Q. When will the Cisco ASA Software Release 8.2 be available?
A. Cisco® ASA Software Release 8.2 has a targeted release date of April 13, 2009.
Q. How do I obtain Cisco ASA Software Release 8.2?
Q. Is Cisco ASA Software Release 8.2 restricted to certain ASA models?
A. Cisco ASA Software Release 8.2 is available for all Cisco ASA appliance models. However, it is not available for the Cisco PIX® platform family.
Q. When will the Cisco ASA Software Release 8.2 be orderable?
A. The target order date for Cisco ASA Software Release 8.2 is May 2009.
Q. Is there a cost to upgrade to Cisco ASA Software Release 8.2?
A. There is no cost to Cisco SMARTnet® customers to upgrade their Cisco ASA appliance to Cisco ASA Software Release 8.2. Please note that certain features in Cisco ASA Software Release 8.2 require individual licenses. For example, the Botnet Traffic Filter requires an annual license to enable the feature, and there will be a price increase for the Cisco Services for global correlation for IPS. The new Cisco ASA Software Release 8.2 licensed features are discussed in the feature section below.
Cisco ASA Software Release 8.2 Features
Cisco ASA Firewall
Q. What advanced protection is provided by the new Botnet Traffic Filter feature in the Cisco ASA Software Release 8.2?
A. The Botnet Traffic Filter provides visibility into infected endpoints on the network that have circumvented existing infection prevention systems. The Botnet Traffic Filter monitors network ports for rogue activity and detects infected internal endpoints sending command and control traffic to external hosts.
Q. How do I use the Botnet Traffic Filter with my organization's existing Cisco Content Security and IPS solutions?
A. The Botnet Traffic Filter is complementary to existing Cisco security solutions. Cisco Content Security and IPS solutions protect endpoints and servers by identifying and preventing malware. The Botnet Traffic Filter assists in identifying endpoints that have already been infected or have bypassed existing endpoint prevention solutions.
Q. Is the Botnet Traffic Filter’s database the same as the one used by the IronPort® S-Series?
A. No. The databases are not the same. Although both databases are powered by Cisco Security Intelligence Operations, the Botnet Traffic Filter relies on a separate, unique database.
Q. What reports are available with the Botnet Traffic Filter?
A. The Botnet Traffic Filter offers a top infected hosts report, a top botnet domains (or “sites”) report, and a top botnet ports report.
Q. Is there a license to enable the Botnet Traffic Filter?
A. Yes, an annual license is required to enable this feature.
Q. What versions of Simple Network Management Protocol (SNMP) does Cisco ASA Software Release 8.2 support?
A. Cisco ASA Software Release 8.2 supports SNMPv2c and SNMPv3. With SNMPv3, customers can configure secure telemetry with supported SNMP managers and gateways.
Q. Can SNMPv3 be used with the Cisco ASA 5500 Series and with the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS)?
A. In order to use SNMPv3 between a Cisco ASA appliance and Cisco Security MARS, a third-party SNMPv3-to-SNMPv2 gateway must be used.
Q. What are the details of SNMPv3 implementation on Cisco ASA Software Release 8.2?
A. The SNMPv3 implementation for Cisco ASA Software Release 8.2 supports the user-based security model described in RFC 3414 and the view-based access control model described in RFC 3415.
Q. Does Cisco ASA Software Release 8.2 support Cisco NetFlow?
A. Cisco ASA Software Release 8.2 supports the NetFlow Secure Event Logging feature, which uses NetFlow v9 templates. This feature is particularly useful in performing connection logging in high-performance environments.
Q. What does the Cisco ASA Unified Communications Proxy feature for Cisco ASA 5580 provide?
A. The Cisco ASA Unified Communications Proxy feature for the Cisco ASA 5580 extends the popular Unified Communications Proxy features (Phone Proxy, Mobility Proxy, Presence Federation Proxy, and TLS Proxy) to the Cisco ASA 5580. This increases the maximum capacity of the Unified Communications Proxy solution to 10,000 sessions for TLS Proxy, Mobility Proxy, and Presence Federation Proxy, and to 5000 sessions for Phone Proxy.
Q. What new multicast support is provided in Cisco ASA Software Release 8.2?
A. Currently, Cisco ASA Software supports source address Network Address Translation (NAT) on unicast and multicast traffic. However, under certain scenarios, it is necessary to separate internal multicast data streams from external multicast data streams while they are using the same group address. The multicast group NAT feature transfers group addresses of external multicast traffic to other group addresses so that internal hosts can distinguish between the internal and external multicast traffic by subscribing to different multicast groups.
Q. When would it be useful to enable the new TCP state bypass feature in Cisco ASA Software Release 8.2?
A. The TCP state bypass feature allows certain traffic to bypass the TCP state machine. This is particularly useful in asymmetric routing scenarios where two ASA appliances are in different locations and are not Layer 2 adjacent.
Q. How does Cisco ASA Software Release 8.2 improve the Cisco ASA Phone Proxy solution?
A. Cisco ASA Software Release 8.2 includes support of multiple interfaces for the Phone Proxy Media Termination Address. This feature eliminates the need to deploy a NAT device between the internal network and the Cisco ASA Phone Proxy.
Q. Is any new video support included in Cisco ASA Software Release 8.2?
A. Cisco ASA Software Release 8.2 includes enhanced support for H.239 and H.323 Version 6.
Q. Which endpoints have been tested with the H.239 feature in Cisco ASA Software Release 8.2?
A. The H.239 feature has been tested with Tandberg and Polycom video endpoints.
Q. How many VLANs can now be configured on the Cisco ASA 5580?
A. Cisco ASA Software Release 8.2 scales VLAN support to 250 on the ASA 5580.
Q. What Cisco ASA firewall deployment modes are supported for IPv6?
A. IPv6 is supported in both transparent and routed modes. The ASA 8.2 Release introduces transparent mode support.
Q. What new flexible licensing options does Cisco ASA Software Release 8.2 provide?
A. Cisco ASA Software Release 8.2 will support Botnet Traffic Filter licensing, Cisco AnyConnect Essentials licensing, AnyConnect Mobile licensing, and shared licensing.
Cisco ASA VPN
Q. What is the Cisco ASA Software Release 8.2 shared licensing feature?
A. The shared licensing feature enables all internally connected devices in an SSL VPN deployment to share a single SSL VPN license with the total seat count corresponding to the requirements of the deployment. A primary device handles the distribution and management of the shared licenses for all participating devices, while participating devices dynamically obtain (or “lease”) licenses from the primary device.
Q. How do AnyConnect Essentials and AnyConnect Premium differ?
A. Cisco AnyConnect Essentials offers full VPN client connectivity at a lower price than Cisco AnyConnect Premium. Customers who need to deploy clientless SSL or configure Cisco Secure Desktop functions (such as Cisco Secure Desktop Vault, hostscan/posture assessment, cache cleaner, or keystroke logger detection) will appreciate the full feature set offered by Cisco AnyConnect Premium.
Q. Is the AnyConnect Mobile feature compatible with AnyConnect Essentials or shared licenses?
A. The AnyConnect Mobile feature is compatible with AnyConnect Premium, AnyConnect Essentials and shared licenses. The AnyConnect Mobile license is required for each individual platform, regardless of shared licenses or AnyConnect Essentials.
Q. Where can I find more information regarding the licensing options for a Cisco secure remote access solution?
A. Please refer to the following document:
Cisco ASA 5500 Series Adaptive Security Appliance Licensing Information at http://www.cisco.com/en/US/products/ps6120/products_licensing_information_listing.html.
Cisco ASA IPS
Q. Can the Cisco ASA 5500 Series IPS solution support hybrid IPv6 and IPv4 deployments?
A. Yes. The Cisco ASA 5500 Series IPS solution provides protection for pure IPv6 deployments, pure IPv4 deployments, and hybrid IPv6 and IPv4 deployments with a single appliance, for maximum deployment flexibility and investment protection.
Q. Which versions of Cisco ASA Software are required to support IPv6 for IPS?
A. In order to support IPv6 for IPS, Cisco ASA devices must be running a minimum of Cisco ASA Software Release 8.2 and a minimum of Cisco IPS Sensor Software Release 6.2 and E3 engine on the IPS module.
Q. Are the IPv6 for IPS capabilities on Cisco IPS Sensor Software Release 6.2 National Security Agency (NSA) approved?
A. Yes. The IPv6 for IPS capabilities on Cisco IPS Sensor Software Release 6.2 are NSA approved.
Q. What management applications can be used to configure the Cisco ASA AIP SSMs to protect my IPv6 network?
A. The Cisco Adaptive Security Device Manager (ASDM), Cisco IPS Device Manager (IDM), or Cisco IPS Manager Express (IME) can be used to configure the IPv6 and IPv4 IPS capabilities on the Cisco ASA AIP SSMs.
Cisco ASA IPS SSC
Q. What is the Cisco AIP SSC-5?
A. The Cisco Advanced Inspection and Protection Security Services Card 5 (AIP SSC-5) delivers up to 75 Mbps of IPS throughput for the Cisco ASA 5505.
Q. What management applications can I use to configure the Cisco AIP SSC-5?
A. You can use Cisco ASDM, Cisco IPS Device Manager, or Cisco IPS Manager Express to configure the Cisco AIP SSC-5.
Q. How is the Cisco AIP SSC-5 physically different from the Cisco AIP SSM-10, AIP SSM-20, and AIP SSM-40?
A. The Cisco AIP SSC-5 uses a smaller form factor than the AIP SSM-10, AIP SSM-20, and AIP SSM-40. While AIP SSM modules can be used in ASA 5510, 5520, and 5540 appliances, the Cisco AIP SSC-5 can only be used in ASA 5505 appliances. Also, the Cisco AIP SSM-10, AIP SSM-20, and AIP SSM-40 have a dedicated IPS management port. The Cisco AIP SSC-5 is managed via the management port on the host ASA 5505 appliance. The Cisco AIP SSC-5 does not have a dedicated IPS management port on the card.
Q. How is the Cisco AIP SSC-5 management different from Cisco AIP SSMs?
A. The Cisco AIP SSC-5 can be managed with the same management applications as the Cisco AIP SSMs (Cisco Security Manager Version 3.3, Cisco Security MARS, Cisco ASDM, Cisco IPS Device Manager, and Cisco IPS Manager Express). Because the Cisco AIP SSC-5 does not have a dedicated management port on the card, it can only be managed via the host ASA 5505 management interface. With the Cisco AIP SSC-5, customers have a choice of initializing via a GUI with the host ASA 5505 Ethernet management port or via the CLI through the console port.
Q. How is the Cisco AIP SSC-5 feature set different from the Cisco AIP SSM-10, AIP SSM-20, and AIP SSM-40?
A. The Cisco AIP SSC-5 software is based on the same IPS software as that of the Cisco AIP SSM-10, AIP SSM-20, and AIP SSM-40. However, the Cisco AIP SSC-5 does not support Cisco Global Correlation, Cisco Anomaly Detection, virtualization, or custom signatures. Customers requiring these features should consider the Cisco AIP SSM-10, AIP SSM-20, and AIP SSM-40 modules.
Q. Does the Cisco ASA support global correlation on the IPS modules?
A. Global correlation is supported on the IPS SSM modules, but not on the upcoming IPS SSC modules on the ASA 5505.
Q. Is there a price increase on the IPS modules due to global correlation?
A. The value of global correlation is reflected in an adjustment of IPS subscription services prices.
Q. What signature set is supported on the IPS SSC-5?
A. The IPS SSC-5 supports the same signature set as the IPS SSM modules.
Q. Is the software feature set for IPS SSC-5 the same as the IPS SSM modules?
A. No. There are certain software features that are not supported on the IPS SSM modules, including global correlation, anomaly detection and virtualization.
Q. What is the performance of the IPS SSC card on the ASA 5505?
A. The IPS SSC card has a performance of 75 Mbps.
Q. How would a customer get signature updates on the IPS SSC on the ASA 5505?
A. An IPS subscription service, similar to that for the IPS SSM, is required.
Q. Will there be ASA 5505 IPS bundles?
A. Yes. Two bundles will be available: a 10-user bundle with IPS SSC and Sec Plus, and an unlimited-user bundle with IPS SSC and Sec Plus.
Cisco ASDM
Q. Does Cisco ASDM v6.2 support IPv6?
A. Yes. Cisco ASDM now supports configuring ASA devices over an IPv6 network and creating IPv6 firewall policies.
Q. How can the Cisco ASDM Public Server Configuration Wizard be used?
A. The Cisco ASDM Public Server Configuration Wizard assists with configurations that allow specific traffic to traverse the firewall and access targeted internal servers. For example, this might include public access to email or web servers residing in a company’s DMZ.
Additional Questions
Q. Where can I find a complete list of all the new features in Cisco ASA Software Release 8.2?