Cisco ASA Series Cli Configuration Manual page 72

New Features
Table 1-5 New Features for ASA Version 9.0(1)/ASDM Version 7.0(1) (continued)
Feature
Per-session PAT
ARP cache additions for non-connected
subnets
SunRPC change from dynamic ACL to
pin-hole mechanism
Cisco ASA Series CLI Configuration Guide
1-10
Description
The per-session PAT feature improves the scalability of PAT and, for ASA
clustering, allows each member unit to own PAT connections; multi-session
PAT connections have to be forwarded to and owned by the master unit. At the
end of a per-session PAT session, the ASA sends a reset and immediately
removes the xlate. This reset causes the end node to immediately release the
connection, avoiding the TIME_WAIT state. Multi-session PAT, on the other
hand, uses the PAT timeout, by default 30 seconds. For "hit-and-run" traffic,
such as HTTP or HTTPS, the per-session feature can dramatically increase the
connection rate supported by one address. Without the per-session feature, the
maximum connection rate for one address for an IP protocol is approximately
2000 per second. With the per-session feature, the connection rate for one
address for an IP protocol is 65535/average-lifetime.
By default, all TCP traffic and UDP DNS traffic use a per-session PAT xlate.
For traffic that can benefit from multi-session PAT, such as H.323, SIP, or
Skinny, you can disable per-session PAT by creating a per-session deny rule.
We introduced the following commands: xlate per-session, clear configure
xlate, show running-config xlate.
We introduced the following screen: Configuration > Firewall > Advanced >
Per-Session NAT Rules.
The ASA ARP cache only contains entries from directly-connected subnets by
default. You can now enable the ARP cache to also include
non-directly-connected subnets. We do not recommend enabling this feature
unless you know the security risks. This feature could facilitate denial of
service (DoS) attack against the ASA; a user on any interface could send out
many ARP replies and overload the ASA ARP table with false entries.
You may want to use this feature if you use:
•
Secondary subnets.
•
Proxy ARP on adjacent routes for traffic forwarding.
We introduced the following command: arp permit-nonconnected.
We modified the following screen: Configuration > Device Management >
Advanced > ARP > ARP Static Table.
Also available in 8.4(5).
Previously, Sun RPC inspection does not support outbound access lists because
the inspection engine uses dynamic access lists instead of secondary
connections.
In this release, when you configure dynamic access lists on the ASA, they are
supported on the ingress direction only and the ASA drops egress traffic
destined to dynamic ports. Therefore, Sun RPC inspection implements a
pinhole mechanism to support egress traffic. Sun RPC inspection uses this
pinhole mechanism to support outbound dynamic access lists.
Also available in 8.4(4.1).
Chapter 1 Introduction to the Cisco ASA