int – ipu

integrity

To specify the ESP integrity algorithm in an IKEv2 security association (SA) for AnyConnect IPsec connections, use the integrity command in IKEv2 policy configuration mode. To remove the command and use the default setting, use the no form of this command:

integrity { md5 | sha | sha256 | sha384 | sha512 | null }

no integrity { md5 | sha | sha256 | sha384 | sha512 | null }

Syntax Description

md5

Specifies the MD5 algorithm for the ESP integrity protection.

null

Allows an administrator to choose null as the IKEv2 integrity algorithm when AES-GCM is specified as the encryption algorithm.

sha

(Default) Specifies SHA-1, the Secure Hash Algorithm defined in the U.S. Federal Information Processing Standard (FIPS), for ESP integrity protection.

sha256

Specifies the Secure Hash Algorithm SHA 2 with the 256-bit digest.

sha384

Specifies the Secure Hash Algorithm SHA 2 with the 384-bit digest.

sha512

Specifies the Secure Hash Algorithm SHA 2 with the 512-bit digest.

Command Default

The default is sha (the SHA-1 algorithm).

Usage Guidelines

An IKEv2 SA is the key material negotiated in phase 1 that lets IKEv2 peers communicate securely in phase 2. After entering the crypto ikev2 policy command, use the integrity command to set the integrity algorithm for the ESP protocol.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode             Security Context
                          Routed   Transparent      Single   Multiple: Context   Multiple: System
Global Configuration      Yes      No               Yes      No                  No

Command History

Release   Modification
8.4(1)    This command was added.
8.4(2)    The sha256, sha384, and sha512 keywords were added for SHA 2 support.
9.0(1)    The null option as an IKEv2 integrity algorithm was added.

Examples

The following example enters IKEv2 policy configuration mode and sets the integrity algorithm to MD5:


ciscoasa(config)# crypto ikev2 policy 1
ciscoasa(config-ikev2-policy)# integrity md5
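As an added example (not from the Cisco reference), the following Python script resolves the integrity algorithm each crypto ikev2 policy block ends up with, applying the default of sha when the command is absent, and flags MD5 and SHA-1 as legacy and a null integrity algorithm that is not paired with AES-GCM encryption. The encryption keyword spellings in the constructed sample (aes-gcm-256, aes-256) and the prompt format the parser strips are assumptions about the policy submode, not taken from this page.

```python
"""Offline lint for ASA 'crypto ikev2 policy' blocks (added example).

Each policy resolves to the integrity algorithms it names, or to 'sha'
(SHA-1) when the integrity command is absent, which is the command default."""
import re

PROMPT = re.compile(r"^\S+\([^)]*\)#\s*")       # strips 'ciscoasa(config-ikev2-policy)# '
POLICY_SUBCOMMANDS = ("encryption", "integrity", "group", "prf", "lifetime")

LEGACY = {
    "md5": "MD5 integrity is broken; move to sha256 or stronger",
    "sha": "SHA-1 integrity (the default when 'integrity' is omitted) is legacy; "
           "prefer sha256 or stronger",
}


def parse_ikev2_policies(config_text):
    """Return {policy_number: {"integrity": [keywords], "encryption": [keywords]}}.
    Accepts running-config text or a pasted CLI session; any line that is not a
    policy subcommand ends the current policy block."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw).strip()
        match = re.match(r"crypto ikev2 policy (\d+)$", line)
        if match:
            current = int(match.group(1))
            policies[current] = {"integrity": ["sha"], "encryption": []}
            continue
        parts = line.split()
        if current is None or not parts:
            continue
        if parts[0] not in POLICY_SUBCOMMANDS:
            current = None                       # left the policy submode
        elif parts[0] == "integrity":
            policies[current]["integrity"] = parts[1:]
        elif parts[0] == "encryption":
            policies[current]["encryption"] = parts[1:]
    return policies


def lint_ikev2_policies(config_text):
    """Return [(policy_number, message)] for every integrity choice that needs attention."""
    findings = []
    for number, policy in sorted(parse_ikev2_policies(config_text).items()):
        ciphers = policy["encryption"]
        # null integrity is only acceptable when every listed cipher is an AEAD (AES-GCM)
        aead_only = bool(ciphers) and all(c.startswith("aes-gcm") for c in ciphers)
        for algorithm in policy["integrity"]:
            if algorithm == "null" and not aead_only:
                findings.append((number, "null integrity is only valid with AES-GCM encryption; "
                                         "with any other cipher ESP has no integrity protection"))
            elif algorithm in LEGACY:
                findings.append((number, LEGACY[algorithm]))
    return findings


# Constructed sample: policy 1 mirrors the reference example above, the rest are made up.
SAMPLE_CONFIG = """\
ciscoasa(config)# crypto ikev2 policy 1
ciscoasa(config-ikev2-policy)# integrity md5
ciscoasa(config-ikev2-policy)# exit
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 19
crypto ikev2 policy 20
 encryption aes-256
 integrity null
crypto ikev2 policy 30
 encryption aes-256
 integrity sha256
 prf sha256
crypto ikev2 policy 40
 encryption aes-256
"""

if __name__ == "__main__":
    for number, message in lint_ikev2_policies(SAMPLE_CONFIG):
        print(f"crypto ikev2 policy {number}: {message}")
```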

intercept-dhcp

To enable DHCP Intercept, use the intercept-dhcp enable command in group-policy configuration mode. To remove the intercept-dhcp attribute from the running configuration and allow the users to inherit a DHCP Intercept configuration from the default or other group policy, use the no form of this command.

intercept-dhcp netmask { enable | disable }

no intercept-dhcp

Syntax Description

disable

Disables DHCP Intercept.

enable

Enables DHCP Intercept.

netmask

Provides the subnet mask for the tunnel IP address.

Command Default

DHCP Intercept is disabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                 Firewall Mode             Security Context
                             Routed   Transparent      Single   Multiple: Context   Multiple: System
Group-policy configuration   Yes      No               Yes      No                  No

Command History

Release   Modification
7.0(1)    This command was added.

Usage Guidelines

To disable DHCP Intercept, use the intercept-dhcp disable command.

A Microsoft XP anomaly results in the corruption of domain names if split tunnel options exceed 255 bytes. To avoid this problem, the ASA limits the number of routes it sends to between 27 and 40, depending on the classes of the routes.

DHCP Intercept lets Microsoft XP clients use split-tunneling with the ASA. The ASA replies directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP address. For Windows clients prior to XP, DHCP Intercept provides the domain name and subnet mask. This is useful in environments in which using a DHCP server is not advantageous.

Examples

The following example shows how to enable DHCP Intercept for the group policy named FirstGroup:


ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# intercept-dhcp enable

interface (global)

To configure an interface and enter interface configuration mode, use the interface command in global configuration mode. To remove a subinterface, use the no form of this command; you cannot remove a physical interface or a mapped interface.

For physical interfaces (for all models except the ASASM):

interface physical_interface

For subinterfaces (not available for the ASA 5505 or the ASASM, or for the Management interface on the ASA 5506-X through ASA 5555-X):

interface { physical_interface | redundant number | port-channel number }.subinterface

no interface { physical_interface | redundant number | port-channel number }.subinterface

For multiple context mode when a mapped name is assigned:

interface mapped_name

Syntax Description

mapped_name

In multiple context mode, specifies the mapped name if it was assigned using the allocate-interface command.

physical_interface

Specifies the physical interface type, slot, and port number as type[slot/]port. A space between the type and slot/port is optional.

The physical interface types include the following:

  • ethernet

  • gigabitethernet

  • tengigabitethernet

  • management

Enter the type followed by slot/port, for example, gigabitethernet 0/1.

The management interface is meant for management traffic only. You can, however, use it for through traffic if desired, depending on your model (see the management-only command).

See the hardware documentation that came with your model to identify the interface type, slot, and port number.

subinterface

Specifies an integer between 1 and 4294967293 designating a logical subinterface. The maximum number of subinterfaces varies depending on your ASA model. Subinterfaces are not available for the ASA 5505, ASASM, or for the management interface on the ASA 5512-X through ASA 5555-X. See the configuration guide for the maximum subinterfaces (or VLANs) per platform. An interface with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk.

Command Default

By default, the ASA automatically generates interface commands for all physical interfaces.

In multiple context mode, the ASA automatically generates interface commands for all interfaces allocated to the context using the allocate-interface command.

The default state of an interface depends on the type and the context mode:

  • Multiple context mode, context—All allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

  • Single mode or multiple context mode, system—Interfaces have the following default states:

    • Physical interfaces—Disabled.

    • Subinterfaces—Enabled. However, for traffic to pass through the subinterface, the physical interface must also be enabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode             Security Context
                          Routed   Transparent      Single   Multiple: Context   Multiple: System
Global Configuration      Yes      Yes              Yes      Yes                 Yes

Command History

Release   Modification
7.0(1)    This command was modified to allow for new subinterface naming conventions and to change arguments to be separate commands under interface configuration mode.

Usage Guidelines

In interface configuration mode, you can configure hardware settings (for physical interfaces), assign a name, assign a VLAN, assign an IP address, and configure many other settings, depending on the type of interface and the security context mode.

For an enabled interface to pass traffic, configure the following interface configuration mode commands: nameif and, for routed mode, ip address. For subinterfaces, also configure the vlan command.

If you change interface settings, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.

The Management 0/0 interface on the ASA 5512-X through ASA 5555-X has the following characteristics:

  • No through traffic support

  • No subinterface support

  • No priority queue support

  • No multicast MAC support

  • The IPS SSP software module shares the Management 0/0 interface. Separate MAC addresses and IP addresses are supported for the ASA and IPS module. You must perform configuration of the IPS IP address within the IPS operating system. However, physical characteristics (such as enabling the interface) are configured on the ASA.

Examples

The following example configures parameters for the physical interface in single mode:


ciscoasa(config)# interface gigabitethernet0/1
ciscoasa(config-if)# speed 1000
ciscoasa(config-if)# duplex full
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown

The following example configures parameters for a subinterface in single mode:


ciscoasa(config)# interface gigabitethernet0/1.1
ciscoasa(config-subif)# vlan 101
ciscoasa(config-subif)# nameif dmz1
ciscoasa(config-subif)# security-level 50
ciscoasa(config-subif)# ip address 10.1.2.1 255.255.255.0
ciscoasa(config-subif)# no shutdown

The following example configures interface parameters in multiple context mode for the system configuration, and allocates the gigabitethernet 0/1.1 subinterface to contextA:


ciscoasa(config)# interface gigabitethernet0/1
ciscoasa(config-if)# speed 1000
ciscoasa(config-if)# duplex full
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface gigabitethernet0/1.1
ciscoasa(config-subif)# vlan 101
ciscoasa(config-subif)# no shutdown
ciscoasa(config-subif)# context contextA
ciscoasa(config-ctx)# ...
ciscoasa(config-ctx)# allocate-interface gigabitethernet0/1.1

The following example configures parameters in multiple context mode for the context configuration:


ciscoasa/contextA(config)# interface gigabitethernet0/1.1
ciscoasa/contextA(config-if)# nameif inside
ciscoasa/contextA(config-if)# security-level 100
ciscoasa/contextA(config-if)# ip address 10.1.2.1 255.255.255.0
ciscoasa/contextA(config-if)# no shutdown

interface (vpn load-balancing)

To specify a non-default public or private interface for VPN load-balancing in the VPN load-balancing virtual cluster, use the interface command in vpn load-balancing mode. To remove the interface specification and revert to the default interface, use the no form of this command.

interface { lbprivate | lbpublic } interface-name

no interface { lbprivate | lbpublic }

Syntax Description

interface-name

The name of the interface to be configured as the public or private interface for the VPN load-balancing cluster.

lbprivate

Specifies that this command configures the private interface for VPN load-balancing.

lbpublic

Specifies that this command configures the public interface for VPN load-balancing.

Command Default

If you omit the interface command, the lbprivate interface defaults to inside, and the lbpublic interface defaults to outside.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode             Security Context
                          Routed   Transparent      Single   Multiple: Context   Multiple: System
vpn load-balancing        Yes      No               Yes      No                  No

Command History

Release   Modification
7.0(1)    This command was added.

Usage Guidelines

You must have first used the vpn load-balancing command to enter vpn load-balancing configuration mode.

You must also have previously used the interface, ip address, and nameif commands to configure and assign a name to the interface that you are specifying in this command.

Examples

The following is an example of a vpn load-balancing command sequence that includes an interface command that specifies the public interface of the cluster as “test” and one that reverts the private interface of the cluster to the default (inside):


ciscoasa(config)# interface GigabitEthernet 0/1
ciscoasa(config-if)# ip address 209.165.202.159 255.255.255.0
ciscoasa(config-if)# nameif test
ciscoasa(config)# interface GigabitEthernet 0/2
ciscoasa(config-if)# ip address 209.165.201.30 255.255.255.0
ciscoasa(config-if)# nameif foo
ciscoasa(config)# vpn load-balancing
ciscoasa(config-load-balancing)# interface lbpublic test
ciscoasa(config-load-balancing)# no interface lbprivate
ciscoasa(config-load-balancing)# cluster ip address 209.165.202.224
ciscoasa(config-load-balancing)# participate

interface bvi

To configure the bridge virtual interface (BVI) for a bridge group, use the interface bvi command in global configuration mode. To remove the BVI configuration, use the no form of this command.

interface bvi bridge_group_number

no interface bvi bridge_group_number

Syntax Description

bridge_group_number

Specifies the bridge group number as an integer between 1 and 100; for 9.3(1) and later, the range is increased to between 1 and 250.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode             Security Context
                          Routed   Transparent      Single   Multiple: Context   Multiple: System
Global Configuration      No       Yes              Yes      Yes                 No

Command History

Release   Modification
8.4(1)    This command was added.
9.3(1)    The number range was increased to between 1 and 250 to support 250 BVIs.
9.6(2)    The maximum interfaces per bridge group was increased from 4 to 64.

Usage Guidelines

Use this command to enter interface configuration mode so you can configure a management IP address for the bridge group. If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for each network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the ASA, and traffic must exit the ASA before it is routed by an external router back to another bridge group in the ASA. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context. At least one bridge group is required per context or in single mode.

Each bridge group requires a management IP address. The ASA uses this IP address as the source address for packets originating from the bridge group. The management IP address must be on the same subnet as the connected network. For IPv4 traffic, the management IP address is required to pass any traffic. For IPv6 traffic, you must, at a minimum, configure the link-local addresses to pass traffic, but a global management address is recommended for full functionality, including remote management and other management operations. For another method of management, you can configure the Management interface, separate from any bridge groups.

For 9.2 and earlier, you can configure up to 8 bridge groups in single mode or per context in multiple mode; for 9.3(1) and later, you can configure up to 250 bridge groups. Each bridge group can include up to 4 interfaces; in 9.6(2) and later, you can add up to 64 interfaces to a bridge group. You cannot assign the same interface to more than one bridge group. Note that you must use at least 1 bridge group; data interfaces must belong to a bridge group.


Note

Although you can configure multiple bridge groups on the ASA 5505, the restriction of 2 data interfaces in transparent mode on the ASA 5505 means you can only effectively use 1 bridge group.

Note

For a separate management interface, a non-configurable bridge group (ID 301) is automatically added to your configuration. This bridge group is not included in the bridge group limit.

Note

The ASA does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported.

Examples

The following example includes two bridge groups of three interfaces each, plus a management-only interface:


interface gigabitethernet 0/0
nameif inside
security-level 100
bridge-group 1
no shutdown
interface gigabitethernet 0/1
nameif outside
security-level 0
bridge-group 1
no shutdown
interface gigabitethernet 0/2
nameif dmz
security-level 50
bridge-group 1
no shutdown
interface bvi 1
ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2
interface gigabitethernet 1/0
nameif inside
security-level 100
bridge-group 2
no shutdown
interface gigabitethernet 1/1
nameif outside
security-level 0
bridge-group 2
no shutdown
interface gigabitethernet 1/2
nameif dmz
security-level 50
bridge-group 2
no shutdown
interface bvi 2
ip address 10.3.5.8 255.255.255.0 standby 10.3.5.9
interface management 0/0
nameif mgmt
security-level 100
ip address 10.2.1.1 255.255.255.0 standby 10.2.1.2
no shutdown
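The following Python checker is an added example, not part of the Cisco reference. It applies the rules stated for the interface command (an enabled interface needs nameif, a routed-mode interface needs ip address, a subinterface needs vlan) and for bridge groups above (a management IP address on each BVI, one bridge group per interface, the per-release limits of 8 or 250 bridge groups and 4 or 64 members) to configuration text. The sample configuration is constructed for the demonstration and deliberately violates several of those rules; the prompt format the parser strips is an assumption.

```python
"""Checker for ASA interface configuration text (added example): applies the
nameif / ip address / vlan rules of the interface command and the bridge-group
rules (management IP per BVI, one group per interface, release limits)."""
import re
from collections import defaultdict

PROMPT = re.compile(r"^\S+\([^)]*\)#\s*")     # strips 'ciscoasa(config-if)# '


def version_tuple(release):
    return tuple(int(x) for x in re.findall(r"\d+", release))   # '9.6(2)' -> (9, 6, 2)


def parse_interfaces(config_text):
    """Return {name: settings} in configuration order, from running-config text or
    a pasted CLI session; an 'interface ...' line opens a block, later lines belong to it."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if line.startswith("interface "):
            # 'gigabitethernet 0/0' and 'gigabitethernet0/0' name the same interface
            current = line[len("interface "):].replace(" ", "").lower()
            interfaces.setdefault(current, {"enabled": False, "bridge-group": []})
        elif current is None or not line:
            continue
        elif line == "no shutdown":
            interfaces[current]["enabled"] = True
        elif line.startswith("ip address "):
            interfaces[current]["ip"] = line.split()[2]
        elif line.startswith("bridge-group "):
            interfaces[current]["bridge-group"].append(line.split()[1])
        elif line.split()[0] in ("nameif", "vlan") and len(line.split()) == 2:
            interfaces[current][line.split()[0]] = line.split()[1]
    return interfaces


def check_interfaces(config_text, release="9.6(2)", mode="transparent"):
    """Return a list of findings; an empty list means every rule held."""
    findings, members = [], defaultdict(list)
    interfaces = parse_interfaces(config_text)
    version = version_tuple(release)
    max_groups = 250 if version >= (9, 3, 1) else 8      # per context or in single mode
    max_members = 64 if version >= (9, 6, 2) else 4
    for name, entry in interfaces.items():
        groups = entry["bridge-group"]
        if len(groups) > 1:
            findings.append(f"{name}: assigned to more than one bridge group ({', '.join(groups)})")
        for group in groups:
            members[group].append(name)
        if name.startswith("bvi"):
            if "ip" not in entry:
                findings.append(f"{name}: bridge group needs a management IP address")
            continue
        if not entry["enabled"]:
            continue                                     # shut down: passes nothing anyway
        if "nameif" not in entry:
            findings.append(f"{name}: enabled but has no nameif, so it cannot pass traffic")
        if "." in name and "vlan" not in entry:
            findings.append(f"{name}: subinterface has no vlan")
        if mode == "routed" and not groups and "ip" not in entry:
            findings.append(f"{name}: routed-mode interface has no ip address")
    for group, names in members.items():
        if len(names) > max_members:
            findings.append(f"bridge-group {group}: {len(names)} members exceeds the limit "
                            f"of {max_members} for release {release}")
        if f"bvi{group}" not in interfaces:
            findings.append(f"bridge-group {group}: no 'interface bvi {group}' configured")
    if len(members) > max_groups:
        findings.append(f"{len(members)} bridge groups exceeds the limit of {max_groups}")
    return findings


# Constructed sample that breaks several rules on purpose (not the reference example).
SAMPLE_CONFIG = """\
interface gigabitethernet 0/0
 nameif inside
 bridge-group 1
 no shutdown
interface gigabitethernet 0/1
 nameif outside
 bridge-group 1
 no shutdown
interface gigabitethernet 0/2
 nameif dmz
 bridge-group 1
 bridge-group 2
 no shutdown
interface gigabitethernet 0/3
 bridge-group 1
 no shutdown
interface gigabitethernet 0/3.10
 nameif guest
 bridge-group 1
 no shutdown
interface bvi 1
 ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2
interface bvi 2
"""

if __name__ == "__main__":
    for release in ("9.2", "9.6(2)"):
        print(release, check_interfaces(SAMPLE_CONFIG, release=release))
```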

interface loopback

To create a loopback interface, use the interface loopback command in global configuration mode. Use the no form of the command to remove the loopback interface.

interface loopback number

no interface loopback number

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command.

Command Mode              Firewall Mode             Security Context
                          Routed   Transparent      Single   Multiple: Context   Multiple: System
Global configuration      Yes      Yes              Yes      Yes                 No

Usage Guidelines

A loopback interface is a software-only interface that emulates a physical interface. It is reachable through multiple physical interfaces. You can use a loopback interface only for traffic to and from the device.

The following features support the loopback interface:

  • AAA

  • BGP

  • DNS

  • HTTP

  • ICMP

  • SNMP

  • SSH

  • Syslog

  • Telnet

  • VTI source interface

Command History

Release   Modification
9.18(2)   This command was added.
9.19(1)   Support for VTI was added.
9.20(1)   Support for DNS, HTTP, and ICMP was added.

Examples

The following example creates a new loopback interface:


ciscoasa(config)# interface loopback 10

interface-policy

To specify the policy for failover when monitoring detects an interface failure, use the interface-policy command in failover group configuration mode. To restore the default values, use the no form of this command.

interface-policy num[%]

no interface-policy num[%]

Syntax Description

num

Specifies a number from 1 to 100 when used as a percentage, or 1 to the maximum number of interfaces.

%

(Optional) Specifies that the number num is a percentage of the monitored interfaces.

Command Default

If the failover interface-policy command is configured for the unit, then the default for the interface-policy failover group command assumes that value. If not, then num is 1.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode                   Firewall Mode             Security Context
                               Routed   Transparent      Single   Multiple: Context   Multiple: System
Failover group configuration   Yes      Yes              No       No                  Yes

Command History

Release   Modification
7.0(1)    This command was added.

Usage Guidelines

There is no space between the num argument and the optional % keyword.

If the number of failed interfaces meets the configured policy and the other ASA is functioning correctly, the ASA will mark itself as failed and a failover may occur (if the active ASA is the one that fails). Only interfaces that are designated as monitored by the monitor-interface command count towards the policy.

Examples

The following partial example shows a possible configuration for a failover group:


ciscoasa(config)# failover group 1
ciscoasa(config-fover-group)# primary
ciscoasa(config-fover-group)# preempt 100
ciscoasa(config-fover-group)# interface-policy 25%
ciscoasa(config-fover-group)# exit
ciscoasa(config)#
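Added example, not from the Cisco reference: a small Python model of the interface-policy rule that parses num[%] the way the CLI does (no space before %, 1 to 100 for a percentage, 1 to the interface count otherwise), applies the Command Default inheritance, and counts only monitored interfaces. How the ASA rounds a percentage threshold is not stated on the page; the comparison failed * 100 >= num * monitored is an assumption.

```python
"""Model of the failover 'interface-policy num[%]' rule (added example).

A failover group marks the unit failed when the number of failed monitored
interfaces meets the policy and the other ASA is functioning correctly."""


def parse_interface_policy(arg, max_interfaces):
    """Parse 'num' or 'num%' the way the CLI accepts it: no space before '%',
    1 to 100 for a percentage, 1 to max_interfaces for a count.
    Returns (num, is_percent) or raises ValueError."""
    if arg != arg.strip() or " " in arg:
        raise ValueError("no space is allowed between num and %")
    is_percent = arg.endswith("%")
    digits = arg[:-1] if is_percent else arg
    if not digits.isdigit():
        raise ValueError(f"invalid interface-policy value {arg!r}")
    num = int(digits)
    upper = 100 if is_percent else max_interfaces
    if not 1 <= num <= upper:
        raise ValueError(f"{arg} is outside the range 1 to {upper}")
    return num, is_percent


def resolve_group_policy(group_value=None, unit_value=None):
    """Command Default rule: the failover group's own interface-policy if set,
    else the unit-level 'failover interface-policy' value, else 1."""
    return group_value or unit_value or "1"


def policy_met(policy_arg, monitored, failed, peer_healthy=True):
    """True when the unit should mark itself failed.
    Assumption (the page does not state how a percentage is rounded): a
    percentage policy is met when failed / monitored * 100 >= num; the
    cross-multiplied integer form avoids floating-point rounding."""
    num, is_percent = parse_interface_policy(policy_arg, max(monitored, 1))
    if not peer_healthy or monitored == 0:
        return False
    if failed > monitored:
        raise ValueError("more failed interfaces than monitored ones")
    if is_percent:
        return failed * 100 >= num * monitored
    return failed >= num


def evaluate_failover_group(policy_arg, interfaces, peer_healthy=True):
    """interfaces: {name: (monitored, link_up)}. Only interfaces designated
    with monitor-interface count, exactly as the usage guidelines say.
    Returns (should_fail, [names of failed monitored interfaces])."""
    monitored = [name for name, (mon, _up) in interfaces.items() if mon]
    failed = [name for name in monitored if not interfaces[name][1]]
    return policy_met(policy_arg, len(monitored), len(failed), peer_healthy), failed


if __name__ == "__main__":
    # Constructed state: three monitored interfaces, two of them down, mgmt unmonitored.
    state = {"outside": (True, False), "inside": (True, True),
             "dmz": (True, False), "mgmt": (False, False)}
    policy = resolve_group_policy(group_value="25%", unit_value="50%")
    print(policy, evaluate_failover_group(policy, state))
```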

interface port-channel

To configure an EtherChannel interface and enter interface configuration mode, use the interface port-channel command in global configuration mode. To remove an EtherChannel interface, use the no form of this command.

interface port-channel number

no interface port-channel number

Syntax Description

number

Specifies the EtherChannel channel group ID, between 1 and 48. This interface was created automatically when you added an interface to the channel group. If you have not yet added an interface, then this command creates the port-channel interface.

Note

You need to add at least one member interface to the port-channel interface before you can configure logical parameters for it, such as a name.

Command Default

By default, port-channel interfaces are enabled. However, for traffic to pass through the EtherChannel, the channel group physical interfaces must also be enabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode             Security Context
                          Routed   Transparent      Single   Multiple: Context   Multiple: System
Global Configuration      Yes      Yes              Yes      Yes                 Yes

Command History

Release   Modification
8.4(1)    This command was added.

Usage Guidelines

In interface configuration mode, you can assign a name, assign an IP address, and configure many other settings.

For an enabled interface to pass traffic, configure the following interface configuration mode commands: nameif and, for routed mode, ip address.

If you change interface settings, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.


Note

This command is not supported on the ASA 5505 or the ASASM. You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.

For more information about interfaces, see the CLI configuration guide.

Examples

The following example configures three interfaces as part of an EtherChannel. It also sets the LACP system priority, and gives GigabitEthernet 0/2 a higher port priority than the other interfaces in case more than eight interfaces are assigned to the EtherChannel.


ciscoasa(config)# lacp system-priority 1234
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# channel-group 1 mode active
ciscoasa(config-if)# interface GigabitEthernet0/1
ciscoasa(config-if)# channel-group 1 mode active
ciscoasa(config-if)# interface GigabitEthernet0/2
ciscoasa(config-if)# lacp port-priority 1234
ciscoasa(config-if)# channel-group 1 mode passive
ciscoasa(config-if)# interface Port-channel1
ciscoasa(config-if)# lacp max-bundle 4
ciscoasa(config-if)# port-channel min-bundle 2
ciscoasa(config-if)# port-channel load-balance dst-ip

interface redundant

To configure a redundant interface and enter interface configuration mode, use the interface redundant command in global configuration mode. To remove a redundant interface, use the no form of this command.

interface redundant number

no interface redundant number

Syntax Description

number

Specifies a logical redundant interface ID, between 1 and 8. A space between redundant and the ID is optional.

Command Default

By default, redundant interfaces are enabled. However, for traffic to pass through the redundant interface, the member physical interfaces must also be enabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode             Security Context
                          Routed   Transparent      Single   Multiple: Context   Multiple: System
Global Configuration      Yes      Yes              Yes      Yes                 Yes

Command History

Release   Modification
8.0(2)    This command was added.

Usage Guidelines

A redundant interface pairs an active and a standby physical interface (see the member-interface command). When the active interface fails, the standby interface becomes active and starts passing traffic.

All ASA configuration refers to the logical redundant interface instead of the member physical interfaces.

In interface configuration mode, you can assign a name, assign an IP address, and configure many other settings.

For an enabled interface to pass traffic, configure the following interface configuration mode commands: nameif and, for routed mode, ip address.

If you change interface settings, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.


Note

This command is not supported on the ASA 5505 or the ASASM.

For more information about interfaces, see the CLI configuration guide.

Examples

The following example creates two redundant interfaces:


ciscoasa(config)# interface redundant 1
ciscoasa(config-if)# member-interface gigabitethernet 0/0
ciscoasa(config-if)# member-interface gigabitethernet 0/1
ciscoasa(config-if)# interface redundant 2
ciscoasa(config-if)# member-interface gigabitethernet 0/2
ciscoasa(config-if)# member-interface gigabitethernet 0/3

interface tunnel

To create a new VTI tunnel interface, use the interface tunnel command in global configuration mode. Use the no form of the command to remove the VTI tunnel interface.

interface tunnel number

no interface tunnel number

Syntax Description

number

Assigns a number to the tunnel interface. This can be any value from 0 to 1024.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command.

Command Mode              Firewall Mode             Security Context
                          Routed   Transparent      Single   Multiple: Context   Multiple: System
Global Configuration      Yes      No               Yes      No                  -

Command History

Release   Modification
9.7(1)    We introduced this command and its submodes.
9.16(1)   The number of tunnel interfaces supported was increased from 100 to 1024 per device.

Examples

The following example creates a new tunnel interface:


ciscoasa(config)# interface tunnel 10

interface vlan

For the ASA 5505 and ASASM, to configure a VLAN interface and enter interface configuration mode, use the interface vlan command in global configuration mode. To remove a VLAN interface, use the no form of this command.

interface vlan number

no interface vlan number

Syntax Description

number

Specifies a VLAN ID.

For the ASA 5505, use an ID between 1 and 4090. The VLAN 1 interface is enabled by default.

For the ASASM, use an ID from 2 to 1000 or from 1025 to 4094.

Command Default

By default, VLAN interfaces are enabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode             Security Context
                          Routed   Transparent      Single   Multiple: Context   Multiple: System
Global Configuration      Yes      Yes              Yes      Yes                 Yes

Command History

Release   Modification
7.2(1)    This command was added.
8.4(1)    ASASM support was added.

Usage Guidelines

For the ASASM, you can add any VLAN ID to the configuration, but only VLANs that are assigned to the ASA by the switch can pass traffic. To view all VLANs assigned to the ASA, use the show vlan command. If you add an interface for a VLAN that is not yet assigned to the ASA by the switch, the interface will be in the down state. When you assign the VLAN to the ASA, the interface changes to an up state. See the show interface command for more information about interface states.

In interface configuration mode, you can assign a name, assign an IP address, and configure many other settings.

For an enabled interface to pass traffic, configure the following interface configuration mode commands: nameif and, for routed mode, ip address. For the ASA 5505 switch physical interfaces, assign the physical interface to the VLAN interface using the switchport access vlan command.

If you change interface settings, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.

For more information about interfaces, see the CLI configuration guide.

Examples

The following example configures three VLAN interfaces. The third interface, home, cannot forward traffic to the work interface.


ciscoasa(config)# interface vlan 100
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address dhcp
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface vlan 200
ciscoasa(config-if)# nameif work
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface vlan 300
ciscoasa(config-if)# no forward interface vlan 200
ciscoasa(config-if)# nameif home
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# ip address 10.2.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 200
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/2
ciscoasa(config-if)# switchport access vlan 200
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/3
ciscoasa(config-if)# switchport access vlan 200
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/4
ciscoasa(config-if)# switchport access vlan 300
ciscoasa(config-if)# no shutdown

The following example configures five VLAN interfaces, including the failover interface, which is configured separately using the failover lan command:


ciscoasa(config)# interface vlan 100
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface vlan 200
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 10.2.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface vlan 300
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# ip address 10.3.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface vlan 400
ciscoasa(config-if)# nameif backup-isp
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# ip address 10.1.2.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config)# failover lan faillink vlan500
ciscoasa(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 200
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/2
ciscoasa(config-if)# switchport access vlan 300
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/3
ciscoasa(config-if)# switchport access vlan 400
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/4
ciscoasa(config-if)# switchport access vlan 500
ciscoasa(config-if)# no shutdown

interface vni

To configure a VXLAN Network Identifier (VNI) interface and enter interface configuration mode, use the interface vni command in global configuration mode. To remove a VNI interface, use the no form of this command.

interface vni number

no interface vni number

Syntax Description

number

Sets the ID between 1 and 10000. This ID is only an internal interface identifier.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode             Security Context
                          Routed   Transparent      Single   Multiple: Context   Multiple: System
Global Configuration      Yes      Yes              Yes      Yes                 No

Command History

Release   Modification
9.4(1)    This command was added.

Usage Guidelines

You must associate a VNI interface with a VTEP source interface using the vtep-nve command. You must also set the VXLAN segment-id.

Examples

The following example configures the GigabitEthernet 1/1 interface as the VTEP source interface, and associates the VNI 1 interface with it:


ciscoasa(config)# interface gigabitethernet 1/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config)# nve 1
ciscoasa(cfg-nve)# source-interface outside
ciscoasa(config)# interface vni 1
ciscoasa(config-if)# segment-id 1000
ciscoasa(config-if)# vtep-nve 1
ciscoasa(config-if)# nameif vxlan1000
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
ciscoasa(config-if)# ipv6 address 2001:0DB8::BA98:0:3210/48
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# mcast-group 236.0.0.100

interim-accounting-update

To enable the generation of RADIUS interim-accounting-update messages for the AAA server group, use the interim-accounting-update command in aaa-server group configuration mode. To disable interim-accounting-update messages, use the no form of this command.

interim-accounting-update [ periodic [ hours ] ]

no interim-accounting-update [ periodic [ hours ] ]

Syntax Description

periodic [hours ]

(Optional) Enables the periodic generation and transmission of accounting records for every VPN session that is configured to send accounting records to the server group in question. You can optionally include the interval, in hours, for sending these updates. The default is 24 hours; the range is 1 to 120.

Use this option for a server group configured for ISE Change of Authorization (CoA).

Command Default

By default interim-accounting-update is not enabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

aaa-server group configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.2(1)

The periodic keyword was added.

Usage Guidelines

If you use this command without the periodic keyword, the ASA sends interim-accounting-update messages only when a VPN tunnel connection is added to a clientless VPN session. When this happens, the accounting update is generated in order to inform the RADIUS server of the newly assigned IP address.

If you are using the server group to configure ISE Change of Authorization for a remote access VPN, add the periodic keyword. Periodic reporting includes AnyConnect connections as well as clientless sessions.

ISE maintains a directory of active sessions based on the accounting records that it receives from NAS devices such as the ASA. However, if ISE does not receive any indication that the session is still active (accounting messages or posture transactions) for a period of 5 days, it will remove the session record from its database. To ensure that long-lived VPN connections are not removed, configure the group to send periodic interim-accounting-update messages to ISE for all active sessions.

Examples

The following example shows how to configure an ISE server group for dynamic authorization (CoA) updates and hourly periodic accounting. Included is the tunnel group configuration that configures password authentication with ISE.


ciscoasa(config)# aaa-server ise protocol radius
ciscoasa(config-aaa-server-group)# interim-accounting-update periodic 1
ciscoasa(config-aaa-server-group)# dynamic-authorization
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server ise (inside) host 10.1.1.3
ciscoasa(config-aaa-server-host)# key sharedsecret
ciscoasa(config-aaa-server-host)# exit
ciscoasa(config)# tunnel-group aaa-coa general-attributes
ciscoasa(config-tunnel-general)# address-pool vpn
ciscoasa(config-tunnel-general)# authentication-server-group ise
ciscoasa(config-tunnel-general)# accounting-server-group ise
ciscoasa(config-tunnel-general)# exit

The following example shows how to configure a tunnel group for local certificate validation and authorization with ISE. In this case, you include the authorize-only command in the server group configuration, because the server group will not be used for authentication.


ciscoasa(config)# aaa-server ise protocol radius
ciscoasa(config-aaa-server-group)# authorize-only
ciscoasa(config-aaa-server-group)# interim-accounting-update periodic 1
ciscoasa(config-aaa-server-group)# dynamic-authorization
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server ise (inside) host 10.1.1.3
ciscoasa(config-aaa-server-host)# key sharedsecret
ciscoasa(config-aaa-server-host)# exit
ciscoasa(config)# tunnel-group aaa-coa general-attributes
ciscoasa(config-tunnel-general)# address-pool vpn
ciscoasa(config-tunnel-general)# authentication certificate
ciscoasa(config-tunnel-general)# authorization-server-group ise
ciscoasa(config-tunnel-general)# accounting-server-group ise
ciscoasa(config-tunnel-general)# exit

internal-password

To display an additional password field on the clientless SSL VPN portal page, use the internal-password command in webvpn configuration mode. This additional password is used by the ASA to authenticate users to file servers for whom SSO is allowed.

To disable the ability to use an internal password, use the no version of the command.

internal-password enable

no internal-password

Syntax Description

enable

Enables use of an internal password.

Command Default

The default is disabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Webvpn configuration

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

Usage Guidelines

If enabled, end users type a second password when logging in to a clientless SSL VPN session. The clientless SSL VPN server sends an SSO authentication request, including the username and password, to the authenticating server using HTTPS. If the authenticating server approves the authentication request, it returns an SSO authentication cookie to the clientless SSL VPN server. This cookie is kept on the ASA on behalf of the user and used to authenticate the user to secure websites within the domain protected by the SSO server.

The internal password feature is useful if you require that the internal password be different from the SSL VPN password. In particular, you can use one-time passwords for authentication to the ASA, and another password for internal sites.

Examples

The following example shows how to enable the internal password:


ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# internal-password enable
ciscoasa(config-webvpn)#

internal-port

To specify the VXLAN internal port for a VNI interface for the ASA virtual on Azure for the Azure Gateway Load Balancer (GWLB), use the internal-port command in interface configuration mode. To remove the port, use the no form of this command.

internal-port port

no internal-port port

Syntax Description

port

Sets the port between 1024 and 65535.

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Interface configuration

  • Yes

  • Yes

Command History

Release

Modification

9.19(1)

This command was added.

Usage Guidelines

In an Azure service chain, ASA virtuals act as a transparent gateway that can intercept packets between the internet and the customer service. The ASA virtual defines an external interface and an internal interface on a single NIC by utilizing VXLAN segments in a paired proxy.

Examples

The following example configures the VNI 1 interface for Azure GWLB:


ciscoasa(config)# interface vni 1
ciscoasa(config-if)# proxy paired
ciscoasa(config-if)# internal-segment-id 1000
ciscoasa(config-if)# external-segment-id 1001
ciscoasa(config-if)# internal-port 101
ciscoasa(config-if)# external-port 102
ciscoasa(config-if)# vtep-nve 1
ciscoasa(config-if)# nameif vxlan1000
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
ciscoasa(config-if)# ipv6 address 2001:0DB8::BA98:0:3210/48
ciscoasa(config-if)# security-level 50

internal-segment-id

To specify the VXLAN internal segment ID for a VNI interface for the ASA virtual on Azure for the Azure Gateway Load Balancer (GWLB), use the internal-segment-id command in interface configuration mode. To remove the ID, use the no form of this command.

internal-segment-id id

no internal-segment-id id

Syntax Description

id

Sets the ID between 1 and 16777215.

Command Default

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Interface configuration

  • Yes

  • Yes

Command History

Release

Modification

9.19(1)

This command was added.

Usage Guidelines

In an Azure service chain, ASA virtuals act as a transparent gateway that can intercept packets between the internet and the customer service. The ASA virtual defines an external interface and an internal interface on a single NIC by utilizing VXLAN segments in a paired proxy.

Examples

The following example configures the VNI 1 interface for Azure GWLB:


ciscoasa(config)# interface vni 1
ciscoasa(config-if)# proxy paired
ciscoasa(config-if)# internal-segment-id 1000
ciscoasa(config-if)# external-segment-id 1001
ciscoasa(config-if)# internal-port 101
ciscoasa(config-if)# external-port 102
ciscoasa(config-if)# vtep-nve 1
ciscoasa(config-if)# nameif vxlan1000
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
ciscoasa(config-if)# ipv6 address 2001:0DB8::BA98:0:3210/48
ciscoasa(config-if)# security-level 50

interval maximum

To configure the maximum interval between update attempts by a DDNS update method, use the interval maximum command in DDNS-update-method mode. To remove an interval for a DDNS update method from the running configuration, use the no form of this command.

interval maximum days hours minutes seconds

no interval maximum days hours minutes seconds

Syntax Description

days

Specifies the number of days between update attempts with a range of 0 to 364.

hours

Specifies the number of hours between update attempts with a range of 0 to 23.

minutes

Specifies the number of minutes between update attempts with a range of 0 to 59.

seconds

Specifies the number of seconds between update attempts with a range of 0 to 59.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Ddns-update-method configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.2(1)

This command was added.

Usage Guidelines

The days, hours, minutes, and seconds are added together to arrive at the total interval.

Examples

The following example configures a method called ddns-2 to attempt an update every 3 minutes and 15 seconds:


ciscoasa(config)# ddns update method ddns-2
ciscoasa(DDNS-update-method)# interval maximum 0 0 3 15

invalid-ack

To set the action for packets with an invalid ACK, use the invalid-ack command in tcp-map configuration mode. To set the value back to the default, use the no form of this command. This command is part of the TCP normalization policy enabled using the set connection advanced-options command.

invalid-ack { allow | drop }

no invalid-ack

Syntax Description

allow

Allows packets with an invalid ACK.

drop

Drops packets with an invalid ACK.

Command Default

The default action is to drop packets with an invalid ACK.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Tcp-map configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.2(4)/8.0(4)

This command was added.

Usage Guidelines

To enable TCP normalization, use the Modular Policy Framework:

  1. tcp-map—Identifies the TCP normalization actions.

    1. invalid-ack—In tcp-map configuration mode, you can enter the invalid-ack command and many others.

  2. class-map—Identifies the traffic on which you want to perform TCP normalization.

  3. policy-map—Identifies the actions associated with each class map.

    1. class—Identifies the class map on which you want to perform actions.

    2. set connection advanced-options—Identifies the TCP map you created.

  4. service-policy—Assigns the policy map to an interface or globally.

You might see invalid ACKs in the following instances:

  • In the TCP connection SYN-ACK-received state, if the ACK number of a received TCP packet is not exactly the sequence number of the next TCP packet to be sent, the packet has an invalid ACK.

  • Whenever the ACK number of a received TCP packet is greater than the sequence number of the next TCP packet to be sent, the packet has an invalid ACK.


Note

TCP packets with an invalid ACK are automatically allowed for WAAS connections.
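The two invalid-ACK rules and the WAAS note above, applied to constructed segments as an added example; this is illustrative code written for this page, not ASA code, and the TcpConn model, state names and function names are assumptions of the example.

```python
from dataclasses import dataclass

# Hypothetical, simplified model of the per-connection state a TCP normalizer keeps.
# TcpConn, the state names and the function names are assumptions of this example,
# not ASA internals.

SEQ_MOD = 1 << 32


@dataclass
class TcpConn:
    state: str            # "SYN_ACK_RECEIVED" while the handshake completes, then "ESTABLISHED"
    next_seq: int         # sequence number of the next segment the acknowledged side will send
    waas: bool = False    # WAAS-optimized connection (invalid ACKs are always allowed)


def seq_after(a: int, b: int) -> bool:
    """True if 32-bit sequence number a lies strictly after b, allowing for wraparound."""
    d = (a - b) % SEQ_MOD
    return 0 < d < SEQ_MOD // 2


def is_invalid_ack(conn: TcpConn, ack: int) -> bool:
    """Apply the two rules from the invalid-ack usage guidelines."""
    if conn.state == "SYN_ACK_RECEIVED":
        # Rule 1: while completing the handshake the ACK must equal the next
        # sequence number exactly; anything else is an invalid ACK.
        return ack != conn.next_seq
    # Rule 2: in any state, an ACK beyond the next sequence number acknowledges
    # data that was never sent, so it is an invalid ACK.
    return seq_after(ack, conn.next_seq)


def normalize(conn: TcpConn, ack: int, action: str = "drop") -> str:
    """Verdict for one segment: 'allow' or 'drop', honouring the tcp-map invalid-ack action."""
    if action not in ("allow", "drop"):
        raise ValueError("invalid-ack action must be allow or drop")
    if not is_invalid_ack(conn, ack):
        return "allow"
    if conn.waas:
        return "allow"        # invalid ACKs are always allowed for WAAS connections
    return action             # configured action; the default is drop


# Constructed sample segments: (connection state, next sequence number, ACK carried by the packet)
SAMPLE_SEGMENTS = [
    ("SYN_ACK_RECEIVED", 1001, 1001),   # handshake ACK matches exactly: valid
    ("SYN_ACK_RECEIVED", 1001, 1002),   # off by one during the handshake: invalid
    ("ESTABLISHED", 5000, 4000),        # acknowledges older data: valid
    ("ESTABLISHED", 5000, 5000),        # acknowledges everything sent so far: valid
    ("ESTABLISHED", 5000, 5001),        # acknowledges a byte never sent: invalid
    ("ESTABLISHED", 0xFFFFFFF0, 16),    # ahead of next_seq across the 32-bit wrap: invalid
]


def verdicts(segments=SAMPLE_SEGMENTS, action: str = "drop", waas: bool = False):
    """Run every sample segment through the normalizer and return the verdicts in order."""
    return [normalize(TcpConn(state, nxt, waas), ack, action)
            for state, nxt, ack in segments]


if __name__ == "__main__":
    for seg, verdict in zip(SAMPLE_SEGMENTS, verdicts()):
        print(seg, "->", verdict)
```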

Examples

The following example sets the ASA to allow packets with an invalid ACK:


ciscoasa(config)# tcp-map tmap
ciscoasa(config-tcp-map)# invalid-ack allow
ciscoasa(config)# class-map cmap
ciscoasa(config-cmap)# match any
ciscoasa(config)# policy-map pmap
ciscoasa(config-pmap)# class cmap
ciscoasa(config-pmap)# set connection advanced-options tmap
ciscoasa(config)# service-policy pmap global
ciscoasa(config)#

ip address

To set the IP address for an interface (in routed mode) or for the bridge virtual interface (BVI) (routed or transparent mode), use the ip address command in interface configuration mode. To remove the IP address, use the no form of this command.

ip address ip_address [ mask ] [ standby ip_address | cluster-pool poolname ]

no ip address [ ip_address ]

Syntax Description

cluster-pool poolname

(Optional) For ASA clustering, sets the cluster pool of addresses defined by the ip local pool command. The main cluster IP address defined by the ip_address argument belongs to the current master unit only. Each cluster member receives a local IP address from this pool.

You cannot determine the exact address assigned to each unit in advance; to see the address used on each unit, enter the show ip local pool poolname command. Each cluster member is assigned a member ID when it joins the cluster. The ID determines the local IP used from the pool.

ip_address

The IP address for the interface.

mask

(Optional) The subnet mask for the IP address. If you do not set the mask, the ASA uses the default mask for the IP address class.

standby ip_address

(Optional) For failover, sets the IP address for the standby unit.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Interface Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

For routed mode, this command was changed from a global configuration command to an interface configuration mode command.

8.4(1)

For transparent mode, bridge groups were added. You now set the IP address for the BVI, and not globally.

9.0(1)

The cluster-pool keyword was added to support ASA clustering.

9.7(1)

For routed interfaces, you can configure an IP address on a 31-bit subnet for point-to-point connections.

Usage Guidelines

This command also sets the standby address for failover.

Multiple Context Mode Guidelines

In single context routed firewall mode, each interface address must be on a unique subnet. In multiple context mode, if this interface is on a shared interface, then each IP address must be unique but on the same subnet. If the interface is unique, this IP address can be used by other contexts if desired.

Transparent Firewall Guidelines

A transparent firewall does not participate in IP routing. The only IP configuration required for the ASA is to set the BVI address. This address is required because the ASA uses this address as the source address for traffic originating on the ASA, such as system messages or communications with AAA servers. You can also use this address for remote management access. This address must be on the same subnet as the upstream and downstream routers. For multiple context mode, set the management IP address within each context. For models that include a Management interface, you can also set an IP address for this interface for management purposes.

Failover Guidelines

The standby IP address must be on the same subnet as the main IP address.

ASA Clustering Guidelines

You can only set the cluster pool for an individual interface after you configure the cluster interface mode to be individual (cluster-interface mode individual command). The only exception is for the management-only interface(s):

  • You can always configure the management-only interface as an individual interface, even in spanned EtherChannel mode. The management interface can be an individual interface even in transparent firewall mode.

  • In spanned EtherChannel mode, if you configure the management interface as an individual interface, you cannot enable dynamic routing for the management interface. You must use a static route.

/31 Subnet Guidelines

For routed interfaces, you can configure an IP address on a 31-bit subnet for point-to-point connections. The 31-bit subnet includes only 2 addresses; normally, the first and last addresses in the subnet are reserved for the network and broadcast, so a 2-address subnet is not usable. However, if you have a point-to-point connection and do not need network or broadcast addresses, a 31-bit subnet is a useful way to preserve addresses in IPv4. For example, the failover link between 2 ASAs only requires 2 addresses; any packet that is transmitted by one end of the link is always received by the other, and broadcasting is unnecessary. You can also have a directly-connected management station running SNMP or Syslog.

  • 31-Bit Subnet and Clustering—You can use a 31-bit subnet mask for Spanned EtherChannels. Individual interfaces (including the Management IP address in Spanned EtherChannel mode) do not support a 31-bit subnet. You also cannot use the 31-bit subnet for the Cluster Control Link.

  • 31-Bit Subnet and Failover—For failover, when you use a 31-bit subnet for the ASA interface IP address, you cannot configure a standby IP address for the interface because there are not enough addresses. Normally, an interface for failover should have a standby IP address so the active unit can perform interface tests to ensure standby interface health. Without a standby IP address, the ASA cannot perform any network tests; only the link state can be tracked. For the failover and optional separate state link, which are point-to-point connections, you can also use a 31-bit subnet.

  • 31-Bit Subnet and Management—If you have a directly-connected management station, you can use a point-to-point connection for SSH or HTTP on the ASA, or for SNMP or Syslog on the management station.

  • 31-Bit Subnet Unsupported Features—The following features do not support the 31-Bit subnet:

    • BVI interfaces for bridge groups—The bridge group requires at least 3 host addresses: the BVI, and two hosts connected to two bridge group member interfaces. You must use a /29 subnet or smaller.

    • Multicast Routing
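The Failover, /31 Subnet and BVI guidelines above, turned into a pre-commit check over ip address lines as an added example; this is illustrative code written for this page, not ASA code, and the function names and violation codes are assumptions of the example.

```python
import ipaddress
from typing import List, Optional

# check_ip_address / check_command and the violation codes are assumptions of this example.


def check_ip_address(ip: str, mask: str, standby: Optional[str] = None,
                     bvi: bool = False, cluster_pool: Optional[str] = None) -> List[str]:
    """Return the guideline violations for one ip address command; [] means it is acceptable."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    net = iface.network
    prefix = net.prefixlen
    problems: List[str] = []

    # The command syntax offers standby and cluster-pool as alternatives, not together.
    if standby is not None and cluster_pool is not None:
        problems.append("standby-and-cluster-pool")

    # Outside a /31, the first and last addresses are the network and broadcast addresses.
    if prefix < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append("reserved-address")

    if standby is not None:
        sb = ipaddress.IPv4Address(standby)
        if prefix == 31:
            # A 31-bit subnet holds only the two point-to-point addresses: no room for a standby.
            problems.append("standby-on-31-bit-subnet")
        elif sb not in net:
            # Failover guideline: the standby address must be on the same subnet as the main one.
            problems.append("standby-not-on-subnet")

    # BVI guideline: a bridge group needs at least three host addresses (BVI plus two hosts),
    # so the subnet must be /29 or larger.
    if bvi and prefix > 29:
        problems.append("bvi-needs-29-or-larger")
    return problems


def check_command(line: str, bvi: bool = False) -> List[str]:
    """Parse an 'ip address A M [standby S | cluster-pool P]' line and check it."""
    t = line.split()
    if t and t[0].endswith("#"):
        t = t[1:]                       # tolerate a copied "ciscoasa(config-if)#" prompt
    if t[:2] != ["ip", "address"] or len(t) < 4:
        raise ValueError(f"not an ip address command with a mask: {line}")
    ip, mask, rest = t[2], t[3], t[4:]
    standby = rest[1] if rest[:1] == ["standby"] else None
    pool = rest[1] if rest[:1] == ["cluster-pool"] else None
    return check_ip_address(ip, mask, standby, bvi, pool)


if __name__ == "__main__":
    # Constructed sample lines, including the interface and BVI examples on this page.
    for line, is_bvi in [
        ("ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2", False),
        ("ciscoasa(config-if)# ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2", True),
        ("ip address 10.1.1.0 255.255.255.254 standby 10.1.1.1", False),
        ("ip address 10.1.3.1 255.255.255.252", True),
    ]:
        print(line, "->", check_command(line, is_bvi) or "ok")
```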

Examples

The following example sets the IP addresses and standby addresses of two interfaces:


ciscoasa(config)# interface gigabitethernet0/2
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface gigabitethernet0/3
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2
ciscoasa(config-if)# no shutdown

The following example sets the management address and standby address of bridge group 1:


ciscoasa(config)# interface bvi 1
ciscoasa(config-if)# ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2

ip address dhcp

To use DHCP to obtain an IP address for an interface, use the ip address dhcp command in interface configuration mode. To disable the DHCP client for this interface, use the no form of this command.

ip address dhcp [ setroute ]

no ip address dhcp

Syntax Description

setroute

(Optional) Allows the ASA to use the default route supplied by the DHCP server.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Interface configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was changed from a global configuration command to an interface configuration mode command. You can also enable this command on any interface, instead of only the outside interface.

Usage Guidelines

Reenter this command to reset the DHCP lease and request a new lease.

If you do not enable the interface using the no shutdown command before you enter the ip address dhcp command, some DHCP requests might not be sent.


Note

The ASA rejects any leases that have a timeout of less than 32 seconds.

Examples

The following example enables DHCP on the Gigabitethernet0/1 interface:


ciscoasa(config)# interface gigabitethernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# ip address dhcp

ip address pppoe

To enable PPPoE, use the ip address pppoe command in interface configuration mode. To disable PPPoE, use the no form of this command.

ip address [ ip_address [ mask ] ] pppoe [ setroute ]

no ip address [ ip_address [ mask ] ] pppoe

Syntax Description

ip_address

Manually sets the IP address instead of receiving an address from the PPPoE server.

mask

Specifies the subnet mask for the IP address. If you do not set the mask, the ASA uses the default mask for the IP address class.

setroute

Lets the ASA use the default route supplied by the PPPoE server. If the PPPoE server does not send a default route, the ASA creates a default route with the address of the access concentrator as the gateway.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Interface configuration

  • Yes

  • Yes

Command History

Release

Modification

7.2(1)

This command was added.

Usage Guidelines

PPPoE combines two widely accepted standards, Ethernet and PPP, to provide an authenticated method of assigning IP addresses to client systems. ISPs deploy PPPoE because it supports high-speed broadband access using their existing remote access infrastructure and because it is easier for customers to use.

Before you set the IP address using PPPoE, configure the vpdn commands to set the username, password, and authentication protocol. If you enable this command on more than one interface, for example for a backup link to your ISP, then you can assign each interface to a different VPDN group if necessary using the pppoe client vpdn group command.

The maximum transmission unit (MTU) size is automatically set to 1492 bytes, which is the correct value to allow PPPoE transmission within an Ethernet frame.

Reenter this command to reset and restart the PPPoE session.

You cannot set this command at the same time as the ip address command or the ip address dhcp command.

Examples

The following example enables PPPoE on the Gigabitethernet 0/1 interface:


ciscoasa(config)# interface gigabitethernet0/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address pppoe
ciscoasa(config-if)# no shutdown

The following example manually sets the IP address for a PPPoE interface:


ciscoasa(config)# interface gigabitethernet0/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0 pppoe
ciscoasa(config-if)# no shutdown

ip-address-privacy

To enable IP address privacy, use the ip-address-privacy command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.

ip-address-privacy

no ip-address-privacy

Syntax Description

This command has no arguments or keywords.

Command Default

This command is disabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Parameters Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.2(1)

This command was added.

Examples

The following example shows how to enable IP address privacy over SIP in a SIP inspection policy map:


ciscoasa(config)# policy-map type inspect sip sip_map
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# ip-address-privacy

ip audit attack

To set the default actions for packets that match an attack signature, use the ip audit attack command in global configuration mode. To restore the default action (to reset the connection), use the no form of this command.

ip audit attack [ action [ alarm ] [ drop ] [ reset ] ]

no ip audit attack

Syntax Description

action

(Optional) Specifies that you are defining a set of default actions. If you do not follow this keyword with any actions, then the ASA takes no action. If you do not enter the action keyword, the ASA assumes you entered it, and the action keyword appears in the configuration.

alarm

(Default) Generates a system message showing that a packet matched a signature.

drop

(Optional) Drops the packet.

reset

(Optional) Drops the packet and closes the connection.

Command Default

The default action is to send an alarm.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

You can specify multiple actions, or no actions. You can override the action you set with this command when you configure an audit policy using the ip audit name command. If you do not specify the action in the ip audit name command, then the action you set with this command is used.

For a list of signatures, see the ip audit signature command.

Examples

The following example sets the default action to alarm and reset for packets that match an attack signature. The audit policy for the inside interface overrides this default to be alarm only, while the policy for the outside interface uses the default setting set with the ip audit attack command.


ciscoasa(config)# ip audit attack action alarm reset
ciscoasa(config)# ip audit name insidepolicy attack action alarm
ciscoasa(config)# ip audit name outsidepolicy attack
ciscoasa(config)# ip audit interface inside insidepolicy
ciscoasa(config)# ip audit interface outside outsidepolicy

ip audit info

To set the default actions for packets that match an informational signature, use the ip audit info command in global configuration mode. To restore the default action (to generate an alarm), use the no form of this command. You can specify multiple actions, or no actions.

ip audit info [ action [ alarm ] [ drop ] [ reset ] ]

no ip audit info

Syntax Description

action

(Optional) Specifies that you are defining a set of default actions. If you do not follow this keyword with any actions, then the ASA takes no action. If you do not enter the action keyword, the ASA assumes you entered it, and the action keyword appears in the configuration.

alarm

(Default) Generates a system message showing that a packet matched a signature.

drop

(Optional) Drops the packet.

reset

(Optional) Drops the packet and closes the connection.

Command Default

The default action is to generate an alarm.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

You can override the action you set with this command when you configure an audit policy using the ip audit name command. If you do not specify the action in the ip audit name command, then the action you set with this command is used.

For a list of signatures, see the ip audit signature command.

Examples

The following example sets the default action to alarm and reset for packets that match an informational signature. The audit policy for the inside interface overrides this default to be alarm and drop, while the policy for the outside interface uses the default setting set with the ip audit info command.


ciscoasa(config)# ip audit info action alarm reset
ciscoasa(config)# ip audit name insidepolicy info action alarm drop
ciscoasa(config)# ip audit name outsidepolicy info
ciscoasa(config)# ip audit interface inside insidepolicy
ciscoasa(config)# ip audit interface outside outsidepolicy

ip audit interface

To assign an audit policy to an interface, use the ip audit interface command in global configuration mode. To remove the policy from the interface, use the no form of this command.

ip audit interface interface_name policy_name

no ip audit interface interface_name policy_name

Syntax Description

interface_name

Specifies the interface name.

policy_name

The name of the policy you added with the ip audit name command. You can assign an info policy and an attack policy to each interface.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Examples

The following example applies audit policies to the inside and outside interfaces:


ciscoasa(config)# ip audit name insidepolicy1 attack action alarm
ciscoasa(config)# ip audit name insidepolicy2 info action alarm
ciscoasa(config)# ip audit name outsidepolicy1 attack action reset
ciscoasa(config)# ip audit name outsidepolicy2 info action alarm
ciscoasa(config)# ip audit interface inside insidepolicy1
ciscoasa(config)# ip audit interface inside insidepolicy2
ciscoasa(config)# ip audit interface outside outsidepolicy1
ciscoasa(config)# ip audit interface outside outsidepolicy2

ip audit name

To create a named audit policy that identifies the actions to take when a packet matches a predefined attack signature or informational signature, use the ip audit name command in global configuration mode. To remove the policy, use the no form of this command.

ip audit name name { info | attack } [ action [ alarm ] [ drop ] [ reset ] ]

no ip audit name name { info | attack } [ action [ alarm ] [ drop ] [ reset ] ]

Syntax Description

action

(Optional) Specifies that you are defining a set of actions. If you do not follow this keyword with any actions, then the ASA takes no action. If you do not enter the action keyword, then the ASA uses the default action set by the ip audit attack and ip audit info commands.

alarm

(Optional) Generates a system message showing that a packet matched a signature.

attack

Creates an audit policy for attack signatures; the packet might be part of an attack on your network, such as a DoS attack or illegal FTP commands.

drop

(Optional) Drops the packet.

info

Creates an audit policy for informational signatures; the packet is not currently attacking your network, but could be part of an information-gathering activity, such as a port sweep.

name

Sets the name of the policy.

reset

(Optional) Drops the packet and closes the connection.

Command Default

If you do not change the default actions using the ip audit attack and ip audit info commands, then the default action for attack signatures and informational signatures is to generate an alarm.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

Signatures are activities that match known attack patterns. For example, there are signatures that match DoS attacks. To apply the policy, assign it to an interface using the ip audit interface command. You can assign an info policy and an attack policy to each interface.

For a list of signatures, see the ip audit signature command.

If traffic matches a signature, and you want to take action against that traffic, use the shun command to prevent new connections from the offending host and to disallow packets from any existing connection.

Examples

The following example sets an audit policy for the inside interface to generate an alarm for attack and informational signatures, while the policy for the outside interface resets the connection for attacks:


ciscoasa(config)# ip audit name insidepolicy1 attack action alarm
ciscoasa(config)# ip audit name insidepolicy2 info action alarm
ciscoasa(config)# ip audit name outsidepolicy1 attack action reset
ciscoasa(config)# ip audit name outsidepolicy2 info action alarm
ciscoasa(config)# ip audit interface inside insidepolicy1
ciscoasa(config)# ip audit interface inside insidepolicy2
ciscoasa(config)# ip audit interface outside outsidepolicy1
ciscoasa(config)# ip audit interface outside outsidepolicy2

ip audit signature

To disable a signature for an audit policy, use the ip audit signature command in global configuration mode. To reenable the signature, use the no form of this command.

ip audit signature signature_number disable

no ip audit signature signature_number

Syntax Description

disable

Disables the signature.

signature_number

Specifies the signature number to disable. See Table 1 for a list of supported signatures.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

You might want to disable a signature if legitimate traffic continually matches it and you are willing to accept the risk of disabling the signature to avoid large numbers of alarms. Table 1 lists the supported signatures and their system message numbers.

Table 1. Signature IDs and System Message Numbers

Signature ID

Message Number

Signature Title

Signature Type

Description

1000

400000

IP options-Bad Option List

Informational

Triggers on receipt of an IP datagram where the list of IP options in the IP datagram header is incomplete or malformed. The IP options list contains one or more options that perform various network management or debugging tasks.

1001

400001

IP options-Record Packet Route

Informational

Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 7 (Record Packet Route).

1002

400002

IP options-Timestamp

Informational

Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 4 (Timestamp).

1003

400003

IP options-Security

Informational

Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 2 (Security options).

1004

400004

IP options-Loose Source Route

Informational

Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 3 (Loose Source Route).

1005

400005

IP options-SATNET ID

Informational

Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 8 (SATNET stream identifier).

1006

400006

IP options-Strict Source Route

Informational

Triggers on receipt of an IP datagram in which the IP option list for the datagram includes option 2 (Strict Source Routing).

1100

400007

IP Fragment Attack

Attack

Triggers when any IP datagram is received with an offset value less than 5 but greater than 0 indicated in the offset field.

1102

400008

IP Impossible Packet

Attack

Triggers when an IP packet arrives with the source address equal to the destination address. This signature catches the so-called Land Attack.

1103

400009

IP Overlapping Fragments (Teardrop)

Attack

Triggers when two fragments contained within the same IP datagram have offsets that indicate that they share positioning within the datagram. This could mean that fragment A is being completely overwritten by fragment B, or that fragment A is partially being overwritten by fragment B. Some operating systems do not properly handle fragments that overlap in this manner and may throw exceptions or behave in other undesirable ways upon receipt of overlapping fragments, which is how the Teardrop attack works to create a DoS.

2000

400010

ICMP Echo Reply

Informational

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 0 (Echo Reply).

2001

400011

ICMP Host Unreachable

Informational

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 3 (Host Unreachable).

2002

400012

ICMP Source Quench

Informational

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 4 (Source Quench).

2003

400013

ICMP Redirect

Informational

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 5 (Redirect).

2004

400014

ICMP Echo Request

Informational

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 8 (Echo Request).

2005

400015

ICMP Time Exceeded for a Datagram

Informational

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 11 (Time Exceeded for a Datagram).

2006

400016

ICMP Parameter Problem on Datagram

Informational

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 12 (Parameter Problem on Datagram).

2007

400017

ICMP Timestamp Request

Informational

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 13 (Timestamp Request).

2008

400018

ICMP Timestamp Reply

Informational

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 14 (Timestamp Reply).

2009

400019

ICMP Information Request

Informational

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 15 (Information Request).

2010

400020

ICMP Information Reply

Informational

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 16 (ICMP Information Reply).

2011

400021

ICMP Address Mask Request

Informational

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 17 (Address Mask Request).

2012

400022

ICMP Address Mask Reply

Informational

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 18 (Address Mask Reply).

2150

400023

Fragmented ICMP Traffic

Attack

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and either the more fragments flag is set to 1 (ICMP) or a non-zero value is indicated in the offset field.

2151

400024

Large ICMP Traffic

Attack

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the IP length > 1024.

2154

400025

Ping of Death Attack

Attack

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset * 8) + (IP data length) > 65535; that is, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.

3040

400026

TCP NULL flags

Attack

Triggers when a single TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host.

3041

400027

TCP SYN+FIN flags

Attack

Triggers when a single TCP packet with both the SYN and FIN flags set is sent to a specific host.

3042

400028

TCP FIN only flags

Attack

Triggers when a single orphaned TCP FIN packet is sent to a privileged port (having port number less than 1024) on a specific host.

3153

400029

FTP Improper Address Specified

Informational

Triggers if a PORT command is issued with an address that is not the same as the requesting host's address.

3154

400030

FTP Improper Port Specified

Informational

Triggers if a PORT command is issued with a data port specified that is <1024 or >65535.

4050

400031

UDP Bomb attack

Attack

Triggers when the UDP length specified is less than the IP length specified. This malformed packet type is associated with a denial of service attempt.

4051

400032

UDP Snork attack

Attack

Triggers when a UDP packet with a source port of either 135, 7, or 19 and a destination port of 135 is detected.

4052

400033

UDP Chargen DoS attack

Attack

This signature triggers when a UDP packet is detected with a source port of 7 and a destination port of 19.

6050

400034

DNS HINFO Request

Informational

Triggers on an attempt to access HINFO records from a DNS server.

6051

400035

DNS Zone Transfer

Informational

Triggers on normal DNS zone transfers, in which the source port is 53.

6052

400036

DNS Zone Transfer from High Port

Informational

Triggers on an illegitimate DNS zone transfer, in which the source port is not equal to 53.

6053

400037

DNS Request for All Records

Informational

Triggers on a DNS request for all records.

6100

400038

RPC Port Registration

Informational

Triggers when attempts are made to register new RPC services on a target host.

6101

400039

RPC Port Unregistration

Informational

Triggers when attempts are made to unregister existing RPC services on a target host.

6102

400040

RPC Dump

Informational

Triggers when an RPC dump request is issued to a target host.

6103

400041

Proxied RPC Request

Attack

Triggers when a proxied RPC request is sent to the portmapper of a target host.

6150

400042

ypserv (YP server daemon) Portmap Request

Informational

Triggers when a request is made to the portmapper for the YP server daemon (ypserv) port.

6151

400043

ypbind (YP bind daemon) Portmap Request

Informational

Triggers when a request is made to the portmapper for the YP bind daemon (ypbind) port.

6152

400044

yppasswdd (YP password daemon) Portmap Request

Informational

Triggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port.

6153

400045

ypupdated (YP update daemon) Portmap Request

Informational

Triggers when a request is made to the portmapper for the YP update daemon (ypupdated) port.

6154

400046

ypxfrd (YP transfer daemon) Portmap Request

Informational

Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port.

6155

400047

mountd (mount daemon) Portmap Request

Informational

Triggers when a request is made to the portmapper for the mount daemon (mountd) port.

6175

400048

rexd (remote execution daemon) Portmap Request

Informational

Triggers when a request is made to the portmapper for the remote execution daemon (rexd) port.

6180

400049

rexd (remote execution daemon) Attempt

Informational

Triggers when a call to the rexd program is made. The remote execution daemon is the server responsible for remote program execution. This may be indicative of an attempt to gain unauthorized access to system resources.

6190

400050

statd Buffer Overflow

Attack

Triggers when a large statd request is sent. This could be an attempt to overflow a buffer and gain access to system resources.

Examples

The following example disables signature 6100:


ciscoasa(config)# ip audit signature 6100 disable
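As an added illustration (not Cisco's code), the following Python checks constructed packet headers against a subset of the signatures in Table 1 and then applies the info/attack action sets that an ip audit name policy assigned with ip audit interface would give them, honoring ip audit signature disable. The Packet class, its field names and the sample values are assumptions made for this example; the trigger conditions follow the table's wording.

```python
# Added example, not Cisco's code: checks packet headers against a subset of
# the Table 1 signatures, then applies the info/attack actions that ip audit
# name / ip audit interface would assign. The Packet class, its field names
# and the sample values are constructed; trigger conditions follow the table.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IP_PROTO_ICMP, IP_PROTO_TCP, IP_PROTO_UDP = 1, 6, 17
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10

@dataclass
class Packet:                          # minimal header view, constructed
    src: str
    dst: str
    proto: int
    ip_len: int                        # IP total length field
    frag_offset: int = 0               # fragment offset, in 8-byte units
    more_fragments: bool = False       # MF flag; False means last fragment
    icmp_type: Optional[int] = None
    tcp_flags: int = 0
    sport: int = 0
    dport: int = 0
    ip_data_len: int = 0               # payload bytes in this fragment

# signature id -> (system message number, title, signature type)
SIGNATURES: Dict[int, Tuple[int, str, str]] = {
    1100: (400007, "IP Fragment Attack", "attack"),
    1102: (400008, "IP Impossible Packet", "attack"),
    2004: (400014, "ICMP Echo Request", "info"),
    2150: (400023, "Fragmented ICMP Traffic", "attack"),
    2151: (400024, "Large ICMP Traffic", "attack"),
    2154: (400025, "Ping of Death Attack", "attack"),
    3040: (400026, "TCP NULL flags", "attack"),
    3041: (400027, "TCP SYN+FIN flags", "attack"),
    3042: (400028, "TCP FIN only flags", "attack"),
    4051: (400032, "UDP Snork attack", "attack"),
    4052: (400033, "UDP Chargen DoS attack", "attack"),
}
# ip audit attack / ip audit info default: alarm only
DEFAULT_ACTIONS = frozenset({"alarm"})

def match_signatures(p: Packet) -> List[int]:
    """Return the IDs of the signatures above that this packet triggers."""
    hits: List[int] = []
    if 0 < p.frag_offset < 5:                    # offset 1..4 is too small
        hits.append(1100)
    if p.src == p.dst:                           # Land attack
        hits.append(1102)
    if p.proto == IP_PROTO_ICMP:
        if p.icmp_type == 8:
            hits.append(2004)
        if p.more_fragments or p.frag_offset > 0:
            hits.append(2150)
        if p.ip_len > 1024:
            hits.append(2151)
        # last fragment whose end lies beyond the 65535-byte IP maximum
        if not p.more_fragments and p.frag_offset * 8 + p.ip_data_len > 65535:
            hits.append(2154)
    elif p.proto == IP_PROTO_TCP:
        if (p.tcp_flags & (TCP_SYN | TCP_FIN | TCP_ACK | TCP_RST)) == 0:
            hits.append(3040)
        if p.tcp_flags & TCP_SYN and p.tcp_flags & TCP_FIN:
            hits.append(3041)
        # FIN alone to a privileged port; with no connection table every such
        # packet is treated as orphaned (a simplification of the signature)
        if p.tcp_flags == TCP_FIN and p.dport < 1024:
            hits.append(3042)
    elif p.proto == IP_PROTO_UDP:
        if p.sport in (135, 7, 19) and p.dport == 135:
            hits.append(4051)
        if p.sport == 7 and p.dport == 19:
            hits.append(4052)
    return hits

def audit(p: Packet, policies: Dict[str, frozenset],
          disabled: frozenset = frozenset()) -> List[Tuple[int, int, frozenset]]:
    """policies maps signature type ("info"/"attack") to the action set of the
    policy assigned with ip audit interface; an empty set is 'action' with no
    keywords (take no action). disabled holds IDs turned off with
    ip audit signature <id> disable. Returns (id, message number, actions)."""
    results = []
    for sig in match_signatures(p):
        if sig in disabled:
            continue
        msg, _title, kind = SIGNATURES[sig]
        results.append((sig, msg, policies.get(kind, DEFAULT_ACTIONS)))
    return results

def verdict(results: List[Tuple[int, int, frozenset]]) -> str:
    """Collapse matched actions into what happens to the packet."""
    acts = set().union(*(a for _, _, a in results))
    if "reset" in acts:
        return "reset"                 # drop and close the connection
    if "drop" in acts:
        return "drop"
    return "pass"                      # alarm only (or no action) forwards
```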

ip-client

To allow FXOS to initiate management traffic and send it out of a Firepower 2100 ASA data interface, use the ip-client command in global configuration mode. To disable traffic initiation, use the no form of this command.

ip-client interface_name

no ip-client interface_name

Syntax Description

interface_name

Specifies the interface name through which FXOS can send management traffic.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.8(2)

We added this command.

Usage Guidelines

You can enable FXOS management traffic initiation on ASA data interfaces, which is required for SNMP traps, or NTP and DNS server access, for example. For incoming management traffic, see the fxos permit command.

In the FXOS configuration, make sure the default gateway is set to 0.0.0.0, which sets the ASA as the gateway. See the FXOS set out-of-band command.

Examples

The following allows FXOS traffic initiation through the outside interface:


ciscoasa(config)# ip-client outside

ip-comp

To enable LZS IP compression, use the ip-comp enable command in group-policy configuration mode. To disable IP compression, use the ip-comp disable command. To remove the ip-comp attribute from the running configuration, use the no form of this command.

ip-comp { enable | disable }

no ip-comp

Syntax Description

disable

Disables IP compression.

enable

Enables IP compression.

Command Default

IP compression is disabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Group-policy configuration

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The no form of this command enables inheritance of a value from another group policy. Enabling data compression might speed up data transmission rates for remote dial-in users connecting with modems.


Caution


Data compression increases the memory requirement and CPU utilization for each user session and consequently decreases the overall throughput of the ASA. For this reason, we recommend that you enable data compression only for remote users connecting with a modem. Design a group policy specific to modem users, and enable compression only for them.

If the endpoints generate IP compression traffic, you should disable IP compression to prevent improper decompression of the packets. If IP compression is enabled on a particular LAN-to-LAN tunnel, host A cannot communicate with host B when trying to pass IP compression data from one side of the tunnel to the other side.


Note


When the ip-comp command is enabled and IPsec fragmentation is configured for “before-encryption,” you cannot have IPsec compression (ip-comp_option and pre-encryption). The IP header sent to the crypto chip becomes obfuscated (because of the compression), causing the crypto chip to generate an error when processing the supplied outbound packet. You might also check your MTU level to ensure that it is a small amount (such as 600 bytes).

Examples

The following example shows how to enable IP compression for the group policy named “FirstGroup”:


ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# ip-comp enable

ip local pool

To configure IP address pools, use the ip local pool command in global configuration mode. To delete the address pool, use the no form of this command.

ip local pool poolname first-address-last-address [ mask mask ]

no ip local pool poolname

Syntax Description

first-address

Specifies the starting address in the range of IP addresses.

last-address

Specifies the final address in the range of IP addresses.

mask mask

(Optional) Specifies a subnet mask for the pool of addresses. You cannot use a 255.255.255.254 (/31) or 255.255.255.255 (/32) subnet mask.

poolname

Specifies the name of the IP address pool.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.0(1)

Support for using an IP local pool as the cluster pool in the ip address command, for ASA clustering, was added.

Usage Guidelines

You must supply the mask value when the IP addresses assigned to VPN clients belong to a non-standard network and the data could be routed incorrectly if you use the default mask. A typical example is when the IP local pool contains 10.10.10.0/255.255.255.0 addresses, since this is a Class A network by default. This could cause some routing issues when the VPN client needs to access different subnets within the 10 network over different interfaces. For example, if a printer with address 10.10.100.1/255.255.255.0 is available via interface 2, but the 10.10.10.0 network is available over the VPN tunnel and therefore interface 1, the VPN client would be confused as to where to route data destined for the printer. Both the 10.10.10.0 and 10.10.100.0 subnets fall under the 10.0.0.0 Class A network, so the printer data may be sent over the VPN tunnel.

Examples

The following example configures an IP address pool named firstpool. The starting address is 10.20.30.40 and the ending address is 10.20.30.50. The network mask is 255.255.255.0.


ciscoasa(config)# ip local pool firstpool 10.20.30.40-10.20.30.50 mask 255.255.255.0

ip unnumbered

To borrow or inherit an IP address from an interface (for example, a loopback interface), use the ip unnumbered command in interface configuration mode. To stop inheriting an IP address from an interface, use the no form of this command.

ip unnumbered interface-name

no ip unnumbered

Syntax Description

interface-name

Specifies the name of the interface from which to inherit the IP address.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Interface Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.19(1)

This command was added.

Usage Guidelines

The ip unnumbered command is used to inherit the IP address of the selected interface as the address for the current interface.

Examples

The following example borrows the IP address from the loopback interface:

ciscoasa(config)# interface tunnel 1
ciscoasa(conf-if)# ip unnumbered loopback1

ip-phone-bypass

To enable IP Phone Bypass, use the ip-phone-bypass enable command in group-policy configuration mode. To remove the IP Phone Bypass attribute from the running configuration, use the no form of this command.

ip-phone-bypass { enable | disable }

no ip-phone-bypass

Syntax Description

disable

Disables IP Phone Bypass.

enable

Enables IP Phone Bypass.

Command Default

IP Phone Bypass is disabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Group-policy configuration

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

To disable IP Phone Bypass, use the ip-phone-bypass disable command. The no form of this command allows inheritance of a value for IP Phone Bypass from another group policy.

IP Phone Bypass lets IP phones behind hardware clients connect without undergoing user authentication processes. If enabled, secure unit authentication remains in effect.

You need to configure IP Phone Bypass only if you have enabled user authentication.

You also need to configure the mac-exempt option to exempt the clients from authentication. See the vpnclient mac-exempt command for more information.

Examples

The following example shows how to enable IP Phone Bypass for the group policy named FirstGroup:


ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# ip-phone-bypass enable

ips

To divert traffic from the ASA to the AIP SSM for inspection, use the ips command in class configuration mode. To remove this command, use the no form of this command.

ips { inline | promiscuous } { fail-close | fail-open } [ sensor { sensor_name | mapped_name } ]

no ips { inline | promiscuous } { fail-close | fail-open } [ sensor { sensor_name | mapped_name } ]

Syntax Description

fail-close

Blocks traffic if the AIP SSM fails.

fail-open

Permits traffic if the AIP SSM fails.

inline

Directs packets to the AIP SSM; the packet might be dropped as a result of IPS operation.

promiscuous

Duplicates packets for the AIP SSM; the original packet cannot be dropped by the AIP SSM.

sensor {sensor_name | mapped_name }

Sets the virtual sensor name for this traffic. If you use virtual sensors on the AIP SSM (using Version 6.0 or above), you can specify a sensor name using this argument. To see available sensor names, enter the ips ... sensor ? command. Available sensors are listed. You can also use the show ips command.

If you use multiple context mode on the ASA, you can only specify sensors that you assigned to the context (see the allocate-ips command). Use the mapped_name argument if configured in the context.

If you do not specify a sensor name, then the traffic uses the default sensor. In multiple context mode, you can specify a default sensor for the context. In single mode or if you do not specify a default sensor in multiple mode, the traffic uses the default sensor that is set on the AIP SSM.

If you enter a name that does not yet exist on the AIP SSM, you get an error, and the command is rejected.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Class configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

8.0(2)

Virtual sensor support was added.

Usage Guidelines

The ASA 5500 series supports the AIP SSM, which runs advanced IPS software that provides proactive, full-featured intrusion prevention services to stop malicious traffic, including worms and network viruses, before they can affect your network. Before or after you configure the ips command on the ASA, configure the security policy on the AIP SSM. You can either session to the AIP SSM from the ASA (the session command) or you can connect directly to the AIP SSM using SSH or Telnet on its management interface. Alternatively, you can use ASDM. For more information about configuring the AIP SSM, see Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface.

To configure the ips command, you must first configure the class-map command, policy-map command, and the class command.

The AIP SSM runs a separate application from the ASA. It is, however, integrated into the ASA traffic flow. The AIP SSM does not contain any external interfaces itself, other than a management interface. When you apply the ips command for a class of traffic on the ASA, traffic flows through the ASA and the AIP SSM in the following way:

  1. Traffic enters the ASA.

  2. Firewall policies are applied.

  3. Traffic is sent to the AIP SSM over the backplane (using the inline keyword; see the promiscuous keyword for information about sending only a copy of the traffic to the AIP SSM).

  4. The AIP SSM applies its security policy to the traffic, and takes appropriate actions.

  5. Valid traffic is sent back to the ASA over the backplane; the AIP SSM might block some traffic according to its security policy, and that traffic is not passed on.

  6. VPN policies are applied (if configured).

  7. Traffic exits the ASA.

Examples

The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic if the AIP SSM card fails for any reason:


ciscoasa(config)# access-list IPS permit ip any any
ciscoasa(config)# class-map my-ips-class
ciscoasa(config-cmap)# match access-list IPS
ciscoasa(config-cmap)# policy-map my-ips-policy
ciscoasa(config-pmap)# class my-ips-class
ciscoasa(config-pmap-c)# ips promiscuous fail-close
ciscoasa(config-pmap-c)# service-policy my-ips-policy global

The following example diverts all IP traffic destined for the 10.1.1.0 network and the 10.2.1.0 network to the AIP SSM in inline mode, and allows all traffic through if the AIP SSM card fails for any reason. For the my-ips-class traffic, sensor1 is used; for the my-ips-class2 traffic, sensor2 is used.


ciscoasa(config)# access-list my-ips-acl permit ip any 10.1.1.0 255.255.255.0
ciscoasa(config)# access-list my-ips-acl2 permit ip any 10.2.1.0 255.255.255.0
ciscoasa(config)# class-map my-ips-class
ciscoasa(config-cmap)# match access-list my-ips-acl
ciscoasa(config)# class-map my-ips-class2
ciscoasa(config-cmap)# match access-list my-ips-acl2
ciscoasa(config-cmap)# policy-map my-ips-policy
ciscoasa(config-pmap)# class my-ips-class
ciscoasa(config-pmap-c)# ips inline fail-open sensor sensor1
ciscoasa(config-pmap)# class my-ips-class2
ciscoasa(config-pmap-c)# ips inline fail-open sensor sensor2
ciscoasa(config-pmap-c)# service-policy my-ips-policy interface outside

ipsec-udp

To enable IPsec over UDP, use the ipsec-udp enable command in group-policy configuration mode. To remove the IPsec over UDP attribute from the current group policy, use the no form of this command.

ipsec-udp { enable | disable }

no ipsec-udp

Syntax Description

disable

Disables IPsec over UDP.

enable

Enables IPsec over UDP.

Command Default

IPsec over UDP is disabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Group-policy configuration

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The no form of this command enables inheritance of a value for IPsec over UDP from another group policy.

IPsec over UDP, sometimes called IPsec through NAT, lets a Cisco VPN Client or hardware client connect via UDP to an ASA that is running NAT.

To disable IPsec over UDP, use the ipsec-udp disable command.

To use IPsec over UDP, you must also configure the ipsec-udp-port command.

The Cisco VPN Client must also be configured to use IPsec over UDP (it is configured to use it by default). The VPN 3002 requires no configuration to use IPsec over UDP.

IPsec over UDP is proprietary, applies only to remote access connections, and requires mode configuration, which means that the ASA exchanges configuration parameters with the client while negotiating SAs.

Using IPsec over UDP may slightly degrade system performance.

The ipsec-udp-port command is not supported on an ASA 5505 operating as a VPN client. The ASA 5505 in client mode can initiate IPsec sessions on UDP ports 500 and/or 4500.

Examples

The following example shows how to configure IPsec over UDP for the group policy named FirstGroup:


ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# ipsec-udp enable

ipsec-udp-port

To set a UDP port number for IPsec over UDP, use the ipsec-udp-port command in group-policy configuration mode. To disable the UDP port, use the no form of this command.

ipsec-udp-port port

no ipsec-udp-port

Syntax Description

port

Identifies the UDP port number using an integer in the range of 4001 through 49151.

Command Default

The default port is 10000.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Group-policy configuration

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The no form of this command enables inheritance of a value for the IPsec over UDP port from another group policy.

In IPsec negotiations, the ASA listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic.

You can configure multiple group policies with this feature enabled, and each group policy can use a different port number.

Examples

The following example shows how to set an IPsec UDP port to port 4025 for the group policy named FirstGroup:


ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# ipsec-udp-port 4025