Table Of Contents
aaa authentication secure-http-client
aaa local authentication attempts max-fail
accounting-server-group (webvpn)
authentication-server-group (webvpn)
authorization-dn-attributes (webvpn)
authorization-required (webvpn)
authorization-server-group (webvpn)
A through B Commands
aaa accounting
To enable, disable, or view TACACS+, or RADIUS user accounting (on a server designated by the aaa-server host command), use the aaa accounting command in global configuration mode. To disable these functions use the no form of this command.
aaa accounting {include | exclude} service interface-name local-ip local-mask foreign-ip foreign-mask server-tag
no aaa accounting {include | exclude} service interface-name local-ip local-mask foreign-ip foreign-mask server-tag
aaa accounting {include | exclude} service interface-name server-tag
no aaa accounting {include | exclude} service interface-name server-tag
Syntax Description
Defaults
For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used.
By default, AAA accounting for administrative access is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
User accounting services keep a record of which network services a user has accessed. These records are kept on the designated AAA server or servers. Accounting information is sent only to the active server in a server group unless you enable simultaneous accounting.
Before you can use this command, you must first designate an AAA server with the aaa-server command.
To enable accounting for traffic that is specified by an access list, use the aaa accounting match command.
Note
For outbound connections, first use the nat command to determine which IP addresses can access the security appliance. For inbound connections, first use the static and access-list extended command statements to determine which inside IP addresses can be accessed through the security appliance from the outside network.
If you want to allow connections to come from any host, code the local IP address and netmask as 0.0.0.0 0.0.0.0, or 0 0. The same convention applies to the foreign host IP address and netmask; 0.0.0.0 0.0.0.0 means any foreign host.
Examples
The following example enables accounting on all connections:
hostname(config)# aaa-server mygroup protocol tacacs+hostname(config)# aaa-server mygroup (inside) host 192.168.10.10 thekey timeout 20hostname(config)# aaa authentication include any inside 0 0 0 0 mygrouphostname(config)# aaa authorization include any inside 0 0 0 0 mygrouphostname(config)# aaa accounting include any inside 0 0 0 0 mygrouphostname(config)# aaa authentication serial console mygroupThis example specifies that the authentication server with the IP address 192.168.10.10 resides on the inside interface and is in the TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the security appliance serial console requires authentication from the TACACS+ server.
Related Commands
aaa accounting console
To enable support for AAA accounting for administrative access, use the aaa accounting console command in global configuration mode. To disable support for aaa accounting for administrative access, use the no form of this command.
aaa accounting {serial| telnet | ssh | enable} console server-tag
no aaa accounting {serial | telnet | ssh | enable} console server-tag
Syntax Description
Defaults
By default, AAA accounting for administrative access is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
You must specify the name of the server group, previously specified in an aaa-server command.
Examples
The following example specifies that accounting records will be generated for all Telnet transactions, and that these records are sent to the server named adminserver.
hostname(config)# aaa accounting telnet console adminserverRelated Commands
aaa accounting command
To configure command accounting so that the security appliance sends to the accounting server each command entered by an administrator, use the aaa accounting command command in global configuration mode. To disable support for AAA command privilege accounting, use the no form of this command. The aaa accounting command command indicates the minimum level that must be associated with a command for an accounting record to be generated.
aaa accounting command [ privilege level ] server-tag
no aaa accounting command [ privilege level ] server-tag
Syntax Description
Defaults
The default privilege level is 0. By default, AAA command-privilege accounting for administrative access is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
When you configure the aaa accounting command command, each command entered by an administrator/user is recorded and sent to the accounting server or servers. The optional privilege specification indicates the minimum privilege level that must be associated with a command for an accounting record to be generated.
This command applies only to TACACS+ servers.
You must specify the name of the server or group, previously specified in an aaa-server command, to which this command applies.
Examples
The following example specifies that accounting records will be generated for any command at privilege level 6 or higher, and that these records are sent to the server from the group named adminserver.
hostname(config)# aaa accounting command privilege 6 adminserverRelated Commands
aaa accounting match
To enable accounting for traffic that is identified by an access list, use the aaa accounting match command in global configuration mode. To disable accounting for traffic that is identified by an access list, use the no form of this command. The aaa accounting match command specifies an access list name that must be matched, as well as an interface name and a server tag.
aaa accounting match acl-name interface-name server-tag
no aaa accounting match acl-name interface-name server-tag
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The aaa accounting match command requires that you specify an ACL that permits the traffic for which you want the security appliance to send accounting data to AAA servers. The security appliance performs accounting for traffic permitted by the ACL and does not perform accounting for traffic denied by the ACL.
Before you can use this command, you must first create the AAA-server group tag by using the aaa-server protocol command.
User accounting services keep a record of which network services a user has accessed. These records are kept on the designated AAA servers. Accounting information is sent only to the active server in a server group unless simultaneous accounting is enabled. See the accounting-mode command for more information.
Examples
The following example enables accounting for traffic matching an ACL, acl2, followed by the output of the show access-list command that displays the ACL:
hostname(config) # aaa accounting match acl2 outside radserver1hostname(config) # show access-list acl12access-list acl12; 1 elementsaccess-list acl12 line 1 extended permit tcp any any (hitcnt=54021)Related Commands
aaa authentication
To include or exclude user authentication for traffic through the security appliance, use the aaa authentication command with the include or exclude keywords in global configuration mode. To disable user authentication, use the no form of this command.
Authentication lets you control access by requiring a valid username and password. You can configure the security appliance to authenticate the following items:
•
–
–
–
–
•
•
Each authentication server has a single pool of users. If you use the same server for multiple authentication rules and types, then a user needs to authenticate only one time for all rules and types, until the session expires. For example, if you configure the security appliance to authenticate Telnet and FTP, and a user successfully authenticates for Telnet, then as long as the session exists, the user does not also have to authenticate for FTP.
aaa authentication include | exclude authentication-service interface-name local-ip local-mask [foreign-ip foreign-mask] server-tag
no aaa authentication include | exclude authentication-service interface-name local-ip local-mask [foreign-ip foreign-mask] server-tag
aaa authentication {ftp | telnet | http | https } challenge disable
no aaa authentication {ftp | telnet | http | https } challenge disable
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
To include or exclude traffic for authentication, you must designate an authentication server with the aaa-server command before using the aaa authentication command. Each combination of local and foreign IP addresses can have one aaa authentication command for inbound connections and one for outbound connections. A session whose IP address is identified by the aaa-server authentication command starts a connection through FTP, Telnet, HTTP, or HTTPS and is prompted for a username and password. If the username and password are verified by the designated authentication server, the security appliance allows further traffic between the authenticating host and the client address.
Use the interface-name, local-ip, and foreign-ip variables to define where access is sought and from whom. The address for local-ip is always on the highest security level interface and foreign-ip is always on the lowest.
Note
For the local and foreign IP address masks, you can use 0 as a shorthand representation if the IP address is 0.0.0.0. Use 255.255.255.255 for a host.
The authentication servers determine whether a user can or cannot access the system, what services can be accessed, and what IP addresses the user can access. The security appliance proxies FTP, HTTP, HTTPS, and Telnet to display the credentials prompts.
Note
local access authentication
To configure a AAA server (TACACS+, RADIUS, or LOCAL) to authenticate administrators, choose one of the following access authentication service options: serial for serial console access, telnet for Telnet access, ssh for SSH access, http for HTTP access, and enable for enable-mode access.
cut-through authentication
For cut-through proxy and "to the box" authentication, you can also use the local security appliance user authentication database by specifying the server group tag LOCAL. If LOCAL is specified for server-tag and the local user credential database is empty, the following warning message appears:
Warning:local database is empty! Use 'username' command to define local users.Conversely, if the local database becomes empty when LOCAL is still present in the command, the following warning message appears:
Warning:Local user database is empty and there are still commands using 'LOCAL' for authentication.The cut-through authentication service options are as follows: telnet, ftp, http, https, icmp/type, proto, tcp/port, and udp/port. The variable proto can be any supported IP protocol value or name: for example, ip or igmp. Only Telnet, FTP, HTTP, or HTTPS traffic triggers interactive user authentication.
The authentication ports that the security appliance supports for AAA are fixed:
•
•
•
•
For this reason, do not use Static PAT to reassign ports for services you want to authenticate. In other words, when the port to authenticate is not one of the three known ports, the security appliance rejects the connection instead of authenticating it.
You can enter an ICMP message type number for type to include or exclude that specific ICMP message type from authentication. For example, icmp/8 includes or excludes type 8 (echo request) ICMP messages.
The tcp/0 option enables authentication for all TCP traffic, which includes FTP, HTTP, HTTPS, and Telnet. When a specific port is specified, only the traffic with a matching destination port is included or excluded for authentication. Note that FTP, Telnet, HTTP, and HTTPS are equivalent to tcp/21, tcp/23, tcp/80, and tcp/443, respectively.
If you specify ip, all IP traffic is included or excluded for authentication, depending on whether include or exclude is specified. When all IP traffic is included for authentication, following are the expected behaviors:
•
•
Enabling Authentication
The aaa authentication command enables or disables the following features:
•
•
The prompts users see requesting AAA credentials differ among the services that can access the security appliance for authentication: Telnet, FTP, HTTP, and HTTPS:
Note
You can specify an interface name with the aaa authentication command. For example, if you specified aaa authentication include tcp outside 0 0 server-tag, the security appliance authenticates a tcp connection originating on the outside interface.
Note
TACACS+ and RADIUS servers
You can have up to 15 single-mode server groups or 4 multi-mode server groups. Each group can have up to 16 servers in single mode or 4 servers in multi-mode. The servers can be either TACACS+ or RADIUS servers—set with the aaa-server command. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
The security appliance permits only one authentication type per network. For example, if one network connects through the security appliance using TACACS+ for authentication, another network connecting through the security appliance can authenticate with RADIUS, but one network cannot authenticate with both TACACS+ and RADIUS.
Note
Examples
The following examples show some uses of the aaa authentication command:
Example 1:
The following example includes for authentication TCP traffic on the outside interface, with a local IP address of 192.168.0.0 and a netmask of 255.255.0.0, with a remote/foreign IP address of all hosts, and using a server named "tacacs+". The second command line excludes Telnet traffic on the outside interface with a local address of 192.168.38.0, with a remote/foreign IP address of all hosts:
hostname(config)# aaa authentication include tcp outside 192.168.0.0 255.255.0.0 0.0.0.0 0.0.0.0 tacacs+hostname(config)# aaa authentication exclude telnet outside 192.168.38.0 255.255.255.0 0.0.0.0 0.0.0.0 tacacs+Example 2:
The following examples demonstrate ways to use the interface-name parameter. The security appliance has an inside network of 192.168.1.0, an outside network of 209.165.201.0 (subnet mask 255.255.255.224), and a perimeter network of 209.165.202.128 (subnet mask 255.255.255.224).
This example enables authentication for connections originated from the inside network to the outside network:
hostname(config)# aaa authentication include tcp inside 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+Example 3:
This example enables authentication for connections originated from the inside network to the perimeter network:
hostname(config)#aaa authentication include tcp inside 192.168.1.0 255.255.255.0 209.165.202.128 255.255.255.224 tacacs+Example 4:
This example enables authentication for connections originated from the outside network to the inside network:
hostname(config)# aaa authentication include tcp outside 209.165.201.0 255.255.255.224 192.168.1.0 255.255.255.0 tacacs+Example 5:
This example enables authentication for connections originated from the outside network to the perimeter network:
hostname(config)# aaa authentication include tcp outside 209.165.201.0 255.255.255.224 209.165.202.128 255.255.255.224 tacacs+Example 6:
This example enables authentication for connections originated from the perimeter network to the outside network:
hostname(config)#aaa authentication include tcp inside 209.165.202.128 255.255.255.224 209.165.201.0 255.255.255.224 tacacs+Example 7:
This example specifies that IP addresses 10.0.0.1 through 10.0.0.254 must be authenticated by the security appliance when establishing connections through the outside interfac. In this example, the first aaa authentication command requires authentication of all FTP, HTTP, and Telnet sessions. The second aaa authentication command lets host 10.0.0.42 start outbound connections without being authenticated. This example uses a server group named tacacs+.
hostname(config)# nat (inside) 1 10.0.0.0 255.255.255.0hostname(config)# aaa authentication include tcp inside 0 0 tacacs+hostname(config)# aaa authentication exclude tcp inside 10.0.0.42 255.255.255.255 tacacs+Example 8:
This example permits inbound access to a tcp IP address in the range of 209.165.201.1 through 209.165.201.30 indicated by the 209.165.201.0 network address (subnet mask 255.255.255.224). All services are permitted by the access-list command, and the aaa authentication command requires authentication on HTTP. The authentication server is at IP address 10.16.1.20 on the inside interface.
hostname(config)# aaa-server AuthIn protocol tacacs+hostname(config)# aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20hostname(config)# access-list acl-out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224hostname(config)# access-group acl-out in interface outsidehostname(config)# aaa authentication include http inside 0 0 0 0 AuthInRelated Commands
aaa authentication console
To enable authentication service for access to the security appliance console over an SSH, HTTP, or Telnet connection or from the Console connector on the security appliance, use the aaa authentication console command in global configuration mode. This command also lets you enable access to privileged EXEC mode. To disable this authentication service, use the no form of this command.
aaa authentication {serial | enable | telnet | ssh | http} console {server-tag [LOCAL] | LOCAL}
no aaa authentication {serial | enable | telnet | ssh | http} console {server-tag [LOCAL] | LOCAL}
Syntax Description
Defaults
By default, fallback to the local database is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
If you enable CLI authentication, the security appliance prompts you for your username and password to log in. After you enter your information, you have access to user EXEC mode.
To enter privileged EXEC mode, enter the enable command or the login command (if you are using the local database only).
If you configure enable authentication, the security appliance prompts you for your username and password. If you do not configure enable authentication, enter the system enable password when you enter the enable command (set by the enable password command). However, if you do not use enable authentication, after you enter the enable command, you are no longer logged in as a particular user. To maintain your username, use enable authentication. This feature is particularly useful when you perform command authorization, where usernames are important to determine the commands a user can enter.
For authentication using the local database, you can use the login command, which maintains the username but requires no configuration to turn on authentication.
Before the security appliance can authenticate a Telnet, SSH, or HTTP user, you must first configure access to the security appliance using the telnet, ssh, and http commands. These commands identify the IP addresses that are allowed to communicate with the security appliance. Telnet access to the security appliance console is available from any internal interface, and from the outside interface with IPSec configured. SSH access to the security appliance console is available from any interface.
The http keyword authenticates the ASDM client that accesses the security appliance using HTTPS. You only need to configure HTTP authentication if you want to use a AAA server. By default, ASDM uses the local database for authentication even if you do not configure this command. HTTP management authentication does not support the SDI protocol for a AAA server group.
If you use a AAA server group for authentication, you can configure the security appliance to use the local database as a fallback method if the AAA server is unavailable. Specify the server group name followed by LOCAL (LOCAL is case sensitive). We recommend that you use the same username and password in the local database as the AAA server because the security appliance prompt does not give any indication which method is being used.
You can alternatively use the local database as your main method of authentication (with no fallback) by entering LOCAL alone.
The maximum username prompt for HTTP authentication is 30 characters. The maximum password length is 16 characters.
As the following table shows, the action of the prompts for authenticated access to the security appliance console differ, depending on the option you choose with this command.
If the SSH authentication request times out (which implies the AAA servers may be down or not available), you can gain access to the security appliance using the username pix and the login password (set with the password command). By default, the login password is cisco.
If a aaa authentication http console command statement is not defined, you can gain access to the security appliance using ASDM with no username and the security appliance enable password (set with the enable password command). If the aaa commands are defined, but the HTTP authentication requests a time out, which implies the AAA servers might be down or not available, you can gain access to the security appliance using the default administrator username and the enable password. By default, the enable password is not set.
Examples
The following example shows use of the aaa authentication console command for a Telnet connection to a RADIUS server with the server tag "radius":
hostname(config)# aaa authentication telnet console radiusThe following example identifies the server group "AuthIn" for administrative authentication.
hostname(config)# aaa authentication enable console AuthInThe following example shows use of the aaa authentication console command with fallback to the LOCAL user database if all the servers in the group "srvgrp1" fail:
hostname(config)# aaa-server svrgrp1 protocol tacacs+hostname(config)# aaa authentication serial console srvgrp1 LOCALRelated Commands
aaa authentication match
To enable the use of a specified access list that must be matched to enable LOCAL, TACACS+, or RADIUS user authentication on a server designated by the aaa-server command or ASDM user authentication, use the aaa authentication match command in global configuration mode. To disable the requirement to match a specified access list, use the no form of this command. The aaa authentication match command specifies the name of an access list, previously defined in an access-list command, that must be matched, and then provides authentication for that match.
aaa authentication match acl-name interface-name server-tag
no aaa authentication match acl-name interface-name server-tag
Syntax Description
acl-name
An access-list command statement name.
interface-name
The interface name from which to authenticate users.
server-tag
The AAA server group tag defined by the aaa-server command.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Using the aaa authentication match command requires that you have previously used the aaa-server command to designate an authentication server—unless you specify LOCAL, and that you have previously used the access-list command to define a named access list. Do not use an access-list command statement that uses the source port to identify matching traffic. The source port is not supported in the match criteria of the aaa authentication match command.
Use the interface-name variable to define where access is sought.
For cut-through proxy, you can also use the local user authentication database by specifying the server group tag LOCAL. If LOCAL is specified for server-tag and the local user credential database is empty, the following warning message appears:
Warning: local database is empty! Use `username' command to define localisms.Conversely, if the local database becomes empty when LOCAL is still present in the command, the following warning message appears:
Warning: local database is empty and there are still commands using `LOCAL' for authentication.Examples
The following set of examples illustrates how to use the aaa authentication match command:
hostname(config)# show access-listaccess-list mylist permit tcp 10.0.0.0 255.255.255.0 172.23.2.0 255.255.255.0 (hitcnt=0) access-list yourlist permit tcp any any (hitcnt=0)hostname(config)# show running-config aaaaaa authentication match mylist outbound TACACS+In this context, the following command:
hostname(config)# aaa authentication match yourlist outbound tacacsis equivalent to this command:
hostname(config)# aaa authentication include TCP/0 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacsThe aaa command statement list is order-dependent between access-list command statements. If you enter the following command:
hostname(config)# aaa authentication match mylist outbound TACACS+before this command:
hostname(config)# aaa authentication match yourlist outbound tacacsthe security appliance tries to find a match in the mylist access-list command statement group before it tries to find a match in the yourlist access-list command statement group.
Related Commands
aaa authentication secure-http-client
To enable SSL and secure username and password exchange between HTTP clients and the security appliance, use the aaa authentication secure-http-client command in global configuration mode. To disable this function, use the no form of this command. The aaa authentication secure-http-client command offers a secure method for user authentication to the security appliance prior to allowing user HTTP-based web requests to traverse the security appliance.
aaa authentication secure-http-client
no aaa authentication secure-http-client
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The aaa authentication secure-http-client command secures HTTP client authentication (through SSL). This command is used for HTTP cut-through proxy authentication.
The aaa authentication secure-http-client command has the following limitations:
•
•
•
static (inside,outside) tcp 10.132.16.200 www 10.130.16.10 wwwstatic (inside,outside) tcp 10.132.16.200 443 10.130.16.10 443•
Tip
Examples
The following example configures HTTP traffic to be securely authenticated:
hostname(config)# aaa authentication secure-http-clienthostname(config)# aaa authentication include http...where "..." represents your values for authen_service if_name local_ip local_mask [foreign_ip foreign_mask] server_tag.
The following command configures HTTPS traffic to be securely authenticated:
hostname (config)# aaa authentication include https...where "..." represents your values for authentication -service interface-name local-ip local-mask [foreign-ip foreign-mask] server-tag.
Note
Related Commands
aaa authorization
To enable or disable user authorization for services on the specified host, use the aaa authorization command in global configuration mode. To disable user authorization services for a specified host, use the no form of this command. The authentication server determines what services the user is authorized to access.
aaa authorization { include | exclude } service interface-name local-ip local-mask foreign-ip foreign-mask server-tag
no aaa authorization { include | exclude } service interface-name local-ip local-mask foreign-ip foreign-mask server-tag
Syntax Description
Defaults
An IP address of 0 means "all hosts." Setting the local IP address to 0 lets the authorization server decide which hosts are authorized.
Fallback to the local database for authorization is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0
This command was modified for this release. The exclude parameter now allows the user to specify a port to exclude to a specific host or hosts.
Usage Guidelines
Except for its use with command authorization, the aaa authorization command requires previous configuration with the aaa authentication command; however, use of the aaa authentication command does not require use of a aaa authorization command.
The security appliance supports RADIUS authorization with the aaa authorization command only when authentication is performed with a different protocol. RADIUS servers return authorization information along with replies to authentication requests. See the description of the aaa authentication command. The aaa authorization command is permitted with LOCAL servers, only for command authorization, and with RADIUS or TACACS+ servers. You can set a dynamic ACL at the RADIUS server to provide authorization (even if it is not configured on the security appliance).
When VPN authorization is defined as LOCAL, the attributes configured in the default group policy DfltGrpPolicy are enforced. This affects the settings in the tunnel-group and webvpn commands.
Tip
For each IP address, one aaa authorization command is permitted. If you want to authorize more than one service with aaa authorization, use the any parameter for the service type.
If the first attempt at authorization fails and a second attempt causes a timeout, use the service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet follows.
Unable to connect to remote host: Connection timed outUser authorization services control which network services a user can access. After a user is authenticated, attempts to access restricted services cause the security appliance to verify the access permissions of the user with the designated AAA server.
Note
When specifying the foreign (destination) IP address, use 0 to indicate all hosts. For the destination and local masks, always specify a specific mask value. Use a mask of 0 if the IP address is 0, and use a mask of 255.255.255.255 for a host.
Service Parameter
Services not specified are authorized implicitly. Services specified in the aaa authentication command do not affect the services that require authorization.
For protocol/port:
•
•
hostname(config)# aaa authorization include udp/53-1024 outside 0 0 0 0This example shows how to enable authorization for DNS lookups to the inside interface for all clients and authorizes access to any other services that have ports in the range of 53 to 1024.
A specific authorization rule does not require the equivalent authentication. Authentication is required only with FTP, HTTP, or Telnet to provide an interactive way for the user to enter the authorization credentials.
Note
The valid values for the service option are telnet, ftp, http, https, tcp or 0, tcp or port, udp or port, icmp or port, or protocol [/port]. Only the Telnet, FTP, HTTP, and HTTPS traffic triggers user interactive authentication.
Examples
The following example uses the TACACS+ protocol:
hostname(config)#aaa-server tplus1 protocol tacacs+hostname(config)#aaa-server tplus1 (inside) host 10.1.1.10 thekey timeout 20hostname(config)#aaa authentication include any inside 0 0 0 0 tplus1hostname(config)#aaa authorization include any inside 0 0 0 0hostname(config)#aaa accounting include any inside 0 0 0 0 tplus1hostname(config)#aaa authentication serial console tplus1In this example, the first command statement creates a server group named tplus1 and specifies the TACACS+ protocol for use with this group. The second command specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the tplus1 server group. The next three command statements specify that any users starting connections through the outside interface to any foreign host will be authenticated using the tplus1 server group, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the security appliance serial console requires authentication from the tplus1 server group.
The following example enables authorization for DNS lookups from the outside interface:
hostname(config)#aaa authorization include udp/53 outside 0.0.0.0 0.0.0.0The following example enables authorization of ICMP echo-reply packets arriving at the inside interface from inside hosts:
hostname(config)#aaa authorization include 1/0 inside 0.0.0.0 0.0.0.0This means that users cannot ping external hosts if they have not been authenticated using Telnet, HTTP, or FTP.
The following example enables authorization only for ICMP echoes (pings) that arrive at the inside interface from an inside host:
hostname(config)#aaa authorization include 1/8 inside 0.0.0.0 0.0.0.0Related Commands
aaa authorization command
The aaa authorization command command specifies whether command execution is subject to authorization. To enable command authorization, use the aaa authorization command command in global configuration mode. To disable command authorization, use the no form of this command.
aaa authorization command {LOCAL | server-tag}
no aaa authorization command {LOCAL | server-tag}
The following syntax configures administrative authorization to support fallback to the local user database if all servers in the specified server group are disabled. This option is disabled by default.
aaa authorization command server-tag [LOCAL]
no aaa authorization command server-tag [LOCAL]
Syntax Description
Defaults
Fallback to the local database for authorization is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0
This command was modified to allow configuring administrative authorization to support fallback to the local user database if all servers in the specified group are disabled.
Usage Guidelines
When used for command authorization, the aaa authorization command command does not require previous configuration with the aaa authentication command.
The aaa authorization command is supported for use with TACACS+ servers and with LOCAL servers (only for command authorization), but not with RADIUS servers.
Tip
Examples
The following example shows how to enable command authorization using a TACACS+ server group named tplus1:
hostname(config)#aaa authorization command tplus1The following example shows how to configure administrative authorization to support fallback to the local user database if all servers in the tplus1 server group are unavailable.
hostname(config)#aaa authorization command tplus1 LOCALRelated Commands
aaa authorization match
To enable the use of a specified access list that must be matched to enable or disable user authorization services, use the aaa authorization match command in global configuration mode. To disable the use of a specified access list for user authorization services, use the no form of this command. The authentication server determines what services the user is authorized to access.
aaa authorization match acl-name interface-name server-tag
no aaa authorization match acl-name interface-name server-tag
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The aaa authorization match command requires previous configuration with the aaa authentication command; however, use of the aaa authentication command does not require use of any aaa authorization command.
The security appliance supports RADIUS authorization with the aaa authorization command only when authentication is performed with a different protocol. RADIUS servers return authorization information along with replies to authentication requests. See the description of the aaa authentication command. The aaa authorization command is permitted with LOCAL servers, only for command authorization, and with RADIUS or TACACS+ servers. You can set a dynamic ACL at the RADIUS server to provide authorization (even if it is not configured on the security appliance).
Tip
If the first attempt at authorization fails and a second attempt causes a timeout, use the
service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet follows.Unable to connect to remote host: Connection timed outUser authorization services control which network services a user can access. After a user is authenticated, attempts to access restricted services cause the security appliance to verify the access permissions of the user with the designated AAA server.
Examples
The following example uses the tplus1 server group with the aaa commands:
hostname(config)#aaa-server tplus1 protocol tacacs+hostname(config)#aaa-server tplus1 (inside) host 10.1.1.10 thekey timeout 20hostname(config)#aaa authentication include any inside 0 0 0 0 tplus1hostname(config)#aaa accounting include any inside 0 0 0 0 tplus1hostname(config)#aaa authorization match myacl inside tplus1In this example, the first command statement defines the tplus1 server group as a TACACS+ group. The second command specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the tplus1 server group. The next two command statements specify that any connections traversing the inside interface to any foreign host are authenticated using the tplus1 server group, and that all these connections are logged in the accounting database. The last command statement specifies that any connections that match the ACEs in myacl are authorized by the AAA servers in the tplus1 server group.
Related Commands
aaa local authentication attempts max-fail
To limit the number of consecutive failed local login attempts that the security appliance allows any given user account, use the aaa local authentication attempts max-fail command in global configuration mode. This command only affects authentication with the local user database. To disable this feature and allow an unlimited number of consecutive failed local login attempts, use the no form of this command.
aaa local authentication attempts max-fail number
Syntax Description
number
The maximum number of times a user can enter a wrong password before being locked out. This number can be in the range 1-16.
Defaults
No default behavior or values..
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
If you omit this command, there is no limit on the number of times a user can enter an incorrect password.
After a user makes the configured number of attempts with the wrong password, the user is locked out and cannot log in successfully until the administrator unlocks the username. Locking or unlocking a username results in a syslog message.
The administrator cannot be locked out of the device.
The number of failed attempts resets to zero and the lockout status resets to No when the user successfully authenticates or when the security appliance reboots.
Examples
The following example shows use of the aaa local authentication attempts max-limits command to set the maximum number of failed attempts allowed to 2:
hostname(config)# aaa local authentication attempts max-limits 2hostname(config)#Related Commands
aaa mac-exempt
To specify the use of a predefined list of MAC addresses to exempt from authentication and authorization, use the aaa mac-exempt command in global configuration mode. To disable the use of a list of MAC addresses, use the no form of this command. The aaa mac-exempt command exempts a list of MAC addresses from authentication and authorization.
aaa mac-exempt match id
no aaa mac-exempt match id
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Configure the MAC access list number using the mac-list command before using the aaa mac-exempt command. Authorization is automatically exempted for MAC addresses for which authentication is exempted.
Examples
The following example shows how to specify the mac-exempt list:
hostname(config)# aaa mac-exempt mac-list-6Related Commands
aaa proxy-limit
To manually configure the uauth session limit by setting the maximum number of concurrent proxy connections allowed per user, use the aaa proxy-limit command in global configuration mode. To disable proxies, use the disable parameter. To return to the default proxy-limit value (16), use the no form of this command.
aaa proxy-limit proxy_limit
aaa proxy-limit disable
no aaa proxy-limit
Syntax Description
disable
No proxies allowed.
proxy_limit
Specify the number of concurrent proxy connections allowed per user, from 1 to 128.
Defaults
The default proxy-limit value is 16.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
If a source address is a proxy server, consider excluding this IP address from authentication or increasing the number of allowable outstanding AAA requests.
Examples
The following example shows how to set the maximum number of outstanding authentication requests allowed per user:
hostname(config)# aaa proxy-limit 6Related Commands
aaa-server host
To configure a AAA server or to configure AAA server parameters that are host-specific, use the aaa-server host command in global configuration mode. When you use the aaa-server host command, you enter the aaa-server host mode, from which you can specify and manage host-specific AAA server connection data. To remove a host configuration, use the no form of this command:
aaa-server server-tag [(interface-name)] host server-ip [key] [timeout seconds]
no aaa-server server-tag [(interface-name)] host server-ip [key] [timeout seconds]
Syntax Description
Defaults
The default timeout value is 10 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
You can have up to 15 single-mode groups or 4 multi-mode groups. Each group can have up to 16 servers in single mode or 4 servers in multi-mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
If aaa accounting is in effect, the accounting information goes only to the active server, unless you specify simultaneous accounting in the aaa-server protocol command.
Since the security appliance version of the aaa-server command supports the specification of server ports on a per-host basis, the following command forms that were available on earlier PIX Firewall systems have been phased out (deprecated), with their semantics changing as indicated. This applies only to server groups that contain RADIUS servers. These commands will be accepted but will no longer be written to the configuration.
•
•
The following are all the host mode commands. Only the ones that apply to the AAA server type for the server group you selected will be available. See the individual command descriptions for details.
accounting-port
RADIUS
1646
acl-netmask-convert
RADIUS
standard
authentication-port
RADIUS
1645
kerberos-realm
Kerberos
—
key1
RADIUS
—
TACACS+
—
ldap-base-dn
LDAP
—
ldap-login-dn
LDAP
—
ldap-login-password
LDAP
—
ldap-naming-attribute
LDAP
—
ldap-scope
LDAP
—
nt-auth-domain-controller
NT
—
radius-common-pw
RADIUS
—
retry-interval
Kerberos
10 seconds
RADIUS
10 seconds
sdi-pre-5-slave
SDI
—
sdi-version
SDI
sdi-5
server-port
Kerberos
88
LDAP
389
NT
139
SDI
5500
TACACS+
49
timeout2
All
10 seconds
1 If you specify the key parameter with the aaa-server command, that parameter has the same effect as using the key command in host mode.
2 If you specify the timeout parameter with the aaa-server command, that parameter has the same effect as using the timeout command in host mode.
The aaa-server command was modified for this release. It is now two separate commands, aaa-server group-tag protocol to enter group mode and aaa-server host to enter host mode.
Examples
The following example configures an SDI AAA server group named "svrgrp1" on host "192.168.3.4", sets the timeout interval to 6 seconds, sets the retry interval to 7 seconds, and configures the SDI version to version 5.
hostname(config)# aaa-server svrgrp1 protocol sdihostname(config-aaa-server-group)# aaa-server svrgrp1 host 192.168.3.4hostname(config-aaa-server-host)# timeout 6hostname(config-aaa-server-host)# retry 7hostname(config-aaa-server-host)# sdi-version sdi-5hostname(config-aaa-server-host)# exithostname(config)#Related Commands
aaa-server protocol
To configure AAA server parameters that are group-specific and common to all hosts, use the aaa-server protocol command in global configuration mode to enter the AAA-server group mode, from which you can configure these group parameters. To remove the designated group, use the no form of this command.
aaa-server server-tag protocol server-protocol
no aaa-server server-tag protocol server-protocol
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
You can have up to 15 single-mode groups or 4 multi-mode groups. Each group can have up to 16 servers in single mode or 4 servers in multi-mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
If AAA accounting is in effect, the accounting information goes only to the active server unless you have configured simultaneous accounting.
You control AAA server configuration with two commands: aaa-server protocol to enter AAA-server group mode and aaa-server host to enter AAA-server host mode. In addition, group mode, which you enter by specifying the aaa-server protocol command, supports accounting mode and server reactivation features through the accounting-mode and reactivation-mode commands.
The supported commands in AAA-server group mode are as follows:
•
•
•
See the individual command descriptions for details about these commands.
Examples
The following example shows the use of the aaa-server protocol command to modify details of a TACACS+ server group configuration:
hostname(config)# aaa-server svrgrp1 protocol tacacs+hostname(config-aaa-server-group)# accounting-mode simultaneoushostname(config-aaa-server-group)# reactivation mode timedhostname(config-aaa-server-group)# max-failed attempts 2hostname(config-aaa-server-group)# exithostname(config)#Related Commands
absolute
To define an absolute time when a time range is in effect, use the absolute command in time-range configuration mode. To disable, use the no form of this command.
absolute [end time date] [start time date]
no absolute
Syntax Description
Defaults
If no start time and date are specified, the permit or deny statement is in effect immediately and always on. Similarly, the maximum end time is 23:59 31 December 2035. If no end time and date are specified, the associated permit or deny statement is in effect indefinitely.
Command Modes
The following table shows the modes in which you can enter the command:
Time-range configuration
•
•
•
•
—
Command History
Usage Guidelines
To implement a time-based ACL, use the time-range command to define specific times of the day and week. Then use the with the access-list extended time-range command to bind the time range to an ACL.
Examples
The following example activates an ACL at 8:00 a.m. on 1 January 2006:
hostname(config-time-range)# absolute start 8:00 1 January 2006Because no end time and date are specified, the associated ACL is in effect indefinitely.Related Commands
accept-subordinates
To configure the security appliance to accept subordinate CA certificates if delivered during phase one IKE exchange when not previously installed on the device, use the accept-subordinates command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.
accept-subordinates
no accept-subordinates
Syntax Description
Defaults
The default setting is on (subordinate certificates are accepted).
Command Modes
The following table shows the modes in which you can enter the
Crypto ca trustpoint configuration
•
•
•
—
—
command:
Command History
Usage Guidelines
During phase 1 processing, an IKE peer might pass both a subordinate certificate and an identity certificate. The subordinate certificate might not be installed on the security appliance. This command lets an administrator support subordinate CA certificates that are not configured as trustpoints on the device without requiring that all subordinate CA certificates of all established trustpoints be acceptable; in other words, this command lets the device authenticate a certificate chain without installing the entire chain locally.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and allows the security appliance to accept subordinate certificates for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# accept-subordinateshostname(ca-trustpoint)#Related Commands
crypto ca trustpoint
Enters trustpoint configuration mode.
default enrollment
Returns enrollment parameters to their defaults.
access-group
To bind an access list to an interface, use the access-group command in global configuration mode. To unbind an access list from the interface, use the no form of this command.
access-group access-list {in | out} interface interface_name [per-user-override]
no access-group access-list {in | out} interface interface_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The access-group command binds an access list to an interface. The access list is applied to traffic inbound to an interface. If you enter the permit option in an access-list command statement, the security appliance continues to process the packet. If you enter the deny option in an access-list command statement, the security appliance discards the packet and generates the following syslog message.
The per-user-override option allows downloaded access lists to override the access list applied to the interface. If the per-user-override optional argument is not present, the security appliance preserves the existing filtering behavior. When per-user-override is present, the security appliance allows the permit or deny status from the per-user access-list (if one is downloaded) associated to a user to override the permit or deny status from the access-group command associated access list. Additionally, the following rules are observed:
•
•
•
Always use the access-list command with the access-group command.
The access-group command binds an access list to an interface. The in keyword applies the access list to the traffic on the specified interface. The out keyword applies the access list to the outbound traffic.
Note
The no access-group command unbinds the access list from the interface interface_name.
The show running config access-group command displays the current access list bound to the interfaces.
The clear configure access-group command removes all the access lists from the interfaces.
Examples
The following example shows how to use the access-group command:
hostname(config)# static (inside,outside) 209.165.201.3 10.1.1.3hostname(config)# access-list acl_out permit tcp any host 209.165.201.3 eq 80hostname(config)# access-group acl_out in interface outsideThe static command provides a global address of 209.165.201.3 for the web server at 10.1.1.3. The access-list command lets any host access the global address using port 80. The access-group command specifies that the access-list command applies to traffic entering the outside interface.
Related Commands
access-list alert-interval
To specify the time interval between deny flow maximum messages, use the access-list alert-interval command in global configuration mode. To return to the default settings, use the no form of this command.
access-list alert-interval secs
no access-list alert-interval
Syntax Description
secs
Time interval between deny flow maximum message generation; valid values are from 1 to 3600 seconds.
Defaults
The default is 300 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Global Configuration
•
•
•
•
—
Command History
Usage Guidelines
The access-list alert-interval command sets the time interval for generating the syslog message 106101. The syslog message 106101 alerts you that the security appliance has reached a deny flow maximum. When the deny flow maximum is reached, another 106101 message is generated if at least secs seconds have occurred since the last 106101 message.
See the access-list deny-flow-max command for information about the deny flow maximum message generation.
Examples
The following example shows how to specify the time interval between deny flow maximum messages:
hostname(config)# access-list alert-interval 30Related Commands
access-list deny-flow-max
To specify the maximum number of concurrent deny flows that can be created, use the access-list deny-flow-max command in global configuration mode. To return to the default settings, use the no form of this command.
access-list deny-flow-max
no access-list deny-flow-max
Syntax Description
This command has no arguments or keywords.
Defaults
The default is 4096.
Command Modes
The following table shows the modes in which you can enter the command:
Global Configuration
•
•
•
•
—
Command History
Usage Guidelines
Syslog message 106101 is generated when the security appliance has reached the maximum number, n, of ACL deny flows.
Examples
The following example shows how to specify the maximum number of concurrent deny flows that can be created:
hostname(config)# access-list deny-flow-max 256Related Commands
access-list ethertype
To configure an access list that controls traffic based on its EtherType, use the access-list ethertype command in global configuration mode. To remove the access list, use the no form of this command.
access-list id ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}
no access-list id ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}
Syntax Description
Defaults
The defaults are as follows:
•
•
When the log optional keyword is specified, the default level for syslog message 106100 is 6 (informational).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Usage Guidelines
The security appliance can control any EtherType identified by a 16-bit hexadecimal number. EtherType ACLs support Ethernet V2 frames. 802.3-formatted frames are not handled by the ACL because they use a length field as oppsed to a type field. Bridge protocol data units, which are handled by the ACL, are the only exception; they are SNAP-encapsulated, and the security appliance is designed to specifically handle BPDUs.
Because EtherTypes are connectionless, you need to apply the ACL to both interfaces if you want traffic to pass in both directions.
If you allow MPLS, ensure that LDP and TDP TCP connections are established through the security appliance by configuring both MPLS routers connected to the security appliance to use the IP address on the security appliance interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.)
You can apply only one ACL of each type (extended and EtherType) to each direction of an interface. You can also apply the same ACLs on multiple interfaces.
Note
Examples
The following example shows how to add an EtherType access list:
hostname(config)# access-list ETHER ethertype permit ipxhostname(config)# access-list ETHER ethertype permit bpduhostname(config)# access-list ETHER ethertype permit mpls-unicasthostname(config)# access-group ETHER in interface insideRelated Commands
access-list extended
To add an Access Control Entry, use the access-list extended command in global configuration mode. An access list is made up of one or more ACEs with the same access list ID. Access lists are used to control network access or to specify traffic for many feature to act upon. To remove the ACE, use the no form of this command. To remove the entire access list, use the clear configure access-list command.
access-list id [line line-number] [extended] {deny | permit}
{protocol | object-group protocol_obj_grp_id}
{src_ip mask | interface ifc_name | object-group network_obj_grp_id}
[operator port | object-group service_obj_grp_id]
{dest_ip mask | interface ifc_name | object-group network_obj_grp_id}
[operator port | object-group service_obj_grp_id | object-group icmp_type_obj_grp_id]
[log [[level] [interval secs] | disable | default]]
[inactive | time-range time_range_name]no access-list id [line line-number] [extended] {deny | permit} {tcp | udp}
{src_ip mask | interface ifc_name | object-group network_obj_grp_id}
[operator port] | object-group service_obj_grp_id]
{dest_ip mask | interface ifc_name | object-group network_obj_grp_id}
[operator port | object-group service_obj_grp_id | object-group icmp_type_obj_grp_id]
[log [[level] [interval secs] | disable | default]]
[inactive | time-range time_range_name]Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Each ACE that you enter for a given access list name is appended to the end of the access list unless you specify the line number in the ACE.
The order of ACEs is important. When the security appliance decides whether to forward or drop a packet, the security appliance tests the packet against each ACE in the order in which the entries are listed. After a match is found, no more ACEs are checked. For example, if you create an ACE at the beginning of an access list that explicitly permits all traffic, no further statements are ever checked.
Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the security appliance except for particular addresses, then you need to deny the particular addresses and then permit all others.
When you use NAT, the IP addresses you specify for an access list depend on the interface to which the access list is attached; you need to use addresses that are valid on the network connected to the interface. This guideline applies for both inbound and outbound access groups: the direction does not determine the address used, only the interface does.
For TCP and UDP connections, you do not need an access list to allow returning traffic, because the FWSM allows all returning traffic for established, bidirectional connections. For connectionless protocols such as ICMP, however, the security appliance establishes unidirectional sessions, so you either need access lists to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections.
Because ICMP is a connectionless protocol, you either need access lists to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as stateful connections. To control ping, specify echo-reply (0) (security appliance to host) or echo (8) (host to security appliance). See Table 1 for a list of ICMP types.
You can apply only one access list of each type (extended and EtherType) to each direction of an interface. You can apply the same access lists on multiple interfaces. See the access-group command for more information about applying an access list to an interface.
Note
Table 1 lists the possible ICMP types values.
Examples
The following access list allows all hosts (on the interface to which you apply the access list) to go through the security appliance:
hostname(config)# access-list ACL_IN extended permit ip any anyThe following sample access list prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27 network. All other addresses are permitted.
hostname(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224hostname(config)# access-list ACL_IN extended permit ip any anyIf you want to restrict access to only some hosts, then enter a limited permit ACE. By default, all other traffic is denied unless explicitly permitted.
hostname(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224The following access list restricts all hosts (on the interface to which you apply the access list) from accessing a website at address 209.165.201.29. All other traffic is allowed.
hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq wwwhostname(config)# access-list ACL_IN extended permit ip any anyThe following access list that uses object groups restricts several hosts on the inside network from accessing several web servers. All other traffic is allowed.
hostname(config-network)# access-list ACL_IN extended deny tcp object-group denied object-group web eq wwwhostname(config)# access-list ACL_IN extended permit ip any anyhostname(config)# access-group ACL_IN in interface insideTo temporarily disable an access list that permits traffic from one group of network objects (A) to another group of network objects (B):
hostname(config)# access-list 104 permit ip host object-group A object-group B inactiveTo implement a time-based access list, use the time-range command to define specific times of the day and week. Then use the access-list extended command to bind the time range to an access list. The following example binds an access list named "Sales" to a time range named "New_York_Minute":
hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host 209.165.201.1 time-range New_York_Minutehostname(config)#See the time-range command for more information about how to define a time range.
Related Commands
access-list remark
To specify the text of the remark to add before or after an access-list extended command, use the access-list remark command in global configuration mode. To delete the remark, use the no form of this command.
access-list id [line line-num] remark text
no access-list id [line line-num] remark [text]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global Configuration
•
•
•
•
—
Command History
Usage Guidelines
The remark text can be up to 100 characters in length, including spaces and punctuation. The remark text must contain at least 1 non-space character; you cannot enter an empty remark.
You cannot use the access-group command on an ACL that includes a remark only.
Examples
The following example shows how to specify the text of the remark to add before or after an access-list command:
hostname(config)# access-list 77 remark checklistRelated Commands
access-list standard
To add an access list to identify the destination IP addresses of OSPF routes, which can be used in a route map for OSPF redistribution, use the access-list standard command in global configuration mode. To remove the access list, use the no form of this command.
access-list id standard [line line-num] {deny | permit} {any | host ip_address | ip_address subnet_mask}
no access-list id standard [line line-num] {deny | permit} {any | host ip_address | ip_address subnet_mask}
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
When used with the access-group command, the deny optional keyword does not allow a packet to traverse the security appliance. By default, the security appliance denies all packets on the originating interface unless you specifically permit access.
When you specify the protocol to match any Internet protocol, including TCP and UDP, use the ip keyword.
Refer to the object-group command for information on how to configure object groups.
You can use the object-group command to group access lists.
Use the following guidelines for specifying a source, local, or destination address:
•
•
Use host address as an abbreviation for a mask of 255.255.255.255.
Examples
The following example shows how to deny IP traffic through the firewall:
hostname(config)# access-list 77 standard denyThe following example shows how to permit IP traffic through the firewall if conditions are matched:
hostname(config)# access-list 77 standard permitRelated Commands
access-list webtype
To add an access list to the configuration that supports filtering for WebVPN, use the access-list webtype command in global configuration mode. To remove the access list, use the no form of this command.
access-list id webtype {deny | permit} url [url_string | any] [log [[disable | default] | level] [interval secs] [time_range name]]
no access-list id webtype {deny | permit} url [url_string | any] [log [[disable | default] | level] [interval secs] [time_range name]]
access-list id webtype {deny | permit} tcp [host ip_address | ip_address subnet_mask | any] [oper port [port]] [log [[disable | default] | level] [interval secs] [time_range name]]
no access-list id webtype {deny | permit} tcp [host ip_address | ip_address subnet_mask | any] [oper port [port]] [log [[disable | default] | level] [interval secs] [time_range name]]
Syntax Description
Defaults
The defaults are as follows:
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global Configuration
•
•
•
•
—
Command History
Usage Guidelines
The access-list webtype command is used to configure WebVPN filtering. The url specified may be full or partial (no file specified), may include wildcards for the server, or may specify a port.
Valid protocol identifiers are: http, https, cifs, imap4, pop3, and smtp. The url may also contain the keyword any to refer to any url. An asterisk may be used to refer to a subcomponent of a DNS name.
Examples
The following example shows how to deny access to a specific company url:
hostname(config)# access-list acl_company webtype deny url http://*.company.comThe following example shows how to deny access to a specific file:
hostname(config)# access-list acl_file webtype deny url https://www.company.com/dir/file.htmlThe following example shows how to deny http access to anywhere through port 8080:
hostname(config)# access-list acl_company webtype deny url http://my-server:8080/*Related Commands
accounting-mode
To indicate whether accounting messages are sent to a single server (single mode) or sent to all servers in the group (simultaneous mode), use the accounting-mode command in AAA-server group mode. To remove the accounting mode specification, use the no form of this command:
accounting-mode simultaneous
accounting-mode single
no accounting-mode
Syntax Description
simultaneous
Sends accounting messages to all servers in the group.
single
Sends accounting messages to a single server.
Defaults
The default value is single mode
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server group
•
•
•
•
—
Command History
Usage Guidelines
Use the keyword single to send accounting messages to a single server. Use the keyword simultaneous to send accounting messages to all servers in the server group.
This command is meaningful only when the server group is used for accounting (RADIUS or TACACS+).
Examples
The following example shows the use of the accounting-mode command to send accounting messages to all servers in the group:
hostname(config)# aaa-server svrgrp1 protocol tacacs+hostname(config-aaa-server-group)# accounting-mode simultaneoushostname(config-aaa-server-group)# exithostname(config)#Related Commands
accounting-port
To specify the port number used for RADIUS accounting for this host, use the accounting-port command in AAA-server host mode. To remove the authentication port specification, use the no form of this command. This command specifies the destination TCP/UDP port number of the remote RADIUS server hosts to which you want to send accounting records:
accounting-port port
no accounting-port
Syntax Description
Defaults
By default, the device listens for RADIUS on port 1646 for accounting (in compliance with RFC 2058). If the port is not specified, the RADIUS accounting default port number (1646) is used.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server host
•
•
•
•
—
Command History
Usage Guidelines
If your RADIUS accounting server uses a port other than 1646, you must configure the security appliance for the appropriate port prior to starting the RADIUS service with the aaa-server command.
This command is valid only for server groups that are configured for RADIUS.
Examples
The following example configures a RADIUS AAA server named "srvgrp1" on host "1.2.3.4", sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures accounting port 2222.
hostname(config)# aaa-server svrgrp1 protocol radiushostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)# timeout 9hostname(config-aaa-server-host)# retry-interval 7hostname(config-aaa-server-host)# accountinq-port 2222hostname(config-aaa-server-host)# exithostname(config)#Related Commands
accounting-server-group
To specify the aaa-server group for sending accounting records, use the accounting-server-group command in tunnel-group general-attributes configuration mode. To return this command to the default, use the no form of this command.
accounting-server-group server-group
no accounting-server-group
Syntax Description
Defaults
The default setting for this command is NONE.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute to all tunnel-group types.
Examples
The following example entered in config-general configuration mode, configures an accounting server group named aaa-server123 for an IPSec LAN-to-LAN tunnel group xyz:
hostname(config)# tunnel-group xyz type IPSec_L2Lhostname(config)# tunnel-group xyz generalhostname(config-general)# accounting-server-group aaa-server123hostname(config-general)#Related Commands
accounting-server-group (webvpn)
To specify the set of accounting servers to use with WebVPN or e-mail proxy, use the accounting-server-group command. For WebVPN, use this command in webvpn mode. For e-mail proxies (IMAP4S. POP3S, SMTPS), use this command in the applicable e-mail proxy mode. To remove accounting servers from the configuration, use the no form of this command.
The security appliance uses accounting to keep track of the network resources that users access.
accounting-server-group group tag
no accounting-server-group
Syntax Description
group tag
Identifies the previously configured accounting server or group of servers. Use the aaa-server command to configure accounting servers. Maximum length of the group tag is 16 characters.
Defaults
No accounting servers are configured by default.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
•
—
—
•
Imap4s
•
•
—
—
•
Pop3s
•
•
—
—
•
SMTPS
•
•
—
—
•
Command History
Examples
The following example shows how to configure WebVPN services to use the set of accounting servers named WEBVPNACCT:
hostname(config)# webvpnhostname(config-webvpn)# accounting-server-group WEBVPNACCTThe following example shows how to configure POP3S e-mail proxy to use the set of accounting servers named POP3SSVRS:
hostname(config)# pop3shostname(config-pop3s)# accounting-server-group POP3SSVRSRelated Commands
aaa-server host
Configures authentication, authorization, and accounting servers.
acl-netmask-convert
To specify how the security appliance treats netmasks received in a downloadable ACL from a RADIUS server, use the acl-netmask-convert command in AAA-server host mode, which is accessed by using the aaa-server host command. Use the no form of this command to remove the command.
acl-netmask-convert {auto-detect | standard | wildcard}
no acl-netmask-convert
Syntax Description
Defaults
By default, no conversion from wildcard netmask expressions is performed.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server host
•
•
•
•
—
Command History
Usage Guidelines
Use the acl-netmask-convert command with the wildcard or auto-detect keywords when a RADIUS server provides downloadable ACLs that contain netmasks in wildcard format. The security appliance expects downloadable ACLs to contain standard netmask expressions whereas Cisco Secure VPN 3000 Series Concentrators expect downloadable ACLs to contain wildcard netmask expressions, which are the reverse of a standard netmas expression. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match.The acl-netmask-convert command helps minimize the effects of these differences upon how you configure downloadable ACLs on your RADIUS servers.
The auto-detect keyword is helpful when you are uncertain how the RADIUS server is configured; however, wildcard netmask expressions with "holes" in them cannot be unambiguously detected and converted. For example, the wildcard netmask 0.0.255.0 permits anything in the third octet and can be used validly on Cisco VPN 3000 Series Concentrators, but the security appliance may not detect this expression as a wildcard netmask.
Examples
The following example configures a RADIUS AAA server named "srvgrp1" on host "192.168.3.4", enables conversion of downloadable ACL netmasks, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures authentication port 1650.
hostname(config)# aaa-server svrgrp1 protocol radiushostname(config-aaa-server-group)# aaa-server svrgrp1 host 192.168.3.4hostname(config-aaa-server-host)# acl-netmask-convert wildcardhostname(config-aaa-server-host)# timeout 9hostname(config-aaa-server-host)# retry-interval 7hostname(config-aaa-server-host)# authentication-port 1650hostname(config-aaa-server-host)# exithostname(config)#Related Commands
activation-key
To change the activation key on the security appliance and check the activation key running on the security appliance against the activation key that is stored as a hidden file in the Flash partition of the security appliance, use the activation-key command in global configuration mode.
activation-key [activation-key-four-tuple| activation-key-five-tuple]
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
·
·
·
·
Command History
Usage Guidelines
Enter the activation-key-four-tuple as a four-element hexadecimal string with one space between each element, or activation-key-five-tuple as a five-element hexidecimal string withe one space between each element as follows:
0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624eThe leading 0x specifier is optional; all values are assumed to be hexadecimal.
The key is not stored in the configuration file. The key is tied to the serial number.
Examples
This example shows how to change the activation key on the security appliance:
hostname(config)# activation-key 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624eRelated Commands
address-pool
To specify a list of address pools for allocating addresses to remote clients, use the address-pool command in tunnel-group general-attributes configuration mode. To eliminate address pools, use the no form of this command.
address-pool [(interface name)] address_pool1 [...address_pool6]
no address-pool [(interface name)] address_pool1 [...address_pool6]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can enter multiples of each of these commands, one per interface. If an interface is not specified, then the command specifies the default for all interfaces that are not explicitly referenced.
Examples
The following example entered in config-general configuration mode, specifies a list of address pools for allocating addresses to remote clients for an IPSec remote-access tunnel group xyz:
hostname(config)# tunnel-group xyzhostname(config)# tunnel-group xyz generalhostname(config-general)# address-pool (inside) addrpool1 addrpool2 addrpool3hostname(config-general)#Related Commands
admin-context
To set the admin context for the system configuration, use the admin-context command in global configuration mode. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the security appliance software or allowing remote management for an administrator), it uses one of the contexts that is designated as the admin context.
admin-context name
Syntax Description
Defaults
For a new security appliance in multiple context mode, the admin context is called "admin."
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
You can set any context to be the admin context, as long as the context configuration resides on the internal Flash memory.
You cannot remove the current admin context, unless you remove all contexts using the clear configure context command.
Examples
The following example sets the admin context to be "administrator":
hostname(config)# admin-context administratorRelated Commands
alias
To manually translate an address and perform DNS reply modification, use the alias command in global configuration mode. To remove an alias command, use the no form of this command. This command functionality has been replaced by outside NAT commands, including the nat and static commands with the dns keyword. We recommend that you use outside NAT instead of the alias command.
alias interface_name mapped_ip real_ip [netmask]
[no] alias interface_name mapped_ip real_ip [netmask]
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
You can also use this command to perform address translation on a destination address. For example, if a host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address, such as 209.165.201.30.
Note
After changing or removing an alias command, use the clear xlate command.
You must have an A (address) record in the DNS zone file for the "dnat" address in the alias command.
The alias command has two uses that can be summarized in the following ways:
•
•
The alias command automatically interacts with the DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently.
You can specify a net alias by using network addresses for the real_ip and mapped_ip IP addresses. For example, the alias 192.168.201.0 209.165.201.0 255.255.255.224 command creates aliases for each IP address between 209.165.201.1 and 209.165.201.30.
To access an alias mapped_ip address with static and access-list commands, specify the mapped_ip address in the access-list command as the address from which traffic is permitted as follows:
hostname(config)# alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255hostname(config)# static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255hostname(config)# access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-datahostname(config)# access-group acl_out in interface outsideAn alias is specified with the inside address 192.168.201.1 mapping to the destination address 209.165.201.1.
When the inside network client 209.165.201.2 connects to example.com, the DNS response from an external DNS server to the internal client's query would be altered by the security appliance to be 192.168.201.29. If the security appliance uses 209.165.200.225 through 209.165.200.254 as the global pool IP addresses, the packet goes to the security appliance with SRC=209.165.201.2 and DST=192.168.201.29. The security appliance translates the address to SRC=209.165.200.254 and DST=209.165.201.29 on the outside.
Examples
This example shows that the inside network contains the IP address 209.165.201.29, which on the Internet belongs to example.com. When inside clients try to access example.com, the packets do not go to the security appliance because the client assumes that the 209.165.201.29 is on the local inside network.
To correct this, use the alias command as follows:
hostname(config)# alias (inside) 192.168.201.0 209.165.201.0 255.255.255.224hostname(config)# show running-config aliasalias 192.168.201.0 209.165.201.0 255.255.255.224This example shows a web server that is on the inside at 10.1.1.11 and the static command that was created at 209.165.201.11. The source host is on the outside with address 209.165.201.7. A DNS server on the outside has a record for www.example.com as follows:
dns-server# www.example.com. IN A 209.165.201.11You must include the period at the end of the www.example.com. domain name.
This example shows how to use the alias command:
hostname(config)# alias 10.1.1.11 209.165.201.11 255.255.255.255The security appliance changes the name server replies to 10.1.1.11 for inside clients to directly connect to the web server.
To provide access you also need the following commands:
hostname(config)# static (inside,outside) 209.165.201.11 10.1.1.11hostname(config)# access-list acl_grp permit tcp host 209.165.201.7 host 209.165.201.11 eq telnethostname(config)# access-list acl_grp permit tcp host 209.165.201.11 eq telnet host 209.165.201.7Related Commands
allocate-interface
To allocate interfaces to a security context, use the allocate-interface command in context configuration mode. To remove an interface from a context, use the no form of this command.
allocate-interface physical_interface [map_name] [visible | invisible]
no allocate-interface physical_interface
allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [map_name[-map_name]] [visible | invisible]
no allocate-interface physical_interface.subinterface[-physical_interface.subinterface]
Syntax Description
Defaults
The interface ID is invisible in the show interface command output by default if you set a mapped name.
Command Modes
The following table shows the modes in which you can enter the command:
Context configuration
•
•
—
—
•
Command History
Usage Guidelines
You can enter this command multiple times to specify different ranges. To change the mapped name or visible setting, reenter the command for a given interface ID, and set the new values; you do not need to enter the no allocate-interface command and start over. If you remove the allocate-interface command, the security appliance removes any interface-related configuration in the context.
Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA adaptive security appliance, you can use the dedicated management interface, Management 0/0, (either the physical interface or a subinterface) as a third interface for management traffic.
Note
You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces.
If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these guidelines for ranges:
•
int0-int10If you enter gigabitethernet0/1.1-gigabitethernet0/1.5 happy1-sad5, for example, the command fails.
•
gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100If you enter gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int15, for example, the command fails.
Examples
The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/1.305 assigned to the context. The mapped names are int1 through int8.
hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8Related Commands
area
To create an OSPF area, use the area command in router configuration mode. To remove the area, use the no form of this command.
area area_id
no area area_id
Syntax Description
area_id
The ID of the area being created. You can specify the identifier as either a decimal number or an IP address. Valid decimal values range from 0 to 4294967295.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
The area that you create does not have any parameters set. Use the related area commands to set the area parameters.
Examples
The following example shows how to create an OSPF area with an area ID of 1:
hostname(config-router)# area 1hostname(config-router)#Related Commands
area authentication
To enable authentication for an OSPF area, use the area authentication command in router configuration mode. To disable area authentication, use the no form of this command.
area area_id authentication [message-digest]
no area area_id authentication [message-digest]
Syntax Description
Defaults
Area authentication is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the specified OSPF area does not exist, it is created when this command is entered. Entering the area authentication command without the message-digest keyword enables simple password authentication. Including the message-digest keyword enables MD5 authentication.
Examples
The following example shows how to enable MD5 authentication for area 1:
hostname(config-router)# area 1 authentication message-digesthostname(config-router)#Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
area default-cost
To specify a cost for the default summary route sent into a stub or NSSA, use the area default-cost command in router configuration mode. To restore the default cost value, use the no form of this command.
area area_id default-cost cost
no area area_id default-cost
Syntax Description
Defaults
The default value of cost is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the specified area has not been previously defined using the area command, this command creates the area with the specified parameters.
Examples
The following example show how to specify a default cost for summary route sent into a stub or NSSA:
hostname(config-router)# area 1 default-cost 5hostname(config-router)#Related Commands
area filter-list prefix
To filter prefixes advertised in type 3 LSAs between OSPF areas of an ABR, use the area filter-list prefix command in router configuration mode. To change or cancel the filter, use the no form of this command.
area area_id filter-list prefix list_name {in | out}
no area area_id filter-list prefix list_name {in | out}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the specified area has not been previously defined using the area command, this command creates the area with the specified parameters.
Only type 3 LSAs can be filtered. If an ASBR is configured in the private network, then it will send type 5 LSAs (describing private networks) which are flooded to the entire AS including the public areas.
Examples
The following example filters prefixes that are sent from all other areas to area 1:
hostname(config-router)# area 1 filter-list prefix-list AREA_1 inhostname(config-router)#Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
area nssa
To configure an area as an NSSA, use the area nssa command in router configuration mode. To remove the NSSA designation from the area, use the no form of this command.
area area_id nssa [no-redistribution] [default-information-originate [metric-type {1 | 2}] [metric value]] [no-summary]
no area area_id nssa [no-redistribution] [default-information-originate [metric-type {1 | 2}] [metric value]] [no-summary]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the specified area has not been previously defined using the area command, this command creates the area with the specified parameters.
If you configure one option for an area, and later specify another option, both options are set. For example, entering the following two command separately results in a single command with both options set in the configuration:
area 1 nssa no-redistributionarea area_id nssa default-information-originateExamples
The following example shows how setting two options separately results in a single command in the configuration:
hostname(config-router)# area 1 nssa no-redistributionhostname(config-router)# area 1 nssa default-information-originatehostname(config-router)# exithostname(config-router)# show running-config router ospf 1router ospf 1area 1 nssa no-redistribution default-information-originateRelated Commands
