-
null
- acl-netmask-convert
- action
- action cli command
- action-uri
- activate-tunnel-group-script
- activation-key
- activex-relay
- ad-agent-mode
- address (dynamic-filter blacklist, whitelist)
- address (media-termination) (Deprecated)
- address-family ipv4
- address-family ipv6
- address-pool
- address-pools
- admin-context
- advertise passive-only
- aggregate-address
- alarm contact description
- alarm contact severity
- alarm contact trigger
- alarm facility input-alarm
- alarm facility power-supply rps
- alarm facility temperature (actions)
- alarm facility temperature (high and low thresholds)
- allocate-interface
- allocate-ips
- allowed-eid
- allow-ssc-mgmt
- allow-tls
- always-on-vpn
- anti-replay
- anyconnect ask
- anyconnect-custom (Version 9.0 through 9.2)
- anyconnect-custom (Version 9.3 and later)
- anyconnect-custom-attr (Version 9.0 through 9.2)
- anyconnect-custom-attr (Version 9.3 and later)
- anyconnect-custom-data
- anyconnect df-bit-ignore
- anyconnect dpd-interval
- anyconnect dtls compression
- anyconnect enable
- anyconnect-essentials
- anyconnect firewall-rule
- anyconnect image
- anyconnect keep-installer
- anyconnect modules
- anyconnect mtu
- anyconnect profiles (group-policy attributes > webvpn, username attributes > webvpn)
- anyconnect profiles (webvpn)
- anyconnect ssl compression
- anyconnect ssl df-bit-ignore
- anyconnect ssl dtls enable
- anyconnect ssl keepalive
- anyconnect ssl rekey
- apcf
- app-agent heartbeat
- appl-acl
- application-access
- application-access hide-details
acl-netmask-convert through application-access hide-details Commands
acl-netmask-convert
To specify how the ASA treats netmasks received in a downloadable ACL from a RADIUS server that is accessed by using the aaa-server host command, use the acl-netmask-convert command in aaa-server host configuration mode. To remove the specified behavior for the ASA, use the no form of this command.
acl-netmask-convert { auto-detect | standard | wildcard }
Syntax Description
Defaults
By default, no conversion from wildcard netmask expressions is performed.
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
Use the acl-netmask-convert command with the wildcard or auto-detect keywords when a RADIUS server provides downloadable ACLs that contain netmasks in wildcard format. The ASA expects downloadable ACLs to contain standard netmask expressions whereas Cisco VPN 3000 series concentrators expect downloadable ACLs to contain wildcard netmask expressions, which are the reverse of a standard netmas expression. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match.The acl-netmask-convert command helps minimize the effects of these differences upon how you configure downloadable ACLs on your RADIUS servers.
The auto-detect keyword is helpful when you are uncertain how the RADIUS server is configured; however, wildcard netmask expressions with “holes” in them cannot be unambiguously detected and converted. For example, the wildcard netmask 0.0.255.0 permits anything in the third octet and can be used validly on Cisco VPN 3000 series concentrators, but the ASA may not detect this expression as a wildcard netmask.
Examples
The following example configures a RADIUS AAA server named “srvgrp1” on host “192.168.3.4”, enables conversion of downloadable ACL netmasks, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures authentication port 1650:
ciscoasa(config)# aaa-server svrgrp1 protocol radius
ciscoasa(config-aaa-server-group)# aaa-server svrgrp1 host 192.168.3.4
ciscoasa(config-aaa-server-host)# acl-netmask-convert wildcard
ciscoasa(config-aaa-server-host)# timeout 9
ciscoasa(config-aaa-server-host)# retry-interval 7
ciscoasa(config-aaa-server-host)# authentication-port 1650
ciscoasa(config-aaa-server-host)# exit
ciscoasa(config)#
Related Commands
action
To either apply access policies to a session or terminate the session, use the action command in dynamic-access-policy-record configuration mode. To reset the session to apply an access policy to a session, use the no form of the command.
no action {continue | terminate}
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
Use the continue keyword to apply the access policies to the session in all of the selected DAP records. Use the terminate keyword to terminate the connection in any of the selected DAP records.
Examples
The following example shows how to terminate a session for the DAP policy Finance:
ciscoasa (config)# config-dynamic-access-policy-record Finance
ciscoasa(config-dynamic-access-policy-record)# action terminate
ciscoasa(config-dynamic-access-policy-record)#
Related Commands
|
|
|
|---|---|
Displays the running configuration for all DAP records, or for the named DAP record. |
action cli command
To configure actions on an event manager applet, use the action cli command command in event manager applet configuration mode. To remove the configured action, enter the no action n command.
action n cli command “ command ”
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
Use this command to configure actions on an event manager applet.
Examples
The following example shows how to configure actions on an event manager applet:
hostname (config-applet)# action 1 cli command “show version”
Related Commands
|
|
|
|---|---|
Shows statistical information for each configured event manager applet. |
|
action-uri
To specify a web server URI to receive a username and password for single sign-on (SSO) authentication, use the action-uri command in aaa-server-host configuration mode. To reset the URI parameter value, use the no form of the command.
Note
To configure SSO with the HTTP protocol correctly, you must have a thorough working knowledge of authentication and HTTP protocol exchanges.
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
This is an SSO with HTTP Forms command. A URI or Uniform Resource Identifier is a compact string of characters that identifies a point of content on the Internet, whether it be a page of text, a video or sound clip, a still or animated image, or a software program. The most common form of URI is the web page address, which is a particular form or subset of URI called a URL.
The WebVPN server of the ASA can use a POST request to submit an SSO authentication request to an authenticating web server. To accomplish this, configure the ASA to pass a username and a password to an action URI on an authenticating web server using an HTTP POST request. The action-uri command specifies the location and name of the authentication program on the web server to which the ASA sends the POST request.
You can discover the action URI on the authenticating web server by connecting to the web server login page directly with a browser. The URL of the login web page displayed in your browser is the action URI for the authenticating web server.
For ease of entry, you can enter URIs on multiple, sequential lines. The ASA then concatenates the lines into the URI as you enter them. While the maximum characters per action-uri line is 255 characters, you can enter fewer characters on each line.
Note Any question mark in the string must be preceded by a CTRL-v escape sequence.
Examples
The following example specifies the URI on www.example.com:
http://www.example.com/auth/index.html/appdir/authc/forms/MCOlogin.fcc?TYPE=33554433&REALMOID=06-000a1311-a828-1185-ab41-8333b16a0008&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$5FZmjnk3DRNwNjk2KcqVCFbIrNT9%2bJ0H0KPshFtg6rB1UV2PxkHqLw%3d%3d&TARGET=https%3A%2F%2Fauth.example.com
Note You must include the hostname and protocol in the action URI. In the preceding example, these are included in http://www.example.com at the start of the URI.
Related Commands
activate-tunnel-group-script
This command is used internally to reload an ASDM generated script file when username-from-certificate is configured in tunnel-group sub-mode.
Note Do not use this command in the ASA CLI.
activation-key
To enter a license activation key on the ASA, use the activation-key command in privileged EXEC mode.
activation-key [ noconfirm ] activation_key [ activate | deactivate ]
Syntax Description
Defaults
By default, your ASA ships with a license already installed. This license might be the Base License, to which you want to add more licenses, or it might already have all of your licenses installed, depending on what you ordered and what your vendor installed for you. See the show activation-key command to determine which licenses you have installed.
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
|
|
|||||
Command History
Usage Guidelines
To obtain an activation key, you need a Product Authorization Key, which you can purchase from your Cisco account representative. You need to purchase a separate Product Activation Key for each feature license. For example, if you have the Base License, you can purchase separate keys for Advanced Endpoint Assessment and for additional SSL VPN sessions.
After obtaining the Product Authorization Keys, register them on Cisco.com at one of the following URLs.
http://www.cisco.com/go/license
http://www.cisco.com/go/license/public
- In multiple context mode, apply the activation key in the system execution space.
- Shared licenses are not supported in multiple context mode.
- Shared licenses are not supported in Active/Active mode.
- Failover units do not require the same license on each unit.
Older versions of ASA software required that the licenses match on each unit. Starting with Version 8.3(1), you no longer need to install identical licenses. Typically, you buy a license only for the primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active. If you have licenses on both units, they combine into a single running failover cluster license.
- For the ASA 5505 and 5510, both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.
Upgrade and Downgrade Guidelines
Your activation key remains compatible if you upgrade to the latest version from any previous version. However, you might have issues if you want to maintain downgrade capability:
- Downgrading to Version 8.1 or earlier—After you upgrade, if you activate additional feature licenses that were added before 8.2, then the activation key continues to be compatible with earlier versions if you downgrade. However if you activate feature licenses that were added in 8.2 or later, then the activation key is not backwards compatible. If you have an incompatible license key, then see the following guidelines:
– If you previously entered an activation key in an earlier version, then the ASA uses that key (without any of the new licenses you activated in Version 8.2 or later).
– If you have a new system and do not have an earlier activation key, then you need to request a new activation key compatible with the earlier version.
- Downgrading to Version 8.2 or earlier—Version 8.3 added more robust time-based key usage as well as failover license changes:
– If you have more than one time-based activation key active, when you downgrade, only the most recently activated time-based key can be active. Any other keys are made inactive.
– If you have mismatched licenses on a failover pair, then downgrading will disable failover. Even if the keys are matching, the license used will no longer be a combined license.
Additional Guidelines and Limitations
- The activation key is not stored in your configuration file; it is stored as a hidden file in flash memory.
- The activation key is tied to the serial number of the device. Feature licenses cannot be transferred between devices (except in the case of a hardware failure). If you have to replace your device due to a hardware failure, contact the Cisco Licensing Team to have your existing license transferred to the new serial number. The Cisco Licensing Team will ask for the Product Authorization Key reference number and existing serial number.
- Once purchased, you cannot return a license for a refund or for an upgraded license.
- Although you can activate all license types, some features are incompatible with each other; for example, multiple context mode and VPN. In the case of the AnyConnect Essentials license, the license is incompatible with the following licenses: full SSL VPN license, shared SSL VPN license, and Advanced Endpoint Assessment license. By default, the AnyConnect Essentials license is used instead of the above licenses, but you can disable the AnyConnect Essentials license in the configuration to restore use of the other licenses using the no anyconnect-essentials command.
- Some permanent licenses require you to reload the ASA after you activate them. Table 2-1 lists the licenses that require reloading.
|
|
|
|---|---|
Downgrading any permanent license (for example, going from 10 contexts to 2 contexts). |
Examples
The following example shows how to change the activation key on the ASA:
The following is sample output from the activation-key command that shows output for failover when the new activation key is different than the old activation key:
The following is sample output from a license file:
Related Commands
|
|
|
|---|---|
activex-relay
To incorporate applications that need ActiveX over the clientless portal, use the activex-relay command in group-policy webvpn configuration mode or username webvpn configuration mode. To inherit the activex-relay command from the default group policy, use the no form of this command.
activex-relay { enable | disable }
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
Use the activex-relay enable command to let users launch ActiveX from the WebVPN browser for any HTML content that has the object tags (such as images, audio, videos, JAVA applets, ActiveX, PDF, or flash). These applications use the WebVPN session to download and upload ActiveX controls. The ActiveX relay remains in force until the WebVPN session closes. If you plan to use something like Microsoft OWA 2007, you should disable ActiveX.
Note Because they have the same functionality, the activex-relay enable command generates smart tunnel logs even if smart tunnel is disabled.
The following example enables ActiveX controls on WebVPN sessions associated with a given group policy:
The following example disables ActiveX controls on WebVPN sessions associated with a given username:
ad-agent-mode
To enables the AD Agent mode so that you can configure the Active Directory Agent for the Cisco Identify Firewall instance, use the ad-agent-mode command in global configuration mode.
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
To configure the Active Directory Agent for the Identity Firewall, you must enter the ad-agent-mode command, which is a submode of the aaa-server command. Entering the ad-agent-mode command enters the aaa server group configuration mode.
Periodically or on-demand, the AD Agent monitors the Active Directory server security event log file via WMI for user login and logoff events. The AD Agent maintains a cache of user ID and IP address mappings. and notifies the ASA of changes.
Configure the primary and secondary AD Agents for the AD Agent Server Group. When the ASA detects that the primary AD Agent is not responding and a secondary agent is specified, the ASA switches to the secondary AD Agent. The Active Directory server for the AD agent uses RADIUS as the communication protocol; therefore, you should specify a key attribute for the shared secret between the ASA and AD Agent.
Examples
The following example shows how to enable ad-agent-mode while configuring the Active Directory Agent for the Identity Firewall:
Related Commands
|
|
|
Creates a AAA server group and configures AAA server parameters that are group-specific and common to all group hosts. |
|
address (dynamic-filter blacklist, whitelist)
To add an IP address to the Botnet Traffic Filter blacklist or whitelist, use the address command in dynamic-filter blacklist or whitelist configuration mode. To remove the address, use the no form of this command.
Syntax Description
Defines the subnet mask for the IP address. The mask can be for a single host or for a subnet. |
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
The static database lets you augment the dynamic database with domain names or IP addresses that you want to whitelist or blacklist. After you enter the dynamic-filter whitelist or blacklist configuration mode, you can manually enter domain names or IP addresses (host or subnet) that you want to tag as good names in a whitelist or bad names in a blacklist using the address and name commands.
You can enter this command multiple times for multiple entries. You can add up to 1000 blacklist and 1000 whitelist entries.
Examples
The following example creates entries for the blacklist and whitelist:
Related Commands
address (media-termination) (Deprecated)
To specify the address for a media termination instance to use for media connections to the Phone Proxy feature, use the address command in the media-termination configuration mode. To remove the address from the media termination configuration, use the no form of this command.
address ip_address [ interface intf_name ]
no address ip_address [ interface intf_name ]
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
This command was deprecated along with all phone-proxy and uc-ime commands. |
Usage Guidelines
The ASA must have IP addresses for media termination that meet the following criteria:
- For the media termination instance, you can configure a global media-termination address for all interfaces or configure a media-termination address for different interfaces. However, you cannot use a global media-termination address and media-termination addresses configured for each interface at the same time.
- If you configure a media termination address for multiple interfaces, you must configure an address on each interface that the ASA uses when communicating with IP phones.
- The IP addresses are publicly routable addresses that are unused IP addresses within the address range on that interface.
Examples
The following example shows the use of the media-termination address command to specify the IP address to use for media connections:
Related Commands
|
|
|
|---|---|
Configures the media termination instance to apply to a Phone Proxy instance. |
address-family ipv4
To enter address family to configure a routing session using standard IP Version 4 (IPv4) address prefixes, use the address-family ipv4 command in router configuration mode. To exit address family configuration mode and remove the IPv4 address family configuration from the running configuration, use the no form of this command.
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
The address-family ipv4 command places the context router in address family configuration mode, from which you can configure routing sessions that use standard IPv4 address prefixes. To leave address family configuration mode and return to router configuration mode, type exit.
Note Routing information for address family IPv4 is advertised by default for each BGP routing session configured with the neighbor remote-as command unless you enter the no bgp default ipv4-unicast command before configuring the neighbor remote-as command.
Examples
The following example places the router in address family configuration mode for the IPv4 address family:
Related Commands
|
|
|
|---|---|
Sets the IP version 4 (IPv4) unicast address family as default for BGP peering session. |
|
Adds an entry to the BGP or multiprotocol BGP neighbor table. |
address-family ipv6
To enter address family to configure a routing session such as BGP that use using standard IP Version 6 (IPv6) address prefixes, use the address-family ipv6 command in router configuration mode. To exit address family configuration mode and remove the IPv6 address family configuration from the running configuration, use the no form of this command.
Syntax Description
Defaults
IPv6 address prefixes are not enabled. Unicast address prefixes are the default when IPv6 address prefixes are configured.
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
The address-family ipv6 command places the context router in address family configuration mode, from which you can configure routing sessions that use standard IPv6 address prefixes. To leave address family configuration mode and return to router configuration mode, type exit.
Examples
The following example places the router in address family configuration mode for the IPv4 address family:
Related Commands
|
|
|
|---|---|
address-pool
To specify a list of address pools for allocating addresses to remote clients, use the address-pool command in tunnel-group general-attributes configuration mode. To eliminate address pools, use the no form of this command.
address-pool [( interface name)] address_pool1 [... address_pool6 ]
no address-pool [( interface name)] address_pool1 [... address_pool6 ]
Syntax Description
Specifies the name of the address pool configured with the ip local pool command. You can specify up to 6 local address pools. |
|
(Optional) Specifies the interface to be used for the address pool. |
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
You can enter multiples of each of these commands, one per interface. If an interface is not specified, then the command specifies the default for all interfaces that are not explicitly referenced.
The address-pools settings in the group-policy address-pools command override the local pool settings in the tunnel group address-pool command.
The order in which you specify the pools is significant. The ASA allocates addresses from these pools in the order in which the pools appear in this command.
Examples
The following example entered in config-tunnel-general configuration mode, specifies a list of address pools for allocating addresses to remote clients for an IPsec remote-access tunnel group test:
Related Commands
address-pools
To specify a list of address pools for allocating addresses to remote clients, use the address-pools command in group-policy attributes configuration mode. To remove the attribute from the group policy and enable inheritance from other sources of group policy, use the no form of this command.
address-pools value address_pool1 [... address_pool6 ]
no address-pools value address_pool1 [... address_pool6 ]
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
The address pools settings in this command override the local pool settings in the group. You can specify a list of up to six local address pools to use for local address allocation.
The order in which you specify the pools is significant. The ASA allocates addresses from these pools in the order in which the pools appear in this command.
The command address-pools none disables this attribute from being inherited from other sources of policy, such as the DefaultGrpPolicy. The command no address pools none removes the address-pools none command from the configuration, restoring the default value, which is to allow inheritance.
Examples
The following example entered in config-general configuration mode, configures pool_1 and pool_20 as lists of address pools to use for allocating addresses to remote clients for GroupPolicy1:
Related Commands
|
|
|
|---|---|
Configures IP address pools to be used for VPN group policies. |
|
Shows the configuration for all group policies or for a particular group policy. |
admin-context
To set the admin context for the system configuration, use the admin-context command in global configuration mode.
Syntax Description
Defaults
For a new ASA in multiple context mode, the admin context is called “admin.”
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
|
|
|||||
Command History
|
|
|
|---|---|
Usage Guidelines
You can set any context to be the admin context, as long as the context configuration resides on the internal Flash memory.
You cannot remove the current admin context, unless you remove all contexts using the clear configure context command.
The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the ASA software or allowing remote management for an administrator), it uses one of the contexts that is designated as the admin context.
Examples
The following example sets the admin context to be “administrator”:
Related Commands
|
|
|
|---|---|
Configures a context in the system configuration and enters context configuration mode. |
|
advertise passive-only
To configure IS-IS to advertise only prefixes that belong to passive interfaces, use the advertise passive-only command in router isis configuration mode. To remove the restriction, use the no form of this command.
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
This command is an IS-IS mechanism to exclude IP prefixes of connected networks from link-state packet (LSP) advertisements, thereby reducing IS-IS convergence time.
Configuring this command per IS-IS instance is a scalable solution to reduce IS-IS convergence time because fewer prefixes will be advertised in the router nonpseudonode LSP.
This command relies on the fact that when enabling IS-IS on a loopback interface, you usually configure the loopback as passive (to prevent sending unnecessary hello packets out through it because there is no chance of finding a neighbor behind it). Thus, if you want to advertise only the loopback and if it has already been configured as passive, configuring the advertise passive-only command per IS-IS instance would prevent the overpopulation of the routing tables.
An alternative to this command is the no isis advertise-prefix command. The no isis advertise-prefix command is a small-scale solution because it is configured per interface.
Examples
The following example uses the advertise passive-only command, which affects the IS-IS instance, and thereby prevents advertising the IP network of Ethernet interface 0. Only the IP address of loopback interface 0 is advertised.
Related Commands
aggregate-address
To create an aggregate entry in a Border Gateway Protocol (BGP) database, use the aggregate-address command in address family configuration mode. To disable this function, use the no form of this command.
aggregate-address address mask [as-set] [summary-only] [suppress-map map-name][advertise-map map-name] [attribute-map map-name]
no aggregate-address address mask [as-set] [summary-only] [suppress-map map-name][advertise-map map-name] [attribute-map map-name]
Syntax Description
Defaults
The atomic aggregate attribute is set automatically when an aggregate route is created with this command unless the as-set keyword is specified
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
This command was modified, to be supported in address-family ipv6 sub-mode. |
Usage Guidelines
You can implement aggregate routing in BGP and Multiprotocol BGP (mBGP) either by redistributing an aggregate route into BGP or mBGP, or by using the conditional aggregate routing feature.
Using the aggregate-address command with no keywords will create an aggregate entry in the BGP or mBGP routing table if any more-specific BGP or mBGP routes are available that fall within the specified range. (A longer prefix that matches the aggregate must exist in the Routing Information Base (RIB).) The aggregate route will be advertised as coming from your autonomous system and will have the atomic aggregate attribute set to show that information might be missing. (By default, the atomic aggregate attribute is set unless you specify the as-set keyword.)
Using the as-set keyword creates an aggregate entry using the same rules that the command follows without this keyword, but the path advertised for this route will be an AS_SET consisting of all elements contained in all paths that are being summarized. Do not use this form of the aggregate-address command when aggregating many paths, because this route must be continually withdrawn and updated as autonomous system path reach ability information for the summarized routes changes.
Using the summary-only keyword not only creates the aggregate route (for example, 192.*.*.*) but also suppresses advertisements of more-specific routes to all neighbors. If you want to suppress only advertisements to certain neighbors, you may use the neighbor distribute-list command, with caution. If a more-specific route leaks out, all BGP or mBGP routers will prefer that route over the less-specific aggregate you are generating (using longest-match routing).
Using the suppress-map keyword creates the aggregate route but suppresses advertisement of specified routes. You can use the match clauses of route maps to selectively suppress some more-specific routes of the aggregate and leave others unsuppressed. IP access lists and autonomous system path access lists match clauses are supported.
Using the advertise-map keyword selects specific routes that will be used to build different components of the aggregate route, such as AS_SET or community. This form of the aggregate-address command is useful when the components of an aggregate are in separate autonomous systems and you want to create an aggregate with AS_SET, and advertise it back to some of the same autonomous systems. You must remember to omit the specific autonomous system numbers from the AS_SET to prevent the aggregate from being dropped by the BGP loop detection mechanism at the receiving router. IP access lists and autonomous system path access lists match clauses are supported.
Using the attribute-map keyword allows attributes of the aggregate route to be changed. This form of the aggregate-address command is useful when one of the routes forming the AS_SET is configured with an attribute such as the community no-export attribute, which would prevent the aggregate route from being exported. An attribute map route map can be created to change the aggregate attributes.
Examples
The following example creates an aggregate route and suppresses advertisements of more specific routes to all neighbors.
Related Commands
|
|
|
|---|---|
Enters the address family configuration mode to configure a routing session using standard IP Version 4. |
alarm contact description
To enter a description for the alarm inputs in the ISA 3000, use the alarm contact description command in global configuration mode. To set the default description to the corresponding contact number, use the no form of this command.
alarm contact { 1 | 2 } description string
no alarm contact { 1 | 2 } description
Syntax Description
Command Default
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Examples
The following example specifies the description for the alarm contact 1:
Related Commands
alarm contact severity
To specify the severity of an alarm in the ISA 3000, use the alarm contact severity command in global configuration mode. To revert to the default severity, use the no form of this command.
alarm contact { 1 | 2 | all } severity { major | minor | none }
no alarm contact { 1 | 2 | all } severity
Syntax Description
Command Default
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Examples
The following example specifies the severity for the alarm contact 1:
Related Commands
alarm contact trigger
To specify a trigger for one or all alarm inputs in the ISA 3000, use the alarm contact trigger command in global configuration mode. To revert to the default trigger, use the no form of this command.
alarm contact { 1 | 2 | all } trigger { open | closed }
alarm contact { 1 | 2 | all } trigger
Syntax Description
Command Default
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Examples
The following example sets the trigger for the alarm contact 1:
Related Commands
alarm facility input-alarm
To specify the logging and notification options for alarm inputs in the ISA 3000, use the alarm facility input-alarm command in global configuration mode. To remove the logging and notification options, use the no form of this command.
alarm facility input-alarm { 1 | 2 } { notifies | relay | syslog }
no alarm facility input-alarm { 1 | 2 } { notifies | relay | syslog }
Syntax Description
Command Default
Syslog is enabled by default, the other options are disabled.
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Examples
The following examples specify the logging and notification options for alarm input 1:
Related Commands
|
|
|
|---|---|
Displays all triggered alarms, or alarms based on severity specified. |
|
De-energizes the output relay and clears the alarm state of the LED. |
alarm facility power-supply rps
To configure power supply alarms in the ISA 3000, use the alarm facility power-supply rps command in global configuration mode. To disable the power supply alarm, relay, SNMP traps and syslog, use the alarm facility power-supply rps disable command or the no version.
alarm facility power-supply rps { disable | notifies | relay | syslog }
no alarm facility power-supply rps { disable | notifies | relay | syslog }
Syntax Description
Command Default
By default, syslog is enabled, relay and notifies are disabled. The alarm is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
The ISA 3000 has two power supplies. By default, the system operates in single-power mode. However, you can configure the system to operate in dual mode, where the second power supply automatically provides power if the primary power supply fails. When you enable dual-mode, the power supply alarm is automatically enabled to send syslog alerts, but you can disable the alert altogether, or also enable SNMP traps or the alarm hardware relay.
The alarm facility power-supply rps disable command disables the power supply alarm, relay, traps and syslog. Using the no alarm facility power-supply rps disable command enables only the power supply alarm. You must enable the relay, SNMP traps, and syslog separately.
You must also configure the power-supply dual command to enable dual mode. The alarm is automatically enabled in dual mode.
Examples
The following example enables dual power supply mode and configures all alert options.
The following example disables the dual power supply alarm:
Related Commands
alarm facility temperature (actions)
To configure the temperature alarms in the ISA 3000, use the alarm facility temperature command in global configuration mode. To disable the temperature alarms, use the no form of the command.
alarm facility temperature { primary | secondary } { notifies | relay | syslog }
no alarm facility temperature { primary | secondary } { notifies | relay | syslog }
Syntax Description
Command Default
The primary temperature alarm is enabled for all alarm actions.
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
You can configure alarms based on the temperature of the CPU card in the device.
You can set a primary and secondary temperature range using the alarm facility temperature command with the high and low keywords. If the temperature drops below the low threshold, or exceeds the high threshold, the alarm is triggered.
The primary temperature alarm is enabled by default for all alarm actions: output relay, syslog, and SNMP. The default settings for the primary temperature range is -40°C to 92°C.
The secondary temperature alarm is disabled by default. You can set the secondary temperature within the range -35°C to 85°C.
Because the secondary temperature range is more restrictive than the primary range, if you set either the secondary low or high temperature, that setting disables the corresponding primary setting, even if you configure non-default values for the primary setting. You cannot enable two separate high and two separate low temperature alarms.
Thus, in practice, you should configure the primary only, or the secondary only, setting for high and low.
Examples
The following example sets the high and low temperatures for the secondary alarm and enables all alert actions.
Related Commands
alarm facility temperature (high and low thresholds)
To configure the high and low temperature threshold values in the ISA 3000, use the alarm facility temperature { low | high } command in global configuration mode. To remove the threshold values, or to revert the primary value to the default, use the no form of the command.
alarm facility temperature { primary | secondary } { high | low } threshold
no alarm facility temperature { primary | secondary } { high | low } threshold
Syntax Description
Command Default
The default primary high temperature is 92°C, the low is –40°C.
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
You can configure alarms based on the temperature of the CPU card in the device.
You can set a primary and secondary temperature range using the alarm facility temperature command with the high and low keywords. If the temperature drops below the low threshold, or exceeds the high threshold, the alarm is triggered.
The primary temperature alarm is enabled by default for all alarm actions: output relay, syslog, and SNMP. The default settings for the primary temperature range is -40°C to 92°C.
The secondary temperature alarm is disabled by default. You can set the secondary temperature within the range -35°C to 85°C.
Because the secondary temperature range is more restrictive than the primary range, if you set either the secondary low or high temperature, that setting disables the corresponding primary setting, even if you configure non-default values for the primary setting. You cannot enable two separate high and two separate low temperature alarms.
Thus, in practice, you should configure the primary only, or the secondary only, setting for high and low.
Examples
The following example sets the high and low temperatures for the secondary alarm and enables all alert actions.
Related Commands
allocate-interface
To allocate interfaces to a security context, use the allocate-interface command in context configuration mode. To remove an interface from a context, use the no form of this command.
allocate-interface physical_interface [ map_name ] [ visible | invisible ]
no allocate-interface physical_interface
allocate-interface physical_interface . subinterface [ - physical_interface . subinterface ] [ map_name [ - map_name ]] [ visible | invisible ]
no allocate-interface physical_interface . subinterface [ - physical_interface . subinterface ]
Syntax Description
(Default) Allows context users to only see the mapped name (if configured) in the show interface command. |
|
(Optional) Sets a mapped name. The map_name is an alphanumeric alias for the interface that can be used within the context instead of the interface ID. If you do not specify a mapped name, the interface ID is used within the context. For security purposes, you might not want the context administrator to know which interfaces are being used by the context. A mapped name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. For example, you can use the following names: For subinterfaces, you can specify a range of mapped names. See the “Usage Guidelines” section for more information about ranges. |
|
Sets the interface ID, such as gigabit ethernet0/1. See the interface command for accepted values. Do not include a space between the interface type and the port number. |
|
Sets the subinterface number. You can identify a range of subinterfaces. |
|
(Optional) Allows context users to see physical interface properties in the show interface command even if you set a mapped name. |
Defaults
The interface ID is invisible in the show interface command output by default if you set a mapped name.
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
|
|
|||||
Command History
|
|
|
|---|---|
Usage Guidelines
You can enter this command multiple times to specify different ranges. To change the mapped name or visible setting, reenter the command for a given interface ID, and set the new values; you do not need to enter the no allocate-interface command and start over. If you remove the allocate-interface command, the ASA removes any interface-related configuration in the context.
Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA, you can use the dedicated management interface, Management 0/0, (either the physical interface or a subinterface) as a third interface for management traffic.
Note The management interface for transparent mode does not flood a packet out the interface when that packet is not in the MAC address table.
You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces.
If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these guidelines for ranges:
- The mapped name must consist of an alphabetic portion followed by a numeric portion. The alphabetic portion of the mapped name must match for both ends of the range. For example, enter the following range:
If you enter gigabitethernet0/1.1-gigabitethernet0/1.5 happy1-sad5, for example, the command fails.
- The numeric portion of the mapped name must include the same quantity of numbers as the subinterface range. For example, both ranges include 100 interfaces:
If you enter gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int15, for example, the command fails.
Examples
The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/1.305 assigned to the context. The mapped names are int1 through int8.
Related Commands
allocate-ips
To allocate an IPS virtual sensor to a security context if you have the AIP SSM installed, use the allocate-ips command in context configuration mode. To remove a virtual sensor from a context, use the no form of this command.
allocate-ips sensor_name [ mapped_name ] [ default ]
no allocate-ips sensor_name [ mapped_name ] [ default ]
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
|
|
|||||
Command History
|
|
|
|---|---|
Usage Guidelines
You can assign one or more IPS virtual sensors to each context. Then, when you configure the context to send traffic to the AIP SSM using the ips command, you can specify a sensor that is assigned to the context; you cannot specify a sensor that you did not assign to the context. If you do not assign any sensors to a context, then the default sensor configured on the AIP SSM is used. You can assign the same sensor to multiple contexts.
Note You do not need to be in multiple context mode to use virtual sensors; you can be in single mode and use different sensors for different traffic flows.
Examples
The following example assigns sensor1 and sensor2 to context A, and sensor1 and sensor3 to context B. Both contexts map the sensor names to “ips1” and “ips2.” In context A, sensor1 is set as the default sensor, but in context B, no default is set so the default that is configured on the AIP SSM is used.
Related Commands
allowed-eid
To configure a LISP inspection map to limit inspected EIDs based on IP address, use the allowed-eid command in parameters configuration mode. You can access the parameters configuration mode by first entering the policy-map type inspect lisp command. To allow all EIDs, use the no form of this command.
allowed-eid access-list eid_acl_name
no allowed-eid access-list eid_acl_name
Syntax Description
Specifies an extended ACL where only the destination IP address is matched to the EID embedded address. |
Command Default
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
Configure a LISP inspection map to limit inspected EIDs based on IP address.
About LISP Inspection for Cluster Flow Mobility
The ASA inspects LISP traffic for location changes and then uses this information for seamless clustering operation. With LISP integration, the ASA cluster members can inspect LISP traffic passing between the first hop router and the ETR or ITR, and can then change the flow owner to be at the new site.
Cluster flow mobility includes several inter-related configurations:
1. (Optional) Limit inspected EIDs based on the host or server IP address—The first hop router might send EID-notify messages for hosts or networks the ASA cluster is not involved with, so you can limit the EIDs to only those servers or networks relevant to your cluster. For example, if the cluster is only involved with 2 sites, but LISP is running on 3 sites, you should only include EIDs for the 2 sites involved with the cluster. See the policy-map type inspect lisp, allowed-eid, and validate-key commands.
2. LISP traffic inspection—The ASA inspects LISP traffic for the EID-notify message sent between the first hop router and the ITR or ETR. The ASA maintains an EID table that correlates the EID and the site ID. For example, you should inspect LISP traffic with a source IP address of the first hop router and a destination address of the ITR or ETR. See the inspect lisp command.
3. Service Policy to enable flow mobility on specified traffic—You should enable flow mobility on business-critical traffic. For example, you can limit flow mobility to only HTTPS traffic, and/or to traffic to specific servers. See the cluster flow-mobility lisp command.
4. Site IDs—The ASA uses the site ID for each cluster unit to determine the new owner. See the site-id command.
5. Cluster-level configuration to enable flow mobility—You must also enable flow mobility at the cluster level. This on/off toggle lets you easily enable or disable flow mobility for a particular class of traffic or applications. See the flow-mobility lisp command.
Examples
The following example limits EIDs to those on the 10.10.10.0/24 network:
Related Commands
|
|
|
|---|---|
allow-ssc-mgmt
To set an interface on the ASA 5505 to be the SSC management interface, use the allow-ssc-mgmt command in interface configuration mode. To unassign an interface, use the no form of this command.
Syntax Description
Command Default
This command is enabled in the factory default configuration for VLAN 1.
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
An SSC does not have any external interfaces. You can configure a VLAN as a management VLAN to allow access to an internal management IP address over the backplane. By default, VLAN 1 is enabled for the SSC management address. You can only assign one VLAN as the SSC management VLAN.
Do not configure NAT for the management address if you intend to access it using ASDM. For initial setup with ASDM, you need to access the real address. After initial setup (where you set the password in the SSC), you can configure NAT and supply ASDM with the translated address when you want to access the SSC.
Examples
The following example disables management access on VLAN 1, and enables it for VLAN 2:
Related Commands
|
|
|
|---|---|
Sets the hosts that are allowed to access the management IP address. |
allow-tls
To configure ESMTP inspection to allow or prohibit TLS sessions, use the allow-tls command in parameters configuration mode. To disable this feature, use the no form of this command.
Syntax Description
Command Default
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
Usage Guidelines
ESMTP inspection cannot inspect encrypted connections. If you want to enforce inspection of all ESMTP sessions, use the no allow-tls command. By disallowing TLS, the STARTTLS indicator is removed from connection requests, forcing the client and server to negotiate clear text connections.
If you want to allow the client and server to negotiate encrypted connections, include the allow-tls command in the parameters section of an ESMTP inspection policy map, and connect the map to the ESMTP inspection service policy. You can also edit the _default_esmtp_map, which is applied when you do not apply your own map.
Examples
The following example shows how to allow encrypted ESMTP sessions, which bypasses ESMTP inspection:
Related Commands
|
|
|
|---|---|
always-on-vpn
To configure the behavior of the AnyConnect Always-On-VPN functionality, use the always-on-vpn command in group policy configuration mode.
always-on-vpn [ profile-setting | disable ]
Syntax Description
Uses the always-on-vpn setting configured in the AnyConnect profile. |
Command Default
Command History
|
|
|
|---|---|
Usage Guidelines
To enable Always-On-VPN functionality for AnyConnect users, configure an AnyConnect profile in the profile editor. Then configure the group-policy attributes for the appropriate policy.
Examples
The following example enables always-on functionality for the configured group-policy:
Related Commands
|
|
|
|---|---|
anti-replay
To enable anti-replay for GTP-U message sequence numbers, use the anti-replay command in GTP inspection policy map parameters configuration mode. Use the no form of this command disable anti-replay.
no anti-replay [ window_size ]
Syntax Description
The size of the sliding window in number of messages. The window size can be 128, 256, 512, or 1024. If you do not enter a value, you get the default, 512. |
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
You can enable anti-replay by specifying a sliding window for GTP-U messages.
The size of the sliding window is in number of messages and can be 128, 256, 512, or 1024. As valid messages appear, the window moves to the new sequence numbers. Sequence numbers are in the range 0-65535, wrapping when they reach the maximum, and they are unique per PDP context. Messages are considered valid if their sequence numbers are within the window.
Anti-replay helps prevent session hijacking or DoS attacks, which can occur when a hacker captures GTP data packets and replays them.
Examples
The following example enables anti-replay with a window size of 512.
Related Commands
|
|
|
|---|---|
anyconnect ask
To enable the ASA to prompt remote SSL VPN client users to download the client, use the anyconnect ask command in group policy webvpn or username webvpn configuration modes. To remove the command from the configuration, use the no form of the command.
anyconnect ask {none | enable [default {webvpn | anyconnect} timeout value ]}
no anyconnect ask none [default {webvpn | anyconnect}]
Syntax Description
Defaults
The default for this command is anyconnect ask none default webvpn. The ASA immediately displays the portal page for clientless connections.
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
Figure 2-1 shows the prompt displayed to remote users when either the default anyconnect timeout value command or default webvpn timeout value command is configured:
Figure 2-1 Prompt Displayed to Remote Users for SSL VPN Client Download
Examples
The following example configures the ASA to prompt the remote user to download the client or go to the portal page and to wait 10 seconds for user response before downloading the client:
Related Commands
|
|
|
Enables or requires the SSL VPN client for a specific group or user. |
|
Specifies a client package file that the ASA expands in cache memory for downloading to remote PCs. |
anyconnect-custom (Version 9.0 through 9.2)
To set or update the value of a custom attribute, use the anyconnect-custom command in anyconnect-custom-attr configuration mode. To remove the value of a custom attribute, use the no form of this command.
anyconnect-custom attr-name value attr-value
anyconnect-custom attr-name none
no anyconnect-custom attr-name
Syntax Description
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
This command sets the value of a custom attribute in a group policy. The AnyConnect Administrator’s Guide lists which values are valid for the custom attributes that apply to that release. Custom attributes are created with the anyconnect-custom-attr command.
Multiple instances of this command are supported to build a multiline value for an attribute. All data associated with a given attribute name is delivered to the client in the order that it is entered in the CLI. Individual lines of a multiline value can not be removed.
The no form of this command does not allow the value or none keywords.
If the data associated with an attribute name is entered in multiple CLI lines, it will be sent to the endpoint as a single concatenated string delimited by the newline character (\n).
Examples
The following example configures a custom attribute for an AnyConnect Deferred Update:
Related Commands
|
|
|
Displays configuration information about WebVPN, including anyconnect commands. |
|
Displays configuration information about current group policies. |
|
anyconnect-custom (Version 9.3 and later)
To set or update the value of a custom attribute, use the anyconnect-custom command in group-policy or dynamic-access-policy-record configuration mode. To remove a custom attribute, use the no form of this command.
anyconnect-custom attr-type value attr-name
anyconnect-custom attr-type none
no anyconnect-custom attr-type
Syntax Description
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
This command sets the value of a custom attribute in a group policy or DAP.
The AnyConnect Administrator’s Guide lists which values are valid for the custom attributes that apply to that release. Custom attributes are created with the anyconnect-custom-attr and anyconnect-custom-data commands.
The no form of this command does not allow the none keyword.
Examples
The following example configures a custom attribute for AnyConnect Deferred Update:
Related Commands
|
|
|
Displays configuration information about WebVPN, including anyconnect commands. |
|
Displays configuration information about current group policies. |
|
anyconnect-custom-attr (Version 9.0 through 9.2)
To create custom attributes, use the anyconnect-custom-attr command in Anyconnect-custom-attr configuration mode. To remove custom attributes, use the no form of this command.
[no] anyconnect-custom-attr attr-name [description description ]
Syntax Description
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
This command creates custom attributes to support special AnyConnect features. After creating custom attributes for a particular feature, you add them to group policies, so that feature can be applied to VPN clients. This command guarantees that all of the defined attribute names are unique.
Some versions of AnyConnect use custom attributes to configure features. The release notes and AnyConnect Administrator’s Guide for each version list any features that require custom attributes.
If you try to remove the definition of attribute that is being used in a group policy, an error message will be displayed, and the action will fail. If a user attempts to add an attribute that already exists as a custom attribute, any changes to the description will be incorporated, but the command will otherwise be ignored.
Multiple instances of this command are supported to build a multiline value for an attribute. All data associated with a given attribute name is delivered to the client in the order that it is entered in the CLI. Individual lines of a multiline value can not be removed.
Examples
The following example configures a custom attribute for AnyConnect Deferred Update:
Related Commands
anyconnect-custom-attr (Version 9.3 and later)
To create custom attribute types, use the anyconnect-custom-attr command in config-webvpn configuration mode. To remove custom attributes, use the no form of this command.
[no] anyconnect-custom-attr attr-type [description description ]
Syntax Description
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
This command creates custom attributes to support special AnyConnect features. After creating custom attributes for a particular feature, you define values for them and then add them to group policies so that the related feature can be applied to VPN clients. This command guarantees that all of the defined attribute names are unique.
Some versions of AnyConnect use custom attributes to configure features. The release notes and AnyConnect Administrator’s Guide for each version list any features that require custom attributes.
If you try to remove the definition of an attribute that is being used in a group policy, an error message will be displayed, and the action will fail. If a user attempts to add an attribute that already exists as a custom attribute, any changes to the description will be incorporated, but the command will otherwise be ignored.
Examples
The following example configures a custom attribute for AnyConnect Deferred Update:’
ciscoasa(config)# anyconnect-custom-data DeferredUpdateAllowed def-allowed true
Related Commands
|
|
|
Displays configuration information about WebVPN, including anyconnect commands. |
|
Displays configuration information about current group policies. |
|
anyconnect-custom-data
To create custom attribute named values, use the anyconnect-custom-data command in global configuration mode. To remove custom attributes, use the no form of this command.
anyconnect-custom-data attr-type attr-name attr-value
no anyconnect-custom-data attr-type attr-name
Syntax Description
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
This command defines custom attribute named values to support special AnyConnect features. After creating custom attributes for a particular feature, you define values for them and then add them to DAP or group policies so that the related feature can be applied to VPN clients.
Some versions of AnyConnect use custom attributes to configure features. The release notes and AnyConnect Administrator’s Guide for each version list any features that require custom attributes.
If you try to remove the named value of an attribute that is being used in a group policy, an error message will be displayed, and the action will fail.
Multiple instances of this command are supported to build a multiline value for an attribute. All data associated with a given attribute name is delivered to the client in the order that it is entered in the CLI. Individual lines of a multiline value can not be removed.
Examples
The following example configures a custom attribute for AnyConnect Deferred Update:
Related Commands
anyconnect df-bit-ignore
To ignore the DF bit in packets that need fragmentation, use the anyconnect-df-bit-ignore command in group policy webvpn configuration mode. To acknowledge the DF bits that need fragmentation, use the no form of the command.
anyconnect df-bit-ignore {enable | none}
no anyconnect df-bit-ignore {enable | none}
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
The anyconnect df-bit-ignore command replaced the svc df-bit-ignore command. |
Examples
anyconnect dpd-interval
To enable Dead Peer Detection (DPD) on the ASA and to set the frequency that either the remote client or the ASA performs DPD over SSL VPN connections, use the anyconnect dpd-interval command in group policy webvpn or username webvpn configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
anyconnect dpd-interval {[ gateway { seconds | none }] | [ client { seconds | none }] }
no anyconnect dpd-interval {[ gateway { seconds | none }] | [ client { seconds | none }] }
Syntax Description
Specifies the frequency, from 30 to 3600 seconds, for which the client performs DPD. |
|
Specifies the frequency, from 30 to 3600 seconds, for which the ASA performs DPD. A value of 300 is recommended. |
Defaults
The default is DPD is enabled and set to 30 seconds for both the ASA (gateway) and the client.
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
The default setting changed from disabled to 30 seconds for both the ASA (gateway) and the client. |
|
The anyconnect dpd-interval command replaced the svc dpd-interval command. |
Usage Guidelines
The gateway refers to the ASA. You enable DPD and specify the interval with which the ASA waits for any packets from the client. If no packets are received within that interval, the ASA performs the DPD test with three attempts at the same interval. If it doesn’t receive a response from the client, the ASA tears down the TLS/DTLS tunnel.
Note The DPD process on the ASA gets triggered only when the ASA has a packet to send out toward the client over the TLS/DTLS tunnel.
Examples
The following example shows how to configure the DPD frequency performed by the ASA (gateway) to 3000 seconds, and the DPD frequency performed by the client to 1000 seconds, for the existing group policy sales :
anyconnect dtls compression
To enable compression on low bandwidth links for a specific group or user, use the anyconnect dtls compression command in group policy webvpn or username webvpn configuration mode. To delete the configuration from the group, use the no form of the command.
anyconnect dtls compression {lzs | none }
no anyconnect dtls compression {lzs | none}
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Examples
The following examples shows the sequence to disable compression:
anyconnect enable
To enable the ASA to download an AnyConnect client to remote computers or to connect to the ASA using the AnyConnect client with SSL or IKEv2, use the anyconnect enable command in webvpn configuration mode. To remove the command from the configuration, use the no form of the command.
Defaults
The default for this command is disabled. The ASA does not download the client.
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
The anyconnect enable command replaced the svc enable command. |
Usage Guidelines
Entering the no anyconnect enable command does not terminate active sessions.
The anyconnect enable command must be issued after configuring the AnyConnect images with the anyconnect image xyz command. To use an AnyConnect client or AnyConnect weblaunch, anyconnect enable is required. If the anyconnect enable command is not issued with SSL or IKEv2, AnyConnect does not function as expected and times out with an IPsec VPN connection termination error. As a result, the show webvpn svc command does not consider the SSL VPN client to be enabled and does not list the installed AnyConnect packages.
Examples
In the following example shows how to enable the ASA to download the client:
Related Commands
anyconnect-essentials
To enable AnyConnect Essentials on the ASA, use the anyconnect-essentials command in group policy webvpn configuration mode. To disable the use of AnyConnect Essentials and enable the premium AnyConnect client instead, use the no form of the command.
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
Use this command to toggle between using the full AnyConnect SSL VPN client and the AnyConnect Essentials SSL VPN client, assuming that the full AnyConnect client license is installed. AnyConnect Essentials is a separately licensed SSL VPN client, entirely configured on the ASA, that provides the premium AnyConnect capability, with the following exceptions:
The AnyConnect Essentials client provides remote end users running Microsoft Windows Vista, Windows Mobile, Windows XP or Windows 2000, Linux, or Macintosh OS X, with the benefits of a Cisco SSL VPN client.
You enable or disable the AnyConnect Essentials license by using the anyconnect-essentials command, which is meaningful only after you have installed the AnyConnect Essentials license on the ASA. Without this license, this command returns the following error message:
Note This command only enables or disables the use of AnyConnect Essentials. The AnyConnect Essentials license itself is not affected by the setting of the anyconnect-essentials command.
When the AnyConnect Essentials license is enabled, AnyConnect clients use Essentials mode, and Clientless SSL VPN access is disabled. When the AnyConnect Essentials license is disabled, AnyConnect clients use the full AnyConnect SSL VPN Client license.
Note This command is not supported on the ASAv. See the licensing documentation for more information.
If you have active clientless SSL VPN connections, and you enable the AnyConnect Essentials license, then all connections are logged off and will need to be reestablished.
Examples
In the following example, the user enters webvpn configuration mode and enables the AnyConnect Essentials VPN client:
anyconnect firewall-rule
To establish a public or provide ACL firewall, use the anyconnect firewall-rule command in either group policy webvpn or username webvpn configuration mode.
anyconnect firewall-rule client interface {public | private} ACL
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
Usage Guidelines
To function as expected, this command requires a release of the AsyncOS for Web version 7.0 that provides AnyConnect Secure Mobility licensing support for the AnyConnect secure mobility client. It also requires an AnyConnect release that supports AnyConnect Secure Mobility, ASA 8.3, and ASDM 6.3.
The following notes clarify how the AnyConnect client uses the firewall:
- The source IP is not used for firewall rules. The client ignores the source IP information in the firewall rules sent from the ASA. The client determines the source IP depending on whether the rules are public or private. Public rules are applied to all interfaces on the client. Private rules are applied to the virtual adapter.
- The ASA supports many protocols for ACL rules. However, the AnyConnect firewall feature supports only TCP, UDP, ICMP, and IP. If the client receives a rule with a different protocol, it treats it as an invalid firewall rule, and then disables split tunneling and uses full tunneling for security reasons.
Be aware of the following differences in behavior for each operating system:
- For Windows computers, deny rules take precedence over allow rules in Windows Firewall. If the ASA pushes down an allow rule to the AnyConnect client, but the user has created a custom deny rule, the AnyConnect rule is not enforced.
- On Windows Vista, when a firewall rule is created, Vista takes the port number range as a comma-separated string (for example, from 1-300 or 5000-5300). The maximum number of ports allowed is 300. If you specify a number greater than 300 ports, the firewall rule is applied only to the first 300 ports.
- Windows users whose firewall service must be started by the AnyConnect client (not started automatically by the system) may experience a noticeable increase in the time it takes to establish a VPN connection.
- On Mac computers, the AnyConnect client applies rules sequentially in the same order that the ASA applies them. Global rules should always be last.
- For third-party firewalls, traffic is passed only if both the AnyConnect client firewall and the third-party firewall allow that traffic type. If the third-party firewall blocks a specify traffic type that the AnyConnect client allows, the client blocks the traffic.
For more information about the AnyConnect client firewall including ACL rule examples for local printing and tethered device support, see the AnyConnect Administrator’s Guide.
Examples
The following example enables the ACL AnyConnect_Client_Local_Print as a public firewall:
Related Commands
|
|
|
Enables or requires the SSL VPN client for a specific group or user. |
|
Specifies a client package file that the ASA expands in cache memory for downloading to remote PCs. |
anyconnect image
To install or upgrade the AnyConnect distribution package and add it to the running configuration, use the anyconnect image command in webvpn configuration mode. To remove the AnyConnect distribution package from the running configuration, use the no form of the command.
anyconnect image path order [regex expression ]
no anyconnect image path order [regex expression ]
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
The anyconnect image command replaced the svc image command. |
Usage Guidelines
Numbering the package files establishes the order in which the ASA downloads portions of them to the remote PC until it achieves a match with the operating system. It downloads the package file with the lowest number first. Therefore, you should assign the lowest number to the package file that matches the most commonly-encountered operating system used on remote PCs.
The default order is 1. If you do not specify the order argument, each time that you enter the svc image command, you overwrite the image that was previously considered number 1.
You can enter the anyconnect image command for each client package file in any order. For example, you can specify the package file to be downloaded second ( order 2) before entering the anyconnect image command specifying the package file to be downloaded first ( order 1).
For mobile users, you can decrease the connection time of the mobile device by using the regex keyword . When the browser connects to the ASA, it includes the user-agent string in the HTTP header. When the ASA receives the string, if the string matches an expression configured for an image, it immediately downloads that image without testing the other client images.
Note When using the standalone client, the regex command is ignored. It is used only for the web browser as a performance enhancement, and the regex string is not matched against any user or agent provided by the standalone client.
The ASA expands both AnyConnect client and Cisco Secure Desktop (CSD) package files in cache memory. For the ASA to successfully expand the package files, there must be enough cache memory to store the images and files of the package file.
If the ASA detects there is not enough cache memory to expand a package, it displays an error message to the console. The following example shows an error message reported after an attempt to install a package file with the svc image command:
If this occurs when you attempt to install a package file, examine the amount of cache memory remaining and the size of any previously installed packages with the dir cache:/ command in global configuration mode.
Note If your ASA has only the default internal flash memory size or the default DRAM size (for cache memory) you could have problems storing and loading multiple AnyConnect client packages on the ASA. Even if there is enough space in flash memory to hold the package files, the ASA could run out of cache memory when it unzips and loads the client images. For more information about the ASA memory requirements when deploying AnyConnect, and possibly upgrading the ASA memory, see the latest release notes for the Cisco ASA 5500 series.
Examples
The following example loads AnyConnect client package files for Windows, MAC, and Linux in that order:
The following is sample output from the show webvpn anyconnect command, which displays the AnyConnect client packages loaded and their order:
Related Commands
anyconnect keep-installer
Note This command does not apply to versions of AnyConnect after 2.5, but is still available for backward compatibility. Configuring the anyconnect keep-installer command does not affect AnyConnect 3.0 or later.
To enable the permanent installation of an SSL VPN client on a remote PC, use the anyconnect keep-installer command in group-policy webvpn or username webvpn configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.
anyconnect keep-installer { installed | none }
no anyconnect keep-installer { installed | none }
Syntax Description
Defaults
The default is permanent installation of the client is enabled. The client remains on the remote computer at the end of the session.
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
The anyconnect keep-installer command replaced the svc keep-installer command. |
Examples
In the following example, the user enters group policy webvpn configuration mode and configures the group policy to remove the client at the end of the session:
Related Commands
anyconnect modules
To specify the names of modules that the AnyConnect SSL VPN Client requires for optional features, use the anyconnect modules command in group policy webvpn or username webvpn configuration mode. To remove the command from the configuration, use the no form of the command.
anyconnect modules { none | value string }
no anyconnect modules { none | value string }
Syntax Description
The name of the optional module, up to 256 characters. Separate multiple strings with commas. |
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
The anyconnect modules command replaced the svc modules command. |
Usage Guidelines
To minimize download time, the client only requests downloads (from the ASA) of modules that it needs for each feature that it supports. The anyconnect modules command enables the ASA to download these modules.
The following table shows the string values that represent AnyConnect Modules.
|
|
|
If you choose none, the ASA downloads the essential files with no optional modules. Existing modules are removed from the group policy. |
Examples
In the following example, the user enters group-policy attributes mode for the group policy PostureModuleGroup, enters webvpn configuration mode for the group policy, and specifies the string posture and telemetry so that the AnyConnect Posture Module and AnyConnect Telemetry Module will be downloaded to the endpoint when it connects to the ASA.
To remove a module from a group policy, resend the command specifying only the module values you want to keep. For example, this command removes the telemetry module:
Related Commands
anyconnect mtu
To adjust the MTU size for VPN connections established by the Cisco AnyConnect VPN Client, use the anyconnect mtu command in group policy webvpn or username webvpn configuration mode. To remove the command from the configuration, use the no form of the command.
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
This command affects only the AnyConnect client. The VPN Client is not capable of adjusting to different MTU sizes.
The default for this command in the default group policy is no svc mtu. The MTU size is adjusted automatically based on the MTU of the interface that the connection uses, minus the IP/UDP/DTLS overhead.
The minimum MTU allowed on an IPv6 enabled interface is 1280 bytes; however, if IPsec is enabled on the interface, the MTU value should not be set below 1380 because of the overhead of IPsec encryption. Setting the interface below 1380 bytes may result in dropped packets.
Examples
The following example configures the MTU size to 500 bytes for the group policy telecommuters :
Related Commands
anyconnect profiles (group-policy attributes > webvpn, username attributes > webvpn)
To specify a CVC profiles package downloaded to Cisco AnyConnect VPN Client (CVC) users, use the anyconnect profiles command in webvpn or configuration mode. You can access the webvpn configuration mode by first entering the group-policy attributes command or the username attributes. To remove the command from the configuration and cause the value it to be inherited, use the no form of the command.
anyconnect profiles { value profile | none }
no anyconnect profiles { value profile | none } [ type type ]
Syntax Description
The user who corresponds to the standard AnyConnect profile or any alphanumeric value. |
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
The anyconnect profiles command replaced the svc profiles command. |
Usage Guidelines
This command, entered in group policy webvpn or username attributes webvpn configuration mode, enables the ASA to download profiles to CVC users on a group policy or username basis. To download a CVC profile to all CVC users, use this command from webvpn configuration mode.
A CVC profile is a group of configuration parameters that the CVC uses to configure the connection entries that appear in the CVC user interface, including the names and addresses of host computers. You can create and save profiles using the CVC user interface. You can also edit this file with a text editor and set advanced parameters that are not available through the user interface.
The CVC installation contains one profile template (cvcprofile.xml) that you can edit and use as a basis for creating other profile files. For more information about editing CVC profiles, see the Cisco AnyConnect VPN Client Administrator Guide.
Examples
In the following example, the user enters the anyconnect profiles value command, which displays the available profiles:
Then the user configures the group policy to use the CVC profile sales:
Related Commands
|
|
|
Enables or requires an SSL VPN client for a specific group or user. |
|
Specifies an AnyConnect client package file that the ASA expands in cache memory for downloading to remote PCs. |
anyconnect profiles (webvpn)
To specify a file as a profiles package that the ASA loads in cache memory and makes available to group policies and username attributes of Cisco AnyConnect VPN Client (CVC) users, use the anyconnect profiles command in webvpn configuration mode. To remove the command from the configuration and cause the ASA to unload the package file from cache memory, use the no form of the command.
anyconnect profiles { profile path}
no anyconnect profiles { profile path}
Syntax Description
The path and filename of the profile file in flash memory of the ASA. |
|
Defaults
The default is none. The ASA does not load a profiles package in cache memory.
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
The anyconnect profiles command replaced the svc profiles command. |
Usage Guidelines
A CVC profile is a group of configuration parameters that the CVC uses to configure the connection entries that appear in the CVC user interface, including the names and addresses of host computers. You can create and save profiles using the CVC user interface.
You can also edit this file with a text editor and set advanced parameters that are not available through the user interface. The CVC installation contains one profile template (cvcprofile.xml) that you can edit and use as a basis for creating other profile files. For more information about editing CVC profiles, see the Cisco AnyConnect VPN Client Administrator Guide.
After you create a new CVC profile and upload it to flash memory, identify the XML file to the ASA as a profile using the anyconnect profiles command in webvpn configuration mode. After you enter this command, files are loaded into cache memory on the ASA. Then you can specify the profile for a group or user with the anyconnect profiles command from group policy webvpn configuation or username attributes configuration mode.
Examples
In the following example, the user previously created two new profile files (sales_hosts.xml and engineering_hosts.xml) from the cvcprofile.xml file provided in the CVC installation and uploaded them to flash memory on the ASA.
Then the user identifies these files to the ASA as CVC profiles, specifying the names sales and engineering :
Entering the dir cache:stc/profiles command shows the profiles that have been loaded into cache memory:
These profiles are available to the svc profiles command in group policy webvpn configuration or username attributes configurate modes:
Related Commands
|
|
|
Enables or requires the SSL VPN client for a specific group or user. |
|
Specifies an AnyConnect package file that the ASA expands in cache memory for downloading to remote PCs. |
anyconnect ssl compression
To enable compression of http data over an SSL VPN connection for a specific group or user, use the anyconnect ssl compression command in group policy webvpn or username webvpn configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
anyconnect ssl compression {deflate | lzs | none}
no anyconnect ssl compression {deflate | lzs | none}
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
For SSL VPN connections, the compression command configured from webvpn configuration mode overrides the anyconnect ssl compression command configured in group policy and username webvpn mode.
Examples
In the following example, SVC compression is disabled for the group policy sales:
Related Commands
anyconnect ssl df-bit-ignore
To enable the forced fragmentation of packets on an SSL VPN connection (allowing them to pass through the tunnel) for a specific group or user, use the an yconnect ssl df-bit-ignore command in the group policy webvpn or username webvpn configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.
anyconnect ssl df-bit-ignore {enable | disable}
no anyconnect ssl df-bit-ignore
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
The anyconnect ssl df-bit-ignore form of the command replaced svc df-bit-ignore. |
Usage Guidelines
This feature allows the force fragmentation of packets that have the DF bit set, allowing them to pass through the tunnel. An example use case is for servers in your network that do not respond correctly to TCP MSS negotiations.
Examples
In the following example, DF bit ignore is enabled for the group policy sales:
Related Commands
anyconnect ssl dtls enable
To enable Datagram Transport Layer Security (DTLS) connections on an interface for specific groups or users establishing SSL VPN connections with the Cisco AnyConnect VPN Client, use the anyconnect ssl dtls enable command in group policy webvpn or username attributes webvpn configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
anyconnect ssl dtls enable interface
no anyconnect ssl dtls enable interface
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
The anyconnect ssl dtls command replaced the svc dtls command. |
Usage Guidelines
Enabling DTLS allows the AnyConnect client establishing an SSL VPN connection to use two simultaneous tunnels—an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
If you do not enable DTLS, AnyConnect client users establishing SSL VPN connections connect with an SSL tunnel only.
This command enables DTLS for specific groups or users. To enable DTLS for all AnyConnect client users, use the anyconnect ssl dtls enable command in webvpn configuration mode.
Examples
The following example enters group policy webvpn configuration mode for the group policy sales and enables DTLS:
Related Commands
|
|
|
Enables DTLS for groups or users establishing SSL VPN connections. |
|
Specifies VPN protocols that the ASA allows for remote access, including SSL. |
anyconnect ssl keepalive
To configure the frequency of keepalive messages which a remote client sends to the ASA over SSL VPN connections, use the anyconnect ssl keepalive command in group policy webvpn or username webvpn configuration modes. Use the no form of the command to remove the command from the configuration and cause the value to be inherited.
anyconnect ssl keepalive {none | seconds }
no anyconnect ssl keepalive {none | seconds }
Syntax Description
Enables keepalive messages and specifies the frequency of the messages, from 15 to 600 seconds. |
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
The anyconnect ssl keepalive command replaced the svc keepalive command. |
Usage Guidelines
Both the Cisco SSL VPN Client (SVC) and the Cisco AnyConnect VPN Client can send keepalive messages when they establish SSL VPN connections to the ASA.
You can adjust the frequency of keepalive messages (specified in seconds) to ensure that an SSL VPN connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle.
Adjusting the frequency also ensures that the client does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.
Note Keepalives are enabled by default. If you disable keepalives, in the event of a failover event, SSL VPN client sessions are not carried over to the standby device.
Examples
In the following example, the user configures the ASA to enable the client to send keepalive messages, with a frequency of 300 seconds (5 minutes), for the existing group policy named sales :
Related Commands
anyconnect ssl rekey
To enable a remote client to perform a rekey on an SSL VPN connection, use the anyconnect ssl rekey command in group-policy webvpn or username webvpn configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
anyconnect ssl rekey { method { ssl | new-tunnel } | time minutes | none }
no anyconnect ssl rekey { method { ssl | new-tunnel } | time minutes | none }
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
Usage Guidelines
The Cisco AnyConnect Secure Mobility Client can perform a rekey on an SSL VPN connection to the ASA. Configuring the rekey method as ssl or new-tunnel specifies that the client establishes a new tunnel during rekey instead of the SSL renegotiation taking place during the rekey.
Examples
In the following example, the user specifies that remote clients belonging to the group policy sales renegotiate with SSL during rekey and rekey occurs 30 minutes after the session begins:
Related Commands
apcf
To enable an Application Profile Customization Framework profile, use the apcf command in webvpn configuration mode. To disable a particular APCF script, use the no form of the command. To disable all APCF scripts, use the no form of the command without arguments.
Syntax Description
Defaults
Command Modes
The following table shows the modes in which you enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
The apcf command enables the ASA to handle non-standard web applications and web resources so that they render correctly over a WebVPN connection. An APCF profile contains a script that specifies when (pre, post), where (header, body, request, response), and which data to transform for a particular application.
You can use multiple APCF profiles on the ASA. When you do, the ASA applies each one of them in the order of oldest to newest.
We recommend that you use the APCF command only with the support of the Cisco TAC.
Examples
The following example shows how to enable an APCF named apcf1, located on flash memory at /apcf:
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# apcf flash:/apcf/apcf1.xml
This example shows how to enable an APCF named apcf2.xml, located on an HTTPS server called myserver, port 1440 with the path /apcf:
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# apcf https://myserver:1440/apcf/apcf2.xml
Related Commands
|
|
|
|---|---|
Configures minimal content rewriting for a particular application. |
|
app-agent heartbeat
To configure the heartbeat message interval for the app-agent (application agent) running on the ASA to check the health of the Firepower chassis, use the app-agent heartbeat command in global configuration mode.
app-agent heartbeat [ interval ms ] [ retry-count number ]
Note Supported on the Firepower chassis only.
Syntax Description
Sets the amount of time between heartbeats, between 100 and 6000 ms, in multiples of 100. The default is 1000 ms. |
|
Sets the number of retries, between 1 and 30. The default is 3 retries. |
Command Default
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
The ASA checks whether it can communicate over the backplane with the host Firepower chassis.
For the Firepower 4100/9300, the minimum combined time ( interval x retry-count) cannot be less than 600 ms. For example, if you set the interval to 100, and the retry count to 3, then the total combined time is 300 ms, which is not supported. For example, you can set the interval to 100, and the retry count to 6 to meet the minimum time (600 ms).
Examples
The following example sets the interval to 300 ms:
Related Commands
|
|
|
|---|---|
appl-acl
To identify a previously configured webtype ACL to apply to a session, use the appl-acl command in dap webvpn configuration mode. To remove the attribute from the configuration, use the no form of the command. To remove all web-type ACLs, use the no form of the command without arguments.
Syntax Description
The name of the previously configured webtype ACL. The maximum length is 240 characters. |
Defaults
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
To configure webtype ACLs, use the access-list webtype command in global configuration mode.
Use the appl-acl command multiple times to apply more than one webtype ACL to the DAP policy.
Examples
The following example shows how to apply the previously configured webtype ACL called newacl to the dynamic access policy:
ciscoasa (config)# config-dynamic-access-policy-record Finance
ciscoasa(config-dynamic-access-policy-record)# webvpn
ciscoasa(config-dynamic-access-policy-record)# appl-acl newacl
Related Commands
|
|
|
|---|---|
application-access
To customize the Application Access fields of the WebVPN Home page that is displayed to authenticated WebVPN users, and the Application Access window that is launched when the user selects an application, use the application-access command in customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.
application-access { title | message | window } { text | style } value
no application-access { title | message | window } { text | style } value
Syntax Description
Defaults
The default title text of the Application Access field is “Application Access”.
The default title style of the Application Access field is:
background-color:#99CCCC;color:black;font-weight:bold;text-transform:uppercase
The default message text of the Application Access field is “Start Application Client”.
The default message style of the Application Access field is:
background-color:#99CCCC;color:maroon;font-size:smaller.
The default window text of the Application Access window is:
“Close this window when you finish using Application Access. Please wait for the table to be displayed before starting applications.”.
The default window style of the Application Access window is:
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Usage Guidelines
This command is accessed by using the webvpn command or the tunnel-group webvpn-attributes command.
The style option is expressed as any valid Cascading Style Sheet (CSS) parameter. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
The following tips can help you make the most common changes to the WebVPN pages—the page colors:
- You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.
- RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.
- HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.
Note To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.
Examples
The following example customizes the background color of the Application Access field to the RGB hexadecimal value 66FFFF, a shade of green:
Related Commands
application-access hide-details
To hide application details that are displayed in the WebVPN Applications Access window, use the application-access hide-details command in customization configuration mode, which is accessed by using the webvpn command or the tunnel-group webvpn-attributes command. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.
application-access hide - details {enable | disable}
no application-access [ hide - details {enable | disable}]
Syntax Description
Does not hide application details in the Application Access window. |
|
Defaults
The default is disabled. Application details appear in the Application Access window.
Command Modes
The following table shows the modes in which you can enter the command:
|
|
|
|
|||
|---|---|---|---|---|---|
|
|
|
|
|
||
|
|
|
||||
Command History
|
|
|
|---|---|
Examples
The following example disables the appearance of the application details:
Feedback