Cisco ASA New Features by Release
Available Languages
Contents
- Cisco ASA New Features
- New Features in Version 9.8
- New Features in ASA 9.8(1.200)
- New Features in ASDM 7.8(1.150)
- New Features in ASA 9.8(1)/ASDM 7.8(1)
- New Features in Version 9.7
- New Features in ASDM 7.7(1.151)
- New Features in ASA 9.7(1.4)/ASDM 7.7(1)
- New Features in Version 9.6
- New Features in ASA 9.6(3.1)/ASDM 7.7(1)
- New Features in ASDM 7.6(2.150)
- New Features in ASA 9.6(2)/ASDM 7.6(2)
- New Features in ASA 9.6(1)/ASDM 7.6(1)
- New Features in Version 9.5
- New Features in ASA 9.5(3.9)/ASDM 7.6(2)
- New Features in ASAv 9.5(2.200)/ASDM 7.5(2.153)
- New Features in ASA 9.5(2.1)/ASDM 7.5(2)
- New Features in ASA 9.5(2)/ASDM 7.5(2)
- New Features in ASA 9.5(1.5)/ASDM 7.5(1.112)
- New Features in ASDM 7.5(1.90)
- New Features in ASAv 9.5(1.200)/ASDM 7.5(1)
- New Features in ASA 9.5(1)/ASDM 7.5(1)
- New Features in Version 9.4
- New Features in ASA 9.4(4.5)/ASDM 7.6(2)
- New Features in ASA 9.4(3)/ASDM 7.6(1)
- New Features in ASA 9.4(2.145)/ASDM 7.5(1)
- New Features in ASA 9.4(2)/ASDM 7.5(1)
- New Features in ASA 9.4(1.225)/ASDM 7.5(1)
- New Features in ASA 9.4(1.152)/ASDM 7.4(3)
- New Features in ASAv 9.4(1.200)/ASDM 7.4(2)
- New Features in ASDM 7.4(2)
- New Features in ASA 9.4(1)/ASDM 7.4(1)
- New Features in Version 9.3
- New Features in ASA 9.3(3)/ASDM 7.4(1)
- New Features in ASA 9.3(2)/ASDM 7.3(3)
- New Features in ASA 9.3(2.200)/ASDM 7.3(2)
- New Features in ASA 9.3(2)/ASDM 7.3(2)
- New Features in ASA 9.3(1)/ASDM 7.3(1)
- New Features in Version 9.2
- New Features in ASA 9.2(4)/ ASDM 7.4(3)
- New Features in ASA 9.2(3)/ ASDM 7.3(1.101)
- New Features in ASA 9.2(2.4)/ASDM 7.2(2)
- New Features in ASA 9.2(1)/ASDM 7.2(1)
- New Features in Version 9.1
- New Features in ASA 9.1(7.4)/ASDM 7.5(2.153)
- New Features in ASA 9.1(6)/ASDM 7.1(7)
- New Features in ASA 9.1(5)/ASDM 7.1(6)
- New Features in ASA 9.1(4)/ASDM 7.1(5)
- New Features in ASA 9.1(3)/ASDM 7.1(4)
- New Features in ASA 9.1(2)/ASDM 7.1(3)
- New Features in ASA 9.1(1)/ASDM 7.1(1)
- New Features in Version 9.0
- New Features in ASA 9.0(4)/ASDM 7.1(4)
- New Features in ASA 9.0(3)/ASDM 7.1(3)
- New Features in ASA 9.0(2)/ASDM 7.1(2)
- New Features in ASA 9.0(1)/ASDM 7.0(1)
- New Features in Version 8.7
- New Features in ASA 8.7(1.1)/ASDM 6.7(1)
- New Features in Version 8.6
- New Features in ASA 8.6(1)/ASDM 6.6(1)
- New Features in Version 8.5
- New Features in ASA 8.5(1.7)/ASDM 6.5(1.101)
- New Features in ASA 8.5(1.6)/ASDM 6.5(1)
- New Features in ASA 8.5(1)/ASDM 6.5(1)
- New Features in Version 8.4
- New Features in ASA 8.4(7)/ASDM 7.1(3)
- New Features in ASA 8.4(6)/ASDM 7.1(2.102)
- New Features in ASA 8.4(5)/ASDM 7.0(2)
- New Features in ASA 8.4(4.5)/ASDM 6.4(9.103)
- New Features in ASA 8.4(4.1)/ASDM 6.4(9)
- New Features in ASA 8.4(3)/ASDM 6.4(7)
- New Features in ASA 8.4(2.8)/ASDM 6.4(5.106)
- New Features in ASA 8.4(2)/ASDM 6.4(5)
- New Features in ASA 8.4(1.11)/ASDM 6.4(2)
- New Features in ASA 8.4(1)/ASDM 6.4(1)
- New Features in Version 8.3
- New Features in ASA 8.3(2.25)/ASDM 6.4(5.106)
- New Features in ASA 8.3(2)/ASDM 6.3(2)
- New Features in ASA 8.3(1)/ASDM 6.3(1)
- New Features in Version 8.2
- New Features in ASA 8.2(5.13)/ASDM 6.4(4.106)
- New Features in ASA 8.2(5)/ASDM 6.4(3)
- New Features in ASA 8.2(4.4)/ASDM 6.3(5)
- New Features in ASA 8.2(4.1)/ASDM 6.3(5)
- New Features in ASA 8.2(4)/ASDM 6.3(5)
- New Features in ASA 8.2(3.9)/ASDM 6.3(4)
- New Features in ASA 8.2(3)/ASDM 6.3(3) and 6.3(4)
- New Features in ASA 8.2(2)/ASDM 6.2(5)
- New Features in ASA 8.2(1)/ASDM 6.2(1)
- New Features in Version 8.1
- New Features in ASA 8.1(2)/ASDM 6.1(5)
- New Features in ASA 8.1(1)/ASDM 6.1(1)
- New Features in Version 8.0
- New Features in ASA 8.0(5)/ASDM 6.2(3)
- New Features in ASA 8.0(4)/ASDM 6.1(3)
- New Features in ASA 8.0(3)/ASDM 6.0(3)
- New Features in ASA 8.0(2)/ASDM 6.0(2)
- New Features in Version 7.2
- New Features in ASA 7.2(5)/ASDM 5.2(5)
- New Features in ASA 7.2(4)/ASDM 5.2(4)
- New Features in ASA 7.2(3)/ASDM 5.2(3)
- New Features in ASA 7.2(2)/ASDM 5.2(2)
- New Features in ASA 7.2(1)/ASDM 5.2(1)
- New Features in Version 7.1
- New Features in ASA 7.1(2)/ASDM 5.1(2)
- New Features in ASA 7.1(1)/ASDM 5.1(1)
- New Features in Version 7.0
- New Features in ASA 7.0(8)/ASDM 5.0(8) and ASDM 5.0(9)
- New Features in ASA 7.0(7)/ASDM 5.0(7)
- New Features in ASA 7.0(6)/ASDM 5.0(6)
- New Features in ASA 7.0(5)/ASDM 5.0(5)
- New Features in ASA 7.0(4)/ASDM 5.0(4)
- New Features in ASA 7.0(2)/ASDM 5.0(2)
- New Features in ASA 7.0(1)/ASDM 5.0(1)
Last Updated: June 30, 2017
Cisco ASA New Features
This document lists new features for each release.
Note
New, changed, and deprecated syslog messages are listed in the syslog message guide.
New Features in Version 9.8
New Features in ASA 9.8(1.200)
Released: July 30, 2017
Note
This release is only supported on the ASAv for Microsoft Azure.
High Availability and Scalability Features
Active/Backup High Availability for ASAv on Microsoft Azure
A stateless Active/Backup solution that allows for a failure of the active ASAv to trigger an automatic failover of the system to the backup ASAv in the Microsoft Azure public cloud.
We introduced the following commands: failover cloud
No ASDM support.
New Features in ASA 9.8(1)/ASDM 7.8(1)
Released: May 15, 2017
Platform Features
ASAv50 platform
The ASAv virtual platform has added a high-end performance ASAv50 platform that provides 10 Gbps Firewall throughput levels. The ASAv50 requires ixgbe-vf vNICs, which are supported on VMware and KVM only.
SR-IOV on the ASAv platform
The ASAv virtual platform supports Single Root I/O Virtualization (SR-IOV) interfaces, which allows multiple VMs to share a single PCIe network adapter inside a host. ASAv SR-IOV support is available on VMware, KVM, and AWS only.
Automatic ASP load balancing now supported for the ASAv
Formerly, you could only manually enable and disable ASP load balancing.
We modified the following command: asp load-balance per-packet auto
We modified the following screen: Configuration > Device Management > Advanced > ASP Load Balancing
Support for setting the TLS proxy server SSL cipher suite
You can now set the SSL cipher suite when the ASA acts as a TLS proxy server. Formerly, you could only set global settings for the ASA using the ssl cipher command on the page.
We introduced the following command: server cipher-suite
We modified the following screen: , Add/Edit dialog boxes, Server Configuration page.
Global timeout for ICMP errors
You can now set the idle time before the ASA removes an ICMP connection after receiving an ICMP echo-reply packet. When this timeout is disabled (the default), and you enable ICMP inspection, then the ASA removes the ICMP connection as soon as an echo-reply is received; thus any ICMP errors that are generated for the (now closed) connection are dropped. This timeout delays the removal of ICMP connections so you can receive important ICMP errors.
We added the following command: timeout icmp-error
We modified the following screen: .
High Availability and Scalability Features
Improved cluster unit health-check failure detection
You can now configure a lower holdtime for the unit health check: .3 seconds minimum. The previous minimum was .8 seconds. This feature changes the unit health check messaging scheme to heartbeats in the data plane from keepalives in the control plane. Using heartbeats improves the reliability and the responsiveness of clustering by not being susceptible to control plane CPU hogging and scheduling delays. Note that configuring a lower holdtime increases cluster control link messaging activity. We suggest that you analyze your network before you configure a low holdtime; for example, make sure a ping from one unit to another over the cluster control link returns within the holdtime/3, because there will be three heartbeat messages during one holdtime interval. If you downgrade your ASA software after setting the hold time to .3 - .7, this setting will revert to the default of 3 seconds because the new setting is unsupported.
Note This feature is not available on the Firepower 4100 or 9300.
We modified the following commands: health-check holdtime, show asp drop cluster counter, show cluster info health details
We modified the following screen:
VPN Features
Support for IKEv2, certificate based authentication, and ACL in VTI Virtual Tunnel Interface (VTI) now supports BGP (static VTI). You can now use IKEv2 in standalone and high availability modes. You can use certificate based authentication by setting up a trustpoint in the IPsec profile. You can also apply access lists on VTI using access-group commands to filter ingress traffic.
We introduced the following command in the IPsec profile configuration mode: set trustpoint.
We introduced options to select the trustpoint for certificate based authentication in the following screen:
Mobile IKEv2 (MobIKE) is enabled by default
Mobile devices operating as remote access clients require transparent IP address changes while moving. Supporting MobIKE on ASA allows a current IKE security association (SA) to be updated without deleting the current SA. MobIKE is “always on.”
We introduced the following command: ikev2 mobike-rrc. Used to enable/disable return routability checking.
SAML 2.0 SSO Updates
The default signing method for a signature in a SAML request changed from SHA1 to SHA2, and you can configure which signing method you prefer: rsa-sha1, rsa-sha256, rsa-sha384, or rsa-sha512.
We changed the following command in webvpn mode: saml idp signature can be configured with a value. Disabled is still the default.
We introduced changes to the following screen: .
Change for tunnelgroup webvpn-attributes We changed the pre-fill-username and secondary-pre-fill-username value from clientless to client. We changed the following commands in webvpn mode: pre-fill-username and secondary-pre-fill-usernamecan be configured with a client value.
AAA Features
Login history
By default, the login history is saved for 90 days. You can disable this feature or change the duration, up to 365 days. This feature only applies to usernames in the local database when you enable local AAA authentication for one or more of the management methods (SSH, ASDM, Telnet, and so on).
We introduced the following commands: aaa authentication login-history, show aaa login-history
We introduced the following screen:
Password policy enforcement to prohibit the reuse of passwords, and prohibit use of a password matching a username
You can now prohibit the reuse of previous passwords for up to 7 generations, and you can also prohibit the use of a password that matches a username.
We introduced the following commands: password-history, password-policy reuse-interval, password-policy username-check
We modified the following screen:
Separate authentication for users with SSH public key authentication and users with passwords
In releases prior to 9.6(2), you could enable SSH public key authentication (ssh authentication) without also explicitly enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL). In 9.6(2), the ASA required you to explicitly enable AAA SSH authentication. In this release, you no longer have to explicitly enable AAA SSH authentication; when you configure the ssh authentication command for a user, local authentication is enabled by default for users with this type of authentication. Moreover, when you explicitly configure AAA SSH authentication, this configuration only applies for usernames with passwords, and you can use any AAA server type (aaa authentication ssh console radius_1, for example). For example, some users can use public key authentication using the local database, and other users can use passwords with RADIUS.
We did not modify any commands.
We did not modify any screens.
Also in Version 9.6(3).
Monitoring and Troubleshooting Features
Saving currently-running packet captures when the ASA crashes
Formerly, active packet captures were lost if the ASA crashed. Now, packet captures are saved to disk 0 at the time of the crash with the filename [context_name.]capture_name.pcap.
We did not modify any commands.
We did not modify any screens.
New Features in Version 9.7
New Features in ASDM 7.7(1.151)
New Features in ASA 9.7(1.4)/ASDM 7.7(1)
Released: April 4, 2017
Note
Verion 9.7(1) was removed from Cisco.com due to bug CSCvd78303.
New Features in Version 9.6
New Features in ASA 9.6(3.1)/ASDM 7.7(1)
Released: April 3, 2017
Note
Version 9.6(3) was removed from Cisco.com due to bug CSCvd78303.
AAA Features
Separate authentication for users with SSH public key authentication and users with passwords
In releases prior to 9.6(2), you could enable SSH public key authentication (ssh authentication) without also explicitly enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL). In 9.6(2), the ASA required you to explicitly enable AAA SSH authentication. In this release, you no longer have to explicitly enable AAA SSH authentication; when you configure the ssh authentication command for a user, local authentication is enabled by default for users with this type of authentication. Moreover, when you explicitly configure AAA SSH authentication, this configuration only applies for for usernames with passwords, and you can use any AAA server type (aaa authentication ssh console radius_1, for example). For example, some users can use public key authentication using the local database, and other users can use passwords with RADIUS.
We did not modify any commands.
We did not modify any screens.
Also in Version 9.8(1).
New Features in ASA 9.6(2)/ASDM 7.6(2)
Released: August 24, 2016
New Features in ASA 9.6(1)/ASDM 7.6(1)
Released: March 21, 2016
Note
The ASAv 9.5.2(200) features, including Microsoft Azure support, are not available in 9.6(1). They are available in 9.6(2).
Platform Features
ASA for the Firepower 4100 series
We introduced the ASA for the Firepower 4110, 4120, and 4140.
Requires FXOS 1.1.4.
We did not add or modify any commands.
We did not add or modify any screens.
SD card support for the ISA 3000
You can now use an SD card for external storage on the ISA 3000. The card appears as disk3 in the ASA file system. Note that plug and play support requires hardware version 2.1 and later. Use the show module command to check your hardware version.
We did not add or modify any commands.
We did not add or modify any screens.
Dual power supply support for the ISA 3000
For dual power supplies in the ISA 3000, you can establish dual power supplies as the expected configuration in the ASA OS. If one power supply fails, the ASA issues an alarm. By default, the ASA expects a single power supply and won't issue an alarm as long as it includes one working power supply.
We introduced the following command: power-supply dual.
No ASDM support.
You can now inspect Diameter over TCP/TLS traffic, apply strict protocol conformance checking, and inspect Diameter over SCTP in cluster mode.
We introduced or modified the following commands: client clear-text, inspect diameter, strict-diameter.
We added or modified the following screens:
add/edit wizard's tab
SCTP stateful inspection now works in cluster mode. You can also configure SCTP stateful inspection bypass in cluster mode.
We did not add or modify any commands.
We did not add or modify any screens.
H.323 inspection support for the H.255 FACILITY message coming before the H.225 SETUP message for H.460.18 compatibility.
You can now configure an H.323 inspection policy map to allow for H.225 FACILITY messages to come before the H.225 SETUP message, which can happen when endpoints comply with H.460.18.
We introduced the following command: early-message.
We added an option to the Call Attributes tab in the H.323 inspection policy map.
Cisco Trustsec support for Security Exchange Protocol (SXP) version 3.
Cisco Trustsec on ASA now implements SXPv3, which enables SGT-to-subnet bindings, which are more efficient than host bindings.
We introduced or modified the following commands: cts sxp mapping network-map maximum_hosts, cts role-based sgt-map, show cts sgt-map, show cts sxp sgt-map, show asp table cts sgt-map.
We modified the following screens: and the SGT Map Setup dialog boxes.
Flow off-load support for the Firepower 4100 series.
You can identify flows that should be off-loaded from the ASA and switched directly in the NIC for the Firepower 4100 series.
Requires FXOS 1.1.4.
We did not add or modify any commands.
We did not add or modify any screens.
The ASA now supports this standard fragmentation of IKEv2 packets. This allows interoperability with other IKEv2 implementations such as Apple, Strongswan etc. ASA continues to support the current, proprietary IKEv2 fragmentation to maintain backward compatibility with Cisco products that do not support RFC-7383, such as the AnyConnect client.
We introduced the following commands: crypto ikev2 fragmentation, show running-config crypto ikev2, show crypto ikev2 sa detail
VPN Throughput Performance Enhancements on Firepower 9300 and Firepower 4100 series
The crypto engine accelerator-bias command is now supported on the ASA security module on the Firepower 9300 and Firepower 4100 series. This command lets you “bias” more crypto cores toward either IPSec or SSL.
We modified the following command: crypto engine accelerator-bias
We did not add or modify any screens.
Configurable SSH encryption and HMAC algorithm.
Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms. You might want to change the ciphers to be more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then the performance is much slower than a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example.
We introduced the following commands: ssh cipher encryption, ssh cipher integrity.
We introduced the following screen:
Also available in 9.1(7), 9.4(3), and 9.5(3).
HTTP redirect support for IPv6
When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can now redirect traffic sent an to IPv6 address.
We added functionality to the following command: http redirect
We added functionality to the following screen:
Also available in 9.1(7) and 9.4(3).
Routing Features
IS-IS routing
The ASA now supports the Intermediate System to Intermediate System (IS-IS) routing protocol. Support was added for routing data, performing authentication, and redistributing and monitoring routing information using the IS-IS routing protocol.
We introduced the following commands: advertise passive-only, area-password, authentication key, authentication mode, authentication send-only, clear isis, debug isis, distance, domain-password, fast-flood, hello padding, hostname dynamic, ignore-lsp-errors, isis adjacency-filter, isis advertise prefix, isis authentication key, isis authentication mode, isis authentication send-only, isis circuit-type, isis csnp-interval, isis hello-interval, isis hello-multiplier, isis hello padding, isis lsp-interval, isis metric, isis password, isis priority, isis protocol shutdown, isis retransmit-interval, isis retransmit-throttle-interval, isis tag, is-type, log-adjacency-changes, lsp-full suppress, lsp-gen-interval, lsp-refresh-interval, max-area-addresses, max-lsp-lifetime, maximum-paths, metric, metric-style, net, passive-interface, prc-interval, protocol shutdown, redistribute isis, route priority high, route isis, set-attached-bit, set-overload-bit, show clns, show isis, show router isis, spf-interval, summary-address.
We introduced the following screens:
Configuration > Device Setup > Routing > ISIS
Monitoring > Routing > ISIS
High Availability and Scalability Features
Support for site-specific IP addresses in Routed, Spanned EtherChannel mode
For inter-site clustering in routed mode with Spanned EtherChannels, you can now configure site-specific IP addresess in addition to site-specific MAC addresses. The addition of site IP addresses allows you to use ARP inspection on the Overlay Transport Virtualization (OTV) devices to prevent ARP responses from the global MAC address from traveling over the Data Center Interconnect (DCI), which can cause routing problems. ARP inspection is required for some switches that cannot use VACLs to filter MAC addresses.
We modified the following commands: mac-address, show interface
We modified the following screen:
Administrative Features
Longer password support for local username and enable passwords (up to 127 characters)
You can now create local username and enable passwords up to 127 characters (the former limit was 32). When you create a password longer than 32 characters, it is stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Shorter passwords continue to use the MD5-based hashing method.
We modified the following commands: enable, username
We modified the following screens:
Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB
The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported. This is a table of memory pool monitoring entries for all physical entities on a managed system.
Note The CISCO-ENHANCED-MEMPOOL-MIB uses 64-bit counters and supports reporting of memory on platforms with more than 4GB of RAM.
We did not add or modify any commands.
We did not add or modify any screens.
Also available in 9.1(7) and 9.4(3).
REST API Version 1.3.1
We added support for the REST API Version 1.3.1.
New Features in Version 9.5
New Features in ASA 9.5(3.9)/ASDM 7.6(2)
Released: April 11, 2017
Note
Verion 9.5(3) was removed from Cisco.com due to bug CSCvd78303.
Configurable SSH encryption and HMAC algorithm.
Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms. You might want to change the ciphers to be more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then the performance is much slower than a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example.
We introduced the following commands: ssh cipher encryption, ssh cipher integrity.
We introduced the following screen:
Also available in 9.1(7) and 9.4(3).
New Features in ASAv 9.5(2.200)/ASDM 7.5(2.153)
Released: January 28, 2016
Note
This release supports only the ASAv.
Microsoft Azure support on the ASAv10
Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V Hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper V Hypervisor. The ASAv on Microsoft Azure supports one instance type, the Standard D3, which supports four vCPUs, 14 GB, and four interfaces.
Licensing Features
Permanent License Reservation for the ASAv
For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv.
Note Not all accounts are approved for permanent license reservation. Make sure you have approval from Cisco for this feature before you attempt to configure it.
We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return
No ASDM support.
Smart Agent Upgrade to v1.6
The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account.
Note If you downgrade from Version 9.5(2.200), the ASAv does not retain the licensing registration state. You need to re-register with the license smart register idtoken id_token force commandConfiguration > Device Management > Licensing > Smart Licensing page with the Force registration option; obtain the ID token from the Smart Software Manager.
We introduced the following commands: show license status, show license summary, show license udi, show license usage
We modified the following commands: show license all, show tech-support license
We deprecated the following commands: show license cert, show license entitlement, show license pool, show license registration
We did not change any screens.
New Features in ASA 9.5(2.1)/ASDM 7.5(2)
Released: December 14, 2015
Note
This release supports only the ASA on the Firepower 9300.
Platform Features
VPN support for the ASA on the Firepower 9300
With FXOS 1.1.3, you can now configure VPN features. Flow off-load for the ASA on the Firepower 9300
You can identify flows that should be off-loaded from the ASA and switched directly in the NIC (on the Firepower 9300). This provides improved performance for large data flows in data centers.
Also requires FXOS 1.1.3.
We added or modified the following commands: clear flow-offload, flow-offload enable, set-connection advanced-options flow-offload, show conn detail, show flow-offload.
We added or modified the following screens: , the tab when adding or editing rules under .
Inter-chassis clustering for 6 modules, and inter-site clustering for the ASA on the Firepower 9300
With FXOS 1.1.3, you can now enable inter-chassis, and by extension inter-site clustering. You can include up to 6 modules in up to 6 chassis.
We did not modify any commands.
We did not modify any screens.
Licensing Features
Strong Encryption (3DES) license automatically applied for the ASA on the Firepower 9300
For regular Cisco Smart Software Manager users, the Strong Encryption license is automatically enabled for qualified customers when you apply the registration token on the Firepower 9300.
Note If you are using the Smart Software Manager satellite deployment, to use ASDM and other strong encryption features, after you deploy the ASA you must enable the Strong Encryption (3DES) license using the ASA CLI.
This feature requires FXOS 1.1.3.
We removed the following command for non-satellite configurations: feature strong-encryption
We modified the following screen:
New Features in ASA 9.5(2)/ASDM 7.5(2)
Released: November 30, 2015
Platform Features
Cisco ISA 3000 Support
The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model comes with the ASA Firepower module pre-installed. Special features for this model include a customized transparent mode default configuration, as well as a hardware bypass function to allow traffic to continue flowing through the appliance when there is a loss of power.
We introduced the following command: hardware-bypass, hardware-bypass manual, hardware-bypass boot-delay
We modified the following screen:
Also in Version 9.4(1.225).
DCERPC inspection improvements and UUID filtering
DCERPC inspection now supports NAT for OxidResolver ServerAlive2 opnum5 messages. You can also now filter on DCERPC message universally unique identifiers (UUIDs) to reset or log particular message types. There is a new DCERPC inspection class map for UUID filtering.
We introduced the following command: match [not] uuid. We modified the following command: class-map type inspect.
We added the following screen: .
We modified the following screen: .
You can now inspect Diameter traffic. Diameter inspection requires the Carrier license.
We introduced or modified the following commands: class-map type inspect diameter, diameter, inspect diameter, match application-id, match avp, match command-code, policy-map type inspect diameter, show conn detail, show diameter, show service-policy inspect diameter, unsupported
We added or modified the following screens:
and Diameter AVP
add/edit wizard's tab
You can now use the SCTP protocol and port specifications in service objects, access control lists (ACLs) and access rules, and inspect SCTP traffic. SCTP inspection requires the Carrier license.
We introduced the following commands: access-list extended , clear conn protocol sctp, inspect sctp, match ppid, nat static (object), policy-map type inspect sctp, service-object, service, set connection advanced-options sctp-state-bypass, show conn protocol sctp, show local-host connection sctp, show service-policy inspect sctp, timeout sctp
We added or modified the following screens:
add/edit dialogs
add/edit dialogs
add/edit static network object NAT rule, Advanced NAT Settings dialog box
add/edit dialogs
add/edit wizard' s and Connection Settings tabs
Carrier Grade NAT enhancements now supported in failover and ASA clustering
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888). This feature is now supported in failover and ASA cluster deployments.
We modified the following command: show local-host
We did not modify any screens.
Captive portal for active authentication on ASA FirePOWER 6.0.
The captive portal feature is required to enable active authentication using identity policies starting with ASA FirePOWER 6.0.
We introduced or modified the following commands: captive-portal, clear configure captive-portal, show running-config captive-portal.
Cisco Locator/ID Separation Protocol (LISP) architecture separates the device identity from its location into two different numbering spaces, making server migration transparent to clients. The ASA can inspect LISP traffic for location changes and then use this information for seamless clustering operation; the ASA cluster members inspect LISP traffic passing between the first hop router and the egress tunnel router (ETR) or ingress tunnel router (ITR), and then change the flow owner to be at the new site.
We introduced or modified the following commands: allowed-eid, clear cluster info flow-mobility counters, clear lisp eid, cluster flow-mobility lisp, debug cluster flow-mobility, debug lisp eid-notify-intercept, flow-mobility lisp, inspect lisp, policy-map type inspect lisp, site-id, show asp table classify domain inspect-lisp, show cluster info flow-mobility counters, show conn, show lisp eid, show service-policy, validate-key
We introduced or modified the following screens:
ASA 5516-X support for clustering
The ASA 5516-X now supports 2-unit clusters. Clustering for 2 units is enabled by default in the base license.
We did not modify any commands.
We did not modify any screens.
Configurable level for clustering trace entries
By default, all levels of clustering events are included in the trace buffer, including many low level events. To limit the trace to higher level events, you can set the minimum trace level for the cluster.
We introduced the following command: trace-level
We did not modify any screens.
Interface Features
Support to map Secondary VLANs to a Primary VLAN
You can now configure one or more secondary VLANs for a subinterface. When the ASA receives traffic on the secondary VLANs, it maps the traffic to the primary VLAN.
We introduced or modified the following commands: vlan secondary, show vlan mapping
We modified the following screens:
PIM Bootstrap Router (BSR) support for multicast routing
The ASA currently supports configuring static RPs to route multicast traffic for different groups. For large complex networks where multiple RPs could exist, the ASA now supports dynamic RP selection using PIM BSR to support mobility of RPs.
We introduced the following commands: clear pim group-map, debug pim bsr, pim bsr-border, pim bsr-candidate, show pim bsr-router, show pim group-map rp-timers
We introduced the following screen:
You can now use the following remote access features in multiple context mode:
AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)
Centralized AnyConnect image configuration
AnyConnect image upgrade
Context Resource Management for AnyConnect connections
Note The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy license.
We introduced the following commands: limit-resource vpn anyconnect, limit-resource vpn burst anyconnect
We modified the following screen:
Clientless SSL VPN offers SAML 2.0-based Single Sign-On (SSO) functionality
The ASA acts as a SAML Service Provider.
Clientless SSL VPN conditional debugging
You can debug logs by filtering, based on the filter condition sets, and can then better analyze them.
We introduced the following additions to the debug command:
[no] debug webvpn condition user <user name>
[no] debug webvpn condition group <group name>
[no] debug webvpn condition p-ipaddress <ipv4> [subnet<mask>]
[no] debug webvpn condition p-ipaddress <ipv6> [prefix<prefix>]
debug webvpn condition reset
show debug webvpn condition
show webvpn debug-condition
Clientless SSL VPN cache disabled by default
The clientless SSL VPN cache is now disabled by default. Disabling the clientless SSL VPN cache provides better stability. If you want to enable the cache, you must manually enable it.
webvpn cache no disableWe modified the following command: cache
We modified the following screen:
Licensing Features
Validation of the Smart Call Home/Smart Licensing certificate if the issuing hierarchy of the server certificate changes
Smart licensing uses the Smart Call Home infrastructure. When the ASA first configures Smart Call Home anonymous reporting in the background, it automatically creates a trustpoint containing the certificate of the CA that issued the Smart Call Home server certificate. The ASA now supports validation of the certificate if the issuing hierarchy of the server certificate changes; you can enable the automatic update of the trustpool bundle at periodic intervals.
We introduced the following command: auto-import
We modified the following screen:
New Carrier license
The new Carrier license replaces the existing GTP/GPRS license, and also includes support for SCTP and Diameter inspection. For the ASA on the Firepower 9300, the feature mobile-sp command will automatically migrate to the feature carrier command.
We introduced or modified the following commands: feature carrier, show activation-key, show license, show tech-support, show version
We modified the following screen:
Monitoring Features
SNMP engineID sync
In an HA pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote engineID.
An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running config output will show two engineIDs per user.
We modified the following commands: snmp-server user, no snmp-server user
We did not add or modify any screens.
Also available in 9.4(3).
show tech support enhancements
The show tech support command now:
Includes dir all-filesystems output—This output can be helpful in the following cases:
Removes the show kernel cgroup-controller detail output—This command output will remain in the output of show tech-support detail.
We modified the following command: show tech support
We did not add or modify any screens.
Also available in 9.1(7) and 9.4(3).
logging debug-trace persistence
Formerly, when you enabled logging debug-trace to redirect debugs to a syslog server, if the SSH connection were disconnected (due to network connectivity or timeout), then the debugs were removed. Now, debugs persist for as long as the logging command is in effect.
We modified the following command: logging debug-trace
We did not modify any screens.
New Features in ASA 9.5(1.5)/ASDM 7.5(1.112)
Released: November 11, 2015
The 6.0 software version for the ASA FirePOWER module is supported on all previously supported device models.
Support for managing the ASA FirePOWER module through ASDM for the 5512-X through 5585-X.
You can manage the ASA FirePOWER module using ASDM instead of using Firepower Management Center (formerly FireSIGHT Management Center) when running version 6.0 on the module. You can still use ASDM to manage the module on the 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X when running 6.0.
No new screens or commands were added.
New Features in ASDM 7.5(1.90)
Released: October 14, 2015
ASDM supports AnyConnect 4.2 and the Network Visibility Module (NVM). NVM enhances the enterprise administrator’s ability to do capacity and service planning, auditing, compliance, and security analytics. The NVM collects the endpoint telemetry and logs both the flow data and the file reputation in the syslog and also exports the flow records to a collector (a third-party vendor), which performs the file analysis and provides a UI interface.
We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile (a new profile called Network Visibility Service Profile)
New Features in ASAv 9.5(1.200)/ASDM 7.5(1)
Released: August 31, 2015
Note
This release supports only the ASAv.
New Features in ASA 9.5(1)/ASDM 7.5(1)
Released: August 12, 2015
Note
This version does not support the Firepower 9300 ASA security module or the ISA 3000.
GTP inspection can now handle GTPv2. In addition, GTP inspection for all versions now supports IPv6 addresses.
We modified the following commands: clear service-policy inspect gtp statistics, clear service-policy inspect gtp pdpmcb, clear service-policy inspect gtp request, match message id, show service-policy inspect gtp pdpmcb, show service-policy inspect gtp request, show service-policy inspect gtp statistics, timeout endpoint
We deprecated the following command: timeout gsn
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > GTP
IP Options inspection now supports all possible IP options. You can tune the inspection to allow, clear, or drop any standard or experimental options, including those not yet defined. You can also set a default behavior for options not explicitly defined in an IP options inspection map.
We introduced the following commands: basic-security, commercial-security, default, exp-flow-control, exp-measure, extended-security, imi-traffic-description, quick-start, record-route, timestamp
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > IP Options
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888).
We introduced the following commands: xlate block-allocation size, xlate block-allocation maximum-per-host. We added the block-allocation keyword to the nat command.
We introduced the following screen: Configuration > Firewall > Advanced > PAT Port Block Allocation. We added Enable Block Allocation the object NAT and twice NAT dialog boxes.
Inter-site clustering support for Spanned EtherChannel in Routed firewall mode
You can now use inter-site clustering for Spanned EtherChannels in routed mode. To avoid MAC address flapping, configure a site ID for each cluster member so that a site-specific MAC address for each interface can be shared among a site’s units.
We introduced or modified the following commands: site-id, mac-address site-id, show cluster info, show interface
We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration
ASA cluster customization of the auto-rejoin behavior when an interface or the cluster control link fails
You can now customize the auto-rejoin behavior when an interface or the cluster control link fails.
We introduced the following command: health-check auto-rejoin
We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Auto Rejoin
The ASA cluster now supports GTPv1 and GTPv2 inspection.
We did not modify any commands.
We did not modify any screens.
Cluster replication delay for TCP connections
This feature helps eliminate the “unnecessary work” related to short-lived flows by delaying the director/backup flow creation.
We introduced the following command: cluster replication delay
We introduced the following screen:
Also available for the Firepower 9300 ASA security module in Version 9.4(1.152).
Disable health monitoring of a hardware module in ASA clustering
By default when using clustering, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.
We modified the following command: health-check monitor-interface service-module
We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring
Enable use of the Management 1/1 interface as the failover link on the ASA 5506H
On the ASA 5506H only, you can now configure the Management 1/1 interface as the failover link. This feature lets you use all other interfaces on the device as data interfaces. Note that if you use this feature, you cannot use the ASA Firepower module, which requires the Management 1/1 interface to remain as a regular management interface.
We modified the following commands: failover lan interface, failover link
We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Setup
IPv6 addresses are now supported for Policy Based Routing.
We introduced the following commands: set ipv6 next-hop, set default ipv6-next hop, set ipv6 dscp
We modified the following screens:
Configuration > Device Setup > Routing > Route Maps > Add Route Map > Policy Based Routing
Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause
VXLAN support for Policy Based Routing
You can now enable Policy Based Routing on a VNI interface.
We did not modify any commands.
We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Interface > General
Policy Based Routing support for Identity Firewall and Cisco Trustsec
You can configure Identity Firewall and Cisco TrustSec and then use Identity Firewall and Cisco TrustSec ACLs in Policy Based Routing route maps.
We did not modify any commands.
We modified the following screen: Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause
Separate routing table for management-only interfaces
To segregate and isolate management traffic from data traffic, the ASA now supports a separate routing table for management-only interfaces.
We introduced or modified the following commands: backup, clear ipv6 route management-only, clear route management-only, configure http, configure net, copy, enrollment source, name-server, restore, show asp table route-management-only, show ipv6 route management-only show route management-only
We did not modify any screens.
Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) pass-through support
The ASA now allows PIM-SSM packets to pass through when you enable multicast routing, unless the ASA is the Last-Hop Router. This feature allows greater flexibility in choosing a multicast group while also protecting against different attacks; hosts only receive traffic from explicitly-requested sources.
We did not modify any commands.
We did not modify any screens.
ASA VPN code has been enhanced to support full IPv6 capabilities. No configuration change is necessary for the administrator. Added support and a predefined application template for this new SharePoint version.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks > Add Bookmark List > Select Bookmark Type > Predefined application templates
Added CSCO_WEBVPN_DYNAMIC_URL and CSCO_WEBVPN_MACROLIST to the list of macros when using bookmarks. These macros allow the administrator to configure a single bookmark that can generate multiple bookmark links on the clientless user’s portal and to statically configure bookmarks to take advantage of arbitrarily sized lists provided by LDAP attribute maps.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks
The overall banner length, which is displayed during post-login on the VPN remote client portal, has increased from 500 to 4000.
We modified the following command: banner (group-policy).
We modified the following screen: Configuration > Remote Access VPN > .... Add/Edit Internal Group Policy > General Parameters > Banner
Cisco Easy VPN client on the ASA 5506-X, 5506W-X, 5506H-X, and 5508-X
This release supports Cisco Easy VPN on the ASA 5506-X series and for the ASA 5508-X. The ASA acts as a VPN hardware client when connecting to the VPN headend. Any devices (computers, printers, and so on) behind the ASA on the Easy VPN port can communicate over the VPN; they do not have to run VPN clients individually. Note that only one ASA interface can act as the Easy VPN port; to connect multiple devices to that port, you need to place a Layer 2 switch on the port, and then connect your devices to the switch.
We introduced the following commands: vpnclient enable, vpnclient server, vpnclient mode, vpnclient username, vpnclient ipsec-over-tcp, vpnclient management, vpnclient vpngroup, vpnclient trustpoint, vpnclient nem-st-autoconnect, vpnclient mac-exempt
We introduced the following screen: Configuration > VPN > Easy VPN Remote
Monitoring Features
Show invalid usernames in syslog messages
You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the “username” in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.
We introduced the following command: no logging hide username
We modified the following screen: Configuration > Device Management > Logging > Syslog Setup
This feature is also available in 9.2(4) and 9.3(3).
REST API Features
REST API Version 1.2.1
We added support for the REST API Version 1.2.1.
New Features in Version 9.4
New Features in ASA 9.4(4.5)/ASDM 7.6(2)
Released: April 3, 2017
Note
Verion 9.4(4) was removed from Cisco.com due to bug CSCvd78303.
There are no new features in this release.
New Features in ASA 9.4(3)/ASDM 7.6(1)
Released: April 25, 2016
Firewall Features
Connection holddown timeout for route convergence
You can now configure how long the system should maintain a connection when the route used by the connection no longer exists or is inactive. If the route does not become active within this holddown period, the connection is freed. You can reduce the holddown timer to make route convergence happen more quickly. However, the 15 second default is appropriate for most networks to prevent route flapping.
We added the following command: timeout conn-holddown
We modified the following screen:
Configurable SSH encryption and HMAC algorithm.
Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms.
We introduced the following commands: ssh cipher encryption, ssh cipher integrity.
We introduced the following screen:
Also available in 9.1(7).
HTTP redirect support for IPv6
When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can now redirect traffic sent an to IPv6 address.
We added functionality to the following command: http redirect
We added functionality to the following screen:
Also available in 9.1(7).
SNMP engineID sync for Failover
In a failover pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote engineID.
An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running config output will show two engineIDs per user.
We modified the following command: snmp-server user
No ASDM support.
show tech support enhancements
The show tech support command now:
Includes dir all-filesystems output—This output can be helpful in the following cases:
Removes the show kernel cgroup-controller detail output—This command output will remain in the output of show tech-support detail.
We modified the following command: show tech support
We did not add or modify any screens.
Also available in 9.1(7).
Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB
The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported. This is a table of memory pool monitoring entries for all physical entities on a managed system.
Note The CISCO-ENHANCED-MEMPOOL-MIB uses 64-bit counters and supports reporting of memory on platforms with more than 4GB of RAM.
We did not add or modify any commands.
We did not add or modify any screens.
Also available in 9.1(7).
New Features in ASA 9.4(1.225)/ASDM 7.5(1)
Released: September 17, 2015
Note
This release supports only the Cisco ISA 3000.
Cisco ISA 3000 Support
The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model comes with the ASA Firepower module pre-installed. Special features for this model include a customized transparent mode default configuration, as well as a hardware bypass function to allow traffic to continue flowing through the appliance when there is a loss of power.
We introduced the following commands: hardware-bypass, hardware-bypass manual, hardware-bypass boot-delay, show hardware-bypass
We introduced the following screen:
The hardware-bypass boot-delay command is not available in ASDM 7.5(1).
This feature is not available in Version 9.5(1).
New Features in ASA 9.4(1.152)/ASDM 7.4(3)
Released: July 13, 2015
Note
This release supports only the ASA on the Firepower 9300.
We introduced the ASA security module on the Firepower 9300.
Note Firepower Chassis Manager 1.1.1 does not support any VPN features (site-to-site or remote access) for the ASA security module on the Firepower 9300.
High Availability Features
Intra-chassis ASA Clustering for the Firepower 9300
You can cluster up to 3 security modules within the Firepower 9300 chassis. All modules in the chassis must belong to the cluster.
We introduced the following commands: cluster replication delay, debug service-module, management-only individual, show cluster chassis
Licensing Features
Cisco Smart Software Licensing for the ASA on the Firepower 9300
We introduced Smart Software Licensing for the ASA on the Firepower 9300.
We introduced the following commands: feature strong-encryption, feature mobile-sp, feature context
We modified the following screen:
New Features in ASAv 9.4(1.200)/ASDM 7.4(2)
Released: May 12, 2015
Note
This release supports only the ASAv.
New Features in ASA 9.4(1)/ASDM 7.4(1)
Released: March 30, 2015
We introduced the ASA 5506W-X with wireless access point, hardened ASA 5506H-X, ASA 5508-X, and ASA 5516-X models.
We introduced the following command: hw-module module wlan recover image, hw-module module wlan recover image.
Department of Defense Unified Capabilities Requirements (UCR) 2013 Certification
The ASA was updated to comply with the DoD UCR 2013 requirements. See the rows in this table for the following features that were added for this certification:
When you enable FIPS mode on the ASA, additional restrictions are put in place for the ASA to be FIPS 140-2 compliant. Restrictions include:
RSA and DH Key Size Restrictions—Only RSA and DH keys 2K (2048 bits) or larger are allowed. For DH, this means groups 1 (768 bit), 2 (1024 bit), and 5 (1536 bit) are not allowed.
Note Restrictions on the Hash Algorithm for Digital Signatures—Only SHA256 or better is allowed.
SSH Cipher Restrictions—Allowed ciphers: aes128-cbc or aes256-cbc. MACs: SHA1
To see the FIPS certification status for the ASA, see:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
See the Computer Security Division Computer Security Resource Center site for more information:
If you have multiple SIP signaling flows going through an ASA with multiple cores, SIP inspection performance has been improved. However, you will not see improved performance if you are using a TLS, phone, or IME proxy.
SIP inspection support for Phone Proxy and UC-IME Proxy was removed.
You can no longer use Phone Proxy or UC-IME Proxy when configuring SIP inspection. Use TLS Proxy to inspect encrypted traffic.
We removed the following commands: phone-proxy, uc-ime. We removed the phone-proxy and uc-ime keywords from the inspect sip command.
We removed Phone Proxy and UC-IME Proxy from the Select SIP Inspect Map service policy dialog box.
DCERPC inspection support for ISystemMapper UUID message RemoteGetClassObject opnum3.
The ASA started supporting non-EPM DCERPC messages in release 8.3, supporting the ISystemMapper UUID message RemoteCreateInstance opnum4. This change extends support to the RemoteGetClassObject opnum3 message.
The ASA supports an unlimited number of SNMP server trap hosts per context. The show snmp-server host command output displays only the active hosts that are polling the ASA, as well as the statically configured hosts.
The ASA can inspect the VXLAN header to enforce compliance with the standard format.
We introduced the following command: inspect vxlan.
We modified the following screen: Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > Protocol Inspection
You can now monitor DHCP statistics and DHCP bindings for IPv6.
We introduced the following screens:
Monitoring > Interfaces > DHCP > IPV6 DHCP Statistics Monitoring > Interfaces > DHCP > IPV6 DHCP Binding.
ESMTP inspection change in default behavior for TLS sessions.
The default for ESMTP inspection was changed to allow TLS sessions, which are not inspected. However, this default applies to new or reimaged systems. If you upgrade a system that includes no allow-tls, the command is not changed.
The change in default behavior was also made in these older versions: 8.4(7.25), 8.5(1.23), 8.6(1.16), 8.7(1.15), 9.0(4.28), 9.1(6.1), 9.2(3.2) 9.3(1.2), 9.3(2.2).
You can now block specific syslogs from being generated on a standby unit.
We introduced the following command: no logging message syslog-id standby.
Enable and disable ASA cluster health monitoring per interface
You can now enable or disable health monitoring per interface. Health monitoring is enabled by default on all port-channel, redundant, and single physical interfaces. Health monitoring is not performed on VLAN subinterfaces or virtual interfaces such as VNIs or BVIs. You cannot configure monitoring for the cluster control link; it is always monitored. You might want to disable health monitoring of non-essential interfaces, for example, the management interface.
We introduced the following command: health-check monitor-interface.
We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring
You can now configure DHCP relay on the ASA cluster. Client DHCP requests are load-balanced to the cluster members using a hash of the client MAC address. DHCP client and server functions are still not supported.
We introduced the following command: debug cluster dhcp-relay
You can now configure SIP inspection on the ASA cluster. A control flow can be created on any unit (due to load balancing), but its child data flows must reside on the same unit. TLS Proxy configuration is not supported.
We introduced the following command: show cluster service-policy
Policy Based Routing (PBR) is a mechanism by which traffic is routed through specific paths with a specified QoS using ACLs. ACLs let traffic be classified based on the content of the packet’s Layer 3 and Layer 4 headers. This solution lets administrators provide QoS to differentiated traffic, distribute interactive and batch traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost switched paths, and allows Internet service providers and other organizations to route traffic originating from various sets of users through well-defined Internet connections.
We introduced the following commands: set ip next-hop verify-availability, set ip next-hop, set ip next-hop recursive, set interface, set ip default next-hop, set default interface, set ip df, set ip dscp, policy-route route-map, show policy-route, debug policy-route
We introduced or modified the following screens:
Configuration > Device Setup > Routing > Route Maps > Policy Based Routing Configuration > Device Setup > Routing > Interface Settings > Interfaces.
VXLAN support was added, including VXLAN tunnel endpoint (VTEP) support. You can define one VTEP source interface per ASA or security context.
We introduced the following commands: debug vxlan, default-mcast-group, encapsulation vxlan, inspect vxlan, interface vni, mcast-group, nve, nve-only, peer ip, segment-id, show arp vtep-mapping, show interface vni, show mac-address-table vtep-mapping, show nve, show vni vlan-mapping, source-interface, vtep-nve, vxlan port
We introduced the following screens:
Configuration > Device Setup > Interface Settings > Interfaces > Add > VNI Interface Configuration > Device Setup > Interface Settings > VXLAN
Monitoring Features
Memory tracking for the EEM
We have added a new debugging feature to log memory allocations and memory usage, and to respond to memory logging wrap events.
We introduced or modified the following commands: memory logging, show memory logging, show memory logging include, event memory-logging-wrap
We modified the following screen: Configuration > Device Management > Advanced > Embedded Event Manager > Add Event Manager Applet > Add Event Manager Applet Event
Troubleshooting crashes
The show tech-support command output and show crashinfo command output includes the most recent 50 lines of generated syslogs. Note that you must enable the logging buffer command to enable these results to appear.
TLSv1.2 added support for the following ciphers:
We introduced the following command: ssl ecdh-group.
We modified the following screen: Configuration > Remote Access VPN > Advanced > SSL Settings.
You can now prevent a Clientless SSL VPN session cookie from being accessed by a third party through a client-side script such as Javascript.
Note Use this feature only if Cisco TAC advises you to do so. Enabling this command presents a security risk because the following Clientless SSL VPN features will not work without any warning.
We introduced the following command: http-only-cookie.
We introduced the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > HTTP Cookie.
The ASA now supports security group tagging-based policy control for Clientless SSL remote access to internal applications and websites. This feature uses Citrix’s virtual desktop infrastructure (VDI) with XenDesktop as the delivery controller and the ASA’s content transformation engine.
See the following Citrix product documentation for more information:
Policies for XenDesktop and XenApp: http://support.citrix.com/proddocs/topic/infocenter/ic-how-to-use.html
Managing policies in XenDesktop 7: http://support.citrix.com/proddocs/topic/xendesktop-7/cds-policies-wrapper-rho.html
Using group policy editor for XenDesktop 7 policies: http://support.citrix.com/proddocs/topic/xendesktop-7/cds-policies-use-gpmc.html
OWA 2013 feature support has been added for Clientless SSL VPN
Clientless SSL VPN supports the new features in OWA 2013 except for the following:
Active Directory Federation Services (AD FS) 2.0. The ASA and AD FS 2.0 can't negotiate encryption protocols.
Citrix XenDesktop 7.5 and StoreFront 2.5 support has been added for Clientless SSL VPN
Clientless SSL VPN supports the access of XenDesktop 7.5 and StoreFront 2.5.
See http://support.citrix.com/proddocs/topic/xenapp-xendesktop-75/cds-75-about-whats-new.html for the full list of XenDesktop 7.5 features, and for more details.
See http://support.citrix.com/proddocs/topic/dws-storefront-25/dws-about.html for the full list of StoreFront 2.5 features, and for more details.
When you enable periodic certificate authentication, the ASA stores certificate chains received from VPN clients and re-authenticates them periodically.
We introduced or modified the following commands: periodic-authentication certificate, revocation-check, show vpn-sessiondb
We modified the following screens:
Configuration > Device Management > Certificate Management > Identity Certificates Configuration > Device Management > Certificate Management > CA Certificates
The ASA checks all CA and ID certificates in the trust points for expiration once every 24 hours. If a certificate is nearing expiration, a syslog will be issued as an alert. You can configure the reminder and recurrence intervals. By default, reminders will start at 60 days prior to expiration and recur every 7 days.
We introduced or modified the following commands: crypto ca alerts expiration
We modified the following screens:
Configuration > Device Management > Certificate Management > Identity Certificates Configuration > Device Management > Certificate Management > CA Certificates
Certificates without the CA flag now cannot be installed on the ASA as CA certificates by default. The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate. You can configure the ASA to allow installation of these certificates if desired.
We introduced the following command: ca-check
We modified the following screens: Configuration > Device Management > Certificate Management > CA Certificates
Currently, if the ASA receives an inbound packet on an SA, and the packet’s header fields are not consistent with the selectors for the SA, then the ASA discards the packet. You can now enable or disable sending an IKEv2 notification to the peer. Sending this notification is disabled by default.
Note This feature is supported with AnyConnect 3.1.06060 and later.
We introduced the following command: crypto ikev2 notify invalid-selectors
You can now configure the IKEv2 pre-shared keys in hex.
We introduced the following command: ikev2 local-authentication pre-shared-key hex, ikev2 remote-authentication pre-shared-key hex
ASDM management authorization
You can now configure management authorization separately for HTTP access vs. Telnet and SSH access.
We introduced the following command: aaa authorization http console
We modified the following screen: Configuration > Device Management > Users/AAA > AAA Access > Authorization
When you enable ASDM certificate authentication (http authentication-certificate), you can configure how ASDM extracts the username from the certificate; you can also enable pre-filling the username at the login prompt.
We introduced the following command: http username-from-certificate
We introduced the following screen: Configuration > Device Management > Management Access > HTTP Certificate Rule.
terminal interactive command to enable or disable help when you enter ? at the CLI
Normally, when you enter ? at the ASA CLI, you see command help. To be able to enter ? as text within a command (for example, to include a ? as part of a URL), you can disable interactive help using the no terminal interactive command.
We introduced the following command: terminal interactive
REST API Version 1.1
We added support for the REST API Version 1.1.
Support for token-based authentication (in addition to existing basic authentication)
Client can send log-in request to a specific URL; if successful, a token is returned (in response header). Client then uses this token (in a special request header) for sending additional API calls. The token is valid until explicitly invalidated, or the idle/session timeout is reached.
The REST API agent can now be enabled in multi-context mode; the CLI commands can be issued only in system-context mode (same commands as single-context mode).
Pass-through CLI API commands can be used to configure any context, as follows.
https://<asa_admin_context_ip>/api/cli?context=<context_name>If the context parameter is not present, it is assumed that the request is directed to the admin context.
New Features in Version 9.3
New Features in ASA 9.3(3)/ASDM 7.4(1)
Released: April 22, 2015
You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the “username” in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.
We introduced the following command: no logging hide username
New Features in ASA 9.3(2)/ASDM 7.3(3)
Released: February 2, 2015
You can configure ASA FirePOWER on the ASA 5506-X using ASDM; a separate FireSIGHT Management Center is not required, although you can use one instead of ASDM.
We introduced the following screens:
Home > ASA FirePOWER Dashboard
Home > ASA FirePOWER Reporting
Configuration > ASA FirePOWER Configuration
Monitoring > ASA FirePOWER Monitoring
New Features in ASA 9.3(2)/ASDM 7.3(2)
Released: December 18, 2014
We introduced or modified the following commands: service sw-reset-button, upgrade rommon, show environment temperature accelerator
You can configure ASA FirePOWER on the ASA 5506-X using ASDM; a separate FireSIGHT Management Center is not required, although you can use one instead of ASDM. Note: This feature requires ASA 7.3(3).
We introduced the following screens:
Home > ASA FirePOWER Dashboard
Home > ASA FirePOWER Reporting
Configuration > ASA FirePOWER Configuration
Monitoring > ASA FirePOWER Monitoring
ASA FirePOWER passive monitor-only mode using traffic redirection interfaces
You can now configure a traffic forwarding interface to send traffic to the module instead of using a service policy. In this mode, neither the module nor the ASA affects the traffic.
We fully supported the following command: traffic-forward sfr monitor-only. You can configure this in CLI only.
You can now use the following mixed level SSPs in the ASA 5585-X:
Requirements: ASA SSP in slot 0, ASA FirePOWER SSP in slot 1
A REST API was added to support configuring and managing major functions of the ASA.
We introduced or modified the following commands: rest-api image, rest-api agent, show rest-api agent, debug rest-api, show version
ASA images are now signed using a digital signature. The digital signature is verified after the ASA is booted.
We introduced the following commands: copy /noverify, verify /image-signature, show software authenticity keys, show software authenticity file, show software authenticity running, show software authenticity development, software authenticity development, software authenticity key add special, software authenticity key revoke special
The accelerated security path (ASP) load balancing mechanism reduces packet drop and improves throughput by allowing multiple cores of the CPU to receive packets from an interface receive ring and work on them independently.
We introduced the following command: asp load-balance per-packet-auto
We introduced the following screen: Configuration > Device Management > Advanced > ASP Load Balancing
You can now edit ACLs and objects in an isolated configuration session. You can also forward reference objects and ACLs, that is, configure rules and access groups for objects or ACLs that do not yet exist.
We introduced the following commands: clear configuration session, clear session, configure session, forward-reference, show configuration session
SIP support for Trust Verification Services, NAT66, CUCM 10.5(1), and model 8831 phones.
You can now configure Trust Verification Services servers in SIP inspection. You can also use NAT66. SIP inspection has been tested with CUCM 10.5(1).
We introduced the following command: trust-verification-server.
We introduced the following screen: Configuration > Firewall > Objects > Inspection Maps > SIP > Add/Edit SIP Inspect Map > Details > TVS Server
SIP and SCCP inspections were tested and verified with Cisco Unified Communications Manager 10.5(1).
We now support an HTML 5-based browser solution for accessing the Citrix VDI, without requiring the Citrix Receiver client on the desktop.
We now support Clientless SSL VPN features such as the rewriter, smart tunnels, and plugins on all browsers that are supported on Mac OSX 10.9.
Interoperability with standards-based, third-party, IKEv2 remote access clients
We now support VPN connectivity via standards-based, third-party, IKEv2 remote-access clients (in addition to AnyConnect). Authentication support includes preshared keys, certificates, and user authentication via the Extensible Authentication Protocol (EAP).
We introduced or modified the following commands: ikev2 remote-authentication, ikev2 local-authentication, clear vpn-sessiondb, show vpn-sessiondb, vpn-sessiondb logoff
We introduced or modified the following screens:
Wizards > IPsec IKEv2 Remote Access Wizard.
Configuration > Remote Access VPN > Network (Client) Access > IPsec (IKEv2) Connection Profiles
Configuration > Remote Access VPN > Network (Client) Access > IPsec (IKEv2) Connection Profiles > Add/Edit > Advanced > IPsec
Monitoring > VPN > VPN Statistics > Sessions
We now support TLS version 1.2 for secure message transmission for ASDM, Clientless SSVPN, and AnyConnect VPN.
We introduced or modified the following commands: ssl client-version, ssl server-version, ssl cipher, ssl trust-point, ssl dh-group, show ssl, show ssl cipher, show vpn-sessiondb
We deprecated the following command: ssl encryption
We modified the following screens:
Configuration > Device Management > Advanced > SSL Settings
Configuration > Remote Access VPN > Advanced > SSL Settings
AnyConnect 4.0 now supports TLS version 1.2 with the following four additional cipher suites: DHE-RSA-AES256-SHA256, DHE-RSA-AES128-SHA256, AES256-SHA256, and AES128-SHA256.
Smart Software Licensing lets you purchase and manage a pool of licenses. Unlike PAK licenses, smart licenses are not tied to a specific serial number. You can easily deploy or retire ASAvs without having to manage each unit’s license key. Smart Software Licensing also lets you see your license usage and needs at a glance.
We introduced the following commands: clear configure license, debug license agent, feature tier, http-proxy, license smart, license smart deregister, license smart register, license smart renew, show license, show running-config license, throughput level
We introduced or modified the following screens:
Configuration > Device Management > Licensing > Smart License
Configuration > Device Management > Smart Call-Home
Monitoring > Properties > Smart License
Lock configuration changes on the standby unit or standby context in a failover pair
You can now lock configuration changes on the standby unit (Active/Standby failover) or the standby context (Active/Active failover) so you cannot make changes on the standby unit outside normal configuration syncing.
We introduced the following command: failover standby config-lock
We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Setup
ASA clustering inter-site deployment in transparent mode with the ASA cluster firewalling between inside networks
You can now deploy a cluster in transparent mode between inside networks and the gateway router at each site (AKA East-West insertion), and extend the inside VLANs between sites. We recommend using Overlay Transport Virtualization (OTV), but you can use any method that ensures that the overlapping MAC Addresses and IP addresses of the gateway router do not leak between sites. Use a First Hop Redundancy Protocol (FHRP) such as HSRP to provide the same virtual MAC and IP addresses to the gateway routers.
You can group interfaces together into a traffic zone to accomplish traffic load balancing (using Equal Cost Multi-Path (ECMP) routing), route redundancy, and asymmetric routing across multiple interfaces.
Note You cannot apply a security policy to a named zone; the security policy is interface-based. When interfaces in a zone are configured with the same access rule, NAT, and service policy, then load-balancing and asymmetric routing operate correctly.
We introduced or modified the following commands: zone, zone-member, show running-config zone, clear configure zone, show zone, show asp table zone, show nameif zone, show conn long, show local-host zone, show route zone, show asp table routing, clear conn zone, clear local-host zone
We introduced or modified the following screens:
Configuration > Device Setup > Interface Parameters > Zones
Configuration > Device Setup > Interface Parameters > Interfaces
We introduced or modified the following commands: address-family ipv6, bgp router-id, ipv6 prefix-list, ipv6 prefix-list description, ipv6 prefix-list sequence-number, match ipv6 next-hop, match ipv6 route-source, match ipv6- address prefix-list, set ipv6-address prefix -list, set ipv6 next-hop, set ipv6 next-hop peer-address
We introduced the following screen: Configuration > Device Setup > Routing > BGP > IPv6 Family
The CISCO-PRODUCTS-MIB and CISCO-ENTITY-VENDORTYPE-OID-MIB have been updated to support the new ASA 5506-X.
The ASA 5506-X have been added as new products to the SNMP sysObjectID OID and entPhysicalVendorType OID.
The ASA now supports the CISCO-CONFIG-MAN-MIB, which enables you to do the following:
Know which commands have been entered for a specific configuration.
Notify the NMS when a change has occurred in the running configuration.
Track the time stamps associated with the last time that the running configuration was changed or saved.
Track other changes to commands, such as terminal details and command sources.
We modified the following command: snmp-server enable traps
We modified the following screen: Configuration > Device Management > Management Access > SNMP > Configure Traps > SNMP Trap Configuration
The show route-summary command output has been added to the show tech-support detail command.
We now support complete system backup and restoration using the CLI.
We introduced the following commands: backup, restore
We did not modify any screens. This functionality is already available in ASDM.
New Features in ASA 9.3(1)/ASDM 7.3(1)
Released: July 24, 2014
NoteThe ASA 5505 is not supported in this release or later. ASA Version 9.2 was the final release for the ASA 5505.
You can now inspect IPv6 traffic when using SIP, SCCP, and TLS Proxy (using SIP or SCCP).
The ASA now interoperates with Cisco Unified Communications Manager Version 8.6 (including SCCPv21 support).
Transactional Commit Model on rule engine for access groups and NAT
When enabled, a rule update is applied after the rule compilation is completed; without affecting the rule matching performance.
We introduced the following commands: asp rule-engine transactional-commit, show running-config asp rule-engine transactional-commit, clear configure asp rule-engine transactional-commit
We introduced the following screen: Configuration > Device Management > Advanced > Rule Engine
We added support for XenDesktop 7 to clientless SSL VPN. When creating a bookmark with auto sign-on, you can now specify a landing page URL or a Control ID.
We did not modify any commands.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks
Custom attributes define and configure AnyConnect features that have not been incorporated into the ASA, such as Deferred Upgrade. Custom attribute configuration has been enhanced to allow multiple values and longer values, and now requires a specification of their type, name and value. They can now be added to Dynamic Access Policies as well as Group Policies. Previously defined custom attributes will be updated to this enhanced configuration format upon upgrade to 9.3.x.
We introduced or modified the following commands: anyconnect-custom-attr, anyconnect-custom-data, and anyconnect-custom
We introduced or modified the following screens:
Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attributes
Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attribute Names
Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add/Edit > Advanced > AnyConnect Client > Custom Attributes
Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add/Edit > AnyConnect Custom Attributes
AnyConnect Identity Extensions (ACIDex) for Desktop Platforms
ACIDex, also known as AnyConnect Endpoint Attributes or Mobile Posture, is the method used by the AnyConnect VPN client to communicate posture information to the ASA. Dynamic Access Polices use these endpoint attributes to authorize users.
The AnyConnect VPN client now provides Platform identification for the desktop operating systems (Windows, Mac OS X, and Linux) and a pool of MAC Addresses which can be used by DAPs.
We did not modify any commands.
We modified the following screen: Configuration > Remote Access VPN > Dynamic Access Policies > Add/Edit > Add/Edit (endpoint attribute), select AnyConnect for the Endpoint Attribute Type. Additional operating systems are in the Platform drop-down list and MAC Address has changed to Mac Address Pool.
TrustSec Security Group Tags (SGT) can now be added to the SGT-IP table on the ASA when a remote user connects.
We introduced the following new command: security-group-tag value
We introduced or modified the following screens:
Configuration > Remote Access VPN > AAA/Local Users > Local Users > Edit User > VPN Policy
Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add a Policy
We added improved support for monitoring module health in clustering.
By default, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.
We modified the following command: monitor-interface service-module
We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Interfaces
The new auto option in the asp load-balance per-packet command enables the ASA to adaptively switch ASP load balancing per-packet on and off on each interface receive ring. This automatic mechanism detects whether or not asymmetric traffic has been introduced and helps avoid the following issues:
Overruns caused by bulk flows oversubscribing specific interface receive rings
Overruns caused by relatively heavily overloaded interface receive rings, in which a single core cannot sustain the load
We introduced or modified the following commands: asp load-balance per-packet auto, show asp load-balance per-packet, show asp load-balance per-packet history, and clear asp load-balance history
The bridge group maximum was increased from 8 to 250 bridge groups. You can configure up to 250 bridge groups in single mode or per context in multiple mode, with 4 interfaces maximum per bridge group.
We modified the following commands: interface bvi, bridge-group
We modified the following screens:
Configuration > Device Setup > Interfaces
Configuration > Device Setup > Interfaces > Add/Edit Bridge Group Interface
Configuration > Device Setup > Interfaces > Add/Edit Interface
We added support for BGP with ASA clustering.
We introduced the following new command: bgp router-id clusterpool
We modified the following screen: Configuration > Device Setup > Routing > BGP > IPv4 Family > General
We added support for BGP Nonstop Forwarding.
We introduced the following new commands: bgp graceful-restart, neighbor ha-mode graceful-restart
We modified the following screens:
Configuration > Device Setup > Routing > BGP > General
Configuration > Device Setup > Routing > BGP > IPv4 Family > Neighbor
Monitoring > Routing > BGP Neighbors
We added support for BGPv4 advertised map.
We introduced the following new command: neighbor advertise-map
We modified the following screen: Configuration > Device Setup > Routing > BGP > IPv4 Family > Neighbor > Add BGP Neighbor > Routes
OSPFv2 and OSPFv3 support for NSF was added.
We added the following commands: capability, nsf cisco, nsf cisco helper, nsf ietf, nsf ietf helper, nsf ietf helper strict-lsa-checking, graceful-restart, graceful-restart helper, graceful-restart helper strict-lsa-checking
We added the following screens:
Configuration > Device Setup > Routing > OSPF > Setup > NSF Properties
Configuration > Device Setup > Routing > OSPFv3 > Setup > NSF Properties
You can now use security group tagging combined with Ethernet tagging to enforce policies. SGT plus Ethernet Tagging, also called Layer 2 SGT Imposition, enables the ASA to send and receive security group tags on Gigabit Ethernet interfaces using Cisco proprietary Ethernet framing (Ether Type 0x8909), which allows the insertion of source security group tags into plain-text Ethernet frames.
We introduced or modified the following commands: cts manual, policy static sgt, propagate sgt, cts role-based sgt-map, show cts sgt-map, packet-tracer, capture, show capture, show asp drop, show asp table classify, show running-config all, clear configure all, and write memory
We modified the following screens:
Configuration > Device Setup > Interfaces > Add Interface > Advanced
Configuration > Device Setup > Interfaces > Add Redundant Interface > Advanced
Configuration > Device Setup > Add Ethernet Interface > Advanced
Wizards > Packet Capture Wizard
Tools > Packet Tracer
We removed NTLM support for remote access VPN users.
We deprecated the following command: aaa-server protocol nt
We modified the following screen: Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups > Add AAA Server Group
When using the current Java version, the ASDM Launcher requires a trusted certificate. An easy approach to fulfill the certificate requirements is to install a self-signed identity certificate. The ASDM Identity Certificate Wizard makes creating a self-signed identity certificate easy. When you first launch ASDM and do not have a trusted certificate, you are prompted to launch ASDM with Java Web Start; this new wizard starts automatically. After creating the identity certificate, you need to register it with the Java Control Panel. See https://www.cisco.com/go/asdm-certificate for instructions.
We added the following screen: Wizards > ASDM Identity Certificate Wizard
The show traffic command output has been updated to include aggregated traffic for physical interfaces information. To enable this feature, you must first enter the sysopt traffic detailed-statistics command.
The show tech support command now includes show resource usage count all 1 output, including information about xlates, conns, inspects, syslogs, and so on. This information is helpful for diagnosing performance issues.
ASDM can save Botnet Traffic Filter reports as HTML instead of PDF
ASDM can no longer save Botnet Traffic Filter reports as PDF files; it can instead save them as HTML.
The following screen was modified: Monitoring > Botnet Traffic Filter
New Features in Version 9.2
New Features in ASA 9.2(4)/ ASDM 7.4(3)
Released: July 16, 2015
You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the “username” in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.
We introduced the following command: no logging hide username
We modified the following screen: Configuration > Device Management > Logging > Syslog Setup
DHCP Relay server validates the DHCP Server Identifier for replies
If the ASA DHCP relay server receives a reply from an incorrect DHCP server, it now verifies that the reply is from the correct server before acting on the reply.
NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to allow polling for Xlate count.
Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count for SNMP.
This data is equivalent to the show xlate count command.
New Features in ASA 9.2(3)/ ASDM 7.3(1.101)
Released: December 15, 2014
You can now prevent a Clientless SSL VPN session cookie from being accessed by a third party through a client-side script such as Javascript.
Note Use this feature only if Cisco TAC advises you to do so. Enabling this command presents a security risk because the following Clientless SSL VPN features will not work without any warning.
We introduced the following command: http-only-cookie
We introduced the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > HTTP Cookie
New Features in ASA 9.2(2.4)/ASDM 7.2(2)
Released: August 12, 2014
NoteVersion 9.2(2) was removed from Cisco.com due to build issues; please upgrade to Version 9.2(2.4) or later.
ASA 5585-X (all models) support for the matching ASA FirePOWER SSP hardware module.
ASA 5512-X through ASA 5555-X support for the ASA FirePOWER software module.
The ASA FirePOWER module supplies next-generation firewall services, including Next-Generation IPS (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP).You can use the module in single or multiple context mode, and in routed or transparent mode.
We introduced or modified the following commands: capture interface asa_dataplane, debug sfr, hw-module module 1 reload, hw-module module 1 reset, hw-module module 1 shutdown, session do setup host ip, session do get-config, session do password-reset, session sfr, sfr, show asp table classify domain sfr, show capture, show conn, show module sfr, show service-policy, sw-module sfr.
We introduced the following screens:
Wizards > Startup Wizard > ASA FirePOWER Basic Configuration
Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > ASA FirePOWER Inspection
Internet Explorer 11 browser support on Windows 8.1 and Windows 7 for clientless SSL VPN
We added support for Internet Explorer 11 with Windows 7 and Windows 8.1 for clientless SSL VPN..
New Features in ASA 9.2(1)/ASDM 7.2(1)
Released: April 24, 2014
NoteThe ASA 5510, ASA 5520, ASA 5540, ASA 5550, and ASA 5580 are not supported in this release or later. ASA Version 9.1 was the final release for these models.
The Cisco Adaptive Security Virtual Appliance (ASAv) has been added as a new platform to the ASA series.
The ASAv brings full firewall functionality to virtualized environments to secure data center traffic and multi-tenant environments. The ASAv runs on VMware vSphere. You can manage and monitor the ASAv using ASDM or the CLI.
We now support the Border Gateway Protocol (BGP). BGP is an inter autonomous system routing protocol. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISP).
We introduced the following commands: router bgp, bgp maxas-limit, bgp log-neighbor-changes, bgp transport path-mtu-discovery, bgp fast-external-fallover, bgp enforce-first-as, bgp asnotation dot, timers bgp, bgp default local-preference, bgp always-compare-med, bgp bestpath compare-routerid, bgp deterministic-med, bgp bestpath med missing-as-worst, policy-list, match as-path, match community, match metric, match tag, as-path access-list, community-list, address-family ipv4, bgp router-id, distance bgp, table-map, bgp suppress-inactive, bgp redistribute-internal, bgp scan-time, bgp nexthop, aggregate-address, neighbor, bgp inject-map, show bgp, show bgp cidr-only, show bgp all community, show bgp all neighbors, show bgp community, show bgp community-list, show bgp filter-list, show bgp injected-paths, show bgp ipv4 unicast, show bgp neighbors, show bgp paths, show bgp pending-prefixes, show bgp prefix-list, show bgp regexp, show bgp replication, show bgp rib-failure, show bgp route-map, show bgp summary, show bgp system-config, show bgp update-group, clear route network, maximum-path, network.
We modified the following commands: show route, show route summary, show running-config router, clear config router, clear route all, timers lsa arrival, timers pacing, timers throttle, redistribute bgp.
We introduced the following screens:
Configuration > Device Setup > Routing > BGP
Monitoring > Routing > BGP Neighbors, Monitoring > Routing > BGP Routes
We modified the following screens:
Configuration > Device Setup > Routing > Static Routes> Add > Add Static Route
Configuration > Device Setup > Routing > Route Maps> Add > Add Route Map
Sending traffic to a Null0 interface results in dropping the packets destined to the specified network. This feature is useful in configuring Remotely Triggered Black Hole (RTBH) for BGP.
We modified the following command: route.
We modified the following screen: Configuration > Device Setup > Routing > Static Routes> Add > Add Static Route
OSPF supports the Fast Hello Packets feature, resulting in a configuration that results in faster convergence in an OSPF network.
We modified the following command: ospf dead-interval
We modified the following screen: Configuration > Device Setup > Routing > OSPF > Interface > Edit OSPF Interface Advanced properties
New OSPF timers were added; old ones were deprecated.
We introduced the following commands: timers lsa arrival, timers pacing, timers throttle.
We removed the following commands: timers spf, timers lsa-grouping-pacing
We modified the following screen: Configuration > Device Setup > Routing > OSPF > Setup > Edit OSPF Process Advanced Properties
Route filtering using ACL is now supported.
We introduced the following command: distribute-list
We introduced the following screen: Configuration > Device Setup > Routing > OSPF > Filtering Rules > Add Filter Rules
Additional OSPF monitoring information was added.
We modified the following commands: show ospf events, show ospf rib, show ospf statistics, show ospf border-routers [detail], show ospf interface brief
OSPF redistribution feature was added.
We added the following command: redistribute bgp
We added the following screen: Configuration > Device Setup > Routing > OSPF > Redistribution
For EIGRP, the Auto-Summary field is now disabled by default.
We modified the following screen: Configuration > Device Setup > Routing > EIGRP > Setup > Edit EIGRP Process Advanced Properties
Support for cluster members at different geographical locations (inter-site) for transparent mode
You can now place cluster members at different geographical locations when using Spanned EtherChannel mode in transparent firewall mode. Inter-site clustering with spanned EtherChannels in routed firewall mode is not supported.
Some switches do not support dynamic port priority with LACP (active and standby links). You can now disable dynamic port priority to provide better compatibility with spanned EtherChannels. You should also follow these guidelines:
Network elements on the cluster control link path should not verify the L4 checksum. Redirected traffic over the cluster control link does not have a correct L4 checksum. Switches that verify the L4 checksum could cause traffic to be dropped.
Port-channel bundling downtime should not exceed the configured keepalive interval.
We introduced the following command: clacp static-port-priority.
We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster
Support for 32 active links in a spanned EtherChannel for clustering
ASA EtherChannels now support up to 16 active links. With spanned EtherChannels, that functionality is extended to support up to 32 active links across the cluster when used with two switches in a vPC and when you disable dynamic port priority. The switches must support EtherChannels with 16 active links, for example, the Cisco Nexus 7000 with with F2-Series 10 Gigabit Ethernet Module.
For switches in a VSS or vPC that support 8 active links, you can now configure 16 active links in the spanned EtherChannel (8 connected to each switch). Previously, the spanned EtherChannel only supported 8 active links and 8 standby links, even for use with a VSS/vPC.
Note If you want to use more than 8 active links in a spanned EtherChannel, you cannot also have standby links; the support for 9 to 32 active links requires you to disable cLACP dynamic port priority that allows the use of standby links.
We introduced the following command: clacp static-port-priority.
We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster
The ASA 5585-X now supports 16-unit clusters.
The ASA supports clustering when connected to the Cisco Nexus 9300.
The ISE Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is established. When a policy changes for a user or user group in AAA, CoA packets can be sent directly to the ASA from the ISE to reinitialize authentication and apply the new policy. An Inline Posture Enforcement Point (IPEP) is no longer required to apply access control lists (ACLs) for each VPN session established with the ASA.
When an end user requests a VPN connection the ASA authenticates the user to the ISE and receives a user ACL that provides limited access to the network. An accounting start message is sent to the ISE to register the session. Posture assessment occurs directly between the NAC agent and the ISE. This process is transparent to the ASA. The ISE sends a policy update to the ASA via a CoA “policy push.” This identifies a new user ACL that provides increased network access privileges. Additional policy evaluations may occur during the lifetime of the connection, transparent to the ASA, via subsequent CoA updates.
We introduced the following commands: dynamic-authorization, authorize-only, debug radius dynamic-authorization.
We modified the following commands: without-csd [anyconnect], interim-accounting-update [periodic [interval]].
We removed the following commands: nac-policy, eou, nac-settings.
We modified the following screen: Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups > Add/Edit AAA Server Group
The rewriter has been changed so that if the client supports compressed content and the content will not be rewritten, then it will accept compressed content from the server. If the content must be rewritten and it is identified as being compressed, it will be decompressed, rewritten, and if the client supports it, recompressed.
The version of OpenSSL on the ASA will be updated to version 1.0.1e.
Note We disabled the heartbeat option, so the ASA is not vulnerable to the Heartbleed Bug.
You can now configure up to 16 active links in an EtherChannel. Previously, you could have 8 active links and 8 standby links. Be sure your switch can support 16 active links (for example the Cisco Nexus 7000 with with F2-Series 10 Gigabit Ethernet Module).
Note If you upgrade from an earlier ASA version, the maximum active interfaces is set to 8 for compatibility purposes (the lacp max-bundle command).
We modified the following commands: lacp max-bundle and port-channel min-bundle.
We modified the following screen: Configuration > Device Setup > Interfaces > Add/Edit EtherChannel Interface > Advanced.
The maximum MTU that the ASA can use is 9198 bytes (check for your model’s exact limit at the CLI help). This value does not include the Layer 2 header. Formerly, the ASA let you specify the maximum MTU as 65535 bytes, which was inaccurate and could cause problems. If your MTU was set to a value higher than 9198, then the MTU is automatically lowered when you upgrade. In some cases, this MTU change can cause an MTU mismatch; be sure to set any connecting equipment to use the new MTU value.
We modified the following command: mtu
We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Edit Interface > Advanced
The EEM feature enables you to debug problems and provides general purpose logging for troubleshooting. The EEM responds to events in the EEM system by performing actions. There are two components: events that the EEM triggers, and event manager applets that define actions. You may add multiple events to each event manager applet, which triggers it to invoke the actions that have been configured on it.
We introduced or modified the following commands: event manager applet, description, event syslog id, event none, event timer, event crashinfo, action cli command, output, show running-config event manager, event manager run, show event manager, show counters protocol eem, clear configure event manager, debug event manager, debug menu eem.
We introduced the following screens: Configuration > Device Management > Advanced > Embedded Event Manager, Monitoring > Properties > EEM Applets.
You can now add up to 4000 hosts. The number of supported active polling destinations is 128. You can specify a network object to indicate the individual hosts that you want to add as a host group. You can associate more than one user with one host.
We introduced or modified the following commands: snmp-server host-group, snmp-server user-list, show running-config snmp-server, clear configure snmp-server.
We modified the following screen: Configuration > Device Management > Management Access > SNMP.
The limit on the message size that SNMP sends has been increased to 1472 bytes.
The ASA now supports the cpmCPUTotal5minRev OID.
The ASAv has been added as a new product to the SNMP sysObjectID OID and entPhysicalVendorType OID.
The CISCO-PRODUCTS-MIB and CISCO-ENTITY-VENDORTYPE-OID-MIB have been updated to support the new ASAv platform.
Administrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once. The auto-enable option was added to the aaa authorization exec command.
We modified the following command: aaa authorization exec.
We modified the following screen: Configuration > Device Management > Users/AAA > AAA Access > Authorization.
Auto Update Server certificate verification enabled by default
The Auto Update Server certificate verification is now enabled by default; for new configurations, you must explicitly disable certificate verification. If you are upgrading from an earlier release, and you did not enable certificate verification, then certificate verification is not enabled, and you see the following warning:
WARNING: The certificate provided by the auto-update servers will not be verified. In order to verify this certificate please use the verify-certificate option.The configuration will be migrated to explicitly configure no verification:.
auto-update server no-verification
We modified the following command: auto-update server [verify-certificate | no-verification].
We modified the following screen: Configuration > Device Management > System/Image Configuration > Auto Update > Add Auto Update Server.
New Features in Version 9.1
New Features in ASA 9.1(7.4)/ASDM 7.5(2.153)
Released: February 19, 2016
NoteVersion 9.1(7) was removed from Cisco.com due to build issues; please upgrade to Version 9.1(7.4) or later.
You can now prevent a Clientless SSL VPN session cookie from being accessed by a third party through a client-side script such as Javascript.
Note Use this feature only if Cisco TAC advises you to do so. Enabling this command presents a security risk because the following Clientless SSL VPN features will not work without any warning.
Sharepoint features that require desktop applications (for example, MS Office applications)
Other non-browser-based and browser plugin-based applications
We introduced the following command: http-only-cookie.
We introduced the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > HTTP Cookie.
Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms.
We introduced the following commands: ssh cipher encryption and ssh cipher integrity.
The clientless SSL VPN cache is now disabled by default. Disabling the clientless SSL VPN cache provides better stability. If you want to enable the cache, you must manually enable it.
webvpn cache no disableWe modified the following command: cache
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Content Cache
When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can now redirect traffic sent an to IPv6 address.
We added functionality to the following command: http redirect
We added functionality to the following screen: Configuration > Device Management > HTTP Redirect
The show tech support command now:
Includes dir all-filesystems output—This output can be helpful in the following cases:
Includes show resource usage count all 1 output—Includes information about xlates, conns, inspects, syslogs, and so on. This information is helpful for diagnosing performance issues.
Removes the show kernel cgroup-controller detail output—This command output will remain in the output of show tech-support detail.
Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB
The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported. This is a table of memory pool monitoring entries for all physical entities on a managed system.
Note The CISCO-ENHANCED-MEMPOOL-MIB uses 64-bit counters and supports reporting of memory on platforms with more than 4GB of RAM.
New Features in ASA 9.1(6)/ASDM 7.1(7)
Released: March 2, 2015
The maximum MTU that the ASA can use is 9198 bytes (check for your model’s exact limit at the CLI help). This value does not include the Layer 2 header. Formerly, the ASA let you specify the maximum MTU as 65535 bytes, which was inaccurate and could cause problems. If your MTU was set to a value higher than 9198, then the MTU is automatically lowered when you upgrade. In some cases, this MTU change can cause an MTU mismatch; be sure to set any connecting equipment to use the new MTU value.
We modified the following command: mtu
We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Edit Interface > Advanced
New Features in ASA 9.1(5)/ASDM 7.1(6)
Released: March 31, 2014
The ASA now supports the Secure Copy (SCP) client to transfer files to and from a SCP server.
We introduced the following commands: ssh pubkey-chain, server (ssh pubkey-chain), key-string, key-hash, ssh stricthostkeycheck.
We modified the following command: copy scp.
We modified the following screens:
Tools > File Management > File Transfer > Between Remote Server and Flash Configuration > Device Management > Management Access > File Access > Secure Copy (SCP) Server
Administrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once. The auto-enable option was added to the aaa authorization exec command.
We modified the following command: aaa authorization exec.
We modified the following screen: Configuration > Device Management > Users/AAA > AAA Access > Authorization.
When enabled, a rule update is applied after the rule compilation is completed; without affecting the rule matching performance.
We introduced the following comands: asp rule-engine transactional-commit, show running-config asp rule-engine transactional-commit, clear configure asp rule-engine transactional-commit.
We introduced the following screen: Configuration > Device Management > Advanced > Rule Engine.
You can now add up to 4000 hosts. The number of supported active polling destinations is 128. You can specify a network object to indicate the individual hosts that you want to add as a host group. You can associate more than one user with one host.
We introduced or modified the following commands: snmp-server host-group, snmp-server user-list, show running-config snmp-server, clear configure snmp-server.
We modified the following screen: Configuration > Device Management > Management Access > SNMP.
NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to allow polling for Xlate count.
Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count for SNMP.
This data is equivalent to the show xlate count command.
UDP traffic, such as streaming media, was being affected by a high number of dropped packets when sent over an AnyConnect DTLS connection. For example, this could result in streaming video playing poorly or cease streaming completely. The reason for this was the relatively small size of the flow control queue.
We increased the DTLS flow-control queue size and offset this by reducing the admin crypto queue size. For TLS sessions, the priority of the crypto command was increased to high to compensated for this change. For both DTLS and TLS sessions, the session will now persist even if packets are dropped. This will prevent media streams from closing and ensure that the number of dropped packets is comparable with other connection methods.
We introduced URL normalization. URL normalization is an additional security feature that includes path normalization, case normalization and scheme normalization. URLs specified in an ACE and portal address bar are normalized before comparison; for making decisions on webvpn traffic filtering.
For example, if you have an https://calo.cisco.com/checkout/Devices bookmark, an https://calo.cisco.com/checkout/Devices/* under web type acl seems to match. However, since URL normalization has been introduced, both bookmark URL and web type ACL are normalized before comparison. In this example, https://calo.cisco.com/checkout/Devices is normalized to https://calo.cisco.com/checkout/Devices and https://calo.cisco.com/checkout/Devices/* stays the same, so the two do not match.
You must configure the following to meet the requirement:
to permit the bookmark URL (https://calo.cisco.com/checkout/Devices), configure the ACL to permit that URL
to permit the URLs within the Devices folder, configure the ACL to permit https://calo.cisco.com/checkout/Devices/*
New Features in ASA 9.1(4)/ASDM 7.1(5)
Released: December 9, 2013
HTML5 WebSockets provide persistent connections between clients and servers. During the establishment of the clientless SSL VPN connection, the handshake appears to the server as an HTTP Upgrade request. The ASA will now proxy this request to the backend and provide a relay after the handshake is complete. Gateway mode is not currently supported.
IPv6 traffic can now be tunneled through IPsec/IKEv2 tunnels. This makes the ASA to AnyConnect VPN connections fully IPv6 compliant. GRE is used when both IPv4 and IPv6 traffic are being tunneled, and when both the client and headend support GRE. For a single traffic type, or when GRE is not supported by the client or the headend, we use straight IPsec.
Note This feature requires AnyConnect Client Version 3.1.05 or later.
Output of the show ipsec sa and show vpn-sessiondb detail anyconnect commands has been updated to reflect the assigned IPv6 address, and to indicate the GRE Transport Mode security association when doing IKEv2 dual traffic.
The vpn-filter command must now be used for both IPv4 and IPv6 ACLs. If the depracated ipv6-vpn-filter command is used to configure IPv6 ACLs the connection will be terminated.
Mobile Devices running Citrix Server Mobile have additional connection options
Support for mobile devices connecting to Citrix server through the ASA now includes selection of a tunnel-group, and RSA Securid for authorization. Allowing mobile users to select different tunnel-groups allows the administrator to use different authentication methods.
We introduced the application-type command to configure the default tunnel group for VDI connections when a Citrix Receiver user does not choose a tunnel-group. A none action was added to the vdi command to disable VDI configuration for a particular group policy or user.
We modified the following screen: Configuration > Remote Access VPN > Clientliess SSL VPN Access > VDI Access.
Split-tunneling of VPN traffic has been enhanced to support both exclude and include ACLs. Exclude ACLs were previously ignored.
Note This feature requires AnyConnect Client Version 3.1.03103 or later.
The ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X now support 2-unit clusters. Clustering for 2 units is enabled by default in the base license; for the ASA 5512-X, you need the Security Plus license.
If you configure the cluster control link as an EtherChannel (recommended), and it is connected to a VSS or vPC pair, you can now increase stability with health check monitoring. For some switches, such as the Nexus 5000, when one unit in the VSS/vPC is shutting down or booting up, EtherChannel member interfaces connected to that switch may appear to be Up to the ASA, but they are not passing traffic on the switch side. The ASA can be erroneously removed from the cluster if you set the ASA holdtime timeout to a low value (such as .8 seconds), and the ASA sends keepalive messages on one of these EtherChannel interfaces. When you enable the VSS/vPC health check feature, the ASA floods the keepalive messages on all EtherChannel interfaces in the cluster control link to ensure that at least one of the switches can receive them.
We modified the following command: health-check [vss-enabled]
We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster
Support for cluster members at different geographical locations (inter-site); Individual Interface mode only
You can now place cluster members at different geographical locations when using individual interface mode. See the configuration guide for inter-site guidelines.
Support for clustering with the Cisco Nexus 5000 and Cisco Catalyst 3750-X
The ASA supports clustering when connected to the Cisco Nexus 5000 and Cisco Catalyst 3750-X.
We modified the following command: health-check [vss-enabled]
We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster
During the DHCP rebind phase, the client now attempts to rebind to other DHCP servers in the tunnel group list. Prior to this release, the client did not rebind to an alternate server, when the DHCP lease fails to renew.
We introduced the following commands: show ip address dhcp lease proxy, show ip address dhcp lease summary, and show ip address dhcp lease server.
We introduced the following screen: Monitoring > Interfaces > DHCP> DHCP Lease Information.
Application Kernel Layer 4 to 7 (AK47) framework-related information is now available in crashinfo dumps. A new option, ak47, has been added to the debug menu command to help in debugging AK47 framework issues. The framework-related information in the crashinfo dump includes the following:
New Features in ASA 9.1(3)/ASDM 7.1(4)
Released: September 18, 2013
You can now configure ASA CX service policies per context on the ASA.
Note Although you can configure per context ASA service policies, the ASA CX module itself (configured in PRSM) is a single context mode device; the context-specific traffic coming from the ASA is checked against the common ASA CX policy.
Requires ASA CX 9.2(1) or later.
ASA 5585-X with SSP-40 and -60 support for the ASA CX SSP-40 and -60
ASA CX SSP-40 and -60 modules can be used with the matching level ASA 5585-X with SSP-40 and -60.
Requires ASA CX 9.2(1) or later.
You can now filter packets that have been captured on the ASA CX backplane using the match or access-list keyword with the capture interface asa_dataplane command. Control traffic specific to the ASA CX module is not affected by the access-list or match filtering; the ASA captures all control traffic. In multiple context mode, configure the packet capture per context. Note that all control traffic in multiple context mode goes only to the system execution space. Because only control traffic cannot be filtered using an access list or match, these options are not available in the system execution space.
Requires ASA CX 9.2(1) or later.
We modified the following command: capture interface asa_dataplane.
A new option, Use backplane channel, was added to the Ingress Traffic Selector screen and the Egress Selector screen, in the Packet Capture Wizard to enable filtering of packets that have been captured on the ASA CX backplane.
You can now view the top bin sizes allocated and the top 10 PCs for each allocated bin size. Previously, you had to enter multiple commands to see this information (the show memory detail command and the show memory binsize command); the new command provides for quicker analysis of memory issues.
We introduced the following command: show memory top-usage.
We added a new type of Smart Call Home message to support ASA clustering.
A Smart Call Home clustering message is sent for only the following three events:
Each message that is sent includes the following information:
The output of the show cluster info command and the show cluster history command on the cluster master
We modified the following commands: show call-home, show running-config call-home.
user-storage value command password is now encrypted in show commands
The password in the user-storage value command is now encrypted when you enter show running-config.
We modified the following command: user-storage value.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies > More Options > Session Settings.
New Features in ASA 9.1(2)/ASDM 7.1(3)
Released: May 14, 2013
NoteFeatures added in 8.4(6) are not included in 9.1(2) unless they are explicitly listed in this table.
The FIPS 140-2 Non-Proprietary Security Policy was updated as part of the Level 2 FIPS 140-2 validation for the Cisco ASA series, which includes the Cisco ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X, and the ASA Services Module.
The Common Criteria Evaluation Assurance Level 4 (EAL4) was updated, which provides the basis for a specific Target of Evaluation (TOE) of the Cisco ASA and VPN platform solutions.
Support for IPsec LAN-to-LAN tunnels to encrypt failover and state link communications
Instead of using the proprietary encryption for the failover key (the failover key command), you can now use an IPsec LAN-to-LAN tunnel for failover and state link encryption.
Note Failover LAN-to-LAN tunnels do not count against the IPsec (Other VPN) license.
We introduced or modified the following commands: failover ipsec pre-shared-key, show vpn-sessiondb.
We modified the following screen: Configuration > Device Management > High Availability > Failover > Setup.
Additional ephemeral Diffie-Hellman ciphers for SSL encryption
The ASA now supports the following ephemeral Diffie-Hellman (DHE) SSL cipher suites:
These cipher suites are specified in RFC 3268, Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS).
When supported by the client, DHE is the preferred cipher because it provides Perfect Forward Secrecy. See the following limitations:
DHE is not supported on SSL 3.0 connections, so make sure to also enable TLS 1.0 for the SSL server.
!! set server version ciscoasa(config)# ssl server-version tlsv1 sslv3 !! set client version ciscoasa(config) # ssl client-version anySome popular applications do not support DHE, so include at least one other SSL encryption method to ensure that a cipher suite common to both the SSL client and server can be used.
Some clients may not support DHE, including AnyConnect 2.5 and 3.0, Cisco Secure Desktop, and Internet Explorer 9.0.
We modified the following command: ssl encryption.
We modified the following screen: Configuration > Device Management > Advanced > SSL Settings.
Support for administrator password policy when using the local database
When you configure authentication for CLI or ASDM access using the local database, you can configure a password policy that requires a user to change their password after a specified amount of time and also requires password standards such as a minimum length and the minimum number of changed characters.
We introduced the following commands: change-password, password-policy lifetime, password-policy minimum changes, password-policy minimum-length, password-policy minimum-lowercase, password-policy minimum-uppercase, password-policy minimum-numeric, password-policy minimum-special, password-policy authenticate enable, clear configure password-policy, show running-config password-policy.
We introduced the following screen: Configuration > Device Management > Users/AAA > Password Policy.
You can now enable public key authentication for SSH connections to the ASA on a per-user basis. You can specify a public key file (PKF) formatted key or a Base64 key. The PKF key can be up to 4096 bits. Use PKF format for keys that are too large to for the ASA support of the Base64 format (up to 2048 bits).
We introduced the following commands: ssh authentication.
We introduced the following screens:
Configuration > Device Management > Users/AAA > User Accounts > Edit User Account > Public Key Authentication and Configuration > Device Management > Users/AAA > User Accounts > Edit User Account > Public Key Using PKF.
Also available in 8.4(4.1); PKF key format support is only in 9.1(2).
The SSH server implementation in the ASA now supports AES-CTR mode encryption.
An SSH connection is rekeyed after 60 minutes of connection time or 1 GB of data traffic.
We introduced the following command: show ssh sessions detail.
Support for Diffie-Hellman Group 14 for the SSH Key Exchange
Support for Diffie-Hellman Group 14 for SSH Key Exchange was added. Formerly, only Group 1 was supported.
We introduced the following command: ssh key-exchange.
We modified the following screen: Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH.
You can set the maximum number of simultaneous ASDM, SSH, and Telnet sessions.
We introduced the following commands: quota management-session, show running-config quota management-session, show quota management-session.
We introduced the following screen: Configuration > Device Management > Management Access > Management Session Quota.
Administrator can define a message that appears before a user logs into ASDM for management access. This customizable content is called a pre-login banner, and can notify users of special requirements or important information.
To improve security for management access to the ASA, the default login password for Telnet was removed; you must manually set the password before you can log in using Telnet. Note: The login password is only used for Telnet if you do not configure Telnet user authentication (the aaa authentication telnet console command).
Formerly, when you cleared the password, the ASA restored the default of “cisco.” Now when you clear the password, the password is removed.
The login password is also used for Telnet sessions from the switch to the ASASM (see the session command). For initial ASASM access, you must use the service-module session command, until you set a login password.
We modified the following command: passwd.
The ASA runs its power-on self-test at boot time even if it is not running in FIPS 140-2-compliant mode.
Additional tests have been added to the POST to address the changes in the AES-GCM/GMAC algorithms, ECDSA algorithms, PRNG, and Deterministic Random Bit Generator Validation System (DRBGVS).
The X9.31 implementation has been upgraded to use AES-256 encryption instead of 3DES encryption to comply with the Network Device Protection Profile (NDPP) in single-core ASAs.
Support for SHA-512 image integrity checking was added.
We modified the following command: verify.
You can use private VLANs with the ASASM. Assign the primary VLAN to the ASASM; the ASASM automatically handles secondary VLAN traffic. There is no configuration required on the ASASM for this feature; see the switch configuration guide for more information.
The cpu profile activate command now supports the following:
We modified the following command: cpu profile activate [n-samples] [sample-process process-name] [trigger cpu-usage cpu% [process-name].
You can now configure DHCP relay servers per-interface, so requests that enter a given interface are relayed only to servers specified for that interface. IPv6 is not supported for per-interface DHCP relay.
We introduced or modified the following commands: dhcprelay server (interface config mode), clear configure dhcprelay, show running-config dhcprelay.
We modified the following screen: Configuration > Device Management > DHCP > DHCP Relay.
You can now configure interfaces as trusted interfaces to preserve DHCP Option 82. DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the ASA DHCP relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (which specifies the DHCP relay agent address that is set by the relay agent before it forwards the packet to the server) is set to 0, then the ASA will drop that packet by default. You can now preserve Option 82 and forward the packet by identifying an interface as a trusted interface.
We introduced or modified the following commands: dhcprelay information trusted, dhcprelay informarion trust-all, show running-config dhcprelay.
We modified the following screen: Configuration > Device Management > DHCP > DHCP Relay.
The ASA 5585-X now supports additional interfaces on network modules in slot 1. You can install one or two of the following optional network modules:
Support for ASA CX monitor-only mode for demonstration purposes
For demonstration purposes only, you can enable monitor-only mode for the service policy, which forwards a copy of traffic to the ASA CX module, while the original traffic remains unaffected.
Another option for demonstration purposes is to configure a traffic-forwarding interface instead of a service policy in monitor-only mode. The traffic-forwarding interface sends all traffic directly to the ASA CX module, bypassing the ASA.
We modified or introduced the following commands: cxsc {fail-close | fail-open} monitor-only, traffic-forward cxsc monitor-only.
We modified the following screen: Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > ASA CX Inspection.
You can now use NAT 64 in conjunction with the ASA CX module.
Support for NetFlow flow-update events and an expanded set of NetFlow templates
In addition to adding the flow-update events, there are now NetFlow templates that allow you to track flows that experience a change to their IP version with NAT, as well as IPv6 flows that remain IPv6 after NAT.
Two new fields were added for IPv6 translation support.
Several NetFlow field IDs were changed to their IPFIX equivalents.
For more information, see the Cisco ASA Implementation Note for NetFlow Collectors.
EtherType ACL support for IS-IS traffic (transparent firewall mode)
In transparent firewall mode, the ASA can now pass IS-IS traffic using an EtherType ACL.
We modified the following command: access-list ethertype {permit | deny} is-is.
We modified the following screen: Configuration > Device Management > Management Access > EtherType Rules.
Decreased the half-closed timeout minimum value to 30 seconds
The half-closed timeout minimum value for both the global timeout and connection timeout was lowered from 5 minutes to 30 seconds to provide better DoS protection.
We modified the following commands: set connection timeout half-closed, timeout half-closed.
We modified the following screens:
Configuration > Firewall > Service Policy Rules > Connection Settings
Configuration > Firewall > Advanced > Global Timeouts.
The number of IPsec-IKE security associations (SAs) can be limited for IKE v1 now, as well as IKE v2.
We modified the following command: crypto ikev1 limit.
We modified the following screen: Configuration > Site-to-Site VPN > Advanced > IKE Parameters.
For IKE v2 on Site-to-Site, a new algorithm ensures that the encryption algorithm used by child IPsec SAs is not higher strength than the parent IKE. Higher strength algorithms will be downgraded to the IKE level.
This new algorithm is enabled by default. We recommend that you do not disable this feature.
We introduced the following command: crypto ipsec ikev2 sa-strength-enforcement.
For Site-to-Site, IPsec data-based rekeying can be disabled.
We modified the following command: crypto ipsec security-association.
We modified the following screen: Configuration > Site-to-Site > IKE Parameters.
Host Scan and the ASA use an improved process to transfer posture attributes from the client to the ASA. This gives the ASA more time to establish a VPN connection with the client and apply a dynamic access policy.
This release adds support for Windows 8 x86 (32-bit) and Windows 8 x64 (64-bit) operating systems.
We support the following browsers on Windows 8:
CSD 3.6.6215 was updated to enable selection of Windows 8 in the Prelogin Policy operating system check.
ASDM was updated to enable selection of Windows 8 in the DAP Operating System attribute.
Flow-update events have been introduced to provide periodic byte counters for flow traffic. You can change the time interval at which flow-update events are sent to the NetFlow collector. You can filter to which collectors flow-update records will be sent.
We introduced or modified the following commands: flow-export active refresh-interval, flow-export event-type.
We modified the following screens:
Configuration > Device Management > Logging > NetFlow.
Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard - Rule Actions > NetFlow > Add Flow Event
New Features in ASA 9.1(1)/ASDM 7.1(1)
Released: December 3, 2012
NoteFeatures added in 8.4(4.x), 8.4(5), 8.4(6), and 9.0(2) are not included in 9.1(1) unless they were listed in the 9.0(1) feature table.
Support for the ASA CX SSP for the ASA 5512-X through ASA 5555-X
We introduced support for the ASA CX SSP software module for the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X. The ASA CX software module requires a Cisco solid state drive (SSD) on the ASA. For more information about the SSD, see the ASA 5500-X hardware guide.
We modified the following commands: session cxsc, show module cxsc, sw-module cxsc.
New Features in Version 9.0
New Features in ASA 9.0(3)/ASDM 7.1(3)
Released: July 22, 2013
Note
Features added in 8.4(4.x), 8.4(5), and 8.4(6) are not included in 9.0(3) unless they were listed in the 9.0(1) feature table.
New Features in ASA 9.0(2)/ASDM 7.1(2)
Released: February 25, 2013
NoteFeatures added in 8.4(4.x), 8.4(5), and 8.4(6) are not included in 9.0(2) unless they were listed in the 9.0(1) feature table.
This release adds support for Windows 8 x86 (32-bit) and Windows 8 x64 (64-bit) operating systems.
We support the following browsers on Windows 8:
To improve security for management access to the ASA, the default login password for Telnet was removed; you must manually set the password before you can log in using Telnet. Note: The login password is only used for Telnet if you do not configure Telnet user authentication (the aaa authentication telnet console command).
Formerly, when you cleared the password, the ASA restored the default of “cisco.” Now when you clear the password, the password is removed.
The login password is also used for Telnet sessions from the switch to the ASASM (see the session command). For initial ASASM access, you must use the service-module session command, until you set a login password.
New Features in ASA 9.0(1)/ASDM 7.0(1)
Released: October 29, 2012
NoteFeatures added in 8.4(4.x), 8.4(5), and 8.4(6) are not included in 9.0(1) unless they are explicitly listed in this table.
Cisco TrustSec provides an access-control solution that builds upon an existing identity-aware infrastructure to ensure data confidentiality between network devices and integrate security access services on one platform. In the Cisco TrustSec solution, enforcement devices utilize a combination of user attributes and end-point attributes to make role-based and identity-based access control decisions.
In this release, the ASA integrates with Cisco TrustSec to provide security group based policy enforcement. Access policies within the Cisco TrustSec domain are topology-independent, based on the roles of source and destination devices rather than on network IP addresses.
The ASA can utilize the Cisco TrustSec solution for other types of security group based policies, such as application inspection; for example, you can configure a class map containing an access policy based on a security group.
We introduced or modified the following commands: access-list extended, cts sxp enable, cts server-group, cts sxp default, cts sxp retry period, cts sxp reconcile period, cts sxp connection peer, cts import-pac, cts refresh environment-data, object-group security, security-group, show running-config cts, show running-config object-group, clear configure cts, clear configure object-group, show cts, show object-group, show conn security-group, clear cts, debug cts.
We introduced the following MIB: CISCO-TRUSTSEC-SXP-MIB.
We introduced or modified the following screens:
Configuration > Firewall > Identity by TrustSec
Configuration > Firewall > Objects > Security Groups Object Groups
Configuration > Firewall > Access Rules > Add Access Rules
Monitoring > Properties > Identity by TrustSec > PAC
Monitoring > Properties > Identity by TrustSec > Environment Data
Monitoring > Properties > Identity by TrustSec > SXP Connections
Monitoring > Properties > Identity by TrustSec > IP Mappings
Monitoring > Properties > Connections
Tools > Packet Tracer
Cisco Cloud Web Security provides content scanning and other malware protection service for web traffic. It can also redirect and report about web traffic based on user identity.
Note Clientless SSL VPN is not supported with Cloud Web Security; be sure to exempt any clientless SSL VPN traffic from the ASA service policy for Cloud Web Security.
We introduced or modified the following commands: class-map type inspect scansafe, default user group, http[s] (parameters), inspect scansafe, license, match user group, policy-map type inspect scansafe, retry-count, scansafe, scansafe general-options, server {primary | backup}, show conn scansafe, show scansafe server, show scansafe statistics, user-identity monitor, whitelist.
We introduced or modified the following screens:
Configuration > Device Management > Cloud Web Security
Configuration > Firewall > Objects > Class Maps > Cloud Web Security
Configuration > Firewall > Objects > Class Maps > Cloud Web Security > Add/Edit
Configuration > Firewall > Objects > Inspect Maps > Cloud Web Security
Configuration > Firewall > Objects > Inspect Maps > Cloud Web Security > Add/Edit
Configuration > Firewall > Objects > Inspect Maps > Cloud Web Security > Add/Edit > Manage Cloud Web Security Class Maps
Configuration > Firewall > Identity Options Configuration > Firewall > Service Policy Rules
Monitoring > Properties > Cloud Web Security
Extended ACL and object enhancement to filter ICMP traffic by ICMP code
ICMP traffic can now be permitted/denied based on ICMP code.
We introduced or modified the following commands: access-list extended, service-object, service.
We introduced or modified the following screens:
Configuration > Firewall > Objects > Service Objects/Groups Configuration > Firewall > Access Rule
NAT now supports translation of the DNS PTR record for reverse DNS lookups when using IPv4 NAT, IPv6 NAT, and NAT64 with DNS inspection enabled for the NAT rule.
The per-session PAT feature improves the scalability of PAT and, for ASA clustering, allows each member unit to own PAT connections; multi-session PAT connections have to be forwarded to and owned by the master unit. At the end of a per-session PAT session, the ASA sends a reset and immediately removes the xlate. This reset causes the end node to immediately release the connection, avoiding the TIME_WAIT state. Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds. For “hit-and-run” traffic, such as HTTP or HTTPS, the per-session feature can dramatically increase the connection rate supported by one address. Without the per-session feature, the maximum connection rate for one address for an IP protocol is approximately 2000 per second. With the per-session feature, the connection rate for one address for an IP protocol is 65535/average-lifetime.
By default, all TCP traffic and UDP DNS traffic use a per-session PAT xlate. For traffic that can benefit from multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a per-session deny rule.
We introduced the following commands: xlate per-session, clear configure xlate, show running-config xlate.
We introduced the following screen: Configuration > Firewall > Advanced > Per-Session NAT Rules.
The ASA ARP cache only contains entries from directly-connected subnets by default. You can now enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.
You may want to use this feature if you use:
We introduced the following command: arp permit-nonconnected.
We modified the following screen: Configuration > Device Management > Advanced > ARP > ARP Static Table.
Previously, Sun RPC inspection does not support outbound access lists because the inspection engine uses dynamic access lists instead of secondary connections.
In this release, when you configure dynamic access lists on the ASA, they are supported on the ingress direction only and the ASA drops egress traffic destined to dynamic ports. Therefore, Sun RPC inspection implements a pinhole mechanism to support egress traffic. Sun RPC inspection uses this pinhole mechanism to support outbound dynamic access lists.
Previously, when the ASA dropped a packet due to an inspection engine rule, the ASA sent only one RST to the source device of the dropped packet. This behavior could cause resource issues.
In this release, when you configure an inspection engine to use a reset action and a packet triggers a reset, the ASA sends a TCP reset under the following conditions:
The ASA sends a TCP reset to the inside host when the service resetoutbound command is enabled. (The service resetoutbound command is enabled by default.)
The ASA sends a TCP reset to the outside host when the service resetinbound command is enabled. (The service resetinbound command is disabled by default.)
For more information, see the service command in the ASA command reference.
This behavior ensures that a reset action will reset the connections on the ASA and on inside servers; therefore countering denial of service attacks. For outside hosts, the ASA does not send a reset by default and information is not revealed through a TCP reset.
Increased maximum connection limits for service policy rules
The maximum number of connections for service policy rules was increased from 65535 to 2000000.
We modified the following commands: set connection conn-max, set connection embryonic-conn-max, set connection per-client-embryonic-max, set connection per-client-max.
We modified the following screen: Configuration > Firewall > Service Policy Rules > Connection Settings.
ASA Clustering lets you group multiple ASAs together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. ASA clustering is supported for the ASA 5580 and the ASA 5585-X; all units in a cluster must be the same model with the same hardware specifications. See the configuration guide for a list of unsupported features when clustering is enabled.
We introduced or modified the following commands: channel-group, clacp system-mac, clear cluster info, clear configure cluster, cluster exec, cluster group, cluster interface-mode, cluster-interface, conn-rebalance, console-replicate, cluster master unit, cluster remove unit, debug cluster, debug lacp cluster, enable (cluster group), health-check, ip address, ipv6 address, key (cluster group), local-unit, mac-address (interface), mac-address pool, mtu cluster, port-channel span-cluster, priority (cluster group), prompt cluster-unit, show asp cluster counter, show asp table cluster chash-table, show cluster, show cluster info, show cluster user-identity, show lacp cluster, show running-config cluster.
We introduced or modified the following screens:
Home > Cluster Dashboard Home > Cluster Firewall Dashboard
Configuration > Device Management > Advanced > Address Pools > MAC Address Pools
Configuration > Device Management > High Availability and Scalability > ASA Cluster
Configuration > Device Management > Logging > Syslog Setup > Advanced
Configuration > Device Setup > Interfaces > Add/Edit Interface > Advanced
Configuration > Device Setup > Interfaces > Add/Edit Interface > IPv6
Configuration > Device Setup > Interfaces > Add/Edit EtherChannel Interface > Advanced
Configuration > Firewall > Advanced > Per-Session NAT Rules
Monitoring > ASA Cluster Monitoring > Properties > System Resources Graphs > Cluster Control Link
Tools > Preferences > General
Tools > System Reload
Tools > Upgrade Software from Local Computer
Wizards > High Availability and Scalability Wizard
Wizards > Packet Capture Wizard
Wizards > Startup Wizard
For OSPFv2 and OSPFv3, bulk synchronization, route synchronization, and spanned EtherChannels are supported in the clustering environment.
For EIGRP, bulk synchronization, route synchronization, and spanned EtherChannels are supported in the clustering environment.
Multicast routing supports clustering.
We introduced or modified the following commands: show route cluster, debug route cluster, show mfib cluster, debug mfib cluster.
To support cluster-wide troubleshooting, you can enable capture of cluster-specific traffic on the master unit using the cluster exec capture command, which is then automatically enabled on all of the slave units in the cluster. The cluster exec keywords are the new keywords that you place in front of the capture command to enable cluster-wide capture.
We modified the following commands: capture, show capture.
We modified the following screen: Wizards > Packet Capture Wizard.
Each unit in the cluster generates syslog messages independently. You can use the logging device-id command to generate syslog messages with identical or different device IDs to make messages appear to come from the same or different units in the cluster.
We modified the following command: logging device-id.
We modified the following screen: Configuration > Logging > Syslog Setup > Advanced > Advanced Syslog Configuration.
Support for clustering with the Cisco Nexus 7000 and Cisco Catalyst 6500
The ASA supports clustering when connected to the Cisco Nexus 7000 and Cisco Catalyst 6500 with Supervisor 32, 720, and 720-10GE.
Configure the connection replication rate during a bulk sync
You can now configure the rate at which the ASA replicates connections to the standby unit when using Stateful Failover. By default, connections are replicated to the standby unit during a 15 second period. However, when a bulk sync occurs (for example, when you first enable failover), 15 seconds may not be long enough to sync large numbers of connections due to a limit on the maximum connections per second. For example, the maximum connections on the ASA is 8 million; replicating 8 million connections in 15 seconds means creating 533 K connections per second. However, the maximum connections allowed per second is 300 K. You can now specify the rate of replication to be less than or equal to the maximum connections per second, and the sync period will be adjusted until all the connections are synchronized.
We introduced the following command: failover replication rate rate.
IPv6 Support on the ASA’s outside interface for VPN Features.
This release of the ASA adds support for IPv6 VPN connections to its outside interface using SSL and IKEv2/IPsec protocols.
This release of the ASA continues to support IPv6 VPN traffic on its inside interface using the SSL protocol as it has in the past. This release does not provide IKEv2/IPsec protocol on the inside interface.
Remote Access VPN support for IPv6: IPv6 Address Assignment Policy
You can configure the ASA to assign an IPv4 address, an IPv6 address, or both an IPv4 and an IPv6 address to an AnyConnect client by creating internal pools of addresses on the ASA or by assigning a dedicated address to a local user on the ASA.
The endpoint must have the dual-stack protocol implemented in its operating system to be assigned both types of addresses.
Assigning an IPv6 address to the client is supported for the SSL protocol. This feature is not supported for the IKEv2/IPsec protocol.
We introduced the following commands: ipv6-vpn-addr-assign, vpn-framed-ipv6-address.
We modified the following screens:
Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Assignment Policy
Configuration > Remote Access VPN > AAA/Local Users > Local Users > (Edit local user account) > VPN Policy
Remote Access VPN support for IPv6: Assigning DNS Servers with IPv6 Addresses to group policies
DNS servers can be defined in a Network (Client) Access internal group policy on the ASA. You can specify up to four DNS server addresses including up to two IPv4 addresses and up to two IPv6 addresses.
DNS servers with IPv6 addresses can be reached by VPN clients when they are configured to use the SSL protocol. This feature is not supported for clients configured to use the IKEv2/IPsec protocol.
We modified the following command: dns-server value.
We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > (Edit group policy) > Servers.
Split tunneling enables you to route some network traffic through the VPN tunnel (encrypted) and to route other network traffic outside the VPN tunnel (unencrypted or “in the clear”). You can now perform split tunneling on IPv6 network traffic by defining an IPv6 policy which specifies a unified access control rule.
IPv6 split tunneling is reported with the telemetric data sent by the Smart Call Home feature. If either IPv4 or IPv6 split tunneling is enabled, Smart Call Home reports split tunneling as “enabled.” For telemetric data, the VPN session database displays the IPv6 data typically reported with session management.
You can include or exclude IPv6 traffic from the VPN “tunnel” for VPN clients configured to use the SSL protocol. This feature is not supported for the IKEv2/IPsec protocol.
We introduced the following command: ipv6-split-tunnel-policy.
We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > (Edit group policy) > Advanced > Split Tunneling.
Remote Access VPN support for IPv6: AnyConnect Client Firewall Rules
Access control rules for client firewalls support access list entries for both IPv4 and IPv6 addresses.
ACLs containing IPv6 addresses can be applied to clients configured to use the SSL protocol. This feature is not supported for the IKEv2/IPsec protocol.
We modified the following command: anyconnect firewall-rule.
We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > (Edit group policy) > Advanced > AnyConnect Client > Client Firewall.
The Client Protocol Bypass feature allows you to configure how the ASA manages IPv4 traffic when it is expecting only IPv6 traffic or how it manages IPv6 traffic when it is expecting only IPv4 traffic.
When the AnyConnect client makes a VPN connection to the ASA, the ASA could assign it an IPv4, IPv6, or both an IPv4 and IPv6 address. If the ASA assigns the AnyConnect connection only an IPv4 address or only an IPv6 address, you can now configure the Client Bypass Protocol to drop network traffic for which the ASA did not assign an IP address, or allow that traffic to bypass the ASA and be sent from the client unencrypted or “in the clear.”
For example, assume that the ASA assigns only an IPv4 address to an AnyConnect connection and the endpoint is dual stacked. When the endpoint attempts to reach an IPv6 address, if Client Bypass Protocol is disabled, the IPv6 traffic is dropped; however, if Client Bypass Protocol is enabled, the IPv6 traffic is sent from the client in the clear.
This feature can be used by clients configured to use the SSL or IKEv2/IPsec protocol.
We introduced the following command: client-bypass-protocol.
We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > (Group Policy) Advanced > AnyConnect Client > Client Bypass Protocol.
Remote Access VPN support for IPv6: IPv6 Interface ID and prefix
You can now specify a dedicated IPv6 address for local VPN users.
This feature benefits users configured to use the SSL protocol. This feature is not supported for the IKEv2/IPsec protocol.
We introduced the following command: vpn-framed-ipv6-address.
We modified the following screen: Configuration > Remote Access VPN > AAA/Local Users > Local Users > (Edit User) > VPN Policy.
Remote Access VPN support for IPv6: Sending ASA FQDN to AnyConnect client
You can return the FQDN of the ASA to the AnyConnect client to facilitate load balancing and session roaming.
This feature can be used by clients configured to use the SSL or IKEv2/IPsec protocol.
We introduced the following command: gateway-fqdn.
We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > (Edit group policy) > Advanced > AnyConnect.
Clients with IPv6 addresses can make AnyConnect connections through the public-facing IPv6 address of the ASA cluster or through a GSS server. Likewise, clients with IPv6 addresses can make AnyConnect VPN connections through the public-facing IPv4 address of the ASA cluster or through a GSS server. Either type of connection can be load-balanced within the ASA cluster.
For clients with IPv6 addresses to successfully connect to the ASAs public-facing IPv4 address, a device that can perform network address translation from IPv6 to IPv4 needs to be in the network.
This feature can be used by clients configured to use the SSL or IKEv2/IPsec protocol.
We modified the following commands: show run vpn load-balancing.
We modified the following screen: Configuration > Remote Access VPN > Load Balancing.
Remote Access VPN support for IPv6: Dynamic Access Policies support IPv6 attributes
When using ASA 9.0 or later with ASDM 6.8 or later, you can now specify these attributes as part of a dynamic access policy (DAP):
This feature can be used by clients configured to use the SSL or IKEv2/IPsec protocol.
We modified the following screens:
Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add > Cisco AAA attribute
Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add > Device > Add Endpoint Attribute
Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Network ACL Filters (client)
Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Webtype ACL Filters (clientless)
Session management output displays the IPv6 addresses in Public/Assigned address fields for AnyConnect connections, site-to-site VPN connections, and Clientless SSL VPN connections. You can add new filter keywords to support filtering the output to show only IPv6 (outside or inside) connections. No changes to IPv6 User Filters exist.
This feature can be used by clients configured to use the SSL protocol. This feature does not support IKEv2/IPsec protocol.
We modified the following command: show vpn-sessiondb.
We modified these screen: Monitoring > VPN > VPN Statistics > Sessions.
NAT now supports IPv6 traffic, as well as translating between IPv4 and IPv6 (NAT64). Translating between IPv4 and IPv6 is not supported in transparent mode.
We modified the following commands: nat (in global and object network configuration mode), show conn, show nat, show nat pool, show xlate.
We modified the following screens:
Configuration > Firewall > Objects > Network Objects/Group
Configuration > Firewall > NAT Rules
DHCP relay is supported for IPv6.
We introduced the following commands: ipv6 dhcprelay server, ipv6 dhcprelay enable, ipv6 dhcprelay timeout, clear config ipv6 dhcprelay, ipv6 nd managed-config-flag, ipv6 nd other-config-flag, debug ipv6 dhcp, debug ipv6 dhcprelay, show ipv6 dhcprelay binding, clear ipv6 dhcprelay binding, show ipv6 dhcprelay statistics, and clear ipv6 dhcprelay statistics.
We modified the following screen: Configuration > Device Management > DHCP > DHCP Relay.
OSPFv3 routing is supported for IPv6. Note the following additional guidelines and limitations for OSPFv2 and OSPFv3:
Clustering
When clustering is configured, OSPFv3 encryption is not supported. An error message appears if you try to configure OSPFv3 encryption in a clustering environment.
When using individual interfaces, make sure that you establish the master and slave units as either OSPFv2 or OSPFv3 neighbors.
When using individual interfaces, OSPFv2 adjacencies can only be established between two contexts on a shared interface on the master unit. Configuring static neighbors is supported only on point-to-point links; therefore, only one neighbor statement is allowed on an interface.
OtherOSPFv2 and OSPFv3 support multiple instances on an interface.
The ESP and AH protocol is supported for OSPFv3 authentication.
We introduced or modified the following commands: ipv6 ospf cost, ipv6 ospf database-filter all out, ipv6 ospf dead-interval, ipv6 ospf hello-interval, ipv6 ospf mtu-ignore, ipv6 ospf neighbor, ipv6 ospf network, ipv6 ospf priority, ipv6 ospf retransmit-interval, ipv6 ospf transmit-delay, ipv6 router ospf, ipv6 router ospf area, ipv6 router ospf default, ipv6 router ospf default-information, ipv6 router ospf distance, ipv6 router ospf exit, ipv6 router ospf ignore, ipv6 router ospf log-adjacency-changes, ipv6 router ospf no, ipv6 router ospf redistribute, ipv6 router ospf router-id, ipv6 router ospf summary-prefix, ipv6 router ospf timers, area range, area virtual-link, default, default-information originate, distance, ignore lsa mospf, log-adjacency-changes, redistribute, router-id, summary-prefix, timers lsa arrival, timers pacing flood, timers pacing lsa-group, timers pacing retransmission, show ipv6 ospf, show ipv6 ospf border-routers, show ipv6 ospf database-filter, show ipv6 ospf flood-list, show ipv6 ospf interface, show ipv6 ospf neighbor, show ipv6 ospf request-list, show ipv6 ospf retransmission-list, show ipv6 ospf summary-prefix, show ipv6 ospf virtual-links, show ospf, show run ipv6 router, clear ipv6 ospf, clear configure ipv6 router, debug ospfv3.
We introduced the following screens:
Configuration > Device Setup > Routing > OSPFv3 > Setup
Configuration > Device Setup > Routing > OSPFv3 > Interface
Configuration > Device Setup > Routing > OSPFv3 > Redistribution
Configuration > Device Setup > Routing > OSPFv3 > Summary Prefix
Configuration > Device Setup > Routing > OSPFv3 > Virtual Link
Monitoring > Routing > OSPFv3 LSAs
Monitoring > Routing > OSPFv3 Neighbors
ACLs now support IPv4 and IPv6 addresses. You can also specify a mix of IPv4 and IPv6 addresses for the source and destination. The IPv6-specific ACLs are deprecated. Existing IPv6 ACLs are migrated to extended ACLs.
ACLs containing IPv6 addresses can be applied to clients configured to use the SSL protocol. This feature is not supported for the IKEv2/IPsec protocol.
We modified the following commands: access-list extended, access-list webtype.
We removed the following commands: ipv6 access-list, ipv6 access-list webtype, ipv6-vpn-filter.
We modified the following screens:
Configuration > Firewall > Access Rules
Configuration > Remote Access VPN > Network (Client) Access > Group Policies > General > More Options
Previously, network object groups could only contain all IPv4 addresses or all IPv6 addresses. Now network object groups can support a mix of both IPv4 and IPv6 addresses.
Note We modified the following command: object-group network.
We modified the following screen: Configuration > Firewall > Objects > Network Objects/Groups.
You can now configure a range of IPv6 addresses for a network object.
We modified the following command: range.
We modified the following screen: Configuration > Firewall > Objects > Network Objects/Groups.
We now support DNS inspection for IPv6 traffic.
We also support translating between IPv4 and IPv6 for the following inspections:
You can now also configure the service policy to generate a syslog message (767001) when unsupported inspections receive and drop IPv6 traffic.
We modified the following command: service-policy fail-close.
We modified the following screen: Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard - Service Policy.
We have added additional support for these browsers, operating systems, web technologies and applications:
Internet browser support: Microsoft Internet Explorer 9, Firefox 4, 5, 6, 7, and 8
Operating system support: Mac OS X 10.7
The clientless SSL VPN rewriter engines were significantly improved to provide better quality and efficacy. As a result, you can expect a better end-user experience for clientless SSL VPN users.
We did not add or modify any commands for this feature.
This feature provides secure remote access for Citrix Receiver applications running on mobile devices to XenApp and XenDesktop VDI servers through the ASA.
For the ASA to proxy Citrix Receiver to a Citrix Server, when users try to connect to Citrix virtualized resource, instead of providing the Citrix Server’s address and credentials, users enter the ASA’s SSL VPN IP address and credentials.
We modified the following command: vdi.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policy > Edit > More Options > VDI Access > Add VDI Server.
This feature improves support for web applications that require dynamic parameters for authentication.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks.
This feature provides proxy support for clientless Java plug-ins when a proxy is configured in client machines' browsers.
The Remote File Explorer provides users with a way to browse the corporate network from their web browser. When users click the Remote File System icon on the Cisco SSL VPN portal page, an applet is launched on the user's system displaying the remote file system in a tree and folder view.
This feature enhances clientless SSL VPN support to enable SSL server certificate verification for remote HTTPS sites against a list of trusted CA certificates.
We modified the following commands: ssl-server-check, crypto, crypto ca trustpool, crl, certificate, revocation-check.
We modified the following screen: Configuration > Remote Access VPN > Certificate Management > Trusted Certificate Pool.
This feature improves throughput performance for AnyConnect TLS/DTLS traffic in multi-core platforms. It accelerates the SSL VPN datapath and provides customer-visible performance gains in AnyConnect, smart tunnels, and port forwarding.
We modified the following commands: crypto engine accelerator-bias and show crypto accelerator.
We modified the following screen: Configuration > Remote Access VPN > Advanced > Crypto Engine.
Custom attributes define and configure AnyConnect features that have not yet been added to ASDM. You add custom attributes to a group policy, and define values for those attributes.
For AnyConnect 3.1, custom attributes are available to support AnyConnect Deferred Upgrade.
Custom attributes can benefit AnyConnect clients configured for either IKEv2/IPsec or SSL protocols.
We added the following command: anyconnect-custom-attr.
A new screen was added: Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attributes.
The National Standards Association (NSA) specified a set of cryptographic algorithms that devices must support to meet U.S. federal standards for cryptographic strength. RFC 6379 defines the Suite B cryptographic suites. Because the collective set of algorithms defined as NSA Suite B are becoming a standard, the AnyConnect IPsec VPN (IKEv2 only) and public key infrastructure (PKI) subsystems now support them. The next generation encryption (NGE) includes a larger superset of this set adding cryptographic algorithms for IPsec V3 VPN, Diffie-Hellman Groups 14 and 24 for IKEv2, and RSA certificates with 4096 bit keys for DTLS and IKEv2.
The following functionality is added to ASA to support the Suite B algorithms:
New cryptographic algorithms are added for IPsecV3.
Note Suite B algorithm support requires an AnyConnect Premium license for IKEv2 remote access connections, but Suite B usage for other connections or purposes (such as PKI) has no limitations. IPsecV3 has no licensing restrictions.
We introduced or modified the following commands: crypto ikev2 policy, crypto ipsec ikev2 ipsec-proposal, crypto key generate, crypto key zeroize, show crypto key mypubkey, show vpn-sessiondb.
We introduced or modified the following screens:
Monitor > VPN > Encryption Statistics
Configuration > Site-to-Site VPN > Certificate Management > Identity Certificates
Configuration > Site-to-Site VPN > Advanced > System Options
Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps
Site-to-site VPN tunnels are now supported in multiple context mode.
New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.
We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation.
We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
A new resource class, routes, was created to set the maximum number of routing table entries in each context.
We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation.
We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class.
You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode.
We modified the following command: firewall transparent.
You cannot set the firewall mode in ASDM; you must use the command-line interface.
The Cisco 7600 series now supports the ASASM. For specific hardware and software requirements, see: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html.
The ASA CX module lets you enforce security based on the complete context of a situation. This context includes the identity of the user (who), the application or website that the user is trying to access (what), the origin of the access attempt (where), the time of the attempted access (when), and the properties of the device used for the access (how). With the ASA CX module, you can extract the full context of a flow and enforce granular policies such as permitting access to Facebook but denying access to games on Facebook or permitting finance employees access to a sensitive enterprise database but denying the same to other employees.
We introduced or modified the following commands: capture, cxsc, cxsc auth-proxy, debug cxsc, hw-module module password-reset, hw-module module reload, hw-module module reset, hw-module module shutdown, session do setup host ip, session do get-config, session do password-reset, show asp table classify domain cxsc, show asp table classify domain cxsc-auth-proxy, show capture, show conn, show module, show service-policy.
We introduced the following screens:
Wizards > Startup Wizard > ASA CX Basic Configuration
Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > ASA CX Inspection
ASA 5585-X Dual SSP support for the SSP-10 and SSP-20 (in addition to the SSP-40 and SSP-60); VPN support for Dual SSPs
The ASA 5585-X now supports dual SSPs using all SSP models (you can use two SSPs of the same level in the same chassis). VPN is now supported when using dual SSPs.
New Features in Version 8.7
New Features in ASA 8.7(1.1)/ASDM 6.7(1)
Released: October 16, 2012
NoteVersion 8.7(1) was removed from Cisco.com due to build issues; please upgrade to Version 8.7(1.1) or later.
We introduced support for the ASA 1000V for the Nexus 1000V switch.
You can add one or multiple instances of the ASA 1000V to your deployment using the method of cloning VMs.
You can configure, manage, and monitor the ASA 1000V using the Adaptive Security Device Manager (ASDM), which is the single GUI-based device manager for the ASA.
You can configure and manage the ASA 1000V using the Cisco Virtual Network Management Center (VNMC), which is a GUI-based multi-device manager for multiple tenants.
You can configure and manage the ASA 1000V using XML APIs, which are application programmatic interfaces provided through the Cisco VNMC. This feature is only available in VNMC mode.
Cisco VNMC access and configuration are required to create security profiles. You can configure access to the Cisco VNMC through the Configuration > Device Setup > Interfaces pane in ASDM. Enter the login username and password, hostname, and shared secret to access the Cisco VNMC. Then you can configure security profiles and security profile interfaces. In VNMC mode, use the CLI to configure security profiles.
Security profiles are interfaces that correspond to an edge security profile that has been configured in the Cisco VNMC and assigned in the Cisco Nexus 1000V VSM. Policies for through-traffic are assigned to these interfaces and the outside interface. You can add security profiles through the Configuration > Device Setup > Interfaces pane. You create the security profile by adding its name and selecting the service interface. ASDM then generates the security profile through the Cisco VNMC, assigns the security profile ID, and automatically generates a unique interface name. The interface name is used in the security policy configuration.
We introduced or modified the following commands: interface security-profile, security-profile, mtu, vpath path-mtu, clear interface security-profile, clear configure interface security-profile, show interface security-profile, show running-config interface security-profile, show interface ip brief, show running-config mtu, show vsn ip binding, show vsn security-profile.
We introduced or modified the following screens:
Configuration > Device Setup > Interfaces Configuration > Device Setup > Interfaces > Add Security Profile Monitoring > Interfaces > Security Profiles
The service interface is the Ethernet interface associated with security profile interfaces. You can only configure one service interface, which must be the inside interface.
We introduced the following command: service-interface security-profile all.
We modified the following screen: Configuration > Device Setup > Interfaces.
The VNMC policy agent enables policy configuration through both the ASDM and VNMC modes. It includes a web server that receives XML-based requests from Cisco VNMC over HTTPS and converts it to the ASA 1000V configuration.
We introduced the following commands: vnmc policy-agent, login, shared-secret, registration host, vnmc org, show vnmc policy-agent, show running-config vnmc policy-agent, clear configure vnmc policy-agent.
We modified the following screen: Configuration > Device Setup > Interfaces.
New Features in Version 8.6
New Features in ASA 8.6(1)/ASDM 6.6(1)
Released: February 28, 2012
Note
This ASA software version is only supported on the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X.
Version 8.6(1) includes all features in 8.4(2), plus the features listed in this table.
Features added in 8.4(3) are not included in 8.6(1) unless they are explicitly listed in this table.
We introduced support for the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X.
Support for the IPS SSP for the ASA 5512-X through ASA 5555-X
We introduced support for the IPS SSP software module for the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X.
We introduced or modified the following commands: session, show module, sw-module.
The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9 and Firefox 4.
To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect 3.0 or later. Each tunneling method configures compression separately, and the preferred configuration is to have both SSL and DTLS compression as LZS. This feature enhances migration from legacy VPN clients.
Note Using data compression on high speed remote access connections passing highly compressible data requires significant processing power on the ASA. With other activity and traffic on the ASA, the number of sessions that can be supported on the platform is reduced.
We introduced or modified the following commands: anyconnect dtls compression [lzs | none] and anyconnect ssl compression [deflate | lzs | none].
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies > Edit > Edit Internal Group Policy > Advanced > AnyConnect Client > SSL Compression.
Allows you to create custom messages to alert users that their VPN session is about to end because of inactivity or a session timeout.
We introduced the following commands: vpn-session-timeout alert-interval, vpn-idle-timeout alert-interval.
We introduced the following screens:
Remote Access VPN > Configuration > Clientless SSL VPN Access > Portal > Customizations > Add/Edit > Timeout Alerts Remote Access VPN > Configuration > Clientless SSL VPN Access > Group Policies > Add/Edit General
In multiple context mode, the ASA now converts the automatic MAC address generation configuration to use a default prefix. The ASA auto-generates the prefix based on the last two bytes of the interface MAC address. This conversion happens automatically when you reload, or if you reenable MAC address generation. The prefix method of generation provides many benefits, including a better guarantee of unique MAC addresses on a segment. You can view the auto-generated prefix by entering the show running-config mac-address command. If you want to change the prefix, you can reconfigure the feature with a custom prefix. The legacy method of MAC address generation is no longer available.
Note To maintain hitless upgrade for failover pairs, the ASA does not convert the MAC address method in an existing configuration upon a reload if failover is enabled. However, we strongly recommend that you manually change to the prefix method of generation. After upgrading, to use the prefix method of MAC address generation, reenable MAC address generation to use the default prefix.
We modified the following command: mac-address auto.
We modified the following screen: Configuration > Context Management > Security Contexts
The maximum number of values that the ASA can receive for a single attribute was increased from 1000 (the default) to 5000, with an allowed range of 500 to 5000. If a response message is received that exceeds the configured limit, the ASA rejects the authentication. If the ASA detects that a single attribute has more than 1000 values, then the ASA generates informational syslog 109036. For more than 5000 attributes, the ASA generates error level syslog 109037.
We introduced the following command: ldap-max-value-range number (Enter this command in aaa-server host configuration mode).
ASDM does not support this command; enter the command using the Command Line Tool.
When an LDAP search results in an attribute with a large number of values, depending on the server configuration, it might return a sub-range of the values and expect the ASA to initiate additional queries for the remaining value ranges. The ASA now makes multiple queries for the remaining ranges, and combines the responses into a complete array of attribute values.
Regular expression matching for the show asp table classifier and show asp table filter commands
You can now enter the show asp table classifier and show asp table filter commands with a regular expression to filter output.
We modified the following commands: show asp table classifier match regex, show asp table filter match regex.
ASDM does not support this command; enter the command using the Command Line Tool.
New Features in Version 8.5
New Features in ASA 8.5(1.7)/ASDM 6.5(1.101)
Released: March 5, 2012
NoteWe recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will usually remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available.
We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each ASA interim release, see the interim release notes available on the Cisco.com software download site.
Table 1 New Features for ASA Interim Version 8.5(1.7)/ASDM Version 6.5(1.101) The ASA now interoperates with the Catalyst 6500 Supervisor 2T. For hardware and software compatibility, see: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html.
Note You may have to upgrade the FPD image on the ASA. See the Upgrading procedure the in the release notes.
ASDM support for Automatic generation of a MAC address prefix
ASDM now shows that an autogenerated prefix will be used if you do not specify one.
We modified the following screen: Configuration > Context Management > Security Contexts
Configure the connection replication rate during a bulk sync
You can now configure the rate at which the ASA replicates connections to the standby unit when using stateful failover. By default, connections are replicated to the standby unit during a 15 second period. However, when a bulk sync occurs (for example, when you first enable failover), 15 seconds may not be long enough to sync large numbers of connections due to a limit on the maximum connections per second. For example, the maximum connections on the ASA is 8 million; replicating 8 million connections in 15 seconds means creating 533K connections per second. However, the maximum connections allowed per second is 300K. You can now specify the rate of replication to be less than or equal to the maximum connections per second, and the sync period will be adjusted until all the connections are synced.
We introduced the following command: failover replication rate rate.
We modified the following screen: Configuration > Device Management > High Availability > Failover.
New Features in ASA 8.5(1.6)/ASDM 6.5(1)
Released: January 27, 2012
NoteWe recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will usually remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available.
We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each ASA interim release, see the interim release notes available on the Cisco.com software download site.
Table 2 New Features for ASA Interim Version 8.5(1.6)/ASDM Version 6.5(1) In multiple context mode, the ASA now converts the automatic MAC address generation configuration to use a default prefix. The ASA auto-generates the prefix based on the last two bytes of the backplane MAC address. This conversion happens automatically when you reload, or if you reenable MAC address generation. The prefix method of generation provides many benefits, including a better guarantee of unique MAC addresses on a segment. You can view the auto-generated prefix by entering the show running-config mac-address command. If you want to change the prefix, you can reconfigure the feature with a custom prefix. The legacy method of MAC address generation is no longer available.
Note To maintain hitless upgrade for failover pairs, the ASA does not convert the MAC address method in an existing configuration upon a reload if failover is enabled. However, we strongly recommend that you manually change to the prefix method of generation when using failover. Without the prefix method, ASASMs installed in different slot numbers experience a MAC address change upon failover, and can experience traffic interruption. After upgrading, to use the prefix method of MAC address generation, reenable MAC address generation to use the default prefix.
New Features in ASA 8.5(1)/ASDM 6.5(1)
Released: July 8, 2011
This ASA and ASDM software version is only supported on the ASASM.
Version 8.5(1) includes all features in 8.4(1), plus the features listed in this table. The following features, however, are not supported in No Payload Encryption software, and this release is only available as a No Payload Encryption release:
Features added in 8.4(2) are not included in 8.5(1) unless they are explicitly listed in this table.
Table 3 New Features for ASA Version 8.5(1)/ASDM Version 6.5(1) We introduced support for the ASASM for the Cisco Catalyst 6500 E switch.
You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode.
We modified the following command: firewall transparent.
You cannot set the firewall mode in ASDM; you must use the command line interface.
Automatic MAC address generation is now enabled by default in multiple context mode
Automatic generation of MAC addresses is now enabled by default in multiple context mode.
We modified the following command: mac address auto.
We modified the following screen: System > Configuration > Context Management > Security Contexts.
In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always used to determine the egress interface. You could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.
For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command) to 8.4(2) and later now includes the following keywords to disable proxy ARP and to use a route lookup: no-proxy-arp and route-lookup. The unidirectional keyword that was used for migrating to 8.3(2) and 8.4(1) is no longer used for migration. When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords, to maintain existing functionality. The unidirectional keyword is removed.
We modified the following commands: nat static [no-proxy-arp] [route-lookup] (object network) and nat source static [no-proxy-arp] [route-lookup] (global).
We modified the following screens:
Configuration > Firewall > NAT Rules > Add/Edit Network Object > Advanced NAT Settings Configuration > Firewall > NAT Rules > Add/Edit NAT Rule
You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool. These features help prevent a large number of connections from a single PAT address from appearing to be part of a DoS attack and makes configuration of large numbers of PAT addresses easy.
Note Currently in 8.5(1), the PAT pool feature is not available as a fallback method for dynamic NAT or PAT. You can only configure the PAT pool as the primary method for dynamic PAT (CSCtq20634).
We modifed the following commands: nat dynamic [pat-pool mapped_object [round-robin]] (object network) and nat source dynamic [pat-pool mapped_object [round-robin]] (global).
We modified the following screens:
Configuration > Firewall > NAT Rules > Add/Edit Network Object Configuration > Firewall > NAT Rules > Add/Edit NAT Rule
The switch supervisor engine can send autostate messages to the ASASM about the status of physical interfaces associated with ASA VLANs. For example, when all physical interfaces associated with a VLAN go down, the autostate message tells the ASA that the VLAN is down. This information lets the ASA declare the VLAN as down, bypassing the interface monitoring tests normally required for determining which side suffered a link failure. Autostate messaging provides a dramatic improvement in the time the ASA takes to detect a link failure (a few milliseconds as compared to up to 45 seconds without autostate support).
Note The switch supports autostate messaging only if you install a single ASA in the chassis.
The ASASM supports VSS when configured on the switches. No ASA configuration is required.
New Features in Version 8.4
New Features in ASA 8.4(6)/ASDM 7.1(2.102)
Released: April 29, 2013
You can now view the top bin sizes allocated and the top 10 PCs for each allocated bin size. Previously, you had to enter multiple commands to see this information (the show memory detail command and the show memory binsize command); the new command provides for quicker analysis of memory issues.
We introduced the following command: show memory top-usage.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
The cpu profile activate command now supports the following:
We modified the following command: cpu profile activate [n-samples] [sample-process process-name] [trigger cpu-usage cpu% [process-name].
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
user-storage value command password is now encrypted in show commands
The password in the user-storage value command is now encrypted when you enter show running-config.
We modified the following command: user-storage value.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies > More Options > Session Settings.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
New Features in ASA 8.4(5)/ASDM 7.0(2)
Released: October 31, 2012
EtherType ACL support for IS-IS traffic (transparent firewall mode)
In transparent firewall mode, the ASA can now pass IS-IS traffic using an EtherType ACL.
We modified the following command: access-list ethertype {permit | deny} is-is.
We modified the following screen: Configuration > Device Management > Management Access > EtherType Rules.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
The ASA ARP cache only contains entries from directly-connected subnets by default. You can now enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.
You may want to use this feature if you use:
We introduced the following command: arp permit-nonconnected.
We modified the following screen: Configuration > Device Management > Advanced > ARP > ARP Static Table.
Increased maximum connection limits for service policy rules
The maximum number of connections for service policy rules was increased from 65535 to 2000000.
We modified the following commands: set connection conn-max, set connection embryonic-conn-max, set connection per-client-embryonic-max, set connection per-client-max.
We modified the following screen: Configuration > Firewall > Service Policy Rules > Connection Settings.
Host Scan and the ASA use an improved process to transfer posture attributes from the client to the ASA. This gives the ASA more time to establish a VPN connection with the client and apply a dynamic access policy.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
CSD 3.6.6215 was updated to enable selection of Windows 8 in the Prelogin Policy operating system check.
ASDM was updated to enable selection of Windows 8 in the DAP Operating System attribute.
NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to allow polling for Xlate count.
Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count for SNMP.
This data is equivalent to the show xlate count command.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
Flow-update events have been introduced to provide periodic byte counters for flow traffic. You can change the time interval at which flow-update events are sent to the NetFlow collector. You can filter to which collectors flow-update records will be sent.
We introduced the following command: flow-export active refresh-interval.
We modified the following command: flow-export event-type.
We modified the following screens:
Configuration > Device Management > Logging > NetFlow.
Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard - Rule Actions > NetFlow > Add Flow Event
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
Support was added for the ASA 5585-X DC power supply.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
New Features in ASA 8.4(4.5)/ASDM 6.4(9.103)
Released: August 13, 2012
Note
Version 8.4(4.3) was removed from Cisco.com due to build issues; please upgrade to Version 8.4(4.5) or later.
We recommend that you upgrade to a Cisco.com-posted interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available. We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each interim release, see the interim release notes available on the Cisco.com software download site.
The ASA ARP cache only contains entries from directly-connected subnets by default. You can now enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.
You may want to use this feature if you use:
We introduced the following command: arp permit-nonconnected.
We modified the following screen: Configuration > Device Management > Advanced > ARP > ARP Static Table.
NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to allow polling for Xlate count.
Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count for SNMP.
This data is equivalent to the show xlate count command.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
New Features in ASA 8.4(4.1)/ASDM 6.4(9)
Released: June 18, 2012
NoteVersion 8.4(4) was removed from Cisco.com due to build issues; please upgrade to Version 8.4(4.1) or later.
The FIPS 140-2 Non-Proprietary Security Policy was updated as part of the Level 2 FIPS 140-2 validation for the Cisco ASA 5500 series, which includes the Cisco ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580, and ASA 5585-X.
The Common Criteria Evaluation Assurance Level 4 (EAL4) was updated, which provides the basis for a specific Target of Evaluation (TOE) of the Cisco ASA and VPN platform solutions.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
Support for administrator password policy when using the local database
When you configure authentication for CLI or ASDM access using the local database, you can configure a password policy that requires a user to change their password after a specified amount of time and also requires password standards such as a minimum length and the minimum number of changed characters.
We introduced or modified the following commands: change-password, password-policy lifetime, password-policy minimum changes, password-policy minimum-length, password-policy minimum-lowercase, password-policy minimum-uppercase, password-policy minimum-numeric, password-policy minimum-special, password-policy authenticate enable, clear configure password-policy, show running-config password-policy.
We introduced the following screen: Configuration > Device Management > Users/AAA > Password Policy
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
You can now enable public key authentication for SSH connections to the ASA on a per-user basis using Base64 key up to 2048 bits.
We introduced the following commands: ssh authentication.
We introduced the following screen: Configuration > Device Management > Users/AAA > User Accounts > Edit User Account > Public Key Authentication
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
Support for Diffie-Hellman Group 14 for the SSH Key Exchange
Support for Diffie-Hellman Group 14 for SSH Key Exchange was added. Formerly, only Group 1 was supported.
We introduced the following command: ssh key-exchange.
We modified the following screen: Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
You can set the maximum number of simultaneous ASDM, SSH, and Telnet sessions.
We introduced the following commands: quota management-session, show running-config quota management-session, show quota management-session.
We introduced the following screen: Configuration > Device Management > Management Access > Management Session Quota.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
Additional ephemeral Diffie-Hellman ciphers for SSL encryption
The ASA now supports the following ephemeral Diffie-Hellman (DHE) SSL cipher suites:
These cipher suites are specified in RFC 3268, Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS).
When supported by the client, DHE is the preferred cipher because it provides Perfect Forward Secrecy. See the following limitations:
DHE is not supported on SSL 3.0 connections, so make sure to also enable TLS 1.0 for the SSL server.
!! set server version ciscoasa(config)# ssl server-version tlsv1 sslv3 !! set client version ciscoasa(config) # ssl client-version anySome popular applications do not support DHE, so include at least one other SSL encryption method to ensure that a cipher suite common to both the SSL client and server can be used.
Some clients may not support DHE, including AnyConnect 2.5 and 3.0, Cisco Secure Desktop, and Internet Explorer 9.0.
We modified the following command: ssl encryption.
We modified the following screen: Configuration > Device Management > Advanced > SSL Settings.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
Support for SHA-512 image integrity checking was added.
We modified the following command: verify.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
Hardware-based noise for additional entropy was added to the software-based random number generation process. This change makes pseudo-random number generation (PRNG) more random and more difficult for attackers to get a repeatable pattern or guess the next random number to be used for encryption and decryption operations. Two changes were made to improve PRNG:
Use the current hardware-based RNG for random data to use as one of the parameters for software-based RNG.
If the hardware-based RNG is not available, use additional hardware noise sources for software-based RNG. Depending on your model, the following hardware sensors are used:
We introduced the following commands: show debug menu cts [128 | 129]
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
The clientless SSL VPN rewriter engines were significantly improved to provide better quality and efficacy. As a result, you can expect a better end-user experience for clientless SSL VPN users.
We did not add or modify any commands for this feature.
Configure the connection replication rate during a bulk sync
You can now configure the rate at which the ASA replicates connections to the standby unit when using Stateful Failover. By default, connections are replicated to the standby unit during a 15 second period. However, when a bulk sync occurs (for example, when you first enable failover), 15 seconds may not be long enough to sync large numbers of connections due to a limit on the maximum connections per second. For example, the maximum connections on the ASA is 8 million; replicating 8 million connections in 15 seconds means creating 533 K connections per second. However, the maximum connections allowed per second is 300 K. You can now specify the rate of replication to be less than or equal to the maximum connections per second, and the sync period will be adjusted until all the connections are synced.
We introduced the following command: failover replication rate rate.
This feature is not available in 8.6(1) or 8.7(1). This feature is also in 8.5(1.7).
Previously, Sun RPC inspection does not support outbound access lists because the inspection engine uses dynamic access lists instead of secondary connections.
In this release, when you configure dynamic access lists on the ASA, they are supported on the ingress direction only and the ASA drops egress traffic destined to dynamic ports. Therefore, Sun RPC inspection implements a pinhole mechanism to support egress traffic. Sun RPC inspection uses this pinhole mechanism to support outbound dynamic access lists.
Previously, when the ASA dropped a packet due to an inspection engine rule, the ASA sent only one RST to the source device of the dropped packet. This behavior could cause resource issues.
In this release, when you configure an inspection engine to use a reset action and a packet triggers a reset, the ASA sends a TCP reset under the following conditions:
The ASA sends a TCP reset to the inside host when the service resetoutbound command is enabled. (The service resetoutbound command is disabled by default.)
The ASA sends a TCP reset to the outside host when the service resetinbound command is enabled. (The service resetinbound command is disabled by default.)
For more information, see the service command in the ASA command reference.
This behavior ensures that a reset action will reset the connections on the ASA and on inside servers; therefore countering denial of service attacks. For outside hosts, the ASA does not send a reset by default and information is not revealed through a TCP reset.
The ASA CX module lets you enforce security based on the complete context of a situation. This context includes the identity of the user (who), the application or website that the user is trying to access (what), the origin of the access attempt (where), the time of the attempted access (when), and the properties of the device used for the access (how). With the ASA CX module, you can extract the full context of a flow and enforce granular policies such as permitting access to Facebook but denying access to games on Facebook or permitting finance employees access to a sensitive enterprise database but denying the same to other employees.
We introduced or modified the following commands: capture, cxsc, cxsc auth-proxy, debug cxsc, hw-module module password-reset, hw-module module reload, hw-module module reset, hw-module module shutdown, session do setup host ip, session do get-config, session do password-reset, show asp table classify domain cxsc, show asp table classify domain cxsc-auth-proxy, show capture, show conn, show module, show service-policy.
We introduced the following screens:
Home > ASA CX Status Wizards > Startup Wizard > ASA CX Basic Configuration
Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > ASA CX Inspection
The ASA 5585-X now supports additional interfaces on network modules in slot 1. You can install one or two of the following optional network modules:
New Features in ASA 8.4(3)/ASDM 6.4(7)
Released: January 9, 2012
Round robin PAT pool allocation uses the same IP address for existing hosts
When using a PAT pool with round robin allocation, if a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available.
We did not modify any commands.
If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool.
If you have a lot of traffic that uses the lower port ranges, when using a PAT pool, you can now specify a flat range of ports to be used instead of the three unequal-sized tiers: either 1024 to 65535, or 1 to 65535.
We modified the following commands: nat dynamic [pat-pool mapped_object [flat [include-reserve]]] (object network configuration mode) and nat source dynamic [pat-pool mapped_object [flat [include-reserve]]] (global configuration mode).
We modified the following screens:
Configuration > Firewall > NAT Rules > Add/Edit Network Object
Configuration > Firewall > NAT Rules > Add/Edit NAT Rule
Each PAT IP address allows up to 65535 ports. If 65535 ports do not provide enough translations, you can now enable extended PAT for a PAT pool. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information.
We modified the following commands: nat dynamic [pat-pool mapped_object [extended]] (object network configuration mode) and nat source dynamic [pat-pool mapped_object [extended]] (global configuration mode).
We modified the following screens:
Configuration > Firewall > NAT Rules > Add/Edit Network Object
Configuration > Firewall > NAT Rules > Add/Edit NAT Rule
When a PAT xlate times out (by default after 30 seconds), and the ASA reuses the port for a new translation, some upstream routers might reject the new connection because the previous connection might still be open on the upstream device. The PAT xlate timeout is now configurable, to a value between 30 seconds and 5 minutes.
We introduced the following command: timeout pat-xlate.
We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts.
Automatic NAT rules to translate a VPN peer’s local IP address back to the peer’s real IP address
In rare situations, you might want to use a VPN peer’s real IP address on the inside network instead of an assigned local IP address. Normally with VPN, the peer is given an assigned local IP address to access the inside network. However, you might want to translate the local IP address back to the peer’s real public IP address if, for example, your inside servers and network security is based on the peer’s real IP address.
You can enable this feature on one interface per tunnel group. Object NAT rules are dynamically added and deleted when the VPN session is established or disconnected. You can view the rules using the show nat command.
Note Because of routing issues, we do not recommend using this feature unless you know you need this feature; contact Cisco TAC to confirm feature compatibility with your network. See the following limitations:
We introduced the following command: nat-assigned-to-public-ip interface (tunnel-group general-attributes configuration mode).
ASDM does not support this command; enter the command using the Command Line Tool.
The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9 and Firefox 4.
To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect 3.0 or later. Each tunneling method configures compression separately, and the preferred configuration is to have both SSL and DTLS compression as LZS. This feature enhances migration from legacy VPN clients.
Note Using data compression on high speed remote access connections passing highly compressible data requires significant processing power on the ASA. With other activity and traffic on the ASA, the number of sessions that can be supported on the platform is reduced.
We introduced or modified the following commands: anyconnect dtls compression [lzs | none] and anyconnect ssl compression [deflate | lzs | none].
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies > Edit > Edit Internal Group Policy > Advanced > AnyConnect Client > SSL Compression.
Allows you to create custom messages to alert users that their VPN session is about to end because of inactivity or a session timeout.
We introduced the following commands: vpn-session-timeout alert-interval, vpn-idle-timeout alert-interval.
We introduced the following screens:
Remote Access VPN > Configuration > Clientless SSL VPN Access > Portal > Customizations > Add/Edit > Timeout Alerts
Remote Access VPN > Configuration > Clientless SSL VPN Access > Group Policies > Add/Edit General
The maximum number of values that the ASA can receive for a single attribute was increased from 1000 (the default) to 5000, with an allowed range of 500 to 5000. If a response message is received that exceeds the configured limit, the ASA rejects the authentication. If the ASA detects that a single attribute has more than 1000 values, then the ASA generates informational syslog 109036. For more than 5000 attributes, the ASA generates error level syslog 109037.
We introduced the following command: ldap-max-value-range number (Enter this command in aaa-server host configuration mode).
ASDM does not support this command; enter the command using the Command Line Tool.
When an LDAP search results in an attribute with a large number of values, depending on the server configuration, it might return a sub-range of the values and expect the ASA to initiate additional queries for the remaining value ranges. The ASA now makes multiple queries for the remaining ranges, and combines the responses into a complete array of attribute values.
Key vendor-specific attributes (VSAs) sent in RADIUS access request and accounting request packets from the ASA
Four New VSAs—Tunnel Group Name (146) and Client Type (150) are sent in RADIUS access request packets from the ASA. Session Type (151) and Session Subtype (152) are sent in RADIUS accounting request packets from the ASA. All four attributes are sent for all accounting request packet types: Start, Interim-Update, and Stop. The RADIUS server (for example, ACS and ISE) can then enforce authorization and policy attributes or use them for accounting and billing purposes.
Regular expression matching for the show asp table classifier and show asp table filter commands
You can now enter the show asp table classifier and show asp table filter commands with a regular expression to filter output.
We modified the following commands: show asp table classifier match regex, show asp table filter match regex.
ASDM does not support this command; enter the command using the Command Line Tool.
New Features in ASA 8.4(2.8)/ASDM 6.4(5.106)
Released: August 31, 2011
NoteWe recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will usually remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available.
We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each ASA interim release, see the interim release notes available on the Cisco.com software download site.
The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9 and Firefox 4.
To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect 3.0 or later. Each tunneling method configures compression separately, and the preferred configuration is to have both SSL and DTLS compression as LZS. This feature enhances migration from legacy VPN clients.
Note Using data compression on high speed remote access connections passing highly compressible data requires significant processing power on the ASA. With other activity and traffic on the ASA, the number of sessions that can be supported on the platform is reduced.
We introduced or modified the following commands: anyconnect dtls compression [lzs | none] and anyconnect ssl compression [deflate | lzs | none].
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies > Edit > Edit Internal Group Policy > Advanced > AnyConnect Client > SSL Compression.
Allows you to create custom messages to alert users that their VPN session is about to end because of inactivity or a session timeout.
We introduced the following commands: vpn-session-timeout alert-interval, vpn-idle-timeout alert-interval.
We introduced the following screens:
Remote Access VPN > Configuration > Clientless SSL VPN Access > Portal > Customizations > Add/Edit > Timeout Alerts
Remote Access VPN > Configuration > Clientless SSL VPN Access > Group Policies > Add/Edit General
The maximum number of values that the ASA can receive for a single attribute was increased from 1000 (the default) to 5000, with an allowed range of 500 to 5000. If a response message is received that exceeds the configured limit, the ASA rejects the authentication. If the ASA detects that a single attribute has more than 1000 values, then the ASA generates informational syslog 109036. For more than 5000 attributes, the ASA generates error level syslog 109037.
We introduced the following command: ldap-max-value-range number (Enter this command in aaa-server host configuration mode).
ASDM does not support this command; enter the command using the Command Line Tool.
When an LDAP search results in an attribute with a large number of values, depending on the server configuration, it might return a sub-range of the values and expect the ASA to initiate additional queries for the remaining value ranges. The ASA now makes multiple queries for the remaining ranges, and combines the responses into a complete array of attribute values.
Regular expression matching for the show asp table classifier and show asp table filter commands
You can now enter the show asp table classifier and show asp table filter commands with a regular expression to filter output.
We modified the following commands: show asp table classifier match regex, show asp table filter match regex.
ASDM does not support this command; enter the command using the Command Line Tool.
New Features in ASA 8.4(2)/ASDM 6.4(5)
Released: June 20, 2011
Typically, a firewall is not aware of the user identities and, therefore, cannot apply security policies based on identity.
The Identity Firewall in the ASA provides more granular access control based on users’ identities. You can configure access rules and security policies based on usernames and user groups name rather than through source IP addresses. The ASA applies the security policies based on an association of IP addresses to Windows Active Directory login information and reports events based on the mapped usernames instead of network IP addresses.
The Identity Firewall integrates with Window Active Directory in conjunction with an external Active Directory (AD) Agent that provides the actual identity mapping. The ASA uses Windows Active Directory as the source to retrieve the current user identity information for specific IP addresses.
In an enterprise, some users log onto the network by using other authentication mechanisms, such as authenticating with a web portal (cut-through proxy) or by using a VPN. You can configure the Identity Firewall to allow these types of authentication in connection with identity-based access policies.
We introduced or modified the following commands: user-identity enable, user-identity default-domain, user-identity domain, user-identity logout-probe, user-identity inactive-user-timer, user-identity poll-import-user-group-timer, user-identity action netbios-response-fail, user-identity user-not-found, user-identity action ad-agent-down, user-identity action mac-address-mismatch, user-identity action domain-controller-down, user-identity ad-agent active-user-database, user-identity ad-agent hello-timer, user-identity ad-agent aaa-server, user-identity update import-user, user-identity static user, ad-agent-mode, dns domain-lookup, dns poll-timer, dns expire-entry-timer, object-group user, show user-identity, show dns, clear configure user-identity, clear dns, debug user-identity, test aaa-server ad-agent.
We introduced the following screens:
Configuration > Firewall > Identity Options. Configuration > Firewall > Objects > Local User Groups
Monitoring > Properties > Identity
We modified the following screen:
Configuration > Device Management > Users/AAA > AAA Server Groups > Add/Edit Server Group.
In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always used to determine the egress interface. You could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.
For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command) to 8.4(2) and later now includes the following keywords to disable proxy ARP and to use a route lookup: no-proxy-arp and route-lookup. The unidirectional keyword that was used for migrating to 8.3(2) and 8.4(1) is no longer used for migration. When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords, to maintain existing functionality. The unidirectional keyword is removed.
We modified the following commands: nat static [no-proxy-arp] [route-lookup] (object network) and nat source static [no-proxy-arp] [route-lookup] (global).
We modified the following screens:
Configuration > Firewall > NAT Rules > Add/Edit Network Object > Advanced NAT Settings
Configuration > Firewall > NAT Rules > Add/Edit NAT Rule
You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool. These features help prevent a large number of connections from a single PAT address from appearing to be part of a DoS attack and makes configuration of large numbers of PAT addresses easy.
Note Currently in 8.4(2), the PAT pool feature is not available as a fallback method for dynamic NAT or PAT. You can only configure the PAT pool as the primary method for dynamic PAT (CSCtq20634).
We modifed the following commands: nat dynamic [pat-pool mapped_object [round-robin]] (object network) and nat source dynamic [pat-pool mapped_object [round-robin]] (global).
We modified the following screens:
Configuration > Firewall > NAT Rules > Add/Edit Network ObjectConfiguration > Firewall > NAT Rules > Add/Edit NAT Rul
You can configure IPv6 inspection by configuring a service policy to selectively block IPv6 traffic based on the extension header. IPv6 packets are subjected to an early security check. The ASA always passes hop-by-hop and destination option types of extension headers while blocking router header and no next header.
You can enable default IPv6 inspection or customize IPv6 inspection. By defining a policy map for IPv6 inspection you can configure the ASA to selectively drop IPv6 packets based on following types of extension headers found anywhere in the IPv6 packet:
We modified the following commands: policy-map type inspect ipv6, verify-header, match header, match header routing-type, match header routing-address count gt, match header count gt.
We introduced the following screen: Configuration > Firewall > Objects > Inspect Maps > IPv6.
This enhancement allows customers to configure a global clientless SSL VPN access policy to permit or deny clientless SSL VPN sessions based on the data present in the HTTP header. If denied, an error code is returned to the clients. This denial is performed before user authentication and thus minimizes the use of processing resources.
We modified the following command: webvpn portal-access-rule.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Portal Access Rules.
The ASA 8.4(2) clientless SSL VPN core rewriter now supports Microsoft Outlook Web App 2010.
Secure Hash Algorithm SHA-2 Support for IPsec IKEv2 Integrity and PRF
This release supports the Secure Hash Algorithm SHA-2 for increased cryptographic hashing security for IPsec/IKEv2 AnyConnect Secure Mobility Client connections to the ASA. SHA-2 includes hash functions with digests of 256, 384, or 512 bits, to meet U.S. government requirements.
We modified the following commands: integrity, prf, show crypto ikev2 sa detail, show vpn-sessiondb detail remote.
We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > IKE Policies > Add/Edit IKEv2 Policy (Proposal).
Secure Hash Algorithm SHA-2 Support for Digital Signature over IPsec IKEv2
This release supports the use of SHA-2 compliant signature algorithms to authenticate IPsec IKEv2 VPN connections that use digital certificates, with the hash sizes SHA-256, SHA-384, and SHA-512.
SHA-2 digital signature for IPsec IKEv2 connections is supported with the AnyConnect Secure Mobility Client, Version 3.0.1 or later.
This release includes a new policy pushed down to the AnyConnect Secure Mobility Client for resolving DNS addresses over split tunnels. This policy applies to VPN connections using the SSL or IPsec/IKEv2 protocol and instructs the AnyConnect client to resolve all DNS addresses through the VPN tunnel. If DNS resolution fails, the address remains unresolved and the AnyConnect client does not try to resolve the address through public DNS servers.
By default, this feature is disabled. The client sends DNS queries over the tunnel according to the split tunnel policy: tunnel all networks, tunnel networks specified in a network list, or exclude networks specified in a network list.
We introduced the following command: split-tunnel-all-dns.
We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add/Edit Group Policy > Advanced > Split Tunneling (see the Send All DNS Lookups Through Tunnel check box).
(formerly referred to as AnyConnect Identification Extensions for Mobile Device Detection)
You can now configure the ASA to permit or deny VPN connections to mobile devices, enable or disable mobile device access on a per group bases, and gather information about connected mobile devices based on a mobile device’s posture data. The following mobile platforms support this capability: AnyConnect for iPhone/iPad/iPod Versions 2.5.x and AnyConnect for Android Version 2.4.x.
Licensing RequirementsEnforcing remote access controls and gathering posture data from mobile devices requires an AnyConnect Mobile license and either an AnyConnect Essentials or AnyConnect Premium license to be installed on the ASA. You receive the following functionality based on the license you install:
Enterprises that install the AnyConnect Premium license will be able to enforce DAP policies, on supported mobile devices, based on these DAP attributes and any other existing endpoint attributes. This includes allowing or denying remote access from a mobile device.
Enterprises that install the AnyConnect Essentials license will be able to do the following:
Enable or disable mobile device access on a per group basis and to configure that feature using ASDM.
Display information about connected mobile devices via CLI or ASDM without having the ability to enforce DAP policies or deny or allow remote access to those mobile devices.
We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add/Edit Endpoint Attributes > Endpoint Attribute Type:AnyConnect.
You can now use of SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5(1) or later (2.5(2) or later recommended). This release does not support SHA-2 for other uses or products.
Caution: To support failover of SHA-2 connections, the standby ASA must be running the same image.
We modified the following command: show crypto ca certificate (the Signature Algorithm field identifies the digest algorithm used when generating the signature).
SHA2 certificate signature support for Microsoft Windows 7 and Android-native VPN clients
ASA supports SHA2 certificate signature support for Microsoft Windows 7 and Android-native VPN clients when using the L2TP/IPsec protocol.
We did not modify any commands.
Enable/disable certificate mapping to override the group-url attribute
This feature changes the preference of a connection profile during the connection profile selection process. By default, if the ASA matches a certificate field value specified in a connection profile to the field value of the certificate used by the endpoint, the ASA assigns that profile to the VPN connection. This optional feature changes the preference to a connection profile that specifies the group URL requested by the endpoint. The new option lets administrators rely on the group URL preference used by many older ASA software releases.
We introduced the following command: tunnel-group-preference.
We modified the following screens:
Configuration > Remote Access VPN > Clientless SSL VPN > Connection Profiles
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
For SSP-40 and SSP-60, you can use two SSPs of the same level in the same chassis. Mixed-level SSPs are not supported (for example, an SSP-40 with an SSP-60 is not supported). Each SSP acts as an independent device, with separate configurations and management. You can use the two SSPs as a failover pair if desired.
Note When using two SSPs in the chassis, VPN is not supported; note, however, that VPN has not been disabled.
We modified the following commands: show module, show inventory, show environment.
We introduced support for the IPS SSP-10, -20, -40, and -60 for the ASA 5585-X. You can only install the IPS SSP with a matching-level SSP; for example, SSP-10 and IPS SSP-10.
For the CSC SSM, support for the following features has been added:
HTTPS traffic redirection: URL filtering and WRS queries for incoming HTTPS connections.
Configuring global approved whitelists for incoming and outgoing SMTP and POP3 e-mail.
We did not modify any commands.
We modified the following screens:
Configuration > Trend Micro Content Security > Mail > SMTP
Configuration > Trend Micro Content Security > Mail > POP3
Configuration > Trend Micro Content Security > Host/Notification Settings
Configuration > Trend Micro Content Security > CSC Setup > Host Configuration
Customers can now help to improve the ASA platform by enabling Anonymous Reporting, which allows Cisco to securely receive minimal error and health information from the device.
We introduced the following commands: call-home reporting anonymous, call-home test reporting anonymous.
We modified the following screen: Configuration > Device Monitoring > Smart Call-Home.
The ASA now supports the ifAlias OID. When you browse the IF-MIB, the ifAlias OID will be set to the value that has been set for the interface description.
Support for Pause Frames for Flow Control on 1-Gigabit Ethernet Interface
You can now enable pause (XOFF) frames for flow control on 1-Gigabit Ethernet interfaces; support was previously added for 10-Gigabit Ethernet interfaces in 8.2(2).
We modified the following command: flowcontrol.
We modified the following screens:
(Single Mode) Configuration > Device Setup > Interfaces > Add/Edit Interface > General
(Multiple Mode, System) Configuration > Interfaces > Add/Edit Interface
Increased SSH security; the SSH default username is no longer supported
Starting in 8.4(2), you can no longer connect to the ASA using SSH with the pix or asa username and the login password. To use SSH, you must configure AAA authentication using the aaa authentication ssh console LOCAL command (CLI) or Configuration > Device Management > Users/AAA > AAA Access > Authentication (ASDM); then define a local user by entering the username command (CLI) or choosing Configuration > Device Management > Users/AAA > User Accounts (ASDM). If you want to use a AAA server for authentication instead of the local database, we recommend also configuring local authentication as a backup method.
H.323 Inspection now supports uni-directional signaling for two-way video sessions. This enhancement allows H.323 Inspection of one-way video conferences supported by Tandberg video phones. Supporting uni-directional signaling allows Tandberg phones to switch video modes (close their side of an H.263 video session and reopen the session using H.264, the compression standard for high-definition video).
We did not modify any commands.
When multiple static routes exist to a network with different metrics, the ASA uses the one with the best metric at the time of connection creation. If a better route becomes available, then this timeout lets connections be closed so a connection can be reestablished to use the better route. The default is 0 (the connection never times out). To take advantage of this feature, change the timeout to a new value.
We modified the following command: timeout floating-conn.
We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts.
If you migrate to 8.3 or later, the ASA creates named network objects to replace inline IP addresses in some features. In addition to named objects, ASDM automatically creates non-named objects for any IP addresses used in the configuration. These auto-created objects are identified by the IP address only, do not have a name, and are not present as named objects in the platform configuration.
When the ASA creates named objects as part of the migration, the matching non-named ASDM-only objects are replaced with the named objects. The only exception are non-named objects in a network object group. When the ASA creates named objects for IP addresses that are inside a network object group, ASDM retains the non-named objects as well, creating duplicate objects in ASDM. To merge these objects, choose Tools > Migrate Network Object Group Members.
We introduced the following screen: Tools > Migrate Network Object Group Members.
See Cisco ASA 5500 Migration to Version 8.3 and Later for more information.
New Features in ASA 8.4(1.11)/ASDM 6.4(2)
Released: May 20, 2011
NoteWe recommend that you upgrade to a Cisco.com-posted interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available. We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each interim release, see the interim release notes available on the Cisco.com software download site.
You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool. These features help prevent a large number of connections from a single PAT address from appearing to be part of a DoS attack and makes configuration of large numbers of PAT addresses easy.
Note Currently in 8.4(1.11), the PAT pool feature is not available as a fallback method for dynamic NAT or PAT. You can only configure the PAT pool as the primary method for dynamic PAT (CSCtq20634).
We modifed the following commands: nat dynamic [pat-pool mapped_object [round-robin]] (object network) and nat source dynamic [pat-pool mapped_object [round-robin]] (global).
We modified the following screens:
Configuration > Firewall > NAT Rules > Add/Edit Network Object Configuration > Firewall > NAT Rules > Add/Edit NAT Rule
New Features in ASA 8.4(1)/ASDM 6.4(1)
Released: January 31, 2011
We introduced support for the ASA 5585-X with Security Services Processor (SSP)-10, -20, -40, and -60.
Note Support was previously added in 8.2(3) and 8.2(4); the ASA 5585-X is not supported in 8.3(x).
You can purchase the ASA 5585-X with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. The ASA software senses a No Payload Encryption model, and disables the following features:
You can still install the Strong Encryption (3DES/AES) license for use with management connections. For example, you can use ASDM HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the dynamic database for the Botnet Traffic Filer (which uses SSL).
We now support VPN connections between Android mobile devices and ASA 5500 series devices, when using the L2TP/IPsec protocol and the native Android VPN client. Mobile devices must be using the Android 2.1, or later, operating system.
AnyConnect 3.0 used with ASA 8.4(1), supports UTF-8 characters in passwords sent using RADIUS/MSCHAP and LDAP protocols.
Internet Key Exchange Version 2 (IKEv2) is the latest key exchange protocol used to establish and control Internet Protocol Security (IPsec) tunnels. The ASA now supports IPsec with IKEv2 for the AnyConnect Secure Mobility Client, Version 3.0(1), for all client operating systems.
On the ASA, you enable IPsec connections for users in the group policy. For the AnyConnect client, you specify the primary protocol (IPsec or SSL) for each ASA in the server list of the client profile.
IPsec remote access VPN using IKEv2 was added to the AnyConnect Essentials and AnyConnect Premium licenses.
Site-to-site sessions were added to the Other VPN license (formerly IPsec VPN). The Other VPN license is included in the Base license.
We modified the following commands: vpn-tunnel-protocol, crypto ikev2 policy, crypto ikev2 enable, crypto ipsec ikev2, crypto dynamic-map, crypto map.
We modified the following screens:
Configure > Site-to-Site VPN > Connection Profiles
Configure > Remote Access > Network (Client) Access > AnyConnect Connection Profiles
Network (Client) Access > Advanced > IPsec > IKE Parameters > IKE Policies
Network (Client) Access > Advanced > IPsec > IKE Parameters > IKE Parameters
Network (Client) Access > Advanced > IPsec > IKE Parameters > IKE Proposals
This release supports the use of SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5.1 or later (2.5.2 or later recommended). This release does not support SHA-2 for other uses or products. This feature does not involve configuration changes.
Caution: To support failover of SHA-2 connections, the standby ASA must be running the same image. To support this feature, we added the Signature Algorithm field to the show crypto ca certificate command to identify the digest algorithm used when generating the signature.
SCEP Proxy provides the AnyConnect Secure Mobility Client with support for automated third-party certificate enrollment. Use this feature to support AnyConnect with zero-touch, secure deployment of device certificates to authorize endpoint connections, enforce policies that prevent access by non-corporate assets, and track corporate assets. This feature requires an AnyConnect Premium license and will not work with an Essentials license.
We introduced or modified the following commands: crypto ikev2 enable, scep-enrollment enable, scep-forwarding-url, debug crypto ca scep-proxy, secondary-username-from-certificate, secondary-pre-fill-username.
This feature provides the necessary support for the ASA to install or upgrade a Host Scan package and enable or disable Host Scan. This package may either be a standalone Host Scan package or one that ASA extracts from an AnyConnect Next Generation package.
In previous releases of AnyConnect, an endpoint’s posture was determined by Cisco Secure Desktop (CSD). Host Scan was one of many features bundled in CSD. Unbundling Host Scan from CSD gives AnyConnect administrators greater freedom to update and install Host Scan separately from the other features of CSD.
We introduced the following command: csd hostscan image path.
This release implements the KCD protocol transition and constrained delegation extensions on the ASA. KCD provides Clientless SSL VPN (also known as WebVPN) users with SSO access to any web services protected by Kerberos. Examples of such services or applications include Outlook Web Access (OWA), Sharepoint, and Internet Information Server (IIS).
Implementing protocol transition allows the ASA to obtain Kerberos service tickets on behalf of remote access users without requiring them to authenticate to the KDC (through Kerberos). Instead, a user authenticates to ASA using any of the supported authentication mechanisms, including digital certificates and Smartcards, for Clientless SSL VPN (also known as WebVPN). When user authentication is complete, the ASA requests and obtains an impersonate ticket, which is a service ticket for ASA on behalf of the user. The ASA may then use the impersonate ticket to obtain other service tickets for the remote access user.
Constrained delegation provides a way for domain administrators to limit the network resources that a service trusted for delegation (for example, the ASA) can access. This task is accomplished by configuring the account under which the service is running to be trusted for delegation to a specific instance of a service running on a specific computer.
We modified the following commands: kcd-server, clear aaa, show aaa, test aaa-server authentication.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Microsoft KCD Server.
The ASA now supports clientless SSL VPN with Apple Safari 5.
Smart tunnel now supports HTTP-based auto sign-on on Firefox as well as Internet Explorer. Similar to when Internet Explorer is used, the administrator decides to which hosts a Firefox browser will automatically send credentials. For some authentication methods, if may be necessary for the administrator to specify a realm string on the ASA to match that on the web application (in the Add Smart Tunnel Auto Sign-on Server window). You can now use bookmarks with macro substitutions for auto sign-on with Smart tunnel as well.
The POST plug-in is now obsolete. The former POST plug-in was created so that administrators could specify a bookmark with sign-on macros and receive a kick-off page to load prior to posting the the POST request. The POST plug-in approach allows requests that required the presence of cookies, and other header items, fetched ahead of time to go through. The administrator can now specify pre-load pages when creating bookmarks to achieve the same functionality. Same as the POST plug-in, the administrator specifies the pre-load page URL and the URL to send the POST request to.
You can now replace the default preconfigured SSL VPN portal with your own portal. The administrators do this by specifying a URL as an External Portal. Unlike the group-policy home page, the External Portal supports POST requests with macro substitution (for auto sign-on) as well as pre-load pages.
We introduced or modified the following command: smart-tunnel auto-signon.
We introduced or modified the following screens:
Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization.
Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks > Edit > Edit Bookmark
Smart Tunnel adds support for the following applications:
Users can now use Smart Tunnel to connect Microsoft Office Outlook to a Microsoft Exchange Server.
Users can now perform remote file editing using Microsoft Office 2010 Applications and Microsoft Sharepoint by using Smart Tunnel.
You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
Note You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.
We introduced the following commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.
We introduced or modified the following screens:
Configuration > Device Setup > Interfaces
Configuration > Device Setup > Interfaces > Add/Edit EtherChannel Interface
Configuration > Device Setup > Interfaces > Add/Edit Interface
Configuration > Device Setup > EtherChannel
If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for each network. Bridge group traffic is isolated from other bridge groups. You can configure up to 8 bridge groups in single mode or per context in multiple mode, with 4 interfaces maximum per bridge group.
Note Although you can configure multiple bridge groups on the ASA 5505, the restriction of 2 data interfaces in transparent mode on the ASA 5505 means you can only effectively use 1 bridge group.
We introduced the following commands: interface bvi, bridge-group, show bridge-group.
We modified or introduced the following screens:
Configuration > Device Setup > Interfaces
Configuration > Device Setup > Interfaces > Add/Edit Bridge Group Interface Configuration > Device Setup > Interfaces > Add/Edit Interface
For the ASA 5550 and ASA 5585-X with SSP-10, the maximum contexts was increased from 50 to 100. For the ASA 5580 and 5585-X with SSP-20 and higher, the maximum was increased from 50 to 250.
For the ASA 5580 and 5585-X, the maximum VLANs was increased from 250 to 1024.
Google Chrome has been added as a supported platform for ASA Version 8.4. Both 32-bit and 64-bit platforms are supported on Windows XP, Vista, and 7 and Mac OS X Version 6.0.
The AnyConnect VPN session limit was increased from 5,000 to 10,000.
The other VPN session limit was increased from 5,000 to 10,000.
Routes that are learned through dynamic routing protocols (such as OSPF and EIGRP) on the active unit are now maintained in a Routing Information Base (RIB) table on the standby unit. Upon a failover event, traffic on the secondary active unit now passes with minimal disruption because routes are known. Routes are synchronized only for link-up or link-down events on an active unit. If the link goes up or down on the standby unit, dynamic routes sent from the active unit may be lost. This is normal, expected behavior.
We modified the following commands: show failover, show route, show route failover.
The Unified Communications wizard guides you through the complete configuration and automatically configures required aspects for the Phone Proxy. The wizard automatically creates the necessary TLS proxy, then guides you through creating the Phone Proxy instance, importing and installing the required certificates, and finally enables the SIP and SCCP inspection for the Phone Proxy traffic automatically.
We modified the following screens:
Wizards > Unified Communications Wizard.
Configuration > Firewall > Unified Communications.
SIP Inspection and SCCP Inspection are enhanced to support new features in the Unified Communications Solutions; such as, SCCP v2.0 support, support for GETPORT messages in SCCP Inspection, SDP field support in INVITE messages with SIP Inspection, and QSIG tunneling over SIP. Additionally, the Cisco Intercompany Media Engine supports Cisco RT Lite phones and third-party video endpoints (such as, Tandberg).
DCERPC Inspection was enhanced to support inspection of RemoteCreateInstance RPC messages.
Supports the following additional keywords: connection-limit-reached, entity cpu-temperature, cpu threshold rising, entity fan-failure, entity power-supply, ikev2 stop | start, interface-threshold, memory-threshold, nat packet-discard, warmstart.
The entPhysicalTable reports entries for sensors, fans, power supplies, and related components.
Supports the following additional MIBs: ENTITY-SENSOR-MIB, CISCO-ENTITY-SENSOR-EXT-MIB, CISCO-ENTITY-FRU-CONTROL-MIB, CISCO-PROCESS-MIB, CISCO-ENHANCED-MEMPOOL-MIB, CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB, NAT-MIB, EVENT-MIB, EXPRESSION-MIB
Supports the following additional traps: warmstart, cpmCPURisingThreshold, mteTriggerFired, cirResourceLimitReached, natPacketDiscard, ciscoEntSensorExtThresholdNotification.
We introduced or modified the following commands: snmp cpu threshold rising, snmp interface threshold, snmp-server enable traps.
We modified the following screen: Configuration > Device Management > Management Access > SNMP.
TCP ping allows users whose ICMP echo requests are blocked to check connectivity over TCP. With the TCP ping enhancement you can specify a source IP address and a port and source interface to send pings to a hostname or an IPv4 address.
You can now monitor the processes that run on the CPU to obtain information related to the percentage of the CPU used by any given process. You can also see information about the load on the CPU, broken down per process, at 5 minutes, 1 minute, and 5 seconds prior to the log time. Information is updated automatically every 5 seconds to provide real-time statistics, and a refresh button in the pane allows a manual data refresh at any time.
We introduced the following command: show process cpu-usage sorted.
We introduced the following screen: Monitoring > Properties > CPU - Per Process.
You can show password encryption in a security context.
We modified the following command: show password encryption.
When ASDM loads on a device that has an incompatible ASA software version, a dialog box notifies users that they can select from the following options:
IKEv2 support has been implemented into the AnyConnect VPN Wizard (formerly SSL VPN wizard), the Clientless SSL VPN Wizard, and the Site-to-Site IPsec VPN Wizard (formerly IPSec VPN Wizard) to comply with IPsec remote access requirements defined in federal and public sector mandates. Along with the enhanced security, the new support offers the same end user experience independent of the tunneling protocol used by the AnyConnect client session. IKEv2 also allows other vendors’ VPN clients to connect to the ASAs.
We modified the following wizards: Site-to-Site IPsec VPN Wizard, AnyConnect VPN Wizard, and Clientless SSL VPN Wizard.
For the IPS SSP in the ASA 5585-X, the IPS Basic Configuration screen was added to the startup wizard. Signature updates for the IPS SSP were also added to the Auto Update screen. The Time Zone and Clock Configuration screen was added to ensure the clock is set on the ASA; the IPS SSP gets its clock from the ASA.
We introduced or modified the following screens: Wizards > Startup Wizard > IPS Basic Configuration Wizards > Startup Wizard > Auto Update Wizards > Startup Wizard > Time Zone and Clock Configuration
New Features in Version 8.3
New Features in ASA 8.3(2.25)/ASDM 6.4(5.106)
Released: August 31, 2011
NoteWe recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will usually remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available.
We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each ASA interim release, see the interim release notes available on the Cisco.com software download site.
The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9 and Firefox 4.
To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect 3.0 or later. Each tunneling method configures compression separately, and the preferred configuration is to have both SSL and DTLS compression as LZS. This feature enhances migration from legacy VPN clients.
Note Using data compression on high speed remote access connections passing highly compressible data requires significant processing power on the ASA. With other activity and traffic on the ASA, the number of sessions that can be supported on the platform is reduced.
We introduced or modified the following commands: anyconnect dtls compression [lzs | none] and anyconnect ssl compression [deflate | lzs | none].
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies > Edit > Edit Internal Group Policy > Advanced > AnyConnect Client > SSL Compression.
Regular expression matching for the show asp table classifier and show asp table filter commands
You can now enter the show asp table classifier and show asp table filter commands with a regular expression to filter output.
We modified the following commands: show asp table classifier match regex, show asp table filter match regex.
ASDM does not support this command; enter the command using the Command Line Tool.
New Features in ASA 8.3(2)/ASDM 6.3(2)
Released: August 2, 2010
When you configure a syslog server to use TCP, and the syslog server is unavailable, the ASA blocks new connections that generate syslog messages until the server becomes available again (for example, VPN, firewall, and cut-through-proxy connections). This feature has been enhanced to also block new connections when the logging queue on the ASA is full; connections resume when the logging queue is cleared.
This feature was added for compliance with Common Criteria EAL4+. Unless required, we recommend allowing new connections when syslog messages cannot be sent. To allow new connections, configure the syslog server to use UDP or use the logging permit-hostdown command check the Allow user traffic to pass when TCP syslog server is down check box on the Configuration > Device Management > Logging > Syslog Servers pane.
The following commands were modified: show logging.
The following syslog messages were introduced: 414005, 414006, 414007, and 414008
Support has been added for the following:
Syslog message filtering based on multiple text strings that correspond to various columns
Column sorting of messages. For detailed information, see the ASDM configuration guide.
The following screens were modified:
Monitoring > Logging > Real-Time Log Viewer > View
Monitoring > Logging > Log Buffer Viewer > View
Support for clearing syslog messages has been added in the Latest CSC Security Events pane.
2048-bit RSA certificate and Diffie-Hellman Group 5 (DH5) performance improvement
(ASA 5510, ASA 5520, ASA 5540, and ASA 5550 only) We strongly recommend that you enable hardware processing instead of software for large modulus operations such as 2048-bit certificates and DH5 keys. If you continue to use software processing for large keys, you could experience significant performance degradation due to slow session establishment for IPsec and SSL VPN connections. We recommend that you initially enable hardware processing during a low-use or maintenance period to minimize a temporary packet loss that can occur during the transition of processing from software to hardware.
Note For the ASA 5540 and ASA 5550 using SSL VPN, in specific load conditions, you may want to continue to use software processing for large keys. If VPN sessions are added very slowly and the ASA runs at capacity, then the negative impact to data throughput is larger than the positive impact for session establishment.
The following commands were introduced or modified: crypto engine large-mod-accel, clear configure crypto engine, show running-config crypto engine, and show running-config crypto.
In ASDM, use the Command Line Interface tool to enter the crypto engine large-mod-accel command.
Enabling this feature hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session. Disabling the feature leaves the display of the Connections tab unchanged; the default setting for the tab can be shown or hidden, depending on the user registry settings.
The following command was introduced: msie-proxy lockdown.
In ASDM, use the Command Line Interface tool to enter this command.
You can now configure SSL VPN support for a common secondary password for all authentications or use the primary password as the secondary password.
The following command was modified: secondary-pre-fill-username [use-primary-password | use-common-password] ]
The following screen was modified: Configuration > Remote Access VPN > Clientless SSL Access > Connection Profiles > Add/Edit Clientless SSL VPN Connection Profile > Advanced > Secondary Authentication.
For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. For version 8.3(2), you can now install a No Payload Encryption image (asa832-npe-k8.bin) on the following models:
Features that are disabled in the No Payload Encryption image include:
Strong encryption for VPN (DES encryption is still available for VPN).
VPN load balancing (note that the CLI GUI is still present; the feature will not function, however).
Downloading of the dynamic database for the Botnet Traffic Filer (Static black and whitelists are still supported. Note that the CLI GUI is still present; the feature will not function, however.).
Management protocols requiring strong encryption, including SSL, SSHv2, and SNMPv3. You can, however, use SSL or SNMPv3 using base encryption (DES). Also, SSHv1 and SNMPv1 and v2 are still available.
If you attempt to install a Strong Encryption (3DES/AES) license, you see the following warning:
WARNING: Strong encryption types have been disabled in this image; the VPN-3DES-AES license option has been ignored.New Features in ASA 8.3(1)/ASDM 6.3(1)
Released: March 8, 2010
Logoff enhancement—Smart tunnel can now be logged off when all browser windows have been closed (parent affinity), or you can right click the notification icon in the system tray and confirm log out.
Tunnel Policy—An administrator can dictate which connections go through the VPN gateway and which do not. An end user can browse the Internet directly while accessing company internal resources with smart tunnel if the administrator chooses.
Simplified configuration of which applications to tunnel—When a smart tunnel is required, a user no longer needs to configure a list of processes that can access smart tunnel and in turn access certain web pages. An “enable smart tunnel” check box for either a bookmark or standalone application allows for an easier configuration process.
Group policy home page—Using a check box in ASDM, administrators can now specify their home page in group policy in order to connect via smart tunnel.
The following commands were introduced: smart-tunnel network, smart-tunnel tunnel-policy.
The following screen was modified: Configuration > Remote Access VPN > AAA/Local Users > Local Users > Edit > VPN Policy > Clientless SSL VPN.
Release 8.3(1) provides browser-based (clientless) VPN access from the following newly supported platforms:
Windows 7 x86 (32-bit) and x64 (64-bit) via Internet Explorer 8.x and Firefox 3.x
Windows Vista x64 via Internet Explorer 7.x/8.x, or Firefox 3.x.
Windows XP x64 via Internet Explorer 6.x/7.x/8.x and Firefox 3.x
Mac OS 10.6.x 32- and 64-bit via Safari 4.x and Firefox 3.x.
Firefox 2.x is likely to work, although we no longer test it.
Release 8.3(1) introduces browser-based support for 64-bit applications on Mac OS 10.5.
Release 8.3(1) now supports smart tunnel access on all 32-bit and 64-bit Windows OSs supported for browser-based VPN access, Mac OS 10.5 running on an Intel processor only, and Mac OS 10.6.x. The ASA does not support port forwarding on 64-bit OSs.
Browser-based VPN access does not support Web Folders on Windows 7, Vista, and Internet Explorer 8.
An ActiveX version of the RDP plug-in is not available for 64-bit browsers.
Note Windows 2000 and Mac OS X 10.4 are no longer supported for browser-based access.
For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing, the ASA supports VPN tunnels if both peers are Cisco ASA 5500 series ASAs, and if both inside networks have matching addressing schemes (both IPv4 or both IPv6).
Specifically, the following topologies are supported when both peers are Cisco ASA 5500 series ASAs:
The ASAs have IPv4 inside networks and the outside network is IPv6 (IPv4 addresses on the inside interfaces and IPv6 addresses on the outside interfaces).
The ASAs have IPv6 inside networks and the outside network is IPv4 (IPv6 addresses on the inside interface and IPv4 addresses on the outside interfaces).
The ASAs have IPv6 inside networks and the outside network is IPv6 (IPv6 addresses on the inside and outside interfaces).
Note The defect CSCtd38078 currently prevents the Cisco ASA 5500 series from connecting to a Cisco IOS device as the peer device of a LAN-to-LAN connection.
The following commands were modified or introduced: isakmp enable, crypto map, crypto dynamic-map, tunnel-group, ipv6-vpn-filter, vpn-sessiondb, show crypto isakmp sa, show crypto ipsec sa, show crypto debug-condition, show debug crypto, show vpn-sessiondb, debug crypto condition, debug menu ike.
The following screens were modified or introduced:
Configuration > Site-to-Site VPN > Connection Profiles Configuration > Site-to-Site VPN > Connection Profiles > Basic > Add IPsec Site-to-Site Connection Profile
Configuration > Site-to-Site VPN > Group Policies
Configuration > Site-to-Site VPN > Group Policies > Edit Internal Group Policy
Configuration > Site-to-Site VPN > Advanced > Crypto Maps
Configuration > Site-to-Site VPN > Advanced > Crypto Maps > Add > Create IPsec Rule
Configuration > Site-to-Site VPN > Advanced > ACL Manager
The AnyConnect Profile Editor is a convenient GUI-based configuration tool you can use to configure the AnyConnect 2.5 or later client profile, an XML file containing settings that control client features. Previously, you could only change profile settings manually by editing the XML tags in the profile file. The AnyConnect Profile Editor is a plug-in binary file named anyconnectprof.sgz packaged with the ASDM image and installed in the root directory of disk0:/ in the flash memory on the ASA. This design allows you to update the editor to be compatible with new AnyConnect features available in new client releases.
You can rebrand and customize the screens presented to clientless SSL VPN users using the new Edit Customization Object window in ASDM. You can customize the logon, portal and logout screens, including corporate logos, text messages, and the general layout. Previously, the customization feature was embedded in the ASA software image. Moving it to ASDM provides greater usability for this feature and future enhancements.
The following screen was modified: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization.
ASDM provides a step-by-step guide to configuring Clientless SSL VPN, AnyConnect SSL VPN Remote Access, or IPsec Remote Access using the ASDM Assistant. The ASDM Assistant is more comprehensive than the VPN wizards, which are designed only to get you up and running.
The following screen was modified: Configuration > Remote Access VPN > Introduction > ASDM Assistant.
You can now configure access rules that are applied globally, as well as access rules that are applied to an interface. If the configuration specifies both a global access policy and interface-specific access policies, the interface-specific policies are evaluated before the global policy.
The following command was modified: access-group global.
The following screen was modified: Configuration > Firewall > Access Rules.
You can now create named network objects that you can use in place of a host, a subnet, or a range of IP addresses in your configuration and named service objects that you can use in place of a protocol and port in your configuration. You can then change the object definition in one place, without having to change any other part of your configuration. This release introduces support for network and service objects in the following features:
Note ASDM used network objects internally in previous releases; this feature introduces platform support for network objects.
The following commands were introduced or modified: object network, object service, show running-config object, clear configure object, access-list extended, object-group network.
The following screens were modified or introduced:
Configuration > Firewall > Objects > Network Objects/Groups,
Configuration > Firewall > Objects > Service Objects/Groups
Configuration > Firewall > NAT Rules, Configuration > Firewall > Access Rules
Significantly reduces the network object-group expansion while maintaining a satisfactory level of packet classification performance.
The following commands were modified: show object-group, clear object-group, show access-list.
The following screen was modified: Configuration > Firewall > Access Rules > Advanced.
The NAT configuration was completely redesigned to allow greater flexibility and ease of use. You can now configure NAT using auto NAT, where you configure NAT as part of the attributes of a network object, and manual NAT, where you can configure more advanced NAT options.
The following commands were introduced or modified: nat (in global and object network configuration mode), show nat, show nat pool, show xlate, show running-config nat.
The following commands were removed: global, static, nat-control, alias.
The following screens were modified or introduced:
Configuration > Firewall > Objects > Network Objects/Group Configuration > Firewall > NAT Rules
Use of Real IP addresses in access lists instead of translated addresses
When using NAT, mapped addresses are no longer required in an access list for many features. You should always use the real, untranslated addresses when configuring these features. Using the real address means that if the NAT configuration changes, you do not need to change the access lists.
The following commands and features that use access lists now use real IP addresses. These features are automatically migrated to use real IP addresses when you upgrade to 8.3, unless otherwise noted.
You can now customize the number of rate intervals for which advanced statistics are collected. The default number of rates was changed from 3 to 1. For basic statistics, advanced statistics, and scanning threat detection, the memory usage was improved.
The following commands were modified: threat-detection statistics port number-of-rates, threat-detection statistics protocol number-of-rates, show threat-detection memory.
The following screen was modified: Configuration > Firewall > Threat Detection.
The IP phone support in the Cisco Phone Proxy feature was enhanced to include support for version 19 of the SCCP protocol on the list of supported IP phones.
Cisco Intercompany Media Engine (UC-IME) enables companies to interconnect on-demand, over the Internet with advanced features made available by VoIP technologies. Cisco Intercompany Media Engine allows for business-to-business federation between Cisco Unified Communications Manager clusters in different enterprises by utilizing peer-to-peer, security, and SIP protocols to create dynamic SIP trunks between businesses. A collection of enterprises work together to end up looking like one large business with inter-cluster trunks between them.
The following commands were modified or introduced: uc-ime, fallback hold-down, fallback monitoring, fallback sensitivity-file, mapping-service listening-interface, media-termination, ticket epoch, ucm address, clear configure uc-ime, debug uc-ime, show running-config uc-ime, inspect sip.
The following screens were modified or introduced:
Wizards > Unified Communications Wizard > Cisco Intercompany Media Engine Proxy Configuration > Firewall > Unified Communications, and then click UC-IME Proxy Configuration > Firewall > Service Policy Rules > Add/Edit Service Policy Rule > Rule Actions > Select SIP Inspection Map
SIP inspection has been enhance to support the new Cisco Intercompany Media Engine (UC-IME) Proxy.
The following command was modified: inspect sip.
The following screen was modified: Configuration > Firewall > Service Policy Rules > Add/Edit Service Policy Rule > Rule Actions > Select SIP Inspection Map.
The Unified Communications wizard guides you through the complete configuration and automatically configures required aspects for the following proxies: Cisco Mobility Advantage Proxy, Cisco Presence Federation Proxy, Cisco Intercompany Media Engine proxy. Additionally, the Unified Communications wizard automatically configures other required aspects of the proxies.
The following screens were modified:
Wizards > Unified Communications Wizard
Configuration > Firewall > Unified Communications
The Unified Communications proxy features, such as the Phone Proxy, TLS Proxy, CTL File, and CTL Provider pages, are moved from under the Objects category in the left Navigation panel. to the new Unified Communications category. In addition, this new category contains pages for the new Unified Communications wizard and the UC-IME Proxy page.
ASDM has added enhanced support for static and dynamic routes.
The following screen was modified: Configuration > Device Setup > Routing > Route Maps.
Displays the timestamp, along with the hash value and hit count, for a specified access list.
The following command was modified: show access-list.
The following screen was modified: Configuration > Firewall > Access Rules. (The timestamp appears when you hover the mouse over a cell in the Hits column.)
You can now enable high performance monitoring for ASDM to show the top 200 hosts connected through the ASA. Each entry of a host contains the IP address of the host and the number of connections initiated by the host, and is updated every 120 seconds.
The following commands were introduced: hpm topn enable, clear configure hpm, show running-config hpm.
The following screen was introduced: Home > Firewall Dashboard > Top 200 Hosts.
Failover licenses no longer need to be identical on each unit. The license used for both units is the combined license from the primary and secondary units.
Note For the ASA 5505 and 5510 ASAs, both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.
The following commands were modified: show activation-key and show version.
The following screen was modified: Configuration > Device Management > Licensing > Activation Key.
Time-based licenses are now stackable. In many cases, you might need to renew your time-based license and have a seamless transition from the old license to the new one. For features that are only available with a time-based license, it is especially important that the license not expire before you can apply the new license. The ASA allows you to stack time-based licenses so you do not have to worry about the license expiring or about losing time on your licenses because you installed the new one early. For licenses with numerical tiers, stacking is only supported for licenses with the same capacity, for example, two 1000-session SSL VPN licenses. You can view the state of the licenses using the show activation-key command at Configuration > Device Management > Licensing > Activation Key.
Time-based licenses now count down according to the total uptime of the ASA; the system clock does not affect the license.
You can now install multiple time-based licenses, and have one license per feature active at a time.
The following commands were modified: show activation-key and show version.
The following screen was modified: Configuration > Device Management > Licensing > Activation Key.
Discrete activation and deactivation of time-based licenses.
You can now activate or deactivate time-based licenses using a command.
The following command was modified: activation-key [activate | deactivate].
The following screen was modified: Configuration > Device Management > Licensing > Activation Key.
The master passphrase feature allows you to securely store plain text passwords in encrypted format. It provides a master key that is used to universally encrypt or mask all passwords, without changing any functionality. The Backup/Restore feature supports the master passphrase.
The following commands were introduced: key config-key password-encryption, password encryption aes.
The following screens were introduced:
Configuration > Device Management > Advanced > Master Passphrase Configuration > Device Management > Device Administration > Master Passphrase
The Upgrade Software from Cisco.com wizard has changed to allow you to automatically upgrade ASDM and the ASA to more current versions. Note that this feature is only available in single mode and, in multiple context mode, in the System execution space. It is not available in a context.
The following screen was modified: Tools > Check for ASA/ASDM Updates.
The Backup Configurations pane was re-ordered and re-grouped so you can choose the files you want to backup more easily. A Backup Progress pane was added allowing you to visually measure the progress of the backup. And you will see significant performance improvement when using backup or restore.
The following screen was modified: Tools > Backup Configurations or Tools > Restore Configurations.
New Features in Version 8.2
New Features in ASA 8.2(5.13)/ASDM 6.4(4.106)
Released: September 18, 2011
NoteWe recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will usually remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available.
We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each ASA interim release, see the interim release notes available on the Cisco.com software download site.
The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9 and Firefox 4.
To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect 3.0 or later. Each tunneling method configures compression separately, and the preferred configuration is to have both SSL and DTLS compression as LZS. This feature enhances migration from legacy VPN clients.
Note Using data compression on high speed remote access connections passing highly compressible data requires significant processing power on the ASA. With other activity and traffic on the ASA, the number of sessions that can be supported on the platform is reduced.
We introduced or modified the following commands: anyconnect dtls compression [lzs | none] and anyconnect ssl compression [deflate | lzs | none].
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies > Edit > Edit Internal Group Policy > Advanced > AnyConnect Client > SSL Compression.
Regular expression matching for the show asp table classifier and show asp table filter commands
You can now enter the show asp table classifier and show asp table filter commands with a regular expression to filter output.
We modified the following commands: show asp table classifier match regex, show asp table filter match regex.
ASDM does not support this command; enter the command using the Command Line Tool.
New Features in ASA 8.2(5)/ASDM 6.4(3)
Released: May 23, 2011
Customers can now help to improve the ASA platform by enabling Anonymous Reporting, which allows Cisco to securely receive minimal error and health information from the device.
We introduced the following commands: call-home reporting anonymous, call-home test reporting anonymous.
We modified the following screen: Configuration > Device Monitoring > Smart Call-Home.
The ASA now supports the ifAlias OID. When you browse the IF-MIB, the ifAlias OID will be set to the value that has been set for the interface description.
This enhancement allows customers to configure a global clientless SSL VPN access policy to permit or deny clientless SSL VPN sessions based on the data present in the HTTP header. If denied, an error code is returned to the clients. This denial is performed before user authentication and thus minimizes the use of processing resources.
We modified the following command: portal-access-rule.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Portal Access Rules.
(formerly referred to as AnyConnect Identification Extensions for Mobile Device Detection)
You can now configure the ASA to permit or deny VPN connections to mobile devices, enable or disable mobile device access on a per-group basis, and gather information about connected mobile devices based on the mobile device posture data. The following mobile platforms support this capability: AnyConnect for iPhone/iPad/iPod Versions 2.5.x and AnyConnect for Android Version 2.4.x. You do not need to enable CSD to configure these attributes in ASDM.
Licensing RequirementsEnforcing remote access controls and gathering posture data from mobile devices requires an AnyConnect Mobile license and either an AnyConnect Essentials or AnyConnect Premium license to be installed on the ASA. You receive the following functionality based on the license you install:
Enterprises that install the AnyConnect Premium license will be able to enforce DAP policies, on supported mobile devices, based on these DAP attributes and any other existing endpoint attributes. This includes allowing or denying remote access from a mobile device.
Enterprises that install the AnyConnect Essentials license will be able to do the following:
Enable or disable mobile device access on a per-group basis and to configure that feature using ASDM.
Display information about connected mobile devices via CLI or ASDM without having the ability to enforce DAP policies or deny or allow remote access to those mobile devices.
We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add/Edit Endpoint Attributes > Endpoint Attribute Type:AnyConnect.
This release includes a new policy pushed down to the AnyConnect Secure Mobility Client for resolving DNS addresses over split tunnels. This policy applies to VPN connections using the SSL or IPsec/IKEv2 protocol and instructs the AnyConnect client to resolve all DNS addresses through the VPN tunnel. If DNS resolution fails, the address remains unresolved and the AnyConnect client does not try to resolve the address through public DNS servers.
By default, this feature is disabled. The client sends DNS queries over the tunnel according to the split tunnel policy—tunnel all networks, tunnel networks specified in a network list, or exclude networks specified in a network list.
We introduced the following command: split-tunnel-all-dns.
We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add/Edit Group Policy > Advanced > Split Tunneling (see the Send All DNS Lookups Through Tunnel check box).
You can now use of SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5(1) or later (2.5(2) or later recommended). This release does not support SHA-2 for other uses or products.
Caution: To support failover of SHA-2 connections, the standby ASA must be running the same image.
We modified the following command: show crypto ca certificate (the Signature Algorithm field identifies the digest algorithm used when generating the signature).
We now support VPN connections between Android mobile devices and ASA 5500 series devices, when using the L2TP/IPsec protocol and the native Android VPN client. Mobile devices must be using the Android 2.1 or later operating system.
We did not modify any commands.
SHA2 certificate signature support for Microsoft Windows 7 and Android-native VPN clients
ASA supports SHA2 certificate signature support for Microsoft Windows 7 and Android-native VPN clients when using the L2TP/IPsec protocol.
We did not modify any commands.
Enable/disable certificate mapping to override the group-url attribute
This feature changes the preference of a connection profile during the connection profile selection process. By default, if the ASA matches a certificate field value specified in a connection profile to the field value of the certificate used by the endpoint, the ASA assigns that profile to the VPN connection. This optional feature changes the preference to a connection profile that specifies the group URL requested by the endpoint. The new option lets administrators rely on the group URL preference used by many older ASA software releases.
We introduced the following command: tunnel-group-preference.
We modified the following screens:
Configuration > Remote Access VPN > Clientless SSL VPN > Connection Profiles
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
Support for Pause Frames for Flow Control on 1-Gigabit Ethernet Interface
You can now enable pause (XOFF) frames for flow control on 1-Gigabit Ethernet interfaces; support was previously added for 10-Gigabit Ethernet interfaces in 8.2(2).
We modified the following command: flowcontrol.
We modified the following screens:
(Single Mode) Configuration > Device Setup > Interfaces > Add/Edit Interface > General (Multiple Mode, System) Configuration > Interfaces > Add/Edit Interface
H.323 Inspection now supports uni-directional signaling for two-way video sessions. This enhancement allows H.323 Inspection of one-way video conferences supported by Tandberg video phones. Supporting uni-directional signaling allows Tandberg phones to switch video modes (close their side of an H.263 video session and reopen the session using H.264, the compression standard for high-definition video).
We did not modify any commands.
When multiple static routes exist to a network with different metrics, the ASA uses the one with the best metric at the time of connection creation. If a better route becomes available, then this timeout lets connections be closed so a connection can be reestablished to use the better route. The default is 0 (the connection never times out). To take advantage of this feature, change the timeout to a new value.
We modified the following command: timeout floating-conn.
We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts.
New Features in ASA 8.2(4.4)/ASDM 6.3(5)
Released: March 4, 2011
NoteWe recommend that you upgrade to a Cisco.com-posted interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available. We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each interim release, see the Cisco ASA Interim Release Notes available on the Cisco.com software download site.
Support for the IPS SSP-10, -20, -40, and -60 for the ASA 5585-X
We introduced support for the IPS SSP-10, -20, -40, and -60 for the ASA 5585-X. You can only install the IPS SSP with a matching-level SSP; for example, SSP-10 and IPS SSP-10.
By default, Clientless SSL VPN now provides content transformation (rewriting) support for Outlook Web Access (OWA) 2010 traffic.
New Features in ASA 8.2(4.1)/ASDM 6.3(5)
Released: January 18, 2011
NoteWe recommend that you upgrade to a Cisco.com-posted interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available. We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each interim release, see the Cisco ASA Interim Release Notes available on the Cisco.com software download site.
This release supports the use of SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5.1 or later (2.5.2 or later recommended). This release does not support SHA-2 for other uses or products. This feature does not involve configuration changes. Caution: To support failover of SHA-2 connections, the standby ASA must be running the same image. To support this feature, we added the Signature Algorithm field to the show crypto ca certificate command to identify the digest algorithm used when generating the signature.
New Features in ASA 8.2(3.9)/ASDM 6.3(4)
Released: November 2, 2010
NoteWe recommend that you upgrade to a Cisco.com-posted interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available. We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each interim release, see the Cisco ASA Interim Release Notes available on the Cisco.com software download site.
This release supports the use of SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5.1 or later (2.5.2 or later recommended). This release does not support SHA-2 for other uses or products. This feature does not involve configuration changes. Caution: To support failover of SHA-2 connections, the standby ASA must be running the same image. To support this feature, we added the Signature Algorithm field to the show crypto ca certificate command to identify the digest algorithm used when generating the signature.
New Features in ASA 8.2(3)/ASDM 6.3(3) and 6.3(4)
Released: August 9, 2010
NoteASDM 6.3(4) does not include any new features; it includes a caveat fix required for support of the ASA 5585-X.
Support for the ASA 5585-X with Security Services Processor (SSP)-20 and -60 was introduced.
Note 2048-bit RSA certificate and Diffie-Hellman Group 5 (DH5) performance improvement
(ASA 5510, ASA 5520, ASA 5540, and ASA 5550 only) We strongly recommend that you enable hardware processing instead of software for large modulus operations such as 2048-bit certificates and DH5 keys. If you continue to use software processing for large keys, you could experience significant performance degradation due to slow session establishment for IPsec and SSL VPN connections. We recommend that you initially enable hardware processing during a low-use or maintenance period to minimize a temporary packet loss that can occur during the transition of processing from software to hardware.
Note For the ASA 5540 and ASA 5550 using SSL VPN, in specific load conditions, you may want to continue to use software processing for large keys. If VPN sessions are added very slowly and the ASA runs at capacity, then the negative impact to data throughput is larger than the positive impact for session establishment.
The ASA 5580/5585-X platforms already integrate this capability; therefore, crypto engine commands are not applicable on these platforms.
The following commands were introduced or modified: crypto engine large-mod-accel, clear configure crypto engine, show running-config crypto engine, and show running-config crypto.
In ASDM, use the Command Line Interface tool to enter the crypto engine large-mod-accel command.
Enabling this feature hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session. Disabling the feature leaves the display of the Connections tab unchanged; the default setting for the tab can be shown or hidden, depending on the user registry settings.
The following command was introduced: msie-proxy lockdown.
In ASDM, use the Command Line Interface tool to enter this command.
This feature enables the AnyConnect client to retain its session information and cookie so that it can seamlessly restore connectivity after the user leaves the office, as long as the session does not exceed the idle timer setting. This feature requires an AnyConnect release that supports TND pause and resume.
New Features in ASA 8.2(2)/ASDM 6.2(5)
Released: January 11, 2010
An administrator can now keep track of the number of users in the active state and can look at the statistics. The sessions that have been inactive for the longest time are marked as idle (and are automatically logged off) so that license capacity is not reached and new users can log in.
The following screen was modified: Monitoring > VPN > VPN Statistics > Sessions.
You can now control which IP packets with specific IP options should be allowed through the ASA. You can also clear IP options from an IP packet, and then allow it through the ASA. Previously, all IP options were denied by default, except for some special cases.
Note This inspection is enabled by default. The following command is added to the default global service policy: inspect ip-options. Therefore, the ASA allows RSVP traffic that contains packets with the Router Alert option (option 20) when the ASA is in routed mode.
The following commands were introduced: policy-map type inspect ip-options, inspect ip-options, eool, nop.
The following screens were introduced:
Configuration > Firewall > Objects > Inspect Maps > IP-Options
Configuration > Firewall > Service Policy > Add/Edit Service Policy Rule > Rule Actions > Protocol Inspection
You can enable call setup between H.323 endpoints when the Gatekeeper is inside the network. The ASA includes options to open pinholes for calls based on the RegistrationRequest/RegistrationConfirm (RRQ/RCF) messages.
Because these RRQ/RCF messages are sent to and from the Gatekeeper, the calling endpoint IP address is unknown and the ASA opens a pinhole through source IP address/port 0/0. By default, this option is disabled.
The following command was introduced: ras-rcf-pinholes enable (under the policy-map type inspect h323 > parameters commands).
The following screen was modified: Configuration > Firewall > Objects > Inspect Maps > H.323 > Details > State Checking.
Mobility Proxy application no longer requires Unified Communications Proxy license
In multiple context mode, auto-generated MAC addresses now use a user-configurable prefix, and other enhancements
The MAC address format was changed to allow use of a prefix, to use a fixed starting value (A2), and to use a different scheme for the primary and secondary unit MAC addresses in a failover pair.
The MAC addresess are also now persistent accross reloads.
The command parser now checks if auto-generation is enabled; if you want to also manually assign a MAC address, you cannot start the manual MAC address with A2.
The following command was modified: mac-address auto prefix prefix.
The following screen was modified: Configuration > Context Management > Security Contexts.
Support for Pause Frames for Flow Control on the ASA 5580 10 Gigabit Ethernet Interfaces
You can now enable pause (XOFF) frames for flow control.
The following command was introduced: flowcontrol.
The following screens were modified:
(Single Mode) Configuration > Device Setup > Interfaces > Add/Edit Interface > General
(Multiple Mode, System) Configuration > Interfaces > Add/Edit Interface
The Botnet Traffic Filter now supports automatic blocking of blacklisted traffic based on the threat level. You can also view the category and threat level of malware sites in statistics and reports. Reporting was enhanced to show infected hosts. The 1 hour timeout for reports for top hosts was removed; there is now no timeout.
The following commands were introduced or modified: dynamic-filter ambiguous-is-black, dynamic-filter drop blacklist, show dynamic-filter statistics, show dynamic-filter reports infected-hosts, and show dynamic-filter reports top.
The following screens were introduced or modified:
Configuration > Firewall > Botnet Traffic Filter > Traffic Settings Monitoring > Botnet Traffic Filter > Infected Hosts
The idle timeout was changed to apply to all protocols, not just TCP.
The following command was modified: set connection timeout.
The following screen was modified: Configuration > Firewall > Service Policies > Rule Actions > Connection Settings.
DHCP RFC compatibility (rfc3011, rfc3527) to resolve routing issues
This enhancement introduces ASA support for DHCP RFCs 3011 (The IPv4 Subnet Selection Option) and 3527 (Link Selection Sub-option for the Relay Agent Information Option). For each DHCP server configured for VPN clients, you can now configure the ASA to send the Subnet Selection option or the Link Selection option.
The following command was modified: dhcp-server [subnet-selection | link-selection].
The following screen was modified: Remote Access VPN > Network Access > IPsec connection profiles > Add/Edit.
IPv6 is now supported in failover configurations. You can assign active and standby IPv6 addresses to interfaces and use IPv6 addresses for the failover and Stateful Failover interfaces.
The following commands were modified: failover interface ip, ipv6 address.
The following screens were modified:
Configuration > Device Management > High Availability > Failover > Setup
Configuration > Device Management > High Availability > Failover > Interfaces
Configuration > Device Management > High Availability > HA/Scalability Wizard
No notifications when interfaces are brought up or brought down during a switchover event
To distinguish between link up/down transitions during normal operation from link up/down transitions during failover, no link up/link down traps are sent during a failover. Also, no syslog messages about link up/down transitions during failover are sent.
You can now configure up to 100 AAA server groups; the previous limit was 15 server groups.
The following command was modified: aaa-server.
The following screen was modified: Configuration > Device Management > Users/AAA > AAA Server Groups.
Smart Call Home offers proactive diagnostics and real-time alerts on the ASA and provides higher network availability and increased operational efficiency. Customers and TAC engineers get what they need to resolve problems quickly when an issue is detected.
Note Smart Call Home server Version 3.0(1) has limited support for the ASA. See the “Important Notes” for more information.
The following commands were introduced: call-home, call-home send alert-group, call-home test, call-home send, service call-home, show call-home, show call-home registered-module status.
The following screen was introduced: Configuration> Device Management> Smart Call Home.
New Features in ASA 8.2(1)/ASDM 6.2(1)
Released: May 6, 2009
ASDM now supports administrator authentication using one time passwords (OTPs) supported by RSA SecurID (SDI). This feature addresses security concerns about administrators authenticating with static passwords.
New session controls for ASDM users include the ability to limit the session time and the idle time. When the password used by the ASDM administrator times out, ASDM prompts the administrator to re-authenticate.
The following commands were introduced: http server idle-timeout and http server session-timeout. The http server idle-timeout default is 20 minutes, and can be increased up to a maximum of 1440 minutes.
In ASDM, see Configuration > Device Management > Management Access > ASDM/HTTPD/Telnet/SSH.
You can use ASDM to customize the Secure Desktop windows displayed to remote users, including the Secure Desktop background (the lock icon) and its text color, and the dialog banners for the Desktop, Cache Cleaner, Keystroke Logger, and Close Secure Desktop windows.
In ASDM, see Configuration > CSD Manager > Secure Desktop Manager.
The pre-fill username feature enables the use of a username extracted from a certificate for username/password authentication. With this feature enabled, the username is “pre-filled” on the login screen, with the user being prompted only for the password. To use this feature, you must configure both the pre-fill username and the username-from-certificate commands in tunnel-group configuration mode.
The double-authentication feature is compatible with the pre-fill username feature, as the pre-fill username feature can support extracting a primary username and a secondary username from the certificate to serve as the usernames for double authentication when two usernames are required. When configuring the pre-fill username feature for double authentication, the administrator uses the following new tunnel-group general-attributes configuration mode commands:
secondary-pre-fill-username—Enables username extraction for Clientless or AnyConnect client connection.
secondary-username-from-certificate—Allows for extraction of a few standard DN fields from a certificate for use as a username.
In ASDM, see Configuration> Remote Access VPN > Network (Client) Access > AnyConnect or Clienltess SSL VPN Connection Profiles > Advanced. Settings are in the Authentication, Secondary Authentication, and Authorization panes.
The double authentication feature implements two-factor authentication for remote access to the network, in accordance with the Payment Card Industry Standards Council Data Security Standard. This feature requires that the user enter two separate sets of login credentials at the login page. For example, the primary authentication might be a one-time password, and the secondary authentication might be a domain (Active Directory) credential. If either authentication fails, the connection is denied.
Both the AnyConnect VPN client and Clientless SSL VPN support double authentication. The AnyConnect client supports double authentication on Windows computers (including supported Windows Mobile devices and Start Before Logon), Mac computers, and Linux computers. The IPsec VPN client, SVC client, cut-through-proxy authentication, hardware client authentication, and management authentication do not support double authentication.
Double authentication requires the following new tunnel-group general-attributes configuration mode commands:
secondary-authentication-server-group—Specifies the secondary AAA server group, which cannot be an SDI server group.
secondary-username-from-certificate—Allows for extraction of a few standard DN fields from a certificate for use as a username.
secondary-pre-fill-username—Enables username extraction for Clientless or AnyConnect client connection.
authentication-attr-from-server—Specifies which authentication server authorization attributes are applied to the connection.
authenticated-session-username—Specifies which authentication username is associated with the session.
Note The RSA/SDI authentication server type cannot be used as the secondary username/password credential. It can only be used for primary authentication.
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access or Clientless SSL VPN > AnyConnect Connection Profiles > Add/Edit > Advanced > Secondary Authentication.
AnyConnect Essentials is a separately licensed SSL VPN client, entirely configured on the ASA, that provides the full AnyConnect capability, with the following exceptions:
The AnyConnect Essentials client provides remote end users running Microsoft Windows Vista, Windows Mobile, Windows XP or Windows 2000, Linux, or Macintosh OS X, with the benefits of a Cisco SSL VPN client.
To configure AnyConnect Essentials, the administrator uses the following command:
anyconnect-essentials—Enables the AnyConnect Essentials feature. If this feature is disabled (using the no form of this command), the SSL Premium license is used. This feature is enabled by default.
Note This license cannot be used at the same time as the shared SSL VPN premium license.
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials License. The AnyConnect Essentials license must be installed for ASDM to show this pane.
When enabled, Cisco Secure Desktop automatically runs on all computers that make SSL VPN connections to the ASA. This new feature lets you exempt certain users from running Cisco Secure Desktop on a per connection profile basis. It prevents the detection of endpoint attributes for these sessions, so you might need to adjust the Dynamic Access Policy (DAP) configuration.
Note “Connect Profile” in ASDM is also known as “Tunnel Group” in the CLI. Additionally, the group-url command is required for this feature. If the SSL VPN session uses connection-alias, this feature will not take effect.
In ASDM, see Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles > Add or Edit > Advanced, Clientless SSL VPN Configuration.
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Add or Edit > Advanced > SSL VPN.
Previous versions supported certificate authentication for each ASA interface, so users received certificate prompts even if they did not need a certificate. With this new feature, users receive a certificate prompt only if the connection profile configuration requires a certificate. This feature is automatic; the ssl certificate authentication command is no longer needed, but the ASA retains it for backward compatibility.
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Add/Edit > Basic.
Configuraiton > Remote Access VPN > Clientless SSL VPN > Connection Profiles > Add/Edit>Basic.
This feature adds the ability to create certificate maps that look at the Extended Key Usage extension of a client certificate and use these values in determining what connection profile the client should use. If the client does not match that profile, it uses the default group. The outcome of the connection then depends on whether or not the certificate is valid and the authentication settings of the connection profile.
The following command was introduced: extended-key-usage.
In ASDM, use the IPSec Certificate to Connection Maps > Rules pane, or Certificate to SSL VPN Connections Profile Maps pane.
Clientless SSL VPN sessions now support Microsoft Office SharePoint Server 2007.
You can purchase a shared license with a large number of SSL VPN sessions and share the sessions as needed among a group of ASAs by configuring one of the ASAs as a shared license server, and the rest as clients. The following commands were introduced: license-server commands (various), show shared license.
Note This license cannot be used at the same time as the AnyConnect Essentials license.
In ASDM, see Configuration > Device Management > Licensing > Shared SSL VPN Licenses. Also see, Monitoring > VPN > Clientless SSL VPN > Shared Licenses.
The VPN Wizard (accessible by choosing Wizards > IPSec VPN Wizard) was updated. The step to select IPsec Encryption and Authentication (formerly Step 9 of 11) was removed because the Wizard now generates default values for these settings. In addition, the step to select IPsec Settings (Optional) now includes new fields to enable perfect forwarding secrecy (PFS) and set the Diffie-Hellman Group.
If you have asymmetric routing configured on upstream routers, and traffic alternates between two ASAs, then you can configure TCP state bypass for specific traffic. The following command was introduced: set connection advanced tcp-state-bypass.
In ASDM, see Configuration > Firewall > Service Policy Rules > Rule Actions > Connection Settings.
Per-Interface IP Addresses for the Media-Termination Instance Used by the Phone Proxy
In Version 8.0(4), you configured a global media-termination address (MTA) on the ASA. In Version 8.2, you can now configure MTAs for individual interfaces (with a minimum of two MTAs). As a result of this enhancement, the old CLI has been deprecated. You can continue to use the old configuration if desired. However, if you need to change the configuration at all, only the new configuration method is accepted; you cannot later restore the old configuration.
In ASDM, see Configuration > Firewall > Advanced > Encrypted Traffic Inspection > Media Termination Address.
The Cisco Phone Proxy feature includes the show ctl-file command, which shows the contents of the CTL file used by the phone proxy. Using the show ctl-file command is useful for debugging when configuring the phone proxy instance.
The Cisco Phone Proxy feature includes the clear phone-proxy secure-phones command, which clears the secure-phone entries in the phone proxy database. Because secure IP phones always request a CTL file upon bootup, the phone proxy creates a database that marks the IP phones as secure. The entries in the secure phone database are removed after a specified configured timeout (via the timeout secure-phones command). Alternatively, you can use the clear phone-proxy secure-phones command to clear the phone proxy database without waiting for the configured timeout.
In this release, the ASA supports the H.239 standard as part of H.323 application inspection. H.239 is a standard that provides the ability for H.300 series endpoints to open an additional video channel in a single call. In a call, an endpoint (such as a video phone), sends a channel for video and a channel for data presentation. The H.239 negotiation occurs on the H.245 channel. The ASA opens a pinhole for the additional media channel. The endpoints use open logical channel message (OLC) to signal a new channel creation. The message extension is part of H.245 version 13. The decoding and encoding of the telepresentation session is enabled by default. H.239 encoding and decoding is preformed by ASN.1 coder.
In ASDM, see Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard > Rule Actions > Protocol Inspection > H.323 H.225. Click Configure and then choose the H.323 Inspect Map.
Processing H.323 Endpoints When the Endpoints Do Not Send OLCAck
H.323 application inspection has been enhanced to process common H.323 endpoints. The enhancement affects endpoints using the extendedVideoCapability OLC with the H.239 protocol identifier. Even when an H.323 endpoint does not send OLCAck after receiving an OLC message from a peer, the ASA propagates OLC media proposal information into the media array and opens a pinhole for the media channel (extendedVideoCapability).
In ASDM, see Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard > Rule Actions > Protocol Inspection > H.323 H.225.
Transparent firewall mode now participates in IPv6 routing. Prior to this release, the ASA could not pass IPv6 traffic in transparent mode. You can now configure an IPv6 management address in transparent mode, create IPv6 access lists, and configure other IPv6 features; the ASA recognizes and passes IPv6 packets.
All IPv6 functionality is supported unless specifically noted.
In ASDM, see Configuration > Device Management > Management Access > Management IP Address.
Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses, and then logs any suspicious activity. You can also supplement the dynamic database with a static database by entering IP addresses or domain names in a local “blacklist” or “whitelist.”
Note This feature requires the Botnet Traffic Filter license. See the following licensing document for more information:
http://www.cisco.com/en/US/docs/security/asa/asa82/license/license82.htmlThe following commands were introduced: dynamic-filter commands (various), and the inspect dns dynamic-filter-snoop keyword.
In ASDM, see Configuration > Firewall > Botnet Traffic Filter.
The AIP SSC offers IPS for the ASA 5505 ASA. Note that the AIP SSM does not support virtual sensors. The following commands were introduced: allow-ssc-mgmt, hw-module module ip, and hw-module module allow-ip.
In ASDM, see Configuration > Device Setup > SSC Setup and Configuration > IPS.
You can now send IPv6 traffic to the AIP SSM or SSC when your traffic class uses the match any command, and the policy map specifies the ips command.
In ASDM, see Configuration > Firewall > Service Policy Rules.
This release provides DES, 3DES, or AES encryption and support for SNMP Version 3, the most secure form of the supported security models. This version allows you to configure authentication characteristics by using the User-based Security Model (USM).
The following commands were introduced:
The following command was modified:
In ASDM, see Configuration > Device Management > Management Access > SNMP.
This feature was introduced in Version 8.1(1) for the ASA 5580; this version introduces the feature to the other platforms. The new NetFlow feature enhances the ASA logging capabilities by logging flow-based events through the NetFlow protocol.
In ASDM, see Configuration > Device Management > Logging > Netflow.
The ASA now offers Multicast NAT support for group addresses.
A coredump is a snapshot of the running program when the program has terminated abnormally. Coredumps are used to diagnose or debug errors and save a crash for later or off-site analysis. Cisco TAC may request that users enable the coredump feature to troubleshoot application or system crashes on the ASA.
All IPv6 functionality is supported unless specifically noted.
You can use ASDM to configure a public server. This allows to you define servers and services that you want to expose to an outside interface.
New Features in Version 8.1
