Cisco ASA Series Command Reference, S Commands
software-version -- storage-objects

Table of Contents

software-version through storage-objects Commands

software-version

speed

split-dns

split-horizon

split-tunnel-all-dns

split-tunnel-network-list

split-tunnel-policy

spoof-server

sq-period

ssh

ssh authentication

ssh disconnect

ssh key-exchange

ssh pubkey-chain

ssh scopy enable

ssh stricthostkeycheck

ssh timeout

ssh version

ssl certificate-authentication

ssl client-version

ssl encryption

ssl server-version

ssl trust-point

sso-server

sso-server value (group-policy webvpn)

sso-server value (username webvpn)

start-url

state-checking

strict-header-validation

strict-http

strip-group

strip-realm

storage-key

storage-objects

software-version through storage-objects Commands

software-version

To identify the Server and User-Agent header fields in SIP messages, which expose the software version of a server or an endpoint, use the software-version command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode (policy-map type inspect sip). To disable this feature, use the no form of this command.

software-version action {mask | log} [log]

no software-version action {mask | log} [log]

 
Syntax Description

log

Logs each violation. On its own, log only records the violation; combined with mask, it records the violation in addition to masking the version.

mask

Masks the software version in the SIP message.

 
Defaults

This command is disabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                            Firewall Mode          Security Context
                                        Routed   Transparent   Single   Multiple
                                                                        Context   System
Parameters configuration                Yes      Yes           Yes      Yes       --

 
Command History

Release
Modification

7.2(1)

This command was introduced.

Examples

The following example shows how to identify the software version in a SIP inspection policy map:

ciscoasa(config)# policy-map type inspect sip sip_map
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# software-version action log
 

 
Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Displays all current policy map configurations.

speed

To set the speed of a copper (RJ-45) Ethernet interface, use the speed command in interface configuration mode. To restore the speed setting to the default, use the no form of this command.

speed { auto | 10 | 100 | 1000 | nonegotiate }

no speed [ auto | 10 | 100 | 1000 | nonegotiate ]

 
Syntax Description

10

Sets the speed to 10BASE-T.

100

Sets the speed to 100BASE-T.

1000

Sets the speed to 1000BASE-T. For copper Gigabit Ethernet only.

auto

Auto detects the speed.

nonegotiate

For fiber interfaces, sets the speed to 1000 Mbps and does not negotiate link parameters. This command and the no form of this command are the only settings available for fiber interfaces. When you set the value to no speed nonegotiate (the default), the interface enables link negotiation, which exchanges flow-control parameters and remote fault information.

 
Defaults

For copper interfaces, the default is speed auto .

For fiber interfaces, the default is no speed nonegotiate .

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                            Firewall Mode          Security Context
                                        Routed   Transparent   Single   Multiple
                                                                        Context   System
Interface configuration                 Yes      Yes           Yes      --        Yes

 
Command History

Release
Modification

7.0(1)

This command was moved from a keyword of the interface command to an interface configuration mode command.

 
Usage Guidelines

Set the speed on the physical interface only.

If your network does not support auto detection, set the speed to a specific value.

For RJ-45 interfaces on the ASA 5500 series, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

If you set the speed to anything other than auto on PoE ports (where available), Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af are not detected and are not supplied with power.


Note Do not set the speed command for an ASA 5500-X series or an ASA 5585-X with fiber interfaces. Doing so causes a link failure.


Examples

The following example sets the speed to 1000BASE-T:

ciscoasa(config)# interface gigabitethernet0/1
ciscoasa(config-if)# speed 1000
ciscoasa(config-if)# duplex full
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
 

 
Related Commands

Command
Description

clear configure interface

Clears all configuration for an interface.

duplex

Sets the duplex mode.

interface

Configures an interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.

show running-config interface

Shows the interface configuration.

split-dns

To enter a list of domains to be resolved through the split tunnel, use the split-dns command in group-policy configuration mode. To delete a list, use the no form of this command.

To delete all split tunneling domain lists, use the no split-dns command without arguments. This deletes all configured split tunneling domain lists, including a null list created by issuing the split-dns none command.

When there are no split tunneling domain lists, users inherit any that exist in the default group policy. To prevent users from inheriting such split tunneling domain lists, use the split-dns none command.

split-dns { value domain-name1 domain-name2 domain-nameN | none }

no split-dns [ domain-name1 domain-name2 domain-nameN ]

 
Syntax Description

value domain-name

Provides a domain name that the ASA resolves through the split tunnel.

none

Indicates that there is no split DNS list. Sets a split DNS list with a null value, thereby disallowing a split DNS list. Prevents inheriting a split DNS list from a default or specified group policy.

 
Defaults

Split DNS is disabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                            Firewall Mode          Security Context
                                        Routed   Transparent   Single   Multiple
                                                                        Context   System
Group-policy configuration              Yes      --            Yes      --        --

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Use a single space to separate each entry in the list of domains. There is no limit on the number of entries, but the entire string can be no longer than 255 characters. You can use only alphanumeric characters, hyphens (-), and periods (.).

The no split-dns command, when used without arguments, deletes all current values, including a null value created by issuing the split-dns none command.

Starting with version 3.0.4235, AnyConnect Secure Mobility Client supports true split DNS functionality for Windows platforms.

Examples

The following example shows how to configure the domains Domain1, Domain2, Domain3 and Domain4 to be resolved through split tunneling for the group policy named FirstGroup:

ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# split-dns value Domain1 Domain2 Domain3 Domain4

 
Related Commands

Command
Description

default-domain

Specifies a default domain name that the IPsec client uses for DNS queries that omit the domain field.

split-dns

Provides a list of domains to be resolved through the split tunnel.

split-tunnel-network-list

Identifies the access list the ASA uses to distinguish which networks require tunneling.

split-tunnel-policy

Lets an IPsec client conditionally direct packets over an IPsec tunnel in encrypted form, or to a network interface in cleartext form.

split-horizon

To reenable EIGRP split horizon, use the split-horizon command in interface configuration mode. To disable EIGRP split horizon, use the no form of this command.

split-horizon eigrp as-number

no split-horizon eigrp as-number

 
Syntax Description

as-number

The autonomous system number of the EIGRP routing process.

 
Defaults

The split-horizon command is enabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                            Firewall Mode          Security Context
                                        Routed   Transparent   Single   Multiple
                                                                        Context   System
Interface configuration                 Yes      --            Yes      Yes       --

 
Command History

Release
Modification

8.0(2)

This command was introduced.

9.0(1)

Multiple context mode is supported.

 
Usage Guidelines

For networks that include links over X.25 packet-switched networks, you can use the neighbor command to defeat the split horizon feature. As an alternative, you can explicitly specify the no split-horizon eigrp command in your configuration. However, if you do so, you must similarly disable split horizon for all routers and access servers in any relevant multicast groups on that network.

In general, it is best that you not change the default state of split horizon unless you are certain that your application requires the change in order to properly advertise routes. If split horizon is disabled on a serial interface and that interface is attached to a packet-switched network, you must disable split horizon for all routers and access servers in any relevant multicast groups on that network.

Examples

The following example disables EIGRP split horizon on interface Ethernet0/0:

ciscoasa(config)# interface Ethernet0/0
ciscoasa(config-if)# no split-horizon eigrp 100
 

 
Related Commands

Command
Description

router eigrp

Creates an EIGRP routing process and enters configuration mode for that process.

split-tunnel-all-dns

To enable the AnyConnect Secure Mobility Client to resolve all DNS addresses through the VPN tunnel, use the split-tunnel-all-dns command from group policy configuration mode.

To remove the command from the running configuration, use the no form of this command. This enables inheritance of the value from another group policy.

split-tunnel-all-dns {disable | enable}

no split-tunnel-all-dns [{disable | enable}]

 
Syntax Description

disable (default)

The AnyConnect client sends DNS queries over the tunnel according to the split tunnel policy—tunnel all networks, tunnel networks specified in a network list, or exclude networks specified in a network list.

enable

The AnyConnect client resolves all DNS addresses through the VPN tunnel.

 
Defaults

The default is disabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                            Firewall Mode          Security Context
                                        Routed   Transparent   Single   Multiple
                                                                        Context   System
Group-policy configuration              Yes      --            Yes      --        --

 
Command History

Release
Modification

8.2(5)

This command was introduced.

 
Usage Guidelines

The split-tunnel-all-dns enable command applies to VPN connections using the SSL or IPsec/IKEv2 protocol, and instructs the AnyConnect client to resolve all DNS addresses through the VPN tunnel. If DNS resolution fails, the address remains unresolved and the AnyConnect client does not try to resolve the address through public DNS servers.

By default, this feature is disabled. The client sends DNS queries over the tunnel according to the split tunnel policy—tunnel all networks, tunnel networks specified in a network list, or exclude networks specified in a network list.

Examples

The following example configures the ASA to enable the AnyConnect client to resolve all DNS queries through the VPN tunnel:

ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# split-tunnel-all-dns enable

 
Related Commands

Command
Description

default-domain

Specifies a default domain name that the legacy IPsec (IKEv1) VPN client or the AnyConnect VPN Client (SSL) uses for DNS queries that omit the domain field.

split-dns

Provides a list of domains to be resolved through the split tunnel.

split-tunnel-network-list

Identifies the access list the ASA uses to distinguish networks that require tunneling and those that do not.

split-tunnel-policy

Lets a legacy VPN client (IPsec/IKEv1) or the AnyConnect VPN client (SSL) conditionally direct packets over a tunnel in encrypted form, or to a network interface in clear text form

split-tunnel-network-list

To create a network list for split tunneling, use the split-tunnel-network-list command in group-policy configuration mode. To delete a network list, use the no form of this command.

To delete all split tunneling network lists, use the no split-tunnel-network-list command without arguments. This deletes all configured network lists, including a null list created by issuing the split-tunnel-network-list none command.

When there are no split tunneling network lists, users inherit any network lists that exist in the default or specified group policy. To prevent users from inheriting such network lists, use the split-tunnel-network-list none command.

Split tunneling network lists distinguish networks that require traffic to travel across the tunnel from those that do not require tunneling.

split-tunnel-network-list {value access-list name | none}

no split-tunnel-network-list value [ access-list name ]

 
Syntax Description

none

Indicates that there is no network list for split tunneling; the ASA tunnels all traffic.

Sets a split tunneling network list with a null value, thereby disallowing split tunneling. Prevents inheriting a default split tunneling network list from a default or specified group policy.

value access-list name

Identifies an access list that enumerates the networks to tunnel or not tunnel.

 
Defaults

By default, there are no split tunneling network lists.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                            Firewall Mode          Security Context
                                        Routed   Transparent   Single   Multiple
                                                                        Context   System
Group-policy configuration              Yes      --            Yes      --        --

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The ASA makes split tunneling decisions on the basis of a network list, which is a standard ACL that consists of a list of addresses on the private network.

The no split-tunnel-network-list command, when used without arguments, deletes all current network lists, including a null value created by issuing the split-tunnel-network-list none command.


Note The ASA supports up to 200 split networks.


Examples

The following example shows how to set a network list called FirstList for the group policy named FirstGroup:

ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# split-tunnel-network-list value FirstList

 
Related Commands

Command
Description

access-list

Creates an access list, or uses a downloadable access list.

default-domain

Specifies a default domain name that the IPsec client uses for DNS queries that omit the domain field.

split-dns

Provides a list of domains to be resolved through the split tunnel.

split-tunnel-policy

Lets an IPsec client conditionally direct packets over an IPsec tunnel in encrypted form, or to a network interface in cleartext form.

split-tunnel-policy

To set a split tunneling policy, use the split-tunnel-policy command in group-policy configuration mode. To remove the split-tunnel-policy attribute from the running configuration, use the no form of this command.

split-tunnel-policy { tunnelall | tunnelspecified | excludespecified }

no split-tunnel-policy

 
Syntax Description

excludespecified

Defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel.

split-tunnel-policy

Indicates that you are setting rules for tunneling traffic.

tunnelall

Specifies that no traffic goes in the clear or to any other destination than the ASA. Remote users reach Internet networks through the corporate network and do not have access to local networks.

tunnelspecified

Tunnels all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear, and is routed by the remote user’s Internet service provider.

 
Defaults

Split tunneling is disabled by default, which is tunnelall .

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                            Firewall Mode          Security Context
                                        Routed   Transparent   Single   Multiple
                                                                        Context   System
Group-policy configuration              Yes      --            Yes      --        --

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

Split tunneling is primarily a traffic management feature, not a security feature. In fact, for optimum security, we recommend that you not enable split tunneling.

The no form of this command removes the attribute and enables inheritance of a value for split tunneling from another group policy.

Split tunneling lets a remote-access VPN client conditionally direct packets over an IPsec or SSL tunnel in encrypted form, or to a network interface in cleartext form. With split-tunneling enabled, packets not bound for destinations on the other side of the IPsec or SSL VPN tunnel endpoint do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination.

Examples

The following example shows how to set a split tunneling policy of tunneling only specified networks for the group policy named FirstGroup:

ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
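The split-tunnel-policy, split-tunnel-network-list, split-dns and split-tunnel-all-dns commands only make sense together, and the reference shows each of them in isolation. The following added example (not from the original reference) puts them together in three group policies. The ACL name SPLIT_TUNNEL_ACL, the networks 10.10.0.0/16 and 192.168.100.0/24, the domains under example.com and the group-policy names SplitNoDnsLeak and FullTunnel are chosen for illustration; FirstGroup is the name used by the examples on this page.

```text
! Network list: a standard ACL naming the only destinations that enter the tunnel
ciscoasa(config)# access-list SPLIT_TUNNEL_ACL standard permit 10.10.0.0 255.255.0.0
ciscoasa(config)# access-list SPLIT_TUNNEL_ACL standard permit 192.168.100.0 255.255.255.0
! 1. Classic split tunnel: only SPLIT_TUNNEL_ACL destinations are encrypted;
!    the listed domains resolve over the tunnel, everything else uses the local resolver
ciscoasa(config)# group-policy FirstGroup internal
ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL_ACL
ciscoasa(config-group-policy)# split-dns value corp.example.com lab.example.com
ciscoasa(config-group-policy)# default-domain value corp.example.com
ciscoasa(config-group-policy)# exit
! 2. Same traffic split, but no DNS query leaves the tunnel: drop the domain list and
!    force every query through the VPN (a failed lookup is not retried on public DNS)
ciscoasa(config)# group-policy SplitNoDnsLeak internal
ciscoasa(config)# group-policy SplitNoDnsLeak attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL_ACL
ciscoasa(config-group-policy)# split-dns none
ciscoasa(config-group-policy)# split-tunnel-all-dns enable
ciscoasa(config-group-policy)# exit
! 3. Recommended default: full tunnel, with inheritance of any list from the
!    default group policy explicitly blocked by the none keywords
ciscoasa(config)# group-policy FullTunnel internal
ciscoasa(config)# group-policy FullTunnel attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelall
ciscoasa(config-group-policy)# split-tunnel-network-list none
ciscoasa(config-group-policy)# split-dns none
ciscoasa(config-group-policy)# exit
! Verify what the client will actually receive
ciscoasa(config)# show running-config group-policy FirstGroup
ciscoasa(config)# show running-config group-policy FullTunnel
```

Policy 1 is the usual trade-off: it keeps Internet traffic off the VPN but lets the client resolve non-listed names, and therefore leak query contents, through whatever resolver the local network hands it. Policy 2 keeps that traffic split while closing the DNS side channel; policy 3 is what the Usage Guidelines recommend where bandwidth allows. In every variant, set the none keywords deliberately: a group policy with no list of its own silently inherits whatever the default group policy carries.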

 
Related Commands

Command
Description

default-domain

Specifies a default domain name that the IPsec client uses for DNS queries that omit the domain field.

split-dns

Provides a list of domains to be resolved through the split tunnel.

split-tunnel-network-list none

Indicates that no access list exists for split tunneling. All traffic travels across the tunnel.

split-tunnel-network-list value

Identifies the access list the ASA uses to distinguish networks that require tunneling and those that do not.

spoof-server

To substitute a string for the server header field for HTTP protocol inspection, use the spoof-server command in parameters configuration mode. To disable this feature, use the no form of this command.

spoof-server string

no spoof-server string

 
Syntax Description

string

String to substitute for the server header field. 82 characters maximum.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                            Firewall Mode          Security Context
                                        Routed   Transparent   Single   Multiple
                                                                        Context   System
Parameters configuration                Yes      Yes           Yes      Yes       --

 
Command History

Release
Modification

7.2(1)

This command was introduced.

 
Usage Guidelines

WebVPN streams are not subject to the spoof-server command.

Examples

The following example shows how to substitute a string for the server header field in an HTTP inspection policy map:

ciscoasa(config-pmap-p)# spoof-server string
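Neither spoof-server nor the software-version command shown earlier does anything until its inspection policy map is attached to a service policy. The following added example (not from the original reference) builds both maps and attaches them to the default global_policy, which the ASA already applies globally through the inspection_default class. The map names SIP_HIDE_VERSION and HTTP_HIDE_SERVER and the replacement string WebServer are chosen for illustration.

```text
! SIP: mask the Server/User-Agent versions and log each occurrence
ciscoasa(config)# policy-map type inspect sip SIP_HIDE_VERSION
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# software-version action mask log
ciscoasa(config-pmap-p)# exit
ciscoasa(config-pmap)# exit
! HTTP: replace whatever the real server puts in the Server header
ciscoasa(config)# policy-map type inspect http HTTP_HIDE_SERVER
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# spoof-server WebServer
ciscoasa(config-pmap-p)# exit
ciscoasa(config-pmap)# exit
! Attach both maps to the default global Layer 3/4 policy; the sip line replaces
! the default inspect sip entry, and http inspection is not enabled by default
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect sip SIP_HIDE_VERSION
ciscoasa(config-pmap-c)# inspect http HTTP_HIDE_SERVER
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
! Check that packets are actually being matched
ciscoasa(config)# show service-policy inspect sip
ciscoasa(config)# show service-policy inspect http
```

Both features only hide version strings in headers the ASA can see; neither rewrites TLS-protected traffic, and, as the Usage Guidelines note, WebVPN streams are exempt from spoof-server. Treat them as defence against casual fingerprinting rather than as a substitute for patching the server behind them.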
 

 
Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Displays all current policy map configurations.

sq-period

To specify the interval between each successful posture validation in a NAC Framework session and the next query for changes in the host posture, use the sq-period command in nac-policy-nac-framework configuration mode. To remove the command from the NAC policy, use the no form of this command.

sq-period seconds

no sq-period [ seconds ]

 
Syntax Description

seconds

Number of seconds between each successful posture validation. The range is 30 to 1800.

 
Defaults

The default value is 300.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                            Firewall Mode          Security Context
                                        Routed   Transparent   Single   Multiple
                                                                        Context   System
Nac-policy-nac-framework configuration  Yes      --            Yes      --        --

 
Command History

Release
Modification

7.3(0)

“nac-” removed from command name. Command moved from group-policy configuration mode to nac-policy-nac-framework configuration mode.

7.2(1)

This command was introduced.

 
Usage Guidelines

The ASA starts the status query timer after each successful posture validation and status query response. The expiration of this timer triggers a query for changes in the host posture, referred to as a status query .

Examples

The following example changes the value of the status query timer to 1800 seconds:

ciscoasa(config-nac-policy-nac-framework)# sq-period 1800
ciscoasa(config-nac-policy-nac-framework)#
 

The following example removes the status query timer from the NAC Framework policy:

ciscoasa(config-nac-policy-nac-framework)# no sq-period
ciscoasa(config-nac-policy-nac-framework)#
 

 
Related Commands

Command
Description

nac-policy

Creates and accesses a Cisco NAC policy, and specifies its type.

nac-settings

Assigns a NAC policy to a group policy.

eou timeout

Changes the number of seconds to wait after sending an EAP over UDP message to the remote host in a NAC Framework configuration.

reval-period

Specifies the interval between each successful posture validation in a NAC Framework session.

debug eap

Enables logging of Extensible Authentication Protocol events to debug NAC Framework messaging.

ssh

To add SSH access to the ASA, use the ssh command in global configuration mode. To disable SSH access to the ASA, use the no form of this command.

ssh { ip_address mask | ipv6_address / prefix } interface

no ssh { ip_address mask | ipv6_address / prefix } interface

 
Syntax Description

interface

The ASA interface on which SSH is enabled. If not specified, SSH is enabled on all interfaces except the outside interface.

ip_address

IPv4 address of the host or network authorized to initiate an SSH connection to the ASA. For hosts, you can also enter a host name.

ipv6_address / prefix

The IPv6 address and prefix of the host or network authorized to initiate an SSH connection to the ASA.

mask

Network mask for ip_address .

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                            Firewall Mode          Security Context
                                        Routed   Transparent   Single   Multiple
                                                                        Context   System
Global configuration                    Yes      Yes           Yes      Yes       --

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

This command supports IPv4 and IPv6 addresses. The ssh ip_address command specifies hosts or networks that are authorized to initiate an SSH connection to the ASA. You can have multiple ssh commands in the configuration. The no form of the command removes a specific SSH command from the configuration. Use the clear configure ssh command to remove all SSH commands.

Before you can begin using SSH to the ASA, you must generate a default RSA key using the crypto key generate rsa command.

The following security algorithms and ciphers are supported on the ASA:

  • 3DES and AES ciphers for data encryption
  • HMAC-SHA and HMAC-MD5 algorithms for packet integrity
  • RSA public key algorithm for host authentication

The following SSH Version 2 features are not supported on the ASA:

  • X11 forwarding
  • Port forwarding
  • SFTP support
  • Kerberos and AFS ticket passing
  • Data compression

Examples

The following example shows how to configure the inside interface to accept SSH version 2 connections from a management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.

ciscoasa(config)# ssh 10.1.1.1 255.255.255.255 inside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh scopy enable
ciscoasa(config)# ssh timeout 60
 

 
Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

crypto key generate rsa

Generates RSA key pairs for identity certificates.

debug ssh

Displays debugging information and error messages for SSH commands.

show running-config ssh

Displays the current SSH commands in the running configuration.

ssh scopy enable

Enables a secure copy server on the ASA.

ssh version

Restricts the ASA to using either SSH Version 1 or SSH Version 2.

ssh authentication

To enable public key authentication on a per-user basis, use the ssh authentication command in username attributes mode. To disable public key authentication on a per-user basis, use the no form of this command.

ssh authentication { pkf | publickey [ nointeractive ] key [ hashed ]}

no ssh authentication { pkf | publickey [ nointeractive ] key [ hashed ]}

 
Syntax Description

hashed

Indicates that key is the SHA-256 hash of the public key rather than the key itself: 32 bytes, each written in hexadecimal and separated by a colon (for parsing purposes).

key

The value of the key argument can be one of the following:

  • When the key argument is supplied and the hashed tag is not specified, the value of the key must be a Base64-encoded public key that is generated by SSH key generation software that can generate SSH-RSA raw keys (that is, with no certificates). After you submit the Base64-encoded public key, the ASA hashes it with SHA-256 and uses the resulting 32-byte hash for all further comparisons.
  • When the key argument is supplied and the hashed tag is specified, the value of the key must be that SHA-256 hash: 32 bytes, each separated by a colon (for parsing purposes).

nointeractive

The nointeractive option suppresses all prompts when importing an SSH public key file formatted key. This noninteractive data entry mode is only intended for ASDM use.

pkf

For a pkf key, you are prompted to paste in a PKF-formatted key of up to 4096 bits. Use this format for keys that are too large to paste inline in Base64 format. For example, you can generate a 4096-bit key using ssh-keygen, convert it to PKF (RFC 4716) format, and use the pkf keyword to be prompted for the key.

Note You can use the pkf option with failover, but the PKF key is not automatically replicated to the standby system. You must enter the write standby command to synchronize the PKF key.

publickey

For a publickey , the key is a Base64-encoded public key. You can generate the key using any SSH key generation software (such as ssh-keygen) that can generate SSH-RSA raw keys (with no certificates).

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                            Firewall Mode          Security Context
                                        Routed   Transparent   Single   Multiple
                                                                        Context   System
Username attributes                     Yes      Yes           Yes      Yes       --

 
Command History

Release
Modification

9.1(2)

This command was introduced.

 
Usage Guidelines

You can specify a public key file (PKF) formatted key (the pkf keyword) or a Base64 key (the publickey keyword).

The key field and the hashed keyword are only available with the publickey option, and the nointeractive keyword is only available with the pkf option.

When you save the configuration, the hashed key value is saved to the configuration and used when the ASA is rebooted.

When you view the key on the ASA using the show running-config username command, only the SHA-256 hash of the key is shown, not the key itself. Even if you entered the key as pkf , the ASA hashes the key and shows it as a hashed publickey . If you need to copy the key from show output, specify the publickey type with the hashed keyword.

Examples

The following example shows how to authenticate using a PKF formatted key:

ciscoasa(config-username)# ssh authentication pkf

Enter an SSH public key formatted file.
End with the word "quit" on a line by itself:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "4096-bit RSA, converted by xxx@xxx from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAACAQDNUvkgza37lB/Q/fljpLAv1BbyAd5PJCJXh/U4LO
hleR/qgIROjpnFaS7Az8/+sjHmq0qXC5TXkzWihvRZbhefyPhPHCi0hIt4oUF2ZbXESA/8
jUT4ehXIUE7FrChffBBtbD4d9FkV8A2gwZCDJBxEM26ocbZCSTx9QC//wt6E/zRcdoqiJG
p4ECEdDaM+56l+yf73NUigO7wYkqcrzjmI1rZRDLVcqtj8Q9qD3MqsV+PkJGSGiqZwnyIl
QbfYxXHU9wLdWxhUbA/xOjJuZ15TQMa7KLs2u+RtrpQgeTGTffIh6O+xKh93gwTgzaZTK4
CQ1kuMrRdNRzza0byLeYPtSlv6Lv6F6dGtwlqrX5a+w/tV/aw9WUg/rapekKloz3tsPTDe
p866AFzU+Z7pVR1389iNuNJHQS7IUA2m0cciIuCM2we/tVqMPYJl+xgKAkuHDkBlMS4i8b
Wzyd+4EUMDGGZVeO+corKTLWFO1wIUieRkrUaCzjComGYZdzrQT2mXBcSKQNWlSCBpCHsk
/r5uTGnKpCNWfL7vd/sRCHyHKsxjsXR15C/5zgHmCTAaGOuIq0Rjo34+61+70PCtYXebxM
Wwm19e3eH2PudZd+rj1dedfr2/IrislEBRJWGLoR/N+xsvwVVM1Qqw1uL4r99CbZF9NghY
NRxCQOY/7K77II==
---- END SSH2 PUBLIC KEY ----
quit
INFO: Import of an SSH public key formatted file SUCCEEDED.
ciscoasa(config-username)#

 
Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

debug ssh

Displays debugging information and error messages for SSH commands.

show running-config ssh

Displays the current SSH commands in the running configuration.

ssh version

Restricts the ASA to using either SSH Version 1 or SSH Version 2.

ssh disconnect

To disconnect an active SSH session, use the ssh disconnect command in privileged EXEC mode.

ssh disconnect session_id

 
Syntax Description

session_id

Disconnects the SSH session specified by the ID number.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode                            Firewall Mode          Security Context
                                        Routed   Transparent   Single   Multiple
                                                                        Context   System
Privileged EXEC                         Yes      Yes           Yes      Yes       --

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

You must specify a session ID. Use the show ssh sessions command to obtain the ID of the SSH session you want to disconnect. In that output, a Version of 1.5 indicates an SSH version 1 session; if such sessions appear, the ssh version 2 command refuses them in future rather than disconnecting them one at a time.

Examples

The following example shows an SSH session being disconnected:

ciscoasa# show ssh sessions
SID  Client IP        Version  Mode  Encryption  Hmac  State           Username
0    172.69.39.39     1.99     IN    aes128-cbc  md5   SessionStarted  pat
                               OUT   aes128-cbc  md5   SessionStarted  pat
1    172.23.56.236    1.5      -     3DES        -     SessionStarted  pat
2    172.69.39.29     1.99     IN    3des-cbc    sha1  SessionStarted  pat
                               OUT   3des-cbc    sha1  SessionStarted  pat
ciscoasa# ssh disconnect 2
ciscoasa# show ssh sessions
SID  Client IP        Version  Mode  Encryption  Hmac  State           Username
0    172.69.39.39     1.99     IN    aes128-cbc  md5   SessionStarted  pat
                               OUT   aes128-cbc  md5   SessionStarted  pat
1    172.23.56.236    1.5      -     3DES        -     SessionStarted  pat
 

 
Related Commands

Command
Description

show ssh sessions

Displays information about active SSH sessions to the ASA.

ssh timeout

Sets the timeout value for idle SSH sessions.

ssh key-exchange

To exchange keys using either the Diffie-Hellman (DH) Group 1 or DH Group 14 key-exchange method, use the ssh key-exchange command in global configuration mode. To disable key exchange using either the DH Group 1 or DH Group 14 key-exchange method, use the no form of this command.

ssh key-exchange group { dh-group1-sha1 | dh-group14-sha1 }

no ssh key-exchange group { dh-group1-sha1 | dh-group14-sha1 }

 
Syntax Description

dh-group1

Indicates that the DH group 1 key-exchange method will follow and should be used when exchanging keys. DH group 2 is called DH group 1 for legacy reasons.

dh-group14

Indicates that the DH group 14 key-exchange method will follow and should be used when exchanging keys.

group

Indicates that either the DH group 1 key-exchange method or the DH group 14 key-exchange method will follow and should be used when exchanging keys.

key-exchange

Specifies that either the DH group 1 or DH group 14 key-exchange method will follow and should be used when exchanging keys.

sha1

Specifies that the SHA-1 hash algorithm is used in the key exchange.

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.4(4)

This command was introduced.

9.1(2)

This command was changed to ssh key-exchange group dh-group1-sha1 .

 
Usage Guidelines

Before you can begin using SSH to the ASA, you must generate a default RSA key using the crypto key generate rsa command.

Both the DH Group 1 and DH Group 14 key-exchange methods are supported on the ASA. If no DH group key-exchange method is specified, the DH group 1 key-exchange method is used. For more information about using DH key-exchange methods, see RFC 4253.


Note This command is not available in the 9.1(1) or 9.1.1(2) release.


Examples

The following example shows how to exchange keys using the DH Group 14 key-exchange method (the 9.1(2) and later syntax noted in the command history):

ciscoasa(config)# ssh key-exchange group dh-group14-sha1
 

 
Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

crypto key generate rsa

Generates RSA key pairs for identity certificates.

debug ssh

Displays debugging information and error messages for SSH commands.

show running-config ssh

Displays the current SSH commands in the running configuration.

ssh scopy enable

Enables a secure copy server on the ASA.

ssh version

Restricts the ASA to using either SSH Version 1 or SSH Version 2.

ssh pubkey-chain

To manually add or delete SSH servers and their keys from the ASA database for the on-board Secure Copy (SCP) client, use the ssh pubkey-chain command in global configuration mode. To remove all host keys, use the no form of this command. To remove only a single server key, see the server command.

ssh pubkey-chain

no ssh pubkey-chain

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

9.1(5)

We introduced this command.

 
Usage Guidelines

You can copy files to and from the ASA using the on-board SCP client. The ASA stores the SSH host key for each SCP server to which it connects. You can manually add or delete servers and their keys from the ASA database if desired.

For each server (see the server command), you can specify the key-string (public key) or key-hash (hashed value) of the SSH host.

Examples

The following example adds an already hashed host key for the server at 10.86.94.170:

ciscoasa(config)# ssh pubkey-chain
ciscoasa(config-ssh-pubkey-chain)# server 10.86.94.170
ciscoasa(config-ssh-pubkey-server)# key-hash sha256 65:d9:9d:fe:1a:bc:61:aa:64:9d:fc:ee:99:87:38:df:a8:8e:d9:e9:ff:42:de:e8:8d:2d:bf:a9:2b:85:2e:19
 

The following example adds a host string key for the server at 10.7.8.9:

ciscoasa(config)# ssh pubkey-chain
ciscoasa(config-ssh-pubkey-chain)# server 10.7.8.9
ciscoasa(config-ssh-pubkey-server)# key-string
Enter the base 64 encoded RSA public key.
End with the word "exit" on a line by itself
ciscoasa(config-ssh-pubkey-server-string)# c1:b1:30:29:d7:b8:de:6c:97:77:10:d7:46:41:63:87
ciscoasa(config-ssh-pubkey-server-string)# exit

 

 
Related Commands

Command
Description

copy

Copies a file to or from the ASA.

key-hash

Enters a hashed SSH host key.

key-string

Enters a public SSH host key.

server

Adds an SSH server and host key to the ASA database.

ssh stricthostkeycheck

Enables SSH host key checking for the on-board Secure Copy (SCP) client.

ssh scopy enable

To enable Secure Copy (SCP) on the ASA, use the ssh scopy enable command in global configuration mode. To disable SCP, use the no form of this command.

ssh scopy enable

no ssh scopy enable

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

SCP is a server-only implementation; it can accept and terminate SCP connections but cannot initiate them. The ASA has the following restrictions:

  • There is no directory support in this implementation of SCP, limiting remote client access to the ASA internal files.
  • There is no banner support when using SCP.
  • SCP does not support wildcards.
  • The ASA license must have the VPN-3DES-AES feature to support SSH version 2 connections.

Before initiating the file transfer, the ASA checks available Flash memory. If there is not enough available space, the ASA terminates the SCP connection. If you are overwriting a file in Flash memory, you still need to have enough free space for the file being copied to the ASA. The SCP process copies the file to a temporary file first, then copies the temporary file over the file being replaced. If you do not have enough space in Flash to hold both the file being copied and the file being overwritten, the ASA terminates the SCP connection.

Examples

The following example shows how to configure the inside interface to accept SSH Version 2 connections from a management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.

ciscoasa(config)# ssh 10.1.1.1 255.255.255.0 inside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh scopy enable
ciscoasa(config)# ssh timeout 60
 

 
Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

debug ssh

Displays debug information and error messages for SSH commands.

show running-config ssh

Displays the current SSH commands in the running configuration.

ssh

Allows SSH connectivity to the ASA from the specified client or network.

ssh version

Restricts the ASA to using either SSH Version 1 or SSH Version 2.

ssh stricthostkeycheck

To enable SSH host key checking for the on-board Secure Copy (SCP) client, use the ssh stricthostkeycheck command in global configuration mode. To disable host key checking, use the no form of this command.

ssh stricthostkeycheck

no ssh stricthostkeycheck

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

By default, this command is enabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes

  • Yes

 
Command History

Release
Modification

9.1(5)

We introduced this command.

 
Usage Guidelines

You can copy files to and from the ASA using the on-board SCP client. When this option is enabled, you are prompted to accept or reject the host key if it is not already stored on the ASA. When this option is disabled, the ASA accepts the host key automatically if it was not stored before.

Examples

The following example enables SSH host key checking:

ciscoasa# ssh stricthostkeycheck
ciscoasa# copy x scp://cisco@10.86.95.9/x
The authenticity of host '10.86.95.9 (10.86.95.9)' can't be established.
RSA key fingerprint is dc:2e:b3:e4:e1:b7:21:eb:24:e9:37:81:cf:bb:c3:2a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.86.95.9' (RSA) to the list of known hosts.
Source filename [x]?
Address or name of remote host [10.86.95.9]?
Destination username [cisco]?
Destination password []? cisco123
Destination filename [x]?

 
Related Commands

Command
Description

copy

Copies a file to or from the ASA.

key-hash

Enters a hashed SSH host key.

key-string

Enters a public SSH host key.

server

Adds an SSH server and host key to the ASA database.

ssh pubkey-chain

Manually adds or deletes servers and their keys from the ASA database.
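The key-hash sha256 value pinned with ssh pubkey-chain, and the accept-or-reject decision that ssh stricthostkeycheck forces when a host key is not yet stored, both come down to hashing the server's public key blob and comparing it with a known value. The following Python script is an added example, not ASA code or Cisco documentation: it serialises an RSA public key in RFC 4253 ssh-rsa form, renders its SHA-256 digest in the colon-separated format shown in the key-hash example, and applies a strict check that rejects any key whose hash does not match the pinned value. It assumes the ASA hashes the same raw key blob that OpenSSH fingerprints hash; the sample key is constructed and is not a real server's key.

```python
"""Derive the colon-separated SHA-256 key hash that key-hash sha256 pins, and
apply a strict host key check against it.  Added example; not ASA code."""
import base64
import hashlib
import struct


def _mpint(x):
    # RFC 4253 mpint: big-endian, with a leading zero byte when the high bit is set.
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(b)) + b


def _string(s):
    return struct.pack(">I", len(s)) + s


def ssh_rsa_blob(e, n):
    """Serialize an RSA public key as an RFC 4253 'ssh-rsa' key blob."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def key_hash_sha256(blob):
    """SHA-256 of the raw key blob as colon-separated hex (the key-hash sha256 layout).
    Assumption of this example: the ASA hashes the raw blob, as OpenSSH fingerprints do."""
    digest = hashlib.sha256(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def blob_from_authorized_key_line(line):
    """Decode the base64 field of an OpenSSH-style 'ssh-rsa AAAA... comment' line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an ssh-rsa public key line")
    return base64.b64decode(fields[1])


def strict_host_key_check(pinned_hash, presented_blob):
    """Strict checking: connect only when the presented key's hash equals the
    pinned value.  An empty pin (key never stored) is a rejection, not an auto-accept."""
    if not pinned_hash:
        return False
    return key_hash_sha256(presented_blob) == pinned_hash.lower()


# Constructed sample key: a fixed, non-secret modulus used only to exercise the
# functions above.  It is not a product of two primes and belongs to no real server.
SAMPLE_E = 65537
SAMPLE_N = (1 << 1023) + 0x10001
SAMPLE_KEY_LINE = ("ssh-rsa "
                   + base64.b64encode(ssh_rsa_blob(SAMPLE_E, SAMPLE_N)).decode()
                   + " scp-server")
PINNED = key_hash_sha256(ssh_rsa_blob(SAMPLE_E, SAMPLE_N))

if __name__ == "__main__":
    print("key-hash sha256 " + PINNED)
    presented = blob_from_authorized_key_line(SAMPLE_KEY_LINE)
    print("host key accepted:", strict_host_key_check(PINNED, presented))
```

The value printed on the first line is what an operator would enter under server in ssh pubkey-chain configuration after obtaining it out of band from the SCP server's administrator; with that pin in place the prompt shown in the ssh stricthostkeycheck example never needs a human "yes".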

ssh timeout

To change the default SSH session idle timeout value, use the ssh timeout command in global configuration mode. To restore the default timeout value, use the no form of this command.

ssh timeout number

no ssh timeout

 
Syntax Description

number

Specifies the duration in minutes that an SSH session can remain inactive before being disconnected. Valid values are from 1 to 60 minutes.

 
Defaults

The default session timeout value is 5 minutes.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The ssh timeout command specifies the duration in minutes that a session can be idle before being disconnected. The default duration is 5 minutes.

Examples

The following example shows how to configure the inside interface to accept only SSH version 2 connections from a management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.

ciscoasa(config)# ssh 10.1.1.1 255.255.255.0 inside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh scopy enable
ciscoasa(config)# ssh timeout 60
 

 
Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

show running-config ssh

Displays the current SSH commands in the running configuration.

show ssh sessions

Displays information about active SSH sessions to the ASA.

ssh disconnect

Disconnects an active SSH session.

ssh version

To restrict the version of SSH accepted by the ASA, use the ssh version command in global configuration mode. To restore the default value, use the no form of this command. The default value permits both SSH Version 1 and SSH Version 2 connections to the ASA.

ssh version { 1 | 2 }

no ssh version [ 1 | 2 ]

 
Syntax Description

1

Specifies that only SSH Version 1 connections are supported.

2

Specifies that only SSH Version 2 connections are supported.

 
Defaults

By default, both SSH Version 1 and SSH Version 2 are supported.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The 1 and 2 keywords specify the SSH version to which the ASA is restricted. The no form of the command returns the ASA to the default, compatible mode, in which both versions can be used.

Examples

The following example shows how to configure the inside interface to accept SSH Version 2 connections from a management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.

ciscoasa(config)# ssh 10.1.1.1 255.255.255.0 inside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh scopy enable
ciscoasa(config)# ssh timeout 60
 

 
Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

debug ssh

Displays debug information and error messages for SSH commands.

show running-config ssh

Displays the current SSH commands in the running configuration.

ssh

Allows SSH connectivity to the ASA from the specified client or network.

ssl certificate-authentication

To enable client certificate authentication for backwards compatibility for versions previous to 8.2(1), use the ssl certificate-authentication command in global configuration mode. To disable ssl certificate authentication, use the no version of this command.

ssl certificate-authentication interface interface-name port port-number

no ssl certificate-authentication interface interface-name port port-number

 
Syntax Description

interface-name

The name of the selected interface, such as inside, management, and outside.

port-number

The TCP port number, an integer in the range 1-65535.

 
Defaults

This feature is disabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

8.0(3)

This command was introduced.

8.2(1)

This command is no longer needed, but the ASA retains it for downgrading to previous versions.

 
Usage Guidelines

This command replaces the deprecated http authentication-certificate command.

Examples

The following example shows how to configure the ASA to use the SSL certificate authentication feature:

ciscoasa(config)# ssl certificate-authentication interface inside port 330

 
Related Commands

Command
Description

show running-config ssl

Displays the current set of configured SSL commands.

ssl client-version

To specify the SSL/TLS protocol version that the ASA uses when acting as a client, use the ssl client-version command in global configuration mode. To revert to the default, use the no form of this command.

ssl client-version [ any | sslv3-only | tlsv1-only ]

no ssl client-version

 
Syntax Description

any

Transmits SSLv3 client hellos and negotiates SSLv3 (or greater).

sslv3-only

Transmits SSLv3 client hellos and negotiates SSLv3 (or greater).

Note This option has been deprecated as of Version 9.3(2).

tlsv1-only

Transmits TLSv1 client hellos and negotiates TLSv1 (or greater).

Note This option has been deprecated as of Version 9.3(2).

 
Defaults

The default value is any .

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

For maximum compatibility, use the any keyword.

Examples

The following example shows how to configure the ASA to negotiate any supported SSL/TLS protocol version when acting as an SSL client:

ciscoasa(config)# ssl client-version any
 

 
Related Commands

Command
Description

clear config ssl

Removes all SSL commands from the configuration, reverting to the default values.

ssl encryption

Specifies the encryption algorithms that the SSL/TLS protocol uses.

show running-config ssl

Displays the current set of configured SSL commands.

ssl server-version

Specifies the minimum protocol version for which the ASA will negotiate an SSL/TLS connection.

ssl trust-point

Specifies the certificate trustpoint that represents the SSL certificate for an interface.

ssl encryption

To specify the encryption algorithms for the SSL, DTLS, and TLS protocols, use the ssl encryption command in global configuration mode. To restore the default, which is the complete set of encryption algorithms, use the no form of this command.

ssl encryption [ 3des-sha1 ] [ aes128-sha1 ] [ aes256-sha1 ] [ des-sha1 ] [ null-sha1 ] [ rc4-md5 ] [ rc4-sha1 ] [ dhe-aes256-sha1 ] [ dhe-aes128-sha1 ]

no ssl encryption

 
Syntax Description

3des-sha1

Specifies triple DES 168-bit encryption with Secure Hash Algorithm 1 (FIPS-compliant).

aes128-sha1

Specifies AES 128-bit encryption with Secure Hash Algorithm 1 (FIPS-compliant).

aes256-sha1

Specifies AES 256-bit encryption with Secure Hash Algorithm 1 (FIPS-compliant).

dhe-aes128-sha1

Specifies AES 128-bit encryption cipher suites for Transport Layer Security (TLS) (FIPS-compliant).

dhe-aes256-sha1

Specifies AES 256-bit encryption cipher suites for Transport Layer Security (TLS) (FIPS-compliant).

des-sha1

Specifies DES 56-bit encryption with Secure Hash Algorithm 1.

null-sha1

Specifies null encryption with Secure Hash Algorithm 1. This setting enforces message integrity without confidentiality.


Caution If you specify null-sha1, data is not encrypted.

rc4-md5

Specifies RC4 128-bit encryption with an MD5 hash function.

rc4-sha1

Specifies RC4 128-bit encryption with Secure Hash Algorithm 1.

 
Defaults

By default, the SSL encryption list on the ASA contains these algorithms in the following order:

1. RC4-SHA1

2. AES128-SHA1 (FIPS-compliant)

3. AES256-SHA1 (FIPS-compliant)

4. 3DES-SHA1 (FIPS-compliant)

5. DHE-AES256-SHA1 (FIPS-compliant)

6. DHE-AES128-SHA1 (FIPS-compliant)

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.1(2)

Support for SSL encryption using the DHE-AES128-SHA1 and DHE-AES256-SHA1 algorithms was added.

 
Usage Guidelines

Issuing the command again overwrites the previous setting. The ASDM License tab reflects the maximum encryption that the license supports, not the value that you configure.

The ordering of the algorithms determines preference for their use. You can add or remove algorithms to meet the needs of your environment.

For FIPS-compliant AnyConnect client SSL connections, you must ensure a FIPS-compliant cipher is the first one specified in the list of SSL encryptions.

Several applications do not support DHE, so include at least one other SSL encryption method to ensure a cipher suite common to both.

Cryptographic operations use symmetric-key algorithms, as referenced in http://en.wikipedia.org/wiki/Symmetric-key_algorithm .
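The guidelines above amount to three checks on the configured cipher list: the first entry must be FIPS-compliant if FIPS-mode AnyConnect clients connect, null-sha1 must not appear where confidentiality is required, and the list must not consist of DHE suites alone. The following Python script is an added example, not ASA code: it parses one ssl encryption configuration line (or no ssl encryption, which restores the default list from the Defaults section above) into its preference-ordered cipher list and reports those findings. The FIPS classification is taken from the Syntax Description above.

```python
"""Audit an ssl encryption cipher list against the usage guidelines.
Added example; not ASA code or Cisco documentation."""

# Classification taken from the Syntax Description of ssl encryption.
FIPS_COMPLIANT = {"3des-sha1", "aes128-sha1", "aes256-sha1",
                  "dhe-aes128-sha1", "dhe-aes256-sha1"}
NULL_ENCRYPTION = {"null-sha1"}
OTHER = {"des-sha1", "rc4-md5", "rc4-sha1"}
KNOWN = FIPS_COMPLIANT | NULL_ENCRYPTION | OTHER

# Default list and order from the Defaults section.
DEFAULT_ORDER = ["rc4-sha1", "aes128-sha1", "aes256-sha1", "3des-sha1",
                 "dhe-aes256-sha1", "dhe-aes128-sha1"]


def parse_ssl_encryption(config_line):
    """Return the effective cipher list, in preference order, for one config line.
    'no ssl encryption' restores the default list; unknown keywords are rejected."""
    tokens = config_line.lower().split()
    if tokens[:3] == ["no", "ssl", "encryption"]:
        return list(DEFAULT_ORDER)
    if tokens[:2] != ["ssl", "encryption"] or len(tokens) < 3:
        raise ValueError("not an ssl encryption line: %r" % config_line)
    ciphers = tokens[2:]
    unknown = sorted(set(ciphers) - KNOWN)
    if unknown:
        raise ValueError("unknown cipher keyword(s): %s" % ", ".join(unknown))
    return ciphers


def audit_ssl_encryption(ciphers, fips_clients=True):
    """Findings in order: FIPS-first rule, null cipher present, DHE-only list."""
    findings = []
    if fips_clients and ciphers[0] not in FIPS_COMPLIANT:
        findings.append("first cipher %s is not FIPS-compliant; FIPS-mode "
                        "AnyConnect clients cannot connect" % ciphers[0])
    for c in ciphers:
        if c in NULL_ENCRYPTION:
            findings.append("%s provides integrity only; data is sent unencrypted" % c)
    if all(c.startswith("dhe-") for c in ciphers):
        findings.append("only DHE suites listed; clients without DHE support "
                        "share no cipher suite with the ASA")
    return findings


if __name__ == "__main__":
    # Constructed lines: the command's own example, the default, and two weak lists.
    for line in ("ssl encryption 3des-sha1 des-sha1",
                 "no ssl encryption",
                 "ssl encryption rc4-md5 null-sha1",
                 "ssl encryption dhe-aes256-sha1"):
        print(line)
        for f in audit_ssl_encryption(parse_ssl_encryption(line)) or ["ok"]:
            print("  -", f)
```

Because issuing ssl encryption again overwrites the previous list rather than appending to it, the audit is run on the single line that survives in show running-config ssl, not on the history of commands entered.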

Examples

The following example shows how to configure the ASA to use the 3des-sha1 and des-sha1 encryption algorithms:

ciscoasa(config)# ssl encryption 3des-sha1 des-sha1
 

 
Related Commands

Command
Description

clear config ssl

Removes all SSL commands from the configuration, reverting to the default values.

show running-config ssl

Displays the current set of configured SSL commands.

ssl client-version

Specifies the SSL/TLS protocol version the ASA uses when acting as a client.

ssl server-version

Specifies the minimum protocol version for which the ASA will negotiate an SSL/TLS connection.

ssl trust-point

Specifies the certificate trust point that represents the SSL certificate for an interface.

ssl cipher

Specifies the encryption algorithms for the SSL, DTLS, and TLS protocols.

Note Available as of the 9.3(2) release.

ssl server-version

To set the minimum protocol version for which the ASA will negotiate an SSL/TLS connection, use the ssl server-version command in global configuration mode. To revert to the default, any, use the no form of this command.

ssl server-version [ any | sslv3-only | tlsv1-only | sslv3 | tlsv1 ]

no ssl server-version

 
Syntax Description

any

Accepts SSLv2 client hellos and negotiates the highest common version.

sslv3

Accepts SSLv2 client hellos and negotiates SSLv3 (or greater).

sslv3-only

Accepts SSLv2 client hellos and negotiates SSLv3 (or greater).

Note This option has been deprecated as of Version 9.3(2).

tlsv1

Accepts SSLv2 client hellos and negotiates TLSv1 (or greater).

tlsv1-only

Accepts SSLv2 client hellos and negotiates TLSv1 (or greater).

Note This option has been deprecated as of Version 9.3(2).

 
Defaults

The default value is any .

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

For maximum compatibility, use the any keyword.

Examples

The following example shows how to configure the ASA to negotiate an SSL/TLS connection:

ciscoasa(config)# ssl server-version any
 

 
Related Commands

Command
Description

clear config ssl

Removes all SSL commands from the configuration, reverting to the default values.

show running-config ssl

Displays the current set of configured SSL commands.

ssl client-version

Specifies the SSL/TLS protocol version that the ASA uses when acting as a client.

ssl encryption

Specifies the encryption algorithms that the SSL/TLS protocol uses.

ssl trust-point

Specifies the certificate trustpoint that represents the SSL certificate for an interface.

ssl trust-point

To specify the certificate trustpoint that represents the SSL certificate for an interface, use the ssl trust-point command with the interface argument in global configuration mode. To remove an SSL trustpoint from the configuration that does not specify an interface, use the no form of this command. To remove an entry that does specify an interface, use the no ssl trust-point name [ interface ] form of the command.

ssl trust-point name [ interface [ vpnlb-ip ] | domain domain-name ]

no ssl trust-point name [ interface [ vpnlb-ip ] | domain domain-name ]

 
Syntax Description

interface

Specifies the name for the interface to which the trustpoint applies. The nameif command defines the name of the interface.

name

Specifies the name of the CA trustpoint as configured in the crypto ca trustpoint name command.

vpnlb-ip

Associates this trustpoint with the VPN load-balancing cluster IP address on this interface. Applies only to interfaces.

 
Defaults

The default is no trustpoint association. The ASA uses the default self-generated RSA key-pair certificate.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

If you do not specify an interface , then this entry will represent the fallback trustpoint that is used on all interfaces that are not associated with a trustpoint of their own.

If you enter the ssl trust-point ? command, the available configured trustpoints appear. If you enter the ssl trust-point name ? command (for example, ssl trust-point mysslcert ?), the available configured interfaces for the trustpoint-SSL certificate association appear.

You may configure up to 16 trustpoints per interface.

Observe these guidelines when using this command:

  • The value for trustpoint must be the name of the CA trustpoint as configured in the crypto ca trustpoint name command.
  • The value for interface must be the nameif name of a previously configured interface.
  • Removing a trustpoint also removes any ssl trust-point entries that reference that trustpoint.
  • You can have one ssl trust-point entry for each interface and one that specifies no interfaces.
  • You can reuse the same trustpoint for multiple entries.
  • If the following error appears after you enter this command:
error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch@x509_cmp.c:339
    it means that a user has configured a new certificate to replace a previously configured certificate. No action is required.

  • The certificates are chosen in the following order:

    1. If a connection matches the value of the domain keyword, that certificate is chosen first (ssl trust-point name domain domain-name command).

    2. If a connection is made to the load-balancing address, the vpnlb-ip certificate is chosen (ssl trust-point name interface vpnlb-ip command).

    3. The certificate configured for the interface (ssl trust-point name interface command).

    4. The default certificate not associated with an interface (ssl trust-point name command).

    5. The ASA's self-signed, self-generated certificate.
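The selection order above is a small decision procedure, and it is worth seeing which entry wins for a given connection before relying on it. The following Python script is an added example, not ASA code: it parses ssl trust-point lines as they appear in show running-config ssl and walks the five steps for a connection described by its interface, whether it arrived on the load-balancing address, and the domain it requested. The two entries from the examples below are reused; the LbTrust and WebTrust entries, the vpn.example.com domain, and the use of the requested domain name as the "domain keyword" match are constructed assumptions of this example.

```python
"""Model the certificate selection order for ssl trust-point entries.
Added example; not ASA code or Cisco documentation."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TrustPointEntry:
    name: str
    interface: Optional[str] = None   # None: the entry with no interface (fallback)
    vpnlb_ip: bool = False            # ssl trust-point name interface vpnlb-ip
    domain: Optional[str] = None      # ssl trust-point name domain domain-name


SELF_SIGNED = "<ASA self-signed certificate>"


def parse_ssl_trust_point_lines(lines: List[str]) -> List[TrustPointEntry]:
    """Parse 'ssl trust-point ...' lines as shown by show running-config ssl."""
    entries = []
    for line in lines:
        t = line.split()
        if t[:2] != ["ssl", "trust-point"] or len(t) < 3:
            continue
        name, rest = t[2], t[3:]
        if rest[:1] == ["domain"] and len(rest) == 2:
            entries.append(TrustPointEntry(name, domain=rest[1]))
        elif rest:
            entries.append(TrustPointEntry(name, interface=rest[0],
                                           vpnlb_ip=rest[1:2] == ["vpnlb-ip"]))
        else:
            entries.append(TrustPointEntry(name))
    return entries


def select_trustpoint(entries, interface, requested_domain=None, to_vpnlb_address=False):
    """Apply the order: domain match, vpnlb-ip, interface, no-interface entry, self-signed."""
    for e in entries:                                   # 1. domain keyword match
        if e.domain is not None and requested_domain == e.domain:
            return e.name
    if to_vpnlb_address:                                # 2. load-balancing address
        for e in entries:
            if e.interface == interface and e.vpnlb_ip:
                return e.name
    for e in entries:                                   # 3. interface certificate
        if e.interface == interface and not e.vpnlb_ip:
            return e.name
    for e in entries:                                   # 4. entry with no interface
        if e.interface is None and e.domain is None:
            return e.name
    return SELF_SIGNED                                  # 5. self-signed fallback


# Constructed configuration: the two entries from the examples below plus an
# assumed vpnlb-ip entry and an assumed domain entry to exercise every step.
SAMPLE_CONFIG = [
    "ssl trust-point FirstTrust inside",
    "ssl trust-point DefaultTrust",
    "ssl trust-point LbTrust outside vpnlb-ip",
    "ssl trust-point WebTrust domain vpn.example.com",
]

if __name__ == "__main__":
    cfg = parse_ssl_trust_point_lines(SAMPLE_CONFIG)
    print("inside            ->", select_trustpoint(cfg, "inside"))
    print("outside           ->", select_trustpoint(cfg, "outside"))
    print("outside (vpnlb)   ->", select_trustpoint(cfg, "outside", to_vpnlb_address=True))
    print("outside (domain)  ->", select_trustpoint(cfg, "outside", "vpn.example.com"))
    print("no entries at all ->", select_trustpoint([], "inside"))
```

The case to watch for in a real configuration is the last one: an interface with no entry of its own and no no-interface entry serves the self-signed certificate, which clients will rightly refuse to trust.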

Examples

The following example shows how to configure an SSL trustpoint called FirstTrust for the inside interface, and a trustpoint called DefaultTrust with no associated interface.

ciscoasa(config)# ssl trust-point FirstTrust inside
ciscoasa(config)# ssl trust-point DefaultTrust

 

The following example shows how to use the no form of the command to delete a trustpoint that has no associated interface:

ciscoasa(config)# show running-config ssl
ssl trust-point FirstTrust inside
ssl trust-point DefaultTrust
ciscoasa(config)# no ssl trust-point
ciscoasa(config)# show running-config ssl
ssl trust-point FirstTrust inside
 

The following example shows how to delete a trustpoint that does have an associated interface:

ciscoasa(config)# show running-config ssl
ssl trust-point FirstTrust inside
ssl trust-point DefaultTrust
ciscoasa(config)# no ssl trust-point FirstTrust inside
ciscoasa(config)# show running-config ssl
ssl trust-point DefaultTrust
 

 
Related Commands

Command
Description

clear config ssl

Removes all SSL commands from the configuration, reverting to the default values.

show running-config ssl

Displays the current set of configured SSL commands.

ssl client-version

Specifies the SSL/TLS protocol version the ASA uses when acting as a client.

ssl encryption

Specifies the encryption algorithms that the SSL/TLS protocol uses.

ssl server-version

Specifies the minimum protocol version for which the ASA will negotiate an SSL/TLS connection.

show ssl

Displays SSL configuration statistics.

sso-server

To create a Single Sign-On (SSO) server for ASA user authentication, use the sso-server command in webvpn configuration mode. With this command, you must specify the SSO server type.

To remove an SSO server, use the no form of this command.

sso-server name type { siteminder | saml-v1.1-post }

no sso-server name


Note This command is required for SSO authentication.


 
Syntax Description


name

Specifies the name of the SSO server. Minimum of 4 characters and maximum of 31 characters.

saml-v1.1-post

Specifies that the ASA SSO server being configured is a SAML, Version 1.1, SSO server of the POST type.

siteminder

Specifies that the ASA SSO server being configured is a Computer Associates SiteMinder SSO server.

type

Specifies the type of SSO server. SiteMinder and SAML-V1.1-POST are the only types available.

 
Defaults

There is no default value or behavior.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The sso-server command lets you create an SSO server.

During authentication, the ASA acts as a proxy for the WebVPN user to the SSO server. The ASA currently supports the SiteMinder SSO server (formerly Netegrity SiteMinder) and the SAML POST-type SSO server. Currently, the available arguments for the type option are restricted to siteminder or saml-v1.1-post.

Examples

The following example, entered in webvpn configuration mode, creates a SiteMinder-type SSO server named “example1”:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# sso-server example1 type siteminder
ciscoasa(config-webvpn-sso-siteminder)#
 

The following example, entered in webvpn configuration mode, creates a SAML, Version 1.1, POST-type SSO server named “example2”:

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# sso-server example2 type saml-v1.1-post
ciscoasa(config-webvpn-sso-saml)#
 

 
Related Commands

Command
Description

assertion-consumer-url

Identifies the URL for the SAML-type SSO assertion consumer service.

issuer

Specifies the SAML-type SSO server’s security device name.

max-retry-attempts

Configures the number of times the ASA retries a failed SSO authentication attempt.

policy-server-secret

Creates a secret key used to encrypt authentication requests to a SiteMinder SSO server.

request-timeout

Specifies the number of seconds before a failed SSO authentication attempt times out.

show webvpn sso-server

Displays the operating statistics for an SSO server.

test sso-server

Tests an SSO server with a trial authentication request.

trustpoint

Specifies a trustpoint name that contains the certificate to use to sign the SAML-type browser assertion.

web-agent-url

Specifies the SSO server URL to which the ASA makes SiteMinder SSO authentication requests.

sso-server value (group-policy webvpn)

To assign an SSO server to a group policy, use the sso-server value command in webvpn configuration mode available in group-policy configuration mode.

To remove the assignment and use the default policy, use the no form of this command.

To prevent inheriting the default policy, use the sso-server none command.

sso-server {value name | none}

[no] sso-server value name

 
Syntax Description


name

Specifies the name of the SSO server being assigned to the group policy.

 
Defaults

The default policy assigned to the group is DfltGrpPolicy.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy webvpn configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

The sso-server value command, when entered in group-policy webvpn mode, lets you assign an SSO server to a group policy.

Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The ASA currently supports the SiteMinder-type of SSO server and the SAML POST-type SSO server.

This command applies to both types of SSO Servers.


Note Enter the same command, sso-server value, in username-webvpn configuration mode to assign SSO servers to user policies.


Examples

The following example commands create the group policy my-sso-grp-pol and assign the SSO server named example to it:

ciscoasa(config)# group-policy my-sso-grp-pol internal
ciscoasa(config)# group-policy my-sso-grp-pol attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# sso-server value example
ciscoasa(config-group-webvpn)#
 

 
Related Commands


Command
Description

policy-server-secret

Creates a secret key used to encrypt authentication requests to a SiteMinder SSO server.

show webvpn sso-server

Displays the operating statistics for all SSO servers configured on the security device.

sso-server

Creates a single sign-on server.

sso-server value (username webvpn)

Assigns an SSO server to a user policy.

web-agent-url

Specifies the SSO server URL to which the ASA makes SiteMinder-type SSO authentication requests.

sso-server value (username webvpn)

To assign an SSO server to a user policy, use the sso-server value command in webvpn configuration mode available in username configuration mode.

To remove an SSO server assignment for a user, use the no form of this command.

When a user policy inherits an unwanted SSO server assignment from a group policy, use the sso-server none command to remove the assignment.

sso-server {value name | none}

[no] sso-server value name

 
Syntax Description

 

name

Specifies the name of the SSO server being assigned to the user policy.

 
Defaults

The default is for the user policy to use the SSO server assignment in the group policy.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Username webvpn configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The ASA currently supports the SiteMinder-type of SSO server and the SAML POST-type SSO server.

This command applies to both types of SSO Servers.

The sso-server value command lets you assign an SSO server to a user policy.


Note Enter the same command, sso-server value, in group-webvpn configuration mode to assign SSO servers to group policies.


Examples

The following example commands assign the SSO server named my-sso-server to the user policy for a WebVPN user named Anyuser:

ciscoasa(config)# username Anyuser attributes
ciscoasa(config-username)# webvpn
ciscoasa(config-username-webvpn)# sso-server value my-sso-server
ciscoasa(config-username-webvpn)#
 

 
Related Commands

Command
Description

policy-server-secret

Creates a secret key used to encrypt authentication requests to a SiteMinder SSO server.

show webvpn sso-server

Displays the operating statistics for all SSO servers configured on the security device.

sso-server

Creates a single sign-on server.

sso-server value (config-group-webvpn)

Assigns an SSO server to a group policy.

web-agent-url

Specifies the SSO server URL to which the ASA makes SiteMinder SSO authentication requests.

start-url

To enter the URL at which to retrieve an optional pre-login cookie, use the start-url command in aaa-server-host configuration mode. This is an SSO with HTTP Forms command.

start-url string


Note To configure SSO with the HTTP protocol correctly, you must have a thorough working knowledge of authentication and HTTP protocol exchanges.


 
Syntax Description

 

string

The URL for an SSO server. The maximum URL length is 1024 characters.

 
Defaults

There is no default value or behavior.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server-host configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.1(1)

This command was introduced.

 
Usage Guidelines

The WebVPN server of the ASA can use an HTTP POST request to submit a single sign-on authentication request to an authenticating web server. The authenticating web server may execute a pre-login sequence by sending a Set-Cookie header along with the login page content. You can discover this by connecting directly to the authenticating web server’s login page with your browser. If the web server sets a cookie when the login page loads and if this cookie is relevant for the following login session, you must use the start-url command to enter the URL at which the cookie is retrieved. The actual login sequence starts after the pre-login cookie sequence with the form submission to the authenticating web server.


Note The start-url command is only required in the presence of the pre-login cookie exchange.


Examples

The following example, entered in aaa-server host configuration mode, specifies https://example.com/east/Area.do?Page=Grp1 as the URL for retrieving the pre-login cookie:

ciscoasa(config)# aaa-server testgrp1 (inside) host example.com
ciscoasa(config-aaa-server-host)# start-url https://example.com/east/Area.do?Page=Grp1
ciscoasa(config-aaa-server-host)#
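The pre-login cookie sequence described above, as an added illustration that is not Cisco code and not the ASA's own implementation: a client runs the HTTP Forms SSO steps (GET start-url, keep the Set-Cookie, POST the form to action-uri with the cookie replayed, read back the cookie named by auth-cookie-name) against an in-memory stand-in for the authenticating web server. The cookie names, the action-uri path /east/login.do, the hidden_token field and the credentials are assumed values chosen for the example.

```python
import http.cookies
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the authenticating web server; cookie names, paths and
# credentials are assumed values, not anything from the Cisco reference.
PRELOGIN_COOKIE = "JSESSIONID"      # cookie set while the login page loads
AUTH_COOKIE = "SMSESSION"           # cookie whose name goes in auth-cookie-name
USERS = {"jdoe": "correct-horse"}   # constructed credential store

def fake_server(method, url, headers, body=""):
    """Answer one request with (status, response_headers)."""
    cookies = http.cookies.SimpleCookie(headers.get("Cookie", ""))
    if method == "GET" and url.endswith("/east/Area.do?Page=Grp1"):   # the start-url
        return 200, {"Set-Cookie": f"{PRELOGIN_COOKIE}=abc123; Path=/"}
    if method == "POST" and url.endswith("/east/login.do"):            # the action-uri
        form = parse_qs(body)
        if PRELOGIN_COOKIE not in cookies:        # login page was never loaded
            return 403, {}
        if form.get("hidden_token") != ["tok1"]:  # hidden-parameter must be echoed back
            return 400, {}
        user = form.get("username", [""])[0]
        if USERS.get(user) == form.get("password", [""])[0]:
            return 200, {"Set-Cookie": f"{AUTH_COOKIE}=sess-xyz; Path=/; HttpOnly"}
        return 401, {}
    return 404, {}

def sso_http_forms(start_url, action_uri, user, password, hidden, auth_cookie_name,
                   user_param="username", password_param="password", send=fake_server):
    """Run the HTTP Forms SSO sequence; return the auth cookie value or None on failure."""
    jar = http.cookies.SimpleCookie()
    # 1. Pre-login exchange: fetch start-url and keep whatever cookie it sets.
    if start_url:
        status, hdrs = send("GET", start_url, {})
        if status == 200 and "Set-Cookie" in hdrs:
            jar.load(hdrs["Set-Cookie"])
    # 2. POST the form to action-uri, replaying the pre-login cookie. The field
    #    names come from user-parameter, password-parameter and hidden-parameter.
    body = urlencode({**hidden, user_param: user, password_param: password})
    cookie_hdr = "; ".join(f"{k}={m.value}" for k, m in jar.items())
    status, hdrs = send("POST", action_uri,
                        {"Cookie": cookie_hdr,
                         "Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200 or "Set-Cookie" not in hdrs:
        return None
    # 3. The cookie named by auth-cookie-name is the proof of authentication.
    jar.load(hdrs["Set-Cookie"])
    return jar[auth_cookie_name].value if auth_cookie_name in jar else None
```

Leaving start_url as None skips step 1, which is why the stand-in server then rejects the login with 403: that is the situation the start-url command exists to handle.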

 
Related Commands

Command
Description

action-uri

Specifies a web server URI to receive a username and password for single sign-on authentication.

auth-cookie-name

Specifies a name for the authentication cookie.

hidden-parameter

Creates hidden parameters for exchange with the authenticating web server.

password-parameter

Specifies the name of the HTTP POST request parameter in which a user password must be submitted for SSO authentication.

user-parameter

Specifies the name of the HTTP POST request parameter in which a username must be submitted for SSO authentication.

state-checking

To enforce state checking for H.323, use the state-checking command in parameters configuration mode. To disable this feature, use the no form of this command.

state-checking [h225 | ras]

no state-checking [h225 | ras]

 
Syntax Description

h225

Enforces state checking for H.225.

ras

Enforces state checking for RAS.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

Examples

The following example shows how to enforce state checking for RAS on an H.323 call:

ciscoasa(config)# policy-map type inspect h323 h323_map
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# state-checking ras
 

 
Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Displays all current policy map configurations.

strict-header-validation

To enable strict validation of the header fields in the SIP messages according to RFC 3261, use the strict-header-validation command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.

strict-header-validation action {drop | drop-connection | reset | log} [log]

no strict-header-validation action {drop | drop-connection | reset | log} [log]

 
Syntax Description

drop

Drops the packet if a violation occurs.

drop-connection

Drops the connection if a violation occurs.

reset

Resets the connection if a violation occurs.

log

Logs the violation, either as a standalone action or in addition to any of the other actions.

 
Defaults

This command is disabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.2(1)

This command was introduced.

Examples

The following example shows how to enable strict validation of SIP header fields in a SIP inspection policy map:

ciscoasa(config)# policy-map type inspect sip sip_map
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# strict-header-validation action log
 

 
Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Displays all current policy map configurations.

strict-http

To allow forwarding of non-compliant HTTP traffic, use the strict-http command in HTTP map configuration mode, which is accessible using the http-map command. To reset this feature to its default behavior, use the no form of the command.

strict-http action { allow | reset | drop } [ log ]

no strict-http action { allow | reset | drop } [ log ]

 
Syntax Description

action

The action taken when a message fails this command inspection.

allow

Allows the message.

drop

Closes the connection.

log

(Optional) Generates a syslog message.

reset

Closes the connection with a TCP reset message to client and server.

 
Defaults

This command is enabled by default.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

HTTP map configuration

  • Yes
  • Yes
  • Yes
  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 

 
Usage Guidelines

Although strict HTTP inspection cannot be disabled, the strict-http action allow command causes the ASA to allow forwarding of non-compliant HTTP traffic. This command overrides the default behavior, which is to deny forwarding of non-compliant HTTP traffic.

Examples

The following example allows forwarding of non-compliant HTTP traffic:

ciscoasa(config)# http-map inbound_http
ciscoasa(config-http-map)# strict-http action allow
ciscoasa(config-http-map)#
 

 
Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug appfw

Displays detailed information about traffic associated with enhanced HTTP inspection.

http-map

Defines an HTTP map for configuring enhanced HTTP inspection.

inspect http

Applies a specific HTTP map to use for application inspection.

policy-map

Associates a class map with specific security actions.

strip-group

This command applies only to usernames received in the form user@realm. A realm is an administrative domain appended to a username with the “@” delimiter (juser@abc).

To enable or disable strip-group processing, use the strip-group command in tunnel-group general-attributes mode. The ASA selects the tunnel group for IPsec connections by obtaining the group name from the username presented by the VPN client. When strip-group processing is enabled, the ASA sends only the user part of the username for authorization/authentication. Otherwise (if disabled), the ASA sends the entire username including the realm.

To disable strip-group processing, use the no form of this command.

strip-group

no strip-group

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

The default setting for this command is disabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group general attributes configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

You can apply this attribute only to the IPsec remote access tunnel-type.


Note Because of a limitation of MSCHAPv2, you cannot perform tunnel group switching when MSCHAPv2 is used for PPP authentication. The hash computation during MSCHAPv2 is bound to the username string (such as user + delimiter + group).


Examples

The following example configures a remote access tunnel group named “remotegrp” for type IPsec remote access, then enters general configuration mode, sets the default group policy to the group policy named “remotegrp”, and then enables strip-group processing for that tunnel group:

ciscoasa(config)# tunnel-group remotegrp type IPsec_ra
ciscoasa(config)# tunnel-group remotegrp general
ciscoasa(config-tunnel-general)# default-group-policy remotegrp
ciscoasa(config-tunnel-general)# strip-group
 

 
Related Commands

Command
Description

clear-configure tunnel-group

Clears all configured tunnel groups.

group-delimiter

Enables group-name parsing and specifies the delimiter to be used when parsing group names from the user names that are received when tunnels are being negotiated.

show running-config tunnel group

Shows the tunnel group configuration for all tunnel groups or for a particular tunnel group.

tunnel-group general-attributes

Specifies the general attributes for the named tunnel-group.

strip-realm

To enable or disable strip-realm processing, use the strip-realm command in tunnel-group general-attributes configuration mode. Strip-realm processing removes the realm from the username when sending the username to the authentication or authorization server. A realm is an administrative domain appended to a username with the @ delimiter (username@realm). If the command is enabled, the ASA sends only the user part of the username for authorization/authentication. Otherwise, the ASA sends the entire username.

To disable strip-realm processing, use the no form of this command.

strip-realm

no strip-realm

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

The default setting for this command is disabled.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group general attributes configuration

  • Yes

  • Yes

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

You can apply this attribute only to the IPsec remote access tunnel-type.

Examples

The following example configures a remote access tunnel group named “remotegrp” for type IPsec remote access, then enters general configuration mode, sets the default group policy to the group policy named “remotegrp”, and then enables strip-realm processing for that tunnel group:

ciscoasa(config)# tunnel-group remotegrp type IPsec_ra
ciscoasa(config)# tunnel-group remotegrp general
ciscoasa(config-tunnel-general)# default-group-policy remotegrp
ciscoasa(config-tunnel-general)# strip-realm
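
What the strip-group and strip-realm attributes (together with group-delimiter) do to a presented username, as an added model that is not Cisco code and not the ASA's own implementation. It assumes, since the page does not say, that the group is parsed off the end of the name first and a realm from what remains, and that when "@" is the configured group delimiter it denotes the group rather than a realm.

```python
# Assumption (not stated on the page): when both a group delimiter and a realm are
# present, the group is parsed off the end first and the realm from what remains;
# if "@" is itself the group delimiter it is treated as the group, not a realm.

def parse_vpn_username(presented, group_delimiter=None, strip_group=False, strip_realm=False):
    """Model how a presented username becomes (tunnel_group, username_sent_to_aaa).

    group_delimiter: character configured with group-delimiter, or None when group
    parsing is off. strip_group and strip_realm mirror the two tunnel-group attributes.
    """
    group = realm = None
    user_part = presented
    if group_delimiter and group_delimiter in user_part:
        user_part, group = user_part.rsplit(group_delimiter, 1)
    if "@" in user_part:                       # user@realm form
        user_part, realm = user_part.split("@", 1)
    # Rebuild what the AAA server sees: stripped pieces are omitted, the rest is
    # sent in the original user@realm<delim>group order.
    sent = user_part
    if realm is not None and not strip_realm:
        sent += "@" + realm
    if group is not None and not strip_group:
        sent += group_delimiter + group
    return group, sent
```

The tunnel group returned is the one the ASA would select from the name; the second value is the string that reaches the authentication or authorization server under the given attribute settings.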
 

storage-key

To specify a storage key to protect the data stored between sessions, use the storage-key command in group-policy webvpn configuration mode. To remove this command from the configuration, use the no version of this command.

storage-key { none | value string }

no storage-key

 
Syntax Description

string

Specifies a string to use as the value of the storage key. This string can be up to 64 characters long.

 
Defaults

The default is none.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy webvpn configuration mode

  • Yes

  • Yes

 
Command History

Release
Modification

8.0(2)

This command was introduced.

 
Usage Guidelines

While you can use any character except spaces in the storage key value, we recommend using only the standard alphanumeric character set: 0 through 9 and a through z.

Examples

The following example sets the storage key to the value abc123:

ciscoasa(config)# group-policy test attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# storage-key value abc123
 

 
Related Commands

Command
Description

storage-objects

Configures storage objects for the data stored between sessions.

storage-objects

To specify which storage objects to use for the data stored between sessions, use the storage-objects command in group-policy webvpn configuration mode. To remove this command from the configuration, use the no version of this command.

storage-objects { none | value string }

no storage-objects

 
Syntax Description

string

Specifies the name of the storage objects. This string can be up to 64 characters long.

 
Defaults

The default is none.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy webvpn configuration mode

  • Yes

  • Yes

 
Command History

Release
Modification

8.0(2)

This command was introduced.

 
Usage Guidelines

While you can use any character except spaces and commas in the storage object name, we recommend using only the standard alphanumeric character set: 0 through 9 and a through z. Use a comma, with no space, to separate the names of storage objects in the string.

Examples

The following example sets the storage object names to cookies and xyz456:

ciscoasa(config)# group-policy test attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# storage-objects value cookies,xyz456
 

 
Related Commands

Command
Description

storage-key

Configures storage key to use for the data stored between sessions.

user-storage

Configures a location for storing user data between sessions.