Release Notes for Cisco ASA 5545-X Adaptive Security Appliance - No Payload Encryption
Cisco ASA 5580 Series Release Notes Version 8.1(2)
OL-15086-02
New Features
Persistent IPsec Tunneled Flows
With the persistent IPsec tunneled flows feature enabled, the security appliance preserves and
resumes stateful (TCP) tunneled flows after the tunnel drops and then recovers. All other flows are
dropped when the tunnel drops and must be reestablished when a new tunnel comes up. Preserving the
TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel
drop. This feature supports IPsec LAN-to-LAN tunnels and Network Extension Mode tunnels from
a hardware client. It does not support IPsec or AnyConnect/SSL VPN remote access tunnels. See
the sysopt connection preserve-vpn-flows command. This option is disabled by default.
Show Active Directory Groups
The CLI command show ad-groups was added to list the Active Directory groups. ASDM Dynamic
Access Policy uses this command to present the administrator with a list of MS AD groups that can
be used to define the VPN policy.
Smart Tunnel over Mac OS
Smart tunnels now support Mac OS.
Firewall Features
NetFlow Filtering
You can filter NetFlow events based on traffic and event type, and then send records to different
collectors. For example, you can log all flow-create events to one collector, but log flow-denied
events to a different collector. See the flow-export event-type command.
NetFlow Delay Flow Creation Event
For short-lived flows, NetFlow collecting devices benefit from processing a single event as opposed
to seeing two events: flow creation and teardown. You can now configure a delay before sending
the flow creation event. If the flow is torn down before the timer expires, only the flow teardown
event will be sent. See the flow-export delay flow-create command.
Note
The teardown event includes all information regarding the flow; there is no loss of
information.
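The two NetFlow features above (event-type filtering and the delayed flow-create event) combined in one ASA configuration, as an added example that is not taken from the release notes; the interface name "inside", the collector addresses 192.0.2.10/192.0.2.11, UDP port 2055 and the 15-second delay are constructed values.

```cisco
! Two NSEL collectors, reached through the "inside" interface (constructed addresses)
flow-export destination inside 192.0.2.10 2055
flow-export destination inside 192.0.2.11 2055
!
! Hold the flow-create event for 15 seconds. A flow torn down inside that window
! produces only the teardown event, which already carries the full flow information.
flow-export delay flow-create 15
!
! Route event types to different collectors: flow-create to the first,
! flow-denied to the second, so denied traffic can be monitored separately.
policy-map global_policy
 class class-default
  flow-export event-type flow-create destination 192.0.2.10
  flow-export event-type flow-denied destination 192.0.2.11
!
service-policy global_policy global
```

Verify the result with show running-config flow-export and show flow-export counters.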
QoS Traffic Shaping
If you have a device that transmits packets at a high speed, such as the adaptive security appliance
with Fast Ethernet, and it is connected to a low-speed device such as a cable modem, then the cable
modem is a bottleneck at which packets are frequently dropped. To manage networks with differing
line speeds, you can configure the security appliance to transmit packets at a fixed slower rate. See
the shape command.
See also the crypto ipsec security-association replay command, which lets you configure the
IPSec anti-replay window size. One side effect of priority queueing is packet reordering. For
IPSec packets, out-of-order packets that are not within the anti-replay window generate warning
syslog messages. These warnings become false alarms in the case of priority queueing. This new
command avoids possible false alarms.
Table 2 New Features for ASA Version 8.1(2) (continued)
Feature | Description