Introduction:
This document discusses about some new features of ASA v9.0(1).
New Features:
1.)Cisco TrustSec integration:
This feature provides an access-control solution that is build upon an existing identity-aware infrastructure in order to ensure data confidentiality between the network devices and integrate security access services on the same platform. This feature utilizes a combination of user attributes and end-point attributes to make role-based and identity-based access control decisions.
In this release, the ASA integrates with Cisco TrustSec to provide security group based policy enforcement based on the roles of source and destination devices rather than on network IP addresses.
Some new or modified commands:
access-list extended,
cts sxp enable
cts server-group
cts sxp default
cts sxp retry period
cts sxp reconcile period
cts sxp connection peer
cts import-pac
cts refresh environment-data
object-group security
security-group
show running-config cts
show running-config object-group
clear configure cts
clear configure object-group
show cts
show object-group
show conn security-group
clear cts
debug cts
2.)Cisco Cloud Web Security (ScanSafe):
This feature provides content scanning and other malware protection service for web traffic. It can redirect and report about web traffic based on user identity.
Note:This feature does not support SSL VPN but you need to be sure to exempt any clientless SSL VPN traffic from the ASA service policy for Cloud Web Security.
Some new or modified commands:
class-map type inspect scansafe
default user group
http[s] (parameters)
inspect scansafe
license
match user group
policy-map type inspect scansafe
retry-count
scansafe
scansafe general-options
server {primary | backup}
show conn scansafe
show scansafe server
show scansafe statistics
user-identity monitor
whitelist
3.)Extended ACL and object enhancement to filter ICMP traffic by ICMP code:
The feature enable the user to permit or deny ICMP traffic on the basis of ICMP code.
Some new or modified commands:
access-list extended
service-object
service.
4.)Unified communications support on the ASASM:
The ASASM now will be supporting all Unified Communications features.
5.)Per-session PAT:
This feature improves the scalability of PAT.
a.) ASA clustering, allows each member unit to own PAT connections; multi-session PAT connections have to be forwarded to and owned by the master unit. At the end of a per-session PAT session, the ASA sends a reset and immediately removes the xlate. Such reset causes the end node to immediately release the connection, avoiding the TIME_WAIT state.
b.) Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds. For "hit-and-run" traffic, such as HTTP or HTTPS, the per-session feature can dramatically increase the connection rate supported by one address. Without the per-session feature, the maximum connection rate for one address for an IP protocol is approximately 2000 per second. With the per-session feature, the connection rate for one address for an IP protocol is 65535/average-lifetime.
By default, all TCP traffic and UDP DNS traffic use a per-session PAT xlate. For traffic that can benefit from multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a per-session deny rule.
Some new introduced commands:
xlate per-session
show nat pool
6.)SunRPC change from dynamic ACL to pin-hole mechanism:
In Previous versions, Sun RPC inspection does not support outbound access lists because the inspection engine uses dynamic access lists instead of secondary connections.
In this release, when you configure dynamic access lists on the ASA, they are supported on the ingress direction only and the ASA drops egress traffic destined to dynamic ports. Therefore, Sun RPC inspection implements a pinhole mechanism to support egress traffic. Sun RPC inspection uses this pinhole mechanism to support outbound dynamic access lists.
Also available in ASA v8.4 (4.1)
7.)Inspection reset action change:
In previous versions, when ASA dropped a packet due to an inspection engine rule, ASA sends RST to the source device of the dropped packet. This behavior could cause resource issues.
In this release, when you configure an inspection engine to use a reset action and a packet triggers a reset, the ASA sends a TCP reset under the following conditions:
•The ASA sends a TCP reset to the inside host when the service resetoutbound command is enabled. (The service resetoutbound command is disabled by default.)
•The ASA sends a TCP reset to the outside host when the service resetinbound command is enabled. (The service resetinbound command is disabled by default)
This behavior ensures that a reset action will reset the connections on the ASA and on inside servers; therefore countering denial of service attacks. For outside hosts, the ASA does not send a reset by default and information is not revealed through a TCP reset.
Also available in 8.4(4.1).
8.)Increased maximum connection limits for service policy rules:
The maximum number of connections for service policy rules was increased from 65535 to 2000000.
Some modified commands:
set connection conn-max,
set connection embryonic-conn-max,
set connection per-client-embryonic-max,
set connection per-client-max.
Reference:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
