Cisco ASA 5555-X Adaptive Security Appliance Release Notes

Release Notes for Cisco ASDM, Version 6.4(x)
 
  New Features
Automatic NAT rules to translate a VPN peer’s local IP address back to the peer’s real IP address
In rare situations, you might want to use a VPN peer’s real IP address on the inside network 
instead of an assigned local IP address. Normally with VPN, the peer is given an assigned local 
IP address to access the inside network. However, you might want to translate the local IP 
address back to the peer’s real public IP address if, for example, your inside servers and 
network security are based on the peer’s real IP address.
You can enable this feature on one interface per tunnel group. Object NAT rules are 
dynamically added and deleted when the VPN session is established or disconnected. You can 
view the rules using the show nat command.
Note: Because of routing issues, we do not recommend using this feature unless you know 
you need this feature; contact Cisco TAC to confirm feature compatibility with your 
network. See the following limitations:
• Only supports Cisco IPsec and AnyConnect Client.
• Return traffic to the public IP addresses must be routed back to the ASA so the NAT 
  policy and VPN policy can be applied.
• Does not support load-balancing (because of routing issues).
• Does not support roaming (public IP changing).
ASDM does not support this command; enter the command using the Command Line Tool.
Remote Access Features
Clientless SSL VPN browser support
The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9 and Firefox 4.
Compression for DTLS and TLS
To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect 
3.0 or later. Each tunneling method configures compression separately, and the preferred 
configuration is to have both SSL and DTLS compression as LZS. This feature enhances 
migration from legacy VPN clients. 
Note: Using data compression on high speed remote access connections passing highly 
compressible data requires significant processing power on the ASA. With other 
activity and traffic on the ASA, the number of sessions that can be supported on the 
platform is reduced.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL 
VPN Access > Group Policies > Edit > Edit Internal Group Policy > Advanced > AnyConnect 
Client > SSL Compression.
Clientless SSL VPN Session Timeout Alerts
Allows you to create custom messages to alert users that their VPN session is about to end 
because of inactivity or a session timeout.
We introduced the following screens:
Remote Access VPN > Configuration > Clientless SSL VPN Access > Portal > Customizations > Add/Edit > Timeout Alerts
Remote Access VPN > Configuration > Clientless SSL VPN Access > Group Policies > Add/Edit > General
AAA Features
Table 5: New Features for ASA Version 8.4(3)/ASDM Version 6.4(7) (continued)
Feature    Description