-
Cisco Security Appliance Command Reference, Version 8.0
-
About This Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P though R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show ddns -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config ldap -- show running-config webvpn auto-signon
-
show service-policy -- show xlate
-
shun -- sysopt radius ignore-secret
-
- T through Z Commands
-
Feedback
Table Of Contents
intercept-dhcp through issuer-name Commands
interface (vpn load-balancing)
ipv6-address-pool (tunnel-group general attributes mode)
isakmp ikev1-user-authentication
intercept-dhcp through issuer-name Commands
intercept-dhcp
To enable DHCP Intercept, use the intercept-dhcp enable command in group-policy configuration mode. To disable DHCP Intercept, use the intercept-dhcp disable command. To remove the intercept-dhcp attribute from the running configuration and allow the users to inherit a DHCP Intercept configuration from the default or other group policy, use the no intercept-dhcp command.
intercept-dhcp netmask {enable | disable}
no intercept-dhcp
Syntax Description
disable
Disables DHCP Intercept.
enable
Enables DHCP Intercept.
netmask
Provides the subnet mask for the tunnel IP address.
Defaults
DHCP Intercept is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
A Microsoft XP anomaly results in the corruption of domain names if split tunnel options exceed 255 bytes. To avoid this problem, the security appliance limits the number of routes it sends to 27 to 40 routes, with the number of routes dependent on the classes of the routes.
DHCP Intercept lets Microsoft XP clients use split-tunneling with the security appliance. The security appliance replies directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP address. For Windows clients prior to XP, DHCP Intercept provides the domain name and subnet mask. This is useful in environments in which using a DHCP server is not advantageous.
Examples
The following example shows how to set DHCP Intercepts for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# intercept-dhcp enableinterface
To configure an interface and enter interface configuration mode, use the interface command in global configuration mode. In interface configuration mode, you can configure hardware settings (for physical interfaces), assign a name, assign a VLAN, assign an IP address, and configure many other settings, depending on the type of interface and the security context mode.
In multiple context mode, you might need to specify the mapped name if one was assigned using the allocate-interface command.
All models can configure parameters for physical interfaces.
All models except for those with a built-in switch, such as the ASA 5505 adaptive security appliance, can create logical redundant interfaces.
All models except for those with a built-in switch, such as the ASA 5505 adaptive security appliance, can create logical subinterfaces that are assigned to a VLAN. Models with a built-in switch include switch ports (called physical interfaces in this command) that you can assign to a VLAN interface; in this case, you do not create a subinterface for the VLAN, but instead create a VLAN interface independent of any physical interfaces. You can then assign one or more physical interfaces to the VLAN interface.
To remove a redundant interface, subinterface, or VLAN interface, use the no form of this command; you cannot remove a physical interface or a mapped interface.
For physical interfaces (for all models):
interface physical_interface
For redundant interfaces (not available for models with a built-in switch):
interface redundant number
no interface redundant number
For subinterfaces (not available for models with a built-in switch):
interface {physical_interface | redundant number}.subinterface
no interface {physical_interface | redundant number}.subinterface
For VLAN interfaces (for models with a built-in switch):
interface vlan number
no interface vlan number
For multiple context mode when a mapped name is assigned:
interface mapped_name
Syntax Description
Defaults
By default, the security appliance automatically generates interface commands for all physical interfaces.
In multiple context mode, the security appliance automatically generates interface commands for all interfaces allocated to the context using the allocate-interface command.
The default state of an interface depends on the type and the context mode.
In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.
In single mode or in the system execution space, interfaces have the following default states:
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
For an enabled interface to pass traffic, configure the following interface configuration mode commands: nameif, and, for routed mode, ip address. For subinterfaces, also configure the vlan command. For switch physical interfaces, assign the physical interface to the VLAN interface using the switchport access vlan command.
If you change interface settings, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
Default Security Level
The default security level is 0. If you name an interface "inside" and you do not set the security level explicitly using the security-level command, then the security appliance sets the security level to 100.
Multiple Context Mode Guidelines
•
•
•
Transparent Firewall Guidelines
Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA 5510 and higher adaptive security appliances, you can use the Management 0/0 interface (either the physical interface or a subinterface) as a third interface for management traffic. The mode is not configurable in this case and must always be management-only.
Subinterface Guidelines
•
•
Redundant Interface Guidelines
•
–
–
–
–
•
•
–
–
Caution
–
–
Built-in Switch Guidelines
For models with a built-in switch, you configure physical parameters and switch parameters (including the VLAN assignment) for the physical interfaces only. You configure all other parameters for the VLAN interface.
For the ASA 5505 adaptive security appliance in transparent firewall mode, you can configure two active VLANs in the Base license and three active VLANs in the Security Plus license, one of which must be for failover. In routed mode, you can configure up to three active VLANs with the Base license, and up to five active VLANs with the Security Plus license. An active VLAN is a VLAN with a nameif command configured. You can configure as many VLANs as you want as long as you limit the number of active VLANs to comply with your license. With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. You limit the third VLAN using the no forward interface command. With the Security Plus license, you can configure three VLAN interfaces for normal traffic, one VLAN interface for failover, and one VLAN interface as a backup link to your ISP. However, the failover VLAN interface is not configured using the interface vlan command. After you assign a physical interface to the failover VLAN ID, use the failover lan commands to create and configure the VLAN interface. The backup link to the ISP must be identified by the backup interface command under the primary VLAN configuration. This interface does not pass through traffic unless the primary interface fails. See the backup interface command for more information.
Management-Only Interface
The ASA 5510 and higher adaptive security appliances include a dedicated management interface called Management 0/0, which is meant to support traffic to the security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.
Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA 5510 and higher adaptive security appliances, you can use the Management 0/0 interface (either the physical interface or a subinterface) as a third interface for management traffic. The mode is not configurable in this case and must always be management-only.
Examples
The following example configures parameters for the physical interface in single mode:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# speed 1000hostname(config-if)# duplex fullhostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownThe following example configures parameters for a subinterface in single mode:
hostname(config)# interface gigabitethernet0/1.1hostname(config-subif)# vlan 101hostname(config-subif)# nameif dmz1hostname(config-subif)# security-level 50hostname(config-subif)# ip address 10.1.2.1 255.255.255.0hostname(config-subif)# no shutdownThe following example configures interface parameters in multiple context mode for the system configuration, and allocates the gigabitethernet 0/1.1 subinterface to contextA:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# speed 1000hostname(config-if)# duplex fullhostname(config-if)# no shutdownhostname(config-if)# interface gigabitethernet0/1.1hostname(config-subif)# vlan 101hostname(config-subif)# no shutdownhostname(config-subif)# context contextAhostname(config-ctx)# ...hostname(config-ctx)# allocate-interface gigabitethernet0/1.1The following example configures parameters in multiple context mode for the context configuration:
hostname/contextA(config)# interface gigabitethernet0/1.1hostname/contextA(config-if)# nameif insidehostname/contextA(config-if)# security-level 100hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0hostname/contextA(config-if)# no shutdownThe following example configures three VLAN interfaces. The third home interface cannot forward traffic to the work inteface.
hostname(config)# interface vlan 100hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address dhcphostname(config-if)# no shutdownhostname(config-if)# interface vlan 200hostname(config-if)# nameif workhostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface vlan 300hostname(config-if)# no forward interface vlan 200hostname(config-if)# nameif homehostname(config-if)# security-level 50hostname(config-if)# ip address 10.2.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/0hostname(config-if)# switchport access vlan 100hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/1hostname(config-if)# switchport access vlan 200hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/2hostname(config-if)# switchport access vlan 200hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/3hostname(config-if)# switchport access vlan 200hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/4hostname(config-if)# switchport access vlan 300hostname(config-if)# no shutdown...The following example configures five VLAN interfaces, including the failover interface which is configured separately using the failover lan command:
hostname(config)# interface vlan 100hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface vlan 200hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.2.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface vlan 300hostname(config-if)# nameif dmzhostname(config-if)# security-level 50hostname(config-if)# ip address 10.3.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface vlan 400hostname(config-if)# nameif backup-isphostname(config-if)# security-level 50hostname(config-if)# ip address 10.1.2.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# failover lan faillink vlan500hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0hostname(config)# interface ethernet 0/0hostname(config-if)# switchport access vlan 100hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/1hostname(config-if)# switchport access vlan 200hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/2hostname(config-if)# switchport access vlan 300hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/3hostname(config-if)# switchport access vlan 400hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/4hostname(config-if)# switchport access vlan 500hostname(config-if)# no shutdownThe following example creates two redundant interfaces:
hostname(config)# interface redundant 1hostname(config-if)# member-interface gigabitethernet 0/0hostname(config-if)# member-interface gigabitethernet 0/1hostname(config-if)# interface redundant 2hostname(config-if)# member-interface gigabitethernet 0/2hostname(config-if)# member-interface gigabitethernet 0/3Related Commands
interface (vpn load-balancing)
To specify a non-default public or private interface for VPN load-balancing in the VPN load-balancing virtual cluster, use the interface command in vpn load-balancing mode. To remove the interface specification and revert to thte default interface, use the no form of this command.
interface {lbprivate | lbpublic} interface-name]
no interface {lbprivate | lbpublic}
Syntax Description
Defaults
If you omit the interface command, the lbprivate interface defaults to inside, and the lbpublic interface defaults to outside.
Command Modes
The following table shows the modes in which you can enter the command:
vpn load-balancing
•
—
•
—
—
Command History
Usage Guidelines
You must have first used the vpn load-balancing command to enter vpn load-balancing mode.
You must also have previously used the interface, ip address and nameif commands to configure and assign a name to the interface that you are specifying in this command.
The no form of this command reverts the interface to its default.
Examples
The following is an example of a vpn load-balancing command sequence that includes an interface command that specifies the public interface of the cluster as "test" one that reverts the private interface of the cluster to the default (inside):
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# no interface lbprivatehostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# participateRelated Commandshostname(config-load-balancing)# participate
interface-policy
To specify the policy for failover when monitoring detects an interface failure, use the interface-policy command in failover group configuration mode. To restore the default values, use the no form of this command.
interface-policy num[%]
no interface-policy num[%]
Syntax Description
num
Specifies a number from 1 to 100 when used as a percentage, or 1 to the maximum number of interfaces.
%
(Optional) Specifies that the number num is a percentage of the monitored interfaces.
Defaults
If the failover interface-policy command is configured for the unit, then the default for the interface-policy failover group command assumes that value. If not, then num is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
There is no space between the num argument and the optional % keyword.
If the number of failed interfaces meets the configured policy and the other security appliance is functioning properly, the security appliance will mark itself as failed and a failover may occur (if the active security appliance is the one that fails). Only interfaces that are designated as monitored by the monitor-interface command count towards the policy.
Examples
The following partial example shows a possible configuration for a failover group:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# interface-policy 25%hostname(config-fover-group)# exithostname(config)#Related Commands
internal-password
To display an additional password field on the clientless SSL VPN portal page, use the internal-password command in webvpn configuration mode. This additional password is used by the security appliance to authenticate users to file servers for which SSO is allowed.
To disable the ability to use an internal password, use the no version of the command.
internal-password enable
no internal password
Syntax Description
Defaults
The default is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
If enabled, end users type a second password when logging in to a clientless SSL VPN session. The Clientless SSL VPN server sends an SSO authentication request, including the username and password, to the authenticating server using HTTPS. If the authenticating server approves the authentication request, it returns an SSO authentication cookie to the Clientless SSL VPN server. This cookie is kept on the security appliance on behalf of the user and used to authenticate the user to secure websites within the domain protected by the SSO server.
The internal password feature is useful if you require that the internal password be different from the SSL VPN password. In particular, you can use one-time passwords for authentication to the security appliance, and another password for internal sites.
Examples
The following example shows how to enable the internal password:
hostname(config)# webvpnhostname(config-webvpn)# internal password enablehostname(config-webvpn)#Related Commands
webvpn
Enters webvpn configuration mode, which lets you configure attributes for clientless SSLVPN connections.
interval maximum
To configure the maximum interval between update attempts by a DDNS update method, use the interval command in DDNS-update-method mode. To remove an interval for a DDNS update method from the running configuration, use the no form of this command.
interval maximum days hours minutes seconds
no interval maximum days hours minutes seconds
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
DDNS-update-method configuration
•
—
•
•
—
Command History
Usage Guidelines
The days, hours, minutes, and seconds are added together to arrive at the total interval.
Examples
The following example configures a method called ddns-2 to attempt an update every 3 minutes and 15 seconds:
hostname(config)# ddns update method ddns-2hostname(DDNS-update-method)# interval maximum 0 0 3 15Related Commands
invalid-ack
To set the action for packets with an invalid ACK, use the invalid-ack command in tcp-map configuration mode. To set the value back to the default, use the no form of this command. This command is part of the TCP normalization policy enabled using the set connection advanced-options command.
invalid-ack {allow | drop}
no invalid-ack
Syntax Description
Defaults
The default action is to drop packets with an invalid ACK.
Command Modes
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable TCP normalization, use the Modular Policy Framework:
1.
a.
2.
3.
a.
b.
4.
You might see invalid ACKs in the following instances:
•
•
Note
Examples
The following example sets the security appliance to allow packets with an invalid ACK:
hostname(config)# tcp-map tmaphostname(config-tcp-map)# invalid-ack allowhostname(config)# class-map cmaphostname(config-cmap)# match anyhostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalhostname(config)#Related Commands
ip address
To set the IP address for an interface (in routed mode) or for the management address (transparent mode), use the ip address command. For routed mode, enter this command in interface configuration mode. In transparent mode, enter this command in global configuration mode. To remove the IP address, use the no form of this command. This command also sets the standby address for failover.
ip address ip_address [mask] [standby ip_address]
no ip address [ip_address]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Global configuration
—
•
•
•
—
Command History
7.0(1)
For routed mode, this command was changed from a global configuration command to an interface configuration mode command.
Usage Guidelines
In single context routed firewall mode, each interface address must be on a unique subnet. In multiple context mode, if this interface is on a shared interface, then each IP address must be unique but on the same subnet. If the interface is unique, this IP address can be used by other contexts if desired.
A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address. This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access. This address must be on the same subnet as the upstream and downstream routers. For multiple context mode, set the management IP address within each context.
The standby IP address must be on the same subnet as the main IP address.
Examples
The following example sets the IP addresses and standby addresses of two interfaces:
hostname(config)# interface gigabitethernet0/2hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2hostname(config-if)# no shutdownhostname(config-if)# interface gigabitethernet0/3hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2hostname(config-if)# no shutdownThe following example sets the management address and standby address of a transparent firewall:
hostname(config)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2Related Commands
ip address dhcp
To use DHCP to obtain an IP address for an interface, use the ip address dhcp command in interface configuration mode. To disable the DHCP client for this interface, use the no form of this command.
ip address dhcp [setroute]
no ip address dhcp
Syntax Description
setroute
(Optional) Allows the security appliance to use the default route supplied by the DHCP server.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
Reenter this command to reset the DHCP lease and request a new lease.
If you do not enable the interface using the no shutdown command before you enter the ip address dhcp command, some DHCP requests might not be sent.
Note
Examples
The following example enables DHCP on the gigabitethernet0/1 interface:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# no shutdownhostname(config-if)# ip address dhcpRelated Commands
ip address pppoe
To enable PPPoE, use the ip address pppoe command in interface configuration mode. To disable PPPoE, use the no form of this command.
ip address [ip_address [mask]] pppoe [setroute]
no ip address [ip_address [mask]] pppoe
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
PPPoE combines two widely accepted standards, Ethernet and PPP, to provide an authenticated method of assigning IP addresses to client systems. ISPs deploy PPPoE because it supports high-speed broadband access using their existing remote access infrastructure and because it is easier for customers to use.
Before you set the IP address using PPPoE, configure the vpdn commands to set the username, password, and authentication protocol. If you enable this command on more than one interface, for example for a backup link to your ISP, then you can assign each interface to a different VPDN group if necessary using the pppoe client vpdn group command.
The maximum transmission unit (MTU) size is automatically set to 1492 bytes, which is the correct value to allow PPPoE transmission within an Ethernet frame.
Reenter this command to reset and restart the PPPoE session.
You cannot set this command at the same time as the ip address command or the ip address dhcp command.
Examples
The following example enables PPPoE on the Gigabitethernet 0/1 interface:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address pppoehostname(config-if)# no shutdownThe following example manually sets the IP address for a PPPoE interface:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address 10.1.1.1 255.255.255.0 pppoehostname(config-if)# no shutdownRelated Commands
ip-address-privacy
To enable IP address privacy, use the ip-address-privacy command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.
ip-address-privacy
no ip-address-privacy
Syntax Description
This command has no arguments or keywords.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to enable IP address privacy over SIP in a SIP inspection policy map:
hostname(config)# policy-map type inspect sip sip_maphostname(config-pmap)# parametershostname(config-pmap-p)# ip-address-privacyRelated Commands
ip audit attack
To set the default actions for packets that match an attack signature, use the ip audit attack command in global configuration mode. To restore the default action (to reset the connection), use the no form of this command. You can specify multiple actions, or no actions.
ip audit attack [action [alarm] [drop] [reset]]
no ip audit attack
Syntax Description
Defaults
The default action is to send and alarm.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
You can override the action you set with this command when you configure an audit policy using the ip audit name command. If you do not specify the action in the ip audit name command, then the action you set with this command is used.
For a list of signatures, see the ip audit signature command.
Examples
The following example sets the default action to alarm and reset for packets that match an attack signature. The audit policy for the inside interface overrides this default to be alarm only, while the policy for the outside interface uses the default setting set with the ip audit attack command.
hostname(config)# ip audit attack action alarm resethostname(config)# ip audit name insidepolicy attack action alarmhostname(config)# ip audit name outsidepolicy attackhostname(config)# ip audit interface inside insidepolicyhostname(config)# ip audit interface outside outsidepolicyRelated Commands
ip audit info
To set the default actions for packets that match an informational signature, use the ip audit info command in global configuration mode. To restore the default action (to generate an alarm), use the no form of this command. You can specify multiple actions, or no actions.
ip audit info [action [alarm] [drop] [reset]]
no ip audit info
Syntax Description
Defaults
The default action is to generate an alarm.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
You can override the action you set with this command when you configure an audit policy using the ip audit name command. If you do not specify the action in the ip audit name command, then the action you set with this command is used.
For a list of signatures, see the ip audit signature command.
Examples
The following example sets the default action to alarm and reset for packets that match an informational signature. The audit policy for the inside interface overrides this default to be alarm and drop, while the policy for the outside interface uses the default setting set with the ip audit info command.
hostname(config)# ip audit info action alarm resethostname(config)# ip audit name insidepolicy info action alarm drophostname(config)# ip audit name outsidepolicy infohostname(config)# ip audit interface inside insidepolicyhostname(config)# ip audit interface outside outsidepolicyRelated Commands
ip audit interface
To assign an audit policy to an interface, use the ip audit interface command in global configuration mode. To remove the policy from the interface, use the no form of this command.
ip audit interface interface_name policy_name
no ip audit interface interface_name policy_name
Syntax Description
interface_name
Specifies the interface name.
policy_name
The name of the policy you added with the ip audit name command. You can assign an info policy and an attack policy to each interface.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example applies audit policies to the inside and outside interfaces:
hostname(config)# ip audit name insidepolicy1 attack action alarmhostname(config)# ip audit name insidepolicy2 info action alarmhostname(config)# ip audit name outsidepolicy1 attack action resethostname(config)# ip audit name outsidepolicy2 info action alarmhostname(config)# ip audit interface inside insidepolicy1hostname(config)# ip audit interface inside insidepolicy2hostname(config)# ip audit interface outside outsidepolicy1hostname(config)# ip audit interface outside outsidepolicy2Related Commands
ip audit name
To create a named audit policy that identifies the actions to take when a packet matches a predefined attack signature or informational signature, use the ip audit name command in global configuration mode. Signatures are activities that match known attack patterns. For example, there are signatures that match DoS attacks. To remove the policy, use the no form of this command.
ip audit name name {info | attack} [action [alarm] [drop] [reset]]
no ip audit name name {info | attack} [action [alarm] [drop] [reset]]
Syntax Description
Defaults
If you do not change the default actions using the ip audit attack and ip audit info commands, then the default action for attack signatures and informational signatures is to generate an alarm.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
To apply the policy, assign it to an interface using the ip audit interface command. You can assign an info policy and an attack policy to each interface.
For a list of signatures, see the ip audit signature command.
If traffic matches a signature, and you want to take action against that traffic, use the shun command to prevent new connections from the offending host and to disallow packets from any existing connection.
Examples
The following example sets an audit policy for the inside interface to generate an alarm for attack and informational signatures, while the policy for the outside interface resets the connection for attacks:
hostname(config)# ip audit name insidepolicy1 attack action alarmhostname(config)# ip audit name insidepolicy2 info action alarmhostname(config)# ip audit name outsidepolicy1 attack action resethostname(config)# ip audit name outsidepolicy2 info action alarmhostname(config)# ip audit interface inside insidepolicy1hostname(config)# ip audit interface inside insidepolicy2hostname(config)# ip audit interface outside outsidepolicy1hostname(config)# ip audit interface outside outsidepolicy2Related Commands
ip audit signature
To disable a signature for an audit policy, use the ip audit signature command in global configuration mode. To reenable the signature, use the no form of this command. You might want to disable a signature if legitimate traffic continually matches a signature, and you are willing to risk disabling the signature to avoid large numbers of alarms.
ip audit signature signature_number disable
no ip audit signature signature_number
Syntax Description
signature_number
Specifies the signature number to disable. See Table 16-1 for a list of supported signatures.
disable
Disables the signature.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Table 16-1 lists supported signatures and system message numbers.
Examples
The following example disables signature 6100:
hostname(config)# ip audit signature 6100 disableRelated Commands
ip-comp
To enable LZS IP compression, use the ip-comp enable command in group-policy configuration mode. To disable IP compression, use the ip-comp disable command.
To remove the ip-comp attribute from the running configuration, use the no form of this command. This enables inheritance of a value from another group policy.
ip-comp {enable | disable}
no ip-comp
Syntax Description
Defaults
IP compression is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
Enabling data compression might speed up data transmission rates for remote dial-in users connecting with modems.
Caution
Examples
The following example shows how to enable IP compression for the group policy named "FirstGroup":
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ip-comp enableip local pool
To configure IP address pools to be used for VPN remote access tunnels, use the ip local pool command in global configuration mode. To delete address pools, use the no form of this command.
ip local pool poolname first-address—last-address [mask mask]
no ip local pool poolname
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
You must supply the mask value when the IP addresses assigned to VPN clients belong to a non-standard network and the data could be routed incorrectly if you use the default mask. A typical example is when the IP local pool contains 10.10.10.0/255.255.255.0 addresses, since this is a Class A network by default. This could cause some routing issues when the VPN client needs to access different subnets within the 10 network over different interfaces. For example, if a printer, address 10.10.100.1/255.255.255.0 is available via interface 2, but the 10.10.10.0 network is available over the VPN tunnel and therefore interface 1, the VPN client would be confused as to where to route data destined for the printer. Both the 10.10.10.0 and 10.10.100.0 subnets fall under the 10.0.0.0 Class A network so the printer data may be sent over the VPN tunnel.
Examples
The following example configures an IP address pool named firstpool. The starting address is 10.20.30.40 and the ending address is 10.20.30.50. The network mask is 255.255.255.0.
hostname(config)# ip local pool firstpool 10.20.30.40-10.20.30.50 mask 255.255.255.0Related Commands
ip-phone-bypass
To enable IP Phone Bypass, use the ip-phone-bypass enable command in group-policy configuration mode. To disable IP Phone Bypass, use the ip-phone-bypass disable command. To remove the IP phone Bypass attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for IP Phone Bypass from another group policy.
IP Phone Bypass lets IP phones behind hardware clients connect without undergoing user authentication processes. If enabled, secure unit authentication remains in effect.
ip-phone-bypass {enable | disable}
no ip-phone-bypass
Syntax Description
Defaults
IP Phone Bypass is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
You need to configure IP Phone Bypass only if you have enabled user authentication.
Examples
The following example shows how to enable IP Phone Bypass. for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ip-phone-bypass enableRelated Commands
user-authentication
Requires users behind a hardware client to identify themselves to the security appliance before connecting.
ips
The ASA 5500 series adaptive security appliance supports the AIP SSM, which runs advanced IPS software that provides proactive, full-featured intrusion prevention services to stop malicious traffic, including worms and network viruses, before they can affect your network. To divert traffic from the adaptive security appliance to the AIP SSM for inspection, use the ips command in class configuration mode. To remove this command, use the no form of this command.
ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
no ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
Usage Guidelines
Before or after you configure the ips command on the adaptive security appliance, configure the security policy on the AIP SSM. You can either session to the AIP SSM from the adaptive security appliance (the session command) or you can connect directly to the AIP SSM using SSH or Telnet on its mangement interface. Alternatively, you can use ASDM. For more information about configuring the AIP SSM, see Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface.
To configure the ips command, you must first configure the class-map command, policy-map command, and the class command.
The AIP SSM runs a separate application from the adaptive security appliance. It is, however, integrated into the adaptive security appliance traffic flow. The AIP SSM does not contain any external interfaces itself, other than a management interface. When you apply the ips command for a class of traffic on the adaptive security appliance, traffic flows through the adaptive security appliance and the AIP SSM in the following way:
1.
2.
3.
4.
5.
6.
7.
Examples
The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic if the AIP SSM card fails for any reason:
hostname(config)# access-list IPS permit ip any anyhostname(config)# class-map my-ips-classhostname(config-cmap)# match access-list IPShostname(config-cmap)# policy-map my-ips-policyhostname(config-pmap)# class my-ips-classhostname(config-pmap-c)# ips promiscuous fail-closehostname(config-pmap-c)# service-policy my-ips-policy globalThe following example diverts all IP traffic destined for the 10.1.1.0 network and the 10.2.1.0 network to the AIP SSM in inline mode, and allows all traffic through if the AIP SSM card fails for any reason. For the my-ips-class traffic, sensor1 is used; for the my-ips-class2 traffic, sensor2 is used.
hostname(config)# access-list my-ips-acl permit ip any 10.1.1.0 255.255.255.0hostname(config)# access-list my-ips-acl2 permit ip any 10.2.1.0 255.255.255.0hostname(config)# class-map my-ips-classhostname(config-cmap)# match access-list my-ips-aclhostname(config)# class-map my-ips-class2hostname(config-cmap)# match access-list my-ips-acl2hostname(config-cmap)# policy-map my-ips-policyhostname(config-pmap)# class my-ips-classhostname(config-pmap-c)# ips inline fail-open sensor sensor1hostname(config-pmap)# class my-ips-class2hostname(config-pmap-c)# ips inline fail-open sensor sensor2hostname(config-pmap-c)# service-policy my-ips-policy interface outsideRelated Commands
ipsec-udp
To enable IPSec over UDP, use the ipsec-udp enable command in group-policy configuration mode. To disable IPSec over UDP, use the ipsec-udp disable command. To remove the IPSec over UDP attribute from the running configuration, use the no form of this command. This enables inheritance of a value for IPSec over UDP from another group policy.
IPSec over UDP, sometimes called IPSec through NAT, lets a Cisco VPN Client or hardware client connect via UDP to a security appliance that is running NAT.
ipsec-udp {enable | disable}
no ipsec-udp
Syntax Description
Defaults
IPSec over UDP is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
To use IPSec over UDP, you must also configure the ipsec-udp-port command.
The Cisco VPN Client must also be configured to use IPSec over UDP (it is configured to use it by default). The VPN 3002 requires no configuration to use IPSec over UDP.
IPSec over UDP is proprietary, it applies only to remote-access connections, and it requires mode configuration, means the security appliance exchanges configuration parameters with the client while negotiating SAs.
Using IPSec over UDP may slightly degrade system performance.
Examples
The following example shows how to set IPSec over UDP for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ipsec-udp enableRelated Commands
ipsec-udp-port
Specifies the port on which the security appliance listens for UDP traffic.
ipsec-udp-port
To set a UDP port number for IPSec over UDP, use the ipsec-udp-port command in group-policy configuration mode. To disable the UDP port, use the no form of this command. This enables inheritance of a value for the IPSec over UDP port from another group policy.
In IPSec negotiations. the security appliance listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic.
ipsec-udp-port port
no ipsec-udp-port
Syntax Description
Defaults
The default port is 10000.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
You can configure multiple group policies with this feature enabled, and each group policy can use a different port number.
Examples
The following example shows how to set an IPSec UDP port to port 4025 for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ipsec-udp-port 4025Related Commands
ipsec-udp
Lets a Cisco VPN Client or hardware client connect via UDP to a security appliance that is running NAT.
ip verify reverse-path
To enable Unicast RPF, use the ip verify reverse-path command in global configuration mode. To disable this feature, use the no form of this command. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.
ip verify reverse-path interface interface_name
no ip verify reverse-path interface interface_name
Syntax Description
Defaults
This feature is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
Normally, the security appliance only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the security appliance to also look at the source address; this is why it is called Reverse Path Forwarding. For any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address. See RFC 2267 for more information.
For outside traffic, for example, the security appliance can use the default route to satisfy the Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known to the routing table, the security appliance uses the default route to correctly identify the outside interface as the source interface.
If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the security appliance drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the security appliance drops the packet because the matching route (the default route) indicates the outside interface.
Unicast RPF is implemented as follows:
•
•
Examples
The following example enables Unicast RPF on the outside interface:
hostname(config)# ip verify reverse-path interface outsideRelated Commands
ipv6 access-list
To configure an IPv6 access list, use the ipv6 access-list command in global configuration mode. To remove an ACE, use the no form of this command. Access lists define the traffic that the security appliance allows to pass through or blocks.
ipv6 access-list id [line line-num] {deny | permit} {protocol | object-group protocol_obj_grp_id} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} [operator {port [port] | object-group service_obj_grp_id}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [{operator port [port] | object-group service_obj_grp_id}] [log [[level] [interval secs] | disable | default]]
no ipv6 access-list id [line line-num] {deny | permit} {protocol | object-group protocol_obj_grp_id} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} [operator {port [port] | object-group service_obj_grp_id}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [{operator port [port] | object-group service_obj_grp_id}] [log [[level] [interval secs] | disable | default]]
ipv6 access-list id [line line-num] {deny | permit} icmp6 {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [icmp_type | object-group icmp_type_obj_grp_id] [log [[level] [interval secs] | disable | default]]
no ipv6 access-list id [line line-num] {deny | permit} icmp6 {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [icmp_type | object-group icmp_type_obj_grp_id] [log [[level] [interval secs] | disable | default]]
Syntax Description
Defaults
When the log keyword is specified, the default level for syslog message 106100 is 6 (informational).
The default logging interval is 300 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
The ipv6 access-list command allows you to specify if an IPv6 address is permitted or denied access to a port or protocol. Each command is called an ACE. One or more ACEs with the same access list name are referred to as an access list. Apply an access list to an interface using the access-group command.
The security appliance denies all packets from an outside interface to an inside interface unless you specifically permit access using an access list. All packets are allowed by default from an inside interface to an outside interface unless you specifically deny access.
The ipv6 access-list command is similar to the access-list command, except that it is IPv6-specific. For additional information about access lists, refer to the access-list extended command.
The ipv6 access-list icmp command is used to filter ICMPv6 messages that pass through the security appliance.To configure the ICMPv6 traffic that is allowed to originate and terminate at a specific interface, use the ipv6 icmp command.
Refer to the object-group command for information on how to configure object groups.
Examples
The following example will allow any host using TCP to access the 3001:1::203:A0FF:FED6:162D server:
hostname(config)# ipv6 access-list acl_grp permit tcp any host 3001:1::203:A0FF:FED6:162DThe following example uses eq and a port to deny access to just FTP:
hostname(config)# ipv6 access-list acl_out deny tcp any host 3001:1::203:A0FF:FED6:162D eq ftphostname(config)# access-group acl_out in interface insideThe following example uses lt to permit access to all ports less than port 2025, which permits access to the well-known ports (1 to 1024):
hostname(config)# ipv6 access-list acl_dmz1 permit tcp any host 3001:1::203:A0FF:FED6:162D lt 1025hostname(config)# access-group acl_dmz1 in interface dmz1Related Commands
ipv6 access-list webtype
To create an ipv6 access list that you can add to a configuration that supports filtering for clientless SSL VPN, use the access-list webtype command in global configuration mode. To remove the access list, use the no form of this command with the entire syntax string as it appears in the configuration.
ipv6 access-list id webtype {deny | permit} url [url_string | any]
no ipv6 access-list id webtype {deny | permit} url [url_string | any]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
You can use the following wildcard characters to define more than one wildcard in the Webtype access list entry:
•
•
•
Examples
The examples in this section show how to use wildcards in IPv6 Webtype access lists.
•
ipv6 access-list test webtype permit url http://ww?.c*co*/•
ipv6 access-list test webtype permit url *://ww?.c*co*/•
ipv6 access-list test webtype permit url *://ww?.c*co*:8[01]/The range operator "[]" in the preceding example specifies that either character 0 or 1 can occur.
•
ipv6 access-list test webtype permit url http://www.[a-z]oo?*/The range operator "[]" in the preceding example specifies that any character in the range from a to z can occur.
•
ipv6 access-list test webtype permit url htt*://*/*cgi?*
Note
Related Commands
ipv6 address
To enable IPv6 and configure the IPv6 addresses on an interface, use the ipv6 address command in interface configuration mode. To remove the IPv6 addresses, use the no form of this command.
ipv6 address {autoconfig | ipv6-prefix/prefix-length [eui-64] | ipv6-address link-local}
no ipv6 address {autoconfig | ipv6-prefix/prefix-length [eui-64] | ipv6-address link-local}
Syntax Description
Defaults
IPv6 is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
Configuring an IPv6 address on an interface enables IPv6 on that interface; you do not need to use the ipv6 enable command after specifying an IPv6 address.
The ipv6 address autoconfig command is used to enable automatic configuration of IPv6 addresses on an interface using stateless autoconfiguration. The addresses are configured based on the prefixes received in Router Advertisement messages. If a link-local address has not been configured, then one is automatically generated for this interface. An error message is displayed if another host is using the link-local address.
The ipv6 address eui-64 command is used to configure an IPv6 address for an interface. If the optional eui-64 is specified, the EUI-64 interface ID will be used in the low order 64 bits of the address. If the value specified for the prefix-length argument is greater than 64 bits, the prefix bits have precedence over the interface ID. An error message will be displayed if another host is using the specified address.
The Modified EUI-64 format interface ID is derived from the 48-bit link-layer (MAC) address by inserting the hex number FFFE between the upper three bytes (OUI field) and the lower 3 bytes (serial number) of the link layer address. To ensure the chosen address is from a unique Ethernet MAC address, the next-to-lowest order bit in the high-order byte is inverted (universal/local bit) to indicate the uniqueness of the 48-bit address. For example, an interface with a MAC address of 00E0.B601.3B7A would have a 64 bit interface ID of 02E0:B6FF:FE01:3B7A.
The ipv6 address link-local command is used to configure an IPv6 link-local address for an interface. The ipv6-address specified with this command overrides the link-local address that is automatically generated for the interface. The link-local address is composed of the link-local prefix FE80::/64 and the interface ID in Modified EUI-64 format. An interface with a MAC address of 00E0.B601.3B7A would have a link-local address of FE80::2E0:B6FF:FE01:3B7A. An error message will be displayed if another host is using the specified address.
Examples
The following example assigns 3FFE:C00:0:1::576/64 as the global address for the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 address 3ffe:c00:0:1::576/64The following example assigns an IPv6 address automatically for the selected interface:
hostname(config)# interface gigabitethernet 0/1hostname(config-if)# ipv6 address autoconfigThe following example assigns IPv6 address 3FFE:C00:0:1::/64 to the selected interface and specifies an EUI-64 interface ID in the low order 64 bits of the address:
hostname(config)# interface gigabitethernet 0/2hostname(onfig-if)# ipv6 address 3FFE:C00:0:1::/64 eui-64The following example assigns FE80::260:3EFF:FE11:6670 as the link-level address for the selected interface:
hostname(config)# interface gigabitethernet 0/3hostname(config-if)# ipv6 address FE80::260:3EFF:FE11:6670 link-localRelated Commands
debug ipv6 interface
Displays debug information for IPv6 interfaces.
show ipv6 interface
Displays the status of interfaces configured for IPv6.
ipv6 enable
To enable IPv6 processing on an interface that has not been configured with an explicit IPv6 address, use the ipv6 enable command in interface configuration mode. To disable IPv6 processing on an interface that has not been configured with an explicit IPv6 address, use the no form of this command.
ipv6 enable
no ipv6 enable
Syntax Description
This command has no arguments or keywords.
Defaults
IPv6 is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The ipv6 enable command automatically configures an IPv6 link-local unicast address on the interface while also enabling the interface for IPv6 processing.
The no ipv6 enable command does not disable IPv6 processing on an interface that is configured with an explicit IPv6 address.
Examples
The following example enables IPv6 processing on the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 enableRelated Commands
ipv6 enforce-eui64
To enforce the use of Modified EUI-64 format interface identifiers in IPv6 addresses on a local link, use the ipv6 enforce-eui64 command in global configuration mode. To disable Modified EUI-64 address format enforcement, use the no form of this command.
ipv6 enforce-eui64 if_name
no ipv6 enforce-eui64 if_name
Syntax Description
if_name
Specifies the name of the interface, as designated by the nameif command, for which you are enabling Modified EUI-64 address format enforcement.
Defaults
Modified EUI-64 format enforcement is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
When this command is enabled on an interface, the source addresses of IPv6 packets received on that interface are verified against the source MAC addresses to ensure that the interface identifiers use the Modified EUI-64 format. If the IPv6 packets do not use the Modified EUI-64 format for the interface identifier, the packets are dropped and the following system log message is generated:
%PIX|ASA-3-325003: EUI-64 source address check failed.The address format verification is only performed when a flow is created. Packets from an existing flow are not checked. Additionally, the address verification can only be performed for hosts on the local link. Packets received from hosts behind a router will fail the address format verification, and be dropped, because their source MAC address will be the router MAC address and not the host MAC address.
The Modified EUI-64 format interface identifier is derived from the 48-bit link-layer (MAC) address by inserting the hex number FFFE between the upper three bytes (OUI field) and the lower 3 bytes (serial number) of the link layer address. To ensure the chosen address is from a unique Ethernet MAC address, the next-to-lowest order bit in the high-order byte is inverted (universal/local bit) to indicate the uniqueness of the 48-bit address. For example, an interface with a MAC address of 00E0.B601.3B7A would have a 64 bit interface ID of 02E0:B6FF:FE01:3B7A.
Examples
The following example enables Modified EUI-64 format enforcement for IPv6 addresses received on the inside interface:
hostname(config)# ipv6 enforce-eui64 insideRelated Commands
ipv6 address
Configures an IPv6 address on an interface.
ipv6 enable
Enables IPv6 on an interface.
ipv6 icmp
To configure ICMP access rules for an interface, use the ipv6 icmp command in global configuration mode. To remove an ICMP access rule, use the no form of this command.
ipv6 icmp {permit | deny} {ipv6-prefix/prefix-length | any | host ipv6-address} [icmp-type] if-name
no ipv6 icmp {permit | deny} {ipv6-prefix/prefix-length | any | host ipv6-address} [icmp-type] if-name
Syntax Description
Defaults
If no ICMP access rules are defined, all ICMP traffic is permitted.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
ICMP in IPv6 functions the same as ICMP in IPv4. ICMPv6 generates error messages, such as ICMP destination unreachable messages and informational messages like ICMP echo request and reply messages. Additionally, ICMP packets in IPv6 are used in the IPv6 neighbor discovery process and path MTU discovery.
If there are no ICMP rules defined for an interface, all IPv6 ICMP traffic is permitted.
If there are ICMP rules defined for an interface, then the rules are processed in order on a first-match basis followed by an implicit deny all rule. For example, if the first matched rule is a permit rule, the ICMP packet is processed. If the first matched rule is a deny rule, or if the ICMP packet did not match any rule on that interface, then the security appliance discards the ICMP packet and generates a syslog message.
For this reason, the order that you enter the ICMP rules is important. If you enter a rule denying all ICMP traffic from a specific network, and then follow it with a rule permitting ICMP traffic from a particular host on that network, the host rule will never be processed. The ICMP traffic is blocked by the network rule. However, if you enter the host rule first, followed by the network rule, the host ICMP traffic will be allowed, while all other ICMP traffic from that network is blocked.
The ipv6 icmp command configures access rules for ICMP traffic that terminates at the security appliance interfaces. To configure access rules for pass-through ICMP traffic, refer to the ipv6 access-list command.
Examples
The following example denies all ping requests and permits all Packet Too Big messages (to support Path MTU Discovery) at the outside interface:
hostname(config)# ipv6 icmp deny any echo-reply outsidehostname(config)# ipv6 icmp permit any packet-too-big outsideThe following example permits host 2000:0:0:4::2 or hosts on prefix 2001::/64 to ping the outside interface:
hostname(config)# ipv6 icmp permit host 2000:0:0:4::2 echo-reply outsidehostname(config)# ipv6 icmp permit 2001::/64 echo-reply outsidehostname(config)# ipv6 icmp permit any packet-too-big outsideRelated Commands
ipv6 local pool
To configure an IPv6 address pool from which to allocate addresses to remote clients, use the ipv6 local pool command in global configuration mode. To remove the attribute from the configuration, use the no form of this command.
ipv6 local pool pool_name ipv6_address/prefix_length number_of_addresses
no ipv6 local pool pool_name ipv6_address/prefix_length number_of_addresses
Syntax Description
Defaults
By default, the IPv6 local address pool is not configured.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
To assign IPv6 local pools, use either the ipv6-local-pool command in the tunnel-group or the ipv6-address-pools (note the "s" on this one) command in the group policy. The ipv6-address-pools setting in the group policy overrides the ipv6-address-pool setting in the tunnel group.
Examples
The following example, entered in config-general configuration mode, configures an IPv6 address pool named firstipv6pool for use in allocating addresses to remote clients:
hostname(config)# ipv6 local pool firstipv6pool 2001:DB8::1001/32 100
hostname(config)#Related Commands
ipv6 nd dad attempts
To configure the number of consecutive neighbor solicitation messages that are sent on an interface during duplicate address detection, use the ipv6 nd dad attempts command in interface configuration mode. To return to the default number of duplicate address detection messages sent, use the no form of this command.
ipv6 nd dad attempts value
no ipv6 nd dad [attempts value]
Syntax Description
Defaults
The default number of attempts is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
Duplicate address detection verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in a tentative state while duplicate address detection is performed). Duplicate address detection uses neighbor solicitation messages to verify the uniqueness of unicast IPv6 addresses. The frequency at which the neighbor solicitation messages are sent is configured using the ipv6 nd ns-interval command.
Duplicate address detection is suspended on interfaces that are administratively down. While an interface is administratively down, the unicast IPv6 addresses assigned to the interface are set to a pending state.
Duplicate address detection is automatically restarted on an interface when the interface returns to being administratively up. An interface returning to administratively up restarts duplicate address detection for all of the unicast IPv6 addresses on the interface.
Note
When duplicate address detection identifies a duplicate address, the state of the address is set to DUPLICATE and the address is not used. If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is disabled on the interface and an error message similar to the following is issued:
%PIX-4-DUPLICATE: Duplicate address FE80::1 on outsideIf the duplicate address is a global address of the interface, the address is not used and an error message similar to the following is issued:
%PIX-4-DUPLICATE: Duplicate address 3000::4 on outsideAll configuration commands associated with the duplicate address remain as configured while the state of the address is set to DUPLICATE.
If the link-local address for an interface changes, duplicate address detection is performed on the new link-local address and all of the other IPv6 address associated with the interface are regenerated (duplicate address detection is performed only on the new link-local address).
Examples
The following example configures 5 consecutive neighbor solicitation messages to be sent when duplicate address detection is being performed on the tentative unicast IPv6 address of the interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd dad attempts 5The following example disables duplicate address detection on the selected interface:
hostname(config)# interface gigabitethernet 0/1hostname(config-if)# ipv6 nd dad attempts 0Related Commands
ipv6 nd ns-interval
To configure the interval between IPv6 neighbor solicitation retransmissions on an interface, use the ipv6 nd ns-interval command in interface configuration mode. To restore the default value, use the no form of this command.
ipv6 nd ns-interval value
no ipv6 nd ns-interval [value]
Syntax Description
value
The interval between IPv6 neighbor solicitation transmissions, in milliseconds. Valid values range from 1000 to 3600000 milliseconds. The default value is 1000 milliseconds.
Defaults
1000 milliseconds between neighbor solicitation transmissions.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
This value will be included in all IPv6 router advertisements sent out this interface.
Examples
The following example configures an IPv6 neighbor solicitation transmission interval of 9000 milliseconds for Gigabitethernet 0/0:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd ns-interval 9000Related Commands
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd prefix
To configure which IPv6 prefixes are included in IPv6 router advertisements, use the ipv6 nd prefix command in interface configuration mode. To remove the prefixes, use the no form of this command.
ipv6 nd prefix ipv6-prefix/prefix-length | default [[valid-lifetime preferred-lifetime] | [at valid-date preferred-date] | infinite | no-advertise | off-link | no-autoconfig]
no ipv6 nd prefix ipv6-prefix/prefix-length | default [[valid-lifetime preferred-lifetime] | [at valid-date preferred-date] | infinite | no-advertise | off-link | no-autoconfig]
Syntax Description
Defaults
All prefixes configured on interfaces that originate IPv6 router advertisements are advertised with a valid lifetime of 2592000 seconds (30 days) and a preferred lifetime of 604800 seconds (7 days), and with both the "onlink" and "autoconfig" flags set.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
This command allows control over the individual parameters per prefix, including whether or not the prefix should be advertised.
By default, prefixes configured as addresses on an interface using the ipv6 address command are advertised in router advertisements. If you configure prefixes for advertisement using the ipv6 nd prefix command, then only these prefixes are advertised.
The default keyword can be used to set default parameters for all prefixes.
A date can be set to specify the expiration of a prefix. The valid and preferred lifetimes are counted down in real time. When the expiration date is reached, the prefix will no longer be advertised.
When onlink is "on" (by default), the specified prefix is assigned to the link. Nodes sending traffic to such addresses that contain the specified prefix consider the destination to be locally reachable on the link.
When autoconfig is "on" (by default), it indicates to hosts on the local link that the specified prefix can be used for IPv6 autoconfiguration.
Examples
The following example includes the IPv6 prefix 2001:200::/35, with a valid lifetime of 1000 seconds and a preferred lifetime of 900 seconds, in router advertisements sent out on the specified interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd prefix 2001:200::/35 1000 900Related Commands
ipv6 address
Configures an IPv6 address and enables IPv6 processing on an interface.
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd ra-interval
To configure the interval between IPv6 router advertisement transmissions on an interface, use the ipv6 nd ra-interval command in interface configuration mode. To restore the default interval, use the no form of this command.
ipv6 nd ra-interval [msec] value
no ipv6 nd ra-interval [[msec] value]
Syntax Description
Defaults
200 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The interval between transmissions should be less than or equal to the IPv6 router advertisement lifetime if the security appliance is configured as a default router by using the ipv6 nd ra-lifetime command. To prevent synchronization with other IPv6 nodes, randomly adjust the actual value used to within 20 percent of the specified value.
Examples
The following example configures an IPv6 router advertisement interval of 201 seconds for the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd ra-interval 201Related Commands
ipv6 nd ra-lifetime
Configures the lifetime of an IPv6 router advertisement.
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd ra-lifetime
To configure the "router lifetime" value in IPv6 router advertisements on an interface, use the ipv6 nd ra-lifetime command in interface configuration mode. To restore the default value, use the no form of this command.
ipv6 nd ra-lifetime seconds
no ipv6 nd ra-lifetime [seconds]
Syntax Description
Defaults
1800 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The "router lifetime" value is included in all IPv6 router advertisements sent out the interface. The value indicates the usefulness of the security appliance as a default router on this interface.
Setting the value to a non-zero value to indicates that the security appliance should be considered a default router on this interface. The no-zero value for the "router lifetime" value should not be less than the router advertisement interval.
Setting the value to 0 indicates that the security appliance should not be considered a default router on this interface.
Examples
The following example configures an IPv6 router advertisement lifetime of 1801 seconds for the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd ra-lifetime 1801Related Commands
ipv6 nd reachable-time
To configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, use the ipv6 nd reachable-time command in interface configuration mode. To restore the default time, use the no form of this command.
ipv6 nd reachable-time value
no ipv6 nd reachable-time [value]
Syntax Description
Defaults
0 milliseconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The configured time enables detecting unavailable neighbors. Shorter configured times enable detecting unavailable neighbors more quickly; however, shorter times consume more IPv6 network bandwidth and processing resources in all IPv6 network devices. Very short configured times are not recommended in normal IPv6 operation.
To see the reachable time used by the security appliance, including the actual value when this comamnd is set to 0, use the show ipv6 interface command to display information about the IPv6 interface, including the ND reachable time being used.
Examples
The following example configures an IPv6 reachable time of 1700000 milliseconds for the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd reachable-time 1700000Related Commands
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd suppress-ra
To suppress IPv6 router advertisement transmissions on a LAN interface, use the ipv6 nd suppress-ra command in interface configuration mode. To reenable the sending of IPv6 router advertisement transmissions on a LAN interface, use the no form of this command.
ipv6 nd suppress-ra
no ipv6 nd suppress-ra
Syntax Description
This command has no arguments or keywords.
Defaults
Router advertisements are automatically sent on LAN interfaces if IPv6 unicast routing is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
Use the no ipv6 nd suppress-ra command to enable the sending of IPv6 router advertisement transmissions on non-LAN interface types (for example serial or tunnel interfaces).
Examples
The following example suppresses IPv6 router advertisements on the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd suppress-raRelated Commands
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 neighbor
To configure a static entry in the IPv6 neighbor discovery cache, use the ipv6 neighbor command in global configuration mode. To remove a static entry from the neighbor discovery cache, use the no form of this command.
ipv6 neighbor ipv6_address if_name mac_address
no ipv6 neighbor ipv6_address if_name [mac_address]
Syntax Description
Defaults
Static entries are not configured in the IPv6 neighbor discovery cache.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
The ipv6 neighbor command is similar to the arp command. If an entry for the specified IPv6 address already exists in the neighbor discovery cache—learned through the IPv6 neighbor discovery process—the entry is automatically converted to a static entry. These entries are stored in the configuration when the copy command is used to store the configuration.
Use the show ipv6 neighbor command to view static entries in the IPv6 neighbor discovery cache.
The clear ipv6 neighbors command deletes all entries in the IPv6 neighbor discovery cache except static entries. The no ipv6 neighbor command deletes a specified static entry from the neighbor discovery cache; the command does not remove dynamic entries—entries learned from the IPv6 neighbor discovery process—from the cache. Disabling IPv6 on an interface by using the no ipv6 enable command deletes all IPv6 neighbor discovery cache entries configured for that interface except static entries (the state of the entry changes to INCMP [Incomplete]).
Static entries in the IPv6 neighbor discovery cache are not modified by the neighbor discovery process.
Examples
The following example adds a static entry for the an inside host with an IPv6 address of 3001:1::45A and a MAC address of 0002.7D1A.9472 to the neighbor discovery cache:
hostname(config)# ipv6 neighbor 3001:1::45A inside 0002.7D1A.9472Related Commands
clear ipv6 neighbors
Deletes all entries in the IPv6 neighbor discovery cache, except static entries.
show ipv6 neighbor
Displays IPv6 neighbor cache information.
ipv6 route
To add an IPv6 route to the IPv6 routing table, use the ipv6 route command in global configuration mode. To remove an IPv6 default route, use the no form of this command.
ipv6 route if_name ipv6-prefix/prefix-length ipv6-address [administrative-distance | tunneled]
no ipv6 route if_name ipv6-prefix/prefix-length ipv6-address [administrative-distance | tunneled]
Syntax Description
Defaults
By default, the administrative-distance is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
Use the show ipv6 route command to view the contents of the IPv6 routing table.
You can define a separate default route for tunneled traffic along with the standard default route. When you create a default route with the tunneled option, all traffic from a tunnel terminating on the security appliance that cannot be routed using learned or static routes, is sent to this route. For traffic emerging from a tunnel, this route overrides over any other configured or learned default routes.
The following restrictions apply to default routes with the tunneled option:
•
•
•
You cannot define more than one default route with the tunneled option; ECMP for tunneled traffic is not supported.
Examples
The following example routes packets for network 7fff::0/32 to a networking device on the inside interface at 3FFE:1100:0:CC00::1 with an administrative distance of 110:
hostname(config)# ipv6 route inside 7fff::0/32 3FFE:1100:0:CC00::1 110Related Commands
debug ipv6 route
Displays debug messages for IPv6 routing table updates and route cache updates.
show ipv6 route
Displays the current contents of the IPv6 routing table.
ipv6-address-pool (tunnel-group general attributes mode)
To specify a list of IPv6 address pools for allocating addresses to remote clients, use the ipv6-address-pool command in tunnel-group general-attributes configuration mode. To eliminate IPv6 address pools, use the no form of this command.
ipv6-address-pool [(interface_name)] ipv6_address_pool1 [...ipv6_address_pool6]
no ipv6-address-pool [(interface_name)] ipv6_address_pool1 [...ipv6_address_pool6]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can enter multiples of each of these commands, one per interface. If an interface is not specified, then the command specifies the default for all interfaces that are not explicitly referenced.
The IPv6 address-pool settings in the group-policy ipv6-address-pools command override the IPv6 address pool settings in the tunnel group ipv6-address-pool command.
The order in which you specify the pools is significant. The security appliance allocates addresses from these pools in the order in which the pools appear in this command.
Examples
The following example entered in config-tunnel-general configuration mode, specifies a list of IPv6 address pools for allocating addresses to remote clients for an IPSec remote-access tunnel group test:
hostname(config)# tunnel-group test type remote-accesshostname(config)# tunnel-group test general-attributeshostname(config-tunnel-general)# ipv6-address-pool (inside) ipv6addrpool1 ipv6addrpool2 ipv6addrpool3hostname(config-tunnel-general)#Related Commands
ipv6-address-pools
To specify a list of up to six IPv6 address pools from which to allocate addresses to remote clients, use the ipv6-address-pools command in group-policy attributes configuration mode. To remove the attribute from the group policy and enable inheritance from other sources of group policy, use the no form of this command.
ipv6-address-pools value ipv6_address_pool1 [...ipv6_address_pool6]
no ipv6-address-pools value ipv6_address_pool1 [...ipv6_address_pool6]
ipv6-address-pools none
no ipv6-address-pools none
Syntax Description
Defaults
By default, the IPv6 address pools attribute is not configured.
Command Modes
The following table shows the modes in which you can enter the command:
group-policy attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
To configure IPv6 address pools, use the ipv6 local pool command.
The order in which you specify the pools in the ipv6-address-pools command is significant. The security appliance allocates addresses from these pools in the order in which the pools appear in this command.
The command ipv6-address-pools none disables this attribute from being inherited from other sources of policy, such as the DefaultGrpPolicy. The command no ipv6-address-pools none removes the ipv6-address-pools none command from the configuration, restoring the default value, which is to allow inheritance.
Examples
The following example, entered in config-general configuration mode, configures an IPv6 address pool named firstipv6pool for use in allocating addresses to remote clients, then associates that pool with GroupPolicy1:
hostname(config)# ipv6 local pool firstipv6pool 2001:DB8::1000/32 100hostname(config)# group-policy GroupPolicy1 attributeshostname(config-group-policy)# ipv6-address-pools value firstipv6poolhostname(config-group-policy)#Related Commands
ipv6-vpn-filter
To specify the name of the ACL to use for VPN connections, use the ipv6-vpn-filter command in group policy or username mode. To remove the ACL, including a null value created by issuing the ipv6-vpn-filter none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting values, use the ipv6-vpn-filter none command.
You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the ipv6-vpn-filter command to apply those ACLs.
ipv6-vpn-filter {value IPV6-ACL-NAME | none}
no ipv6-vpn-filter
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Username
•
—
•
—
—
Command History
Usage Guidelines
Clientless SSL VPN does not use the ACL defined in the ipv6-vpn-filter command.
Examples
The following example shows how to set a filter that invokes an access list named ipv6_acl_vpn for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ipv6-vpn-filter value ipv6_acl_vpnRelated Commands
isakmp am-disable
To disable inbound aggressive mode connections, use the isakmp am-disable command in global configuration mode. To enable inbound aggressive mode connections, use the no form of this command.
isakmp am-disable
no isakmp am-disable
Syntax Description
This command has no arguments or keywords.
Defaults
The default value is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
7.2(1)
This command was deprecated. The crypto isakmp am-disable command replaces it.
Examples
The following example, entered in global configuration mode, disables inbound aggressive mode connections:
hostname(config)# isakmp am-disableRelated Commands
isakmp disconnect-notify
To enable disconnect notification to peers, use the isakmp disconnect-notify command in global configuration mode. To disable disconnect notification, use the no form of this command.
isakmp disconnect-notify
no isakmp disconnect-notify
Syntax Description
This command has no arguments or keywords.
Defaults
The default value is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
7.2(1)
This command was deprecated. The crypto isakmp disconnect-notify command replaces it.
Examples
The following example, entered in global configuration mode, enables disconnect notification to peers:
hostname(config)# isakmp disconnect-notifyRelated Commands
isakmp enable
To enable ISAKMP negotiation on the interface on which the IPSec peer communicates with the security appliance, use the isakmp enable command in global configuration mode. To disable ISAKMP on the interface, use the no form of this command.
isakmp enable interface-name
no isakmp enable interface-name
Syntax Description
interface-name
Specifies the name of the interface on which to enable or disable ISAKMP negotiation.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Preexisting
This command was preexisting.
7.2(1)
This command was deprecated. The crypto isakmp enable command replaces it.
Examples
The following example, entered in global configuration mode, shows how to disable ISAKMP on the inside interface:
hostname(config)# no isakmp enable insideRelated Commands
isakmp identity
To set the Phase 2 ID to be sent to the peer, use the isakmp identity command in global configuration mode. To return to the default setting, use the no form of this command.
isakmp identity {address | hostname | key-id key-id-string | auto}
no isakmp identity {address | hostname | key-id key-id-string | auto}
Syntax Description
Defaults
The default ISAKMP identity is isakmp identity hostname.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Preexisting
This command was preexisting.
7.2(1)
This command was deprecated. The crypto isakmp identity command replaces it.
Examples
The following example, entered in global configuration mode, enables ISAKMP negotiation on the interface for communicating with the IPSec peer, depending on connection type:
hostname(config)# isakmp identity autoRelated Commands
isakmp ikev1-user-authentication
To configure hybrid authentication during IKE, use the isakmp ikev1-user-authentication command in tunnel-group ipsec-attributes configuration mode. To disable hybrid authentication, use the no form of this command.
isakmp ikev1-user-authentication [interface] {none | xauth | hybrid}
no isakmp ikev1-user-authentication [interface] {none | xauth | hybrid}
Syntax Description
Defaults
The default authentication method is XAUTH or extended user authentication. The default interface is all interfaces.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ipsec-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You use this command when you need to use digital certificates for security appliance authentication and a different, legacy method for remote VPN user authentication, such as RADIUS, TACACS+ or SecurID. This command breaks phase 1 of IKE down into the following two steps, together called hybrid authentication:
1.
2.
Note
When you omit the optional interface parameter, the command applies to all the interfaces and serves as a back-up when the per-interface command is not specified. When there are two isakmp ikev1-user-authentication commands specified for a tunnel group, and one uses the interface parameter and one does not, the one specifying the interface takes precedence for that particular interface.
Examples
The following example commands enable hybrid XAUTH on the inside interface for a tunnel group called example-group:
hostname(config)# tunnel-group example-group type ipsec-rahostname(config)# tunnel-group example-group ipsec-attributeshostname(config-tunnel-ipsec)# isakmp ikev1-user-authentication (inside) hybridhostname(config-tunnel-ipsec)#Related Commands
isakmp ipsec-over-tcp
To enable IPSec over TCP, use the isakmp ipsec-over-tcp command in global configuration mode. To disable IPSec over TCP, use the no form of this command.
isakmp ipsec-over-tcp [port port1...port10]
no isakmp ipsec-over-tcp [port port1...port10]
Syntax Description
Defaults
The default value is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
7.2(1)
This command was deprecated. The crypto isakmp ipsec-over-tcp command replaces it.
Examples
This example, entered in global configuration mode, enables IPSec over TCP on port 45:
hostname(config)# isakmp ipsec-over-tcp port 45Related Commands
isakmp keepalive
To configure IKE DPD, use the isakmp keepalive command in tunnel-group ipsec-attributes configuration mode. In every tunnel group, IKE keepalives are enabled by default with default threshold and retry values. To return the keepalive parameters to enabled with default threshold and retry values, use the no form of this command.
isakmp keepalive [threshold seconds] [retry seconds] [disable]
no isakmp keepalive disable
Syntax Description
Defaults
The default for a remote access group is a threshold of 300 seconds and a retry of 2 seconds.
For a LAN-to-LAN group, the default is a threshold of 10 seconds and a retry of 2 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ipsec attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute only to IPSec remote-access and IPSec LAN-to-LAN tunnel-group types.
Examples
The following example entered in config-ipsec configuration mode, configures IKE DPD, establishes a threshold of 15, and specifies a retry interval of 10 for the IPSec LAN-to-LAN tunnel group with the IP address 209.165.200.225:
hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2Lhostname(config)# tunnel-group 209.165.200.225 ipsec-attributeshostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10hostname(config-tunnel-ipsec)#Related Commands
isakmp nat-traversal
To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the isakmp enable command) in global configuration mode and then use the isakmp nat-traversal command. If you have enabled NAT traversal, you can disable it with the no form of this command.
isakmp nat-traversal natkeepalive
no isakmp nat-traversal natkeepalive
Syntax Description
Defaults
By default, NAT traversal (isakmp nat-traversal) is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Preexisting
This command was preexisting.
7.2(1)
This command was deprecated. The crypto isakmp nat-traversal command replaces it.
Usage Guidelines
Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.
The security appliance supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps.
This command enables NAT-T globally on the security appliance. To disable in a crypto-map entry, use the crypto map set nat-t-disable command.
Examples
The following example, entered in global configuration mode, enables ISAKMP and then enables NAT traversal with an interval of 30 seconds:
hostname(config)# isakmp enablehostname(config)# isakmp nat-traversal 30Related Commands
isakmp policy authentication
To specify an authentication method within an IKE policy, use the isakmp policy authentication command in global configuration mode. IKE policies define a set of parameters for IKE negotiation. To remove the ISAKMP authentication method, use the related clear configure command.
isakmp policy priority authentication {crack | pre-share | rsa-sig}
Syntax Description
Defaults
The default ISAKMP policy authentication is pre-share.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
If you specify RSA signatures, you must configure the security appliance and its peer to obtain certificates from a certification authority (CA). If you specify preshared keys, you must separately configure these preshared keys within the security appliance and its peer.
Examples
The following example, entered in global configuration mode, shows use of the isakmp policy authentication command. This example sets the authentication method of RSA Signatures to be used within the IKE policy with the priority number of 40.
hostname(config)# isakmp policy 40 authentication rsa-sigRelated Commands
isakmp policy encryption
To specify the encryption algorithm to use within an IKE policy, use the isakmp policy encryption command in global configuration mode. To reset the encryption algorithm to the default value, which is des, use the no form of this command.
isakmp policy priority encryption {aes | aes-192| aes-256 | des | 3des}
no isakmp policy priority encryption {aes | aes-192| aes-256 | des | 3des}
Syntax Description
Defaults
The default ISAKMP policy encryption is 3des.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Preexisting
This command was preexisting.
7.2(1)
This command was deprecated. The crypto isakmp policy encryption command replaces it.
Examples
The following example, entered in global configuration mode, shows use of the isakmp policy encryption command; it sets 128-bit key AES encryption as the algorithm to be used within the IKE policy with the priority number of 25.
hostname(config)# isakmp policy 25 encryption aesThe following example, entered in global configuration mode, sets the 3DES algorithm to be used within the IKE policy with the priority number of 40.
hostname(config)# isakmp policy 40 encryption 3deshostname(config)#Related Commands
isakmp policy group
To specify the Diffie-Hellman group for an IKE policy, use the isakmp policy group command in global configuration mode. IKE policies define a set of parameters to use during IKE negotiation. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.
isakmp policy priority group {1 | 2 | 5}
no isakmp policy priority group
Syntax Description
Defaults
The default is group 2.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
There are three group options: 768-bit (DH Group 1), 1024-bit (DH Group 2), and 1536-bit (DH Group 5). The 1024-bit and 1536-bit Diffie-Hellman Groups provide stronger security, but require more CPU time to execute.
Note
AES support is available on security appliances licensed for VPN-3DES only. Due to the large key sizes provided by AES, ISAKMP negotiation should use Diffie-Hellman (DH) group 5 instead of group 1 or group 2. This is done with the isakmp policy priority group 5 command.Examples
The following example, entered in global configuration mode, shows use of the isakmp policy group command. This example sets group 2, the 1024-bit Diffie Hellman, to use for the IKE policy with the priority number of 40.
hostname(config)# isakmp policy 40 group 2Related Commands
isakmp policy hash
To specify the hash algorithm for an IKE policy, use the isakmp policy hash command in global configuration mode. IKE policies define a set of parameters to be used during IKE negotiation.
To reset the hash algorithm to the default value of SHA-1, use the no form of this command.
isakmp policy priority hash {md5 | sha}
no isakmp policy priority hash
Syntax Description
Defaults
The default hash algorithm is SHA-1 (HMAC variant).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Preexisting
This command was preexisting.
7.2(1)
This command was deprecated. The crypto isakmp policy hash command replaces it.
Usage Guidelines
There are two hash algorithm options: SHA-1 and MD5. MD5 has a smaller digest and is considered to be slightly faster than SHA-1.
Examples
The following example, entered in global configuration mode, shows use of the isakmp policy hash command. This example specifies that the MD5 hash algorithm be used within the IKE policy, with the priority number of 40.
hostname(config)# isakmp policy 40 hash md5Related Commands
isakmp policy lifetime
To specify the lifetime of an IKE security association before it expires, use the isakmp policy lifetime command in global configuration mode. Use the no form of this command to reset the security association lifetime to the default value of 86,400 seconds (one day).
isakmp policy priority lifetime seconds
no isakmp policy priority lifetime
Syntax Description
Defaults
The default value is 86,400 seconds (one day).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Preexisting
This command was preexisting.
7.2(1)
This command was deprecated. The crypto isakmp policy lifetime command replaces it.
Usage Guidelines
When IKE begins negotiations, it seeks to agree upon the security parameters for its own session. Then the security association at each peer refers to the agreed-upon parameters. The peers retain the security association until the lifetime expires. Before a security association expires, subsequent IKE negotiations can use it, which can save time when setting up new IPSec security associations. The peers negotiate new security associations before current security associations expire.
With longer lifetimes, the security appliance sets up future IPSec security associations more quickly. Encryption strength is great enough to ensure security without using very fast rekey times, on the order of every few minutes. We recommend that you accept the default, but y ou can specify an infinite lifetime if the peer does not propose a lifetime.
Note
The following example, entered in global configuration mode, shows use of the isakmp policy lifetime command. This example sets the lifetime of the IKE security association to 50,400 seconds (14 hours) within the IKE policy with the priority number of 40.Examples
The following example, entered in global configuration mode, sets the lifetime of the IKE security association to 50,4000 seconds (14 hours) within the IKE policy with the priority number of 40.
hostname(config)# isakmp policy 40 lifetime 50400The following example, entered in global configuration mode, sets the IKE security association to an infinite lifetime.
hostname(config)# isakmp policy 40 lifetime 0Related Commands
isakmp reload-wait
To enable waiting for all active sessions to voluntarily terminate before rebooting the security appliance, use the isakmp reload-wait command in global configuration mode. To disable waiting for active sessions to terminate and to proceed with a reboot of the security appliance, use the no form of this command.
isakmp reload-wait
no isakmp reload-wait
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
7.0
This command was introduced.
7.2(1)
This command was deprecated. The crypto isakmp reload-wait command replaces it.
Examples
The following example, entered in global configuration mode, tells the security appliance to wait until all active sessions have terminated before rebooting.
hostname(config)# isakmp reload-waitRelated Commands
issuer
To specify the security device that is sending assertions to a SAML-type SSO server, use the issuer command in webvpn-sso-saml configuration mode for that specific SAML type. To remove the issuer name, use the no form of this command.
issuer identifier
no issuer [identifier]
Syntax Description
identifier
Specifies a security device name, usually the hostname of the device. An identifier must be less than 65 alphanumeric characters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn-sso-saml configuration
•
—
•
—
—
Command History
Usage Guidelines
Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The security appliance currently supports the SAML POST-type SSO server and the SiteMinder-type of SSO server.
This command applies only to SAML-type SSO Servers.
Examples
The following example specifies the issuer name for a security device named asa1.mycompany.com:
hostname(config-webvpn)# sso server myhostname type saml-v1.1-posthostname(config-webvpn-sso-saml# issuer asa1.example.comhostname(config-webvpn-sso-saml#Related Commands
issuer-name
To specify the issuer-name DN of all issued certificates, use the issuer-name command in local Certificate Authority (CA) server configuration mode. To remove the subject-DN from the certificate authority certificate, use the no form of this command.
issuer-name DN-string
no issuer-name [DN-string]
Syntax Description
Defaults
The default issuer-name is cn=hostame.domain-name, such as cn=asa.example.com.
Command Modes
The following table shows the modes in which you can enter the command:
CA server configuration
•
—
•
—
—
Command History
7.3(1)
This command was introduced.
8.0(2)
Support for quotation marks added to retain commas in DN-string values.
Usage Guidelines
This command specifies the issuer name that appears on any certificate created by this local CA server. Use this optional command if you want the issuer name to be different from the default CA name.
Note
Examples
The following example configures certificate authentication:
hostname(config)# crypto ca serverhostname(config-ca-server)# issuer-name cn=asa-ca.example.com,ou=Eng,o=Example,c="cisco systems, inc."hostname(config-ca-server)#Related Commands
