Cisco Systems OL-16647-01 Network Router User Manual


2-2
Cisco ASDM User Guide
OL-16647-01
Chapter 2 Introduction to the Security Appliance
New Features by Platform Release
Table 2-1 lists the new features for Version 8.1(2).
Note Version 8.1(x) is only supported on the Cisco ASA 5580 adaptive security appliance.
Table 2-1 New Features for ASA Version 8.1(2)

Remote Access Features

Auto Sign-On with Smart Tunnels for IE
This feature lets you enable the replacement of logon credentials for WININET connections. Most Microsoft applications use WININET, including Internet Explorer; Mozilla Firefox does not, so it is not supported by this feature. The feature works only with HTTP-based authentication (credentials carried in HTTP authentication headers), so form-based authentication does not work with it.
Credentials are statically associated with destination hosts, not services, so if the initial credentials are wrong they cannot be corrected dynamically at runtime. Also, because the association is per destination host, the stored credentials are presented to every service on that host; enabling auto sign-on for a host may therefore not be desirable if you want to deny access to some of the services on that host.
To configure a group auto sign-on for smart tunnels, you create a global list of auto sign-on sites,
then assign the list to group policies or user names. This feature is not supported with Dynamic
Access Policy.
In ASDM, see Configuration > Firewall > Advanced > ACL Manager.
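The CLI equivalent of the procedure above (global auto sign-on list, then assignment to a group policy), as an added example that is not part of the ASDM guide. Command forms follow the ASA command reference for this release family and should be checked against your own version; the list names, host pattern and group-policy name are assumptions. The host pattern is kept deliberately narrow because, as noted above, the credentials are bound to the host and are offered to every service on it.

```cisco
! Added example, not from the ASDM guide. Assumed names: smart-tunnel list
! IETUNNEL, auto sign-on list AUTOSIGNON, host intranet.example.com,
! group policy SALES.
webvpn
 ! Smart tunnel for Internet Explorer (a WININET application); Firefox is
 ! not covered by auto sign-on.
 smart-tunnel list IETUNNEL ie iexplore.exe
 ! Global auto sign-on list. Credentials are bound per destination host, so
 ! name the host explicitly. A wildcard such as host * would forward the
 ! user's credentials to every host reached through the tunnel, including
 ! services you intend to deny.
 smart-tunnel auto-signon AUTOSIGNON host intranet.example.com
!
! Assign the list to a group policy (or, alternatively, to a username).
! Dynamic Access Policy cannot carry this setting.
group-policy SALES attributes
 webvpn
  smart-tunnel enable IETUNNEL
  smart-tunnel auto-signon enable AUTOSIGNON
!
! Verify what is configured and what the group policy inherits
show running-config webvpn
show running-config group-policy SALES
```

If a user's stored credentials for a listed host are wrong, the only fix is to correct them and reconnect; nothing in the feature re-prompts at runtime.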
Entrust Certificate Provisioning

ASDM 6.1.3 (which lets you manage security appliances running Versions 8.0(x) and 8.1(x)) includes a link to the Entrust website to apply for temporary (test) or discounted permanent SSL identity certificates for your ASA.
In ASDM, see Configuration > Remote Access VPN > Certificate Management > Identity
Certificates > Enroll ASA SSL VPN head-end with Entrust.
Extended Time for User Reauthentication on IKE Rekey

You can configure the security appliance to give remote users more time to enter their credentials on a Phase 1 SA rekey. Previously, when reauthenticate-on-rekey was configured for IKE tunnels and a Phase 1 rekey occurred, the security appliance prompted the user to authenticate and allowed only about 2 minutes to enter credentials; if the user did not respond within that window, the tunnel was terminated. With this feature enabled, users have more time to enter credentials before the tunnel drops: the window runs from the moment the new Phase 1 SA is established (when the rekey actually takes place) until the old Phase 1 SA expires. With default Phase 1 rekey times, that difference is roughly 3 hours, or about 15% of the rekey interval.
In ASDM, see Configuration > Device Management > Certificate Management > Identity
Certificates.
Persistent IPsec Tunneled Flows

With the persistent IPsec tunneled flows feature enabled, the security appliance preserves stateful (TCP) tunneled flows when the tunnel drops and resumes them when the tunnel recovers. All other flows are dropped when the tunnel drops and must be reestablished when a new tunnel comes up. Preserving the TCP flows allows some older or sensitive applications to keep working through a short-lived tunnel drop. This feature supports IPsec LAN-to-LAN tunnels and Network Extension Mode tunnels from a hardware client. It does not support IPsec or AnyConnect/SSL VPN remote access tunnels. See the sysopt connection preserve-vpn-flows command. This option is disabled by default.
In ASDM, see Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > System Options. Check the "Preserve stateful VPN flows when the tunnel drops for Network Extension Mode (NEM)" checkbox to enable persistent IPsec tunneled flows.
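The CLI form of the setting described above, shown beside its default, as an added example that is not part of the ASDM guide. The peer address, key placeholder and the LAN-to-LAN tunnel group are assumptions used only to show the kind of tunnel the option applies to.

```cisco
! Added example, not from the ASDM guide. Assumed: peer 203.0.113.10 and
! the pre-shared-key placeholder.
!
! Default behaviour: every flow through the tunnel is torn down when the
! tunnel drops and must be rebuilt after the new tunnel comes up.
no sysopt connection preserve-vpn-flows
!
! Enabled: established TCP flows through a LAN-to-LAN or hardware-client
! NEM tunnel are held across a short outage and resume when the tunnel is
! renegotiated. Non-TCP flows are still dropped, and remote-access tunnels
! (IPsec client or AnyConnect/SSL) are not covered.
sysopt connection preserve-vpn-flows
!
! A LAN-to-LAN tunnel group the option applies to
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <key>
!
! Verify the setting, then watch the connection table across a tunnel
! drop: with the option enabled the TCP entries survive the outage.
show running-config sysopt
show vpn-sessiondb l2l
show conn
```

Because the preserved entries sit in the connection table while no tunnel exists, review them with show conn during an outage to confirm that only the intended TCP flows are being held.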