AAA Features

Separate authentication for users with SSH public key authentication and users with passwords

In releases prior to 9.6(2), you could enable SSH public key authentication (ssh authentication ) without also explicitly enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL ). In 9.6(2), the ASA required you to explicitly enable AAA SSH authentication. In this release, you no longer have to explicitly enable AAA SSH authentication; when you configure the ssh authentication command for a user, local authentication is enabled by default for users with this type of authentication. Moreover, when you explicitly configure AAA SSH authentication, this configuration only applies for for usernames with passwords, and you can use any AAA server type (aaa authentication ssh console radius_1 , for example). For example, some users can use public key authentication using the local database, and other users can use passwords with RADIUS.

We did not modify any commands.

Platform Features

ASA for the Firepower 4150

We introduced the ASA for the Firepower 4150.

Requires FXOS 2.0.1.

We did not add or modify any commands.

Hot Plug Interfaces on the ASAv

You can add and remove Virtio virtual interfaces on the ASAv while the system is active. When you add a new interface to the ASAv, the virtual machine detects and provisions the interface. When you remove an existing interface, the virtual machine releases any resource associated with the interface. Hot plug interfaces are limited to Virtio virtual interfaces on the Kernel-based Virtual Machine (KVM) hypervisor.

Microsoft Azure support on the ASAv10

Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V Hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper V Hypervisor. The ASAv on Microsoft Azure supports one instance type, the Standard D3, which supports four vCPUs, 14 GB, and four interfaces.

Also in 9.5(2.200).

Through traffic support on the Management 0/0 interface for the ASAv

You can now allow through traffic on the Management 0/0 interface on the ASAv. Previously, only the ASAv on Microsoft Azure supported through traffic; now all ASAvs support through traffic. You can optionally configure this interface to be management-only, but it is not configured by default.

We modified the following command: management-only

Common Criteria Certification

The ASA was updated to comply with the Common Criteria requirements. See the rows in this table for the following features that were added for this certification:

• ASA SSL Server mode matching for ASDM

• SSL client RFC 6125 support:

  • Reference Identities for Secure Syslog Server connections and Smart Licensing connections

  • ASA client checks Extended Key Usage in server certificates

  • Mutual authentication when ASA acts as a TLS client for TLS1.1 and 1.2

• PKI debug messages

• Crypto Key Zeroization verification

• IPsec/ESP Transport Mode Support for IKEv2

• New syslog messages

Firewall Features

DNS over TCP inspection

You can now inspect DNS over TCP traffic (TCP/53).

We added the following command: tcp-inspection

MTP3 User Adaptation (M3UA) inspection

You can now inspect M3UA traffic and also apply actions based on point code, service indicator, and message class and type.

We added or modified the following commands: clear service-policy inspect m3ua {drops | endpoint [IP_address]} , inspect m3ua , match dpc , match opc , match service-indicator , policy-map type inspect m3ua , show asp table classify domain inspect-m3ua , show conn detail , show service-policy inspect m3ua {drops | endpoint IP_address} , ss7 variant , timeout endpoint

Session Traversal Utilities for NAT (STUN) inspection

You can now inspect STUN traffic for WebRTC applications including Cisco Spark. Inspection opens pinholes required for return traffic.

We added or modified the following commands: inspect stun , show conn detail , show service-policy inspect stun

Application layer health checking for Cisco Cloud Web Security

You can now configure Cisco Cloud Web Security to check the health of the Cloud Web Security application when determining if the server is healthy. By checking application health, the system can fail over to the backup server when the primary server responds to the TCP three-way handshake but cannot process requests. This ensures a more reliable system.

We added the following commands: health-check application url , health-check application timeout

Connection holddown timeout for route convergence.

You can now configure how long the system should maintain a connection when the route used by the connection no longer exists or is inactive. If the route does not become active within this holddown period, the connection is freed. You can reduce the holddown timer to make route convergence happen more quickly. However, the 15 second default is appropriate for most networks to prevent route flapping.

We added the following command: timeout conn-holddown

Also in 9.4(3).

Changes in TCP option handling

You can now specify actions for the TCP MSS and MD5 options in a packet’s TCP header when configuring a TCP map. In addition, the default handling of the MSS, timestamp, window-size, and selective-ack options has changed. Previously, these options were allowed, even if there were more than one option of a given type in the header. Now, packets are dropped by default if they contain more than one option of a given type. For example, previously a packet with 2 timestamp options would be allowed, now it will be dropped.

You can configure a TCP map to allow multiple options of the same type for MD5, MSS, selective-ack, timestamp, and window-size. For the MD5 option, the previous default was to clear the option, whereas the default now is to allow it. You can also drop packets that contain the MD5 option. For the MSS option, you can set the maximum segment size in the TCP map (per traffic class). The default for all other TCP options remains the same: they are cleared.

We modified the following command: tcp-options

Transparent mode maximum interfaces per bridge group increased to 64

The maximum interfaces per bridge group was increased from 4 to 64.

We did not modify any commands.

Flow offload support for multicast connections in transparent mode.

You can now offload multicast connections to be switched directly in the NIC on transparent mode Firepower 4100 and 9300 series devices. Multicast offload is available for bridge groups that contain two and only two interfaces.

There are no new commands or ASDM screens for this feature.

Customizable ARP rate limiting

You can set the maximum number of ARP packets allowed per second. The default value depends on your ASA model. You can customize this value to prevent an ARP storm attack.

We added the following commands: arp rate-limit, show arp rate-limit

Ethertype rule support for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address.

You can now write Ethertype access control rules for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address. Because of this addition, the bpdu keyword no longer matches the intended traffic. Rewrite bpdu rules for dsap 0x42 .

We modified the following commands: access-list ethertype

Remote Access Features

Pre-fill/Username-from-cert feature for multiple context mode

AnyConnect SSL support is extended, allowing pre-fill/username-from-certificate feature CLIs, previously available only in single mode, to be enabled in multiple context mode as well.

We did not modify any commands.

Flash Virtualization for Remote Access VPN

Remote access VPN in multiple context mode now supports flash virtualization. Each context can have a private storage space and a shared storage place based on the total flash that is available:

• Private storage—Store files associated only with that user and specific to the content that you want for that user.

• Shared storage—Upload files to this space and have it accessible to any user context for read/write access once you enable it.

We introduced the following commands: limit-resource storage, storage-url

AnyConnect client profiles supported in multiple context mode

AnyConnect client profiles are supported in multiple context mode. To add a new profile using ASDM, you must have the AnyConnect Secure Mobility Client release 4.2.00748 or 4.3.03013 and later.

Stateful failover for AnyConnect connections in multiple context mode

Stateful failover is now supported for AnyConnect connections in multiple context mode.

We did not modify any commands.

Remote Access VPN Dynamic Access Policy (DAP) is supported in multiple context mode

You can now configure DAP per context in multiple context mode.

We did not modify any commands.

Remote Access VPN CoA (Change of Authorization) is supported in multiple context mode

You can now configure CoA per context in multiple context mode.

We did not modify any commands.

Remote Access VPN localization is supported in multiple context mode

Localization is supported globally. There is only one set of localization files that are shared across different contexts.

We did not modify any commands.

Umbrella Roaming Security module support

You can choose to configure the AnyConnect Secure Mobility Client's Umbrella Roaming Security module for additional DNS-layer security when no VPN is active.

We did not modify any commands.

IPsec/ESP Transport Mode Support for IKEv2

Transport mode is now supported for ASA IKEv2 negotiation. It can be used in place of tunnel (default) mode. Tunnel mode encapsulates the entire IP packet. Transport mode encapsulates only the upper-layer protocols of an IP packet. Transport mode requires that both the source and destination hosts support IPSec, and can only be used when the destination peer of the tunnel is the final destination of the IP packet.

We modified the following command: crypto map set ikev2 mode

Per-packet routing lookups for IPsec inner packets

By default, per-packet adjacency lookups are done for outer ESP packets; lookups are not done for packets sent through the IPsec tunnel. In some network topologies, when a routing update has altered the inner packet’s path, but the local IPsec tunnel is still up, packets through the tunnel may not be routed correctly and fail to reach their destination. To prevent this, use the new option to enable per-packet routing lookups for the IPsec inner packets.

We added the following command: crypto ipsec inner-routing-lookup

Certificate and Secure Connection Features

ASA client checks Extended Key Usage in server certificates

Syslog and Smart licensing Server Certificates must contain “ServerAuth” in the Extended Key Usage field. If not, the connection fails.

Mutual authentication when ASA acts as a TLS client for TLS1.1 and 1.2

PKI debug messages

The ASA PKI module makes connections to CA servers such as SCEP enrollment, revocation checking using HTTP, etc. All of these ASA PKI exchanges will be logged as debug traces under debug crypto ca message 5.

ASA SSL Server mode matching for ASDM

For an ASDM user who authenticates with a certificate, you can now require the certificate to match a certificate map.

We modified the following command: http authentication-certificate match

Reference Identities for Secure Syslog Server connections and Smart Licensing connections

TLS client processing now supports rules for verification of a server identity defined in RFC 6125, Section 6. Identity verification will be done during PKI validation for TLS connections to the Syslog Server and the Smart Licensing server only. If the presented identity cannot be matched against the configured reference identity, the connection is not established.

We added or modified the following commands: crypto ca reference-identity, logging host, call home profile destination address

Crypto Key Zeroization verification

The ASA crypto system has been updated to comply with new key zeroization requirements. Keys must be overwritten with all zeros and then the data must be read to verify that the write was successful.

SSH public key authentication improvements

In earlier releases, you could enable SSH public key authentication (ssh authentication ) without also enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL ). The configuration is now fixed so that you must explicitly enable AAA SSH authentication. To disallow users from using a password instead of the private key, you can now create a username without any password defined.

We modified the following commands: ssh authentication, username

Interface Features

Increased MTU size for the ASA on the Firepower 4100/9300 chassis

You can set the maximum MTU to 9188 bytes on the Firepower 4100 and 9300; formerly, the maximum was 9000 bytes. This MTU is supported with FXOS 2.0.1.68 and later.

We modified the following command: mtu

Routing Features

Bidirectional Forwarding Detection (BFD) Support

The ASA now supports the BFD routing protocol. Support was added for configuring BFD templates, interfaces, and maps. Support for BGP routing protocol to use BFD was also added.

We added or modified the following commands: authentication, bfd echo, bfd interval, bfd map, bfd slow-timers, bfd template, bfd-template, clear bfd counters, echo, debug bfd, neighbor fall-over bfd, show bfd drops, show bfd map, show bfd neighbors, show bfd summary

IPv6 DHCP

The ASA now supports the following features for IPv6 addressing:

• DHCPv6 Address client—The ASA obtains an IPv6 global address and optional default route from the DHCPv6 server.

• DHCPv6 Prefix Delegation client—The ASA obtains delegated prefix(es) from a DHCPv6 server. The ASA can then use these prefixes to configure other ASA interface addresess so that StateLess Address Auto Configuration (SLAAC) clients can autoconfigure IPv6 addresses on the same network.

• BGP router advertisement for delegated prefixes

• DHCPv6 stateless server—The ASA provides other information such as the domain name to SLAAC clients when they send Information Request (IR) packets to the ASA. The ASA only accepts IR packets, and does not assign addresses to the clients.

We added or modified the following commands: clear ipv6 dhcp statistics, domain-name, dns-server, import, ipv6 address autoconfig, ipv6 address dhcp, ipv6 dhcp client pd, ipv6 dhcp client pd hint, ipv6 dhcp pool, ipv6 dhcp server, network, nis address, nis domain-name, nisp address, nisp domain-name, show bgp ipv6 unicast, show ipv6 dhcp, show ipv6 general-prefix, sip address, sip domain-name, sntp address

High Availability and Scalability Features

Improved sync time for dynamic ACLs from AnyConnect when using Active/Standby failover

When you use AnyConnect on a failover pair, then the sync time for the associated dynamic ACLs (dACLs) to the standby unit is now improved. Previously, with large dACLs, the sync time could take hours during which time the standby unit is busy syncing instead of providing high availability backup.

We did not modify any commands.

Licensing Features

Permanent License Reservation for the ASAv

For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv. In 9.6(2), we also added support for this feature for the ASAv on Amazon Web Services. This feature is not supported for Microsoft Azure.

We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return

Also in 9.5(2.200).

Satellite Server support for the ASAv

If your devices cannot access the internet for security reasons, you can optionally install a local Smart Software Manager satellite server as a virtual machine (VM).

We did not modify any commands.

Permanent License Reservation for the ASAv Short String enhancement

Due to an update to the Smart Agent (to 1.6.4), the request and authorization codes now use shorter strings.

We did not modify any commands.

Permanent License Reservation for the ASA on the Firepower 4100/9300 chassis

For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASA on the Firepower 9300 and Firepower 4100. All available license entitlements are included in the permanent license, including the Standard Tier, Strong Encryption (if qualified), Security Contexts, and Carrier licenses. Requires FXOS 2.0.1.

All configuration is performed on the Firepower 4100/9300 chassis; no configuration is required on the ASA.

Smart Agent Upgrade for ASAv to v1.6

The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account.

We introduced the following commands: show license status, show license summary, show license udi, show license usage

We modified the following commands: show license all, show tech-support license

We deprecated the following commands: show license cert, show license entitlement, show license pool, show license registration

Also in 9.5(2.200).

Monitoring Features

Packet capture of type asp-drop supports ACL and match filtering

When you create a packet capture of type asp-drop, you can now also specify an ACL or match option to limit the scope of the capture.

We modified the following command: capture type asp-drop

Forensic Analysis enhancements

You can create a core dump of any process running on the ASA. The ASA also extracts the text section of the main ASA process that you can copy from the ASA for examination.

We modified the following commands: copy system:text, verify system:text, crashinfo force dump process

Tracking Packet Count on a Per-Connection Basis through NetFlow

Two counters were added that allow Netflow users to see the number of Layer 4 packets being sent in both directions on a connection. You can use these counters to determine average packet rates and sizes and to better predict traffic types, anomalies, and events.

We did not modify any commands.

SNMP engineID sync for Failover

In a failover pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote engineID.

An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running config output will show two engineIDs per user.

We modified the following command: snmp-server user

Also in 9.4(3).

Platform Features

ASA for the Firepower 4100 series

We introduced the ASA for the Firepower 4110, 4120, and 4140.

Requires FXOS 1.1.4.

We did not add or modify any commands.

SD card support for the ISA 3000

You can now use an SD card for external storage on the ISA 3000. The card appears as disk3 in the ASA file system. Note that plug and play support requires hardware version 2.1 and later. Use the show module command to check your hardware version.

We did not add or modify any commands.

Dual power supply support for the ISA 3000

For dual power supplies in the ISA 3000, you can establish dual power supplies as the expected configuration in the ASA OS. If one power supply fails, the ASA issues an alarm. By default, the ASA expects a single power supply and won't issue an alarm as long as it includes one working power supply.

We introduced the following command: power-supply dual .

Firewall Features

Diameter inspection improvements

You can now inspect Diameter over TCP/TLS traffic, apply strict protocol conformance checking, and inspect Diameter over SCTP in cluster mode.

We introduced or modified the following commands: client clear-text , inspect diameter , strict-diameter .

SCTP stateful inspection in cluster mode

SCTP stateful inspection now works in cluster mode. You can also configure SCTP stateful inspection bypass in cluster mode.

We did not add or modify any commands.

H.323 inspection support for the H.255 FACILITY message coming before the H.225 SETUP message for H.460.18 compatibility.

You can now configure an H.323 inspection policy map to allow for H.225 FACILITY messages to come before the H.225 SETUP message, which can happen when endpoints comply with H.460.18.

We introduced the following command: early-message .

Cisco Trustsec support for Security Exchange Protocol (SXP) version 3.

Cisco Trustsec on ASA now implements SXPv3, which enables SGT-to-subnet bindings, which are more efficient than host bindings.

We introduced or modified the following commands: cts sxp mapping network-map maximum_hosts , cts role-based sgt-map , show cts sgt-map , show cts sxp sgt-map , show asp table cts sgt-map .

Flow off-load support for the Firepower 4100 series.

You can identify flows that should be off-loaded from the ASA and switched directly in the NIC for the Firepower 4100 series.

Requires FXOS 1.1.4.

We did not add or modify any commands.

Remote Access Features

IKEv2 Fragmentation, RFC-7383 support

The ASA now supports this standard fragmentation of IKEv2 packets. This allows interoperability with other IKEv2 implementations such as Apple, Strongswan etc. ASA continues to support the current, proprietary IKEv2 fragmentation to maintain backward compatibility with Cisco products that do not support RFC-7383, such as the AnyConnect client.

We introduced the following commands: crypto ikev2 fragmentation , show running-config crypto ikev2 , show crypto ikev2 sa detail

VPN Throughput Performance Enhancements on Firepower 9300 and Firepower 4100 series

The crypto engine accelerator-bias command is now supported on the ASA security module on the Firepower 9300 and Firepower 4100 series. This command lets you “bias” more crypto cores toward either IPSec or SSL.

We modified the following command: crypto engine accelerator-bias

Configurable SSH encryption and HMAC algorithm.

Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms. You might want to change the ciphers to be more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then the performance is much slower than a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc , for example.

We introduced the following commands: ssh cipher encryption, ssh cipher integrity.

Also available in 9.1(7), 9.4(3), and 9.5(3).

HTTP redirect support for IPv6

When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can now redirect traffic sent an to IPv6 address.

We added functionality to the following command: http redirect

Also available in 9.1(7) and 9.4(3).

Routing Features

IS-IS routing

The ASA now supports the Intermediate System to Intermediate System (IS-IS) routing protocol. Support was added for routing data, performing authentication, and redistributing and monitoring routing information using the IS-IS routing protocol.

We introduced the following commands: advertise passive-only, area-password, authentication key, authentication mode, authentication send-only, clear isis, debug isis, distance, domain-password, fast-flood, hello padding, hostname dynamic, ignore-lsp-errors, isis adjacency-filter, isis advertise prefix, isis authentication key, isis authentication mode, isis authentication send-only, isis circuit-type, isis csnp-interval, isis hello-interval, isis hello-multiplier, isis hello padding, isis lsp-interval, isis metric, isis password, isis priority, isis protocol shutdown, isis retransmit-interval, isis retransmit-throttle-interval, isis tag, is-type, log-adjacency-changes, lsp-full suppress, lsp-gen-interval, lsp-refresh-interval, max-area-addresses, max-lsp-lifetime, maximum-paths, metric, metric-style, net, passive-interface, prc-interval, protocol shutdown, redistribute isis, route priority high, route isis, set-attached-bit, set-overload-bit, show clns, show isis, show router isis, spf-interval, summary-address.

High Availability and Scalability Features

Support for site-specific IP addresses in Routed, Spanned EtherChannel mode

For inter-site clustering in routed mode with Spanned EtherChannels, you can now configure site-specific IP addresess in addition to site-specific MAC addresses. The addition of site IP addresses allows you to use ARP inspection on the Overlay Transport Virtualization (OTV) devices to prevent ARP responses from the global MAC address from traveling over the Data Center Interconnect (DCI), which can cause routing problems. ARP inspection is required for some switches that cannot use VACLs to filter MAC addresses.

We modified the following commands: mac-address, show interface

Administrative Features

Longer password support for local username and enable passwords (up to 127 characters)

You can now create local username and enable passwords up to 127 characters (the former limit was 32). When you create a password longer than 32 characters, it is stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Shorter passwords continue to use the MD5-based hashing method.

We modified the following commands: enable, username

Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB

The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported. This is a table of memory pool monitoring entries for all physical entities on a managed system.

We did not add or modify any commands.

Also available in 9.1(7) and 9.4(3).

REST API Version 1.3.1

We added support for the REST API Version 1.3.1.