-
Cisco ASA Series Command Reference
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
-
C Commands
-
cache -- clear compression
-
clear configure -- clear configure http
-
clear configure flow-export-- clear configure zonelabs-integrity
-
clear conn -- clear isakmp sa
-
clear local-host -- clear xlate
-
client-access-rule -- crl-configure
-
crypto ca authenticate -- crypto ipsec ikev1 transform-set mode transport
-
crypto isakmp disconnect-notify -- cxsc auth-proxy port
-
-
D through F Commands
-
database path -- debug cxsc
-
debug dap -- debug http-map
-
debug icmp -- debug ospfv3
-
debug parser cache -- debug xml
-
default -- dhcp-server
-
dhcpd address -- distribute-list out
-
dns domain-lookup -- dynamic-filter whitelist
-
eigrp log-neighbor-changes -- export webvpn webcontent
-
failover -- fallback
-
file-bookmarks -- functions
-
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- shape
-
show aaa kerberos -- show asdm sessions
-
show asp cluster counter -- show asp table vpn-context
-
show blocks -- show cpu
-
show crashinfo -- show curpriv
-
show ddns update interface -- show environment
-
show failover -- show ipsec stats traffic
-
show ipv6 access-list -- show ipv6
-
show isakmp ipsec-over-tcp stats -- show ospf virtual-links
-
show nac-policy -- show ospf virtual-links
-
show pager -- show route
-
show running-config -- show running-config ctl-provider
-
show running-config ddns -- show running-config isakmp
-
show running-config ipv6 router -- show running-config router
-
show running-config same-security-traffic -- show running-config xlate
-
show scansafe -- show switch vlan
-
show tcpstat -- show traffic
-
show uauth -- show xlate
-
shun -- snmp-server user
-
software-version -- storage-objects
-
subject-name -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
validate-attribute through vpnsetup Commands
validation-policy (crypto ca trustpoint)
validate-attribute through vpnsetup Commands
validate-attribute
To validate RADIUS attributes when using RADIUS accounting, use the validate attribute command in radius-accounting parameter configuration mode, which is accessed by using the inspect radius-accounting command.
This option is disabled by default.
validate-attribute [attribute_number]
no validate-attribute [attribute_number]
Syntax Description
attribute_number
The RADIUS attribute to be validated with RADIUS accounting. Values range from 1-191. Vendor Specific Attributes are not supported.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Radius-accounting parameter configuration
•
•
•
•
—
Command History
Usage Guidelines
When this command is configured, the security appliance will also do a match on these attributes in addition to the Framed IP attribute. Multiple instances of this command are allowed.
You can find a list of RADIUS attribute types here:
http://www.iana.org/assignments/radius-types
Examples
The following example shows how to enable RADIUS accounting for the user name RADIUS attribute:
hostname(config)# policy-map type inspect radius-accounting rahostname(config-pmap)# parametershostname(config-pmap-p)# validate attribute 1Related Commands
inspect radius-accounting
Sets inspection for RADIUS accounting.
parameters
Sets parameters for an inspection policy map.
validation-policy (crypto ca trustpoint)
To specify the conditions under which a trustpoint can be used to validate the certificates associated with an incoming user connection, use the validation-policy command in crypto ca trustpoint configuration mode. To specify that the trustpoint cannot be used for the named condition, use the no form of the command.
[no] validation-policy {ssl-client | ipsec-client} [no-chain] [subordinate-only]
Syntax Description
Defaults
No default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Command History
Crypto ca trustpoint configuration
•
•
•
•
—
Usage Guidelines
Remote-access VPNs can use Secure Sockets Layer (SSL) VPN, IP Security (IPsec), or both, depending on deployment requirements, to permit access to virtually any network application or resource. The validation-policy command allows you to specify the protocol type permitted to access on-board CA certificates.
The no-chain option with this command prevents a security applicance from supporting subordinate CA certificates that are not configured as trustpoints on the security appliance.
The security appliance can have two trustpoints with the same CA resulting in two different identity certificates from the same CA. This option is disabled automatically if the trustpoint is authenticated to a CA that is already associated with another trustpoint that has enabled this feature. This prevents ambiguity in the choice of path-validation parameters. If the user attempts to activate this feature on a trustpoint that has been authenticated to a CA already associated with another trustpoint that has enabled this feature, the action is not permitted. No two trustpoints can have this setting enabled and be authenticated to the same CA.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint, central, and designates it an SSL trustpoint:
hostname(config)# crypto ca trustpoint centralhostname(config-ca-trustpoint)# validation-policy sslhostname(config-ca-trustpoint)#The following example enters crypto ca trustpoint configuration mode for trustpoint, checkin1,and sets it to accept certificates that are subordinate to the specified trustpoint.
hostname(config)# crypto ca trustpoint checkin1hostname(config-ca-trustpoint)# validation-policy subordinates-onlyhostname(config-ca-trustpoint)#Related Commands
validation-usage
To specify the usage types for which validation with this trustpoint is allowed, use the validation-usage command in crypto ca trustpoint configuration mode. To not specify the usage types, use the no form of the command.
validation-usage ipsec-client | ssl-client | ssl-server
no validation-usage ipsec-client | ssl-client | ssl-server
Syntax Description
Defaults
ipsec-client, ssl-client
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
—
•
—
—
Command History
Usage Guidelines
When there are multiple trustpoints associated with the same CA certificate, only one of the trustpoints can be configured for a specific client type. However, one of the trustpoints can be configured for one client type and the other trustpoint with another client type.
If there is a trustpoint associated with the same CA certificate that is already configured with a client type, the new trustpoint is not allowed to be configured with the same client-type setting. The no form of the command clears the setting so that a trustpoint cannot be used for any client validation.
Remote access VPNs can use Secure Sockets Layer (SSL) VPN, IP Security (IPsec), or both, depending on deployment requirements, to permit access to any network application or resource.
Related Commands
crypto ca trustpoint
Enters the crypto ca trustpoint configuration mode for the specified trustpoint.
vdi
To provide secure remote access for Citrix Receiver applications running on mobile devices to XenApp and XenDesktop VDI servers through the ASA, use the vdi command.
vdi type citrix url url domain domain username username password password
Syntax Description
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
In a VDI model, administrators publish desktops pre-loaded with enterprise applications, and end users remotely access these desktops. These virtualized resources appear just as any other resources, such as email, so that users do not need to go through a Citrix Access Gateway to access them. Users log onto the ASA using Citrix Receiver mobile client, and the ASA connects to a pre-defined Citrix XenApp or XenDesktop Server. The administrator must configure the Citrix server's address and logon credentials under Group Policy so that when users connect to their Citrix Virtualized resource, they enter the ASA's SSL VPN IP address and credentials instead of pointing to the Citrix Server's address and credentials. When the ASA has verified the credentials, the receiver client starts to retrieve entitled applications through the ASA.
Supported Mobile Devices
•
•
•
•
•
Examples
If both username and group policy are configured, username settings take precedence over group policy.
configure terminalgroup-policy DfltGrpPolicy attributeswebvpnvdi type <citrix> url <url> domain <domain> username <username> password <password>configure terminalusername <username> attributeswebvpnvdi type <citrix> url <url> domain <domain> username <username> password <password>]Related Commands
debug webvpn citrix
Provides insight into the process of launching Citrix-based applications and desktops.
verify
To verify the checksum of a file, use the verify command in privileged EXEC mode.
verify path
verify [/md5 path] [md5-value]
Syntax Description
Defaults
The current flash device is the default file system.
Note
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Use the verify command to verify the checksum of a file before using it.
Each software image that is distributed on disk uses a single checksum for the entire image. This checksum is displayed only when the image is copied into Flash memory; it is not displayed when the image file is copied from one disk to another.
Before loading or duplicating a new image, record the checksum and MD5 information for the image so that you can verify the checksum when you copy the image into Flash memory or onto a server. A variety of image information is available on Cisco.com.
To display the contents of Flash memory, use the show flash command. The Flash contents listing does not include the checksum of individual files. To recompute and verify the image checksum after the image has been copied into Flash memory, use the verify command. Note, however, that the verify command only performs a check on the integrity of the file after it has been saved in the file system. It is possible for a corrupt image to be transferred to the ASA and saved in the file system without detection. If a corrupt image is transferred successfully to the ASA, the software will be unable to tell that the image is corrupted and the file will verify successfully.
To use the message-digest5 (MD5) hash algorithm to ensure file validation, use the verify command with the /md5 option. MD5 is an algorithm (defined in RFC 1321) that is used to verify data integrity through the creation of a unique 128-bit message digest. The /md5 option of the verify command allows you to check the integrity of the security appliance software image by comparing its MD5 checksum value against a known MD5 checksum value for the image. MD5 values are now made available on Cisco.com for all security appliance software images for comparison against local system image values.
To perform the MD5 integrity check, issue the verify command using the /md5 keyword. For example, issuing the verify /md5 flash:cdisk.bin command will calculate and display the MD5 value for the software image. Compare this value with the value available on Cisco.com for this image.
Alternatively, you can get the MD5 value from Cisco.com first, then specify this value in the command syntax. For example, issuing the verify /md5 flash:cdisk.bin 8b5f3062c4cacdbae72571440e962233 command will display a message verifying that the MD5 values match or that there is a mismatch. A mismatch in MD5 values means that either the image is corrupt or the wrong MD5 value was entered.
Examples
The following example shows the verify command used on an image file called cdisk.bin. Some of the text was removed for clarity:
hostname# verify cdisk.bin!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Done!Embedded Hash MD5: af5a155f3d5c128a271282c33277069bComputed Hash MD5: af5a155f3d5c128a271282c33277069bCCO Hash MD5: b569fff8bbf8087f355aaf22ef46b782Signature VerifiedVerified disk0:/cdisk.binhostname#Related Commands
verify-header
To allow only known IPv6 extension headers and enforces the order of IPv6 extension headers, use the verify-header command in parameters configuration mode. You can access the parameters configuration mode by first entering the policy-map type inspect ipv6 command. To disable these parameters, use the no form of this command.
verify-header {order | type}
no verify-header {order | type}
Syntax Description
order
Enforces the order of IPv6 extension headers as defined in the RFC 2460 specification.
type
Allows only known IPv6 extension headers.
Command Default
Both order and type are enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Usage Guidelines
These parameters are enabled by default. To disable them, enter the no keyword.
Examples
The following example disables the order and type parameters for an IPv6 inspection policy map:
hostname(config)# policy-map type inspect ipv6 ipv6-maphostname(config-pmap)# parametershostname(config-pmap-p)# no verify-header orderhostname(config-pmap-p)# no verify-header typeRelated Commands
version
To specify the version of RIP used globally by the ASA, use the version command in router configuration mode. To restore the defaults, use the no form of this command.
version {1 | 2}
no version
Syntax Description
Defaults
The ASA accepts Version 1 and Version 2 packets but sends only Version 1 packets.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
You can override the global setting on a per-interface basis by entering the rip send version and rip receive version commands on an interface.
If you specify RIP version 2, you can enable neighbor authentication and use MD5-based encryption to authenticate the RIP updates.
Examples
The following example configures the ASA to send and receive RIP Version 2 packets on all interfaces:
hostname(config)# router riphostname(config-router)# network 10.0.0.0hostname(config-router)# version 2Related Commands
virtual http
To configure a virtual HTTP server, use the virtual http command in global configuration mode. To disable the virtual server, use the no form of this command.
virtual http ip_address [warning]
no virtual http ip_address [warning]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
When you use HTTP authentication on the ASA (see the aaa authentication match or the aaa authentication include command), the ASA uses basic HTTP authentication by default. You can change the authentication method so that the ASA redirects HTTP connections to web pages generated by the ASA itself using the aaa authentication listener command with the redirect keyword.
However, if you continue to use basic HTTP authentication, then you might need the virtual http command when you have cascading HTTP authentications.
If the destination HTTP server requires authentication in addition to the ASA, then the virtual http command lets you authenticate separately with the ASA (via a AAA server) and with the HTTP server. Without virtual HTTP, the same username and password you used to authenticate with the ASA is sent to the HTTP server; you are not prompted separately for the HTTP server username and password. Assuming the username and password is not the same for the AAA and HTTP servers, then the HTTP authentication fails.
This command redirects all HTTP connections that require AAA authentication to the virtual HTTP server on the ASA. The ASA prompts for the AAA server username and password. After the AAA server authenticates the user, the ASA redirects the HTTP connection back to the original server, but it does not include the AAA server username and password. Because the username and password are not included in the HTTP packet, the HTTP server prompts the user separately for the HTTP server username and password.
For inbound users (from lower security to higher security), you must also include the virtual HTTP address as a destination interface in the access list applied to the source interface. Moreover, you must add a static command for the virtual HTTP IP address, even if NAT is not required (using the no nat-control command). An identity NAT command is typically used (where you translate the address to itself).
For outbound users, there is an explicit permit for traffic, but if you apply an access list to an inside interface, be sure to allow access to the virtual HTTP address. A static statement is not required.
Note
Examples
The following example shows how to enable virtual HTTP along with AAA authentication:
hostname(config)# virtual http 209.165.202.129hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.200.225 eq httphostname(config)# access-list ACL-IN remark This is the HTTP server on the insidehostname(config)# access-list ACL-IN extended permit tcp any host 209.165.202.129 eq httphostname(config)# access-list ACL-IN remark This is the virtual HTTP addresshostname(config)# access-group ACL-IN in interface outsidehostname(config)# static (inside, outside) 209.165.202.129 209.165.202.129 netmask 255.255.255.255hostname(config)# access-list AUTH extended permit tcp any host 209.165.200.225 eq httphostname(config)# access-list AUTH remark This is the HTTP server on the insidehostname(config)# access-list AUTH extended permit tcp any host 209.165.202.129 eq httphostname(config)# access-list AUTH remark This is the virtual HTTP addresshostname(config)# aaa authentication match AUTH outside tacacs+Related Commands
virtual telnet
To configure a virtual Telnet server on the ASA, use the virtual telnet command in global configuration mode. You might need to authenticate users with the virtual Telnet server if you require authentication for other types of traffic for which the ASA does not supply an authentication prompt. To disable the server, use the no form of this command.
virtual telnet ip_address
no virtual telnet ip_address
Syntax Description
ip_address
Sets the IP address for the virtual Telnet server on the ASA. Make sure this address is an unused address that is routed to the ASA.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Although you can configure network access authentication for any protocol or service (see the aaa authentication match or aaa authentication include command), you can authenticate directly with HTTP, Telnet, or FTP only. A user must first authenticate with one of these services before other traffic that requires authentication is allowed through. If you do not want to allow HTTP, Telnet, or FTP through the ASA, but want to authenticate other types of traffic, you can configure virtual Telnet; the user Telnets to a given IP address configured on the ASA, and the ASA provides a Telnet prompt.
You must configure authentication for Telnet access to the virtual Telnet address as well as the other services you want to authenticate using the authentication match or aaa authentication include command.
When an unauthenticated user connects to the virtual Telnet IP address, the user is challenged for a username and password, and then authenticated by the AAA server. Once authenticated, the user sees the message "Authentication Successful." Then, the user can successfully access other services that require authentication.
For inbound users (from lower security to higher security), you must also include the virtual Telnet address as a destination interface in the access list applied to the source interface. Moreover, you must add a static command for the virtual Telnet IP address, even if NAT is not required (using the no nat-control command). An identity NAT command is typically used (where you translate the address to itself).
For outbound users, there is an explicit permit for traffic, but if you apply an access list to an inside interface, be sure to allow access to the virtual Telnet address. A static statement is not required.
To logout from the ASA, reconnect to the virtual Telnet IP address; you are prompted to log out.
Examples
This example shows how to enable virtual Telnet along with AAA authentication for other services:
hostname(config)# virtual telnet 209.165.202.129hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.200.225 eq smtphostname(config)# access-list ACL-IN remark This is the SMTP server on the insidehostname(config)# access-list ACL-IN extended permit tcp any host 209.165.202.129 eq telnethostname(config)# access-list ACL-IN remark This is the virtual Telnet addresshostname(config)# access-group ACL-IN in interface outsidehostname(config)# static (inside, outside) 209.165.202.129 209.165.202.129 netmask 255.255.255.255hostname(config)# access-list AUTH extended permit tcp any host 209.165.200.225 eq smtphostname(config)# access-list AUTH remark This is the SMTP server on the insidehostname(config)# access-list AUTH extended permit tcp any host 209.165.202.129 eq telnethostname(config)# access-list AUTH remark This is the virtual Telnet addresshostname(config)# aaa authentication match AUTH outside tacacs+Related Commands
vlan
To assign a VLAN ID to a subinterface, use the vlan command in interface configuration mode. To remove a VLAN ID, use the no form of this command. Subinterfaces require a VLAN ID to pass traffic. VLAN subinterfaces let you configure multiple logical interfaces on a single physical interface. VLANs let you keep traffic separate on a given physical interface, for example, for multiple security contexts.
vlan id
no vlan
Syntax Description
id
Specifies an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
•
Command History
7.0(1)
This command was moved from a keyword of the interface command to an interface configuration mode command.
Usage Guidelines
You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the ASA changes the old ID.
You need to enable the physical interface with the no shutdown command to let subinterfaces be enabled. If you enable subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. Therefore, you cannot prevent traffic from passing through the physical interface by bringing down the interface. Instead, ensure that the physical interface does not pass traffic by leaving out the nameif command. If you want to let the physical interface pass untagged packets, you can configure the nameif command as usual.
The maximum number of subinterfaces varies depending on your platform. See the CLI configuration guide for the maximum subinterfaces per platform.
Examples
The following example assigns VLAN 101 to a subinterface:
hostname(config)# interface gigabitethernet0/0.1hostname(config-subif)# vlan 101hostname(config-subif)# nameif dmz1hostname(config-subif)# security-level 50hostname(config-subif)# ip address 10.1.2.1 255.255.255.0hostname(config-subif)# no shutdownThe following example changes the VLAN to 102:
hostname(config)# show running-config interface gigabitethernet0/0.1interface GigabitEthernet0/0.1vlan 101nameif dmz1security-level 50ip address 10.1.2.1 255.255.255.0hostname(config)# interface gigabitethernet0/0.1hostname(config-interface)# vlan 102hostname(config)# show running-config interface gigabitethernet0/0.1interface GigabitEthernet0/0.1vlan 102nameif dmz1security-level 50ip address 10.1.2.1 255.255.255.0Related Commands
vlan (group-policy)
To assign a VLAN to a group policy, use the vlan command in group-policy configuration mode. To remove the VLAN from the configuration of the group policy and replace it with the VLAN setting of the default group policy, use the no form of this command.
[no] vlan {vlan_id |none}
Syntax Description
Defaults
The default value is none.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
This command specifies the egress VLAN interface for sessions assigned to this group policy. The ASA forwards all traffic on this group to that VLAN. You can assign a VLAN to each group policy to simplify access control. Use this command as an alternative to using ACLs to filter traffic on a session.
Examples
The following command assigns the VLAN 1 to the group policy:
hostname(config-group-policy)# vlan 1hostname(config-group-policy)The following command removes VLAN mapping from the group policy:
hostname(config-group-policy)# vlan nonehostname(config-group-policy)Related Commands
vpdn group
To create or edit a vpdn group and configure PPPoE client settings, use the vpdn group command in global configuration mode. To remove a group policy from the configuration, use the no form of this command.
vpdn group group_name {localname username | request dialout pppoe | ppp authentication {chap | mschap | pap}}
no vpdn group group_name {localname name | request dialout pppoe | ppp authentication {chap | mschap | pap}}
Note
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
Command History
Usage Guidelines
Virtual Private Dial-up Networking (VPDN) is used to provide long distance, point-to-point connections between remote dial-in users and a private network. VDPN on the security appliance uses the Layer 2 tunnelling technology PPPoE to establish dial-up networking connections from the remote user to the private network across a public network.
PPPoE is the Point-to-Point Protocol (PPP) over Ethernet. PPP is designed to work with network layer protocols such as IP, IPX, and ARA. PPP also has CHAP and PAP as built-in security mechanisms.
The show vpdn session pppoe command displays session information for PPPOE connections. The clear configure vpdn group command removes all vpdn group commands from the configuration and stops all the active L2TP and PPPoE tunnels. The clear configure vpdn username command removes all the vpdn username commands from the configuration.
Because PPPoE encapsulates PPP, PPPoE relies on PPP to perform authentication and ECP and CCP functions for client sessions operating within the VPN tunnel. Additionally, PPPoE is not supported in conjunction with DHCP because PPP assigns the IP address for PPPoE.
Note
To define a VPDN group to be used for PPPoE, use the vpdn group group_name request dialout pppoe command. Then use the pppoe client vpdn group command from interface configuration mode to associate a VPDN group with a PPPoE client on a particular interface.
If your ISP requires authentication, use the vpdn group group_name ppp authentication {chap | mschap | pap} command to select the authentication protocol used by your ISP.
Use the vpdn group group_name localname username command to associate the username assigned by your ISP with the VPDN group.
Use the vpdn username username password password command to create a username and password pair for the PPPoE connection. The username must be a username that is already associated with the VPDN group specified for PPPoE.
Note
The PPPoE client functionality is turned off by default, so after VPDN configuration, enable PPPoE with the ip address if_name pppoe [setroute] command. The setroute option causes a default route to be created if no default route exists.
As soon as PPPoE is configured, the security appliance attempts to find a PPPoE access concentrator with which to communicate. When a PPPoE connection is terminated, either normally or abnormally, the security appliance attempts to find a new access concentrator with which to communicate.
The following ip address commands should not be used after a PPPoE session is initiated because they will terminate the PPPoE session:
•
•
•
Examples
The following example creates a vdpn group telecommuters and configures the PPPoE client:
F1(config)# vpdn group telecommuters request dialout pppoeF1(config)# vpdn group telecommuters localname user1F1(config)# vpdn group telecommuters ppp authentication papF1(config)# vpdn username user1 password test1F1(config)# interface GigabitEthernet 0/1F1(config-subif)# ip address pppoe setrouteRelated Commands
vpdn username
To create a username and password pair for PPPoE connections, use the vpdn username command in global configuration mode.
vpdn username username password password [store-local]
no vpdn username username password password [store-local]
Note
Syntax Description
Defaults
No default behavior or values. See Usage Guidelines.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
Command History
Usage Guidelines
The vpdn username must be a username that is already associated with the VPDN group specified with the vpdn group group_name localname username command.
The clear configure vpdn username command removes all the vpdn username commands from the configuration.
Examples
The following example creates the vpdn username bob_smith with the password telecommuter9/8:
F1(config)# vpdn username bob_smith password telecommuter9/8Related Commands
vpn-access-hours
To associate a group policy with a configured time-range policy, use the vpn-access-hours command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a time-range value from another group policy. To prevent inheriting a value, use the vpn-access-hours none command.
vpn-access hours value {time-range} | none
no vpn-access hours
Syntax Description
Defaults
Unrestricted.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Username configuration
•
—
•
—
—
Command History
Examples
The following example shows how to associate the group policy named FirstGroup with a time-range policy called 824:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#vpn-access-hours 824Related Commands
time-range
Sets days of the week and hours of the day for access to the network, including start and end dates.
vpn-addr-assign
To specify a method for assigning IPv4 addresses to remote access clients, use the vpn-addr-assign command in global configuration mode. To remove the attribute from the configuration, use the no version of this command. To remove all configured VPN address assignment methods from the ASA, user the no version of this command. without arguments.
vpn-addr-assign {aaa | dhcp | local [reuse-delay delay]}
no vpn-addr-assign {aaa | dhcp | local [reuse-delay delay]}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
Command History
7.0(1)
This command was introduced.
8.0.3
The reuse-delay option was introduced.
Usage Guidelines
If you choose DHCP, you should also use the dhcp-network-scope command to define the range of IP addresses that the DHCP server can use. You must use the dhcp-server command to indicate the IP addresses that the DHCP server uses.
If you choose local, you must also use the ip-local-pool command to define the range of IP addresses to use. You then use the vpn-framed-ip-address and vpn-framed-netmask commands to assign IP addresses and netmasks to individual users.
With the local pool, you can use the reuse-delay delay option to adjust the delay before a released IP address can be reused. Increasing the delay prevents problems firewalls may experience when an IP address is returned to the pool and reassigned quickly.
If you choose AAA, you obtain IP addresses from either a previously configured RADIUS server.
Examples
The following example shows how to configure DHCP as the address assignment method:
hostname(config)#vpn-addr-assign dhcpRelated Commands
vpn-filter
To specify the name of the ACL to use for VPN connections, use the vpn-filter command in group policy or username mode. To remove the ACL, including a null value created by issuing the vpn-filter none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting values, use the vpn-filter none command.
You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the vpn-filter command to apply those ACLs.
vpn-filter {value ACL name | none}
no vpn-filter
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Username
•
—
•
—
—
Command History
Usage Guidelines
Clientless SSL VPN does not use the ACL defined in the vpn-filter command.
By design, the vpn-filter feature allows for traffic to be filtered in inbound direction only. The outbound rule is automatically compiled. When creating an icmp access-list, do not specify icmp type in the access-list formatting if you want directional filters.
Examples
The following example shows how to set a filter that invokes an access list named acl_vpn for the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#vpn-filter value acl_vpnRelated Commands
access-list
Creates an access list, or uses a downloadable access list.
ipv6-vpn-filter
Deprecated command which was used previously to specify IPv6 ACLs.
vpn-framed-ip-address
To specify the IPv4 address to assign to an individual user, use the vpn-framed-ip-address command in username mode. To remove the IP address, use the no form of this command.
vpn-framed-ip-address {ip_address} {subnet_mask}
no vpn-framed-ip-address
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Username
•
—
•
—
—
Command History
Examples
The following example shows how to set an IP address of 10.92.166.7 for a user named anyuser:
hostname(config)#username anyuser attributeshostname(config-username)#vpn-framed-ip-address 10.92.166.7 255.255.255.254vpn-framed-ipv6-address
Use the vpn-framed-ipv6-address command in username mode to assign a dedicated IPv6 address to a user. To remove the IP address, use the no form of this command.
vpn-framed-ipv6-address ip_address/subnet_mask
no vpn-framed-ipv6-address ip_address/subnet_mask
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Username
•
—
•
—
—
Command History
Examples
The following example shows how to set an IP address and netmask of 2001::3000:1000:2000:1/64 for a user named anyuser. This address indicates a prefix value of 2001:0000:0000:0000 and an interface ID of 3000:1000:2000:1.
hostname(config)#username anyuser attributeshostname(config-username)#vpn-framed-ipv6-address 2001::3000:1000:2000:1/64hostname(config-username)Related Commands
vpn-framed-ip-address
Specifies an IPv4 address to assign to an individual user.
vpn-group-policy
To have a user inherit attributes from a configured group policy, use the vpn-group-policy command in username configuration mode. To remove a group policy from a user configuration, use the no version of this command. Using this command lets users inherit attributes that you have not configured at the username level.
vpn-group-policy {group-policy name}
no vpn-group-policy {group-policy name}
Syntax Description
Defaults
By default, VPN users have no group policy association.
Command Modes
The following table shows the modes in which you can enter the command:
Username configuration
•
—
•
—
—
Command History
Usage Guidelines
You can override the value of an attribute in a group policy for a particular user by configuring it in username mode, if that attribute is available in username mode.
Examples
The following example shows how to configure a user named anyuser to use attributes from the group policy named FirstGroup:
hostname(config)#username anyuser attributeshostname(config-username)# vpn-group-policy FirstGroupRelated Commands
vpn-idle-timeout
To configure a user timeout period use the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode. If there is no communication activity on the connection in this period, the ASA terminates the connection. You can optionally extend the timeout alert-interval from the default one minute.
To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a time-out value from another group policy. To prevent inheriting a value, use the vpn-idle-timeout none command.
vpn-idle-timeout {minutes | none} [alert-interval minutes]
no vpn-idle-timeout
no vpn-idle-timeout alert-interval
Syntax Description
Defaults
30 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Username
•
—
•
—
—
Command History
Usage Guidelines
The AnyConnect client supports session resumption for SSL and IKEv2 connection. With this capability, end user devices can go into sleep mode, lose their WiFi, or any of the like and resume the same connection upon return.
Examples
The following example shows how to set a VPN idle timeout of 15 minutes for the group policy named "FirstGroup":
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#vpn-idle-timeout 30The security appliance uses the default-idle-timeout value if no idle timeout is defined for a user, if the vpn-idle-timeout value is 0, or if the value does not fall into the valid range.
Related Commands
vpn load-balancing
To enter vpn load-balancing mode, in which you can configure VPN load balancing and related functions, use the vpn load-balancing command in global configuration mode.
vpn load-balancing
Note
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
Command History
7.0(1)
This command was introduced.
8.0(2)
Added support for ASA 5510 with a Plus license and models above 5520.
Usage Guidelines
A load-balancing cluster can include security appliance models 5510 (with a Plus license), or ASA 5520 and above. You can also include VPN 3000 Series Concentrators in the cluster. While mixed configurations are possible, administration is generally simpler if the cluster is homogeneous.
Use the vpn load-balancing command to enter vpn load-balancing mode. The following commands are available in vpn load-balancing mode:
•
•
•
•
•
•
•
•
•
See the individual command descriptions for detailed information.
Examples
The following is an example of the vpn load-balancing command; note the change in the prompt:
hostname(config)# vpn load-balancinghostname(config-load-balancing)#The following is an example of a VPN load-balancing command sequence that includes an interface command that specifies the public interface of the cluster as "test" and the private interface of the cluster as "foo":
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# nat 192.168.10.10hostname(config-load-balancing)# priority 9hostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# cluster key 123456789hostname(config-load-balancing)# cluster encryptionhostname(config-load-balancing)# cluster port 9023hostname(config-load-balancing)# participate
Related Commands
vpn-session-db
To specify the maximum number of VPN sessions or AnyConnect client VPN sessions, use the vpn-session-db command from global configuration mode. To remove the limit from the configuration, use the no form of the command:
vpn-sessiondb {max-anyconnect-premium-or-essentials-limit number | max-other-vpn-limit number}
Syntax Description
Defaults
By default, the ASA does not limit the number of VPN sessions lower than the licensed maximum.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Examples
The following example sets the maximum AnyConnect sessions to 200:
hostname(config)# vpn-sessiondb max-anyconnect-premium-or-essentials-limit 200Related Commands
vpn-sessiondb logoff
Logs off all or specific types of IPsec VPN and WebVPN sessions.
vpn-sessiondb max-webvpn-session-limit
Sets a maximum number of WebVPN sessions.
vpn-sessiondb logoff
To log off all or selected VPN sessions, use the vpn-sessiondb logoff command in global configuration mode.
vpn-sessiondb logoff {all | anyconnect | email-proxy | index index_number | ipaddress IPaddr | l2l | name username | protocol protocol-name | ra-ikev1-ipsec | tunnel-group groupname | vpn-lb | webvpn} [noconfirm]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Examples
The following example shows how to log off all AnyConnect client sessions:
hostname# vpn-sessiondb logoff anyconnectThe next example shows how to log off all IPsec sessions:
hostname# vpn-sessiondb logoff protocol IPsecvpn-session-timeout
To configure a maximum amount of time allowed for VPN connections, use the vpn-session-timeout command in group-policy configuration mode or in username configuration mode. At the end of this period of time, the ASA terminates the connection. You can optionally extend the timeout alert-interval from the default one minute.
To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a time-out value from another group policy. To prevent inheriting a value, use the vpn-session-timeout none command.
vpn-session-timeout {minutes | none} [alert-interval minutes]
no vpn-session-timeout
no vpn-session-timeout alert-interval
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Username configuration
•
—
•
—
—
Command History
Examples
The following example shows how to set a VPN session timeout of 180 minutes for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# vpn-session-timeout 180Related Commands
vpn-simultaneous-logins
To configure the number of simultaneous logins permitted for a user, use the vpn-simultaneous-logins command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy. Enter 0 to disable login and prevent user access.
vpn-simultaneous-logins {integer}
no vpn-simultaneous-logins
Syntax Description
Defaults
The default is 3 simultaneous logins.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Username configuration
•
—
•
—
—
Command History
Usage Guidelines
Enter 0 to disable login and prevent user access.
Note
Stale AnyConnect, IPsec Client, or Clientless sessions (sessions that are terminated abnormally) might remain in the session database, even though a "new" session has been established with the same username.
If the value of vpn-simultaneous-logins is 1, and the same user logs in again after an abnormal termination, then the stale session is removed from the database and the new session is established. If, however, the existing session is still an active connection and the same user logs in again, perhaps from another PC, the first session is logged off and removed from the database, and the new session is established.
If the number of simultaneous logins is a value greater than 1, then, when you have reached that maximum number and try to log in again, the session with the longest idle time is logged off. If all current sessions have been idle an equally long time, then the oldest session is logged off. This action frees up a session and allows the new login.
Examples
The following example shows how to allow a maximum of 4 simultaneous logins for the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#vpn-simultaneous-logins 4vpn-tunnel-protocol
To configure a VPN tunnel type (IPsec with IKEv1 or IKEv2, L2TP over IPsec, SSL, or clientless SSL), use the vpn-tunnel-protocol command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpn-tunnel-protocol {ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless}
no vpn-tunnel-protocol {ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless}
Syntax Description
Defaults
The default is IPsec.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Username configuration
•
—
•
—
—
Command History
Usage Guidelines
Use this command to configure one or more tunneling modes. You must configure at least one tunneling mode for users to connect over a VPN tunnel.
Note
Examples
The following example shows how to configure WebVPN and IPsec tunneling modes for the group policy named "FirstGroup":
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#vpn-tunnel-protocol webvpnhostname(config-group-policy)#vpn-tunnel-protocol IPsecRelated Commands
vpnclient connect
To attempt to establish an Easy VPN Remote connection to the configured server or servers, use the vpnclient connect command in global configuration mode.
vpnclient connect
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA 5505.
Examples
The following example shows how to attempt to establish an Easy VPN Remote connection to a configured EasyVPN server:
hostname(config)#vpnclient connecthostname(config)#vpnclient enable
To enable the Easy VPN Remote feature, use the vpnclient enable command in global configuration mode. To disable the Easy VPN Remote feature, use the no form of this command:
vpnclient enable
no vpnclient enable
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA 5505.
If you enter the vpnclient enable command, the ASA 5505 functions as a Easy VPN hardware client (also called "Easy VPN Remote").
Examples
The following example shows how to enable the Easy VPN Remote feature:
hostname(config)#vpnclient enablehostname(config)#The following example shows how to disable the Easy VPN Remote feature:
hostname(config)#no vpnclient enablehostname(config)#vpnclient ipsec-over-tcp
To configure the ASA 5505 running as an Easy VPN hardware client to use TCP-encapsulated IPsec, use the vpnclient ipsec-over-tcp command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient ipsec-over-tcp [port tcp_port]
no vpnclient ipsec-over-tcp
Syntax Description
port
(Optional) Specifies the use of a particular port.
tcp_port
(Required if you specify the keyword port.) Specifies the TCP port number to be used for a TCP-encapsulated IPsec tunnel.
Defaults
The Easy VPN Remote connection uses port 10000 if the command does not specify a port number.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA 5505 running as an Easy VPN hardware client (also called "Easy VPN Remote").
By default, the Easy VPN client and server encapsulate IPsec in User Datagram Protocol (UDP) packets. Some environments, such as those with certain firewall rules, or NAT and PAT devices, prohibit UDP. To use standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) in such environments, you must configure the client and the server to encapsulate IPsec within TCP packets to enable secure tunneling. If your environment allows UDP, however, configuring IPsec over TCP adds unnecessary overhead.
If you configure an ASA 5505 to use TCP-encapsulated IPsec, enter the following command to let it send large packets over the outside interface:
hostname(config)# crypto ipsec df-bit clear-df outsidehostname(config)#This command clears the Don't Fragment (DF) bit from the encapsulated header. A DF bit is a bit within the IP header that determines whether the packet can be fragmented. This command lets the Easy VPN hardware client send packets that are larger than the MTU size.
Examples
The following example shows how to configure the Easy VPN hardware client to use TCP-encapsulated IPsec, using the default port 10000, and to let it send large packets over the outside interface:
hostname(config)#vpnclient ipsec-over-tcphostname(config)# crypto ipsec df-bit clear-df outsidehostname(config)#The next example shows how to configure the Easy VPN hardware client to use TCP-encapsulated IPsec, using the port 10501, and to let it send large packets over the outside interface:
hostname(config)#vpnclient ipsec-over-tcp port 10501hostname(config)# crypto ipsec df-bit clear-df outsidehostname(config)#vpnclient mac-exempt
To exempt devices behind an Easy VPN Remote connection from individual user authentication requirements, use the vpnclient mac-exempt command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient mac-exempt mac_addr_1 mac_mask_1 [mac_addr_2 mac_mask_2...mac_addr_n mac_mask_n]
no vpnclient mac-exempt
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA 5505.
Devices such as Cisco IP phones, wireless access points, and printers are incapable of performing authentication, and therefore do not authenticate when individual unit authentication is enabled. If individual user authentication is enabled, you can use this command to exempt such devices from authentication. The exemption of devices from individual user authentication is also called "device pass-through."
The format for specifying the MAC address and mask in this command uses three hex digits, separated by periods; for example, the MAC mask ffff.ffff.ffff matches just the specified MAC address. A MAC mask of all zeroes matches no MAC address, and a MAC mask of ffff.ff00.0000 matches all devices made by the same manufacturer.
Note
hostname(config-group-policy)# user-authentication enable
hostname(config-group-policy)# ip-phone-bypass enableExamples
Cisco IP phones have the Manufacturer ID 00036b, so the following command exempts any Cisco IP phone, including Cisco IP phones, you might add in the future:
hostname(config)#vpnclient mac-exempt 0003.6b00.0000 ffff.ff00.0000hostname(config)#The next example provides greater security but less flexibility because it exempts one specific Cisco IP phone:
hostname(config)#vpnclient mac-exempt 0003.6b54.b213 ffff.ffff.ffffhostname(config)#vpnclient management
To generate IPsec tunnels for management access to the Easy VPN hardware client, use the vpnclient management command in global configuration mode.
vpnclient management tunnel ip_addr_1 ip_mask_1 [ip_addr_2 ip_mask_2...ip_addr_n ip_mask_n]
vpnclient management clear
To remove the attribute from the running configuration, use the no form of this command, which sets up IPsec tunnels exclusively for management in accordance with the split-tunnel-policy and split-tunnel-network-list commands.
no vpnclient management
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA 5505 running as an Easy VPN Client (also called "Easy VPN Remote"). It assumes the ASA 5505 configuration contains the following commands:
vpnclient server to specify the peer.
vpnclient mode to specify the client mode (PAT) or network extension mode.
One of the following:
•
•
vpnclient enable to enable the ASA 5505 as an Easy VPN Client.
Note
Note
Examples
The following example shows how to generate an IPsec tunnel from the outside interface of the ASA 5505 to the host with the IP address/mask combination 192.168.10.10 255.255.255.0:
hostname(config)#vpnclient management tunnel 192.168.10.0 255.255.255.0hostname(config)#The following example shows how to provide management access to the outside interface of the ASA 5505 without using IPsec:
hostname(config)# vpnclient management clearhostname(config)#vpnclient mode
To configure the Easy VPN Remote connection for either client mode or network extension mode, use the vpnclient mode command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient mode {client-mode | network-extension-mode}
no vpnclient mode
Syntax Description
client-mode
Configures the Easy VPN Remote connection to use client mode (PAT).
network-extension-mode
Configures the Easy VPN Remote connection to use network extension mode (NEM).
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA 5505 running as an Easy VPN Client (also called "Easy VPN Remote). The Easy VPN Client supports one of two modes of operation: client mode or NEM. The mode of operation determines whether the inside hosts, relative to the Easy VPN Client, are accessible from the Enterprise network over the tunnel. Specifying a mode of operation is mandatory before making a connection because Easy VPN Client does not have a default mode.
•
•
Note
Examples
The following example shows how to configure an Easy VPN Remote connection for client mode:
hostname(config)#vpnclient mode client-modehostname(config)#The following example shows how to configure an Easy VPN Remote connection for NEM:
hostname(config)#vpnclient mode network-extension-modehostname(config)#vpnclient nem-st-autoconnect
To configure the Easy VPN Remote connection to automatically initiate IPsec data tunnels when NEM and split tunneling are configured, use the vpnclient nem-st-autoconnect command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient nem-st-autoconnect
no vpnclient nem-st-autoconnect
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA 5505 running as an Easy VPN Client (also called "Easy VPN Remote").
Before entering the vpnclient nem-st-autoconnect command, ensure that network extension mode is enabled for the hardware client. Network extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPsec encapsulates all traffic from the private network behind the hardware client to networks behind the ASA. PAT does not apply. Therefore, devices behind the ASA have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel. After the tunnel is up, either side can initiate data exchange.
Note
IPsec data tunnels are automatically initiated and sustained when in network extension mode, except when split-tunneling is configured.
Examples
The following example shows how to configure an Easy VPN Remote connection to automatically connect in network extension mode with split-tunneling configured. Network extension mode is enabled for the group policy FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)# nem enablehostname(config)#vpnclient nem-st-autoconnecthostname(config)#Related Commands
vpnclient server-certificate
To configure the Easy VPN Remote connection to accept only connections to Easy VPN servers with the specific certificates specified by the certificate map, use the vpnclient server-certificate command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient server-certificate certmap_name
no vpnclient server-certificate
Syntax Description
certmap_name
Specifies the name of a certificate map that specifies the acceptable Easy VPN server certificate. The maximum length is 64 characters.
Defaults
Easy VPN server certificate filtering is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA model 5505.
Use this command to enable Easy VPN server certificate filtering. You define the certificate map itself using the crypto ca certificate map and crypto ca certificate chain commands.
Examples
The following example shows how to configure an Easy VPN Remote connection to support only connections to Easy VPN servers with the certificate map name homeservers:
hostname(config)#vpnclient server-certificate homeservershostname(config)#Related Commands
certificate
Adds the indicated certificate.
vpnclient trustpoint
Configures the RSA identity certificate to be used by the Easy VPN Remote connection.
vpnclient server
To configure the primary and secondary IPsec servers, for the Easy VPN Remote connection, use the vpnclient server command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient server ip_primary_address [ip_secondary_address_1 ... ipsecondary_address_10]
no vpnclient server
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA model 5505.
A server must be configured before a connection can be established. The vpnclient server command supports IPv4 addresses, the names database, or DNS names and resolves addresses in that order.
You can use either the IP address or the hostname of a server.
Examples
The following example associates the name headend-1 with the address 10.10.10.10 and uses the vpnclient server command to specify three servers: headend-dns.example.com (primary), headend-1 (secondary), and 192.168.10.10 (secondary):
hostname(config)#nameshostname(config)# 10.10.10.10 headend-1hostname(config)# vpnclient server headend-dns.example.com headend-1 192.168.10.10hostname(config)#The following example shows how to configure a VPN client primary IPsec server with the IP address 10.10.10.15 and secondary servers with the IP addresses 10.10.10.30 and 192.168.10.45.
hostname(config)#vpnclient server 10.10.10.15 10.10.10.30 192.168.10.10hostname(config)#vpnclient trustpoint
To configure the RSA identity certificate to be used by the Easy VPN Remote connection, use the vpnclient trustpoint command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient trustpoint trustpoint_name [chain]
no vpnclient trustpoint
Syntax Description
chain
Sends the entire certificate chain.
trustpoint_name
Specifies the name of a trustpoint identifying the RSA certificate to use for authentication.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA model 5505 and only when using digital certificates.
Define the trustpoint using the crypto ca trustpoint command. A trustpoint represents a CA identity and possibly a device identity, based on a certificate issued by the CA. The commands within the trustpoint sub mode control CA-specific configuration parameters which specify how the ASA obtains the CA certificate, how the ASA obtains its certificate from the CA, and the authentication policies for user certificates issued by the CA.
Examples
The following example shows how to configure an Easy VPN Remote connection to use the specific identity certificate named central and to send the entire certificate chain:
hostname(config)# crypto ca trustpoint centralhostname(config)#vpnclient trustpoint central chainhostname(config)#Related Commands
crypto ca trustpoint
Enters the trustpoint submode for the specified trustpoint and manages trustpoint information.
vpnclient username
To configure the VPN username and password for the Easy VPN Remote connection, use the vpnclient username command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient username xauth_username password xauth password
no vpnclient username
Syntax Description
xauth_password
Specifies the password to use for XAUTH. The maximum length is 64 characters.
xauth_username
Specifies the username to use for XAUTH. The maximum length is 64 characters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA 5505.
The XAUTH username and password parameters are used when secure unit authentication is disabled and the server requests XAUTH credentials. If secure unit authentication is enabled, these parameters are ignored, and the ASA prompts the user for a username and password.
Examples
The following example shows how to configure the Easy VPN Remote connection to use the XAUTH username testuser and the password ppurkm1:
hostname(config)#vpnclient username testuser password ppurkm1hostname(config)#vpnclient vpngroup
To configure the VPN tunnel group name and password for the Easy VPN Remote connection, use the vpnclient vpngroup command in global configuration mode. To remove the attribute from the running configuration, use the no form of this command.
vpnclient vpngroup group_name password preshared_key
no vpnclient vpngroup
Syntax Description
Defaults
If the configuration of the ASA 5505 running as an Easy VPN client does not specify a tunnel group, the client attempts to use an RSA certificate.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to the ASA 5505 running as an Easy VPN client (also called "Easy VPN Remote").
Use the pre-shared key as the password. You must configure a server before establishing a connection.
Examples
The following example shows how to configure an Easy VPN Remote connectionwith a VPN tunnel group with the group name TestGroup1 and the password my_key123.
hostname(config)#vpnclient vpngroup TestGroup1 password my_key123hostname(config)#Related Commands
vpnclient trustpoint
Configures the RSA identity certificate to be used by the Easy VPN connection.
vpnsetup
To display a list of steps for configuring VPN connections on the ASA, use the vpnsetup command from global configuration mode.
vpnsetup {ipsec-remote-access | l2tp-remote-access | site-to-site | ssl-remote-access} steps
Syntax Description
Defaults
This command has no default settings
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
8.0(3)
This command was introduced.
9.0(1)
Support for multiple context mode was added for site-to-site connections.
Examples
The following example shows the output of the vpnsetup ssl-remote-access steps command:
hostname(config-t)# vpnsetup ssl-remote-access stepsSteps to configure a remote access SSL VPN remote access connection and AnyConnect with examples:1. Configure and enable interfaceinterface GigabitEthernet0/0ip address 10.10.4.200 255.255.255.0nameif outsideno shutdowninterface GigabitEthernet0/1ip address 192.168.0.20 255.255.255.0nameif insideno shutdown2. Enable WebVPN on the interfacewebvpnenable outside3. Configure default routeroute outside 0.0.0.0 0.0.0.0 10.10.4.2004. Configure AAA authentication and tunnel grouptunnel-group DefaultWEBVPNGroup type remote-accesstunnel-group DefaultWEBVPNGroup general-attributesauthentication-server-group LOCAL5. If using LOCAL database, add users to the Databaseusername test password t3stP@ssw0rdusername test attributesservice-type remote-accessProceed to configure AnyConnect VPN client:6. Point the ASA to an AnyConnect imagewebvpnsvc image anyconnect-win-2.1.0148-k9.pkg7. enable AnyConnectsvc enable8. Add an address pool to assign an ip address to the AnyConnect clientip local pool client-pool 192.168.1.1-192.168.1.254 mask 255.255.255.09. Configure group policygroup-policy DfltGrpPolicy internalgroup-policy DfltGrpPolicy attributesvpn-tunnel-protocol svc webvpnhostname(config-t)#Related Commands
