Platform Features

Secure Firewall 3100

We introduced the ASA for the Secure Firewall 3110, 3120, 3130, and 3140. The Secure Firewall 3100 supports up to 8 units for Spanned EtherChannel clustering. You can hot swap a network module of the same type while the firewall is powered up without having to reboot; making other module changes requires a reboot. Secure Firewall 3100 25 Gbps interfaces support Forward Error Correction as well as speed detection based on the SFP installed. The SSDs are self-encrypting drives (SEDs), and if you have 2 SSDs, they form a software RAID.

New/Modified commands: fec, netmod, speed sfp-detect, raid, show raid, show ssd

ASAv support for Autoscale

The ASAv now supports Autoscale for the following Public Cloud offerings:

• Google Cloud Platform (GCP)

• Oracle Cloud Infrastructure (OCI)

Autoscaling increases or decreases the number of ASAv application instances based on capacity requirements.

ASAv for AWS expanded instance support

The ASAv on the AWS Public Cloud now supports AWS Nitro System instances from different Nitro instance families.

ASAv for AWS adds support for these instances:

• c5a.large, c5a.xlarge, c5a.2xlarge, c5a.4xlarge

• c5d.large, c5d.xlarge, c5d.2xlarge, c5d.4xlarge

• c5ad.large, c5ad.xlarge, c5ad.2xlarge, c5ad.4xlarge

• m5n.large, m5n.xlarge, m5n.2xlarge, m5n.4xlarge

• m5zn.large, m5zn.xlarge, m5zn.2xlarge

For a detailed list of supported instances, see the Cisco Adaptive Security Virtual Appliance (ASAv) Data Sheet.

ASAv for Azure expanded instance support

ASAv on the Azure Public Cloud now supports these instances:

• Standard_D8s_v3

• Standard_D16s_v3

• Standard_F8s_v2

• Standard_F16s_v2

For a detailed list of supported instances, see the Cisco Adaptive Security Virtual Appliance (ASAv) Data Sheet.

Intel QuickAssist Technology (QAT) on ASAv

The ASAv supports hardware crypto acceleration for ASAv deployments that use the Intel QuickAssist (QAT) 8970 PCI adapter. Hardware crypto acceleration for the ASAv using QAT is supported on VMware ESXi and KVM only.

Single Root I/O Virtualization (SR-IOV) support for ASAv on OCI.

You can now implement Single Root Input/Output Virtualization (SR-IOV) for ASAv on OCI. SR-IOV can provide performance improvements for ASAv. Mellanox 5 as vNICs are not supported in SR-IOV mode.

Firewall Features

Twice NAT support for fully-qualified domain name (FQDN) objects as the translated (mapped) destination

You can use an FQDN network object, such as one specifying www.example.com, as the translated (mapped) destination address in twice NAT rules. The system configures the rule based on the IP address returned from the DNS server.

Network-service objects and their use in policy-based routing and access control

You can configure network-service objects and use them in extended access control lists for use in policy-based routing route maps and access control groups. Network-service objects include IP subnet or DNS domain name specifications, and optionally protocol and port specifications, that essentially combine network and service objects. This feature also includes the ability to define trusted DNS servers, to ensure that any DNS domain name resolutions acquire IP addresses from trusted sources.

We added or modified the following commands: access-list extended , app-id , clear configure object network-service , clear configure object-group network-service , clear dns ip-cache , clear object , clear object-group , debug network-service , description , dns trusted-source , domain , network-service-member , network-service reload , object-group network-service , object network-service , policy-route cost , set adaptive-interface cost , show asp table classify , show asp table network-service , show dns trusted-source , show dns ip-cache , show object , show object-group , show running-config , subnet .

High Availability and Scalability Features

ASAv30, ASAv50, and ASAv100 clustering for VMware and KVM

ASAv clustering lets you group up to 16 ASAvs together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. ASAv clustering supports Individual Interface mode in routed firewall mode; Spanned EtherChannels are not supported. The ASAv uses a VXLAN virtual interface (VNI) for the cluster control link.

New/Modified commands: cluster-interface vni, nve-only cluster, peer-group, show cluster info, show cluster info instance-type, show nve 1

Clearing routes in a high availability group or cluster

Interface Features

Geneve interface support for the ASAv

Geneve encapsulation support was added for the ASAv30, ASAv50, and ASAv100 to support single-arm proxy for the AWS Gateway Load Balancer.

New/Modified commands: debug geneve, debug nve, debug vxlan, encapsulation, packet-tracer geneve, proxy single-arm, show asp drop, show capture, show interface, show nve

Secure Firewall 3100 auto-negotiation can be enabled or disabled for 1Gigabit and higher interfaces.

Secure Firewall 3100 auto-negotiation can be enabled or disabled for 1Gigabit and higher interfaces. For other model SFP ports, the no speed nonegotiate option sets the speed to 1000 Mbps; the new command means you can set auto-negotiation and speed independently.

New/Modified commands: negotiate-auto

Administrative and Troubleshooting Features

Startup time and tmatch compilation status

The show version command now includes information on how long it took to start (boot) up the system. Note that the larger the configuration, the longer it takes to boot up the system.

The new show asp rule-engine command shows status on tmatch compilation. Tmatch compilation is used for an access list that is used as an access group, the NAT table, and some other items. It is an internal process that can consume CPU resources and impact performance while in progress, if you have very large ACLs and NAT tables. Compilation time depends on the size of the access list, NAT table, and so forth.

Enhancements to show access-list element-count output and show tech-support content

The output of the show access-list element-count has be enhanced to show the following:

• When used in the system context in multiple-context mode, the output shows the element count for all access lists across all the contexts.

• When used with object-group search enabled, the output includes details about the number of object groups in the element count.

In addition, the show tech-support output now includes the output show access-list element-count and show asp rule-engine .

CiscoSSH stack

The ASA uses a proprietary SSH stack for SSH connections. You can now choose to use the CiscoSSH stack instead, which is based on OpenSSH. The default stack continues to be the ASA stack. Cisco SSH supports:

• FIPS compliance

• Regular updates, including updates from Cisco and the open source community

Note that the CiscoSSH stack does not support:

• SSH to a different interface over VPN (management-access)

• EdDSA key pair

• RSA key pair in FIPS mode

If you need these features, you should continue to use the ASA SSH stack.

There is a small change to SCP functionality with the CiscoSSH stack: to use the ASA copy command to copy a file to or from an SCP server, you have to enable SSH access on the ASA for the SCP server subnet/host using the ssh command.

New/Modified commands: ssh stack ciscossh

PCAP support in packet tracer

You can replay a PCAP file in packet tracer tool and obtain the trace results. pcap and force are two new keywords that is used to support the usage of PCAP in packet tracer.

New/Modified commands: packet-tracer input and show packet-tracer

Stronger local user and enable password requirements

For local users and the enable password, the following password requirements were added:

• Password length—Minimum 8 characters. Formerly, the minimum was 3 characters.

• Repetitive and sequential characters—Three or more consecutive sequential or repetitive ASCII characters are disallowed. For example, the following passwords will be rejected:

  • abcuser1

  • user543

  • useraaaa

  • user2666

New/Modified commands: enable password , username

Local user lockout changes

The ASA can lock out local users after a configurable number of failed login attempts. This feature did not apply to users with privilege level 15. Also, a user would be locked out indefinitely until an admin unlocked their account. Now, users will be unlocked after 10 minutes unless an admin uses the clear aaa local user lockout command before then. Privilege level 15 users are also now affected by the lockout setting.

New/Modified commands: aaa local authentication attempts max-fail , show aaa local user

SSH and Telnet password change prompt

The first time a local user logs into the ASA using SSH or Telnet, they are prompted to change their password. They will also be prompted for the first login after an admin changes their password. If the ASA reloads, however, users will not be prompted even if it is their first login.

Note that any service that uses the local user database, such as VPN, will also have to use the new password if it was changed during an SSH or Telnet login.

New/Modified commands: show aaa local user

Monitoring Features

SNMP now supports IPv6 when grouping multiple hosts in the form of a network object

The host-group command of snmp-server now supports IPv6 host, range, and subnet objects.

New/Modified commands: snmp-server host-group

VPN Features

Local tunnel id support for IKEv2

Support has been added for local Tunnel id configuration for IKEv2.

New/Modified commands: set ikev2 local-identity

Support for SAML Attributes with DAP constraint

Support has been added for SAML assertion attributes which can be used to make DAP policy selections. It also introduces the ability for a group-policy to be specified by the cisco_group_policy attribute.

Multiple SAML trustpoints in IDP configuration

This feature supports adding multiple IDP trustpoints per SAML IDP configuration for applications that support multiple applications for the same Entity ID.

New/Modified commands: saml idp-trustpoint <trustpoint-name>

AnyConnect Client VPN SAML External Browser

You can now configure VPN SAML External Browser to enable additional authentication choices, such as passwordless authentication, WebAuthN, FIDO2, SSO, U2F, and an improved SAML experience due to the persistence of cookies. When you use SAML as the primary authentication method for a remote access VPN connection profile, you can elect to have the AnyConnect Client use the client’s local browser instead of the AnyConnect Client embedded browser to perform the web authentication. This option enables single sign-on (SSO) between your VPN authentication and other corporate logins. Also choose this option if you want to support web authentication methods, such as biometric authentication and Yubikeys, that cannot be performed in the embedded browser.

New/Modified commands: external-browser

VPN Load balancing with SAML