cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Ask the Expert- SD-WAN

New Features of ASA v9.0(1) - Part 1

5951
Views
5
Helpful
1
Comments

 

Introduction:

This document discusses about some new features of ASA v9.0(1).

 

New Features:

 

1.)Cisco TrustSec integration:

 

This feature provides an access-control solution that is build upon an existing identity-aware infrastructure in order to ensure data confidentiality between the network devices and integrate security access services on the same platform. This feature utilizes a combination of user attributes and end-point attributes to make role-based and identity-based access control decisions.

 

In this release, the ASA integrates with Cisco TrustSec to provide security group based policy enforcement based on the roles of source and destination devices rather than on network IP addresses.

 

Some new or modified commands:

access-list extended,

cts sxp enable

cts server-group

cts sxp default

cts sxp retry period

cts sxp reconcile period

cts sxp connection peer

cts import-pac

cts refresh environment-data

object-group security

security-group

show running-config cts

show running-config object-group

clear configure cts

clear configure object-group

show cts

show object-group

show conn security-group

clear cts

debug cts

 

2.)Cisco Cloud Web Security (ScanSafe):

 

This feature provides content scanning and other malware protection service for web traffic. It can redirect and report about web traffic based on user identity.

 

Note:This feature does not support SSL VPN but you need to be sure to exempt any clientless SSL VPN traffic from the ASA service policy for Cloud Web Security.

 

Some new or modified commands:

class-map type inspect scansafe

default user group

http[s] (parameters)

inspect scansafe

license

match user group

policy-map type inspect scansafe

retry-count

scansafe

scansafe general-options

server {primary | backup}

show conn scansafe

show scansafe server

show scansafe statistics

user-identity monitor

whitelist

 

3.)Extended ACL and object enhancement to filter ICMP traffic by ICMP code:

 

The feature enable the user to permit or deny ICMP traffic on the basis of ICMP code.

 

Some new or modified commands:

access-list extended

service-object

service.

 

4.)Unified communications support on the ASASM:

 

The ASASM now will be supporting all Unified Communications features.

 

 

5.)Per-session PAT:

 

This feature improves the scalability of PAT.

 

a.) ASA clustering, allows each member unit to own PAT connections; multi-session PAT connections have to be forwarded to and owned by the master unit. At the end of a per-session PAT session, the ASA sends a reset and immediately removes the xlate. Such reset causes the end node to immediately release the connection, avoiding the TIME_WAIT state.

 

b.) Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds. For "hit-and-run" traffic, such as HTTP or HTTPS, the per-session feature can dramatically increase the connection rate supported by one address. Without the per-session feature, the maximum connection rate for one address for an IP protocol is approximately 2000 per second. With the per-session feature, the connection rate for one address for an IP protocol is 65535/average-lifetime.

 

By default, all TCP traffic and UDP DNS traffic use a per-session PAT xlate. For traffic that can benefit from multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a per-session deny rule.

 

Some new introduced commands:

xlate per-session

show nat pool

 

6.)SunRPC change from dynamic ACL to pin-hole mechanism:

 

In Previous versions, Sun RPC inspection does not support outbound access lists because the inspection engine uses dynamic access lists instead of secondary connections.

 

In this release, when you configure dynamic access lists on the ASA, they are supported on the ingress direction only and the ASA drops egress traffic destined to dynamic ports. Therefore, Sun RPC inspection implements a pinhole mechanism to support egress traffic. Sun RPC inspection uses this pinhole mechanism to support outbound dynamic access lists.

 

Also available in ASA v8.4 (4.1)

 

7.)Inspection reset action change:

 

In previous versions, when ASA dropped a packet due to an inspection engine rule, ASA sends RST to the source device of the dropped packet. This behavior could cause resource issues.

 

In this release, when you configure an inspection engine to use a reset action and a packet triggers a reset, the ASA sends a TCP reset under the following conditions:

 

•The ASA sends a TCP reset to the inside host when the service resetoutbound command is enabled. (The service resetoutbound command is disabled by default.)

 

•The ASA sends a TCP reset to the outside host when the service resetinbound command is enabled. (The service resetinbound command is disabled by default)

 

This behavior ensures that a reset action will reset the connections on the ASA and on inside servers; therefore countering denial of service attacks. For outside hosts, the ASA does not send a reset by default and information is not revealed through a TCP reset.

 

Also available in 8.4(4.1).

 

 

8.)Increased maximum connection limits for service policy rules:

 

The maximum number of connections for service policy rules was increased from 65535 to 2000000.

 

Some modified commands:

set connection conn-max,

set connection embryonic-conn-max,

set connection per-client-embryonic-max,

set connection per-client-max.

 

Reference:

http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116

Comments

Multi-Session/Per-Session PAT
I don't quite get the difference between those. Where is the technical difference? I read config-guide and command-reference, but the explanation is not clear enough for me. I understand that Per-session scales better because of decreased timeouts and the possibility to cluster. But why is this not possible in Multi-Session mode? And why are there protocols who benefit from Multi-session PAT, such as H.323, SIP, or Skinny?

Thanks for any explanation.

Florian