New features in version 8.4(2) – Cisco ASA 5505 User Manual

1-12

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 1 Introduction to the Cisco ASA 5500 Series

New Features

New Features in Version 8.4(2)

Released: June 20, 2011

Table 1-5

lists the new features for ASA Version 8.4(2).

Table 1-5

New Features for ASA Version 8.4(2)

Feature

Description

Firewall Features

Identity Firewall

Typically, a firewall is not aware of the user identities and, therefore, cannot apply security
policies based on identity.

The Identity Firewall in the ASA provides more granular access control based on users’
identities. You can configure access rules and security policies based on usernames and user
groups name rather than through source IP addresses. The ASA applies the security policies
based on an association of IP addresses to Windows Active Directory login information and
reports events based on the mapped usernames instead of network IP addresses.

The Identity Firewall integrates with Window Active Directory in conjunction with an external
Active Directory (AD) Agent that provides the actual identity mapping. The ASA uses
Windows Active Directory as the source to retrieve the current user identity information for
specific IP addresses.

In an enterprise, some users log onto the network by using other authentication mechanisms,
such as authenticating with a web portal (cut-through proxy) or by using a VPN. You can
configure the Identity Firewall to allow these types of authentication in connection with
identity-based access policies.

Identity NAT configurable
proxy ARP and route lookup

In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always
used to determine the egress interface. You could not configure these settings. In 8.4(2) and
later, the default behavior for identity NAT was changed to match the behavior of other static
NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress
interface (if specified) by default. You can leave these settings as is, or you can enable or
disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.

For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command)
to 8.4(2) and later now includes the following keywords to disable proxy ARP and to use a
route lookup: no-proxy-arp and route-lookup. The unidirectional keyword that was used for
migrating to 8.3(2) and 8.4(1) is no longer used for migration. When upgrading to 8.4(2) from
8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp
and route-lookup keywords, to maintain existing functionality. The unidirectional keyword
is removed.