Table Of Contents
Release Notes for Cisco ASDM, Version 6.2, for ASA and PIX
ASDM Client Operating System and Browser Requirements
New Features by Platform Release
New Features in Version 8.2(1)
New Features in Version 8.1(2)
New Features in Version 8.1(1)
New Features in Version 8.0(5)
New Features in Version 8.0(4)
New Features in Version 8.0(3)
New Features in Version 8.0(2)
Upgrading the Security Appliance
Ignored and View-Only Commands
Effects of Unsupported Commands
Discontinuous Subnet Masks Not Supported
Interactive User Commands Not Supported by the ASDM CLI Tool
Open and Resolved Caveats for Software Version 6.2
Open Caveats for Software Version 6.2
Resolved Caveats for Software Version 6.2.3
Resolved Caveats for Software Version 6.2.1
Obtaining Documentation and Submitting a Service Request
Release Notes for Cisco ASDM, Version 6.2, for ASA and PIX
November 2009
This document contains release information for Cisco ASDM Version 6.2 on Cisco ASA 5500 series and Cisco PIX 500 series security appliances. It includes the following sections:
•
ASDM Client Operating System and Browser Requirements
•
•
•
•
Important Notes
This section describes new enhancements or procedures or documentation issues that have been implemented since the last release, and includes the following topics:
•
AIP SSC Setup Screen in ASDM
AIP (IPS) users will be unable to use ASDM to set up SSC if you mistype a password in the SSC-setup screen.
ASDM Launcher Upgrade Failure
Upgrading from a previous version of ASDM, such as ASDM 6.1.5.51, which includes ASDM Launcher 1.5.30, sometimes fails in the following two ways on Windows XP or Vista:
•
•
Running dm-launcher.msi may produce an error 1307 or 1316 dialog giving the full pathname of the file that either cannot be found or for which a network error occurred.Workaround : To recover from such events, use the Add or Remove Programs control panel to remove the Cisco ASDM Launcher or Cisco ASDM-IDM Launcher. (Any of the ASDM on IP address programs do not need to be removed.) Afterwards, evoke a web browser; access ASDM with a URL such as https://<IP_Address >/admin; and install the new ASDM-IDM Launcher with the "Install ASDM Launcher and Run ASDM" button.
ASDM Client Operating System and Browser Requirements
Table 1 lists the supported and recommended client operating systems and Java for ASDM.
Table 1 Operating System and Browser Requirements
Microsoft Windows
Windows 7
Windows Vista
Windows 2003 Server (English or Japanese version)
Windows XP
Internet Explorer 6.0, 7.0, 8.0 with Sun Java SE2 Plug-in 5.0 (1.5.0), or 6.0
Firefox 1.5, 2.0, 3.0, and 3.5 with Java SE Plug-in 5.0 (1.5.0), or 6.0
SSL Encryption Settings—All available encryption options are enabled for SSL in the browser preferences.
Note
Note
Apple Macintosh
Apple Macintosh OS X, 10.4, 10.5, 10.6
Firefox1.5, 2.0, 3.0, and 3.5, or Safari 2.0 with Java SE Plug-in 5.0 (1.5.0), or 6.03 4
Linux
Red Hat Desktop, Red Hat Enterprise Linux WS version 5 running GNOME or KDE
Firefox 1.5, 2.0, 3.0, and 3.5 with Java SE Plug-in 5.0 (1.5.0), or 6.0
1 The recommended minimal resolution for your browser should be 1024 x 768.
2 Obtain Sun Java from java.sun.com.
3 With Apple Macintosh, only 32-bit Java SE will be supported. Currently, this also excludes Java 6. The 32-bit Java can run on a 64-bit Mac OS.
4 If you are trying to launch ASDM on a Macintosh, be aware that recent Java upgrades do not automatically register the changed location of the Java Web Start application, which should handle JNLP extension files. To reconcile this problem, simply go to the directory /System/Library/CoreServices in the Mac Finder. After you have opened the folder in this directory, when you select Run ASDM and Run Startup Wizard, a dialog appears that allows you to associate JNLP files with Java Web Start.
Note
Important: This procedure is not needed with operating systems that correct CSCsv28869: ASA/PIX 8.0(4.11), ASA 8.1(2.5), or ASA 8.2 or later.
On the Mac, go to Applications > Utilities > Java > Java Preferences. From the Java Preferences dialog, select View. The Java Cache Viewer dialog appears. Select Applications from the Show pull-down menu. Select the ASDM on ip_addr row in the table that you want to delete, select `X' to remove the selected item, and click OK.
Next, from the Java Preferences dialog, select Settings. Then select Delete Files. Choose all options from this pop-up dialog and click Delete. On the Temporary Files Setting dialog, click OK.
Go to the Java Preferences menu and select Quit Java Preferences. If the deleted desktop IP address application still appears on the desktop, drag and drop the application into the trash. Launch ASDM from a web browser, either Safari or Firefox, and, if desired, install a new ASDM desktop application when prompted.
Note
Supported Platforms and SSMs
Note
ASDM Version 6.2 supports the following platforms and releases:
•
•
•
•
•
•
ASDM Version 6.2(3) supports the following SSMs and releases:
•
•
•
New ASDM Features
Table 2 lists the new features for ASDM Version 6.2.3
Note
New Features by Platform Release
This section lists the new features available in each supported platform release. Because ASDM supports multiple platform releases, and the ASDM documentation includes features for all releases, you should see these sections to determine if a feature is in your release. This section includes the following topics:
•
•
•
•
•
•
•
New Features in Version 8.2(1)
Hi
Table 3 lists the new features for Version 8.2(1).
Table 3 New Features for ASA Version 8.2(1)
One Time Password Support for ASDM Authentication
ASDM now supports administrator authentication using one time passwords (OTPs) supported by RSA SecurID (SDI). This feature addresses security concerns about administrators authenticating with static passwords.
New session controls for ASDM users include the ability to limit the session time and the idle time. When the password used by the ASDM administrator times out, ASDM prompts the administrator to re-authenticate.
The following commands were introduced: http server idle-timeout and http server session-timeout. The http server idle-timeout default is 20 minutes, and can be increased up to a maximum of 1440 minutes.
In ASDM, see Configuration > Device Management > Management Access > ASDM/HTTPD/Telnet/SSH.
Customizing Secure Desktop
You can use ASDM to customize the Secure Desktop windows displayed to remote users, including the Secure Desktop background (the lock icon) and its text color, and the dialog banners for the Desktop, Cache Cleaner, Keystroke Logger, and Close Secure Desktop windows.
In ASDM, see Configuration > CSD Manager > Secure Desktop Manager.
Pre-fill Username from Certificate
The pre-fill username feature enables the use of a username extracted from a certificate for username/password authentication. With this feature enabled, the username is "pre-filled" on the login screen, with the user being prompted only for the password. To use this feature, you must configure both the pre-fill username and the username-from-certificate commands in tunnel-group configuration mode.
The double-authentication feature is compatible with the pre-fill username feature, as the pre-fill username feature can support extracting a primary username and a secondary username from the certificate to serve as the usernames for double authentication when two usernames are required. When configuring the pre-fill username feature for double authentication, the administrator uses the following new tunnel-group general-attributes configuration mode commands:
•
•
In ASDM, see In ASDM, see Configuration> Remote Access VPN > Network (Client) Access > AnyConnect or Clienltess SSL VPN Connection Profiles > Advanced. Settings are in Authentication, Secondary Authentication, and Authorization panels.
Double Authentication
The double authentication feature implements two-factor authentication for remote access to the network, in accordance with the Payment Card Industry Standards Council Data Security Standard. This feature requires that the user enter two separate sets of login credentials at the login page. For example, the primary authentication might be a one-time password, and the secondary authentication might be a domain (Active Directory) credential. If either authentication fails, the connection is denied.
Both the AnyConnect VPN client and Clientless SSL VPN support double authentication. The AnyConnect client supports double authentication on Windows computers (including supported Windows Mobile devices and Start Before Logon), Mac computers, and Linux computers. The IPsec VPN client, SVC client, cut-through-proxy authentication, hardware client authentication, and management authentication do not support double authentication.
Double authentication requires the following new tunnel-group general-attributes configuration mode commands:
•
•
•
•
•
Note
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access or Clientless SSL VPN > AnyConnect Connection Profiles > Add/Edit > Advanced > Secondary Authentication.
AnyConnect Essentials
AnyConnect Essentials is a separately licensed SSL VPN client, entirely configured on the security appliance, that provides the full AnyConnect capability, with the following exceptions:
•
•
•
The AnyConnect Essentials client provides remote end users running Microsoft Windows Vista, Windows Mobile, Windows XP or Windows 2000, Linux, or Macintosh OS X, with the benefits of a Cisco SSL VPN client.
To configure AnyConnect Essentials, the administrator uses the following command:
anyconnect-essentials—Enables the AnyConnect Essentials feature. If this feature is disabled (using the no form of this command), the SSL Premium license is used. This feature is enabled by default.
Note
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials License. The AnyConnect Essentials license must be installed for ASDM to show this pane.
Disabling Cisco Secure Desktop per Connection Profile
When enabled, Cisco Secure Desktop automatically runs on all computers that make SSL VPN connections to the security appliance. This new feature lets you exempt certain users from running Cisco Secure Desktop on a per connection profile basis. It prevents the detection of endpoint attributes for these sessions, so you might need to adjust the Dynamic Access Policy (DAP) configuration.
CLI: [no] without-csd command
Note
In ASDM, see Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles > Add or Edit > Advanced, Clientless SSL VPN Configuration.
or
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Add or Edit > Advanced > SSL VPN.
Certificate Authentication Per Connection Profile
Previous versions supported certificate authentication for each security appliance interface, so users received certificate prompts even if they did not need a certificate. With this new feature, users receive a certificate prompt only if the connection profile configuration requires a certificate. This feature is automatic; the ssl certificate authentication command is no longer needed, but the security appliance retains it for backward compatibility.
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Add/Edit > Basic.
or
Configuraiton > Remote Access VPN > Clientless SSL VPN > Connection Profiles > Add/Edit>Basic.
EKU Extensions for Certificate Mapping
This feature adds the ability to create certificate maps that look at the Extended Key Usage extension of a client certificate and use these values in determining what connection profile the client should use. If the client does not match that profile, it uses the default group. The outcome of the connection then depends on whether or not the certificate is valid and the authentication settings of the connection profile.
The following command was introduced: extended-key-usage.
In ASDM, use the IPSec Certificate to Connection Maps > Rules pane, or Certificate to SSL VPN Connections Profile Maps pane.
SSL VPN SharePoint Support for Win 2007 Server
Clientless SSL VPN sessions now support Microsoft Office SharePoint Server 2007.
Shared license for SSL VPN sessions
You can purchase a shared license with a large number of SSL VPN sessions and share the sessions as needed among a group of security appliances by configuring one of the security appliances as a shared license server, and the rest as clients. The following commands were introduced: license-server commands (various), show shared license.
Note
In ASDM, see Configuration > Device Management > Licensing > Shared SSL VPN Licenses. Also see, Monitoring > VPN > Clientless SSL VPN > Shared Licenses.
TCP state bypass
If you have asymmetric routing configured on upstream routers, and traffic alternates between two security appliances, then you can configure TCP state bypass for specific traffic. The following command was introduced: set connection advanced tcp-state-bypass.
In ASDM, see Configuration > Firewall > Service Policy Rules > Rule Actions > Connection Settings.
Per-Interface IP Addresses for the Media-Termination Instance Used by the Phone Proxy
In Version 8.0(4), you configured a global media-termination address (MTA) on the security appliance. In Version 8.2, you can now configure MTAs for individual interfaces (with a minimum of two MTAs). As a result of this enhancement, the old CLI has been deprecated. You can continue to use the old configuration if desired. However, if you need to change the configuration at all, only the new configuration method is accepted; you cannot later restore the old configuration.
In ASDM, see Configuration > Firewall > Advanced > Encrypted Traffic Inspection > Media Termination Address.
Displaying the CTL File for the Phone Proxy
The Cisco Phone Proxy feature includes the show ctl-file command, which shows the contents of the CTL file used by the phone proxy. Using the show ctl-file command is useful for debugging when configuring the phone proxy instance.
This command is not supported in ASDM.
Clearing Secure-phone Entries from the Phone Proxy Database
The Cisco Phone Proxy feature includes the clear phone-proxy secure-phones command, which clears the secure-phone entries in the phone proxy database. Because secure IP phones always request a CTL file upon bootup, the phone proxy creates a database that marks the IP phones as secure. The entries in the secure phone database are removed after a specified configured timeout (via the timeout secure-phones command). Alternatively, you can use the clear phone-proxy secure-phones command to clear the phone proxy database without waiting for the configured timeout.
This command is not supported in ASDM.
H.239 Message Support in H.323 Application Inspection
In this release, the security appliance supports the H.239 standard as part of H.323 application inspection. H.239 is a standard that provides the ability for H.300 series endpoints to open an additional video channel in a single call. In a call, an endpoint (such as a video phone), sends a channel for video and a channel for data presentation. The H.239 negotiation occurs on the H.245 channel. The security appliance opens a pinhole for the additional media channel. The endpoints use open logical channel message (OLC) to signal a new channel creation. The message extension is part of H.245 version 13. The decoding and encoding of the telepresentation session is enabled by default. H.239 encoding and decoding is preformed by ASN.1 coder.
In ASDM, see Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard > Rule Actions > Protocol Inspection > H.323 H.225. Click Configure and then choose the H.323 Inspect Map.
Processing H.323 Endpoints When the Endpoints Do Not Send OLCAck
H.323 application inspection has been enhanced to process common H.323 endpoints. The enhancement affects endpoints using the extendedVideoCapability OLC with the H.239 protocol identifier. Even when an H.323 endpoint does not send OLCAck after receiving an OLC message from a peer, the security appliance propagates OLC media proposal information into the media array and opens a pinhole for the media channel (extendedVideoCapability).
In ASDM, see Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard > Rule Actions > Protocol Inspection > H.323 H.225.
IPv6 in transparent firewall mode
Transparent firewall mode now participates in IPv6 routing. Prior to this release, the security appliance could not pass IPv6 traffic in transparent mode. You can now configure an IPv6 management address in transparent mode, create IPv6 access lists, and configure other IPv6 features; the security appliance recognizes and passes IPv6 packets.
All IPv6 functionality is supported unless specifically noted.
In ASDM, see Configuration > Device Management > Management Access > Management IP Address.
Botnet Traffic Filter
Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses, and then logs any suspicious activity. You can also supplement the dynamic database with a static database by entering IP addresses or domain names in a local "blacklist" or "whitelist."
Note
http://www.cisco.com/en/US/docs/security/asa/asa82/license/license82.htmlThe following commands were introduced: dynamic-filter commands (various), and the inspect dns dynamic-filter-snoop keyword.
In ASDM, see Configuration > Firewall > Botnet Traffic Filter.
AIP SSC card for the ASA 5505
The AIP SSC offers IPS for the ASA 5505 security appliance. Note that the AIP SSM does not support virtual sensors. The following commands were introduced: allow-ssc-mgmt, hw-module module ip, and hw-module module allow-ip.
In ASDM, see Configuration > Device Setup > SSC Setup and Configuration > IPS.
IPv6 support for IPS
You can now send IPv6 traffic to the AIP SSM or SSC when your traffic class uses the match any command, and the policy map specifies the ips command.
In ASDM, see Configuration > Firewall > Service Policy Rules.
SNMP version 3 and encryption
This release provides DES, 3DES, or AES encryption and support for SNMP Version 3, the most secure form of the supported security models. This version allows you to configure authentication characteristics by using the User-based Security Model (USM).
The following commands were introduced:
•
•
•
•
•
•
The following command was modified:
•
In ASDM, see Configuration > Device Management > Management Access > SNMP.
Multicast NAT
The security appliance now offers Multicast NAT support for group addresses.
Coredump functionality
A coredump is a snapshot of the running program when the program has terminated abnormally. Coredumps are used to diagnose or debug errors and save a crash for later or off-site analysis. Cisco TAC may request that users enable the coredump feature to troubleshoot application or system crashes on the security appliance.
To enable coredump, see the coredump enable command.
New Features in Version 8.1(2)
Table 4 lists the new features for Version 8.1(2).
Note
New Features in Version 8.1(1)
Table 5 lists the new features for Version 8.1(1).
Note
New Features in Version 8.0(5)
Hi
Table 6 lists the new features for Version 8.0(5).
Note
New Features in Version 8.0(4)
Note
Table 7 lists the new features for Version 8.0(4).
Table 7 New Features for ASA and PIX Version 8.0(4)
Phone Proxy
Phone Proxy functionality is supported. ASA Phone Proxy provides similar features to those of the Metreos Cisco Unified Phone Proxy with additional support for SIP inspection and enhanced security. The ASA Phone Proxy has the following key features:
•
•
•
•
In ASDM, see Configuration > Firewall > Advanced > Encrypted Traffic Inspection > Phone Proxy.
Mobility Proxy
Secure connectivity (mobility proxy) between Cisco Unified Mobility Advantage clients and servers is supported.
Cisco Unified Mobility Advantage solutions include the Cisco Unified Mobile Communicator, an easy-to-use software application for mobile handsets that extends enterprise communications applications and services to mobile phones and smart phones and the Cisco Unified Mobility Advantage server. The mobility solution streamlines the communication experience, enabling real-time collaboration across the enterprise.
The ASA in this solution delivers inspection for the MMP (formerly called OLWP) protocol, the proprietary protocol between Cisco Unified Mobile Communicator and Cisco Unified Mobility Advantage. The ASA also acts as a TLS proxy, terminating and reoriginating the TLS signaling between the Cisco Unified Mobile Communicator and Cisco Unified Mobility Advantage.
In ASDM, see Configuration > Firewall > Advanced > Encrypted Traffic Inspection > TLS Proxy.
Presence Federation Proxy
Secure connectivity (presence federation proxy) between Cisco Unified Presence servers and Cisco/Microsoft Presence servers is supported. With the Presence solution, businesses can securely connect their Cisco Unified Presence clients back to their enterprise networks, or share Presence information between Presence servers in different enterprises.
The ASA delivers functionality to enable Presence for Internet and intra-enterprise communications. An SSL-enabled Cisco Unified Presence client can establish an SSL connection to the Presence Server. The ASA enables SSL connectivity between server to server communication including third-party Presence servers communicating with Cisco Unified Presence servers. Enterprises share Presence information, and can use IM applications. The ASA inspects SIP messages between the servers.
In ASDM, see Configuration > Firewall > Service Policy Rules > Add/Edit Service Policy Rule > Rule Actions > Protocol Inspection or Configuration > Firewall > Advanced > Encrypted Traffic Inspection > TLS Proxy > Add > Client Configuration.
Auto Sign-On with Smart Tunnels for IE1
This feature lets you enable the replacement of logon credentials for WININET connections. Most Microsoft applications use WININET, including Internet Explorer. Mozilla Firefox does not, so it is not supported by this feature. It also supports HTTP-based authentication, therefore form-based authentication does not work with this feature.
Credentials are statically associated to destination hosts, not services, so if initial credentials are wrong, they cannot be dynamically corrected during runtime. Also, because of the association with destinations hosts, providing support for an auto sign-on enabled host may not be desirable if you want to deny access to some of the services on that host.
To configure a group auto sign-on for smart tunnels, you create a global list of auto sign-on sites, then assign the list to group policies or user names. This feature is not supported with Dynamic Access Policy.
In ASDM, see Firewall > Advanced > ACL Manager.
Entrust Certificate Provisioning1
ASDM includes a link to the Entrust website to apply for temporary (test) or discounted permanent SSL identity certificates for your ASA.
In ASDM, see Configuration > Remote Access VPN > Certificate Management > Identity Certificates. Click Enroll ASA SSL VPN head-end with Entrust.
Extended Time for User Reauthentication on IKE Rekey
You can configure the security appliance to give remote users more time to enter their credentials on a Phase 1 SA rekey. Previously, when reauthenticate-on-rekey was configured for IKE tunnels and a phase 1 rekey occurred, the security appliance prompted the user to authenticate and only gave the user approximately 2 minutes to enter their credentials. If the user did not enter their credentials in that 2 minute window, the tunnel would be terminated. With this new feature enabled, users now have more time to enter credentials before the tunnel drops. The total amount of time is the difference between the new Phase 1 SA being established, when the rekey actually takes place, and the old Phase 1 SA expiring. With default Phase 1 rekey times set, the difference is roughly 3 hours, or about 15% of the rekey interval.
In ASDM, see Configuration > Device Management > Certificate Management > Identity Certificates.
Persistent IPsec Tunneled Flows
With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and resumes stateful (TCP) tunneled flows after the tunnel drops, then recovers. All other flows are dropped when the tunnel drops and must reestablish when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop. This feature supports IPsec LAN-to-LAN tunnels and Network Extension Mode tunnels from a Hardware Client. It does not support IPsec or AnyConnect/SSL VPN remote access tunnels. See the [no] sysopt connection preserve-vpn-flows command. This option is disabled by default.
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > System Options. Check the Preserve stateful VPN flows when the tunnel drops for Network Extension Mode (NEM) checkbox to enable persistent IPsec tunneled flows.
Show Active Directory Groups
The CLI command show ad-groups was added to list the active directory groups. ASDM Dynamic Access Policy uses this command to present the administrator with a list of MS AD groups that can be used to define the VPN policy.
In ASDM, see Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies > Add/Edit DAP > Add/Edit AAA Attribute.
Smart Tunnel over Mac OS1
Smart tunnels now support Mac OS.
In ASDM, see Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels.
QoS Traffic Shaping
If you have a device that transmits packets at a high speed, such as the security appliance with Fast Ethernet, and it is connected to a low speed device such as a cable modem, then the cable modem is a bottleneck at which packets are frequently dropped. To manage networks with differing line speeds, you can configure the security appliance to transmit packets at a fixed slower rate. See the shape command. See also the crypto ipsec security-association replay command, which lets you configure the IPSec anti-replay window size. One side-effect of priority queueing is packet re-ordering. For IPSec packets, out-of-order packets that are not within the anti-replay window generate warning syslog messages. These warnings become false alarms in the case of priority queueing. This new command avoids possible false alarms.
In ASDM, see Configuration > Firewall > Security Policy > Service Policy Rules > Add/Edit Service Policy Rule > Rule Actions > QoS. Note that the only traffic class supported for traffic shaping is class-default, which matches all traffic.
TCP Normalization Enhancements
You can now configure TCP normalization actions for certain packet types. Previously, the default actions for these kinds of packets was to drop the packet. Now you can set the TCP normalizer to allow the packets.
•
•
•
You can also set the TCP out-of-order packet buffer timeout (the queue command timeout keyword). Previously, the timeout was 4 seconds. You can now set the timeout to another value.
The default action for packets that exceed MSS has changed from drop to allow (the exceed-mss command).
The following non-configurable actions have changed from drop to clear for these packet types:
•
•
•
•
In ASDM, see Configuration > Firewall > Objects > TCP Maps.
TCP Intercept statistics
You can enable collection for TCP Intercept statistics using the threat-detection statistics tcp-intercept command, and view them using the show threat-detection statistics command.
In ASDM 6.1(5) and later, see Configuration > Firewall > Threat Detection. This command was not supported in ASDM 6.1(3).
Threat detection shun timeout
You can now configure the shun timeout for threat detection using the threat-detection scanning-threat shun duration command.
In ASDM 6.1(5) and later, see Configuration > Firewall > Threat Detection. This command was not supported in ASDM 6.1(3).
Timeout for SIP Provisional Media
You can now configure the timeout for SIP provisional media using the timeout sip-provisional-media command.
In ASDM, see Configuration > Firewall > Advanced > Global Timeouts.
Native VLAN support for the ASA 5505
You can now include the native VLAN in an ASA 5505 trunk port using the switchport trunk native vlan command.
In ASDM, see Configuration > Device Setup > Interfaces > Switch Ports > Edit dialog.
1 This feature is not supported on the PIX security appliance.
New Features in Version 8.0(3)
Table 8 lists the new features for Version 8.0(3).
New Features in Version 8.0(2)
Table 1-9 lists the new features for Version 8.0(2).
Note
Table 1-9 New Features for ASA and PIX Version 8.0(2)
EIGRP routing
The security appliance supports EIGRP or EIGRP stub routing.
Remote command execution in Failover pairs
You can execute commands on the peer unit in a failover pair without having to connect directly to the peer. This works for both Active/Standby and Active/Active failover.
CSM configuration rollback support
Adds support for the Cisco Security Manager configuration rollback feature in failover configurations.
Failover pair Auto Update support
You can use an Auto Update server to update the platform image and configuration in failover pairs.
Stateful Failover for SIP signaling
SIP media and signaling connections are replicated to the standby unit.
Redundant interfaces
A logical redundant interface pairs an active and a standby physical interface. When the active interface fails, the standby interface becomes active and starts passing traffic. You can configure a redundant interface to increase the security appliance reliability. This feature is separate from device-level failover, but you can configure redundant interfaces as well as failover if desired. You can configure up to eight redundant interface pairs.
Password reset
You can reset the password on the SSM hardware module.
Combined certificate and username/password login
An administrator requires a username and password in addition to a certificate for login to SSL VPN connections.
Internal domain username/password
Provides a password for access to internal resources for users who log in with credentials other than a domain username and password, for example, with a one-time password. This is a password in addition to the one a user enters when logging in.
Generic LDAP support
This includes OpenLDAP and Novell LDAP. Expands LDAP support available for authentication and authorization.
Onscreen keyboard
The security appliance includes an onscreen keyboard option for the login page and subsequent authentication requests for internal resources. This provides additional protection against software-based keystroke loggers by requiring a user to use a mouse to click characters in an onscreen keyboard for authentication, rather than entering the characters on a physical keyboard.
SAML SSO verified with RSA Access Manager
The security appliance supports Security Assertion Markup Language (SAML) protocol for Single Sign On (SSO) with RSA Access Manager (Cleartrust and Federated Identity Manager).
NTLMv2
Version 8.0(2) adds support for NTLMv2 authentication for Windows-based clients.
Local certificate authority
Provides a certificate authority on the security appliance for use with SSL VPN connections, both browser- and client-based.
OCSP CRL
Provides OCSP revocation checking for SSL VPN.
Host Scan
As a condition for the completion of a Cisco AnyConnect or clientless SSL VPN connection, the remote computer scans for a greatly expanded collection of antivirus and antispyware applications, firewalls, operating systems, and associated updates. It also scans for any registry entries, filenames, and process names that you specify. It sends the scan results to the security appliance. The security appliance uses both the user login credentials and the computer scan results to assign a Dynamic Access Policy (DAP).
With an Advanced Endpoint Assessment License, you can enhance Host Scan by configuring an attempt to update noncompliant computers to meet version requirements.
Cisco can provide timely updates to the list of applications and versions that Host Scan supports in a package that is separate from Cisco Secure Desktop.
Simplified prelogin assessment and periodic checks
Cisco Secure Desktop now simplifies the configuration of prelogin and periodic checks to perform on remote Microsoft Windows computers. Cisco Secure Desktop lets you add, modify, remove, and place conditions on endpoint checking criteria using a simplified, graphical view of the checks. As you use this graphical view to configure sequences of checks, link them to branches, deny logins, and assign endpoint profiles, Cisco Secure Desktop Manager records the changes to an XML file. You can configure the security appliance to use returned results in combination with many other types of data, such as the connection type and multiple group settings, to generate and apply a DAP to the session.
Dynamic access policies (DAP)
VPN gateways operate in dynamic environments. Multiple variables can affect each VPN connection, for example, intranet configurations that frequently change, the various roles each user may inhabit within an organization, and logins from remote access sites with different configurations and levels of security. The task of authorizing users is much more complicated in a VPN environment than it is in a network with a static configuration.
Dynamic Access Policies (DAP) on the security appliance let you configure authorization that addresses these many variables. You create a dynamic access policy by setting a collection of access control attributes that you associate with a specific user tunnel or session. These attributes address issues of multiple group membership and endpoint security. That is, the security appliance grants access to a particular user for a particular session based on the policies you define. It generates a DAP at the time the user connects by selecting and/or aggregating attributes from one or more DAP records. It selects these DAP records based on the endpoint security information of the remote device and the AAA authorization information for the authenticated user. It then applies the DAP record to the user tunnel or session.
Administrator differentiation
Lets you differentiate regular remote access users and administrative users under the same database, either RADIUS or LDAP. You can create and restrict access to the console via various methods (TELNET and SSH, for example) to administrators only. It is based on the IETF RADIUS service-type attribute.
VLAN support for remote access VPN connections
Provides support for mapping (tagging) of client traffic at the group or user level. This feature is compatible with clientless as well as IPsec and SSL tunnel-based connections.
VPN load balancing for the ASA 5510
Extends load balancing support to ASA 5510 security appliances that have a Security Plus license.
Crypto conditional debug
Lets users debug an IPsec tunnel on the basis of predefined crypto conditions such as the peer IP address, connection-ID of a crypto engine, and security parameter index (SPI). By limiting debug messages to specific IPSec operations and reducing the amount of debug output, you can better troubleshoot the security appliance with a large number of tunnels.
Enhanced portal design
Version 8.0(2) includes an enhanced end user interface that is more cleanly organized and visually appealing.
Customization
Supports administrator-defined customization of all user-visible content.
Support for FTP
You can provide file access via FTP in additional to CIFS (Windows-based).
Plugin applets
Version 8.0(2) adds a framework for supporting TCP-based applications without requiring a pre-installed client application. Java applets let users access these applications from the browser-enabled SSL VPN portal. Initial support is for TELNET, SSH, RDP, and VNC.
Smart tunnels
A smart tunnel is a connection between an application and a remote site, using a browser-based SSL VPN session with the security appliance as the pathway. Version 8.0(2) lets you identify the applications to which you want to grant smart tunnel access, and lets you specify the path to the application and the SHA-1 hash of its checksum to check before granting it access. Lotus SameTime and Microsoft Outlook Express are examples of applications to which you might want to grant smart tunnel access.
The remote host originating the smart tunnel connection must be running Microsoft Windows Vista, Windows XP, or Windows 2000, and the browser must be enabled with Java, Microsoft ActiveX, or both.
RSS newsfeed
Administrators can populate the clientless portal with RSS newsfeed information, which lets company news or other information display on a user screen.
Personal bookmark support
Users can define their own bookmarks. These bookmarks are stored on a file server.
Transformation enhancements
Adds support for several complex forms of web content over clientless connections, including Adobe flash and Java WebStart.
IPv6
Allows access to IPv6 resources over a public IPv4 connection.
Web folders
Lets browser-based SSL VPN users connecting from Windows operating systems browse shared file systems and perform the following operations: view folders, view folder and file properties, create, move, copy, copy from the local host to the remote host, copy from the remote host to the local host, and delete. Internet Explorer indicates when a web folder is accessible. Accessing this folder launches another window, providing a view of the shared folder, on which users can perform web folder functions, assuming the properties of the folders and documents permit them.
Microsoft Sharepoint enhancement
Extends Web Access support for Microsoft Sharepoint, integrating Microsoft Office applications available on the machine with the browser to view, change, and save documents shared on a server. Version 8.0(2) supports Windows Sharepoint Services 2.0 in Windows Server 2003.
HTTP Proxy
PAC support
Lets you specify the URL of a proxy autoconfiguration file (PAC) to download to the browser. Once downloaded, the PAC file uses a JavaScript function to identify a proxy for each URL.
HTTPS Proxy
Proxy exclusion list
Lets you configure a list of URLs to exclude from the HTTP requests the security appliance can send to an external proxy server.
SSL VPN tunnel support
The security appliance provides NAC posture validation of endpoints that establish AnyConnect VPN client sessions.
Support for audit services
You can configure the security appliance to pass the IP address of the client to an optional audit server if the client does not respond to a posture validation request. The audit server uses the host IP address to challenge the host directly to assess its health. For example, it might challenge the host to determine whether its virus checking software is active and up-to-date. After the audit server completes its interaction with the remote host, it passes a token to the posture validation server, indicating the health of the remote host. If the token indicates the remote host is healthy, the posture validation server sends a network access policy to the security appliance for application to the traffic on the tunnel.
Modular policy framework inspect class map
Traffic can match one of multiple match commands in an inspect class map; formerly, traffic had to match all match commands in a class map to match the class map.
AIC for encrypted streams and AIC Arch changes
Provides HTTP inspection into TLS, which allows AIC/MPF inspection in WebVPN HTTP and HTTPS streams.
TLS Proxy for SCCP and SIP2
Enables inspection of encrypted traffic. Implementations include SSL encrypted VoIP signaling, namely Skinny and SIP, interacting with the Cisco CallManager.
SIP enhancements for CCM
Improves interoperability with CCM 5.0 and 6.x with respect to signaling pinholes.
Full RTSP PAT support
Provides TCP fragment reassembly support, a scalable parsing routine on RTSP, and security enhancements that protect RTSP traffic.
Enhanced service object group
Lets you configure a service object group that contains a mix of TCP services, UDP services, ICMP-type services, and any protocol. It removes the need for a specific ICMP-type object group and protocol object group. The enhanced service object group also specifies both source and destination services. The access list CLI now supports this behavior.
Ability to rename access list
Lets you rename an access list.
Live access list hit counts
Includes the hit count for ACEs from multiple access lists. The hit count value represents how many times traffic hits a particular access rule.
Set connection limits for management traffic to the security appliance
For a Layer 3/4 management class map, you can specify the set connection command.
Threat detection
You can enable basic threat detection and scanning threat detection to monitor attacks such as DoS attacks and scanning attacks. For scanning attacks, you can automatically shun attacking hosts. You can also enable scan threat statistics to monitor both valid and invalid traffic for hosts, ports, protocols, and access lists.
Transparent firewall NAT support
You can configure NAT for a transparent firewall.
Virtual IPS sensors with the AIP SSM
The AIP SSM running IPS software Version 6.0 and above can run multiple virtual sensors, which means you can configure multiple security policies on the AIP SSM. You can assign each context or single mode security appliance to one or more virtual sensors, or you can assign multiple security contexts to the same virtual sensor. See the IPS documentation for more information about virtual sensors, including the maximum number of sensors supported.
Secure logging
You can enable secure connections to the syslog server using SSL or TLS with TCP, and encrypted system log message content. Not supported on the PIX series security appliance.
IPv6 support for SIP
The SIP inspection engine supports IPv6 addresses. IPv6 addresses can be used in URLs, in the Via header field, and SDP fields.
1 Clientless SSL VPN features are not supported on the PIX security appliance.
2 TLS proxy is not supported on the PIX security appliance.
Upgrading the Security Appliance
This section describes how to upgrade the security appliance to a new ASDM release. If you have a Cisco.com login, you can obtain ASDM from one of the following websites:
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa
or
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix
Note
If you have a previous release of ASDM on your security appliance and want to upgrade to the latest release, you can do so from within ASDM. We recommend that you upgrade the ASDM image before the platform image. ASDM is backward compatible, so you can upgrade the platform image using the new ASDM; you cannot use an old ASDM with a new platform image.
Note
But, if ASA or PIX is running version 8.0 or later, then ASDM 6.2 is backward compatible and may be upgraded before the ASA or PIX operating system.To upgrade ASDM, perform the following steps:
Step 1
Optionally, you can download a new platform image to your PC if the installed image is earlier than 8.0.
Step 2
Step 3
a.
b.
c.
Step 4
Step 5
If your security appliance does not have enough memory to hold two ASDM images, overwrite the old image with the new one by specifying the same destination filename. You can rename the image after it was uploaded using the Tools > File Management tool.
If you have enough memory for both versions, you can specify a different name for the new version. If you need to revert to the old version, it is still in your Flash memory.
Step 6
When ASDM is finished uploading, the following message appears:
"ASDM Image is Uploaded to Flash Successfully."
Step 7
Step 8
If your security appliance does not have enough memory to hold two ASDM images, overwrite the old image with the new one by specifying the same destination filename. You can rename the image after it was uploaded using the Tools > File Management tool.
Step 9
Tools > System Reload tool.Make sure to choose "Save the running configuration at time of reload".
Step 10
Unsupported Commands
ASDM supports almost all commands available for the adaptive security appliance, but ASDM ignores some commands in an existing configuration. Most of these commands can remain in your configuration; see Tools > Show Commands Ignored by ASDM on Device for more information.
This section includes the following topics:
•
•
•
•
Ignored and View-Only Commands
Table 10 lists commands that ASDM supports in the configuration when added through the CLI, but that cannot be added or edited in ASDM. If ASDM ignores the command, it does not appear in the ASDM GUI at all. If the command is view-only, then it appears in the GUI, but you cannot edit it.
Effects of Unsupported Commands
•
•
Monitor-only mode allows access to the following functions:
–
–
To exit Monitor-only mode, use the CLI tool or access the security appliance console, and remove the alias command. You can use outside NAT instead of the alias command. See the Cisco Security Appliance Command Reference for more information.
Note
Configuration > Device Management > Users/AAA > AAA Access.
Discontinuous Subnet Masks Not Supported
ASDM does not support discontinuous subnet masks such as 255.255.0.255. For example, you cannot use the following:
ip address inside 192.168.2.1 255.255.0.255Interactive User Commands Not Supported by the ASDM CLI Tool
The ASDM CLI tool does not support interactive user commands. If you enter a CLI command that requires interactive confirmation, ASDM prompts you to enter "[yes/no]" but does not recognize your input. ASDM then times out waiting for your response.
For example:
1.
2.
ASDM generates the default 1024-bit RSA key.
3.
Instead of regenerating the RSA keys by overwriting the previous one, ASDM displays the following error:
Do you really want to replace them? [yes/no]:WARNING: You already have RSA ke0000000000000$A keyInput line must be less than 16 characters in length.%Please answer 'yes' or 'no'.Do you really want to replace them [yes/no]:%ERROR: Timed out waiting for a response.ERROR: Failed to create new RSA keys names <Default-RSA-key>Workaround:
•
•
crypto key generate rsa noconfirmOpen and Resolved Caveats for Software Version 6.2
The following section lists the open and resolved caveats in ASDM software Version 6.2.
•
•
•
Open Caveats for Software Version 6.2
Table 11 lists the open caveats for Version 6.2.
Resolved Caveats for Software Version 6.2.3
Table 12 lists the resolved caveats for Version 6.2.3
Resolved Caveats for Software Version 6.2.1
Table 13 lists the resolved caveats for Version 6.2.1
End-User License Agreement
For information on the end-user license agreement, go to: http://www.cisco.com/univercd/cc/td/doc/es_inpck/eu1jen__.pdf
Related Documentation
For additional information on ASDM or its platforms, see Navigating the Cisco ASA 5500 Series Documentation:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCDE, CCSI, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0903R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
©2009 Cisco Systems, Inc. All rights reserved.
Guest
