Multiple DNS server groups | 9.18(1)
You can now use multiple DNS server groups: one group is the default, while other groups can be associated with specific domains. A DNS request that matches a domain associated with a DNS server group will use that group. For example, if you want traffic destined to inside eng.cisco.com servers to use an inside DNS server, you can map eng.cisco.com to an inside DNS group. All DNS requests that do not match a domain mapping will use the default DNS server group, which has no associated domains. For example, the DefaultDNS group can include a public DNS server available on the outside interface.
New/Modified screens:

Trusted DNS servers for network-service object domain resolution | 9.17(1)
You can specify which DNS servers the system should trust when resolving domain names in network-service objects. This feature ensures that domain name resolutions for network-service objects obtain IP addresses only from trusted sources.
New/Modified screens:

Change in DNS entry TTL behavior | 9.17(1)
Formerly, the configured expire-entry-timer value was added to the existing TTL of each entry (the default was 1 minute). Now, if the expiration timer is longer than the entry's TTL, the TTL is increased to the expire-entry-timer value. If the TTL is longer than the expiration timer, the expire-entry-timer value is ignored; no additional time is added to the TTL in this case.
New/Modified screens:

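As an added example that is not Cisco's code, the following Python models two behaviors described above: the domain-to-group selection of the multiple DNS server groups feature (9.18(1)) and the old versus new expire-entry-timer rule for cached entries (9.17(1)). It assumes that a query matches a group's domain on whole DNS labels and that the longest matching domain wins; the resolver addresses are constructed sample values.

```python
# Added example (not Cisco code): models the 9.18(1) DNS server-group selection
# and the 9.17(1) expire-entry-timer rule. Assumptions: a request matches a
# group's domain on whole labels (host.eng.cisco.com matches eng.cisco.com,
# fakeeng.cisco.com does not) and the longest matching domain wins.
from dataclasses import dataclass, field

@dataclass
class DnsServerGroup:
    name: str
    servers: list                                  # resolver addresses
    domains: list = field(default_factory=list)    # empty list = default group

def _domain_matches(query: str, domain: str) -> bool:
    q, d = query.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)

def select_group(query: str, groups: list) -> DnsServerGroup:
    """Group whose associated domain matches the query name, else the
    group with no associated domains (the default)."""
    best, best_len, default = None, -1, None
    for group in groups:
        if not group.domains:
            default = group
            continue
        for domain in group.domains:
            if _domain_matches(query, domain) and len(domain) > best_len:
                best, best_len = group, len(domain)
    if best is not None:
        return best
    if default is None:
        raise LookupError("no default DNS server group configured")
    return default

def effective_ttl(record_ttl: int, expire_entry_timer: int, legacy: bool = False) -> int:
    """Cache lifetime of a resolved entry (both inputs in the same unit).
    legacy=True : pre-9.17, the configured timer is added to the record TTL.
    legacy=False: 9.17(1)+, the TTL is raised to the timer only if the timer
    is longer; a TTL that is already longer is left unchanged."""
    if legacy:
        return record_ttl + expire_entry_timer
    return max(record_ttl, expire_entry_timer)

# Constructed sample configuration: public resolver on the outside as the
# default group, inside resolver mapped to eng.cisco.com.
GROUPS = [
    DnsServerGroup("DefaultDNS", ["203.0.113.53"]),
    DnsServerGroup("InsideDNS", ["10.0.0.53"], ["eng.cisco.com"]),
]
```
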
Stronger local user and enable password requirements | 9.17(1)
For local users and the enable password, the following password requirements were added:
- Password length—Minimum 8 characters. Formerly, the minimum was 3 characters.
- Repetitive and sequential characters—Three or more consecutive sequential or repetitive ASCII characters are disallowed. For example, the following passwords will be rejected:
  - abcuser1
  - user543
  - useraaaa
  - user2666
New/Modified screens:

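As an added example that is not Cisco's code, this Python checker applies the two 9.17(1) rules above to a candidate password and reports which rule it breaks; the four rejected passwords from the list are used as constructed test input. It treats a run as three or more characters that are identical or step by exactly one ASCII code up or down.

```python
# Added example (not Cisco code): validates a local-user or enable password
# against the 9.17(1) rules: minimum 8 characters, and no three or more
# consecutive characters that are identical or form an ascending/descending
# ASCII sequence (abc, 543, aaa, 666).
MIN_LEN = 8
RUN = 3

def has_forbidden_run(password: str) -> bool:
    """True if any RUN-character window is repetitive or sequential."""
    for i in range(len(password) - RUN + 1):
        codes = [ord(c) for c in password[i:i + RUN]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):      # aaa / abc / cba style runs
            return True
    return False

def check_password(password: str) -> list:
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if has_forbidden_run(password):
        problems.append("contains 3+ consecutive sequential or repetitive characters")
    return problems

# Constructed input: the examples the page lists as rejected.
REJECTED_EXAMPLES = ["abcuser1", "user543", "useraaaa", "user2666"]
```
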
NTPv4 support | 9.14(1)
The ASA now supports NTPv4.
No modified screens.

Additional NTP authentication algorithms | 9.13(1)
Formerly, only MD5 was supported for NTP authentication. The ASA now supports the following algorithms:
- MD5
- SHA-1
- SHA-256
- SHA-512
- AES-CMAC
New/Modified screens: button > Add NTP Server Configuration dialog box > Key Algorithm drop-down list

NTP support on IPv6 | 9.12(1)
You can now specify an IPv6 address for the NTP server.
New/Modified screens: button > Add NTP Server Configuration dialog box

enable password change now required on login | 9.12(1)
The default enable password is blank. When you try to access privileged EXEC mode on the ASA, you are now required to change the password to a value of 3 to 127 characters. You cannot keep it blank. The no enable password command is no longer supported.
At the CLI, you can access privileged EXEC mode using the enable command, the login command (with a user at privilege level 2+), or an SSH or Telnet session when you enable aaa authorization exec auto-enable. All of these methods require you to set the enable password.
This password change requirement is not enforced for ASDM logins. In ASDM, by default you can log in without a username and with the enable password.
No modified screens.

ASP load balancing is disabled on the ASA virtual | 9.10(1)
With the recent integration of DPDK (Dataplane Development Kit) into the ASA virtual's accelerated security path (ASP), the ASA virtual shows better performance with this feature disabled.

Automatic ASP load balancing now supported for the ASA virtual | 9.8(1)
Formerly, you could only manually enable and disable ASP load balancing.
We modified the following screen: Configuration > Device Management > Advanced > ASP Load Balancing

PBKDF2 hashing for all local username and enable passwords | 9.7(1)
Local username and enable passwords of all lengths are stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash using SHA-512. Previously, passwords 32 characters and shorter used the MD5-based hashing method. Already existing passwords continue to use the MD5-based hash unless you enter a new password. See the "Software and Configurations" chapter in the General Operations Configuration Guide for downgrading guidelines.
We modified the following screens:

Dual power supply support for the ISA 3000 | 9.6(1)
If the ISA 3000 has dual power supplies, you can configure dual power supplies as the expected configuration in the ASA OS. If one power supply fails, the ASA issues an alarm. By default, the ASA expects a single power supply and won't issue an alarm as long as it includes one working power supply.
We introduced the following screen:

Longer password support for local username and enable passwords (up to 127 characters) | 9.6(1)
You can now create local username and enable passwords up to 127 characters (the former limit was 32). When you create a password longer than 32 characters, it is stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Shorter passwords continue to use the MD5-based hashing method.
We modified the following screens:

ISA 3000 hardware bypass | 9.4(1.225)
The ISA 3000 supports a hardware bypass function to allow traffic to continue flowing through the appliance when there is a loss of power.
We introduced the following screen:
This feature is not available in Version 9.5(1).

Automatic ASP Load Balancing | 9.3(2)
You can now enable automatic switching on and off of the ASP load balancing feature.
Note: The automatic feature is not supported on the ASA virtual; only manual enabling and disabling is supported.
We modified the following screen: Configuration > Device Management > Advanced > ASP Load Balancing

Removal of the default Telnet password | 9.0(2)/9.1(2)
To improve security for management access to the ASA, the default login password for Telnet was removed; you must manually set the password before you can log in using Telnet.
Note: The login password is only used for Telnet if you do not configure Telnet user authentication.
Previously, when you cleared the password, the ASA restored the default of "cisco." Now when you clear the password, the password is removed.
The login password is also used for Telnet sessions from the switch to the ASASM (see the session command). For initial ASASM access, you must use the service-module session command until you set a login password.
We did not modify any ASDM screens.

Password Encryption Visibility | 8.4(1)
We modified the show password encryption command.

Master Passphrase | 8.3(1)
We introduced this feature. The master passphrase allows you to securely store plain text passwords in encrypted format and provides a key that is used to universally encrypt or mask all passwords, without changing any functionality.
We introduced the following screens:
Configuration > Device Management > Advanced > Master Passphrase
Configuration > Device Management > Device Administration > Master Passphrase