Дорожная карта для Cisco Cisco Catalyst 6500 Series 7600 Series ASA Services Module
Description
Feature
You can now control the DNS guard function. In releases prior to 7.0(5), the DNS
guard functions are always enabled regardless of the configuration of DNS
inspection:
guard functions are always enabled regardless of the configuration of DNS
inspection:
• Stateful tracking of the DNS response with DNS request to match the ID
• Tearing down the DNS connection when all pending requests are responded
This command is effective only on interfaces with DNS inspection disabled (no
inspect dns). When DNS inspection is enabled, the DNS guard function is always
performed.
inspect dns). When DNS inspection is enabled, the DNS guard function is always
performed.
We introduced the following command: dns guard.
Command to Control
DNS Guard
DNS Guard
The ability to open specific pinholes for ESP flows based on existence of an IKE
flow is provided by the enhanced IPSec inspect feature. This feature can be
configured within the MPF infrastructure along with other inspects. The
idle-timeout on the resulting ESP flows is statically set at 10 minutes. There is
no maximum limit on number of ESP flows that can be allowed.
flow is provided by the enhanced IPSec inspect feature. This feature can be
configured within the MPF infrastructure along with other inspects. The
idle-timeout on the resulting ESP flows is statically set at 10 minutes. There is
no maximum limit on number of ESP flows that can be allowed.
We introduced the following command: inspect ipsec-pass-thru.
Enhanced IPSEC
Inspection
Inspection
Firewall Features
When a TCP packet is denied, the adaptive security appliance always sends a
reset when the packet is going from a high security to a low security interface.
The service resetinbound command is used to enable or disable sending resets
when a TCP packet is denied when going from a low security to a high security
interface. The service resetinbound command is introduced to control sending
RESETs when a packet is denied when going from a high security to a low security
interface. The existing service resetinbound command is enhanced to take an
additional interface option.
reset when the packet is going from a high security to a low security interface.
The service resetinbound command is used to enable or disable sending resets
when a TCP packet is denied when going from a low security to a high security
interface. The service resetinbound command is introduced to control sending
RESETs when a packet is denied when going from a high security to a low security
interface. The existing service resetinbound command is enhanced to take an
additional interface option.
We introduced the following commands: service resetoutbound, service
resetinbound.
resetinbound.
Command to Disable
RST for Denied TCP
Packets
RST for Denied TCP
Packets
Platform Features
The maximum connections and VLANs is increased to the following numbers.
• ASA5510 base license conns 32000->50000 vlans 0->10
• ASA5510 plus license conns 64000->130000 vlans 10->25
• ASA5520 conns 130000->280000 vlans 25->100
• ASA5540 conns 280000->400000 vlans 100->200
Increased Connections
and VLANs
and VLANs
Management Features
Username and enable password length limits increased from 16 to 32 in the
LOCAL database.
LOCAL database.
Password Increased in
Local Database
Local Database
Cisco ASA New Features by Release
247
Cisco ASA New Features
New Features in ASA 7.0(5)/ASDM 5.0(5)