Cisco ASA 5505 User Manual



1-8

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 1 Introduction to the Cisco ASA 5500 Series

New Features

Application Inspection Features

SunRPC change from dynamic ACL to pin-hole mechanism

Previously, Sun RPC inspection did not support outbound access lists, because the inspection
engine used dynamic access lists instead of secondary connections.

In this release, when you configure dynamic access lists on the ASA, they are supported on the
ingress direction only and the ASA drops egress traffic destined to dynamic ports. Therefore,
Sun RPC inspection implements a pinhole mechanism to support egress traffic. Sun RPC
inspection uses this pinhole mechanism to support outbound dynamic access lists.

This feature is not available in 8.5(1) or 8.6(1).

Inspection reset action change

Previously, when the ASA dropped a packet due to an inspection engine rule, the ASA sent
only one RST to the source device of the dropped packet. This behavior could cause resource
issues.

In this release, when you configure an inspection engine to use a reset action and a packet
triggers a reset, the ASA sends a TCP reset under the following conditions:

- The ASA sends a TCP reset to the inside host when the service resetoutbound command
  is enabled. (The service resetoutbound command is disabled by default.)

- The ASA sends a TCP reset to the outside host when the service resetinbound command
  is enabled. (The service resetinbound command is disabled by default.)

For more information, see the service command in the ASA command reference.

This behavior ensures that a reset action resets the connection both on the ASA and on the inside
server, thereby countering denial-of-service attacks that rely on half-open connections. For outside
hosts, the ASA does not send a reset by default, so no information is revealed through a TCP reset.

This feature is not available in 8.5(1) or 8.6(1).
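The following configuration fragment is an added example and is not taken from the Cisco guide. It shows an HTTP inspection policy whose violation action is reset, together with the two global service commands described above. The policy-map name HTTP_STRICT and the use of the default global_policy are assumptions; the behaviour of service resetoutbound and service resetinbound is as the page states.

```cisco
! Added example (not from the Cisco guide). Names such as HTTP_STRICT are
! assumed; global_policy and inspection_default are the ASA defaults.
!
! Inspection policy: a matching request triggers the reset action.
policy-map type inspect http HTTP_STRICT
 parameters
 match request method connect
  reset log
!
! Attach the inspection policy to the default global service policy.
policy-map global_policy
 class inspection_default
  inspect http HTTP_STRICT
!
service-policy global_policy global
!
! Default state: both service commands are disabled, so the reset action
! closes the connection on the ASA only and no RST reaches either host.
!
! Send the RST to the inside host as well, so the inside server tears down
! its half-open connection instead of holding it until it times out.
service resetoutbound
!
! Keep RST toward the outside host disabled (the default), so an outside
! sender learns nothing from the reset about which inspection rule matched.
no service resetinbound
```

With this configuration, an inspection-triggered reset clears connection state on the ASA and on the inside server, while the outside host sees only a silently dropped connection. Enable service resetinbound only where you need outside clients to receive an RST and accept that it reveals the inspection decision.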

Platform Features

Improved pseudo-random number generation

Hardware-based noise for additional entropy was added to the software-based random number
generation process. This change makes pseudo-random number generation (PRNG) more
random and more difficult for attackers to get a repeatable pattern or guess the next random
number to be used for encryption and decryption operations. Two changes were made to
improve PRNG:

- Use the current hardware-based RNG for random data to use as one of the parameters for
  the software-based RNG.

- If the hardware-based RNG is not available, use additional hardware noise sources for the
  software-based RNG. Depending on your model, the following hardware sensors are used:

  - ASA 5505: voltage sensors.

  - ASA 5510 and 5550: fan speed sensors.

  - ASA 5520, 5540, and 5580: temperature sensors.

  - ASA 5585-X: fan speed sensors.

We introduced the following commands: show debug menu cts [128 | 129]

This feature is not available in 8.5(1) or 8.6(1).

Module Features

Table 1-3 New Features for ASA Version 8.4(4.1) (continued)

Feature / Description