Table Of Contents
Cisco ASA 5500 Series Release Notes Version 8.0(2)
26 December 2008
This document includes the following sections:
This release supports the following products:
•Cisco ASA 5500 Series adaptive security appliance, Version 8.0(2)
•ASDM, Version 6.0(2)
•Cisco AnyConnect VPN Client, Version 2.0(1)
•Cisco Secure Desktop, Version 3.2
•Cisco Intrusion Prevention System, Version 6.0
Cisco ASA 5500 Series Adaptive Security Appliance
The Cisco ASA 5500 series adaptive security appliances are purpose-built solutions that combine the most effective security and VPN services with the innovative Cisco Adaptive Identification and Mitigation (AIM) architecture.
Designed as a key component of the Cisco Self-Defending Network, the adaptive security appliance provides proactive threat defense that stops attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity. The result is a powerful multifunction network adaptive security appliance family that provides the security breadth and depth for protecting small and medium-sized business and enterprise networks while reducing the overall deployment and operations costs and complexities associated with providing this new level of security.
For more information on all the new features, see New Features.
Additionally, the adaptive security appliance software supports Cisco Adaptive Security Device Manager (ASDM). ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the adaptive security appliance, ASDM accelerates adaptive security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of the adaptive security appliance. Its secure, web-based design enables anytime, anywhere access to adaptive security appliances. For more information on ASDM, see the Cisco ASDM Release Notes Version 6.0(2).
Cisco AnyConnect VPN Client
The Cisco AnyConnect VPN client is also supported in this release. It works with the adaptive security appliance to connect remote users running Microsoft Windows Vista, Windows XP, Windows 2000, Linux, or Macintosh OS X with the benefits of a Cisco SSL VPN client, and supports applications and functions unavailable to a clientless, browser-based SSL VPN connection. For more information, see the Release Notes for Cisco AnyConnect VPN Client, Version 2.0.
Cisco Intrusion Prevention System
IPS is also supported in this release. For more information, go to the following URL:
The sections that follow list the system requirements for operating an adaptive security appliance. This section includes the following topics:
Table 1 lists the DRAM memory requirements for the adaptive security appliance. The memory listed in this table is the default value that ships with each adaptive security appliance.
Table 1 DRAM Memory Requirements
ASA Model Default DRAM Memory (MB)
All adaptive security appliances require a minimum of 64 MB of internal CompactFlash, and they all ship with a minimum of 128 MB of internal CompactFlash.
If your adaptive security appliance has only 64 MB of internal CompactFlash, you should not store multiple system images, or multiple images of the new AnyConnect VPN client components, client/server plugins, or Cisco Secure Desktop.
We recommend that you purchase a 256 MB or 512 MB CompactFlash upgrade from Cisco, choosing from the following part numbers:
•ASA5500-CF-256 MB = ASA 5500 Series CompactFlash, 256 MB
•ASA5500-CF-512 MB = ASA 5500 Series CompactFlash, 512 MB
You can check the size of internal flash and the amount of free flash memory on the adaptive security appliance by doing the following:
•ASDM—Click Tools > File Management. The amounts of total and available flash memory appear on the bottom left in the pane.
•CLI—In Privileged EXEC mode, enter the dir command. The amounts of total and available flash memory appear at the bottom of the output.
For example:hostname # dirDirectory of disk0:/2 drwx 4096 11:22:00 Dec 01 2006 csco_config43 -rwx 14358528 08:46:02 Feb 19 2007 cdisk.bin44 -rwx 4634 14:32:48 Sep 17 2004 first-backup45 -rwx 4096 09:55:02 Sep 21 2004 fsck-245146 -rwx 4096 09:55:02 Sep 21 2004 fsck-250547 -rwx 774 10:48:04 Nov 21 2006 profile.tmpl48 -rwx 406963 12:45:34 Feb 06 2007 svc3 drwx 8192 03:35:24 Feb 02 2007 log49 drwx 4096 07:10:54 Aug 09 2006 150 -rwx 21601 14:20:40 Dec 17 2004 tftp51 -rwx 17489 06:36:40 Dec 06 2006 custom.xml136 -rwx 12456368 10:25:08 Feb 20 2007 asdmfile53 -rwx 20498 13:04:54 Feb 12 2007 tomm_english54 drwx 4096 14:18:56 Jan 14 2007 sdesktop56 -rwx 14358528 08:32:30 Feb 19 2007 asa800-215-k8.bin57 -rwx 10971 09:38:54 Apr 20 2006 cli.lua58 -rwx 6342320 08:44:54 Feb 19 2007 asdm-600110.bin59 -rwx 0 04:38:52 Feb 12 2007 LOCAL-CA-SERVER.udb60 -rwx 322 15:47:42 Nov 29 2006 tmpAsdmCustomization18486124008 -rwx 65111 10:27:48 Feb 20 2007 tomm_backup.cfg61 -rwx 416354 11:50:58 Feb 07 2007 sslclient-win-220.127.116.11.pkg62 -rwx 23689 08:48:04 Jan 30 2007 asa1_backup.cfg63 -rwx 45106 07:19:18 Feb 12 2007 securedesktop_asa_3_2_0_54.pkg64 -rwx 224 01:22:44 Oct 02 2006 LOCAL-CA-SERVER.crl65 drwx 4096 12:37:24 Feb 20 2007 LOCAL-CA-SERVER66 -rwx 425 11:45:52 Dec 05 2006 anyconnect67 -rwx 1555 10:18:04 Sep 29 2006 LOCAL-CA-SERVER_00001.p1268 -rwx 0 12:33:54 Oct 01 2006 LOCAL-CA-SERVER.cdb69 -rwx 3384309 07:21:46 Feb 12 2007 securedesktop_asa_3_2_0_57.pkg70 -rwx 774 05:57:48 Nov 22 2006 cvcprofile.xml71 -rwx 338 15:48:40 Nov 29 2006 tmpAsdmCustomization43040652672 -rwx 32 09:35:40 Dec 08 2006 LOCAL-CA-SERVER.ser73 -rwx 2205678 07:19:22 Jan 05 2007 vpn-win32-Release-2.0.0156-k9.pkg74 -rwx 3380111 11:39:36 Feb 12 2007 securedesktop_asa_3_2_0_56.pkg62881792 bytes total (3854336 bytes free)hostname #
In a failover configuration, the two units must have the same hardware configuration, must be the same model, must have the same number and types of interfaces, and must have the same amount of RAM. For more information, see the "Configuring Failover" chapter in the Cisco Security Appliance Command Line Configuration Guide.
Note If you use two units with different flash memory sizes, make sure that the unit with the smaller flash memory has enough space for the software images and configuration files.
Operating System and Browser Requirements
For the latest OS and browser test results, see the Cisco ASA 5500 Series VPN Compatibility Reference.
Determining the Software Version
Use the show version command to verify the software version of your adaptive security appliance. Alternatively, the software version appears on the Cisco ASDM home page.
Upgrading to a New Software Version
ASA Version 8.0(2) delivers major enhancements to SSL VPN Remote Access services providing advanced capabilities that simplify the management and deployment of SSL VPNs while enhancing end-user services and ease-of-use. Highlights of Version 8.0(2) for Remote Access include:
•Secure access anywhere, even unmanaged endpoints, through customizable, localizable clientless access
•Flexible access policies on a per-user, per-session, per-machine basis, enabling appropriate access for employees and partners based on their identity and the posture of their endpoints
•Always up-to-date full-tunnel access through the new AnyConnect client, including Dynamic Transport Layer Security support for latency-sensitive applications like VoIP
•Microsoft Windows Vista (32- and 64-bit) and MacOS X support
SSL VPN customers are encouraged to upgrade to Version 8.0(2).
ASA Version 8.0(2) also provides new functionality for firewall customers, as listed below. However, given this release is primarily targeted towards our SSL VPN customers, customers who remain satisfied with the firewall feature content of the ASA Version 7.x series are encouraged to remain on 7.x until such time as they have a business requirement for Version 8.0(2). To support customers choosing to remain on 7.x versions, release updates across all 7.x have been made available.
If you have a Cisco.com login, you can obtain software from the following website:
You must upgrade or downgrade from Version 7.2.(x) to Version 8.0(2) and vice versa, because older versions of the ASA images do not recognize new ASDM images, and new ASA images do not recognize old ASDM images.
You can also use the CLI to download the image. For more information, see the "Downloading Software or Configuration Files to Flash Memory" section in the Cisco Security Appliance Command Line Configuration Guide.
To upgrade from Version 7.2.(x) to Version 8.0(2), perform the following steps:
Step 1 Make a backup copy of your current configuration file.
Step 2 To retain and use an existing portal customization or URL list, make sure that clientless SSL VPN is enabled on the adaptive security appliance by doing the following:
•ASDM—Choose Configuration > Remote Access VPN > Clientless SSL VPN to enable clientless SSL VPN connections on the appropriate interface.
•CLI—Enter the webvpn enable command in global configuration mode to enable clientless SSL VPN connections on the appropriate interface.
Step 3 Load the new Version 8.0(2) image from the following website:
Step 4 Restart the device to load the Version 8.0(2) image.
Step 5 Load the new ASDM 6.0 image from the following website:
Step 6 Enter the following command to tell the adaptive security appliance where to find the ASDM image:hostname(config)# asdm image disk0:/asdmfilename (no spaces after the / character, or within the filename itself)
Upgrading to Version 8.0 for Portal Customization and URL Lists
Version 8.0 extends the functionality for configuring customization and URL lists, and the new process is incompatible with previous versions. During the software upgrade to 8.0, the adaptive security appliance preserves your current configuration by using old settings to generate new customization objects and URL lists. This process occurs only once, and is more than a simple transformation from the old format to the new one, because the old values are only a partial subset of the new ones.
Note Version 7.2 portal customizations and URL lists work only if clientless SSL VPN (WebVPN) configuration is enabled on the appropriate interface in the Version 7.2(x) configuration file before you upgrade to Version 8.0(2).
After you upgrade to Version 8.0(2), to make any changes to existing URL lists or customizations, you must use the new export/import webvpn url-list commands that replace the 7.2 url-list a commands in webvpn mode.
Similarly, to make changes to the portal customization, use the new export/import webvpn customization commands. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
The group policy, username, and tunnel group still enforce the url-list and customization objects.
Downgrading to Version 7.2(x) Software
To downgrade from Version 8.0(2) to 7.2(x), perform the following steps:
Step 1 Load the 7.2(x) image from the following website:
Step 2 Restart the device to load the 7.2(x) image.
Step 3 Load the ASDM 5.2(x) image from the following website:
Step 4 Enter the following command to tell the adaptive security appliance where to find the ASDM image:hostname(config)# asdm image disk0:/asdmfilename (no spaces after the / character, or within the filename itself)
Installing or Upgrading Cisco Secure Desktop
Cisco Secure Desktop Release 3.2 requires ASA Version 8.0(2). You do not need to restart the adaptive security appliance after you install or upgrade Cisco Secure Desktop.
Note Archive and delete the Secure Desktop desktop/data.xml configuration file before upgrading to Cisco Secure Desktop 3.2. To create a clean configuration file, uninstall Cisco Secure Desktop before reinstalling it.
The expanded flexibility provided by a prelogin assessment sequence editor, and replacement of the Cisco Secure Desktop feature policies with a dynamic access policy (DAP) configured on the adaptive security appliance, are incompatible with Cisco Secure Desktop 3.1.1 configurations. Cisco Secure Desktop automatically inserts a new, default configuration file when it detects that one is not present.
For consistency with the previous release notes, these instructions provide the CLI commands needed to install Secure Desktop. You may, however, prefer to use ASDM. To do so, choose Configuration > Remote Access VPN > Secure Desktop Manager > Setup and click Help.
To install or upgrade the Cisco Secure Desktop software, perform the following steps:
Step 1 Retrieve the securedesktop_asa_3_2_0_build.pkg file from the following website and install it on the flash memory card of the adaptive security appliance:
Step 2 Enter the following commands to access webvpn configuration mode:
hostname# config terminal
Step 3 To validate the Cisco Secure Desktop distribution package and add it to the running configuration, enter the following command in webvpn configuration mode:
hostname(config-webvpn)# csd image disk0:/securedesktop_asa_3_2_0_build.pkg
Step 4 To enable Cisco Secure Desktop for management and remote user access, use the csd enable command in webvpn configuration mode. To disable Cisco Secure Desktop, use the no form of this command.
hostname(config-webvpn)# csd enable
New FeaturesReleased: June 18, 2007
Table 2 lists the new features forASA and PIX Version 8.0(2).
Note There was no 8.0(1) release.
Table 2 New Features for ASA and PIX Version 8.0(2)
The adaptive security appliance supports EIGRP or EIGRP stub routing.
High Availability Features
Remote command execution in Failover pairs
You can execute commands on the peer unit in a failover pair without having to connect directly to the peer. This works for both Active/Standby and Active/Active failover.
CSM configuration rollback support
Adds support for the Cisco Security Manager configuration rollback feature in failover configurations.
Failover pair Auto Update support
You can use an Auto Update server to update the platform image and configuration in failover pairs.
Stateful Failover for SIP signaling
SIP media and signaling connections are replicated to the standby unit.
A logical redundant interface pairs an active and a standby physical interface. When the active interface fails, the standby interface becomes active and starts passing traffic. You can configure a redundant interface to increase the adaptive security appliance reliability. This feature is separate from device-level failover, but you can configure redundant interfaces as well as failover if desired. You can configure up to eight redundant interface pairs.
Virtual IPS sensors with the AIP SSM
The AIP SSM running IPS software Version 6.0 and above can run multiple virtual sensors, which means you can configure multiple security policies on the AIP SSM. You can assign each context or single mode adaptive security appliance to one or more virtual sensors, or you can assign multiple security contexts to the same virtual sensor. See the IPS documentation for more information about virtual sensors, including the maximum number of sensors supported.
You can reset the password on the SSM hardware module.
VPN Authentication Features 1
Combined certificate and username/password login
An administrator requires a username and password in addition to a certificate for login to SSL VPN connections.
Internal domain username/password
Provides a password for access to internal resources for users who log in with credentials other than a domain username and password, for example, with a one-time password. This is a password in addition to the one a user enters when logging in.
Generic LDAP support
This includes OpenLDAP and Novell LDAP. Expands LDAP support available for authentication and authorization.
The adaptive security appliance includes an onscreen keyboard option for the login page and subsequent authentication requests for internal resources. This provides additional protection against software-based keystroke loggers by requiring a user to use a mouse to click characters in an onscreen keyboard for authentication, rather than entering the characters on a physical keyboard.
SAML SSO verified with RSA Access Manager
The adaptive security appliance supports Security Assertion Markup Language (SAML) protocol for Single Sign On (SSO) with RSA Access Manager (Cleartrust and Federated Identity Manager).
Version 8.0(2) adds support for NTLMv2 authentication for Windows-based clients.
Local certificate authority
Provides a certificate authority on the adaptive security appliance for use with SSL VPN connections, both browser- and client-based.
Provides OCSP revocation checking for SSL VPN.
Cisco Secure Desktop Features
As a condition for the completion of a Cisco AnyConnect or clientless SSL VPN connection, the remote computer scans for a greatly expanded collection of antivirus and antispyware applications, firewalls, operating systems, and associated updates. It also scans for any registry entries, filenames, and process names that you specify. It sends the scan results to the adaptive security appliance. The adaptive security appliance uses both the user login credentials and the computer scan results to assign a Dynamic Access Policy (DAP).
With an Advanced Endpoint Assessment License, you can enhance Host Scan by configuring an attempt to update noncompliant computers to meet version requirements.
Cisco can provide timely updates to the list of applications and versions that Host Scan supports in a package that is separate from Cisco Secure Desktop.
Simplified prelogin assessment and periodic checks
Cisco Secure Desktop now simplifies the configuration of prelogin and periodic checks to perform on remote Microsoft Windows computers. Cisco Secure Desktop lets you add, modify, remove, and place conditions on endpoint checking criteria using a simplified, graphical view of the checks. As you use this graphical view to configure sequences of checks, link them to branches, deny logins, and assign endpoint profiles, Cisco Secure Desktop Manager records the changes to an XML file. You can configure the adaptive security appliance to use returned results in combination with many other types of data, such as the connection type and multiple group settings, to generate and apply a DAP to the session.
VPN Access Policy Features
Dynamic access policies (DAP)
VPN gateways operate in dynamic environments. Multiple variables can affect each VPN connection, for example, intranet configurations that frequently change, the various roles each user may inhabit within an organization, and logins from remote access sites with different configurations and levels of security. The task of authorizing users is much more complicated in a VPN environment than it is in a network with a static configuration.
Dynamic Access Policies (DAP) on the adaptive security appliance let you configure authorization that addresses these many variables. You create a dynamic access policy by setting a collection of access control attributes that you associate with a specific user tunnel or session. These attributes address issues of multiple group membership and endpoint security. That is, the adaptive security appliance grants access to a particular user for a particular session based on the policies you define. It generates a DAP at the time the user connects by selecting and/or aggregating attributes from one or more DAP records. It selects these DAP records based on the endpoint security information of the remote device and the AAA authorization information for the authenticated user. It then applies the DAP record to the user tunnel or session.
Lets you differentiate regular remote access users and administrative users under the same database, either RADIUS or LDAP. You can create and restrict access to the console via various methods (TELNET and SSH, for example) to administrators only. It is based on the IETF RADIUS service-type attribute.
VLAN support for remote access VPN connections
Provides support for mapping (tagging) of client traffic at the group or user level. This feature is compatible with clientless as well as IPsec and SSL tunnel-based connections.
VPN load balancing for the ASA 5510
Extends load balancing support to ASA 5510 adaptive security appliances that have a Security Plus license.
Crypto conditional debug
Lets users debug an IPsec tunnel on the basis of predefined crypto conditions such as the peer IP address, connection-ID of a crypto engine, and security parameter index (SPI). By limiting debug messages to specific IPSec operations and reducing the amount of debug output, you can better troubleshoot the adaptive security appliance with a large number of tunnels.
Browser-based SSL VPN Features
Enhanced portal design
Version 8.0(2) includes an enhanced end user interface that is more cleanly organized and visually appealing.
Supports administrator-defined customization of all user-visible content.
Support for FTP
You can provide file access via FTP in additional to CIFS (Windows-based).
Version 8.0(2) adds a framework for supporting TCP-based applications without requiring a pre-installed client application. Java applets let users access these applications from the browser-enabled SSL VPN portal. Initial support is for TELNET, SSH, RDP, and VNC.
A smart tunnel is a connection between an application and a remote site, using a browser-based SSL VPN session with the adaptive security appliance as the pathway. Version 8.0(2) lets you identify the applications to which you want to grant smart tunnel access, and lets you specify the path to the application and the SHA-1 hash of its checksum to check before granting it access. Lotus SameTime and Microsoft Outlook Express are examples of applications to which you might want to grant smart tunnel access.
The remote host originating the smart tunnel connection must be running Microsoft Windows Vista, Windows XP, or Windows 2000, and the browser must be enabled with Java, Microsoft ActiveX, or both.
Administrators can populate the clientless portal with RSS newsfeed information, which lets company news or other information display on a user screen.
Personal bookmark support
Users can define their own bookmarks. These bookmarks are stored on a file server.
Adds support for several complex forms of web content over clientless connections, including Adobe flash and Java WebStart.
Allows access to IPv6 resources over a public IPv4 connection.
Lets browser-based SSL VPN users connecting from Windows operating systems browse shared file systems and perform the following operations: view folders, view folder and file properties, create, move, copy, copy from the local host to the remote host, copy from the remote host to the local host, and delete. Internet Explorer indicates when a web folder is accessible. Accessing this folder launches another window, providing a view of the shared folder, on which users can perform web folder functions, assuming the properties of the folders and documents permit them.
Microsoft Sharepoint enhancement
Extends Web Access support for Microsoft Sharepoint, integrating Microsoft Office applications available on the machine with the browser to view, change, and save documents shared on a server. Version 8.0(2) supports Windows Sharepoint Services 2.0 in Windows Server 2003.
HTTP/HTTPS Proxy Features
Proxy exclusion list
Lets you configure a list of URLs to exclude from the HTTP requests the adaptive security appliance can send to an external proxy server.
VPN Network Access Control Features
SSL VPN tunnel support
The adaptive security appliance provides NAC posture validation of endpoints that establish AnyConnect VPN client sessions.
Support for audit services
You can configure the adaptive security appliance to pass the IP address of the client to an optional audit server if the client does not respond to a posture validation request. The audit server uses the host IP address to challenge the host directly to assess its health. For example, it might challenge the host to determine whether its virus checking software is active and up-to-date. After the audit server completes its interaction with the remote host, it passes a token to the posture validation server, indicating the health of the remote host. If the token indicates the remote host is healthy, the posture validation server sends a network access policy to the adaptive security appliance for application to the traffic on the tunnel.
Application Inspection Features
Modular policy framework inspect class map
Traffic can match one of multiple match commands in an inspect class map; formerly, traffic had to match all match commands in a class map to match the class map.
AIC for encrypted streams and AIC Arch changes
Provides HTTP inspection into TLS, which allows AIC/MPF inspection in WebVPN HTTP and HTTPS streams.
TLS Proxy for SCCP and SIP2
Enables inspection of encrypted traffic. Implementations include SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with the Cisco CallManager.
SIP enhancements for CCM
Improves interoperability with CCM 5.0 and 6.x with respect to signaling pinholes.
IPv6 support for SIP
The SIP inspection engine supports IPv6 addresses. IPv6 addresses can be used in URLs, in the Via header field, and SDP fields.
Full RTSP PAT support
Provides TCP fragment reassembly support, a scalable parsing routine on RTSP, and security enhancements that protect RTSP traffic.
Access List Features
Enhanced service object group
Lets you configure a service object group that contains a mix of TCP services, UDP services, ICMP-type services, and any protocol. It removes the need for a specific ICMP-type object group and protocol object group. The enhanced service object group also specifies both source and destination services. The access list CLI now supports this behavior.
Ability to rename access list
Lets you rename an access list.
Live access list hit counts
Includes the hit count for ACEs from multiple access lists. The hit count value represents how many times traffic hits a particular access rule.
Attack Prevention Features
Set connection limits for management traffic to the adaptive security appliance
For a Layer 3/4 management class map, you can specify the set connection command.
You can enable basic threat detection and scanning threat detection to monitor attacks such as DoS attacks and scanning attacks. For scanning attacks, you can automatically shun attacking hosts. You can also enable scan threat statistics to monitor both valid and invalid traffic for hosts, ports, protocols, and access lists.
Transparent firewall NAT support
You can configure NAT for a transparent firewall.
You can enable secure connections to the syslog server using SSL or TLS with TCP, and encrypted system log message content. Not supported on the PIX series adaptive security appliance.
1 Clientless SSL VPN features are not supported on the PIX security appliance.
2 TLS proxy is not supported on the PIX security appliance.
This section lists important notes related to Version 8.0(2).
No .NET over Clientless
Clientless sessions do not support .NET framework applications (CSCsv29942).
Replacing the Code Signing Certificate
ASAs provide a temporary code signing certificate to sign Java applets. The temporary certificate lets Java applets perform their intended functions without a warning message. ASA administrators should replace the temporary certificate before it expires with their own code signing certificate issued by a trusted certificate authority (CA). This CA can be a public CA, such as Verisign, GoDaddy or Thawte, or an enterprise CA that is trusted by the employees' web browser. Without a valid certificate, end users will see a warning message when they use any Java applets.
To generate the certificate signing request and key using manual enrollment (also called terminal enrollment) on the ASA,
Step 1 Generate a Certificate Signing Request (CSR).
For example:hostname(config)# crypto key generate rsa label CodeSignerINFO: The name for the keys will be: CodeSignerKeypair generation process begin. Please wait...hostname(config)# crypto ca trustpoint CodeSignerhostname(config-ca-trustpoint)# enrollment terminalhostname(config-ca-trustpoint)# subject-name CN=ASA-Code-Signer,O=Companynamehostname(config-ca-trustpoint)# keypair CodeSignerhostname(config-ca-trustpoint)# id-usage code-signer
Step 2 Enroll it with either an internal or external CA.For example:hostname(config-ca-trustpoint)# crypto ca enroll CodeSigner% Start certificate enrollment ..% The subject name in the certificate will be: CN=ASA-Code-Signer,O=Companyname% The fully-qualified domain name in the certificate will be: hostname.domain.com% Include the device serial number in the subject name? [yes/no]: nDisplay Certificate Request to terminal? [yes/no]: yCertificate Request follows:-----BEGIN CERTIFICATE REQUEST-----text-of-certificate-request-----END CERTIFICATE REQUEST-----Redisplay enrollment request? [yes/no]: n
Step 3 Submit the certificate request to a CA.
Step 4 Once the CA issues the certificate, import it using the following command:hostname(config)# crypto ca import CodeSigner certificate% The fully-qualified domain name in the certificate will be: wb5540-FO.frqa.cisco.comEnter the base 64 encoded certificate.End with the word "quit" on a line by itself-----BEGIN CERTIFICATE-----text-of-certificate-----END CERTIFICATE-----quitINFO: Certificate successfully importedhostname(config)# crypto ca authenticate CodeSignerEnter the base 64 encoded CA certificate.End with the word "quit" on a line by itself-----BEGIN CERTIFICATE-----text-of-certificate-----END CERTIFICATE-----quitINFO: Certificate has the following attributes:Fingerprint: 359ff10c 4449e182 045d9133 d64378acDo you accept this certificate? [yes/no]: yesTrustpoint CA certificate accepted.% Certificate successfully imported
Step 5 Go to webvpn mode.
For example,hostname(config)# webvpn
Step 6 Configure the new trustpoint for signing Clientless SSL Java objects.
java-trustpoint trustpointnameFor example,hostname(config-webvpn)# java-trustpoint <trustpointname>hostname(config-webvpn)# write memory
Step 7 Save the configuration changes.
hostname(config-webvpn)# write memory
Importing an existing code signing certificate with a key pair
If you got a code signing certificate online using a web form with a third-party vendor such as Verisign or Entrust, or an internal CA, import it as follows:
Step 1 Export the certificate to a PKCS12 file (with a private key).
Step 2 Go to step 3 if the code signing certificate and key are in PEM format. Otherwise, convert the file to PEM (base64) format. The following examples each identify a tool to convert the file, the command syntax, and an example:
openssl base64 -in name-of-DER-file.extension -out same-name.pem
openssl base64 -in ie-export.pfx -out ie-export.pem
certutil -encode name-of-DER-file.extension same-name.pem
certutil -encode ie-export.pfx ie-export.pem
This step is especially needed if you used Internet Explorer to export the certificate.
Step 3 Enter the following command to import the file into the ASA.
crypto ca import trustpoint-name pkcs12 passphrase
For example:hostname(config)# crypto ca import CodeSigner pkcs12 Wh0zitsEnter the base 64 encoded pkcs12.End with the word "quit" on a line by itself:-----BEGIN PKCS12-----text-of-PKCS12-----END PKCS12-----quitINFO: Import PKCS12 operation completed successfully
Step 4 Enter the following commands to designate the trustpoint as a code-signer:
crypto ca trustpoint trustpoint-name
For example,hostname(config)# crypto ca trustpoint CodeSignerhostname(config)# id-usage code-signer
Step 5 Go to webvpn mode.
For example,hostname(config)# webvpn
Step 6 Enter the following command to configure the new trustpoint for signing Clientless SSL Java objects:
For example,hostname(config-webvpn)# java-trustpoint CodeSigner
Step 7 Save the configuration changes.
hostname(config-webvpn)# write memory
Web Folders May Require a Microsoft Patch
Web folders do not work if both of the following are true:
•Microsoft Internet Explorer 7 is installed on Microsoft Windows XP or 2000.
•Microsoft Office is not installed.
In the initial 8.0(2) release, the adaptive security appliance software disables web folders in the portal when this occurs. In releases following 8.0(2), including maintenance releases, the software does not disable web folders. In that case, the user sees "My Computer" opened instead of the targeted web folder. Remote users can use web folders after installing a Microsoft patch from either of the following pages:
In some language versions of Windows, web folders also fail to open if web folder requests have non-ASCII characters. In this case, the requests of the corresponding locale fail to specify the encoding in use. Remote users can also avoid this issue by installing the patch from either of the pages above.
JInitiator and SSL Certificates
Oracle JInitiator is the licensed Oracle version of Sun JVM. Some forms-based applications require JInitiator to run. This requirement might apply to some applications running over clientless SSL VPN on the adaptive security appliances.
Complications occur in applying an SSL certificate to the JInitiator, a requirement for loading JInitiator onto the adaptive security appliance. The solution is to import the SSL certificate to the JInitiator keystore.
To import the SSL certificate to the JInitiator keystore, perform the following steps:
Step 1 Double-click the yellow lock in the status bar of Internet Explorer.
Step 2 Navigate to the Certification Path tab to see whether the self-signed certificate has a root certificate. If it does, select the root certificate and click the View Certificate button. If no root certificate exists, continue with the self-signed certificate.
Step 3 Click the Details tab and click Copy to File.
Step 4 Save the certificate as Base-64 encoded.
Step 5 Open the Base-64 encoded certificate in a text-editor. Copy the entire contents (including the BEGIN CERTIFICATE and END CERTIFICATE lines).
Step 6 Open the certdb.txt file in the lib/security directory of Oracle JInitiator (for example, C:\Program Files\Oracle\JInitiator 18.104.22.168\lib\security\certdb.txt). Add the copied certificate to this file and prepend it with comment lines (beginning with #) to explain what the certificate is.
Step 7 Close any open web browsers to close the associated JVMs and start the application again. The JInitiator application should work.
CSA Interoperability with the AnyConnect Client and Cisco Secure Desktop
If your remote users have Cisco Security Agent (CSA) installed, you must import new CSA policies to the remote users to enable the AnyConnect VPN client and Cisco Secure Desktop to interoperate with the adaptive security appliance.
To enable the AnyConnect VPN client and Cisco Secure Desktop, perform the following steps:
Step 1 Retrieve the CSA policies for the AnyConnect client and Cisco Secure Desktop. You can get the files from:
•The CD that shipped with the adaptive security appliance.
The software download page for the ASA 5500 Series adaptive security appliance at http://www.cisco.com/cisco/pub/software/portal/select.html
•The filenames are AnyConnect-CSA.zip and CSD-for-CSA-updates.zip.
Step 2 Extract the .export files from the .zip package files.
Step 3 Choose the correct version of the .export file to import. The Version 5.2 export files work for CSA Versions 5.2 and higher. The 5.x export files are for CSA Versions 5.0 and 5.1.
Step 4 Import the file using the Maintenance > Export/Import tab on the CSA Management Center.
Step 5 Attach the new rule module to your VPN policy and generate rules.
For more information, see the CSA document Using Management Center for Cisco Security Agents 5.2. Specific information about exporting policies is located in the section, Exporting and Importing Configurations.
Toggling the HTTP Server Off and On While Using ASDM
ASDM becomes nonfunctional if you toggle the HTTP server off and on. The work around is to reload the adaptive security appliance.
Using the Priority-Queue Configuration on ASA 5505
On ASA 5505 only, configuring priority-queue on one interface overwrites the same configuration on all other interfaces (that is, only the last applied configuration is present on all interfaces). In addition, if the priority-queue configuration is removed from one interface, it is removed from all interfaces.
To work around this issue, configure the priority-queue command on only one interface. If different interfaces need different settings for the queue-limit and/or tx-ring-limit commands, use the largest of all queue-limits and the smallest of all tx-ring-limits on any one interface (CSCsi13132).
VLAN ID Range Support on ASA 5505
The range for VLAN IDs has been increased from 1-1001 to 1-4090.
Java Applet Plug-in Connected Status
Some open-source, Java applet plug-ins display a status of "connected" and "online" even if the session to the destination service is not set up. The applet displays the incorrect status information, not the adaptive security appliance.
Cache Cleaner Support
Cache Cleaner, available as part of Cisco Secure Desktop, supports clientless (browser-based) SSL VPN connections over Macintosh; Linux; and Windows 98, ME, 2000, XP, and Vista. Cache Cleaner also supports Weblaunch of Cisco AnyConnect on a PC running Windows 2000 or XP. Cache Cleaner does not support the standalone startup of AnyConnect client from any computer.
When you access Microsoft Word from Sharepoint in a clientless SSL VPN session, do not use the "Save As" option to save a file with its existing filename. Use the "Save" option to overwrite the existing file, and the "Save As" option to save the file with a new filename (CSCsi21048).
ASA Version 8.0(2) clientless SSL VPN software does not support Explorer View in Sharepoint 2.0.
Insertion or Removal of Flash Memory Card
If you use the Linux OS, when you insert or remove an external flash memory card, a system log message is not recorded (CSCsg64799).
AnyConnect Client Sessions
A reestablished AnyConnect client session fails to displace an AnyConnect client session that is terminated abnormally (CSCsi40917).
High Availability Active/Standby Configuration
When the adaptive security appliance is operating in a high-availability active/standby configuration and a failover occurs, causing the standby adaptive security appliance to resume current connections, the MacOS X AnyConnect connections might disconnect. If the MacOS X AnyConnect connection disconnects after a failover, you must reconnect (CSCsi44920).
IPv6 SSL VPN failover (as well as IPv6 failover in general) is not supported in ASA Version 8.0(2).
Version 8.0(2) does not support MAPI proxy either via Port Forwarding or Smart Tunnels. The work around is to use AnyConnect for Microsoft Exchange.
Open Source Software Usage
For a list of the open source software used in ASA Version 8.0(2), see the Open Source Software Licenses for ASA and PIX Security Appliances document on Cisco.com.
•Symptom: SSL connections from browsers and AnyConnect fail if the certificate being used contains the following enhanced key usage "IP security IKE intermediate (22.214.171.124.126.96.36.199.2)". This is the default way of issuing certificates via SCEP enrollment to a Microsoft 2003 Enterprise CA with the newer certificate templates.
–Use terminal enrollment instead of SCEP to get an ASA certificate.
–Changing the SCEP policy module on the 2003 CA may alleviate this issue.
•Symptom: If the validity date for a a certificate is issued beyond the year 2099, it will fail to authenticate and an error will be generated when attempting to authenticate it.
–Limit the validity period of the certificate to less than the recommended end date of 03:14:08 UTC, January 19, 2038
•Symptom: User prompted for credentials when permstore and auto-signon are both enabled.
Both auto-signon and permanent-storage are enabled for the server requiring authentication.
–Disable auto-signon for this server. Enable auto-signon only for servers having the same login credentials as WebVPN.
Note Because credentials used by auto-signon take precedence over permanent-storage of user credentials, do not enable auto signon for servers that do not require authentication or that use credentials different from the adaptive security appliance. When auto signon is enabled, the adaptive security appliance passes on the login credentials that the user entered to log into the adaptive security appliance regardless of what credentials are in user storage.
DAP and Anti-Virus, Anti-Spyware, and Personal Firewall Programs
The adaptive security appliance uses a DAP policy when the user attributes matches the configured AAA and endpoint attributes. The Prelogin Assessment and Host Scan modules of Cisco Secure Desktop return information to the adaptive security appliance about the configured endpoint attributes, and the DAP subsystem uses that information to select a DAP record that matches the values of those attributes.
Most, but not all, anti-virus, anti-spyware, and personal firewall programs support active scan, which means that the programs are memory-resident, and therefore always running. Host Scan checks to see if an endpoint has a program installed, and if it is memory-resident as follows:
•If the installed program does not support active scan, Host Scan reports the presence of the software. The DAP system selects DAP records that specify the program.
•If the installed program does support active scan, and active scan is enabled for the program, Host Scan reports the presence of the software. Again the adaptive security appliance selects DAP records that specify the program.
•If the installed program does support active scan and active scan is disabled for the program, Host Scan ignores the presence of the software. The adaptive security appliance does not select DAP records that specify the program. Further, the output of the debug trace command, which includes a lot of information about DAP, does not indicate the program presence, even though it is installed.
This behavior provides improved security from 8.0 Beta releases, which counted as matches users who had anti-virus, anti-spyware, and personal firewall programs installed but not running.
Online help for Dynamic Access Policies mentions but does not include examples. The examples are in the ASDM Configuration Guide, available on cisco.com.
Backing Up Configuration Files
Configuration files in Version 8.0(2) include the following:
•Startup and running configuration files.
• Files you import using the import webvpn command. Currently these files include customizations, URL lists, web contents, plug-ins, and language translations.
• DAP policies (dap.xml).
• CSD configurations (data.xml).
• Digital keys and certificates (we do not recommend automatic backups for security reasons).
• Local CA user database and certificate status files (we do not recommend automatic backups of the CA key for security reasons).
The CLI lets you back up and restore individual elements of your configuration using the copy, save, export and import commands.
We now also provide a sample script that lets you automate these backups. That is, you can use a script to back up and restore multiple files, rather than executing a series of CLI commands.
For more information and step-by-step instructions for using CLI commands and/or a script to back up and restore your configuration files, see the "Backing Up Configuration Files" section in the Cisco Security Appliance Command Line Interface Configuration Guide.
The default size of the cache filesystem (20 Mb) is not enough to support all four versions of the AnyConnect packages (Windows, Linux, Mac OS X arch386, Mac OS X ppc) and CSD. If you want to install all five client packages on the adaptive security appliance, you should first increase the maximum size of cache filesystem entering the (config-webvpn)# cache-fs limit command The recommended size of cache filesystem is 22 Mb.
The following sections describe the caveats for Version 8.0(2).
For your convenience in locating caveats in the Cisco Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
To become a registered cisco.com user, go to the following website:
Open Caveats - Version 8.0(2)
For additional information on the adaptive security appliance, go to:
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc.
All rights reserved.