Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 1 Introduction to the Cisco ASA 5500 Series

New Features

IF-MIB ifAlias OID support

The ASA now supports the ifAlias OID. When you browse the IF-MIB, the ifAlias OID will be set
to the value that has been set for the interface description.

Also available in Version 8.4(2).

Remote Access Features

Portal Access Rules

This enhancement allows customers to configure a global clientless SSL VPN access policy to
permit or deny clientless SSL VPN sessions based on the data present in the HTTP header. If
denied, an error code is returned to the clients. This denial is performed before user authentication
and thus minimizes the use of processing resources.

Also available in Version 8.4(2).

Mobile Posture (formerly referred to as AnyConnect Identification Extensions for Mobile Device Detection)

You can now configure the ASA to permit or deny VPN connections to mobile devices, enable or
disable mobile device access on a per-group basis, and gather information about connected mobile
devices based on the mobile device posture data. The following mobile platforms support this
capability: AnyConnect for iPhone/iPad/iPod Versions 2.5.x and AnyConnect for Android Version
2.4.x. You do not need to enable CSD to configure these attributes in ASDM.

Licensing Requirements

Enforcing remote access controls and gathering posture data from mobile devices requires an
AnyConnect Mobile license and either an AnyConnect Essentials or AnyConnect Premium license
to be installed on the ASA. You receive the following functionality based on the license you install:

AnyConnect Premium License Functionality

Enterprises that install the AnyConnect Premium license will be able to enforce DAP policies,
on supported mobile devices, based on these DAP attributes and any other existing endpoint
attributes. This includes allowing or denying remote access from a mobile device.

AnyConnect Essentials License Functionality

Enterprises that install the AnyConnect Essentials license will be able to do the following:

• Enable or disable mobile device access on a per-group basis and configure that feature
using ASDM.

• Display information about connected mobile devices via CLI or ASDM, without the
ability to enforce DAP policies or to deny or allow remote access to those mobile devices.

Also available in Version 8.4(2).

Split Tunnel DNS policy for AnyConnect

This release includes a new policy pushed down to the AnyConnect Secure Mobility Client for
resolving DNS addresses over split tunnels. This policy applies to VPN connections using the SSL
or IPsec/IKEv2 protocol and instructs the AnyConnect client to resolve all DNS addresses through
the VPN tunnel. If DNS resolution fails, the address remains unresolved and the AnyConnect client
does not try to resolve the address through public DNS servers.

By default, this feature is disabled. The client sends DNS queries over the tunnel according to the
split tunnel policy—tunnel all networks, tunnel networks specified in a network list, or exclude
networks specified in a network list.

Also available in Version 8.4(2).

Table 1-6 New Features for ASA Version 8.2(5) (continued)

Columns: Feature, Description
