Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 1 Introduction to the Cisco ASA 5500 Series
New Features
ARP cache additions for non-connected subnets
By default, the ASA ARP cache contains only entries for directly connected subnets. You can
now allow the cache to also hold entries for subnets that are not directly connected. We do not
recommend enabling this feature unless you understand the security risk: it can facilitate a
denial of service (DoS) attack against the ASA, because a host on any interface could send many
ARP replies and fill the ASA ARP table with false entries.
You may want to use this feature if you use:
- Secondary subnets.
- Proxy ARP on adjacent routes for traffic forwarding.
We introduced the following command: arp permit-nonconnected.
We modified the following screen: Configuration > Device Management > Advanced > ARP >
ARP Static Table.
This feature is not available in 8.5(1), 8.6(1), or 9.0(1).
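The following configuration is added here as an example and is not taken from this guide. It shows the feature enabled for a secondary-subnet deployment on an interface named inside; the interface name, the 10.1.1.0/24 and 10.1.2.0/24 subnets, the host address 10.1.2.10 and its MAC address are assumed values.

```cisco
! Added example, not from the configuration guide. Interface name, subnets,
! host address and MAC address are assumed.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Default behavior: ARP entries for addresses outside 10.1.1.0/24 are not kept
! for "inside". Enabling the feature below lets the cache hold entries for other
! subnets, which is what a flood of forged ARP replies from any interface would
! exploit to fill the table (the DoS risk described above).
arp permit-nonconnected
!
! Static entry for a host on the secondary subnet 10.1.2.0/24 that shares the
! wire with 10.1.1.0/24 (only possible once non-connected entries are allowed)
arp inside 10.1.2.10 0011.2233.4455
!
! Verify which non-connected entries the cache actually holds:
! show arp
!
! Revert as soon as the secondary subnet or proxy-ARP requirement goes away:
! no arp permit-nonconnected
```

Leave the command off unless there is a secondary subnet or proxy-ARP forwarding path that needs it, and after enabling it check show arp periodically so that an unexpectedly growing table of non-connected entries is noticed rather than silently exhausting the cache.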
Increased maximum connection limits for service policy rules
The maximum number of connections for service policy rules was increased from 65535 to
2000000.
We modified the following commands: set connection conn-max, set connection
embryonic-conn-max, set connection per-client-embryonic-max, set connection
per-client-max.
We modified the following screen: Configuration > Firewall > Service Policy Rules >
Connection Settings.
This feature is not available in 8.5(1) or 8.6(1).
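The following service policy is added here as an example and is not taken from this guide. It applies aggregate limits above the old 65535 ceiling to traffic for a group of web servers while keeping per-client limits small; the access list name CONN-LIMIT-ACL, the class name WEB-SERVERS and the 203.0.113.0/24 server range are assumed values.

```cisco
! Added example, not from the configuration guide. ACL name, class name and
! the server address range are assumed.
access-list CONN-LIMIT-ACL extended permit tcp any 203.0.113.0 255.255.255.0 eq 443
!
class-map WEB-SERVERS
 match access-list CONN-LIMIT-ACL
!
! global_policy exists by default; the class is added to it.
policy-map global_policy
 class WEB-SERVERS
  set connection conn-max 500000 embryonic-conn-max 200000
  set connection per-client-max 2000 per-client-embryonic-max 100
!
service-policy global_policy global
!
! Verify the limits and the current/embryonic connection counters per class:
! show service-policy
```

The aggregate values (conn-max, embryonic-conn-max) are the ones the 8.4(5) change lets you raise beyond 65535; the per-client values remain the control against a single source, and reaching the embryonic limit is what causes the ASA to start intercepting TCP handshakes for that class, so size them from observed traffic rather than setting them to the new maximum.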
Remote Access Features
Host Scan support for low bandwidth or high latency networks
Host Scan now contacts the ASA periodically while it compiles and sends its dynamic access
policy (DAP) report to the ASA, and the ASA has increased the timers it uses to wait for the
Host Scan DAP report. This results in more successful VPN connections, especially over high
latency networks such as dial-up or slow broadband.
This feature is not available in 8.5(1), 8.6(1), or 9.0(1).
Monitoring Features
NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to allow polling for
xlate count
Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and
cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count for SNMP.
This data is equivalent to the output of the show xlate count command.
This feature is not available in 8.5(1), 8.6(1), or 9.0(1).
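The following SNMP configuration is added here as an example and is not taken from this guide. It enables authenticated and encrypted SNMPv3 polling from a management station so that the new xlate counters can be read without a clear-text community string; the interface name management, the station address 192.0.2.50, the group and user names, and the password placeholders in angle brackets are assumed values.

```cisco
! Added example, not from the configuration guide. Interface name, NMS
! address, group/user names and the <...> passwords are assumed placeholders.
snmp-server group NMS-RO v3 priv
snmp-server user nms-poller NMS-RO v3 auth sha <auth-password> priv aes 128 <priv-password>
!
! Allow the station to poll only (no traps) with the v3 user above
snmp-server host management 192.0.2.50 poll version 3 nms-poller
!
! Local reference value for what the station reads through the NAT-MIB objects:
! show xlate count
```

On the management station the objects are read by name once the Cisco NAT MIB module that defines the cnat* objects (CISCO-IETF-NAT-MIB, an assumption here) is loaded, for example with snmpwalk against cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount; compare the result with show xlate count on the ASA before trusting it for alerting on translation-table growth.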
NSEL
Flow-update events have been introduced to provide periodic byte counters for flow traffic. You
can change the time interval at which flow-update events are sent to the NetFlow collector, and
you can filter which collectors receive flow-update records.
We introduced the following command: flow-export active refresh-interval.
We modified the following command: flow-export event-type.
This feature is not available in 8.5(1), 8.6(1), or 9.0(1).
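The following NSEL configuration is added here as an example and is not taken from this guide. It sends flow-update records every 5 minutes to one collector only, while a second collector receives the create, teardown and denied events without the periodic updates; the interface name inside, the collector addresses 192.0.2.60 and 192.0.2.61, and UDP port 2055 are assumed values.

```cisco
! Added example, not from the configuration guide. Interface name, collector
! addresses and port are assumed.
flow-export destination inside 192.0.2.60 2055
flow-export destination inside 192.0.2.61 2055
!
! Periodic byte-counter (flow-update) records every 5 minutes (range 1-60)
flow-export active refresh-interval 5
!
policy-map global_policy
 class class-default
  flow-export event-type flow-create destination 192.0.2.60
  flow-export event-type flow-teardown destination 192.0.2.60
  flow-export event-type flow-denied destination 192.0.2.60
  flow-export event-type all destination 192.0.2.61
```

Keep flow-update records on the collector that does long-lived flow accounting (192.0.2.61 above); a collector that only needs the connection lifecycle events is spared the periodic traffic, which is what the per-destination event-type filter is for.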
Table 1-2 New Features for ASA Version 8.4(5)/ASDM Version 7.0(2) (continued)
Feature | Description