Cisco Systems ASA 5510 Network Router User Manual


  Open as PDF
of 2086
 
1-7
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 1 Introduction to the Cisco ASA 5500 Series
New Features
Additional ephemeral
Diffie-Hellman ciphers for
SSL encryption
The ASA now supports the following ephemeral Diffie-Hellman (DHE) SSL cipher suites:
DHE-AES128-SHA1
DHE-AES256-SHA1
These cipher suites are specified in RFC 3268, Advanced Encryption Standard (AES)
Ciphersuites for Transport Layer Security (TLS).
When supported by the client, DHE is the preferred cipher because it provides Perfect Forward
Secrecy. See the following limitations:
DHE is not supported on SSL 3.0 connections, so make sure to also enable TLS 1.0 for the
SSL server.
Some popular applications do not support DHE, so include at least one other SSL
encryption method to ensure that a cipher suite common to both the SSL client and server
can be used.
Some clients may not support DHE, including AnyConnect 2.5 and 3.0, Cisco Secure
Desktop, and Internet Explorer 9.0.
We modified the following screen: Configuration > Device Management > Advanced > SSL
Settings.
This feature is not available in 8.5(1) or 8.6(1).
File System Features
Image verification Support for SHA-512 image integrity checking was added.
This feature is not available in 8.5(1) or 8.6(1).
Failover Features
Configure the connection
replication rate during a bulk
sync
You can now configure the rate at which the ASA replicates connections to the standby unit
when using Stateful Failover. By default, connections are replicated to the standby unit during
a 15 second period. However, when a bulk sync occurs (for example, when you first enable
failover), 15 seconds may not be long enough to sync large numbers of connections due to a
limit on the maximum connections per second. For example, the maximum connections on the
ASA is 8 million; replicating 8 million connections in 15 seconds means creating 533 K
connections per second. However, the maximum connections allowed per second is 300 K. You
can now specify the rate of replication to be less than or equal to the maximum connections per
second, and the sync period will be adjusted until all the connections are synced.
This feature is not available in 8.6(1). This feature is also in 8.5(1.7).
Application Inspection Features
SunRPC change from
dynamic ACL to pin-hole
mechanism
Previously, Sun RPC inspection does not support outbound access lists because the inspection
engine uses dynamic access lists instead of secondary connections.
In this release, when you configure dynamic access lists on the ASA, they are supported on the
ingress direction only and the ASA drops egress traffic destined to dynamic ports. Therefore,
Sun RPC inspection implements a pinhole mechanism to support egress traffic. Sun RPC
inspection uses this pinhole mechanism to support outbound dynamic access lists.
This feature is not available in 8.5(1) or 8.6(1).
Table 1-3 New Features for ASA Version 8.4(4.1)/ASDM Version 6.4(9) (continued)
Feature Description