-
Cisco ASA Series Command Reference, 8.4, 8.5, 8.6, and 8.7
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show ddns -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config ldap -- show running-config wccp
-
show service-policy -- show xlate
-
shun -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
crypto am-disable through cxsc auth-proxy port Commands
crypto ca server user-db allow
crypto ca server user-db email-otp
crypto ca server user-db remove
crypto ca server user-db show-otp
crypto ca server user-db write
crypto dynamic-map match address
crypto dynamic-map set nat-t-disable
crypto dynamic-map set reverse route
crypto dynamic-map set ikev1 transform-set
crypto dynamic-map set ikev2 ipsec-proposal
crypto ikev2 limit max-in-negotiation-sa
crypto ikev2 remote-access trust-point
crypto ipsec ikev2 ipsec-proposal
crypto ipsec security-association lifetime
crypto ipsec security-association replay
crypto ipsec ikev1 transform-set (create or remove transform set)
crypto ipsec ikev1 transform-set mode transport
crypto isakmp disconnect-notify
crypto isakmp policy authentication
crypto isakmp policy encryption
crypto large-cert-acceleration enable
crypto map ipsec-isakmp dynamic
crypto map set connection-type
crypto map set ikev2 pre-shared-key
crypto map set ikev1 phase1-mode
crypto map set ikev2 phase1-mode
crypto map set security-association lifetime
crypto map set ikev1 transform-set
crypto map set ikev2 ipsec-proposal
crypto am-disable through cxsc auth-proxy port Commands
crypto am-disable
To disable IPsec IKEv1 inbound aggressive mode connections, use the crypto ikev1 am-disable command in global configuration mode. To enable inbound aggressive mode connections, use the no form of this command.
crypto ikev1 am-disable
no crypto ikev1 am-disable
Syntax Description
This command has no arguments or keywords.
Defaults
The default value is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example, entered in global configuration mode, disables inbound aggressive mode connections:
hostname(config)# crypto ikev1 am-disableRelated Commands
crypto ca authenticate
To install and authenticate the CA certificates associated with a trustpoint, use the crypto ca authenticate command in global configuration mode. To remove the CA certificate, use the no form of this command.
crypto ca authenticate trustpoint [fingerprint hexvalue] [nointeractive]
no crypto ca authenticate trustpoint
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
If the trustpoint is configured for SCEP enrollment, the CA certificate is downloaded through SCEP. If not, the ASA prompts you to paste the base-64 formatted CA certificate onto the terminal.
The invocations of this command do not become part of the running configuration.
Examples
The following example shows the ASA requesting the certificate of the CA. The CA sends its certificate and the ASA prompts the administrator to verify the certificate of the CA by checking the CA certificate fingerprint. The ASA administrator should verify the fingerprint value displayed with a known, correct value. If the fingerprint displayed by the ASA matches the correct value, you should accept the certificate as valid.
hostname(config)# crypto ca authenticate mycaCertificate has the following attributes:Fingerprint: 0123 4567 89AB CDEF 0123Do you accept this certificate? [yes/no] y#hostname(config)#In the next example, the trustpoint tp9 is configured for terminal-based (manual) enrollment. In this case the ASA prompts the administrator to paste the CA certificate to the terminal. After displaying the fingerprint of the certificate, the ASA prompts the administrator to confirm that the certificate should be retained.
hostname(config)# crypto ca authenticate tp9Enter the base 64 encoded CA certificate.End with a blank line or the word "quit" on a line by itselfMIIDjjCCAvegAwIBAgIQejIaQ3SJRIBMHcvDdgOsKTANBgkqhkiG9w0BAQUFADBAMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUExETAPBgNVBAcTCEZyYW5rbGluMREwDwYDVQQDEwhCcmlhbnNDQTAeFw0wMjEwMTcxODE5MTJaFw0wNjEwMjQxOTU3MDhaMEAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNQTERMA8GA1UEBxMIRnJhbmtsaW4xETAPBgNVBAMTCEJyaWFuc0NBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdjXEPvNnkZD1bKzahbTHuRot1T8KRUbCP5aWKfqViKJENzI2GnAheArazsAcc4EazLDnpuyyqa0j5LA3MI577MoN1/nll018fbpqOf9eVDPJDkYTvtZ/X3vJgnEjTOWyzT0pXxhdU1b/jgqVE74OvKBzU7A2yoQ2hMYzwVbGkewIDAQABo4IBhzCCAYMwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgFGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBHr3holowFDmniI3FBwKpSEucdtMIIBGwYDVR0fBIIBEjCCAQ4wgcaggcOggcCGgb1sZGFwOi8vL0NOPUJyaWFuc0NBLENOPWJyaWFuLXcyay1zdnIsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9YnJpYW5wZGMsREM9YmRzLERDPWNvbT9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Y2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwQ6BBoD+GPWh0dHA6Ly9icmlhbi13Mmstc3ZyLmJyaWFucGRjLmJkcy5jb20vQ2VydEVucm9sbC9CcmlhbnNDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAdLhc4Za3AbMjRq66xH1qJWxKUzd4nE9wOrhGgA1rj4B/Hv2K1gUie34xGqu9OpwqvJgp/vCU12Ciykb1YdSDy/PxN4KtR9Xd1JDQMbu5f20AYqCG5vpPWavCgmgTLcdwKa3ps1YSWGkhWmScHHSiGg1a3tevYVwhHNPA4mWo7sQ=Certificate has the following attributes:Fingerprint: 21B598D5 4A81F3E5 0B24D12E 3F89C2E4% Do you accept this certificate? [yes/no]:yesTrustpoint CA certificate accepted.% Certificate successfully importedhostname(config)#Related Commands
crypto ca certificate chain
To enter certificate chain configuration mode for the indicated trustpoint, use the crypto ca certificate chain command in global configuration mode. To return to global configuration mode, use the exit command.
crypto ca certificate chain trustpoint
Syntax Description
Syntax DescriptionSyntax Description
Defaults
No default values or behaviors.
Command Modes
The following table shows the modes in which you can enter the command
Global configuration
•
•
•
•
—
:
Command History
Examples
The following example enters certificate chain configuration mode for the trustpoint, central:
hostname<config>#crypto ca certificate chain centralhostname<config-cert-chain>#Related Commands
crypto ca certificate map
To enter ca certificate map mode, use the crypto ca configuration map command in global configuration mode. Executing this command places you in ca certificate map mode. Use this group of commands to maintain a prioritized list of certificate mapping rules. The sequence number orders the mapping rules. To remove a crypto CA configuration map rule, use the no form of the command.
crypto ca certificate map {sequence-number | map-name sequence-number}
no crypto ca certificate map {sequence-number | map-name [sequence-number]}
Syntax Description
Defaults
The default value for map-name is DefaultCertificateMap.
Command Modes
The following table shows the modes in which you can enter the command
Global configuration
•
•
•
•
—
:
Command History
Usage Guidelines
Issuing this command places the ASA in ca certificate map configuration mode, where you can configure rules based on the issuer and subject distinguished names (DNs) of the certificate. The general form of these rules is as follows:
DN match-criteria match-value
DN is either subject-name or issuer-name. DNs are defined in the ITU-T X.509 standard.
match-criteria comprise the following expressions or operators:
attr tag
Limits the comparison to a specific DN attribute, such as common name (CN).
co
Contains
eq
Equal
nc
Does not contain
ne
Not equal
The DN matching expressions are case insensitive.
Examples
The following example enters ca certificate map mode with a map named example-map and a sequence number of 1 (rule # 1), and specifies that the common name (CN) attribute of the subject-name must match Example1:
hostname(config)# crypto ca certificate map example-map 1hostname(ca-certificate-map)# subject-name attr cn eq Example1hostname(ca-certificate-map)#The following example enters ca certificate map mode with a map named example-map and a sequence number of 1, and specifies that the subject-name contain the value cisco anywhere within it:
hostname(config)# crypto ca certificate map example-map 1hostname(ca-certificate-map)# subject-name co ciscohostname(ca-certificate-map)#Related Commands
crypto ca crl request
To request a CRL based on the configuration parameters of the specified trustpoint, use the crypto ca crl request command in crypto ca trustpoint configuration mode.
crypto ca crl request trustpoint
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
—
Command History
Usage Guidelines
Invocations of this command do not become part of the running configuration.
Examples
The following example requests a CRL based on the trustpoint named central:
hostname(config)# crypto ca crl request centralhostname(config)#Related Commands
crypto ca enroll
To start the enrollment process with the CA, use the crypto ca enroll command in global configuration mode. For this command to execute successfully, the trustpoint must have been configured correctly.
crypto ca enroll trustpoint [noconfirm]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command
Global configuration
•
•
•
•
—
:
Command History
Usage Guidelines
When the trustpoint is configured for SCEP enrollment, the ASA displays a CLI prompt immediately and displays status messages to the console asynchronously. When the trustpoint is configured for manual enrollment, the ASA writes a base-64-encoded PKCS10 certification request to the console and then displays the CLI prompt.
This command generates interactive prompts that vary depending on the configured state of the referenced trustpoint.
Examples
The following example enrolls for an identity certificate with trustpoint tp1 using SCEP enrollment. The ASA prompts for information not stored in the trustpoint configuration.
hostname(config)# crypto ca enroll tp1%% Start certificate enrollment ..% Create a challenge password. You will need to verbally provide this% password to the CA Administrator in order to revoke your certificate.% For security reasons your password will not be saved in the configuration.% Please make a note of it.Password:Re-enter password:% The fully-qualified domain name in the certificate will be: xyz.example.com% The subject name in the certificate will be: xyz.example.com% Include the router serial number in the subject name? [yes/no]: no% Include an IP address in the subject name? [no]: noRequest certificate from CA [yes/no]: yes% Certificate request sent to Certificate authority.% The certificate request fingerprint will be displayed.% The `show crypto ca certificate' command will also show the fingerprint.hostname(config)#The next command shows manual enrollment of a CA certificate.
hostname(config)# crypto ca enroll tp1
% Start certificate enrollment ..% The fully-qualified domain name in the certificate will be: xyz.example.com% The subject name in the certificate will be: wb-2600-3.example.comif serial number not set in trustpoint, prompt:% Include the router serial number in the subject name? [yes/no]: noIf ip-address not configured in trustpoint:% Include an IP address in the subject name? [no]: yesEnter Interface name or IP Address[]: 1.2.3.4Display Certificate Request to terminal? [yes/no]: yCertificate Request follows:MIIBFTCBwAIBADA6MTgwFAYJKoZIhvcNAQkIEwcxLjIuMy40MCAGCSqGSIb3DQEJAhYTd2ItMjYwMC0zLmNpc2NvLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDTIdvHa4D5wXZ+40sKQV7Uek1E+CC6hm/LRN3p5ULW1KF6bxhA3Q5CQfh4jDxobn+AY8GoeceulS2Zb+mvgNvjAgMBAAGgITAfBgkqhkiG9w0BCQ4xEjAQMA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQQFAANBACDhnrEGBVtltG7hp8x6Wz/dgY+ouWcAlzy7QpdGhb1du2P81RYn+8pWRA43cikXMTeM4ykEkZhLjDUgv9t+R9c=---End - This line not part of the certificate request---Redisplay enrollment request? [yes/no]: nohostname(config)#Related Commands
crypto ca export
To export the security appliance trustpoint configuration with all associated keys and certificates in PKCS12 format, or to export the device identity certificate in PEM format, use the crypto ca export command in global configuration mode.
crypto ca export trustpoint identify-certificate
Syntax Description
Syntax DescriptionSyntax Description
Defaults
No default values or behaviors.
Command Modes
The following table shows the modes in which you can enter the command
Global configuration
•
•
•
•
—
:
Command History
7.0(1)
This command was introduced.
8.0(2)
This command was changed to accommodate certificate exporting in PEM format.
Usage Guidelines
Invocations of this command do not become part of the active configuration. The PEM or PKCS12 data is written to the console.
Web browsers use the PKCS12 format to store private keys with accompanying public key certificates protected with a password-based symmetric key. The ASA exports the certificates and keys associated with a trust point in base64-encoded PKCS12 format. This feature can be used to move certificates and keys between ASAs.
PEM encoding of a certificate is a base64 encoding of an X.509 certificate enclosed by PEM headers. This encoding provides a standard method for text-based transfer of certificates between ASAs. PEM encoding can be used to export the proxy-ldc-issuer certificate using a SSL/TLS protocol proxy when the ASA is acting as a client.
Examples
The following example exports the PEM-formatted certificate for trustpoint 222 as a console display:
hostname (config)#crypto ca export 222 identity-certificateExported 222 follows:
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
MIIDjjCCAvegAwIBAgIQejIaQ3SJRIBMHcvDdgOsKTANBgkqhkiG9w0BAQUFADBA
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUExETAPBgNVBAcTCEZyYW5rbGluMREw
DwYDVQQDEwhCcmlhbnNDQTAeFw0wMjEwMTcxODE5MTJaFw0wNjEwMjQxOTU3MDha
MEAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNQTERMA8GA1UEBxMIRnJhbmtsaW4x
ETAPBgNVBAMTCEJyaWFuc0NBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCd
jXEPvNnkZD1bKzahbTHuRot1T8KRUbCP5aWKfqViKJENzI2GnAheArazsAcc4Eaz
LDnpuyyqa0j5LA3MI577MoN1/nll018fbpqOf9eVDPJDkYTvtZ/X3vJgnEjTOWyz
T0pXxhdU1b/jgqVE74OvKBzU7A2yoQ2hMYzwVbGkewIDAQABo4IBhzCCAYMwEwYJ
KwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgFGMA8GA1UdEwEB/wQFMAMBAf8w
HQYDVR0OBBYEFBHr3holowFDmniI3FBwKpSEucdtMIIBGwYDVR0fBIIBEjCCAQ4w
gcaggcOggcCGgb1sZGFwOi8vL0NOPUJyaWFuc0NBLENOPWJyaWFuLXcyay1zdnIs
Q049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENO
PUNvbmZpZ3VyYXRpb24sREM9YnJpYW5wZGMsREM9YmRzLERDPWNvbT9jZXJ0aWZp
Y2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Y2xhc3M9Y1JMRGlzdHJpYnV0
aW9uUG9pbnQwQ6BBoD+GPWh0dHA6Ly9icmlhbi13Mmstc3ZyLmJyaWFucGRjLmJk
cy5jb20vQ2VydEVucm9sbC9CcmlhbnNDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQEw
DQYJKoZIhvcNAQEFBQADgYEAdLhc4Za3AbMjRq66xH1qJWxKUzd4nE9wOrhGgA1r
j4B/Hv2K1gUie34xGqu9OpwqvJgp/vCU12Ciykb1YdSDy/PxN4KtR9Xd1JDQMbu5
f20AYqCG5vpPWavCgmgTLcdwKa3ps1YSWGkhWmScHHSiGg1a3tevYVwhHNPA4mWo
7sQ=
Certificate has the following attributes:
Fingerprint: 21B598D5 4A81F3E5 0B24D12E 3F89C2E4
% Do you accept this certificate? [yes/no]:
Trustpoint CA certificate accepted.
% Certificate successfully imported
hostname<config>#
hostname<config-cert-chain>#
hostname (config)#
Exported 222 follows:
-----BEGIN CERTIFICATE-----
MIIGDzCCBXigAwIBAgIKFiUgwwAAAAAFPDANBgkqhkiG9w0BAQUFADCBnTEfMB0G
CSqGSIb3DQEJARYQd2Jyb3duQGNpc2NvLmNvbTELMAkGA1UEBhMCVVMxCzAJBgNV
BAgTAk1BMREwDwYDVQQHEwhGcmFua2xpbjEWMBQGA1UEChMNQ2lzY28gU3lzdGVthostname (config)#Related Commands
crypto ca import
To install a certificate received from a CA in response to a manual enrollment request or to import the certificate and key pair for a trustpoint using PKCS12 data, use the crypto ca import command in global configuration mode. The ASA prompts you to paste the text to the terminal in base 64 format.
crypto ca import trustpoint certificate [ nointeractive ]
crypto ca import trustpoint pkcs12 passphrase [ nointeractive ]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example manually imports a certificate for the trustpoint Main:
hostname (config)#crypto ca import Main certificate% The fully-qualified domain name in the certificate will be: securityappliance.example.comEnter the base 64 encoded certificate.End with a blank line or the word "quit" on a line by itself[ certificate data omitted ]quitINFO: Certificate successfully importedhostname (config)#The following example manually imports PKCS12 data to a trustpoint central:
hostname (config)#crypto ca import central pkcs12Enter the base 64 encoded pkcs12.End with a blank line or the word "quit" on a line by itself:[ PKCS12 data omitted ]quitINFO: Import PKCS12 operation completed successfullyhostname (config)#The following example, entered in global configuration mode, generates a warning message because there is not enough space in NV RAM to save the RSA keypair:
hostname(config)# crypto ca import central pkcs12 mod 2048INFO: The name for the keys will be: centralKeypair generation process begin. Please wait...NV RAM will not have enough space to save keypair central. Remove any unnecessary keypairs and save the running config before using this keypair.hostname(config)#Related Commands
crypto ca server
To set up and manage a local CA server on the ASA, use the crypto ca server command in global configuration mode to enter ca server configuration mode and access the CA configuration commands. To delete the configured local CA server from the ASA, use the no form of this command.
crypto ca server
no crypto ca server
Defaults
A certificate authority server is not enabled on the ASA.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
There can only be one local CA on an ASA.
The crypto ca server command configures the CA server, but does not enable it. Use the no form of the shutdown command in ca server configuration mode to enable the local CA.
When you activate the CA server with the no shutdown command, you establish the RSA keypair of the CA and a trustpoint named LOCAL-CA-SERVER to hold the self-signed certificate. This newly generated self-signed certificate always has digital signature, crl signing, and certificate signing key usage settings set.
Caution
Examples
The following example enters ca server configuration mode, then lists the local CA server commands available in that mode:
hostname(config)# crypto ca serverhostname(config-ca-server)# ?CA Server configuration commands:cdp-url CRL Distribution Point to be included in the issuedcertificatesdatabase Embedded Certificate Server database locationconfigurationenrollment-retrieval Enrollment-retrieval timeout configurationexit Exit from Certificate Server entry modehelp Help for crypto ca server configuration commandsissuer-name Issuer namekeysize Size of keypair in bits to generate for certificateenrollmentslifetime Lifetime parametersno Negate a command or set its defaultsotp One-Time Password configuration optionsrenewal-reminder Enrollment renewal-reminder time configurationshutdown Shutdown the Embedded Certificate Serversmtp SMTP settings for enrollment E-mail notificationssubject-name-default Subject name default configuration for issuedcertificatesThe following example uses the no form of the crypto ca server command in ca server configuration mode to delete the configured and enabled CA server from the ASA:
hostname(config-ca-server)#no crypto ca serverCertificate server 'remove server' event has been queued for processing.hostname(config)#Related Commands
crypto ca server crl issue
To force the issuance of a Certificate Revocation List (CRL), use the crypto ca server crl issue command in privileged EXEC mode.
crypto ca server crl issue
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
ca server configuration
•
—
•
—
—
Global configuration
•
—
•
—
—
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Use this command to recover a lost CRL. Normally, the CRL is reissued automatically upon expiration by resigning the existing CRL. The crypto ca server crl issue command regenerates the CRL based on the certificate database and should only be used as required to regenerate a CRL based on the certificate database contents.
Examples
The following example forces the issuance of a CRL by the local CA server:
hostname(config-ca-server)# crypto ca server crl issue
czEZMBcGA1UECxMQRnJhbmtsaW4gRGV2VGVzdDEaMBgGA1UEAxMRbXMtcm9vdC1jhostname(config-ca-server)#Related Commands
crypto ca server revoke
To mark a certificate issued by the local Certificate Authority (CA) server as revoked in the certificate database and the CRL, use the crypto ca server revoke command in privileged EXEC mode.
crypto ca server revoke cert-serial-no
Syntax Description
cert-serial-no
Specifies the serial number of the certificate to be revoked. Enter the serial number in hexadecimal format.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
ca server configuration
•
—
•
—
—
Global configuration
•
—
•
—
—
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
You revoke a specific certificate that has been issued by the local CA on an ASA by entering the crypto ca server revoke command on that ASA. Revocation is accomplished when this command marks the certificate as revoked in the certificate database on the CA server and in the CRL. You specify the certificate to be revoked by entering the certificate serial number in hexadecimal format.
The CRL is regenerated automatically after the specified certificate is revoked.
Examples
The following example revokes the certificate with the serial number 782ea09f issued by the local CA server:
hostname(config-ca-server)## crypto ca server revoke 782ea09f
YS01LTIwMDQwHhcNMDYxMTAyMjIyNjU3WhcNMjQwNTIwMTMzNDUyWjA2MRQwEgYDhostname(config-ca-server)#Related Commands
crypto ca server unrevoke
To unrevoke a revoked certificate issued by the local CA server, use the crypto ca server unrevoke command in privileged EXEC mode.
crypto ca server unrevoke cert-serial-no
Syntax Description
cert-serial-no
Specifies the serial number of the certificate to be unrevoked. Enter the serial number in hexadecimal format.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
ca server configuration
•
—
•
—
—
Global configuration
•
—
•
—
—
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
You unrevoke a revoked certificate issued by the local CA on an ASA by entering the crypto ca server unrevoke command. The validity of the certificate is restored when this command marks the certificate as valid in the certificate database and removes it from the CRL. You specify the certificate to be unrevoked by entering the certificate serial number in hexadecimal format.
The CRL is regenerated after the specified certificate is unrevoked.
Examples
The following example unrevokes the certificate with the serial number 782ea09f issued by the local CA server:
hostname(config-ca-server)# crypto ca server unrevoke 782ea09f
VQQFEwtKTVgwOTQwSzA0TDEeMBwGCSqGSIb3DQEJAhMPQnJpYW4uY2lzY28uY29thostname(config-ca-server)#Related Commands
crypto ca server user-db add
To insert a new user into the CA server user database, use the crypto ca server user-db add command in privileged EXEC mode.
crypto ca server user-db add user [dn dn] [email e-mail-address]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
ca server configuration
•
—
•
—
—
Global configuration
•
—
•
—
—
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
The user argument can be a simple username such as janedoe or an e-mail address such as janedoe@example.com. The username must match the username specified by the end user in the enrollment page.
The username is added to the database as a user without privileges. You must use the crypto ca server allow command to grant enrollment privileges.
The username argument, along with the one-time password, is used to enroll the user on the enrollment interface page.
Note
The email e-mail-address keyword-argument pair is used only as an e-mail address to notify the user for enrollment and renewal reminders and does not appear in the issued certificate.
Inclusion of the e-mail address ensures that the user can be contacted with any questions and is notified of the required one-time password for enrollment.
If an optional dn is not specified for a user, the subject name dn is formed using the username and the subject-name-default DN setting as cn=username, subject-name-default.
Examples
The following example adds a user to the user database with a username of janedoe@example.com with a complete subject-name DN:
hostname(config-ca-server)# crypto ca server user-db add dn "cn=Jane Doe, ou=engineering, o=Example, l=RTP, st=NC, c=US"hostname
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvxxIYKcrb7cJpsiFKwwsQUph5#The following example grants enrollment privileges to the user named jondoe.
hostname(config-ca-server)# crypto ca server user-db allow jondoehostname
4M5Y3CDVKEVF+98HrD6rhd0n/d6R8VYSfu76aeJC5j9Bbn3xOCx2aY5K2enf3SBWRelated Commands
crypto ca server user-db allow
To permit a user or a group of users to enroll in the local CA server database, use the crypto ca server user-db allow command in privileged EXEC mode. This command also includes options to generate and display one-time passwords or to e-mail them to users.
crypto ca server user-db allow {username | all-unenrolled | all-certholders} [display-otp] [email-otp] [replace-otp ]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
ca server configuration
•
—
•
—
—
Global configuration
•
—
•
—
—
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
The replace-otp keyword generates OTPs for all specified users. These new OTPs replace any valid ones generated for the specified users.
The OTP is not stored on the ASA, but is generated and regenerated as required to notify a user or to authenticate a user during enrollment.
Examples
The following example grants enrollment privileges to all users in the database who have not enrolled yet:
hostname(config-ca-server)#crypto ca server user-db allow all-unenrolledhostname(config-ca-server)#The following example grants enrollment privileges to the user named user1:
hostname(config-ca-server)#crypto ca server user-db allow user1hostname(config-ca-server)#Related Commands
crypto ca server user-db email-otp
To e-mail the OTP to a specific user or a subset of users in the local CA server database, use the crypto ca server user-db email-otp command in privileged EXEC mode.
crypto ca server user-db email-otp {username | all-unenrolled | all-certholders}
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
ca server configuration
•
—
•
—
—
Global configuration
•
—
•
—
—
Privileged EXEC
•
—
•
—
—
Command History
Examples
The following example e-mails the OTP to all unenrolled users in the database:
hostname(config-ca-server)# crypto ca server user-db email-otp all-unenrolledhostname(config-ca-server)#The following example e-mails the OTP to the user named user1:
hostname(config-ca-server)# crypto ca server user-db email-otp user1hostname(config-ca-server)#Related Commands
crypto ca server user-db remove
To remove a user from the local CA server user database, use the crypto ca server user-db remove command in privileged EXEC mode.
crypto ca server user-db remove username
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
CA server configuration
•
—
•
—
—
Global configuration
•
—
•
—
—
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
This command removes a username from the CA user database so that user cannot enroll. The command also providees the option to revoke previously issued, valid certificates.
Examples
The following example removes a user with a username, user1, from the CA server user database :
hostname(config-ca-server)# crypto ca server user-db remove user1WARNING: No certificates have been automatically revoked. Certificates issued to user user1 should be revoked if necessary.hostname(config-ca-server)#Related Commands
crypto ca server user-db show-otp
To display the OTP for a specific user or a subset of users in the local CA server database, use the crypto ca server user-db show-otp command in privileged EXEC mode.
crypto ca server user-db show-otp {username | all-certholders | all-unenrolled}
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
ca server configuration
•
—
•
—
—
Global configuration
•
—
•
—
—
Privileged EXEC
•
—
•
—
—
Command History
Examples
The following example displays the OTP for all users who have valid or invalid certificates in the database:
hostname(config-ca-server)# crypto ca server user-db show-otp all-certholdershostname(config-ca-server)#The following example displays the OTP for the user named user1:
hostname(config-ca-server)# crypto ca server user-db show-otp user1hostname(config-ca-server)#Related Commands
crypto ca server user-db write
To configure a directory location to store all the local CA database files, use the crypto ca server user-db write command in privileged EXEC mode.
crypto ca server user-db write
Syntax Description
This command has no keywords or arguments.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
ca server configuration
•
—
•
—
—
Global configuration
•
—
•
—
—
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
The crypto ca server user-db write command is used to save new user-based configuration data to the storage specifed by the database path configuration. The information is generated when new users are added or allowed with the crypto ca server user-db add and crypto ca server user-db allow commands.
Examples
The following example writes the user information configured in the local CA database to storage:
hostname(config-ca-server)# crypto ca server user-db writehostname(config-ca-server)#Related Commands
crypto ca trustpoint
To enter the trustpoint configuration mode for the specified trustpoint, use the crypto ca trustpoint command in global configuration mode. To remove the specified trustpoint, use the no form of this command.
crypto ca trustpoint trustpoint-name
no crypto ca trustpoint trustpoint-name [noconfirm]
Syntax Description
noconfirm
Suppresses all interactive prompting
trustpoint- name
Identifies the name of the trustpoint to manage. The maximum name length is 128 characters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the crypto ca trustpoint command to declare a CA. Issuing this command puts you in crypto ca trustpoint configuration mode.
This command manages trustpoint information. A trustpoint represents a CA identity and possibly a device identity, based on a certificate issued by the CA. The commands within the trustpoint mode control CA-specific configuration parameters, which specify how the ASA obtains the CA certificate, how the ASA obtains its certificate from the CA, and the authentication policies for user certificates issued by the CA.
You can specify characteristics for the trustpoint using the following commands listed alphabetically in this command reference guide:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Examples
The following example enters ca trustpoint mode for managing a trustpoint named central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)#Related Commands
crypto dynamic-map match address
To match the address of an access list for the dynamic crypto map entry, use the crypto dynamic-map match address command in global configuration mode. To disable the address match, use the no form of this command.
crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name
no crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
See the crypto map match address command for additional information about this command.
Examples
The following example shows the use of the crypto dynamic-map command to match address of an access list named aclist1:
hostname(config)# crypto dynamic-map mymap 10 match address aclist1hostname(config)#Related Commands
crypto dynamic-map set nat-t-disable
To disable NAT-T for connections based on this crypto map entry, use the crypto dynamic-map set nat-t-disable command in global configuration mode. To enable NAT-T for this crypto may entry, use the no form of this command.
crypto dynamic-map dynamic-map-name dynamic-seq-num set nat-t-disable
no crypto dynamic-map dynamic-map-name dynamic-seq-num set nat-t-disable
Syntax Description
dynamic-map-name
Specifies the name of the crypto dynamic map set.
dynamic-seq-num
Specifies the number you assign to the crypto dynamic map entry.
Defaults
The default setting is off.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
Use the isakmp nat-traversal command to globally enable NAT-T. Then you can use the crypto dynamic-map set nat-t-disable command to disable NAT-T for specific crypto map entries.
Examples
The following command disables NAT-T for the crypto dynamic map named mymap:
hostname(config)# crypto dynamic-map mymap 10 set nat-t-disablehostname(config)#Related Commands
crypto dynamic-map set peer
See the crypto map set peer command for additional information about this command.
crypto dynamic-map dynamic-map-name dynamic-seq-num set peer ip_address | hostname
no crypto dynamic-map dynamic-map-name dynamic-seq-num set peer ip_address | hostname
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example shows setting a peer for a dynamic-map named mymap to the IP address10.0.0.1:
hostname(config)# crypto dynamic-map mymap 10 set peer 10.0.0.1hostname(config)#Related Commands
crypto dynamic-map set pfs
To specify the dynamic crypto map sets, use the crypto map dynamic-map set pfs command in global configuration mode. To remove the specified dynamic-map crypto map set, use the no form of this command.
See the crypto map set pfs command for additional information about this command.
crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs [group1 | group2 | group5]
no crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs [group1 | group2 | group5]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The crypto dynamic-map commands, such as match address, set peer, and set pfs are described with the crypto map commands. If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation fails. If the local configuration does not specify a group, the ASA assumes a default of group2. If the local configuration does not specify PFS, it accepts any offer of PFS from the peer.
When interacting with the Cisco VPN Client, the ASA does not use the PFS value, but instead uses the value negotiated during Phase 1.
Examples
The following example specifies that PFS should be used whenever a new security association is negotiated for the crypto dynamic-map mymap 10. The group specified is group 2:
hostname(config)# crypto dynamic-map mymap 10 set pfs group2hostname(config)#Related Commands
crypto dynamic-map set reverse route
See the crypto map set reverse-route command for additional information about this command.
crypto dynamic-map dynamic-map-name dynamic-seq-num set reverse route
no crypto dynamic-map dynamic-map-name dynamic-seq-num set reverse route
Syntax Description
dynamic-map-name
Specifies the name of the crypto map set.
dynamic-seq-num
Specifies the number you assign to the crypto map entry.
Defaults
The default value for this command is off.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following command enables RRI for the crypto dynamic-map named mymap:
hostname(config)# crypto dynamic-map mymap 10 set reverse routehostname(config)#Related Commands
crypto dynamic-map set ikev1 transform-set
To specify the IKEv1 transform sets to use in a dynamic crypto map entry, use the crypto dynamic-map set ikev1 transform-set command in global configuration mode.
crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev1 transform-set transform-set-name1 [... transform-set-name11]
To remove the transform sets from the dynamic crypto map entry, specify the transform set name in the no form of this command:
no crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev1 transform-set transform-set-name1 [... transform-set-name11]
To remove the dynamic crypto map entry, use the no form of the command and specify all or none of the transform sets:
no crypto dynamic-map dynamic-map-name dynamic-seq-num set ikev1 transform-set
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
7.0
This command was introduced.
7.2(1)
Changed maximum number of transform sets in a crypto map entry.
8.4(1)
Added the ikev1 keyword.
Usage Guidelines
A dynamic crypto map is a crypto map without all of the parameters configured. It acts as a policy template where the missing parameters are later dynamically learned, as the result of an IPsec negotiation, to match the peer requirements. The ASA applies a dynamic crypto map to let a peer negotiate a tunnel if its IP address is not already identified in a previous static or dynamic crypto map. This occurs with the following types of peers:
•
Both LAN-to-LAN and remote access peers can use DHCP to obtain a public IP address. The ASA uses this address only to initiate the tunnel.
•
Peers requesting remote access tunnels typically have private IP addresses assigned by the headend. Generally, LAN-to-LAN tunnels have a predetermined set of private networks that are used to configure static maps and therefore used to establish IPsec SAs.
As an administrator configuring static crypto maps, you might not know the IP addresses that are dynamically assigned (via DHCP or some other method), and you might not know the private IP addresses of other clients, regardless of how they were assigned. VPN clients typically do not have static IP addresses; they require a dynamic crypto map to allow IPsec negotiation to occur. For example, the headend assigns the IP address to a Cisco VPN client during IKE negotiation, which the client then uses to negotiate IPsec SAs.
Dynamic crypto maps can ease IPsec configuration and we recommend them for use in networks where the peers are not always predetermined. Use dynamic crypto maps for Cisco VPN clients (such as mobile users) and routers that obtain dynamically assigned IP addresses.
Tip
Dynamic crypto maps work only to negotiate SAs with remote peers that initiate the connection. The ASA cannot use dynamic crypto maps to initiate connections to a remote peer. With a dynamic crypto map configured, if the outbound traffic matches a permit entry in an access list and the corresponding SA does not yet exist, the ASA drops the traffic.
A crypto map set may include a dynamic crypto map. Dynamic crypto map sets should be the lowest priority crypto maps in the crypto map set (that is, they should have the highest sequence numbers) so that the ASA evaluates other crypto maps first. It examines the dynamic crypto map set only when the other (static) map entries do not match.
Similar to static crypto map sets, a dynamic crypto map set consists of all of the dynamic crypto maps with the same dynamic-map-name. The dynamic-seq-num differentiates the dynamic crypto maps in a set. If you configure a dynamic crypto map, insert a permit ACL to identify the data flow of the IPsec peer for the crypto access list. Otherwise the ASA accepts any data flow identity the peer proposes.
Caution
You can combine static and dynamic map entries within a single crypto map set.
Examples
The following example creates a dynamic crypto map entry named "dynamic0" consisting of the same ten transform sets. The "crypto ipsec transform-set (create or remove transform set)" section shows ten transform set example commands.
hostname(config)# crypto dynamic-map dynamic0 1 set ikev1 transform-set 3des-md5 3des-sha 56des-md5 56des-sha 128aes-md5 128aes-sha 192aes-md5 192aes-sha 256aes-md5 256aes-shahostname(config)#Related Commands
crypto dynamic-map set ikev2 ipsec-proposal
To specify the IPsec proposals for IKEv2 to use in a dynamic crypto map entry, use the crypto dynamic-map set ikev2 ipsec-proposal command in global configuration mode.
crypto dynamic-map dynamic-map-name set ipsec-proposal transform-set-name1 [... transform-set-name11]
Specify the names of the transform sets in the no form of this command to remove them from a dynamic crypto map entry.
no crypto dynamic-map dynamic-map-name set ipsec-proposal transform-set-name1 [... transform-set-name11]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
crypto engine large-mod-accel
To switch large modulus operations on an ASA model 5510, 5520, 5540, or 5550 from software to hardware, use the crypto engine large-mod-accel command in configuration mode. To remove the command from the configuration, use the no form of this command.
crypto engine large-mod-accel
no crypto engine large-mod-accel
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the ASA performs large modulus operations in the software.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
This command is available only with the ASA models 5510, 5520, 5540, and 5550. It switches large modulus operations from software to hardware. The switch to hardware accelerates the following:
•
•
We recommend that you use this command when necessary to improve the connections per second. Depending on the load, it might have a limited performance impact on SSL throughput.
We also recommend that you use either form of this command during a low-use or maintenance period to minimize a temporary packet loss that can occur during the transition of processing from software to hardware or hardware to software.
Note
Examples
The following example switches large modulus operations from software to hardware:
hostname(config)# crypto engine large-mod-accelThe following example removes the previous command from the configuration and switches large modulus operations back to software:
hostname(config)# no crypto engine large-mod-accelRelated Commands
crypto ikev1 enable
To enable ISAKMP IKEv1 negotiation on the interface on which the IPsec peer communicates with the ASA, use the crypto ikev1 enable command in global configuration mode. To disable ISAKMP IKEv1 on the interface, use the no form of this command.
crypto ikev1 enable interface-name
no crypto ikev1 enable interface-name
Syntax Description
interface-name
Specifies the name of the interface on which to enable or disable ISAKMP IKEv1 negotiation.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example, entered in global configuration mode, shows how to disable ISAKMP on the inside interface:
hostname(config)# no crypto isakmp enable insideRelated Commands
crypto ikev1 ipsec-over-tcp
To enable IPsec over TCP, use the crypto ikev1 ipsec-over-tcp command in global configuration mode. To disable IPsec over TCP, use the no form of this command.
crypto ikev1 ipsec-over-tcp [port port1...port10]
no crypto ikev1 ipsec-over-tcp [port port1...port10]
Syntax Description
Defaults
The default value is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
This example, entered in global configuration mode, enables IPsec over TCP on port 45:
hostname(config)# crypto ikev1 ipsec-over-tcp port 45hostname(config)#Related Commands
crypto ikev1 policy
To create an IKEv1 security association (SA) for IPsec connections, use the crypto ikev2 policy command in global configuration mode. The command enters IKEv1 policy configuration mode, where you specify additional IKEv1 SA settings. To remove the policy, use the no form of this command:
crypto ikev1 policy <priority>
no crypto ikev1 policy <priority>
Syntax Description
priority
The policy suite priority. The range is 1-65535, with 1 being the highest and 65535 the lowest
Defaults
There is no default behavior or values.
Usage Guidelines
An IKEv1 SA is a key used in phase 1 to enable IKEv1 peers to communicate securely in phase 2. After entering the crypto ikev1 policy command, you can use additional commands to set the SA encryption algorithm, DH group, integrity algorithm, lifetime, and hash algorithm.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example creates the priority 1 IKEv1 SA and enters enters IKEv1 policy configuration mode:
hostname(config)# crypto ikev1 policy 1hostname(config-ikev2-policy)#Related Commands
crypto ikev2 enable
To enable ISAKMP IKEv2 negotiation on the interface on which the IPsec peer communicates with the ASA, use the crypto ikev2 enable command in global configuration mode. To disable ISAKMP IKEv2 on the interface, use the no form of this command.
crypto ikev2 enable interface-name [client-services [port <port>]]
no crypto ikev2 enable interface-name [client-services [port <port>]]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
Using this command alone will not enable client services.
Examples
The following example, entered in global configuration mode, shows how to enable IKEv2 on the outside interface:
hostname(config)# crypto ikev2 enable outside client-services port 443Related Commands
crypto ikev2 cookie-challenge
To enable the ASA to send cookie challenges to peer devices in response to SA initiate packets, use the crypto ikev2 cookie-challenge command in global configuration mode. To disable cookie challenges, use the no form of this command:
crypto ikev2 cookie-challenge <threshold percentage | always | never
no crypto ikev2 cookie-challenge <threshold percentage | always | never
Syntax Description
Defaults
No default behavior or values.
Usage Guidelines
Cookie-challenging a peer prevents possible denial-of-service (DoS) attacks. An attacker initiates a DoS attack when the peer device sends an SA initiate packet and the ASA sends its response, but the peer device does not respond further. If the peer device does this continually, all the allowed SA requests on the ASA can be used up until it stops responding.
Enabling a threshold percentage using the crypto ikev2 cookie-challenge command limits the number of open SA negotiations. For example, with the default setting of 50%, when 50% of the allowed SAs are in-negotiation (open), the ASA cookie-challenges any additional SA initiate packets that arrive. For the Cisco ASA 5580 with 10000 allowed IKEv2 SAs, after 5000 SAs become open, any more incoming SAs are cookie-challenged.
If used in conjunction with the crypto kev2 limit max in-negotiation-sa command, configure the cookie-challenge threshold lower than the maximum in-negotiation threshold for an effective cross-check.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
In the following example, the cookie-challenge percent threshold is set to 30%:
hostname(config)# crypto ikev2 cookie-challenge 30Related Commands
crypto ikev2 limit max-in-negotiation-sa
To limit the number of IKEv2 in-negotiation (open) SAs on the ASA, use the crypto ikev2 limit max in-negotiation-sa command in global configuration mode. To disable limits on the number of open SAs, use the no form of this command:
crypto ikev2 limit max in-negotiation-sa <threshold percentage>
no crypto ikev2 limit max in-negotiation-sa <threshold percentage>
Syntax Description
Defaults
The default is disabled. The ASA does not limit the number of open SAs.
Usage Guidelines
The crypto kev2 limit max in-negotiation-sa command limits the maximum number of SAs that can be in negotiation at any time. If used in conjunction with the crypto ikev2 cookie-challenge command, configure the cookie-challenge threshold lower than this limit for an effective cross-check.
Unlike the crypto ikev2 cookie-challenge command which challenges incoming connections with a cookie, the crypto kev2 limit max in-negotiation-sa command stops further connections from negotiating to protect against memory and/or CPU attacks that the cookie-challenge feature may be unable to thwart and protects the current connections.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example limits the number of IKEv2 connections that are in-negotation to 70 percent of the maximum allows IKEv2 connections:
hostname(config)# crypto ikev2 limit max in-negotiation-sa 70Related Commands
crypto ikev2 limit max-sa
To limit the number of IKEv2 connections on the ASA, use the crypto ikev2 limit max-sa command in global configuration mode. To disable the limit on the number of connections, use the no form of this command:
crypto ikev2 limit max-sa <number>
no crypto ikev2 limit max-sa <number>
Syntax Description
number
The number of allowed IKEv2 connections allowed on the ASA. After reaching the limit, additional connections are denied. The range is 1 to 10000.
Defaults
The default is disabled. The ASA does not limit the number IKEv2 connections. The maximum number of allowed IKEv2 connections equals the maximum number of connections specified by the license.
Usage Guidelines
The crypto ikev2 limit max-sa command limits the maximum number of SAs on the ASA.
If used in conjunction with the crypto ikev2 cookie-challenge command, configure the cookie-challenge threshold lower than this limit for an effective cross-check.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example limits the number of IKEv2 connections to 5000:,
hostname(config)# crypto ikev2 limit max-sa 5000Related Commands
crypto ikev2 policy
To create an IKEv2 security association (SA) for AnyConnect IPsec connections, use the crypto ikev2 policy command in global configuration mode. The command enters IKEv2 policy configuration mode, where you specify additional IKEv2 SA settings. To remove the policy, use the no form of this command:
crypto ikev2 policy <priority>
no crypto ikev2 policy <priority>
Syntax Description
priority
The policy suite priority. The range is 1-65535, with 1 being the highest and 65535 the lowest
Defaults
There is no default behavior or values.
Usage Guidelines
An IKEv2 SA is a key used in phase 1 to enable IKEv2 peers to communicate securely in phase 2. After entering the crypto ikev2 policy command, you can use additional commands to set the SA encryption algorithm, DH group, integrity algorithm, lifetime, and hash algorithm.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example creates the priority 1 IKEv2 SA and enters enters IKEv2 policy configuration mode:
hostname(config)# crypto ikev2 policy 1hostname(config-ikev2-policy)#Related Commands
crypto ikev2 redirect
To specify the IKEv2 phase at which load-balancing redirection from master to cluster member occurs, use the crypto ikev2 redirect command in global configuration mode. To remove the command, use the no form of this command:
crypto ikev2 redirect {during-init | during-auth}
no crypto ikev2 redirect {during-init | during-auth}
Syntax Description
Defaults
The default is load-balancing redirection to a cluster member occurs during the IKEv2 authentication exchange.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example sets the load-balancing redirection to a cluster member to occur during the IKEv2 initiate exchange:
hostname(config)# crypto ikev2 redirect during-initRelated Commands
crypto ikev2 remote-access trust-point
To specify a global trustpoint to be referenced and used as the identity certificate trustpoint of the ASA for AnyConnect IKEv2 connections, use the crypto ikev2 remote-access trust-point command from tunnel group configuration mode. To remove the command from the configuration, use the no form of the command:
crypto ikev2 remote-access trust-point <name>
no crypto ikev2 remote-access trust-point <name>
Syntax Description
Defaults
There is no default behavior or values.
Usage Guidelines
Use the crypto ikev2 remote-access trust-point command to configure a single trust point for the ASA to authenticate itself to the AnyConnect client for all IKEv2 connections. Using this command allows the AnyConnect client to support group selection for the end user. During authentication, the client GUI presents a drop-list for the user to select a group.
Command Modes
The following table shows the modes in which you can enter the command:
tunnel-group configuration
•
—
•
—
—
Command History
8.4(1)
This command was added.
8.7(1)
This command is not available on the ASA 1000V.
Examples
The following example specifies the trustpoint cisco_asa_trustpoint:
hostname(config)# crypto ikev2 remote-access trust-point cisco_asa_trustpointcrypto ipsec df-bit
To configure DF-bit policy for IPsec packets, use the crypto ipsec df-bit command in global configuration mode.
crypto ipsec df-bit [clear-df | copy-df | set-df] interface
Syntax Description
Defaults
This command is disabled by default. If this command is enabled without a specified setting, the ASA uses the copy-df setting as default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
The DF bit with IPsec tunnels feature lets you specify whether the ASA can clear, set, or copy the Don't Fragment (DF) bit from the encapsulated header. The DF bit within the IP header determines whether a device is allowed to fragment a packet.
Use the crypto ipsec df-bit command in global configuration mode to configure the ASA to specify the DF bit in an encapsulated header. This command treats the DF-bit setting of the clear-text packet and either clears, set, or copies it to the outer IPsec header when encryption is applied.
When encapsulating tunnel mode IPsec traffic, use the clear-df setting for the DF bit. This setting lets the device send packets larger than the available MTU size. Also this setting is appropriate if you do not know the available MTU size.
Examples
The following example, entered in global configuration mode, sets the IPsec DF policy to clear-df:
hostname(config)# crypto ipsec df-bit clear-df outsidehostname(config)#Related Commands
crypto ipsec fragmentation
To configure the fragmentation policy for IPsec packets, use the crypto ipsec fragmentation command in global configuration mode.
crypto ipsec fragmentation {after-encryption | before-encryption} interface
Syntax Description
Defaults
Before-encryption is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
When a packet is near the size of the MTU of the outbound link of the encrypting ASA, and it is encapsulated with IPsec headers, it is likely to exceed the MTU of the outbound link. This causes packet fragmentation after encryption, which makes the decrypting device reassemble in the process path. Pre-fragmentation for IPsec VPNs increases the performance of the device when decrypting by letting it operate in the high performance CEF path instead of the process path.
Pre-fragmentation for IPsec VPNs lets an encrypting device predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPsec SA. If the device predetermines that the packet will exceed the MTU of the output interface, the device fragments the packet before encrypting it. This avoids process level reassembly before decryption and helps improve decryption performance and overall IPsec traffic throughput.
The minimum MTU allowed on an IPv6 enabled interface is 1280 bytes; however, if IPsec is enabled on the interface, the MTU value should not be set below 1380 because of the overhead of IPsec encryption. Setting the interface below 1380 bytes may result in dropped packets.
Examples
The following example, entered in global configuration mode, enables pre-fragmentation for IPsec packets globally on the device:
hostname(config)# crypto ipsec fragmentation before-encryption insidehostname(config)#The following example, entered in global configuration mode, disables pre-fragmentation for IPsec packets on the interface:
hostname(config)# crypto ipsec fragmentation after-encryption insidehostname(config)#Related Commands
crypto ipsec ikev2 ipsec-proposal
To create an IKEv2 proposal, use the crypto ipsec ikev2 ipsec-proposal command in global configuration mode. This command creates a proposal and enters ipsec propsal configuration mode where you can specify multiple encryption and integrity types for the proposal. To remove the proposal, use the no form of this command.
crypto ipsec ikev2 ipsec-proposal [proposal tag]
no crypto ipsec ikev2 ipsec-proposal <proposal tag>
Syntax Description
Defaults
There is no default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Examples
The following example creates the IPsec proposal named secure, and enters IPsec proposal configuration mode:
hostname(config)# crypto ipsec ikev2 ipsec-proposal securehostname(config-ipsec-proposal)#Related Commands
crypto ipsec security-association lifetime
To configure global lifetime values, use the crypto ipsec security-association lifetime command in global configuration mode. To reset a crypto ipsec entry lifetime value to the default value, use the no form of this command.
crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
no crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
Syntax Description
Defaults
The default number of kilobytes is 4,608,000; the default number of seconds is 28,800.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
The crypto ipsec security-association lifetime command changes global lifetime values used when negotiating IPsec security associations.
IPsec security associations use shared secret keys. These keys and their security associations time out together.
Assuming that the particular crypto map entry has no lifetime values configured, when the ASA requests new security associations during negotiation, it specifies its global lifetime value in the request to the peer; it uses this value as the lifetime of the new security associations. When the ASA receives a negotiation request from the peer, it uses the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.
There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The security association expires after the first of these lifetimes is reached.
The ASA lets the user change crypto map, dynamic map, and ipsec settings on the fly. If this is changed, the ASA brings down only the connections affected by the change. If the user changes an existing access-list associated with a crypto map, specifically by deleting an entry within the access-list, the result is that only the associated connection is brought down. Connections based on other entries in the access-list are not affected.
To change the global timed lifetime, use the crypto ipsec security-association lifetime seconds command. The timed lifetime causes the security association to time out after the specified number of seconds have passed.
To change the global traffic-volume lifetime, use the crypto ipsec security-association lifetime kilobytes command. The traffic-volume lifetime causes the security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security associations' key.
Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with. However, shorter lifetimes require more CPU processing time for establishing new security associations.
The security association (and corresponding keys) expires according to whichever occurs sooner, either after the number of seconds has passed or after the amount of traffic in kilobytes has passed.
Examples
The following example specifies a global timed lifetime for security associations:
hostname(config)# crypto ipsec-security association lifetime seconds 240hostname(config)#Related Commands
crypto ipsec security-association replay
To configure the IPsec anti-replay window size, use the crypto ipsec security-association replay command in global configuration mode. To reset the window size to the default value, use the no form of this command.
crypto ipsec security-association replay {window-size n | disable}
no crypto ipsec security-association replay {window-size n | disable}
Syntax Description
n
Sets the window size. Values can be 64, 128, 256, 512, or 1024. The default is 64.
disable
Disables anti-replay checking.
Defaults
The default window size is 64.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
Cisco IPsec authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. (Security association anti-replay is a security service in which the receiver can reject old or duplicate packets to protect itself against replay attacks.) The decryptor checks off the sequence numbers that it has seen before. The encryptor assigns sequence numbers in an increasing order. The decryptor remembers the value X of the highest sequence number that it has already seen. N is the window size, and the decryptor also remembers whether it has seen packets having sequence numbers from X-N+1 through X. Any packet with the sequence number X-N is discarded. Currently, N is set at 64, so only 64 packets can be tracked by the decryptor.
At times, however, the 64-packet window size is not sufficient. For example, QoS gives priority to high-priority packets, which could cause some low-priority packets to be discarded even though they could be one of the last 64 packets received by the decryptor; this event can generate warning syslog messages that are false alarms. The crypto ipsec security-association replay command lets you expand the window size, allowing the decryptor to keep track of more than 64 packets.
Increasing the anti-replay window size has no impact on throughput and security. The impact on memory is insignificant because only an extra 128 bytes per incoming IPsec SA is needed to store the sequence number on the decryptor. It is recommended that you use the full 1024 window size to eliminate any future anti-replay problems.
Examples
The following example specifies the anti-replay window size for security associations:
hostname(config)# crypto ipsec security-association replay window-size 1024hostname(config)#Related Commands
crypto ipsec ikev1 transform-set (create or remove transform set)
To create or remove an IKEv1 transform set, use the crypto ipsec ikev1 transform-set command in global configuration mode. This command identifes the IPsec encryption and hash algorithms to be used by the transform set. Tto remove a transform set, use the no form of this command.
crypto ipsec ikev1 transform-set transform-set-name encryption [authentication]
no crypto ipsec ikev1 transform-set transform-set-name encryption [authentication]
Syntax Description
Defaults
The default authentication setting is esp-none (no authentication).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
7.0
This command was introduced.
7.2(1)
This section was rewritten.
8.4(1)
The ikev1 keyword was added.
Usage Guidelines
Following the configuration of a transform set, you assign it to a crypto map. You can assign up to six transform sets to a crypto map. When the peer attempts to establish an IPsec session, the ASA evaluates the peer against the access list of each crypto map until it finds a match. The ASA then evaluates all of the protocols, algorithms, and other settings negotiated by the peer against those in the transform sets assigned to the crypto map until it finds a match. If the ASA matches the peer's IPsec negotiations to the settings in a transform set, it applies them to the protected traffic as part of its IPsec security association. The ASA terminates the IPsec session if it fails to match the peer to an access list and find an exact match of the security settings of the peer to those in a transform set assigned to the crypto map.
You can specify either the encryption or the authentication first. You can specify the encryption without specifying the authentication. If you specify the authentication in a transform set you are creating, you must specify the encryption with it. If you specify only the authentication in a transform set you are modifying, the transform set retains its current encryption setting.
If you are using AES encryption, we recommend that you use the isakmp policy priority group 5 command, also in in global configuration mode, to assign Diffie-Hellman group 5 to accommodate the large key sizes provided by AES.
Tip
Examples
The following commands show all possible encryption and authentication options, excluding those that specify no encryption and no authentication:
hostname(config)# crypto ipsec ikev1 transform-set 3des-md5 esp-3des esp-md5-hmachostname(config)# crypto ipsec ikev1 transform-set 3des-sha esp-3des esp-sha-hmachostname(config)# crypto ipsec ikev1 transform-set 56des-md5 esp-des esp-md5-hmachostname(config)# crypto ipsec ikev1 transform-set 56des-sha esp-des esp-sha-hmachostname(config)# crypto ipsec ikev1 transform-set 128aes-md5 esp-aes esp-md5-hmachostname(config)# crypto ipsec ikev1 transform-set 128aes-sha esp-aes esp-sha-hmachostname(config)# crypto ipsec ikev1 transform-set 192aes-md5 esp-aes-192 esp-md5-hmachostname(config)# crypto ipsec ikev1 transform-set 192aes-sha esp-aes-192 esp-sha-hmachostname(config)# crypto ipsec ikev1 transform-set 256aes-md5 esp-aes-256 esp-md5-hmachostname(config)# crypto ipsec ikev1 transform-set 256aes-sha esp-aes-256 esp-sha-hmachostname(config)#Related Commands
crypto ipsec ikev1 transform-set mode transport
To specify transport mode for IPsec IKEv1 connections, use the crypto ipsec ikev1 transform-set mode transport command in global configuration mode. To remove the command, use the no form of this command:
crypto ipsec ikev1 transform-set transform-set-name mode {transport}
no crypto ipsec ikev1 transform-set transform-set-name mode {transport}
Syntax Description
transform-set-name
Name of the transform-set being modified. To view the transform sets already present in the configuration, enter the show running-config ipsec command.
Defaults
The default us transport mode is disabled. IPsec uses the networked tunnel mode.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
7.0
This command was introduced.
7.2(1)
This section was rewritten.
8.4(1)
The ikev1 keyword was added.
Usage Guidelines
Use the crypto ipsec ikev1 transform-set mode transport command to specify the host-to-host transport mode for IPsec, instead of the default networked tunnel mode.
Examples
The following commands show all possible encryption and authentication options, excluding those that specify no encryption and no authentication:
hostname(config)# crypto ipsec ikev1 transform-sethostname(config)#Related Commands
crypto isakmp disconnect-notify
To enable disconnect notification to peers, use the crypto isakmp disconnect-notify command in global configuration mode. To disable disconnect notification, use the no form of this command.
crypto isakmp disconnect-notify
no crypto isakmp disconnect-notify
Syntax Description
This command has no arguments or keywords.
Defaults
The default value is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
7.0(1)
The isakmp disconnect-notify command was introduced.
7.2.(1)
The crypto isakmp disconnect-notify command replaces the isakmp disconnect-notify command.
Examples
The following example, entered in global configuration mode, enables disconnect notification to peers:
hostname(config)# crypto isakmp disconnect-notifyRelated Commands
crypto isakmp identity
To set the Phase 1 ID to be sent to the peer, use the crypto isakmp identity command in global configuration mode. To return to the default setting, use the no form of this command.
crypto isakmp identity {address | hostname | key-id key-id-string | auto}
no crypto isakmp identity {address | hostname | key-id key-id-string | auto}
Syntax Description
Defaults
The default ISAKMP identity is crypto isakmp identity auto.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Preexisting
The isakmp identity command was preexisting.
7.2(1)
The crypto isakmp identity command replaces the isakmp identity command.
Examples
The following example, entered in global configuration mode, enables ISAKMP negotiation on the interface for communicating with the IPsec peer, depending on connection type:
hostname(config)# crypto isakmp identity autoRelated Commands
crypto isakmp nat-traversal
To enable NAT traversal globally, check that ISAKMP is enabled (you enable it with the crypto isakmp enable command) in global configuration mode. To disable the NAT traversal, use the no form of this command.
crypto isakmp nat-traversal natkeepalive
no crypto isakmp nat-traversal natkeepalive
Syntax Description
Defaults
By default, NAT traversal is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
NAT including PAT is used in many networks where IPsec is also used, but there are a number of incompatibilities that prevent IPsec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.
The ASA supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and supports NAT traversal for both dynamic and static crypto maps.
This command enables NAT-T globally on the ASA. To disable in a crypto-map entry, use the crypto map set nat-t-disable command.
Examples
The following example, entered in global configuration mode, enables ISAKMP and then sets NAT traversal with a keepalive interval of 30 seconds:
hostname(config)# crypto isakmp enablehostname(config)# crypto isakmp nat-traversal 30Related Commands
crypto isakmp policy authentication
To specify an authentication method within an IKE policy, use the crypto isakmp policy authentication command in global configuration mode. IKE policies define a set of parameters for IKE negotiation. To remove the ISAKMP authentication method, use the related clear configure command.
crypto isakmp policy priority authentication {crack | pre-share | rsa-sig}
Syntax Description
Defaults
The default ISAKMP policy authentication is pre-share.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
7.0(1)
The isakmp policy authentication command was preexisting.
7.2.(1)
The crypto isakmp policy authentication command replaces the isakmp policy authentication command.
Usage Guidelines
If you specify RSA signatures, you must configure the ASA and its peer to obtain certificates from a CA server. If you specify preshared keys, you must separately configure these preshared keys within the ASA and its peer.
Examples
The following example, entered in global configuration mode, shows how to use the crypto isakmp policy authentication command. This example sets the authentication method of RSA Signatures to be used for the IKE policy with the priority number of 40.
hostname(config)# crypto isakmp policy 40 authentication rsa-sigRelated Commands
crypto isakmp policy encryption
To specify the encryption algorithm to use within an IKE policy, use the crypto isakmp policy encryption command in global configuration mode. To reset the encryption algorithm to the default value, which is des, use the no form of this command.
crypto isakmp policy priority encryption {aes | aes-192| aes-256 | des | 3des}
no crypto isakmp policy priority encryption {aes | aes-192| aes-256 | des | 3des}
Syntax Description
Defaults
The default ISAKMP policy encryption is 3des.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
7.0(1)
The isakmp policy encryption command was preexisting.
7.2.(1)
The crypto isakmp policy encryption command replaces the isakmp policy encryption command.
Examples
The following example, entered in global configuration mode, shows use of the crypto isakmp policy encryption command; it sets 128-bit key AES encryption as the algorithm to be used within the IKE policy with the priority number of 25.
hostname(config)# crypto isakmp policy 25 encryption aesThe following example, entered in global configuration mode, sets the 3DES algorithm to be used within the IKE policy with the priority number of 40.
hostname(config)# crypto isakmp policy 40 encryption 3deshostname(config)#Related Commands
crypto isakmp policy group
To specify the Diffie-Hellman group for an IKE policy, use the crypto isakmp policy group command in global configuration mode. IKE policies define a set of parameters to use during IKE negotiation. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.
crypto isakmp policy priority group {1 | 2 | 5}
no crypto isakmp policy priority group
Syntax Description
Defaults
The default group policy is group 2.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
There are three group options: 768-bit (DH Group 1), 1024-bit (DH Group 2), and 1536-bit (DH Group 5). The 1024-bit and 1536-bit Diffie-Hellman Groups provide stronger security, but require more CPU time to execute.
Note
AES support is available on security appliances licensed for VPN-3DES only. Due to the large key sizes provided by AES, ISAKMP negotiation should use Diffie-Hellman (DH) group 5 instead of group 1 or group 2. To configures group 5, use the crypto isakmp policy priority group 5 command.
Examples
The following example, entered in global configuration mode, shows how to use the crypto isakmp policy group command. This example sets group 2, the 1024-bit Diffie Hellman, to use for the IKE policy with the priority number of 40.
hostname(config)# crypto isakmp policy 40 group 2Related Commands
crypto isakmp policy hash
To specify the hash algorithm for an IKE policy, use the crypto isakmp policy hash command in global configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the hash algorithm to the default value of SHA-1, use the no form of this command.
crypto isakmp policy priority hash {md5 | sha}
no crypto isakmp policy priority hash
Syntax Description
Defaults
The default hash algorithm is SHA-1 (HMAC variant).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
7.0(1)
The isakmp policy hash command was preexisting.
7.2.(1)
The crypto isakmp policy hash command replaces the isakmp policy hash command.
Usage Guidelines
There are two hash algorithm options: SHA-1 and MD5. MD5 has a smaller digest and is considered to be slightly faster than SHA-1.
Examples
The following example, entered in global configuration mode, shows how to use the crypto isakmp policy hash command. This example specifies the MD5 hash algorithm for the IKE policy, with the priority number of 40.
hostname(config)# crypto isakmp policy 40 hash md5Related Commands
crypto isakmp policy lifetime
To specify the lifetime of an IKE security association before it expires, use the crypto isakmp policy lifetime command in global configuration mode. You can specify an infinite lifetime if the peer does not propose a lifetime. To reset the security association lifetime to the default value of 86,400 seconds (one day), use the no form of this command .
crypto isakmp policy priority lifetime seconds
no crypto isakmp policy priority lifetime
Syntax Description
Defaults
The default value is 86,400 seconds (one day).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
7.0(1)
The isakmp policy lifetime command was preexisting.
7.2.(1)
The crypto isakmp policy lifetime command replaces the isakmp policy lifetime command.
Usage Guidelines
When IKE begins negotiations, it seeks to agree upon the security parameters for its own session. Then the security association at each peer refers to the agreed-upon parameters. The peers retain the security association until the lifetime expires. Before a security association expires, subsequent IKE negotiations can use it, which can save time when setting up new IPsec security associations. The peers negotiate new security associations before current security associations expire.
With longer lifetimes, the ASA sets up future IPsec security associations more quickly. Encryption strength is great enough to ensure security without using very fast rekey times, on the order of every few minutes. We recommend that you accept the default.
Note
Examples
The following example, entered in global configuration mode, sets the lifetime of the IKE security association to 50,4000 seconds (14 hours) for the IKE policy with the priority number of 40.
hostname(config)# crypto isakmp policy 40 lifetime 50400The following example, entered in global configuration mode, sets the IKE security association to an infinite lifetime.
hostname(config)# crypto isakmp policy 40 lifetime 0Related Commands
crypto isakmp reload-wait
To enable waiting for all active sessions to voluntarily terminate before rebooting the ASA, use the crypto isakmp reload-wait command in global configuration mode. To disable waiting for active sessions to terminate and to proceed with a reboot of the ASA, use the no form of this command.
crypto isakmp reload-wait
no crypto isakmp reload-wait
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
7.0(1)
The isakmp reload-wait command was introduced.
7.2.(1)
The crypto isakmp reload-wait command replaces the isakmp reload-wait command.
Examples
The following example, entered in global configuration mode, tells the ASA to wait until all active sessions have terminated before rebooting.
hostname(config)# crypto isakmp reload-waitRelated Commands
crypto key generate rsa
To generate RSA key pairs for identity certificates, use the crypto key generate rsa command in global configuration mode.
crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]
Syntax Description
Defaults
The default key-pair type is general key. The default modulus size is 1024.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the crypto key generate rsa command to generate RSA key pairs to support SSL, SSH, and IPsec connections. The generated key pairs are identified by labels that you can provide as part of the command syntax. Trustpoints that do not reference a key pair can use the default one <Default-RSA-Key>. SSH connections always use this key. This does not affect SSL, because SSL generates its own certificate or key dynamically, unless a trustpoint has one configured.
Note
Caution
Examples
The following example, entered in global configuration mode, generates an RSA key pair with the label mypubkey:
hostname(config)# crypto key generate rsa label mypubkeyINFO: The name for the keys will be: mypubkeyKeypair generation processhostname(config)#The following example, entered in global configuration mode, inadvertently attempts to generate a duplicate RSA key pair with the label mypubkey:
hostname(config)# crypto key generate rsa label mypubkeyWARNING: You already have RSA keys defined named mypubkeyDo you really want to replace them? [yes/no] noERROR: Failed to create new RSA keys named mypubkeyhostname(config)#The following example, entered in global configuration mode, generates an RSA key pair with the default label:
hostname(config)# crypto key generate rsaINFO: The name for the keys will be: <Default-RSA-Key>Keypair generation process begin. Please wait...hostname(config)#The following example, entered in global configuration mode, generates a warning message because there is not enough space to save the RSA keypair:
hostname(config)# crypto key generate rsa label mypubkey mod 2048INFO: The name for the keys will be: mypubkeyKeypair generation process begin. Please wait...NV RAM will not have enough space to save keypair mypubkey. Remove any unnecessary keypairs and save the running config before using this keypair.hostname(config)#Related Commands
crypto key zeroize
Removes RSA key pairs.
show crypto key
Displays the RSA key pairs.
crypto key zeroize
To remove the key pairs of the indicated type (rsa or dsa), use the crypto key zeroize command in global configuration mode.
crypto key zeroize {rsa | dsa} [label key-pair-label] [default] [noconfirm]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command
Global configuration
•
•
•
•
—
:
Command History
Examples
The following example, entered in global configuration mode, removes all RSA key pairs:
hostname(config)# crypto key zeroize rsaWARNING: All RSA keys will be removed.WARNING: All router certs issued using these keys will also be removed.Do you really want to remove these keys? [yes/no] yhostname(config)#Related Commands
crypto key generate dsa
Generates DSA key pairs for identity certificates.
crypto key generate rsa
Generates RSA key pairs for identity certificates.
crypto large-cert-acceleration enable
To enable the ASA to perform 2048-bit RSA key operations in hardware, use the crypto large-cert-acceleration enable command in global configuration mode. To perform 2048-bit RSA key operation in software, use the no crypto large-cert-acceleration enable command.
crypto large-cert-acceleration enable
no crypto large-cert-acceleration enable
Syntax Description
This command has no keywords or arguments.
Defaults
By default, 2048-bit RSA key operations are performed in software.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command is only available on the ASA 5510, ASA 5520, ASA 5540, and ASA 5550 ASAs. The command is not available on the ASA 5580 ASA.
Examples
The following example shows that 2048-bit RSA key operations have been enabled in hardware:
hostname (config)#show running-config crypto large-cert-accelerationcrypto large-cert-acceleration enablehostname (config)#Related Commands
crypto map interface
To apply a previously defined crypto map set to an interface, use the crypto map interface command in global configuration mode. To remove the crypto map set from the interface, use the no form of this command.
crypto map map-name interface interface-name [ipv6-local-address ipv6-address]
no crypto map map-name interface interface-name [ipv6-local-address ipv6-address]
Syntax Description
Syntax DescriptionSyntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
8.3(1)
The ipv6-local-address keyword was added.
Preexisting
This command was preexisting.
Usage Guidelines
Use this command to assign a crypto map set to any active ASA interface. The ASA supports IPsec termination on any and all active interfaces. You must assign a crypto map set to an interface before that interface can provide IPsec services.
You can assign only one crypto map set to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are part of the same set and are all applied to the interface. The ASA evaluates the crypto map entry with the lowest seq-num first.
Use the ipv6-local-address keyword when you have multiple IPv6 addresses configured on an interface and are configuring the ASA to support LAN-to-LAN VPN tunnels in an IPv6 environment.
Note
Every static crypto map must define three parts: an access list, a transform set, and an IPsec peer. If one of these is missing, the crypto map is incomplete and the ASA moves on to the next entry. However, if the crypto map matches on the access-list but not on either or both of the other two requirements, this ASA drops the traffic.
Use the show running-config crypto map command to ensure that every crypto map is complete. To fix an incomplete crypto map, remove the crypto map, add the missing entries, and reapply it.
Examples
The following example, entered in global configuration mode, assigns the crypto map set named mymap to the outside interface. When traffic passes through the outside interface, the ASA evaluates it against all the crypto map entries in the mymap set. When outbound traffic matches an access list in one of the mymap crypto map entries, the ASA forms a security association using that crypto map entry's configuration.
hostname(config)# crypto map mymap interface outsideThe following example shows the minimum required crypto map configuration:
hostname(config)# crypto map mymap 10 ipsec-isakmphostname(config)# crypto map mymap 10 match address 101hostname(config)# crypto map mymap set transform-set my_t_set1hostname(config)# crypto map mymap set peer 10.0.0.1Related Commands
clear configure crypto map
Clears all configuration for all crypto maps.
show running-config crypto map
Displays the crypto map configuration.
crypto map ipsec-isakmp dynamic
To require a given crypto map entry to refer to a pre-existing dynamic crypto map, use the crypto map ipsec-isakmp dynamic command in global configuration mode. Use the no form of this command to remove the cross reference.
Use the crypto dynamic-map command to create dynamic crypto map entries. After you create a dynamic crypto map set, use the crypto map ipsec-isakmp dynamic command to add the dynamic crypto map set to a static crypto map.
crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
no crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which
Global configuration
•
—
•
—
—
you can enter the command:
Command History
Usage Guidelines
After you define crypto map entries, you can use the crypto map interface command to assign the dynamic crypto map set to interfaces.
Dynamic crypto maps provide two functions: filtering/classifying traffic to protect, and defining the policy to apply to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.
IPsec dynamic crypto maps identify the following:
•
•
•
•
A crypto map set is a collection of crypto map entries, each with a different sequence number (seq-num) but the same map name. Therefore, for a given interface, you could have certain traffic forwarded to one peer with specified security applied to that traffic, and other traffic forwarded to the same or a different peer with different IPsec security applied. To accomplish this you create two crypto map entries, each with the same map name, but each with a different sequence number.
The number you assign as the seq-num argument should not be arbitrary. This number ranks multiple crypto map entries within a crypto map set. A crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.
Note
Examples
The following command, entered in global configuration mode, configures the crypto map mymap to refer to a dynamic crypto map named test.
hostname(config)# crypto map mymap ipsec-isakmp dynamic testhostname(config)#Related Commands
clear configure crypto map
Clears all configuration for all crypto maps.
show running-config crypto map
Displays the crypto map configuration.
crypto map match address
To assign an access list to a crypto map entry, use the crypto map match address command in global configuration mode. To remove the access list from a crypto map entry, use the no form of this command.
crypto map map-name seq-num match address acl_name
no crypto map map-name seq-num match address acl_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required but is strongly recommended.
Use the access-list command to define the access lists. The access list hit counts only increase when the tunnel initiates. Once the tunnel is up, the hit counts do not increase on a per-packet flow. If the tunnel drops, and then reinitiates, the hit count will be increased.
The ASA uses the access lists to differentiate the traffic to protect with IPsec crypto from the traffic that does not need protection. It protects outbound packets that match a permit ACE, and ensures that inbound packets that match a permit ACE have protections.
When the ASA matches a packet to a deny statement, it skips the evaluation of the packet against the remaining ACEs in the crypto map, and resumes evaluation of the packet against the ACEs in the next crypto map in sequence. Cascading ACLs involves the use of deny ACEs to bypass evaluation of the remaining ACEs in an ACL, and the resumption of evaluation of traffic against the ACL assigned to the next crypto map in the crypto map set. Because you can associate each crypto map with different IPsec settings, you can use deny ACEs to exclude special traffic from further evaluation in the corresponding crypto map, and match the special traffic to permit statements in another crypto map to provide or require different security.
Note
In transparent mode, the destination address should be the IP address of the ASA, the management address. Only tunnels to the ASA are allowed in transparent mode.
Related Commands
clear configure crypto map
Clears all configuration for all crypto maps.
show running-config crypto map
Displays the crypto map configuration.
crypto map set connection-type
To specify the connection type for the Backup Site-to-Site feature for this crypto map entry, use the crypto map set connection-type command in global configuration mode. Use the no form of this command to return to the default setting.
crypto map map-name seq-num set connection-type {answer-only | originate-only | bidirectional}
no crypto map map-name seq-num set connection-type {answer-only | originate-only | bidirectional}
Syntax Description
Defaults
The default setting is bidirectional.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The crypto map set connection-type command specifies the connection types for the Backup Lan-to-Lan feature. It allows multiple backup peers to be specified at one end of the connection.
This feature works only between the following platforms:
•
•
•
To configure a backup Lan-to-Lan connection, we recommend you configure one end of the connection as originate-only using the originate-only keyword, and the end with multiple backup peers as answer-only using the answer-only keyword. On the originate-only end, use the crypto map set peer command to order the priority of the peers. The originate-only security appliance attempts to negotiate with the first peer in the list. If that peer does not respond, the ASA works its way down the list until either a peer responds or there are no more peers in the list.
When configured in this way, the originate-only peer initially attempts to establish a proprietary tunnel and negotiate with a peer. Thereafter, either peer can establish a normal Lan-to-Lan connection and data from either end can initiate the tunnel connection.
In transparent firewall mode, you can see this command but the connection-type value cannot be set to anything other than answer-only for crypto map entries that are part of a crypto map that has been attached to the interface.
Table 8-1 lists all supported configurations. Other combinations may result in unpredictable routing issues.
Table 8-1 Supported Backup LAN-to-LAN Connection Types
Originate-Only
Answer-Only
Bi-Directional
Answer-Only
Bi-Directional
Bi-Directional
Examples
The following example, entered in global configuration mode, configures the crypto map mymap and sets the connection-type to originate-only.
hostname(config)# crypto map mymap 10 set connection-type originate-onlyhostname(config)#Related Commands
clear configure crypto map
Clears all configuration for all crypto maps.
show running-config crypto map
Displays the crypto map configuration.
crypto map set ikev2 pre-shared-key
To specify a preshared key for AnyConnect IKEv2 connections, the crypto map set ikev2 pre-shared-key command in global configuration mode. Use the no form of this command to return to the default setting.
crypto map map-name seq-num set ikev2 pre-shared-key key
no crypto map map-name seq-num set ikev2 pre-shared-key key
Syntax Description
map-name
Specifies the name of the crypto map set.
seq-num
Specifies the number you assign to the crypto map entry.
key
Alphanumeric string from 1 to 128 characters.
Defaults
There is no default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example configures the preshared key SKTIWHT:
hostname(config)# crypto map crypto_map_example set ikev2 pre-shared-key SKTIWHTRelated Commands
clear configure crypto map
Clears all configuration for all crypto maps.
show running-config crypto map
Displays the crypto map configuration.
crypto map set inheritance
To set the granularity (single or multiple) of security associations generated for this crypto map entry, use the set inheritance command in global configuration mode. To remove the inheritance setting for this crypto map entry, use the no form of this command.
crypto map map-name seq-num set inheritance {data| rule}
no crypto map map-name seq-num set inheritance {data | rule}
Syntax Description
Defaults
Default value is rule.
Command Modes
The following table shows the modes in which
Global configuration
•
—
•
—
—
you can enter the command:
Command History
Usage Guidelines
This command works only when the ASA is initiating the tunnel, not when responding to a tunnel. Using the data setting may create a large number of IPsec SAs. This consumes memory and results in fewer overall tunnels. You should use the data setting only for extremely security-sensitive applications.
Examples
The following example, entered in global configuration mode, configures the crypto map mymap and sets the inheritance type to data.
hostname(config)# crypto map mymap 10 set inheritance datahostname(config)#Related Commands
clear configure crypto map
Clears all configuration for all crypto maps.
show running-config crypto map
Displays the crypto map configuration.
crypto map set nat-t-disable
To disable NAT-T for connections based on this crypto map entry, use the crypto map set nat-t-disable command in global configuration mode. To enable NAT-T for this crypto may entry, use the no form of this command.
crypto map map-name seq-num set nat-t-disable
no crypto map map-name seq-num set nat-t-disable
Syntax Description
map-name
Specifies the name of the crypto map set.
seq-num
Specifies the number you assign to the crypto map entry.
Defaults
The default setting for this command is not on (therefore NAT-T is enabled by default).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Use the isakmp nat-traversal command to globally enable NAT-T. Then you can use the crypto map set nat-t-disable command to disable NAT-T for specific crypto map entries.
Examples
The following command, entered in global configuration mode, disables NAT-T for the crypto map entry named mymap.
hostname(config)# crypto map mymap 10 set nat-t-disablehostname(config)#Related Commands
crypto map set peer
To specify an IPsec peer in a crypto map entry, use the crypto map set peer command in global configuration mode. Use the no form of this command to remove an IPsec peer from a crypto map entry.
crypto map map-name seq-num set peer {ip_address | hostname}{...ip_address10 | hostname10}
no crypto map map-name seq-num set peer {ip_address | hostname}{...ip_address10 | hostname10}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command
Global configuration
•
•
•
—
—
:
Command History
Usage Guidelines
This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used because, in general, the peer is unknown.
Configuring multiple peers is equivalent to providing a fallback list. For each tunnel, the security appliance attempts to negotiate with the first peer in the list. If that peer does not respond, the security appliance works its way down the list until either a peer responds or there are no more peers in the list. You can set up multiple peers only when using the backup LAN-to-LAN feature (that is, when the crypto map connection type is originate-only). For more information, see the crypto map set connection-type command.
Note
Examples
The following example, entered in global configuration mode, shows a crypto map configuration using IKE to establish the security associations. In this example, you can set up a security association to either the peer at 10.0.0.1 or the peer at 10.0.0.2.
hostname(config)# crypto map mymap 10 ipsec-isakmphostname(config)# crypto map mymap 10 match address 101hostname(config)# crypto map mymap 10 set transform-set my_t_set1hostname(config)# crypto map mymap 10 set peer 10.0.0.1 10.0.0.2Related Commands
clear configure crypto map
Clears all configuration for all crypto maps.
show running-config crypto map
Displays the crypto map configuration.
crypto map set pfs
Use the crypto map set pfs command in global configuration mode to set IPsec to ask for PFS when requesting new security associations for this crypto map entry or that IPsec requires PFS when receiving requests for new security associations. To specify that IPsec should not request PFS, use the no form of this command.
crypto map map-name seq-num set pfs [group1 | group2 | group5]
no crypto map map-name seq-num set pfs [group1 | group2 | group5]
Syntax Description
Defaults
By default PFS is not set.
Command Modes
The following table shows the modes in which you can enter the command
Global configuration
•
•
•
—
—
:
Command History
Usage Guidelines
With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time. PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key is compromised.
During negotiation, this command causes IPsec to request PFS when requesting new security associations for the crypto map entry. If the set pfs statement does not specify a group, the ASA sends the default (group2).
If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation fails. If the local configuration does not specify a group, the ASA assumes a default of group2. If the local configuration specifies group2, or group5, that group must be part of the peer's offer or the negotiation fails.
For a negotiation to succeed, PFS has to be set on both ends of the LAN to LAN tunnel (with or without Diffie-Hellman group). If set, the groups have to be an exact match; The ASA does not accept just any offer of PFS from the peer.
The 1536-bit Diffie-Hellman prime modulus group, group5, provides more security than group1, or group2, but requires more processing time than the other groups.
When interacting with the Cisco VPN Client, the ASA does not use the PFS value, but instead uses the value negotiated during Phase 1.
Examples
The following example, entered in global configuration mode, specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10":
hostname(config)# crypto map mymap 10 ipsec-isakmphostname(config)# crypto map mymap 10 set pfs group2Related Commands
crypto map set ikev1 phase1-mode
To specify the IKEv1 mode for phase 1 when initiating a connection to either main or aggressive, use the crypto map set ikev1 phase1-mode command in global configuration mode. To remove the setting for phase 1 IKEv1 negotiations, use the no form of this command. Including a Diffie-Hellman group with aggressive mode is optional. If one is not included, the ASA uses group 2.
crypto map map-name seq-num set ikev1 phase1-mode {main | aggressive [group1 | group2 | group5]}
no crypto map map-name seq-num set ikev1 phase1-mode {main | aggressive [group1 | group2 | group5]}
Syntax Description
Defaults
Default phase one mode is main.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command works only in initiator mode; not in responder mode.
Examples
The following example, entered in global configuration mode, configures the crypto map my map and sets the phase one mode to aggressive, using group 2.
hostname(config)# crypto map mymap 10 set ikev1 phase1mode aggressive group2hostname(config)#Related Commands
crypto map set ikev2 phase1-mode
To specify the IKEv2 mode for phase 1 when initiating a connection to either main or aggressive, use the crypto map set ikev2 phase1-mode command in global configuration mode. To remove the setting for phase 1 IKEv2 negotiations, use the no form of this command. Including a Diffie-Hellman group with aggressive mode is optional. If one is not included, the ASA uses group 2.
crypto map map-name seq-num set ikev2 phase1-mode {main | aggressive [group1 | group2 | group5]}
no crypto map map-name seq-num set ikev2 phase1-mode {main | aggressive [group1 | group2 | group5]}
Syntax Description
Defaults
Default phase one mode is main.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
7.0
This command was introduced.
8.0(4)
The group 7 command option was deprecated. Attempts to configure group 7 will generate an error message and use group 5 instead.
Usage Guidelines
This command works only in initiator mode; not in responder mode.
Examples
The following example, entered in global configuration mode, configures the crypto map my map and sets the phase one mode to aggressive, using group 2.
hostname(config)# crypto map mymap 10 set ikev2 phase1mode aggressive group2hostname(config)#Related Commands
crypto map set reverse-route
To enable RRI for any connection based on this crypto map entry, use the crypto map set reverse-route command in global configuration mode. To disable reverse route injection for any connection based this crypto map entry, use the no form of this command.
crypto map map-name seq-num set reverse-route
no crypto map map-name seq-num set reverse-route
Syntax Description
map-name
Specifies the name of the crypto map set.
seq-num
Specifies the number you assign to the crypto map entry.
Defaults
The default setting for this command is off.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
The ASA can automatically add static routes to the routing table and announce these routes to its private network or border routers using OSPF.
Examples
The following example, entered in global configuration mode, enables RRI for the crypto map named mymap.
hostname(config)# crypto map mymap 10 set reverse-routehostname(config)#Related Commands
clear configure crypto map
Clears all configuration for all crypto maps.
show running-config crypto map
Displays the crypto map configuration.
crypto map set security-association lifetime
To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IPsec security associations, use the crypto map set security-association lifetime command in global configuration mode. To reset a crypto map entry's lifetime value to the global value, use the no form of this command.
crypto map map-name seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}
no crypto map map-name seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}
Syntax Description
Defaults
The default number of kilobytes is 4,608,000; the default number of seconds is 28,800.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
The crypto map's security associations are negotiated according to the global lifetimes.
IPsec security associations use shared secret keys. These keys and their security associations time out together.
Assuming that the particular crypto map entry has lifetime values configured, when the ASA requests new security associations during security association negotiation, it specifies its crypto map lifetime values in the request to the peer; it uses these values as the lifetime of the new security associations. When the ASA receives a negotiation request from the peer, it uses the smaller of the lifetime values proposed by the peer or the locally configured lifetime values as the lifetime of the new security associations.
There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The session keys/security association expires after the first of these lifetimes is reached. You can specify both with one command.
Note
To change the timed lifetime, use the crypto map set security-association lifetime seconds command. The timed lifetime causes the keys and security association to time out after the specified number of seconds have passed.
Examples
The following command, entered in global configuration mode, specifies a security association lifetime in seconds and kilobytes for crypto map mymap:
hostname(config)# crypto map mymap 10 set security-association lifetime seconds 1400 kilobytes 3000000hostname(config)#Related Commands
clear configure crypto map
Clears all configuration for all crypto maps.
show running-config crypto map
Displays the crypto map configuration.
crypto map set ikev1 transform-set
To specify the IKEv1 transform sets to use in a crypto map entry, use the crypto map set transform-set command in global configuration mode.
crypto map map-name seq-num set transform-set transform-set-name1
[... transform-set-name11]To specifically remove the names of the transform sets from a crypto map entry, use the no form of this commandwith the specified transform set name.
no crypto map map-name seq-num set transform-set transform-set-name1
[... transform-set-name11]To specify all or none of the transform sets and remove the crypto map entry, use the no form of the command.
no crypto map map-name seq-num set transform-set
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which
Global configuration
•
•
•
—
—
you can enter the command:
Command History
7.0
This command was introduced.
7.2(1)
Changed maximum number of transform sets in a crypto map entry.
Usage Guidelines
This command is required for all crypto map entries.
The peer at the opposite end of the IPsec initiation uses the first matching transform set for the security association. If the local ASA initiates the negotiation, the order specified in the crypto map command determines the order in which theASA presents the contents of the transform sets to the peer. If the peer initiates the negotiation, the local ASA uses the first transform set in the crypto map entry that matches the IPsec parameters sent by the peer.
If the peer at the opposite end of the IPsec initiation fails to match the values of the transform sets, IPsec does not establish a security association. The initiator drops the traffic because there is no security association to protect it.
To change the list of transform sets, respecify the new list to replace the old one.
If you use this command to modify a crypto map, the ASA modifies only the crypto map entry with the same sequence number you specify. For example, the ASA inserts the transform set named "56des-sha" in the last position if you enter the following commands:
hostname(config)# crypto map map1 1 set transform-set 128aes-md5 128aes-sha 192aes-md5hostname(config)# crypto map map1 1 transform-set 56des-shahostname(config)#The response to the following command shows the cumulative effect of the previous two commands:
hostname(config)# show running-config crypto mapcrypto map map1 1 set transform-set 128aes-md5 128aes-sha 192aes-md5 56des-shahostname(config)#To reconfigure the sequence of transform sets in a crypto map entry, delete the entry, specifying both the map name and sequence number; then recreate it. For example, the following commands reconfigure the crypto map entry named map2, sequence 3:
asa2(config)# no crypto map map2 3 set transform-setasa2(config)# crypto map map2 3 set transform-set 192aes-sha 192aes-md5 128aes-sha 128aes-md5asa2(config)#Examples
The "crypto ipsec transform-set (create or remove transform set)" section shows ten transform set example commands. The following example creates a crypto map entry named "map2" consisting of the same ten transform sets.
hostname(config)# crypto map map2 10 set transform-set 3des-md5 3des-sha 56des-md5 56des-sha 128aes-md5 128aes-sha 192aes-md5 192aes-sha 256aes-md5 256aes-shahostname(config)#The following example, entered in global configuration mode, shows the minimum required crypto map configuration when the ASA uses IKE to establish the security associations:
hostname(config)# crypto map map2 10 ipsec-isakmphostname(config)# crypto map map2 10 match address 101hostname(config)# crypto map map2 set transform-set 3des-md5hostname(config)# crypto map map2 set peer 10.0.0.1hostname(config)#Related Commands
crypto map set ikev2 ipsec-proposal
To specify the IKEv2 proposal to use in a crypto map entry, use the crypto map set ikev2 ipsec-proposal command in global configuration mode.
crypto map map-name seq-num set ikev2 ipsec-proposal propsal-name1
[... proposal-name11]To specifically remove the names of the proposals from a crypto map entry, use the no form of this commandwith the specified proposal name.
no crypto map map-name seq-num set ikev2 ipsec-proposal propsal-name1
[... proposal-name11]To specify all or none of the proposal and remove the crypto map entry, use the no form of the command.
no crypto map map-name seq-num set ikev2 ipsec-proposal
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which
Global configuration
•
•
•
—
—
you can enter the command:
Command History
Usage Guidelines
For all crypto map entries, an IKEv1 transform set or an IKEv2 proposal is required.
The peer at the opposite end of the IPsec IKEv2 initiation uses the first matching proposal for the security association. If the local ASA initiates the negotiation, the order specified in the crypto map command determines the order in which theASA presents the contents of the proposals to the peer. If the peer initiates the negotiation, the local ASA uses the first proposal in the crypto map entry that matches the IPsec parameters sent by the peer.
If the peer at the opposite end of the IPsec initiation fails to match the values of the proposals, IPsec does not establish a security association. The initiator drops the traffic because there is no security association to protect it.
To change the list of proposals, create a new list and specify it to replace the old one.
If you use this command to modify a crypto map, the ASA modifies only the crypto map entry with the same sequence number you specify. For example, the ASA inserts the proposal named 56des-sha in the last position if you enter the following commands:
hostname(config)# crypto map map1 1 set ikev2 ipsec-proposal 128aes-md5 128aes-sha 192aes-md5hostname(config)# crypto map map1 1 set ikev2 ipsec-proposal 56des-shahostname(config)#The response to the following command shows the cumulative effect of the previous two commands:
hostname(config)# show running-config crypto mapcrypto map map1 1 set ipsec-proposal 128aes-md5 128aes-sha 192aes-md5 56des-shahostname(config)#To reconfigure the sequence of proposals in a crypto map entry, delete the entry, specifying both the map name and sequence number; then recreate it. For example, the following commands reconfigure the crypto map entry named map2, sequence 3:
asa2(config)# no crypto map map2 3 set ikev2 ipsec-proposalasa2(config)# crypto map map2 3 set ikev2 ipsec-proposal 192aes-sha 192aes-md5 128aes-sha 128aes-md5asa2(config)#Examples
The following example creates a crypto map entry named "map2" consisting of ten proposals.
hostname(config)# crypto map map2 10 set ikev2 ipsec-proposal 3des-md5 3des-sha 56des-md5 56des-sha 128aes-md5 128aes-sha 192aes-md5 192aes-sha 256aes-md5 256aes-shahostname(config)#Related Commands
crypto map set trustpoint
To specify the trustpoint that identifies the certificate to send for authentication during Phase 1 negotiations for the crypto map entry, use the crypto map set trustpoint command in global configuration mode. To remove a trustpoint from a crypto map entry, use the no form of this command.
crypto map map-name seq-num set trustpoint trustpoint-name [chain]
no crypto map map-name seq-num set trustpoint trustpoint-name [chain]
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command
Global configuration
•
•
•
—
—
:
Command History
Usage Guidelines
This crypto map command is valid only for initiating a connection. For information on the responder side, see the tunnel-group commands.
Examples
The following example, entered in global configuration mode, specifies a trustpoint named tpoint1 for crypto map mymap and includes the chain of certificates.
hostname(config)# crypto map mymap 10 set trustpoint tpoint1 chainhostname(config)#Related Commands
csc
To enable the adaptive ASA to send network traffic to the CSC SSM, use the csc command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
csc {fail-open | fail-close}
no csc
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
Usage Guidelines
The csc command configures a security policy to send to the CSC SSM all traffic that is matched by the applicable class map. This occurs before the adaptive ASA allows the traffic to continue to its destination.
You can specify how the ASA treats matching traffic when the CSC SSM is not available to scan the traffic. The fail-open keyword specifies that the ASA permits the traffic to continue to its destination even though the CSC SSM is not available. The fail-close keyword specifies that the ASA never lets matching traffic continue to its destination when the CSC SSM is not available.
The CSC SSM can scan HTTP, SMTP, POP3, and FTP traffic. It supports these protocols only when the destination port of the packet requesting the connection is the well-known port for the protocol, that is, CSC SSM can scan only the following connections:
•
•
•
•
If policies using the csc command select connections that misuse these ports for other protocols, the ASA passes the packets to the CSC SSM; however, the CSC SSM passes the packets without scanning them.
To maximize the efficiency of the CSC SSM, configure class maps used by policies implementing the csc command as follows:
•
•
–
–
–
–
FTP Scanning
The CSC SSM supports scanning of FTP file transfers only if the primary channel for the FTP session uses the standard port, which is TCP port 21.
FTP inspection must be enabled for the FTP traffic that you want scanned by the CSC SSM. This is because FTP uses a dynamically assigned secondary channel for data transfer. The ASA determines the port assigned for the secondary channel and opens a pinhole to allow the data transfer to occur. If the CSC SSM is configured to scan FTP data, the ASA diverts the data traffic to the CSC SSM.
You can apply FTP inspection either globally or to the same interface that the csc command is applied to. By default, FTP inspection is enabled globally. If you have not changed the default inspection configuration, no further FTP inspection configuration is required to enable FTP scanning by the CSC SSM.
For more information about FTP inspection or the default inspection configuration, see the CLI configuration guide.
Examples
The ASA should be configured to divert traffic to CSC SSM requests from clients on the inside network for HTTP, FTP, and POP3 connections to the outside network and incoming SMTP connections from outside hosts to the mail server on the DMZ network. HTTP requests from the inside network to the web server on the DMZ network should not be scanned.
The following configuration creates two service policies. The first policy, csc_out_policy, is applied to the inside interface and uses the csc_out access list to ensure that all outbound requests for FTP and POP3 are scanned. The csc_out access list also ensures that HTTP connections from inside to networks on the outside interface are scanned, but the access list includes a deny ACE to exclude HTTP connections from inside to servers on the DMZ network.
The second policy, csc_in_policy, is applied to the outside interface and uses the csc_in access list to ensure that requests for SMTP and HTTP originating on the outside interface and destined for the DMZ network are scanned by the CSC SSM. Scanning HTTP requests protects the web server from HTTP file uploads.
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21hostname(config)# access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110hostname(config)# class-map csc_outbound_classhostname(config-cmap)# match access-list csc_outhostname(config)# policy-map csc_out_policyhostname(config-pmap)# class csc_outbound_classhostname(config-pmap-c)# csc fail-closehostname(config)# service-policy csc_out_policy interface insidehostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80hostname(config)# class-map csc_inbound_classhostname(config-cmap)# match access-list csc_inhostname(config)# policy-map csc_in_policyhostname(config-pmap)# class csc_inbound_classhostname(config-pmap-c)# csc fail-closehostname(config)# service-policy csc_in_policy interface outside
Note
Related Commands
csd enable
To enable Cisco Secure Desktop for clientless SSL VPN remote access or remote access using the AnyConnect client, use the csd enable command in webvpn configuration mode. To disable Cisco Secure Desktop, use the no form of this command.
csd enable
no csd enable
CSD is enabled or disabled globally for all remote access connection attempts made to the ASA with one exception.
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
The csd enable command does the following:
1.
2.
3.
4.
5.
Note
•
•
•
•
Exception: Connection profiles for clientless SSL VPN connections can be configured such that CSD will not run on the client computer if the computer is attempting to connect to the ASA using a group URL and CSD is enabled globally. For example:
Y66S3JeZBV88etFmyYJ7rebjUVVQZaFcq79EjoP99IeJ3a89Y7dKvYqq8I3hmYRegroup-name webvpn-attributes
uipm1G6wfKHOrpLZnwIDAQABo4IDujCCA7YwCwYDVR0PBAQDAgWgMBoGA1UdEQQT
MBGCD0JyaWFuLmNpc2NvLmNvbTAdBgNVHQ4EFgQUocM/JeVV3fjZh4wDe0JS74JmExamples
The following example commands shows how to view the status of the Cisco Secure Desktop image and enable it:
hostname(config-webvpn)# show webvpn csdSecure Desktop is not enabled.hostname(config-webvpn)# csd enablehostname(config-webvpn)# show webvpn csdSecure Desktop version 3.1.0.25 is currently installed and enabled.hostname(config-webvpn)#Related Commands
csd hostscan image
To install or upgrade the Cisco Host Scan distribution package and add it to the running configuration, use the csd hostscan image command in webvpn configuration mode. To remove the Host Scan distribution package from the running configuration, use the no form of this command:
csd hostscan image path
no csd hostscan image path
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
Enter the show webvpn csd hostscan command to determine the version of Host Scan image that is currently installed and enabled.
After installing Host Scan with the csd hostscan image command, you need to enable the image using the csd enable command.
Enter the write memory command to save the running configuration to ensure the Host Scan image is available the next time the ASA reboots.
Examples
The following example commands show how to install a Cisco Host Scan package, enable the Host Scan package, view the enabled Host Scan package, and save the configuration on the flash drive:
hostname> enPassword: ******hostname# config thostname(config)# webvpnhostname(config-webvpn)# show webvpn csd hostscanHostscan is not enabled.hostname(config-webvpn)# csd hostscan image disk0:/hostscan_3.0.0333-k9.pkghostname(config-webvpn)# csd enablehostname(config-webvpn)# show webvpn csd hostscanHostscan version 3.0.0333 is currently installed and enabledhostname(config-webvpn)# write memoryBuilding configuration...Cryptochecksum: 2e7126f7 71214c6b 6f3b28c5 72fa0a1e22067 bytes copied in 3.460 secs (7355 bytes/sec)[OK]hostname(config-webvpn)#Related Commands
csd image
To validate the Cisco Secure Desktop distribution package and add it to the running configuration, effectively installing Cisco Secure Desktop, use the csd image command in webvpn configuration mode. To remove the CSD distribution package from the running configuration, use the no form of the command:
csd image path
no csd image [path]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
Enter the show webvpn csd command to determine whether the Cisco Secure Desktop image is enabled before entering this command. The CLI indicates the version of Cisco Secure Desktop image that is currently installed if it is enabled.
Use the csd image command to install a new Cisco Secure Desktop image, or upgrade an existing image, after you download it from http://www.cisco.com/pcgi-bin/tablebuild.pl/securedesktop to your computer, and transfer it to the flash drive. When downloading it, be sure to get the correct file for the ASA; it is in the form securedesktop_asa_<n>_<n>*.pkg.
Entering no csd image removes both management access to Cisco Secure Desktop Manager and remote user access to Cisco Secure Desktop. The ASA does not make any changes to the Cisco Secure Desktop software and the Cisco Secure Desktop configuration on the flash drive when you enter this command.
Note
Examples
The following example commands show how to view the current Cisco Secure Desktop distribution package, view the contents of the flash file system, and upgrade to a new version:
hostname# show webvpn csdSecure Desktop version 3.1.0.24 is currently installed and enabled.hostname# config thostname(config)# webvpnhostname(config-webvpn)# show disk all-#- --length-- -----date/time------ path6 8543616 Nov 02 2005 08:25:36 PDM9 6414336 Nov 02 2005 08:49:50 cdisk.bin10 4634 Sep 17 2004 15:32:48 first-backup11 4096 Sep 21 2004 10:55:02 fsck-245112 4096 Sep 21 2004 10:55:02 fsck-250513 21601 Nov 23 2004 15:51:46 shirley.cfg14 9367 Nov 01 2004 17:15:34 still.jpg15 6594064 Nov 04 2005 09:48:14 asdmfile.510106.rls16 21601 Dec 17 2004 14:20:40 tftp17 21601 Dec 17 2004 14:23:02 bingo.cfg18 9625 May 03 2005 11:06:14 wally.cfg19 16984 Oct 19 2005 03:48:46 tomm_backup.cfg20 319662 Jul 29 2005 09:51:28 sslclient-win-1.0.2.127.pkg21 0 Oct 07 2005 17:33:48 sdesktop22 5352 Oct 28 2005 15:09:20 sdesktop/data.xml23 369182 Oct 10 2005 05:27:58 sslclient-win-1.1.0.133.pkg24 1836210 Oct 12 2005 09:32:10 securedesktop_asa_3_1_0_24.pkg25 1836392 Oct 26 2005 09:15:26 securedesktop_asa_3_1_0_25.pkg38600704 bytes available (24281088 bytes used)******** Flash Card Geometry/Format Info ********COMPACT FLASH CARD GEOMETRYNumber of Heads: 4Number of Cylinders 978Sectors per Cylinder 32Sector Size 512Total Sectors 125184COMPACT FLASH CARD FORMATNumber of FAT Sectors 61Sectors Per Cluster 8Number of Clusters 15352Number of Data Sectors 122976Base Root Sector 123Base FAT Sector 1Base Data Sector 155hostname(config-webvpn)# csd image disk0:securedesktop_asa_3_1_0_25.pkghostname(config-webvpn)# show webvpn csdSecure Desktop version 3.1.0.25 is currently installed and enabled.hostname(config-webvpn)# write memoryBuilding configuration...Cryptochecksum: 5e57cfa8 0e9ca4d5 764c3825 2fc4deb619566 bytes copied in 3.640 secs (6522 bytes/sec)[OK]hostname(config-webvpn)#Related Commands
ctl
To enable the Certificate Trust List (CTL) provider to parse the CTL file from the CTL client and install trustpoints, use the ctl command in ctl provider configuration mode. To remove the configuration, use the no form of this command.
ctl install
no ctl instal
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
ctl provider configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the ctl command in ctl provider configuration mode to enable the CTL provider to parse the CTL file from the CTL client and install trustpoints for entries from the CTL file. Ttrustpoints installed by this command have names prefixed with "_internal_CTL_<ctl_name>." This command is optional and is enabled by default.
If this command is disabled, each CallManager server and CAPFs certificate must be manually imported and installed via the crypto ca trustpoint and crypto ca certificate chain commands.
Examples
The following example shows how to create a CTL provider instance:
hostname(config)# ctl-provider my_ctlhostname(config-ctl-provider)# client interface inside 172.23.45.1hostname(config-ctl-provider)# client username CCMAdministrator password XXXXXX encryptedhostname(config-ctl-provider)# export certificate ccm_proxyhostname(config-ctl-provider)# ctl installRelated Commands
ctl-file (global)
To specify the CTL instance to create for a phone proxy or to parse the CTL file stored in flash memory, use the ctl-file command in global configuration mode. To remove the CTL instance, use the no form of this command.
ctl-file ctl_name noconfirm
no ctl-file ctl_name noconfirm
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
If users have phones that require LSC provisioning, you must also import the CAPF certificate into the ASA from the CUMC when configuring the CTL file instance with the ctl-file command. For kmore information,see the CLI configuration guide.
Note
Using the no form of the command removes the CTL file and all enrolled trustpoints internally created by a phone proxy. Additionally, removing the CTL file destroys all certificates received from the related certificate authority.
Examples
The following example shows the use of the ctl-file command to configure the CTL file for the phone proxy feature:
hostname(config)#ctl-file myctlRelated Commands
ctl-file (phone-proxy)
To specify the CTL instance to use when configuring the Phone Proxy, use the ctl-file command in phone-proxy configuration mode. To remove the CTL instance, use the no form of this command.
ctl-file ctl_name
no ctl-file ctl_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Phone-proxy configuration
•
—
•
—
—
Command History
Examples
The following example shows the use of the ctl-file command to configure the CTL file for the Phone Proxy feature:
hostname(config-phone-proxy)#ctl-file myctlRelated Commands
ctl-file (global)
Specifies the CTL file to create for Phone Proxy configuration or the CTL file to parse from Flash memory.
phone-proxy
Configures the Phone Proxy Instance.
ctl-provider
To configure a Certificate Trust List provider instance in CTL provider mode, use the ctl-provider command in global configuration mode. To remove the configuration, use the no form of this command.
ctl-provider ctl_name
no ctl-provider ctl_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the ctl-provider command to enter CTL provider configuration mode to create a CTL provider instance.
Examples
The following example shows how to create a CTL provider instance:
hostname(config)# ctl-provider my_ctlhostname(config-ctl-provider)# client interface inside 172.23.45.1hostname(config-ctl-provider)# client username CCMAdministrator password XXXXXX encryptedhostname(config-ctl-provider)# export certificate ccm_proxyhostname(config-ctl-provider)# ctl installRelated Commands
customization
To specify the customization to use for a tunnel-group, group, or user, use the customization command from the following modes:
In tunnel-group webvpn-attributes configuration mode and webvpn configuration mode (accessible from global configuration mode):
customization name
no customization name
In webvpn configuration mode (accessible from group-policy attributes configuration mode or username attributes configuration mode):
customization {none | value name}
no customization {none | value name}
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group webvpn-attributes configuration
•
—
•
—
—
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
Before entering the customization command in tunnel-group webvpn-attributes cofiguration mode, you must name and configure the customization using the customization command in webvpn configuration mode.
Mode-Dependent Command Options
The keywords available with the customization command differ depending on the mode you are in. In group-policy attributes > webvpn configuration mode and username attributes > webvpn configuration mode, the additional keywords none and value appear. The complete syntax from these modes is:
[no] customization {none | value name}
None disables customization for the group or user, and prevents the customization from being inherited. For example, if you enter the customization none command from username attributes > webvpn mode, the security appliance will not look for the value in the group policy or tunnel group.
name is the name of a customization to apply to the group or user.
To remove the command from the configuration, and cause the value to be inherited, use the no form of the command.
Examples
The following example shows a command sequence that first establishes a WebVPN customization named "123" that defines a password prompt. The example then defines a WebVPN tunnel group named "test" and uses the customization command to specifies the use of the WebVPN customization named "123":
hostname(config)# webvpnhostname(config-webvpn)# customization 123hostname(config-webvpn-custom)# password-prompt Enter passwordhostname(config-webvpn)# exithostname(config)# tunnel-group test type webvpnhostname(config)# tunnel-group test webvpn-attributeshostname(config-tunnel-webvpn)# customization 123hostname(config-tunnel-webvpn)#The next example shows the customization named "cisco" applied to the group policy named "cisco_sales". Note that the additional command option value is required with the customization command entered in group-policy attributes > webvpn configuration mode:
hostname(config)# group-policy cisco_sales attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# customization value ciscoRelated Commands
cxsc
To redirect traffic to the ASA CX module, use the cxsc command in class configuration mode. To remove the ASA CX action, use the no form of this command. You can access the class configuration mode by first entering the policy-map command.
cxsc {fail-close | fail-open} [auth-proxy]
no cxsc {fail-close | fail-open} [auth-proxy]
Syntax Description
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
—
—
Command History
Usage Guidelines
Before or after you configure the cxsc command on the ASA, configure the security policy on the ASA CX module using Cisco Prime Security Manager (PRSM).
To configure the cxsc command, you must first configure the class-map command, policy-map command, and the class command.
Traffic Flow
The ASA CX module runs a separate application from the ASA. It is, however, integrated into the ASA traffic flow. When you apply the cxsc command for a class of traffic on the ASA, traffic flows through the ASA and the ASA CX module in the following way:
1.
2.
3.
4.
5.
6.
7.
8.
Information About Authentication Proxy
When the ASA CX needs to authenticate an HTTP user (to take advantage of identity policies), you must configure the ASA to act as an authentication proxy: the ASA CX module redirects authentication requests to the ASA interface IP address/proxy port. By default, the port is 885 (user configurable with the cxsc auth-proxy port command). Configure this feature as part of the service policy to divert traffic from the ASA to the ASA CX module. If you do not enable the authentication proxy, only passive authentication is available.
Compatibility with ASA Features
The ASA includes many advanced application inspection features, including HTTP inspection. However, the ASA CX module provides more advanced HTTP inspection than the ASA provides, as well as additional features for other applications, including monitoring and controlling application usage.
To take full advantage of the ASA CX module features, see the following guidelines for traffic that you send to the ASA CX module:
•
•
•
•
•
•
Examples
The following example diverts all HTTP traffic to the ASA CX module, and blocks all HTTP traffic if the ASA CX module card fails for any reason:
hostname(config)# access-list ASACX permit tcp any any eq port 80hostname(config)# class-map my-cx-classhostname(config-cmap)# match access-list ASACXhostname(config-cmap)# policy-map my-cx-policyhostname(config-pmap)# class my-cx-classhostname(config-pmap-c)# cxsc fail-close auth-proxyhostname(config-pmap-c)# service-policy my-cx-policy globalThe following example diverts all IP traffic destined for the 10.1.1.0 network and the 10.2.1.0 network to the ASA CX module, and allows all traffic through if the ASA CX module fails for any reason.
hostname(config)# access-list my-cx-acl permit ip any 10.1.1.0 255.255.255.0hostname(config)# access-list my-cx-acl2 permit ip any 10.2.1.0 255.255.255.0hostname(config)# class-map my-cx-classhostname(config-cmap)# match access-list my-cx-aclhostname(config)# class-map my-cx-class2hostname(config-cmap)# match access-list my-cx-acl2hostname(config-cmap)# policy-map my-cx-policyhostname(config-pmap)# class my-cx-classhostname(config-pmap-c)# cxsc fail-open auth-proxyhostname(config-pmap)# class my-cx-class2hostname(config-pmap-c)# cxsc fail-open auth-proxyhostname(config-pmap-c)# service-policy my-cx-policy interface outsideRelated Commands
cxsc auth-proxy port
To set the authentication proxy port for ASA CX module traffic, use the cxsc auth-proxy port command in global configuration mode. To set the port to the default, use the no form of this command.
cxsc auth-proxy port port
no cxsc auth-proxy port [port]
Syntax Description
Command Default
The default port is 885.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
If you enable the authentication proxy when you configure the cxsc command, you can change the port using this command.
When the ASA CX needs to authenticate an HTTP user (to take advantage of identity policies), you must configure the ASA to act as an authentication proxy: the ASA CX module redirects authentication requests to the ASA interface IP address/proxy port. By default, the port is 885. Configure this feature as part of the service policy to divert traffic from the ASA to the ASA CX module. If you do not enable the authentication proxy, only passive authentication is available.
Examples
The following example enables the authentication proxy for ASA CX traffic, then changes the port to 5000:
hostname(config)# access-list ASACX permit tcp any any eq port 80hostname(config)# class-map my-cx-classhostname(config-cmap)# match access-list ASACXhostname(config-cmap)# policy-map my-cx-policyhostname(config-pmap)# class my-cx-classhostname(config-pmap-c)# cxsc fail-close auth-proxyhostname(config-pmap-c)# service-policy my-cx-policy globalhostname(config)# cxsc auth-port 5000Related Commands
