Cisco Catalyst 6500 Series 7600 Series ASA Services Module
Release Notes for Cisco ASDM, Version 7.2(x)
New Features
Support for clustering with the Cisco Nexus 9300
The ASA supports clustering when connected to the Cisco Nexus 9300.
Remote Access Features
ISE Change of Authorization
The ISE Change of Authorization (CoA) feature provides a mechanism to
change the attributes of an authentication, authorization, and accounting
(AAA) session after it is established. When a policy changes for a user or user
group in AAA, CoA packets can be sent directly to the ASA from the ISE to
reinitialize authentication and apply the new policy. An Inline Posture
Enforcement Point (IPEP) is no longer required to apply access control lists
(ACLs) for each VPN session established with the ASA.
When an end user requests a VPN connection, the ASA authenticates the user
to the ISE and receives a user ACL that provides limited access to the network.
An accounting start message is sent to the ISE to register the session. Posture
assessment occurs directly between the NAC agent and the ISE. This process
is transparent to the ASA. The ISE sends a policy update to the ASA via a CoA
“policy push.” This identifies a new user ACL that provides increased network
access privileges. Additional policy evaluations may occur during the lifetime
of the connection, transparent to the ASA, via subsequent CoA updates.
We modified the following screen: Configuration > Remote Access VPN >
AAA/Local Users > AAA Server Groups > Add/Edit AAA Server Group
Improved clientless rewriter HTTP 1.1 compression handling
The rewriter has been changed so that if the client supports compressed content
and the content will not be rewritten, then it will accept compressed content
from the server. If the content must be rewritten and it is identified as being
compressed, it will be decompressed, rewritten, and if the client supports it,
recompressed.
We did not introduce or modify any ASDM screens.
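The rewriter behaviour described above, modelled in Python as an added example (not ASA code). `relay`, `demo_rewrite` and the `/+portal+/` prefix are hypothetical, only gzip is handled, and sending an uncompressed body to a client that cannot accept gzip when no rewrite is needed is an assumption.

```python
import gzip
import zlib


def client_accepts_gzip(accept_encoding):
    """True if the client's Accept-Encoding header offers gzip with q > 0."""
    for item in (accept_encoding or "").split(","):
        token, _, params = item.strip().partition(";")
        if token.strip().lower() != "gzip":
            continue
        q = params.strip().lower()
        if not q.startswith("q="):
            return True
        try:
            return float(q[2:]) > 0
        except ValueError:
            return False
    return False


def relay(body, content_encoding, accept_encoding, must_rewrite, rewrite):
    """Return (body, content_encoding) for the client.

    `rewrite` is a hypothetical bytes -> bytes callable standing in for the
    rewriter; `content_encoding` is the server's header value or None.
    """
    is_gzip = (content_encoding or "").strip().lower() == "gzip"
    wants_gzip = client_accepts_gzip(accept_encoding)
    if not must_rewrite and (wants_gzip or not is_gzip):
        return body, content_encoding  # pass through untouched
    plain = body
    if is_gzip:
        try:
            plain = gzip.decompress(body)
        except (OSError, EOFError, zlib.error) as exc:
            # Fail closed: never forward content the rewriter could not read.
            raise ValueError("undecodable gzip body") from exc
    if not must_rewrite:
        return plain, None  # assumption: client cannot take gzip, send identity
    rewritten = rewrite(plain)  # the rewriter always sees decompressed markup
    if is_gzip and wants_gzip:
        return gzip.compress(rewritten), "gzip"
    return rewritten, None


def demo_rewrite(markup):
    """Constructed stand-in rewrite: route links through a made-up portal prefix."""
    return markup.replace(b'href="http://', b'href="/+portal+/http/')
```

A body labelled gzip that cannot be decompressed raises an error instead of being forwarded, so content that should have been rewritten never reaches the client unmodified.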
OpenSSL upgrade
The version of OpenSSL on the ASA will be updated to version 1.0.1e.
Note
We disabled the heartbeat option, so the ASA is not vulnerable to the
Heartbleed Bug.
We did not introduce or modify any ASDM screens.
Interface Features
Support for 16 active links in an EtherChannel
You can now configure up to 16 active links in an EtherChannel. Previously,
you could have 8 active links and 8 standby links. Be sure your switch can
support 16 active links (for example, the Cisco Nexus 7000 with F2-Series
10 Gigabit Ethernet Module).
Note
If you upgrade from an earlier ASA version, the maximum number of active
interfaces is set to 8 for compatibility purposes.
We modified the following screen: Configuration > Device Setup > Interfaces
> Add/Edit EtherChannel Interface > Advanced.
Table 4
New Features for ASA Version 9.2(1)/ASDM Version 7.2(1) (continued)
Feature
Description