-
Cisco ASA Series Command Reference
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
-
C Commands
-
cache -- clear compression
-
clear configure -- clear configure http
-
clear configure flow-export-- clear configure zonelabs-integrity
-
clear conn -- clear isakmp sa
-
clear local-host -- clear xlate
-
client-access-rule -- crl-configure
-
crypto ca authenticate -- crypto ipsec ikev1 transform-set mode transport
-
crypto isakmp disconnect-notify -- cxsc auth-proxy port
-
-
D through F Commands
-
database path -- debug cxsc
-
debug dap -- debug http-map
-
debug icmp -- debug ospfv3
-
debug parser cache -- debug xml
-
default -- dhcp-server
-
dhcpd address -- distribute-list out
-
dns domain-lookup -- dynamic-filter whitelist
-
eigrp log-neighbor-changes -- export webvpn webcontent
-
failover -- fallback
-
file-bookmarks -- functions
-
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- shape
-
show aaa kerberos -- show asdm sessions
-
show asp cluster counter -- show asp table vpn-context
-
show blocks -- show cpu
-
show crashinfo -- show curpriv
-
show ddns update interface -- show environment
-
show failover -- show ipsec stats traffic
-
show ipv6 access-list -- show ipv6
-
show isakmp ipsec-over-tcp stats -- show ospf virtual-links
-
show nac-policy -- show ospf virtual-links
-
show pager -- show route
-
show running-config -- show running-config ctl-provider
-
show running-config ddns -- show running-config isakmp
-
show running-config ipv6 router -- show running-config router
-
show running-config same-security-traffic -- show running-config xlate
-
show scansafe -- show switch vlan
-
show tcpstat -- show traffic
-
show uauth -- show xlate
-
shun -- snmp-server user
-
software-version -- storage-objects
-
subject-name -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
integrity through ip verify reverse-path Commands
interface (vpn load-balancing)
integrity through ip verify reverse-path Commands
integrity
To specify the ESP integrity algorithm in an IKEv2 security association (SA) for AnyConnect IPsec connections, use the integrity command in IKEv2 policy configuration mode. To remove the command and use the default setting, use the no form of this command:
integrity {md5 | sha | sha256 | sha384 | sha512 | null}
no integrity {md5 | sha | sha256 | sha384 | sha512 | null}
Syntax Description
Defaults
The default is sha (SHA 1 algorithm).
Usage Guidelines
An IKEv2 SA is a key used in phase 1 to enable IKEv2 peers to communicate securely in phase 2. After entering the crypto ikev2 policy command, use the integrity command to set the integrity algorithm for the ESP protocol.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
8.4(1)
This command was added.
8.4(2)
The sha256, sha384, and sha512 keywords were added for SHA 2 support.
9.0(1)
Added the null option as an IKEv2 integrity algorithm.
Examples
The following example enters IKEv2 policy configuration mode and sets the integrity algorithm to MD5:
hostname(config)# crypto ikev2 policy 1hostname(config-ikev2-policy)# integrity md5Related Commands
intercept-dhcp
To enable DHCP Intercept, use the intercept-dhcp enable command in group-policy configuration mode. To remove the intercept-dhcp attribute from the running configuration and allow the users to inherit a DHCP Intercept configuration from the default or other group policy, use the no form of this command.
intercept-dhcp netmask {enable | disable}
no intercept-dhcp
Syntax Description
disable
Disables DHCP Intercept.
enable
Enables DHCP Intercept.
netmask
Provides the subnet mask for the tunnel IP address.
Defaults
DHCP Intercept is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
To disable DHCP Intercept, use the intercept-dhcp disable command.
A Microsoft XP anomaly results in the corruption of domain names if split tunnel options exceed 255 bytes. To avoid this problem, the ASA limits the number of routes it sends to 27 to 40 routes, with the number of routes dependent on the classes of the routes.
DHCP Intercept lets Microsoft XP clients use split-tunneling with the ASA. The ASA replies directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP address. For Windows clients prior to XP, DHCP Intercept provides the domain name and subnet mask. This is useful in environments in which using a DHCP server is not advantageous.
Examples
The following example shows how to set DHCP Intercepts for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# intercept-dhcp enableinterface
To configure an interface and enter interface configuration mode, use the interface command in global configuration mode. To remove a subinterface, use the no form of this command; you cannot remove a physical interface or a mapped interface.
For physical interfaces (for all models except the ASASM):
interface physical_interface
For subinterfaces (not available for the ASA 5505 or the ASASM, or for the Management interface on the ASA 5512-X through ASA 5555-X):
interface {physical_interface | redundant number | port-channel number}.subinterface
no interface {physical_interface | redundant number | port-channel number}.subinterface
For multiple context mode when a mapped name is assigned:
interface mapped_name
Syntax Description
Defaults
By default, the ASA automatically generates interface commands for all physical interfaces.
In multiple context mode, the ASA automatically generates interface commands for all interfaces allocated to the context using the allocate-interface command.
The default state of an interface depends on the type and the context mode:
•
•
–
–
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
7.0(1)
This command was modified to allow for new subinterface naming conventions and to change arguments to be separate commands under interface configuration mode.
Usage Guidelines
In interface configuration mode, you can configure hardware settings (for physical interfaces), assign a name, assign a VLAN, assign an IP address, and configure many other settings, depending on the type of interface and the security context mode.
For an enabled interface to pass traffic, configure the following interface configuration mode commands: nameif, and, for routed mode, ip address. For subinterfaces, also configure the vlan command.
If you change interface settings, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
The Management 0/0 interface on the ASA 5512-X through ASA 5555-X has the following characteristics:
•
•
•
•
•
Examples
The following example configures parameters for the physical interface in single mode:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# speed 1000hostname(config-if)# duplex fullhostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownThe following example configures parameters for a subinterface in single mode:
hostname(config)# interface gigabitethernet0/1.1hostname(config-subif)# vlan 101hostname(config-subif)# nameif dmz1hostname(config-subif)# security-level 50hostname(config-subif)# ip address 10.1.2.1 255.255.255.0hostname(config-subif)# no shutdownThe following example configures interface parameters in multiple context mode for the system configuration, and allocates the gigabitethernet 0/1.1 subinterface to contextA:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# speed 1000hostname(config-if)# duplex fullhostname(config-if)# no shutdownhostname(config-if)# interface gigabitethernet0/1.1hostname(config-subif)# vlan 101hostname(config-subif)# no shutdownhostname(config-subif)# context contextAhostname(config-ctx)# ...hostname(config-ctx)# allocate-interface gigabitethernet0/1.1The following example configures parameters in multiple context mode for the context configuration:
hostname/contextA(config)# interface gigabitethernet0/1.1hostname/contextA(config-if)# nameif insidehostname/contextA(config-if)# security-level 100hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0hostname/contextA(config-if)# no shutdownRelated Commands
interface bvi
To configure the bridge virtual interface (BVI) for a bridge group, use the interface bvi command in global configuration mode. To remove the BVI configuration, use the no form of this command.
interface bvi bridge_group_number
no interface bvi bridge_group_number
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Usage Guidelines
Use this command to enter interface configuration mode so you can configure a management IP address for the bridge group. If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for each network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the ASA, and traffic must exit the ASA before it is routed by an external router back to another bridge group in the ASA. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context. At least one bridge group is required per context or in single mode.
Each bridge group requires a management IP address. The ASA uses this IP address as the source address for packets originating from the bridge group. The management IP address must be on the same subnet as the connected network. For IPv4 traffic, the management IP address is required to pass any traffic. For IPv6 traffic, you must, at a minimum, configure the link-local addresses to pass traffic, but a global management address is recommended for full functionality, including remote management and other management operations. For another method of management, you can configure the Management interface, separate from any bridge groups.
You can configure up to 8 bridge groups in single mode or per context in multiple mode. Note that you must use at least one bridge group; data interfaces must belong to a bridge group. Each bridge group can include up to four interfaces.
Note
Note
Examples
The following example includes two bridge groups of three interfaces each, plus a management-only interface:
interface gigabitethernet 0/0nameif insidesecurity-level 100bridge-group 1no shutdowninterface gigabitethernet 0/1nameif outsidesecurity-level 0bridge-group 1no shutdowninterface gigabitethernet 0/2nameif dmzsecurity-level 50bridge-group 1no shutdowninterface bvi 1ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2interface gigabitethernet 1/0nameif insidesecurity-level 100bridge-group 2no shutdowninterface gigabitethernet 1/1nameif outsidesecurity-level 0bridge-group 2no shutdowninterface gigabitethernet 1/2nameif dmzsecurity-level 50bridge-group 2no shutdowninterface bvi 2ip address 10.3.5.8 255.255.255.0 standby 10.3.5.9interface management 0/0nameif mgmtsecurity-level 100ip address 10.2.1.1 255.255.255.0 standby 10.2.1.2no shutdownRelated Commands
interface port-channel
To configure an EtherChannel interface and enter interface configuration mode, use the interface port-channel command in global configuration mode. To remove an EtherChannel interface, use the no form of this command.
interface port-channel number
no interface port-channel number
Syntax Description
Defaults
By default, port-channel interfaces are enabled. However, for traffic to pass through the EtherChannel, the channel group physical interfaces must also be enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
In interface configuration mode, you can assign a name, assign an IP address, and configure many other settings.
For an enabled interface to pass traffic, configure the following interface configuration mode commands: nameif, and, for routed mode, ip address.
If you change interface settings, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
Note
For more information about interfaces, see the CLI configuration guide.
Examples
The following example configures three interfaces as part of an EtherChannel. It also sets the system priority to be a higher priority, and GigabitEthernet 0/2 to be a higher priority than the other interfaces in case more than eight interfaces are assigned to the EtherChannel.
hostname(config)# lacp system-priority 1234hostname(config-if)# interface GigabitEthernet0/0hostname(config-if)# channel-group 1 mode activehostname(config-if)# interface GigabitEthernet0/1hostname(config-if)# channel-group 1 mode activehostname(config-if)# interface GigabitEthernet0/2hostname(config-if)# lacp port-priority 1234hostname(config-if)# channel-group 1 mode passivehostname(config-if)# interface Port-channel1hostname(config-if)# lacp max-bundle 4hostname(config-if)# port-channel min-bundle 2hostname(config-if)# port-channel load-balance dst-ipRelated Commands
interface redundant
To configure a redundant interface and enter interface configuration mode, use the interface redundant command in global configuration mode. To remove a redundant interface, use the no form of this command.
interface redundant number
no interface redundant number
Syntax Description
number
Specifies a logical redundant interface ID, between 1 and 8. A space between redundant and the ID is optional.
Defaults
By default, redundant interfaces are enabled. However, for traffic to pass through the redundant interface, the member physical interfaces must also be enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
A redundant interface pairs an active and a standby physical interface (see the member-interface command). When the active interface fails, the standby interface becomes active and starts passing traffic.
All ASA configuration refers to the logical redundant interface instead of the member physical interfaces.
In interface configuration mode, you can assign a name, assign an IP address, and configure many other settings.
For an enabled interface to pass traffic, configure the following interface configuration mode commands: nameif, and, for routed mode, ip address.
If you change interface settings, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
Note
For more information about interfaces, see the CLI configuration guide.
Examples
The following example creates two redundant interfaces:
hostname(config)# interface redundant 1hostname(config-if)# member-interface gigabitethernet 0/0hostname(config-if)# member-interface gigabitethernet 0/1hostname(config-if)# interface redundant 2hostname(config-if)# member-interface gigabitethernet 0/2hostname(config-if)# member-interface gigabitethernet 0/3Related Commands
interface vlan
For the ASA 5505 and ASASM, to configure a VLAN interface and enter interface configuration mode, use the interface vlan command in global configuration mode. To remove a VLAN interface, use the no form of this command.
interface vlan number
no interface vlan number
Syntax Description
number
Specifies a VLAN ID.
For the ASA 5505, use an ID between 1 and 4090. The VLAN interface ID is enabled by default on VLAN 1.
For the ASASM, use an ID between 2 to 1000 and from 1025 to 4094.
Defaults
By default, VLAN interfaces are enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
For the ASASM, you can add any VLAN ID to the configuration, but only VLANs that are assigned to the ASA by the switch can pass traffic. To view all VLANs assigned to the ASA, use the show vlan command. If you add an interface for a VLAN that is not yet assigned to the ASA by the switch, the interface will be in the down state. When you assign the VLAN to the ASA, the interface changes to an up state. See the show interface command for more information about interface states.
In interface configuration mode, you can assign a name, assign an IP address, and configure many other settings.
For an enabled interface to pass traffic, configure the following interface configuration mode commands: nameif, and, for routed mode, ip address. For the ASA 5505 switch physical interfaces, assign the physical interface to the VLAN interface using the switchport access vlan command.
If you change interface settings, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
For more information about interfaces, see the CLI configuration guide.
Examples
The following example configures three VLAN interfaces. The third home interface cannot forward traffic to the work inteface.
hostname(config)# interface vlan 100hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address dhcphostname(config-if)# no shutdownhostname(config-if)# interface vlan 200hostname(config-if)# nameif workhostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface vlan 300hostname(config-if)# no forward interface vlan 200hostname(config-if)# nameif homehostname(config-if)# security-level 50hostname(config-if)# ip address 10.2.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/0hostname(config-if)# switchport access vlan 100hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/1hostname(config-if)# switchport access vlan 200hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/2hostname(config-if)# switchport access vlan 200hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/3hostname(config-if)# switchport access vlan 200hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/4hostname(config-if)# switchport access vlan 300hostname(config-if)# no shutdownThe following example configures five VLAN interfaces, including the failover interface, which is configured separately using the failover lan command:
hostname(config)# interface vlan 100hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface vlan 200hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.2.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface vlan 300hostname(config-if)# nameif dmzhostname(config-if)# security-level 50hostname(config-if)# ip address 10.3.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface vlan 400hostname(config-if)# nameif backup-isphostname(config-if)# security-level 50hostname(config-if)# ip address 10.1.2.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# failover lan faillink vlan500hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0hostname(config)# interface ethernet 0/0hostname(config-if)# switchport access vlan 100hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/1hostname(config-if)# switchport access vlan 200hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/2hostname(config-if)# switchport access vlan 300hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/3hostname(config-if)# switchport access vlan 400hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/4hostname(config-if)# switchport access vlan 500hostname(config-if)# no shutdownRelated Commands
interface (vpn load-balancing)
To specify a non-default public or private interface for VPN load-balancing in the VPN load-balancing virtual cluster, use the interface command in vpn load-balancing mode. To remove the interface specification and revert to thte default interface, use the no form of this command.
interface {lbprivate | lbpublic} interface-name
no interface {lbprivate | lbpublic}
Syntax Description
Defaults
If you omit the interface command, the lbprivate interface defaults to inside, and the lbpublic interface defaults to outside.
Command Modes
The following table shows the modes in which you can enter the command:
vpn load-balancing
•
—
•
—
—
Command History
Usage Guidelines
You must have first used the vpn load-balancing command to enter vpn load-balancing configuration mode.
You must also have previously used the interface, ip address and nameif commands to configure and assign a name to the interface that you are specifying in this command.
Examples
The following is an example of a vpn load-balancing command sequence that includes an interface command that specifies the public interface of the cluster as "test" one that reverts the private interface of the cluster to the default (inside):
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# no interface lbprivatehostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# participatehostname(config-load-balancing)# participate
Related Commands
interface-policy
To specify the policy for failover when monitoring detects an interface failure, use the interface-policy command in failover group configuration mode. To restore the default values, use the no form of this command.
interface-policy num[%]
no interface-policy num[%]
Syntax Description
num
Specifies a number from 1 to 100 when used as a percentage, or 1 to the maximum number of interfaces.
%
(Optional) Specifies that the number num is a percentage of the monitored interfaces.
Defaults
If the failover interface-policy command is configured for the unit, then the default for the interface-policy failover group command assumes that value. If not, then num is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
There is no space between the num argument and the optional % keyword.
If the number of failed interfaces meets the configured policy and the other ASA is functioning correctly, the ASA will mark itself as failed and a failover may occur (if the active ASA is the one that fails). Only interfaces that are designated as monitored by the monitor-interface command count towards the policy.
Examples
The following partial example shows a possible configuration for a failover group:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# interface-policy 25%hostname(config-fover-group)# exithostname(config)#Related Commands
internal-password
To display an additional password field on the clientless SSL VPN portal page, use the internal-password command in webvpn configuration mode. This additional password is used by the ASA to authenticate users to file servers for whom SSO is allowed.
To disable the ability to use an internal password, use the no version of the command.
internal-password enable
no internal password
Syntax Description
Defaults
The default is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
If enabled, end users type a second password when logging in to a clientless SSL VPN session. The clientless SSL VPN server sends an SSO authentication request, including the username and password, to the authenticating server using HTTPS. If the authenticating server approves the authentication request, it returns an SSO authentication cookie to the clientless SSL VPN server. This cookie is kept on the ASA on behalf of the user and used to authenticate the user to secure websites within the domain protected by the SSO server.
The internal password feature is useful if you require that the internal password be different from the SSL VPN password. In particular, you can use one-time passwords for authentication to the ASA, and another password for internal sites.
Examples
The following example shows how to enable the internal password:
hostname(config)#webvpnhostname(config-webvpn)#internal password enablehostname(config-webvpn)#Related Commands
webvpn
Enters webvpn configuration mode, which lets you configure attributes for clientless SSL VPN connections.
interval maximum
To configure the maximum interval between update attempts by a DDNS update method, use the interval command in DDNS-update-method mode. To remove an interval for a DDNS update method from the running configuration, use the no form of this command.
interval maximum days hours minutes seconds
no interval maximum days hours minutes seconds
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Ddns-update-method configuration
•
—
•
•
—
Command History
Usage Guidelines
The days, hours, minutes, and seconds are added together to arrive at the total interval.
Examples
The following example configures a method called ddns-2 to attempt an update every 3 minutes and 15 seconds:
hostname(config)# ddns update method ddns-2hostname(DDNS-update-method)# interval maximum 0 0 3 15Related Commands
invalid-ack
To set the action for packets with an invalid ACK, use the invalid-ack command in tcp-map configuration mode. To set the value back to the default, use the no form of this command. This command is part of the TCP normalization policy enabled using the set connection advanced-options command.
invalid-ack {allow | drop}
no invalid-ack
Syntax Description
Defaults
The default action is to drop packets with an invalid ACK.
Command Modes
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable TCP normalization, use the Modular Policy Framework:
1.
a.
2.
3.
a.
b.
4.
You might see invalid ACKs in the following instances:
•
•
Note
Examples
The following example sets the ASA to allow packets with an invalid ACK:
hostname(config)# tcp-map tmaphostname(config-tcp-map)# invalid-ack allowhostname(config)# class-map cmaphostname(config-cmap)# match anyhostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalhostname(config)#Related Commands
ip address
To set the IP address for an interface (in routed mode) or for the bridge virtual interface (BVI) or management interface (transparent mode), use the ip address command in interface configuration mode. To remove the IP address, use the no form of this command.
ip address ip_address [mask] [standby ip_address | cluster-pool poolname]
no ip address [ip_address]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
—
Command History
Usage Guidelines
This command also sets the standby address for failover.
Multiple Context Mode Guidelines
In single context routed firewall mode, each interface address must be on a unique subnet. In multiple context mode, if this interface is on a shared interface, then each IP address must be unique but on the same subnet. If the interface is unique, this IP address can be used by other contexts if desired.
Transparent Firewall Guidelines
A transparent firewall does not participate in IP routing. The only IP configuration required for the ASA is to set the BVI address. This address is required because the ASA uses this address as the source address for traffic originating on the ASA, such as system messages or communications with AAA servers. You can also use this address for remote management access. This address must be on the same subnet as the upstream and downstream routers. For multiple context mode, set the management IP address within each context. For models that include a Management interface, you can also set an IP address for this interface for management purposes.
Failover Guidelines
The standby IP address must be on the same subnet as the main IP address.
ASA Clustering Guidelines
You can only set the cluster pool for an individual interface after you configure the cluster interface mode to be individual (cluster-interface mode individual command). The only exception is for the management-only interface(s):
•
•
Examples
The following example sets the IP addresses and standby addresses of two interfaces:
hostname(config)# interface gigabitethernet0/2hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2hostname(config-if)# no shutdownhostname(config-if)# interface gigabitethernet0/3hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2hostname(config-if)# no shutdownThe following example sets the management address and standby address of bridge group 1:
hostname(config)# interface bvi 1hostname(config-if)# ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2Related Commands
ip address dhcp
To use DHCP to obtain an IP address for an interface, use the ip address dhcp command in interface configuration mode. To disable the DHCP client for this interface, use the no form of this command.
ip address dhcp [setroute]
no ip address dhcp
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
Reenter this command to reset the DHCP lease and request a new lease.
If you do not enable the interface using the no shutdown command before you enter the ip address dhcp command, some DHCP requests might not be sent.
Note
Examples
The following example enables DHCP on the Gigabitethernet0/1 interface:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# no shutdownhostname(config-if)# ip address dhcpRelated Commands
ip address pppoe
To enable PPPoE, use the ip address pppoe command in interface configuration mode. To disable PPPoE, use the no form of this command.
ip address [ip_address [mask]] pppoe [setroute]
no ip address [ip_address [mask]] pppoe
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
PPPoE combines two widely accepted standards, Ethernet and PPP, to provide an authenticated method of assigning IP addresses to client systems. ISPs deploy PPPoE because it supports high-speed broadband access using their existing remote access infrastructure and because it is easier for customers to use.
Before you set the IP address using PPPoE, configure the vpdn commands to set the username, password, and authentication protocol. If you enable this command on more than one interface, for example for a backup link to your ISP, then you can assign each interface to a different VPDN group if necessary using the pppoe client vpdn group command.
The maximum transmission unit (MTU) size is automatically set to 1492 bytes, which is the correct value to allow PPPoE transmission within an Ethernet frame.
Reenter this command to reset and restart the PPPoE session.
You cannot set this command at the same time as the ip address command or the ip address dhcp command.
Examples
The following example enables PPPoE on the Gigabitethernet 0/1 interface:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address pppoehostname(config-if)# no shutdownThe following example manually sets the IP address for a PPPoE interface:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address 10.1.1.1 255.255.255.0 pppoehostname(config-if)# no shutdownRelated Commands
ip-address-privacy
To enable IP address privacy, use the ip-address-privacy command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.
ip-address-privacy
no ip-address-privacy
Syntax Description
This command has no arguments or keywords.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to enable IP address privacy over SIP in a SIP inspection policy map:
hostname(config)# policy-map type inspect sip sip_maphostname(config-pmap)# parametershostname(config-pmap-p)# ip-address-privacyRelated Commands
ip audit attack
To set the default actions for packets that match an attack signature, use the ip audit attack command in global configuration mode. To restore the default action (to reset the connection), use the no form of this command.
ip audit attack [action [alarm] [drop] [reset]]
no ip audit attack
Syntax Description
Defaults
The default action is to send and alarm.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
You can specify multiple actions, or no actions. You can override the action you set with this command when you configure an audit policy using the ip audit name command. If you do not specify the action in the ip audit name command, then the action you set with this command is used.
For a list of signatures, see the ip audit signature command.
Examples
The following example sets the default action to alarm and reset for packets that match an attack signature. The audit policy for the inside interface overrides this default to be alarm only, while the policy for the outside interface uses the default setting set with the ip audit attack command.
hostname(config)# ip audit attack action alarm resethostname(config)# ip audit name insidepolicy attack action alarmhostname(config)# ip audit name outsidepolicy attackhostname(config)# ip audit interface inside insidepolicyhostname(config)# ip audit interface outside outsidepolicyRelated Commands
ip audit info
To set the default actions for packets that match an informational signature, use the ip audit info command in global configuration mode. To restore the default action (to generate an alarm), use the no form of this command. You can specify multiple actions, or no actions.
ip audit info [action [alarm] [drop] [reset]]
no ip audit info
Syntax Description
Defaults
The default action is to generate an alarm.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
You can override the action you set with this command when you configure an audit policy using the ip audit name command. If you do not specify the action in the ip audit name command, then the action you set with this command is used.
For a list of signatures, see the ip audit signature command.
Examples
The following example sets the default action to alarm and reset for packets that match an informational signature. The audit policy for the inside interface overrides this default to be alarm and drop, while the policy for the outside interface uses the default setting set with the ip audit info command.
hostname(config)# ip audit info action alarm resethostname(config)# ip audit name insidepolicy info action alarm drophostname(config)# ip audit name outsidepolicy infohostname(config)# ip audit interface inside insidepolicyhostname(config)# ip audit interface outside outsidepolicyRelated Commands
ip audit interface
To assign an audit policy to an interface, use the ip audit interface command in global configuration mode. To remove the policy from the interface, use the no form of this command.
ip audit interface interface_name policy_name
no ip audit interface interface_name policy_name
Syntax Description
interface_name
Specifies the interface name.
policy_name
The name of the policy you added with the ip audit name command. You can assign an info policy and an attack policy to each interface.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example applies audit policies to the inside and outside interfaces:
hostname(config)# ip audit name insidepolicy1 attack action alarmhostname(config)# ip audit name insidepolicy2 info action alarmhostname(config)# ip audit name outsidepolicy1 attack action resethostname(config)# ip audit name outsidepolicy2 info action alarmhostname(config)# ip audit interface inside insidepolicy1hostname(config)# ip audit interface inside insidepolicy2hostname(config)# ip audit interface outside outsidepolicy1hostname(config)# ip audit interface outside outsidepolicy2Related Commands
ip audit name
To create a named audit policy that identifies the actions to take when a packet matches a predefined attack signature or informational signature, use the ip audit name command in global configuration mode. To remove the policy, use the no form of this command.
ip audit name name {info | attack} [action [alarm] [drop] [reset]]
no ip audit name name {info | attack} [action [alarm] [drop] [reset]]
Syntax Description
Defaults
If you do not change the default actions using the ip audit attack and ip audit info commands, then the default action for attack signatures and informational signatures is to generate an alarm.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Signatures are activities that match known attack patterns. For example, there are signatures that match DoS attacks. To apply the policy, assign it to an interface using the ip audit interface command. You can assign an info policy and an attack policy to each interface.
For a list of signatures, see the ip audit signature command.
If traffic matches a signature, and you want to take action against that traffic, use the shun command to prevent new connections from the offending host and to disallow packets from any existing connection.
Examples
The following example sets an audit policy for the inside interface to generate an alarm for attack and informational signatures, while the policy for the outside interface resets the connection for attacks:
hostname(config)# ip audit name insidepolicy1 attack action alarmhostname(config)# ip audit name insidepolicy2 info action alarmhostname(config)# ip audit name outsidepolicy1 attack action resethostname(config)# ip audit name outsidepolicy2 info action alarmhostname(config)# ip audit interface inside insidepolicy1hostname(config)# ip audit interface inside insidepolicy2hostname(config)# ip audit interface outside outsidepolicy1hostname(config)# ip audit interface outside outsidepolicy2Related Commands
ip audit signature
To disable a signature for an audit policy, use the ip audit signature command in global configuration mode. To reenable the signature, use the no form of this command.
ip audit signature signature_number disable
no ip audit signature signature_number
Syntax Description
disable
Disables the signature.
signature_number
Specifies the signature number to disable. See Table 26-1 for a list of supported signatures.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
You might want to disable a signature if legitimate traffic continually matches a signature, and you are willing to risk disabling the signature to avoid large numbers of alarms. Table 26-1 lists supported signatures and system message numbers.
Examples
The following example disables signature 6100:
hostname(config)# ip audit signature 6100 disableRelated Commands
ip-comp
To enable LZS IP compression, use the ip-comp enable command in group-policy configuration mode. To disable IP compression, use the ip-comp disable command.To remove the ip-comp attribute from the running configuration, use the no form of this command.
ip-comp {enable | disable}
no ip-comp
Syntax Description
Defaults
IP compression is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
The no form of this command enables inheritance of a value from another group policy. Enabling data compression might speed up data transmission rates for remote dial-in users connecting with modems.
Caution
If the endpoints generate IP compression traffic, you should disable IP compression to prevent improper decompression of the packets. If IP compression is enabled on a particular LAN to LAN tunnel, host A cannot communicate with host B when trying to pass IP compression data from one side of the tunnel to other side.
Note
Examples
The following example shows how to enable IP compression for the group policy named "FirstGroup":
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ip-comp enableip local pool
To configure IP address pools, use the ip local pool command in global configuration mode. To delete the address pool, use the no form of this command.
ip local pool poolname first-address—last-address [mask mask]
no ip local pool poolname
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced.
9.0(1)
You can use an IP local pool for the cluster pool in the ip address command to support ASA clustering.
Usage Guidelines
You must supply the mask value when the IP addresses assigned to VPN clients belonging to a non-standard network and the data could be routed incorrectly if you use the default mask. A typical example is when the IP local pool contains 10.10.10.0/255.255.255.0 addresses, since this is a Class A network by default. This could cause some routing issues when the VPN client needs to access different subnets within the 10 network over different interfaces. For example, if a printer, address 10.10.100.1/255.255.255.0 is available via interface 2, but the 10.10.10.0 network is available over the VPN tunnel and therefore interface 1, the VPN client would be confused as to where to route data destined for the printer. Both the 10.10.10.0 and 10.10.100.0 subnets fall under the 10.0.0.0 Class A network so the printer data may be sent over the VPN tunnel.
Examples
The following example configures an IP address pool named firstpool. The starting address is 10.20.30.40 and the ending address is 10.20.30.50. The network mask is 255.255.255.0.
hostname(config)# ip local pool firstpool 10.20.30.40-10.20.30.50 mask 255.255.255.0Related Commands
ip-phone-bypass
To enable IP Phone Bypass, use the ip-phone-bypass enable command in group-policy configuration mode.To remove the IP phone Bypass attribute from the running configuration, use the no form of this command.
ip-phone-bypass {enable | disable}
no ip-phone-bypass
Syntax Description
Defaults
IP Phone Bypass is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
To disable IP Phone Bypass, use the ip-phone-bypass disable command. The no form of this command option allows inheritance of a value for IP Phone Bypass from another group policy.
IP Phone Bypass lets IP phones behind hardware clients connect without undergoing user authentication processes. If enabled, secure unit authentication remains in effect.
You need to configure IP Phone Bypass only if you have enabled user authentication.
You also need to configure the mac-exempt option to exempt the clients from authentication. See the vpnclient mac-exempt command for more information.
Examples
The following example shows how to enable IP Phone Bypass for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ip-phone-bypass enableRelated Commands
user-authentication
Requires users behind a hardware client to identify themselves to the ASA before connecting.
ips
To divert traffic from the ASA to the AIP SSM for inspection, use the ips command in class configuration mode. To remove this command, use the no form of this command.
ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
no ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
Usage Guidelines
The ASA 5500 series supports the AIP SSM, which runs advanced IPS software that provides proactive, full-featured intrusion prevention services to stop malicious traffic, including worms and network viruses, before they can affect your network. Before or after you configure the ips command on the ASA, configure the security policy on the AIP SSM. You can either session to the AIP SSM from the ASA (the session command) or you can connect directly to the AIP SSM using SSH or Telnet on its mangement interface. Alternatively, you can use ASDM. For more information about configuring the AIP SSM, see Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface.
To configure the ips command, you must first configure the class-map command, policy-map command, and the class command.
The AIP SSM runs a separate application from the ASA. It is, however, integrated into the ASA traffic flow. The AIP SSM does not contain any external interfaces itself, other than a management interface. When you apply the ips command for a class of traffic on the ASA, traffic flows through the ASA and the AIP SSM in the following way:
1.
2.
3.
4.
5.
6.
7.
Examples
The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic if the AIP SSM card fails for any reason:
hostname(config)# access-list IPS permit ip any anyhostname(config)# class-map my-ips-classhostname(config-cmap)# match access-list IPShostname(config-cmap)# policy-map my-ips-policyhostname(config-pmap)# class my-ips-classhostname(config-pmap-c)# ips promiscuous fail-closehostname(config-pmap-c)# service-policy my-ips-policy globalThe following example diverts all IP traffic destined for the 10.1.1.0 network and the 10.2.1.0 network to the AIP SSM in inline mode, and allows all traffic through if the AIP SSM card fails for any reason. For the my-ips-class traffic, sensor1 is used; for the my-ips-class2 traffic, sensor2 is used.
hostname(config)# access-list my-ips-acl permit ip any 10.1.1.0 255.255.255.0hostname(config)# access-list my-ips-acl2 permit ip any 10.2.1.0 255.255.255.0hostname(config)# class-map my-ips-classhostname(config-cmap)# match access-list my-ips-aclhostname(config)# class-map my-ips-class2hostname(config-cmap)# match access-list my-ips-acl2hostname(config-cmap)# policy-map my-ips-policyhostname(config-pmap)# class my-ips-classhostname(config-pmap-c)# ips inline fail-open sensor sensor1hostname(config-pmap)# class my-ips-class2hostname(config-pmap-c)# ips inline fail-open sensor sensor2hostname(config-pmap-c)# service-policy my-ips-policy interface outsideRelated Commands
ipsec-udp
To enable IPsec over UDP, use the ipsec-udp enable command in group-policy configuration mode. To remove the IPsec over UDP attribute from the current group policy, use the no form of this command.
ipsec-udp {enable | disable}
no ipsec-udp
Syntax Description
Defaults
IPsec over UDP is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
The no form of this command enables inheritance of a value for IPsec over UDP from another group policy.
IPsec over UDP, sometimes called IPsec through NAT, lets a Cisco VPN Client or hardware client connect via UDP to an ASA that is running NAT.
To disable IPsec over UDP, use the ipsec-udp disable command.
To use IPsec over UDP, you must also configure the ipsec-udp-port command.
The Cisco VPN Client must also be configured to use IPsec over UDP (it is configured to use it by default). The VPN 3002 requires no configuration to use IPsec over UDP.
IPsec over UDP is proprietary, applies only to remote access connections, and requires mode configuration, which means that the ASA exchanges configuration parameters with the client while negotiating SAs.
Using IPsec over UDP may slightly degrade system performance.
The ipsec-udp-port command is not supported on an ASA5505 operating as a VPN client. The ASA 5505 in client mode can initiate IPsec sessions on UDP ports 500 and/or 4500.
Examples
The following example shows how to configure IPsec over UDP for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ipsec-udp enableRelated Commands
ipsec-udp-port
To set a UDP port number for IPsec over UDP, use the ipsec-udp-port command in group-policy configuration mode. To disable the UDP port, use the no form of this command.
ipsec-udp-port port
no ipsec-udp-port
Syntax Description
Defaults
The default port is 10000.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
The no form of this command enables inheritance of a value for the IPsec over UDP port from another group policy.
In IPsec negotiations. the ASA listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic.
You can configure multiple group policies with this feature enabled, and each group policy can use a different port number.
Examples
The following example shows how to set an IPsec UDP port to port 4025 for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ipsec-udp-port 4025Related Commands
ipsec-udp
Lets a Cisco VPN Client or hardware client connect via UDP to an ASA that is running NAT.
ip verify reverse-path
To enable Unicast RPF, use the ip verify reverse-path command in global configuration mode. To disable this feature, use the no form of this command.
ip verify reverse-path interface interface_name
no ip verify reverse-path interface interface_name
Syntax Description
Defaults
This feature is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.
Normally, the ASA only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the ASA to also look at the source address; this is why it is called Reverse Path Forwarding. For any traffic that you want to allow through the ASA, the ASA routing table must include a route back to the source address. See RFC 2267 for more information.
For outside traffic, for example, the ASA can use the default route to satisfy Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known to the routing table, the ASA uses the default route to correctly identify the outside interface as the source interface.
If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the ASA drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the ASA drops the packet because the matching route (the default route) indicates the outside interface.
Unicast RPF is implemented as follows:
•
•
Examples
The following example enables Unicast RPF on the outside interface:
hostname(config)# ip verify reverse-path interface outsideRelated Commands
