-
Cisco ASA Series Command Reference, 8.4, 8.5, 8.6, and 8.7
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show ddns -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config ldap -- show running-config wccp
-
show service-policy -- show xlate
-
shun -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
acl-netmask-convert through auto-update timeout Commands
address (dynamic-filter blacklist or whitelist)
address-pool (tunnel-group general attributes mode)
address-pools (group-policy attributes configuration mode)
anyconnect profiles (group-policy or username attributes)
anyconnect routing-filtering-ignore
application-access hide-details
authenticated-session-username
authentication-attr-from-server
authentication-server-group (imap4s, pop3s, smtps)
authentication-server-group (tunnel-group general-attributes)
acl-netmask-convert through auto-update timeout Commands
acl-netmask-convert
To specify how the ASA treats netmasks received in a downloadable ACL from a RADIUS server that is accessed by using the aaa-server host command, use the acl-netmask-convert command in aaa-server host configuration mode. To remove the specified behavior for the ASA, use the no form of this command.
acl-netmask-convert {auto-detect | standard | wildcard}
no acl-netmask-convert
Syntax Description
Defaults
By default, no conversion from wildcard netmask expressions is performed.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server-host configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the acl-netmask-convert command with the wildcard or auto-detect keywords when a RADIUS server provides downloadable ACLs that contain netmasks in wildcard format. The ASA expects downloadable ACLs to contain standard netmask expressions, whereas Cisco VPN 3000 series concentrators expect downloadable ACLs to contain wildcard netmask expressions that are the reverse of a standard netmask expression. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. The acl-netmask-convert command helps minimize the effects of these differences on how you configure downloadable ACLs on your RADIUS servers.
The auto-detect keyword is helpful when you are uncertain how the RADIUS server is configured; however, wildcard netmask expressions with "holes" in them cannot be unambiguously detected and converted. For example, the wildcard netmask 0.0.255.0 permits anything in the third octet and can be used validly on Cisco VPN 3000 series concentrators, but the ASA may not detect this expression as a wildcard netmask.
Examples
The following example configures a RADIUS AAA server named "srvgrp1" on host "192.168.3.4", enables conversion of downloadable ACL netmasks, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures authentication port 1650:
hostname(config)#aaa-server svrgrp1 protocol radiushostname(config-aaa-server-group)#aaa-server svrgrp1 host 192.168.3.4hostname(config-aaa-server-host)#acl-netmask-convert wildcardhostname(config-aaa-server-host)#timeout 9hostname(config-aaa-server-host)#retry-interval 7hostname(config-aaa-server-host)#authentication-port 1650hostname(config-aaa-server-host)#exithostname(config)#Related Commands
action
To either apply access policies to a session or teminate the session, use the action command in dynamic-access-policy-record configuration mode. To reset the session to apply an access policy to a session, use the no form of this command.
action {continue | terminate}
no action {continue | terminate}
Syntax Description
Defaults
The default value is continue.
Command Modes
The following table shows the modes in which you can enter the command:
Dynamic-access-policy-record configuration
•
•
•
—
—
Command History
Usage Guidelines
Use the continue keyword to apply the access policies to the session in all of the selected DAP records. Use the terminate keyword to terminate the connection in any of the selected DAP records.
Examples
The following example shows how to terminate a session for the DAP policy Finance:
hostname (config)#config-dynamic-access-policy-record Financehostname(config-dynamic-access-policy-record)#action terminatehostname(config-dynamic-access-policy-record)#Related Commands
action-uri
To specify a web server URI to receive a username and password for single sign-on authentication, use the action-uri command in aaa-server-host configuration mode. This is an SSO with HTTP Forms command. To reset the URI parameter value, use the no form of this command.
action-uri string
no action-uri
Note
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server-host configuration
•
—
•
—
—
Command History
Usage Guidelines
A URI or Uniform Resource Identifier is a compact string of characters that identifies a point of content on the Internet, whether it be a page of text, a video or sound clip, a still or animated image, or a program. The most common form of URI is the web page address, which is a particular form or subset of URI called a URL.
The WebVPN server of the ASA can use a POST request to submit a single sign-on authentication request to an authenticating web server. To accomplish this, configure the ASA to pass a username and a password to an action URI on an authenticating web server using an HTTP POST request. The action-uri command specifies the location and name of the authentication program on the web server to which the ASA sends the POST request.
You can discover the action URI on the authenticating web server by connecting to the web server login page directly with a browser. The URL of the login web page displayed in your browser is the action URI for the authenticating web server.
For ease of entry, you can enter URIs on multiple, sequential lines. The ASA then concatenates the lines into the URI as you enter them. While the maximum characters per action-uri line is 255 characters, you can enter fewer characters on each line.
Note
Examples
The following example specifies the URI on www.example.com:
http://www.example.com/auth/index.html/appdir/authc/forms/MCOlogin.fcc?TYPE=33554433&REALMOID=06-000a1311-a828-1185-ab41-8333b16a0008&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$5FZmjnk3DRNwNjk2KcqVCFbIrNT9%2bJ0H0KPshFtg6rB1UV2PxkHqLw%3d%3d&TARGET=https%3A%2F%2Fauth.example.com
hostname(config)# aaa-server testgrp1 host www.example.comhostname(config-aaa-server-host)# action-uri http://www.example.com/auth/index.htmhostname(config-aaa-server-host)# action-uri l/appdir/authc/forms/MCOlogin.fcc?TYPhostname(config-aaa-server-host)# action-uri 554433&REALMOID=06-000a1311-a828-1185hostname(config-aaa-server-host)# action-uri -ab41-8333b16a0008&GUID=&SMAUTHREASONhostname(config-aaa-server-host)# action-uri =0&METHOD=GET&SMAGENTNAME=$SM$5FZmjnkhostname(config-aaa-server-host)# action-uri 3DRNwNjk2KcqVCFbIrNT9%2bJ0H0KPshFtg6rhostname(config-aaa-server-host)# action-uri B1UV2PxkHqLw%3d%3d&TARGET=https%3A%2Fhostname(config-aaa-server-host)# action-uri %2Fauth.example.comhostname(config-aaa-server-host)#
Note
Related Commands
activation-key
To enter a license activation key on the ASA, use the activation-key command in privileged EXEC mode.
activation-key [noconfirm] activation_key [activate | deactivate]
Syntax Description
Defaults
By default, your ASA ships with a license already installed. This license might be the Base License, to which you want to add more licenses, or it might already have all of your licenses installed, depending on what you ordered and what your vendor installed for you. See the show activation-key command to determine which licenses you have installed.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Obtaining an Activation Key
To obtain an activation key, you need a Product Authorization Key, which you can purchase from your Cisco account representative. You need to purchase a separate Product Activation Key for each feature license. For example, if you have the Base License, you can purchase separate keys for Advanced Endpoint Assessment and for additional SSL VPN sessions.
After obtaining the Product Authorization Keys, register them on Cisco.com at one of the following URLs.
If you are a registered user of Cisco.com, go to the following website:
http://www.cisco.com/go/license
•
http://www.cisco.com/go/license/public
Context Mode Guidelines
•
•
Failover Guidelines
•
•
Older versions of ASA software required that the licenses match on each unit. Starting with Version 8.3(1), you no longer need to install identical licenses. Typically, you buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active. If you have licenses on both units, they combine into a single running failover cluster license.
•
Upgrade and Downgrade Guidelines
Your activation key remains compatible if you upgrade to the latest version from any previous version. However, you might have issues if you want to maintain downgrade capability:
•
–
–
•
–
–
Additional Guidelines and Limitations
•
•
•
•
•
Examples
The following example shows how to change the activation key on the ASA:
hostname# activation-key 0xd11b3d48 0xa80a4c0a 0x48e0fd1c 0xb0443480 0x843fc490The following is sample output from the activation-key command that shows output for failover when the new activation key is different than the old activation key:
hostname# activation-key 0xyadayada 0xyadayada 0xyadayada 0xyadayada 0xyadayadaValidating activation key. This may take a few minutes...The following features available in the running permanent activation key are NOT available in the new activation key:Failover is different.running permanent activation key: Restricted (R)new activation key: Unrestricted (UR)WARNING: The running activation key was not updated with the requested key.Proceed with updating flash activation key? [y]Flash permanent activation key was updated with the requested key.The following is sample output from a license file:
Serial Number Entered: 123456789jaNumber of Virtual Firewalls Selected: 10Formula One device: ASA 5520Failover : EnabledVPN-DES : EnabledVPN-3DES-AES : EnabledSecurity Contexts : 10GTP/GPRS : DisabledSSL VPN Peers : DefaultTotal VPN Peers : 750Advanced Endpoint Assessment : DisabledAnyConnect for Mobile : EnabledAnyConnect for Cisco VPN Phone : DisabledShared License : DisabledUC Phone Proxy Sessions : DefaultTotal UC Proxy Sessions : DefaultAnyConnect Essentials : DisabledBotnet Traffic Filter : DisabledIntercompany Media Engine : Enabled------------------------------------------THE FOLLOWING ACTIVATION KEY IS VALID FOR:ASA SOFTWARE RELEASE 8.2+ ONLY.Platform = asa123456789JA: yadayda1 yadayda1 yadayda1 yadayda1 yadayda1------------------------------------------THE FOLLOWING ACTIVATION KEY IS VALID FOR:ALL ASA SOFTWARE RELEASES, BUT EXCLUDES ANY8.2+ FEATURES FOR BACKWARDS COMPATIBILITY.Platform = asa123456789JA: yadayda2 yadayda2 yadayda2 yadayda2 yadayda2Related Commands
activex-relay
To incorporate applications that need ActiveX over the clientless portal, use the activex-relay command in group-policy webvpn configuration mode or username webvpn configuration mode. Use the no form of this command to inherit the activex-relay command from the default group policy.
activex-relay {enable | disable}
no activex-relay
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy webvpn configuration
•
—
•
—
—
Username webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
Use the activex-relay enable command to let users launch ActiveX from the WebVPN browser for any HTML content that has the object tags (such as images, audio, videos, JAVA applets, ActiveX, pdf, or flash). These applications use the WebVPN session to download and upload ActiveX controls. The ActiveX relay remains in force until the WebVPN session closes. If you plan to use something like Microsoft OWA 2007, you should disable ActiveX.
Note
Examples
The following example enables ActiveX controls on WebVPN sessions associated with a given group policy:
hostname(config-group-policy)# webvpnhostname(config-group-webvpn)# activex-relay enablehostname(config-group-webvpn)The following example disables ActiveX controls on WebVPN sessions associated with a given username:
hostname(config-username-policy)# webvpnhostname(config-username-webvpn)# activex-relay disablehostname(config-username-webvpn)ad-agent-mode
To enables the AD Agent mode so that you can configure the Active Directory Agent for the Cisco Identify Firewall instance, use the ad-agent-mode command in global configuration mode.
ad-agent-mode
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
To configure the Active Directory Agent for the Identity Firewall, you must enter the ad-agent-mode command, which is a submode of the aaa-server command. Entering the ad-agent-mode command enters the aaa server group configuration mode.
Periodically or on-demand, the AD Agent monitors the Active Directory server security event log file via WMI for user login and logoff events. The AD Agent maintains a cache of user ID and IP address mappings. and notifies the ASA of changes.
Configure the primary and secondary AD Agents for the AD Agent Server Group. When the ASA detects that the primary AD Agent is not responding and a secondary agent is specified, the ASA switches to secondary AD Agent. The Active Directory server for the AD agent uses RADIUS as the communication protocol; therefore, you should specify a key attribute for the shared secret between ASA and AD Agent.
Examples
The following example shows how to enable ad-agent-mode while configuring the Active Directory Agent for the Identity Firewall:
hostname(config)# aaa-server adagent protocol radiushostname(config)# ad-agent-modehostname(config-aaa-server-group)# aaa-server adagent (inside) host 192.168.1.101hostname(config-aaa-server-host)# key mysecrethostname(config-aaa-server-hostkey)# user-identity ad-agent aaa-server adagenthostname(config-aaa-server-host)# test aaa-server ad-agentRelated Commands
address (dynamic-filter blacklist or whitelist)
To add an IP address to the Botnet Traffic Filter blacklist or whitelist, use the address command in dynamic-filter blacklist or whitelist configuration mode. To remove the address, use the no form of this command. The static database lets you augment the dynamic database with domain names or IP addresses that you want to whitelist or blacklist.
address ip_address mask
no address ip_address mask
Syntax Description
ip_address
Adds an IP address to the blacklist.
mask
Defines the subnet mask for the IP address. The mask can be for a single host or for a subnet.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Dynamic-filter blacklist or whitelist configuration
•
•
•
•
—
Command History
Usage Guidelines
After you enter the dynamic-filter whitelist or blacklist configuration mode, you can manually enter domain names or IP addresses (host or subnet) that you want to tag as good names in a whitelist or bad names in a blacklist using the address and name commands.
You can enter this command multiple times for multiple entries. You can add up to 1000 blacklist and 1000 whitelist entries.
Examples
The following example creates entries for the blacklist and whitelist:
hostname(config)# dynamic-filter blacklisthostname(config-llist)# name bad1.example.comhostname(config-llist)# name bad2.example.comhostname(config-llist)# address 10.1.1.1 255.255.255.0hostname(config-llist)# dynamic-filter whitelisthostname(config-llist)# name good.example.comhostname(config-llist)# name great.example.comhostname(config-llist)# name awesome.example.comhostname(config-llist)# address 10.1.1.2 255.255.255.255Related Commands
address (media-termination)
To specify the address for a media termination instance to use for media connections to the Phone Proxy feature, use the address command in the media-termination configuration mode. To remove the address from the media termination configuration, use the no form of this command.
address ip_address [interface intf_name]
no address ip_address [interface intf_name]
Syntax Description
Defaults
There are no default settings for this command.
Command Modes
The following table shows the modes in which you can enter the command:
Media-termination configuration
•
—
•
—
—
Command History
Usage Guidelines
The ASA must have IP addresses for media termination that meet the following criteria:
For the media termination instance, you can configure a global media-termination address for all interfaces or configure a media-termination address for different interfaces. However, you cannot use a global media-termination address and media-termination addresses configured for each interface at the same time.
If you configure a media termination address for multiple interfaces, you must configure an address on each interface that the ASA uses when communicating with IP phones.
The IP addresses are publicly routable addresses that are unused IP addresses within the address range on the interface.
See the CLI configuration guide for the complete list of prerequisites that you must follow when creating the media termination instance and configuring the media termination addresses.
Examples
The following example shows the use of the media-termination address command to specify the IP address to use for media connections:
hostname(config)# media-termination mediaterm1hostname(config-media-termination)# address 192.0.2.25 interface insidehostname(config-media-termination)# address 10.10.0.25 interface outsideRelated Commands
phone-proxy
Configures the Phone Proxy instance.
media-termination
Configures the media termination instance to apply to a Phone Proxy instance.
address-pool (tunnel-group general attributes mode)
To specify a list of address pools for allocating addresses to remote clients, use the address-pool command in tunnel-group general-attributes configuration mode. To eliminate address pools, use the no form of this command.
address-pool [(interface name)] address_pool1 [...address_pool6]
no address-pool [(interface name)] address_pool1 [...address_pool6]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can enter multiples of each of these commands, one per interface. If an interface is not specified, then the command specifies the default for all interfaces that are not explicitly referenced.
The address-pools settings in the group-policy address-pools command override the local pool settings in the tunnel group address-pool command.
The order in which you specify the pools is significant. The ASA allocates addresses from these pools in the order in which the pools appear in this command.
Examples
The following example entered in config-tunnel-general configuration mode, specifies a list of address pools for allocating addresses to remote clients for an IPsec remote-access tunnel group test:
hostname(config)# tunnel-group test type remote-accesshostname(config)# tunnel-group test generalhostname(config-tunnel-general)# address-pool (inside) addrpool1 addrpool2 addrpool3hostname(config-tunnel-general)#Related Commands
address-pools (group-policy attributes configuration mode)
To specify a list of address pools for allocating addresses to remote clients, use the address-pools command in group-policy attributes configuration mode. To remove the attribute from the group policy and enable inheritance from other sources of group policy, use the no form of this command.
address-pools value address_pool1 [...address_pool6]
no address-pools value address_pool1 [...address_pool6]
address-pools none
no address-pools none
Syntax Description
Defaults
By default, the address pool attribute allows inheritance.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
The address-pools settings in this command override the local pool settings in the group. You can specify a list of up to six local address pools to use for local address allocation.
The order in which you specify the pools is significant. The ASA allocates addresses from these pools in the order in which the pools appear in this command.
The command address-pools none disables this attribute from being inherited from other sources of policy, such as the DefaultGrpPolicy. The command no address pools none removes the address-pools none command from the configuration, restoring the default value, which is to allow inheritance.
Examples
The following example entered in config-general configuration mode, configures pool_1 and pool_20 as lists of address pools to use for allocating addresses to remote clients for GroupPolicy1:
hostname(config)# ip local pool pool_1 192.168.10.1-192.168.10.100 mask 255.255.0.0hostname(config)# ip local pool pool_20 192.168.20.1-192.168.20.200 mask 255.255.0.0hostname(config)# group-policy GroupPolicy1 attributeshostname(config-group-policy)# address-pools value pool_1 pool_20hostname(config-group-policy)#Related Commands
admin-context
To set the admin context for the system configuration, use the admin-context command in global configuration mode.
admin-context name
Syntax Description
Defaults
For a new ASA in multiple context mode, the admin context is called "admin."
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
You can set any context to be the admin context, as long as the context configuration resides on the internal flash memory.
You cannot remove the current admin context, unless you remove all contexts using the clear configure context command.
The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the ASA software or allowing remote management for an administrator), it uses one of the contexts that is designated as the admin context.
Examples
The following example sets the admin context to be "administrator":
hostname(config)# admin-context administratorRelated Commands
allocate-interface
To allocate interfaces to a security context, use the allocate-interface command in context configuration mode. To remove an interface from a context, use the no form of this command.
allocate-interface physical_interface [map_name] [visible | invisible]
no allocate-interface physical_interface
allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [map_name[-map_name]] [visible | invisible]
no allocate-interface physical_interface.subinterface[-physical_interface.subinterface]
Syntax Description
invisible
(Default) Allows context users to only see the mapped name (if configured) in the show interface command.
map_name
(Optional) Sets a mapped name.
The map_name is an alphanumeric alias for the interface that can be used within the context instead of the interface ID. If you do not specify a mapped name, the interface ID is used within the context. For security purposes, you might not want the context administrator to know which interfaces are being used by the context.
A mapped name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. For example, you can use the following names:
int0intaint_0For subinterfaces, you can specify a range of mapped names.
See the "Usage Guidelines" section for more information about ranges.
physical_interface
Sets the interface ID, such as gigabitethernet0/1. See the interface command for accepted values. Do not include a space between the interface type and the port number.
subinterface
Sets the subinterface number. You can identify a range of subinterfaces.
visible
(Optional) Allows context users to see physical interface properties in the show interface command even if you set a mapped name.
Defaults
The interface ID is invisible in the show interface command output by default if you set a mapped name.
Command Modes
The following table shows the modes in which you can enter the command:
Context configuration
•
•
—
—
•
Command History
Usage Guidelines
You can enter this command multiple times to specify different ranges. To change the mapped name or visible setting, reenter the command for a given interface ID, and set the new values; you do not need to enter the no allocate-interface command and start over. If you remove the allocate-interface command, the ASA removes any interface-related configuration in the context.
Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA adaptive security appliance, you can use the dedicated management interface, Management 0/0, (either the physical interface or a subinterface) as a third interface for management traffic.
Note
You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces.
If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these guidelines for ranges:
•
int0-int10If you enter gigabitethernet0/1.1-gigabitethernet0/1.5 happy1-sad5, for example, the command fails.
•
gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100If you enter gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int15, for example, the command fails.
Examples
The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/1.305 assigned to the context. The mapped names are int1 through int8.
hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8Related Commands
allocate-ips
To allocate an IPS virtual sensor to a security context if you have the AIP SSM installed, use the allocate-ips command in context configuration mode. To remove a virtual sensor from a context, use the no form of this command.
allocate-ips sensor_name [mapped_name] [default]
no allocate-ips sensor_name [mapped_name] [default]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Context configuration
•
•
—
—
•
Command History
Usage Guidelines
You can assign one or more IPS virtual sensors to each context. Then, when you configure the context to send traffic to the AIP SSM using the ips command, you can specify a sensor that is assigned to the context; you cannot specify a sensor that you did not assign to the context. If you do not assign any sensors to a context, then the default sensor configured on the AIP SSM is used. You can assign the same sensor to multiple contexts.
Note
Examples
The following example assigns sensor1 and sensor2 to context A, and sensor1 and sensor3 to context B. Both contexts map the sensor names to "ips1" and "ips2." In context A, sensor1 is set as the default sensor, but in context B, no default is set so the default that is configured on the AIP SSM is used.
hostname(config-ctx)# context Ahostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2hostname(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8hostname(config-ctx)# allocate-ips sensor1 ips1 defaulthostname(config-ctx)# allocate-ips sensor2 ips2hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfghostname(config-ctx)# member goldhostname(config-ctx)# context samplehostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8hostname(config-ctx)# allocate-ips sensor1 ips1hostname(config-ctx)# allocate-ips sensor3 ips2hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfghostname(config-ctx)# member silverRelated Commands
allow-ssc-mgmt
To set an interface on the ASA 5505 to be the SSC management interface, use the allow-ssc-mgmt command in interface configuration mode. To unassign an interface, use the no form of this command.
allow-ssc-mgmt
no allow-ssc-mgmt
Syntax Description
This command has no arguments or keywords.
Command Default
This command is enabled in the factory default configuration for VLAN 1.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
—
Command History
Usage Guidelines
An SSC does not have any external interfaces. You can configure a VLAN as a management VLAN to allow access to an internal management IP address over the backplane. By default, VLAN 1 is enabled for the SSC management address. You can only assign one VLAN as the SSC management VLAN.
Do not configure NAT for the management address if you intend to access it using ASDM. For initial setup with ASDM, you need to access the real address. After initial setup (where you set the password in the SSC), you can configure NAT and supply ASDM with the translated address when you want to access the SSC.
Examples
The following example disables management access on VLAN 1, and enables it for VLAN 2:
hostname(config)# interface vlan 1hostname(config-if)# no allow-ssc-mgmthostname(config-if)# interface vlan 2hostname(config-if)# allow-ssc-mgmtRelated Commands
always-on-vpn
To configure the behavior of the AnyConnect Always-On-VPN functionality, use the always-on-vpn command in group policy configuration mode.
Syntax Description
To use the always-on-vpn setting configured in the AnyConnect profile:
always-on-vpn profile-setting
To switch off the Always-On-VPN functionality:
always-on-vpn disable
Command Default
Always-On-VPN functionality is switched off by default.
Command History
Usage Guidelines
To enable Always-On-VPN functionality for AnyConnect users, configure an AnyConnect profile in the profile editor. Then configure the group-policy attributes for the appropriate policy.
Examples
The following example disables management access on VLAN 1, and enables it for VLAN 2:
hostname(config)# group-policy <group policy> attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# always-on-vpn profile-settingRelated Commands
anyconnect ask
To enable the ASA to prompt remote SSL VPN client users to download the client, use the anyconnect ask command in the group policy webvpn or username webvpn configuration mode. To disable prompting for download of the client, use the no form of this command.
anyconnect ask {none | enable [default {webvpn | anyconnect} timeout value]}
no anyconnect ask none [default {webvpn | anyconnect}]
Syntax Description
Defaults
The default for this command is anyconnect ask none default webvpn. The ASA immediately displays the portal page for clientless connections.
Command Modes
The following table shows the modes in which you can enter the command:
Group policy webvpn configuration
•
—
•
—
—
Username webvpn configuration
•
—
•
—
—
Command History
8.0(2)
This command was introduced.
8.4(1)
The anyconnect ask command replaced the svc ask command.
Usage Guidelines
Figure 2-1 shows the prompt displayed to remote users when either default anyconnect timeout value or default webvpn timeout value is configured:
Figure 2-1 Prompt Displayed to Remote Users for SSL VPN Client Download
Examples
The following example configures the ASA to prompt the remote user to download the client or go to the portal page and wait 10 seconds for user response before downloading the client:
hostname(config-group-webvpn)# anyconnect ask enable default svc timeout 10Related Commands
anyconnect df-bit-ignore
To ignore the DF bit in packets that need fragmentation, use the anyconnect-df-bit-ignore command in group policy webvpn configuration mode. To acknowledge the DF bits that need fragmentation, use the no form of the command.
anyconnect df-bit-ignore {enable | none}
no anyconnect df-bit-ignore {enable | none}
Syntax Description
Defaults
By default, this option is not enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group policy webvpn configuration
•
—
•
—
—
Command History
8.2(2)
The svc df-bit-ignore command was introduced.
8.4(1)
The anyconnect df-bit-ignore command replaced the svc df-bit-ignore command.
Examples
vmb-5520(config-group-webvpn)# anyconnect routing-filtering-ignore ?config-group-webvpn mode commands/options:enable Enable Routing/Filtering for AnyConnect Clientnone Disable Routing/Filtering for AnyConnect Clientanyconnect dpd-interval
To enable Dead Peer Detection (DPD) on the ASA and to set the frequency that either the remote client or the ASA performs DPD over SSL VPN connections, use the anyconnect dpd-interval command in group policy or username webvpn mode. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.
This command applies to IKEv2. IKEv1 DPD is configured by the isakmp keepalive command.
anyconnect dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}
no anyconnect dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}
Syntax Description
Defaults
DPD is enabled and set to 30 seconds for both the ASA (gateway) and the client.
Command Modes
The following table shows the modes in which you can enter the command:
Group policy webvpn configuration
•
—
•
—
—
Username webvpn configuration
•
—
•
—
—
Command History
Examples
In the following example, the user configures the DPD frequency performed by the ASA (gateway) to 3000 seconds, and the DPD frequency performed by the client to 1000 seconds, for the existing group policy sales:
hostname(config)# group-policy sales attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# anyconnect dpd-interval gateway 3000hostname(config-group-webvpn)# anyconnect dpd-interval client 1000anyconnect dtls compression
To enable compression on low bandwidth links for a specific group or user, use the anyconnect dtls compression command in group policy webvpn or username webvpn configuration mode. To delete the configuration from the group, use the no form of the command.
anyconnect dtls compression {lzs | none}
no anyconnect dtls compression {lzs | none}
Syntax Description
Defaults
The default is to not enable AnyConnect compression.
Command Modes
The following table shows the modes in which you can enter the command:
Group policy webvpn configuration
•
—
•
—
—
Username webvpn configuration
•
—
•
—
—
Command History
Examples
The following examples shows the sequence to disable compression:
asa# config terminalasa(config)# group-policy DfltGrpPolicy attributesasa(config-group-policy)# webvpnasa(config-group-webvpn)# anyconnect ssl compression noneasa(config-group-webvpn)# anyconnect dtls compression noneanyconnect enable
To enable the ASA to download an AnyConnect client to remote computers, use the anyconnect enable command from webvpn configuration mode. To remove the command from the configuration, use the no form of this command:
anyconnect enable
no anyconnect enable
Defaults
The default is disabled. The ASA does not download the client.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
7.1(1)
This command was introduced as svc enable.
8.4(1)
The anyconnect enable command replaced the svc enable command.
Usage Guidelines
Entering the no anyconnect enable command does not terminate active sessions.
The anyconnect enable command must be issued after configuring the AnyConnect images with the anyconnect image xyz command. If the anyconnect enable command is not entered, AnyConnect does not function as expected, and the show webvpn svc command considers the SSL VPN client as not enabled rather than listing the installed AnyConnect packages.
Examples
In the following example, the user enables the ASA to download the client:
(config)# webvpn(config-webvpn)# anyconnect enableRelated Commands
anyconnect firewall-rule
To establish a public or provide ACL firewall, use the anyconnect firewall-rule command in group policy webvpn or username webvpn configuration mode.
anyconnect firewall-rule <client interface> <public | private> <ACL>
Syntax Description
ACL
Specifies the access control list.
client interface
Specifies the client interface.
private
Configures a private interface rule.
public
Configures a public interface rule.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group policy webvpn configuration
•
—
•
—
—
Username webvpn configuration
•
—
•
—
—
Command History
8.3(1)
This command was introduced.
8.4(1)
The anyconnect firewall-rule command replaced the svc firewall-rule command.
Usage Guidelines
The following guidelines clarify how the AnyConnect client uses the firewall:
•
•
Be aware of the following differences in behavior for each operating system:
•
•
•
•
•
For extensive information about the AnyConnect client firewall including ACL rule examples for local printing and tethered device support, see the AnyConnect Administrator Guide.
Note
Examples
The following example enables the ACL AnyConnect_Client_Local_Print as a public firewall:
hostname(config)# group-policy example_group attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# anyconnect firewall-rule client-interface public value AnyConnect_Client_Local_PrintRelated Commands
anyconnect image
To install or upgrade the AnyConnect distribution package and add it to the running configuration, use the anyconnect image command in webvpn configuration mode. To remove the AnyConnect distribution package from the running configuration, use the no form of this command:
anyconnect image path order [regex expression]
no anyconnect image path order [regex expression]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
webvpn configuration
•
—
•
—
—
Command History
7.1(1)
This command was introduced.
8.0(1)
The regex keyword was added.
8.4(1)
The anyconnect image command replaced the svc image command.
Usage Guidelines
Numbering the package files establishes the order in which the ASA downloads portions of them to the remote PC, until it achieves a match with the operating system. The ASA downloads the package file with the lowest number first. Therefore, you should assign the lowest number to the package file that matches the most commonly encountered operating system used on remote PCs.
The default order is 1. If you do not specify the order argument, each time you enter the svc image command, you overwrite the image that was previously considered number 1.
You can enter the anyconnect image command for each client package file in any order. For example, you can specify the package file to be downloaded second (order 2) before entering the anyconnect image command specifying the package file to be downloaded first (order 1).
For mobile users, you can decrease the connection time of the mobile device by using the regex keyword. When the browser connects to the ASA, it includes the User-Agent string in the HTTP header. When the ASA receives the string, if the string matches an expression configured for an image, it immediately downloads that image without testing the other client images.
Note
The ASA expands both AnyConnect client and Cisco Secure Desktop (CSD) package files in cache memory. In order for the ASA to successfully expand the package files, there must be enough cache memory to store the images and files of the package file.
If the ASA detects that there is not enough cache memory to expand a package, it displays an error message to the console. The following example shows an error message reported after an attempt was made to install a package file with the svc image command:
hostname(config-webvpn)# anyconnect image disk0:/anyconnect-win-3.0.0520-k9.pkgERROR: File write error (check disk space)ERROR: Unable to load SVC image - extraction failedIf this occurs when you attempt to install a package file, examine the amount of cache memory remaining and the size of any previously installed packages with the dir cache:/ command from global configuration mode.
Note
Examples
The following example loads AnyConnect client package files for Windows, MAC, and Linux in that order:
hostname(config)# webvpnhostname(config-webvpn)# anyconnect image disk0:/anyconnect-win-3.0.0527-k9.pkg 1hostname(config-webvpn)# anyconnect image disk0:/anyconnect-macosx-i386-3.0.0414-k9.pkg 2hostname(config-webvpn)# anyconnect image disk0:/anyconnect-linux-3.0.0414-k9.pkg 3hostname(config-webvpn)The next example shows the output of the show webvpn anyconnect command, which displays the file AnyConnect client packages loaded and their order:
hostname(config-webvpn)# show webvpn anyconnect1. disk0:/anyconnect-win-3.0.0527-k9.pkg 1 dyn-regex=/Windows NT/CISCO STC win2k+3,0,0527Hostscan Version 3.0.0527Tue 10/19/2010 16:16:56.252. disk0:/anyconnect-macosx-i386-3.0.0414-k9.pkg 2 dyn-regex=/Intel Mac OS X/CISCO STC Darwin_i3863.0.0414Wed Oct 20 20:39:53 MDT 20103. disk0:/anyconnect-linux-3.0.0414-k9.pkg 3 dyn-regex=/Linux i[1-9]86/CISCO STC Linux3.0.0414Wed Oct 20 20:42:02 MDT 20103 AnyConnect Client(s) installedhostname(config-webvpn)#Related Commands
anyconnect keep-installer
To enable the permanent installation of an SSL VPN client on a remote PC, use the anyconnect keep-installer command in group-policy webvpn or username webvpn configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of this command :
anyconnect keep-installer {installed | none}
no anyconnect keep-installer {installed | none}
Syntax Description
Defaults
Permanent installation of the client is enabled. The client remains on the remote computer at the end of the session.
Command Modes
The following table shows the modes in which you can enter the command:
Group policy webvpn configuration
•
—
•
—
—
Username webvpn configuration
•
—
•
—
—
Command History
7.1(1)
This command was introduced.
8.4(1)
The anyconnect keep-installer command replaced the svc keep-installer command.
Usage Guidelines
This command does not apply to versions of AnyConnect after 2.5, but is still available for backward compatibility. Using the anyconnect keep-installer command does not affect AnyConnect 3.0 or later.
Examples
In the following example, the user enters group policy webvpn configuration mode and configures the group policy to remove the client at the end of the session:
hostname(config-group-policy)#webvpnhostname(config-group-webvpn)# anyconnect keep-installer nonehostname(config-group-webvpn)#Related Commands
anyconnect modules
To specify the names of modules that the AnyConnect SSL VPN Client requires for optional features, use the anyconnect modules command in group policy webvpn or username webvpn configuration mode. To remove the command from the configuration, use the no form of this command.
anyconnect modules {none | value string}
no anyconnect modules {none | value string}
Syntax Description
string
The name of the optional module, up to 256 characters. Separate multiple strings with commas.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group policy webvpn configuration
•
—
•
—
—
Username webvpn configuration
•
—
•
—
—
Command History
8.0(2)
This command was introduced as svc modules.
8.4(1)
The anyconnect modules form of the command was introduced.
Usage Guidelines
To minimize download time, the client only requests downloads (from the ASA) of modules that it needs for each feature that it supports. The anyconnect modules command enables the ASA to download these modules.
The following table shows the string values that represent AnyConnect Modules.
Examples
In the following example, the user enters group-policy attributes mode for the group policy PostureModuleGroup, enters webvpn configuration mode for the group policy, and specifies the string posture and telemetry so that the AnyConnect Posture Module and AnyConnect Telemetry Module will be downloaded to the endpoint when it connects to the ASA:
hostname> enPassword:hostname# config thostname(config)# group-policy PostureModuleGroup attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# anyconnect modules value posture,telemetryhostname(config-group-webvpn)# write memBuilding configuration...Cryptochecksum: 40975338 b918425d 083b391f 9e5a5c6922055 bytes copied in 3.440 secs (7351 bytes/sec)[OK]hostname(config-group-webvpn)#To remove a module from a group policy, resend the command, specifying only the module values that you want to keep. For example, the following command removes the telemetry module:
hostname(config-group-webvpn)# anyconnect modules value postureRelated Commands
anyconnect mtu
To adjust the MTU size for SSL VPN connections established by the Cisco AnyConnect VPN Client, use the anyconnect mtu command in group policy webvpn or username webvpn configuration mode. To remove the command from the configuration, use the no form of this command.
anyconnect mtu size
no anyconnect mtu size
Syntax Description
Defaults
The default size is 1406. The default for this command in the default group policy is no svc mtu.
Command Modes
The following table shows the modes in which you can enter the command:
Group policy webvpn configuration
•
—
•
—
—
Username webvpn configuration
•
—
•
—
—
Command History
8.0(2)
This command was introduced.
8.4(1)
The anyconnect mtu form of the command replaced svc mtu.
Usage Guidelines
This command affects only the AnyConnect client. The Cisco SSL VPN Client is not capable of adjusting to different MTU sizes. In addition, this command affects AnyConnect client connections established in only SSL and those established in SSL with DTLS.
The MTU size is adjusted automatically based on the MTU of the interface that the connection uses, minus the IP/UDP/DTLS overhead.
The minimum MTU allowed on an IPv6 enabled interface is 1280 bytes; however, if IPsec is enabled on the interface, the MTU value should not be set below 1380 because of the overhead of IPsec encryption. Setting the interface below 1380 bytes may result in dropped packets.
Examples
The following example configures the MTU size to 500 bytes for the group policy telecommuters:
hostname(config)# group-policy telecommuters attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# anyconnect mtu 500Related Commands
anyconnect profiles (group-policy or username attributes)
To specify a CVC profiles package downloaded to Cisco AnyConnect VPN Client (CVC) users, use the anyconnect profiles command in group policy webvpn or username attributes webvpn configuration mode. To remove the command from the configuration and cause the value it to be inherited, use the no form of this command.
anyconnect profiles {value profile | none}
no anyconnect profiles {value profile | none } [type type]
Syntax Description
profile
The name of the profile.
type type
The user who corresponds to the standard AnyConnect profile or any alphanumeric value.
Defaults
The default is none. The ASA does not download profiles.
Command Modes
The following table shows the modes in which you can enter the command:
Group policy webvpn configuration
•
—
•
—
—
Username webvpn configuration
•
—
•
—
—
Command History
8.0(2)
This command was introduced.
8.3
The optional type value was introduced.
8.4(1)
The anyconnect profiles form of the command replaced svc profiles.
Usage Guidelines
When entered in group policy webvpn or username attributes webvpn configuration mode, this command enables the ASA to download profiles to CVC users on a group policy or username basis. To download a CVC profile to all CVC users, use this command in webvpn configuration mode.
A CVC profile is a group of configuration parameters that the CVC uses to configure the connection entries that appear in the CVC user interface, including the names and addresses of host computers. You can create and save profiles using the CVC user interface. You can also edit this file with a text editor and set advanced parameters that are not available through the user interface.
The CVC installation contains one profile template (cvcprofile.xml) that you can edit and use as a basis to create other profile files. For more information about editing CVC profiles, see the Cisco AnyConnect VPN Client Administrator Guide.
Examples
In the following example, the user queries the anyconnect profiles value command, which displays the available profiles:
asa1(config-group-webvpn)# anyconnect profiles value ?config-group-webvpn mode commands/options:Available configured profile packages:engineeringsalesThen the user configures the group policy to use the CVC profile sales:
asa1(config-group-webvpn)# anyconnect profiles salesRelated Commands
anyconnect profiles (webvpn)
To specify a file as a profiles package that the ASA loads in cache memory and makes available to group policies and username attributes of Cisco AnyConnect VPN Client (CVC) users, use the anyconnect profiles command in webvpn configuration mode. To remove the command from the configuration and cause the ASA to unload the package file from cache memory, use the no form of this command.
anyconnect profiles {profile path}
no anyconnect profiles {profile path}
Syntax Description
path
The path and filename of the profile file in flash memory of the ASA.
profile
The name of the profile to create in cache.
Defaults
The default is none. The ASA does not load a profiles package in cache memory.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
8.0(2)
This command was introduced.
8.4(1)
The anyconnect profiles form of the command replaced svc profiles.
Usage Guidelines
A CVC profile is a group of configuration parameters that the CVC uses to configure the connection entries that appear in the CVC user interface, including the names and addresses of host computers. You can create and save profiles using the CVC user interface.
You can also edit this file with a text editor and set advanced parameters that are not available through the user interface. The CVC installation contains one profile template (cvcprofile.xml) that you can edit and use as a basis to create other profile files. For more information about editing CVC profiles, see the Cisco AnyConnect VPN Client Administrator Guide.
After you create a new CVC profile and upload it to flash memory, identify the XML file to the ASA as a profile using the anyconnect profiles command in webvpn configuration mode. The command loads the files in cache memory on the ASA. Then you can specify the profile for a group or user with the anyconnect profiles command in group policy webvpn configuation or username attributes configuration mode.
Examples
In the following example, the user previously created two new profile files (sales_hosts.xml and engineering_hosts.xml) from the cvcprofile.xml file provided in the CVC installation and uploaded them to flash memory of the ASA.
Now the user identifies these files to the ASA as CVC profiles, specifying the names sales and engineering:
asa1(config-webvpn)# anyconnect profiles sales disk0:sales_hosts.xmlasa1(config-webvpn)# anyconnect profiles engineering disk0:engineering_hosts.xmlEntering the dir cache:stc/profiles command shows the profiles loaded into cache memory:
asa1(config-webvpn)# dir cache:stc/profilesDirectory of cache:stc/profiles/0 ---- 774 11:54:41 Nov 22 2006 engineering.pkg0 ---- 774 11:54:29 Nov 22 2006 sales.pkg2428928 bytes total (18219008 bytes free)asa1(config-webvpn)#Now these profiles are available to the svc profiles command in group policy webvpn configuration or username attributes configurate mode:
asa1(config)# group-policy sales attributesasa1(config-group-policy)# webvpnasa1(config-group-webvpn)# anyconnect profiles value ?config-group-webvpn mode commands/options:Available configured profile packages:engineeringsalesRelated Commands
anyconnect routing-filtering-ignore
To notify the AnyConnect client that it should ignore routing and filtering rules, use the anyconnect routing-filtering-ignore command in group policy webvpn configuration mode. To turn off the notification of ignoring routing and filtering rules, use the no form of the command.
anyconnect routing-filtering-ignore {enable | none}
no anyconnect routing-filtering-ignore {enable | none}
Syntax Description
enable
Enables routing and filtering rules for AnyConnect client.
none
Disables routing and filtering rules for AnyConnect client.
Defaults
By default, this option is not enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group policy webvpn configuration
•
—
•
—
—
Command History
Examples
vmb-5520(config-group-webvpn)# anyconnect routing-filtering-ignore ?config-group-webvpn mode commands/options:enable Enable Routing/Filtering for AnyConnect Clientnone Disable Routing/Filtering for AnyConnect Clientanyconnect ssl compression
To enable compression of http data over an SSL VPN connection for a specific group or user, use the anyconnect ssl compression command in the group policy webvpn or username webvpn configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.
anyconnect ssl compression {deflate | lzs | none}
no anyconnect ssl compression {deflate | lzs | none}
Syntax Description
deflate
Enables a deflate compression algorithm.
lzs
Enables a stateless compression algorithm.
none
Disables compression.
Defaults
Compression is set to none (disabled).
Command Modes
The following table shows the modes in which you can enter the command:
Group policy webvpn configuration
•
—
•
—
—
Username webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
For SSL VPN connections, the compression command configured in webvpn configuration mode overrides the anyconnect ssl compression command configured in group policy and username webvpn modes.
Examples
In the following example, SVC compression is disabled for the group policy sales:
hostname(config)# group-policy sales attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# anyconnect ssl compression noneRelated Commands
anyconnect ssl df-bit-ignore
To enable the forced fragmentation of packets on an SSL VPN connection (allowing them to pass through the tunnel) for a specific group or user, use the anyconnect ssl df-bit-ignore command in the group policy webvpn or username webvpn configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.
anyconnect ssl df-bit-ignore {enable | disable}
no anyconnect ssl df-bit-ignore
Syntax Description
enable
Enable DF-bit ignore for AnyConnect with SSL.
disable
Disable DF-bit for AnyConnect with SSL.
Defaults
DF bit ignore is set to disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group policy webvpn configuration
•
—
•
—
—
Username webvpn configuration
•
—
•
—
—
Command History
8.4(1)
The anyconnect ssl df-bit-ignore form of the command replaced svc df-bit-ignore.
Usage Guidelines
This feature allows the force fragmentation of packets that have the DF bit set, allowing them to pass through the tunnel. An example use case is for servers in your network that do not respond correctly to TCP MSS negotiations.
Examples
In the following example, DF bit ignore is enabled for the group policy sales:
hostname(config)# group-policy sales attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# anyconnect ssl df-bit-ignore enableRelated Commands
anyconnect ssl dtls enable
To enable Datagram Transport Layer Security (DTLS) connections on an interface for specific groups or users establishing SSL VPN connections with the Cisco AnyConnect VPN Client, use the anyconnect ssl dtls enable command in group policy webvpn or username attributes webvpn configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.
anyconnect ssl dtls enable interface
no anyconnect ssl dtls enable interface
Syntax Description
Defaults
The default is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group policy webvpn configuration
•
—
•
—
—
Username webvpn configuration
•
—
•
—
—
Command History
8.0(2)
This command was introduced.
8.4(1)
The anyconnect ssl dtls form of the command replaced svc dtls.
Usage Guidelines
Enabling DTLS allows the AnyConnect client establishing an SSL VPN connection to use two simultaneous tunnels—an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
If you do not enable DTLS, AnyConnect client users establishing SSL VPN connections connect with an SSL tunnel only.
This command enables DTLS for specific groups or users. To enable DTLS for all AnyConnect client users, use the anyconnect ssl dtls enable command in webvpn configuration mode.
Examples
The following example enters group policy webvpn configuration mode for the group policy sales and enables DTLS:
hostname(config)# group-policy sales attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# anyconnect ssl dtls enableRelated Commands
anyconnect ssl keepalive
To configure the frequency of keepalive messages that a remote client sends to the ASA over SSL VPN connections, use the anyconnect ssl keepalive command in group policy webvpn or username webvpn configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.
anyconnect ssl keepalive {none | seconds}
no anyconnect ssl keepalive {none | seconds}
Syntax Description
none
Disables keepalive messages.
seconds
Enables keepalive messages and specifies the frequency of the messages, from 15 to 600 seconds.
Defaults
The default is 20 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Group policy webvpn configuration
•
—
•
—
—
Username webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
Both the Cisco SSL VPN Client (SVC) and the Cisco AnyConnect VPN Client can send keepalive messages when they establish SSL VPN connections to the ASA.
You can adjust the frequency of keepalive messages (specified by seconds), to ensure that an SSL VPN connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle.
Adjusting the frequency also ensures that the client does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.
Note
Examples
In the following example, the user configures the ASA to enable the client to send keepalive messages, with a frequency of 300 seconds (5 minutes), for the existing group policy named sales:
hostname(config)# group-policy sales attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# anyconnect ssl keepalive 300Related Commands
anyconnect ssl rekey
To enable a remote client to perform a rekey on an SSL VPN connection, use the anyconnect ssl rekey command in group-policy webvpn or username webvpn configuration mode.To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
anyconnect ssl rekey {method {ssl | new-tunnel} | time minutes | none}
no anyconnect ssl rekey {method {ssl | new-tunnel} | time minutes | none}
Syntax Description
Defaults
The default is none (disabled).
Command Modes
The following table shows the modes in which you can enter the command:
Group policy webvpn configuration
•
—
•
—
—
Username webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
The Cisco AnyConnect Secure Mobility Client can perform a rekey on an SSL VPN connection to the ASA. Configuring the rekey method as ssl or new-tunnel specifies that the client establishes a new tunnel during rekey instead of the SSL renegotiation taking place during the rekey.
Examples
In the following example, the user specifies that remote clients belonging to the group policy sales renegotiate with SSL during rekey, and rekey occurs 30 minutes after the session begins:
hostname(config)# group-policy sales attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# anyconnect ssl rekey method sslhostname(config-group-webvpn)# anyconnect ssl rekey time 30Related Commands
anyconnect-essentials
To enable AnyConnect Essentials on the ASA, use the anyconnect-essentials command in group policy webvpn configuration mode. To disable the use of AnyConnect Essentials and enable the premium AnyConnect client instead, use the no form of this command.
anyconnect-essentials
no anyconnect-essentials
Defaults
AnyConnect Essentials is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
Use this command to toggle between using the full AnyConnect SSL VPN client and the AnyConnect Essentials SSL VPN client, assuming that the full AnyConnect client license is installed. AnyConnect Essentials is a separately licensed SSL VPN client, entirely configured on the ASA, that provides the premium AnyConnect capability, with the following exceptions:
•
•
The AnyConnect Essentials client provides remote end users running Microsoft Windows Vista, Windows Mobile, Windows XP or Windows 2000, Linux, or Macintosh OS X, with the benefits of a Cisco SSL VPN client.
You enable or disable the AnyConnect Essentials license by using the anyconnect-essentials command, which is meaningful only after you have installed the AnyConnect Essentials license on the ASA. Without this license, this command returns the following error message:
ERROR: Command requires AnyConnect Essentials license
Note
When the AnyConnect Essentials license is enabled, AnyConnect clients use Essentials mode, and Clientless SSL VPN access is disabled. When the AnyConnect Essentials license is disabled, AnyConnect clients use the full AnyConnect SSL VPN Client license.
If you have active clientless SSL VPN connections, and you enable the AnyConnect Essentials license, then all connections are logged off and will need to be reestablished.
Examples
In the following example, the user enters webvpn configuration mode and enables the AnyConnect Essentials VPN client:
hostname(config)# webvpnhostname(config-webvpn)# anyconnect-essentialsapcf
To enable an Application Profile Customization Framework profile, use the apcf command in webvpn configuration mode. To disable a particular APCF script, use the no form of this command. To disable all APCF scripts, use the no form of this command without arguments.
apcf URL/filename.ext
no apcf [URL/filename.ext]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
The apcf command enables the ASA to handle non-standard web applications and web resources so that they render correctly over a WebVPN connection. An APCF profile contains a script that specifies when (pre, post), where (header, body, request, response), and what data to transform for a particular application.
You can use multiple APCF profiles on the ASA. When you do, the ASA applies each one of them in the order of oldest to newest.
We recommend that you use the APCF command only with the support of the Cisco TAC.
Examples
The following example shows how to enable an APCF named apcf1, located on flash memory at /apcf:
hostname(config)#webvpnhostname(config-webvpn)#apcf flash:/apcf/apcf1.xmlhostname(config-webvpn)#This example shows how to enable an APCF named apcf2.xml, located on an HTTPS server called myserver, port 1440, at /apcf:
hostname(config)#webvpnhostname(config-webvpn)#apcf https://myserver:1440/apcf/apcf2.xmlhostname(config-webvpn)#Related Commands
appl-acl
To identify a previously configured web-type ACL to apply to a session, use the appl-acl command in dap webvpn configuration mode. To remove the attribute from the configuration, use the no form of this command; to remove all web-type ACLs, use the no form of this command without arguments.
appl-acl identifier
no appl-acl [identifier]
Syntax Description
Defaults
No default value or behaviors.
Command Modes
The following table shows the modes in which you can enter the command:
Dap webvpn configuration
•
•
•
—
—
Command History
Usage Guidelines
To configure web-type ACLs, use the access-list_webtype command in global configuration mode.
Use the appl-acl command multiple times to apply more than one web-type ACL to the DAP policy.
Examples
The following example shows how to apply the previously configured web-type ACL called newacl to the dynamic access policy:
hostname (config)# config-dynamic-access-policy-recordFinancehostname(config-dynamic-access-policy-record)#webvpnhostname(config-dynamic-access-policy-record)#appl-acl newaclRelated Commands
dynamic-access-policy-record
Creates a DAP record.
access-list_webtype
Creates a web-type ACL.
application-access
To customize the Application Access fiels of the WebVPN Home page that is displayed to authenticated WebVPN users, and the Application Access window that is launched when the user selects an application, use the application-access command in customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.
application-access {title | message | window} {text | style} value
no application-access {title | message | window} {text | style} value
Syntax Description
Defaults
The default title text of the Application Access field is "Application Access".
The default title style of the Application Access field is:
background-color:#99CCCC;color:black;font-weight:bold;text-transform:uppercase
The default message text of the Application Access field is "Start Application Client".
The default message style of the Application Access field is:
background-color:#99CCCC;color:maroon;font-size:smaller.
The default window text of the Application Access window is:
"Close this window when you finish using Application Access. Please wait for the table to be displayed before starting applications.".
The default window style of the Application Access window is:
background-color:#99CCCC;color:black;font-weight:bold.
Command Modes
The following table shows the modes in which you can enter the command:
Customization configuration
•
—
•
—
—
Command History
Usage Guidelines
This command is accessed by using the webvpn command or the tunnel-group webvpn-attributes command.
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
The following tips can help you make the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
The following example customizes the background color of the Application Access field to the RGB hex value 66FFFF, a shade of green:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# application-access title style background-color:#66FFFFRelated Commands
application-access hide-details
To hide application details that are displayed in the WebVPN Applications Access window, use the application-access hide-details command in customization configuration mode, which is accessed by using the webvpn command or the tunnel-group webvpn-attributes command. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.
application-access hide-details {enable | disable}
no application-access [hide-details {enable | disable}]
Syntax Description
disable
Does not hide application details in the Application Access window.
enable
Hides application details in the Application Access window.
Defaults
The default is disabled. Application details appear in the Application Access window.
Command Modes
The following table shows the modes in which you can enter the command:
Customization configuration
•
—
•
—
—
Command History
Examples
The following example disables the appearance of the application details:
hostname(config)# webvpnhostname(config-webvpn)# customization ciscohostname(config-webvpn-custom)# application-access hide-details disableRelated Commands
area
To create an OSPF area, use the area command in router configuration mode. To remove the area, use the no form of this command.
area area_id
no area area_id
Syntax Description
area_id
The ID of the area being created. You can specify the identifier as either a decimal number or an IP address. Valid decimal values range from 0 to 4294967295.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
The area that you create does not have any parameters set. Use the related area commands to set the area parameters.
Examples
The following example shows how to create an OSPF area with an area ID of 1:
hostname(config-router)# area 1hostname(config-router)#Related Commands
area authentication
To enable authentication for an OSPF area, use the area authentication command in router configuration mode. To disable area authentication, use the no form of this command.
area area_id authentication [message-digest]
no area area_id authentication [message-digest]
Syntax Description
Defaults
Area authentication is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the specified OSPF area does not exist, it is created when this command is entered. Entering the area authentication command without the message-digest keyword enables simple password authentication. Including the message-digest keyword enables MD5 authentication.
Examples
The following example shows how to enable MD5 authentication for area 1:
hostname(config-router)# area 1 authentication message-digesthostname(config-router)#Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
area default-cost
To specify a cost for the default summary route sent into a stub or NSSA, use the area default-cost command in router configuration mode. To restore the default cost value, use the no form of this command.
area area_id default-cost cost
no area area_id default-cost
Syntax Description
Defaults
The default value of cost is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the specified area has not been previously defined using the area command, this command creates the area with the specified parameters.
Examples
The following example show how to specify a default cost for summary route sent into a stub or NSSA:
hostname(config-router)# area 1 default-cost 5hostname(config-router)#Related Commands
area filter-list prefix
To filter prefixes advertised in Type 3 LSAs between OSPF areas of an ABR, use the area filter-list prefix command in router configuration mode. To change or cancel the filter, use the no form of this command.
area area_id filter-list prefix list_name {in | out}
no area area_id filter-list prefix list_name {in | out}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the specified area has not been previously defined using the area command, this command creates the area with the specified parameters.
Only Type 3 LSAs can be filtered. If an ASBR is configured in the private network, then it will send Type 5 LSAs (describing private networks) which are flooded to the entire AS including the public areas.
Examples
The following example filters prefixes that are sent from all other areas to area 1:
hostname(config-router)# area 1 filter-list prefix-list AREA_1 inhostname(config-router)#Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
area nssa
To configure an area as an NSSA, use the area nssa command in router configuration mode. To remove the NSSA designation from the area, use the no form of this command.
area area_id nssa [no-redistribution] [default-information-originate [metric-type {1 | 2}] [metric value]] [no-summary]
no area area_id nssa [no-redistribution] [default-information-originate [metric-type {1 | 2}] [metric value]] [no-summary]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the specified area has not been previously defined using the area command, this command creates the area with the specified parameters.
If you configure one option for an area, and later specify another option, both options are set. For example, entering the following two command separately results in a single command with both options set in the configuration:
area 1 nssa no-redistributionarea area_id nssa default-information-originateExamples
The following example shows how setting two options separately results in a single command in the configuration:
hostname(config-router)# area 1 nssa no-redistributionhostname(config-router)# area 1 nssa default-information-originatehostname(config-router)# exithostname(config-router)# show running-config router ospf 1router ospf 1area 1 nssa no-redistribution default-information-originateRelated Commands
area stub
Defines the area as a stub area.
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
area range
To consolidate and summarize routes at an area boundary, use the area range command in router configuration mode. To disable this function, use the no form of this command.
area area_id range address mask [advertise | not-advertise]
no area area_id range address mask [advertise | not-advertise]
Syntax Description
Defaults
The address range status is set to advertise.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the specified area has not been previously defined using the area command, this command creates the area with the specified parameters.
The area range command is used only with ABRs. It is used to consolidate or summarize routes for an area. The result is that a single summary route is advertised to other areas by the ABR. Routing information is condensed at area boundaries. External to the area, a single route is advertised for each address range. This behavior is called route summarization. You can configure multiple area range commands for an area. Thus, OSPF can summarize addresses for many different sets of address ranges.
The no area area_id range ip_address netmask not-advertise command removes only the not-advertise optional keyword.
Examples
The following example specifies one summary route to be advertised by the ABR to other areas for all subnets on network 10.0.0.0 and for all hosts on network 192.168.110.0:
hostname(config-router)# area 10.0.0.0 range 10.0.0.0 255.0.0.0hostname(config-router)# area 0 range 192.168.110.0 255.255.255.0hostname(config-router)#Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
area stub
To define an area as a stub area, use the area stub command in router configuration mode. To remove the stub area function, use the no form of this command.
area area_id [no-summary]
no area area_id [no-summary]
Syntax Description
Defaults
The default behaviors are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
The command is used only on an ABR attached to a stub or NSSA.
There are two stub area router configuration commands: the area stub and area default-cost commands. In all routers and access servers attached to the stub area, the area should be configured as a stub area using the area stub command. Use the area default-cost command only on an ABR attached to the stub area. The area default-cost command provides the metric for the summary default route generated by the ABR into the stub area.
Examples
The following example configures the specified area as a stub area:
hostname(config-router)# area 1 stubhostname(config-router)#Related Commands
area virtual-link
To define an OSPF virtual link, use the area virtual-link command in router configuration mode. To reset the options or remove the virtual link, use the no form of this command.
area area_id virtual-link router_id [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds [[[[authentication-key[0 | 8] key ] | [message-digest-key key_id md5 [0 | 8] key ]]]]
no area area_id virtual-link router_id [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds [[[[authentication-key [0 | 8] key ] | [message-digest-key key_id md5 [0 | 8] key ]]]]
Syntax Description
Note
Defaults
The defaults are as follows:
•
•
•
•
•
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
In OSPF, all areas must be connected to a backbone area. If the connection to the backbone is lost, it can be repaired by establishing a virtual link.
The smaller the hello interval, the faster topological changes are detected, but more routing traffic ensues.
The setting of the retransmit interval should be conservative, or needless retransmissions occur. The value should be larger for serial lines and virtual links.
The transmit delay value should take into account the transmission and propagation delays for the interface.
The specified authentication key is used only when authentication is enabled for the backbone with the area area_id authentication command.
The two authentication schemes, simple text and MD5 authentication, are mutually exclusive. You can specify one or the other or neither. Any keywords and arguments you specify after authentication-key [0 | 8] key or message-digest-key key_id md5[0 | 8] key are ignored. Therefore, specify any optional arguments before such a keyword-argument combination.
If the authentication type is not specified for an interface, the interface uses the authentication type specified for the area. If no authentication type has been specified for the area, the area default is null authentication.
Note
To remove an option from a virtual link, use the no form of the command with the option that you want removed. To remove the virtual link, use the no area area_id virtual-link command.
Examples
The following example establishes a virtual link with MD5 authentication:
hostname(config-router)# area 10.0.0.0 virtual-link 10.3.4.5 message-digest-key 3 md5 8 sa5721bk47Related Commands
arp
To add a static ARP entry to the ARP table, use the arp command in global configuration mode. To remove the static entry, use the no form of this command.
arp interface_name ip_address mac_address [alias]
no arp interface_name ip_address mac_address
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Although hosts identify a packet destination by an IP address, the actual delivery of the packet on Ethernet relies on the Ethernet MAC address. When a router or host wants to deliver a packet on a directly connected network, it sends an ARP request asking for the MAC address associated with the IP address, and then delivers the packet to the MAC address according to the ARP response. The host or router keeps an ARP table so it does not have to send ARP requests for every packet it needs to deliver. The ARP table is dynamically updated whenever ARP responses are sent on the network, and if an entry is not used for a period of time, it times out. If an entry is incorrect (for example, the MAC address changes for a given IP address), the entry times out before it can be updated.
A static ARP entry maps a MAC address to an IP address and identifies the interface through which the host is reached. Static ARP entries do not time out, and might help you solve a networking problem. In transparent firewall mode, the static ARP table is used with ARP inspection (see the arp-inspection command).
Note
Examples
The following example creates a static ARP entry for 10.1.1.1 with the MAC address 0009.7cbe.2100 on the outside interface:
hostname(config)# arp outside 10.1.1.1 0009.7cbe.2100Related Commands
arp permit-nonconnected
To enable the ARP cache to also include non-directly-connected subnets, use the arp permit-nonconnected command in global configuration mode. To disable non-connected subnets, use the no form of this command.
arp permit-nonconnected
no arp permit-nonconnected
Syntax Description
This command has no arguments or keywords.
Command Default
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The ASA ARP cache only contains entries from directly-connected subnets by default. This command lets you enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.
You may want to use this feature if you use:
•
•
Examples
The following example enables non-connected subnets:
hostname(config)# arp permit non-connectedRelated Commands
arp-inspection
To enable ARP inspection for transparent firewall mode, use the arp-inspection command in global configuration mode. To disable ARP inspection, use the no form of this command.
arp-inspection interface_name enable [flood | no-flood]
no arp-inspection interface_name enable
Syntax Description
Defaults
By default, ARP inspection is disabled on all interfaces; all ARP packets are allowed through the ASA. When you enable ARP inspection, the default is to flood non-matching ARP packets.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Usage Guidelines
Configure static ARP entries using the arp command before you enable ARP inspection.
ARP inspection checks all ARP packets against static ARP entries (see the arp command) and blocks mismatched packets. This feature prevents ARP spoofing.
When you enable ARP inspection, the ASA compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:
•
•
•
Note
ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a "man-in-the-middle" attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address. The attacker, however, sends another ARP response to the host with the attacker MAC address instead of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to the router.
ARP inspection ensures that an attacker cannot send an ARP response with the attacker MAC address, so long as the correct MAC address and the associated IP address are in the static ARP table.
Note
Examples
The following example enables ARP inspection on the outside interface and sets the ASA to drop any ARP packets that do not match the static ARP entry:
hostname(config)# arp outside 209.165.200.225 0009.7cbe.2100hostname(config)# arp-inspection outside enable no-floodRelated Commands
arp permit-nonconnected
To allow population of the ARP cache for nonconnected subnets, use the arp permit-nonconnected command in global configuration mode. To restore the default setting, use the no form of this command.
arp permit-nonconnected
no arp permit-nonconnected
Syntax Description
This command has no arguments or keywords.
Defaults
The default setting is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
You can enable the population of the ARP cache for nonconnected subnet entries using this command.
Examples
The following example enables population of the ARP cache for nonconnected subnets:
hostname(config)# arp permit-nonconnectedRelated Commands
arp
Adds a static ARP entry.
show arp statistics
Shows ARP statistics.
show running-config arp timeout
Shows the current configuration of the ARP timeout.
arp timeout
To set the time before the ASA rebuilds the ARP table, use the arp timeout command in global configuration mode. To restore the default timeout, use the no form of this command.
arp timeout seconds
no arp timeout seconds
Syntax Description
Defaults
The default value is 14,400 seconds (4 hours).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Rebuilding the ARP table automatically updates new host information and removes old host information. You might want to reduce the timeout because the host information changes frequently.
Examples
The following example changes the ARP timeout to 5,000 seconds:
hostname(config)# arp timeout 5000Related Commands
asdm disconnect
To terminate an active ASDM session, use the asdm disconnect command in privileged EXEC mode.
asdm disconnect session
Syntax Description
session
The session ID of the active ASDM session to be terminated. You can display the session IDs of all active ASDM sessions using the show asdm sessions command.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
7.0(1)
This command was changed from the pdm disconnect command to the asdm disconnect command.
Usage Guidelines
Use the show asdm sessions command to display a list of active ASDM sessions and their associated session IDs. Use the asdm disconnect command to terminate a specific session.
When you terminate an ASDM session, any remaining active ASDM sessions keep their associated session ID. For example, if there are three active ASDM sessions with the session IDs of 0, 1, and 2, and you terminate session 1, the remaining active ASDM sessions keep the session IDs 0 and 2. The next new ASDM session in this example would be assigned a session ID of 1, and any new sessions after that would begin with the session ID 3.
Examples
The following example terminates an ASDM session with a session ID of 0. The show asdm sessions commands display the active ASDM sessions before and after the asdm disconnect command is entered.
hostname# show asdm sessions0 192.168.1.11 192.168.1.2hostname# asdm disconnect 0hostname# show asdm sessions1 192.168.1.2Related Commands
show asdm sessions
Displays a list of active ASDM sessions and their associated session ID.
asdm disconnect log_session
To terminate an active ASDM logging session, use the asdm disconnect log_session command in privileged EXEC mode.
asdm disconnect log_session session
Syntax Description
session
The session ID of the active ASDM logging session to be terminated. You can display the session IDs of all active ASDM sessions using the show asdm log_sessions command.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Use the show asdm log_sessions command to display a list of active ASDM logging sessions and their associated session IDs. Use the asdm disconnect log_session command to terminate a specific logging session.
Each active ASDM session has one or more associated ASDM logging sessions. ASDM uses the logging session to retrieve syslog messages from the ASA. Terminating a log session may have an adverse effect on the active ASDM session. To terminate an unwanted ASDM session, use the asdm disconnect command.
Note
When you terminate an ASDM logging session, any remaining active ASDM logging sessions keep their associated session ID. For example, if there are three active ASDM logging sessions with the session IDs of 0, 1, and 2, and you terminate session 1, the remaining active ASDM logging sessions keep the session IDs 0 and 2. The next new ASDM logging session in this example would be assigned a session ID of 1, and any new logging sessions after that would begin with the session ID 3.
Examples
The following example terminates an ASDM session with a session ID of 0. The show asdm log_sessions commands display the active ASDM sessions before and after the asdm disconnect log_sessions command is entered.
hostname# show asdm log_sessions0 192.168.1.11 192.168.1.2hostname# asdm disconnect 0hostname# show asdm log_sessions1 192.168.1.2Related Commands
show asdm log_sessions
Displays a list of active ASDM logging sessions and their associated session ID.
asdm history enable
To enable ASDM history tracking, use the asdm history enable command in global configuration mode. To disable ASDM history tracking, use the no form of this command.
asdm history enable
no asdm history enable
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
7.0(1)
This command was changed from the pdm history enable command to the asdm history enable command.
Usage Guidelines
The information obtained by enabling ASDM history tracking is stored in the ASDM history buffer. You can view this information using the show asdm history command. The history information is used by ASDM for device monitoring.
Examples
The following example enables ASDM history tracking:
hostname(config)# asdm history enablehostname(config)#Related Commands
asdm image
To specify the location of the ASDM software image in flash memory, use the asdm image command in global configuration mode. To remove the image location, use the no form of this command.
asdm image url
no asdm image [url]
Syntax Description
Defaults
If you do not include this command in your startup configuration, the ASA uses the first ASDM image it finds at startup. It searches the root directory of internal Flash memory and then external flash memory. The ASA then inserts the asdm image command into the running configuration if it discovered an image.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
You can store more than one ASDM software image in flash memory. If you enter the asdm image command to specify a new ASDM software image while there are active ASDM sessions, the new command does not disrupt the active sessions; active ASDM sessions continue to use the ASDM software image they started with. New ASDM sessions use the new software image. If you enter the no asdm image command, the command is removed from the configuration. However, you can still access ASDM from the ASA using the last-configured image location.
If you do not include this command in your startup configuration, the ASA uses the first ASDM image it finds at startup. It searches the root directory of internal flash memory and then external flash memory. The ASA then inserts the asdm image command into the running configuration if it discovered an image. Be sure to save the running configuration to the startup configuration using the write memory command. If you do not save the asdm image command to the startup configuration, every time you reboot, the ASA searches for an ASDM image and inserts the asdm image command into your running configuration. If you are using Auto Update, the automatic addition of this command at startup causes the configuration on the ASA not to match the configuration on the Auto Update Server. This mismatch causes the ASA to download the configuration from the Auto Update Server. To avoid unnecessary Auto Update activity, save the asdm image command to the startup configuration.
Examples
The following example sets the ASDM image to asdm.bin:
hostname(config)# asdm image flash:/asdm.binhostname(config)#Related Commands
show asdm image
Displays the current ASDM image file.
boot
Sets the software image and startup configuration files.
asdm location
Caution
asdm location ip_addr netmask if_name
asdm location ipv6_addr/prefix if_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0(1)
This command was changed from the pdm location command to the asdm location command.
Usage Guidelines
Do not manually configure or remove this command.
asp load-balance per-packet
For multi-core ASAs, to change the load balancing behavior, use the asp load-balance per-packet command in global configuration mode. The default behavior is to allow only one core to receive packets from an interface receive ring at a time. The asp load-balance per-packet command changes this behavior to allow multiple cores to receive packets from an interface receive ring and work on them independently. The default behavior is optimized for scenarios where packets are received uniformly on all interface rings. The per-packet behavior is optimized for scenarios where traffic is asymmetrically distributed on interface receive rings. To restore the default load-balancing mechanism, use the no form of this command.
asp load-balance per-packet
no asp load-balance per-packet
Syntax Description
This command has no arguments or keywords.
Command Default
By default, the load-balancing mechanism favors many interfaces.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
Performance on the ASAs with multiple cores can vary depending on the number of processors, the number of interface receive rings, and the nature of the traffic passing through. Using the asp load-balance per-packet command allows multiple cores to work simultaneously on packets received from a single interface receive ring. This command provides for parallel processing if the packets received are spread over many independent connections. Note that this command can cause additional queuing overhead for packets from the same and related connections because these packets are processed by one core.
If the system drops packets, and show cpu is far less than 100%, then this command may help your throughput if the packets belong to many unrelated connections. The CPU usage is a good indicator as to how many cores are effectively being used. For example on the ASA 5580-40 which includes 8 cores, if two cores are used, then show cpu will be 25%; four cores will be 50%; and six cores will be 75%.
See also the show asp load-balance command.
Examples
The following example enables per-packet load balancing:
hostname(config)# asp load-balance per-packetRelated Commands
asr-group
To specify an asymmetrical routing interface group ID, use the asr-group command in interface configuration mode. To remove the ID, use the no form of this command.
asr-group group_id
no asr-group group_id
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
—
•
—
Command History
Usage Guidelines
When Active/Active failover is enabled, you may encounter situations in which load balancing causes the return traffic for outbound connections to be routed through an active context on the peer unit, and the context for the outbound connection is in the standby group.
The asr-group command causes incoming packets to be reclassified with the interface of the same asr-group if a flow with the incoming interface cannot be found. If reclassification finds a flow with another interface, and the associated context is in standby state, then the packet is forwarded to the active unit for processing.
Stateful Failover must be enabled for this command to take effect.
You can view ASR statistics using the show interface detail command. These statistics include the number of ASR packets sent, received, and dropped on an interface.
Note
Examples
The following example assigns the selected interfaces to the asymmetric routing group 1.
Context ctx1 configuration:
hostname/ctx1(config)# interface Ethernet2hostname/ctx1(config-if)# nameif outsidehostname/ctx1(config-if)# ip address 192.168.1.11 255.255.255.0 standby 192.168.1.21hostname/ctx1(config-if)# asr-group 1Context ctx2 configuration:
hostname/ctx2(config)# interface Ethernet3hostname/ctx2(config-if)# nameif outsidehostname/ctx2(config-if)# ip address 192.168.1.31 255.255.255.0 standby 192.168.1.41hostname/ctx2(config-if)# asr-group 1Related Commands
interface
Enters interface configuration mode.
show interface
Displays interface statistics.
assertion-consumer-url
To identify the URL that the security device accesses to contact the assertion consumer service, use the assertion-consumer-url command in the webvpn configuration mode for that specific SAML-type SSO server. To remove the URL from the assertion, use the no form of this command.
assertion-consumer-url url
no assertion-consumer-url [url]
Syntax Description
url
Specifies the URL of the assertion consumer service used by the SAML-type SSO server. The URL must start with either http:// or https: and must be less than 255 alphanumeric characters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The ASA currently supports the SAML POST-type SSO server and the SiteMinder-type of SSO server.
This command applies only to SAML-type SSO Servers.
If the URL begins with HTTPS, the requirement is to install the root certificate for the assertion consumer service SSL certificate.
The following example specifies the assertion-consumer-url for a SAML-type SSO server:
hostname(config-webvpn)# sso server myhostname type saml-v1.1-posthostname(config-webvpn-sso-saml# assertion-consumer-url https://saml-server/postconsumerhostname(config-webvpn-sso-saml#Related Commands
attribute
To specify attribute value pairs that the ASA writes to the DAP attribute database, enter the attribute command in dap test attributes mode.
attribute name value
Syntax Description
Command Default
No default value or behaviors.
Command Modes
The following table shows the modes in which you can enter the command:
DAP attributes configuration mode
•
•
•
—
—
Command History
Usage Guidelines
Use this command multiple times to enter multiple attribute value pairs.
Normally the ASA retrieves user authorization attributes from the AAA server and retrieves endpoint attributes from Cisco Secure Desktop, Host Scan, CNA or NAC. For the test command, you specify the user authorization and endpoint attributes in this attributes mode. The ASA writes them to an attribute database that the DAP subsystem references when evaluating the AAA selection attributes and endpoint select attributes for a DAP record.
Examples
The following example assumes that ASA selects two DAP records if the authenticated user is a member of the SAP group and has anti-virus software installed on the endpoint system. The Endpoint ID for the anti-virus software endpoint rule is nav.
The DAP records have the following policy attributes:
action = continue
action = continue
port-forward = enable hostlist1
url-list = links2
—
url-entry = enable
hostname #test dynamic-access-policy attributeshostname(config-dap-test-attr)#attribute aaa.ldap.memberof SAPhostname(config-dap-test-attr)#attribute endpoint.av.nav.exists truehostname(config-dap-test-attr)#exithostname #test dynamic-access-policy executePolicy Attributes:action = continueport-forward = enable hostlist1url-list = links2url-entry = enablehostname #Related Commands
l
auth-cookie-name
To specify the name of an authentication cookie, use the auth-cookie-name command in aaa-server host configuration mode. This is an SSO with HTTP Forms command.
auth-cookie-name
Syntax Description
Syntax DescriptionSyntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host configuration
•
—
•
—
—
Command History
Usage Guidelines
The WebVPN server of the ASA uses an HTTP POST request to submit a single sign-on authentication request to an SSO server. If authentication succeeds, the authenticating web server passes back an authentication cookie to the client browser. The client browser then authenticates to other web servers in the SSO domain by presenting the authentication cookie. The auth-cookie-name command configures name of the authentication cookie to be used for SSO by the ASA.
A typical authentication cookie format is Set-Cookie: <cookie name>=<cookie value> [;<cookie attributes>]. In the following authentication cookie example, SMSESSION is the name that would be configured with the auth-cookie-name command:
Set-Cookie:SMSESSION=yN4Yp5hHVNDgs4FT8dn7+Rwev41hsE49XlKc+1twie0gqnjbhkTkUnR8XWP3hvDH6PZPbHIHtWLDKTa8 ngDB/lbYTjIxrbDx8WPWwaG3CxVa3adOxHFR8yjD55GevK3ZF4ujgU1lhO6fta0dSSOSepWvnsCb7IFxCw+MGiw0o8 8uHa2t4l+SillqfJvcpuXfiIAO06D/dapWriHjNoi4llJOgCst33wEhxFxcWy2UWxs4EZSjsI5GyBnefSQTPVfma5d c/emWor9vWr0HnTQaHP5rg5dTNqunkDEdMIHfbeP3F90cZejVzihM6igiS6P/CEJAjE;Domain=.example.com;Pa th=/Examples
The following example specifies the authentication cookie name of SMSESSION for the authentication cookie received from a web server named example.com:
hostname(config)# aaa-server testgrp1 host example.comhostname(config-aaa-server-host)# auth-cookie-name SMSESSIONhostname(config-aaa-server-host)#Related Commands
authenticated-session-username
To specify which authentication username to associate with the session when double authentication is enabled, use the authenticated-session-username command in tunnel-group general-attributes mode. To remove the attribute from the configuration, use the no form of this command.
authenticated-session-username {primary | secondary}
no authenticated-session-username
Syntax Description
clientless
Use the username from the secondary authentication server.
primary
(Default) Use the username from the primary authentication server.
Defaults
The default value is primary.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
This command is meaningful only when double authentication is enabled. The authenticated-session-username command selects the authentication server from which the ASA extracts the username to associate with the session.
Examples
The following example, entered in global configuration mode, creates an IPsec remote access tunnel group named remotegrp and specifies the use of the username from the secondary authentication server for the connection:
hostname(config)# tunnel-group remotegrp type ipsec_rahostname(config)# tunnel-group remotegrp general-attributeshostname(config-tunnel-webvpn)# authenticated-session-username secondaryhostname(config-tunnel-webvpn)#Related Commands
authentication-attr-from-server
To specify which authentication server authorization attributes to apply to the connection when double authentication is enabled, use the authentication-attr-from-server command in tunnel-group general-attributes mode. To remove the attribute from the configuration, use the no form of this command.
authentication-attr-from-server {primary | secondary}
no authentication-attr-from-server
Syntax Description
secondary
Use the secondary authentication server.
primary
(Default) Use the primary authentication server.
Defaults
The default value is primary.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
This command is meaningful only when double authentication is enabled. The authentication-attr-from-server command selects the authentication server from which the ASA extracts the authorization attributes to be applied to the connection.
Examples
The following example, entered in global configuration mode, creates an IPsec remote access tunnel group named remotegrp and specifies that the authorization attributes to be applied to the connection must come from the secondary authentication server:
hostname(config)# tunnel-group remotegrp type ipsec_rahostname(config)# tunnel-group remotegrp general-attributeshostname(config-tunnel-webvpn)# authentication-attr-from-server secondaryhostname(config-tunnel-webvpn)#Related Commands
authentication-certificate
To request a certificate from a WebVPN client establing a connection, use the authentication-certificate command in webvpn configuration mode. To cancel the requirement for a client certificate, use the no form of this command.
authentication-certificate interface-name
no authentication-certificate [interface-name]
Syntax Description
interface-name
The name of the interface used to establish the connection. Available interfaces names are:
•
•
Defaults
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
For this command to take effect, WebVPN must already be enabled on the corresponding interface. An interface is configured and named with the interface, IP address, and nameif commands.
This command applies only to WebVPN client connections, however the ability to specify client certificate authentication for management connections with the http authentication-certificate command is available on all platforms, including the platforms that do not support WebVPN.
The ASA validates certificates against the PKI trustpoints. If a certificate does not pass validation, then one of the following actions occurs:
Examples
The following example configures certificate authentication for WebVPN user connections on the outside interface:
hostname(config)# webvpnhostname(config-webvpn)# authentication-certificate outsidehostname(config-webvpn)#Related Commands
authentication-exclude
To enable end users to browse to configured links without logging in to clientless SSL VPN,, enter the authentication-exclude command in webvpn configuration mode. Use this command multiple times to permit acccess to multiple sites.
authentication-exclude url-fnmatch
Syntax Description
Command Default
Disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
This feature is useful when you require that some internal resources be available for public use via SSL VPN.
You need to distribute information about the links to end users in an SSL VPN-mangled form, for example, by browsing to these resources using SSL VPN and copying the resulting URLS into the information about links that you distribute.
Examples
The following example shows how to exempt two sites from authentication requirements:
hostname(config)#webvpnhostname(config-webvpn)#authentication-exclude http://www.example.com/public/*hostname(config-webvpn)#authentication-exclude *example.htmlhostname(config-webvpn)# hostname #authentication
To configure the authentication method for WebVPN and e-mail proxies, use the authentication command in various modes. To restore the default method, use the no form of this command. The ASA authenticates users to verify their identity.
authentication {[aaa] [certificate] [mailhost] [piggyback]}
no authentication [aaa] [certificate] [mailhost] [piggyback]
Syntax Description
Defaults
The following table shows the default authentication methods for WebVPN and e-mail proxies:
IMAP4S
Mailhost (required)
POP3S
Mailhost (required)
SMTPS
AAA
WebVPN
AAA
Command Modes
The following table shows the modes in which you can enter the command:
Command History
Usage Guidelines
At least one authentication method is required. For WebVPN, for example, you can specify AAA authentication, certificate authentication, or both. You can specify these in either order.
WebVPN certificate authentication requires that HTTPS user certificates be required for the respective interfaces. That is, for this selection to be operational, before you can specify certificate authentication, you must have specified the interface in an authentication-certificate command.
If you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group webvpn-attributes configuration mode.
For WebVPN, you can require both AAA and certificate authentication, in which case users must provide both a certificate and a username and password. For e-mail proxy authentication, you can require more than one authentication method. Specifying the command again overwrites the current configuration.
Examples
The following example shows how to require that WebVPN users provide certificates for authentication:
hostname(config)# webvpnhostname(config-webvpn)# authentication certificateRelated Commands
authentication eap-proxy
For L2TP over IPsec connections, to enable EAP and permit the ASA to proxy the PPP authentication process to an external RADIUS authentication server, use the authentication eap-proxy command in tunnel-group ppp-attributes configuration mode. To return the command to its default setting (permit CHAP and MS-CHAP), use the no form of this command.
authentication eap-proxy
no authentication eap-proxy
Syntax Description
This command has no keywords or arguments.
Defaults
EAP is not a permitted authentication protocol.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ppp-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute only to the L2TP/IPsec tunnel group type.
Examples
The following example entered in config-ppp configuration mode, permits EAP for PPP connections for the tunnel group named pppremotegrp:
hostname(config)# tunnel-group pppremotegrp type IPSec/IPSechostname(config)# tunnel-group pppremotegrp ppp-attributeshostname(config-ppp)# authentication eaphostname(config-ppp)#Related Commands
authentication key eigrp
To enable authentication of EIGRP packets and specify the authentication key, use the authentication key eigrp command in interface configuration mode. To disable EIGRP authentication, use the no form of this command.
authentication key eigrp as-number key key-id key-id
no authentication key eigrp as-number
Syntax Description
Defaults
EIGRP authentication is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
You must configure both the authentication mode eigrp and the authentication key eigrp commands on an interface to enable EIGRP message authentication. Use the show running-config interface command to view the authentication commands configured on an interface.
Examples
The following examples shows EIGRP authentication configured on interface GigabitEthernet0/3:
hostname(config)# interface Gigabit0/3hostname(config-if)# authentication mode eigrp md5hostname(config-if)# authentication key eigrp 100 thisismykey key_id 5Related Commands
authentication mode eigrp
Specifies the type of authentication used for EIGRP authentication.
authentication mode eigrp
To specify the type of authentication used for EIGRP authentication, use the authentication mode eigrp command in interface configuration mode. To restore the default authentication method, use the no form of this command.
authentication mode eigrp as-num md5
no authentication mode eigrp as-num md5
Syntax Description
as-num
The autonomous system number of the EIGRP routing process.
md5
Uses MD5 for EIGRP message authentication.
Defaults
No authentication is provided by default.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
You must configure both the authentication mode eigrp and the authentication key eigrp commands on an interface to enable EIGRP message authentication. Use the show running-config interface command to view the authentication commands configured on an interface.
Examples
The following examples shows EIGRP authentication configured on interface GigabitEthernet0/3:
hostname(config)# interface GigabitEthernet0/3hostname(config-if)# authentication mode eigrp 100 md5hostname(config-if)# authentication key eigrp 100 thisismykey key_id 5Related Commands
authentication key eigrp
Enables authentication of EIGRP packets and specifies the authentication key.
authentication ms-chap-v1
For L2TP over IPsec connections, to enable Microsoft CHAP, Version 1 authentication for PPP, use the authentication ms-chap-v1 command in tunnel-group ppp-attributes configuration mode. This protocol is similar to CHAP but more secure in that the server stores and compares only encrypted passwords rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE. To return the command to its default setting (permit CHAP and MS-CHAP), use the no form of this command. To disable Microsoft CHAP, Version 1, use the no form of this command.
authentication ms-chap-v1
no authentication ms-chap-v1
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ppp-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute only to the L2TP/IPsec tunnel group type.
Related Commands
authentication ms-chap-v2
For L2TP over IPsec connections, to enable Microsoft CHAP, Version 2 authentication for PPP, use the authentication ms-chap-v1 command in tunnel-group ppp-attributes configuration mode. To return the command to its default setting (permit CHAP and MS-CHAP), use the no form of this command.
authentication ms-chap-v2
no authentication ms-chap-v2
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ppp-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute only to the L2TP/IPsec tunnel-group type.
This protocol is similar to CHAP but more secure in that the server stores and compares only encrypted passwords rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE.
Related Commands
authentication pap
For L2TP over IPsec connections, to permit PAP authentiation for PPP, use the authentication pap command in tunnel-group ppp-attributes configuration mode. To return the command to its default setting (permit CHAP and MS-CHAP), use the no form of this command.
authentication pap
no authentication pap
Syntax Description
This command has no keywords or arguments.
Defaults
PAP is not a permitted authentication protocol.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ppp-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute only to the L2TP/IPsec tunnel group type.
This protocol passes a cleartext username and password during authentication and is not secure.
Examples
The following example entered in config-ppp configuration mode, permits PAP for PPP connections for a tunnel group named pppremotegrps:
hostname(config)# tunnel-group pppremotegrp type IPSec/IPSechostname(config)# tunnel-group pppremotegrp ppp-attributeshostname(config-ppp)# authentication paphostname(config-ppp)#Related Commands
authentication-certificate
To request a certificate from a WebVPN client establing a connection, use the authentication-certificate command in webvpn configuration mode. To cancel the requirement for a client certificate, use the no form of this command.
authentication-certificate interface-name
no authentication-certificate [interface-name]
Syntax Description
interface-name
The name of the interface used to establish the connection. Available interfaces names are:
•
•
Defaults
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
For this command to take effect, WebVPN must already be enabled on the corresponding interface. An interface is configured and named with the interface, IP address, and nameif commands.
This command applies only to WebVPN client connections, however the ability to specify client certificate authentication for management connections with the http authentication-certificate command is available on all platforms, including the platforms that do not support WebVPN.
The ASA validates certificates against the PKI trustpoints. If a certificate does not pass validation, then one of the following actions occurs:
Examples
The following example configures certificate authentication for WebVPN user connections on the outside interface:
hostname(config)# webvpnhostname(config-webvpn)# authentication-certificate outsidehostname(config-webvpn)#Related Commands
authentication-port
To specify the port number used for RADIUS authentication for this host, use the authentication-port command in aaa-server configuration host configuration mode. To remove the authentication port specification, use the no form of this command. This command specifies the destination TCP/UDP port number of the remote RADIUS server hosts to which you want to assign authentication functions:
authentication-port port
no authentication-port
Syntax Description
Defaults
By default, the device listens for RADIUS on port 1645 (in compliance with RFC 2058). If the port is not specified, the RADIUS authentication default port number (1645) is used.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host configuration
•
•
•
•
—
Command History
7.0(1)
Semantic change to the command to support the specification of server ports on a per-host basis for server groups that contain RADIUS servers.
Usage Guidelines
If your RADIUS authentication server uses a port other than 1645, you must configure the ASA for the appropriate port prior to starting the RADIUS service with the aaa-server command.
This command is valid only for server groups that are configured for RADIUS.
Examples
The following example configures a RADIUS AAA server named "srvgrp1" on host "1.2.3.4", sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures authentication port 1650.
hostname(config)#aaa-server svrgrp1 protocol radiushostname(config-aaa-server-group)#aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)#timeout 9hostname(config-aaa-server-host)#retry-interval 7hostname(config-aaa-server-host)#authentication-port 1650hostname(config-aaa-server-host)#exithostname(config)#Related Commands
authentication-server-group (imap4s, pop3s, smtps)
To specify the set of authentication servers to use for e-mail proxies, use the authentication-server-group command in various modes. To remove authentication servers from the configuration, use the no form of this command.
authentication-server-group group_tag
no authentication-server-group
Syntax Description
group_tag
Identifies the previously configured authentication server or group of servers. Use the aaa-server command to configure authentication servers.
Defaults
No authentication servers are configured by default.
Command Modes
The following table shows the modes in which you can enter the command:
Imap4s configuration
•
—
•
—
—
Pop3s configuration
•
—
•
—
—
Smtps configuration
•
—
•
—
—
Command History
Usage Guidelines
The ASA authenticates users to verify their identity.
If you configure AAA authentication, you must configure this attribute as well. Otherwise, authentication always fails.
Examples
The next example shows how to configure IMAP4S e-mail proxy to use the set of authentication servers named "IMAP4SSVRS":
hostname(config)#imap4shostname(config-imap4s)# authentication-server-group IMAP4SSVRSRelated Commands
aaa-server host
Configures authentication, authorization, and accounting servers.
authentication-server-group (tunnel-group general-attributes)
To specify the AAA server group to use for user authentication for a tunnel group, use the authentication-server-group command in tunnel-group general-attributes configuration mode. To return this attribute to the default, use the no form of this command.
authentication-server-group [(interface_name)] server_group [LOCAL]
no authentication-server-group [(interface_name)] server_group
Syntax Description
Defaults
The default setting for the server-group in this command is LOCAL.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute to all tunnel-group types.
Use the aaa-server command to configure authentication servers and the aaa-server-host command to add servers to a previously configured AAA server group.
Examples
The following example entered in config-general configuration mode, configures an authentication server group named aaa-server456 for an IPsec remote-access tunnel group named remotegrp:
hostname(config)# tunnel-group remotegrp type ipsec-rahostname(config)# tunnel-group remotegrp general-attributeshostname(config-tunnel-general)# authentication-server-group aaa-server456hostname(config-tunnel-general)#Related Commands
authorization-required
To require users to authorize successfully prior to connecting, use the authorization-required command in various modes. To remove the attribute from the configuration, use the no form of this command.
authorization-required
no authorization-required
Syntax Description
This command has no arguments or keywords.
Defaults
Authorization-required is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command History
Examples
The following example, entered in global configuration mode, requires authorization based on the complete DN for users connecting through a remote-access tunnel group named remotegrp. The first command configures the tunnel-group type as ipsec_ra (IPsec remote access) for the remote group named remotegrp. The second command enters tunnel-group general-attributes configuration mode for the specified tunnel group, and the last command specifies that authorization is required for the named tunnel group.
hostname(config)# tunnel-group remotegrp type ipsec_rahostname(config)# tunnel-group remotegrp general-attributeshostname(config-tunnel-general)# authorization-requiredhostname(config-tunnel-general)#Related Commands
authorization-server-group
To specify the set of authorization servers to use with WebVPN and e-mail proxies, use the authorization-server-group command in various modes. To remove authorization servers from the configuration, use the no form of this command.
authorization-server-group group_tag
no authorization-server-group
Syntax Description
group_tag
Identifies the previously configured authorization server or group of servers. Use the aaa-server command to configure authorization servers.
Defaults
No authorization servers are configured by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command History
7.0(1)
This command was introduced.
7.1(1)
This command was deprecated in webvpn configuration mode and moved to tunnel-group general-attributes configuration mode.
Usage Guidelines
The ASA uses authorization to verify the level of access to network resources that users are permitted.
If you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group general-attributes mode.
When VPN Authorization is defined as LOCAL, the attributes configured in the default group policy DfltGrpPolicy are enforced.
Examples
The following example shows how to configure POP3S e-mail proxy to use the set of authorization servers named "POP3Spermit":
hostname(config)#pop3shostname(config-pop3s)# authorization-server-group POP3SpermitThe following example entered in config-general configuration mode, configures an authorization server group named "aaa-server78" for an IPsec remote-access tunnel group named "remotegrp":
hostname(config)# tunnel-group remotegrp type ipsec-rahostname(config)# tunnel-group remotegrp general-attributeshostname(config-tunnel-general)# authorization-server-group aaa-server78hostname(config-tunnel-general)#Related Commands
auth-prompt
To specify or change the AAA challenge text for through-the-ASA user sessions, use the auth-prompt command in global configuration mode. To remove the authentication challenge text, use the no form of this command.
auth-prompt prompt [prompt | accept | reject] string
no auth-prompt prompt [ prompt | accept | reject]
Syntax Description
Defaults
If you do not specify an authentication prompt:
•
hostname(config)#,•
hostname(config-aaa-server-group)#•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
The auth-prompt command lets you specify the AAA challenge text for HTTP, FTP, and Telnet access through the ASA when requiring user authentication from TACACS+ or RADIUS servers. This text is primarily for cosmetic purposes and displays above the username and password prompts that users view when logging in.
If the user authentication occurs from Telnet, you can use the accept and reject options to display different status prompts to indicate that the authentication attempt is accepted or rejected by the AAA server.
If the AAA server authenticates the user, the ASA displays the auth-prompt accept text, if specified, to the user; otherwise it displays the reject text, if specified. Authentication of HTTP and FTP sessions displays only the challenge text at the prompt. The accept and reject text are not displayed.
Note
Examples
The following example sets the authentication prompt to the string "Please enter your username and password.":
hostname(config)# auth-prompt prompt Please enter your username and passwordAfter this string is added to the configuration, users see the following:
Please enter your username and passwordUser Name:Password:For Telnet users, you can also provide separate messages to display when the ASA accepts or rejects the authentication attempt; for example:
hostname(config)# auth-prompt reject Authentication failed. Try again.hostname(config)# auth-prompt accept Authentication succeeded.The following example sets the authentication prompt for a successful authentication to the string, "You're OK."
hostname(config)# auth-prompt accept You're OK.After successfully authenticating, the user sees the following message:
You're OK.Related Commands
auto-signon
To configure the ASA to automatically pass user login credentials for Clientless SSL VPN connections on to internal servers, use the auto-signon command in any of three modes: webvpn configuration, webvpn group configuration, or webvpn username configuration mode. The authentication method can be NTLM (includes NTLMv1 and NTLMv2), HTTP Basic authentication, or both. To disable auto-signon to a particular server, use the no form of this command with the original ip, uri, and auth-type arguments. To disable auto-signon to all servers, use the no form of this command without arguments.
auto-signon allow {ip ip-address ip-mask | uri resource-mask} auth-type {basic | ftp | ntlm | all}
no auto-signon [allow {ip ip-address ip-mask | uri resource-mask} auth-type {basic | ftp | ntlm | all}]
Syntax Description
Syntax DescriptionSyntax Description
Defaults
By default, this feature is disabled for all servers.
Command Modes
The following table shows the modes in which you can enter the command:
Command History
7.1(1)
This command was introduced.
8.0(1)
NTLMv2 support was added. The ntlm keyword includes both NTLMv1 and NTLMv2.
Usage Guidelines
The auto-signon command is a single sign-on method for Clientless SSL VPN users. It passes the login credentials (username and password) to internal servers for authentication using NTLM authentication, HTTP Basic authentication, or both. Multiple auto-signon commands can be entered and are processed according to the input order (early commands take precedence).
You can use the auto-signon feature in three modes: webvpn configuration group-policy, webvpn configuration, or webvpn username configuration mode. The typical precedence behavior applies, where username supersedes group, and group supersedes global. The mode you choose depends upon the desired scope of authentication:
Webvpn configuration
All WebVPN users globally
Webvpn group configuration
A subset of WebVPN users defined by a group policy
Webvpn username configuration
An individual WebVPN user
Examples
The following example commands configure auto-signon for all Clientless users, using NTLM authentication, to servers with IP addresses ranging from 10.1.1.0 to 10.1.1.255:
hostname(config)# webvpnhostname(config-webvpn)# auto-signon allow ip 10.1.1.0 255.255.255.0 auth-type ntlmThe following example commands configure auto-signon for all Clientless users, using HTTP Basic authentication, to servers defined by the URI mask https://*.example.com/*:
hostname(config)# webvpnhostname(config-webvpn)# auto-signon allow uri https://*.example.com/* auth-type basicThe following example commands configure auto-signon for Clientless users ExamplePolicy group policy, using either HTTP Basic or NTLM authentication, to servers defined by the URI mask https://*.example.com/*:hostname(config)# group-policy ExamplePolicy attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# auto-signon allow uri https://*.example.com/* auth-type allThe following example commands configure auto-signon for a user named Anyuser, using HTTP Basic authentication, to servers with IP addresses ranging from 10.1.1.0 to 10.1.1.255:
hostname(config)# username Anyuser attributeshostname(config-username)# webvpnhostname(config-username-webvpn)# auto-signon allow ip 10.1.1.0 255.255.255.0 auth-type basicRelated Commands
show running-config webvpn auto-signon
Displays auto-signon assignments of the running configuration.
auto-summary
To enable the automatic summarization of subnet routes into network-level routes, use the auto-summary command in router configuration mode. To disable route summarization, use the no form of this command.
auto-summary
no auto-summary
Syntax Description
This command has no arguments or keywords.
Defaults
Route summarization is enabled for RIP Version 1, RIP Version 2, and EIGRP.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
Route summarization reduces the amount of routing information in the routing tables.
RIP Version 1 always uses automatic summarization. You cannot disable automatic summarization for RIP Version 1.
If you are using RIP Version 2, you can turn off automatic summarization by specifying the no auto-summary command. Disable automatic summarization if you must perform routing between disconnected subnets. When automatic summarization is disabled, subnets are advertised.
EIGRP summary routes are given an administrative distance value of 5. You cannot configure this value.
Only the no form of this command appears in the running configuration.
Examples
The following example disables RIP route summarization:
hostname(config)# router riphostname(config-router)# network 10.0.0.0hostname(config-router)# version 2hostname(config-router)# no auto-summaryThe following example disables automatic EIGRP route summarization:
hostname(config)# router eigrp 100hostname(config-router)# network 10.0.0.0hostname(config-router)# no auto-summaryRelated Commands
auto-update device-id
To configure the ASA device ID for use with an Auto Update Server, use the auto-update device-id command in global configuration mode. To remove the device ID, use the no form of this command.
auto-update device-id [hardware-serial | hostname | ipaddress [if_name] | mac-address [if_name] | string text]
no auto-update device-id [hardware-serial | hostname | ipaddress [if_name] | mac-address [if_name] | string text]
Syntax Description
Defaults
The default ID is the hostname.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Examples
The following example sets the device ID to the serial number:
hostname(config)# auto-update device-id hardware-serialRelated Commands
auto-update poll-at
To schedule a specific time for the adaptive security appliance to poll the Auto Update Server, use the auto-update poll-at command from global configuration mode. To remove all specified scheduling times for the adaptive security appliance to poll the Auto Update Server, use the no form of this command.
auto-update poll-at days-of-the-week time [randomize minutes] [retry_count [retry_period]]
no auto-update poll-at days-of-the-week time [randomize minutes] [retry_count [retry_period]]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
The auto-update poll-at command specifys a time at which to poll for updates. If you enable the randomize option, the polling occurs at a random time within the range of the first time and the specified number of minutes. The auto-update poll-at and auto-update poll-period commands are mutually exclusive. Only one of them can be configured.
Examples
In the following example, the adaptive security appliance polls the Auto Update Server every Friday and Saturday night at a random time between 10:00 p.m. and 11:00 p.m. If the adaptive security appliance is unable to contact the server, it tries two more times every 10 minutes.
hostname(config)# auto-update poll-at Friday Saturday 22:00 randomize 60 2 10hostname(config)# auto-update server http://192.168.1.114/aus/autoupdate.aspRelated Commands
auto-update poll-period
To configure how often the ASA checks for updates from an Auto Update Server, use the auto-update poll-period command in global configuration mode. To reset the parameters to the defaults, use the no form of this command.
auto-update poll-period poll_period [retry_count [retry_period]]
no auto-update poll-period poll_period [retry_count [retry_period]]
Syntax Description
Defaults
The default poll period is 720 minutes (12 hours).
The default number of times to try reconnecting to the Auto Update Server if the first attempt fails is 0.
The default period to wait between connection attempts is 5 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
The auto-update poll-at and auto-update poll-period commands are mutually exclusive. Only one of them can be configured.
Examples
The following example sets the poll period to 360 minutes, the retries to 1, and the retry period to 3 minutes:
hostname(config)# auto-update poll-period 360 1 3Related Commands
auto-update server
To identify the Auto Update Server, use the auto-update server command in global configuration mode. To remove the server, use the no form of this command.
auto-update server url [source interface] [verify-certificate]
no auto-update server url [source interface] [verify-certificate]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
7.0(1)
This command was introduced.
7.2(1)
The command was modified to add support for multiple servers.
Usage Guidelines
The ASA periodically contacts the Auto Update Server for any configuration, operating system, and ASDM updates.
You can configure multiple servers to work with auto update. When checking for updates, a connection is made to the first server, but if that fails then the next server will be contacted. This will continue until all the servers have been tried. If all of them fail to connect, then a retry starting with the first server is attempted if the auto-update poll-period is configured to retry the connection.
For auto update functionality to work properly, you must use the boot system configuration command and ensure it specifies a valid boot image. Likewise, the asdm image command must be used with auto update to update the ASDM software image.
If the interface specified in the source interface argument is the same interface specified with the management-access command, requests to the Auto Update Server will be sent over the VPN tunnel.
Examples
The following example sets the Auto Update Server URL and specifies the interface outside:
hostname(config)# auto-update server http://10.1.1.1:1741/ source outsideRelated Commands
auto-update timeout
To set a timeout period in which to contact the Auto Update Server, use the auto-update timeout command in global configuration mode. To remove the timeout, use the no form of this command.
auto-update timeout period
no auto-update timeout [period]
Syntax Description
Defaults
The default timeout is 0, which sets the ASA to never time out.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
A timeout condition is reported with syslog message 201008.
If the Auto Update Server has not been contacted for the timeout period, the ASA stops all traffic through the ASA. Set a timeout to ensure that the ASA has the most recent image and configuration.
Examples
The following example sets the timeout to 24 hours:
hostname(config)# auto-update timeout 1440
Related Commands
