Cisco ASA 5555-X Adaptive Security Appliance
Release Notes for Cisco ASDM, Version 6.4(x)
New Features
New Features in ASA 8.4(3)/ASDM 6.4(7)
Released: January 9, 2012
Inspection reset action change
Previously, when the ASA dropped a packet due to an inspection engine rule, the ASA sent only one RST to the source device of the dropped packet. This behavior could cause resource issues.
In this release, when you configure an inspection engine to use a reset action and a packet triggers a reset, the ASA sends a TCP reset under the following conditions:
• The ASA sends a TCP reset to the inside host when the service resetoutbound command is enabled. (The service resetoutbound command is disabled by default.)
• The ASA sends a TCP reset to the outside host when the service resetinbound command is enabled. (The service resetinbound command is disabled by default.)
For more information, see the service command in the Cisco ASA 5500 Series Command Reference.
This behavior ensures that a reset action tears down the connection both on the ASA and on the inside server, so that neither side is left holding state for a connection the ASA has already dropped; this helps counter denial of service attacks. For outside hosts, the ASA does not send a reset by default, so no information is revealed to the outside through a TCP reset.
This feature is not available in 8.5(1), 8.6(1), or 8.7(1).
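As an added illustration of the two conditions above (this fragment is not from the release notes and is not Cisco's own example), the following ASA configuration applies a reset action in an HTTP inspection policy map and enables resets toward inside hosts only, leaving the default of no reset toward outside hosts. The class-map and policy-map names (http-connect-cm, http-pm) are assumed for the example; the service resetoutbound and service resetinbound commands are the ones named in the text.

```cisco
! Added example, not from the release notes. Class-map and policy-map names are assumed.
! Inspection policy: reset (and log) HTTP connections whose request method is CONNECT.
class-map type inspect http match-all http-connect-cm
  match request method connect
policy-map type inspect http http-pm
  parameters
  class http-connect-cm
    reset log
! Attach the HTTP inspection policy map to the default global service policy.
policy-map global_policy
  class inspection_default
    inspect http http-pm
service-policy global_policy global
! Condition 1: send a TCP RST to the inside host when an inspection reset fires.
! Disabled by default; enabling it clears the half-open connection on the inside server.
service resetoutbound
! Condition 2: keep the default (disabled) so outside hosts receive no RST and learn
! nothing about the inspection policy from a reset.
no service resetinbound
```

With this configuration a CONNECT request matched by http-connect-cm is dropped by inspection, the inside server receives a RST and releases the connection, and the outside client sees only a silent drop. Use show service-policy inspect http to confirm the policy map is applied and counting resets.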
Module Features
ASA 5585-X support for the ASA CX SSP-10 and -20
The ASA CX module lets you enforce security based on the complete context of a situation. This context includes the identity of the user (who), the application or website that the user is trying to access (what), the origin of the access attempt (where), the time of the attempted access (when), and the properties of the device used for the access (how). With the ASA CX module, you can extract the full context of a flow and enforce granular policies such as permitting access to Facebook but denying access to games on Facebook, or permitting finance employees access to a sensitive enterprise database but denying the same to other employees.
We introduced the following screens:
Home > ASA CX Status
Wizards > Startup Wizard > ASA CX Basic Configuration
Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > ASA CX Inspection
ASA 5585-X support for network modules
The ASA 5585-X now supports additional interfaces on network modules in slot 1. You can install one or two of the following optional network modules:
•
ASA 4-port 10G Network Module
•
ASA 8-port 10G Network Module
•
ASA 20-port 1G Network Module
This feature is not available in 9.0(1), 9.0(2), or 9.1(1).
Table 4 New Features for ASA Version 8.4(4.1)/ASDM Version 6.4(9) (continued)
Feature | Description