ad - aq

ad-agent-mode

To enable AD Agent mode so that you can configure the Active Directory Agent for the Cisco Identity Firewall instance, use the ad-agent-mode command in global configuration mode.

ad-agent-mode

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

Command History

Release

Modification

8.4(2)

This command was added.

Usage Guidelines

To configure the Active Directory Agent for the Identity Firewall, you must enter the ad-agent-mode command, which is a submode of the aaa-server command. Entering the ad-agent-mode command enters the aaa server group configuration mode.

Periodically or on demand, the AD Agent monitors the Active Directory server security event log via WMI for user login and logoff events. The AD Agent maintains a cache of user ID to IP address mappings and notifies the ASA of changes.

Configure the primary and secondary AD Agents for the AD Agent Server Group. When the ASA detects that the primary AD Agent is not responding and a secondary agent is specified, the ASA switches to the secondary AD Agent. The Active Directory server for the AD agent uses RADIUS as the communication protocol; therefore, you should specify a key attribute for the shared secret between the ASA and AD Agent.

Examples

The following example shows how to enable ad-agent-mode while configuring the Active Directory Agent for the Identity Firewall:


ciscoasa(config)# aaa-server adagent protocol radius
ciscoasa(config)# ad-agent-mode
ciscoasa(config-aaa-server-group)# aaa-server adagent (inside) host 192.168.1.101
ciscoasa(config-aaa-server-host)# key mysecret
ciscoasa(config-aaa-server-host)# user-identity ad-agent aaa-server adagent
ciscoasa(config-aaa-server-host)# test aaa-server ad-agent

address (dynamic-filter blacklist, whitelist)

To add an IP address to the Botnet Traffic Filter blacklist or whitelist, use the address command in dynamic-filter blacklist or whitelist configuration mode. To remove the address, use the no form of this command.

address ip_address mask

no address ip_address mask

Syntax Description

ip_address

Adds an IP address to the blacklist.

mask

Defines the subnet mask for the IP address. The mask can be for a single host or for a subnet.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Dynamic-filter blacklist or whitelist configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.2(1)

This command was added.

Usage Guidelines

The static database lets you augment the dynamic database with domain names or IP addresses that you want to whitelist or blacklist. After you enter the dynamic-filter whitelist or blacklist configuration mode, you can manually enter domain names or IP addresses (host or subnet) that you want to tag as good names in a whitelist or bad names in a blacklist using the address and name commands.

You can enter this command multiple times for multiple entries. You can add up to 1000 blacklist and 1000 whitelist entries.

Examples

The following example creates entries for the blacklist and whitelist:


ciscoasa(config)# dynamic-filter blacklist
ciscoasa(config-llist)# name bad1.example.com
ciscoasa(config-llist)# name bad2.example.com
ciscoasa(config-llist)# address 10.1.1.1 255.255.255.0
ciscoasa(config-llist)# dynamic-filter whitelist
ciscoasa(config-llist)# name good.example.com
ciscoasa(config-llist)# name great.example.com
ciscoasa(config-llist)# name awesome.example.com
ciscoasa(config-llist)# address 10.1.1.2 255.255.255.255
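As an added example (not code from the Cisco reference), the following Python script parses the blacklist and whitelist blocks out of a saved configuration and checks them against the rules above: the 1000-entry limit per list, duplicate names, and entries that appear in both lists or whose address ranges overlap. The sample configuration is constructed from the CLI example above; note that address 10.1.1.1 with mask 255.255.255.0 denotes the 10.1.1.0/24 subnet, which overlaps the whitelisted host 10.1.1.2.

```python
import ipaddress
import re

# Constructed sample, modelled on the CLI example above; not a real device configuration.
SAMPLE_CONFIG = """\
dynamic-filter blacklist
 name bad1.example.com
 name bad2.example.com
 address 10.1.1.1 255.255.255.0
dynamic-filter whitelist
 name good.example.com
 name great.example.com
 name awesome.example.com
 address 10.1.1.2 255.255.255.255
"""

MAX_ENTRIES = 1000  # per-list limit from the usage guidelines


def parse_static_lists(config):
    """Parse dynamic-filter blacklist/whitelist blocks out of an ASA configuration.

    Returns {'blacklist': {'names': [...], 'addresses': [IPv4Network, ...]},
             'whitelist': {...}}.  Lines outside those two sub-modes are ignored.
    """
    lists = {"blacklist": {"names": [], "addresses": []},
             "whitelist": {"names": [], "addresses": []}}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^dynamic-filter (blacklist|whitelist)$", line)
        if m:
            current = m.group(1)
            continue
        if current is None or not line:
            continue
        if line.startswith("name "):
            lists[current]["names"].append(line.split(None, 1)[1])
        elif line.startswith("address "):
            _, ip, mask = line.split()
            # strict=False: 'address 10.1.1.1 255.255.255.0' denotes the subnet 10.1.1.0/24
            lists[current]["addresses"].append(
                ipaddress.ip_network(f"{ip}/{mask}", strict=False))
        else:
            current = None  # any other command leaves the sub-mode
    return lists


def lint_static_lists(lists):
    """Return a list of findings (empty when the static database looks consistent)."""
    findings = []
    for kind, entries in lists.items():
        total = len(entries["names"]) + len(entries["addresses"])
        if total > MAX_ENTRIES:
            findings.append(f"{kind}: {total} entries exceed the {MAX_ENTRIES}-entry limit")
        seen = set()
        for n in entries["names"]:
            if n in seen:
                findings.append(f"{kind}: duplicate name {n}")
            seen.add(n)
    # The same name, or overlapping addresses, in both lists is a policy conflict to review.
    for n in sorted(set(lists["blacklist"]["names"]) & set(lists["whitelist"]["names"])):
        findings.append(f"name {n} appears in both blacklist and whitelist")
    for b in lists["blacklist"]["addresses"]:
        for w in lists["whitelist"]["addresses"]:
            if b.overlaps(w):
                findings.append(f"blacklist {b} overlaps whitelist {w}")
    return findings


if __name__ == "__main__":
    for finding in lint_static_lists(parse_static_lists(SAMPLE_CONFIG)):
        print(finding)
```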

address (media-termination) (Deprecated)

To specify the address for a media termination instance to use for media connections to the Phone Proxy feature, use the address command in the media-termination configuration mode. To remove the address from the media termination configuration, use the no form of this command.

address ip_address [ interface intf_name ]

no address ip_address [ interface intf_name ]

Syntax Description

interface intf_name

Specifies the name of the interface for which the media termination address is used. Only one media-termination address can be configured per interface.

ip_address

Specifies the IP address to use for the media termination instance.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Media-termination configuration

  • Yes

  • Yes

Command History

Release

Modification

8.2(1)

This command was added.

9.4(1)

This command was deprecated along with all phone-proxy and uc-ime commands.

Usage Guidelines

The ASA must have IP addresses for media termination that meet the following criteria:

  • For the media termination instance, you can configure a global media-termination address for all interfaces or configure a media-termination address for different interfaces. However, you cannot use a global media-termination address and media-termination addresses configured for each interface at the same time.

  • If you configure a media termination address for multiple interfaces, you must configure an address on each interface that the ASA uses when communicating with IP phones.

  • The IP addresses are publicly routable addresses that are unused IP addresses within the address range on that interface.

Examples

The following example shows the use of the media-termination address command to specify the IP address to use for media connections:


ciscoasa(config)# media-termination mediaterm1
ciscoasa(config-media-termination)# address 192.0.2.25 interface inside
ciscoasa(config-media-termination)# address 10.10.0.25 interface outside

address-family ipv4

To enter address family configuration mode and configure a routing session that uses standard IP Version 4 (IPv4) address prefixes, use the address-family ipv4 command in router configuration mode. To exit address family configuration mode and remove the IPv4 address family configuration from the running configuration, use the no form of this command.

address-family ipv4

no address-family ipv4

Command Default

IPv4 address prefixes are not enabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Router mode configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.2(1)

This command was added.

Usage Guidelines

The address-family ipv4 command places the context router in address family configuration mode, from which you can configure routing sessions that use standard IPv4 address prefixes. To leave address family configuration mode and return to router configuration mode, type exit.


Note


Routing information for address family IPv4 is advertised by default for each BGP routing session configured with the neighbor remote-as command unless you enter the no bgp default ipv4-unicast command before configuring the neighbor remote-as command.

Examples

The following example places the router in address family configuration mode for the IPv4 address family:


ciscoasa(config)# router bgp 5000
ciscoasa(config-router)# address-family ipv4
ciscoasa(config-router-af)# 

address-family ipv6

To enter address family configuration mode and configure a routing session, such as BGP, that uses standard IP Version 6 (IPv6) address prefixes, use the address-family ipv6 command in router configuration mode. To exit address family configuration mode and remove the IPv6 address family configuration from the running configuration, use the no form of this command.

address-family ipv6 [ unicast ]

no address-family ipv6

Syntax Description

unicast

(Optional) Specifies IPv6 unicast address prefixes.

Command Default

IPv6 address prefixes are not enabled. Unicast address prefixes are the default when IPv6 address prefixes are configured.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Router mode configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.3(2)

This command was added.

Usage Guidelines

The address-family ipv6 command places the context router in address family configuration mode, from which you can configure routing sessions that use standard IPv6 address prefixes. To leave address family configuration mode and return to router configuration mode, type exit.

Examples

The following example places the router in address family configuration mode for the IPv6 address family:


ciscoasa(config)# router bgp 5000
ciscoasa(config-router)# address-family ipv6
ciscoasa(config-router-af)# 

address-pool

To specify a list of address pools for allocating addresses to remote clients, use the address-pool command in tunnel-group general-attributes configuration mode. To eliminate address pools, use the no form of this command.

address-pool [ ( interface name ) ] address_pool1 [ ...address_pool6 ]

no address-pool [ ( interface name ) ] address_pool1 [ ...address_pool6 ]

Syntax Description

address_pool

Specifies the name of the address pool configured with the ip local pool command. You can specify up to 6 local address pools.

interface name

(Optional) Specifies the interface to be used for the address pool.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Tunnel-group general-attributes configuration

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

You can enter multiples of each of these commands, one per interface. If an interface is not specified, then the command specifies the default for all interfaces that are not explicitly referenced.

The address-pools settings in the group-policy address-pools command override the local pool settings in the tunnel group address-pool command.

The order in which you specify the pools is significant. The ASA allocates addresses from these pools in the order in which the pools appear in this command.

Examples

The following example, entered in tunnel-group general-attributes configuration mode, specifies a list of address pools for allocating addresses to remote clients for the IPsec remote-access tunnel group named test:


ciscoasa(config)# tunnel-group test type remote-access
ciscoasa(config)# tunnel-group test general
ciscoasa(config-tunnel-general)# address-pool (inside) addrpool1 addrpool2 addrpool3
ciscoasa(config-tunnel-general)# 

address-pools

To specify a list of address pools for allocating addresses to remote clients, use the address-pools command in group-policy attributes configuration mode. To remove the attribute from the group policy and enable inheritance from other sources of group policy, use the no form of this command.

address-pools value address_pool1 [ ...address_pool6 ]

no address-pools value address_pool1 [ ...address_pool6 ]

address-pools none

no address-pools none

Syntax Description

address_pool

Specifies the name of the address pool configured with the ip local pool command. You can specify up to 6 local address pools.

none

Specifies that no address pools are configured and disables inheritance from other sources of group policy.

value

Specifies a list of up to 6 address pools from which to assign addresses.

Command Default

By default, the address pool attribute allows inheritance.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Group-policy attributes configuration

  • Yes

  • Yes

Command History

Release

Modification

7.2(1)

This command was added.

Usage Guidelines

The address pools settings in this command override the local pool settings in the group. You can specify a list of up to six local address pools to use for local address allocation.

The order in which you specify the pools is significant. The ASA allocates addresses from these pools in the order in which the pools appear in this command.

The address-pools none command prevents this attribute from being inherited from other sources of policy, such as the DefaultGrpPolicy. The no address-pools none command removes the address-pools none command from the configuration, restoring the default value, which is to allow inheritance.

Examples

The following example, entered in group-policy attributes configuration mode, configures pool_1 and pool_20 as the list of address pools to use for allocating addresses to remote clients for GroupPolicy1:


ciscoasa(config)# ip local pool pool_1 192.168.10.1-192.168.10.100 mask 255.255.0.0
ciscoasa(config)# ip local pool pool_20 192.168.20.1-192.168.20.200 mask 255.255.0.0
ciscoasa(config)# group-policy GroupPolicy1 attributes
ciscoasa(config-group-policy)# address-pools value pool_1 pool_20
ciscoasa(config-group-policy)# 

admin-context

To set the admin context for the system configuration, use the admin-context command in global configuration mode.

admin-context name

Syntax Description

name

Sets the name as a string up to 32 characters long. If you have not defined any contexts yet, then first specify the admin context name with this command. Then, the first context you add using the context command must be the specified admin context name.

This name is case sensitive, so you can have two contexts named “customerA” and “CustomerA,” for example. You can use letters, digits, or hyphens, but you cannot start or end the name with a hyphen.

“System” or “Null” (in upper or lowercase letters) are reserved names, and cannot be used.

Command Default

For a new ASA in multiple context mode, the admin context is called “admin.”

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

You can set any context to be the admin context, as long as the context configuration resides on the internal Flash memory.

You cannot remove the current admin context, unless you remove all contexts using the clear configure context command.

The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the ASA software or allowing remote management for an administrator), it uses one of the contexts that is designated as the admin context.

Examples

The following example sets the admin context to be “administrator”:


ciscoasa(config)# admin-context administrator
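As an added example, not part of the Cisco reference, this Python model enforces the naming and ordering rules described above: the name syntax and reserved names, the requirement that the first context added be the admin context, and the rule that the current admin context cannot be removed on its own. The SystemConfig class and its method names are constructed for illustration.

```python
import re

# Reserved names, matched case-insensitively ("System"/"Null" in upper or lower case).
RESERVED_NAMES = {"system", "null"}
# 1 to 32 letters, digits or hyphens; the first and last character must not be a hyphen.
NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,30}[A-Za-z0-9])?$")


def validate_context_name(name):
    """Return None when the name is acceptable, otherwise a description of the problem."""
    if not NAME_RE.match(name):
        return "name must be 1-32 letters, digits or hyphens and cannot start or end with a hyphen"
    if name.lower() in RESERVED_NAMES:
        return f"{name!r} is a reserved name"
    return None


class SystemConfig:
    """Constructed model of the system configuration's admin-context bookkeeping."""

    def __init__(self):
        self.admin_context = None
        self.contexts = []  # context names in creation order; comparisons are case-sensitive

    def set_admin_context(self, name):
        """'admin-context name': returns None on success or an error string."""
        err = validate_context_name(name)
        if err:
            return err
        self.admin_context = name
        return None

    def add_context(self, name):
        """'context name': the first context created must be the admin context."""
        err = validate_context_name(name)
        if err:
            return err
        if name in self.contexts:
            return f"context {name!r} already exists"
        if not self.contexts:
            if self.admin_context is None:
                return "specify the admin context with admin-context before adding contexts"
            if name != self.admin_context:
                return f"first context must be the admin context {self.admin_context!r}"
        self.contexts.append(name)
        return None

    def remove_context(self, name):
        """Removing a single context: the current admin context cannot be removed this way."""
        if name == self.admin_context:
            return "cannot remove the current admin context; use clear configure context"
        if name not in self.contexts:
            return f"context {name!r} does not exist"
        self.contexts.remove(name)
        return None

    def clear_contexts(self):
        """'clear configure context': removes every context, the admin context included."""
        self.contexts = []
```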

advertise passive-only

To configure IS-IS to advertise only prefixes that belong to passive interfaces, use the advertise passive-only command in router isis configuration mode. To remove the restriction, use the no form of this command.

advertise passive-only

no advertise passive-only

Syntax Description

This command has no arguments or keywords.

Command Default

This command has no default behavior.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Router isis configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.6(1)

This command was added.

Usage Guidelines

This command is an IS-IS mechanism to exclude IP prefixes of connected networks from link-state packet (LSP) advertisements, thereby reducing IS-IS convergence time.

Configuring this command per IS-IS instance is a scalable solution to reduce IS-IS convergence time because fewer prefixes will be advertised in the router nonpseudonode LSP.

This command relies on the fact that when enabling IS-IS on a loopback interface, you usually configure the loopback as passive (to prevent sending unnecessary hello packets out through it because there is no chance of finding a neighbor behind it). Thus, if you want to advertise only the loopback and if it has already been configured as passive, configuring the advertise passive-only command per IS-IS instance would prevent the overpopulation of the routing tables.

An alternative to this command is the no isis advertise-prefix command. The no isis advertise-prefix command is a small-scale solution because it is configured per interface.

Examples

The following example uses the advertise passive-only command, which affects the IS-IS instance, and thereby prevents advertising the IP network of Ethernet interface 0. Only the IP address of loopback interface 0 is advertised.


!
interface GigabitEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 router isis
!
interface GigabitEthernet0/1
 ip address 171.1.1.1 255.255.255.0
 router isis
!
router isis
 passive-interface outside
 net 47.0004.004d.0001.0001.0c11.1111.00
 advertise passive-only
 log-adjacency-changes
!

aggregate-address

To create an aggregate entry in a Border Gateway Protocol (BGP) database, use the aggregate-address command in address family configuration mode. To disable this function, use the no form of this command.

aggregate-address address mask [ as-set ] [ summary-only ] [ suppress-map map-name ] [ advertise-map map-name ] [ attribute-map map-name ]

no aggregate-address address mask [ as-set ] [ summary-only ] [ suppress-map map-name ] [ advertise-map map-name ] [ attribute-map map-name ]

Syntax Description

address

Aggregate address.

mask

Aggregate mask.

as-set

(Optional) Generates autonomous system set path information.

summary-only

(Optional) Filters all more-specific routes from updates.

suppress-map map-name

(Optional) Specifies the name of the route map used to select the routes to be suppressed.

advertise-map map-name

(Optional) Specifies the name of the route map used to select the routes to create AS_SET origin communities.

attribute-map map-name

(Optional) Specifies the name of the route map used to set the attribute of the aggregate route.

Command Default

The atomic aggregate attribute is set automatically when an aggregate route is created with this command unless the as-set keyword is specified.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Context configuration, Address family configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.2(1)

This command was added.

9.3(2)

This command was modified to be supported in the address-family ipv6 submode.

Usage Guidelines

You can implement aggregate routing in BGP and Multiprotocol BGP (mBGP) either by redistributing an aggregate route into BGP or mBGP, or by using the conditional aggregate routing feature.

Using the aggregate-address command with no keywords will create an aggregate entry in the BGP or mBGP routing table if any more-specific BGP or mBGP routes are available that fall within the specified range. (A longer prefix that matches the aggregate must exist in the Routing Information Base (RIB).) The aggregate route will be advertised as coming from your autonomous system and will have the atomic aggregate attribute set to show that information might be missing. (By default, the atomic aggregate attribute is set unless you specify the as-set keyword.)

Using the as-set keyword creates an aggregate entry using the same rules that the command follows without this keyword, but the path advertised for this route will be an AS_SET consisting of all elements contained in all paths that are being summarized. Do not use this form of the aggregate-address command when aggregating many paths, because this route must be continually withdrawn and updated as autonomous system path reachability information for the summarized routes changes.

Using the summary-only keyword not only creates the aggregate route (for example, 192.*.*.*) but also suppresses advertisements of more-specific routes to all neighbors. If you want to suppress only advertisements to certain neighbors, you may use the neighbor distribute-list command, with caution. If a more-specific route leaks out, all BGP or mBGP routers will prefer that route over the less-specific aggregate you are generating (using longest-match routing).

Using the suppress-map keyword creates the aggregate route but suppresses advertisement of specified routes. You can use the match clauses of route maps to selectively suppress some more-specific routes of the aggregate and leave others unsuppressed. IP access lists and autonomous system path access lists match clauses are supported.

Using the advertise-map keyword selects specific routes that will be used to build different components of the aggregate route, such as AS_SET or community. This form of the aggregate-address command is useful when the components of an aggregate are in separate autonomous systems and you want to create an aggregate with AS_SET, and advertise it back to some of the same autonomous systems. You must remember to omit the specific autonomous system numbers from the AS_SET to prevent the aggregate from being dropped by the BGP loop detection mechanism at the receiving router. IP access lists and autonomous system path access lists match clauses are supported.

Using the attribute-map keyword allows attributes of the aggregate route to be changed. This form of the aggregate-address command is useful when one of the routes forming the AS_SET is configured with an attribute such as the community no-export attribute, which would prevent the aggregate route from being exported. An attribute map route map can be created to change the aggregate attributes.

Examples

The following example creates an aggregate route and suppresses advertisements of more specific routes to all neighbors.


ciscoasa(config)# router bgp 5000
ciscoasa(config-router)# address-family ipv4
ciscoasa(config-router-af)# aggregate-address 10.0.0.0 255.0.0.0 summary-only
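As an added illustration, not code from the Cisco reference, this Python model applies the usage guidelines above to a constructed RIB: the aggregate exists only when a more-specific route falls in range, as-set builds the AS_SET from every summarized path and leaves the atomic aggregate attribute clear, summary-only suppresses the more-specifics, and two helpers show why a leaked more-specific route wins on longest match and why an AS_SET that still contains the receiver's AS number is dropped by loop detection. The Route class and the AS numbers are constructed; 5000 is the local AS from the example above.

```python
import ipaddress
from dataclasses import dataclass, field

LOCAL_AS = 5000  # 'router bgp 5000' in the CLI example above


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    as_path: list = field(default_factory=list)  # AS_SEQUENCE as learned from a neighbour
    as_set: frozenset = frozenset()              # AS_SET component (aggregates only)
    atomic_aggregate: bool = False


# Constructed sample RIB: two more-specifics inside 10.0.0.0/8 and one unrelated route.
SAMPLE_RIB = [
    Route(ipaddress.ip_network("10.1.0.0/16"), as_path=[65001]),
    Route(ipaddress.ip_network("10.2.0.0/16"), as_path=[65002, 65003]),
    Route(ipaddress.ip_network("192.0.2.0/24"), as_path=[65004]),
]


def aggregate_address(rib, address, mask, as_set=False, summary_only=False):
    """Model 'aggregate-address address mask [as-set] [summary-only]'.

    Returns (aggregate, advertised).  aggregate is None when no more-specific route
    falls inside the range; advertised is the list of routes that would be sent to
    neighbours after the command is applied.
    """
    agg_prefix = ipaddress.ip_network(f"{address}/{mask}")
    # Only routes strictly more specific than the aggregate count as covered.
    covered = [r for r in rib if r.prefix != agg_prefix and r.prefix.subnet_of(agg_prefix)]
    if not covered:
        return None, list(rib)
    if as_set:
        members = set()
        for r in covered:
            members.update(r.as_path)
            members.update(r.as_set)
        # as-set: the path carries every AS from every summarised path; atomic aggregate clear.
        agg = Route(agg_prefix, as_path=[], as_set=frozenset(members))
    else:
        # Default: locally originated aggregate, ATOMIC_AGGREGATE marks lost path detail.
        agg = Route(agg_prefix, as_path=[], atomic_aggregate=True)
    # summary-only suppresses the covered more-specifics; otherwise they stay advertised.
    advertised = [agg] + ([] if summary_only else covered)
    advertised += [r for r in rib if r not in covered]
    return agg, advertised


def loop_detected(route, receiving_as):
    """BGP loop detection at the receiver: the route is dropped if the receiver's own AS
    appears anywhere in the path, AS_SET included.  This is why the advertise-map guidance
    says to omit those AS numbers from the AS_SET."""
    return receiving_as in route.as_path or receiving_as in route.as_set


def best_match(routes, ip):
    """Longest-prefix match: a leaked more-specific route always beats the aggregate."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)
```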

alarm contact description

To enter a description for the alarm inputs in the ISA 3000, use the alarm contact description command in global configuration mode. To set the default description to the corresponding contact number, use the no form of this command.

alarm contact { 1 | 2 } description string

no alarm contact { 1 | 2 } description

Syntax Description

1 | 2

Specifies the alarm contact for which the description is configured. Enter 1 or 2.

string

Specifies the description. This may be up to 80 alphanumeric characters long, and will be included in syslog messages.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.7(1)

We introduced this command.

Examples

The following example specifies the description for the alarm contact 1:


ciscoasa(config)# alarm contact 1 description Door Open

alarm contact severity

To specify the severity of an alarm in the ISA 3000, use the alarm contact severity command in global configuration mode. To revert to the default severity, use the no form of this command.

alarm contact { 1 | 2 | all } severity { major | minor | none }

no alarm contact { 1 | 2 | all } severity

Syntax Description

{1 | 2 | all }

Specifies the alarm contact for which you are setting the severity. Enter 1, 2, or all.

severity {major | minor | none }

The severity of the alarm triggered by this alarm contact. Besides labeling the alarm with this severity, the severity controls the behavior of the LED associated with the contact.

  • major —The LED blinks red.

  • minor —The LED is solid red. This is the default.

  • none —The LED is off.

Command Default

By default, the severity is minor.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.7(1)

We introduced this command.

Examples

The following example specifies the severity for the alarm contact 1:


ciscoasa(config)# alarm contact 1 severity major

alarm contact trigger

To specify a trigger for one or all alarm inputs in the ISA 3000, use the alarm contact trigger command in global configuration mode. To revert to the default trigger, use the no form of this command.

alarm contact { 1 | 2 | all } trigger { open | closed }

no alarm contact { 1 | 2 | all } trigger

Syntax Description

{1 | 2 | all }

Specifies the alarm contact for which you are setting the trigger. Enter 1, 2, or all.

trigger {open | closed }

The trigger determines the electrical condition that signals an alert.

  • open —The normal condition for the contact is closed, that is, the electrical current is running through the contact. An alert is triggered if the contact becomes open, that is, the electrical current stops flowing.

  • closed —The normal condition for the contact is open, that is, the electrical current does not run through the contact. An alert is triggered if the contact becomes closed, that is, the electrical current starts running through the contact. This is the default.

Command Default

By default, the closed state is the trigger.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.7(1)

We introduced this command.

Examples

The following example sets the trigger for the alarm contact 1:


ciscoasa(config)# alarm contact 1 trigger open

alarm facility input-alarm

To specify the logging and notification options for alarm inputs in the ISA 3000, use the alarm facility input-alarm command in global configuration mode. To remove the logging and notification options, use the no form of this command.

alarm facility input-alarm { 1 | 2 } { notifies | relay | syslog }

no alarm facility input-alarm { 1 | 2 } { notifies | relay | syslog }

Syntax Description

{1 | 2 }

Specifies the alarm contact, 1 or 2.

notifies

Enables the transmission of SNMP traps when an alarm is triggered.

relay

Enables the hardware output relay when an alarm is triggered, which activates the attached external alarm.

syslog

Enables the transmission of syslog messages when an alarm is triggered and when the alarm condition ends.

Command Default

Syslog is enabled by default; the other options are disabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.7(1)

We introduced this command.

Examples

The following examples specify the logging and notification options for alarm input 1:


ciscoasa(config)# alarm facility input-alarm 1 notifies
ciscoasa(config)# alarm facility input-alarm 1 relay
ciscoasa(config)# alarm facility input-alarm 1 syslog

alarm facility power-supply rps

To configure power supply alarms in the ISA 3000, use the alarm facility power-supply rps command in global configuration mode. To disable the power supply alarm, relay, SNMP traps and syslog, use the alarm facility power-supply rps disable command or the no version.

alarm facility power-supply rps { disable | notifies | relay | syslog }

no alarm facility power-supply rps { disable | notifies | relay | syslog }

Syntax Description

disable

Disables the power supply alarm, relay, SNMP traps and syslog.

notifies

Enables the transmission of SNMP traps when an alarm is triggered.

relay

Enables the hardware output relay when an alarm is triggered, which activates the attached external alarm.

syslog

Enables the transmission of syslog messages when an alarm is triggered and when the alarm condition ends.

Command Default

By default, syslog is enabled, and relay and notifies are disabled. The alarm is enabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.7(1)

We introduced this command.

Usage Guidelines

The ISA 3000 has two power supplies. By default, the system operates in single-power mode. However, you can configure the system to operate in dual mode, where the second power supply automatically provides power if the primary power supply fails. When you enable dual-mode, the power supply alarm is automatically enabled to send syslog alerts, but you can disable the alert altogether, or also enable SNMP traps or the alarm hardware relay.

The alarm facility power-supply rps disable command disables the power supply alarm, relay, traps and syslog. Using the no alarm facility power-supply rps disable command enables only the power supply alarm. You must enable the relay, SNMP traps, and syslog separately.

You must also configure the power-supply dual command to enable dual mode. The alarm is automatically enabled in dual mode.

Examples

The following example enables dual power supply mode and configures all alert options.


ciscoasa(config)# power-supply dual
ciscoasa(config)# alarm facility power-supply rps relay
ciscoasa(config)# alarm facility power-supply rps syslog
ciscoasa(config)# alarm facility power-supply rps notifies

The following example disables the dual power supply alarm:


ciscoasa(config)# alarm facility power-supply rps disable

alarm facility temperature (actions)

To configure the temperature alarms in the ISA 3000, use the alarm facility temperature command in global configuration mode. To disable the temperature alarms, use the no form of the command.

alarm facility temperature { primary | secondary } { notifies | relay | syslog }

no alarm facility temperature { primary | secondary } { notifies | relay | syslog }

Syntax Description

primary

Configures the primary temperature alarm.

secondary

Configures the secondary temperature alarm.

notifies

Enables the transmission of SNMP traps when an alarm is triggered.

relay

Enables the hardware output relay when an alarm is triggered, which activates the attached external alarm.

syslog

Enables the transmission of syslog messages when an alarm is triggered and when the alarm condition ends.

Command Default

The primary temperature alarm is enabled for all alarm actions.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.7(1)

We introduced this command.

Usage Guidelines

You can configure alarms based on the temperature of the CPU card in the device.

You can set a primary and secondary temperature range using the alarm facility temperature command with the high and low keywords. If the temperature drops below the low threshold, or exceeds the high threshold, the alarm is triggered.

The primary temperature alarm is enabled by default for all alarm actions: output relay, syslog, and SNMP. The default primary temperature range is -40°C to 92°C.

The secondary temperature alarm is disabled by default. You can set the secondary temperature within the range -35°C to 85°C.

Because the secondary temperature range is more restrictive than the primary range, if you set either the secondary low or high temperature, that setting disables the corresponding primary setting, even if you configure non-default values for the primary setting. You cannot enable two separate high and two separate low temperature alarms.

Thus, in practice, you should configure the primary only, or the secondary only, setting for high and low.

Examples

The following example sets the high and low temperatures for the secondary alarm and enables all alert actions.


ciscoasa(config)# alarm facility temperature secondary low -20
 
ciscoasa(config)# alarm facility temperature secondary high 80
 
ciscoasa(config)# alarm facility temperature secondary notifies
 
ciscoasa(config)# alarm facility temperature secondary relay
 
ciscoasa(config)# alarm facility temperature secondary syslog

alarm facility temperature (high and low thresholds)

To configure the high and low temperature threshold values in the ISA 3000, use the alarm facility temperature command with the high or low keyword in global configuration mode. To remove the threshold values, or to revert the primary value to the default, use the no form of the command.

alarm facility temperature { primary | secondary } { high | low } threshold

no alarm facility temperature { primary | secondary } { high | low } threshold

Syntax Description

primary

Configures the primary temperature alarm.

secondary

Configures the secondary temperature alarm.

high threshold

Configures the high threshold in Celsius. The maximum for primary is 92. The maximum for secondary is 85.

low threshold

Configures the low threshold in Celsius. The minimum for primary is -40. The minimum for secondary is -35.

Command Default

The default primary high temperature is 92°C, the low is –40°C.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.7(1)

We introduced this command.

Usage Guidelines

You can configure alarms based on the temperature of the CPU card in the device.

You can set a primary and secondary temperature range using the alarm facility temperature command with the high and low keywords. If the temperature drops below the low threshold, or exceeds the high threshold, the alarm is triggered.

The primary temperature alarm is enabled by default for all alarm actions: output relay, syslog, and SNMP. The default primary temperature range is -40°C to 92°C.

The secondary temperature alarm is disabled by default. You can set the secondary temperature within the range -35°C to 85°C.

Because the secondary temperature range is more restrictive than the primary range, if you set either the secondary low or high temperature, that setting disables the corresponding primary setting, even if you configure non-default values for the primary setting. You cannot enable two separate high and two separate low temperature alarms.

Thus, in practice, you should configure the primary only, or the secondary only, setting for high and low.

Examples

The following example sets the high and low temperatures for the secondary alarm and enables all alert actions.


ciscoasa(config)# alarm facility temperature secondary low -20
 
ciscoasa(config)# alarm facility temperature secondary high 80
 
ciscoasa(config)# alarm facility temperature secondary notifies
 
ciscoasa(config)# alarm facility temperature secondary relay
 
ciscoasa(config)# alarm facility temperature secondary syslog

allocate-interface

To allocate interfaces to a security context, use the allocate-interface command in context configuration mode. To remove an interface from a context, use the no form of this command.

allocate-interface physical_interface [ map_name ] [ visible | invisible ]

no allocate-interface physical_interface

allocate-interface physical_interface . subinterface [ - physical_interface . subinterface ] [ map_name [ - map_name ] ] [ visible | invisible ]

no allocate-interface physical_interface . subinterface [ - physical_interface . subinterface ]

Syntax Description

invisible

(Default) Allows context users to only see the mapped name (if configured) in the show interface command.

map_name

(Optional) Sets a mapped name.

The map_name is an alphanumeric alias for the interface that can be used within the context instead of the interface ID. If you do not specify a mapped name, the interface ID is used within the context. For security purposes, you might not want the context administrator to know which interfaces are being used by the context.

A mapped name must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, or an underscore. For example, you can use the following names:


int0
inta
int_0

For subinterfaces, you can specify a range of mapped names.

See the “Usage Guidelines” section for more information about ranges.

physical_interface

Sets the interface ID, such as gigabitethernet0/1 . See the interface command for accepted values. Do not include a space between the interface type and the port number.

subinterface

Sets the subinterface number. You can identify a range of subinterfaces.

visible

(Optional) Allows context users to see physical interface properties in the show interface command even if you set a mapped name.

Command Default

The interface ID is invisible in the show interface command output by default if you set a mapped name.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Context configuration

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

You can enter this command multiple times to specify different ranges. To change the mapped name or visible setting, reenter the command for a given interface ID, and set the new values; you do not need to enter the no allocate-interface command and start over. If you remove the allocate-interface command, the ASA removes any interface-related configuration in the context.

Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA, you can use the dedicated management interface, Management 0/0 (either the physical interface or a subinterface), as a third interface for management traffic.


Note


The management interface for transparent mode does not flood a packet out the interface when that packet is not in the MAC address table.

You can assign the same interfaces to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces.

If you specify a range of subinterfaces, you can specify a matching range of mapped names. Follow these guidelines for ranges:

  • The mapped name must consist of an alphabetic portion followed by a numeric portion. The alphabetic portion of the mapped name must match for both ends of the range. For example, enter the following range:


int0-int10

If you enter gigabitethernet0/1.1-gigabitethernet0/1.5 happy1-sad5, for example, the command fails because the alphabetic portions (happy and sad) differ.

  • The numeric portion of the mapped name must include the same quantity of numbers as the subinterface range. For example, both ranges include 100 interfaces:


gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int100

If you enter gigabitethernet0/0.100-gigabitethernet0/0.199 int1-int15, for example, the command fails because 100 subinterfaces are matched against only 15 mapped names.

Examples

The following example shows gigabitethernet0/1.100, gigabitethernet0/1.200, and gigabitethernet0/2.300 through gigabitethernet0/2.305 assigned to the context. The mapped names are int1 through int8.


ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.100 int1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.200 int2
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/2.300-gigabitethernet0/2.305 int3-int8
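The range rules above are easy to get wrong when allocating dozens of subinterfaces, and a context administrator only ever sees the mapped names, so it is worth checking a candidate allocate-interface line before it reaches the system configuration. The following checker is an added example, not Cisco code: it applies the mapped-name syntax rule and the two range rules from this entry to a candidate command and either expands it into the (interface ID, name seen in the context) pairs or raises ValueError at the point where the CLI would report that the command fails. The regular expressions for interface IDs are an assumption that covers the gigabitethernet0/1 and management0/0 forms used on this page.

```python
"""Validator/expander for ASA allocate-interface subinterface ranges and mapped names."""
import re
from typing import List, Optional, Tuple

# Mapped name: starts with a letter, ends with a letter or digit, interior letters/digits/underscore.
MAPPED_NAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9_]*[A-Za-z0-9])?$")
# Physical interface ID such as gigabitethernet0/1 or management0/0 (assumed form; no space before the number).
PHYSICAL_RE = re.compile(r"^[A-Za-z]+\d+/\d+$")
# Subinterface ID: physical ID followed by .<number>.
SUBIF_RE = re.compile(r"^([A-Za-z]+\d+/\d+)\.(\d+)$")
# Range-capable mapped name: alphabetic portion followed by a numeric portion.
RANGE_NAME_RE = re.compile(r"^([A-Za-z]+)(\d+)$")


def is_valid_mapped_name(name: str) -> bool:
    return MAPPED_NAME_RE.match(name) is not None


def _parse_subif_range(spec: str) -> Tuple[str, int, int]:
    """Return (physical_id, first_subif, last_subif) for a gi0/0.100-gi0/0.199 style range."""
    lo, hi = spec.split("-", 1)
    m_lo, m_hi = SUBIF_RE.match(lo), SUBIF_RE.match(hi)
    if not (m_lo and m_hi):
        raise ValueError(f"bad subinterface range: {spec}")
    if m_lo.group(1).lower() != m_hi.group(1).lower():
        raise ValueError("both ends of a subinterface range must be on the same physical interface")
    first, last = int(m_lo.group(2)), int(m_hi.group(2))
    if first > last:
        raise ValueError("subinterface range must be ascending")
    return m_lo.group(1), first, last


def expand_allocation(interface_spec: str, map_spec: Optional[str] = None) -> List[Tuple[str, str]]:
    """Expand one allocate-interface line into (interface_id, name_seen_in_context) pairs."""
    if "-" not in interface_spec:
        # Single physical interface or subinterface, with an optional single mapped name.
        if not (PHYSICAL_RE.match(interface_spec) or SUBIF_RE.match(interface_spec)):
            raise ValueError(f"bad interface ID: {interface_spec}")
        if map_spec is None:
            return [(interface_spec, interface_spec)]  # no alias: the real ID is visible in the context
        if not is_valid_mapped_name(map_spec):
            raise ValueError(f"bad mapped name: {map_spec}")
        return [(interface_spec, map_spec)]

    physical, first, last = _parse_subif_range(interface_spec)
    count = last - first + 1
    interfaces = [f"{physical}.{n}" for n in range(first, last + 1)]
    if map_spec is None:
        return [(i, i) for i in interfaces]

    if "-" not in map_spec:
        raise ValueError("a subinterface range needs a matching range of mapped names")
    name_lo, name_hi = map_spec.split("-", 1)
    m_lo, m_hi = RANGE_NAME_RE.match(name_lo), RANGE_NAME_RE.match(name_hi)
    if not (m_lo and m_hi):
        raise ValueError("mapped-name range ends must be <letters><digits>")
    if m_lo.group(1) != m_hi.group(1):
        # e.g. happy1-sad5: the alphabetic portions differ, so the command fails.
        raise ValueError(f"alphabetic portion differs: {m_lo.group(1)} vs {m_hi.group(1)}")
    n_lo, n_hi = int(m_lo.group(2)), int(m_hi.group(2))
    if n_hi - n_lo + 1 != count:
        # e.g. 100 subinterfaces but int1-int15: the quantities differ, so the command fails.
        raise ValueError(f"{count} subinterfaces but {n_hi - n_lo + 1} mapped names")
    names = [f"{m_lo.group(1)}{n}" for n in range(n_lo, n_hi + 1)]
    for name in names:
        if not is_valid_mapped_name(name):
            raise ValueError(f"bad mapped name: {name}")
    return list(zip(interfaces, names))


if __name__ == "__main__":
    for spec, names in [
        ("gigabitethernet0/0.100-gigabitethernet0/0.199", "int1-int100"),
        ("gigabitethernet0/0.100-gigabitethernet0/0.199", "int1-int15"),
        ("gigabitethernet0/1.1-gigabitethernet0/1.5", "happy1-sad5"),
    ]:
        try:
            pairs = expand_allocation(spec, names)
            print(f"OK   {spec} {names}: {pairs[0]} ... {pairs[-1]}")
        except ValueError as err:
            print(f"FAIL {spec} {names}: {err}")
```

Running the script prints one OK line for the 100-interface range and a FAIL line, with the reason, for each of the two rejected examples from this entry. The expanded pairs are exactly what a context administrator's show interface output is limited to when the interfaces are left invisible.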

allocate-ips

To allocate an IPS virtual sensor to a security context if you have the AIP SSM installed, use the allocate-ips command in context configuration mode. To remove a virtual sensor from a context, use the no form of this command.

allocate-ips sensor_name [ mapped_name ] [ default ]

no allocate-ips sensor_name [ mapped_name ] [ default ]

Syntax Description

default

(Optional) Sets one sensor per context as the default sensor; if the context configuration does not specify a sensor name, the context uses this default sensor. You can only configure one default sensor per context. If you want to change the default sensor, enter the no allocate-ips command to remove the current default sensor before you allocate a new default sensor. If you do not specify a sensor as the default, and the context configuration does not include a sensor name, then traffic uses the default sensor on the AIP SSM.

mapped_name

(Optional) Sets a mapped name as an alias for the sensor name that can be used within the context instead of the actual sensor name. If you do not specify a mapped name, the sensor name is used within the context. For security purposes, you might not want the context administrator to know which sensors are being used by the context. Or you might want to genericize the context configuration. For example, if you want all contexts to use sensors called “sensor1” and “sensor2,” then you can map the “highsec” and “lowsec” sensors to sensor1 and sensor2 in context A, but map the “medsec” and “lowsec” sensors to sensor1 and sensor2 in context B.

sensor_name

Sets the sensor name configured on the AIP SSM. To view the sensors that are configured on the AIP SSM, enter allocate-ips ? . All available sensors are listed. You can also enter the show ips command. In the system execution space, the show ips command lists all available sensors; if you enter it in the context, it shows the sensors you already assigned to the context. If you specify a sensor name that does not yet exist on the AIP SSM, you get an error, but the allocate-ips command is entered as-is. Until you create a sensor of that name on the AIP SSM, the context assumes the sensor is down.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Context configuration

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

Usage Guidelines

You can assign one or more IPS virtual sensors to each context. Then, when you configure the context to send traffic to the AIP SSM using the ips command, you can specify a sensor that is assigned to the context; you cannot specify a sensor that you did not assign to the context. If you do not assign any sensors to a context, then the default sensor configured on the AIP SSM is used. You can assign the same sensor to multiple contexts.


Note


You do not need to be in multiple context mode to use virtual sensors; you can be in single mode and use different sensors for different traffic flows.

Examples

The following example assigns sensor1 and sensor2 to context A, and sensor1 and sensor3 to context B. Both contexts map the sensor names to “ips1” and “ips2.” In context A, sensor1 is set as the default sensor, but in context B, no default is set so the default that is configured on the AIP SSM is used.


ciscoasa(config-ctx)# context A
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8
ciscoasa(config-ctx)# allocate-ips sensor1 ips1 default
ciscoasa(config-ctx)# allocate-ips sensor2 ips2
ciscoasa(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg
ciscoasa(config-ctx)# member gold
ciscoasa(config-ctx)# context sample
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.200 int1
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8
ciscoasa(config-ctx)# allocate-ips sensor1 ips1
ciscoasa(config-ctx)# allocate-ips sensor3 ips2
ciscoasa(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg
ciscoasa(config-ctx)# member silver

allowed-eid

To configure a LISP inspection map to limit inspected EIDs based on IP address, use the allowed-eid command in parameters configuration mode. You can access the parameters configuration mode by first entering the policy-map type inspect lisp command. To allow all EIDs, use the no form of this command.

allowed-eid access-list eid_acl_name

no allowed-eid access-list eid_acl_name

Syntax Description

access-list eid_acl_name

Specifies an extended ACL where only the destination IP address is matched to the EID embedded address.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Parameters configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.5(2)

We introduced this command.

Usage Guidelines

Configure a LISP inspection map to limit inspected EIDs based on IP address.

About LISP Inspection for Cluster Flow Mobility

The ASA inspects LISP traffic for location changes and then uses this information for seamless clustering operation. With LISP integration, the ASA cluster members can inspect LISP traffic passing between the first hop router and the ETR or ITR, and can then change the flow owner to be at the new site.

Cluster flow mobility includes several inter-related configurations:

  1. (Optional) Limit inspected EIDs based on the host or server IP address—The first hop router might send EID-notify messages for hosts or networks the ASA cluster is not involved with, so you can limit the EIDs to only those servers or networks relevant to your cluster. For example, if the cluster is only involved with 2 sites, but LISP is running on 3 sites, you should only include EIDs for the 2 sites involved with the cluster. See the policy-map type inspect lisp , allowed-eid, and validate-key commands.

  2. LISP traffic inspection—The ASA inspects LISP traffic for the EID-notify message sent between the first hop router and the ITR or ETR. The ASA maintains an EID table that correlates the EID and the site ID. For example, you should inspect LISP traffic with a source IP address of the first hop router and a destination address of the ITR or ETR. See the inspect lisp command.

  3. Service Policy to enable flow mobility on specified traffic—You should enable flow mobility on business-critical traffic. For example, you can limit flow mobility to only HTTPS traffic, and/or to traffic to specific servers. See the cluster flow-mobility lisp command.

  4. Site IDs—The ASA uses the site ID for each cluster unit to determine the new owner. See the site-id command.

  5. Cluster-level configuration to enable flow mobility—You must also enable flow mobility at the cluster level. This on/off toggle lets you easily enable or disable flow mobility for a particular class of traffic or applications. See the flow-mobility lisp command.

Examples

The following example limits EIDs to those on the 10.10.10.0/24 network:


ciscoasa(config)# access-list TRACKED_EID_LISP extended permit ip any 10.10.10.0 255.255.255.0
ciscoasa(config)# policy-map type inspect lisp LISP_EID_INSPECT
ciscoasa(config-pmap)# parameters 
ciscoasa(config-pmap-p)# allowed-eid access-list TRACKED_EID_LISP
ciscoasa(config-pmap-p)# validate-key MadMaxShinyandChrome

allow-ssc-mgmt

To set an interface on the ASA 5505 to be the SSC management interface, use the allow-ssc-mgmt command in interface configuration mode. To unassign an interface, use the no form of this command.

allow-ssc-mgmt

no allow-ssc-mgmt

Syntax Description

This command has no arguments or keywords.

Command Default

This command is enabled in the factory default configuration for VLAN 1.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Interface configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.2(1)

This command was added.

Usage Guidelines

An SSC does not have any external interfaces. You can configure a VLAN as a management VLAN to allow access to an internal management IP address over the backplane. By default, VLAN 1 is enabled for the SSC management address. You can only assign one VLAN as the SSC management VLAN.

Do not configure NAT for the management address if you intend to access it using ASDM. For initial setup with ASDM, you need to access the real address. After initial setup (where you set the password in the SSC), you can configure NAT and supply ASDM with the translated address when you want to access the SSC.

Examples

The following example disables management access on VLAN 1, and enables it for VLAN 2:


ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# no allow-ssc-mgmt
ciscoasa(config-if)# interface vlan 2
ciscoasa(config-if)# allow-ssc-mgmt

allow-tls

To configure ESMTP inspection to allow or prohibit TLS sessions, use the allow-tls command in parameters configuration mode. To disable this feature, use the no form of this command.

allow-tls [ action log ]

no allow-tls

Syntax Description

action log

Whether to log encrypted connections.

Command Default

The allow-tls command is the default for ESMTP inspection.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Parameters configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.0(3)

This command was added.

9.4(1)

The default was changed to allow-tls from no allow-tls. However, this default applies to new or reimaged systems. If you upgrade a system that includes no allow-tls , the command is not changed.

Usage Guidelines

ESMTP inspection cannot inspect encrypted connections. If you want to enforce inspection of all ESMTP sessions, use the no allow-tls command. By disallowing TLS, the STARTTLS indicator is removed from connection requests, forcing the client and server to negotiate clear text connections. Be aware that mail then crosses the inspected segment unencrypted, and a client or server that is configured to require TLS will refuse to continue rather than fall back to clear text, so mail through that path stops rather than becoming inspectable.

If you want to allow the client and server to negotiate encrypted connections, include the allow-tls command in the parameters section of an ESMTP inspection policy map, and connect the map to the ESMTP inspection service policy. You can also edit the _default_esmtp_map, which is applied when you do not apply your own map.

Examples

The following example shows how to allow encrypted ESMTP sessions, which bypasses ESMTP inspection:


ciscoasa(config)# policy-map type inspect esmtp esmtp_map
 
ciscoasa(config-pmap)# parameters
 
ciscoasa(config-pmap-p)# allow-tls
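Because removing the STARTTLS indicator is the same downgrade that a man-in-the-middle performs, it helps to see what each kind of client does once the capability is gone. The following simulation is an added example, not Cisco code: it removes STARTTLS from a constructed EHLO reply the way the usage guidelines describe, repairs the reply's continuation markers, and shows the next command an opportunistic client and a mandatory-TLS client would send. The page says the indicator is removed from connection requests; this model strips it from the server's EHLO capability list, which is where STARTTLS is advertised in the protocol, and the precise rewrite the ASA performs is an assumption here.

```python
"""Simulation of ESMTP inspection with TLS disallowed (no allow-tls)."""
from typing import List

# Constructed EHLO reply as a mail server would send it with STARTTLS on offer.
SAMPLE_EHLO_REPLY: List[str] = [
    "250-mail.example.test Hello client.example.test",
    "250-SIZE 35882577",
    "250-STARTTLS",
    "250-ENHANCEDSTATUSCODES",
    "250 HELP",
]


def _capability(line: str) -> str:
    """Capability keyword of a '250-XYZ' or '250 XYZ' reply line."""
    return line[4:].split(" ", 1)[0].upper()


def strip_starttls(ehlo_reply: List[str]) -> List[str]:
    """Remove STARTTLS from a multi-line EHLO reply and fix the continuation markers.

    Every line but the last must read '250-'; the last must read '250 ' so the client
    knows the reply has ended. Dropping a line without renumbering would leave a
    malformed reply, which is itself a tell for a clumsy downgrade."""
    kept = [line[4:] for line in ehlo_reply if _capability(line) != "STARTTLS"]
    return [f"250{' ' if i == len(kept) - 1 else '-'}{body}" for i, body in enumerate(kept)]


def next_client_command(ehlo_reply: List[str], require_tls: bool) -> str:
    """What a client sends after reading the EHLO reply.

    Opportunistic clients upgrade when STARTTLS is offered and otherwise continue in
    clear text; a client with mandatory TLS aborts instead of sending mail unencrypted."""
    if any(_capability(line) == "STARTTLS" for line in ehlo_reply):
        return "STARTTLS"
    return "QUIT" if require_tls else "MAIL FROM:<sender@example.test>"


def simulate(tls_allowed: bool, require_tls: bool) -> str:
    """Apply the inspection setting to the server reply and return the client's next command."""
    reply = SAMPLE_EHLO_REPLY if tls_allowed else strip_starttls(SAMPLE_EHLO_REPLY)
    return next_client_command(reply, require_tls)


if __name__ == "__main__":
    for allowed in (True, False):
        for mandatory in (False, True):
            print(f"allow-tls={allowed!s:5} client-requires-tls={mandatory!s:5} -> "
                  f"{simulate(allowed, mandatory)}")
```

The four printed lines show the trade-off in one screen: with allow-tls both clients upgrade and inspection sees nothing, with no allow-tls the opportunistic client sends mail in clear text (now inspectable) and the mandatory-TLS client quits.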

always-on-vpn

To configure the behavior of the Secure Client Always-On-VPN functionality, use the always-on-vpn command in group policy configuration mode.

always-on-vpn [ profile-setting | disable ]

Syntax Description

disable

Switches off the Always-On-VPN functionality.

profile-setting

Uses the always-on-vpn setting configured in the Secure Client profile.

Command Default

Always-On-VPN functionality is switched on by default.

Command History

Release

Modification

8.3(1)

This command was added.

Usage Guidelines

To enable Always-On-VPN functionality for Secure Client users, configure a Secure Client profile in the profile editor. Then configure the group-policy attributes for the appropriate policy.

Examples

The following example enables always-on functionality for the configured group-policy:


ciscoasa(config)# group-policy <group policy> attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# always-on-vpn profile-setting

anti-replay

To enable anti-replay for GTP-U message sequence numbers, use the anti-replay command in GTP inspection policy map parameters configuration mode. Use the no form of this command to disable anti-replay.

anti-replay [ window_size ]

no anti-replay [ window_size ]

Syntax Description

window_size

The size of the sliding window in number of messages. The window size can be 128, 256, 512, or 1024. If you do not enter a value, you get the default, 512.

Command Default

By default, anti-replay is disabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Parameters configuration mode

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.10(1)

This command was introduced.

Usage Guidelines

You can enable anti-replay by specifying a sliding window for GTP-U messages.

The size of the sliding window is in number of messages and can be 128, 256, 512, or 1024. As valid messages appear, the window moves to the new sequence numbers. Sequence numbers are in the range 0-65535, wrapping when they reach the maximum, and they are unique per PDP context. Messages are considered valid if their sequence numbers are within the window.

Anti-replay helps prevent session hijacking or DoS attacks, which can occur when an attacker captures GTP data packets and replays them.

Examples

The following example enables anti-replay with a window size of 512.


ciscoasa(config)# policy-map type inspect gtp gtp-map
 
ciscoasa(config-pmap)# parameters
 
ciscoasa(config-pmap-p)# anti-replay 512

anyconnect ask

To enable the ASA to prompt remote SSL VPN client users to download the client, use the anyconnect ask command in group policy webvpn or username webvpn configuration modes. To remove the command from the configuration, use the no form of the command.

anyconnect ask { none | enable [ default { webvpn | anyconnect } timeout value ] }

no anyconnect ask none [ default { webvpn | anyconnect } ]

Syntax Description

default anyconnect timeout value

Prompts the remote user to download the client or goes to the portal page for clientless connections, and waits the duration of value before taking the default action—downloading the client.

default webvpn timeout value

Prompts the remote user to download the client or goes to the portal page for clientless connections, and waits the duration of value before taking the default action—displaying the WebVPN portal page.

enable

Prompts the remote user to download the client or goes to the portal page for clientless connections and waits indefinitely for user response.

none

Immediately performs the default action.

Command Default

The default for this command is anyconnect ask none default webvpn . The ASA immediately displays the portal page for clientless connections.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Group policy webvpn configuration

  • Yes

  • Yes

Username webvpn configuration

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

8.4(1)

The anyconnect ask command replaced the svc ask command.

Usage Guidelines

When either the default anyconnect timeout value or the default webvpn timeout value keyword is configured, remote users see a prompt offering the client download or the clientless portal page; if they do not respond within value seconds, the ASA takes the configured default action.

Examples

The following example configures the ASA to prompt the remote user to download the client or go to the portal page and to wait 10 seconds for user response before downloading the client:


ciscoasa(config-group-webvpn)# anyconnect ask enable default anyconnect timeout 10

anyconnect-custom (Version 9.0 through 9.2)

To set or update the value of a custom attribute, use the anyconnect-custom command in anyconnect-custom-attr configuration mode. To remove the value of a custom attribute, use the no form of this command.

anyconnect-custom attr-name value attr-value

anyconnect-custom attr-name none

no anyconnect-custom attr-name

Syntax Description

attr-name

The name of the attribute in the current group policy, as defined by the anyconnect-custom-attr command.

none

Explicitly omits this custom attribute from the group policy; no value is passed to the client.

value attr-value

A string containing the attribute value. The value is associated with the attribute name and passed to the client during connection setup. The maximum length is 450 characters.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

anyconnect-custom-attr configuration

  • Yes

  • Yes

Command History

Release

Modification

9.0(1)

This command was added.

Usage Guidelines

This command sets the value of a custom attribute in a group policy. The AnyConnect Administrator’s Guide lists which values are valid for the custom attributes that apply to that release. Custom attributes are created with the anyconnect-custom-attr command.

Multiple instances of this command are supported to build a multiline value for an attribute. All data associated with a given attribute name is delivered to the client in the order that it is entered in the CLI. Individual lines of a multiline value can not be removed.

The no form of this command does not allow the value or none keywords.

If the data associated with an attribute name is entered in multiple CLI lines, it will be sent to the endpoint as a single concatenated string delimited by the newline character (\n).

Examples

The following example configures a custom attribute for an AnyConnect Deferred Update:


ciscoasa(config-group-policy)# anyconnect-custom DeferredUpdateAllowed true

anyconnect-custom (Version 9.3 and later)

To set or update the value of a custom attribute, use the anyconnect-custom command in group-policy or dynamic-access-policy-record configuration mode. To remove a custom attribute, use the no form of this command.

anyconnect-custom attr-type value attr-name

anyconnect-custom attr-type none

no anyconnect-custom attr-type

Syntax Description

attr-type

The type of custom attribute as defined by the anyconnect-custom-attr command.

none

This custom attribute is explicitly omitted from the policy.

value attr-name

The name of the custom attribute value as defined by the anyconnect-custom-data command.

The custom attribute type and named value is passed to the client during connection setup.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

group-policy or dynamic-access-policy-record

  • Yes

  • Yes

Command History

Release

Modification

9.3(1)

This command has been redefined.

Usage Guidelines

This command sets the value of a custom attribute in a group policy or DAP.

The AnyConnect Administrator’s Guide lists which values are valid for the custom attributes that apply to that release. Custom attributes are created with the anyconnect-custom-attr and anyconnect-custom-data commands.

The no form of this command does not allow the none keyword.

Examples

The following example configures a custom attribute for AnyConnect Deferred Update:


ciscoasa(config-webvpn)# anyconnect-custom-attr DeferredUpdateAllowed
ciscoasa(config-webvpn)# exit
ciscoasa(config)# anyconnect-custom-data DeferredUpdateAllowed def-allowed true
ciscoasa(config-group-policy)# anyconnect-custom DeferredUpdateAllowed def-allowed

anyconnect-custom-attr (Version 9.0 through 9.2)

To create custom attributes, use the anyconnect-custom-attr command in Anyconnect-custom-attr configuration mode. To remove custom attributes, use the no form of this command.

[ no ] anyconnect-custom-attr attr-name [ description description ]

Syntax Description

attr-name

The name of the attribute. This name is referenced in the group policy syntax and in the aggregate auth protocol messages. The maximum length is 32 characters.

description description

A free form description of attribute usage. This text appears in the command help when the custom attribute is referenced from the group-policy attribute configuration mode. The maximum length is 128 characters.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Anyconnect-custom-attr configuration

  • Yes

  • Yes

Command History

Release

Modification

9.0(1)

This command was added.

Usage Guidelines

This command creates custom attributes to support special Secure Client features. After creating custom attributes for a particular feature, you add them to group policies, so that feature can be applied to VPN clients. This command guarantees that all of the defined attribute names are unique.

Some versions of Secure Client use custom attributes to configure features. The release notes and AnyConnect Administrator’s Guide for each version list any features that require custom attributes.

If you try to remove the definition of attribute that is being used in a group policy, an error message will be displayed, and the action will fail. If a user attempts to add an attribute that already exists as a custom attribute, any changes to the description will be incorporated, but the command will otherwise be ignored.

Multiple instances of this command are supported to build a multiline value for an attribute. All data associated with a given attribute name is delivered to the client in the order that it is entered in the CLI. Individual lines of a multiline value can not be removed.

Examples

The following example configures a custom attribute for AnyConnect Deferred Update:


ciscoasa(config-webvpn)# anyconnect-custom-attr DeferredUpdateAllowed description Indicates if the deferred update feature is enabled or not

anyconnect-custom-attr (Version 9.3 and later)

To create custom attribute types, use the anyconnect-custom-attr command in config-webvpn configuration mode. To remove custom attributes, use the no form of this command.

[ no ] anyconnect-custom-attr attr-type [ description description ]

Syntax Description

attr-type

The type of the attribute. This type is referenced in the group policy syntax, and DAP-policy syntax, as well as the aggregate auth protocol messages. The maximum length is 32 characters.

description description

A free form description of attribute usage. This text appears in the command help when the custom attribute is referenced from the group-policy attribute configuration mode. The maximum length is characters.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

config-webvpn

  • Yes

  • Yes

Command History

Release

Modification

9.3(1)

This command has been redefined.

Usage Guidelines

This command creates custom attributes to support special Secure Client features. After creating custom attributes for a particular feature, you define values for them and then add them to group policies so that the related feature can be applied to VPN clients. This command guarantees that all of the defined attribute names are unique.

Some versions of Secure Client use custom attributes to configure features. The release notes and AnyConnect Administrator’s Guide for each version list any features that require custom attributes.

If you try to remove the definition of an attribute that is being used in a group policy, an error message will be displayed, and the action will fail. If a user attempts to add an attribute that already exists as a custom attribute, any changes to the description will be incorporated, but the command will otherwise be ignored.

Examples

The following example configures a custom attribute for AnyConnect Deferred Update and then defines a named value for it:


ciscoasa(config-webvpn)# anyconnect-custom-attr DeferredUpdateAllowed description Indicates if the deferred update feature is enabled or not

ciscoasa(config)# anyconnect-custom-data DeferredUpdateAllowed def-allowed true


anyconnect-custom-data

To create custom attribute named values, use the anyconnect-custom-data command in global configuration mode. To remove custom attributes, use the no form of this command.

anyconnect-custom-data attr-type attr-name attr-value

no anyconnect-custom-data attr-type attr-name

Syntax Description

attr-type

The type of the attribute previously defined using anyconnect-custom-attr.

attr-name

The name of the attribute with the specified value. It can be referenced in group-policy and dynamic-access-policy-record config mode.

attr-value

A string containing the attribute value.

Maximum length of 420 characters.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global

  • Yes

  • Yes

Command History

Release

Modification

9.3(1)

This command was added.

Usage Guidelines

This command defines custom attribute named values to support special Secure Client features. After creating custom attributes for a particular feature, you define values for them and then add them to DAP or group policies so that the related feature can be applied to VPN clients.

Some versions of Secure Client use custom attributes to configure features. The release notes and AnyConnect Administrator’s Guide for each version list any features that require custom attributes.

If you try to remove the named value of an attribute that is being used in a group policy, an error message will be displayed, and the action will fail.

Multiple instances of this command are supported to build a multiline value for an attribute. All data associated with a given attribute name is delivered to the client in the order that it is entered in the CLI. Individual lines of a multiline value cannot be removed; to change one line you must remove the whole named value and re-enter it.

Examples

The following example configures a custom attribute for AnyConnect Deferred Update:


ciscoasa(config)# anyconnect-custom-data DeferredUpdateAllowed def-allowed true
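The rules stated in the two sections above (attr-type names must be unique, with a duplicate only updating the description; a 32-character limit on attr-type and a 420-character limit on a value; a named value must belong to a defined type; repeated lines for one name form a multiline value delivered in entry order; and a definition or named value still referenced by a policy cannot be removed) can be checked offline before a configuration is pushed. The following Python script is an added example written for this page, not Cisco code. It assumes one command per line, as in a running configuration, and that group-policy and DAP references use the `anyconnect-custom <attr-type> value <attr-name>` form, which this page does not itself document; the sample configuration is constructed, with DeferredUpdateAllowed taken from the page and ExampleListAttr and NeverDefinedAttr made up for the example.

```python
"""Offline checker for the anyconnect-custom-attr / anyconnect-custom-data rules
stated above. Added example, not Cisco code: it never talks to an ASA, it only
replays command lines as they appear in a running configuration. Assumed: one
command per line; policy references use `anyconnect-custom <type> value <name>`."""
import re
from dataclasses import dataclass, field

ATTR_TYPE_MAX = 32     # attr-type length limit from the page
ATTR_VALUE_MAX = 420   # attr-value length limit from the page

ATTR_RE = re.compile(r"^anyconnect-custom-attr\s+(\S+)(?:\s+description\s+(.+))?$")
DATA_RE = re.compile(r"^anyconnect-custom-data\s+(\S+)\s+(\S+)\s+(.+)$")
REF_RE = re.compile(r"^anyconnect-custom\s+(\S+)\s+value\s+(\S+)$")  # assumed syntax
NO_RE = re.compile(r"^no anyconnect-custom-(attr|data)\s+(\S+)(?:\s+(\S+))?")


@dataclass
class CustomAttrState:
    types: dict = field(default_factory=dict)    # attr-type -> description
    values: dict = field(default_factory=dict)   # (attr-type, attr-name) -> [lines]
    in_use: set = field(default_factory=set)     # (attr-type, attr-name) referenced by a policy
    findings: list = field(default_factory=list)

    def define_type(self, attr_type, description):
        if len(attr_type) > ATTR_TYPE_MAX:
            self.findings.append(f"attr-type {attr_type!r} longer than {ATTR_TYPE_MAX} characters")
            return False
        if attr_type in self.types:
            if description is not None:          # duplicate: description updated, rest ignored
                self.types[attr_type] = description
            self.findings.append(f"attr-type {attr_type!r} already defined; only the description was updated")
            return False
        self.types[attr_type] = description
        return True

    def add_value(self, attr_type, attr_name, value):
        if attr_type not in self.types:
            self.findings.append(f"custom-data {attr_name!r} references undefined attr-type {attr_type!r}")
            return False
        if len(value) > ATTR_VALUE_MAX:
            self.findings.append(f"custom-data {attr_name!r} value longer than {ATTR_VALUE_MAX} characters")
            return False
        # Repeated lines for one name build a multiline value, kept in CLI order.
        self.values.setdefault((attr_type, attr_name), []).append(value)
        return True

    def reference(self, attr_type, attr_name):
        if (attr_type, attr_name) not in self.values:
            self.findings.append(f"policy references undefined named value {attr_type}/{attr_name}")
            return False
        self.in_use.add((attr_type, attr_name))
        return True

    def remove(self, attr_type, attr_name=None):
        """`no` form: fails if a policy still references the type or the named value."""
        used = {k for k in self.in_use if k[0] == attr_type and attr_name in (None, k[1])}
        if used:
            self.findings.append(f"cannot remove {attr_type}/{attr_name or '*'}: in use by a policy")
            return False
        if attr_name is None:
            self.types.pop(attr_type, None)
        else:  # individual lines cannot be removed; the whole named value goes at once
            self.values.pop((attr_type, attr_name), None)
        return True

    def delivered_value(self, attr_type, attr_name):
        """What the client receives for a name: every line, in the order entered."""
        return "\n".join(self.values.get((attr_type, attr_name), []))


def check_config(config_text):
    """Replay the commands in order and collect rule violations."""
    state = CustomAttrState()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := NO_RE.match(line):
            state.remove(m.group(2), m.group(3) if m.group(1) == "data" else None)
        elif m := ATTR_RE.match(line):
            state.define_type(m.group(1), m.group(2))
        elif m := DATA_RE.match(line):
            state.add_value(*m.groups())
        elif m := REF_RE.match(line):
            state.reference(m.group(1), m.group(2))
    return state


# Constructed sample: DeferredUpdateAllowed is the attribute used on this page;
# ExampleListAttr and NeverDefinedAttr are made up for the example.
SAMPLE_CONFIG = """\
webvpn
 anyconnect-custom-attr DeferredUpdateAllowed description Indicates if the deferred update feature is enabled or not
 anyconnect-custom-attr ExampleListAttr description constructed multiline attribute
 anyconnect-custom-attr DeferredUpdateAllowed description second definition of the same type
anyconnect-custom-data DeferredUpdateAllowed def-allowed true
anyconnect-custom-data ExampleListAttr list-one first line
anyconnect-custom-data ExampleListAttr list-one second line
anyconnect-custom-data NeverDefinedAttr orphan some value
group-policy sales attributes
 webvpn
  anyconnect-custom DeferredUpdateAllowed value def-allowed
no anyconnect-custom-data DeferredUpdateAllowed def-allowed
no anyconnect-custom-attr DeferredUpdateAllowed
"""
```

Running `check_config(SAMPLE_CONFIG)` yields four findings in configuration order: the duplicate DeferredUpdateAllowed definition (description updated, otherwise ignored), the named value for the undefined NeverDefinedAttr type, and the two `no` commands that fail because the sales group policy still references def-allowed. `delivered_value("ExampleListAttr", "list-one")` returns the two lines joined in entry order, which is the form the client receives.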

anyconnect df-bit-ignore

To ignore the DF (Don't Fragment) bit in packets that need fragmentation, so that the ASA fragments them anyway, use the anyconnect df-bit-ignore command in group policy webvpn configuration mode. To honor the DF bit again, use the no form of the command.

anyconnect df-bit-ignore { enable | none }

no anyconnect df-bit-ignore { enable | none }

Syntax Description

enable

Enables DF-bit ignore for Secure Client.

none

Disables DF-bit ignore for Secure Client; the DF bit is honored.

Command Default

By default, this option is not enabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Group policy webvpn configuration

  • Yes

  • Yes

Command History

Release

Modification

8.2(2)

The svc df-bit-ignore command was added.

8.4(3)

The anyconnect df-bit-ignore command replaced the svc df-bit-ignore command.

Examples

The following example enables DF-bit ignore for the existing group policy sales:


ciscoasa(config)# group-policy sales attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# anyconnect df-bit-ignore enable

anyconnect dpd-interval

To enable Dead Peer Detection (DPD) on the ASA and to set the frequency at which either the remote client or the ASA performs DPD over SSL VPN connections, use the anyconnect dpd-interval command in group policy webvpn or username webvpn configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of the command.

anyconnect dpd-interval { [ gateway { seconds | none } ] | [ client { seconds | none } ] }

no anyconnect dpd-interval { [ gateway { seconds | none } ] | [ client { seconds | none } ] }

Syntax Description

client none

Disables the DPD that the client performs.

client seconds

Specifies the frequency, from 30 to 3600 seconds, at which the client performs DPD.

gateway none

Disables DPD testing that the ASA performs.

gateway seconds

Specifies the frequency, from 30 to 3600 seconds, at which the ASA performs DPD. A value of 300 is recommended.

Command Default

By default, DPD is enabled and set to 30 seconds for both the ASA (gateway) and the client.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Group policy webvpn configuration

  • Yes

  • Yes

Username webvpn configuration

  • Yes

  • Yes

Command History

Release

Modification

7.1(1)

This command was added.

8.0(3)

The default setting changed from disabled to 30 seconds for both the ASA (gateway) and the client.

8.4(1)

The anyconnect dpd-interval command replaced the svc dpd-interval command.

Usage Guidelines

The gateway refers to the ASA. You enable DPD and specify the interval for which the ASA waits for any packets from the client. If no packets are received within that interval, the ASA performs the DPD test with three attempts at the same interval. If it doesn't receive a response from the client, the ASA tears down the TLS/DTLS tunnel. An unresponsive client is therefore torn down roughly four intervals after its last packet: one idle interval plus three unanswered probes.

The DPD process on the ASA gets triggered only when the ASA has a packet to send out toward the client over the TLS/DTLS tunnel.

Examples

The following example shows how to configure the DPD frequency performed by the ASA (gateway) to 3000 seconds, and the DPD frequency performed by the client to 1000 seconds, for the existing group policy sales :


ciscoasa(config)# group-policy sales attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# anyconnect dpd-interval gateway 3000
ciscoasa(config-group-webvpn)# anyconnect dpd-interval client 1000
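The timing consequences of the Usage Guidelines above are easy to get wrong when choosing the gateway interval, so the following Python model replays them. It is an added example written for this page, not Cisco code, and it models only what the page states: the ASA waits one interval for any client packet, then probes up to three times at the same interval, tears the tunnel down when the third probe goes unanswered, and does not start probing until it has a packet to send toward the client. The packet timelines are constructed; the 30 to 3600 second range and the three attempts are taken from the page.

```python
"""Dead peer detection timing for `anyconnect dpd-interval gateway`, following
the Usage Guidelines above. Added example, not Cisco code: it models only what
the page states (wait one interval for any client packet, then up to three
probes at the same interval, then teardown, and nothing happens until the ASA
has a packet to send). The packet timelines used with it are constructed."""

DPD_MIN, DPD_MAX = 30, 3600   # allowed range for the interval, from the page
DPD_PROBES = 3                # attempts the ASA makes before tearing down


def validate_interval(seconds):
    """Reject values the CLI would not accept."""
    if not DPD_MIN <= seconds <= DPD_MAX:
        raise ValueError(f"dpd-interval must be {DPD_MIN}-{DPD_MAX} seconds, got {seconds}")
    return seconds


def worst_case_teardown(interval):
    """Seconds from a client's last packet until the ASA tears down the tunnel,
    assuming the ASA always has traffic to send: one idle interval, then
    DPD_PROBES unanswered probes, each given a full interval to be answered."""
    return validate_interval(interval) * (1 + DPD_PROBES)


def simulate_gateway_dpd(interval, client_packets, client_dies_at, outbound_ready_at=0.0):
    """Event-driven replay of the gateway side.

    client_packets:    times (s) at which the ASA received traffic from the client
    client_dies_at:    from this time on the client answers nothing (finite, so
                       the replay always terminates)
    outbound_ready_at: earliest time the ASA has a packet to send; DPD does not
                       run before that, however long the client has been silent
    Returns (teardown_time, probes_sent).
    """
    validate_interval(interval)
    last_heard = max((t for t in client_packets if t < client_dies_at), default=0.0)
    probe_at = max(outbound_ready_at, last_heard + interval)
    probes_sent = unanswered = 0
    while True:
        probes_sent += 1
        if probe_at < client_dies_at:
            # Client still alive: it answers, so the silence timer restarts.
            unanswered = 0
            probe_at += interval
            continue
        unanswered += 1
        if unanswered == DPD_PROBES:
            # Third probe also expires unanswered: the tunnel is torn down.
            return probe_at + interval, probes_sent
        probe_at += interval


if __name__ == "__main__":
    # Constructed timeline: client traffic at 0, 100 and 250 s; client dies at 260 s.
    for ready in (0.0, 2000.0):
        when, n = simulate_gateway_dpd(300, [0, 100, 250], client_dies_at=260,
                                       outbound_ready_at=ready)
        print(f"outbound ready at {ready:>6.0f}s -> teardown at {when:.0f}s after {n} probes")
    print("worst case at the 3600 s maximum:", worst_case_teardown(3600), "s")
```

With the recommended gateway value of 300, a client that falls silent is torn down 1200 seconds after its last packet; at the 3600 maximum that becomes four hours, during which the session and its address assignment persist. The second replay shows the trigger rule: if the ASA has nothing to send toward the client until 2000 s, probing starts only then, so gateway DPD alone does not bound the lifetime of a silent session.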

anyconnect dtls compression

To enable compression on low bandwidth links for a specific group or user, use the anyconnect dtls compression command in group policy webvpn or username webvpn configuration mode. To delete the configuration from the group, use the no form of the command.

anyconnect dtls compression { lzs | none }

no anyconnect dtls compression { lzs | none }

Syntax Description

lzs

Enables a stateless compression algorithm.

none

Disables compression.

Command Default

The default is to not enable Secure Client compression.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Group policy webvpn configuration

  • Yes

  • Yes

Username webvpn configuration

  • Yes

  • Yes

Command History

Release

Modification

8.4(2)

This command was added.

Examples

The following example shows the sequence to disable compression for both SSL and DTLS:


asa# config terminal
asa(config)# group-policy DfltGrpPolicy attributes
asa(config-group-policy)# webvpn
asa(config-group-webvpn)# anyconnect ssl compression none
asa(config-group-webvpn)# anyconnect dtls compression none

anyconnect enable

To enable the ASA to download the Secure Client to remote computers, or to allow connections to the ASA using the Secure Client with SSL or IKEv2, use the anyconnect enable command in webvpn configuration mode. To remove the command from the configuration, use the no form of the command.

anyconnect enable

no anyconnect enable

Command Default

The default for this command is disabled. The ASA does not download the client.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Webvpn configuration

  • Yes

  • Yes

Command History

Release

Modification

7.1(1)

This command was added as svc enable.

8.4(1)

The anyconnect enable command replaced the svc enable command.

Usage Guidelines

Entering the no anyconnect enable command does not terminate active sessions.

The anyconnect enable command must be issued after configuring the Secure Client images with the anyconnect image xyz command. To use Secure Client or Secure Client weblaunch, anyconnect enable is required. If the anyconnect enable command is not issued with SSL or IKEv2, Secure Client does not function as expected and times out with an IPsec VPN connection termination error. As a result, the show webvpn svc command does not consider the SSL VPN client to be enabled and does not list the installed Secure Client packages.

Examples

The following example shows how to enable the ASA to download the client:


ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# anyconnect enable

anyconnect-essentials

To enable AnyConnect Essentials on the ASA, use the anyconnect-essentials command in webvpn configuration mode. To disable the use of AnyConnect Essentials and enable the premium Secure Client instead, use the no form of the command.

anyconnect-essentials

no anyconnect-essentials

Command Default

AnyConnect Essentials is enabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Webvpn configuration

  • Yes

  • Yes

Command History

Release

Modification

8.2(1)

This command was added.

Usage Guidelines

Use this command to toggle between using the full AnyConnect SSL VPN client and the AnyConnect Essentials SSL VPN client, assuming that the full Secure Client license is installed. AnyConnect Essentials is a separately licensed SSL VPN client, entirely configured on the ASA, that provides the premium Secure Client capability, with the following exceptions:

  • No CSD (including HostScan/Vault/Cache Cleaner)

  • No clientless SSL VPN

The AnyConnect Essentials client provides remote end users running Microsoft Windows Vista, Windows Mobile, Windows XP or Windows 2000, Linux, or Macintosh OS X, with the benefits of a Cisco SSL VPN client.

You enable or disable the AnyConnect Essentials license by using the anyconnect-essentials command, which is meaningful only after you have installed the AnyConnect Essentials license on the ASA. Without this license, this command returns the following error message:


ERROR: Command requires AnyConnect Essentials license

Note


This command only enables or disables the use of AnyConnect Essentials. The AnyConnect Essentials license itself is not affected by the setting of the anyconnect-essentials command.


When the AnyConnect Essentials license is enabled, Secure Client uses Essentials mode, and clientless SSL VPN access is disabled. When the AnyConnect Essentials license is disabled, Secure Client uses the full AnyConnect SSL VPN Client license.


Note


This command is not supported on the ASA virtual or devices. See the licensing documentation for more information.


If you have active clientless SSL VPN connections, and you enable the AnyConnect Essentials license, then all connections are logged off and will need to be reestablished.

Examples