Cisco ASA 5505 Adaptive Security Appliance
Cisco ASDM Release Notes Version 6.0(3)
OL-14862-02
New Features
Smart Card Removal Disconnect
This feature allows the central site administrator to configure remote client policy for
deleting active tunnels when a Smart Card is removed. The Cisco VPN Remote Access
Software clients (both IPSec and SSL) will, by default, tear down existing VPN tunnels
when the user removes the Smart Card used for authentication. The following CLI
command disconnects existing VPN tunnels when a smart card is removed:
smartcard-removal-disconnect {enable | disable}. This option is enabled by default.
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access > Group
Policies > Add/Edit Internal/External Group Policies > More Options.
Also available in Version 7.2(3).
WebVPN Load Balancing
The adaptive security appliance now supports the use of FQDNs for load balancing. To
perform WebVPN load balancing using FQDNs, you must first enable the use of FQDNs for
load balancing by entering the redirect-fqdn enable command. Then add an entry for each of
your adaptive security appliance outside interfaces into your DNS server if not already
present. Each adaptive security appliance outside IP address should have a DNS entry
associated with it for lookups. These DNS entries must also be enabled for reverse
lookup. Enable DNS lookups on your adaptive security appliance with the dns
domain-lookup inside command (or whichever interface has a route to your DNS
server). Finally, you must define the IP address of your DNS server on the adaptive
security appliance. Following is the new CLI associated with this enhancement:
redirect-fqdn {enable | disable}.
In ASDM, see Configuration > VPN > Load Balancing.
Also available in Version 7.2(3).
Application Inspection Features
WAAS and ASA Interoperability
The inspect waas command is added to enable WAAS inspection in the policy-map class
configuration mode. This CLI is integrated into Modular Policy Framework for maximum
flexibility in configuring the feature. The [no] inspect waas command can be configured
under a default inspection class and under a custom class-map. This inspection service is
not enabled by default.
The keyword option waas is added to the show service-policy inspect command to
display WAAS statistics.
show service-policy inspect waas
A new system log message is generated when WAAS optimization is detected on a
connection. All L7 inspection services including IPS are bypassed on WAAS optimized
connections.
System Log Number and Format:
%ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to
out_interface:dest_ip_addr/dest_port, inspection services bypassed on this connection.
A new connection flag "W" is added in the WAAS connection. The show conn detail
command is updated to reflect the new flag.
In ASDM, see Configuration > Firewall > Service Policy Rules > Add/Edit Service
Policy Rule > Rule Actions > Protocol Inspection.
Also available in Version 7.2(3).
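A defender-side example, added here and not part of Cisco's release notes: it parses the %ASA-6-428001 message in the format shown above and tallies, per interface pair, the connections on which L7 inspection and IPS were bypassed, so that WAAS-optimized flows to ports the site expects IPS to cover can be reviewed. The syslog header prefix, the hostname asa-edge, the sample addresses and the watched-port set are constructed assumptions, not values from the release notes.

```python
import re
from collections import Counter

# Regex for the %ASA-6-428001 message documented in the release notes. search() is
# used so a relayed line with a timestamp/hostname prefix matches as well as a raw one.
# The address class accepts IPv4 or IPv6 literals; the interface name stops at the colon.
WAAS_RE = re.compile(
    r"%ASA-6-428001: WAAS confirmed from "
    r"(?P<in_if>[^:\s]+):(?P<src_ip>[0-9A-Fa-f.:]+)/(?P<src_port>\d+) to "
    r"(?P<out_if>[^:\s]+):(?P<dst_ip>[0-9A-Fa-f.:]+)/(?P<dst_port>\d+), "
    r"inspection services bypassed on this connection\.?"
)

def parse_waas_bypass(line):
    """Return a dict for a 428001 message, or None for any other syslog line."""
    m = WAAS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec

def summarize_bypassed(lines, watched_ports=frozenset({80, 443})):
    """Count bypassed connections per (in_if, out_if) pair and collect those whose
    destination port is in watched_ports (assumed: services the site wants IPS to see)."""
    per_pair = Counter()
    watched = []
    for line in lines:
        rec = parse_waas_bypass(line)
        if rec is None:
            continue
        per_pair[(rec["in_if"], rec["out_if"])] += 1
        if rec["dst_port"] in watched_ports:
            watched.append(rec)
    return per_pair, watched

# Constructed sample lines (not from the release notes); addresses are RFC 5737/1918 examples.
SAMPLE_LOG = [
    "Jan 10 2008 12:00:01 asa-edge %ASA-6-428001: WAAS confirmed from inside:10.1.1.20/49152 to outside:192.0.2.10/443, inspection services bypassed on this connection.",
    "Jan 10 2008 12:00:02 asa-edge %ASA-6-302013: Built outbound TCP connection 1001 for outside:192.0.2.11/80 (192.0.2.11/80) to inside:10.1.1.21/49153 (203.0.113.5/49153)",
    "Jan 10 2008 12:00:03 asa-edge %ASA-6-428001: WAAS confirmed from inside:10.1.1.21/49154 to dmz:10.2.2.30/445, inspection services bypassed on this connection.",
    "Jan 10 2008 12:00:04 asa-edge %ASA-6-428001: WAAS confirmed from inside:10.1.1.22/49155 to outside:192.0.2.12/80, inspection services bypassed on this connection.",
]

if __name__ == "__main__":
    pairs, flagged = summarize_bypassed(SAMPLE_LOG)
    for (in_if, out_if), n in sorted(pairs.items()):
        print(f"{in_if} -> {out_if}: {n} connection(s) with L7 inspection and IPS bypassed")
    for r in flagged:
        print(f"  watched port: {r['src_ip']}:{r['src_port']} -> {r['dst_ip']}:{r['dst_port']}")
```

The same per-pair counts can be cross-checked against the "W" flag in show conn detail on the appliance.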
Table 1 New Features for ASA and PIX Version 8.0(3)/ASDM Version 6.0(3) (continued)
Feature
Description