-
Cisco Security Appliance Command Reference, Version 7.1
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting through accounting-server-group
-
acl-netmask-convert through auto-update timeout Commands
-
backup-servers through browse networks Commands
-
cache through clear compression Commands
-
clear configure through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
debug aaa through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
interface-dhcp through issuer-name Commands
-
join-failover-group through kill Commands
-
ldap-attribute-map through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
page style through pwd Commands
-
queue-limit through routerospf Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show debug through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show webvpn svc Commands
-
shun through sysopt uauth allow-http-cache Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Feedback
Table Of Contents
gateway through hw-module module shutdown Commands
http authentication-certificate
gateway through hw-module module shutdown Commands
gateway
To specify which group of call agents are managing a particular gateway, use the gateway command in MGCP map configuration mode. To remove the configuration, use the no form of this command.
gateway ip_address [group_id]
Syntax Description
gateway
Specifies the group of call agents that are managing a particular gateway
ip_address
The IP address of the gateway.
group_id
The ID of the call agent group, from 0 to 2147483647.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
MGCP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the gateway command to specify which group of call agents are managing a particular gateway. The IP address of the gateway is specified with the ip_address option. The group_id option is a number from 0 to 4294967295 that must correspond with the group_id of the call agents that are managing the gateway. A gateway may only belong to one group.
Examples
The following example allows call agents 10.10.11.5 and 10.10.11.6 to control gateway 10.10.10.115, and allows call agents 10.10.11.7 and 10.10.11.8 to control both gateways 10.10.10.116 and 10.10.10.117:
hostname(config)# mgcp-map mgcp_policyhostname(config-mgcp-map)# call-agent 10.10.11.5 101hostname(config-mgcp-map)# call-agent 10.10.11.6 101hostname(config-mgcp-map)# call-agent 10.10.11.7 102hostname(config-mgcp-map)# call-agent 10.10.11.8 102hostname(config-mgcp-map)# gateway 10.10.10.115 101hostname(config-mgcp-map)# gateway 10.10.10.116 102hostname(config-mgcp-map)# gateway 10.10.10.117 102Related Commands
global
To create a pool of mapped addresses for NAT, use the global command in global configuration mode. To remove the pool of addresses, use the no form of this command.
global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}
no global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given interface that you want to translate. Then you configure a separate global command to specify the mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat command matches a global command by comparing the NAT ID, a number that you assign to each command.
See the nat command for more information about dynamic NAT and PAT.
If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using clear xlate command. However, clearing the translation table disconnects all of the current connections.
Examples
For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following command:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0hostname(config)# global (outside) 1 209.165.201.5hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20To translate the lower security dmz network addresses so they appear to be on the same network as the inside network (10.1.1.0), for example, to simplify routing, enter the following commands:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dnshostname(config)# global (inside) 1 10.1.1.45To identify a single real address with two different destination addresses using policy NAT, enter the following commands:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000hostname(config)# global (outside) 1 209.165.202.129hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000hostname(config)# global (outside) 2 209.165.202.130To identify a single real address/destination address pair that use different ports using policy NAT, enter the following commands:
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23hostname(config)# nat (inside) 1 access-list WEBhostname(config)# global (outside) 1 209.165.202.129hostname(config)# nat (inside) 2 access-list TELNEThostname(config)# global (outside) 2 209.165.202.130Related Commands
group-alias
To create one or more alternate names by which the user can refer to a tunnel-group, use the group-alias command in tunnel-group webvpn configuration mode. To remove an alias from the list, use the no form of this command.
group-alias name [enable | disable]
no group-alias name
Syntax Description
Defaults
No default group alias, but if you do specify a group alias, that alias is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
The group alias that you specify here appears in the drop-down list on the login page. Each group can have multiple aliases or no alias. This command is useful when the same group is known by several common names, such as "Devtest" and "QA".
Examples
The following example shows the commands for configuring the webvpn tunnel group named "devtest" and establishing the aliases "QA" and "Fra-QA" for the group:
hostname(config)# tunnel-group devtest type webvpnhostname(config)# tunnel-group devtest webvpn-attributeshostname(config-tunnel-webvpn)# group-alias QAhostname(config-tunnel-webvpn)# group-alias Fra-QAhostname(config-tunnel-webvpn)#Related Commands
group-delimiter
To enable group-name parsing and specify the delimiter to be used when parsing group names from the user names that are received when tunnels are being negotiated, use the group-delimiter command in global configuration mode. To disable this group-name parsing, use the no form of this command.
group-delimiter delimiter
no group-delimiter
Syntax Description
Defaults
By default, no delimiter is specified, disabling group-name parsing.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The delimiter is used to parse tunnel group names from user names when tunnels are negotiated.
Examples
This example shows the group-delimiter command to change the group delimiter to the hash mark (#):
hostname(config)# group-delimiter #Related Commands
group-lock
To restrict remote users to access through the tunnel group only, issue the group-lock command in group-policy configuration mode or username configuration mode.
To remove the group-lock attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy. To disable group-lock, use the group-lock none command.
Group-lock restricts users by checking if the group configured in the VPN Client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting. If you do not configure group-lock, the security appliance authenticates users without regard to the assigned group.
group-lock {value tunnel-grp-name | none}
no group-lock
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Username
•
—
•
—
—
Command History
Examples
The following example shows how to set group lock for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# group-lock value tunnel group namegroup-object
To add network object groups, use the group-object command in protocol, network, service, and icmp-type configuration modes. To remove network object groups, use the no form of this command.
group-object obj_grp_id
no group-object obj_grp_id
Syntax Description
obj_grp_id
Identifies the object group (one to 64 characters) and can be any combination of letters, digits, and the "_", "-", "." characters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Protocol, network, service, icmp-type configuration
•
•
•
•
—
Command History
Usage Guidelines
The group-object command is used with the object-group command to define an object that itself is an object group. It is used in protocol, network, service, and icmp-type configuration modes. This sub-command allows logical grouping of the same type of objects and construction of hierarchical object groups for structured configuration.
Duplicate objects are allowed in an object group if they are group objects. For example, if object 1 is in both group A and group B, it is allowed to define a group C which includes both A and B. It is not allowed, however, to include a group object which causes the group hierarchy to become circular. For example, it is not allowed to have group A include group B and then also have group B include group A.
The maximum allowed levels of a hierarchical object group is 10.
Examples
The following example shows how to use the group-object command in network configuration mode eliminate the need to duplicate hosts:
hostname(config)# object-group network host_grp_1hostname(config-network)# network-object host 192.168.1.1hostname(config-network)# network-object host 192.168.1.2hostname(config-network)# exithostname(config)# object-group network host_grp_2hostname(config-network)# network-object host 172.23.56.1hostname(config-network)# network-object host 172.23.56.2hostname(config-network)# exithostname(config)# object-group network all_hostshostname(config-network)# group-object host_grp_1hostname(config-network)# group-object host_grp_2hostname(config-network)# exithostname(config)# access-list grp_1 permit tcp object-group host_grp_1 any eq ftphostname(config)# access-list grp_2 permit tcp object-group host_grp_2 any eq smtphostname(config)# access-list all permit tcp object-group all-hosts any eq wRelated Commands
group-policy
To create or edit a group policy, use the group-policy command in global configuration mode. To remove a group policy from the configuration, use the no form of this command.
group-policy name {internal [from group-policy_name] | external server-group server_group password server_password}
no group-policy name
Syntax Description
Defaults
No default behavior or values. See Usage Guidelines.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
A default group policy, named "DefaultGroupPolicy," always exists on the security appliance. However, this default group policy does not take effect unless you configure the security appliance to use it. For configuration instructions, see the Cisco Security Appliance Command Line Configuration Guide.
Use the group-policy attributes command to enter config-group-policy mode, in which you can configure any of the group-policy Attribute-Value Pairs. The DefaultGroupPolicy has these Attribute-Value Pairs:
In addition, you can configure webvpn-mode attributes for the group policy, either by entering the webvpn command in config-group-policy mode or by entering the group-policy attributes command and then entering the webvpn command in config-group-webvpn mode. See the description of the group-policy attributes command for details.
Examples
The following example shows how to create an internal group policy with the name "FirstGroup":
hostname(config)#group-policy FirstGroup internalThe next example shows how to create an external group policy with the name "ExternalGroup," the AAA server group "BostonAAA," and the password "12345678":
hostname(config)#group-policy ExternalGroup external server-group BostonAAA password 12345678Related Commands
group-policy attributes
To enter the config-group-policy mode, use the group-policy attributes command in global configuration mode. To remove all attributes from a group policy, user the no version of this command. In config-group-policy mode, you can configure Attribute-Value Pairs for a specified group policy or enter group-policy webvpn configuration mode to configure webvpn attributes for the group.
group-policy name attributes
no group-policy name attributes
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The syntax of the commands in attributes mode have the following characteristics in common:
•
•
•
A default group policy, named DefaultGroupPolicy, always exists on the security appliance. However, this default group policy does not take effect unless you configure the security appliance to use it. For configuration instructions, see the Cisco Security Appliance Command Line Configuration Guide.
The group-policy attributes command enters config-group-policy mode, in which you can configure any of the group-policy Attribute-Value Pairs. The DefaultGroupPolicy has these Attribute-Value Pairs:
In addition, you can configure webvpn-mode attributes for the group policy, by entering the group-policy attributes command and then entering the webvpn command in config-group-policy mode. See the description of the webvpn command (group-policy attributes and username attributes modes) for details.
Examples
The following example shows how to enter group-policy attributes mode for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)#Related Commands
group-prompt
To customize the group prompt of the WebVPN page login box that is displayed to WebVPN users when they connect to the security appliance, use the group-prompt command from webvpn customization mode:
group-prompt {text | style} value
[no] group-prompt {text | style} value
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
Defaults
The default text of the group prompt is "GROUP:".
The default style of the group prompt is color:black;font-weight:bold;text-align:right.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn customization
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
In the following example, the text is changed to "Corporate Group:", and the default style is changed with the font weight increased to bolder:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# group-prompt text Corporate Group:F1-asa1(config-webvpn-custom)# group-prompt style font-weight:bolderRelated Commands
password-prompt
Customizes the password prompt of the WebVPN page.
username-prompt
Customizes the username prompt of the WebVPN page.
group-url
To specify incoming URLs or IP addresses for the group, use the group-url command in tunnel-group webvpn configuration mode. To remove a URL from the list, use the no form of this command.
group-url url [enable | disable ]
no group-url url
Syntax Description
disable
Disables the URL, but does not remove it from the list.
enable
Enables the URL.
url
Specifies a URL or IP address for this tunnel group.
Defaults
There is no default URL or IP address, but if you do specify a URL or IP address, it is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
Specifying a group URL or IP address eliminates the need for the user to select a group at login. When a user logs in, the security appliance looks for the user's incoming URL/address in the tunnel-group-policy table. If it finds the URL/address and if group-url is enabled in the tunnel group, then the security appliance automatically selects the associated tunnel group and presents the user with only the username and password fields in the login window. This simplifies the user interface and has the added advantage of never exposing the list of groups to the user. The login window that the user sees uses the customizations configured for that tunnel group.
If the URL/address is disabled and group-alias is configured, then the dropdown list of groups is also displayed, and the user must make a selection.
You can configure multiple URLs/addresses (or none) for a group. Each URL/address can be enabled or disabled individually. You must use a separate group-url command for each URL/address specified. You must specify the entire URL/address, including either the http or https protocol.
You cannot associate the same URL/address with multiple groups. The security appliance verifies the uniqueness of the URL/address before accepting the URL/address for a tunnel group.
The following example shows the commands for configuring the webvpn tunnel group named "test" and establishing two group URLs, "http://www.cisco.com" and "https://supplier.com" for the group:
hostname(config)# tunnel-group test type webvpnhostname(config)# tunnel-group test webvpn-attributeshostname(config-tunnel-webvpn)# group-url http://www.cisco.comhostname(config-tunnel-webvpn)# group-url https://supplier.company.comhostname(config-tunnel-webvpn)#The following example enables the group URLs http://www.cisco.com and http://192.168.10.10 for the tunnel-group named RadiusServer:
hostname(config)# tunnel-group RadiusServer type webvpnhostname(config)# tunnel-group RadiusServer general-attributeshostname(config-tunnel-general)# authentication server-group RADIUShostname(config-tunnel-general)# accounting-server-group RADIUShostname(config-tunnel-general)# tunnel-group RadiusServer webvpn-attributeshostname(config-tunnel-webvpn)# group-alias "Cisco Remote Access" enablehostname(config-tunnel-webvpn)# group-url http://www.cisco.comenablehostname(config-tunnel-webvpn)# group-url http://192.168.10.10enablehostname(config-tunnel-webvpn)#Related Commands
gtp-map
To identify a specific map to use for defining the parameters for GTP, use the gtp-map command in global configuration mode. To remove the map, use the no form of this command.
gtp-map map_name
no gtp-map map_name
Note
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
GPRS is a data network architecture that is designed to integrate with existing GSM networks. It offers mobile subscribers uninterrupted, packet-switched data services to corporate networks and the Internet. For an overview of GTP and how the security appliance ensures secure access over wireless networks, refer to the "Applying Application Layer Protocol Inspection" chapter in the Cisco Security Appliance Command Line Configuration Guide.
Use the gtp-map command to identify a specific map to use for defining the parameters for GTP. When you enter this command, the system enters a configuration mode that lets you enter the different commands used for defining the specific map. After defining the GTP map, you use the inspect gtp command to enable the map. Then you use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.
Examples
The following example shows how to use the gtp-map command to identify a specific map (gtp-policy) to use for defining the parameters for GTP:
hostname(config)# gtp-map qtp-policyhostname(config-gtpmap)#The following example shows how to use access lists to identify GTP traffic, define a GTP map, define a policy, and apply the policy to the outside interface:
hostname(config)# access-list gtp-acl permit udp any any eq 3386hostname(config)# access-list gtp-acl permit udp any any eq 2123hostname(config)# class-map gtp-traffichostname(config-cmap)# match access-list gtp-aclhostname(config-cmap)# exithostname(config)# gtp-map gtp-policyhostname(config-gtpmap)# request-queue 300hostname(config-gtpmap)# permit mcc 111 mnc 222hostname(config-gtpmap)# message-length min 20 max 300hostname(config-gtpmap)# drop message 20hostname(config-gtpmap)# tunnel-limit 10000hostname(config)# policy-map inspection_policyhostname(config-pmap)# class gtp-traffichostname(config-pmap-c)# inspect gtp gtp-policyhostname(config)# service-policy inspection_policy outsideRelated Commands
help
To display help information for the command specified, use the help command in user EXEC mode.
help {command | ?}
Syntax Description
command
Specifies the command for which to display the CLI help.
?
Displays all commands that are available in the current privilege level and mode.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
•
Command History
Usage Guidelines
The help command displays help information about all commands. You can see help for an individual command by entering the help command followed by the command name. If you do not specify a command name and enter ? instead, all commands that are available in the current privilege level and mode display.
If you enable the pager command and when 24 lines display, the listing pauses, and the following prompt appears:
<--- More --->The More prompt uses syntax similar to the UNIX more command as follows:
•
•
•
Examples
The following example shows how to display help for the rename command:
hostname#help renameUSAGE:rename /noconfirm [{disk0:|disk1:|flash:}] <source path> [{disk0:|disk1:|flash:}] <destination path>DESCRIPTION:rename Rename a fileSYNTAX:/noconfirm No confirmation{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem<source path> Source file path<destination path> Destination file pathhostname#The following examples shows how to display help by entering the command name and a question mark:
hostname(config)# enable ?usage: enable password <pwd> [encrypted]Help is available for the core commands (not the show, no, or clear commands) by entering ? at the command prompt:
hostname(config)# ?aaa Enable, disable, or view TACACS+ or RADIUSuser authentication, authorization and accounting...Related Commands
hic-fail-group-policy
To specify a group policy to grant a WebVPN user access rights that are different from the default group policy, use the hic-fail-group-policy command in tunnel-group-webvpn configuration mode. The no form of this command sets the group policy to the default group policy.
hic-fail-group-policy name
no hic-fail-group-policy
Syntax Description
Defaults
DfltGrpPolicy
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group-webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
This command is valid only for security appliances with Cisco Secure Desktop installed. Host integrity checking, also called System Detection, involves checking the remote PC for a minimal set of criteria that must be satisfied to apply a VPN feature policy. The security appliance uses the value of the hic-fail-group-policy attribute to limit access rights to remote CSD users as follows:
•
•
This attribute specifies the name of the failure group policy to be applied. Use a group policy to differentiate access rights from those associated with the default group policy.
Note
For more information, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators.
Examples
The following example creates a WebVPN tunnel group named "FirstGroup" and specifies the failure group policy with the name "group2":
hostname(config)#tunnel-group FirstGroup webvpnhostname(config)#tunnel-group FirstGroup webvpn-attributeshostname(config-tunnel-webvpn)#hic-fail-group-policy group2hostname(config-tunnel-webvpn)#Related Commands
hidden-parameter
To specify hidden parameters in the HTTP POST request that the security appliance submits to the authenticating web server for SSO authentication, use the hidden-parameter command in aaa-server-host configuration mode.
To remove all hidden parameters from the running configuration, use the no form of the command.
This is an SSO with HTTP Forms command.
hidden-parameter string
no hidden-parameter
Note
Syntax Description
Syntax DescriptionSyntax Description
Defaults
No default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server-host configuration
•
—
•
—
—
Command History
Usage Guidelines
The WebVPN server of the security appliance uses an HTTP POST request to submit a single sign-on authentication request to an authenticating web server. That request may require specific hidden parameters from the SSO HTML form—other then username and password—that are not visible to the user. You can discover hidden parameters that the web server expects in the POST request by using a HTTP header analyzer on a form received from the web server.
The command hidden-parameter lets you specify a hidden parameter the web server requires in the authentication POST request. If you use a header analyzer, you can copy and paste the whole hidden parameter string including any encoded URL parameters.
For ease of entry, you can enter a hidden parameter on multiple, sequential lines. The security appliance then concatenates the lines into a single hidden parameter. While the maximum characters per hidden-parameter line is 255 characters, you can enter fewer characters on each line.
Note
Examples
The following example shows a hidden parameter comprised of four form entries and their values, separated by &. Excerpted from the POST request, the four entries and their values are:
•
•
•
%3FEMCOPageCode%3DENG
•
SMENC=ISO-8859-1&SMLOCALE=US-EN&target=https%3A%2F%2Ftools.cisco.com%2Femco%2Fappdir%2FAreaRoot.do%3FEMCOPageCode%3DENG&smauthreason=0
hostname(config)# aaa-server testgrp1 host example.comhostname(config-aaa-server-host)# hidden-parameter SMENC=ISO-8859-1&SMLOCALE=US-EN&targehostname(config-aaa-server-host)# hidden-parameter t=https%3A%2F%2Ftools.cisco.com%2Femchostname(config-aaa-server-host)# hidden-parameter o%2Fappdir%2FAreaRoot.do%3FEMCOPageCohostname(config-aaa-server-host)# hidden-parameter de%3DENG&smauthreason=0hostname(config-aaa-server-host)#Related Commands
homepage
To specify a URL for the web page that displays upon login for this WebVPN user or group policy, use the homepage command in webvpn mode, which you enter from group-policy or username mode. To remove a configured home page, including a null value created by issuing the homepage none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting a home page, use the homepage none command.
homepage {value url-string | none}
no homepage
Syntax Description
Defaults
There is no default home page.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn mode
•
—
•
—
—
Command History
Examples
The following example shows how to specify www.example.com as the home page for the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)# homepage value http://www.example.comRelated Commands
webvpn
Use in group-policy configuration mode or in username configuration mode. Lets you enter webvpn mode to configure parameters that apply to group policies or usernames.
hostname
To set the security appliance hostname, use the hostname command in global configuration mode. To restore the default hostname, use the no form of this command. The hostname appears as the command line prompt, and if you establish sessions to multiple devices, the hostname helps you keep track of where you enter commands.
hostname name
no hostname [name]
Syntax Description
name
Specifies a hostname up to 63 characters. A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen.
Defaults
The default hostname depends on your platform.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
7.0(1)
You can no longer use non-alphanumeric characters (other than a hyphen).
Usage Guidelines
For multiple context mode, the hostname that you set in the system execution space appears in the command line prompt for all contexts.
The hostname that you optionally set within a context does not appear in the command line, but can be used for the banner command $(hostname) token.
Examples
The following example sets the hostname to firewall1:
hostname(config)# hostname firewall1firewall1(config)#Related Commands
banner
Sets a login, message of the day, or enable banner.
domain-name
Sets the default domain name.
html-content-filter
To filter Java, ActiveX, images, scripts, and cookies for WebVPN sessions for this user or group policy, use the html-content-filter command in webvpn mode, which you enter from group-policy or username mode. To remove a content filter, use the no form of this command. To remove all content filters, including a null value created by issuing the html-content-filter none command, use the no form of this command without arguments. The no option allows inheritance of a value from another group policy. To prevent inheriting an html content filter, use the html-content-filter none command.
html-content-filter {java | images | scripts | cookies | none}
no html-content-filter [java | images | scripts | cookies | none]
Syntax Description
Defaults
No filtering occurs.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn mode
•
—
•
—
—
Command History
Usage Guidelines
Using the command a second time overrides the previous setting.
Examples
The following example shows how to set filtering of JAVA and ActiveX, cookies, and images for the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)# html-content-filter java cookies imagesRelated Commands
http
To specify hosts that can access the HTTP server internal to the security appliance, use the http command in global configuration mode. To remove one or more hosts, use the no form of this command. To remove the attribute from the configuration, use the no form of this command without arguments.
http ip_address subnet_mask interface_name
no http
Syntax Description
Defaults
No hosts can access the HTTP server.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example shows how to allow the host with the IP address of 10.10.99.1 and the subnet mask of 255.255.255.255 access to the HTTP server via the outside interface:
hostname(config)# http 10.10.99.1 255.255.255.255 outsideThe next example shows how to allow any host access to the HTTP server via the outside interface:
hostname(config)# http 0.0.0.0 0.0.0.0 outsideRelated Commands
http authentication-certificate
To require authentication via certificate from users who are establishing HTTPS connections, use the http authentication-certificate command in global configuration mode. To remove the attribute from the configuration, use the no version of this command. To remove all http authentication-certificate commands from the configuration, use the no version without arguments.
The security appliance validates certificates against the PKI trust points. If a certificate does not pass validation, the security appliance closes the SSL connection.
http authentication-certificate interface
no http authentication-certificate [interface]
Syntax Description
interface
Specifies the interface on the security appliance that requires certificate authentication.
Defaults
HTTP certificate authentication is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
You can configure certificate authentication for each interface, such that connections on a trusted/inside interface do not have to provide a certificate. You can use the command multiple times to enable certificate authentication on multiple interfaces.
Validation occurs before the URL is known, so this affects both WebVPN and ASDM access.
The ASDM uses its own authentication method in addition to this value. That is, it requires both certificate and username/password authentication if both are configured, or just username/password if certificate authentication is disabled.
Examples
The following example shows how to require certificate authentication for clients connecting to the interfaces named outside and external:
hostname(config)# http authentication-certificate insidehostname(config)# http authentication-certificate externalRelated Commands
http-comp
To enable compression of http data over a WebVPN connection for a specific group or user, use the http-comp command in the group policy and username webvpn modes.
To remove the command from the configuration and cause the value to be inherited, use the no form of the command:
http-comp {gzip | none}
no http-comp {gzip | none}
Syntax Description
gzip
Specifies compression is enabled for the group or user.
none
Specifies compression is disabled for the group or user.
Defaults
By default, compression is set to gzip.
Command Modes
The following table shows the modes in which you can enter the command:
group-policy webvpn
•
—
•
—
—
username webvpn
•
—
•
—
—
Command History
Usage Guidelines
For WebVPN connections, the compression command configured from global configuration mode overrides the http-comp command configured in group policy and username webvpn modes.
Examples
In the following example, compression is disabled for the group-policy sales:
hostname(config)# group-policy sales attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# http-comp noneRelated Commands
http-map
To create an HTTP map for applying enhanced HTTP inspection parameters, use the http-map command in global configuration mode. To remove the command, use the no form of this command.
http-map map_name
no http-map map_name
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The enhanced HTTP inspection feature, which is also known as an application firewall, verifies that HTTP messages conform to RFC 2616, use RFC-defined and supported extension methods, and comply with various other criteria. This can help prevent attackers from using HTTP messages for circumventing network security policy.
Note
In many cases, you can configure the criteria and how the security appliance responds when the criteria are not met. The criteria that you can apply to HTTP messages include the following:
•
•
•
•
•
•
•
•
•
•
Note
Table 13-2 summarizes the configuration commands available in HTTP map configuration mode. Click on an entry to open a command page that provides the detailed syntax for each command.
Examples
The following is sample output showing how to identify HTTP traffic, define an HTTP map, define a policy, and apply the policy to the outside interface.
hostname(config)# class-map http-porthostname(config-cmap)# match port tcp eq 80hostname(config-cmap)# exithostname(config)# http-map inbound_httphostname(config-http-map)# content-length min 100 max 2000 action reset loghostname(config-http-map)# content-type-verification match-req-rsp reset loghostname(config-http-map)# max-header-length request bytes 100 action log resethostname(config-http-map)# max-uri-length 100 action reset loghostname(config-http-map)# exithostname(config)# policy-map inbound_policyhostname(config-pmap)# class http-porthostname(config-pmap-c)# inspect http inbound_httphostname(config-pmap-c)# exithostname(config-pmap)# exithostname(config)# service-policy inbound_policy interface outsideThis example causes the security appliance to reset the connection and create a syslog entry when it detects any traffic that contain the following:
•
•
•
•
Related Commands
http-proxy
To configure an HTTP proxy server, use the http-proxy command in webvpn mode. To remove the HTTP proxy server from the configuration, use the no form of this command.
This is an external proxy server the security appliance uses for HTTP requests.
http-proxy address [port]
no http-proxy
Syntax Description
Defaults
No HTTP proxy server is configured by default.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Command History
Examples
The following example shows how to configure an HTTP proxy server with an IP address of 10.10.10.7 using port 80:
hostname(config)#webvpnhostname(config-webvpn)# http-proxy 10.10.10.7hostname(config-webvpn)http redirect
To specify that the security appliance redirect HTTP connections to HTTPS, use the http redirect command in global configuration mode. To remove a specified http redirect command from the configuration, use the no version of this command. To remove all http redirect commands from the configuration, use the no version of this command without arguments.
http redirect interface [port]
no http redirect [interface]
Syntax Description
Defaults
HTTP redirect is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The interface requires an access list that permits HTTP. Otherwise the security appliance does not listen to port 80, or to any other port that you configure for HTTP.
Examples
The following example shows how to configure HTTP redirect for the inside interface, keeping the default port 80:
hostname(config)# http redirect insideRelated Commands
http server enable
To enable the security appliance HTTP server, use the http server enable command in global configuration mode. To disable the HTTP server, use the no form of this command.
http server enable
no http server enable
Defaults
The HTTP server is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example shows how to enable the HTTP server.
hostname(config)# http server enableRelated Commands
https-proxy
To configure an HTTPS proxy server, use the https-proxy command in webvpn mode. To remove the HTTPS proxy server from the configuration, use the no form of this command.
This is an external proxy server the security appliance uses for HTTPS requests.
https-proxy address [port]
no https-proxy
Syntax Description
Defaults
No HTTPS proxy server is configured by default.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Command History
Examples
The following example shows how to configure an HTTPS proxy server with an IP address of 10.10.10.1 using port 443:
hostname(config)#webvpnhostname(config-webvpn)# https-proxy 10.10.10.1 443hw-module module recover
To load a recovery software image from a TFTP server to an intelligent SSM (for example, the AIP SSM), or to configure network settings to access the TFTP server, use the hw-module module recover command in privileged EXEC mode. You might need to recover an SSM using this command if, for example, the SSM is unable to load a local image. This command is not available for interface SSMs (for example, the 4GE SSM).
hw-module module 1 recover {boot | stop | configure [url tfp_url | ip port_ip_address | gateway gateway_ip_address | vlan vlan_id]}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
This command is only available when the SSM is in the Up, Down, Unresponsive, or Recovery state. See the show module command for state information.
Examples
The following example sets the SSM to download an image from a TFTP server:
hostname# hw-module module 1 recover configureImage URL [tftp://127.0.0.1/myimage]: tftp://10.1.1.1/ids-newimgPort IP Address [127.0.0.2]: 10.1.2.10Port Mask [255.255.255.254]: 255.255.255.0Gateway IP Address [1.1.2.10]: 10.1.2.254VLAN ID [0]: 100The following example recovers the SSM:
hostname# hw-module module 1 recover bootThe module in slot 1 will be recovered. This mayerase all configuration and all data on that device andattempt to download a new image for it.Recover module in slot 1? [confirm]Related Commands
hw-module module reload
To reload an intelligent SSM software (for example, the AIP SSM), use the hw-module module reload command in privileged EXEC mode. This command is not available for interface SSMs (for example, the 4GE SSM).
hw-module module 1 reload
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
This command is only valid when the SSM status is Up. See the show module command for state information.
This command differs from the hw-module module reset command, which also performs a hardware reset.
Examples
The following example reloads the SSM in slot 1:
hostname# hw-module module 1 reloadReload module in slot 1? [confirm] yReload issued for module in slot 1%XXX-5-505002: Module in slot 1 is reloading. Please wait...%XXX-5-505006: Module in slot 1 is Up.Related Commands
hw-module module reset
To shut down and reset the SSM hardware, use the hw-module module reset command in privileged EXEC mode.
hw-module module 1 reset
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
This command is only valid when the SSM status is Up, Down, Unresponsive, or Recover. See the show module command for state information.
When the SSM is in an Up state, the hw-module module reset command prompts you to shut down the software before resetting.
You can recover intelligent SSMs (for example, the AIP SSM) using the hw-module module recover command. If you enter the hw-module module reset while the SSM is in a Recover state, the SSM does not interrupt the recovery process. The the hw-module module reset command performs a hardware reset of the SSM, and the SSM recovery continues after the hardware reset. You might want to reset the SSM during recovery if the SSM hangs; a hardware reset might resolve the issue.
This command differs from the hw-module module reload command which only reloads the software and does not perform a hardware reset.
Examples
The following example resets an SSM in slot 1 that is in the Up state:
hostname# hw-module module 1 resetThe module in slot 1 should be shut down beforeresetting it or loss of configuration may occur.Reset module in slot 1? [confirm] yReset issued for module in slot 1%XXX-5-505001: Module in slot 1 is shutting down. Please wait...%XXX-5-505004: Module in slot 1 shutdown is complete.%XXX-5-505003: Module in slot 1 is resetting. Please wait...%XXX-5-505006: Module in slot 1 is Up.Related Commands
hw-module module shutdown
To shut down the SSM software, use the hw-module module shutdown command in privileged EXEC mode.
hw-module module 1 shutdown
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Shutting down the SSM software prepares the SSM to be safely powered off without losing configuration data.
This command is only valid when the SSM status is Up or Unresponsive. See the show module command for state information.
Examples
The following example shuts down an SSM in slot 1:
hostname# hw-module module 1 shutdownShutdown module in slot 1? [confirm] yShutdown issued for module in slot 1hostname#%XXX-5-505001: Module in slot 1 is shutting down. Please wait...%XXX-5-505004: Module in slot 1 shutdown is complete.Related Commands
