New features in version 8.4(3) – Cisco ASA 5505 User Manual

1-9

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 1 Introduction to the Cisco ASA 5500 Series

New Features

New Features in Version 8.4(3)

Released: January 9, 2012

Table 1-4

lists the new features for ASA Version 8.4(3).

ASA 5585-X support for the
ASA CX SSP-10 and -20

The ASA CX module lets you enforce security based on the complete context of a situation.
This context includes the identity of the user (who), the application or website that the user is
trying to access (what), the origin of the access attempt (where), the time of the attempted
access (when), and the properties of the device used for the access (how). With the ASA CX
module, you can extract the full context of a flow and enforce granular policies such as
permitting access to Facebook but denying access to games on Facebook or permitting finance
employees access to a sensitive enterprise database but denying the same to other employees.

We introduced or modified the following commands: capture, cxsc, cxsc auth-proxy, debug
cxsc, hw-module module password-reset, hw-module module reload, hw-module module
reset, hw-module module shutdown, session do setup host ip, session do get-config, session
do password-reset, show asp table classify domain cxsc, show asp table classify domain
cxsc-auth-proxy, show capture, show conn, show module, show service-policy.

This feature is not available in 8.6(1).

ASA 5585-X support for
network modules

The ASA 5585-X now supports additional interfaces on network modules in slot 1. You can
install one or two of the following optional network modules:

•

ASA 4-port 10G Network Module

•

ASA 8-port 10G Network Module

•

ASA 20-port 1G Network Module

This feature is not available in 8.6(1).

Table 1-3

New Features for ASA Version 8.4(4.1) (continued)

Feature

Description

Table 1-4

New Features for ASA Version 8.4(3)

Feature

Description

NAT Features

Round robin PAT pool
allocation uses the same IP
address for existing hosts

When using a PAT pool with round robin allocation, if a host has an existing connection, then
subsequent connections from that host will use the same PAT IP address if ports are available.

We did not modify any commands.

This feature is not available in 8.5(1) or 8.6(1).

Flat range of PAT ports for a
PAT pool

If available, the real source port number is used for the mapped port. However, if the real port
is not available, by default the mapped ports are chosen from the same range of ports as the real
port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only
a small PAT pool.

If you have a lot of traffic that uses the lower port ranges, when using a PAT pool, you can now
specify a flat range of ports to be used instead of the three unequal-sized tiers: either 1024 to
65535, or 1 to 65535.

This feature is not available in 8.5(1) or 8.6(1).