Cisco Security Appliance Command Reference, Version 8.0
shun -- sysopt radius ignore-secret
Downloads: This chapterpdf (PDF - 1.2MB) The complete bookPDF (PDF - 27.03MB) | Feedback

shun through sysopt radius ignore-secret Commands

Table Of Contents

shun through sysopt radius ignore-secret Commands

shun

shutdown

shutdown (ca-server mode)

sla monitor

sla monitor schedule

smart-tunnel auto-signon enable

smart-tunnel auto-signon list

smart-tunnel auto-start

smart-tunnel disable

smart-tunnel enable

smart-tunnel list

smartcard-removal-disconnect

smtp from-address

smtp subject

smtps

smtp-server

snmp-map

snmp-server community

snmp-server contact

snmp-server enable

snmp-server enable traps

snmp-server group

snmp-server host

snmp-server listen-port

snmp-server location

snmp-server user

software-version

speed

split-dns

split-horizon

split-tunnel-network-list

split-tunnel-policy

spoof-server

sq-period

ssh

ssh disconnect

ssh scopy enable

ssh timeout

ssh version

ssl certificate-authentication

ssl client-version

ssl encryption

ssl server-version

ssl trust-point

sso-server

sso-server value (group-policy webvpn)

sso-server value (username webvpn)

start-url

state-checking

static

strict-header-validation

strict-http

strip-group

strip-realm

storage-key

storage-objects

subject-name (crypto ca certificate map)

subject-name (crypto ca trustpoint)

subject-name-default

summary-address (OSPF)

summary-address (EIGRP)

sunrpc-server

support-user-cert-validation

svc ask

svc compression

svc dpd-interval

svc dtls enable

svc enable

svc image

svc keepalive

svc keep-installer

svc modules

svc mtu

svc profiles (group-policy or username attributes)

svc profiles (webvpn)

svc rekey

switchport access vlan

switchport mode

switchport monitor

switchport protected

switchport trunk

synack-data

syn-data

sysopt connection permit-vpn

sysopt connection preserve-vpn-flows

sysopt connection reclassify-vpn

sysopt connection tcpmss

sysopt connection timewait

sysopt nodnsalias

sysopt noproxyarp

sysopt radius ignore-secret


shun through sysopt radius ignore-secret Commands


shun

To block connections from an attacking host, use the shun command in privileged EXEC mode. To disable a shun, use the no form of this command.

shun source_ip [dest_ip source_port dest_port [protocol]] [vlan vlan_id]

no shun source_ip [vlan vlan_id]

Syntax Description

dest_port

(Optional) Specifies the destination port of a current connection that you want to drop when you place the shun on the source IP address.

dest_ip

(Optional) Specifies the destination address of a current connection that you want to drop when you place the shun on the source IP address.

protocol

(Optional) Specifies the IP protocol of a current connection that you want to drop when you place the shun on the source IP address, such as UDP or TCP. By default, the protocol is 0 (any protocol).

source_ip

Specifies the address of the attacking host. If you only specify the source IP address, all future connections from this address are dropped; current connections remain in place. To drop a current connection and also place the shun, specify the additional parameters of the connection. Note that the shun remains in place for all future connections from the source IP address, regardless of destination parameters.

source_port

(Optional) Specifies the source port of a current connection that you want to drop when you place the shun on the source IP address.

vlan_id

(Optional) Specifies the VLAN ID where the source host resides.


Defaults

The default protocol is 0 (any protocol).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The shun command lets you block connections from an attacking host. All future connections from the source IP address are dropped and logged until the blocking function is removed manually or by the Cisco IPS sensor. The blocking function of the shun command is applied whether or not a connection with the specified host address is currently active.

If you specify the destination address, source and destination ports, and the protocol, then you drop the matching connection as well as placing a shun on all future connections from the source IP address; all future connections are shunned, not just those that match these specific connection parameters.

You can only have one shun command per source IP address.

Because the shun command is used to block attacks dynamically, it is not displayed in the security appliance configuration.

Whenever an interface configuration is removed, all shuns that are attached to that interface are also removed. If you add a new interface or replace the same interface (using the same name), then you must add that interface to the IPS sensor if you want the IPS sensor to monitor that interface.

Examples

The following example shows that the offending host (10.1.1.27) makes a connection with the victim (10.2.2.89) with TCP. The connection in the security appliance connection table reads as follows:

10.1.1.27, 555-> 10.2.2.89, 666 PROT TCP
 
   

Apply the shun command using the following options:

hostname# shun 10.1.1.27 10.2.2.89 555 666 tcp
 
   

The command deletes the specific current connection from the security appliance connection table and also prevents all future packets from 10.1.1.27 from going through the security appliance.

Related Commands

Command
Description

clear shun

Disables all the shuns that are currently enabled and clears the shun statistics.

show conn

Shows all active connections.

show shun

Displays the shun information.


shutdown

To disable an interface, use the shutdown command in interface configuration mode. To enable an interface, use the no form of this command.

shutdown

no shutdown

Syntax Description

This command has no arguments or keywords.

Defaults

All physical interfaces are shut down by default. Allocated interfaces in security contexts are not shut down in the configuration.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was moved from a keyword of the interface command to an interface configuration mode command.


Usage Guidelines

The default state of an interface depends on the type and the context mode.

In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

In single mode or in the system execution space, interfaces have the following default states:

Physical interfaces—Disabled.

Redundant Interfaces—Enabled. However, for traffic to pass through the redundant interface, the member physical interfaces must also be enabled.

Subinterfaces—Enabled. However, for traffic to pass through the subinterface, the physical interface must also be enabled.


Note This command only disables the software interface. The physical link remains up, and the directly connected device is still recognized as being up even when the corresponding interface is configured with the shutdown command.


Examples\

The following example enables a main interface:

hostname(config)# interface gigabitethernet0/2
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
 
   

The following example enables a subinterface:

hostname(config)# interface gigabitethernet0/2.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# no shutdown
 
   

The following example shuts down the subinterface:

hostname(config)# interface gigabitethernet0/2.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# shutdown
 
   

Related Commands

Command
Description

clear xlate

Resets all translations for existing connections, causing the connections to be reset.

interface

Configures an interface and enters interface configuration mode.


shutdown (ca-server mode)

To disable the local Certificate Authority (CA) server and render the enrollment interface inaccessible to users, use the shutdown command in CA server configuration mode. To enable the CA server, lock down the configuration from changes, and to render the enrollment interface accessible, use the no form of this command.

[ no ] shutdown

Syntax Description

This command has no arguments or keywords.

Defaults

Initially, by default, the CA server is shut down.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CA server configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

This command in CA server mode is similar to the shutdown command in interface mode. At setup time, the local CA server is shutdown by default and must be enabled using the no shutdown command. When you use the no shutdown command for the first time, you enable the CA server and generate the CA server certificate and keypair.


Note The CA configuration cannot be changed once you lock it and generate the CA certificate by issuing the no shutdown command.


To enable the CA server and lock down the current configuration with the no shutdown command, a 7-character password is required to encode and archive a PKCS12 file containing the CA certificate and keypair that is to be generated. The file is stored to the storage identified by a previously specified database path command.

Examples

The following example disables the local CA server and renders the enrollment interface inaccessible:

hostname(config)# crypto ca server
hostname(config-ca-server)# shutdown
hostname(config-ca-server)# 
 
   

The following example enables the local CA server and makes the enrollment interface accessible:

hostname(config)# crypto ca server
hostname(config-ca-server)# no shutdown
hostname(config-ca-server)# 
 
   
hostname(config-ca-server)# no shutdown
 
   
% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
 
   
Password: caserver
 
   
Re-enter password: caserver
 
   
Keypair generation process begin. Please wait...
 
   
hostname(config-ca-server)#

Related Commands

Command
Description

crypto ca server

Provides access to the CA Server Configuration mode CLI command set, which allows you to configure and manage the local CA.

show crypto ca server

Displays the status of the CA configuration.


sla monitor

To create an SLA operation, use the sla monitor command in global configuration mode. To remove the SLA operation, use the no form of this command.

sla monitor sla_id

no sla monitor sla_id

Syntax Description

sla_id

Specifies the ID of the SLA being configured. If the SLA does not already exist, it is created. Valid values are from 1 to 2147483647.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

The sla monitor command creates SLA operations and enters SLA Monitor configuration mode. Once you enter this command, the command prompt changes to hostname(config-sla-monitor)# to indicate that you are in SLA Monitor configuration mode. If the SLA operation already exists, and a type has already been defined for it, then the prompt appears as hostname(config-sla-monitor-echo)#. You can create a maximum of 2000 SLA operations. Only 32 SLA operations may be debugged at any time.

The no sla monitor command removes the specified SLA operation and the commands used to configure that operation.

After you configure an SLA operation, you must schedule the operation with the sla monitor schedule command. You cannot modify the configuration of the SLA operation after scheduling it. To modify the the configuration of a scheduled SLA operation, you must use the no sla monitor command to remove the selected SLA operation completely. Removing an SLA operation also removes the associated sla monitor schedule command. Then you can reenter the SLA operation configuration.

To display the current configuration settings of the operation, use the show sla monitor configuration command. To display operational statistics of the SLA operation, use the show sla monitor operation-state command. To see the SLA commands in the configuration, use the show running-config sla monitor command.

Examples

The following example configures an SLA operation with an ID of 123 and creates a tracking entry with the ID of 1 to track the reachability of the SLA:

hostname(config)# sla monitor 123
hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside 
hostname(config-sla-monitor-echo)# timeout 1000
hostname(config-sla-monitor-echo)# frequency 3
hostname(config)# sla monitor schedule 123 life forever start-time now
hostname(config)# track 1 rtr 123 reachability
 
   

Related Commands

Command
Description

frequency

Specifies the rate at which the SLA operation repeats.

show sla monitor configuration

Displays the SLA configuration settings.

sla monitor schedule

Schedules the SLA operation.

timeout

Sets the amount of time the SLA operation waits for a response.

track rtr

Creates a tracking entry to poll the SLA.


sla monitor schedule

To schedule an SLA operation, use the sla monitor schedule command in global configuration mode. To remove SLA operation schedule, and place the operation in the pending state, use the no form of this command.

sla monitor schedule sla-id [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]

no sla monitor schedule sla-id

Syntax Description

after hh:mm:ss

Indicates that the operation should start the specified number of hours, minutes, and seconds after the command was entered.

ageout seconds

(Optional) Specifies the number of seconds to keep the operation in memory when it is not actively collecting information. After an SLA operation ages out, it is removed from the running configuration.

day

Number of the day to start the operation on. Valid values are from 1 to 31. If a day is not specified, then the current day is used. If you specify a day you must also specify a month.

hh:mm[:ss]

Specifies an absolute start time in 24-hour notation. Seconds are optional. The next time the specified time occurs is implied unless you specify a month and a day.

life forever

(Optional) Schedules the operation to run indefinitely.

life seconds

(Optional) Sets the number of seconds the operation actively collects information.

month

(Optional) Name of the month to start the operation in. If a month is not specified, then the current month is used. I f you specify a month you must also specify a day.

You can enter the full English name of the month or just the first three letters.

now

Indicates that the operation should start as soon as the command is entered.

pending

Indicates that no information is collected. This is the default state.

recurring

(Optional) Indicates that the operation will start automatically at the specified time and for the specified duration every day.

sla-id

The ID of the SLA operation being scheduled.

start-time

Sets the time when the SLA operation starts.


Defaults

The defaults are as follows:

SLA operations are in the pending state until the scheduled time is met. This means that the operation is enabled but not actively collecting data.

The default ageout time is 0 seconds (never ages out).

The default life is 3600 seconds (one hour).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

When an SLA operation is in an active state, it immediately begins collecting information. The following time line shows the age-out process of the operation:

W----------------------X----------------------Y----------------------Z
 
   

W is the time the SLA operation was configured with the sla monitor command.

X is the start time of the SLA operation. This is when the operation became "active".

Y is the end of life as configured with the sla monitor schedule command (the life seconds have counted down to zero).

Z is the age out of the operation.

The age out process, if used, starts counting down at W, is suspended between X and Y, and is reset to its configured size are starts counting down again at Y. When an SLA operation ages out, the SLA operation configuration is removed from the running configuration. It is possible for the operation to age out before it executes (that is, Z can occur before X). To ensure that this does not happen, the difference between the operation configuration time and start time (X and W) must be less than the age-out seconds.

The recurring keyword is only supported for scheduling single SLA operations. You cannot schedule multiple SLA operations using a single sla monitor schedule command. The life value for a recurring SLA operation should be less than one day. The ageout value for a recurring operation must be "never" (which is specified with the value 0), or the sum of the life and ageout values must be more than one day. If the recurring option is not specified, the operations are started in the existing normal scheduling mode.

You cannot modify the configuration of the SLA operation after scheduling it. To modify the configuration of a scheduled SLA operation, you must use the no sla monitor command to remove the selected SLA operation completely. Removing an SLA operation also removes the associated sla monitor schedule command. Then you can reenter the SLA operation configuration.

Examples

The following example shows SLA operation 25 scheduled to begin actively collecting data at 3:00 p.m. on April 5. This operation will age out after 12 hours of inactivity. When this SLA operation ages out, all configuration information for the SLA operation is removed from the running configuration.

hostname(config)# sla monitor schedule 25 life 43200 start-time 15:00 apr 5 ageout 43200
 
   

The following example shows SLA operation 1 schedule to begin collecting data after a 5-minute delay. The default life of one hour applies.

hostname(config)# sla monitor schedule 1 start after 00:05:00
 
   

The following example shows SLA operation 3 scheduled to begin collecting data immediately and is scheduled to run indefinitely:

hostname(config)# sla monitor schedule 3 life forever start-time now 
 
   

The following example shows SLA operation 15 scheduled to begin automatically collecting data every day at 1:30 a.m.:

hostname(config)# sla monitor schedule 15 start-time 01:30:00 recurring
 
   

Related Commands

Command
Description

show sla monitor configuration

Displays the SLA configuration settings.

sla monitor

Defines an SLA monitoring operation.


smart-tunnel auto-signon enable

To enable smart tunnel auto sign-on in clientless (browser-based) SSL VPN sessions, use the smart-tunnel auto-signon enable command in group-policy webvpn configuration mode or username webvpn configuration mode.

[no] smart-tunnel auto-signon enable list [domain domain]

To remove the smart-tunnel auto-signon enable command from the group policy or username and inherit it from the default group-policy, use the no form of the command.

Syntax Description

list

list is the name of a smart tunnel auto sign-on list already present in the security appliance webvpn configuration.

To view the smart tunnel auto sign-on list entries in the SSL VPN configuration, enter the show running-config webvpn smart-tunnel command in privileged EXEC mode.

domain domain

(Optional). Name of the domain to be added to the username during authentication. If you enter a domain, enter the use-domain keyword in the list entries.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group-policy webvpn configuration mode

username webvpn configuration mode


Command History

Release
Modification

8.0(4)

This command was introduced.


Usage Guidelines

The smart-tunnel auto sign-on feature supports only applications communicating HTTP and HTTPS using the Microsoft WININET library. For example, Microsoft Internet Explorer uses the WININET dynamic linked library to communicate with web servers.

You must use the smart-tunnel auto-signon list command to create a list of servers first. You can assign only one list to a group policy or username.

Examples

The following commands enable the smart tunnel auto sign-on list named HR:

hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# smart-tunnel auto-signon enable HR
hostname(config-group-webvpn)
 
   

The following command enables the smart tunnel auto sign-on list named HR and adds the domain named CISCO to the username during authentication:

hostname(config-group-webvpn)# smart-tunnel auto-signon enable HR domain CISCO
 
   

The following command removes the smart tunnel auto sign-on list named HR from the group policy and inherits the smart tunnel auto sign-on list command from the default group policy:

hostname(config-group-webvpn)# no smart-tunnel auto-signon enable HR
 
   

Related Command

Command
Description

smart-tunnel auto-signon list

Create a list of servers for which to automate the submission of credentials in smart tunnel connections.

show running-config webvpn smart-tunnel

Displays the smart tunnel configuration on the security appliance.

smart-tunnel auto-start

Starts smart tunnel access automatically upon user login.

smart-tunnel disable

Prevents smart tunnel access.

smart-tunnel list

Adds an entry to a list of applications that can use a Clientless SSL VPN session to connect to private sites.


s

 
   

smart-tunnel auto-signon list

To create a list of servers for which to automate the submission of credentials in smart tunnel connections, use the smart-tunnel auto-signon list command in webvpn configuration mode.

[no] smart-tunnel auto-signon list [use-domain] {ip ip-address [netmask] | host hostname-mask}

Use this command for each server you want to add to a list. To remove an entry from a list, use the no form of the command, specifying both the list and the IP address or hostname, as it appears in the security appliance configuration. To display the smart tunnel auto sign-on list entries, enter the show running-config webvpn smart-tunnel command in privileged EXEC mode.

To remove an entire list of servers from the security appliance configuration, use the no form of the command, specifying only the list.

no smart-tunnel auto-signon list

Syntax Description

host

Server to be identified by its host name or wildcard mask.

hostname-mask

Host name or wildcard mask to auto-authenticate to.

ip

Server to be identified by its IP address and netmask.

ip-address [netmask]

Sub-network of hosts to auto-authenticate to.

list

Name of a list of remote servers. Use quotation marks around the name if it includes a space. The string can be up to 64 characters. The security appliance creates the list if it is not present in the configuration. Otherwise, it adds the entry to the list.

use-domain

(Optional) Add the Windows domain to the username if authentication requires it. If you enter this keyword, be sure to specify the domain name when assigning the smart tunnel list to one or more group policies, or usernames.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

webvpn configuration mode


Command History

Release
Modification

8.0(4)

This command was introduced.


Usage Guidelines

The smart-tunnel auto sign-on feature supports only applications communicating HTTP and HTTPS using the Microsoft WININET library. For example, Microsoft Internet Explorer uses the WININET dynamic linked library to communicate with web servers.

Following the population of a smart tunnel auto sign-on list, use the smart-tunnel auto-signon enable list command in group policy webvpn or username webvpn mode to assign the list.

Examples

The following command adds all hosts in the subnet and adds the Windows domain to the username if authentication requires it:

asa2(config-webvpn)# smart-tunnel auto-signon HR use-domain ip 192.32.22.56 255.255.255.0
 
   

The following command removes that entry from the list:

asa2(config-webvpn)# no smart-tunnel auto-signon HR use-domain ip 192.32.22.56 
255.255.255.0
 
   

The command shown above also removes the list named HR if the entry removed is the only entry in the list. Otherwise, the following command removes the entire list from the security appliance configuration:

asa2(config-webvpn)# no smart-tunnel auto-signon HR
 
   

The following command adds all hosts in the domain to the smart tunnel auto sign-on list named intranet:

asa2(config-webvpn)# smart-tunnel auto-signon intranet host *.exampledomain.com
 
   

The following command removes that entry from the list:

asa2(config-webvpn)# no smart-tunnel auto-signon intranet host *.exampledomain.com
 
   
 
   

Related Command

Command
Description

smart-tunnel auto-signon enable

Enables smart tunnel auto sign-on for the group policy or username specified in the command mode.

smart-tunnel auto-signon enable list

Assigns a smart tunnel auto sign-on list to a group policy or username

show running-config webvpn smart-tunnel

Displays the smart tunnel configuration.

smart-tunnel auto-start

Starts smart tunnel access automatically upon user login.

smart-tunnel enable

Enables smart tunnel access upon user login, but requires the user to start smart tunnel access manually, using the Application Access > Start Smart Tunnels button on the Clientless SSL VPN portal page.


s

smart-tunnel auto-start

To start smart tunnel access automatically upon user login in a clientless (browser-based) SSL VPN session, use the smart-tunnel auto-start command in group-policy webvpn configuration mode or username webvpn configuration mode.

smart-tunnel auto-start list

To remove the smart-tunnel command from the group policy or username and inherit the [no] smart-tunnel command from the default group-policy, use the no form of the command.

no smart-tunnel

Syntax Description

list

list is the name of a smart tunnel list already present in the security appliance webvpn configuration.

To view any smart tunnel list entries already present in the SSL VPN configuration, enter the show running-config webvpn command in privileged EXEC mode.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group-policy webvpn configuration mode

username webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

This command requires that you use the smart-tunnel list command to create the list of applications first.

Examples

The following commands start smart tunnel access for a list of applications named apps1:

hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# smart-tunnel auto-start apps1
hostname(config-group-webvpn)
 
   

The following commands remove the list named apps1 from the group policy and inherit the smart tunnel commands from the default group policy:

hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# no smart-tunnel
hostname(config-group-webvpn)
 
   

Related Command

Command
Description

show running-config webvpn

Displays the Clientless SSL VPN configuration, including all smart tunnel list entries.

smart-tunnel disable

Prevents smart tunnel access.

smart-tunnel enable

Enables smart tunnel access upon user login, but requires the user to start smart tunnel access manually, using the Application Access > Start Smart Tunnels button on the Clientless SSL VPN portal page.

smart-tunnel list

Adds an entry to a list of applications that can use a Clientless SSL VPN session to connect to private sites.


s

 
   

smart-tunnel disable

To prevent smart tunnel access through clientless (browser-based) SSL VPN sessions, use the smart-tunnel disable command in group-policy webvpn configuration mode or username webvpn configuration mode.

smart-tunnel disable

To remove a smart-tunnel command from the group policy or username and inherit the [no] smart-tunnel command from the default group-policy, use the no form of the command.

no smart-tunnel

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group-policy webvpn configuration mode

username webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

By default, smart tunnels are not enabled, so the smart-tunnel disable command is necessary only if the (default) group policy or username configuration contains a smart-tunnel auto-start or smart-tunnel enable command that you do not want applied for the group policy or username in question.

Examples

The following commands prevent smart tunnel access:

hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# smart-tunnel disable
hostname(config-group-webvpn)
 
   

Related Command

Command
Description

smart-tunnel auto-start

Starts smart tunnel access automatically upon user login.

smart-tunnel enable

Enables smart tunnel access upon user login, but requires the user to start smart tunnel access manually, using the Application Access > Start Smart Tunnels button on the Clientless SSL VPN portal page.

smart-tunnel list

Adds an entry to a list of applications that can use a Clientless SSL VPN session to connect to private sites.


s

 
   

smart-tunnel enable

To enable smart tunnel access through clientless (browser-based) SSL VPN sessions, use the smart-tunnel enable command in group-policy webvpn configuration mode or username webvpn configuration mode.

smart-tunnel enable list

To remove the smart-tunnel command from the group policy or username and inherit the [no] smart-tunnel command from the default group-policy, use the no form of the command.

no smart-tunnel

Syntax Description

list

list is the name of a smart tunnel list already present in the security appliance webvpn configuration.

To view the smart tunnel list entries in the SSL VPN configuration, enter the show running-config webvpn command in privileged EXEC mode.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group-policy webvpn configuration mode

username webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The smart-tunnel enable command assigns a list of applications eligible for smart tunnel access to a group policy or username. It requires the user to start smart tunnel access manually, using the Application Access > Start Smart Tunnels button on the clientless-SSL-VPN portal page. Alternatively, you can use the smart-tunnel auto-start command to start smart tunnel access automatically upon user login.

Both commands require that you use the smart-tunnel list command to create the list of applications first.

Examples

The following commands enable the smart tunnel list named apps1:

hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# smart-tunnel enable apps1
hostname(config-group-webvpn)
 
   

The following commands remove the list named apps1 from the group policy and inherit the smart tunnel list from the default group policy:

hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# no smart-tunnel
hostname(config-group-webvpn)
 
   

Related Command

Command
Description

show running-config webvpn

Displays the Clientless SSL VPN configuration, including all smart tunnel list entries.

smart-tunnel auto-start

Starts smart tunnel access automatically upon user login.

smart-tunnel disable

Prevents smart tunnel access.

smart-tunnel list

Adds an entry to a list of applications that can use a Clientless SSL VPN session to connect to private sites.


s

 
   

smart-tunnel list

To populate a list of applications that can use a clientless (browser-based) SSL VPN session to connect to private sites, use the smart-tunnel list command in webvpn configuration mode.

[no] smart-tunnel list list application path [platform OS] [hash]

To remove an application from a list, use the no form of the command, specifying the entry. To remove an entire list of applications from the security appliance configuration, use the no form of the command, specifying only the list.

no smart-tunnel list list

Syntax Description

list

Name of a list of applications or programs. Use quotation marks around the name if it includes a space. The CLI creates the list if it is not present in the configuration. Otherwise, it adds the entry to the list.

application

Name of the application to be granted smart tunnel access. The string can be up to 64 characters.

path

For Mac OS, the full path to the application. For Windows, the filename of the application; or a full or partial path to the application, including its filename. The string can be up to 128 characters.

platform OS

(Optional if the OS is Microsoft Windows) Enter windows or mac to specify the host of the application.

hash

(Optional and applicable only for Windows) To obtain this value, enter the checksum of the application (that is, the checksum of the executable file) into a utility that calculates a hash using the SHA-1 algorithm. One example of such a utility is the Microsoft File Checksum Integrity Verifier (FCIV), which is available at http://support.microsoft.com/kb/841290/. After installing FCIV, place a temporary copy of the application to be hashed on a path that contains no spaces (for example, c:/fciv.exe), then enter fciv.exe -sha1 application at the command line (for example, fciv.exe -sha1 c:\msimn.exe) to display the SHA-1 hash.

The SHA-1 hash is always 40 hexadecimal characters.


Defaults

Windows is the default platform.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.

8.0(4)

Added platform OS.


Usage Guidelines

You can configure more than one smart tunnel list on a security appliance, but you cannot assign more than one smart tunnel list to a given group policy or username. To populate a smart tunnel list, enter the smart-tunnel list command once for each application, entering the same list string, but specifying an application and path that is unique for the OS. Enter the command once for each OS you want the list to support.

The session ignores a list entry if the OS does not match the one indicated in the entry. It also ignores an entry if the path to the application is not present.

To view the smart tunnel list entries in the SSL VPN configuration, enter the show running-config webvpn smart-tunnel command in privileged EXEC mode.

The path must match the one on the computer, but it does not have to be complete. For example, the path can consist of nothing more than the executable file and its extension.

Smart tunnels have the following requirements:

The remote host originating the smart tunnel connection must be running a 32-bit version of Microsoft Windows Vista, Windows XP, or Windows 2000; or Mac OS 10.4 or 10.5.

Users of Microsoft Windows Vista who use smart tunnels or port forwarding must add the URL of the ASA to the Trusted Site zone. To access the Trusted Site zone, they must start Internet Explorer and choose the Tools > Internet Options > Security tab. Vista users can also disable Protected Mode to facilitate smart tunnel access; however, we recommend against this method because it increases the computer's vulnerability to attack.

The browser must be enabled with Java, Microsoft ActiveX, or both.

Smart tunnel support for Mac OS requires Safari 3.1.1 or later.

On Microsoft Windows, only Winsock 2, TCP-based applications are eligible for smart tunnel access.

On Mac OS, applications using TCP that are dynamically linked to the SSL library can work over a smart tunnel. The following types of applications do not work over a smart tunnel:

Applications using dlopen or dlsym to locate libsocket calls

Statically linked applications to locate libsocket calls

Mac OS applications that use two-level name spaces.

Mac OS, console-based applications, such as Telnet, SSH, and cURL.

The PowerPC MAC operating system is not supported with smart tunnel.

On Mac OS, only applications started from the portal page can establish smart tunnel sessions. This requirement includes smart tunnel support for Firefox.Using Firefox to start another instance of Firefox during the first use of a smart tunnel requires the user profile named csco_st. If this user profile is not present, the session prompts the user to create one.

The following limitations apply to smart tunnels:

If the remote computer requires a proxy server to reach the security appliance, the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services. In this configuration, smart tunnels support only basic authentication.

The security appliance does not support the Microsoft Outlook Exchange (MAPI) proxy. Neither the smart tunnel feature nor port forwarding supports MAPI. For Microsoft Outlook Exchange communication using the MAPI protocol, remote users must use AnyConnect.

The smart tunnel auto sign-on feature supports only applications communicating HTTP and HTTPS using the Microsoft WININET library on a Microsoft Windows OS. For example, Microsoft Internet Explorer uses the WININET dynamic linked library to communicate with web servers.

A group policy or local user policy supports no more than one list of applications eligible for smart tunnel access and one list of smart tunnel auto sign-on servers.

A stateful failover does not retain smart tunnel connections. Users must reconnect following a failover.


Note A sudden problem with smart tunnel access may be an indication that a path value is not up-to-date with an application upgrade. For example, the default path to an application typically changes following the acquisition of the company that produces the application and the next upgrade.


Entering a hash provides a reasonable assurance that clientless SSL VPN does not qualify an illegitimate file that matches the string you specified in the path. Because the checksum varies with each version or patch of an application, the hash you enter can only match one version or patch on the remote host. To specify a hash for more than one version of an application, enter the smart-tunnel list command once for each version, entering the same list string, but specifying the unique application string and unique hash value in each command.


Note You must maintain the smart tunnel list in the future if you enter hash values and you want to support future versions or patches of an application with smart tunnel access. A sudden problem with smart tunnel access may be an indication that the application list containing hash values is not up-to-date with an application upgrade. You can avoid this problem by not entering a hash.


Following the configuration of a smart tunnel list, use the smart-tunnel auto-start or smart-tunnel enable command to assign the list to group policies or usernames.

Examples

The following command adds a Microsoft Windows application named connect.exe to a smart tunnel list named apps1:

hostname(config-webvpn)# smart-tunnel list apps1 LotusSametime connect.exe
 
   

The following command adds the Windows application msimn.exe and requires that the hash of the application on the remote host match the last string entered to qualify for smart tunnel access:

hostname(config-webvpn)# smart-tunnel list apps1 OutlookExpress msimn.exe 
4739647b255d3ea865554e27c3f96b9476e75061

The following command provides smart tunnel support for the Mac OS browser Safari:

hostname(config-webvpn)# smart-tunnel list apps1 Safari /Applications/Safari platform mac
 
   
 
   

Related Command

Command
Description

show running-config webvpn smart-tunnel

Displays the smart tunnel configuration on the security appliance.

smart-tunnel auto-start

Starts smart tunnel access automatically upon user login.

smart-tunnel disable

Prevents smart tunnel access.

smart-tunnel enable

Enables smart tunnel access upon user login, but requires the user to start smart tunnel access manually, using the Application Access > Start Smart Tunnels button on the Clientless SSL VPN portal page.


s

smartcard-removal-disconnect

To disconnect or retain an IPsec client session if the smart card is removed from the user's computer, use the smartcard-removal-disconnect command in group-policy configuration mode.

smartcard-removal-disconnect {enable | disable}

To remove the smartcard-removal-disconnect command from the group policy and inherit the setting from the default group-policy, use the no form of the command.

no smartcard-removal-disconnect

Syntax Description

enable

Terminates the IPsec client session if the smart card is removed from the user's computer.

disable

Lets the IPsec client session continue even if the smart card is removed from the user's computer.


Defaults

enable

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group-policy configuration mode


Command History

Release
Modification

7.0(2)

This command was introduced.


Usage Guidelines

By default, the IPsec client session disconnects if the smart card used for authentication is removed. Enter the smartcard-removal-disconnect disable command if you do not want to require users to keep their smart cards in the computer for the duration of the connection.

Examples

The following command lets the client session continue even if the smart card is removed from the user's computer:

hostname(config-group-policy)# smartcard-removal-disconnect disable
hostname(config-group-policy)
 
   

The following command terminates the client session if the smart card is removed from the user's computer:

hostname(config-group-policy)# smartcard-removal-disconnect enable
 
   
 
   

smtp from-address

To specify the e-mail address to use in the E-mail From: field for all e-mails generated by the local CA server (such as distribution of one-time passwords) use the smtp from-address command in CA server configuration mode. To reset the e-mail address to the default, use the no form of this command.

smtp from-address e-mail_address

no smtp from-address

Syntax Description

e-mail_address

Specifies the e-mail address appearing in the From: field of all e-mails generated by the CA server.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CA server configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Examples

The following example specifies that the From: field of all e-mails from the local CA server include ca-admin@asa1-ca.example.com:

hostname(config)# crypto ca server
hostname(config-ca-server)# smtp from-address ca-admin@asa1-ca.example.com
hostname(config-ca-server)# 
 
   

The following example resets the From: field of all e-mails from the local CA server to the default address admin@asa1-ca.example.com:

hostname(config)# crypto ca server
hostname(config-ca-server)# smtp from-address admin@asa1-ca.example.com
hostname(config-ca-server)# 

Related Commands

Command
Description

crypto ca server

Provides access to CA Server Configuration mode CLI command set, which allows you to configure and manage a local CA.

smtp subject

Customizes the text to appear in the subject field of all e-mails generated by the local CA server.


smtp subject

To customize the text that appears in the subject field of all e-mails generated by the local Certificate Authority (CA) server (such as distribution of one-time passwords), use the smtp subject command in CA server configuration mode. To reset the text to the default, use the no form of this command.

smtp subject subject-line

no smtp subject

Syntax Description

subject-line

Specifies the text appearing in the Subj: field of all e-mails sent from the CA server. The maximum number of characters is 127.


Defaults

By default, the text in the Subj: field is "Certificate Enrollment Invitation".

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CA server configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Examples

The following example specifies that the text Action: Enroll for a certificate appear in the Subj: field of all e-mails from the CA server:

hostname(config)# crypto ca server
hostname(config-ca-server)# smtp subject Action: Enroll for a certificate
hostname(config-ca-server)# 
 
   

The following example resets the Subj: field text for all e-mails from the CA server to the default text "Certificate Enrollment Invitation":

hostname(config)# crypto ca server
hostname(config-ca-server)# no smtp subject
hostname(config-ca-server)# 

Related Commands

Command
Description

crypto ca server

Provides access to CA Server Configuration mode CLI command set, which allows you to configure and manage a local CA.

smtp from-address

Specifies the e-mail address to use in the E-mail From: field for all e-mails generated by the local CA server.


smtps

To enter SMTPS configuration mode, use the smtps command in global configuration mode. To remove any commands entered in SMTPS command mode, use the no version of this command. SMTPS is a TCP/IP protocol that lets you to send e-mail over an SSL connection.

smtps

no smtps

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to enter SMTPS configuration mode:

hostname(config)# smtps
hostname(config-smtps)#

Related Commands

Command
Description

clear configure smtps

Removes the SMTPS configuration.

show running-config smtps

Displays the running configuration for SMTPS.


smtp-server

To configure an SMTP server, use the smtp-server command in global configuration mode. To remove the attribute from the configuration, use the no version of this command.

The security appliance includes an internal SMTP client that the Events system can use to notify external entities that a certain event has occurred. You can configure SMTP servers to receive these event notices, and then forward them to specified e-mail addresses. The SMTP facility is active only when you enable E-mail events an the security appliance.

smtp-server {primary_server} [backup_server]

no smtp-server

Syntax Description

primary_server

Identifies the primary SMTP server. Use either an IP address or DNS name

backup_server

Identifies a backup SMTP server to relay event messages in the event the primary SMTP server is unavailable. Use either an IP address or DNS name.


Defaults

No SMTP server is configured by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to set an SMTP server with an IP address of 10.1.1.24, and a backup SMTP server with an IP address of 10.1.1.34:

hostname(config)# smtp-server 10.1.1.24 10.1.1.34
 
   

snmp-map

To identify a specific map for defining the parameters for SNMP inspection, use the snmp-map command in global configuration mode. To remove the map, use the no form of this command.

snmp-map map_name

no snmp-map map_name

Syntax Description

map_name

The name of the SNMP map.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Use the snmp-map command to identify a specific map to use for defining the parameters for SNMP inspection. When you enter this command, the system enters the SNMP map configuration mode, which lets you enter the different commands used for defining the specific map. After defining the SNMP map, you use the inspect snmp command to enable the map. Then you use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.

Examples

The following example shows how to identify SNMP traffic, define a SNMP map, define a policy, and apply the policy to the outside interface.

hostname(config)# access-list snmp-acl permit tcp any any eq 161 
hostname(config)# access-list snmp-acl permit tcp any any eq 162
hostname(config)# class-map snmp-port 
hostname(config-cmap)# match access-list snmp-acl
hostname(config-cmap)# exit
hostname(config)# snmp-map inbound_snmp
hostname(config-snmp-map)# deny version 1
hostname(config-snmp-map)# exit
hostname(config)# policy-map inbound_policy 
hostname(config-pmap)# class snmp-port
hostname(config-pmap-c)# inspect snmp inbound_snmp 
hostname(config-pmap-c)# 
 
   

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

deny version

Disallows traffic using a specific version of SNMP.

inspect snmp

Enables SNMP application inspection.

policy-map

Associates a class map with specific security actions.


snmp-server community

To set the SNMP community string, use the snmp-server community command in global configuration mode. To remove the community string, use the no form of this command.

snmp-server community text

no snmp-server community [text]

Syntax Description

text

Sets the community string.


Defaults

The community string is public.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The SNMP community string is a shared secret among the SNMP management station and the network nodes being managed. The security appliance uses a key to determine whether the incoming SNMP request is valid. For example, you could designate a site with a community string and then configure the routers, security appliance, and the management station with this same string. The security appliance uses this string and does not respond to requests with an invalid community string.

Examples

The following example sets the community string to wallawallabingbang:

hostname(config)# snmp-server community wallawallabingbang
 
   

Related Commands

Command
Description

snmp-server contact

Sets the SNMP contact name.

snmp-server enable

Enables SNMP on the security appliance.

snmp-server enable traps

Enables SNMP traps.

snmp-server host

Sets the SNMP host address.

snmp-server location

Sets the SNMP server location string.


snmp-server contact

To set the SNMP server contact name, use the snmp-server contact command in global configuration mode. To remove the SNMP contact name, use the no form of this command.

snmp-server contact text

no snmp-server contact [text]

Syntax Description

text

Specifies the name of the contact person or the security appliance system administrator. The name is case sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example sets the SNMP server contact as Pat Johnson:

hostname(config)# snmp-server contact Pat Johnson
 
   

Related Commands

Command
Description

snmp-server community

Sets the SNMP community string.

snmp-server enable

Enables SNMP on the security appliance.

snmp-server enable traps

Enables SNMP traps.

snmp-server host

Sets the SNMP host address.

snmp-server location

Sets the SNMP server location string.


snmp-server enable

To enable the SNMP server on the security appliance, use the snmp-server enable command in global configuration mode. To disable the SNMP server, use the no form of this command.

snmp-server enable

no snmp-server enable

Syntax Description

This command has no arguments or keywords.

Defaults

The SNMP server is enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

This command lets you enable and disable SNMP easily, without having to configure and reconfigure the SNMP traps or other configuration.

Examples

The following example enables SNMP, configures the SNMP host and traps, and then sends traps as system messages.

hostname(config)# snmp-server enable
hostname(config)# snmp-server community wallawallabingbang
hostname(config)# snmp-server location Building 42, Sector 54
hostname(config)# snmp-server contact Sherlock Holmes
hostname(config)# snmp-server host perimeter 10.1.2.42
hostname(config)# snmp-server enable traps all
hostname(config)# logging history 7
hostname(config)# logging enable
 
   

Related Commands

Command
Description

snmp-server community

Sets the SNMP community string.

snmp-server contact

Sets the SNMP contact name.

snmp-server enable traps

Enables SNMP traps.

snmp-server host

Sets the SNMP host address.

snmp-server location

Sets the SNMP server location string.


snmp-server enable traps

To enable the security appliance to send traps to the NMS, use the snmp-server enable traps command in global configuration mode. To disable traps, use the no form of this command.

snmp-server enable traps [all | syslog | snmp [trap] [...] | entity [trap] [...] | ipsec [trap] [...] | remote-access [trap]]

no snmp-server enable traps [all | syslog | snmp [trap] [...] | entity [trap] [...] | ipsec [trap] [...] | remote-access [trap]]

Syntax Description

all

Enables all traps.

entity [trap]

Enables entity traps. Traps for entity include:

config-change

fru-insert

fru-remove

ipsec [trap]

Enables IPSec traps. Traps for ipsec include:

start

stop

remote-access [trap]

Enables remote access traps. Traps for remote-access include:

session-threshold-exceeded

snmp [trap]

Enables SNMP traps. By default, all SNMP traps are enabled. Traps for snmp include:

authentication

linkup

linkdown

coldstart

syslog

Enables system log message traps.


Defaults

The default configuration has all snmp traps enabled (snmp-server enable traps snmp authentication linkup linkdown coldstart). You can disable these traps using the no form of this command with the snmp keyword. However, the clear configure snmp-server command restores the default enabling of SNMP traps.

If you enter this command and do not specify a trap type, then the default is syslog. (The default snmp traps continue to be enabled along with the syslog trap.)

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Enter this command for each feature type to enable individual traps or sets of traps, or enter the all keyword to enable all traps.

To send traps to the NMS, enter the logging history command, and enable logging using the logging enable command.

Examples

The following example enables SNMP, configures the SNMP host and traps, and then sends traps as system messages.

hostname(config)# snmp-server enable
hostname(config)# snmp-server community wallawallabingbang
hostname(config)# snmp-server location Building 42, Sector 54
hostname(config)# snmp-server contact Sherlock Holmes
hostname(config)# snmp-server host perimeter 10.1.2.42
hostname(config)# snmp-server enable traps all
hostname(config)# logging history 7
hostname(config)# logging enable
 
   

Related Commands

Command
Description

snmp-server community

Sets the SNMP community string.

snmp-server contact

Sets the SNMP contact name.

snmp-server enable

Enables SNMP on the security appliance.

snmp-server host

Sets the SNMP host address.

snmp-server location

Sets the SNMP server location string.


snmp-server group

To configure a new SNMP group, use the snmp-server group command in global configuration mode. To remove a specified SNMP group, use the no form of this command.

snmp-server group group-name {v3 {auth | noauth | priv}}

no snmp-server group group-name {v3 {auth | noauth | priv}}

Syntax Description

auth

Specifies packet authentication without encryption.

group-name

Specifies the name of the group.

noauth

Specifies no packet authentication.

priv

Specifies packet authentication with encryption.

v3

Specifies that the group is using the SNMP Version 3 security model, which is the most secure of the supported security models. This version allows you to explicitly configure authentication characteristics.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.0(5)

This command was introduced.


Usage Guidelines

To use the Version 3 security model, you must first configure an SNMP group, then configure an SNMP user, and then configure an SNMP host. You must also specify Version 3 and a security level. When a community string is configured internally, two groups with the name "public" are automatically created—one for the Version 1 security model and one for the Version 2c security model. When you delete a community string, both configured groups are automatically deleted.


Note A user that is configured to belong to a certain group should have the same security model as the group.


Examples

The following example show how the security appliance can receive SNMP requests using the SNMP Version 3 security model, which includes creating a group, creating a user, and creating a host:

hostname(config)# snmp-server group v3 vpn-group priv
hostname(config)# snmp-server user admin vpn group v3 auth sha letmein priv 3des cisco123
hostname(config)# snmp-server host mgmt 10.0.0.1 version 3 priv admin
 
   

Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP configuration counters.

snmp-server host

Sets the SNMP host address.

snmp-server user

Creates a new SNMP user.


snmp-server host

To specify the NMS that can use SNMP on the security appliance, use the snmp-server host command in global configuration mode. To disable the NMS, use the no form of this command.

snmp-server host {interface {hostname | ip_address}} [trap | poll] [community  0 | 8 community-string] [version {1 | 2c | 3 username}] [udp-port port]

no snmp-server host {interface {hostname | ip_address}} [trap | poll] [community 0 | 8 community-string] [version {1 | 2c | 3 username}] [udp-port port]

Syntax Description

0

(Optional) Specifies that an unencrypted (clear text) community string will follow.

8

Specifies that an encrypted community string will follow.

community

Specifies that a non-default string is required for requests from the NMS, or when generating traps sent to the NMS. Valid only for SNMP Version 1 or 2c.

community-string

Specifies the password-like community string that is sent with the notification or in a request from the NMS. The community string can have a maximum of 32 characters. Can be in encrypted or unencrypted (clear text) format.

hostname

Specifies the SNMP notification host, which is usually an NMS or SNMP manager.

interface

Specifies the interface name through which the NMS communicates with the security appliance.

ip_address

Specifies the IP address of an NMS to which SNMP traps should be sent or from which the SNMP requests come. Supports only IPv4 addresses.

poll

(Optional) Specifies that the host is allowed to browse (poll), but no traps can be sent.

port

Sets the UDP port number of the NMS host.

trap

(Optional) Specifies that only traps can be sent, and that this host is not allowed to browse (poll).

udp-port

(Optional) Specifies that SNMP traps must be sent to an NMS host on a non-default port.

version {1 | 2c | 3}

(Optional) Sets the SNMP notification version to use for sending traps to Version 1, 2c, or 3.


Defaults

The default UDP port is 162.

The default version is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.

8.0(5)

Support for encrypted passwords was added.


Usage Guidelines

You can specify up to 32 NMSs. If you configure the snmp-server host command on a port that is currently in use, the following message appears:


Warning The UDP port port is in use by another feature. SNMP requests to the device will fail until the snmp-server listen-port command is configured to use a different port.

The existing SNMP thread continues to poll every 60 seconds until the port is available, and issues syslog message %ASA-1-212001 if the port is still in use.

Examples

To use the Version 3 security model, you must configure an SNMP group first, then an SNMP user, and then an SNMP host. The username must already be configured on the device. When a device is configured as the standby unit of a failover pair, the SNMP engine ID and user configuration are replicated from the active unit. This action allows a transparent switchover from an SNMP Version 3 query perspective. No configuration changes are necessary in the NMS to accommodate a switchover event.

After you have used an encrypted community string, only the encrypted form is visible to all systems (for example, CLI, ASDM, CSM, and so on). The clear text password is not visible.

The encrypted community string is always generated by the security appliance; you normally enter the clear text form.

During bootup or upgrade of the security appliance, single-digit passwords and passwords starting with a digit followed by a whitespace are no longer supported. For example, 0 pass and 1 are invalid passwords.


Note If you downgrade from version 8.0(5) to a lower version of the security appliance software and have configured encrypted passwords, you must first revert the encrypted passwords to clear text using the no key config-key password encryption command, then save the results.


The following example sets the host to 10.1.2.42 attached to the perimeter interface:

hostname(config)# snmp-server host perimeter 10.1.2.42
 
   

The following example show how the security appliance can receive SNMP requests using the SNMP Version 3 security model, which includes creating a group, creating a user, and creating a host:

hostname(config)# snmp-server group v3 vpn-group priv
hostname(config)# snmp-server user admin vpn group v3 auth sha letmein priv 3des cisco123
hostname(config)# snmp-server host mgmt 10.0.0.1 version 3 priv admin
 
   

The following example sets the host to use an encrypted community string:

hostname(config)# snmp-server host mgmt 1.2.3.4 community 8 LvAu+JdFG+GjPmZYlKvAhXpb28E=
 
   

The following example sets the host to use an unencrypted community string:

hostname(config)# snmp-server host mgmt 1.2.3.4 community 0 cisco
 
   

Related Commands

Command
Description

snmp-server community

Sets the SNMP community string.

snmp-server contact

Sets the SNMP contact name.

snmp-server enable

Enables SNMP on the security appliance.

snmp-server enable traps

Enables SNMP traps.

snmp-server location

Sets the SNMP server location string.


snmp-server listen-port

To set the listening port for SNMP requests, use the snmp-server listen-port command in global configuration mode. To restore the default port, use the no form of the command.

snmp-server listen-port lport

no snmp-server listen-port lport

Syntax Description

lport

The port on which incoming requests will be accepted. The default port is 1611 .

1 The snmp-server listen-port command is only available in admin context, and is not available in the system context.


Defaults

The default port is 161.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

If you configure the snmp-server listen-port command on a port that is currently in use, the following message appears:


Warning The UDP port port is in use by another feature. SNMP requests to the device will fail until the snmp-server listen-port command is configured to use a different port.

The existing SNMP thread continues to poll every 60 seconds until the port is available, and issues syslog message %ASA-1-212001 if the port is still in use.

Examples

The following example sets the listening port to 192:

hostname(config)# snmp-server listen-port 192
 
   

Related Commands

Command
Description

snmp-server community

Sets the SNMP community string.

snmp-server contact

Sets the SNMP contact name.

snmp-server enable

Enables SNMP on the security appliance.

snmp-server enable traps

Enables SNMP traps.

snmp-server location

Sets the SNMP server location string.


snmp-server location

To set the security appliance location for SNMP, use the snmp-server location command in global configuration mode. To remove the location, use the no form of this command.

snmp-server location text

no snmp-server location [text]

Syntax Description

location text

Specifies the security appliance location. The location text is case sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example sets the security appliance location for SNMP as Building 42, Sector 54:

hostname(config)# snmp-server location Building 42, Sector 54
 
   

Related Commands

Command
Description

snmp-server community

Sets the SNMP community string.

snmp-server contact

Sets the SNMP contact name.

snmp-server enable

Enables SNMP on the security appliance.

snmp-server enable traps

Enables SNMP traps.

snmp-server host

Sets the SNMP host address.


snmp-server user

To configure a new SNMP user, use the snmp-server user command in global configuration mode. To remove a specified SNMP user, use the no form of this command.

snmp-server user username group-name {v3 [encrypted] [auth {md5 | sha} auth-password]} [priv {des | 3des | aes {128 | 192 | 256}} priv-password]

no snmp-server user username group-name {v3 [encrypted] [auth {md5 | sha} auth-password]} [priv {des | 3des | aes {128 | 192 | 256}} priv-password]

Syntax Description

128

(Optional) Specifies the use of the 128-bit AES algorithm for encryption.

192

(Optional) Specifies the use of the 192-bit AES algorithm for encryption.

256

(Optional) Specifies the use of the 256-bit AES algorithm for encryption.

3des

(Optional) Specifies the use of the 168-bit 3DES algorithm for encryption.

aes

(Optional) Specifies the use of the AES algorithm for encryption.

auth

(Optional) Specifies which authentication level should be used.

auth-password

(Optional) Specifies a string that enables the agent to receive packets from the host. The minimum length is one character; the recommended length is at least eight characters, and should include letters and numbers. The maximum length is 64 characters. You can specify a plain-text password or a localized MD5 digest. If you have the localized MD5 or SHA digest, you can specify that string instead of the plain-text password. The digest should be formatted as aa:bb:cc:dd, where aa, bb, and cc are hexadecimal values. The digest should be exactly 16 octets long.

des

(Optional) Specifies the use of the 56-bit DES algorithm for encryption.

encrypted

(Optional) Specifies whether or not the password appears in encrypted format. Encrypted passwords must be in hexadecimal format.

group-name

Specifies the name of the group to which the user belongs.

md5

(Optional) Specifies the HMAC-MD5-96 authentication level.

priv

Specifies packet authentication with encryption.

priv-password

(Optional) Specifies a string that indicates the privacy user password. The minimum length is one character; the recommended length is at least eight characters, and should include letters and numbers. The maximum length is 64 characters. You can specify a plain-text password or a localized MD5 digest. If you have the localized MD5 or SHA digest, you can specify that string instead of the plain-text password. The digest should be formatted as aa:bb:cc:dd, where aa, bb, and cc are hexadecimal values. The digest should be exactly 16 octets long.

sha

(Optional) Specifies the HMAC-SHA-96 authentication level.

username

Specifies the name of the user on the host that connects to the agent.

v3

Specifies that the SNMP Version 3 security model should be used. Allows the use of the encrypted, priv, or auth keywords.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.0(5)

This command was introduced.


Usage Guidelines

An SNMP user must be part of an SNMP group. To use the Version 3 security model, you must first configure an SNMP group, then configure an SNMP user, and then configure an SNMP host.


Note If you forget a password, you cannot recover it, and must reconfigure the user.


When the snmp-server user configuration is displayed on the console or written to a file (for example, the startup-configuration file), the localized authentication and privacy digests always appear instead of a plain-text password. This usage is required by RFC 3414, Section 11.2.


Note You must have a 3DES or AES feature license to configure users with the 3DES or AES algorithm.


During bootup or upgrade of the security appliance, single-digit passwords and passwords starting with a digit followed by a whitespace are no longer supported. For example, 0 pass and 1 are invalid passwords.

Examples

The following example show how the security appliance can receive SNMP requests using the SNMP Version 3 security model:

hostname(config)# snmp-server group engineering v3 auth 
hostname(config)# snmp-server user engineering v3 auth sha mypassword
 
   

Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP server configuration.

snmp-server enable

Enables SNMP on the security appliance.

snmp-server group

Creates a new SNMP group.

snmp-server host

Sets the SNMP host address.


software-version

To identify the Server and User-Agent header fields, which expose the software version of either a server or an endpoint, use the software-version command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.

software-version action {mask | log} [log}

no software-version action {mask | log} [log}

Syntax Description

mask

Masks the software version in the SIP message.

log

Specifies standalone or additional log in case of violation.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Examples

The following example shows how to identify the software version in a SIP inspection policy map:

hostname(config)# policy-map type inspect sip sip_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# software-version action log
 
   

Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Display all current policy map configurations.


speed

To set the speed of a copper (RJ-45) Ethernet interface, use the speed command in interface configuration mode. To restore the speed setting to the default, use the no form of this command.

speed {auto | 10 | 100 | 1000 | nonegotiate}

no speed [auto | 10 | 100 | 1000 | nonegotiate]

Syntax Description

10

Sets the speed to 10BASE-T.

100

Sets the speed to 100BASE-T.

1000

Sets the speed to 1000BASE-T. For copper Gigabit Ethernet only.

auto

Auto detects the speed.

nonegotiate

For fiber interfaces, sets the speed to 1000 Mbps and does not negotiate link parameters. This command and the no form of this command are the only settings available for fiber interfaces. When you set the value to no speed nonegotiate (the default), the interface enables link negotiation, which exchanges flow-control parameters and remote fault information.


Defaults

For copper interfaces, the default is speed auto.

For fiber interfaces, the default is no speed nonegotiate.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was moved from a keyword of the interface command to an interface configuration mode command.


Usage Guidelines

Set the speed on the physical interface only.

If your network does not support auto detection, set the speed to a specific value.

For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

If you set the speed to anything other than auto on PoE ports, if available, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.

Examples

The following example sets the speed to 1000BASE-T:

hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
 
   

Related Commands

Command
Description

clear configure interface

Clears all configuration for an interface.

duplex

Sets the duplex mode.

interface

Configures an interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.

show running-config interface

Shows the interface configuration.


split-dns

To enter a list of domains to be resolved through the split tunnel, use the split-dns command in group-policy configuration mode. To delete a list, use the no form of this command.

To delete all split tunneling domain lists, use the no split-dns command without arguments. This deletes all configured split tunneling domain lists, including a null list created by issuing the split-dns none command.

When there are no split tunneling domain lists, users inherit any that exist in the default group policy. To prevent users from inheriting such split tunneling domain lists, use the split-dns none command.

split-dns {value domain-name1 domain-name2 domain-nameN | none}

no split-dns [domain-name domain-name2 domain-nameN]

Syntax Description

value domain-name

Provides a domain name that the security appliance resolves through the split tunnel.

none

Indicates that there is no split DNS list. Sets a split DNS list with a null value, thereby disallowing a split DNS list. Prevents inheriting a split DNS list from a default or specified group policy.


Defaults

Split DNS is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Use a single space to separate each entry in the list of domains. There is no limit on the number of entries, but the entire string can be no longer than 255 characters. You can use only alphanumeric characters, hyphens (-), and periods (.).

The no split-dns command, when used without arguments, deletes all current values, including a null value created by issuing the split-dns none command.

Neither the AnyConnect VPN Client nor the SSL VPN Client supports split DNS.

Examples

The following example shows how to configure the domains Domain1, Domain2, Domain3 and Domain4 to be resolved through split tunneling for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-dns value Domain1 Domain2 Domain3 Domain4

Related Commands

Command
Description

default-domain

Specifies a default domain name that he IPSec client uses the for DNS queries that omit the domain field.

split-dns

Provides a list of domains to be resolved through the split tunnel.

split-tunnel-network-list

Identifies the access list the security appliance uses to distinguish networks that require tunneling and those that do not.

split-tunnel-policy

Lets an IPSec client conditionally direct packets over an IPSec tunnel in encrypted form, or to a network interface in cleartext form


split-horizon

To reenable EIGRP split horizon, use the split-horizon command in interface configuration mode. To disable EIGRP split horizon, use the no form of this command.

split-horizon eigrp as-number

no split-horizon eigrp as-number

Syntax Description

as-number

The autonomous system number of the EIGRP routing process.


Defaults

The split-horizon command is enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

For networks that include links over X.25 packet-switched networks, you can use the neighbor command to defeat the split horizon feature. As an alternative, you can explicitly specify the no split-horizon eigrp command in your configuration. However, if you do so, you must similarly disable split horizon for all routers and access servers in any relevant multicast groups on that network.

In general, it is best that you not change the default state of split horizon unless you are certain that your application requires the change in order to properly advertise routes. If split horizon is disabled on a serial interface and that interface is attached to a packet-switched network, you must disable split horizon for all routers and access servers in any relevant multicast groups on that network.

Examples

The following example disables EIGRP split horizon on interface Ethernet0/0:

hostname(config)# interface Ethernet0/0
hostname(config-if)# no split-horizon eigrp 100
 
   

Related Commands

Command
Description

router eigrp

Creates an EIGRP routing process and enters configuration mode for that process.


split-tunnel-network-list

To create a network list for split tunneling, use the split-tunnel-network-list command in group-policy configuration mode. To delete a network list, use the no form of this command.

To delete all split tunneling network lists, use the no split-tunnel-network-list command without arguments. This deletes all configured network lists, including a null list created by issuing the split-tunnel-network-list none command.

When there are no split tunneling network lists, users inherit any network lists that exist in the default or specified group policy. To prevent users from inheriting such network lists, use the split-tunnel-network-list none command.

Split tunneling network lists distinguish networks that require traffic to travel across the tunnel from those that do not require tunneling.

split-tunnel-network-list {value access-list name | none}

no split-tunnel-network-list value [access-list name]

Syntax Description

value access-list name

Identifies an access list that enumerates the networks to tunnel or not tunnel.

none

Indicates that there is no network list for split tunneling; the security appliance tunnels all traffic.

Sets a split tunneling network list with a null value, thereby disallowing split tunneling. Prevents inheriting a default split tunneling network list from a default or specified group policy.


Defaults

By default, there are no split tunneling network lists.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The security appliance makes split tunneling decisions on the basis of a network list, which is a standard ACL that consists of a list of addresses on the private network.

The no split-tunnel-network-list command, when used without arguments, deletes all current network lists, including a null value created by issuing the split-tunnel-network-list none command.

Examples

The following example shows how to set a network list called FirstList for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-tunnel-network-list FirstList

Related Commands

Command
Description

access-list

Creates an access list, or uses a downloadable access list.

default-domain

Specifies a default domain name that he IPSec client uses the for DNS queries that omit the domain field.

split-dns

Provides a list of domains to be resolved through the split tunnel.

split-tunnel-policy

Lets an IPSec client conditionally direct packets over an IPSec tunnel in encrypted form, or to a network interface in cleartext form.


split-tunnel-policy

To set a split tunneling policy, use the split-tunnel-policy command in group-policy configuration mode. To remove the split-tunnel-policy attribute from the running configuration, use the no form of this command. This enables inheritance of a value for split tunneling from another group policy.

Split tunneling lets a remote-access IPSec client conditionally direct packets over an IPSec tunnel in encrypted form, or to a network interface in cleartext form. With split-tunneling enabled, packets not bound for destinations on the other side of the IPSec tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination.

This command applies this split tunneling policy to a specific network.

split-tunnel-policy {tunnelall | tunnelspecified | excludespecified}

no split-tunnel-policy

Syntax Description

excludespecified

Defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN Client.

split-tunnel-policy

Indicates that you are setting rules for tunneling traffic.

tunnelall

Specifies that no traffic goes in the clear or to any other destination than the security appliance. Remote users reach internet networks through the corporate network and do not have access to local networks.

tunnelspecified

Tunnels all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear, and is routed by the remote user's internet service provider.


Defaults

Split tunneling is disabled by default, which is tunnelall.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Split tunneling is primarily a traffic management feature, not a security feature. In fact, for optimum security, we recommend that you not enable split tunneling.

Examples

The following example shows how to set a split tunneling policy of tunneling only specified networks for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-tunnel-policy tunnelspecified 

Related Commands

Command
Description

default-domain

Specifies a default domain name that he IPSec client uses the for DNS queries that omit the domain field.

split-dns

Provides a list of domains to be resolved through the split tunnel.

split-tunnel-network-list none

Indicates that no access list exists for split tunneling. All traffic travels across the tunnel.

split-tunnel-network-list value

Identifies the access list the security appliance uses to distinguish networks that require tunneling and those that do not.


spoof-server

To substitute a string for the server header field for HTTP protocol inspection, use the spoof-server command in parameters configuration mode. To disable this feature, use the no form of this command.

spoof-server string

no spoof-server string

Syntax Description

string

String to substitute for the server header field. 82 characters maximum.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

WebVPN streams are not subject to the spoof-server comand.

Examples

The following example shows how to substitute a string for the server header field in an HTTP inspection policy map:

hostname(config-pmap-p)# spoof-server string
 
   

Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Display all current policy map configurations.


sq-period

To specify the interval between each successful posture validation in a NAC Framework session and the next query for changes in the host posture, use the sq-period command in nac-policy-nac-framework configuration mode. To remove the command from the NAC policy, use the no form of this command.

sq-period seconds

no sq-period [seconds]

Syntax Description

seconds

Number of seconds between each successful posture validation. The range is 30 to 1800.


Defaults

The default value is 300.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

nac-policy-nac-framework configuration


Command History

Release
Modification

7.3(0)

"nac-" removed from command name. Command moved from group-policy configuration mode to nac-policy-nac-framework configuration mode.

7.2(1)

This command was introduced.


Usage Guidelines

The security appliance starts the status query timer after each successful posture validation and status query response. The expiration of this timer triggers a query for changes in the host posture, referred to as a status query.

Examples

The following example changes the value of the status query timer to 1800 seconds:

hostname(config-nac-policy-nac-framework)# sq-period 1800
hostname(config-nac-policy-nac-framework)
 
   

The following example removes the status query timer from the NAC Framework policy:

hostname(config-nac-policy-nac-framework)# no sq-period
hostname(config-nac-policy-nac-framework)
 
   

Related Commands

Command
Description

nac-policy

Creates and accesses a Cisco NAC policy, and specifies its type.

nac-settings

Assigns a NAC policy to a group policy.

eou timeout

Changes the number of seconds to wait after sending an EAP over UDP message to the remote host in a NAC Framework configuration.

reval-period

Specifies the interval between each successful posture validation in a NAC Framework session.

debug eap

Enables logging of Extensible Authentication Protocol events to debug NAC Framework messaging.


ssh

To add SSH access to the security appliance, use the ssh command in global configuration mode. To disable SSH access to the security appliance, use the no form of this command. This command supports IPv4 and IPv6 addresses.

ssh {ip_address mask | ipv6_address/prefix} interface

no ssh {ip_address mask | ipv6_address/prefix} interface

Syntax Description

interface

The security appliance interface on which SSH is enabled. If not specified, SSH is enabled on all interfaces except the outside interface.

ip_address

IPv4 address of the host or network authorized to initiate an SSH connection to the security appliance. For hosts, you can also enter a host name.

ipv6_address/prefix

The IPv6 address and prefix of the host or network authorized to initiate an SSH connection to the security appliance.

mask

Network mask for ip_address.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The ssh ip_address command specifies hosts or networks that are authorized to initiate an SSH connection to the security appliance. You can have multiple ssh commands in the configuration. The no form of the command removes a specific SSH command from the configuration. Use the clear configure ssh command to remove all SSH commands.

Before you can begin using SSH to the security appliance, you must generate a default RSA key using the crypto key generate rsa command.

The following security algorithms and ciphers are supported on the security appliance:

3DES and AES ciphers for data encryption

HMAC-SHA and HMAC-MD5 algorithms for packet integrity

RSA public key algorithm for host authentication

Diffie-Hellman Group 1 algorithm for key exchange

The following SSH Version 2 features are not supported on the security appliance:

X11 forwarding

Port forwarding

SFTP support

Kerberos and AFS ticket passing

Data compression

Examples

The following example shows how to configure the inside interface to accept SSH version 2 connections from a management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.

hostname(config)# ssh 10.1.1.1 255.255.255.0 inside
hostname(config)# ssh version 2
hostname(config)# ssh copy enable
hostname(config)# ssh timeout 60
 
   

Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

crypto key generate rsa

Generates RSA key pairs for identity certificates.

debug ssh

Displays debug information and error messages for SSH commands.

show running-config ssh

Displays the current SSH commands in the running configuration.

ssh scopy enable

Enables a secure copy server on the security appliance.

ssh version

Restricts the security appliance to using either SSH Version 1 or SSH Version 2.


ssh disconnect

To disconnect an active SSH session, use the ssh disconnect command in privileged EXEC mode.

ssh disconnect session_id

Syntax Description

session_id

Disconnects the SSH session specified by the ID number.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

You must specify a session ID. Use the show ssh sessions command to obtain the ID of the SSH session you want to disconnect.

Examples

The following example shows an SSH session being disconnected:

hostname# show ssh sessions
SID Client IP       Version Mode Encryption Hmac     State           Username
0   172.69.39.39    1.99    IN   aes128-cbc md5      SessionStarted  pat
                            OUT  aes128-cbc md5      SessionStarted  pat
1   172.23.56.236   1.5     -    3DES       -        SessionStarted  pat
2   172.69.39.29    1.99    IN   3des-cbc   sha1     SessionStarted  pat
                            OUT  3des-cbc   sha1     SessionStarted  pat
hostname# ssh disconnect 2
hostname# show ssh sessions
SID Client IP       Version Mode Encryption Hmac     State           Username
0   172.69.39.29    1.99    IN   aes128-cbc md5      SessionStarted  pat
                            OUT  aes128-cbc md5      SessionStarted  pat
1   172.23.56.236   1.5     -    3DES       -        SessionStarted  pat
 
   

Related Commands

Command
Description

show ssh sessions

Displays information about active SSH sessions to the security appliance.

ssh timeout

Sets the timeout value for idle SSH sessions.


ssh scopy enable

To enable Secure Copy (SCP) on the security appliance, use the ssh scopy enable command in global configuration mode. To disable SCP, use the no form of this command.

ssh scopy enable

no ssh scopy enable

Syntax Description

This command has no keywords or arguments.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

SCP is a server-only implementation; it will be able to accept and terminate connections for SCP but can not initiate them. The security appliance has the following restrictions:

There is no directory support in this implementation of SCP, limiting remote client access to the security appliance internal files.

There is no banner support when using SCP.

SCP does not support wildcards.

The security appliance license must have the VPN-3DES-AES feature to support SSH version 2 connections.

Before initiating the file transfer, the security appliance check available Flash memory. If there is not enough available space, the security appliance terminates the SCP connection. If you are overwriting a file in Flash memory, you still need to have enough free space for the file being copied to the security appliance. The SCP process copies the file to a temporary file first, then copies the temporary file over the file being replaced. If you do not have enough space in Flash to hold the file being copied and the file being overwritten, the security appliance terminates the SCP connection.

Examples

The following example shows how to configure the inside interface to accept SSH Version 2 connections from a management console with the IP address, 10.1.1.1. The idle session timeout is set to 60 minutes, and SCP is enabled.

hostname(config)# ssh 10.1.1.1 255.255.255.0 inside
hostname(config)# ssh version 2
hostname(config)# ssh scopy enable
hostname(config)# ssh timeout 60
 
   

Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

debug ssh

Displays debug information and error messages for SSH commands.

show running-config ssh

Displays the current SSH commands in the running configuration.

ssh

Allows SSH connectivity to the security appliance from the specified client or network.

ssh version

Restricts the security appliance to using either SSH Version 1 or SSH Version 2.


ssh timeout

To change the default SSH session idle timeout value, use the ssh timeout command in global configuration mode. To restore the default timeout value, use the no form of this command.

ssh timeout number

no ssh timeout

Syntax Description

number

Specifies the duration in minutes that an SSH session can remain inactive before being disconnected. Valid values are from 1 to 60 minutes.


Defaults

The default session timeout value is 5 minutes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The ssh timeout command specifies the duration in minutes that a session can be idle before being disconnected. The default duration is 5 minutes.

Examples

The following example shows how to configure the inside interface to accept only SSH version 2 connections from a management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.

hostname(config)# ssh 10.1.1.1 255.255.255.0 inside
hostname(config)# ssh version 2
hostname(config)# ssh copy enable
hostname(config)# ssh timeout 60
 
   

Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

show running-config ssh

Displays the current SSH commands in the running configuration.

show ssh sessions

Displays information about active SSH sessions to the security appliance.

ssh disconnect

Disconnects an active SSH session.


ssh version

To restrict the version of SSH accepted by the security appliance, use the ssh version command in global configuration mode. To restore the default value, use the no form of this command. The default values permits SSH Version 1 and SSH Version 2 connections to the security appliance.

ssh version {1 | 2}

no ssh version [1 | 2]

Syntax Description

1

Specifies that only SSH Version 1 connections are supported.

2

Specifies that only SSH Version 2 connections are supported.


Defaults

By default, both SSH Version 1 and SSH Version 2 are supported.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

1 and 2 specify which version of SSH the security appliance is restricted to using. The no form of the command returns the security appliance to the default stance, which is compatible mode (both version can be used).

Examples

The following example shows how to configure the inside interface to accept SSH Version 2 connections from a management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.

hostname(config)# ssh 10.1.1.1 255.255.255.0 inside
hostname(config)# ssh version 2
hostname(config)# ssh copy enable
hostname(config)# ssh timeout 60
 
   

Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

debug ssh

Displays debug information and error messages for SSH commands.

show running-config ssh

Displays the current SSH commands in the running configuration.

ssh

Allows SSH connectivity to the security appliance from the specified client or network.


ssl certificate-authentication

To enable client certificate authentication, use the ssl certificate-authentication command in global configuration mode. To disable ssl certificate authentication, use the no version of this command.

ssl certificate-authentication interface interface-name port port-number

no ssl certificate-authentication interface interface-name port port-number

Syntax Description

interface-name

The name of the selected interface, such as inside, management, and outside.

port-number

The TCP port number, an integer in the range 1-65535.


Defaults

This feature is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.0(3)

This command was introduced.


Usage Guidelines

This command replaces the deprecated http authentication-certificate command.

Examples

The following example shows how to configure the security appliance to use the SSL certificate authentication feature:

hostname(config)# ssl certificate-authentication interface inside port 330

Related Commands

Command
Description

show running-config ssl

Displays the current set of configured SSL commands.


ssl client-version

To specify the SSL/TLS protocol version the security appliance uses when acting as a client, use the ssl client-version command in global configuration mode. To revert to the default, any, use the no version of this command. This command lets you restrict the versions of SSL/TLS that the security appliance sends.

ssl client-version [any | sslv3-only | tlsv1-only]

no ssl client-version

Syntax Description

any

The security appliance sends SSL version3 hellos, and negotiates either SSL version 3 or TLS version 1.

sslv3-only

The security appliance sends SSL version 3 hellos, and accepts only SSL version 3.

tlsv1-only

The security appliance sends TLSv1 client hellos, and accepts only TLS version 1.


Defaults

The default value is any.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

TCP Port Forwarding does not work when a WebVPN user connects with some SSL versions, as follows:

Negotiate SSLv3

Java downloads

Negotiate SSLv3/TLSv1

Java downloads

Negotiate TLSv1

Java does NOT download

TLSv1Only

Java does NOT download

SSLv3Only

Java does NOT download



The issue is that JAVA only negotiates SSLv3 in the client Hello packet when you launch the Port Forwarding application.

Examples

The following example shows how to configure the security appliance to communicate using only TLSv1 when acting as an SSL client:

hostname(config)# ssl client-version tlsv1-only

Related Commands

Command
Description

clear config ssl

Removes all SSL commands from the configuration, reverting to the default values.

ssl encryption

Specifies the encryption algorithms that the SSL/TLS protocol uses.

show running-config ssl

Displays the current set of configured SSL commands.

ssl server-version

Specifies the SSL/TLS protocol version the security appliance uses when acting as a server.

ssl trust-point

Specifies the certificate trust point that represents the SSL certificate for an interface.


ssl encryption

To specify the encryption algorithms that the SSL/TLS protocol uses, use the ssl encryption command in global configuration mode. Issuing the command again overwrites the previous setting. The ordering of the algorithms determines preference for their use. You can add or remove algorithms to meet the needs of your environment. To restore the default, which is the complete set of encryption algorithms, use the no version of the command.

ssl encryption [3des-sha1] [des-sha1] [rc4-md5] [aes128-sha1] [aes256-sha1] [possibly others]

no ssl encryption

Syntax Description

3des-sha1

Specifies triple DES encryption with Secure Hash Algorithm 1.

des-sha1

Specifies DES encryption with Secure Hash Algorithm 1.

rc4-md5

Specifies RC4 encryption with an MD5 hash function.

aes128-sha1

Specifies triple AES 128-bit encryption with Secure Hash Algorithm 1.

aes256-sha1

Specifies triple AES 256-bit encryption with Secure Hash Algorithm 1.

possibly others

Indicates that more encryption algorithms may be added in future releases.


Defaults

The default is to have all algorithms available in the following order:

[ssl encryption] [rc4-sha1] [aes128-sha1] [aes256-sha1] [3des-sha1]

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The ASDM License tab reflects the maximum encryption the license supports, not the value you configure.

Examples

The following example shows how to configure the security appliance to use the 3des-sha1 and des-sha1 encryption algorithms:

hostname(config)# ssl encryption 3des-sha1 des-sha1

Related Commands

Command
Description

clear config ssl

Removes all SSL commands from the configuration, reverting to the default values.

show running-config ssl

Displays the current set of configured SSL commands.

ssl client-version

Specifies the SSL/TLS protocol version the security appliance uses when acting as a client.

ssl server-version

Specifies the SSL/TLS protocol version the security appliance uses when acting as a server.

ssl trust-point

Specifies the certificate trust point that represents the SSL certificate for an interface.


ssl server-version

To specify the SSL/TLS protocol version the security appliance uses when acting as a server, use the ssl server-version command in global configuration mode. To revert to the default, any, use the no version of this command. This command lets you restrict the versions of SSL/TSL that the security appliance accepts.

ssl server-version [any | sslv3 | tlsv1 | sslv3-only | tlsv1-only]

no ssl server-version

Syntax Description

any

The security appliance accepts SSL version 2 client hellos, and negotiates either SSL version 3 or TLS version 1.

sslv3

The security appliance accepts SSL version 2 client hellos, and negotiates to SSL version 3.

sslv3-only

The security appliance accepts only SSL version 3 client hellos, and uses only SSL version 3.

tlsv1

The security appliance accepts SSL version 2 client hellos, and negotiates to TLS version 1.

tlsv1-only

The security appliance accepts only TLSv1 client hellos, and uses only TLS version 1.


Defaults

The default value is any.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

TCP Port Forwarding does not work when a WebVPN user connects with some SSL versions, as follows:

Negotiate SSLv3

Java downloads

Negotiate SSLv3/TLSv1

Java downloads

Negotiate TLSv1

Java does NOT download

TLSv1Only

Java does NOT download

SSLv3Only

Java does NOT download


If you configure e-mail proxy, do not set thhe SSL version to TLSv1 Only. Outlook and Outlook Express do not support TLS.

Examples

The following example shows how to configure the security appliance to communicate using only TLSv1 when acting as an SSL server:

hostname(config)# ssl server-version tlsv1-only
 
   

Related Commands

Command
Description

clear config ssl

Removes all ssl commands from the configuration, reverting to the default values.

show running-config ssl

Displays the current set of configured ssl commands.

ssl client-version

Specifies the SSL/TLS protocol version the security appliance uses when acting as a client.

ssl encryption

Specifies the encryption algorithms that the SSL/TLS protocol uses.

ssl trust-point

Specifies the certificate trust point that represents the SSL certificate for an interface.


ssl trust-point

To specify the certificate trustpoint that represents the SSL certificate for an interface, use the ssl trust-point command with the interface argument in global configuration mode. If you do not specify an interface, this command creates the fallback trustpoint for all interfaces that do not have a trustpoint configured. To remove an SSL trustpoint from the configuration that does not specify an interface, use the no version of this command. To remove an entry that does specify an interface, use the no ssl trust-point {trustpoint [interface]} version of the command.

ssl trust-point {trustpoint [interface]}

no ssl trust-point

Syntax Description

interface

The name for the interface to which the trustpoint applies. The nameif command specifies the name of the interface.

trustpoint

The name of the CA trustpoint as configured in the crypto ca trustpoint {name} command.


Defaults

The default is no trustpoint association. The security appliance uses the default self-generated RSA key-pair certificate.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Observe these guidelines when using this command:

The value for trustpoint must be the name of the CA trustpoint as configured in the crypto ca trustpoint {name} command.

The value for interface must be the nameif name of a previously configured interface.

Removing a trustpoint also removes any ssl trust-point entries that reference that trustpoint.

You can have one ssl trustpoint entry for each interface and one that specifies no interfaces.

You can reuse the same trustpoint for multiple entries.

The following example explains how to use the no versions of this command:

The configuration includes these SSL trustpoints:

ssl trust-point tp1

ssl trust-point tp2 outside

Issue the command:

no ssl trust-point

Then show run ssl will have:

ssl trust-point tp2 outside

Examples

The following example shows how to configure an ssl trustpoint called FirstTrust for the inside interface, and a trustpoint called DefaultTrust with no associated interface.

hostname(config)# ssl trust-point FirstTrust inside
hostname(config)# ssl trust-point DefaultTrust

The next example shows how to use the no version of the command to delete a trustpoint that has no associated interface:

hostname(config)# show running-configuration ssl
ssl trust-point FirstTrust inside
ssl trust-point DefaultTrust
hostname(config)# no ssl trust-point
hostname(config)# show running-configuration ssl
ssl trust-point FirstTrust inside
 
   

The next example shows how to delete a trustpoint that does have an associated interface:

hostname(config)# show running-configuration ssl
ssl trust-point FirstTrust inside
ssl trust-point DefaultTrust
hostname(config)# no ssl trust-point FirstTrust inside
hostname(config)# show running-configuration ssl
ssl trust-point DefaultTrust
 
   

Related Commands

Command
Description

clear config ssl

Removes all SSL commands from the configuration, reverting to the default values.

show running-config ssl

Displays the current set of configured SSL commands.

ssl client-version

Specifies the SSL/TLS protocol version the security appliance uses when acting as a client.

ssl encryption

Specifies the encryption algorithms that the SSL/TLS protocol uses.

ssl server-version

Specifies the SSL/TLS protocol version the security appliance uses when acting as a server.


sso-server

To create a Single Sign-On (SSO) server for security appliance user authentication, use the sso-server command in webvpn configuration mode. With this command, you must specify the SSO server type.

To remove an SSO server, use the no form of this command.

sso-server name type [siteminder | saml-v1.1-post ]

no sso-server name


Note This command is required for SSO authentication.


Syntax Description

Syntax DescriptionSyntax Description

name

Specifies the name of the SSO server. Minimum of 4 characters and maximum of 31 characters.

saml-v1.1-post

Specifies that the security appliance SSO server being configured is a SAML, Version 1.1, SSO server of the POST type.

siteminder

Specifies that the security appliance SSO server being configured is a Computer Associates SiteMinder SSO server.

type

Specifies the type of SSO server. SiteMinder and SAML-V1.1-POST are the only types available.


Defaults

There is no default value or behavior.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The sso-server command lets you create an SSO server.

In the authentication, the security appliance acts as a proxy for the WebVPN user to the SSO server. The security appliance currently supports the SiteMinder SSO server (formerly Netegrity SiteMinder) and the SAML POST-type SSO server. Currently, the available arguments for the type option are restricted to siteminder or saml-V1.1-post.

Examples

The following example, entered in webvpn configuration mode, creates a SiteMinder-type SSO server named "example1":

hostname(config)# webvpn
hostname(config-webvpn)# sso-server example1 type siteminder
hostname(config-webvpn-sso-siteminder)#
 
   

The following example, entered in webvpn configuration mode, creates a SAML, Version 1.1, POST-type SSO server named "example2":

hostname(config)# webvpn
hostname(config-webvpn)# sso-server example2 type saml-v1.1-post
hostname(config-webvpn-sso-saml)#
 
   

Related Commands

Command
Description

assertion-consumer-url

Identifies the URL for the SAML-type SSO assertion consumer service.

issuer

Specifies the SAML-type SSO server's security device name.

max-retry-attempts

Configures the number of times the security appliance retries a failed SSO authentication attempt.

policy-server-secret

Creates a secret key used to encrypt authentication requests to a SiteMinder SSO server.

request-timeout

Specifies the number of seconds before a failed SSO authentication attempt times out.

show webvpn sso-server

Displays the operating statistics for an SSO server.

test sso-server

Tests an SSO server with a trial authentication request.

trustpoint

Specifies a trustpoint name that contains the certificate to use to sign the SAML-type browser assertion

web-agent-url

Specifies the SSO server URL to which the security appliance makes SiteMinder SSO authentication requests.


sso-server value (group-policy webvpn)

To assign an SSO server to a group policy, use the sso-server value command in webvpn configuration mode available in group-policy configuration mode.

To remove the assignment and use the default policy, use the no form of this command.

To prevent inheriting the default policy, use the sso-server none command.

sso-server {value name | none}

[no] sso-server value name

Syntax Description

Syntax DescriptionSyntax Description

name

Specifies the name of the SSO server being assigned to the group policy.


Defaults

The default policy assigned to the group is DfltGrpPolicy.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group-policy webvpn configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

The sso-server value command, when entered in group-policy webvpn mode, lets you assign an SSO server to a group policy.

Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The security appliance currently supports the SiteMinder-type of SSO server and the SAML POST-type SSO server.

This command applies to both types of SSO Servers.


Note Enter the same command, sso-server value, in username-webvpn configuration mode to assign SSO servers to user policies.


Examples

The following example commands create the group policy my-sso-grp-pol and assigns it to the SSO server named example:

hostname(config)# group-policy my-sso-grp-pol internal
hostname(config)# group-policy my-sso-grp-pol attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# sso-server value example
hostname(config-group-webvpn)#
 
   

Related Commands

Related Commandshostname

Command
Description

policy-server-secret

Creates a secret key used to encrypt authentication requests to a SiteMinder SSO server.

show webvpn sso-server

Displays the operating statistics for all SSO servers configured on the security device.

sso-server

Creates a single sign-on server.

sso-server value (username webvpn)

Assigns an SSO server to a user policy.

web-agent-url

Specifies the SSO server URL to which the security appliance makes SiteMinder-type SSO authentication requests.


sso-server value (username webvpn)

To assign an SSO server to a user policy, use the sso-server value command in webvpn configuration mode available in username configuration mode.

To remove an SSO server assignment for a user, use the no form of this command.

When a user policy inherits an unwanted SSO server assignment from a group policy, use the sso-server none command to remove the assignment.

sso-server {value name | none}

[no] sso-server value name

Syntax Description

Syntax DescriptionSyntax Description

name

Specifies the name of the SSO server being assigned to the user policy.


Defaults

The default is for the user policy to use the SSO server assignment in the group policy.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

username webvpn configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The security appliance currently supports the SiteMinder-type of SSO server and the SAML POST-type SSO server.

This command applies to both types of SSO Servers.

The sso-server value command lets you assign an SSO server to a user policy.


Note Enter the same command, sso-server value, in group-webvpn configuration mode to assign SSO servers to group policies.


Examples

The following example commands assign the SSO server named my-sso-server to the user policy for a WebVPN user named Anyuser:

hostname(config)# username Anyuser attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# sso-server value my-sso-server
hostname(config-username-webvpn)#
 
   

Related Commands

Command
Description

policy-server-secret

Creates a secret key used to encrypt authentication requests to a SiteMinder SSO server.

show webvpn sso-server

Displays the operating statistics for all SSO servers configured on the security device.

sso-server

Creates a single sign-on server.

sso-server value (config-group-webvpn)

Assigns an SSO server to a group policy.

web-agent-url

Specifies the SSO server URL to which the security appliance makes SiteMinder SSO authentication requests.


start-url

To enter the URL at which to retrieve an optional pre-login cookie, use the start-url command in aaa-server-host configuration mode. This is an SSO with HTTP Forms command.

start-url string


Note To configure SSO with the HTTP protocol correctly, you must have a thorough working knowledge of authentication and HTTP protocol exchanges.


Syntax Description

Syntax DescriptionSyntax Description

string

The URL for an SSO server. The maximum URL length is 1024 characters.


Defaults

There is no default value or behavior.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server-host configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

The WebVPN server of the security appliance can use an HTTP POST request to submit a single sign-on authentication request to an authenticating web server. The authenticating web server may execute a pre-login sequence by sending a Set-Cookie header along with the login page content. You can discover this by connecting directly to the authenticating web server's login page with your browser. If the web server sets a cookie when the login page loads and if this cookie is relevant for the following login session, you must use the start-url command to enter the URL at which the cookie is retrieved. The actual login sequence starts after the pre-login cookie sequence with the form submission to the authenticating web server.


Note The start-url command is only required in the presence of the pre-login cookie exchange.


Examples

The following example, entered in aaa-server host configuration mode, specifies a URL for retrieving the pre-login cookie of https://example.com/east/Area.do?Page-Grp1:

hostname(config)# aaa-server testgrp1 (inside) host example.com
hostname(config-aaa-server-host)# start-url https://example.com/east/Area.do?Page=Grp1
hostname(config-aaa-server-host)# 

Related Commands

Command
Description

action-uri

Specifies a web server URI to receive a username and password for single sign-on authentication.

auth-cookie-name

Specifies a name for the authentication cookie.

hidden-parameter

Creates hidden parameters for exchange with the authenticating web server.

password-parameter

Specifies the name of the HTTP POST request parameter in which a user password must be submitted for SSO authentication.

user-parameter

Specifies the name of the HTTP POST request parameter in which a username must be submitted for SSO authentication.


state-checking

To enforce state checking for H.323, use the state-checking command in parameters configuration mode. To disable this feature, use the no form of this command.

state-checking [h225 | ras]

no state-checking [h225 | ras]

Syntax Description

h225

Enforces state checking for H.225.

ras

Enforces state checking for RAS.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Examples

The following example shows how to enforce state checking for RAS on an H.323 call:

hostname(config)# policy-map type inspect h323 h323_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# state-checking ras
 
   

Related Commandshostname(config-pmap-p)# rtp-conformance

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Display all current policy map configurations.


static

To configure a persistent one-to-one address translation rule by mapping a real IP address to a mapped IP address, use the static command in global configuration mode. To restore the default settings, use the no form of this command.

For static NAT:

static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask] | access-list access_list_name} [dns] [[tcp] max_conns [emb_lim]] [udp udp_max_conns] [norandomseq [nailed]]

no static (real_ifc,mapped_ifc) {mapped_ip | interface} {real_ip [netmask mask] | access-list access_list_name} [dns] [[tcp] max_conns [emb_lim]] [udp udp_max_conns] [norandomseq [nailed]]

For static PAT:

static (real_ifc,mapped_ifc) {tcp | udp} {mapped_ip | interface} mapped_port {real_ip real_port [netmask mask] | access-list access_list_name} [dns] [[tcp] max_conns [emb_lim]] [udp udp_max_conns] [norandomseq [nailed]]

no static (real_ifc,mapped_ifc) {tcp | udp} {mapped_ip | interface} mapped_port {real_ip real_port [netmask mask] | access-list access_list_name} [dns] [[tcp] max_conns [emb_lim]] [udp udp_max_conns] [norandomseq [nailed]]

Syntax Description

access-list access_list_name

Identify the real addresses and destination/source addresses using an extended access list. This feature is known as policy NAT.

Create the extended access list using the access-list extended command. The first address in the access list is the real address; the second address is either the source or destiniation address, depending on where the traffic originates. For example, to translate the real address 10.1.1.1 to the mapped address 192.168.1.1 when 10.1.1.1 sends traffic to the 209.165.200.224 network, the access-list and static commands are:

hostname(config)# access-list TEST extended ip host 10.1.1.1 
209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 192.168.1.1 access-list TEST
 
        

In this case, the second address is the destination address. However, the same configuration is used for hosts to originate a connection to the mapped address. For example, when a host on the 209.165.200.224 network initiates a connection to 192.168.1.1, then the second address in the access list is the source address.

This access list should include only permit ACEs. You can optionally specify the real and destination ports in the access list using the eq operator. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration.

If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the security appliance translates the .0 and .255 addresses. If you want to prevent access to these addresses, be sure to configure an access list to deny access.

dns

(Optional) Rewrites the A record, or address record, in DNS replies that match this static. For DNS replies traversing from a mapped interface to any other interface, the A record is rewritten from the mapped value to the real value. Inversely, for DNS replies traversing from any interface to a mapped interface, the A record is rewritten from the real value to the mapped value.

Note DNS inspection must be enabled to support this functionality.

emb_lim

(Optional) Specifies the maximum number of embryonic connections per host. The default is 0, which means unlimited embryonic connections.

Limiting the number of embryonic connections protects you from a DoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.

Note An embryonic limit applied using static NAT is applied to all connections to or from the real IP address, and not just connections between the specified interfaces. To apply limits to specific flows, see the set connection command.

interface

Uses the interface IP address as the mapped address. Use this keyword if you want to use the interface address, but the address is dynamically assigned using DHCP.

Note You must use the interface keyword instead of specifying the actual IP address when you want to include the IP address of an interface in a static PAT entry.

mapped_ifc

Specifies the name of the interface connected to the mapped IP address network.

mapped_ip

Specifies the address to which the real address is translated.

mapped_port

Specifies the mapped TCP or UDP port. You can specify ports by either a literal name or a number in the range of 0 to 65535.

You can view valid port numbers online at the following website:

http://www.iana.org/assignments/port-numbers

nailed

(Optional) Allows TCP sessions for asymmetrically routed traffic. This option allows inbound traffic to traverse the security appliance without a corresponding outbound connection to establish the state. This command is used in conjunction with the failover timeout command. The failover timeout command specifies the amount of time after a system boots or becomes active that the nailed sessions are accepted. If not configured, the connections cannot be reestablished.

Note Adding the nailed option to the static command causes TCP state tracking and sequence checking to be skipped for the connection. Using the asr-group command to configure asymmetric routing support is more secure than using the static command with the nailed option and is the recommended method for configuring asymmetric routing support.

netmask mask

Specifies the subnet mask for the real and mapped addresses. For single hosts, use 255.255.255.255. If you do not enter a mask, then the default mask for the IP address class is used, with one exception. If a host-bit is non-zero after masking, a host mask of 255.255.255.255 is used. If you use the access-list keyword instead of the real_ip, then the subnet mask used in the access list is also used for the mapped_ip.

norandomseq

(Optional) Disables TCP ISN randomization protection. Each TCP connection has two ISNs: one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.

Randomizing the ISN of the protected host prevents an attacker from predecting the next ISN for a new connection and potentially hijacking the new session.

TCP initial sequence number randomization can be disabled if required. For example:

If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.

If you use eBGP multi-hop through the security appliance, and the eBGP peers are using MD5. Randomization breaks the MD5 checksum.

You use a WAAS device that requires the security appliance not to randomize the sequence numbers of connections.

real_ifc

Specifies the name of the interface connected to the real IP address network.

real_ip

Specifies the real address that you want to translate.

real_port

Specifies the real TCP or UDP port. You can specify ports by either a literal name or a number in the range of 0 to 65535.

You can view valid port numbers online at the following website:

http://www.iana.org/assignments/port-numbers

tcp

For static PAT, specifies the protocol as TCP.

tcp max_conns

Specifies the maximum number of simultaneous TCP connections allowed to the local-host (see the local-host command). The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)

The recommended method for setting a connection limit is to use the module policy framework by setting a connection-limit on a class within a policy-map.

udp

For static PAT, specifies the protocol as UDP.

udp udp_max_conns

(Optional) Specifies the maximum number of simultaneous UDP connections allowed to the local-host (see the local-host command). The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)

The recommended method for setting a connection limit is to use the module policy framework by setting a connection-limit on a class within a policy-map.


Defaults

The default value for tcp_max_conns, emb_limit, and udp_max_conns is 0 (unlimited), which is the maximum available.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.2.(1)

NAT is now supported in transparent firewall mode.


Usage Guidelines

Static NAT creates a fixed translation of real address(es) to mapped address(es).With dynamic NAT and PAT, each host uses a different address or port for each subsequent translation. Because the mapped address is the same for each consecutive connection with static NAT, and a persistent translation rule exists, static NAT allows hosts on the destination network to initiate traffic to a translated host (if there is an access list that allows it).


Note For static policy NAT, in undoing the translation, the ACL in the static command is not used. If the destination address in the packet matches the mapped address in the static rule, the static rule is used to untranslate the address.


The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT allows a remote host to initiate a connection to a translated host (if there is an access list that allows it), while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with static NAT.

Using matching ports is supported for static policy NAT, but it is unsupported for NAT.

Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the real and mapped addresses.

This feature lets you identify the same mapped address across many different static statements, so long as the port is different for each statement (you cannot use the same mapped address for multiple static NAT statements).

You cannot use the same real or mapped address in multiple static commands between the same two interfaces, unless you use static PAT. Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface.

When you specify the ports in policy NAT for applications that require application inspection for secondary channels (FTP, VoIP, etc.), the security appliance automatically translates the secondary ports.

If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the security appliance translates the .0 and .255 addresses. If you want to prevent access to these addresses, be sure to configure an access list to deny access.

After changing or removing a static command statement, use the clear xlate command to clear the translations.

You can alternatively configure maximum connections, maximum embryonic connections, and TCP sequence randomization using the set connection commands. If you configure these settings for the same traffic using both methods, then the security appliance uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the security appliance disables TCP sequence randomization.

The connection attributes (dns, norandomseq, nailed, tcp, and udp) have a per-host limit. In some cases, such as policy NAT (with an access list) or NAT involving more than two interfaces, a connection attribute can derive its value from multiple nat and static commands. In such cases, the value from the rule that matches the first packet is the value that takes precedent. For example, with the following configuration, TCP connection limits of 100 and 200 can be applicable:

static (inside,dmz) 192.168.1.1 192.168.1.100 tcp 100
static (inside,outside) 192.168.1.1 192.168.1.100 tcp 200
 
   

If the first packet from host 192.168.1.1 is toward the dmz interface, the TCP connection limit is 100 for all subsequent TCP sessions.

Examples

Static NAT Examples

For example, the following policy static NAT example shows a single real address that is translated to two mapped addresses depending on the destination address:

hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224 
255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1
hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2
 
   

The following command maps an inside IP address (10.1.1.3) to an outside IP address (209.165.201.12):

hostname(config)# static (inside,outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255
 
   

The following command maps the outside address (209.165.201.15) to an inside address (10.1.1.6):

hostname(config)# static (outside,inside) 10.1.1.6 209.165.201.15 netmask 255.255.255.255
 
   

The following command statically maps an entire subnet:

hostname(config)# static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0
 
   

This example shows how to permit a finite number of users to call in through H.323 using Intel Internet Phone, CU-SeeMe, CU-SeeMe Pro, MeetingPoint, or Microsoft NetMeeting. The static command maps addresses 209.165.201.0 through 209.165.201.30 to local addresses 10.1.1.0 through 10.1.1.30 (209.165.201.1 maps to 10.1.1.1, 209.165.201.10 maps to 10.1.1.10, and so on).

hostname(config)# static (inside, outside) 209.165.201.0 10.1.1.0 netmask 255.255.255.224
hostname(config)# access-list acl_out permit tcp any 209.165.201.0 255.255.255.224 eq h323
hostname(config)# access-group acl_out in interface outside
 
   

This example shows the commands that are used to disable Mail Guard:

hostname(config)# static (dmz1,outside) 209.165.201.1 10.1.1.1 netmask 255.255.255.255
hostname(config)# access-list acl_out permit tcp any host 209.165.201.1 eq smtp
hostname(config)# access-group acl_out in interface outside
hostname(config)# no fixup protocol smtp 25
 
   

In the example, the static command allows you to set up a global address to permit outside hosts access to the 10.1.1.1 mail server host on the dmz1 interface. You shoud set the MX record for DNS to point to the 209.165.201.1 address so that mail is sent to this address. The access-list command allows the outside users to access the global address through the SMTP port (25). The no fixup protocol command disables Mail Guard.

Static PAT Examples

For example, for Telnet traffic initiated from hosts on the 10.1.3.0 network to the security appliance outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering the following commands:

hostname(config)# access-list TELNET permit tcp host 10.1.1.15 eq telnet 10.1.3.0 
255.255.255.0
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet access-list TELNET
 
   

For HTTP traffic initiated from hosts on the 10.1.3.0 network to the security appliance outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering:

hostname(config)# access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0 
255.255.255.0
hostname(config)# static (inside,outside) tcp 10.1.2.14 http access-list HTTP
 
   

To redirect Telnet traffic from the security appliance outside interface (10.1.2.14) to the inside host at 10.1.1.15, enter the following command:

hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 
255.255.255.255
 
   

If you want to allow the preceding real Telnet server to initiate connections, though, then you need to provide additional translation. For example, to translate all other types of traffic, enter the following commands. The original static command provides translation for Telnet to the server, while the nat and global commands provide PAT for outbound connections from the server.

hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 
255.255.255.255
hostname(config)# nat (inside) 1 10.1.1.15 255.255.255.255
hostname(config)# global (outside) 1 10.1.2.14
 
   

If you also have a separate translation for all inside traffic, and the inside hosts use a different mapped address from the Telnet server, you can still configure traffic initiated from the Telnet server to use the same mapped address as the static statement that allows Telnet traffic to the server. You need to create a more exclusive nat statement just for the Telnet server. Because nat statements are read for the best match, more exclusive nat statements are matched before general statements. The following example shows the Telnet static statement, the more exclusive nat statement for initiated traffic from the Telnet server, and the statement for other inside hosts, which uses a different mapped address.

hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 
255.255.255.255
hostname(config)# nat (inside) 1 10.1.1.15 255.255.255.255
hostname(config)# global (outside) 1 10.1.2.14
hostname(config)# nat (inside) 2 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 2 10.1.2.78
 
   

To translate a well-known port (80) to another port (8080), enter the following command:

hostname(config)# static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask 
255.255.255.255
 
   

Related Commands

Command
Description

clear configure static

Removes static commands from the configuration.

clear xlate

Clears all translations.

nat

Configures dynamic NAT.

show running-config static

Displays all static commands in the configuration.

timeout conn

Sets the timeout for connections.


strict-header-validation

To enable strict validation of the header fields in the SIP messages according to RFC 3261, use the strict-header-validation command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.

strict-header-validation action {drop | drop-connection | reset | log} [log}

no strict-header-validation action {drop | drop-connection | reset | log} [log}

Syntax Description

drop

Drops the packet if validation occurs.

drop-connection

Drops the connection of a violation occurs.

reset

Resets the connection of a violation occurs.

log

Specifies standalone or additional log in case of violation. It can be associated to any of the actions.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Examples

The following example shows how to enable strict validation of SIP header fields in a SIP inspection policy map:

hostname(config)# policy-map type inspect sip sip_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# strict-header-validation action log
 
   

Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Display all current policy map configurations.


strict-http

To allow forwarding of non-compliant HTTP traffic, use the strict-http command in HTTP map configuration mode, which is accessible using the http-map command. To reset this feature to its default behavior, use the no form of the command.

strict-http action {allow | reset | drop} [log]

no strict-http action {allow | reset | drop} [log]

Syntax Description

action

The action taken when a message fails this command inspection.

allow

Allows the message.

drop

Closes the connection.

log

(Optional) Generate a syslog.

reset

Closes the connection with a TCP reset message to client and server.


Defaults

This command is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

HTTP map configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Although strict HTTP inspection cannot be disabled, the strict-http action allow command causes the security appliance to allow forwarding of non-compliant HTTP traffic. This command overrides the default behavior, which is to deny forwarding of non-compliant HTTP traffic.

Examples

The following example allows forwarding of non-compliant HTTP traffic:

hostname(config)# http-map inbound_http
hostname(config-http-map)# strict-http allow
hostname(config-http-map)#
 
   

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug appfw

Displays detailed information about traffic associated with enhanced HTTP inspection.

http-map

Defines an HTTP map for configuring enhanced HTTP inspection.

inspect http

Applies a specific HTTP map to use for application inspection.

policy-map

Associates a class map with specific security actions.


strip-group

This command applies only to usernames received in the form user@realm. A realm is an administrative domain appended to a username with the "@" delimiter (juser@abc).

To enable or disable strip-group processing, use the strip-group command in tunnel-group general-attributes mode. The security appliance selects the tunnel group for IPSec connections by obtaining the group name from the username presented by the VPN client. When strip-group processing is enabled, the security appliance sends only the user part of the username for authorization/authentication. Otherwise (if disabled), the security appliance sends the entire username including the realm.

To disable strip-group processing, use the no form of this command.

strip-group

no strip-group

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting for this command is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group general attributes configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

You can apply this attribute only to the IPSec remote access tunnel-type.


Note Because of a limitation of MSCHAPv2, you cannot perform tunnel group switching when MSCHAPv2 is used for PPP authentication. The hash computation during MSCHAPv2 is bound to the username string (such as user + delimit + group).


Examples

The following example configures a remote access tunnel group named "remotegrp" for type IPSec remote access, then enters general configuration mode, sets the tunnel group named "remotegrp" as the default group policy, and then enables strip group for that tunnel group:

hostname(config)# tunnel-group remotegrp type IPSec_ra
hostname(config)# tunnel-group remotegrp general
hostname(config-tunnel-general)# default-group-policy remotegrp
hostname(config-tunnel-general)# strip-group
 
   

Related Commands

Command
Description

clear-configure tunnel-group

Clears all configured tunnel groups.

group-delimiter

Enables group-name parsing and specifies the delimiter to be used when parsing group names from the user names that are received when tunnels are being negotiated.

show running-config tunnel group

Shows the tunnel group configuration for all tunnel groups or for a particular tunnel group.

tunnel-group general-attributes

Specifies the general attributes for the named tunnel-group.


strip-realm

To enable or disable strip-realm processing, use the strip-realm command in tunnel-group general-attributes configuration mode. Strip-realm processing removes the realm from the username when sending the username to the authentication or authorization server. A realm is an administrative domain appended to a username with the @ delimiter (username@realm). If the command is enabled, the security appliance sends only the user part of the username authorization/authentication. Otherwise, the security appliance sends the entire username.

To disable strip-realm processing, use the no form of this command.

strip-realm

no strip-realm

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting for this command is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group general attributes configuration


Command History

Release
Modification

7.0.1

This command was introduced.


Usage Guidelines

You can apply this attribute only to the IPSec remote access tunnel-type.

Examples

The following example configures a remote access tunnel group named "remotegrp" for type IPSec remote access, then enters general configuration mode, sets the tunnel group named "remotegrp" as the default group policy, and then enables strip realm for that tunnel group:

hostname(config)# tunnel-group remotegrp type IPSec_ra
hostname(config)# tunnel-group remotegrp general
hostname(config-tunnel-general)# default-group-policy remotegrp
hostname(config-tunnel-general)# strip-realm

Related Commandshostname(config-general)

Command
Description

clear configure tunnel-group

Clears all configured tunnel groups or the specified tunnel-group.

show running-config tunnel-group

Shows the current tunnel-group configuration.

tunnel-group general-attributes

Specifies the general attributes for the named tunnel-group.


storage-key

To specify a storage key to protect the date stored between sessions, use the storage-key command in group-policy webvpn configuration mode. To remove this command from the configuration, use the no version of this command.

storage- key { none | value <string>}

no storage-key

Syntax Description

string

Specifies a string to use as the value of the storage key. This string can be up to 64 characters long.


Defaults

The default is none.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

While you can use any character except spaces in the storage key value, we recommend using only the standard alphanumeric character set: 0 through 9 and a through z.

Examples

The following example sets the storage key to the value abc123:

hostname(config)# group-policy test attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# storage-key value abc123
 
   

Related Commands

Command
Description

storage-objects

Configures storage objects for the data stored between sessions.


storage-objects

To specify which storage objects to use for the data stored between sessions, use the storage-objects command in group-policy webvpn configuration mode. To remove this command from the configuration, use the no version of this command.

storage- objects { none | value <string>}

no storage-objects

Syntax Description

string

Specifies the name of the storage objects. This string can be up to 64 characters long.


Defaults

The default is none.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

While you can use any character except spaces and commas in the storage object name, we recommend using only the standard alphanumeric character set: 0 through 9 and a through z. Use a comma, with no space, to separate the names of storage objects in the string.

Examples

The following example sets the storage object names to cookies and xyz456:

hostname(config)# group-policy test attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# storage-object value cookies,xyz456
 
   

Related Commands

Command
Description

storage-key

Configures storage key to use for the data stored between sessions.

user-storage

Configures a location for storing user data between sessions


subject-name (crypto ca certificate map)

To indicate that rule entry is applied to the subject DN of the IPSec peer certificate, use the subject-name command in crypto ca certificate map configuration mode. To remove an subject-name, use the no form of the command.

subject-name [attr tag] eq | ne |co | nc string]

no subject-name [attr tag] eq | ne |co | nc string]

Syntax Description

attr tag

Indicates that only the specified attribute value from the certificate DN will be compared to the rule entry string. The tag values are as follows:

DNQ = DN qualifier
GENQ = Generational qualifier
I = Initials
GN = Given name
N = Name
SN = Surname
IP = IP address
SER = Serial number
UNAME = Unstructured name
EA = Email address
T = Title
O = Organization Name
L = Locality
SP = State/Province
C = Country
OU = Organizational unit
CN = Common name

co

Specifies that the rule entry string must be a substring in the DN string or indicated attribute.

eq

Specifies that the DN string or indicated attribute must match the entire rule string.

nc

Specifies that the rule entry string must not be a substring in theDN string or indicated attribute.

ne

Specifies that the DN string or indicated attribute must not match the entire rule string.

string

Specifies the value to be matched.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca certificate map configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following example enters the CA certificate map mode for certificate map 1 and creates a rule entry indicating that the Organization attribute of the certificate subject name must be equal to Central.

hostname(config)# crypto ca certificate map 1
hostname(ca-certificate-map)# subject-name attr o eq central
hostname(ca-certificate-map)# exit
 
   

Related Commands

Command
Description

crypto ca certificate map

Enters CA certificate map mode.

issuer-name

Identifies the DN from the CA certificate that is to be compared to the rule entry string.

tunnel-group-map

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.


subject-name (crypto ca trustpoint)

To include the indicated subject DN in the certificate during enrollment, use the subject-name command in crypto ca trustpoint configuration mode. This is the person or system that uses the certificate. To restore the default setting, use the no form of the command.

subject-name X.500_name

no subject-name

Syntax Description

X.500_name

Defines the X.500 distinguished name. Use commas to separate attribute-value pairs. Insert quotation marks around any value that contains commas or spaces. For example: cn=crl,ou=certs,o="cisco systems, inc.",c=US. The maximum length is 500 characters.


Defaults

The default setting is not to include the subject name.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and sets up automatic enrollment at the URL https//:frog.phoobin.com and includes the subject DN OU certs in the the enrollment request for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# enrollment url http://frog.phoobin.com/ 
hostname(ca-trustpoint)# subject-name ou=certs
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns enrollment parameters to their defaults.

enrollment url

Specifies the URL for enrolling with a CA.


subject-name-default

To specify a generic subject-name DN to be appended to the username in all user certificates issued by the local CA server, use the subject-name-default command in CA server configuration mode. To reset the subject-name DN to the default value, use the no form of this command.

subject-name-default dn

no subject-name-default

Syntax Description

dn

Specifies the generic subject-name DN included with a username in all user certificates issued by the local CA server. Supported DN attributes are cn (common name), ou (organizational unit, ol (organization locality), st (state), ea (e-mail address), c (company), t (title), and sn (surname). Use commas to separate attribute-value pairs. Insert quotation marks around any value that contains commas or spaces. The dn can be up to 500 characters.


Defaults

This command is not part of the default configuration. This command specifies the default DN in the certificate. The security appliance ignores this command if the user entry has a DN.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CA server configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The subject-name-default command specifies a common, generic distinguished name to be used with a username to form a subject name for issued certificates. The dn value cn=username is sufficient for this purpose. This command eliminates the need to define a subject-name DN specifically for each user.

The security appliance uses this command only when issuing certificates if a user entry does not specify a DN. The DN field is optional when a user is added using the crypto ca server user-db add dn dn command.

Examples

The following example specifies a DN:

hostname(config)# crypto ca server
hostname(config-ca-server)# subject-name-default cn=cisco,cn=example_corp,ou=eng,st=ma, 
c="cisco systems, inc."
hostname(config-ca-server)# 
 
   

Related Commands

Command
Description

crypto ca server

Provides access to CA Server Configuration mode CLI command set, which allows you to configure and manage a local CA.

issuer-name

Specifies the subject-name DN of the certificate authority certificate.

keysize

Specifies the size of the public and private keys generated at user certificate enrollment.

lifetime

Specifies the lifetime of the CA certificate, issued certificates, or the CRL.


summary-address (OSPF)

To create aggregate addresses for OSPF, use the summary-address command in router configuration mode. To remove the summary address or specific summary address options, use the no form of this command.

summary-address addr mask [not-advertise] [tag tag_value]

no summary-address addr mask [not-advertise] [tag tag_value]

Syntax Description

addr

Value of the summary address that is designated for a range of addresses.

mask

IP subnet mask that is used for the summary route.

not-advertise

(Optional) Suppresses routes that match the specified prefix/mask pair.

tag tag_value

(Optional) A 32-bit decimal value attached to each external route. This value is not used by OSPF itself. It may be used to communicate information between ASBRs. If none is specified, then the remote autonomous system number is used for routes from BGP and EGP; for other protocols, zero (0) is used. Valid values range from 0 to 4294967295.


Defaults

The defaults are as follows:

tag_value is 0.

Routes that match the specified prefix/mask pair are not suppressed.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Routes learned from other routing protocols can be summarized. Using this command for OSPF causes an OSPF Autonomous System Boundary Router (ASBR) to advertise one external route as an aggregate for all redistributed routes that are covered by the address. This command summarizes only routes from other routing protocols that are being redistributed into OSPF. Use the area range command for route summarization between OSPF areas.

To remove a summary-address command from the configuration, use the no form of the command without specifying any of the optional keywords or arguments. To remove an option from a summary command in the configuration, use the no form of the command with the options that you want removed. See the "Examples" section for more information.

Examples

The following example configures route summarization with a tag set to 3:

hostname(config-router)# summary-address 1.1.0.0 255.255.0.0 tag 3
hostname(config-router)#
 
   

The following example shows how to use the no form of the summary-address command with an option to set that option back to the default value. In this example, the tag value, set to 3 in the previous example, is removed from the summary-address command.

hostname(config-router)# no summary-address 1.1.0.0 255.255.0.0 tag 3
hostname(config-router)#
 
   

The following example removes the summary-address command from the configuration:

hostname(config-router)# no summary-address 1.1.0.0 255.255.0.0
hostname(config-router)#
 
   

Related Commands

Command
Description

area range

Consolidates and summarizes routes at an area boundary.

router ospf

Enters router configuration mode.

show ospf summary-address

Displays the summary address settings for each OSPF routing process.


summary-address (EIGRP)

To configure a summary for EIGRP on a specific interface, use the summary-address command in interface configuration mode. To remove the summary address, use the no form of this command.

summary-address as-number addr mask [admin-distance]

no summary-address as-number addr mask

Syntax Description

as-number

The autonomous system number. This must be the same as the autonomous system number of your EIGRP routing process.

addr

The summary IP address.

mask

The subnet mask to apply to the IP address.

admin-distance

(Optional) The administrative distance of the summary route. Valid values are from 0 to 255. If not specified, the default value is 5.


Defaults

The defaults are as follows:

EIGRP automatically summarizes routes to the network level, even for a single host route.

The administrative distance of EIGRP summary routes is 5.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

By default, EIGRP summarizes subnet routes to the network level. Use the no auto-summary command to disable automatic route summarization. Using the summary-address command lets you manually define subnet route summaries on a per-interface basis.

Examples

The following example configures route summarization with a tag set to 3:

hostname(config-router)# summary-address 1.1.0.0 255.255.0.0 
hostname(config-router)#
 
   

The following example shows how to use the no form of the summary-address command with an option to set that option back to the default value. In this example, the tag value, set to 3 in the previous example, is removed from the summary-address command.

hostname(config-router)# no summary-address 1.1.0.0 255.255.0.0
hostname(config-router)#
 
   

The following example removes the summary-address command from the configuration:

hostname(config-router)# no summary-address 1.1.0.0 255.255.0.0
hostname(config-router)#
 
   

Related Commands

Command
Description

auto-summary

Automatically creates summary addresses for the EIGRP routing process.


sunrpc-server

To create entries in the SunRPC services table, use the sunrpc-server command in global configuration mode. To remove SunRPC services table entries from the configuration, use the no form of this command.

sunrpc-server ifc_name ip_addr mask service service_type protocol [tcp | udp] port port [- port ] timeout hh:mm:ss

no sunrpc-server ifc_name ip_addr mask service service_type protocol [tcp | udp] port port [- port] timeout hh:mm:ss

no sunrpc-server active service service_type server ip_addr

Syntax Description

ifc_name

Server interface name.

ip_addr

SunRPC server IP address.

mask

Network mask.

port port [- port ]

Specifies the SunRPC protocol port range.

port- port

(Optional) Specifies the SunRPC protocol port range.

protocol tcp

Specifies the SunRPC transport protocol.

protocol udp

Specifies the SunRPC transport protocol.

service

Specifies a service.

service_type

Sets the SunRPC service program number as specified in the sunrpcinfo command.

timeout hh:mm:ss

Specifies the timeout idle time after which the access for the SunRPC service traffic is closed.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The SunRPC services table is used to allow SunRPC traffic through the security appliance based on an established SunRPC session for the duration specified by the timeout.

Examples

The following example shows how to create an SunRPC services table:

hostname(config)# sunrpc-server outside 10.0.0.1 255.0.0.0 service 100003 protocol TCP 
port 111 timeout 0:11:00
hostname(config)# sunrpc-server outside 10.0.0.1 255.0.0.0 service 100005 protocol TCP 
port 111 timeout 0:11:00
 
   

Related Commands

Command
Description

clear configure sunrpc-server

Clears the Sun remote processor call services from the security appliance.

show running-config sunrpc-server

Displays the information about the SunRPC configuration.


support-user-cert-validation

To validate a remote user certificate based on the current trustpoint, provided that this trustpoint is authenticated to the CA that issued the remote certificate, use the support-user-cert-validation command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.

support-user-cert-validation

no support-user-cert-validation

Syntax Description

This command has no arguments or keywords.


Defaults

The default setting is to support user certificate validation.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The security appliance can have two trustpoints with the same CA resulting in two different identity certificates from the same CA. This option is automatically disabled if the trustpoint is authenticated to a CA that is already associated with another trustpoint that has enabled this feature. This prevents ambiguity in the choice of path-validation parameters. If the user attempts to activate this feature on a trustpoint that has been authenticated to a CA already associated with another trustpoint that has enabled this feature, the action is not permitted. No two trustpoints can have this setting enabled and be authenticated to the same CA.

Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and enables the trustpoint central to accept user validation:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# support-user-cert-validation
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns enrollment parameters to their defaults.


svc ask

To enable the security appliance to prompt remote SSL VPN client users to download the client, use the svc ask command from group policy webvpn or username webvpn configuration modes.

To remove the command from the configuration, use the no form of the command:

svc ask {none | enable [default {webvpn | svc} timeout value]}

no svc ask none [default {webvpn | svc}]

Syntax Description

none

Immediately performs the default action.

enable

Prompts the remote user to download the client or goes to the portal page for clientless connections and waits indefinitely for user response.

default svc timeout value

Prompts the remote user to download the client or goes to the portal page for clientless connections, and waits the duration of value before taking the default action—downloading the client.

default webvpn timeout value

Prompts the remote user to download the client or goes to the portal page for clientless connections, and waits the duration of value before taking the default action—displaying the WebVPN portal page.


Defaults

The default for this command is svc ask none default webvpn. The security appliance immediately displays the portal page for clientless connections.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group policy webvpn configuration

username webvpn configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

Figure 31-1 shows the prompt displayed to remote users when either default svc timeout value or default webvpn timeout value is configured:

Figure 31-1 Prompt Displayed to Remote Users for SSL VPN Client Download

Examples

The following example configures the security appliance to prompt the remote user to download the client or go to the portal page and to wait 10 seconds for user response before downloading the client:

hostname(config-group-webvpn)# svc ask enable default svc timeout 10

Related Commands

Command
Description

show webvpn svc

Displays information about installed SSL VPN clients.

svc

Enables or requires the SSL VPN client for a specific group or user.

svc image

Specifies a client package file that the security appliance expands in cache memory for downloading to remote PCs.


svc compression

To enable compression of http data over an SSL VPN connection for a specific group or user, use the svc compression command in group policy webvpn or username webvpn configuration modes.

To remove the command from the configuration and cause the value to be inherited, use the no form of the command:

svc compression {deflate | none}

no svc compression {deflate | none}

Syntax Description

deflate

Specifies compression is enabled for the group or user.

none

Specifies compression is disabled for the group or user.


Defaults

By default, compression is set to none (disabled).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group policy webvpn configuration

username webvpn configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

For SSL VPN connections, the compression command configured from webvpn configuration mode overrides the svc compression command configured in group policy and username webvpn modes.

Examples

In the following example, SVC compression is disabled for the group-policy sales:

hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# svc compression none

Related Commands

Command
Description

compression

Enables compression for all SSL, WebVPN, and IPSec VPN connections.

show webvpn svc

Displays information about installed SSL VPN clients.


svc dpd-interval

To enable Dead Peer Detection (DPD) on the security appliance and to set the frequency that either the remote client or the security appliance performs DPD over SSL VPN connections, use the svc dpd-interval command from group policy or username webvpn mode:

svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}

no svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}

Use the no form of the command to remove the command from the configuration and cause the value to be inherited.

Syntax Description

gateway seconds

Specifies the frequency, from 30 to 3600 seconds, that the security appliance performs DPD.

gateway none

Disables DPD that the security appliance performs.

client seconds

Specifies the frequency, from 30 to 3600 seconds, that the client performs DPD.

client none

Disables DPD that the client performs.


Defaults

The default is DPD is enabled and set to 30 seconds for both the security appliance (gateway) and the client.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group policy webvpn configuration

username webvpn configuration


Command History

Release
Modification

7.1(1)

This command was introduced.

8.0(3)

The default setting changed from disabled to 30 seconds for both the security appliance (gateway) and the client.


Examples

In the following example, the user configures the DPD frequency performed by the security appliance (gateway) to 3000 seconds, and the DPD frequency performed by the client to 1000 seconds, for the existing group policy sales:

hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# svc dpd-interval gateway 3000
hostname(config-group-webvpn)# svc dpd-interval client 1000

Related Commands

Command
Description

svc

Enables or requires the SSL VPN client for a specific group or user.

svc keepalive

Specifies the frequency at which a client on a remote computer sends keepalive messages to the security appliance over an SSL VPN connection.

svc keep-installer

Disables the automatic uninstalling feature of the client. The client remains installed on the remote PC for future connections.

svc rekey

Enables the client to perform a rekey on an SSL VPN connection.


svc dtls enable

To enable Datagram Transport Layer Security (DTLS) connections on an interface for specific groups or users establishing SSL VPN connections with the Cisco AnyConnect VPN Client, use the dtls enable command from group policy webvpn or username attributes webvpn configuration mode.

To remove the command from the configuration and cause the value to be inherited, use the no form of the command:

dtls enable interface

no dtls enable interface

Syntax Description

interface

The name of the interface.


Defaults

The default is enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group policy webvpn configuration

username webvpn configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

Enabling DTLS allows the AnyConnect client establishing an SSL VPN connection to use two simultaneous tunnels—an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

If you do not enable DTLS, AnyConnect client users establishing SSL VPN connections connect only with an SSL tunnel.

This command enables DTLS for specific groups or users. To enable DTLS for all AnyConnect client users, use the dtls enable command in webvpn configuration mode.

Examples

The following example enters group policy webvpn configuration mode for the group policy sales and enables DTLS:

hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# svc dtls enable

Related Commands

Command
Description

dtls port

Specifies a UDP port for DTLS.

svc dtls

Enables DTLS for groups or users establishing SSL VPN connections.

vpn-tunnel-protocol

Specifies VPN protocols that the security appliance allows for remote access, including SSL.


svc enable

To enable the security appliance to download an SSL VPN client to remote computers, use the svc enable command from webvpn configuration mode.

To remove the command from the configuration, use the no form of the command:

svc enable

no svc enable

Defaults

The default for this command is disabled. The security appliance does not download the client.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

webvpn configuration


Command History

Release
Modification

7.1.1

This command was introduced.


Usage Guidelines

Entering the no svc enable command does not terminate active sessions.

Examples

In the following example, the user enables the security appliance to download the client:

(config)# webvpn
(config-webvpn)# svc enable
 
   

Related Commands

Command
Description

show webvpn svc

Displays information about SSL VPN clients installed on the security appliance and loaded in cache memory for downloading to remote PCs.

svc localization

Specifies the package file used to store localization files that are downloaded to the Cisco AnyConnect VPN Client.

svc profiles

Specifies the name of the file used to store profiles that the security appliance downloads to the Cisco AnyConnect VPN Client.

svc image

Specifies an SSL VPN client package file that the security appliance expands in cache memory for downloading to remote PCs.


svc image

To specify an SSL VPN client package file that the security appliance expands in cache memory for downloading to remote PCs, use the svc image command from webvpn configuration mode.

To remove the command from the configuration, use the no form of the command:

svc image filename order [regex expression]

no svc image filename order [regex expression]

Syntax Description

filename

Specifies the filename of the package file, up to 255 characters.

order

With multiple client package files, order specifies the order of the package files, from 1 to 65535. The security appliance downloads portions of each client, in the order you specify, to the remote PC until it achieves a match with the operating system.

regex expression

Specifies a string that the security appliance uses to match against the User-Agent string passed by the browser.


Defaults

The default order is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

webvpn configuration


Command History

Release
Modification

7.1.1

This command was introduced.

8.0(1)

The regex expression argument was added.


Usage Guidelines

Numbering the package files establishes the order in which the security appliance downloads portions of them to the remote PC until it achieves a match with the operating system. It downloads the package file with the lowest number first. Therefore, you should assign the lowest number to the package file that matches the most commonly-encountered operating system used on remote PCs.

The default order is 1. If you do not specify the order argument, each time you enter the svc image command, you overwrite the image that was previously considered number 1.

You can enter the svc image command for each client package file in any order. For example, you can specify the package file to be downloaded second (order 2) before entering the svc image command specifying the package file to be downloaded first (order 1).

For mobile users, you can decrease the connection time of the mobile device by using the regex keyword. When the browser connects to the security appliance, it includes the User-Agent string in the HTTP header. When the security appliance receives the string, if the string matches an expression configured for an image, it immediately downloads that image without testing the other client images.

The security appliance expands both SSL VPN client and Cisco Secure Desktop (CSD) package files in cache memory. In order for the security appliance to successfully expand the package files, there must be enough cache memory to store the images and files of the package file.

If the security appliance detects there is not enough cache memory to expand a package, it displays an error message to the console. The following example shows an error message reported after an attempt to install a package file with the svc image command:

hostname(config-webvpn)# svc image disk0:/vpn-win32-Release-2.0.0070-k9.pkg
ERROR: File write error (check disk space)
ERROR: Unable to load SVC image - extraction failed
 
   

If this occurs when you attempt to install an package file, examine the amount of cache memory remaining and the size of any previously installed packages with the dir cache:/ command from global configuration mode. Adjust the cache size limit accordingly with the cache-fs limit command from webvpn configuration mode.

Examples

In the following example, the output of the show webvpn svc command indicates that the windows.pkg file has an order number of 1, and the windows2.pkg file has an order number of 15. When a remote computer establishes a connection, the windows.pkg file downloads first. If the file does not match the operating system, the windows2.pkg file downloads:

hostname(config-webvpn)# show webvpn svc
1. disk0:/windows.pkg 1
  CISCO STC win2k+ 1.0.0
  1,0,2,132
  Thu 08/25/2005 21:51:30.43
 
   
2. disk0:/windows2.pkg 15
  CISCO STC win2k+ 1.0.0
  1,0,0,164
  Thu 02/17/2005 20:09:22.43
 
   
2 SSL VPN Client(s) installed
 
   

The user then reorders the package files using the svc image command, with the windows2.pkg file as the first file downloaded to the remote PC, and the windows.pkg file downloaded second:

hostname(config-webvpn)# svc image windows2.pkg 10 
hostname(config-webvpn)# svc image windows.pkg 20 
 
   
Reentering the show webvpn svc command shows the new order of the files.
 
   
hostname(config-webvpn)# show webvpn svc
1. disk0:/windows2.pkg 10
  CISCO STC win2k+ 1.0.0
  1,0,2,132
  Thu 08/25/2005 21:51:30.43
 
   
2. disk0:/windows.pkg 20
  CISCO STC win2k+ 1.0.0
  1,0,0,164
  Thu 02/17/2005 20:09:22.43
 
   
2 SSL VPN Client(s) installed
 
   

The following example indicates the CSD image (located in sdesktop) and the SSL VPN client image (located in stc) use approximately 5.44 MB of cache memory. To create enough cache memore, the user sets the cache size limit to 6 MB:

hostname(config-webvpn)# dir cache:
 
   
Directory of cache:/
 
   
0      drw-  0           17:06:55 Nov 13 2006  sdesktop
0      drw-  0           16:46:54 Nov 13 2006  stc
 
   
5435392 bytes total (4849664 bytes free)
 
   
hostname(config-webvpn)# cache-fs limit 6
hostname(config-webvpn)#
 
   

Related Commands

Command
Description

cache-fs limit

Limits the size of cache memory.

dir cache:

Displays the contents of cache memory.

show webvpn svc

Displays information about SSL VPN clients installed on the security appliance and loaded in cache memory for downloading to remote PCs.

svc enable

Enables the security appliance to download the client to remote computers.


svc keepalive

To configure the frequency of keepalive messages which a remote client sends to the security appliance over SSL VPN connections, use the svc keepalive command from group policy webvpn or username webvpn configuration modes.

Use the no form of the command to remove the command from the configuration and cause the value to be inherited:

svc keepalive {none | seconds}

no svc keepalive {none | seconds}

Syntax Description

none

Disables keepalive messages.

seconds

Enables keepalive messages and specifies the frequency of the messages, from 15 to 600 seconds.


Defaults

The default is 20 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group policy webvpn configuration

username webvpn configuration


Command History

Release
Modification

7.1(1)

This command was introduced.

8.0(3)

The default setting changed from disabled to 20 seconds.


Usage Guidelines

Both the legacy Cisco SSL VPN Client (SVC) and the Cisco AnyConnect VPN Client can send keepalive messages when they establish SSL VPN connections to the security appliance.

You can adjust the frequency of keepalive messages (specified by seconds), to ensure that an SSL VPN connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle.

Adjusting the frequency also ensures that the client does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.


Note Keepalives are enabled by default. If you disable keepalives, in the event of a failover event, SSL VPN client sessions are not carried over to the standby device.


Examples

In the following example, the user configures the security appliance to enable the client to send keepalive messages, with a frequency of 300 seconds (5 minutes), for the existing group policy named sales:

hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# svc keepalive 300

Related Commands

Command
Description

svc

Enables or requires an SSL VPN client for a specific group or user.

svc dpd-interval

Enables Dead Peer Detection (DPD) on the security appliance, and sets the frequency that either the client or the security appliance performs DPD.

svc keep-installer

Disables the automatic uninstalling feature of the client. The client remains installed on the remote PC for future connections.

svc rekey

Enables the client to perform a rekey on a session.


 
   

svc keep-installer

To enable the permanent installation of an SSL VPN client on a remote PC, use the svc keep-installer command from group-policy webvpn or username webvpn configuration modes.

Use the no form of the command to remove the command from the configuration and cause the value to be inherited:

svc keep-installer {installed | none}

no svc keep-installer {installed | none}

Syntax Description

installed

Disables the automatic uninstalling feature of the client. The client remains installed on the remote PC for future connections..

none

Specifies that the client uninstalls from the remote computer after the active connection terminates.


Defaults

The default is permanent installation of the client is enabled. The client remains on the remote computer at the end of the session.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group policy webvpn configuration

username webvpn configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Examples

In the following example, the user enters group policy webvpn configuration mode and configures the group policy to remove the client at the end of the session:

hostname(config-group-policy)#webvpn
hostname(config-group-webvpn)# svc keep-installer none
hostname(config-group-webvpn)#

Related Commands

Command
Description

show webvpn svc

Displays information about SSL VPN clients installed on the security appliance and loaded in cache memory for downloading to remote PCs.

svc

Enables or requires the client for a specific group or user.

svc enable

Enables the security appliance to download client files to remote PCs.

svc image

Specifies a client package file that the security appliance expands in cache memory for downloading to remote PCs.


svc modules

To specify the names of optional modules that the AnyConnect SSL VPN Client requires for optional features, use the svc modules command from group policy webvpn or username webvpn configuration mode.

To remove the command from the configuration, use the no form of the command:

svc modules {none | value string}

no svc modules {none | value string}

Syntax Description

string

The name of the optional module, up to 256 characters. Separate multiple strings with commas.


Defaults

The default is none. The security appliance does not download optional modules.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group policy webvpn configuration

username webvpn configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

To minimize download time, the client only requests downloads (from the security appliance) of modules that it needs for each feature that it supports. The svc modules command enables the security appliance to download these modules. If you choose none, the security appliance downloads the essential files with no optional modules.

Enable the Start Before Logon (SBL) feature using the vpngina string. This string enables the security appliance to download a graphical identification and authentication (GINA) for the AnyConnect client VPN connection.

For a list of values to enter for all client features, see the release notes for the Cisco AnyConnect VPN Client.

Examples

In the following example, the user enters group-policy attributes mode for the group policy telecommuters, enters webvpn configuration mode for the group policy, and specifies the string vpngina:

hostname(config)# group-policy telecommuters attributes
hostname(config-group-policy)# webvpn
hostame(config-group-webvpn)# svc modules value vpngina

Related Commands

Command
Description

show webvpn svc

Displays information about SSL VPN clients that are loaded in cache memory on the security appliance and available for download.

svc enable

Enables an SSL VPN client for a specific group or user.

svc image

Specifies a SSL VPN client package file that the security appliance expands in cache memory for downloading to remote PCs.


svc mtu

To adjust the MTU size for SSL VPN connections established by the Cisco AnyConnect VPN Client, use the svc mtu command from group policy webvpn or username webvpn configuration mode.

To remove the command from the configuration, use the no form of the command:

svc mtu size

no svc mtu size

Syntax Description

size

The MTU size in bytes, from 256 to 1406 bytes.


Defaults

The default size is 1406.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group policy webvpn configuration

username webvpn configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

This command affects only the AnyConnect client. The Cisco SSL VPN Client (SVC) is not capable of adjusting to different MTU sizes.

The default for this command in the default group policy is no svc mtu. The MTU size is adjusted automatically based on the MTU of the interface that the connection uses, minus the IP/UDP/DTLS overhead.

This command affects AnyConnect client connections established in only SSL and those established in SSL with DTLS.

Examples

The following example configures the MTU size to 500 bytes for the group policy telecommuters:

hostname(config)# group-policy telecommuters attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# svc mtu 500

Related Commands

Command
Description

svc keep-installer

Disables the automatic uninstalling feature of the client. After the initial download, the client remains on the remote PC after the connection terminates.

svc dtls

Enables DTLS for clients establishing SSL VPN connections.

show run webvpn

Displays configuration information about WebVPN, including svc commands.


svc profiles (group-policy or username attributes)

To specify a profiles package downloaded to Cisco AnyConnect VPN Client users, use the svc profile command from group policy webvpn or username attributes webvpn configuration mode.

To remove the command from the configuration and cause the value it to be inherited, use the no form of the command:

svc profiles {value profile | none}

no svc profiles {value profile | none}

Syntax Description

profile

The name of the profile.


Defaults

The default is none. The security appliance does not download profiles.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group policy webvpn configuration

username webvpn configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

This command, entered from group policy webvpn or username attributes webvpn configuration mode, enables the security appliance to download profiles to users on a group policy or username basis. To download a profile to all users, use this command from webvpn configuration mode.

A profile is a group of configuration parameters that the client uses to configure the connection entries that appear in the client user interface, including the names and addresses of host computers. You can create and save profiles using the AnyConnect user interface. You can also edit this file with a text editor and set advanced parameters that are not available through the user interface.

The client installation contains one profile template (AnyConnectProfile.tmpl) that you can edit and use as a basis to create other profile files. For more information about editing profiles, see the Cisco AnyConnect VPN Client Administrator Guide.

Examples

In the following example, the user queries the svc profiles value command, which displays the available profiles:

asa1(config-group-webvpn)# svc profiles value ?
 
   
config-group-webvpn mode commands/options:
Available configured profile packages:
  engineering
  sales
 
   

Then the user configures the group policy to use the profile sales:

asa1(config-group-webvpn)# svc profiles sales
 
   

Related Commands

Command
Description

show webvpn svc

Displays information about installed SSL VPN clients.

svc

Enables or requires an SSL VPN client for a specific group or user.

svc image

Specifies a client package file that the security appliance expands in cache memory for downloading to remote PCs.


svc profiles (webvpn)

To specify a file as a profiles package that the security appliance loads in cache memory and makes available to group policies and username attributes of Cisco AnyConnect VPN Client users, use the svc profile command from webvpn configuration mode.

To remove the command from the configuration and cause the security appliance to unload the package file from cache memory, use the no form of the command:

svc profiles {profile path}

no svc profiles {profile path}

Syntax Description

path

The path and filename of the profile file in flash memory of the security appliance.

profile

The name of the profile to create in cache.


Defaults

The default is none. The security appliance does not load a profiles package in cache memory.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

webvpn configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

A profile is a group of configuration parameters that the AnyConnect client uses to configure the connection entries that appear in the user interface, including the names and addresses of host computers. You can create and save profiles using the client user interface.

You can also edit this file with a text editor and set advanced parameters that are not available through the user interface. The client installation contains one profile template (AnyConnectProfile.tmpl) that you can edit and use as a basis to create other profile files. For more information about editing profiles, see the Cisco AnyConnect VPN Client Administrator Guide.

After you create a new profile and upload it to flash memory, identify the XML file to the security appliance as a profile using the svc profiles command in webvpn configuration mode. The command loads the files in cache memory on the security appliance. Then you can specify the profile for a group or user with the svc profiles command from group policy webvpn configuation or username attributes configuration mode.

Examples

In the following example, the user previously created two new profile files (sales_hosts.xml and engineering_hosts.xml) from the AnyConnectProfile.tmpl file provided in the client installation and uploaded them to flash memory of the security appliance.

Now the user identifies these files to the security appliance as AnyConnect profiles, specifying the names sales and engineering:

asa1(config-webvpn)# svc profiles sales disk0:sales_hosts.xml
asa1(config-webvpn)# svc profiles engineering disk0:engineering_hosts.xml
 
   

Entering the dir cache:stc/profiles command shows the profiles loaded into cache memory:

asa1(config-webvpn)# dir cache:stc/profiles
 
   
Directory of cache:stc/profiles/
 
   
0      ----  774         11:54:41 Nov 22 2006  engineering.pkg
0      ----  774         11:54:29 Nov 22 2006  sales.pkg
 
   
2428928 bytes total (18219008 bytes free)
asa1(config-webvpn)#
 
   

Now they are available to the svc profiles command in group policy webvpn configuration or username attributes configurate modes:

asa1(config)# group-policy sales attributes
asa1(config-group-policy)# webvpn
asa1(config-group-webvpn)# svc profiles value ?
 
   
config-group-webvpn mode commands/options:
Available configured profile packages:
  engineering
  sales

Related Commands

Command
Description

show webvpn svc

Displays information about installed SSL VPN clients.

svc

Enables or requires the SSL VPN client for a specific group or user.

svc image

Specifies an SSL VPN package file that the security appliance expands in cache memory for downloading to remote PCs.


svc rekey

To enable a remote client to perform a rekey on an SSL VPN connection, use the svc rekey command from group-policy webvpn or username webvpn configuration mode.

Use the no form of the command to remove the command from the configuration and cause the value to be inherited:

svc rekey {method {ssl | new-tunnel} | time minutes | none}

no svc rekey {method {ssl | new-tunnel} | time minutes | none}

Syntax Description

method ssl

Specifies that SSL renegotiation takes place during rekey.

method new-tunnel

Specifies that the client establishes a new tunnel during rekey.

time minutes

Specifies the number of minutes from the start of the session until the re-key takes place, from 4 to 10080 (1 week).

method none

Disables rekey.


Defaults

The default is none (disabled).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group policy webvpn configuration

username webvpn configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

Both the legac Cisco SSL VPN Client (SVC) and the Cisco AnyConnect VPN Client can perform a rekey on an SSL VPN connection to the security appliance.

We recommend that you configure SSL as the rekey method.

Examples

In the following example, the user specifies that remote clients belonging to the group policy sales renegotiate with SSL during rekey and rekey occurs 30 minutes after the session begins:

hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# svc rekey method ssl
hostname(config-group-webvpn)# svc rekey time 30

Related Commands

Command
Description

svc

Enables or requires the AnyConnect client for a specific group or user.

svc dpd-interval

Enables Dead Peer Detection (DPD) on the security appliance, and sets the frequency that either the AnyConnect client or the security appliance performs DPD.

svc keepalive

Specifies the frequency at which an AnyConnect client on a remote computer sends keepalive messages to the security appliance.

svc keep-installer

Enables the permanent installation of an AnyConnect client onto a remote computer.


switchport access vlan

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the switchport access vlan command in interface configuration mode to assign a switch port to a VLAN.

switchport access vlan number

no switchport access vlan number

Syntax Description

vlan number

Specifies the VLAN ID to which you want to assign this switch port. The VLAN ID is between 1 and 4090.


Defaults

By default, all switch ports are assigned to VLAN 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

In transparent firewall mode, you can configure two active VLANs in the ASA 5505 adaptive security appliance Base license and three active VLANs in the Security Plus license, one of which must be for failover.

In routed mode, you can configure up to three active VLANs in the ASA 5505 adaptive security appliance Base license, and up to 20 active VLANs with the Security Plus license.

An active VLAN is a VLAN with a nameif command configured.

You can assign one or more physical interfaces to each VLAN using the switchport access vlan command. By default, the VLAN mode of the interface is to be an access port (one VLAN associated with the interface). If you want to create a trunk port to pass multiple VLANs on the interface, use the switchport mode access trunk command to change the mode to trunk mode, and then use the switchport trunk allowed vlan command.

Examples

The following example assigns five physical interfaces to three VLAN interfaces:

 
   
hostname(config-if)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown
 
   
...
 
   

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

show running-config interface

Shows the interface configuration in the running configuration.

switchport mode

Sets the VLAN mode to be access or trunk.

switchport protected

Prevents a switch port from communicating with other switch ports on the same VLAN for extra security.

switchport trunk allowed vlan

Assigns VLANs to a trunk port.


switchport mode

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the switchport mode command in interface configuration mode to set the VLAN mode to either access (the default) or trunk.

switchport mode {access | trunk}

no switchport mode {access | trunk}

Syntax Description

access

Sets the switch port to access mode, which allows the switch port to pass traffic for only one VLAN. Packets exit the switch port without an 802.1Q VLAN tag. If a packet enters the switch port with a tag, the packet is dropped.

trunk

Sets the switch port to trunk mode, so it can pass traffic for multiple VLANs. Packets exit the switch port with an 802.1Q VLAN tag. If a packet enters the switch port without a tag, the packet is dropped.


Defaults

By default, the mode is access.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.2(1)

This command was introduced.

7.2(2)

You can now configure multiple trunk ports, rather than being limited to one trunk.


Usage Guidelines

By default, the VLAN mode of the switch port is to be an access port (one VLAN associated with the switch port). In access mode, assign a switch port to a VLAN using the switchport access vlan command. If you want to create a trunk port to pass multiple VLANs on the switch port, set the mode to trunk mode, and then use the switchport trunk allowed vlan command to assign multiple VLANs to the trunk. If you set the mode to trunk mode, and you have not yet configured the switchport trunk allowed vlan command, the switch port remains in "line protocol down" state and cannot participate in traffic forwarding. Trunk mode is available only with the Security Plus license.

The switchport vlan access command does not take effect unless the mode is set to access mode. The switchport trunk allowed vlan command does not take effect unless the mode is set to trunk mode.

Examples

The following example configures an access mode switch port assigned to VLAN 100, and a trunk mode switch port assigned to VLANs 200 and 300:

hostname(config-if)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport mode trunk
hostname(config-if)# switchport trunk allowed vlan 200,300
hostname(config-if)# no shutdown
 
   
...
 
   

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

show running-config interface

Shows the interface configuration in the running configuration.

switchport access vlan

Assigns the switch port to a VLAN.

switchport protected

Prevents a switch port from communicating with other switch port on the same VLAN for extra security.

switchport trunk allowed vlan

Assigns VLANs to a trunk port.


switchport monitor

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the switchport monitor command in interface configuration mode to enable SPAN, also known as switch port monitoring. The port for which you enter this command (called the destination port) receives a copy of every packet transmitted or received on the specified source port. The SPAN feature lets you attach a sniffer to the destination port so you can monitor traffic. You can specify multiple source ports by entering this command multiple times. You can only enable SPAN for one destination port. To disable monitoring of a source port, use the no form of this command.

switchport monitor source_port [tx | rx | both]

no switchport monitor source_port [tx | rx | both]

Syntax Description

source_port

Specifies the port you want to monitor. You can specify any Ethernet port as well as the Internal-Data0/1 backplane port that passes traffic between VLAN interfaces. Because the Internal-Data0/1 port is a Gigabit Ethernet port, you might overload the Fast Ethernet destination port with traffic. Monitor the port Internal-Data0/1 with caution.

tx

(Optional) Specifies that only transmitted traffic is monitored.

rx

(Optional) Specifies that only received traffic is monitored.

both

(Optional) Specifies that both transmitted and received traffic is monitored. both is the default.


Defaults

The default type of traffic to monitor is both.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

If you do not enable SPAN, then attaching a sniffer to one of the switch ports only captures traffic to or from that port. To capture traffic to or from multiple ports, you need to enable SPAN and identify the ports you want to monitor.

Use caution while connecting a SPAN destination port to another switch, as it could result in network loops.

Examples

The following example configures the Ethernet 0/1 port as the destination port which monitors the Ethernet 0/0 and Ethernet 0/2 ports:

hostname(config)# interface ethernet 0/1
hostname(config-if)# switchport monitor ethernet 0/0
hostname(config-if)# switchport monitor ethernet 0/2
 
   

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

show running-config interface

Shows the interface configuration in the running configuration.

switchport access vlan

Assigns the switch port to a VLAN.

switchport protected

Prevents a switch port from communicating with other switch port on the same VLAN for extra security.


switchport protected

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the switchport protected command in interface configuration mode to prevent the switch port from communicating with other protected switch ports on the same VLAN. This feature provides extra security to the other switch ports on a VLAN if one switch port becomes compromised.

switchport protected

no switchport protected

Syntax Description

This command has no arguments or keywords.

Defaults

By default, the interfaces are not protected.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the switchport protected command to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.

Communication to and from unprotected ports is not restricted by this command.

Examples

The following example configures seven switch ports. The Ethernet 0/4, 0/5, and 0/6 are assigned to the DMZ network and are protected from each other.

hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 300
hostname(config-if)# switchport protected
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface ethernet 0/5
hostname(config-if)# switchport access vlan 300
hostname(config-if)# switchport protected
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface ethernet 0/6
hostname(config-if)# switchport access vlan 300
hostname(config-if)# switchport protected
hostname(config-if)# no shutdown
 
   
...
 
   

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

show running-config interface

Shows the interface configuration in the running configuration.

switchport access vlan

Assigns the switch port to a VLAN.

switchport mode

Sets the VLAN mode to be access or trunk.

switchport trunk allowed vlan

Assigns VLANs to a trunk port.


switchport trunk

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the switchport trunk command in interface configuration mode to assign VLANs to the trunk port. Use the no form of the command to remove a VLAN from the trunk.

switchport trunk {allowed vlans vlan_range | native vlan vlan}

no switchport trunk {allowed vlans vlan_range | native vlan vlan}

Syntax Description

allowed vlans vlan_range

Identifies one or more VLANs that you can assign to the trunk port. The VLAN ID is between 1 and 4090.

The vlan_range can be identified in one of the following ways:

A single number (n)

A range (n-x)

Separate numbers and ranges by commas, for example:

5,7-10,13,45-100

You can enter spaces instead of commas, but the command is saved to the configuration with commas.

You can include the native VLAN in this command, but it is not required; the native VLAN is passed whether it is included in this command or not.

native vlan vlan

Assigns a native VLAN to the trunk. Packets on the native VLAN are not modified when sent over the trunk.

For example, if a port has VLANs 2, 3 and 4 assigned to it, and VLAN 2 is the native VLAN, then packets on VLAN 2 that egress the port are not modified with an 802.1Q header. Frames that ingress (enter) this port and have no 802.1Q header are put into VLAN 2.

Each port can only have one native VLAN, but every port can have either the same or a different native VLAN.


Defaults

By default, no VLANs are assigned to the trunk.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.2(1)

This command was introduced.

7.2(2)

This command was modified to allow more than 3 VLANs per switch port. Also, you can now configure multiple trunk ports, instead of being limited to only one. This command also uses commas instead of spaces to separate VLAN IDs.

7.2(4)/8.0(4)

Native VLAN support was introduced with the native vlan keywords.


Usage Guidelines

If you want to create a trunk port to pass multiple VLANs on the switch port, set the mode to trunk mode using the switchport mode trunk command, and then use the switchport trunk command to assign VLANs to the trunk. This switch port cannot pass traffic until you assign at least one VLAN to it. If you set the mode to trunk mode, and you have not yet configured the switchport trunk allowed vlan command, the switch port remains in "line protocol down" state and cannot participate in traffic forwarding. Trunk mode is available only with the Security Plus license. The switchport trunk command does not take effect unless the mode is set to trunk mode using the switchport mode trunk command.


Note This command is not downgrade-compatible to Version 7.2(1); the commas separating the VLANs are not recognized in 7.2(1). If you downgrade, be sure to separate the VLANs with spaces, and do not exceed the 3 VLAN limit.


Examples

The following example configures seven VLAN interfaces, including the failover interface which is configured using the failover lan command. VLANs 200, 201, and 202 are trunked on Ethernet 0/1.

hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface vlan 201
hostname(config-if)# nameif dept1
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.2.1 255.255.255.0
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface vlan 202
hostname(config-if)# nameif dept2
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.3.1 255.255.255.0
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface vlan 300
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.3.1.1 255.255.255.0
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface vlan 400
hostname(config-if)# nameif backup-isp
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown
 
   
hostname(config-if)# failover lan faillink vlan500
hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 
255.255.255.0
 
   
hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport mode trunk
hostname(config-if)# switchport trunk allowed vlan 200-202
hostname(config-if)# switchport trunk native vlan 5
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 400
hostname(config-if)# no shutdown
 
   
hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 500
hostname(config-if)# no shutdown
 
   

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

show running-config interface

Shows the interface configuration in the running configuration.

switchport access vlan

Assigns the switch port to a VLAN.

switchport mode

Sets the VLAN mode to be access or trunk.

switchport protected

Prevents a switch port from communicating with other switch ports on the same VLAN for extra security.


synack-data

To set the action for TCP SYNACK packets that contain data, use the synack-data command in tcp-map configuration mode. To set the value back to the default, use the no form of this command. This command is part of the TCP normalization policy enabled using the set connection advanced-options command.

synack-data {allow | drop}

no synack-data

Syntax Description

allow

Allows TCP SYNACK packets that contain data.

drop

Drops TCP SYNACK packets that contain data.


Defaults

The default action is to drop TCP SYNACK packets that contain data.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tcp-map configuration


Command History

Release
Modification

7.2(4)/8.0(4)

This command was introduced.


Usage Guidelines

To enable TCP normalization, use the Modular Policy Framework:

1. tcp-map—Identifies the TCP normalization actions.

a. synack-data—In tcp-map configuration mode, you can enter the synack-data command and many others.

2. class-map—Identify the traffic on which you want to perform TCP normalization.

3. policy-map—Identify the actions associated with each class map.

a. class—Identify the class map on which you want to perform actions.

b. set connection advanced-options—Identify the tcp-map you created.

4. service-policy—Assigns the policy map to an interface or globally.

Examples

The following example sets the security appliance to allow TCP SYNACK packets that contain data:

hostname(config)# tcp-map tmap
hostname(config-tcp-map)# synack-data allow
hostname(config)# class-map cmap
hostname(config-cmap)# match any
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# set connection advanced-options tmap
hostname(config)# service-policy pmap global
hostname(config)#
 
   

Related Commands

Command
Description

class-map

Identifies traffic for a service policy.

policy-map

dentifies actions to apply to traffic in a service policy.

set connection advanced-options

Enables TCP normalization.

service-policy

Applies a service policy to interface(s).

show running-config tcp-map

Shows the TCP map configuration.

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.


syn-data

To allow or drop SYN packets with data, use the syn-data command in tcp-map configuration mode. To remove this specification, use the no form of this command.

syn-data {allow | drop}

no syn-data {allow | drop}

Syntax Description

allow

Allows SYN packets that contain data.

drop

Drops SYN packets that contain data.


Defaults

Packets with SYN data are allowed by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tcp-map configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. Use the syn-data command in tcp-map configuration mode to drop packets with data in SYN packets.

According to the TCP specification, TCP implementations are required to accept data contained in a SYN packet. Because this is a subtle and obscure point, some implementations may not handle this correctly. To avoid any vulnerabilities to insertion attacks involving incorrect end-system implementations, you may choose to drop packets with data in SYN packets.

Examples

The following example shows how to drop SYN packets with data on all TCP flows:

hostname(config)# access-list TCP extended permit tcp any any
hostname(config)# tcp-map tmap
hostname(config-tcp-map)# syn-data drop
hostname(config)# class-map cmap
hostname(config-cmap)# match access-list TCP
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# set connection advanced-options tmap
hostname(config)# service-policy pmap global
hostname(config)# 
 
   

Related Commands

Command
Description

class

Specifies a class map to use for traffic classification.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

set connection

Configures connection values.

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.


sysopt connection permit-vpn

For traffic that enters the security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.

sysopt connection permit-vpn

no sysopt connection permit-vpn

Syntax Description

This command has no arguments or keywords.

Defaults

This feature is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command is now enabled by default. Also, only interface access lists are bypassed; group policy or per-user access lists remain in force.

7.1(1)

This command was changed from sysopt connection permit-ipsec.


Usage Guidelines

By default, the security appliance allows VPN traffic to terminate on a security appliance interface; you do not need to allow IKE or ESP (or other types of VPN packets) in an interface access list. By default, you also do not need an interface access list for local IP addresses of decrypted VPN packets. Because the VPN tunnel was terminated successfully using VPN security mechanisms, this feature simplifies configuration and maximizes the security appliance performance without any security risks. (Group policy and per-user authorization access lists still apply to the traffic.)

You can require an interface access list to apply to the local IP addresses by entering the no sysopt connection permit-vpn command. See the the access-list and access-group commands to create an access list and apply it to an interface. The access list applies to the local IP address, and not to the original client IP address used before the VPN packet was decrypted.

Examples

The following example requires decrypted VPN traffic to comply with interface access lists:

hostname(config)# no sysopt connection permit-vpn
 
   

Related Commands

Command
Description

clear configure sysopt

Clears the sysopt command configuration.

show running-config sysopt

Shows the sysopt command configuration.

sysopt connection tcpmss

Overrides the maximum TCP segment size or ensures that the maximum is not less than a specified size.

sysopt connection timewait

Forces each TCP connection to linger in a shortened TIME_WAIT state after the final normal TCP close-down sequence.


sysopt connection preserve-vpn-flows

To preserve and resume stateful (TCP) tunneled IPsec LAN-to-LAN traffic within the timeout period after the tunnel drops and recovers, use the sysopt connection preserve-vpn-flows command. To disable this feature, use the no form of this command.

sysopt connection preserve-vpn-flows

no sysopt connection preserve-vpn-flows

Syntax Description

This command has no arguments or keywords.

Defaults

This feature is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.0(4)

This command was introduced.


Usage Guidelines

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout window, data continues flowing successfully because the security appliance still has access to the state information in the original flow.

This command supports only IPsec LAN-to-LAN tunnels, including Network Extension Mode. It does not support AnyConnect/SSL VPN or IPsec remote-access tunnels.

Examples

The following example specifies that the state information for the tunnel will be preserved and the tunneled IPsec LAN-to-LAN VPN traffic will resume after the tunnel drops and is reestablished within the timeout period:

hostname(config)# no sysopt connection preserve-vpn-flows

To see whether this feature is enabled, enter the show run all command for sysopt:

hostname(config)# show run all sysopt

A sample result follows. For illustrative purposes, in this and all following examples, the preserve-vpn-flows item is bolded:

	no sysopt connection timewait
	sysopt connection tcpmss 1380
	sysopt connection tcpmss minimum 0
	no sysopt nodnsalias inbound
	no sysopt nodnsalias outbound
	no sysopt radius ignore-secret
	sysopt connection permit-vpn
	no sysopt connection reclassify-vpn
	no sysopt connection preserve-vpn-flows
	hostname(config)#
 
   

sysopt connection reclassify-vpn

To reclassify existing VPN flows, use the sysopt connection reclassify-vpn command in global configuration mode. To disable this feature, use the no form of this command.

sysopt connection reclassify-vpn

no sysopt connection reclassify-vpn

Syntax Description

This command has no arguments or keywords.

Defaults

This feature is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.0(2)

This command was introduced


Usage Guidelines

When VPN tunnels come up, this command reclassifies existing VPN flows to make sure that flows that need encryption get torn down and recreated.

This command only applies for LAN-to-LAN and dynamic VPNs. This command has no effect on EZVPN or VPN client connections.

Examples

The following example enables VPN reclassification:

hostname(config)# sysopt connection reclassify-vpn
 
   

Related Commands

Command
Description

clear configure sysopt

Clears the sysopt command configuration.

show running-config sysopt

Shows the sysopt command configuration.

sysopt connection permit-vpn

Permits any packets that come from an IPsec tunnel without checking any acess lists for interfaces.

sysopt connection tcpmss

Overrides the maximum TCP segment size or ensures that the maximum is not less than a specified size.

sysopt connection timewait

Forces each TCP connection to linger in a shortened TIME_WAIT state after the final normal TCP close-down sequence.


sysopt connection tcpmss

To ensure that the maximum TCP segment size does not exceed the value you set and that the maximum is not less than a specified size, use the sysopt connection tcpmss command in global configuration mode. To restore the default setting, use the no form of this command.

sysopt connection tcpmss [minimum] bytes

no sysopt connection tcpmss [minimum] [bytes]

Syntax Description

bytes

Sets the maximum TCP segment size in bytes, between 48 and any maximum number. The default value is 1380 bytes. You can disable this feature by setting bytes to 0.

For the minimum keyword, the bytes represent the smallest maximum value allowed.

minimum

Overrides the maximum segment size to be no less than bytes, between 48 and 65535 bytes. This feature is disabled by default (set to 0).


Defaults

The default maximum value is 1380 bytes. The minimum feature is disabled by default (set to 0).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Both the host and the server can set the maximum segment size when they first establish a connection. If either maximum exceeds the value you set with the sysopt connection tcpmss command, then the security appliance overrides the maximum and inserts the value you set. If either maximum is less than the value you set with the sysopt connection tcpmss minimum command, then the security appliance overrides the maximum and inserts the "minimum" value you set (the minimum value is actually the smallest maximum allowed). For example, if you set a maximum size of 1200 bytes and a minimum size of 400 bytes, when a host requests a maximum size of 1300 bytes, then the security appliance alters the packet to request 1200 bytes (the maximum). If another host requests a maximum value of 300 bytes, then the security appliance alters the packet to request 400 bytes (the minimum).

The default of 1380 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default MTU for Ethernet. See the following calculation:

1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes

If the host or server does not request a maximum segment size, the security appliance assumes that the RFC 793 default value of 536 bytes is in effect.

If you set the maximum size to be greater than 1380, packets might become fragmented, depending on the MTU size (which is 1500 by default). Large numbers of fragments can impact the performance of the security appliance when it uses the Frag Guard feature. Setting the minimum size prevents the TCP server from sending many small TCP data packets to the client and impacting the performance of the server and the network.


Note Although not advised for normal use of this feature, if you encounter the syslog IPFRAG messages 209001 and 209002, you can raise the bytes value.


Examples

The following example sets the maximum size to 1200 and the minimum to 400:

hostname(config)# sysopt connection tcpmss 1200
hostname(config)# sysopt connection tcpmss minimum 400
 
   

Related Commands

Command
Description

clear configure sysopt

Clears the sysopt command configuration.

show running-config sysopt

Shows the sysopt command configuration.

sysopt connection permit-ipsec

Permits any packets that come from an IPSec tunnel without checking any ACLs for interfaces.

sysopt connection timewait

Forces each TCP connection to linger in a shortened TIME_WAIT state after the final normal TCP close-down sequence.


sysopt connection timewait

To force each TCP connection to linger in a shortened TIME_WAIT state of at least 15 seconds after the final normal TCP close-down sequence, use the sysopt connection timewait command in global configuration mode. To disable this feature, use the no form of this command. You might want to use this feature if an end host application default TCP terminating sequence is a simultaneous close.

sysopt connection timewait

no sysopt connection timewait


Note An RST packet (not a normal TCP close-down sequence) will also trigger the 15 second delay. The security appliance holds on to the connection for 15 seconds after receiving the last packet (either FIN/ACK or RST) of the connection.


Syntax Description

This command has no arguments or keywords.

Defaults

This feature is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The default behavior of the security appliance is to track the shutdown sequence and release the connection after two FINs and the ACK of the last FIN segment. This quick release heuristic enables the security appliance to sustain a high connection rate, based on the most common closing sequence, known as the normal close sequence. However, in a simultaneous close, both ends of the transaction initiate the closing sequence, as opposed to the normal close sequence where one end closes and the other end acknowledges prior to initiating its own closing sequence (see RFC 793). Thus, in a simultaneous close, the quick release forces one side of the connection to linger in the CLOSING state. Having many sockets in the CLOSING state can degrade the performance of an end host. For example, some WinSock mainframe clients are known to exhibit this behavior and degrade the performance of the mainframe server. Using the sysopt connection timewait command creates a window for the simultaneous close down sequence to complete.

Examples

The following example enables the timewait feature:

hostname(config)# sysopt connection timewait
 
   

Related Commands

Command
Description

clear configure sysopt

Clears the sysopt command configuration.

show running-config sysopt

Shows the sysopt command configuration.

sysopt connection permit-ipsec

Permits any packets that come from an IPSec tunnel without checking any ACLs for interfaces.

sysopt connection tcpmss

Overrides the maximum TCP segment size or ensures that the maximum is not less than a specified size.


sysopt nodnsalias

To disable DNS inspection that alters the DNS A record address when you use the alias command, use the sysopt nodnsalias command in global configuration mode. To disable this feature, use the no form of this command. You might want to disable DNS application inspection if you want the alias command to perform only NAT, and DNS packet alteration is undesirable.

sysopt nodnsalias {inbound | outbound}

no sysopt nodnsalias {inbound | outbound}

Syntax Description

inbound

Disables DNS record alteration for packets from lower security interfaces to higher security interfaces specified by an alias command.

outbound

Disables DNS record alteration for packets from higher security interfaces specified by an alias command to lower security interfaces.


Defaults

This feature is disabled by default (DNS record address alteration is enabled).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The alias command performs NAT and DNS A record address alteration. In some cases, you might want to disable the DNS record alteration.

Examples

The following example disables the DNS address alteration for inbound packets:

hostname(config)# sysopt nodnsalias inbound
 
   

Related Commands

Command
Description

alias

Translates an outside address and alters the DNS records to accommodate the translation.

clear configure sysopt

Clears the sysopt command configuration.

show running-config sysopt

Shows the sysopt command configuration.

sysopt noproxyarp

Disables proxy ARP on an interface.


sysopt noproxyarp

To disable proxy ARP for NAT global addresses or VPN client addresses on an interface, use the sysopt noproxyarp command in global configuration mode. To reenable proxy ARP, use the no form of this command.

sysopt noproxyarp interface_name

no sysopt noproxyarp interface_name

Syntax Description

interface_name

The interface name for which you want to disable proxy ARP.


Defaults

Proxy ARP is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.0(3)

This command was extended to affect VPN proxy ARPs when the VPN client addresses overlap with an internal network.


Usage Guidelines

If you have a VPN client address pool that overlaps with an existing network, the security appliance by default sends proxy ARPs on all interfaces. If you have another interface that is on the same Layer 2 domain, it will see the ARP requests and will answer with the MAC address of its interface. The result of this is that the return traffic of the VPN clients towards the internal hosts will go to the wrong interface and will get dropped. In this case, you need to enter the sysopt noproxyarp command for the interface where you do not want proxy ARPs.

In rare circumstances, you might want to disable proxy ARP for NAT global addresses.

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking "Who is this IP address?" The device owning the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP is when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the security appliance interfac