1-15
Cisco ASA Series CLI Configuration Guide
Chapter 1 Introduction to the Cisco ASA
New Features
Remote Access VPN support for IPv6:
AnyConnect Client Firewall Rules
Access control rules for client firewalls support access list entries for both IPv4
and IPv6 addresses.
ACLs containing IPv6 addresses can be applied to clients configured to use the
SSL protocol. This feature is not supported for the IKEv2/IPsec protocol.
We modified the following command: anyconnect firewall-rule.
We modified the following screen: Configuration > Remote Access VPN >
Network (Client) Access > Group Policies > (Edit group policy) > Advanced
> AnyConnect Client > Client Firewall.
Remote Access VPN support for IPv6:
Client Protocol Bypass
The Client Protocol Bypass feature allows you to configure how the ASA
manages IPv4 traffic when it is expecting only IPv6 traffic or how it manages
IPv6 traffic when it is expecting only IPv4 traffic.
When the AnyConnect client makes a VPN connection to the ASA, the ASA
could assign it an IPv4, IPv6, or both an IPv4 and IPv6 address. If the ASA
assigns the AnyConnect connection only an IPv4 address or only an IPv6
address, you can now configure the Client Bypass Protocol to drop network
traffic for which the ASA did not assign an IP address, or allow that traffic to
bypass the ASA and be sent from the client unencrypted or “in the clear.”
For example, assume that the ASA assigns only an IPv4 address to an
AnyConnect connection and the endpoint is dual stacked. When the endpoint
attempts to reach an IPv6 address, if Client Bypass Protocol is disabled, the
IPv6 traffic is dropped; however, if Client Bypass Protocol is enabled, the IPv6
traffic is sent from the client in the clear.
This feature can be used by clients configured to use the SSL or IKEv2/IPsec
protocol.
We introduced the following command: client-bypass-protocol.
We modified the following screen: Configuration > Remote Access VPN >
Network (Client) Access > Group Policies > (Group Policy) Advanced >
AnyConnect Client > Client Bypass Protocol.
Remote Access VPN support for IPv6:
IPv6 Interface ID and prefix
You can now specify a dedicated IPv6 address for local VPN users.
This feature benefits users configured to use the SSL protocol. This feature is
not supported for the IKEv2/IPsec protocol.
We introduced the following command: vpn-framed-ipv6-address.
We modified the following screen: Configuration > Remote Access VPN >
AAA/Local Users > Local Users > (Edit User) > VPN Policy.
Remote Access VPN support for IPv6:
Sending ASA FQDN to AnyConnect client
You can return the FQDN of the ASA to the AnyConnect client to facilitate
load balancing and session roaming.
This feature can be used by clients configured to use the SSL or IKEv2/IPsec
protocol.
We introduced the following command: gateway-fqdn.
We modified the following screen: Configuration > Remote Access VPN >
Network (Client) Access > Group Policies > (Edit group policy) > Advanced
> AnyConnect.
Table 1-5 New Features for ASA Version 9.0(1)/ASDM Version 7.0(1) (continued)
Feature Description
To Next Page
Loading...
