Cisco ASA Series Command Reference, 8.4, 8.5, 8.6, and 8.7
shun -- sysopt radius ignore-secret

Table Of Contents

shun through sysopt radius ignore-secret Commands

shun

shutdown

shutdown (ca-server mode)

sla monitor

sla monitor schedule

smart-tunnel auto-signon enable

smart-tunnel auto-signon list

smart-tunnel auto-start

smart-tunnel disable

smart-tunnel enable

smart-tunnel list

smart-tunnel network

smart-tunnel tunnel-policy

smtp from-address

smtp subject

smtps

smtp-server

snmp cpu threshold rising

snmp link threshold

snmp-map

snmp-server community

snmp-server contact

snmp-server enable

snmp-server enable traps

snmp-server group

snmp-server host

snmp-server listen-port

snmp-server location

snmp-server user

software-version

speed

split-dns

split-horizon

split-tunnel-all-dns

split-tunnel-network-list

split-tunnel-policy

spoof-server

sq-period

ssh

ssh authentication

ssh disconnect

ssh key-exchange

ssh scopy enable

ssh timeout

ssh version

ssl certificate-authentication

ssl client-version

ssl encryption

ssl server-version

ssl trust-point

sso-server

sso-server value (group-policy webvpn)

sso-server value (username webvpn)

start-url

state-checking

strict-header-validation

strict-http

strip-group

strip-realm

storage-key

storage-objects

subject-name (crypto ca certificate map)

subject-name (crypto ca trustpoint)

subject-name-default

subnet

summary-address (OSPF)

summary-address (EIGRP)

sunrpc-server

support-user-cert-validation

sw-module module password-reset

sw-module module recover

sw-module module reload

sw-module module reset

sw-module module shutdown

sw-module module uninstall

switchport access vlan

switchport mode

switchport monitor

switchport protected

switchport trunk

synack-data

syn-data

sysopt connection permit-vpn

sysopt connection preserve-vpn-flows

sysopt connection reclassify-vpn

sysopt connection tcpmss

sysopt connection timewait

sysopt noproxyarp

sysopt radius ignore-secret


shun through sysopt radius ignore-secret Commands


shun

To block connections from an attacking host, use the shun command in privileged EXEC mode. To disable a shun, use the no form of this command.

shun source_ip [dest_ip source_port dest_port [protocol]] [vlan vlan_id]

no shun source_ip [vlan vlan_id]

Syntax Description

dest_port

(Optional) Specifies the destination port of a current connection that you want to drop when you place the shun on the source IP address.

dest_ip

(Optional) Specifies the destination address of a current connection that you want to drop when you place the shun on the source IP address.

protocol

(Optional) Specifies the IP protocol of a current connection that you want to drop when you place the shun on the source IP address, such as UDP or TCP. By default, the protocol is 0 (any protocol).

source_ip

Specifies the address of the attacking host. If you only specify the source IP address, all future connections from this address are dropped; current connections remain in place. To drop a current connection and also place the shun, specify the additional parameters of the connection. Note that the shun remains in place for all future connections from the source IP address, regardless of destination parameters.

source_port

(Optional) Specifies the source port of a current connection that you want to drop when you place the shun on the source IP address.

vlan_id

(Optional) Specifies the VLAN ID where the source host resides.


Defaults

The default protocol is 0 (any protocol).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The shun command lets you block connections from an attacking host. All future connections from the source IP address are dropped and logged until the blocking function is removed manually or by the Cisco IPS sensor. The blocking function of the shun command is applied whether or not a connection with the specified host address is currently active.

If you specify the destination address, source and destination ports, and the protocol, then you drop the matching connection as well as placing a shun on all future connections from the source IP address; all future connections are shunned, not just those that match these specific connection parameters.

You can only have one shun command per source IP address.

Because the shun command is used to block attacks dynamically, it is not displayed in the ASA configuration.

Whenever an interface configuration is removed, all shuns that are attached to that interface are also removed. If you add a new interface or replace the same interface (using the same name), then you must add that interface to the IPS sensor if you want the IPS sensor to monitor that interface.

Examples

The following example shows the offending host (10.1.1.27) making a TCP connection to the victim (10.2.2.89). The connection in the ASA connection table reads as follows:

10.1.1.27, 555-> 10.2.2.89, 666 PROT TCP

Apply the shun command using the following options:

hostname# shun 10.1.1.27 10.2.2.89 555 666 tcp

The command deletes the specific current connection from the ASA connection table and also prevents all future packets from 10.1.1.27 from going through the ASA.

Related Commands

Command
Description

clear shun

Disables all the shuns that are currently enabled and clears the shun statistics.

show conn

Shows all active connections.

show shun

Displays the shun information.


shutdown

To disable an interface, use the shutdown command in interface configuration mode. To enable an interface, use the no form of this command.

shutdown

no shutdown

Syntax Description

This command has no arguments or keywords.

Defaults

All physical interfaces are shut down by default. Allocated interfaces in security contexts are not shut down in the configuration.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was moved from a keyword of the interface command to an interface configuration mode command.


Usage Guidelines

The default state of an interface depends on the type and the context mode.

In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

In single mode or in the system execution space, interfaces have the following default states:

Physical interfaces—Disabled.

Redundant Interfaces—Enabled. However, for traffic to pass through the redundant interface, the member physical interfaces must also be enabled.

Subinterfaces—Enabled. However, for traffic to pass through the subinterface, the physical interface must also be enabled.


Note This command only disables the software interface. The physical link remains up, and the directly connected device is still recognized as being up even when the corresponding interface is configured with the shutdown command.


Examples

The following example enables a main interface:

hostname(config)# interface gigabitethernet0/2
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown

The following example enables a subinterface:

hostname(config)# interface gigabitethernet0/2.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# no shutdown

The following example shuts down the subinterface:

hostname(config)# interface gigabitethernet0/2.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# shutdown

Related Commands

Command
Description

clear xlate

Resets all translations for existing connections, causing the connections to be reset.

interface

Configures an interface and enters interface configuration mode.


shutdown (ca-server mode)

To disable the local Certificate Authority (CA) server and render the enrollment interface inaccessible to users, use the shutdown command in CA server configuration mode. To enable the CA server, lock down the configuration from changes, and render the enrollment interface accessible, use the no form of this command.

[ no ] shutdown

Syntax Description

This command has no arguments or keywords.

Defaults

Initially, by default, the CA server is shut down.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CA server configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

This command in CA server mode is similar to the shutdown command in interface mode. At setup time, the local CA server is shut down by default and must be enabled using the no shutdown command. When you use the no shutdown command for the first time, you enable the CA server and generate the CA server certificate and keypair.


Note The CA configuration cannot be changed once you lock it and generate the CA certificate by issuing the no shutdown command.


To enable the CA server and lock down the current configuration with the no shutdown command, a 7-character password is required to encode and archive a PKCS12 file containing the CA certificate and keypair that is to be generated. The file is stored to the storage identified by a previously specified database path command.

Examples

The following example disables the local CA server and renders the enrollment interface inaccessible:

hostname(config)# crypto ca server
hostname(config-ca-server)# shutdown
hostname(config-ca-server)# 

The following example enables the local CA server and makes the enrollment interface accessible:

hostname(config)# crypto ca server
hostname(config-ca-server)# no shutdown
hostname(config-ca-server)# 
hostname(config-ca-server)# no shutdown
% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: caserver
Re-enter password: caserver
Keypair generation process begin. Please wait...
hostname(config-ca-server)#

Related Commands

Command
Description

crypto ca server

Provides access to the CA Server Configuration mode CLI command set, which allows you to configure and manage the local CA.

show crypto ca server

Displays the status of the CA configuration.


sla monitor

To create an SLA operation, use the sla monitor command in global configuration mode. To remove the SLA operation, use the no form of this command.

sla monitor sla_id

no sla monitor sla_id

Syntax Description

sla_id

Specifies the ID of the SLA being configured. If the SLA does not already exist, it is created. Valid values are from 1 to 2147483647.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

The sla monitor command creates SLA operations and enters SLA Monitor configuration mode. Once you enter this command, the command prompt changes to hostname(config-sla-monitor) to indicate that you are in SLA Monitor configuration mode. If the SLA operation already exists, and a type has already been defined for it, then the prompt appears as hostname(config-sla-monitor-echo), as in the example below. You can create a maximum of 2000 SLA operations. Only 32 SLA operations may be debugged at any time.

The no sla monitor command removes the specified SLA operation and the commands used to configure that operation.

After you configure an SLA operation, you must schedule the operation with the sla monitor schedule command. You cannot modify the configuration of the SLA operation after scheduling it. To modify the configuration of a scheduled SLA operation, you must use the no sla monitor command to remove the selected SLA operation completely. Removing an SLA operation also removes the associated sla monitor schedule command. Then you can reenter the SLA operation configuration.

To display the current configuration settings of the operation, use the show sla monitor configuration command. To display operational statistics of the SLA operation, use the show sla monitor operation-state command. To see the SLA commands in the configuration, use the show running-config sla monitor command.

Examples

The following example configures an SLA operation with an ID of 123 and creates a tracking entry with the ID of 1 to track the reachability of the SLA:

hostname(config)# sla monitor 123
hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside 
hostname(config-sla-monitor-echo)# timeout 1000
hostname(config-sla-monitor-echo)# frequency 3
hostname(config)# sla monitor schedule 123 life forever start-time now
hostname(config)# track 1 rtr 123 reachability

Related Commands

Command
Description

frequency

Specifies the rate at which the SLA operation repeats.

show sla monitor configuration

Displays the SLA configuration settings.

sla monitor schedule

Schedules the SLA operation.

timeout

Sets the amount of time the SLA operation waits for a response.

track rtr

Creates a tracking entry to poll the SLA.


sla monitor schedule

To schedule an SLA operation, use the sla monitor schedule command in global configuration mode. To remove the SLA operation schedule and place the operation in the pending state, use the no form of this command.

sla monitor schedule sla-id [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]

no sla monitor schedule sla-id

Syntax Description

after hh:mm:ss

Indicates that the operation should start the specified number of hours, minutes, and seconds after the command was entered.

ageout seconds

(Optional) Specifies the number of seconds to keep the operation in memory when it is not actively collecting information. After an SLA operation ages out, it is removed from the running configuration.

day

Number of the day to start the operation on. Valid values are from 1 to 31. If a day is not specified, then the current day is used. If you specify a day you must also specify a month.

hh:mm[:ss]

Specifies an absolute start time in 24-hour notation. Seconds are optional. The next time the specified time occurs is implied unless you specify a month and a day.

life forever

(Optional) Schedules the operation to run indefinitely.

life seconds

(Optional) Sets the number of seconds the operation actively collects information.

month

(Optional) Name of the month to start the operation in. If a month is not specified, then the current month is used. If you specify a month you must also specify a day.

You can enter the full English name of the month or just the first three letters.

now

Indicates that the operation should start as soon as the command is entered.

pending

Indicates that no information is collected. This is the default state.

recurring

(Optional) Indicates that the operation will start automatically at the specified time and for the specified duration every day.

sla-id

The ID of the SLA operation being scheduled.

start-time

Sets the time when the SLA operation starts.


Defaults

The defaults are as follows:

SLA operations are in the pending state until the scheduled time is met. This means that the operation is enabled but not actively collecting data.

The default ageout time is 0 seconds (never ages out).

The default life is 3600 seconds (one hour).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

When an SLA operation is in an active state, it immediately begins collecting information. The following time line shows the age-out process of the operation:

W----------------------X----------------------Y----------------------Z

W is the time the SLA operation was configured with the sla monitor command.

X is the start time of the SLA operation. This is when the operation became "active".

Y is the end of life as configured with the sla monitor schedule command (the life seconds have counted down to zero).

Z is the age out of the operation.

The age-out process, if used, starts counting down at W, is suspended between X and Y, and is reset to its configured size and starts counting down again at Y. When an SLA operation ages out, the SLA operation configuration is removed from the running configuration. It is possible for the operation to age out before it executes (that is, Z can occur before X). To ensure that this does not happen, the difference between the operation configuration time and start time (X and W) must be less than the age-out seconds.

The recurring keyword is only supported for scheduling single SLA operations. You cannot schedule multiple SLA operations using a single sla monitor schedule command. The life value for a recurring SLA operation should be less than one day. The ageout value for a recurring operation must be "never" (which is specified with the value 0), or the sum of the life and ageout values must be more than one day. If the recurring option is not specified, the operations are started in the existing normal scheduling mode.

You cannot modify the configuration of the SLA operation after scheduling it. To modify the configuration of a scheduled SLA operation, you must use the no sla monitor command to remove the selected SLA operation completely. Removing an SLA operation also removes the associated sla monitor schedule command. Then you can reenter the SLA operation configuration.

Examples

The following example shows SLA operation 25 scheduled to begin actively collecting data at 3:00 p.m. on April 5. This operation will age out after 12 hours of inactivity. When this SLA operation ages out, all configuration information for the SLA operation is removed from the running configuration.

hostname(config)# sla monitor schedule 25 life 43200 start-time 15:00 apr 5 ageout 43200

The following example shows SLA operation 1 scheduled to begin collecting data after a 5-minute delay. The default life of one hour applies.

hostname(config)# sla monitor schedule 1 start-time after 00:05:00

The following example shows SLA operation 3 scheduled to begin collecting data immediately and is scheduled to run indefinitely:

hostname(config)# sla monitor schedule 3 life forever start-time now 

The following example shows SLA operation 15 scheduled to begin automatically collecting data every day at 1:30 a.m.:

hostname(config)# sla monitor schedule 15 start-time 01:30:00 recurring
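The following helper, added here and not Cisco code, works through the W/X/Y/Z age-out timeline and the recurring-keyword constraints from the usage guidelines above, and renders a schedule back into the CLI form used in the examples. Times are seconds relative to W; only relative start times ("now" and "after hh:mm:ss") are modelled, and the life/ageout/recurring rules are taken directly from the text.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DAY = 86400
DEFAULT_LIFE = 3600   # default life is one hour
NEVER = 0             # ageout 0 means the operation never ages out


@dataclass
class Schedule:
    start_after: int                     # X - W in seconds (0 models "start-time now")
    life: Optional[int] = DEFAULT_LIFE   # None models "life forever"
    ageout: int = NEVER
    recurring: bool = False


def timeline(s: Schedule) -> Tuple[int, Optional[int], Optional[int]]:
    """Return (X, Y, Z) as seconds after W; None where the point never occurs."""
    x = s.start_after
    y = None if s.life is None else x + s.life
    if s.ageout == NEVER:
        return x, y, None
    if s.ageout <= x:
        # The age-out counter runs from W; if it expires before X the operation
        # is removed from the running configuration without ever running.
        return x, y, s.ageout
    # Counting is suspended between X and Y and restarts from the full value at Y.
    z = None if y is None else y + s.ageout
    return x, y, z


def ages_out_before_start(s: Schedule) -> bool:
    """True when Z would occur before X, the case the guidelines warn about."""
    x, _, z = timeline(s)
    return z is not None and z <= x


def recurring_problems(s: Schedule) -> List[str]:
    """Constraints the usage guidelines place on the recurring keyword."""
    problems = []
    if not s.recurring:
        return problems
    if s.life is None or s.life >= DAY:
        problems.append("life must be less than one day")
    elif s.ageout != NEVER and s.life + s.ageout <= DAY:
        problems.append("ageout must be 0 (never) or life + ageout must exceed one day")
    return problems


def to_command(sla_id: int, s: Schedule) -> str:
    """Render the schedule as the CLI line (relative start times only)."""
    parts = [f"sla monitor schedule {sla_id}"]
    if s.life is None:
        parts.append("life forever")
    elif s.life != DEFAULT_LIFE:
        parts.append(f"life {s.life}")
    if s.start_after == 0:
        parts.append("start-time now")
    else:
        h, rem = divmod(s.start_after, 3600)
        m, sec = divmod(rem, 60)
        parts.append(f"start-time after {h:02d}:{m:02d}:{sec:02d}")
    if s.ageout != NEVER:
        parts.append(f"ageout {s.ageout}")
    if s.recurring:
        parts.append("recurring")
    return " ".join(parts)
```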

Related Commands

Command
Description

show sla monitor configuration

Displays the SLA configuration settings.

sla monitor

Defines an SLA monitoring operation.


smart-tunnel auto-signon enable

To enable smart tunnel auto sign-on in clientless (browser-based) SSL VPN sessions, use the smart-tunnel auto-signon enable command in group-policy webvpn configuration mode or username webvpn configuration mode.

smart-tunnel auto-signon enable list [domain domain] [port port] [realm realm string]

To remove the smart-tunnel auto-signon enable command from the group policy or username and inherit it from the default group-policy, use the no form of this command.

no smart-tunnel auto-signon enable list [domain domain] [port port] [realm realm string]

Syntax Description

domain domain

(Optional) Name of the domain to be added to the username during authentication. If you enter a domain, enter the use-domain keyword in the list entries.

list

The name of a smart tunnel auto sign-on list already present in the ASA webvpn configuration.

To view the smart tunnel auto sign-on list entries in the SSL VPN configuration, enter the show running-config webvpn smart-tunnel command in privileged EXEC mode.

port

Specifies which port performs auto sign-on.

realm

Configures a realm for the authentication.


Defaults

No defaults exist for this command.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy webvpn configuration

Username webvpn configuration


Command History

Release
Modification

8.0(4)

This command was introduced.

8.4(1)

Optional realm and port arguments were introduced.


Usage Guidelines

The smart-tunnel auto sign-on feature supports only applications that communicate over HTTP and HTTPS using the Microsoft WININET library. For example, Microsoft Internet Explorer uses the WININET dynamic linked library to communicate with web servers.

You must use the smart-tunnel auto-signon list command to create a list of servers first. You can assign only one list to a group policy or username.

A realm string is associated with the protected area of the website and is passed back to the browser either in the authentication prompt or in the HTTP headers during authentication. If administrators do not know the corresponding realm, they should perform logon once and get the string from the prompt dialog.

Administrators can now optionally specify a port number for the corresponding hosts. For Firefox, if no port number is specified, auto sign-on is performed on HTTP and HTTPS, accessed by the default port numbers 80 and 443 respectively.

Examples

The following commands enable the smart tunnel auto sign-on list named HR:

hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# smart-tunnel auto-signon enable HR
hostname(config-group-webvpn)#

The following command enables the smart tunnel auto sign-on list named HR and adds the domain named CISCO to the username during authentication:

hostname(config-group-webvpn)# smart-tunnel auto-signon enable HR domain CISCO

The following command removes the smart tunnel auto sign-on list named HR from the group policy and inherits the smart tunnel auto sign-on list command from the default group policy:

hostname(config-group-webvpn)# no smart-tunnel auto-signon enable HR

Related Command

Command
Description

smart-tunnel auto-signon list

Creates a list of servers for which to automate the submission of credentials in smart tunnel connections.

show running-config webvpn smart-tunnel

Displays the smart tunnel configuration on the ASA.

smart-tunnel auto-start

Starts smart tunnel access automatically upon user login.

smart-tunnel disable

Prevents smart tunnel access.

smart-tunnel list

Adds an entry to a list of applications that can use a Clientless SSL VPN session to connect to private sites.



smart-tunnel auto-signon list

To create a list of servers for which to automate the submission of credentials in smart tunnel connections, use the smart-tunnel auto-signon list command in webvpn configuration mode. Use this command for each server you want to add to a list.

smart-tunnel auto-signon list [use-domain] {ip ip-address [netmask] | host hostname-mask}

To remove an entry from a list, use the no form of this command, specifying both the list and the IP address or hostname, as it appears in the ASA configuration.

no smart-tunnel auto-signon list [use-domain] {ip ip-address [netmask] | host hostname-mask}

To display the smart tunnel auto sign-on list entries, enter the show running-config webvpn smart-tunnel command in privileged EXEC mode.

To remove an entire list of servers from the ASA configuration, use the no form of the command, specifying only the list.

no smart-tunnel auto-signon list

Syntax Description

host

Server to be identified by its host name or wildcard mask.

hostname-mask

Host name or wildcard mask to auto-authenticate to.

ip

Server to be identified by its IP address and netmask.

ip-address [netmask]

Sub-network of hosts to auto-authenticate to.

list

Name of a list of remote servers. Use quotation marks around the name if it includes a space. The string can be up to 64 characters. The ASA creates the list if it is not present in the configuration. Otherwise, it adds the entry to the list.

use-domain

(Optional) Add the Windows domain to the username if authentication requires it. If you enter this keyword, be sure to specify the domain name when assigning the smart tunnel list to one or more group policies, or usernames.


Defaults

No defaults exist for this command.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

webvpn configuration mode


Command History

Release
Modification

8.0(4)

This command was introduced.


Usage Guidelines

The smart-tunnel auto sign-on feature supports only applications that communicate over HTTP and HTTPS using the Microsoft WININET library. For example, Microsoft Internet Explorer uses the WININET dynamic linked library to communicate with web servers.

Following the population of a smart tunnel auto sign-on list, use the smart-tunnel auto-signon enable list command in group policy webvpn or username webvpn mode to assign the list.

Examples

The following command adds all hosts in the subnet and adds the Windows domain to the username if authentication requires it:

asa2(config-webvpn)# smart-tunnel auto-signon HR use-domain ip 192.32.22.56 255.255.255.0

The following command removes that entry from the list:

asa2(config-webvpn)# no smart-tunnel auto-signon HR use-domain ip 192.32.22.56 255.255.255.0

The command shown above also removes the list named HR if the entry removed is the only entry in the list. Otherwise, the following command removes the entire list from the ASA configuration:

asa2(config-webvpn)# no smart-tunnel auto-signon HR

The following command adds all hosts in the domain to the smart tunnel auto sign-on list named intranet:

asa2(config-webvpn)# smart-tunnel auto-signon intranet host *.exampledomain.com

The following command removes that entry from the list:

asa2(config-webvpn)# no smart-tunnel auto-signon intranet host *.exampledomain.com
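The following model, added here and not Cisco code, shows how the two entry kinds in a smart tunnel auto sign-on list (ip with netmask, host with wildcard mask) decide whether a server gets automatic credential submission, and how a use-domain entry combines with the domain given on smart-tunnel auto-signon enable to form the submitted username. The list names, addresses and usernames are constructed from the examples above; the DOMAIN\user form is an assumption about how the Windows domain is prepended.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Optional


class AutoSignonList:
    """One smart-tunnel auto-signon list holding ip/netmask and host/wildcard entries."""

    def __init__(self, name: str):
        self.name = name
        self.entries = []   # (kind, pattern, use_domain)

    def add_ip(self, ip: str, netmask: str = "255.255.255.255", use_domain: bool = False):
        # 192.32.22.56 with 255.255.255.0 becomes the /24 the text calls "all hosts in the subnet"
        net = ip_network(f"{ip}/{netmask}", strict=False)
        self.entries.append(("ip", net, use_domain))

    def add_host(self, hostname_mask: str, use_domain: bool = False):
        self.entries.append(("host", hostname_mask.lower(), use_domain))

    def remove(self, kind: str, value: str, netmask: str = "255.255.255.255") -> bool:
        """Remove one entry; True when the list is now empty (and would itself be removed)."""
        key = ip_network(f"{value}/{netmask}", strict=False) if kind == "ip" else value.lower()
        self.entries = [e for e in self.entries if not (e[0] == kind and e[1] == key)]
        return not self.entries

    def match(self, server: str) -> Optional[bool]:
        """None if the server is not listed, otherwise the matching entry's use-domain flag."""
        for kind, pattern, use_domain in self.entries:
            if kind == "ip":
                try:
                    if ip_address(server) in pattern:
                        return use_domain
                except ValueError:
                    continue   # server was given as a hostname, not an address
            elif fnmatchcase(server.lower(), pattern):
                return use_domain
        return None


def auto_signon_username(lst: AutoSignonList, server: str, username: str,
                         domain: Optional[str] = None) -> Optional[str]:
    """Username to submit when auto sign-on fires for server, or None to leave the prompt to the user."""
    hit = lst.match(server)
    if hit is None:
        return None
    if hit and domain:
        # use-domain on the entry plus 'domain' on the enable command (assumed DOMAIN\user form)
        return f"{domain}\\{username}"
    return username
```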

Related Command

Command
Description

smart-tunnel auto-signon enable

Enables smart tunnel auto sign-on for the group policy or username specified in the command mode.

smart-tunnel auto-signon enable list

Assigns a smart tunnel auto sign-on list to a group policy or username.

show running-config webvpn smart-tunnel

Displays the smart tunnel configuration.

smart-tunnel auto-start

Starts smart tunnel access automatically upon user login.

smart-tunnel enable

Enables smart tunnel access upon user login, but requires the user to start smart tunnel access manually, using the Application Access > Start Smart Tunnels button on the Clientless SSL VPN portal page.



smart-tunnel auto-start

To start smart tunnel access automatically upon user login in a clientless (browser-based) SSL VPN session, use the smart-tunnel auto-start command in group-policy webvpn configuration mode or username webvpn configuration mode.

smart-tunnel auto-start list

To remove the smart-tunnel command from the group policy or username and inherit the [no] smart-tunnel command from the default group-policy, use the no form of the command.

no smart-tunnel

Syntax Description

list

list is the name of a smart tunnel list already present in the ASA webvpn configuration.

To view any smart tunnel list entries already present in the SSL VPN configuration, enter the show running-config webvpn command in privileged EXEC mode.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group-policy webvpn configuration mode

username webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

This command requires that you use the smart-tunnel list command to create the list of applications first.

This option to start smart tunnel access upon user login applies only to Windows.

Examples

The following commands start smart tunnel access for a list of applications named apps1:

hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# smart-tunnel auto-start apps1
hostname(config-group-webvpn)#

The following commands remove the list named apps1 from the group policy and inherit the smart tunnel commands from the default group policy:

hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# no smart-tunnel
hostname(config-group-webvpn)#

Related Command

Command
Description

show running-config webvpn

Displays the Clientless SSL VPN configuration, including all smart tunnel list entries.

smart-tunnel disable

Prevents smart tunnel access.

smart-tunnel enable

Enables smart tunnel access upon user login, but requires the user to start smart tunnel access manually, using the Application Access > Start Smart Tunnels button on the Clientless SSL VPN portal page.

smart-tunnel list

Adds an entry to a list of applications that can use a Clientless SSL VPN session to connect to private sites.



smart-tunnel disable

To prevent smart tunnel access through clientless (browser-based) SSL VPN sessions, use the smart-tunnel disable command in group-policy webvpn configuration mode or username webvpn configuration mode.

smart-tunnel disable

To remove a smart-tunnel command from the group policy or username and inherit the [no] smart-tunnel command from the default group-policy, use the no form of the command.

no smart-tunnel

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group-policy webvpn configuration mode

username webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

By default, smart tunnels are not enabled, so the smart-tunnel disable command is necessary only if the (default) group policy or username configuration contains a smart-tunnel auto-start or smart-tunnel enable command that you do not want applied for the group policy or username in question.

Examples

The following commands prevent smart tunnel access:

hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# smart-tunnel disable
hostname(config-group-webvpn)#

Related Command

Command
Description

smart-tunnel auto-start

Starts smart tunnel access automatically upon user login.

smart-tunnel enable

Enables smart tunnel access upon user login, but requires the user to start smart tunnel access manually, using the Application Access > Start Smart Tunnels button on the Clientless SSL VPN portal page.

smart-tunnel list

Adds an entry to a list of applications that can use a Clientless SSL VPN session to connect to private sites.



smart-tunnel enable

To enable smart tunnel access through clientless (browser-based) SSL VPN sessions, use the smart-tunnel enable command in group-policy webvpn configuration mode or username webvpn configuration mode.

smart-tunnel enable list

To remove the smart-tunnel command from the group policy or username and inherit the [no] smart-tunnel command from the default group-policy, use the no form of the command.

no smart-tunnel

Syntax Description

list

list is the name of a smart tunnel list already present in the ASA webvpn configuration.

To view the smart tunnel list entries in the SSL VPN configuration, enter the show running-config webvpn command in privileged EXEC mode.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group-policy webvpn configuration mode

username webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The smart-tunnel enable command assigns a list of applications eligible for smart tunnel access to a group policy or username. It requires the user to start smart tunnel access manually, using the Application Access > Start Smart Tunnels button on the clientless-SSL-VPN portal page. Alternatively, you can use the smart-tunnel auto-start command to start smart tunnel access automatically upon user login.

Both commands require that you use the smart-tunnel list command to create the list of applications first.

Examples

The following commands enable the smart tunnel list named apps1:

hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# smart-tunnel enable apps1
hostname(config-group-webvpn)#

The following commands remove the list named apps1 from the group policy and inherit the smart tunnel list from the default group policy:

hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# no smart-tunnel
hostname(config-group-webvpn)#

Related Commands

Command
Description

show running-config webvpn

Displays the Clientless SSL VPN configuration, including all smart tunnel list entries.

smart-tunnel auto-start

Starts smart tunnel access automatically upon user login.

smart-tunnel disable

Prevents smart tunnel access.

smart-tunnel list

Adds an entry to a list of applications that can use a Clientless SSL VPN session to connect to private sites.



smart-tunnel list

To populate a list of applications that can use a clientless (browser-based) SSL VPN session to connect to private sites, use the smart-tunnel list command in webvpn configuration mode.

[no] smart-tunnel list list application path [platform OS] [hash]

To remove an application from a list, use the no form of the command, specifying the entry. To remove an entire list of applications from the ASA configuration, use the no form of the command, specifying only the list.

no smart-tunnel list list

Syntax Description

list

Name of a list of applications or programs. Use quotation marks around the name if it includes a space. The CLI creates the list if it is not present in the configuration. Otherwise, it adds the entry to the list.

application

Name of the application to be granted smart tunnel access. The string can be up to 64 characters.

path

For Mac OS, the full path to the application. For Windows, the filename of the application; or a full or partial path to the application, including its filename. The string can be up to 128 characters.

platform OS

(Optional if the OS is Microsoft Windows) Enter windows or mac to specify the host of the application.

hash

(Optional and applicable only for Windows) To obtain this value, enter the checksum of the application (that is, the checksum of the executable file) into a utility that calculates a hash using the SHA-1 algorithm. One example of such a utility is the Microsoft File Checksum Integrity Verifier (FCIV), which is available at http://support.microsoft.com/kb/841290/. After installing FCIV, place a temporary copy of the application to be hashed on a path that contains no spaces (for example, c:/fciv.exe), then enter fciv.exe -sha1 application at the command line (for example, fciv.exe -sha1 c:\msimn.exe) to display the SHA-1 hash.

The SHA-1 hash is always 40 hexadecimal characters.


Defaults

Windows is the default platform.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.

8.0(4)

Added platform OS.


Usage Guidelines

You can configure more than one smart tunnel list on an ASA, but you cannot assign more than one smart tunnel list to a given group policy or username. To populate a smart tunnel list, enter the smart-tunnel list command once for each application, entering the same list string but specifying an application and path that are unique for the OS. Enter the command once for each OS you want the list to support.

The session ignores a list entry if the OS does not match the one indicated in the entry. It also ignores an entry if the path to the application is not present.

To view the smart tunnel list entries in the SSL VPN configuration, enter the show running-config webvpn smart-tunnel command in privileged EXEC mode.

The path must match the one on the computer, but it does not have to be complete. For example, the path can consist of nothing more than the executable file and its extension.

Smart tunnels have the following requirements:

The remote host originating the smart tunnel connection must be running a 32-bit version of Microsoft Windows Vista, Windows XP, or Windows 2000; or Mac OS 10.4 or 10.5.

Users of Microsoft Windows Vista who use smart tunnels or port forwarding must add the URL of the ASA to the Trusted Site zone. To access the Trusted Site zone, they must start Internet Explorer and choose the Tools > Internet Options > Security tab. Vista users can also disable Protected Mode to facilitate smart tunnel access; however, we recommend against this method because it increases the computer's vulnerability to attack.

The browser must be enabled with Java, Microsoft ActiveX, or both.

Smart tunnel support for Mac OS requires Safari 3.1.1 or later.

On Microsoft Windows, only Winsock 2, TCP-based applications are eligible for smart tunnel access.

On Mac OS, applications using TCP that are dynamically linked to the SSL library can work over a smart tunnel. The following types of applications do not work over a smart tunnel:

Applications using dlopen or dlsym to locate libsocket calls

Statically linked applications (their libsocket calls cannot be intercepted)

Mac OS applications that use two-level namespaces.

Mac OS, console-based applications, such as Telnet, SSH, and cURL.

Mac OS, PowerPC-type applications. To determine the type of a Mac OS application, right-click its icon and select Get Info.

On Mac OS, only applications started from the portal page can establish smart tunnel sessions. This requirement includes smart tunnel support for Firefox. Using Firefox to start another instance of Firefox during the first use of a smart tunnel requires the user profile named csco_st. If this user profile is not present, the session prompts the user to create one.

The following limitations apply to smart tunnels:

If the remote computer requires a proxy server to reach the ASA, the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services. In this configuration, smart tunnels support only basic authentication.

The smart tunnel auto sign-on feature supports only applications communicating HTTP and HTTPS using the Microsoft WININET library on a Microsoft Windows OS. For example, Microsoft Internet Explorer uses the WININET dynamic-link library to communicate with web servers.

A group policy or local user policy supports no more than one list of applications eligible for smart tunnel access and one list of smart tunnel auto sign-on servers.

A stateful failover does not retain smart tunnel connections. Users must reconnect following a failover.


Note A sudden problem with smart tunnel access may be an indication that a path value is not up-to-date with an application upgrade. For example, the default path to an application typically changes following the acquisition of the company that produces the application and the next upgrade.


Entering a hash provides a reasonable assurance that clientless SSL VPN does not qualify an illegitimate file that matches the string you specified in the path. Because the checksum varies with each version or patch of an application, the hash you enter can only match one version or patch on the remote host. To specify a hash for more than one version of an application, enter the smart-tunnel list command once for each version, entering the same list string, but specifying the unique application string and unique hash value in each command.


Note You must maintain the smart tunnel list in the future if you enter hash values and you want to support future versions or patches of an application with smart tunnel access. A sudden problem with smart tunnel access may be an indication that the application list containing hash values is not up-to-date with an application upgrade. You can avoid this problem by not entering a hash.


Following the configuration of a smart tunnel list, use the smart-tunnel auto-start or smart-tunnel enable command to assign the list to group policies or usernames.

Examples

The following command adds the Microsoft Windows application Connect to a smart tunnel list named apps1:

hostname(config-webvpn)# smart-tunnel list apps1 LotusSametime connect.exe

The following command adds the Windows application msimn.exe and requires that the hash of the application on the remote host match the last string entered to qualify for smart tunnel access:

hostname(config-webvpn)# smart-tunnel list apps1 OutlookExpress msimn.exe 4739647b255d3ea865554e27c3f96b9476e75061

The following command provides smart tunnel support for the Mac OS browser Safari:

hostname(config-webvpn)# smart-tunnel list apps1 Safari /Applications/Safari platform mac
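The following Python example, added here and not part of the Cisco command reference, builds smart-tunnel list entries with the documented argument rules (64-character application string, 128-character path, quoting of list names with spaces, Windows-only 40-hex SHA-1 hash, one entry per version) and models the qualification check the Usage Guidelines describe: an entry with a hash qualifies a file only when the file's SHA-1 matches. The msimn.exe byte strings and the _v1/_v2 application labels are constructed placeholders.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# The hash argument is always 40 hexadecimal characters (a SHA-1 digest).
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Entry:
    """One smart-tunnel list entry."""
    application: str               # application string, up to 64 characters
    path: str                      # filename or full/partial path, up to 128 characters
    platform: str = "windows"      # "windows" (the default) or "mac"
    digest: Optional[str] = None   # SHA-1 of the executable; Windows entries only


def sha1_of_executable(data: bytes) -> str:
    """SHA-1 hex digest of the executable's bytes (what fciv.exe -sha1 prints)."""
    return hashlib.sha1(data).hexdigest()


def render(list_name: str, entry: Entry) -> str:
    """Render the CLI line for an entry, enforcing the documented argument rules."""
    if len(entry.application) > 64:
        raise ValueError("application string exceeds 64 characters")
    if len(entry.path) > 128:
        raise ValueError("path exceeds 128 characters")
    if entry.platform not in ("windows", "mac"):
        raise ValueError("platform must be windows or mac")
    # Quotation marks are required only when the list name contains a space.
    name = f'"{list_name}"' if " " in list_name else list_name
    parts = ["smart-tunnel list", name, entry.application, entry.path]
    if entry.platform != "windows":        # windows is the default platform
        parts += ["platform", entry.platform]
    if entry.digest is not None:
        if entry.platform != "windows":
            raise ValueError("hash is applicable only to Windows entries")
        if not SHA1_HEX.match(entry.digest):
            raise ValueError("hash must be 40 lowercase hex characters")
        parts.append(entry.digest)
    return " ".join(parts)


def entries_for_versions(application: str, path: str, versions: dict) -> list:
    """One hashed entry per version: same path, unique application string, unique hash.

    versions maps a version label to the bytes of that version's executable."""
    return [Entry(f"{application}_{label}", path, digest=sha1_of_executable(blob))
            for label, blob in versions.items()]


def _path_matches(entry_path: str, remote_path: str, platform: str) -> bool:
    """The configured path must match the remote one but need not be complete."""
    if platform == "mac":                   # Mac OS entries carry the full path
        return remote_path == entry_path
    # Windows paths compare case-insensitively with either separator.
    e = entry_path.lower().replace("/", "\\")
    r = remote_path.lower().replace("/", "\\")
    return r == e or r.endswith("\\" + e)


def qualifies(entries: list, remote_os: str, remote_path: str,
              remote_bytes: bytes) -> Optional[Entry]:
    """Return the first entry that qualifies the remote executable, or None.

    Entries for another OS or a non-matching path are ignored.  An entry that
    carries a hash qualifies the file only when its SHA-1 matches, so a patched
    or upgraded executable no longer qualifies until the list is updated."""
    digest = sha1_of_executable(remote_bytes)
    for entry in entries:
        if entry.platform != remote_os:
            continue
        if not _path_matches(entry.path, remote_path, remote_os):
            continue
        if entry.digest is None or entry.digest == digest:
            return entry
    return None


# Constructed stand-ins for two builds of msimn.exe (not real executables).
MSIMN_V1 = b"constructed msimn.exe build 1"
MSIMN_V2 = b"constructed msimn.exe build 2"

APPS1 = entries_for_versions("OutlookExpress", "msimn.exe",
                             {"v1": MSIMN_V1, "v2": MSIMN_V2})
APPS1.append(Entry("Safari", "/Applications/Safari", platform="mac"))


def apps1_config() -> list:
    """The CLI lines that populate list apps1."""
    return [render("apps1", e) for e in APPS1]


if __name__ == "__main__":
    print("\n".join(apps1_config()))
    remote = r"C:\Program Files\Outlook Express\msimn.exe"
    hit = qualifies(APPS1, "windows", remote, MSIMN_V2)
    print("build 2 qualifies via", hit.application if hit else None)
    print("patched build qualifies:",
          qualifies(APPS1, "windows", remote, b"patched") is not None)
```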

Related Commands

Command
Description

show running-config webvpn smart-tunnel

Displays the smart tunnel configuration on the ASA.

smart-tunnel auto-start

Starts smart tunnel access automatically upon user login.

smart-tunnel disable

Prevents smart tunnel access.

smart-tunnel enable

Enables smart tunnel access upon user login, but requires the user to start smart tunnel access manually, using the Application Access > Start Smart Tunnels button on the Clientless SSL VPN portal page.


smart-tunnel network

To create a list of hosts to use for configuring smart tunnel tunnel policies, use the smart-tunnel network command in webvpn configuration mode. To disallow a list of hosts for smart tunnel tunnel policies, use the [no] form of this command.

smart-tunnel network network_name {host host_mask | ip ip_address netmask}

no smart-tunnel network network_name {host host_mask | ip ip_address netmask}

Syntax Description

host <host mask>

The hostname mask, such as *.cisco.com.

ip <ip address>

The IP address of a network.

netmask

The Netmask of a network.

network name

The name of the network to apply to tunnel policy.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn configuration


Command History

Release
Modification

8.3.1

This command was introduced.


Usage Guidelines

When the smart tunnel is turned on, you can allow traffic outside of the tunnel with the smart-tunnel network command, which configures the network (a set of hosts), and the smart-tunnel tunnel-policy command, which uses the specified smart-tunnel network to enforce a policy on a user.

Examples

The following is a sample of how the smart-tunnel network command is used:

ciscoasa(config-webvpn)# smart-tunnel network testnet ip 192.168.0.0 255.255.255

Related Commands

Command
Description

smart-tunnel tunnel-policy

Uses the specified smart-tunnel network to enforce a policy on a user.


smart-tunnel tunnel-policy

To apply smart tunnel tunnel policies to a particular group or user policy, use the smart-tunnel tunnel-policy command in webvpn configuration mode. To remove smart tunnel tunnel policies from a particular group or user policy, use the no form of this command.

smart-tunnel tunnel-policy {excludespecified network_name | tunnelall | tunnelspecified network_name}

no smart-tunnel tunnel-policy

Syntax Description

excludespecified

Tunnels only networks that are outside of the networks specified by network name.

network name

Lists networks to be tunneled.

tunnelall

Makes everything tunneled (encrypted).

tunnelspecified

Tunnels only networks specified by network name.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn configuration


Command History

Release
Modification

8.3.1

This command was introduced.


Usage Guidelines

When the smart tunnel is turned on, you can allow traffic outside of the tunnel with the smart-tunnel network command, which configures the network (a set of hosts), and the smart-tunnel tunnel-policy command, which uses the specified smart-tunnel network to enforce a policy on a user.

Examples

The following is a sample of how the smart-tunnel tunnel-policy command is used:

ciscoasa(config-username-webvpn)# smart-tunnel tunnel-policy tunnelspecified testnet
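The following Python example, added here and not part of the Cisco command reference, parses smart-tunnel network and smart-tunnel tunnel-policy lines and applies the three policies (tunnelall, tunnelspecified, excludespecified) to sample destinations. The hostname mask *.example.com and the 192.168.0.0/24 network are constructed placeholders, and the assumption that repeated smart-tunnel network lines with the same name accumulate into one network is marked in the code.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

POLICIES = ("tunnelall", "tunnelspecified", "excludespecified")


@dataclass
class SmartTunnelNetwork:
    """A named set of hosts built from smart-tunnel network lines."""
    name: str
    host_masks: List[str] = field(default_factory=list)   # e.g. "*.cisco.com"
    subnets: List[ipaddress.IPv4Network] = field(default_factory=list)

    def add_host(self, mask: str) -> None:
        self.host_masks.append(mask.lower())

    def add_ip(self, address: str, netmask: str) -> None:
        # Raises ValueError for a malformed address or an incomplete netmask.
        self.subnets.append(ipaddress.IPv4Network((address, netmask), strict=False))

    def contains(self, destination: str) -> bool:
        """True when destination (hostname or IPv4 address) is in this network."""
        try:
            addr = ipaddress.IPv4Address(destination)
        except ValueError:
            return any(fnmatchcase(destination.lower(), m) for m in self.host_masks)
        return any(addr in subnet for subnet in self.subnets)


def parse_network_line(line: str, networks: Dict[str, SmartTunnelNetwork]) -> SmartTunnelNetwork:
    """Parse 'smart-tunnel network <name> host <mask>' or
    'smart-tunnel network <name> ip <address> <netmask>' into networks.

    Assumption: repeated lines with the same name accumulate into one network."""
    parts = line.split()
    if parts[:2] != ["smart-tunnel", "network"] or len(parts) < 5:
        raise ValueError(f"not a smart-tunnel network line: {line!r}")
    name, kind, args = parts[2], parts[3], parts[4:]
    network = networks.setdefault(name, SmartTunnelNetwork(name))
    if kind == "host" and len(args) == 1:
        network.add_host(args[0])
    elif kind == "ip" and len(args) == 2:
        network.add_ip(args[0], args[1])
    else:
        raise ValueError(f"unrecognised network specification: {line!r}")
    return network


def is_valid_network_line(line: str) -> bool:
    """Syntax check for one line, e.g. to reject an incomplete netmask."""
    try:
        parse_network_line(line, {})
        return True
    except ValueError:
        return False


def parse_policy_line(line: str) -> Tuple[str, str]:
    """Return (policy, network_name); network_name is "" for tunnelall."""
    parts = line.split()
    if parts[:2] != ["smart-tunnel", "tunnel-policy"] or len(parts) < 3 or parts[2] not in POLICIES:
        raise ValueError(f"not a smart-tunnel tunnel-policy line: {line!r}")
    policy = parts[2]
    if policy == "tunnelall":
        return policy, ""
    if len(parts) != 4:
        raise ValueError(f"{policy} requires a network name: {line!r}")
    return policy, parts[3]


def should_tunnel(policy: str, network: Optional[SmartTunnelNetwork], destination: str) -> bool:
    """tunnelall tunnels everything, tunnelspecified only the network,
    excludespecified everything outside the network."""
    if policy == "tunnelall":
        return True
    if network is None:
        raise ValueError("tunnelspecified/excludespecified need a configured network")
    inside = network.contains(destination)
    return inside if policy == "tunnelspecified" else not inside


# Constructed configuration fragment (example.com and 192.168.0.0/24 are placeholders).
SAMPLE_CONFIG = """
smart-tunnel network testnet host *.example.com
smart-tunnel network testnet ip 192.168.0.0 255.255.255.0
smart-tunnel tunnel-policy tunnelspecified testnet
"""


def decide(config: str, destinations: List[str]) -> Dict[str, bool]:
    """Load the config fragment and decide, per destination, whether it is tunneled."""
    networks: Dict[str, SmartTunnelNetwork] = {}
    policy: Optional[str] = None
    name = ""
    for raw in config.strip().splitlines():
        if raw.startswith("smart-tunnel network "):
            parse_network_line(raw, networks)
        elif raw.startswith("smart-tunnel tunnel-policy "):
            policy, name = parse_policy_line(raw)
    if policy is None:
        raise ValueError("no smart-tunnel tunnel-policy line in configuration")
    return {d: should_tunnel(policy, networks.get(name), d) for d in destinations}


if __name__ == "__main__":
    for dest, tunneled in decide(SAMPLE_CONFIG, ["intranet.example.com", "192.168.0.25", "203.0.113.9"]).items():
        print(f"{dest:24} tunneled={tunneled}")
```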

Related Commands

Command
Description

smart-tunnel network

Creates a list of hosts for configuring smart tunnel policies.


smtp from-address

To specify the e-mail address to use in the E-mail From: field for all e-mails generated by the local CA server (such as distribution of one-time passwords) use the smtp from-address command in CA server configuration mode. To reset the e-mail address to the default, use the no form of this command.

smtp from-address e-mail_address

no smtp from-address

Syntax Description

e-mail_address

Specifies the e-mail address appearing in the From: field of all e-mails generated by the CA server.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CA server configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Examples

The following example specifies that the From: field of all e-mails from the local CA server include ca-admin@asa1-ca.example.com:

hostname(config)# crypto ca server
hostname(config-ca-server)# smtp from-address ca-admin@asa1-ca.example.com
hostname(config-ca-server)# 

The following example resets the From: field of all e-mails from the local CA server to the default address admin@asa1-ca.example.com:

hostname(config)# crypto ca server
hostname(config-ca-server)# smtp from-address admin@asa1-ca.example.com
hostname(config-ca-server)# 

Related Commands

Command
Description

crypto ca server

Provides access to CA Server Configuration mode CLI command set, which allows you to configure and manage a local CA.

smtp subject

Customizes the text to appear in the subject field of all e-mails generated by the local CA server.


smtp subject

To customize the text that appears in the subject field of all e-mails generated by the local Certificate Authority (CA) server (such as distribution of one-time passwords), use the smtp subject command in CA server configuration mode. To reset the text to the default, use the no form of this command.

smtp subject subject-line

no smtp subject

Syntax Description

subject-line

Specifies the text appearing in the Subj: field of all e-mails sent from the CA server. The maximum number of characters is 127.


Defaults

By default, the text in the Subj: field is "Certificate Enrollment Invitation".

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CA server configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Examples

The following example specifies that the text Action: Enroll for a certificate appear in the Subj: field of all e-mails from the CA server:

hostname(config)# crypto ca server
hostname(config-ca-server)# smtp subject Action: Enroll for a certificate
hostname(config-ca-server)# 

The following example resets the Subj: field text for all e-mails from the CA server to the default text "Certificate Enrollment Invitation":

hostname(config)# crypto ca server
hostname(config-ca-server)# no smtp subject
hostname(config-ca-server)# 

Related Commands

Command
Description

crypto ca server

Provides access to CA Server Configuration mode CLI command set, which allows you to configure and manage a local CA.

smtp from-address

Specifies the e-mail address to use in the E-mail From: field for all e-mails generated by the local CA server.


smtps

To enter SMTPS configuration mode, use the smtps command in global configuration mode. To remove any commands entered in SMTPS command mode, use the no form of this command. SMTPS is a TCP/IP protocol that lets you send e-mail over an SSL connection.

smtps

no smtps

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to enter SMTPS configuration mode:

hostname(config)# smtps
hostname(config-smtps)#

Related Commands

Command
Description

clear configure smtps

Removes the SMTPS configuration.

show running-config smtps

Displays the running configuration for SMTPS.


smtp-server

To configure an SMTP server, use the smtp-server command in global configuration mode. To remove the attribute from the configuration, use the no form of this command.

smtp-server {primary_server} [backup_server]

no smtp-server

Syntax Description

backup_server

Identifies a backup SMTP server to relay event messages if the primary SMTP server is unavailable. Use either an IP address or DNS name.

primary_server

Identifies the primary SMTP server. Use either an IP address or DNS name.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The ASA includes an internal SMTP client that the Events system can use to notify external entities that a certain event has occurred. You can configure SMTP servers to receive these event notices, and then forward them to specified e-mail addresses. The SMTP facility is active only when you enable E-mail events to the ASA.

Examples

The following example shows how to set an SMTP server with an IP address of 10.1.1.24, and a backup SMTP server with an IP address of 10.1.1.34:

hostname(config)# smtp-server 10.1.1.24 10.1.1.34

snmp cpu threshold rising

To configure the threshold value for a high CPU threshold and the threshold monitoring period, use the snmp cpu threshold rising command in global configuration mode. To remove the configured threshold value and threshold monitoring period, use the no form of this command.

snmp cpu threshold rising threshold_value monitoring_period

no snmp cpu threshold rising threshold_value monitoring_period

Syntax Description

monitoring_period

Defines the monitoring period in minutes.

threshold_value

Defines the threshold level as a percentage of CPU usage.


Defaults

If the snmp cpu threshold rising command is not configured, the default for the high threshold level is set at over 70 percent of CPU usage, and the default for the critical threshold level is set at over 95 percent of CPU usage. The default monitoring period is set to one minute.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.4(1)

This command was introduced. Does not apply to the ASA Services Module.


Usage Guidelines

You cannot configure the critical CPU threshold level, which is maintained at a constant 95 percent. Valid threshold values range from 10 to 94 percent of CPU usage. Valid values for the monitoring period range from 1 to 60 minutes.

Examples

The following example shows how to configure the SNMP CPU threshold level to 75 percent of CPU usage and a monitoring period of 30 minutes:

hostname(config)# snmp cpu threshold rising 75% 30

Related Commands

Command
Description

snmp-server enable traps

Enables SNMP-related traps.

snmp link threshold

Defines the SNMP interface threshold value.

snmp-server enable

Enables SNMP on the ASA.

snmp-server host

Sets the SNMP host address.

snmp-server location

Sets the SNMP server location string.


snmp link threshold

To configure the threshold value for an SNMP physical interface and the threshold value for system memory usage, use the snmp link threshold command in global configuration mode. To clear the threshold value for an SNMP physical interface and the threshold value for system memory usage, use the no form of this command.

snmp link threshold threshold_value

no snmp link threshold threshold_value

Syntax Description

threshold_value

Defines the threshold value as a percentage of CPU usage.


Defaults

If you do not configure the snmp link threshold command, the default threshold value is 70 percent of CPU usage and system memory usage.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.4(1)

This command was introduced.


Usage Guidelines

Valid threshold values range from 30 to 99 percent of physical interfaces. The snmp link threshold command is available only in the admin context.

Examples

The following example shows how to configure the SNMP interface threshold value to 75 percent for all physical interfaces:

hostname(config)# snmp link threshold 75% 

Related Commands

Command
Description

snmp-server enable traps

Enables SNMP-related traps.

snmp cpu threshold rising

Defines the SNMP CPU threshold value.

snmp-server enable

Enables SNMP on the ASA.

snmp-server host

Sets the SNMP host address.

snmp-server location

Sets the SNMP server location string.


snmp-map

To identify a specific map for defining the parameters for SNMP inspection, use the snmp-map command in global configuration mode. To remove the map, use the no form of this command.

snmp-map map_name

no snmp-map map_name

Syntax Description

map_name

The name of the SNMP map.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Use the snmp-map command to identify a specific map to use for defining the parameters for SNMP inspection. When you enter this command, the system enters the SNMP map configuration mode, which lets you enter the different commands used for defining the specific map. After defining the SNMP map, you use the inspect snmp command to enable the map. Then you use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.

Examples

The following example shows how to identify SNMP traffic, define an SNMP map, define a policy, and apply the policy to the outside interface:

hostname(config)# access-list snmp-acl permit udp any any eq 161
hostname(config)# access-list snmp-acl permit udp any any eq 162
hostname(config)# class-map snmp-port 
hostname(config-cmap)# match access-list snmp-acl
hostname(config-cmap)# exit
hostname(config)# snmp-map inbound_snmp
hostname(config-snmp-map)# deny version 1
hostname(config-snmp-map)# exit
hostname(config)# policy-map inbound_policy 
hostname(config-pmap)# class snmp-port
hostname(config-pmap-c)# inspect snmp inbound_snmp 
hostname(config-pmap-c)# 

Related Commands

Command
Description

class-map

Defines the traffic class to which to apply security actions.

deny version

Disallows traffic using a specific version of SNMP.

inspect snmp

Enables SNMP application inspection.

policy-map

Associates a class map with specific security actions.


snmp-server community

To set the SNMP community string, use the snmp-server community command in global configuration mode. To remove the SNMP community string, use the no form of this command.

snmp-server community [0 | 8] community-string

no snmp-server community [0 | 8] community-string

Syntax Description

0

(Optional) Specifies that an unencrypted (clear text) community string will follow.

8

Specifies that an encrypted community string will follow.

community-string

Sets the SNMP community string, which is the password in encrypted or unencrypted (clear text) format. The community string can have a maximum of 32 characters.


Defaults

The default community string is "public."

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.

8.2(1)

The text argument was changed to the community-string argument.

8.3(1)

Support for encrypted passwords was added.


Usage Guidelines

The SNMP community string is a shared secret among the SNMP management station and the network nodes being managed. It is used only for Version 1 and 2c communication between the management station and the device. The ASA uses a key to determine whether or not the incoming SNMP request is valid.

For example, you could designate a site with a community string and then configure the routers, the ASA, and the management station with this same string. The ASA uses this string and does not respond to requests with an invalid community string.

After you have used an encrypted community string, only the encrypted form is visible to all systems (for example, CLI, ASDM, CSM, and so on). The clear text password is not visible.

The encrypted community string is always generated by the ASA; you normally enter the clear text form.


Note If you downgrade from version 8.3(1) to a lower version of the ASA software and have configured encrypted passwords, you must first revert the encrypted passwords to clear text using the no key config-key password encryption command, then save the results.


Examples

The following example sets the community string to "onceuponatime":

hostname(config)# snmp-server community onceuponatime

The following example sets an encrypted community string:

hostname(config)# snmp-server community 8 LvAu+JdFG+GjPmZYlKvAhXpb28E=

The following example sets an unencrypted community string:

hostname(config)# snmp-server community 0 cisco
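The following Python example, added here and not part of the Cisco command reference, audits SNMP configuration lines against the facts documented above: the default community string "public", the 32-character maximum, the clear-text (0) versus encrypted (8) forms, and the valid ranges for snmp cpu threshold rising (10 to 94 percent, 1 to 60 minutes) and snmp link threshold (30 to 99 percent). The sample configuration is constructed; the finding strings are this example's own.

```python
import re
from typing import List, Tuple

# Forms documented for the commands under audit; the "%" after a threshold is optional.
COMMUNITY_RE = re.compile(r"^snmp-server community(?: (0|8))? (\S+)$")
CPU_RE = re.compile(r"^snmp cpu threshold rising (\d+)%? (\d+)$")
LINK_RE = re.compile(r"^snmp link threshold (\d+)%?$")

DEFAULT_COMMUNITY = "default community string 'public' still in use"
CLEARTEXT = "community string stored in clear text (key config-key password encryption not in effect)"
TOO_LONG = "community string exceeds the 32-character maximum"
CPU_RANGE = "cpu threshold outside 10-94 percent"
PERIOD_RANGE = "monitoring period outside 1-60 minutes"
LINK_RANGE = "link threshold outside 30-99 percent"


def audit_line(line: str) -> List[str]:
    """Return the findings for one configuration line (empty list when clean)."""
    line = line.strip()
    findings: List[str] = []
    m = COMMUNITY_RE.match(line)
    if m:
        form, value = m.groups()
        if form == "8":
            return findings          # encrypted form: the clear text is not visible
        if value == "public":
            findings.append(DEFAULT_COMMUNITY)
        if len(value) > 32:
            findings.append(TOO_LONG)
        findings.append(CLEARTEXT)   # bare or form 0: the string is readable in the config
        return findings
    m = CPU_RE.match(line)
    if m:
        threshold, period = int(m.group(1)), int(m.group(2))
        if not 10 <= threshold <= 94:
            findings.append(CPU_RANGE)
        if not 1 <= period <= 60:
            findings.append(PERIOD_RANGE)
        return findings
    m = LINK_RE.match(line)
    if m and not 30 <= int(m.group(1)) <= 99:
        findings.append(LINK_RANGE)
    return findings


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Audit a running-config excerpt; returns (line, finding) pairs."""
    return [(raw.strip(), f) for raw in config.splitlines() for f in audit_line(raw)]


# Constructed configuration excerpt (the encrypted value is the one shown above).
SAMPLE_CONFIG = """\
snmp-server enable
snmp-server community public
snmp-server community 0 cisco
snmp-server community 8 LvAu+JdFG+GjPmZYlKvAhXpb28E=
snmp cpu threshold rising 75% 30
snmp cpu threshold rising 95% 90
snmp link threshold 25%
snmp-server host perimeter 10.1.2.42
"""

if __name__ == "__main__":
    for line, finding in audit_config(SAMPLE_CONFIG):
        print(f"{line!r}: {finding}")
```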

Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP counters.

snmp-server contact

Sets the SNMP contact name.

snmp-server enable

Enables SNMP on the ASA.

snmp-server host

Sets the SNMP host address.

snmp-server location

Sets the SNMP server location string.


snmp-server contact

To set the SNMP server contact name, use the snmp-server contact command in global configuration mode. To remove the SNMP contact name, use the no form of this command.

snmp-server contact text

no snmp-server contact [text]

Syntax Description

text

Specifies the name of the contact person or the ASA system administrator. The name is case sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example sets the SNMP server contact to EmployeeA:

hostname(config)# snmp-server contact EmployeeA

Related Commands

Command
Description

snmp-server community

Sets the SNMP community string.

snmp-server enable

Enables SNMP on the ASA.

snmp-server enable traps

Enables SNMP traps.

snmp-server host

Sets the SNMP host address.

snmp-server location

Sets the SNMP server location string.


snmp-server enable

To enable the SNMP server on the ASA, use the snmp-server enable command in global configuration mode. To disable the SNMP server, use the no form of this command.

snmp-server enable

no snmp-server enable

Syntax Description

This command has no arguments or keywords.

Defaults

The SNMP server is enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

You can enable and disable SNMP easily, without configuring and reconfiguring SNMP traps or other configuration.

Examples

The following example enables SNMP, configures the SNMP host and traps, and then sends traps as syslog messages.

hostname(config)# snmp-server enable
hostname(config)# snmp-server community onceuponatime
hostname(config)# snmp-server location Building 42, Sector 54
hostname(config)# snmp-server contact EmployeeB
hostname(config)# snmp-server host perimeter 10.1.2.42
hostname(config)# snmp-server enable traps all
hostname(config)# logging history 7
hostname(config)# logging enable

Related Commands

Command
Description

snmp-server community

Sets the SNMP community string.

snmp-server contact

Sets the SNMP contact name.

snmp-server enable traps

Enables SNMP traps.

snmp-server host

Sets the SNMP host address.

snmp-server location

Sets the SNMP server location string.


snmp-server enable traps

To enable the ASA to send traps to the NMS, use the snmp-server enable traps command in global configuration mode. To disable traps, use the no form of this command.

snmp-server enable traps [all | syslog | snmp [trap] [...] | entity [trap] [...] | ipsec [trap] [...] | ikev2 [trap] [...] | remote-access [trap] | connection-limit-reached | cpu threshold rising | link-threshold | memory-threshold | nat [trap]]

no snmp-server enable traps [all | syslog | snmp [trap] [...] | entity [trap] [...] | ipsec [trap] [...] | ikev2 [trap] [...] | remote-access [trap] | connection-limit-reached | cpu threshold rising | link-threshold | memory-threshold | nat [trap]]

Syntax Description

all

Enables all traps.

connection-limit-reached

Enables connection limit reached traps.

cpu threshold rising

Enables CPU threshold rising traps.

entity [trap]

Enables entity traps. Traps for entity include the following:

config-change

fru-insert

fru-remove

cpu-temperature

fan-failure

power-supply

power-supply-failure

power-supply-temperature

chassis-temperature

power-supply-presence

chassis-fan-failure

ipsec [trap]

Enables IPsec traps. Traps for ipsec include the following:

start

stop

ikev2 [trap]

Enables IKEv2 IPsec traps. Traps for ikev2 include:

start

stop

link-threshold

Enables link threshold reached traps.

memory-threshold

Enables memory threshold reached traps.

nat [trap]

Enables NAT-related traps. Traps for nat include the following:

packet-discard

remote-access [trap]

Enables remote access traps. Traps for remote-access include the following:

session-threshold-exceeded

snmp [trap]

Enables SNMP traps. By default, all SNMP traps are enabled. Traps for snmp include the following:

authentication

linkup

linkdown

coldstart

warmstart

syslog

Enables syslog message traps.


Defaults

The default configuration has all snmp traps enabled (snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart). If you enter this command and do not specify a trap type, then the default is syslog. (The default snmp traps continue to be enabled along with the syslog trap.) All other traps are disabled by default.

You can disable these traps using the no form of this command with the snmp keyword. The clear configure snmp-server command restores the default enabling of SNMP traps.

Command Modes

The following table shows the modes in which you can enter the command.

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.

8.4(1)

The following traps have been added: snmp warmstart, nat packet-discard, link-threshold, memory-threshold, entity power-supply, entity fan-failure, entity cpu-temperature, cpu threshold rising, and connection-limit-reached. These traps do not apply to the ASASM.

8.6(1)

The following traps have been added to support the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X: entity power-supply-failure, entity chassis-fan-failure, entity power-supply-presence, entity chassis-temperature, and entity power-supply-temperature.


Usage Guidelines

To enable individual traps or sets of traps, enter this command for each feature type. To enable all traps, enter the all keyword.

To send traps to the NMS, enter the logging history command, then enable logging using the logging enable command.

Traps generated in the admin context only include the following:

connection-limit-reached

entity

memory-threshold

Traps generated through the admin context only for physically connected interfaces in the system context include the following:

interface-threshold

All other traps are available in the admin and user contexts.

Note In multi-mode, the fan-failure trap, the power-supply-failure trap, and the cpu-temperature trap are generated only from the admin context, and not the user contexts (applies only to the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X).

If the CPU usage is greater than the configured threshold value for the configured monitoring period, a cpu threshold rising trap is generated.

When the used system memory reaches 80 percent, the memory-threshold trap is generated.


Note SNMP does not monitor voltage sensors.


Examples

The following example enables SNMP, configures the SNMP host and traps, then sends traps as syslog messages:

hostname(config)# snmp-server enable
hostname(config)# snmp-server community onceuponatime
hostname(config)# snmp-server location Building 42, Sector 54
hostname(config)# snmp-server contact EmployeeB
hostname(config)# snmp-server host perimeter 10.1.2.42
hostname(config)# snmp-server enable traps all
hostname(config)# logging history 7
hostname(config)# logging enable

Related Commands

Command
Description

snmp-server community

Sets the SNMP community string.

snmp-server contact

Sets the SNMP contact name.

snmp-server enable

Enables SNMP on the ASA.

snmp-server host

Sets the SNMP host address.

snmp-server location

Sets the SNMP server location string.


snmp-server group

To configure a new SNMP group, use the snmp-server group command in global configuration mode. To remove a specified SNMP group, use the no form of this command.

snmp-server group group-name {v3 {auth | noauth | priv}}

no snmp-server group group-name {v3 {auth | noauth | priv}}

Syntax Description

auth

Specifies packet authentication without encryption.

group-name

Specifies the name of the group.

noauth

Specifies no packet authentication.

priv

Specifies packet authentication with encryption.

v3

Specifies that the group is using the SNMP Version 3 security model, which is the most secure of the supported security models. This version allows you to explicitly configure authentication characteristics.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.2(1)

This command was introduced.

8.3(1)

Support for password encryption was added.


Usage Guidelines

To use the Version 3 security model, you must first configure an SNMP group, then configure an SNMP user, and then configure an SNMP host. You must also specify Version 3 and a security level. When a community string is configured internally, two groups with the name "public" are automatically created—one for the Version 1 security model and one for the Version 2c security model. When you delete a community string, both configured groups are automatically deleted.


Note A user that is configured to belong to a certain group should have the same security model as the group.


During bootup or upgrade of the ASA, single-digit passwords and passwords starting with a digit followed by whitespace are no longer supported. For example, 0 pass and 1 are invalid passwords.


Note If you downgrade from version 8.3(1) to a lower version of the ASA software and have configured encrypted passwords, you must first revert the encrypted passwords to clear text using the no key config-key password encryption command, then save the results.


Examples

The following example shows how the ASA can receive SNMP requests using the SNMP Version 3 security model, which includes creating a group, creating a user, and creating a host:

hostname(config)# snmp-server group vpn-group v3 priv
hostname(config)# snmp-server user admin vpn-group v3 auth sha letmein priv 3des cisco123
hostname(config)# snmp-server host mgmt 10.0.0.1 version 3 priv admin

Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP configuration counters.

snmp-server host

Sets the SNMP host address.

snmp-server user

Creates a new SNMP user.


snmp-server host

To specify the NMS that can use SNMP on the ASA, use the snmp-server host command in global configuration mode. To disable the NMS, use the no form of this command.

snmp-server host {interface {hostname | ip_address}} [trap | poll] [community 0 | 8 community-string] [version {1 | 2c | 3 username}] [udp-port port]

no snmp-server host {interface {hostname | ip_address}} [trap | poll] [community 0 | 8 community-string] [version {1 | 2c | 3 username}] [udp-port port]

Syntax Description

0

(Optional) Specifies that an unencrypted (clear text) community string will follow.

8

Specifies that an encrypted community string will follow.

community

Specifies that a non-default string is required for requests from the NMS, or when generating traps sent to the NMS. Valid only for SNMP Version 1 or 2c.

community-string

Specifies the password-like community string that is sent with the notification or in a request from the NMS. The community string can have a maximum of 32 characters. Can be in encrypted or unencrypted (clear text) format.

hostname

Specifies the SNMP notification host, which is usually an NMS or SNMP manager.

interface

Specifies the interface name through which the NMS communicates with the ASA.

ip_address

Specifies the IP address of an NMS to which SNMP traps should be sent or from which the SNMP requests come. Supports only IPv4 addresses.

poll

(Optional) Specifies that the host is allowed to browse (poll), but no traps can be sent.

port

Sets the UDP port number of the NMS host.

trap

(Optional) Specifies that only traps can be sent, and that this host is not allowed to browse (poll).

udp-port

(Optional) Specifies that SNMP traps must be sent to an NMS host on a non-default port.

username

Specifies the username to embed in the trap PDU that is sent to the host. Valid only for SNMP Version 3.

version {1 | 2c | 3}

(Optional) Sets the SNMP notification version to use for sending traps to Version 1, 2c, or 3.


Defaults

The default UDP port is 162.

The default version is 1.

SNMP traps are enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.

8.2(1)

SNMP Version 3 is supported.

The username argument was introduced.

The text argument was changed to the community-string argument.

The interface_name argument was changed to the interface argument.

8.3(1)

Support for encrypted passwords was added.


Usage Guidelines

If you configure the snmp-server host command on a port that is currently in use, the following message appears:


Warning The UDP port port is in use by another feature. SNMP requests to the device will fail until the snmp-server listen-port command is configured to use a different port.

The existing SNMP thread continues to poll every 60 seconds until the port is available, and issues syslog message %ASA-1-212001 if the port is still in use.

To use the Version 3 security model, you must configure an SNMP group first, then an SNMP user, and then an SNMP host. The username must already be configured on the device. When a device is configured as the standby unit of a failover pair, the SNMP engine ID and user configuration are replicated from the active unit. This action allows a transparent switchover from an SNMP Version 3 query perspective. No configuration changes are necessary in the NMS to accommodate a switchover event.

After you have used an encrypted community string, only the encrypted form is visible to all systems (for example, CLI, ASDM, CSM, and so on). The clear text password is not visible.

The encrypted community string is always generated by the ASA; you normally enter the clear text form.

During bootup or upgrade of the ASA, single-digit passwords and passwords starting with a digit followed by whitespace are no longer supported. For example, 0 pass and 1 are invalid passwords.


Note If you downgrade from version 8.3(1) to a lower version of the ASA software and have configured encrypted passwords, you must first revert the encrypted passwords to clear text using the no key config-key password encryption command, then save the results.


Examples

The following example sets the host to 192.0.2.5, which is attached to the inside interface:

hostname(config)# snmp-server host inside 192.0.2.5
hostname(config)# snmp-server host inside 192.0.2.5 version 3 md5aes128 udp-port 190

The following example shows how the ASA can receive SNMP requests using the SNMP Version 3 security model, which includes creating a group, creating a user, and creating a host:

hostname(config)# snmp-server group vpn-group v3 priv
hostname(config)# snmp-server user admin vpn-group v3 auth sha letmein priv 3des cisco123
hostname(config)# snmp-server host mgmt 10.0.0.1 version 3 priv admin

The following example sets the host to use an encrypted community string:

hostname(config)# snmp-server host mgmt 1.2.3.4 community 8 LvAu+JdFG+GjPmZYlKvAhXpb28E=

The following example sets the host to use an unencrypted community string:

hostname(config)# snmp-server host mgmt 1.2.3.4 community 0 cisco

Related Commands

Command
Description

clear configure snmp-server

Clears SNMP configuration counters.

snmp-server enable

Enables SNMP on the ASA.

snmp-server group

Configures a new SNMP group.

snmp-server user

Configures a new SNMP user.


snmp-server listen-port

To set the listening port for SNMP requests, use the snmp-server listen-port command in global configuration mode. To restore the default port, use the no form of the command.

snmp-server listen-port lport

no snmp-server listen-port lport

Syntax Description

lport

The port on which incoming requests will be accepted.

Note The snmp-server listen-port command is only available in the admin context, and is not available in the system context.


Defaults

The default port is 161.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

If you configure the snmp-server listen-port command on a port that is currently in use, the following message appears:


Warning The UDP port port is in use by another feature. SNMP requests to the device will fail until the snmp-server listen-port command is configured to use a different port.

The existing SNMP thread continues to poll every 60 seconds until the port is available, and issues syslog message %ASA-1-212001 if the port is still in use.

Examples

The following example sets the listening port to 192:

hostname(config)# snmp-server listen-port 192

Related Commands

Command
Description

snmp-server community

Sets the SNMP community string.

snmp-server contact

Sets the SNMP contact name.

snmp-server enable

Enables SNMP on the ASA.

snmp-server enable traps

Enables SNMP traps.

snmp-server location

Sets the SNMP server location string.


snmp-server location

To set the ASA location for SNMP, use the snmp-server location command in global configuration mode. To remove the location, use the no form of this command.

snmp-server location text

no snmp-server location [text]

Syntax Description

location text

Specifies the security appliance location. The location text is case sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example sets the ASA location for SNMP as Building 42, Sector 54:

hostname(config)# snmp-server location Building 42, Sector 54

Related Commands

Command
Description

snmp-server community

Sets the SNMP community string.

snmp-server contact

Sets the SNMP contact name.

snmp-server enable

Enables SNMP on the ASA.

snmp-server enable traps

Enables SNMP traps.

snmp-server host

Sets the SNMP host address.


snmp-server user

To configure a new SNMP user, use the snmp-server user command in global configuration mode. To remove a specified SNMP user, use the no form of this command.

snmp-server user username group-name {v3 [encrypted] [auth {md5 | sha} auth-password]} [priv {des | 3des | aes {128 | 192 | 256}} priv-password]

no snmp-server user username group-name {v3 [encrypted] [auth {md5 | sha} auth-password]} [priv {des | 3des | aes {128 | 192 | 256}} priv-password]

Syntax Description

128

(Optional) Specifies the use of the 128-bit AES algorithm for encryption.

192

(Optional) Specifies the use of the 192-bit AES algorithm for encryption.

256

(Optional) Specifies the use of the 256-bit AES algorithm for encryption.

3des

(Optional) Specifies the use of the 168-bit 3DES algorithm for encryption.

aes

(Optional) Specifies the use of the AES algorithm for encryption.

auth

(Optional) Specifies which authentication level should be used.

auth-password

(Optional) Specifies a string that enables the agent to receive packets from the host. The minimum length is one character; the recommended length is at least eight characters, and should include letters and numbers. The maximum length is 64 characters. You can specify a plain-text password or a localized MD5 digest. If you have the localized MD5 or SHA digest, you can specify that string instead of the plain-text password. The digest should be formatted as aa:bb:cc:dd, where aa, bb, and cc are hexadecimal values. The digest should be exactly 16 octets long.

des

(Optional) Specifies the use of the 56-bit DES algorithm for encryption.

encrypted

(Optional) Specifies whether or not the password appears in encrypted format. Encrypted passwords must be in hexadecimal format.

group-name

Specifies the name of the group to which the user belongs.

md5

(Optional) Specifies the HMAC-MD5-96 authentication level.

priv

Specifies packet authentication with encryption.

priv-password

(Optional) Specifies a string that indicates the privacy user password. The minimum length is one character; the recommended length is at least eight characters, and should include letters and numbers. The maximum length is 64 characters. You can specify a plain-text password or a localized MD5 digest. If you have the localized MD5 or SHA digest, you can specify that string instead of the plain-text password. The digest should be formatted as aa:bb:cc:dd, where aa, bb, and cc are hexadecimal values. The digest should be exactly 16 octets long.

sha

(Optional) Specifies the HMAC-SHA-96 authentication level.

username

Specifies the name of the user on the host that connects to the agent.

v3

Specifies that the SNMP Version 3 security model should be used. Allows the use of the encrypted, priv, or auth keywords.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.2(1)

This command was introduced.


Usage Guidelines

An SNMP user must be part of an SNMP group. To use the Version 3 security model, you must first configure an SNMP group, then configure an SNMP user, and then configure an SNMP host.


Note If you forget a password, you cannot recover it, and must reconfigure the user.


When the snmp-server user configuration is displayed on the console or written to a file (for example, the startup-configuration file), the localized authentication and privacy digests always appear instead of a plain-text password. This usage is required by RFC 3414, Section 11.2.


Note You must have a 3DES or AES feature license to configure users with the 3DES or AES algorithm.


During bootup or upgrade of the ASA, single-digit passwords and passwords starting with a digit followed by whitespace are no longer supported. For example, 0 pass and 1 are invalid passwords.

Examples

The following example shows how the ASA can receive SNMP requests using the SNMP Version 3 security model (the username eng-user is an illustrative placeholder):

hostname(config)# snmp-server group engineering v3 auth
hostname(config)# snmp-server user eng-user engineering v3 auth sha mypassword
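The following Python script is an added example and is not part of the Cisco command reference. It checks an SNMP configuration excerpt against the Version 3 rules stated in the usage guidelines for the snmp-server group, snmp-server host, and snmp-server user commands: the group must be configured before a user references it, the user before a Version 3 host names it, the user's security level should match the group's, a community string is valid only for Version 1 or 2c hosts, and a password that is a single digit or a digit followed by whitespace is unsupported. The configuration lines it parses are constructed for the example.

```python
"""Lint an ASA SNMP configuration excerpt against the Version 3 rules stated
in this reference. Added example; not Cisco code. The sample excerpt below
is constructed for the example."""
import re

PROMPT = re.compile(r"^\S+\(config\)#\s*")          # strip "hostname(config)# "
AUTH_PW = re.compile(r"\bauth (?:md5|sha) (.+?)(?= priv |$)")
PRIV_PW = re.compile(r"\bpriv (?:des|3des|aes (?:128|192|256)) (.+)$")
BAD_PW = re.compile(r"^\d(\s|$)")   # "1" and "0 pass" are rejected at bootup/upgrade

# Constructed sample; lines 3, 5, 6 and 7 each break at least one rule.
SAMPLE_CONFIG = """\
hostname(config)# snmp-server group vpn-group v3 priv
hostname(config)# snmp-server user admin vpn-group v3 auth sha letmein priv 3des cisco123
hostname(config)# snmp-server user auditor vpn-group v3 auth md5 0 pass
hostname(config)# snmp-server host mgmt 10.0.0.1 version 3 priv admin
hostname(config)# snmp-server host mgmt 10.0.0.2 version 3 priv nobody
hostname(config)# snmp-server host mgmt 10.0.0.3 community 0 cisco version 3 admin
hostname(config)# snmp-server user orphan no-such-group v3 auth sha hunter22
"""


def user_level(tokens):
    """Security level implied by the keywords on a snmp-server user line."""
    if "priv" in tokens:
        return "priv"
    if "auth" in tokens:
        return "auth"
    return "noauth"


def host_version_and_user(tokens):
    """Return (version, username) for a snmp-server host line; version defaults to 1."""
    if "version" not in tokens:
        return "1", None
    i = tokens.index("version")
    rest = tokens[i + 2:]
    if "udp-port" in rest:
        rest = rest[:rest.index("udp-port")]
    return tokens[i + 1], (rest[-1] if rest else None)


def lint_snmp_config(config_text):
    """Return a list of (line_number, message) findings in configuration order."""
    groups, users, findings = {}, {}, []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = PROMPT.sub("", raw).strip()
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "snmp-server":
            continue
        kind = tokens[1]
        if kind == "group" and len(tokens) >= 5 and tokens[3] == "v3":
            # snmp-server group group-name v3 {auth | noauth | priv}
            groups[tokens[2]] = tokens[4]
        elif kind == "user" and len(tokens) >= 5 and tokens[4] == "v3":
            # snmp-server user username group-name v3 [auth {md5|sha} pw] [priv alg pw]
            username, group, level = tokens[2], tokens[3], user_level(tokens)
            if group not in groups:
                findings.append((lineno, f"user {username}: group {group} must be configured first"))
            elif groups[group] != level:
                findings.append((lineno, f"user {username} is {level} but group {group} is {groups[group]}"))
            for pattern, what in ((AUTH_PW, "auth"), (PRIV_PW, "priv")):
                m = pattern.search(line)
                if m and BAD_PW.match(m.group(1)):
                    findings.append((lineno, f"user {username}: {what} password {m.group(1)!r} is not supported"))
            users[username] = level
        elif kind == "host":
            # snmp-server host interface address [trap|poll] [community 0|8 str] [version ...]
            version, username = host_version_and_user(tokens)
            if version == "3" and "community" in tokens:
                findings.append((lineno, "community string is valid only for version 1 or 2c"))
            if version == "3" and username not in users:
                findings.append((lineno, f"host references user {username!r}, which must be configured first"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_snmp_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {message}")
```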

Related Commands

Command
Description

clear configure snmp-server

Clears the SNMP server configuration.

snmp-server enable

Enables SNMP on the ASA.

snmp-server group

Creates a new SNMP group.

snmp-server host

Sets the SNMP host address.


software-version

To identify the Server and User-Agent header fields, which expose the software version of either a server or an endpoint, use the software-version command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.

software-version action {mask | log} [log]

no software-version action {mask | log} [log]

Syntax Description

mask

Masks the software version in the SIP message.

log

Specifies standalone or additional log in case of violation.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Examples

The following example shows how to identify the software version in a SIP inspection policy map:

hostname(config)# policy-map type inspect sip sip_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# software-version action log

Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Displays all current policy map configurations.


speed

To set the speed of a copper (RJ-45) Ethernet interface, use the speed command in interface configuration mode. To restore the speed setting to the default, use the no form of this command.

speed {auto | 10 | 100 | 1000 | nonegotiate}

no speed [auto | 10 | 100 | 1000 | nonegotiate]

Syntax Description

10

Sets the speed to 10BASE-T.

100

Sets the speed to 100BASE-T.

1000

Sets the speed to 1000BASE-T. For copper Gigabit Ethernet only.

auto

Auto detects the speed.

nonegotiate

For fiber interfaces, sets the speed to 1000 Mbps and does not negotiate link parameters. This command and the no form of this command are the only settings available for fiber interfaces. When you set the value to no speed nonegotiate (the default), the interface enables link negotiation, which exchanges flow-control parameters and remote fault information.


Defaults

For copper interfaces, the default is speed auto.

For fiber interfaces, the default is no speed nonegotiate.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was moved from a keyword of the interface command to an interface configuration mode command.


Usage Guidelines

Set the speed on the physical interface only.

If your network does not support auto detection, set the speed to a specific value.

For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

If you set the speed to anything other than auto on PoE ports, if available, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.


Note Do not set the speed command for an ASA 5500x series or an ASA 5585 with fiber interfaces. Doing so causes a link failure.


Examples

The following example sets the speed to 1000BASE-T:

hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown

Related Commands

Command
Description

clear configure interface

Clears all configuration for an interface.

duplex

Sets the duplex mode.

interface

Configures an interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.

show running-config interface

Shows the interface configuration.


split-dns

To enter a list of domains to be resolved through the split tunnel, use the split-dns command in group-policy configuration mode. To delete a list, use the no form of this command.

To delete all split tunneling domain lists, use the no split-dns command without arguments. This deletes all configured split tunneling domain lists, including a null list created by issuing the split-dns none command.

When there are no split tunneling domain lists, users inherit any that exist in the default group policy. To prevent users from inheriting such split tunneling domain lists, use the split-dns none command.

split-dns {value domain-name1 domain-name2 domain-nameN | none}

no split-dns [domain-name1 domain-name2 domain-nameN]

Syntax Description

value domain-name

Provides a domain name that the ASA resolves through the split tunnel.

none

Indicates that there is no split DNS list. Sets a split DNS list with a null value, thereby disallowing a split DNS list. Prevents inheriting a split DNS list from a default or specified group policy.


Defaults

Split DNS is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Use a single space to separate each entry in the list of domains. There is no limit on the number of entries, but the entire string can be no longer than 255 characters. You can use only alphanumeric characters, hyphens (-), and periods (.).

The no split-dns command, when used without arguments, deletes all current values, including a null value created by issuing the split-dns none command.

Neither the AnyConnect VPN Client nor the SSL VPN Client supports split DNS.

Examples

The following example shows how to configure the domains Domain1, Domain2, Domain3 and Domain4 to be resolved through split tunneling for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-dns value Domain1 Domain2 Domain3 Domain4

Related Commands

Command
Description

default-domain

Specifies a default domain name that the IPsec client uses for DNS queries that omit the domain field.

split-dns

Provides a list of domains to be resolved through the split tunnel.

split-tunnel-network-list

Identifies the access list the ASA uses to distinguish networks that require tunneling and those that do not.

split-tunnel-policy

Lets an IPsec client conditionally direct packets over an IPsec tunnel in encrypted form, or to a network interface in cleartext form.


split-horizon

To reenable EIGRP split horizon, use the split-horizon command in interface configuration mode. To disable EIGRP split horizon, use the no form of this command.

split-horizon eigrp as-number

no split-horizon eigrp as-number

Syntax Description

as-number

The autonomous system number of the EIGRP routing process.


Defaults

The split-horizon command is enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

For networks that include links over X.25 packet-switched networks, you can use the neighbor command to defeat the split horizon feature. As an alternative, you can explicitly specify the no split-horizon eigrp command in your configuration. However, if you do so, you must similarly disable split horizon for all routers and access servers in any relevant multicast groups on that network.

In general, it is best that you not change the default state of split horizon unless you are certain that your application requires the change in order to properly advertise routes. If split horizon is disabled on a serial interface and that interface is attached to a packet-switched network, you must disable split horizon for all routers and access servers in any relevant multicast groups on that network.

Examples

The following example disables EIGRP split horizon on interface Ethernet0/0:

hostname(config)# interface Ethernet0/0
hostname(config-if)# no split-horizon eigrp 100

Related Commands

Command
Description

router eigrp

Creates an EIGRP routing process and enters configuration mode for that process.


split-tunnel-all-dns

To enable the AnyConnect Secure Mobility Client to resolve all DNS addresses through the VPN tunnel, use the split-tunnel-all-dns command from group policy configuration mode.

To remove the command from the running configuration, use the no form of this command. This enables inheritance of the value from another group policy.

split-tunnel-all-dns {disable | enable}

no split-tunnel-all-dns [{disable | enable}]

Syntax Description

disable (default)

The AnyConnect client sends DNS queries over the tunnel according to the split tunnel policy—tunnel all networks, tunnel networks specified in a network list, or exclude networks specified in a network list.

enable

The AnyConnect client resolves all DNS addresses through the VPN tunnel.


Defaults

The default is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration


Command History

Release
Modification

8.2(5)

This command was introduced.


Usage Guidelines

The split-tunnel-all-dns enable command applies to VPN connections using the SSL or IPsec/IKEv2 protocol, and instructs the AnyConnect client to resolve all DNS addresses through the VPN tunnel. If DNS resolution fails, the address remains unresolved and the AnyConnect client does not try to resolve the address through public DNS servers.

By default, this feature is disabled. The client sends DNS queries over the tunnel according to the split tunnel policy—tunnel all networks, tunnel networks specified in a network list, or exclude networks specified in a network list.

Examples

The following example configures the ASA to enable the AnyConnect client to resolve all DNS queries through the VPN tunnel:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-tunnel-all-dns enable

Related Commands

Command
Description

default-domain

Specifies a default domain name that the legacy IPsec (IKEv1) VPN client or the AnyConnect VPN Client (SSL) uses for DNS queries that omit the domain field.

split-dns

Provides a list of domains to be resolved through the split tunnel.

split-tunnel-network-list

Identifies the access list the ASA uses to distinguish networks that require tunneling and those that do not.

split-tunnel-policy

Lets a legacy VPN client (IPsec/IKEv1) or the AnyConnect VPN client (SSL) conditionally direct packets over a tunnel in encrypted form, or to a network interface in clear text form.


split-tunnel-network-list

To create a network list for split tunneling, use the split-tunnel-network-list command in group-policy configuration mode. To delete a network list, use the no form of this command.

To delete all split tunneling network lists, use the no split-tunnel-network-list command without arguments. This deletes all configured network lists, including a null list created by issuing the split-tunnel-network-list none command.

When there are no split tunneling network lists, users inherit any network lists that exist in the default or specified group policy. To prevent users from inheriting such network lists, use the split-tunnel-network-list none command.

Split tunneling network lists distinguish networks that require traffic to travel across the tunnel from those that do not require tunneling.

split-tunnel-network-list {value access-list name | none}

no split-tunnel-network-list value [access-list name]

Syntax Description

value access-list name

Identifies an access list that enumerates the networks to tunnel or not tunnel.

none

Indicates that there is no network list for split tunneling; the ASA tunnels all traffic.

Sets a split tunneling network list with a null value, thereby disallowing split tunneling. Prevents inheriting a default split tunneling network list from a default or specified group policy.


Defaults

By default, there are no split tunneling network lists.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

If you use extended ACLs, the source network determines the split-tunneling network. The destination network is ignored. In addition, because any is not an actual IP address or network address, do not use the term for the source in the ACL.


Note The ASA provides support for 200 split networks.


Examples

The following example shows how to set a network list called FirstList for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-tunnel-network-list FirstList

Related Commands

Command
Description

access-list

Creates an access list, or uses a downloadable access list.

default-domain

Specifies a default domain name that the IPsec client uses for DNS queries that omit the domain field.

split-dns

Provides a list of domains to be resolved through the split tunnel.

split-tunnel-policy

Lets an IPsec client conditionally direct packets over an IPsec tunnel in encrypted form, or to a network interface in cleartext form.


split-tunnel-policy

To set a split tunneling policy, use the split-tunnel-policy command in group-policy configuration mode. To remove the split-tunnel-policy attribute from the running configuration, use the no form of this command. This enables inheritance of a value for split tunneling from another group policy.

Split tunneling lets a remote-access VPN client conditionally direct packets over an IPsec or SSL tunnel in encrypted form, or to a network interface in cleartext form. With split-tunneling enabled, packets not bound for destinations on the other side of the IPsec or SSL VPN tunnel endpoint do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination.

This command applies this split tunneling policy to a specific network.

split-tunnel-policy {tunnelall | tunnelspecified | excludespecified}

no split-tunnel-policy

Syntax Description

excludespecified

Defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel.

split-tunnel-policy

Indicates that you are setting rules for tunneling traffic.

tunnelall

Specifies that no traffic goes in the clear or to any other destination than the ASA. Remote users reach internet networks through the corporate network and do not have access to local networks.

tunnelspecified

Tunnels all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear, and is routed by the remote user's internet service provider.


Defaults

Split tunneling is disabled by default, which is tunnelall.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Split tunneling is primarily a traffic management feature, not a security feature. In fact, for optimum security, we recommend that you not enable split tunneling.

Examples

The following example shows how to set a split tunneling policy of tunneling only specified networks for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-tunnel-policy tunnelspecified 
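The following is an added example (not Cisco code) that models the rules documented for split-tunnel-network-list, split-tunnel-policy and split-tunnel-all-dns: the source field of each permit ACE selects a split network, the destination is ignored, a source of any and more than 200 networks are flagged, and a destination is then classified as tunneled or sent in the clear under each policy. The ACL lines are a constructed sample, and the parser covers only standard and extended ACEs with host, any or address-mask sources (object groups are not handled).

```python
"""Split-tunnel decisions for an ASA group policy (added example, not Cisco code).

Models the documented rules: a permit ACE's source field selects a split
network and its destination is ignored, 'any' is not a valid source, and
at most 200 split networks are supported.  Given a split-tunnel-policy
and the resulting network list, classify_destination() says whether a
packet is sent through the tunnel or in the clear, and dns_decision()
adds the split-tunnel-all-dns override.  Assumption: only standard and
extended ACEs with host/any/address-mask sources are parsed (no object
groups); the ACL below is a constructed sample.
"""
import ipaddress
import re

MAX_SPLIT_NETWORKS = 200  # limit stated in the reference

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<kind>standard|extended)\s+"
    r"(?P<action>permit|deny)\s+(?P<rest>.+)$"
)

# Constructed sample ACL: the third ACE is deliberately wrong (source 'any')
# and the fourth belongs to a different list.
SAMPLE_ACL = [
    "access-list FirstList standard permit 10.1.0.0 255.255.0.0",
    "access-list FirstList extended permit ip 192.168.10.0 255.255.255.0 any",
    "access-list FirstList extended permit ip any 172.16.0.0 255.240.0.0",
    "access-list Other standard permit 10.9.0.0 255.255.0.0",
]


def _parse_source(tokens):
    """Return (network or None, warnings) for the source tokens of an ACE."""
    if tokens[0] in ("any", "any4"):
        return None, ["'any' used as source: it is not a network and selects nothing"]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), []
    # address followed by a dotted mask; strict=False tolerates host bits
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), []


def split_networks(acl_lines, acl_name):
    """Split networks selected by the permit ACEs of acl_name, plus warnings."""
    networks, warnings = [], []
    for line in acl_lines:
        m = ACE_RE.match(line.strip())
        if not m or m.group("name") != acl_name or m.group("action") != "permit":
            continue
        tokens = m.group("rest").split()
        if m.group("kind") == "extended":
            tokens = tokens[1:]  # drop the protocol; the destination after the source is ignored
        net, warn = _parse_source(tokens)
        warnings.extend(warn)
        if net is not None:
            networks.append(net)
    if len(networks) > MAX_SPLIT_NETWORKS:
        warnings.append(f"{len(networks)} split networks exceeds the supported {MAX_SPLIT_NETWORKS}")
    return networks, warnings


def in_split_list(dst, networks):
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in networks)


def classify_destination(policy, networks, dst):
    """'tunnel' or 'clear' for a packet to dst under the given split-tunnel-policy."""
    if policy == "tunnelall":
        return "tunnel"
    if policy == "tunnelspecified":
        return "tunnel" if in_split_list(dst, networks) else "clear"
    if policy == "excludespecified":
        return "clear" if in_split_list(dst, networks) else "tunnel"
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def dns_decision(policy, networks, dns_server, all_dns_enabled):
    """Path of a DNS query: split-tunnel-all-dns enable forces the tunnel."""
    if all_dns_enabled:
        return "tunnel"
    return classify_destination(policy, networks, dns_server)


if __name__ == "__main__":
    nets, warns = split_networks(SAMPLE_ACL, "FirstList")
    print("split networks:", [str(n) for n in nets])
    for w in warns:
        print("warning:", w)
    for dst in ("10.1.5.5", "172.16.1.1", "8.8.8.8"):
        print(dst, "tunnelspecified ->", classify_destination("tunnelspecified", nets, dst))
```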

Related Commands

Command
Description

default-domain

Specifies a default domain name that the IPsec client uses for DNS queries that omit the domain field.

split-dns

Provides a list of domains to be resolved through the split tunnel.

split-tunnel-network-list none

Indicates that no access list exists for split tunneling. All traffic travels across the tunnel.

split-tunnel-network-list value

Identifies the access list the ASA uses to distinguish networks that require tunneling and those that do not.


spoof-server

To substitute a string for the server header field for HTTP protocol inspection, use the spoof-server command in parameters configuration mode. To disable this feature, use the no form of this command.

spoof-server string

no spoof-server string

Syntax Description

string

String to substitute for the server header field. 82 characters maximum.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

WebVPN streams are not subject to the spoof-server command.

Examples

The following example shows how to substitute a string for the server header field in an HTTP inspection policy map:

hostname(config-pmap-p)# spoof-server string

Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Displays all current policy map configurations.


sq-period

To specify the interval between each successful posture validation in a NAC Framework session and the next query for changes in the host posture, use the sq-period command in nac-policy-nac-framework configuration mode. To remove the command from the NAC policy, use the no form of this command.

sq-period seconds

no sq-period [seconds]

Syntax Description

seconds

Number of seconds between each successful posture validation. The range is 30 to 1800.


Defaults

The default value is 300.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

nac-policy-nac-framework configuration


Command History

Release
Modification

7.3(0)

"nac-" removed from command name. Command moved from group-policy configuration mode to nac-policy-nac-framework configuration mode.

7.2(1)

This command was introduced.


Usage Guidelines

The ASA starts the status query timer after each successful posture validation and status query response. The expiration of this timer triggers a query for changes in the host posture, referred to as a status query.

Examples

The following example changes the value of the status query timer to 1800 seconds:

hostname(config-nac-policy-nac-framework)# sq-period 1800
hostname(config-nac-policy-nac-framework)#

The following example removes the status query timer from the NAC Framework policy:

hostname(config-nac-policy-nac-framework)# no sq-period
hostname(config-nac-policy-nac-framework)#

Related Commands

Command
Description

nac-policy

Creates and accesses a Cisco NAC policy, and specifies its type.

nac-settings

Assigns a NAC policy to a group policy.

eou timeout

Changes the number of seconds to wait after sending an EAP over UDP message to the remote host in a NAC Framework configuration.

reval-period

Specifies the interval between each successful posture validation in a NAC Framework session.

debug eap

Enables logging of Extensible Authentication Protocol events to debug NAC Framework messaging.


ssh

To add SSH access to the ASA, use the ssh command in global configuration mode. To disable SSH access to the ASA, use the no form of this command.

ssh {ip_address mask | ipv6_address/prefix} interface

no ssh {ip_address mask | ipv6_address/prefix} interface

Syntax Description

interface

Specifies the ASA interface on which SSH is enabled. If not specified, SSH is enabled on all interfaces except the outside interface.

ip_address

Specifies the IPv4 address of the host or network that is authorized to initiate an SSH connection to the ASA. For hosts, you can also enter a host name.

ipv6_address/prefix

Specifies the IPv6 address and prefix of the host or network that is authorized to initiate an SSH connection to the ASA.

mask

Specifies the network mask for the IPv4 address.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

This command supports both IPv4 and IPv6 addresses. The ssh ip_address command specifies hosts or networks that are authorized to initiate an SSH connection to the ASA. You can have multiple SSH commands in the configuration. The no form of the command removes a specific SSH command from the configuration. Use the clear configure ssh command to remove all SSH commands.

Before you can begin using SSH to the ASA, you must generate a default RSA key using the crypto key generate rsa command.

The following security algorithms and ciphers are supported on the ASA:

3DES and AES ciphers for data encryption

HMAC-SHA and HMAC-MD5 algorithms for packet integrity

RSA public key algorithm for host authentication

The following SSH Version 2 features are not supported on the ASA:

X11 forwarding

Port forwarding

SFTP support

Kerberos and AFS ticket passing

Data compression

Examples

The following example shows how to configure the inside interface to accept SSH version 2 connections from a management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.

hostname(config)# ssh 10.1.1.1 255.255.255.0 inside
hostname(config)# ssh version 2
hostname(config)# ssh scopy enable
hostname(config)# ssh timeout 60

Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

crypto key generate rsa

Generates RSA key pairs for identity certificates.

debug ssh

Displays debugging information and error messages for SSH commands.

show running-config ssh

Displays the current SSH commands in the running configuration.

ssh scopy enable

Enables a secure copy server on the ASA.

ssh version

Restricts the ASA to using either SSH Version 1 or SSH Version 2.


ssh authentication

To enable public key authentication on a per-user basis, use the ssh authentication command in username attributes mode. To disable public key authentication on a per-user basis, use the no form of this command.

ssh authentication {pkf | publickey [nointeractive] key [hashed]}

no ssh authentication {pkf | publickey [nointeractive] key [hashed]}

Syntax Description

hashed

Hashed with SHA-256 and 32 bytes long, with each byte separated by a colon (for parsing purposes).

key

The value of the key argument can be one of the following:

When the key argument is supplied and the hashed tag is not specified, the value of the key must be a Base64-encoded public key that is generated by SSH key generation software that can generate SSH-RSA raw keys (that is, with no certificates). After you submit the Base64-encoded public key, that key is then hashed via SHA-256 and the corresponding 32-byte hash is used for all further comparisons.

When the key argument is supplied and the hashed tag is specified, the value of the key must have been previously hashed with SHA-256 and be 32 bytes long, with each byte separated by a colon (for parsing purposes).

nointeractive

The nointeractive option suppresses all prompts when importing an SSH public key file formatted key. This noninteractive data entry mode is only intended for ASDM use.

pkf

For a pkf key, you are prompted to paste in a PKF formatted key, up to 4096 bits. Use this format for keys that are too large to paste inline in Base64 format. For example, you can generate a 4096-bit key using ssh-keygen, then convert it to PKF, and use the pkf keyword to be prompted for the key.

Note You can use the pkf option with failover, but the PKF key is not automatically replicated to the standby system. You must enter the write standby command to synchronize the PKF key.

publickey

For a publickey, the key is a Base64-encoded public key. You can generate the key using any SSH key generation software (such as ssh-keygen) that can generate SSH-RSA raw keys (with no certificates).


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Username attributes


Command History

Release
Modification

9.1(2)

This command was introduced.


Usage Guidelines

You can specify a public key file (PKF) formatted key (the pkf keyword) or a Base64 key (the publickey keyword).

The key field and the hashed keyword are only available with the publickey option, and the nointeractive keyword is only available with the pkf option.

When you save the configuration, the hashed key value is saved to the configuration and used when the ASA is rebooted.

When you view the key on the ASA using the show running-config username command, the key is encrypted using a SHA-256 hash. Even if you entered the key as pkf, the ASA hashes the key, and shows it as a hashed publickey. If you need to copy the key from show output, specify the publickey type with the hashed keyword.

Examples

The following example shows how to authenticate using a PKF formatted key:

hostname(config-username)# ssh authentication pkf
Enter an SSH public key formatted file.
End with the word "quit" on a line by itself:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "4096-bit RSA, converted by xxx@xxx from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAACAQDNUvkgza37lB/Q/fljpLAv1BbyAd5PJCJXh/U4LO
hleR/qgIROjpnFaS7Az8/+sjHmq0qXC5TXkzWihvRZbhefyPhPHCi0hIt4oUF2ZbXESA/8
jUT4ehXIUE7FrChffBBtbD4d9FkV8A2gwZCDJBxEM26ocbZCSTx9QC//wt6E/zRcdoqiJG
p4ECEdDaM+56l+yf73NUigO7wYkqcrzjmI1rZRDLVcqtj8Q9qD3MqsV+PkJGSGiqZwnyIl
QbfYxXHU9wLdWxhUbA/xOjJuZ15TQMa7KLs2u+RtrpQgeTGTffIh6O+xKh93gwTgzaZTK4
CQ1kuMrRdNRzza0byLeYPtSlv6Lv6F6dGtwlqrX5a+w/tV/aw9WUg/rapekKloz3tsPTDe
p866AFzU+Z7pVR1389iNuNJHQS7IUA2m0cciIuCM2we/tVqMPYJl+xgKAkuHDkBlMS4i8b
Wzyd+4EUMDGGZVeO+corKTLWFO1wIUieRkrUaCzjComGYZdzrQT2mXBcSKQNWlSCBpCHsk
/r5uTGnKpCNWfL7vd/sRCHyHKsxjsXR15C/5zgHmCTAaGOuIq0Rjo34+61+70PCtYXebxM
Wwm19e3eH2PudZd+rj1dedfr2/IrislEBRJWGLoR/N+xsvwVVM1Qqw1uL4r99CbZF9NghY
NRxCQOY/7K77II==
---- END SSH2 PUBLIC KEY ----
quit
INFO: Import of an SSH public key formatted file SUCCEEDED.
hostname(config-username)#
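Added example (not Cisco code): a small Python tool for preparing a key for ssh authentication. It reads either a one-line OpenSSH public key (the Base64 blob used with publickey) or an RFC 4716 SSH2 PUBLIC KEY file (the form the pkf prompt takes), converts between the two, checks the modulus against the 4096-bit limit, and renders a 32-byte colon-separated SHA-256 value in the shape of the hashed keyword's argument. The reference does not say whether the ASA hashes the Base64 text or the decoded key bytes; this example assumes the decoded bytes (an assumption to verify against show running-config username), and its test key is built from integers rather than being a usable RSA key.

```python
"""Prepare an RSA public key for 'ssh authentication' (added example, not Cisco code).

Reads a one-line OpenSSH public key (the Base64 blob used with the publickey
keyword) or an RFC 4716 "SSH2 PUBLIC KEY" file (what the pkf prompt takes),
converts between the two, checks the modulus against the documented
4096-bit limit, and renders a 32-byte colon-separated SHA-256 value shaped
like the hashed keyword's argument.  Assumption: the digest is computed
over the decoded key bytes; the reference does not say which encoding the
ASA hashes, so compare with show running-config username before relying
on it.  The test key is built from integers and is not a usable RSA key.
"""
import base64
import hashlib
import struct

PKF_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
PKF_END = "---- END SSH2 PUBLIC KEY ----"
MAX_BITS = 4096  # largest key the pkf prompt accepts, per the reference


def parse_public_key(text):
    """Return (wire-format blob, comment) from OpenSSH one-line or PKF text."""
    lines = text.strip().splitlines()
    if lines and lines[0].strip() == PKF_BEGIN:
        body, comment, i = [], "", 1
        while i < len(lines) and lines[i].strip() != PKF_END:
            line = lines[i].strip()
            if ":" in line:  # header line; Base64 never contains ':'
                name, _, value = line.partition(":")
                while value.endswith("\\"):  # RFC 4716 header continuation
                    i += 1
                    value = value[:-1] + lines[i].strip()
                if name.strip().lower() == "comment":
                    comment = value.strip().strip('"')
            else:
                body.append(line)
            i += 1
        return base64.b64decode("".join(body)), comment
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an ssh-rsa public key")
    return base64.b64decode(parts[1]), (parts[2] if len(parts) == 3 else "")


def _read_string(blob, offset):
    """Read one length-prefixed SSH string (RFC 4251 section 5)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length


def rsa_bits(blob):
    """Modulus size of an ssh-rsa blob: string "ssh-rsa", mpint e, mpint n."""
    algo, off = _read_string(blob, 0)
    if algo != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {algo!r}")
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


def build_rsa_blob(e, n):
    """Constructed ssh-rsa blob from integers (test input only, not a real key)."""
    def mpint(x):
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")  # leading 0x00 kept if top bit set
        return struct.pack(">I", len(raw)) + raw
    return struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)


def to_openssh(blob, comment=""):
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def to_pkf(blob, comment=""):
    """RFC 4716 text wrapped at 70 columns, as ssh-keygen -e produces it."""
    b64 = base64.b64encode(blob).decode()
    lines = [PKF_BEGIN]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    lines.append(PKF_END)
    return "\n".join(lines)


def hashed_form(blob):
    """SHA-256 over the key bytes as 32 colon-separated hex bytes (assumed input)."""
    return ":".join(f"{b:02x}" for b in hashlib.sha256(blob).digest())


def check_key(text):
    """Parse either format and report size, limit compliance and hashed value."""
    blob, comment = parse_public_key(text)
    bits = rsa_bits(blob)
    return {"bits": bits, "within_limit": bits <= MAX_BITS,
            "comment": comment, "hashed": hashed_form(blob)}
```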

Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

debug ssh

Displays debugging information and error messages for SSH commands.

show running-config ssh

Displays the current SSH commands in the running configuration.

ssh version

Restricts the ASA to using either SSH Version 1 or SSH Version 2.


ssh disconnect

To disconnect an active SSH session, use the ssh disconnect command in privileged EXEC mode.

ssh disconnect session_id

Syntax Description

session_id

Disconnects the SSH session specified by the ID number.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

You must specify a session ID. Use the show ssh sessions command to obtain the ID of the SSH session you want to disconnect.

Examples

The following example shows an SSH session being disconnected:

hostname# show ssh sessions
SID Client IP       Version Mode Encryption Hmac     State           Username
0   172.69.39.39    1.99    IN   aes128-cbc md5      SessionStarted  pat
                            OUT  aes128-cbc md5      SessionStarted  pat
1   172.23.56.236   1.5     -    3DES       -        SessionStarted  pat
2   172.69.39.29    1.99    IN   3des-cbc   sha1     SessionStarted  pat
                            OUT  3des-cbc   sha1     SessionStarted  pat
hostname# ssh disconnect 2
hostname# show ssh sessions
SID Client IP       Version Mode Encryption Hmac     State           Username
0   172.69.39.29    1.99    IN   aes128-cbc md5      SessionStarted  pat
                            OUT  aes128-cbc md5      SessionStarted  pat
1   172.23.56.236   1.5     -    3DES       -        SessionStarted  pat

Related Commands

Command
Description

show ssh sessions

Displays information about active SSH sessions to the ASA.

ssh timeout

Sets the timeout value for idle SSH sessions.


ssh key-exchange

To exchange keys using either the Diffie-Hellman (DH) Group 1 or DH Group 14 key-exchange method, use the ssh key-exchange command in global configuration mode. To disable key exchange using either the DH Group 1 or DH Group 14 key-exchange method, use the no form of this command.

ssh key-exchange {dh-group1 | dh-group14}

no ssh key-exchange {dh-group1 | dh-group14}

Syntax Description

dh-group1

Indicates that the DH group 1 key-exchange method will follow and should be used when exchanging keys. DH group 2 is called DH group 1 for legacy reasons.

dh-group14

Indicates that the DH group 14 key-exchange method will follow and should be used when exchanging keys.

key-exchange

Specifies that either the DH group 1 or DH group 14 key-exchange method will follow and should be used when exchanging keys.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.4(5)

This command was introduced.


Usage Guidelines

Before you can begin using SSH to the ASA, you must generate a default RSA key using the crypto key generate rsa command.

Both the DH Group 1 and DH Group 14 key-exchange methods are supported on the ASA. If no DH group key-exchange method is specified, the DH group 1 key-exchange method is used. For more information about using DH key-exchange methods, see RFC 4253.

Examples

The following example shows how to exchange keys using the DH Group 14 key-exchange method:

hostname(config)# ssh key-exchange dh-group14

Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

crypto key generate rsa

Generates RSA key pairs for identity certificates.

debug ssh

Displays debugging information and error messages for SSH commands.

show running-config ssh

Displays the current SSH commands in the running configuration.

ssh scopy enable

Enables a secure copy server on the ASA.

ssh version

Restricts the ASA to using either SSH Version 1 or SSH Version 2.


ssh scopy enable

To enable Secure Copy (SCP) on the ASA, use the ssh scopy enable command in global configuration mode. To disable SCP, use the no form of this command.

ssh scopy enable

no ssh scopy enable

Syntax Description

This command has no keywords or arguments.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

SCP is a server-only implementation; the ASA accepts and terminates SCP connections but cannot initiate them. The ASA has the following restrictions:

There is no directory support in this implementation of SCP, limiting remote client access to the ASA internal files.

There is no banner support when using SCP.

SCP does not support wildcards.

The ASA license must have the VPN-3DES-AES feature to support SSH version 2 connections.

Before initiating the file transfer, the ASA checks available Flash memory. If there is not enough available space, the ASA terminates the SCP connection. If you are overwriting a file in Flash memory, you still need to have enough free space for the file being copied to the ASA. The SCP process copies the file to a temporary file first, then copies the temporary file over the file being replaced. If you do not have enough space in Flash to hold both the file being copied and the file being overwritten, the ASA terminates the SCP connection.

Examples

The following example shows how to configure the inside interface to accept SSH Version 2 connections from a management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.

hostname(config)# ssh 10.1.1.1 255.255.255.0 inside
hostname(config)# ssh version 2
hostname(config)# ssh scopy enable
hostname(config)# ssh timeout 60

Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

debug ssh

Displays debug information and error messages for SSH commands.

show running-config ssh

Displays the current SSH commands in the running configuration.

ssh

Allows SSH connectivity to the ASA from the specified client or network.

ssh version

Restricts the ASA to using either SSH Version 1 or SSH Version 2.


ssh timeout

To change the default SSH session idle timeout value, use the ssh timeout command in global configuration mode. To restore the default timeout value, use the no form of this command.

ssh timeout number

no ssh timeout

Syntax Description

number

Specifies the duration in minutes that an SSH session can remain inactive before being disconnected. Valid values are from 1 to 60 minutes.


Defaults

The default session timeout value is 5 minutes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The ssh timeout command specifies the duration in minutes that a session can be idle before being disconnected. The default duration is 5 minutes.

Examples

The following example shows how to configure the inside interface to accept only SSH version 2 connections from a management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.

hostname(config)# ssh 10.1.1.1 255.255.255.0 inside
hostname(config)# ssh version 2
hostname(config)# ssh scopy enable
hostname(config)# ssh timeout 60

Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

show running-config ssh

Displays the current SSH commands in the running configuration.

show ssh sessions

Displays information about active SSH sessions to the ASA.

ssh disconnect

Disconnects an active SSH session.


ssh version

To restrict the version of SSH accepted by the ASA, use the ssh version command in global configuration mode. To restore the default value, use the no form of this command. The default value permits both SSH Version 1 and SSH Version 2 connections to the ASA.

ssh version {1 | 2}

no ssh version [1 | 2]

Syntax Description

1

Specifies that only SSH Version 1 connections are supported.

2

Specifies that only SSH Version 2 connections are supported.


Defaults

By default, both SSH Version 1 and SSH Version 2 are supported.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

1 and 2 specify which version of SSH the ASA is restricted to using. The no form of the command returns the ASA to the default stance, which is compatible mode (both versions can be used).

Examples

The following example shows how to configure the inside interface to accept SSH Version 2 connections from a management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.

hostname(config)# ssh 10.1.1.1 255.255.255.0 inside
hostname(config)# ssh version 2
hostname(config)# ssh scopy enable
hostname(config)# ssh timeout 60

Related Commands

Command
Description

clear configure ssh

Clears all SSH commands from the running configuration.

debug ssh

Displays debug information and error messages for SSH commands.

show running-config ssh

Displays the current SSH commands in the running configuration.

ssh

Allows SSH connectivity to the ASA from the specified client or network.


ssl certificate-authentication

To enable client certificate authentication for backwards compatibility for versions previous to 8.2(1), use the ssl certificate-authentication command in global configuration mode. To disable ssl certificate authentication, use the no version of this command.

ssl certificate-authentication interface interface-name port port-number

no ssl certificate-authentication interface interface-name port port-number

Syntax Description

interface-name

The name of the selected interface, such as inside, management, and outside.

port-number

The TCP port number, an integer in the range 1-65535.


Defaults

This feature is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.0(3)

This command was introduced.

8.2(1)

This command is no longer needed, but the ASA retains it for downgrading to previous versions.


Usage Guidelines

This command replaces the deprecated http authentication-certificate command.

Examples

The following example shows how to configure the ASA to use the SSL certificate authentication feature:

hostname(config)# ssl certificate-authentication interface inside port 330

Related Commands

Command
Description

show running-config ssl

Displays the current set of configured SSL commands.


ssl client-version

To specify the SSL/TLS protocol version the ASA uses when acting as a client, use the ssl client-version command in global configuration mode. To revert to the default, any, use the no version of this command. This command lets you restrict the versions of SSL/TLS that the ASA sends.

ssl client-version [any | sslv3-only | tlsv1-only]

no ssl client-version

Syntax Description

any

The ASA sends SSL version 3 hellos, and negotiates either SSL version 3 or TLS version 1.

sslv3-only

The security appliance sends SSL version 3 hellos, and accepts only SSL version 3.

tlsv1-only

The security appliance sends TLSv1 client hellos, and accepts only TLS version 1.


Defaults

The default value is any.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

TCP Port Forwarding does not work when a WebVPN user connects with some SSL versions, as follows:

Negotiate SSLv3: Java downloads

Negotiate SSLv3/TLSv1: Java downloads

Negotiate TLSv1: Java does NOT download

TLSv1Only: Java does NOT download

SSLv3Only: Java does NOT download

The issue is that Java only negotiates SSLv3 in the client Hello packet when you launch the Port Forwarding application.

Examples

The following example shows how to configure the ASA to communicate using only TLSv1 when acting as an SSL client:

hostname(config)# ssl client-version tlsv1-only

Related Commands

Command
Description

clear config ssl

Removes all SSL commands from the configuration, reverting to the default values.

ssl encryption

Specifies the encryption algorithms that the SSL/TLS protocol uses.

show running-config ssl

Displays the current set of configured SSL commands.

ssl server-version

Specifies the SSL/TLS protocol version the ASA uses when acting as a server.

ssl trust-point

Specifies the certificate trust point that represents the SSL certificate for an interface.


ssl encryption

To specify the encryption algorithms for the SSL, DTLS, and TLS protocols, use the ssl encryption command in global configuration mode. Issuing the command again overwrites the previous setting. To restore the default, which is the complete set of encryption algorithms, use the no version of the command.

ssl encryption [3des-sha1] [aes128-sha1] [aes256-sha1] [des-sha1] [dhe-aes128-sha1] [dhe-aes256-sha1] [null-sha1] [rc4-md5] [rc4-sha1]

no ssl encryption

Syntax Description

3des-sha1

Specifies triple DES 168-bit encryption with Secure Hash Algorithm 1 (FIPS-compliant).

aes128-sha1

Specifies AES 128-bit encryption with Secure Hash Algorithm 1 (FIPS-compliant).

aes256-sha1

Specifies AES 256-bit encryption with Secure Hash Algorithm 1 (FIPS-compliant).

des-sha1

Specifies DES 56-bit encryption with Secure Hash Algorithm 1.

dhe-aes128-sha1

Specifies ephemeral Diffie-Hellman key exchange with AES 128-bit encryption and Secure Hash Algorithm 1 (FIPS-compliant).

dhe-aes256-sha1

Specifies ephemeral Diffie-Hellman key exchange with AES 256-bit encryption and Secure Hash Algorithm 1 (FIPS-compliant).

null-sha1

Specifies null encryption with Secure Hash Algorithm 1. This setting enforces message integrity without confidentiality.


Caution If you specify null-sha1, data is not encrypted.

rc4-md5

Specifies RC4 128-bit encryption with an MD5 hash function.

rc4-sha1

Specifies RC4 128-bit encryption with Secure Hash Algorithm 1.


Defaults

By default, the SSL encryption list on the ASA contains these algorithms in the following order:

1. RC4-SHA1

2. DHE-AES128-SHA1 (FIPS-compliant)

3. DHE-AES256-SHA1 (FIPS-compliant)

4. AES128-SHA1 (FIPS-compliant)

5. AES256-SHA1 (FIPS-compliant)

6. 3DES-SHA1 (FIPS-compliant)

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.

8.4(4.1)

The ASA now supports the following ephemeral Diffie-Hellman (DHE) SSL cipher suites:

dhe-aes256-sha1

dhe-aes128-sha1


Usage Guidelines

The ordering of the algorithms determines preference for their use. You can add or remove algorithms to meet the needs of your environment.

For FIPS-compliant AnyConnect client SSL connections, you must ensure a FIPS-compliant cipher is the first one specified in the list of SSL encryptions.

Cryptographic operations use symmetric-key algorithms as referenced in http://en.wikipedia.org/wiki/Symmetric-key_algorithm.

When supported by the client, DHE is the preferred cipher because it provides Perfect Forward Secrecy. These cipher suites are specified in RFC 3268, Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS). See the following limitations:

DHE is not supported on SSL 3.0 connections, so make sure to also enable TLS 1.0 for the SSL server.

!! set server version
hostname(config)# ssl server-version tlsv1 sslv3
!! set client version
hostname(config)# ssl client-version any

Some popular applications do not support DHE, so include at least one other SSL encryption method to ensure that a cipher suite common to both the SSL client and server can be used.

Some clients may not support DHE, including AnyConnect 2.5 and 3.0, Cisco Secure Desktop, and Internet Explorer 9.0.
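As an added example (not Cisco's code), the following Python script audits the ssl encryption and ssl server-version lines of a saved configuration against the guidelines above: a FIPS-compliant cipher must come first when FIPS clients connect, DHE suites need a server version that allows TLS 1.0, at least one non-DHE suite should remain for clients without DHE support, and null-sha1 is flagged. The configuration text it reads is constructed.

```python
"""Audit ASA `ssl encryption` / `ssl server-version` lines against the usage guidelines.

Added example, not Cisco's code. Cipher keywords and their FIPS markings come from
the Syntax Description; the default list and the server-version keywords come from
this reference. Configuration text passed in is constructed for illustration.
"""

# Cipher keywords accepted by `ssl encryption`, mapped to the page's FIPS marking.
FIPS_COMPLIANT = {
    "3des-sha1": True, "aes128-sha1": True, "aes256-sha1": True,
    "dhe-aes128-sha1": True, "dhe-aes256-sha1": True,
    "des-sha1": False, "null-sha1": False, "rc4-md5": False, "rc4-sha1": False,
}

# The default list, in the order the Defaults section gives it.
DEFAULT_LIST = ["rc4-sha1", "dhe-aes128-sha1", "dhe-aes256-sha1",
                "aes128-sha1", "aes256-sha1", "3des-sha1"]

# ssl server-version keywords under which the ASA will negotiate TLS 1.0.
VERSIONS_WITH_TLS1 = {"any", "tlsv1", "tlsv1-only"}


def parse_ssl_config(config_text):
    """Return (cipher_list, server_version_keywords) from the relevant lines.

    Lines that are absent fall back to the documented defaults: the default
    cipher list and `ssl server-version any`.
    """
    ciphers, versions = list(DEFAULT_LIST), {"any"}
    for line in config_text.splitlines():
        parts = line.strip().lower().split()
        if parts[:2] == ["ssl", "encryption"]:
            ciphers = parts[2:]
        elif parts[:2] == ["ssl", "server-version"]:
            versions = set(parts[2:])
    return ciphers, versions


def audit(config_text, fips_clients=False):
    """Return a list of finding strings; an empty list means no guideline is violated."""
    ciphers, versions = parse_ssl_config(config_text)
    findings = []

    unknown = [c for c in ciphers if c not in FIPS_COMPLIANT]
    if unknown:
        findings.append("unknown cipher keyword(s): " + ", ".join(unknown))
    known = [c for c in ciphers if c in FIPS_COMPLIANT]
    if not known:
        findings.append("no usable ciphers configured")
        return findings

    # Ordering is preference: FIPS AnyConnect clients need a FIPS cipher first.
    if fips_clients and not FIPS_COMPLIANT[known[0]]:
        findings.append(f"first cipher {known[0]} is not FIPS-compliant; "
                        "FIPS AnyConnect clients will fail")

    dhe = [c for c in known if c.startswith("dhe-")]
    if dhe:
        # DHE is not offered on SSL 3.0 connections, so TLS 1.0 must be allowed.
        if not (versions & VERSIONS_WITH_TLS1):
            findings.append("DHE ciphers configured but ssl server-version excludes TLS 1.0")
        # Keep a non-DHE suite for clients (e.g. older AnyConnect, IE 9) without DHE.
        if len(dhe) == len(known):
            findings.append("only DHE ciphers configured; clients without DHE support cannot connect")

    if "null-sha1" in known:
        findings.append("null-sha1 present: data is not encrypted")
    return findings
```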

Examples

The following example shows how to limit the ASA to use only the 3des-sha1 and des-sha1 encryption algorithms:

hostname(config)# ssl encryption 3des-sha1 des-sha1

Related Commands

Command
Description

clear config ssl

Removes all SSL commands from the configuration, reverting to the default values.

show running-config ssl

Displays the current set of configured SSL commands.

ssl client-version

Specifies the SSL/TLS protocol version the ASA uses when acting as a client.

ssl server-version

Specifies the SSL/TLS protocol version the ASA uses when acting as a server.

ssl trust-point

Specifies the certificate trust point that represents the SSL certificate for an interface.


ssl server-version

To specify the SSL/TLS protocol version the ASA uses when acting as a server, use the ssl server-version command in global configuration mode. To revert to the default, any, use the no version of this command. This command lets you restrict the versions of SSL/TLS that the ASA accepts.

ssl server-version [any | sslv3 | tlsv1 | sslv3-only | tlsv1-only]

no ssl server-version

Syntax Description

any

The ASA accepts SSL version 2 client hellos, and negotiates either SSL version 3 or TLS version 1.

sslv3

The ASA accepts SSL version 2 client hellos, and negotiates to SSL version 3.

sslv3-only

The security appliance accepts only SSL version 3 client hellos, and uses only SSL version 3.

tlsv1

The ASA accepts SSL version 2 client hellos, and negotiates to TLS version 1.

tlsv1-only

The security appliance accepts only TLSv1 client hellos, and uses only TLS version 1.


Defaults

The default value is any.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

TCP Port Forwarding does not work when a WebVPN user connects with some SSL versions, as follows:

Negotiate SSLv3: Java downloads

Negotiate SSLv3/TLSv1: Java downloads

Negotiate TLSv1: Java does NOT download

TLSv1Only: Java does NOT download

SSLv3Only: Java does NOT download


If you configure e-mail proxy, do not set the SSL version to TLSv1 Only. Outlook and Outlook Express do not support TLS.

Remote endpoints with FIPS enabled cannot communicate when ssl server-version is configured for sslv3 or sslv3-only. For that environment, set ssl server-version to tlsv1 or any.

Examples

The following example shows how to configure the ASA to communicate using only TLSv1 when acting as an SSL server:

hostname(config)# ssl server-version tlsv1-only

Related Commands

Command
Description

clear config ssl

Removes all ssl commands from the configuration, reverting to the default values.

show running-config ssl

Displays the current set of configured ssl commands.

ssl client-version

Specifies the SSL/TLS protocol version the ASA uses when acting as a client.

ssl encryption

Specifies the encryption algorithms that the SSL/TLS protocol uses.

ssl trust-point

Specifies the certificate trust point that represents the SSL certificate for an interface.


ssl trust-point

To specify the certificate trustpoint that represents the SSL certificate for an interface, use the ssl trust-point command with the interface argument in global configuration mode. If you do not specify an interface, this command creates the fallback trustpoint for all interfaces that do not have a trustpoint configured. To remove an SSL trustpoint from the configuration that does not specify an interface, use the no version of this command. To remove an entry that does specify an interface, use the no ssl trust-point {trustpoint [interface]} version of the command.

ssl trust-point {trustpoint [interface]}

no ssl trust-point

Syntax Description

interface

The name for the interface to which the trustpoint applies. The nameif command specifies the name of the interface.

trustpoint

The name of the CA trustpoint as configured in the crypto ca trustpoint {name} command.


Defaults

The default is no trustpoint association. The ASA uses the default self-generated RSA key-pair certificate.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Observe these guidelines when using this command:

The value for trustpoint must be the name of the CA trustpoint as configured in the crypto ca trustpoint {name} command.

The value for interface must be the nameif name of a previously configured interface.

Removing a trustpoint also removes any ssl trust-point entries that reference that trustpoint.

You can have one ssl trustpoint entry for each interface and one that specifies no interfaces.

You can reuse the same trustpoint for multiple entries.

The following example explains how to use the no versions of this command:

The configuration includes an SSL trustpoint entry with no interface and the entry ssl trust-point tp2 outside. Issue the command:

no ssl trust-point

This removes only the entry that has no interface. Then show run ssl will have:

ssl trust-point tp2 outside

Examples

The following example shows how to configure an ssl trustpoint called FirstTrust for the inside interface, and a trustpoint called DefaultTrust with no associated interface.

hostname(config)# ssl trust-point FirstTrust inside
hostname(config)# ssl trust-point DefaultTrust

The next example shows how to use the no version of the command to delete a trustpoint that has no associated interface:

hostname(config)# show running-configuration ssl
ssl trust-point FirstTrust inside
ssl trust-point DefaultTrust
hostname(config)# no ssl trust-point
hostname(config)# show running-configuration ssl
ssl trust-point FirstTrust inside

The next example shows how to delete a trustpoint that does have an associated interface:

hostname(config)# show running-configuration ssl
ssl trust-point FirstTrust inside
ssl trust-point DefaultTrust
hostname(config)# no ssl trust-point FirstTrust inside
hostname(config)# show running-configuration ssl
ssl trust-point DefaultTrust
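The binding and removal rules above, modelled in Python as an added example (not ASA code): one entry per interface plus one fallback entry with no interface, the two no forms, and the cascade when a trustpoint itself is removed. Trustpoint and interface names are constructed; treating a second ssl trust-point command for the same interface as replacing the first is an assumption.

```python
"""Model of `ssl trust-point` binding semantics from the Usage Guidelines.

Added example, not ASA code. Names used in the tests (FirstTrust, DefaultTrust,
inside, outside) are the page's examples or constructed. Replacing an existing
entry on a second bind for the same interface is an assumption.
"""

DEFAULT_CERT = "<default self-generated RSA key-pair certificate>"


class SslTrustpointTable:
    def __init__(self):
        # Key: interface nameif, or None for the fallback entry that serves every
        # interface without a binding of its own. Value: trustpoint name.
        self._entries = {}
        self._trustpoints = set()

    def define_trustpoint(self, name):
        """Stand-in for `crypto ca trustpoint name`."""
        self._trustpoints.add(name)

    def remove_trustpoint(self, name):
        """Stand-in for removing the trustpoint: every ssl trust-point entry
        that references it is removed as well."""
        self._trustpoints.discard(name)
        self._entries = {k: v for k, v in self._entries.items() if v != name}

    def bind(self, trustpoint, interface=None):
        """`ssl trust-point trustpoint [interface]`; without an interface this
        creates the fallback entry. One entry per interface (assumed replace)."""
        if trustpoint not in self._trustpoints:
            raise ValueError(f"trustpoint {trustpoint} is not configured")
        self._entries[interface] = trustpoint

    def unbind(self, trustpoint=None, interface=None):
        """`no ssl trust-point` removes the fallback entry only;
        `no ssl trust-point trustpoint interface` removes that interface's entry."""
        if trustpoint is None:
            self._entries.pop(None, None)
        elif self._entries.get(interface) == trustpoint:
            del self._entries[interface]

    def resolve(self, interface):
        """Certificate source an SSL server on `interface` uses: its own entry,
        else the fallback entry, else the default self-signed certificate."""
        if interface in self._entries:
            return self._entries[interface]
        if None in self._entries:
            return self._entries[None]
        return DEFAULT_CERT

    def running_config(self):
        """Lines as `show running-config ssl` would list them (sorted for stable output)."""
        lines = []
        for iface, tp in self._entries.items():
            lines.append(f"ssl trust-point {tp}" + (f" {iface}" if iface else ""))
        return sorted(lines)
```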

Related Commands

Command
Description

clear config ssl

Removes all SSL commands from the configuration, reverting to the default values.

show running-config ssl

Displays the current set of configured SSL commands.

ssl client-version

Specifies the SSL/TLS protocol version the ASA uses when acting as a client.

ssl encryption

Specifies the encryption algorithms that the SSL/TLS protocol uses.

ssl server-version

Specifies the SSL/TLS protocol version the ASA uses when acting as a server.


sso-server

To create a Single Sign-On (SSO) server for ASA user authentication, use the sso-server command in webvpn configuration mode. With this command, you must specify the SSO server type.

To remove an SSO server, use the no form of this command.

sso-server name type [siteminder | saml-v1.1-post]

no sso-server name


Note This command is required for SSO authentication.


Syntax Description


name

Specifies the name of the SSO server. Minimum of 4 characters and maximum of 31 characters.

saml-v1.1-post

Specifies that the ASA SSO server being configured is a SAML, Version 1.1, SSO server of the POST type.

siteminder

Specifies that the ASA SSO server being configured is a Computer Associates SiteMinder SSO server.

type

Specifies the type of SSO server. SiteMinder and SAML-V1.1-POST are the only types available.


Defaults

There is no default value or behavior.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The sso-server command lets you create an SSO server.

During authentication, the ASA acts as a proxy for the WebVPN user to the SSO server. The ASA currently supports the SiteMinder SSO server (formerly Netegrity SiteMinder) and the SAML POST-type SSO server. Currently, the available arguments for the type option are restricted to siteminder or saml-v1.1-post.

Examples

The following example, entered in webvpn configuration mode, creates a SiteMinder-type SSO server named "example1":

hostname(config)# webvpn
hostname(config-webvpn)# sso-server example1 type siteminder
hostname(config-webvpn-sso-siteminder)#

The following example, entered in webvpn configuration mode, creates a SAML, Version 1.1, POST-type SSO server named "example2":

hostname(config)# webvpn
hostname(config-webvpn)# sso-server example2 type saml-v1.1-post
hostname(config-webvpn-sso-saml)#

Related Commands

Command
Description

assertion-consumer-url

Identifies the URL for the SAML-type SSO assertion consumer service.

issuer

Specifies the SAML-type SSO server's security device name.

max-retry-attempts

Configures the number of times the ASA retries a failed SSO authentication attempt.

policy-server-secret

Creates a secret key used to encrypt authentication requests to a SiteMinder SSO server.

request-timeout

Specifies the number of seconds before a failed SSO authentication attempt times out.

show webvpn sso-server

Displays the operating statistics for an SSO server.

test sso-server

Tests an SSO server with a trial authentication request.

trustpoint

Specifies a trustpoint name that contains the certificate to use to sign the SAML-type browser assertion

web-agent-url

Specifies the SSO server URL to which the ASA makes SiteMinder SSO authentication requests.


sso-server value (group-policy webvpn)

To assign an SSO server to a group policy, use the sso-server value command in webvpn configuration mode available in group-policy configuration mode.

To remove the assignment and use the default policy, use the no form of this command.

To prevent inheriting the default policy, use the sso-server none command.

sso-server {value name | none}

[no] sso-server value name

Syntax Description


name

Specifies the name of the SSO server being assigned to the group policy.


Defaults

The default policy assigned to the group is DfltGrpPolicy.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

group-policy webvpn configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

The sso-server value command, when entered in group-policy webvpn mode, lets you assign an SSO server to a group policy.

Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The ASA currently supports the SiteMinder-type of SSO server and the SAML POST-type SSO server.

This command applies to both types of SSO Servers.


Note Enter the same command, sso-server value, in username-webvpn configuration mode to assign SSO servers to user policies.


Examples

The following example commands create the group policy my-sso-grp-pol and assign the SSO server named example to it:

hostname(config)# group-policy my-sso-grp-pol internal
hostname(config)# group-policy my-sso-grp-pol attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# sso-server value example
hostname(config-group-webvpn)#

Related Commands


Command
Description

policy-server-secret

Creates a secret key used to encrypt authentication requests to a SiteMinder SSO server.

show webvpn sso-server

Displays the operating statistics for all SSO servers configured on the security device.

sso-server

Creates a single sign-on server.

sso-server value (username webvpn)

Assigns an SSO server to a user policy.

web-agent-url

Specifies the SSO server URL to which the ASA makes SiteMinder-type SSO authentication requests.


sso-server value (username webvpn)

To assign an SSO server to a user policy, use the sso-server value command in webvpn configuration mode available in username configuration mode.

To remove an SSO server assignment for a user, use the no form of this command.

When a user policy inherits an unwanted SSO server assignment from a group policy, use the sso-server none command to remove the assignment.

sso-server {value name | none}

[no] sso-server value name

Syntax Description


name

Specifies the name of the SSO server being assigned to the user policy.


Defaults

The default is for the user policy to use the SSO server assignment in the group policy.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

username webvpn configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The ASA currently supports the SiteMinder-type of SSO server and the SAML POST-type SSO server.

This command applies to both types of SSO Servers.

The sso-server value command lets you assign an SSO server to a user policy.


Note Enter the same command, sso-server value, in group-webvpn configuration mode to assign SSO servers to group policies.


Examples

The following example commands assign the SSO server named my-sso-server to the user policy for a WebVPN user named Anyuser:

hostname(config)# username Anyuser attributes
hostname(config-username)# webvpn
hostname(config-username-webvpn)# sso-server value my-sso-server
hostname(config-username-webvpn)#

Related Commands

Command
Description

policy-server-secret

Creates a secret key used to encrypt authentication requests to a SiteMinder SSO server.

show webvpn sso-server

Displays the operating statistics for all SSO servers configured on the security device.

sso-server

Creates a single sign-on server.

sso-server value (config-group-webvpn)

Assigns an SSO server to a group policy.

web-agent-url

Specifies the SSO server URL to which the ASA makes SiteMinder SSO authentication requests.


start-url

To enter the URL at which to retrieve an optional pre-login cookie, use the start-url command in aaa-server-host configuration mode. This is an SSO with HTTP Forms command.

start-url string


Note To configure SSO with the HTTP protocol correctly, you must have a thorough working knowledge of authentication and HTTP protocol exchanges.


Syntax Description


string

The URL for an SSO server. The maximum URL length is 1024 characters.


Defaults

There is no default value or behavior.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server-host configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

The WebVPN server of the ASA can use an HTTP POST request to submit a single sign-on authentication request to an authenticating web server. The authenticating web server may execute a pre-login sequence by sending a Set-Cookie header along with the login page content. You can discover this by connecting directly to the authenticating web server's login page with your browser. If the web server sets a cookie when the login page loads and if this cookie is relevant for the following login session, you must use the start-url command to enter the URL at which the cookie is retrieved. The actual login sequence starts after the pre-login cookie sequence with the form submission to the authenticating web server.


Note The start-url command is only required in the presence of the pre-login cookie exchange.


Examples

The following example, entered in aaa-server host configuration mode, specifies https://example.com/east/Area.do?Page=Grp1 as the URL for retrieving the pre-login cookie:

hostname(config)# aaa-server testgrp1 (inside) host example.com
hostname(config-aaa-server-host)# start-url https://example.com/east/Area.do?Page=Grp1
hostname(config-aaa-server-host)# 

Related Commands

Command
Description

action-uri

Specifies a web server URI to receive a username and password for single sign-on authentication.

auth-cookie-name

Specifies a name for the authentication cookie.

hidden-parameter

Creates hidden parameters for exchange with the authenticating web server.

password-parameter

Specifies the name of the HTTP POST request parameter in which a user password must be submitted for SSO authentication.

user-parameter

Specifies the name of the HTTP POST request parameter in which a username must be submitted for SSO authentication.


state-checking

To enforce state checking for H.323, use the state-checking command in parameters configuration mode. To disable this feature, use the no form of this command.

state-checking [h225 | ras]

no state-checking [h225 | ras]

Syntax Description

h225

Enforces state checking for H.225.

ras

Enforces state checking for RAS.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Examples

The following example shows how to enforce state checking for RAS on an H.323 call:

hostname(config)# policy-map type inspect h323 h323_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# state-checking ras

Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Displays all current policy map configurations.


strict-header-validation

To enable strict validation of the header fields in the SIP messages according to RFC 3261, use the strict-header-validation command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.

strict-header-validation action {drop | drop-connection | reset | log} [log]

no strict-header-validation action {drop | drop-connection | reset | log} [log]

Syntax Description

drop

Drops the packet if a violation occurs.

drop-connection

Drops the connection if a violation occurs.

reset

Resets the connection if a violation occurs.

log

Specifies standalone or additional log in case of violation. It can be associated to any of the actions.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Examples

The following example shows how to enable strict validation of SIP header fields in a SIP inspection policy map:

hostname(config)# policy-map type inspect sip sip_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# strict-header-validation action log

Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Displays all current policy map configurations.


strict-http

To allow forwarding of non-compliant HTTP traffic, use the strict-http command in HTTP map configuration mode, which is accessible using the http-map command. To reset this feature to its default behavior, use the no form of the command.

strict-http action {allow | reset | drop} [log]

no strict-http action {allow | reset | drop} [log]

Syntax Description

action

The action taken when a message fails this command inspection.

allow

Allows the message.

drop

Closes the connection.

log

(Optional) Generates a syslog message.

reset

Closes the connection with a TCP reset message to client and server.


Defaults

This command is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

HTTP map configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Although strict HTTP inspection cannot be disabled, the strict-http action allow command causes the ASA to allow forwarding of non-compliant HTTP traffic. This command overrides the default behavior, which is to deny forwarding of non-compliant HTTP traffic.

Examples

The following example allows forwarding of non-compliant HTTP traffic:

hostname(config)# http-map inbound_http
hostname(config-http-map)# strict-http action allow
hostname(config-http-map)#

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug appfw

Displays detailed information about traffic associated with enhanced HTTP inspection.

http-map

Defines an HTTP map for configuring enhanced HTTP inspection.

inspect http

Applies a specific HTTP map to use for application inspection.

policy-map

Associates a class map with specific security actions.


strip-group

This command applies only to usernames received in the form user@realm. A realm is an administrative domain appended to a username with the "@" delimiter (juser@abc).

To enable or disable strip-group processing, use the strip-group command in tunnel-group general-attributes mode. The ASA selects the tunnel group for IPsec connections by obtaining the group name from the username presented by the VPN client. When strip-group processing is enabled, the ASA sends only the user part of the username for authorization/authentication. Otherwise (if disabled), the ASA sends the entire username including the realm.

To disable strip-group processing, use the no form of this command.

strip-group

no strip-group

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting for this command is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group general attributes configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

You can apply this attribute only to the IPsec remote access tunnel-type.


Note Because of a limitation of MSCHAPv2, you cannot perform tunnel group switching when MSCHAPv2 is used for PPP authentication. The hash computation during MSCHAPv2 is bound to the username string (such as user + delimit + group).


Examples

The following example configures a remote access tunnel group named "remotegrp" for type IPsec remote access, then enters general configuration mode, sets the tunnel group named "remotegrp" as the default group policy, and then enables strip group for that tunnel group:

hostname(config)# tunnel-group remotegrp type IPSec_ra
hostname(config)# tunnel-group remotegrp general
hostname(config-tunnel-general)# default-group-policy remotegrp
hostname(config-tunnel-general)# strip-group

Related Commands

Command
Description

clear-configure tunnel-group

Clears all configured tunnel groups.

group-delimiter

Enables group-name parsing and specifies the delimiter to be used when parsing group names from the user names that are received when tunnels are being negotiated.

show running-config tunnel group

Shows the tunnel group configuration for all tunnel groups or for a particular tunnel group.

tunnel-group general-attributes

Specifies the general attributes for the named tunnel-group.


strip-realm

To enable or disable strip-realm processing, use the strip-realm command in tunnel-group general-attributes configuration mode. Strip-realm processing removes the realm from the username when sending the username to the authentication or authorization server. A realm is an administrative domain appended to a username with the @ delimiter (username@realm). If the command is enabled, the ASA sends only the user part of the username authorization/authentication. Otherwise, the ASA sends the entire username.

To disable strip-realm processing, use the no form of this command.

strip-realm

no strip-realm

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting for this command is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group general attributes configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

You can apply this attribute only to the IPsec remote access tunnel-type.

Examples

The following example configures a remote access tunnel group named "remotegrp" for type IPsec remote access, then enters general configuration mode, sets the tunnel group named "remotegrp" as the default group policy, and then enables strip realm for that tunnel group:

hostname(config)# tunnel-group remotegrp type IPSec_ra
hostname(config)# tunnel-group remotegrp general
hostname(config-tunnel-general)# default-group-policy remotegrp
hostname(config-tunnel-general)# strip-realm

Related Commands

Command
Description

clear configure tunnel-group

Clears all configured tunnel groups or the specified tunnel-group.

show running-config tunnel-group

Shows the current tunnel-group configuration.

tunnel-group general-attributes

Specifies the general attributes for the named tunnel-group.


storage-key

To specify a storage key to protect the data stored between sessions, use the storage-key command in group-policy webvpn configuration mode. To remove this command from the configuration, use the no version of this command.

storage-key {none | value string}

no storage-key

Syntax Description

string

Specifies a string to use as the value of the storage key. This string can be up to 64 characters long.


Defaults

The default is none.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

While you can use any character except spaces in the storage key value, we recommend using only the standard alphanumeric character set: 0 through 9 and a through z.

Examples

The following example sets the storage key to the value abc123:

hostname(config)# group-policy test attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# storage-key value abc123

Related Commands

Command
Description

storage-objects

Configures storage objects for the data stored between sessions.


storage-objects

To specify which storage objects to use for the data stored between sessions, use the storage-objects command in group-policy webvpn configuration mode. To remove this command from the configuration, use the no version of this command.

storage-objects {none | value string}

no storage-objects

Syntax Description

string

Specifies the name of the storage objects. This string can be up to 64 characters long.


Defaults

The default is none.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy webvpn configuration mode


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

While you can use any character except spaces and commas in the storage object name, we recommend using only the standard alphanumeric character set: 0 through 9 and a through z. Use a comma, with no space, to separate the names of storage objects in the string.

Examples

The following example sets the storage object names to cookies and xyz456:

hostname(config)# group-policy test attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# storage-objects value cookies,xyz456

Related Commands

Command
Description

storage-key

Configures storage key to use for the data stored between sessions.

user-storage

Configures a location for storing user data between sessions


subject-name (crypto ca certificate map)

To indicate that the rule entry is applied to the subject DN of the IPsec peer certificate, use the subject-name command in crypto ca certificate map configuration mode. To remove a subject-name rule, use the no form of the command.

subject-name [attr tag] {eq | ne | co | nc} string

no subject-name [attr tag] {eq | ne | co | nc} string

Syntax Description

attr tag

Indicates that only the specified attribute value from the certificate DN will be compared to the rule entry string. The tag values are as follows:

DNQ = DN qualifier
GENQ = Generational qualifier
I = Initials
GN = Given name
N = Name
SN = Surname
IP = IP address
SER = Serial number
UNAME = Unstructured name
EA = Email address
T = Title
O = Organization Name
L = Locality
SP = State/Province
C = Country
OU = Organizational unit
CN = Common name

co

Specifies that the rule entry string must be a substring in the DN string or indicated attribute.

eq

Specifies that the DN string or indicated attribute must match the entire rule string.

nc

Specifies that the rule entry string must not be a substring in the DN string or indicated attribute.

ne

Specifies that the DN string or indicated attribute must not match the entire rule string.

string

Specifies the value to be matched.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca certificate map configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following example enters the CA certificate map mode for certificate map 1 and creates a rule entry indicating that the Organization attribute of the certificate subject name must be equal to Central.

hostname(config)# crypto ca certificate map 1
hostname(ca-certificate-map)# subject-name attr o eq central
hostname(ca-certificate-map)# exit

Related Commands

Command
Description

crypto ca certificate map

Enters CA certificate map mode.

issuer-name

Identifies the DN from the CA certificate that is to be compared to the rule entry string.

tunnel-group-map

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.


subject-name (crypto ca trustpoint)

To include the indicated subject DN in the certificate during enrollment, use the subject-name command in crypto ca trustpoint configuration mode. This is the person or system that uses the certificate. To restore the default setting, use the no form of the command.

subject-name X.500_name

no subject-name

Syntax Description

X.500_name

Defines the X.500 distinguished name. Use commas to separate attribute-value pairs. Insert quotation marks around any value that contains commas or spaces. For example: cn=crl,ou=certs,o="cisco systems, inc.",c=US. The maximum length is 500 characters.


Defaults

The default setting is not to include the subject name.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, sets up automatic enrollment at the URL http://frog.phoobin.com/, and includes the subject DN ou=certs in the enrollment request for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# enrollment url http://frog.phoobin.com/ 
hostname(ca-trustpoint)# subject-name ou=certs
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns enrollment parameters to their defaults.

enrollment url

Specifies the URL for enrolling with a CA.


subject-name-default

To specify a generic subject-name distinguished name (DN) to be appended to the username in all user certificates issued by the local CA server, use the subject-name-default command in CA server configuration mode. To reset the subject-name DN to the default value, use the no form of this command.

subject-name-default dn

no subject-name-default

Syntax Description

dn

Specifies the generic subject-name DN included with a username in all user certificates issued by the local CA server. Supported DN attributes are cn (common name), ou (organizational unit), ol (organization locality), st (state), ea (e-mail address), c (company), t (title), and sn (surname). Use commas to separate attribute-value pairs. Insert quotation marks around any value that contains a comma. The dn can be up to 500 characters.


Defaults

This command is not part of the default configuration. This command specifies the default DN in the certificate. The ASA ignores this command if the user entry has a DN.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CA server configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The subject-name-default command specifies a common, generic DN to be used with a username to form a subject name for issued certificates. The dn value cn=username is sufficient for this purpose. This command eliminates the need to define a subject-name DN specifically for each user. The DN field is optional when a user is added using the crypto ca server user-db add dn dn command.

The ASA uses this command only when issuing certificates if a user entry does not specify a DN.
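A model of the DN handling this reference describes, written as an added example rather than Cisco code: the X.500_name quoting rule (comma-separated attribute=value pairs, values with commas or spaces in quotation marks), the cn=username plus generic DN composition of subject-name-default, and the eq/ne/co/nc rule semantics of the certificate map subject-name command. Case-insensitive comparison, ne/nc as the negations of eq/co, the SP/SER tag aliases and AND across the rules of one map entry are assumptions, not documented behavior.

```python
# Added example (not Cisco code): a small model of the DN handling this reference describes.
# parse_dn/format_dn follow the X.500_name quoting rule, issued_subject composes a subject
# the way subject-name-default does (cn=<username> plus the generic DN; ordering assumed),
# and parse_rule/evaluate implement crypto ca certificate map subject-name rules.
# Assumptions: matching is case-insensitive, and ne/nc are the negations of eq/co.
from dataclasses import dataclass
from typing import List, Optional, Tuple

DnPairs = List[Tuple[str, str]]

# Rule attribute tags that differ from the DN tag they select (assumed aliases;
# every other tag, such as CN, O, OU, C, L, is used as-is after lowercasing).
ATTR_ALIASES = {"sp": "st", "ser": "serialnumber"}


def parse_dn(dn: str) -> DnPairs:
    """Split 'tag=value,tag=value' into (tag, value) pairs, honouring quoted values."""
    pairs: DnPairs = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.find("=", i)
        if eq < 0:
            raise ValueError(f"missing '=' in DN component at offset {i}")
        tag = dn[i:eq].strip().lower()
        if not tag:
            raise ValueError(f"empty attribute tag at offset {i}")
        j = eq + 1
        if j < n and dn[j] == '"':
            end = dn.find('"', j + 1)
            if end < 0:
                raise ValueError("unterminated quoted value")
            value = dn[j + 1:end]
            i = end + 1
            if i < n and dn[i] != ",":
                raise ValueError(f"unexpected text after quoted value at offset {i}")
            i += 1
        else:
            end = dn.find(",", j)
            if end < 0:
                end = n
            value = dn[j:end].strip()
            i = end + 1
        pairs.append((tag, value))
    return pairs


def format_dn(pairs: DnPairs) -> str:
    """Inverse of parse_dn: quote any value that contains a comma or a space."""
    parts = []
    for tag, value in pairs:
        if "," in value or " " in value:
            value = f'"{value}"'
        parts.append(f"{tag}={value}")
    return ",".join(parts)


def issued_subject(username: str, default_dn: str, user_dn: Optional[str] = None) -> str:
    """Subject DN for a local-CA user certificate: a DN on the user entry wins,
    otherwise cn=<username> is combined with the subject-name-default DN."""
    if user_dn:
        return format_dn(parse_dn(user_dn))
    return format_dn([("cn", username)] + parse_dn(default_dn))


@dataclass(frozen=True)
class SubjectRule:
    op: str                     # eq | ne | co | nc
    value: str                  # rule entry string
    attr: Optional[str] = None  # None: compare against the whole subject DN string


def parse_rule(line: str) -> SubjectRule:
    """Parse the CLI form 'subject-name [attr tag] {eq | ne | co | nc} string'."""
    tokens = line.strip().split()
    if not tokens or tokens[0].lower() != "subject-name":
        raise ValueError("not a subject-name rule")
    tokens = tokens[1:]
    attr = None
    if tokens and tokens[0].lower() == "attr":
        if len(tokens) < 2:
            raise ValueError("attr keyword needs a tag")
        attr, tokens = tokens[1], tokens[2:]
    if len(tokens) < 2 or tokens[0].lower() not in ("eq", "ne", "co", "nc"):
        raise ValueError("expected '{eq|ne|co|nc} string'")
    return SubjectRule(tokens[0].lower(), " ".join(tokens[1:]), attr)


def evaluate(rule: SubjectRule, subject: DnPairs) -> bool:
    """True when the rule entry matches the certificate subject."""
    needle = rule.value.lower()
    if rule.attr is None:
        candidates = [format_dn(subject).lower()]
    else:
        tag = ATTR_ALIASES.get(rule.attr.lower(), rule.attr.lower())
        candidates = [value.lower() for t, value in subject if t == tag]
    equal = any(c == needle for c in candidates)
    contains = any(needle in c for c in candidates)
    return {"eq": equal, "ne": not equal, "co": contains, "nc": not contains}[rule.op]


def certificate_map_matches(rules: List[str], subject_dn: str) -> bool:
    """A certificate map entry matches only when every rule in it matches (assumed AND)."""
    subject = parse_dn(subject_dn)
    return all(evaluate(parse_rule(r), subject) for r in rules)


if __name__ == "__main__":
    # Constructed sample subject, matched against the reference's own example rule.
    print(certificate_map_matches(["subject-name attr o eq central"], "cn=alice,o=Central,c=US"))
```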

Examples

The following example specifies a DN:

hostname(config)# crypto ca server
hostname(config-ca-server)# subject-name-default cn=cisco,cn=example_corp,ou=eng,st=ma,c="cisco systems, inc."
hostname(config-ca-server)# 

Related Commands

Command
Description

crypto ca server

Provides access to CA Server Configuration mode CLI command set, which allows you to configure and manage a local CA.

issuer-name

Specifies the subject-name DN of the certificate authority certificate.

keysize

Specifies the size of the public and private keys generated at user certificate enrollment.

lifetime

Specifies the lifetime of the CA certificate, issued certificates, or the CRL.


subnet

To configure a subnet for a network object, use the subnet command in object configuration mode. Use the no form of this command to remove the object from the configuration.

subnet {ipv4_net_addr net_mask | ipv6_prefix/mask}

no subnet {ipv4_net_addr net_mask | ipv6_prefix/mask}

Syntax Description

ipv4_net_addr

Specifies the IPv4 network address.

net_mask

Specifies the subnet mask.

ipv6_prefix/mask

Specifies the IPv6 prefix and mask.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Object network configuration


Command History

Release
Modification

8.3(1)

This command was introduced.


Usage Guidelines

If you configure an existing network object with a different IP address, the new configuration will replace the existing configuration.

Examples

The following example shows how to create a subnet network object:

hostname(config)# object network OBJECT_SUBNET
hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0

Related Commands

Command
Description

clear configure object

Clears all objects created.

description

Adds a description to the network object.

fqdn

Specifies a fully-qualified domain name network object.

host

Specifies a host network object.

nat

Enables NAT for the network object.

object network

Creates a network object.

object-group network

Creates a network object group.

range

Specifies a range of addresses for the network object.

show running-config object network

Shows the network object configuration.


summary-address (OSPF)

To create aggregate addresses for OSPF, use the summary-address command in router configuration mode. To remove the summary address or specific summary address options, use the no form of this command.

summary-address addr mask [not-advertise] [tag tag_value]

no summary-address addr mask [not-advertise] [tag tag_value]

Syntax Description

addr

Value of the summary address that is designated for a range of addresses.

mask

IP subnet mask that is used for the summary route.

not-advertise

(Optional) Suppresses routes that match the specified prefix/mask pair.

tag tag_value

(Optional) A 32-bit decimal value attached to each external route. This value is not used by OSPF itself. It may be used to communicate information between ASBRs. If none is specified, then the remote autonomous system number is used for routes from BGP and EGP; for other protocols, zero (0) is used. Valid values range from 0 to 4294967295.


Defaults

The defaults are as follows:

tag_value is 0.

Routes that match the specified prefix/mask pair are not suppressed.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Routes learned from other routing protocols can be summarized. Using this command for OSPF causes an OSPF Autonomous System Boundary Router (ASBR) to advertise one external route as an aggregate for all redistributed routes that are covered by the address. This command summarizes only routes from other routing protocols that are being redistributed into OSPF. Use the area range command for route summarization between OSPF areas.

To remove a summary-address command from the configuration, use the no form of the command without specifying any of the optional keywords or arguments. To remove an option from a summary command in the configuration, use the no form of the command with the options that you want removed. See the "Examples" section for more information.

Examples

The following example configures route summarization with a tag set to 3:

hostname(config-router)# summary-address 1.1.0.0 255.255.0.0 tag 3
hostname(config-router)#

The following example shows how to use the no form of the summary-address command with an option to set that option back to the default value. In this example, the tag value, set to 3 in the previous example, is removed from the summary-address command.

hostname(config-router)# no summary-address 1.1.0.0 255.255.0.0 tag 3
hostname(config-router)#

The following example removes the summary-address command from the configuration:

hostname(config-router)# no summary-address 1.1.0.0 255.255.0.0
hostname(config-router)#
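To make the summarization behavior described above concrete, this added example (not Cisco code) models what an ASBR would originate for a set of redistributed external routes under a table of summary-address entries: covered routes collapse into one aggregate carrying the entry's tag, a not-advertise entry suppresses its covered routes, and uncovered routes are advertised individually; it also shows the option-only no form resetting just the tag. Longest-prefix selection among overlapping entries is an assumption.

```python
# Added example (not Cisco code): model the summary-address (OSPF) behavior this page
# describes for redistributed external routes. Longest-prefix match among overlapping
# summary entries is assumed; sample prefixes and tags below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

MAX_TAG = 4294967295  # tag_value range per the reference: 0 to 4294967295


@dataclass(frozen=True)
class SummaryAddress:
    """One 'summary-address addr mask [not-advertise] [tag tag_value]' entry."""
    addr: str
    mask: str
    not_advertise: bool = False  # default: matching routes are not suppressed
    tag: int = 0                 # default tag_value is 0

    def __post_init__(self) -> None:
        if not 0 <= self.tag <= MAX_TAG:
            raise ValueError(f"tag {self.tag} outside 0..{MAX_TAG}")
        ipaddress.IPv4Network(f"{self.addr}/{self.mask}")  # reject a bad addr/mask early

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.addr}/{self.mask}")


def advertised_externals(redistributed: Dict[str, int],
                         summaries: List[SummaryAddress]) -> Dict[str, int]:
    """Return {prefix: tag} for the external routes the ASBR would advertise.

    redistributed maps each redistributed prefix to the tag it already carries.
    Routes suppressed by a not-advertise entry are absent from the result."""
    advertised: Dict[str, int] = {}
    for prefix, tag in redistributed.items():
        net = ipaddress.IPv4Network(prefix)
        covering = [s for s in summaries if net.subnet_of(s.network)]
        if not covering:
            advertised[str(net)] = tag  # no summary applies: advertised as-is
            continue
        entry = max(covering, key=lambda s: s.network.prefixlen)
        if entry.not_advertise:
            continue  # suppressed by not-advertise
        # One aggregate for every covered route, carrying the entry's tag.
        advertised[str(entry.network)] = entry.tag
    return advertised


def remove_option(entry: SummaryAddress, tag: bool = False,
                  not_advertise: bool = False) -> SummaryAddress:
    """'no summary-address addr mask [tag tag_value] [not-advertise]': resets only
    the named options to their defaults and keeps the summary itself."""
    return SummaryAddress(entry.addr, entry.mask,
                          not_advertise=False if not_advertise else entry.not_advertise,
                          tag=0 if tag else entry.tag)


if __name__ == "__main__":
    table = [SummaryAddress("1.1.0.0", "255.255.0.0", tag=3),
             SummaryAddress("10.0.0.0", "255.0.0.0", not_advertise=True)]
    externals = {"1.1.1.0/24": 0, "1.1.2.0/24": 0, "10.1.0.0/16": 0, "192.168.5.0/24": 7}
    print(advertised_externals(externals, table))
```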

Related Commands

Command
Description

area range

Consolidates and summarizes routes at an area boundary.

router ospf

Enters router configuration mode.

show ospf summary-address

Displays the summary address settings for each OSPF routing process.


summary-address (EIGRP)

To configure a summary for EIGRP on a specific interface, use the summary-address command in interface configuration mode. To remove the summary address, use the no form of this command.

summary-address as-number addr mask [admin-distance]

no summary-address as-number addr mask

Syntax Description

as-number

The autonomous system number. This must be the same as the autonomous system number of your EIGRP routing process.

addr

The summary IP address.

mask

The subnet mask to apply to the IP address.

admin-distance

(Optional) The administrative distance of the summary route. Valid values are from 0 to 255. If not specified, the default value is 5.


Defaults

The defaults are as follows:

EIGRP automatically summarizes routes to the network level, even for a single host route.

The administrative distance of EIGRP summary routes is 5.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

By default, EIGRP summarizes subnet routes to the network level. Use the no auto-summary command to disable automatic route summarization. Using the summary-address command lets you manually define subnet route summaries on a per-interface basis.

Examples

The following example configures a summary address for EIGRP autonomous system 100 on the current interface (100 is a sample AS number; it must match the AS number of your EIGRP routing process):

hostname(config-if)# summary-address 100 1.1.0.0 255.255.0.0
hostname(config-if)#

The following example removes the summary address from the configuration:

hostname(config-if)# no summary-address 100 1.1.0.0 255.255.0.0
hostname(config-if)#

Related Commands

Command
Description

auto-summary

Automatically creates summary addresses for the EIGRP routing process.


sunrpc-server

To create entries in the SunRPC services table, use the sunrpc-server command in global configuration mode. To remove SunRPC services table entries from the configuration, use the no form of this command.

sunrpc-server ifc_name ip_addr mask service service_type protocol {tcp | udp} port port[-port] timeout hh:mm:ss

no sunrpc-server ifc_name ip_addr mask service service_type protocol {tcp | udp} port port[-port] timeout hh:mm:ss

no sunrpc-server active service service_type server ip_addr

Syntax Description

ifc_name

Server interface name.

ip_addr

SunRPC server IP address.

mask

Network mask.

port port[-port]

Specifies the SunRPC protocol port range.

-port

(Optional) Specifies the upper end of the SunRPC protocol port range.

protocol tcp

Specifies the SunRPC transport protocol.

protocol udp

Specifies the SunRPC transport protocol.

service

Specifies a service.

service_type

Sets the SunRPC service program number as specified in the sunrpcinfo command.

timeout hh:mm:ss

Specifies the timeout idle time after which the access for the SunRPC service traffic is closed.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The SunRPC services table is used to allow SunRPC traffic through the ASA based on an established SunRPC session for the duration specified by the timeout.

Examples

The following example shows how to create a SunRPC services table:

hostname(config)# sunrpc-server outside 10.0.0.1 255.0.0.0 service 100003 protocol TCP port 111 timeout 0:11:00
hostname(config)# sunrpc-server outside 10.0.0.1 255.0.0.0 service 100005 protocol TCP port 111 timeout 0:11:00

Related Commands

Command
Description

clear configure sunrpc-server

Clears the Sun remote processor call services from the ASA.

show running-config sunrpc-server

Displays the information about the SunRPC configuration.


support-user-cert-validation

To validate a remote user certificate based on the current trustpoint, provided that this trustpoint is authenticated to the CA that issued the remote certificate, use the support-user-cert-validation command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.

support-user-cert-validation

no support-user-cert-validation

Syntax Description

This command has no arguments or keywords.


Defaults

The default setting is to support user certificate validation.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The ASA can have two trustpoints with the same CA resulting in two different identity certificates from the same CA. This option is automatically disabled if the trustpoint is authenticated to a CA that is already associated with another trustpoint that has enabled this feature. This prevents ambiguity in the choice of path-validation parameters. If the user attempts to activate this feature on a trustpoint that has been authenticated to a CA already associated with another trustpoint that has enabled this feature, the action is not permitted. No two trustpoints can have this setting enabled and be authenticated to the same CA.

Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and enables the trustpoint central to accept user validation:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# support-user-cert-validation
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns enrollment parameters to their defaults.


sw-module module password-reset

To reset the password on the software module to the default value, "cisco," use the sw-module module password-reset command in privileged EXEC mode.

sw-module module ips password-reset

Syntax Description

ips

Specifies the module ID; currently ips is the only supported module.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.6(1)

This command was introduced.


Usage Guidelines

The default password is cisco. After resetting the password, you should change it to a unique value using the module application. Resetting the module password causes the module to reboot. Services are not available while the module is rebooting, which may take several minutes. You can run the show module command to monitor the module state.

The command always prompts for confirmation. If the command succeeds, no other output appears. If the command fails, an error message appears that explains why the failure occurred.

This command is only valid when the module is in the Up state.

Examples

The following example resets the password on the IPS software module:

hostname# sw-module module ips password-reset
Reset the password on module ips? [confirm] y

Related Commands

Command
Description

sw-module module recover

Recovers a module by loading a recovery image from disk.

sw-module module reload

Reloads the module software.

sw-module module reset

Shuts down and reloads the module.

sw-module module shutdown

Shuts down the module software in preparation for being powered off without losing configuration data.

show module

Shows module information.


sw-module module recover

To load a recovery software image from disk for a software module, or to configure the image location, use the sw-module module recover command in privileged EXEC mode. You might need to recover a module using this command if, for example, the module is unable to load the current image.

sw-module module ips recover {boot | stop | configure image path}

Syntax Description

ips

Specifies the module ID; currently ips is the only supported module.

boot

Initiates recovery of this module and downloads a recovery image according to the configured settings. The module then reboots from the new image.

configure image path

Configures the new image location on the local disk, for example, disk0:image2.

stop

Stops the recovery action. The module boots from the original image. You must enter this command within 30 seconds after starting recovery using the sw-module module ips recover boot command. If you issue the stop command after this period, it might cause unexpected results, such as the module becoming unresponsive.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.6(1)

This command was introduced.


Usage Guidelines

If the module suffers a failure, and the module application image cannot run, you can reinstall a new image on the module from the local disk.

This command is only available when the module is in the Up, Down, Unresponsive, or Recovery state. See the show module command for state information. If the module is not in an Up state, the ASA forcefully shuts down the module. A forced shutdown destroys the old module disk image, including any configuration, and should only be used as a disaster recovery mechanism.

You can view the recovery configuration using the show module ips recover command.


Note Do not use the upgrade command within the module software to install the image.


Examples

The following example sets the module to download an image from disk0:image2:

hostname# sw-module module ips recover configure image disk0:image2

The following example recovers the module:

hostname# sw-module module ips recover boot
The module in slot ips will be recovered.  This may
erase all configuration and all data on that device and
attempt to download a new image for it.
Recover module in slot ips? [confirm]

Related Commands

Command
Description

debug module-boot

Shows debug messages about the module booting process.

sw-module module reset

Shuts down a module and performs a reset.

sw-module module reload

Reloads the module software.

sw-module module shutdown

Shuts down the module software in preparation for being powered off without losing configuration data.

show module

Shows module information.


sw-module module reload

To reload module software for a software module, use the sw-module module reload command in privileged EXEC mode.

sw-module module ips reload

Syntax Description

ips

Specifies the module ID; currently ips is the only supported module.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.6(1)

This command was introduced.


Usage Guidelines

This command differs from the sw-module module reset command, which also performs a reset before reloading the module.

This command is only valid when the module status is Up. See the show module command for state information.

Examples

The following example reloads the IPS module:

hostname# sw-module module ips reload
Reload module in slot ips? [confirm] y
Reload issued for module in slot ips
%XXX-5-505002: Module in slot ips is reloading.  Please wait...
%XXX-5-505006: Module in slot ips is Up.

Related Commands

Command
Description

debug module-boot

Shows debug messages about the module booting process.

sw-module module recover

Recovers a module by loading a recovery image from disk.

sw-module module reset

Shuts down a module and performs a reset.

sw-module module shutdown

Shuts down the module software in preparation for being powered off without losing configuration data.

show module

Shows module information.


sw-module module reset

To reset the module and then reload the module software, use the sw-module module reset command in privileged EXEC mode.

sw-module module ips reset

Syntax Description

ips

Specifies the module ID; currently ips is the only supported module.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.6(1)

This command was introduced.


Usage Guidelines

When the module is in an Up state, the sw-module module reset command prompts you to shut down the software before resetting.

You can recover a module using the sw-module module recover command. If you enter the sw-module module reset command while the module is in a Recover state, the module does not interrupt the recovery process. The sw-module module reset command performs a reset of the module, and the module recovery continues after the reset. You might want to reset the module during recovery if the module hangs; a reset might resolve the issue.

This command differs from the sw-module module reload command, which only reloads the software and does not perform a reset.

This command is only valid when the module status is Up, Down, Unresponsive, or Recover. See the show module command for state information.

Examples

The following example resets an IPS module that is in the Up state:

hostname# sw-module module ips reset
The module in slot ips should be shut down before
resetting it or loss of configuration may occur.
Reset module in slot ips? [confirm] y
Reset issued for module in slot ips
%XXX-5-505001: Module in slot ips is shutting down.  Please wait...
%XXX-5-505004: Module in slot ips shutdown is complete.
%XXX-5-505003: Module in slot ips is resetting.  Please wait...
%XXX-5-505006: Module in slot ips is Up.

Related Commands

Command
Description

debug module-boot

Shows debug messages about the module booting process.

sw-module module recover

Recovers a module by loading a recovery image from disk.

sw-module module reload

Reloads the module software.

sw-module module shutdown

Shuts down the module software in preparation for being powered off without losing configuration data.

show module

Shows module information.


sw-module module shutdown

To shut down the module software, use the sw-module module shutdown command in privileged EXEC mode.

sw-module module ips shutdown

Syntax Description

ips

Specifies the module ID; currently ips is the only supported module.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.6(1)

This command was introduced.


Usage Guidelines

Shutting down the module software prepares the module to be safely powered off without losing configuration data.

This command is only valid when the module status is Up or Unresponsive. See the show module command for state information.

Examples

The following example shuts down an IPS module:

hostname# sw-module module ips shutdown
Shutdown module in slot ips? [confirm] y
Shutdown issued for module in slot ips
hostname#
%XXX-5-505001: Module in slot ips is shutting down.  Please wait...
%XXX-5-505004: Module in slot ips shutdown is complete.

Related Commands

Command
Description

debug module-boot

Shows debug messages about the module booting process.

sw-module module recover

Recovers a module by loading a recovery image from disk.

sw-module module reload

Reloads the module software.

sw-module module reset

Shuts down a module and performs a reset.

show module

Shows module information.


sw-module module uninstall

To uninstall a software module image and associated configuration, use the sw-module module uninstall command in privileged EXEC mode.

sw-module module ips uninstall

Syntax Description

ips

Specifies the module ID; currently ips is the only supported module.


Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

8.6(1)

We introduced this command.


Usage Guidelines

This command permanently uninstalls the software module image and associated configuration.

Examples

The following example uninstalls the IPS module image and configuration:

hostname# sw-module module ips uninstall
Module ips will be uninstalled. This will completely remove the
disk image associated with the sw-module including any configuration
that existed within it.
Uninstall module <id>? [confirm]

Related Commands

Command
Description

debug module-boot

Shows debug messages about the module booting process.

sw-module module recover

Recovers a module by loading a recovery image from disk.

sw-module module reload

Reloads the module software.

sw-module module reset

Shuts down a module and performs a reset.

show module

Shows module information.


switchport access vlan

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the switchport access vlan command in interface configuration mode to assign a switch port to a VLAN.

switchport access vlan number

no switchport access vlan number

Syntax Description

vlan number

Specifies the VLAN ID to which you want to assign this switch port. The VLAN ID is between 1 and 4090.


Defaults

By default, all switch ports are assigned to VLAN 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

In transparent firewall mode, you can configure two active VLANs in the ASA 5505 adaptive security appliance Base license and three active VLANs in the Security Plus license, one of which must be for failover.

In routed mode, you can configure up to three active VLANs in the ASA 5505 adaptive security appliance Base license, and up to 20 active VLANs with the Security Plus license.

An active VLAN is a VLAN with a nameif command configured.

You can assign one or more physical interfaces to each VLAN using the switchport access vlan command. By default, the VLAN mode of the interface is to be an access port (one VLAN associated with the interface). If you want to create a trunk port to pass multiple VLANs on the interface, use the switchport mode trunk command to change the mode to trunk mode, and then use the switchport trunk allowed vlan command.

Examples

The following example assigns five physical interfaces to three VLAN interfaces:

hostname(config-if)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown
...

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

show running-config interface

Shows the interface configuration in the running configuration.

switchport mode

Sets the VLAN mode to be access or trunk.

switchport protected

Prevents a switch port from communicating with other switch ports on the same VLAN for extra security.

switchport trunk allowed vlan

Assigns VLANs to a trunk port.


switchport mode

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the switchport mode command in interface configuration mode to set the VLAN mode to either access (the default) or trunk.

switchport mode {access | trunk}

no switchport mode {access | trunk}

Syntax Description

access

Sets the switch port to access mode, which allows the switch port to pass traffic for only one VLAN. Packets exit the switch port without an 802.1Q VLAN tag. If a packet enters the switch port with a tag, the packet is dropped.

trunk

Sets the switch port to trunk mode, so it can pass traffic for multiple VLANs. Packets exit the switch port with an 802.1Q VLAN tag. If a packet enters the switch port without a tag, the packet is dropped.


Defaults

By default, the mode is access.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.2(1)

This command was introduced.

7.2(2)

You can now configure multiple trunk ports, rather than being limited to one trunk.


Usage Guidelines

By default, the VLAN mode of the switch port is to be an access port (one VLAN associated with the switch port). In access mode, assign a switch port to a VLAN using the switchport access vlan command. If you want to create a trunk port to pass multiple VLANs on the switch port, set the mode to trunk mode, and then use the switchport trunk allowed vlan command to assign multiple VLANs to the trunk. If you set the mode to trunk mode, and you have not yet configured the switchport trunk allowed vlan command, the switch port remains in "line protocol down" state and cannot participate in traffic forwarding. Trunk mode is available only with the Security Plus license.

The switchport access vlan command does not take effect unless the mode is set to access mode. The switchport trunk allowed vlan command does not take effect unless the mode is set to trunk mode.

Examples

The following example configures an access mode switch port assigned to VLAN 100, and a trunk mode switch port assigned to VLANs 200 and 300:

hostname(config-if)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport mode trunk
hostname(config-if)# switchport trunk allowed vlan 200,300
hostname(config-if)# no shutdown
...

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

show running-config interface

Shows the interface configuration in the running configuration.

switchport access vlan

Assigns the switch port to a VLAN.

switchport protected

Prevents a switch port from communicating with other switch ports on the same VLAN for extra security.

switchport trunk allowed vlan

Assigns VLANs to a trunk port.


switchport monitor

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the switchport monitor command in interface configuration mode to enable SPAN, also known as switch port monitoring. The port for which you enter this command (called the destination port) receives a copy of every packet transmitted or received on the specified source port. The SPAN feature lets you attach a sniffer to the destination port so you can monitor traffic. You can specify multiple source ports by entering this command multiple times. You can only enable SPAN for one destination port. To disable monitoring of a source port, use the no form of this command.

switchport monitor source_port [tx | rx | both]

no switchport monitor source_port [tx | rx | both]

Syntax Description

source_port

Specifies the port you want to monitor. You can specify any Ethernet port as well as the Internal-Data0/1 backplane port that passes traffic between VLAN interfaces. Because the Internal-Data0/1 port is a Gigabit Ethernet port, you might overload the Fast Ethernet destination port with traffic. Monitor the port Internal-Data0/1 with caution.

tx

(Optional) Specifies that only transmitted traffic is monitored.

rx

(Optional) Specifies that only received traffic is monitored.

both

(Optional) Specifies that both transmitted and received traffic is monitored. both is the default.


Defaults

The default type of traffic to monitor is both.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

If you do not enable SPAN, then attaching a sniffer to one of the switch ports only captures traffic to or from that port. To capture traffic to or from multiple ports, you need to enable SPAN and identify the ports you want to monitor.

Use caution while connecting a SPAN destination port to another switch, as it could result in network loops.

Examples

The following example configures the Ethernet 0/1 port as the destination port which monitors the Ethernet 0/0 and Ethernet 0/2 ports:

hostname(config)# interface ethernet 0/1
hostname(config-if)# switchport monitor ethernet 0/0
hostname(config-if)# switchport monitor ethernet 0/2

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

show running-config interface

Shows the interface configuration in the running configuration.

switchport access vlan

Assigns the switch port to a VLAN.

switchport protected

Prevents a switch port from communicating with other switch ports on the same VLAN for extra security.


switchport protected

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the switchport protected command in interface configuration mode to prevent the switch port from communicating with other protected switch ports on the same VLAN. This feature provides extra security to the other switch ports on a VLAN if one switch port becomes compromised.

switchport protected

no switchport protected

Syntax Description

This command has no arguments or keywords.

Defaults

By default, the interfaces are not protected.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

You might want to prevent switch ports from communicating with each other if the devices on those switch ports are primarily accessed from other VLANs, you do not need to allow intra-VLAN access, and you want to isolate the devices from each other in case of infection or other security breach. For example, if you have a DMZ that hosts three web servers, you can isolate the web servers from each other if you apply the switchport protected command to each switch port. The inside and outside networks can both communicate with all three web servers, and vice versa, but the web servers cannot communicate with each other.

Communication to and from unprotected ports is not restricted by this command.

Examples

The following example configures seven switch ports. Ethernet 0/4, 0/5, and 0/6 are assigned to the DMZ network and are protected from each other.

hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 300
hostname(config-if)# switchport protected
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/5
hostname(config-if)# switchport access vlan 300
hostname(config-if)# switchport protected
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/6
hostname(config-if)# switchport access vlan 300
hostname(config-if)# switchport protected
hostname(config-if)# no shutdown
...

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

show running-config interface

Shows the interface configuration in the running configuration.

switchport access vlan

Assigns the switch port to a VLAN.

switchport mode

Sets the VLAN mode to be access or trunk.

switchport trunk allowed vlan

Assigns VLANs to a trunk port.


switchport trunk

For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the switchport trunk command in interface configuration mode to assign VLANs to the trunk port. Use the no form of the command to remove a VLAN from the trunk.

switchport trunk {allowed vlans vlan_range | native vlan vlan}

no switchport trunk {allowed vlans vlan_range | native vlan vlan}

Syntax Description

allowed vlans vlan_range

Identifies one or more VLANs that you can assign to the trunk port. The VLAN ID is between 1 and 4090.

The vlan_range can be identified in one of the following ways:

A single number (n)

A range (n-x)

Separate numbers and ranges by commas, for example:

5,7-10,13,45-100

You can enter spaces instead of commas, but the command is saved to the configuration with commas.

You can include the native VLAN in this command, but it is not required; the native VLAN is passed whether it is included in this command or not.

native vlan vlan

Assigns a native VLAN to the trunk. Packets on the native VLAN are not modified when sent over the trunk.

For example, if a port has VLANs 2, 3 and 4 assigned to it, and VLAN 2 is the native VLAN, then packets on VLAN 2 that egress the port are not modified with an 802.1Q header. Frames that ingress (enter) this port and have no 802.1Q header are put into VLAN 2.

Each port can only have one native VLAN, but every port can have either the same or a different native VLAN.


Defaults

By default, no VLANs are assigned to the trunk.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.2(1)

This command was introduced.

7.2(2)

This command was modified to allow more than 3 VLANs per switch port. Also, you can now configure multiple trunk ports, instead of being limited to only one. This command also uses commas instead of spaces to separate VLAN IDs.

7.2(4)/8.0(4)

Native VLAN support was introduced with the native vlan keywords.


Usage Guidelines

If you want to create a trunk port to pass multiple VLANs on the switch port, set the mode to trunk mode using the switchport mode trunk command, and then use the switchport trunk command to assign VLANs to the trunk. This switch port cannot pass traffic until you assign at least one VLAN to it. If you set the mode to trunk mode, and you have not yet configured the switchport trunk allowed vlan command, the switch port remains in "line protocol down" state and cannot participate in traffic forwarding. Trunk mode is available only with the Security Plus license. The switchport trunk command does not take effect unless the mode is set to trunk mode using the switchport mode trunk command.


Note This command is not downgrade-compatible to Version 7.2(1); the commas separating the VLANs are not recognized in 7.2(1). If you downgrade, be sure to separate the VLANs with spaces, and do not exceed the 3 VLAN limit.
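The following added example (not Cisco code) models the VLAN handling described for switchport mode, switchport trunk and switchport protected: parsing a vlan_range, classifying tagged and untagged frames on access and trunk ports (including the native VLAN), and the intra-VLAN isolation between two protected ports. The port names, the SwitchPort class and the mixed sample configuration are constructed for illustration.

```python
"""Model of ASA 5505 switch-port VLAN handling: switchport mode, switchport trunk
(allowed/native VLANs) and switchport protected.  Added example, not Cisco code;
it follows only the behaviour described in this reference."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

VLAN_MIN, VLAN_MAX = 1, 4090            # VLAN ID bounds given for allowed vlans


def parse_vlan_range(spec: str) -> Set[int]:
    """Parse a vlan_range such as '5,7-10,13,45-100' (commas or spaces) into a set."""
    vlans: Set[int] = set()
    for token in spec.replace(",", " ").split():
        lo, _, hi = token.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not (VLAN_MIN <= lo_i <= hi_i <= VLAN_MAX):
            raise ValueError(f"VLAN range out of bounds: {token}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def format_vlan_range(vlans: Set[int]) -> str:
    """Render a VLAN set the way the configuration saves it: comma-separated ranges."""
    parts, ids, i = [], sorted(vlans), 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


@dataclass
class SwitchPort:
    name: str
    mode: str = "access"                  # access is the default mode
    access_vlan: Optional[int] = None     # switchport access vlan
    allowed: Set[int] = field(default_factory=set)  # switchport trunk allowed vlan
    native: Optional[int] = None          # switchport trunk native vlan
    protected: bool = False               # switchport protected

    def carries(self, vlan: int) -> bool:
        """Can this port pass traffic for the VLAN at all?"""
        if self.mode == "access":
            return vlan == self.access_vlan
        # A trunk with no allowed VLANs stays "line protocol down"; the native
        # VLAN is passed whether or not it is listed under allowed vlans.
        return bool(self.allowed) and (vlan in self.allowed or vlan == self.native)

    def classify_ingress(self, tag: Optional[int]) -> Optional[int]:
        """VLAN an ingress frame lands in, or None when the port drops it."""
        if self.mode == "access":
            return None if tag is not None else self.access_vlan  # tagged frames dropped
        if tag is None:
            # Untagged frame on a trunk: native VLAN if one is set, otherwise dropped.
            return self.native if self.native is not None and self.carries(self.native) else None
        return tag if self.carries(tag) else None

    def egress_tag(self, vlan: int) -> Optional[int]:
        """802.1Q tag applied on egress; None means the frame leaves untagged."""
        if not self.carries(vlan):
            raise ValueError(f"{self.name} does not carry VLAN {vlan}")
        if self.mode == "access" or vlan == self.native:
            return None
        return vlan


def can_forward(src: SwitchPort, dst: SwitchPort, vlan: int) -> bool:
    """Intra-VLAN forwarding between two switch ports, honouring switchport protected."""
    if src is dst or not (src.carries(vlan) and dst.carries(vlan)):
        return False
    return not (src.protected and dst.protected)   # two protected ports never talk


# Constructed sample mixing the access, trunk and protected-port examples above.
PORTS: Dict[str, SwitchPort] = {
    "e0/0": SwitchPort("e0/0", access_vlan=100),
    "e0/1": SwitchPort("e0/1", mode="trunk", allowed=parse_vlan_range("200-202"), native=5),
    "e0/2": SwitchPort("e0/2", access_vlan=300),                  # unprotected DMZ port
    "e0/4": SwitchPort("e0/4", access_vlan=300, protected=True),
    "e0/5": SwitchPort("e0/5", access_vlan=300, protected=True),
}
```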


Examples

The following example configures seven VLAN interfaces, including the failover interface which is configured using the failover lan command. VLANs 200, 201, and 202 are trunked on Ethernet 0/1.

hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 201
hostname(config-if)# nameif dept1
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 202
hostname(config-if)# nameif dept2
hostname(config-if)# security-level 90
hostname(config-if)# ip address 10.2.3.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 300
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.3.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface vlan 400
hostname(config-if)# nameif backup-isp
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# failover lan faillink vlan500
hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0
hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport mode trunk
hostname(config-if)# switchport trunk allowed vlan 200-202
hostname(config-if)# switchport trunk native vlan 5
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 400
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 500
hostname(config-if)# no shutdown

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

show running-config interface

Shows the interface configuration in the running configuration.

switchport access vlan

Assigns the switch port to a VLAN.

switchport mode

Sets the VLAN mode to be access or trunk.

switchport protected

Prevents a switch port from communicating with other switch ports on the same VLAN for extra security.


synack-data

To set the action for TCP SYNACK packets that contain data, use the synack-data command in tcp-map configuration mode. To set the value back to the default, use the no form of this command. This command is part of the TCP normalization policy enabled using the set connection advanced-options command.

synack-data {allow | drop}

no synack-data

Syntax Description

allow

Allows TCP SYNACK packets that contain data.

drop

Drops TCP SYNACK packets that contain data.


Defaults

The default action is to drop TCP SYNACK packets that contain data.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tcp-map configuration


Command History

Release
Modification

7.2(4)/8.0(4)

This command was introduced.


Usage Guidelines

To enable TCP normalization, use the Modular Policy Framework:

1. tcp-map—Identifies the TCP normalization actions.

a. synack-data—In tcp-map configuration mode, you can enter the synack-data command and many others.

2. class-map—Identify the traffic on which you want to perform TCP normalization.

3. policy-map—Identify the actions associated with each class map.

a. class—Identify the class map on which you want to perform actions.

b. set connection advanced-options—Identify the tcp-map you created.

4. service-policy—Assigns the policy map to an interface or globally.

Examples

The following example sets the ASA to allow TCP SYNACK packets that contain data:

hostname(config)# tcp-map tmap
hostname(config-tcp-map)# synack-data allow
hostname(config)# class-map cmap
hostname(config-cmap)# match any
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# set connection advanced-options tmap
hostname(config)# service-policy pmap global
hostname(config)#

Related Commands

Command
Description

class-map

Identifies traffic for a service policy.

policy-map

Identifies actions to apply to traffic in a service policy.

set connection advanced-options

Enables TCP normalization.

service-policy

Applies a service policy to interface(s).

show running-config tcp-map

Shows the TCP map configuration.

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.


syn-data

To allow or drop SYN packets with data, use the syn-data command in tcp-map configuration mode. To remove this specification, use the no form of this command.

syn-data {allow | drop}

no syn-data {allow | drop}

Syntax Description

allow

Allows SYN packets that contain data.

drop

Drops SYN packets that contain data.


Defaults

Packets with SYN data are allowed by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tcp-map configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. Use the syn-data command in tcp-map configuration mode to drop packets with data in SYN packets.

According to the TCP specification, TCP implementations are required to accept data contained in a SYN packet. Because this is a subtle and obscure point, some implementations may not handle this correctly. To avoid any vulnerabilities to insertion attacks involving incorrect end-system implementations, you may choose to drop packets with data in SYN packets.
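The following added example (not Cisco code) models the syn-data and synack-data checks of a tcp-map: it reads the two actions from tcp-map lines, starting from the defaults stated in this reference, and decides allow or drop for SYN and SYN/ACK segments that carry a payload. The TCP segments and the tcp-map lines are constructed inline; the parser is this example's own, not the ASA's.

```python
"""Model of the tcp-map syn-data and synack-data checks from this reference.
Added example, not Cisco code; the TCP segments below are constructed inline."""
import struct
from typing import Dict, Iterable, Tuple

TCP_SYN, TCP_ACK, TCP_PSH = 0x02, 0x10, 0x08

# Defaults stated on this page: syn-data allow, synack-data drop.
DEFAULT_TCP_MAP: Dict[str, str] = {"syn-data": "allow", "synack-data": "drop"}


def parse_tcp_map(lines: Iterable[str]) -> Dict[str, str]:
    """Read 'syn-data drop' / 'synack-data allow' lines from a tcp-map block,
    starting from the defaults; 'no <command>' restores the default and any
    other line is ignored."""
    tcp_map = dict(DEFAULT_TCP_MAP)
    for line in lines:
        words = line.split()
        if len(words) == 2 and words[0] in tcp_map and words[1] in ("allow", "drop"):
            tcp_map[words[0]] = words[1]
        elif len(words) >= 2 and words[0] == "no" and words[1] in tcp_map:
            tcp_map[words[1]] = DEFAULT_TCP_MAP[words[1]]
    return tcp_map


def build_tcp_segment(flags: int, payload: bytes = b"") -> bytes:
    """Minimal TCP segment: 20-byte header, no options, checksum left at zero."""
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return header + payload


def flags_and_payload(segment: bytes) -> Tuple[int, bytes]:
    """Flags byte and payload, honouring the data offset so options are skipped."""
    doff = (segment[12] >> 4) * 4
    if doff < 20 or doff > len(segment):
        raise ValueError("bad TCP data offset")
    return segment[13], segment[doff:]


def normalize(segment: bytes, tcp_map: Dict[str, str]) -> str:
    """Return 'allow' or 'drop' for the segment under the tcp-map's SYN-data rules.
    Only SYN and SYN/ACK segments that carry a payload are affected."""
    flags, payload = flags_and_payload(segment)
    if not payload or not flags & TCP_SYN:
        return "allow"
    if flags & TCP_ACK:
        return tcp_map["synack-data"]
    return tcp_map["syn-data"]


# Constructed tcp-map mirroring the 'syn-data drop' example above.
STRICT_MAP = parse_tcp_map(["syn-data drop", "synack-data drop"])
```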

Examples

The following example shows how to drop SYN packets with data on all TCP flows:

hostname(config)# access-list TCP extended permit tcp any any
hostname(config)# tcp-map tmap
hostname(config-tcp-map)# syn-data drop
hostname(config)# class-map cmap
hostname(config-cmap)# match access-list TCP
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# set connection advanced-options tmap
hostname(config)# service-policy pmap global
hostname(config)# 

Related Commands

Command
Description

class

Specifies a class map to use for traffic classification.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

set connection

Configures connection values.

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.


sysopt connection permit-vpn

For traffic that enters the ASA through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.

sysopt connection permit-vpn

no sysopt connection permit-vpn

Syntax Description

This command has no arguments or keywords.

Defaults

This feature is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command is now enabled by default. Also, only interface access lists are bypassed; group policy or per-user access lists remain in force.

7.1(1)

This command was changed from sysopt connection permit-ipsec.


Usage Guidelines

By default, the ASA allows VPN traffic to terminate on an ASA interface; you do not need to allow IKE or ESP (or other types of VPN packets) in an interface access list. By default, you also do not need an interface access list for local IP addresses of decrypted VPN packets. Because the VPN tunnel was terminated successfully using VPN security mechanisms, this feature simplifies configuration and maximizes the ASA performance without any security risks. (Group policy and per-user authorization access lists still apply to the traffic.)

You can require an interface access list to apply to the local IP addresses by entering the no sysopt connection permit-vpn command. See the access-list and access-group commands to create an access list and apply it to an interface. The access list applies to the local IP address, and not to the original client IP address used before the VPN packet was decrypted.

Examples

The following example requires decrypted VPN traffic to comply with interface access lists:

hostname(config)# no sysopt connection permit-vpn

Related Commands

Command
Description

clear configure sysopt

Clears the sysopt command configuration.

show running-config sysopt

Shows the sysopt command configuration.

sysopt connection tcpmss

Overrides the maximum TCP segment size or ensures that the maximum is not less than a specified size.

sysopt connection timewait

Forces each TCP connection to linger in a shortened TIME_WAIT state after the final normal TCP close-down sequence.


sysopt connection preserve-vpn-flows

To preserve and resume stateful (TCP) tunneled IPsec LAN-to-LAN traffic within the timeout period after the tunnel drops and recovers, use the sysopt connection preserve-vpn-flows command. To disable this feature, use the no form of this command.

sysopt connection preserve-vpn-flows

no sysopt connection preserve-vpn-flows

Syntax Description

This command has no arguments or keywords.

Defaults

This feature is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.0(4)

This command was introduced.


Usage Guidelines

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout window, data continues flowing successfully because the security appliance still has access to the state information in the original flow.

This command supports only IPsec LAN-to-LAN tunnels, including Network Extension Mode. It does not support AnyConnect/SSL VPN or IPsec remote-access tunnels.

Examples

The following example specifies that the state information for the tunnel will be preserved and the tunneled IPsec LAN-to-LAN VPN traffic will resume after the tunnel drops and is reestablished within the timeout period:

hostname(config)# sysopt connection preserve-vpn-flows

To see whether this feature is enabled, enter the show run all command for sysopt:

hostname(config)# show run all sysopt

A sample result follows; the preserve-vpn-flows line near the end shows the current setting:

	no sysopt connection timewait
	sysopt connection tcpmss 1380
	sysopt connection tcpmss minimum 0
	no sysopt nodnsalias inbound
	no sysopt nodnsalias outbound
	no sysopt radius ignore-secret
	sysopt connection permit-vpn
	no sysopt connection reclassify-vpn
	no sysopt connection preserve-vpn-flows
	hostname(config)#

sysopt connection reclassify-vpn

To reclassify existing VPN flows, use the sysopt connection reclassify-vpn command in global configuration mode. To disable this feature, use the no form of this command.

sysopt connection reclassify-vpn

no sysopt connection reclassify-vpn

Syntax Description

This command has no arguments or keywords.

Defaults

This feature is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

When VPN tunnels come up, this command reclassifies existing VPN flows to make sure that flows that need encryption get torn down and recreated.

This command only applies for LAN-to-LAN and dynamic VPNs. This command has no effect on EZVPN or VPN client connections.

Examples

The following example enables VPN reclassification:

hostname(config)# sysopt connection reclassify-vpn

Related Commands

Command
Description

clear configure sysopt

Clears the sysopt command configuration.

show running-config sysopt

Shows the sysopt command configuration.

sysopt connection permit-vpn

Permits any packets that come from an IPsec tunnel without checking any access lists for interfaces.

sysopt connection tcpmss

Overrides the maximum TCP segment size or ensures that the maximum is not less than a specified size.

sysopt connection timewait

Forces each TCP connection to linger in a shortened TIME_WAIT state after the final normal TCP close-down sequence.


sysopt connection tcpmss

To ensure that the maximum TCP segment size does not exceed the value you set and that the maximum is not less than a specified size, use the sysopt connection tcpmss command in global configuration mode. To restore the default setting, use the no form of this command.

sysopt connection tcpmss [minimum] bytes

no sysopt connection tcpmss [minimum] [bytes]

Syntax Description

bytes

Sets the maximum TCP segment size in bytes, between 48 and any maximum number. The default value is 1380 bytes. You can disable this feature by setting bytes to 0.

For the minimum keyword, the bytes represent the smallest maximum value allowed.

minimum

Overrides the maximum segment size to be no less than bytes, between 48 and 65535 bytes. This feature is disabled by default (set to 0).


Defaults

The default maximum value is 1380 bytes. The minimum feature is disabled by default (set to 0).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Both the host and the server can set the maximum segment size when they first establish a connection. If either maximum exceeds the value you set with the sysopt connection tcpmss command, then the ASA overrides the maximum and inserts the value you set. If either maximum is less than the value you set with the sysopt connection tcpmss minimum command, then the ASA overrides the maximum and inserts the "minimum" value you set (the minimum value is actually the smallest maximum allowed). For example, if you set a maximum size of 1200 bytes and a minimum size of 400 bytes, when a host requests a maximum size of 1300 bytes, then the ASA alters the packet to request 1200 bytes (the maximum). If another host requests a maximum value of 300 bytes, then the ASA alters the packet to request 400 bytes (the minimum).

The default of 1380 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default MTU for Ethernet. See the following calculation:

1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes

If the host or server does not request a maximum segment size, the ASA assumes that the RFC 793 default value of 536 bytes is in effect.

If you set the maximum size to be greater than 1380, packets might become fragmented, depending on the MTU size (which is 1500 by default). Large numbers of fragments can impact the performance of the ASA when it uses the Frag Guard feature. Setting the minimum size prevents the TCP server from sending many small TCP data packets to the client and impacting the performance of the server and the network.


Note Although not advised for normal use of this feature, if you encounter the syslog IPFRAG messages 209001 and 209002, you can raise the bytes value.
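The following added example (not Cisco code) models the MSS handling described in these guidelines: it locates the MSS option in a TCP SYN, lowers it to the configured maximum, raises it to the configured minimum, and assumes the RFC 793 value of 536 when no option is present. The segments are constructed inline and the TCP checksum is not recomputed, which a real rewrite must do with the IP pseudo-header.

```python
"""Model of sysopt connection tcpmss: clamp the MSS option in a TCP SYN the way this
reference describes.  Added example, not Cisco code; segments are constructed inline
and the TCP checksum is not recomputed (that needs the IP pseudo-header)."""
import struct
from typing import Optional, Tuple

TCP_SYN = 0x02
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
RFC793_DEFAULT_MSS = 536          # assumed by the ASA when no MSS option is present

# Overhead the 1380-byte default leaves room for on a 1500-byte Ethernet MTU.
TCP_HDR, IP_HDR, AH, ESP_CIPHER, ESP_AUTH, OUTER_IP = 20, 20, 24, 24, 12, 20


def default_mss_for_mtu(mtu: int = 1500) -> int:
    """1500 - (20 + 20 + 24 + 24 + 12 + 20) = 1380, the calculation shown above."""
    return mtu - (TCP_HDR + IP_HDR + AH + ESP_CIPHER + ESP_AUTH + OUTER_IP)


def build_syn(mss: Optional[int]) -> bytes:
    """TCP SYN with an optional MSS option (kind 2, length 4); checksum left zero."""
    options = struct.pack("!BBH", TCPOPT_MSS, 4, mss) if mss is not None else b""
    doff = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, doff << 4, TCP_SYN, 65535, 0, 0) + options


def find_mss_option(segment: bytes) -> Tuple[Optional[int], Optional[int]]:
    """Walk the TCP options; return (offset, value) of the MSS option or (None, None)."""
    doff = (segment[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff or segment[i + 1] < 2:
            break                                   # malformed option: stop parsing
        length = segment[i + 1]
        if kind == TCPOPT_MSS and length == 4 and i + 4 <= doff:
            return i, struct.unpack_from("!H", segment, i + 2)[0]
        i += length
    return None, None


def clamp_mss(segment: bytes, maximum: int = 1380, minimum: int = 0) -> Tuple[bytes, Optional[int]]:
    """Apply 'sysopt connection tcpmss <maximum>' and 'tcpmss minimum <minimum>'.
    A value of 0 disables either bound, as on the ASA.  Returns the (possibly
    rewritten) segment and the MSS now in effect (None for non-SYN segments)."""
    if not segment[13] & TCP_SYN:
        return segment, None                       # MSS is only negotiated on SYN
    offset, mss = find_mss_option(segment)
    if offset is None:
        return segment, RFC793_DEFAULT_MSS         # nothing to rewrite; 536 assumed
    wanted = mss
    if maximum and wanted > maximum:
        wanted = maximum                           # above the ceiling: lower it
    if minimum and wanted < minimum:
        wanted = minimum                           # below the smallest allowed maximum: raise it
    if wanted == mss:
        return segment, mss
    out = bytearray(segment)
    struct.pack_into("!H", out, offset + 2, wanted)
    return bytes(out), wanted
```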


Examples

The following example sets the maximum size to 1200 and the minimum to 400:

hostname(config)# sysopt connection tcpmss 1200
hostname(config)# sysopt connection tcpmss minimum 400

Related Commands

Command
Description

clear configure sysopt

Clears the sysopt command configuration.

show running-config sysopt

Shows the sysopt command configuration.

sysopt connection permit-ipsec

Permits any packets that come from an IPsec tunnel without checking any ACLs for interfaces.

sysopt connection timewait

Forces each TCP connection to linger in a shortened TIME_WAIT state after the final normal TCP close-down sequence.


sysopt connection timewait

To force each TCP connection to linger in a shortened TIME_WAIT state of at least 15 seconds after the final normal TCP close-down sequence, use the sysopt connection timewait command in global configuration mode. To disable this feature, use the no form of this command. You might want to use this feature if an end-host application's default TCP terminating sequence is a simultaneous close.

sysopt connection timewait

no sysopt connection timewait


Note An RST packet (not a normal TCP close-down sequence) will also trigger the 15 second delay. The ASA holds on to the connection for 15 seconds after receiving the last packet (either FIN/ACK or RST) of the connection.


Syntax Description

This command has no arguments or keywords.

Defaults

This feature is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The default behavior of the ASA is to track the shutdown sequence and release the connection after two FINs and the ACK of the last FIN segment. This quick release heuristic enables the ASA to sustain a high connection rate, based on the most common closing sequence, known as the normal close sequence. However, in a simultaneous close, both ends of the transaction initiate the closing sequence, as opposed to the normal close sequence where one end closes and the other end acknowledges prior to initiating its own closing sequence (see RFC 793). Thus, in a simultaneous close, the quick release forces one side of the connection to linger in the CLOSING state. Having many sockets in the CLOSING state can degrade the performance of an end host. For example, some WinSock mainframe clients are known to exhibit this behavior and degrade the performance of the mainframe server. Using the sysopt connection timewait command creates a window for the simultaneous close down sequence to complete.

Examples

The following example enables the timewait feature:

hostname(config)# sysopt connection timewait

Related Commands

Command
Description

clear configure sysopt

Clears the sysopt command configuration.

show running-config sysopt

Shows the sysopt command configuration.

sysopt connection permit-ipsec

Permits any packets that come from an IPsec tunnel without checking any ACLs for interfaces.

sysopt connection tcpmss

Overrides the maximum TCP segment size or ensures that the maximum is not less than a specified size.


sysopt noproxyarp

To disable proxy ARP for NAT global addresses or VPN client addresses on an interface, use the sysopt noproxyarp command in global configuration mode. To reenable proxy ARP, use the no form of this command.

sysopt noproxyarp interface_name

no sysopt noproxyarp interface_name

Syntax Description

interface_name

The interface name for which you want to disable proxy ARP.


Defaults

Proxy ARP is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.0(3)

This command was extended to affect VPN proxy ARPs when the VPN client addresses overlap with an internal network.


Usage Guidelines

If you have a VPN client address pool that overlaps with an existing network, the ASA by default sends proxy ARPs on all interfaces. If you have another interface that is on the same Layer 2 domain, it will see the ARP requests and will answer with the MAC address of its interface. As a result, return traffic from the VPN clients toward the internal hosts goes to the wrong interface and is dropped. In this case, you need to enter the sysopt noproxyarp command for the interface where you do not want proxy ARPs.

In rare circumstances, you might want to disable proxy ARP for NAT global addresses.

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking "Who is this IP address?" The device owning the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP is when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The ASA uses proxy ARP when you configure NAT and specify a global address that is on the same network as the ASA interface. The only way traffic can reach the hosts is if the ASA uses proxy ARP to claim that the ASA MAC address is assigned to destination global addresses.

Examples

The following example disables proxy ARP on the inside interface:

hostname(config)# sysopt noproxyarp inside

Related Commands

Command                       Description

alias                         Translates an outside address and alters the DNS records to accommodate the translation.

clear configure sysopt        Clears the sysopt command configuration.

show running-config sysopt    Shows the sysopt command configuration.

sysopt nodnsalias             Disables alteration of the DNS A record address when you use the alias command.


sysopt radius ignore-secret

To ignore the authentication key in RADIUS accounting responses, use the sysopt radius ignore-secret command in global configuration mode. To disable this feature, use the no form of this command. You might need to ignore the key for compatibility with some RADIUS servers.

sysopt radius ignore-secret

no sysopt radius ignore-secret

Syntax Description

This command has no arguments or keywords.

Defaults

This feature is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode            Security Context
                        Routed   Transparent     Single   Multiple
                                                          Context   System

Global configuration


Command History

Release        Modification

Preexisting    This command was preexisting.


Usage Guidelines

Some RADIUS servers fail to include the key in the authenticator hash within the accounting acknowledgment response. Because the ASA cannot validate such a response, this omission can cause the ASA to continually retransmit the accounting request. Use the sysopt radius ignore-secret command to ignore the key in these acknowledgments, thus avoiding the retransmit problem. (The key identified here is the same one you set with the aaa-server host command.)
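The following added example (not ASA code, and not a description of how the ASA validates internally) shows why the retransmit loop happens. It builds an Accounting-Request and Accounting-Response as RFC 2866 defines them, where the Response Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret), then models a server that omits the Secret from that hash and a client that either insists on the key or, as with sysopt radius ignore-secret, also accepts an authenticator computed without it. The shared key, identifiers and the single Acct-Status-Type attribute are constructed values.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST = 4   # RFC 2866 Accounting-Request
ACCT_RESPONSE = 5  # RFC 2866 Accounting-Response


def _authenticator(code, identifier, attrs, seed, secret):
    """MD5(Code + ID + Length + seed + Attributes + Secret); the header is
    4 bytes, the authenticator 16, so Length is 20 + len(attrs)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + seed + attrs + secret).digest()


def accounting_request(identifier, attrs, secret):
    """Client side: Request Authenticator is seeded with 16 zero octets."""
    auth = _authenticator(ACCT_REQUEST, identifier, attrs, bytes(16), secret)
    return struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs)) + auth + attrs


def accounting_response(request, secret, include_secret=True):
    """Server side. include_secret=False models the servers the page describes,
    which leave the key out of the acknowledgment's authenticator hash."""
    _, identifier, _ = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = b""  # constructed: the acknowledgment carries no attributes
    key = secret if include_secret else b""
    auth = _authenticator(ACCT_RESPONSE, identifier, attrs, req_auth, key)
    return struct.pack("!BBH", ACCT_RESPONSE, identifier, 20 + len(attrs)) + auth + attrs


def response_is_valid(response, request, secret, ignore_secret=False):
    """Client side check. With ignore_secret=False only an authenticator that
    includes the key is accepted; with ignore_secret=True (the model of
    sysopt radius ignore-secret) a hash computed without the key also passes.
    The identifier and length must still match the outstanding request."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code != ACCT_RESPONSE or identifier != request[1] or length != len(response):
        return False
    attrs = response[20:]
    req_auth = request[4:20]
    got = response[4:20]
    if hmac.compare_digest(got, _authenticator(ACCT_RESPONSE, identifier, attrs, req_auth, secret)):
        return True
    if ignore_secret:
        return hmac.compare_digest(got, _authenticator(ACCT_RESPONSE, identifier, attrs, req_auth, b""))
    return False


def accounting_exchange(server_includes_secret, client_ignores_secret,
                        secret=b"constructed-shared-key", max_attempts=3):
    """Returns (acknowledged, attempts). Each unaccepted acknowledgment causes
    a retransmission with a new identifier, up to max_attempts."""
    attrs = struct.pack("!BBI", 40, 6, 1)  # Acct-Status-Type (40) = Start (1)
    for attempt in range(1, max_attempts + 1):
        request = accounting_request(attempt, attrs, secret)
        response = accounting_response(request, secret, include_secret=server_includes_secret)
        if response_is_valid(response, request, secret, ignore_secret=client_ignores_secret):
            return True, attempt
    return False, max_attempts


if __name__ == "__main__":
    print("conforming server, strict client:", accounting_exchange(True, False))   # (True, 1)
    print("broken server, strict client:    ", accounting_exchange(False, False))  # (False, 3)
    print("broken server, ignore-secret:    ", accounting_exchange(False, True))   # (True, 1)
```

The middle case is the retransmit problem: every acknowledgment fails validation, so the client keeps resending until it gives up. The ignore-secret model still rejects a response whose identifier, length or hash does not match the request, so the relaxation is limited to the missing key and does not turn the check off entirely.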

Examples

The following example ignores the authentication key in accounting responses:

hostname(config)# sysopt radius ignore-secret

Related Commands

Command                       Description

aaa-server host               Identifies a AAA server.

clear configure sysopt        Clears the sysopt command configuration.

show running-config sysopt    Shows the sysopt command configuration.