1-14
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter1 Introduction to the Cisco ASA 5500 Series
New Features
Secure Hash Algorithm
SHA-2 Support for Digital
Signature over IPsec IKEv2
This release supports the use of SHA-2 compliant signature algorithms to authenticate IPsec
IKEv2 VPN connections that use digital certificates, with the hash sizes SHA-256, SHA-384,
and SHA-512.
SHA-2 digital signature for IPsec IKEv2 connections is supported with the AnyConnect Secure
Mobility Client, Version 3.0.1 or later.
Split Tunnel DNS policy for
AnyConnect
This release includes a new policy pushed down to the AnyConnect Secure Mobility Client for
resolving DNS addresses over split tunnels. This policy applies to VPN connections using the
SSL or IPsec/IKEv2 protocol and instructs the AnyConnect client to resolve all DNS addresses
through the VPN tunnel. If DNS resolution fails, the address remains unresolved and the
AnyConnect client does not try to resolve the address through public DNS servers.
By default, this feature is disabled. The client sends DNS queries over the tunnel according to
the split tunnel policy: tunnel all networks, tunnel networks specified in a network list, or
exclude networks specified in a network list.
Also available in Version 8.2(5).
Mobile Posture
(formerly referred to as
AnyConnect Identification
Extensions for Mobile
Device Detection)
You can now configure the ASA to permit or deny VPN connections to mobile devices, enable
or disable mobile device access on a per group bases, and gather information about connected
mobile devices based on a mobile device’s posture data. The following mobile platforms
support this capability: AnyConnect for iPhone/iPad/iPod Versions 2.5.x and AnyConnect for
Android Version 2.4.x.
Licensing Requirements
Enforcing remote access controls and gathering posture data from mobile devices requires an
AnyConnect Mobile license and either an AnyConnect Essentials or AnyConnect Premium
license to be installed on the ASA. You receive the following functionality based on the license
you install:
AnyConnect Premium License Functionality
Enterprises that install the AnyConnect Premium license will be able to enforce DAP
policies, on supported mobile devices, based on these DAP attributes and any other
existing endpoint attributes. This includes allowing or denying remote access from a
mobile device.
AnyConnect Essentials License Functionality
Enterprises that install the AnyConnect Essentials license will be able to do the following:
Enable or disable mobile device access on a per group basis and to configure that
feature using ASDM.
Display information about connected mobile devices via CLI or ASDM without
having the ability to enforce DAP policies or deny or allow remote access to those
mobile devices.
Also available in Version 8.2(5).
Table1-5 New Features for ASA Version 8.4(2) (continued)
Feature Description