-
Cisco ASA Series Command Reference
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
-
C Commands
-
cache -- clear compression
-
clear configure -- clear configure http
-
clear configure flow-export-- clear configure zonelabs-integrity
-
clear conn -- clear isakmp sa
-
clear local-host -- clear xlate
-
client-access-rule -- crl-configure
-
crypto ca authenticate -- crypto ipsec ikev1 transform-set mode transport
-
crypto isakmp disconnect-notify -- cxsc auth-proxy port
-
-
D through F Commands
-
database path -- debug cxsc
-
debug dap -- debug http-map
-
debug icmp -- debug ospfv3
-
debug parser cache -- debug xml
-
default -- dhcp-server
-
dhcpd address -- distribute-list out
-
dns domain-lookup -- dynamic-filter whitelist
-
eigrp log-neighbor-changes -- export webvpn webcontent
-
failover -- fallback
-
file-bookmarks -- functions
-
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- shape
-
show aaa kerberos -- show asdm sessions
-
show asp cluster counter -- show asp table vpn-context
-
show blocks -- show cpu
-
show crashinfo -- show curpriv
-
show ddns update interface -- show environment
-
show failover -- show ipsec stats traffic
-
show ipv6 access-list -- show ipv6
-
show isakmp ipsec-over-tcp stats -- show ospf virtual-links
-
show nac-policy -- show ospf virtual-links
-
show pager -- show route
-
show running-config -- show running-config ctl-provider
-
show running-config ddns -- show running-config isakmp
-
show running-config ipv6 router -- show running-config router
-
show running-config same-security-traffic -- show running-config xlate
-
show scansafe -- show switch vlan
-
show tcpstat -- show traffic
-
show uauth -- show xlate
-
shun -- snmp-server user
-
software-version -- storage-objects
-
subject-name -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
java-trustpoint through kill Commands
key config-key password-encryption
java-trustpoint through kill Commands
java-trustpoint
To configure the WebVPN Java object signing facility to use a PKCS12 certificate and keying material from a specified trustpoint location, use the java-trustpoint command in webvpn configuration mode.To remove a trustpoint for Java object signing, use the no form of this command.
java-trustpoint trustpoint
no java-trustpoint
Syntax Description
Defaults
By default, a trustpoint for Java object signing is set to none.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
A trustpoint is a representation of a certificate authority (CA) or identity key pair. For the java-trustpoint command, the given trustpoint must contain the X.509 certificate of the application signing entity, the RSA private key corresponding to that certificate, and a certificate authority chain extending up to a root CA. This is typically achieved by using the crypto ca import command to import a PKCS12 formatted bundle. You can obtain a PKCS12 bundle from a trusted CA authority or you can manually create one from an existing X.509 certificate and an RSA private key using open source tools such as openssl.
Note
Examples
The following example first configures a new trustpoint, then configures it for WebVPN Java object signing:
hostname(config)# crypto ca import mytrustpoint pkcs12 mypassphraseEnter the base 64 encoded PKCS12.End with the word "quit" on a line by itself.[ PKCS12 data omitted ]quitINFO: Import PKCS12 operation completed successfully.hostname(config)#The following example configures the new trustpoint for signing WebVPN Java objects:
hostname(config)# webvpnhostname(config)# java-trustpoint mytrustpointhostname(config)#Related Commands
crypto ca import
Imports the certificate and key pair for a trustpoint using PKCS12 data.
join-failover-group
To assign a context to a failover group, use the join-failover-group command in context configuration mode. To restore the default setting, use the no form of this command.
join-failover-group group_num
no join-failover-group group_num
Syntax Description
Defaults
Failover group 1.
Command Modes
The following table shows the modes in which you can enter the command:
Context configuration
•
•
—
•
—
Command History
Usage Guidelines
The admin context is always assigned to failover group 1. You can use the show context detail command to display the failover group and context association.
Before you can assign a context to a failover group, you must create the failover group with the failover group command in the system context. Enter this command on the unit where the context is in the active state. By default, unassigned contexts are members of failover group 1, so if the context had not been previously assigned to a failover group, you should enter this command on the unit that has failover group 1 in the active state.
You must remove all contexts from a failover group, using the no join-failover-group command, before you can remove a failover group from the system.
Examples
The following example assigns a context named ctx1 to failover group 2:
hostname(config)# context ctx1hostname(config-context)# join-failover-group 2hostname(config-context)# exitRelated Commands
jumbo-frame reservation
To enable jumbo frames for supported models, use the jumbo-frame reservation command in global configuration mode. To disable jumbo frames, use the no form of this command.
Note
jumbo-frame reservation
no jumbo-frame reservation
Syntax Description
This command has no arguments or keywords.
Defaults
Jumbo frame reservation is disabled by default.
Jumbo frames are supported by default on the ASASM; you do not need to use this command.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
8.1(1)
This command was introduced for the ASA 5580.
8.2(5)/8.4(1)
We added support for the ASA 5585-X.
8.6(1)
We added support for the ASA 5512-X through ASA 5555-X.
Usage Guidelines
A jumbo frame is an Ethernet packet larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS), up to 9216 bytes. Jumbo frame support requires extra memory, which might limit the maximum use of other features, such as access lists.
Jumbo frames are not supported on the Management n/n interface.
Be sure to set the MTU for each interface that needs to transmit jumbo frames to a higher value than the default 1500; for example, set the value to 9000 using the mtu command. For the ASASM, you do not need to set the jumbo-frame reservation command; it supports jumbo frames by default. Just set the MTU to the desired value.
Also, be sure to configure the MSS (maximum segment size) value for TCP when using jumbo frames. The MSS should be 120 bytes less than the MTU. For example, if you configure the MTU to be 9000, then the MSS should be configured to 8880. You can configure the MSS with the sysopt connection tcpmss command.
Both the primary and the secondary units require a reboot so that the failover pair supports jumbo frames. To avoid downtime, do the following:
•
•
•
Examples
The following example enables jumbo frame reservation, saves the configuration, and reloads the ASA:
hostname(config)# jumbo-frame reservationWARNING: this command will take effect after the running-config is savedand the system has been rebooted. Command accepted.hostname(config)# write memoryBuilding configuration...Cryptochecksum: 718e3706 4edb11ea 69af58d0 0a6b7cb570291 bytes copied in 3.710 secs (23430 bytes/sec)[OK]hostname(config)# reloadProceed with reload? [confirm] YRelated Commands
mtu
Specifies the maximum transmission unit for an interface.
show jumbo-frame reservation
Shows the current configuration of the jumbo-frame reservation command.
kcd-server
To allow the ASA to join an Active Directory domain, use the kcd-server command in webvpn configuration mode. To remove the specified behavior for the ASA, use the no form of this command.
kcd-server aaa-server-group_name user username password password
no kcd-server
Syntax Description
user
Specifies the Active Directory user with service level privileges.
password
Specifies the password for the specified user.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
Use the kcd-server command in webvpn configuration mode to allow the ASA to join an Active Directory domain. The domain controller name and realm are specified in the aaa-server-groupname command. The AAA server group has to be a Kerberos server type. The username and password options do not correspond to a user with Administrator privileges, but they should correspond to a user with service-level privileges on the domain controller. The success or failure status is displayed as the result of this command. The result can also be viewed using the show webvpn kcd command.
Kerberos Constrained Delegation, or KCD, in the ASA environment provides WebVPN users Single Sign-on (SSO) access to all web services that are protected by Kerberos. The ASA maintains a credential on behalf of the user (a service ticket) and uses this ticket to authenticate the user to the services.
In order for the kcd-server command to function, the ASA must establish a trust relationship between the source domain (the domain where the ASA resides) and the target or resource domain (the domain where the web services reside). The ASA, using its unique format, crosses the certification path from the source to the destination domain and acquires the necessary tickets on behalf of the remote access user to access the services.
This path is called cross-realm authentication. During each phase of cross-realm authentication, the ASA relies on the credentials at a particular domain and the trust relationship with the subsequent domain.
To configure the ASA for cross-realm authentication, you must use the following commands to join the Active Directory domain: ntp, hostname, dns domain-lookup, dns server-group.
Examples
The following example shows the usage of the kcd-server command:
hostname(config)#aaa-server kcd-grp protocol kerberoshostname(config-aaa-server-group)#aaa-server kcd-grp host DChostname(config-aaa-server-group)#kerberos-realm EXAMPLE.COMhostname(config)#webvpnhostname(config-webvpn)#kcd-server kcd-grp user Administrator password Cisco123hostname(config-aaa-server-group)#exithostname(config)#The following is a configuration example of cross-realm authentication, where the Domain Controller is 10.1.1.10 (reachable via inside interface) and the domain name is PRIVATE.NET. Additionally, the Service Account username and password on the domain controller is dcuser and dcuser123! .
hostname(config)#config t-----Create an alias for the Domain Controller-------------hostname(config)#name 10.1.1.10 DC----Configure the Name server------------------------------hostname(config)#ntp server DC----Enable a DNS lookup by configuring the DNS server and Domain name --------------hostname(config)#dns domain-lookup insidehostname(config)#dns server-group DefaultDNShostname(config-dns-server-group)#name-server DChostname(config-dns-server-group)#domain-name private.net----Configure the AAA server group with Server and Realm------------------------------hostname(config)#aaa-server KerberosGroup protocol Kerberoshostname(config-asa-server-group)#aaa-server KerberosGroup (inside) host DChostname(config-asa-server-group)#Kerberos-realm PRIVATE.NET----Configure the Domain Join------------------------------hostname(config)#webvpnhostname(config-webvpn)#kcd-server KerberosGroup username dcuser password dcuser123!hostname(config)#Related Commands
keepout
To present an administrator-defined message rather than a login page for new user sessions (when the ASA undergoes a maintenance or troubleshooting period), use the keepout command in webvpn configuration mode. To remove a previously set keepout page, use the no version of the command.
keepout
no keepout string
Syntax Description
Defaults
No keepout page.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
When this command is enabled, the clientless WebVPN portal page becomes unavailable. You receive an administrator-defined message stating the unavailability of the portal rather than a login page for the portal. Use the keepout command to disable clientless access, but still allow AnyConnect access. You can also use this command to indicate portal unavailability when maintenance is occurring.
Examples
The following example shows how to configure a keepout page:
hostname(config)#webvpnhostname(config-webvpn)#keepout "The system is unavailable until 7:00 a.m. EST."hostname(config-webvpn)#Related Commands
webvpn
Enters webvpn configuration mode, which lets you configure attributes for clientless SSL VPN connections.
kerberos-realm
To specify the realm name for this Kerberos server, use the kerberos-realm command in aaa-server host configuration mode. To remove the realm name, use the no form of this command:
kerberos-realm string
no kerberos-realm
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host configuration
•
•
•
•
—
Command History
Usage Guidelines
This command is valid only for Kerberos servers.
The value of the string argument should match the output of the Microsoft Windows set USERDNSDOMAIN command when it is run on the Windows 2000 Active Directory server for the Kerberos realm. In the following example, EXAMPLE.COM is the Kerberos realm name:
C:\>set USERDNSDOMAINUSERDNSDOMAIN=EXAMPLE.COMThe string argument must use numbers and upper case letters only. The kerberos-realm command is case sensitive, and the ASA does not translate lower case letters to upper case letters.
Examples
The following sequence shows the kerberos-realm command to set the kerberos realm to "EXAMPLE.COM" in the context of configuring a AAA server host:
hostname(config)#aaa-server svrgrp1 protocol kerberoshostname(config-aaa-server-group)#aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)#timeout 9hostname(config-aaa-server-host)#retry 7hostname(config-aaa-server-host)#kerberos-realm EXAMPLE.COMhostname(config-aaa-server-host)#exithostname(config)#Related Commands
key (aaa-server host)
To specify the server secret value used to authenticate the NAS to the AAA server, use the key command in aaa-server host configuration mode. The aaa-server host configuration mode is accessibile from aaa-server protocol configuration mode. To remove the key, use the no form of this command.
key key
no key
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host configurationj
•
•
•
•
—
Command History
Usage Guidelines
The key value is a case-sensitive, alphanumeric keyword of up to 127 characters, which is the same value as the key on the TACACS+ server. Any characters over 127 are ignored. The key is used between the client and the server for encrypting data between them. The key must be the same on both the client and server systems.The key cannot contain spaces, but other special characters are allowed. The key (server secret) value authenticates the ASA to the AAA server.
This command is valid only for RADIUS and TACACS+ servers.
Examples
The following example configures a TACACS+ AAA server named "srvgrp1" on host "1.2.3.4," sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the key as "myexclusivemumblekey."
hostname(config)#aaa-server svrgrp1 protocol tacacs+hostname(config-aaa-server-group)#aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)#timeout 9hostname(config-aaa-server-host)#retry-interval 7hostname(config-aaa-server-host)#key myexclusivemumblekeyRelated Commands
key (cluster group)
To set an authentication key for control traffic on the cluster control link, use the key command in ckuster group configuration mode. To remove the key, use the no form of this command.
key shared_secret
no key [shared_secret]
Syntax Description
shared_secret
Sets the shared secret to an ASCII string from 1 to 63 characters. The shared secret is used to generate the key.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
This command does not affect datapath traffic, including connection state update and forwarded packets, which are always sent in the clear.
Examples
The following example sets a shared secret:
hostname(config)# cluster group cluster1
hostname(cfg-cluster)# key chuntheunavoidable
Related Commands
key config-key password-encryption
To set the passphrase used for generation the encryption key, use the key config-key password-encryption command in global configuration mode. To decrypt passwords encrypted with the pass phrase, use the no form of this command.
key config-key password-encryption [new pass phrase [old pass phrase]]
no key config-key password-encryption [current pass phrase]
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
When this command is enabled it sets the passphrase used for generation the encryption key. If the pass phrase is configured for the first time, then you will not need to enter the current password. Otherwise, you must enter the current password. The new passphrase must be between 8 and 128 character long. All characters except the back space and double quote will be accepted for the passphrase.
The write erase command when followed by the reload command will remove the master passphrase if it is lost.
Examples
The following example sets the passphrase used for generating the encryption key:
hostname(config)#key config-key password-encryptionRelated Commands
password encryption aes
Enables password encryption.
write erase
Removes the master passphrase if it is lost when followed by the reload command.
keypair
To specify the key pair whose public key is to be certified, use the keypair command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.
keypair name
no keypair
Syntax Description
Defaults
The default setting is not to include the key pair.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
—
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for the trustpoint central, and specifies a key pair to be certified for the trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# keypair exchangeRelated Commands
keysize
To specify the size of the public and private keys generated by the local Certificate Authority (CA) server at user certificate enrollment, use the keysize command in ca-server configuration mode. To reset the keysize to the default length of 1024 bits, use the no form of this command.
keysize {512 | 768 | 1024 | 2048}
no keysize
Syntax Description
Defaults
By default, each key in the key pair is 1024 bits long.
Command Modes
The following table shows the modes in which you can enter the command:
Ca-server configuration
•
—
•
—
—
Command History
Examples
The following example specifies a key size of 2048 bits for all public and private key pairs generated for users by the local CA server:
hostname(config)# crypto ca serverhostname(config-ca-server))# keysize 2048hostname(config-ca-server)#The following example resets the key size to the default length of 1024 bits for all public and private key pairs generated for users by the local CA server:
hostname(config)# crypto ca serverhostname(config-ca-server)# no keysizehostname(config-ca-server)#Related Commands
keysize server
To specify the size of the public and private keys generated by the local Certificate Authority (CA) server for configuring the size of the CA keypair, use the keysize server command in ca-server configuration mode. To reset the keysize to the default length of 1024 bits, use the no form of this command.
keysize server{512 | 768 | 1024 | 2048}
no keysize server
Syntax Description
Defaults
By default, each key in the key pair is 1024 bits long.
Command Modes
The following table shows the modes in which you can enter the command:
Ca-server configuration
•
—
•
—
—
Command History
Examples
The following example specifies a key size of 2048 bits for the CA certificate:
hostname(config)# crypto ca serverhostname(config-ca-server))# keysize server 2048hostname(config-ca-server)#The following example resets the key size to the default length of 1024 bits for the CA certificate:
hostname(config)# crypto ca serverhostname(config-ca-server)# no keysize serverhostname(config-ca-server)#Related Commands
kill
To terminate a Telnet session, use the kill command in privileged EXEC mode.
kill telnet_id
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The kill command lets you terminate a Telnet session. Use the who command to see the Telnet session ID. When you kill a Telnet session, the ASA lets any active commands terminate and then drops the connection without warning.
Examples
The following example shows how to terminate a Telnet session with the ID "2". First, the who command is entered to display the list of active Telnet sessions. Then the kill 2 command is entered to terminate the Telnet session with the ID "2".
hostname# who2: From 10.10.54.0hostname# kill 2Related Commands
telnet
Configures Telnet access to the ASA.
who
Displays a list of active Telnet sessions.
