ASDM Book 1: Cisco ASA Series General Operations ASDM Configuration Guide, 7.2

Microsoft Windows (English and Japanese):

• 8
• 7
• Vista
• 2008 Server
• XP

6 through 10. Version 11 or later is not supported.

1.5 or later

No support

18 or later

6 or later

Apple OS X 10.4 and later

No support

1.5 or later

2 or later

18 or later

6 or later

Red Hat Enterprise Linux 5 (GNOME or KDE):

• Desktop
• Desktop with Workstation

N/A

1.5 or later

N/A

18 or later

6 or later

7 update 51

ASDM Launcher requires trusted certificate

To continue using the Launcher, do one of the following:

• Install a trusted certificate on the ASA from a known CA.
• Install a self-signed certificate and register it with Java. See the ASDM certificate procedure in this document.
• Downgrade Java to 7 update 45 or earlier.
• Alternatively use Java Web Start.

Note ASDM 7.1(5) and earlier are not supported with Java 7 update 51. If you already upgraded Java, and can no longer launch ASDM in order to upgrade it to Version 7.2, then you can either use the CLI to upgrade ASDM, or you can add a security exception in the Java Control Panel for each ASA you want to manage with ASDM. See the “Workaround” section at:

http://java.com/en/download/help/java_blocked.xml

After adding the security exception, launch the older ASDM and then upgrade to 7.2.

In rare cases, online help does not load when using Java Web Start

In rare cases, when launching online help, the browser window loads, but the content fails to appear. The browser reports an error: “Unable to connect”.

Workaround:

• Use the ASDM Launcher

Or:

• Clear the -Djava.net.preferIPv6Addresses=true parameter in Java Runtime Parameters:

a. Launch the Java Control Panel.

b. Click the Java tab.

c. Click View.

d. Clear this parameter: -Djava.net.preferIPv6Addresses=true

e. Click OK, then Apply, then OK again.

7 update 45

ASDM shows a yellow warning about the missing Permissions attribute when using an untrusted certificate

Due to a bug in Java, if you do not have a trusted certificate installed on the ASA, you see a yellow warning about a missing Permissions attribute in the JAR manifest. It is safe to ignore this warning ; ASDM 7.2 includes the Permissions attribute. To prevent the warning from appearing, install a trusted certificate (from a known CA); or generate a self-signed certificate on the ASA by choosing Configuration > Device Management > Certificates > Identity Certificates. Launch ASDM, and when the certificate warning is shown, check the Always trust connections to websites check box.

7

Requires strong encryption license (3DES/AES) on ASA

ASDM requires an SSL connection to the ASA. If the ASA has only the base encryption license (DES), and therefore has weak encryption ciphers for the SSL connection, you cannot launch ASDM. You must uninstall Java 7, and install Java 6 ( http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase6-419409.html). Note that a workaround is required for weak encryption and Java 6 (see below, in this table).

6

No usernames longer than 50 characters

Due to a Java bug, ASDM does not support usernames longer than 50 characters when using Java 6. Longer usernames work correctly for Java 7.

Requires strong encryption license (3DES/AES) on ASA or workaround

When you initially connect a browser to the ASA to load the ASDM splash screen, the browser attempts to make an SSL connection to the ASA. If the ASA has only the base encryption license (DES), and therefore has weak encryption ciphers for the SSL connection, you may not be able to access the ASDM splash screen; most current browsers do not support weak encryption ciphers. Therefore, without the strong encryption license (3DES/AES), use one of the following workarounds:

• If available, use an already downloaded ASDM launcher or Java Web Start shortcut. The Launcher and Web Start shortcut work with Java 6 and weak encryption, even if the browsers do not.
• For Windows Internet Explorer, you can enable DES as a workaround. See http://support.microsoft.com/kb/929708 for details.
• For Firefox on any operating system, you can enable the security.ssl3.dhe_dss_des_sha setting as a workaround. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.

All

• Self-signed certificate or an untrusted certificate
• IPv6
• Firefox and Safari

When the ASA uses a self-signed certificate or an untrusted certificate, Firefox 4 and later and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. See https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority.

• SSL encryption on the ASA must include both RC4-MD5 and RC4-SHA1 or disable SSL false start in Chrome.
• Chrome

If you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome “SSL false start” feature. We suggest re-enabling one of these algorithms (see the Configuration > Device Management > Advanced > SSL Settings pane); or you can disable SSL false start in Chrome using the --disable-ssl-false-start flag according to http://www.chromium.org/developers/how-tos/run-chromium-with-flags.

IE9 for servers

For Internet Explorer 9.0 for servers, the “Do not save encrypted pages to disk” option is enabled by default (See Tools > Internet Options > Advanced). This option causes the initial ASDM download to fail. Be sure to disable this option to allow ASDM to download.

OS X

On OS X, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes.

All

OS X 10.8 and later

You need to allow ASDM to run because it is not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen.

1. To allow ASDM to run, right-click (or Ctrl-Click) the Cisco ASDM-IDM Launcher icon, and choose Open.

2. You see a similar error screen; however, you can open ASDM from this screen. Click Open. The ASDM-IDM Launcher opens.

Clientless SSL VPN session cookie access restriction

You can now prevent a Clientless SSL VPN session cookie from being accessed by a third party through a client-side script such as Javascript.

Note Use this feature only if Cisco TAC advises you to do so. Enabling this command presents a security risk because the following Clientless SSL VPN features will not work without any warning.

• Java plug-ins
• Java rewriter
• Port forwarding
• File browser
• Sharepoint features that require desktop applications (for example, MS Office applications)
• AnyConnect Web launch
• Citrix Receiver, XenDesktop, and Xenon
• Other non-browser-based and browser plugin-based applications

We introduced the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > HTTP Cookie

ASA 5585-X (all models) support for the matching ASA FirePOWER SSP hardware module.

ASA 5512-X through ASA 5555-X support for the ASA FirePOWER software module.

The ASA FirePOWER module supplies next-generation firewall services, including Next-Generation IPS (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP).You can use the module in single or multiple context mode, and in routed or transparent mode.

We introduced the following screens:

Home > ASA FirePOWER Status
Wizards > Startup Wizard > ASA FirePOWER Basic Configuration
Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > ASA FirePOWER Inspection

Internet Explorer 11 browser support on Windows 8.1 and Windows 7 for clientless SSL VPN

We added support for Internet Explorer 11 with Windows 7 and Windows 8.1 for clientless SSL VPN..

We did not modify any screens.

The Cisco Adaptive Security Virtual Appliance (ASAv) has been added as a new platform to the ASA series.

The ASAv brings full firewall functionality to virtualized environments to secure data center traffic and multi-tenant environments. The ASAv runs on VMware vSphere. You can manage and monitor the ASAv using ASDM or the CLI.

BGP Support

We now support the Border Gateway Protocol (BGP). BGP is an inter autonomous system routing protocol. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISP).

We introduced the following screens:
Configuration > Device Setup > Routing > BGP
Monitoring > Routing > BGP Neighbors, Monitoring > Routing > BGP Routes

We modified the following screens:
Configuration > Device Setup > Routing > Static Routes> Add > Add Static Route
Configuration > Device Setup > Routing > Route Maps> Add > Add Route Map

Static route for Null0 interface

Sending traffic to a Null0 interface results in dropping the packets destined to the specified network. This feature is useful in configuring Remotely Triggered Black Hole (RTBH) for BGP.

We modified the following screen:
Configuration > Device Setup > Routing > Static Routes> Add > Add Static Route

OSPF support for Fast Hellos

OSPF supports the Fast Hello Packets feature, resulting in a configuration that results in faster convergence in an OSPF network.

We modified the following screen: Configuration > Device Setup > Routing > OSPF > Interface > Edit OSPF Interface Advanced properties

New OSPF Timers

New OSPF timers were added; old ones were deprecated.

We modified the following screen: Configuration > Device Setup > Routing > OSPF > Setup > Edit OSPF Process Advanced Properties

OSPF Route filtering using ACL

Route filtering using ACL is now supported.

We introduced the following screen: Configuration > Device Setup > Routing > OSPF > Filtering Rules > Add Filter Rules

OSPF Monitoring enhancements

Additional OSPF monitoring information was added.

We modified the following commands: show ospf events, show ospf rib, show ospf statistics, show ospf border-routers [detail], show ospf interface brief

OSPF redistribute BGP

OSPF redistribution feature was added.

We added the following screen: Configuration > Device Setup > Routing > OSPF > Redistribution

EIGRP Auto- Summary

For EIGRP, the Auto-Summary field is now disabled by default.

We modified the following screen: Configuration > Device Setup > Routing > EIGRP > Setup > Edit EIGRP Process Advanced Properties

Support for cluster members at different geographical locations (inter-site) for transparent mode

You can now place cluster members at different geographical locations when using Spanned EtherChannel mode in transparent firewall mode. Inter-site clustering with spanned EtherChannels in routed firewall mode is not supported.

We did not modify any ASDM screens.

Static LACP port priority support for clustering

Some switches do not support dynamic port priority with LACP (active and standby links). You can now disable dynamic port priority to provide better compatibility with spanned EtherChannels. You should also follow these guidelines:

• Network elements on the cluster control link path should not verify the L4 checksum. Redirected traffic over the cluster control link does not have a correct L4 checksum. Switches that verify the L4 checksum could cause traffic to be dropped.
• Port-channel bundling downtime should not exceed the configured keepalive interval.

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster

Support for 32 active links in a spanned EtherChannel for clustering

ASA EtherChannels now support up to 16 active links. With spanned EtherChannels, that functionality is extended to support up to 32 active links across the cluster when used with two switches in a vPC and when you disable dynamic port priority. The switches must support EtherChannels with 16 active links, for example, the Cisco Nexus 7000 with with F2-Series 10 Gigabit Ethernet Module.

For switches in a VSS or vPC that support 8 active links, you can now configure 16 active links in the spanned EtherChannel (8 connected to each switch). Previously, the spanned EtherChannel only supported 8 active links and 8 standby links, even for use with a VSS/vPC.

Note If you want to use more than 8 active links in a spanned EtherChannel, you cannot also have standby links; the support for 9 to 32 active links requires you to disable cLACP dynamic port priority that allows the use of standby links.

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster

Support for 16 cluster members for the ASA 5585-X

The ASA 5585-X now supports 16-unit clusters.

We did not modify any ASDM screens.

Support for clustering with the Cisco Nexus 9300

The ASA supports clustering when connected to the Cisco Nexus 9300.

ISE Change of Authorization

The ISE Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is established. When a policy changes for a user or user group in AAA, CoA packets can be sent directly to the ASA from the ISE to reinitialize authentication and apply the new policy. An Inline Posture Enforcement Point (IPEP) is no longer required to apply access control lists (ACLs) for each VPN session established with the ASA.

When an end user requests a VPN connection the ASA authenticates the user to the ISE and receives a user ACL that provides limited access to the network. An accounting start message is sent to the ISE to register the session. Posture assessment occurs directly between the NAC agent and the ISE. This process is transparent to the ASA. The ISE sends a policy update to the ASA via a CoA “policy push.” This identifies a new user ACL that provides increased network access privileges. Additional policy evaluations may occur during the lifetime of the connection, transparent to the ASA, via subsequent CoA updates.

We modified the following screen: Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups > Add/Edit AAA Server Group

Improved clientless rewriter HTTP 1.1 compression handling

The rewriter has been changed so that if the client supports compressed content and the content will not be rewritten, then it will accept compressed content from the server. If the content must be rewritten and it is identified as being compressed, it will be decompressed, rewritten, and if the client supports it, recompressed.

We did not introduce or modify any ASDM screens.

OpenSSL upgrade

The version of OpenSSL on the ASA will be updated to version 1.0.1e.

Note We disabled the heartbeat option, so the ASA is not vulnerable to the Heartbleed Bug.

We did not introduce or modify any ASDM screens.

Support for 16 active links in an EtherChannel

You can now configure up to 16 active links in an EtherChannel. Previously, you could have 8 active links and 8 standby links. Be sure your switch can support 16 active links (for example the Cisco Nexus 7000 with with F2-Series 10 Gigabit Ethernet Module).

Note If you upgrade from an earlier ASA version, the maximum active interfaces is set to 8 for compatibility purposes.

We modified the following screen: Configuration > Device Setup > Interfaces > Add/Edit EtherChannel Interface > Advanced.

Embedded Event Manager (EEM)

The EEM feature enables you to debug problems and provides general purpose logging for troubleshooting. The EEM responds to events in the EEM system by performing actions. There are two components: events that the EEM triggers, and event manager applets that define actions. You may add multiple events to each event manager applet, which triggers it to invoke the actions that have been configured on it.

We introduced the following screens: Configuration > Device Management > Advanced > Embedded Event Manager, Monitoring > Properties > EEM Applets.

SNMP hosts, host groups, and user lists

You can now add up to 4000 hosts. The number of supported active polling destinations is 128. You can specify a network object to indicate the individual hosts that you want to add as a host group. You can associate more than one user with one host.

We modified the following screen: Configuration > Device Management > Management Access > SNMP.

SNMP message size

The limit on the message size that SNMP sends has been increased to 1472 bytes.

SNMP OIDs and MIBs

The ASA now supports the cpmCPUTotal5minRev OID.

The ASAv has been added as a new product to the SNMP sysObjectID OID and entPhysicalVendorType OID.

The CISCO-PRODUCTS-MIB and CISCO-ENTITY-VENDORTYPE-OID-MIB have been updated to support the new ASAv platform.

The CISCO-VPN-LIC-USAGE-MONITOR-MIB, a new SNMP MIB for monitoring VPN shared license usage, has been added. The OID has the following index: 1.3.6.1.4.1.9.9.816.x.x. This new OID polls the number of active and max-session connections.

We did not introduce or modify any commands.

Administrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once. The auto-enable option was added to the aaa authorization exec command.

We modified the following screen: Configuration > Device Management > Users/AAA > AAA Access > Authorization.

Auto Update Server certificate verification enabled by default

The Auto Update Server certificate verification is now enabled by default; for new configurations, you must explicitly disable certificate verification. If you are upgrading from an earlier release, and you did not enable certificate verification, then certificate verification is not enabled, and you see the following warning:

The configuration will be migrated to explicitly configure no verification.

We modified the following screen: Configuration > Device Management > System/Image Configuration > Auto Update > Add Auto Update Server.