Cisco ASA 5500 Series Command Reference, 8.2
icmp -- import webvpn webcontent

icmp through import webvpn webcontent Commands

Table Of Contents

icmp through import webvpn webcontent Commands

icmp

icmp unreachable

icmp-object

id-cert-issuer

id-mismatch

id-randomization

id-usage (crypto ca trustpoint)

igmp

igmp access-group

igmp forward interface

igmp join-group

igmp limit

igmp query-interval

igmp query-max-response-time

igmp query-timeout

igmp static-group

igmp version

ignore-ipsec-keyusage

ignore lsa mospf

ike-retry-count

im

imap4s

import webvpn AnyConnect-customization

import webvpn customization

import webvpn plug-in protocol

import webvpn translation-table

import webvpn url-list

import webvpn webcontent


icmp through import webvpn webcontent Commands


icmp

To configure access rules for ICMP traffic that terminates at an adaptive security appliance interface, use the icmp command. To remove the configuration, use the no form of this command.

icmp {permit | deny} ip_address net_mask [icmp_type] if_name

no icmp {permit | deny} ip_address net_mask [icmp_type] if_name

Syntax Description

deny

Deny access if the conditions are matched.

icmp_type

(Optional) ICMP message type (see Table 13-1).

if_name

The interface name.

ip_address

The IP address of the host sending ICMP messages to the interface.

net_mask

The mask to be applied to ip_address.

permit

Permit access if the conditions are matched.


Defaults

The default behavior of the adaptive security appliance is to allow all ICMP traffic to the adaptive security appliance interfaces. However, by default the adaptive security appliance does not respond to ICMP echo requests directed to a broadcast address. The adaptive security appliance also denies ICMP messages received at the outside interface for destinations on a protected interface.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The icmp command controls ICMP traffic that terminates on any adaptive security appliance interface. If no ICMP control list is configured, then the adaptive security appliance accepts all ICMP traffic that terminates at any interface, including the outside interface. However, by default, the adaptive security appliance does not respond to ICMP echo requests directed to a broadcast address.

The adaptive security appliance only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.

The icmp deny command disables pinging to an interface, and the icmp permit command enables pinging to an interface. With pinging disabled, the adaptive security appliance cannot be detected on the network. This is also referred to as configurable proxy pinging.

Use the access-list extended or access-group commands for ICMP traffic that is routed through the adaptive security appliance for destinations on a protected interface.

We recommend that you grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic. See RFC 1195 and RFC 1435 for details about Path MTU Discovery.

If an ICMP control list is configured for an interface, then the adaptive security appliance first matches the specified ICMP traffic and then applies an implicit deny for all other ICMP traffic on that interface. That is, if the first matched entry is a permit entry, the ICMP packet continues to be processed. If the first matched entry is a deny entry or an entry is not matched, the adaptive security appliance discards the ICMP packet and generates a syslog message. An exception is when an ICMP control list is not configured; in that case, a permit statement is assumed.

Table 13-1 lists the supported ICMP type values.

Table 13-1 ICMP Types and Literals

ICMP Type   Literal
0           echo-reply
3           unreachable
8           echo
11          time-exceeded


Examples

The following example denies all ping requests and permits all unreachable messages at the outside interface (once a control list exists for the interface, the implicit deny at its end blocks the echo requests):

hostname(config)# icmp permit any unreachable outside

Continue entering the icmp deny any interface command for each additional interface on which you want to deny ICMP traffic.

The following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to receive echo-reply messages at the outside interface:

hostname(config)# icmp permit host 172.16.2.15 echo outside
hostname(config)# icmp permit 172.22.1.0 255.255.0.0 echo outside
hostname(config)# icmp permit any unreachable outside
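To make the first-match and implicit-deny behaviour described in the usage guidelines concrete, here is an added Python model of how an ICMP control list is evaluated; it is illustrative code written for this page, not Cisco's implementation, and the parse_icmp_rule and evaluate functions and the rule set are constructed from the example above.

```python
"""Model of ASA 'icmp' control-list evaluation for ICMP terminating on an interface.

Behaviour taken from the usage guidelines above: entries for an interface are
checked in order and the first match decides; if at least one entry exists for
the interface, anything unmatched is implicitly denied; if no entry exists for
the interface, all ICMP is accepted.  Illustrative code written for this page,
not Cisco's implementation.
"""
import ipaddress

# ICMP type literals accepted by the icmp command (Table 13-1)
ICMP_LITERALS = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}


def parse_icmp_rule(line):
    """Parse one 'icmp {permit | deny} <addr> [icmp_type] if_name' line.

    Address forms: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'.  The ICMP type
    literal is optional; omitting it matches every type.
    """
    tokens = line.replace("hostname(config)#", "").split()
    if len(tokens) < 3 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
        raise ValueError("not an icmp control-list entry: %r" % line)
    action, rest = tokens[1], tokens[2:]
    if rest[0] == "any":
        network, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        network, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
    else:
        # 'A.B.C.D MASK'; strict=False tolerates host bits set in the address
        network = ipaddress.ip_network("%s/%s" % (rest[0], rest[1]), strict=False)
        rest = rest[2:]
    if len(rest) == 1:
        icmp_type = None                      # no literal: matches all ICMP types
    elif len(rest) == 2:
        icmp_type = ICMP_LITERALS[rest[0]]    # KeyError for an unsupported literal
    else:
        raise ValueError("malformed entry: %r" % line)
    return {"action": action, "network": network, "type": icmp_type, "interface": rest[-1]}


def evaluate(rules, src_ip, icmp_type, if_name):
    """Return 'permit' or 'deny' for an ICMP packet of icmp_type from src_ip
    that terminates on interface if_name."""
    rules_on_if = [r for r in rules if r["interface"] == if_name]
    if not rules_on_if:
        return "permit"             # no control list on this interface
    src = ipaddress.ip_address(src_ip)
    for rule in rules_on_if:
        if src in rule["network"] and rule["type"] in (None, icmp_type):
            return rule["action"]   # first match decides
    return "deny"                   # implicit deny at the end of a configured list


# Constructed rule set mirroring the second example above
CONFIG = [
    "icmp permit host 172.16.2.15 echo outside",
    "icmp permit 172.22.1.0 255.255.0.0 echo outside",
    "icmp permit any unreachable outside",
]
RULES = [parse_icmp_rule(line) for line in CONFIG]

if __name__ == "__main__":
    for src, itype, ifc in [("172.16.2.15", 8, "outside"), ("10.9.9.9", 8, "outside"),
                            ("10.9.9.9", 3, "outside"), ("10.9.9.9", 8, "inside")]:
        print("%-12s type %-2d on %-7s -> %s" % (src, itype, ifc, evaluate(RULES, src, itype, ifc)))
```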

Related Commands

Commands
Description

clear configure icmp

Clears the ICMP configuration.

debug icmp

Enables the display of debug information for ICMP.

show icmp

Displays ICMP configuration.

timeout icmp

Configures the idle timeout for ICMP.


icmp unreachable

To configure the unreachable ICMP message rate limit for ICMP traffic that terminates at an adaptive security appliance interface, use the icmp unreachable command. To remove the configuration, use the no form of this command.

icmp unreachable rate-limit rate burst-size size

no icmp unreachable rate-limit rate burst-size size

Syntax Description

rate-limit rate

Sets the rate limit of unreachable messages, between 1 and 100 messages per second. The default is 1 message per second.

burst-size size

Sets the burst rate, between 1 and 10. This keyword is not currently used by the system, so you can choose any value.


Defaults

The default rate limit is 1 message per second.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.2(2)

This command was introduced.


Usage Guidelines

If you allow ICMP messages, including unreachable messages, to terminate on an adaptive security appliance interface (see the icmp command), then you can control the rate of unreachable messages.

This command, along with the set connection decrement-ttl command, is required to allow a traceroute through the adaptive security appliance that shows the adaptive security appliance as one of the hops.

Examples

The following example enables time to live decrements and sets the ICMP unreachable rate limit:

hostname(config)# policy-map localpolicy1
hostname(config-pmap)# class local_server
hostname(config-pmap-c)# set connection decrement-ttl
hostname(config-pmap-c)# exit
hostname(config)# icmp permit host 172.16.2.15 echo-reply outside
hostname(config)# icmp permit 172.22.1.0 255.255.0.0 echo-reply outside
hostname(config)# icmp permit any unreachable outside
hostname(config)# icmp unreachable rate-limit 50 burst-size 1

Related Commands

Commands
Description

clear configure icmp

Clears the ICMP configuration.

debug icmp

Enables the display of debug information for ICMP.

set connection decrement-ttl

Decrements the time to live value for a packet.

show icmp

Displays ICMP configuration.

timeout icmp

Configures the idle timeout for ICMP.


icmp-object

To add an icmp-type object to an icmp-type object group, use the icmp-object command in icmp-type configuration mode. To remove the object from the group, use the no form of this command.

icmp-object icmp_type

no icmp-object icmp_type

Syntax Description

icmp_type

Specifies an icmp-type name.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Icmp-type configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The icmp-object command is used with the object-group command to define an icmp-type object. It is used in icmp-type configuration mode.

ICMP type numbers and names include:

Number   ICMP Type Name
0        echo-reply
3        unreachable
4        source-quench
5        redirect
6        alternate-address
8        echo
9        router-advertisement
10       router-solicitation
11       time-exceeded
12       parameter-problem
13       timestamp-request
14       timestamp-reply
15       information-request
16       information-reply
17       address-mask-request
18       address-mask-reply
31       conversion-error
32       mobile-redirect


Examples

The following example shows how to use the icmp-object command in icmp-type configuration mode:

hostname(config)# object-group icmp-type icmp_allowed
hostname(config-icmp-type)# icmp-object echo
hostname(config-icmp-type)# icmp-object time-exceeded
hostname(config-icmp-type)# exit

Related Commands

Command
Description

clear configure object-group

Removes all the object-group commands from the configuration.

network-object

Adds a network object to a network object group.

object-group

Defines object groups to optimize your configuration.

port-object

Adds a port object to a service object group.

show running-config object-group

Displays the current object groups.


id-cert-issuer

To indicate whether the system accepts peer certificates issued by the CA associated with this trustpoint, use the id-cert-issuer command in crypto ca-trustpoint configuration mode. Use the no form of this command to disallow certificates that were issued by the CA associated with the trustpoint. This is useful for trustpoints that represent widely used root CAs.

id-cert-issuer

no id-cert-issuer

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting is enabled (identity certificates are accepted).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca-trustpoint configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Use this command to limit certificate acceptance to those issued by the subordinate certificate of a widely used root certificate. If you do not allow this feature, the adaptive security appliance rejects any IKE peer certificate signed by this issuer.

Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and lets an administrator accept identity certificates signed by the issuer for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# id-cert-issuer
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint submode.

default enrollment

Returns enrollment parameters to their defaults.

enrollment retry count

Specifies the number of retries to attempt to send an enrollment request.

enrollment retry period

Specifies the number of minutes to wait before trying to send an enrollment request.

enrollment terminal

Specifies cut and paste enrollment with this trustpoint.


id-mismatch

To enable logging for excessive DNS ID mismatches, use the id-mismatch command in parameters configuration mode. To disable this feature, use the no form of this command.

id-mismatch [count number duration seconds] action log

no id-mismatch [count number duration seconds] [action log]

Syntax Description

count number

The maximum number of mismatch instances before a system message log is sent.

duration seconds

The period, in seconds, to monitor.


Defaults

This command is disabled by default. If the options are not specified when the command is enabled, the default is 30 mismatches in a period of 3 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

A high rate of DNS ID mismatches may indicate a cache poisoning attack. This command can be enabled to monitor and alert on such attempts. A summarized system message log is printed if the mismatch rate exceeds the configured value. The id-mismatch command provides the system administrator with additional information beyond the regular event-based system message log.

Examples

The following example shows how to enable ID mismatch in a DNS inspection policy map:

hostname(config)# policy-map type inspect dns preset_dns_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# id-mismatch action log

Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Displays all current policy map configurations.


id-randomization

To randomize the DNS identifier for a DNS query, use the id-randomization command in parameters configuration mode. To disable this feature, use the no form of this command.

id-randomization

no id-randomization

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled by default. The DNS identifier from the DNS query does not get modified.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

ID randomization helps protect against cache poisoning attacks.

Examples

The following example shows how to enable ID randomization in a DNS inspection policy map:

hostname(config)# policy-map type inspect dns preset_dns_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# id-randomization
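The id-mismatch and id-randomization sections above describe two parameters of the same DNS inspection engine; the following added Python model shows both working together (query-ID rewriting with restoration on the reply, and counting of unmatched reply IDs against the count/duration threshold). It is illustrative code written for this page, not Cisco's implementation; the DnsInspector class, the build_query helper and the sample DNS messages are constructed for the example.

```python
"""Model of the two DNS-inspection parameters documented above (id-mismatch and
id-randomization).  Illustrative code for this page, not Cisco's implementation.

- id-randomization: each outbound query's 16-bit transaction ID is replaced
  with an unpredictable value; the original ID is restored on the matching
  reply so the client never sees the rewrite.
- id-mismatch: a reply whose ID matches no outstanding query is dropped and
  counted; when more than `count` mismatches occur within `duration` seconds
  (default 30 in 3 seconds), one summarized alert is recorded.

Only the 12-byte DNS header matters here; messages are constructed samples.
"""
import secrets
import struct


def build_query(qid, name=b"example.com"):
    """Construct a minimal DNS query for an A record (constructed sample data)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label for label in name.split(b"."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def dns_id(msg):
    """The transaction ID is the first 16 bits of every DNS message."""
    return struct.unpack("!H", msg[:2])[0]


def set_dns_id(msg, new_id):
    return struct.pack("!H", new_id) + msg[2:]


class DnsInspector:
    def __init__(self, randomize=True, count=30, duration=3.0):
        self.randomize = randomize
        self.count = count
        self.duration = duration
        self.outstanding = {}      # ID on the wire -> original client ID
        self.mismatch_times = []   # timestamps of recent mismatched replies
        self.alerts = []           # summarized log messages

    def outbound_query(self, msg):
        """Rewrite the query ID (if enabled) and remember the mapping."""
        orig = dns_id(msg)
        wire_id = orig
        if self.randomize:
            while wire_id == orig or wire_id in self.outstanding:
                wire_id = secrets.randbelow(0x10000)
        self.outstanding[wire_id] = orig
        return set_dns_id(msg, wire_id)

    def inbound_reply(self, msg, now):
        """Return the reply carrying the client's original ID, or None if it was
        dropped because its ID matched no outstanding query."""
        wire_id = dns_id(msg)
        if wire_id in self.outstanding:
            return set_dns_id(msg, self.outstanding.pop(wire_id))
        self._record_mismatch(now)
        return None

    def _record_mismatch(self, now):
        self.mismatch_times.append(now)
        self.mismatch_times = [t for t in self.mismatch_times if now - t <= self.duration]
        if len(self.mismatch_times) > self.count:
            self.alerts.append("DNS ID mismatch rate exceeded: %d mismatches in %g s"
                               % (len(self.mismatch_times), self.duration))
            self.mismatch_times.clear()   # one summarized message per burst


if __name__ == "__main__":
    insp = DnsInspector()
    query = build_query(0x1234)
    on_wire = insp.outbound_query(query)
    print("client ID 0x%04x rewritten to 0x%04x" % (0x1234, dns_id(on_wire)))
    restored = insp.inbound_reply(set_dns_id(query, dns_id(on_wire)), now=0.0)
    print("reply restored to client ID 0x%04x" % dns_id(restored))
    for i in range(31):                 # 31 unmatched replies within 1.5 s
        insp.inbound_reply(set_dns_id(query, 0x0001), now=i * 0.05)
    print(insp.alerts)
```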

Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Displays all current policy map configurations.


id-usage (crypto ca trustpoint)

To specify how the enrolled identity of a certificate can be used, use the id-usage command in crypto ca trustpoint configuration mode. To set the usage of the certificate to the default, ssl-ipsec, use the no form of this command.

id-usage {ssl-ipsec | code-signer}

no id-usage {ssl-ipsec | code-signer}

Syntax Description

code-signer

The device identity represented by this certificate is used as a Java code signer to verify applets provided to remote users.

ssl-ipsec

(Default) The device identity represented by this certificate can be used as the server-side identity for SSL or IPSec-encrypted connections.


Defaults

The id-usage command default is ssl-ipsec.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

Remote-access VPNs can use SSL, IPSec, or both protocols, depending on deployment requirements, to permit access to virtually any network application or resource. The id-usage command allows you to specify the type of access to various certificate-protected resources.

A CA identity and, in some cases, a device identity are based on a certificate issued by the CA. All of the commands within the crypto ca trustpoint mode control CA-specific configuration parameters, which specify how the adaptive security appliance obtains the CA certificate, how the adaptive security appliance obtains its certificate from the CA, and the authentication policies for user certificates issued by the CA.

Only a single instance of the id-usage command can be present in a trustpoint configuration. To enable the trustpoint for code-signer and/or ssl-ipsec, use a single instance which can specify either or both options.

Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and designates it a code-signer certificate:

hostname(config)# crypto ca trustpoint central
hostname(config-ca-trustpoint)# id-usage code-signer
hostname(config-ca-trustpoint)#

The following example enters crypto ca trustpoint configuration mode for trustpoint general, and designates it as both a code-signer certificate and as a server side identity for SSL or IPSec connections:

hostname(config)# crypto ca trustpoint general
hostname(config-ca-trustpoint)# id-usage code-signer ssl-ipsec
hostname(config-ca-trustpoint)#

The following example enters crypto ca trustpoint configuration mode for trustpoint checkin1, and resets it to limit its use to SSL or IPSec connections:

hostname(config)# crypto ca trustpoint checkin1
hostname(config-ca-trustpoint)# no id-usage ssl-ipsec
hostname(config-ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

java-trustpoint

Configures the WebVPN Java object signing facility to use a PKCS12 certificate and keying material from a specified trustpoint location.

ssl trust-point

Specifies the certificate that represents the SSL certificate for an interface.

trust-point (tunnel-group ipsec-attributes mode)

Specifies the name that identifies the certificate to be sent to the IKE peer.

validation-policy

Specifies conditions for validating certificates associated with user connections.


igmp

To reinstate IGMP processing on an interface, use the igmp command in interface configuration mode. To disable IGMP processing on an interface, use the no form of this command.

igmp

no igmp

Syntax Description

This command has no arguments or keywords.

Defaults

Enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Only the no form of this command appears in the running configuration.

Examples

The following example disables IGMP processing on the selected interface:

hostname(config-if)# no igmp

Related Commands

Command
Description

show igmp groups

Displays the multicast groups with receivers that are directly connected to the adaptive security appliance and that were learned through IGMP.

show igmp interface

Displays multicast information for an interface.


igmp access-group

To control the multicast groups that hosts on the subnet serviced by an interface can join, use the igmp access-group command in interface configuration mode. To disable groups on the interface, use the no form of this command.

igmp access-group acl

no igmp access-group acl

Syntax Description

acl

Name of an IP access list. You can specify a standard or an extended access list. However, if you specify an extended access list, only the destination address is matched; you should specify any for the source.


Defaults

All groups are allowed to join on an interface.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was moved to interface configuration mode. Earlier versions required you to enter multicast interface configuration mode, which is no longer available.


Examples

The following example limits hosts permitted by access list 1 to join the group:

hostname(config)# interface gigabitethernet 0/0
hostname(config-if)# igmp access-group 1

Related Commands

Command
Description

show igmp interface

Displays multicast information for an interface.


igmp forward interface

To enable forwarding of all IGMP host reports and leave messages received to the interface specified, use the igmp forward interface command in interface configuration mode. To remove the forwarding, use the no form of this command.

igmp forward interface if-name

no igmp forward interface if-name

Syntax Description

if-name

Logical name of the interface.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was moved to interface configuration mode. Earlier versions required you to enter multicast interface configuration mode, which is no longer available.


Usage Guidelines

Enter this command on the input interface. This command is used for stub multicast routing and cannot be configured concurrently with PIM.

Examples

The following example forwards IGMP host reports from the current interface to the specified interface:

hostname(config)# interface gigabitethernet 0/0
hostname(config-if)# igmp forward interface outside

Related Commands

Command
Description

show igmp interface

Displays multicast information for an interface.


igmp join-group

To configure an interface to be a locally connected member of the specified group, use the igmp join-group command in interface configuration mode. To cancel membership in the group, use the no form of this command.

igmp join-group group-address

no igmp join-group group-address

Syntax Description

group-address

IP address of the multicast group.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was moved to interface configuration mode. Earlier versions required you to enter multicast interface configuration mode, which is no longer available.


Usage Guidelines

This command configures an adaptive security appliance interface to be a member of a multicast group. The igmp join-group command causes the adaptive security appliance to both accept and forward multicast packets destined for the specified multicast group.

To configure the security appliance to forward the multicast traffic without being a member of the multicast group, use the igmp static-group command.

Examples

The following example configures the selected interface to join the IGMP group 225.2.2.2:

hostname(config)# interface gigabitethernet 0/0
hostname(config-if)# igmp join-group 225.2.2.2

Related Commands

Command
Description

igmp static-group

Configures the interface to be a statically connected member of the specified multicast group.


igmp limit

To limit the number of IGMP states on a per-interface basis, use the igmp limit command in interface configuration mode. To restore the default limit, use the no form of this command.

igmp limit number

no igmp limit [number]

Syntax Description

number

Number of IGMP states allowed on the interface. Valid values range from 0 to 500. The default value is 500. Setting this value to 0 prevents learned groups from being added, but manually defined memberships (using the igmp join-group and igmp static-group commands) are still permitted.


Defaults

The default is 500.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was introduced. It replaced the igmp max-groups command.


Examples

The following example limits the number of IGMP states on the interface to 250:

hostname(config)# interface gigabitethernet 0/0
hostname(config-if)# igmp limit 250

Related Commands

Command
Description

igmp

Reinstates IGMP processing on an interface.

igmp join-group

Configures an interface to be a locally connected member of the specified group.

igmp static-group

Configures the interface to be a statically connected member of the specified multicast group.


igmp query-interval

To configure the frequency at which IGMP host query messages are sent by the interface, use the igmp query-interval command in interface configuration mode. To restore the default frequency, use the no form of this command.

igmp query-interval seconds

no igmp query-interval seconds

Syntax Description

seconds

Frequency, in seconds, at which to send IGMP host query messages. Valid values range from 1 to 3600. The default is 125 seconds.


Defaults

The default query interval is 125 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was moved to interface configuration mode. Earlier versions required you to enter multicast interface configuration mode, which is no longer available.


Usage Guidelines

Multicast routers send host query messages to discover which multicast groups have members on the networks attached to the interface. Hosts respond with IGMP report messages indicating that they want to receive multicast packets for specific groups. Host query messages are addressed to the all-hosts multicast group, which has an address of 224.0.0.1, and are sent with a TTL value of 1.

The designated router for a LAN is the only router that sends IGMP host query messages:

For IGMP Version 1, the designated router is elected according to the multicast routing protocol that runs on the LAN.

For IGMP Version 2, the designated router is the lowest IP-addressed multicast router on the subnet.

If the router hears no queries for the timeout period (controlled by the igmp query-timeout command), it becomes the querier.


Caution: Changing this value may severely impact multicast forwarding.

Examples

The following example changes the IGMP query interval to 120 seconds:

hostname(config)# interface gigabitethernet 0/0
hostname(config-if)# igmp query-interval 120

Related Commands

Command
Description

igmp query-max-response-time

Configures the maximum response time advertised in IGMP queries.

igmp query-timeout

Configures the timeout period before the router takes over as the querier for the interface after the previous querier has stopped querying.


igmp query-max-response-time

To specify the maximum response time advertised in IGMP queries, use the igmp query-max-response-time command in interface configuration mode. To restore the default response time value, use the no form of this command.

igmp query-max-response-time seconds

no igmp query-max-response-time [seconds]

Syntax Description

seconds

Maximum response time, in seconds, advertised in IGMP queries. Valid values are from 1 to 25. The default value is 10 seconds.


Defaults

10 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was moved to interface configuration mode. Earlier versions required you to enter multicast interface configuration mode, which is no longer available.


Usage Guidelines

This command is valid only when IGMP Version 2 or 3 is running.

This command controls the period during which the responder can respond to an IGMP query message before the router deletes the group.

Examples

The following example changes the maximum query response time to 8 seconds:

hostname(config)# interface gigabitethernet 0/0
hostname(config-if)# igmp query-max-response-time 8

Related Commands

Command
Description

igmp query-interval

Configures the frequency at which IGMP host query messages are sent by the interface.

igmp query-timeout

Configures the timeout period before the router takes over as the querier for the interface after the previous querier has stopped querying.


igmp query-timeout

To configure the timeout period before the interface takes over as the querier after the previous querier has stopped querying, use the igmp query-timeout command in interface configuration mode. To restore the default value, use the no form of this command.

igmp query-timeout seconds

no igmp query-timeout [seconds]

Syntax Description

seconds

Number of seconds that the router waits after the previous querier has stopped querying and before it takes over as the querier. Valid values are from 60 to 300 seconds. The default value is 255 seconds.


Defaults

The default query timeout is 255 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

This command requires IGMP Version 2 or 3.

Examples

The following example configures the router to wait 200 seconds from the time it received the last query before it takes over as the querier for the interface:

hostname(config)# interface gigabitethernet 0/0
hostname(config-if)# igmp query-timeout 200

Related Commands

Command
Description

igmp query-interval

Configures the frequency at which IGMP host query messages are sent by the interface.

igmp query-max-response-time

Configures the maximum response time advertised in IGMP queries.


igmp static-group

To configure the interface to be a statically connected member of the specified multicast group, use the igmp static-group command in interface configuration mode. To remove the static group entry, use the no form of this command.

igmp static-group group

no igmp static-group group

Syntax Description

group

IP multicast group address.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

When configured with the igmp static-group command, the adaptive security appliance interface does not accept multicast packets destined for the specified group itself; it only forwards them. To configure the adaptive security appliance to both accept and forward multicast packets for a specific multicast group, use the igmp join-group command. If the igmp join-group command is configured for the same group address as the igmp static-group command, the igmp join-group command takes precedence, and the group behaves like a locally joined group.

Examples

The following example adds the selected interface to the multicast group 239.100.100.101:

hostname(config)# interface gigabitethernet 0/0
hostname(config-if)# igmp static-group 239.100.100.101

Related Commands

Command
Description

igmp join-group

Configures an interface to be a locally connected member of the specified group.


igmp version

To configure which version of IGMP the interface uses, use the igmp version command in interface configuration mode. To restore version to the default, use the no form of this command.

igmp version {1 | 2}

no igmp version [1 | 2]

Syntax Description

1

IGMP Version 1.

2

IGMP Version 2.


Defaults

IGMP Version 2.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was moved to interface configuration mode. Earlier versions required you to enter multicast interface configuration mode, which is no longer available.


Usage Guidelines

All routers on the subnet must support the same version of IGMP. Hosts can have any IGMP version (1 or 2) and the adaptive security appliance will correctly detect their presence and query them appropriately.

Some commands require IGMP Version 2, such as the igmp query-max-response-time and igmp query-timeout commands.

Examples

The following example configures the selected interface to use IGMP Version 1:

hostname(config)# interface gigabitethernet 0/0
hostname(config-if)# igmp version 1

Related Commands

Command
Description

igmp query-max-response-time

Configures the maximum response time advertised in IGMP queries.

igmp query-timeout

Configures the timeout period before the router takes over as the querier for the interface after the previous querier has stopped querying.


ignore-ipsec-keyusage

To suppress key-usage checking on IPsec client certificates, use the ignore-ipsec-keyusage command in crypto ca trustpoint configuration mode. To resume key-usage checking, use the no form of this command.

ignore-ipsec-keyusage

no ignore-ipsec-keyusage

Syntax Description

This command has no arguments or keywords.

Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Config-ca-trustpoint configuration


Command History

Release
Modification

8.0(2)

This command was introduced as a safety measure and was deprecated at the same time. Note that future releases might not offer suppression of key-usage checking.


Usage Guidelines

This command suppresses validation of the Key Usage and Extended Key Usage extensions in the certificates that IPsec remote clients present. Use it only for deployments whose client certificates do not carry the key-usage values required for IKE authentication, and treat it as a temporary workaround: the suppression applies to every certificate validated against the trustpoint, so a certificate issued for some other purpose is then accepted for IPsec client authentication. Prefer reissuing the client certificates with correct key-usage values. Because the command is deprecated, future releases might not offer it.
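The following is an added example, not Cisco code and not part of the original reference, showing what the suppressed check looks at: it decodes the DER values of the Key Usage and Extended Key Usage extensions and applies an acceptance policy to them. The policy (digitalSignature required; an EKU extension, if present, must include id-kp-clientAuth, id-kp-ipsecIKE, or anyExtendedKeyUsage) and the sample extension values are assumptions for illustration; this page does not document the appliance's exact criteria. Running it against the extension values of your client certificates shows which ones would need the check suppressed, and why.

```python
# Added example, not Cisco code: decode the two certificate extensions that
# ignore-ipsec-keyusage stops the appliance from validating, and apply a
# local acceptance policy to them. The policy is an assumption for
# illustration; this page does not document the appliance's own rules.

# Key Usage bit names in BIT STRING bit order (RFC 5280, section 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Extended Key Usage OIDs (RFC 5280 and RFC 4945).
OID_ANY_EKU = "2.5.29.37.0"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_IPSEC_IKE = "1.3.6.1.5.5.7.3.17"


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_key_usage(der):
    """Decode a KeyUsage BIT STRING value into the set of asserted usages."""
    tag, value, _ = _read_tlv(der, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused_bits, bits = value[0], value[1:]
    total_bits = len(bits) * 8 - unused_bits
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)
        if bits[byte] & (0x80 >> bit):     # bit 0 is the MSB of the first byte
            usages.add(KEY_USAGE_BITS[i])
    return usages


def _decode_oid(value):
    """Convert DER OBJECT IDENTIFIER contents to dotted-decimal form."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 byte of this arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def decode_ext_key_usage(der):
    """Decode an ExtKeyUsageSyntax (SEQUENCE OF OID) into a list of OIDs."""
    tag, value, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(value):
        tag, oid_bytes, pos = _read_tlv(value, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(_decode_oid(oid_bytes))
    return oids


def ipsec_client_cert_ok(key_usage_der=None, eku_der=None):
    """Assumed policy: a Key Usage extension, if present, must assert
    digitalSignature (IKE authenticates with a signature); an EKU extension,
    if present, must allow client authentication, IKE, or any usage.
    Absent extensions place no restriction and pass."""
    if key_usage_der is not None:
        if "digitalSignature" not in decode_key_usage(key_usage_der):
            return False
    if eku_der is not None:
        allowed = {OID_ANY_EKU, OID_CLIENT_AUTH, OID_IPSEC_IKE}
        if not allowed & set(decode_ext_key_usage(eku_der)):
            return False
    return True


# Constructed sample extension values (DER), not taken from a real certificate.
KU_SIG_AND_ENC = bytes.fromhex("030205a0")       # digitalSignature, keyEncipherment
KU_CA_ONLY = bytes.fromhex("03020106")           # keyCertSign, cRLSign
EKU_CLIENT_AND_IKE = bytes.fromhex(
    "3014" "06082b06010505070302" "06082b06010505070311")
EKU_SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")

if __name__ == "__main__":
    print("client cert:", ipsec_client_cert_ok(KU_SIG_AND_ENC, EKU_CLIENT_AND_IKE))
    print("CA cert:    ", ipsec_client_cert_ok(KU_CA_ONLY, EKU_CLIENT_AND_IKE))
    print("server cert:", ipsec_client_cert_ok(KU_SIG_AND_ENC, EKU_SERVER_ONLY))
```

The decoder accepts the raw extension value (the contents of the extnValue OCTET STRING); a CA-signing certificate and a server-only certificate both fail the policy, which is the kind of certificate that suppressing the check would let through.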

Examples

The following example shows how to ignore the results of key-usage checking:

hostname(config)# crypto ca trustpoint central
hostname(config-ca-trustpoint)# ignore-ipsec-keyusage
Notice: This command has been deprecated
hostname(config-ca-trustpoint)#

Related Commands

Command
Description

crypto ca trustpoint

Enters crypto ca trustpoint configuration mode.


ignore lsa mospf

To suppress the sending of syslog messages when the router receives LSA Type 6 MOSPF packets, use the ignore lsa mospf command in router configuration mode. To restore the sending of the syslog messages, use the no form of this command.

ignore lsa mospf

no ignore lsa mospf

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Type 6 MOSPF packets are unsupported. Without this command the adaptive security appliance sends a syslog message each time it receives an LSA Type 6 packet; use this command to suppress those messages on networks that contain MOSPF-capable routers.

Examples

The following example causes LSA Type 6 MOSPF packets to be ignored:

hostname(config-router)# ignore lsa mospf

Related Commands

Command
Description

show running-config router ospf

Displays the OSPF router configuration.


ike-retry-count

To configure the maximum number of connection retry attempts a Cisco AnyConnect VPN Client using IKE should make before falling back to SSL to attempt the connection, use the ike-retry-count command in group-policy webvpn configuration mode, or username webvpn configuration mode. To remove this command from the configuration and reset the maximum number of retry attempts to the default value, use the no form of this command.

ike-retry-count {none | value}

no ike-retry-count [none | value]

Syntax Description

none

Specifies that no retry attempts are allowed.

value

Specifies the maximum number of connection retry attempts (1-10) for the Cisco AnyConnect VPN Client to perform after an initial connection failure.


Defaults

The default number of allowed retry attempts is 3.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy webvpn configuration

Username webvpn configuration


Command History

Release
Modification

8.0(2)

This command was introduced


Usage Guidelines

Use the ike-retry-count command to control the number of times that the Cisco AnyConnect VPN Client should attempt to connect using IKE. If the client fails to connect using IKE after the number of retries specified in this command, it falls back to SSL to attempt the connection. This value overrides any value that exists in the Cisco AnyConnect VPN Client.


Note To support fallback from IPsec to SSL, the vpn-tunnel-protocol command must be configured with both the svc and ipsec keywords.


Examples

The following example sets the IKE retry count to 7 for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# ike-retry-count 7
hostname(config-group-webvpn)#

The following example sets the IKE retry count to 9 for the username Finance:

hostname(config)# username Finance attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# ike-retry-count 9
hostname(config-username-webvpn)#

Related Commands

Command
Description

group-policy

Creates or edits a group policy.

ike-retry-timeout

Specifies the number of seconds between IKE retry attempts.

username

Adds a user to the adaptive security appliance database.

vpn-tunnel-protocol

Configures a VPN tunnel type (IPSec, L2TP over IPSec, or WebVPN).

webvpn (group-policy or username mode)

Enters group-policy webvpn configuration mode or username webvpn configuration mode.


im

To enable instant messaging over SIP, use the im command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.

im

no im

Syntax Description

This command has no arguments or keywords.

Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Examples

The following example shows how to enable instant messaging over SIP in a SIP inspection policy map:

hostname(config)# policy-map type inspect sip sip_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# im

Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Display all current policy map configurations.


imap4s

To enter IMAP4S configuration mode, use the imap4s command in global configuration mode. To remove any commands entered in IMAP4S command mode, use the no form of this command.

IMAP4 is a client/server protocol in which your Internet server receives and holds e-mail for you. You (or your e-mail client) can view just the heading and the sender of the letter and then decide whether to download the mail. You can also create and manipulate multiple folders or mailboxes on the server, delete messages, or search for certain parts or an entire note. IMAP requires continual access to the server during the time that you are working with your mail. IMAP4S lets you receive e-mail over an SSL connection.

imap4s

no imap4s

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to enter IMAP4S configuration mode:

hostname(config)# imap4s
hostname(config-imap4s)#

Related Commands

Command
Description

clear configure imap4s

Removes the IMAP4S configuration.

show running-config imap4s

Displays the running configuration for IMAP4S.


import webvpn AnyConnect-customization

To import a file that customizes the AnyConnect client GUI, use the import webvpn AnyConnect-customization command from privileged EXEC mode:

import webvpn AnyConnect-customization type type platform platform name name url

Syntax Description

type

The type of customizing file:

binary—An executable that replaces the AnyConnect GUI.

resource—A resource file, such as the corporate logo.

transform—A transform that customizes the MSI.

platform

The OS of the endpoint device running the AnyConnect client. Specify one of the following: linux, mac-intel, mac-powerpc, win, or win-mobile.

name

The name that identifies the file to import (maximum 64 characters).

url

Remote path and filename from which to import the file, in the form URL/filename (maximum 255 characters).


Defaults

There is no default behavior for this command.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

privileged EXEC


Command History

Release
Modification

8.2(1)

This command was introduced.


Usage Guidelines

For detailed procedures for customizing the AnyConnect client GUI, see the AnyConnect VPN Client Administrator Guide.

Examples

The following example imports the Cisco logo used on the AnyConnect GUI:

hostname# import webvpn AnyConnect-customization type resource platform win name company_logo.bmp tftp://209.165.200.225/cisco_logo.gif

Related Commands

Command
Description

import webvpn customization

Imports an XML file to cache memory as a customization object.

revert webvpn customization

Removes a customization object from cache memory.

show import webvpn customization

Displays information about customization objects resident in cache memory.

show import webvpn anyconnect-customization

Lists the AnyConnect customization files that have been imported.


import webvpn customization

To load a customization object onto the flash device of the adaptive security appliance, enter the import webvpn customization command in privileged EXEC mode.

import webvpn customization name URL

Syntax Description

name

The name that identifies the customization object. Maximum 64 characters.

URL

Remote path to the source of the XML customization object. Maximum 255 characters.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

Make sure WebVPN is enabled on an adaptive security appliance interface before you enter the import webvpn customization command. To do so, enter the show running-config command and confirm that the webvpn section contains an enable entry for the interface.

The adaptive security appliance does the following when you import a customization object:

Copies the customization object from the URL to the adaptive security appliance file system, disk0:/csco_config/customization, as MD5name.

Performs a basic XML syntax check on the file. If the file is invalid, the adaptive security appliance deletes it. This is a well-formedness check only, not a validation of the content.

Checks that index.ini contains a record for MD5name. If it does not, the adaptive security appliance adds MD5name to the file.

Copies the MD5name file to RAMFS /csco_config/customization/ with the RAMFS name name.

Examples

The following example imports to the security appliance a customization object, General.xml, from the URL 209.165.201.22/customization and names it custom1.

hostname# import webvpn customization custom1 tftp://209.165.201.22/customization/General.xml
Accessing 
tftp://209.165.201.22/customization/General.xml...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/csco_config/97/custom1...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
329994 bytes copied in 5.350 secs (65998 bytes/sec)

Related Commands

Command
Description

revert webvpn customization

Removes the specified customization object from the flash device of the adaptive security appliance.

show import webvpn customization

Lists the customization objects present on the flash device of the adaptive security appliance.


import webvpn plug-in protocol

To install a plug-in onto the flash device of the adaptive security appliance, enter the import webvpn plug-in protocol command in privileged EXEC mode.

import webvpn plug-in protocol protocol URL

Syntax Description

protocol

citrix

The Citrix plugin lets the remote user connect to a computer running Citrix Metaframe services.

rdp

The Remote Desktop Protocol plug-in lets the remote user connect to a computer running Microsoft Terminal Services. Cisco redistributes this plug-in without any changes. The web site containing the original is http://properjavardp.sourceforge.net/.

ssh,telnet

The Secure Shell plug-in lets the remote user establish a secure channel to a remote computer, or lets the remote user use Telnet to connect to a remote computer. Cisco redistributes this plug-in without any changes. The web site containing the original is http://javassh.org/.


Caution The import webvpn plug-in protocol ssh,telnet URL command installs both the SSH and Telnet plug-ins. Do not enter this command once for SSH and once for Telnet. When typing the ssh,telnet string, do not insert a space. Use the revert webvpn plug-in protocol command to remove any import webvpn plug-in protocol commands that deviate from these requirements.

vnc

The Virtual Network Computing plug-in lets the remote user use a monitor, keyboard, and mouse to view and control a computer with remote desktop sharing turned on. Cisco redistributes this plug-in without any changes. The web site containing the original is http://www.tightvnc.com/.

URL

Remote path to the source of the plug-in.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

Before installing a plug-in:

Make sure Clientless SSL VPN ("webvpn") is enabled on an interface on the adaptive security appliance. To do so, enter the show running-config command.

Create a temporary directory named "plugins" on a local TFTP server (for example, with the hostname "local_tftp_server"), and download the plug-ins from the Cisco web site to the "plugins" directory. Enter the host name or address of the TFTP server and the path to the plug-in you need into the URL field of the import webvpn plug-in protocol command.
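The following is an added example, not Cisco code and not part of the original reference: a pre-import check for a plug-in archive staged on the TFTP server. TFTP provides no authentication or integrity protection and the adaptive security appliance unpacks the archive it receives, so before pointing the command at the file, compare its SHA-256 with the value you pinned when you downloaded the plug-in, confirm it is a valid ZIP/JAR, and reject any entry whose path would escape the extraction directory. The pinned digest and both archives are constructed in the example.

```python
# Added example, not Cisco code: check a plug-in archive staged on the TFTP
# server before importing it. TFTP gives no authentication or integrity
# protection and the appliance unpacks whatever archive it receives, so pin
# the digest when you download the plug-in and verify it before the import.
# The pinned digest and both archives below are constructed for this example.
import hashlib
import io
import zipfile


def sha256_hex(data):
    """Hex SHA-256 of the archive bytes."""
    return hashlib.sha256(data).hexdigest()


def unsafe_entries(data):
    """Return archive entry names that would escape the extraction directory:
    absolute paths, Windows drive letters, or '..' path components."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            parts = name.split("/")
            absolute = name.startswith("/")
            drive = len(parts[0]) == 2 and parts[0][1] == ":"
            if absolute or drive or ".." in parts:
                bad.append(info.filename)
    return bad


def verify_plugin(data, expected_sha256):
    """Return (ok, reason): ok only if the digest matches the pinned value,
    the bytes are a valid ZIP/JAR, and every entry path is safe."""
    digest = sha256_hex(data)
    if digest != expected_sha256:
        return False, "sha256 mismatch: got " + digest
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False, "not a ZIP/JAR archive"
    bad = unsafe_entries(data)
    if bad:
        return False, "unsafe entry paths: " + ", ".join(bad)
    return True, "ok"


def build_archive(entries):
    """Build an in-memory ZIP from {name: bytes}; used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives: a well-formed one and one carrying an entry
# that would be written outside the plug-in directory when unpacked.
GOOD_JAR = build_archive({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "plugin/Client.class": b"\xca\xfe\xba\xbe" + b"\x00" * 12,
})
TAMPERED_JAR = build_archive({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "../../etc/evil.sh": b"#!/bin/sh\n",
})
# In practice this is the digest you recorded when downloading the plug-in.
PINNED_SHA256 = sha256_hex(GOOD_JAR)

if __name__ == "__main__":
    print(verify_plugin(GOOD_JAR, PINNED_SHA256))
    print(verify_plugin(TAMPERED_JAR, PINNED_SHA256))
    print(verify_plugin(TAMPERED_JAR, sha256_hex(TAMPERED_JAR)))
```

The digest comparison is the check that matters against a substituted file on the TFTP path; the entry-path check is a second line of defence for an archive whose digest you never pinned.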

The adaptive security appliance does the following when you import a plug-in:

Unpacks the jar file specified in the URL.

Writes the file to the csco_config/97/plugin directory on the adaptive security appliance file system.

Populates the drop-down menu next to the URL attributes in ASDM.

Enables the plug-in for all future Clientless SSL VPN sessions, and adds a main menu option and an option to the drop-down menu next to the Address field of the portal page. Table 13-2 shows the changes to the main menu and address field of the portal page.

Table 13-2 Effects of Plug-ins on the Clientless SSL VPN Portal Page

Plug-in
Main Menu Option Added to Portal Page
Address Field Option Added to Portal Page

citrix

Citrix Client

citrix://

rdp

Terminal Servers

rdp://

ssh,telnet

SSH

ssh://

Telnet

telnet://

vnc

VNC Client

vnc://


The adaptive security appliance does not retain the import webvpn plug-in protocol command in the configuration. Instead, it loads the contents of the csco_config/97/plugin directory automatically. A secondary adaptive security appliance obtains the plug-ins from the primary adaptive security appliance.

When the user in a Clientless SSL VPN session clicks the associated menu option on the portal page, the portal page opens a window for the plug-in and displays a help pane. The user can select the protocol displayed in the drop-down menu and enter the URL in the Address field to establish a connection.


Note The SSH client only supports SSH Version 1.0. SSH Version 1 is obsolete and has known cryptographic weaknesses, and current SSH servers commonly disable it, so the plug-in cannot connect to such hosts.

Some Java plug-ins may report a status of connected or online even when a session to the destination service is not set up. The open-source plug-in reports the status, not the adaptive security appliance.


To remove the respective import webvpn plug-in protocol command and disable support for the protocol, use the revert webvpn plug-in protocol command.

Examples

The following command adds WebVPN support for Citrix:

hostname# import webvpn plug-in protocol citrix tftp://209.165.201.22/plugins/ica-plugin.zip
Accessing 
tftp://209.165.201.22/plugins/ica-plugin.zip...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!
Writing file disk0:/csco_config/97/plugin/citrix...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
554543 bytes copied in 13.270 secs (42657 bytes/sec)
 
   

The following command adds Clientless SSL VPN support for RDP:

hostname# import webvpn plug-in protocol rdp tftp://209.165.201.22/plugins/rdp-plugin.jar
Accessing 
tftp://209.165.201.22/plugins/rdp-plugin.jar...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/csco_config/97/plugin/rdp...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
329994 bytes copied in 5.350 secs (65998 bytes/sec)

The following command adds Clientless SSL VPN support for SSH and Telnet:

hostname# import webvpn plug-in protocol ssh,telnet tftp://209.165.201.22/plugins/ssh-plugin.jar
Accessing 
tftp://209.165.201.22/plugins/ssh-plugin.jar...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!
Writing file disk0:/csco_config/97/plugin/ssh...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
238510 bytes copied in 3.650 secs (79503 bytes/sec)

The following command adds Clientless SSL VPN support for VNC:

hostname# import webvpn plug-in protocol vnc tftp://209.165.201.22/plugins/vnc-plugin.jar
Accessing tftp://209.165.201.22/plugins/vnc-plugin.jar...!!!!!!!!!!!!!!!
Writing file disk0:/csco_config/97/plugin/vnc...
!!!!!!!!!!!!!!!
58147 bytes copied in 2.40 secs (29073 bytes/sec)
hostname# 

Related Commands

Command
Description

revert webvpn plug-in protocol

Removes the specified plug-in from the flash device of the adaptive security appliance.

show import webvpn plug-in

Lists the plug-ins present on the flash device of the adaptive security appliance.


import webvpn translation-table

To import a translation table used to translate terms displayed to remote users establishing SSL VPN connections, use the import webvpn translation-table command from privileged EXEC mode.

import webvpn translation-table translation_domain language language url

Syntax Description

language

Specifies a language for the translation table. Enter the value for language in the manner expressed by your browser language options.

translation_domain

The functional area and associated messages visible to remote users. Table 13-3 lists available translation domains.

url

Specifies the URL of the XML file used to create the translation table.


Defaults

This command has no default behavior.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The adaptive security appliance provides language translation for the portal and screens displayed to users that initiate browser-based, clientless SSL VPN connections, as well as the user interface displayed to AnyConnect VPN Client users.

Each functional area and its messages that is visible to remote users has its own translation domain and is specified by the translation_domain argument. Table 13-3 shows the translation domains and the functional areas translated.

Table 13-3 Translation Domains and Functional Areas Affected

Translation Domain
Functional Areas Translated

AnyConnect

Messages displayed on the user interface of the Cisco AnyConnect VPN Client.

CSD

Messages for the Cisco Secure Desktop (CSD).

customization

Messages on the logon and logout pages, portal page, and all the messages customizable by the user.

banners

Banners displayed to remote users and messages when VPN access is denied.

PortForwarder

Messages displayed to Port Forwarding users.

url-list

Text that user specifies for URL bookmarks on the portal page.

webvpn

All the layer 7, AAA and portal messages that are not customizable.

plugin-ica

Messages for the Citrix plug-in.

plugin-rdp

Messages for the Remote Desktop Protocol plug-in.

plugin-telnet,ssh

Messages for the Telnet and SSH plug-in.

plugin-vnc

Messages for the VNC plug-in.



A translation template is an XML file in the same format as the translation table, but has all the translations empty. The software image package for the adaptive security appliance includes a template for each domain that is part of the standard functionality. Templates for plug-ins are included with the plug-ins and define their own translation domains. Because you can customize the logon and logout pages, portal page, and URL bookmarks for clientless users, the adaptive security appliance generates the customization and url-list translation domain templates dynamically and the template automatically reflects your changes to these functional areas.

Download the template for the translation domain using the export webvpn translation-table command, make changes to the messages, and use the import webvpn translation-table command to create the object. You can view available objects with the show import webvpn translation-table command.

Be sure to specify language in the manner expressed by your browser language options. For example, Microsoft Internet Explorer uses the abbreviation zh for the Chinese language. The translation table imported to the adaptive security appliance must also be named zh.

With the exception of the AnyConnect translation domain, a translation table has no effect, and messages are not translated, until you create a customization object, identify a translation table to use in that object, and specify the customization for the group policy or user. Changes to the translation table for the AnyConnect domain are immediately visible to AnyConnect client users. See the import webvpn customization command for more information.

Examples

The following example imports a translation-table for the translation domain affecting the AnyConnect client user interface, and specifies the translation table is for the Chinese language. The show import webvpn translation-table command displays the new object:

hostname# import webvpn translation-table anyconnect language zh tftp://209.165.200.225/anyconnect
hostname# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
hostname# show import webvpn translation-table
Translation Tables' Templates:
customization
AnyConnect
CSD
PortForwarder
url-list
webvpn
Citrix-plugin
RPC-plugin
Telnet-SSH-plugin
VNC-plugin
 
   
Translation Tables:
zh AnyConnect

Related Commands

Command
Description

export webvpn translation-table

Exports a translation table.

import webvpn customization

Imports a customization object that references the translation table.

revert

Removes translation tables from flash.

show import webvpn translation-table

Displays available translation table templates and translation tables.


import webvpn url-list

To load a URL list onto the flash device of the adaptive security appliance, enter the import webvpn url-list command in privileged EXEC mode.

import webvpn url-list name URL

Syntax Description

name

The name that identifies the URL list. Maximum 64 characters.

URL

Remote path to the source of the URL list. Maximum 255 characters.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

Make sure WebVPN is enabled on an adaptive security appliance interface before you enter the import webvpn url-list command. To do so, enter the show running-config command and confirm that the webvpn section contains an enable entry for the interface.

The adaptive security appliance does the following when you import a URL list:

Copies the URL list from the URL to the adaptive security appliance file system, disk0:/csco_config/url-lists, as base64name, the base 64 encoding of name.

Performs a basic XML syntax check on the file. If the file is invalid, the adaptive security appliance deletes it. This is a well-formedness check only, not a validation of the content.

Checks that index.ini contains a record for base64name. If it does not, the adaptive security appliance adds base64name to the file.

Copies the base64name file to RAMFS /csco_config/url-lists/ with the RAMFS name name.

Examples

The following example imports to the security appliance a URL list, NewList.xml, from the URL 209.165.201.22/url-lists and names it ABCList.

hostname# import webvpn url-list ABCList tftp://209.165.201.22/url-lists/NewList.xml
Accessing 
tftp://209.165.201.22/url-lists/NewList.xml...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/csco_config/97/ABClist...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
329994 bytes copied in 5.350 secs (65998 bytes/sec)

Related Commands

Command
Description

revert webvpn url-list

Removes the specified URL list from the flash device of the adaptive security appliance.

show import webvpn url-list

Lists the URL lists present on the flash device of the adaptive security appliance.


import webvpn webcontent

To import content to flash memory that is visible to remote Clientless SSL VPN users, use the import webvpn webcontent command from privileged EXEC mode.

import webvpn webcontent <destination url> <source url>

Syntax Description

<destination url>

The path in the adaptive security appliance flash memory to which the content is imported, for example /+CSCOE+/help/en/app-access-hlp.inc. Maximum 64 characters.

<source url>

The remote URL of the file to import, for example on a TFTP server. Maximum 255 characters.


Defaults

There is no default behavior for this command.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

Content imported with the webcontent option is visible to remote Clientless users. This includes help content visible on the Clientless portal and logos used by customization objects that customize user screens.

Content imported to URLs with the path /+CSCOE+/ is visible only to authenticated users, that is, users who have logged in.

Content imported to URLs with the path /+CSCOU+/ is visible to both unauthorized and authorized users.

For example, a corporate logo imported as /+CSCOU+/logo.gif could be used in a portal customization object and be visible on the logon page and the portal page. The same logo.gif file imported as /+CSCOE+/logo.gif would only be visible to remote users after they have logged in successfully.

Help content that appears on the various application screens must be imported to specific URLs. Table 13-4 shows the URLs and screen areas for the help content displayed for standard Clientless applications:

Table 13-4 Standard Clientless Applications

URL
Clientless Screen Area

/+CSCOE+/help/<language>/app-access-hlp.inc

Application Access

/+CSCOE+/help/<language>/file-access-hlp.inc

Browse Networks

/+CSCOE+/help/<language>/net_access_hlp.html

AnyConnect Client

/+CSCOE+/help/<language>/web-access-help.inc

Web Access


Table 13-5 shows the URLs and screen areas for the help content displayed for optional plug-in Clientless applications:

Table 13-5 Plug-in Clientless Applications

URL
Clientless Screen Area

/+CSCOE+/help/<language>/ica-hlp.inc

MetaFrame Access

/+CSCOE+/help/<language>/rdp-hlp.inc

Terminal Servers

/+CSCOE+/help/<language>/ssh,telnet-hlp.inc

Telnet/SSH Servers

/+CSCOE+/help/<language>/vnc-hlp.inc

VNC Connections


<language> in the URL path is the language abbreviation you designate for the help content. The adaptive security appliance does not actually translate the file into the language you specify, but labels the file with the language abbreviation.

Examples

The following example imports the HTML file application_access_help.html, from a tftp server at 209.165.200.225, to the URL that stores the Application Access help content in flash memory. The URL includes the abbrevation en for the English language:

hostname# import webvpn webcontent /+CSCOE+/help/en/app-access-hlp.inc tftp://209.165.200.225/application_access_help.html
!!!!* Web resource `+CSCOE+/help/en/ap-access-hlp.inc' was successfully initialized
hostname#

Related Commands

Command
Description

export webvpn webcontent

Exports previously imported content visible to Clientless SSL VPN users.

revert webvpn webcontent

Removes content from flash memory.

show import webvpn webcontent

Displays information about imported content.