The Cisco® ASA Adaptive Security Appliance 9.2.1 software release offers significant new routing, clustering, and VPN features. The release is supported on the Cisco ASA Services Module (ASA-SM) as well as the ASA 5505, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, and ASA 5585-X appliances and processors and the ASAv, the new virtual appliance form factor.
● ASAv platform: ASA software 9.2.1 adds support for the new Cisco Adaptive Security Virtual Appliance. The firewall software that previously ran on physical appliances now also runs as a virtual appliance. ASAv is available in two throughput-based versions: 1 Gbps and 2 Gbps. Each version can be purchased with either a bundle of firewall features or a bundle of firewall features and Cisco AnyConnect® premium features.
● BGPv4: ASA 9.2.1 adds support for the Border Gateway Protocol used for interdomain routing. With the help of BGP, customers can peer ASA firewalls with a service provider’s routers, thus optimizing equipment costs. Customers can also take advantage of the rich controls provided by BGP to control route advertisements. ASA software already supports dynamic unicast routing through Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP).
● Clustering enhancements: ASA 9.2.1 adds support for up to 16 members in a cluster and up to 32 active EtherChannel member ports. This doubles the available firewalling capacity in a cluster compared with previous releases (to a maximum of 640 Gbps). In addition, it supports intersite clustering in a spanned EtherChannel mode. Finally, ASA 9.2.1 validates Cisco Nexus® 9300 interoperability with ASA clustering.
● Remote access VPN enhancements
◦ Change of authorization (CoA): The Cisco Identity Services Engine (ISE) Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is established. When a policy changes for a user or user group in AAA, CoA packets can be sent directly to the ASA from ISE to reinitialize authentication and apply the new policy. An Inline Posture Enforcement Point (IPEP) is no longer required to apply access control lists (ACLs) for each VPN session established with the ASA.
◦ Clientless VPN: ASA’s clientless VPN functionality now supports compressed content. Compressed content sent by a server is available to requesting clients through URLs that ASA rewrites so that they function correctly.
● Other enhancements
◦ Embedded event manager (EEM): The EEM feature enables VPN customers to debug problems by providing additional logs for troubleshooting. Administrators can now instruct ASA to execute additional troubleshooting commands on receipt of specific event triggers.
◦ SNMP: ASA 9.2.1 adds support for simultaneous polling by up to 128 Simple Network Management Protocol hosts. Further, it increases the SNMP message size to 1472 bytes. Finally, ASA 9.2.1 adds a new SNMP MIB for monitoring VPN shared license usage.
● Release Notes: http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/release/notes/asarn92.html
● ASAv product page: http://www.cisco.com/c/en/us/products/security/virtual-adaptive-security-appliance-firewall/index.html