-
Cisco ASA Series Command Reference, 8.4, 8.5, 8.6, and 8.7
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show ddns -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config ldap -- show running-config wccp
-
show service-policy -- show xlate
-
shun -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
uc-ime through zonelabs integrity ssl-client-authentication Commands
url-list (group-policy webvpn)
user-authentication-idle-timeout
user-identity action ad-agent-down
user-identity action domain-controller-down
user-identity action mac-address-mismatch
user-identity action netbios-response-fail
user-identity ad-agent aaa-server
user-identity ad-agent active-user-database
user-identity ad-agent hello-timer
user-identity inactive-user-timer
user-identity poll-import-user-group-timer
user-identity update active-user-database
user-identity update import-user
validation-policy (crypto ca trustpoint)
webvpn (group-policy and username modes)
zonelabs-integrity fail-timeout
zonelabs-integrity server-address
zonelabs-integrity ssl-certificate-port
zonelabs-integrity ssl-client-authentication
uc-ime through zonelabs integrity ssl-client-authentication Commands
uc-ime
To create the Cisco Intercompany Media Engine proxy instance, use the uc-ime command in global configuration mode. To remove the proxy instance, use the no form of this command.
uc-ime uc-ime_name
no uc-ime uc-ime_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
Configures the Cisco Intercompany Media Engine proxy. Cisco Intercompany Media Engine enables companies to interconnect on-demand, over the Internet with advanced features made available by VoIP technologies. Cisco Intercompany Media Engine allows for business-to-business federation between Cisco Unified Communications Manager clusters in different enterprises by utilizing peer-to-peer, security, and SIP protocols to create dynamic SIP trunks between businesses. A collection of enterprises work together to end up looking like one large business with inter-cluster trunks between them.
You must create the media termination instance before you specify it in the Cisco Intercompany Media Engine proxy.
Only one Cisco Intercompany Media Engine proxy can be configured on the ASA.
Examples
The following example shows how to configure a Cisco Intercompany Media Engine proxy by using the uc-ime command.
hostname(config)#uc-ime local_uc-ime_proxyhostname(config-uc-ime)# media-termination ime-media-termhostname(config-uc-ime)# ucm address 192.168.10.30 trunk-security-mode non-securehostname(config-uc-ime)# ticket epoch 1 password password1234hostname(config-uc-ime)# fallback monitoring timer 120hostname(config-uc-ime)# fallback hold-down timer 30Related Commands
ucm
To configure which Cisco Unified Communication Managers (UCM) that the Cisco Intercompany Media Engine Proxy connects to, use the ucm command in global configuration mode. To remove the the Cisco UCM that are connected to the Cisco Intercompanuy Media Engine Proxy, use the no form of this command.
ucm address ip_address trunk-security-mode {nonsecure | secure}
no ucm address ip_address trunk-security-mode {nonsecure | secure}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
UC-IME configuration
•
—
•
—
—
Command History
Usage Guidelines
Specifies the Cisco UCM server in the enterprise.
You can enter multiple ucm commands for the Cisco Intercompany Media Engine proxy.
Note
Specifying secure for Cisco UCM or Cisco UCM cluster indicates that Cisco UCM or Cisco UCM cluster is initiating TLS; therefore, you must set up configure TLS for components.
You can specify the secure option in this task or you can update it later while configuring TLS for the enterprise.
TLS within the enterprise refers to the security status of the Cisco Intercompany Media Engine trunk as seen by the adaptive security appliance.
If the transport security for the Cisco Intercompany Media Engine trunk changes on Cisco UCM, it must be changed on the adaptive security appliance as well. A mismatch will result in call failure. The adaptive security appliance does not support SRTP with non-secure IME trunks. The adaptive security appliance assumes SRTP is allowed with secure trunks. So `SRTP Allowed' must be checked for IME trunks if TLS is used. The adaptive security appliance supports SRTP fallback to RTP for secure IME trunk calls.
The proxy sits on the edge of the enterprise and inspects SIP signaling between SIP trunks created between enterprises. It terminates TLS signaling from the Internet and initiates TCP or TLS to Cisco UCM.
Transport Layer Security (TLS) is a cryptographic protocol that provides security for communications over networks such as the Internet. TLS encrypts the segments of network connections at the Transport Layer end-to-end.
This task is not required if TCP is allowable within the inside network.
Key steps for Configuring TLS within the local enterprise:
•
•
•
Authentication via TLS: In order for the ASA to act as a porty on behalf of N enterprises, the Cisco UCMs must be able to accept the one certificate from the ASA. This can be done by associating all the UC-IME SIP trunks with the same SIP security profile containing the same subject name as that of the one presented by the ASA because the Cisco UCM extracts the subject name from the certificate and compares that with the name configured in the security profile.
Examples
The following example shows ...:
hostname(config)#uc-ime local_uc-ime_proxyhostname(config-uc-ime)# media-termination ime-media-termhostname(config-uc-ime)# ucm address 192.168.10.30 trunk-security-mode non-securehostname(config-uc-ime)# ticket epoch 1 password password1234hostname(config-uc-ime)# fallback monitoring timer 120hostname(config-uc-ime)# fallback hold-down timer 30Related Commands
undebug
To disable the display of debug information in the current session, use the undebug command in privileged EXEC mode.
undebug {command | all}
Syntax Description
command
Disables debug for the specified command. See the Usage Guidelines for information about the supported commands.
all
Disables all debug output.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The following commands can be used with the undebug command. For more information about debugging a specific command, or for the associated arguments and keywords for a specific debug command, see the entry for debug command.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Examples
The example disabled all debug output:
hostname(config)# undebug allRelated Commands
unix-auth-gid
To set the UNIX group ID, use the unix-auth-gid command in group-policy webvpn configuration mode. To remove this command from the configuration, use the no version of this command.
unix-auth-gid <identifier>
no storage-objects
Syntax Description
Defaults
The default is 65534.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
The string specifies a network file system (NetFS) location. Only SMB and FTP protocols are supported; for example, smb://(NetFS location) or ftp://(NetFS location). You use the name of this location in the storage-objects command.
Examples
The following example sets the UNIX group ID to 4567:
hostname(config)#group-policy test attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)#unix-auth-gid 4567Related Commands
unix-auth-uid
To set the UNIX user ID, use the unix-auth-uid command in group-policy webvpn configuration mode. To remove this command from the configuration, use the no version of this command.
unix-auth-gid <identifier>
no storage-objects
Syntax Description
Defaults
The default is 65534.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
The string specifies a network file system (NetFS) location. Only SMB and FTP protocols are supported; for example, smb://(NetFS location) or ftp://(NetFS location). You use the name of this location in the storage-objects command.
Examples
The following example sets the UNIX user ID to 333:
hostname(config)#group-policy test attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)#unix-auth-gid 333Related Commands
upload-max-size
To specify the maximum size allowed for an object to upload, use the upload-max-size command in group-policy webvpn configuration mode. To remove this object from the configuration, use the no version of this command.
upload-max-size <size>
no upload-max-size
Syntax Description
Defaults
The default size is 2147483647.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
Setting the size to 0 effectively disallows object uploading.
Examples
The following example sets the maximum size for a uploaded object to 1500 bytes:
hostname(config)#group-policy test attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)#upload-max-size 1500Related Commands
uri-non-sip
To identify the non-SIP URIs present in the Alert-Info and Call-Info header fields, use the uri-non-sip command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.
uri-non-sip action {mask | log} [log}
no uri-non-sip action {mask | log} [log}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to identify the non-SIP URIs present in the Alert-Info and Call-Info header fields in a SIP inspection policy map:
hostname(config)# policy-map type inspect sip sip_maphostname(config-pmap)# parametershostname(config-pmap-p)# uri-non-sip action logRelated Commands
url
To maintain the list of static URLs for retrieving CRLs, use the url command in crl configure configuration mode. The crl configure configuration mode is accessible from the crypto ca trustpoint configuration mode. To delete an existing URL, use the no form of this command.
url index url
no url index url
Syntax Description
index
Specifies a value from 1 to 5 that determines the rank of each URL in the list. The ASA tries the URL at index 1 first.
url
Specifies the URL from which to retrieve the CRL.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
CRL configure configuration
•
—
•
—
—
Command History
Usage Guidelines
You cannot overwrite existing URLs. To replace an existing URL, first delete it using the no form of this command.
Examples
The following example enters ca-crl configuration mode, and sets up an index 3 for creating and maintaining a list of URLs for CRL retrieval and configures the URL https://foobin.com from which to retrieve CRLs:
hostname(configure)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# url 3 https://foobin.comhostname(ca-crl)#Related Commands
crl configure
Enters ca-crl configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
policy
Specifies the source for retrieving CRLs.
url-block
To manage the URL buffers used for web server responses while waiting for a filtering decision from the filtering server, use the url-block command. To remove the configuration, use the no form of this command.
url-block block block_buffer
no url-block block block_buffer
url-block mempool-size memory_pool_size
no url-block mempool-size memory_pool_size
url-block url-size long_url_size
no url-block url-size long_url_size
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
For Websense filtering servers, the url-block url-size command allows filtering of long URLs, up to 4 KB. For Secure Computing, the url-block url-size command allows filtering of long URLs, up to 3 KB. For both Websense and N2H2 filtering servers, the url-block block command causes the ASA to buffer packets received from a web server in response to a web client request while waiting for a response from the URL filtering server. This improves performance for the web client compared to the default ASA behavior, which is to drop the packets and to require the web server to retransmit the packets if the connection is permitted.
If you use the url-block block command and the filtering server permits the connection, the ASA sends the blocks to the web client from the HTTP response buffer and removes the blocks from the buffer. If the filtering server denies the connection, the ASA sends a deny message to the web client and removes the blocks from the HTTP response buffer.
Use the url-block block command to specify the number of blocks to use for buffering web server responses while waiting for a filtering decision from the filtering server.
Use the url-block url-size command with the url-block mempool-size command to specify the maximum length of a URL to be filtered and the maximum memory to assign to the URL buffer. Use these commands to pass URLs longer than 1159 bytes, up to a maximum of 4096 bytes, to the Websense or Secure-Computing server. The url-block url-size command stores URLs longer than 1159 bytes in a buffer and then passes the URL to the Websense or Secure-Computing server (through a TCP packet stream) so that the Websense or Secure-Computing server can grant or deny access to that URL.
Examples
The following example assigns 56 1550-byte blocks for buffering responses from the URL filtering server:
hostname#(config)# url-block block 56Related Commands
url-cache
To enable URL caching for URL responses received from a Websense server and to set the size of the cache, use the url-cache command in global configuration mode. To remove the configuration, use the no form of this command.
url-cache { dst | src_dst } kbytes [ kb ]
no url-cache { dst | src_dst } kbytes [ kb ]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Note
The url-cache command provides a configuration option to cache responses from the URL server.
Use the url-cache command to enable URL caching, set the size of the cache, and display cache statistics.
Caching stores URL access privileges in memory on the ASA. When a host requests a connection, the ASA first looks in the URL cache for matching access privileges instead of forwarding the request to the Websense server. Disable caching with the no url-cache command.
Note
Using the URL cache does not update the Websense accounting logs for Websense protocol Version 1. If you are using Websense protocol Version 1, let Websense run to accumulate logs so you can view the Websense accounting information. After you get a usage profile that meets your security needs, enable url-cache to increase throughput. Accounting logs are updated for Websense protocol Version 4 URL filtering while using the url-cache command.
Examples
The following example caches all outbound HTTP connections based on the source and destination addresses:
hostname(config)# url-cache src_dst 128Related Commands
url-entry
To enable or disable the ability to enter any HTTP/HTTPS URL on the portal page, use the url-entry command in dap webvpn configuration mode.
url-entry enable | disable
Defaults
No default value or behaviors.
Command Modes
The following table shows the modes in which you can enter the command:
Dap webvpn configuration
•
•
•
—
—
Command History
Usage Guidelines
Examples
The following example shows how to enable URL entryfor the DAP record called Finance:
hostname (config) config-dynamic-access-policy-recordFinancehostname(config-dynamic-access-policy-record)#webvpnhostname(config-dynamic-access-policy-record)#url-entry enableRelated Commands
dynamic-access-policy-record
Creates a DAP record.
file-entry
Enables or disables the ability to enter file server names to access.
url-length-limit
To configure the maximum length of the URL allowed in the RTSP message, use the url-length-limit command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.
url-length-limit length
no url-length-limit length
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure the URL length limit in an RTSP inspection policy map:
hostname(config)# policy-map type inspect rtsp rtsp_maphostname(config-pmap)# parametershostname(config-pmap-p)# url-length-limit 50Related Commands
url-list (removed)
You can no longer use this command to define URl lists for access over SSL VPN connections. Now use the import command to import the XML object that defines a URL list. See the import- and export-url-list commands for more information.
Defaults
There is no default URL list.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration mode
•
—
•
—
—
Command History
Usage Guidelines
You use the url-list command in global configuration mode to create one or more lists of URLs. To allow access to the URLs in a list for a specific group policy or user, use the listname you create here with the url-list command in webvpn mode.
Examples
The following example shows how to create a URL list called Marketing URLs that provides access to www.cisco.com, www.example.com, and www.example.org. The following table provides values that the example uses for each application.
Marketing URLs
Cisco Systems
http://www.cisco.com
Marketing URLs
Example Company, Inc.
http://www.example.com
Marketing URLs
Example Organization
http://www.example.org
hostname(config)#url-list Marketing URLs Cisco Systems http://www.cisco.comhostname(config)#url-list Marketing URLs Example Company, Inc. http://www.example.comhostname(config)#url-list Marketing URLs Example Organization http://www.example.orgRelated Commands
url-list (group-policy webvpn)
To apply a list of WebVPN servers and URLs to a particular user or group policy, use the url-list command in group-policy webvpn configuration mode or in username webvpn configuration mode. To remove a list, including a null value created by using the url-list none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting a url list, use the url-list none command. Using the command a second time overrides the previous setting.
url-list {value name | none} [index]
no url-list
Syntax Description
Defaults
There is no default URL list.
Command Modes
The following table shows the modes in which you enter the commands:
Group-policy webvpn mode
•
—
•
—
—
Username mode
•
—
•
—
—
Command History
Usage Guidelines
Using the command a second time overrides the previous setting.
Before you can use the url-list command in webvpn mode to identify a URL list that you want to display on the WebVPN home page for a user or group policy, you must create the list via an XML object. Use the import command in global configuration mode to download a URL list to the security appliance. Then use the url-list command to apply a list to a particular group policy or user.
Examples
The following example applies a URL list called FirstGroupURLs for the group policy named FirstGroup and assigns it first place among the URL lists:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)# url-list value FirstGroupURLs 1Related Commands
url-server
To identify an N2H2 or Websense server for use with the filter command, use the url-server command in global configuration mode. To remove the configuration, use the no form of this command.
N2H2
url-server [<(if_name)>] vendor {smartfilter | n2h2} host <local_ip> [port <number>] [timeout <seconds>] [protocol {TCP [connections <number>]} | UDP]
no url-server [<(if_name)>] vendor {smartfilter | n2h2} host <local_ip> [port <number>] [timeout <seconds>] [protocol {TCP [connections <number>]} | UDP]
Websense
url-server (if_name) vendor websense host local_ip [timeout seconds] [protocol {TCP | UDP | connections num_conns] | version]
no url-server (if_name) vendor websense host local_ip [timeout seconds] [protocol {TCP | UDP [connections num_conns] | version]
Syntax Description
N2H2
Websense
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
Command History
Usage Guidelines
The url-server command designates the server running the N2H2 or Websense URL filtering application. The limit is 16 URL servers in single context mode and 4 URL servers in multi mode; however, and you can use only one application at a time, either N2H2 or Websense. Additionally, changing your configuration on the ASA does not update the configuration on the application server; this must be done separately, according to the vendor instructions.
The url-server command must be configured before issuing the filter command for HTTPS and FTP. If all URL servers are removed from the server list, then all filter commands related to URL filtering are also removed.
Once you designate the server, enable the URL filtering service with the filter url command.
Use the show url-server statistics command to view server statistic information including unreachable servers.
Follow these steps to filter URLs:
Step 1
Step 2
Step 3
Step 4
Step 5
For more information about Filtering by N2H2, visit N2H2's website at:
http://www.n2h2.com
For more information on Websense filtering services, visit the following website:
http://www.websense.com/
Examples
Using N2H2, the following example filters all outbound HTTP connections except those from the 10.0.2.54 host:
hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.1hostname(config)# filter url http 0 0 0 0hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0Using Websense, the following example filters all outbound HTTP connections except those from the 10.0.2.54 host:
hostname(config)# url-server (perimeter) vendor websense host 10.0.1.1 protocol TCP version 4hostname(config)# filter url http 0 0 0 0hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0Related Commands
urgent-flag
To allow or clear the URG pointer through the TCP normalizer, use the urgent-flag command in tcp-map configuration mode. To remove this specification, use the no form of this command.
urgent-flag {allow | clear}
no urgent-flag {allow | clear}
Syntax Description
allow
Allows the URG pointer through the TCP normalizer.
clear
Clears the URG pointer through the TCP normalizer.
Defaults
The urgent flag and urgent offset are clear by default.
Command Modes
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the newTCP map using the policy-map command. Activate TCP inspection with service-policy commands.
Use the tcp-map command to enter tcp-map configuration mode. Use the urgent-flag command in tcp-map configuration mode to allow the urgent flag.
The URG flag is used to indicate that the packet contains information that is of higher priority than other data within the stream. The TCP RFC is vague about the exact interpretation of the URG flag, therefore, end systems handle urgent offsets in different ways, which may make the end system vulnerable to attacks. The default behavior is to clear the URG flag and offset.
Examples
The following example shows how to allow the urgent flag:
hostname(config)# tcp-map tmaphostname(config-tcp-map)# urgent-flag allowhostname(config)# class-map cmaphostname(config-cmap)# match port tcp eq 513hostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalRelated Commands
user
To create a user in a user group object that supports the Identity Firewall feature, use the user command in the user-group object configuration mode. Use the no form of this command to remove the user. from the object.
user [domain_nickname\]user_name
[no] user [domain_nickname\]user_name
Syntax Description
Defaults
If you do not specify the domain_nickname argument, the user is created in the LOCAL domain configured for the Identity Firewall feature.
Command Modes
The following table shows the modes in which you can enter the command:
Object-group user configuration
•
•
•
•
—
Command History
Usage Guidelines
The ASA sends an LDAP query to the Active Directory server for user groups globally defined in the Active Directory domain controller. The ASA imports these groups for the Identity Firewall feature. However, the ASA might have localized network resources that are not defined globally that require local user groups with localized security policies. Local user groups can contain nested groups and user groups that are imported from Active Directory. The ASA consolidates local and Active Directory groups. A user can belong to local user groups and user groups imported from Active Directory.
The ASA supports up to 256 user groups (including imported user groups and local user groups).
You active user group objects by including them within an access group, capture, or service policy.
Within a user group object, you can define the following object types:
•
The name of an imported user must be the sAMAccountName, which is unique, rather than the common name (cn), which might not be unique. However, some Active Directory server administrators might require that the sAMAccountName and the cn be identical. In this case, the cn that the ASA displays in the output of the show user-identity ad-group-member command can be used for imported users defined by the user object.
•
The group name of the user-group must be the sAMAccountName, which is unique, rather than the cn, which might not be unique. However, some Active Directory server administrators might require that the sAMAccountName and the cn be identical. In this case, the cn that the ASA displays in the output of the show user-identity ad-group-member command can be used in the user_group_name argument specified with the user-group keyword.
Note
•
Note
•
Examples
The following example shows how to use the user command with the user-group object command to add a user in a user group object for use with the Identity Firewall feature:
hostname(config)# object-group user sampleuser1-grouphostname(config-object-group user)# description group members of sampleuser1-grouphostname(config-object-group user)# user-group CSCO\\group.sampleusers-allhostname(config-object-group user)# user CSCO\user2hostname(config-object-group user)# exithostname(config)# object-group user sampleuser2-grouphostname(config-object-group user)# description group members of sampleuser2-grouphostname(config-object-group user)# group-object sampleuser1-grouphostname(config-object-group user)# user-group CSCO\\group.sampleusers-marketinghostname(config-object-group user)# user CSCO\user3Related Commands
user-alert
To enable broadcast of an urgent message to all clientless SSL VPN users with currently active session, use the user-alert command in privileged EXEC mode. To disable the message, use the no form of this command.
user-alert string cancel
no user-alert
Syntax Description
Defaults
No message.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
When you issue this command, end users see a pop-up browser window with the configured message. This command causes no change in the ASA configuration file.
Examples
The following example shows how to enable DAP trace debugging:
hostname #We will reboot the security appliance at 11:00 p.m. EST time. We apologize for any inconvenience.hostname #user-authentication
To enable user authentication, use the user-authentication enable command in group-policy configuration mode. To disable user authentication, use the user-authentication disable command. To remove the user authentication attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for user authentication from another group policy.
When enabled, user authentication requires that individual users behind a hardware client authenticate to gain access to the network across the tunnel.
user-authentication {enable | disable}
no user-authentication
Syntax Description
Defaults
User authentication is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Command History
Usage Guidelines
Individual users authenticate according to the order of authentication servers that you configure.
If you require user authentication on the primary ASA, be sure to configure it on any backup servers as well.
Examples
The following example shows how to enable user authentication for the group policy named "FirstGroup":
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#user-authentication enableRelated Commands
user-authentication-idle-timeout
To set an idle timeout for individual users behind hardware clients, use the user-authentication-idle-timeout command in group-policy configuration mode. To delete the idle timeout value, use the no form of this command. This option allows inheritance of an idle timeout value from another group policy. To prevent inheriting an idle timeout value, use the user-authentication-idle-timeout none command.
If there is no communication activity by a user behind a hardware client in the idle timeout period, the ASA terminates the connection.
user-authentication-idle-timeout {minutes | none}
no user-authentication-idle-timeout
Syntax Description
Defaults
30 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Command History
Usage Guidelines
The minimum is 1 minute, the default is 30 minutes, and the maximum is 10,080 minutes.
This timer terminates only the client's access through the VPN tunnel, not the VPN tunnel itself.
The idle timeout indicated in response to the show uauth command is always the idle timeout value of the user who authenticated the tunnel on the Cisco Easy VPN remote device.
Examples
The following example shows how to set an idle timeout value of 45 minutes for the group policy named "FirstGroup":
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#user-authentication-idle-timeout 45Related Commands
user-authentication
Requires users behind hardware clients to identify themselves to the ASA before connecting.
user-group
To add a user group imported from Microsoft Active Directory to the group created with the object-group user command for use with the Identity Firewall feature, use the user-group command in the user-group object configuration mode. Use the no form of this command to remove the user group from the object.
user-group [domain_nickname\]user_group_name
[no] user-group [domain_nickname\]user_group_name
Syntax Description
Defaults
If you do not specify the domain_nickname argument, the user group is created in the LOCAL domain configured for the Identity Firewall feature.
Command Modes
The following table shows the modes in which you can enter the command:
Object-group user configuration
•
•
•
•
—
Command History
Usage Guidelines
The ASA sends an LDAP query to the Active Directory server for user groups globally defined in the Active Directory domain controller. The ASA imports these groups for the Identity Firewall feature. However, the ASA might have localized network resources that are not defined globally that require local user groups with localized security policies. Local user groups can contain nested groups and user groups that are imported from Active Directory. The ASA consolidates local and Active Directory groups. A user can belong to local user groups and user groups imported from the Active Directory.
The ASA supports up to 256 user groups (including imported user groups and local user groups).
You active user group objects by including them within an access group, capture, or service policy.
Within a user group object, you can define the following object types:
•
The name of an imported user must be the sAMAccountName, which is unique, rather than the common name (cn), which might not be unique. However, some Active Directory server administrators might require that the sAMAccountName and the cn be identical. In this case, the cn that the ASA displays in the output of the show user-identity ad-group-member command can be used for imported users defined by the user object.
•
The group name of the user-group must be the sAMAccountName, which is unique, rather than the cn, which might not be unique. However, some Active Directory server administrators might require that the sAMAccountName and the cn be identical. In this case, the cn that the ASA displays in the output of the show user-identity ad-group-member command can be used in the user_group_name argument specified with the user-group keyword.
Note
•
Note
•
Examples
The following example shows how to use the user-group command with the user-group object command to add a user group in a user group object for use with the Identity Firewall feature:
hostname(config)# object-group user sampleuser1-grouphostname(config-object-group user)# description group members of sampleuser1-grouphostname(config-object-group user)# user-group CSCO\\group.sampleusers-allhostname(config-object-group user)# user CSCO\user2hostname(config-object-group user)# exithostname(config)# object-group user sampleuser2-grouphostname(config-object-group user)# description group members of sampleuser2-grouphostname(config-object-group user)# group-object sampleuser1-grouphostname(config-object-group user)# user-group CSCO\\group.sampleusers-marketinghostname(config-object-group user)# user CSCO\user3Related Commands
user-identity action ad-agent-down
To set the action for the Cisco Identify Firewall instance when the Active Directory Agent is unresponsive, use the user-identity action ad-agent-down command in global configuration mode. To remove this action for the Identity Firewall instance, use the no form of this command.
user-identity action ad-agent-down disable-user-identity-rule
no user-identity action ad-agent-down disable-user-identity-rule
Syntax Description
This command has no arguments or keywords.
Defaults
By default, this command is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Specifies the action when the AD Agent is not responding.
When the AD Agent is down and the user-identity action ad-agent-down is configured, the ASA disables the user identity rules associated with the users in that domain. Additionally, the status of all user IP addresses in that domain are marked as disabled in the output displayed by the show user-identity user command.
Examples
The following example shows how to enable this action for the Identity Firewall:
hostname(config)#user-identity action ad-agent-down disable-user-identity-ruleRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity action domain-controller-down
To set the action for the Cisco Identify Firewall instance when the Active Directory domain controller is down, use the user-identity action domain-controller-down command in global configuration mode. To remove the action, use the no form of this command.
user-identity action domain-controller-down domain_nickname disable-user-identity-rule
no user-identity action domain-controller-down domain_nickname disable-user-identity-rule
Syntax Description
Defaults
By default, this command is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Specifies the action when the domain is down because Active Directory domain controller is not responding.
When the domain is down and the disable-user-identity-rule keyword is configured, the ASA disables the user identity-IP address mappings for that domain. Additionally, the status of all user IP addresses in that domain are marked as disabled in the output displayed by the show user-identity user command.
Examples
The following example shows how to configure this action for the Identity Firewall:
hostname(config)# user-identity action domain-controller-down SAMPLE disable-user-identity-ruleRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity action mac-address-mismatch
To set the action for the Cisco Identify Firewall instance when a user's MAC address is found to be inconsistent with the ASA device IP address, use the user-identity action netbios-response-fail command in global configuration mode. To remove the action, use the no form of this command.
user-identity action netbios-response-fail remove-user-ip
no user-identity action netbios-response-fail remove-user-ip
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the ASA uses remove-user-ip when this command is specified.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Specifies the action when a user's MAC address is found to be inconsistent with the ASA device IP address currently mapped to that MAC address.
When the user-identity action mac-address-mismatch command is configured, the ASA removes the user identity-IP address mapping for that client.
Examples
The following example shows how to configure the Identity Firewall:
hostname(config)#user-identity action mac-address-mismatch remove-user-ipRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity action netbios-response-fail
To set the action when a client does not respond to a NetBIOS probe for the Cisco Identify Firewall instance, use the user-identity action netbios-response-fail command in global configuration mode. To remove the action, use the no form of this command.
user-identity action netbios-response-fail remove-user-ip
no user-identity action netbios-response-fail remove-user-ip
Syntax Description
This command has no arguments or keywords.
Defaults
By default, this command is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Specifies the action when a client does not respond to a NetBIOS probe. For example, the network connection might be blocked to that client or the client is not active.
When the user-identity action remove-user-ip is configured, the ASA removed the user identity-IP address mapping for that client.
Examples
The following example shows how to configure the Identity Firewall:
hostname(config)#user-identity action netbios-response-fail remove-user-ipRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity ad-agent aaa-server
To define the server group of the AD Agent for the Cisco Identify Firewall instance, use the user-identity ad-agent aaa-server command in AAA server host configuration mode. To remove the action, use the no form of this command.
user-identity user-identity ad-agent aaa-server aaa_server_group_tag
no user-identity user-identity ad-agent aaa-server aaa_server_group_tag
Syntax Description
Defaults
This command has no defaults.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa server host configuration
•
•
•
—
—
Command History
Usage Guidelines
The first server defined in aaa_server_group_tag variable is the primary AD Agent and the second server defined is the secondary AD Agent.
The Identity Firewall supports defining only two AD Agent hosts.
When the ASA detects that the primary AD Agent is down and a secondary agent is specified, it switches to the secondary AD Agent. The AAA server for the AD agent uses RADIUS as the communication protocol, and should specify the key attribute for the shared secret between the ASA and AD Agent.
Examples
The following example shows how to define the AD Agent AAA server host for the Identity Firewall:
hostname(config-aaa-server-hostkey)# user-identity ad-agent aaa-server adagentRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity ad-agent active-user-database
To define how the ASA retrieves the user identity-IP address mapping information from the AD Agent for the Cisco Identify Firewall instance, use the user-identity action netbios-response-fail command in global configuration mode. To remove the configuration, use the no form of this command.
user-identity ad-agent active-user-database {on-demand|full-download}
no user-identity ad-agent active-user-database {on-demand|full-download}
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the ASA 5505 uses the on-demand option. The other ASA platforms use the full-download option.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Defines how the ASA retrieves the user identity-IP address mapping information from the AD Agent:
•
•
By default, the ASA 5505, uses the on-demand option. The other ASA platforms use the full-download option.
Full downloads are event driven, meaning that subsequent requests to download the database, send just the updates to the user identity-IP address mapping database.
When the ASA registers a change request with the AD Agent, the AD Agent sends a new event to the ASA.
Examples
The following example shows how to configure this option for the Identity Firewall:
hostname(config)# user-identity ad-agent active-user-database full-downloadRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity ad-agent hello-timer
To define the timer between the ASA and the AD Agent for the Cisco Identify Firewall instance, use the user-identity ad-agent hello-timer command in global configuration mode. To remove the configuration, use the no form of this command.
user-identity ad-agent hello-timer seconds seconds retry-times number
no user-identity ad-agent hello-timer seconds seconds retry-times number
Syntax Description
number
Specifies the number of times to retry the timer.
seconds
Specifies the length of time for the timer.
Defaults
By default, the hello timer is set to 30 seconds and 5 retries.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Defines the hello timer between the ASA and the AD Agent.
The hello timer between the ASA and the AD Agent defines how frequently the ASA exchanges hello packets. The ASA uses the hello packet to obtain ASA replication status (in-sync or out-of-sync) and domain status (up or down). If the ASA does not receive a response from the AD Agent, it resends a hello packet after the specified interval.
By default, the hello timer is set to 30 seconds and 5 retries.
Examples
The following example shows how to configure this option for the Identity Firewall:
hostname(config)# user-identity ad-agent hello-timer seconds 20 retry-times 3Related Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity default-domain
To specify the default domain for the Cisco Identify Firewall instance, use the user-identity default-domain command in global configuration mode. To remove the default domain, use the no form of this command.
user-identity default-domain domain_NetBIOS_name
no user-identity default-domain domain_NetBIOS_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
For domain_NetBIOS_name, enter a name up to 32 characters consisting of [a-z], [A-Z], [0-9], [!@#$%^&()-_=+[]{};,.] except '.' and ' ' at the first character. If the domain name contains a space, enclose the entire name in quotation marks. The domain name is not case sensitive.
The default domain is used for all users and user groups when a domain has not been explicitly configured for those users or groups. When a default domain is not specified, the default domain for users and groups is LOCAL. For multiple context mode, you can set a default domain name for each context, as well as within the system execution space.
Note
The Identity Firewall uses the LOCAL domain for all locally defined user groups or locally defined users. Users logging in through a web portal (cut-through proxy) are designated as belonging to the Active Directory domain with which they authenticated. Users logging in through a VPN are designated as belonging to the LOCAL domain unless the VPN is authenticated by LDAP with the Active Directory, so that the Identity Firewall can associate the users with their Active Directory domain.
Examples
The following example shows how to configure the default domain for the Identity Firewall:
hostname(config)# user-identity default-domain SAMPLERelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity domain
To associate the domain for the Cisco Identify Firewall instance, use the user-identity domain command in global configuration mode. To remove the domain association, use the no form of this command.
user-identity domain domain_nickname aaa-server aaa_server_group_tag
no user-identity domain_nickname aaa-server aaa_server_group_tag
Syntax Description
domain_nickname
Specifies the domain name for the Identity Firewall.
aaa_server_group_tag
Specifies the AAA Server group associated with the Identity Firewall.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Associates the LDAP parameters defined for the AAA server for importing user group queries with the domain name.
For domain_nickname, enter a name up to 32 characters consisting of [a-z], [A-Z], [0-9], [!@#$%^&()-_=+[]{};,.] except '.' and ' ' at the first character. If the domain name contains a space, you must enclose that space character in quotation marks. The domain name is not case sensitive.
Examples
The following example shows how to associate the domain for the Identity Firewall:
hostname(config)# user-identity domain SAMPLE aaa-server dsRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity enable
To create the Cisco Identify Firewall instance, use the user-identity enable command in global configuration mode. To disable the Identity Firewall instance, use the no form of this command.
user-identity enable
no user-identity enable
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
No usage guidelines.
Examples
The following example shows how to enable the Identity Firewall:
hostname(config)#user-identity enableRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity inactive-user-timer
To specify the amount of time before a user is considered idle for the Cisco Identify Firewall instance, use the user-identity inactive-user-timer command in global configuration mode. To remove the timer, use the no form of this command.
user-identity inactive-user-timer minutes minutes
no user-identity inactive-user-timer minutes minutes
Syntax Description
minutes
Specifies the amount of time in minutes before a user is considered idle, indicating the ASA has not received traffic from the user's IP address for the specified amount of time.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
When the timer expires, the user's IP address is marked as inactive and removed from the local cached user identity-IP address mappings database and the ASA no longer notifies the AD Agent about that IP address removal. Existing traffic is still allowed to pass. When this command is specified, the ASA runs an inactive timer even when the NetBIOS Logout Probe is configured.
By default, the idle timeout is set to 60 minutes.
Note
Examples
The following example shows how to configure the Identity Firewall:
hostname(config)# user-identity inactive-user-timer minutes 120Related Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity logout-probe
To enable NetBIOS probing for the Cisco Identify Firewall instance, use the user-identity logout-probe command in global configuration mode. To remove the disable probing, use the no form of this command.
user-identity logout-probe netbios local-system probe-time minutes minutes retry-interval seconds seconds retry-count times [user-not-needed|match-any|exact-match]
no user-identity logout-probe netbios local-system probe-time minutes minutes retry-interval seconds seconds retry-count times [user-not-needed|match-any|exact-match]
Syntax Description
minutes
Specifies the number of minutes between probes.
seconds
Specifies the length of time for the retry interval.
times
Specifies the number of times to retry the probe.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
To minimize the NetBIOS packets, the ASA only sends a NetBIOS probe to a client when the user has been idle for more than the specified number of minutes.
Set the NetBIOS probe timer from1 to 65535 minutes and the retry interval from 1 to 256 retries. Specify the number of times to retry the probe:
•
•
•
The Identity Firewall only performs NetBIOS probing for those users identities that are in the active state and exist in at least one security policy. The ASA does not perform NetBIOS probing for clients where the users logged in through cut-through proxy or by using VPN.
Examples
The following example shows how to configure the Identity Firewall:
hostname(config)# user-identity logout-probe netbios local-system probe-time minutes 10 retry-interval seconds 10 retry-count 2 user-not-neededRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity poll-import-user-group-timer
To specify the amount of time before the ASA queries the Active Directory server for user group information for the Cisco Identify Firewall instance, use the user-identity poll-import-user-group-timer command in global configuration mode. To remove the timer, use the no form of this command.
user-identity poll-import-user-group-timer hours hours
no user-identity poll-import-user-group-timer hours hours
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Specifies the amount of time before the ASA queries the Active Directory server for user group information.
If a user is added to or deleted from an Active Directory group, the ASA received the updated user group after the import group timer ran.
By default, the poll timer is 8 hours.
To immediately update user group information, enter the user-identity update import-user command.
Examples
The following example shows how to configure the Identity Firewall:
hostname(config)# user-identity poll-import-user-group-timer hours 1Related Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity static user
To create a new user-IP address mapping or set a user's IP address to inactive for the Cisco Identify Firewall feature, use the user-identity static user command in global configuration mode. To remove this configuration for the Identity Firewall, use the no form of this command.
user-identity static user [domain\] user_name host_ip
no user-identity static user [domain\] user_name host_ip
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
There are no usage guidelines for this command.
Examples
The following example shows how to enable this action for the Identity Firewall:
hostname(config)#user-identity static user SAMPLE\user1 192.168.1.101Related Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity update active-user-database
To download the entire active-user database from Active Directory Agent, use the user-identity update active-user-database command in global configuration mode.
user-identity update active-user-database [timeout minutes minutes]
Syntax Description
Defaults
The default timeout is 5 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
This command downloads the entire active-user database from Active Directory Agent.
This command starts the update operation, generates a starting update log and returns immediately. When the update operation finishes or is aborted at timer expiration, another syslog message is generated. Only one outstanding update operation is allowed. Rerunning the command displays an error message.
When the command finishes running, the ASA displays [Done] at the command prompt, then generates a syslog message.
Examples
The following example shows how to enable this action for the Identity Firewall:
hostname# user-identity update active-user-databaseERROR: one update active-user-database operation is already in progress[Done] user-identity update active-user-databaseRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity update import-user
To download the entire active-user database from Active Directory Agent, use the user-identity update active-user-database command in global configuration mode.
user-identity update import-user [[domain_nickname\\] user_group_name [timeout seconds seconds]]
Syntax Description
Defaults
The ASA retries the update up to 5 times and generates warning messages as necessary.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
This command updates the specified import user group database by querying the Active Directory server immediately, without waiting for the expiration of the poll-import user group timer. There is no command to update the local user group, because the group ID database is updated whenever the local user group has a configuration change.
This command does not block the console to wait for the return of the LDAP query.
This command starts the update operation, generates a starting update log and returns immediately. When the update operation finishes or is aborted at timer expiration, another syslog message is generated. Only one outstanding update operation is allowed. Rerunning the command displays an error message.
If the LDAP query is successful, the ASA stores retrieved user data in the local database and changes the user/group association accordingly. If the update operation is successful, you can run the show user-identity user-of-group domain\\group command to list all stored users under this group.
The ASA checks after each update for all imported groups. If an activated Active Directory group does not exist in Active Directory, the ASA generates a syslog message.
If user_group_name is not specified, the ASA starts the LDAP update service immediately and tries to periodically update all activated groups. The LDAP update service runs in the background and periodically updates import user groups via an LDAP query on the Active Directory server.
At system boot up time, if there are import user groups defined in access groups, the ASA retrieves user/group data via LDAP queries. If errors occur during the update, the ASA retries the update up to 5 times and generates warning messages as necessary.
When the command finishes running, the ASA displays [Done] at the command prompt, then generates a syslog message.
Examples
The following example shows how to enable this action for the Identity Firewall:
hostname# user-identity update import-user group.sample-group1ERROR: Update import-user group is already in progress[Done] user-identity update import-user group.sample-group1Related Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-identity user-not-found
To enable user-not-found tracking for the Cisco Identify Firewall instance, use the user-identity user-not-found command in global configuration mode. To remove this tracking for the Identity Firewall instance, use the no form of this command.
user-identity user-not-found enable
no user-identity user-not-found enable
Syntax Description
This command has no arguments or keywords.
Defaults
By default, this command is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Only the last 1024 IP addresses are tracked.
Examples
The following example shows how to enable this action for the Identity Firewall:
hostname(config)#user-identity user-not-found enableRelated Commands
clear configure user-identity
Clears the configuration for the Identity Firewall feature.
user-message
To specify a text message to display when a DAP record is selected, use the user-message command in dynamic-access-policy-record mode. To remove this message, use the no version of the command. If you use the command more than once for the same DAP record, the newer message replaces the previous message.
user-message message
no user-message
Syntax Description
message
The message for users assigned to this DAP record. Maximum 128 characters. If the message contains spaces, enclose it in double quotation marks.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Dynamic-access-policy- record
•
•
•
—
—
Command History
Usage Guidelines
For a successful SSL VPN connection, the portal page displays a flashing, clickable icon that lets the user see the message(s) associated with the connection. If the connection is terminated from a DAP policy (action = terminate), and if there is a user message configured in that DAP record, then that message displays on the login screen.
If more than one DAP record applies to a connection, the ASA combines the applicable user messages and displays them as a single string.
Examples
The following example shows how to set a user message of "Hello Money Managers" for the DAP record called Finance.
hostname (config) config-dynamic-access-policy-recordFinancehostname(config-dynamic-access-policy-record)#user-message "Hello Money Managers"hostname(config-dynamic-access-policy-record)#Related Commands
user-parameter
To specify the name of the HTTP POST request parameter in which a username must be submitted for SSO authentication, use the user-parameter command in aaa-server-host configuration mode. This is an SSO with HTTP Forms command.
user-parameter name
Note
Syntax Description
Syntax DescriptionSyntax Description
string
The name of the username parameter included in the HTTP POST request. The maximum name size is 128 characters.
Defaults
There is no default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server-host configuration
•
—
•
—
—
Command History
Usage Guidelines
The WebVPN server of the ASA uses an HTTP POST request to submit a single sign-on authentication request to an SSO server. The required command user-parameter specifies that the HTTP POST request must include a username parameter for SSO authentication.
Note
Examples
The following example, entered in aaa-server-host configuration mode, specifies that the username parameter userid be included in the HTTP POST request used for SSO authentication:
hostname(config)# aaa-server testgrp1 host example.comhostname(config-aaa-server-host)# user-parameter useridhostname(config-aaa-server-host)#Related Commands
user-statistics
To activate the collection of user statistics by MPF and match lookup actions for the Identify Firewall, use the user-statistics command in policy-map configuration mode. To remove collection of user statistics, use the no form of this command.
user-statistics [accounting | scanning]
no user-statistics [accounting | scanning]
Syntax Description
accounting
(Optional) Specifies that the ASA collect the sent packet count, sent drop count, and received packet count.
scanning
(Optional) Specifies that the ASA collect only the send drop count.
Defaults
By default, this command is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Policy-map configuration
•
•
•
•
—
Command History
Usage Guidelines
When you configure a policy map to collect user statistics, the ASA collects detailed statistics for selected users. When you specify the user-statistics command without the accounting or scanning keywords, the ASA collects both accounting and scanning statistics.
Examples
The following example shows how to activate user statistics for the Identity Firewall:
hostname(config)#class-map c-identity-example-1hostname(config-cmap)#match access-list identity-example-1hostname(config-cmap)# exithostname(config)#policy-map p-identity-example-1hostname(config-pmap)#class c-identity-example-1hostname(config-pmap)#user-statistics accountinghostname(config-pmap)# exithostname(config)#service-policy p-identity-example-1 interface outsideRelated Commands
user-storage
To store personalized user information between clientless SSL VPN sessions, use the user storage command in group-policy webvpn mode. To disable user storage, use the no versionof the command.
user-storage NETFS-location [username username password password]
no user-storage]
Syntax Description
Defaults
User storage is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
group-policy webvpn mode
•
—
•
—
—
Command History
8.0(2)
This command was introduced.
8.4(6)
Prevented the password being shown in clear text during "show run."
Usage Guidelines
User-storage allows you to store cached credentials and cookies at a location other than the ASA flash. This command provides single sign on for personal bookmarks of a clientless SSL VPN user. The user credentials are stored in an encrypted format on the FTP/CIFS/SMB server as a <user_id>.cps file that is not decryptable.
Although the username, password, and preshared key are shown in the configuration, this poses no security risk because the ASA stores this information in encrypted form, using an internal algorithm.
If data is encrypted on an external FTP or SMB server, you can define personal bookmarks within the portal page by selecting add bookmark (for example: user-storage cifs://jdoe:test@10.130.60.49/SharedDocs). You can create personalized URLs for all plugin protocols as well.
Note
Examples
The following example shows how to set user storage for a user called newuser with a password of 12345678 at a file share called anyshare, and a path of anyfiler02a/new_share:
hostname(config)#wgroup-policy DFLTGrpPolicy attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)#user-storage cifs://newuser:12345678@anyfiler02a/new_sharehostname(config-group_webvpn)#Related Commands
storage-key
Specifies a storage key to protect the data stored between sessions.
storage-objects
Configures storage objects for the data stored between sessions.
username (8.4(3) and earlier)
To add a user to the ASA database, enter the username command in global configuration mode. To remove a user, use the no version of this command with the username that you want to remove. To remove all usernames, use the no version of this command without appending a username.
username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]
no username name
Syntax Description
Defaults
The default privilege level is 2.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0.1
This command was introduced.
7.2(1)
The mschap and nt-encrypted keywords were added.
Usage Guidelines
The login command uses this database for authentication.
If you add users to the local database who can gain access to the CLI and whom you do not want to enter privileged mode, you should enable command authorization. (See the aaa authorization command command.) Without command authorization, users can access privileged EXEC mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is the default). Alternatively, you can use AAA authentication so the user will not be able to use the login command, or you can set all local users to level 1 so you can control who can use the enable password to access privileged EXEC mode.
By default, VPN users that you add with this command have no attributes or group policy association. You must configure all values explicitly using the username attributes command.
When password authentication policy is enabled, you can no longer change your own password or delete your own account with the username command. You can, however, change your password with the change-password command.
Examples
The following example shows how to configure a user named "anyuser" with a password of 12345678 and a privilege level of 12:
hostname(config)#username anyuser password 12345678 privilege 12Related Commands
username (8.4(4.1) and later)
To add a user to the ASA database, enter the username command in global configuration mode. To remove a user, use the no version of this command with the username that you want to remove. To remove all usernames, use the no version of this command without appending a username. To enable the system to restore a password creation date at boot time or when copying a file to the running configuration, enter the username command in non-interactive configuration mode.
[no] username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]
username name [password-date date]
Syntax Description
Defaults
The default privilege level is 2.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Non-interactive configuration
•
•
•
•
—
Command History
7.0.1
This command was introduced.
7.2(1)
The mschap and nt-encrypted keywords were added.
8.4(4.1)
The password-date date option was added.
Usage Guidelines
The login command uses this database for authentication.
If you add users to the local database who can gain access to the CLI and whom you do not want to enter privileged mode, you should enable command authorization. (See the aaa authorization command command.) Without command authorization, users can access privileged EXEC mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is the default). Alternatively, you can use AAA authentication so the user will not be able to use the login command, or you can set all local users to level 1 so you can control who can use the enable password to access privileged EXEC mode.
By default, VPN users that you add with this command have no attributes or group policy association. You must configure all values explicitly using the username attributes command.
When password authentication policy is enabled, you can no longer change your own password or delete your own account with the username command. You can, however, change your password with the change-password command.
To display the username password date, use the show running-config all username command.
Note
Examples
The following example shows how to configure a user named "anyuser" with a password of 12345678 and a privilege level of 12:
hostname(config)#username anyuser password 12345678 privilege 12Related Commands
username-from-certificate
To specify the field in a certificate to use as the username for authorization, use the username-from-certificate command in tunnel-group general-attributes mode. The DN of the peer certificate used as username for authorization
To remove the attribute from the configuration and restore default values, use the no form of this command.
username-from-certificate {primary-attr [secondary-attr] | use-entire-name}
no username-from-certificate
Syntax Description
Defaults
The default value for the primary attribute is CN (Common Name).
The default value for the secondary attribute is OU (Organization Unit).
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
This command selects the field in the certificate to use as the username. It replaces the deprecated authorization-dn-attributes command in Release 8.0.4 and following. The username-from-certificate command forces the security appliance to use the specified certificate field as the username for username/password authorization.
To use this derived username in the pre-fill username from certificate feature for username/passwordauthentication or authorization, you must also configure the pre-fill-username command in tunnel-group webvpn-attributes mode. That is, to use the pre-fill username feature, you must configure both commands.
Possible values for primary and secondary attributes include the following:
Examples
The following example, entered in global configuration mode, creates an IPSec remote access tunnel group named remotegrp and specifies the use of CN (Common Name) as the primary attribute and OU as the secondary attribute to use to derive a name for an authorization query from a digital certificate:
hostname(config)# tunnel-group remotegrp type ipsec_rahostname(config)# tunnel-group remotegrp general-attributeshostname(config-tunnel-general)# username-from-certificate CN OUhostname(config-tunnel-general)#The following example shows how to modify the tunnel-group attributes to configure the pre-fill username.
username-from-certificate {use-entire-name | use-script | <primary-attr>} [secondary-attr] secondary-username-from-certificate {use-entire-name | use-script | <primary-attr>} [secondary-attr] ; used only for double-authenticationRelated Commands
username attributes
To enter the username attributes mode, use the username attributes command in username configuration mode. To remove all attributes for a particular user, use the no form of this command and append the username. To remove all attributes for all users, use the no form of this command without appending a username. The attributes mode lets you configure attribute-value pairs for a specified user.
username {name} attributes
no username [name] attributes
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Username
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
8.0(2)
The service-type attribute was added.
8.4(4.1)
The ssh authentication publickey key [hashed] attribute was added.
Usage Guidelines
The internal user authentication database consists of the users entered with the username command. The login command uses this database for authentication. You can configure the username attributes using either the username command or the username attributes command.
The syntax of the commands in config-username mode have the following characteristics in common:
•
•
•
The username attributes command enters config-username mode, in which you can configure any of the following attributes:
You configure webvpn-mode attributes for the username by entering the username attributes command and then entering the webvpn command in username webvpn configuration mode. See the description of the webvpn command (group-policy attributes and username attributes modes) for details.
Examples
The following example shows how to enter username attributes configuration mode for a user named "anyuser":
hostname(config)#username anyuser attributeshostname(config-username)#Related Commands
username-prompt
To customize the username prompt of the WebVPN page login box that is displayed to WebVPN users when they connect to the security appliance, use the username-prompt command from webvpn customization mode:
username-prompt {text | style} value
[no] username-prompt {text | style} value
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
Defaults
The default is text of the username prompt is "USERNAME:".
The default style of the username prompt is color:black;font-weight:bold;text-align:right.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn customization
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
In the following example, the text is changed to "Corporate Username:", and the default style is changed with the font weight increased to bolder:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# username-prompt text Corporate Username:F1-asa1(config-webvpn-custom)# username-prompt style font-weight:bolderRelated Commands
group-prompt
Customizes the group prompt of the WebVPN page.
password-prompt
Customizes the password prompt of the WebVPN page.
validate-attribute
To validate RADIUS attributes when using RADIUS accounting, use the validate attribute command in radius-accounting parameter configuration mode, which is accessed by using the inspect radius-accounting command.
This option is disabled by default.
validate-attribute [attribute_number]
no validate-attribute [attribute_number]
Syntax Description
attribute_number
The RADIUS attribute to be validated with RADIUS accounting. Values range from 1-191. Vendor Specific Attributes are not supported.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
radius-accounting parameter configuration
•
•
•
•
—
Command History
Usage Guidelines
When this command is configured, the security appliance will also do a match on these attributes in addition to the Framed IP attribute. Multiple instances of this command are allowed.
You can find a list of RADIUS attribute types here:
http://www.iana.org/assignments/radius-types
Examples
The following example shows how to enable RADIUS accounting for the user name RADIUS attribute:
hostname(config)# policy-map type inspect radius-accounting rahostname(config-pmap)# parametershostname(config-pmap-p)# validate attribute 1Related Commands
inspect radius-accounting
Sets inspection for RADIUS accounting.
parameters
Sets parameters for an inspection policy map.
validation-policy (crypto ca trustpoint)
To specify the conditions under which a trustpoint can be used to validate the certificates associated with an incoming user connection, use the validation-policy command in crypto ca trustpoint configuration mode. To specify that the trustpoint cannot be used for the named condition, use the no form of the command.
[no] validation-policy {ssl | ipsec} [no-chain] [subordinate-only]
Syntax Description
Defaults
No default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Command History
Crypto ca trustpoint configuration
•
•
•
•
—
Usage Guidelines
Remote-access VPNs can use Secure Sockets Layer (SSL) VPN, IP Security (IPSec), or both, depending on deployment requirements, to permit access to virtually any network application or resource. The validation-policy command allows you to specify the protocol type permitted to access on-board CA certificates.
The no-chain option with this command prevents a security applicance from supporting subordinate CA certificates that are not configured as trustpoints on the security appliance.
The security appliance can have two trustpoints with the same CA resulting in two different identity certificates from the same CA. This option is disabled automatically if the trustpoint is authenticated to a CA that is already associated with another trustpoint that has enabled this feature. This prevents ambiguity in the choice of path-validation parameters. If the user attempts to activate this feature on a trustpoint that has been authenticated to a CA already associated with another trustpoint that has enabled this feature, the action is not permitted. No two trustpoints can have this setting enabled and be authenticated to the same CA.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint, central, and designates it an SSL trustpoint:
hostname(config)# crypto ca trustpoint centralhostname(config-ca-trustpoint)# validation-policy sslhostname(config-ca-trustpoint)#The following example enters crypto ca trustpoint configuration mode for trustpoint, checkin1,and sets it to accept certificates that are subordinate to the specified trustpoint.
hostname(config)# crypto ca trustpoint checkin1hostname(config-ca-trustpoint)# validation-policy subordinates-onlyhostname(config-ca-trustpoint)#Related Commands
verify
To verify the checksum of a file, use the verify command in privileged EXEC mode.
verify path
verify /[md5 path [md5-value] | sha-512] signature
Syntax Description
Defaults
The current flash device is the default file system.
Note
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Use the verify command to verify the checksum of a file before using it.
Each software image that is distributed on disk uses a single checksum for the entire image. This checksum is displayed only when the image is copied into Flash memory; it is not displayed when the image file is copied from one disk to another.
Before loading or duplicating a new image, record the checksum and MD5 information for the image so that you can verify the checksum when you copy the image into Flash memory or onto a server. A variety of image information is available on Cisco.com.
To display the contents of Flash memory, use the show flash command. The Flash contents listing does not include the checksum of individual files. To recompute and verify the image checksum after the image has been copied into Flash memory, use the verify command. Note, however, that the verify command only performs a check on the integrity of the file after it has been saved in the file system. It is possible for a corrupt image to be transferred to the security appliance and saved in the file system without detection. If a corrupt image is transferred successfully to the security appliance, the software will be unable to tell that the image is corrupted and the file will verify successfully.
To use the message-digest5 (MD5) hash algorithm to ensure file validation, use the verify command with the /md5 option. MD5 is an algorithm (defined in RFC 1321) that is used to verify data integrity through the creation of a unique 128-bit message digest. The /md5 option of the verify command allows you to check the integrity of the security appliance software image by comparing its MD5 checksum value against a known MD5 checksum value for the image. MD5 values are now made available on Cisco.com for all security appliance software images for comparison against local system image values.
To perform the MD5 integrity check, issue the verify command using the /md5 keyword. For example, issuing the verify /md5 flash:cdisk.bin command will calculate and display the MD5 value for the software image. Compare this value with the value available on Cisco.com for this image.
Alternatively, you can get the MD5 value from Cisco.com first, then specify this value in the command syntax. For example, issuing the verify /md5 flash:cdisk.bin 8b5f3062c4cacdbae72571440e962233 command will display a message verifying that the MD5 values match or that there is a mismatch. A mismatch in MD5 values means that either the image is corrupt or the wrong MD5 value was entered.
If neither MD5 nor SHA-512 is specified, a SHA-512 based integrity check is performed on Version 8.4(4.1) images and later, and an MD5-based integrity check is performed on Version 8.4(3) images and earlier.
Examples
The following example shows the verify command used on an image file called cdisk.bin. Some of the text was removed for clarity:
hostname# verify cdisk.bin!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Done!Embedded Hash MD5: af5a155f3d5c128a271282c33277069bComputed Hash MD5: af5a155f3d5c128a271282c33277069bCCO Hash MD5: b569fff8bbf8087f355aaf22ef46b782Signature VerifiedVerified disk0:/cdisk.binhostname#Related Commands
version
To specify the version of RIP used globally by the ASA, use the version command in router configuration mode. To restore the defaults, use the no form of this command.
version {1 | 2}
no version
Syntax Description
Defaults
The ASA accepts Version 1 and Version 2 packets but sends only Version 1 packets.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
You can override the global setting on a per-interface basis by entering the rip send version and rip receive version commands on an interface.
If you specify RIP version 2, you can enable neighbor authentication and use MD5-based encryption to authenticate the RIP updates.
Examples
The following example configures the ASA to send and receive RIP Version 2 packets on all interfaces:
hostname(config)# router riphostname(config-router)# network 10.0.0.0hostname(config-router)# version 2Related Commands
virtual http
To configure a virtual HTTP server, use the virtual http command in global configuration mode. To disable the virtual server, use the no form of this command.
virtual http ip_address [warning]
no virtual http ip_address [warning]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
When you use HTTP authentication on the ASA (see the aaa authentication match or the aaa authentication include command), the ASA uses basic HTTP authentication by default. You can change the authentication method so that the ASA redirects HTTP connections to web pages generated by the ASA itself using the aaa authentication listener command with the redirect keyword.
However, if you continue to use basic HTTP authentication, then you might need the virtual http command when you have cascading HTTP authentications.
If the destination HTTP server requires authentication in addition to the ASA, then the virtual http command lets you authenticate separately with the ASA (via a AAA server) and with the HTTP server. Without virtual HTTP, the same username and password you used to authenticate with the ASA is sent to the HTTP server; you are not prompted separately for the HTTP server username and password. Assuming the username and password is not the same for the AAA and HTTP servers, then the HTTP authentication fails.
This command redirects all HTTP connections that require AAA authentication to the virtual HTTP server on the ASA. The ASA prompts for the AAA server username and password. After the AAA server authenticates the user, the ASA redirects the HTTP connection back to the original server, but it does not include the AAA server username and password. Because the username and password are not included in the HTTP packet, the HTTP server prompts the user separately for the HTTP server username and password.
For inbound users (from lower security to higher security), you must also include the virtual HTTP address as a destination interface in the access list applied to the source interface. Moreover, you must add a static command for the virtual HTTP IP address, even if NAT is not required (using the no nat-control command). An identity NAT command is typically used (where you translate the address to itself).
For outbound users, there is an explicit permit for traffic, but if you apply an access list to an inside interface, be sure to allow access to the virtual HTTP address. A static statement is not required.
Note
Examples
The following example shows how to enable virtual HTTP along with AAA authentication:
hostname(config)# virtual http 209.165.202.129hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.200.225 eq httphostname(config)# access-list ACL-IN remark This is the HTTP server on the insidehostname(config)# access-list ACL-IN extended permit tcp any host 209.165.202.129 eq httphostname(config)# access-list ACL-IN remark This is the virtual HTTP addresshostname(config)# access-group ACL-IN in interface outsidehostname(config)# static (inside, outside) 209.165.202.129 209.165.202.129 netmask 255.255.255.255hostname(config)# access-list AUTH extended permit tcp any host 209.165.200.225 eq httphostname(config)# access-list AUTH remark This is the HTTP server on the insidehostname(config)# access-list AUTH extended permit tcp any host 209.165.202.129 eq httphostname(config)# access-list AUTH remark This is the virtual HTTP addresshostname(config)# aaa authentication match AUTH outside tacacs+Related Commands
virtual telnet
To configure a virtual Telnet server on the ASA, use the virtual telnet command in global configuration mode. You might need to authenticate users with the virtual Telnet server if you require authentication for other types of traffic for which the ASA does not supply an authentication prompt. To disable the server, use the no form of this command.
virtual telnet ip_address
no virtual telnet ip_address
Syntax Description
ip_address
Sets the IP address for the virtual Telnet server on the ASA. Make sure this address is an unused address that is routed to the ASA.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Although you can configure network access authentication for any protocol or service (see the aaa authentication match or aaa authentication include command), you can authenticate directly with HTTP, Telnet, or FTP only. A user must first authenticate with one of these services before other traffic that requires authentication is allowed through. If you do not want to allow HTTP, Telnet, or FTP through the ASA, but want to authenticate other types of traffic, you can configure virtual Telnet; the user Telnets to a given IP address configured on the ASA, and the ASA provides a Telnet prompt.
You must configure authentication for Telnet access to the virtual Telnet address as well as the other services you want to authenticate using the authentication match or aaa authentication include command.
When an unauthenticated user connects to the virtual Telnet IP address, the user is challenged for a username and password, and then authenticated by the AAA server. Once authenticated, the user sees the message "Authentication Successful." Then, the user can successfully access other services that require authentication.
For inbound users (from lower security to higher security), you must also include the virtual Telnet address as a destination interface in the access list applied to the source interface. Moreover, you must add a static command for the virtual Telnet IP address, even if NAT is not required (using the no nat-control command). An identity NAT command is typically used (where you translate the address to itself).
For outbound users, there is an explicit permit for traffic, but if you apply an access list to an inside interface, be sure to allow access to the virtual Telnet address. A static statement is not required.
To logout from the ASA, reconnect to the virtual Telnet IP address; you are prompted to log out.
Examples
This example shows how to enable virtual Telnet along with AAA authentication for other services:
hostname(config)# virtual telnet 209.165.202.129hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.200.225 eq smtphostname(config)# access-list ACL-IN remark This is the SMTP server on the insidehostname(config)# access-list ACL-IN extended permit tcp any host 209.165.202.129 eq telnethostname(config)# access-list ACL-IN remark This is the virtual Telnet addresshostname(config)# access-group ACL-IN in interface outsidehostname(config)# static (inside, outside) 209.165.202.129 209.165.202.129 netmask 255.255.255.255hostname(config)# access-list AUTH extended permit tcp any host 209.165.200.225 eq smtphostname(config)# access-list AUTH remark This is the SMTP server on the insidehostname(config)# access-list AUTH extended permit tcp any host 209.165.202.129 eq telnethostname(config)# access-list AUTH remark This is the virtual Telnet addresshostname(config)# aaa authentication match AUTH outside tacacs+Related Commands
vlan
To assign a VLAN ID to a subinterface, use the vlan command in interface configuration mode. To remove a VLAN ID, use the no form of this command. Subinterfaces require a VLAN ID to pass traffic. VLAN subinterfaces let you configure multiple logical interfaces on a single physical interface. VLANs let you keep traffic separate on a given physical interface, for example, for multiple security contexts.
vlan id
no vlan
Syntax Description
id
Specifies an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
•
Command History
7.0(1)
This command was moved from a keyword of the interface command to an interface configuration mode command.
Usage Guidelines
You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the ASA changes the old ID.
You need to enable the physical interface with the no shutdown command to let subinterfaces be enabled. If you enable subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. Therefore, you cannot prevent traffic from passing through the physical interface by bringing down the interface. Instead, ensure that the physical interface does not pass traffic by leaving out the nameif command. If you want to let the physical interface pass untagged packets, you can configure the nameif command as usual.
The maximum number of subinterfaces varies depending on your platform. See the CLI configuration guide for the maximum subinterfaces per platform.
Examples
The following example assigns VLAN 101 to a subinterface:
hostname(config)# interface gigabitethernet0/0.1hostname(config-subif)# vlan 101hostname(config-subif)# nameif dmz1hostname(config-subif)# security-level 50hostname(config-subif)# ip address 10.1.2.1 255.255.255.0hostname(config-subif)# no shutdownThe following example changes the VLAN to 102:
hostname(config)# show running-config interface gigabitethernet0/0.1interface GigabitEthernet0/0.1vlan 101nameif dmz1security-level 50ip address 10.1.2.1 255.255.255.0hostname(config)# interface gigabitethernet0/0.1hostname(config-interface)# vlan 102hostname(config)# show running-config interface gigabitethernet0/0.1interface GigabitEthernet0/0.1vlan 102nameif dmz1security-level 50ip address 10.1.2.1 255.255.255.0Related Commands
vlan (group-policy)
To assign a VLAN to a group policy, use the vlan command in group-policy configuration mode. To remove the VLAN from the configuration of the group policy and replace it with the VLAN setting of the default group policy, use the no form of this command.
[no] vlan {vlan_id |none}
Syntax Description
Defaults
The default value is none.
Command Modes
The following table shows the modes in which you can enter the command:
group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
This command specifies the egress VLAN interface for sessions assigned to this group policy. The ASA forwards all traffic on this group to that VLAN. You can assign a VLAN to each group policy to simplify access control. Use this command as an alternative to using ACLs to filter traffic on a session.
Examples
The following command assigns the VLAN 1 to the group policy:
hostname(config-group-policy)# vlan 1hostname(config-group-policy)The following command removes VLAN mapping from the group policy:
hostname(config-group-policy)# vlan nonehostname(config-group-policy)Related Commands
vnmc org
To define the organization path on the ASA 1000V, use the vnmc org command in global configuration mode. To remove the organization path on the ASA 1000V, use the no form of this command.
vnmc org org-path
no vnmc org org-path
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
You can create only one organization path for each ASA 1000V that you have installed.
To change the organization hierarchy, enter the no vnmc org org-path command. The following actions occur after you enter this command:
•
•
•
Define the new organization hierarchy by re-entering the vnmc org org-path command.
This command is only available when the ASA 1000V is managed in ASDM mode.
Examples
The following example shows how to configure the VNMC organization path:
hostname (config)# vnmc org root/cisco/eng/webRelated Commands
vnmc policy-agent
To configure the VNMC policy agent and enter VNMC policy configuration mode, use the vnmc policy-agent command in global configuration mode. To disable the VNMC policy agent configuration, use the no form of this command.
vnmc policy-agent
no vnmc policy-agent
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The VNMC IP address and the shared secret must be the same for the policy agent as was configured for the VNMC. The VNMC must be reachable through the management0/0 interface.
Examples
The following example shows how to configure the VNMC policy agent:
hostname (config)# vnmc policy-agenthostname (config-vnmc-policy-agent)# registration host 10.1.1.4hostname (config-vnmc-policy-agent)# shared-secret *****hostname (config-vnmc-policy-agent)# login username admin password C!sco123Trustpoint CA certificate accepted.route {from 0.0.0.0/0 to 0.0.0.0/0 via: 127.0.0.1 port = 10000proxyprotocol: socks_v5}Related Commands
vnmc org
Defines the organization hierarchy for the ASA 1000V to use on the VNMC.
show running-config vnmc policy-agent
Displays the VNMC policy agent configuration.
vpath path-mtu
To configure the vPath path MTU threshold, use the vpath path-mtu command in global configuration mode. To disable the vPath path MTU threshold configuration, use the no form of this command.
vpath path-mtu bytes
no vpath path-mtu bytes
Syntax Description
Defaults
The default is 9000 bytes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The ASA receives encapsulated packets from virtual machines (VMs) using a packet-redirection mechanism known as vPath. Due to the size of these vPath headers (up to 82 bytes), it is possible for a payload to require fragmentation after the vPath header has been added. The ASA 1000V has the ability to transparently handle this overhead without requiring the VMs to reduce their MTU to account for these additional bytes. The ASA 1000V can split a packet exceeding the uplink MTU into two vPath fragments when adding the vPath encapsulation before sending the fragments over Ethernet. The vPath fragments are reassembled by the Virtual Ethernet Module (VEM) in the Nexus 1000V switch before the packet is delivered to the destination VM.
The vpath path-mtu command configures how the vPath module in the ASA 1000V fragments a packet so that it complies with the MTU on the path from the ASA 1000V to the destination VM. The vPath module operates below the IP layer on the ASA 1000V and is therefore independent of IP fragmentation (see the interface mtu command). The VEM and vPath module on the ASA 1000V work together to present a valid IP datagram (fragment or otherwise) to the VMs and to the ASA 1000V. The ASA 1000V enforces a TCP MSS setting that already accounts for the additional overhead for vPath.
There may be other encapsulations in the path between the ASA 1000V and the VM. For example, if VXLAN is used between the ASA 1000V and the VM, then 50 additional bytes are used for the packets.
To avoid vPath fragmentation when additional overhead is present, do one of the following:
•
•
•
Examples
The following example shows how to configure the vPath path MTU setting to handle VXLAN overhead of 50 bytes:
hostname (config)# vpath path-mtu 8950Related Commands
vpdn group
To create or edit a vpdn group and configure PPPoE client settings, use the vpdn group command in global configuration mode. To remove a group policy from the configuration, use the no form of this command.
vpdn group group_name {localname username | request dialout pppoe | ppp authentication {chap | mschap | pap}}
no vpdn group group_name {localname name | request dialout pppoe | ppp authentication {chap | mschap | pap}}
Note
Syntax Description
Defaults
default behavior or values. See Usage Guidelines.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
Virtual Private Dial-up Networking (VPDN) is used to provide long distance, point-to-point connections between remote dial-in users and a private network. VDPN on the security appliance uses the Layer 2 tunnelling technology PPPoE to establish dial-up networking connections from the remote user to the private network across a public network.
PPPoE is the Point-to-Point Protocol (PPP) over Ethernet. PPP is designed to work with network layer protocols such as IP, IPX, and ARA. PPP also has CHAP and PAP as built-in security mechanisms.
The show vpdn session pppoe command displays session information for PPPOE connections. The clear configure vpdn group command removes all vpdn group commands from the configuration and stops all the active L2TP and PPPoE tunnels. The clear configure vpdn username command removes all the vpdn username commands from the configuration.
Because PPPoE encapsulates PPP, PPPoE relies on PPP to perform authentication and ECP and CCP functions for client sessions operating within the VPN tunnel. Additionally, PPPoE is not supported in conjunction with DHCP because PPP assigns the IP address for PPPoE.
Note
To define a VPDN group to be used for PPPoE, use the vpdn group group_name request dialout pppoe command. Then use the pppoe client vpdn group command from interface configuration mode to associate a VPDN group with a PPPoE client on a particular interface.
If your ISP requires authentication, use the vpdn group group_name ppp authentication {chap | mschap | pap} command to select the authentication protocol used by your ISP.
Use the vpdn group group_name localname username command to associate the username assigned by your ISP with the VPDN group.
Use the vpdn username username password password command to create a username and password pair for the PPPoE connection. The username must be a username that is already associated with the VPDN group specified for PPPoE.
Note
The PPPoE client functionality is turned off by default, so after VPDN configuration, enable PPPoE with the ip address if_name pppoe [setroute] command. The setroute option causes a default route to be created if no default route exists.
As soon as PPPoE is configured, the security appliance attempts to find a PPPoE access concentrator with which to communicate. When a PPPoE connection is terminated, either normally or abnormally, the security appliance attempts to find a new access concentrator with which to communicate.
The following ip address commands should not be used after a PPPoE session is initiated because they will terminate the PPPoE session:
•
•
•
Examples
The following example creates a vdpn group telecommuters and configures the PPPoE client:
F1(config)# vpdn group telecommuters request dialout pppoeF1(config)# vpdn group telecommuters localname user1F1(config)# vpdn group telecommuters ppp authentication papF1(config)# vpdn username user1 password test1F1(config)# interface GigabitEthernet 0/1F1(config-subif)# ip address pppoe setrouteRelated Commands
vpdn username
To create a username and password pair for PPPoE connections, use the vpdn username command in global configuration mode.
vpdn username username password password [store-local]
no vpdn username username password password [store-local]
Note
Syntax Description
Defaults
No default behavior or values. See Usage Guidelines.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The vpdn username must be a username that is already associated with the VPDN group specified with the vpdn group group_name localname username command.
The clear configure vpdn username command removes all the vpdn username commands from the configuration.
Examples
The following example creates the vpdn username bob_smith with the password telecommuter9/8:
F1(config)# vpdn username bob_smith password telecommuter9/8Related Commands
vpn-access-hours
To associate a group policy with a configured time-range policy, use the vpn-access-hours command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a time-range value from another group policy. To prevent inheriting a value, use the vpn-access-hours none command.
vpn-access hours value {time-range} | none
no vpn-access hours
Syntax Description
Defaults
Unrestricted.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Username
•
—
•
—
—
Command History
Examples
The following example shows how to associate the group policy named FirstGroup with a time-range policy called 824:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#vpn-access-hours 824Related Commands
time-range
Sets days of the week and hours of the day for access to the network, including start and end dates.
vpn-addr-assign
To specify a method for assigning IP addresses to remote access clients, use the vpn-addr-assign command in global configuration mode. To remove the attribute from the configuration, use the no version of this command. To remove all configured VPN address assignment methods from the ASA, user the no version of this command. without arguments.
vpn-addr-assign {aaa | dhcp | local [reuse-delay delay]}
no vpn-addr-assign {aaa | dhcp | local [reuse-delay delay]}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
8.0.3
The reuse-delay option was introduced.
Usage Guidelines
If you choose DHCP, you should also use the dhcp-network-scope command to define the range of IP addresses that the DHCP server can use. You must use the dhcp-server command to indicate the IP addresses that the DHCP server uses.
If you choose local, you must also use the ip-local-pool command to define the range of IP addresses to use. You then use the vpn-framed-ip-address and vpn-framed-netmask commands to assign IP addresses and netmasks to individual users.
With the local pool, you can use the reuse-delay delay option to adjust the delay before a released IP address can be reused. Increasing the delay prevents problems firewalls may experience when an IP address is returned to the pool and reassigned quickly.
If you choose AAA, you obtain IP addresses from either a previously configured RADIUS server.
Examples
The following example shows how to configure DHCP as the address assignment method:
hostname(config)#vpn-addr-assign dhcpRelated Commands
vpn-filter
To specify the name of the ACL to use for VPN connections, use the vpn-filter command in group policy or username mode. To remove the ACL, including a null value created by issuing the vpn-filter none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting values, use the vpn-filter none command.
You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the vpn-filter command to apply those ACLs.
vpn-filter {value ACL name | none}
no vpn-filter
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Username
•
—
•
—
—
Command History
Usage Guidelines
Clientless SSL VPN does not use the ACL defined in the vpn-filter command.
By design, the vpn-filter feature allows for traffic to be filtered in inbound direction only. The outbound rule is automatically compiled. When creating an icmp access-list, do not specify icmp type in the access-list formatting if you want directional filters.
Examples
The following example shows how to set a filter that invokes an access list named acl_vpn for the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#vpn-filter value acl_vpnRelated Commands
vpn-framed-ip-address
To specify the IP address to assign to a particular user, use the vpn-framed-ip-address command in username mode. To remove the IP address, use the no form of this command.
vpn-framed-ip-address {ip_address} {subnet_mask}
no vpn-framed-ip-address
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Username
•
—
•
—
—
Command History
Examples
The following example shows how to set an IP address of 10.92.166.7 for a user named anyuser:
hostname(config)#username anyuser attributeshostname(config-username)#vpn-framed-ip-address 10.92.166.7 255.255.255.254vpn-group-policy
To have a user inherit attributes from a configured group policy, use the vpn-group-policy command in username configuration mode. To remove a group policy from a user configuration, use the no version of this command. Using this command lets users inherit attributes that you have not configured at the username level.
vpn-group-policy {group-policy name}
no vpn-group-policy {group-policy name}
Syntax Description
Defaults
By default, VPN users have no group policy association.
Command Modes
The following table shows the modes in which you can enter the command:
Username
•
—
•
—
—
Command History
Usage Guidelines
You can override the value of an attribute in a group policy for a particular user by configuring it in username mode, if that attribute is available in username mode.
Examples
The following example shows how to configure a user named anyuser to use attributes from the group policy named FirstGroup:
hostname(config)#username anyuser attributeshostname(config-username)# vpn-group-policy FirstGroupRelated Commands
vpn-idle-timeout
To configure a user timeout period use the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode. If there is no communication activity on the connection in this period, the ASA terminates the connection. You can optionally extend the timeout alert-interval from the default one minute.
To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a time-out value from another group policy. To prevent inheriting a value, use the vpn-idle-timeout none command.
vpn-idle-timeout {minutes | none} [alert-interval minutes]
no vpn-idle-timeout
no vpn-idle-timeout alert-interval
Syntax Description
Defaults
30 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Username
•
—
•
—
—
Command History
Usage Guidelines
The AnyConnect client supports session resumption for SSL and IKEv2 connection. With this capability, end user devices can go into sleep mode, lose their WiFi, or any of the like and resume the same connection upon return.
Examples
The following example shows how to set a VPN idle timeout of 15 minutes for the group policy named "FirstGroup":
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#vpn-idle-timeout 30The security appliance uses the default-idle-timeout value if no idle timeout is defined for a user, if the vpn-idle-timeout value is 0, or if the value does not fall into the valid range.
Related Commands
vpn load-balancing
To enter vpn load-balancing mode, in which you can configure VPN load balancing and related functions, use the vpn load-balancing command in global configuration mode.
vpn load-balancing
Note
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration mode
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
8.0(2)
Added support for ASA Model 5510 with a Plus license and models above 5520.
Usage Guidelines
A load-balancing cluster can include security appliance models 5510 (with a Plus license), or ASA 5520 and above. You can also include VPN 3000 Series Concentrators in the cluster. While mixed configurations are possible, administration is generally simpler if the cluster is homogeneous.
Use the vpn load-balancing command to enter vpn load-balancing mode. The following commands are available in vpn load-balancing mode:
•
•
•
•
•
•
•
•
•
See the individual command descriptions for detailed information.
Examples
The following is an example of the vpn load-balancing command; note the change in the prompt:
hostname(config)# vpn load-balancinghostname(config-load-balancing)#The following is an example of a VPN load-balancing command sequence that includes an interface command that specifies the public interface of the cluster as "test" and the private interface of the cluster as "foo":
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# nat 192.168.10.10hostname(config-load-balancing)# priority 9hostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# cluster key 123456789hostname(config-load-balancing)# cluster encryptionhostname(config-load-balancing)# cluster port 9023hostname(config-load-balancing)# participate
vpn-session-db
To specify the maximum number of VPN sessions or AnyConnect client VPN sessions, use the vpn-session-db command from global configuration mode. To remove the limit from the configuration, use the no form of the command:
vpn-sessiondb {max-anyconnect-premium-or-essentials-limit <number> | max-other-vpn-limit <number>}
Syntax Description
Defaults
By default, the ASA does not limit the number of VPN sessions lower than the licensed maximum.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example sets the maximum AnyConnect sessions to 200:
hostname(config)# vpn-sessiondb max-anyconnect-premium-or-essentials-limit 200Related Commands
vpn-sessiondb logoff
Logs off all or specific types of IPsec VPN and WebVPN sessions.
vpn-sessiondb max-webvpn-session-limit
Sets a maximum number of WebVPN sessions.
vpn-sessiondb logoff
To log off all or selected VPN sessions, use the vpn-sessiondb logoff command in global configuration mode.
vpn-sessiondb logoff {all | anyconnect | email-proxy | index index_number | ipaddress IPaddr | l2l | name username | protocol protocol-name | ra-ikev1-ipsec | tunnel-group groupname | vpn-lb | webvpn} [noconfirm]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example shows how to log off all AnyConnect client sessions:
hostname# vpn-sessiondb logoff anyconnectThe next example shows how to log off all IPSec sessions:
hostname# vpn-sessiondb logoff protocol IPSecvpn-session-timeout
To configure a maximum amount of time allowed for VPN connections, use the vpn-session-timeout command in group-policy configuration mode or in username configuration mode. At the end of this period of time, the ASA terminates the connection. You can optionally extend the timeout alert-interval from the default one minute.
To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a time-out value from another group policy. To prevent inheriting a value, use the vpn-session-timeout none command.
vpn-session-timeout {minutes | none} [alert-interval minutes]
no vpn-session-timeout
no vpn-session-timeout alert-interval
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Username
•
—
•
—
—
Command History
Examples
The following example shows how to set a VPN session timeout of 180 minutes for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# vpn-session-timeout 180Related Commands
vpn-simultaneous-logins
To configure the number of simultaneous logins permitted for a user, use the vpn-simultaneous-logins command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy. Enter 0 to disable login and prevent user access.
vpn-simultaneous-logins {integer}
no vpn-simultaneous-logins
Syntax Description
Defaults
The default is 3 simultaneous logins.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Username
•
—
•
—
—
Command History
Usage Guidelines
Enter 0 to disable login and prevent user access.
Note
Stale AnyConnect, IPSec Client, or Clientless sessions (sessions that are terminated abnormally) might remain in the session database, even though a "new" session has been established with the same username.
If the value of vpn-simultaneous-logins is 1, and the same user logs in again after an abnormal termination, then the stale session is removed from the database and the new session is established. If, however, the existing session is still an active connection and the same user logs in again, perhaps from another PC, the first session is logged off and removed from the database, and the new session is established.
If the number of simultaneous logins is a value greater than 1, then, when you have reached that maximum number and try to log in again, the session with the longest idle time is logged off. If all current sessions have been idle an equally long time, then the oldest session is logged off. This action frees up a session and allows the new login.
Examples
The following example shows how to allow a maximum of 4 simultaneous logins for the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#vpn-simultaneous-logins 4vpn-tunnel-protocol
To configure a VPN tunnel type (IPsec with IKEv1 or IKEv2, L2TP over IPSec, SSL, or clientless SSL), use the vpn-tunnel-protocol command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpn-tunnel-protocol {ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless}
no vpn-tunnel-protocol {ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless}
Syntax Description
Defaults
The default is IPsec.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Username configuration
•
—
•
—
—
Command History
Usage Guidelines
Use this command to configure one or more tunneling modes. You must configure at least one tunneling mode for users to connect over a VPN tunnel.
Note
Examples
The following example shows how to configure WebVPN and IPSec tunneling modes for the group policy named "FirstGroup":
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#vpn-tunnel-protocol webvpnhostname(config-group-policy)#vpn-tunnel-protocol IPSecRelated Commands
vpnclient connect
To attempt to establish an Easy VPN Remote connection to the configured server or servers, use the vpnclient connect command in global configuration mode.
vpnclient connect
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
EXEC
•
—
•
—
—
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA model 5505.
Examples
The following example shows how to attempt to establish an Easy VPN Remote connection to a configured EasyVPN server:
hostname(config)#vpnclient connecthostname(config)#vpnclient enable
To enable the Easy VPN Remote feature, use the vpnclient enable command in global configuration mode. To disable the Easy VPN Remote feature, use the no form of this command:
vpnclient enable
no vpnclient enable
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA 5505.
If you enter the vpnclient enable command, the ASA 5505 functions as a Easy VPN hardware client (also called "Easy VPN Remote").
Examples
The following example shows how to enable the Easy VPN Remote feature:
hostname(config)#vpnclient enablehostname(config)#The following example shows how to disable the Easy VPN Remote feature:
hostname(config)#no vpnclient enablehostname(config)#vpnclient ipsec-over-tcp
To configure the ASA 5505 running as an Easy VPN hardware client to use TCP-encapsulated IPSec, use the vpnclient ipsec-over-tcp command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient ipsec-over-tcp [port tcp_port]
no vpnclient ipsec-over-tcp
Syntax Description
port
(Optional) Specifies the use of a particular port.
tcp_port
(Required if you specify the keyword port.) Specifies the TCP port number to be used for a TCP-encapsulated IPSec tunnel.
Defaults
The Easy VPN Remote connection uses port 10000 if the command does not specify a port number.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA 5505 running as an Easy VPN hardware client (also called "Easy VPN Remote").
By default, the Easy VPN client and server encapsulate IPSec in User Datagram Protocol (UDP) packets. Some environments, such as those with certain firewall rules, or NAT and PAT devices, prohibit UDP. To use standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) in such environments, you must configure the client and the server to encapsulate IPSec within TCP packets to enable secure tunneling. If your environment allows UDP, however, configuring IPSec over TCP adds unnecessary overhead.
If you configure an ASA 5505 to use TCP-encapsulated IPSec, enter the following command to let it send large packets over the outside interface:
hostname(config)# crypto ipsec df-bit clear-df outsidehostname(config)#This command clears the Don't Fragment (DF) bit from the encapsulated header. A DF bit is a bit within the IP header that determines whether the packet can be fragmented. This command lets the Easy VPN hardware client send packets that are larger than the MTU size.
Examples
The following example shows how to configure the Easy VPN hardware client to use TCP-encapsulated IPSec, using the default port 10000, and to let it send large packets over the outside interface:
hostname(config)#vpnclient ipsec-over-tcphostname(config)# crypto ipsec df-bit clear-df outsidehostname(config)#The next example shows how to configure the Easy VPN hardware client to use TCP-encapsulated IPSec, using the port 10501, and to let it send large packets over the outside interface:
hostname(config)#vpnclient ipsec-over-tcp port 10501hostname(config)# crypto ipsec df-bit clear-df outsidehostname(config)#vpnclient mac-exempt
To exempt devices behind an Easy VPN Remote connection from individual user authentication requirements, use the vpnclient mac-exempt command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient mac-exempt mac_addr_1 mac_mask_1 [mac_addr_2 mac_mask_2...mac_addr_n mac_mask_n]
no vpnclient mac-exempt
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA model 5505.
Devices such as Cisco IP phones, wireless access points, and printers are incapable of performing authentication, and therefore do not authenticate when individual unit authentication is enabled. If individual user authentication is enabled, you can use this command to exempt such devices from authentication. The exemption of devices from individual user authentication is also called "device pass-through."
The format for specifying the MAC address and mask in this command uses three hex digits, separated by periods; for example, the MAC mask ffff.ffff.ffff matches just the specified MAC address. A MAC mask of all zeroes matches no MAC address, and a MAC mask of ffff.ff00.0000 matches all devices made by the same manufacturer.
Note
hostname(config-group-policy)#user-authentication enable
hostname(config-group-policy)#ip-phone-bypass enableExamples
Cisco IP phones have the Manufacturer ID 00036b, so the following command exempts any Cisco IP phone, including Cisco IP phones, you might add in the future:
hostname(config)#vpnclient mac-exempt 0003.6b00.0000 ffff.ff00.0000hostname(config)#The next example provides greater security but less flexibility because it exempts one specific Cisco IP phone:
hostname(config)#vpnclient mac-exempt 0003.6b54.b213 ffff.ffff.ffffhostname(config)#vpnclient management
To generate IPSec tunnels for management access to the Easy VPN hardware client, use the vpnclient management command in global configuration mode.
vpnclient management tunnel ip_addr_1 ip_mask_1 [ip_addr_2 ip_mask_2...ip_addr_n ip_mask_n]
vpnclient management clear
To remove the attribute from the running configuration, use the no form of this command, which sets up IPSec tunnels exclusively for management in accordance with the split-tunnel-policy and split-tunnel-network-list commands.
no vpnclient management
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA 5505 running as an Easy VPN Client (also called "Easy VPN Remote"). It assumes the ASA 5505 configuration contains the following commands:
vpnclient server to specify the peer.
vpnclient mode to specify the client mode (PAT) or network extension mode.
One of the following:
•
•
vpnclient enable to enable the ASA 5505 as an Easy VPN Client.
Note
Note
Examples
The following example shows how to generate an IPSec tunnel from the outside interface of the ASA 5505 to the host with the IP address/mask combination 192.168.10.10 255.255.255.0:
hostname(config)#vpnclient management tunnel 192.168.10.0 255.255.255.0hostname(config)#The following example shows how to provide management access to the outside interface of the ASA 5505 without using IPSec:
hostname(config)# vpnclient management clearhostname(config)#vpnclient mode
To configure the Easy VPN Remote connection for either client mode or network extension mode, use the vpnclient mode command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient mode {client-mode | network-extension-mode}
no vpnclient mode
Syntax Description
client-mode
Configures the Easy VPN Remote connection to use client mode (PAT).
network-extension-mode
Configures the Easy VPN Remote connection to use network extension mode (NEM).
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA 5505 running as an Easy VPN Client (also called "Easy VPN Remote). The Easy VPN Client supports one of two modes of operation: client mode or NEM. The mode of operation determines whether the inside hosts, relative to the Easy VPN Client, are accessible from the Enterprise network over the tunnel. Specifying a mode of operation is mandatory before making a connection because Easy VPN Client does not have a default mode.
•
•
Note
Examples
The following example shows how to configure an Easy VPN Remote connection for client mode:
hostname(config)#vpnclient mode client-modehostname(config)#The following example shows how to configure an Easy VPN Remote connection for NEM:
hostname(config)#vpnclient mode network-extension-modehostname(config)#vpnclient nem-st-autoconnect
To configure the Easy VPN Remote connection to automatically initiate IPSec data tunnels when NEM and split tunneling are configured, use the vpnclient nem-st-autoconnect command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient nem-st-autoconnect
no vpnclient nem-st-autoconnect
Syntax Description
This command has no keywords or arguments.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA 5505 running as an Easy VPN Client (also called "Easy VPN Remote").
Before entering the vpnclient nem-st-autoconnect command, ensure that network extension mode is enabled for the hardware client. Network extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPSec encapsulates all traffic from the private network behind the hardware client to networks behind the ASA. PAT does not apply. Therefore, devices behind the ASA have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel. After the tunnel is up, either side can initiate data exchange.
Note
IPSec data tunnels are automatically initiated and sustained when in network extension mode, except when split-tunneling is configured.
Examples
The following example shows how to configure an Easy VPN Remote connection to automatically connect in network extension mode with split-tunneling configured. Network extension mode is enabled for the group policy FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)# nem enablehostname(config)#vpnclient nem-st-autoconnecthostname(config)#Related Commands
vpnclient server-certificate
To configure the Easy VPN Remote connection to accept only connections to Easy VPN servers with the specific certificates specified by the certificate map, use the vpnclient server-certificate command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient server-certificate certmap_name
no vpnclient server-certificate
Syntax Description
certmap_name
Specifies the name of a certificate map that specifies the acceptable Easy VPN server certificate. The maximum length is 64 characters.
Defaults
Easy VPN server certificate filtering is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA model 5505.
Use this command to enable Easy VPN server certificate filtering. You define the certificate map itself using the crypto ca certificate map and crypto ca certificate chain commands.
Examples
The following example shows how to configure an Easy VPN Remote connection to support only connections to Easy VPN servers with the certificate map name homeservers:
hostname(config)#vpnclient server-certificate homeservershostname(config)#Related Commands
certificate
Adds the indicated certificate.
vpnclient trustpoint
Configures the RSA identity certificate to be used by the Easy VPN Remote connection.
vpnclient server
To configure the primary and secondary IPSec servers, for the Easy VPN Remote connection, use the vpnclient server command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient server ip_primary_address [ip_secondary_address_1 ... ipsecondary_address_10]
no vpnclient server
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA model 5505.
A server must be configured before a connection can be established. The vpnclient server command supports IPv4 addresses, the names database, or DNS names and resolves addresses in that order.
You can use either the IP address or the hostname of a server.
Examples
The following example associates the name headend-1 with the address 10.10.10.10 and uses the vpnclient server command to specify three servers: headend-dns.domain.com (primary), headend-1 (secondary), and 192.168.10.10 (secondary):
hostname(config)#nameshostname(config)# 10.10.10.10 headend-1hostname(config)# vpnclient server headend-dns.domain.com headend-1 192.168.10.10hostname(config)#The following example shows how to configure a VPN client primary IPSec server with the IP address 10.10.10.15 and secondary servers with the IP addresses 10.10.10.30 and 192.168.10.45.
hostname(config)#vpnclient server 10.10.10.15 10.10.10.30 192.168.10.10hostname(config)#vpnclient trustpoint
To configure the RSA identity certificate to be used by the Easy VPN Remote connection, use the vpnclient trustpoint command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient trustpoint trustpoint_name [chain]
no vpnclient trustpoint
Syntax Description
chain
Sends the entire certificate chain.
trustpoint_name
Specifies the name of a trustpoint identifying the RSA certificate to use for authentication.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA model 5505 and only when using digital certificates.
Define the trustpoint using the crypto ca trustpoint command. A trustpoint represents a CA identity and possibly a device identity, based on a certificate issued by the CA. The commands within the trustpoint sub mode control CA-specific configuration parameters which specify how the ASA obtains the CA certificate, how the ASA obtains its certificate from the CA, and the authentication policies for user certificates issued by the CA.
Examples
The following example shows how to configure an Easy VPN Remote connection to use the specific identity certificate named central and to send the entire certificate chain:
hostname(config)# crypto ca trustpoint centralhostname(config)#vpnclient trustpoint central chainhostname(config)#Related Commands
crypto ca trustpoint
Enters the trustpoint submode for the specified trustpoint and manages trustpoint information.
vpnclient username
To configure the VPN username and password for the Easy VPN Remote connection, use the vpnclient username command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient username xauth_username password xauth password
no vpnclient username
Syntax Description
xauth_password
Specifies the password to use for XAUTH. The maximum length is 64 characters.
xauth_username
Specifies the username to use for XAUTH. The maximum length is 64 characters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA model 5505.
The XAUTH username and password parameters are used when secure unit authentication is disabled and the server requests XAUTH credentials. If secure unit authentication is enabled, these parameters are ignored, and the ASA prompts the user for a username and password.
Examples
The following example shows how to configure the Easy VPN Remote connection to use the XAUTH username testuser and the password ppurkm1:
hostname(config)#vpnclient username testuser password ppurkm1hostname(config)#vpnclient vpngroup
To configure the VPN tunnel group name and password for the Easy VPN Remote connection, use the vpnclient vpngroup command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient vpngroup group_name password preshared_key
no vpnclient vpngroup
Syntax Description
Defaults
If the configuration of the ASA 5505 running as an Easy VPN client does not specify a tunnel group, the client attempts to use an RSA certificate.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA 5505 running as an Easy VPN client (also called "Easy VPN Remote").
Use the pre-shared key as the password. You must configure a server before establishing a connection.
Examples
The following example shows how to configure an Easy VPN Remote connectionwith a VPN tunnel group with the group name TestGroup1 and the password my_key123.
hostname(config)#vpnclient vpngroup TestGroup1 password my_key123hostname(config)#Related Commands
vpnclient trustpoint
Configures the RSA identity certificate to be used by the Easy VPN connection.
vpnsetup
To display a list of steps for configuring VPN connections on the ASA, use the vpnsetup command from global configuration mode.
vpnsetup {ipsec-remote-access | l2tp-remote-access | site-to-site | ssl-remote-access} steps
Syntax Description
Defaults
This command has no default settings
Command Modes
The following table shows the modes in which you can enter the command:
global configuration
•
—
•
—
—
Command History
Examples
The following example shows the output of the vpnsetup ssl-remote-access steps command:
hostname(config-t)# vpnsetup ssl-remote-access stepsSteps to configure a remote access SSL VPN remote access connection and AnyConnect with examples:1. Configure and enable interfaceinterface GigabitEthernet0/0ip address 10.10.4.200 255.255.255.0nameif outsideno shutdowninterface GigabitEthernet0/1ip address 192.168.0.20 255.255.255.0nameif insideno shutdown2. Enable WebVPN on the interfacewebvpnenable outside3. Configure default routeroute outside 0.0.0.0 0.0.0.0 10.10.4.2004. Configure AAA authentication and tunnel grouptunnel-group DefaultWEBVPNGroup type remote-accesstunnel-group DefaultWEBVPNGroup general-attributesauthentication-server-group LOCAL5. If using LOCAL database, add users to the Databaseusername test password t3stP@ssw0rdusername test attributesservice-type remote-accessProceed to configure AnyConnect VPN client:6. Point the ASA to an AnyConnect imagewebvpnsvc image anyconnect-win-2.1.0148-k9.pkg7. enable AnyConnectsvc enable8. Add an address pool to assign an ip address to the AnyConnect clientip local pool client-pool 192.168.1.1-192.168.1.254 mask 255.255.255.09. Configure group policygroup-policy DfltGrpPolicy internalgroup-policy DfltGrpPolicy attributesvpn-tunnel-protocol svc webvpnhostname(config-t)#Related Commands
wccp
To allocate space and to enable support of the specified Web Cache Communication Protocol (WCCP) service for participation in a service group, use the wccp command in global configuration mode. To disable the service group and deallocate space, use the no form of this command.
wccp {web-cache | service-number} [redirect-list access-list] [group-list access-list] [password password]
no wccp {web-cache | service-number} [redirect-list access-list] [group-list access-list] [password password [0 | 7]]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example shows how to enable WCCP for participation in a service group:
hostname(config)# wccp web-cache redirect-list jeeves group-list wooster password whathoRelated Commands
show wccp
Displays the WCCP configuration.
wccp redirect
Enables support of WCCP redirection.
wccp redirect
To enable packet redirection on the ingress of an interface using Web Cache Communication Protocol (WCCP), use the wccp redirect command. To disable WCCP redirection, use the no form of this command.
wccp interface interface_name service redirect in
no wccp interface interface_name service redirect in
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example shows how to enable WCCP redirection on the inside interface for the web-cache service:
hostname(config)# wccp interface inside web-cache redirect inRelated Commands
show wccp
Displays the WCCP configuration.
wccp
Enables support of WCCP with service groups.
web-agent-url
To specify the SSO server URL to which the ASA makes SiteMinder-type SSO authentication requests, use the web-agent-url command in config-webvpn-sso-siteminder mode.
To remove an SSO server authentication URL, use the no form of this command.
web-agent-url url
no web-agent-url url
Note
Syntax Description
Syntax DescriptionSyntax Description
url
Specifies the authentication URL of the SiteMinder-type SSO server. Must contain http:// or https://.
Defaults
By default, an authentication URL is not configured.
Command Modes
The following table shows the modes in which you can enter the command:
config-webvpn-sso-siteminder
•
—
•
—
—
Command History
Usage Guidelines
Single-sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The SSO server has a URL that handles authentication requests.
This command applies only to the SiteMinder type of SSO server.
Use the web-agent-url command to configure the ASA to send authentications to this URL. Before configuring the authentication URL, you must create the SSO server using the sso-server command.
For https communication between the security appliance and SSO-server, make sure that the SSL encryption settings match on both sides. On the security appliance, verify this with the ssl encryption command.
Examples
The following example, entered in config-webvpn-sso-siteminder mode, specifies an authentication URL of http://www.example.com/webvpn:
hostname(config-webvpn)# sso-server example type siteminderhostname(config-webvpn-sso-siteminder)# web-agent-url http://www.example.com/webvpnhostname(config-webvpn-sso-siteminder)#Related Commands
web-applications
To customize the Web Application box of the WebVPN Home page that is displayed to authenticated WebVPN users, use the web-applications command from webvpn customization mode:
web-applications {title | message | dropdown} {text | style} value
[no] web-applications {title | message | dropdown} {text | style} value
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
Defaults
The default title text is "Web Application".
The default title style is background-color:#99CCCC;color:black;font-weight:bold;text-transform:
uppercaseThe default message text is "Enter Web Address (URL)".
The default message style is background-color:#99CCCC;color:maroon;font-size:smaller.
The default dropdown text is "Web Bookmarks".
The default dropdown style is border:1px solid black;font-weight:bold;color:black;font-size:80%.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn customization
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
The following example changes the title to "Applications", and the color of the text to blue:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# web-applications title text ApplicationsF1-asa1(config-webvpn-custom)# web-applications title style color:blueRelated Commands
web-bookmarks
To customize the Web Bookmarks title or links on the WebVPN Home page that is displayed to authenticated WebVPN users, use the web-bookmarks command from webvpn customization mode:
web-bookmarks {link {style value} | title {style value | text value}}
[no] web-bookmarks {link {style value} | title {style value | text value}}
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
Defaults
The default link style is color:#669999;border-bottom: 1px solid #669999;text-decoration:none.
The default title style is color:#669999;background-color:#99CCCC;font-weight:bold.
The default title text is "Web Bookmarks".
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn customization
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
The following example customizes the Web Bookmarks title to "Corporate Web Bookmarks":
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# web-bookmarks title text Corporate Web BookmarksRelated Commands
webvpn
To enter webvpn mode, in global configuration mode, enter the webvpn command. To remove any commands entered with this command, use the no webvpn command. These webvpn commands apply to all WebVPN users.
These webvpn commands let you configure AAA servers, default group policies, default idle timeout, http and https proxies, and NBNS servers for WebVPN, as well as the appearance of WebVPN screens that end users see.
webvpn
no webvpn
Syntax Description
This command has no arguments or keywords.
Defaults
WebVPN is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This WebVPN mode lets you configure global settings for WebVPN. WebVPN mode, which you enter from either group-policy mode or username mode, lets you customize a WebVPN configuration for specific users or group policies. The ASA clientless SSL VPN configuration supports only one http-proxy and one https-proxy when configuring servers.
Examples
The following example shows how to enter WebVPN command mode:
hostname(config)#webvpnhostname(config-webvpn)#webvpn (group-policy and username modes)
To enter this webvpn mode, use the webvpn command in group-policy configuration mode or in username configuration mode. To remove all commands entered in webvpn mode, use the no form of this command. These webvpn commands apply to the username or group policy from which you configure them.
Webvpn commands for group policies and usernames define access to files, MAPI proxy, URLs and TCP applications over WebVPN. They also identify ACLs and types of traffic to filter.
webvpn
no webvpn
Syntax Description
This command has no arguments or keywords.
Defaults
WebVPN is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Username
•
—
•
—
—
Command History
Usage Guidelines
Webvpn mode, which you enter from global configuration mode, lets you configure global settings for WebVPN. The webvpn command in group-policy attributes configuration mode or username attributes configuration mode applies the settings specified in the webvpn command to the group or user specified in the parent command. In other words, webvpn mode, described in this section, and which you enter from group-policy or username mode, lets you customize a WebVPN configuration for specific users or group policies.
The webvpn attributes that you apply for a specific group policy in group-policy attributes mode override those specified in the default group policy. The WebVPN attributes that you apply for a specific user in username attributes mode override both those in the default group policy and those in the group policy to which that user belongs. Essentially, these commands let you tweak the settings that would otherwise be inherited from the default group or the specified group policy. For information about the WebVPN settings, see the description of the webvpn command in global configuration mode.
The following table lists the attributes you can configure in webvpn group-policy attributes and username attributes mode. See the individual command descriptions for details.
Examples
The following example shows how to enter webvpn mode for the group policy named "FirstGroup":
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#webvpnhostname(config-webvpn)#The following example shows how to enter webvpn mode for the username named "test":
hostname(config)#group-policy test attributeshostname(config-username)#webvpnhostname(config-webvpn)#Related Commands
who
To display active Telnet administration sessions on the ASA, use the who command in privileged EXEC mode.
who [local_ip]
Syntax Description
local_ip
(Optional) Specifies to limit the listing to one internal IP address or network address, either IPv4 or IPv6.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The who command allows you to display the TTY_ID and IP address of each Telnet client that is currently logged into the ASA.
Examples
This example shows the output of the who command when a client is logged into the ASA through a Telnet session:
hostname# who0: 100.0.0.2hostname# who 100.0.0.20: 100.0.0.2hostname#Related Commands
kill
Terminate a Telnet session.
telnet
Adds Telnet access to the ASA console and sets the idle timeout.
window-variation
To drop a connection with a window size variation, use the window-variation command in tcp-map configuration mode. To remove this specification, use the no form of this command.
window variation {allow-connection | drop-connection}
no window variation {allow-connection | drop-connection}
Syntax Description
Defaults
The default action is to allow the connection.
Command Modes
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.
Use the tcp-map command to enter tcp-map configuration mode. Use the window-variation command in tcp-map configuration mode to drop all connections with a window size that has been shrunk.
The window size mechanism allows TCP to advertise a large window and to subsequently advertise a much smaller window without having accepted too much data. From the TCP specification, "shrinking the window" is strongly discouraged. When this condition is detected, the connection can be dropped.
Examples
The following example shows how to drop all connections with a varied window size:
hostname(config)# access-list TCP extended permit tcp any anyhostname(config)# tcp-map tmaphostname(config-tcp-map)# window-variation drop-connectionhostname(config)# class-map cmaphostname(config-cmap)# match access-list TCPhostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalRelated Commands
wins-server
To set the IP address of the primary and secondary WINS servers, use the wins-server command in group-policy configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a WINS server from another group policy. To prevent inheriting a server, use the wins-server none command.
wins-server value {ip_address} [ip_address] | none
no wins-server
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Command History
Usage Guidelines
Every time you issue the wins-server command you overwrite the existing setting. For example, if you configure WINS server x.x.x.x and then configure WINS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole WINS server. The same holds true for multiple servers. To add a WINS server rather than overwrite previously configured servers, include the IP addresses of all WINS servers when you enter this command.
Examples
The following example shows how to configure WINS servers with the IP addresses 10.10.10.15, 10.10.10.30, and 10.10.10.45 for the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#wins-server value 10.10.10.15 10.10.10.30 10.10.10.45without-csd
To exempt certain users from running Cisco Secure Desktop on a per connection profile basis if they enter one of the entries in the group-urls table to establish the VPN session, use the without-csd command in tunnel webvpn configuration mode. To remove this command from the configuration, use the no form of the command.
hostname(config-tunnel-webvpn)# without-csdhostname(config-tunnel-webvpn)#Syntax Description
This command has no arguments or keywords.
Defaults
No default values. If the configuration of this ASA contains a csd enable command, the default behavior is to run Cisco Secure Desktop on each endpoint.
Command Modes
The following table shows the modes in which you can enter the command:
tunnel webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
This command prevents Cisco Secure Desktop from running on the endpoint if the user enters a URL in the url-group list configured on this connection profile (called a tunnel group in the CLI). Entering this command prevents the detection of endpoint conditions for these sessions, so you may need to adjust the dynamic access policy (DAP) configuration.
Examples
The first command in the following example creates a group-url in which "example.com" is the domain of the security appliance and "no-csd" is the unique portion of the URL. When the user enters this URL, the ASA assigns this connection profile to the session. The group-url command is required for the without-csd command to have an effect. The without-csd command exempts the user from running Cisco Secure Desktop.
hostname(config-tunnel-webvpn)# group-url https://example.com/no-csd enablehostname(config-tunnel-webvpn)# without-csdhostname(config-tunnel-webvpn)#Related Commands
write erase
To erase the startup configuration, use the write erase command in privileged EXEC mode. The running configuration remains intact.
write erase
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
This command is not supported within a security context. Context startup configurations are identified by the config-url command in the system configuration. If you want to delete a context configuration, you can remove the file manually from the remote server (if specified) or clear the file from Flash memory using the delete command in the system execution space.
Examples
The following example erases the startup configuration:
hostname# write eraseErase configuration in flash memory? [confirm] yRelated Commands
write memory
To save the running configuration to the startup configuration, use the write memory command in privileged EXEC mode.
write memory [all [/noconfirm]]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The running configuration is the configuration currently running in memory, including any changes you made at the command line. Changes are only preserved between reboots if you save them to the startup configuration, which is the configuration loaded into running memory at startup. The location of the startup configuration for single context mode and for the system in multiple context mode can be changed from the default location (a hidden file) to a location of your choosing using the boot config command. For multiple context mode, a context startup configuration is at the location specified by the config-url command in the system configuration.
In multiple context mode, you can enter the write memory command in each context to save the current context configuration. To save all context configurations, enter the write memory all command in the system execution space. Context startup configurations can reside on external servers. In this case, the ASA saves the configuration back to the server specified by the config-url command, except for HTTP and HTTPS URLs, which do not allow you to save the configuration back to the server. After the ASA saves each context with the write memory all command, the following message appears:
`Saving context `b' ... ( 1/3 contexts saved ) 'Sometimes, a context is not saved because of an error. See the following information for errors:
•
The context 'context a' could not be saved due to Unavailability of resources•
The context 'context a' could not be saved due to non-reachability of destination•
Unable to save the configuration for the following contexts as these contexts are locked.context `a' , context `x' , context `z' .A context is only locked if another user is already saving the configuration or in the process of deleting the context.
•
Unable to save the configuration for the following contexts as these contexts have read-only config-urls:context `a' , context `b' , context `c' .•
The context 'context a' could not be saved due to Unknown errorsBecause the system uses the admin context interfaces to access context startup configurations, the write memory command also uses the admin context interfaces. The write net command, however, uses the context interfaces to write a configuration to a TFTP server.
The write memory command is equivalent to the copy running-config startup-config command.
Examples
The following example saves the running configuration to the startup configuration:
hostname# write memoryBuilding configuration...Cryptochecksum: e43e0621 9772bebe b685e74f 748e445419319 bytes copied in 3.570 secs (6439 bytes/sec)[OK]hostname#Related Commands
write net
To save the running configuration to a TFTP server, use the write net command in privileged EXEC mode.
write net [server:[filename] | :filename]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The running configuration is the configuration currently running in memory, including any changes you made at the command line.
In multiple context mode, this command saves only the current configuration; you cannot save all contexts with a single command. You must enter this command separately for the system and for each context. The write net command uses the context interfaces to write a configuration to a TFTP server. The write memory command, however, uses the admin context interfaces to save to the startup configuration because the system uses the admin context interfaces to access context startup configurations.
The write net command is equivalent to the copy running-config tftp command.
Examples
The following example sets the TFTP server and filename in the tftp-server command:
hostname# tftp-server inside 10.1.1.1 /configs/contextbackup.cfghostname# write netThe following example sets the server and filename in the write net command. The tftp-server command is not populated.
hostname# write net 10.1.1.1:/configs/contextbackup.cfgThe following example sets the server and filename in the write net command. The tftp-server command supplies the directory name, and the server address is overridden.
hostname# tftp-server 10.1.1.1 configshostname# write net 10.1.2.1:context.cfgRelated Commands
write standby
To copy the ASA or context running configuration to the failover standby unit, use the write standby command in privileged EXEC mode.
write standby
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
You should only use this command if the configuration standby unit or failover group becomes out-of-sync with the configuration of the active unit or failover group. This typically happens when commands are entered on the standby unit or failover group.
For Active/Standby failover, the write standby command writes the configuration stored in the RAM of the active failover unit to the RAM on the standby unit. Use the write standby command if the primary and secondary unit configurations have different information. Enter this command on the active unit.
For Active/Active failover, the write standby command behaves as follows:
•
•
Note
Note
When Stateful Failover is enabled, the write standby command also replicates state information to the standby unit after the configuration replication is complete.
Examples
The following example writes the current running configuration to the standby unit:
hostname# write standbyBuilding configuration...[OK]hostname#Related Commands
write terminal
To show the running configuration on the terminal, use the write terminal command in privileged EXEC mode.
write terminal
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
This command is equivalent to the show running-config command.
Examples
The following example writes the running configuration to the terminal:
hostname# write terminal: Saved:ASA Version 7.0(0)61multicast-routingnamesname 10.10.4.200 outside!interface GigabitEthernet0/0nameif insidesecurity-level 100ip address 10.86.194.60 255.255.254.0webvpn enable...Related Commands
zonelabs-integrity fail-close
To configure the ASA so that connections to VPN clients close when the connection between the ASA and the Zone Labs Integrity Firewall Server fails, use the zonelabs-integrity fail-close command in global configuration mode.To reinstate the default whereby the VPN connections remain open on failure of the Zone Labs connection, use the no form of this command.
zonelabs-integrity fail-close
no zonelabs-integrity fail-close
Syntax DescriptionDescription
This command has no arguments or keywords.
Defaults
By default, the conncection remains open on failure.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
If the primary Zone Labs Integrity Firewall Server does not respond to the ASA, the ASA still establishes VPN client connections to the private network by default. It also maintains open, existing connections. This ensures that the enterprise VPN is not distrupted by the failure of a firewall server. If, however, you do not want the VPN connections to remain operational if the Zone Labs Integrity Firewall Server fails, use the zonelabs-integrity fail-close command.
To return to the default condition whereby the ASA maintains client VPN connections if the connection to the Zone Labs Integrity Firewall Server fails, use the zonelabs-integrity fail-open command.
Examples
The following example configures the ASA to close the VPN client connections if the Zone Labs Integrity Firewall Server fails to respond or if the connection is interrupted:
hostname(config)# zonelabs-integrity fail-closehostname(config)#Related Commands
zonelabs-integrity fail-open
To keep remote VPN client connections to the ASA open after the connection between the ASA and the Zone Labs Integrity Firewall Server fails, use the zonelabs-integrity fail-open command in global configuration mode. To close connections to VPN clients upon failure of the Zone Labs server connection, use the no form of this command.
zonelabs-integrity fail-open
no zonelabs-integrity fail-open
Syntax Description
This command has no arguments or keywords.
Defaults
By default, remote VPN connections remain open if the ASA does not establish or maintain a connection to the Zone Labs Integrity Firewall Server.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
If the primary Zone Labs Integrity Firewall Server does not respond to the ASA, the ASA still establishes VPN client connections to the private network by default. It also maintains existing open connections. This ensures that the enterprise VPN is not disrupted by the failure of a firewall server. If, however, you do not want the VPN connections to remain operational if the Zone Labs Integrity Firewall Server fails, use the zonelabs-integrity fail-close command. To then return to the default condition whereby the ASA maintains client VPN connections if the connection to the Zone Labs Integrity Firewall Server fails, use the zonelabs-integrity fail-open command or the no zonelabs-integrity fail-open command.
Examples
The following example reinstates the default condition whereby the VPN client connections remain open if the connection to the Zone Labs Integrity Firewall Server fails:
hostname(config)# zonelabs-integrity fail-openhostname(config)#Related Commands
zonelabs-integrity fail-timeout
To specify the time in seconds before the ASA declares a nonresponsive Zone Labs Integrity Firewall Server unreachable, use the zonelabs-integrity fail-timeout command in global configuration mode. To restore the default timeout of 10 seconds, use the no form of this command without an argument.
zonelabs-integrity fail-timeout timeout
no zonelabs-integrity fail-timeout
Syntax Description
timeout
The number of seconds before the ASA declares a nonresponsive Zone Labs Integrity Firewall Servers unreachable. The acceptable range is from 5 to 20 seconds.
Defaults
The default timeout value is 10 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
If the ASA waits for the specified number of seconds without a response from the Zone Labs server, the server is declared nonresponsive. Connections to VPN clients either remain open by default or if configured to do so with the zonelabs-integrity fail-open command. If, however, the zonelabs-integrity fail-close command has been issued, the connections will close when the ASA declares the Integrity server unresponsive.
Examples
The following example configures the ASA to declare the active Zone Labs Intergity Server to be unreachable after 12 seconds:
hostname(config)# zonelabs-integrity fail-timeout 12hostname(config)#Related Commands
zonelabs-integrity interface
To specify a ASA interface for communication with the Zone Labs Integrity Server, use the zonelabs-integrity interface command in global configuration mode. To reset the Zone Labs Integrity Firewall Server interface back to the default of none, use the no form of this command.
zonelabs-integrity interface interface
no zonelabs-integrity interface
Syntax Description
interface
Specifies the ASA interface on which the Zone Labs Integrity Firewall Server communicates. It is often an interface name created with the nameif command.
Defaults
By default, the Zone Labs Integrity Firewall Server interface is set to none.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example configures three Zone Labs Intergity Servers using IP addresses ranging from 10.0.0.5 to 10.0.0.7. The commands also configure the ASA to listen to the server on port 300 and on an interface called inside:
hostname(config)# zonelabs-integrity server-address 10.0.0.5 10.0.0.6 10.0.0.7hostname(config)# zonelabs-integrity port 300hostname(config)# zonelabs-integrity interface insidehostname(config)#Related Commands
zonelabs-integrity port
To specify a port on the ASA for communicating with a Zone Labs Integrity Firewall Server, use the zonelabs-integrity port command in global configuration mode. To revert to the default port of 5054 for the Zone Labs Integrity Firewall Server, use the no form of this command.
zonelabs-integrity port port_number
no zonelabs-integrity port port_number
Syntax Description
port
Specifies a Zone Labs Integrity Firewall Server port on the ASA.
port_number
The number of the Zone Labs Integrity Firewall Server port. It can range from 10 to 10000.
Defaults
The default Zone Labs Integrity Firewall Server port is 5054.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The ASA listens to the Zone Labs Integrity Firewall Server on the port and interface configured with the zonelabs-integrity port and zonelabs-integrity interface commands respectively.
Note
Examples
The following example configures a Zone Labs Integrity Servers using the IP address 10.0.0.5. The commands also configure the ASA to listen to the active Zone Labs server on port 300 instead of the default 5054 port:
hostname(config)# zonelabs-integrity server-address 10.0.0.5hostname(config)# zonelabs-integrity port 300hostname(config)#Related Commands
zonelabs-integrity server-address
To add Zone Labs Integrity Firewall Servers to the ASA configuration, use the zonelabs-integrity server-address command in global configuration mode. Specify the Zone Labs server by either IP address or hostname.
To remove Zone Labs Integrity Firewall Servers from the running configuration, use the no form of this command without arguments.
zonelabs-integrity server-address {hostname1 | ip-address1}
no zonelabs-integrity server-address
Note
Syntax Description
Command Default
By default, no Zone Labs Integrity Firewall Servers are configured.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
With this release, you can configure one Zone Labs Integrity Firewall Server. If that server fails, configure another Integrity Server first and then reestablish the client VPN session.
To specify a server by hostname, you must first configure the Zone Labs server name using the name command. Before using the name command, use the names command to enable it.
Note
Examples
The following example assigns the server name ZL-Integrity-Svr to the IP address 10.0.0.5 and configures a Zone Labs Intergity Server using that name:
hostname(config)# nameshostname(config)# name 10.0.0.5 ZL-Integrity-Svrhostname(config)# zonelabs-integrity server-address ZL-Integrity-Svrhostname(config)#Related Commands
zonelabs-integrity ssl-certificate-port
To specify a ASA port to which the Zone Labs Integrity Firewall Server will connect when retrieving an SSL certificate, use the zonelabs-integrity ssl-certificate-port command in global configuration mode. To revert to the default port number (80), use the no form of this command without an argument.
zonelabs-integrity ssl-certificate-port cert-port-number
no zonelabs-integrity ssl-certificate-port
Syntax Description
cert-port-number
Specifies a port number on which the ASA expects the Zone Labs Integrity Firewall Server to connect when requesting an SSL certificate.
Defaults
By default, the ASA expects the Zone Labs Integrity Firewall Server to request an SSL certificate on port 80.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
For SSL communications between the ASA and the Zone Labs Integrity Firewall Server, the ASA is the SSL server and the Zone Labs server is the SSL client. When initiating an SSL connection, the certificate of the SSL server (ASA) must be authenticated by the client (Zone Labs server). The zonelabs-integrity ssl-certificate-port command specifies the port to which the Zone Labs server connects when requesting the SSL server certificate.
Examples
The following example configures port 30 on the ASA to receive SSL certificate requests from the Zone Labs Integrity Server:
hostname(config)# zonelabs-integrity ssl-certificate-port 30hostname(config)#Related Commands
zonelabs-integrity ssl-client-authentication
To enable authentication of the Zone Labs Integrity Firewall Server SSL certificate by the ASA, use the zonelabs-integrity ssl-client-authentication command in global configuration mode with the enable argument. To disable authentication of the Zone Labs SSL certificate, use the disable argument or use the no form of this command without an argument.
zonelabs-integrity ssl-client-authentication {enable | disable}
no zonelabs-integrity ssl-client-authentication
Syntax Description
enable
Specifies that the ASA authenticates the SSL certificate of the Zone Labs Integrity Firewall Server.
disable
Specifies the IP address of the Zone Labs Integrity Firewall Server.
Defaults
By default, ASA authentication of the Zone Labs Integrity Firewall Server SSL certificate is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
For SSL communications between the ASA and the Zone Labs Integrity Firewall Server, the ASA is the SSL server and the Zone Labs server is the SSL client. When initiating an SSL connection, the certificate of the SSL server (ASA) must be authenticated by the client (Zone Labs server). Authentication of the client certificate is optional, however. You use the zonelabs-integrity ssl-client-authentication command to enable or disable ASA authentication of the Zone Lab server (SSL client) certificate.
Examples
The following example configures the ASA to authenticate the SSL certificate of the Zone Labs Integrity Server:
hostname(config)# zonelabs-integrity ssl-client-authentication enablehostname(config)#Related Commands
