Hardware and Software Compatibility
For a complete list of supported hardware and software, see Cisco ASA Compatibility.
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The ASA provides advanced stateful firewall and VPN concentrator functionality in one device as well as integrated services with add-on modules. The ASA includes many advanced features, such as multiple security contexts (similar to virtualized firewalls), clustering (combining multiple firewalls into a single firewall), transparent (Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines, IPsec VPN, SSL VPN, and clientless SSL VPN support, and many more features.
For a complete list of supported hardware and software, see Cisco ASA Compatibility.
This section lists new features for each release.
Note |
New, changed, and deprecated syslog messages are listed in the syslog message guide. |
There are no new features in this release.
There are no new features in this release.
Feature |
Description |
---|---|
SNMP Features |
|
SNMP polling over site-to-site VPN |
For secure SNMP polling over a site-to-site VPN, include the IP address of the outside interface in the crypto map access-list as part of the VPN configuration. |
Feature |
Description |
---|---|
Licensing Features |
|
ASAv100 permanent license reservation |
The ASAv100 now supports permanent license reservation using product ID L-ASAV100SR-K9=. Note: Not all accounts are approved for permanent license reservation. |
Note |
This release is only supported on the ASAv. |
Feature |
Description |
---|---|
Platform Features |
|
ASAv100 platform |
The ASAv virtual platform has added the ASAv100, a high-end performance model that provides 20 Gbps Firewall throughput levels. The ASAv100 is a subscription-based license, available in terms of 1 year, 3 years, or 5 years. The ASAv100 is supported on VMware ESXi and KVM only. |
Feature |
Description |
||
---|---|---|---|
Platform Features |
|||
ASA for the Firepower 4112 |
We introduced the ASA for the Firepower 4112. No modified commands.
|
||
Firewall Features |
|||
Ability to see port numbers in show access-list output. |
The show access-list command now has the numeric keyword. You can use this to view port numbers in the access control entries rather than names, for example, 80 instead of www. |
||
The object-group icmp-type command is deprecated. |
Although the command remains supported in this release, the object-group icmp-type command is deprecated and might be removed in a future release. Please change all ICMP-type objects to service object groups (object-group service ) and specify service icmp within the object. |
||
Kerberos Key Distribution Center (KDC) authentication. |
You can import a keytab file from a Kerberos Key Distribution Center (KDC), and the system can authenticate that the Kerberos server is not being spoofed before using it to authenticate users. To accomplish KDC authentication, you must set up a host/ASA_hostname service principal name (SPN) on the Kerberos KDC, then export a keytab for that SPN. You then must upload the keytab to the ASA, and configure the Kerberos AAA server group to validate the KDC. New/Modified commands: aaa kerberos import-keytab , clear aaa kerberos keytab , show aaa kerberos keytab , validate-kdc . |
||
High Availability and Scalability Features |
|||
Configuration sync to data units in parallel |
The control unit now syncs configuration changes with data units in parallel by default. Formerly, synching occurred sequentially. New/Modified commands: config-replicate-parallel |
||
Messages for cluster join failure or eviction added to show cluster history |
New messages were added to the show cluster history command for when a cluster unit either fails to join the cluster or leaves the cluster. New/Modified commands: show cluster history |
||
Interface Features |
|||
Speed auto-negotation can be disabled on 1GB fiber interfaces on the Firepower 1000 and 2100 |
You can now configure a Firepower 1100 or 2100 SFP interface to disable auto-negotiation. For 10GB interfaces, you can configure the speed down to 1GB without auto-negotiation; you cannot disable auto-negotiation for an interface with the speed set to 10GB. New/Modified commands: speed nonegotiate |
||
Administrative and Troubleshooting Features |
|||
New connection-data-rate command |
The connection-data-rate command was introduced to provide an overview on data rate of individual connections on the ASA. When this command is enabled, per-flow data rate along with the existing connection information are provided. This information helps to identify and block unwanted connections with high data rates, thereby, ensuring an optimized CPU utilization. New/Modified commands: conn data-rate ,show conn data-rate , show conn detail , clear conn data-rate |
||
HTTPS idle timeout setting |
You can now set the idle timeout for all HTTPS connections to the ASA, including ASDM, WebVPN, and other clients. Formerly, using the http server idle-timeout command, you could only set the ASDM idle timeout. If you set both timeouts, the new command takes precendence. New/Modified commands: http connection idle-timeout |
||
NTPv4 support |
The ASA now supports NTPv4. No modified commands. |
||
New clear logging counter command |
The show logging command provides statistics of messages logged for each logging category configured on the ASA. The clear logging counter command was introduced to clear the logged counters and statistics. New/Modified commands: clear logging counter |
||
Debug command changes for FXOS on the Firepower 1000 and 2100 in Appliance mode |
The debug fxos_parser command has been simplified to provide commonly-used troubleshooting messages about FXOS. Other FXOS debug commands have been moved under the debug menu fxos_parser command. New/Modified commands: debug fxos_parser , debug menu fxos_parser |
||
show tech-support command enhanced |
The show ssl objects and show ssl errors command was added to the output of the show tech-support command. New/Modified commands: show tech-support Also in 9.12(4). |
||
Monitoring Features |
|||
Net-SNMP version 5.8 Support |
The ASA is using Net-SNMP, a suite of applications used to implement SNMP v1, SNMP v2c, and SNMP v3 using both IPv4 and IPv6. No modified commands. |
||
SNMP OIDs and MIBs |
The ASA enhances support for the CISCO-REMOTE-ACCESS-MONITOR-MIB to track rejected/failed authentications from RADIUS over SNMP. This feature implements three SNMP OIDs:
The ASA provides support for the Advanced Encryption Standard (AES) Cipher Algorithm. This feature implements the following SNMP OIDs:
|
||
SNMPv3 Authentication |
You can now use SHA-256 HMAC for user authentication. New/Modified commands: snmp-server user |
||
debug telemetry command. |
You can use the debug telemetry command, debug messages related to telemetry are displayed. The debugs help to identify the cause for errors when generating the telemetry report. New/Modified commands: debug telemetry , show debug telemetry |
||
VPN Features |
|||
DHCP Relay Server Support on VTI |
You can now configure DHCP relay server to forward DHCP messages through VTI tunnel interface. New/Modified commands: dhcprelay server |
||
IKEv2 Support for Multiple Peer Crypto Map |
You can now configure IKEv2 with multi-peer crypto map—when a peer in a tunnel goes down, IKEv2 attempts to establish the SA with the next peer in the list. No modified commands. |
||
Username Options for Multiple Certificate Authentication |
In multiple certificate authentication, you can now specify from which certificate, first (machine certificate) or second (user certificate), you want the attributes to be used for aaa authentication. New/Modified commands: username-from-certificate-choice, secondary-username-from-certificate-choice |
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network. If you have network resources that need to be available to an outside user, such as a web or FTP server, you can place these resources on a separate network behind the firewall, called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ only includes the public servers, an attack there only affects the servers and does not affect the other inside networks. You can also control when inside users access outside networks (for example, access to the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by coordinating with an external URL filtering server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited access to outside users. Because the ASA lets you configure many interfaces with varied security policies, including many inside interfaces, many DMZs, and even many outside interfaces if desired, these terms are used in a general sense only.
A security policy determines which traffic is allowed to pass through the firewall to access another network. By default, the ASA allows traffic to flow freely from an inside network (higher security level) to an outside network (lower security level). You can apply actions to traffic to customize the security policy.
You can apply access rules to limit traffic from inside to outside, or allow traffic from outside to inside. For bridge group interfaces, you can also apply an EtherType access rule to allow non-IP traffic.
Some of the benefits of NAT include the following:
You can use private addresses on your inside networks. Private addresses are not routable on the Internet.
NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.
NAT can resolve IP routing problems by supporting overlapping IP addresses.
The ASA provides IP fragment protection. This feature performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the ASA. Fragments that fail the security check are dropped and logged. Virtual reassembly cannot be disabled.
Although you can use access lists to prevent outbound access to specific websites or FTP servers, configuring and managing web usage this way is not practical because of the size and dynamic nature of the Internet.
You can configure Cloud Web Security on the ASA, or install an ASA module that provides URL and other filtering services, such as ASA CX or ASA FirePOWER. You can also use the ASA in conjunction with an external product such as the Cisco Web Security Appliance (WSA).
Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection.
Some ASA models allow you to configure software modules, or to insert hardware modules into the chassis, to provide advanced services. These modules provide additional traffic inspection and can block traffic based on your configured policies. You can send traffic to these modules to take advantage of these advanced services.
Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a network feature that lets you give priority to these types of traffic. QoS refers to the capability of a network to provide better service to selected network traffic.
You can limit TCP and UDP connections and embryonic connections. Limiting the number of connections and embryonic connections protects you from a DoS attack. The ASA uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.
TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that do not appear normal.
You can configure scanning threat detection and basic threat detection, and also how to use statistics to analyze threats.
Basic threat detection detects activity that might be related to an attack, such as a DoS attack, and automatically sends a system log message.
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection that is based on traffic signatures, the ASA scanning threat detection feature maintains an extensive database that contains host statistics that can be analyzed for scanning activity.
The host database tracks suspicious activity such as connections with no return activity, access of closed service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
You can configure the ASA to send system log messages about an attacker or you can automatically shun the host.
The ASA runs in two different firewall modes:
Routed
Transparent
In routed mode, the ASA is considered to be a router hop in the network.
In transparent mode, the ASA acts like a “bump in the wire,” or a “stealth firewall,” and is not considered a router hop. The ASA connects to the same network on its inside and outside interfaces in a "bridge group".
You might use a transparent firewall to simplify your network configuration. Transparent mode is also useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow multicast streams using an EtherType access list.
Routed mode supports Integrated Routing and Bridging, so you can also configure bridge groups in routed mode, and route between bridge groups and regular interfaces. In routed mode, you can replicate transparent mode functionality; if you do not need multiple context mode or clustering, you might consider using routed mode instead.
All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process.
Note |
The TCP state bypass feature allows you to customize the packet flow. |
A stateful firewall like the ASA, however, takes into consideration the state of a packet:
Is this a new connection?
If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the “session management path,” and depending on the type of traffic, it might also pass through the “control plane path.”
The session management path is responsible for the following tasks:
Performing the access list checks
Performing route lookups
Allocating NAT translations (xlates)
Establishing sessions in the “fast path”
The ASA creates forward and reverse flows in the fast path for TCP traffic; the ASA also creates connection state information for connectionless protocols like UDP, ICMP (when you enable ICMP inspection), so that they can also use the fast path.
Note |
For other IP protocols, like SCTP, the ASA does not create reverse path flows. As a result, ICMP error packets that refer to these connections are dropped. |
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
Is this an established connection?
If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the “fast” path in both directions. The fast path is responsible for the following tasks:
IP checksum verification
Session lookup
TCP sequence number check
NAT translations based on existing sessions
Layer 3 and Layer 4 header adjustments
Data packets for protocols that require Layer 7 inspection can also go through the fast path.
Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.
A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private connection. This secure connection is called a tunnel. The ASA uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The ASA functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination. The ASA invokes various standard protocols to accomplish these functions.
The ASA performs the following functions:
Establishes tunnels
Negotiates tunnel parameters
Authenticates users
Assigns user addresses
Encrypts and decrypts data
Manages security keys
Manages data transfer across the tunnel
Manages data transfer inbound and outbound as a tunnel endpoint or router
The ASA invokes various standard protocols to accomplish these functions.
You can partition a single ASA into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management; however, some features are not supported. See the feature chapters for more information.
In multiple context mode, the ASA includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device. The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the ASA. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.
The admin context is just like any other context, except that when a user logs into the admin context, then that user has system administrator rights and can access the system and all other contexts.
ASA Clustering lets you group multiple ASAs together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices.
You perform all configuration (aside from the bootstrap configuration) on the control unit only; the configuration is then replicated to the member units.
For some services, documentation is located outside of the main configuration guides and online help.
Special services allow the ASA to interoperate with other Cisco products; for example, by providing a security proxy for phone services (Unified Communications), or by providing Botnet traffic filtering in conjunction with the dynamic database from the Cisco update server, or by providing WCCP services for the Cisco Web Security Appliance. Some of these special services are covered in separate guides:
Legacy services are still supported on the ASA, however there may be better alternative services that you can use instead. Legacy services are covered in a separate guide:
Cisco ASA Legacy Feature Guide
This guide includes the following chapters:
Configuring RIP
AAA Rules for Network Access
Using Protection Tools, which includes Preventing IP Spoofing (ip verify reverse-path), Configuring the Fragment Size (fragment), Blocking Unwanted Connections (shun), Configuring TCP Options (for ASDM), and Configuring IP Audit for Basic IPS Support (ip audit).
Configuring Filtering Services