-
Cisco Security Appliance Command Reference, Version 7.2
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting command through accounting-server-group Commands
-
acl-netmask-convert through auto-update timeout Commands
-
backup interface through browse networks Commands
-
cache through clear compression Commands
-
clear conn through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
ddns through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
intercept-dhcp through issuer-name Commands
-
java-trustpoint through kill Commands
-
l2tp tunnel hello through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
packet-tracer through pwd Commands
-
queue-limit through router rip Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show ddns through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show xlate Commands
-
shun through sysopt radius ignore-secret Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Table Of Contents
acl-netmask-convert through auto-update timeout Commands
application-access hide-details
authentication (crypto isakmp policy configuration mode)
authentication (tunnel-group webvpn configuration mode)
authentication-server-group (webvpn)
authorization-dn-attributes (tunnel-group general-attributes mode)
authorization-dn-attributes (webvpn)
authorization-required (tunnel-group general-attributes mode)
authorization-required (webvpn)
authorization-server-group (tunnel-group general-attributes mode)
authorization-server-group (webvpn)
acl-netmask-convert through auto-update timeout Commands
acl-netmask-convert
To specify how the security appliance treats netmasks received in a downloadable ACL from a RADIUS server, use the acl-netmask-convert command in AAA-server host mode, which is accessed by using the aaa-server host command. Use the no form of this command to remove the command.
acl-netmask-convert {auto-detect | standard | wildcard}
no acl-netmask-convert
Syntax Description
Defaults
By default, no conversion from wildcard netmask expressions is performed.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server host
•
•
•
•
—
Command History
Usage Guidelines
Use the acl-netmask-convert command with the wildcard or auto-detect keywords when a RADIUS server provides downloadable ACLs that contain netmasks in wildcard format. The security appliance expects downloadable ACLs to contain standard netmask expressions whereas Cisco Secure VPN 3000 Series Concentrators expect downloadable ACLs to contain wildcard netmask expressions, which are the reverse of a standard netmas expression. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match.The acl-netmask-convert command helps minimize the effects of these differences upon how you configure downloadable ACLs on your RADIUS servers.
The auto-detect keyword is helpful when you are uncertain how the RADIUS server is configured; however, wildcard netmask expressions with "holes" in them cannot be unambiguously detected and converted. For example, the wildcard netmask 0.0.255.0 permits anything in the third octet and can be used validly on Cisco VPN 3000 Series Concentrators, but the security appliance may not detect this expression as a wildcard netmask.
Examples
The following example configures a RADIUS AAA server named "srvgrp1" on host "192.168.3.4", enables conversion of downloadable ACL netmasks, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures authentication port 1650.
hostname(config)# aaa-server svrgrp1 protocol radiushostname(config-aaa-server-group)# aaa-server svrgrp1 host 192.168.3.4hostname(config-aaa-server-host)# acl-netmask-convert wildcardhostname(config-aaa-server-host)# timeout 9hostname(config-aaa-server-host)# retry-interval 7hostname(config-aaa-server-host)# authentication-port 1650hostname(config-aaa-server-host)# exithostname(config)#Related Commands
action-uri
To specify a web server URI to receive a username and password for single sign-on authentication, use the action-uri command in aaa-server-host configuration mode. This is an SSO with HTTP Forms command.
To reset the URI parameter value, use the no form of the command. Use the action-uri command again to enter a new value.
action-uri string
no action-uri
Note
Syntax Description
Defaults
No default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server-host configuration
•
—
•
—
—
Command History
Usage Guidelines
A URI or Uniform Resource Identifier is a compact string of characters that identifies a point of content on the Internet, whether it be a page of text, a video or sound clip, a still or animated image, or a program. The most common form of URI is the Web page address, which is a particular form or subset of URI called a Uniform Resource Locator (URL).
The WebVPN server of the security appliance can use a POST request to submit a single sign-on authentication request to an authenticating web server. To accomplish this, configure the security appliance to pass a username and a password to an action URI on an authenticating web server using an HTTP POST request. The action-uri command specifies the location and name of the authentication program on the web server to which the security appliance sends the POST request.
You can discover the action URI on the authenticating web server by connecting to the web server's login page directly with a browser. The URL of the login web page displayed in your browser is the action URI for the authenticating web server.
For ease of entry, you can enter URIs on multiple, sequential lines. The security appliance then concatenates the lines into the URI as you enter them. While the maximum characters per action-uri line is 255 characters, you can enter fewer characters on each line.
Note
Examples
In the following example, the URI to receive authentication data is as follows:
http://www.example.com/auth/index.html/appdir/authc/forms/MCOlogin.fcc?TYPE=33554433&REALMOID=06-000a1311-a828-1185-ab41-8333b16a0008&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$5FZmjnk3DRNwNjk2KcqVCFbIrNT9%2bJ0H0KPshFtg6rB1UV2PxkHqLw%3d%3d&TARGET=https%3A%2F%2Fauth.example.com
The following example, entered in aaa-server-host configuration mode, specifies the preceding URI on www.example.com:
hostname(config)# aaa-server testgrp1 host www.example.comhostname(config-aaa-server-host)# action-uri http://www.example.com/auth/index.htmhostname(config-aaa-server-host)# action-uri l/appdir/authc/forms/MCOlogin.fcc?TYPhostname(config-aaa-server-host)# action-uri 554433&REALMOID=06-000a1311-a828-1185hostname(config-aaa-server-host)# action-uri -ab41-8333b16a0008&GUID=&SMAUTHREASONhostname(config-aaa-server-host)# action-uri =0&METHOD=GET&SMAGENTNAME=$SM$5FZmjnkhostname(config-aaa-server-host)# action-uri 3DRNwNjk2KcqVCFbIrNT9%2bJ0H0KPshFtg6rhostname(config-aaa-server-host)# action-uri B1UV2PxkHqLw%3d%3d&TARGET=https%3A%2Fhostname(config-aaa-server-host)# action-uri %2Fauth.example.comhostname(config-aaa-server-host)#
Note
Related Commands
activation-key
To change the activation key on the security appliance and check the activation key running on the security appliance against the activation key that is stored as a hidden file in the Flash partition of the security appliance, use the activation-key command in global configuration mode.
activation-key [activation-key-four-tuple| activation-key-five-tuple]
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
·
·
·
·
Command History
Usage Guidelines
Enter the activation-key-four-tuple as a four-element hexadecimal string with one space between each element, or activation-key-five-tuple as a five-element hexidecimal string withe one space between each element as follows:
0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624eThe leading 0x specifier is optional; all values are assumed to be hexadecimal.
The key is not stored in the configuration file. The key is tied to the serial number.
Examples
This example shows how to change the activation key on the security appliance:
hostname(config)# activation-key 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624eRelated Commands
address-pool
To specify a list of address pools for allocating addresses to remote clients, use the address-pool command in tunnel-group general-attributes configuration mode. To eliminate address pools, use the no form of this command.
address-pool [(interface name)] address_pool1 [...address_pool6]
no address-pool [(interface name)] address_pool1 [...address_pool6]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can enter multiples of each of these commands, one per interface. If an interface is not specified, then the command specifies the default for all interfaces that are not explicitly referenced.
The address-pools settings in the group-policy address-pools command override the local pool settings in the tunnel group address-pool command.
The order in which you specify the pools is significant. The security appliance allocates addresses from these pools in the order in which the pools appear in this command.
Examples
The following example entered in config-general configuration mode, specifies a list of address pools for allocating addresses to remote clients for an IPSec remote-access tunnel group xyz:
hostname(config)# tunnel-group xyzhostname(config)# tunnel-group xyz generalhostname(config-general)# address-pool (inside) addrpool1 addrpool2 addrpool3hostname(config-general)#Related Commands
address-pools (group policy)
To specify a list of address pools for allocating addresses to remote clients, use the address-pools command in group-policy attributes configuration mode. To remove the attribute from the group policy and enable inheritance from other sources of group policy, use the no form of this command.
address-pools value address_pool1 [...address_pool6]
no address-pools value address_pool1 [...address_pool6]
address-pools none
no address-pools none
Syntax Description
Defaults
By default, the address pool attribute allows inheritance.
Command Modes
The following table shows the modes in which you can enter the command:
group-policy attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
The address-pools settings in this command override the local pool settings in the group. You can specify a list of up to six local address pools to use for local address allocation.
The order in which you specify the pools is significant. The security appliance allocates addresses from these pools in the order in which the pools appear in this command.
The command address-pools none disables this attribute from being inherited from other sources of policy, such as the DefaultGrpPolicy. The command no address pools none removes the address-pools none command from the configuration, restoring the default value, which is to allow inheritance.
Examples
The following example entered in config-general configuration mode, configures pool 1 and pool20 as lists of address pools to use for allocating addresses to remote clients for GroupPolicy1:
hostname(config)# ip local pool pool 192.168.10.1-192.168.10.100 mask 255.255.0.0hostname(config)# ip local pool pool20 192.168.20.1-192.168.20.200 mask 255.255.0.0hostname(config)# group-policy GroupPolicy1 attributeshostname(config-group-policy)# address-pools value pool1 pool20hostname(config-group-policy)#Related Commands
admin-context
To set the admin context for the system configuration, use the admin-context command in global configuration mode. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the security appliance software or allowing remote management for an administrator), it uses one of the contexts that is designated as the admin context.
admin-context name
Syntax Description
Defaults
For a new security appliance in multiple context mode, the admin context is called "admin."
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
You can set any context to be the admin context, as long as the context configuration resides on the internal Flash memory.
You cannot remove the current admin context, unless you remove all contexts using the clear configure context command.
Examples
The following example sets the admin context to be "administrator":
hostname(config)# admin-context administratorRelated Commands
alias
To manually translate an address and perform DNS reply modification, use the alias command in global configuration mode. To remove an alias command, use the no form of this command. This command functionality has been replaced by outside NAT commands, including the nat and static commands with the dns keyword. We recommend that you use outside NAT instead of the alias command.
alias interface_name mapped_ip real_ip [netmask]
[no] alias interface_name mapped_ip real_ip [netmask]
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
You can also use this command to perform address translation on a destination address. For example, if a host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address, such as 209.165.201.30.
Note
After changing or removing an alias command, use the clear xlate command.
You must have an A (address) record in the DNS zone file for the "dnat" address in the alias command.
The alias command has two uses that can be summarized in the following ways:
•
•
The alias command automatically interacts with the DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently.
You can specify a net alias by using network addresses for the real_ip and mapped_ip IP addresses. For example, the alias 192.168.201.0 209.165.201.0 255.255.255.224 command creates aliases for each IP address between 209.165.201.1 and 209.165.201.30.
To access an alias mapped_ip address with static and access-list commands, specify the mapped_ip address in the access-list command as the address from which traffic is permitted as follows:
hostname(config)# alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255hostname(config)# static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255hostname(config)# access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-datahostname(config)# access-group acl_out in interface outsideAn alias is specified with the inside address 192.168.201.1 mapping to the destination address 209.165.201.1.
When the inside network client 209.165.201.2 connects to example.com, the DNS response from an external DNS server to the internal client's query would be altered by the security appliance to be 192.168.201.29. If the security appliance uses 209.165.200.225 through 209.165.200.254 as the global pool IP addresses, the packet goes to the security appliance with SRC=209.165.201.2 and DST=192.168.201.29. The security appliance translates the address to SRC=209.165.200.254 and DST=209.165.201.29 on the outside.
Examples
This example shows that the inside network contains the IP address 209.165.201.29, which on the Internet belongs to example.com. When inside clients try to access example.com, the packets do not go to the security appliance because the client assumes that the 209.165.201.29 is on the local inside network.
To correct this, use the alias command as follows:
hostname(config)# alias (inside) 192.168.201.0 209.165.201.0 255.255.255.224hostname(config)# show running-config aliasalias 192.168.201.0 209.165.201.0 255.255.255.224This example shows a web server that is on the inside at 10.1.1.11 and the static command that was created at 209.165.201.11. The source host is on the outside with address 209.165.201.7. A DNS server on the outside has a record for www.example.com as follows:
dns-server# www.example.com. IN A 209.165.201.11You must include the period at the end of the www.example.com. domain name.
This example shows how to use the alias command:
hostname(config)# alias 10.1.1.11 209.165.201.11 255.255.255.255The security appliance changes the name server replies to 10.1.1.11 for inside clients to directly connect to the web server.
To provide access you also need the following commands:
hostname(config)# static (inside,outside) 209.165.201.11 10.1.1.11hostname(config)# access-list acl_grp permit tcp host 209.165.201.7 host 209.165.201.11 eq telnethostname(config)# access-list acl_grp permit tcp host 209.165.201.11 eq telnet host 209.165.201.7Related Commands
allocate-interface
To allocate interfaces to a security context, use the allocate-interface command in context configuration mode. To remove an interface from a context, use the no form of this command.
allocate-interface physical_interface [map_name] [visible | invisible]
no allocate-interface physical_interface
allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [map_name[-map_name]] [visible | invisible]
no allocate-interface physical_interface.subinterface[-physical_interface.subinterface]
Syntax Description
invisible
(Default) Allows context users to only see the mapped name (if configured) in the show interface command.
map_name
(Optional) Sets a mapped name.
The map_name is an alphanumeric alias for the interface that can be used within the context instead of the interface ID. If you do not specify a mapped name, the interface ID is used within the context. For security purposes, you might not want the context administrator to know which interfaces are being used by the context.
A mapped name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. For example, you can use the following names:
int0intaint_0For subinterfaces, you can specify a range of mapped names.
See the "Usage Guidelines" section for more information about ranges.
physical_interface
Sets the interface ID, such as gigabitethernet0/1. See the interface command for accepted values.
subinterface
Sets the subinterface number. You can identify a range of subinterfaces.
visible
(Optional) Allows context users to see physical interface properties in the show interface command even if you set a mapped name.
Defaults
The interface ID is invisible in the show interface command output by default if you set a mapped name.
Command Modes
The following table shows the modes in which you can enter the command:
Context configuration
•
•
—
—
•
Command History
Usage Guidelines
You can enter this command multiple times to specify different ranges. To change the mapped name or visible setting, reenter the command for a given interface ID, and set the new values; you do not need to enter the no allocate-interface command and start over. If you remove the allocate-interface command, the security appliance removes any interface-related configuration in the context.
Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA adaptive security appliance, you can use the dedicated management interface, Management 0/0, (either the physical interface or a subinterface) as a third interface for management traffic.
Note
You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces.
If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these guidelines for ranges:
•
int0-int10If you enter gigabitethernet0/1.1-gigabitethernet0/1.5 happy1-sad5, for example, the command fails.
•
gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100If you enter gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int15, for example, the command fails.
Examples
The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/1.305 assigned to the context. The mapped names are int1 through int8.
hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8Related Commands
apcf
To enable an Application Profile Customization Framework profile, use the apcf command in webvpn mode. To disable a particular APCF script, use the no version of the command. To disable all APCF scripts, use the no version of the command without arguments.
apcf URL/filename.ext
no apcf [URL/filename.ext]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you enter the command:
Webvpn mode
•
—
•
—
—
Command History
Usage Guidelines
The Application Profile Customization Framework option enables the security appliance to handle non-standard web applications and web resources so that they render correctly over a WebVPN connection. An APCF profile contains a script that specifies when (pre, post), where (header, body, request, response), and what data to transform for a particular application.
You can use multiple APCF profiles on the security appliance. When you do, the security appliance applies each one of them in the order of oldest to newest.
We recommend that you use the apcf command only with the support of the Cisco TAC.
Examples
The following example shows how to enable an APCF named apcf1, located on flash memory at /apcf.
hostname(config)# webvpnhostname(config-webvpn)# apcf flash:/apcf/apcf1.xmlhostname(config-webvpn)#This example shows how to enable an APCF named apcf2.xml, located on an https server called myserver, port 1440 with the path being /apcf.
hostname(config)# webvpnhostname(config-webvpn)# apcf https://myserver:1440/apcf/apcf2.xmlhostname(config-webvpn)#Related Commands
application-access
To customize the Application Access box of the WebVPN Home page that is displayed to authenticated WebVPN users, and the Application Access window that is launched when the user selects an application, use the application-access command from webvpn customization mode:
application-access {title | message | window} {text | style} value
[no] application-access {title | message | window} {text | style} value
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
Defaults
The default title text of the Application Access box is "Application Access".
The default title style of the Application Access box is:
background-color:#99CCCC;color:black;font-weight:bold;text-transform:uppercase
The default message text of the Application Access box is "Start Application Client".
The default message style of the Application Access box is:
background-color:#99CCCC;color:maroon;font-size:smaller.
The default window text of the Application Access window is:
"Close this window when you finish using Application Access. Please wait for the table to be displayed before starting applications.".
The default window style of the Application Access window is:
background-color:#99CCCC;color:black;font-weight:bold.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn customization
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
The following example customizes the background color of the Application Access box to the RGB hex value 66FFFF, a shade of green:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# application-access title style background-color:#66FFFFRelated Commands
