Cisco Cisco ASA 5555-X Adaptive Security Appliance 發佈版本通知

 lists the new features for ASA Version 8.4(4.1)/ASDM Version 6.4(9).

Version 8.4(4) was removed from Cisco.com due to build issues; please upgrade to Version 8.4(4.1) or 
later.

ARP cache additions for 
non-connected subnets

The ASA ARP cache only contains entries from directly-connected subnets by default. You can 
now enable the ARP cache to also include non-directly-connected subnets. We do not 
recommend enabling this feature unless you know the security risks. This feature could 
facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out 
many ARP replies and overload the ASA ARP table with false entries.

You may want to use this feature if you use:

Secondary subnets.

Proxy ARP on adjacent routes for traffic forwarding.

We modified the following screen: Configuration > Device Management > Advanced > ARP > 
ARP Static Table.

NAT-MIB 
cnatAddrBindNumberOfEnt
ries and 
cnatAddrBindSessionCount 
OIDs to allow polling for 
Xlate count.

Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and 
cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count for SNMP.

This data is equivalent to the show xlate count command.

FIPS and Common Criteria 
certifications

The FIPS 140-2 Non-Proprietary Security Policy was updated as part of the Level 2 FIPS 140-2 
validation for the Cisco ASA 5500 series, which includes the Cisco ASA 5505, ASA 5510, 
ASA 5520, ASA 5540, ASA 5550, ASA 5580, and ASA 5585-X.

The Common Criteria Evaluation Assurance Level 4 (EAL4) was updated, which provides the 
basis for a specific Target of Evaluation (TOE) of the Cisco ASA and VPN platform solutions.