AAA Features

Platform Features

ASA for the Firepower 4150

We introduced the ASA for the Firepower 4150.

Requires FXOS 2.0.1.

We did not add or modify any screens.

Hot Plug Interfaces on the ASAv

You can add and remove Virtio virtual interfaces on the ASAv while the system is active. When you add a new interface to the ASAv, the virtual machine detects and provisions the interface. When you remove an existing interface, the virtual machine releases any resource associated with the interface. Hot plug interfaces are limited to Virtio virtual interfaces on the Kernel-based Virtual Machine (KVM) hypervisor.

Microsoft Azure support on the ASAv10

Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V Hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper V Hypervisor. The ASAv on Microsoft Azure supports one instance type, the Standard D3, which supports four vCPUs, 14 GB, and four interfaces.

Also in 9.5(2.200).

Through traffic support on the Management 0/0 interface for the ASAv

You can now allow through traffic on the Management 0/0 interface on the ASAv. Previously, only the ASAv on Microsoft Azure supported through traffic; now all ASAvs support through traffic. You can optionally configure this interface to be management-only, but it is not configured by default.

Common Criteria Certification

The ASA was updated to comply with the Common Criteria requirements. See the rows in this table for the following features that were added for this certification:

• ASA SSL Server mode matching for ASDM

• SSL client RFC 6125 support:

  • Reference Identities for Secure Syslog Server connections and Smart Licensing connections

  • ASA client checks Extended Key Usage in server certificates

  • Mutual authentication when ASA acts as a TLS client for TLS1.1 and 1.2

• PKI debug messages

• Crypto Key Zeroization verification

• IPsec/ESP Transport Mode Support for IKEv2

• New syslog messages

Firewall Features

DNS over TCP inspection

You can now inspect DNS over TCP traffic (TCP/53).

We modified the following page: Configuration > Firewall > Objects > Inspection Maps > DNS Add/Edit dialog box

MTP3 User Adaptation (M3UA) inspection

You can now inspect M3UA traffic and also apply actions based on point code, service indicator, and message class and type.

We added or modified the following pages: Configuration > Firewall > Objects > Inspection Maps > M3UA; the Rule Action > Protocol Inspection tab for service policy rules

Session Traversal Utilities for NAT (STUN) inspection

You can now inspect STUN traffic for WebRTC applications including Cisco Spark. Inspection opens pinholes required for return traffic.

We added an option to the Rule Actions > Protocol Inspection tab of the Add/Edit Service Policy dialog box

Application layer health checking for Cisco Cloud Web Security

You can now configure Cisco Cloud Web Security to check the health of the Cloud Web Security application when determining if the server is healthy. By checking application health, the system can fail over to the backup server when the primary server responds to the TCP three-way handshake but cannot process requests. This ensures a more reliable system.

We modified the following screen: Configuration > Device Management > Cloud Web Security

Connection holddown timeout for route convergence.

You can now configure how long the system should maintain a connection when the route used by the connection no longer exists or is inactive. If the route does not become active within this holddown period, the connection is freed. You can reduce the holddown timer to make route convergence happen more quickly. However, the 15 second default is appropriate for most networks to prevent route flapping.

We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts

Also in 9.4(3).

Changes in TCP option handling

You can now specify actions for the TCP MSS and MD5 options in a packet’s TCP header when configuring a TCP map. In addition, the default handling of the MSS, timestamp, window-size, and selective-ack options has changed. Previously, these options were allowed, even if there were more than one option of a given type in the header. Now, packets are dropped by default if they contain more than one option of a given type. For example, previously a packet with 2 timestamp options would be allowed, now it will be dropped.

You can configure a TCP map to allow multiple options of the same type for MD5, MSS, selective-ack, timestamp, and window-size. For the MD5 option, the previous default was to clear the option, whereas the default now is to allow it. You can also drop packets that contain the MD5 option. For the MSS option, you can set the maximum segment size in the TCP map (per traffic class). The default for all other TCP options remains the same: they are cleared.

We modified the following screen: Configuration > Firewall > Objects > TCP Maps Add/Edit dialog box

Transparent mode maximum interfaces per bridge group increased to 64

The maximum interfaces per bridge group was increased from 4 to 64.

We did not modify any screens.

Flow offload support for multicast connections in transparent mode.

You can now offload multicast connections to be switched directly in the NIC on transparent mode Firepower 4100 and 9300 series devices. Multicast offload is available for bridge groups that contain two and only two interfaces.

There are no new commands or ASDM screens for this feature.

Customizable ARP rate limiting

You can set the maximum number of ARP packets allowed per second. The default value depends on your ASA model. You can customize this value to prevent an ARP storm attack.

We modified the following screen: Configuration > Device Management > Advanced > ARP > ARP Static Table

Ethertype rule support for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address.

You can now write Ethertype access control rules for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address. Because of this addition, the bpdu keyword no longer matches the intended traffic. Rewrite bpdu rules for dsap 0x42 .

We modified the following screen: Configuration > Firewall > EtherType Rules.

Remote Access Features

Pre-fill/Username-from-cert feature for multiple context mode

AnyConnect SSL support is extended, allowing pre-fill/username-from-certificate feature CLIs, previously available only in single mode, to be enabled in multiple context mode as well.

We did not modify any screens.

Flash Virtualization for Remote Access VPN

Remote access VPN in multiple context mode now supports flash virtualization. Each context can have a private storage space and a shared storage place based on the total flash that is available:

• Private storage—Store files associated only with that user and specific to the content that you want for that user.

• Shared storage—Upload files to this space and have it accessible to any user context for read/write access once you enable it.

We modified the following screens: Configuration > Context Management > Resource Class > Add Resource Class

Configuration > Context Management > Security Contexts

AnyConnect client profiles supported in multiple context mode

AnyConnect client profiles are supported in multiple context mode. To add a new profile using ASDM, you must have the AnyConnect Secure Mobility Client release 4.2.00748 or 4.3.03013 and later.

Umbrella Roaming Security module support

You can choose to configure the AnyConnect Secure Mobility Client's Umbrella Roaming Security module for additional DNS-layer security when no VPN is active.

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

IPsec/ESP Transport Mode Support for IKEv2

Transport mode is now supported for ASA IKEv2 negotiation. It can be used in place of tunnel (default) mode. Tunnel mode encapsulates the entire IP packet. Transport mode encapsulates only the upper-layer protocols of an IP packet. Transport mode requires that both the source and destination hosts support IPSec, and can only be used when the destination peer of the tunnel is the final destination of the IP packet.

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > IPsec Proposals (Transform Sets) > IKEv2 proposals > Add/Edit

Per-packet routing lookups for IPsec inner packets

By default, per-packet adjacency lookups are done for outer ESP packets; lookups are not done for packets sent through the IPsec tunnel. In some network topologies, when a routing update has altered the inner packet’s path, but the local IPsec tunnel is still up, packets through the tunnel may not be routed correctly and fail to reach their destination. To prevent this, use the new option to enable per-packet routing lookups for the IPsec inner packets.

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps adding the Enable IPsec Inner Routing Lookup checkbox.

Certificate and Secure Connection Features

ASA client checks Extended Key Usage in server certificates

Syslog and Smart licensing Server Certificates must contain “ServerAuth” in the Extended Key Usage field. If not, the connection fails.

Mutual authentication when ASA acts as a TLS client for TLS1.1 and 1.2

PKI debug messages

The ASA PKI module makes connections to CA servers such as SCEP enrollment, revocation checking using HTTP, etc. All of these ASA PKI exchanges will be logged as debug traces under debug crypto ca message 5.

ASA SSL Server mode matching for ASDM

For an ASDM user who authenticates with a certificate, you can now require the certificate to match a certificate map.

We modified the following screen: Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

Reference Identities for Secure Syslog Server connections and Smart Licensing connections

TLS client processing now supports rules for verification of a server identity defined in RFC 6125, Section 6. Identity verification will be done during PKI validation for TLS connections to the Syslog Server and the Smart Licensing server only. If the presented identity cannot be matched against the configured reference identity, the connection is not established.

We modifed the following screens:

Configuration > Remote Access VPN > Advanced

Configuration > Device Management > Logging > Syslog Servers > Add/Edit

Configuration > Device Management > Smart Call Home

Crypto Key Zeroization verification

The ASA crypto system has been updated to comply with new key zeroization requirements. Keys must be overwritten with all zeros and then the data must be read to verify that the write was successful.

SSH public key authentication improvements

In earlier releases, you could enable SSH public key authentication without also enabling AAA SSH authentication with the Local user database . The configuration is now fixed so that you must explicitly enable AAA SSH authentication. To disallow users from using a password instead of the private key, you can now create a username without any password defined.

We modifed the following screens:

Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

Configuration > Device Management > Users/AAA > User Accounts > Add/Edit User Account

Interface Features

Increased MTU size for the ASA on the Firepower 4100/9300 chassis

You can set the maximum MTU to 9188 bytes on the Firepower 4100 and 9300; formerly, the maximum was 9000 bytes. This MTU is supported with FXOS 2.0.1.68 and later.

We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Advanced

Routing Features

Bidirectional Forwarding Detection (BFD) Support

The ASA now supports the BFD routing protocol. Support was added for configuring BFD templates, interfaces, and maps. Support for BGP routing protocol to use BFD was also added.

We added or modified the following screens:

Configuration > Device Setup > Routing > BFD > Template

Configuration > Device Setup > Routing > BFD > Interface

Configuration > Device Setup > Routing > BFD > Map

Configuration > Device Setup > Routing > BGP > IPv6 Family > Neighbors

IPv6 DHCP

The ASA now supports the following features for IPv6 addressing:

• DHCPv6 Address client—The ASA obtains an IPv6 global address and optional default route from the DHCPv6 server.

• DHCPv6 Prefix Delegation client—The ASA obtains delegated prefix(es) from a DHCPv6 server. The ASA can then use these prefixes to configure other ASA interface addresess so that StateLess Address Auto Configuration (SLAAC) clients can autoconfigure IPv6 addresses on the same network.

• BGP router advertisement for delegated prefixes

• DHCPv6 stateless server—The ASA provides other information such as the domain name to SLAAC clients when they send Information Request (IR) packets to the ASA. The ASA only accepts IR packets, and does not assign addresses to the clients.

We added or modified the following screens:

Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > IPv6

Configuration > Device Management > DHCP > DHCP Pool

Configuration > Device Setup > Routing > BGP > IPv6 Family > Networks

Monitoring > interfaces > DHCP

High Availability and Scalability Features

Improved sync time for dynamic ACLs from AnyConnect when using Active/Standby failover

When you use AnyConnect on a failover pair, then the sync time for the associated dynamic ACLs (dACLs) to the standby unit is now improved. Previously, with large dACLs, the sync time could take hours during which time the standby unit is busy syncing instead of providing high availability backup.

We did not modify any screens.

Licensing Features

Permanent License Reservation for the ASAv

For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv. In 9.6(2), we also added support for this feature for the ASAv on Amazon Web Services. This feature is not supported for Microsoft Azure.

We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return

No ASDM support.

Also in 9.5(2.200).

Permanent License Reservation for the ASAv Short String enhancement

Due to an update to the Smart Agent (to 1.6.4), the request and authorization codes now use shorter strings.

We did not modify any screens.

Permanent License Reservation for the ASA on the Firepower 4100/9300 chassis

For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASA on the Firepower 9300 and Firepower 4100. All available license entitlements are included in the permanent license, including the Standard Tier, Strong Encryption (if qualified), Security Contexts, and Carrier licenses. Requires FXOS 2.0.1.

All configuration is performed on the Firepower 4100/9300 chassis; no configuration is required on the ASA.

Smart Agent Upgrade for ASAv to v1.6

The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account.

We did not change any screens.

Also in 9.5(2.200).

Monitoring Features

Packet capture of type asp-drop supports ACL and match filtering

When you create a packet capture of type asp-drop, you can now also specify an ACL or match option to limit the scope of the capture.

We did not modify any screens.

Forensic Analysis enhancements

You can create a core dump of any process running on the ASA. The ASA also extracts the text section of the main ASA process that you can copy from the ASA for examination.

We did not modify any screens.

Tracking Packet Count on a Per-Connection Basis through NetFlow

Two counters were added that allow Netflow users to see the number of Layer 4 packets being sent in both directions on a connection. You can use these counters to determine average packet rates and sizes and to better predict traffic types, anomalies, and events.

We did not modify any screens.

SNMP engineID sync for Failover

In a failover pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote engineID.

An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running config output will show two engineIDs per user.

We modified the following command: snmp-server user

No ASDM support.

Also in 9.4(3).

Platform Features

ASA for the Firepower 4100 series

We introduced the ASA for the Firepower 4110, 4120, and 4140.

Requires FXOS 1.1.4.

We did not add or modify any screens.

SD card support for the ISA 3000

You can now use an SD card for external storage on the ISA 3000. The card appears as disk3 in the ASA file system. Note that plug and play support requires hardware version 2.1 and later. Use the show module command to check your hardware version.

We did not add or modify any screens.

Dual power supply support for the ISA 3000

For dual power supplies in the ISA 3000, you can establish dual power supplies as the expected configuration in the ASA OS. If one power supply fails, the ASA issues an alarm. By default, the ASA expects a single power supply and won't issue an alarm as long as it includes one working power supply.

No ASDM support.

Firewall Features

Diameter inspection improvements

You can now inspect Diameter over TCP/TLS traffic, apply strict protocol conformance checking, and inspect Diameter over SCTP in cluster mode.

We added or modified the following screens:

Configuration > Firewall > Objects > Inspect Maps > Diameter

Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol Inspection tab

SCTP stateful inspection in cluster mode

SCTP stateful inspection now works in cluster mode. You can also configure SCTP stateful inspection bypass in cluster mode.

We did not add or modify any screens.

H.323 inspection support for the H.255 FACILITY message coming before the H.225 SETUP message for H.460.18 compatibility.

You can now configure an H.323 inspection policy map to allow for H.225 FACILITY messages to come before the H.225 SETUP message, which can happen when endpoints comply with H.460.18.

We added an option to the Call Attributes tab in the H.323 inspection policy map.

Cisco Trustsec support for Security Exchange Protocol (SXP) version 3.

Cisco Trustsec on ASA now implements SXPv3, which enables SGT-to-subnet bindings, which are more efficient than host bindings.

We modified the following screens: Configuration > Firewall > Identity By TrustSec and the SGT Map Setup dialog boxes.

Flow off-load support for the Firepower 4100 series.

You can identify flows that should be off-loaded from the ASA and switched directly in the NIC for the Firepower 4100 series.

Requires FXOS 1.1.4.

We did not add or modify any screens.

Remote Access Features

IKEv2 Fragmentation, RFC-7383 support

The ASA now supports this standard fragmentation of IKEv2 packets. This allows interoperability with other IKEv2 implementations such as Apple, Strongswan etc. ASA continues to support the current, proprietary IKEv2 fragmentation to maintain backward compatibility with Cisco products that do not support RFC-7383, such as the AnyConnect client.

VPN Throughput Performance Enhancements on Firepower 9300 and Firepower 4100 series

The crypto engine accelerator-bias command is now supported on the ASA security module on the Firepower 9300 and Firepower 4100 series. This command lets you “bias” more crypto cores toward either IPSec or SSL.

We did not add or modify any screens.

Configurable SSH encryption and HMAC algorithm.

Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms. You might want to change the ciphers to be more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then the performance is much slower than a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc , for example.

We introduced the following screen: Configuration > Device Management > Advanced > SSH Ciphers

Also available in 9.1(7), 9.4(3), and 9.5(3).

HTTP redirect support for IPv6

When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can now redirect traffic sent an to IPv6 address.

We added functionality to the following screen: Configuration > Device Management > HTTP Redirect

Also available in 9.1(7) and 9.4(3).

Routing Features

IS-IS routing

The ASA now supports the Intermediate System to Intermediate System (IS-IS) routing protocol. Support was added for routing data, performing authentication, and redistributing and monitoring routing information using the IS-IS routing protocol.

We introduced the following screens:

Configuration > Device Setup > Routing > ISIS

Monitoring > Routing > ISIS

High Availability and Scalability Features

Support for site-specific IP addresses in Routed, Spanned EtherChannel mode

For inter-site clustering in routed mode with Spanned EtherChannels, you can now configure site-specific IP addresess in addition to site-specific MAC addresses. The addition of site IP addresses allows you to use ARP inspection on the Overlay Transport Virtualization (OTV) devices to prevent ARP responses from the global MAC address from traveling over the Data Center Interconnect (DCI), which can cause routing problems. ARP inspection is required for some switches that cannot use VACLs to filter MAC addresses.

We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit EtherChannel Interface > Advanced

Administrative Features

Longer password support for local username and enable passwords (up to 127 characters)

You can now create local username and enable passwords up to 127 characters (the former limit was 32). When you create a password longer than 32 characters, it is stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Shorter passwords continue to use the MD5-based hashing method.

We modified the following screens:

Configuration > Device Setup > Device Name/Password > Enable Password

Configuration > Device Management > Users/AAA > User Accounts > Add/Edit User Account > Identity

Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB

The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported. This is a table of memory pool monitoring entries for all physical entities on a managed system.

We did not add or modify any screens.

Also available in 9.1(7) and 9.4(3).

REST API Version 1.3.1

We added support for the REST API Version 1.3.1.