Cisco ASA 5500 Series Adaptive Security Appliances

Cisco ASA 5500 Series Release Notes, Version 7.1(1)

Table Of Contents

Cisco ASA 5500 Series Release Notes Version 7.1(1)

Contents

Introduction

System Requirements

Memory Requirements

Determining the Software Version

Upgrading to a New Software Version

New Features

Support for Content Security and Control SSM

Cisco Secure Desktop

Customized Access Control Based on CSD Host Checking

SSL VPN Client

Authentication and Authorization Enhancements

Override Account Disabled

LDAP Support

Password Management

SSO

Tunnel Group and Group Policy Enhancements

WebVPN Tunnel Group Type

Group-Based DNS Configuration for WebVPN

New Login Page Option for WebVPN Users

Group Alias and Group URL

WebVPN Functions and Performance Optimizations

Citrix Support for WebVPN

PDA Support for WebVPN

WebVPN Support of Character Encoding for CIFS Files

Compression for WebVPN and SSL VPN Client Connections

Active/Standby Stateful Failover for WebVPN and SVC Connections

WebVPN Customization

ASDM Improvements

Management and Monitoring Support for the CSC SSM

Syslog to Access Rule Correlation

Customized Syslog Coloring

Auto Applet Download

Important Notes

SSL VPN licenses

WebVPN and Subinterfaces

ActiveX and WebVPN

CIFS Files

Failover and WebVPN and SVC connections

FIPS 140-2

WebVPN ACLS and DNS Hostname

Proxy Server and ASA

Mismatch PFS

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

VPN Load Balancing Requirements

User Upgrade Guide

Features not Supported in Version 7.1(1)

MIB Support

Downgrading to a Previous Version

Open Caveats, Release 7.1(1)

Caveats, Release 7.0(4)

Open Caveats - Release 7.0(4)

Resolved Caveats Open in Release 7.0(4)

Related Documentation

Software Configuration Tips on the Cisco TAC Home Page

Obtaining Documentation

Cisco.com

Product Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Obtaining Technical Assistance

Cisco Technical Support & Documentation Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information


Cisco ASA 5500 Series Release Notes Version 7.1(1)


February 2006

Contents

This document includes the following sections:

Introduction

System Requirements

New Features

Important Notes

Open Caveats, Release 7.1(1)

Caveats, Release 7.0(4)

Related Documentation

Obtaining Documentation

Documentation Feedback

Cisco Product Security Overview

Obtaining Technical Assistance

Obtaining Additional Publications and Information

Introduction

The Cisco ASA 5500 series security appliances are purpose-built solutions that combine best-of-breed security and VPN services with the innovative Cisco Adaptive Identification and Mitigation (AIM) architecture. Designed as a key component of the Cisco Self-Defending Network, the adaptive security appliance provides proactive threat defense that stops attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity. The result is a powerful multifunction adaptive security appliance family that provides the security breadth and depth for protecting small and medium-sized business and enterprise networks while reducing the overall deployment and operations costs and complexity associated with providing this new level of security. This version introduces significant enhancements to major functional areas, including new Anti-X services, VPN services, and management and monitoring.

For more information on all the new features, see New Features.

Additionally, the adaptive security appliance software supports Adaptive Security Device Manager. ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use Web-based management interface. Bundled with the adaptive security appliance, ASDM accelerates security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of the adaptive security appliance. Its secure, web-based design enables anytime, anywhere access to adaptive security appliances.

System Requirements

The sections that follow list the system requirements for operating an adaptive security appliance. This section includes the following topics:

Memory Requirements

Determining the Software Version

Upgrading to a New Software Version

Memory Requirements

Table 1 lists the DRAM memory requirements for the adaptive security appliance.

Table 1 DRAM Memory Requirements

ASA Model    DRAM Memory
ASA 5510     256 MB
ASA 5520     512 MB
ASA 5540     1 GB


All adaptive security appliances require a minimum of 64 MB of internal CompactFlash.

Determining the Software Version

Use the show version command to verify the software version of your adaptive security appliance.

Upgrading to a New Software Version

If you have a Cisco.com (CDC) login, you can obtain software from the following website:

http://www.cisco.com/public/sw-center/products.shtml

When you upgrade from Version 7.0(x) to 7.1(1), or downgrade from 7.1(1) to 7.0(x), you must also upgrade or downgrade the ASDM image to match, because older ASA images do not recognize new ASDM images and new ASA images do not recognize old ASDM images.

You can also use the command-line interface to download the image; see the "Downloading Software or Configuration Files to Flash Memory" section in the Cisco Security Appliance Command Line Configuration Guide.

To upgrade from Version 7.0(x) to 7.1(1), perform the following steps:


Step 1 Load the new 7.1(1) image from the following website: http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 2 Reload the device so that it uses the 7.1(1) image.

Step 3 Load the new ASDM 5.1.1 image from the following website: http://www.cisco.com/pcgi-bin/tablebuild.pl/asa.


To downgrade from Version 7.1(1) to 7.0(x), perform the following steps:


Step 1 Load the 7.0(x) image from the following website: http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 2 Reload the device so that it uses the 7.0(x) image.

Step 3 Load the ASDM 5.0(x) image from the following website: http://www.cisco.com/pcgi-bin/tablebuild.pl/asa.
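The upgrade steps above, carried out from the appliance CLI, as an added example that is not part of these release notes. The TFTP server address 192.0.2.10, the image file names asa711-k8.bin and asdm-511.bin, and the name of the old 7.0(x) image are assumptions; substitute the files you actually downloaded from Cisco.com.

```cisco
! Added example: upgrading an ASA from 7.0(x) to 7.1(1) and installing the
! matching ASDM 5.1(1) image in the same maintenance window.
! Addresses and file names below are placeholders, not values from the release notes.
!
! 1. Record the running version and confirm there is room in flash.
ciscoasa# show version | include Version
ciscoasa# dir disk0:
!
! 2. Copy the new ASA image and the matching ASDM image into flash.
ciscoasa# copy tftp://192.0.2.10/asa711-k8.bin disk0:/asa711-k8.bin
ciscoasa# copy tftp://192.0.2.10/asdm-511.bin disk0:/asdm-511.bin
!
! 3. Make the new image the first boot entry (boot system entries are tried in
!    order) and point the appliance at the new ASDM image.
ciscoasa# configure terminal
ciscoasa(config)# no boot system disk0:/OLD-70X-IMAGE.bin
ciscoasa(config)# boot system disk0:/asa711-k8.bin
ciscoasa(config)# asdm image disk0:/asdm-511.bin
ciscoasa(config)# write memory
ciscoasa(config)# exit
!
! 4. Reload so the 7.1(1) image is running, then verify both images.
ciscoasa# reload
ciscoasa# show version | include Version
ciscoasa# show asdm image
```

Keeping the old image in flash lets you reverse the procedure by swapping the boot system and asdm image entries back; the downgrade steps above are the same sequence with the 7.0(x) and ASDM 5.0(x) files.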


New Features

This section describes the new features in this version. This section includes the following topics:

Support for Content Security and Control SSM

Cisco Secure Desktop

Customized Access Control Based on CSD Host Checking

SSL VPN Client

Authentication and Authorization Enhancements

Tunnel Group and Group Policy Enhancements

WebVPN Functions and Performance Optimizations

Citrix Support for WebVPN

PDA Support for WebVPN

WebVPN Support of Character Encoding for CIFS Files

Compression for WebVPN and SSL VPN Client Connections

Active/Standby Stateful Failover for WebVPN and SVC Connections

WebVPN Customization

ASDM Improvements

Auto Applet Download

Support for Content Security and Control SSM

This feature combines comprehensive malware protection with advanced message compliance for the multifunction adaptive security appliance. The result is a powerful solution that stops a number of Internet threats including viruses, spyware, spam, hackers, unwelcome visitors and unwanted web content while reducing the operational costs and complexity of deploying and managing multiple point solutions.

The Content Security and Control (CSC) SSM, an integral part of Cisco's Anti-X solution, delivers industry-leading threat protection and content control at the Internet edge, providing comprehensive antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking and filtering, and content filtering services. The CSC SSM services module helps businesses more effectively protect their networks, increase network availability, and increase employee productivity through the following key elements:

Table 2 Key Features and Benefits

Antivirus: Market-leading antivirus, from Trend Micro, shields your internal network resources from both known and unknown virus attacks at the most effective point in your infrastructure, the Internet gateway. By cleaning your email and web traffic at the perimeter, it eliminates the need for resource-intensive malware infection clean-ups and ensures business continuity.

Anti-Spyware: Blocks spyware from entering your network through web traffic (HTTP and FTP) and email traffic. Frees up IT support resources from costly spyware removal procedures and improves employee productivity by blocking spyware at the gateway.

Anti-Spam: Effective blocking of spam with very low false positives helps to restore the effectiveness of your email communications, so contact with customers, vendors, and partners continues uninterrupted.

Anti-Phishing: Identity theft protection guards against phishing attacks, thereby preventing employees from inadvertently disclosing company or personal details that could lead to financial loss.

Automatic Updates from TrendLabs: The solution is backed and supported by one of the largest teams of virus, spyware, and spam experts in the industry, working 24x7 to ensure that your solution provides the most up-to-date protection automatically.

Central Administration: Easy, set-and-forget administration through a remotely accessible web console and automated updates reduces IT support costs.

Real-time protection for Web access, Mail (SMTP and POP3), and FTP (file transfer): Even if the company mail is already protected, many employees access their own private webmail from their company PCs or laptops, introducing yet another entry point for Internet-borne threats. Similarly, employees may directly download programs or files that may be similarly contaminated. Real-time protection of all web traffic at the Internet gateway greatly reduces this often overlooked point of vulnerability.

Full URL filtering capability with categories, scheduling, and cache: URL filtering can be used to control employee Internet usage by blocking access to inappropriate or non-work-related websites, improving employee productivity and limiting the risk of legal action by employees exposed to offensive web content.

Email Content Filtering: Email filtering minimizes legal liability due to exposure to offensive material transferred by email and enforces regulatory compliance, helping organizations meet the requirements of legislation such as GLB and the Data Protection Act.


For more information, see the "Managing the CSC SSM" section in the Cisco Security Appliance Command Line Configuration Guide.

Cisco Secure Desktop

Cisco Secure Desktop (CSD) is an optional Windows software package you can install on the adaptive security appliance to validate the security of client computers requesting access to your SSL VPN, ensure they remain secure while they are connected, and remove all traces of the session after they disconnect.

After a remote PC running Microsoft Windows connects to the adaptive security appliance, CSD installs itself and uses the IP address and presence of specific files, registry keys, and certificates to identify the type of location from which the PC is connecting. Following user authentication, CSD uses optional criteria as conditions for granting access rights. These criteria include the operating system, antivirus software, antispyware, and personal firewall running on the PC.

To ensure security while a PC is connected to your network, the Secure Desktop, a CSD application that runs on Microsoft Windows XP and Windows 2000 clients, limits the operations available to the user during the session. For remote users with administrator privileges, Secure Desktop uses the 168-bit Triple Data Encryption Standard (3DES) to encrypt the data and files associated with or downloaded during an SSL VPN session. For remote users with lesser privileges, it uses the Rivest Cipher 4 (RC4) encryption algorithm. When the session closes, Secure Desktop overwrites and removes all data from the remote PC using the U.S. Department of Defense (DoD) security standard for securely deleting files. This cleanup ensures that cookies, browser history, temporary files, and downloaded content do not remain after a remote user logs out or an SSL VPN session times out. CSD also uninstalls itself from the client PC.

Cache Cleaner, which wipes out the client cache when the session ends, supports Windows XP, Windows 2000, Windows 9x, Linux, and Apple Macintosh OS X clients.

For more information about the CSD features, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators.

Customized Access Control Based on CSD Host Checking

Adaptive security appliances with Cisco Secure Desktop installed can specify an alternative group policy. The adaptive security appliance uses this attribute to limit access rights to remote CSD clients as follows:

Always use it if you set the VPN feature policy to "Use Failure Group-Policy."

Use it if you set the VPN feature policy to "Use Success Group-Policy, if criteria match" and the criteria then fail to match.

This attribute specifies the name of the alternative group policy to apply. Choose a group policy to differentiate access rights from those associated with the default group policy. The default value is DfltGrpPolicy.


Note The adaptive security appliance does not use this attribute if you set the VPN feature policy to "Always use Success Group-Policy."


For more information, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators.

SSL VPN Client

The SSL VPN Client (SVC) is a VPN tunneling technology that gives remote users the connectivity benefits of an IPSec VPN client without the need for network administrators to install and configure IPSec VPN clients on remote computers. SVC uses the SSL encryption that is already present on the remote computer as well as the WebVPN login and authentication of the adaptive security appliance.

To establish an SVC session, the remote user enters the IP address of a WebVPN interface of the adaptive security appliance in the browser, and the browser connects to that interface and displays the WebVPN login screen. If the user satisfies the login and authentication, and the adaptive security appliance identifies the user as requiring the SVC, the adaptive security appliance downloads the SVC to the remote computer. If the adaptive security appliance identifies the user as having the option to use the SVC, the adaptive security appliance downloads the SVC to the remote computer while presenting a link on the user screen to skip the SVC installation.

After downloading, the SVC installs and configures itself. When the connection terminates, the SVC either remains on or uninstalls itself from the remote computer, depending on the configuration.

You can configure SVC with ASDM or with CLI commands.

For more information, see "Configuring SSL VPN Client" in Cisco Security Appliance Command Line Configuration Guide.

Authentication and Authorization Enhancements

Release 7.1(1) includes the following authentication and authorization enhancements.

Override Account Disabled

You can configure the adaptive security appliance to override an account-disabled indication from a AAA server and allow the user to log on anyway.

For more information, see "Configuring IPSec Remote-Access Tunnel Group General Attributes" in Cisco Security Appliance Command Line Configuration Guide. For a complete description of the override account disabled command syntax, see the Cisco Security Appliance Command Reference.

LDAP Support

You can configure the security appliance to authenticate and authorize IPSec VPN users, SSL VPN clients, and WebVPN users to an LDAP directory server. During authentication, the security appliance acts as a client proxy to the LDAP server for the VPN user, and authenticates to the LDAP server in either plain text or using the Simple Authentication and Security Layer (SASL) protocol. The security appliance supports any LDAP V3 or V2 compliant directory server. It supports password management features only on the Sun Microsystems Java System Directory Server and the Microsoft Active Directory server.

For more information, see "LDAP Server Support" in Cisco Security Appliance Command Line Configuration Guide.

Password Management

You can configure the adaptive security appliance to warn end users when their passwords are about to expire. When you configure this feature, the adaptive security appliance notifies the remote user at login that the current password is about to expire or has expired. The adaptive security appliance then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. This command is valid for AAA servers that support such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The adaptive security appliance ignores this command if RADIUS or LDAP authentication has not been configured.

Note that this command does not change the number of days before the password expires, but rather specifies the number of days before expiration that the adaptive security appliance starts warning the user that the password is about to expire. The default value is 14 days.

For LDAP server authentication only, you can specify a specific number of days before expiration to begin warning the user about the pending expiration.

For more information, see "Managing Passwords" in Cisco Security Appliance Command Line Configuration Guide. For a complete description of the password management command syntax, see the Cisco Security Appliance Command Reference.
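The three authentication enhancements above (override account disabled, LDAP support, and password management) applied to one IPSec remote-access tunnel group, as an added example that is not part of these release notes. The server group name CORP-LDAP, the host 192.0.2.20, the directory DNs, the bind password placeholder, and the tunnel group name RA-EMPLOYEES are constructed for illustration.

```cisco
! Added example: LDAP authentication for a remote-access tunnel group with
! password-expiry warnings and account-disabled override.
! All names, addresses and DNs are constructed placeholders.
aaa-server CORP-LDAP protocol ldap
aaa-server CORP-LDAP (inside) host 192.0.2.20
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password BIND-PASSWORD-PLACEHOLDER
 ! Protect the bind credentials and user passwords on the wire.
 ldap-over-ssl enable
 server-port 636
 ! Password management is supported only on Microsoft AD and Sun directory servers.
 server-type microsoft
!
tunnel-group RA-EMPLOYEES type ipsec-ra
tunnel-group RA-EMPLOYEES general-attributes
 authentication-server-group CORP-LDAP
 ! Start warning users 7 days before expiry instead of the default 14.
 ! (Only the LDAP server type honours the day count.)
 password-management password-expire-in-days 7
 ! Allow a login even when the AAA server reports the account as disabled.
 ! This bypasses the directory's own control, so enable it only on purpose.
 override-account-disable
```

With a RADIUS server group in place of CORP-LDAP, password-management still works but the password-expire-in-days value is ignored, as the text above notes; the warning is driven by the RADIUS server's own response instead.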

SSO

Single sign-on (SSO) support lets WebVPN users enter a username and password only once to access multiple protected services and web servers. You can choose among the following methods to configure SSO:

Computer Associates eTrust SiteMinder SSO server (formerly Netegrity SiteMinder)—You typically would choose to implement SSO with SiteMinder if your Web site security infrastructure already incorporates SiteMinder.

HTTP Forms—A common and standard approach to SSO authentication that can also qualify as a AAA method. You can use it with other AAA servers such as RADIUS or LDAP servers.

SSO with Basic HTTP and NTLM Authentication—The simplest of the three SSO methods passes WebVPN login credentials for authentication through to internal servers using basic HTTP or NTLM authentication. This method does not require an external SSO server.

For more information, see "Using Single Sign-on with WebVPN" in Cisco Security Appliance Command Line Configuration Guide.

Tunnel Group and Group Policy Enhancements

Release 7.1(1) includes the following new tunnel group and group policy enhancements.

WebVPN Tunnel Group Type

This version adds a WebVPN tunnel group, which lets you configure a tunnel group with WebVPN-specific attributes, including the authentication method to use, the WebVPN customization to apply to the user GUI, the DNS group to use, alternative group names (aliases), group URLs, the NBNS server to use for CIFS name resolution, and an alternative group policy to apply to CSD users to limit access rights to remote CSD clients.

For more information, see "Configuring Tunnel Groups" in Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Group-Based DNS Configuration for WebVPN

You can define a list of DNS servers under a group. The list of DNS servers available to a user depends on the group that the user is assigned to. You can specify the DNS server to use for a WebVPN tunnel group. The default value is DefaultDNS.

For more information, see "Group Policies" in Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

New Login Page Option for WebVPN Users

You can optionally configure WebVPN to display a user login page that offers the user the opportunity to select the tunnel group to use for login. If you configure this option, the login page displays an additional field offering a drop-down menu of groups from which to select. The user is authenticated against the selected group.

For more information, see "Configuring User Attributes" in Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Group Alias and Group URL

You can create one or more alternate names by which the user can refer to a tunnel group by specifying one or more group aliases. The group aliases that you specify here appear in the drop-down list on the user login page. Each group can have multiple aliases or no alias. If you want the actual name of the tunnel group to appear on this list, specify it as an alias. This feature is useful when the same group is known by several common names, such as "Devtest" and "QA".

Specifying a group URL eliminates the need for the user to select a group at login. When a user logs in, the adaptive security appliance looks for the user's incoming URL in the tunnel-group-policy table. If it finds the URL and this feature is enabled, the adaptive security appliance automatically selects the appropriate server and presents the user with only the username and password fields in the login window. If the URL is disabled, the drop-down list of groups also appears, and the user must make the selection.

You can configure multiple URLs (or no URLs) for a group. You can enable or disable each URL individually. You must use a separate specification (group-url command) for each URL. You must specify the entire URL, which can use either the HTTP or HTTPS protocol.

You cannot associate the same URL with multiple groups. The adaptive security appliance verifies the uniqueness of the URL before accepting the URL for a tunnel group.

For more information, see "Configuring Tunnel Groups" in Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
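A WebVPN tunnel group that ties together the group-based DNS list, the login-page group selection, group aliases, and a group URL described in the sections above, as an added example that is not part of these release notes. The DNS group ENG-DNS, the address 192.0.2.53, the group policy and tunnel group names, and the hostname asa.example.com are constructed for illustration.

```cisco
! Added example: a WebVPN-type tunnel group using the 7.1(1) group enhancements.
! All names, addresses and the hostname are constructed placeholders.
!
! DNS servers that only members of this group will use for name resolution.
dns server-group ENG-DNS
 name-server 192.0.2.53
 domain-name eng.example.com
!
group-policy ENG-POLICY internal
!
tunnel-group ENGINEERING type webvpn
tunnel-group ENGINEERING general-attributes
 default-group-policy ENG-POLICY
tunnel-group ENGINEERING webvpn-attributes
 dns-group ENG-DNS
 ! Both aliases appear in the login-page drop-down; the real name "ENGINEERING"
 ! would have to be added as an alias too if you wanted it listed.
 group-alias Devtest enable
 group-alias QA enable
 ! Users who arrive at this URL skip group selection and see only
 ! the username and password fields. A URL can belong to one group only.
 group-url https://asa.example.com/eng enable
!
webvpn
 enable outside
 ! Show the tunnel-group drop-down on the WebVPN login page.
 tunnel-group-list enable
```

If tunnel-group-list is left disabled, users who do not come in through a group URL are authenticated against the default WebVPN tunnel group instead of a group they choose.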

WebVPN Functions and Performance Optimizations

This version enhances WebVPN performance and functions through the following components:

Flexible content transformation/rewriting that includes complex JavaScript, VBScript, and Java

Server-side and browser caching

Compression

Proxy bypass

Application Profile Customization Framework support

Application keep-alive and timeout handling

Support for logical (VLAN) interfaces

For more information, see "Optimizing WebVPN Performance" in Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Citrix Support for WebVPN

WebVPN users can now use a connection to the adaptive security appliance to access Citrix MetaFrame services. In this configuration, the adaptive security appliance functions as the Citrix secure gateway. Therefore, you must configure your Citrix Web Interface software to operate in a mode that does not use the Citrix secure gateway. Install an SSL certificate on the adaptive security appliance interface to which remote users connect using a fully qualified domain name (FQDN); this function does not work if you specify an IP address as the common name (CN) of the SSL certificate. The remote user uses the FQDN to communicate with the adaptive security appliance, so the remote PC must be able to resolve the FQDN through DNS or an entry in the System32\drivers\etc\hosts file. Finally, use the functions command to enable Citrix.

For more information, see "Configuring Access to Citrix MetaFrame Services" in Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

PDA Support for WebVPN

You can access WebVPN from your Pocket PC 2003 or Windows Mobile X. If you are a PDA user, this makes accessing your private network more convenient. This feature requires no configuration.

For more information, see "Using WebVPN with PDAs" in Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

WebVPN Support of Character Encoding for CIFS Files

WebVPN now supports optional character encoding of portal pages to ensure proper rendering of Common Internet File System files in the intended language. The character encoding supports the character sets identified on the following Web page, including Japanese Shift-JIS characters:

http://www.iana.org/assignments/character-sets

Use the character-encoding command to specify the character set to encode in WebVPN portal pages to be delivered to remote users. By default, the encoding type set on the remote browser determines the character set for WebVPN portal pages.

The character-encoding attribute is a global setting that, by default, all WebVPN portal pages inherit. However, you can use the file-encoding command to specify the encoding for WebVPN portal pages from specific CIFS servers. Thus, you can use different file-encoding values for CIFS servers that require different character encodings.

Mapping CIFS servers to their appropriate character encoding, globally with the webvpn character-encoding attribute and individually with file-encoding overrides, provides accurate handling and display of CIFS pages when the proper rendering of file names, directory paths, or page content is an issue.


Tip The character-encoding and file-encoding values do not override the font family used by the browser. You need to complement the setting of one of these values with the page style command in webvpn customization command mode to replace the font family if you are using Japanese Shift_JIS character encoding, or enter the no page style command in webvpn customization command mode to remove the font family.


For more information, see "Configuring File Access" in Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Compression for WebVPN and SSL VPN Client Connections

Compression can reduce the size of the transferred packets and increase communication performance, especially for connections with bandwidth limitations, such as dialup modems and handheld devices used for remote access.

Compression is enabled by default, for both WebVPN and SVC connections. You can configure compression using ASDM or CLI commands.

You can disable compression for all WebVPN or SVC connections with the compression command from global configuration mode.

You can disable compression for a specific group or user for WebVPN connections with the http-comp command, or for SVC connections with the svc compression command, in the group policy or username webvpn modes.

For more information, see "Using SVC Compression" in Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
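The CIFS character-encoding settings from the previous section and the compression controls from this one, shown together in one configuration, as an added example that is not part of these release notes. The CIFS server address 192.0.2.30, the customization name JP-PORTAL, and the group policy HANDHELD-USERS are constructed for illustration.

```cisco
! Added example: global portal encoding with a per-server Shift-JIS override,
! the font-family workaround from the Tip above, and per-group compression
! settings. Addresses and names are constructed placeholders.
webvpn
 enable outside
 ! Default encoding for portal pages; the browser setting is used if this is absent.
 character-encoding iso-8859-1
 ! One file server stores Japanese file names, so override for that server only.
 file-encoding 192.0.2.30 shift_jis
 ! Customization for Shift-JIS users: drop the font family so the browser
 ! picks one that can render the characters.
 customization JP-PORTAL
  no page style
!
! Compression is on by default for WebVPN and SVC; this is the explicit form.
! To turn it off for every connection use: no compression all
compression all
!
! Leave compression on globally but switch it off for one group, for example
! while troubleshooting a client that misbehaves with compressed responses.
group-policy HANDHELD-USERS internal
group-policy HANDHELD-USERS attributes
 webvpn
  http-comp none
  svc compression none
```

The customization is attached to the tunnel group whose users need it (customization JP-PORTAL under that group's webvpn-attributes), so the font change does not affect other portals.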

Active/Standby Stateful Failover for WebVPN and SVC Connections

During a failover, WebVPN and SVC connections, as well as IPSec connections, are reestablished with the secondary, standby security appliance for uninterrupted service. Active/standby failover requires a one-to-one active/standby match for each connection.

A security appliance configured for failover shares authentication information about WebVPN users with the standby security appliance. Therefore, after a failover, WebVPN users do not need to reauthenticate.

For SVC connections, after a failover, the SVC reconnects automatically with the standby security appliance.

For more information, see the section on SVC sessions in Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

WebVPN Customization

You can customize the WebVPN page that users see when they connect to the security appliance, and you can customize the WebVPN home page on a per-user, per-group, or per-tunnel group basis. Users or groups see the custom WebVPN home page after the security appliance authenticates them.

You can use ASDM or CLI commands to customize the WebVPN appearance using Cascading Style Sheet (CSS) parameters. To easily customize, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.

For more information, see "Customizing WebVPN Pages" in Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

ASDM Improvements

ASDM Improvements include the following:

Management and Monitoring Support for the CSC SSM

ASDM Version 5.1 delivers an industry-first solution that blends the simplicity of Trend Micro's HTML-based configuration panels with the ingenuity of ASDM. This helps ensure consistent policy enforcement, and simplifies the complete provisioning, configuration, and monitoring processes for the rich unified threat management functions offered by the CSC SSM. ASDM provides a complementing monitoring solution with a new CSC SSM homepage and new monitoring panels. Once a CSC SSM is installed, the main ASDM homepage is automatically updated to display a new CSC SSM panel, which provides a historic view into threats, e-mail viruses, live events, and vital module statistics such as last installed software/signature updates, system resources, and more. Within the monitoring section of ASDM, a rich set of analysis tools provide detailed visibility into threats, software updates, resource graphs, and more. The Live Security Event Monitor is a new troubleshooting and monitoring tool that provides real-time updates regarding scanned or blocked e-mail messages, identified viruses/worms, detected attacks, and more. It gives administrators the option to filter messages using regular-expression string matching, so specific attack types and messages can be focused on and analyzed in detail.

Syslog to Access Rule Correlation

This ASDM release introduces a new Syslog to Access Rule Correlation tool that greatly enhances day-to-day security management and troubleshooting activities. With this dynamic tool, security administrators can quickly resolve common configuration issues, along with most user and network connectivity problems. Users can select a syslog message within the Real-Time Syslog Viewer panel, and by simply clicking the Create button at the top of the panel, can invoke the access-control options for that specific syslog. Intelligent defaults help ensure that the configuration process is simple, which helps improve operational efficiency and response times for business-critical functions. The Syslog to Access Rule Correlation tool also offers an intuitive view into syslog messages invoked by user-configured access rules.

Customized Syslog Coloring

ASDM allows for rapid critical system message identification and convenient syslog monitoring by allowing the colored grouping of syslog messages according to syslog level. Users can select the default coloring options, or create their own unique colored syslog profiles for ease of identification.

Auto Applet Download

To run a remote application over WebVPN, a user clicks Start Application Access on the WebVPN homepage to download and start a port-forwarding Java applet. To simplify application access and shorten start time, you can now configure WebVPN to automatically download this port-forwarding applet when the user first logs in to WebVPN.

For more information, see "Downloading the Port-Forwarding Applet Automatically" in Cisco Security Appliance Command Line Configuration Guide. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Important Notes

This section lists important notes related to version 7.1(1).

SSL VPN licenses

Beginning with Version 7.1(1), SSL VPN (WebVPN) services require a license. These services are now licensed on a per-user session basis, with licensing levels at 10, 50, 100, 250, 500, 750, 1000, and 2500 user sessions. The complete SSL VPN feature functionality offered by the adaptive security appliance is included in this single SSL VPN license. No per-feature licenses are required. This SSL VPN license has a one-time fee and lasts for the lifetime of the adaptive security appliance. Upon installation of Version 7.1(1) or later, two simultaneous SSL VPN user sessions are included for evaluation.

WebVPN and Subinterfaces

You cannot enable WebVPN on a subinterface.

ActiveX and WebVPN

Many ActiveX controls are custom and require special treatment by WebVPN. Please contact Cisco TAC if your application uses ActiveX controls and you have problems with its functionality over a WebVPN connection (CSCsb85180).

CIFS Files

If a remote user accesses CIFS files using Internet Explorer, the filename in the File Download window might not display some Japanese Shift_JIS characters correctly. However, the Open and Save functions do work properly. This issue does not occur with Netscape.

Failover and WebVPN and SVC connections

To ensure that WebVPN and SVC connections reconnect quickly in the event of a failover, enable the security appliance to respond to incoming client TCP packets with the service resetoutside command from global configuration mode:

[no] service resetoutside

This command causes the security appliance that takes over the existing WebVPN and SVC connections to send TCP RST packets in response to incoming client TCP packets, causing client connections to reestablish quicker. If you do not enable the service resetoutside command, the security appliance drops TCP packets from failed-over connections and waits for each client to reestablish the TCP connection. This may take longer or result in the session being lost due to timeout.

The following example enables the security appliance to send TCP RST packets:

F1-asa1(config)# service resetoutside

FIPS 140-2

The adaptive security appliances are on the FIPS 140-2 Pre-Validation List.

WebVPN ACLS and DNS Hostname

When a deny webtype URL ACL (DNS-based) is defined, but the DNS-based URL is not reachable, the browser displays "DNS Error" popup. The ACL hit counter does not increment.

If an IP address rather than a DNS name defines a deny webtype URL, then the hit counter does record the traffic flow hitting the ACL, and the browser displays a "Connection Error."

Proxy Server and ASA

If WebVPN is configured to use an HTTP(S)-proxy server to service all requests for browsing HTTP and/or HTTPS sites, the client/browser may expect the following behavior:

1. If the ASA cannot communicate with the HTTP or HTTPS proxy server, a "connection error" is displayed on the client browser.

2. If the HTTP(S) proxy cannot resolve or reach the requested URL, it should send an appropriate error to the ASA, which in turn displays it on the client browser.

Only when the HTTP(S) proxy server notifies the ASA of the inaccessible URL, can the ASA notify the client browser about the error.

Mismatch PFS

The PFS setting on the VPN client and the security appliance must match.

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

The adaptive security appliance Outbound/Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and leverage the powerful ACL feature set. ACL-based configurations provide the following benefit:

ACE Insertion capability - System configuration and management is greatly simplified by the ACE insertion capability that allows users to add, delete or modify individual ACEs.

VPN Load Balancing Requirements

VPN load balancing for the adaptive security appliance requires an ASA 5520 or ASA 5540. It also requires a 3DES-AES encryption license.

User Upgrade Guide

For a list of deprecated features, and user upgrade information, go to the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/migr_vpn/index.htm

Features not Supported in Version 7.1(1)

The following features are not supported in Version 7.1(1):

PPPoE

L2TP over IPSec

PPTP

MIB Support

For information on MIB Support, go to:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Downgrading to a Previous Version

To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode. For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Open Caveats, Release 7.1(1)

The following open caveats are new in Release 7.1(1).

CSCsb85180

Terminal Services ActiveX client component is not operational via WebVPN.

Workaround: Use the SSL VPN Client (full-tunnel client) to handle this application.

CSCsc27946

While using WebVPN clientless access to a Domino web access server, you cannot edit the Domino homepage layout. When you try, an Internet Explorer error occurs.

CSCsc93042

Yahoo game Java applets might fail to load through the WebVPN rewrite engine.

Workaround: Load the Java applet directly, not through WebVPN.

CSCsd00382

SVC connections have downloadable access-lists associated with them. Logging off the session (vpn-sessiondb logoff command) might result in the access-list remaining on the security appliance and potentially interfering with new connections with the same IP address.

CSCsd02916

When using http-proxy, users can access Citrix over a WebVPN connection, even though Citrix metafile is not configured for the group policy.

CSCsd04381

When you attempt to add a file attachment to an existing contact within Outlook Web Access 2000 or 2003 through the WebVPN rewrite engine, a blank modal window opens.

Workaround: Create a new contact and apply an attachment through the rewrite engine. A second option is to access the Outlook Web Access 2000 or 2003 servers directly, and not through WebVPN to initiate the attachment routine to an existing contact.

CSCsd08212

A Webtype ACL with a URI syntax similar to "http(s)://host address/path," fails the ACL check routine. If this is a permit rule, users cannot access that website. However, a Webtype ACL rule with the URI similar to "http(s)://host address" works. The difference between these two ACLs is the "/path". The "/path" might be any share within the specified website, either a file or directory.

Workaround: Define Webtype ACLs with the URI syntax http(s)://host address, for example:
access-list test webtype permit url http://serverA.com

Caveats, Release 7.0(4)

The following sections describe the caveats for the 7.0(4) version.

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation might be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.


Note: If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/support/bugtools

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do


Open Caveats - Release 7.0(4)

Table 3 lists the caveats that remain open from Release 7.0(4).

Table 3 Open Caveats

ID Number     Corrected in Release 7.0(4)    Caveat Title
CSCeg57001    No    Packet does not come to inspect after no inspect and inspect
CSCeh15557    No    Assertion in tmatch_compile_proc, all memory is not freed.
CSCeh32087    No    PIM sends Register with untranslated IP when NAT pool exhausted.
CSCeh43554    No    Device may reload if showing and removing config at the same time
CSCeh60845    No    Logging queue incorrectly registers 8192 256-byte blocks
CSCeh84006    No    Wrong http version number should not be allowed
CSCeh93834    No    RSA SecurID replica list is lost after reboot
CSCej04099    No    static xlate breaks management-access inside
CSCsb28708    No    Console traceback using show route command
CSCsb40188    No    SCEP fails if RA cert has 4096 bit key
CSCsb41742    No    P2P/IM/tunneling traffic is only dropped if strict-http action is drop
CSCsb51038    No    Traceback: _snp_sp_create_flow+1937 with outbound ACL and Policy Statics
CSCsb80170    No    Address-pools needed in group-policy - missing functionality from VPN3K
CSCsb81593    No    removing sunrpc-server cli doesn't stop sunrpc traffic from getting through
CSCsb90046    No    GTP context creation might fail w/ Tunnel Limit exceeded error
CSCsb99385    No    strict-http: with a space before http ver should generate a tcp reset
CSCsc01017    No    ASA to VPN3K L2L fails rekey w/ main mode, 3des, sha, rsa, pfs-2, dh-2
CSCsc07421    No    Traceback in Dispatch Unit - decoding h323 ras message
CSCsc10617    No    GTP: memory leakage after <clear config all> at gtp_init
CSCsc11724    No    Logging: Wrong behavior if syslog is sent to a non functioning tcp server
CSCsc12094    No    AAA fallback authentication does not work with reactivation-mode timed
CSCsc16041    No    'clear local host' results in memory leak
CSCsc16607    No    fixup pptp fails with static pat server configuration
CSCsc17051    No    VPNFO: VPN Failover fails to parse P2 SA when IPCOMP is used
CSCsc18911    No    ASA does not remove OSPF route for global PAT entry after deleting


Resolved Caveats Open in Release 7.0(4)

Table 4 lists the caveats resolved since Release 7.0(4).

Table 4 Resolved Caveats

ID Number     Corrected in Software Version 7.1(1)    Caveat Title
CSCeh18115    Yes    Authentication not triggered sometimes when URL filtering enabled.
CSCeh46345    Yes    Dynamic L2L could pass clear text traffic when tunnel terminates
CSCeh90617    Yes    Recompiling ACLs can cause packet drops on low-end platforms
CSCei02273    Yes    1st log message is not sent by mail in transparent firewall
CSCei43588    Yes    traceback when trying to match a packet to acl with deny
CSCsc00176    Yes    clear xlate take 4.5+ mins to clear 60K PAT xlate
CSCsc02485    Yes    Session Cmd: sending \036x\r to exit session to ssm causes Traceback
CSCsc07614    Yes    Minimum unit poll time causes trouble for failover with 4GE card
CSCsc14591    Yes    xlate and xlate perfmon print graph are all zeros
CSCsc15434    Yes    Assertion violation w/icmp traffic and icmp inspection
CSCsc16503    Yes    Transparent firewall ASR UDP out traffic got errors and inbound failed
CSCsc17409    Yes    dhcprelay: ASA blocks RELEASE packets
CSCsc17428    Yes    Tracebacks with ci/console with 'clear config all'
CSCsc18444    Yes    Tunnel-group for specific peer not created upgrading to 7.0 w/ certs


Related Documentation

For additional information on the adaptive security appliance, refer to the following documentation found on Cisco.com:

Cisco ASA 5500 Hardware Installation Guide

Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide

Cisco ASDM Release Notes

Cisco Security Appliance Command Line Configuration Guide

Cisco Security Appliance Command Reference

Migrating to ASA for VPN 3000 Series Concentrator Administrators

Release Notes for Cisco SSL VPN Client

Cisco Secure Desktop Configuration Guide

Release Notes for Cisco Secure Desktop

Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series

Selected ASDM VPN Configuration Procedures for the Cisco ASA 5500 Series

Cisco Security Appliance Logging Configuration and System Log Messages

Software Configuration Tips on the Cisco TAC Home Page

The Cisco Technical Assistance Center has many helpful pages. If you have a CDC account you can visit the following websites for assistance:

TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/tsd_products_support_series_home.html

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/techsupport

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD

The Product Documentation DVD is a comprehensive library of technical product documentation on a portable medium. The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet. Certain products also have PDF versions of the documentation available.

The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL:

http://www.cisco.com/go/marketplace/

Ordering Documentation

Registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL:

http://www.cisco.com/go/marketplace/

Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001.

Documentation Feedback

You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com.

You can submit comments about Cisco documentation by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you will find information about how to:

Report security vulnerabilities in Cisco products.

Obtain assistance with security incidents that involve Cisco products.

Register to receive security information from Cisco.

A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:

http://www.cisco.com/go/psirt

To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:

For Emergencies only — security-alert@cisco.com

An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.

For Nonemergencies — psirt@cisco.com

In an emergency, you can also reach PSIRT by telephone:

1 877 228-7302

1 408 525-6532


Tip: We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.

Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

The link on this page has the current PGP key ID in use.

If you do not have or use PGP, contact PSIRT at the aforementioned e-mail addresses or phone numbers before sending any sensitive material to find other means of encrypting the data.


Obtaining Technical Assistance

Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.

Cisco Technical Support & Documentation Website

The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do


Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.


Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—An existing network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of the network is impaired, while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:

http://www.cisco.com/go/guide

Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

or view the digital edition at this URL:

http://ciscoiq.texterity.com/ciscoiq/sample/

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:

http://www.cisco.com/en/US/products/index.html

Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:

http://www.cisco.com/discuss/networking

World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html