Cisco ASA 5585-X with No Payload Encryption Release Notes

Release Notes for Cisco ASDM, Version 6.2(x)
OL-18973-03
  New Features
H.239 Message Support in H.323 Application Inspection
In this release, the adaptive security appliance supports the H.239 standard as part of H.323 
application inspection. H.239 is a standard that provides the ability for H.300 series endpoints to 
open an additional video channel in a single call. In a call, an endpoint (such as a video phone) 
sends a channel for video and a channel for data presentation. The H.239 negotiation occurs on the 
H.245 channel. The adaptive security appliance opens a pinhole for the additional media channel. 
The endpoints use the open logical channel (OLC) message to signal a new channel creation. The 
message extension is part of H.245 version 13. The decoding and encoding of the telepresentation 
session is enabled by default. H.239 encoding and decoding are performed by the ASN.1 coder.
In ASDM, see Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard 
> Rule Actions > Protocol Inspection > H.323 H.225. Click Configure and then choose the H.323 
Inspect Map.
Processing H.323 Endpoints When the Endpoints Do Not Send OLCAck
H.323 application inspection has been enhanced to process common H.323 endpoints. The 
enhancement affects endpoints using the extendedVideoCapability OLC with the H.239 protocol 
identifier. Even when an H.323 endpoint does not send OLCAck after receiving an OLC message 
from a peer, the adaptive security appliance propagates OLC media proposal information into the 
media array and opens a pinhole for the media channel (extendedVideoCapability).
In ASDM, see Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard 
> Rule Actions > Protocol Inspection > H.323 H.225.
IPv6 in transparent firewall mode
Transparent firewall mode now participates in IPv6 routing. Prior to this release, the adaptive 
security appliance could not pass IPv6 traffic in transparent mode. You can now configure an IPv6 
management address in transparent mode, create IPv6 access lists, and configure other IPv6 
features; the adaptive security appliance recognizes and passes IPv6 packets.
All IPv6 functionality is supported unless specifically noted.
In ASDM, see Configuration > Device Management > Management Access > Management IP 
Address.
Botnet Traffic Filter
Malware is malicious software that is installed on an unknowing host. Malware that attempts 
network activity such as sending private data (passwords, credit card numbers, key strokes, or 
proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection 
to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections 
against a dynamic database of known bad domain names and IP addresses, and then logs any 
suspicious activity. You can also supplement the dynamic database with a static database by 
entering IP addresses or domain names in a local “blacklist” or “whitelist.”
Note: This feature requires the Botnet Traffic Filter license. See the following licensing document 
for more information:
In ASDM, see Configuration > Firewall > Botnet Traffic Filter.
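A CLI sketch of the same setup, added here as an example and not taken from these release notes: it enables the dynamic database, supplements it with static blacklist and whitelist entries, and turns the filter on for one interface. The interface name `outside`, the `example.com` and `example.net` names, and the documentation-range addresses are assumptions constructed for illustration.

```cisco
! Added example: constructed values, not from the release notes.
! Assumptions: interface name "outside"; example.com / example.net names;
! RFC 5737 documentation addresses.

! Let the appliance resolve domain names entered in the static database
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53

! Dynamic database: download it from the update server and use it
dynamic-filter updater-client enable
dynamic-filter use-database

! Static database: local blacklist and whitelist entries
dynamic-filter blacklist
 name bad.example.com
 address 198.51.100.20 255.255.255.255
dynamic-filter whitelist
 name partner.example.net
 address 203.0.113.7 255.255.255.255

! DNS snooping, so domain names seen in DNS replies can be tied to the
! IP addresses that later appear in connections
class-map dynamic-filter_snoop_class
 match port udp eq domain
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside

! Check connections crossing the outside interface and log matches
dynamic-filter enable interface outside
```

After applying it, `show dynamic-filter statistics` reports how many connections on the interface were classified against the databases.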
AIP SSC card for the ASA 5505
The AIP SSC offers IPS for the ASA 5505 adaptive security appliance. Note that the AIP SSM does 
not support virtual sensors. 
In ASDM, see Configuration > Device Setup > SSC Setup and Configuration > IPS.
IPv6 support for IPS
You can now send IPv6 traffic to the AIP SSM or SSC when your traffic class uses the match any 
command, and the policy map specifies the ips command.
In ASDM, see Configuration > Firewall > Service Policy Rules.
Management Features
Table 4 New Features for ASA Version 8.2(1)/ASDM Version 6.2(1) (continued)
Feature
Description