TCP normalization actions for certain packet types. Previously, the default action for these kinds of packets was to drop the packet. Now you can set the TCP normalizer to allow the packets.
• TCP invalid ACK check (the invalid-ack command)
• TCP packet sequence past window check (the seq-past-window command)
• TCP SYN-ACK with data check (the synack-data command)
You can also set the TCP out-of-order packet buffer timeout (the queue command timeout keyword). Previously, the timeout was 4 seconds. You can now set the timeout to another value.
The default action for packets that exceed MSS has changed from drop to allow (the exceed-mss command).
The following non-configurable actions have changed from drop to clear for these packet types:
• Bad option length in TCP
• TCP Window scale on non-SYN
• Bad TCP window scale value
• Bad TCP SACK ALLOW option
In ASDM, see Configuration > Firewall > Objects > TCP Maps.
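The following Python is an added example, not ASA code, that applies the stateless checks listed above to a raw TCP segment: the four option checks that now clear (overwrite with NOPs) rather than drop, the configurable synack-data action, and the exceed-mss action given a peer MSS. TcpMap, build_tcp and the 192.0.2.x endpoints are constructed stand-ins; invalid-ack and seq-past-window need connection state and are not modelled.

```python
import struct

TCP_EOL, TCP_NOP, TCP_MSS, TCP_WSCALE, TCP_SACK_PERM = 0, 1, 2, 3, 4
FLAG_SYN, FLAG_ACK = 0x02, 0x10
SRC_IP, DST_IP = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])   # constructed sample endpoints


class TcpMap:
    """Constructed stand-in for the two configurable tcp-map actions the text mentions."""
    def __init__(self, synack_data="drop", exceed_mss="allow"):
        self.synack_data = synack_data   # SYN-ACK carrying data: default drop, may be set to allow
        self.exceed_mss = exceed_mss     # segment larger than the peer MSS: default is now allow


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment as given; 0 for a valid segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_tcp(flags: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed sample segment (ports 1024 -> 80) with options padded to a 32-bit boundary."""
    options += b"\x00" * ((-len(options)) % 4)
    doff = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", 1024, 80, 1000, 2000, doff << 4, flags, 65535, 0, 0)
    seg = bytearray(hdr + options + payload)
    seg[16:18] = struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, bytes(seg)))
    return bytes(seg)


def _clear(opts: bytearray, start: int, length: int) -> None:
    """'clear' action: overwrite the option with NOPs so the header length stays valid."""
    opts[start:start + length] = bytes([TCP_NOP]) * length


def normalize_tcp(segment: bytes, tcp_map: TcpMap = None, peer_mss: int = None):
    """Return (verdict, segment, findings) for the stateless checks listed in the text."""
    tcp_map = tcp_map or TcpMap()
    findings = []
    if len(segment) < 20 or (segment[12] >> 4) < 5 or (segment[12] >> 4) * 4 > len(segment):
        return "drop", segment, ["bad-data-offset"]
    doff = (segment[12] >> 4) * 4
    flags = segment[13]
    opts, payload = bytearray(segment[20:doff]), segment[doff:]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_EOL:
            break
        if kind == TCP_NOP:
            i += 1
            continue
        # every other option carries a length byte covering kind + length + data
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            findings.append("bad-option-length")
            _clear(opts, i, len(opts) - i)     # boundaries unknown from here on: clear the rest
            break
        length = opts[i + 1]
        if kind == TCP_WSCALE and not flags & FLAG_SYN:
            findings.append("wscale-on-non-syn")   # window scale is only valid on SYN
            _clear(opts, i, length)
        elif kind == TCP_WSCALE and (length != 3 or opts[i + 2] > 14):
            findings.append("bad-wscale-value")    # RFC 7323 caps the shift count at 14
            _clear(opts, i, length)
        elif kind == TCP_SACK_PERM and length != 2:
            findings.append("bad-sack-allow")      # SACK-permitted is exactly two bytes
            _clear(opts, i, length)
        i += length
    if flags & FLAG_SYN and flags & FLAG_ACK and payload:
        findings.append("synack-data")
        if tcp_map.synack_data == "drop":
            return "drop", segment, findings
    if peer_mss is not None and len(payload) > peer_mss:
        findings.append("exceed-mss")
        if tcp_map.exceed_mss == "drop":
            return "drop", segment, findings
    out = bytearray(segment[:20]) + opts + payload
    out[16:18] = b"\x00\x00"                       # refresh the checksum after any clearing
    out[16:18] = struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, bytes(out)))
    return "allow", bytes(out), findings
```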
TCP Intercept statistics
You can enable collection for TCP Intercept statistics using the threat-detection statistics tcp-intercept command, and view them using the show threat-detection statistics command.
In ASDM, see Configuration > Firewall > Threat Detection.
Threat detection shun timeout
You can now configure the shun timeout for threat detection using the threat-detection scanning-threat shun duration command.
In ASDM, see Configuration > Firewall > Threat Detection.
Threat detection host statistics fine tuning
You can now reduce the amount of host statistics collected, thus reducing the system impact of this feature, by using the threat-detection statistics host number-of-rate command.
In ASDM, see Configuration > Firewall > Threat Detection.
Platform Features
Increased VLANs
The number of VLANs supported on the ASA 5580 is increased from 100 to 250.
SNMP support for unnamed interfaces
Formerly, SNMP only provided information about interfaces that were configured using the nameif command. For example, SNMP only sent traps and performed walks on the IF MIB and IP MIB for interfaces that were named. SNMP was enhanced to show information about all physical interfaces and logical interfaces; a nameif command is no longer required to display the interfaces using SNMP.
New Features in ASA 8.1(1)/ASDM 6.1(1)
Released: March 1, 2008
Feature
Description
Introduction of the Cisco ASA 5580
The Cisco ASA 5580 comes in two models:
• The ASA 5580-20 delivers 5 Gigabits per second of TCP traffic and UDP performance is even greater. Many features in the system have been made multi-core capable to achieve this high throughput. In addition the system delivers greater than 60,000 TCP connections per second and supports up to 1 million connections.
• The ASA 5580-40 will deliver 10 Gigabits per second of TCP traffic and similar to ASA 5580-20 the UDP performance will be even greater. The ASA 5580-40 delivers greater than 120,000 TCP connections per second and up to 2 million connections in total.
In ASDM, see Home > System Resource Status and Home > Device Information > Environment Status.
NetFlow
The new NetFlow feature enhances the ASA logging capabilities by logging
flow-based events through the NetFlow protocol. For detailed information
about this feature and the new CLI commands, see the Cisco ASA 5580
Adaptive Security Appliance Command Line Configuration Guide.
In ASDM, see Configuration > Device Management > Logging > Netflow.
Jumbo frame support
The Cisco ASA 5580 supports jumbo frames when you enter the
jumbo-frame reservation command. A jumbo frame is an Ethernet packet
larger than the standard maximum of 1518 bytes (including Layer 2 header
and FCS), up to 9216 bytes. You can enable support for jumbo frames for
all interfaces by increasing the amount of memory to process Ethernet frames.
Assigning more memory for jumbo frames might limit the maximum use
of other features, such as access lists.
In ASDM, see Configuration > Device Setup > Interfaces > Add/Edit
Interface > Advanced.
Per-packet load balancing for multi-core ASAs
For multi-core ASAs, the default behavior is to allow only one core to receive
packets from an interface receive ring at a time. The asp load-balance
per-packet command changes this behavior to allow multiple cores to receive
packets from an interface receive ring and work on them independently. The
default behavior is optimized for scenarios where packets are received
uniformly on all interface rings.
We introduced the following commands: asp load-balance per-packet,
show asp load-balance.
Timeout for SIP Provisional Media
You can now configure the timeout for SIP provisional media using the
timeout sip-provisional-media command.
In ASDM, see Configuration > Firewall > Advanced > Global Timeouts.
Details about the activation key
You can now view the permanent and temporary activation keys with their
enabled features, including all previously installed temporary keys and their
expiration dates using the show activation key detail command.
In ASDM in single context mode, see Configuration > Device Management
> System Image/Configuration > Activation Key. In ASDM in multiple
context mode, see System > Configuration > Device Management >
Activation Key.
New ASDM online help engine
ASDM now supports a new look for the online help. The online help now
maintains the topic-based selection of the user from the left bookmark pane
while browsing through the right pane subject matter.
ASDM CPU Core Usage Graph
In single or multiple mode, the CPU core usage graph allows you to display
the core CPU utilization status from the ASDM Home page.
Intelligent platform management interface (IPMI) for ASDM
Added support for intelligent platform management interface (IPMI), which
provides the user with information on the status of the power supply, cooling
fans, and temperature of the processors and chassis from the ASDM Home
page.
ASDM Assistant
The ASDM Assistant is now available from View Menu, instead of the Tools
Menu. The GUI has been changed to simplify the Search mechanism.
ASDM Backup and Restore Enhancement
The backup and restore enhancement allows you to back up configurations
to the local machine and then restore them back on the server as necessary.
Additionally, this feature backs up SSL VPN-related files. This feature is
found in Tools > Backup Configuration, and Tools > Restore
Configuration.
Also supported for Version 8.0.
ASDM Log Viewer
The Log viewer enhancement displays the source and destination port
information parsed from the syslog messages. This information is displayed
on the Monitoring > Logging > Real-Time Log Viewer, and Log Buffer
page.
Also supported for Version 8.0.
Enhanced VPN Search in ASDM
Added a CLI command-based Search facility that offers intelligent hints
while you are typing in keywords or a command. This search enhancement
only exists on User Accounts, Connection Profiles, and Group Policies pages.
Also supported for Version 8.0.
New Features in Version 8.0
New Features in ASA 8.0(5)/ASDM 6.2(3)
Released: November 3, 2009
Note
Version 8.0(5) is not supported on the PIX security appliance.
Feature
Description
Remote Access Features
Scalable Solutions for Waiting-to-Resume VPN Sessions
An administrator can now keep track of the number of users in the active state and
can look at the statistics. The sessions that have been inactive for the longest time
are marked as idle (and are automatically logged off) so that license capacity is not
reached and new users can log in.
The following ASDM screen was modified: Monitoring > VPN > VPN Statistics
> Sessions.
Also available in Version 8.2(2).
Application Inspection Features
Enabling Call Setup Between H.323 Endpoints
You can enable call setup between H.323 endpoints when the Gatekeeper is inside
the network. The ASA includes options to open pinholes for calls based on the
RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages.
Because these RRQ/RCF messages are sent to and from the Gatekeeper, the calling
endpoint's IP address is unknown and the security appliance opens a pinhole through
source IP address/port 0/0. By default, this option is disabled.
The following command was introduced: ras-rcf-pinholes enable. Use this command
during parameter configuration mode while creating an H.323 Inspection policy map.
The following ASDM screen was modified: Configuration > Firewall > Objects >
Inspect Maps > H.323 > Details > State Checking.
Also available in Version 8.2(2).
Interface Features
In multiple context mode, auto-generated MAC addresses now use a user-configurable
prefix, and other enhancements
The MAC address format was changed to allow use of a prefix, to use a fixed starting
value (A2), and to use a different scheme for the primary and secondary unit MAC
addresses in a failover pair.
The MAC addresses are also now persistent across reloads.
The command parser now checks if auto-generation is enabled; if you want to also
manually assign a MAC address, you cannot start the manual MAC address with A2.
The following command was modified: mac-address auto prefix prefix.
The following ASDM screen was modified: Configuration > Context Management
> Security Contexts.
Also available in Version 8.2(2).
High Availability Features
No notifications when interfaces are brought up or brought down during a switchover
event
To distinguish between link up/down transitions during normal operation from link
up/down transitions during failover, no link up/link down traps are sent during a
failover. Also, no syslog messages about link up/down transitions during failover are
sent.
Also available in Version 8.2(2).
Routing Features
DHCP RFC compatibility (rfc3011, rfc3527) to resolve routing issues
This enhancement introduces ASA support for DHCP RFCs 3011 (The IPv4 Subnet
Selection Option) and 3527 (Link Selection Sub-option for the Relay Agent
Information Option). For each DHCP server that is configured using the dhcp-server
command, you can now configure the ASA to send the subnet-selection option, the
link-selection option, or neither.
The following ASDM screen was modified: Remote Access VPN > Network Access
> IPsec connection profiles > Add/Edit.
Also available in Version 8.2(2).
SSM Features
CSC 6.3 Support in ASDM
ASDM displays Web Reputation, User Group Policies, and User ID Settings in the
Plus License listing on the main home page. CSC 6.3 security event enhancements
are included, such as the new Web Reputation events and user and group
identifications.
New Features in ASA 8.0(4)/ASDM 6.1(3)
Released: August 11, 2008
Feature
Description
Unified Communications Features (1)
Phone Proxy
Phone Proxy functionality is supported. ASA Phone Proxy provides similar features
to those of the Metreos Cisco Unified Phone Proxy with additional support for SIP
inspection and enhanced security. The ASA Phone Proxy has the following key
features:
• Secures remote IP phones by forcing the phones to encrypt signaling and media
• Performs certificate-based authentication with remote IP phones
• Terminates TLS signaling from IP phones and initiates TCP and TLS to Cisco
Unified Mobility Advantage servers
• Terminates SRTP and initiates RTP/SRTP to the called party
In ASDM, see Configuration > Firewall > Advanced > Encrypted Traffic
Inspection > Phone Proxy.
Mobility Proxy
Secure connectivity (mobility proxy) between Cisco Unified Mobility Advantage
clients and servers is supported.
Cisco Unified Mobility Advantage solutions include the Cisco Unified Mobile
Communicator, an easy-to-use software application for mobile handsets that extends
enterprise communications applications and services to mobile phones and smart
phones and the Cisco Unified Mobility Advantage server. The mobility solution
streamlines the communication experience, enabling real-time collaboration across
the enterprise.
The ASA in this solution delivers inspection for the MMP (formerly called OLWP)
protocol, the proprietary protocol between Cisco Unified Mobile Communicator and
Cisco Unified Mobility Advantage. The ASA also acts as a TLS proxy, terminating
and reoriginating the TLS signaling between the Cisco Unified Mobile Communicator
and Cisco Unified Mobility Advantage.
In ASDM, see Configuration > Firewall > Advanced > Encrypted Traffic
Inspection > TLS Proxy.
Presence Federation Proxy
Secure connectivity (presence federation proxy) between Cisco Unified Presence
servers and Cisco/Microsoft Presence servers is supported. With the Presence solution,
businesses can securely connect their Cisco Unified Presence clients back to their
enterprise networks, or share Presence information between Presence servers in
different enterprises.
The ASA delivers functionality to enable Presence for Internet and intra-enterprise
communications. An SSL-enabled Cisco Unified Presence client can establish an
SSL connection to the Presence Server. The ASA enables SSL connectivity between
server to server communication including third-party Presence servers communicating
with Cisco Unified Presence servers. Enterprises share Presence information, and
can use IM applications. The ASA inspects SIP messages between the servers.
In ASDM, see Configuration > Firewall > Service Policy Rules > Add/Edit Service
Policy Rule > Rule Actions > Protocol Inspection or Configuration > Firewall >
Advanced > Encrypted Traffic Inspection > TLS Proxy > Add > Client
Configuration.
Remote Access Features
Auto Sign-On with Smart Tunnels for IE (1)
This feature lets you enable the replacement of logon credentials for WININET
connections. Most Microsoft applications use WININET, including Internet Explorer.
Mozilla Firefox does not, so it is not supported by this feature. It also supports
HTTP-based authentication, therefore form-based authentication does not work with
this feature.
Credentials are statically associated to destination hosts, not services, so if initial
credentials are wrong, they cannot be dynamically corrected during runtime. Also,
because of the association with destinations hosts, providing support for an auto
sign-on enabled host may not be desirable if you want to deny access to some of the
services on that host.
To configure a group auto sign-on for smart tunnels, you create a global list of auto
sign-on sites, then assign the list to group policies or user names. This feature is not
supported with Dynamic Access Policy.
In ASDM, see Firewall > Advanced > ACL Manager.
Entrust Certificate Provisioning (1)
ASDM includes a link to the Entrust website to apply for temporary (test) or
discounted permanent SSL identity certificates for your ASA.
In ASDM, see Configuration > Remote Access VPN > Certificate Management
> Identity Certificates. Click Enroll ASA SSL VPN head-end with Entrust.
Extended Time for User Reauthentication on IKE Rekey
You can configure the security appliance to give remote users more time to enter
their credentials on a Phase 1 SA rekey. Previously, when reauthenticate-on-rekey
was configured for IKE tunnels and a phase 1 rekey occurred, the security appliance
prompted the user to authenticate and only gave the user approximately 2 minutes to
enter their credentials. If the user did not enter their credentials in that 2 minute
window, the tunnel would be terminated. With this new feature enabled, users now
have more time to enter credentials before the tunnel drops. The total amount of time
is the difference between the new Phase 1 SA being established, when the rekey
actually takes place, and the old Phase 1 SA expiring. With default Phase 1 rekey
times set, the difference is roughly 3 hours, or about 15% of the rekey interval.
In ASDM, see Configuration > Device Management > Certificate Management
> Identity Certificates.
Persistent IPsec Tunneled Flows
With the persistent IPsec tunneled flows feature enabled, the security appliance
preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then
recovers. All other flows are dropped when the tunnel drops and must reestablish
when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive
applications to keep working through a short-lived tunnel drop. This feature supports
IPsec LAN-to-LAN tunnels and Network Extension Mode tunnels from a Hardware
Client. It does not support IPsec or AnyConnect/SSL VPN remote access tunnels.
See the [no] sysopt connection preserve-vpn-flows command. This option is disabled
by default.
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access
> Advanced > IPsec > System Options. Check the Preserve stateful VPN flows
when the tunnel drops for Network Extension Mode (NEM) checkbox to enable
persistent IPsec tunneled flows.
Show Active Directory Groups
The CLI command show ad-groups was added to list the active directory groups.
ASDM Dynamic Access Policy uses this command to present the administrator with
a list of MS AD groups that can be used to define the VPN policy.
In ASDM, see Configuration > Remote Access VPN > Clientless SSL VPN Access
> Dynamic Access Policies > Add/Edit DAP > Add/Edit AAA Attribute.
Smart Tunnel over Mac OS (1)
Smart tunnels now support Mac OS.
In ASDM, see Configuration > Remote Access VPN > Clientless SSL VPN Access
> Portal > Smart Tunnels.
Local Address Pool Edit
Address pools can be edited without affecting the desired connection. If an address
in use is not being eliminated from the pool, the connection is not affected. However,
if the address in use is being eliminated from the pool, the connection is brought
down.
Also available in Version 7.0(8) and 7.2(4).
Firewall Features
QoS Traffic Shaping
If you have a device that transmits packets at a high speed, such as the ASA with
Fast Ethernet, and it is connected to a low speed device such as a cable modem, then
the cable modem is a bottleneck at which packets are frequently dropped. To manage
networks with differing line speeds, you can configure the security appliance to
transmit packets at a fixed slower rate. See the shape command. See also the crypto
ipsec security-association replay command, which lets you configure the IPSec
anti-replay window size. One side-effect of priority queueing is packet re-ordering.
For IPSec packets, out-of-order packets that are not within the anti-replay window
generate warning syslog messages. These warnings become false alarms in the case
of priority queueing. This new command avoids possible false alarms.
In ASDM, see Configuration > Firewall > Security Policy > Service Policy Rules
> Add/Edit Service Policy Rule > Rule Actions > QoS. Note that the only traffic
class supported for traffic shaping is class-default, which matches all traffic.
Also available in Version 7.2(4).
TCP Normalization Enhancements
You can now configure TCP normalization actions for certain packet types. Previously,
the default action for these kinds of packets was to drop the packet. Now you can
set the TCP normalizer to allow the packets.
• TCP invalid ACK check (the invalid-ack command)
• TCP packet sequence past window check (the seq-past-window command)
• TCP SYN-ACK with data check (the synack-data command)
You can also set the TCP out-of-order packet buffer timeout (the queue command
timeout keyword). Previously, the timeout was 4 seconds. You can now set the
timeout to another value.
The default action for packets that exceed MSS has changed from drop to allow (the
exceed-mss command).
The following non-configurable actions have changed from drop to clear for these
packet types:
• Bad option length in TCP
• TCP Window scale on non-SYN
• Bad TCP window scale value
• Bad TCP SACK ALLOW option
In ASDM, see Configuration > Firewall > Objects > TCP Maps.
Also available in Version 7.2(4).
TCP Intercept statistics
You can enable collection for TCP Intercept statistics using the threat-detection
statistics tcp-intercept command, and view them using the show threat-detection
statistics command.
In ASDM 6.1(5) and later, see Configuration > Firewall > Threat Detection. This
command was not supported in ASDM 6.1(3).
Threat detection shun timeout
You can now configure the shun timeout for threat detection using the
threat-detection scanning-threat shun duration command.
In ASDM 6.1(5) and later, see Configuration > Firewall > Threat Detection. This
command was not supported in ASDM 6.1(3).
Timeout for SIP Provisional Media
You can now configure the timeout for SIP provisional media using the timeout
sip-provisional-media command.
In ASDM, see Configuration > Firewall > Advanced > Global Timeouts.
Also available in Version 7.2(4).
clear conn Command
The clear conn command was added to remove connections.
Fragment full reassembly
The fragment command was enhanced with the reassembly full keywords to enable
full reassembly for fragments that are routed through the device. Fragments that
terminate at the device are always fully reassembled.
Also available in Version 7.0(8) and 7.2(4).
Ethertype ACL MAC Enhancement
EtherType ACLs have been enhanced to allow non-standard MACs. Existing default
rules are retained, but no new ones need to be added.
Also available in Version 7.0(8) and 7.2(4).
Troubleshooting and Monitoring Features
capture command Enhancement
The capture type asp-drop drop_code command now accepts all as the drop_code,
so you can now capture all packets that the ASA drops, including those dropped due
to security checks.
Also available in Version 7.0(8) and 7.2(4).
show asp drop Command Enhancement
Output now includes a timestamp indicating when the counters were last cleared (see
the clear asp drop command). It also displays the drop reason keywords next to the
description, so you can easily use the capture asp-drop command using the keyword.
Also available in Version 7.0(8) and 8.0(4).
clear asp table Command
Added the clear asp table command to clear the hits output by the show asp table
commands.
Also available in Version 7.0(8) and 7.2(4).
show asp table classify hits Command Enhancement
The hits option was added to the show asp table classify command, showing the
timestamp indicating the last time the asp table counters were cleared. It also shows
rules with hits values not equal to zero. This permits users to quickly see what rules
are being hit, especially since a simple configuration may end up with hundreds of
entries in the show asp table classify command.
Also available in Version 7.0(8) and 8.0(4).
MIB Enhancement
The CISCO-REMOTE-ACCESS-MONITOR-MIB is implemented more completely.
Also available in 8.0(4).
show perfmon Command
Added the following rate outputs: TCP Intercept Connections Established, TCP
Intercept Attempts, TCP Embryonic Connections Timeout, and Valid Connections
Rate in TCP Intercept.
Also available in Version 7.0(8) and 7.2(4).
memory tracking Commands
The following new commands are introduced in this release:
• memory tracking enable–This command enables the tracking of heap memory
requests.
• no memory tracking enable–This command disables tracking of heap memory
requests, cleans up all currently gathered information, and returns all heap
memory used by the tool itself to the system.
• clear memory tracking–This command clears out all currently gathered
information but continues to track further memory requests.
• show memory tracking–This command shows currently allocated memory
tracked by the tool, broken down by the topmost caller function address.
• show memory tracking address–This command shows currently allocated
memory broken down by each individual piece of memory. The output lists the
size, location, and topmost caller function of each currently allocated piece of
memory tracked by the tool.
• show memory tracking dump–This command shows the size, location, partial
callstack, and a memory dump of the given memory address.
• show memory tracking detail–This command shows various internal details
to be used in gaining insight into the internal behavior of the tool.
Also available in Version 7.0(8) and 7.2(4).
Routing Features
IPv6 Multicast Listener Discovery Protocol v2 Support
The ASA now supports the Multicast Listener Discovery Protocol (MLD) Version
2, to discover the presence of multicast address listeners on their directly attached
links, and to discover specifically which multicast addresses are of interest to those
neighboring nodes. The ASA becomes a multicast address listener, or a host, but not
a multicast router, and responds to Multicast Listener Queries and sends Multicast
Listener Reports only.
The following commands support this feature:
• clear ipv6 mld traffic—The clear ipv6 mld traffic command allows you to
reset all the Multicast Listener Discovery traffic counters.
• show ipv6 mld traffic—The show ipv6 mld command allows you to display
all the Multicast Listener Discovery traffic counters.
• debug ipv6 mld—The enhancement to the debug ipv6 command allows the
user to display the debug messages for MLD, to see whether the MLD protocol
activities are working properly.
• show debug ipv6 mld —The enhancement to the show debug ipv6 command
allows the user to display whether debug ipv6 mld is enabled or disabled.
Also available in Version 7.2(4).
Platform Features
Native VLAN support for the ASA 5505
You can now include the native VLAN in an ASA 5505 trunk port using the
switchport trunk native vlan command.
In ASDM, see Configuration > Device Setup > Interfaces > Switch Ports > Edit
dialog.
Also available in Version 7.2(4).
SNMP support for unnamed interfaces
Previously, SNMP only provided information about interfaces that were configured
using the nameif command. For example, SNMP only sent traps and performed walks
on the IF MIB and IP MIB for interfaces that were named. Because the ASA 5505
has both unnamed switch ports and named VLAN interfaces, SNMP was enhanced
to show information about all physical interfaces and logical interfaces; a nameif
command is no longer required to display the interfaces using SNMP. These changes
affect all models, and not just the ASA 5505.
Failover Features
failover timeout Command
The failover timeout command no longer requires a failover license for use with the
static nailed feature.
Also available in Version 7.0(8) and 7.2(4).
ASDM Features
Simplify DNS Panel
The DNS Panel on the ASDM GUI has been modified for ease of use. See
Configuration > Device Management > DNS.
Redesign the File Transfer Dialog box
You can drag-and-drop files in the File Transfer dialog box. To access this dialog
box, go to Tools > File Management, and then click File Transfer.
Clear ACL Hit Counters
Added functionality enabling users to clear ACL hit counters. See the Firewall >
Advanced > ACL Manager panel.
Renaming ACLs
Added the ability to rename ACLs from ASDM.
See the Firewall > Advanced > ACL Manager panel.
Combine ASDM/HTTPS, SSH, Telnet into One Panel
ASDM has combined the ASDM, HTTPS, SSH, Telnet into one panel. See the
Monitoring > Properties > Device Access > ASDM/HTTPS/Telnet/SSH Sessions
panel.
Display all standard ACLs in ACL Manager
Added functionality enabling users to display all standard ACLs in the ACL Manager.
See the Firewall > Advanced > ACL Manager panel.
(1) This feature is not supported on the PIX security appliance.
New Features in ASA 8.0(3)/ASDM 6.0(3)
Released: November 7, 2007
Feature
Description
VPN Features
AnyConnect RSA SoftID API Integration
Provides support for AnyConnect VPN clients to communicate directly with
RSA SoftID for obtaining user token codes. It also provides the ability to
specify SoftID message support for a connection profile (tunnel group), and
the ability to configure SDI messages on the security appliance that match
SDI messages received through a RADIUS proxy. This feature ensures the
prompts displayed to the remote client user are appropriate for the action
required during authentication and the AnyConnect client responds
successfully to authentication challenges.
IP Address Reuse Delay
Delays the reuse of an IP address after it has been returned to the IP address
pool. Increasing the delay prevents problems the security appliance may
experience when an IP address is returned to the pool and reassigned quickly.
In ASDM, see Configure > Remote Access VPN > Network (Client) Access
> Address Assignment > Assignment Policy.
Clientless SSL VPN Caching Static Content Enhancement
There are two changes to the clientless SSL VPN caching commands:
The cache-compressed command is deprecated.
The new cache-static-content command configures the ASA to cache all
static content, which means all cacheable Web objects that are not subject
to SSL VPN rewriting. This includes content such as images and PDF files.
The syntax of the command is cache-static-content {enable | disable}. By
default, static content caching is disabled.
Example:
hostname(config)# webvpn
hostname(config-webvpn)# cache
hostname(config-webvpn-cache)# cache-static-content enable
hostname(config-webvpn-cache)#
In ASDM, see Configuration > Remote Access VPN > Clientless SSL
VPN Access > Advanced > Content Cache.
Also available in Version 7.2(3).
Smart Card Removal Disconnect
This feature allows the central site administrator to configure remote client
policy for deleting active tunnels when a Smart Card is removed. The Cisco
VPN Remote Access Software clients (both IPSec and SSL) will, by default,
tear down existing VPN tunnels when the user removes the Smart Card used
for authentication. The following CLI command disconnects existing VPN
tunnels when a smart card is removed: smartcard-removal-disconnect
{enable | disable}. This option is enabled by default.
In ASDM, see Configuration > Remote Access VPN > Network (Client)
Access > Group Policies > Add/Edit Internal/External Group Policies >
More Options.
Also available in Version 7.2(3).
WebVPN Load Balancing
The adaptive security appliance now supports the use of FQDNs for load
balancing. To perform WebVPN load balancing using FQDNs, you must first
enable the use of FQDNs for load balancing by entering the redirect-fqdn enable
command. Then add an entry for each of your adaptive security appliance
outside interfaces into your DNS server if not already present. Each adaptive
security appliance outside IP address should have a DNS entry associated
with it for lookups. These DNS entries must also be enabled for reverse
lookup. Enable DNS lookups on your adaptive security appliance with the
dns domain-lookup inside command (or whichever interface has a route to
your DNS server). Finally, you must define the IP address of your DNS
server on the adaptive security appliance. Following is the new CLI associated
with this enhancement: redirect-fqdn {enable | disable}.
In ASDM, see Configuration > VPN > Load Balancing.
Also available in Version 7.2(3).
Application Inspection Features
WAAS and ASA Interoperability
The inspect waas command is added to enable WAAS inspection in the
policy-map class configuration mode. This CLI is integrated into Modular
Policy Framework for maximum flexibility in configuring the feature. The
[no] inspect waas command can be configured under a default inspection
class and under a custom class-map. This inspection service is not enabled
by default.
The keyword option waas is added to the show service-policy inspect
command to display WAAS statistics.
show service-policy inspect waas
A new system log message is generated when WAAS optimization is detected
on a connection. All L7 inspection services including IPS are bypassed on
WAAS optimized connections.
System Log Number and Format:
%ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port
to out_interface:dest_ip_addr/dest_port, inspection services bypassed on this
connection.
A new connection flag "W" is added in the WAAS connection. The show
conn detail command is updated to reflect the new flag.
In ASDM, see Configuration > Firewall > Service Policy Rules > Add/Edit
Service Policy Rule > Rule Actions > Protocol Inspection.
Also available in Version 7.2(3).
DNS Guard Enhancement
Added an option to enable or disable DNS guard. When enabled, this feature
allows only one DNS response back from a DNS request.
In ASDM, see Configuration > Firewall > Objects > Inspect maps > DNS.
Also available in Version 7.2(3).
Support for ESMTP over TLS
This enhancement adds the configuration parameter allow-tls [action log]
in the esmtp policy map. By default, this parameter is not enabled. When it
is enabled, ESMTP inspection would not mask the 250-STARTTLS echo
reply from the server nor the STARTTLS command from the client. After
the server replies with the 220 reply code, the ESMTP inspection turns off
by itself; the ESMTP traffic on that session is no longer inspected. If the
allow-tls action log parameter is configured, the syslog message
ASA-6-108007 is generated when TLS is started on an ESMTP session.
policy-map type inspect esmtp esmtp_map
 parameters
  allow-tls [action log]
A new line for displaying counters associated with the allow-tls parameter
is added to the show service-policy inspect esmtp command. It is only present
if allow-tls is configured in the policy map. By default, this parameter is not
enabled.
show service-policy inspect esmtp
allow-tls, count 0, log 0
This enhancement adds a new system log message for the allow-tls parameter.
It indicates that, on an ESMTP session, the server has responded with a 220 reply
code to the client STARTTLS command. The ESMTP inspection engine will
no longer inspect the traffic on this connection.
System log Number and Format:
%ASA-6-108007: TLS started on ESMTP session between client <client-side
interface-name>:<client IP address>/<client port> and server <server-side
interface-name>:<server IP address>/<server port>
In ASDM, see Configuration > Firewall > Objects > Inspect Map >
ESMTP.
Also available in Version 7.2(3).
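Both the WAAS entry and the ESMTP allow-tls entry above describe connections on which the ASA stops Layer 7 inspection, which a defender normally wants to see in the SIEM. The following Python parser is an added example, not part of the Cisco document: it recognizes the %ASA-6-108007 and %ASA-6-428001 message formats quoted above and groups the affected connections by server endpoint; the hostname, addresses and log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Message formats copied from the release note above; the surrounding log
# prefix (timestamp, hostname) is whatever the syslog collector adds.
_BYPASS_PATTERNS = (
    ("108007",
     "ESMTP inspection stopped after STARTTLS (allow-tls action log)",
     re.compile(
         r"%ASA-6-108007: TLS started on ESMTP session between client "
         r"(?P<cin>[^:\s]+):(?P<cip>[0-9A-Fa-f.:]+)/(?P<cport>\d+) and server "
         r"(?P<sin>[^:\s]+):(?P<sip>[0-9A-Fa-f.:]+)/(?P<sport>\d+)")),
    ("428001",
     "all L7 inspection bypassed on WAAS-optimized connection",
     re.compile(
         r"%ASA-6-428001: WAAS confirmed from "
         r"(?P<cin>[^:\s]+):(?P<cip>[0-9A-Fa-f.:]+)/(?P<cport>\d+) to "
         r"(?P<sin>[^:\s]+):(?P<sip>[0-9A-Fa-f.:]+)/(?P<sport>\d+), "
         r"inspection services bypassed")),
)


@dataclass(frozen=True)
class BypassEvent:
    """One connection on which the ASA reported that inspection is off."""
    msg_id: str
    reason: str
    client_iface: str
    client_ip: str
    client_port: int
    server_iface: str
    server_ip: str
    server_port: int


def parse_bypass_event(line: str) -> Optional[BypassEvent]:
    """Return a BypassEvent for a 108007 or 428001 line, or None otherwise."""
    for msg_id, reason, pattern in _BYPASS_PATTERNS:
        m = pattern.search(line)
        if m:
            return BypassEvent(msg_id, reason,
                               m["cin"], m["cip"], int(m["cport"]),
                               m["sin"], m["sip"], int(m["sport"]))
    return None


def summarize_bypasses(lines):
    """Count bypass events per message ID and group them by server ip/port."""
    by_id = {}
    by_server = {}
    for line in lines:
        ev = parse_bypass_event(line)
        if ev is None:
            continue
        by_id[ev.msg_id] = by_id.get(ev.msg_id, 0) + 1
        by_server.setdefault(f"{ev.server_ip}/{ev.server_port}", []).append(ev)
    return by_id, by_server


# Constructed sample log lines (hostname fw1 and all addresses are made up).
SAMPLE_LOG = [
    "Oct 12 2017 10:15:01 fw1 %ASA-6-108007: TLS started on ESMTP session between "
    "client inside:10.1.1.25/51234 and server outside:203.0.113.10/25",
    "Oct 12 2017 10:15:02 fw1 %ASA-6-108007: TLS started on ESMTP session between "
    "client inside:10.1.1.26/51240 and server outside:203.0.113.10/25",
    "Oct 12 2017 10:15:03 fw1 %ASA-6-302013: Built outbound TCP connection 4711 "
    "for outside:203.0.113.10/25 (203.0.113.10/25) to inside:10.1.1.25/51234 "
    "(198.51.100.5/51234)",
    "Oct 12 2017 10:15:04 fw1 %ASA-6-428001: WAAS confirmed from "
    "inside:10.1.1.30/44100 to outside:203.0.113.20/80, inspection services "
    "bypassed on this connection.",
]

if __name__ == "__main__":
    counts, servers = summarize_bypasses(SAMPLE_LOG)
    for msg_id, n in sorted(counts.items()):
        print(f"{msg_id}: {n} uninspected connection(s)")
    for server, events in sorted(servers.items()):
        print(server, "<-", ", ".join(f"{e.client_ip}/{e.client_port}" for e in events))
```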
High Availability Features
Added Dataplane Keepalive Mechanism
You can now configure the ASA so that a failover will not occur if the AIP
SSM is upgraded. In previous releases when two ASAs with AIP SSMs are
configured in failover and the AIP SSM software is updated, the ASA triggers
a failover, because the AIP SSM needs to reboot or restart for the software
update to take effect.
Also available in Version 7.0(7) and 7.2(3).
Fully Qualified Domain Name Support Enhancement
Added option in the redirect-fqdn command to send either the fully qualified
domain name (FQDN) or the IP address to the client in a VPN load balancing
cluster.
In ASDM, see Configuration > Device Management > High Availability
> VPN Load Balancing or Configuration > Remote Access VPN > Load
Balancing.
DHCP Features
DHCP client ID enhancement
If you enable the DHCP client for an interface using the ip address dhcp
command, some ISPs expect option 61 to be the interface MAC address. If
the MAC address is not included in the DHCP request packet, then an IP
address will not be assigned. Use this new command to include the interface
MAC address for option 61. If you do not configure this command, the client
ID is as follows: cisco-<MAC>-<interface>-<hostname>.
We introduced the following command: dhcp-client client-id interface
interface_name
We modified the following screen: Configuration > Device Management
> DHCP > DHCP Server; then click Advanced.
Also available in Version 7.2(3).
DHCP client broadcast flag
If you enable the DHCP client for an interface using the ip address dhcp
command, then you can use this command to set the broadcast flag to 1 in
the DHCP packet header when the DHCP client sends a discover requesting
an IP address. The DHCP server listens to this broadcast flag and broadcasts
the reply packet if the flag is set to 1.
If you enter the no dhcp-client broadcast-flag command, the broadcast flag
is set to 0, and the DHCP server unicasts the reply packets to the client with
the offered IP address.
The DHCP client can receive both broadcast and unicast offers from the
DHCP server.
We introduced the following command: dhcp-client broadcast-flag
We modified the following screen: Configuration > Device Management
> DHCP > DHCP Server; then click Advanced.
Platform Features
ASA 5510 Security Plus License Allows Gigabit Ethernet for Port 0 and 1
The ASA 5510 now has the security plus license to enable GE (Gigabit
Ethernet) for port 0 and 1. If you upgrade the license from base to security
plus, the capacity of the external port Ethernet0/0 and Ethernet0/1 increases
from the original FE (Fast Ethernet) (100 Mbps) to GE (1000 Mbps). The
interface names will remain Ethernet 0/0 and Ethernet 0/1. Use the speed
command to change the speed on the interface and use the show interface
command to see what speed is currently configured for each interface.
Also available in Version 7.2(3).
ASA 5505 Increased VLAN range
The ASA 5505 now supports VLAN IDs between 1 and 4090.
Originally, only VLAN IDs between 1 and 1001 were supported.
Also available in Version 7.2(3).
Troubleshooting Features
capture Command Enhancement
The enhancement to the capture command allows the user to capture traffic
and display it in real time. It also allows the user to specify command line
options to filter traffic without having to configure a separate access list. This
enhancement adds the real-time and five-tuple match options.
capture cap_name [real-time] [dump] [detail [trace] [match prot {host
ip | ip mask | any} [{eq | lt | gt} port] {host ip | ip mask | any} [{eq | lt | gt}
port]]
Also available in Version 7.2(3).
ASDM Features
ASDM banner enhancement
The adaptive security appliance software supports an ASDM banner. If
configured, when you start ASDM, this banner text will appear in a dialog
box with the option to continue or disconnect. The Continue option dismisses
the banner and completes login as usual, whereas the Disconnect option
dismisses the banner and terminates the connection. This enhancement
requires the customer to accept the terms of a written policy before
connecting.
Following is the new CLI associated with this enhancement:
banner {exec | login | motd | asdm} text
show banner [exec | login | motd | asdm]
clear banner
In ASDM, see Configuration > Properties > Device Administration >
Banner.
Also available in Version 7.2(3).
Localization Enhancement in ASDM
ASDM now supports AnyConnect Localization. See
Configuration > Remote Access VPN > Network (Client) Access >
AnyConnect Customization, or the Configuration > RemoteAccess >
Network Access > AnyConnect Customization and Configuration >
RemoteAccess > Language Localization > MST Translation panels.
Time-based License Enhancement
On the Home page, the License tab of the Device Dashboard tab now includes
the number of days until a time-based license expires (if applicable).
Network Objects
You can now add true network objects that you can use in firewall rules.
Objects can be named, and when you edit an object, the change is inherited
wherever the object is used. Also, when you create a rule, the networks that
you specify in the rule are automatically added to the network object list so
you can reuse them elsewhere. You can name and edit these automatic entries
as well. See Configuration > Firewall > Objects > Network
Objects/Groups.
Client Software Location Enhancement
Added support in Client Software Location list to allow client updates from
Linux or Mac systems. See Configure > Remote Access VPN > Language
Localization.
Also available in Version 7.2(3).
CSC Event and Statistic Reporting Enhancement
With the Cisco Content Security and Control (CSC) 6.2 software, ASDM
provides events and statistics for the new Damage Cleanup Services (DCS)
feature. DCS removes malware from clients and servers and repairs system
registries and memory.
New Features in ASA 8.0(2)/ASDM 6.0(2)
Released: June 18, 2007
Note
There was no 8.0(1)/6.0(1) release.
Feature
Description
Routing Features
EIGRP routing
The ASA supports EIGRP or EIGRP stub routing.
High Availability Features
Remote command execution in Failover pairs
You can execute commands on the peer unit in a failover pair without
having to connect directly to the peer. This works for both Active/Standby
and Active/Active failover.
CSM configuration rollback support
Adds support for the Cisco Security Manager configuration rollback
feature in failover configurations.
Failover pair Auto Update support
You can use an Auto Update server to update the platform image and
configuration in failover pairs.
Stateful Failover for SIP signaling
SIP media and signaling connections are replicated to the standby unit.
Redundant interfaces
A logical redundant interface pairs an active and a standby physical
interface. When the active interface fails, the standby interface becomes
active and starts passing traffic. You can configure a redundant interface
to increase the ASA reliability. This feature is separate from device-level
failover, but you can configure redundant interfaces as well as failover
if desired. You can configure up to eight redundant interface pairs.
Module Features
Virtual IPS sensors with the AIP SSM
The AIP SSM running IPS software Version 6.0 and above can run
multiple virtual sensors, which means you can configure multiple security
policies on the AIP SSM. You can assign each context or single mode
adaptive security appliance to one or more virtual sensors, or you can
assign multiple security contexts to the same virtual sensor. See the IPS
documentation for more information about virtual sensors, including the
maximum number of sensors supported.
Password reset
You can reset the password on the SSM hardware module.
VPN Authentication Features (1)
Combined certificate and username/password login
An administrator requires a username and password in addition to a
certificate for login to SSL VPN connections.
Internal domain username/password
Provides a password for access to internal resources for users who log
in with credentials other than a domain username and password, for
example, with a one-time password. This is a password in addition to
the one a user enters when logging in.
Generic LDAP support
This includes OpenLDAP and Novell LDAP. Expands LDAP support
available for authentication and authorization.
Onscreen keyboard
The ASA includes an onscreen keyboard option for the login page and
subsequent authentication requests for internal resources. This provides
additional protection against software-based keystroke loggers by
requiring a user to use a mouse to click characters in an onscreen
keyboard for authentication, rather than entering the characters on a
physical keyboard.
SAML SSO verified with RSA Access Manager
The ASA supports Security Assertion Markup Language (SAML)
protocol for Single Sign On (SSO) with RSA Access Manager (Cleartrust
and Federated Identity Manager).
NTLMv2
Version 8.0(2) adds support for NTLMv2 authentication for
Windows-based clients.
Certificate Features
Local certificate authority
Provides a certificate authority on the ASA for use with SSL VPN
connections, both browser- and client-based.
OCSP CRL
Provides OCSP revocation checking for SSL VPN.
Cisco Secure Desktop Features
Host Scan
As a condition for the completion of a Cisco AnyConnect or clientless
SSL VPN connection, the remote computer scans for a greatly expanded
collection of antivirus and antispyware applications, firewalls, operating
systems, and associated updates. It also scans for any registry entries,
filenames, and process names that you specify. It sends the scan results
to the ASA. The ASA uses both the user login credentials and the
computer scan results to assign a Dynamic Access Policy (DAP).
With an Advanced Endpoint Assessment License, you can enhance Host
Scan by configuring an attempt to update noncompliant computers to
meet version requirements.
Cisco can provide timely updates to the list of applications and versions
that Host Scan supports in a package that is separate from Cisco Secure
Desktop.
Simplified prelogin assessment and periodic checks
Cisco Secure Desktop now simplifies the configuration of prelogin and
periodic checks to perform on remote Microsoft Windows computers.
Cisco Secure Desktop lets you add, modify, remove, and place conditions
on endpoint checking criteria using a simplified, graphical view of the
checks. As you use this graphical view to configure sequences of checks,
link them to branches, deny logins, and assign endpoint profiles, Cisco
Secure Desktop Manager records the changes to an XML file. You can
configure the ASA to use returned results in combination with many
other types of data, such as the connection type and multiple group
settings, to generate and apply a DAP to the session.
VPN Access Policy Features
Dynamic access policies (DAP)
VPN gateways operate in dynamic environments. Multiple variables can
affect each VPN connection, for example, intranet configurations that
frequently change, the various roles each user may inhabit within an
organization, and logins from remote access sites with different
configurations and levels of security. The task of authorizing users is
much more complicated in a VPN environment than it is in a network
with a static configuration.
Dynamic Access Policies (DAP) on the ASA let you configure
authorization that addresses these many variables. You create a dynamic
access policy by setting a collection of access control attributes that you
associate with a specific user tunnel or session. These attributes address
issues of multiple group membership and endpoint security. That is, the
ASA grants access to a particular user for a particular session based on
the policies you define. It generates a DAP at the time the user connects
by selecting and/or aggregating attributes from one or more DAP records.
It selects these DAP records based on the endpoint security information
of the remote device and the AAA authorization information for the
authenticated user. It then applies the DAP record to the user tunnel or
session.
Administrator differentiation
Lets you differentiate regular remote access users and administrative
users under the same database, either RADIUS or LDAP. You can create
and restrict access to the console via various methods (TELNET and
SSH, for example) to administrators only. It is based on the IETF
RADIUS service-type attribute.
Platform Enhancements
VLAN support for remote access VPN connections
Provides support for mapping (tagging) of client traffic at the group or
user level. This feature is compatible with clientless as well as IPsec and
SSL tunnel-based connections.
VPN load balancing for the ASA 5510
Extends load balancing support to ASA 5510 adaptive security appliances
that have a Security Plus license.
Crypto conditional debug
Lets users debug an IPsec tunnel on the basis of predefined crypto
conditions such as the peer IP address, connection-ID of a crypto engine,
and security parameter index (SPI). By limiting debug messages to
specific IPSec operations and reducing the amount of debug output, you
can better troubleshoot the ASA with a large number of tunnels.
Browser-based SSL VPN Features
Enhanced portal design
Version 8.0(2) includes an enhanced end user interface that is more
cleanly organized and visually appealing.
Customization
Supports administrator-defined customization of all user-visible content.
Support for FTP
You can provide file access via FTP in addition to CIFS
(Windows-based).
Plugin applets
Version 8.0(2) adds a framework for supporting TCP-based applications
without requiring a pre-installed client application. Java applets let users
access these applications from the browser-enabled SSL VPN portal.
Initial support is for TELNET, SSH, RDP, and VNC.
Smart tunnels
A smart tunnel is a connection between an application and a remote site,
using a browser-based SSL VPN session with the ASA as the pathway.
Version 8.0(2) lets you identify the applications to which you want to
grant smart tunnel access, and lets you specify the path to the application
and the SHA-1 hash of its checksum to check before granting it access.
Lotus SameTime and Microsoft Outlook Express are examples of
applications to which you might want to grant smart tunnel access.
The remote host originating the smart tunnel connection must be running
Microsoft Windows Vista, Windows XP, or Windows 2000, and the
browser must be enabled with Java, Microsoft ActiveX, or both.
RSS newsfeed
Administrators can populate the clientless portal with RSS newsfeed
information, which lets company news or other information display on
a user screen.
Personal bookmark support
Users can define their own bookmarks. These bookmarks are stored on
a file server.
Transformation enhancements
Adds support for several complex forms of web content over clientless
connections, including Adobe flash and Java WebStart.
IPv6
Allows access to IPv6 resources over a public IPv4 connection.
Web folders
Lets browser-based SSL VPN users connecting from Windows operating
systems browse shared file systems and perform the following operations:
view folders, view folder and file properties, create, move, copy, copy
from the local host to the remote host, copy from the remote host to the
local host, and delete. Internet Explorer indicates when a web folder is
accessible. Accessing this folder launches another window, providing a
view of the shared folder, on which users can perform web folder
functions, assuming the properties of the folders and documents permit
them.
Microsoft Sharepoint enhancement
Extends Web Access support for Microsoft Sharepoint, integrating
Microsoft Office applications available on the machine with the browser
to view, change, and save documents shared on a server. Version 8.0(2)
supports Windows Sharepoint Services 2.0 in Windows Server 2003.
HTTP/HTTPS Proxy Features
PAC support
Lets you specify the URL of a proxy autoconfiguration file (PAC) to
download to the browser. Once downloaded, the PAC file uses a
JavaScript function to identify a proxy for each URL.
Proxy exclusion list
Lets you configure a list of URLs to exclude from the HTTP requests
the ASA can send to an external proxy server.
VPN Network Access Control Features
SSL VPN tunnel support
The ASA provides NAC posture validation of endpoints that establish
AnyConnect VPN client sessions.
Support for audit services
You can configure the ASA to pass the IP address of the client to an
optional audit server if the client does not respond to a posture validation
request. The audit server uses the host IP address to challenge the host
directly to assess its health. For example, it might challenge the host to
determine whether its virus checking software is active and up-to-date.
After the audit server completes its interaction with the remote host, it
passes a token to the posture validation server, indicating the health of
the remote host. If the token indicates the remote host is healthy, the
posture validation server sends a network access policy to the ASA for
application to the traffic on the tunnel.
Application Inspection Features
Modular policy framework inspect class map
Traffic can match one of multiple match commands in an inspect class
map; formerly, traffic had to match all match commands in a class map
to match the class map.
AIC for encrypted streams and AIC Arch changes
Provides HTTP inspection into TLS, which allows AIC/MPF inspection
in WebVPN HTTP and HTTPS streams.
TLS Proxy for SCCP and SIP (2)
Enables inspection of encrypted traffic. Implementations include SSL
encrypted VoIP signaling, namely Skinny and SIP, interacting with the
Cisco CallManager.
SIP enhancements for CCM
Improves interoperability with CCM 5.0 and 6.x with respect to signaling
pinholes.
IPv6 support for SIP
The SIP inspection engine supports IPv6 addresses. IPv6 addresses can
be used in URLs, in the Via header field, and SDP fields.
Full RTSP PAT support
Provides TCP fragment reassembly support, a scalable parsing routine
on RTSP, and security enhancements that protect RTSP traffic.
Access List Features
Enhanced service object group
Lets you configure a service object group that contains a mix of TCP
services, UDP services, ICMP-type services, and any protocol. It removes
the need for a specific ICMP-type object group and protocol object group.
The enhanced service object group also specifies both source and
destination services. The access list CLI now supports this behavior.
Ability to rename access list
Lets you rename an access list.
Live access list hit counts
Includes the hit count for ACEs from multiple access lists. The hit count
value represents how many times traffic hits a particular access rule.
Attack Prevention Features
Set connection limits for management traffic to the adaptive security appliance
For a Layer 3/4 management class map, you can specify the set
connection command.
Threat detection
You can enable basic threat detection and scanning threat detection to
monitor attacks such as DoS attacks and scanning attacks. For scanning
attacks, you can automatically shun attacking hosts. You can also enable
scan threat statistics to monitor both valid and invalid traffic for hosts,
ports, protocols, and access lists.
NAT Features
Transparent firewall NAT support
You can configure NAT for a transparent firewall.
Monitoring Features
Secure logging
You can enable secure connections to the syslog server using SSL or
TLS with TCP, and encrypted system log message content. Not supported
on the PIX series adaptive security appliance.
ASDM Features
Redesigned Interface
Reorganizes information to provide greater logical consistency and ease
of navigation.
Expanded onscreen help
ASDM describes features and configuration options on screen, which
reduces the need to consult other information sources.
Visual policy editor
The visual policy editor lets an administrator configure access control
policies and posture checking.
Firewall Dashboard
From the home page, you can now track threats to your network by
monitoring traffic that exceeds rate limits, as well as allowed and dropped
traffic by host, access list, port, or protocol.
Accessibility Features
Features such as keyboard navigation, alternate text for graphics, and
improved screen reader support have been added.
Complex Configuration Support
You can move between panes without applying changes, allowing you
to enter multi-pane configurations before applying that configuration to
the device.
Device List
ASDM maintains a list of recently accessed devices, allowing you to
switch between devices and contexts.
SSL VPN configuration wizard
The new SSL VPN configuration wizard provides step-by-step guidance
in configuring basic SSL VPN connections.
Startup Wizard Enhancement
The Startup Wizard now allows you to configure the adaptive ASA to
pass traffic to an installed CSC SSM.
ASDM Assistant Enhancements
An assistant for configuring Secure Voice was added.
Packet Capture Wizard
The Packet Capture Wizard assists you in obtaining and downloading
sniffer trace in PCAP format.
Service Policy Rule Wizard
Updated to support IPS Virtualization.
Certificate Management Enhancements
The certificate management GUI is reorganized and simplified.
(1) Clientless SSL VPN features are not supported on the PIX security appliance.
(2) TLS proxy is not supported on the PIX security appliance.
New Features in Version 7.2
New Features in ASA 7.2(5)/ASDM 5.2(5)
Released: May 11, 2010
There were no new features in ASA 7.2(5)/ASDM 5.2(5).
New Features in ASA 7.2(4)/ASDM 5.2(4)
Released: April 7, 2008
Feature
Description
Remote Access Features
Local Address Pool Edit
Address pools can be edited without affecting the desired connection. If an address
in use is not being eliminated from the pool, the connection is not affected.
However, if the address in use is being eliminated from the pool, the connection
is brought down.
Also available in Version 7.0(8) and 8.0(4).
Routing Features
IPv6 Multicast Listener Discovery Protocol v2 Support
The ASA now supports the Multicast Listener Discovery Protocol (MLD) Version
2, to discover the presence of multicast address listeners on their directly attached
links, and to discover specifically which multicast addresses are of interest to
those neighboring nodes. The ASA becomes a multicast address listener, or a
host, but not a multicast router, and responds to Multicast Listener Queries and
sends Multicast Listener Reports only.
The following commands support this feature:
• clear ipv6 mld traffic
The clear ipv6 mld traffic command allows you to reset all the Multicast
Listener Discovery traffic counters.
• show ipv6 mld traffic
The show ipv6 mld traffic command allows you to display all the Multicast
Listener Discovery traffic counters.
• debug ipv6 mld
The enhancement to the debug ipv6 command allows the user to display the
debug messages for MLD, to see whether the MLD protocol activities are
working properly.
• show debug ipv6 mld
The enhancement to the show debug ipv6 command allows the user to display
whether debug ipv6 mld is enabled or disabled.
Also available in Version 8.0(4).
Platform Features
Native VLAN Support on ASA 5505 Trunk Ports
You can now allow native VLANs on a trunk port (see the switchport trunk
native vlan command).
In ASDM, see Configuration > Device Setup > Interfaces > Switch Ports >
Edit dialog.
Also available in Version 8.0(4).
Connection Features
clear conn Command
The clear conn command was added to remove connections.
Also available in Version 7.0(8) and 8.0(4).
Fragment full reassembly
The fragment command was enhanced with the reassembly full keywords to
enable full reassembly for fragments that are routed through the device. Fragments
that terminate at the device are always fully reassembled.
Also available in Version 7.0(8) and 8.0(4).
QoS Traffic Shaping
If you have a device that transmits packets at a high speed, such as the ASA with
Fast Ethernet, and it is connected to a low speed device such as a cable modem,
then the cable modem is a bottleneck at which packets are frequently dropped.
To manage networks with differing line speeds, you can configure the security
appliance to transmit packets at a fixed slower rate. See the shape command. See
also the crypto ipsec security-association replay command, which lets you
configure the IPSec anti-replay window size.
One side-effect of priority queueing is packet re-ordering. For IPSec packets,
out-of-order packets that are not within the anti-replay window generate warning
syslog messages. These warnings become false alarms in the case of priority
queueing. This new feature avoids possible false alarms.
In ASDM, see Configuration > Firewall > Security Policy > Service Policy
Rules > Add/Edit Service Policy Rule > Rule Actions > QoS. Note that the
only traffic class supported for traffic shaping is class-default, which matches all
traffic.
Also available in Version 8.0(4).
Firewall Features
TCP Normalization Enhancements
You can now configure TCP normalization actions for certain packet types.
Previously, the default action for these kinds of packets was to drop the packet.
Now you can set the TCP normalizer to allow the packets.
• TCP invalid ACK check (the invalid-ack command)
• TCP packet sequence past window check (the seq-past-window command)
• TCP SYN-ACK with data check (the synack-data command)
You can also set the TCP out-of-order packet buffer timeout (the queue command
timeout keyword). Previously, the timeout was 4 seconds. You can now set the
timeout to another value.
The default action for packets that exceed MSS has changed from drop to allow
(the exceed-mss command).
The following non-configurable actions have changed from drop to clear for these
packet types:
• Bad option length in TCP
• TCP Window scale on non-SYN
• Bad TCP window scale value
• Bad TCP SACK ALLOW option
In ASDM, see the Configuration > Global Objects > TCP Maps pane.
Also available in Version 8.0(4).
Timeout for SIP Provisional Media
You can now configure the timeout for SIP provisional media using the timeout
sip-provisional-media command.
In ASDM, see the Configuration > Properties > Timeouts pane.
Also available in Version 8.0(4).
Ethertype ACL MAC Enhancement
EtherType ACLs have been enhanced to allow non-standard MACs. Existing
default rules are retained, but no new ones need to be added.
Also available in Version 7.0(8) and 8.0(4).
Troubleshooting and Monitoring Features
capture command Enhancement
The capture type asp-drop drop_code command now accepts all as the
drop_code, so you can now capture all packets that the ASA drops, including
those dropped due to security checks.
Also available in Version 7.0(8) and 8.0(4).
MIB Enhancement
The CISCO-REMOTE-ACCESS-MONITOR-MIB is implemented more
completely.
Also available in 8.0(4).
show asp drop Command Enhancement
Output now includes a timestamp indicating when the counters were last cleared
(see the clear asp drop command). It also displays the drop reason keywords
next to the description, so you can easily use the capture asp-drop command
using the keyword.
Also available in Version 7.0(8) and 8.0(4).
clear asp table Command
Added the clear asp table command to clear the hits output by the show asp
table commands.
Also available in Version 7.0(8) and 8.0(4).
show asp table classify hits Command Enhancement
The hits option was added to the show asp table classify command, showing the
timestamp indicating the last time the asp table counters were cleared. It also
shows rules with hits values not equal to zero. This permits users to quickly see
what rules are being hit, especially since a simple configuration may end up with
hundreds of entries in the show asp table classify command.
Also available in Version 7.0(8) and 8.0(4).
show perfmon Command
Added the following rate outputs: TCP Intercept Connections Established, TCP
Intercept Attempts, TCP Embryonic Connections Timeout, and Valid Connections
Rate in TCP Intercept.
Also available in Version 7.0(8) and 8.0(4).
memory tracking Commands
The following new commands are introduced in this release:
• memory tracking enable–This command enables the tracking of heap
memory requests.
• no memory tracking enable–This command disables tracking of heap
memory requests, cleans up all currently gathered information, and returns
all heap memory used by the tool itself to the system.
• clear memory tracking–This command clears out all currently gathered
information but continues to track further memory requests.
• show memory tracking–This command shows currently allocated memory
tracked by the tool, broken down by the topmost caller function address.
• show memory tracking address–This command shows currently allocated
memory broken down by each individual piece of memory. The output lists
the size, location, and topmost caller function of each currently allocated
piece of memory tracked by the tool.
• show memory tracking dump–This command shows the size, location,
partial callstack, and a memory dump of the given memory address.
• show memory tracking detail–This command shows various internal details
to be used in gaining insight into the internal behavior of the tool.
Also available in Version 7.0(8) and 8.0(4).
Failover Features
failover timeout Command
The failover timeout command no longer requires a failover license for use with
the static nailed feature.
Also available in Version 7.0(8) and 8.0(4).
ASDM Features
Network Objects
You can now add true network objects that you can use in firewall rules. Objects
can be named, and when you edit an object, the change is inherited wherever the
object is used. Also, when you create a rule, the networks that you specify in the
rule are automatically added to the network object list so you can reuse them
elsewhere. You can name and edit these automatic entries as well. See
Configuration > Objects > Network Objects/Groups.
Enhanced ASDM Rule
Table
The ASDM rule tables have been redesigned to streamline policy creation.
New Features in ASA 7.2(3)/ASDM 5.2(3)
Released: August 15, 2007
Feature
Description
Remote Access Features
WebVPN load Balancing
The adaptive security appliance now supports the use of FQDNs for load balancing.
To perform WebVPN load balancing using FQDNs, you must first enable the use of
FQDNs for load balancing by entering the redirect-fqdn enable command. Then add
an entry for each of your adaptive security appliance outside interfaces into your
DNS server if not already present. Each adaptive security appliance outside IP
address should have a DNS entry associated with it for lookups. These DNS entries
must also be enabled for reverse lookup. Enable DNS lookups on your adaptive
security appliance with the dns domain-lookup inside command (or whichever
interface has a route to your DNS server). Finally, you must define the IP address
of your DNS server on the adaptive security appliance. Following is the new CLI
associated with this enhancement: redirect-fqdn {enable | disable}.
In ASDM, see Configuration > VPN > Load Balancing.
Also available in Version 8.0(3).
Clientless SSL VPN
Caching Static Content
Enhancement
There are two changes to the clientless SSL VPN caching commands:
The cache-compressed command is deprecated.
The new cache-static-content command configures the ASA to cache all static
content, which means all cacheable Web objects that are not subject to SSL VPN
rewriting. This includes content such as images and PDF files.
The syntax of the command is cache-static-content {enable | disable}. By default,
static content caching is disabled.
Example:
hostname(config)# webvpn
hostname(config-webvpn)# cache
hostname(config-webvpn-cache)# cache-static-content enable
hostname(config-webvpn-cache)#
In ASDM, see Configuration > Remote Access VPN > Clientless SSL VPN
Access > Advanced > Content Cache.
Also available in Version 8.0(3).
Smart Card Removal
Disconnect
This feature allows the central site administrator to configure remote client policy
for deleting active tunnels when a Smart Card is removed. The Cisco VPN Remote
Access Software clients (both IPSec and SSL) will, by default, tear down existing
VPN tunnels when the user removes the Smart Card used for authentication. The
following CLI command disconnects existing VPN tunnels when a smart card is
removed: smartcard-removal-disconnect {enable | disable}. This option is
enabled by default.
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access
> Group Policies > Add/Edit Internal/External Group Policies > More
Options.
Also available in Version 8.0(3).
Platform Features
ASA 5510 Security Plus
License Allows Gigabit
Ethernet for Port 0 and 1
The ASA 5510 now has the security plus license to enable GE (Gigabit
Ethernet) for port 0 and 1. If you upgrade the license from base to security plus,
the capacity of the external port Ethernet0/0 and Ethernet0/1 increases from the
original FE (Fast Ethernet) (100 Mbps) to GE (1000 Mbps). The interface names
will remain Ethernet 0/0 and Ethernet 0/1. Use the speed command to change the
speed on the interface and use the show interface command to see what speed is
currently configured for each interface.
Also available in Version 8.0(3).
ASA 5505 Increased
VLAN range
The ASA 5505 now supports VLAN IDs between 1 and 4090. Originally,
only VLAN IDs between 1 and 1001 were supported.
Also available in Version 8.0(3).
Troubleshooting Features
capture Command
Enhancement
The enhancement to the capture command allows the user to capture traffic and
display it in real time. It also allows the user to specify command line options to
filter traffic without having to configure a separate access list. This enhancement
adds the real-time and five-tuple match options.
capture cap_name [real-time] [dump] [detail [trace] [match prot {host ip | ip
mask | any} [{eq | lt | gt} port] {host ip | ip mask | any} [{eq | lt | gt} port]]
Also available in Version 8.0(3).
Application Inspection Features
Support for ESMTP over
TLS
This enhancement adds the configuration parameter allow-tls [action log] in the
esmtp policy map. By default, this parameter is not enabled. When it is enabled,
ESMTP inspection does not mask the 250-STARTTLS echo reply from the
server or the STARTTLS command from the client. After the server replies
with the 220 reply code, the ESMTP inspection turns off by itself; the ESMTP
traffic on that session is no longer inspected. If the allow-tls action log parameter
is configured, the syslog message ASA-6-108007 is generated when TLS is started
on an ESMTP session.
policy-map type inspect esmtp esmtp_map
parameters
allow-tls [action log]
A new line for displaying counters associated with the allow-tls parameter is
added to the show service-policy inspect esmtp command. It is only present if
allow-tls is configured in the policy map. By default, this parameter is not enabled.
show service-policy inspect esmtp
allow-tls, count 0, log 0
This enhancement adds a new system log message for the allow-tls parameter. It
indicates on an esmtp session the server has responded with a 220 reply code to
the client STARTTLS command. The ESMTP inspection engine will no longer
inspect the traffic on this connection.
System log Number and Format:
%ASA-6-108007: TLS started on ESMTP session between client <client-side
interface-name>:<client IP address>/<client port> and server <server-side
interface-name>:<server IP address>/<server port>
In ASDM, see Configuration > Firewall > Objects > Inspect Map > ESMTP.
Also available in Version 8.0(3).
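As an added illustration (not Cisco code), the following Python models the allow-tls behaviour described above: an inspection engine that masks or passes the STARTTLS offer and command depending on allow-tls, stops inspecting once the server answers STARTTLS with a 220 reply, and produces the 108007 syslog and the allow-tls counters shown by show service-policy. The interface names, addresses, the transcript and the X-character masking are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample endpoints: (interface, ip, port). Not from the original page.
CLIENT = ("inside", "10.1.1.5", 51234)
SERVER = ("outside", "198.51.100.25", 25)


@dataclass
class EsmtpInspection:
    """Inspection state for one ESMTP connection (model of allow-tls handling)."""
    client: tuple
    server: tuple
    allow_tls: bool = False
    action_log: bool = False
    starttls_seen: bool = False   # client STARTTLS was passed through to the server
    inspecting: bool = True       # becomes False once the session is TLS-encrypted
    count: int = 0                # allow-tls counter (show service-policy inspect esmtp)
    log: int = 0                  # allow-tls log counter
    syslogs: list = field(default_factory=list)

    @staticmethod
    def _mask(line: str) -> str:
        # Assumption: masking overwrites the keyword with X characters so the
        # peer never sees a usable STARTTLS offer or command.
        return "X" * len(line)

    def from_server(self, line: str) -> str:
        """Handle one server->client reply line; return what the client receives."""
        if not self.inspecting:
            return line
        if line.upper() in ("250-STARTTLS", "250 STARTTLS"):
            # EHLO extension advertisement: passed through only with allow-tls.
            return line if self.allow_tls else self._mask(line)
        if line.startswith("220") and self.starttls_seen:
            # 220 in answer to STARTTLS: TLS starts, inspection stops here.
            self.inspecting = False
            self.count += 1
            if self.action_log:
                self.log += 1
                self.syslogs.append(self.syslog_108007())
        return line

    def from_client(self, line: str) -> str:
        """Handle one client->server command line; return what the server receives."""
        if not self.inspecting:
            return line
        if line.strip().upper() == "STARTTLS":
            if not self.allow_tls:
                return self._mask(line)
            self.starttls_seen = True
        return line

    def syslog_108007(self) -> str:
        ci, cip, cport = self.client
        si, sip, sport = self.server
        return (f"%ASA-6-108007: TLS started on ESMTP session between client "
                f"{ci}:{cip}/{cport} and server {si}:{sip}/{sport}")

    def show_service_policy_line(self) -> str:
        return f"allow-tls, count {self.count}, log {self.log}"


# Constructed transcript in wire order: "S" = server line, "C" = client line.
# The greeting is also a 220 reply; it must not be mistaken for a STARTTLS answer.
TRANSCRIPT = [
    ("S", "220 mail.example.com ESMTP"),
    ("C", "EHLO client.example.com"),
    ("S", "250-mail.example.com"),
    ("S", "250-STARTTLS"),
    ("S", "250 SIZE 10240000"),
    ("C", "STARTTLS"),
    ("S", "220 2.0.0 Ready to start TLS"),   # a real server would not send this
    ("C", "<encrypted TLS record>"),        # after a masked STARTTLS; the model
]                                           # shows inspection simply continues


def run_session(allow_tls: bool, action_log: bool):
    """Replay the transcript through the engine; return (state, delivered lines)."""
    insp = EsmtpInspection(CLIENT, SERVER, allow_tls, action_log)
    delivered = []
    for side, line in TRANSCRIPT:
        out = insp.from_server(line) if side == "S" else insp.from_client(line)
        delivered.append((side, out))
    return insp, delivered


if __name__ == "__main__":
    for cfg in ((False, False), (True, True)):
        state, lines = run_session(*cfg)
        print(f"allow_tls={cfg[0]} action_log={cfg[1]}: {state.show_service_policy_line()}")
        for side, line in lines:
            print(f"  {side}: {line}")
        for msg in state.syslogs:
            print("  " + msg)
```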
DNS Guard
Enhancement
Added an option to enable or disable DNS guard. When enabled, this feature
allows only one DNS response back from a DNS request.
In ASDM, see Configuration > Firewall > Objects > Inspect maps > DNS.
Also available in Version 8.0(3).
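Added example, not Cisco's implementation: a Python model of the one-response-per-query rule above, run with DNS Guard enabled and disabled over a constructed query/response pair. Keying the flow on client, resolver and transaction ID alone is an assumption of this model, as are the endpoints and packet contents.

```python
import struct

# Constructed endpoints for the example (not from the original page).
CLIENT = ("inside", "10.1.1.5", 40311)
RESOLVER = ("outside", "198.51.100.53", 53)


def build_dns(txid: int, response: bool, qname: str = "example.com") -> bytes:
    """Build a minimal DNS query or A-record response for the constructed test."""
    flags = 0x8180 if response else 0x0100           # QR bit set on responses
    ancount = 1 if response else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", 1, 1)             # QTYPE A, QCLASS IN
    pkt = header + question
    if response:
        # Answer: pointer to the question name, A/IN, TTL 300, address 192.0.2.10
        pkt += struct.pack("!HHHIH4s", 0xC00C, 1, 1, 300, 4, bytes([192, 0, 2, 10]))
    return pkt


class DnsGuard:
    """Stateful UDP/53 tracking with the DNS Guard behaviour modelled on top.

    With the guard enabled, the query flow is closed as soon as the first
    response arrives, so any later response carrying the same transaction ID
    (for example a spoofed reply racing the real resolver) is dropped.
    With the guard disabled, the flow stays open until its idle timeout,
    so every matching response is forwarded.
    """

    def __init__(self, enabled: bool = True):
        self.enabled = enabled
        self.connections = set()   # (client, resolver, txid) of open query flows
        self.forwarded = 0
        self.dropped = 0

    @staticmethod
    def parse_header(pkt: bytes):
        """Return (transaction id, is_response) from the DNS header."""
        txid, flags = struct.unpack("!HH", pkt[:4])
        return txid, bool(flags & 0x8000)

    def process(self, src, dst, pkt: bytes) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        txid, is_response = self.parse_header(pkt)
        if not is_response:
            # Query: open (or refresh) the flow entry and forward it.
            self.connections.add((src, dst, txid))
            self.forwarded += 1
            return True
        key = (dst, src, txid)             # responses flow resolver -> client
        if key not in self.connections:
            self.dropped += 1              # unsolicited response: no flow, drop
            return False
        if self.enabled:
            self.connections.discard(key)  # DNS Guard: one answer, then close
        self.forwarded += 1
        return True


if __name__ == "__main__":
    query = build_dns(0x1A2B, response=False)
    reply = build_dns(0x1A2B, response=True)
    for enabled in (True, False):
        guard = DnsGuard(enabled)
        results = [guard.process(CLIENT, RESOLVER, query),
                   guard.process(RESOLVER, CLIENT, reply),
                   guard.process(RESOLVER, CLIENT, reply)]   # second response
        print(f"dns guard enabled={enabled}: forwarded={results} dropped={guard.dropped}")
```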
WAAS and ASA
Interoperability
The inspect waas command is added to enable WAAS inspection in the policy-map
class configuration mode. This command is integrated into the Modular Policy
Framework for maximum flexibility in configuring the feature. The [no] inspect waas
command can be configured under a default inspection class and under a custom
class-map. This inspection service is not enabled by default.
The keyword option waas is added to the show service-policy inspect command
to display WAAS statistics.
show service-policy inspect waas
A new system log message is generated when WAAS optimization is detected on
a connection. All L7 inspection services including IPS are bypassed on WAAS
optimized connections.
System Log Number and Format:
%ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to
out_interface:dest_ip_addr/dest_port, inspection services bypassed on this
connection.
A new connection flag "W" is added in the WAAS connection. The show conn
detail command is updated to reflect the new flag.
In ASDM, see Configuration > Firewall > Service Policy Rules > Add/Edit
Service Policy Rule > Rule Actions > Protocol Inspection.
Also available in Version 8.0(3).
DHCP Features
DHCP client ID
enhancement
If you enable the DHCP client for an interface using the ip address dhcp
command, some ISPs expect option 61 to be the interface MAC address. If the
MAC address is not included in the DHCP request packet, then an IP address will
not be assigned. Use this new command to include the interface MAC address
for option 61. If you do not configure this command, the client ID is as follows:
cisco-<MAC>-<interface>-<hostname>.
We introduced the following command: dhcp-client client-id interface
interface_name
We modified the following screen: Configuration > Device Management >
DHCP > DHCP Server; then click Advanced.
Also available in Version 8.0(3).
Module Features
Added Dataplane
Keepalive Mechanism
You can now configure the ASA so that a failover will not occur if the AIP SSM
is upgraded. In previous releases when two ASAs with AIP SSMs are configured
in failover and the AIP SSM software is updated, the ASA triggers a failover,
because the AIP SSM needs to reboot or restart for the software update to take
effect.
Also available in Version 7.0(7) and 8.0(3).
ASDM Features
ASDM banner
enhancement
The adaptive security appliance software supports an ASDM banner. If configured,
when you start ASDM, this banner text will appear in a dialog box with the option
to continue or disconnect. The Continue option dismisses the banner and completes
login as usual, whereas the Disconnect option dismisses the banner and terminates
the connection. This enhancement lets you require users to accept the terms of a
written policy before connecting.
Following is the new CLI associated with this enhancement:
banner {exec | login | motd | asdm} text
show banner [exec | login | motd | asdm]
clear banner
In ASDM, see Configuration > Properties > Device Administration > Banner.
Also available in Version 8.0(3).
Cisco Content Security
and Control (CSC)
Damage Cleanup
Services (DCS) feature
events and statistics
With the Cisco Content Security and Control (CSC) 6.2 software, ASDM provides
events and statistics for the new Damage Cleanup Services (DCS) feature. DCS
removes malware from clients and servers and repairs system registries and
memory.
Client Software Location
Added support in Client Software Location list to allow client updates from Linux
or Mac systems.
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access
> Advanced > IPSec > Upload Software > Client Software.
Also available in Version 8.0(3).
New Features in ASA 7.2(2)/ASDM 5.2(2)
Released: November 22, 2006
Feature
Description
Module Features
Password reset on SSMs
You can reset the password on the AIP-SSM and CSC-SSM of user 'cisco' back
to the default value 'cisco'.
We added the following command: hw-module module password-reset.
AAA Features
HTTP(S) authentication
challenge flexible
configuration
The new aaa authentication listener command enables the ASA to authenticate
web pages and select the form-based redirection approach that is currently used
in Version 7.2(1).
7.2(2) reintroduces the choice to use basic HTTP authentication that was available
before 7.2(1). Basic HTTP and HTTPS authentication generates custom login
windows. You can use basic HTTP authentication if:
• You do not want the adaptive security appliance to open listening ports
• You use NAT on a router and you do not want to create a translation rule
for the web page served by the adaptive security appliance
• Basic HTTP authentication might work better with your network. For
example non-browser applications, like when a URL is embedded in email,
might be more compatible with basic authentication.
Note
By default the aaa authentication listener command is not
present in the configuration, making Version 7.1 aaa behavior the
default for 7.2(2). However, when a Version 7.2(1) configuration
is upgraded to Version 7.2(2), the appropriate aaa authentication
listener commands are added to the configuration so that the aaa
behavior will not be changed by the upgrade.
To support basic HTTP, the virtual http command was restored. This is needed
with basic authentication when you have cascading authentication requests.
In Version 7.2(1), basic authentication was replaced by a form based authentication
approach where HTTP and HTTPS connections are redirected to authentication
pages that are served from the ASA. After successful authentication, the browser
is again redirected to the originally-intended URL. This was done to provide:
• More graceful support for authentication challenge processing
• An identical authentication experience for HTTP and HTTPS users
• A persistent logon/logoff URL for network users
This approach does require listening ports to be opened on the ASA on each
interface on which aaa authentication was enabled.
Interface Features
Maximum number of
VLANs increased
The maximum number of VLANs for the Security Plus license on the ASA 5505
adaptive security appliance was increased from 5 (3 fully functional; 1 failover;
one restricted to a backup interface) to 20 fully functional interfaces. In addition,
the number of trunk ports was increased from 1 to 8. Now that there are 20 fully
functional interfaces, you do not need to use the backup interface command to
cripple a backup ISP interface; you can use a fully functional interface for it. The
backup interface command is still useful for an Easy VPN configuration.
VLAN limits were also increased for the ASA 5510 adaptive security appliance
(from 10 to 50 for the Base license, and from 25 to 100 for the Security Plus
license), the ASA 5520 adaptive security appliance (from 100 to 150), and the ASA
5550 adaptive security appliance (from 200 to 250).
Increased physical
interfaces on the ASA
5510 base license
On the ASA Model 5510, the maximum number of physical interfaces available
has been changed from 3+1 to unlimited (5).
Certification Features
FIPS 140-2
7.2(2) has been submitted for FIPS 140 Level 2 validation.
ASDM Features
Multicast support
Support for the following multicast commands has been added:
• mfib forwarding
• multicast boundary
• pim bidir-neighbor-filter
• pim neighbor-filter
• pim old-register-checksum
Local demo mode
ASDM works when it is connected to a device in a local demo mode.
New Features in ASA 7.2(1)/ASDM 5.2(1)
Released: May 31, 2006
Feature
Description
Platform Features
ASA 5505 support
The ASA 5505 was introduced in this release. The ASA 5505 is a new model for
small office/home office and enterprise teleworker environments. It includes a
built-in 8-port Fast Ethernet switch and supports Easy VPN, Dual ISP, and many
more features.
The ASA 5505 has Power over Ethernet (PoE) switch ports that can be used for
PoE devices, such as IP phones. However, these ports are not restricted to that
use. They can also be used as Ethernet switch ports. If a PoE device is not attached,
power is not supplied to the port.
ASA 5550 support
The ASA 5550 delivers gigabit-class security services and enables Active/Active
high availability for large enterprise and service-provider networks in a reliable,
1RU form-factor. Providing gigabit connectivity in the form of both Ethernet- and
Fiber-based interfaces with high-density VLAN integration, the ASA 5550
enables businesses to segment their networks into numerous high-performance
zones for improved security.
Easy VPN Features (ASA 5505 Only)
Client Mode (also called
Port Address
Translation) and
Network Extension
Mode
• Client Mode—Hides the IP addresses of devices on the ASA 5505 private
network, so that all traffic from the ASA 5505 private network arrives on
the private network of the central-site ASA with a single-source, assigned
IP address. You cannot ping or access a device on the ASA 5505 private
network from the central site, but you can access the assigned IP address.
• Network Extension Mode—Permits devices behind the ASA to have direct
access to devices on the ASA 5505 private network only through the tunnel.
You can ping or access a device on the ASA 5505 network from the central
site.
The ASA 5505 does not have a default mode; you must specify the one that you
want to use.
Automatic Tunnel
Initiation
Supports NEM, but not Client Mode. It uses a group name, username, and
password stored in the configuration to initiate the tunnel.
IKE and IPsec Support
The ASA 5505 supports preshared keys and certificates (RSA-SIG). The ASA
uses IKE Aggressive Mode for preshared keys and IKE Main Mode for RSA-SIG
based key exchange. Cisco ASA 5505 can initiate IPsec, IPsec over NAT-T, and
IPsec over cTCP sessions.
Secure Unit
Authentication (SUA)
Supports the ASA 5505 authentication with dynamically generated authentication
credentials or with static credentials to be entered at tunnel initiation. With SUA
enabled, the user must manually trigger the IKE tunnel using a browser or an
interactive CLI.
Individual User
Authentication (IUA)
Enables static and one-time password authentication of individual clients on the
inside network. IUA and SUA are independent of each other; they work either in
combination or in isolation from each other.
Token-Based
Authentication
Supports Security Dynamics (SDI) SecurID one-time passwords.
Authentication by HTTP
Redirection
Redirects unauthenticated HTTP traffic to a login page if SUA or a username and
password are not configured or if IUA is disabled.
Load Balancing
An ASA 5505 configured with dual ISP backup supports cluster-based VPN load
balancing over the two Ethernet ports available in the Internet zone. The
load-balancing scheme involves a “virtual director” IP address that is the destination
of incoming client connections. The servers that share a virtual director IP address
form a cluster, where one cluster member acts as the cluster master. The master
receives a request sent to the virtual director and redirects the client, using a
proprietary IKE notify message, to the optimal server in the cluster. The current
ISAKMP session terminates, and a new session is attempted to the optimal server.
If the connection to the optimal server fails, the client reconnects to the primary
server (at the virtual director IP address of the cluster) and repeats the
load-balancing procedure. If the connection to the primary server fails, the client
rolls over to the next configured backup server, which may be the master of another
cluster.
Failover (using Backup
Server List)
You can configure a list of 10 backup servers in addition to the primary server.
The ASA 5505 attempts to establish a tunnel with the primary server. If that
attempt fails, the ASA 5505 attempts to establish a tunnel with other specified
servers in the backup server list in sequence.
Device Pass-Through
Encompasses both IP Phone Pass Through and LEAP Pass Through features.
Certain devices, such as printers and Cisco IP phones, are incapable of performing
authentication, so they cannot participate in IUA. With device pass-through
enabled, the ASA 5505 exempts these devices from authentication if IUA is
enabled.
The Easy VPN Remote feature identifies the devices to exempt, based on a
configured list of MAC addresses. A related issue exists with wireless devices
such as wireless access points and wireless nodes. These devices require
LEAP/PEAP authentication to let wireless nodes participate in the network. It is
only after the LEAP/PEAP authentication stage that the wireless nodes can perform
IUA. The ASA 5505 also bypasses LEAP/PEAP packets when you enable Device
Pass Through, so that the wireless nodes can participate in IUA.
IKE Mode Configuration
You can set the attribute values that the ASA 5505 requests after IKE Phase I and
XAUTH. The device at the central site downloads the VPN policy and the ASA
5505 dynamically configures the features based on the security values. Except
for SUA, the Clear Save password, and the backup concentrator list, the dynamic
feature configuration lasts only while the tunnel is up.
Remote Management
Supports management of the ASA 5505 over the tunnel to the outside interface
with NEM configured, and in the clear to the outside interface.
DNS Resolution of Easy
VPN Peer Names
The ASA 5505 resolves the Easy VPN peer names with the DNS server. You can
specify the DNS name of the server/client in the CLI.
Split tunneling
Allows the client to decide which traffic to send over the tunnel, based on a
configured list of networks accessible by tunneling to the central site. Traffic
destined to a network other than those listed in the split tunnel network list is sent
out in the clear. A zero-length list indicates no split tunneling, and all traffic travels
over the tunnel.
Push Banner
Allows you to configure a 491-byte banner message to display in HTTP form to
individual users who try to authenticate using IUA.
Application Inspection Features
Enhanced ESMTP
Inspection
This feature allows you to detect attacks, including spam, phishing, malformed
message attacks, and buffer overflow and underflow attacks. It also provides
support for application security and protocol conformance, which enforce the
sanity of the ESMTP messages, detect several attacks, block senders
and receivers, and block mail relay.
DCERPC Inspection
This feature allows you to change the default configuration values used for
DCERPC application inspection using a DCERPC inspect map.
DCERPC is a protocol used by Microsoft distributed client and server applications
that allows software clients to execute programs on a server remotely.
Typically, a client queries a server called the Endpoint Mapper (EPM) that listens
on a well-known port number for the dynamically allocated network information
of a required service. The client then sets up a secondary connection to the server
instance that provides the service. The security appliance allows the appropriate
port number and network address and also applies NAT or PAT, if needed, for
the secondary connection.
Enhanced NetBIOS
Inspection
This feature allows you to change the default configuration values used for
NetBIOS application inspection.
NetBIOS application inspection performs NAT for the embedded IP address in
the NetBIOS name service packets and NetBIOS datagram services packets. It
also enforces protocol conformance by checking the various count and length
fields for consistency.
Enhanced H.323
Inspection
This feature allows you to change the default configuration values used for H.323
application inspection.
H.323 inspection supports RAS, H.225, and H.245, and its functionality translates
all embedded IP addresses and ports. It performs state tracking and filtering and
can do a cascade of inspect function activation. H.323 inspection supports phone
number filtering, dynamic T.120 control, H.245 tunneling control, protocol state
tracking, H.323 call duration enforcement, and audio and video control.
Enhanced DNS
Inspection
This feature allows you to specify actions when a message violates a parameter
that uses a DNS inspection policy map. DNS application inspection supports DNS
message controls that provide protection against DNS spoofing and cache
poisoning. User configurable rules allow filtering based on the DNS header,
domain name, and resource record TYPE and CLASS.
Enhanced FTP
Inspection
This feature allows you to change the default configuration values used for FTP
application inspection.
FTP command filtering and security checks are provided using strict FTP
inspection for improved security and control. Protocol conformance includes
packet length checks, delimiters and packet format checks, command terminator
checks, and command validation.
Blocking FTP based on user values is also supported so that it is possible for FTP
sites to post files for download but restrict access to certain users. You can block
FTP connections based on file type, server name, and other attributes. System
message logs are generated if an FTP connection is denied after inspection.
Enhanced HTTP
Inspection
This feature allows you to change the default configuration values used for HTTP
application inspection.
HTTP application inspection scans HTTP headers and body and performs various
checks on the data. These checks prevent various HTTP constructs, content types,
and tunneling and messaging protocols from traversing the security appliance.
HTTP application inspection can block tunneled applications and non-ASCII
characters in HTTP requests and responses, preventing malicious content from
reaching the web server. Size limiting of various elements in HTTP request and
response headers, URL blocking, and HTTP server header type spoofing are also
supported.
Enhanced Skinny
(SCCP) Inspection
This feature allows you to change the default configuration values used for SCCP
(Skinny) application inspection.
Skinny application inspection performs translation of embedded IP address and
port numbers within the packet data and dynamic opening of pinholes. It also
performs additional protocol conformance checks and basic state tracking.
Enhanced SIP Inspection
This feature allows you to change the default configuration values used for SIP
application inspection.
SIP is a widely used protocol for Internet conferencing, telephony, events
notification, and instant messaging. Partially because of its text-based nature and
partially because of its flexibility, SIP networks are subject to a large number of
security threats.
SIP application inspection provides address translation in the message header and
body, dynamic opening of ports, and basic sanity checks. It also supports
application security and protocol conformance, which enforces the sanity of the
SIP messages, as well as detects SIP-based attacks.
Instant Messaging (IM)
Inspection
This feature allows you to change the default configuration values used for Instant
Messaging (IM) application inspection.
Instant Messaging (IM) application inspection provides detailed access control
to control network usage. It also helps stop leakage of confidential data and
propagation of network threats. A regular expression database search that
represents various patterns for Instant Messaging (IM) protocols to be filtered is
applied. A syslog is generated if the flow is not recognized.
The scope can be limited by using an access list to specify any traffic streams to
be inspected. For UDP messages, a corresponding UDP port number is also
configurable. Inspection of Yahoo! Messenger and MSN Messenger instant
messages is supported.
MPF-Based Regular
Expression Classification
Map
This feature allows you to define regular expressions in Modular Policy Framework
class maps and match a group of regular expressions that has the match-any
attribute. You can use a regular expression class map to match the content of
certain traffic; for example, you can match URL strings inside HTTP packets.
Radius Accounting
Inspection
This feature allows you to protect against an over-billing attack in the Mobile
Billing Infrastructure. The policy-map type inspect radius-accounting command
was introduced in this version.
GKRCS Support for
H.323
Two control signaling methods are described in the ITU-T H.323 recommendation:
Gatekeeper Routed Control Signaling (GKRCS) and Direct Call Signalling (DCS).
DCS is supported by the Cisco IOS gatekeeper. This feature adds Gatekeeper
Routed Control Signaling (GKRCS) control signaling method support.
Skinny Video Support
This feature adds SCCP version 4.1.2 message support to print the message name
processed by the inspect feature when debug skinny is enabled. CCM 4.0.1
messages are supported.
SIP IP Address Privacy
This feature allows you to retain the outside IP addresses embedded in inbound
SIP packets for all transactions, in order to hide the real IP address of the phone.
The REGISTER message and the response to the REGISTER message are exempt
from this operation because they are exchanged between the phone and the proxy.
When this feature is enabled, the outside IP addresses in the SIP header and SDP
data of inbound SIP packets are retained. Use the ip-address-privacy command
to turn on this feature.
RTP/RTCP Inspection
This feature NATs embedded IP addresses and opens pinholes for RTP and RTCP
traffic. It ensures that only RTP packets flow on the pinholes opened
by SIP, Skinny, and H.323 inspection. To prevent a malicious application from
sending UDP traffic to make use of the pinholes created on the ASA, this feature
allows you to monitor RTP and RTCP traffic and to enforce the validity of RTP
and RTCP packets.
Remote Access and Site-to-Site VPN Features
Network Admission
Control
Network Admission Control (NAC) allows you to validate a peer based on its
state. This method is referred to as posture validation (PV). PV can include
verifying that the peer is running applications with the latest patches, and ensuring
that the antivirus files, personal firewall rules, or intrusion protection software
that runs on the remote host are up to date.
An Access Control Server (ACS) must be configured for Network Admission
Control before you configure NAC on the ASA.
As a NAC authenticator, the ASA does the following:
• Initiates the initial exchange of credentials based on IPsec session
establishment and periodic exchanges thereafter.
• Relays credential requests and responses between the peer and the ACS.
• Enforces the network access policy for an IPsec session based on results
from the ACS server.
• Supports a local exception list based on the peer operating system, and
optionally, an ACL.
• (Optional) Requests access policies from the ACS server for a clientless
host.
As an ACS client, the ASA supports the following:
• EAP/RADIUS
• RADIUS attributes required for NAC
NAC on the ASA differs from NAC on Cisco IOS Layer 3 devices (such as routers)
where routers trigger PV based on routed traffic. The ASA enabled with NAC
uses an IPsec VPN session as the trigger for PV. Cisco IOS routers configured
with NAC use an Intercept ACL to trigger PV based on traffic destined for certain
networks. Because external devices cannot access the network behind the ASA
without starting a VPN session, the ASA does not need an intercept ACL as a PV
trigger. During PV, all IPsec traffic from the peer is subject to the default ACL
configured for the peer’s group.
Unlike the Cisco VPN 3000 Concentrator Series, NAC on the ASA supports
stateless failover, initialization of all NAC sessions in a tunnel group, revalidation
of all NAC sessions in a tunnel group, and posture validation exemption lists
configured for each tunnel group. NAC on the ASA does not support non-VPN
traffic, IPv6, security contexts, and WebVPN.
By default, NAC is disabled. You can enable it on a group policy basis.
L2TP Over IPsec
Layer 2 Tunneling Protocol (L2TP) is a VPN tunneling protocol that allows remote
clients to use the public IP network to communicate securely with private corporate
network servers. L2TP uses PPP over UDP (port 1701) to tunnel the data. L2TP
is based on the client/server model. The function is divided between the L2TP
Network Server (LNS), and the L2TP Access Concentrator (LAC). The LNS
typically runs on a network gateway such as a router, while the LAC can be a
dial-up Network Access Server (NAS), or a PC with a bundled L2TP client such
as Microsoft Windows 2000.
L2TP/IPsec provides the capability to deploy and administer an L2TP VPN
solution alongside the IPsec VPN and firewall services in a single platform.
The primary benefit of configuring L2TP with IPsec in a remote access scenario
is that remote users can access a VPN over a public IP network without a gateway
or a dedicated line, enabling remote access from virtually anyplace with POTS.
An additional benefit is that the only client requirement for VPN access is the use
of Windows 2000 with Microsoft Dial-Up Networking (DUN). No additional
client software, such as Cisco VPN client software, is required.
OCSP Support
The Online Certificate Status Protocol (OCSP) provides an alternative to CRL
for obtaining the revocation status of X.509 digital certificates. Rather than
requiring a client to download a complete and often large certificate revocation
list, OCSP localizes the certificate status on a Validation Authority, which it
queries for the status of a specific certificate.
Multiple L2TP Over IPsec Clients Behind NAT
The security appliance can successfully establish remote-access L2TP-over-IPsec
connections to more than one client behind one or more NAT devices. This
enhances the reliability of L2TP over IPsec connections in typical SOHO and branch
office environments, where multiple L2TP over IPsec clients must
communicate securely with a central office.
Nokia Mobile Authentication Support
You can establish a VPN using a handheld Nokia 92xx Communicator series
cellular device for remote access. The authentication protocol that these devices
use is the IKE Challenge/Response for Authenticated Cryptographic Keys
(CRACK) protocol.
Zonelabs Integrity Server
You can configure the ASA in a network that deploys the Zone Labs Integrity
System to enforce security policies on remote VPN clients. In this case, the ASA
is an edge gateway between the Zone Labs Integrity server and the remote clients.
The Zone Labs Integrity server and the Zone Labs Personal Firewall on the remote
client ensure that a remote client complies with a centrally managed security
policy before the client can access private network resources. You configure the
ASA to pass security policy information between the server and clients to maintain
or close client connections to prevent a server connection failure, and to optionally,
require SSL certificate authentication of both the Integrity server and the ASA.
Hybrid XAUTH
You can configure hybrid authentication to enhance the IKE security between the
ASA and remote users. With this feature, IKE Phase I requires two steps. The
ASA first authenticates to the remote VPN user with standard public key techniques
and establishes an IKE security association that is unidirectionally authenticated.
An XAUTH exchange then authenticates the remote VPN user. This extended
authentication can use any one of the supported authentication methods. Hybrid
XAUTH allows you to use digital certificates for ASA authentication and a
different method for remote VPN user authentication, such as RADIUS, TACACS+
or SecurID.
IPsec Fragmentation and Reassembly Statistics
You can monitor additional IPsec fragmentation and reassembly statistics that
help to debug IPsec-related fragmentation and reassembly issues. The new statistics
provide information about fragmentation and reassembly both before and after
IPsec processing.
Inspection, IPS, CSC, and URL Filtering for WebVPN
This feature adds support for inspection, IPS, and Trend Micro (CSC) scanning of WebVPN
traffic in clientless mode and port forwarding mode. Support for SVC mode is
preexisting. In all of the modes, the Trend Micro and the IPS engines are
triggered (if configured).
URL/FTP/HTTPS/Java/ActiveX filtering using Websense and N2H2 has
also been added. DNS inspection is triggered for DNS requests.
In port forwarding mode, HTTP, SMTP, FTP, and DNS inspection, along with URL
filtering using Websense and N2H2, has been added.
Routing Features
Active RIP Support
The ASA supports RIP Version 1 and RIP Version 2. You can only enable one
RIP routing process on the ASA. When you enable the RIP routing process, RIP
is enabled on all interfaces. By default, the security appliance sends RIP Version
1 updates and accepts RIP Version 1 and Version 2 updates.
To specify the version of RIP accepted on an interface, use the rip receive version
command in interface configuration mode.
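As an added example (not from the release notes), the following configuration enables the single RIP process, changes the default so that unauthenticated version 1 updates are neither sent nor accepted, and requires MD5-keyed version 2 updates on the inside segment. The interface names, the 10.0.0.0 network and the key string are assumptions.

```text
! Added example, not from the release notes. Interface names, the
! 10.0.0.0 network and the key string are assumptions.
!
! Only one RIP process can exist on the ASA. "version 2" replaces the
! default behavior (send v1, accept v1 and v2); v1 updates carry no
! authentication and should not be accepted on a firewall.
router rip
 version 2
 network 10.0.0.0
 passive-interface outside
exit
!
! Per-interface controls: insist on version 2 and MD5-keyed updates so
! that a host on the segment cannot inject routes with a plain-text or
! unauthenticated update. The key_id must match on every RIP speaker
! on this segment.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 rip send version 2
 rip receive version 2
 rip authentication mode md5
 rip authentication key Ex4mple-R1p-K3y key_id 1
```

show rip database lists what was learned and show route shows which of it was installed; debug rip reports updates rejected because of a version or key mismatch. The passive-interface line only suppresses advertisements out of the ISP-facing interface; the outside address is also kept out of the network statement so no RIP runs there at all.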
Standby ISP Support
This feature allows you to configure a link standby ISP if the link to your primary
ISP fails. It uses static routing and object tracking to determine the availability
of the primary route and to activate the secondary route when the primary route
fails.
PPPoE Client
Point-to-Point Protocol over Ethernet (PPPoE) combines two widely accepted
standards, Ethernet and PPP, to provide an authenticated method of assigning IP
addresses to client systems. PPPoE clients are typically personal computers
connected to an ISP over a remote broadband connection, such as DSL or cable
service. ISPs deploy PPPoE because it supports high-speed broadband access
using their existing remote access infrastructure and because it is easier for
customers to use.
Dynamic DNS Support
You can create dynamic DNS (DDNS) update methods and configure them to
update the Resource Records (RRs) on the DNS server at whatever frequency
you need.
DDNS complements DHCP, which enables users to dynamically and transparently
assign reusable IP addresses to clients. DDNS then provides dynamic updating
and synchronizing of the name to the address and the address to the name mappings
on the DNS server. With this version, the ASA supports the IETF standard for
DNS record updates.
Static Route Tracking
The static route tracking feature provides a method for tracking the availability
of a static route and installing a backup route if the primary route should fail.
We introduced the following commands: clear configure sla, frequency,
num-packets, request-data-size, show sla monitor, show running-config sla,
sla monitor, sla monitor schedule, threshold, timeout, tos, track rtr
We introduced or modified the following screens:
Configuration > Device Setup > Routing > Static Routes > Add Static Route
Configuration > Device Setup > Routing > Static Routes > Add Static Route
> Route Monitoring Options
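The Standby ISP Support and Static Route Tracking entries above describe one mechanism. The following configuration is an added example, not from the release notes: an ICMP echo SLA probes the primary ISP's next hop, a track object follows the probe, and the primary default route is installed only while the track is up, leaving a higher-metric default route through a second interface to take over. The interface names (outside, backup) and the RFC 5737 addresses are assumptions; the SLA and track identifiers are arbitrary.

```text
! Added example (not from the release notes). Assumes interfaces named
! "outside" (primary ISP, next hop 203.0.113.1) and "backup"
! (secondary ISP, next hop 198.51.100.1); addresses are RFC 5737 space.
!
! 1. Define the probe: three ICMP echoes every 10 seconds to the primary
!    next hop, sourced from "outside". timeout (ms) must be less than
!    frequency (s) x 1000, and threshold must not exceed timeout.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
 timeout 1000
 threshold 500
exit
! 2. Start the probe now and keep it running indefinitely.
sla monitor schedule 1 life forever start-time now
! 3. Bind a tracked object to the probe's reachability state.
track 1 rtr 1 reachability
! 4. The primary default route exists only while track 1 is up; the
!    backup route has a worse administrative distance and is used only
!    when the primary is withdrawn.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
```

show sla monitor operational-state 1 and show track 1 show the probe results and the state the route follows, and show route confirms which default route is installed. Probing the ISP's first hop detects only a dead link or gateway; probing an address further upstream detects more failures, but choose a target you control or that is known to answer ICMP reliably, because a target that rate-limits or drops echoes makes the default route flap.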
Multicast Routing Enhancements
Multicast routing enhancements allows you to define multicast boundaries so that
domains with RPs that have the same IP address do not leak into each other, to
filter PIM neighbors to better control the PIM process, and to filter PIM bidir
neighbors to support mixed bidirectional and sparse-mode networks.
Expanded DNS Domain Name Usage
You can use DNS domain names, such as www.example.com, when configuring
AAA servers and also with the ping, traceroute, and copy commands.
Intra-Interface Communication for Clear Traffic
You can now allow any traffic to enter and exit the same interface, and not just
VPN traffic.
IPv6 Security Enforcement of IPv6 Addresses
This feature allows you to configure the security appliance to require that IPv6
addresses for directly connected hosts use the Modified EUI-64 format for the
interface identifier portion of the address.
Multiple Context Mode Features
Private and Automatic MAC Address Assignments and Generation for Multiple Context Mode
You can assign a private MAC address (both active and standby for failover) for
each interface. For multiple context mode, you can automatically generate unique
MAC addresses for shared context interfaces, which makes classifying packets
into contexts more reliable.
The new mac-address auto command allows you to automatically assign private
MAC addresses to each shared context interface.
Resource Management for Security Contexts
If you find that one or more contexts use too many resources, and they cause other
contexts to be denied connections, for example, then you can configure resource
management to limit the use of resources per context.
Save All Context Configurations from the System
You can now save all context configurations at once from the system execution
space using the write memory all command.
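To show how the three multiple context mode features above fit together, here is an added example (not from the release notes), entered in the system execution space of a unit already in multiple context mode: automatic MAC address generation for the shared interface, a resource class applied to two tenant contexts, and a single save of every configuration. The context names, interfaces, config URLs and percentages are assumptions.

```text
! Added example (not from the release notes), entered in the system
! execution space. Context names, interfaces, config-url paths and
! resource limits are assumptions.
!
! Give every shared interface a distinct MAC address per context so the
! classifier can assign packets by destination MAC instead of relying on
! destination IP address (NAT or global address) lookups.
mac-address auto
!
! Resource class: no member context may hold more than 10% of the unit's
! connections or 5% of its translations, or emit more than 500 syslog
! messages per second. Without a class, a context may consume everything.
class tenants
 limit-resource conns 10%
 limit-resource xlates 5%
 limit-resource rate syslogs 500
exit
!
! GigabitEthernet0/0 is shared by both contexts; each context also gets
! its own VLAN subinterface.
context tenant-a
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1.101
 config-url disk0:/tenant-a.cfg
 member tenants
exit
context tenant-b
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1.102
 config-url disk0:/tenant-b.cfg
 member tenants
exit
!
! Save the system configuration and every context configuration at once.
write memory all
```

show resource usage reports each context's current consumption against its class limits, and show interface in the system space shows the generated MAC addresses. Note that mac-address auto requires the standby unit in a failover pair to generate the same addresses, so configure it before adding contexts rather than after.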
High Availability Features
Sub-second Failover
This feature allows you to configure failover to detect and respond to failures in
under a second.
Configurable Prompt
With this feature, the user can see the failover status of the security appliance
without having to enter the show failover command and parse the output. This
feature allows users to see the chassis slot number of the failover unit. Previously,
the prompt reflected just the hostname, security context, and configuration mode.
The prompt command provides support for this feature.
Firewall Features
Generic Input Rate Limiting
This feature helps prevent denial of service (DoS) attacks on an ASA or on certain
inspection engines on the firewall. Release 7.0 supported egress rate limiting
(policing) only; this release extends the existing egress policing functionality
with input rate limiting.
The police command is extended for this functionality.
Authentication for Through Traffic and Management Access Supports All Servers
Previously Supported for VPN Clients
All server types can be used for firewall authentication, with the following
exceptions: the HTTP Form protocol supports single sign-on authentication for
WebVPN users only, and SDI is not supported for HTTP administrative access.
Dead Connection Detection (DCD)
This feature allows the adaptive security appliance to automatically detect and
expire dead connections. In previous versions, dead connections never timed out;
they were given an infinite timeout. Manual intervention was required to ensure
that the number of dead connections did not overwhelm the security appliance.
With this feature, dead connections are detected and expired automatically, without
interfering with connections that can still handle traffic. The set connection timeout
and show service-policy commands provide DCD support.
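Both the input policing feature and DCD described above are actions applied in a Modular Policy Framework policy map. The following is an added example (not part of the release notes) that combines them for traffic to a DMZ web server; the interface name, the server address and the rates are assumptions.

```text
! Added example (not from the release notes). The "dmz" interface name,
! the 203.0.113.10 server address and the rates are assumptions.
!
! Classify inbound HTTP to the DMZ web server.
access-list DMZ_WEB extended permit tcp any host 203.0.113.10 eq www
class-map DMZ_WEB_CLASS
 match access-list DMZ_WEB
exit
!
policy-map DMZ_POLICY
 class DMZ_WEB_CLASS
  ! Input policing (new in this release): cap traffic entering the
  ! interface toward the server at 2 Mbps with a 37,500-byte burst;
  ! conforming packets are forwarded, excess is dropped.
  police input 2000000 37500 conform-action transmit exceed-action drop
  ! Dead connection detection: once a connection has been idle for the
  ! TCP timeout (1 hour here), probe both endpoints every 15 minutes,
  ! up to 5 times. If either side stops answering, the connection is
  ! expired; if both answer, the idle timer is reset and the connection
  ! is kept without a fixed infinite timeout.
  set connection timeout tcp 1:00:00
  set connection timeout dcd 0:15:00 5
exit
!
! Apply on the DMZ interface only; a global policy would police all
! traffic matching the class on every interface.
service-policy DMZ_POLICY interface dmz
```

show service-policy interface dmz reports conformed and exceeded packet counts for the policer and the DCD probe statistics, which is how you confirm the policy is matching the intended flows before tightening the rate.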
WCCP
The Web Cache Communication Protocol (WCCP) feature allows you to specify
WCCP service groups and redirect web cache traffic. The feature transparently
redirects selected types of traffic to a group of web cache engines to optimize
resource usage and lower response times.
Filtering Features
URL Filtering Enhancements for Secure Computing (N2H2)
This feature allows you to enable long URL, HTTPS, and FTP filtering by using
both Websense (the current vendor) and N2H2 (a vendor that has been purchased
by Secure Computing). Previously, the code only enabled the vendor Websense
to provide this type of filtering. The url-block, url-server, and filter commands
provide support for this feature.
Management and Troubleshooting Features
Auto Update
The security appliance can now be configured as an Auto Update server in addition
to being configured as an Auto Update client. The existing client-update command
(which is also used to update VPN clients) is enhanced to support the new Auto
Update server functionality, and includes new keywords and arguments that the
security appliance needs to update security appliances configured as clients. For
the security appliance configured as an Auto Update client, the auto-update
command continues to be the command used to configure the parameters that the
security appliance needs to communicate with the Auto Update server.
Modular Policy Framework Support for Management Traffic
You can now define a Layer 3/4 class map for traffic destined to the security appliance,
so you can perform special actions on management traffic. For this version, you
can inspect RADIUS accounting traffic.
Traceroute
The traceroute command allows you to trace the route of a packet to its
destination.
Packet Tracer
The packet tracer tool allows you to trace the life span of a packet through the
ASA to see if it is behaving as expected.
The packet-tracer command provides detailed information about the packets and
how they are processed by the security appliance. If a command from the
configuration did not cause the packet to drop, the packet-tracer command will
provide information about the cause.
The new patent-pending Packet Tracer tool in ASDM lets you easily trace the life
span of a packet through the ASA in an animated packet flow model to see if it
is behaving as expected and simplify troubleshooting no matter how complex the
network design. The tool provides the attributes of a packet such as source and
destination IP addresses with a visual representation of the different phases of the
packet and the relevant configuration, which is accessible with a single click. For
each phase, it displays whether the packet is dropped or allowed.
ASDM Features
Enhanced ASDM rules
table
The ASDM rule tables have been redesigned to streamline policy creation. In
addition to simplified rule creation that maps more closely to the CLI, the rule
tables support most configuration scenarios, including supernetting and using an
object group that is associated with more than one interface. The use of ASDM location
and ASDM group was removed to simplify the creation of rules. You now have
the ability to:
• Create objects, object groups, and rules from a single panel
• Filter on interfaces, source, destination, or services
• Run a policy query in the rule table for advanced filtering using multiple conditions
• Show logs for a particular access rule in the real-time log viewer
• Select a rule and run packet tracer with a single click, which populates the
appropriate packet attributes
• Easily move rules up and down in the table to change the order of
access list entries
• Expand and display elements in an object group
• See attributes of an object or members of a group via tooltips
High Availability and Scalability Wizard
The High Availability and Scalability Wizard simplifies configuration
of Active/Active failover, Active/Standby failover, and VPN load balancing. The wizard
also intelligently configures the peer device.
Syslog enhancements
Enhancements to the syslog features include:
• Syslog parsing to display source IP, destination IP, syslog ID, date and time
into different columns
• Integrated syslog references with explanations and recommended actions
for each syslog with a single click
• Syslog coloring based on severity level
• A brief explanation of the syslogs as a tool tip in the log viewer
NAT rules
The creation of NAT rules is simplified.
Object group support
There is now full ASDM support of network, service, protocol and ICMP-type
object groups.
Named IP addresses
The ability to create a name to be associated with an IP Address now exists.
ASDM Assistant
The new ASDM Assistant provides task-oriented guidance to configuring features
such as AAA server, logging filters, SSL VPN Client, and others features. You
can also upload new guides.
Context management
Context management is improved, including context caching and better scalability.
Inspection maps
Predefined low, medium and high security settings simplify creation and
management of inspection maps.
New Features in Version 7.1
New Features in ASA 7.1(2)/ASDM 5.1(2)
Released: March 15, 2006
There were no new features in ASA 7.1(2)/ASDM 5.1(2)
New Features in ASA 7.1(1)/ASDM 5.1(1)
Released: February 6, 2006
Feature
Description
Platform Features
Support for the Content Security and Control (CSC) SSM
The CSC SSM, an integral part of Cisco’s Anti-X solution, delivers
industry-leading threat protection and content control at the Internet edge providing
comprehensive antivirus, anti-spyware, file blocking, anti-spam, anti-phishing,
URL blocking and filtering, and content filtering services. The CSC SSM services
module helps businesses more effectively protect their networks, increase network
availability, and increase employee productivity through the following key
elements:
• Antivirus—Market leading antivirus, from Trend Micro, shields your internal
network resources from both known and unknown virus attacks, at the most
effective point in your infrastructure, the Internet gateway. By cleaning your
email and web traffic at the perimeter, it eliminates the need for resource
intensive malware infection clean-ups and ensures business continuity.
• Anti-Spyware—Blocks spyware from entering your network through web
traffic (HTTP & FTP) and email traffic. Frees-up IT support resources from
costly spyware removal procedures and improves employee productivity by
blocking spyware at the gateway.
• Anti-Spam—Effective blocking of spam with very low false positives helps
to restore the effectiveness of your email communications, so contact with
customers, vendors, and partners continues uninterrupted.
• Anti-Phishing—Identity theft protection guards against phishing attacks
thereby preventing employees inadvertently disclosing company or personal
details which could lead to financial loss.
• Automatic Updates from TrendLabs—The solution is backed and supported
by one of the largest teams of virus, spyware and spam experts in the industry
working 24x7 to ensure that your solution is providing the most up to date
protection – automatically.
• Central Administration—Easy, set-and-forget administration through a
remotely accessible web-console and automated updates reduces IT support
costs.
• Real-time protection for Web access, Mail (SMTP & POP3) and FTP (file
transfer)—Even if the company mail is already protected, many employees
will access their own private web-mail from their company PCs or laptops
introducing yet another entry point for internet-borne threats. Similarly,
employees may directly download programs or files that may be
contaminated. Real-time protection of all web traffic at the internet gateway
greatly reduces this often over-looked point of vulnerability.
• Full URL filtering capability with categories, scheduling and cache—URL
filtering can be used to control employee internet usage by blocking access
to inappropriate or non-work related websites improving employee
productivity and limiting the risk of legal action being taken by employees
exposed to offensive web content.
• Email Content Filtering—Email filtering minimizes legal liability for
offensive material transferred by email and enforces regulatory compliance,
helping organizations meet the requirements of legislation such as GLB and
the Data Protection Act.
General VPN Features
Cisco Secure Desktop
Cisco Secure Desktop (CSD) is an optional Windows software package you can
install on the ASA to validate the security of client computers requesting access
to your SSL VPN, ensure they remain secure while they are connected, and remove
all traces of the session after they disconnect.
After a remote PC running Microsoft Windows connects to the ASA, CSD installs
itself and uses the IP address and presence of specific files, registry keys, and
certificates to identify the type of location from which the PC is connecting.
Following user authentication, CSD uses optional criteria as conditions for granting
access rights. These criteria include the operating system, antivirus software,
antispyware, and personal firewall running on the PC.
To ensure security while a PC is connected to your network, the Secure Desktop,
a CSD application that runs on Microsoft Windows XP and Windows 2000 clients,
limits the operations available to the user during the session. For remote users
with administrator privileges, Secure Desktop uses the 168-bit Triple Data
Encryption Standard (3DES) to encrypt the data and files associated with or
downloaded during an SSL VPN session. For remote users with lesser privileges,
it uses the Rivest Cipher 4 (RC4) encryption algorithm. When the session closes,
Secure Desktop overwrites and removes all data from the remote PC using the
U.S. Department of Defense (DoD) security standard for securely deleting files.
This cleanup ensures that cookies, browser history, temporary files, and
downloaded content do not remain after a remote user logs out or an SSL VPN
session times out. CSD also uninstalls itself from the client PC.
Cache Cleaner, which wipes out the client cache when the session ends, supports
Windows XP, Windows 2000, Windows 9x, Linux, and Apple Macintosh OS X
clients.
Customized Access Control Based on CSD Host Checking
Adaptive security appliances with Cisco Secure Desktop installed can specify an
alternative group policy. The ASA uses this attribute to limit access rights to
remote CSD clients as follows:
• Always use it if you set the VPN feature policy to “Use Failure
Group-Policy.”
• Use it if you set the VPN feature policy to “Use Success Group-Policy, if
criteria match” and the criteria then fail to match.
This attribute specifies the name of the alternative group policy to apply. Choose
a group policy to differentiate access rights from those associated with the default
group policy. The default value is DfltGrpPolicy.
Note
The ASA does not use this attribute if you set the VPN feature policy to
“Always use Success Group-Policy.”
SSL VPN Client
SSL VPN client is a VPN tunneling technology that gives remote users the
connectivity benefits of an IPSec VPN client without the need for network
administrators to install and configure IPSec VPN clients on remote computers.
SVC uses the SSL encryption that is already present on the remote computer as
well as the WebVPN login and authentication of the ASA.
To establish an SVC session, the remote user enters the IP address of a WebVPN
interface of the ASA in the browser, and the browser connects to that interface
and displays the WebVPN login screen. If the user satisfies the login and
authentication, and the ASA identifies the user as requiring the SVC, the ASA
downloads the SVC to the remote computer. If the ASA identifies the user as
having the option to use the SVC, the ASA downloads the SVC to the remote
computer while presenting a link on the user screen to skip the SVC installation.
After downloading, the SVC installs and configures itself. When the connection
terminates, the SVC either remains on or uninstalls itself from the remote computer,
depending on the configuration.
WebVPN Functions and Performance Optimizations
This version enhances WebVPN performance and functions through the following
components:
• Flexible content transformation/rewriting that includes complex JavaScript,
VBScript, and Java
• Server-side and browser caching
• Compression
• Proxy bypass
• Application Profile Customization Framework support
• Application keep-alive and timeout handling
• Support for logical (VLAN) interfaces
Citrix Support for WebVPN
WebVPN users can now use a connection to the ASA to access Citrix MetaFrame
services. In this configuration, the ASA functions as the Citrix secure gateway.
Therefore you must configure your Citrix Web Interface software to operate in a
mode that does not use the Citrix secure gateway. Install an SSL certificate onto
the ASA interface to which remote users use a fully qualified domain name
(FQDN) to connect; this function does not work if you specify an IP address as
the common name (CN) for the SSL certificate. The remote user attempts to use
the FQDN to communicate with the ASA. The remote PC must be able to use
DNS or an entry in the System32\drivers\etc\hosts file to resolve the FQDN.
Finally, use the functions command to enable Citrix.
PDA Support for WebVPN
You can access WebVPN from your Pocket PC 2003 or Windows Mobile X. If
you are a PDA user, this makes accessing your private network more convenient.
This feature requires no configuration.
WebVPN Support of Character Encoding for CIFS Files
WebVPN now supports optional character encoding of portal pages to ensure
proper rendering of Common Internet File System files in the intended language.
The character encoding supports the character sets identified on the following
Web page, including Japanese Shift-JIS characters:
http://www.iana.org/assignments/character-sets
Use the character-encoding command to specify the character set to encode in
WebVPN portal pages to be delivered to remote users. By default, the encoding
type set on the remote browser determines the character set for WebVPN portal
pages.
The character-encoding attribute is a global setting that, by default, all WebVPN
portal pages inherit. However, you can use the file-encoding command to specify
the encoding for WebVPN portal pages from specific CIFS servers. Thus, you
can use different file-encoding values for CIFS servers that require different
character encodings.
The mapping of CIFS servers to their appropriate character encoding, globally
with the webvpn character-encoding attribute, and individually with file-encoding
overrides, provides for the accurate handling and display of CIFS pages when the
proper rendering of file names or directory paths, as well as pages, are an issue.
The character-encoding and file-encoding values do not override the font
family used by the browser. You need to complement the setting of
one of these values with the page style command in webvpn customization
command mode to replace the font family if you are using Japanese
Shift_JIS character encoding, or enter the no page style command in
webvpn customization command mode to remove the font family.
Compression for WebVPN and SSL VPN Client Connections
Compression can reduce the size of the transferring packets and increase the
communication performance, especially for connections with bandwidth
limitations, such as with dialup modems and handheld devices used for remote
access.
Tip
Compression is enabled by default, for both WebVPN and SVC connections. You
can configure compression using ASDM or CLI commands.
You can disable compression for all WebVPN or SVC connections with the
compression command from global configuration mode.
You can disable compression for a specific group or user for WebVPN connections
with the http-comp command, or for SVC connections with the svc compression
command, in the group policy or username webvpn modes.
Active/Standby Stateful Failover for WebVPN and SVC Connections
During a failover, WebVPN and SVC connections, as well as IPSec connections,
are reestablished with the secondary, standby security appliance for uninterrupted
service. Active/standby failover requires a one-to-one active/standby match for
each connection.
A security appliance configured for failover shares authentication information
about WebVPN users with the standby security appliance. Therefore, after a
failover, WebVPN users do not need to reauthenticate.
For SVC connections, after a failover, the SVC reconnects automatically with the
standby security appliance.
WebVPN Customization
You can customize the WebVPN page that users see when they connect to the
security appliance, and you can customize the WebVPN home page on a per-user,
per-group, or per-tunnel group basis. Users or groups see the custom WebVPN
home page after the security appliance authenticates them.
You can use Cascading Style Sheet (CSS) parameters. To easily customize, we
recommend that you use ASDM, which has convenient features for configuring
style elements, including color swatches and preview capabilities.
Auto Applet Download
To run a remote application over WebVPN, a user clicks Start Application Access
on the WebVPN homepage to download and start a port-forwarding Java applet.
To simplify application access and shorten start time, you can now configure
WebVPN to automatically download this port-forwarding applet when the user
first logs in to WebVPN.
Authentication and Authorization VPN Features
Override Account Disabled
You can configure the ASA to override an account-disabled indication from a
AAA server and allow the user to log on anyway.
We introduced the following command: override account disabled.
LDAP Support
You can configure the security appliance to authenticate and authorize IPSec VPN
users, SSL VPN clients, and WebVPN users to an LDAP directory server. During
authentication, the security appliance acts as a client proxy to the LDAP server
for the VPN user, and authenticates to the LDAP server in either plain text or
using the Simple Authentication and Security Layer (SASL) protocol. The security
appliance supports any LDAP V3 or V2 compliant directory server. It supports
password management features only on the Sun Microsystems Java System
Directory Server and the Microsoft Active Directory server.
Password Management
You can configure the ASA to warn end users when their passwords are about to
expire. When you configure this feature, the ASA notifies the remote user at login
that the current password is about to expire or has expired. The ASA then offers
the user the opportunity to change the password. If the current password has not
yet expired, the user can still log in using that password. This command is valid
for AAA servers that support such notification; that is, RADIUS, RADIUS with
an NT server, and LDAP servers. The ASA ignores this command if RADIUS or
LDAP authentication has not been configured.
Note that this command does not change the number of days before the password
expires, but rather specifies the number of days before expiration that the ASA
starts warning the user that the password is about to expire. The default value is
14 days.
For LDAP server authentication only, you can specify a specific number of days
before expiration to begin warning the user about the pending expiration.
We introduced the following command: password management.
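As an added example for the LDAP Support and Password Management entries above (not from the release notes), the following configures an LDAP server group bound to an Active Directory server over SSL and enables expiry warnings for a remote-access IPsec tunnel group. The group name, directory host, DNs and bind credential are assumptions; the CLI form of the command the notes call "password management" is password-management.

```text
! Added example (not from the release notes). The server group name, the
! directory host 10.0.0.5, the DNs and the bind credential are assumptions.
!
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
 ! Bind over SSL on 636. A plain-text bind on 389 exposes the bind
 ! account's password and every VPN user's password on the inside
 ! network, and Active Directory refuses password changes over an
 ! unencrypted connection, so password management would fail anyway.
 ldap-over-ssl enable
 server-port 636
 ! Search only the subtree that holds VPN users, by logon name.
 ldap-base-dn ou=VPN-Users,dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! The bind account needs read access to that subtree and nothing more;
 ! do not use a domain administrator here.
 ldap-login-dn cn=asa-bind,ou=Service-Accounts,dc=example,dc=com
 ldap-login-password Ex4mple-B1nd-P4ss
 server-type microsoft
exit
!
tunnel-group RA-IPSEC type ipsec-ra
tunnel-group RA-IPSEC general-attributes
 authentication-server-group AD-LDAP
 ! Begin warning users 7 days before the directory password expires
 ! (the default is 14) and offer a change at login.
 password-management password-expire-in-days 7
exit
```

Verify the bind and the lookup with test aaa-server authentication AD-LDAP host 10.0.0.5 username someuser password somepass before attaching the group to the tunnel group; a failure here is almost always the base DN, the naming attribute, or a certificate the ASA cannot validate on the SSL connection.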
Single sign-on (SSO)
Single sign-on (SSO) support lets WebVPN users enter a username and password
only once to access multiple protected services and web servers. You can choose
among the following methods to configure SSO:
• Computer Associates eTrust SiteMinder SSO server (formerly Netegrity
SiteMinder)—You typically would choose to implement SSO with
SiteMinder if your Web site security infrastructure already incorporates
SiteMinder.
• HTTP Forms—A common and standard approach to SSO authentication
that can also qualify as a AAA method. You can use it with other AAA
servers such as RADIUS or LDAP servers.
• SSO with Basic HTTP and NTLM Authentication—The simplest of the
three SSO methods passes WebVPN login credentials for authentication
through to internal servers using basic HTTP or NTLM authentication. This
method does not require an external SSO server.
Tunnel Group and Group Policy VPN Features
WebVPN Tunnel Group Type
This version adds a WebVPN tunnel group, which lets you configure a tunnel
group with WebVPN-specific attributes, including the authentication method to
use, the WebVPN customization to apply to the user GUI, the DNS group to use,
alternative group names (aliases), group URLs, the NBNS server to use for CIFS
name resolution, and an alternative group policy to apply to CSD users to limit
access rights to remote CSD clients.
Group-Based DNS Configuration for WebVPN
You can define a list of DNS servers under a group. The list of DNS servers
available to a user depends on the group that the user is assigned to. You can
specify the DNS server to use for a WebVPN tunnel group. The default value is
DefaultDNS.
New Login Page Option for WebVPN Users
You can optionally configure WebVPN to display a user login page that offers
the user the opportunity to select the tunnel group to use for login. If you configure
this option, the login page displays an additional field offering a drop-down menu
of groups from which to select. The user is authenticated against the selected
group.
Group Alias and Group URL
You can create one or more alternate names by which the user can refer to a tunnel
group by specifying one or more group aliases. The group aliases that you specify
here appear in the drop-down list on the user login page. Each group can have
multiple aliases or no alias. If you want the actual name of the tunnel group to
appear on this list, specify it as an alias. This feature is useful when the same
group is known by several common names, such as “Devtest” and “QA”.
Specifying a group URL eliminates the need for the user to select a group at login.
When a user logs in, the ASA looks for the user's incoming URL in the
tunnel-group-policy table. If it finds the URL and if this feature is enabled, then
the ASA automatically selects the appropriate server and presents the user with
only the username and password fields in the login window. If the URL is disabled,
the dropdown list of groups also appears, and the user must make the selection.
You can configure multiple URLs (or no URLs) for a group. You can enable or
disable each URL individually. You must use a separate specification (group-url
command) for each URL. You must specify the entire URL, which can use either
the HTTP or HTTPS protocol.
You cannot associate the same URL with multiple groups. The ASA verifies the
uniqueness of the URL before accepting the URL for a tunnel group.
ASDM Features
Management and Monitoring Support for the CSC SSM
ASDM Version 5.1 delivers an industry-first solution that blends the simplicity
of Trend Micro’s HTML-based configuration panels with the ingenuity of ASDM.
This helps ensure consistent policy enforcement, and simplifies the complete
provisioning, configuration, and monitoring processes for the rich unified threat
management functions offered by the CSC SSM. ASDM provides a complementing
monitoring solution with a new CSC SSM homepage and new monitoring panels.
Once a CSC SSM is installed, the main ASDM homepage is automatically updated
to display a new CSC SSM panel, which provides a historic view into threats,
e-mail viruses, live events, and vital module statistics such as last installed
software/signature updates, system resources, and more. Within the monitoring
section of ASDM, a rich set of analysis tools provide detailed visibility into threats,
software updates, resource graphs, and more. The Live Security Event Monitor
is a new troubleshooting and monitoring tool that provides real-time updates
regarding scanned or blocked e-mail messages, identified viruses/worms, detected
attacks, and more. It gives administrators the option to filter messages using
regular-expression string matching, so specific attack types and messages can be
focused on and analyzed in detail.
Syslog to Access Rule Correlation
This ASDM release introduces a new Syslog to Access Rule Correlation tool that
greatly enhances day-to-day security management and troubleshooting activities.
With this dynamic tool, security administrators can quickly resolve common
configuration issues, along with most user and network connectivity problems.
Users can select a syslog message within the Real-Time Syslog Viewer panel,
and by simply clicking the Create button at the top of the panel, can invoke the
access-control options for that specific syslog. Intelligent defaults help ensure
that the configuration process is simple, which helps improve operational efficiency
and response times for business-critical functions. The Syslog to Access Rule
Correlation tool also offers an intuitive view into syslog messages invoked by
user-configured access rules.
Customized Syslog Coloring
ASDM allows for rapid critical system message identification and convenient
syslog monitoring by allowing the colored grouping of syslog messages according
to syslog level. Users can select the default coloring options, or create their own
unique colored syslog profiles for ease of identification.
ASDM and WebVPN interface
ASDM and WebVPN can now run on the same interface simultaneously.
ASDM Demo Mode
ASDM Demo Mode initial support.
New Features in Version 7.0
New Features in ASA 7.0(8)/ASDM 5.0(8) and ASDM 5.0(9)
Released: June 2, 2008
Note
ASDM 5.0(9) does not include any new features; it includes caveat fixes only.
Feature
Description
Firewall Features
Ethertype ACL MAC Enhancement
EtherType ACLs have been enhanced to allow non-standard MACs. Existing
default rules are retained, but no new ones need to be added.
Also available in Version 7.2(4) and 8.0(4).
Remote Access Features
Local Address Pool Edit
Address pools can be edited without affecting the desired connection. If an address
in use is not being eliminated from the pool, the connection is not affected.
However, if the address in use is being eliminated from the pool, the connection
is brought down.
Also available in Version 7.2(4) and 8.0(4).
Connection Features
clear conn Command
The clear conn command was added to remove connections.
Also available in Version 7.2(4) and 8.0(4).
Fragment full reassembly
The fragment command was enhanced with the reassembly full keywords to
enable full reassembly for fragments that are routed through the device. Fragments
that terminate at the device are always fully reassembled.
Also available in Version 7.2(4) and 8.0(4).
Troubleshooting and Monitoring Features
capture command Enhancement
The capture type asp-drop drop_code command now accepts all as the
drop_code, so you can now capture all packets that the ASA drops, including
those dropped due to security checks.
Also available in Version 7.2(4) and 8.0(4).
show asp drop Command Enhancement
Output now includes a timestamp indicating when the counters were last cleared
(see the clear asp drop command). It also displays the drop reason keywords
next to the description, so you can easily use the capture asp-drop command
using the keyword.
Also available in Version 7.2(4) and 8.0(4).
clear asp table Command
Added the clear asp table command to clear the hits output by the show asp
table commands.
Also available in Version 7.2(4) and 8.0(4).
show asp table classify hits Command Enhancement
The hits option was added to the show asp table classify command, showing the
timestamp indicating the last time the asp table counters were cleared. It also
shows rules with hits values not equal to zero. This permits users to quickly see
what rules are being hit, especially since a simple configuration may end up with
hundreds of entries in the show asp table classify command.
Also available in Version 7.2(4) and 8.0(4).
show perfmon Command
Added the following rate outputs: TCP Intercept Connections Established, TCP
Intercept Attempts, TCP Embryonic Connections Timeout, and Valid Connections
Rate in TCP Intercept.
Also available in Version 7.2(4) and 8.0(4).
memory tracking Commands
The following new commands are introduced in this release:
• memory tracking enable–This command enables the tracking of heap
memory requests.
• no memory tracking enable–This command disables tracking of heap
memory requests, cleans up all currently gathered information, and returns
all heap memory used by the tool itself to the system.
• clear memory tracking–This command clears out all currently gathered
information but continues to track further memory requests.
• show memory tracking–This command shows currently allocated memory
tracked by the tool, broken down by the topmost caller function address.
• show memory tracking address–This command shows currently allocated
memory broken down by each individual piece of memory. The output lists
the size, location, and topmost caller function of each currently allocated
piece memory tracked by the tool.
• show memory tracking dump–This command shows the size, location,
partial callstack, and a memory dump of the given memory address.
• show memory tracking detail–This command shows various internal details
to be used in gaining insight into the internal behavior of the tool.
Also available in Version 7.2(4) and 8.0(4).
Failover Features
failover timeout Command
The failover timeout command no longer requires a failover license for use with
the static nailed feature.
Also available in Version 7.2(4) and 8.0(4).
Usability Features
show access-list Output
Expanded access list output is indented to make it easier to read.
Also available in Version 7.2(4) and 8.0(4).
show arp Output
In transparent firewall mode, you might need to know whether an ARP entry is
statically configured or dynamically learned. ARP inspection drops ARP replies
from a legitimate host if a dynamic ARP entry has already been learned. ARP
inspection only works with static ARP entries. The show arp command now shows
each entry with its age if it is dynamic, or no age if it is static.
See Monitoring > Interfaces > ARP Table.
Also available in Version 7.2(4) and 8.0(4).
show conn Command
The syntax was simplified to use source and destination concepts instead of “local”
and “foreign.” In the new syntax, the source address is the first address entered
and the destination is the second address. The old syntax used keywords like
foreign and port to determine the destination address and port.
ASDM Features
Support for fragment option
ASDM now supports a fragment option to reassemble packets routed through
ASDM.
To configure this feature, see Configuration > Properties > Advanced >
Fragment.
New Features in ASA 7.0(7)/ASDM 5.0(7)
Released: July 9, 2007
Feature
Description
Module Features
Added Dataplane Keepalive Mechanism
You can now configure the ASA so that a failover will not occur if the AIP SSM
is upgraded. In previous releases when two ASAs with AIP SSMs are configured
in failover and the AIP SSM software is updated, the ASA triggers a failover,
because the AIP SSM needs to reboot or restart for the software update to take
effect.
Also available in Version 7.2(3) and 8.0(3)
New Features in ASA 7.0(6)/ASDM 5.0(6)
Released: August 22, 2006
There were no new features in ASA 7.0(6)/ASDM 5.0(6)
New Features in ASA 7.0(5)/ASDM 5.0(5)
Released: April 14, 2006
Feature
Description
Application Inspection Features
Command to Control DNS Guard
You can now control the DNS guard function. In releases prior to 7.0(5), the DNS
guard functions are always enabled regardless of the configuration of DNS
inspection:
• Stateful tracking of the DNS response with the DNS request to match the ID
• Tearing down the DNS connection when all pending requests have been answered
This command is effective only on interfaces with DNS inspection disabled (no
inspect dns). When DNS inspection is enabled, the DNS guard function is always
performed.
We introduced the following command: dns guard.
Enhanced IPSEC Inspection
The ability to open specific pinholes for ESP flows based on existence of an IKE
flow is provided by the enhanced IPSec inspect feature. This feature can be
configured within the MPF infrastructure along with other inspects. The
idle-timeout on the resulting ESP flows is statically set at 10 minutes. There is
no maximum limit on number of ESP flows that can be allowed.
We introduced the following command: inspect ipsec-pass-thru.
Firewall Features
Command to Disable RST for Denied TCP Packets
When a TCP packet is denied, the adaptive security appliance always sends a
reset when the packet is going from a high security to a low security interface.
The service resetinbound command is used to enable or disable sending resets
when a TCP packet is denied when going from a low security to a high security
interface. The service resetoutbound command is introduced to control sending
RESETs when a packet is denied when going from a high security to a low security
interface. The existing service resetinbound command is enhanced to take an
additional interface option.
We introduced the following commands: service resetoutbound, service
resetinbound.
Platform Features
Increased Connections and VLANs
The maximum connections and VLANs is increased to the following numbers.
• ASA5510 base license conns 32000->50000 vlans 0->10
• ASA5510 plus license conns 64000->130000 vlans 10->25
• ASA5520 conns 130000->280000 vlans 25->100
• ASA5540 conns 280000->400000 vlans 100->200
Management Features
Password Increased in Local Database
Username and enable password length limits increased from 16 to 32 in the
LOCAL database.
Enhanced show interface and show traffic Commands
The traffic statistics displayed in both the show interface and show traffic
commands now support 1 minute rate and 5 minute rate for input, output and
drop. The rate is calculated as the delta between the last two sampling points. For
a 1 minute rate and a 5 minute rate, a 1 minute timer and a 5 minute timer are run
constantly for the rates respectively. An example of the new display follows:
1 minute input rate 128 pkts/sec, 15600 bytes/sec
1 minute output rate 118 pkts/sec, 13646 bytes/sec
1 minute drop rate 12 pkts/sec
5 minute input rate 112 pkts/sec, 13504 bytes/sec
5 minute output rate 101 pkts/sec, 12104 bytes/sec
5 minute drop rate 4 pkts/sec
New Features in ASA 7.0(4)/ASDM 5.0(4)
Released: October 15, 2005
Note
There was no 7.0(3)/5.0(3) release.
Feature
Description
Platform Features
Support for the 4GE SSM
The 4GE Security Services Module (SSM) is an optional I/O card for the adaptive
security appliance. The 4GE SSM expands the total number of ports available on
the security appliance, providing four additional ports with Ethernet (RJ-45) or
SFP (fiber optic) connections.
VPN Features
WebVPN Capture Feature
The WebVPN capture feature lets you log information about websites that do not
display properly over a WebVPN connection. You can enable the WebVPN
capture feature with the capture command, but note that it has an adverse effect
on the performance of the security appliance. So, be sure to disable this feature
after you have captured the information that you need for troubleshooting.
Auto Update Over a VPN Tunnel
With this release, the auto-update server command has a new source argument
that lets you specify an interface, such as a VPN tunnel used for management
access and specified by the management-access command:
auto-update server url [source interface] [verify-certificate]
HTTP proxy applet
The HTTP proxy is an Internet proxy that supports both HTTP and HTTPS
connections. The HTTP proxy code modifies the browser proxy configuration
dynamically to redirect all browser HTTP/S requests to the new proxy
configuration. This allows the Java Applet to take over as the proxy for the
browser.
HTTP Proxy can be used in conjunction with the Port Forwarding (Application
Access) feature or by itself.
The HTTP proxy feature only works when using Internet Explorer.
On some older computers running Windows XP, the RunOnce registry key
is not available, causing the Port Forwarding HTTP-Proxy feature to fail when
attempting to modify proxy settings on Internet Explorer.
Note
You can manually change the registry. Complete the following steps to change
the registry manually:
1 Click Start | Run.
2 Type regedit in the open text box, and click OK.
3 Open this folder:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
4 Right-click inside the CurrentVersion folder and select New | Key.
5 Name the new key RunOnce.
6 Click OK.
To configure file access and file browsing, MAPI Proxy, HTTP Proxy, and URL
entry over WebVPN for this user or group policy, use the functions command in
WebVPN mode.
IPSec VPN: Add support for cascading ACLs
Cascading ACLs involves the insertion of deny ACEs to bypass evaluation against
an ACL and resume evaluation against a subsequent ACL in the crypto map set.
Because you can associate each crypto map with different IPSec settings, you can
use deny ACEs to exclude special traffic from further evaluation in the
corresponding crypto map, and match the special traffic to permit statements in
another crypto map to provide or require different security. The sequence number
assigned to the crypto ACL determines its position in the evaluation sequence
within the crypto map set.
Troubleshooting and Monitoring Features
Crashinfo Enhancement
Output from the crashinfo command might contain sensitive information that is
inappropriate for viewing by all users connected to the ASA. The new crashinfo
console disable command lets you suppress the output from displaying on the
console.
Rate limiting of Syslog messages
The logging rate limit feature enables you to limit the rate at which system log
messages are generated. You can limit the number of system messages that are
generated during a specified time interval.
You can limit the message generation rate for all messages, a single message ID,
a range of message IDs, or all messages with a particular severity level. To limit
the rate at which system log messages are generated, use the logging rate-limit
command.
Firewall Features
Connection timeout using Modular Policy Framework
The new set connection timeout command lets you configure the timeout period,
after which an idle TCP connection is disconnected.
Downloadable ACL Enhancements
A new feature has been added to ensure that downloadable ACL requests sent to
a RADIUS server come from a valid source through the Message-Authenticator
attribute.
Upon receipt of a RADIUS authentication request that has a username attribute
containing the name of a downloadable ACL, Cisco Secure ACS authenticates
the request by checking the Message-Authenticator attribute. The presence of the
Message-Authenticator attribute prevents malicious use of a downloadable ACL
name to gain unauthorized network access. The Message-Authenticator attribute
and its use are defined in RFC 2869, RADIUS Extensions, available at
http://www.ietf.org.
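The Message-Authenticator check described above, written out as an added example (not Cisco's code): the attribute is an HMAC-MD5 over the whole Access-Request, keyed with the shared secret, with the attribute's own 16 value bytes zeroed (RFC 2869, section 5.14). The shared secret, request authenticator and downloadable ACL name are constructed placeholders; a server that omits the check, or accepts a request without the attribute, cannot tell a genuine request from one carrying a replayed or guessed DACL name.

```python
import hashlib
import hmac
import struct

# RADIUS constants from RFC 2865/2869 used below.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Request Authenticator(16)


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (counting the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, request_authenticator: bytes,
                         secret: bytes, attributes, sign: bool = True) -> bytes:
    """Build an Access-Request; with sign=True a Message-Authenticator is appended,
    computed as HMAC-MD5(secret, packet) with its own value field zeroed."""
    body = b"".join(_avp(t, v) for t, v in attributes)
    if sign:
        body += _avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    if sign:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # overwrite the zero placeholder with the HMAC
    return packet


def parse_attributes(packet: bytes):
    """Yield (offset, type, value) for each attribute; reject malformed lengths."""
    offset = HEADER_LEN
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            raise ValueError("bad attribute length")
        yield offset, attr_type, packet[offset + 2:offset + length]
        offset += length


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if the packet carries a Message-Authenticator that matches
    HMAC-MD5 over the packet with that attribute's value zeroed."""
    if len(packet) < HEADER_LEN:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False  # the Length field must cover exactly the whole packet
    try:
        for offset, attr_type, value in parse_attributes(packet):
            if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
                if len(value) != 16:
                    return False
                zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except ValueError:
        return False
    return False  # attribute absent: the DACL request is not authenticated


def user_name(packet: bytes) -> str:
    """Return the User-Name attribute (the downloadable ACL name in this use)."""
    for _, attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_USER_NAME:
            return value.decode("utf-8", "replace")
    return ""


if __name__ == "__main__":
    # Constructed sample values; none of these come from a real deployment.
    SECRET = b"example-shared-secret"
    AUTHENTICATOR = bytes(range(16))
    pkt = build_access_request(7, AUTHENTICATOR, SECRET,
                               [(ATTR_USER_NAME, b"example-dacl-name")])
    print("genuine request verifies:", verify_message_authenticator(pkt, SECRET))
    forged = pkt[:22] + b"X" + pkt[23:]  # alter the first byte of the User-Name
    print("altered User-Name verifies:", verify_message_authenticator(forged, SECRET))
```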
Converting Wildcards to Network Mask in Downloadable ACL
Some Cisco products, such as the VPN 3000 concentrator and Cisco IOS routers,
require you to configure downloadable ACLs with wildcards instead of network
masks. The Cisco ASA 5500 adaptive security appliance, on the other hand,
requires you to configure downloadable ACLs with network masks. This new
feature allows the ASA to convert a wildcard to a netmask internally. Translation
of wildcard netmask expressions means that downloadable ACLs written for Cisco
VPN 3000 series concentrators can be used by the ASA without altering the
configuration of the downloadable ACLs on the RADIUS server.
You can configure ACL netmask conversion on a per-server basis, using the
acl-netmask-convert command, available in the AAA-server configuration mode.
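The wildcard-to-netmask translation, as an added example that is not the ASA's own implementation: each wildcard mask is inverted into a network mask, and any address/wildcard pair in an ACE is rewritten in place. The page does not say how the ASA treats wildcards whose don't-care bits are not contiguous (for example 0.255.0.255), so this example assumes such entries should be rejected rather than silently converted, since a mis-converted mask changes what the ACL permits; the sample DACL lines are constructed.

```python
import ipaddress


def wildcard_to_netmask(wildcard: str) -> str:
    """Convert a Cisco wildcard mask (0 bit = must match, 1 bit = don't care)
    to the network mask form the ASA expects (1 bit = must match).

    Assumption: only wildcards whose don't-care bits are contiguous at the low
    end have a netmask equivalent; anything else is rejected.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    if "01" in f"{mask:032b}":  # a 0 followed by a 1 means non-contiguous
        raise ValueError(f"non-contiguous wildcard {wildcard} has no netmask form")
    return str(ipaddress.IPv4Address(mask))


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def convert_ace(ace: str) -> str:
    """Rewrite every 'address wildcard' pair in one ACE as 'address netmask'.
    Keywords such as any, host and port operators pass through untouched."""
    tokens = ace.split()
    out = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "host" and i + 1 < len(tokens):
            out.extend(tokens[i:i + 2])  # 'host A.B.C.D' carries no mask
            i += 2
        elif _is_ipv4(tok) and i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
            out.append(tok)
            out.append(wildcard_to_netmask(tokens[i + 1]))
            i += 2
        else:
            out.append(tok)
            i += 1
    return " ".join(out)


def convert_dacl(lines):
    """Convert a downloadable ACL (one ACE per line); return (converted, rejected)."""
    converted, rejected = [], []
    for line in lines:
        try:
            converted.append(convert_ace(line))
        except ValueError as err:
            rejected.append((line, str(err)))
    return converted, rejected


if __name__ == "__main__":
    # Constructed sample DACL written in VPN 3000 / IOS wildcard style.
    sample = [
        "permit ip 10.1.0.0 0.0.255.255 any",
        "permit tcp host 10.1.1.10 172.16.0.0 0.0.255.255 eq 443",
        "deny ip 192.168.0.0 0.255.0.255 any",
    ]
    ok, bad = convert_dacl(sample)
    for line in ok:
        print(line)
    for line, why in bad:
        print("REJECTED:", line, "-", why)
```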
Application Inspection Features
Support GTP Load Balancing Across GSNs
If the ASA performs GTP inspection, by default the ASA drops GTP responses
from GSNs that were not specified in the GTP request. This situation occurs when
you use load-balancing among a pool of GSNs to provide efficiency and scalability
of GPRS. You can enable support for GSN pooling by using the permit response
command. This command configures the ASA to allow responses from any of a
designated set of GSNs, regardless of the GSN to which a GTP request was sent.
New Features in ASA 7.0(2)/ASDM 5.0(2)
Released: July 22, 2005
There were no new features in ASA 7.0(2)/ASDM 5.0(2)
New Features in ASA 7.0(1)/ASDM 5.0(1)
Released: May 31, 2005
Feature
Description
Platform Features
Support for the ASA 5500 series
Support for the ASA 5500 series was introduced, including support for the
following models: ASA 5510, ASA 5520, and ASA 5540.
Firewall Features
Transparent Firewall (Layer 2 Firewall)
This feature has the ability to deploy the ASA in a secure bridging mode, similar
to a Layer 2 device, to provide rich Layer 2 – 7 firewall security services for the
protected network. This enables businesses to deploy this ASA into existing
network environments without requiring readdressing of the network. While the
ASA can be completely “invisible” to devices on both sides of a protected network,
administrators can manage it via a dedicated IP address (which can be hosted on
a separate interface). Administrators have the ability to specify non-IP (EtherType)
ACLs, in addition to standard ACLs, for access control over Layer 2 devices and
protocols.
We introduced the following commands: arp-inspection, firewall,
mac-address-table, and mac-learn.
Security Contexts (Virtual Firewall)
This feature introduces the ability to create multiple security contexts (virtual
firewalls) within a single appliance, with each context having its own set of security
policies, logical interfaces, and administrative domain. This provides businesses
a convenient way of consolidating multiple firewalls into a single physical
appliance, yet retaining the ability to manage each of these virtual instances
separately. These capabilities are only available on ASA with either unrestricted
(UR) or failover (FO) licenses. This is a licensed feature, with multiple tiers of
supported security contexts (2, 5, 10, 20, and 50).
We introduced the following commands: admin-context, context (and context
subcommands), changeto, and mode.
Outbound ACLs and Time-based ACLs
This feature gives administrators improved flexibility for defining access control
policies by adding support for outbound ACLs and time-based ACLs (building
on top of our existing inbound ACL support). Using these new capabilities,
administrators can now apply access controls as traffic enters an interface or exits
an interface. Time-based access control lists provide administrators greater control
over resource usage by defining when certain ACL entries are active. New
commands allow administrators to define time ranges, and then apply these time
ranges to specific ACLs.
The existing versatile access-list global configuration command was extended
with the time-range command to specify a time-based policy defined using the
time-range global configuration command. Additionally, the access-group global
configuration command supports the out keyword to configure an outbound ACL.
Enabling/Disabling of ACL Entries
This feature provides a convenient troubleshooting tool that allows administrators
to test and fine-tune ACLs, without the need to remove and replace ACL entries.
EtherType Access Control
This feature includes very powerful support for performing packet filtering and
logging based on the EtherType of the packets. When operating as a transparent
firewall, this provides tremendous flexibility for permitting or denying non-IP
protocols.
Modular Policy Framework
This feature introduces a highly flexible and extensible next-generation modular
policy framework. It enables the construction of flow-based policies that identify
specific flows based on administrator-defined conditions, and then apply a set of
services to that flow (such as firewall/inspection policies, VPN policies, QoS
policies, and more). This provides significantly improved granular control over
traffic flows, and the services performed on them. This new framework also
enables inspection engines to have flow-specific settings (which were global in
previous releases).
We introduced the following commands: class-map, policy-map, and
service-policy.
TCP Security Engine
This feature introduces several new foundational capabilities to assist in detecting
protocol and application layer attacks. TCP stream reassembly helps detect attacks
that are spread across a series of packets by reassembling packets into a full packet
stream and performing analysis of the stream. TCP traffic normalization provides
additional techniques to detect attacks including advanced flag and option
checking, detection of data tampering in retransmitted packets, TCP packet
checksum verification, and more.
You can configure the extensive TCP security policy using the set connection
advanced-options in global configuration command and tcp-map global
configuration command.
Outbound Low Latency Queuing (LLQ) and Policing
This feature supports applications with demanding quality of service (QoS)
requirements through support of Low Latency Queuing (LLQ) and Traffic Policing
– supporting the ability to have an end-to-end network QoS policy. When enabled,
each interface maintains two queues for outbound traffic – one for latency-sensitive
traffic (such as voice or market-data), and one for latency-tolerant traffic (such
as file transfers). Queue performance can be optimized through a series of
configuration parameters.
The QoS functionality is managed using the following commands: police, priority,
priority-queue, queue-limit, and tx-ring-limit.
Application Inspection Features
Advanced HTTP Inspection Engine
This feature introduces deep analysis of web traffic, enabling granular control
over HTTP sessions for improved protection from a wide range of web-based
attacks. In addition, this new HTTP inspection engine allows administrative control
over instant messaging applications, peer-to-peer file sharing applications, and
applications that attempt to tunnel over port 80 or any port used for HTTP
transactions. Capabilities provided include RFC compliance enforcement, HTTP
command authorization and enforcement, response validation, Multipurpose
Internet Mail Extension (MIME) type validation and content control, Uniform
Resource Identifier (URI) length enforcement, and more.
A user can define the advanced HTTP Inspection policy using the http-map
global configuration command and then apply it to the inspect http configuration
mode command that was extended to support the specification of a map name.
FTP Inspection Engine
This feature includes the FTP inspection engine which provides new command
filtering support. Building upon the FTP security services previously supported,
such as protocol anomaly detection, protocol state tracking, NAT/PAT support,
and dynamic port opening, Version 7.0 gives administrators granular control over
the usage of 9 different FTP commands, enforcing operations that users/groups
can perform in FTP sessions. Version 7.0 also introduces FTP server cloaking
capabilities, hiding the type and version of the FTP server from those who access
it through ASA.
ESMTP Inspection Engine
This feature builds on the SMTP (RFC 821) feature with the addition of support
for the SMTP (ESMTP) protocol, featuring a variety of commands defined in
RFC 1869. Supported commands include AUTH, DATA, EHLO, ETRN, HELO,
HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and
VRFY (all other commands are automatically blocked to provide an additional
level of security).
The inspect esmtp global configuration command provides inspection services
for SMTP and ESMTP traffic.
SunRPC / NIS+ inspection engine
The SunRPC inspection engine provides better support for NIS+ and SunRPC
services. Specific enhancements include support for all three versions of the lookup
service - Portmapper v2 and RPCBind v3 and v4.
Use the inspect sunrpc and the sunrpc-server global configuration commands
to configure the SunRPC / NIS+ inspection Engine.
ICMP Inspection Engine
This feature introduces an ICMP inspection engine. This engine enables secure
usage of ICMP, by providing stateful tracking for ICMP connections, matching
echo requests with replies. Additional controls are available for ICMP error
messages, which are only permitted for established connections. This release
introduces the ability to NAT ICMP error messages.
Use the inspect icmp and the inspect icmp error commands to configure the
ICMP inspection engine.
GTP Inspection Engine for Mobile Wireless Environments
This feature introduces a new inspection engine for securing 3G Mobile Wireless
environments that provide packet switched data services using the GPRS Tunneling
Protocol (GTP). These new advanced GTP inspection services permit mobile
service providers secure interaction with roaming partners and provide mobile
administrators robust filtering capabilities based on GTP specific parameters such
as IMSI prefixes, APN values and more. This is a licensed feature.
The inspect gtp command in the policy-map configuration mode and the gtp-map
global configuration commands are new features introduced in Version 7.0. For
more information on GTP and detailed instructions for configuring your GTP
inspection policy, see the “Managing GTP Inspection” section in the CLI
configuration guide. You may need to install a GTP activation key using the
activation-key exec command.
H.323 Inspection Engine
The H.323 inspection engine adds support for the T.38 protocol, an ITU standard
that enables the secure transmission of Fax over IP (FoIP). Both real-time and
store-and-forward FAX methods are supported. The H.323 inspection engine
supports Gatekeeper Routed Call Signaling (GKRCS) in addition to the Direct
Call Signaling (DCS) method currently supported. GKRCS support, based on the
ITU standard, now allows the ASA to handle call signaling messages exchanged
directly between H.323 Gatekeepers.
H.323 Version 3 and 4 Support
This release supports NAT and PAT for H.323 versions 3 and 4 messages, and
in particular, the H.323 v3 feature Multiple Calls on One Call Signaling Channel.
SIP Inspection Engine
This feature adds support for Session Initiation Protocol (SIP)-based instant
messaging clients, such as Microsoft Windows Messenger. Enhancements include
support for features described by RFC 3428 and RFC 3265.
Support for Instant Messaging Using SIP
Fixup SIP now supports the Instant Messaging (IM) Chat feature on Windows
XP using Windows Messenger RTC client version 4.7.0105 only.
Configurable SIP UDP
Inspection Engine
This provides a CLI-enabled solution for non-Session Information Protocol (SIP)
packets to pass through the ASA instead of being dropped when they use a SIP
UDP port.
Cisco ASA New Features by Release
271
Cisco ASA New Features
New Features in ASA 7.0(1)/ASDM 5.0(1)
Feature
Description
MGCP Inspection Engine
This feature includes an MGCP inspection engine that supports NAT and PAT for the MGCP protocol. This ensures seamless security integration in distributed call processing environments that include MGCP Version 0.1 or 1.0 as the VoIP protocol.
The inspect mgcp command in policy-map configuration mode and the mgcp-map global configuration command enable the user to configure an MGCP inspection policy.

RTSP Inspection Engine
This feature introduces NAT support for the Real Time Streaming Protocol (RTSP), which allows streaming applications such as Cisco IP/TV, Apple QuickTime, and RealNetworks RealPlayer to operate transparently across NAT boundaries.

SNMP Inspection Engine
Similar to the other new inspection engines, the inspect snmp command in policy-map configuration mode and the snmp-map global configuration command enable the user to configure an SNMP inspection policy.

Port Address Translation (PAT) for H.323 and SIP Inspection Engines
This release enhances support for the existing H.323 and SIP inspection engines by adding support for Port Address Translation (PAT). Adding support for PAT with H.323 and SIP enables our customers to expand their network address space using a single global address.

PAT for Skinny
This feature allows Cisco IP Phones to communicate with Cisco CallManager across the ASA when it is configured with PAT. This is particularly important in a remote access environment where Skinny IP phones behind an ASA talk to the CallManager at the corporate site through a VPN.

ILS Inspection Engine
This feature provides an Internet Locator Service (ILS) fixup to support NAT for ILS and Lightweight Directory Access Protocol (LDAP). Also, with the addition of this fixup, the ASA supports H.323 session establishment by Microsoft NetMeeting. Microsoft NetMeeting, SiteServer, and Active Directory products leverage ILS, which is a directory service, to provide registration and location of endpoints. ILS supports the LDAP protocol and is LDAPv2 compliant.

Configurable RAS Inspection Engine
This feature includes an option to turn off the H.323 RAS (Registration, Admission, and Status) fixup and displays this option, when set, in the configuration. This enables customers to turn off the RAS fixup if they do not have any RAS traffic, if they do not want their RAS messages to be inspected, or if they have other applications that utilize UDP ports 1718 and 1719.

CTIQBE Inspection Engine
Also known as the TAPI/JTAPI Fixup, this feature incorporates a Computer Telephony Interface Quick Buffer Encoding (CTIQBE) protocol inspection module that supports NAT, PAT, and bi-directional NAT. This enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to work and communicate successfully with Cisco CallManager for call setup and voice traffic across the ASA.
This release supports the inspect ctiqbe 2748 command.
MGCP Inspection Engine
This release adds support for Media Gateway Control Protocol (MGCP) 1.0, enabling messages between Call Agents and VoIP media gateways to pass through the ASA in a secure manner.
See the inspect mgcp command.

Ability to Configure TFTP Inspection Engine
The TFTP inspection engine inspects the TFTP protocol and dynamically creates a connection and xlate, if necessary, to permit file transfer between a TFTP client and server. Specifically, the fixup inspects TFTP read requests (RRQ), write requests (WRQ), and error notifications (ERROR).
Note
TFTP Fixup is enabled by default. TFTP Fixup must be enabled if static PAT is used to redirect TFTP traffic.

Filtering Features

Improved URL Filtering Performance
This feature significantly increases the number of concurrent URLs that can be processed by improving the communications channel between the ASA and the Websense servers.
The existing url-server global configuration command now supports the connections keyword to specify the number of TCP connections in the pool that is used.

URL Filtering Enhancements
This release supports N2H2 URL filtering services for URLs up to 1159 bytes. For Websense, long URL filtering is supported for URLs up to 4096 bytes in length.
Additionally, this release provides a configuration option to buffer the response from a web server if its response is faster than the response from either an N2H2 or Websense filtering service server. This prevents the web server’s response from being loaded twice.

IPSec VPN Features

Incomplete Crypto Map Enhancements
Every static crypto map must define an access list and an IPSec peer. If either is missing, the crypto map is considered incomplete and a warning message is printed. Traffic that has not been matched to a complete crypto map is skipped, and the next entry is tried. Failover hello packets are exempt from the incomplete crypto map check.

Spoke-to-Spoke VPN Support
This feature improves support for spoke-to-spoke (and client-to-client) VPN communications by providing the ability for encrypted traffic to enter and leave the same interface. Furthermore, split-tunnel remote access connections can now be terminated on the outside interface of the ASA, allowing Internet-destined traffic from remote access user VPN tunnels to leave on the same interface as it arrived (after firewall rules have been applied).
The same-security-traffic command, when used with the intra-interface keyword, permits traffic to enter and exit the same interface, enabling spoke-to-spoke VPN support.
OSPF Dynamic Routing over VPN
Support for OSPF has been extended to support neighbors across an IPSec VPN tunnel. This allows the ASA to support dynamic routing updates across a VPN tunnel to other OSPF peers. OSPF hellos are unicast and encrypted for transport down the tunnel to an identified neighbor in an RFC-compliant manner.
The ospf network point-to-point non-broadcast command in interface configuration mode extends comprehensive OSPF dynamic routing services to support neighbors across IPSec VPN tunnels, providing improved network reliability for VPN-connected networks.

Remote Management Enhancements
This feature enables administrators to remotely manage firewalls over a VPN tunnel using the inside interface IP address of the remote ASA. In fact, administrators can define any ASA interface for management access. This feature supports management protocols such as ASDM, SSH, Telnet, and SNMP that require a dynamic IP address. This feature significantly benefits broadband environments.

X.509 Certificate Support
Support for X.509 certificates has been significantly improved in the ASA, adding support for n-tier certificate chaining (for environments with a multi-level certification authority hierarchy), manual enrollment (for environments with offline certificate authorities), and support for 4096-bit RSA keys. Version 7.0 also includes support for the new certificate authority introduced in Cisco IOS software, a lightweight X.509 certificate authority designed to simplify roll-out of PKI-enabled site-to-site VPN environments.
Easy VPN Server
This release supports Cisco Easy VPN server. Cisco Easy VPN server is designed to function seamlessly with existing VPN headends configured to support the Cisco VPN client and to minimize the administrative overhead for the client by centralizing VPN configuration at the Cisco Easy VPN server. Examples of Cisco Easy VPN server products include the Cisco VPN client v3.x and greater and the Cisco VPN 3002 Hardware client.
Note
The ASA already acts as a central site VPN device and supports the termination of remote access VPN clients.

Easy VPN Server Load Balancing Support
The ASA 5500 series ASA can participate in cluster-based concentrator load balancing. It supports VPN 3000 series concentrator load balancing with automatic redirection to the least utilized concentrator.

Dynamic Downloading of Backup Easy VPN Server Information
Support for downloading a list of backup concentrators defined on the headend.
This feature supports the vpngroup group_name backup-server {{ip1 [ip2... ip10]} | clear-client-cfg} commands.
Easy VPN Internet Access Policy
This release changes the behavior of an ASA used as an Easy VPN remote device with regard to the Internet access policy for users on the protected network. The new behavior occurs when split tunneling is enabled on the Easy VPN server. Split tunneling is a feature that allows users connected through the ASA to access the Internet in a clear text session, without using a VPN tunnel.
The ASA used as an Easy VPN remote device downloads the split tunneling policy and saves it in its local Flash memory when it first connects to the Easy VPN server. If the policy enables split tunneling, users connected to the network protected by the ASA can connect to the Internet regardless of the status of the VPN tunnel to the Easy VPN server.

Verify Certificate Distinguished Name
This feature enables the adaptive security appliance, acting as either a VPN peer for site-to-site VPNs or as the Easy VPN server in remote access deployments, to validate that a certificate matches administrator-specified criteria.

Easy VPN Web Interface for Manual Tunnel Control, User Authentication, and Tunnel Status
With the introduction of the User-Level Authentication and Secure Unit Authentication features, the ASA delivers the ability to enter credentials, connect/disconnect the tunnel, and monitor the connection using new web pages served to users when they attempt access to the VPN tunnel or unprotected networks through the ASA. This is only applicable to the Easy VPN server feature.

User-Level Authentication
Support for individually authenticating clients (IP address based) on the inside network of the ASA. Both static and One Time Password (OTP) authentication mechanisms are supported. This is done through a web-based interface.
This feature adds support to the vpn-group-policy command.

Secure Unit Authentication
This feature provides the ability to use dynamically generated authentication credentials to authenticate the Easy VPN remote (VPN Hardware client) device.

Flexible Easy VPN Management Solutions
Managing the ASA using the outside interface does not require the traffic to flow over the VPN tunnel. You have the flexibility to require all NMS traffic to flow over the tunnel or to fine-tune this policy.

VPN Client Security Posture Enforcement
This feature introduces the ability to perform VPN client security posture checks when a VPN connection is initiated. Capabilities include enforcing usage of authorized host-based security products (such as the Cisco Security Agent) and verifying their version number, policies, and status (enabled/disabled).
To set personal firewall policies that the security appliance pushes to the VPN client during IKE tunnel negotiation, use the client-firewall command in group-policy configuration mode.

VPN Client Update
To configure and change client update parameters, use the client-update command in tunnel-group ipsec-attributes configuration mode.
VPN Client Blocking by Operating System and Type
This feature adds the ability to restrict the different types of VPN clients (software client, router, VPN 3002, and PIX) that are allowed to connect based on the type of client, the operating system version installed, and the VPN client software version. When non-compliant users attempt to connect, they can be directed to a group that specifically allows connections from non-compliant users.
To configure rules that limit the remote access client types and versions that can connect via IPSec through the ASA, use the client-access-rule command in group-policy configuration mode.

Movian VPN Client Support
This feature introduces support for handheld (PocketPC and Palm) based Movian VPN clients, securely extending access to your network to mobile employees and business partners.
New support for Diffie-Hellman Group 7 (ECC) to negotiate perfect forward secrecy was added to Version 7.0. This option is intended for use with the MovianVPN client, but can be used with other clients that support D-H Group 7 (ECC).

VPN NAT Transparency
This feature extends support for site-to-site and remote-access IPSec-based VPNs to network environments that implement NAT or PAT, such as airports, hotels, wireless hot spots, and broadband environments. Version 7.0 also adds support for Cisco TCP and User Datagram Protocol (UDP) NAT traversal methods as complementary methods to the existing support for the IETF UDP wrapper mechanism for safe traversal through NAT/PAT boundaries.
See the isakmp global configuration command for additional options when configuring a NAT traversal policy.

IKE Syslog Support
This feature introduces a small enhancement to IKE syslogging support and a limited set of IKE event tracing capabilities for scalable VPN troubleshooting. These enhancements have been added to allow for new syslog message generation and improved ISAKMP command control.

Diffie-Hellman (DH) Group 5 Support
This release supports the 1536-bit MODP group that has been given the group 5 identifier.

Advanced Encryption Standard (AES)
This feature adds support for securing site-to-site and remote access VPN connections with the new international encryption standard. It also provides software-based AES support on all supported ASA models and hardware-accelerated AES via the new VAC+ card.

New Ability to Assign Netmasks with Address Pools
This feature introduces the ability to define a subnet mask for each address pool and pass this information on to the client.
Cryptographic Engine Known Answer Test (KAT)
The function of KAT is to test the instantiation of the ASA crypto engine. The test is performed every time during ASA boot-up, before the configuration is read from Flash memory. KAT is run for the crypto algorithms that are valid for the current license on the ASA.
Custom Backup Concentrator Timeout
This feature provides a configurable timeout on the ASA connection attempts to a VPN headend, thereby controlling the latency involved in rolling over to the next backup concentrator on the list.
This feature supports the vpngroup command.

WebVPN Features

Remote Access via Web Browser (WebVPN)
Version 7.0(1) supports WebVPN on ASA 5500 series security appliances in single, routed mode. WebVPN lets users establish a secure, remote-access VPN tunnel to the security appliance using a web browser. There is no need for either a software or hardware client. WebVPN provides easy access to a broad range of web resources and both web-enabled and legacy applications from almost any computer that can reach HTTPS Internet sites. WebVPN uses the Secure Sockets Layer protocol and its successor, Transport Layer Security (SSL/TLS 1), to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site. The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users.

CIFS
WebVPN supports the Common Internet File System (CIFS), which lets remote users browse and access preconfigured NT/Active Directory file servers and shares at a central site. CIFS runs over TCP/IP and uses DNS and NetBIOS for name resolution.

Port Forwarding
WebVPN port forwarding, also called application access, lets remote users use TCP applications over an SSL VPN connection.

Email
WebVPN supports several ways of using email, including IMAP4S, POP3S, SMTPS, MAPI, and Web Email.
• IMAP4S, POP3S, SMTPS
WebVPN lets remote users use the IMAP4, POP3, and SMTP email protocols over SSL connections.
• MAPI Proxy
WebVPN supports MAPI, which is remote access to e-mail via MS Outlook Exchange port forwarding. MS Outlook Exchange must be installed on the remote computer.
• Web Email
Web email is MS Outlook Web Access for Exchange 2000, Exchange 5.5, and Exchange 2003. It requires an MS Outlook Exchange Server at the central site.
Routing Features
IPv6 Inspection, Access Control, and Management
This feature introduces support for IP version 6 (IPv6) inspection, access control, and management. Full stateful inspection is provided for through-the-box IPv6 traffic in both a dedicated IPv6 mode and in a dual-stack IPv4/IPv6 mode. In addition, an ASA can be deployed in a pure IPv6 environment, supporting IPv6 to-the-box management traffic for protocols including SSHv2, Telnet, HTTP, and ICMP. Inspection engines that support IPv6 traffic in Version 7.0 include HTTP, FTP, SMTP, UDP, TCP, and ICMP.

DHCP Option 66 and 150 Support
This feature enhances the DHCP server on the inside interface of the ASA to provide TFTP address information to the served DHCP clients. The implementation responds with one TFTP server for DHCP option 66 requests and with, at most, two servers for DHCP option 150 requests.
DHCP options 66 and 150 simplify remote deployments of Cisco IP Phones and Cisco SoftPhone by providing the Cisco CallManager contact information needed to download the rest of the IP phone configuration.

DHCP Server Support on Multiple Interfaces
This release allows as many integrated Dynamic Host Configuration Protocol (DHCP) servers to be configured as desired, and on any interface. The DHCP client can be configured only on the outside interface, and the DHCP relay agent can be configured on any interface. However, the DHCP server and DHCP relay agent cannot be configured concurrently on the same ASA, but the DHCP client and DHCP relay agent can be configured concurrently.
We modified the following command: dhcpd address.

Multicast Support
PIM sparse mode was added to allow direct participation in the creation of a multicast tree using PIM-SM. This capability extends existing multicast support for IGMP forwarding and for Class D access control policies and ACLs. PIM-SM provides an alternative to transparent mode operation in multicast environments.
The pim commands and the multicast-routing command add support for the new functionality, along with the show mrib EXEC command.

Interface Features

Common Security-Level for Multiple Interfaces
This feature extends the security-level policy structure by enabling multiple interfaces to share a common security level. This allows for simplified policy deployments by allowing interfaces with a common security policy (for example, two ports connected into the same DMZ, or multiple zones/departments within a network) to share a common security level. Communication between interfaces with the same security level is governed by the ACL on each interface.
See the same-security-traffic command and the inter-interface keyword to enable traffic between interfaces configured with the same security level.
show interface Command
The show interface command now displays buffer counters.
Dedicated Out-of-Band Management Interface
The management-only configuration command has been introduced in interface configuration mode to enable dedicated out-of-band management access to the device.

Modification to GE Hardware Speed Settings
The Gigabit Ethernet cards can be configured by hardware in TBI or GMII mode. TBI mode does not support half duplex. GMII mode supports both half duplex and full duplex. All the i8255x controllers used in the ASAs are configured for TBI and thus cannot support half-duplex mode; hence the half-duplex setting is removed.

VLAN-based virtual interfaces
802.1Q VLAN support provides flexibility in managing and provisioning the ASA. This feature enables the decoupling of IP interfaces from physical interfaces (hence making it possible to configure logical IP interfaces independent of the number of interface cards installed), and supplies appropriate handling for IEEE 802.1Q tags.
We introduced the following command: vlan.

NAT Features

Optional Address Translation Services
This feature simplifies deployment of the ASA by eliminating the previous requirement for address translation policies to be in place before allowing network traffic to flow. Now, only hosts and networks that require address translation need to have address translation policies configured. This feature introduces a new configuration option, “nat-control”, which allows NAT to be enabled incrementally.
Version 7.0 introduces the nat-control command and preserves the current behavior for customers upgrading from previous versions of the software. For new security appliances or devices which have their configurations cleared, the default is to not require a NAT policy for traffic to traverse the security appliance.

High Availability Features

Active/Active Failover with Asymmetric Routing Support
This feature builds upon the award-winning ASA high availability architecture, introducing support for Active/Active failover. This enables two UR licensed or one UR and one FO-AA licensed ASA to act as a failover pair, both actively passing traffic at the same time, and with Asymmetric Routing Support. The Active/Active failover feature leverages the security context feature of this software release – where each ASA in a failover pair is active for one context and standby for the other, as an inverse symmetric pair. Another key customer challenge that we are addressing in Version 7.0 is Asymmetric Routing Support. This enables customers with advanced routing topologies, where packets may enter from one ISP and exit via another ISP, to deploy the ASA to protect those environments (leveraging the Asymmetric Routing Support introduced in Version 7.0).
To support the Active/Active feature, the failover active command is extended with the group keyword and this software release introduces the failover group configuration mode. In addition, the asr-group command in interface configuration mode extends the Active/Active solution to environments with Asymmetric Routing.
VPN Stateful Failover
This feature introduces Stateful Failover for VPN connections, complementing the award-winning firewall failover services. All security association (SA) state information and key material is automatically synchronized between the failover pair members, providing a highly resilient VPN solution.
VPN Stateful Failover is enabled implicitly when the device operates in single routed mode. In addition to the show failover EXEC command, which includes a detailed view of VPN Stateful Failover operations and statistics, the show isakmp sa, show ipsec sa, and show vpn-sessiondb commands have information about the tunnels on both the active and standby unit.

Failover Enhancements
This feature enhances failover functionality so that the standby unit in an ASA failover pair can be configured to use a virtual MAC address. This eliminates potential “stale” ARP entry issues for devices connected to the ASA failover pair, in the unlikely event that both ASAs in a failover pair fail at the same time and only the standby unit remains operational.

show failover Command
This new feature enhances the show failover command to display the last occurrence of a failover.

Failover Support for HTTP
This feature supports the failover replicate http and show failover commands to allow the stateful replication of HTTP sessions in a Stateful Failover environment. When HTTP replication is enabled, the show failover command displays the failover replicate http command.

Zero-Downtime Software Upgrades
This feature introduces the ability for customers to perform software upgrades of failover pairs without impacting network uptime or connections flowing through the units. Version 7.0 introduces the ability to do inter-version state sharing between ASA failover pairs, allowing customers to perform software upgrades to maintenance releases (for example, Version 7.0(1) upgrading to 7.0(2)) without impacting traffic flowing through the pair (in active/standby failover environments, or in Active/Active environments where the pair is not oversubscribed – more than 50% load on each pair member).

General High Availability Enhancements
This feature includes many significant enhancements to the Failover operation and configuration to deliver faster Failover transitions, increased scalability, and even further robustness in failover operation.
The release introduces the following new commands: failover interface-policy, failover polltime, and failover reload-standby.
Troubleshooting and Monitoring Features
Improved SNMP Support
This feature adds support for SNMPv2c, providing new services including 64-bit counters (useful for packet counters on Gigabit Ethernet interfaces) and support for bulk MIB data transfers. Additionally, Version 7.0 includes the SNMPv2 MIB (RFC 1907), the IF-MIB (RFCs 1573 and 2233), and the Cisco IPSec Flow Monitoring MIB, giving complete visibility into VPN flow statistics including tunnel uptime, bytes/packets transferred, and more.
CPU Utilization Monitoring Through SNMP
This feature supports monitoring of the ASA CPU usage through SNMP. CPU usage information is still available directly on the ASA through the show cpu [usage] command, but SNMP provides integration with other network management software.

SNMP Enhancements
Support for the ASA platform-specific object IDs has been added to the SNMP mib-2.system.sysObjectID variable. This enables CiscoView support on the ASA.

Stack Trace in Flash Memory
This feature enables the stack trace to be stored in non-volatile Flash memory, so that it can be retrieved at a later time for debug/troubleshooting purposes.

ICMP Ping Services
This feature introduces several additions to ping (ICMP echo) services, including support for IPv6 addresses. The ping command also supports extended options including data pattern, df-bit, repeat count, datagram size, interval, verbose output, and sweep range of sizes.
The existing ping EXEC command has been extended with various keywords and parameters to aid in troubleshooting network connectivity issues. It also provides support for an interactive mode of operation.

System Health Monitoring and Diagnostic Services
This feature provides improved monitoring of system operation to help isolate potential network and ASA issues. The show resource and show counters commands provide detailed information about resource utilization for the appliance and security contexts, as well as detailed statistics. To monitor CPU utilization, you may use the new show cpu EXEC command as well as the show process cpu-hog EXEC command. To isolate potential software flaws, the software introduces the checkheaps command and the related show EXEC command. Finally, to get a better understanding of block (packet) utilization, the show blocks EXEC command provides extensive analytical tools on block queuing and utilization in the system.

Debug Services
The debug commands have been improved, and many new features include corresponding debug support. Furthermore, debug output is now supported on all virtual terminals without restrictions. That is, when you enable debug output for a particular feature, you can view the output without any limitations; the output is restricted to the session where it was enabled. Finally, you can send debug output to syslog, if your security policy allows it and you wish to do so, by leveraging the logging command.

SSL debug Support
Support for the Secure Sockets Layer (SSL) protocol is added to the debug command. SSL is a protocol for authenticated and encrypted communications between clients and servers, such as ASDM and the ASA.
Packet Capture
This release supports packet capture. The ASA packet capture provides the ability to sniff or “see” any traffic accepted or blocked by the ASA. Once the packet information is captured, you have the option of viewing it on the console, transferring it to a file over the network using a TFTP server, or accessing it through a web browser using Secure HTTP. However, the ASA does not capture traffic unrelated to itself on the same network segment, and this packet capture feature does not include file system, DNS name resolution, or promiscuous mode support.
Users can now specify the capture command to store the packet capture in a circular buffer. The capture continues writing packets to the buffer until it is stopped by the administrator.
The ASA introduces additional support to improve the ability of the user to diagnose device operation by supporting the ability to capture ISAKMP traffic and to capture only packets dropped by the new Accelerated Security Path (ASP). The existing capture command has been extended with a new type keyword and parameters to capture ISAKMP, packet drops, and packet drops matching a specified reason string.

show tech Command
This feature enhances the current show tech command output to include additional diagnostic information.

Management Features

Storage of Multiple Configurations in Flash Memory
This release debuts a new Flash file system on the ASA, enabling administrators to store multiple configurations on the security appliance. This provides the ability to do configuration roll-back in the event of a mis-configuration. Commands are introduced to manage files on this new file system.
The boot config global configuration command provides the ability to specify which configuration file should be used at start-up.
Note
The new Flash file system is capable of storing not only configuration files but also multiple system images and multiple PIX images when there is adequate Flash space available.

Secure Asset Recovery
This feature introduces the ability to prevent the recovery of configuration data, certificates, and key material if the no service password-recovery command is in an ASA’s configuration (while still allowing customers to recover the asset). This feature is useful in environments where physical security may not be ideal, and to prevent nefarious individuals from gaining access to sensitive configuration data.

Scheduled System Reload (Reboot)
Administrators now have the ability to schedule a reload on an ASA either at a specific time, or at an offset from the current time, thus making it simpler to schedule network downtimes and notify remote access VPN users of an impending reboot.

Command-Line Interface (CLI) Usability
This feature enhances the CLI “user experience” by incorporating many popular Cisco IOS software command-line services such as command completion, online help, and aliasing for improved ease-of-use and a common user experience.
Command-Line Interface (CLI) Activation Key Management: This feature lets you enter a new activation key through the ASA command-line interface (CLI), without using the system monitor mode and having to TFTP a new image. Additionally, the ASA CLI displays the currently running activation key when you enter the show version command.
show version Command: The show version command output now has two interface-related lines, Max Physical interfaces and Max interfaces. Max interfaces is the total of physical and virtual interfaces.
AAA Features
AAA Integration: Version 7.0(1) provides native integration with authentication services including Kerberos, NT Domain, and RSA SecurID (without requiring a separate RADIUS/TACACS+ server) for simplified VPN user authentication. This release also introduces the ability to generate TACACS+ AAA accounting records for tracking administrative access to ASAs, as well as tracking all configuration changes that are made during an administrative session.
AAA Fallback for Administrative Access: This feature introduces the ability for authentication and authorization requests to fall back to a local user database on the ASA. The requirements and design factor in future compatibility with Cisco IOS software-like "method list" support for the ASA, and deliver the addition of the LOCAL fallback method.
AAA Integration Enhancements: This feature debuts native integration with authentication services including Kerberos, LDAP, and RSA SecurID (without requiring a separate RADIUS/TACACS+ server) for simplified user and administrator authentication. This feature also introduces the ability to generate TACACS+ AAA accounting records for tracking administrative access to ASAs, as well as tracking all configuration changes that are made during an administrative session.
Secure HyperText Transfer Protocol (HTTPS) Authentication Proxy: This feature extends the capabilities of the ASA to securely authenticate HTTP sessions and adds support for HTTPS Authentication Proxy. To configure secure authentication of HTTP sessions, use the aaa authentication secure-http-client command. To configure secure authentication of HTTPS sessions, use the aaa authentication include https or the aaa authentication include tcp/0 command. In this release, configurations that include the aaa authentication include tcp/0 command will inherit the HTTPS Authentication Proxy feature, which is enabled by default with a code upgrade to Version 6.3 or later.
Downloadable Access Control Lists (ACLs): This feature supports the download of ACLs to the ASA from an access control server (ACS). This enables the configuration of per-user access lists on an AAA server, providing per-user access list authorization; the lists are then downloaded through the ACS to the ASA.
This feature is supported for RADIUS servers only and is not supported for TACACS+ servers.
New Syslog Messaging for AAA Authentication: This feature introduces a new AAA syslog message, which prompts users for their authentication before they can use a service port.
Per-user-override: This feature adds a new keyword, per-user-override, to the access-group command. When this keyword is specified, the permit/deny status from the per-user access list (downloaded via AAA authentication) that is associated with a user overrides the permit/deny status from the access-group access list.
Local User Authentication Database for Network and VPN Access: This feature allows cut-through and VPN (using xauth) traffic to be authenticated using the ASA local username database (as an alternative to, and in addition to, the existing authentication via an external AAA server).
The server tag variable now accepts the value LOCAL to support cut-through proxy authentication using the local database.
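As an added example, not from the release notes, the AAA features above combined into one ASA configuration fragment: TACACS+ with LOCAL fallback for administrative access, command accounting, a RADIUS server for cut-through proxy authentication with downloadable ACLs, secure HTTP client authentication, and an interface ACL that a downloaded per-user ACL is allowed to override. Server names, addresses and keys are placeholders; check the exact syntax against the command reference for your ASA version.

```text
! Added example, not from the release notes. Names, addresses and keys are placeholders.
! Administrative AAA: TACACS+ first, LOCAL database only if the server is unreachable
aaa-server TACACS_SRV protocol tacacs+
aaa-server TACACS_SRV (inside) host 192.0.2.11
 key <tacacs-shared-secret>
username admin password <local-password> privilege 15
aaa authentication ssh console TACACS_SRV LOCAL
aaa authentication enable console TACACS_SRV LOCAL
! Record every command entered during an administrative session
aaa accounting command TACACS_SRV

! RADIUS server that returns the per-user (downloadable) ACL at authentication time
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 192.0.2.10
 key <radius-shared-secret>

! Cut-through proxy: authenticate inside users' HTTP sessions against RADIUS_SRV,
! and collect the credentials over HTTPS rather than cleartext HTTP
access-list AUTH_HTTP extended permit tcp any any eq www
aaa authentication match AUTH_HTTP inside RADIUS_SRV
aaa authentication secure-http-client

! Interface ACL; per-user-override lets the downloaded per-user ACL override it
access-list INSIDE_IN extended permit tcp any any eq www
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside per-user-override
```

Without per-user-override, traffic must be permitted by both INSIDE_IN and the downloaded ACL; with it, the per-user ACL decides for the authenticated user's flows, so the downloaded ACLs on the ACS need the same review as the interface ACL.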
ASDM Features
Dynamic Dashboard (ASDM Home Page)
• Displays detailed device and licensing information for quick identification of the system and resources available.
• Displays real-time system and traffic profiling.
Real-time Log Viewer
• Displays real-time syslog messages.
• Advanced filtering capabilities make it easy to focus on key events.
Improved Java Web-Based Architecture
• Accelerates the loading of ASDM with optimized applet caching capability.
• Provides anytime, anywhere access to all management and monitoring features.
Downloadable ASDM Launcher (on Microsoft Windows 2000 or XP operating systems only)
• Lets you download and run ASDM locally on your PC.
• Multiple instances of ASDM Launcher provide administrative access to multiple security appliances simultaneously, from the same management workstation.
• Automatically updates the software based on the installed version on the appliance, enabling consistent security management throughout the network.
Multiple Language Operating System Support: Supports both the English and Japanese versions of the Microsoft Windows operating systems.
© 2017 Cisco Systems, Inc. All rights reserved.