-
Cisco ASA Series Command Reference
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
-
C Commands
-
cache -- clear compression
-
clear configure -- clear configure http
-
clear configure flow-export-- clear configure zonelabs-integrity
-
clear conn -- clear isakmp sa
-
clear local-host -- clear xlate
-
client-access-rule -- crl-configure
-
crypto ca authenticate -- crypto ipsec ikev1 transform-set mode transport
-
crypto isakmp disconnect-notify -- cxsc auth-proxy port
-
-
D through F Commands
-
database path -- debug cxsc
-
debug dap -- debug http-map
-
debug icmp -- debug ospfv3
-
debug parser cache -- debug xml
-
default -- dhcp-server
-
dhcpd address -- distribute-list out
-
dns domain-lookup -- dynamic-filter whitelist
-
eigrp log-neighbor-changes -- export webvpn webcontent
-
failover -- fallback
-
file-bookmarks -- functions
-
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- shape
-
show aaa kerberos -- show asdm sessions
-
show asp cluster counter -- show asp table vpn-context
-
show blocks -- show cpu
-
show crashinfo -- show curpriv
-
show ddns update interface -- show environment
-
show failover -- show ipsec stats traffic
-
show ipv6 access-list -- show ipv6
-
show isakmp ipsec-over-tcp stats -- show ospf virtual-links
-
show nac-policy -- show ospf virtual-links
-
show pager -- show route
-
show running-config -- show running-config ctl-provider
-
show running-config ddns -- show running-config isakmp
-
show running-config ipv6 router -- show running-config router
-
show running-config same-security-traffic -- show running-config xlate
-
show scansafe -- show switch vlan
-
show tcpstat -- show traffic
-
show uauth -- show xlate
-
shun -- snmp-server user
-
software-version -- storage-objects
-
subject-name -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
police through pppoe client secondary Commands
police through pppoe client secondary Commands
police
To apply QoS policing to a class map, use the police command in class configuration mode. To remove the rate-limiting requirement, use the no form of this command. Policing is a way of ensuring that no traffic exceeds the maximum rate (in bits/second) that you configure, thus ensuring that no one traffic flow can take over the entire resource. When traffic exceeds the maximum rate, the ASA drops the excess traffic. Policing also sets the largest single burst of traffic allowed.
police {output | input} conform-rate [conform-burst] [conform-action [drop | transmit] [exceed-action [drop | transmit]]]
no police
Syntax Description
Defaults
No default behavior or variables.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
7.2(1)
Added the input option. Policing traffic in the inbound direction is now supported.
Usage Guidelines
To enable policing, use the Modular Policy Framework:
1.
2.
a.
b.
3.
Note
Note
You can configure each of the QoS features alone if desired for the ASA. Often, though, you configure multiple QoS features on the ASA so you can prioritize some traffic, for example, and prevent other traffic from causing bandwidth problems.
See the following supported feature combinations per interface:
•
You cannot configure priority queueing and policing for the same set of traffic.
•
Typically, if you enable traffic shaping, you do not also enable policing for the same traffic, although the ASA does not restrict you from configuring this.
See the following guidelines:
•
•
•
•
•
Examples
The following is an example of a police command for the output direction that sets the conform rate to 100,000 bits per second, a burst value of 20,000 bytes, and specifies that traffic that exceeds the burst rate will be dropped:
hostname(config)# policy-map localpolicy1hostname(config-pmap)# class-map firstclasshostname(config-cmap)# class localclasshostname(config-pmap-c)# police output 100000 20000 exceed-action drophostname(config-cmap-c)# class class-defaulthostname(config-pmap-c)#The following example shows how to do rate-limiting on traffic destined to an internal web server:
hostname# access-list http_traffic permit tcp any 10.1.1.0 255.255.255.0 eq 80hostname# class-map http_traffichostname(config-cmap)# match access-list http_traffichostname(config-cmap)# policy-map outside_policyhostname(config-pmap)# class http_traffichostname(config-pmap-c)# police input 56000hostname(config-pmap-c)# service-policy outside_policy interface outsidehostname(config)#Related Commands
policy
To specify the source for retrieving the CRL, use the policy command in ca-crl configuration mode.
policy {static | cdp | both}
Syntax Description
Defaults
The default setting is cdp.
Command Modes
The following table shows the modes in which you can enter the
crl configuration
•
—
•
—
—
command:
Command History
Examples
The following example enters ca-crl configuration mode, and configures CRL retrieval to occur using the CRL distribution point extension in the certificate being checked or if that fails, to use static CDPs:
hostname(configure)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# policy bothRelated Commands
crl configure
Enters ca-crl configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
url
Creates and maintains a list of static URLs for retrieving CRLs.
policy-map
When using the Modular Policy Framework, assign actions to traffic that you identified with a Layer 3/4 class map (the class-map or class-map type management command) by using the policy-map command (without the type keyword) in global configuration mode. To remove a Layer 3/4 policy map, use the no form of this command.
policy-map name
no policy-map name
Syntax Description
name
Specifies the name for this policy map up to 40 characters in length. All types of policy maps use the same name space, so you cannot reuse a name already used by another type of policy map.
Defaults
By default, the configuration includes a policy that matches all default application inspection traffic and applies certain inspections to the traffic on all interfaces (a global policy). Not all inspections are enabled by default. You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. (An interface policy overrides the global policy for a particular feature.)
The default policy includes the following application inspections:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
The default policy configuration includes the following commands:
class-map inspection_defaultmatch default-inspection-trafficpolicy-map type inspect dns preset_dns_mapparametersmessage-length maximum client automessage-length maximum 512dns-guardprotocol-enforcementnat-rewritepolicy-map global_policyclass inspection_defaultinspect dns preset_dns_mapinspect ftpinspect h323 h225 _default_h323_mapinspect h323 ras _default_h323_mapinspect ip-options _default_ip_options_mapinspect netbiosinspect rshinspect rtspinspect skinnyinspect esmtp _default_esmtp_mapinspect sqlnetinspect sunrpcinspect tftpinspect sipinspect xdmcpCommand Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Configuring Modular Policy Framework consists of four tasks:
1.
2.
3.
4.
The maximum number of policy maps is 64, but you can only apply one policy map per interface. You can apply the same policy map to multiple interfaces. You can identify multiple Layer 3/4 class maps in a Layer 3/4 policy map (see the class command), and you can assign multiple actions from one or more feature types to each class map.
Examples
The following is an example of a policy-map command for connection policy. It limits the number of connections allowed to the web server 10.1.1.1:
hostname(config)# access-list http-server permit tcp any host 10.1.1.1hostname(config)# class-map http-serverhostname(config-cmap)# match access-list http-serverhostname(config)# policy-map global-policyhostname(config-pmap)# description This policy map defines a policy concerning connection to http server.hostname(config-pmap)# class http-serverhostname(config-pmap-c)# set connection conn-max 256The following example shows how multi-match works in a policy map:
hostname(config)# class-map inspection_defaulthostname(config-cmap)# match default-inspection-traffichostname(config)# class-map http_traffichostname(config-cmap)# match port tcp eq 80hostname(config)# policy-map outside_policyhostname(config-pmap)# class inspection_defaulthostname(config-pmap-c)# inspect http http_maphostname(config-pmap-c)# inspect siphostname(config-pmap)# class http_traffichostname(config-pmap-c)# set connection timeout tcp 0:10:0The following example shows how traffic matches the first available class map, and will not match any subsequent class maps that specify actions in the same feature domain:
hostname(config)# class-map telnet_traffichostname(config-cmap)# match port tcp eq 23hostname(config)# class-map ftp_traffichostname(config-cmap)# match port tcp eq 21hostname(config)# class-map tcp_traffichostname(config-cmap)# match port tcp range 1 65535hostname(config)# class-map udp_traffichostname(config-cmap)# match port udp range 0 65535hostname(config)# policy-map global_policyhostname(config-pmap)# class telnet_traffichostname(config-pmap-c)# set connection timeout tcp 0:0:0hostname(config-pmap-c)# set connection conn-max 100hostname(config-pmap)# class ftp_traffichostname(config-pmap-c)# set connection timeout tcp 0:5:0hostname(config-pmap-c)# set connection conn-max 50hostname(config-pmap)# class tcp_traffichostname(config-pmap-c)# set connection timeout tcp 2:0:0hostname(config-pmap-c)# set connection conn-max 2000When a Telnet connection is initiated, it matches class telnet_traffic. Similarly, if an FTP connection is initiated, it matches class ftp_traffic. For any TCP connection other than Telnet and FTP, it will match class tcp_traffic. Even though a Telnet or FTP connection can match class tcp_traffic, the ASA does not make this match because they previously matched other classes.
NetFlow events are configured through Modular Policy Framework. If Modular Policy Framework is not configured for NetFlow, no events are logged. Traffic is matched based on the order in which classes are configured. After a match is detected, no other classes are checked. For NetFlow events, the configuration requirements are as follows:
•
•
•
•
•
•
•
The following example exports all NetFlow events between hosts 10.1.1.1 and 20.1.1.1 to destination 15.1.1.1.
hostname(config)# access-list flow_export_acl permit ip host 10.1.1.1 host 20.1.1.1hostname(config)# class-map flow_export_classhostname(config-cmap)# match access-list flow_export_aclhostname(config)# policy-map global_policyhostname(config-pmap)# class flow_export_classhostname(config-pmap-c)# flow-export event-type all destination 15.1.1.1Related Commands
policy-map type inspect
When using the Modular Policy Framework, define special actions for inspection application traffic by using the policy-map type inspect command in global configuration mode. To remove an inspection policy map, use the no form of this command.
policy-map type inspect application policy_map_name
no policy-map [type inspect application] policy_map_name
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.2(1)
This command was introduced.
8.2(1)
Added the ipv6 keyword to support IPv6 inspection.
9.0(1)
Added the scansafe keyword to support Cloud Web Security.
Usage Guidelines
Modular Policy Framework lets you configure special actions for many application inspections. When you enable an inspection engine using the inspect command in the Layer 3/4 policy map (the policy-map command), you can also optionally enable actions as defined in an inspection policy map created by the policy-map type inspect command. For example, enter the inspect http http_policy_map command where http_policy_map is the name of the inspection policy map.
An inspection policy map consists of one or more of the following commands entered in policy-map configuration mode. The exact commands available for an inspection policy map depends on the application.
•
•
•
You can specify multiple class or match commands in the policy map.
Some match commands can specify regular expressions to match text inside a packet. See the regex command and the class-map type regex command, which groups multiple regular expressions.
The default inspection policy map configuration includes the following commands:
policy-map type inspect dns preset_dns_mapparametersmessage-length maximum client automessage-length maximum 512dns-guardprotocol-enforcementnat-rewriteIf a packet matches multiple different match or class commands, then the order in which the ASA applies the actions is determined by internal ASA rules, and not by the order they are added to the policy map. The internal rules are determined by the application type and the logical progression of parsing a packet, and are not user-configurable. For example for HTTP traffic, parsing a Request Method field precedes parsing the Header Host Length field; an action for the Request Method field occurs before the action for the Header Host Length field. For example, the following match commands can be entered in any order, but the match request method get command is matched first.
hostname(config-pmap)# match request header host length gt 100hostname(config-pmap-c)# resethostname(config-pmap-c)# match request method gethostname(config-pmap-c)# logIf an action drops a packet, then no further actions are performed. For example, if the first action is to reset the connection, then it will never match any further match commands. If the first action is to log the packet, then a second action, such as resetting the connection, can occur. (You can configure both the reset (or drop-connection, and so on.) and the log action for the same match command, in which case the packet is logged before it is reset for a given match.)
If a packet matches multiple match or class commands that are the same, then they are matched in the order they appear in the policy map. For example, for a packet with the header length of 1001, it will match the first command below, and be logged, and then will match the second command and be reset. If you reverse the order of the two match commands, then the packet will be dropped and the connection reset before it can match the second match command; it will never be logged.
hostname(config-pmap)# match request header length gt 100hostname(config-pmap-c)# loghostname(config-pmap-c)# match request header length gt 1000hostname(config-pmap-c)# resetA class map is determined to be the same type as another class map or match command based on the lowest priority match command in the class map (the priority is based on the internal rules). If a class map has the same type of lowest priority match command as another class map, then the class maps are matched according to the order they are added to the policy map. If the lowest priority command for each class map is different, then the class map with the higher priority match command is matched first.
See the following guidelines when modifying an inspection policy-map:
•
hostname(config)# policy-map testhostname(config-pmap)# class httpOhostname(config-pmap-c)# no inspect http http-maphostname(config-pmap-c)# inspect http http-map•
hostname(config)# policy-map testhostname(config-pmap)# class siphostname(config-pmap-c)# no inspect sip sip-map1hostname(config-pmap-c)# inspect sip sip-map2Examples
The following is an example of an HTTP inspection policy map and the related class maps. This policy map is activated by the Layer 3/4 policy map, which is enabled by the service policy.
hostname(config)# regex url_example example\.comhostname(config)# regex url_example2 example2\.comhostname(config)# class-map type regex match-any URLshostname(config-cmap)# match regex examplehostname(config-cmap)# match regex example2hostname(config-cmap)# class-map type inspect http match-all http-traffichostname(config-cmap)# match req-resp content-type mismatchhostname(config-cmap)# match request body length gt 1000hostname(config-cmap)# match not request uri regex class URLshostname(config-cmap)# policy-map type inspect http http-map1hostname(config-pmap)# class http-traffichostname(config-pmap-c)# drop-connection loghostname(config-pmap-c)# match req-resp content-type mismatchhostname(config-pmap-c)# reset loghostname(config-pmap-c)# parametershostname(config-pmap-p)# protocol-violation action loghostname(config-pmap-p)# policy-map testhostname(config-pmap)# class test (a Layer 3/4 class map not shown)hostname(config-pmap-c)# inspect http http-map1hostname(config-pmap-c)# service-policy inbound_policy interface outsideRelated Commands
policy-server-secret
To configure a secret key used to encrypt authentication requests to a SiteMinder SSO server, use the policy-server-secret command in webvpn-sso-siteminder configuration mode. To remove a secret key, use the no form of this command.
policy-server-secret secret-key
no policy-server-secret
Note
Syntax Description
Syntax DescriptionSyntax Description
secret-key
The character string used as a secret key to encrypt authentication communications. There is no minimum or maximum number of characters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Config-webvpn-sso-siteminder configuration
•
—
•
—
—
Command History
Usage Guidelines
Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. You first create the SSO server using the sso-server command. For SiteMinder SSO servers, the policy-server-secret command secures authentication communications between the ASA and the SSO server.
The command argument, secret-key, is similar to a password: you create it, save it, and configure it. It is configured on both the ASA using the policy-server-secret command and on the SiteMinder Policy Server using the Cisco Java plug-in authentication scheme.
This command applies only to the SiteMinder type of SSO server.
Examples
The following command, entered in config-webvpn-sso-siteminder mode and including a random character string as an argument, creates a secret key for SiteMinder SSO server authentication communications:
hostname(config-webvpn)# sso-server my-sso-server type siteminderhostname(config-webvpn-sso-siteminder)# policy-server-secret @#ET&hostname(config-webvpn-sso-siteminder)#Related Commands
polltime interface
To specify the data interface poll and hold times in an Active/Active failover configuration, use the polltime interface command in failover group configuration mode. To restore the default value, use the no form of this command.
polltime interface [msec] time [holdtime time]
no polltime interface [msec] time [holdtime time]
Syntax Description
Defaults
The poll time is 5 seconds.
The holdtime time is 5 times the poll time.
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
7.0(1)
This command was introduced.
7.2(1)
The command was changed to include the optional holdtime time value and the ability to specify the poll time in milliseconds.
Usage Guidelines
Use the polltime interface command to change the frequency that hello packets are sent out on interfaces associated with the specified failover group. This command is available for Active/Active failover only. Use the failover polltime interface command in Active/Standby failover configurations.
You cannot enter a holdtime value that is less than 5 times the poll time. With a faster poll time, the ASA can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested. Interface testing begins when a hello packet is not heard on the interface for over half the hold time.
You can include both failover polltime unit and failover polltime interface commands in the configuration.
Note
Examples
The following partial example shows a possible configuration for a failover group. The interface poll time is set to 500 milliseconds and the hold time to 5 seconds for data interfaces in failover group 1.
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# polltime interface msec 500 holdtime 5hostname(config-fover-group)# exithostname(config)#Related Commands
pop3s
To enter POP3S configuration mode, use the pop3s command in global configuration mode. To remove any commands entered in POP3S command mode, use the no version of this command.
POP3 is a client/server protocol in which your Internet server receives and holds e-mail for you. Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any mail. This standard protocol is built into most popular e-mail products. POP3S lets you receive e-mail over an SSL connection.
pop3s
no pop3
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Examples
The following example shows how to enter POP3S configuration mode:
hostname(config)#pop3shostname(config-pop3s)#Related Commands
clear configure pop3s
Removes the POP3S configuration.
show running-config pop3s
Displays the running configuration for POP3S.
port
To specify the port an e-mail proxy listens to, use the port command in the applicable e-mail proxy command mode. To revert to the default value, use the no version of this command.
port {portnum}
no port
Syntax Description
portnum
The port for the e-mail proxy to use. To avoid conflicts with local TCP services, use port numbers in the range 1024 to 65535.
Defaults
The default ports for e-mail proxies are as follows:
Command Modes
The following table shows the modes in which you can enter the command:
Pop3s
•
—
•
—
—
Imap4s
•
—
•
—
—
Smtps
•
—
•
—
—
Command History
Usage Guidelines
To avoid conflicts with local TCP services, use port numbers in the range 1024 to 65535.
Examples
The following example shows how to set port 1066 for the IMAP4S e-mail proxy:
hostname(config)#imap4shostname(config-imap4s)# port 1066port-channel load-balance
For EtherChannels, to specify the load-balancing algorithm, use the port-channel load-balance command in interface configuration mode. To set the value to the default, use the no form of this command.
port-channel load-balance {dst-ip | dst-ip-port | dst-mac | dst-port | src-dst-ip | src-dst-ip-port | src-dst-mac | src-dst-port | src-ip | src-ip-port | src-mac | src-port | vlan-dst-ip | vlan-dst-ip-port | vlan-only | vlan-src-dst-ip | vlan-src-dst-ip-port | vlan-src-ip | vlan-src-ip-port}
no port-channel load-balance
Syntax Description
Command Default
The default is src-dst-ip.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
•
Command History
Usage Guidelines
By default, the ASA balances the packet load on interfaces according to the source and destination IP address (src-dst-ip) of the packet. If you want to change the properties on which the packet is categorized, use this command. For example, if your traffic is biased heavily towards the same source and destination IP addresses, then the traffic assignment to interfaces in the EtherChannel will be unbalanced. Changing to a different algorithm can result in more evenly distributed traffic.
The ASA distributes packets to the interfaces in the EtherChannel by hashing the load-balancing criteria. The hash result is a 3-bit value (0 to 7).
The eight hash result values are distributed in a round robin fashion between the channel group interfaces, starting with the interface with the lowest ID (slot/port). For example, all packets with a hash result of 0 go to GigabitEthernet 0/0, packets with a hash result of 1 go to GigabitEthernet 0/1, packets with a hash result of 2 go to GigabitEthernet 0/2, and so on.
Because there are eight hash result values regardless of how many active interfaces are in the EtherChannel, packets might not be distributed evenly depending on the number of active interfaces.
Table 39-1 shows the load balancing amounts per interface for each number of active interfaces. The active interfaces in bold have even distribution.
If an active interface goes down and is not replaced by a standby interface, then traffic is rebalanced between the remaining links. The failure is masked from both Spanning Tree at Layer 2 and the routing table at Layer 3, so the switchover is transparent to other network devices.
Examples
The following example sets the load-balancing algorithm to use the source and destination IP addresses and ports:
hostname(config)# interface port-channel 1
hostname(config-if)# port-channel load-balance src-dst-ip-port
Related Commands
port-channel min-bundle
For EtherChannels, to specify the minimum number of active interfaces required for the port-channel interface to become active, use the port-channel min-bundle command in interface configuration mode. To set the value to the default, use the no form of this command.
port-channel min-bundle number
no port-channel min-bundle
Syntax Description
number
Specifies the minimum number of active interfaces required for the port-channel interface to become active, between 1 and 8.
Command Default
The default is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
•
Command History
Usage Guidelines
Enter this command for a port-channel interface. If the active interfaces in the channel group falls below this value, then the port-channel interface goes down, and could trigger a device-level failover.
Examples
The following example sets the minimum number of active interfaces required for the port-channel to become active to two:
hostname(config)# interface port-channel 1
hostname(config-if)# port-channel min-bundle 2
Related Commands
port-channel span-cluster
To sets this EtherChannel as a spanned EtherChannel in an ASA cluster, use the port-channel span-cluster command in interface configuration mode. To disable spanning, use the no form of this command.
port-channel span-cluster [vss-load-balance]
no port-channel span-cluster [vss-load-balance]
Syntax Description
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
•
Command History
Usage Guidelines
You must be in spanned EtherChannel mode (cluster interface-mode spanned) to use this feature.
This feature lets you group one or more interfaces per unit into an EtherChannel that spans all units in the cluster. The EtherChannel aggregates the traffic across all the available active interfaces in the channel. A spanned EtherChannel can be configured in both routed and transparent firewall modes. In routed mode, the EtherChannel is configured as a routed interface with a single IP address. In transparent mode, the IP address is assigned to the bridge group, not to the interface. The EtherChannel inherently provides load balancing as part of basic operation.
Examples
The following example creates an EtherChannel (port-channel 2) with the tengigabitethernet 0/8 interface as the only member, and then spans the EtherChannel across the cluster. Two subinterfaces are added to port-channel 2.
interface tengigabitethernet 0/8
channel-group 2 mode activeno shutdowninterface port-channel 2port-channel span-clusterinterface port-channel 2.10vlan 10nameif insideip address 10.10.10.5 255.255.255.0ipv6 address 2001:DB8:1::5/64mac-address 000C.F142.4CDEinterface port-channel 2.20vlan 20nameif outsideip address 209.165.201.1 255.255.255.224ipv6 address 2001:DB8:2::8/64mac-address 000C.F142.5CDERelated Commands
interface
Enters interface configuration mode.
cluster interface-mode
Sets the cluster interface mode, for either Spanned EtherChannels or individual interfaces.
port-forward
To configure the set of applications that users of clientless SSL VPN session can access over forwarded TCP ports, use the port-forward command in webvpn configuration mode.
port-forward {list_name local_port remote_server remote_port description}
To configure access to multiple applications, use this command with the same list_name multiple times, once for each application.
To remove a configured application from a list, use the no port-forward list_name local_port command (you need not include the remote_server and remote_port parameters).
no port-forward listname localport
To remove an entire configured list, use the no port-forward list_name command.
no port-forward list_name
Syntax Description
Defaults
There is no default port forwarding list.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration mode
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
8.0(2)
The command mode was changed to webvpn.
Usage Guidelines
Port forwarding does not support Microsoft Outlook Exchange (MAPI) proxy. However, you can configure Smart Tunnel support for Microsoft Outlook Exchange 2010.
Examples
The following table shows the values used for example applications.
The following example shows how to create a port forwarding list called SalesGroupPorts that provides access to these applications:
hostname(config)#webvpnhostname(config-webvpn)# port-forward SalesGroupPorts 20143 IMAP4Sserver 143 Get Mailhostname(config-webvpn)#port-forward SalesGroupPorts 20025 SMTPSserver 25 Send Mailhostname(config-webvpn)#port-forward SalesGroupPorts 20022 DDTSserver 22 DDTS over SSHhostname(config-webvpn)#port-forward SalesGroupPorts 20023 Telnetserver 23 TelnetRelated Commands
port-forward-name
To configure the display name that identifies TCP port forwarding to end users for a particular user or group policy, use the port-forward-name command in webvpn mode, which you enter from group-policy or username mode. To delete the display name, including a null value created by using the port-forward-name none command, use the no form of the command. The no option restores the default name, "Application Access." To prevent a display name, use the port-forward none command.
port-forward-name {value name | none}
no port-forward-name
Syntax Description
Defaults
The default name is "Application Access."
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Command History
Examples
The following example shows how to set the name, "Remote Access TCP Applications," for the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)# port-forward-name value Remote Access TCP ApplicationsRelated Commands
port-object
To add a port object to a service object group of the type TCP, UDP, or TCP-UDP, use the port-object command in object-group service configuration mode. To remove port objects, use the no form of this command.
port-object {eq port | range begin_port end_port}
no port-object {eq port | range begin_port end_port}
Syntax Description
range begin_port end_port
Specifies a range of ports (inclusive), between 0 and 65535.
eq port
Specifies the decimal number (between 0 and 65535) or name of a TCP or UDP port for a service object.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Object-network service configuration
•
•
•
•
—
Command History
Usage Guidelines
The port-object command is used with the object-group service protocol command to define an object that is either a specific port or a range of ports.
If a name is specified for a TCP or UDP service, it must be one of the supported TCP or/and UDP names, and must be consistent with the protocol type of the object group. For instance, for a protocol types of tcp, udp, and tcp-udp, the names must be a valid TCP service name, a valid UDP service name, or a valid TCP and UDP service name, respectively.
If a number is specified, translation to its corresponding name (if one exists) based on the protocol type will be made when showing the object.
The following service names are supported:
Examples
This example shows how to use the port-object command in service configuration mode to create a new port (service) object group:
hostname(config)# object-group service eng_service tcphostname(config-service)# port-object eq smtphostname(config-service)# port-object eq telnethostname(config)# object-group service eng_service udphostname(config-service)# port-object eq snmphostname(config)# object-group service eng_service tcp-udphostname(config-service)# port-object eq domainhostname(config-service)# port-object range 2000 2005hostname(config-service)# quitRelated Commands
portal-access-rule
This command allows customers to configure a global clientless SSL VPN access policy to permit or deny clientless SSL VPN sessions based on the data present in HTTP header. If denied, an error code is returned to the clients. This denial is performed before user authentication and thus minimizes the use of processing resources.
portal-access-rule none
portal-access-rule priority [{permit | deny [code code]} {any | user-agent match string}
no portal-access-rule priority [{permit | deny [code code]} {any | user-agent match string}]
clear configure webvpn portal-access-rule
Syntax Description
Defaults
portal-access-rule none
Command Modes
The following table shows the modes in which you can enter the command:
webvpn configuration mode
•
—
•
—
—
Command History
8.2(5)
This command was introduced simultaneously in ASA 8.2.5 and 8.4(2)
8.4(2)
This command was introduced simultaneously in ASA 8.2.5 and 8.4(2)
Usage Guidelines
This check is performed prior to user authentication.
Examples
The following example creates three portal access rules:
•
•
•
hostname(config)# webvpnhostname(config-webvpn)# portal-access-rule 1 deny code 403 user-agent match *Thunderbird*hostname(config-webvpn)# portal-access-rule 10 permit user-agent match "*MSIE 8.0*"hostname(config-webvpn)# portal-access-rule 65535 permit anyRelated Commands
post-max-size
To specify the maximum size allowed for an object to post, use the post-max-size command in group-policy webvpn configuration mode. To remove this object from the configuration, use the no version of this command.
post-max-size <size>
no post-max-size
Syntax Description
Defaults
The default size is 2147483647.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
Setting the size to 0 effectively disallows object posting.
Examples
The following example sets the maximum size for a posted object to 1500 bytes:
hostname(config)#group-policy test attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)#post-max-size 1500Related Commands
pppoe client route distance
To configure an administrative distance for routes learned through PPPoE, use the pppoe client route distance command in interface configuration mode. To restore the default setting, use the no form of this command.
pppoe client route distance distance
no pppoe client route distance distance
Syntax Description
distance
The administrative distance to apply to routes learned through PPPoE. Valid values are from 1 to 255.
Defaults
Routes learned through PPPoE are given an administrative distance of 1 by default.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
The pppoe client route distance command is checked only when a route is learned from PPPoE. If the pppoe client route distance command is entered after a route is learned from PPPoE, the administrative distance specified does not affect the existing learned route. Only routes learned after the command was entered have the specified administrative distance.
You must specify the setroute option on the ip address pppoe command to obtain routes through PPPoE.
If PPPoE is configured on multiple interfaces, you must use the pppoe client route distance command on each of the interfaces to indicate the priority of the installed routes. Enablgin PPPoE clients on multiple interfaces is only supported with object tracking.
You cannot configure failover if you obtain IP addresses using PPPoE.
Examples
The following example obtains the default route through PPPoE on GigabitEhternet0/2. The route is tracked by tracking entry object 1. The SLA operation monitors the availability of the 10.1.1.1 gateway off of the outside interface. If the SLA operation fails, then the secondary route obtained on GigabitEthernet0/3 through PPPoE is used.
hostname(config)# sla monitor 123hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outsidehostname(config-sla-monitor-echo)# timeout 1000hostname(config-sla-monitor-echo)# frequency 3hostname(config)# sla monitor schedule 123 life forever start-time nowhostname(config)# track 1 rtr 123 reachabilityhostname(config)# interface GigabitEthernet0/2hostname(config-if)# pppoe client route track 1hostname(config-if)# ip address pppoe setroutehostname(config)# interface GigabitEthernet0/3hostname(config-if)# pppoe client secondary track 1hostname(config-if)# pppoe client route distance 254hostname(config-if)# ip address pppoe setrouteRelated Commands
pppoe client route track
To configure the PPPoE client to associate added routes with a specified tracked object number, use the pppoe client route track command in interface configuration mode. To remove the PPPoE route tracking, use the no form of this command.
pppoe client route track number
no pppoe client route track
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
The pppoe client route track command is checked only when a route is learned from PPPoE. If the pppoe client route track command is entered after a route is learned from PPPoE, the existing learned routes are not associated with a tracking object. Only routes learned after the command was entered are associated with the specified tracking object.
You must specify the setroute option on the ip address pppoe command to obtain routes through PPPoE.
If PPPoE is configured on multiple interfaces, you must use the pppoe client route distance command on each of the interfaces to indicate the priority of the installed routes. Enabling PPPoE clients on multiple interfaces is only supported with object tracking.
You cannot configure failover if you obtain IP addresses using PPPoE.
Examples
The following example obtains the default route through PPPoE on GigabitEhternet0/2. The route is tracked by tracking entry object 1. The SLA operation monitors the availability of the 10.1.1.1 gateway off of the outside interface. If the SLA operation fails, then the secondary route obtained on GigabitEthernet0/3 through PPPoE is used.
hostname(config)# sla monitor 123hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outsidehostname(config-sla-monitor-echo)# timeout 1000hostname(config-sla-monitor-echo)# frequency 3hostname(config)# sla monitor schedule 123 life forever start-time nowhostname(config)# track 1 rtr 123 reachabilityhostname(config)# interface GigabitEthernet0/2hostname(config-if)# pppoe client route track 1hostname(config-if)# ip address pppoe setroutehostname(config)# interface GigabitEthernet0/3hostname(config-if)# pppoe client secondary track 1hostname(config-if)# pppoe client route distance 254hostname(config-if)# ip address pppoe setrouteRelated Commands
pppoe client secondary
To configure the PPPoE client to register as a client of a tracked object and to be brought up or down based on the tracking state, use the pppoe client secondary command in interface configuration mode. To remove the client registration, use the no form of this command.
pppoe client secondary track number
no pppoe client secondary track
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
The pppoe client secondary command is checked only when PPPoE session starts. If the pppoe client route track command is entered after a route is learned from PPPoE, the existing learned routes are not associated with a tracking object. Only routes learned after the command was entered are associated with the specified tracking object.
You must specify the setroute option on the ip address pppoe command to obtain routes through PPPoE.
If PPPoE is configured on multiple interfaces, you must use the pppoe client route distance command on each of the interfaces to indicate the priority of the installed routes. Enabling PPPoE clients on multiple interfaces is only supported with object tracking.
You cannot configure failover if you obtain IP addresses using PPPoE.
Examples
The following example obtains the default route through PPPoE on GigabitEhternet0/2. The route is tracked by tracking entry object 1. The SLA operation monitors the availability of the 10.1.1.1 gateway off of the outside interface. If the SLA operation fails, then the secondary route obtained on GigabitEthernet0/3 through PPPoE is used.
hostname(config)# sla monitor 123hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outsidehostname(config-sla-monitor-echo)# timeout 1000hostname(config-sla-monitor-echo)# frequency 3hostname(config)# sla monitor schedule 123 life forever start-time nowhostname(config)# track 1 rtr 123 reachabilityhostname(config)# interface GigabitEthernet0/2hostname(config-if)# pppoe client route track 1hostname(config-if)# ip address pppoe setroutehostname(config)# interface GigabitEthernet0/3hostname(config-if)# pppoe client secondary track 1hostname(config-if)# pppoe client route distance 254hostname(config-if)# ip address pppoe setrouteRelated Commands
