Cisco Security Appliance Command Reference, Version 7.1
urgent-flag through write terminal Commands

Table Of Contents

urgent-flag through write terminal Commands

urgent-flag

url

url-block

url-cache

url-list

url-list (webvpn)

url-server

user-authentication

user-authentication-idle-timeout

username

username attributes

username-prompt

user-parameter

virtual http

virtual telnet

vlan

vpn-access-hours

vpn-addr-assign

vpn-filter

vpn-framed-ip-address

vpn-framed-ip-netmask

vpn-group-policy

vpn-idle-timeout

vpn load-balancing

vpn-sessiondb logoff

vpn-sessiondb max-session-limit

vpn-sessiondb max-webvpn-session-limit

vpn-session-timeout

vpn-simultaneous-logins

vpn-tunnel-protocol

web-agent-url

web-applications

web-bookmarks

webvpn (group-policy and username modes)

who

window-variation

wins-server

write erase

write memory

write net

write standby

write terminal


urgent-flag through write terminal Commands


urgent-flag

To allow or clear the URG pointer through the TCP normalizer, use the urgent-flag command in tcp-map configuration mode. To remove this specification, use the no form of this command.

urgent-flag {allow | clear}

no urgent-flag {allow | clear}

Syntax Description

allow

Allows the URG pointer through the TCP normalizer.

clear

Clears the URG flag and the urgent pointer from each segment before the TCP normalizer forwards it.


Defaults

The URG flag and urgent pointer are cleared by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tcp-map configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command (set connection advanced-options). Activate TCP inspection with the service-policy command.

Use the tcp-map command to enter tcp-map configuration mode. Use the urgent-flag command in tcp-map configuration mode to allow or clear the urgent flag.

The URG flag indicates that the segment carries data the sender considers more urgent than the rest of the stream, and the urgent pointer marks where that data ends. RFC 793 and RFC 1122 differ on the exact interpretation of the urgent pointer, so end systems handle urgent data in different ways; some deliver the urgent byte out of band and remove it from the in-band stream. A monitoring device that does not model the receiving stack's behaviour therefore sees a different byte stream than the end host does, which can be used to evade inspection or to trigger end-system bugs. The default behavior is to clear the URG flag and urgent pointer; allow them only for protocols that legitimately use urgent data (for example rlogin on TCP port 513, as in the example below).
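
As an added illustration (not part of the Cisco reference), the following Python script works the normalizer's default clear action through on a raw segment. It builds a constructed rlogin-style segment (TCP port 513, the port the page's own example exempts) whose urgent pointer marks one payload byte as urgent, shows that a receiver delivering urgent data out of band (RFC 793 pointer semantics as confirmed by RFC 6093, BSD-socket behaviour without SO_OOBINLINE) reads a different in-band stream than a device that ignores URG, and then applies the clear normalization: URG flag and urgent pointer zeroed and the TCP checksum recomputed over the IPv4 pseudo-header. The addresses, ports and payload are constructed for the example.

```python
"""TCP URG normalization ("urgent-flag clear") worked through on a raw segment.

Added example, not Cisco code. Addresses, ports and the payload are constructed.
"""
import struct

TCP_URG = 0x20          # URG bit in the TCP flags field
TCP_PSH_ACK = 0x18      # PSH|ACK, a normal data-bearing segment


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment.

    Called on a segment whose checksum field is zero it returns the value to
    write there; called on a segment carrying a checksum it returns 0 iff the
    checksum is valid.
    """
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def verify_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_segment(src_ip: bytes, dst_ip: bytes, payload: bytes, urg_ptr: int = 0) -> bytes:
    """Minimal 20-byte TCP header (no options) plus payload; URG is set iff urg_ptr > 0."""
    flags = TCP_PSH_ACK | (TCP_URG if urg_ptr else 0)
    header = struct.pack("!HHIIHHHH", 40000, 513, 1000, 2000,
                         (5 << 12) | flags, 65535, 0, urg_ptr)
    seg = bytearray(header + payload)
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, off_flags, window, csum, urg_ptr = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window, "checksum": csum,
            "urg_ptr": urg_ptr, "payload": segment[data_offset:]}


def inband_view(segment: bytes, honours_urg: bool) -> bytes:
    """Bytes an application would read in-band from this segment.

    RFC 793 (as confirmed by RFC 6093) has the urgent pointer give the offset of
    the octet following the urgent data, so the last urgent byte sits at
    urg_ptr - 1. A BSD-style receiver without SO_OOBINLINE pulls that byte out
    of the in-band stream and hands it over via MSG_OOB; a device that ignores
    URG, or a monitor that does not model the end host, sees the payload whole.
    """
    tcp = parse_tcp(segment)
    payload = tcp["payload"]
    if not honours_urg or not (tcp["flags"] & TCP_URG) or tcp["urg_ptr"] == 0:
        return payload
    oob = tcp["urg_ptr"] - 1
    if oob >= len(payload):
        return payload                       # urgent octet lies in a later segment
    return payload[:oob] + payload[oob + 1:]


def clear_urgent(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
    """The normalizer's clear action: drop URG, zero the urgent pointer, fix the checksum."""
    seg = bytearray(segment)
    off_flags = struct.unpack("!H", seg[12:14])[0] & ~TCP_URG
    seg[12:14] = struct.pack("!H", off_flags)
    seg[18:20] = b"\x00\x00"                 # urgent pointer
    seg[16:18] = b"\x00\x00"                 # checksum must be zero while recomputing
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    src, dst = bytes([10, 0, 2, 54]), bytes([10, 0, 1, 1])     # constructed addresses
    seg = build_segment(src, dst, b"rlogXin", urg_ptr=5)       # byte 'X' marked urgent
    print("host honouring URG reads :", inband_view(seg, True))
    print("device ignoring URG sees :", inband_view(seg, False))
    norm = clear_urgent(src, dst, seg)
    print("after clear, host reads  :", inband_view(norm, True),
          "checksum ok:", verify_checksum(src, dst, norm))
```

After the clear action both the end host and any device inspecting the stream read the same bytes, which is the point of the default; the cost is that protocols relying on urgent data lose it, which is why the page's own example re-enables URG only for the rlogin port.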

Examples

The following example shows how to allow the urgent flag:

hostname(config)# tcp-map tmap
hostname(config-tcp-map)# urgent-flag allow
hostname(config)# class-map cmap
hostname(config-cmap)# match port tcp eq 513
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# set connection advanced-options tmap
hostname(config)# service-policy pmap global

Related Commands

Command
Description

class

Specifies a class map to use for traffic classification.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

set connection

Configures connection values.

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.


url

To maintain the list of static URLs for retrieving CRLs, use the url command in crl configure configuration mode. The crl configure configuration mode is accessible from the crypto ca trustpoint configuration mode. To delete an existing URL, use the no form of this command.

url index url

no url index url

Syntax Description

index

Specifies a value from 1 to 5 that determines the rank of each URL in the list. The security appliance tries the URL at index 1 first.

url

Specifies the URL from which to retrieve the CRL.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CRL configure configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

You cannot overwrite existing URLs. To replace an existing URL, first delete it using the no form of this command.

Examples

The following example enters ca-crl configuration mode for the trustpoint named central and adds https://foobin.com at index 3 of the list of URLs used for CRL retrieval:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# url 3 https://foobin.com
hostname(ca-crl)# 

Related Commands

Command
Description

crl configure

Enters ca-crl configuration mode.

crypto ca trustpoint

Enters trustpoint configuration mode.

policy

Specifies the source for retrieving CRLs.


url-block

The url-block commands can be used to manage the URL buffers used for web server responses while waiting for a filtering decision from the filtering server. The url-block commands are also used to manage filtering of long URLs. To remove the configuration, use the no form of this command.

url-block block block_buffer_limit

no url-block block block_buffer_limit

Websense only:

url-block url-mempool memory_pool_size

no url-block url-mempool memory_pool_size

url-block url-size long_url_size

no url-block url-size long_url_size

The maximum values of the numeric parameters for the url-block command are lower in multiple context mode than in single context mode:

Single context:

url-block block block_buffer_limit—max is 128

url-block url-mempool memory_pool_size—max is 10240

Multiple context:

url-block block block_buffer_limit—max is 16

url-block url-mempool memory_pool_size—max is 512

Syntax Description

block block_buffer_limit

Creates an HTTP response buffer to store web server responses while waiting for a filtering decision from the filtering server. The permitted values are from 0 to 128, which specifies the number of 1550-byte blocks.

url-mempool memory_pool_size

For Websense URL filtering only. The size of the URL buffer memory pool in kilobytes (KB). The permitted values are from 2 to 10240, which specifies a URL buffer memory pool from 2 KB to 10240 KB.


Note This is not supported on the UDP transport servers.


url-size long_url_size

For Websense URL filtering only. The maximum allowed URL size in KB. The permitted values are 2, 3, or 4, which specifies a maximum URL size of 2 KB, 3 KB, or 4 KB.


Note This is not supported on the UDP transport servers.



Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

For Websense filtering servers, the url-block url-size command allows filtering of long URLs, up to 4 KB. For both Websense and N2H2 filtering servers, the url-block block command causes the security appliance to buffer packets received from a web server in response to a web client request while waiting for a response from the URL filtering server. This improves performance for the web client compared to the default security appliance behavior, which is to drop the packets and to require the web server to retransmit the packets if the connection is permitted.

If you use the url-block block command and the filtering server permits the connection, the security appliance sends the blocks to the web client from the HTTP response buffer and removes the blocks from the buffer. If the filtering server denies the connection, the security appliance sends a deny message to the web client and removes the blocks from the HTTP response buffer.

Use the url-block block command to specify the number of blocks to use for buffering web server responses while waiting for a filtering decision from the filtering server.

Use the url-block url-size command with the url-block url-mempool command to specify the maximum length of a URL to be filtered by a Websense filtering server and the maximum memory to assign to the URL buffer. Use these commands to pass URLs longer than 1159 bytes, up to a maximum of 4096 bytes, to the Websense server. The url-block url-size command stores URLs longer than 1159 bytes in a buffer and then passes the URL to the Websense server (through a TCP packet stream) so that the Websense server can grant or deny access to that URL.

Examples

The following example assigns 56 1550-byte blocks for buffering web server responses while the security appliance waits for a verdict from the URL filtering server:

hostname(config)# url-block block 56

Related Commands

Commands
Description

clear url-block block statistics

Clears the block buffer usage counters.

filter url

Directs traffic to a URL filtering server.

show url-block

Displays the URL block buffer configuration and statistics for the web server packets held while waiting for a response from an N2H2 or Websense filtering server.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


url-cache

To enable URL caching for URL responses received from an N2H2 or Websense server and to set the size of the cache, use the url-cache command in global configuration mode. To remove the configuration, use the no form of this command.

url-cache {dst | src_dst} kbytes

no url-cache {dst | src_dst} kbytes

Syntax Description

dst

Cache entries based on the URL destination address only. Select this mode if all users share the same URL filtering policy on the N2H2 or Websense server: because the cache key does not include the client, a verdict obtained for one client is reused for every other client that requests the same URL.

kbytes

Specifies the cache size in KB, within the range 1 to 128.

src_dst

Cache entries based on both the source address initiating the URL request and the URL destination address. Select this mode if users do not share the same URL filtering policy on the N2H2 or Websense server.

statistics

Used with the show url-cache command to display URL cache statistics, including the number of cache lookups and the hit rate.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The url-cache command provides a configuration option to cache responses from the URL server.

Use the url-cache command to enable URL caching, set the size of the cache, and display cache statistics.

Caching stores URL access privileges in memory on the security appliance. When a host requests a connection, the security appliance first looks in the URL cache for matching access privileges instead of forwarding the request to the N2H2 or Websense server. Disable caching with the no url-cache command.


Note If you change settings on the N2H2 or Websense server, disable the cache with the no url-cache command and then re-enable the cache with the url-cache command.


Using the URL cache does not update the Websense accounting logs for Websense protocol Version 1. If you are using Websense protocol Version 1, let Websense run to accumulate logs so you can view the Websense accounting information. After you get a usage profile that meets your security needs, enable url-cache to increase throughput. Accounting logs are updated for Websense protocol Version 4 and for N2H2 URL filtering while using the url-cache command.
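
The following Python model, added here as an illustration and not part of the Cisco reference, shows the consequence of the two cache keys. A stand-in filtering server holds a constructed per-client policy (two client addresses, one destination); with the dst key, a permit obtained for the first client is served from the cache to a second client whose policy denies the site, which is why dst is only appropriate when every user shares one policy. It also shows why the Note above tells you to disable and re-enable the cache after changing the server: a cached verdict survives a policy change until the cache is cleared. The server, policy, addresses and URL are constructed, and capacity is counted in entries rather than the KB the real command takes.

```python
"""Model of the url-cache dst / src_dst verdict cache in front of a URL filtering server.

Added example, not Cisco code. The filtering server, its per-client policy, the
client addresses and the URL are constructed; capacity is counted in entries
rather than in the KB the real command takes.
"""
from collections import OrderedDict


class FilterServer:
    """Stand-in for the N2H2/Websense server: per-client set of denied hosts (constructed policy)."""

    def __init__(self, denied_by_client: dict):
        self.denied_by_client = {ip: set(hosts) for ip, hosts in denied_by_client.items()}
        self.lookups = 0

    def verdict(self, src_ip: str, host: str) -> bool:
        """True = permit, False = deny. Every call is a round trip the cache is meant to save."""
        self.lookups += 1
        return host not in self.denied_by_client.get(src_ip, set())


class UrlCache:
    """Verdict cache keyed like url-cache: 'dst' (host only) or 'src_dst' (client + host)."""

    def __init__(self, mode: str, server: FilterServer, capacity: int = 128):
        if mode not in ("dst", "src_dst"):
            raise ValueError("mode must be 'dst' or 'src_dst'")
        self.mode, self.server, self.capacity = mode, server, capacity
        self.entries: OrderedDict = OrderedDict()   # LRU: oldest entry first
        self.hits = 0

    def key(self, src_ip: str, host: str):
        return (host,) if self.mode == "dst" else (src_ip, host)

    def check(self, src_ip: str, host: str) -> bool:
        """Answer from the cache if possible, otherwise ask the server and remember the verdict."""
        k = self.key(src_ip, host)
        if k in self.entries:
            self.hits += 1
            self.entries.move_to_end(k)
            return self.entries[k]
        verdict = self.server.verdict(src_ip, host)
        self.entries[k] = verdict
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)        # evict the least recently used entry
        return verdict

    def clear(self) -> None:
        """Equivalent of 'no url-cache' followed by 'url-cache': forget every verdict."""
        self.entries.clear()


# Constructed policy: marketing may reach the site, finance may not.
MARKETING, FINANCE, SITE = "10.0.2.10", "10.0.2.20", "www.example.com"
POLICY = {MARKETING: set(), FINANCE: {SITE}}


def run_demo(mode: str) -> dict:
    """Marketing browses first, finance second; then the server policy changes under the cache."""
    server = FilterServer(POLICY)
    cache = UrlCache(mode, server)
    marketing = cache.check(MARKETING, SITE)
    finance = cache.check(FINANCE, SITE)
    lookups = server.lookups                        # 1 with dst (shared entry), 2 with src_dst
    # The administrator now denies the site to marketing on the server. The cache
    # keeps serving the old permit until it is cleared.
    server.denied_by_client[MARKETING].add(SITE)
    stale = cache.check(MARKETING, SITE)
    cache.clear()
    fresh = cache.check(MARKETING, SITE)
    return {"marketing": marketing, "finance": finance, "server_lookups": lookups,
            "after_policy_change_cached": stale, "after_cache_clear": fresh}


if __name__ == "__main__":
    for mode in ("dst", "src_dst"):
        print(mode, run_demo(mode))
```

With dst the finance client is permitted without the server ever being asked, because the entry written for the marketing client matches its request; with src_dst the second client misses the cache and gets its own verdict. In both modes the stale permit after the policy change persists until the cache is cleared, which is the operational reason for the Note above.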

Examples

The following example enables a 128 KB cache of filtering verdicts keyed on both the source and the destination address:

hostname(config)# url-cache src_dst 128

Related Commands

Commands
Description

clear url-cache statistics

Clears the URL cache statistics counters.

filter url

Directs traffic to a URL filtering server.

show url-cache statistics

Displays information about the URL cache, which is used for URL responses received from an N2H2 or Websense filtering server.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


url-list

To configure a set of URLs for WebVPN users to access, use the url-list command in global configuration mode. To configure a list with multiple URLs, use this command with the same listname multiple times, once for each URL. To remove an entire configured list, use the no url-list listname command. To remove a configured URL, use the no url-list listname url command.

To configure multiple lists, use this command multiple times, assigning a unique listname to each list.

url-list {listname displayname url}

no url-list listname

no url-list listname url

Syntax Description

displayname

Provides the text that displays on the WebVPN end user interface to identify the URL. Maximum 64 characters. The displayname must be unique for a given list. Spaces are allowed.

listname

Groups the set of URLs that WebVPN users can access. Maximum 64 characters. Semicolons (;), ampersands (&), and less-than (<) characters are not allowed.

url

Specifies the link. Supported URL types are http, https and cifs.


Defaults

There is no default URL list.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration mode


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

You use the url-list command in global configuration mode to create one or more lists of URLs. To allow access to the URLs in a list for a specific group policy or user, use the listname you create here with the url-list command in webvpn mode.

Examples

The following example shows how to create a URL list called Marketing URLs that provides access to www.cisco.com, www.example.com, and www.example.org. The following table provides the values that the example uses for each entry.

listname          displayname              url
Marketing URLs    Cisco Systems            http://www.cisco.com
Marketing URLs    Example Company, Inc.    http://www.example.com
Marketing URLs    Example Organization     http://www.example.org

hostname(config)# url-list Marketing URLs Cisco Systems http://www.cisco.com
hostname(config)# url-list Marketing URLs Example Company, Inc. http://www.example.com
hostname(config)# url-list Marketing URLs Example Organization http://www.example.org

Related Commands

Command
Description

clear configure url-list [listname]

Removes all url-list commands from the configuration. If you include the listname, the security appliance removes only the commands for that list.

url-list

Use this command in webvpn mode to permit a group policy or user to access a previously configured list of URLs.

show running-config url-list

Displays the current set of configured URL lists.

webvpn

Use in group-policy configuration mode or in username configuration mode. Lets you enter webvpn mode to configure parameters that apply to group policies or usernames.

webvpn

Use in global configuration mode. Lets you configure global settings for WebVPN.


url-list (webvpn)

To apply a list of WebVPN servers and URLs to a particular user or group policy, use the url-list command in group-policy webvpn configuration mode or in username webvpn configuration mode. To remove a list, including a null value created by using the url-list none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting a url list, use the url-list none command. Using the command a second time overrides the previous setting.

url-list {value name | none} [index]

no url-list

Syntax Description

index

Indicates the display priority on the home page.

none

Sets a null value for url lists. Prevents inheriting a list from a default or specified group policy.

value name

Specifies the name of a previously configured list of urls. To configure such a list, use the url-list command in global configuration mode.


Defaults

There is no default URL list.

Command Modes

The following table shows the modes in which you enter the commands:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn mode


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Using the command a second time overrides the previous setting.

Before you can use the url-list command in webvpn mode to identify a URL list that you want to display on the WebVPN home page for a user or group policy, you must create the list. Use the url-list command in global configuration mode to create one or more lists.

Examples

The following example applies a URL list called FirstGroupURLs for the group policy named FirstGroup and assigns it first place among the URL lists:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# url-list value FirstGroupURLs 1

Related Commands

Command
Description

clear configure url-list [listname]

Removes all url-list commands from the configuration. If you include the listname, the security appliance removes only the commands for that list.

show running-config url-list

Displays the current set of configured url-list commands.

url-list

Use this command in global configuration mode to configure the set of URLs that WebVPN users can access.

webvpn

Lets you enter webvpn mode. This can be webvpn configuration mode, group-policy webvpn configuration mode (to configure webvpn settings for a specific group policy), or username webvpn configuration mode (to configure webvpn settings for a specific user).


url-server

To identify an N2H2 or Websense server for use with the filter command, use the url-server command in global configuration mode. To remove the configuration, use the no form of this command.

N2H2

url-server (if_name) vendor n2h2 host local_ip [port number] [timeout seconds] [protocol {TCP [connections num_conns] | UDP}]

no url-server (if_name) vendor n2h2 host local_ip [port number] [timeout seconds] [protocol {TCP [connections num_conns] | UDP}]

Websense

url-server (if_name) vendor websense host local_ip [timeout seconds] [protocol {TCP [connections num_conns] | UDP}] [version {1 | 4}]

no url-server (if_name) vendor websense host local_ip [timeout seconds] [protocol {TCP [connections num_conns] | UDP}] [version {1 | 4}]

Syntax Description

N2H2

connections

Limits the maximum number of TCP connections permitted.

num_conns

Specifies the maximum number of TCP connections created from the security appliance to the URL server. Since this number is per server, different servers can have different connection values.

host local_ip

The server that runs the URL filtering application.

if_name

(Optional) The network interface on which the URL filtering server resides. If not specified, the default is inside.

port number

The N2H2 server port. The security appliance also listens for UDP replies on this port. The default port number is 4005.

protocol

The protocol can be configured using TCP or UDP keywords. The default is TCP.

timeout seconds

The maximum idle time permitted before the security appliance switches to the next server you specified. The default is 30 seconds.

vendor n2h2

Indicates URL filtering service vendor is N2H2.


Websense

connections

Limits the maximum number of TCP connections permitted.

num_conns

Specifies the maximum number of TCP connections created from the security appliance to the URL server. Since this number is per server, different servers can have different connection values.

host local_ip

The server that runs the URL filtering application.

if_name

(Optional) The network interface on which the URL filtering server resides. If not specified, the default is inside.

timeout seconds

The maximum idle time permitted before the security appliance switches to the next server you specified. The default is 30 seconds.

protocol

The protocol can be configured using TCP or UDP keywords. The default is TCP protocol, Version 1.

vendor websense

Indicates URL filtering service vendor is Websense.

version

Specifies protocol Version 1 or 4. The default is TCP protocol Version 1. TCP can be configured using Version 1 or Version 4. UDP can be configured using Version 4 only.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The url-server command designates the server running the N2H2 or Websense URL filtering application. The limit is 16 URL servers in single context mode and 4 URL servers in multiple context mode; however, you can use only one application at a time, either N2H2 or Websense. Additionally, changing your configuration on the security appliance does not update the configuration on the application server; this must be done separately, according to the vendor instructions.

The url-server command must be configured before you issue the filter command for HTTPS and FTP. If all URL servers are removed from the server list, then all filter commands related to URL filtering are also removed.

Once you designate the server, enable the URL filtering service with the filter url command.

Use the show url-server statistics command to view server statistic information including unreachable servers.

Follow these steps to filter URLs:


Step 1 Designate the URL filtering application server with the appropriate form of the vendor-specific url-server command.

Step 2 Enable URL filtering with the filter command.

Step 3 (Optional) Use the url-cache command to enable URL caching to improve perceived response time.

Step 4 (Optional) Enable long URL and HTTP buffering support using the url-block command.

Step 5 Use the show url-block block statistics, show url-cache statistics, or the show url-server statistics commands to view run information.

For more information about Filtering by N2H2, visit N2H2's website at:

http://www.n2h2.com

For more information on Websense filtering services, visit the following website:

http://www.websense.com/


Examples

Using N2H2, the following example filters all outbound HTTP connections except those from the 10.0.2.54 host:

hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.1
hostname(config)# filter url http 0 0 0 0
hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0

Using Websense, the following example filters all outbound HTTP connections except those from the 10.0.2.54 host:

hostname(config)# url-server (perimeter) vendor websense host 10.0.1.1 protocol TCP version 4
hostname(config)# filter url http 0 0 0 0
hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0

Related Commands

Commands
Description

clear url-server

Clears the URL filtering server statistics.

filter url

Directs traffic to a URL filtering server.

show url-block

Displays the URL block buffer configuration and statistics for the web server packets held while waiting for a response from an N2H2 or Websense filtering server.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.


user-authentication

To enable user authentication, use the user-authentication enable command in group-policy configuration mode. To disable user authentication, use the user-authentication disable command. To remove the user authentication attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for user authentication from another group policy.

When enabled, user authentication requires that individual users behind a hardware client authenticate to gain access to the network across the tunnel.

user-authentication {enable | disable}

no user-authentication

Syntax Description

disable

Disables user authentication.

enable

Enables user authentication.


Defaults

User authentication is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Individual users authenticate according to the order of authentication servers that you configure.

If you require user authentication on the primary security appliance, be sure to configure it on any backup servers as well.

Examples

The following example shows how to enable user authentication for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# user-authentication enable

Related Commands

Command
Description

ip-phone-bypass

Lets IP phones connect without undergoing user authentication. Secure unit authentication remains in effect.

leap-bypass

Lets LEAP packets from wireless devices behind a VPN client travel across a VPN tunnel prior to user authentication, when enabled. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per user authentication.

secure-unit-authentication

Provides additional security by requiring the VPN client to authenticate with a username and password each time the client initiates a tunnel.

user-authentication-idle-timeout

Sets an idle timeout for individual users. If there is no communication activity on a user connection in the idle timeout period, the security appliance terminates the connection.


user-authentication-idle-timeout

To set an idle timeout for individual users behind hardware clients, use the user-authentication-idle-timeout command in group-policy configuration mode. To delete the idle timeout value, use the no form of this command. This option allows inheritance of an idle timeout value from another group policy. To prevent inheriting an idle timeout value, use the user-authentication-idle-timeout none command.

If there is no communication activity by a user behind a hardware client in the idle timeout period, the security appliance terminates the connection.

user-authentication-idle-timeout {minutes | none}

no user-authentication-idle-timeout

Syntax Description

minutes

Specifies the number of minutes in the idle timeout period. The range is from 1 through 35791394 minutes.

none

Permits an unlimited idle timeout period by setting the idle timeout to a null value, thereby disabling the idle timeout. Prevents inheriting a user authentication idle timeout value from a default or specified group policy.


Defaults

30 minutes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The minimum is 1 minute, the default is 30 minutes, and the maximum is 10,080 minutes.

Examples

The following example shows how to set an idle timeout value of 45 minutes for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# user-authentication-idle-timeout 45

Related Commands

Command
Description

user-authentication

Requires users behind hardware clients to identify themselves to the security appliance before connecting.


username

To add a user to the security appliance database, enter the username command in global configuration mode. To remove a user, use the no version of this command with the username you want to remove. To remove all usernames, use the no version of this command without appending a username.

username name {nopassword | password password [encrypted]} [privilege priv_level]

no username [name]

Syntax Description

encrypted

Indicates that the password is encrypted.

name

Provides the name of the user.

nopassword

Indicates that this user needs no password.

password password

Indicates that this user has a password, and provides the password.

privilege priv_level

Sets a privilege level for this user. The range is from 0 to 15, with lower numbers having less ability to use commands and administer the security appliance. The default privilege level is 2. The typical privilege level for a system administrator is 15.


Defaults

By default, VPN users that you add with this command have no attributes or group policy association. You must configure all values explicitly.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The internal user authentication database consists of the users entered with the username command. The login command uses this database for authentication.

Use the username attributes command to enter config-username mode, in which you can configure any of the following attributes:

Attribute
Function

group-lock

Name an existing tunnel-group with which the user is required to connect.

password-storage

Enables/disables storage of the login password on the client system.

vpn-access-hours

Specifies the name of a configured time-range policy.

vpn-filter

Specifies the name of a user-specific ACL

vpn-framed-ip-address

Specifies the IP address and the net mask to be assigned to the client.

vpn-group-policy

Specifies the name of a group-policy from which to inherit attributes.

vpn-idle-timeout

Specifies the idle timeout period in minutes, or none to disable.

vpn-session-timeout

Specifies the maximum user connection time in minutes, or none for unlimited time.

vpn-simultaneous-logins

Specifies the maximum number of simultaneous logins allowed.

vpn-tunnel-protocol

Specifies permitted tunneling protocols.

webvpn

Enters webvpn mode, in which you configure webvpn attributes.


Examples

The following example shows how to configure a user named "anyuser" with a privilege level of 12 and a password supplied in its already encrypted form; here 12345678 stands for the encrypted string as it would appear in a saved configuration, and the encrypted keyword tells the security appliance not to encrypt it again:

hostname(config)# username anyuser password 12345678 encrypted privilege 12

Related Commands

Command
Description

clear configure username

Clears the configuration for a particular user or for all users.

show running-config username

Displays the running configuration for a particular user or for all users.

username attributes

Enters username attributes mode, which lets you configure attributes for specific users.

webvpn

Enters webvpn configuration mode for the specified group policy or username, in which you can configure WebVPN attributes.


username attributes

To enter the username attributes mode, use the username attributes command in global configuration mode. To remove all attributes for a particular user, use the no form of this command and append the username. To remove all attributes for all users, use the no form of this command without appending a username. The attributes mode lets you configure Attribute-Value Pairs for a specified user.

username {name} attributes

no username [name] attributes

Syntax Description

name

Provides the name of the user.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The internal user authentication database consists of the users entered with the username command. The login command uses this database for authentication. You can configure the username attributes using either the username command or the username attributes command.

The syntax of the commands in config-username mode has the following characteristics in common:

The no form removes the attribute from the running configuration.

The none keyword also removes the attribute from the running configuration. But it does so by setting the attribute to a null value, thereby preventing inheritance.

Boolean attributes have explicit syntax for enabled and disabled settings.

The username attributes command enters config-username mode, in which you can configure any of the following attributes:

Attribute
Function

group-lock

Names an existing tunnel group to which the user is required to connect.

password-storage

Enables/disables storage of the login password on the client system.

vpn-access-hours

Specifies the name of a configured time-range policy.

vpn-filter

Specifies the name of a user-specific ACL.

vpn-framed-ip-address

Specifies the IP address and the net mask to be assigned to the client.

vpn-group-policy

Specifies the name of a group-policy from which to inherit attributes.

vpn-idle-timeout

Specifies the idle timeout period in minutes, or none to disable.

vpn-session-timeout

Specifies the maximum user connection time in minutes, or none for unlimited time.

vpn-simultaneous-logins

Specifies the maximum number of simultaneous logins allowed.

vpn-tunnel-protocol

Specifies permitted tunneling protocols.

webvpn

Enters webvpn mode, in which you configure webvpn attributes.


You configure webvpn-mode attributes for the username by entering the username attributes command and then entering the webvpn command in username webvpn configuration mode. See the description of the webvpn command (group-policy attributes and username attributes modes) for details.

Examples

The following example shows how to enter username attributes configuration mode for a user named "anyuser":

hostname(config)# username anyuser attributes
hostname(config-username)# 

Related Commands

Command
Description

clear config username

Clears the username database.

show running-config username

Displays the running configuration for a particular user or for all users.

username

Adds a user to the security appliance database.

webvpn

Enters username webvpn configuration mode, in which you can configure the WebVPN attributes for the specified group.


username-prompt

To customize the username prompt of the WebVPN page login box that is displayed to WebVPN users when they connect to the security appliance, use the username-prompt command from webvpn customization mode:

username-prompt {text | style} value

[no] username-prompt {text | style} value

To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

Syntax Description

text

Specifies you are changing the text.

style

Specifies you are changing the style.

value

The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).


Defaults

The default text of the username prompt is "USERNAME:".

The default style of the username prompt is color:black;font-weight:bold;text-align:right.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn customization


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.


Note To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.


Examples

In the following example, the text is changed to "Corporate Username:", and the default style is changed with the font weight increased to bolder:

F1-asa1(config)# webvpn
F1-asa1(config-webvpn)# customization cisco
F1-asa1(config-webvpn-custom)# username-prompt text Corporate Username:
F1-asa1(config-webvpn-custom)# username-prompt style font-weight:bolder

Related Commands

Command
Description

group-prompt

Customizes the group prompt of the WebVPN page.

password-prompt

Customizes the password prompt of the WebVPN page.


user-parameter

To specify the name of the HTTP POST request parameter in which a username must be submitted for SSO authentication, use the user-parameter command in aaa-server-host configuration mode. This is an SSO with HTTP Forms command.

user-parameter name


Note To configure SSO with the HTTP protocol correctly, you must have a thorough working knowledge of authentication and HTTP protocol exchanges.


Syntax Description

name

The name of the username parameter included in the HTTP POST request. The maximum name size is 128 characters.


Defaults

There is no default value or behavior.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server-host configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

The WebVPN server of the security appliance uses an HTTP POST request to submit a single sign-on authentication request to an SSO server. The required command user-parameter specifies that the HTTP POST request must include a username parameter for SSO authentication.


Note At login, the user enters the actual username; that value is placed in the HTTP POST request and passed on to the authenticating web server.


Examples

The following example, entered in aaa-server-host configuration mode, specifies that the username parameter userid be included in the HTTP POST request used for SSO authentication:

hostname(config)# aaa-server testgrp1 host example.com
hostname(config-aaa-server-host)# user-parameter userid
hostname(config-aaa-server-host)#
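The exchange that user-parameter takes part in, as an added model written for this section rather than code from the security appliance: the appliance posts a form to the configured action-uri whose field names come from user-parameter, password-parameter and hidden-parameter, then reads the cookie named by auth-cookie-name from the reply. The configuration values, the stand-in SSO server, its login-form field names and its credential store are all constructed for the example.

```python
# Added example (not the security appliance's own code): a model of the SSO
# "HTTP Forms" exchange in which user-parameter is used. Configuration values,
# the stand-in web server and its credentials are constructed.
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed aaa-server-host settings, keyed by the command that sets each one.
SSO_CONFIG = {
    "action_uri": "http://example.com/auth/login.cgi",  # action-uri
    "user_parameter": "userid",                         # user-parameter userid
    "password_parameter": "user_password",              # password-parameter
    "hidden_parameters": {"cctx": "sso", "ltx": "1"},   # hidden-parameter
    "auth_cookie_name": "SMSESSION",                    # auth-cookie-name
}

# What the constructed web server's login form actually expects, and who it knows.
SERVER_FORM = {"user_field": "userid", "password_field": "user_password"}
SERVER_USERS = {"alice": "correct horse battery"}


def build_sso_post(config: dict, username: str, password: str) -> bytes:
    """Build the HTTP POST the appliance sends to the SSO server."""
    names = [config["user_parameter"], config["password_parameter"],
             *config["hidden_parameters"]]
    for name in names:
        if not 1 <= len(name) <= 128:            # limit stated for user-parameter
            raise ValueError(f"parameter name {name!r} exceeds 128 characters")
    fields = dict(config["hidden_parameters"])
    fields[config["user_parameter"]] = username
    fields[config["password_parameter"]] = password
    body = urlencode(fields).encode()
    url = urlsplit(config["action_uri"])
    head = (f"POST {url.path or '/'} HTTP/1.1\r\n"
            f"Host: {url.netloc}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def fake_sso_server(request: bytes) -> bytes:
    """Stand-in authenticating web server: checks the form fields it expects."""
    _, _, body = request.partition(b"\r\n\r\n")
    form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    user = form.get(SERVER_FORM["user_field"])
    if user is not None and SERVER_USERS.get(user) == form.get(SERVER_FORM["password_field"]):
        cookie = f"{SSO_CONFIG['auth_cookie_name']}=sess-{user}; Path=/; HttpOnly"
        return f"HTTP/1.1 200 OK\r\nSet-Cookie: {cookie}\r\nContent-Length: 0\r\n\r\n".encode()
    return b"HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n\r\n"


def extract_auth_cookie(response: bytes, cookie_name: str) -> Optional[str]:
    """Return the value of cookie_name from the reply's Set-Cookie headers, if present."""
    head = response.split(b"\r\n\r\n", 1)[0].decode()
    for line in head.split("\r\n")[1:]:            # skip the status line
        header, _, value = line.partition(":")
        if header.strip().lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value.strip())
            if cookie_name in jar:
                return jar[cookie_name].value
    return None


def sso_login(config: dict, username: str, password: str) -> Optional[str]:
    """Run the whole exchange; a returned cookie value means SSO succeeded."""
    response = fake_sso_server(build_sso_post(config, username, password))
    return extract_auth_cookie(response, config["auth_cookie_name"])


if __name__ == "__main__":
    print(sso_login(SSO_CONFIG, "alice", "correct horse battery"))
    print(sso_login(dict(SSO_CONFIG, user_parameter="username"), "alice", "correct horse battery"))
```

The second call in the usage block shows the failure mode a practitioner meets most often: when user-parameter does not match the field name of the real login form, the server answers 401, no cookie is issued, and SSO fails even though the credentials were correct.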

Related Commands

Command
Description

action-uri

Specifies a web server URI to receive a username and password for single sign-on authentication.

auth-cookie-name

Specifies a name for the authentication cookie.

hidden-parameter

Creates hidden parameters for exchange with the authenticating web server.

password-parameter

Specifies the name of the HTTP POST request parameter in which a user password must be submitted for SSO authentication.

start-url

Specifies the URL at which to retrieve a pre-login cookie.


virtual http

To configure a virtual HTTP server, use the virtual http command in global configuration mode. To disable the virtual server, use the no form of this command. When you use HTTP authentication on the security appliance, and the HTTP server also requires authentication, this command allows you to authenticate separately with the security appliance and with the HTTP server. Without virtual HTTP, the same username and password you used to authenticate with the security appliance is sent to the HTTP server; you are not prompted separately for the HTTP server username and password.

virtual http ip_address [warning]

no virtual http ip_address [warning]

Syntax Description

ip_address

Sets the IP address for the virtual HTTP server on the security appliance. Make sure this address is an unused address that is routed to the security appliance. For example, if you perform NAT for inside addresses when they access the outside, and you want to provide outside access to the virtual HTTP server, you can use one of the global NAT addresses for the virtual HTTP server address.

warning

(Optional) Notifies users that the HTTP connection needs to be redirected to the security appliance. This keyword applies only for text-based browsers, where the redirect cannot happen automatically.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

If you enable HTTP authentication (see the aaa authentication match command or the aaa authentication include command), then the security appliance prompts each user for a username and password so it can authenticate them with a AAA server. After the AAA server authenticates the user, the connection is allowed to continue to the HTTP server. However, the AAA server username and password are still included in the HTTP packet. If the HTTP server also has its own authentication mechanism, then the user is not prompted again for a username and password because a username and password are already included in the packet. Assuming the username and password are not the same for the AAA and HTTP servers, the HTTP authentication fails.

To allow a user to be prompted separately by the HTTP server, enable the virtual HTTP server on the security appliance using the virtual http command. This command redirects all HTTP connections that require AAA authentication to the virtual HTTP server on the security appliance. The security appliance prompts for the AAA server username and password. After the AAA server authenticates the user, the security appliance redirects the HTTP connection back to the original server, but it does not include the AAA server username and password. Because the username and password are not included in the HTTP packet, the HTTP server prompts the user separately for the HTTP server username and password.


Caution Do not set the timeout uauth command duration to 0 seconds when using the virtual http command, because this setting prevents HTTP connections to the real web server.

Examples

This example shows how to enable virtual HTTP along with AAA authentication:

hostname(config)# access-list HTTP-ACL extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
hostname(config)# aaa authentication match HTTP-ACL inside tacacs+
hostname(config)# virtual http 10.1.2.1

Related Commands

Command
Description

clear configure virtual

Removes virtual command statements from the configuration.

show running-config virtual

Displays the IP address of the security appliance virtual server.

sysopt uauth allow-http-cache

When you enable the virtual http command, this command lets you use the username and password in the browser cache to reconnect to the virtual server.

virtual telnet

Provides a virtual Telnet server on the security appliance to let users authenticate with the security appliance before initiating other types of connections that require authentication.


virtual telnet

To configure a virtual Telnet server on the security appliance, use the virtual telnet command in global configuration mode. You might need to authenticate users with the virtual Telnet server if you require authentication for other types of traffic for which the security appliance does not supply an authentication prompt. To disable the server, use the no form of this command.

virtual telnet ip-address

no virtual telnet ip-address

Syntax Description

ip_address

Sets the IP address for the virtual Telnet server on the security appliance. Make sure this address is an unused address that is routed to the security appliance. For example, if you perform NAT for inside addresses when they access the outside, and you want to provide outside access to the virtual Telnet server, you can use one of the global NAT addresses for the virtual Telnet server address.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Although you can configure network access authentication for any protocol or service (see the aaa authentication match or aaa authentication include command), you can authenticate directly with HTTP, Telnet, or FTP only. A user must first authenticate with one of these services before other traffic that requires authentication is allowed through. If you do not want to allow HTTP, Telnet, or FTP through the security appliance, but want to authenticate other types of traffic, you can configure virtual Telnet; the user Telnets to a given IP address configured on the security appliance, and the security appliance provides a Telnet prompt.

When an unauthenticated user connects to the virtual Telnet IP address, the user is challenged for a username and password, and then authenticated by the AAA server. Once authenticated, the user sees the message "Authentication Successful." Then, the user can successfully access other services that require authentication.

Examples

This example shows how to enable virtual Telnet along with AAA authentication for other services:

hostname(config)# access-list AUTH extended permit tcp 10.1.1.0 255.255.255.0 host 10.1.2.1 eq telnet
hostname(config)# access-list AUTH extended permit tcp 10.1.1.0 255.255.255.0 host 209.165.200.225 eq smtp
hostname(config)# aaa authentication match AUTH inside tacacs+
hostname(config)# virtual telnet 10.1.2.1

Related Commands

Command
Description

clear configure virtual

Removes virtual command statements from the configuration.

show running-config virtual

Displays the IP address of the security appliance virtual server.

virtual http

When you use HTTP authentication on the security appliance, and the HTTP server also requires authentication, this command allows you to authenticate separately with the security appliance and with the HTTP server. Without virtual HTTP, the same username and password you used to authenticate with the security appliance is sent to the HTTP server; you are not prompted separately for the HTTP server username and password.


vlan

To assign a VLAN ID to a subinterface, use the vlan command in interface configuration mode. To remove a VLAN ID, use the no form of this command. Subinterfaces require a VLAN ID to pass traffic. VLAN subinterfaces let you configure multiple logical interfaces on a single physical interface. VLANs let you keep traffic separate on a given physical interface, for example, for multiple security contexts.

vlan id

no vlan

Syntax Description

id

Specifies an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was moved from a keyword of the interface command to an interface configuration mode command.


Usage Guidelines

You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the security appliance changes the old ID.

You must enable the physical interface with the no shutdown command before its subinterfaces can be enabled. Because the physical interface must stay up, you cannot keep traffic off it by shutting it down. If you enable subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets; instead, ensure that the physical interface does not pass traffic by leaving out the nameif command. If you do want the physical interface to pass untagged packets, configure the nameif command as usual.

The maximum number of subinterfaces varies depending on your platform. See the Cisco Security Appliance Command Line Configuration Guide for the maximum subinterfaces per platform.
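An added configuration audit for the rules above, written for this section rather than taken from Cisco: it parses interface blocks from a running-config excerpt and flags subinterfaces with no vlan (they cannot pass traffic), VLAN IDs outside 1 to 4094, and a physical interface that carries subinterfaces but is also named with nameif (so it would pass untagged packets). The excerpt is constructed; the CLI would reject vlan 5000 itself, so that block stands in for configuration generated or edited outside the appliance.

```python
# Added example (not Cisco code): audit subinterface VLAN rules over a
# constructed running-config excerpt.
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/0.1
 vlan 101
 nameif dmz1
 security-level 50
 ip address 10.1.2.1 255.255.255.0
interface GigabitEthernet0/0.2
 nameif dmz2
 security-level 50
 ip address 10.1.3.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/1.5
 vlan 5000
 nameif guest
 security-level 10
 ip address 10.1.5.1 255.255.255.0
"""

Interfaces = Dict[str, Dict[str, str]]


def parse_interfaces(config: str) -> Interfaces:
    """Map each interface name to {first keyword: rest of line} for its indented lines."""
    blocks: Interfaces = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):                    # top-level line
            match = re.match(r"interface (\S+)$", raw)
            current = blocks.setdefault(match.group(1), {}) if match else None
            continue
        if current is not None:
            keyword, _, rest = raw.strip().partition(" ")
            current[keyword] = rest
    return blocks


def audit_interfaces(config: str) -> List[str]:
    """Return one finding per violation of the subinterface rules."""
    ifaces = parse_interfaces(config)
    findings: List[str] = []
    children: Dict[str, List[str]] = {}
    for name in ifaces:
        if "." in name:                                # "Gi0/0.1" belongs to "Gi0/0"
            children.setdefault(name.split(".", 1)[0], []).append(name)

    for parent, subs in children.items():
        if "nameif" in ifaces.get(parent, {}):
            findings.append(f"{parent}: nameif is set while subinterfaces "
                            f"{', '.join(subs)} exist, so untagged packets pass on it")
        for sub in subs:
            vlan = ifaces[sub].get("vlan")
            if vlan is None:
                findings.append(f"{sub}: no vlan configured, so it cannot pass traffic")
            elif not vlan.isdigit() or not 1 <= int(vlan) <= 4094:
                findings.append(f"{sub}: vlan {vlan} is outside the 1-4094 range")
    return findings


if __name__ == "__main__":
    for finding in audit_interfaces(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports three findings: GigabitEthernet0/0.2 has no VLAN, GigabitEthernet0/1 is named while carrying a subinterface, and GigabitEthernet0/1.5 uses an out-of-range ID. GigabitEthernet0/0, which has no nameif, is the pattern the guidelines recommend.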

Examples

The following example assigns VLAN 101 to a subinterface:

hostname(config)# interface gigabitethernet0/0.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# no shutdown

The following example changes the VLAN to 102:

hostname(config)# show running-config interface gigabitethernet0/0.1
interface GigabitEthernet0/0.1
   vlan 101
   nameif dmz1
   security-level 50
   ip address 10.1.2.1 255.255.255.0
hostname(config)# interface gigabitethernet0/0.1
hostname(config-subif)# vlan 102
hostname(config)# show running-config interface gigabitethernet0/0.1
interface GigabitEthernet0/0.1
   vlan 102
   nameif dmz1
   security-level 50
   ip address 10.1.2.1 255.255.255.0

Related Commands

Command
Description

allocate-interface

Assigns interfaces and subinterfaces to a security context.

interface

Configures an interface and enters interface configuration mode.

show running-config interface

Shows the current configuration of the interface.


vpn-access-hours

To associate a group policy with a configured time-range policy, use the vpn-access-hours command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a time-range value from another group policy. To prevent inheriting a value, use the vpn-access-hours none command.

vpn-access-hours {value time-range | none}

no vpn-access-hours

Syntax Description

none

Sets VPN access hours to a null value, thereby allowing no time-range policy. Prevents inheriting a value from a default or specified group policy.

time-range

Specifies the name of a configured time-range policy.


Defaults

Unrestricted.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Examples

The following example shows how to associate the group policy named FirstGroup with a time-range policy called 824:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-access-hours value 824

Related Commands

Command
Description

time-range

Sets days of the week and hours of the day for access to the network, including start and end dates.


vpn-addr-assign

To specify a method for assigning IP addresses to remote access clients, use the vpn-addr-assign command in global configuration mode. To remove the attribute from the configuration, use the no version of this command. To remove all configured VPN address assignment methods from the security appliance, use the no version of this command without arguments.

vpn-addr-assign {aaa | dhcp | local}

no vpn-addr-assign [aaa | dhcp | local]

Syntax Description

aaa

Obtains IP addresses from an external AAA authentication server.

dhcp

Obtains IP addresses via DHCP.

local

Assigns IP addresses from an internal authentication server, and associates them with a tunnel group.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

If you choose DHCP, you must also use the dhcp-network-scope command to define the range of IP addresses that the DHCP server can use.

If you choose local, you must also use the ip-local-pool command to define the range of IP addresses to use. You then use the vpn-framed-ip-address and vpn-framed-ip-netmask commands to assign IP addresses and netmasks to individual users.

If you choose AAA, you obtain IP addresses from a previously configured RADIUS server.

Examples

The following example shows how to configure DHCP as the address assignment method:

hostname(config)# vpn-addr-assign dhcp

Related Commands

Command
Description

dhcp-network-scope

Specifies the range of IP addresses the security appliance DHCP server should use to assign addresses to users of a group policy.

ip-local-pool

Creates a local IP address pool.

vpn-framed-ip-address

Specifies the IP address to assign to a particular user.

vpn-framed-ip-netmask

Specifies the netmask to assign to a particular user.


vpn-filter

To specify the name of the ACL to use for VPN connections, use the vpn-filter command in group policy or username mode. To remove the ACL, including a null value created by issuing the vpn-filter none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting values, use the vpn-filter none command.

You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the vpn-filter command to apply those ACLs.

vpn-filter {value ACL name | none}

no vpn-filter

Syntax Description

none

Indicates that there is no access list. Sets a null value, thereby disallowing an access list. Prevents inheriting an access list from another group policy.

value ACL name

Provides the name of the previously configured access list.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

WebVPN does not use the ACL defined in the vpn-filter command.

Examples

The following example shows how to set a filter that invokes an access list named acl_vpn for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-filter value acl_vpn

Related Commands

Command
Description

access-list

Creates an access list, or uses a downloadable access list.


vpn-framed-ip-address

To specify the IP address to assign to a particular user, use the vpn-framed-ip-address command in username mode. To remove the IP address, use the no form of this command.

vpn-framed-ip-address {ip_address}

no vpn-framed-ip-address

Syntax Description

ip_address

Provides the IP address for this user.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Username


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following example shows how to set an IP address of 10.92.166.7 for a user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# vpn-framed-ip-address 10.92.166.7

Related Commands

Command
Description

vpn-framed-ip-netmask

Provides the subnet mask for this user.


vpn-framed-ip-netmask

To specify the subnet mask to assign to a particular user, use the vpn-framed-ip-netmask command in username mode. To remove the subnet mask, use the no form of this command.

vpn-framed-ip-netmask {netmask}

no vpn-framed-ip-netmask

Syntax Description

netmask

Provides the subnet mask for this user.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Username


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following example shows how to set a subnet mask of 255.255.255.254 for a user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# vpn-framed-ip-netmask 255.255.255.254

Note If RADIUS only returns the subnet mask, the authentication uses the IP address from the local pool which has its own subnet netmask. It does not use the mask from RADIUS. To prevent this, return both the netmask and IP address from RADIUS.


Related Commands

Command
Description

vpn-framed-ip-address

Provides the IP address for this user.


vpn-group-policy

To have a user inherit attributes from a configured group policy, use the vpn-group-policy command in username configuration mode. To remove a group policy from a user configuration, use the no version of this command. Using this command lets users inherit attributes that you have not configured at the username level.

vpn-group-policy {group-policy name}

no vpn-group-policy {group-policy name}

Syntax Description

group-policy name

Provides the name of the group policy.


Defaults

By default, VPN users have no group policy association.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Username


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

You can override the value of an attribute in a group policy for a particular user by configuring it in username mode, if that attribute is available in username mode.
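The inheritance rules this entry and the username attributes entry describe (a username value overrides the group policy, the no form removes the attribute so the next level's value is inherited, and the none keyword stores a null value that stops inheritance), as an added model written for this reference rather than Cisco code. The attribute names follow the commands on this page; the levels, their sample values and the user walk-through are constructed.

```python
# Added example (not Cisco code): a model of attribute inheritance through
# username -> vpn-group-policy -> default group policy. Sample values are
# constructed.
from typing import Dict, Optional, Tuple

NONE = object()  # stands for an attribute explicitly set with the "none" keyword

# One configuration level (a username, a group policy, or the default group
# policy): attribute name -> value, or NONE. A missing key means the attribute
# was never set at that level or was removed with the "no" form.
Level = Dict[str, object]


def apply_command(level: Level, attr: str, value: Optional[str] = None,
                  no_form: bool = False) -> None:
    """Apply one attribute command to a level.

    apply_command(lvl, "vpn-idle-timeout", "15")          # vpn-idle-timeout 15
    apply_command(lvl, "vpn-filter", "none")               # vpn-filter none
    apply_command(lvl, "vpn-idle-timeout", no_form=True)   # no vpn-idle-timeout
    """
    if no_form:
        level.pop(attr, None)      # "no": attribute leaves the running config
    elif value == "none":
        level[attr] = NONE         # "none": null value stored, inheritance stops
    else:
        level[attr] = value


def resolve(attr: str, *levels: Level) -> Optional[str]:
    """Effective value of attr, checking levels from most to least specific.

    Returns None when no level sets the attribute or when an explicit "none"
    is found first; either way nothing is applied to the session.
    """
    for level in levels:
        if attr in level:
            value = level[attr]
            return None if value is NONE else value
    return None


def effective(attrs, *levels: Level) -> Dict[str, Optional[str]]:
    """Resolve several attributes through the same chain of levels."""
    return {attr: resolve(attr, *levels) for attr in attrs}


def demo() -> Tuple[Dict[str, Optional[str]], Dict[str, Optional[str]]]:
    """Walk user anyuser through username -> FirstGroup -> default group policy."""
    attrs = ("vpn-idle-timeout", "vpn-filter", "vpn-simultaneous-logins")

    # Constructed default group policy and the group policy FirstGroup.
    dflt_grp_policy: Level = {"vpn-idle-timeout": "30",
                              "vpn-filter": "acl_default",
                              "vpn-simultaneous-logins": "3"}
    first_group: Level = {}
    apply_command(first_group, "vpn-filter", "acl_vpn")   # vpn-filter value acl_vpn

    # username anyuser attributes, with vpn-group-policy FirstGroup
    anyuser: Level = {}
    apply_command(anyuser, "vpn-idle-timeout", "15")
    apply_command(anyuser, "vpn-filter", "none")          # blocks acl_vpn and acl_default
    before = effective(attrs, anyuser, first_group, dflt_grp_policy)

    # The "no" form removes both user-level settings, so inheritance resumes.
    apply_command(anyuser, "vpn-idle-timeout", no_form=True)
    apply_command(anyuser, "vpn-filter", no_form=True)
    after = effective(attrs, anyuser, first_group, dflt_grp_policy)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before no", "after no"), demo()):
        print(label, result)
```

Before the no commands the user's own idle timeout applies and no filter at all is applied, even though both group policies define one; afterwards the timeout falls through to the default group policy and the filter is inherited from FirstGroup. Simultaneous logins, never set below the default, are inherited in both cases.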

Examples

The following example shows how to configure a user named anyuser to use attributes from the group policy named FirstGroup:

hostname(config)# username anyuser attributes
hostname(config-username)# vpn-group-policy FirstGroup

Related Commands

Command
Description

group-policy

Adds a group policy to the security appliance database.

group-policy attributes

Enters group-policy attributes mode, which lets you configure AVPs for a group policy.

username

Adds a user to the security appliance database.

username attributes

Enters username attributes mode, which lets you configure AVPs for specific users.


vpn-idle-timeout

To configure a user timeout period, use the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode. If there is no communication activity on the connection in this period, the security appliance terminates the connection.

To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a time-out value from another group policy. To prevent inheriting a value, use the vpn-idle-timeout none command.

vpn-idle-timeout {minutes | none}

no vpn-idle-timeout

Syntax Description

minutes

Specifies the number of minutes in the timeout period. Use an integer between 1 and 35791394.

none

Permits an unlimited idle timeout period. Sets idle timeout with a null value, thereby disallowing an idle timeout. Prevents inheriting a value from a default or specified group policy.


Defaults

30 minutes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following example shows how to set a VPN idle timeout of 15 minutes for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-idle-timeout 15

Related Commands

Command
Description

group-policy

Creates or edits a group policy.

vpn-session-timeout

Configures the maximum amount of time allowed for VPN connections. At the end of this period of time, the security appliance terminates the connection.


vpn load-balancing

To enter vpn load-balancing mode, in which you can configure VPN load balancing and related functions, use the vpn load-balancing command in global configuration mode.

vpn load-balancing


Note Only ASA Models 5520 and higher support VPN load balancing. VPN load balancing also requires an active 3DES/AES license. The security appliance checks for the existence of this crypto license before enabling load balancing. If it does not detect an active 3DES or AES license, the security appliance prevents the enabling of load balancing and also prevents internal configuration of 3DES by the load balancing system unless the license permits this usage.


Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration mode


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Use the vpn load-balancing command to enter vpn load-balancing mode. The following commands are available in vpn load-balancing mode:

cluster encryption

cluster ip address

cluster key

cluster port

interface

nat

participate

priority

See the individual command descriptions for detailed information.

Examples

The following is an example of the vpn load-balancing command; note the change in the prompt:

hostname(config)# vpn load-balancing
hostname(config-load-balancing)#

The following is an example of a VPN load-balancing command sequence that includes an interface command that specifies the public interface of the cluster as "test" and the private interface of the cluster as "foo":

hostname(config)# interface GigabitEthernet 0/1
hostname(config-if)# ip address 209.165.202.159 255.255.255.0
hostname(config-if)# nameif test
hostname(config)# interface GigabitEthernet 0/2
hostname(config-if)# ip address 209.165.201.30 255.255.255.0
hostname(config-if)# nameif foo
hostname(config)# vpn load-balancing
hostname(config-load-balancing)# nat 192.168.10.10
hostname(config-load-balancing)# priority 9
hostname(config-load-balancing)# interface lbpublic test
hostname(config-load-balancing)# interface lbprivate foo
hostname(config-load-balancing)# cluster ip address 209.165.202.224
hostname(config-load-balancing)# cluster key 123456789
hostname(config-load-balancing)# cluster encryption
hostname(config-load-balancing)# cluster port 9023

hostname(config-load-balancing)# participate

Related Commands

Command
Description

clear configure vpn load-balancing

Removes the load-balancing runtime configuration and disables load balancing.

show running-config vpn load-balancing

Displays the current VPN load-balancing virtual cluster configuration.

show vpn load-balancing

Displays VPN load-balancing runtime statistics.


vpn-sessiondb logoff

To log off all or selected VPN sessions, use the vpn-sessiondb logoff command in global configuration mode.

vpn-sessiondb logoff {remote | l2l | webvpn | email-proxy | protocol protocol-name | name username | ipaddress IPaddr | tunnel-group groupname | index indexnumber | all}

Syntax Description

all

Logs off all VPN sessions.

email-proxy

Logs off all e-mail proxy sessions.

index indexnumber

Logs off a single session by index number. Specify the index number for the session.

ipaddress IPaddr

Logs off sessions for the IP address that you specify.

l2l

Logs off all LAN-to-LAN sessions.

name username

Logs off sessions for the username that you specify.

protocol protocol-name

Logs off sessions for protocols that you specify. The protocols include:


IKE

IMAP4S

IPSec

IPSecLAN2LAN

IPSecLAN2LANOverNatT

IPSecOverNatT

IPSecoverTCP

IPSecOverUDP

POP3S

SMTPS

userHTTPS

vcaLAN2LAN

remote

Logs off all remote-access sessions.

tunnel-group groupname

Logs off sessions for the tunnel group that you specify.

webvpn

Logs off all WebVPN sessions.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following example shows how to log off all remote-access sessions:

hostname# vpn-sessiondb logoff remote

The next example shows how to log off all IPSec sessions:

hostname# vpn-sessiondb logoff protocol IPSec

vpn-sessiondb max-session-limit

To limit VPN sessions to a lower value than the security appliance allows, use the vpn-sessiondb max-session-limit command in global configuration mode. To remove the session limit, use the no version of this command. To overwrite the current setting, use the command again.

vpn-sessiondb max-session-limit {session-limit}

no vpn-sessiondb max-session-limit

Syntax Description

session-limit

Specifies the maximum number of VPN sessions permitted.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

This command applies to IPSec VPN sessions.

Examples

The following example shows how to set a maximum VPN session limit of 450:

hostname(config)# vpn-sessiondb max-session-limit 450

Related Commands

Command
Description

vpn-sessiondb logoff

Logs off all or specific types of IPsec VPN and WebVPN sessions.

vpn-sessiondb max-webvpn-session-limit

Sets a maximum number of WebVPN sessions.


vpn-sessiondb max-webvpn-session-limit

To limit WebVPN sessions to a lower value than the security appliance allows, use the vpn-sessiondb max-webvpn-session-limit command in global configuration mode. To remove the session limit, use the no version of this command. To overwrite the current setting, use the command again.

vpn-sessiondb max-webvpn-session-limit {session-limit}

no vpn-sessiondb max-webvpn-session-limit

Syntax Description

session-limit

Specifies the maximum number of WebVPN sessions permitted.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

This command applies to WebVPN sessions.

Examples

The following example shows how to set a maximum WebVPN session limit of 75:

hostname(config)# vpn-sessiondb max-webvpn-session-limit 75

Related Commands

Command
Description

vpn-sessiondb logoff

Logs off all or specific types of IPsec VPN and WebVPN sessions.

vpn-sessiondb max-session-limit

Sets a maximum number of VPN sessions.


vpn-session-timeout

To configure a maximum amount of time allowed for VPN connections, use the vpn-session-timeout command in group-policy configuration mode or in username configuration mode. At the end of this period of time, the security appliance terminates the connection.

To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a time-out value from another group policy. To prevent inheriting a value, use the vpn-session-timeout none command.

vpn-session-timeout {minutes | none}

no vpn-session-timeout

Syntax Description

minutes

Specifies the number of minutes in the timeout period. Use an integer between 1 and 35791394.

none

Permits an unlimited session timeout period. Sets session timeout with a null value, thereby disallowing a session timeout. Prevents inheriting a value from a default or specified group policy.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following example shows how to set a VPN session timeout of 180 minutes for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-session-timeout 180

Related Commands

Command
Description

group-policy

Creates or edits a group policy.

vpn-idle-timeout

Configures the user timeout period. If there is no communication activity on the connection in this period, the security appliance terminates the connection.


vpn-simultaneous-logins

To configure the number of simultaneous logins permitted for a user, use the vpn-simultaneous-logins command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy. Enter 0 to disable login and prevent user access.

vpn-simultaneous-logins {integer}

no vpn-simultaneous-logins

Syntax Description

integer

A number between 0 and 2147483647.


Defaults

The default is 3 simultaneous logins.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Enter 0 to disable login and prevent user access.

Examples

The following example shows how to allow a maximum of 4 simultaneous logins for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-simultaneous-logins 4

vpn-tunnel-protocol

To configure a VPN tunnel type (IPSec or WebVPN), use the vpn-tunnel-protocol command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command.

vpn-tunnel-protocol {webvpn | IPSec}

no vpn-tunnel-protocol [webvpn | IPSec]

Syntax Description

IPSec

Negotiates an IPSec tunnel between two peers (a remote access client or another secure gateway). Creates security associations that govern authentication, encryption, encapsulation, and key management.

webvpn

Provides VPN services to remote users via an HTTPS-enabled web browser, and does not require a client.


Defaults

IPSec.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Use this command to configure one or more tunneling modes. You must configure at least one tunneling mode for users to connect over a VPN tunnel.

Examples

The following example shows how to configure WebVPN and IPSec tunneling modes for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-tunnel-protocol webvpn
hostname(config-group-policy)# vpn-tunnel-protocol IPSec

web-agent-url

To specify the SSO server URL to which the security appliance makes SSO authentication requests, use the web-agent-url command in webvpn-sso-siteminder configuration mode. This is an SSO with CA SiteMinder command.

To remove an SSO server authentication URL, use the no form of this command.

web-agent-url url

no web-agent-url url


Note This command is required for SSO authentication.


Syntax Description

url

Specifies the authentication URL of the SSO server. Must contain http:// or https://.


Defaults

By default, an authentication URL is not configured.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn-sso-siteminder configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

Single-sign-on support, available only for WebVPN, lets users access different secure services on different servers without reentering a username and password more than once. The SSO server has a URL that handles authentication requests.

Use the web-agent-url command to configure the security appliance to send authentications to this URL. Before configuring the authentication URL, you must create the SSO server using the sso-server command.

Examples

The following example, entered in webvpn-sso-siteminder configuration mode, specifies an authentication URL of http://www.example.com/webvpn:

hostname(config-webvpn)# sso-server example type siteminder
hostname(config-webvpn-sso-siteminder)# web-agent-url http://www.example.com/webvpn
hostname(config-webvpn-sso-siteminder)#

Related Commands

Command
Description

max-retry-attempts

Configures the number of times the security appliance retries a failed SSO authentication attempt.

policy-server-secret

Creates a secret key used to encrypt authentication requests to an SSO server.

request-timeout

Specifies the number of seconds before a failed SSO authentication attempt times out.

show webvpn sso-server

Displays the operating statistics for an SSO server.

sso-server

Creates a single sign-on server.


web-applications

To customize the Web Application box of the WebVPN Home page that is displayed to authenticated WebVPN users, use the web-applications command from webvpn customization mode:

web-applications {title | message | dropdown} {text | style} value

[no] web-applications {title | message | dropdown} {text | style} value

To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

Syntax Description

title

Specifies you are changing the title.

message

Specifies you are changing the message displayed under the title.

dropdown

Specifies you are changing the dropdown box.

text

Specifies you are changing the text.

style

Specifies you are changing the HTML style.

value

The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).


Defaults

The default title text is "Web Application".

The default title style is background-color:#99CCCC;color:black;font-weight:bold;text-transform:
uppercase

The default message text is "Enter Web Address (URL)".

The default message style is background-color:#99CCCC;color:maroon;font-size:smaller.

The default dropdown text is "Web Bookmarks".

The default dropdown style is border:1px solid black;font-weight:bold;color:black;font-size:80%.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn customization


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma-separated entry indicates the level of intensity of each color to combine with the others.

HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.


Note To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.


Examples

The following example changes the title to "Applications", and the color of the text to blue:

F1-asa1(config)# webvpn
F1-asa1(config-webvpn)# customization cisco
F1-asa1(config-webvpn-custom)# web-applications title text Applications
F1-asa1(config-webvpn-custom)# web-applications title style color:blue

Related Commands

Command
Description

application-access

Customizes the Application Access box of the WebVPN Home page.

browse-networks

Customizes the Browse Networks box of the WebVPN Home page.

web-bookmarks

Customizes the Web Bookmarks title or links on the WebVPN Home page.

file-bookmarks

Customizes the File Bookmarks title or links on the WebVPN Home page.


web-bookmarks

To customize the Web Bookmarks title or links on the WebVPN Home page that is displayed to authenticated WebVPN users, use the web-bookmarks command from webvpn customization mode:

web-bookmarks {link {style value} | title {style value | text value}}

[no] web-bookmarks {link {style value} | title {style value | text value}}

To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

Syntax Description

link

Specifies you are changing the links.

title

Specifies you are changing the title.

style

Specifies you are changing the HTML style.

text

Specifies you are changing the text.

value

The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).


Defaults

The default link style is color:#669999;border-bottom: 1px solid #669999;text-decoration:none.

The default title style is color:#669999;background-color:#99CCCC;font-weight:bold.

The default title text is "Web Bookmarks".

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn customization


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma-separated entry indicates the level of intensity of each color to combine with the others.

HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.


Note To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.


Examples

The following example customizes the Web Bookmarks title to "Corporate Web Bookmarks":

F1-asa1(config)# webvpn
F1-asa1(config-webvpn)# customization cisco
F1-asa1(config-webvpn-custom)# web-bookmarks title text Corporate Web Bookmarks

Related Commands

Command
Description

application-access

Customizes the Application Access box of the WebVPN Home page.

browse-networks

Customizes the Browse Networks box of the WebVPN Home page.

file-bookmarks

Customizes the File Bookmarks title or links on the WebVPN Home page.

web-applications

Customizes the Web Application box of the WebVPN Home page.


webvpn (group-policy and username modes)

To enter this webvpn mode, use the webvpn command in group-policy configuration mode or in username configuration mode. To remove all commands entered in webvpn mode, use the no form of this command. These webvpn commands apply to the username or group policy from which you configure them.

Webvpn commands for group policies and usernames define access to files, MAPI proxy, URLs and TCP applications over WebVPN. They also identify ACLs and types of traffic to filter.

webvpn

no webvpn

Syntax Description

This command has no arguments or keywords.

Defaults

WebVPN is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Webvpn mode, which you enter from global configuration mode, lets you configure global settings for WebVPN. The webvpn command in group-policy attributes configuration mode or username attributes configuration mode applies the settings specified in the webvpn command to the group or user specified in the parent command. In other words, webvpn mode, described in this section, and which you enter from group-policy or username mode, lets you customize a WebVPN configuration for specific users or group policies.

The webvpn attributes that you apply for a specific group policy in group-policy attributes mode override those specified in the default group policy. The WebVPN attributes that you apply for a specific user in username attributes mode override both those in the default group policy and those in the group policy to which that user belongs. Essentially, these commands let you tweak the settings that would otherwise be inherited from the default group or the specified group policy. For information about the WebVPN settings, see the description of the webvpn command in global configuration mode.
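The override chain described above, together with the inheritance rules given under vpn-session-timeout, vpn-simultaneous-logins and wins-server (an attribute removed with the no form is inherited from the next policy; the none keyword is a configured null that stops inheritance; 0 simultaneous logins disables login), as an added example that is not Cisco's code. Policy names, the Policy class and the walkthrough data are constructed for illustration.

```python
"""Effective VPN attribute resolution: username -> group policy -> default group policy.
Added example, not Cisco code. Models the difference between 'no <attr>' (inherit)
and '<attr> none' (explicit null, no inheritance) with constructed policies."""
from dataclasses import dataclass, field
from typing import Any, Dict

NONE = "none"   # the keyword: a configured null value that stops inheritance
# An attribute absent from a scope was never set, or was removed with 'no <attr>',
# so resolution continues to the next scope in the chain.

# Appliance-level fallbacks this reference states for attributes that have one.
BUILTIN_DEFAULTS = {
    "vpn-simultaneous-logins": 3,       # "The default is 3 simultaneous logins."
    "vpn-tunnel-protocol": {"IPSec"},   # "Defaults: IPSec."
}

# Valid integer ranges from the Syntax Description sections.
RANGES = {
    "vpn-session-timeout": (1, 35791394),
    "vpn-simultaneous-logins": (0, 2147483647),
}


@dataclass
class Policy:
    """One scope: username attributes, a named group policy, or the default group policy."""
    name: str
    attrs: Dict[str, Any] = field(default_factory=dict)

    def set(self, attr: str, value: Any) -> None:
        """Model entering '<attr> <value>'; re-entering overwrites the previous value."""
        if attr in RANGES and value != NONE:
            lo, hi = RANGES[attr]
            if not (isinstance(value, int) and lo <= value <= hi):
                raise ValueError(f"{attr}: {value!r} outside {lo}..{hi}")
        self.attrs[attr] = value

    def unset(self, attr: str) -> None:
        """Model 'no <attr>': remove it so the value is inherited again."""
        self.attrs.pop(attr, None)


def resolve(attr: str, user: Policy, group: Policy, default_group: Policy) -> Any:
    """Walk the override chain. Returns None when the effective value is the
    explicit 'none' keyword (unlimited timeout, no WINS servers, and so on)."""
    for scope in (user, group, default_group):
        if attr in scope.attrs:
            value = scope.attrs[attr]
            return None if value == NONE else value
    return BUILTIN_DEFAULTS.get(attr)


def login_allowed(limit: int, active_sessions: int) -> bool:
    """vpn-simultaneous-logins semantics: a limit of 0 disables login entirely."""
    return limit > 0 and active_sessions < limit


def build_scenario():
    """Constructed policies mirroring the examples in this reference."""
    default_group = Policy("DfltGrpPolicy")
    default_group.set("vpn-session-timeout", 480)
    default_group.set("wins-server", ["10.10.10.15"])

    group = Policy("FirstGroup")
    group.set("vpn-session-timeout", 180)       # vpn-session-timeout example
    group.set("vpn-simultaneous-logins", 4)     # vpn-simultaneous-logins example
    # wins-server overwrites on every entry, so all servers are given at once.
    group.set("wins-server", ["10.10.10.15", "10.10.10.30", "10.10.10.45"])

    user = Policy("test")   # no attributes yet: everything inherits
    return user, group, default_group


def walkthrough() -> Dict[str, Any]:
    """Effective values at each step; the dict makes the results easy to check."""
    user, group, default_group = build_scenario()
    out: Dict[str, Any] = {}
    out["inherit_from_group"] = resolve("vpn-session-timeout", user, group, default_group)
    user.set("vpn-session-timeout", NONE)          # unlimited, inheritance blocked
    out["explicit_none"] = resolve("vpn-session-timeout", user, group, default_group)
    user.unset("vpn-session-timeout")              # 'no ...' is not 'unlimited'
    group.unset("vpn-session-timeout")             # now falls through to the default
    out["inherit_from_default"] = resolve("vpn-session-timeout", user, group, default_group)
    out["logins"] = resolve("vpn-simultaneous-logins", user, group, default_group)
    out["fourth_login_ok"] = login_allowed(out["logins"], active_sessions=3)
    out["fifth_login_ok"] = login_allowed(out["logins"], active_sessions=4)
    user.set("vpn-simultaneous-logins", 0)         # per-user lockout
    out["disabled"] = login_allowed(resolve("vpn-simultaneous-logins", user, group, default_group), 0)
    user.set("wins-server", NONE)                  # no WINS servers, none inherited
    out["wins"] = resolve("wins-server", user, group, default_group)
    out["tunnel"] = resolve("vpn-tunnel-protocol", user, group, default_group)
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key:22} -> {value}")
```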

The following table lists the attributes you can configure in webvpn group-policy attributes and username attributes mode. See the individual command descriptions for details.

Attribute
Description

auto-signon

Configures the security appliance to automatically pass WebVPN user login credentials on to internal servers, providing a single sign-on method for WebVPN users.

customization

Specifies a preconfigured WebVPN customization to apply.

deny-message

Specifies a message to display to the user when access is denied.

filter

Identifies the access list to be used for WebVPN connections.

functions

Configures file access and file browsing, MAPI Proxy, and URL entry over WebVPN.

homepage

Sets the URL of the webpage that displays when WebVPN users log in.

html-content-filter

Identifies Java, ActiveX, images, scripts, and cookies to filter for WebVPN sessions.

http-comp

Specifies the HTTP compression algorithm to use.

keep-alive-ignore

Specifies the maximum object size to ignore for updating the session.

port-forward

Enables WebVPN application access.

port-forward-name

Configures the display name that identifies TCP port forwarding to end users.

sso-server

Configures the SSO server name.

svc

Configures SSL VPN Client attributes.

url-list

Identifies a list of servers and URLs that users can access via WebVPN.


Examples

The following example shows how to enter webvpn mode for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# webvpn
hostname(config-webvpn)#

The following example shows how to enter webvpn mode for the username named "test":

hostname(config)# username test attributes
hostname(config-username)# webvpn
hostname(config-webvpn)#

Related Commands

Command
Description

clear configure group-policy

Removes the configuration for a particular group policy or for all group policies.

group-policy attributes

Enters config-group-policy mode, which lets you configure attributes and values for a specified group policy or lets you enter webvpn mode to configure webvpn attributes for the group.

show running-config group-policy

Displays the running configuration for a particular group policy or for all group policies.

webvpn

Enters config-group-webvpn mode, in which you can configure the WebVPN attributes for the specified group.


who

To display active Telnet administration sessions on the security appliance, use the who command in privileged EXEC mode.

who [local_ip]

Syntax Description

local_ip

(Optional) Specifies to limit the listing to one internal IP address or network address, either IPv4 or IPv6.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The who command allows you to display the TTY_ID and IP address of each Telnet client that is currently logged into the security appliance.

Examples

This example shows the output of the who command when a client is logged into the security appliance through a Telnet session:

hostname# who
0: 100.0.0.2
hostname# who 100.0.0.2
0: 100.0.0.2
hostname#

Related Commands

Command
Description

kill

Terminates a Telnet session.

telnet

Adds Telnet access to the security appliance console and sets the idle timeout.


window-variation

To drop a connection with a window size variation, use the window-variation command in tcp-map configuration mode. To remove this specification, use the no form of this command.

window-variation {allow-connection | drop-connection}

no window-variation {allow-connection | drop-connection}

Syntax Description

allow-connection

Allows the connection.

drop-connection

Drops the connection.


Defaults

The default action is to allow the connection.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tcp-map configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. Use the window-variation command in tcp-map configuration mode to drop all connections with a window size that has been shrunk.

The window size mechanism allows TCP to advertise a large window and to subsequently advertise a much smaller window without having accepted too much data. From the TCP specification, "shrinking the window" is strongly discouraged. When this condition is detected, the connection can be dropped.
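The check the normalizer performs, as an added example that is not Cisco's code: for each direction of a connection the advertised right edge of the receive window is ack + window, and a right edge that moves backwards (wrap-safe in 32-bit sequence space) is the "shrinking the window" condition that window-variation drop-connection acts on. The Segment class and the segment list are constructed; window values are assumed to be already scaled.

```python
"""Window-shrink detector: the condition window-variation drop-connection acts on.
Added example, not Cisco code; the segments below are constructed."""
from dataclasses import dataclass
from typing import List, Set, Tuple

SEQ_MOD = 1 << 32   # TCP sequence and ack numbers are 32-bit and wrap


@dataclass(frozen=True)
class Segment:
    src: str      # sender "ip:port"; the sender is the side advertising a window
    dst: str      # receiver "ip:port"
    ack: int      # acknowledgment number: left edge of the sender's receive window
    window: int   # advertised receive window in bytes (assumed already scaled)


def seq_before(a: int, b: int) -> bool:
    """True if a precedes b in 32-bit sequence space (wrap-safe comparison)."""
    return a != b and (b - a) % SEQ_MOD < SEQ_MOD // 2


def detect_window_shrink(segments: List[Segment]) -> List[Tuple[int, int, int]]:
    """Return [(index, previous_right_edge, new_right_edge)] for every segment
    whose right edge (ack + window) moved left of the largest right edge that
    direction had advertised so far. The receiver is withdrawing space it had
    already offered, which RFC 793 strongly discourages."""
    largest_edge = {}   # (src, dst) -> largest right edge seen in that direction
    events = []
    for index, seg in enumerate(segments):
        key = (seg.src, seg.dst)
        edge = (seg.ack + seg.window) % SEQ_MOD
        prev = largest_edge.get(key)
        if prev is None or seq_before(prev, edge):
            largest_edge[key] = edge             # window grew or ack advanced
        elif seq_before(edge, prev):
            events.append((index, prev, edge))   # right edge moved left: shrink
        # equal edges (duplicate ACK, plain data segment) are not a variation
    return events


def flows_to_drop(segments: List[Segment]) -> Set[Tuple[str, str]]:
    """Directions that would be dropped under 'window-variation drop-connection'."""
    return {(segments[i].src, segments[i].dst) for i, _, _ in detect_window_shrink(segments)}


# Constructed sample: one well-behaved server side, a client that shrinks its
# window, and a second client whose ack numbers wrap around 2^32.
CLIENT = "10.0.0.5:40000"
CLIENT2 = "10.0.0.7:40001"
SERVER = "10.0.0.10:443"
SAMPLE_SEGMENTS = [
    Segment(CLIENT, SERVER, 1000, 65535),          # 0: right edge 66535
    Segment(SERVER, CLIENT, 5000, 8192),           # 1: right edge 13192
    Segment(CLIENT, SERVER, 1500, 65535),          # 2: edge 67035, window advanced
    Segment(CLIENT, SERVER, 1500, 60000),          # 3: edge 61500, shrink!
    Segment(SERVER, CLIENT, 6000, 7192),           # 4: edge 13192 unchanged, fine
    Segment(CLIENT, SERVER, 2000, 65535),          # 5: edge 67535, grows again
    Segment(CLIENT2, SERVER, 4294967000, 1000),    # 6: edge wraps to 704
    Segment(CLIENT2, SERVER, 4294967200, 1000),    # 7: edge 904, fine across the wrap
    Segment(CLIENT2, SERVER, 4294967200, 500),     # 8: edge 404, shrink!
]

if __name__ == "__main__":
    for index, prev, edge in detect_window_shrink(SAMPLE_SEGMENTS):
        seg = SAMPLE_SEGMENTS[index]
        print(f"segment {index} {seg.src} -> {seg.dst}: right edge {prev} -> {edge} (shrunk)")
    print("would drop:", sorted(flows_to_drop(SAMPLE_SEGMENTS)))
```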

Examples

The following example shows how to drop all connections with a varied window size:

hostname(config)# access-list TCP extended permit tcp any any
hostname(config)# tcp-map tmap
hostname(config-tcp-map)# window-variation drop-connection
hostname(config)# class-map cmap
hostname(config-cmap)# match access-list TCP
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# set connection advanced-options tmap
hostname(config)# service-policy pmap global

Related Commands

Command
Description

class

Specifies a class map to use for traffic classification.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

set connection

Configures connection values.

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.


wins-server

To set the IP address of the primary and secondary WINS servers, use the wins-server command in group-policy configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a WINS server from another group policy. To prevent inheriting a server, use the wins-server none command.

wins-server {value ip_address [ip_address] | none}

no wins-server

Syntax Description

none

Sets wins-servers to a null value, thereby allowing no WINS servers. Prevents inheriting a value from a default or specified group policy.

value ip_address

Specifies the IP address of the primary and secondary WINS servers.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Every time you issue the wins-server command you overwrite the existing setting. For example, if you configure WINS server x.x.x.x and then configure WINS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole WINS server. The same holds true for multiple servers. To add a WINS server rather than overwrite previously configured servers, include the IP addresses of all WINS servers when you enter this command.

Examples

The following example shows how to configure WINS servers with the IP addresses 10.10.10.15, 10.10.10.30, and 10.10.10.45 for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# wins-server value 10.10.10.15 10.10.10.30 10.10.10.45

write erase

To erase the startup configuration, use the write erase command in privileged EXEC mode. The running configuration remains intact.

write erase

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

This command is not supported within a security context. Context startup configurations are identified by the config-url command in the system configuration. If you want to delete a context configuration, you can remove the file manually from the remote server (if specified) or clear the file from Flash memory using the delete command in the system execution space.

Examples

The following example erases the startup configuration:

hostname# write erase
Erase configuration in flash memory? [confirm] y

Related Commands

Command
Description

configure net

Merges a configuration file from the specified TFTP URL with the running configuration.

delete

Removes a file from Flash memory.

show running-config

Shows the running configuration.

write memory

Saves the running configuration to the startup configuration.


write memory

To save the running configuration to the startup configuration, use the write memory command in privileged EXEC mode.

write memory

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The running configuration is the configuration currently running in memory, including any changes you made at the command line. Changes are only preserved between reboots if you save them to the startup configuration, which is the configuration loaded into running memory at startup. For multiple context mode, a context startup configuration is at the location specified by the config-url command in the system configuration.

In multiple context mode, this command saves only the current configuration; you cannot save all contexts with a single command. You must enter this command separately for the system and for each context. Context startup configurations can reside on external servers. In this case, the security appliance saves the configuration back to the server specified by the config-url command, except for HTTP and HTTPS URLs, which do not allow you to save the configuration back to the server. Because the system uses the admin context interfaces to access context startup configurations, the write memory command also uses the admin context interfaces. The write net command, however, uses the context interfaces to write a configuration to a TFTP server.

The write memory command is equivalent to the copy running-config startup-config command.

Examples

The following example saves the running configuration to the startup configuration:

hostname# write memory
Building configuration...
Cryptochecksum: e43e0621 9772bebe b685e74f 748e4454
19319 bytes copied in 3.570 secs (6439 bytes/sec)
[OK]
hostname# 

Related Commands

Command
Description

admin-context

Sets the admin context.

configure memory

Merges the startup configuration with the running configuration.

config-url

Specifies the location of the context configuration.

copy running-config startup-config

Copies the running configuration to the startup configuration.

write net

Copies the running configuration to a TFTP server.


write net

To save the running configuration to a TFTP server, use the write net command in privileged EXEC mode.

write net [server:[filename] | :filename]

Syntax Description

:filename

Specifies the path and filename. If you already set the filename using the tftp-server command, then this argument is optional.

If you specify the filename in this command as well as a name in the tftp-server command, the security appliance treats the tftp-server command filename as a directory, and adds the write net command filename as a file under the directory.

To override the tftp-server command value, enter a slash in front of the path and filename. The slash indicates that the path is not relative to the tftpboot directory, but is an absolute path. The URL generated for this file includes a double slash (//) in front of the filename path. If the file you want is in the tftpboot directory, you can include the path for the tftpboot directory in the filename path. If your TFTP server does not support this type of URL, use the copy running-config tftp command instead.

If you specified the TFTP server address using the tftp-server command, you can enter the filename alone preceded by a colon (:).

server:

Sets the TFTP server IP address or name. This address overrides the address you set in the tftp-server command, if present.

The default gateway interface is the highest security interface; however, you can set a different interface name using the tftp-server command.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The running configuration is the configuration currently running in memory, including any changes you made at the command line.

In multiple context mode, this command saves only the current configuration; you cannot save all contexts with a single command. You must enter this command separately for the system and for each context. The write net command uses the context interfaces to write a configuration to a TFTP server. The write memory command, however, uses the admin context interfaces to save to the startup configuration because the system uses the admin context interfaces to access context startup configurations.

The write net command is equivalent to the copy running-config tftp command.

Examples

The following example sets the TFTP server and filename in the tftp-server command:

hostname# tftp-server inside 10.1.1.1 /configs/contextbackup.cfg
hostname# write net

The following example sets the server and filename in the write net command. The tftp-server command is not populated.

hostname# write net 10.1.1.1:/configs/contextbackup.cfg

The following example sets the server and filename in the write net command. The tftp-server command supplies the directory name, and the server address is overridden.

hostname# tftp-server 10.1.1.1 configs
hostname# write net 10.1.2.1:context.cfg
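The following Python function is an added illustration, not Cisco code: it models how the server and path for write net are resolved from the tftp-server command and the write net argument, following the rules in the Syntax Description above (directory composition, server override, and the leading-slash absolute path). It assumes the server is an IPv4 address or hostname with no colon in it; how the appliance reports a missing server or filename is not stated on this page, so raising ValueError there is an assumption.

```python
"""Model of write net [server:[filename] | :filename] target resolution.

Added example, not Cisco code. Implements the rules the Syntax Description
states; error handling for a missing server/filename is an assumption.
"""
from typing import NamedTuple, Optional


class TftpTarget(NamedTuple):
    server: str   # TFTP server address or name the appliance will use
    path: str     # path/filename requested on that server


def resolve_write_net(arg: str,
                      tftp_server_addr: Optional[str] = None,
                      tftp_server_file: Optional[str] = None) -> TftpTarget:
    """Resolve the write net target.

    tftp_server_addr / tftp_server_file are the values previously set with
    the tftp-server command (None when that command is not configured).
    arg is the text after 'write net' ('' when none was given).
    """
    # "server:filename": an empty server part means "use tftp-server".
    # Assumes the server contains no ':' (IPv4 address or hostname).
    server_part, _, file_part = arg.partition(":")
    server = server_part or tftp_server_addr
    if not server:
        # Assumption: nothing to write to without a server from either source.
        raise ValueError("no TFTP server: give server: or configure tftp-server")

    if file_part.startswith("/"):
        # Leading slash: absolute path; the tftp-server filename is ignored.
        return TftpTarget(server, file_part)
    if file_part and tftp_server_file:
        # Both set: tftp-server filename is treated as a directory and the
        # write net filename is placed as a file under it.
        return TftpTarget(server, tftp_server_file.rstrip("/") + "/" + file_part)
    path = file_part or tftp_server_file
    if not path:
        # Assumption: no filename from either source is an error.
        raise ValueError("no filename: give :filename or configure tftp-server")
    return TftpTarget(server, path)


if __name__ == "__main__":
    # The three examples above, constructed here as sample inputs.
    print(resolve_write_net("", "10.1.1.1", "/configs/contextbackup.cfg"))
    print(resolve_write_net("10.1.1.1:/configs/contextbackup.cfg"))
    print(resolve_write_net("10.1.2.1:context.cfg", "10.1.1.1", "configs"))
```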

Related Commands

Command
Description

configure net

Merges a configuration file from the specified TFTP URL with the running configuration.

copy running-config tftp

Copies the running configuration to a TFTP server.

show running-config

Shows the running configuration.

tftp-server

Sets a default TFTP server and path for use in other commands.

write memory

Saves the running configuration to the startup configuration.


write standby

To copy the security appliance or context running configuration to the failover standby unit, use the write standby command in privileged EXEC mode.

write standby

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

For Active/Standby failover, the write standby command writes the configuration stored in the RAM of the active failover unit to the RAM on the standby unit. Use the write standby command if the primary and secondary unit configurations have different information. Enter this command on the active unit.

For Active/Active failover, the write standby command behaves as follows:

If you enter the write standby command in the system execution space, the system configuration and the configurations for all of the security contexts on the security appliance are written to the peer unit. This includes configuration information for security contexts that are in the standby state. You must enter the command in the system execution space on the unit that has failover group 1 in the active state.

If you enter the write standby command in a security context, only the configuration for the security context is written to the peer unit. You must enter the command in the security context on the unit where the security context appears in the active state.


Note The write standby command replicates the configuration to the running configuration of the peer unit; it does not save the configuration to the startup configuration. To save the configuration changes to the startup configuration, use the copy running-config startup-config command on the same unit on which you entered the write standby command. The command is replicated to the peer unit and the configuration is saved to the startup configuration there as well.


When Stateful Failover is enabled, the write standby command also replicates state information to the standby unit after the configuration replication is complete.

Examples

The following example writes the current running configuration to the standby unit:

hostname# write standby
Building configuration...
[OK]
hostname# 

Related Commands

Command
Description

failover reload-standby

Forces the standby unit to reboot.


write terminal

To show the running configuration on the terminal, use the write terminal command in privileged EXEC mode.

write terminal

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

This command is equivalent to the show running-config command.

Examples

The following example writes the running configuration to the terminal:

hostname# write terminal
: Saved
:
ASA Version 7.0(0)61
multicast-routing
names
name 10.10.4.200 outside
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.86.194.60 255.255.254.0
 webvpn enable
...

Related Commands

Command
Description

configure net

Merges a configuration file from the specified TFTP URL with the running configuration.

show running-config

Shows the running configuration.

write memory

Saves the running configuration to the startup configuration.