1-13
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 1 Introduction to the Cisco ASA 5500 Series
New Features
IPv6 Inspection You can configure IPv6 inspection by configuring a service policy to selectively block IPv6
traffic based on the extension header. IPv6 packets are subjected to an early security check. The
ASA always passes hop-by-hop and destination option types of extension headers while
blocking router header and no next header.
You can enable default IPv6 inspection or customize IPv6 inspection. By defining a policy map
for IPv6 inspection you can configure the ASA to selectively drop IPv6 packets based on
following types of extension headers found anywhere in the IPv6 packet:
• Hop-by-Hop Options
• Routing (Type 0)
• Fragment
• Destination Options
• Authentication
• Encapsulating Security Payload
Remote Access Features
Portal Access Rules This enhancement allows customers to configure a global clientless SSL VPN access policy to
permit or deny clientless SSL VPN sessions based on the data present in the HTTP header. If
denied, an error code is returned to the clients. This denial is performed before user
authentication and thus minimizes the use of processing resources.
Also available in Version 8.2(5).
Clientless support for
Microsoft Outlook Web App
2010
The ASA 8.4(2) clientless SSL VPN core rewriter now supports Microsoft Outlook Web App
2010.
Secure Hash Algorithm
SHA-2 Support for IPsec
IKEv2 Integrity and PRF
This release supports the Secure Hash Algorithm SHA-2 for increased cryptographic hashing
security for IPsec/IKEv2 AnyConnect Secure Mobility Client connections to the ASA. SHA-2
includes hash functions with digests of 256, 384, or 512 bits, to meet U.S. government
requirements.
Secure Hash Algorithm
SHA-2 Support for Digital
Signature over IPsec IKEv2
This release supports the use of SHA-2 compliant signature algorithms to authenticate IPsec
IKEv2 VPN connections that use digital certificates, with the hash sizes SHA-256, SHA-384,
and SHA-512.
SHA-2 digital signature for IPsec IKEv2 connections is supported with the AnyConnect Secure
Mobility Client, Version 3.0.1 or later.
Split Tunnel DNS policy for
AnyConnect
This release includes a new policy pushed down to the AnyConnect Secure Mobility Client for
resolving DNS addresses over split tunnels. This policy applies to VPN connections using the
SSL or IPsec/IKEv2 protocol and instructs the AnyConnect client to resolve all DNS addresses
through the VPN tunnel. If DNS resolution fails, the address remains unresolved and the
AnyConnect client does not try to resolve the address through public DNS servers.
By default, this feature is disabled. The client sends DNS queries over the tunnel according to
the split tunnel policy: tunnel all networks, tunnel networks specified in a network list, or
exclude networks specified in a network list.
Also available in Version 8.2(5).
Table 1-5 New Features for ASA Version 8.4(2)/ASDM Version 6.4(5) (continued)
Feature Description