-
Cisco Security Appliance Command Reference, Version 8.0
-
About This Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P though R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show ddns -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config ldap -- show running-config webvpn auto-signon
-
show service-policy -- show xlate
-
shun -- sysopt radius ignore-secret
-
- T through Z Commands
-
Table Of Contents
shun through sysopt radius ignore-secret Commands
smart-tunnel auto-signon enable
ssl certificate-authentication
sso-server value (group-policy webvpn)
sso-server value (username webvpn)
subject-name (crypto ca certificate map)
subject-name (crypto ca trustpoint)
svc profiles (group-policy or username attributes)
sysopt connection preserve-vpn-flows
sysopt connection reclassify-vpn
shun through sysopt radius ignore-secret Commands
shun
To block connections from an attacking host, use the shun command in privileged EXEC mode. To disable a shun, use the no form of this command.
shun src_ip [dst_ip src_port dest_port [protocol]] [vlan vlan_id]
no shun src_ip [vlan vlan_id]
Syntax Description
Defaults
The default protocol is 0 (any protocol).
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The shun command lets you block connections from an attacking host. Packets matching the values in the command are dropped and logged until the blocking function is removed manually or by the Cisco IPS sensor. The blocking function of the shun command is applied whether or not a connection with the specified host address is currently active.
If you specify the destination address, source and destination ports, and the protocol, then you narrow the shun to connections that match those parameters.
You can only have one shun command per source IP address.
Because the shun command is used to block attacks dynamically, it is not displayed in the security appliance configuration.
Whenever an interface is removed, all shuns that are attached to that interface are also removed. If you add a new interface or replace the same interface (using the same name), then you must add that interface to the IPS sensor if you want the IPS sensor to monitor that interface.
Examples
The following example shows that the offending host (10.1.1.27) makes a connection with the victim (10.2.2.89) with TCP. The connection in the security appliance connection table reads as follows:
10.1.1.27, 555-> 10.2.2.89, 666 PROT TCPApply the shun command using the following options:
hostname# shun 10.1.1.27 10.2.2.89 555 666 tcpThe command deletes the connection from the security appliance connection table and also prevents packets from 10.1.1.27:555 to 10.2.2.89:666 (TCP) from going through the security appliance.
Related Commands
clear shun
Disables all the shuns that are currently enabled and clears the shun statistics.
show conn
Shows all active connections.
show shun
Displays the shun information.
Related Commands
shutdown
To disable an interface, use the shutdown command in interface configuration mode. To enable an interface, use the no form of this command.
shutdown
no shutdown
Syntax Description
This command has no arguments or keywords.
Defaults
All physical interfaces are shut down by default. Allocated interfaces in security contexts are not shut down in the configuration.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
•
Command History
7.0(1)
This command was moved from a keyword of the interface command to an interface configuration mode command.
Usage Guidelines
The default state of an interface depends on the type and the context mode.
In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.
In single mode or in the system execution space, interfaces have the following default states:
•
•
•
Note
Examples\
The following example enables a main interface:
hostname(config)# interface gigabitethernet0/2hostname(config-if)# speed 1000hostname(config-if)# duplex fullhostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownThe following example enables a subinterface:
hostname(config)# interface gigabitethernet0/2.1hostname(config-subif)# vlan 101hostname(config-subif)# nameif dmz1hostname(config-subif)# security-level 50hostname(config-subif)# ip address 10.1.2.1 255.255.255.0hostname(config-subif)# no shutdownThe following example shuts down the subinterface:
hostname(config)# interface gigabitethernet0/2.1hostname(config-subif)# vlan 101hostname(config-subif)# nameif dmz1hostname(config-subif)# security-level 50hostname(config-subif)# ip address 10.1.2.1 255.255.255.0hostname(config-subif)# shutdownRelated Commands
clear xlate
Resets all translations for existing connections, causing the connections to be reset.
interface
Configures an interface and enters interface configuration mode.
shutdown (ca-server mode)
To disable the local Certificate Authority (CA) server and render the enrollment interface inaccessible to users, use the shutdown command in CA server configuration mode. To enable the CA server, lock down the configuration from changes, and to render the enrollment interface accessible, use the no form of this command.
[ no ] shutdown
Syntax Description
This command has no arguments or keywords.
Defaults
Initially, by default, the CA server is shut down.
Command Modes
The following table shows the modes in which you can enter the command:
CA server configuration
•
—
•
—
—
Command History
Usage Guidelines
This command in CA server mode is similar to the shutdown command in interface mode. At setup time, the local CA server is shutdown by default and must be enabled using the no shutdown command. When you use the no shutdown command for the first time, you enable the CA server and generate the CA server certificate and keypair.
Note
To enable the CA server and lock down the current configuration with the no shutdown command, a 7-character password is required to encode and archive a PKCS12 file containing the CA certificate and keypair that is to be generated. The file is stored to the storage identified by a previously specified database path command.
Examples
The following example disables the local CA server and renders the enrollment interface inaccessible:
hostname(config)# crypto ca serverhostname(config-ca-server)# shutdownhostname(config-ca-server)#The following example enables the local CA server and makes the enrollment interface accessible:
hostname(config)# crypto ca serverhostname(config-ca-server)# no shutdownhostname(config-ca-server)#hostname(config-ca-server)# no shutdown% Some server settings cannot be changed after CA certificate generation.% Please enter a passphrase to protect the private key% or type Return to exitPassword: caserverRe-enter password: caserverKeypair generation process begin. Please wait...hostname(config-ca-server)#Related Commands
sla monitor
To create an SLA operation, use the sla monitor command in global configuration mode. To remove the SLA operation, use the no form of this command.
sla monitor sla_id
no sla monitor sla_id
Syntax Description
sla_id
Specifies the ID of the SLA being configured. If the SLA does not already exist, it is created. Valid values are from 1 to 2147483647.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The sla monitor command creates SLA operations and enters SLA Monitor configuration mode. Once you enter this command, the command prompt changes to hostname(config-sla-monitor)# to indicate that you are in SLA Monitor configuration mode. If the SLA operation already exists, and a type has already been defined for it, then the prompt appears as hostname(config-sla-monitor-echo)#. You can create a maximum of 2000 SLA operations. Only 32 SLA operations may be debugged at any time.
The no sla monitor command removes the specified SLA operation and the commands used to configure that operation.
After you configure an SLA operation, you must schedule the operation with the sla monitor schedule command. You cannot modify the configuration of the SLA operation after scheduling it. To modify the the configuration of a scheduled SLA operation, you must use the no sla monitor command to remove the selected SLA operation completely. Removing an SLA operation also removes the associated sla monitor schedule command. Then you can reenter the SLA operation configuration.
To display the current configuration settings of the operation, use the show sla monitor configuration command. To display operational statistics of the SLA operation, use the show sla monitor operation-state command. To see the SLA commands in the configuration, use the show running-config sla monitor command.
Examples
The following example configures an SLA operation with an ID of 123 and creates a tracking entry with the ID of 1 to track the reachability of the SLA:
hostname(config)# sla monitor 123hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outsidehostname(config-sla-monitor-echo)# timeout 1000hostname(config-sla-monitor-echo)# frequency 3hostname(config)# sla monitor schedule 123 life forever start-time nowhostname(config)# track 1 rtr 123 reachabilityRelated Commands
sla monitor schedule
To schedule an SLA operation, use the sla monitor schedule command in global configuration mode. To remove SLA operation schedule, and place the operation in the pending state, use the no form of this command.
sla monitor schedule sla-id [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]
no sla monitor schedule sla-id
Syntax Description
Defaults
The defaults are as follows:
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
When an SLA operation is in an active state, it immediately begins collecting information. The following time line shows the age-out process of the operation:
W----------------------X----------------------Y----------------------Z•
•
•
•
The age out process, if used, starts counting down at W, is suspended between X and Y, and is reset to its configured size are starts counting down again at Y. When an SLA operation ages out, the SLA operation configuration is removed from the running configuration. It is possible for the operation to age out before it executes (that is, Z can occur before X). To ensure that this does not happen, the difference between the operation configuration time and start time (X and W) must be less than the age-out seconds.
The recurring keyword is only supported for scheduling single SLA operations. You cannot schedule multiple SLA operations using a single sla monitor schedule command. The life value for a recurring SLA operation should be less than one day. The ageout value for a recurring operation must be "never" (which is specified with the value 0), or the sum of the life and ageout values must be more than one day. If the recurring option is not specified, the operations are started in the existing normal scheduling mode.
You cannot modify the configuration of the SLA operation after scheduling it. To modify the configuration of a scheduled SLA operation, you must use the no sla monitor command to remove the selected SLA operation completely. Removing an SLA operation also removes the associated sla monitor schedule command. Then you can reenter the SLA operation configuration.
Examples
The following example shows SLA operation 25 scheduled to begin actively collecting data at 3:00 p.m. on April 5. This operation will age out after 12 hours of inactivity. When this SLA operation ages out, all configuration information for the SLA operation is removed from the running configuration.
hostname(config)# sla monitor schedule 25 life 43200 start-time 15:00 apr 5 ageout 43200The following example shows SLA operation 1 schedule to begin collecting data after a 5-minute delay. The default life of one hour applies.
hostname(config)# sla monitor schedule 1 start after 00:05:00The following example shows SLA operation 3 scheduled to begin collecting data immediately and is scheduled to run indefinitely:
hostname(config)# sla monitor schedule 3 life forever start-time nowThe following example shows SLA operation 15 scheduled to begin automatically collecting data every day at 1:30 a.m.:
hostname(config)# sla monitor schedule 15 start-time 01:30:00 recurringRelated Commands
show sla monitor configuration
Displays the SLA configuration settings.
sla monitor
Defines an SLA monitoring operation.
smart-tunnel auto-signon enable
To enable smart tunnel auto sign-on in clientless (browser-based) SSL VPN sessions, use the smart-tunnel auto-signon enable command in group-policy webvpn configuration mode or username webvpn configuration mode.
[no] smart-tunnel auto-signon enable list [domain domain]
To remove the smart-tunnel auto-signon enable command from the group policy or username and inherit it from the default group-policy, use the no form of the command.
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
group-policy webvpn configuration mode
•
—
•
—
—
username webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
The smart-tunnel auto sign-on feature supports only applications communicating HTTP and HTTPS using the Microsoft WININET library. For example, Microsoft Internet Explorer uses the WININET dynamic linked library to communicate with web servers.
You must use the smart-tunnel auto-signon list command to create a list of servers first. You can assign only one list to a group policy or username.
Examples
The following commands enable the smart tunnel auto sign-on list named HR:
hostname(config-group-policy)# webvpnhostname(config-group-webvpn)# smart-tunnel auto-signon enable HRhostname(config-group-webvpn)The following command enables the smart tunnel auto sign-on list named HR and adds the domain named CISCO to the username during authentication:
hostname(config-group-webvpn)# smart-tunnel auto-signon enable HR domain CISCOThe following command removes the smart tunnel auto sign-on list named HR from the group policy and inherits the smart tunnel auto sign-on list command from the default group policy:
hostname(config-group-webvpn)# no smart-tunnel auto-signon enable HRRelated Command
s
smart-tunnel auto-signon list
To create a list of servers for which to automate the submission of credentials in smart tunnel connections, use the smart-tunnel auto-signon list command in webvpn configuration mode.
[no] smart-tunnel auto-signon list [use-domain] {ip ip-address [netmask] | host hostname-mask}
Use this command for each server you want to add to a list. To remove an entry from a list, use the no form of the command, specifying both the list and the IP address or hostname, as it appears in the security appliance configuration. To display the smart tunnel auto sign-on list entries, enter the show running-config webvpn smart-tunnel command in privileged EXEC mode.
To remove an entire list of servers from the security appliance configuration, use the no form of the command, specifying only the list.
no smart-tunnel auto-signon list
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
The smart-tunnel auto sign-on feature supports only applications communicating HTTP and HTTPS using the Microsoft WININET library. For example, Microsoft Internet Explorer uses the WININET dynamic linked library to communicate with web servers.
Following the population of a smart tunnel auto sign-on list, use the smart-tunnel auto-signon enable list command in group policy webvpn or username webvpn mode to assign the list.
Examples
The following command adds all hosts in the subnet and adds the Windows domain to the username if authentication requires it:
asa2(config-webvpn)# smart-tunnel auto-signon HR use-domain ip 192.32.22.56 255.255.255.0The following command removes that entry from the list:
asa2(config-webvpn)# no smart-tunnel auto-signon HR use-domain ip 192.32.22.56 255.255.255.0The command shown above also removes the list named HR if the entry removed is the only entry in the list. Otherwise, the following command removes the entire list from the security appliance configuration:
asa2(config-webvpn)# no smart-tunnel auto-signon HRThe following command adds all hosts in the domain to the smart tunnel auto sign-on list named intranet:
asa2(config-webvpn)# smart-tunnel auto-signon intranet host *.exampledomain.comThe following command removes that entry from the list:
asa2(config-webvpn)# no smart-tunnel auto-signon intranet host *.exampledomain.comRelated Command
s
smart-tunnel auto-start
To start smart tunnel access automatically upon user login in a clientless (browser-based) SSL VPN session, use the smart-tunnel auto-start command in group-policy webvpn configuration mode or username webvpn configuration mode.
smart-tunnel auto-start list
To remove the smart-tunnel command from the group policy or username and inherit the [no] smart-tunnel command from the default group-policy, use the no form of the command.
no smart-tunnel
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
group-policy webvpn configuration mode
•
—
•
—
—
username webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
This command requires that you use the smart-tunnel list command to create the list of applications first.
Examples
The following commands start smart tunnel access for a list of applications named apps1:
hostname(config-group-policy)# webvpnhostname(config-group-webvpn)# smart-tunnel auto-start apps1hostname(config-group-webvpn)The following commands remove the list named apps1 from the group policy and inherit the smart tunnel commands from the default group policy:
hostname(config-group-policy)# webvpnhostname(config-group-webvpn)# no smart-tunnelhostname(config-group-webvpn)Related Command
s
smart-tunnel disable
To prevent smart tunnel access through clientless (browser-based) SSL VPN sessions, use the smart-tunnel disable command in group-policy webvpn configuration mode or username webvpn configuration mode.
smart-tunnel disable
To remove a smart-tunnel command from the group policy or username and inherit the [no] smart-tunnel command from the default group-policy, use the no form of the command.
no smart-tunnel
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
group-policy webvpn configuration mode
•
—
•
—
—
username webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
By default, smart tunnels are not enabled, so the smart-tunnel disable command is necessary only if the (default) group policy or username configuration contains a smart-tunnel auto-start or smart-tunnel enable command that you do not want applied for the group policy or username in question.
Examples
The following commands prevent smart tunnel access:
hostname(config-group-policy)# webvpnhostname(config-group-webvpn)# smart-tunnel disablehostname(config-group-webvpn)Related Command
s
smart-tunnel enable
To enable smart tunnel access through clientless (browser-based) SSL VPN sessions, use the smart-tunnel enable command in group-policy webvpn configuration mode or username webvpn configuration mode.
smart-tunnel enable list
To remove the smart-tunnel command from the group policy or username and inherit the [no] smart-tunnel command from the default group-policy, use the no form of the command.
no smart-tunnel
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
group-policy webvpn configuration mode
•
—
•
—
—
username webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
The smart-tunnel enable command assigns a list of applications eligible for smart tunnel access to a group policy or username. It requires the user to start smart tunnel access manually, using the Application Access > Start Smart Tunnels button on the clientless-SSL-VPN portal page. Alternatively, you can use the smart-tunnel auto-start command to start smart tunnel access automatically upon user login.
Both commands require that you use the smart-tunnel list command to create the list of applications first.
Examples
The following commands enable the smart tunnel list named apps1:
hostname(config-group-policy)# webvpnhostname(config-group-webvpn)# smart-tunnel enable apps1hostname(config-group-webvpn)The following commands remove the list named apps1 from the group policy and inherit the smart tunnel list from the default group policy:
hostname(config-group-policy)# webvpnhostname(config-group-webvpn)# no smart-tunnelhostname(config-group-webvpn)Related Command
s
smart-tunnel list
To populate a list of applications that can use a clientless (browser-based) SSL VPN session to connect to private sites, use the smart-tunnel list command in webvpn configuration mode.
[no] smart-tunnel list list application path [platform OS] [hash]
To remove an application from a list, use the no form of the command, specifying the entry. To remove an entire list of applications from the security appliance configuration, use the no form of the command, specifying only the list.
no smart-tunnel list list
Syntax Description
Defaults
Windows is the default platform.
Command Modes
The following table shows the modes in which you can enter the command:
webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
You can configure more than one smart tunnel list on a security appliance, but you cannot assign more than one smart tunnel list to a given group policy or username. To populate a smart tunnel list, enter the smart-tunnel list command once for each application, entering the same list string, but specifying an application and path that is unique for the OS. Enter the command once for each OS you want the list to support.
The session ignores a list entry if the OS does not match the one indicated in the entry. It also ignores an entry if the path to the application is not present.
To view the smart tunnel list entries in the SSL VPN configuration, enter the show running-config webvpn smart-tunnel command in privileged EXEC mode.
The path must match the one on the computer, but it does not have to be complete. For example, the path can consist of nothing more than the executable file and its extension.
Smart tunnels have the following requirements:
•
•
•
•
On Microsoft Windows, only Winsock 2, TCP-based applications are eligible for smart tunnel access.
On Mac OS, applications using TCP that are dynamically linked to the SSL library can work over a smart tunnel. The following types of applications do not work over a smart tunnel:
•
•
•
•
•
On Mac OS, only applications started from the portal page can establish smart tunnel sessions. This requirement includes smart tunnel support for Firefox.Using Firefox to start another instance of Firefox during the first use of a smart tunnel requires the user profile named csco_st. If this user profile is not present, the session prompts the user to create one.
The following limitations apply to smart tunnels:
•
•
•
•
•
Note
Entering a hash provides a reasonable assurance that clientless SSL VPN does not qualify an illegitimate file that matches the string you specified in the path. Because the checksum varies with each version or patch of an application, the hash you enter can only match one version or patch on the remote host. To specify a hash for more than one version of an application, enter the smart-tunnel list command once for each version, entering the same list string, but specifying the unique application string and unique hash value in each command.
Note
Following the configuration of a smart tunnel list, use the smart-tunnel auto-start or smart-tunnel enable command to assign the list to group policies or usernames.
Examples
The following command adds a Microsoft Windows application named connect.exe to a smart tunnel list named apps1:
hostname(config-webvpn)# smart-tunnel list apps1 LotusSametime connect.exeThe following command adds the Windows application msimn.exe and requires that the hash of the application on the remote host match the last string entered to qualify for smart tunnel access:
hostname(config-webvpn)# smart-tunnel list apps1 OutlookExpress msimn.exe 4739647b255d3ea865554e27c3f96b9476e75061The following command provides smart tunnel support for the Mac OS browser Safari:
hostname(config-webvpn)# smart-tunnel list apps1 Safari /Applications/Safari platform macRelated Command
s
smartcard-removal-disconnect
To disconnect or retain an IPsec client session if the smart card is removed from the user's computer, use the smartcard-removal-disconnect command in group-policy configuration mode.
smartcard-removal-disconnect {enable | disable}
To remove the smartcard-removal-disconnect command from the group policy and inherit the setting from the default group-policy, use the no form of the command.
no smartcard-removal-disconnect
Syntax Description
Defaults
enable
Command Modes
The following table shows the modes in which you can enter the command:
group-policy configuration mode
•
—
•
—
—
Command History
Usage Guidelines
By default, the IPsec client session disconnects if the smart card used for authentication is removed. Enter the smartcard-removal-disconnect disable command if you do not want to require users to keep their smart cards in the computer for the duration of the connection.
Examples
The following command lets the client session continue even if the smart card is removed from the user's computer:
hostname(config-group-policy)# smartcard-removal-disconnect disablehostname(config-group-policy)The following command terminates the client session if the smart card is removed from the user's computer:
hostname(config-group-policy)# smartcard-removal-disconnect enablesmtp from-address
To specify the e-mail address to use in the E-mail From: field for all e-mails generated by the local CA server (such as distribution of one-time passwords) use the smtp from-address command in CA server configuration mode. To reset the e-mail address to the default, use the no form of this command.
smtp from-address e-mail_address
no smtp from-address
Syntax Description
e-mail_address
Specifies the e-mail address appearing in the From: field of all e-mails generated by the CA server.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
CA server configuration
•
—
•
—
—
Command History
Examples
The following example specifies that the From: field of all e-mails from the local CA server include ca-admin@asa1-ca.example.com:
hostname(config)# crypto ca serverhostname(config-ca-server)# smtp from-address ca-admin@asa1-ca.example.comhostname(config-ca-server)#The following example resets the From: field of all e-mails from the local CA server to the default address admin@asa1-ca.example.com:
hostname(config)# crypto ca serverhostname(config-ca-server)# smtp from-address admin@asa1-ca.example.comhostname(config-ca-server)#Related Commands
smtp subject
To customize the text that appears in the subject field of all e-mails generated by the local Certificate Authority (CA) server (such as distribution of one-time passwords), use the smtp subject command in CA server configuration mode. To reset the text to the default, use the no form of this command.
smtp subject subject-line
no smtp subject
Syntax Description
subject-line
Specifies the text appearing in the Subj: field of all e-mails sent from the CA server. The maximum number of characters is 127.
Defaults
By default, the text in the Subj: field is "Certificate Enrollment Invitation".
Command Modes
The following table shows the modes in which you can enter the command:
CA server configuration
•
—
•
—
—
Command History
Examples
The following example specifies that the text Action: Enroll for a certificate appear in the Subj: field of all e-mails from the CA server:
hostname(config)# crypto ca serverhostname(config-ca-server)# smtp subject Action: Enroll for a certificatehostname(config-ca-server)#The following example resets the Subj: field text for all e-mails from the CA server to the default text "Certificate Enrollment Invitation":
hostname(config)# crypto ca serverhostname(config-ca-server)# no smtp subjecthostname(config-ca-server)#Related Commands
smtps
To enter SMTPS configuration mode, use the smtps command in global configuration mode. To remove any commands entered in SMTPS command mode, use the no version of this command. SMTPS is a TCP/IP protocol that lets you to send e-mail over an SSL connection.
smtps
no smtps
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example shows how to enter SMTPS configuration mode:
hostname(config)# smtpshostname(config-smtps)#Related Commands
clear configure smtps
Removes the SMTPS configuration.
show running-config smtps
Displays the running configuration for SMTPS.
smtp-server
To configure an SMTP server, use the smtp-server command in global configuration mode. To remove the attribute from the configuration, use the no version of this command.
The security appliance includes an internal SMTP client that the Events system can use to notify external entities that a certain event has occurred. You can configure SMTP servers to receive these event notices, and then forward them to specified e-mail addresses. The SMTP facility is active only when you enable E-mail events an the security appliance.
smtp-server {primary_server} [backup_server]
no smtp-server
Syntax Description
Defaults
No SMTP server is configured by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Examples
The following example shows how to set an SMTP server with an IP address of 10.1.1.24, and a backup SMTP server with an IP address of 10.1.1.34:
hostname(config)# smtp-server 10.1.1.24 10.1.1.34snmp-map
To identify a specific map for defining the parameters for SNMP inspection, use the snmp-map command in global configuration mode. To remove the map, use the no form of this command.
snmp-map map_name
no snmp-map map_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the snmp-map command to identify a specific map to use for defining the parameters for SNMP inspection. When you enter this command, the system enters the SNMP map configuration mode, which lets you enter the different commands used for defining the specific map. After defining the SNMP map, you use the inspect snmp command to enable the map. Then you use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.
Examples
The following example shows how to identify SNMP traffic, define a SNMP map, define a policy, and apply the policy to the outside interface.
hostname(config)# access-list snmp-acl permit tcp any any eq 161hostname(config)# access-list snmp-acl permit tcp any any eq 162hostname(config)# class-map snmp-porthostname(config-cmap)# match access-list snmp-aclhostname(config-cmap)# exithostname(config)# snmp-map inbound_snmphostname(config-snmp-map)# deny version 1hostname(config-snmp-map)# exithostname(config)# policy-map inbound_policyhostname(config-pmap)# class snmp-porthostname(config-pmap-c)# inspect snmp inbound_snmphostname(config-pmap-c)#Related Commands
snmp-server community
To set the SNMP community string, use the snmp-server community command in global configuration mode. To remove the community string, use the no form of this command.
snmp-server community text
no snmp-server community [text]
Syntax Description
Defaults
The community string is public.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The SNMP community string is a shared secret among the SNMP management station and the network nodes being managed. The security appliance uses a key to determine whether the incoming SNMP request is valid. For example, you could designate a site with a community string and then configure the routers, security appliance, and the management station with this same string. The security appliance uses this string and does not respond to requests with an invalid community string.
Examples
The following example sets the community string to wallawallabingbang:
hostname(config)# snmp-server community wallawallabingbangRelated Commands
snmp-server contact
To set the SNMP server contact name, use the snmp-server contact command in global configuration mode. To remove the SNMP contact name, use the no form of this command.
snmp-server contact text
no snmp-server contact [text]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example sets the SNMP server contact as Pat Johnson:
hostname(config)# snmp-server contact Pat JohnsonRelated Commands
snmp-server enable
To enable the SNMP server on the security appliance, use the snmp-server enable command in global configuration mode. To disable the SNMP server, use the no form of this command.
snmp-server enable
no snmp-server enable
Syntax Description
This command has no arguments or keywords.
Defaults
The SNMP server is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
This command lets you enable and disable SNMP easily, without having to configure and reconfigure the SNMP traps or other configuration.
Examples
The following example enables SNMP, configures the SNMP host and traps, and then sends traps as system messages.
hostname(config)# snmp-server enablehostname(config)# snmp-server community wallawallabingbanghostname(config)# snmp-server location Building 42, Sector 54hostname(config)# snmp-server contact Sherlock Holmeshostname(config)# snmp-server host perimeter 10.1.2.42hostname(config)# snmp-server enable traps allhostname(config)# logging history 7hostname(config)# logging enableRelated Commands
snmp-server enable traps
To enable the security appliance to send traps to the NMS, use the snmp-server enable traps command in global configuration mode. To disable traps, use the no form of this command.
snmp-server enable traps [all | syslog | snmp [trap] [...] | entity [trap] [...] | ipsec [trap] [...] | remote-access [trap]]
no snmp-server enable traps [all | syslog | snmp [trap] [...] | entity [trap] [...] | ipsec [trap] [...] | remote-access [trap]]
Syntax Description
Defaults
The default configuration has all snmp traps enabled (snmp-server enable traps snmp authentication linkup linkdown coldstart). You can disable these traps using the no form of this command with the snmp keyword. However, the clear configure snmp-server command restores the default enabling of SNMP traps.
If you enter this command and do not specify a trap type, then the default is syslog. (The default snmp traps continue to be enabled along with the syslog trap.)
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Enter this command for each feature type to enable individual traps or sets of traps, or enter the all keyword to enable all traps.
To send traps to the NMS, enter the logging history command, and enable logging using the logging enable command.
Examples
The following example enables SNMP, configures the SNMP host and traps, and then sends traps as system messages.
hostname(config)# snmp-server enablehostname(config)# snmp-server community wallawallabingbanghostname(config)# snmp-server location Building 42, Sector 54hostname(config)# snmp-server contact Sherlock Holmeshostname(config)# snmp-server host perimeter 10.1.2.42hostname(config)# snmp-server enable traps allhostname(config)# logging history 7hostname(config)# logging enableRelated Commands
snmp-server group
To configure a new SNMP group, use the snmp-server group command in global configuration mode. To remove a specified SNMP group, use the no form of this command.
snmp-server group group-name {v3 {auth | noauth | priv}}
no snmp-server group group-name {v3 {auth | noauth | priv}}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
To use the Version 3 security model, you must first configure an SNMP group, then configure an SNMP user, and then configure an SNMP host. You must also specify Version 3 and a security level. When a community string is configured internally, two groups with the name "public" are automatically created—one for the Version 1 security model and one for the Version 2c security model. When you delete a community string, both configured groups are automatically deleted.
Note
Examples
The following example show how the security appliance can receive SNMP requests using the SNMP Version 3 security model, which includes creating a group, creating a user, and creating a host:
hostname(config)# snmp-server group v3 vpn-group privhostname(config)# snmp-server user admin vpn group v3 auth sha letmein priv 3des cisco123hostname(config)# snmp-server host mgmt 10.0.0.1 version 3 priv adminRelated Commands
clear configure snmp-server
Clears the SNMP configuration counters.
snmp-server host
Sets the SNMP host address.
snmp-server user
Creates a new SNMP user.
snmp-server host
To specify the NMS that can use SNMP on the security appliance, use the snmp-server host command in global configuration mode. To disable the NMS, use the no form of this command.
snmp-server host {interface {hostname | ip_address}} [trap | poll] [community 0 | 8 community-string] [version {1 | 2c | 3 username}] [udp-port port]
no snmp-server host {interface {hostname | ip_address}} [trap | poll] [community 0 | 8 community-string] [version {1 | 2c | 3 username}] [udp-port port]
Syntax Description
Defaults
The default UDP port is 162.
The default version is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Preexisting
This command was preexisting.
8.0(5)
Support for encrypted passwords was added.
Usage Guidelines
You can specify up to 32 NMSs. If you configure the snmp-server host command on a port that is currently in use, the following message appears:
Warning
The existing SNMP thread continues to poll every 60 seconds until the port is available, and issues syslog message %ASA-1-212001 if the port is still in use.
Examples
To use the Version 3 security model, you must configure an SNMP group first, then an SNMP user, and then an SNMP host. The username must already be configured on the device. When a device is configured as the standby unit of a failover pair, the SNMP engine ID and user configuration are replicated from the active unit. This action allows a transparent switchover from an SNMP Version 3 query perspective. No configuration changes are necessary in the NMS to accommodate a switchover event.
After you have used an encrypted community string, only the encrypted form is visible to all systems (for example, CLI, ASDM, CSM, and so on). The clear text password is not visible.
The encrypted community string is always generated by the security appliance; you normally enter the clear text form.
During bootup or upgrade of the security appliance, single-digit passwords and passwords starting with a digit followed by a whitespace are no longer supported. For example, 0 pass and 1 are invalid passwords.
Note
The following example sets the host to 10.1.2.42 attached to the perimeter interface:
hostname(config)# snmp-server host perimeter 10.1.2.42The following example show how the security appliance can receive SNMP requests using the SNMP Version 3 security model, which includes creating a group, creating a user, and creating a host:
hostname(config)# snmp-server group v3 vpn-group privhostname(config)# snmp-server user admin vpn group v3 auth sha letmein priv 3des cisco123hostname(config)# snmp-server host mgmt 10.0.0.1 version 3 priv adminThe following example sets the host to use an encrypted community string:
hostname(config)# snmp-server host mgmt 1.2.3.4 community 8 LvAu+JdFG+GjPmZYlKvAhXpb28E=The following example sets the host to use an unencrypted community string:
hostname(config)# snmp-server host mgmt 1.2.3.4 community 0 ciscoRelated Commands
snmp-server listen-port
To set the listening port for SNMP requests, use the snmp-server listen-port command in global configuration mode. To restore the default port, use the no form of the command.
snmp-server listen-port lport
no snmp-server listen-port lport
Syntax Description
lport
The port on which incoming requests will be accepted. The default port is 1611 .
1 The snmp-server listen-port command is only available in admin context, and is not available in the system context.
Defaults
The default port is 161.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
If you configure the snmp-server listen-port command on a port that is currently in use, the following message appears:
Warning
The existing SNMP thread continues to poll every 60 seconds until the port is available, and issues syslog message %ASA-1-212001 if the port is still in use.
Examples
The following example sets the listening port to 192:
hostname(config)# snmp-server listen-port 192Related Commands
snmp-server location
To set the security appliance location for SNMP, use the snmp-server location command in global configuration mode. To remove the location, use the no form of this command.
snmp-server location text
no snmp-server location [text]
Syntax Description
location text
Specifies the security appliance location. The location text is case sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example sets the security appliance location for SNMP as Building 42, Sector 54:
hostname(config)# snmp-server location Building 42, Sector 54Related Commands
snmp-server user
To configure a new SNMP user, use the snmp-server user command in global configuration mode. To remove a specified SNMP user, use the no form of this command.
snmp-server user username group-name {v3 [encrypted] [auth {md5 | sha} auth-password]} [priv {des | 3des | aes {128 | 192 | 256}} priv-password]
no snmp-server user username group-name {v3 [encrypted] [auth {md5 | sha} auth-password]} [priv {des | 3des | aes {128 | 192 | 256}} priv-password]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
An SNMP user must be part of an SNMP group. To use the Version 3 security model, you must first configure an SNMP group, then configure an SNMP user, and then configure an SNMP host.
Note
When the snmp-server user configuration is displayed on the console or written to a file (for example, the startup-configuration file), the localized authentication and privacy digests always appear instead of a plain-text password. This usage is required by RFC 3414, Section 11.2.
Note
During bootup or upgrade of the security appliance, single-digit passwords and passwords starting with a digit followed by a whitespace are no longer supported. For example, 0 pass and 1 are invalid passwords.
Examples
The following example show how the security appliance can receive SNMP requests using the SNMP Version 3 security model:
hostname(config)# snmp-server group engineering v3 authhostname(config)# snmp-server user engineering v3 auth sha mypasswordRelated Commands
software-version
To identify the Server and User-Agent header fields, which expose the software version of either a server or an endpoint, use the software-version command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.
software-version action {mask | log} [log}
no software-version action {mask | log} [log}
Syntax Description
mask
Masks the software version in the SIP message.
log
Specifies standalone or additional log in case of violation.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to identify the software version in a SIP inspection policy map:
hostname(config)# policy-map type inspect sip sip_maphostname(config-pmap)# parametershostname(config-pmap-p)# software-version action logRelated Commands
speed
To set the speed of a copper (RJ-45) Ethernet interface, use the speed command in interface configuration mode. To restore the speed setting to the default, use the no form of this command.
speed {auto | 10 | 100 | 1000 | nonegotiate}
no speed [auto | 10 | 100 | 1000 | nonegotiate]
Syntax Description
Defaults
For copper interfaces, the default is speed auto.
For fiber interfaces, the default is no speed nonegotiate.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
•
Command History
7.0(1)
This command was moved from a keyword of the interface command to an interface configuration mode command.
Usage Guidelines
Set the speed on the physical interface only.
If your network does not support auto detection, set the speed to a specific value.
For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.
If you set the speed to anything other than auto on PoE ports, if available, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
Examples
The following example sets the speed to 1000BASE-T:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# speed 1000hostname(config-if)# duplex fullhostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownRelated Commands
split-dns
To enter a list of domains to be resolved through the split tunnel, use the split-dns command in group-policy configuration mode. To delete a list, use the no form of this command.
To delete all split tunneling domain lists, use the no split-dns command without arguments. This deletes all configured split tunneling domain lists, including a null list created by issuing the split-dns none command.
When there are no split tunneling domain lists, users inherit any that exist in the default group policy. To prevent users from inheriting such split tunneling domain lists, use the split-dns none command.
split-dns {value domain-name1 domain-name2 domain-nameN | none}
no split-dns [domain-name domain-name2 domain-nameN]
Syntax Description
Defaults
Split DNS is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
Use a single space to separate each entry in the list of domains. There is no limit on the number of entries, but the entire string can be no longer than 255 characters. You can use only alphanumeric characters, hyphens (-), and periods (.).
The no split-dns command, when used without arguments, deletes all current values, including a null value created by issuing the split-dns none command.
Neither the AnyConnect VPN Client nor the SSL VPN Client supports split DNS.
Examples
The following example shows how to configure the domains Domain1, Domain2, Domain3 and Domain4 to be resolved through split tunneling for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# split-dns value Domain1 Domain2 Domain3 Domain4Related Commands
split-horizon
To reenable EIGRP split horizon, use the split-horizon command in interface configuration mode. To disable EIGRP split horizon, use the no form of this command.
split-horizon eigrp as-number
no split-horizon eigrp as-number
Syntax Description
Defaults
The split-horizon command is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
For networks that include links over X.25 packet-switched networks, you can use the neighbor command to defeat the split horizon feature. As an alternative, you can explicitly specify the no split-horizon eigrp command in your configuration. However, if you do so, you must similarly disable split horizon for all routers and access servers in any relevant multicast groups on that network.
In general, it is best that you not change the default state of split horizon unless you are certain that your application requires the change in order to properly advertise routes. If split horizon is disabled on a serial interface and that interface is attached to a packet-switched network, you must disable split horizon for all routers and access servers in any relevant multicast groups on that network.
Examples
The following example disables EIGRP split horizon on interface Ethernet0/0:
hostname(config)# interface Ethernet0/0hostname(config-if)# no split-horizon eigrp 100Related Commands
router eigrp
Creates an EIGRP routing process and enters configuration mode for that process.
split-tunnel-network-list
To create a network list for split tunneling, use the split-tunnel-network-list command in group-policy configuration mode. To delete a network list, use the no form of this command.
To delete all split tunneling network lists, use the no split-tunnel-network-list command without arguments. This deletes all configured network lists, including a null list created by issuing the split-tunnel-network-list none command.
When there are no split tunneling network lists, users inherit any network lists that exist in the default or specified group policy. To prevent users from inheriting such network lists, use the split-tunnel-network-list none command.
Split tunneling network lists distinguish networks that require traffic to travel across the tunnel from those that do not require tunneling.
split-tunnel-network-list {value access-list name | none}
no split-tunnel-network-list value [access-list name]
Syntax Description
Defaults
By default, there are no split tunneling network lists.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
The security appliance makes split tunneling decisions on the basis of a network list, which is a standard ACL that consists of a list of addresses on the private network.
The no split-tunnel-network-list command, when used without arguments, deletes all current network lists, including a null value created by issuing the split-tunnel-network-list none command.
Examples
The following example shows how to set a network list called FirstList for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# split-tunnel-network-list FirstListRelated Commands
split-tunnel-policy
To set a split tunneling policy, use the split-tunnel-policy command in group-policy configuration mode. To remove the split-tunnel-policy attribute from the running configuration, use the no form of this command. This enables inheritance of a value for split tunneling from another group policy.
Split tunneling lets a remote-access IPSec client conditionally direct packets over an IPSec tunnel in encrypted form, or to a network interface in cleartext form. With split-tunneling enabled, packets not bound for destinations on the other side of the IPSec tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination.
This command applies this split tunneling policy to a specific network.
split-tunnel-policy {tunnelall | tunnelspecified | excludespecified}
no split-tunnel-policy
Syntax Description
Defaults
Split tunneling is disabled by default, which is tunnelall.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Command History
Usage Guidelines
Split tunneling is primarily a traffic management feature, not a security feature. In fact, for optimum security, we recommend that you not enable split tunneling.
Examples
The following example shows how to set a split tunneling policy of tunneling only specified networks for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# split-tunnel-policy tunnelspecifiedRelated Commands
spoof-server
To substitute a string for the server header field for HTTP protocol inspection, use the spoof-server command in parameters configuration mode. To disable this feature, use the no form of this command.
spoof-server string
no spoof-server string
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Usage Guidelines
WebVPN streams are not subject to the spoof-server comand.
Examples
The following example shows how to substitute a string for the server header field in an HTTP inspection policy map:
hostname(config-pmap-p)# spoof-server stringRelated Commands
sq-period
To specify the interval between each successful posture validation in a NAC Framework session and the next query for changes in the host posture, use the sq-period command in nac-policy-nac-framework configuration mode. To remove the command from the NAC policy, use the no form of this command.
sq-period seconds
no sq-period [seconds]
Syntax Description
Defaults
The default value is 300.
Command Modes
The following table shows the modes in which you can enter the command:
nac-policy-nac-framework configuration
•
—
•
—
—
Command History
7.3(0)
"nac-" removed from command name. Command moved from group-policy configuration mode to nac-policy-nac-framework configuration mode.
7.2(1)
This command was introduced.
Usage Guidelines
The security appliance starts the status query timer after each successful posture validation and status query response. The expiration of this timer triggers a query for changes in the host posture, referred to as a status query.
Examples
The following example changes the value of the status query timer to 1800 seconds:
hostname(config-nac-policy-nac-framework)# sq-period 1800hostname(config-nac-policy-nac-framework)The following example removes the status query timer from the NAC Framework policy:
hostname(config-nac-policy-nac-framework)# no sq-periodhostname(config-nac-policy-nac-framework)Related Commands
ssh
To add SSH access to the security appliance, use the ssh command in global configuration mode. To disable SSH access to the security appliance, use the no form of this command. This command supports IPv4 and IPv6 addresses.
ssh {ip_address mask | ipv6_address/prefix} interface
no ssh {ip_address mask | ipv6_address/prefix} interface
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The ssh ip_address command specifies hosts or networks that are authorized to initiate an SSH connection to the security appliance. You can have multiple ssh commands in the configuration. The no form of the command removes a specific SSH command from the configuration. Use the clear configure ssh command to remove all SSH commands.
Before you can begin using SSH to the security appliance, you must generate a default RSA key using the crypto key generate rsa command.
The following security algorithms and ciphers are supported on the security appliance:
•
•
•
•
The following SSH Version 2 features are not supported on the security appliance:
•
•
•
•
•
Examples
The following example shows how to configure the inside interface to accept SSH version 2 connections from a management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.
hostname(config)# ssh 10.1.1.1 255.255.255.0 insidehostname(config)# ssh version 2hostname(config)# ssh copy enablehostname(config)# ssh timeout 60Related Commands
ssh disconnect
To disconnect an active SSH session, use the ssh disconnect command in privileged EXEC mode.
ssh disconnect session_id
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
You must specify a session ID. Use the show ssh sessions command to obtain the ID of the SSH session you want to disconnect.
Examples
The following example shows an SSH session being disconnected:
hostname# show ssh sessionsSID Client IP Version Mode Encryption Hmac State Username0 172.69.39.39 1.99 IN aes128-cbc md5 SessionStarted patOUT aes128-cbc md5 SessionStarted pat1 172.23.56.236 1.5 - 3DES - SessionStarted pat2 172.69.39.29 1.99 IN 3des-cbc sha1 SessionStarted patOUT 3des-cbc sha1 SessionStarted pathostname# ssh disconnect 2hostname# show ssh sessionsSID Client IP Version Mode Encryption Hmac State Username0 172.69.39.29 1.99 IN aes128-cbc md5 SessionStarted patOUT aes128-cbc md5 SessionStarted pat1 172.23.56.236 1.5 - 3DES - SessionStarted patRelated Commands
show ssh sessions
Displays information about active SSH sessions to the security appliance.
ssh timeout
Sets the timeout value for idle SSH sessions.
ssh scopy enable
To enable Secure Copy (SCP) on the security appliance, use the ssh scopy enable command in global configuration mode. To disable SCP, use the no form of this command.
ssh scopy enable
no ssh scopy enable
Syntax Description
This command has no keywords or arguments.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
SCP is a server-only implementation; it will be able to accept and terminate connections for SCP but can not initiate them. The security appliance has the following restrictions:
•
•
•
•
Before initiating the file transfer, the security appliance check available Flash memory. If there is not enough available space, the security appliance terminates the SCP connection. If you are overwriting a file in Flash memory, you still need to have enough free space for the file being copied to the security appliance. The SCP process copies the file to a temporary file first, then copies the temporary file over the file being replaced. If you do not have enough space in Flash to hold the file being copied and the file being overwritten, the security appliance terminates the SCP connection.
Examples
The following example shows how to configure the inside interface to accept SSH Version 2 connections from a management console with the IP address, 10.1.1.1. The idle session timeout is set to 60 minutes, and SCP is enabled.
hostname(config)# ssh 10.1.1.1 255.255.255.0 insidehostname(config)# ssh version 2hostname(config)# ssh scopy enablehostname(config)# ssh timeout 60Related Commands
ssh timeout
To change the default SSH session idle timeout value, use the ssh timeout command in global configuration mode. To restore the default timeout value, use the no form of this command.
ssh timeout number
no ssh timeout
Syntax Description
number
Specifies the duration in minutes that an SSH session can remain inactive before being disconnected. Valid values are from 1 to 60 minutes.
Defaults
The default session timeout value is 5 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The ssh timeout command specifies the duration in minutes that a session can be idle before being disconnected. The default duration is 5 minutes.
Examples
The following example shows how to configure the inside interface to accept only SSH version 2 connections from a management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.
hostname(config)# ssh 10.1.1.1 255.255.255.0 insidehostname(config)# ssh version 2hostname(config)# ssh copy enablehostname(config)# ssh timeout 60Related Commands
ssh version
To restrict the version of SSH accepted by the security appliance, use the ssh version command in global configuration mode. To restore the default value, use the no form of this command. The default values permits SSH Version 1 and SSH Version 2 connections to the security appliance.
ssh version {1 | 2}
no ssh version [1 | 2]
Syntax Description
1
Specifies that only SSH Version 1 connections are supported.
2
Specifies that only SSH Version 2 connections are supported.
Defaults
By default, both SSH Version 1 and SSH Version 2 are supported.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
1 and 2 specify which version of SSH the security appliance is restricted to using. The no form of the command returns the security appliance to the default stance, which is compatible mode (both version can be used).
Examples
The following example shows how to configure the inside interface to accept SSH Version 2 connections from a management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.
hostname(config)# ssh 10.1.1.1 255.255.255.0 insidehostname(config)# ssh version 2hostname(config)# ssh copy enablehostname(config)# ssh timeout 60Related Commands
ssl certificate-authentication
To enable client certificate authentication, use the ssl certificate-authentication command in global configuration mode. To disable ssl certificate authentication, use the no version of this command.
ssl certificate-authentication interface interface-name port port-number
no ssl certificate-authentication interface interface-name port port-number
Syntax Description
interface-name
The name of the selected interface, such as inside, management, and outside.
port-number
The TCP port number, an integer in the range 1-65535.
Defaults
This feature is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
This command replaces the deprecated http authentication-certificate command.
Examples
The following example shows how to configure the security appliance to use the SSL certificate authentication feature:
hostname(config)# ssl certificate-authentication interface inside port 330Related Commands
ssl client-version
To specify the SSL/TLS protocol version the security appliance uses when acting as a client, use the ssl client-version command in global configuration mode. To revert to the default, any, use the no version of this command. This command lets you restrict the versions of SSL/TLS that the security appliance sends.
ssl client-version [any | sslv3-only | tlsv1-only]
no ssl client-version
Syntax Description
Defaults
The default value is any.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
TCP Port Forwarding does not work when a WebVPN user connects with some SSL versions, as follows:
Negotiate SSLv3
Java downloads
Negotiate SSLv3/TLSv1
Java downloads
Negotiate TLSv1
Java does NOT download
TLSv1Only
Java does NOT download
SSLv3Only
Java does NOT download
The issue is that JAVA only negotiates SSLv3 in the client Hello packet when you launch the Port Forwarding application.Examples
The following example shows how to configure the security appliance to communicate using only TLSv1 when acting as an SSL client:
hostname(config)# ssl client-version tlsv1-onlyRelated Commands
ssl encryption
To specify the encryption algorithms that the SSL/TLS protocol uses, use the ssl encryption command in global configuration mode. Issuing the command again overwrites the previous setting. The ordering of the algorithms determines preference for their use. You can add or remove algorithms to meet the needs of your environment. To restore the default, which is the complete set of encryption algorithms, use the no version of the command.
ssl encryption [3des-sha1] [des-sha1] [rc4-md5] [aes128-sha1] [aes256-sha1] [possibly others]
no ssl encryption
Syntax Description
Defaults
The default is to have all algorithms available in the following order:
[3des-sha1] [des-sha1] [rc4-md5] [possibly others]
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The ASDM License tab reflects the maximum encryption the license supports, not the value you configure.
Examples
The following example shows how to configure the security appliance to use the 3des-sha1 and des-sha1 encryption algorithms:
hostname(config)# ssl encryption 3des-sha1 des-sha1Related Commands
ssl server-version
To specify the SSL/TLS protocol version the security appliance uses when acting as a server, use the ssl server-version command in global configuration mode. To revert to the default, any, use the no version of this command. This command lets you restrict the versions of SSL/TSL that the security appliance accepts.
ssl server-version [any | sslv3 | tlsv1 | sslv3-only | tlsv1-only]
no ssl server-version
Syntax Description
Defaults
The default value is any.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
TCP Port Forwarding does not work when a WebVPN user connects with some SSL versions, as follows:
Negotiate SSLv3
Java downloads
Negotiate SSLv3/TLSv1
Java downloads
Negotiate TLSv1
Java does NOT download
TLSv1Only
Java does NOT download
SSLv3Only
Java does NOT download
If you configure e-mail proxy, do not set thhe SSL version to TLSv1 Only. Outlook and Outlook Express do not support TLS.
Examples
The following example shows how to configure the security appliance to communicate using only TLSv1 when acting as an SSL server:
hostname(config)# ssl server-version tlsv1-onlyRelated Commands
ssl trust-point
To specify the certificate trustpoint that represents the SSL certificate for an interface, use the ssl trust-point command with the interface argument in global configuration mode. If you do not specify an interface, this command creates the fallback trustpoint for all interfaces that do not have a trustpoint configured. To remove an SSL trustpoint from the configuration that does not specify an interface, use the no version of this command. To remove an entry that does specify an interface, use the no ssl trust-point {trustpoint [interface]} version of the command.
ssl trust-point {trustpoint [interface]}
no ssl trust-point
Syntax Description
Defaults
The default is no trustpoint association. The security appliance uses the default self-generated RSA key-pair certificate.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Observe these guidelines when using this command:
•
•
•
•
•
The following example explains how to use the no versions of this command:
The configuration includes these SSL trustpoints:
ssl trust-point tp1
ssl trust-point tp2 outside
Issue the command:
no ssl trust-point
Then show run ssl will have:
ssl trust-point tp2 outside
Examples
The following example shows how to configure an ssl trustpoint called FirstTrust for the inside interface, and a trustpoint called DefaultTrust with no associated interface.
hostname(config)# ssl trust-point FirstTrust insidehostname(config)# ssl trust-point DefaultTrustThe next example shows how to use the no version of the command to delete a trustpoint that has no associated interface:
hostname(config)# show running-configuration sslssl trust-point FirstTrust insidessl trust-point DefaultTrusthostname(config)# no ssl trust-pointhostname(config)# show running-configuration sslssl trust-point FirstTrust insideThe next example shows how to delete a trustpoint that does have an associated interface:
hostname(config)# show running-configuration sslssl trust-point FirstTrust insidessl trust-point DefaultTrusthostname(config)# no ssl trust-point FirstTrust insidehostname(config)# show running-configuration sslssl trust-point DefaultTrustRelated Commands
sso-server
To create a Single Sign-On (SSO) server for security appliance user authentication, use the sso-server command in webvpn configuration mode. With this command, you must specify the SSO server type.
To remove an SSO server, use the no form of this command.
sso-server name type [siteminder | saml-v1.1-post ]
no sso-server name
Note
Syntax Description
Syntax DescriptionSyntax Description
Defaults
There is no default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The sso-server command lets you create an SSO server.
In the authentication, the security appliance acts as a proxy for the WebVPN user to the SSO server. The security appliance currently supports the SiteMinder SSO server (formerly Netegrity SiteMinder) and the SAML POST-type SSO server. Currently, the available arguments for the type option are restricted to siteminder or saml-V1.1-post.
Examples
The following example, entered in webvpn configuration mode, creates a SiteMinder-type SSO server named "example1":
hostname(config)# webvpnhostname(config-webvpn)# sso-server example1 type siteminderhostname(config-webvpn-sso-siteminder)#The following example, entered in webvpn configuration mode, creates a SAML, Version 1.1, POST-type SSO server named "example2":
hostname(config)# webvpnhostname(config-webvpn)# sso-server example2 type saml-v1.1-posthostname(config-webvpn-sso-saml)#Related Commands
sso-server value (group-policy webvpn)
To assign an SSO server to a group policy, use the sso-server value command in webvpn configuration mode available in group-policy configuration mode.
To remove the assignment and use the default policy, use the no form of this command.
To prevent inheriting the default policy, use the sso-server none command.
sso-server {value name | none}
[no] sso-server value name
Syntax Description
Syntax DescriptionSyntax Description
Defaults
The default policy assigned to the group is DfltGrpPolicy.
Command Modes
The following table shows the modes in which you can enter the command:
group-policy webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
The sso-server value command, when entered in group-policy webvpn mode, lets you assign an SSO server to a group policy.
Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The security appliance currently supports the SiteMinder-type of SSO server and the SAML POST-type SSO server.
This command applies to both types of SSO Servers.
Note
Examples
The following example commands create the group policy my-sso-grp-pol and assigns it to the SSO server named example:
hostname(config)# group-policy my-sso-grp-pol internalhostname(config)# group-policy my-sso-grp-pol attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# sso-server value examplehostname(config-group-webvpn)#Related Commands
Related Commandshostname
sso-server value (username webvpn)
To assign an SSO server to a user policy, use the sso-server value command in webvpn configuration mode available in username configuration mode.
To remove an SSO server assignment for a user, use the no form of this command.
When a user policy inherits an unwanted SSO server assignment from a group policy, use the sso-server none command to remove the assignment.
sso-server {value name | none}
[no] sso-server value name
Syntax Description
Syntax DescriptionSyntax Description
Defaults
The default is for the user policy to use the SSO server assignment in the group policy.
Command Modes
The following table shows the modes in which you can enter the command:
username webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The security appliance currently supports the SiteMinder-type of SSO server and the SAML POST-type SSO server.
This command applies to both types of SSO Servers.
The sso-server value command lets you assign an SSO server to a user policy.
Note
Examples
The following example commands assign the SSO server named my-sso-server to the user policy for a WebVPN user named Anyuser:
hostname(config)# username Anyuser attributeshostname(config-username)# webvpnhostname(config-username-webvpn)# sso-server value my-sso-serverhostname(config-username-webvpn)#Related Commands
start-url
To enter the URL at which to retrieve an optional pre-login cookie, use the start-url command in aaa-server-host configuration mode. This is an SSO with HTTP Forms command.
start-url string
Note
Syntax Description
Syntax DescriptionSyntax Description
Defaults
There is no default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server-host configuration
•
—
•
—
—
Command History
Usage Guidelines
The WebVPN server of the security appliance can use an HTTP POST request to submit a single sign-on authentication request to an authenticating web server. The authenticating web server may execute a pre-login sequence by sending a Set-Cookie header along with the login page content. You can discover this by connecting directly to the authenticating web server's login page with your browser. If the web server sets a cookie when the login page loads and if this cookie is relevant for the following login session, you must use the start-url command to enter the URL at which the cookie is retrieved. The actual login sequence starts after the pre-login cookie sequence with the form submission to the authenticating web server.
Note
Examples
The following example, entered in aaa-server host configuration mode, specifies a URL for retrieving the pre-login cookie of https://example.com/east/Area.do?Page-Grp1:
hostname(config)# aaa-server testgrp1 (inside) host example.comhostname(config-aaa-server-host)# start-url https://example.com/east/Area.do?Page=Grp1hostname(config-aaa-server-host)#Related Commands
state-checking
To enforce state checking for H.323, use the state-checking command in parameters configuration mode. To disable this feature, use the no form of this command.
state-checking [h225 | ras]
no state-checking [h225 | ras]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to enforce state checking for RAS on an H.323 call:
hostname(config)# policy-map type inspect h323 h323_maphostname(config-pmap)# parametershostname(config-pmap-p)# state-checking ras
