Support for the ASA 5585-X
We introduced support for the ASA 5585-X with Security Services Processor (SSP)-10, -20, -40, and -60. Note: Support was previously added in 8.2(3) and 8.2(4); the ASA 5585-X is not supported in 8.3(x).
No Payload Encryption hardware for export
You can purchase the ASA 5585-X with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. The ASA software senses a No Payload Encryption model and disables the following features:
- Unified Communications
- VPN
You can still install the Strong Encryption (3DES/AES) license for use with management connections. For example, you can use ASDM HTTPS/SSL, SSHv2, Telnet, and SNMPv3. You can also download the dynamic database for the Botnet Traffic Filter (which uses SSL).

L2TP/IPsec Support on Android Platforms
We now support VPN connections between Android mobile devices and ASA 5500 series devices when using the L2TP/IPsec protocol and the native Android VPN client. Mobile devices must be using the Android 2.1 or later operating system. Also available in Version 8.2(5).
UTF-8 Character Support for AnyConnect Passwords
AnyConnect 3.0, used with ASA 8.4(1), supports UTF-8 characters in passwords sent using the RADIUS/MSCHAP and LDAP protocols.
IPsec VPN Connections with IKEv2
Internet Key Exchange Version 2 (IKEv2) is the latest key exchange protocol used to establish and control Internet Protocol Security (IPsec) tunnels. The ASA now supports IPsec with IKEv2 for the AnyConnect Secure Mobility Client, Version 3.0(1), for all client operating systems. On the ASA, you enable IPsec connections for users in the group policy. For the AnyConnect client, you specify the primary protocol (IPsec or SSL) for each ASA in the server list of the client profile. IPsec remote access VPN using IKEv2 was added to the AnyConnect Essentials and AnyConnect Premium licenses. Site-to-site sessions were added to the Other VPN license (formerly IPsec VPN). The Other VPN license is included in the Base license. We modified the following commands: vpn-tunnel-protocol, crypto ikev2 policy, crypto ikev2 enable, crypto ipsec ikev2, crypto dynamic-map, crypto map.
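The following ASA CLI configuration is an added example, not taken from the release notes, showing how the commands listed above fit together for an AnyConnect 3.0 IKEv2 remote-access tunnel. Interface name "outside", the pool, group-policy, tunnel-group, and trustpoint names are assumptions; the ASA authenticates itself with a certificate and users with EAP.

```cisco
! Added example (not from the release notes): IKEv2 remote access for AnyConnect on ASA 8.4(1).
! Assumed names: interface outside, pool RA_POOL, group policy RA_GP, tunnel group RA_TG, trustpoint ASA_CERT.
!
! IKEv2 (SA) policy: AES-256, SHA-1 integrity and PRF, DH group 5. Lower number = higher priority.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
! Enable IKEv2 on the outside interface; client-services on 443 lets AnyConnect fetch its profile.
crypto ikev2 enable outside client-services port 443
! IPsec proposal for IKEv2 child SAs: ESP with AES-256 and SHA-1.
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
! Dynamic crypto map for remote peers with unknown addresses, bound to the outside interface.
crypto dynamic-map RA_DYN 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP interface outside
! Address pool and a group policy that allows only IKEv2 for this user group (no SSL fallback).
ip local pool RA_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol ikev2
! Tunnel group: the ASA proves its identity with the ASA_CERT certificate; users authenticate via EAP.
tunnel-group RA_TG type remote-access
tunnel-group RA_TG general-attributes
 address-pool RA_POOL
 default-group-policy RA_GP
tunnel-group RA_TG ipsec-attributes
 ikev2 remote-authentication eap query-identity
 ikev2 local-authentication certificate ASA_CERT
! Verification after a client connects.
show crypto ikev2 sa
show crypto ipsec sa
```

The group policy is the enforcement point: a user group whose policy lists only ikev2 cannot negotiate a weaker protocol even if the client profile prefers SSL.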
SSL SHA-2 digital signature
This release supports the use of SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5.1 or later (2.5.2 or later recommended). This release does not support SHA-2 for other uses or products. This feature does not involve configuration changes. Caution: To support failover of SHA-2 connections, the standby ASA must be running the same image. To support this feature, we added the Signature Algorithm field to the show crypto ca certificate command to identify the digest algorithm used when generating the signature.
SCEP Proxy
SCEP Proxy provides the AnyConnect Secure Mobility Client with support for automated third-party certificate enrollment. Use this feature to support AnyConnect with zero-touch, secure deployment of device certificates to authorize endpoint connections, enforce policies that prevent access by non-corporate assets, and track corporate assets. This feature requires an AnyConnect Premium license and will not work with an Essentials license. We introduced or modified the following commands: crypto ikev2 enable, scep-enrollment enable, scep-forwarding-url, debug crypto ca scep-proxy, secondary-username-from-certificate, secondary-pre-fill-username.
Host Scan Package Support
This feature provides the necessary support for the ASA to install or upgrade a Host Scan package and enable or disable Host Scan. This package may either be a standalone Host Scan package or one that the ASA extracts from an AnyConnect Next Generation package. In previous releases of AnyConnect, an endpoint's posture was determined by Cisco Secure Desktop (CSD). Host Scan was one of many features bundled in CSD. Unbundling Host Scan from CSD gives AnyConnect administrators greater freedom to update and install Host Scan separately from the other features of CSD. We introduced the following command: csd hostscan image path.
Kerberos Constrained Delegation (KCD)
This release implements the KCD protocol transition and constrained delegation extensions on the ASA. KCD provides Clientless SSL VPN (also known as WebVPN) users with SSO access to any web services protected by Kerberos. Examples of such services or applications include Outlook Web Access (OWA), SharePoint, and Internet Information Server (IIS). Implementing protocol transition allows the ASA to obtain Kerberos service tickets on behalf of remote access users without requiring them to authenticate to the KDC (through Kerberos). Instead, a user authenticates to the ASA using any of the supported authentication mechanisms, including digital certificates and smart cards, for Clientless SSL VPN (also known as WebVPN). When user authentication is complete, the ASA requests and obtains an impersonate ticket, which is a service ticket for the ASA on behalf of the user. The ASA may then use the impersonate ticket to obtain other service tickets for the remote access user. Constrained delegation provides a way for domain administrators to limit the network resources that a service trusted for delegation (for example, the ASA) can access. This task is accomplished by configuring the account under which the service is running to be trusted for delegation to a specific instance of a service running on a specific computer. We modified the following commands: kcd-server, clear aaa, show aaa, test aaa-server authentication.
Clientless SSL VPN browser support
The ASA now supports clientless SSL VPN with Apple Safari 5.
Clientless VPN Auto Sign-on Enhancement
Smart tunnel now supports HTTP-based auto sign-on on Firefox as well as Internet Explorer. As with Internet Explorer, the administrator decides to which hosts a Firefox browser will automatically send credentials. For some authentication methods, it may be necessary for the administrator to specify a realm string on the ASA to match that on the web application (in the Add Smart Tunnel Auto Sign-on Server window). You can now use bookmarks with macro substitutions for auto sign-on with Smart tunnel as well. The POST plug-in is now obsolete. The former POST plug-in was created so that administrators could specify a bookmark with sign-on macros and receive a kick-off page to load prior to posting the POST request. The POST plug-in approach allows requests that require cookies and other header items to be fetched ahead of time so that the request goes through. The administrator can now specify pre-load pages when creating bookmarks to achieve the same functionality. As with the POST plug-in, the administrator specifies the pre-load page URL and the URL to send the POST request to. You can now replace the default preconfigured SSL VPN portal with your own portal. Administrators do this by specifying a URL as an External Portal. Unlike the group-policy home page, the External Portal supports POST requests with macro substitution (for auto sign-on) as well as pre-load pages. We introduced or modified the following command: smart-tunnel auto-signon.
Expanded Smart Tunnel application support
Smart Tunnel adds support for the following applications:
- Microsoft Outlook Exchange Server 2010 (native support). Users can now use Smart Tunnel to connect Microsoft Office Outlook to a Microsoft Exchange Server.
- Microsoft SharePoint/Office 2010. Users can now perform remote file editing using Microsoft Office 2010 applications and Microsoft SharePoint by using Smart Tunnel.

EtherChannel support (ASA 5510 and higher)
You can configure up to 48 802.3ad EtherChannels of eight active interfaces each. Note: You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel. We introduced the following commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.
Bridge groups for transparent mode
If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for each network. Bridge group traffic is isolated from other bridge groups. You can configure up to 8 bridge groups in single mode or per context in multiple mode, with 4 interfaces maximum per bridge group. Note: Although you can configure multiple bridge groups on the ASA 5505, the restriction of 2 data interfaces in transparent mode on the ASA 5505 means you can only effectively use 1 bridge group. We introduced the following commands: interface bvi, bridge-group, show bridge-group.

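As an added example (not from the release notes), this transparent-mode configuration builds two isolated bridge groups with the commands named above. Interface names, the BVI addresses, and the segment addressing are assumptions.

```cisco
! Added example (not from the release notes): two bridge groups, one per network segment, in transparent mode.
! Assumed interface names and addresses. Each BVI address is the management address inside that bridge group.
firewall transparent
!
! Bridge group 1: segment 10.1.1.0/24. bridge-group is set before nameif on each member interface.
interface bvi 1
 ip address 10.1.1.2 255.255.255.0
interface GigabitEthernet0/0
 bridge-group 1
 nameif outside1
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 bridge-group 1
 nameif inside1
 security-level 100
 no shutdown
!
! Bridge group 2: segment 10.2.2.0/24. No traffic is bridged between group 1 and group 2.
interface bvi 2
 ip address 10.2.2.2 255.255.255.0
interface GigabitEthernet0/2
 bridge-group 2
 nameif outside2
 security-level 0
 no shutdown
interface GigabitEthernet0/3
 bridge-group 2
 nameif inside2
 security-level 100
 no shutdown
!
! Verify membership and BVI addressing for each group.
show bridge-group
```

Because the two groups never exchange traffic, a compromise on one bridged segment cannot reach the other through the ASA without a routed path outside it; the show bridge-group output is the quick check that no interface landed in the wrong group.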
Increased contexts for the ASA 5550, 5580, and 5585-X
For the ASA 5550 and ASA 5585-X with SSP-10, the maximum number of contexts was increased from 50 to 100. For the ASA 5580 and 5585-X with SSP-20 and higher, the maximum was increased from 50 to 250.
Increased VLANs for the ASA 5580 and 5585-X
For the ASA 5580 and 5585-X, the maximum number of VLANs was increased from 250 to 1024.
Additional platform support
Google Chrome has been added as a supported platform for ASA Version 8.4. Both 32-bit and 64-bit platforms are supported on Windows XP, Vista, and 7, and on Mac OS X Version 6.0.
Increased connections for the ASA 5580 and 5585-X
We increased the firewall connection limits:
- ASA 5580-20: 1,000,000 to 2,000,000.
- ASA 5580-40: 2,000,000 to 4,000,000.
- ASA 5585-X with SSP-10: 750,000 to 1,000,000.
- ASA 5585-X with SSP-20: 1,000,000 to 2,000,000.
- ASA 5585-X with SSP-40: 2,000,000 to 4,000,000.
- ASA 5585-X with SSP-60: 2,000,000 to 10,000,000.

Increased AnyConnect VPN sessions for the ASA 5580
The AnyConnect VPN session limit was increased from 5,000 to 10,000.
Increased Other VPN sessions for the ASA 5580
The Other VPN session limit was increased from 5,000 to 10,000.
High Availability Features

Stateful Failover with Dynamic Routing Protocols
Routes that are learned through dynamic routing protocols (such as OSPF and EIGRP) on the active unit are now maintained in a Routing Information Base (RIB) table on the standby unit. Upon a failover event, traffic on the secondary active unit now passes with minimal disruption because routes are known. Routes are synchronized only for link-up or link-down events on an active unit. If the link goes up or down on the standby unit, dynamic routes sent from the active unit may be lost. This is normal, expected behavior. We modified the following commands: show failover, show route, show route failover.
Unified Communication Features

UC Protocol Inspection Enhancements
SIP Inspection and SCCP Inspection are enhanced to support new features in the Unified Communications Solutions, such as SCCP v2.0 support, support for GETPORT messages in SCCP Inspection, SDP field support in INVITE messages with SIP Inspection, and QSIG tunneling over SIP. Additionally, the Cisco Intercompany Media Engine supports Cisco RT Lite phones and third-party video endpoints (such as Tandberg). We did not modify any commands.

DCERPC Enhancement
DCERPC Inspection was enhanced to support inspection of RemoteCreateInstance RPC messages. We did not modify any commands.
Troubleshooting and Monitoring Features

SNMP traps and MIBs
Supports the following additional keywords: connection-limit-reached, entity cpu-temperature, cpu threshold rising, entity fan-failure, entity power-supply, ikev2 stop | start, interface-threshold, memory-threshold, nat packet-discard, warmstart. The entPhysicalTable reports entries for sensors, fans, power supplies, and related components. Supports the following additional MIBs: ENTITY-SENSOR-MIB, CISCO-ENTITY-SENSOR-EXT-MIB, CISCO-ENTITY-FRU-CONTROL-MIB, CISCO-PROCESS-MIB, CISCO-ENHANCED-MEMPOOL-MIB, CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB, NAT-MIB, EVENT-MIB, EXPRESSION-MIB. Supports the following additional traps: warmstart, cpmCPURisingThreshold, mteTriggerFired, cirResourceLimitReached, natPacketDiscard, ciscoEntSensorExtThresholdNotification. We introduced or modified the following commands: snmp cpu threshold rising, snmp interface threshold, snmp-server enable traps.
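As an added example (not from the release notes), the configuration below exports the new trap types over SNMPv3 so a collector sees resource exhaustion, NAT discards, and IKEv2 tunnel start/stop events. The interface name, collector address, group and user names, and the two credential strings are constructed placeholders.

```cisco
! Added example (not from the release notes): SNMPv3 trap export using the 8.4(1) trap keywords.
! Assumed: interface inside, collector 192.0.2.10; AuthPassPlaceholder/PrivPassPlaceholder are constructed.
snmp-server group MON_V3 v3 priv
snmp-server user monuser MON_V3 v3 auth sha AuthPassPlaceholder priv aes 128 PrivPassPlaceholder
snmp-server host inside 192.0.2.10 trap version 3 monuser
!
! Thresholds that drive the new traps: CPU above 70% sustained for a 5-minute period; interface at 80% utilization.
snmp cpu threshold rising 70 5
snmp interface threshold 80
!
! Resource and environment traps (cpmCPURisingThreshold, memory, entity sensors, fans, power supplies).
snmp-server enable traps cpu threshold rising
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps entity cpu-temperature fan-failure power-supply
!
! Security-relevant events: connection limit reached (cirResourceLimitReached), NAT discards (natPacketDiscard),
! IKEv2 tunnel start/stop, and warm restarts of the device.
snmp-server enable traps connection-limit-reached
snmp-server enable traps nat packet-discard
snmp-server enable traps ikev2 start stop
snmp-server enable traps snmp warmstart
!
! Verify what is enabled and whether traps are actually being sent.
show running-config snmp-server
show snmp-server statistics
```

A burst of cirResourceLimitReached or natPacketDiscard traps is an early signal of a connection flood or a NAT-pool exhaustion that would otherwise surface only as user complaints.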
TCP Ping Enhancement
TCP ping allows users whose ICMP echo requests are blocked to check connectivity over TCP. With the TCP ping enhancement you can specify a source IP address, a port, and a source interface to send pings to a hostname or an IPv4 address. We modified the following command: ping tcp.
Show Top CPU Processes
You can now monitor the processes that run on the CPU to obtain information related to the percentage of the CPU used by any given process. You can also see information about the load on the CPU, broken down per process, at 5 minutes, 1 minute, and 5 seconds prior to the log time. Information is updated automatically every 5 seconds to provide real-time statistics, and a refresh button in the pane allows a manual data refresh at any time. We introduced the following command: show process cpu-usage sorted.

Password Encryption Visibility
You can show password encryption in a security context. We modified the following command: show password encryption.