-
Cisco Security Appliance Command Reference, Version 7.1
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting through accounting-server-group
-
acl-netmask-convert through auto-update timeout Commands
-
backup-servers through browse networks Commands
-
cache through clear compression Commands
-
clear configure through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
debug aaa through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
interface-dhcp through issuer-name Commands
-
join-failover-group through kill Commands
-
ldap-attribute-map through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
page style through pwd Commands
-
queue-limit through routerospf Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show debug through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show webvpn svc Commands
-
shun through sysopt uauth allow-http-cache Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Feedback
Table Of Contents
acl-netmask-convert through auto-update timeout Commands
application-access hide-details
authentication (tunnel-group webvpn configuration mode)
authentication-server-group (webvpn)
authorization-dn-attributes (tunnel-group general-attributes mode)
authorization-dn-attributes (webvpn)
authorization-required (tunnel-group general-attributes mode)
authorization-required (webvpn)
authorization-server-group (tunnel-group general-attributes mode)
authorization-server-group (webvpn)
acl-netmask-convert through auto-update timeout Commands
acl-netmask-convert
To specify how the security appliance treats netmasks received in a downloadable ACL from a RADIUS server, use the acl-netmask-convert command in AAA-server host mode, which is accessed by using the aaa-server host command. Use the no form of this command to remove the command.
acl-netmask-convert {auto-detect | standard | wildcard}
no acl-netmask-convert
Syntax Description
Defaults
By default, no conversion from wildcard netmask expressions is performed.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server host
•
•
•
•
—
Command History
Usage Guidelines
Use the acl-netmask-convert command with the wildcard or auto-detect keywords when a RADIUS server provides downloadable ACLs that contain netmasks in wildcard format. The security appliance expects downloadable ACLs to contain standard netmask expressions whereas Cisco Secure VPN 3000 Series Concentrators expect downloadable ACLs to contain wildcard netmask expressions, which are the reverse of a standard netmas expression. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match.The acl-netmask-convert command helps minimize the effects of these differences upon how you configure downloadable ACLs on your RADIUS servers.
The auto-detect keyword is helpful when you are uncertain how the RADIUS server is configured; however, wildcard netmask expressions with "holes" in them cannot be unambiguously detected and converted. For example, the wildcard netmask 0.0.255.0 permits anything in the third octet and can be used validly on Cisco VPN 3000 Series Concentrators, but the security appliance may not detect this expression as a wildcard netmask.
Examples
The following example configures a RADIUS AAA server named "srvgrp1" on host "192.168.3.4", enables conversion of downloadable ACL netmasks, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures authentication port 1650.
hostname(config)#aaa-server svrgrp1 protocol radiushostname(config-aaa-server-group)#aaa-server svrgrp1 host 192.168.3.4hostname(config-aaa-server-host)#acl-netmask-convert wildcardhostname(config-aaa-server-host)#timeout 9hostname(config-aaa-server-host)#retry-interval 7hostname(config-aaa-server-host)#authentication-port 1650hostname(config-aaa-server-host)#exithostname(config)#Related Commands
action-uri
To specify a web server URI to receive a username and password for single sign-on authentication, use the action-uri command in aaa-server-host configuration mode. This is an SSO with HTTP Forms command.
To reset the URI parameter value, use the no form of the command. Use the action-uri command again to enter a new value.
action-uri string
no action-uri
Note
Syntax DescriptionSyntax Description
Defaults
No default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server-host configuration
•
—
•
—
—
Command History
Usage Guidelines
A URI or Uniform Resource Identifier is a compact string of characters that identifies a point of content on the Internet, whether it be a page of text, a video or sound clip, a still or animated image, or a program. The most common form of URI is the Web page address, which is a particular form or subset of URI called a Uniform Resource Locator (URL).
The WebVPN server of the security appliance can use a POST request to submit a single sign-on authentication request to an authenticating web server. To accomplish this, configure the security appliance to pass a username and a password to an action URI on an authenticating web server using an HTTP POST request. The action-uri command specifies the location and name of the authentication program on the web server to which the security appliance sends the POST request.
You can discover the action URI on the authenticating web server by connecting to the web server's login page directly with a browser. The URL of the login web page displayed in your browser is the action URI for the authenticating web server.
For ease of entry, you can enter URIs on multiple, sequential lines. The security appliance then concatenates the lines into the URI as you enter them. While the maximum characters per action-uri line is 255 characters, you can enter fewer characters on each line.
Note
Examples
In the following example, the URI to receive authentication data is as follows:
http://www.example.com/auth/index.html/appdir/authc/forms/MCOlogin.fcc?TYPE=33554433&REALMOID=06-000a1311-a828-1185-ab41-8333b16a0008&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$5FZmjnk3DRNwNjk2KcqVCFbIrNT9%2bJ0H0KPshFtg6rB1UV2PxkHqLw%3d%3d&TARGET=https%3A%2F%2Fauth.example.com
The following example, entered in aaa-server-host configuration mode, specifies the preceding URI on www.example.com:
hostname(config)# aaa-server testgrp1 host www.example.comhostname(config-aaa-server-host)# action-uri http://www.example.com/auth/index.htmhostname(config-aaa-server-host)# action-uri l/appdir/authc/forms/MCOlogin.fcc?TYPhostname(config-aaa-server-host)# action-uri 554433&REALMOID=06-000a1311-a828-1185hostname(config-aaa-server-host)# action-uri -ab41-8333b16a0008&GUID=&SMAUTHREASONhostname(config-aaa-server-host)# action-uri =0&METHOD=GET&SMAGENTNAME=$SM$5FZmjnkhostname(config-aaa-server-host)# action-uri 3DRNwNjk2KcqVCFbIrNT9%2bJ0H0KPshFtg6rhostname(config-aaa-server-host)# action-uri B1UV2PxkHqLw%3d%3d&TARGET=https%3A%2Fhostname(config-aaa-server-host)# action-uri %2Fauth.example.comhostname(config-aaa-server-host)#
Note
Related Commands
activation-key
To change the activation key on the security appliance and check the activation key running on the security appliance against the activation key that is stored as a hidden file in the Flash partition of the security appliance, use the activation-key command in global configuration mode.
activation-key [activation-key-four-tuple| activation-key-five-tuple]
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
·
·
·
·
Command History
Usage Guidelines
Enter the activation-key-four-tuple as a four-element hexadecimal string with one space between each element, or activation-key-five-tuple as a five-element hexidecimal string withe one space between each element as follows:
0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624eThe leading 0x specifier is optional; all values are assumed to be hexadecimal.
The key is not stored in the configuration file. The key is tied to the serial number.
Examples
This example shows how to change the activation key on the security appliance:
hostname(config)# activation-key 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624eRelated Commands
address-pool
To specify a list of address pools for allocating addresses to remote clients, use the address-pool command in tunnel-group general-attributes configuration mode. To eliminate address pools, use the no form of this command.
address-pool [(interface name)] address_pool1 [...address_pool6]
no address-pool [(interface name)] address_pool1 [...address_pool6]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can enter multiples of each of these commands, one per interface. If an interface is not specified, then the command specifies the default for all interfaces that are not explicitly referenced.
Examples
The following example entered in config-general configuration mode, specifies a list of address pools for allocating addresses to remote clients for an IPSec remote-access tunnel group xyz:
hostname(config)# tunnel-group xyzhostname(config)# tunnel-group xyz generalhostname(config-general)# address-pool (inside) addrpool1 addrpool2 addrpool3hostname(config-general)#Related Commands
admin-context
To set the admin context for the system configuration, use the admin-context command in global configuration mode. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the security appliance software or allowing remote management for an administrator), it uses one of the contexts that is designated as the admin context.
admin-context name
Syntax Description
Defaults
For a new security appliance in multiple context mode, the admin context is called "admin."
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
You can set any context to be the admin context, as long as the context configuration resides on the internal Flash memory.
You cannot remove the current admin context, unless you remove all contexts using the clear configure context command.
Examples
The following example sets the admin context to be "administrator":
hostname(config)# admin-context administratorRelated Commands
alias
To manually translate an address and perform DNS reply modification, use the alias command in global configuration mode. To remove an alias command, use the no form of this command. This command functionality has been replaced by outside NAT commands, including the nat and static commands with the dns keyword. We recommend that you use outside NAT instead of the alias command.
alias (interface_name) real_ip mapped_ip [netmask]
no alias (interface_name) real_ip mapped_ip [netmask]
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
You can also use this command to perform address translation on a destination address. For example, if a host sends a packet to 209.165.201.1, you can use the alias command to redirect traffic to another address, such as 209.165.201.30.
Note
After changing or removing an alias command, use the clear xlate command.
You must have an A (address) record in the DNS zone file for the "dnat" address in the alias command.
The alias command has two uses that can be summarized in the following ways:
•
•
The alias command automatically interacts with the DNS servers on your network to ensure that domain name access to the aliased IP address is handled transparently.
You can specify a net alias by using network addresses for the real_ip and mapped_ip IP addresses. For example, the alias 192.168.201.0 209.165.201.0 255.255.255.224 command creates aliases for each IP address between 209.165.201.1 and 209.165.201.30.
To access an alias mapped_ip address with static and access-list commands, specify the mapped_ip address in the access-list command as the address from which traffic is permitted as follows:
hostname(config)# alias (inside) 192.168.201.1 209.165.201.1 255.255.255.255hostname(config)# static (inside,outside) 209.165.201.1 192.168.201.1 netmask 255.255.255.255hostname(config)# access-list acl_out permit tcp host 192.168.201.1 host 209.165.201.1 eq ftp-datahostname(config)# access-group acl_out in interface outsideAn alias is specified with the inside address 192.168.201.1 mapping to the destination address 209.165.201.1.
When the inside network client 209.165.201.2 connects to example.com, the DNS response from an external DNS server to the internal client's query would be altered by the security appliance to be 192.168.201.29. If the security appliance uses 209.165.200.225 through 209.165.200.254 as the global pool IP addresses, the packet goes to the security appliance with SRC=209.165.201.2 and DST=192.168.201.29. The security appliance translates the address to SRC=209.165.200.254 and DST=209.165.201.29 on the outside.
Examples
This example shows that the inside network contains the IP address 209.165.201.29, which on the Internet belongs to example.com. When inside clients try to access example.com, the packets do not go to the security appliance because the client assumes that the 209.165.201.29 is on the local inside network.
To correct this, use the alias command as follows:
hostname(config)#alias (inside) 192.168.201.0 209.165.201.0 255.255.255.224hostname(config)# show running-config aliasalias 192.168.201.0 209.165.201.0 255.255.255.224This example shows a web server that is on the inside at 10.1.1.11 and the static command that was created at 209.165.201.11. The source host is on the outside with address 209.165.201.7. A DNS server on the outside has a record for www.example.com as follows:
dns-server# www.example.com. IN A 209.165.201.11You must include the period at the end of the www.example.com. domain name.
This example shows how to use the alias command:
hostname(config)# alias 10.1.1.11 209.165.201.11 255.255.255.255The security appliance changes the name server replies to 10.1.1.11 for inside clients to directly connect to the web server.
To provide access you also need the following commands:
hostname(config)# static (inside,outside) 209.165.201.11 10.1.1.11hostname(config)# access-list acl_grp permit tcp host 209.165.201.7 host 209.165.201.11 eq telnethostname(config)# access-list acl_grp permit tcp host 209.165.201.11 eq telnet host 209.165.201.7Related Commands
allocate-interface
To allocate interfaces to a security context, use the allocate-interface command in context configuration mode. To remove an interface from a context, use the no form of this command.
allocate-interface physical_interface [map_name] [visible | invisible]
no allocate-interface physical_interface
allocate-interface physical_interface.subinterface[-physical_interface.subinterface] [map_name[-map_name]] [visible | invisible]
no allocate-interface physical_interface.subinterface[-physical_interface.subinterface]
Syntax Description
invisible
(Default) Allows context users to only see the mapped name (if configured) in the show interface command.
map_name
(Optional) Sets a mapped name.
The map_name is an alphanumeric alias for the interface that can be used within the context instead of the interface ID. If you do not specify a mapped name, the interface ID is used within the context. For security purposes, you might not want the context administrator to know which interfaces are being used by the context.
A mapped name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. For example, you can use the following names:
int0intaint_0For subinterfaces, you can specify a range of mapped names.
See the "Usage Guidelines" section for more information about ranges.
physical_interface
Sets the interface ID, such as gigabitethernet0/1. See the interface command for accepted values.
subinterface
Sets the subinterface number. You can identify a range of subinterfaces.
visible
(Optional) Allows context users to see physical interface properties in the show interface command even if you set a mapped name.
Defaults
The interface ID is invisible in the show interface command output by default if you set a mapped name.
Command Modes
The following table shows the modes in which you can enter the command:
Context configuration
•
•
—
—
•
Command History
Usage Guidelines
You can enter this command multiple times to specify different ranges. To change the mapped name or visible setting, reenter the command for a given interface ID, and set the new values; you do not need to enter the no allocate-interface command and start over. If you remove the allocate-interface command, the security appliance removes any interface-related configuration in the context.
Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA adaptive security appliance, you can use the dedicated management interface, Management 0/0, (either the physical interface or a subinterface) as a third interface for management traffic.
Note
You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces.
If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these guidelines for ranges:
•
int0-int10If you enter gigabitethernet0/1.1-gigabitethernet0/1.5 happy1-sad5, for example, the command fails.
•
gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100If you enter gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int15, for example, the command fails.
Examples
The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/1.305 assigned to the context. The mapped names are int1 through int8.
hostname(config-ctx)# allocate-interface gigabitethernet0/1.100 int1hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int2hostname(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8Related Commands
apcf
To enable an Application Profile Customization Framework profile, use the apcf command in webvpn mode. To disable a particular APCF script, use the no version of the command. To disable all APCF scripts, use the no version of the command without arguments.
apcf URL/filename.ext
no apcf [URL/filename.ext]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you enter the command:
Webvpn mode
•
—
•
—
—
Command History
Usage Guidelines
The Application Profile Customization Framework option enables the security appliance to handle non-standard web applications and web resources so that they render correctly over a WebVPN connection. An APCF profile contains a script that specifies when (pre, post), where (header, body, request, response), and what data to transform for a particular application.
You can use multiple APCF profiles on the security appliance. When you do, the security appliance applies each one of them in the order of oldest to newest.
We recommend that you use the apcf command only with the support of the Cisco TAC.
Examples
The following example shows how to enable an APCF named apcf1, located on flash memory at /apcf.
hostname(config)#webvpnhostname(config-webvpn)#apcf flash:/apcf/apcf1.xmlhostname(config-webvpn)#This example shows how to enable an APCF named apcf2.xml, located on an https server called myserver, port 1440 with the path being /apcf.
hostname(config)#webvpnhostname(config-webvpn)#apcf https://myserver:1440/apcf/apcf2.xmlhostname(config-webvpn)#Related Commands
application-access
To customize the Application Access box of the WebVPN Home page that is displayed to authenticated WebVPN users, and the Application Access window that is launched when the user selects an application, use the application-access command from webvpn customization mode:
application-access {title | message | window} {text | style} value
[no] application-access {title | message | window} {text | style} value
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
Defaults
The default title text of the Application Access box is "Application Access".
The default title style of the Application Access box is:
background-color:#99CCCC;color:black;font-weight:bold;text-transform:uppercase
The default message text of the Application Access box is "Start Application Client".
The default message style of the Application Access box is:
background-color:#99CCCC;color:maroon;font-size:smaller.
The default window text of the Application Access window is:
"Close this window when you finish using Application Access. Please wait for the table to be displayed before starting applications.".
The default window style of the Application Access window is:
background-color:#99CCCC;color:black;font-weight:bold.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn customization
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
The following example customizes the background color of the Application Access box to the RGB hex value 66FFFF, a shade of green:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# application-access title style background-color:#66FFFFRelated Commands
application-access hide-details
To hide application details that are displayed in the WebVPN Applications Access window, use the application-access hide-details command from webvpn customization mode:
application-access hide-details {enable | disable}
[no] application-access hide-details {enable | disable}
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
enable
Hides application details in the Application Access window.
disable
Does not hide application details in the Application Access window.
Defaults
The default is disabled. Application details display in the Application Access window.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn customization
•
—
•
—
—
Command History
Examples
The following example disables the display of application details:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# application-access hide-details disableRelated Commands
area
To create an OSPF area, use the area command in router configuration mode. To remove the area, use the no form of this command.
area area_id
no area area_id
Syntax Description
area_id
The ID of the area being created. You can specify the identifier as either a decimal number or an IP address. Valid decimal values range from 0 to 4294967295.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
The area that you create does not have any parameters set. Use the related area commands to set the area parameters.
Examples
The following example shows how to create an OSPF area with an area ID of 1:
hostname(config-router)# area 1hostname(config-router)#Related Commands
area authentication
To enable authentication for an OSPF area, use the area authentication command in router configuration mode. To disable area authentication, use the no form of this command.
area area_id authentication [message-digest]
no area area_id authentication [message-digest]
Syntax Description
Defaults
Area authentication is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the specified OSPF area does not exist, it is created when this command is entered. Entering the area authentication command without the message-digest keyword enables simple password authentication. Including the message-digest keyword enables MD5 authentication.
Examples
The following example shows how to enable MD5 authentication for area 1:
hostname(config-router)# area 1 authentication message-digesthostname(config-router)#Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
area default-cost
To specify a cost for the default summary route sent into a stub or NSSA, use the area default-cost command in router configuration mode. To restore the default cost value, use the no form of this command.
area area_id default-cost cost
no area area_id default-cost
Syntax Description
Defaults
The default value of cost is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the specified area has not been previously defined using the area command, this command creates the area with the specified parameters.
Examples
The following example show how to specify a default cost for summary route sent into a stub or NSSA:
hostname(config-router)# area 1 default-cost 5hostname(config-router)#Related Commands
area filter-list prefix
To filter prefixes advertised in type 3 LSAs between OSPF areas of an ABR, use the area filter-list prefix command in router configuration mode. To change or cancel the filter, use the no form of this command.
area area_id filter-list prefix list_name {in | out}
no area area_id filter-list prefix list_name {in | out}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the specified area has not been previously defined using the area command, this command creates the area with the specified parameters.
Only type 3 LSAs can be filtered. If an ASBR is configured in the private network, then it will send type 5 LSAs (describing private networks) which are flooded to the entire AS including the public areas.
Examples
The following example filters prefixes that are sent from all other areas to area 1:
hostname(config-router)# area 1 filter-list prefix-list AREA_1 inhostname(config-router)#Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
area nssa
To configure an area as an NSSA, use the area nssa command in router configuration mode. To remove the NSSA designation from the area, use the no form of this command.
area area_id nssa [no-redistribution] [default-information-originate [metric-type {1 | 2}] [metric value]] [no-summary]
no area area_id nssa [no-redistribution] [default-information-originate [metric-type {1 | 2}] [metric value]] [no-summary]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the specified area has not been previously defined using the area command, this command creates the area with the specified parameters.
If you configure one option for an area, and later specify another option, both options are set. For example, entering the following two command separately results in a single command with both options set in the configuration:
area 1 nssa no-redistributionarea area_id nssa default-information-originateExamples
The following example shows how setting two options separately results in a single command in the configuration:
hostname(config-router)# area 1 nssa no-redistributionhostname(config-router)# area 1 nssa default-information-originatehostname(config-router)# exithostname(config-router)# show running-config router ospf 1router ospf 1area 1 nssa no-redistribution default-information-originateRelated Commands
area stub
Defines the area as a stub area.
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
area range
To consolidate and summarize routes at an area boundary, use the area range command in router configuration mode. To disable this function, use the no form of this command.
area area_id range address mask [advertise | not-advertise]
no area area_id range address mask [advertise | not-advertise]
Syntax Description
Defaults
The address range status is set to advertise.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the specified area has not been previously defined using the area command, this command creates the area with the specified parameters.
The area range command is used only with ABRs. It is used to consolidate or summarize routes for an area. The result is that a single summary route is advertised to other areas by the ABR. Routing information is condensed at area boundaries. External to the area, a single route is advertised for each address range. This behavior is called route summarization. You can configure multiple area range commands for an area. Thus, OSPF can summarize addresses for many different sets of address ranges.
The no area area_id range ip_address netmask not-advertise command removes only the not-advertise optional keyword.
Examples
The following example specifies one summary route to be advertised by the ABR to other areas for all subnets on network 10.0.0.0 and for all hosts on network 192.168.110.0:
hostname(config-router)# area 10.0.0.0 range 10.0.0.0 255.0.0.0hostname(config-router)# area 0 range 192.168.110.0 255.255.255.0hostname(config-router)#Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
area stub
To define an area as a stub area, use the area stub command in router configuration mode. To remove the stub area function, use the no form of this command.
area area_id [no-summary]
no area area_id [no-summary]
Syntax Description
Defaults
The default behaviors are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
The command is used only on an ABR attached to a stub or NSSA.
There are two stub area router configuration commands: the area stub and area default-cost commands. In all routers and access servers attached to the stub area, the area should be configured as a stub area using the area stub command. Use the area default-cost command only on an ABR attached to the stub area. The area default-cost command provides the metric for the summary default route generated by the ABR into the stub area.
Examples
The following example configures the specified area as a stub area:
hostname(config-router)# area 1 stubhostname(config-router)#Related Commands
area virtual-link
To define an OSPF virtual link, use the area virtual-link command in router configuration mode. To reset the options or remove the virtual link, use the no form of this command.
area area_id virtual-link router_id [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds [[authentication-key key] | [message-digest-key key_id md5 key]]
no area area_id virtual-link router_id [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds [[authentication-key key] | [message-digest-key key_id md5 key]]
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
•
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
In OSPF, all areas must be connected to a backbone area. If the connection to the backbone is lost, it can be repaired by establishing a virtual link.
The smaller the hello interval, the faster topological changes are detected, but more routing traffic ensues.
The setting of the retransmit interval should be conservative, or needless retransmissions occur. The value should be larger for serial lines and virtual links.
The transmit delay value should take into account the transmission and propagation delays for the interface.
The specified authentication key is used only when authentication is enabled for the backbone with the area area_id authentication command.
The two authentication schemes, simple text and MD5 authentication, are mutually exclusive. You can specify one or the other or neither. Any keywords and arguments you specify after authentication-key key or message-digest-key key_id md5 key are ignored. Therefore, specify any optional arguments before such a keyword-argument combination.
If the authentication type is not specified for an interface, the interface uses the authentication type specified for the area. If no authentication type has been specified for the area, the area default is null authentication.
Note
To remove an option from a virtual link, use the no form of the command with the option that you want removed. To remove the virtual link, use the no area area_id virtual-link command.
Examples
The following example establishes a virtual link with MD5 authentication:
hostname(config-router)# area 10.0.0.0 virtual-link 10.3.4.5 message-digest-key 3 md5 sa5721bk47Related Commands
arp
To add a static ARP entry to the ARP table, use the arp command in global configuration mode. To remove the static entry, use the no form of this command. A static ARP entry maps a MAC address to an IP address and identifies the interface through which the host is reached. Static ARP entries do not time out, and might help you solve a networking problem. In transparent firewall mode, the static ARP table is used with ARP inspection (see the arp-inspection command).
arp interface_name ip_address mac_address [alias]
no arp interface_name ip_address mac_address
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Although hosts identify a packet destination by an IP address, the actual delivery of the packet on Ethernet relies on the Ethernet MAC address. When a router or host wants to deliver a packet on a directly connected network, it sends an ARP request asking for the MAC address associated with the IP address, and then delivers the packet to the MAC address according to the ARP response. The host or router keeps an ARP table so it does not have to send ARP requests for every packet it needs to deliver. The ARP table is dynamically updated whenever ARP responses are sent on the network, and if an entry is not used for a period of time, it times out. If an entry is incorrect (for example, the MAC address changes for a given IP address), the entry times out before it can be updated.
Note
Examples
The following example creates a static ARP entry for 10.1.1.1 with the MAC address 0009.7cbe.2100 on the outside interface:
hostname(config)# arp outside 10.1.1.1 0009.7cbe.2100Related Commands
arp timeout
To set the time before the security appliance rebuilds the ARP table, use the arp timeout command in global configuration mode. To restore the default timeout, use the no form of this command. Rebuilding the ARP table automatically updates new host information and removes old host information. You might want to reduce the timeout because the host information changes frequently.
arp timeout seconds
no arp timeout seconds
Syntax Description
Defaults
The default value is 14,400 seconds (4 hours).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example changes the ARP timeout to 5,000 seconds:
hostname(config)# arp timeout 5000Related Commands
arp-inspection
To enable ARP inspection for transparent firewall mode, use the arp-inspection command in global configuration mode. To disable ARP inspection, use the no form of this command. ARP inspection checks all ARP packets against static ARP entries (see the arp command) and blocks mismatched packets. This feature prevents ARP spoofing.
arp-inspection interface_name enable [flood | no-flood]
no arp-inspection interface_name enable
Syntax Description
Defaults
By default, ARP inspection is disabled on all interfaces; all ARP packets are allowed through the security appliance. When you enable ARP inspection, the default is to flood non-matching ARP packets.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Usage Guidelines
Configure static ARP entries using the arp command before you enable ARP inspection.
When you enable ARP inspection, the security appliance compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:
•
•
•
Note
ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a "man-in-the-middle" attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address. The attacker, however, sends another ARP response to the host with the attacker MAC address instead of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to the router.
ARP inspection ensures that an attacker cannot send an ARP response with the attacker MAC address, so long as the correct MAC address and the associated IP address are in the static ARP table.
Note
Examples
The following example enables ARP inspection on the outside interface and sets the security appliance to drop any ARP packets that do not match the static ARP entry:
hostname(config)# arp outside 209.165.200.225 0009.7cbe.2100hostname(config)# arp-inspection outside enable no-floodRelated Commands
asdm disconnect
To terminate an active ASDM session, use the asdm disconnect command in privileged EXEC mode.
asdm disconnect session
Syntax Description
session
The session ID of the active ASDM session to be terminated. You can display the session IDs of all active ASDM sessions using the show asdm sessions command.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
7.0(1)
This command was changed from the pdm disconnect command to the asdm disconnect command.
Usage Guidelines
Use the show asdm sessions command to display a list of active ASDM sessions and their associated session IDs. Use the asdm disconnect command to terminate a specific session.
When you terminate an ASDM session, any remaining active ASDM sessions keep their associated session ID. For example, if there are three active ASDM sessions with the session IDs of 0, 1, and 2, and you terminate session 1, the remaining active ASDM sessions keep the session IDs 0 and 2. The next new ASDM session in this example would be assigned a session ID of 1, and any new sessions after that would begin with the session ID 3.
Examples
The following example terminates an ASDM session with a session ID of 0. The show asdm sessions commands display the active ASDM sessions before and after the asdm disconnect command is entered.
hostname# show asdm sessions0 192.168.1.11 192.168.1.2hostname# asdm disconnect 0hostname# show asdm sessions1 192.168.1.2Related Commands
show asdm sessions
Displays a list of active ASDM sessions and their associated session ID.
asdm disconnect log_session
To terminate an active ASDM logging session, use the asdm disconnect log_session command in privileged EXEC mode.
asdm disconnect log_session session
Syntax Description
session
The session ID of the active ASDM logging session to be terminated. You can display the session IDs of all active ASDM sessions using the show asdm log_sessions command.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Use the show asdm log_sessions command to display a list of active ASDM logging sessions and their associated session IDs. Use the asdm disconnect log_session command to terminate a specific logging session.
Each active ASDM session has one or more associated ASDM logging sessions. ASDM uses the logging session to retrieve syslog messages from the security appliance. Terminating a log session may have an adverse effect on the active ASDM session. To terminate an unwanted ASDM session, use the asdm disconnect command.
Note
When you terminate an ASDM logging session, any remaining active ASDM logging sessions keep their associated session ID. For example, if there are three active ASDM logging sessions with the session IDs of 0, 1, and 2, and you terminate session 1, the remaining active ASDM logging sessions keep the session IDs 0 and 2. The next new ASDM logging session in this example would be assigned a session ID of 1, and any new logging sessions after that would begin with the session ID 3.
Examples
The following example terminates an ASDM session with a session ID of 0. The show asdm log_sessions commands display the active ASDM sessions before and after the asdm disconnect log_sessions command is entered.
hostname# show asdm log_sessions0 192.168.1.11 192.168.1.2hostname# asdm disconnect 0hostname# show asdm log_sessions1 192.168.1.2Related Commands
show asdm log_sessions
Displays a list of active ASDM logging sessions and their associated session ID.
asdm group
Caution
asdm group real_grp_name real_if_name
asdm group ref_grp_name ref_if_name reference real_grp_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0(1)
This command was changed from the pdm group command to the asdm group command.
Usage Guidelines
Do not manually configure or remove this command.
asdm history enable
To enable ASDM history tracking, use the asdm history enable command in global configuration mode. To disable ASDM history tracking, use the no form of this command.
asdm history enable
no asdm history enable
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
7.0(1)
This command was changed from the pdm history enable command to the asdm history enable command.
Usage Guidelines
The information obtained by enabling ASDM history tracking is stored in the ASDM history buffer. You can view this information using the show asdm history command. The history information is used by ASDM for device monitoring.
Examples
The following example enables ASDM history tracking:
hostname(config)# asdm history enablehostname(config)#Related Commands
asdm image
To specify the ASDM software image, use the asdm image command in global configuration mode. To remove the image specification, use the no form of this command.
asdm image image_path
no asdm image [image_path]
Syntax Description
image_path
The path to the ASDM image file on the security appliance, for example,
hostname(config)#.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
7.0(1)
This command changed from the pdm image command to the asdm image command.
Usage Guidelines
The asdm image command specifies the ASDM software image used when ASDM sessions are initiated. If this command does not appear in the configuration, ASDM sessions cannot be started.
You can store more than one ASDM software image in Flash memory. Using the asdm image command to specify a new ASDM software image while there are active ASDM sessions does not disrupt the active sessions; active ASDM sessions will continue to use the ASDM software image they started with. New ASDM sessions will use the new software image.
Use the no form of this command to disable ASDM.
Examples
The following example sets the ASDM image to asdm.bin:
hostname(config)# asdm image flash:/asdm.binhostname(config)#Related Commands
asdm location
Caution
asdm location ip_addr netmask if_name
asdm location ipv6_addr/prefix if_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0(1)
This command was changed from the pdm location command to the asdm location command.
Usage Guidelines
Do not manually configure or remove this command.
asr-group
To specify an asymmetrical routing interface group ID, use the asr-group command in interface configuration mode. To remove the ID, use the no form of this command.
asr-group group_id
no asr-group group_id
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
—
•
—
Command History
Usage Guidelines
When Active/Active failover is enabled, you may encounter situations where load balancing causes the return traffic for outbound connections to be routed through an active context on the peer unit, where the context for the outbound connection is in the standby group.
The asr-group command causes incoming packets to be re-classified with the interface of the same asr-group if a flow with the incoming interface cannot be found. If re-classification finds a flow with another interface, and the associated context is in standby state, then the packet is forwarded to the active unit for processing.
Stateful Failover must be enabled for this command to take effect.
You can view ASR statistics using the show interface detail command. These statistics include the number of ASR packets sent, received, and dropped on an interface.
Examples
The following example assigns the selected interfaces to the asymmetric routing group 1.
Context ctx1 configuration:
hostname/ctx1(config)# interface e2hostname/ctx1(config-if)# nameif outsidehostname/ctx1(config-if)# ip address 192.168.1.11 255.255.255.0 standby 192.168.1.21hostname/ctx1(config-if)# asr-group 1Context ctx2 configuration:
hostname/ctx2(config)# interface e3hostname/ctx2(config-if)# nameif outsidehostname/ctx2(config-if)# ip address 192.168.1.31 255.255.255.0 standby 192.168.1.41hostname/ctx2(config-if)# asr-group 1Related Commands
interface
Enters interface configuration mode.
show interface
Displays interface statistics.
auth-cookie-name
To specify the name of an authentication cookie, use the auth-cookie-name command in aaa-server- host configuration mode. This is an SSO with HTTP Forms command.
auth-cookie-name
Syntax Description
Syntax DescriptionSyntax Description
Defaults
There is no default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server-host configuration
•
—
•
—
—
Command History
Usage Guidelines
The WebVPN server of the security appliance uses an HTTP POST request to submit a single sign-on authentication request to an SSO server. If authentication succeeds, the authenticating web server passes back an authentication cookie to the client browser. The client browser then authenticates to other Web servers in the SSO domain by presenting the authentication cookie. The auth-cookie-name command configures name of the authentication cookie to be used for SSO by the security appliance.
A typical authentication cookie format is Set-Cookie: <cookie name>=<cookie value> [;<cookie attributes>]. In the following authentication cookie example, SMSESSION is the name that would be configured with the auth-cookie-name command:
Set-Cookie:SMSESSION=yN4Yp5hHVNDgs4FT8dn7+Rwev41hsE49XlKc+1twie0gqnjbhkTkUnR8XWP3hvDH6PZPbHIHtWLDKTa8 ngDB/lbYTjIxrbDx8WPWwaG3CxVa3adOxHFR8yjD55GevK3ZF4ujgU1lhO6fta0dSSOSepWvnsCb7IFxCw+MGiw0o8 8uHa2t4l+SillqfJvcpuXfiIAO06D/dapWriHjNoi4llJOgCst33wEhxFxcWy2UWxs4EZSjsI5GyBnefSQTPVfma5d c/emWor9vWr0HnTQaHP5rg5dTNqunkDEdMIHfbeP3F90cZejVzihM6igiS6P/CEJAjE;Domain=.example.com;Pa th=/The following example, entered in aaa-server-host configuration mode, specifies the authentication cookie name of SMSESSION for the authentication cookie received from a web server named example.com:
hostname(config)# aaa-server testgrp1 host example.comhostname(config-aaa-server-host)# auth-cookie-name SMSESSIONhostname(config-aaa-server-host)#Related Commands
authentication
To configure authentication methods for WebVPN or e-mail proxy, use the authentication command. For WebVPN, use this command in webvpn mode. For e-mail proxies (IMAP4S. POP3S, SMTPS), use this command in the applicable e-mail proxy mode. To restore the default, AAA, use the no form of this command.
The security appliance authenticates users to verify their identity.
authentication {aaa | certificate | mailhost | piggyback}
no authentication
Syntax Description
Defaults
The following table shows the default authentication method for WebVPN and e-mail proxies:
WebVPN
AAA
IMAP4S
Mailhost (required)
POP3S
Mailhost (required)
SMTPS
AAA
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Imap4s
•
—
•
—
—
Pop3s
•
—
•
—
—
SMTPS
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
7.1(1)
This command was deprecated in webvpn mode and moved to tunnel-group webvpn-attributes mode.
Usage Guidelines
In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group webvpn-attributes mode.
For WebVPN, you can require both AAA and certificate authentication, in which case users must provide both a certificate and a username and password.
For e-mail proxy authentication, you can require more than one authentication method.
Specifying the command again overwrites the current configuration.
Examples
The following example shows how to require that WebVPN users provide certificates for authentication:
hostname(config)#webvpnhostname(config-webvpn)# authentication certificateauthentication (tunnel-group webvpn configuration mode)
To specify the authentication method for a tunnel-group, use the authentication command in tunnel-group webvpn configuration mode.
authentication aaa [certificate]
authentication certificate [aaa]
Syntax Description
aaa
Specifies the use of a username and password for authentication for this tunnel group.
certificate
Specifies the use of a digital certificate for authentication.
Defaults
The default authentication method is AAA.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group webvpn configuration
•
—
•
—
—
Command History
7.1(1)
This command was moved from webvpn configuration mode to tunnel-group webvpn-attributes configuration mode.
Usage Guidelines
At least one authentication method is required. You can specify AAA authentication, certificate authentication, or both. You can specify these in either order. If you omit the command, the security appliance uses the default authentication method, AAA.
WebVPN certificate authentication requires that HTTPS user certificates be required for the respective interfaces. That is, for this selection to be operational, before you can specify certificate authentication, you must have specified the interface in an http authentication-certificate command.
In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group webvpn-attributes mode.
Examples
The following example shows an authentication command in tunnel-group-webvpn configuration mode that specifies that the members of the tunnel group "test" must use a username and password for authentication:
hostname(config)# tunnel-group test type webvpnhostname(config)# tunnel-group test webvpn-attributeshostname(config-webvpn)# authentication aaaThe following example shows an authentication command that specifies that the members of the tunnel group "docs" must use a digital certificate for authentication:
hostname(config)# tunnel-group docs type webvpnhostname(config)# tunnel-group docs webvpn-attributeshostname(config-webvpn)# authentication certificateRelated Commands
authentication-port
To specify the port number used for RADIUS authentication for this host, use the authentication-port command in AAA-server host mode. To remove the authentication port specification, use the no form of this command. This command specifies the destination TCP/UDP port number of the remote RADIUS server hosts to which you want to assign authentication functions:
authentication-port port
no authentication-port
Syntax Description
Defaults
By default, the device listens for RADIUS on port 1645 (in compliance with RFC 2058). If the port is not specified, the RADIUS authentication default port number (1645) is used.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server host
•
•
•
•
—
Command History
7.0(1)
Semantic change to the command to support the specification of server ports on a per-host basis for server groups that contain RADIUS servers.
Usage Guidelines
If your RADIUS authentication server uses a port other than 1645, you must configure the security appliance for the appropriate port prior to starting the RADIUS service with the aaa-server command.
This command is valid only for server groups that are configured for RADIUS.
Examples
The following example configures a RADIUS AAA server named "srvgrp1" on host "1.2.3.4", sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures authentication port 1650.
hostname(config)#aaa-server svrgrp1 protocol radiushostname(config-aaa-server-group)#aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)#timeout 9hostname(config-aaa-server-host)#retry-interval 7hostname(config-aaa-server-host)#authentication-port 1650hostname(config-aaa-server-host)#exithostname(config)#Related Commands
authentication-server-group (webvpn)
To specify the set of authentication servers to use with WebVPN or one of the e-mail proxies, use the authentication-server-group command. For WebVPN, use this command in webvpn mode. For e-mail proxies (IMAP4S. POP3S, or SMTPS), use this command in the applicable e-mail proxy mode. To remove authentication servers from the configuration, use the no form of this command.
The security appliance authenticates users to verify their identity.
authentication-server-group group_tag
no authentication-server-group
Syntax Description
Defaults
No authentication servers are configured by default.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Imap4s
•
—
•
—
—
Pop3s
•
—
•
—
—
SMTPS
•
—
•
—
—
Command History
7.0(1)(1)
This command was introduced.
7.1(1)
This command was deprecated and moved to tunnel-group general-attributes configuration mode.
Usage Guidelines
If you configure AAA authentication, you must configure this attribute as well. Otherwise, authentication always fails.
In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group general-attributes mode.
Examples
The following example shows how to configure WebVPN services to use the set of authentication servers named "WEBVPNAUTH":
hostname(config)#webvpnhostname(config-webvpn)# authentication-server-group WEBVPNAUTHThe next example shows how to configure IMAP4S e-mail proxy to use the set of authentication servers named "IMAP4SSVRS":
hostname(config)#imap4shostname(config-imap4s)# authentication-server-group IMAP4SSVRSRelated Commands
aaa-server host
Configures authentication, authorization, and accounting servers.
authorization-dn-attributes (tunnel-group general-attributes mode)
To specify what part of the subject DN field to use as the username for authorization, use the authorization-dn-attributes command in tunnel-group general-attributes configuration mode. To return these attributes to their default values, use the no form of this command.
authorization-dn-attributes {primary-attr [secondary-attr] | use-entire-name}
no authorization-dn-attributes
Syntax Description
Defaults
The default value for the primary attribute is CN (Common Name).
The default value for the secondary attribute is OU (Organization Unit).
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general-attributes configuration
•
—
•
—
—
Command History
7.1(1)
This command was deprecated in webvpn configuration mode and moved to tunnel-group general-attributes configuration mode.
Usage Guidelines
In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group general-attributes mode.
Primary and secondary attributes include the following:
Examples
The following example entered in config-ipsec configuration mode, creates a remote access tunnel group (ipsec_ra) named "remotegrp", specifies IPSec group attributes and defines the Common Name to be used as the username for authorization:
hostname(config)# tunnel-group remotegrp type ipsec_rahostname(config)# tunnel-group remotegrp general-attributeshostname(config-tunnel-general)# authorization-dn-attributes CNhostname(config-tunnel-general)#Related Commands
authorization-dn-attributes (webvpn)
To specify the primary and secondary subject DN fields to use as the username for authorization, use the authorization-dn-attributes command.
For WebVPN, use this command in webvpn mode. For e-mail proxies (IMAP4S. POP3S, or SMTPS), use this command in the applicable e-mail proxy mode. To remove the attribute from the configuration and restore default values, use the no form of this command.
authorization-dn-attributes {primary-attr} [secondary-attr] | use-entire-name}
no authorization-dn-attributes
Syntax Description
Defaults
The default value for the primary attribute is CN (Common Name).
The default value for the secondary attribute is OU (Organization Unit).
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Imap4s
•
—
•
—
—
Pop3s
•
—
•
—
—
SMTPS
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
7.1(1)
This command was deprecated in webvpn configuration mode and moved to tunnel-group general-attributes configuration mode.
Usage Guidelines
The following table explains the DN fields.
In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group general-attributes mode.
Examples
The following example shows how to specify that WebVPN users must authorize according to their e-mail address (primary attribute) and organization unit (secondary attribute):
hostname(config)#webvpnhostname(config-webvpn)# authorization-dn-attributes EA OURelated Commands
authorization-required
Requires users to authorize successfully prior to connecting.
authorization-required (tunnel-group general-attributes mode)
To require users to authorize successfully to connect, use the authorization-required command in tunnel-group general-attributes configuration mode. To return this attribute to the default, use the no form of this command.
authorization-required
no authorization-required
Defaults
The default setting of this command is disabled.
Syntax Description
This command has no arguments or keywords.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general-attributes configuration
•
—
•
—
—
Command History
7.1(1)
This command was deprecated in webvpn configuration mode and moved to tunnel-group general-attributes configuration mode.
Usage Guidelines
In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group general-attributes mode.
Examples
The following example, entered in global configuration mode, requires authorization based on the complete DN for users connecting through a remote-access tunnel group named "remotegrp". The first command configures the tunnel-group type as ipsec_ra (IPSec remote access) for the remote group named "remotegrp". The second command enters tunnel-group general-attributes configuration mode for the specified tunnel group, and the last command specifies that authorization is required for the named tunnel group:
hostname(config)# tunnel-group remotegrp type ipsec_rahostname(config)# tunnel-group remotegrp general-attributeshostname(config-tunnel-general)# authorization-requiredhostname(config-tunnel-general)#Related Commands
authorization-required (webvpn)
To require WebVPN users or e-mail proxy users to authorize successfully prior to connecting, use the authorization-required command. For WebVPN, use this command in webvpn mode. For e-mail proxies (IMAP4S. POP3S, or SMTPS), use this command in the applicable e-mail proxy mode. To remove the attribute from the configuration, use the no version of this command.
authorization-required
no authorization-required
Syntax Description
This command has no arguments or keywords.
Defaults
Authorization-required is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Imap4s
•
—
•
—
—
Pop3s
•
—
•
—
—
SMTPS
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
7.1(1)
This command was deprecated in webvpn configuration mode and moved to tunnel-group general-attributes configuration mode.
Usage Guidelines
In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group general-attributes mode.
Examples
The following example shows how to require authorization for WebVPN users:
hostname(config)#webvpnhostname(config-webvpn)# authorization-requiredRelated Commands
authorization-dn-attributes (webvpn)
Specifies the primary and secondary subject DN fields to use as the username for authorization
authorization-server-group (tunnel-group general-attributes mode)
To specify the aaa-server group for user authorization, use the authorization-server-group command in tunnel-group general-attributes mode. To return this command to the default, use the no form of this command.
authorization-server-group server group
no authorization-server-group
Syntax Description
Defaults
The default setting for this command is no authorization-server-group.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group general-attributes mode.
When VPN Authorization is defined as LOCAL, the attributes configured in the default group policy DfltGrpPolicy are enforced.
Examples
The following example entered in config-general configuration mode, configures an authorization server group named "aaa-server78" for an IPSec remote-access tunnel group named "remotegrp":
hostname(config)# tunnel-group remotegrp type ipsec-rahostname(config)# tunnel-group remotegrp general-attributeshostname(config-tunnel-general)# authorization-server-group aaa-server78hostname(config-tunnel-general)#Related Commands
authorization-server-group (webvpn)
To specify the set of authorization servers to use with WebVPN or one of the e-mail proxies, use the authorization-server-group command. For WebVPN, use this command in webvpn mode. For e-mail proxies (IMAP4S. POP3S, SMTPS), use this command in the applicable e-mail proxy mode. To remove authorization servers from the configuration, use the no form of this command.
The security appliance uses authorization to verify the level of access to network resources that users are permitted.
authorization-server-group group_tag
no authorization-server-group
Syntax Description
group_tag
Identifies the previously configured authorization server or group of servers. Use the aaa-server command to configure authorization servers.
Defaults
No authorization servers are configured by default.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Imap4s
•
—
•
—
—
Pop3s
•
—
•
—
—
SMTPS
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
7.1(1)
This command was deprecated in webvpn configuration mode and moved to tunnel-group general-attributes configuration mode.
Usage Guidelines
In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group general-attributes mode.
Examples
The following example shows how to configure WebVPN services to use the set of authorization servers named "WebVPNpermit":
hostname(config)#webvpnhostname(config-webvpn)# authorization-server-group WebVPNpermitThe following example shows how to configure POP3S e-mail proxy to use the set of authorization servers named "POP3Spermit":
hostname(config)#pop3shostname(config-pop3s)# authorization-server-group POP3SpermitRelated Commands
aaa-server host
Configures authentication, authorization, and accounting servers.
auth-prompt
To specify or change the AAA challenge text for through-the-security appliance user sessions, use the auth-prompt command in global configuration mode. To remove the authentication challenge text, use the no form of this command.
auth-prompt prompt [prompt | accept | reject] string
no auth-prompt prompt [ prompt | accept | reject]
Syntax Description
Defaults
If you do not specify an authentication prompt:
•
hostname(config-aaa-server-group)#,•
hostname(config-aaa-server-host)#•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
The auth-prompt command lets you specify the AAA challenge text for HTTP, FTP, and Telnet access through the security appliance when requiring user authentication from TACACS+ or RADIUS servers. This text is primarily for cosmetic purposes and displays above the username and password prompts that users view when logging in.
If the user authentication occurs from Telnet, you can use the accept and reject options to display different status prompts to indicate that the authentication attempt is accepted or rejected by the AAA server.
If the AAA server authenticates the user, the security appliance displays the auth-prompt accept text, if specified, to the user; otherwise it displays the reject text, if specified. Authentication of HTTP and FTP sessions displays only the challenge text at the prompt. The accept and reject text are not displayed.
Note
Examples
The following example sets the authentication prompt to the string "Please enter your username and password.":
hostname(config)# auth-prompt prompt Please enter your username and passwordAfter this string is added to the configuration, users see the following:
Please enter your username and passwordUser Name:Password:For Telnet users, you can also provide separate messages to display when the security appliance accepts or rejects the authentication attempt; for example:
hostname(config)# auth-prompt reject Authentication failed. Try again.hostname(config)# auth-prompt accept Authentication succeeded.The following example sets the authentication prompt for a successful authentication to the string, "You're OK."
hostname(config)# auth-prompt accept You're OK.
After successfully authenticating, the user sees the following message:
You're OK.Related Commands
auto-signon
To configure the security appliance to automatically pass WebVPN user login credentials on to internal servers, use the auto-signon command in any of three modes: webvpn configuration, webvpn group configuration, or webvpn username configuration mode. The authentication method can be NTLM (NTLMv1), HTTP Basic authentication, or both. To disable auto-signon to a particular server, use the no form of the command with the original ip, uri, and auth-type arguments. To disable auto-signon to all servers, use the no form of the command without arguments.
auto-signon allow {ip ip-address ip-mask | uri resource-mask} auth-type {basic | ntlm | all}
no auto-signon [allow {ip ip-address ip-mask | uri resource-mask} auth-type {basic | ntlm | all}]
Syntax Description
Syntax DescriptionSyntax Description
Defaults
By default, this feature is disabled for all servers.
Command Modes
The following table shows the modes in which you can enter the command:
Command History
Usage Guidelines
The auto-signon command is a single sign-on method for WebVPN users. It passes the WebVPN login credentials (username and password) to internal servers for authentication using NTLM authentication, HTTP Basic authentication, or both. Multiple auto-signon commands can be entered and are processed according to the input order (early commands take precedence).
You can use the auto-signon feature in three modes: webvpn configuration, webvpn group configuration, or webvpn username configuration mode. The typical precedence behavior applies where username supersedes group, and group supersedes global. The mode you choose will depend upon the desired scope of authentication:
Webvpn configuration
All WebVPN users globally
Webvpn group configuration
A subset of WebVPN users defined by a group policy
Webvpn username configuration
An individual WebVPN user
Examples
The following example commands configure auto-signon for all WebVPN users, using NTLM authentication, to servers with IP addresses ranging from 10.1.1.0 to 10.1.1.255:
hostname(config)# webvpnhostname(config-webvpn)# auto-signon allow ip 10.1.1.0 255.255.255.0 auth-type ntlmThe following example commands configure auto-signon for all WebVPN users, using HTTP Basic authentication, to servers defined by the URI mask https://*.example.com/*:
hostname(config)# webvpnhostname(config-webvpn)# auto-signon allow uri https://*.example.com/* auth-type basicThe following example commands configure auto-signon for WebVPN users ExamplePolicy group policy, using either HTTP Basic or NTLM authentication, to servers defined by the URI mask https://*.example.com/*:hostname(config)# group-policy ExamplePolicy attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# auto-signon allow uri https://*.example.com/* auth-type allThe following example commands configure auto-signon for a user named Anyuser, using HTTP Basic authentication, to servers with IP addresses ranging from 10.1.1.0 to 10.1.1.255:
hostname(config)# username Anyuser attributeshostname(config-username)# webvpnhostname(config-username-webvpn)# auto-signon allow ip 10.1.1.0 255.255.255.0 auth-type basicRelated Commands
show running-config webvpn auto-signon
Displays auto-signon assignments of the running configuration.
auto-update device-id
To configure the security appliance device ID for use with an Auto Update Server, use the auto-update device-id command in global configuration mode. To remove the device ID, use the no form of this command.
auto-update device-id [hardware-serial | hostname | ipaddress [if_name] | mac-address [if_name] | string text]
no auto-update device-id [hardware-serial | hostname | ipaddress [if_name] | mac-address [if_name] | string text]
Syntax Description
Command History
Defaults
The default ID is the hostname.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Examples
The following example sets the device ID to the serial number:
hostname(config)# auto-update device-id hardware-serialRelated Commands
auto-update poll-period
To configure how often the security appliance checks for updates from an Auto Update Server, use the auto-update poll-period command in global configuration mode. To reset the parameters to the defaults, use the no form of this command.
auto-update poll-period poll_period [retry_count [retry_period]]
no auto-update poll-period poll_period [retry_count [retry_period]]
Syntax Description
Defaults
The default poll period is 720 minutes (12 hours).
The default number of times to try reconnecting to the Auto Update Server if the first attempt fails is 0.
The default period to wait between connection attempts is 5 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Examples
The following example sets the poll period to 360 minutes, the retries to 1, and the retry period to 3 minutes:
hostname(config)# auto-update poll-period 360 1 3Related Commands
auto-update server
To identify the Auto Update Server, use the auto-update server command in global configuration mode. To remove the server, use the no form of this command. The security appliance periodically contacts the Auto Update Server for any configuration, operating system, and ASDM updates.
auto-update server url [source interface] [verify-certificate]
no auto-update server url [source interface] [verify-certificate]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Only one server can be configured.
For auto update functionality to work properly, you must use the boot system configuration command and ensure it specifies a valid boot image.
If the interface specified in the source interface argument is the same interface specified with the management-access command, requests to the auto-update server will be sent over the VPN tunnel.
Examples
The following example sets the Auto Update Server URL and specifies the interface outside:
hostname(config)# auto-update server http://10.1.1.1:1741/ source outsideRelated Commands
auto-update timeout
To set a timeout period in which to contact the Auto Update Server, use the auto-update timeout command in global configuration mode. If the Auto Update Server has not been contacted for the timeout period, the security appliance stops all traffic through the security appliance. Set a timeout to ensure that the security appliance has the most recent image and configuration. To remove the timeout, use the no form of this command.
auto-update timeout period
no auto-update timeout [period]
Syntax Description
Defaults
The default timeout is 0, which sets the security appliance to never time out.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
A timeout condition is reported with system log message 201008.
Examples
The following example sets the timeout to 24 hours:
hostname(config)# auto-update timeout 1440
Related Commands
