Version 7.5(x)
First Published: August 31, 2015
This document contains release information for Cisco ASDM Version 7.5(x) for the Cisco ASA series.
Important Notes
E-mail proxy commands to be deprecated: In ASA Version 9.5(2), the e-mail proxy commands (imap4s,
pop3s, smtps) and subcommands will no longer be supported.
Select AAA commands to be deprecated: In ASA Version 9.5(2), these AAA commands and subcommands
(override-account-disable, authentication crack) will no longer be supported.
CSD commands to be deprecated or migrated: In ASA Version 9.5(2), the CSD commands (csd image, show
webvpn csd image, show webvpn csd, show webvpn csd hostscan, show webvpn csd hostscan image)
will no longer be supported.
The following CSD commands will migrate: csd enable migrates to hostscan enable; csd hostscan image
migrates to hostscan image.
System Requirements
Operating System | Browser: Internet Explorer | Browser: Firefox | Browser: Safari | Browser: Chrome | Java SE Plug-in
8, 7, Server 2008, Server 2012 | Yes | Yes | No support | Yes | 7.0 or later
 | No support | Yes | Yes | Yes (64-bit version only) | 7.0 or later
Desktop, Desktop with Workstation | N/A | Yes | N/A | Yes | 7.0 or later
Table 2
Java Version | Conditions | Notes
7 update 51
Note: ASDM 7.1(5) and earlier are not supported with Java 7 update
51. If you already upgraded Java, and can no longer launch ASDM in
order to upgrade it to Version 7.2 or later, then you can either use the
CLI to upgrade ASDM, or you can add a security exception in the Java
Control Panel for each ASA you want to manage with ASDM. See the
Workaround section at:
http://java.com/en/download/help/java_blocked.xml
After adding the security exception, launch the older ASDM and then
upgrade to 7.2 or later.
In rare cases, online help does not load when using Java Web Start
In rare cases, when launching online help, the browser window loads,
but the content fails to appear. The browser reports an error: Unable
to connect.
Workaround:
7 update 45
All
Self-signed certificate or an untrusted certificate
IPv6
Chrome
For Internet Explorer 9.0 for servers, the "Do not save encrypted
pages to disk" option is enabled by default (see Tools > Internet
Options > Advanced). This option causes the initial ASDM download
to fail. Be sure to disable this option to allow ASDM to download.
OS X
On OS X, you may be prompted to install Java the first time you run
ASDM; follow the prompts as necessary. ASDM will launch after the
installation completes.
All
You need to allow ASDM to run because it is not signed with an Apple
Developer ID. If you do not change your security preferences, you see
an error screen.
2. You see a similar error screen; however, you can open ASDM
from this screen. Click Open. The ASDM-IDM Launcher opens.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
Table 3
Feature
Description
Platform Features
Microsoft Hyper-V supervisor support
The ASAv5 now only requires 1 GB RAM to operate. Formerly, it required 2 GB. For
already-deployed ASAv5s, you should reduce the allocated memory to 1 GB or you
will see an error that you are using more memory than is licensed.
Firewall Features
GTPv2 inspection and improvements to GTPv0/1 inspection
GTP inspection can now handle GTPv2. In addition, GTP inspection for all versions
now supports IPv6 addresses.
We modified the following screen: Configuration > Firewall > Objects > Inspect
Maps > GTP
IP Options inspection improvements
IP Options inspection now supports all possible IP options. You can tune the
inspection to allow, clear, or drop any standard or experimental options, including
those not yet defined. You can also set a default behavior for options not explicitly
defined in an IP options inspection map.
We modified the following screen: Configuration > Firewall > Objects > Inspect
Maps > IP Options
Carrier Grade NAT enhancements
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host,
rather than have NAT allocate one port translation at a time (see RFC 6888).
We introduced the following screen: Configuration > Firewall > Advanced > PAT
Port Block Allocation. We added Enable Block Allocation to the object NAT and twice
NAT dialog boxes.
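The following Python sketch is an added illustration of per-host port block allocation, not Cisco code. It shows why block allocation helps incident attribution: one log record per block is enough to map an observed public source port back to an inside host. The port range, block sizes, host addresses and all names are assumptions, and port release is not modelled.

```python
# Assumed values for this sketch, not taken from the release note.
PORT_MIN, PORT_MAX = 1024, 65535

class BlockPat:
    """Toy PAT pool that hands each inside host a contiguous block of ports."""

    def __init__(self, block_size=512):
        self.block_size = block_size
        last_start = PORT_MAX - block_size + 1
        self.free = list(range(PORT_MIN, last_start + 1, block_size))
        self.current = {}   # host -> [block_start, next_unused_port]
        self.log = []       # one (time, host, first_port, last_port) per block

    def translate(self, t, host):
        """Return the mapped source port for a new connection from host."""
        blk = self.current.get(host)
        if blk is None or blk[1] >= blk[0] + self.block_size:
            if not self.free:
                raise RuntimeError("no free port blocks left in the pool")
            start = self.free.pop(0)
            blk = self.current[host] = [start, start]
            self.log.append((t, host, start, start + self.block_size - 1))
        port = blk[1]
        blk[1] += 1
        return port

    def attribute(self, port):
        """Map an observed public source port back to the inside host."""
        for _t, host, first, last in self.log:
            if first <= port <= last:
                return host
        return None

def demo():
    """Constructed traffic: host A opens 5 connections, host B opens 1."""
    pat = BlockPat(block_size=4)          # tiny block so rollover is visible
    ports = [pat.translate(i, "10.0.0.5") for i in range(4)]
    ports.append(pat.translate(4, "10.0.0.9"))
    ports.append(pat.translate(5, "10.0.0.5"))   # A's block is full: new block
    return pat, ports

if __name__ == "__main__":
    pat, ports = demo()
    print(ports, len(pat.log), pat.attribute(1026))
```

Six translations produce only three log records here, and every port in a logged block resolves to exactly one host.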
You can now use inter-site clustering for Spanned EtherChannels in routed mode.
To avoid MAC address flapping, configure a site ID for each cluster member so that
a site-specific MAC address for each interface can be shared among a site's units.
We modified the following screen: Configuration > Device Management > High
Availability and Scalability > ASA Cluster > Cluster Configuration
Table 4
Feature
Description
You can now customize the auto-rejoin behavior when an interface or the cluster
control link fails.
We introduced the following screen: Configuration > Device Management > High
Availability and Scalability > ASA Cluster > Auto Rejoin
This feature helps eliminate the unnecessary work related to short-lived flows by
delaying the director/backup flow creation.
We introduced the following screen: Configuration > Device Management > High
Availability and Scalability > ASA Cluster Replication
Also available for the Firepower 9300 ASA security module in Version 9.4(1.152).
Disable health monitoring of a hardware module in ASA clustering
By default when using clustering, the ASA monitors the health of an installed
hardware module such as the ASA FirePOWER module. If you do not want a
hardware module failure to trigger failover, you can disable module monitoring.
We modified the following screen: Configuration > Device Management > High
Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring
On the ASA 5506H only, you can now configure the Management 1/1 interface as
the failover link. This feature lets you use all other interfaces on the device as data
interfaces. Note that if you use this feature, you cannot use the ASA Firepower
module, which requires the Management 1/1 interface to remain as a regular
management interface.
We modified the following screen: Configuration > Device Management > High
Availability and Scalability > Failover > Setup
Routing Features
Support for IPv6 in Policy Based Routing
You can configure Identity Firewall and Cisco TrustSec and then use Identity Firewall
and Cisco TrustSec ACLs in Policy Based Routing route maps.
We modified the following screen: Configuration > Device Setup > Routing > Route
Maps > Add Route Maps > Match Clause
To segregate and isolate management traffic from data traffic, the ASA now
supports a separate routing table for management-only interfaces.
We modified the following screen: Configuration > Device Setup > Interface
Settings > Interfaces > Add/Edit Interface > General
The ASA now allows PIM-SSM packets to pass through when you enable multicast
routing, unless the ASA is the Last-Hop Router. This feature allows greater flexibility
in choosing a multicast group while also protecting against different attacks; hosts
only receive traffic from explicitly-requested sources.
We did not modify any screens.
ASA VPN code has been enhanced to support full IPv6 capabilities. No configuration
change is necessary for the administrator.
Added support and a predefined application template for this new SharePoint
version.
We modified the following screen: Configuration > Remote Access VPN >
Clientless SSL VPN Access > Portal > Bookmarks > Add Bookmark List > Select
Bookmark Type > Predefined application templates
The overall banner length, which is displayed during post-login on the VPN remote
client portal, has increased from 500 to 4000.
We modified the following screen: Configuration > Remote Access VPN > ....
Add/Edit Internal Group Policy > General Parameters > Banner
This release supports Cisco Easy VPN on the ASA 5506-X series and for the ASA
5508-X. The ASA acts as a VPN hardware client when connecting to the VPN
headend. Any devices (computers, printers, and so on) behind the ASA on the Easy
VPN port can communicate over the VPN; they do not have to run VPN clients
individually. Note that only one ASA interface can act as the Easy VPN port; to
connect multiple devices to that port, you need to place a Layer 2 switch on the port,
and then connect your devices to the switch.
We introduced the following screen: Configuration > VPN > Easy VPN Remote
Monitoring Features
Show invalid usernames in syslog messages
You can now show invalid usernames in syslog messages for unsuccessful login
attempts. The default setting is to hide usernames when the username is invalid or
if the validity is unknown. If a user accidentally types a password instead of a
username, for example, then it is more secure to hide the username in the
resultant syslog message. You might want to show invalid usernames to help with
troubleshooting login issues.
We modified the following screen: Configuration > Device Management > Logging
> Syslog Setup
This feature is also available in 9.2(4) and 9.3(3).
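The same hide-by-default rule can be applied in a log pipeline that forwards failed-login events. The Python below is an added example, not Cisco code: the log line layout, the sample lines and all function names are assumptions constructed for illustration and do not reproduce ASA message formats.

```python
import re

# Assumed, simplified event layout (constructed for this example); real ASA
# syslog messages vary by message ID and are not reproduced here.
FAILED_LOGIN = re.compile(r'^(.*\blogin failed\b.*?\buser=")([^"]*)(".*)$')
MASK = "*****"

def scrub_line(line, known_users, directory_available=True, show_invalid=False):
    """Mask the username in a failed-login line unless it is a known account.

    The name is hidden when it is invalid or when its validity cannot be
    checked (directory_available=False). show_invalid=True disables masking,
    which is the troubleshooting trade-off the release note describes.
    """
    m = FAILED_LOGIN.match(line)
    if not m:
        return line                      # not a failed login: leave untouched
    prefix, user, suffix = m.groups()
    valid = directory_available and user in known_users
    if valid or show_invalid:
        return line
    return prefix + MASK + suffix

def exposed_names(lines, known_users):
    """List invalid usernames that appear in clear text in failed-login lines."""
    found = []
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m and m.group(2) != MASK and m.group(2) not in known_users:
            found.append(m.group(2))
    return found

# Constructed sample lines; the second one is a password typed as a username.
SAMPLE = [
    'Sep 01 10:00:01 fw1 login failed src=192.0.2.10 user="alice" reason="bad password"',
    'Sep 01 10:00:07 fw1 login failed src=192.0.2.10 user="Tr0ub4dor&3" reason="no such user"',
    'Sep 01 10:00:09 fw1 login ok src=192.0.2.10 user="alice"',
]
KNOWN = {"alice", "bob"}

if __name__ == "__main__":
    for line in SAMPLE:
        print(scrub_line(line, KNOWN))
    print("exposed before scrubbing:", exposed_names(SAMPLE, KNOWN))
```

Running `exposed_names` over stored logs is a quick way to find entries written while invalid usernames were being shown, so they can be handled as potential credential exposure.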
8.2(x)
8.4(6)
9.5(1) or later
8.3(x)
8.4(6)
9.5(1) or later
9.5(1) or later
9.5(1) or later
8.5(1)
9.0(4) or 9.1(2)
9.5(1) or later
8.6(1)
9.0(4) or 9.1(2)
9.5(1) or later
9.0(1)
9.0(4) or 9.1(2)
9.5(1) or later
9.0(2) or later
9.5(1) or later
9.1(1)
9.1(2)
9.5(1) or later
9.1(2) or later
9.5(1) or later
9.2(x)
9.5(1) or later
9.3(x)
9.5(1) or later
9.4(x)
9.5(1) or later
For detailed steps about upgrading, see the 9.5 upgrade guide.
Open Bugs
All open bugs severity 3 and higher for each version are included in the following searches:
Resolved Bugs
All resolved bugs for each version are included in the following searches:
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.