1-10
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter1 Introduction to the Cisco ASA 5500 Series
New Features
Extended PAT for a PAT pool Each PAT IP address allows up to 65535 ports. If 65535 ports do not provide enough
translations, you can now enable extended PAT for a PAT pool. Extended PAT uses 65535 ports
per service, as opposed to per IP address, by including the destination address and port in the
translation information.
This feature is not available in 8.5(1) or 8.6(1).
Configurable timeout for
PAT xla te
When a PAT xlate times out (by default after 30 seconds), and the ASA reuses the port for a
new translation, some upstream routers might reject the new connection because the previous
connection might still be open on the upstream device. The PAT xlate timeout is now
configurable, to a value between 30 seconds and 5 minutes.
This feature is not available in 8.5(1) or 8.6(1).
Automatic NAT rules to
translate a VPN peer’s local
IP address back to the peer’s
real IP address
In rare situations, you might want to use a VPN peer’s real IP address on the inside network
instead of an assigned local IP address. Normally with VPN, the peer is given an assigned local
IP address to access the inside network. However, you might want to translate the local IP
address back to the peer’s real public IP address if, for example, your inside servers and
network security is based on the peer’s real IP address.
You can enable this feature on one interface per tunnel group. Object NAT rules are
dynamically added and deleted when the VPN session is established or disconnected. You can
view the rules using the show nat command.
Note Because of routing issues, we do not recommend using this feature unless you know
you need this feature; contact Cisco TAC to confirm feature compatibility with your
network. See the following limitations:
Only supports Cisco IPsec and AnyConnect Client.
Return traffic to the public IP addresses must be routed back to the ASA so the NAT
policy and VPN policy can be applied.
Does not support load-balancing (because of routing issues).
Does not support roaming (public IP changing).
ASDM does not support this command; enter the command using the Command Line Tool.
Remote Access Features
Clientless SSL VPN browser
support
The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9 and Firefox 4.
Compression for DTLS and
TLS
To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect
3.0 or later. Each tunneling method configures compression separately, and the preferred
configuration is to have both SSL and DTLS compression as LZS. This feature enhances
migration from legacy VPN clients.
Note Using data compression on high speed remote access connections passing highly
compressible data requires significant processing power on the ASA. With other
activity and traffic on the ASA, the number of sessions that can be supported on the
platform is reduced.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL
VPN Access > Group Policies > Edit > Edit Internal Group Policy > Advanced > AnyConnect
Client > SSL Compression.
Table1-4 New Features for ASA Version 8.4(3)/ASDM Version 6.4(7) (continued)
Feature Description