1.)Cisco TrustSec integration:
In this release, the ASA integrates with Cisco TrustSec to provide security group based policy enforcement based on the roles of source and destination devices rather than on network IP addresses.
2.)Cisco Cloud Web Security (ScanSafe):
This feature provides content scanning and other malware protection service for web traffic. It can redirect and report about web traffic based on user identity.
3.)Extended ACL and object enhancement to filter ICMP traffic by ICMP code:
The feature enable the user to permit or deny ICMP traffic on the basis of ICMP code.
This feature improves the scalability of PAT.
a.) ASA clustering, allows each member unit to own PAT connections; multi-session PAT connections have to be forwarded to and owned by the master unit. At the end of a per-session PAT session, the ASA sends a reset and immediately removes the xlate. Such reset causes the end node to immediately release the connection, avoiding the TIME_WAIT state.
b.) Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds. For “hit-and-run” traffic, such as HTTP or HTTPS, the per-session feature can dramatically increase the connection rate supported by one address. Without the per-session feature, the maximum connection rate for one address for an IP protocol is approximately 2000 per second. With the per-session feature, the connection rate for one address for an IP protocol is 65535/average-lifetime.
By default, all TCP traffic and UDP DNS traffic use a per-session PAT xlate. For traffic that can benefit from multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a per-session deny rule.
5.)Inspection reset action change:
In previous versions, when ASA dropped a packet due to an inspection engine rule, ASA sends RST to the source device of the dropped packet. This behavior could cause resource issues.
In this release, when you configure an inspection engine to use a reset action and a packet triggers a reset, the ASA sends a TCP reset under the following conditions:
•The ASA sends a TCP reset to the inside host when the service resetoutbound command is enabled. (The service resetoutbound command is disabled by default.)
•The ASA sends a TCP reset to the outside host when the service resetinbound command is enabled. (The service resetinbound command is disabled by default)
This behavior ensures that a reset action will reset the connections on the ASA and on inside servers; therefore countering denial of service attacks. For outside hosts, the ASA does not send a reset by default and information is not revealed through a TCP reset.
6.)Increased maximum connection limits for service policy rules:
The maximum number of connections for service policy rules was increased from 65535 to 2000000.