so – st

software authenticity development

To enable or disable loading development key signed images, use the software authenticity development command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. Once you enable this option, it persists until you disable loading development key signed images.

software authenticity development { enable | disable }

Syntax Description

disable

Disables loading development key signed images.

enable

Enables loading development key signed images.

Command Default

This command is disabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
Parameters configuration    Yes       Yes             Yes       Yes        -

Command History

Release

Modification

9.3(2)

This command was added.

Examples

The following example shows loading of development key signed images enabled:


ciscoasa(config)# software authenticity development enable
ciscoasa(config)# show software authenticity development
Loading of development images is enabled
ciscoasa(config)#

The following example shows loading development key signed images disabled:


ciscoasa(config)# software authenticity development disable
ciscoasa(config)# show software authenticity development
Loading of development images is disabled
ciscoasa(config)#

software authenticity key add special

To add a new development key to the SPI flash, use the software authenticity key add special command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode.

software authenticity key add special

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
Parameters configuration    Yes       Yes             Yes       Yes        -

Command History

Release

Modification

9.3(2)

This command was added.

Examples

The following example shows how to add a new development key to SPI flash:


ciscoasa(config)# software authenticity key add special
Writing the key to Primary...Success
Writing the key to Backup...Success
Done!

The following example shows what happens if you try to add a new development key to SPI flash and one already exists:


ciscoasa(config)# software authenticity key add special
Duplicate key found in Primary...Skipping key write
Duplicate key found in Backup...Skipping key write
Done!

software authenticity key revoke special

To delete older development keys from SPI flash, use the software authenticity key revoke special command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode.

software authenticity key revoke special

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
Parameters configuration    Yes       Yes             Yes       Yes        -

Command History

Release

Modification

9.3(2)

This command was added.

Examples

The following example shows how to remove a development key from SPI flash:


ciscoasa(config)# software authenticity key revoke special
Revoking the key with version A...Success
Revoking the key with version A...Success
Done!

software-version

To identify the Server and User-Agent header fields, which expose the software version of either a server or an endpoint, use the software-version command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.

software-version action { mask | log } [ log ]

no software-version action { mask | log } [ log ]

Syntax Description

log

Specifies standalone or additional log in case of violation.

mask

Masks the software version in the SIP message.

Command Default

This command is disabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
Parameters configuration    Yes       Yes             Yes       Yes        -

Command History

Release

Modification

7.2(1)

This command was added.

Examples

The following example shows how to identify the software version in a SIP inspection policy map:


ciscoasa(config)# policy-map type inspect sip sip_map
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# software-version action log

source-interface

To specify the source interface name for the VXLAN VTEP interface, use the source-interface command in nve configuration mode. To remove the interface, use the no form of this command.

source-interface interface_name

no source-interface interface_name

Syntax Description

interface_name

Sets the VTEP source interface name.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
Nve configuration           Yes       Yes             Yes       Yes        -

Command History

Release

Modification

9.4(1)

This command was added.

Usage Guidelines

The VTEP source interface is a regular ASA interface (physical, redundant, EtherChannel, or even VLAN) with which you plan to associate all VNI interfaces. You can configure one VTEP source interface per ASA/security context.

The VTEP source interface can be devoted wholly to VXLAN traffic, although it is not restricted to that use. If desired, you can use the interface for regular traffic and apply a security policy to the interface for that traffic. For VXLAN traffic, however, all security policy must be applied to the VNI interfaces. The VTEP interface serves as a physical port only.

In transparent firewall mode, the VTEP source interface is not part of a BVI, and you do configure an IP address for it, similar to the way the management interface is treated.


Note


If the source interface MTU is less than 1554 bytes, then the ASA automatically raises the MTU to 1554 bytes.

Examples

The following example configures the GigabitEthernet 1/1 interface as the VTEP source interface:


ciscoasa(config)# interface gigabitethernet 1/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config-if)# nve 1
ciscoasa(cfg-nve)# source-interface outside
ciscoasa(cfg-nve)# default-mcast-group 236.0.0.100

speed

To set the speed of an interface, use the speed command in interface configuration mode. To restore the speed setting to the default, use the no form of this command.

speed { speed | auto | nonegotiate | sfp-detect }

no speed [ speed | auto | nonegotiate | sfp-detect ]

Syntax Description

auto

Auto-detects the speed. RJ-45 only.

nonegotiate

For SFP interfaces (except for the Secure Firewall 3100), no speed nonegotiate sets the speed to 1000 Mbps and enables link negotiation for flow-control parameters and remote fault information. For 10 Gbps interfaces, this option sets the speed down to 1000 Mbps. The nonegotiate keyword is the only keyword available for SFP interfaces. The speed nonegotiate command disables link negotiation. For the Secure Firewall 3100, see the negotiate-auto command.

speed

Sets the speed to a specific setting.

sfp-detect

(Secure Firewall 3100 only) Detects the speed of the installed SFP module and uses the appropriate speed. Duplex is always full, and auto-negotiation is always enabled. This option is useful if you later change the network module to a different model, and want the speed to update automatically. This setting is the default.

Command Default

For RJ-45 interfaces, the default is speed auto.

For SFP interfaces (except for the Secure Firewall 3100), the default is no speed nonegotiate.

For the Secure Firewall 3100, the default is sfp-detect.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
Interface configuration     Yes       Yes             Yes       -          Yes

Command History

Release

Modification

7.0(1)

This command was moved from a keyword of the interface command to an interface configuration mode command.

9.14(1)

Speed auto-negotiation can be disabled on 1GB fiber interfaces on the Firepower 1000 and 2100 using the speed nonegotiate command.

9.17(1)

We added the sfp-detect keyword for the Secure Firewall 3100.

Usage Guidelines

Set the speed on the physical interface only.

If your network does not support auto detection, set the speed to a specific value.

For RJ-45 interfaces on the ASA 5500 series, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

On PoE ports (where available), if you set the speed to anything other than auto, Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af are not detected and are not supplied with power.


Note


Do not set the speed command for an ASA 5500-X or an ASA 5585-X with fiber interfaces. Doing so causes a link failure.

Examples

The following example sets the speed to 1000BASE-T:


ciscoasa(config)# interface gigabitethernet0/1
ciscoasa(config-if)# speed 1000
ciscoasa(config-if)# duplex full
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown

spf-interval

To customize IS-IS throttling of shortest path first (SPF) calculations, use the spf-interval command in router isis configuration mode. To restore the default values, use the no form of this command.

spf-interval [ level-1 | level-2 ] spf-max-wait [ spf-initial-wait spf-second-wait ]

no spf-interval [ level-1 | level-2 ] spf-max-wait [ spf-initial-wait spf-second-wait ]

Syntax Description

level-1

(Optional) Apply intervals to Level-1 areas only.

level-2

(Optional) Apply intervals to Level-2 areas only.

spf-max-wait

Indicates the maximum interval (in seconds) between two consecutive SPF calculations. The range is from 1 to 120 seconds. The default is 10 seconds.

spf-initial-wait

(Optional) Indicates the initial SPF calculation delay (in milliseconds) after a topology change. The range is from 1 to 120000 milliseconds. The default is 5500 milliseconds (5.5 seconds).

spf-second-wait

(Optional) Indicates the hold time between the first and second SPF calculation (in milliseconds). The range is from 1 to 120000 milliseconds. The default is 5500 milliseconds (5.5 seconds).

Command Default

spf-max-wait: 10 seconds

spf-initial-wait: 5500 milliseconds

spf-second-wait: 5500 milliseconds

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
Router isis configuration   Yes       -               Yes       Yes        -

Command History

Release

Modification

9.6(1)

We introduced this command.

Usage Guidelines

SPF calculations are performed only when the topology changes. They are not performed when external routes change.

The spf-interval command controls how often the software performs the SPF calculation. The SPF calculation is processor-intensive. Therefore, it may be useful to limit how often the calculation is done, especially when the area is large and the topology changes often. Increasing the SPF interval reduces the processor load of the router, but potentially slows down the rate of convergence.

The following description will help you determine whether to change the default values of this command:

  • The spf-initial-wait argument indicates the initial wait time (in milliseconds) after a topology change before the first SPF calculation.

  • The spf-second-wait argument indicates the interval (in milliseconds) between the first and second SPF calculation.

  • Each subsequent wait interval is twice as long as the previous one until the wait interval reaches the spf-max-wait interval specified; the SPF calculations are throttled or slowed down after the initial and second intervals. Once the spf-max-wait interval is reached, the wait interval continues at this interval until the network calms down.

  • After the network calms down and there are no triggers for 2 times the spf-max-wait interval, fast behavior is restored (the initial wait time).

SPF throttling is not a dampening mechanism; that is, SPF throttling does not prevent SPF calculations or mark any route, interface, or router as down. SPF throttling simply increases the intervals between SPF calculations.
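The throttling sequence in the list above can be worked through for a burst of topology changes. The Python below is an added example, not ASA code; it assumes that a trigger arriving while an SPF is already scheduled is absorbed into that pending calculation, and that the quiet period is measured from the most recent trigger.

```python
"""Model of IS-IS SPF throttling as described for the spf-interval command.

Constructed example. Timer values follow the command's defaults:
spf-max-wait 10 s, spf-initial-wait 5500 ms, spf-second-wait 5500 ms.
"""


def spf_wait_ms(n, max_wait_s=10, initial_wait_ms=5500, second_wait_ms=5500):
    """Wait before SPF number n (0-based) since the last reset, in milliseconds.

    n == 0 uses spf-initial-wait, n == 1 uses spf-second-wait, and each later
    wait is twice the previous one until it reaches spf-max-wait.
    """
    if n == 0:
        return initial_wait_ms
    if n == 1:
        return second_wait_ms
    return min(second_wait_ms * 2 ** (n - 1), max_wait_s * 1000)


def schedule_spf(trigger_times_ms, max_wait_s=10, initial_wait_ms=5500,
                 second_wait_ms=5500):
    """Return the times (ms) at which SPF runs for the given topology-change triggers."""
    quiet_ms = 2 * max_wait_s * 1000  # no triggers for this long: fast behaviour restored
    runs, pending, last_trigger, n = [], None, None, 0
    for t in sorted(trigger_times_ms):
        if pending is not None and pending <= t:
            runs.append(pending)  # the scheduled SPF ran before this trigger arrived
            pending = None
        if last_trigger is not None and t - last_trigger >= quiet_ms:
            n = 0                 # network calmed down: back to spf-initial-wait
        last_trigger = t
        if pending is None:       # assumption: otherwise the trigger is absorbed
            pending = t + spf_wait_ms(n, max_wait_s, initial_wait_ms, second_wait_ms)
            n += 1
    if pending is not None:
        runs.append(pending)
    return runs


if __name__ == "__main__":
    # Constructed burst of topology changes with the default timers
    triggers = [0, 1000, 6000, 12000, 20000, 60000]
    for run in schedule_spf(triggers):
        print(f"SPF at {run / 1000:.1f} s")
```

With the default timers, six triggers inside a minute produce only four SPF runs, and the wait grows from 5.5 s to the 10 s cap before the quiet period resets it.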

Examples

The following example configures intervals for SPF calculations, partial route calculation (PRC), and link-state packet (LSP) generation:


ciscoasa(config)# router isis
ciscoasa(config-router)# spf-interval 5 10 20
ciscoasa(config-router)# prc-interval 5 10 20
ciscoasa(config-router)# lsp-gen-interval 2 50 100

split-dns

To enter a list of domains to be resolved through the split tunnel, use the split-dns command in group-policy configuration mode. To delete a list, use the no form of this command.

To delete all split tunneling domain lists, use the no split-dns command without arguments. This deletes all configured split tunneling domain lists, including a null list created by issuing the split-dns none command.

When there are no split tunneling domain lists, users inherit any that exist in the default group policy. To prevent users from inheriting such split tunneling domain lists, use the split-dns none command.

split-dns { value domain-name1 domain-name2 domain-nameN | none }

no split-dns [ domain-name1 domain-name2 domain-nameN ]

Syntax Description

value domain-name

Provides a domain name that the ASA resolves through the split tunnel.

none

Indicates that there is no split DNS list. Sets a split DNS list with a null value, thereby disallowing a split DNS list. Prevents inheriting a split DNS list from a default or specified group policy.

Command Default

Split DNS is disabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
Group-policy configuration  Yes       -               Yes       -          -

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

Use a single space to separate each entry in the list of domains. There is no limit on the number of entries, but the entire string can be no longer than 492 characters. You can use only alphanumeric characters, hyphens (-), and periods (.).

The no split-dns command, when used without arguments, deletes all current values, including a null value created by issuing the split-dns none command.

Starting with version 3.0.4235, Secure Client supports true split DNS functionality for Windows platforms.

Examples

The following example shows how to configure the domains Domain1, Domain2, Domain3 and Domain4 to be resolved through split tunneling for the group policy named FirstGroup:


ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# split-dns value Domain1 Domain2 Domain3 Domain4

split-horizon

To reenable EIGRP split horizon, use the split-horizon command in interface configuration mode. To disable EIGRP split horizon, use the no form of this command.

split-horizon eigrp as-number

no split-horizon eigrp as-number

Syntax Description

as-number

The autonomous system number of the EIGRP routing process.

Command Default

The split-horizon command is enabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
Interface configuration     Yes       -               Yes       Yes        -

Command History

Release

Modification

8.0(2)

This command was added.

9.0(1)

Multiple context mode is supported.

Usage Guidelines

For networks that include links over X.25 packet-switched networks, you can use the neighbor command to defeat the split horizon feature. As an alternative, you can explicitly specify the no split-horizon eigrp command in your configuration. However, if you do so, you must similarly disable split horizon for all routers and access servers in any relevant multicast groups on that network.

In general, it is best that you not change the default state of split horizon unless you are certain that your application requires the change in order to properly advertise routes. If split horizon is disabled on a serial interface and that interface is attached to a packet-switched network, you must disable split horizon for all routers and access servers in any relevant multicast groups on that network.

Examples

The following example disables EIGRP split horizon on interface Ethernet0/0:


ciscoasa(config)# interface Ethernet0/0
ciscoasa(config-if)# no split-horizon eigrp 100

split-tunnel-all-dns

To enable the Secure Client to resolve all DNS addresses through the VPN tunnel, use the split-tunnel-all-dns command from group policy configuration mode.

To remove the command from the running configuration, use the no form of this command. This enables inheritance of the value from another group policy.

split-tunnel-all-dns { disable | enable }

no split-tunnel-all-dns [{ disable | enable }]

Syntax Description

disable (default)

The Secure Client sends DNS queries over the tunnel according to the split tunnel policy—tunnel all networks, tunnel networks specified in a network list, or exclude networks specified in a network list.

enable

The Secure Client resolves all DNS addresses through the VPN tunnel.

Command Default

The default is disabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
Group-policy configuration  Yes       -               Yes       -          -

Command History

Release

Modification

8.2(5)

This command was added.

Usage Guidelines

The split-tunnel-all-dns enable command applies to VPN connections using the SSL or IPsec/IKEv2 protocol, and instructs the Secure Client to resolve all DNS addresses through the VPN tunnel. If DNS resolution fails, the address remains unresolved and the Secure Client does not try to resolve the address through public DNS servers.

By default, this feature is disabled. The client sends DNS queries over the tunnel according to the split tunnel policy—tunnel all networks, tunnel networks specified in a network list, or exclude networks specified in a network list.

Examples

The following example configures the ASA to enable the Secure Client to resolve all DNS queries through the VPN tunnel:


ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# split-tunnel-all-dns enable

split-tunnel-network-list

To create a network list for split tunneling, use the split-tunnel-network-list command in group-policy configuration mode. To delete a network list, use the no form of this command.

split-tunnel-network-list { value access-list name | none }

no split-tunnel-network-list value [ access-list name ]

Syntax Description

none

Indicates that there is no network list for split tunneling; the ASA tunnels all traffic.

Sets a split tunneling network list with a null value, thereby disallowing split tunneling. Prevents inheriting a default split tunneling network list from a default or specified group policy.

value access-list name

Identifies an access list that enumerates the networks to tunnel or not tunnel.

Command Default

By default, there are no split tunneling network lists.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
Group-policy configuration  Yes       -               Yes       -          -

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The ASA makes split tunneling decisions on the basis of a network list, which is a standard ACL that consists of a list of addresses on the private network. Split tunneling network lists distinguish networks that require traffic to travel across the tunnel from those that do not require tunneling.

When there are no split tunneling network lists, users inherit any network lists that exist in the default or specified group policy. To prevent users from inheriting such network lists, use the split-tunnel-network-list none command.

To delete all split tunneling network lists, use the no split-tunnel-network-list command without arguments. This deletes all configured network lists, including a null list created by issuing the split-tunnel-network-list none command.


Note


Starting with version 9.7(1), you can specify up to 1200 split networks. In prior releases, the limit is 200 networks.


Examples

The following example shows how to set a network list called FirstList for the group policy named FirstGroup:


ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# split-tunnel-network-list value FirstList

split-tunnel-policy

To set a split tunneling policy, use the split-tunnel-policy command in group-policy configuration mode. To remove the split-tunnel-policy attribute from the running configuration, use the no form of this command.

split-tunnel-policy { tunnelall | tunnelspecified | excludespecified }

no split-tunnel-policy

Syntax Description

excludespecified

Defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option works with Secure Client only.

split-tunnel-policy

Indicates that you are setting rules for tunneling traffic.

tunnelall

Specifies that no traffic goes in the clear or to any other destination than the ASA. Remote users reach Internet networks through the corporate network and do not have access to local networks.

tunnelspecified

Tunnels all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear, and is routed by the remote user’s Internet service provider.

Command Default

Split tunneling is disabled by default, which is tunnelall .

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
Group-policy configuration  Yes       -               Yes       -          -

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

Split tunneling is primarily a traffic management feature, not a security feature. In fact, for optimum security, we recommend that you not enable split tunneling.

Removing the attribute with the no form of this command enables inheritance of a value for split tunneling from another group policy.

Split tunneling lets a remote-access VPN client conditionally direct packets over an IPsec or SSL tunnel in encrypted form, or to a network interface in cleartext form. With split-tunneling enabled, packets not bound for destinations on the other side of the IPsec or SSL VPN tunnel endpoint do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination.

Examples

The following example shows how to set a split tunneling policy of tunneling only specified networks for the group policy named FirstGroup:


ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
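The split-tunnel-policy, split-tunnel-network-list, split-dns and split-tunnel-all-dns attributes described in this chapter together decide, per destination and per DNS query, what leaves the client in the clear. The Python model below is an added example, not ASA or Secure Client code; it assumes the network list is the ACL's permit entries given as CIDR strings, and the rule that a query for a name outside the split-DNS list simply follows the route to its resolver is an assumption.

```python
"""Constructed model of ASA group-policy split-tunneling attributes."""
import ipaddress
from dataclasses import dataclass, field

POLICIES = ("tunnelall", "tunnelspecified", "excludespecified")
INHERIT = None  # attribute absent from the group policy: inherit it


def effective_list(group_value, default_value):
    """Resolve a list attribute the way split-dns and split-tunnel-network-list inherit.

    An absent list (INHERIT) takes the default group policy's value; the
    keyword "none" sets a null list, which blocks inheritance.
    """
    value = default_value if group_value is INHERIT else group_value
    if value is INHERIT or value == "none":
        return []
    return list(value)


@dataclass
class SplitTunnelPolicy:
    policy: str = "tunnelall"                          # split-tunnel-policy
    network_list: list = field(default_factory=list)   # split-tunnel-network-list (CIDR permits)
    split_dns: list = field(default_factory=list)      # split-dns value ...
    all_dns_through_tunnel: bool = False               # split-tunnel-all-dns enable

    def __post_init__(self):
        if self.policy not in POLICIES:
            raise ValueError(f"unknown split-tunnel-policy {self.policy!r}")
        self._nets = [ipaddress.ip_network(n, strict=False) for n in self.network_list]
        self._domains = [d.lower().strip(".") for d in self.split_dns]

    def tunnels(self, destination):
        """True when packets to destination are sent through the VPN tunnel."""
        ip = ipaddress.ip_address(destination)
        if self.policy == "tunnelall":
            return True  # nothing goes in the clear
        listed = any(ip in net for net in self._nets)
        # tunnelspecified tunnels only the listed networks;
        # excludespecified sends the listed networks in the clear and tunnels the rest
        return listed if self.policy == "tunnelspecified" else not listed

    def in_split_dns(self, qname):
        """True when qname falls under a domain in the split-dns list."""
        name = qname.lower().strip(".")
        return any(name == d or name.endswith("." + d) for d in self._domains)

    def dns_via_tunnel(self, qname, resolver):
        """True when a DNS query for qname, sent to resolver, travels through the tunnel."""
        if self.all_dns_through_tunnel:
            return True  # split-tunnel-all-dns enable: every query uses the tunnel
        if self.in_split_dns(qname):
            return True  # the domain is in the split-dns list
        # Assumption: any other query follows the route to its resolver
        return self.tunnels(resolver)


if __name__ == "__main__":
    # Constructed policy: FirstGroup, tunnelspecified, FirstList = 10.0.0.0/8
    fg = SplitTunnelPolicy("tunnelspecified", ["10.0.0.0/8"], ["corp.example"])
    for dst in ("10.20.30.40", "203.0.113.9"):
        print(dst, "tunnel" if fg.tunnels(dst) else "clear")
```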

spoof-server

To substitute a string for the server header field for HTTP protocol inspection, use the spoof-server command in parameters configuration mode. To disable this feature, use the no form of this command.

spoof-server string

no spoof-server string

Syntax Description

string

String to substitute for the server header field. 82 characters maximum.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
Parameters configuration    Yes       Yes             Yes       Yes        -

Command History

Release

Modification

7.2(1)

This command was added.

Usage Guidelines

WebVPN streams are not subject to the spoof-server command.

Examples

The following example shows how to substitute a string for the server header field in an HTTP inspection policy map:


ciscoasa(config-pmap-p)# spoof-server string

sq-period

To specify the interval between each successful posture validation in a NAC Framework session and the next query for changes in the host posture, use the sq-period command in nac-policy-nac-framework configuration mode. To remove the command from the NAC policy, use the no form of this command.

sq-period seconds

no sq-period [ seconds ]

Syntax Description

seconds

Number of seconds between each successful posture validation. The range is 30 to 1800.

Command Default

The default value is 300.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                              Firewall Mode             Security Context
                                          Routed    Transparent     Single    Multiple
                                                                              Context    System
Nac-policy-nac-framework configuration    Yes       -               Yes       -          -

Command History

Release

Modification

7.3(0)

“nac-” removed from command name. Command moved from group-policy configuration mode to nac-policy-nac-framework configuration mode.

7.2(1)

This command was added.

Usage Guidelines

The ASA starts the status query timer after each successful posture validation and status query response. The expiration of this timer triggers a query for changes in the host posture, referred to as a status query .

Examples

The following example changes the value of the status query timer to 1800 seconds:


ciscoasa(config-nac-policy-nac-framework)# sq-period 1800
ciscoasa(config-nac-policy-nac-framework)

The following example removes the status query timer from the NAC Framework policy:


ciscoasa(config-nac-policy-nac-framework)# no sq-period
ciscoasa(config-nac-policy-nac-framework)

srv-id

To configure a srv-id in a reference-identity object, use the srv-id command in ca-reference-identity mode. To delete a srv-id, use the no form of this command. You can access the ca-reference-identity mode by first entering the crypto ca reference-identity command to configure a reference-identity object.

srv-id value

no srv-id value

Syntax Description

value

Value of each reference-id.

srv-id

A subjectAltName entry of type otherName whose name form is SRVName as defined in RFC 4985. A SRV-ID identifier may contain both a domain name and an application service type. For example, a SRV-ID of “_imaps.example.net” would be split into a DNS domain name portion of “example.net” and an application service type portion of “imaps.”

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
ca-reference-identity       Yes       Yes             Yes       Yes        -

Command History

Release

Modification

9.6(2)

We introduced this command.

Usage Guidelines

Once a reference identity has been created, the four identifier types and their associated values can be added or deleted from the reference identity.

The reference identifiers MAY contain information identifying the application service and MUST contain information identifying the DNS domain name.
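The split of an SRV-ID into its application service type and DNS domain name, as described in the syntax description above, is shown here in Python. This is an added example rather than ASA code, and the matching rule it applies (service type and domain name must both be equal after case folding, and a malformed or wildcard presented identifier never matches) is an assumption about how a reference identity would be compared.

```python
"""Constructed example: SRV-ID (RFC 4985 SRVName) parsing and comparison."""
import re

_SERVICE_LABEL = re.compile(r"^_([A-Za-z0-9][A-Za-z0-9-]*)$")   # "_imaps" -> "imaps"
_DNS_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def split_srv_id(srv_id):
    """Split an SRV-ID such as '_imaps.example.net' into ('imaps', 'example.net').

    The leading underscore-prefixed label is the application service type;
    the remaining labels are the DNS domain name. Both are lower-cased.
    """
    labels = srv_id.strip().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"{srv_id!r}: need a service label and a domain name")
    service = _SERVICE_LABEL.match(labels[0])
    if service is None:
        raise ValueError(f"{srv_id!r}: {labels[0]!r} is not an underscore-prefixed service label")
    for label in labels[1:]:
        if _DNS_LABEL.match(label) is None:  # rejects empty labels and wildcards such as "*"
            raise ValueError(f"{srv_id!r}: invalid DNS label {label!r}")
    return service.group(1).lower(), ".".join(labels[1:]).lower()


def is_valid_srv_id(srv_id):
    """True when srv_id is a well-formed SRV-ID."""
    try:
        split_srv_id(srv_id)
        return True
    except ValueError:
        return False


def srv_id_matches(reference, presented):
    """True when a SRV-ID presented in a certificate's subjectAltName matches the reference.

    Assumption for this example: the service type and the domain name must
    both be equal after case folding; a presented identifier that is not a
    well-formed SRV-ID never matches. The reference itself must be valid.
    """
    if not is_valid_srv_id(presented):
        return False
    return split_srv_id(reference) == split_srv_id(presented)


if __name__ == "__main__":
    print(split_srv_id("_imaps.example.net"))      # ('imaps', 'example.net')
    print(srv_id_matches("_imaps.example.net", "_imap.example.net"))  # False
```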

Examples

The following example creates a reference-identity for a syslog server:


ciscoasa(config)# crypto ca reference-identity syslogServer
ciscoasa(config-ca-ref-identity)# dns-id syslog1-bxb.cisco.com
ciscoasa(config-ca-ref-identity)# cn-id syslog1-bxb.cisco.com

ss7 variant

To identify the SS7 variant used in your network for M3UA inspection, use the ss7 variant command in parameters configuration mode. You can access the parameters configuration mode by first entering the policy-map type inspect m3ua command. Use the no form of this command to return to the default SS7 variant.

ss7 variant { ITU | ANSI | Japan | China }

no ss7 variant { ITU | ANSI | Japan | China }

Syntax Description

ITU

The ITU variant. This is the default.

ANSI

The ANSI variant.

Japan

The Japan variant.

China

The China variant.

Command Default

The default is the ITU SS7 variant.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
Parameters configuration    Yes       Yes             Yes       Yes        -

Command History

Release

Modification

9.6(2)

This command was added.

Usage Guidelines

Use this command to identify the SS7 variant used in your network. After you configure the option and deploy an M3UA policy, you cannot change it unless you first remove the policy.

The variant determines the format of the point codes used in M3UA messages.

  • ITU—Point codes are 14 bit in 3-8-3 format. The value ranges are [0-7]-[0-255]-[0-7]. This is the default SS7 variant.

  • ANSI—Point codes are 24 bit in 8-8-8 format. The value ranges are [0-255]-[0-255]-[0-255].

  • Japan—Point codes are 16 bit in 5-4-7 format. The value ranges are [0-31]-[0-15]-[0-127].

  • China—Point codes are 24 bit in 8-8-8 format. The value ranges are [0-255]-[0-255]-[0-255].
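The point-code layouts in the list above are small enough to check directly. The following Python is an added example, not ASA inspection code; it parses and validates the dashed a-b-c notation for each variant and packs it into the integer field carried in M3UA messages, so a point code that is legal under ANSI but out of range under ITU is rejected when validated against the variant the policy uses.

```python
"""Constructed example: SS7 point codes for the variants the ss7 variant command accepts."""

# variant -> field widths in bits, most significant field first
POINT_CODE_FORMATS = {
    "ITU":   (3, 8, 3),  # 14-bit, [0-7]-[0-255]-[0-7]; the default variant
    "ANSI":  (8, 8, 8),  # 24-bit, [0-255]-[0-255]-[0-255]
    "Japan": (5, 4, 7),  # 16-bit, [0-31]-[0-15]-[0-127]
    "China": (8, 8, 8),  # 24-bit, [0-255]-[0-255]-[0-255]
}


def point_code_bits(variant):
    """Total width of a point code for the variant (14, 24, 16 or 24 bits)."""
    return sum(POINT_CODE_FORMATS[variant])


def parse_point_code(text, variant):
    """Return the integer point code for an 'a-b-c' string in the variant's layout."""
    widths = POINT_CODE_FORMATS[variant]  # KeyError for a variant the command does not accept
    parts = text.strip().split("-")
    if len(parts) != len(widths):
        raise ValueError(f"{text!r}: expected {len(widths)} fields")
    value = 0
    for part, width in zip(parts, widths):
        if not part.isdigit():
            raise ValueError(f"{text!r}: field {part!r} is not a number")
        n = int(part)
        if n >= 1 << width:
            raise ValueError(f"{text!r}: {n} exceeds the {width}-bit field for {variant}")
        value = (value << width) | n
    return value


def format_point_code(value, variant):
    """Inverse of parse_point_code: render an integer point code as 'a-b-c'."""
    widths = POINT_CODE_FORMATS[variant]
    if not 0 <= value < 1 << sum(widths):
        raise ValueError(f"{value} does not fit in {sum(widths)} bits for {variant}")
    fields = []
    for width in reversed(widths):        # peel fields off from the least significant end
        fields.append(str(value & ((1 << width) - 1)))
        value >>= width
    return "-".join(reversed(fields))


def is_valid_point_code(text, variant):
    """True when text is a well-formed, in-range point code for the variant."""
    try:
        parse_point_code(text, variant)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    # Constructed sample: the same string is valid under ANSI but not under ITU
    for variant in ("ANSI", "ITU"):
        print(variant, "2-150-9", is_valid_point_code("2-150-9", variant))
```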

Examples

The following example sets the SS7 variant to ITU:


ciscoasa(config)# policy-map type inspect m3ua m3ua-map
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# ss7 variant ITU

ssh

To add SSH access to the ASA, use the ssh command in global configuration mode. To disable SSH access to the ASA, use the no form of this command.

ssh { ip_address mask | ipv6_address/prefix } interface

no ssh { ip_address mask | ipv6_address/prefix } interface

Syntax Description

interface

The ASA interface on which SSH is enabled. Specify any named interface. For bridge groups, specify the bridge group member interface. For VPN management access only (see the management-access command), specify the named BVI interface.

ip_address

IPv4 address of the host or network authorized to initiate an SSH connection to the ASA.

ipv6_address/prefix

The IPv6 address and prefix of the host or network authorized to initiate an SSH connection to the ASA.

mask

Network mask for ip_address.

Command Default

No default behaviors or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                Firewall Mode             Security Context
                            Routed    Transparent     Single    Multiple
                                                                Context    System
Global configuration        Yes       Yes             Yes       Yes        -

Command History

Release

Modification

7.0(1)

This command was added.

8.4(2)

You can no longer connect to the ASA using SSH with the pix or asa username and the login password. To use SSH, you must configure AAA authentication using the aaa authentication ssh console LOCAL command (CLI) or Configuration > Device Management > Users/AAA > AAA Access > Authentication (ASDM); then define a local user by entering the username command (CLI) or choosing Configuration > Device Management > Users/AAA > User Accounts (ASDM). If you want to use a AAA server for authentication instead of the local database, we recommend also configuring local authentication as a backup method.

8.4(4.1), 9.1(2)

You can enable public key authentication for SSH connections to the ASA on a per-user basis with the ssh authentication command.

9.1(2)

The SSH server implementation in the ASA now supports AES-CTR mode encryption.

9.1(7)/9.4(3)/9.5(3)/9.6(1)

You can configure encryption and integrity ciphers for SSH access using the ssh cipher encryption and ssh cipher integrity commands.

9.6(2)

The aaa authentication ssh console LOCAL command is required for ssh authentication. In Version 9.6(2) and later, you can create a username without any password defined, so you can require public key authentication only.

9.7(1)

If you have a directly-connected SSH management station, you can use a /31 subnet on the ASA and the host to create a point-to-point connection.

9.6(3)/9.8(1)

Separate authentication for users with SSH public key authentication and users with passwords. You no longer have to explicitly enable AAA SSH authentication (aaa authentication ssh console) ; when you configure the ssh authentication command for a user, local authentication is enabled by default for users with this type of authentication. Moreover, when you explicitly configure AAA SSH authentication, this configuration only applies for usernames with passwords, and you can use any AAA server type.

9.9(2)

Virtual interfaces can now be specified.

Usage Guidelines

The ssh ip_address command specifies hosts or networks that are authorized to initiate an SSH connection to the ASA. You can have multiple ssh commands in the configuration.

Before you can begin using SSH to the ASA, you must generate a default RSA key using the crypto key generate rsa command.

To access the ASA interface for SSH access, you do not also need an access rule allowing the host IP address. You only need to configure SSH access according to this section.

SSH access to an interface other than the one from which you entered the ASA is not supported. For example, if your SSH host is located on the outside interface, you can only initiate a management connection directly to the outside interface. The only exception to this rule is through a VPN connection (see the management-access command).

The ASA allows a maximum of 5 concurrent SSH connections per context/single mode, with a maximum of 100 connections divided among all contexts.

The ASA supports the SSH remote shell functionality provided in SSH Version 2 and supports DES and 3DES ciphers.

The following SSH Version 2 features are not supported on the ASA:

  • X11 forwarding

  • Port forwarding

  • SFTP support

  • Kerberos and AFS ticket passing

  • Data compression

To use SSH with a username and password, you must configure AAA authentication using the aaa authentication ssh console LOCAL command; then define a local user by entering the username command. If you want to use a AAA server for authentication instead of the local database, we recommend also configuring local authentication as a backup method.

To use SSH with a local username and public key authentication, configure the ssh authentication command. Only the local database is supported.

In Version 9.6(2) and 9.7(1), the aaa authentication ssh console LOCAL command is required for ssh authentication. In Version 9.6(2) and later, you can create a username without any password defined, so you can require public key authentication only.


Note


Do not use the username command nopassword option to avoid having to create a username with a password; the nopassword option allows any password to be entered, not no password. If you configure the aaa command, then the nopassword option creates a security problem.

For 9.6(1) and earlier and for 9.6(3)/9.8(1) and later, you do not have to configure the aaa authentication ssh console LOCAL command; this command only applies to users with passwords, and you can specify any server type, not just LOCAL. For example, some users can use public key authentication using the local database, and other users can use passwords with RADIUS. If you do configure the aaa authentication ssh console LOCAL command, you can choose to log in with either the username password, or with the private key.

Examples

The following example shows how to generate RSA keys and let a host on the inside interface with an address of 192.168.1.2 access the ASA:


ciscoasa(config)# crypto key generate rsa modulus 1024
ciscoasa(config)# write memory
ciscoasa(config)# aaa authentication ssh console LOCAL
 
WARNING: local database is empty! Use 'username' command to define local users.
ciscoasa(config)# username exampleuser1 password examplepassword1 privilege 15
ciscoasa(config)# ssh 192.168.1.2 255.255.255.255 inside
ciscoasa(config)# ssh timeout 30
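The ssh command's address and mask together define who may open a management connection, so the mask deserves the same review as a firewall rule: a host address given with a network mask admits the whole network, not that host. The following added example (it is not part of this reference and not Cisco code) parses the ssh access lines out of a running configuration with Python's standard ipaddress module, reports any entry that admits more than one host, and answers whether a given client address is permitted on a given interface. The configuration text, addresses and interface names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of the `ssh` lines in a running configuration; the
# addresses and interface names are made up for this example.
SAMPLE_CONFIG = """\
ssh 192.168.1.2 255.255.255.255 inside
ssh 10.1.1.1 255.255.255.0 inside
ssh 2001:db8:10::5/128 management
ssh 2001:db8:20::/64 outside
ssh timeout 30
ssh version 2
"""

# ssh <ipv4> <mask> <interface>   and   ssh <ipv6>/<prefix> <interface>
_SSH_V4 = re.compile(r"^ssh\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")
_SSH_V6 = re.compile(r"^ssh\s+([0-9A-Fa-f:]+/\d{1,3})\s+(\S+)$")


def parse_ssh_allowlist(config_text):
    """Return (network, interface) pairs for every `ssh` access line.
    Settings such as `ssh timeout` or `ssh version` are not access lines and
    are skipped. strict=False lets ipaddress normalise a host address given
    with a network mask (10.1.1.1 255.255.255.0) to the network it admits."""
    entries = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m4 = _SSH_V4.match(line)
        if m4:
            net = ipaddress.ip_network(f"{m4.group(1)}/{m4.group(2)}", strict=False)
            entries.append((net, m4.group(3)))
            continue
        m6 = _SSH_V6.match(line)
        if m6:
            entries.append((ipaddress.ip_network(m6.group(1), strict=False), m6.group(2)))
    return entries


def format_entry(net, iface):
    """Render an entry back in the command's own syntax."""
    if net.version == 4:
        return f"ssh {net.network_address} {net.netmask} {iface}"
    return f"ssh {net.with_prefixlen} {iface}"


def audit_ssh_allowlist(config_text):
    """Return (entry_text, address_count) for every entry that admits more
    than one host. A single management station should be a /32 or /128."""
    return [(format_entry(net, iface), net.num_addresses)
            for net, iface in parse_ssh_allowlist(config_text)
            if net.num_addresses > 1]


def is_ssh_permitted(config_text, client_ip, interface):
    """True if a client at client_ip may open SSH to the named interface."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net and iface == interface
               for net, iface in parse_ssh_allowlist(config_text))


if __name__ == "__main__":
    for text, count in audit_ssh_allowlist(SAMPLE_CONFIG):
        print(f"{text}: permits {count} addresses")
```

Run against the sample, the audit reports the two entries that are networks rather than hosts, and is_ssh_permitted shows that 10.1.1.200 is accepted on inside although only 10.1.1.1 was presumably meant. The check is per interface, matching the reference's rule that SSH is only accepted on the interface the client actually reaches.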

ssh authentication

To enable SSH public key authentication on a per-user basis, use the ssh authentication command in username attributes mode. To disable public key authentication on a per-user basis, use the no form of this command.

ssh authentication { pkf | publickey [ nointeractive ] key [ hashed ] }

no ssh authentication { pkf | publickey [ nointeractive ] key [ hashed ] }

Syntax Description

hashed

When you view the key on the ASA using the show running-config username command, the key is encrypted using a SHA-256 hash. Even if you entered the key as pkf, the ASA hashes the key, and shows it as a hashed publickey. If you need to copy the key from show output, specify the publickey type with the hashed keyword.

key

The value of the key argument can be one of the following:

  • When the key argument is supplied and the hashed tag is not specified, the value of the key must be a Base 64 encoded public key that is generated by SSH key generation software that can generate ssh-rsa, ecdsa-sha2-nistp, or ssh-ed25519 raw keys (that is, with no certificates). After you submit the Base 64 encoded public key, that key is then hashed via SHA-256 and the corresponding 32-byte hash is used for all further comparisons.

  • When the key argument is supplied and the hashed tag is specified, the value of the key must have been previously hashed with SHA-256 and be 32 bytes long, with each byte separated by a colon (for parsing purposes).

nointeractive

The nointeractive option suppresses all prompts when importing an SSH public key file formatted key. This noninteractive data entry mode is only intended for ASDM use.

pkf

For a pkf key, you are prompted to paste in a PKF formatted key, up to 4096 bits. Use this format for keys that are too large to paste inline in Base64 format. For example, you can generate a 4096-bit key using ssh-keygen, then convert it to PKF, and use the pkf keyword to be prompted for the key.

Note

 
You can use the pkf option with failover, but the PKF key is not automatically replicated to the standby system. You must enter the write standby command to synchronize the PKF key.

publickey

For a publickey, the key is a Base64-encoded public key. You can generate the key using any SSH key generation software (such as ssh-keygen) that can generate SSH-RSA raw keys (with no certificates).

Command Default

No default behaviors or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode              Security Context
                       Routed    Transparent      Single    Multiple
                                                            Context    System
Username attributes    Yes       Yes              Yes       Yes

Command History

Release

Modification

8.4(4.1), 9.1(2)

This command was added.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).

9.1(2)

We added the pkf keyword and support for keys up to 4096-bits.

9.6(2)

The aaa authentication ssh console LOCAL command is required for ssh authentication. In Version 9.6(2) and later, you can create a username without any password defined, so you can require public key authentication only.

9.6(3)/9.8(1)

Separate authentication for users with SSH public key authentication and users with passwords. You no longer have to explicitly enable AAA SSH authentication (aaa authentication ssh console); when you configure the ssh authentication command for a user, local authentication is enabled by default for users with this type of authentication. Moreover, when you explicitly configure AAA SSH authentication, this configuration only applies for usernames with passwords, and you can use any AAA server type.

9.16(1)

Support for EdDSA and ECDSA keys was added.

Usage Guidelines

For a local username, you can enable public key authentication instead of password authentication. You can generate a public key/private key pair using any SSH key generation software (such as ssh-keygen) that can generate ssh-rsa, ecdsa-sha2-nistp, or ssh-ed25519 raw keys (with no certificates). Use the ssh authentication command to enter the public key on the ASA. The SSH client then uses the private key (and the passphrase you used to create the key pair) to connect to the ASA.

Only the local database is supported.

When you save the configuration, the hashed key value is saved to the configuration and used when the ASA is rebooted.

In Version 9.6(2) and 9.7(1), the aaa authentication ssh console LOCAL command is required for ssh authentication. In Version 9.6(2) and later, you can create a username without any password defined, so you can require public key authentication only.


Note


Do not use the username command nopassword option to avoid having to create a username with a password; the nopassword option allows any password to be entered, not no password. If you configure the aaa command, then the nopassword option creates a security problem.

For 9.6(1) and earlier and for 9.6(3)/9.8(1) and later, you do not have to configure the aaa authentication ssh console LOCAL command; this command only applies to users with passwords, and you can specify any server type, not just LOCAL. For example, some users can use public key authentication using the local database, and other users can use passwords with RADIUS. If you do configure the aaa authentication ssh console LOCAL command, you can choose to log in with either the username password, or with the private key.

Examples

The following example shows how to authenticate using a PKF formatted key:


ciscoasa(config)# crypto key generate eddsa edwards-curve ed25519
ciscoasa(config)# write memory
ciscoasa(config)# username deanwinchester password examplepassword1 privilege 15
ciscoasa(config)# username deanwinchester attributes
ciscoasa(config-username)# ssh authentication pkf
Enter an SSH public key formatted file.
End with the word "quit" on a line by itself:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "256-bit ED25519, converted by dean@dwinchester-mac from "
AAAAC3NzaC1lZDI1NTE5AAAAIDmIeTNfEOnuH0094p1MKX80fW2O216g4trnf7gwWe5Q
---- END SSH2 PUBLIC KEY ----
quit
INFO: Import of an SSH public key formatted file SUCCEEDED.
ciscoasa(config-username)# aaa authentication ssh console LOCAL
ciscoasa(config)# ssh 192.168.1.2 255.255.255.255 inside
         

ssh cipher encryption

Users can select encryption and integrity algorithms when configuring SSH access. For fine-grained control over the SSH encryption algorithms, use the ssh cipher encryption command in global configuration mode. Predefined levels are available, each corresponding to a particular set of algorithms. You can also define a custom list by specifying multiple colon-delimited algorithms. To restore the default, use the no form of this command.

ssh cipher encryption { all | fips | high | low | medium | custom encryption_1 [: encryption_2 [: ...encryption_n ]]}

no ssh cipher encryption { all | fips | high | low | medium | custom encryption_1 [: encryption_2 [: ...encryption_n ]]}

Syntax Description

all

Specifies that all encryption algorithms are accepted.

custom encryption_1 [ : encryption_2 [ : ... encryption_n ]]

Specifies a custom set of encryption algorithms. Enter the show ssh ciphers command to view all available encryption algorithms. For example:

custom 3des-cbc:aes192-cbc:aes256-ctr

fips

Specifies only FIPS-compliant encryption algorithms.

high

Specifies only high strength encryption algorithms.

low

Specifies low, medium, and high strength encryption algorithms.

medium

Specifies the medium and high strength encryption algorithms.

Command Default

Medium is the default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode              Security Context
                       Routed    Transparent      Single    Multiple
                                                            Context    System
Global configuration   Yes       Yes              Yes       Yes

Command History

Release

Modification

9.1(7)/9.4(3)/9.5(3)/9.6(1)

This command was added.

9.16(1)

We added the chacha20-poly1305@openssh.com and aes128-gcm@openssh.com algorithms.

Usage Guidelines

This command is used with the ssh cipher integrity command. For encryption algorithms, the following values are possible:

  • all—3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes128-gcm@openssh.com chacha20-poly1305@openssh.com aes192-ctr aes256-ctr

  • fips—aes128-cbc aes256-cbc aes128-gcm@openssh.com

  • high—aes256-cbc aes128-gcm@openssh.com chacha20-poly1305@openssh.com aes256-ctr

  • low—3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr

  • medium—3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr


Note


If FIPS mode is enabled, then only the FIPS encryption and integrity algorithms are allowed.

Optionally, some of the algorithms can be deselected. When FIPS mode is enabled, the intersection of the currently configured algorithms and the FIPS-compliant algorithms is calculated. If not NULL, the resulting configuration is used. If NULL, then the default FIPS-compliant algorithms are used.

The performance of secure copy depends partly on the encryption cipher used. If you choose the medium cipher set, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then the performance is much slower than a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use the ssh cipher encryption command; for example, ssh cipher encryption custom aes128-cbc.

Examples

The following example shows the configuration of some custom SSH encryption algorithms:


ciscoasa(config)# ssh cipher encryption custom 3des-cbc:aes128-cbc:aes192-cbc
         

ssh cipher integrity

Users can select encryption and integrity cipher modes when configuring SSH access. For fine-grained control over the SSH integrity algorithms, use the ssh cipher integrity command in global configuration mode. Predefined levels are available, each corresponding to a particular set of algorithms. You can also define a custom list by specifying multiple colon-delimited algorithms. To restore the default, use the no form of this command.

ssh cipher integrity { all | fips | high | low | medium | custom algorithm_1 [: algorithm_2 [: ...algorithm_n ]]}

no ssh cipher integrity { all | fips | high | low | medium | custom algorithm_1 [: algorithm_2 [: ...algorithm_n ]]}

Syntax Description

all

Specifies that all integrity algorithms are accepted.

custom algorithm_1 [: algorithm_2 [: ...algorithm_n ]]

Specifies a custom set of integrity algorithms. Enter the show ssh ciphers command to view all available integrity algorithms. For example:

custom hmac-sha1:hmac-sha1-96:hmac-md5-96

fips

Specifies only FIPS-compliant integrity algorithms.

high

Specifies only high strength integrity algorithms.

low

Specifies low, medium, and high strength integrity algorithms.

medium

Specifies the medium and high strength integrity algorithms.

Command Default

(9.12 and later) High is the default.

(9.10 and earlier) Medium is the default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode              Security Context
                       Routed    Transparent      Single    Multiple
                                                            Context    System
Global configuration   Yes       Yes              Yes       Yes

Command History

Release

Modification

9.1(7)/9.4(3)/9.5(3)/9.6(1)

This command was added.

9.12(1)

We added HMAC-SHA256 integrity cipher support. The default is now the high security set of ciphers (hmac-sha1 and hmac-sha2-256). The former default was the medium set.

9.13(1)

The following integrity algorithm values are considered insecure and deprecated:

  • all: hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-sha2-256

  • low: hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-sha2-256

  • medium: hmac-sha1-96

These values will be removed in a later release.

Usage Guidelines

This command is used with the ssh cipher encryption command. For integrity algorithms, the following values are possible:

  • all—hmac-sha1, hmac-sha1-96(Deprecated), hmac-md5(Deprecated), hmac-md5-96(Deprecated), hmac-sha2-256(Deprecated)

  • fips—hmac-sha1, hmac-sha2-256

  • high—hmac-sha1, hmac-sha2-256

  • low—hmac-sha1, hmac-sha1-96(Deprecated), hmac-md5(Deprecated), hmac-md5-96(Deprecated), hmac-sha2-256(Deprecated)

  • medium—hmac-sha1, hmac-sha1-96(Deprecated), hmac-md5, hmac-md5-96, hmac-sha2-256


Note


If FIPS mode is enabled, then only the FIPS encryption and integrity algorithms are allowed.

Optionally, some of the algorithms can be deselected. When FIPS mode is enabled, the intersection of the currently configured algorithms and the FIPS-compliant algorithms is calculated. If not NULL, the resulting configuration is used. If NULL, then the default FIPS-compliant algorithms are used.

Examples

The following example shows the configuration of some custom SSH integrity algorithms:


ciscoasa(config)# ssh cipher integrity custom hmac-sha1-96:hmac-md5
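The FIPS rule in the notes above (intersect the configured list with the FIPS set, fall back to the FIPS default when nothing is left) and the ordering rule in the encryption guidelines (the first algorithm in the list is proposed first) are easy to get wrong when reviewing a configuration by eye. The following added example, which is not part of this reference and not Cisco code, encodes the algorithm sets exactly as the two Usage Guidelines sections list them and computes the effective list for a given ssh cipher encryption or ssh cipher integrity argument, with and without FIPS mode, and lists the deprecated integrity algorithms a setting would still offer. The deprecated set is taken from the 9.13(1) history entry; it keeps the three names deprecated in every set that contains them and leaves out hmac-sha2-256, which the high and fips sets still list as supported.

```python
# Algorithm sets as listed in the Usage Guidelines for ssh cipher encryption
# and ssh cipher integrity, in the order this reference gives them.
ENCRYPTION_SETS = {
    "all": ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr",
            "aes128-gcm@openssh.com", "chacha20-poly1305@openssh.com",
            "aes192-ctr", "aes256-ctr"],
    "fips": ["aes128-cbc", "aes256-cbc", "aes128-gcm@openssh.com"],
    "high": ["aes256-cbc", "aes128-gcm@openssh.com",
             "chacha20-poly1305@openssh.com", "aes256-ctr"],
    "low": ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
            "aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "medium": ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
               "aes128-ctr", "aes192-ctr", "aes256-ctr"],
}
INTEGRITY_SETS = {
    "all": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96", "hmac-sha2-256"],
    "fips": ["hmac-sha1", "hmac-sha2-256"],
    "high": ["hmac-sha1", "hmac-sha2-256"],
    "low": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96", "hmac-sha2-256"],
    "medium": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96", "hmac-sha2-256"],
}
# Integrity algorithms the 9.13(1) history entry deprecates in every set
# that contains them (hmac-sha2-256 stays in the high and fips sets).
DEPRECATED_INTEGRITY = {"hmac-sha1-96", "hmac-md5", "hmac-md5-96"}


def parse_cipher_setting(setting, table):
    """setting is the argument of ssh cipher encryption/integrity: a level
    name such as "medium" or "custom a:b:c". Returns the ordered list."""
    parts = setting.split()
    if parts[0] == "custom":
        if len(parts) != 2:
            raise ValueError("custom takes one colon-delimited algorithm list")
        algs = parts[1].split(":")
        unknown = [a for a in algs if a not in table["all"]]
        if unknown:
            raise ValueError(f"unknown algorithm(s): {unknown}")
        return algs
    if parts[0] not in table:
        raise ValueError(f"unknown level: {parts[0]}")
    return list(table[parts[0]])


def effective_algorithms(setting, table, fips_mode=False):
    """Apply the FIPS rule from the note: keep the configured algorithms that
    are FIPS-compliant, in configured order; if none remain, use the FIPS
    default set."""
    configured = parse_cipher_setting(setting, table)
    if not fips_mode:
        return configured
    kept = [a for a in configured if a in table["fips"]]
    return kept if kept else list(table["fips"])


def first_proposed(setting, table, fips_mode=False):
    """The algorithm the ASA proposes first for this setting."""
    return effective_algorithms(setting, table, fips_mode)[0]


def deprecated_integrity_in(setting):
    """Deprecated integrity algorithms that a setting would still offer."""
    return [a for a in parse_cipher_setting(setting, INTEGRITY_SETS)
            if a in DEPRECATED_INTEGRITY]


if __name__ == "__main__":
    print(effective_algorithms("custom 3des-cbc:aes128-cbc:aes192-cbc",
                               ENCRYPTION_SETS, fips_mode=True))
    print(deprecated_integrity_in("custom hmac-sha1-96:hmac-md5"))
```

Applied to the page's own examples: the encryption list 3des-cbc:aes128-cbc:aes192-cbc shrinks to aes128-cbc under FIPS mode, the integrity list hmac-sha1-96:hmac-md5 has no FIPS member and therefore silently becomes the FIPS default, and both of its entries are on the deprecated list, so a configuration review should catch that before an upgrade removes them.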

ssh disconnect

To disconnect an active SSH session, use the ssh disconnect command in privileged EXEC mode.

ssh disconnect session_id

Syntax Description

session_id

Disconnects the SSH session specified by the ID number.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode              Security Context
                       Routed    Transparent      Single    Multiple
                                                            Context    System
Privileged EXEC        Yes       Yes              Yes       Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

You must specify a session ID. Use the show ssh sessions command to obtain the ID of the SSH session you want to disconnect.

Examples

The following example shows an SSH session being disconnected:


ciscoasa# show ssh sessions
SID Client IP       Version Mode Encryption Hmac     State           Username
0   172.69.39.39    1.99    IN   aes128-cbc md5      SessionStarted  pat
                            OUT  aes128-cbc md5      SessionStarted  pat
1   172.23.56.236   1.5     -    3DES       -        SessionStarted  pat
2   172.69.39.29    1.99    IN   3des-cbc   sha1     SessionStarted  pat
                            OUT  3des-cbc   sha1     SessionStarted  pat
ciscoasa# ssh disconnect 2
ciscoasa# show ssh sessions
SID Client IP       Version Mode Encryption Hmac     State           Username
0   172.69.39.29    1.99    IN   aes128-cbc md5      SessionStarted  pat
                            OUT  aes128-cbc md5      SessionStarted  pat
1   172.23.56.236   1.5     -    3DES       -        SessionStarted  pat
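The show ssh sessions table is also the place to spot sessions worth disconnecting on security grounds, not only the one you happen to want gone. The following added example (not part of this reference, not Cisco code) parses that table, including the two-line IN/OUT rows, and reports session IDs whose client still speaks SSH-1 or whose negotiated ciphers are among the weak ones this reference describes (3des-cbc at the bottom of the encryption sets, md5 HMACs among the deprecated integrity algorithms). The sample input is the output shown above; the mapping from the display names to those lists and the treatment of version 1.99 as the SSH-2 compatibility identifier from RFC 4253 are assumptions of the example.

```python
# Output of show ssh sessions as shown in the example above, used here as
# constructed sample input.
SAMPLE_SESSIONS = """\
SID Client IP       Version Mode Encryption Hmac     State           Username
0   172.69.39.39    1.99    IN   aes128-cbc md5      SessionStarted  pat
                            OUT  aes128-cbc md5      SessionStarted  pat
1   172.23.56.236   1.5     -    3DES       -        SessionStarted  pat
2   172.69.39.29    1.99    IN   3des-cbc   sha1     SessionStarted  pat
                            OUT  3des-cbc   sha1     SessionStarted  pat
"""

# Display names as they appear in the table (assumed mapping): 3des-cbc is the
# weakest algorithm in the encryption sets; md5-based and truncated HMACs are
# deprecated in the integrity sets.
WEAK_ENCRYPTION = {"3des-cbc", "3DES"}
WEAK_HMAC = {"md5", "md5-96", "sha1-96"}


def parse_ssh_sessions(text):
    """Parse the table into one dict per SID. A continuation line (leading
    whitespace, first field OUT) adds the second direction of the last
    session; an SSH-1 session has a single '-' direction."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("SID"):
            continue
        fields = line.split()
        if line[0].isspace():
            mode, enc, hmac = fields[0], fields[1], fields[2]
            sessions[-1]["directions"][mode] = {"encryption": enc, "hmac": hmac}
            continue
        sid, ip, version, mode, enc, hmac, state, user = fields
        sessions.append({
            "sid": int(sid), "client_ip": ip, "version": version,
            "state": state, "username": user,
            "directions": {mode: {"encryption": enc, "hmac": hmac}},
        })
    return sessions


def session_findings(text):
    """Map SID -> reasons the session may warrant ssh disconnect: an SSH-1
    protocol version (1.x other than 1.99, which RFC 4253 uses to announce
    SSH-2 compatibility) or a weak negotiated cipher in either direction."""
    findings = {}
    for s in parse_ssh_sessions(text):
        reasons = []
        if s["version"].startswith("1.") and s["version"] != "1.99":
            reasons.append(f"protocol version {s['version']}")
        for mode, algs in sorted(s["directions"].items()):
            if algs["encryption"] in WEAK_ENCRYPTION:
                reasons.append(f"{mode} encryption {algs['encryption']}")
            if algs["hmac"] in WEAK_HMAC:
                reasons.append(f"{mode} hmac {algs['hmac']}")
        if reasons:
            findings[s["sid"]] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in session_findings(SAMPLE_SESSIONS).items():
        print(f"ssh disconnect {sid}  # {', '.join(reasons)}")
```

On the sample, all three sessions are reported: SID 1 for SSH-1 and 3DES, SID 0 for md5 HMACs, SID 2 for 3des-cbc. The longer-term fix is the cipher configuration (ssh cipher encryption, ssh cipher integrity) and ssh version 2, so that such sessions cannot be established in the first place; ssh disconnect only ends the ones already open.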

ssh key-exchange group

To set the SSH key exchange method, use the ssh key-exchange group command in global configuration mode. To restore the default, use the no form of this command.

ssh key-exchange group { curve25519-sha256 | dh-group14-sha1 | dh-group14-sha256 | ecdh-sha2-nistp256 }

no ssh key-exchange group

Syntax Description

curve25519-sha256

Uses Elliptic Curve 25519 SHA256 for the key exchange.

dh-group14-sha1

Uses Diffie-Hellman Group 14 SHA1 for the key exchange.

dh-group14-sha256

(Default) Uses Diffie-Hellman Group 14 SHA256 for the key exchange.

ecdh-sha2-nistp256

Uses Elliptic Curve Diffie-Hellman (ECDH) SHA2 NIST P-256 for the key exchange.

Command Default

(9.12 and later) By default, dh-group14-sha256 is used.

(9.10 and earlier) By default, dh-group1-sha1 is used.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode              Security Context
                       Routed    Transparent      Single    Multiple
                                                            Context                     System
Global configuration   Yes       Yes              Yes       Yes (Admin context only)

Command History

Release

Modification

9.16(1)

We added the curve25519-sha256 and ecdh-sha2-nistp256 options.

9.13(1)

The dh-group1-sha1 option was deprecated and will be removed in a later release.

9.12(2)

Setting the SSH key exchange mode is restricted to the Admin context in multiple context mode.

9.12(1)

We added the dh-group14-sha256 option, which is also now the default.

8.4(4.1), 9.1(2)

We introduced this command.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).

Usage Guidelines

A key exchange like Diffie-Hellman (DH) provides a shared secret that cannot be determined by either party alone. The key exchange is combined with a signature and the host key to provide host authentication. This key-exchange method provides explicit server authentication. For more information about using DH key-exchange methods, see RFC 4253.

You must set the SSH key exchange in the Admin context; this setting is inherited by all other contexts.

Examples

The following example shows how to exchange keys using the DH Group 14 SHA1 key-exchange method:


ciscoasa(config)# ssh key-exchange group dh-group14-sha1

ssh key-exchange hostkey

If you do not want to use the default key order (EdDSA, ECDSA, and then RSA), identify the key pair you want to use with the ssh key-exchange hostkey command in global configuration mode. To restore the default, use the no form of this command.

ssh key-exchange hostkey { rsa | ecdsa | eddsa }

no ssh key-exchange hostkey

Syntax Description

ecdsa

Uses the ECDSA key only.

eddsa

Uses the EdDSA key only.

rsa

Uses the RSA key only. You must use a key size 2048 or higher. RSA key support will be removed in a later release, so we suggest using the other supported key types instead.

Command Default

By default, this command is disabled, and keys are tried in the following order: EdDSA, ECDSA, and then RSA.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode              Security Context
                       Routed    Transparent      Single    Multiple
                                                            Context                     System
Global configuration   Yes       Yes              Yes       Yes (Admin context only)

Command History

Release

Modification

9.16(1)

We introduced this command.

Usage Guidelines

SSH tries keys in the following order: EdDSA, ECDSA, and then RSA. View the keys using the show crypto key mypubkey {eddsa | ecdsa | rsa} command. The keys used by SSH are called <Default-type-Key>. If you override the key order with the ssh key-exchange hostkey rsa command, you must use a key size 2048 or higher. For upgrade compatibility, smaller keys are only supported when you use the default key order. RSA key support will be removed in a later release, so we suggest using the other supported key types instead.

Examples

The following example forces use of the EdDSA key only:


ciscoasa(config)# ssh key-exchange hostkey eddsa

ssh pubkey-chain

To manually add or delete SSH servers and their keys from the ASA database for the on-board Secure Copy (SCP) client, use the ssh pubkey-chain command in global configuration mode. To remove all host keys, use the no form of this command. To remove only a single server key, see the server command.

ssh pubkey-chain

no ssh pubkey-chain

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode              Security Context
                       Routed    Transparent      Single    Multiple
                                                            Context    System
Global configuration   Yes       Yes              Yes       Yes

Command History

Release

Modification

9.1(5)

This command was added.

Usage Guidelines

You can copy files to and from the ASA using the on-board SCP client. The ASA stores the SSH host key for each SCP server to which it connects. You can manually add or delete servers and their keys from the ASA database if desired.

For each server (see the server command), you can specify the key-string (public key) or key-hash (hashed value) of the SSH host.

Examples

The following example adds an already hashed host key for the server at 10.86.94.170:


ciscoasa(config)# ssh pubkey-chain
ciscoasa(config-ssh-pubkey-chain)# server 10.86.94.170
ciscoasa(config-ssh-pubkey-server)# key-hash sha256 65:d9:9d:fe:1a:bc:61:aa:64:9d:fc:ee:99:87:38:df:a8:8e:d9:e9:ff:42:de:e8:8d:2d:bf:a9:2b:85:2e:19

The following example adds a host string key for the server at 10.7.8.9:


ciscoasa(config)# ssh pubkey-chain
ciscoasa(config-ssh-pubkey-chain)# server 10.7.8.9
ciscoasa(config-ssh-pubkey-server)# key-string
Enter the base 64 encoded RSA public key.
End with the word "exit" on a line by itself
ciscoasa(config-ssh-pubkey-server-string)# c1:b1:30:29:d7:b8:de:6c:97:77:10:d7:46:41:63:87
ciscoasa(config-ssh-pubkey-server-string)# exit
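Both the hashed form of ssh authentication publickey (Syntax Description above) and key-hash sha256 under ssh pubkey-chain use the same representation: a SHA-256 digest written as 32 colon-separated bytes. Being able to compute that value independently lets you check a key pasted into the ASA against the one you meant, and check a stored SCP server key against the host's known_hosts entry, without trusting the pasted text. The following is an added example, not part of this reference and not Cisco code. It extracts the Base64 body from PKF text (RFC 4716 markers and headers skipped), decodes the key blob, reads its type string, and renders the SHA-256 digest in the colon form. The reference does not say whether the ASA hashes the decoded blob or the Base64 text; the example assumes the decoded blob, so compare its output with show running-config username before relying on it. The sample input is the PKF key from the ssh authentication example above.

```python
import base64
import hashlib
import struct

# The PKF (RFC 4716) text from the ssh authentication example in this
# reference, embedded here as sample input.
SAMPLE_PKF = """\
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "256-bit ED25519, converted by dean@dwinchester-mac from "
AAAAC3NzaC1lZDI1NTE5AAAAIDmIeTNfEOnuH0094p1MKX80fW2O216g4trnf7gwWe5Q
---- END SSH2 PUBLIC KEY ----
"""


def pkf_to_base64(pkf_text):
    """Return the Base64 key body of a PKF file: skip the BEGIN/END markers
    and header lines (those containing ':', optionally continued onto the
    next line with a trailing backslash), then join what is left."""
    body, inside, continued = [], False, False
    for line in pkf_text.splitlines():
        line = line.strip()
        if line.startswith("---- BEGIN"):
            inside = True
            continue
        if line.startswith("---- END"):
            break
        if not inside or not line:
            continue
        if continued:
            continued = line.endswith("\\")
            continue
        if ":" in line:
            continued = line.endswith("\\")
            continue
        body.append(line)
    return "".join(body)


def decode_public_key(b64):
    """Decode an SSH key blob; returns (key_type, raw_blob). The blob starts
    with a big-endian length-prefixed type string such as ssh-ed25519."""
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + tlen].decode("ascii")
    return key_type, blob


def colon_hex(digest):
    """Render a digest as colon-separated bytes, the form the ASA shows."""
    return ":".join(f"{b:02x}" for b in digest)


def sha256_key_hash(b64):
    """SHA-256 over the decoded key blob in colon form. Assumption (not stated
    in the reference): the ASA hashes the decoded blob, not the Base64 text."""
    _, blob = decode_public_key(b64)
    return colon_hex(hashlib.sha256(blob).digest())


def key_hash_from_openssh_line(line):
    """authorized_keys or known_hosts line -> hash of the key it carries."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-sha2-")):
            return sha256_key_hash(fields[i + 1])
    raise ValueError("no SSH public key found on line")


def hashes_match(hash_a, hash_b):
    """Compare two colon-hex hashes ignoring case and surrounding whitespace."""
    return hash_a.strip().lower() == hash_b.strip().lower()


if __name__ == "__main__":
    b64 = pkf_to_base64(SAMPLE_PKF)
    print(decode_public_key(b64)[0], sha256_key_hash(b64))
```

For the ssh pubkey-chain case, feed the server's line from a trusted known_hosts file to key_hash_from_openssh_line and compare with hashes_match against the key-hash value in the ASA configuration; a mismatch means the stored host key is not the one you expected.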

ssh scopy enable

To enable Secure Copy (SCP) on the ASA, use the ssh scopy enable command in global configuration mode. To disable SCP, use the no form of this command.

ssh scopy enable

no ssh scopy enable

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode              Security Context
                       Routed    Transparent      Single    Multiple
                                                            Context    System
Global configuration   Yes       Yes              Yes       Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.1(7)/9.4(3)/9.5(3)/9.6(1)

You can configure encryption and integrity ciphers for SSH access using the ssh cipher encryption and ssh cipher integrity commands.

Usage Guidelines

SCP is a server-only implementation; it will be able to accept and terminate connections for SCP but cannot initiate them. The ASA has the following restrictions:

  • There is no directory support in this implementation of SCP, limiting remote client access to the ASA internal files.

  • There is no banner support when using SCP.

  • SCP does not support wildcards.

  • The ASA license must have the VPN-3DES-AES feature to support SSH version 2 connections.

Before initiating the file transfer, the ASA checks available Flash memory. If there is not enough available space, the ASA terminates the SCP connection. If you are overwriting a file in Flash memory, you still need to have enough free space for the file being copied to the ASA. The SCP process copies the file to a temporary file first, then copies the temporary file over the file being replaced. If you do not have enough space in Flash to hold the file being copied and the file being overwritten, the ASA terminates the SCP connection.

The performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then the performance is much slower than a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use the ssh cipher encryption command; for example, ssh cipher encryption custom aes128-cbc.

Examples

The following example shows how to configure the inside interface to accept SSH Version 2 connections from a management console with the IP address 10.1.1.1. The idle session timeout is set to 60 minutes and SCP is enabled.


ciscoasa(config)# ssh 10.1.1.1 255.255.255.255 inside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh scopy enable
ciscoasa(config)# ssh timeout 60

ssh stack ciscossh

To use the CiscoSSH stack, use the ssh stack ciscossh command in global configuration mode. To use the proprietary ASA SSH stack, use the no form of this command.

ssh stack ciscossh

no ssh stack ciscossh

Command Default

CiscoSSH stack is enabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode              Security Context
                       Routed    Transparent      Single    Multiple
                                                            Context    System
Global configuration   Yes       Yes              Yes       Yes

Command History

Release

Modification

9.17(1)

This command was added.

9.19(1)

This command is now enabled by default.

Usage Guidelines

The ASA supports two SSH stacks for SSH connections: a proprietary SSH stack or the CiscoSSH stack. CiscoSSH is based on OpenSSH. CiscoSSH supports:

  • FIPS compliance

  • Regular updates, including updates from Cisco and the open source community

Note that the CiscoSSH stack does not support:

  • SSH to a different interface over VPN (management-access)

  • EdDSA key pair

  • RSA key pair in FIPS mode

If you need these features, you should use the ASA SSH stack.

There is a small change to SCP functionality with the CiscoSSH stack: to use the ASA copy command to copy a file to or from an SCP server, you have to enable SSH access on the ASA for the SCP server subnet/host using the ssh command.

Examples

The following example shows how to disable the CiscoSSH stack.


ciscoasa(config)# no ssh stack ciscossh
ciscoasa(config)# 

ssh stricthostkeycheck

To enable SSH host key checking for the on-board Secure Copy (SCP) client, use the ssh stricthostkeycheck command in global configuration mode. To disable host key checking, use the no form of this command.

ssh stricthostkeycheck

no ssh stricthostkeycheck

Syntax Description

This command has no arguments or keywords.

Command Default

By default, this command is enabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode              Security Context
                       Routed    Transparent      Single    Multiple
                                                            Context    System
Global configuration   Yes       Yes              Yes       Yes

Command History

Release

Modification

9.1(5)

This command was added.

Usage Guidelines

You can copy files to and from the ASA using the on-board SCP client. When this option is enabled, you are prompted to accept or reject the host key if it is not already stored on the ASA. When this option is disabled, the ASA accepts the host key automatically if it was not stored before.

Examples

The following example enables SSH host key checking:


ciscoasa# ssh stricthostkeycheck
ciscoasa# copy x scp://cisco@10.86.95.9/x
The authenticity of host '10.86.95.9 (10.86.95.9)' can't be established.
RSA key fingerprint is dc:2e:b3:e4:e1:b7:21:eb:24:e9:37:81:cf:bb:c3:2a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.86.95.9' (RSA) to the list of known hosts.
Source filename [x]? 
Address or name of remote host [10.86.95.9]? 
Destination username [cisco]? 
Destination password []? cisco123
Destination filename [x]? 

ssh timeout

To change the default SSH session idle timeout value, use the ssh timeout command in global configuration mode. To restore the default timeout value, use the no form of this command.

ssh timeout number

no ssh timeout

Syntax Description

number

Specifies the duration in minutes that an SSH session can remain inactive before being disconnected. Valid values are from 1 to 60 minutes.

Command Default

The default session timeout value is 5 minutes.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode           Firewall Mode              Security Context
                       Routed    Transparent      Single    Multiple
                                                            Context    System
Global configuration   Yes       Yes              Yes       Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The ssh timeout command specifies the duration in minutes that a session can be idle before being disconnected. The default duration is 5 minutes.

Examples

The following example shows how to configure the inside interface to accept only SSH version 2 connections from a management console with the IP address 10.1.1.1. A host mask of 255.255.255.255 limits access to that one address; a mask of 255.255.255.0 would admit every host in 10.1.1.0/24. The idle session timeout is set to 60 minutes and the SCP server is enabled.


ciscoasa(config)# ssh 10.1.1.1 255.255.255.255 inside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh scopy enable
ciscoasa(config)# ssh timeout 60

ssh version (Deprecated)

To restrict the version of SSH accepted by the ASA, use the ssh version command in global configuration mode. To restore the default value, use the no form of this command. Only Version 2 is supported.

ssh version 2

no ssh version 2

Syntax Description

2

Specifies that only SSH Version 2 connections are supported.

Command Default

Version 2 is the default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.9(1)

Version 1 was deprecated, and the 1 keyword will be removed in a later release. The default setting was also changed from ssh version 1 2 to ssh version 2 only.

9.16(1)

This command was removed.

Usage Guidelines

You should only set the SSH version to version 2.

Examples

The following example shows how to configure the inside interface to accept SSH Version 2 connections from a management console with the IP address 10.1.1.1. A host mask of 255.255.255.255 limits access to that one address; a mask of 255.255.255.0 would admit every host in 10.1.1.0/24. The idle session timeout is set to 60 minutes and the SCP server is enabled.


ciscoasa(config)# ssh 10.1.1.1 255.255.255.255 inside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh scopy enable
ciscoasa(config)# ssh timeout 60

ssl certificate-authentication

To enable client certificate authentication for backwards compatibility for versions previous to 8.2(1), use the ssl certificate-authentication command in global configuration mode. To disable ssl certificate authentication, use the no version of this command.

ssl certificate-authentication [ fca-timeout timeout-in-minutes ] interface interface-name port port-number

no ssl certificate-authentication [ fca-timeout timeout-in-minutes ] interface interface-name port port-number

Syntax Description

fca-timeout timeout-in-minutes

Forced certificate authentication timeout value in minutes.

interface-name

The name of the selected interface, such as inside, management, and outside.

port-number

The TCP port number, an integer in the range 1-65535.

Command Default

This feature is disabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.0(3)

This command was added.

8.2(1)

This command is no longer needed, but the ASA retains it for downgrading to previous versions.

Usage Guidelines

This command replaces the deprecated http authentication-certificate command.

Examples

The following example shows how to configure the ASA to use the SSL certificate authentication feature:


ciscoasa(config)# ssl certificate-authentication interface inside port 330

ssl cipher

To specify the encryption algorithms for the SSL, DTLS, and TLS protocols, use the ssl cipher command in global configuration mode. To restore the default, which is the complete set of encryption algorithms, use the no form of this command.

ssl cipher version [ level | custom "string" ]

no ssl cipher version [ level | custom "string" ]

Syntax Description

custom string

Allows full control of the cipher suite using OpenSSL cipher definition strings.

level

Specifies the strength of the cipher and indicates the minimum level of ciphers that are supported. Valid values in increasing order of strength are:

  • all —Includes all ciphers, including NULL-SHA.

  • low —Includes all ciphers except NULL-SHA.

  • medium —Includes all ciphers except NULL-SHA, DES-CBC-SHA, and RC4-MD5.

  • fips —Includes all FIPS-compliant ciphers (excludes NULL-SHA, DES-CBC-SHA, RC4-MD5, RC4-SHA, and DES-CBC3-SHA).

  • high (applies only to TLSv1.2)—Includes only AES-256 with SHA-2 ciphers.

version

Specifies the SSL, DTLS, or TLS protocol version. Supported versions include:

  • default —The set of ciphers for outbound connections.

  • dtlsv1 —The ciphers for DTLSv1 inbound connections.

  • dtlsv1.2 -The ciphers for DTLSv1.2 inbound connections.

  • tlsv1 —The ciphers for TLSv1 inbound connections.

  • tlsv1.1 —The ciphers for TLSv1.1 inbound connections.

  • tlsv1.2 —The ciphers for TLSv1.2 inbound connections.

Command Default

The default is medium for all protocol versions.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.16(1)

Support for configuring DES was removed when strong-crypto licensing is enabled, because DES is considered a weak cipher.

If DES is already configured when strong-crypto licensing is enabled, the DES entry is converted to the strong cipher AES.

9.12(1)

Removed NULL-SHA from the tlsv1 supported ciphers on lina. The ssl cipher tlsv1 all and ssl cipher tlsv1 custom NULL-SHA commands were deprecated and removed.

9.10(1)

The dtlsv1.2 keyword was added.

9.4(1)

All SSLv3 configuration and support removed from the ASA.

9.3(2)

This command was added.

Usage Guidelines

This command replaced the ssl encryption command starting with ASA Version 9.3(2).

The recommended setting is medium. Using high may limit connectivity. Using custom may limit functionality if only a few ciphers are configured. Restricting the default custom value limits outbound connectivity, including clustering. Note that, by the level definitions above, medium still permits RC4-SHA and DES-CBC3-SHA; only fips and high exclude them, so check which cipher suites your peers actually negotiate before deciding whether medium is acceptable for an interface.

For more information about ciphers using OpenSSL, see https://www.openssl.org/docs/apps/ciphers.html.

Use the show ssl ciphers all command to view the list of which ciphers support which versions. For example:


These are the ciphers for the given cipher level; not all ciphers are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list:
  DHE-RSA-AES256-SHA256 (tlsv1.2)
  AES256-SHA256 (tlsv1.2)
  DHE-RSA-AES128-SHA256 (tlsv1.2)
  AES128-SHA256 (tlsv1.2)
  DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES256-SHA (sslv3, tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES128-SHA (sslv3, tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DES-CBC3-SHA (sslv3, tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  RC4-SHA (sslv3, tlsv1)
  RC4-MD5 (sslv3, tlsv1)
  DES-CBC-SHA (sslv3, tlsv1)
  NULL-SHA (sslv3, tlsv1)

The ASA specifies the order of priority for supported ciphers as:

Ciphers supported by TLSv1.2 (1-9)

  1. DHE-RSA-AES256-SHA256

  2. AES256-SHA256

  3. DHE-RSA-AES128-SHA256

  4. AES128-SHA256

  5. DHE-RSA-AES256-SHA

  6. AES256-SHA

  7. DHE-RSA-AES128-SHA

  8. AES128-SHA

  9. DES-CBC3-SHA

Ciphers not supported by TLSv1.1 or TLSv1.2 (10-13)

  10. RC4-SHA

  11. RC4-MD5

  12. DES-CBC-SHA

  13. NULL-SHA

Examples

The following example shows how to configure the ASA to use TLSv1.1 FIPS-compliant ciphers:


ciscoasa(config)# ssl cipher tlsv1.1 fips

The following example shows how to configure the ASA to use TLSv1 custom ciphers. The string uses OpenSSL syntax: RC4-SHA is placed first in the preference order and ALL then appends the remaining ciphers. It illustrates the syntax only; RC4-SHA is one of the ciphers the fips level excludes.


ciscoasa(config)# ssl cipher tlsv1 custom "RC4-SHA:ALL"
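To see concretely what a level or a custom string selects from the cipher table and priority order listed under Usage Guidelines, and what the custom example just above does, the following added example (not Cisco code and not part of this reference) models both. It reproduces the cipher table and level rules as this page states them; its custom-string handling is a small subset of OpenSSL's cipher-string syntax (cipher names, ALL, !NAME) written here for illustration, not the OpenSSL parser the ASA actually calls.

```python
"""Which ciphers an 'ssl cipher <version> <level>' or
'ssl cipher <version> custom "<string>"' setting selects, worked over the
cipher table from 'show ssl ciphers all'.  Added example, not Cisco code:
the table and the level rules are the ones this page states; the
custom-string handling is a small subset of OpenSSL's syntax (names, ALL,
!NAME) written for illustration, not the OpenSSL parser the ASA uses."""

# (cipher name, protocol versions that support it), in ASA priority order.
CIPHERS = [
    ("DHE-RSA-AES256-SHA256", {"tlsv1.2"}),
    ("AES256-SHA256", {"tlsv1.2"}),
    ("DHE-RSA-AES128-SHA256", {"tlsv1.2"}),
    ("AES128-SHA256", {"tlsv1.2"}),
    ("DHE-RSA-AES256-SHA", {"tlsv1", "tlsv1.1", "dtlsv1", "tlsv1.2"}),
    ("AES256-SHA", {"sslv3", "tlsv1", "tlsv1.1", "dtlsv1", "tlsv1.2"}),
    ("DHE-RSA-AES128-SHA", {"tlsv1", "tlsv1.1", "dtlsv1", "tlsv1.2"}),
    ("AES128-SHA", {"sslv3", "tlsv1", "tlsv1.1", "dtlsv1", "tlsv1.2"}),
    ("DES-CBC3-SHA", {"sslv3", "tlsv1", "tlsv1.1", "dtlsv1", "tlsv1.2"}),
    ("RC4-SHA", {"sslv3", "tlsv1"}),
    ("RC4-MD5", {"sslv3", "tlsv1"}),
    ("DES-CBC-SHA", {"sslv3", "tlsv1"}),
    ("NULL-SHA", {"sslv3", "tlsv1"}),
]

# What each level removes from the full list, from the level descriptions.
LEVEL_EXCLUDES = {
    "all": set(),
    "low": {"NULL-SHA"},
    "medium": {"NULL-SHA", "DES-CBC-SHA", "RC4-MD5"},
    "fips": {"NULL-SHA", "DES-CBC-SHA", "RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"},
}
# high keeps only AES-256 with SHA-2 and applies to tlsv1.2 alone.
HIGH_ONLY = {"DHE-RSA-AES256-SHA256", "AES256-SHA256"}


def supported(version: str) -> list:
    """Ciphers usable with one protocol version, in priority order."""
    names = [name for name, versions in CIPHERS if version in versions]
    if not names:
        raise ValueError(f"unknown protocol version {version!r}")
    return names


def ciphers_for(version: str, level: str) -> list:
    """Cipher list produced by: ssl cipher <version> <level>."""
    available = supported(version)
    if level == "high":
        if version != "tlsv1.2":
            raise ValueError("level high applies only to tlsv1.2")
        return [n for n in available if n in HIGH_ONLY]
    if level not in LEVEL_EXCLUDES:
        raise ValueError(f"unknown level {level!r}")
    return [n for n in available if n not in LEVEL_EXCLUDES[level]]


def ciphers_for_custom(version: str, spec: str) -> list:
    """Cipher list produced by: ssl cipher <version> custom "<spec>".
    Subset of OpenSSL semantics: a name appends that cipher, ALL appends
    every remaining cipher except the NULL ones (as OpenSSL's ALL does),
    !NAME removes a cipher and keeps it out; order of first mention wins."""
    available = supported(version)
    selected = []
    banned = set()
    for token in spec.strip().strip('"').split(":"):
        if token.startswith("!"):
            banned.add(token[1:])
            selected = [n for n in selected if n != token[1:]]
        elif token == "ALL":
            selected += [n for n in available
                         if not n.startswith("NULL-")
                         and n not in selected and n not in banned]
        elif token in available and token not in selected and token not in banned:
            selected.append(token)
        # Any other token is ignored here; OpenSSL also ignores unknown names.
    if not selected:
        raise ValueError(f"cipher string {spec!r} selects nothing for {version}")
    return selected


def weak_ciphers(names: list) -> list:
    """Ciphers in a list that the fips level would refuse."""
    return [n for n in names if n in LEVEL_EXCLUDES["fips"]]


if __name__ == "__main__":
    for version in ("tlsv1", "tlsv1.1", "tlsv1.2", "dtlsv1"):
        chosen = ciphers_for(version, "medium")
        print(f"{version:8} medium: {len(chosen)} ciphers, weak: {weak_ciphers(chosen)}")
    print('tlsv1 custom "RC4-SHA:ALL":', ciphers_for_custom("tlsv1", "RC4-SHA:ALL"))
```

Two things the model makes visible that the prose does not: the default medium level leaves RC4-SHA and DES-CBC3-SHA negotiable on TLSv1 interfaces, and a custom string that names a cipher before ALL does more than prefer it, it lets in every other non-NULL cipher the version supports, including RC4-MD5 and DES-CBC-SHA that medium would have removed. On a real ASA, confirm the resulting list with show ssl ciphers rather than trusting a string you have not checked.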

ssl-client-certificate

To specify the certificate that the ASA should present to the LDAP server as the client certificate when using LDAPS, use the ssl-client-certificate command in aaa-server host configuration mode. To remove the certificate, use the no form of this command.

ssl-client-certificate trustpoint_name

no ssl-client-certificate trustpoint_name

Syntax Description

trustpoint_name

The name of the trustpoint that holds the certificate that the ASA should present to the LDAP server as the client certificate.

Command Default

No default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Aaa-server host configuration (LDAP only)

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.18(1)

This command was added.

Usage Guidelines

This certificate is needed if you configure the LDAP server to verify the client certificate. You must also enable ldap-over-ssl for the server. If you do not configure a certificate, the ASA does not present one when the LDAP server asks for it. If an LDAP server is configured to require a peer certificate, the secure LDAP session will not complete and authentication/authorization requests will fail.

Examples

The following example shows two LDAP servers using different trustpoints for client authentication.


asa(config)# show running-config aaa-server OPENLDAPS 
aaa-server OPENLDAPS protocol ldap
aaa-server OPENLDAPS (manif) host 10.1.1.2
ldap-base-dn DC=example,DC=com
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn cn=admin,dc=example,dc=com
ldap-over-ssl enable
ssl-client-certificate LDAPS_TP_1
server-type auto-detect
aaa-server OPENLDAPS (manif) host 10.2.2.5
ldap-base-dn DC=example,DC=com
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn cn=admin,dc=example,dc=com
ldap-over-ssl enable
ssl-client-certificate LDAPS_TP_2
server-type auto-detect 

ssl client-version

To specify the SSL/TLS protocol version that the ASA uses when acting as a client, use the ssl client-version command in global configuration mode. To revert to the default, use the no form of this command.

ssl client-version [ any | sslv3-only | tlsv1-only | sslv3 | tlsv1 | tlsv1.1 | tlsv1.2 ]

no ssl client-version

Syntax Description

any

Transmits SSLv3 client hellos and negotiates SSLv3 (or greater).

sslv3

Transmits SSLv3 client hellos and negotiates SSLv3 (or greater).

sslv3-only

Transmits SSLv3 client hellos and negotiates SSLv3 (or greater).

Note: This option has been deprecated as of Version 9.3(2).

tlsv1

Transmits TLSv1 client hellos and negotiates TLSv1 (or greater).

tlsv1.1

Transmits TLSv1.1 client hellos and negotiates TLSv1.1 (or greater).

tlsv1.2

Transmits TLSv1.2 client hellos and negotiates TLSv1.2 (or greater).

tlsv1-only

Transmits TLSv1 client hellos and negotiates TLSv1 (or greater).

Note: This option has been deprecated as of Version 9.3(2).

Command Default

The default value is tlsv1 .

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.3(2)

SSLv3 has been deprecated. The default is now tlsv1 instead of any . The any keyword has been deprecated.

Usage Guidelines

If you use the any , sslv3 , or sslv3-only keywords, the command is accepted with the following warning.


WARNING: SSLv3 is deprecated. Use of TLSv1 or greater is recommended.

In the next major ASA release, these keywords will be removed from the ASA.

Examples

The following example shows how to configure the ASA to send SSLv3 client hellos when acting as an SSL client. The any keyword is deprecated and the command is accepted with the warning shown above:


ciscoasa(config)# ssl client-version any