-
Cisco ASA Series Command Reference
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
-
C Commands
-
cache -- clear compression
-
clear configure -- clear configure http
-
clear configure flow-export-- clear configure zonelabs-integrity
-
clear conn -- clear isakmp sa
-
clear local-host -- clear xlate
-
client-access-rule -- crl-configure
-
crypto ca authenticate -- crypto ipsec ikev1 transform-set mode transport
-
crypto isakmp disconnect-notify -- cxsc auth-proxy port
-
-
D through F Commands
-
database path -- debug cxsc
-
debug dap -- debug http-map
-
debug icmp -- debug ospfv3
-
debug parser cache -- debug xml
-
default -- dhcp-server
-
dhcpd address -- distribute-list out
-
dns domain-lookup -- dynamic-filter whitelist
-
eigrp log-neighbor-changes -- export webvpn webcontent
-
failover -- fallback
-
file-bookmarks -- functions
-
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- shape
-
show aaa kerberos -- show asdm sessions
-
show asp cluster counter -- show asp table vpn-context
-
show blocks -- show cpu
-
show crashinfo -- show curpriv
-
show ddns update interface -- show environment
-
show failover -- show ipsec stats traffic
-
show ipv6 access-list -- show ipv6
-
show isakmp ipsec-over-tcp stats -- show ospf virtual-links
-
show nac-policy -- show ospf virtual-links
-
show pager -- show route
-
show running-config -- show running-config ctl-provider
-
show running-config ddns -- show running-config isakmp
-
show running-config ipv6 router -- show running-config router
-
show running-config same-security-traffic -- show running-config xlate
-
show scansafe -- show switch vlan
-
show tcpstat -- show traffic
-
show uauth -- show xlate
-
shun -- snmp-server user
-
software-version -- storage-objects
-
subject-name -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
mfib forwarding through mus server Commands
mfib forwarding through mus server Commands
mfib forwarding
To reenable MFIB forwarding on an interface, use the mfib forwarding command in interface configuration mode. To disable MFIB forwarding on an interface, use the no form of this command.
mfib forwarding
no mfib forwarding
Syntax Description
This command has no arguments or keywords.
Defaults
The multicast-routing command enables MFIB forwarding on all interfaces by default.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
When you enable multicast routing, MFIB forwarding is enabled on all interfaces by default. Use the no form of the command to disable MFIB forwarding on a specific interface. Only the no form of the command appears in the running configuration.
When MFIB forwarding is disabled on an interface, the interface does not accept any multicast packets unless specifically configured through other methods. IGMP packets are also prevented when MFIB forwarding is disabled.
Examples
The following example disables MFIB forwarding on the specified interface:
hostname(config)# interface GigabitEthernet 0/0hostname(config-if)# no mfib forwardingRelated Commands
migrate
To migrate a LAN-to-LAN (IKEv1) or remote access configuration (SSL or IKEv1) to IKEv2, use the migrate command from global configuration mode:
migrate {l2l | remote-access {ikev2 | ssl} | overwrite}
Syntax Description
Defaults
•
Command Modes
The following table shows the modes in which you enter the command:
global configuration
•
—
•
•
—
Command History
8.4(1)
This command was introduced.
9.0(1)
Support for multiple context mode was added.
Usage Guidelines
The migrate l2l command migrates all LAN-to-LAN IKEv1 configuration to IKEv2.
If you use the overwrite keyword, the ASA overwrites any existing IKEv2 configuration with migrated commands instead of merging them.
The migrate remote-access command migrates the IKEv1 or SSL settings to IKEv2, but you must still perform these configuration tasks:
•
•
•
•
•
•
•
•
•
Related Commands
crypto ikev2 enable
Enables IKEv2 negotiation on the interface on which the IPsec peers communicate.
show run crypto ikev2
Displays IKEv2 configuration information.
min-object-size
To set a minimum size for objects that the ASA can cache for WebVPN sessions, use the min-object-size command in cache mode. To change the size, use the command again. To set no minimum object size, enter a value of zero (0).
min-object-size integer range
Syntax Description
Defaults
The default size is 0 KB.
Command Modes
The following table shows the modes in which you enter the command:
Cache mode
•
—
•
—
—
Command History
Usage Guidelines
The minimum object size must be smaller than the maximum object size. The ASA calculates the size after compressing the object, if cache compression is enabled.
Examples
The following example shows how to set a maximum object size of 40 KB:
hostname(config)#webvpnhostname(config-webvpn)#cachehostname(config-webvpn-cache)# min-object-size 40hostname(config-webvpn-cache)#Related Commands
mkdir
To create a new directory, use the mkdir command in privileged EXEC mode.
mkdir [/noconfirm] [disk0: | disk1: | flash:]path
Syntax Description
Defaults
If you do not specify a path, the directory is created in the current working directory.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
If a directory with the same name already exists, then the new directory is not created.
Examples
The following example shows how to make a new directory called "backup":
hostname# mkdir backupRelated Commands
mobile-device portal
To change the clientless vpn access web portal from the mini-portal to the full-browser portal, for all mobile devices, use the mobile-device portal command from webvpn configuration mode. You will only need to make this configuration for smart phones running older operating systems such as Windows CE. You will not need to configure this option using modern smart phones as they use the full-browser portal by default.
mobile-device portal {full}
no mobile-device portal {full}
Syntax Description
mobile-device portal {full}
Changes the clientless vpn access portal from the mini-portal to the full-browser portal for all mobile devices.
Command Default
Before you run the command, the default behavior is that some mobile devices will get clientless vpn access through the mini-portal and some will use the full portal.
Command Modes
The following table shows the modes in which you can enter the command:
webvpn configuration
•
—
•
—
—
Command History
8.2(5)
We introduced this command simultaneouslyin 8.2(5) and 8.4(2).
8.4(2)
We introduced this command simultaneously in 8.2(5) and 8.4(2).
Usage Guidelines
Use this command only if you are recommended to do so by Cisco Technical Assistance Center (TAC).
Examples
Changes the clientless vpn access portal to a full-browser portal for all mobile devices.
hostname# config thostname(config)# webvpnhostname(config-webvpn)# mobile-device portal fullRelated Commands
mode
To set the security context mode to single or multiple, use the mode command in global configuration mode. You can partition a single ASA into multiple virtual devices, known as security contexts. Each context behaves like an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone appliances. In single mode, the ASA has a single configuration and behaves as a single device. In multiple mode, you can create multiple contexts, each with its own configuration. The number of contexts allowed depends on your license.
mode {single | multiple} [noconfirm]
Syntax Description
multiple
Sets multiple context mode.
noconfirm
(Optional) Sets the mode without prompting you for confirmation. This option is useful for automated scripts.
single
Sets the context mode to single.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
In multiple context mode, the ASA includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a stand-alone device (see the config-url command to identify the context configuration location). The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the ASA. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.
When you change the context mode using the mode command, you are prompted to reboot.
The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match using the mode command.
When you convert from single mode to multiple mode, the ASA converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved. The ASA automatically adds an entry for the admin context to the system configuration with the name "admin."
If you convert from multiple mode to single mode, you might want to first copy a full startup configuration (if available) to the ASA; the system configuration inherited from multiple mode is not a complete functioning configuration for a single mode device.
Not all features are supported in multiple context mode. See the CLI configuration guide for more information.
Examples
The following example sets the mode to multiple:
hostname(config)# mode multipleWARNING: This command will change the behavior of the deviceWARNING: This command will initiate a RebootProceed with change mode? [confirm] yConvert the system configuration? [confirm] yFlash Firewall mode: multiple****** --- SHUTDOWN NOW ---****** Message to all terminals:****** change modeRebooting....Booting system, please wait...The following example sets the mode to single:
hostname(config)# mode singleWARNING: This command will change the behavior of the deviceWARNING: This command will initiate a RebootProceed with change mode? [confirm] yFlash Firewall mode: single****** --- SHUTDOWN NOW ---****** Message to all terminals:****** change modeRebooting....Booting system, please wait...Related Commands
context
Configures a context in the system configuration and enters context configuration mode.
show mode
Shows the current context mode, either single or multiple.
monitor-interface
To enable health monitoring on a specific interface, use the monitor-interface command in global configuration mode. To disable interface monitoring, use the no form of this command.
monitor-interface if_name
no monitor-interface if_name
Syntax Description
Defaults
Monitoring of physical interfaces is enabled by default; monitoring of logical interfaces is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The number of interfaces that can be monitored for the ASA is platform dependent and can be determined by viewing the show failover command output.
Hello messages are exchanged during every interface poll frequency time period between the ASA failover pair. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds).
Monitored failover interfaces can have the following status:
•
•
•
•
•
•
In Active/Active failover, this command is only valid within a context.
Examples
The following example enables monitoring on an interface named "inside":
hostname(config)# monitor-interface insidehostname(config)#Related Commands
more
To display the contents of a file, use the more command in privileged EXEC mode.
more {/ascii | /binary| /ebcdic | disk0: | disk1: | flash: | ftp: | http: | https: | system: | tftp:}filename
Syntax Description
Defaults
ASCII mode
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The more filesystem: command prompts you to enter the alias of the local directory or file systems.
Note
Examples
The following example shows how to display the contents of a local file named "test.cfg":
hostname# more test.cfg: Saved: Written by enable_15 at 10:04:01 Apr 14 2005XXX Version X.X(X)nameif vlan300 outside security10enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptedhostname testfixup protocol ftp 21fixup protocol h323 H225 1720fixup protocol h323 ras 1718-1719fixup protocol ils 389fixup protocol rsh 514fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol sip 5060fixup protocol skinny 2000namesaccess-list deny-flow-max 4096access-list alert-interval 300access-list 100 extended permit icmp any anyaccess-list 100 extended permit ip any anypager lines 24icmp permit any outsidemtu outside 1500ip address outside 172.29.145.35 255.255.0.0no asdm history enablearp timeout 14400access-group 100 in interface outside!interface outside!route outside 0.0.0.0 0.0.0.0 172.29.145.1 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00timeout uauth 0:05:00 absoluteaaa-server TACACS+ protocol tacacs+aaa-server RADIUS protocol radiusaaa-server LOCAL protocol localsnmp-server host outside 128.107.128.179snmp-server location my_context, USAsnmp-server contact admin@example.comsnmp-server community publicno snmp-server enable trapsfloodguard enablefragment size 200 outsideno sysopt route dnattelnet timeout 5ssh timeout 5terminal width 511gdb enablemgcp command-queue 0Cryptochecksum:00000000000000000000000000000000: endRelated Commands
cd
Changes to the specified directory.
pwd
Displays the current working directory.
mount (CIFS)
To make a Common Internet File System (CIFS) accessible to the security appliance, use the mount command in global configuration mode. This command lets you enter mount cifs configuration mode. To un-mount the CIFS network file system, use the no form of this command.
mount name type cifs server server-name share share status enable | status disable [domain domain-name ] username username password password
[no] mount name type cifs server server-name share share status enable | status disable [domain domain-name ] username username password password
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Mount cifs configuration
•
•
•
—
•
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
The mount command uses the Installable File System (IFS) to mount the CIFS file system. IFS, a filesystem API, enables the security appliance to recognize and load drivers for file systems.
The mount command attaches the CIFS file system on the security appliance to the UNIX file tree. Conversely, the no mount command detaches it.
The mount-name specified in the mount command is used by other CLI commands to refer to the filesystem already mounted on the security appliance. For example, the database command, which sets up file storage for the Local Certificate Authority, needs the mount name of an existing mounted file system to save database files to non-flash storage.
The CIFS remote file-access protocol is compatible with the way applications share data on local disks and network file servers. Running over TCP/IP and using the Internet's global DNS, CIFS is an enhanced version of Microsoft's open, cross-platform Server Message Block (SMB) protocol, the native file-sharing protocol in the Windows operating systems.
Always exit from the root shell after using the mount command. The exit keyword in mount-cifs-config mode returns the user to global configuration mode.
In order to reconnect, remap your connections to storage.
Note
Examples
The following example mounts cifs://amer;chief:big-boy@myfiler02/my_share as the label, cifs_share:
hostname(config)#mount cifs_share type CIFShostname (config-mount-cifs)#server myfiler02aRelated Commands
mount (FTP)
To make a File Transfer Protocol (FTP) file system accessible to the security appliance, use the mount name type ftp command in global configuration mode to enter mount FTP configuration mode. The no mount name type ftp command is used to unmount the FTP network file system.
[no] mount name type ftp server server-name path pathname status enable | status disable mode active | mode passive username username password password
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Mount-ftp-configuration
•
•
•
—
•
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
The mount name type ftp command uses the Installable File System (IFS) to mount the specified network file system. IFS, a filesystem API, enables the security appliance to recognize and load drivers for file systems.
To confirm that the FTP file system actually is mounted, use the dir all-filesystems instruction
The mount-name specified in the mount command is used when other CLI commands refer to the filesystem already mounted on the security appliance. For example, the database command, which sets up file storage for the local certificate authority, needs the mount name of a mounted file system to save database files to non-flash storage.
Note
Note
Examples
This example mounts ftp://amor;chief:big-kid@myfiler02 as the label, my ftp:
hostname(config)#mount myftp type ftp server myfiler02a path status enable username chief password big-kidRelated Commands
debug webvpn
Logs WebVPN debugging messages.
ftp mode passive
Controls interaction between the FTP client on the security appliance and the FTP server.
mroute
To configure a static multicast route, use the mroute command in global configuration mode. To remove a static multicast route, use the no form of this command.
mroute src smask {in_if_name [dense output_if_name] | rpf_addr} [distance]
no mroute src smask {in_if_name [dense output_if_name] | rpf_addr} [distance]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command lets you statically configure where multicast sources are located. The ASA expects to receive multicast packets on the same interface as it would use to send unicast packets to a specific source. In some cases, such as bypassing a route that does not support multicast routing, multicast packets may take a different path than the unicast packets.
Static multicast routes are not advertised or redistributed.
Use the show mroute command displays the contents of the multicast route table. Use the show running-config mroute command to display the mroute commands in the running configuration.
Examples
The following example shows how configure a static multicast route using the mroute command:
hostname(config)# mroute 172.16.0.0 255.255.0.0 insideRelated Commands
mschapv2-capable
To enable MS-CHAPv2 authentication requests to the RADIUS server, use the mschapv2-capable command in aaa-server host configuration mode. To disable MS-CHAPv2, use the no form of this command.
mschapv2-capable
no mschapv2-capable
Syntax Description
This command has no arguments or keywords.
Defaults
MS-CHAPv2 is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable MS-CHAPv2 as the protocol used between the ASA and the RADIUS server for a VPN connection, password management must be enabled in the tunnel-group general-attributes. Enabling password management generates an MS-CHAPv2 authentication request from the ASA to the RADIUS server. See the description of the password-management command for details.
If you use double authentication and enable password management in the tunnel group, then the primary and secondary authentication requests include MS-CHAPv2 request attributes. If a RADIUS server does not support MS-CHAPv2, then you can configure that server to send a non-MS-CHAPv2 authentication request by using the no mschapv2-capable command.
Examples
The following example disables MS-CHAPv2 for the RADIUS server authsrv1.cisco.com:
hostname(config)# aaa-server rsaradius protocol radiushostname(config-aaa-server-group)# aaa-server rsaradius (management) host authsrv1.cisco.comhostname(config-aaa-server-host)# key secretpasswordhostname(config-aaa-server-host)# authentication-port 21812hostname(config-aaa-server-host)# accounting-port 21813hostname(config-aaa-server-host)# no mschapv2-capableRelated Commands
msie-proxy except-list
To configure browser proxy exception list settings for a local bypass on the client device, enter the msie-proxy except-list command in group-policy configuration mode. To remove the attribute from the configuration, use the no form of the command.
msie-proxy except-list {value server[:port] | none}
no msie-proxy except-list
Syntax Description
Defaults
By default, msie-proxy except-list is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
The line containing the proxy server IP address or hostname and the port number must be less than 100 characters long.
Note
Refer to the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.1 for further information about proxy settings.
Examples
The following example shows how to set a Microsoft Internet Explorer proxy exception list, consisting of the server at IP address 192.168.20.1, using port 880, for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy except-list value 192.168.20.1:880hostname(config-group-policy)#Related Commands
show running-configuration group-policy
Shows the value of the configured group-policy attributes.
clear configure group-policy
Removes all configured group-policy attributes.
msie-proxy local-bypass
To configure browser proxy local-bypass settings for a client device, enter the msie-proxy local-bypass command in group-policy configuration mode. To remove the attribute from the configuration, use the no form of the command.
msie-proxy local-bypass {enable | disable}
no msie-proxy local-bypass {enable | disable}
Syntax Description
disable
Disables browser proxy local-bypass settings for a client device.
enable
Enables browser proxy local-bypass settings for a client device.
Defaults
By default, msie-proxy local-bypass is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
Refer to the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.1 for further information about proxy settings.
Note
Examples
The following example shows how to enable Microsoft Internet Explorer proxy local-bypass for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy local-bypass enablehostname(config-group-policy)#
Related Commands
show running-configuration group-policy
Shows the value of the configured group-policy attributes.
clear configure group-policy
Removes all configured group-policy attributes.
msie-proxy lockdown
Enabling this feature hides the Connections tab in the browser for the duration of an AnyConnect VPN session. Disabling the feature leaves the display of the Connections tab unchanged
To hide the Connections tab for the duration of an AnyConnect VPN session or to leave it unchanged, use the msie-proxy lockdown command in group-policy configuration mode.
msie-proxy lockdown [enable | disable]
Syntax Description
disable
Leaves the Connections tab in browser unchanged.
enable
Hides the Connections tab in browser for the duration of an AnyConnect VPN session.
Defaults
The default value of this command in the default group policy is enable. Each group policy inherits its default values from the default group policy.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
•
•
—
—
Command History
Usage Guidelines
This command makes a temporary change to the user registry for the duration of the AnyConnect VPN session. When AnyConnect closes the VPN session, it returns the registry to the state it was in before the session.
You might enable this feature to prevent users from specifying a proxy service and changing LAN settings. Preventing user access to these settings enhances endpoint security during the AnyConnect session.
Note
Refer to the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.1 for further information about proxy settings.
Examples
The following example hides the Connections tab for the duration of the AnyConnect session:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy lockdown enableThe following example leaves the Connections tab unchanged:
hostname(config-group-policy)# msie-proxy lockdown disableRelated Commands
msie-proxy method
To configure the browser proxy actions ("methods") for a client device, enter the msie-proxy method command in group-policy configuration mode. To remove the attribute from the configuration, use the no form of the command.
msie-proxy method [auto-detect | no-modify | no-proxy | use-server | use-pac-url]
no msie-proxy method [auto-detect | no-modify | no-proxy | use-server | use-pac-url]
Note
Syntax Description
Defaults
The default method is use-server.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
The line containing the proxy server IP address or hostname and the port number can contain up to 100 characters.
This command supports the following combinations of options:
•
•
•
You can use a text editor to create a proxy auto-configuration (.pac) file for your browser. A .pac file is a JavaScript file that contains logic that specifies one or more proxy servers to be used, depending on the contents of the URL. The .pac file resides on a web server. When you specify use-pac-url, the browser uses the .pac file to determine the proxy settings. Use the msie-proxy pac-url command to specify the URL from which to retrieve the .pac file.
Note
Refer to the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.1 for further information about proxy settings.
Examples
The following example shows how to configure auto-detect as the Microsoft Internet Explorer proxy setting for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy method auto-detecthostname(config-group-policy)#The following example configures the Microsoft Internet Explorer proxy setting for the group policy named FirstGroup to use the server QAserver, port 1001 as the server for the client PC:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy server QAserver:port 1001hostname(config-group-policy)# msie-proxy method use-serverhostname(config-group-policy)#Related Commands
msie-proxy pac-url
To tell a browser where to look for proxy information, enter the msie-proxy pac-url command in group-policy configuration mode. To remove the attribute from the configuration, use the no form of the command.
msie-proxy pac-url {none | value url}
no msie-proxy pac-url
Syntax Description
none
Specifies that there is no URL value.
value url
Specifies the URL of the website at which the browser can get the proxy auto-configuration file that defines the proxy server or servers to use.
Defaults
The default value is none.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
Requirements
To use the proxy auto-configuration feature, the remote user must use the Cisco AnyConnect VPN Client. To enable the use of the proxy auto-configuration URL, you must also configure the msie-proxy method command with the use-pac-url option.
Why Use This Command
Many network environments define HTTP proxies that connect a web browser to a particular network resource. The HTTP traffic can reach the network resource only if the proxy is specified in the browser and the client routes the HTTP traffic to the proxy. SSLVPN tunnels complicate the definition of HTTP proxies because the proxy required when tunneled to an enterprise network can differ from that required when connected to the Internet via a broadband connection or when on a third-party network.
In addition, companies with large networks might need to configure more than one proxy server and let users choose between them, based on transient conditions. By using .pac files, an administrator can author a single script file that determines which of numerous proxies to use for all client computers throughout the enterprise.
The following are some examples of how you might use a PAC file:
•
•
•
•
How to Use the Proxy Auto-Configuration Feature
You can use a text editor to create a proxy auto-configuration (.pac) file for your browser. A .pac file is a JavaScript file that contains logic that specifies one or more proxy servers to be used, depending on the contents of the URL. Use the msie-proxy pac-url command to specify the URL from which to retrieve the .pac file. Then, when you specify use-pac-url in the msie-proxy method command, the browser uses the .pac file to determine the proxy settings.
Note
Refer to the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.1 for further information about proxy settings.
Examples
The following example shows how to configure a browser to get its proxy setting from the URL www.example.com for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy pac-url value http://www.example.comhostname(config-group-policy)#The following example disables the proxy auto-configuration feature for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy pac-url nonehostname(config-group-policy)#Related Commands
msie-proxy server
To configure a browser proxy server and port for a client device, enter the msie-proxy server command in group-policy configuration mode. To remove the attribute from the configuration, use the no form of the command.
msie-proxy server {value server[:port] | none}
no msie-proxy server
Syntax Description
Defaults
By default, no msie-proxy server is specified.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
The line containing the proxy server IP address or hostname and the port number must be less than 100 characters long.
Note
Refer to the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.1 for further information about proxy settings.
Examples
The following example shows how to configure the IP address 192.168.10.1 as a Microsoft Internet Explorer proxy server, using port 880, for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy server value 192.168.21.1:880hostname(config-group-policy)#Related Commands
show running-configuration group-policy
Shows the value of the configured group-policy attributes.
clear configure group-policy
Removes all configured group-policy attributes.
mtu
To specify the maximum transmission unit for an interface, use the mtu command in global configuration mode. To reset the MTU block size to 1500 for Ethernet interfaces, use the no form of this command. This command supports IPv4 and IPv6 traffic.
mtu interface_name bytes
no mtu interface_name bytes
Syntax Description
bytes
Number of bytes in the MTU; valid values are from 64 to 65,535 bytes.
interface_name
Internal or external network interface name.
Defaults
The default bytes is 1500 for Ethernet interfaces.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Usage Guidelines
The mtu command lets you to set the data size that is sent on a connection. Data that is larger than the MTU value is fragmented before being sent.
The ASA supports IP path MTU discovery (as defined in RFC 1191), which allows a host to dynamically discover and cope with the differences in the maximum allowable MTU size of the various links along the path. Sometimes, the ASA cannot forward a datagram because the packet is larger than the MTU that you set for the interface, but the "don't fragment" (DF) bit is set. The network software sends a message to the sending host, alerting it to the problem. The host has to fragment packets for the destination so that they fit the smallest packet size of all the links along the path.
The default MTU is 1500 bytes in a block for Ethernet interfaces (which is also the maximum). This value is sufficient for most applications, but you can pick a lower number if network conditions require it.
When using the Layer 2 Tunneling Protocol (L2TP), we recommend that you set the MTU size to 1380 to account for the L2TP header and IPsec header length.
The minimum MTU allowed on an IPv6 enabled interface is 1280 bytes; however, if IPsec is enabled on the interface, the MTU value should not be set below 1380 because of the overhead of IPsec encryption. Setting the interface below 1380 bytes may result in dropped packets.
Examples
This example shows how to specify the MTU for an interface:
hostname(config)# show running-config mtumtu outside 1500mtu inside 1500hostname(config)# mtu inside 8192hostname(config)# show running-config mtumtu outside 1500mtu inside 8192Related Commands
clear configure mtu
Clears the configured maximum transmission unit values on all interfaces.
show running-config mtu
Displays the current maximum transmission unit block size.
mtu cluster
To set the maximum transmission unit of the cluster control link, use the mtu cluster command in global configuration mode. To restore the default setting, use the no form of this command.
mtu cluster bytes
no mtu cluster [bytes]
Syntax Description
bytes
Specifies the maximum transmission unit for the cluster control link interface, between 64 and 65,535 bytes. The default MTU is 1500 bytes.
Command Default
The default MTU is 1500 bytes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
We suggest setting the MTU to 1600 bytes or greater, which requires you to enable jumbo frame reservation using the jumbo-frame reservation command.
This command is a global configuration command, but is also part of the bootstrap configuration, which is not replicated between units.
Examples
The following example sets the cluster control link MTU to 9000 bytes:
hostname(config)# mtu cluster 9000
Related Commands
cluster-interface
Identifies the cluster control link interface.
jumbo frame-reservation
Enables use of jumbo Ethernet frames.
multicast boundary
To configure a multicast boundary for administratively-scoped multicast addresses, use the multicast boundary command in interface configuration mode. To remove the boundary, use the no form of this command. A multicast boundary restricts multicast data packet flows and enables reuse of the same multicast group address in different administrative domains.
multicast boundary acl [filter-autorp]
no multicast boundary acl [filter-autorp]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
Use this command to configure an administratively scoped boundary on an interface to filter multicast group addresses in the range defined by the acl argument. A standard access list defines the range of addresses affected. When this command is configured, no multicast data packets are allowed to flow across the boundary in either direction. Restricting multicast data packet flow enables reuse of the same multicast group address in different administrative domains.
If you configure the filter-autorp keyword, the administratively scoped boundary also examines Auto-RP discovery and announcement messages and removes any Auto-RP group range announcements from the Auto-RP packets that are denied by the boundary ACL. An Auto-RP group range announcement is permitted and passed by the boundary only if all addresses in the Auto-RP group range are permitted by the boundary ACL. If any address is not permitted, the entire group range is filtered and removed from the Auto-RP message before the Auto-RP message is forwarded.
Examples
The following example sets up a boundary for all administratively scoped addresses and filters the Auto-RP messages:
hostname(config)# access-list boundary_test deny 239.0.0.0 0.255.255.255hostname(config)# access-list boundary_test permit 224.0.0.0 15.255.255.255hostname(config)# interface GigabitEthernet0/3hostname(config-if)# multicast boundary boundary_test filter-autorpRelated Commands
multicast-routing
To enable IP multicast routing on the ASA, use the multicast routing command in global configuration mode. To disable IP multicast routing, use the no form of this command.
multicast-routing
no multicast-routing
Syntax Description
This command has no arguments or keywords.
Defaults
The multicast-routing command enables PIM and IGMP on all interfaces by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The multicast-routing command enables PIM and IGMP on all interfaces.
Note
If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as the RP address.
The number of entries in the multicast routing tables are limited by the amount of RAM on the system. Table 35-1 lists the maximum number of entries for specific multicast tables based on the amount of RAM on the security appliance. Once these limits are reached, any new entries are discarded.
Table 35-1 Entry Limits for Multicast Tables
1000
3000
5000
1000
3000
5000
3000
7000
12000
Examples
The following example enables IP multicast routing on the ASA:
hostname(config)# multicast-routingRelated Commands
mus
To specify the IP range and interface on which the ASA identifies the WSA, use the mus command in global configuration mode. To turn the service off, use the no form of this command. This command supports IPv4 and IPv6 traffic. Only WSAs found on the specified subnet and interface are registered.
mus IPv4 address IPv4 mask interface_name
no mus IPv4 address IPv4 mask interface_name
Note
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The following commands are possible:
•
•
•
•
Examples
The following example allows WSA servers on the 1.2.3.x subnet to access secure mobility solutions on the inside interface:
hostname(config)# mus 1.2.3.0 255.255.255.0 insideRelated Commands
mus host
To specify the MUS hostname on the ASA, enter the mus host command in global configuration mode. This is the telemetry URL sent from the ASA to the AnyConnect Client. The AnyConnect clients use this URL to contact the WSA in the private network for MUS-related services. To remove any commands entered with this command, use the no mus host command.
mus host host name
no mus host
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
You can enable AnyConnect Secure Mobility for a given port. The WSA port values are 1 through 21000. If a port is not specified in the command, port 11999 is used.
You must configure AnyConnect Secure Mobility shared secret before executing this command.
Note
Examples
The following example shows how to enter the AnyConnect Secure Mobility host and WebVPN command submode:
hostname(config)# webvpnhostname(config-webvpn)# mus 0.0.0.0 0.0.0.0 insidehostname(config-webvpn)# mus password abcdefgh123hostname(config-webvpn)# mus server enable 960 # non-default porthostname(config-webvpn)# mus host mus.cisco.comRelated Commands
mus password
To set up shared secred for AnyConnect Secure Mobility communications, enter the mus password command in global configuration mode. To remove the shared secred, use the no mus password command.
mus password
no mus password
Note
Syntax Description
This command has no arguments or keywords.
Defaults
.The valid password is defined by the regular expression [0-9, a-z, A-Z,:;_/-]{8,20}. The overall length of the shared secret password is a minimum of 8 characters and maximum of 20 characters.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This WebVPN submode lets you configure global settings for WebVPN. You can set up the shared secret for AnyConnect Secure Mobility communications.
Examples
The following example shows how to enter an AnyConnect Secure Mobility password and WebVPN command submode:
hostname(config)#mus password <password_string>hostname(config-webvpn)#Related Commands
mus server
To specify the port on which the ASA listens for WSA communication, enter the mus server command in global configuration mode. To remove any commands entered with this command, use the no mus server command.
mus server enable
no mus server enable
Note
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
You must specify a port the AnyConnect Secure Mobility service uses. The communication between the ASA and the WSA is by a secure SSL connection on a port specified by the administrator with values of 1 through 21000.
You must configure AnyConnect Secure Mobility shared secret before executing this command.
Examples
The following example shows how to enter the AnyConnect Secure Mobility password and WebVPN command submode:
hostname(config-webvpn)#mus server enable?webvpn mode commands/optionsport Configure WSA porthostname(config-webvpn)# mus server enable port 12000Related Commands
