Learn the new features of the Cisco ASA Firewall

Introducing some of the features available on the Cisco ASA firewall


The Cisco ASA firewall product line provides advanced stateful firewall and VPN concentrator functionality in one device and, for some models, an integrated intrusion prevention (IPS) module or an integrated Content Security and Control (CSC) module.

This type of Cisco firewall includes many advanced features, such as multiple security contexts (similar to virtual firewalls), transparent (Layer 2) or routed (Layer 3) firewall operation, advanced inspection engines, IPsec VPN, SSL VPN, clientless SSL VPN support and many other features.




In this first article, Ciscodata will give an overview of the outstanding features available on the Cisco ASA firewall appliance product line.

The content will include the following sections:

- Hardware and software compatibility
- VPN parameters
- New features
- Overview of firewall functions
- Overview of VPN functions
- Overview of security contexts

Each deployment involves many different devices, and for the system to operate stably, the first requirement is compatibility between those devices.

1. Cisco ASA compatibility
The first thing to mention is the ASA and ASDM compatibility with typical firewall products such as ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5516-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X.

This diverse combination gives you more solutions, more choices to meet your intended use.

- VPN platforms supported by the Cisco ASA Series

This covers the compatibility of ASA software versions with Adaptive Security Device Manager (ASDM) and Cisco AnyConnect Secure Mobility Client releases.
It also covers the web browsers supported for SSL VPN access to ASA releases and higher versions, the endpoint operating systems supported by AnyConnect Release 3.1 and later, and the IPsec clients supported for VPN access to the ASA.

- Firepower 4100/9300 compatibility with ASA or Firepower Threat Defense

- Firepower 2100 ASA and FXOS bundle versions

- ASAv hypervisor compatibility

- ASA Services Module, IOS and switch compatibility

- ASA REST API compatibility

- ASA 5506W-X wireless software compatibility

- ASA and ASA FirePOWER module compatibility

- ASA 5585-X SSP and network module compatibility

- ASA and Firepower Threat Defense clustering external hardware support

- ASA and Cisco Application Policy Infrastructure Controller (APIC) compatibility

2. New features on Cisco ASA
Cisco ASA software comes in a wide variety of versions, and the most recent features were added in the Version 8.6 update.

The features include:

- Hardware features

- IPS features

- IPS SSP support for ASA 5512-X through ASA 5555-X

Support for the IPS SSP software module on the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X and ASA 5555-X.

- Remote access features

Clientless SSL VPN browser support: the ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9 and Firefox 4. Also available in Version 8.4(3).

- Compression for DTLS and TLS

To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect 3.0 or later. Compression is configured separately for each tunneling method, and the preferred configuration is to set both SSL and DTLS compression to LZS. This feature eases migration from legacy VPN clients.

Note: Using data compression on high-speed remote access connections that transmit highly compressed data requires considerable processing power on the ASA. Combined with other activity and traffic on the ASA, this reduces the number of sessions the platform can support.

3. Client SSL session timeout warning
This feature allows you to create custom messages to alert users that their VPN session is about to end because of inactivity or a session timeout.
It introduces the following command: vpn-session-timeout alert-interval. The feature is also available in Version 8.4(3).
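
The compression guidance and the session timeout warning described above can be checked against a device configuration. The following Python script is an added example, not part of the original article or Cisco's documentation: it parses a constructed running-config excerpt and reports, per group policy, whether compression matches the preferred LZS-on-both setting and whether a session timeout lacks a warning interval. The group-policy names and the exact command syntax (anyconnect ssl/dtls compression, vpn-session-timeout ... alert-interval) are assumptions.

```python
import re

# Constructed sample running-config (not from a real device). Command syntax
# is an assumption based on ASA 8.4(3)/8.6 group-policy configuration.
SAMPLE_CONFIG = """\
group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 vpn-session-timeout 480 alert-interval 5
 webvpn
  anyconnect ssl compression lzs
  anyconnect dtls compression lzs
group-policy GP-VENDOR internal
group-policy GP-VENDOR attributes
 vpn-session-timeout 120
 webvpn
  anyconnect ssl compression deflate
"""

def parse_group_policies(config_text):
    """Collect compression and session-timeout settings per group policy.
    Absent settings are recorded as "none"/None; inheritance is not modelled."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = policies.setdefault(m.group(1), {
                "ssl": "none", "dtls": "none", "timeout": None, "alert": None})
        elif not raw.startswith(" "):
            current = None  # a top-level line ends the attributes block
        elif current is not None:
            m = re.match(r"anyconnect (ssl|dtls) compression (\S+)$", line)
            if m:
                current[m.group(1)] = m.group(2)
            m = re.match(r"vpn-session-timeout (\d+)(?: alert-interval (\d+))?$", line)
            if m:
                current["timeout"] = int(m.group(1))
                current["alert"] = int(m.group(2)) if m.group(2) else None
    return policies

def audit(policies):
    """Return (policy, finding) pairs for non-preferred compression or a missing warning."""
    out = []
    for name, p in sorted(policies.items()):
        if (p["ssl"], p["dtls"]) not in (("lzs", "lzs"), ("none", "none")):
            out.append((name, "compression is not LZS on both SSL and DTLS"))
        if p["timeout"] is not None and p["alert"] is None:
            out.append((name, "session timeout set without an alert interval"))
    return out

def compression_enabled(policies):
    """Policies whose tunnels compress traffic and so cost ASA CPU per session."""
    return sorted(n for n, p in policies.items() if (p["ssl"], p["dtls"]) != ("none", "none"))
```

The list returned by compression_enabled is the set of policies to weigh against the session-capacity note above when sizing the platform.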

4. Multiple context mode features
Automatic generation of a MAC address prefix

In multiple context mode, the ASA now converts the automatic MAC address generation configuration to use a default prefix. The ASA generates the prefix automatically from the last two bytes of the interface MAC address. This conversion happens automatically when you reload, or if you re-enable MAC address generation.

The prefix method of generation offers many benefits, including better assurance of unique MAC addresses on a segment. You can view the automatically generated prefix by entering the show running-config mac-address command. If you want to change the prefix, you can reconfigure the feature with a custom prefix. The legacy method of MAC address generation is no longer available.

Note: To avoid disrupting upgrades of failover pairs, the ASA does not convert the MAC address method in an existing configuration on reload if failover is enabled. However, we strongly recommend that you manually change to the prefix method