Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.1
upgrade-mp through write terminal


upgrade-mp through write terminal Commands


upgrade-mp

To upgrade the maintenance partition software, use the upgrade-mp command.

upgrade-mp {http[s]://[user:password@]server[:port]/pathname | tftp[://server/pathname]}

Syntax Description

tftp

Specifies a TFTP server. If you do not specify the server and path, you are prompted for the information. See the tftp-server command to configure a default TFTP server.

http[s]

Specifies an HTTP(S) server.

server

Specifies the HTTP(S) or TFTP server IP address.

pathname

Specifies the pathname and filename of the software image.

user

(Optional) Specifies the HTTP(S) username.

password

(Optional) Specifies the user password.

port

(Optional) Specifies the HTTP(S) port.


Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged mode


Command History

Release
Modification

1.1(1)

This command was introduced.


Examples

The following example shows how to download an image from a TFTP server:

hostname# upgrade-mp tftp://10.192.1.1/c6svc-mp.2-1-1.bin.gz

Related Commands

Command
Description

copy

Copies a file to Flash memory.


url

To maintain the list of static URLs for retrieving CRLs, use the url command in crl configure configuration mode. The crl configure configuration mode is accessible from the crypto ca trustpoint configuration mode. To delete an existing URL, use the no form of this command.

url index url

no url index url

Syntax Description

index

Specifies a value from 1 to 5 that determines the rank of each URL in the list. The FWSM tries the URL at index 1 first.

url

Specifies the URL from which to retrieve the CRL.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CRL configure configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

You cannot overwrite existing URLs. To replace an existing URL, first delete it using the no form of this command.

Examples

The following example enters crl configure configuration mode, and sets up an index 3 for creating and maintaining a list of URLs for CRL retrieval and configures the URL https://example.com from which to retrieve CRLs:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# url 3 https://example.com
hostname(ca-crl)# 

Related Commands

Command
Description

crl configure

Enters ca-crl configuration mode.

crypto ca trustpoint

Enters trustpoint configuration mode.

policy

Specifies the source for retrieving CRLs.


url-block

To manage the URL buffers used for web server responses while waiting for a filtering decision from the filtering server, use the url-block command in global configuration mode. To remove the configuration, use the no form of this command.

url-block block block_buffer_limit

no url-block block block_buffer_limit

Websense only:

url-block url-mempool memory_pool_size

no url-block url-mempool memory_pool_size

Syntax Description

block block_buffer_limit

Creates an HTTP response buffer to store web server responses while waiting for a filtering decision from the filtering server. In single context mode, the permitted values are from 0 to 128, which specifies the number of 1550-byte blocks. In multiple context mode, the permitted values are from 0 to 16.

url-mempool memory_pool_size

For Websense URL filtering only. The size of the URL buffer memory pool in kilobytes (KB). In single context mode, the permitted values are from 2 to 10240, which specifies a URL buffer memory pool from 2 KB to 10240 KB. In multiple context mode, the permitted values are from 0 to 512.

url-size long_url_size

For Websense URL filtering only. The maximum allowed URL size in KB. The permitted values are 2, 3, or 4, which specifies a maximum URL size of 2 KB, 3 KB, or 4 KB.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

For Websense filtering servers, the url-block url-size command allows filtering of long URLs, up to 4 KB. For both Websense and N2H2 filtering servers, the url-block block command causes the FWSM to buffer packets received from a web server in response to a web client request while waiting for a response from the URL filtering server. This improves performance for the web client compared to the default FWSM behavior, which is to drop the packets and to require the web server to retransmit the packets if the connection is permitted.

If you use the url-block block command and the filtering server permits the connection, the FWSM sends the blocks to the web client from the HTTP response buffer and removes the blocks from the buffer. If the filtering server denies the connection, the FWSM sends a deny message to the web client and removes the blocks from the HTTP response buffer.

Use the url-block block command to specify the number of blocks to use for buffering web server responses while waiting for a filtering decision from the filtering server.

Use the url-block url-size command with the url-block url-mempool command to specify the maximum length of a URL to be filtered by a Websense filtering server and the maximum memory to assign to the URL buffer. Use these commands to pass URLs longer than 1159 bytes, up to a maximum of 4096 bytes, to the Websense server. The url-block url-size command stores URLs longer than 1159 bytes in a buffer and then passes the URL to the Websense server (through a TCP packet stream) so that the Websense server can grant or deny access to that URL.

Examples

The following example assigns 56 1550-byte blocks for buffering responses from the URL filtering server:

hostname(config)# url-block block 56

Related Commands

Commands
Description

clear url-block block statistics

Clears the block buffer usage counters.

filter url

Directs traffic to a URL filtering server.

show url-block

Displays information about the URL block, which is used for buffering URLs while waiting for responses from an N2H2 or Websense filtering server.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


url-cache

To enable URL caching while pending responses from an N2H2 or Websense server and to set the size of the cache, use the url-cache command in global configuration mode. To remove the configuration, use the no form of this command.

url-cache {dst | src_dst} kbytes[kb]

no url-cache {dst | src_dst} kbytes[kb]

Syntax Description

dst

Cache entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the N2H2 or Websense server.

kb

(Optional) Indicates that the size given is in kilobytes. FWSM accepts the kb keyword as a convenience in case you add it as a habit.

kbytes

Specifies a value for the cache size within the range 1 to 128 KB.

src_dst

Cache entries based on both the source address initiating the URL request and the URL destination address. Select this mode if users do not share the same URL filtering policy on the N2H2 or Websense server.

statistics

Use the statistics option to display additional URL cache statistics, including the number of cache lookups and hit rate.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The url-cache command provides a configuration option to buffer the response from a web server if its response is faster than that from the N2H2 or Websense filtering service server. This prevents the web server response from being loaded twice.

Use the url-cache command to enable URL caching, set the size of the cache, and display cache statistics.

Caching stores URL access privileges in memory on the FWSM. When a host requests a connection, the FWSM first looks in the URL cache for matching access privileges instead of forwarding the request to the N2H2 or Websense server. Disable caching with the no url-cache command.


Note: If you change settings on the N2H2 or Websense server, disable the cache with the no url-cache command and then reenable the cache with the url-cache command.


Using the URL cache does not update the Websense accounting logs for Websense protocol Version 1. If you are using Websense protocol Version 1, let Websense run to accumulate logs so that you can view the Websense accounting information. After you get a usage profile that meets your security needs, enable url-cache to increase throughput. Accounting logs are updated for Websense protocol Version 4 and for N2H2 URL filtering while using the url-cache command.

Examples

The following example caches all outbound HTTP connections based on the source and destination addresses:

hostname(config)# url-cache src_dst 128

Related Commands

Commands
Description

clear url-cache statistics

Removes url-cache command statements from the configuration.

filter url

Directs traffic to a URL filtering server.

show url-cache statistics

Displays information about the URL cache, which is used for buffering URLs while waiting for responses from an N2H2 or Websense filtering server.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


url-server

To identify an N2H2 or Websense server for use with the filter command, use the url-server command in global configuration mode. To remove the configuration, use the no form of this command.

N2H2

url-server (if_name) vendor n2h2 host local_ip [port number] [timeout seconds] [protocol {TCP | UDP [connections num_conns]}]

no url-server (if_name) vendor n2h2 host local_ip [port number] [timeout seconds] [protocol {TCP | UDP [connections num_conns]}]

Websense

url-server (if_name) vendor websense host local_ip [timeout seconds] [protocol {TCP | UDP [connections num_conns] | version]

no url-server (if_name) vendor websense host local_ip [timeout seconds] [protocol {TCP | UDP [connections num_conns] | version]

Syntax Description

N2H2

connections num_conns

Limits the maximum number of connections permitted.

host local_ip

The server that runs the URL filtering application.

if_name

(Optional) The network interface where the authentication server resides. If not specified, the default is inside.

port number

The N2H2 server port. The FWSM also listens for UDP replies on this port. The default port number is 4005.

protocol

The protocol can be configured using TCP or UDP keywords. The default is TCP.

timeout seconds

The maximum idle time permitted before the FWSM switches to the next server you specified. The default is 5 seconds.

vendor n2h2

Indicates URL filtering service vendor is N2H2.


Websense

connections num_conns

Limits the maximum number of connections permitted.

if_name

The network interface where the authentication server resides. If not specified, the default is inside.

host local_ip

The server that runs the URL filtering application.

timeout seconds

The maximum idle time permitted before the FWSM switches to the next server you specified. The default is 5 seconds.

protocol

The protocol can be configured using TCP or UDP keywords. The default is TCP protocol, Version 1.

vendor websense

Indicates URL filtering service vendor is Websense.

version

Specifies protocol Version 1 or 4. The default is TCP protocol Version 1. TCP can be configured using Version 1 or Version 4. UDP can be configured using Version 4 only.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The url-server command designates the server running the N2H2 or Websense URL filtering application. The limit is 16 URL servers; however, you can use only one application at a time, either N2H2 or Websense. Additionally, changing your configuration on the FWSM does not update the configuration on the application server; this must be done separately, according to the vendor instructions.

The url-server command must be configured before issuing the filter command for HTTPS and FTP. If all URL servers are removed from the server list, then all filter commands related to URL filtering are also removed.

Once you designate the server, enable the URL filtering service with the filter url command.

To filter URLs, perform the following steps:


Step 1 Designate the URL filtering application server with the appropriate form of the vendor-specific url-server command.

Step 2 Enable URL filtering with the filter command.

Step 3 (Optional) Use the url-cache command to enable URL caching to improve perceived response time.

Step 4 (Optional) Enable long URL and HTTP buffering support using the url-block command.

Step 5 Use the show url-block block statistics, show url-cache statistics, or the show url-server statistics commands to view run information.

For more information about Filtering by N2H2, visit the N2H2 website at:

http://www.n2h2.com


Note: The N2H2 corporation was acquired by Secure Computing in October, 2003.


For more information on Websense filtering services, visit the following website:

http://www.websense.com/


Examples

Using N2H2, the following example filters all outbound HTTP connections except those from the 10.0.2.54 host:

hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.1
hostname(config)# filter url http 0 0 0 0
hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0

Using Websense, the following example filters all outbound HTTP connections except those from the 10.0.2.54 host:

hostname(config)# url-server (perimeter) host 10.0.1.1 protocol TCP version 4
hostname(config)# filter url http 0 0 0 0
hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0
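
The limits stated in the url-block, url-cache, and url-server sections can be checked against a saved configuration before it is applied. The following Python linter is an added example, not Cisco code; the function name, finding codes, and sample configurations are constructed for illustration, and it assumes a url-server line without the vendor keyword is Websense, as in the Websense example above.

```python
import re

MAX_URL_SERVERS = 16  # "The limit is 16 URL servers"
SIZE_RE = re.compile(r"^(\d+)(?:kb)?$", re.IGNORECASE)  # url-cache accepts "128" or "128kb"


def lint_url_filtering(config_text, multiple_context=False):
    """Return (code, detail) findings for the URL-filtering lines of a config."""
    problems, vendors, websense_only = [], set(), []
    servers = filters = 0
    # Permitted ranges differ between single and multiple context mode.
    block_limits = {
        "block": (0, 16) if multiple_context else (0, 128),
        "url-mempool": (0, 512) if multiple_context else (2, 10240),
    }
    for raw in config_text.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "url-server":
            servers += 1
            low = [t.lower() for t in tok]
            # Assumption: no "vendor" keyword means Websense.
            vendor = low[low.index("vendor") + 1] if "vendor" in low[:-1] else "websense"
            vendors.add(vendor)
            # Websense default is protocol Version 1; UDP is valid with Version 4 only.
            version = low[low.index("version") + 1] if "version" in low[:-1] else "1"
            if vendor == "websense" and "udp" in low and version != "4":
                problems.append(("UDP_NEEDS_V4", line))
        elif tok[0] == "filter" and len(tok) > 1 and tok[1] in ("url", "https", "ftp"):
            filters += 1
        elif tok[0] == "url-block" and len(tok) == 3 and tok[2].isdigit():
            kind, value = tok[1], int(tok[2])
            if kind == "url-size" and value not in (2, 3, 4):
                problems.append(("URL_SIZE", line))
            elif kind in block_limits and not block_limits[kind][0] <= value <= block_limits[kind][1]:
                problems.append(("BLOCK_RANGE" if kind == "block" else "MEMPOOL_RANGE", line))
            if kind in ("url-mempool", "url-size"):
                websense_only.append(line)
        elif tok[0] == "url-cache" and len(tok) >= 3 and tok[1] in ("dst", "src_dst"):
            m = SIZE_RE.match(tok[2])
            if m is None or not 1 <= int(m.group(1)) <= 128:
                problems.append(("CACHE_RANGE", line))
    # Checks that need the whole configuration.
    if servers > MAX_URL_SERVERS:
        problems.append(("TOO_MANY_SERVERS", str(servers)))
    if len(vendors) > 1:
        problems.append(("MIXED_VENDORS", ",".join(sorted(vendors))))
    if filters and servers == 0:
        problems.append(("FILTER_WITHOUT_SERVER", "no url-server configured"))
    if "n2h2" in vendors:
        problems.extend(("WEBSENSE_ONLY", ln) for ln in websense_only)
    return problems


# Constructed sample configurations (addresses taken from the examples above).
GOOD_CONFIG = """\
url-server (perimeter) vendor websense host 10.0.1.1 protocol TCP version 4
filter url http 0 0 0 0
filter url except 10.0.2.54 255.255.255.255 0 0
url-cache src_dst 128
url-block block 56
url-block url-mempool 1500
url-block url-size 4
"""

BAD_CONFIG = """\
url-server (perimeter) vendor n2h2 host 10.0.1.1 port 4005 protocol UDP
url-server (perimeter) vendor websense host 10.0.1.2 protocol UDP
filter url http 0 0 0 0
url-cache dst 256
url-block block 200
url-block url-size 8
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label)
        for code, detail in lint_url_filtering(cfg):
            print("  %-22s %s" % (code, detail))
```

Pass multiple_context=True to apply the narrower multiple context mode ranges for url-block block and url-block url-mempool.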

Related Commands

Commands
Description

clear url-server

Clears the URL filtering server statistics.

filter url

Directs traffic to a URL filtering server.

show url-block

Displays information about the URL cache, which is used for buffering URLs while waiting for responses from an N2H2 or Websense filtering server.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


user-authentication

To enable user authentication, use the user-authentication enable command in group-policy configuration mode. To disable user authentication, use the user-authentication disable command. To remove the user authentication attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for user authentication from another group policy.

When enabled, user authentication requires that individual users behind a hardware client authenticate to gain access to the network across the tunnel.

user-authentication {enable | disable}

no user-authentication

Syntax Description

disable

Disables user authentication.

enable

Enables user authentication.


Defaults

User authentication is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

Individual users authenticate according to the order of authentication servers that you configure.

If you require user authentication on the primary FWSM, be sure to configure it on any backup servers as well.

Examples

The following example shows how to enable user authentication for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# user-authentication enable

Related Commands

Command
Description

ip-phone-bypass

Lets IP phones connect without undergoing user authentication. Secure unit authentication remains in effect.

leap-bypass

Lets LEAP packets from wireless devices behind a VPN client travel across a VPN tunnel prior to user authentication, when enabled. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per user authentication.

secure-unit-authentication

Provides additional security by requiring the VPN client to authenticate with a username and password each time the client initiates a tunnel.

user-authentication-idle-timeout

Sets an idle timeout for individual users. If there is no communication activity on a user connection in the idle timeout period, the FWSM terminates the connection.


user-authentication-idle-timeout

To set an idle timeout for individual users behind hardware clients, use the user-authentication-idle-timeout command in group-policy configuration mode. To delete the idle timeout value, use the no form of this command.

user-authentication-idle-timeout {minutes | none}

no user-authentication-idle-timeout

Syntax Description

minutes

Specifies the number of minutes in the idle timeout period. The range is from 1 through 35791394 minutes.

none

Permits an unlimited idle timeout period. Sets idle timeout with a null value, thereby disallowing an idle timeout. Prevents inheriting a user authentication idle timeout value from a default or specified group policy.


Defaults

30 minutes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

This option allows inheritance of an idle timeout value from another group policy. To prevent inheriting an idle timeout value, use the user-authentication-idle-timeout none command.

If there is no communication activity by a user behind a hardware client in the idle timeout period, the FWSM terminates the connection.

The minimum is 1 minute, the default is 30 minutes, and the maximum is 10,080 minutes.

Examples

The following example shows how to set an idle timeout value of 45 minutes for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# user-authentication-idle-timeout 45

Related Commands

Command
Description

user-authentication

Requires users behind hardware clients to identify themselves to the FWSM before connecting.


username

To add a user to the FWSM database, enter the username command in global configuration mode. To remove a user, use the no version of this command with the username you want to remove. To remove all usernames, use the no version of this command without appending a username.

username {name} {nopassword | password password [encrypted]} [privilege priv_level]

no username [name]

Syntax Description

encrypted

Indicates that the password is encrypted. When you define a password in the username command, the FWSM encrypts it when it saves it to the configuration for security purposes. When you enter the show running-config command, the username command does not show the actual password; it shows the encrypted password followed by the encrypted keyword. For example, if you enter the password "test," the show running-config display would appear to be something like the following:

username pat password rvEdRh0xPC8bel7s encrypted

The only time you would actually enter the encrypted keyword at the CLI is if you are cutting and pasting a configuration to another FWSM and you are using the same password.

name

Specifies the name of the user as a string from 4 to 15 characters in length.

nopassword

Indicates that this user needs no password.

password password

Sets the password as a string from 3 to 16 characters in length.

privilege priv_level

Sets a privilege level for this user from 0 to 15 (lowest to highest). The default privilege level is 2. This privilege level is used with command authorization.


Defaults

The default privilege level is 2.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The login command uses this database for authentication.

If you add users to the local database who can gain access to the CLI and whom you do not want to enter privileged mode, you should enable command authorization. (See the aaa authorization command command.) Without command authorization, users can access privileged EXEC mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is the default). Alternatively, you can use AAA authentication so the user will not be able to use the login command, or you can set all local users to level 1 so you can control who can use the enable password to access privileged EXEC mode.

By default, VPN users that you add with this command have no attributes or group policy association. You must configure all values explicitly using the username attributes command.

Examples

The following example shows how to configure a user named anyuser with a password of 12345678 and a privilege level of 12:

hostname(config)# username anyuser password 12345678 privilege 12
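
The privilege-level guidance above can be turned into a check over a saved configuration. The following Python audit is an added example, not Cisco code; the function name, finding codes, and sample configuration are constructed for illustration. It flags nopassword users, passwords that appear without the encrypted keyword, and users at level 2 or higher (including the default) when no aaa authorization command line is present.

```python
import re

# Matches the syntax documented above:
#   username name {nopassword | password password [encrypted]} [privilege priv_level]
USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+"
    r"(?:(?P<nopw>nopassword)|password\s+(?P<pw>\S+)(?P<enc>\s+encrypted)?)"
    r"(?:\s+privilege\s+(?P<priv>\d+))?\s*$"
)

DEFAULT_PRIVILEGE = 2  # level applied when the privilege keyword is omitted


def audit_usernames(config_text):
    """Return (username, finding) tuples for the username lines of a config."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    # Without command authorization, users at level 2 or greater can reach
    # privileged EXEC mode with their own password.
    cmd_authz = any(ln.startswith("aaa authorization command") for ln in lines)
    findings = []
    for ln in lines:
        m = USERNAME_RE.match(ln)
        if m is None:
            continue  # not a username definition (for example "username x attributes")
        name = m.group("name")
        priv = int(m.group("priv")) if m.group("priv") else DEFAULT_PRIVILEGE
        if m.group("nopw"):
            findings.append((name, "NOPASSWORD"))
        elif not m.group("enc"):
            # No "encrypted" keyword: the password is readable in this text.
            findings.append((name, "CLEARTEXT_PASSWORD"))
        if priv >= 2 and not cmd_authz:
            findings.append((name, "PRIV_EXEC_REACHABLE"))
    return findings


# Constructed sample configuration; the encrypted string is the one shown in
# the Syntax Description above, reused here only as a placeholder.
SAMPLE_CONFIG = """\
hostname fwsm-lab
username admin password rvEdRh0xPC8bel7s encrypted privilege 15
username helpdesk password rvEdRh0xPC8bel7s encrypted
username kiosk nopassword privilege 1
username anyuser password 12345678 privilege 12
username anyuser attributes
"""

if __name__ == "__main__":
    for user, finding in audit_usernames(SAMPLE_CONFIG):
        print("%-10s %s" % (user, finding))
```

The check covers command authorization only; the alternatives the text mentions (AAA authentication, or setting all local users to level 1) still need to be reviewed by hand.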

Related Commands

Command
Description

clear config username

Clears the configuration for a particular user or for all users.

show running-config username

Displays the running configuration for a particular user or for all users.

username attributes

Enters username attributes mode, which lets you configure AVPs for specific users.


username attributes

To enter the username attributes mode, use the username attributes command in username configuration mode. To remove all attributes for a particular user, use the no form of this command and append the username. To remove all attributes for all users, use the no form of this command without appending a username. The attributes mode lets you configure AVPs for a specified user.

username {name} attributes

no username [name] attributes

Syntax Description

name

Provides the name of the user.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Username


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The internal user authentication database consists of the users entered with the username command. The login command uses this database for authentication.

The syntax of the commands in attributes mode has the following characteristics in common:

The no form removes the attribute from the running configuration.

The none keyword also removes the attribute from the running configuration. But it does so by setting the attribute to a null value, thereby preventing inheritance.

Boolean attributes have explicit syntax for enabled and disabled settings.

Examples

The following example shows how to enter username attributes configuration mode for a user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# 

Related Commands

Command
Description

clear config username

Clears the username database.

show running-config username

Displays the running configuration for a particular user or for all users.

username

Adds a user to the FWSM database.


virtual http

To configure a virtual HTTP server, use the virtual http command in global configuration mode. To disable the virtual server, use the no form of this command. When you use HTTP authentication on the FWSM, and the HTTP server also requires authentication, this command lets you authenticate separately with the FWSM and with the HTTP server. Without virtual HTTP, the same username and password you used to authenticate with the FWSM is sent to the HTTP server; you are not prompted separately for the HTTP server username and password.

virtual http ip_address [warning]

no virtual http ip_address [warning]

Syntax Description

ip_address

Sets the IP address for the virtual HTTP server on the FWSM. Make sure this address is an unused address that is routed to the FWSM. For example, if you perform NAT for inside addresses when they access the outside, and you want to provide outside access to the virtual HTTP server, you can use one of the global NAT addresses for the virtual HTTP server address.

warning

(Optional) Notifies users that the HTTP connection needs to be redirected to the FWSM. This keyword applies only for text-based browsers, where the redirect cannot happen automatically.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

If you enable HTTP authentication (see the aaa authentication match command or the aaa authentication include command), then the FWSM prompts each user for a username and password so that it can authenticate them with a AAA server. After the AAA server authenticates the user, the connection is allowed to continue to the HTTP server. However, the AAA server username and password is still included in the HTTP packet. If the HTTP server also has its own authentication mechanism, then the user is not prompted again for a username and password because there is already a username and password included in the packet. Assuming the username and password is not the same for the AAA and HTTP servers, then the HTTP authentication fails.

To allow a user to be prompted separately by the HTTP server, enable the virtual HTTP server on the FWSM using the virtual http command. This command redirects all HTTP connections that require AAA authentication to the virtual HTTP server on the FWSM. The FWSM prompts for the AAA server username and password. After the AAA server authenticates the user, the FWSM redirects the HTTP connection back to the original server, but it does not include the AAA server username and password. Because the username and password are not included in the HTTP packet, the HTTP server prompts the user separately for the HTTP server username and password.


Caution: Do not set the timeout uauth command duration to 0 seconds when using the virtual http command, because this setting prevents HTTP connections to the real web server.

Examples

This example shows how to enable virtual HTTP along with AAA authentication:

hostname(config)# access-list HTTP-ACL extended permit tcp 10.1.1.0 any eq 80
hostname(config)# aaa authentication match HTTP-ACL inside tacacs+
hostname(config)# virtual http 10.1.2.1

Related Commands

Command
Description

clear configure virtual

Removes virtual command statements from the configuration.

show running-config virtual

Displays the IP address of the FWSM virtual server.

sysopt uauth allow-http-cache

When you enable the virtual http command, this command lets you use the username and password in the browser cache to reconnect to the virtual server.

virtual telnet

Provides a virtual Telnet server on the FWSM to let users authenticate with the FWSM before initiating other types of connections that require authentication.


virtual telnet

To configure a virtual Telnet server on the FWSM, use the virtual telnet command in global configuration mode. To disable the server, use the no form of this command.

virtual telnet ip_address

no virtual telnet ip_address

Syntax Description

ip_address

Sets the IP address for the virtual Telnet server on the FWSM. Make sure this address is an unused address that is routed to the FWSM. For example, if you perform NAT for inside addresses when they access the outside, and you want to provide outside access to the virtual Telnet server, you can use one of the global NAT addresses for the virtual Telnet server address.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

You might need to authenticate users with the virtual Telnet server if you require authentication for other types of traffic for which the FWSM does not supply an authentication prompt.

Although you can configure network access authentication for any protocol or service (see the aaa authentication match or aaa authentication include command), you can authenticate directly with HTTP, Telnet, or FTP only. A user must first authenticate with one of these services before other traffic that requires authentication is allowed through. If you do not want to allow HTTP, Telnet, or FTP through the FWSM, but want to authenticate other types of traffic, you can configure virtual Telnet; the user Telnets to a given IP address configured on the FWSM, and the FWSM provides a Telnet prompt.

When an unauthenticated user connects to the virtual Telnet IP address, the user is challenged for a username and password, and then authenticated by the AAA server. Once authenticated, the user sees the message "Authentication Successful." Then, the user can successfully access other services that require authentication.

Examples

The following example shows how to enable virtual Telnet along with AAA authentication for other services:

hostname(config)# access-list AUTH extended permit tcp 10.1.1.0 host 10.1.2.1 eq telnet
hostname(config)# access-list AUTH extended permit tcp 10.1.1.0 host 209.165.200.225 eq smtp
hostname(config)# aaa authentication match AUTH inside tacacs+
hostname(config)# virtual telnet 10.1.2.1

Related Commands

Command
Description

clear configure virtual

Removes virtual command statements from the configuration.

show running-config virtual

Displays the IP address of the FWSM virtual server.

virtual http

When you use HTTP authentication on the FWSM, and the HTTP server also requires authentication, this command lets you authenticate separately with the FWSM and with the HTTP server. Without virtual HTTP, the same username and password you used to authenticate with the FWSM is sent to the HTTP server; you are not prompted separately for the HTTP server username and password.


vpn-access-hours

To associate a group policy with a configured time-range policy, use the vpn-access-hours command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a time-range value from another group policy. To prevent inheriting a value, use the vpn-access-hours none command.

vpn-access-hours value {time-range} | none

no vpn-access-hours

Syntax Description

none

Sets VPN access hours to a null value, thereby allowing no time-range policy. Prevents inheriting a value from a default or specified group policy.

time-range

Specifies the name of a configured time-range policy.


Defaults

Unrestricted.

Command Modes

The following table shows the modes in which you can enter the command: