Introduction to the Cisco ASA

The Cisco ASA provides advanced stateful firewall and VPN concentrator functionality in one device as well as integrated services with add-on modules. The ASA includes many advanced features, such as multiple security contexts (similar to virtualized firewalls), clustering (combining multiple firewalls into a single firewall), transparent (Layer 2) firewall or routed (Layer 3) firewall operation, advanced inspection engines, IPsec VPN, SSL VPN, and clientless SSL VPN support, and many more features.

Hardware and Software Compatibility

For a complete list of supported hardware and software, see Cisco ASA Compatibility.

New Features

This section lists new features for each release.


Note

New, changed, and deprecated syslog messages are listed in the syslog message guide.


New Features in ASA 9.6(4)

Released: December 13, 2017

There are no new features in this release.

New Features in ASA 9.6(3.1)

Released: April 3, 2017


Note

Version 9.6(3) was removed from Cisco.com due to bug CSCvd78303.


Feature

Description

AAA Features

Separate authentication for users with SSH public key authentication and users with passwords

In releases prior to 9.6(2), you could enable SSH public key authentication (ssh authentication ) without also explicitly enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL ). In 9.6(2), the ASA required you to explicitly enable AAA SSH authentication. In this release, you no longer have to explicitly enable AAA SSH authentication; when you configure the ssh authentication command for a user, local authentication is enabled by default for users with this type of authentication. Moreover, when you explicitly configure AAA SSH authentication, this configuration only applies for for usernames with passwords, and you can use any AAA server type (aaa authentication ssh console radius_1 , for example). For example, some users can use public key authentication using the local database, and other users can use passwords with RADIUS.

We did not modify any commands.

New Features in ASA 9.6(2)

Released: August 24, 2016

Feature

Description

Platform Features

ASA for the Firepower 4150

We introduced the ASA for the Firepower 4150.

Requires FXOS 2.0.1.

We did not add or modify any commands.

Hot Plug Interfaces on the ASAv

You can add and remove Virtio virtual interfaces on the ASAv while the system is active. When you add a new interface to the ASAv, the virtual machine detects and provisions the interface. When you remove an existing interface, the virtual machine releases any resource associated with the interface. Hot plug interfaces are limited to Virtio virtual interfaces on the Kernel-based Virtual Machine (KVM) hypervisor.

Microsoft Azure support on the ASAv10

Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V Hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper V Hypervisor. The ASAv on Microsoft Azure supports one instance type, the Standard D3, which supports four vCPUs, 14 GB, and four interfaces.

Also in 9.5(2.200).

Through traffic support on the Management 0/0 interface for the ASAv

You can now allow through traffic on the Management 0/0 interface on the ASAv. Previously, only the ASAv on Microsoft Azure supported through traffic; now all ASAvs support through traffic. You can optionally configure this interface to be management-only, but it is not configured by default.

We modified the following command: management-only

Common Criteria Certification

The ASA was updated to comply with the Common Criteria requirements. See the rows in this table for the following features that were added for this certification:

  • ASA SSL Server mode matching for ASDM

  • SSL client RFC 6125 support:

    • Reference Identities for Secure Syslog Server connections and Smart Licensing connections

    • ASA client checks Extended Key Usage in server certificates

    • Mutual authentication when ASA acts as a TLS client for TLS1.1 and 1.2

  • PKI debug messages

  • Crypto Key Zeroization verification

  • IPsec/ESP Transport Mode Support for IKEv2

  • New syslog messages

Firewall Features

DNS over TCP inspection

You can now inspect DNS over TCP traffic (TCP/53).

We added the following command: tcp-inspection

MTP3 User Adaptation (M3UA) inspection

You can now inspect M3UA traffic and also apply actions based on point code, service indicator, and message class and type.

We added or modified the following commands: clear service-policy inspect m3ua {drops | endpoint [IP_address]} , inspect m3ua , match dpc , match opc , match service-indicator , policy-map type inspect m3ua , show asp table classify domain inspect-m3ua , show conn detail , show service-policy inspect m3ua {drops | endpoint IP_address} , ss7 variant , timeout endpoint

Session Traversal Utilities for NAT (STUN) inspection

You can now inspect STUN traffic for WebRTC applications including Cisco Spark. Inspection opens pinholes required for return traffic.

We added or modified the following commands: inspect stun , show conn detail , show service-policy inspect stun

Application layer health checking for Cisco Cloud Web Security

You can now configure Cisco Cloud Web Security to check the health of the Cloud Web Security application when determining if the server is healthy. By checking application health, the system can fail over to the backup server when the primary server responds to the TCP three-way handshake but cannot process requests. This ensures a more reliable system.

We added the following commands: health-check application url , health-check application timeout

Connection holddown timeout for route convergence.

You can now configure how long the system should maintain a connection when the route used by the connection no longer exists or is inactive. If the route does not become active within this holddown period, the connection is freed. You can reduce the holddown timer to make route convergence happen more quickly. However, the 15 second default is appropriate for most networks to prevent route flapping.

We added the following command: timeout conn-holddown

Also in 9.4(3).

Changes in TCP option handling

You can now specify actions for the TCP MSS and MD5 options in a packet’s TCP header when configuring a TCP map. In addition, the default handling of the MSS, timestamp, window-size, and selective-ack options has changed. Previously, these options were allowed, even if there were more than one option of a given type in the header. Now, packets are dropped by default if they contain more than one option of a given type. For example, previously a packet with 2 timestamp options would be allowed, now it will be dropped.

You can configure a TCP map to allow multiple options of the same type for MD5, MSS, selective-ack, timestamp, and window-size. For the MD5 option, the previous default was to clear the option, whereas the default now is to allow it. You can also drop packets that contain the MD5 option. For the MSS option, you can set the maximum segment size in the TCP map (per traffic class). The default for all other TCP options remains the same: they are cleared.

We modified the following command: tcp-options

Transparent mode maximum interfaces per bridge group increased to 64

The maximum interfaces per bridge group was increased from 4 to 64.

We did not modify any commands.

Flow offload support for multicast connections in transparent mode.

You can now offload multicast connections to be switched directly in the NIC on transparent mode Firepower 4100 and 9300 series devices. Multicast offload is available for bridge groups that contain two and only two interfaces.

There are no new commands or ASDM screens for this feature.

Customizable ARP rate limiting

You can set the maximum number of ARP packets allowed per second. The default value depends on your ASA model. You can customize this value to prevent an ARP storm attack.

We added the following commands: arp rate-limit, show arp rate-limit

Ethertype rule support for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address.

You can now write Ethertype access control rules for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address. Because of this addition, the bpdu keyword no longer matches the intended traffic. Rewrite bpdu rules for dsap 0x42 .

We modified the following commands: access-list ethertype

Remote Access Features

Pre-fill/Username-from-cert feature for multiple context mode

AnyConnect SSL support is extended, allowing pre-fill/username-from-certificate feature CLIs, previously available only in single mode, to be enabled in multiple context mode as well.

We did not modify any commands.

Flash Virtualization for Remote Access VPN

Remote access VPN in multiple context mode now supports flash virtualization. Each context can have a private storage space and a shared storage place based on the total flash that is available:

  • Private storage—Store files associated only with that user and specific to the content that you want for that user.

  • Shared storage—Upload files to this space and have it accessible to any user context for read/write access once you enable it.

We introduced the following commands: limit-resource storage, storage-url

AnyConnect client profiles supported in multiple context mode

AnyConnect client profiles are supported in multiple context mode. To add a new profile using ASDM, you must have the AnyConnect Secure Mobility Client release 4.2.00748 or 4.3.03013 and later.

Stateful failover for AnyConnect connections in multiple context mode

Stateful failover is now supported for AnyConnect connections in multiple context mode.

We did not modify any commands.

Remote Access VPN Dynamic Access Policy (DAP) is supported in multiple context mode

You can now configure DAP per context in multiple context mode.

We did not modify any commands.

Remote Access VPN CoA (Change of Authorization) is supported in multiple context mode

You can now configure CoA per context in multiple context mode.

We did not modify any commands.

Remote Access VPN localization is supported in multiple context mode

Localization is supported globally. There is only one set of localization files that are shared across different contexts.

We did not modify any commands.

Umbrella Roaming Security module support

You can choose to configure the AnyConnect Secure Mobility Client's Umbrella Roaming Security module for additional DNS-layer security when no VPN is active.

We did not modify any commands.

IPsec/ESP Transport Mode Support for IKEv2

Transport mode is now supported for ASA IKEv2 negotiation. It can be used in place of tunnel (default) mode. Tunnel mode encapsulates the entire IP packet. Transport mode encapsulates only the upper-layer protocols of an IP packet. Transport mode requires that both the source and destination hosts support IPSec, and can only be used when the destination peer of the tunnel is the final destination of the IP packet.

We modified the following command: crypto map set ikev2 mode

Per-packet routing lookups for IPsec inner packets

By default, per-packet adjacency lookups are done for outer ESP packets; lookups are not done for packets sent through the IPsec tunnel. In some network topologies, when a routing update has altered the inner packet’s path, but the local IPsec tunnel is still up, packets through the tunnel may not be routed correctly and fail to reach their destination. To prevent this, use the new option to enable per-packet routing lookups for the IPsec inner packets.

We added the following command: crypto ipsec inner-routing-lookup

Certificate and Secure Connection Features

ASA client checks Extended Key Usage in server certificates

Syslog and Smart licensing Server Certificates must contain “ServerAuth” in the Extended Key Usage field. If not, the connection fails.

Mutual authentication when ASA acts as a TLS client for TLS1.1 and 1.2

If the server requests a client certificate from the ASA for authentication, the ASA will send the client identity certificate configured for that interface. The certificate is configured by the ssl trust-point command.

PKI debug messages

The ASA PKI module makes connections to CA servers such as SCEP enrollment, revocation checking using HTTP, etc. All of these ASA PKI exchanges will be logged as debug traces under debug crypto ca message 5.

ASA SSL Server mode matching for ASDM

For an ASDM user who authenticates with a certificate, you can now require the certificate to match a certificate map.

We modified the following command: http authentication-certificate match

Reference Identities for Secure Syslog Server connections and Smart Licensing connections

TLS client processing now supports rules for verification of a server identity defined in RFC 6125, Section 6. Identity verification will be done during PKI validation for TLS connections to the Syslog Server and the Smart Licensing server only. If the presented identity cannot be matched against the configured reference identity, the connection is not established.

We added or modified the following commands: crypto ca reference-identity, logging host, call home profile destination address

Crypto Key Zeroization verification

The ASA crypto system has been updated to comply with new key zeroization requirements. Keys must be overwritten with all zeros and then the data must be read to verify that the write was successful.

SSH public key authentication improvements

In earlier releases, you could enable SSH public key authentication (ssh authentication ) without also enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL ). The configuration is now fixed so that you must explicitly enable AAA SSH authentication. To disallow users from using a password instead of the private key, you can now create a username without any password defined.

We modified the following commands: ssh authentication, username

Interface Features

Increased MTU size for the ASA on the Firepower 4100/9300 chassis

You can set the maximum MTU to 9188 bytes on the Firepower 4100 and 9300; formerly, the maximum was 9000 bytes. This MTU is supported with FXOS 2.0.1.68 and later.

We modified the following command: mtu

Routing Features

Bidirectional Forwarding Detection (BFD) Support

The ASA now supports the BFD routing protocol. Support was added for configuring BFD templates, interfaces, and maps. Support for BGP routing protocol to use BFD was also added.

We added or modified the following commands: authentication, bfd echo, bfd interval, bfd map, bfd slow-timers, bfd template, bfd-template, clear bfd counters, echo, debug bfd, neighbor fall-over bfd, show bfd drops, show bfd map, show bfd neighbors, show bfd summary

IPv6 DHCP

The ASA now supports the following features for IPv6 addressing:

  • DHCPv6 Address client—The ASA obtains an IPv6 global address and optional default route from the DHCPv6 server.

  • DHCPv6 Prefix Delegation client—The ASA obtains delegated prefix(es) from a DHCPv6 server. The ASA can then use these prefixes to configure other ASA interface addresess so that StateLess Address Auto Configuration (SLAAC) clients can autoconfigure IPv6 addresses on the same network.

  • BGP router advertisement for delegated prefixes

  • DHCPv6 stateless server—The ASA provides other information such as the domain name to SLAAC clients when they send Information Request (IR) packets to the ASA. The ASA only accepts IR packets, and does not assign addresses to the clients.

We added or modified the following commands: clear ipv6 dhcp statistics, domain-name, dns-server, import, ipv6 address autoconfig, ipv6 address dhcp, ipv6 dhcp client pd, ipv6 dhcp client pd hint, ipv6 dhcp pool, ipv6 dhcp server, network, nis address, nis domain-name, nisp address, nisp domain-name, show bgp ipv6 unicast, show ipv6 dhcp, show ipv6 general-prefix, sip address, sip domain-name, sntp address

High Availability and Scalability Features

Improved sync time for dynamic ACLs from AnyConnect when using Active/Standby failover

When you use AnyConnect on a failover pair, then the sync time for the associated dynamic ACLs (dACLs) to the standby unit is now improved. Previously, with large dACLs, the sync time could take hours during which time the standby unit is busy syncing instead of providing high availability backup.

We did not modify any commands.

Licensing Features

Permanent License Reservation for the ASAv

For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv. In 9.6(2), we also added support for this feature for the ASAv on Amazon Web Services. This feature is not supported for Microsoft Azure.

Note 

Not all accounts are approved for permanent license reservation. Make sure you have approval from Cisco for this feature before you attempt to configure it.

We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return

Also in 9.5(2.200).

Satellite Server support for the ASAv

If your devices cannot access the internet for security reasons, you can optionally install a local Smart Software Manager satellite server as a virtual machine (VM).

We did not modify any commands.

Permanent License Reservation for the ASAv Short String enhancement

Due to an update to the Smart Agent (to 1.6.4), the request and authorization codes now use shorter strings.

We did not modify any commands.

Permanent License Reservation for the ASA on the Firepower 4100/9300 chassis

For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASA on the Firepower 9300 and Firepower 4100. All available license entitlements are included in the permanent license, including the Standard Tier, Strong Encryption (if qualified), Security Contexts, and Carrier licenses. Requires FXOS 2.0.1.

All configuration is performed on the Firepower 4100/9300 chassis; no configuration is required on the ASA.

Smart Agent Upgrade for ASAv to v1.6

The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account.

Note 

If you downgrade from Version 9.5(2.200), the ASAv does not retain the licensing registration state. You need to re-register with the license smart register idtoken id_token force command; obtain the ID token from the Smart Software Manager.

We introduced the following commands: show license status, show license summary, show license udi, show license usage

We modified the following commands: show license all, show tech-support license

We deprecated the following commands: show license cert, show license entitlement, show license pool, show license registration

Also in 9.5(2.200).

Monitoring Features

Packet capture of type asp-drop supports ACL and match filtering

When you create a packet capture of type asp-drop, you can now also specify an ACL or match option to limit the scope of the capture.

We modified the following command: capture type asp-drop

Forensic Analysis enhancements

You can create a core dump of any process running on the ASA. The ASA also extracts the text section of the main ASA process that you can copy from the ASA for examination.

We modified the following commands: copy system:text, verify system:text, crashinfo force dump process

Tracking Packet Count on a Per-Connection Basis through NetFlow

Two counters were added that allow Netflow users to see the number of Layer 4 packets being sent in both directions on a connection. You can use these counters to determine average packet rates and sizes and to better predict traffic types, anomalies, and events.

We did not modify any commands.

SNMP engineID sync for Failover

In a failover pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote engineID.

An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running config output will show two engineIDs per user.

We modified the following command: snmp-server user

Also in 9.4(3).

New Features in ASA 9.6(1)

Released: March 21, 2016


Note

The ASAv 9.5.2(200) features, including Microsoft Azure support, are not available in 9.6(1). They are available in 9.6(2).


Feature

Description

Platform Features

ASA for the Firepower 4100 series

We introduced the ASA for the Firepower 4110, 4120, and 4140.

Requires FXOS 1.1.4.

We did not add or modify any commands.

SD card support for the ISA 3000

You can now use an SD card for external storage on the ISA 3000. The card appears as disk3 in the ASA file system. Note that plug and play support requires hardware version 2.1 and later. Use the show module command to check your hardware version.

We did not add or modify any commands.

Dual power supply support for the ISA 3000

For dual power supplies in the ISA 3000, you can establish dual power supplies as the expected configuration in the ASA OS. If one power supply fails, the ASA issues an alarm. By default, the ASA expects a single power supply and won't issue an alarm as long as it includes one working power supply.

We introduced the following command: power-supply dual .

Firewall Features

Diameter inspection improvements

You can now inspect Diameter over TCP/TLS traffic, apply strict protocol conformance checking, and inspect Diameter over SCTP in cluster mode.

We introduced or modified the following commands: client clear-text , inspect diameter , strict-diameter .

SCTP stateful inspection in cluster mode

SCTP stateful inspection now works in cluster mode. You can also configure SCTP stateful inspection bypass in cluster mode.

We did not add or modify any commands.

H.323 inspection support for the H.255 FACILITY message coming before the H.225 SETUP message for H.460.18 compatibility.

You can now configure an H.323 inspection policy map to allow for H.225 FACILITY messages to come before the H.225 SETUP message, which can happen when endpoints comply with H.460.18.

We introduced the following command: early-message .

Cisco Trustsec support for Security Exchange Protocol (SXP) version 3.

Cisco Trustsec on ASA now implements SXPv3, which enables SGT-to-subnet bindings, which are more efficient than host bindings.

We introduced or modified the following commands: cts sxp mapping network-map maximum_hosts , cts role-based sgt-map , show cts sgt-map , show cts sxp sgt-map , show asp table cts sgt-map .

Flow off-load support for the Firepower 4100 series.

You can identify flows that should be off-loaded from the ASA and switched directly in the NIC for the Firepower 4100 series.

Requires FXOS 1.1.4.

We did not add or modify any commands.

Remote Access Features

IKEv2 Fragmentation, RFC-7383 support

The ASA now supports this standard fragmentation of IKEv2 packets. This allows interoperability with other IKEv2 implementations such as Apple, Strongswan etc. ASA continues to support the current, proprietary IKEv2 fragmentation to maintain backward compatibility with Cisco products that do not support RFC-7383, such as the AnyConnect client.

We introduced the following commands: crypto ikev2 fragmentation , show running-config crypto ikev2 , show crypto ikev2 sa detail

VPN Throughput Performance Enhancements on Firepower 9300 and Firepower 4100 series

The crypto engine accelerator-bias command is now supported on the ASA security module on the Firepower 9300 and Firepower 4100 series. This command lets you “bias” more crypto cores toward either IPSec or SSL.

We modified the following command: crypto engine accelerator-bias

Configurable SSH encryption and HMAC algorithm.

Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms. You might want to change the ciphers to be more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then the performance is much slower than a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc , for example.

We introduced the following commands: ssh cipher encryption, ssh cipher integrity.

Also available in 9.1(7), 9.4(3), and 9.5(3).

HTTP redirect support for IPv6

When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can now redirect traffic sent an to IPv6 address.

We added functionality to the following command: http redirect

Also available in 9.1(7) and 9.4(3).

Routing Features

IS-IS routing

The ASA now supports the Intermediate System to Intermediate System (IS-IS) routing protocol. Support was added for routing data, performing authentication, and redistributing and monitoring routing information using the IS-IS routing protocol.

We introduced the following commands: advertise passive-only, area-password, authentication key, authentication mode, authentication send-only, clear isis, debug isis, distance, domain-password, fast-flood, hello padding, hostname dynamic, ignore-lsp-errors, isis adjacency-filter, isis advertise prefix, isis authentication key, isis authentication mode, isis authentication send-only, isis circuit-type, isis csnp-interval, isis hello-interval, isis hello-multiplier, isis hello padding, isis lsp-interval, isis metric, isis password, isis priority, isis protocol shutdown, isis retransmit-interval, isis retransmit-throttle-interval, isis tag, is-type, log-adjacency-changes, lsp-full suppress, lsp-gen-interval, lsp-refresh-interval, max-area-addresses, max-lsp-lifetime, maximum-paths, metric, metric-style, net, passive-interface, prc-interval, protocol shutdown, redistribute isis, route priority high, route isis, set-attached-bit, set-overload-bit, show clns, show isis, show router isis, spf-interval, summary-address.

High Availability and Scalability Features

Support for site-specific IP addresses in Routed, Spanned EtherChannel mode

For inter-site clustering in routed mode with Spanned EtherChannels, you can now configure site-specific IP addresess in addition to site-specific MAC addresses. The addition of site IP addresses allows you to use ARP inspection on the Overlay Transport Virtualization (OTV) devices to prevent ARP responses from the global MAC address from traveling over the Data Center Interconnect (DCI), which can cause routing problems. ARP inspection is required for some switches that cannot use VACLs to filter MAC addresses.

We modified the following commands: mac-address, show interface

Administrative Features

Longer password support for local username and enable passwords (up to 127 characters)

You can now create local username and enable passwords up to 127 characters (the former limit was 32). When you create a password longer than 32 characters, it is stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Shorter passwords continue to use the MD5-based hashing method.

We modified the following commands: enable, username

Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB

The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported. This is a table of memory pool monitoring entries for all physical entities on a managed system.

Note 

The CISCO-ENHANCED-MEMPOOL-MIB uses 64-bit counters and supports reporting of memory on platforms with more than 4GB of RAM.

We did not add or modify any commands.

Also available in 9.1(7) and 9.4(3).

REST API Version 1.3.1

We added support for the REST API Version 1.3.1.

Firewall Functional Overview

Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network. If you have network resources that need to be available to an outside user, such as a web or FTP server, you can place these resources on a separate network behind the firewall, called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ only includes the public servers, an attack there only affects the servers and does not affect the other inside networks. You can also control when inside users access outside networks (for example, access to the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by coordinating with an external URL filtering server.

When discussing networks connected to a firewall, the outside network is in front of the firewall, the inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited access to outside users. Because the ASA lets you configure many interfaces with varied security policies, including many inside interfaces, many DMZs, and even many outside interfaces if desired, these terms are used in a general sense only.

Security Policy Overview

A security policy determines which traffic is allowed to pass through the firewall to access another network. By default, the ASA allows traffic to flow freely from an inside network (higher security level) to an outside network (lower security level). You can apply actions to traffic to customize the security policy.

Permitting or Denying Traffic with Access Rules

You can apply access rules to limit traffic from inside to outside, or allow traffic from outside to inside. For bridge group interfaces, you can also apply an EtherType access rule to allow non-IP traffic.

Applying NAT

Some of the benefits of NAT include the following:

  • You can use private addresses on your inside networks. Private addresses are not routable on the Internet.

  • NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.

  • NAT can resolve IP routing problems by supporting overlapping IP addresses.

Protecting from IP Fragments

The ASA provides IP fragment protection. This feature performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the ASA. Fragments that fail the security check are dropped and logged. Virtual reassembly cannot be disabled.

Applying HTTP, HTTPS, or FTP Filtering

Although you can use access lists to prevent outbound access to specific websites or FTP servers, configuring and managing web usage this way is not practical because of the size and dynamic nature of the Internet.

You can configure Cloud Web Security on the ASA, or install an ASA module that provides URL and other filtering services, such as ASA CX or ASA FirePOWER. You can also use the ASA in conjunction with an external product such as the Cisco Web Security Appliance (WSA).

Applying Application Inspection

Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection.

Sending Traffic to Supported Hardware or Software Modules

Some ASA models allow you to configure software modules, or to insert hardware modules into the chassis, to provide advanced services. These modules provide additional traffic inspection and can block traffic based on your configured policies. You can send traffic to these modules to take advantage of these advanced services.

Applying QoS Policies

Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a network feature that lets you give priority to these types of traffic. QoS refers to the capability of a network to provide better service to selected network traffic.

Applying Connection Limits and TCP Normalization

You can limit TCP and UDP connections and embryonic connections. Limiting the number of connections and embryonic connections protects you from a DoS attack. The ASA uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.

TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets that do not appear normal.

Enabling Threat Detection

You can configure scanning threat detection and basic threat detection, and also how to use statistics to analyze threats.

Basic threat detection detects activity that might be related to an attack, such as a DoS attack, and automatically sends a system log message.

A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection that is based on traffic signatures, the ASA scanning threat detection feature maintains an extensive database that contains host statistics that can be analyzed for scanning activity.

The host database tracks suspicious activity such as connections with no return activity, access of closed service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.

You can configure the ASA to send system log messages about an attacker or you can automatically shun the host.

Firewall Mode Overview

The ASA runs in two different firewall modes:

  • Routed

  • Transparent

In routed mode, the ASA is considered to be a router hop in the network.

In transparent mode, the ASA acts like a “bump in the wire,” or a “stealth firewall,” and is not considered a router hop. The ASA connects to the same network on its inside and outside interfaces in a "bridge group".

You might use a transparent firewall to simplify your network configuration. Transparent mode is also useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow multicast streams using an EtherType access list.

Stateful Inspection Overview

All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process.


Note

The TCP state bypass feature allows you to customize the packet flow.


A stateful firewall like the ASA, however, takes into consideration the state of a packet:

  • Is this a new connection?

    If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the “session management path,” and depending on the type of traffic, it might also pass through the “control plane path.”

    The session management path is responsible for the following tasks:

    • Performing the access list checks

    • Performing route lookups

    • Allocating NAT translations (xlates)

    • Establishing sessions in the “fast path”

    The ASA creates forward and reverse flows in the fast path for TCP traffic; the ASA also creates connection state information for connectionless protocols like UDP, ICMP (when you enable ICMP inspection), so that they can also use the fast path.


    Note

    For other IP protocols, like SCTP, the ASA does not create reverse path flows. As a result, ICMP error packets that refer to these connections are dropped.


    Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.

  • Is this an established connection?

    If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the “fast” path in both directions. The fast path is responsible for the following tasks:

    • IP checksum verification

    • Session lookup

    • TCP sequence number check

    • NAT translations based on existing sessions

    • Layer 3 and Layer 4 header adjustments

    Data packets for protocols that require Layer 7 inspection can also go through the fast path.

    Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.

VPN Functional Overview

A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private connection. This secure connection is called a tunnel. The ASA uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The ASA functions as a bidirectional tunnel endpoint: it can receive plain packets, encapsulate them, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send them to their final destination. The ASA invokes various standard protocols to accomplish these functions.

The ASA performs the following functions:

  • Establishes tunnels

  • Negotiates tunnel parameters

  • Authenticates users

  • Assigns user addresses

  • Encrypts and decrypts data

  • Manages security keys

  • Manages data transfer across the tunnel

  • Manages data transfer inbound and outbound as a tunnel endpoint or router

The ASA invokes various standard protocols to accomplish these functions.

Security Context Overview

You can partition a single ASA into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management; however, some features are not supported. See the feature chapters for more information.

In multiple context mode, the ASA includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device. The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the ASA. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.

The admin context is just like any other context, except that when a user logs into the admin context, then that user has system administrator rights and can access the system and all other contexts.

ASA Clustering Overview

ASA Clustering lets you group multiple ASAs together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices.

You perform all configuration (aside from the bootstrap configuration) on the control unit only; the configuration is then replicated to the member units.

Special and Legacy Services

For some services, documentation is located outside of the main configuration guides and online help.

Special Services Guides

Special services allow the ASA to interoperate with other Cisco products; for example, by providing a security proxy for phone services (Unified Communications), or by providing Botnet traffic filtering in conjunction with the dynamic database from the Cisco update server, or by providing WCCP services for the Cisco Web Security Appliance. Some of these special services are covered in separate guides:

Legacy Services Guide

Legacy services are still supported on the ASA, however there may be better alternative services that you can use instead. Legacy services are covered in a separate guide:

Cisco ASA Legacy Feature Guide

This guide includes the following chapters:

  • Configuring RIP

  • AAA Rules for Network Access

  • Using Protection Tools, which includes Preventing IP Spoofing (ip verify reverse-path), Configuring the Fragment Size (fragment), Blocking Unwanted Connections (shun), Configuring TCP Options (for ASDM), and Configuring IP Audit for Basic IPS Support (ip audit).

  • Configuring Filtering Services