Cisco Systems Asa5515K9 Users Manual _asacfg_cli

ASA 5500 to the manual 70242a1d-7de2-47db-bb39-a0524b4b647c

2015-01-05

: Cisco-Systems Cisco-Systems-Asa5515K9-Users-Manual-202749 cisco-systems-asa5515k9-users-manual-202749 cisco-systems pdf

Open the PDF directly: View PDF .
Page Count: 1994

Download
Open PDF In Browser	View PDF

Cisco ASA 5500 Series Configuration
Guide using the CLI
Software Version 8.4 and 8.6 for the ASA 5505, ASA 5510, ASA 5520, ASA
5540, ASA 5550, ASA 5580, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA
5545-X, ASA 5555-X, and ASA 5585-X
Released: January 31, 2011
Updated: October 31, 2012

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Text Part Number: N/A, Online only

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)

Cisco ASA 5500 Series Configuration Guide using the CLI
Copyright © 2011-2012 Cisco Systems, Inc. All rights reserved.

CONTENTS
About This Guide

lxv

Document Objectives
Audience

lxv

Related Documentation, page lxv

•

Conventions, page lxvi

•

Obtaining Documentation and Submitting a Service Request, page lxvii

Document Objectives
The purpose of this guide is to help you configure the ASA using the command-line interface. This guide
does not cover every feature, but describes only the most common configuration scenarios.
You can also configure and monitor the ASA by using ASDM, a web-based GUI application. ASDM
includes configuration wizards to guide you through some common configuration scenarios, and online
help for less common scenarios.
This guide applies to the Cisco ASA 5500 series . Throughout this guide, the term “ASA” applies
generically to supported models, unless specified otherwise.

Audience
This guide is for network managers who perform any of the following tasks:
•

Manage network security

•

Install and configure firewalls/ASAs

•

Configure VPNs

•

Configure intrusion detection software

Related Documentation
For more information, see Navigating the Cisco ASA 5500 Series Documentation at
http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html.

Cisco ASA 5500 Series Configuration Guide using the CLI

lxv

About This Guide

Conventions
This document uses the following conventions:
Convention

Indication

bold font

Commands and keywords and user-entered text appear in bold font.

italic font

Document titles, new or emphasized terms, and arguments for which you supply
values are in italic font.

[ ]

Elements in square brackets are optional.

{x | y | z }

Required alternative keywords are grouped in braces and separated by
vertical bars.

[x|y|z]

Optional alternative keywords are grouped in brackets and separated by
vertical bars.

string

A nonquoted set of characters. Do not use quotation marks around the string or
the string will include the quotation marks.

courier

font

Terminal sessions and information the system displays appear in courier font.

< >

Nonprinting characters such as passwords are in angle brackets.

[ ]

Default responses to system prompts are in square brackets.

!, #

An exclamation point (!) or a pound sign (#) at the beginning of a line of code
indicates a comment line.

Note

Means reader take note.

Tip

Means the following information will help you solve a problem.

Caution

Timesaver

Warning

Means reader be careful. In this situation, you might perform an action that could result in equipment
damage or loss of data.

Means the described action saves time. You can save time by performing the action described in
the paragraph.

Means reader be warned. In this situation, you might perform an action that could result in
bodily injury.

Cisco ASA 5500 Series Configuration Guide using the CLI

lxvi

About This Guide

Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as an RSS feed and set content to be
delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently
supports RSS Version 2.0.

Cisco ASA 5500 Series Configuration Guide using the CLI

lxvii

About This Guide

Cisco ASA 5500 Series Configuration Guide using the CLI

lxviii

PA R T

Getting Started with the ASA

CH A P T E R

Introduction to the Cisco ASA 5500 Series
The ASA provides advanced Stateful Firewall and VPN concentrator functionality in one device, and for
some models, an integrated Intrusion Prevention System (IPS) module or an integrated Content Security
and Control (CSC) module. The ASA includes many advanced features, such as multiple security
contexts (similar to virtualized firewalls), transparent (Layer 2) firewall or routed (Layer 3) firewall
operation, advanced inspection engines, IPsec VPN, SSL VPN, clientless SSL VPN support, and many
more features.
This chapter includes the following sections:
•

Hardware and Software Compatibility, page 1-1

•

VPN Specifications, page 1-1

•

New Features, page 1-1

•

Firewall Functional Overview, page 1-24

•

VPN Functional Overview, page 1-28

•

Security Context Overview, page 1-29

Hardware and Software Compatibility
For a complete list of supported hardware and software, see the Cisco ASA Compatibility:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

VPN Specifications
See Supported VPN Platforms, Cisco ASA 5500 Series:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html

New Features
This section includes the following topics:
•

New Features in Version 8.6(1), page 1-2

•

New Features in Version 8.4(5), page 1-4

Cisco ASA 5500 Series Configuration Guide using the CLI

1-1

Chapter 1

Introduction to the Cisco ASA 5500 Series

New Features

•

New Features in Version 8.4(4.1), page 1-6

•

New Features in Version 8.4(3), page 1-9

•

New Features in Version 8.4(2), page 1-12

•

New Features in Version 8.4(1), page 1-19

Note

New, changed, and deprecated syslog messages are listed in syslog message guide.

Note

Version 8.4(4) was removed from Cisco.com due to build issues; please upgrade to Version 8.4(4.1) or
later.

New Features in Version 8.6(1)
Released: February 28, 2012

Table 1-1 lists the new features for ASA Version 8.6(1). This ASA software version is only supported
on the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X.

Note

Version 8.6(1) includes all features in 8.4(2), plus the features listed in this table.
Features added in 8.4(3) are not included in 8.6(1) unless they are explicitly listed in thisw table.

Table 1-1

New Features forASA Version 8.6(1)

Feature

Description

Hardware Features

Support for the ASA 5512-X We introduced support for the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and
through ASA 5555-X
ASA 5555-X.
IPS Features

Support for the IPS SSP for
the ASA 5512-X through
ASA 5555-X

We introduced support for the IPS SSP software module for the ASA 5512-X, ASA 5515-X,
ASA 5525-X, ASA 5545-X, and ASA 5555-X.
We introduced or modified the following commands: session, show module, sw-module.

Remote Access Features

Clientless SSL VPN browser The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9 and Firefox 4.
support
Also available in Version 8.4(3).

Cisco ASA 5500 Series Configuration Guide using the CLI

1-2

Chapter 1

Introduction to the Cisco ASA 5500 Series
New Features

Table 1-1

New Features forASA Version 8.6(1) (continued)

Feature

Description

Compression for DTLS and
TLS

To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect
3.0 or later. Each tunneling method configures compression separately, and the preferred
configuration is to have both SSL and DTLS compression as LZS. This feature enhances
migration from legacy VPN clients.
Note

Using data compression on high speed remote access connections passing highly
compressible data requires significant processing power on the ASA. With other
activity and traffic on the ASA, the number of sessions that can be supported on the
platform is reduced.

We introduced or modified the following commands: anyconnect dtls compression [lzs |
none] and anyconnect ssl compression [deflate | lzs | none].
Also available in Version 8.4(3).
Clientless SSL VPN Session Allows you to create custom messages to alert users that their VPN session is about to end
Timeout Alerts
because of inactivity or a session timeout.
We introduced the following commands: vpn-session-timeout alert-interval,
vpn-idle-timeout alert-interval.
Also available in Version 8.4(3).
Multiple Context Mode Features

Automatic generation of a
MAC address prefix

In multiple context mode, the ASA now converts the automatic MAC address generation
configuration to use a default prefix. The ASA auto-generates the prefix based on the last two
bytes of the interface MAC address. This conversion happens automatically when you reload,
or if you reenable MAC address generation. The prefix method of generation provides many
benefits, including a better guarantee of unique MAC addresses on a segment. You can view
the auto-generated prefix by entering the show running-config mac-address command. If you
want to change the prefix, you can reconfigure the feature with a custom prefix. The legacy
method of MAC address generation is no longer available.
Note

To maintain hitless upgrade for failover pairs, the ASA does not convert the MAC
address method in an existing configuration upon a reload if failover is enabled.
However, we strongly recommend that you manually change to the prefix method of
generation. After upgrading, to use the prefix method of MAC address generation,
reenable MAC address generation to use the default prefix.

We modified the following command: mac-address auto.
AAA Features

Increased maximum LDAP
values per attribute

The maximum number of values that the ASA can receive for a single attribute was increased
from 1000 (the default) to 5000, with an allowed range of 500 to 5000. If a response message
is received that exceeds the configured limit, the ASA rejects the authentication. If the ASA
detects that a single attribute has more than 1000 values, then the ASA generates informational
syslog 109036. For more than 5000 attributes, the ASA generates error level syslog 109037.
We introduced the following command: ldap-max-value-range number (Enter this command
in aaa-server host configuration mode).
Also available in Version 8.4(3).

Cisco ASA 5500 Series Configuration Guide using the CLI

1-3

Chapter 1

Introduction to the Cisco ASA 5500 Series

New Features

Table 1-1

New Features forASA Version 8.6(1) (continued)

Feature

Description

Support for sub-range of
LDAP search results

When an LDAP search results in an attribute with a large number of values, depending on the
server configuration, it might return a sub-range of the values and expect the ASA to initiate
additional queries for the remaining value ranges. The ASA now makes multiple queries for
the remaining ranges, and combines the responses into a complete array of attribute values.
Also available in Version 8.4(3).

Troubleshooting Features

Regular expression
matching for the show asp
table classifier and show
asp table filter commands

You can now enter the show asp table classifier and show asp table filter commands with a
regular expression to filter output.
We modified the following commands: show asp table classifier match regex, show asp table
filter match regex.
Also available in Version 8.4(3).

New Features in Version 8.4(5)
Released: October 31, 2012

Table 1-2 lists the new features for ASA interim Version 8.4(5)/ASDM Version 7.0(2).
Table 1-2

New Features for ASA Version 8.4(5)/ASDM Version 7.0(2)

Feature

Description

Firewall Features

EtherType ACL support for
IS-IS traffic (transparent
firewall mode)

In transparent firewall mode, the ASA can now pass IS-IS traffic using an EtherType ACL.
We modified the following command: access-list ethertype {permit | deny} is-is.
We modified the following screen: Configuration > Device Management > Management
Access > EtherType Rules.
This feature is not available in 8.5(1), 8.6(1), or 9.0(1).

Cisco ASA 5500 Series Configuration Guide using the CLI

1-4

Chapter 1

Introduction to the Cisco ASA 5500 Series
New Features

Table 1-2

New Features for ASA Version 8.4(5)/ASDM Version 7.0(2) (continued)

Feature

Description

ARP cache additions for
non-connected subnets

The ASA ARP cache only contains entries from directly-connected subnets by default. You can
now enable the ARP cache to also include non-directly-connected subnets. We do not
recommend enabling this feature unless you know the security risks. This feature could
facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out
many ARP replies and overload the ASA ARP table with false entries.
You may want to use this feature if you use:
•

Secondary subnets.

•

Proxy ARP on adjacent routes for traffic forwarding.

We introduced the following command: arp permit-nonconnected.
We modified the following screen: Configuration > Device Management > Advanced > ARP >
ARP Static Table.
This feature is not available in 8.5(1), 8.6(1), or 9.0(1).
Increased maximum
The maximum number of connections for service policy rules was increased from 65535 to
connection limits for service 2000000.
policy rules
We modified the following commands: set connection conn-max, set connection
embryonic-conn-max, set connection per-client-embryonic-max, set connection
per-client-max.
We modified the following screen: Configuration > Firewall > Service Policy Rules >
Connection Settings.
This feature is not available in 8.5(1) or 8.6(1).
Remote Access Features

Host Scan support for low
bandwith or high latency
networks

Host Scan now contacts the ASA periodically while it compiles and sends its dynamic access
policy report to the ASA. The ASA has increased its timers to wait for Host Scan to send its
DAP report. This results in more successful VPN connections especially over high latency
networks such as dial-up or slow broadband.
This feature is not available in 8.5(1), 8.6(1), or 9.0(1).

Monitoring Features

NAT-MIB
cnatAddrBindNumberOfEnt
ries and
cnatAddrBindSessionCount
OIDs to allow polling for
Xlate count.

Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and
cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count for SNMP.

NSEL

Flow-update events have been introduced to provide periodic byte counters for flow traffic. You
can change the time interval at which flow-update events are sent to the NetFlow collector. You
can filter to which collectors flow-update records will be sent.

This data is equivalent to the show xlate count command.
This feature is not available in 8.5(1), 8.6(1), or 9.0(1).

We introduced the following command: flow-export active refresh-interval.
We modified the following command: flow-export event-type.
This feature is not available in 8.5(1), 8.6(1), or 9.0(1).

Cisco ASA 5500 Series Configuration Guide using the CLI

1-5

Chapter 1

Introduction to the Cisco ASA 5500 Series

New Features

Table 1-2

New Features for ASA Version 8.4(5)/ASDM Version 7.0(2) (continued)

Feature

Description

Hardware Features

ASA 5585-X DC power
supply support

Support was added for the ASA 5585-X DC power supply.
This feature is not available in 8.5(1), 8.6(1), or 9.0(1).

New Features in Version 8.4(4.1)
Released: June 18, 2012

Table 1-3 lists the new features for ASA Version 8.4(4.1).

Note

Version 8.4(4) was removed from Cisco.com due to build issues; please upgrade to Version 8.4(4.1) or
later.

Table 1-3

New Features for ASA Version 8.4(4.1)

Feature

Description

Certification Features

FIPS and Common Criteria
certifications

The FIPS 140-2 Non-Proprietary Security Policy was updated as part of the Level 2 FIPS 140-2
validation for the Cisco ASA 5500 series adaptive security appliances, which includes the
Cisco ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, and ASA 5585-X.
The Common Criteria Evaluation Assurance Level 4 (EAL4) was updated, which provides the
basis for a specific Target of Evaluation (TOE) of the Cisco ASA and VPN platform solutions.
This feature is not available in 8.5(1) or 8.6(1).

Remote Access Features

Clientless SSL VPN:
Enhanced quality for
rewriter engines

The clientless SSL VPN rewriter engines were significantly improved to provide better quality
and efficacy. As a result, you can expect a better end-user experience for clientless SSL VPN
users.
We did not add or modify any commands for this feature.
This feature is not available in 8.5(1) or 8.6(1).

Authentication and Encryption Features

Support for password policy, The ASA enables administrators with the necessary privileges to do the following for users in
password change, and SSH the current context: modify password policy, change passwords, and authenticate using an SSH
public key authentication
public key.
We introduced or modified the following commands: password-policy lifetime,
password-policy minimum changes, password-policy minimum-length, password-policy
minimum-lowercase, password-policy minimum-uppercase, password-policy
minimum-numeric, password-policy minimum-special, password-policy authenticate
enable, username, username attributes, clear configure username, change-password,
clear configure password-policy, show running-config password-policy.
This feature is not available in 8.5(1) or 8.6(1).

Cisco ASA 5500 Series Configuration Guide using the CLI

1-6

Chapter 1

Introduction to the Cisco ASA 5500 Series
New Features

Table 1-3

New Features for ASA Version 8.4(4.1) (continued)

Feature

Description

Support for maximum
number of management
sessions allowed and
Diffie-Hellman Key
Exchange Group 14 support
for SSH

The maximum number of simultaneous ASDM, SSH, and Telnet sessions allowed was added.
Support for Diffie-Hellman Key Exchange Group 14 for SSH was added.

Additional ephemeral
Diffie-Hellman ciphers for
SSL encryption

We introduced or modified the following commands: quota management-session, show
running-config quota management-session, show quota management-session, ssh.
This feature is not available in 8.5(1) or 8.6(1).
The ASA now supports the following ephemeral Diffie-Hellman (DHE) SSL cipher suites:
•

DHE-AES128-SHA1

•

DHE-AES256-SHA1

These cipher suites are specified in RFC 3268, Advanced Encryption Standard (AES)
Ciphersuites for Transport Layer Security (TLS).
When supported by the client, DHE is the preferred cipher because it provides Perfect Forward
Secrecy. See the following limitations:
•

DHE is not supported on SSL 3.0 connections, so make sure to also enable TLS 1.0 for the
SSL server.
!! set server version
hostname(config)# ssl server-version tlsv1 sslv3
!! set client version
hostname(config) # ssl client-version any

•

Some popular applications do not support DHE, so include at least one other SSL
encryption method to ensure that a cipher suite common to both the SSL client and server
can be used.

•

Some clients may not support DHE, including AnyConnect 2.5 and 3.0, Cisco Secure
Desktop, and Internet Explorer 9.0.

We modified the following command: ssl encryption.
This feature is not available in 8.5(1) or 8.6(1).
File System Features

Image verification

Support for SHA-512 image integrity checking was added.
We modified the following command: verify.
This feature is not available in 8.5(1) or 8.6(1).

Failover Features

Configure the connection
You can now configure the rate at which the ASA replicates connections to the standby unit
replication rate during a bulk when using Stateful Failover. By default, connections are replicated to the standby unit during
sync
a 15 second period. However, when a bulk sync occurs (for example, when you first enable
failover), 15 seconds may not be long enough to sync large numbers of connections due to a
limit on the maximum connections per second. For example, the maximum connections on the
ASA is 8 million; replicating 8 million connections in 15 seconds means creating 533 K
connections per second. However, the maximum connections allowed per second is 300 K. You
can now specify the rate of replication to be less than or equal to the maximum connections per
second, and the sync period will be adjusted until all the connections are synced.
We introduced the following command: failover replication rate rate.
This feature is not available in 8.6(1). This feature is also in 8.5(1.7).

Cisco ASA 5500 Series Configuration Guide using the CLI

1-7

Chapter 1

Introduction to the Cisco ASA 5500 Series

New Features

Table 1-3

New Features for ASA Version 8.4(4.1) (continued)

Feature

Description

Application Inspection Features

SunRPC change from
dynamic ACL to pin-hole
mechanism

Previously, Sun RPC inspection does not support outbound access lists because the inspection
engine uses dynamic access lists instead of secondary connections.
In this release, when you configure dynamic access lists on the ASA, they are supported on the
ingress direction only and the ASA drops egress traffic destined to dynamic ports. Therefore,
Sun RPC inspection implements a pinhole mechanism to support egress traffic. Sun RPC
inspection uses this pinhole mechanism to support outbound dynamic access lists.
This feature is not available in 8.5(1) or 8.6(1).

Inspection reset action
change

Previously, when the ASA dropped a packet due to an inspection engine rule, the ASA sent
only one RST to the source device of the dropped packet. This behavior could cause resource
issues.
In this release, when you configure an inspection engine to use a reset action and a packet
triggers a reset, the ASA sends a TCP reset under the following conditions:
•

The ASA sends a TCP reset to the inside host when the service resetoutbound command
is enabled. (The service resetoutbound command is disabled by default.)

•

The ASA sends a TCP reset to the outside host when the service resetinbound command
is enabled. (The service resetinbound command is disabled by default.)

For more information, see the service command in the ASA command reference.
This behavior ensures that a reset action will reset the connections on the ASA and on inside
servers; therefore countering denial of service attacks. For outside hosts, the ASA does not
send a reset by default and information is not revealed through a TCP reset.
This feature is not available in 8.5(1) or 8.6(1).
Platform Features

Improved pseudo-random
number generation

Hardware-based noise for additional entropy was added to the software-based random number
generation process. This change makes pseudo-random number generation (PRNG) more
random and more difficult for attackers to get a repeatable pattern or guess the next random
number to be used for encryption and decryption operations. Two changes were made to
improve PRNG:
•

Use the current hardware-based RNG for random data to use as one of the parameters for
software-based RNG.

•

If the hardware-based RNG is not available, use additional hardware noise sources for
software-based RNG. Depending on your model, the following hardware sensors are used:
– ASA 5505—Voltage sensors.
– ASA 5510 and 5550—Fan speed sensors.
– ASA 5520, 5540, and 5580—Temperature sensors.
– ASA 5585-X—Fan speed sensors.

We introduced the following commands: show debug menu cts [128 | 129]
This feature is not available in 8.5(1) or 8.6(1).
Module Features

Cisco ASA 5500 Series Configuration Guide using the CLI

1-8

Chapter 1

Introduction to the Cisco ASA 5500 Series
New Features

Table 1-3

New Features for ASA Version 8.4(4.1) (continued)

Feature

Description

ASA 5585-X support for the The ASA CX module lets you enforce security based on the complete context of a situation.
ASA CX SSP-10 and -20
This context includes the identity of the user (who), the application or website that the user is
trying to access (what), the origin of the access attempt (where), the time of the attempted
access (when), and the properties of the device used for the access (how). With the ASA CX
module, you can extract the full context of a flow and enforce granular policies such as
permitting access to Facebook but denying access to games on Facebook or permitting finance
employees access to a sensitive enterprise database but denying the same to other employees.
We introduced or modified the following commands: capture, cxsc, cxsc auth-proxy, debug
cxsc, hw-module module password-reset, hw-module module reload, hw-module module
reset, hw-module module shutdown, session do setup host ip, session do get-config, session
do password-reset, show asp table classify domain cxsc, show asp table classify domain
cxsc-auth-proxy, show capture, show conn, show module, show service-policy.
This feature is not available in 8.6(1).
ASA 5585-X support for
network modules

The ASA 5585-X now supports additional interfaces on network modules in slot 1. You can
install one or two of the following optional network modules:
•

ASA 4-port 10G Network Module

•

ASA 8-port 10G Network Module

•

ASA 20-port 1G Network Module

This feature is not available in 8.6(1).

New Features in Version 8.4(3)
Released: January 9, 2012

Table 1-4 lists the new features for ASA Version 8.4(3).
Table 1-4

New Features for ASA Version 8.4(3)

Feature

Description

NAT Features

Round robin PAT pool
allocation uses the same IP
address for existing hosts

When using a PAT pool with round robin allocation, if a host has an existing connection, then
subsequent connections from that host will use the same PAT IP address if ports are available.
We did not modify any commands.
This feature is not available in 8.5(1) or 8.6(1).

Flat range of PAT ports for a If available, the real source port number is used for the mapped port. However, if the real port
PAT pool
is not available, by default the mapped ports are chosen from the same range of ports as the real
port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only
a small PAT pool.
If you have a lot of traffic that uses the lower port ranges, when using a PAT pool, you can now
specify a flat range of ports to be used instead of the three unequal-sized tiers: either 1024 to
65535, or 1 to 65535.
This feature is not available in 8.5(1) or 8.6(1).

Cisco ASA 5500 Series Configuration Guide using the CLI

1-9

Chapter 1

Introduction to the Cisco ASA 5500 Series

New Features

Table 1-4

New Features for ASA Version 8.4(3) (continued)

Feature

Description

Extended PAT for a PAT pool Each PAT IP address allows up to 65535 ports. If 65535 ports do not provide enough
translations, you can now enable extended PAT for a PAT pool. Extended PAT uses 65535 ports
per service, as opposed to per IP address, by including the destination address and port in the
translation information.
This feature is not available in 8.5(1) or 8.6(1).
Configurable timeout for
PAT xlate

When a PAT xlate times out (by default after 30 seconds), and the ASA reuses the port for a
new translation, some upstream routers might reject the new connection because the previous
connection might still be open on the upstream device. The PAT xlate timeout is now
configurable, to a value between 30 seconds and 5 minutes.
This feature is not available in 8.5(1) or 8.6(1).

Automatic NAT rules to
translate a VPN peer’s local
IP address back to the peer’s
real IP address

In rare situations, you might want to use a VPN peer’s real IP address on the inside network
instead of an assigned local IP address. Normally with VPN, the peer is given an assigned local
IP address to access the inside network. However, you might want to translate the local IP
address back to the peer’s real public IP address if, for example, your inside servers and
network security is based on the peer’s real IP address.
You can enable this feature on one interface per tunnel group. Object NAT rules are
dynamically added and deleted when the VPN session is established or disconnected. You can
view the rules using the show nat command.
Because of routing issues, we do not recommend using this feature unless you know
you need this feature; contact Cisco TAC to confirm feature compatibility with your
network. See the following limitations:

Note

•

Only supports Cisco IPsec and AnyConnect Client.

•

Return traffic to the public IP addresses must be routed back to the ASA so the NAT
policy and VPN policy can be applied.

•

Does not support load-balancing (because of routing issues).

•

Does not support roaming (public IP changing).

We introduced the following command: nat-assigned-to-public-ip interface (tunnel-group
general-attributes configuration mode).
Remote Access Features

Clientless SSL VPN browser The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9 and Firefox 4.
support

Cisco ASA 5500 Series Configuration Guide using the CLI

1-10

Chapter 1

Introduction to the Cisco ASA 5500 Series
New Features

Table 1-4

New Features for ASA Version 8.4(3) (continued)

Feature

Description

Compression for DTLS and
TLS

We introduced or modified the following commands: anyconnect dtls compression [lzs |
none] and anyconnect ssl compression [deflate | lzs | none].
VPN Session Timeout Alerts Allows you to create custom messages to alert users that their VPN session is about to end
because of inactivity or a session timeout.
We introduced the following commands: vpn-session-timeout alert-interval,
vpn-idle-timeout alert-interval.
AAA Features

Increased maximum LDAP
values per attribute

Support for sub-range of
LDAP search results

Key vendor-specific
attributes (VSAs) sent in
RADIUS access request and
accounting request packets
from the ASA

Four New VSAs—Tunnel Group Name (146) and Client Type (150) are sent in RADIUS access
request packets from the ASA. Session Type (151) and Session Subtype (152) are sent in
RADIUS accounting request packets from the ASA. All four attributes are sent for all
accounting request packet types: Start, Interim-Update, and Stop. The RADIUS server (for
example, ACS and ISE) can then enforce authorization and policy attributes or use them for
accounting and billing purposes.

Troubleshooting Features

Regular expression
matching for the show asp
table classifier and show
asp table filter commands

Cisco ASA 5500 Series Configuration Guide using the CLI

1-11

Chapter 1

Introduction to the Cisco ASA 5500 Series

New Features

New Features in Version 8.4(2)
Released: June 20, 2011

Table 1-5 lists the new features for ASA Version 8.4(2).
Table 1-5

New Features for ASA Version 8.4(2)

Feature

Description

Firewall Features

Identity Firewall

Typically, a firewall is not aware of the user identities and, therefore, cannot apply security
policies based on identity.
The Identity Firewall in the ASA provides more granular access control based on users’
identities. You can configure access rules and security policies based on usernames and user
groups name rather than through source IP addresses. The ASA applies the security policies
based on an association of IP addresses to Windows Active Directory login information and
reports events based on the mapped usernames instead of network IP addresses.
The Identity Firewall integrates with Window Active Directory in conjunction with an external
Active Directory (AD) Agent that provides the actual identity mapping. The ASA uses
Windows Active Directory as the source to retrieve the current user identity information for
specific IP addresses.
In an enterprise, some users log onto the network by using other authentication mechanisms,
such as authenticating with a web portal (cut-through proxy) or by using a VPN. You can
configure the Identity Firewall to allow these types of authentication in connection with
identity-based access policies.

Identity NAT configurable
In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always
proxy ARP and route lookup used to determine the egress interface. You could not configure these settings. In 8.4(2) and
later, the default behavior for identity NAT was changed to match the behavior of other static
NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress
interface (if specified) by default. You can leave these settings as is, or you can enable or
disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.
For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command)
to 8.4(2) and later now includes the following keywords to disable proxy ARP and to use a
route lookup: no-proxy-arp and route-lookup. The unidirectional keyword that was used for
migrating to 8.3(2) and 8.4(1) is no longer used for migration. When upgrading to 8.4(2) from
8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp
and route-lookup keywords, to maintain existing functionality. The unidirectional keyword
is removed.

Cisco ASA 5500 Series Configuration Guide using the CLI

1-12

Chapter 1

Introduction to the Cisco ASA 5500 Series
New Features

Table 1-5

New Features for ASA Version 8.4(2) (continued)

Feature

Description

PAT pool and round robin
address assignment

You can now specify a pool of PAT addresses instead of a single address. You can also
optionally enable round-robin assignment of PAT addresses instead of first using all ports on a
PAT address before using the next address in the pool. These features help prevent a large
number of connections from a single PAT address from appearing to be part of a DoS attack
and makes configuration of large numbers of PAT addresses easy.
Note

IPv6 Inspection

Currently in 8.4(2), the PAT pool feature is not available as a fallback method for
dynamic NAT or PAT. You can only configure the PAT pool as the primary method for
dynamic PAT (CSCtq20634).

You can configure IPv6 inspection by configuring a service policy to selectively block IPv6
traffic based on the extension header. IPv6 packets are subjected to an early security check. The
ASA always passes hop-by-hop and destination option types of extension headers while
blocking router header and no next header.
You can enable default IPv6 inspection or customize IPv6 inspection. By defining a policy map
for IPv6 inspection you can configure the ASA to selectively drop IPv6 packets based on
following types of extension headers found anywhere in the IPv6 packet:
•

Hop-by-Hop Options

•

Routing (Type 0)

•

Fragment

•

Destination Options

•

Authentication

•

Encapsulating Security Payload

Remote Access Features

Portal Access Rules

This enhancement allows customers to configure a global clientless SSL VPN access policy to
permit or deny clientless SSL VPN sessions based on the data present in the HTTP header. If
denied, an error code is returned to the clients. This denial is performed before user
authentication and thus minimizes the use of processing resources.
Also available in Version 8.2(5).

Clientless support for
The ASA 8.4(2) clientless SSL VPN core rewriter now supports Microsoft Outlook Web App
Microsoft Outlook Web App 2010.
2010
Secure Hash Algorithm
SHA-2 Support for IPsec
IKEv2 Integrity and PRF

This release supports the Secure Hash Algorithm SHA-2 for increased cryptographic hashing
security for IPsec/IKEv2 AnyConnect Secure Mobility Client connections to the ASA. SHA-2
includes hash functions with digests of 256, 384, or 512 bits, to meet U.S. government
requirements.

Cisco ASA 5500 Series Configuration Guide using the CLI

1-13

Chapter 1

Introduction to the Cisco ASA 5500 Series

New Features

Table 1-5

New Features for ASA Version 8.4(2) (continued)

Feature

Description

Secure Hash Algorithm
SHA-2 Support for Digital
Signature over IPsec IKEv2

This release supports the use of SHA-2 compliant signature algorithms to authenticate IPsec
IKEv2 VPN connections that use digital certificates, with the hash sizes SHA-256, SHA-384,
and SHA-512.
SHA-2 digital signature for IPsec IKEv2 connections is supported with the AnyConnect Secure
Mobility Client, Version 3.0.1 or later.

Split Tunnel DNS policy for This release includes a new policy pushed down to the AnyConnect Secure Mobility Client for
AnyConnect
resolving DNS addresses over split tunnels. This policy applies to VPN connections using the
SSL or IPsec/IKEv2 protocol and instructs the AnyConnect client to resolve all DNS addresses
through the VPN tunnel. If DNS resolution fails, the address remains unresolved and the
AnyConnect client does not try to resolve the address through public DNS servers.
By default, this feature is disabled. The client sends DNS queries over the tunnel according to
the split tunnel policy: tunnel all networks, tunnel networks specified in a network list, or
exclude networks specified in a network list.
Also available in Version 8.2(5).
Mobile Posture
(formerly referred to as
AnyConnect Identification
Extensions for Mobile
Device Detection)

You can now configure the ASA to permit or deny VPN connections to mobile devices, enable
or disable mobile device access on a per group bases, and gather information about connected
mobile devices based on a mobile device’s posture data. The following mobile platforms
support this capability: AnyConnect for iPhone/iPad/iPod Versions 2.5.x and AnyConnect for
Android Version 2.4.x.
Licensing Requirements

Enforcing remote access controls and gathering posture data from mobile devices requires an
AnyConnect Mobile license and either an AnyConnect Essentials or AnyConnect Premium
license to be installed on the ASA. You receive the following functionality based on the license
you install:
•

AnyConnect Premium License Functionality
Enterprises that install the AnyConnect Premium license will be able to enforce DAP
policies, on supported mobile devices, based on these DAP attributes and any other
existing endpoint attributes. This includes allowing or denying remote access from a
mobile device.

•

AnyConnect Essentials License Functionality
Enterprises that install the AnyConnect Essentials license will be able to do the following:
– Enable or disable mobile device access on a per group basis and to configure that

feature using ASDM.
– Display information about connected mobile devices via CLI or ASDM without

having the ability to enforce DAP policies or deny or allow remote access to those
mobile devices.
Also available in Version 8.2(5).

Cisco ASA 5500 Series Configuration Guide using the CLI

1-14

Chapter 1

Introduction to the Cisco ASA 5500 Series
New Features

Table 1-5

New Features for ASA Version 8.4(2) (continued)

Feature

Description

SSL SHA-2 digital signature You can now use of SHA-2 compliant signature algorithms to authenticate SSL VPN
connections that use digital certificates. Our support for SHA-2 includes all three hash sizes:
SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5(1) or later (2.5(2) or later
recommended). This release does not support SHA-2 for other uses or products.
Caution: To support failover of SHA-2 connections, the standby ASA must be running the same
image.
Also available in Version 8.2(5).
SHA2 certificate signature
support for Microsoft
Windows 7 and
Android-native VPN clients

ASA supports SHA2 certificate signature support for Microsoft Windows 7 and Android-native
VPN clients when using the L2TP/IPsec protocol.

Enable/disable certificate
mapping to override the
group-url attribute

This feature changes the preference of a connection profile during the connection profile
selection process. By default, if the ASA matches a certificate field value specified in a
connection profile to the field value of the certificate used by the endpoint, the ASA assigns
that profile to the VPN connection. This optional feature changes the preference to a
connection profile that specifies the group URL requested by the endpoint. The new option lets
administrators rely on the group URL preference used by many older ASA software releases.

Also available in Version 8.2(5).

Also available in Version 8.2(5).
ASA 5585-X Features

Support for Dual SSPs for
SSP-40 and SSP-60

For SSP-40 and SSP-60, you can use two SSPs of the same level in the same chassis.
Mixed-level SSPs are not supported (for example, an SSP-40 with an SSP-60 is not supported).
Each SSP acts as an independent device, with separate configurations and management. You
can use the two SSPs as a failover pair if desired.
Note

When using two SSPs in the chassis, VPN is not supported; note, however, that VPN
has not been disabled.

Support for the IPS SSP-10, We introduced support for the IPS SSP-10, -20, -40, and -60 for the ASA 5585-X. You can only
-20, -40, and -60
install the IPS SSP with a matching-level SSP; for example, SSP-10 and IPS SSP-10.
Also available in Version 8.2(5).
CSC SSM Features

CSC SSM Support

For the CSC SSM, support for the following features has been added:
•

HTTPS traffic redirection: URL filtering and WRS queries for incoming HTTPS
connections.

•

Configuring global approved whitelists for incoming and outgoing SMTP and POP3
e-mail.

•

E-mail notification for product license renewals.

Monitoring Features

Smart Call-Home
Anonymous Reporting

Customers can now help to improve the ASA platform by enabling Anonymous Reporting,
which allows Cisco to securely receive minimal error and health information from the device.
Also available in Version 8.2(5).

Cisco ASA 5500 Series Configuration Guide using the CLI

1-15

Chapter 1

Introduction to the Cisco ASA 5500 Series

New Features

Table 1-5

New Features for ASA Version 8.4(2) (continued)

Feature

Description

IF-MIB ifAlias OID support The ASA now supports the ifAlias OID. When you browse the IF-MIB, the ifAlias OID will
be set to the value that has been set for the interface description.
Also available in Version 8.2(5).
Interface Features

Support for Pause Frames
You can now enable pause (XOFF) frames for flow control on 1-Gigabit Ethernet interfaces;
for Flow Control on
support was previously added for 10-Gigabit Ethernet interfaces in 8.2(2).
1-Gigabit Ethernet Interface
Also available in Version 8.2(5).
Management Features

Increased SSH security; the
SSH default username is no
longer supported

Unified Communications Features

ASA-Tandberg
Interoperability with H.323
Inspection

H.323 Inspection now supports uni-directional signaling for two-way video sessions. This
enhancement allows H.323 Inspection of one-way video conferences supported by Tandberg
video phones. Supporting uni-directional signaling allows Tandberg phones to switch video
modes (close their side of an H.263 video session and reopen the session using H.264, the
compression standard for high-definition video).
Also available in Version 8.2(5).

Routing Features

Timeout for connections
using a backup static route

When multiple static routes exist to a network with different metrics, the ASA uses the one with
the best metric at the time of connection creation. If a better route becomes available, then this
timeout lets connections be closed so a connection can be reestablished to use the better route.
The default is 0 (the connection never times out). To take advantage of this feature, change the
timeout to a new value.
Also available in Version 8.2(5).

Released: May 23, 2011

Table 1-6 lists the new features for ASA Version 8.2(5).
Table 1-6

New Features for ASA Version 8.2(5)

Feature

Description

Monitoring Features

Smart Call-Home
Anonymous Reporting

Customers can now help to improve the ASA platform by enabling Anonymous Reporting, which
allows Cisco to securely receive minimal error and health information from the device.
Also available in Version 8.4(2).

Cisco ASA 5500 Series Configuration Guide using the CLI

1-16

Chapter 1

Introduction to the Cisco ASA 5500 Series
New Features

Table 1-6

New Features for ASA Version 8.2(5) (continued)

Feature

Description

IF-MIB ifAlias OID
support

The ASA now supports the ifAlias OID. When you browse the IF-MIB, the ifAlias OID will be set
to the value that has been set for the interface description.
Also available in Version 8.4(2).

Remote Access Features

Portal Access Rules

This enhancement allows customers to configure a global clientless SSL VPN access policy to
permit or deny clientless SSL VPN sessions based on the data present in the HTTP header. If
denied, an error code is returned to the clients. This denial is performed before user authentication
and thus minimizes the use of processing resources.
Also available in Version 8.4(2).

Mobile Posture
(formerly referred to as
AnyConnect
Identification
Extensions for Mobile
Device Detection)

You can now configure the ASA to permit or deny VPN connections to mobile devices, enable or
disable mobile device access on a per-group basis, and gather information about connected mobile
devices based on the mobile device posture data. The following mobile platforms support this
capability: AnyConnect for iPhone/iPad/iPod Versions 2.5.x and AnyConnect for Android Version
2.4.x. You do not need to enable CSD to configure these attributes in ASDM.
Licensing Requirements

Enforcing remote access controls and gathering posture data from mobile devices requires an
AnyConnect Mobile license and either an AnyConnect Essentials or AnyConnect Premium license
to be installed on the ASA. You receive the following functionality based on the license you install:
•

AnyConnect Premium License Functionality
Enterprises that install the AnyConnect Premium license will be able to enforce DAP policies,
on supported mobile devices, based on these DAP attributes and any other existing endpoint
attributes. This includes allowing or denying remote access from a mobile device.

•

using ASDM.
– Display information about connected mobile devices via CLI or ASDM without having the

ability to enforce DAP policies or deny or allow remote access to those mobile devices.
Also available in Version 8.4(2).
Split Tunnel DNS policy This release includes a new policy pushed down to the AnyConnect Secure Mobility Client for
for AnyConnect
resolving DNS addresses over split tunnels. This policy applies to VPN connections using the SSL
or IPsec/IKEv2 protocol and instructs the AnyConnect client to resolve all DNS addresses through
the VPN tunnel. If DNS resolution fails, the address remains unresolved and the AnyConnect client
does not try to resolve the address through public DNS servers.
By default, this feature is disabled. The client sends DNS queries over the tunnel according to the
split tunnel policy—tunnel all networks, tunnel networks specified in a network list, or exclude
networks specified in a network list.
Also available in Version 8.4(2).

Cisco ASA 5500 Series Configuration Guide using the CLI

1-17

Chapter 1

Introduction to the Cisco ASA 5500 Series

New Features

Table 1-6

New Features for ASA Version 8.2(5) (continued)

Feature

Description

SSL SHA-2 digital
signature

You can now use of SHA-2 compliant signature algorithms to authenticate SSL VPN connections
that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256,
SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5(1) or later (2.5(2) or later
recommended). This release does not support SHA-2 for other uses or products.
Caution: To support failover of SHA-2 connections, the standby ASA must be running the same
image.
Also available in Version 8.4(2).

L2TP/IPsec support for
Android

We now support VPN connections between Android mobile devices and ASA 5500 series devices,
when using the L2TP/IPsec protocol and the native Android VPN client. Mobile devices must be
using the Android 2.1 or later operating system.
Also available in Version 8.4(1).

SHA2 certificate
signature support for
Microsoft Windows 7
and Android-native
VPN clients

ASA supports SHA2 certificate signature support for Microsoft Windows 7 and Android-native
VPN clients when using the L2TP/IPsec protocol.

Enable/disable
certificate mapping to
override the group-url
attribute

This feature changes the preference of a connection profile during the connection profile selection
process. By default, if the ASA matches a certificate field value specified in a connection profile
to the field value of the certificate used by the endpoint, the ASA assigns that profile to the VPN
connection. This optional feature changes the preference to a connection profile that specifies the
group URL requested by the endpoint. The new option lets administrators rely on the group URL
preference used by many older ASA software releases.

Also available in Version 8.4(2).

Also available in Version 8.4(2).
Interface Features

You can now enable pause (XOFF) frames for flow control on 1-Gigabit Ethernet interfaces;
Support for Pause
Frames for Flow Control support was previously added for 10-Gigabit Ethernet interfaces in 8.2(2).
on 1-Gigabit Ethernet
Also available in Version 8.4(2).
Interface
Unified Communications Features

ASA-Tandberg
Interoperability with
H.323 Inspection

H.323 Inspection now supports uni-directional signaling for two-way video sessions. This
enhancement allows H.323 Inspection of one-way video conferences supported by Tandberg video
phones. Supporting uni-directional signaling allows Tandberg phones to switch video modes (close
their side of an H.263 video session and reopen the session using H.264, the compression standard
for high-definition video).
Also available in Version 8.4(2).

Routing Features

Timeout for connections When multiple static routes exist to a network with different metrics, the ASA uses the one with
using a backup static
the best metric at the time of connection creation. If a better route becomes available, then this
route
timeout lets connections be closed so a connection can be reestablished to use the better route. The
default is 0 (the connection never times out). To take advantage of this feature, change the timeout
to a new value.
Also available in Version 8.4(2).

Cisco ASA 5500 Series Configuration Guide using the CLI

1-18

Chapter 1

Introduction to the Cisco ASA 5500 Series
New Features

New Features in Version 8.4(1)
Released: January 31, 2011

Table 1-7 lists the new features for ASA Version 8.4(1).
Table 1-7

New Features for ASA Version 8.4(1)

Feature

Description

Hardware Features

Support for the ASA 5585-X We introduced support for the ASA 5585-X with Security Services Processor (SSP)-10, -20,
-40, and -60.
Note

No Payload Encryption
hardware for export

Support was previously added in 8.2(3) and 8.2(4); the ASA 5585-X is not supported
in 8.3(x).

You can purchase the ASA 5585-X with No Payload Encryption. For export to some countries,
payload encryption cannot be enabled on the Cisco ASA 5500 series. The ASA software senses
a No Payload Encryption model, and disables the following features:
•

Unified Communications

•

VPN

L2TP/IPsec Support on
Android Platforms

We now support VPN connections between Android mobile devices and ASA 5500 series
devices, when using the L2TP/IPsec protocol and the native Android VPN client. Mobile
devices must be using the Android 2.1, or later, operating system.
Also available in Version 8.2(5).

UTF-8 Character Support
for AnyConnect Passwords

AnyConnect 3.0 used with ASA 8.4(1), supports UTF-8 characters in passwords sent using
RADIUS/MSCHAP and LDAP protocols.

IPsec VPN Connections with Internet Key Exchange Version 2 (IKEv2) is the latest key exchange protocol used to establish
IKEv2
and control Internet Protocol Security (IPsec) tunnels. The ASA now supports IPsec with
IKEv2 for the AnyConnect Secure Mobility Client, Version 3.0(1), for all client operating
systems.
On the ASA, you enable IPsec connections for users in the group policy. For the AnyConnect
client, you specify the primary protocol (IPsec or SSL) for each ASA in the server list of the
client profile.
IPsec remote access VPN using IKEv2 was added to the AnyConnect Essentials and
AnyConnect Premium licenses.
Site-to-site sessions were added to the Other VPN license (formerly IPsec VPN). The Other
VPN license is included in the Base license.
We modified the following commands: vpn-tunnel-protocol, crypto ikev2 policy, crypto
ikev2 enable, crypto ipsec ikev2, crypto dynamic-map, crypto map.

Cisco ASA 5500 Series Configuration Guide using the CLI

1-19

Chapter 1

Introduction to the Cisco ASA 5500 Series

New Features

Table 1-7

New Features for ASA Version 8.4(1) (continued)

Feature

Description

SSL SHA-2 digital signature This release supports the use of SHA-2 compliant signature algorithms to authenticate SSL
VPN connections that use digital certificates. Our support for SHA-2 includes all three hash
sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5.1 or later (2.5.2 or
later recommended). This release does not support SHA-2 for other uses or products. This
feature does not involve configuration changes.
Caution: To support failover of SHA-2 connections, the standby ASA must be running the
same image. To support this feature, we added the Signature Algorithm field to the show
crypto ca certificate command to identify the digest algorithm used when generating the
signature.
SCEP Proxy

SCEP Proxy provides the AnyConnect Secure Mobility Client with support for automated
third-party certificate enrollment. Use this feature to support AnyConnect with zero-touch,
secure deployment of device certificates to authorize endpoint connections, enforce policies
that prevent access by non-corporate assets, and track corporate assets. This feature requires
an AnyConnect Premium license and will not work with an Essentials license.
We introduced or modified the following commands: crypto ikev2 enable, scep-enrollment
enable, scep-forwarding-url, debug crypto ca scep-proxy,
secondary-username-from-certificate, secondary-pre-fill-username.

Host Scan Package Support

This feature provides the necessary support for the ASA to install or upgrade a Host Scan
package and enable or disable Host Scan. This package may either be a standalone Host Scan
package or one that ASA extracts from an AnyConnect Next Generation package.
In previous releases of AnyConnect, an endpoint’s posture was determined by Cisco Secure
Desktop (CSD). Host Scan was one of many features bundled in CSD. Unbundling Host Scan
from CSD gives AnyConnect administrators greater freedom to update and install Host Scan
separately from the other features of CSD.
We introduced the following command: csd hostscan image path.

Kerberos Constrained
Delegation (KCD)

This release implements the KCD protocol transition and constrained delegation extensions on
the ASA. KCD provides Clientless SSL VPN (also known as WebVPN) users with SSO access
to any web services protected by Kerberos. Examples of such services or applications include
Outlook Web Access (OWA), Sharepoint, and Internet Information Server (IIS).
Implementing protocol transition allows the ASA to obtain Kerberos service tickets on behalf
of remote access users without requiring them to authenticate to the KDC (through Kerberos).
Instead, a user authenticates to ASA using any of the supported authentication mechanisms,
including digital certificates and Smartcards, for Clientless SSL VPN (also known as
WebVPN). When user authentication is complete, the ASA requests and obtains an
impersonate ticket, which is a service ticket for ASA on behalf of the user. The ASA may then
use the impersonate ticket to obtain other service tickets for the remote access user.
Constrained delegation provides a way for domain administrators to limit the network
resources that a service trusted for delegation (for example, the ASA) can access. This task is
accomplished by configuring the account under which the service is running to be trusted for
delegation to a specific instance of a service running on a specific computer.
We modified the following commands: kcd-server, clear aaa, show aaa, test aaa-server
authentication.

Clientless SSL VPN browser The ASA now supports clientless SSL VPN with Apple Safari 5.
support

Cisco ASA 5500 Series Configuration Guide using the CLI

1-20

Chapter 1

Introduction to the Cisco ASA 5500 Series
New Features

Table 1-7

New Features for ASA Version 8.4(1) (continued)

Feature

Description

Clientless VPN Auto
Sign-on Enhancement

Smart tunnel now supports HTTP-based auto sign-on on Firefox as well as Internet Explorer.
Similar to when Internet Explorer is used, the administrator decides to which hosts a Firefox
browser will automatically send credentials. For some authentication methods, if may be
necessary for the administrator to specify a realm string on the ASA to match that on the web
application (in the Add Smart Tunnel Auto Sign-on Server window). You can now use
bookmarks with macro substitutions for auto sign-on with Smart tunnel as well.
The POST plug-in is now obsolete. The former POST plug-in was created so that
administrators could specify a bookmark with sign-on macros and receive a kick-off page to
load prior to posting the the POST request. The POST plug-in approach allows requests that
required the presence of cookies, and other header items, fetched ahead of time to go through.
The administrator can now specify pre-load pages when creating bookmarks to achieve the
same functionality. Same as the POST plug-in, the administrator specifies the pre-load page
URL and the URL to send the POST request to.
You can now replace the default preconfigured SSL VPN portal with your own portal. The
administrators do this by specifying a URL as an External Portal. Unlike the group-policy
home page, the External Portal supports POST requests with macro substitution (for auto
sign-on) as well as pre-load pages.
We introduced or modified the following command: smart-tunnel auto-signon.

Expanded Smart Tunnel
application support

Smart Tunnel adds support for the following applications:
•

Microsoft Outlook Exchange Server 2010 (native support).
Users can now use Smart Tunnel to connect Microsoft Office Outlook to a Microsoft
Exchange Server.

•

Microsoft Sharepoint/Office 2010.
Users can now perform remote file editing using Microsoft Office 2010 Applications and
Microsoft Sharepoint by using Smart Tunnel.

Interface Features

EtherChannel support (ASA You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
5510 and higher)
Note
You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1
on the ASA 5550, as part of an EtherChannel.
We introduced the following commands: channel-group, lacp port-priority, interface
port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance,
lacp system-priority, clear lacp counters, show lacp, show port-channel.

Cisco ASA 5500 Series Configuration Guide using the CLI

1-21

Chapter 1

Introduction to the Cisco ASA 5500 Series

New Features

Table 1-7

New Features for ASA Version 8.4(1) (continued)

Feature

Description

Bridge groups for
transparent mode

If you do not want the overhead of security contexts, or want to maximize your use of security
contexts, you can group interfaces together in a bridge group, and then configure multiple
bridge groups, one for each network. Bridge group traffic is isolated from other bridge groups.
You can configure up to 8 bridge groups in single mode or per context in multiple mode, with
4 interfaces maximum per bridge group.
Note

Although you can configure multiple bridge groups on the ASA 5505, the restriction
of 2 data interfaces in transparent mode on the ASA 5505 means you can only
effectively use 1 bridge group.

We introduced the following commands: interface bvi, bridge-group, show bridge-group.
Scalability Features

Increased contexts for the
ASA 5550, 5580, and
5585-X

For the ASA 5550 and ASA 5585-X with SSP-10, the maximum contexts was increased from
50 to 100. For the ASA 5580 and 5585-X with SSP-20 and higher, the maximum was increased
from 50 to 250.

Increased VLANs for the
ASA 5580 and 5585-X

For the ASA 5580 and 5585-X, the maximum VLANs was increased from 250 to 1024.

Additional platform support Google Chrome has been added as a supported platform for ASA Version 8.4. Both 32-bit and
64-bit platforms are supported on Windows XP, Vista, and 7 and Mac OS X Version 6.0.
Increased connections for
the ASA 5580 and 5585-X

We increased the firewall connection limits:
•

ASA 5580-20—1,000,000 to 2,000,000.

•

ASA 5580-40—2,000,000 to 4,000,000.

•

ASA 5585-X with SSP-10: 750,000 to 1,000,000.

•

ASA 5585-X with SSP-20: 1,000,000 to 2,000,000.

•

ASA 5585-X with SSP-40: 2,000,000 to 4,000,000.

•

ASA 5585-X with SSP-60: 2,000,000 to 10,000,000.

Increased AnyConnect VPN The AnyConnect VPN session limit was increased from 5,000 to 10,000.
sessions for the ASA 5580
Increased Other VPN
sessions for the ASA 5580

The other VPN session limit was increased from 5,000 to 10,000.

High Availability Features

Stateful Failover with
Dynamic Routing Protocols

Routes that are learned through dynamic routing protocols (such as OSPF and EIGRP) on the
active unit are now maintained in a Routing Information Base (RIB) table on the standby unit.
Upon a failover event, traffic on the secondary active unit now passes with minimal disruption
because routes are known.
We modified the following commands: show failover, show route, show route failover.

Unified Communication Features

Cisco ASA 5500 Series Configuration Guide using the CLI

1-22

Chapter 1

Introduction to the Cisco ASA 5500 Series
New Features

Table 1-7

New Features for ASA Version 8.4(1) (continued)

Feature

Description

UC Protocol Inspection
Enhancements

SIP Inspection and SCCP Inspection are enhanced to support new features in the Unified
Communications Solutions; such as, SCCP v2.0 support, support for GETPORT messages in
SCCP Inspection, SDP field support in INVITE messages with SIP Inspection, and QSIG
tunneling over SIP. Additionally, the Cisco Intercompany Media Engine supports Cisco RT
Lite phones and third-party video endpoints (such as, Tandberg).
We did not modify any commands.

Inspection Features

DCERPC Enhancement

DCERPC Inspection was enhanced to support inspection of RemoteCreateInstance RPC
messages.
We did not modify an commands.

Troubleshooting and Monitoring Features

SNMP traps and MIBs

Supports the following additional keywords: connection-limit-reached, entity
cpu-temperature, cpu threshold rising, entity fan-failure, entity power-supply,
ikev2 stop | start, interface-threshold, memory-threshold, nat packet-discard, warmstart.
The entPhysicalTable reports entries for sensors, fans, power supplies, and related components.
Supports the following additional MIBs: ENTITY-SENSOR-MIB,
CISCO-ENTITY-SENSOR-EXT-MIB, CISCO-ENTITY-FRU-CONTROL-MIB,
CISCO-PROCESS-MIB, CISCO-ENHANCED-MEMPOOL-MIB,
CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB, NAT-MIB, EVENT-MIB,
EXPRESSION-MIB
Supports the following additional traps: warmstart, cpmCPURisingThreshold,
mteTriggerFired, cirResourceLimitReached, natPacketDiscard,
ciscoEntSensorExtThresholdNotification.
We introduced or modified the following commands: snmp cpu threshold rising, snmp
interface threshold, snmp-server enable traps.

TCP Ping Enhancement

TCP ping allows users whose ICMP echo requests are blocked to check connectivity over TCP.
With the TCP ping enhancement you can specify a source IP address and a port and source
interface to send pings to a hostname or an IPv4 address.
We modified the following command: ping tcp.

Show Top CPU Processes

You can now monitor the processes that run on the CPU to obtain information related to the
percentage of the CPU used by any given process. You can also see information about the load
on the CPU, broken down per process, at 5 minutes, 1 minute, and 5 seconds prior to the log
time. Information is updated automatically every 5 seconds to provide real-time statistics, and
a refresh button in the pane allows a manual data refresh at any time.
We introduced the following command: show process cpu-usage sorted.

Cisco ASA 5500 Series Configuration Guide using the CLI

1-23

Chapter 1

Introduction to the Cisco ASA 5500 Series

Firewall Functional Overview

Table 1-7

New Features for ASA Version 8.4(1) (continued)

Feature

Description

General Features

Password Encryption
Visibility

You can show password encryption in a security context.
We modified the following command: show password encryption.

Firewall Functional Overview
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall
can also protect inside networks from each other, for example, by keeping a human resources network
separate from a user network. If you have network resources that need to be available to an outside user,
such as a web or FTP server, you can place these resources on a separate network behind the firewall,
called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ
only includes the public servers, an attack there only affects the servers and does not affect the other
inside networks. You can also control when inside users access outside networks (for example, access to
the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by
coordinating with an external URL filtering server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the
inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited
access to outside users. Because the ASA lets you configure many interfaces with varied security
policies, including many inside interfaces, many DMZs, and even many outside interfaces if desired,
these terms are used in a general sense only.
This section includes the following topics:
•

Security Policy Overview, page 1-24

•

Firewall Mode Overview, page 1-27

•

Stateful Inspection Overview, page 1-27

Security Policy Overview
A security policy determines which traffic is allowed to pass through the firewall to access another
network. By default, the ASA allows traffic to flow freely from an inside network (higher security level)
to an outside network (lower security level). You can apply actions to traffic to customize the security
policy. This section includes the following topics:
•

Permitting or Denying Traffic with Access Lists, page 1-25

•

Applying NAT, page 1-25

•

Protecting from IP Fragments, page 1-25

•

Using AAA for Through Traffic, page 1-25

•

Applying HTTP, HTTPS, or FTP Filtering, page 1-25

•

Applying Application Inspection, page 1-25

•

Sending Traffic to the IPS Module, page 1-26

Cisco ASA 5500 Series Configuration Guide using the CLI

1-24

Chapter 1

Introduction to the Cisco ASA 5500 Series
Firewall Functional Overview

•

Sending Traffic to the Content Security and Control Module, page 1-26

•

Applying QoS Policies, page 1-26

•

Applying Connection Limits and TCP Normalization, page 1-26

•

Enabling Threat Detection, page 1-26

•

Enabling the Botnet Traffic Filter, page 1-27

•

Configuring Cisco Unified Communications, page 1-27

Permitting or Denying Traffic with Access Lists
You can apply an access list to limit traffic from inside to outside, or allow traffic from outside to inside.
For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic.

Applying NAT
Some of the benefits of NAT include the following:
•

You can use private addresses on your inside networks. Private addresses are not routable on the
Internet.

•

NAT hides the local addresses from other networks, so attackers cannot learn the real address of a
host.

•

NAT can resolve IP routing problems by supporting overlapping IP addresses.

Protecting from IP Fragments
The ASA provides IP fragment protection. This feature performs full reassembly of all ICMP error
messages and virtual reassembly of the remaining IP fragments that are routed through the ASA.
Fragments that fail the security check are dropped and logged. Virtual reassembly cannot be disabled.

Using AAA for Through Traffic
You can require authentication and/or authorization for certain types of traffic, for example, for HTTP.
The ASA also sends accounting information to a RADIUS or TACACS+ server.

Applying HTTP, HTTPS, or FTP Filtering
Although you can use access lists to prevent outbound access to specific websites or FTP servers,
configuring and managing web usage this way is not practical because of the size and dynamic nature of
the Internet. We recommend that you use the ASA in conjunction with a separate server running one of
the following Internet filtering products:
•

Websense Enterprise

•

Secure Computing SmartFilter

Applying Application Inspection
Inspection engines are required for services that embed IP addressing information in the user data packet
or that open secondary channels on dynamically assigned ports. These protocols require the ASA to
perform a deep packet inspection.

Cisco ASA 5500 Series Configuration Guide using the CLI

1-25

Chapter 1

Introduction to the Cisco ASA 5500 Series

Firewall Functional Overview

Sending Traffic to the IPS Module
If your model supports the IPS module for intrusion prevention, then you can send traffic to the module
for inspection. The IPS module monitors and performs real-time analysis of network traffic by looking
for anomalies and misuse based on an extensive, embedded signature library. When the system detects
unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log
the incident, and send an alert to the device manager. Other legitimate connections continue to operate
independently without interruption. For more information, see the documentation for your IPS module.

Sending Traffic to the Content Security and Control Module
If your model supports it, the CSC SSM provides protection against viruses, spyware, spam, and other
unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you
configure the ASA to send to it.

Applying QoS Policies
Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a
network feature that lets you give priority to these types of traffic. QoS refers to the capability of a
network to provide better service to selected network traffic.

Applying Connection Limits and TCP Normalization
You can limit TCP and UDP connections and embryonic connections. Limiting the number of
connections and embryonic connections protects you from a DoS attack. The ASA uses the embryonic
limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding
an interface with TCP SYN packets. An embryonic connection is a connection request that has not
finished the necessary handshake between source and destination.
TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets
that do not appear normal.

Enabling Threat Detection
You can configure scanning threat detection and basic threat detection, and also how to use statistics to
analyze threats.
Basic threat detection detects activity that might be related to an attack, such as a DoS attack, and
automatically sends a system log message.
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by
scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The
scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection
that is based on traffic signatures, the ASA scanning threat detection feature maintains an extensive
database that contains host statistics that can be analyzed for scanning activity.
The host database tracks suspicious activity such as connections with no return activity, access of closed
service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
You can configure the ASA to send system log messages about an attacker or you can automatically shun
the host.

Cisco ASA 5500 Series Configuration Guide using the CLI

1-26

Chapter 1

Introduction to the Cisco ASA 5500 Series
Firewall Functional Overview

Enabling the Botnet Traffic Filter
Malware is malicious software that is installed on an unknowing host. Malware that attempts network
activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data)
can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP
address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database
of known bad domain names and IP addresses (the blacklist), and then logs any suspicious activity. When
you see syslog messages about the malware activity, you can take steps to isolate and disinfect the host.

Configuring Cisco Unified Communications
The Cisco ASA 5500 series is a strategic platform to provide proxy functions for unified
communications deployments. The purpose of a proxy is to terminate and reoriginate connections
between a client and server. The proxy delivers a range of security functions such as traffic inspection,
protocol conformance, and policy control to ensure security for the internal network. An increasingly
popular function of a proxy is to terminate encrypted connections in order to apply security policies
while maintaining confidentiality of connections.

Firewall Mode Overview
The ASA runs in two different firewall modes:
•

Routed

•

Transparent

In routed mode, the ASA is considered to be a router hop in the network.
In transparent mode, the ASA acts like a “bump in the wire,” or a “stealth firewall,” and is not considered
a router hop. The ASA connects to the same network on its inside and outside interfaces.
You might use a transparent firewall to simplify your network configuration. Transparent mode is also
useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for
traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow
multicast streams using an EtherType access list.

Stateful Inspection Overview
All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either
allowed through or dropped. A simple packet filter can check for the correct source address, destination
address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks
every packet against the filter, which can be a slow process.

Note

The TCP state bypass feature allows you to customize the packet flow. See the “TCP State Bypass”
section on page 53-3.
A stateful firewall like the ASA, however, takes into consideration the state of a packet:
•

Is this a new connection?

Cisco ASA 5500 Series Configuration Guide using the CLI

1-27

Chapter 1

Introduction to the Cisco ASA 5500 Series

VPN Functional Overview

If it is a new connection, the ASA has to check the packet against access lists and perform other
tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the
session goes through the “session management path,” and depending on the type of traffic, it might
also pass through the “control plane path.”
The session management path is responsible for the following tasks:
– Performing the access list checks
– Performing route lookups
– Allocating NAT translations (xlates)
– Establishing sessions in the “fast path”

Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are
passed on to the control plane path. Layer 7 inspection engines are required for protocols that have
two or more channels: a data channel, which uses well-known port numbers, and a control channel,
which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
•

Is this an established connection?
If the connection is already established, the ASA does not need to re-check packets; most matching
packets can go through the “fast” path in both directions. The fast path is responsible for the
following tasks:
– IP checksum verification
– Session lookup
– TCP sequence number check
– NAT translations based on existing sessions
– Layer 3 and Layer 4 header adjustments

For UDP or other connectionless protocols, the ASA creates connection state information so that it
can also use the fast path.
Data packets for protocols that require Layer 7 inspection can also go through the fast path.
Some established session packets must continue to go through the session management path or the
control plane path. Packets that go through the session management path include HTTP packets that
require inspection or content filtering. Packets that go through the control plane path include the
control packets for protocols that require Layer 7 inspection.

VPN Functional Overview
A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private
connection. This secure connection is called a tunnel. The ASA uses tunneling protocols to negotiate
security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through
the tunnel, and unencapsulate them. The ASA functions as a bidirectional tunnel endpoint: it can receive
plain packets, encapsulate them, and send them to the other end of the tunnel where they are
unencapsulated and sent to their final destination. It can also receive encapsulated packets,
unencapsulate them, and send them to their final destination. The ASA invokes various standard
protocols to accomplish these functions.
The ASA performs the following functions:
•

Establishes tunnels

•

Negotiates tunnel parameters

Cisco ASA 5500 Series Configuration Guide using the CLI

1-28

Chapter 1

Introduction to the Cisco ASA 5500 Series
Security Context Overview

•

Authenticates users

•

Assigns user addresses

•

Encrypts and decrypts data

•

Manages security keys

•

Manages data transfer across the tunnel

•

Manages data transfer inbound and outbound as a tunnel endpoint or router

The ASA invokes various standard protocols to accomplish these functions.

Security Context Overview
You can partition a single ASA into multiple virtual devices, known as security contexts. Each context
is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts
are similar to having multiple standalone devices. Many features are supported in multiple context mode,
including routing tables, firewall features, IPS, and management. Some features are not supported,
including VPN and dynamic routing protocols.
In multiple context mode, the ASA includes a configuration for each context that identifies the security
policy, interfaces, and almost all the options you can configure on a standalone device. The system
administrator adds and manages contexts by configuring them in the system configuration, which, like
a single mode configuration, is the startup configuration. The system configuration identifies basic
settings for the ASA. The system configuration does not include any network interfaces or network
settings for itself; rather, when the system needs to access network resources (such as downloading the
contexts from the server), it uses one of the contexts that is designated as the admin context.
The admin context is just like any other context, except that when a user logs into the admin context,
then that user has system administrator rights and can access the system and all other contexts.

Cisco ASA 5500 Series Configuration Guide using the CLI

1-29

Chapter 1
Security Context Overview

Cisco ASA 5500 Series Configuration Guide using the CLI

1-30

Introduction to the Cisco ASA 5500 Series

CH A P T E R

Getting Started
This chapter describes how to get started with your ASA. This chapter includes the following sections:
•

Accessing the Appliance Command-Line Interface, page 2-1

•

Configuring ASDM Access for Appliances, page 2-2

•

Starting ASDM, page 2-6

•

Factory Default Configurations, page 2-10

•

Working with the Configuration, page 2-15

•

Applying Configuration Changes to Connections, page 2-19

Accessing the Appliance Command-Line Interface
For initial configuration, access the CLI directly from the console port. Later, you can configure remote
access using Telnet or SSH according to Chapter 37, “Configuring Management Access.” If your system
is already in multiple context mode, then accessing the console port places you in the system execution
space. See Chapter 5, “Configuring Multiple Context Mode,” for more information about multiple
context mode.

Detailed Steps
Step 1

Connect a PC to the console port using the provided console cable, and connect to the console using a
terminal emulator set for 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
See the hardware guide for your ASA for more information about the console cable.

Step 2

Press the Enter key to see the following prompt:
hostname>
This prompt indicates that you are in user EXEC mode. Only basic commands are available from user
EXEC mode.

Step 3

To access privileged EXEC mode, enter the following command:
hostname> enable

The following prompt appears:
Password:

Cisco ASA 5500 Series Configuration Guide using the CLI

2-1

Chapter 2

Getting Started

Configuring ASDM Access for Appliances

All non-configuration commands are available in privileged EXEC mode. You can also enter
configuration mode from privileged EXEC mode.
Step 4

Enter the enable password at the prompt.
By default, the password is blank, and you can press the Enter key to continue. See the “Configuring
the Hostname, Domain Name, and Passwords” section on page 10-1 to change the enable password.
The prompt changes to the following:
hostname#

To exit privileged mode, enter the disable, exit, or quit command.
Step 5

To access global configuration mode, enter the following command:
hostname# configure terminal

The prompt changes to the following:
hostname(config)#

You can begin to configure the ASA from global configuration mode. To exit global configuration mode,
enter the exit, quit, or end command.

Configuring ASDM Access for Appliances
ASDM access requires some minimal configuration so you can communicate over the network with a
management interface. This section includes the following topics:
•

Accessing ASDM Using the Factory Default Configuration, page 2-2

•

Accessing ASDM Using a Non-Default Configuration (ASA 5505), page 2-3

•

Accessing ASDM Using a Non-Default Configuration (ASA 5510 and Higher), page 2-5

Accessing ASDM Using the Factory Default Configuration
With a factory default configuration (see the “Factory Default Configurations” section on page 2-10),
ASDM connectivity is preconfigured with default network settings. Connect to ASDM using the
following interface and network settings:
•

The management interface depends on your model:
– ASA 5505—The switch port to which you connect to ASDM can be any port, except for

Ethernet 0/0.
– ASA 5510 and higher—The interface to which you connect to ASDM is Management 0/0.
•

The default management address is 192.168.1.1.

•

The clients allowed to access ASDM must be on the 192.168.1.0/24 network. The default
configuration enables DHCP so your management station can be assigned an IP address in this
range. To allow other client IP addresses to access ASDM, see the “Configuring ASA Access for
ASDM, Telnet, or SSH” section on page 37-1.

To launch ASDM, see the “Starting ASDM” section on page 2-6.

Cisco ASA 5500 Series Configuration Guide using the CLI

2-2

Chapter 2

Getting Started
Configuring ASDM Access for Appliances

Note

To change to multiple context mode, see the “Enabling or Disabling Multiple Context Mode” section on
page 5-15. After changing to multiple context mode, you can access ASDM from the admin context
using the network settings above.

Accessing ASDM Using a Non-Default Configuration (ASA 5505)
If you do not have a factory default configuration, or want to change to transparent firewall mode,
perform the following steps. See also the sample configurations in the “ASA 5505 Default
Configuration” section on page 2-11.

Prerequisites
Access the CLI according to the “Accessing the Appliance Command-Line Interface” section on
page 2-1.

Detailed Steps

Command
Step 1

(Optional)
firewall transparent

Purpose
Enables transparent firewall mode. This command clears your
configuration. See the “Configuring the Firewall Mode” section
on page 4-1 for more information.

Example:
hostname(config)# firewall transparent

Step 2

Do one of the following to configure a management interface, depending on your mode:
Routed mode:
interface vlan number
ip address ip_address [mask]
nameif name
security-level level

Configures an interface in routed mode. The security-level is a
number between 1 and 100, where 100 is the most secure.

Example:
hostname(config)# interface vlan 1
hostname(config-if)# ip address
192.168.1.1 255.255.255.0
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100

Cisco ASA 5500 Series Configuration Guide using the CLI

2-3

Chapter 2

Getting Started

Configuring ASDM Access for Appliances

Command

Purpose

Transparent mode:

Configures a bridge virtual interface and assigns a management
VLAN to the bridge group. The security-level is a number
between 1 and 100, where 100 is the most secure.

interface bvi number
ip address ip_address [mask]
interface vlan number
bridge-group bvi_number
nameif name
security-level level

Example:
hostname(config)# interface bvi 1
hostname(config-if)# ip address
192.168.1.1 255.255.255.0
hostname(config)# interface vlan 1
hostname(config-if)# bridge-group 1
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100

Step 3

interface ethernet 0/n
switchport access vlan number
no shutdown

Enables the management switchport and assigns it to the
management VLAN.

Example:
hostname(config)# interface ethernet 0/1
hostname(config-if)# switchport access
vlan 1
hostname(config-if)# no shutdown

Step 4

dhcpd address ip_address-ip_address
interface_name
dhcpd enable interface_name

Example:
hostname(config)# dhcpd address
192.168.1.5-192.168.1.254 inside
hostname(config)# dhcpd enable inside

Step 5

http server enable

Enables DHCP for the management host on the management
interface network. Make sure you do not include the management
address in the range.
Note

By default, the IPS module, if installed, uses 192.168.1.2
for its internal management address, so be sure not to use
this address in the DHCP range. You can later change the
IPS module management address using the ASA if
required.

Enables the HTTP server for ASDM.

Example:
hostname(config)# http server enable

Step 6

http ip_address mask interface_name

Allows the management host to access ASDM.

Example:
hostname(config)# http 192.168.1.0
255.255.255.0 inside

Step 7

write memory

Saves the configuration.

Example:
hostname(config)# write memory

Step 8

To launch ASDM, see the “Starting ASDM”
section on page 2-6.

Cisco ASA 5500 Series Configuration Guide using the CLI

2-4

Launches ASDM.

Chapter 2

Getting Started
Configuring ASDM Access for Appliances

Examples
The following configuration converts the firewall mode to transparent mode, configures the VLAN 1
interface and assigns it to BVI 1, enables a switchport, and enables ASDM for a management host:
firewall transparent
interface bvi 1
ip address 192.168.1.1 255.255.255.0
interface vlan 1
bridge-group 1
nameif inside
security-level 100
interface ethernet 0/1
switchport access vlan 1
no shutdown
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
http server enable
http 192.168.1.0 255.255.255.0 inside

Accessing ASDM Using a Non-Default Configuration (ASA 5510 and Higher)
If you do not have a factory default configuration, or want to change the firewall or context mode,
perform the following steps.

Prerequisites
Access the CLI according to the “Accessing the Appliance Command-Line Interface” section on
page 2-1.

Detailed Steps

Command
Step 1

(Optional)
firewall transparent

Purpose
Enables transparent firewall mode. This command clears your
configuration. See the “Configuring the Firewall Mode” section
on page 4-1 for more information.

Example:
hostname(config)# firewall transparent

Step 2

interface management 0/0
ip address ip_address mask
nameif name
security-level number
no shutdown

Configures the Management 0/0 interface. The security-level is a
number between 1 and 100, where 100 is the most secure.

Example:
hostname(config)# interface management 0/0
hostname(config-if)# ip address
192.168.1.1 255.255.255.0
hostname(config-if)# nameif management
hostname(config-if)# security-level 100
hostname(config-if)# no shutdown

Cisco ASA 5500 Series Configuration Guide using the CLI

2-5

Chapter 2

Getting Started

Starting ASDM

Step 3

Command

Purpose

dhcpd address ip_address-ip_address
interface_name
dhcpd enable interface_name

Enables DHCP for the management host on the management
interface network. Make sure you do not include the Management
0/0 address in the range.

Example:
hostname(config)# dhcpd address
192.168.1.2-192.168.1.254 management
hostname(config)# dhcpd enable management

Step 4

http server enable

Enables the HTTP server for ASDM.

Example:
hostname(config)# http server enable

Step 5

http ip_address mask interface_name

Allows the management host to access ASDM.

Example:
hostname(config)# http 192.168.1.0
255.255.255.0 management

Step 6

write memory

Saves the configuration.

Example:
hostname(config)# write memory

Step 7

(Optional)
mode multiple

Example:

Sets the mode to multiple mode. When prompted, confirm that
you want to convert the existing configuration to be the admin
context. You are then prompted to reload the ASASM. See
Chapter 5, “Configuring Multiple Context Mode,” for more
information.

hostname(config)# mode multiple

Step 8

To launch ASDM, see the “Starting ASDM”
section on page 2-6.

Launches ASDM.

Examples
The following configuration converts the firewall mode to transparent mode, configures the Management
0/0 interface, and enables ASDM for a management host:
firewall transparent
interface management 0/0
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
http server enable
http 192.168.1.0 255.255.255.0 management

Starting ASDM
You can start ASDM using two methods:

Cisco ASA 5500 Series Configuration Guide using the CLI

2-6

Chapter 2

Getting Started
Starting ASDM

Note

•

ASDM-IDM Launcher (Windows only)—The Launcher is an application downloaded from the ASA
using a web browser that you can use to connect to any ASA IP address. You do not need to
re-download the launcher if you want to connect to other ASAs. The Launcher also lets you run a
virtual ASDM in Demo mode using files downloaded locally.

•

Java Web Start—For each ASA that you manage, you need to connect with a web browser and then
save or launch the Java Web Start application. You can optionally save the application to your PC;
however you need separate applications for each ASA IP address.

Within ASDM, you can choose a different ASA IP address to manage; the difference between the
Launcher and Java Web Start application functionality rests primarily in how you initially connect to the
ASA and launch ASDM.
This section describes how to connect to ASDM initially, and then launch ASDM using the Launcher or
the Java Web Start application. This section includes the following topics:

Note

•

Connecting to ASDM for the First Time, page 2-7

•

Starting ASDM from the ASDM-IDM Launcher, page 2-8

•

Starting ASDM from the Java Web Start Application, page 2-8

•

Using ASDM in Demo Mode, page 2-9

ASDM allows multiple PCs or workstations to each have one browser session open with the same ASA
software. A single ASA can support up to five concurrent ASDM sessions in single, routed mode. Only
one session per browser per PC or workstation is supported for a specified ASA. In multiple context
mode, five concurrent ASDM sessions are supported per context, up to a maximum of 32 total connections
for each ASA.

Connecting to ASDM for the First Time
To connect to ASDM for the first time to download the ASDM-IDM Launcher or Java Web Start
application, perform the following steps:
Step 1

From a supported web browser on the ASA network, enter the following URL:
https://interface_ip_address/admin

Where interface_ip_address is the management IP address of the ASA. See the “Configuring ASDM
Access for Appliances” section on page 2-2 for more information about management access.
See the ASDM release notes for your release for the requirements to run ASDM.
The ASDM launch page appears with the following buttons:

Step 2

•

Install ASDM Launcher and Run ASDM (Windows only)

•

Run ASDM

•

Run Startup Wizard

To download the Launcher:
a.

Click Install ASDM Launcher and Run ASDM.

Cisco ASA 5500 Series Configuration Guide using the CLI

2-7

Chapter 2

Getting Started

Starting ASDM

Step 3

Enter the username and password, and click OK. For a factory default configuration, leave these
fields empty. With no HTTPS authentication configured, you can gain access to ASDM with no
username and the enable password, which is blank by default. With HTTPS authentication enabled,
enter your username and associated password.

Save the installer to your PC, and then start the installer. The ASDM-IDM Launcher opens
automatically after installation is complete.

See the “Starting ASDM from the ASDM-IDM Launcher” section on page 2-8 to use the Launcher
to connect to ASDM.

To use the Java Web Start application:
a.

Click Run ASDM or Run Startup Wizard.

Save the application to your PC when prompted. You can optionally open it instead of saving it.

See the “Starting ASDM from the Java Web Start Application” section on page 2-8 to use the Java
Web Start application to connect to ASDM.

Starting ASDM from the ASDM-IDM Launcher
To start ASDM from the ASDM-IDM Launcher, perform the following steps.

Prerequisites
Download the ASDM-IDM Launcher according to the “Connecting to ASDM for the First Time” section
on page 2-7.

Detailed Steps
Step 1

Start the ASDM-IDM Launcher application.

Step 2

Enter or choose the ASA IP address or hostname to which you want to connect. To clear the list of IP
addresses, click the trash can icon next to the Device/IP Address/Name field.

Step 3

Enter your username and your password, and then click OK.
For a factory default configuration, leave these fields empty. With no HTTPS authentication configured,
you can gain access to ASDM with no username and the enable password, which is blank by default.
With HTTPS authentication enabled, enter your username and associated password.
If there is a new version of ASDM on the ASA, the ASDM Launcher automatically downloads the new
version and requests that you update the current version before starting ASDM.
The main ASDM window appears.

Starting ASDM from the Java Web Start Application
To start ASDM from the Java Web Start application, perform the following steps.

Cisco ASA 5500 Series Configuration Guide using the CLI

2-8

Chapter 2

Getting Started
Starting ASDM

Prerequisites
Download the Java Web Start application according to the “Connecting to ASDM for the First Time”
section on page 2-7.

Detailed Steps
Step 1

Start the Java Web Start application.

Step 2

Accept any certificates according to the dialog boxes that appear. The Cisco ASDM-IDM Launcher
appears.

Step 3

Enter the username and password, and click OK. For a factory default configuration, leave these fields
empty. With no HTTPS authentication configured, you can gain access to ASDM with no username and
the enable password, which is blank by default. With HTTPS authentication enabled, enter your
username and associated password.
The main ASDM window appears.

Using ASDM in Demo Mode
The ASDM Demo Mode, a separately installed application, lets you run ASDM without having a live
device available. In this mode, you can do the following:
•

Perform configuration and selected monitoring tasks via ASDM as though you were interacting with
a real device.

•

Demonstrate ASDM or ASA features using the ASDM interface.

•

Perform configuration and monitoring tasks with the CSC SSM.

•

Obtain simulated monitoring and logging data, including real-time syslog messages. The data shown
is randomly generated; however, the experience is identical to what you would see when you are
connected to a real device.

This mode has been updated to support the following features:
•

For global policies, an ASA in single, routed mode and intrusion prevention

•

For object NAT, an ASA in single, routed mode and a firewall DMZ.

•

For the Botnet Traffic Filter, an ASA in single, routed mode and security contexts.

•

Site-to-Site VPN with IPv6 (Clientless SSL VPN and IPsec VPN)

•

Promiscuous IDS (intrusion prevention)

•

Unified Communication Wizard

This mode does not support the following:
•

Saving changes made to the configuration that appear in the GUI.

•

File or disk operations.

•

Historical monitoring data.

•

Non-administrative users.

•

These features:
– File menu:

Cisco ASA 5500 Series Configuration Guide using the CLI

2-9

Chapter 2

Getting Started

Factory Default Configurations

Save Running Configuration to Flash
Save Running Configuration to TFTP Server
Save Running Configuration to Standby Unit
Save Internal Log Buffer to Flash
Clear Internal Log Buffer
– Tools menu:

Command Line Interface
Ping
File Management
Update Software
File Transfer
Upload Image from Local PC
System Reload
– Toolbar/Status bar > Save
– Configuration > Interface > Edit Interface > Renew DHCP Lease
– Configuring a standby device after failover
•

Operations that cause a rereading of the configuration, in which the GUI reverts to the original
configuration:
– Switching contexts
– Making changes in the Interface pane
– NAT pane changes
– Clock pane changes

To run ASDM in Demo Mode, perform the following steps:
Step 1

Download the ASDM Demo Mode installer, asdm-demo-version.msi, from the following location:
http://www.cisco.com/cisco/web/download/index.html.

Step 2

Double-click the installer to install the software.

Step 3

Double-click the Cisco ASDM Launcher shortcut on your desktop, or open it from the Start menu.

Step 4

Check the Run in Demo Mode check box.
The Demo Mode window appears.

Factory Default Configurations
The factory default configuration is the configuration applied by Cisco to new ASAs.
•

ASA 5505—The factory default configuration configures interfaces and NAT so that the ASA is
ready to use in your network immediately.

•

ASA 5510 and higher—The factory default configuration configures an interface for management
so you can connect to it using ASDM, with which you can then complete your configuration.

Cisco ASA 5500 Series Configuration Guide using the CLI

2-10

Chapter 2

Getting Started
Factory Default Configurations

The factory default configuration is available only for routed firewall mode and single context mode. See
Chapter 5, “Configuring Multiple Context Mode,” for more information about multiple context mode.
See Chapter 4, “Configuring the Transparent or Routed Firewall,” for more information about routed and
transparent firewall mode. For the ASA 5505, a sample transparent mode configuration is provided in
this section.

Note

In addition to the image files and the (hidden) default configuration, the following folders and files are
standard in flash memory: log/, crypto_archive/, and coredumpinfo/coredump.cfg. The date on these
files may not match the date of the image files in flash memory. These files aid in potential
troubleshooting; they do not indicate that a failure has occurred.
This section includes the following topics:
•

Restoring the Factory Default Configuration, page 2-11

•

ASA 5505 Default Configuration, page 2-11

•

ASA 5510 and Higher Default Configuration, page 2-15

Restoring the Factory Default Configuration
This section describes how to restore the factory default configuration.

Limitations
This feature is available only in routed firewall mode; transparent mode does not support IP addresses
for interfaces. In addition, this feature is available only in single context mode; an ASA with a cleared
configuration does not have any defined contexts to configure automatically using this feature.

Detailed Steps
What to Do Next
See the “Working with the Configuration” section on page 2-15 to start configuring the ASA.

ASA 5505 Default Configuration
The default configuration is available for routed mode only. This section describes the default
configuration and also provides a sample transparent mode configuration that you can copy and paste as
a starting point. This section includes the following topics:
•

ASA 5505 Routed Mode Default Configuration, page 2-11

•

ASA 5505 Transparent Mode Sample Configuration, page 2-13

ASA 5505 Routed Mode Default Configuration
The default factory configuration for the ASA 5505 configures the following:
•

Interfaces—Inside (VLAN 1) and outside (VLAN 2).

•

Switchports enabled and assigned—Ethernet 0/1 through 0/7 switch ports assigned to inside.
Ethernet 0/0 assigned to outside.

Cisco ASA 5500 Series Configuration Guide using the CLI

2-11

Chapter 2

Getting Started

Factory Default Configurations

•

IP addresses— Outside address from DHCP; inside address set manually to 192.168.1.1/24.

•

Network Address Translation (NAT)—All inside IP addresses are translated when accessing the
outside using interface PAT.

•

Traffic flow—IPv4 and IPv6 traffic allowed from inside to outside (this behavior is implicit on the
ASA). Outside users are prevented from accessing the inside.

•

DHCP server—Enabled for inside hosts, so a PC connecting to the inside interface receives an
address between 192.168.1.5 and 192.168.1.254. DNS, WINS, and domain information obtained
from the DHCP client on the outside interface is passed to the DHCP clients on the inside interface.

•

Default route—Derived from DHCP.

•

ASDM access—Inside hosts allowed.

Figure 2-1 shows the traffic flow for an ASA 5505 in routed mode.
Figure 2-1

ASA 5505 Routed Mode

Internet

Internet Gateway Router

outside interface
PAT

outside VLAN 2 (Ethernet 0/0)
(from router DHCP)

inside VLAN 1 (Ethernet 0/1-0/7)
192.168.1.1
ASDM
192.168.1.5
(from ASA DHCP)

330618

IP traffic

The configuration consists of the following commands:
interface Ethernet 0/0
switchport access vlan
no shutdown
interface Ethernet 0/1
switchport access vlan
no shutdown
interface Ethernet 0/2
switchport access vlan
no shutdown
interface Ethernet 0/3
switchport access vlan
no shutdown
interface Ethernet 0/4
switchport access vlan
no shutdown
interface Ethernet 0/5
switchport access vlan
no shutdown
interface Ethernet 0/6
switchport access vlan

Cisco ASA 5500 Series Configuration Guide using the CLI

2-12

Chapter 2

Getting Started
Factory Default Configurations

no shutdown
interface Ethernet 0/7
switchport access vlan 1
no shutdown
interface vlan2
nameif outside
no shutdown
ip address dhcp setroute
interface vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100
no shutdown
object network obj_any
subnet 0 0
nat (inside,outside) dynamic interface
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational

Note

For testing purposes, you can allow ping from inside to outside by enabling ICMP inspection. Add the
following commands to the default configuration:
policy-map global_policy
class inspection_default
inspect icmp

ASA 5505 Transparent Mode Sample Configuration
When you change the mode to transparent mode, the configuration is erased. You can copy and paste the
following sample configuration at the CLI to get started. This configuration uses the default
configuration as a starting point. Note the following areas you may need to modify:
•

IP addresses—The IP addresses configured should be changed to match the network to which you
are connecting.

•

Static routes—For some kinds of traffic, static routes are required. See the “MAC Address vs. Route
Lookups” section on page 4-4.

•

Figure 2-2 shows the traffic flow for an ASA 5505 in transparent mode.

Cisco ASA 5500 Series Configuration Guide using the CLI

2-13

Chapter 2
Factory Default Configurations

Figure 2-2

ASA 5505 Transparent Mode

Internet

Internet Gateway Router
192.168.1.3
outside VLAN 2 (Ethernet 0/0)
BVI 1 IP
192.168.1.1
inside VLAN 1 (Ethernet 0/1-0/7)
ASDM
192.168.1.5
(from ASA DHCP)

firewall transparent
interface Ethernet 0/0
switchport access vlan 2
no shutdown
interface Ethernet 0/1
switchport access vlan 1
no shutdown
interface Ethernet 0/2
switchport access vlan 1
no shutdown
interface Ethernet 0/3
switchport access vlan 1
no shutdown
interface Ethernet 0/4
switchport access vlan 1
no shutdown
interface Ethernet 0/5
switchport access vlan 1
no shutdown
interface Ethernet 0/6
switchport access vlan 1
no shutdown
interface Ethernet 0/7
switchport access vlan 1
no shutdown
interface bvi 1
ip address 192.168.1.1 255.255.255.0
interface vlan2
nameif outside
security-level 0
bridge-group 1
no shutdown
interface vlan1
nameif inside
security-level 100
bridge-group 1
no shutdown
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.5-192.168.1.254 inside

Cisco ASA 5500 Series Configuration Guide using the CLI

2-14

330619

IP traffic

Getting Started

Chapter 2

Getting Started
Working with the Configuration

dhcpd enable inside

Note

For testing purposes, you can allow ping from inside to outside by enabling ICMP inspection. Add the
following commands to the sample configuration:
policy-map global_policy
class inspection_default
inspect icmp

ASA 5510 and Higher Default Configuration
The default factory configuration for the ASA 5510 and higher configures the following:
•

Management interface—Management 0/0 (management).

•

IP address—The management address is 192.168.1.1/24.

•

DHCP server—Enabled for management hosts, so a PC connecting to the management interface
receives an address between 192.168.1.2 and 192.168.1.254.

•

ASDM access—Management hosts allowed.

The configuration consists of the following commands:
interface management 0/0
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown
asdm logging informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management

Working with the Configuration
This section describes how to work with the configuration. The ASA loads the configuration from a text
file, called the startup configuration. This file resides by default as a hidden file in internal flash memory.
You can, however, specify a different path for the startup configuration. (For more information, see
Chapter 81, “Managing Software and Configurations.”)
When you enter a command, the change is made only to the running configuration in memory. You must
manually save the running configuration to the startup configuration for your changes to remain after a
reboot.
The information in this section applies to both single and multiple security contexts, except where noted.
Additional information about contexts is in Chapter 5, “Configuring Multiple Context Mode.”
This section includes the following topics:
•

Saving Configuration Changes, page 2-16

•

Copying the Startup Configuration to the Running Configuration, page 2-17

Cisco ASA 5500 Series Configuration Guide using the CLI

2-15

Chapter 2

Getting Started

Working with the Configuration

•

Viewing the Configuration, page 2-18

•

Clearing and Removing Configuration Settings, page 2-18

•

Creating Text Configuration Files Offline, page 2-19

Saving Configuration Changes
This section describes how to save your configuration and includes the following topics:
•

Saving Configuration Changes in Single Context Mode, page 2-16

•

Saving Configuration Changes in Multiple Context Mode, page 2-16

Saving Configuration Changes in Single Context Mode
To save the running configuration to the startup configuration, enter the following command:
Command

Purpose

write memory

Saves the running configuration to the startup configuration.
Note

The copy running-config startup-config command is equivalent
to the write memory command.

Example:
hostname# write memory

Saving Configuration Changes in Multiple Context Mode
You can save each context (and system) configuration separately, or you can save all context
configurations at the same time. This section includes the following topics:
•

Saving Each Context and System Separately, page 2-16

•

Saving All Context Configurations at the Same Time, page 2-17

Saving Each Context and System Separately
To save the system or context configuration, enter the following command within the system or context:
Command

Purpose

write memory

Saves the running configuration to the startup configuration.

Example:
hostname# write memory

For multiple context mode, context startup configurations can reside on
external servers. In this case, the ASA saves the configuration back to the
server you identified in the context URL, except for an HTTP or HTTPS
URL, which do not let you save the configuration to the server.
Note

Cisco ASA 5500 Series Configuration Guide using the CLI

2-16

The copy running-config startup-config command is equivalent
to the write memory command.

Chapter 2

Getting Started
Working with the Configuration

Saving All Context Configurations at the Same Time
To save all context configurations at the same time, as well as the system configuration, enter the
following command in the system execution space:
Command

Purpose

write memory all [/noconfirm]

Saves the running configuration to the startup configuration for all contexts
and the system configuration.
If you do not enter the /noconfirm keyword, you see the following prompt:

Example:
hostname# write memory all /noconfirm

Are you sure [Y/N]:

After you enter Y, the ASA saves the system configuration and each
context. Context startup configurations can reside on external servers. In
this case, the ASA saves the configuration back to the server you identified
in the context URL, except for an HTTP or HTTPS URL, which do not let
you save the configuration to the server.
After the ASA saves each context, the following message appears:
‘Saving context ‘b’ ... ( 1/3 contexts saved ) ’

Sometimes, a context is not saved because of an error. See the following information for errors:
•

For contexts that are not saved because of low memory, the following message appears:
The context 'context a' could not be saved due to Unavailability of resources

•

For contexts that are not saved because the remote destination is unreachable, the following message
appears:
The context 'context a' could not be saved due to non-reachability of destination

•

For contexts that are not saved because the context is locked, the following message appears:
Unable to save the configuration for the following contexts as these contexts are
locked.
context ‘a’ , context ‘x’ , context ‘z’ .

A context is only locked if another user is already saving the configuration or in the process of
deleting the context.
•

For contexts that are not saved because the startup configuration is read-only (for example, on an
HTTP server), the following message report is printed at the end of all other messages:
Unable to save the configuration for the following contexts as these contexts have
read-only config-urls:
context ‘a’ , context ‘b’ , context ‘c’ .

•

For contexts that are not saved because of bad sectors in the flash memory, the following message
appears:
The context 'context a' could not be saved due to Unknown errors

Copying the Startup Configuration to the Running Configuration
Copy a new startup configuration to the running configuration using one of the following options.

Cisco ASA 5500 Series Configuration Guide using the CLI

2-17

Chapter 2

Getting Started

Working with the Configuration

Command

Purpose

copy startup-config running-config

Merges the startup configuration with the running configuration. A merge
adds any new commands from the new configuration to the running
configuration. If the configurations are the same, no changes occur. If
commands conflict or if commands affect the running of the context, then
the effect of the merge depends on the command. You might get errors, or
you might have unexpected results.

reload

Reloads the ASA, which loads the startup configuration and discards the
running configuration.

clear configure all
copy startup-config running-config

Loads the startup configuration and discards the running configuration
without requiring a reload.

Viewing the Configuration
The following commands let you view the running and startup configurations.
Command

Purpose

show running-config

Views the running configuration.

show running-config command

Views the running configuration of a specific command.

show startup-config

Views the startup configuration.

Clearing and Removing Configuration Settings
To erase settings, enter one of the following commands.
Command

Purpose

clear configure configurationcommand
[level2configurationcommand]

Clears all the configuration for a specified command. If you only want to
clear the configuration for a specific version of the command, you can
enter a value for level2configurationcommand.

Example:

For example, to clear the configuration for all aaa commands, enter the
following command:

hostname(config)# clear configure aaa

To clear the configuration for only aaa authentication commands, enter
the following command:
hostname(config)# clear configure aaa authentication
no configurationcommand
[level2configurationcommand] qualifier

Disables the specific parameters or options of a command. In this case, you
use the no command to remove the specific configuration identified by
qualifier.

Example:

For example, to remove a specific nat command, enter enough of the
command to identify it uniquely as follows:

hostname(config)# no nat (inside) 1

Cisco ASA 5500 Series Configuration Guide using the CLI

2-18

Chapter 2

Getting Started
Applying Configuration Changes to Connections

Command

Purpose

write erase

Erases the startup configuration.

Example:
hostname(config)# write erase

Erases the running configuration.

clear configure all

Note

Example:
hostname(config)# clear configure all

In multiple context mode, if you enter clear configure all from the
system configuration, you also remove all contexts and stop them
from running. The context configuration files are not erased, and
remain in their original location.

Creating Text Configuration Files Offline
This guide describes how to use the CLI to configure the ASA; when you save commands, the changes
are written to a text file. Instead of using the CLI, however, you can edit a text file directly on your PC
and paste a configuration at the configuration mode command-line prompt in its entirety, or line by line.
Alternatively, you can download a text file to the ASA internal flash memory. See Chapter 81,
“Managing Software and Configurations,” for information on downloading the configuration file to the
ASA.
In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the
following example is “hostname(config)#”:
hostname(config)# context a

In the text configuration file you are not prompted to enter commands, so the prompt is omitted as
follows:
context a

For additional information about formatting the file, see Appendix A, “Using the Command-Line
Interface.”

Applying Configuration Changes to Connections
When you make security policy changes to the configuration, all new connections use the new security
policy. Existing connections continue to use the policy that was configured at the time of the connection
establishment. To ensure that all connections use the new policy, you need to disconnect the current
connections so they can reconnect using the new policy. To disconnect connections, enter one of the
following commands:

Cisco ASA 5500 Series Configuration Guide using the CLI

2-19

Chapter 2

Getting Started

Applying Configuration Changes to Connections

Command

Purpose

clear local-host [ip_address] [all]

This command reinitializes per-client run-time states such as connection
limits and embryonic limits. As a result, this command removes any
connection that uses those limits. See the show local-host all command to
view all current connections per host.

Example:
hostname(config)# clear local-host all

With no arguments, this command clears all affected through-the-box
connections. To also clear to-the-box connections (including your current
management session), use the all keyword. To clear connections to and
from a particular IP address, use the ip_address argument.
clear conn [all] [protocol {tcp | udp}]
[address src_ip[-src_ip] [netmask mask]]
[port src_port[-src_port]] [address
dest_ip[-dest_ip] [netmask mask]] [port
dest_port[-dest_port]]

Example:
hostname(config)# clear conn all

This command terminates connections in any state. See the show conn
command to view all current connections.
With no arguments, this command clears all through-the-box connections.
To also clear to-the-box connections (including your current management
session), use the all keyword. To clear specific connections based on the
source IP address, destination IP address, port, and/or protocol, you can
specify the desired options.

clear xlate [arguments]

This command clears dynamic NAT sessions; static sessions are not
affected. As a result, it removes any connections using those NAT sessions.

Example:

With no arguments, this command clears all NAT sessions. See the
command reference for more information about the arguments available.

hostname(config)# clear xlate

Cisco ASA 5500 Series Configuration Guide using the CLI

2-20

CH A P T E R

Managing Feature Licenses
A license specifies the options that are enabled on a given ASA. This document describes how to obtain
a license activation key and how to activate it. It also describes the available licenses for each model.

Note

This chapter describes licensing for Version 8.4 and 8.6; for other versions, see the licensing
documentation that applies to your version:
http://www.cisco.com/en/US/products/ps6120/products_licensing_information_listing.html
This chapter includes the following sections:
•

Supported Feature Licenses Per Model, page 3-1

•

Information About Feature Licenses, page 3-20

•

Guidelines and Limitations, page 3-31

•

Configuring Licenses, page 3-32

•

Monitoring Licenses, page 3-38

•

Feature History for Licensing, page 3-46

Supported Feature Licenses Per Model
This section describes the licenses available for each model as well as important notes about licenses.
This section includes the following topics:
•

Licenses Per Model, page 3-1

•

License Notes, page 3-16

•

VPN License and Feature Compatibility, page 3-20

Licenses Per Model
This section lists the feature licenses available for each model:
•

ASA 5505, page 3-2

•

ASA 5510, page 3-3

•

ASA 5520, page 3-4

Cisco ASA 5500 Series Configuration Guide using the CLI

3-1

Chapter 3

Managing Feature Licenses

Supported Feature Licenses Per Model

•

ASA 5540, page 3-5

•

ASA 5550, page 3-6

•

ASA 5580, page 3-7

•

ASA 5512-X, page 3-8

•

ASA 5515-X, page 3-8

•

ASA 5525-X, page 3-9

•

ASA 5545-X, page 3-10

•

ASA 5555-X, page 3-11

•

ASA 5585-X with SSP-10, page 3-12

•

ASA 5585-X with SSP-20, page 3-13

•

ASA 5585-X with SSP-40 and -60, page 3-14

Items that are in italics are separate, optional licenses with which that you can replace the Base or
Security Plus license. You can mix and match licenses, for example, the 24 Unified Communications
license plus the Strong Encryption license; or the 500 AnyConnect Premium license plus the GTP/GPRS
license; or all four licenses together. (See Table 4-1.)
For detailed information about licenses, see the “License Notes” section on page 3-16.
ASA 5505
Table 3-1

ASA 5505 License Features

Licenses

Description (Base License in Plain Text)

Description (Security Plus Lic. in Plain Text)

Firewall Licenses

Botnet Traffic Filter

Disabled

Opt. Time-based lic: Available Disabled

Firewall Conns, Concurrent

10,000

25,000

GTP/GPRS

No support

Intercompany Media Eng.

Disabled

UC Phone Proxy Sessions

Optional license: Available

Optional license: 24

Disabled
2

Opt. Time-based lic: Available

Optional license: Available

Optional license: 24

VPN Licenses

Adv. Endpoint Assessment

Disabled

Optional license: Available

Disabled

Optional license: Available

AnyConnect for Cisco VPN Disabled
Phone

Optional license: Available

Disabled

Optional license: Available

AnyConnect Essentials

Disabled

Optional license: Available
(25 sessions)

Disabled

Optional license: Available
(25 sessions)

AnyConnect for Mobile

Disabled

Optional license: Available

Disabled

Optional license: Available

AnyConnect Premium
(sessions)

Other VPN (sessions)

Optional Permanent or
Time-based licenses:
10

25
1

Total VPN (sessions),
combined all types

up to 25

VPN Load Balancing

No support

General Licenses

Cisco ASA 5500 Series Configuration Guide using the CLI

3-2

2
25

up to 25
No support

Chapter 3

Managing Feature Licenses
Supported Feature Licenses Per Model

Table 3-1

ASA 5505 License Features (continued)

Licenses

Description (Base License in Plain Text)

Description (Security Plus Lic. in Plain Text)

Encryption

Base (DES)

Failover

No support

Opt. lic.: Strong (3DES/AES)

Active/Standby (no stateful failover)

Interfaces of all types, Max. 52
Security Contexts

120

No support

Inside Hosts, concurrent

Opt. lic.: Strong (3DES/AES)

No support

Opt. licenses:

Unlimited

103

Opt. licenses:

Unlimited

VLANs, maximum

Routed mode: 3 (2 regular and 1 restricted)
Transparent mode: 2

Routed mode: 20
Transparent mode: 3 (2 regular and 1 failover)

VLAN Trunks, maximum

No support

8 trunks

1. The total number of VPN sessions depends on your licenses. If you enable AnyConnect Essentials, then the total is the model maximum of 25. If you
enable AnyConnect Premium, then the total is the AnyConnect Premium value plus the Other VPN value, not to exceed 25 sessions.
2. In routed mode, hosts on the inside (Business and Home VLANs) count toward the limit when they communicate with the outside (Internet VLAN),
including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the
outside initiates a connection to the inside, outside hosts are not counted toward the limit; only the inside hosts count. Hosts that initiate traffic between
Business and Home are also not counted toward the limit. The interface associated with the default route is considered to be the outside Internet interface.
If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted
toward the host limit. Use the show local-host command to view host limits.
3. For a 10-user license, the max. DHCP clients is 32. For 50 users, the max. is 128. For unlimited users, the max. is 250, which is the max. for other models.

ASA 5510
Table 3-2

ASA 5510 License Features

Licenses

Description (Base License in Plain Text)

Description (Security Plus Lic. in Plain Text)

Disabled

Firewall Licenses

Botnet Traffic Filter

Optional Time-based license:
Available

Firewall Conns, Concurrent 50,000

130,000

GTP/GPRS

No support

Intercompany Media Eng.

Disabled

UC Phone Proxy Sessions

Optional license: Available

Optional licenses:
24

Disabled
2

100

Optional Time-based license:
Available

Optional license: Available

Optional licenses:
24

100

VPN Licenses

Adv. Endpoint Assessment

Disabled

Optional license: Available

Disabled

Optional license: Available

AnyConnect for Cisco VPN Disabled
Phone

Optional license: Available

Disabled

Optional license: Available

AnyConnect Essentials

Disabled

Optional license: Available
(250 sessions)

Disabled

Optional license: Available
(250 sessions)

AnyConnect for Mobile

Disabled

Optional license: Available

Disabled

Optional license: Available

Cisco ASA 5500 Series Configuration Guide using the CLI

3-3

Chapter 3

Managing Feature Licenses

Supported Feature Licenses Per Model

Table 3-2

ASA 5510 License Features (continued)

Licenses

Description (Base License in Plain Text)

Description (Security Plus Lic. in Plain Text)

AnyConnect Premium
(sessions)

Optional Perm. or Time-based lic,:
10

100

Optional Perm. or Time-based lic:

250

100

250

Optional Shared licenses: Participant or
Server. For the Server:

500-50,000 in
increments of 500

50,000-545,000 in
increments of 1000

Total VPN (sessions),
combined all types

250

Other VPN (sessions)

250

VPN Load Balancing

No support

Supported

50,000-545,000 in
increments of 1000

General Licenses

Encryption

Base (DES)

Failover

No support

Opt. lic.: Strong (3DES/AES)

Base (DES)

Opt. lic.: Strong (3DES/AES)

Active/Standby or Active/Active

Interfaces of all types, Max. 240

440

Interface Speed

All: Fast Ethernet

Ethernet 0/0 and 0/1: Gigabit Ethernet 1
Ethernet 0/2, 0/3, 0/4 (and others): Fast Eth.

Security Contexts

No support

VLANs, Maximum

100

Optional licenses:

1. Although the Ethernet 0/0 and 0/1 ports are Gigabit Ethernet, they are still identified as “Ethernet” in the software.

ASA 5520
Table 3-3

ASA 5520 License Features

Licenses

Description (Base License in Plain Text)

Firewall Licenses

Botnet Traffic Filter

Disabled

Optional Time-based license: Available

Firewall Conns, Concurrent 280,000
GTP/GPRS

Disabled

Optional license: Available

Intercompany Media Eng.

Disabled

Optional license: Available

UC Phone Proxy Sessions

Optional licenses:

100

250

VPN Licenses

Adv. Endpoint Assessment

Disabled

Optional license: Available

AnyConnect for Cisco VPN Disabled
Phone

Optional license: Available

AnyConnect Essentials

Disabled

Optional license: Available (750 sessions)

AnyConnect for Mobile

Disabled

Optional license: Available

Cisco ASA 5500 Series Configuration Guide using the CLI

3-4

500

750

1000

Chapter 3

Managing Feature Licenses
Supported Feature Licenses Per Model

Table 3-3

ASA 5520 License Features (continued)

Licenses

Description (Base License in Plain Text)

AnyConnect Premium
(sessions)

Optional Permanent or Time-based licenses:
10

100

250

500

750

Optional Shared licenses: Participant or Server. For the Server:
500-50,000 in increments of 500
Total VPN (sessions),
combined all types

750

Other VPN (sessions)

750

VPN Load Balancing

Supported

50,000-545,000 in increments of 1000

General Licenses

Encryption

Base (DES)

Optional license: Strong (3DES/AES)

Failover

Active/Standby or Active/Active

Interfaces of all types, Max. 640
Security Contexts

VLANs, Maximum

150

Optional licenses:

ASA 5540
Table 3-4

ASA 5540 License Features

Licenses

Description (Base License in Plain Text)

Firewall Licenses

Botnet Traffic Filter

Disabled

Optional Time-based license: Available

Firewall Conns, Concurrent

400,000

GTP/GPRS

Disabled

Optional license: Available

Intercompany Media Eng.

Disabled

Optional license: Available

UC Phone Proxy Sessions

Optional licenses:

100

250

500

750

1000

2500

1000

2000

VPN Licenses

Adv. Endpoint Assessment

Disabled

Optional license: Available

AnyConnect for Cisco VPN Disabled
Phone

Optional license: Available

AnyConnect Essentials

Disabled

Optional license: Available (2500 sessions)

AnyConnect for Mobile

Disabled

Optional license: Available

AnyConnect Premium
(sessions)

Optional Permanent or Time-based licenses:
10

100

250

500

750

Optional Shared licenses: Participant or Server. For the Server:
500-50,000 in increments of 500
Total VPN (sessions),
combined all types

5000

Other VPN (sessions)

5000

50,000-545,000 in increments of 1000

Cisco ASA 5500 Series Configuration Guide using the CLI

3-5

Chapter 3

Managing Feature Licenses

Supported Feature Licenses Per Model

Table 3-4

ASA 5540 License Features (continued)

Licenses

Description (Base License in Plain Text)

VPN Load Balancing

Supported

General Licenses

Encryption

Base (DES)

Optional license: Strong (3DES/AES)

Failover

Active/Standby or Active/Active

Interfaces of all types, Max. 840
Security Contexts

VLANs, Maximum

200

Optional licenses:

ASA 5550
Table 3-5

ASA 5550 License Features

Licenses

Description (Base License in Plain Text)

Firewall Licenses

Botnet Traffic Filter

Disabled

Optional Time-based license: Available

Firewall Conns, Concurrent 650,000
GTP/GPRS

Disabled

Optional license: Available

Intercompany Media Eng.

Disabled

Optional license: Available

UC Phone Proxy Sessions

Optional licenses:
24

100

250

500

750

1000

2000

3000

1000

2500

VPN Licenses

Adv. Endpoint Assessment

Disabled

Optional license: Available

AnyConnect for Cisco VPN Disabled
Phone

Optional license: Available

AnyConnect Essentials

Disabled

Optional license: Available (5000 sessions)

AnyConnect for Mobile

Disabled

Optional license: Available

AnyConnect Premium
(sessions)

Optional Permanent or Time-based licenses:
10

100

250

500

750

5000

Optional Shared licenses: Participant or Server. For the Server:
500-50,000 in increments of 500
Total VPN (sessions),
combined all types

5000

Other VPN (sessions)

5000

VPN Load Balancing

Supported

50,000-545,000 in increments of 1000

General Licenses

Encryption

Base (DES)

Optional license: Strong (3DES/AES)

Failover

Active/Standby or Active/Active

Interfaces of all types, Max. 1640

Cisco ASA 5500 Series Configuration Guide using the CLI

3-6

Chapter 3

Managing Feature Licenses
Supported Feature Licenses Per Model

Table 3-5

ASA 5550 License Features (continued)

Licenses

Description (Base License in Plain Text)

Security Contexts

VLANs, Maximum

400

Optional licenses:

100

ASA 5580
Table 3-6

ASA 5580 License Features

Licenses

Description (Base License in Plain Text)

Firewall Licenses

Botnet Traffic Filter

Disabled

Optional Time-based license: Available

Firewall Conns, Concurrent 5580-20: 2,000,000

5580-40: 4,000,000

GTP/GPRS

Disabled

Optional license: Available

Intercompany Media Eng.

Disabled

Optional license: Available

UC Phone Proxy Sessions

Optional licenses:
24

100

250

500

750

1000

2000

3000

5000

10,0001

1000

2500

5000

10,000

VPN Licenses

Adv. Endpoint Assessment

Disabled

Optional license: Available

AnyConnect for Cisco VPN Disabled
Phone

Optional license: Available

AnyConnect Essentials

Disabled

Optional license: Available (10000 sessions)

AnyConnect for Mobile

Disabled

Optional license: Available

AnyConnect Premium
(sessions)

Optional Permanent or Time-based licenses:
10

100

250

500

750

Optional Shared licenses: Participant or Server. For the Server:
500-50,000 in increments of 500
Total VPN (sessions),
combined all types

10,000

Other VPN (sessions)

10,000

VPN Load Balancing

Supported

50,000-545,000 in increments of 1000

General Licenses

Encryption

Base (DES)

Optional license: Strong (3DES/AES)

Failover

Active/Standby or Active/Active

Interfaces of all types, Max. 4176
Security Contexts

VLANs, Maximum

1024

Optional licenses:

100

250

1. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-7

Chapter 3

Managing Feature Licenses

Supported Feature Licenses Per Model

ASA 5512-X

If you have a No Payload Encryption model, then some of the features in Table 3-7 are not supported.
See the “No Payload Encryption Models” section on page 3-30 for a list of unsupported features.
Table 3-7

ASA 5512-X License Features

Licenses

Description (Base License in Plain Text)

Description (Security Plus Lic. in Plain Text)

Disabled

Firewall Licenses

Botnet Traffic Filter

Optional Time-based license:
Available

Firewall Conns, Concurrent 100,000

250,000

GTP/GPRS

No support

Disabled

Optional license: Available

Intercompany Media Eng.

Disabled

Optional license: Available

UC Phone Proxy Sessions

Optional license: Available

Optional licenses:
24

100

2
250

500

Optional licenses:
24

100

250

500

VPN Licenses

Adv. Endpoint Assessment

Disabled

Optional license: Available

Disabled

Optional license: Available

AnyConnect for Cisco VPN Disabled
Phone

Optional license: Available

Disabled

Optional license: Available

AnyConnect Essentials

Disabled

Optional license: Available
(250 sessions)

Disabled

Optional license: Available
(250 sessions)

AnyConnect for Mobile

Disabled

Optional license: Available

Disabled

Optional license: Available

AnyConnect Premium
(sessions)

Optional Perm. or Time-based lic,:
10

100

250

Optional Perm. or Time-based lic:
10

100

250

Optional Shared licenses: Participant or
Server. For the Server:

500-50,000 in
increments of 500

50,000-545,000 in
increments of 1000

Total VPN (sessions),
combined all types

250

Other VPN (sessions)

250

VPN Load Balancing

No support

Supported

50,000-545,000 in
increments of 1000

General Licenses

Encryption

Base (DES)

Failover

No support

Opt. lic.: Strong (3DES/AES)

Base (DES)

Opt. lic.: Strong (3DES/AES)

Active/Standby or Active/Active

Interfaces of all types, Max. 328

528

Security Contexts

No support

IPS Module

Disabled

VLANs, Maximum

Optional license: Available

Optional licenses:

Disabled

Optional license: Available

100

ASA 5515-X

If you have a No Payload Encryption model, then some of the features in Table 3-8 are not supported.
See the “No Payload Encryption Models” section on page 3-30 for a list of unsupported features.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-8

Chapter 3

Managing Feature Licenses
Supported Feature Licenses Per Model

Table 3-8

ASA 5515-X License Features

Licenses

Description (Base License in Plain Text)

Firewall Licenses

Botnet Traffic Filter

Disabled

Optional Time-based license: Available

Firewall Conns, Concurrent

250,000

GTP/GPRS

Disabled

Optional license: Available

Intercompany Media Eng.

Disabled

Optional license: Available

UC Phone Proxy Sessions

Optional licenses:

100

250

500

VPN Licenses

Adv. Endpoint Assessment

Disabled

Optional license: Available

AnyConnect for Cisco VPN Disabled
Phone

Optional license: Available

AnyConnect Essentials

Disabled

Optional license: Available (250 sessions)

AnyConnect for Mobile

Disabled

Optional license: Available

AnyConnect Premium
(sessions)

Optional Permanent or Time-based licenses:
10

100

250

Optional Shared licenses: Participant or Server. For the Server:
500-50,000 in increments of 500
Total VPN (sessions),
combined all types

250

Other VPN (sessions)

250

VPN Load Balancing

Supported

50,000-545,000 in increments of 1000

General Licenses

Encryption

Base (DES)

Optional license: Strong (3DES/AES)

Failover

Active/Standby or Active/Active

Interfaces of all types, Max. 528
Security Contexts

IPS Module

Disabled

VLANs, Maximum

100

Optional licenses:

Optional license: Available

ASA 5525-X

If you have a No Payload Encryption model, then some of the features in Table 3-9 are not supported.
See the “No Payload Encryption Models” section on page 3-30 for a list of unsupported features.
Table 3-9

ASA 5525-X License Features

Licenses

Description (Base License in Plain Text)

Firewall Licenses

Botnet Traffic Filter

Disabled

Firewall Conns, Concurrent

500,000

GTP/GPRS

Disabled

Optional Time-based license: Available
Optional license: Available
Cisco ASA 5500 Series Configuration Guide using the CLI

3-9

Chapter 3

Managing Feature Licenses

Supported Feature Licenses Per Model

Table 3-9

ASA 5525-X License Features (continued)

Licenses

Description (Base License in Plain Text)

Intercompany Media Eng.

Disabled

UC Phone Proxy Sessions

Optional license: Available

Optional licenses:

100

250

500

750

1000

VPN Licenses

Adv. Endpoint Assessment

Disabled

Optional license: Available

AnyConnect for Cisco VPN Disabled
Phone

Optional license: Available

AnyConnect Essentials

Disabled

Optional license: Available (750 sessions)

AnyConnect for Mobile

Disabled

Optional license: Available

AnyConnect Premium
(sessions)

Optional Permanent or Time-based licenses:
10

100

250

500

750

Optional Shared licenses: Participant or Server. For the Server:
500-50,000 in increments of 500
Total VPN (sessions),
combined all types

750

Other VPN (sessions)

750

VPN Load Balancing

Supported

50,000-545,000 in increments of 1000

General Licenses

Encryption

Base (DES)

Optional license: Strong (3DES/AES)

Failover

Active/Standby or Active/Active

Interfaces of all types, Max. 928
Security Contexts

IPS Module

Disabled

VLANs, Maximum

200

Optional licenses:

Optional license: Available

ASA 5545-X

If you have a No Payload Encryption model, then some of the features in Table 3-10 are not supported.
See the “No Payload Encryption Models” section on page 3-30 for a list of unsupported features.
Table 3-10

ASA 5545-X License Features

Licenses

Description (Base License in Plain Text)

Firewall Licenses

Botnet Traffic Filter

Disabled

Optional Time-based license: Available

Firewall Conns, Concurrent

750,000

GTP/GPRS

Disabled

Optional license: Available

Intercompany Media Eng.

Disabled

Optional license: Available

UC Phone Proxy Sessions

Optional licenses:

VPN Licenses

Adv. Endpoint Assessment

Disabled

Optional license: Available

AnyConnect for Cisco VPN Disabled
Phone

Optional license: Available

Cisco ASA 5500 Series Configuration Guide using the CLI

3-10

100

250

500

750

1000

2000

Chapter 3

Managing Feature Licenses
Supported Feature Licenses Per Model

Table 3-10

ASA 5545-X License Features (continued)

Licenses

Description (Base License in Plain Text)

AnyConnect Essentials

Disabled

Optional license: Available (2500 sessions)

AnyConnect for Mobile

Disabled

Optional license: Available

AnyConnect Premium
(sessions)

Optional Permanent or Time-based licenses:
10

100

250

500

750

1000

2500

Optional Shared licenses: Participant or Server. For the Server:
500-50,000 in increments of 500
Total VPN (sessions),
combined all types

2500

Other VPN (sessions)

2500

VPN Load Balancing

Supported

50,000-545,000 in increments of 1000

General Licenses

Encryption

Base (DES)

Optional license: Strong (3DES/AES)

Failover

Active/Standby or Active/Active

Interfaces of all types, Max. 1328
Security Contexts

IPS Module

Disabled

VLANs, Maximum

300

Optional licenses:

Optional license: Available

ASA 5555-X

If you have a No Payload Encryption model, then some of the features in Table 3-11 are not supported.
See the “No Payload Encryption Models” section on page 3-30 for a list of unsupported features.
Table 3-11

ASA 5555-X License Features

Licenses

Description (Base License in Plain Text)

Firewall Licenses

Botnet Traffic Filter

Disabled

Optional Time-based license: Available

Firewall Conns, Concurrent

1,000,000

GTP/GPRS

Disabled

Optional license: Available

Intercompany Media Eng.

Disabled

Optional license: Available

UC Phone Proxy Sessions

Optional licenses:
24

100

250

500

750

1000

2000

3000

VPN Licenses

Adv. Endpoint Assessment

Disabled

Optional license: Available

AnyConnect for Cisco VPN Disabled
Phone

Optional license: Available

AnyConnect Essentials

Disabled

Optional license: Available (5000 sessions)

AnyConnect for Mobile

Disabled

Optional license: Available

Cisco ASA 5500 Series Configuration Guide using the CLI

3-11

Chapter 3

Managing Feature Licenses

Supported Feature Licenses Per Model

Table 3-11

ASA 5555-X License Features (continued)

Licenses

Description (Base License in Plain Text)

AnyConnect Premium
(sessions)

Optional Permanent or Time-based licenses:
10

100

250

500

750

1000

2500

5000

Optional Shared licenses: Participant or Server. For the Server:
500-50,000 in increments of 500
Total VPN (sessions),
combined all types

5000

Other VPN (sessions)

5000

VPN Load Balancing

Supported

50,000-545,000 in increments of 1000

General Licenses

Encryption

Base (DES)

Optional license: Strong (3DES/AES)

Failover

Active/Standby or Active/Active

Interfaces of all types, Max. 2128
Security Contexts

IPS Module

Disabled

VLANs, Maximum

500

Optional licenses:

100

Optional license: Available

ASA 5585-X with SSP-10

If you have a No Payload Encryption model, then some of the features in Table 3-12 are not supported.
See the “No Payload Encryption Models” section on page 3-30 for a list of unsupported features.
Table 3-12

ASA 5585-X with SSP-10 License Features

Licenses

Description (Base License in Plain Text)

Description (Security Plus License in Plain Text)

Firewall Licenses

Botnet Traffic Filter

Disabled

Opt. Time-based lic: Available Disabled

Opt. Time-based lic: Available

Firewall Conns, Concurrent

1,000,000

GTP/GPRS

Disabled

Optional license: Available

Disabled

Optional license: Available

Intercompany Media Eng.

Disabled

Optional license: Available

Disabled

Optional license: Available

UC Phone Proxy Sessions

1,000,000

Optional licenses:

100

250

750

1000

2000

3000

500

Optional licenses:
24

100

250

750

1000

2000

3000

500

VPN Licenses

Adv. Endpoint Assessment

Disabled

Optional license: Available

Disabled

Optional license: Available

AnyConnect for Cisco VPN Disabled
Phone

Optional license: Available

Disabled

Optional license: Available

AnyConnect Essentials

Disabled

Optional license: Available
(5000 sessions)

Disabled

Optional license: Available
(5000 sessions)

AnyConnect for Mobile

Disabled

Optional license: Available

Disabled

Optional license: Available

Cisco ASA 5500 Series Configuration Guide using the CLI

3-12

Chapter 3

Managing Feature Licenses
Supported Feature Licenses Per Model

Table 3-12

ASA 5585-X with SSP-10 License Features (continued)

Licenses

Description (Base License in Plain Text)

Description (Security Plus License in Plain Text)

AnyConnect Premium
(sessions)

Opt. Permanent or Time-based lic.:

100

250

100

250

500

750

1000

2500

5000

500

750

1000

2500

5000

Optional Shared licenses: Participant or
Server. For the Server:

Optional Shared licenses: Participant or Server.
For the Server:

500-50,000 in increments of 500

50,000-545,000 in increments of 1000

Total VPN (sessions),
combined all types

5000

Other VPN (sessions)

5000

VPN Load Balancing

Supported

10 GE I/O

Disabled; fiber ifcs run at 1 GE

Enabled; fiber ifcs run at 10 GE

Encryption

Base (DES)

Failover

Active/Standby or Active/Active

General Licenses

Opt. lic.: Strong (3DES/AES)

Active/Standby or Active/Active

Interfaces of all types, Max. 4176
Security Contexts

4176
Optional licenses:
5

VLANs, Maximum

Opt. lic.: Strong (3DES/AES)

2
50

100

1024

Optional licenses:
5

100

1024

ASA 5585-X with SSP-20

If you have a No Payload Encryption model, then some of the features in Table 3-13 are not supported.
See the “No Payload Encryption Models” section on page 3-30 for a list of unsupported features.
Table 3-13

ASA 5585-X with SSP-20 License Features

Licenses

Description (Base License in Plain Text)

Description (Security Plus Lic. in Plain Text)

Firewall Licenses

Botnet Traffic Filter

Disabled

Opt. Time-based lic: Available Disabled

Firewall Conns, Concurrent

2,000,000

GTP/GPRS

Disabled

Optional license: Available

Disabled

Optional license: Available

Intercompany Media Eng.

Disabled

Optional license: Available

Disabled

Optional license: Available

UC Phone Proxy Sessions

2,000,000

Optional licenses:

100

750

2000

Opt. Time-based lic: Available

250
3000

500
5000

50
1000

10,000

Optional licenses:

100

750

2000

250
3000

500
5000

10,000

50
1000
1

VPN Licenses

Adv. Endpoint Assessment

Disabled

Optional license: Available

AnyConnect for Cisco VPN Disabled
Phone

Optional license: Available

Disabled

Optional license: Available

Cisco ASA 5500 Series Configuration Guide using the CLI

3-13

Chapter 3

Managing Feature Licenses

Supported Feature Licenses Per Model

Table 3-13

ASA 5585-X with SSP-20 License Features (continued)

Licenses

Description (Base License in Plain Text)

Description (Security Plus Lic. in Plain Text)

AnyConnect Essentials

Disabled

Optional license: Available
(10,000 sessions)

Disabled

Optional license: Available
(10,000 sessions)

AnyConnect for Mobile

Disabled

Optional license: Available

Disabled

Optional license: Available

AnyConnect Premium
(sessions)

Optional Permanent or
Time-based licenses:
10

100

250

500

750

100

250

500

750

1000

2500

5000

10,000

1000

2500

5000

10,000

Optional Shared licenses: Participant or
Server. For the Server:

500-50,000 in increments of 500

50,000-545,000 in increments of 1000

Total VPN (sessions),
combined all types

10,000

Other VPN (sessions)

10,000

VPN Load Balancing

Supported

10 GE I/O

Disabled; fiber ifcs run at 1 GE

Enabled; fiber ifcs run at 10 GE

Encryption

Base (DES)

Failover

Active/Standby or Active/Active

General Licenses

Opt. lic.: Strong (3DES/AES)

Active/Standby or Active/Active

Interfaces of all types, Max. 4176
Security Contexts
VLANs, Maximum

Opt. lic.: Strong (3DES/AES)

4176
Optional licenses:

250

100

1024

Optional licenses:

250

100

1024

1. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.

ASA 5585-X with SSP-40 and -60

If you have a No Payload Encryption model, then some of the features in Table 3-14 are not supported.
See the “No Payload Encryption Models” section on page 3-30 for a list of unsupported features.

Note

Table 3-14

(8.4(2) and later) For SSP-40 and SSP-60, you can use two SSPs of the same level in the same chassis.
Mixed-level SSPs are not supported (for example, an SSP-40 with an SSP-60 is not supported). Each
SSP acts as an independent device, with separate configurations and management. You can use the two
SSPs as a failover pair if desired. When using two SSPs in the chassis, VPN is not supported; note,
however, that VPN has not been disabled.

ASA 5585-X with SSP-40 and -60 License Features

Licenses

Description (Base License in Plain Text)

Firewall Licenses

Botnet Traffic Filter

Disabled

Optional Time-based license: Available

Cisco ASA 5500 Series Configuration Guide using the CLI

3-14

Chapter 3

Managing Feature Licenses
Supported Feature Licenses Per Model

Table 3-14

ASA 5585-X with SSP-40 and -60 License Features (continued)

Licenses

Description (Base License in Plain Text)

Firewall Conns, Concurrent

5585-X with SSP-40: 4,000,000

GTP/GPRS

Disabled

Optional license: Available

Intercompany Media Eng.

Disabled

Optional license: Available

UC Phone Proxy Sessions

5585-X with SSP-60: 10,000,000

Optional licenses:
24

100

250

500

750

1000

2000

3000

5000

10,0001

1000

2500

5000

10,000

VPN Licenses

Adv. Endpoint Assessment

Disabled

Optional license: Available

AnyConnect for Cisco VPN Disabled
Phone

Optional license: Available

AnyConnect Essentials

Disabled

Optional license: Available (10,000 sessions)

AnyConnect for Mobile

Disabled

Optional license: Available

AnyConnect Premium
(sessions)

Optional Permanent or Time-based licenses:
10

100

250

500

750

Optional Shared licenses: Participant or Server. For the Server:
500-50,000 in increments of 500
Total VPN (sessions),
combined all types

10,000

Other VPN (sessions)

10,000

VPN Load Balancing

Supported

50,000-545,000 in increments of 1000

General Licenses

10 GE I/O

Enabled; fiber ifcs run at 10 GE

Encryption

Base (DES)

Failover

Active/Standby or Active/Active

Optional license: Strong (3DES/AES)

Interfaces of all types, Max. 4176
Security Contexts

VLANs, Maximum

1024

Optional licenses:

100

250

1. With the 10,000-session UC license, the total combined sessions can be 10,000, but the maximum number of Phone Proxy sessions is 5000.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-15

Chapter 3

Managing Feature Licenses

Supported Feature Licenses Per Model

License Notes
Table 3-15 includes common footnotes shared by multiple tables in the “Licenses Per Model” section on
page 3-1.
Table 3-15

License Notes

License

Notes

AnyConnect Essentials

AnyConnect Essentials sessions include the following VPN types:
•

SSL VPN

•

IPsec remote access VPN using IKEv2

This license does not support browser-based (clientless) SSL VPN access or Cisco Secure
Desktop. For these features, activate an AnyConnect Premium license instead of the AnyConnect
Essentials license.
Note

With the AnyConnect Essentials license, VPN users can use a web browser to log in, and
download and start (WebLaunch) the AnyConnect client.

The AnyConnect client software offers the same set of client features, whether it is enabled by
this license or an AnyConnect Premium license.
The AnyConnect Essentials license cannot be active at the same time as the following licenses on
a given ASA: AnyConnect Premium license (all types) or the Advanced Endpoint Assessment
license. You can, however, run AnyConnect Essentials and AnyConnect Premium licenses on
different ASAs in the same network.
By default, the ASA uses the AnyConnect Essentials license, but you can disable it to use other
licenses by using the no anyconnect-essentials command or in ASDM, using the Configuration
> Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials pane.
See also the “VPN License and Feature Compatibility” section on page 3-20.
AnyConnect for Cisco
VPN Phone

In conjunction with an AnyConnect Premium license, this license enables access from hardware
IP phones that have built in AnyConnect compatibility.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-16

Chapter 3

Managing Feature Licenses
Supported Feature Licenses Per Model

Table 3-15

License Notes (continued)

License

Notes

AnyConnect for Mobile

This license provides access to the AnyConnect Client for touch-screen mobile devices running
Windows Mobile 5.0, 6.0, and 6.1. We recommend using this license if you want to support
mobile access to AnyConnect 2.3 and later versions. This license requires activation of one of the
following licenses to specify the total number of SSL VPN sessions permitted: AnyConnect
Essentials or AnyConnect Premium.
Mobile Posture Support

Enforcing remote access controls and gathering posture data from mobile devices requires an
AnyConnect Mobile license and either an AnyConnect Essentials or AnyConnect Premium
license to be installed on the ASA. Here is the functionality you receive based on the license you
install.
•

AnyConnect Premium License Functionality
– Enforce DAP policies on supported mobile devices based on DAP attributes and any

other existing endpoint attributes. This includes allowing or denying remote access from
a mobile device.
•

AnyConnect Essentials License Functionality
– Enable or disable mobile device access on a per group basis and to configure that feature

using ASDM.
– Display information about connected mobile devices via CLI or ASDM without having

the ability to enforce DAP policies or deny or allow remote access to those mobile
devices.
AnyConnect Premium

AnyConnect Premium sessions include the following VPN types:
•

SSL VPN

•

Clientless SSL VPN

•

IPsec remote access VPN using IKEv2

AnyConnect Premium
Shared

A shared license lets the ASA act as a shared license server for multiple client ASAs. The shared
license pool is large, but the maximum number of sessions used by each individual ASA cannot
exceed the maximum number listed for permanent licenses.

Botnet Traffic Filter

Requires a Strong Encryption (3DES/AES) License to download the dynamic database.

Encryption

The DES license cannot be disabled. If you have the 3DES license installed, DES is still available.
To prevent the use of DES when you want to only use strong encryption, be sure to configure any
relevant commands to use only string encryption.

Failover, Active/Active

You cannot use Active/Active failover and VPN; if you want to use VPN, use Active/Standby
failover.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-17

Chapter 3

Managing Feature Licenses

Supported Feature Licenses Per Model

Table 3-15

License Notes (continued)

License

Notes

Intercompany Media
Engine

When you enable the Intercompany Media Engine (IME) license, you can use TLS proxy sessions
up to the configured TLS proxy limit. If you also have a Unified Communications (UC) license
installed that is higher than the default TLS proxy limit, then the ASA sets the limit to be the UC
license limit plus an additional number of sessions depending on your model. You can manually
configure the TLS proxy limit using the tls-proxy maximum-sessions command or in ASDM,
using the Configuration > Firewall > Unified Communications > TLS Proxy pane. To view the
limits of your model, enter the tls-proxy maximum-sessions ? command. If you also install the
UC license, then the TLS proxy sessions available for UC are also available for IME sessions. For
example, if the configured limit is 1000 TLS proxy sessions, and you purchase a 750-session UC
license, then the first 250 IME sessions do not affect the sessions available for UC. If you need
more than 250 sessions for IME, then the remaining 750 sessions of the platform limit are used
on a first-come, first-served basis by UC and IME.
•

For a license part number ending in “K8”, TLS proxy sessions are limited to 1000.

•

For a license part number ending in “K9”, the TLS proxy limit depends on your configuration
and the platform model.

Note

K8 and K9 refer to whether the license is restricted for export: K8 is unrestricted, and K9
is restricted.

You might also use SRTP encryption sessions for your connections:
•

For a K8 license, SRTP sessions are limited to 250.

•

For a K9 license, there is no limit.

Note

Only calls that require encryption/decryption for media are counted toward the SRTP
limit; if passthrough is set for the call, even if both legs are SRTP, they do not count toward
the limit.

Interfaces of all types,
Max.

The maximum number of combined interfaces; for example, VLANs, physical, redundant, bridge
group, and EtherChannel interfaces.

IPS Module

For failover pairs, both units need an IPS module license.

Other VPN

Other VPN sessions include the following VPN types:
•

IPsec remote access VPN using IKEv1

•

IPsec site-to-site VPN using IKEv1

•

IPsec site-to-site VPN using IKEv2

This license is included in the Base license.
Total VPN (sessions),
combined all types

•

Although the maximum VPN sessions add up to more than the maximum VPN AnyConnect
and Other VPN sessions, the combined sessions should not exceed the VPN session limit. If
you exceed the maximum VPN sessions, you can overload the ASA, so be sure to size your
network appropriately.

•

If you start a clientless SSL VPN session and then start an AnyConnect client session from
the portal, 1 session is used in total. However, if you start the AnyConnect client first (from
a standalone client, for example) and then log into the clientless SSL VPN portal, then
2 sessions are used.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-18

Chapter 3

Managing Feature Licenses
Supported Feature Licenses Per Model

Table 3-15

License Notes (continued)

License

Notes

UC Phone Proxy sessions The following applications use TLS proxy sessions for their connections. Each TLS proxy session
used by these applications (and only these applications) is counted against the UC license limit:
•

Phone Proxy

•

Presence Federation Proxy

•

Encrypted Voice Inspection

Other applications that use TLS proxy sessions do not count toward the UC limit, for example,
Mobility Advantage Proxy (which does not require a license) and IME (which requires a separate
IME license).
Some UC applications might use multiple sessions for a connection. For example, if you
configure a phone with a primary and backup Cisco Unified Communications Manager, there are
2 TLS proxy connections, so 2 UC Proxy sessions are used.
You independently set the TLS proxy limit using the tls-proxy maximum-sessions command or
in ASDM, using the Configuration > Firewall > Unified Communications > TLS Proxy pane.
To view the limits of your model, enter the tls-proxy maximum-sessions ? command. When you
apply a UC license that is higher than the default TLS proxy limit, the ASA automatically sets the
TLS proxy limit to match the UC limit. The TLS proxy limit takes precedence over the UC license
limit; if you set the TLS proxy limit to be less than the UC license, then you cannot use all of the
sessions in your UC license.
Note

For license part numbers ending in “K8” (for example, licenses under 250 users), TLS
proxy sessions are limited to 1000. For license part numbers ending in “K9” (for example,
licenses 250 users or larger), the TLS proxy limit depends on the configuration, up to the
model limit. K8 and K9 refer to whether the license is restricted for export: K8 is
unrestricted, and K9 is restricted.
If you clear the configuration (using the clear configure all command, for example), then
the TLS proxy limit is set to the default for your model; if this default is lower than the
UC license limit, then you see an error message to use the tls-proxy maximum-sessions
command to raise the limit again (in ASDM, use the TLS Proxy pane). If you use failover
and enter the write standby command or in ASDM, use File > Save Running
Configuration to Standby Unit on the primary unit to force a configuration
synchronization, the clear configure all command is generated on the secondary unit
automatically, so you may see the warning message on the secondary unit. Because the
configuration synchronization restores the TLS proxy limit set on the primary unit, you
can ignore the warning.

You might also use SRTP encryption sessions for your connections:
•

For K8 licenses, SRTP sessions are limited to 250.

•

For K9 licenses, there is not limit.

Note

VPN Load Balancing

Only calls that require encryption/decryption for media are counted toward the SRTP
limit; if passthrough is set for the call, even if both legs are SRTP, they do not count toward
the limit.

VPN load balancing requires a Strong Encryption (3DES/AES) License.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-19

Chapter 3

Managing Feature Licenses

Information About Feature Licenses

VPN License and Feature Compatibility
Table 3-16 shows how the VPN licenses and features can combine.
For a detailed list of the features supported by the AnyConnect Essentials license and AnyConnect
Premium license, see AnyConnect Secure Mobility Client Features, Licenses, and OSs:
•

Version 3.0:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/feature/guide/any
connect30features.html

•

Version 2.5:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/feature/guide/any
connect25features.html

Table 3-16

VPN License and Feature Compatibility

Enable one of the following licenses:1
Supported with:

AnyConnect Essentials

AnyConnect Premium

AnyConnect for Cisco VPN Phone

Yes

AnyConnect for Mobile2

Yes

Advanced Endpoint Assessment

Yes

AnyConnect Premium Shared

Yes

Client-based SSL VPN

Yes

Browser-based (clientless) SSL VPN

Yes

IPsec VPN

Yes

VPN Load Balancing

Yes

Cisco Secure Desktop

Yes

1. You can only have one license type active, either the AnyConnect Essentials license or the AnyConnect Premium license. By
default, the ASA includes an AnyConnect Premium license for 2 sessions. If you install the AnyConnect Essentials license,
then it is used by default. See the no anyconnect-essentials command to enable the Premium license instead.
2. Mobile Posture support is different for the AnyConnect Essentials vs. the AnyConnect Premium license. See Table 3-15 on
page 3-16 for details.

Information About Feature Licenses
A license specifies the options that are enabled on a given ASA. It is represented by an activation key
that is a 160-bit (5 32-bit words or 20 bytes) value. This value encodes the serial number (an 11 character
string) and the enabled features.
This section includes the following topics:
•

Preinstalled License, page 3-21

•

Permanent License, page 3-21

•

Time-Based Licenses, page 3-21

•

Shared AnyConnect Premium Licenses, page 3-23

•

Failover Licenses (8.3(1) and Later), page 3-28

•

No Payload Encryption Models, page 3-30

Cisco ASA 5500 Series Configuration Guide using the CLI

3-20

Chapter 3

Managing Feature Licenses
Information About Feature Licenses

•

Licenses FAQ, page 3-30

Preinstalled License
By default, your ASA ships with a license already installed. This license might be the Base License, to
which you want to add more licenses, or it might already have all of your licenses installed, depending
on what you ordered and what your vendor installed for you. See the “Monitoring Licenses” section on
page 3-38 section to determine which licenses you have installed.

Permanent License
You can have one permanent activation key installed. The permanent activation key includes all licensed
features in a single key. If you also install time-based licenses, the ASA combines the permanent and
time-based licenses into a running license. See the “How Permanent and Time-Based Licenses
Combine” section on page 3-22 for more information about how the ASA combines the licenses.

Time-Based Licenses
In addition to permanent licenses, you can purchase time-based licenses or receive an evaluation license
that has a time-limit. For example, you might buy a time-based AnyConnect Premium license to handle
short-term surges in the number of concurrent SSL VPN users, or you might order a Botnet Traffic Filter
time-based license that is valid for 1 year.
This section includes the following topics:
•

Time-Based License Activation Guidelines, page 3-21

•

How the Time-Based License Timer Works, page 3-21

•

How Permanent and Time-Based Licenses Combine, page 3-22

•

Stacking Time-Based Licenses, page 3-23

•

Time-Based License Expiration, page 3-23

Time-Based License Activation Guidelines
•

You can install multiple time-based licenses, including multiple licenses for the same feature.
However, only one time-based license per feature can be active at a time. The inactive license
remains installed, and ready for use. For example, if you install a 1000-session AnyConnect
Premium license, and a 2500-session AnyConnect Premium license, then only one of these licenses
can be active.

•

If you activate an evaluation license that has multiple features in the key, then you cannot also
activate another time-based license for one of the included features. For example, if an evaluation
license includes the Botnet Traffic Filter and a 1000-session AnyConnect Premium license, you
cannot also activate a standalone time-based 2500-session AnyConnect Premium license.

How the Time-Based License Timer Works
•

The timer for the time-based license starts counting down when you activate it on the ASA.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-21

Chapter 3

Managing Feature Licenses

Information About Feature Licenses

Note

•

If you stop using the time-based license before it times out, then the timer halts. The timer only starts
again when you reactivate the time-based license.

•

If the time-based license is active, and you shut down the ASA, then the timer continues to count
down. If you intend to leave the ASA in a shut down state for an extended period of time, then you
should deactivate the time-based license before you shut down.

We suggest you do not change the system clock after you install the time-based license. If you set the
clock to be a later date, then if you reload, the ASA checks the system clock against the original
installation time, and assumes that more time has passed than has actually been used. If you set the clock
back, and the actual running time is greater than the time between the original installation time and the
system clock, then the license immediately expires after a reload.

How Permanent and Time-Based Licenses Combine
When you activate a time-based license, then features from both permanent and time-based licenses
combine to form the running license. How the permanent and time-based licenses combine depends on
the type of license. Table 3-17 lists the combination rules for each feature license.

Note

Even when the permanent license is used, if the time-based license is active, it continues to count down.
Table 3-17

Time-Based License Combination Rules

Time-Based Feature

Combined License Rule

AnyConnect Premium
Sessions

The higher value is used, either time-based or permanent. For example,
if the permanent license is 1000 sessions, and the time-based license is
2500 sessions, then 2500 sessions are enabled. Typically, you will not
install a time-based license that has less capability than the permanent
license, but if you do so, then the permanent license is used.

Unified Communications
Proxy Sessions

The time-based license sessions are added to the permanent sessions, up
to the platform limit. For example, if the permanent license is 2500
sessions, and the time-based license is 1000 sessions, then 3500 sessions
are enabled for as long as the time-based license is active.

Security Contexts

The time-based license contexts are added to the permanent contexts, up
to the platform limit. For example, if the permanent license is 10
contexts, and the time-based license is 20 contexts, then 30 contexts are
enabled for as long as the time-based license is active.

Botnet Traffic Filter

There is no permanent Botnet Traffic Filter license available; the
time-based license is used.

All Others

The higher value is used, either time-based or permanent. For licenses
that have a status of enabled or disabled, then the license with the
enabled status is used. For licenses with numerical tiers, the higher value
is used. Typically, you will not install a time-based license that has less
capability than the permanent license, but if you do so, then the
permanent license is used.

To view the combined license, see the “Monitoring Licenses” section on page 3-38.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-22

Chapter 3

Managing Feature Licenses
Information About Feature Licenses

Stacking Time-Based Licenses
In many cases, you might need to renew your time-based license and have a seamless transition from the
old license to the new one. For features that are only available with a time-based license, it is especially
important that the license not expire before you can apply the new license. The ASA allows you to stack
time-based licenses so you do not have to worry about the license expiring or about losing time on your
licenses because you installed the new one early.
When you install an identical time-based license as one already installed, then the licenses are combined,
and the duration equals the combined duration.
For example:
1.

You install a 52-week Botnet Traffic Filter license, and use the license for 25 weeks (27 weeks
remain).

You then purchase another 52-week Botnet Traffic Filter license. When you install the second
license, the licenses combine to have a duration of 79 weeks (52 weeks plus 27 weeks).

Similarly:
1.

You install an 8-week 1000-session AnyConnect Premium license, and use it for 2 weeks (6 weeks
remain).

You then install another 8-week 1000-session license, and the licenses combine to be 1000-sessions
for 14 weeks (8 weeks plus 6 weeks).

If the licenses are not identical (for example, a 1000-session AnyConnect Premium license vs. a
2500-session license), then the licenses are not combined. Because only one time-based license per
feature can be active, only one of the licenses can be active. See the “Activating or Deactivating Keys”
section on page 3-33 for more information about activating licenses.
Although non-identical licenses do not combine, when the current license expires, the ASA
automatically activates an installed license of the same feature if available. See the “Time-Based License
Expiration” section on page 3-23 for more information.

Time-Based License Expiration
When the current license for a feature expires, the ASA automatically activates an installed license of
the same feature if available. If there are no other time-based licenses available for the feature, then the
permanent license is used.
If you have more than one additional time-based license installed for a feature, then the ASA uses the
first license it finds; which license is used is not user-configurable and depends on internal operations.
If you prefer to use a different time-based license than the one the ASA activated, then you must
manually activate the license you prefer. See the “Activating or Deactivating Keys” section on page 3-33.
For example, you have a time-based 2500-session AnyConnect Premium license (active), a time-based
1000-session AnyConnect Premium license (inactive), and a permanent 500-session AnyConnect
Premium license. While the 2500-session license expires, the ASA activates the 1000-session license.
After the 1000-session license expires, the ASA uses the 500-session permanent license.

Shared AnyConnect Premium Licenses
A shared license lets you purchase a large number of AnyConnect Premium sessions and share the
sessions as needed among a group of ASAs by configuring one of the ASAs as a shared licensing server,
and the rest as shared licensing participants. This section describes how a shared license works and
includes the following topics:

Cisco ASA 5500 Series Configuration Guide using the CLI

3-23

Chapter 3

Managing Feature Licenses

Information About Feature Licenses

•

Information About the Shared Licensing Server and Participants, page 3-24

•

Communication Issues Between Participant and Server, page 3-25

•

Information About the Shared Licensing Backup Server, page 3-25

•

Failover and Shared Licenses, page 3-25

•

Maximum Number of Participants, page 3-27

Information About the Shared Licensing Server and Participants
The following steps describe how shared licenses operate:
1.

Decide which ASA should be the shared licensing server, and purchase the shared licensing server
license using that device serial number.

Decide which ASAs should be shared licensing participants, including the shared licensing backup
server, and obtain a shared licensing participant license for each device, using each device serial
number.

(Optional) Designate a second ASA as a shared licensing backup server. You can only specify one
backup server.

Note

The shared licensing backup server only needs a participant license.

Configure a shared secret on the shared licensing server; any participants with the shared secret can
use the shared license.

When you configure the ASA as a participant, it registers with the shared licensing server by sending
information about itself, including the local license and model information.

Note

The participant needs to be able to communicate with the server over the IP network; it does
not have to be on the same subnet.

The shared licensing server responds with information about how often the participant should poll
the server.

When a participant uses up the sessions of the local license, it sends a request to the shared licensing
server for additional sessions in 50-session increments.

The shared licensing server responds with a shared license. The total sessions used by a participant
cannot exceed the maximum sessions for the platform model.

Note

The shared licensing server can also participate in the shared license pool. It does not need
a participant license as well as the server license to participate.

a. If there are not enough sessions left in the shared license pool for the participant, then the server

responds with as many sessions as available.
b. The participant continues to send refresh messages requesting more sessions until the server can

adequately fulfill the request.
9.

When the load is reduced on a participant, it sends a message to the server to release the shared
sessions.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-24

Chapter 3

Managing Feature Licenses
Information About Feature Licenses

Note

The ASA uses SSL between the server and participant to encrypt all communications.

Communication Issues Between Participant and Server
See the following guidelines for communication issues between the participant and server:
•

If a participant fails to send a refresh after 3 times the refresh interval, then the server releases the
sessions back into the shared license pool.

•

If the participant cannot reach the license server to send the refresh, then the participant can continue
to use the shared license it received from the server for up to 24 hours.

•

If the participant is still not able to communicate with a license server after 24 hours, then the
participant releases the shared license, even if it still needs the sessions. The participant leaves
existing connections established, but cannot accept new connections beyond the license limit.

•

If a participant reconnects with the server before 24 hours expires, but after the server expired the
participant sessions, then the participant needs to send a new request for the sessions; the server
responds with as many sessions as can be reassigned to that participant.

Information About the Shared Licensing Backup Server
The shared licensing backup server must register successfully with the main shared licensing server
before it can take on the backup role. When it registers, the main shared licensing server syncs server
settings as well as the shared license information with the backup, including a list of registered
participants and the current license usage. The main server and backup server sync the data at 10 second
intervals. After the initial sync, the backup server can successfully perform backup duties, even after a
reload.
When the main server goes down, the backup server takes over server operation. The backup server can
operate for up to 30 continuous days, after which the backup server stops issuing sessions to participants,
and existing sessions time out. Be sure to reinstate the main server within that 30-day period.
Critical-level syslog messages are sent at 15 days, and again at 30 days.
When the main server comes back up, it syncs with the backup server, and then takes over server
operation.
When the backup server is not active, it acts as a regular participant of the main shared licensing server.

Note

When you first launch the main shared licensing server, the backup server can only operate
independently for 5 days. The operational limit increases day-by-day, until 30 days is reached. Also, if
the main server later goes down for any length of time, the backup server operational limit decrements
day-by-day. When the main server comes back up, the backup server starts to increment again
day-by-day. For example, if the main server is down for 20 days, with the backup server active during
that time, then the backup server will only have a 10-day limit left over. The backup server “recharges”
up to the maximum 30 days after 20 more days as an inactive backup. This recharging function is
implemented to discourage misuse of the shared license.

Failover and Shared Licenses
This section describes how shared licenses interact with failover and includes the following topics:
•

“Failover and Shared License Servers” section on page 3-26

Cisco ASA 5500 Series Configuration Guide using the CLI

3-25

Chapter 3

Managing Feature Licenses

Information About Feature Licenses

•

“Failover and Shared License Participants” section on page 3-27

Failover and Shared License Servers
This section describes how the main server and backup server interact with failover. Because the shared
licensing server is also performing normal duties as the ASA, including performing functions such as
being a VPN gateway and firewall, then you might need to configure failover for the main and backup
shared licensing servers for increased reliability.

Note

The backup server mechanism is separate from, but compatible with, failover.
Shared licenses are supported only in single context mode, so Active/Active failover is not supported.
For Active/Standby failover, the primary unit acts as the main shared licensing server, and the standby
unit acts as the main shared licensing server after failover. The standby unit does not act as the backup
shared licensing server. Instead, you can have a second pair of units acting as the backup server, if
desired.
For example, you have a network with 2 failover pairs. Pair #1 includes the main licensing server. Pair
#2 includes the backup server. When the primary unit from Pair #1 goes down, the standby unit
immediately becomes the new main licensing server. The backup server from Pair #2 never gets used.
Only if both units in Pair #1 go down does the backup server in Pair #2 come into use as the shared
licensing server. If Pair #1 remains down, and the primary unit in Pair #2 goes down, then the standby
unit in Pair #2 comes into use as the shared licensing server (see Figure 3-1).

Cisco ASA 5500 Series Configuration Guide using the CLI

3-26

Chapter 3

Managing Feature Licenses
Information About Feature Licenses

Figure 3-1

Failover and Shared License Servers

Key
Blue=Shared license
server in use

Failover Pair #1

Failover Pair #2

(Active)=Active
failover unit
1. Normal Main (Active)
operation:

Main (Standby)

Failover Pair #1

2. Primary main Main (Failed)
server fails over:

Main (Active)

Failover Pair #1

3. Both main Main (Failed)
servers fail:

Main (Failed)

Failover Pair #1

Main (Failed)

Backup (Standby)

Failover Pair #2

Backup (Active)

Backup (Standby)

Failover Pair #2

Backup (Active)

Backup (Standby)

Failover Pair #2

Backup (Failed)

Backup (Active)
251356

4. Both main servers and Main (Failed)
primary backup fail:

Backup (Active)

The standby backup server shares the same operating limits as the primary backup server; if the standby
unit becomes active, it continues counting down where the primary unit left off. See the “Information
About the Shared Licensing Backup Server” section on page 3-25 for more information.

Failover and Shared License Participants
For participant pairs, both units register with the shared licensing server using separate participant IDs.
The active unit syncs its participant ID with the standby unit. The standby unit uses this ID to generate
a transfer request when it switches to the active role. This transfer request is used to move the shared
sessions from the previously active unit to the new active unit.

Maximum Number of Participants
The ASA does not limit the number of participants for the shared license; however, a very large shared
network could potentially affect the performance on the licensing server. In this case, you can increase
the delay between participant refreshes, or you can create two shared networks.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-27

Chapter 3

Managing Feature Licenses

Information About Feature Licenses

Failover Licenses (8.3(1) and Later)
With some exceptions, failover units do not require the same license on each unit. For earlier versions,
see the licensing document for your version.
This section includes the following topics:
•

Failover License Requirements and Exceptions, page 3-28

•

How Failover Licenses Combine, page 3-28

•

Loss of Communication Between Failover Units, page 3-29

•

Upgrading Failover Pairs, page 3-30

Failover License Requirements and Exceptions
Failover units do not require the same license on each unit.
Older versions of ASA software required that the licenses match on each unit. Starting with Version
8.3(1), you no longer need to install identical licenses. Typically, you buy a license only for the primary
unit; for Active/Standby failover, the secondary unit inherits the primary license when it becomes active.
If you have licenses on both units, they combine into a single running failover cluster license.
The exceptions to this rule include:

Note

•

Security Plus license for the ASA 5505, 5510, and 5512-X—The Base license does not support
failover, so you cannot enable failover on a standby unit that only has the Base license.

•

IPS module license for the ASA 5500-X—You must purchase an IPS module license for each unit,
just as you would need to purchase a hardware module for each unit for other models.

•

Encryption license—Both units must have the same encryption license.

A valid permanent key is required; in rare instances, your authentication key can be removed. If your
key consists of all 0’s, then you need to reinstall a valid authentication key before failover can be
enabled.

How Failover Licenses Combine
For failover pairs, the licenses on each unit are combined into a single running failover cluster license.
For Active/Active failover, the license usage of the two units combined cannot exceed the failover cluster
license.
If you buy separate licenses for the primary and secondary unit, then the combined license uses the
following rules:
•

For licenses that have numerical tiers, such as the number of sessions, the values from both the
primary and secondary licenses are combined up to the platform limit. If both licenses in use are
time-based, then the licenses count down simultaneously.
For example:
– You have two ASAs with 10 AnyConnect Premium sessions installed on each; the licenses will

be combined for a total of 20 AnyConnect Premium sessions.
– You have two ASA 5520s with 500 AnyConnect Premium sessions each; because the platform

limit is 750, the combined license allows 750 AnyConnect Premium sessions.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-28

Chapter 3

Managing Feature Licenses
Information About Feature Licenses

Note

In the above example, if the AnyConnect Premium licenses are time-based, you might want
to disable one of the licenses so you do not “waste” a 500 session license from which you
can only use 250 sessions because of the platform limit.

– You have two ASA 5540s, one with 20 contexts and the other with 10 contexts; the combined

license allows 30 contexts. For Active/Active failover, one unit can use 18 contexts and the other
unit can use 12 contexts, for example, for a total of 30; the combined usage cannot exceed the
failover cluster license (in this case, 30).
•

For licenses that have a status of enabled or disabled, then the license with the enabled status is used.

•

For time-based licenses that are enabled or disabled (and do not have numerical tiers), the duration
is the combined duration of both licenses. The primary unit counts down its license first, and when
it expires, the secondary unit starts counting down its license. This rule also applies to Active/Active
failover, even though both units are actively operating.
For example, if you have 48 weeks left on the Botnet Traffic Filter license on both units, then the
combined duration is 96 weeks.

To view the combined license, see the “Monitoring Licenses” section on page 3-38.

Loss of Communication Between Failover Units
If the failover units lose communication for more than 30 days, then each unit reverts to the license
installed locally. During the 30-day grace period, the combined running license continues to be used by
both units.
If you restore communication during the 30-day grace period, then for time-based licenses, the time
elapsed is subtracted from the primary license; if the primary license becomes expired, only then does
the secondary license start to count down.
If you do not restore communication during the 30-day period, then for time-based licenses, time is
subtracted from both primary and secondary licenses, if installed. They are treated as two separate
licenses and do not benefit from the failover combined license. The time elapsed includes the 30-day
grace period.
For example:
1.

You have a 52-week Botnet Traffic Filter license installed on both units. The combined running
license allows a total duration of 104 weeks.

The units operate as a failover unit for 10 weeks, leaving 94 weeks on the combined license (42
weeks on the primary, and 52 weeks on the secondary).

If the units lose communication (for example the primary unit fails over to the secondary unit), the
secondary unit continues to use the combined license, and continues to count down from 94 weeks.

The time-based license behavior depends on when communication is restored:

•

Within 30 days—The time elapsed is subtracted from the primary unit license. In this case,
communication is restored after 4 weeks. Therefore, 4 weeks are subtracted from the primary license
leaving 90 weeks combined (38 weeks on the primary, and 52 weeks on the secondary).

•

After 30 days—The time elapsed is subtracted from both units. In this case, communication is
restored after 6 weeks. Therefore, 6 weeks are subtracted from both the primary and secondary
licenses, leaving 84 weeks combined (36 weeks on the primary, and 46 weeks on the secondary).

Cisco ASA 5500 Series Configuration Guide using the CLI

3-29

Chapter 3

Managing Feature Licenses

Information About Feature Licenses

Upgrading Failover Pairs
Because failover pairs do not require the same license on both units, you can apply new licenses to each
unit without any downtime. If you apply a permanent license that requires a reload (see Table 3-18 on
page 3-34), then you can fail over to the other unit while you reload. If both units require reloading, then
you can reload them separately so you have no downtime.

No Payload Encryption Models
You can purchase some models with No Payload Encryption. For export to some countries, payload
encryption cannot be enabled on the Cisco ASA 5500 series. The ASA software senses a No Payload
Encryption model, and disables the following features:
•

Unified Communications

•

VPN

You can still install the Strong Encryption (3DES/AES) license for use with management connections.
For example, you can use ASDM HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the
dynamic database for the Botnet Traffic Filer (which uses SSL).
When you view the license (see the “Monitoring Licenses” section on page 3-38), VPN and Unified
Communications licenses will not be listed.

Licenses FAQ
Q. Can I activate multiple time-based licenses, for example, AnyConnect Premium and Botnet Traffic

Filter?
A. Yes. You can use one time-based license per feature at a time.
Q. Can I “stack” time-based licenses so that when the time limit runs out, it will automatically use the

next license?
A. Yes. For identical licenses, the time limit is combined when you install multiple time-based licenses.

For non-identical licenses (for example, a 1000-session AnyConnect Premium license and a
2500-session license), the ASA automatically activates the next time-based license it finds for the
feature.
Q. Can I install a new permanent license while maintaining an active time-based license?
A. Yes. Activating a permanent license does not affect time-based licenses.
Q. For failover, can I use a shared licensing server as the primary unit, and the shared licensing backup

server as the secondary unit?
A. No. The secondary unit has the same running license as the primary unit; in the case of the shared

licensing server, they require a server license. The backup server requires a participant license. The
backup server can be in a separate failover pair of two backup servers.
Q. Do I need to buy the same licenses for the secondary unit in a failover pair?

Cisco ASA 5500 Series Configuration Guide using the CLI

3-30

Chapter 3

Managing Feature Licenses
Guidelines and Limitations

A. No. Starting with Version 8.3(1), you do not have to have matching licenses on both units. Typically,

you buy a license only for the primary unit; the secondary unit inherits the primary license when it
becomes active. In the case where you also have a separate license on the secondary unit (for
example, if you purchased matching licenses for pre-8.3 software), the licenses are combined into a
running failover cluster license, up to the model limits.
Q. Can I use a time-based or permanent AnyConnect Premium license in addition to a shared

AnyConnect Premium license?
A. Yes. The shared license is used only after the sessions from the locally installed license (time-based

or permanent) are used up. Note: On the shared licensing server, the permanent AnyConnect
Premium license is not used; you can however use a time-based license at the same time as the
shared licensing server license. In this case, the time-based license sessions are available for local
AnyConnect Premium sessions only; they cannot be added to the shared licensing pool for use by
participants.

Guidelines and Limitations
See the following guidelines for activation keys.
Context Mode Guidelines
•

In multiple context mode, apply the activation key in the system execution space.

•

Shared licenses are not supported in multiple context mode.

Firewall Mode Guidelines

All license types are available in both routed and transparent mode.
Failover Guidelines
•

Shared licenses are not supported in Active/Active mode. See the “Failover and Shared Licenses”
section on page 3-25 for more information.

•

Failover units do not require the same license on each unit.
Older versions of ASA software required that the licenses match on each unit. Starting with Version
8.3(1), you no longer need to install identical licenses. Typically, you buy a license only for the
primary unit; for Active/Standby failover, the secondary unit inherits the primary license when it
becomes active. If you have licenses on both units, they combine into a single running failover
cluster license.

Note
•

Failover units do require the same RAM on both units.

For the ASA 5505 and 5510, both units require the Security Plus license; the Base license does not
support failover, so you cannot enable failover on a standby unit that only has the Base license.

Upgrade and Downgrade Guidelines

Your activation key remains compatible if you upgrade to the latest version from any previous version.
However, you might have issues if you want to maintain downgrade capability:

Cisco ASA 5500 Series Configuration Guide using the CLI

3-31

Chapter 3

Managing Feature Licenses

Configuring Licenses

•

Downgrading to Version 8.1 or earlier—After you upgrade, if you activate additional feature
licenses that were introduced before 8.2, then the activation key continues to be compatible with
earlier versions if you downgrade. However if you activate feature licenses that were introduced in
8.2 or later, then the activation key is not backward compatible. If you have an incompatible license
key, then see the following guidelines:
– If you previously entered an activation key in an earlier version, then the ASA uses that key

(without any of the new licenses you activated in Version 8.2 or later).
– If you have a new system and do not have an earlier activation key, then you need to request a

new activation key compatible with the earlier version.
•

Downgrading to Version 8.2 or earlier—Version 8.3 introduced more robust time-based key usage
as well as failover license changes:
– If you have more than one time-based activation key active, when you downgrade, only the most

recently activated time-based key can be active. Any other keys are made inactive. If the last
time-based license is for a feature introduced in 8.3, then that license still remains the active
license even though it cannot be used in earlier versions. Reenter the permanent key or a valid
time-based key.
– If you have mismatched licenses on a failover pair, then downgrading will disable failover. Even

if the keys are matching, the license used will no longer be a combined license.
– If you have one time-based license installed, but it is for a feature introduced in 8.3, then after

you downgrade, that time-based license remains active. You need to reenter the permanent key
to disable the time-based license.
Additional Guidelines and Limitations
•

The activation key is not stored in your configuration file; it is stored as a hidden file in flash
memory.

•

The activation key is tied to the serial number of the device. Feature licenses cannot be transferred
between devices (except in the case of a hardware failure). If you have to replace your device due
to a hardware failure and it is covered by Cisco TAC, contact the Cisco Licensing Team to have your
existing license transferred to the new serial number. The Cisco Licensing Team will ask for the
Product Authorization Key reference number and existing serial number.

•

Once purchased, you cannot return a license for a refund or for an upgraded license.

•

Although you can activate all license types, some features are incompatible with each other; for
example, multiple context mode and VPN. In the case of the AnyConnect Essentials license, the
license is incompatible with the following licenses: AnyConnect Premium license, shared
AnyConnect Premium license, and Advanced Endpoint Assessment license. By default, the
AnyConnect Essentials license is used instead of the above licenses, but you can disable the
AnyConnect Essentials license in the configuration to restore use of the other licenses using the no
anyconnect-essentials command.

Configuring Licenses
This section includes the following topics:
•

Obtaining an Activation Key, page 3-33

•

Activating or Deactivating Keys, page 3-33

•

Configuring a Shared License, page 3-35

Cisco ASA 5500 Series Configuration Guide using the CLI

3-32

Chapter 3

Managing Feature Licenses
Configuring Licenses

Obtaining an Activation Key
To obtain an activation key, you need a Product Authorization Key, which you can purchase from your
Cisco account representative. You need to purchase a separate Product Activation Key for each feature
license. For example, if you have the Base License, you can purchase separate keys for Advanced
Endpoint Assessment and for additional AnyConnect Premium sessions.
After obtaining the Product Authorization Keys, register them on Cisco.com by performing the
following steps.

Detailed Steps
Step 1

Obtain the serial number for your ASA by entering the following command.
hostname# show activation-key

Step 2

If you are not already registered with Cisco.com, create an account.

Step 3

Go to the following licensing website:
http://www.cisco.com/go/license

Step 4

Enter the following information, when prompted:
•

Product Authorization Key (if you have multiple keys, enter one of the keys first. You have to enter
each key as a separate process.)

•

The serial number of your ASA

•

Your e-mail address

An activation key is automatically generated and sent to the email address that you provide. This key
includes all features you have registered so far for permanent licenses. For time-based licenses, each
license has a separate activation key.
Step 5

If you have additional Product Authorization Keys, repeat Step 4 for each Product Authorization Key.
After you enter all of the Product Authorization Keys, the final activation key provided includes all of
the permanent features you registered.

Activating or Deactivating Keys
This section describes how to enter a new activation key, and how to activate and deactivate time-based
keys.

Prerequisites
•

If you are already in multiple context mode, enter the activation key in the system execution space.

•

Some permanent licenses require you to reload the ASA after you activate them. Table 3-18 lists the
licenses that require reloading.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-33

Chapter 3

Managing Feature Licenses

Configuring Licenses

Table 3-18

Permanent License Reloading Requirements

Model

License Action Requiring Reload

ASA 5505, ASA 5510

Changing between the Base and Security Plus
license.

All models

Changing the Encryption license.

All models

Downgrading any permanent license (for
example, going from 10 contexts to 2 contexts).

Limitations and Restrictions
Your activation key remains compatible if you upgrade to the latest version from any previous version.
However, you might have issues if you want to maintain downgrade capability:
•

(without any of the new licenses you activated in Version 8.2 or later).
– If you have a new system and do not have an earlier activation key, then you need to request a

new activation key compatible with the earlier version.
•

recently activated time-based key can be active. Any other keys are made inactive.
– If you have mismatched licenses on a failover pair, then downgrading will disable failover. Even

if the keys are matching, the license used will no longer be a combined license.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-34

Chapter 3

Managing Feature Licenses
Configuring Licenses

Detailed Steps

Step 1

Command

Purpose

activation-key key [activate | deactivate]

Applies an activation key to the ASA. The key is a five-element
hexadecimal string with one space between each element. The
leading 0x specifier is optional; all values are assumed to be
hexadecimal.

Example:
hostname# activation-key 0xd11b3d48
0xa80a4c0a 0x48e0fd1c 0xb0443480
0x843fc490

You can install one permanent key, and multiple time-based keys.
If you enter a new permanent key, it overwrites the already
installed one.
The activate and deactivate keywords are available for
time-based keys only. If you do not enter any value, activate is the
default. The last time-based key that you activate for a given
feature is the active one. To deactivate any active time-based key,
enter the deactivate keyword. If you enter a key for the first time,
and specify deactivate, then the key is installed on the ASA in an
inactive state. See the “Time-Based Licenses” section on
page 3-21 for more information.

Step 2

(Might be required.)
reload

Example:
hostname# reload

Reloads the ASA. Some permanent licenses require you to reload
the ASA after entering the new activation key. See Table 3-18 on
page 3-34 for a list of licenses that need reloading. If you need to
reload, you will see the following message:
WARNING: The running activation key was not updated with
the requested key. The flash activation key was updated
with the requested key, and will become active after the
next reload.

Configuring a Shared License
This section describes how to configure the shared licensing server and participants. For more
information about shared licenses, see the “Shared AnyConnect Premium Licenses” section on
page 3-23.
This section includes the following topics:
•

Configuring the Shared Licensing Server, page 3-35

•

Configuring the Shared Licensing Backup Server (Optional), page 3-37

•

Configuring the Shared Licensing Participant, page 3-37

Configuring the Shared Licensing Server
This section describes how to configure the ASA to be a shared licensing server.

Prerequisites
The server must have a shared licensing server key.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-35

Chapter 3

Managing Feature Licenses

Configuring Licenses

Detailed Steps

Step 1

Command

Purpose

license-server secret secret

Sets the shared secret, a string between 4 and 128 ASCII
characters. Any participant with this secret can use the licensing
server.

Example:
hostname(config)# license-server secret
farscape

Step 2

(Optional)
license-server refresh-interval seconds

Sets the refresh interval between 10 and 300 seconds; this value
is provided to participants to set how often they should
communicate with the server. The default is 30 seconds.

Example:
hostname(config)# license-server
refresh-interval 100

Step 3

(Optional)

Sets the port on which the server listens for SSL connections from
participants, between 1 and 65535. The default is TCP port
50554.

license-server port port

Example:
hostname(config)# license-server port
40000

Step 4

(Optional)
license-server backup address backup-id
serial_number [ha-backup-id
ha_serial_number]

Identifies the backup server IP address and serial number. If the
backup server is part of a failover pair, identify the standby unit
serial number as well. You can only identify 1 backup server and
its optional standby unit.

Example:
hostname(config)# license-server backup
10.1.1.2 backup-id JMX0916L0Z4
ha-backup-id JMX1378N0W3

Step 5

license-server enable interface_name

Enables this unit to be the shared licensing server. Specify the
interface on which participants contact the server. You can repeat
this command for as many interfaces as desired.

Example:
hostname(config)# license-server enable
inside

Examples
The following example sets the shared secret, changes the refresh interval and port, configures a backup
server, and enables this unit as the shared licensing server on the inside interface and dmz interface:
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#
JMX1378N0W3
hostname(config)#

license-server
license-server
license-server
license-server

license-server enable inside

Cisco ASA 5500 Series Configuration Guide using the CLI

3-36

secret farscape
refresh-interval 100
port 40000
backup 10.1.1.2 backup-id JMX0916L0Z4 ha-backup-id

Chapter 3

Managing Feature Licenses
Configuring Licenses

hostname(config)# license-server enable dmz

What to Do Next
See the “Configuring the Shared Licensing Backup Server (Optional)” section on page 3-37, or the
“Configuring the Shared Licensing Participant” section on page 3-37.

Configuring the Shared Licensing Backup Server (Optional)
This section enables a shared license participant to act as the backup server if the main server goes down.

Prerequisites
The backup server must have a shared licensing participant key.

Detailed Steps

Step 1

Command

Purpose

license-server address address secret
secret [port port]

Identifies the shared licensing server IP address and shared secret.
If you changed the default port in the server configuration, set the
port for the backup server to match.

Example:
hostname(config)# license-server address
10.1.1.1 secret farscape

Step 2

license-server backup enable
interface_name

Enables this unit to be the shared licensing backup server. Specify
the interface on which participants contact the server. You can
repeat this command for as many interfaces as desired.

Example:
hostname(config)# license-server backup
enable inside

Examples
The following example identifies the license server and shared secret, and enables this unit as the backup
shared license server on the inside interface and dmz interface:
hostname(config)# license-server address 10.1.1.1 secret farscape
hostname(config)# license-server backup enable inside
hostname(config)# license-server backup enable dmz

What to Do Next
See the “Configuring the Shared Licensing Participant” section on page 3-37.

Configuring the Shared Licensing Participant
This section configures a shared licensing participant to communicate with the shared licensing server.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-37

Chapter 3

Managing Feature Licenses

Monitoring Licenses

Prerequisites
The participant must have a shared licensing participant key.

Detailed Steps

Step 1

Command

Purpose

license-server address address secret
secret [port port]

Identifies the shared licensing server IP address and shared secret.
If you changed the default port in the server configuration, set the
port for the participant to match.

Example:
hostname(config)# license-server address
10.1.1.1 secret farscape

Step 2

(Optional)
license-server backup address address

If you configured a backup server, enter the backup server
address.

Example:
hostname(config)# license-server backup
address 10.1.1.2

Examples
The following example sets the license server IP address and shared secret, as well as the backup license
server IP address:
hostname(config)# license-server address 10.1.1.1 secret farscape
hostname(config)# license-server backup address 10.1.1.2

Monitoring Licenses
This section includes the following topics:
•

Viewing Your Current License, page 3-38

•

Monitoring the Shared License, page 3-44

Viewing Your Current License
This section describes how to view your current license, and for time-based activation keys, how much
time the license has left.

Guidelines
If you have a No Payload Encryption model, then you view the license, VPN and Unified
Communications licenses will not be listed. See the “No Payload Encryption Models” section on
page 3-30 for more information.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-38

Chapter 3

Managing Feature Licenses
Monitoring Licenses

Detailed Steps

Command

Purpose

show activation-key [detail]

This command shows the permanent license, active time-based licenses,
and the running license, which is a combination of the permanent license
and active time-based licenses. The detail keyword also shows inactive
time-based licenses.

Example:
hostname# show activation-key detail

For failover units, this command also shows the “Failover cluster” license,
which is the combined keys of the primary and secondary units.

Examples
Example 3-1

Standalone Unit Output for the show activation-key command

The following is sample output from the show activation-key command for a standalone unit that shows
the running license (the combined permanent license and time-based licenses), as well as each active
time-based license:
hostname# show activation-key
Serial Number: JMX1232L11M
Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Running Timebased Activation Key: 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2
Licensed features for this platform:
Maximum Physical Interfaces
: Unlimited
Maximum VLANs
: 150
Inside Hosts
: Unlimited
Failover
: Active/Active
VPN-DES
: Enabled
VPN-3DES-AES
: Enabled
Security Contexts
: 10
GTP/GPRS
: Enabled
AnyConnect Premium Peers
: 2
AnyConnect Essentials
: Disabled
Other VPN Peers
: 750
Total VPN Peers
: 750
Shared License
: Enabled
Shared AnyConnect Premium Peers : 12000
AnyConnect for Mobile
: Disabled
AnyConnect for Cisco VPN Phone
: Disabled
Advanced Endpoint Assessment
: Disabled
UC Phone Proxy Sessions
: 12
Total UC Proxy Sessions
: 12
Botnet Traffic Filter
: Enabled
Intercompany Media Engine
: Disabled

perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
62 days
62 days
646 days
perpetual

This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.
Active Timebased Activation Key:
0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Botnet Traffic Filter
: Enabled
646 days
0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2 0xyadayad2
Total UC Proxy Sessions
: 10
62 days

Cisco ASA 5500 Series Configuration Guide using the CLI

3-39

Chapter 3

Managing Feature Licenses

Monitoring Licenses

Example 3-2

Standalone Unit Output for show activation-key detail

The following is sample output from the show activation-key detail command for a standalone unit that
shows the running license (the combined permanent license and time-based licenses), as well as the
permanent license and each installed time-based license (active and inactive):
hostname# show activation-key detail
Serial Number: 88810093382
Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Licensed features for this platform:
Maximum Physical Interfaces
: 8
VLANs
: 20
Dual ISPs
: Enabled
VLAN Trunk Ports
: 8
Inside Hosts
: Unlimited
Failover
: Active/Standby
VPN-DES
: Enabled
VPN-3DES-AES
: Enabled
AnyConnect Premium Peers
: 2
AnyConnect Essentials
: Disabled
Other VPN Peers
: 25
Total VPN Peers
: 25
AnyConnect for Mobile
: Disabled
AnyConnect for Cisco VPN Phone
: Disabled
Advanced Endpoint Assessment
: Disabled
UC Phone Proxy Sessions
: 2
Total UC Proxy Sessions
: 2
Botnet Traffic Filter
: Enabled
Intercompany Media Engine
: Disabled

perpetual
DMZ Unrestricted
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
39 days
perpetual

This platform has an ASA 5505 Security Plus license.
Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
Licensed features for this platform:
Maximum Physical Interfaces
: 8
VLANs
: 20
Dual ISPs
: Enabled
VLAN Trunk Ports
: 8
Inside Hosts
: Unlimited
Failover
: Active/Standby
VPN-DES
: Enabled
VPN-3DES-AES
: Enabled
AnyConnect Premium Peers
: 2
AnyConnect Essentials
: Disabled
Other VPN Peers
: 25
Total VPN Peers
: 25
AnyConnect for Mobile
: Disabled
AnyConnect for Cisco VPN Phone
: Disabled
Advanced Endpoint Assessment
: Disabled
UC Phone Proxy Sessions
: 2
Total UC Proxy Sessions
: 2
Botnet Traffic Filter
: Enabled
Intercompany Media Engine
: Disabled

perpetual
DMZ Unrestricted
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
39 days
perpetual

The flash permanent activation key is the SAME as the running permanent key.
Active Timebased Activation Key:

Cisco ASA 5500 Series Configuration Guide using the CLI

3-40

Chapter 3

Managing Feature Licenses
Monitoring Licenses

0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Botnet Traffic Filter
: Enabled
39 days
Inactive Timebased Activation Key:
0xyadayada3 0xyadayada3 0xyadayada3 0xyadayada3 0xyadayada3
AnyConnect Premium Peers
: 25
7 days

Example 3-3

Primary Unit Output in a Failover Pair for show activation-key detail

The following is sample output from the show activation-key detail command for the primary failover
unit that shows:
•

The primary unit license (the combined permanent license and time-based licenses).

•

The “Failover Cluster” license, which is the combined licenses from the primary and secondary
units. This is the license that is actually running on the ASA. The values in this license that reflect
the combination of the primary and secondary licenses are in bold.

•

The primary unit permanent license.

•

The primary unit installed time-based licenses (active and inactive).

hostname# show activation-key detail
Serial Number: P3000000171
Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
Running Timebased Activation Key: 0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Licensed features for this platform:
Maximum Physical Interfaces
: Unlimited
Maximum VLANs
: 150
Inside Hosts
: Unlimited
Failover
: Active/Active
VPN-DES
: Enabled
VPN-3DES-AES
: Enabled
Security Contexts
: 12
GTP/GPRS
: Enabled
AnyConnect Premium Peers
: 2
AnyConnect Essentials
: Disabled
Other VPN Peers
: 750
Total VPN Peers
: 750
Shared License
: Disabled
AnyConnect for Mobile
: Disabled
AnyConnect for Cisco VPN Phone
: Disabled
Advanced Endpoint Assessment
: Disabled
UC Phone Proxy Sessions
: 2
Total UC Proxy Sessions
: 2
Botnet Traffic Filter
: Enabled
Intercompany Media Engine
: Disabled

perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
33 days
perpetual

Cisco ASA 5500 Series Configuration Guide using the CLI

3-41

Chapter 3

Managing Feature Licenses

Monitoring Licenses

Other VPN Peers
Total VPN Peers
Shared License
AnyConnect for Mobile
AnyConnect for Cisco VPN Phone
Advanced Endpoint Assessment
UC Phone Proxy Sessions
Total UC Proxy Sessions
Botnet Traffic Filter
Intercompany Media Engine

:
:
:
:
:
:
:
:
:
:

750
750
Disabled
Disabled
Disabled
Disabled

4
4
Enabled
Disabled

perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
33 days
perpetual

This platform has an ASA 5520 VPN Plus license.
Running Permanent Activation Key: 0xce06dc6b 0x8a7b5ab7 0xa1e21dd4 0xd2c4b8b8 0xc4594f9c
Licensed features for this platform:
Maximum Physical Interfaces
: Unlimited
Maximum VLANs
: 150
Inside Hosts
: Unlimited
Failover
: Active/Active
VPN-DES
: Enabled
VPN-3DES-AES
: Disabled
Security Contexts
: 2
GTP/GPRS
: Disabled
AnyConnect Premium Peers
: 2
AnyConnect Essentials
: Disabled
Other VPN Peers
: 750
Total VPN Peers
: 750
Shared License
: Disabled
AnyConnect for Mobile
: Disabled
AnyConnect for Cisco VPN Phone
: Disabled
Advanced Endpoint Assessment
: Disabled
UC Phone Proxy Sessions
: 2
Total UC Proxy Sessions
: 2
Botnet Traffic Filter
: Disabled
Intercompany Media Engine
: Disabled

perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual

The flash permanent activation key is the SAME as the running permanent key.
Active Timebased Activation Key:
0xa821d549 0x35725fe4 0xc918b97b 0xce0b987b 0x47c7c285
Botnet Traffic Filter
: Enabled
33 days
Inactive Timebased Activation Key:
0xyadayad3 0xyadayad3 0xyadayad3 0xyadayad3 0xyadayad3
Security Contexts
: 2
7 days
AnyConnect Premium Peers
: 100

7 days

0xyadayad4 0xyadayad4 0xyadayad4 0xyadayad4 0xyadayad4
Total UC Proxy Sessions
: 100
14 days

Example 3-4

Secondary Unit Output in a Failover Pair for show activation-key detail

The following is sample output from the show activation-key detail command for the secondary
failover unit that shows:
•

The secondary unit license (the combined permanent license and time-based licenses).

•

Cisco ASA 5500 Series Configuration Guide using the CLI

3-42

Chapter 3

Managing Feature Licenses
Monitoring Licenses

•

The secondary unit permanent license.

•

The secondary installed time-based licenses (active and inactive). This unit does not have any
time-based licenses, so none display in this sample output.

hostname# show activation-key detail
Serial Number: P3000000011
Running Activation Key: 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1
Licensed features for this platform:
Maximum Physical Interfaces
: Unlimited
Maximum VLANs
: 150
Inside Hosts
: Unlimited
Failover
: Active/Active
VPN-DES
: Enabled
VPN-3DES-AES
: Disabled
Security Contexts
: 2
GTP/GPRS
: Disabled
AnyConnect Premium Peers
: 2
AnyConnect Essentials
: Disabled
Other VPN Peers
: 750
Total VPN Peers
: 750
Shared License
: Disabled
AnyConnect for Mobile
: Disabled
AnyConnect for Cisco VPN Phone
: Disabled
Advanced Endpoint Assessment
: Disabled
UC Phone Proxy Sessions
: 2
Total UC Proxy Sessions
: 2
Botnet Traffic Filter
: Disabled
Intercompany Media Engine
: Disabled

perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual

This platform has an ASA 5520 VPN Plus license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces
: Unlimited
perpetual
Maximum VLANs
: 150
perpetual
Inside Hosts
: Unlimited
perpetual
Failover
: Active/Active perpetual
VPN-DES
: Enabled
perpetual
VPN-3DES-AES
: Enabled
perpetual
Security Contexts
: 10
perpetual
GTP/GPRS
: Enabled
perpetual
AnyConnect Premium Peers
: 4
perpetual
AnyConnect Essentials
: Disabled
perpetual
Other VPN Peers
: 750
perpetual
Total VPN Peers
: 750
perpetual
Shared License
: Disabled
perpetual
AnyConnect for Mobile
: Disabled
perpetual
AnyConnect for Cisco VPN Phone
: Disabled
perpetual
Advanced Endpoint Assessment
: Disabled
perpetual
UC Phone Proxy Sessions
: 4
perpetual
Total UC Proxy Sessions
: 4
perpetual
Botnet Traffic Filter
: Enabled
33 days
Intercompany Media Engine
: Disabled
perpetual
This platform has an ASA 5520 VPN Plus license.
Running Permanent Activation Key: 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1 0xyadayad1
Licensed features for this platform:
Maximum Physical Interfaces
: Unlimited
Maximum VLANs
: 150
Inside Hosts
: Unlimited

perpetual
perpetual
perpetual

Cisco ASA 5500 Series Configuration Guide using the CLI

3-43

Chapter 3

Managing Feature Licenses

Monitoring Licenses

Failover
VPN-DES
VPN-3DES-AES
Security Contexts
GTP/GPRS
AnyConnect Premium Peers
AnyConnect Essentials
Other VPN Peers
Total VPN Peers
Shared License
AnyConnect for Mobile
AnyConnect for Cisco VPN Phone
Advanced Endpoint Assessment
UC Phone Proxy Sessions
Total UC Proxy Sessions
Botnet Traffic Filter
Intercompany Media Engine

:
:
:
:
:

:
:
:
:

Active/Active
Enabled
Disabled
2
Disabled
: 2
: Disabled
: 750
: 750
: Disabled
: Disabled
: Disabled
: Disabled
2
2
Disabled
Disabled

perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual

The flash permanent activation key is the SAME as the running permanent key.

Monitoring the Shared License
To monitor the shared license, enter one of the following commands.
Command

Purpose

show shared license [detail | client
[hostname] | backup]

Shows shared license statistics. Optional keywords ar available only for
the licensing server: the detail keyword shows statistics per participant.
To limit the display to one participant, use the client keyword. The
backup keyword shows information about the backup server.
To clear the shared license statistics, enter the clear shared license
command.

show activation-key

Shows the licenses installed on the ASA. The show version command
also shows license information.

show vpn-sessiondb

Shows license information about VPN sessions.

Examples
The following is sample output from the show shared license command on the license participant:
hostname> show shared license
Primary License Server : 10.3.32.20
Version
: 1
Status
: Inactive
Shared license utilization:
SSLVPN:
Total for network :
5000
Available
:
5000
Utilized
:
0
This device:
Platform limit
:
250
Current usage
:
0
High usage
:
0

Cisco ASA 5500 Series Configuration Guide using the CLI

3-44

Chapter 3

Managing Feature Licenses
Monitoring Licenses

Messages Tx/Rx/Error:
Registration
: 0
Get
: 0
Release
: 0
Transfer
: 0

/
/
/
/

0
0
0
0

/
/
/
/

0
0
0
0

The following is sample output from the show shared license detail command on the license server:
hostname> show shared license detail
Backup License Server Info:
Device ID
: ABCD
Address
: 10.1.1.2
Registered
: NO
HA peer ID
: EFGH
Registered
: NO
Messages Tx/Rx/Error:
Hello
: 0 / 0 / 0
Sync
: 0 / 0 / 0
Update
: 0 / 0 / 0
Shared license utilization:
SSLVPN:
Total for network :
Available
:
Utilized
:
This device:
Platform limit
:
Current usage
:
High usage
:
Messages Tx/Rx/Error:
Registration
: 0 / 0
Get
: 0 / 0
Release
: 0 / 0
Transfer
: 0 / 0

500
500
0
250
0
0
/
/
/
/

0
0
0
0

Client Info:
Hostname
: 5540-A
Device ID
: XXXXXXXXXXX
SSLVPN:
Current usage
: 0
High
: 0
Messages Tx/Rx/Error:
Registration
: 1 / 1 / 0
Get
: 0 / 0 / 0
Release
: 0 / 0 / 0
Transfer
: 0 / 0 / 0
...

Cisco ASA 5500 Series Configuration Guide using the CLI

3-45

Chapter 3

Managing Feature Licenses

Feature History for Licensing

Feature History for Licensing
Table 3-19 lists each feature change and the platform release in which it was implemented.
Table 3-19

Feature History for Licensing

Feature Name

Platform
Releases

Feature Information

Increased Connections and VLANs

7.0(5)

Increased the following limits:
•

ASA5510 Base license connections from 32000 to
5000; VLANs from 0 to 10.

•

ASA5510 Security Plus license connections from
64000 to 130000; VLANs from 10 to 25.

•

ASA5520 connections from 130000 to 280000; VLANs
from 25 to 100.

•

ASA5540 connections from 280000 to 400000; VLANs
from 100 to 200.

SSL VPN Licenses

7.1(1)

SSL VPN licenses were introduced.

Increased SSL VPN Licenses

7.2(1)

A 5000-user SSL VPN license was introduced for the ASA
5550 and above.

Increased interfaces for the Base license on the 7.2(2)
ASA 5510

For the Base license on the ASA 5510, the maximum
number of interfaces was increased from 3 plus a
management interface to unlimited interfaces.

Increased VLANs

The maximum number of VLANs for the Security Plus
license on the ASA 5505 was increased from 5 (3 fully
functional; 1 failover; one restricted to a backup interface)
to 20 fully functional interfaces. In addition, the number of
trunk ports was increased from 1 to 8. Now there are 20
fully functional interfaces, you do not need to use the
backup interface command to cripple a backup ISP
interface; you can use a fully-functional interface for it. The
backup interface command is still useful for an Easy VPN
configuration.

7.2(2)

VLAN limits were also increased for the ASA 5510 (from
10 to 50 for the Base license, and from 25 to 100 for the
Security Plus license), the ASA 5520 (from 100 to 150), the
ASA 5550 (from 200 to 250).
Gigabit Ethernet Support for the ASA 5510
Security Plus License

7.2(3)

The ASA 5510 now supports Gigabit Ethernet (1000 Mbps)
for the Ethernet 0/0 and 0/1 ports with the Security Plus
license. In the Base license, they continue to be used as Fast
Ethernet (100 Mbps) ports. Ethernet 0/2, 0/3, and 0/4
remain as Fast Ethernet ports for both licenses.
Note

The interface names remain Ethernet 0/0 and
Ethernet 0/1.

Use the speed command to change the speed on the
interface and use the show interface command to see what
speed is currently configured for each interface.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-46

Chapter 3

Managing Feature Licenses
Feature History for Licensing

Table 3-19

Feature History for Licensing (continued)

Feature Name

Platform
Releases

Advanced Endpoint Assessment License

8.0(2)

Feature Information
The Advanced Endpoint Assessment license was
introduced. As a condition for the completion of a Cisco
AnyConnect or clientless SSL VPN connections, the remote
computer scans for a greatly expanded collection of
antivirus and antispyware applications, firewalls, operating
systems, and associated updates. It also scans for any
registry entries, filenames, and process names that you
specify. It sends the scan results to the ASA. The ASA uses
both the user login credentials and the computer scan results
to assign a Dynamic Access Policy (DAP).
With an Advanced Endpoint Assessment License, you can
enhance Host Scan by configuring an attempt to update
noncompliant computers to meet version requirements.
Cisco can provide timely updates to the list of applications
and versions that Host Scan supports in a package that is
separate from Cisco Secure Desktop.

VPN Load Balancing for the ASA 5510

8.0(2)

VPN load balancing is now supported on the ASA 5510
Security Plus license.

AnyConnect for Mobile License

8.0(3)

The AnyConnect for Mobile license was introduced. It lets
Windows mobile devices connect to the ASA using the
AnyConnect client.

Time-based Licenses

8.0(4)/8.1(2)

Support for time-based licenses was introduced.

Increased VLANs for the ASA 5580

8.1(2)

The number of VLANs supported on the ASA 5580 are
increased from 100 to 250.

Unified Communications Proxy Sessions
license

8.0(4)

The UC Proxy sessions license was introduced. Phone
Proxy, Presence Federation Proxy, and Encrypted Voice
Inspection applications use TLS proxy sessions for their
connections. Each TLS proxy session is counted against the
UC license limit. All of these applications are licensed
under the UC Proxy umbrella, and can be mixed and
matched.
This feature is not available in Version 8.1.

Botnet Traffic Filter License

8.2(1)

The Botnet Traffic Filter license was introduced. The
Botnet Traffic Filter protects against malware network
activity by tracking connections to known bad domains and
IP addresses.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-47

Chapter 3

Managing Feature Licenses

Feature History for Licensing

Table 3-19

Feature History for Licensing (continued)

Feature Name

Platform
Releases

AnyConnect Essentials License

8.2(1)

Feature Information
The AnyConnect Essentials License was introduced. This
license enables AnyConnect VPN client access to the ASA.
This license does not support browser-based SSL VPN
access or Cisco Secure Desktop. For these features, activate
an AnyConnect Premium license instead of the AnyConnect
Essentials license.
Note

With the AnyConnect Essentials license, VPN users
can use a Web browser to log in, and download and
start (WebLaunch) the AnyConnect client.

The AnyConnect client software offers the same set of
client features, whether it is enabled by this license or an
AnyConnect Premium license.
The AnyConnect Essentials license cannot be active at the
same time as the following licenses on a given ASA:
AnyConnect Premium license (all types) or the Advanced
Endpoint Assessment license. You can, however, run
AnyConnect Essentials and AnyConnect Premium licenses
on different ASAs in the same network.
By default, the ASA uses the AnyConnect Essentials
license, but you can disable it to use other licenses by using
the no anyconnect-essentials command.
SSL VPN license changed to AnyConnect
Premium SSL VPN Edition license

8.2(1)

The SSL VPN license name was changed to the
AnyConnect Premium SSL VPN Edition license.

Shared Licenses for SSL VPN

8.2(1)

Shared licenses for SSL VPN were introduced. Multiple
ASAs can share a pool of SSL VPN sessions on an
as-needed basis.

Mobility Proxy application no longer requires
Unified Communications Proxy license

8.2(2)

The Mobility Proxy no longer requires the UC Proxy
license.

10 GE I/O license for the ASA 5585-X with
SSP-20

8.2(3)

We introduced the 10 GE I/O license for the ASA 5585-X
with SSP-20 to enable 10-Gigabit Ethernet speeds for the
fiber ports. The SSP-60 supports 10-Gigabit Ethernet
speeds by default.
Note

10 GE I/O license for the ASA 5585-X with
SSP-10

8.2(4)

We introduced the 10 GE I/O license for the ASA 5585-X
with SSP-10 to enable 10-Gigabit Ethernet speeds for the
fiber ports. The SSP-40 supports 10-Gigabit Ethernet
speeds by default.
Note

Cisco ASA 5500 Series Configuration Guide using the CLI

3-48

The ASA 5585-X is not supported in 8.3(x).

Chapter 3

Managing Feature Licenses
Feature History for Licensing

Table 3-19

Feature History for Licensing (continued)

Feature Name

Platform
Releases

Non-identical failover licenses

8.3(1)

Feature Information
Failover licenses no longer need to be identical on each unit.
The license used for both units is the combined license from
the primary and secondary units.
We modified the following commands: show
activation-key and show version.

Stackable time-based licenses

8.3(1)

Time-based licenses are now stackable. In many cases, you
might need to renew your time-based license and have a
seamless transition from the old license to the new one. For
features that are only available with a time-based license, it
is especially important that the license not expire before you
can apply the new license. The ASA allows you to stack
time-based licenses so you do not have to worry about the
license expiring or about losing time on your licenses
because you installed the new one early.

Intercompany Media Engine License

8.3(1)

The IME license was introduced.

Multiple time-based licenses active at the same 8.3(1)
time

You can now install multiple time-based licenses, and have
one license per feature active at a time.
The following commands were modified: show
activation-key and show version.

Discrete activation and deactivation of
time-based licenses.

8.3(1)

You can now activate or deactivate time-based licenses
using a command.
The following command was modified: activation-key
[activate | deactivate].

AnyConnect Premium SSL VPN Edition license 8.3(1)
changed to AnyConnect Premium SSL VPN
license

The AnyConnect Premium SSL VPN Edition license name
was changed to the AnyConnect Premium SSL VPN
license.

No Payload Encryption image for export

If you install the No Payload Encryption software on the
ASA 5505 through 5550, then you disable Unified
Communications, strong encryption VPN, and strong
encryption management protocols.

8.3(2)

Note

This special image is only supported in 8.3(x); for
No Payload Encryption support in 8.4(1) and later,
you need to purchase a special hardware version of
the ASA.

Increased contexts for the ASA 5550, 5580, and 8.4(1)
5585-X

For the ASA 5550 and ASA 5585-X with SSP-10, the
maximum contexts was increased from 50 to 100. For the
ASA 5580 and 5585-X with SSP-20 and higher, the
maximum was increased from 50 to 250.

Increased VLANs for the ASA 5580 and
5585-X

For the ASA 5580 and 5585-X, the maximum VLANs was
increased from 250 to 1024.

8.4(1)

Cisco ASA 5500 Series Configuration Guide using the CLI

3-49

Chapter 3

Managing Feature Licenses

Feature History for Licensing

Table 3-19

Feature History for Licensing (continued)

Feature Name
Increased connections for the ASA 5580 and
5585-X

Platform
Releases

Feature Information

8.4(1)

We increased the firewall connection limits:
•

ASA 5580-20—1,000,000 to 2,000,000.

•

ASA 5580-40—2,000,000 to 4,000,000.

•

ASA 5585-X with SSP-10: 750,000 to 1,000,000.

•

ASA 5585-X with SSP-20: 1,000,000 to 2,000,000.

•

ASA 5585-X with SSP-40: 2,000,000 to 4,000,000.

•

ASA 5585-X with SSP-60: 2,000,000 to 10,000,000.

AnyConnect Premium SSL VPN license
changed to AnyConnect Premium license

8.4(1)

The AnyConnect Premium SSL VPN license name was
changed to the AnyConnect Premium license. The license
information display was changed from “SSL VPN Peers” to
“AnyConnect Premium Peers.”

Increased AnyConnect VPN sessions for the
ASA 5580

8.4(1)

The AnyConnect VPN session limit was increased from
5,000 to 10,000.

Increased Other VPN sessions for the ASA
5580

8.4(1)

The other VPN session limit was increased from 5,000 to
10,000.

IPsec remote access VPN using IKEv2

8.4(1)

IPsec remote access VPN using IKEv2 was added to the
AnyConnect Essentials and AnyConnect Premium licenses.
IKEv2 site-to-site sessions were added to the Other VPN
license (formerly IPsec VPN). The Other VPN license is
included in the Base license.

No Payload Encryption hardware for export

8.4(1)

For models available with No Payload Encryption (for
example, the ASA 5585-X), the ASA software disables
Unified Communications and VPN features, making the
ASA available for export to certain countries.

Dual SSPs for SSP-20 and SSP-40

8.4(2)

For SSP-40 and SSP-60, you can use two SSPs of the same
level in the same chassis. Mixed-level SSPs are not
supported (for example, an SSP-40 with an SSP-60 is not
supported). Each SSP acts as an independent device, with
separate configurations and management. You can use the
two SSPs as a failover pair if desired. When using two SSPs
in the chassis, VPN is not supported; note, however, that
VPN has not been disabled.

IPS Module license for the ASA 5512-X
through ASA 5555-X

8.6(1)

The IPS SSP software module on the ASA 5512-X, ASA
5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X
requires the IPS module license.

Cisco ASA 5500 Series Configuration Guide using the CLI

3-50

PA R T

Configuring Firewall and Security Context
Modes

CH A P T E R

Configuring the Transparent or Routed Firewall
This chapter describes how to set the firewall mode to routed or transparent, as well as how the firewall
works in each firewall mode.
In multiple context mode, you cannot set the firewall mode separately for each context; you can only set
the firewall mode for the entire ASA.
This chapter includes the following sections:
•

Configuring the Firewall Mode, page 4-1

•

Configuring ARP Inspection for the Transparent Firewall, page 4-9

•

Customizing the MAC Address Table for the Transparent Firewall, page 4-13

•

Firewall Mode Examples, page 4-17

Configuring the Firewall Mode
This section describes routed and transparent firewall mode, and how to set the mode. This section
includes the following topics:
•

Information About the Firewall Mode, page 4-1

•

Licensing Requirements for the Firewall Mode, page 4-6

•

Default Settings, page 4-6

•

Guidelines and Limitations, page 4-6

•

Setting the Firewall Mode, page 4-8

•

Feature History for Firewall Mode, page 4-9

Information About the Firewall Mode
This section describes routed and transparent firewall mode and includes the following topics:
•

Information About Routed Firewall Mode, page 4-2

•

Information About Transparent Firewall Mode, page 4-2

Cisco ASA 5500 Series Configuration Guide using the CLI

4-1

Chapter 4

Configuring the Transparent or Routed Firewall

Configuring the Firewall Mode

Information About Routed Firewall Mode
In routed mode, the ASA is considered to be a router hop in the network. It can use OSPF or RIP (in
single context mode). Routed mode supports many interfaces. Each interface is on a different subnet.
You can share interfaces between contexts.
The ASA acts as a router between connected networks, and each interface requires an IP address on a
different subnet. In single context mode, the routed firewall supports OSPF, EIGRP, and RIP. Multiple
context mode supports static routes only. We recommend using the advanced routing capabilities of the
upstream and downstream routers instead of relying on the ASA for extensive routing needs.

Information About Transparent Firewall Mode
Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its
screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump
in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices.
This section describes transparent firewall mode and includes the following topics:
•

Transparent Firewall Network, page 4-2

•

Bridge Groups, page 4-2

•

Management Interface (ASA 5510 and Higher), page 4-3

•

Allowing Layer 3 Traffic, page 4-3

•

Allowed MAC Addresses, page 4-3

•

Passing Traffic Not Allowed in Routed Mode, page 4-3

•

BPDU Handling, page 4-4

•

MAC Address vs. Route Lookups, page 4-4

•

Using the Transparent Firewall in Your Network, page 4-5

Transparent Firewall Network
The ASA connects the same network between its interfaces. Because the firewall is not a routed hop, you
can easily introduce a transparent firewall into an existing network.

Bridge Groups
If you do not want the overhead of security contexts, or want to maximize your use of security contexts,
you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for
each network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another
bridge group within the ASA, and traffic must exit the ASA before it is routed by an external router back
to another bridge group in the ASA. Although the bridging functions are separate for each bridge group,
many other functions are shared between all bridge groups. For example, all bridge groups share a syslog
server or AAA server configuration. For complete security policy separation, use security contexts with
one bridge group in each context.

Note

Each bridge group requires a management IP address. The ASA uses this IP address as the source address
for packets originating from the bridge group. The management IP address must be on the same subnet
as the connected network. For another method of management, see the “Management Interface (ASA
5510 and Higher)” section on page 4-3.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-2

Chapter 4

Configuring the Transparent or Routed Firewall
Configuring the Firewall Mode

The ASA does not support traffic on secondary networks; only traffic on the same network as the
management IP address is supported.

Management Interface (ASA 5510 and Higher)
In addition to each bridge group management IP address, you can add a separate Management slot/port
interface that is not part of any bridge group, and that allows only management traffic to the ASA. For
more information, see the “Management Interface” section on page 6-2.

Allowing Layer 3 Traffic
•

IPv4 and IPv6 traffic is allowed through the transparent firewall automatically from a higher security
interface to a lower security interface, without an access list.

•

ARPs are allowed through the transparent firewall in both directions without an access list. ARP
traffic can be controlled by ARP inspection.

•

For Layer 3 traffic travelling from a low to a high security interface, an extended access list is
required on the low security interface. See Chapter 15, “Adding an Extended Access List,” or
Chapter 19, “Adding an IPv6 Access List,” for more information.

Allowed MAC Addresses
The following destination MAC addresses are allowed through the transparent firewall. Any
MAC address not on this list is dropped.
•

TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF

•

IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF

•

IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF

•

BPDU multicast address equal to 0100.0CCC.CCCD

•

AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

Passing Traffic Not Allowed in Routed Mode
In routed mode, some types of traffic cannot pass through the ASA even if you allow it in an access list.
The transparent firewall, however, can allow almost any traffic through using either an extended access
list (for IP traffic) or an EtherType access list (for non-IP traffic).
Non-IP traffic (for example AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through using
an EtherType access list.

Note

The transparent mode ASA does not pass CDP packets, or any packets that do not have a valid EtherType
greater than or equal to 0x600. For example, you cannot pass IS-IS packets. An exception is made for
BPDUs, which are supported.

Passing Traffic For Routed-Mode Features
For features that are not directly supported on the transparent firewall, you can allow traffic to pass
through so that upstream and downstream routers can support the functionality. For example, by using
an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or

Cisco ASA 5500 Series Configuration Guide using the CLI

4-3

Chapter 4

Configuring the Transparent or Routed Firewall

Configuring the Firewall Mode

multicast traffic such as that created by IP/TV. You can also establish routing protocol adjacencies
through a transparent firewall; you can allow OSPF, RIP, EIGRP, or BGP traffic through based on an
extended access list. Likewise, protocols like HSRP or VRRP can pass through the ASA.

BPDU Handling
To prevent loops using the Spanning Tree Protocol, BPDUs are passed by default. To block BPDUs, you
need to configure an EtherType access list to deny them. If you are using failover, you might want to
block BPDUs to prevent the switch port from going into a blocking state when the topology changes.
See the “Transparent Firewall Mode Requirements” section on page 61-11 for more information.

MAC Address vs. Route Lookups
When the ASA runs in transparent mode, the outgoing interface of a packet is determined by performing
a MAC address lookup instead of a route lookup.
Route lookups, however, are necessary for the following traffic types:
•

Traffic originating on the ASA—For example, if your syslog server is located on a remote network,
you must use a static route so the ASA can reach that subnet.

•

Traffic that is at least one hop away from the ASA with NAT enabled—The ASA needs to perform
a route lookup; you need to add a static route on the ASA for the real host address.

•

Voice over IP (VoIP) traffic with inspection enabled, and the endpoint is at least one hop away from
the ASA—For example, if you use the transparent firewall between a CCM and an H.323 gateway,
and there is a router between the transparent firewall and the H.323 gateway, then you need to add
a static route on the ASA for the H.323 gateway for successful call completion.

•

VoIP or DNS traffic with inspection enabled, with NAT enabled, and the embedded address is at least
one hop away from the ASA—To successfully translate the IP address inside VoIP and DNS packets,
the ASA needs to perform a route lookup; you need to add a static route on the ASA for the real host
address that is embedded in the packet.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-4

Chapter 4

Configuring the Transparent or Routed Firewall
Configuring the Firewall Mode

Using the Transparent Firewall in Your Network
Figure 4-1 shows a typical transparent firewall network where the outside devices are on the same subnet
as the inside devices. The inside router and hosts appear to be directly connected to the outside router.
Figure 4-1

Transparent Firewall Network

Internet

10.1.1.1

Network A

Management IP
10.1.1.2

10.1.1.3

Network B

92411

192.168.1.2

Cisco ASA 5500 Series Configuration Guide using the CLI

4-5

Chapter 4

Configuring the Transparent or Routed Firewall

Configuring the Firewall Mode

Figure 4-2 shows two networks connected to the ASA, which has two bridge groups.
Figure 4-2

Transparent Firewall Network with Two Bridge Groups

10.1.1.1
Management IP
Bridge Group 1
10.1.1.2

Management IP
Bridge Group 2
10.2.1.2
10.2.1.3

254279

10.1.1.3

10.2.1.1

Licensing Requirements for the Firewall Mode
The following table shows the licensing requirements for this feature.
Model

License Requirement

All models

Base License.

Default Settings
The default mode is routed mode.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
•

For the ASA 5500 series appliances, the firewall mode is set for the entire system and all contexts;
you cannot set the mode individually for each context.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-6

Chapter 4

Configuring the Transparent or Routed Firewall
Configuring the Firewall Mode

•

When you change modes, the ASA clears the running configuration because many commands are
not supported for both modes. This action removes any contexts from running. If you then re-add a
context that has an existing configuration that was created for the wrong mode, the context
configuration might not work correctly. Be sure to recreate your context configurations for the
correct mode before you re-add them, or add new contexts with new paths for the new
configurations.

Transparent Firewall Guidelines

Follow these guidelines when planning your transparent firewall network:
•

In transparent firewall mode, the management interface updates the MAC address table in the same
manner as a data interface; therefore you should not connect both a management and a data interface
to the same switch unless you configure one of the switch ports as a routed port (by default Cisco
Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on
the management interface from the physically-connected switch, then the ASA updates the
MAC address table to use the management interface to access the switch, instead of the data
interface. This action causes a temporary traffic interruption; the ASA will not re-update the MAC
address table for packets from the switch to the data interface for at least 30 seconds for security
reasons.

•

Each directly-connected network must be on the same subnet.

•

Do not specify the bridge group management IP address as the default gateway for connected
devices; devices need to specify the router on the other side of the ASA as the default gateway.

•

The default route for the transparent firewall, which is required to provide a return path for
management traffic, is only applied to management traffic from one bridge group network. This is
because the default route specifies an interface in the bridge group as well as the router IP address
on the bridge group network, and you can only define one default route. If you have management
traffic from more than one bridge group network, you need to specify a static route that identifies
the network from which you expect management traffic.

See the “Guidelines and Limitations” section on page 9-5 for more guidelines.
IPv6 Guidelines

Supports IPv6.
Additional Guidelines and Limitations
•

When you change firewall modes, the ASA clears the running configuration because many
commands are not supported for both modes. The startup configuration remains unchanged. If you
reload without saving, then the startup configuration is loaded, and the mode reverts back to the
original setting. See the “Setting the Firewall Mode” section on page 4-8 for information about
backing up your configuration file.

•

If you download a text configuration to the ASA that changes the mode with the
firewall transparent command, be sure to put the command at the top of the configuration; the ASA
changes the mode as soon as it reads the command and then continues reading the configuration you
downloaded. If the command appears later in the configuration, the ASA clears all the preceding
lines in the configuration. See the “Downloading Software or Configuration Files to Flash Memory”
section on page 81-2 for information about downloading text files.

Unsupported Features in Transparent Mode

Table 4-1 lists the features are not supported in transparent mode.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-7

Chapter 4

Configuring the Transparent or Routed Firewall

Configuring the Firewall Mode

Table 4-1

Unsupported Features in Transparent Mode

Feature

Description

Dynamic DNS

—

DHCP relay

The transparent firewall can act as a DHCP server, but it does not
support the DHCP relay commands. DHCP relay is not required
because you can allow DHCP traffic to pass through using two
extended access lists: one that allows DCHP requests from the inside
interface to the outside, and one that allows the replies from the server
in the other direction.

Dynamic routing protocols

You can, however, add static routes for traffic originating on the ASA.
You can also allow dynamic routing protocols through the ASA using
an extended access list.

Multicast IP routing

You can allow multicast traffic through the ASA by allowing it in an
extended access list.

QoS

—

VPN termination for through
traffic

The transparent firewall supports site-to-site VPN tunnels for
management connections only. It does not terminate VPN connections
for traffic through the ASA. You can pass VPN traffic through the
ASA using an extended access list, but it does not terminate
non-management connections. SSL VPN is also not supported.

Setting the Firewall Mode
This section describes how to change the firewall mode.

Note

We recommend that you set the firewall mode before you perform any other configuration because
changing the firewall mode clears the running configuration.

Prerequisites
When you change modes, the ASA clears the running configuration (see the “Guidelines and
Limitations” section on page 4-6 for more information).
•

If you already have a populated configuration, be sure to back up your configuration before changing
the mode; you can use this backup for reference when creating your new configuration. See the
“Backing Up Configuration Files or Other Files” section on page 81-8.

•

Use the CLI at the console port to change the mode. If you use any other type of session, including
the ASDM Command Line Interface tool or SSH, you will be disconnected when the configuration
is cleared, and you will have to reconnect to the ASA using the console port in any case.

•

For the ASA 5500 series appiances, set the mode for the whole system in the system execution
space.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-8

Chapter 4

Configuring the Transparent or Routed Firewall
Configuring ARP Inspection for the Transparent Firewall

Detailed Steps

Command

Purpose

firewall transparent

Sets the firewall mode to transparent. To change the mode to routed, enter
the no firewall transparent command.
Note

Example:

You are not prompted to confirm the firewall mode change; the
change occurs immediately.

hostname(config)# firewall transparent

Feature History for Firewall Mode
Table 4-2 lists the release history for each feature change and the platform release in which it was
implemented.
Table 4-2

Feature History for Firewall Mode

Feature Name
Transparent firewall mode

Releases

Feature Information

7.0(1)

A transparent firewall is a Layer 2 firewall that acts like a
“bump in the wire,” or a “stealth firewall,” and is not seen as
a router hop to connected devices.
We introduced the following commands: firewall
transparent, show firewall.

Transparent firewall bridge groups

8.4(1)

Multiple bridge groups are now allowed in transparent
firewall mode. Also, you can now configure up to four
interfaces (per bridge group); formerly, you could only
configure two interfaces in transparent mode.
We introduced the following commands: firewall
transparent, show firewall.

Configuring ARP Inspection for the Transparent Firewall
This section describes ARP inspection and how to enable it and includes the following topics:
•

Information About ARP Inspection, page 4-10

•

Licensing Requirements for ARP Inspection, page 4-10

•

Default Settings, page 4-10

•

Guidelines and Limitations, page 4-10

•

Configuring ARP Inspection, page 4-11

•

Monitoring ARP Inspection, page 4-12

•

Feature History for ARP Inspection, page 4-13

Cisco ASA 5500 Series Configuration Guide using the CLI

4-9

Chapter 4

Configuring the Transparent or Routed Firewall

Configuring ARP Inspection for the Transparent Firewall

Information About ARP Inspection
By default, all ARP packets are allowed through the ASA. You can control the flow of ARP packets by
enabling ARP inspection.
When you enable ARP inspection, the ASA compares the MAC address, IP address, and source interface
in all ARP packets to static entries in the ARP table, and takes the following actions:
•

If the IP address, MAC address, and source interface match an ARP entry, the packet is passed
through.

•

If there is a mismatch between the MAC address, the IP address, or the interface, then the ASA drops
the packet.

•

If the ARP packet does not match any entries in the static ARP table, then you can set the ASA to
either forward the packet out all interfaces (flood), or to drop the packet.

Note

The dedicated management interface, if present, never floods packets even if this parameter
is set to flood.

ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP
spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an
ARP request to the gateway router; the gateway router responds with the gateway router MAC address.
The attacker, however, sends another ARP response to the host with the attacker MAC address instead
of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to
the router.
ARP inspection ensures that an attacker cannot send an ARP response with the attacker MAC address,
so long as the correct MAC address and the associated IP address are in the static ARP table.

Licensing Requirements for ARP Inspection
The following table shows the licensing requirements for this feature.
Model

License Requirement

All models

Base License.

Default Settings
By default, all ARP packets are allowed through the ASA.
If you enable ARP inspection, the default setting is to flood non-matching packets.

Guidelines and Limitations
Context Mode Guidelines
•

Supported in single and multiple context mode.

•

In multiple context mode, configure ARP inspection within each context.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-10

Chapter 4

Configuring the Transparent or Routed Firewall
Configuring ARP Inspection for the Transparent Firewall

Firewall Mode Guidelines

Supported only in transparent firewall mode. Routed mode is not supported.

Configuring ARP Inspection
This section describes how to configure ARP inspection and includes the following topics:
•

Task Flow for Configuring ARP Inspection, page 4-11

•

Adding a Static ARP Entry, page 4-11

•

Enabling ARP Inspection, page 4-12

Task Flow for Configuring ARP Inspection
To configure ARP Inspection, perform the following steps:
Step 1

Add static ARP entries according to the “Adding a Static ARP Entry” section on page 4-11. ARP
inspection compares ARP packets with static ARP entries in the ARP table, so static ARP entries are
required for this feature.

Step 2

Enable ARP inspection according to the “Enabling ARP Inspection” section on page 4-12.

Adding a Static ARP Entry
ARP inspection compares ARP packets with static ARP entries in the ARP table. Although hosts identify
a packet destination by an IP address, the actual delivery of the packet on Ethernet relies on the Ethernet
MAC address. When a router or host wants to deliver a packet on a directly connected network, it sends
an ARP request asking for the MAC address associated with the IP address, and then delivers the packet
to the MAC address according to the ARP response. The host or router keeps an ARP table so it does not
have to send ARP requests for every packet it needs to deliver. The ARP table is dynamically updated
whenever ARP responses are sent on the network, and if an entry is not used for a period of time, it times
out. If an entry is incorrect (for example, the MAC address changes for a given IP address), the entry
times out before it can be updated.

Note

The transparent firewall uses dynamic ARP entries in the ARP table for traffic to and from the ASA,
such as management traffic.

Detailed Steps

Command

Purpose

arp interface_name ip_address mac_address

Adds a static ARP entry.

Example:
hostname(config)# arp outside 10.1.1.1
0009.7cbe.2100

Cisco ASA 5500 Series Configuration Guide using the CLI

4-11

Chapter 4

Configuring the Transparent or Routed Firewall

Configuring ARP Inspection for the Transparent Firewall

Examples
For example, to allow ARP responses from the router at 10.1.1.1 with the MAC address 0009.7cbe.2100
on the outside interface, enter the following command:
hostname(config)# arp outside 10.1.1.1 0009.7cbe.2100

What to Do Next
Enable ARP inspection according to the “Enabling ARP Inspection” section on page 4-12.

Enabling ARP Inspection
This section describes how to enable ARP inspection.

Detailed Steps

Command

Purpose

arp-inspection interface_name enable
[flood | no-flood]

Enables ARP inspection.
The flood keyword forwards non-matching ARP packets out all interfaces,
and no-flood drops non-matching packets.
Note

Example:
hostname(config)# arp-inspection outside
enable no-flood

The default setting is to flood non-matching packets. To restrict
ARP through the ASA to only static entries, then set this command
to no-flood.

Examples
For example, to enable ARP inspection on the outside interface, and to drop all non-matching ARP
packets, enter the following command:
hostname(config)# arp-inspection outside enable no-flood

Monitoring ARP Inspection
To monitor ARP inspection, perform the following task:
Command

Purpose

show arp-inspection

Shows the current settings for ARP inspection on all interfaces.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-12

Chapter 4

Configuring the Transparent or Routed Firewall
Customizing the MAC Address Table for the Transparent Firewall

Feature History for ARP Inspection
Table 4-2 lists the release history for each feature change and the platform release in which it was
implemented.
Table 4-3

Feature History for ARP Inspection

Feature Name
ARP inspection

Releases

Feature Information

7.0(1)

ARP inspection compares the MAC address, IP address, and
source interface in all ARP packets to static entries in the
ARP table.
We introduced the following commands: arp,
arp-inspection, and show arp-inspection.

ARP cache additions for non-connected subnets 8.4(5)

The ASA ARP cache only contains entries from
directly-connected subnets by default. You can now enable
the ARP cache to also include non-directly-connected
subnets. We do not recommend enabling this feature unless
you know the security risks. This feature could facilitate
denial of service (DoS) attack against the ASA; a user on
any interface could send out many ARP replies and overload
the ASA ARP table with false entries.
You may want to use this feature if you use:
•

Secondary subnets.

•

Proxy ARP on adjacent routes for traffic forwarding.

We introduced the following command: arp
permit-nonconnected.
This feature is not available in 8.5(1), 8.6(1), or 9.0(1).

Customizing the MAC Address Table for the Transparent
Firewall
This section describes the MAC address table and includes the following topics:
•

Information About the MAC Address Table, page 4-14

•

Licensing Requirements for the MAC Address Table, page 4-14

•

Default Settings, page 4-14

•

Guidelines and Limitations, page 4-14

•

Configuring the MAC Address Table, page 4-15

•

Monitoring the MAC Address Table, page 4-16

•

Feature History for the MAC Address Table, page 4-17

Cisco ASA 5500 Series Configuration Guide using the CLI

4-13

Chapter 4

Configuring the Transparent or Routed Firewall

Customizing the MAC Address Table for the Transparent Firewall

Information About the MAC Address Table
The ASA learns and builds a MAC address table in a similar way as a normal bridge or switch: when a
device sends a packet through the ASA, the ASA adds the MAC address to its table. The table associates
the MAC address with the source interface so that the ASA knows to send any packets addressed to the
device out the correct interface.
The ASA 5505 includes a built-in switch; the switch MAC address table maintains the MAC
address-to-switch port mapping for traffic within each VLAN. This section only discusses the bridge
MAC address table, which maintains the MAC address-to-VLAN interface mapping for traffic that
passes between VLANs.
Because the ASA is a firewall, if the destination MAC address of a packet is not in the table, the ASA
does not flood the original packet on all interfaces as a normal bridge does. Instead, it generates the
following packets for directly connected devices or for remote devices:
•

Packets for directly connected devices—The ASA generates an ARP request for the destination IP
address, so that the ASA can learn which interface receives the ARP response.

•

Packets for remote devices—The ASA generates a ping to the destination IP address so that the ASA
can learn which interface receives the ping reply.

The original packet is dropped.

Licensing Requirements for the MAC Address Table
The following table shows the licensing requirements for this feature.
Model

License Requirement

All models

Base License.

Default Settings
The default timeout value for dynamic MAC address table entries is 5 minutes.
By default, each interface automatically learns the MAC addresses of entering traffic, and the ASA adds
corresponding entries to the MAC address table.

Guidelines and Limitations
Context Mode Guidelines
•

Supported in single and multiple context mode.

•

In multiple context mode, configure the MAC address table within each context.

Firewall Mode Guidelines

Supported only in transparent firewall mode. Routed mode is not supported.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-14

Chapter 4

Configuring the Transparent or Routed Firewall
Customizing the MAC Address Table for the Transparent Firewall

Additional Guidelines

In transparent firewall mode, the management interface updates the MAC address table in the same
manner as a data interface; therefore you should not connect both a management and a data interface to
the same switch unless you configure one of the switch ports as a routed port (by default Cisco Catalyst
switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the
management interface from the physically-connected switch, then the ASA updates the MAC address
table to use the management interface to access the switch, instead of the data interface. This action
causes a temporary traffic interruption; the ASA will not re-update the MAC address table for packets
from the switch to the data interface for at least 30 seconds for security reasons.

Configuring the MAC Address Table
This section describes how you can customize the MAC address table and includes the following
sections:
•

Adding a Static MAC Address, page 4-15

•

Setting the MAC Address Timeout, page 4-15

•

Disabling MAC Address Learning, page 4-16

Adding a Static MAC Address
Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular
MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired.
One benefit to adding static entries is to guard against MAC spoofing. If a client with the same
MAC address as a static entry attempts to send traffic to an interface that does not match the static entry,
then the ASA drops the traffic and generates a system message. When you add a static ARP entry (see
the “Adding a Static ARP Entry” section on page 4-11), a static MAC address entry is automatically
added to the MAC address table.
To add a static MAC address to the MAC address table, enter the following command:
Command

Purpose

mac-address-table static interface_name
mac_address

Adds a static MAC address entry.
The interface_name is the source interface.

Example:
hostname(config)# mac-address-table static
inside 0009.7cbe.2100

Setting the MAC Address Timeout
The default timeout value for dynamic MAC address table entries is 5 minutes, but you can change the
timeout. To change the timeout, enter the following command:

Cisco ASA 5500 Series Configuration Guide using the CLI

4-15

Chapter 4

Configuring the Transparent or Routed Firewall

Customizing the MAC Address Table for the Transparent Firewall

Command

Purpose

mac-address-table aging-time timeout_value

Sets the MAC address entry timeout.
The timeout_value (in minutes) is between 5 and 720 (12 hours). 5 minutes
is the default.

Example:
hostname(config)# mac-address-table
aging-time 10

Disabling MAC Address Learning
By default, each interface automatically learns the MAC addresses of entering traffic, and the ASA adds
corresponding entries to the MAC address table. You can disable MAC address learning if desired,
however, unless you statically add MAC addresses to the table, no traffic can pass through the ASA.
To disable MAC address learning, enter the following command:
Command

Purpose

mac-learn interface_name disable

Disables MAC address learning.

Example:

The no form of this command reenables MAC address learning. The clear
configure mac-learn command reenables MAC address learning on all
interfaces.

hostname(config)# mac-learn inside disable

Monitoring the MAC Address Table
You can view the entire MAC address table (including static and dynamic entries for both interfaces), or
you can view the MAC address table for an interface. To view the MAC address table, enter the following
command:
Command

Purpose

show mac-address-table [interface_name]

Shows the MAC address table.

Examples
The following is sample output from the show mac-address-table command that shows the entire table:
hostname# show mac-address-table
interface
mac address
type
Time Left
----------------------------------------------------------------------outside
0009.7cbe.2100
static
inside
0010.7cbe.6101
static
inside
0009.7cbe.5101
dynamic
10

The following is sample output from the show mac-address-table command that shows the table for the
inside interface:
hostname# show mac-address-table inside
interface
mac address
type
Time Left
----------------------------------------------------------------------inside
0010.7cbe.6101
static
-

Cisco ASA 5500 Series Configuration Guide using the CLI

4-16

Chapter 4

Configuring the Transparent or Routed Firewall
Firewall Mode Examples

inside

0009.7cbe.5101

dynamic

Feature History for the MAC Address Table
Table 4-2 lists the release history for each feature change and the platform release in which it was
implemented.
Table 4-4

Feature History for the MAC Address Table

Feature Name
MAC address table

Releases

Feature Information

7.0(1)

Transparent firewall mode uses a MAC address table.
We introduced the following commands:
mac-address-table static, mac-address-table aging-time,
mac-learn disable, and show mac-address-table.

Firewall Mode Examples
This section includes examples of how traffic moves through the ASA and includes the following topics:
•

How Data Moves Through the ASA in Routed Firewall Mode, page 4-17

•

How Data Moves Through the Transparent Firewall, page 4-23

How Data Moves Through the ASA in Routed Firewall Mode
This section describes how data moves through the ASA in routed firewall mode and includes the
following topics:
•

An Inside User Visits a Web Server, page 4-18

•

An Outside User Visits a Web Server on the DMZ, page 4-19

•

An Inside User Visits a Web Server on the DMZ, page 4-20

•

An Outside User Attempts to Access an Inside Host, page 4-21

•

A DMZ User Attempts to Access an Inside Host, page 4-22

Cisco ASA 5500 Series Configuration Guide using the CLI

4-17

Chapter 4

Configuring the Transparent or Routed Firewall

Firewall Mode Examples

An Inside User Visits a Web Server
Figure 4-3 shows an inside user accessing an outside web server.
Figure 4-3

Inside to Outside

www.example.com

Outside

209.165.201.2
Source Addr Translation
10.1.2.27
209.165.201.10
10.1.2.1

10.1.1.1

DMZ

User
10.1.2.27

Web Server
10.1.1.3

92404

Inside

The following steps describe how data moves through the ASA (see Figure 4-3):
1.

The user on the inside network requests a web page from www.example.com.

The ASA receives the packet and because it is a new session, the ASA verifies that the packet is
allowed according to the terms of the security policy (access lists, filters, AAA).
For multiple context mode, the ASA first classifies the packet according to either a unique interface
or a unique destination address associated with a context; the destination address is associated by
matching an address translation in a context. In this case, the interface would be unique; the
www.example.com IP address does not have a current address translation in a context.

The ASA translates the local source address (10.1.2.27) to the global address 209.165.201.10, which
is on the outside interface subnet.
The global address could be on any subnet, but routing is simplified when it is on the outside
interface subnet.

The ASA then records that a session is established and forwards the packet from the outside
interface.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-18

Chapter 4

Configuring the Transparent or Routed Firewall
Firewall Mode Examples

When www.example.com responds to the request, the packet goes through the ASA, and because
the session is already established, the packet bypasses the many lookups associated with a new
connection. The ASA performs NAT by translating the global destination address to the local user
address, 10.1.2.27.

The ASA forwards the packet to the inside user.

An Outside User Visits a Web Server on the DMZ
Figure 4-4 shows an outside user accessing the DMZ web server.
Figure 4-4

Outside to DMZ

User

Outside

209.165.201.2

Inside

10.1.1.1

DMZ

Web Server
10.1.1.3

92406

10.1.2.1

Dest Addr Translation
10.1.1.13
209.165.201.3

The following steps describe how data moves through the ASA (see Figure 4-4):
1.

A user on the outside network requests a web page from the DMZ web server using the global
destination address of 209.165.201.3, which is on the outside interface subnet.

The ASA untranslates the destination address to the local address 10.1.1.3.

The ASA receives the packet and because it is a new session, the ASA verifies that the packet is
allowed according to the terms of the security policy (access lists, filters, AAA).
For multiple context mode, the ASA first classifies the packet according to either a unique interface
or a unique destination address associated with a context; the destination address is associated by
matching an address translation in a context. In this case, the classifier “knows” that the DMZ web
server address belongs to a certain context because of the server address translation.

The ASA then adds a session entry to the fast path and forwards the packet from the DMZ interface.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-19

Chapter 4

Configuring the Transparent or Routed Firewall

Firewall Mode Examples

When the DMZ web server responds to the request, the packet goes through the ASA and because
the session is already established, the packet bypasses the many lookups associated with a new
connection. The ASA performs NAT by translating the local source address to 209.165.201.3.

The ASA forwards the packet to the outside user.

An Inside User Visits a Web Server on the DMZ
Figure 4-5 shows an inside user accessing the DMZ web server.
Figure 4-5

Inside to DMZ

Outside

209.165.201.2

10.1.2.1

DMZ

92403

Inside

10.1.1.1

User
10.1.2.27

Web Server
10.1.1.3

The following steps describe how data moves through the ASA (see Figure 4-5):
1.

A user on the inside network requests a web page from the DMZ web server using the destination
address of 10.1.1.3.

The ASA receives the packet and because it is a new session, the ASA verifies that the packet is
allowed according to the terms of the security policy (access lists, filters, AAA).
For multiple context mode, the ASA first classifies the packet according to either a unique interface
or a unique destination address associated with a context; the destination address is associated by
matching an address translation in a context. In this case, the interface is unique; the web server
IP address does not have a current address translation.

The ASA then records that a session is established and forwards the packet out of the DMZ interface.

When the DMZ web server responds to the request, the packet goes through the fast path, which lets
the packet bypass the many lookups associated with a new connection.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-20

Chapter 4

Configuring the Transparent or Routed Firewall
Firewall Mode Examples

The ASA forwards the packet to the inside user.

An Outside User Attempts to Access an Inside Host
Figure 4-6 shows an outside user attempting to access the inside network.
Figure 4-6

Outside to Inside

www.example.com

Outside

209.165.201.2

Inside

User
10.1.2.27

10.1.1.1

DMZ

92407

10.1.2.1

The following steps describe how data moves through the ASA (see Figure 4-6):
1.

A user on the outside network attempts to reach an inside host (assuming the host has a routable
IP address).
If the inside network uses private addresses, no outside user can reach the inside network without
NAT. The outside user might attempt to reach an inside user by using an existing NAT session.

The ASA receives the packet and because it is a new session, the ASA verifies if the packet is
allowed according to the security policy (access lists, filters, AAA).

The packet is denied, and the ASA drops the packet and logs the connection attempt.
If the outside user is attempting to attack the inside network, the ASA employs many technologies
to determine if a packet is valid for an already established session.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-21

Chapter 4

Configuring the Transparent or Routed Firewall

Firewall Mode Examples

A DMZ User Attempts to Access an Inside Host
Figure 4-7 shows a user in the DMZ attempting to access the inside network.
Figure 4-7

DMZ to Inside

Outside

209.165.201.2

10.1.2.1

10.1.1.1

DMZ

User
10.1.2.27

Web Server
10.1.1.3

92402

Inside

The following steps describe how data moves through the ASA (see Figure 4-7):
1.

A user on the DMZ network attempts to reach an inside host. Because the DMZ does not have to
route the traffic on the Internet, the private addressing scheme does not prevent routing.

The ASA receives the packet and because it is a new session, the ASA verifies if the packet is
allowed according to the security policy (access lists, filters, AAA).
The packet is denied, and the ASA drops the packet and logs the connection attempt.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-22

Chapter 4

Configuring the Transparent or Routed Firewall
Firewall Mode Examples

How Data Moves Through the Transparent Firewall
Figure 4-8 shows a typical transparent firewall implementation with an inside network that contains a
public web server. The ASA has an access list so that the inside users can access Internet resources.
Another access list lets the outside users access only the web server on the inside network.
Figure 4-8

Typical Transparent Firewall Data Path

www.example.com

Internet

209.165.201.2
Management IP
209.165.201.6

Host
209.165.201.3

92412

209.165.200.230

Web Server
209.165.200.225

This section describes how data moves through the ASA and includes the following topics:
•

An Inside User Visits a Web Server, page 4-24

•

An Inside User Visits a Web Server Using NAT, page 4-25

•

An Outside User Visits a Web Server on the Inside Network, page 4-26

•

An Outside User Attempts to Access an Inside Host, page 4-27

Cisco ASA 5500 Series Configuration Guide using the CLI

4-23

Chapter 4

Configuring the Transparent or Routed Firewall

Firewall Mode Examples

An Inside User Visits a Web Server
Figure 4-9 shows an inside user accessing an outside web server.
Figure 4-9

Inside to Outside

www.example.com

Internet

209.165.201.2

Host
209.165.201.3

92408

Management IP
209.165.201.6

The following steps describe how data moves through the ASA (see Figure 4-9):
1.

The user on the inside network requests a web page from www.example.com.

The ASA receives the packet and adds the source MAC address to the MAC address table, if
required. Because it is a new session, it verifies that the packet is allowed according to the terms of
the security policy (access lists, filters, AAA).
For multiple context mode, the ASA first classifies the packet according to a unique interface.

The ASA records that a session is established.

If the destination MAC address is in its table, the ASA forwards the packet out of the outside
interface. The destination MAC address is that of the upstream router, 209.165.201.2.
If the destination MAC address is not in the ASA table, the ASA attempts to discover the MAC
address by sending an ARP request or a ping. The first packet is dropped.

The web server responds to the request; because the session is already established, the packet
bypasses the many lookups associated with a new connection.

The ASA forwards the packet to the inside user.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-24

Chapter 4

Configuring the Transparent or Routed Firewall
Firewall Mode Examples

An Inside User Visits a Web Server Using NAT
Figure 4-10 shows an inside user accessing an outside web server.
Figure 4-10

Inside to Outside with NAT

www.example.com

Internet
Static route on router
to 209.165.201.0/27
through security appliance

Source Addr Translation
10.1.2.27
209.165.201.10
10.1.2.1
Management IP
10.1.2.2

Host
10.1.2.27

191243

Security
appliance

The following steps describe how data moves through the ASA (see Figure 4-10):
1.

The user on the inside network requests a web page from www.example.com.

The ASA translates the real address (10.1.2.27) to the mapped address 209.165.201.10.
Because the mapped address is not on the same network as the outside interface, then be sure the
upstream router has a static route to the mapped network that points to the ASA.

The ASA then records that a session is established and forwards the packet from the outside
interface.

If the destination MAC address is in its table, the ASA forwards the packet out of the outside
interface. The destination MAC address is that of the upstream router, 10.1.2.1.
If the destination MAC address is not in the ASA table, the ASA attempts to discover the MAC
address by sending an ARP request and a ping. The first packet is dropped.

The web server responds to the request; because the session is already established, the packet
bypasses the many lookups associated with a new connection.

The ASA performs NAT by translating the mapped address to the real address, 10.1.2.27.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-25

Chapter 4

Configuring the Transparent or Routed Firewall

Firewall Mode Examples

An Outside User Visits a Web Server on the Inside Network
Figure 4-11 shows an outside user accessing the inside web server.
Figure 4-11

Outside to Inside

Host

Internet

209.165.201.2
Management IP
209.165.201.6

209.165.201.1

Web Server
209.165.200.225

92409

209.165.200.230

The following steps describe how data moves through the ASA (see Figure 4-11):
1.

A user on the outside network requests a web page from the inside web server.

The ASA records that a session is established.

If the destination MAC address is in its table, the ASA forwards the packet out of the inside
interface. The destination MAC address is that of the downstream router, 209.165.201.1.
If the destination MAC address is not in the ASA table, the ASA attempts to discover the MAC
address by sending an ARP request and a ping. The first packet is dropped.

The web server responds to the request; because the session is already established, the packet
bypasses the many lookups associated with a new connection.

The ASA forwards the packet to the outside user.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-26

Chapter 4

Configuring the Transparent or Routed Firewall
Firewall Mode Examples

An Outside User Attempts to Access an Inside Host
Figure 4-12 shows an outside user attempting to access a host on the inside network.
Figure 4-12

Outside to Inside

Host

Internet

209.165.201.2

92410

Management IP
209.165.201.6

Host
209.165.201.3

The following steps describe how data moves through the ASA (see Figure 4-12):
1.

A user on the outside network attempts to reach an inside host.

The ASA receives the packet and adds the source MAC address to the MAC address table, if
required. Because it is a new session, it verifies if the packet is allowed according to the terms of the
security policy (access lists, filters, AAA).
For multiple context mode, the ASA first classifies the packet according to a unique interface.

The packet is denied because there is no access list permitting the outside host, and the ASA drops
the packet.

If the outside user is attempting to attack the inside network, the ASA employs many technologies
to determine if a packet is valid for an already established session.

Cisco ASA 5500 Series Configuration Guide using the CLI

4-27

Chapter 4
Firewall Mode Examples

Cisco ASA 5500 Series Configuration Guide using the CLI

4-28

Configuring the Transparent or Routed Firewall

CH A P T E R

Configuring Multiple Context Mode
This chapter describes how to configure multiple security contexts on the ASA and includes the
following sections:
•

Information About Security Contexts, page 5-1

•

Licensing Requirements for Multiple Context Mode, page 5-12

•

Guidelines and Limitations, page 5-13

•

Default Settings, page 5-14

•

Configuring Multiple Contexts, page 5-14

•

Changing Between Contexts and the System Execution Space, page 5-23

•

Managing Security Contexts, page 5-23

•

Monitoring Security Contexts, page 5-27

•

Configuration Examples for Multiple Context Mode, page 5-38

•

Feature History for Multiple Context Mode, page 5-39

Information About Security Contexts
You can partition a single ASA into multiple virtual devices, known as security contexts. Each context
is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts
are similar to having multiple standalone devices. Many features are supported in multiple context mode,
including routing tables, firewall features, IPS, and management. Some features are not supported,
including VPN and dynamic routing protocols.

Note

When the ASA is configured for security contexts (for example, for Active/Active Stateful Failover),
IPsec or SSL VPN cannot be enabled. Therefore, these features are unavailable.
This section provides an overview of security contexts and includes the following topics:
•

Common Uses for Security Contexts, page 5-2

•

Context Configuration Files, page 5-2

•

How the ASA Classifies Packets, page 5-3

•

Cascading Security Contexts, page 5-6

•

Management Access to Security Contexts, page 5-7

Cisco ASA 5500 Series Configuration Guide using the CLI

5-1

Chapter 5

Configuring Multiple Context Mode

Information About Security Contexts

•

Information About Resource Management, page 5-8

•

Information About MAC Addresses, page 5-11

Common Uses for Security Contexts
You might want to use multiple security contexts in the following situations:
•

You are a service provider and want to sell security services to many customers. By enabling
multiple security contexts on the ASA, you can implement a cost-effective, space-saving solution
that keeps all customer traffic separate and secure, and also eases configuration.

•

You are a large enterprise or a college campus and want to keep departments completely separate.

•

You are an enterprise that wants to provide distinct security policies to different departments.

•

You have any network that requires more than one ASA.

Context Configuration Files
This section describes how the ASA implements multiple context mode configurations and includes the
following sections:
•

Context Configurations, page 5-2

•

System Configuration, page 5-2

•

Admin Context Configuration, page 5-2

Context Configurations
The ASA includes a configuration for each context that identifies the security policy, interfaces, and
almost all the options you can configure on a standalone device. You can store context configurations on
the internal flash memory or the external flash memory card, or you can download them from a TFTP,
FTP, or HTTP(S) server.

System Configuration
The system administrator adds and manages contexts by configuring each context configuration location,
allocated interfaces, and other context operating parameters in the system configuration, which, like a
single mode configuration, is the startup configuration. The system configuration identifies basic
settings for the ASA. The system configuration does not include any network interfaces or network
settings for itself; rather, when the system needs to access network resources (such as downloading the
contexts from the server), it uses one of the contexts that is designated as the admin context. The system
configuration does include a specialized failover interface for failover traffic only.

Admin Context Configuration
The admin context is just like any other context, except that when a user logs in to the admin context,
then that user has system administrator rights and can access the system and all other contexts. The
admin context is not restricted in any way, and can be used as a regular context. However, because

Cisco ASA 5500 Series Configuration Guide using the CLI

5-2

Chapter 5

Configuring Multiple Context Mode
Information About Security Contexts

logging into the admin context grants you administrator privileges over all contexts, you might need to
restrict access to the admin context to appropriate users. The admin context must reside on flash memory,
and not remotely.
If your system is already in multiple context mode, or if you convert from single mode, the admin context
is created automatically as a file on the internal flash memory called admin.cfg. This context is named
“admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.

How the ASA Classifies Packets
Each packet that enters the ASA must be classified, so that the ASA can determine to which context to
send a packet. This section includes the following topics:

Note

•

Valid Classifier Criteria, page 5-3

•

Classification Examples, page 5-4

If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and
delivered to each context.

Valid Classifier Criteria
This section describes the criteria used by the classifier and includes the following topics:

Note

•

Unique Interfaces, page 5-3

•

Unique MAC Addresses, page 5-3

•

NAT Configuration, page 5-4

For management traffic destined for an interface, the interface IP address is used for classification.
The routing table is not used for packet classification.

Unique Interfaces
If only one context is associated with the ingress interface, the ASA classifies the packet into that
context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used
to classify packets at all times.

Unique MAC Addresses
If multiple contexts share an interface, then the classifier uses the interface MAC address. The ASA lets
you assign a different MAC address in each context to the same shared interface. By default, shared
interfaces do not have unique MAC addresses; the interface uses the burned-in MAC address in every
context. An upstream router cannot route directly to a context without unique MAC addresses. You can
set the MAC addresses manually when you configure each interface (see the “Configuring the MAC
Address and MTU” section on page 8-9), or you can automatically generate MAC addresses (see the
“Automatically Assigning MAC Addresses to Context Interfaces” section on page 5-22).

Cisco ASA 5500 Series Configuration Guide using the CLI

5-3

Chapter 5

Configuring Multiple Context Mode

Information About Security Contexts

NAT Configuration
If you do not use unique MAC addresses, then the mapped addresses in your NAT configuration are used
to classify packets. We recommend using MAC addresses instead of NAT, so that traffic classification
can occur regardless of the completeness of the NAT configuration.

Classification Examples
Figure 5-1 shows multiple contexts sharing an outside interface. The classifier assigns the packet to
Context B because Context B includes the MAC address to which the router sends the packet.
Figure 5-1

Packet Classification with a Shared Interface using MAC Addresses

Internet

Packet Destination:
209.165.201.1 via MAC 000C.F142.4CDC
GE 0/0.1 (Shared Interface)
Classifier

Context A

GE 0/1.1

MAC 000C.F142.4CDC

Context B

GE 0/1.2

GE 0/1.3

Admin
Network

Inside
Customer A

Inside
Customer B

Host
209.165.202.129

Host
209.165.200.225

Host
209.165.201.1

Cisco ASA 5500 Series Configuration Guide using the CLI

5-4

MAC 000C.F142.4CDB

153367

MAC 000C.F142.4CDA
Admin
Context

Configuring Multiple Context Mode
Information About Security Contexts

Note that all new incoming traffic must be classified, even from inside networks. Figure 5-2 shows a host
on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B
because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B.
Figure 5-2

Incoming Traffic from Inside Networks

Internet

GE 0/0.1
Admin
Context

Context A

Context B

Classifier

GE 0/1.1

GE 0/1.2

GE 0/1.3

Admin
Network

Inside
Customer A

Inside
Customer B

Host
10.1.1.13

92395

Chapter 5

Cisco ASA 5500 Series Configuration Guide using the CLI

5-5

Chapter 5

Configuring Multiple Context Mode

Information About Security Contexts

For transparent firewalls, you must use unique interfaces. Figure 5-3 shows a host on the Context B
inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress
interface is Gigabit Ethernet 1/0.3, which is assigned to Context B.
Figure 5-3

Transparent Firewall Contexts

Internet

Classifier
GE 0/0.2
GE 0/0.1

GE 0/0.3

Admin
Context

Context A

Context B

GE 1/0.1

GE 1/0.2

GE 1/0.3

Inside
Customer A

Inside
Customer B

Host
10.1.1.13

Host
10.1.2.13

Host
10.1.3.13

92401

Admin
Network

Cascading Security Contexts
Placing a context directly in front of another context is called cascading contexts; the outside interface
of one context is the same interface as the inside interface of another context. You might want to cascade
contexts if you want to simplify the configuration of some contexts by configuring shared parameters in
the top context.

Note

Cascading contexts requires that you configure unique MAC addresses for each context interface.
Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not
recommend using cascading contexts without unique MAC addresses.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-6

Chapter 5

Configuring Multiple Context Mode
Information About Security Contexts

Figure 5-4 shows a gateway context with two contexts behind the gateway.
Figure 5-4

Cascading Contexts

Internet
GE 0/0.2
Outside
Gateway
Context
Inside
GE 0/0.1
(Shared Interface)
Outside

Outside

Admin
Context

Context A

Inside

GE 1/1.43
Inside

153366

GE 1/1.8

Management Access to Security Contexts
The ASA provides system administrator access in multiple context mode as well as access for individual
context administrators. The following sections describe logging in as a system administrator or as a
context administrator:
•

System Administrator Access, page 5-7

•

Context Administrator Access, page 5-8

System Administrator Access
You can access the ASA as a system administrator in two ways:
•

Access the ASA console.
From the console, you access the system execution space, which means that any commands you enter
affect only the system configuration or the running of the system (for run-time commands).

•

Access the admin context using Telnet, SSH, or ASDM.
See Chapter 37, “Configuring Management Access,” to enable Telnet, SSH, and SDM access.

As the system administrator, you can access all contexts.
When you change to a context from admin or the system, your username changes to the default
“enable_15” username. If you configured command authorization in that context, you need to either
configure authorization privileges for the “enable_15” user, or you can log in as a different name for
which you provide sufficient privileges in the command authorization configuration for the context. To

Cisco ASA 5500 Series Configuration Guide using the CLI

5-7

Chapter 5

Configuring Multiple Context Mode

Information About Security Contexts

log in with a username, enter the login command. For example, you log in to the admin context with the
username “admin.” The admin context does not have any command authorization configuration, but all
other contexts include command authorization. For convenience, each context configuration includes a
user “admin” with maximum privileges. When you change from the admin context to context A, your
username is altered, so you must log in again as “admin” by entering the login command. When you
change to context B, you must again enter the login command to log in as “admin.”
The system execution space does not support any AAA commands, but you can configure its own enable
password, as well as usernames in the local database to provide individual logins.

Context Administrator Access
You can access a context using Telnet, SSH, or ASDM. If you log in to a non-admin context, you can
only access the configuration for that context. You can provide individual logins to the context. See
Chapter 37, “Configuring Management Access,” to enable Telnet, SSH, and SDM access and to
configure management authentication.

Information About Resource Management
By default, all security contexts have unlimited access to the resources of the ASA, except where
maximum limits per context are enforced. However, if you find that one or more contexts use too many
resources, and they cause other contexts to be denied connections, for example, then you can configure
resource management to limit the use of resources per context.
The ASA manages resources by assigning contexts to resource classes. Each context uses the resource
limits set by the class.
This section includes the following topics:
•

Resource Limits, page 5-8

•

Default Class, page 5-9

•

Class Members, page 5-10

Resource Limits
When you create a class, the ASA does not set aside a portion of the resources for each context assigned
to the class; rather, the ASA sets the maximum limit for a context. If you oversubscribe resources, or
allow some resources to be unlimited, a few contexts can “use up” those resources, potentially affecting
service to other contexts.
You can set the limit for individual resources, as a percentage (if there is a hard system limit) or as an
absolute value.
You can oversubscribe the ASA by assigning more than 100 percent of a resource across all contexts.
For example, you can set the Bronze class to limit connections to 20 percent per context, and then assign
10 contexts to the class for a total of 200 percent. If contexts concurrently use more than the system limit,
then each context gets less than the 20 percent you intended. (See Figure 5-5.)

Cisco ASA 5500 Series Configuration Guide using the CLI

5-8

Chapter 5

Configuring Multiple Context Mode
Information About Security Contexts

Figure 5-5

Resource Oversubscription

Total Number of System Connections = 999,900
Max. 20%
(199,800)

Maximum connections
allowed.

16%
(159,984)

Connections in use.

12%
(119,988)

Connections denied
because system limit
was reached.

8%
(79,992)

4
5
6
Contexts in Class

104895

4%
(39,996)
10

If you assign an absolute value to a resource across all contexts that exceeds the practical limit of the
ASA, then the performance of the ASA might be impaired.
The ASA lets you assign unlimited access to one or more resources in a class, instead of a percentage or
absolute number. When a resource is unlimited, contexts can use as much of the resource as the system
has available or that is practically available. For example, Context A, B, and C are in the Silver Class,
which limits each class member to 1 percent of the connections, for a total of 3 percent; but the three
contexts are currently only using 2 percent combined. Gold Class has unlimited access to connections.
The contexts in the Gold Class can use more than the 97 percent of “unassigned” connections; they can
also use the 1 percent of connections not currently in use by Context A, B, and C, even if that means that
Context A, B, and C are unable to reach their 3 percent combined limit. (See Figure 5-6.) Setting
unlimited access is similar to oversubscribing the ASA, except that you have less control over how much
you oversubscribe the system.
Figure 5-6

Unlimited Resources

50% 43%
5%

Maximum connections
allowed.

Connections in use.
3%
Connections denied
because system limit
was reached.

A
B
C
Contexts Silver Class

1
2
3
Contexts Gold Class

153211

Default Class
All contexts belong to the default class if they are not assigned to another class; you do not have to
actively assign a context to the default class.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-9

Chapter 5

Configuring Multiple Context Mode

Information About Security Contexts

If a context belongs to a class other than the default class, those class settings always override the default
class settings. However, if the other class has any settings that are not defined, then the member context
uses the default class for those limits. For example, if you create a class with a 2 percent limit for all
concurrent connections, but no other limits, then all other limits are inherited from the default class.
Conversely, if you create a class with a limit for all resources, the class uses no settings from the default
class.
By default, the default class provides unlimited access to resources for all contexts, except for the
following limits, which are by default set to the maximum allowed per context:
•

Telnet sessions—5 sessions.

•

SSH sessions—5 sessions.

•

IPsec sessions—5 sessions.

•

MAC addresses—65,535 entries.

Figure 5-7 shows the relationship between the default class and other classes. Contexts A and C belong
to classes with some limits set; other limits are inherited from the default class. Context B inherits no
limits from default because all limits are set in its class, the Gold class. Context D was not assigned to
a class, and is by default a member of the default class.
Figure 5-7

Class
Bronze
(Some
Limits
Set)

Context A

Resource Classes

Default Class

Context D

Class Silver
(Some Limits
Set)
Class Gold
(All Limits
Set)

Context B

104689

Context C

Class Members
To use the settings of a class, assign the context to the class when you define the context. All contexts
belong to the default class if they are not assigned to another class; you do not have to actively assign a
context to default. You can only assign a context to one resource class. The exception to this rule is that
limits that are undefined in the member class are inherited from the default class; so in effect, a context
could be a member of default plus another class.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-10

Chapter 5

Configuring Multiple Context Mode
Information About Security Contexts

Information About MAC Addresses
To allow contexts to share interfaces, you should assign unique MAC addresses to each shared context
interface.
The MAC address is used to classify packets within a context. If you share an interface, but do not have
unique MAC addresses for the interface in each context, then other classification methods are attempted
that might not provide full coverage. See the “How the ASA Classifies Packets” section on page 5-3 for
information about classifying packets.
In the rare circumstance that the generated MAC address conflicts with another private MAC address in
your network, you can manually set the MAC address for the interface within the context. See the
“Configuring the MAC Address and MTU” section on page 8-9 to manually set the MAC address.
This section includes the following topics:
•

Default MAC Address, page 5-11

•

Interaction with Manual MAC Addresses, page 5-11

•

Failover MAC Addresses, page 5-12

•

MAC Address Format, page 5-12

Default MAC Address
If you disable MAC address generation, the physical interface uses the burned-in MAC address, and all
subinterfaces of a physical interface use the same burned-in MAC address.
See the following sections for your release for additional information about automatic MAC address
generation. See also the “MAC Address Format” section on page 5-12.
8.6(1) and Later

Automatic MAC address generation is enabled—Uses an autogenerated prefix. The ASA autogenerates
the prefix based on the last two bytes of the interface MAC address. You cannot use the legacy
auto-generation method (without a prefix).

Note

To maintain hitless upgrade for failover pairs, the ASA does not convert an existing auto-generation
configuration upon a reload if failover is enabled. However, we strongly recommend that you manually
change to the prefix method of generation when using failover. After upgrading, to use the prefix method
of MAC address generation, reenable MAC address autogeneration to use a prefix.
Earlier Releases

Automatic MAC address generation is disabled.

Interaction with Manual MAC Addresses
If you manually assign a MAC address and also enable auto-generation, then the manually assigned
MAC address is used. If you later remove the manual MAC address, the auto-generated address is used.
Because auto-generated addresses (when using a prefix) start with A2, you cannot start manual
MAC addresses with A2 if you also want to use auto-generation.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-11

Chapter 5

Configuring Multiple Context Mode

Licensing Requirements for Multiple Context Mode

Failover MAC Addresses
For use with failover, the ASA generates both an active and standby MAC address for each interface. If
the active unit fails over and the standby unit becomes active, the new active unit starts using the active
MAC addresses to minimize network disruption. See the “MAC Address Format” section for more
information.

MAC Address Format
The MAC address format without a prefix is a legacy version not supported on newer ASA versions.

MAC Address Format Using a Prefix
The ASA generates the MAC address using the following format:
A2xx.yyzz.zzzz
Where xx.yy is a user-defined prefix or an autogenerated prefix based on the last two bytes of the
interface MAC address, and zz.zzzz is an internal counter generated by the ASA. For the standby MAC
address, the address is identical except that the internal counter is increased by 1.
For an example of how the prefix is used, if you set a prefix of 77, then the ASA converts 77 into the
hexadecimal value 004D (yyxx). When used in the MAC address, the prefix is reversed (xxyy) to match
the ASA native form:
A24D.00zz.zzzz
For a prefix of 1009 (03F1), the MAC address is:
A2F1.03zz.zzzz

MAC Address Format Without a Prefix (Legacy Method; Not Available in 8.6(1) and Later)
Without a prefix, the MAC address is generated using the following format:
•

Active unit MAC address: 12_slot.port_subid.contextid.

•

Standby unit MAC address: 02_slot.port_subid.contextid.

For platforms with no interface slots, the slot is always 0. The port is the interface port. The subid is an
internal ID for the subinterface, which is not viewable. The contextid is an internal ID for the context,
viewable with the show context detail command. For example, the interface GigabitEthernet 0/1.200 in
the context with the ID 1 has the following generated MAC addresses, where the internal ID for
subinterface 200 is 31:
•

Active: 1200.0131.0001

•

Standby: 0200.0131.0001

This MAC address generation method does not allow for persistent MAC addresses across reloads, does
not allow for multiple ASAs on the same network segment (because unique MAC addresses are not
guaranteed), and does not prevent overlapping MAC addresses with manually assigned MAC addresses.
We recommend using a prefix with the MAC address generation to avoid these issues.

Licensing Requirements for Multiple Context Mode

Cisco ASA 5500 Series Configuration Guide using the CLI

5-12

Chapter 5

Configuring Multiple Context Mode
Guidelines and Limitations

Model

License Requirement

ASA 5505

No support.

ASA 5510

Security Plus License: 2 contexts.
Optional license: 5 contexts.

ASA 5520

Base License: 2 contexts.
Optional licenses: 5, 10, or 20 contexts.

ASA 5540

Base License: 2 contexts.
Optional licenses: 5, 10, 20, or 50 contexts.

ASA 5550

Base License: 2 contexts.
Optional licenses: 5, 10, 20, 50, or 100 contexts.

ASA 5580

Base License: 2 contexts.
Optional licenses: 5, 10, 20, 50, 100, or 250 contexts.

ASA 5512-X

No support.

ASA 5515-X

Security Plus License: 2 contexts.
Optional license: 5 contexts.

ASA 5525-X

Base License: 2 contexts.
Optional licenses: 5, 10, or 20 contexts.

ASA 5545-X

Base License: 2 contexts.
Optional licenses: 5, 10, 20, or 50 contexts.

ASA 5555-X

Base License: 2 contexts.
Optional licenses: 5, 10, 20, 50, or 100 contexts.

ASA 5585-X with
SSP-10

Base License: 2 contexts.

ASA 5585-X with
SSP-20, -40, and -60

Base License: 2 contexts.

Optional licenses: 5, 10, 20, 50, or 100 contexts.
Optional licenses: 5, 10, 20, 50, 100, or 250 contexts.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Firewall Mode Guidelines

Supported in routed and transparent firewall mode.
Failover Guidelines

Active/Active mode failover is only supported in multiple context mode.
IPv6 Guidelines

Supports IPv6.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-13

Chapter 5

Configuring Multiple Context Mode

Default Settings

Model Guidelines

Does not support the ASA 5505.
Unsupported Features

Multiple context mode does not support the following features:
•

Dynamic routing protocols
Security contexts support only static routes. You cannot enable OSPF, RIP, or EIGRP in multiple
context mode.

•

VPN

•

Multicast routing

•

Threat Detection

•

Phone Proxy

•

QoS

•

Unified Communications

Additional Guidelines

The context mode (single or multiple) is not stored in the configuration file, even though it does endure
reboots. If you need to copy your configuration to another device, set the mode on the new device to
match.

Default Settings
By default, the ASA is in single context mode.

Configuring Multiple Contexts
This section describes how to configure multiple context mode, and includes the following topics:
•

Task Flow for Configuring Multiple Context Mode, page 5-14

•

Enabling or Disabling Multiple Context Mode, page 5-15

•

Configuring a Class for Resource Management, page 5-16

•

Configuring a Security Context, page 5-18

•

Automatically Assigning MAC Addresses to Context Interfaces, page 5-22

Task Flow for Configuring Multiple Context Mode
To configure multiple context mode, perform the following steps:
Step 1

Enable multiple context mode. See the “Enabling or Disabling Multiple Context Mode” section on
page 5-15.

Step 2

(Optional) Configure classes for resource management. See the “Configuring a Class for Resource
Management” section on page 5-16.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-14

Chapter 5

Configuring Multiple Context Mode
Configuring Multiple Contexts

Step 3

Configure interfaces in the system execution space. See Chapter 6, “Starting Interface Configuration
(ASA 5510 and Higher).”

Step 4

Configure security contexts. See the “Configuring a Security Context” section on page 5-18.

Step 5

(Optional) Automatically assign MAC addresses to context interfaces. See the “Automatically Assigning
MAC Addresses to Context Interfaces” section on page 5-22.

Step 6

Complete interface configuration in the context. See Chapter 8, “Completing Interface Configuration
(Routed Mode),” or Chapter 9, “Completing Interface Configuration (Transparent Mode).”

Enabling or Disabling Multiple Context Mode
Your ASA might already be configured for multiple security contexts depending on how you ordered it
from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple
mode by following the procedures in this section.
This section includes the following topics:
•

Enabling Multiple Context Mode, page 5-15

•

Restoring Single Context Mode, page 5-16

Enabling Multiple Context Mode
When you convert from single mode to multiple mode, the ASA converts the running configuration into
two files: a new startup configuration that comprises the system configuration, and admin.cfg that
comprises the admin context (in the root directory of the internal flash memory). The original running
configuration is saved as old_running.cfg (in the root directory of the internal flash memory). The
original startup configuration is not saved. The ASA automatically adds an entry for the admin context
to the system configuration with the name “admin.”

Prerequisites
•

When you convert from single mode to multiple mode, the ASA converts the running configuration
into two files. The original startup configuration is not saved, so if it differs from the running
configuration, you should back it up before proceeding.

•

The context mode (single or multiple) is not stored in the configuration file, even though it does
endure reboots. If you need to copy your configuration to another device, set the mode on the new
device to match.

Detailed Steps

Command

Purpose

mode multiple

Changes to multiple context mode. You are prompted to reboot the ASA.

Example:
hostname(config)# mode multiple

Cisco ASA 5500 Series Configuration Guide using the CLI

5-15

Chapter 5

Configuring Multiple Context Mode

Configuring Multiple Contexts

Restoring Single Context Mode
To copy the old running configuration to the startup configuration and to change the mode to single
mode, perform the following steps.

Prerequisites
Perform this procedure in the system execution space.

Detailed Steps

Step 1

Command

Purpose

copy flash:old_running.cfg startup-config

Copies the backup version of your original running configuration
to the current startup configuration.

Example:
hostname(config)# copy
flash:old_running.cfg startup-config

Step 2

Sets the mode to single mode. You are prompted to reboot the
ASA.

mode single

Example:
hostname(config)# mode single

Configuring a Class for Resource Management
To configure a class in the system configuration, perform the following steps. You can change the value
of a particular resource limit by reentering the command with a new value.

Prerequisites
Perform this procedure in the system execution space.

Guidelines
Table 5-1 lists the resource types and the limits. See also the show resource types command.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-16

Chapter 5

Configuring Multiple Context Mode
Configuring Multiple Contexts

Table 5-1

Resource Names and Limits

Rate or
Resource Name Concurrent

Minimum and
Maximum Number
per Context
System Limit1

mac-addresses Concurrent

N/A

65,535

conns

N/A

Concurrent connections: TCP or UDP connections between any two
hosts, including connections between one
See the “Supported
host and multiple other hosts.
Feature Licenses Per
Model” section on
page 3-1 for the
connection limit for your
platform.

Concurrent
or Rate

Description
For transparent firewall mode, the number of
MAC addresses allowed in the MAC address
table.

Rate: N/A
inspects

Rate

N/A

Application inspections.

hosts

Concurrent

N/A

Hosts that can connect through the ASA.

asdm

Concurrent

1 minimum

200

ASDM management sessions.

5 maximum

ssh

Concurrent

1 minimum

Note

ASDM sessions use two HTTPS
connections: one for monitoring that
is always present, and one for making
configuration changes that is present
only when you make changes. For
example, the system limit of 32
ASDM sessions represents a limit of
64 HTTPS sessions.

100

SSH sessions.

5 maximum
syslogs

Rate

N/A

Syslog messages.

telnet

Concurrent

1 minimum

100

Telnet sessions.

N/A

Address translations.

5 maximum
xlates

Concurrent

N/A

1. If this column value is N/A, then you cannot set a percentage of the resource because there is no hard system limit for the resource.

Detailed Steps

Step 1

Command

Purpose

class name

Specifies the class name and enters the class configuration mode.
The name is a string up to 20 characters long. To set the limits for
the default class, enter default for the name.

Example:
hostname(config)# threat-detection
scanning-threat shun except ip-address
10.1.1.0 255.255.255.0

Step 2

Do one or more of the following:

Cisco ASA 5500 Series Configuration Guide using the CLI

5-17

Chapter 5

Configuring Multiple Context Mode

Configuring Multiple Contexts

Command

Purpose

limit-resource all 0

Sets all resource limits (shown in Table 5-1) to be unlimited. For
example, you might want to create a class that includes the admin
context that has no limitations. The default class has all resources
set to unlimited by default.

Example:
hostname(config)# limit-resource all 0
limit-resource [rate] resource_name
number[%]

Example:
hostname(config)# limit-resource rate
inspects 10

Sets a particular resource limit. For this particular resource, the
limit overrides the limit set for all. Enter the rate argument to set
the rate per second for certain resources. For resources that do not
have a system limit, you cannot set the percentage (%) between 1
and 100; you can only set an absolute value. See Table 5-1 for
resources for which you can set the rate per second and which do
not have a system limit.

Examples
For example, to set the default class limit for conns to 10 percent instead of unlimited, enter the
following commands:
hostname(config)# class default
hostname(config-class)# limit-resource conns 10%

All other resources remain at unlimited.
To add a class called gold, enter the following commands:
hostname(config)# class
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#

gold
limit-resource
limit-resource
limit-resource
limit-resource
limit-resource
limit-resource
limit-resource
limit-resource
limit-resource
limit-resource

mac-addresses 10000
conns 15%
rate conns 1000
rate inspects 500
hosts 9000
asdm 5
ssh 5
rate syslogs 5000
telnet 5
xlates 36000

Configuring a Security Context
The security context definition in the system configuration identifies the context name, configuration file
URL, and interfaces that a context can use.

Prerequisites
•

Perform this procedure in the system execution space.

•

For ASA 5500 series appliances, configure physical interface parameters, VLAN subinterfaces, and
redundant interfaces according to the Chapter 6, “Starting Interface Configuration
(ASA 5510 and Higher).”

•

If you do not have an admin context (for example, if you clear the configuration) then you must first
specify the admin context name by entering the following command:
hostname(config)# admin-context name

Cisco ASA 5500 Series Configuration Guide using the CLI

5-18

Chapter 5

Configuring Multiple Context Mode
Configuring Multiple Contexts

Although this context name does not exist yet in your configuration, you can subsequently enter the
context name command to match the specified name to continue the admin context configuration.

Detailed Steps

Step 1

Command

Purpose

context name

Adds or modifies a context. The name is a string up to 32
characters long. This name is case sensitive, so you can have two
contexts named “customerA” and “CustomerA,” for example.
You can use letters, digits, or hyphens, but you cannot start or end
the name with a hyphen.

Example:
hostname(config)# context administrator

“System” or “Null” (in upper or lower case letters) are reserved
names, and cannot be used.
Step 2

(Optional)

Adds a description for this context.

description text

Example:
hostname(config)# description
Administrator Context

Cisco ASA 5500 Series Configuration Guide using the CLI

5-19

Chapter 5

Configuring Multiple Context Mode

Configuring Multiple Contexts

Step 3

Command

Purpose

To allocate a physical interface:

Specifies the interfaces you can use in the context. Do not include
a space between the interface type and the port number.

allocate-interface physical_interface
[mapped_name] [visible | invisible]

To allocate one or more subinterfaces:
allocate-interface
physical_interface.subinterface[-physical_
interface.subinterface]
[mapped_name[-mapped_name]] [visible |
invisible]

Example:
hostname(config-ctx)# allocate-interface
gigabitethernet0/1.100 int1
hostname(config-ctx)# allocate-interface
gigabitethernet0/1.200 int2
hostname(config-ctx)# allocate-interface
gigabitethernet0/2.300-gigabitethernet0/2.
305 int3-int8

Enter these commands multiple times to specify different ranges.
If you remove an allocation with the no form of this command,
then any context commands that include this interface are
removed from the running configuration.
Transparent firewall mode allows a limited number of interfaces
to pass through traffic; however, you can use a dedicated
management interface, Management slot/port, (physical,
subinterface, redundant, or EtherChannel) as an additional
interface for management traffic. The management interface for
transparent mode does not flood a packet out the interface when
that packet is not in the MAC address table.
You can assign the same interfaces to multiple contexts in routed
mode, if desired.
The mapped_name is an alphanumeric alias for the interface that
can be used within the context instead of the interface ID. If you
do not specify a mapped name, the interface ID is used within the
context. For security purposes, you might not want the context
administrator to know which interfaces are being used by the
context. A mapped name must start with a letter, end with a letter
or digit, and have as interior characters only letters, digits, or an
underscore. For example, you can use the following names:
int0, inta, int_0

If you specify a range of subinterfaces, you can specify a
matching range of mapped names. Follow these guidelines for
ranges:
•

The mapped name must consist of an alphabetic portion
followed by a numeric portion. The alphabetic portion of the
mapped name must match for both ends of the range. For
example, enter the following range:
int0-int10

If you enter gig0/1.1-gig0/1.5 happy1-sad5, for example,
the command fails.
•

The numeric portion of the mapped name must include the
same quantity of numbers as the subinterface range. For
example, both ranges include 100 interfaces:
gigabitethernet0/0.100-gigabitethernet0/0.199
int1-int100

If you enter gig0/0.100-gig0/0.199 int1-int15, for
example, the command fails.
Specify visible to see the real interface ID in the show interface
command if you set a mapped name. The default invisible
keyword shows only the mapped name.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-20

Chapter 5

Configuring Multiple Context Mode
Configuring Multiple Contexts

Step 4

Command

Purpose

config-url url

Identifies the URL from which the system downloads the context
configuration. When you add a context URL, the system
immediately loads the context so that it is running, if the
configuration is available.

Example:

hostname(config-ctx)# config-url
ftp://user1:passw0rd@10.1.1.1/configlets/t Note
est.cfg

Enter the allocate-interface command(s) before you
enter the config-url command. If you enter the config-url
command first, the ASA loads the context configuration
immediately. If the context contains any commands that
refer to (not yet configured) interfaces, those commands
fail.

The filename does not require a file extension, although we
recommend using “.cfg”. The server must be accessible from the
admin context. If the configuration file is not available, you see
the following message:
WARNING: Could not fetch the URL disk:/url
INFO: Creating context with default config

For non-HTTP(S) URL locations, after you specify the URL, you
can then change to the context, configure it at the CLI, and enter
the write memory command to write the file to the URL location.
(HTTP(S) is read only).
Note

The admin context file must be stored on the internal flash
memory.

Available URL types include: disknumber (for flash memory),
ftp, http, https, or tftp.
To change the URL, reenter the config-url command with a new
URL. See the “Changing the Security Context URL” section on
page 5-25 for more information about changing the URL.
Step 5

(Optional)
member class_name

Assigns the context to a resource class. If you do not specify a
class, the context belongs to the default class. You can only assign
a context to one resource class.

Example:
hostname(config-ctx)# member gold

Step 6

(Optional)
join-failover-group {1 | 2)

Example:
hostname(config-ctx)# join-failover-group
2

Step 7

(Optional)
allocate-ips sensor_name [mapped_name]
[default]

Example:

Assigns a context to a failover group in Active/Active failover. By
default, contexts are in group 1. The admin context must always
be in group 1.
See the “Configuring the Primary Failover Unit” section on
page 63-8 for detailed information about failover groups.
Assigns an IPS virtual sensor to this context if you have the AIP
SSM installed.
See the “Assigning Virtual Sensors to a Security Context (ASA
5510 and Higher)” section on page 58-15 for detailed information
about virtual sensors.

hostname(config-ctx)# allocate-ips sensor1
highsec

Cisco ASA 5500 Series Configuration Guide using the CLI

5-21

Chapter 5

Configuring Multiple Context Mode

Configuring Multiple Contexts

Examples
The following example sets the admin context to be “administrator,” creates a context called
“administrator” on the internal flash memory, and then adds two contexts from an FTP server:
hostname(config)# admin-context administrator
hostname(config)# context administrator
hostname(config-ctx)# allocate-interface gigabitethernet0/0.1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1
hostname(config-ctx)# config-url flash:/admin.cfg
hostname(config-ctx)#
hostname(config-ctx)#
hostname(config-ctx)#
hostname(config-ctx)#
int3-int8
hostname(config-ctx)#
hostname(config-ctx)#

context test
allocate-interface gigabitethernet0/0.100 int1
allocate-interface gigabitethernet0/0.102 int2
allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115

hostname(config-ctx)#
hostname(config-ctx)#
hostname(config-ctx)#
hostname(config-ctx)#
int3-int8
hostname(config-ctx)#
hostname(config-ctx)#

context sample
allocate-interface gigabitethernet0/1.200 int1
allocate-interface gigabitethernet0/1.212 int2
allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235

config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg
member gold

config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg
member silver

Automatically Assigning MAC Addresses to Context Interfaces
This section describes how to configure auto-generation of MAC addresses.
The MAC address is used to classify packets within a context. See the “Information About MAC
Addresses” section on page 5-11 for more information, especially if you are upgrading from an earlier
ASA version. See also the “Viewing Assigned MAC Addresses” section on page 5-35.

Guidelines
•

When you configure a nameif command for the interface in a context, the new MAC address is
generated immediately. If you enable this feature after you configure context interfaces, then MAC
addresses are generated for all interfaces immediately after you enable it. If you disable this feature,
the MAC address for each interface reverts to the default MAC address. For example, subinterfaces
of GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1.

•

In the rare circumstance that the generated MAC address conflicts with another private MAC
address in your network, you can manually set the MAC address for the interface within the context.
See the “Configuring the MAC Address and MTU” section on page 8-9 to manually set the MAC
address.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-22

Chapter 5

Configuring Multiple Context Mode
Changing Between Contexts and the System Execution Space

Detailed Steps

Command

Purpose

mac-address auto [prefix prefix]

Automatically assign private MAC addresses to each context interface.

Example:
hostname(config)# mac-address auto prefix
19

The prefix is a decimal value between 0 and 65535. This prefix is converted
to a 4-digit hexadecimal number, and used as part of the MAC address. The
prefix ensures that each ASA uses unique MAC addresses, so you can have
multiple ASAs on a network segment, for example. See the “MAC Address
Format” section for more information about how the prefix is used.

Changing Between Contexts and the System Execution Space
If you log in to the system execution space (or the admin context using Telnet or SSH), you can change
between contexts and perform configuration and monitoring tasks within each context. The running
configuration that you edit in a configuration mode, or that is used in the copy or write commands,
depends on your location. When you are in the system execution space, the running configuration
consists only of the system configuration; when you are in a context, the running configuration consists
only of that context. For example, you cannot view all running configurations (system plus all contexts)
by entering the show running-config command. Only the current configuration displays.
To change between the system execution space and a context, or between contexts, see the following
commands:

Command

Purpose

changeto context name

Changes to a context. The prompt changes to the following:
hostname/name#

Changes to the system execution space. The prompt changes to the
following:

changeto system

hostname#

Managing Security Contexts
This section describes how to manage security contexts and includes the following topics:
•

Removing a Security Context, page 5-24

•

Changing the Admin Context, page 5-24

•

Changing the Security Context URL, page 5-25

•

Reloading a Security Context, page 5-26

Cisco ASA 5500 Series Configuration Guide using the CLI

5-23

Chapter 5

Configuring Multiple Context Mode

Managing Security Contexts

Removing a Security Context
You can only remove a context by editing the system configuration. You cannot remove the current
admin context, unless you remove all contexts using the clear context command.

Note

If you use failover, there is a delay between when you remove the context on the active unit and when
the context is removed on the standby unit. You might see an error message indicating that the number
of interfaces on the active and standby units are not consistent; this error is temporary and can be
ignored.

Prerequisites
Perform this procedure in the system execution space.

Detailed Steps

Command

Purpose

no context name

Removes a single context. All context commands are also removed.

clear context

Removes all contexts (including the admin context).

Changing the Admin Context
The system configuration does not include any network interfaces or network settings for itself; rather,
when the system needs to access network resources (such as downloading the contexts from the server),
it uses one of the contexts that is designated as the admin context.
The admin context is just like any other context, except that when a user logs in to the admin context,
then that user has system administrator rights and can access the system and all other contexts. The
admin context is not restricted in any way, and can be used as a regular context. However, because
logging into the admin context grants you administrator privileges over all contexts, you might need to
restrict access to the admin context to appropriate users.

Guidelines
You can set any context to be the admin context, as long as the configuration file is stored in the internal
flash memory.

Prerequisites
Perform this procedure in the system execution space.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-24

Chapter 5

Configuring Multiple Context Mode
Managing Security Contexts

Detailed Steps

Command

Purpose

admin-context context_name

Sets the admin context. Any remote management sessions, such as Telnet,
SSH, or HTTPS, that are connected to the admin context are terminated.
You must reconnect to the new admin context.

Example:
hostname(config)# admin-context
administrator

Note

A few system commands, including ntp server, identify an
interface name that belongs to the admin context. If you change the
admin context, and that interface name does not exist in the new
admin context, be sure to update any system commands that refer
to the interface.

Changing the Security Context URL
This section describes how to change the context URL.

Guidelines
•

You cannot change the security context URL without reloading the configuration from the new URL.
The ASA merges the new configuration with the current running configuration.

•

Reentering the same URL also merges the saved configuration with the running configuration.

A merge adds any new commands from the new configuration to the running configuration.
•

If the configurations are the same, no changes occur.

•

If commands conflict or if commands affect the running of the context, then the effect of the merge
depends on the command. You might get errors, or you might have unexpected results. If the running
configuration is blank (for example, if the server was unavailable and the configuration was never
downloaded), then the new configuration is used.

If you do not want to merge the configurations, you can clear the running configuration, which disrupts
any communications through the context, and then reload the configuration from the new URL.

Prerequisites
Perform this procedure in the system execution space.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-25

Chapter 5

Configuring Multiple Context Mode

Managing Security Contexts

Detailed Steps

Step 1

Command

Purpose

(Optional, if you do not want to perform a
merge)

Changes to the context and clears its configuration. If you want to
perform a merge, skip to Step 2.

changeto context name
clear configure all

Example:
hostname(config)# changeto context ctx1
hostname/ctx1(config)# clear configure all

Step 2

changeto system

Changes to the system execution space.

Example:
hostname/ctx1(config)# changeto system
hostname(config)#

Step 3

Enters the context configuration mode for the context you want to
change.

context name

Example:
hostname(config)# context ctx1

Step 4

config-url new_url

Enters the new URL. The system immediately loads the context
so that it is running.

Example:
hostname(config)# config-url
ftp://user1:passw0rd@10.1.1.1/configlets/c
tx1.cfg

Reloading a Security Context
You can reload the context in two ways:
•

Clear the running configuration and then import the startup configuration.
This action clears most attributes associated with the context, such as connections and NAT tables.

•

Remove the context from the system configuration.
This action clears additional attributes, such as memory allocation, which might be useful for
troubleshooting. However, to add the context back to the system requires you to respecify the URL
and interfaces.

This section includes the following topics:
•

Reloading by Clearing the Configuration, page 5-26

•

Reloading by Removing and Re-adding the Context, page 5-27

Reloading by Clearing the Configuration
To reload the context by clearing the context configuration, and reloading the configuration from the
URL, perform the following steps.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-26

Chapter 5

Configuring Multiple Context Mode
Monitoring Security Contexts

Detailed Steps

Step 1

Command

Purpose

changeto context name

Changes to the context that you want to reload.

Example:
hostname(comfig)# changeto context ctx1
hostname/ctx1(comfig)#

Step 2

clear configure all

Clears the running configuration. This command clears all
connections.

Example:
hostname/ctx1(config)# clear configure all

Step 3

copy startup-config running-config

Example:

Reloads the configuration. The ASA copies the configuration
from the URL specified in the system configuration. You cannot
change the URL from within a context.

hostname/ctx1(config)# copy startup-config
running-config

Reloading by Removing and Re-adding the Context
To reload the context by removing the context and then re-adding it, perform the steps in the following
sections:
1.

“Removing a Security Context” section on page 5-24

“Configuring a Security Context” section on page 5-18

Monitoring Security Contexts
This section describes how to view and monitor context information and includes the following topics:
•

Viewing Context Information, page 5-27

•

Viewing Context Information, page 5-27

•

Viewing Resource Allocation, page 5-29

•

Viewing Resource Usage, page 5-32

•

Monitoring SYN Attacks in Contexts, page 5-33

•

Viewing Assigned MAC Addresses, page 5-35

Viewing Context Information
From the system execution space, you can view a list of contexts including the name, allocated
interfaces, and configuration file URL.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-27

Chapter 5

Configuring Multiple Context Mode

Monitoring Security Contexts

From the system execution space, view all contexts by entering the following command:

Command

Purpose

show context [name | detail| count]

Shows all contexts.
The detail option shows additional information. See the following sample
outputs below for more information.
If you want to show information for a particular context, specify the name.
The count option shows the total number of contexts.

The following is sample output from the show context command. The following sample output shows
three contexts:
hostname# show context
Context Name
*admin

Interfaces
GigabitEthernet0/1.100
GigabitEthernet0/1.101
contexta
GigabitEthernet0/1.200
GigabitEthernet0/1.201
contextb
GigabitEthernet0/1.300
GigabitEthernet0/1.301
Total active Security Contexts: 3

URL
disk0:/admin.cfg
disk0:/contexta.cfg
disk0:/contextb.cfg

Table 5-2 shows each field description.
Table 5-2

show context Fields

Field

Description

Context Name

Lists all context names. The context name with the asterisk (*) is the admin context.

Interfaces

The interfaces assigned to the context.

URL

The URL from which the ASA loads the context configuration.

The following is sample output from the show context detail command:
hostname# show context detail
Context "admin", has been created, but initial ACL rules not complete
Config URL: disk0:/admin.cfg
Real Interfaces: Management0/0
Mapped Interfaces: Management0/0
Flags: 0x00000013, ID: 1
Context "ctx", has been created, but initial ACL rules not complete
Config URL: ctx.cfg
Real Interfaces: GigabitEthernet0/0.10, GigabitEthernet0/1.20,
GigabitEthernet0/2.30
Mapped Interfaces: int1, int2, int3
Flags: 0x00000011, ID: 2
Context "system", is a system resource
Config URL: startup-config
Real Interfaces:
Mapped Interfaces: Control0/0, GigabitEthernet0/0,
GigabitEthernet0/0.10, GigabitEthernet0/1, GigabitEthernet0/1.10,

Cisco ASA 5500 Series Configuration Guide using the CLI

5-28

Chapter 5

Configuring Multiple Context Mode
Monitoring Security Contexts

GigabitEthernet0/1.20, GigabitEthernet0/2, GigabitEthernet0/2.30,
GigabitEthernet0/3, Management0/0, Management0/0.1
Flags: 0x00000019, ID: 257
Context "null", is a system resource
Config URL: ... null ...
Real Interfaces:
Mapped Interfaces:
Flags: 0x00000009, ID: 258

See the command reference for more information about the detail output.
The following is sample output from the show context count command:
hostname# show context count
Total active contexts: 2

Viewing Resource Allocation
From the system execution space, you can view the allocation for each resource across all classes and
class members.
To view the resource allocation, enter the following command:

Command

Purpose

show resource allocation [detail]

Shows the resource allocation. This command shows the resource
allocation, but does not show the actual resources being used. See the
“Viewing Resource Usage” section on page 5-32 for more information
about actual resource usage.
The detail argument shows additional information. See the following
sample outputs for more information.

The following sample output shows the total allocation of each resource as an absolute value and as a
percentage of the available system resources:
hostname# show resource allocation
Resource
Total
Conns [rate]
35000
Inspects [rate]
35000
Syslogs [rate]
10500
Conns
305000
Hosts
78842
SSH
35
Telnet
35
Xlates
91749
All
unlimited

% of Avail
N/A
N/A
N/A
30.50%
N/A
35.00%
35.00%
N/A

Cisco ASA 5500 Series Configuration Guide using the CLI

5-29

Chapter 5

Configuring Multiple Context Mode

Monitoring Security Contexts

Table 5-3 shows each field description.
Table 5-3

show resource allocation Fields

Field

Description

Resource

The name of the resource that you can limit.

Total

The total amount of the resource that is allocated across all contexts. The amount
is an absolute number of concurrent instances or instances per second. If you
specified a percentage in the class definition, the ASA converts the percentage to
an absolute number for this display.

% of Avail

The percentage of the total system resources that is allocated across all contexts, if
the resource has a hard system limit. If a resource does not have a system limit, this
column shows N/A.

The following is sample output from the show resource allocation detail command:
hostname# show resource allocation detail
Resource Origin:
A
Value was derived from the resource 'all'
C
Value set in the definition of this class
D
Value set in default class
Resource
Class
Mmbrs Origin
Limit
Conns [rate]
default
all
CA unlimited
gold
1
C
34000
silver
1
CA
17000
bronze
0
CA
8500
All Contexts:
3
Inspects [rate]

Syslogs [rate]

Conns

Hosts

SSH

Telnet

default
gold
silver
bronze
All Contexts:

all
1
1
0
3

CA
DA
CA
CA

default
gold
silver
bronze
All Contexts:

all
1
1
0
3

CA
C
CA
CA

default
gold
silver
bronze
All Contexts:

all
1
1
0
3

CA
C
CA
CA

default
gold
silver
bronze
All Contexts:

all
1
1
0
3

CA
DA
CA
CA

default
gold
silver
bronze
All Contexts:

all
1
1
0
3

C
D
CA
CA

default

all

Cisco ASA 5500 Series Configuration Guide using the CLI

5-30

unlimited
unlimited
10000
5000

unlimited
6000
3000
1500

unlimited
200000
100000
50000

unlimited
unlimited
26214
13107

5
5
10
5

Total

Total %

34000
17000

N/A
N/A

51000

N/A

10000

N/A

10000

N/A

6000
3000

N/A
N/A

9000

N/A

200000
100000

20.00%
10.00%

300000

30.00%

26214

N/A

26214

N/A

5
10

5.00%
10.00%

20.00%

Chapter 5

Configuring Multiple Context Mode
Monitoring Security Contexts

Xlates

mac-addresses

gold
silver
bronze
All Contexts:

1
1
0
3

D
CA
CA

default
gold
silver
bronze
All Contexts:

all
1
1
0
3

CA
DA
CA
CA

default
gold
silver
bronze
All Contexts:

all
1
1
0
3

C
D
CA
CA

5
10
5

unlimited
unlimited
23040
11520

65535
65535
6553
3276

5
10

5.00%
10.00%

20.00%

23040

N/A

23040

N/A

65535
6553

100.00%
9.99%

137623

209.99%

Table 5-4 shows each field description.
Table 5-4

show resource allocation detail Fields

Field

Description

Resource

The name of the resource that you can limit.

Class

The name of each class, including the default class.
The All contexts field shows the total values across all classes.

Mmbrs

The number of contexts assigned to each class.

Origin

The origin of the resource limit, as follows:
•

A—You set this limit with the all option, instead of as an individual resource.

•

C—This limit is derived from the member class.

•

D—This limit was not defined in the member class, but was derived from the
default class. For a context assigned to the default class, the value will be “C”
instead of “D.”

The ASA can combine “A” with “C” or “D.”
Limit

The limit of the resource per context, as an absolute number. If you specified a
percentage in the class definition, the ASA converts the percentage to an absolute
number for this display.

Total

The total amount of the resource that is allocated across all contexts in the class.
The amount is an absolute number of concurrent instances or instances per second.
If the resource is unlimited, this display is blank.

% of Avail

The percentage of the total system resources that is allocated across all contexts in
the class. If the resource is unlimited, this display is blank. If the resource does not
have a system limit, then this column shows N/A.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-31

Chapter 5

Configuring Multiple Context Mode

Monitoring Security Contexts

Viewing Resource Usage
From the system execution space, you can view the resource usage for each context and display the
system resource usage.
From the system execution space, view the resource usage for each context by entering the following
command:

Command

Purpose

show resource usage [context context_name
| top n | all | summary | system]
[resource {resource_name | all} | detail]
[counter counter_name [count_threshold]]

By default, all context usage is displayed; each context is listed separately.
Enter the top n keyword to show the contexts that are the top n users of the
specified resource. You must specify a single resource type, and not
resource all, with this option.
The summary option shows all context usage combined.
The system option shows all context usage combined, but shows the
system limits for resources instead of the combined context limits.
For the resource resource_name, see Table 5-1 for available resource
names. See also the show resource type command. Specify all (the
default) for all types.
The detail option shows the resource usage of all resources, including
those you cannot manage. For example, you can view the number of TCP
intercepts.
The counter counter_name is one of the following keywords:
•

current—Shows the active concurrent instances or the current rate of
the resource.

•

denied—Shows the number of instances that were denied because they
exceeded the resource limit shown in the Limit column.

•

peak—Shows the peak concurrent instances, or the peak rate of the
resource since the statistics were last cleared, either using the clear
resource usage command or because the device rebooted.

•

all—(Default) Shows all statistics.

The count_threshold sets the number above which resources are shown.
The default is 1. If the usage of the resource is below the number you set,
then the resource is not shown. If you specify all for the counter name, then
the count_threshold applies to the current usage.
Note

To show all resources, set the count_threshold to 0.

The following is sample output from the show resource usage context command, which shows the
resource usage for the admin context:
hostname# show resource usage context admin
Resource
Telnet
Conns
Hosts

Current
1
44
45

Cisco ASA 5500 Series Configuration Guide using the CLI

5-32

Peak
1
55
56

Limit
5
N/A
N/A

Denied
0
0
0

Context
admin
admin
admin

Chapter 5

Configuring Multiple Context Mode
Monitoring Security Contexts

The following is sample output from the show resource usage summary command, which shows the
resource usage for all contexts and all resources. This sample shows the limits for 6 contexts.
hostname# show resource usage summary
Resource
Current
Peak
Limit
Denied
Syslogs [rate]
1743
2132
N/A
0
Conns
584
763
280000(S)
0
Xlates
8526
8966
N/A
0
Hosts
254
254
N/A
0
Conns [rate]
270
535
N/A
1704
Inspects [rate]
270
535
N/A
0
S = System: Combined context limits exceed the system limit; the

Context
Summary
Summary
Summary
Summary
Summary
Summary
system limit is shown.

The following is sample output from the show resource usage summary command, which shows the
limits for 25 contexts. Because the context limit for Telnet and SSH connections is 5 per context, then
the combined limit is 125. The system limit is only 100, so the system limit is shown.
hostname# show resource usage summary
Resource
Current
Peak
Limit
Denied
Context
Telnet
1
1
100[S]
0
Summary
SSH
2
2
100[S]
0
Summary
Conns
56
90
N/A
0
Summary
Hosts
89
102
N/A
0
Summary
S = System: Combined context limits exceed the system limit; the system limit is shown.

The following is sample output from the show resource usage system command, which shows the
resource usage for all contexts, but it shows the system limit instead of the combined context limits. The
counter all 0 option is used to show resources that are not currently in use. The Denied statistics indicate
how many times the resource was denied due to the system limit, if available.
hostname# show resource usage system counter all 0
Resource
Telnet
SSH
ASDM
Syslogs [rate]
Conns
Xlates
Hosts
Conns [rate]
Inspects [rate]

Current
0
0
0
1
0
0
0
1
0

Peak
0
0
0
18
1
0
2
1
0

Limit
100
100
32
N/A
280000
N/A
N/A
N/A
N/A

Denied
0
0
0
0
0
0
0
0
0

Context
System
System
System
System
System
System
System
System
System

Monitoring SYN Attacks in Contexts
The ASA prevents SYN attacks using TCP Intercept. TCP Intercept uses the SYN cookies algorithm to
prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually
originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue
full, which prevents it from servicing connection requests. When the embryonic connection threshold of
a connection is crossed, the ASA acts as a proxy for the server and generates a SYN-ACK response to
the client SYN request. When the ASA receives an ACK back from the client, it can then authenticate
the client and allow the connection to the server.
Monitor SYN attacks using the following commands:

Cisco ASA 5500 Series Configuration Guide using the CLI

5-33

Chapter 5

Configuring Multiple Context Mode

Monitoring Security Contexts

Command

Purpose

show perfmon

Monitors the rate of attacks for individual contexts.

show resource usage detail

Monitors the amount of resources being used by TCP intercept for
individual contexts.

show resource usage summary detail

Monitors the resources being used by TCP intercept for the entire system.

The following is sample output from the show perfmon command that shows the rate of TCP intercepts
for a context called admin.
hostname/admin# show perfmon
Context:admin
PERFMON STATS:
Xlates
Connections
TCP Conns
UDP Conns
URL Access
URL Server Req
WebSns Req
TCP Fixup
HTTP Fixup
FTP Fixup
AAA Authen
AAA Author
AAA Account
TCP Intercept

Current
0/s
0/s
0/s
0/s
0/s
0/s
0/s
0/s
0/s
0/s
0/s
0/s
0/s
322779/s

Average
0/s
0/s
0/s
0/s
0/s
0/s
0/s
0/s
0/s
0/s
0/s
0/s
0/s
322779/s

The following is sample output from the show resource usage detail command that shows the amount
of resources being used by TCP Intercept for individual contexts. (Sample text in italics shows the TCP
intercept information.)
hostname(config)# show resource usage detail
Resource
Current
Peak
Limit
memory
843732
847288 unlimited
chunk:channels
14
15 unlimited
chunk:fixup
15
15 unlimited
chunk:hole
1
1 unlimited
chunk:ip-users
10
10 unlimited
chunk:list-elem
21
21 unlimited
chunk:list-hdr
3
4 unlimited
chunk:route
2
2 unlimited
chunk:static
1
1 unlimited
tcp-intercepts
328787
803610 unlimited
np-statics
3
3 unlimited
statics
1
1 unlimited
ace-rules
1
1 unlimited
console-access-rul
2
2 unlimited
fixup-rules
14
15 unlimited
memory
959872
960000 unlimited
chunk:channels
15
16 unlimited
chunk:dbgtrace
1
1 unlimited
chunk:fixup
15
15 unlimited
chunk:global
1
1 unlimited
chunk:hole
2
2 unlimited
chunk:ip-users
10
10 unlimited
chunk:udp-ctrl-blk
1
1 unlimited
chunk:list-elem
24
24 unlimited
chunk:list-hdr
5
6 unlimited

Cisco ASA 5500 Series Configuration Guide using the CLI

5-34

Denied
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0

Context
admin
admin
admin
admin
admin
admin
admin
admin
admin
admin
admin
admin
admin
admin
admin
c1
c1
c1
c1
c1
c1
c1
c1
c1
c1

Chapter 5

Configuring Multiple Context Mode
Monitoring Security Contexts

chunk:nat
chunk:route
chunk:static
tcp-intercept-rate
globals
np-statics
statics
nats
ace-rules
console-access-rul
fixup-rules
memory
chunk:channels
chunk:dbgtrace
chunk:fixup
chunk:ip-users
chunk:list-elem
chunk:list-hdr
chunk:route
block:16384
block:2048

1
2
1
16056
1
3
1
1
2
2
14
232695716
17
3
15
4
1014
1
1
510
32

1
2
1
16254
1
3
1
1
2
2
15
232020648
20
3
15
4
1014
1
1
885
34

unlimited
unlimited
unlimited
unlimited
unlimited
unlimited
unlimited
unlimited
unlimited
unlimited
unlimited
unlimited
unlimited
unlimited
unlimited
unlimited
unlimited
unlimited
unlimited
unlimited
unlimited

0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0

c1
c1
c1
c1
c1
c1
c1
c1
c1
c1
c1
system
system
system
system
system
system
system
system
system
system

The following sample output shows the resources being used by TCP intercept for the entire system.
(Sample text in italics shows the TCP intercept information.)
hostname(config)# show resource usage summary detail
Resource
Current
Peak
Limit
memory
238421312
238434336 unlimited
chunk:channels
46
48 unlimited
chunk:dbgtrace
4
4 unlimited
chunk:fixup
45
45 unlimited
chunk:global
1
1 unlimited
chunk:hole
3
3 unlimited
chunk:ip-users
24
24 unlimited
chunk:udp-ctrl-blk
1
1 unlimited
chunk:list-elem
1059
1059 unlimited
chunk:list-hdr
10
11 unlimited
chunk:nat
1
1 unlimited
chunk:route
5
5 unlimited
chunk:static
2
2 unlimited
block:16384
510
885 unlimited
block:2048
32
35 unlimited
tcp-intercept-rate
341306
811579 unlimited
globals
1
1 unlimited
np-statics
6
6 unlimited
statics
2
2
N/A
nats
1
1
N/A
ace-rules
3
3
N/A
console-access-rul
4
4
N/A
fixup-rules
43
44
N/A

Denied
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0

Context
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary
Summary

Viewing Assigned MAC Addresses
You can view auto-generated MAC addresses within the system configuration or within the context. This
section includes the following topics:
•

Viewing MAC Addresses in the System Configuration, page 5-36

•

Viewing MAC Addresses Within a Context, page 5-37

Cisco ASA 5500 Series Configuration Guide using the CLI

5-35

Chapter 5

Configuring Multiple Context Mode

Monitoring Security Contexts

Viewing MAC Addresses in the System Configuration
This section describes how to view MAC addresses in the system configuration.

Guidelines
If you manually assign a MAC address to an interface, but also have auto-generation enabled, the
auto-generated address continues to show in the configuration even though the manual MAC address is
the one that is in use. If you later remove the manual MAC address, the auto-generated one shown will
be used.

Detailed Steps

Command

Purpose

show running-config all context [name]

Shows the assigned MAC addresses from the system execution space.
The all option is required to view the assigned MAC addresses. Although
this command is user-configurable in global configuration mode only, the
mac-address auto command appears as a read-only entry in the
configuration for each context along with the assigned MAC address. Only
allocated interfaces that are configured with a nameif command within the
context have a MAC address assigned.

Examples
The following output from the show running-config all context admin command shows the primary
and standby MAC address assigned to the Management0/0 interface:
hostname# show running-config all context admin
context admin
allocate-interface Management0/0
mac-address auto Management0/0 a24d.0000.1440 a24d.0000.1441
config-url disk0:/admin.cfg

The following output from the show running-config all context command shows all the MAC addresses
(primary and standby) for all context interfaces. Note that because the GigabitEthernet0/0 and
GigabitEthernet0/1 main interfaces are not configured with a nameif command inside the contexts, no
MAC addresses have been generated for them.
hostname# show running-config all context
admin-context admin
context admin
allocate-interface Management0/0
mac-address auto Management0/0 a2d2.0400.125a a2d2.0400.125b
config-url disk0:/admin.cfg
!
context CTX1
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/0.1-GigabitEthernet0/0.5
mac-address auto GigabitEthernet0/0.1 a2d2.0400.11bc a2d2.0400.11bd
mac-address auto GigabitEthernet0/0.2 a2d2.0400.11c0 a2d2.0400.11c1
mac-address auto GigabitEthernet0/0.3 a2d2.0400.11c4 a2d2.0400.11c5
mac-address auto GigabitEthernet0/0.4 a2d2.0400.11c8 a2d2.0400.11c9

Cisco ASA 5500 Series Configuration Guide using the CLI

5-36

Chapter 5

Configuring Multiple Context Mode
Monitoring Security Contexts

mac-address auto GigabitEthernet0/0.5 a2d2.0400.11cc a2d2.0400.11cd
allocate-interface GigabitEthernet0/1
allocate-interface GigabitEthernet0/1.1-GigabitEthernet0/1.3
mac-address auto GigabitEthernet0/1.1 a2d2.0400.120c a2d2.0400.120d
mac-address auto GigabitEthernet0/1.2 a2d2.0400.1210 a2d2.0400.1211
mac-address auto GigabitEthernet0/1.3 a2d2.0400.1214 a2d2.0400.1215
config-url disk0:/CTX1.cfg
!
context CTX2
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/0.1-GigabitEthernet0/0.5
mac-address auto GigabitEthernet0/0.1 a2d2.0400.11ba a2d2.0400.11bb
mac-address auto GigabitEthernet0/0.2 a2d2.0400.11be a2d2.0400.11bf
mac-address auto GigabitEthernet0/0.3 a2d2.0400.11c2 a2d2.0400.11c3
mac-address auto GigabitEthernet0/0.4 a2d2.0400.11c6 a2d2.0400.11c7
mac-address auto GigabitEthernet0/0.5 a2d2.0400.11ca a2d2.0400.11cb
allocate-interface GigabitEthernet0/1
allocate-interface GigabitEthernet0/1.1-GigabitEthernet0/1.3
mac-address auto GigabitEthernet0/1.1 a2d2.0400.120a a2d2.0400.120b
mac-address auto GigabitEthernet0/1.2 a2d2.0400.120e a2d2.0400.120f
mac-address auto GigabitEthernet0/1.3 a2d2.0400.1212 a2d2.0400.1213
config-url disk0:/CTX2.cfg
!

Viewing MAC Addresses Within a Context
This section describes how to view MAC addresses within a context.

Detailed Steps

Command

Purpose

show interface | include (Interface)|(MAC)

Shows the MAC address in use by each interface within the context.

Examples
For example:
hostname/context# show interface | include (Interface)|(MAC)
Interface GigabitEthernet1/1.1 "g1/1.1", is down, line protocol is down
MAC address a201.0101.0600, MTU 1500
Interface GigabitEthernet1/1.2 "g1/1.2", is down, line protocol is down
MAC address a201.0102.0600, MTU 1500
Interface GigabitEthernet1/1.3 "g1/1.3", is down, line protocol is down
MAC address a201.0103.0600, MTU 1500
...

Note

The show interface command shows the MAC address in use; if you manually assign a MAC address
and also have auto-generation enabled, then you can only view the unused auto-generated address from
within the system configuration.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-37

Chapter 5

Configuring Multiple Context Mode

Configuration Examples for Multiple Context Mode

Configuration Examples for Multiple Context Mode
The following example:
•

Automatically sets the MAC addresses in contexts.

•

Sets the default class limit for conns to 10 percent instead of unlimited.

•

Creates a gold resource class.

•

Sets the admin context to be “administrator.”

•

Creates a context called “administrator” on the internal flash memory to be part of the default
resource class.

•

Adds two contexts from an FTP server as part of the gold resource class.

hostname(config)# mac-address auto prefix 19
hostname(config)# class default
hostname(config-class)# limit-resource conns 10%
hostname(config)# class
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#
hostname(config-class)#

gold
limit-resource
limit-resource
limit-resource
limit-resource
limit-resource
limit-resource
limit-resource
limit-resource
limit-resource
limit-resource

mac-addresses 10000
conns 15%
rate conns 1000
rate inspects 500
hosts 9000
asdm 5
ssh 5
rate syslogs 5000
telnet 5
xlates 36000

hostname(config)# admin-context administrator
hostname(config)# context administrator
hostname(config-ctx)# allocate-interface gigabitethernet0/0.1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1
hostname(config-ctx)# config-url flash:/admin.cfg
hostname(config-ctx)#
hostname(config-ctx)#
hostname(config-ctx)#
hostname(config-ctx)#
int3-int8
hostname(config-ctx)#
hostname(config-ctx)#

context test
allocate-interface gigabitethernet0/0.100 int1
allocate-interface gigabitethernet0/0.102 int2
allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115

hostname(config-ctx)#
hostname(config-ctx)#
hostname(config-ctx)#
hostname(config-ctx)#
int3-int8
hostname(config-ctx)#
hostname(config-ctx)#

context sample
allocate-interface gigabitethernet0/1.200 int1
allocate-interface gigabitethernet0/1.212 int2
allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235

config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg
member gold

config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg
member gold

Cisco ASA 5500 Series Configuration Guide using the CLI

5-38

Chapter 5

Configuring Multiple Context Mode
Feature History for Multiple Context Mode

Feature History for Multiple Context Mode
Table 5-5 lists each feature change and the platform release in which it was implemented.
Table 5-5

Feature History for Multiple Context Mode

Feature Name

Platform
Releases

Feature Information

Multiple security contexts

7.0(1)

Multiple context mode was introduced.
We introduced the following commands: context, mode,
and class.

Automatic MAC address assignment

7.2(1)

Automatic assignment of MAC address to context interfaces
was introduced.
We introduced the following command: mac-address auto.

Resource management

7.2(1)

Resource management was introduced.
We introduced the following commands: class,
limit-resource, and member.

Virtual sensors for IPS

8.0(2)

The AIP SSM running IPS software Version 6.0 and above
can run multiple virtual sensors, which means you can
configure multiple security policies on the AIP SSM. You
can assign each context or single mode ASA to one or more
virtual sensors, or you can assign multiple security contexts
to the same virtual sensor.
We introduced the following command: allocate-ips.

Automatic MAC address assignment
enhancements

8.0(5)/8.2(2)

The MAC address format was changed to use a prefix, to use
a fixed starting value (A2), and to use a different scheme for
the primary and secondary unit MAC addresses in a failover
pair. The MAC addresses are also now persistent across
reloads. The command parser now checks if auto-generation
is enabled; if you want to also manually assign a MAC
address, you cannot start the manual MAC address with A2.
We modified the following command: mac-address auto
prefix.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-39

Chapter 5

Configuring Multiple Context Mode

Feature History for Multiple Context Mode

Table 5-5

Feature History for Multiple Context Mode (continued)

Feature Name

Platform
Releases

Feature Information

Maximum contexts increased for the ASA 5550 8.4(1)
and 5580

The maximum security contexts for the ASA 5550 was
increased from 50 to 100. The maximum for the ASA 5580
was increased from 50 to 250.

Automatic generation of a MAC address prefix 8.6(1)
for the mac-address auto command

In multiple context mode, the ASA now converts the
automatic MAC address generation configuration to use a
default prefix. The ASA auto-generates the prefix based on
the last two bytes of the interface MAC address. This
conversion happens automatically when you reload, or if
you reenable MAC address generation. The prefix method
of generation provides many benefits, including a better
guarantee of unique MAC addresses on a segment. You can
view the auto-generated prefix by entering the show
running-config mac-address command. If you want to
change the prefix, you can reconfigure the feature with a
custom prefix. The legacy method of MAC address
generation is no longer available.
Note

To maintain hitless upgrade for failover pairs, the
ASA does not convert the MAC address method in
an existing configuration upon a reload if failover is
enabled. However, we strongly recommend that you
manually change to the prefix method of generation
when using failover. After upgrading, to use the
prefix method of MAC address generation, reenable
MAC address generation to use the default prefix.

We modified the following command: mac-address auto.

Cisco ASA 5500 Series Configuration Guide using the CLI

5-40

PA R T

Configuring Interfaces

CH A P T E R

Starting Interface Configuration
(ASA 5510 and Higher)
This chapter includes tasks for starting your interface configuration for the ASA 5510 and higher,
including configuring Ethernet settings, redundant interfaces, and EtherChannels.

Note

For ASA 5505 configuration, see Chapter 7, “Starting Interface Configuration (ASA 5505).”
For multiple context mode, complete all tasks in this section in the system execution space. To change
from the context to the system execution space, enter the changeto system command.
This chapter includes the following sections:
•

Information About Starting ASA 5510 and Higher Interface Configuration, page 6-1

•

Licensing Requirements for ASA 5510 and Higher Interfaces, page 6-8

•

Guidelines and Limitations, page 6-9

•

Default Settings, page 6-11

•

Starting Interface Configuration (ASA 5510 and Higher), page 6-12

•

Monitoring Interfaces, page 6-33

•

Configuration Examples for ASA 5510 and Higher Interfaces, page 6-33

•

Where to Go Next, page 6-34

•

Feature History for ASA 5510 and Higher Interfaces, page 6-35

Information About Starting ASA 5510 and Higher Interface
Configuration
This section includes the following topics:
•

Auto-MDI/MDIX Feature, page 6-2

•

Interfaces in Transparent Mode, page 6-2

•

Management Interface, page 6-2

•

Redundant Interfaces, page 6-4

•

EtherChannels, page 6-5

Cisco ASA 5500 Series Configuration Guide using the CLI

6-1

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

Information About Starting ASA 5510 and Higher Interface Configuration

Auto-MDI/MDIX Feature
For RJ-45 interfaces on the ASA 5500 series, the default auto-negotiation setting also includes the
Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an
internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed
or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set
both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then
Auto-MDI/MDIX is also disabled. For Gigabit Ethernet, when the speed and duplex are set to 1000 and
full, then the interface always auto-negotiates; therefore Auto-MDI/MDIX is always enabled and you
cannot disable it.

Interfaces in Transparent Mode
Interfaces in transparent mode belong to a “bridge group,” one bridge group for each network. You can
have up to eight bridge groups of four interfaces each per context or in single mode. For more
information about bridge groups, see the “Bridge Groups in Transparent Mode” section on page 9-1.

Management Interface
•

Management Interface Overview, page 6-2

•

Management Slot/Port Interface, page 6-2

•

Using Any Interface for Management-Only Traffic, page 6-3

•

Management Interface for Transparent Mode, page 6-3

•

No Support for Redundant Management Interfaces, page 6-4

•

Management 0/0 Interface on the ASA 5512-X through ASA 5555-X, page 6-4

Management Interface Overview
You can manage the ASA by connecting to:
•

Any through-traffic interface

•

A dedicated Management Slot/Port interface (if available for your model)

You may need to configure management access to the interface according to Chapter 37, “Configuring
Management Access.”

Management Slot/Port Interface
Table 6-1 shows the Management interfaces per model.Table 6-1

Management Interfaces Per Model

Model

Configurable for
Through Traffic1

Management 0/02

Management 0/1

Management 1/0

Management 1/1

ASA 5505

N/A

ASA 5510

Yes

Cisco ASA 5500 Series Configuration Guide using the CLI

6-2

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Information About Starting ASA 5510 and Higher Interface Configuration

Table 6-1

Management Interfaces Per Model

Model

Configurable for
Through Traffic1

Management 0/02

Management 0/1

Management 1/0

Management 1/1

ASA 5520

Yes

ASA 5540

Yes

ASA 5550

Yes

ASA 5580

Yes

ASA 5512-X

Yes

ASA 5515-X

Yes

ASA 5525-X

Yes

ASA 5545-X

Yes

ASA 5555-X

Yes

ASA 5585-X

Yes

No
3

Yes3

1. By default, the Management 0/0 interface is configured for management-only traffic (the management-only command). For supported models in routed
mode, you can remove the limitation and pass through traffic. If your model includes additional Management interfaces, you can use them for through
traffic as well. The Management interfaces might not be optimized for through-traffic, however.
2. The Management 0/0 interface is configured for ASDM access as part of the default factory configuration. See the “Factory Default Configurations”
section on page 2-10 for more information.
3. If you installed an SSP in slot 1, then Management 1/0 and 1/1 provide management access to the SSP in slot 1 only.

Note

If you installed an IPS module, then the IPS module management interface(s) provides management
access for the IPS module only. For the ASA 5512-X through ASA 5555-X, the IPS SSP software
module uses the same physical Management 0/0 interface as the ASA.

Using Any Interface for Management-Only Traffic
You can use any interface as a dedicated management-only interface by configuring it for management
traffic, including an EtherChannel interface (see the management-only command).

Management Interface for Transparent Mode
In transparent firewall mode, in addition to the maximum allowed through-traffic interfaces, you can also
use the Management interface (either the physical interface, a subinterface (if supported for your model),
or an EtherChannel interface comprised of Management interfaces (if you have multiple Management
interfaces)) as a separate management interface. You cannot use any other interface types as management
interfaces.
If your model does not include a Management interface, you must manage the transparent firewall from
a data interface.
In multiple context mode, you cannot share any interfaces, including the Management interface, across
contexts. To provide management per context, you can create subinterfaces of the Management interface
and allocate a Management subinterface to each context. Note that the ASA 5512-X through ASA
5555-X do not allow subinterfaces on the Management interface, so for per-context management, you
must connect to a data interface.

Cisco ASA 5500 Series Configuration Guide using the CLI

6-3

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

Information About Starting ASA 5510 and Higher Interface Configuration

For 8.4(1) and later, the management interface is not part of a normal bridge group. Note that for
operational purposes, it is part of a non-configurable bridge group.

Note

In transparent firewall mode, the management interface updates the MAC address table in the same
manner as a data interface; therefore you should not connect both a management and a data interface to
the same switch unless you configure one of the switch ports as a routed port (by default Cisco Catalyst
switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the
management interface from the physically-connected switch, then the ASA updates the MAC address
table to use the management interface to access the switch, instead of the data interface. This action
causes a temporary traffic interruption; the ASA will not re-update the MAC address table for packets
from the switch to the data interface for at least 30 seconds for security reasons.

No Support for Redundant Management Interfaces
Redundant interfaces do not support Management slot/port interfaces as members. You also cannot set
a redundant interface comprised of non-Management interfaces as management-only.

Management 0/0 Interface on the ASA 5512-X through ASA 5555-X
The Management 0/0 interface on the ASA 5512-X through ASA 5555-X has the following
characteristics:
•

No through traffic support

•

No subinterface support

•

No priority queue support

•

No multicast MAC support

•

The IPS SSP software module shares the Management 0/0 interface. Separate MAC addresses and
IP addresses are supported for the ASA and IPS module. You must perform configuration of the IPS
IP address within the IPS operating system. However, physical characteristics (such as enabling the
interface) are configured on the ASA.

Redundant Interfaces
A logical redundant interface consists of a pair of physical interfaces: an active and a standby interface.
When the active interface fails, the standby interface becomes active and starts passing traffic. You can
configure a redundant interface to increase the ASA reliability. This feature is separate from device-level
failover, but you can configure redundant interfaces as well as device-level failover if desired.

Redundant Interface MAC Address
The redundant interface uses the MAC address of the first physical interface that you add. If you change
the order of the member interfaces in the configuration, then the MAC address changes to match the
MAC address of the interface that is now listed first. Alternatively, you can assign a MAC address to the
redundant interface, which is used regardless of the member interface MAC addresses (see the
“Configuring the MAC Address and MTU” section on page 8-9 or the “Configuring Multiple Contexts”
section on page 5-14). When the active interface fails over to the standby, the same MAC address is
maintained so that traffic is not disrupted.

Cisco ASA 5500 Series Configuration Guide using the CLI

6-4

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Information About Starting ASA 5510 and Higher Interface Configuration

EtherChannels
An 802.3ad EtherChannel is a logical interface (called a port-channel interface) consisting of a bundle
of individual Ethernet links (a channel group) so that you increase the bandwidth for a single network.
A port channel interface is used in the same way as a physical interface when you configure
interface-related features.
You can configure up to 48 EtherChannels.
This section includes the following topics:
•

Channel Group Interfaces, page 6-5

•

Connecting to an EtherChannel on Another Device, page 6-5

•

Link Aggregation Control Protocol, page 6-6

•

Load Balancing, page 6-7

•

EtherChannel MAC Address, page 6-7

Channel Group Interfaces
Each channel group can have eight active interfaces. Note that you can assign up to 16 interfaces to a
channel group. While only eight interfaces can be active, the remaining interfaces can act as standby
links in case of interface failure.
All interfaces in the channel group must be the same type and speed. The first interface added to the
channel group determines the correct type and speed.
The EtherChannel aggregates the traffic across all the available active interfaces in the channel. The port
is selected using a proprietary hash algorithm, based on source or destination MAC addresses, IP
addresses, TCP and UDP port numbers and vlan numbers.

Connecting to an EtherChannel on Another Device
The device to which you connect the ASA EtherChannel must also support 802.3ad EtherChannels; for
example, you can connect to the Catalyst 6500 switch.
When the switch is part of a Virtual Switching System (VSS), then you can connect ASA interfaces
within the same EtherChannel to separate switches in the VSS. The switch interfaces are members of the
same EtherChannel port-channel interface, because the separate switches act like a single switch (see
Figure 6-1).

Cisco ASA 5500 Series Configuration Guide using the CLI

6-5

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

Information About Starting ASA 5510 and Higher Interface Configuration

Figure 6-1

Connecting to a VSS

VSS
Switch 2

Switch 1

gig3/5

gig6/5

gig0/0

gig0/1

port-channel 2

port-channel 1

ASA

If you use the ASA in an Active/Standby failover deployment, then you need to create separate
EtherChannels on the switches in the VSS, one for each ASA (see Figure 6-1). On each ASA, a single
EtherChannel connects to both switches. Even if you could group all switch interfaces into a single
EtherChannel connecting to both ASAs (in this case, the EtherChannel will not be established because
of the separate ASA system IDs), a single EtherChannel would not be desirable because you do not want
traffic sent to the standby ASA.
Figure 6-2

Active/Standby Failover and VSS

VSS
Switch 1

port-channel 2 gig3/2

port-channel 1 gig0/0

gig3/3

Switch 2

gig6/2

gig0/1

Primary ASA

gig0/0

gig6/3 port-channel 3

gig0/1

port-channel 1

Secondary ASA

Link Aggregation Control Protocol
The Link Aggregation Control Protocol (LACP) aggregates interfaces by exchanging the Link
Aggregation Control Protocol Data Units (LACPDUs) between two network devices.
You can configure each physical interface in an EtherChannel to be:
•

Active—Sends and receives LACP updates. An active EtherChannel can establish connectivity with
either an active or a passive EtherChannel. You should use the active mode unless you need to
minimize the amount of LACP traffic.

•

Passive—Receives LACP updates. A passive EtherChannel can only establish connectivity with an
active EtherChannel.

Cisco ASA 5500 Series Configuration Guide using the CLI

6-6

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Information About Starting ASA 5510 and Higher Interface Configuration

•

On—The EtherChannel is always on, and LACP is not used. An “on” EtherChannel can only
establish a connection with another “on” EtherChannel.

LACP coordinates the automatic addition and deletion of links to the EtherChannel without user
intervention. It also handles misconfigurations and checks that both ends of member interfaces are
connected to the correct channel group. “On” mode cannot use standby interfaces in the channel group
when an interface goes down, and the connectivity and configurations are not checked.

Load Balancing
The ASA distributes packets to the interfaces in the EtherChannel by hashing the source and destination
IP address of the packet (this criteria is configurable; see the “Customizing the EtherChannel” section
on page 6-29). The hash result is a 3-bit value (0 to 7).
The eight hash result values are distributed in a round robin fashion between the channel group
interfaces, starting with the interface with the lowest ID (slot/port). For example, all packets with a hash
result of 0 go to GigabitEthernet 0/0, packets with a hash result of 1 go to GigabitEthernet 0/1, packets
with a hash result of 2 go to GigabitEthernet 0/2, and so on.
Because there are eight hash result values regardless of how many active interfaces are in the
EtherChannel, packets might not be distributed evenly depending on the number of active interfaces.
Table 6-2 shows the load balancing amounts per interface for each number of active interfaces. The
active interfaces in bold have even distribution.
Table 6-2

Load Distribution per Interface

# of Active
Interfaces

% Distribution Per Interface
1

100%

—

50%

—

37.5%

25%

—

25%

—

25%

12.5%

—

25%

12.5%

—

25%

12.5%

—

12.5%

If an active interface goes down and is not replaced by a standby interface, then traffic is rebalanced
between the remaining links. The failure is masked from both Spanning Tree at Layer 2 and the routing
table at Layer 3, so the switchover is transparent to other network devices.

EtherChannel MAC Address
All interfaces that are part of the channel group share the same MAC address. This feature makes the
EtherChannel transparent to network applications and users, because they only see the one logical
connection; they have no knowledge of the individual links.
The port-channel interface uses the lowest numbered channel group interface MAC address as the
port-channel MAC address. Alternatively you can manually configure a MAC address for the
port-channel interface. In multiple context mode, you can automatically assign unique MAC addresses

Cisco ASA 5500 Series Configuration Guide using the CLI

6-7

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

Licensing Requirements for ASA 5510 and Higher Interfaces

to interfaces, including an EtherChannel port interface. We recommend manually, or in multiple context
mode, automatically configuring a unique MAC address in case the group channel interface membership
changes. If you remove the interface that was providing the port-channel MAC address, then the
port-channel MAC address changes to the next lowest numbered interface, thus causing traffic
disruption.

Licensing Requirements for ASA 5510 and Higher Interfaces
Model

License Requirement

ASA 5510

VLANs:
Base License: 50
Security Plus License: 100
Interface Speed:
Base License—All interfaces Fast Ethernet.
Security Plus License—Ethernet 0/0 and 0/1: Gigabit Ethernet; all others Fast Ethernet.
Interfaces of all types1:
Base License: 52
Security Plus License: 120

ASA 5520

VLANs:
Base License: 150.
Interfaces of all types1:
Base License: 640

ASA 5540

VLANs:
Base License: 200
Interfaces of all types1:
Base License: 840

ASA 5550

VLANs:
Base License: 400
Interfaces of all types1:
Base License: 1640

ASA 5580

VLANs:
Base License: 1024
Interfaces of all types1:
Base License: 4176

ASA 5512-X

VLANs:
Base License: 50
Interfaces of all types1:
Base License: 328

Cisco ASA 5500 Series Configuration Guide using the CLI

6-8

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Guidelines and Limitations

Model

License Requirement

ASA 5515-X

VLANs:
Base License: 100
Interfaces of all types1:
Base License: 528

ASA 5525-X

VLANs:
Base License: 200
Interfaces of all types1:
Base License: 928

ASA 5545-X

VLANs:
Base License: 300
Interfaces of all types1:
Base License: 1328

ASA 5555-X

VLANs:
Base License: 500
Interfaces of all types1:
Base License: 2128

ASA 5585-X

VLANs:
Base License: 1024
Interface Speed for SSP-10 and SSP-20:
Base License—1-Gigabit Ethernet for fiber interfaces
10 GE I/O License—10-Gigabit Ethernet for fiber interfaces
(SSP-40 and SSP-60 support 10-Gigabit Ethernet by default.)
Interfaces of all types1:
Base License: 4176

1. The maximum number of combined interfaces; for example, VLANs, physical, redundant, bridge group, and EtherChannel interfaces.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

In multiple context mode, configure the physical interfaces in the system execution space according to
the “Starting Interface Configuration (ASA 5510 and Higher)” section on page 6-12. Then, configure the
logical interface parameters in the context execution space according to Chapter 8, “Completing
Interface Configuration (Routed Mode),” or Chapter 9, “Completing Interface Configuration
(Transparent Mode).”

Cisco ASA 5500 Series Configuration Guide using the CLI

6-9

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

Guidelines and Limitations

Firewall Mode Guidelines
•

For transparent mode, you can configure up to eight bridge groups per context or for a single mode
device.

•

Each bridge group can include up to four interfaces.

•

For multiple context, transparent mode, each context must use different interfaces; you cannot share
an interface across contexts.

Failover Guidelines
•

When you use a redundant or EtherChannel interface as a failover link, it must be pre-configured on
both units in the failover pair; you cannot configure it on the primary unit and expect it to replicate
to the secondary unit because the failover link itself is required for replication.

•

If you use a redundant or EtherChannel interface for the state link, no special configuration is
required; the configuration can replicate from the primary unit as normal.

•

You can monitor redundant or EtherChannel interfaces for failover using the monitor-interface
command; be sure to reference the logical redundant interface name. When an active member
interface fails over to a standby interface, this activity does not cause the redundant or EtherChannel
interface to appear to be failed when being monitored for device-level failover. Only when all
physical interfaces fail does the redundant or EtherChannel interface appear to be failed (for an
EtherChannel interface, the number of member interfaces allowed to fail is configurable).

•

If you use an EtherChannel interface for a failover or state link, then to prevent out-of-order packets,
only one interface in the EtherChannel is used. If that interface fails, then the next interface in the
EtherChannel is used. You cannot alter the EtherChannel configuration while it is in use as a failover
link. To alter the configuration, you need to either shut down the EtherChannel while you make
changes, or temporarily disable failover; either action prevents failover from occurring for the
duration.

•

Although you can configure failover and failover state links on a port channel link, this port channel
cannot be shared with other firewall traffic.

Redundant Interface Guidelines
•

You can configure up to 8 redundant interface pairs.

•

All ASA configuration refers to the logical redundant interface instead of the member physical
interfaces.

•

You cannot use a redundant interface as part of an EtherChannel, nor can you use an EtherChannel
as part of a redundant interface. You cannot use the same physical interfaces in a redundant interface
and an EtherChannel interface. You can, however, configure both types on the ASA if they do not
use the same physical interfaces.

•

If you shut down the active interface, then the standby interface becomes active.

•

Redundant interfaces do not support Management slot/port interfaces as members. You also cannot
set a redundant interface comprised of non-Management interfaces as management-only.

•

For failover guidelines, see the “Failover Guidelines” section on page 6-10.

EtherChannel Guidelines
•

You can configure up to 48 EtherChannels.

•

Each channel group can have eight active interfaces. Note that you can assign up to 16 interfaces to
a channel group. While only eight interfaces can be active, the remaining interfaces can act as
standby links in case of interface failure.

Cisco ASA 5500 Series Configuration Guide using the CLI

6-10

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Default Settings

•

All interfaces in the channel group must be the same type and speed. The first interface added to the
channel group determines the correct type and speed.

•

The device to which you connect the ASA 5500 EtherChannel must also support 802.3ad
EtherChannels; for example, you can connect to the Catalyst 6500 switch.

•

All ASA configuration refers to the logical EtherChannel interface instead of the member physical
interfaces.

•

You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA
5550, as part of an EtherChannel.

•

For failover guidelines, see the “Failover Guidelines” section on page 6-10.

Default Settings
This section lists default settings for interfaces if you do not have a factory default configuration. For
information about the factory default configurations, see the “Factory Default Configurations” section
on page 2-10.
Default State of Interfaces

The default state of an interface depends on the type and the context mode.
In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the
interface is in the system execution space. However, for traffic to pass through the interface, the interface
also has to be enabled in the system execution space. If you shut down an interface in the system
execution space, then that interface is down in all contexts that share it.
In single mode or in the system execution space, interfaces have the following default states:
•

Physical interfaces—Disabled.

•

Redundant Interfaces—Enabled. However, for traffic to pass through the redundant interface, the
member physical interfaces must also be enabled.

•

Subinterfaces—Enabled. However, for traffic to pass through the subinterface, the physical interface
must also be enabled.

•

EtherChannel port-channel interfaces—Enabled. However, for traffic to pass through the
EtherChannel, the channel group physical interfaces must also be enabled.

Default Speed and Duplex
•

By default, the speed and duplex for copper (RJ-45) interfaces are set to auto-negotiate.

•

The fiber interface for the ASA 5550 (slot 1) and the 4GE SSM has a fixed speed and does not
support duplex, but you can set the interface to negotiate link parameters (the default) or not to
negotiate.

•

For fiber interfaces for the ASA 5580 and 5585-X, the speed is set for automatic link negotiation.

Cisco ASA 5500 Series Configuration Guide using the CLI

6-11

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

Default Connector Type

The ASA 5550 (slot 1) and the 4GE SSM for the ASA 5510 and higher ASA include two connector
types: copper RJ-45 and fiber SFP. RJ-45 is the default. You can configure the ASA to use the fiber SFP
connectors.
Default MAC Addresses

By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical
interface use the same burned-in MAC address.

Starting Interface Configuration (ASA 5510 and Higher)
This section includes the following topics:
•

Task Flow for Starting Interface Configuration, page 6-12

•

Converting In-Use Interfaces to a Redundant or EtherChannel Interface, page 6-13

•

Enabling the Physical Interface and Configuring Ethernet Parameters, page 6-22

•

Configuring a Redundant Interface, page 6-25

•

Configuring an EtherChannel, page 6-27

•

Configuring VLAN Subinterfaces and 802.1Q Trunking, page 6-30

•

Enabling Jumbo Frame Support (Supported Models), page 6-32

Task Flow for Starting Interface Configuration
Note

If you have an existing configuration, and want to convert interfaces that are in use to a redundant or
EtherChannel interface, perform your configuration offline to minimize disruption. See the “Converting
In-Use Interfaces to a Redundant or EtherChannel Interface” section on page 6-13.
To start configuring interfaces, perform the following steps:

Step 1

(Multiple context mode) Complete all tasks in this section in the system execution space. To change from
the context to the system execution space, enter the changeto system command.

Step 2

Enable the physical interface, and optionally change Ethernet parameters. See the “Enabling the Physical
Interface and Configuring Ethernet Parameters” section on page 6-22.
Physical interfaces are disabled by default.

Step 3

(Optional) Configure redundant interface pairs. See the “Configuring a Redundant Interface” section on
page 6-25.
A logical redundant interface pairs an active and a standby physical interface. When the active interface
fails, the standby interface becomes active and starts passing traffic.

Step 4

(Optional) Configure an EtherChannel. See the “Configuring an EtherChannel” section on page 6-27.
An EtherChannel groups multiple Ethernet interfaces into a single logical interface.

Cisco ASA 5500 Series Configuration Guide using the CLI

6-12

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Starting Interface Configuration (ASA 5510 and Higher)

You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the
ASA 5550, as part of an EtherChannel.

Note

Step 5

(Optional) Configure VLAN subinterfaces. See the “Configuring VLAN Subinterfaces and 802.1Q
Trunking” section on page 6-30.

Step 6

(Optional) Enable jumbo frame support on the ASA 5580 and 5585-X according to the “Enabling Jumbo
Frame Support (Supported Models)” section on page 6-32.

Step 7

(Multiple context mode only) To complete the configuration of interfaces in the system execution space,
perform the following tasks that are documented in Chapter 5, “Configuring Multiple Context Mode”:
•

To assign interfaces to contexts, see the “Configuring a Security Context” section on page 5-18.

•

(Optional) To automatically assign unique MAC addresses to context interfaces, see the
“Automatically Assigning MAC Addresses to Context Interfaces” section on page 5-22.

The MAC address is used to classify packets within a context. If you share an interface, but do not have
unique MAC addresses for the interface in each context, then the destination IP address is used to
classify packets. Alternatively, you can manually assign MAC addresses within the context according to
the “Configuring the MAC Address and MTU” section on page 8-9.
Step 8

Complete the interface configuration according to Chapter 8, “Completing Interface Configuration
(Routed Mode),” or Chapter 9, “Completing Interface Configuration (Transparent Mode).”

Converting In-Use Interfaces to a Redundant or EtherChannel Interface
If you have an existing configuration and want to take advantage of the redundant or EtherChannel
interface feature for interfaces that are currently in use, you will have some amount of downtime when
you convert to the logical interfaces.
This section provides an overview of how to convert your existing interfaces to a redundant or
EtherChannel interface with minimal downtime. See the “Configuring a Redundant Interface” section
on page 6-25 and the “Configuring an EtherChannel” section on page 6-27 fore more information.
•

Detailed Steps (Single Mode), page 6-13

•

Detailed Steps (Multiple Mode), page 6-18

Detailed Steps (Single Mode)
We recommend that you update your configuration offline as a text file, and reimport the whole
configuration for the following reasons:
•

Because you cannot add a named interface as a member of a redundant or EtherChannel interface,
you must remove the name from the interface. When you remove the name from the interface, any
command that referred to that name is deleted. Because commands that refer to interface names are
widespread throughout the configuration and affect multiple features, removing a name from an
in-use interface at the CLI or in ASDM would cause significant damage to your configuration, not
to mention significant downtime while you reconfigure all your features around a new interface
name.

•

Changing your configuration offline lets you use the same interface names for your new logical
interfaces, so you do not need to touch the feature configurations that refer to interface names. You
only need to change the interface configuration.

Cisco ASA 5500 Series Configuration Guide using the CLI

6-13

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

•

Clearing the running configuration and immediately applying a new configuration will minimize the
downtime of your interfaces. You will not be waiting to configure the interfaces in real time.

Step 1

Connect to the ASA; if you are using failover, connect to the active ASA.

Step 2

If you are using failover, disable failover by entering the no failover command.

Step 3

Copy the running configuration by entering the more system:running-config command and copying the
display output to a text editor.
Be sure to save an extra copy of the old configuration in case you make an error when you edit it.

Step 4

For each in-use interface that you want to add to a redundant or EtherChannel interface, cut and paste
all commands under the interface command to the end of the interface configuration section for use in
creating your new logical interfaces. The only exceptions are the following commands, which should
stay with the physical interface configuration:
•

media-type

•

speed

•

duplex

•

flowcontrol

Note

You can only add physical interfaces to an EtherChannel or redundant interface; you cannot have
VLANs configured for the physical interfaces.
Be sure to match the above values for all interfaces in a given EtherChannel or redundant
interface. Note that the duplex setting for an EtherChannel interface must be Full or Auto.

For example, you have the following interface configuration. The bolded commands are the ones we
want to use with three new EtherChannel interfaces, and that you should cut and paste to the end of the
interface section.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.86.194.225 255.255.255.0
no shutdown
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
no shutdown
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown

Cisco ASA 5500 Series Configuration Guide using the CLI

6-14

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Starting Interface Configuration (ASA 5510 and Higher)

no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif mgmt
security-level 100
ip address 10.1.1.5 255.255.255.0
no shutdown
!
interface Management0/1
shutdown
no nameif
no security-level
no ip address

Step 5

Above each pasted command section, create your new logical interfaces by entering one of the following
commands:
•

interface redundant number [1-8]

•

interface port-channel channel_id [1-48]

For example:
...
interface port-channel 1
nameif outside
security-level 0
ip address 10.86.194.225 255.255.255.0
no shutdown
!
interface port-channel 2
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
no shutdown
!
interface port-channel 3
nameif mgmt
security-level 100
ip address 10.1.1.5 255.255.255.0
no shutdown

Step 6

Assign the physical interfaces to the new logical interfaces:
•

Redundant interface—Enter the following commands under the new interface redundant
command:
member-interface physical_interface1
member-interface physical_interface2

Where the physical interfaces are any two interfaces of the same type (either formerly in use or
unused). You cannot assign a Management interface to a redundant interface.
For example, to take advantage of existing cabling, you would continue to use the formerly in-use
interfaces in their old roles as part of the inside and outside redundant interfaces:

Cisco ASA 5500 Series Configuration Guide using the CLI

6-15

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

interface redundant 1
nameif outside
security-level 0
ip address 10.86.194.225 255.255.255.0
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/2
interface redundant 2
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
member-interface GigabitEthernet0/1
member-interface GigabitEthernet0/3

•

EtherChannel interface—Enter the following command under each interface you want to add to the
EtherChannel (either formerly in use or unused). You can assign up to 16 interfaces per
EtherChannel, although only eight can be active; the others are in a standby state in case of failure.
channel-group channel_id mode active

For example, to take advantage of existing cabling, you would continue to use the formerly in-use
interfaces in their old roles as part of the inside and outside EtherChannel interfaces:
interface GigabitEthernet0/0
channel-group 1 mode active
no shutdown
!
interface GigabitEthernet0/1
channel-group 2 mode active
no shutdown
!
interface GigabitEthernet0/2
channel-group 1 mode active
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
channel-group 1 mode active
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
channel-group 2 mode active
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
channel-group 2 mode active
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
channel-group 3 mode active
no shutdown
!
interface Management0/1

Cisco ASA 5500 Series Configuration Guide using the CLI

6-16

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Starting Interface Configuration (ASA 5510 and Higher)

channel-group 3 mode active
shutdown
no nameif
no security-level
no ip address
...

Step 7

Enable each formerly unused interface that is now part of a logical interface by adding no in front of the
shutdown command.
For example, your final EtherChannel configuration is:
interface GigabitEthernet0/0
channel-group 1 mode active
no shutdown
!
interface GigabitEthernet0/1
channel-group 2 mode active
no shutdown
!
interface GigabitEthernet0/2
channel-group 1 mode active
no shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
channel-group 1 mode active
no shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
channel-group 2 mode active
no shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
channel-group 2 mode active
no shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
channel-group 3 mode active
no shutdown
!
interface Management0/1
channel-group 3 mode active
no shutdown
no nameif
no security-level
no ip address
!
interface port-channel 1
nameif outside
security-level 0
ip address 10.86.194.225 255.255.255.0

Cisco ASA 5500 Series Configuration Guide using the CLI

6-17

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

!
interface port-channel 2
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface port-channel 3
nameif mgmt
security-level 100
ip address 10.1.1.5 255.255.255.0

Note

Step 8

Other optional EtherChannel parameters can be configured after you import the new
configuration. See the “Configuring an EtherChannel” section on page 6-27.

At the ASA CLI prompt, perform the following steps depending on your connection (console or remote).
•

Console connection:
a. Copy the entire new configuration to the clipboard, including the altered interface section.
b. Clear the running configuration by entering:
hostname(config)# clear configure all

Traffic through the ASA stops at this point.
c. Paste in the new configuration at the prompt.

Traffic through the ASA resumes.
•

Remote connection:
a. Save the new configuration to a TFTP or FTP server, so you can copy it to the startup

configuration on the ASA. For example, you can run a TFTP or FTP server on your PC.
b. Clear the startup configuration by entering:
hostname(config)# write erase

c. Copy the new configuration to the startup configuration by entering:
hostname(config)# copy url startup-config

See the “Downloading a File to a Specific Location” section on page 81-3
d. Reload the ASA using the reload command. Do not save the running configuration.
Step 9

Reenable failover by entering the failover command.

Detailed Steps (Multiple Mode)
We recommend that you update your system and context configurations offline as text files, and reimport
them for the following reasons:
•

Because you cannot add an allocated interface as a member of a redundant or EtherChannel
interface, you must deallocate the interface from any contexts. When you deallocate the interface,
any context command that referred to that interface is deleted. Because commands that refer to
interfaces are widespread throughout the configuration and affect multiple features, removing an
allocation from an in-use interface at the CLI or in ASDM would cause significant damage to your
configuration, not to mention significant downtime while you reconfigure all your features around
a new interface.

Cisco ASA 5500 Series Configuration Guide using the CLI

6-18

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Starting Interface Configuration (ASA 5510 and Higher)

•

Clearing the running system configuration and immediately applying a new configuration will
minimize the downtime of your interfaces. You will not be waiting to configure the interfaces in real
time.

Step 1

Connect to the ASA, and change to the system; if you are using failover, connect to the active ASA.

Step 2

If you are using failover, disable failover by entering the no failover command.

Step 3

In the system, copy the running configuration by entering the more system:running-config command
and copying the display output to a text editor.
Be sure to save an extra copy of the old configuration in case you make an error when you edit it.
For example, you have the following interface configuration and allocation in the system configuration,
with shared interfaces between two contexts.
System
interface GigabitEthernet0/0
no shutdown
interface GigabitEthernet0/1
no shutdown
interface GigabitEthernet0/2
shutdown
interface GigabitEthernet0/3
shutdown
interface GigabitEthernet0/4
shutdown
interface GigabitEthernet0/5
shutdown
interface Management0/0
no shutdown
interface Management1/0
shutdown
!
context customerA
allocate-interface gigabitethernet0/0 int1
allocate-interface gigabitethernet0/1 int2
allocate-interface management0/0 mgmt
context customerB
allocate-interface gigabitethernet0/0
allocate-interface gigabitethernet0/1
allocate-interface management0/0

Step 4

Get copies of all context configurations that will use the new EtherChannel or redundant interface. See
the “Backing Up a Context Configuration or Other File in Flash Memory” section on page 81-8.
For example, you download the following context configurations (interface configuration shown):
CustomerA Context
interface int1
nameif outside
security-level 0
ip address 10.86.194.225 255.255.255.0
!
interface int2
nameif inside
security-level 100

Cisco ASA 5500 Series Configuration Guide using the CLI

6-19

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

ip address 192.168.1.3 255.255.255.0
no shutdown
!
interface mgmt
nameif mgmt
security-level 100
ip address 10.1.1.5 255.255.255.0
management-only

CustomerB Context
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.20.15.5 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.6.78 255.255.255.0
!
interface Management0/0
nameif mgmt
security-level 100
ip address 10.8.1.8 255.255.255.0
management-only

Step 5

In the system configuration, create the new logical interfaces according to the “Configuring a Redundant
Interface” section on page 6-25 or the “Configuring an EtherChannel” section on page 6-27. Be sure to
enter the no shutdown command on any additional physical interfaces you want to use as part of the
logical interface.

Note

You can only add physical interfaces to an EtherChannel or redundant interface; you cannot have
VLANs configured for the physical interfaces.
Be sure to match physical interface parameters such as speed and duplex for all interfaces in a
given EtherChannel or redundant interface. Note that the duplex setting for an EtherChannel
interface must be Full or Auto.

For example, the new configuration is:
System
interface GigabitEthernet0/0
channel-group 1 mode active
no shutdown
!
interface GigabitEthernet0/1
channel-group 2 mode active
no shutdown
!
interface GigabitEthernet0/2
channel-group 1 mode active
no shutdown
!
interface GigabitEthernet0/3
channel-group 1 mode active
no shutdown
!

Cisco ASA 5500 Series Configuration Guide using the CLI

6-20

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Starting Interface Configuration (ASA 5510 and Higher)

interface GigabitEthernet0/4
channel-group 2 mode active
no shutdown
!
interface GigabitEthernet0/5
channel-group 2 mode active
no shutdown
!
interface Management0/0
channel-group 3 mode active
no shutdown
!
interface Management0/1
channel-group 3 mode active
no shutdown
!
interface port-channel 1
interface port-channel 2
interface port-channel 3

Step 6

Change the interface allocation per context to use the new EtherChannel or redundant interfaces. See the
“Configuring a Security Context” section on page 5-18.
For example, to take advantage of existing cabling, you would continue to use the formerly in-use
interfaces in their old roles as part of the inside and outside redundant interfaces:
context customerA
allocate-interface
allocate-interface
allocate-interface
context customerB
allocate-interface
allocate-interface
allocate-interface

Note

Step 7

port-channel1 int1
port-channel2 int2
port-channel3 mgmt
port-channel1
port-channel2
port-channel3

You might want to take this opportunity to assign mapped names to interfaces if you have not
done so already. For example, the configuration for customerA does not need to be altered at all;
it just needs to be reapplied on the ASA. The customerB configuration, however, needs to have
all of the interface IDs changed; if you assign mapped names for customerB, you still have to
change the interface IDs in the context configuration, but mapped names might help future
interface changes.

For contexts that do not use mapped names, change the context configuration to use the new
EtherChannel or redundant interface ID. (Contexts that use mapped interface names do not require any
alteration.)
For example:
CustomerB Context
interface port-channel1
nameif outside
security-level 0
ip address 10.20.15.5 255.255.255.0
!
interface port-channel2
nameif inside
security-level 100
ip address 192.168.6.78 255.255.255.0
!

Cisco ASA 5500 Series Configuration Guide using the CLI

6-21

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

interface port-channel3
nameif mgmt
security-level 100
ip address 10.8.1.8 255.255.255.0
management-only

Step 8

Copy the new context configuration files over the old ones. For example, if your contexts are on an FTP
server, copy over the existing files (making backups as desired) using FTP. If your contexts are in flash
memory, you can use the copy command and run a TFTP or FTP server on your PC, or use secure copy.
See the “Downloading a File to a Specific Location” section on page 81-3. This change only affects the
startup configuration; the running configuration is still using the old context configuration.

Step 9

At the ASA system CLI prompt, perform the following steps depending on your connection (console or
remote).
•

Console connection:
a. Copy the entire new system configuration to the clipboard, including the altered interface

section.
b. Clear the running configuration (both system and contexts) by entering:
hostname(config)# clear configure all

Traffic through the ASA stops at this point.
c. Paste in the new system configuration at the prompt.

All of the new context configurations now reload. When they are finished reloading, traffic
through the ASA resumes.
•

Remote connection:
a. Save the new system configuration to a TFTP or FTP server, so you can copy it to the startup

configuration on the ASA. For example, you can run a TFTP or FTP server on your PC.
b. Clear the startup configuration by entering:
hostname(config)# write erase

c. Copy the new system configuration to the startup configuration by entering:
hostname(config)# copy url startup-config

See the “Downloading a File to a Specific Location” section on page 81-3
d. Reload the ASA using the reload command. Do not save the running configuration.
Step 10

Reenable failover by entering the failover command.

Enabling the Physical Interface and Configuring Ethernet Parameters
This section describes how to:
•

Enable the physical interface

•

Set a specific speed and duplex (if available)

•

Enable pause frames for flow control

Cisco ASA 5500 Series Configuration Guide using the CLI

6-22

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Starting Interface Configuration (ASA 5510 and Higher)

Prerequisites
For multiple context mode, complete this procedure in the system execution space. To change from the
context to the system execution space, enter the changeto system command.

Detailed Steps

Step 1

Command

Purpose

interface physical_interface

Specifies the interface you want to configure.

Example:

where the physical_interface ID includes the type, slot, and port
number as type[slot/]port.

hostname(config)# interface
gigabitethernet 0/0

The physical interface types include the following:
•

ethernet

•

gigabitethernet

•

tengigabitethernet

•

management

Enter the type followed by slot/port, for example,
gigabitethernet0/1 or ethernet 0/1. A space is optional between
the type and the slot/port.
Step 2

(Optional)
media-type sfp

Sets the media type to SFP, if available for your model. To restore
the default RJ-45, enter the media-type rj45 command.

Example:
hostname(config-if)# media-type sfp

Step 3

(Optional)

Sets the speed.

speed {auto | 10 | 100 | 1000 |
nonegotiate}

For copper interfaces, the default setting is auto.

Example:
hostname(config-if)# speed 100

Step 4

(Optional)
duplex {auto | full | half}

For SFP interfaces, the default setting is no speed nonegotiate,
which sets the speed to the maximum speed and enables link
negotiation for flow-control parameters and remote fault
information. The nonegotiate keyword is the only keyword
available for SFP interfaces. The speed nonegotiate command
disables link negotiation.
Sets the duplex for copper interfaces. The auto setting is the
default.
Note

Example:

The duplex setting for an EtherChannel interface must be
Full or Auto.

hostname(config-if)# duplex full

Cisco ASA 5500 Series Configuration Guide using the CLI

6-23

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

Step 5

Command

Purpose

(Optional)

Enables pause (XOFF) frames for flow control on 1-Gigabit and
10-Gigabit Ethernet interfaces.

flowcontrol send on [low_water high_water
pause_time] [noconfirm]

Example:
hostname(config-if)# flowcontrol send on
95 200 10000

If you have a traffic burst, dropped packets can occur if the burst
exceeds the buffering capacity of the FIFO buffer on the NIC and
the receive ring buffers. Enabling pause frames for flow control
can alleviate this issue. Pause (XOFF) and XON frames are
generated automatically by the NIC hardware based on the FIFO
buffer usage. A pause frame is sent when the buffer usage exceeds
the high-water mark. The default high_water value is 128 KB (10
GigabitEthernet) and 24 KB (1 GigabitEthernet); you can set it
between 0 and 511 (10 GigabitEthernet) or 0 and 47 KB
(1 GigabitEthernet). After a pause is sent, an XON frame can be
sent when the buffer usage is reduced below the low-water mark.
By default, the low_water value is 64 KB (10 GigabitEthernet)
and 16 KB (1 GigabitEthernet); you can set it between 0 and 511
(10 GigabitEthernet) or 0 and 47 KB (1 GigabitEthernet). The link
partner can resume traffic after receiving an XON, or after the
XOFF expires, as controlled by the timer value in the pause frame.
The default pause_time value is 26624; you can set it between 0
and 65535. If the buffer usage is consistently above the high-water
mark, pause frames are sent repeatedly, controlled by the pause
refresh threshold value.
When you use this command, you see the following warning:
Changing flow-control parameters will reset the
interface. Packets may be lost during the reset.
Proceed with flow-control changes?

To change the parameters without being prompted, use the
noconfirm keyword.
Note
Step 6

no shutdown

Example:
hostname(config-if)# no shutdown

Only flow control frames defined in 802.3x are supported.
Priority-based flow control is not supported.

Enables the interface. To disable the interface, enter the
shutdown command. If you enter the shutdown command, you
also shut down all subinterfaces. If you shut down an interface in
the system execution space, then that interface is shut down in all
contexts that share it.

What to Do Next
Optional Tasks:
•

Configure redundant interface pairs. See the “Configuring a Redundant Interface” section on
page 6-25.

•

Configure an EtherChannel. See the “Configuring an EtherChannel” section on page 6-27.

•

Configure VLAN subinterfaces. See the “Configuring VLAN Subinterfaces and 802.1Q Trunking”
section on page 6-30.

Required Tasks:
•

For multiple context mode, assign interfaces to contexts and automatically assign unique MAC
addresses to context interfaces. See the “Configuring Multiple Contexts” section on page 5-14.

Cisco ASA 5500 Series Configuration Guide using the CLI

6-24

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Starting Interface Configuration (ASA 5510 and Higher)

•

For single context mode, complete the interface configuration. See Chapter 8, “Completing
Interface Configuration (Routed Mode),” or Chapter 9, “Completing Interface Configuration
(Transparent Mode).”

Configuring a Redundant Interface
A logical redundant interface consists of a pair of physical interfaces: an active and a standby interface.
When the active interface fails, the standby interface becomes active and starts passing traffic. You can
configure a redundant interface to increase the ASA reliability. This feature is separate from device-level
failover, but you can configure redundant interfaces as well as failover if desired.
This section describes how to configure redundant interfaces and includes the following topics:
•

Configuring a Redundant Interface, page 6-25

•

Changing the Active Interface, page 6-27

Configuring a Redundant Interface
This section describes how to create a redundant interface. By default, redundant interfaces are enabled.

Guidelines and Limitations
•

You can configure up to 8 redundant interface pairs.

•

Redundant interface delay values are configurable, but by default the ASA inherits the default delay
values based on the physical type of its member interfaces.

•

See also the “Redundant Interface Guidelines” section on page 6-10.

•

Both member interfaces must be of the same physical type. For example, both must be Ethernet.

•

You cannot add a physical interface to the redundant interface if you configured a name for it. You
must first remove the name using the no nameif command.

•

For multiple context mode, complete this procedure in the system execution space. To change from
the context to the system execution space, enter the changeto system command.

Prerequisites

Caution

If you are using a physical interface already in your configuration, removing the name will clear any
configuration that refers to the interface.

Cisco ASA 5500 Series Configuration Guide using the CLI

6-25

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

Detailed Steps

Step 1

Command

Purpose

interface redundant number

Adds the logical redundant interface, where the number argument
is an integer between 1 and 8.

Example:

Note

hostname(config)# interface redundant 1

Step 2

You need to add at least one member interface to the
redundant interface before you can configure logical
parameters for it such as a name.

member-interface physical_interface

Adds the first member interface to the redundant interface.

Example:

See the “Enabling the Physical Interface and Configuring
Ethernet Parameters” section for a description of the physical
interface ID.

hostname(config-if)# member-interface
management 0/0

Redundant interfaces do not support Management slot/port
interfaces as members.
After you add the interface, any configuration for it (such as an IP
address) is removed.

Step 3

member-interface physical_interface

Adds the second member interface to the redundant interface.

Example:

Make sure the second interface is the same physical type as the
first interface.

hostname(config-if)# member-interface
management 1/0

To remove a member interface, enter the no member-interface
physical_interface command. You cannot remove both member
interfaces from the redundant interface; the redundant interface
requires at least one member interface.

Examples
The following example creates two redundant interfaces:
hostname(config)# interface redundant 1
hostname(config-if)# member-interface gigabitethernet
hostname(config-if)# member-interface gigabitethernet
hostname(config-if)# interface redundant 2
hostname(config-if)# member-interface gigabitethernet
hostname(config-if)# member-interface gigabitethernet

0/0
0/1
0/2
0/3

What to Do Next
Optional Task:
•

Configure VLAN subinterfaces. See the “Configuring VLAN Subinterfaces and 802.1Q Trunking”
section on page 6-30.

Required Tasks:
•

For multiple context mode, assign interfaces to contexts and automatically assign unique MAC
addresses to context interfaces. See the “Configuring Multiple Contexts” section on page 5-14.

•

For single context mode, complete the interface configuration. See the Chapter 8, “Completing
Interface Configuration (Routed Mode),” or Chapter 9, “Completing Interface Configuration
(Transparent Mode).”

Cisco ASA 5500 Series Configuration Guide using the CLI

6-26

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Starting Interface Configuration (ASA 5510 and Higher)

Changing the Active Interface
By default, the active interface is the first interface listed in the configuration, if it is available. To view
which interface is active, enter the following command:
hostname# show interface redundantnumber detail | grep Member

For example:
hostname# show interface redundant1 detail | grep Member
Members GigabitEthernet0/3(Active), GigabitEthernet0/2

To change the active interface, enter the following command:
hostname# redundant-interface redundantnumber active-member physical_interface

where the redundantnumber argument is the redundant interface ID, such as redundant1.
The physical_interface is the member interface ID that you want to be active.

Configuring an EtherChannel
This section describes how to create an EtherChannel port-channel interface, assign interfaces to the
EtherChannel, and customize the EtherChannel.
This section includes the following topics:
•

Adding Interfaces to the EtherChannel, page 6-27

•

Customizing the EtherChannel, page 6-29

Adding Interfaces to the EtherChannel
This section describes how to create an EtherChannel port-channel interface and assign interfaces to the
EtherChannel. By default, port-channel interfaces are enabled.

Guidelines and Limitations
•

You can configure up to 48 EtherChannels.

•

You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA
5550, as part of an EtherChannel.

•

See also the “EtherChannel Guidelines” section on page 6-10.

•

All interfaces in the channel group must be the same type, speed, and duplex. Half duplex is not
supported.

•

You cannot add a physical interface to the channel group if you configured a name for it. You must
first remove the name using the no nameif command.

•

For multiple context mode, complete this procedure in the system execution space. To change from
the context to the system execution space, enter the changeto system command.

Prerequisites

Cisco ASA 5500 Series Configuration Guide using the CLI

6-27

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

Caution

If you are using a physical interface already in your configuration, removing the name will clear any
configuration that refers to the interface.

Detailed Steps

Step 1

Command

Purpose

interface physical_interface

Specifies the interface you want to add to the channel group,
where the physical_interface ID includes the type, slot, and port
number as type[slot/]port. This first interface in the channel group
determines the type and speed for all other interfaces in the group.

Example:
hostname(config)# interface
gigabitethernet 0/0

Step 2

channel-group channel_id mode {active |
passive | on}

Example:
hostname(config-if)# channel-group 1 mode
active

In transparent mode, if you create a channel group with multiple
Management interfaces, then you can use this EtherChannel as the
management-only interface.
Assigns this physical interface to an EtherChannel with the
channel_id between 1 and 48. If the port-channel interface for this
channel ID does not yet exist in the configuration, one will be
added:
interface port-channel channel_id

We recommend using active mode. For information about active,
passive, and on modes, see the “Link Aggregation Control
Protocol” section on page 6-6.
Step 3

(Optional)
lacp port-priority number

Example:
hostname(config-if)# lacp port-priority
12345

Sets the priority for a physical interface in the channel group
between 1 and 65535. The default is 32768. The higher the
number, the lower the priority. The ASA uses this setting to decide
which interfaces are active and which are standby if you assign
more interfaces than can be used. If the port priority setting is the
same for all interfaces, then the priority is determined by the
interface ID (slot/port). The lowest interface ID is the highest
priority. For example, GigabitEthernet 0/0 is a higher priority
than GigabitEthernet 0/1.
If you want to prioritize an interface to be active even though it
has a higher interface ID, then set this command to have a lower
value. For example, to make GigabitEthernet 1/3 active before
GigabitEthernet 0/7, then make the lacp port-priority value be
12345 on the 1/3 interface vs. the default 32768 on the 0/7
interface.
If the device at the other end of the EtherChannel has conflicting
port priorities, the system priority is used to determine which port
priorities to use. See the lacp system-priority command in the
“Customizing the EtherChannel” section on page 6-29.

Step 4

Repeat steps 1 through 5 for each interface you
want to add to the channel group.

Cisco ASA 5500 Series Configuration Guide using the CLI

6-28

Each interface in the channel group must be the same type and
speed. Half duplex is not supported. If you add an interface that
does not match, it will be placed in a suspended state.

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Starting Interface Configuration (ASA 5510 and Higher)

What to Do Next
Optional Tasks:
•

Customize the EtherChannel interface. See the “Customizing the EtherChannel” section on
page 6-29.

•

Configure VLAN subinterfaces. See the “Configuring VLAN Subinterfaces and 802.1Q Trunking”
section on page 6-30.

Required Tasks:
•

For multiple context mode, assign interfaces to contexts and automatically assign unique MAC
addresses to context interfaces. See the “Configuring Multiple Contexts” section on page 5-14.

•

Customizing the EtherChannel
This section describes how to set the maximum number of interfaces in the EtherChannel, the minimum
number of operating interfaces for the EtherChannel to be active, the load balancing algorithm, and other
optional parameters.

Detailed Steps

Command
Step 1

interface port-channel channel_id

Step 2

lacp max-bundle number

Purpose

Specifies the port-channel interface. This interface was created
automatically when you added an interface to the channel group.
If you have not yet added an interface, then this command creates
Example:
the port-channel interface.
hostname(config)# interface port-channel 1
Note
You need to add at least one member interface to the
port-channel interface before you can configure logical
parameters for it such as a name.
Specifies the maximum number of active interfaces allowed in the
channel group, between 1 and 8. The default is 8.

Example:
hostname(config-if)# lacp max-bundle 6

Step 3

port-channel min-bundle number

Example:
hostname(config-if)# port-channel
min-bundle 2

Specifies the minimum number of active interfaces required for
the port-channel interface to become active, between 1 and 8. The
default is 1. If the active interfaces in the channel group falls
below this value, then the port-channel interface goes down, and
could trigger a device-level failover.

Cisco ASA 5500 Series Configuration Guide using the CLI

6-29

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

Step 4

Command

Purpose

port-channel load-balance {dst-ip |
dst-ip-port | dst-mac | dst-port |
src-dst-ip | src-dst-ip-port | src-dst-mac
| src-dst-port | src-ip | src-ip-port |
src-mac | src-port | vlan-dst-ip |
vlan-dst-ip-port | vlan-only |
vlan-src-dst-ip | vlan-src-dst-ip-port |
vlan-src-ip | vlan-src-ip-port}

Configures the load-balancing algorithm. By default, the ASA
balances the packet load on interfaces according to the source and
destination IP address (src-dst-ip) of the packet. If you want to
change the properties on which the packet is categorized, use this
command. For example, if your traffic is biased heavily towards
the same source and destination IP addresses, then the traffic
assignment to interfaces in the EtherChannel will be unbalanced.
Changing to a different algorithm can result in more evenly
distributed traffic. For more information about load balancing, see
the “Load Balancing” section on page 6-7.

Example:
hostname(config-if)# port-channel
load-balance src-dst-mac

Step 5

lacp system-priority number

Example:
hostname(config)# lacp system-priority
12345

Step 6

Sets the LACP system priority, from 1 to 65535. The default is
32768. The higher the number, the lower the priority. This
command is global for the ASA.
If the device at the other end of the EtherChannel has conflicting
port priorities, the system priority is used to determine which port
priorities to use. For interface priorities within an EtherChannel,
see the lacp port-priority command in the “Adding Interfaces to
the EtherChannel” section on page 6-27.

This method provides a shortcut to set these parameters because
these parameters must match for all interfaces in the channel
You can set the Ethernet properties for the
group. See the “Enabling the Physical Interface and Configuring
port-channel interface to override the properties
Ethernet Parameters” section on page 6-22 for Ethernet
set on the individual interfaces.
commands.
(Optional)

What to Do Next
Optional Task:
•

Configure VLAN subinterfaces. See the “Configuring VLAN Subinterfaces and 802.1Q Trunking”
section on page 6-30.

Required Tasks:
•

For multiple context mode, assign interfaces to contexts and automatically assign unique MAC
addresses to context interfaces. See the “Configuring Multiple Contexts” section on page 5-14.

•

Configuring VLAN Subinterfaces and 802.1Q Trunking
Subinterfaces let you divide a physical, redundant, or EtherChannel interface into multiple logical
interfaces that are tagged with different VLAN IDs. An interface with one or more VLAN subinterfaces
is automatically configured as an 802.1Q trunk. Because VLANs allow you to keep traffic separate on a
given physical interface, you can increase the number of interfaces available to your network without
adding additional physical interfaces or ASAs. This feature is particularly useful in multiple context
mode so that you can assign unique interfaces to each context.

Cisco ASA 5500 Series Configuration Guide using the CLI

6-30

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Starting Interface Configuration (ASA 5510 and Higher)

Guidelines and Limitations
•

Maximum subinterfaces—To determine how many VLAN subinterfaces are allowed for your
platform, see the “Licensing Requirements for ASA 5510 and Higher Interfaces” section on
page 6-8.

•

Preventing untagged packets on the physical interface—If you use subinterfaces, you typically do
not also want the physical interface to pass traffic, because the physical interface passes untagged
packets. This property is also true for the active physical interface in a redundant interface pair.
Because the physical or redundant interface must be enabled for the subinterface to pass traffic,
ensure that the physical or redundant interface does not pass traffic by leaving out the nameif
command. If you want to let the physical or redundant interface pass untagged packets, you can
configure the nameif command as usual. See Chapter 8, “Completing Interface Configuration
(Routed Mode),” or Chapter 9, “Completing Interface Configuration (Transparent Mode),” for more
information about completing the interface configuration.

•

(ASA 5512-X through ASA 5555-X) You cannot configure subinterfaces on the Management 0/0
interface.

Prerequisites
For multiple context mode, complete this procedure in the system execution space. To change from the
context to the system execution space, enter the changeto system command.

Detailed Steps

Step 1

Command

Purpose

interface {physical_interface | redundant
number | port-channel number}.subinterface

Specifies the new subinterface. See the “Enabling the Physical
Interface and Configuring Ethernet Parameters” section for a
description of the physical interface ID.

Example:

The redundant number argument is the redundant interface ID,
such as redundant 1.

hostname(config)# interface
gigabitethernet 0/1.100

The port-channel number argument is the EtherChannel interface
ID, such as port-channel 1.
The subinterface ID is an integer between 1 and 4294967293.
Step 2

vlan vlan_id

Example:
hostname(config-subif)# vlan 101

Specifies the VLAN for the subinterface. The vlan_id is an integer
between 1 and 4094. Some VLAN IDs might be reserved on
connected switches, so check the switch documentation for more
information.
You can only assign a single VLAN to a subinterface, and you
cannot assign the same VLAN to multiple subinterfaces. You
cannot assign a VLAN to the physical interface. Each subinterface
must have a VLAN ID before it can pass traffic. To change a
VLAN ID, you do not need to remove the old VLAN ID with the
no option; you can enter the vlan command with a different
VLAN ID, and the ASA changes the old ID.

Cisco ASA 5500 Series Configuration Guide using the CLI

6-31

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

What to Do Next
(Optional) For the ASA 5580 and 5585-X, enable jumbo frame support according to the “Enabling
Jumbo Frame Support (Supported Models)” section on page 6-32.

Enabling Jumbo Frame Support (Supported Models)
A jumbo frame is an Ethernet packet larger than the standard maximum of 1518 bytes (including Layer
2 header and FCS), up to 9216 bytes. You can enable support for jumbo frames for all interfaces by
increasing the amount of memory to process Ethernet frames. Assigning more memory for jumbo frames
might limit the maximum use of other features, such as access lists.
Supported models include:
•

ASA 5512-X

•

ASA 5515-X

•

ASA 5525-X

•

ASA 5545-X

•

ASA 5555-X

•

ASA 5580

•

ASA 5585-X

•

In multiple context mode, set this option in the system execution space.

•

Changes in this setting require you to reload the ASA.

•

Be sure to set the MTU for each interface that needs to transmit jumbo frames to a higher value than
the default 1500; for example, set the value to 9000 using the mtu command. See the “Configuring
the MAC Address and MTU” section on page 8-9. In multiple context mode, set the MTU within
each context.

Prerequisites

Detailed Steps

Command

Purpose

jumbo-frame reservation

Enables jumbo frame support for the ASA 5580 and 5585-X. To disable
jumbo frames, use the no form of this command.

Example:
hostname(config)# jumbo-frame reservation

Examples
The following example enables jumbo frame reservation, saves the configuration, and reloads the ASA:
hostname(config)# jumbo-frame reservation
WARNING: this command will take effect after the running-config is saved
and the system has been rebooted. Command accepted.
hostname(config)# write memory
Building configuration...

Cisco ASA 5500 Series Configuration Guide using the CLI

6-32

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Monitoring Interfaces

Cryptochecksum: 718e3706 4edb11ea 69af58d0 0a6b7cb5
70291 bytes copied in 3.710 secs (23430 bytes/sec)
[OK]
hostname(config)# reload
Proceed with reload? [confirm] Y

Monitoring Interfaces
To monitor interfaces, enter one of the following commands:
Command

Purpose

show interface

Displays interface statistics.

show interface ip brief

Displays interface IP addresses and status.

show lacp {[channel_group_number] {counters
| internal | neighbor} | sys-id}

For EtherChannel, displays LACP information such as traffic statistics,
system identifier and neighbor details.

show port-channel [channel_group_number]
[brief | detail | port | protocol |
summary]

For EtherChannel, displays EtherChannel information in a detailed and
one-line summary form. This command also displays the port and
port-channel information.

show port-channel channel_group_number
load-balance [hash-result {ip | ipv6 |
l4port | mac | mixed | vlan-only}
parameters]

For EtherChannel, displays port-channel load-balance information along
with the hash result and member interface selected for a given set of
parameters.

Configuration Examples for ASA 5510 and Higher Interfaces
This section includes the following topics:
•

Physical Interface Parameters Example, page 6-33

•

Subinterface Parameters Example, page 6-33

•

Multiple Context Mode Example, page 6-34

•

EtherChannel Example, page 6-34

Physical Interface Parameters Example
The following example configures parameters for the physical interface in single mode:
interface gigabitethernet 0/1
speed 1000
duplex full
no shutdown

Subinterface Parameters Example
The following example configures parameters for a subinterface in single mode:

Cisco ASA 5500 Series Configuration Guide using the CLI

6-33

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

Where to Go Next

interface gigabitethernet 0/1.1
vlan 101
no shutdown

Multiple Context Mode Example
The following example configures interface parameters in multiple context mode for the system
configuration, and allocates the gigabitethernet 0/1.1 subinterface to contextA:
interface gigabitethernet 0/1
speed 1000
duplex full
no shutdown
interface gigabitethernet 0/1.1
vlan 101
context contextA
allocate-interface gigabitethernet 0/1.1

EtherChannel Example
The following example configures three interfaces as part of an EtherChannel. It also sets the system
priority to be a higher priority, and GigabitEthernet 0/2 to be a higher priority than the other interfaces
in case more than eight interfaces are assigned to the EtherChannel.
lacp system-priority 1234
interface GigabitEthernet0/0
channel-group 1 mode active
interface GigabitEthernet0/1
channel-group 1 mode active
interface GigabitEthernet0/2
lacp port-priority 1234
channel-group 1 mode passive
interface Port-channel1
lacp max-bundle 4
port-channel min-bundle 2
port-channel load-balance dst-ip

Where to Go Next
•

For multiple context mode:
a. Assign interfaces to contexts and automatically assign unique MAC addresses to context

interfaces. See Chapter 5, “Configuring Multiple Context Mode.”
b. Complete the interface configuration according to Chapter 8, “Completing Interface

Configuration (Routed Mode),” or Chapter 9, “Completing Interface Configuration
(Transparent Mode).”
•

For single context mode, complete the interface configuration according to Chapter 8, “Completing
Interface Configuration (Routed Mode),” or Chapter 9, “Completing Interface Configuration
(Transparent Mode).”

Cisco ASA 5500 Series Configuration Guide using the CLI

6-34

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)
Feature History for ASA 5510 and Higher Interfaces

Feature History for ASA 5510 and Higher Interfaces
Table 6-3 lists the release history for this feature.
Table 6-3

Feature History for Interfaces

Feature Name

Releases

Feature Information

Increased VLANs

7.0(5)

Increased the following limits:
•

ASA5510 Base license VLANs from 0 to 10.

•

ASA5510 Security Plus license VLANs from 10 to 25.

•

ASA5520 VLANs from 25 to 100.

•

ASA5540 VLANs from 100 to 200.

Increased interfaces for the Base license on the 7.2(2)
ASA 5510

For the Base license on the ASA 5510, the maximum
number of interfaces was increased from 3 plus a
management interface to unlimited interfaces.

Increased VLANs

7.2(2)

VLAN limits were increased for the ASA 5510 (from 10 to
50 for the Base license, and from 25 to 100 for the Security
Plus license), the ASA 5520 (from 100 to 150), the ASA
5550 (from 200 to 250).

Gigabit Ethernet Support for the ASA 5510
Security Plus License

7.2(3)

The ASA 5510 ASA now supports GE (Gigabit Ethernet)
for port 0 and 1 with the Security Plus license. If you
upgrade the license from Base to Security Plus, the capacity
of the external Ethernet0/0 and Ethernet0/1 ports increases
from the original FE (Fast Ethernet) (100 Mbps) to GE
(1000 Mbps). The interface names will remain Ethernet 0/0
and Ethernet 0/1. Use the speed command to change the
speed on the interface and use the show interface command
to see what speed is currently configured for each interface.

Jumbo packet support for the ASA 5580

8.1(1)

The Cisco ASA 5580 supports jumbo frames. A jumbo
frame is an Ethernet packet larger than the standard
maximum of 1518 bytes (including Layer 2 header and
FCS), up to 9216 bytes. You can enable support for jumbo
frames for all interfaces by increasing the amount of
memory to process Ethernet frames. Assigning more
memory for jumbo frames might limit the maximum use of
other features, such as access lists.
This feature is also supported on the ASA 5585-X.
We introduced the following command: jumbo-frame
reservation.

Increased VLANs for the ASA 5580

8.1(2)

The number of VLANs supported on the ASA 5580 are
increased from 100 to 250.

Cisco ASA 5500 Series Configuration Guide using the CLI

6-35

Chapter 6

Starting Interface Configuration (ASA 5510 and Higher)

Feature History for ASA 5510 and Higher Interfaces

Table 6-3

Feature History for Interfaces (continued)

Feature Name

Releases

Feature Information

Support for Pause Frames for Flow Control on
the ASA 5580 10-Gigabit Ethernet Interfaces

8.2(2)

You can now enable pause (XOFF) frames for flow control.
This feature is also supported on the ASA 5585-X.
We introduced the following command: flowcontrol.

Support for Pause Frames for Flow Control on
1-Gigabit Ethernet Interfaces

8.2(5)/8.4(2)

You can now enable pause (XOFF) frames for flow control
for 1-Gigabit interfaces on all models.
We modified the following command: flowcontrol.

EtherChannel support

8.4(1)

You can configure up to 48 802.3ad EtherChannels of eight
active interfaces each.
We introduced the following commands: channel-group,
lacp port-priority, interface port-channel, lacp
max-bundle, port-channel min-bundle, port-channel
load-balance, lacp system-priority, clear lacp counters,
show lacp, show port-channel.
Note

Cisco ASA 5500 Series Configuration Guide using the CLI

6-36

EtherChannel is not supported on the ASA 5505.

CH A P T E R

Starting Interface Configuration (ASA 5505)
This chapter includes tasks for starting your interface configuration for the ASA 5505, including creating
VLAN interfaces and assigning them to switch ports.
For ASA 5510 and higher configuration, see the “Feature History for ASA 5505 Interfaces” section on
page 7-13.
This chapter includes the following sections:
•

Information About ASA 5505 Interfaces, page 7-1

•

Licensing Requirements for ASA 5505 Interfaces, page 7-4

•

Guidelines and Limitations, page 7-5

•

Default Settings, page 7-5

•

Starting ASA 5505 Interface Configuration, page 7-6

•

Monitoring Interfaces, page 7-11

•

Configuration Examples for ASA 5505 Interfaces, page 7-11

•

Where to Go Next, page 7-13

•

Feature History for ASA 5505 Interfaces, page 7-13

Information About ASA 5505 Interfaces
This section describes the ports and interfaces of the ASA 5505 and includes the following topics:
•

Understanding ASA 5505 Ports and Interfaces, page 7-2

•

Maximum Active VLAN Interfaces for Your License, page 7-2

•

VLAN MAC Addresses, page 7-4

•

Power over Ethernet, page 7-4

•

Monitoring Traffic Using SPAN, page 7-4

•

Auto-MDI/MDIX Feature, page 7-4

Cisco ASA 5500 Series Configuration Guide using the CLI

7-1

Chapter 7

Starting Interface Configuration (ASA 5505)

Information About ASA 5505 Interfaces

Understanding ASA 5505 Ports and Interfaces
The ASA 5505 supports a built-in switch. There are two kinds of ports and interfaces that you need to
configure:
•

Physical switch ports—The ASA has 8 Fast Ethernet switch ports that forward traffic at Layer 2,
using the switching function in hardware. Two of these ports are PoE ports. See the “Power over
Ethernet” section on page 7-4 for more information. You can connect these interfaces directly to
user equipment such as PCs, IP phones, or a DSL modem. Or you can connect to another switch.

•

Logical VLAN interfaces—In routed mode, these interfaces forward traffic between VLAN
networks at Layer 3, using the configured security policy to apply firewall and VPN services. In
transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer
2, using the configured security policy to apply firewall services. See the “Maximum Active VLAN
Interfaces for Your License” section for more information about the maximum VLAN interfaces.
VLAN interfaces let you divide your equipment into separate VLANs, for example, home, business,
and Internet VLANs.

To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface.
Switch ports on the same VLAN can communicate with each other using hardware switching. But when
a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, then the ASA applies
the security policy to the traffic and routes or bridges between the two VLANs.

Maximum Active VLAN Interfaces for Your License
In routed mode, you can configure the following VLANs depending on your license:
•

Base license—3 active VLANs. The third VLAN can only be configured to initiate traffic to one
other VLAN. See Figure 7-1 for more information.

•

Security Plus license—20 active VLANs.

In transparent firewall mode, you can configure the following VLANs depending on your license:

Note

•

Base license—2 active VLANs in 1 bridge group.

•

Security Plus license—3 active VLANs: 2 active VLANs in 1 bridge group, and 1 active VLAN for
the failover link.

An active VLAN is a VLAN with a nameif command configured.

Cisco ASA 5500 Series Configuration Guide using the CLI

7-2

Starting Interface Configuration (ASA 5505)
Information About ASA 5505 Interfaces

With the Base license in routed mode, the third VLAN can only be configured to initiate traffic to one
other VLAN. See Figure 7-1 for an example network where the Home VLAN can communicate with the
Internet, but cannot initiate contact with Business.
Figure 7-1

ASA 5505 with Base License

Internet

ASA 5505
with Base License

Home

153364

Business

With the Security Plus license, you can configure 20 VLAN interfaces in routed mode, including a
VLAN interface for failover and a VLAN interface as a backup link to your ISP. You can configure the
backup interface to not pass through traffic unless the route through the primary interface fails. You can
configure trunk ports to accommodate multiple VLANs per port.

Note

The ASA 5505 supports Active/Standby failover, but not Stateful Failover.
See Figure 7-2 for an example network.
Figure 7-2

ASA 5505 with Security Plus License

Backup ISP

Primary ISP

ASA 5505
with Security Plus
License

Failover
ASA 5505

DMZ

Failover Link

Inside

153365

Chapter 7

Cisco ASA 5500 Series Configuration Guide using the CLI

7-3

Chapter 7

Starting Interface Configuration (ASA 5505)

Licensing Requirements for ASA 5505 Interfaces

VLAN MAC Addresses
•

Routed firewall mode—All VLAN interfaces share a MAC address. Ensure that any connected
switches can support this scenario. If the connected switches require unique MAC addresses, you
can manually assign MAC addresses. See the “Configuring the MAC Address and MTU” section on
page 8-9.

•

Transparent firewall mode—Each VLAN has a unique MAC address. You can override the generated
MAC addresses if desired by manually assigning MAC addresses. See the “Configuring the MAC
Address and MTU” section on page 9-12.

Power over Ethernet
Ethernet 0/6 and Ethernet 0/7 support PoE for devices such as IP phones or wireless access points. If you
install a non-PoE device or do not connect to these switch ports, the ASA does not supply power to the
switch ports.
If you shut down the switch port using the shutdown command, you disable power to the device. Power
is restored when you enable the port using the no shutdown command. See the “Configuring and
Enabling Switch Ports as Access Ports” section on page 7-7 for more information about shutting down
a switch port.
To view the status of PoE switch ports, including the type of device connected (Cisco or IEEE 802.3af),
use the show power inline command.

Monitoring Traffic Using SPAN
If you want to monitor traffic that enters or exits one or more switch ports, you can enable SPAN, also
known as switch port monitoring. The port for which you enable SPAN (called the destination port)
receives a copy of every packet transmitted or received on a specified source port. The SPAN feature lets
you attach a sniffer to the destination port so you can monitor all traffic; without SPAN, you would have
to attach a sniffer to every port you want to monitor. You can only enable SPAN for one destination port.
See the switchport monitor command in the command reference for more information.

Auto-MDI/MDIX Feature
All ASA 5505 interfaces include the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need
for crossover cabling by performing an internal crossover when a straight cable is detected during the
auto-negotiation phase. You cannot disable Auto-MDI/MDIX.

Licensing Requirements for ASA 5505 Interfaces

Cisco ASA 5500 Series Configuration Guide using the CLI

7-4

Chapter 7

Starting Interface Configuration (ASA 5505)
Guidelines and Limitations

Model

License Requirement

ASA 5505

VLANs:
Base License: 3 (2 regular zones and 1 restricted zone that can only communicate with 1 other
zone)
Security Plus License: 20
VLAN Trunks:
Base License: None.
Security Plus License: 8.
Interfaces of all types1:
Base License: 52.
Security Plus License: 120.

1. The maximum number of combined interfaces; for example, VLANs, physical, redundant, and bridge group interfaces.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

The ASA 5505 does not support multiple context mode.
Firewall Mode Guidelines
•

In transparent mode, you can configure up to eight bridge groups. Note that you must use at least
one bridge group; data interfaces must belong to a bridge group.

•

Each bridge group can include up to four VLAN interfaces, up to the license limit.

Interfaces have the following default states:
•

Switch ports—Disabled.

•

VLANs—Enabled. However, for traffic to pass through the VLAN, the switch port must also be
enabled.

Default Speed and Duplex

By default, the speed and duplex are set to auto-negotiate.

Cisco ASA 5500 Series Configuration Guide using the CLI

7-5

Chapter 7

Starting Interface Configuration (ASA 5505)

Starting ASA 5505 Interface Configuration

Starting ASA 5505 Interface Configuration
This section includes the following topics:
•

Task Flow for Starting Interface Configuration, page 7-6

•

Configuring VLAN Interfaces, page 7-6

•

Configuring and Enabling Switch Ports as Access Ports, page 7-7

•

Configuring and Enabling Switch Ports as Trunk Ports, page 7-9

Task Flow for Starting Interface Configuration
To configure interfaces in single mode, perform the following steps:
Step 1

Configure VLAN interfaces. See the “Configuring VLAN Interfaces” section on page 7-6.

Step 2

Configure and enable switch ports as access ports. See the “Configuring and Enabling Switch Ports as
Access Ports” section on page 7-7.

Step 3

(Optional for Security Plus licenses) Configure and enable switch ports as trunk ports. See the
“Configuring and Enabling Switch Ports as Trunk Ports” section on page 7-9.

Step 4

Complete the interface configuration according to Chapter 8, “Completing Interface Configuration
(Routed Mode),” or Chapter 9, “Completing Interface Configuration (Transparent Mode).”

Configuring VLAN Interfaces
This section describes how to configure VLAN interfaces. For more information about ASA 5505
interfaces, see the “Information About ASA 5505 Interfaces” section on page 7-1.

Guidelines
We suggest that you finalize your interface configuration before you enable Easy VPN.

Cisco ASA 5500 Series Configuration Guide using the CLI

7-6

Chapter 7

Starting Interface Configuration (ASA 5505)
Starting ASA 5505 Interface Configuration

Detailed Steps

Step 1

Command

Purpose

interface vlan number

Adds a VLAN interface, where the number is between 1 and 4090.

Example:
hostname(config)# interface vlan 100

Step 2

(Optional for the Base license)
no forward interface vlan number

To remove this VLAN interface and all associated configuration,
enter the no interface vlan command. Because this interface also
includes the interface name configuration, and the name is used in
other commands, those commands are also removed.
Allows this interface to be the third VLAN by limiting it from
initiating contact to one other VLAN.
The number specifies the VLAN ID to which this VLAN interface
cannot initiate traffic.

Example:
hostname(config-if)# no forward interface
vlan 101

With the Base license, you can only configure a third VLAN if
you use this command to limit it.
For example, you have one VLAN assigned to the outside for
Internet access, one VLAN assigned to an inside business
network, and a third VLAN assigned to your home network. The
home network does not need to access the business network, so
you can use the no forward interface command on the home
VLAN; the business network can access the home network, but
the home network cannot access the business network.
If you already have two VLAN interfaces configured with a
nameif command, be sure to enter the no forward interface
command before the nameif command on the third interface; the
ASA does not allow three fully functioning VLAN interfaces with
the Base license on the ASA 5505.
Note

If you upgrade to the Security Plus license, you can
remove this command and achieve full functionality for
this interface. If you leave this command in place, this
interface continues to be limited even after upgrading.

What to Do Next
Configure the switch ports. See the “Configuring and Enabling Switch Ports as Access Ports” section on
page 7-7 and the “Configuring and Enabling Switch Ports as Trunk Ports” section on page 7-9.

Configuring and Enabling Switch Ports as Access Ports
By default (with no configuration), all switch ports are shut down, and assigned to VLAN 1. To assign
a switch port to a single VLAN, configure it as an access port. To create a trunk port to carry multiple
VLANs, see the “Configuring and Enabling Switch Ports as Trunk Ports” section on page 7-9. If you
have a factory default configuration, see the “ASA 5505 Default Configuration” section on page 2-11 to
check if you want to change the default interface settings according to this procedure.
For more information about ASA 5505 interfaces, see the “Information About ASA 5505 Interfaces”
section on page 7-1.

Cisco ASA 5500 Series Configuration Guide using the CLI

7-7

Chapter 7

Starting Interface Configuration (ASA 5505)

Starting ASA 5505 Interface Configuration

Caution

The ASA 5505 does not support Spanning Tree Protocol for loop detection in the network. Therefore
you must ensure that any connection with the ASA does not end up in a network loop.

Detailed Steps

Step 1

Command

Purpose

interface ethernet0/port

Specifies the switch port you want to configure, where port is 0
through 7.

Example:
hostname(config)# interface ethernet0/1

Step 2

switchport access vlan number

Example:
hostname(config-if)# switchport access
vlan 100

Assigns this switch port to a VLAN, where number is the VLAN
ID, between 1 and 4090. See the “Configuring VLAN Interfaces”
section on page 7-6 to configure the VLAN interface that you
want to assign to this switch port. To view configured VLANs,
enter the show interface command.
Note

Step 3

(Optional)
switchport protected

Example:
hostname(config-if)# switchport protected

Step 4

(Optional)
speed {auto | 10 | 100}

Example:

You might assign multiple switch ports to the primary or
backup VLANs if the Internet access device includes
Layer 2 redundancy.

Prevents the switch port from communicating with other
protected switch ports on the same VLAN.
You might want to prevent switch ports from communicating with
each other if the devices on those switch ports are primarily
accessed from other VLANs, you do not need to allow
intra-VLAN access, and you want to isolate the devices from each
other in case of infection or other security breach. For example, if
you have a DMZ that hosts three web servers, you can isolate the
web servers from each other if you apply the switchport
protected command to each switch port. The inside and outside
networks can both communicate with all three web servers, and
vice versa, but the web servers cannot communicate with each
other.
Sets the speed. The auto setting is the default. If you set the speed
to anything other than auto on PoE ports Ethernet 0/6 or 0/7, then
Cisco IP phones and Cisco wireless access points that do not
support IEEE 802.3af will not be detected and supplied with
power.

hostname(config-if)# speed 100

Step 5

(Optional)
duplex {auto | full | half}

Example:

Sets the duplex. The auto setting is the default. If you set the
duplex to anything other than auto on PoE ports Ethernet 0/6 or
0/7, then Cisco IP phones and Cisco wireless access points that do
not support IEEE 802.3af will not be detected and supplied with
power.

hostname(config-if)# duplex full

Step 6

no shutdown

Example:
hostname(config-if)# no shutdown

Cisco ASA 5500 Series Configuration Guide using the CLI

7-8

Enables the switch port. To disable the switch port, enter the
shutdown command.

Chapter 7

Starting Interface Configuration (ASA 5505)
Starting ASA 5505 Interface Configuration

What to Do Next
•

If you want to configure a switch port as a trunk port, see the “Configuring and Enabling Switch
Ports as Trunk Ports” section on page 7-9.

•

To complete the interface configuration, see Chapter 8, “Completing Interface Configuration
(Routed Mode),” or Chapter 9, “Completing Interface Configuration (Transparent Mode).”

Configuring and Enabling Switch Ports as Trunk Ports
This procedure describes how to create a trunk port that can carry multiple VLANs using 802.1Q
tagging. Trunk mode is available only with the Security Plus license.
To create an access port, where an interface is assigned to only one VLAN, see the “Configuring and
Enabling Switch Ports as Access Ports” section on page 7-7.

Guidelines
This switch port cannot pass traffic until you assign at least one VLAN to it, native or non-native.

Detailed Steps

Step 1

Command

Purpose

interface ethernet0/port

Specifies the switch port you want to configure, where port is 0
through 7.

Example:
hostname(config)# interface ethernet0/1

Step 2

To assign VLANs to this trunk, do one or more of the following:
switchport trunk allowed vlan vlan_range

Example:
hostname(config)# switchport trunk allowed
vlan 100-200

Identifies one or more VLANs that you can assign to the trunk
port, where the vlan_range (with VLANs between 1 and 4090)
can be identified in one of the following ways:
•

A single number (n)

•

A range (n-x)

•

Separate numbers and ranges by commas, for example:
5,7-10,13,45-100
You can enter spaces instead of commas, but the command is
saved to the configuration with commas.

You can include the native VLAN in this command, but it is not
required; the native VLAN is passed whether it is included in this
command or not.

Cisco ASA 5500 Series Configuration Guide using the CLI

7-9

Chapter 7

Starting Interface Configuration (ASA 5505)

Starting ASA 5505 Interface Configuration

Command

Purpose

switchport trunk native vlan vlan_id

Assigns a native VLAN to the trunk, where the vlan_id is a single
VLAN ID between 1 and 4090.

Example:

Packets on the native VLAN are not modified when sent over the
trunk. For example, if a port has VLANs 2, 3 and 4 assigned to it,
and VLAN 2 is the native VLAN, then packets on VLAN 2 that
egress the port are not modified with an 802.1Q header. Frames
which ingress (enter) this port and have no 802.1Q header are put
into VLAN 2.

hostname(config-if)# switchport trunk
native vlan 100

Each port can only have one native VLAN, but every port can have
either the same or a different native VLAN.
Step 3

switchport mode trunk

Makes this switch port a trunk port. To restore this port to access
mode, enter the switchport mode access command.

Example:
hostname(config-if)# switchport mode trunk

Step 4

(Optional)
switchport protected

Example:
hostname(config-if)# switchport protected

Step 5

(Optional)
speed {auto | 10 | 100}

Example:

hostname(config-if)# speed 100

Step 6

(Optional)
duplex {auto | full | half}

Example:

hostname(config-if)# duplex full

Step 7

no shutdown

Example:
hostname(config-if)# no shutdown

Cisco ASA 5500 Series Configuration Guide using the CLI

7-10

Enables the switch port. To disable the switch port, enter the
shutdown command.

Chapter 7

Starting Interface Configuration (ASA 5505)
Monitoring Interfaces

Monitoring Interfaces
To monitor interfaces, enter one of the following commands:
Command

Purpose

show interface

Displays interface statistics.

show interface ip brief

Displays interface IP addresses and status.

Configuration Examples for ASA 5505 Interfaces
This section includes the following topics:
•

Access Port Example, page 7-11

•

Trunk Port Example, page 7-12

Access Port Example
The following example configures five VLAN interfaces, including the failover interface which is
configured using the failover lan command:
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#

interface vlan 200
nameif inside
security-level 100
ip address 10.2.1.1 255.255.255.0
no shutdown

hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#

interface vlan 300
nameif dmz
security-level 50
ip address 10.3.1.1 255.255.255.0
no shutdown

hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#

interface vlan 400
nameif backup-isp
security-level 50
ip address 10.1.2.1 255.255.255.0
no shutdown

hostname(config-if)# failover lan faillink vlan500
hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2
255.255.255.0
hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport access vlan 200

Cisco ASA 5500 Series Configuration Guide using the CLI

7-11

Chapter 7

Starting Interface Configuration (ASA 5505)

Configuration Examples for ASA 5505 Interfaces

hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 400
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 500
hostname(config-if)# no shutdown

Trunk Port Example
The following example configures seven VLAN interfaces, including the failover interface which is
configured using the failover lan command. VLANs 200, 201, and 202 are trunked on Ethernet 0/1.
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#

interface vlan 200
nameif inside
security-level 100
ip address 10.2.1.1 255.255.255.0
no shutdown

hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#

interface vlan 201
nameif dept1
security-level 90
ip address 10.2.2.1 255.255.255.0
no shutdown

hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#

interface vlan 202
nameif dept2
security-level 90
ip address 10.2.3.1 255.255.255.0
no shutdown

hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#

interface vlan 300
nameif dmz
security-level 50
ip address 10.3.1.1 255.255.255.0
no shutdown

hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#

interface vlan 400
nameif backup-isp
security-level 50
ip address 10.1.2.1 255.255.255.0
no shutdown

Cisco ASA 5500 Series Configuration Guide using the CLI

7-12

Chapter 7

Starting Interface Configuration (ASA 5505)
Where to Go Next

hostname(config-if)# no shutdown
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#

interface ethernet 0/1
switchport mode trunk
switchport trunk allowed vlan 200-202
switchport trunk native vlan 5
no shutdown

hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 400
hostname(config-if)# no shutdown
hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 500
hostname(config-if)# no shutdown

Where to Go Next
Complete the interface configuration according to Chapter 8, “Completing Interface Configuration
(Routed Mode),” or Chapter 9, “Completing Interface Configuration (Transparent Mode).”

Feature History for ASA 5505 Interfaces
Table 7-1 lists the release history for this feature.
Table 7-1

Feature History for Interfaces

Feature Name

Releases

Feature Information

Increased VLANs

7.2(2)

Native VLAN support for the ASA 5505

7.2(4)/8.0(4)

You can now include the native VLAN in an ASA 5505
trunk port.
We introduced the following command: switchport trunk
native vlan.

Cisco ASA 5500 Series Configuration Guide using the CLI

7-13

Chapter 7
Feature History for ASA 5505 Interfaces

Cisco ASA 5500 Series Configuration Guide using the CLI

7-14

Starting Interface Configuration (ASA 5505)

CH A P T E R

Completing Interface Configuration
(Routed Mode)
This chapter includes tasks to complete the interface configuration for all models in routed firewall
mode. This chapter includes the following sections:

Note

•

Information About Completing Interface Configuration in Routed Mode, page 8-1

•

Licensing Requirements for Completing Interface Configuration in Routed Mode, page 8-2

•

Guidelines and Limitations, page 8-5

•

Default Settings, page 8-5

•

Completing Interface Configuration in Routed Mode, page 8-5

•

Monitoring Interfaces, page 8-16

•

Configuration Examples for Interfaces in Routed Mode, page 8-16

•

Feature History for Interfaces in Routed Mode, page 8-17

For multiple context mode, complete the tasks in this section in the context execution space. Enter the
changeto context name command to change to the context you want to configure.

Information About Completing Interface Configuration in Routed
Mode
This section includes the following topics:
•

Security Levels, page 8-1

•

Dual IP Stack (IPv4 and IPv6), page 8-2

Security Levels
Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should
assign your most secure network, such as the inside host network, to level 100. While the outside
network connected to the Internet can be level 0. Other networks, such as DMZs can be in between. You
can assign interfaces to the same security level. See the “Allowing Same Security Level Communication”
section on page 8-15 for more information.

Cisco ASA 5500 Series Configuration Guide using the CLI

8-1

Chapter 8

Completing Interface Configuration (Routed Mode)

Licensing Requirements for Completing Interface Configuration in Routed Mode

The level controls the following behavior:
•

Network access—By default, there is an implicit permit from a higher security interface to a lower
security interface (outbound). Hosts on the higher security interface can access any host on a lower
security interface. You can limit access by applying an access list to the interface.
If you enable communication for same security interfaces (see the “Allowing Same Security Level
Communication” section on page 8-15), there is an implicit permit for interfaces to access other
interfaces on the same security level or lower.

•

Inspection engines—Some application inspection engines are dependent on the security level. For
same security interfaces, inspection engines apply to traffic in either direction.
– NetBIOS inspection engine—Applied only for outbound connections.
– SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port

exists between a pair of hosts, then only an inbound data connection is permitted through the
ASA.
•

Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level
to a lower level).
If you enable communication for same security interfaces, you can filter traffic in either direction.

•

established command—This command allows return connections from a lower security host to a
higher security host if there is already an established connection from the higher level host to the
lower level host.
If you enable communication for same security interfaces, you can configure established commands
for both directions.

Dual IP Stack (IPv4 and IPv6)
The ASA supports the configuration of both IPv6 and IPv4 on an interface. You do not need to enter any
special commands to do so; simply enter the IPv4 configuration commands and IPv6 configuration
commands as you normally would. Make sure you configure a default route for both IPv4 and IPv6.

Licensing Requirements for Completing Interface Configuration
in Routed Mode

Cisco ASA 5500 Series Configuration Guide using the CLI

8-2

Chapter 8

Completing Interface Configuration (Routed Mode)
Licensing Requirements for Completing Interface Configuration in Routed Mode

Model

License Requirement

ASA 5505

1. The maximum number of combined interfaces; for example, VLANs, physical, redundant, and bridge group interfaces.

Model

License Requirement

ASA 5510

ASA 5520

VLANs:
Base License: 150.
Interfaces of all types1:
Base License: 640

ASA 5540

VLANs:
Base License: 200
Interfaces of all types1:
Base License: 840

ASA 5550

VLANs:
Base License: 400
Interfaces of all types1:
Base License: 1640

Cisco ASA 5500 Series Configuration Guide using the CLI

8-3

Chapter 8

Completing Interface Configuration (Routed Mode)

Licensing Requirements for Completing Interface Configuration in Routed Mode

Model

License Requirement

ASA 5580

VLANs:
Base License: 1024
Interfaces of all types1:
Base License: 4176

ASA 5512-X

VLANs:
Base License: 50
Interfaces of all types1:
Base License: 328

ASA 5515-X

VLANs:
Base License: 100
Interfaces of all types1:
Base License: 528

ASA 5525-X

VLANs:
Base License: 200
Interfaces of all types1:
Base License: 928

ASA 5545-X

VLANs:
Base License: 300
Interfaces of all types1:
Base License: 1328

ASA 5555-X

VLANs:
Base License: 500
Interfaces of all types1:
Base License: 2128

ASA 5585-X

1. The maximum number of combined interfaces; for example, VLANs, physical, redundant, bridge group, and EtherChannel interfaces.

Cisco ASA 5500 Series Configuration Guide using the CLI

8-4

Chapter 8

Completing Interface Configuration (Routed Mode)
Guidelines and Limitations

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
•

For the ASA 5510 and higher in multiple context mode, configure the physical interfaces in the
system execution space according to Chapter 6, “Starting Interface Configuration
(ASA 5510 and Higher).” Then, configure the logical interface parameters in the context execution
space according to this chapter.
The ASA 5505 does not support multiple context mode.

•

In multiple context mode, you can only configure context interfaces that you already assigned to the
context in the system configuration according to the “Configuring Multiple Contexts” section on
page 5-14.

•

PPPoE is not supported in multiple context mode.

Firewall Mode Guidelines

Supported in routed firewall mode. For transparent mode, see Chapter 9, “Completing Interface
Configuration (Transparent Mode).”
Failover Guidelines

Do not finish configuring failover interfaces with the procedures in this chapter. See the “Configuring
Active/Standby Failover” section on page 62-7 or the “Configuring Active/Active Failover” section on
page 63-8 to configure the failover and state links. In multiple context mode, failover interfaces are
configured in the system configuration.
IPv6 Guidelines

Supports IPv6.

The default security level is 0. If you name an interface “inside” and you do not set the security level
explicitly, then the ASA sets the security level to 100.

Note

If you change the security level of an interface, and you do not want to wait for existing connections to
time out before the new security information is used, you can clear the connections using the
clear local-host command.

Completing Interface Configuration in Routed Mode
This section includes the following topics:

Cisco ASA 5500 Series Configuration Guide using the CLI

8-5

Chapter 8

Completing Interface Configuration (Routed Mode)

Completing Interface Configuration in Routed Mode

•

Task Flow for Completing Interface Configuration, page 8-6

•

Configuring General Interface Parameters, page 8-6

•

Configuring the MAC Address and MTU, page 8-9

•

Configuring IPv6 Addressing, page 8-11

•

Allowing Same Security Level Communication, page 8-15

Task Flow for Completing Interface Configuration
Step 1

Set up your interfaces depending on your model:
•

ASA 5510 and higher—Chapter 6, “Starting Interface Configuration (ASA 5510 and Higher).”

•

ASA 5505—Chapter 7, “Starting Interface Configuration (ASA 5505).”

Step 2

(Multiple context mode) Allocate interfaces to the context according to the “Configuring Multiple
Contexts” section on page 5-14.

Step 3

(Multiple context mode) Enter the changeto context name command to change to the context you want
to configure. Configure general interface parameters, including the interface name, security level, and
IPv4 address. See the “Configuring General Interface Parameters” section on page 8-6.

Step 4

(Optional) Configure the MAC address and the MTU. See the “Configuring the MAC Address and
MTU” section on page 8-9.

Step 5

(Optional) Configure IPv6 addressing. See the “Configuring IPv6 Addressing” section on page 8-11.

Step 6

(Optional) Allow same security level communication, either by allowing communication between two
interfaces or by allowing traffic to enter and exit the same interface. See the “Allowing Same Security
Level Communication” section on page 8-15.

Configuring General Interface Parameters
This procedure describes how to set the name, security level, IPv4 address and other options.
For the ASA 5510 and higher, you must configure interface parameters for the following interface types:
•

Physical interfaces

•

VLAN subinterfaces

•

Redundant interfaces

•

EtherChannel interfaces

For the ASA 5505, you must configure interface parameters for the following interface types:
•

VLAN interfaces

Guidelines and Limitations
•

For the ASA 5550, for maximum throughput, be sure to balance your traffic over the two interface
slots; for example, assign the inside interface to slot 1 and the outside interface to slot 0.

Cisco ASA 5500 Series Configuration Guide using the CLI

8-6

Chapter 8

Completing Interface Configuration (Routed Mode)
Completing Interface Configuration in Routed Mode

•

If you are using failover, do not use this procedure to name interfaces that you are reserving for
failover and Stateful Failover communications. See the “Configuring Active/Standby Failover”
section on page 62-7 or the “Configuring Active/Active Failover” section on page 63-8 to configure
the failover and state links.

•

PPPoE is not supported in multiple context mode.

•

Set up your interfaces depending on your model:

Restrictions

Prerequisites

– ASA 5510 and higher—Chapter 6, “Starting Interface Configuration (ASA 5510 and Higher).”
– ASA 5505—Chapter 7, “Starting Interface Configuration (ASA 5505).”
•

•

In multiple context mode, complete this procedure in the context execution space. To change from
the system to a context configuration, enter the changeto context name command.

Detailed Steps

Step 1

Command

Purpose

For the ASA 5510 and higher:

If you are not already in interface configuration mode, enters
interface configuration mode.

interface {{redundant number |
port-channel number |
physical_interface}[.subinterface] |
mapped_name}

For the ASA 5505:
hostname(config)# interface vlan number

Example:
hostname(config)# interface
gigabithethernet 0/0

The redundant number argument is the redundant interface ID,
such as redundant 1.
The port-channel number argument is the EtherChannel interface
ID, such as port-channel 1.
See the “Enabling the Physical Interface and Configuring
Ethernet Parameters” section for a description of the physical
interface ID.
Append the subinterface ID to the physical or redundant interface
ID separated by a period (.).
In multiple context mode, enter the mapped_name if one was
assigned using the allocate-interface command.

Step 2

nameif name

Example:
hostname(config-if)# nameif inside

Step 3

Names the interface.
The name is a text string up to 48 characters, and is not
case-sensitive. You can change the name by reentering this
command with a new value. Do not enter the no form, because
that command causes all commands that refer to that name to be
deleted.

Do one of the following:

Cisco ASA 5500 Series Configuration Guide using the CLI

8-7

Chapter 8

Completing Interface Configuration (Routed Mode)

Completing Interface Configuration in Routed Mode

Command

Purpose

ip address ip_address [mask] [standby
ip_address]

Sets the IP address manually.
Note

Example:
hostname(config-if)# ip address 10.1.1.1
255.255.255.0 standby 10.1.1.2

For use with failover, you must set the IP address and
standby address manually; DHCP and PPPoE are not
supported.

The ip_address and mask arguments set the interface IP address
and subnet mask.
The standby ip_address argument is used for failover. See the
“Configuring Active/Standby Failover” section on page 62-7 or
the “Configuring Active/Active Failover” section on page 63-8
for more information.

ip address dhcp [setroute]

Obtains an IP address from a DHCP server.

Example:

The setroute keyword lets the ASA use the default route supplied
by the DHCP server.

hostname(config-if)# ip address dhcp

Reenter this command to reset the DHCP lease and request a new
lease.
If you do not enable the interface using the no shutdown
command before you enter the ip address dhcp command, some
DHCP requests might not be sent.

To obtain an IP address from a PPPoE server, see PPPoE is not supported in multiple context mode.
Chapter 72, “Configuring the PPPoE Client.”
Step 4

security-level number

Example:

Sets the security level, where number is an integer between 0
(lowest) and 100 (highest). See the “Security Levels” section on
page 8-1.

hostname(config-if)# security-level 50

Step 5

(Optional)
management-only

Example:
hostname(config-if)# management-only

Sets an interface to management-only mode so that it does not
pass through traffic.
By default, Management interfaces are configured as
management-only. To disable this setting, enter the no
management-only command.
(ASA 5512-X through ASA 5555-X) You cannot disable
management-only on the Management 0/0 interface.
The management-only command is not supported for a
redundant interface.

Example
The following example configures parameters for VLAN 101:
hostname(config)# interface vlan 101
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0

The following example configures parameters in multiple context mode for the context configuration.
The interface ID is a mapped name.
hostname/contextA(config)# interface int1

Cisco ASA 5500 Series Configuration Guide using the CLI

8-8

Chapter 8

Completing Interface Configuration (Routed Mode)
Completing Interface Configuration in Routed Mode

hostname/contextA(config-if)# nameif outside
hostname/contextA(config-if)# security-level 100
hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0

What to Do Next
•

(Optional) Configure the MAC address and the MTU. See the “Configuring the MAC Address and
MTU” section on page 8-9.

•

(Optional) Configure IPv6 addressing. See the “Configuring IPv6 Addressing” section on
page 8-11.

Configuring the MAC Address and MTU
This section describes how to configure MAC addresses for interfaces and how to set the MTU.

Information About MAC Addresses
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical
interface use the same burned-in MAC address.
A redundant interface uses the MAC address of the first physical interface that you add. If you change
the order of the member interfaces in the configuration, then the MAC address changes to match the
MAC address of the interface that is now listed first. If you assign a MAC address to the redundant
interface using this command, then it is used regardless of the member interface MAC addresses.
For an EtherChannel, all interfaces that are part of the channel group share the same MAC address. This
feature makes the EtherChannel transparent to network applications and users, because they only see the
one logical connection; they have no knowledge of the individual links. The port-channel interface uses
the lowest numbered channel group interface MAC address as the port-channel MAC address.
Alternatively you can manually configure a MAC address for the port-channel interface. In multiple
context mode, you can automatically assign unique MAC addresses to interfaces, including an
EtherChannel port interface. We recommend manually, or in multiple context mode, automatically
configuring a unique MAC address in case the group channel interface membership changes. If you
remove the interface that was providing the port-channel MAC address, then the port-channel MAC
address changes to the next lowest numbered interface, thus causing traffic disruption.
In multiple context mode, if you share an interface between contexts, you can assign a unique MAC
address to the interface in each context. This feature lets the ASA easily classify packets into the
appropriate context. Using a shared interface without unique MAC addresses is possible, but has some
limitations. See the “How the ASA Classifies Packets” section on page 5-3 for more information. You
can assign each MAC address manually, or you can automatically generate MAC addresses for shared
interfaces in contexts. See the “Automatically Assigning MAC Addresses to Context Interfaces” section
on page 5-22 to automatically generate MAC addresses. If you automatically generate MAC addresses,
you can use this procedure to override the generated address.
For single context mode, or for interfaces that are not shared in multiple context mode, you might want
to assign unique MAC addresses to subinterfaces. For example, your service provider might perform
access control based on the MAC address.

Information About the MTU
The MTU is the maximum datagram size that is sent on a connection. Data that is larger than the MTU
value is fragmented before being sent.

Cisco ASA 5500 Series Configuration Guide using the CLI

8-9

Chapter 8

Completing Interface Configuration (Routed Mode)

Completing Interface Configuration in Routed Mode

The ASA supports IP path MTU discovery (as defined in RFC 1191), which allows a host to dynamically
discover and cope with the differences in the maximum allowable MTU size of the various links along
the path. Sometimes, the ASA cannot forward a datagram because the packet is larger than the MTU that
you set for the interface, but the “don't fragment” (DF) bit is set. The network software sends a message
to the sending host, alerting it to the problem. The host has to fragment packets for the destination so
that they fit the smallest packet size of all the links along the path.
The default MTU is 1500 bytes in a block for Ethernet interfaces. This value is sufficient for most
applications, but you can pick a lower number if network conditions require it.
To enable jumbo frames, see the “Enabling Jumbo Frame Support (Supported Models)” section on
page 6-32. A jumbo frame is an Ethernet packet larger than the standard maximum of 1518 bytes
(including Layer 2 header and FCS), up to 9216 bytes. Jumbo frames require extra memory to process,
and assigning more memory for jumbo frames might limit the maximum use of other features, such as
access lists. To use jumbo frames, set the value higher, for example, to 9000 bytes.

Prerequisites
•

Set up your interfaces depending on your model:
– ASA 5510 and higher—Chapter 6, “Starting Interface Configuration (ASA 5510 and Higher).”
– ASA 5505—Chapter 7, “Starting Interface Configuration (ASA 5505).”

•

In multiple context mode, complete this procedure in the context execution space. To change from
the system to a context configuration, enter the changeto context name command.

Cisco ASA 5500 Series Configuration Guide using the CLI

8-10

Chapter 8

Completing Interface Configuration (Routed Mode)
Completing Interface Configuration in Routed Mode

Detailed Steps

Step 1

Command

Purpose

For the ASA 5510 and higher:

If you are not already in interface configuration mode, enters
interface configuration mode.

interface {{redundant number |
port-channel number |
physical_interface}[.subinterface] |
mapped_name}

For the ASA 5505:
hostname(config)# interface vlan number

Example:
hostname(config)# interface vlan 100

Step 2

mac-address mac_address
[standby mac_address]

Example:
hostname(config-if)# mac-address
000C.F142.4CDE

Assigns a private MAC address to this interface. The mac_address
is in H.H.H format, where H is a 16-bit hexadecimal digit. For
example, the MAC address 00-0C-F1-42-4C-DE is entered as
000C.F142.4CDE.
The first two bytes of a manual MAC address cannot be A2 if you
also want to use auto-generated MAC addresses.
For use with failover, set the standby MAC address. If the active
unit fails over and the standby unit becomes active, the new active
unit starts using the active MAC addresses to minimize network
disruption, while the old active unit uses the standby address.

Step 3

mtu interface_name bytes

Sets the MTU between 300 and 65,535 bytes. The default is 1500
bytes.

Example:

Note

hostname(config)# mtu inside 9200

When you set the MTU for a redundant or port-channel
interface, the ASA applies the setting to all member
interfaces.

For models that support jumbo frames, if you enter a value for any
interface that is greater than 1500, then you need to enable jumbo
frame support. See the “Enabling Jumbo Frame Support
(Supported Models)” section on page 6-32.

What to Do Next
(Optional) Configure IPv6 addressing. See the “Configuring IPv6 Addressing” section on page 8-11.

Configuring IPv6 Addressing
This section describes how to configure IPv6 addressing. For more information about IPv6, see the
“Information About IPv6 Support” section on page 21-9 and the “IPv6 Addresses” section on page B-5.
This section includes the following topics:

Cisco ASA 5500 Series Configuration Guide using the CLI

8-11

Chapter 8

Completing Interface Configuration (Routed Mode)

Completing Interface Configuration in Routed Mode

•

Information About IPv6, page 8-12

•

Configuring a Global IPv6 Address and Other Options, page 8-13

Information About IPv6
This section includes information about how to configure IPv6, and includes the following topics:
•

IPv6 Addressing, page 8-12

•

Duplicate Address Detection, page 8-12

•

Modified EUI-64 Interface IDs, page 8-13

IPv6 Addressing
You can configure two types of unicast addresses for IPv6:
•

Global—The global address is a public address that you can use on the public network.

•

At a minimum, you need to configure a link-local addresses for IPv6 to operate. If you configure a global
address, a link-local address is automatically configured on the interface, so you do not also need to
specifically configure a link-local address. If you do not configure a global address, then you need to
configure the link-local address, either automatically or manually.

Note

If you want to only configure the link-local addresses, see the ipv6 enable (to auto-configure) or ipv6
address link-local (to manually configure) command in the command reference.

Duplicate Address Detection
During the stateless autoconfiguration process, duplicate address detection (DAD) verifies the
uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces (the new
addresses remain in a tentative state while duplicate address detection is performed). Duplicate address
detection is performed first on the new link-local address. When the link-local address is verified as
unique, then duplicate address detection is performed all the other IPv6 unicast addresses on the
interface.
Duplicate address detection is suspended on interfaces that are administratively down. While an
interface is administratively down, the unicast IPv6 addresses assigned to the interface are set to a
pending state. An interface returning to an administratively up state restarts duplicate address detection
for all of the unicast IPv6 addresses on the interface.
When a duplicate address is identified, the state of the address is set to DUPLICATE, the address is not
used, and the following error message is generated:
%ASA-4-325002: Duplicate address ipv6_address/MAC_address on interface

Cisco ASA 5500 Series Configuration Guide using the CLI

8-12

Chapter 8

Completing Interface Configuration (Routed Mode)
Completing Interface Configuration in Routed Mode

If the link-local address for an interface changes, duplicate address detection is performed on the new
link-local address and all of the other IPv6 address associated with the interface are regenerated
(duplicate address detection is performed only on the new link-local address).
The ASA uses neighbor solicitation messages to perform duplicate address detection. By default, the
number of times an interface performs duplicate address detection is 1.

Modified EUI-64 Interface IDs
RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture requires that the interface
identifier portion of all unicast IPv6 addresses, except those that start with binary value 000, be 64 bits
long and be constructed in Modified EUI-64 format. The ASA can enforce this requirement for hosts
attached to the local link.
When this feature is enabled on an interface, the source addresses of IPv6 packets received on that
interface are verified against the source MAC addresses to ensure that the interface identifiers use the
Modified EUI-64 format. If the IPv6 packets do not use the Modified EUI-64 format for the interface
identifier, the packets are dropped and the following system log message is generated:
%ASA-3-325003: EUI-64 source address check failed.

The address format verification is only performed when a flow is created. Packets from an existing flow
are not checked. Additionally, the address verification can only be performed for hosts on the local link.
Packets received from hosts behind a router will fail the address format verification, and be dropped,
because their source MAC address will be the router MAC address and not the host MAC address.

Configuring a Global IPv6 Address and Other Options
To configure a global IPv6 address and other options, perform the following steps.

Note

Configuring the global address automatically configures the link-local address, so you do not need to
configure it separately.

Restrictions
The ASA does not support IPv6 anycast addresses.

Prerequisites
•

•

In multiple context mode, complete this procedure in the context execution space. To change from
the system to a context configuration, enter the changeto context name command.

Cisco ASA 5500 Series Configuration Guide using the CLI

8-13

Chapter 8

Completing Interface Configuration (Routed Mode)

Completing Interface Configuration in Routed Mode

Detailed Steps

Step 1

Command

Purpose

For the ASA 5510 and higher:

If you are not already in interface configuration mode, enters
interface configuration mode.

interface {{redundant number |
port-channel number |
physical_interface}[.subinterface] |
mapped_name}

For the ASA 5505:
hostname(config)# interface vlan number

Example:
hostname(config)# interface
gigabithethernet 0/0

Step 2

Do one of the following:
ipv6 address autoconfig

Example:
hostname(config-if)# ipv6 address
autoconfig

Enables stateless autoconfiguration on the interface. Enabling
stateless autoconfiguration on the interface configures IPv6
addresses based on prefixes received in Router Advertisement
messages. A link-local address, based on the Modified EUI-64
interface ID, is automatically generated for the interface when
stateless autoconfiguration is enabled.
Note

Although RFC 4862 specifies that hosts configured for
stateless autoconfiguration do not send Router
Advertisement messages, the ASA does send Router
Advertisement messages in this case. See the ipv6 nd
suppress-ra command to suppress messages.

ipv6 address ipv6-address/prefix-length
[standby ipv6-address]

Assigns a global address to the interface. When you assign a
global address, the link-local address is automatically created for
the interface.

Example:

standby specifies the interface address used by the secondary unit
or failover group in a failover pair.

hostname(config-if)# ipv6 address
2001:0DB8::BA98:0:3210/48

See the “IPv6 Addresses” section on page B-5 for more
information about IPv6 addressing.
ipv6 address ipv6-prefix/prefix-length
eui-64

Example:
hostname(config-if)# ipv6 address
2001:0DB8::BA98::/48 eui-64

Assigns a global address to the interface by combining the
specified prefix with an interface ID generated from the interface
MAC address using the Modified EUI-64 format. When you
assign a global address, the link-local address is automatically
created for the interface.
You do not need to specify the standby address; the interface ID
will be generated automatically.
See the “IPv6 Addresses” section on page B-5 for more
information about IPv6 addressing.

Cisco ASA 5500 Series Configuration Guide using the CLI

8-14

Chapter 8

Completing Interface Configuration (Routed Mode)
Completing Interface Configuration in Routed Mode

Step 3

Command

Purpose

(Optional)

Suppresses Router Advertisement messages on an interface. By
default, Router Advertisement messages are automatically sent in
response to router solicitation messages. You may want to disable
these messages on any interface for which you do not want the
ASA to supply the IPv6 prefix (for example, the outside
interface).

ipv6 nd suppress-ra

Example:
hostname(config-if)# ipv6 nd suppress-ra

Step 4

(Optional)
ipv6 nd dad attempts value

Example:
hostname(config-if)# ipv6 nd dad attempts
3

Step 5

(Optional)
ipv6 nd ns-interval value

Example:
hostname(config-if)# ipv6 nd ns-interval
2000

Changes the number of duplicate address detection attempts. The
value argument can be any value from 0 to 600. Setting the value
argument to 0 disables duplicate address detection on the
interface.
By default, the number of times an interface performs duplicate
address detection is 1. See the “Duplicate Address Detection”
section on page 8-12 for more information.
Changes the neighbor solicitation message interval. When you
configure an interface to send out more than one duplicate address
detection attempt with the ipv6 nd dad attempts command, this
command configures the interval at which the neighbor
solicitation messages are sent out. By default, they are sent out
once every 1000 milliseconds. The value argument can be from
1000 to 3600000 milliseconds.
Note

Step 6

(Optional)
ipv6 enforce-eui64 if_name

Example:
hostname(config)# ipv6 enforce-eui64
inside

Changing this value changes it for all neighbor
solicitation messages sent out on the interface, not just
those used for duplicate address detection.

Enforces the use of Modified EUI-64 format interface identifiers
in IPv6 addresses on a local link.
The if_name argument is the name of the interface, as specified by
the nameif command, on which you are enabling the address
format enforcement.
See the “Modified EUI-64 Interface IDs” section on page 8-13 for
more information.

Allowing Same Security Level Communication
By default, interfaces on the same security level cannot communicate with each other, and packets
cannot enter and exit the same interface. This section describes how to enable inter-interface
communication when interfaces are on the same security level, and how to enable intra-interface
communication.

Information About Inter-Interface Communication
Allowing interfaces on the same security level to communicate with each other provides the following
benefits:
•

You can configure more than 101 communicating interfaces.
If you use different levels for each interface and do not assign any interfaces to the same security
level, you can configure only one interface per level (0 to 100).

•

You want traffic to flow freely between all same security interfaces without access lists.

Cisco ASA 5500 Series Configuration Guide using the CLI

8-15

Chapter 8

Completing Interface Configuration (Routed Mode)

Monitoring Interfaces

If you enable same security interface communication, you can still configure interfaces at different
security levels as usual.

Information About Intra-Interface Communication
Intra-interface communication might be useful for VPN traffic that enters an interface, but is then routed
out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for
another VPN connection. For example, if you have a hub and spoke VPN network, where the ASA is the
hub, and remote VPN networks are spokes, for one spoke to communicate with another spoke, traffic
must go into the ASA and then out again to the other spoke.

Note

All traffic allowed by this feature is still subject to firewall rules. Be careful not to create an asymmetric
routing situation that can cause return traffic not to traverse the ASA.

Detailed Steps

Command

Purpose

same-security-traffic permit
inter-interface

Enables interfaces on the same security level so that they can communicate
with each other.

same-security-traffic permit
intra-interface

Enables communication between hosts connected to the same interface.

Monitoring Interfaces
To monitor interfaces, enter one of the following commands:
Command

Purpose

show interface

Displays interface statistics.

show interface ip brief

Displays interface IP addresses and status.

Configuration Examples for Interfaces in Routed Mode
This section includes the following topics:
•

ASA 5505 Example, page 8-16

ASA 5505 Example
The following example configures three VLAN interfaces for the Base license. The third home interface
cannot forward traffic to the business interface.
hostname(config)# interface vlan 100

Cisco ASA 5500 Series Configuration Guide using the CLI

8-16

Chapter 8

Completing Interface Configuration (Routed Mode)
Feature History for Interfaces in Routed Mode

hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#

nameif outside
security-level 0
ip address dhcp
no shutdown

hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#

interface vlan 200
nameif business
security-level 100
ip address 10.1.1.1 255.255.255.0
no shutdown

hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#
hostname(config-if)#

interface vlan 300
no forward interface vlan 200
nameif home
security-level 50
ip address 10.2.1.1 255.255.255.0
no shutdown

Feature History for Interfaces in Routed Mode
Table 8-1 lists the release history for this feature.
Table 8-1

Feature History for Interfaces

Feature Name

Releases

Feature Information

Increased VLANs

7.0(5)

Increased the following limits:

Increased VLANs

7.2(2)

•

ASA5510 Base license VLANs from 0 to 10.

•

ASA5510 Security Plus license VLANs from 10 to 25.

•

ASA5520 VLANs from 25 to 100.

•

ASA5540 VLANs from 100 to 200.

Cisco ASA 5500 Series Configuration Guide using the CLI

8-17

Chapter 8

Completing Interface Configuration (Routed Mode)

Feature History for Interfaces in Routed Mode

Table 8-1

Feature History for Interfaces (continued)

Feature Name

Releases

Feature Information

Gigabit Ethernet Support for the ASA 5510
Security Plus License

7.2(3)

The ASA 5510 now supports GE (Gigabit Ethernet) for port
0 and 1 with the Security Plus license. If you upgrade the
license from Base to Security Plus, the capacity of the
external Ethernet0/0 and Ethernet0/1 ports increases from
the original FE (Fast Ethernet) (100 Mbps) to GE (1000
Mbps). The interface names will remain Ethernet 0/0 and
Ethernet 0/1. Use the speed command to change the speed
on the interface and use the show interface command to see
what speed is currently configured for each interface.

Native VLAN support for the ASA 5505

7.2(4)/8.0(4)

You can now include the native VLAN in an ASA 5505
trunk port.
We introduced the following command: switchport trunk
native vlan.

Jumbo packet support for the ASA 5580

8.1(1)

The Cisco ASA 5580 supports jumbo frames. A jumbo
frame is an Ethernet packet larger than the standard
maximum of 1518 bytes (including Layer 2 header and
FCS), up to 9216 bytes. You can enable support for jumbo
frames for all interfaces by increasing the amount of
memory to process Ethernet frames. Assigning more
memory for jumbo frames might limit the maximum use of
other features, such as access lists.
We introduced the following command: jumbo-frame
reservation.

Increased VLANs for the ASA 5580

8.1(2)

The number of VLANs supported on the ASA 5580 are
increased from 100 to 250.

IPv6 support for transparent mode

8.2(1)

IPv6 support was introduced for transparent firewall mode.

Support for Pause Frames for Flow Control on
the ASA 5580 10 Gigabit Ethernet Interfaces

8.2(2)

You can now enable pause (XOFF) frames for flow control.

Cisco ASA 5500 Series Configuration Guide using the CLI

8-18

We introduced the following command: flowcontrol.

CH A P T E R

Completing Interface Configuration
(Transparent Mode)
This chapter includes tasks to complete the interface configuration for all models in transparent firewall
mode.
This chapter includes the following sections:

Note

•

Information About Completing Interface Configuration in Transparent Mode, page 9-1

•

Licensing Requirements for Completing Interface Configuration in Transparent Mode, page 9-2

•

Guidelines and Limitations, page 9-5

•

Default Settings, page 9-6

•

Completing Interface Configuration in Transparent Mode, page 9-6

•

Monitoring Interfaces, page 9-19

•

Configuration Examples for Interfaces in Transparent Mode, page 9-19

•

Feature History for Interfaces in Transparent Mode, page 9-20

For multiple context mode, complete the tasks in this section in the context execution space. Enter the
changeto context name command to change to the context you want to configure.

Information About Completing Interface Configuration in
Transparent Mode
This section includes the following topics:
•

Bridge Groups in Transparent Mode, page 9-1

•

Security Levels, page 9-2

Bridge Groups in Transparent Mode
If you do not want the overhead of security contexts, or want to maximize your use of security contexts,
you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for
each network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another
bridge group within the ASA, and traffic must exit the ASA before it is routed by an external router back

Cisco ASA 5500 Series Configuration Guide using the CLI

9-1

Chapter 9

Completing Interface Configuration (Transparent Mode)

Licensing Requirements for Completing Interface Configuration in Transparent Mode

to another bridge group in the ASA. Although the bridging functions are separate for each bridge group,
many other functions are shared between all bridge groups. For example, all bridge groups share a syslog
server or AAA server configuration. For complete security policy separation, use security contexts with
one bridge group in each context. At least one bridge group is required per context or in single mode.
Each bridge group requires a management IP address. For another method of management, see the
“Management Interface” section.

Note

The ASA does not support traffic on secondary networks; only traffic on the same network as the
management IP address is supported.

Network access—By default, there is an implicit permit from a higher security interface to a lower
security interface (outbound). Hosts on the higher security interface can access any host on a lower
security interface. You can limit access by applying an access list to the interface.
If you enable communication for same security interfaces (see the “Allowing Same Security Level
Communication” section on page 9-18), there is an implicit permit for interfaces to access other
interfaces on the same security level or lower.

•

exists between a pair of hosts, then only an inbound data connection is permitted through the
ASA.
•

•

Licensing Requirements for Completing Interface Configuration
in Transparent Mode

Cisco ASA 5500 Series Configuration Guide using the CLI

9-2

Chapter 9

Completing Interface Configuration (Transparent Mode)
Licensing Requirements for Completing Interface Configuration in Transparent Mode

Model

License Requirement

ASA 5505

1. The maximum number of combined interfaces; for example, VLANs, physical, redundant, and bridge group interfaces.

Model

License Requirement

ASA 5510

ASA 5520

VLANs:
Base License: 150.
Interfaces of all types1:
Base License: 640

ASA 5540

VLANs:
Base License: 200
Interfaces of all types1:
Base License: 840

ASA 5550

VLANs:
Base License: 400
Interfaces of all types1:
Base License: 1640

Cisco ASA 5500 Series Configuration Guide using the CLI

9-3

Chapter 9

Completing Interface Configuration (Transparent Mode)

Licensing Requirements for Completing Interface Configuration in Transparent Mode

Model

License Requirement

ASA 5580

VLANs:
Base License: 1024
Interfaces of all types1:
Base License: 4176

ASA 5512-X

VLANs:
Base License: 50
Interfaces of all types1:
Base License: 328

ASA 5515-X

VLANs:
Base License: 100
Interfaces of all types1:
Base License: 528

ASA 5525-X

VLANs:
Base License: 200
Interfaces of all types1:
Base License: 928

ASA 5545-X

VLANs:
Base License: 300
Interfaces of all types1:
Base License: 1328

ASA 5555-X

VLANs:
Base License: 500
Interfaces of all types1:
Base License: 2128

ASA 5585-X

1. The maximum number of combined interfaces; for example, VLANs, physical, redundant, bridge group, and EtherChannel interfaces.

Cisco ASA 5500 Series Configuration Guide using the CLI

9-4

Chapter 9

Completing Interface Configuration (Transparent Mode)
Guidelines and Limitations

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
•

•

You can only configure context interfaces that you already assigned to the context in the system
configuration using the allocate-interface command.

Firewall Mode Guidelines
•

You can configure up to 8 bridge groups in single mode or per context in multiple mode. Note that
you must use at least 1 bridge group; data interfaces must belong to a bridge group.

Note

Although you can configure multiple bridge groups on the ASA 5505, the restriction of 2
data interfaces in transparent mode on the ASA 5505 means you can only effectively use 1
bridge group.

•

Each bridge group can include up to 4 interfaces.

•

For IPv4, a management IP address is required for each bridge group for both management traffic
and for traffic to pass through the ASA.
Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an
IP address assigned to the entire bridge group. The ASA uses this IP address as the source address
for packets originating on the ASA, such as system messages or AAA communications. In addition
to the bridge group management address, you can optionally configure a management interface for
some models; see the “Management Interface” section on page 6-2 for more information.
The management IP address must be on the same subnet as the connected network. You cannot set
the subnet to a host subnet (255.255.255.255). The ASA does not support traffic on secondary
networks; only traffic on the same network as the management IP address is supported. See the
“Configuring Bridge Groups” section on page 9-7 for more information about management IP
subnets.

•

For IPv6, at a minimum you need to configure link-local addresses for each interface for through
traffic. For full functionality, including the ability to manage the ASA, you need to configure a
global IPv6 address for each bridge group.

•

For multiple context mode, each context must use different interfaces; you cannot share an interface
across contexts.

•

For multiple context mode, each context typically uses a different subnet. You can use overlapping
subnets, but your network topology requires router and NAT configuration to make it possible from
a routing standpoint.

Cisco ASA 5500 Series Configuration Guide using the CLI

9-5

Chapter 9

Completing Interface Configuration (Transparent Mode)

Default Settings

Failover Guidelines

Supports IPv6.

•

No support for IPv6 anycast addresses in transparent mode.

The default security level is 0. If you name an interface “inside” and you do not set the security level
explicitly, then the ASA sets the security level to 100.

Note

Completing Interface Configuration in Transparent Mode
This section includes the following topics:
•

Task Flow for Completing Interface Configuration, page 9-6

•

Configuring Bridge Groups, page 9-7

•

Configuring General Interface Parameters, page 9-8

•

Configuring a Management Interface (ASA 5510 and Higher), page 9-11

•

Configuring the MAC Address and MTU, page 9-12

•

Configuring IPv6 Addressing, page 9-15

•

Allowing Same Security Level Communication, page 9-18

Task Flow for Completing Interface Configuration
Step 1

Set up your interfaces depending on your model:
•

ASA 5510 and higher—Chapter 6, “Starting Interface Configuration (ASA 5510 and Higher).”

•

ASA 5505—Chapter 7, “Starting Interface Configuration (ASA 5505).”

Cisco ASA 5500 Series Configuration Guide using the CLI

9-6

Chapter 9

Completing Interface Configuration (Transparent Mode)
Completing Interface Configuration in Transparent Mode

Step 2

(Multiple context mode) Allocate interfaces to the context according to the “Configuring Multiple
Contexts” section on page 5-14.

Step 3

(Multiple context mode) Enter the changeto context name command to change to the context you want
to configure.Configure one or more bridge groups, including the IPv4 address. See the “Configuring
Bridge Groups” section on page 9-7.

Step 4

Configure general interface parameters, including the interface name and security level. See the
“Configuring General Interface Parameters” section on page 9-8.

Step 5

(Optional; not supported for the ASA 5505) Configure a management interface. See the “Configuring a
Management Interface (ASA 5510 and Higher)” section on page 9-11.

Step 6

(Optional) Configure the MAC address and the MTU. See the “Configuring the MAC Address and
MTU” section on page 9-12.

Step 7

(Optional) Configure IPv6 addressing. See the “Configuring IPv6 Addressing” section on page 9-15.

Step 8

Configuring Bridge Groups
Each bridge group requires a management IP address. The ASA uses this IP address as the source address
for packets originating from the bridge group. The management IP address must be on the same subnet
as the connected network. For IPv4 traffic, the management IP address is required to pass any traffic.
For IPv6 traffic, you must, at a minimum, configure the link-local addresses to pass traffic, but a global
management address is recommended for full functionality, including remote management and other
management operations.

Guidelines and Limitations
You can configure up to 8 bridge groups in single mode or per context in multiple mode. Note that you
must use at least one bridge group; data interfaces must belong to a bridge group.

Note

For a separate management interface (for supported models), a non-configurable bridge group (ID 101)
is automatically added to your configuration. This bridge group is not included in the bridge group limit.

Cisco ASA 5500 Series Configuration Guide using the CLI

9-7

Chapter 9

Completing Interface Configuration (Transparent Mode)

Completing Interface Configuration in Transparent Mode

Detailed Steps

Step 1

Command

Purpose

interface bvi bridge_group_number

Creates a bridge group, where bridge_group_number is an integer
between 1 and 100.

Example:
hostname(config)# interface bvi 1

Step 2

ip address ip_address [mask]
[standby ip_address]

Example:
hostname(config-if)# ip address 10.1.3.1
255.255.255.0 standby 10.1.3.2

Specifies the management IP address for the bridge group.
Do not assign a host address (/32 or 255.255.255.255) to the
bridge group. Also, do not use other subnets that contain fewer
than 3 host addresses (one each for the upstream router,
downstream router, and transparent firewall) such as a /30 subnet
(255.255.255.252). The ASA drops all ARP packets to or from the
first and last addresses in a subnet. Therefore, if you use a /30
subnet and assign a reserved address from that subnet to the
upstream router, then the ASA drops the ARP request from the
downstream router to the upstream router.
The ASA does not support traffic on secondary networks; only
traffic on the same network as the management IP address is
supported.
The standby keyword and address is used for failover.

Examples
The following example sets the management address and standby address of bridge group 1:
hostname(config)# interface bvi 1
hostname(config-if)# ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2

What to Do Next
Configure general interface parameters. See the “Configuring General Interface Parameters” section on
page 9-8.

Configuring General Interface Parameters
This procedure describes how to set the name, security level, and bridge group for each transparent
interface.
To configure a separate management interface, see the “Configuring a Management Interface (ASA 5510
and Higher)” section on page 9-11.
For the ASA 5510 and higher, you must configure interface parameters for the following interface types:
•

Physical interfaces

•

VLAN subinterfaces

•

Redundant interfaces

•

EtherChannel interfaces

Cisco ASA 5500 Series Configuration Guide using the CLI

9-8

Chapter 9

Completing Interface Configuration (Transparent Mode)
Completing Interface Configuration in Transparent Mode

For the ASA 5505, you must configure interface parameters for the following interface types:
•

VLAN interfaces

Guidelines and Limitations
•

You can configure up to four interfaces per bridge group.

•

For the ASA 5550, for maximum throughput, be sure to balance your traffic over the two interface
slots; for example, assign the inside interface to slot 1 and the outside interface to slot 0.

•

For information about security levels, see the “Security Levels” section on page 9-2.

•

Set up your interfaces depending on your model:

Prerequisites

– ASA 5510 and higher—Chapter 6, “Starting Interface Configuration (ASA 5510 and Higher).”
– ASA 5505—Chapter 7, “Starting Interface Configuration (ASA 5505).”
•

•

In multiple context mode, complete this procedure in the context execution space. To change from
the system to a context configuration, enter the changeto context name command.

Cisco ASA 5500 Series Configuration Guide using the CLI

9-9

Chapter 9

Completing Interface Configuration (Transparent Mode)

Completing Interface Configuration in Transparent Mode

Detailed Steps

Step 1

Command

Purpose

For the ASA 5510 and higher:

If you are not already in interface configuration mode, enters
interface configuration mode.

interface {{redundant number |
port-channel number |
physical_interface}[.subinterface] |
mapped_name}

For the ASA 5505:
hostname(config)# interface vlan number

Example:
hostname(config)# interface vlan 100

The redundant number argument is the redundant interface ID,
such as redundant 1.
The port-channel number argument is the EtherChannel interface
ID, such as port-channel 1.
See the “Enabling the Physical Interface and Configuring
Ethernet Parameters” section for a description of the physical
interface ID. Do not use this procedure for Management
interfaces; see the “Configuring a Management Interface (ASA
5510 and Higher)” section on page 9-11 to configure the
Management interface.
Append the subinterface ID to the physical or redundant interface
ID separated by a period (.).
In multiple context mode, enter the mapped_name if one was
assigned using the allocate-interface command.

Step 2

hostname(config-if)# bridge-group 1

Assigns the interface to a bridge group, where number is an
integer between 1 and 100. You can assign up to four interfaces to
a bridge group. You cannot assign the same interface to more than
one bridge group.

nameif name

Names the interface.

bridge-group number

Example:
Step 3

Example:
hostname(config-if)# nameif inside

Step 4

security-level number

The name is a text string up to 48 characters, and is not
case-sensitive. You can change the name by reentering this
command with a new value. Do not enter the no form, because
that command causes all commands that refer to that name to be
deleted.
Sets the security level, where number is an integer between 0
(lowest) and 100 (highest).

Example:
hostname(config-if)# security-level 50

What to Do Next
•

(Optional) Configure a management interface. See the “Configuring a Management Interface (ASA
5510 and Higher)” section on page 9-11.

•

(Optional) Configure the MAC address and the MTU. See the “Configuring the MAC Address and
MTU” section on page 9-12.

•

(Optional) Configure IPv6 addressing. See the “Configuring IPv6 Addressing” section on
page 9-15.

Cisco ASA 5500 Series Configuration Guide using the CLI

9-10

Chapter 9

Completing Interface Configuration (Transparent Mode)
Completing Interface Configuration in Transparent Mode

Configuring a Management Interface (ASA 5510 and Higher)
You can configure one management interface separate from the bridge group interfaces in single mode
or per context. For more information, see the “Management Interface” section on page 6-2.

Restrictions
•

See the “Management Interface” section on page 6-2.

•

Do not assign this interface to a bridge group; a non-configurable bridge group (ID 101) is
automatically added to your configuration. This bridge group is not included in the bridge group
limit.

•

If your model does not include a Management interface, you must manage the transparent firewall
from a data interface; skip this procedure. (For example, on the ASA 5505.)

•

In multiple context mode, you cannot share any interfaces, including the Management interface,
across contexts. To provide management per context, you can create subinterfaces of the
Management interface and allocate a Management subinterface to each context. Note that the ASA
5512-X through ASA 5555-X do not allow subinterfaces on the Management interface, so for
per-context management, you must connect to a data interface.

•

Complete the procedures in Chapter 6, “Starting Interface Configuration (ASA 5510 and Higher).”

•

In multiple context mode, complete this procedure in the context execution space. To change from
the system to a context configuration, enter the changeto context name command.

Prerequisites

Detailed Steps

Step 1

Command

Purpose

interface {{port-channel number |
management slot/port}[.subinterface] |
mapped_name}

If you are not already in interface configuration mode, enters
interface configuration mode for the management interface.

Example:
hostname(config)# interface management
0/0.1

The port-channel number argument is the EtherChannel interface
ID, such as port-channel 1. The EtherChannel interface must
have only Management member interfaces.
Redundant interfaces do not support Management slot/port
interfaces as members. You also cannot set a redundant interface
comprised of non-Management interfaces as management-only.
In multiple context mode, enter the mapped_name if one was
assigned using the allocate-interface command.

Step 2

nameif name

Example:
hostname(config-if)# nameif management

Cisco ASA 5500 Series Configuration Guide using the CLI

9-11

Chapter 9

Completing Interface Configuration (Transparent Mode)

Completing Interface Configuration in Transparent Mode

Command
Step 3

Purpose

Do one of the following:
ip address ip_address [mask] [standby
ip_address]

Sets the IP address manually.
Note

For use with failover, you must set the IP address and
standby address manually; DHCP is not supported.

Example:
hostname(config-if)# ip address 10.1.1.1
255.255.255.0 standby 10.1.1.2

ip address dhcp [setroute]

Obtains an IP address from a DHCP server.

Example:

The setroute keyword lets the ASA use the default route supplied
by the DHCP server.

hostname(config-if)# ip address dhcp

Step 4

security-level number

Sets the security level, where number is an integer between 0
(lowest) and 100 (highest).

Example:
hostname(config-if)# security-level 50

What to Do Next
•

(Optional) Configure the MAC address and the MTU. See the “Configuring the MAC Address and
MTU” section on page 9-12.

•

(Optional) Configure IPv6 addressing. See the “Configuring IPv6 Addressing” section on
page 9-15.

Configuring the MAC Address and MTU
This section describes how to configure MAC addresses for interfaces and how to set the MTU.

Cisco ASA 5500 Series Configuration Guide using the CLI

9-12

Chapter 9

Completing Interface Configuration (Transparent Mode)
Completing Interface Configuration in Transparent Mode

For an EtherChannel, all interfaces that are part of the channel group share the same MAC address. This
feature makes the EtherChannel transparent to network applications and users, because they only see the
one logical connection; they have no knowledge of the individual links. The port-channel interface uses
the lowest numbered channel group interface MAC address as the port-channel MAC address.
Alternatively you can manually configure a MAC address for the port-channel interface. In multiple
context mode, you can automatically assign unique MAC addresses to interfaces, including an
EtherChannel port interface. We recommend manually, or in multiple context mode, automatically
configuring a unique MAC address in case the group channel interface membership changes. If you
remove the interface that was providing the port-channel MAC address, then the port-channel MAC
address changes to the next lowest numbered interface, thus causing traffic disruption.
In multiple context mode, if you share an interface between contexts, you can assign a unique MAC
address to the interface in each context. This feature lets the ASA easily classify packets into the
appropriate context. Using a shared interface without unique MAC addresses is possible, but has some
limitations. See the “How the ASA Classifies Packets” section on page 5-3 for more information. You
can assign each MAC address manually, or you can automatically generate MAC addresses for shared
interfaces in contexts. See the “Automatically Assigning MAC Addresses to Context Interfaces” section
on page 5-22 to automatically generate MAC addresses. If you automatically generate MAC addresses,
you can use this procedure to override the generated address.
For single context mode, or for interfaces that are not shared in multiple context mode, you might want
to assign unique MAC addresses to subinterfaces. For example, your service provider might perform
access control based on the MAC address.

Information About the MTU
The MTU is the maximum datagram size that is sent on a connection. Data that is larger than the MTU
value is fragmented before being sent.
The ASA supports IP path MTU discovery (as defined in RFC 1191), which allows a host to dynamically
discover and cope with the differences in the maximum allowable MTU size of the various links along
the path. Sometimes, the ASA cannot forward a datagram because the packet is larger than the MTU that
you set for the interface, but the “don't fragment” (DF) bit is set. The network software sends a message
to the sending host, alerting it to the problem. The host has to fragment packets for the destination so
that they fit the smallest packet size of all the links along the path.
The default MTU is 1500 bytes in a block for Ethernet interfaces. This value is sufficient for most
applications, but you can pick a lower number if network conditions require it.
To enable jumbo frames, see the “Enabling Jumbo Frame Support (Supported Models)” section on
page 6-32. A jumbo frame is an Ethernet packet larger than the standard maximum of 1518 bytes
(including Layer 2 header and FCS), up to 9216 bytes. Jumbo frames require extra memory to process,
and assigning more memory for jumbo frames might limit the maximum use of other features, such as
access lists. To use jumbo frames, set the value higher, for example, to 9000 bytes.

Prerequisites
•

•

Cisco ASA 5500 Series Configuration Guide using the CLI

9-13

Chapter 9

Completing Interface Configuration (Transparent Mode)

Completing Interface Configuration in Transparent Mode

•

In multiple context mode, complete this procedure in the context execution space. To change from
the system to a context configuration, enter the changeto context name command.

Detailed Steps

Step 1

Command

Purpose

For the ASA 5510 and higher:

If you are not already in interface configuration mode, enters
interface configuration mode.

interface {{redundant number |
port-channel number |
physical_interface}[.subinterface] |
mapped_name}

For the ASA 5505:
hostname(config)# interface vlan number

Example:
hostname(config)# interface vlan 100

Step 2

mac-address mac_address
[standby mac_address]

Example:
hostname(config-if)# mac-address
000C.F142.4CDE

Step 3

mtu interface_name bytes

Sets the MTU between 300 and 65,535 bytes. The default is 1500
bytes.

Example:

Note

hostname(config)# mtu inside 9200

When you set the MTU for a redundant or port-channel
interface, the ASA applies the setting to all member
interfaces.

What to Do Next
(Optional) Configure IPv6 addressing. See the “Configuring IPv6 Addressing” section on page 9-15.

Cisco ASA 5500 Series Configuration Guide using the CLI

9-14

Chapter 9

Completing Interface Configuration (Transparent Mode)
Completing Interface Configuration in Transparent Mode

Information About IPv6, page 9-15

•

Configuring a Global IPv6 Address and Other Options, page 9-17

Information About IPv6
This section includes information about how to configure IPv6, and includes the following topics:
•

IPv6 Addressing, page 9-15

•

Duplicate Address Detection, page 9-15

•

Modified EUI-64 Interface IDs, page 9-16

•

Unsupported Commands, page 9-16

IPv6 Addressing
You can configure two types of unicast addresses for IPv6:
•

Global—The global address is a public address that you can use on the public network. This address
needs to be configured for each bridge group, and not per-interface. You can also configure a global
IPv6 address for the management interface.

•

Link-local—The link-local address is a private address that you can only use on the
directly-connected network. Routers do not forward packets using link-local addresses; they are
only for communication on a particular physical network segment. They can be used for address
configuration or for the ND functions such as address resolution and neighbor discovery. Because
the link-local address is only available on a segment, and is tied to the interface MAC address, you
need to configure the link-local address per interface.

At a minimum, you need to configure a link-local address for IPv6 to operate. If you configure a global
address, a link-local addresses is automatically configured on each interface, so you do not also need to
specifically configure a link-local address. If you do not configure a global address, then you need to
configure the link-local address, either automatically or manually.

Note

If you want to only configure the link-local addresses, see the ipv6 enable (to auto-configure) or ipv6
address link-local (to manually configure) command in the command reference.

Cisco ASA 5500 Series Configuration Guide using the CLI

9-15

Chapter 9

Completing Interface Configuration (Transparent Mode)

Completing Interface Configuration in Transparent Mode

Duplicate address detection is suspended on interfaces that are administratively down. While an
interface is administratively down, the unicast IPv6 addresses assigned to the interface are set to a
pending state. An interface returning to an administratively up state restarts duplicate address detection
for all of the unicast IPv6 addresses on the interface.
When a duplicate address is identified, the state of the address is set to DUPLICATE, the address is not
used, and the following error message is generated:
%ASA-4-325002: Duplicate address ipv6_address/MAC_address on interface

If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is
disabled on the interface. If the duplicate address is a global address, the address is not used. However,
all configuration commands associated with the duplicate address remain as configured while the state
of the address is set to DUPLICATE.
If the link-local address for an interface changes, duplicate address detection is performed on the new
link-local address and all of the other IPv6 address associated with the interface are regenerated
(duplicate address detection is performed only on the new link-local address).
The ASA uses neighbor solicitation messages to perform duplicate address detection. By default, the
number of times an interface performs duplicate address detection is 1.

Unsupported Commands
The following IPv6 commands are not supported in transparent firewall mode, because they require
router capabilities:
•

ipv6 address autoconfig

•

ipv6 nd prefix

•

ipv6 nd ra-interval

•

ipv6 nd ra-lifetime

•

ipv6 nd suppress-ra

The ipv6 local pool VPN command is not supported, because transparent mode does not support VPN.

Cisco ASA 5500 Series Configuration Guide using the CLI

9-16

Chapter 9

Completing Interface Configuration (Transparent Mode)
Completing Interface Configuration in Transparent Mode

Configuring a Global IPv6 Address and Other Options
To configure a global IPv6 address and other options for a bridge group or management interface,
perform the following steps.

Note

Configuring the global address automatically configures the link-local address, so you do not need to
configure it separately.

Restrictions
The ASA does not support IPv6 anycast addresses.

Prerequisites
•

•

In multiple context mode, complete this procedure in the context execution space. To change from
the system to a context configuration, enter the changeto context name command.

Detailed Steps

Step 1

Command

Purpose

For the bridge group:

If you are not already in interface configuration mode, enters
interface configuration mode.

interface bvi bridge_group_id

For the management interface:
interface management_interface_id

Example:
hostname(config)# interface bvi 1

Step 2

ipv6 address ipv6-address/prefix-length
[standby ipv6-address]

Assigns a global address to the interface. When you assign a
global address, the link-local address is automatically created for
the interface (for a bridge group, for each member interface).

Example:

standby specifies the interface address used by the secondary unit
or failover group in a failover pair.

hostname(config-if)# ipv6 address
2001:0DB8::BA98:0:3210/48

Note

The eui-64 keyword to use the Modified EUI-64 interface
ID for the interface ID is not supported in transparent
mode.

See the “IPv6 Addresses” section on page B-5 for more
information about IPv6 addressing.

Cisco ASA 5500 Series Configuration Guide using the CLI

9-17

Chapter 9

Completing Interface Configuration (Transparent Mode)

Completing Interface Configuration in Transparent Mode

Step 3

Command

Purpose

(Optional)

ipv6 nd suppress-ra

Example:
hostname(config-if)# ipv6 nd suppress-ra

Step 4

(Optional)
ipv6 nd dad attempts value

Example:
hostname(config-if)# ipv6 nd dad attempts
3

Step 5

(Optional)
ipv6 nd ns-interval value

Example:
hostname(config-if)# ipv6 nd ns-interval
2000

Changes the number of duplicate address detection attempts. The
value argument can be any value from 0 to 600. Setting the value
argument to 0 disables duplicate address detection on the
interface.
By default, the number of times an interface performs duplicate
address detection is 1. See the “Duplicate Address Detection”
section on page 9-15 for more information.
Changes the neighbor solicitation message interval. When you
configure an interface to send out more than one duplicate address
detection attempt with the ipv6 nd dad attempts command, this
command configures the interval at which the neighbor
solicitation messages are sent out. By default, they are sent out
once every 1000 milliseconds. The value argument can be from
1000 to 3600000 milliseconds.
Note

Step 6

(Optional)
ipv6 enforce-eui64 if_name

Example:
hostname(config)# ipv6 enforce-eui64
inside

Changing this value changes it for all neighbor
solicitation messages sent out on the interface, not just
those used for duplicate address detection.

Information About Inter-Interface Communication
Allowing interfaces on the same security level to communicate with each other is useful if you want
traffic to flow freely between all same security interfaces without access lists.
If you enable same security interface communication, you can still configure interfaces at different
security levels as usual.

Cisco ASA 5500 Series Configuration Guide using the CLI

9-18

Chapter 9

Completing Interface Configuration (Transparent Mode)
Monitoring Interfaces

Detailed Steps

Command

Purpose

same-security-traffic permit
inter-interface

Enables interfaces on the same security level so that they can communicate
with each other.

Monitoring Interfaces
To monitor interfaces, enter one of the following commands:
Command

Purpose

show interface

Displays interface statistics.

show interface ip brief

Displays interface IP addresses and status.

show bridge-group

Shows bridge group information.

Configuration Examples for Interfaces in Transparent Mode
The following example includes two bridge groups of three interfaces each, plus a management-only
interface:
interface gigabitethernet 0/0
nameif inside1
security-level 100
bridge-group 1
no shutdown
interface gigabitethernet 0/1
nameif outside1
security-level 0
bridge-group 1
no shutdown
interface gigabitethernet 0/2
nameif dmz1
security-level 50
bridge-group 1
no shutdown
interface bvi 1
ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2
interface gigabitethernet 1/0
nameif inside2
security-level 100
bridge-group 2
no shutdown
interface gigabitethernet 1/1
nameif outside2
security-level 0
bridge-group 2
no shutdown
interface gigabitethernet 1/2
nameif dmz2
security-level 50
bridge-group 2

Cisco ASA 5500 Series Configuration Guide using the CLI

9-19

Chapter 9

Completing Interface Configuration (Transparent Mode)

Feature History for Interfaces in Transparent Mode

no shutdown
interface bvi 2
ip address 10.3.5.8 255.255.255.0 standby 10.3.5.9
interface management 0/0
nameif mgmt
security-level 100
ip address 10.2.1.1 255.255.255.0 standby 10.2.1.2
no shutdown

Feature History for Interfaces in Transparent Mode
Table 9-1 lists each feature change and the platform release in which it was implemented.
Table 9-1

Feature History for Interfaces in Transparent Mode

Feature Name

Platform
Releases

Feature Information

Increased VLANs

7.0(5)

Increased the following limits:

Increased VLANs

7.2(2)

•

ASA5510 Base license VLANs from 0 to 10.

•

ASA5510 Security Plus license VLANs from 10 to 25.

•

ASA5520 VLANs from 25 to 100.

•

ASA5540 VLANs from 100 to 200.

Gigabit Ethernet Support for the ASA 5510
Security Plus License

7.2(3)

Cisco ASA 5500 Series Configuration Guide using the CLI

9-20

Chapter 9

Completing Interface Configuration (Transparent Mode)
Feature History for Interfaces in Transparent Mode

Table 9-1

Feature History for Interfaces in Transparent Mode (continued)

Feature Name

Platform
Releases

Native VLAN support for the ASA 5505

7.2(4)/8.0(4)

Feature Information
You can now include the native VLAN in an ASA 5505
trunk port.
We introduced the following command: switchport trunk
native vlan.

Jumbo packet support for the ASA 5580

8.1(1)

The Cisco ASA 5580 supports jumbo frames. A jumbo
frame is an Ethernet packet larger than the standard
maximum of 1518 bytes (including Layer 2 header and
FCS), up to 9216 bytes. You can enable support for jumbo
frames for all interfaces by increasing the amount of
memory to process Ethernet frames. Assigning more
memory for jumbo frames might limit the maximum use of
other features, such as access lists.
We introduced the following command: jumbo-frame
reservation.

Increased VLANs for the ASA 5580

8.1(2)

The number of VLANs supported on the ASA 5580 are
increased from 100 to 250.

IPv6 support for transparent mode

8.2(1)

IPv6 support was introduced for transparent firewall mode.

Support for Pause Frames for Flow Control on
the ASA 5580 10-Gigabit Ethernet Interfaces

8.2(2)

You can now enable pause (XOFF) frames for flow control.

Bridge groups for transparent mode

8.4(1)

We introduced the following command: flowcontrol.
If you do not want the overhead of security contexts, or want
to maximize your use of security contexts, you can group
interfaces together in a bridge group, and then configure
multiple bridge groups, one for each network. Bridge group
traffic is isolated from other bridge groups. You can
configure up to eight bridge groups of four interfaces each
in single mode or per context.
We introduced the following commands: interface bvi,
show bridge-group.

Cisco ASA 5500 Series Configuration Guide using the CLI

9-21

Chapter 9
Feature History for Interfaces in Transparent Mode

Cisco ASA 5500 Series Configuration Guide using the CLI

9-22

Completing Interface Configuration (Transparent Mode)

PA R T

Configuring Basic Settings

CH A P T E R

Configuring Basic Settings
This chapter describes how to configure basic settings on your ASA that are typically required for a
functioning configuration. This chapter includes the following sections:
•

Configuring the Hostname, Domain Name, and Passwords, page 10-1

•

Setting the Date and Time, page 10-3

•

Configuring the Master Passphrase, page 10-6

•

Configuring the DNS Server, page 10-11

Configuring the Hostname, Domain Name, and Passwords
This section describes how to change the device name and passwords, and includes the following topics:
•

Changing the Login Password, page 10-1

•

Changing the Enable Password, page 10-2

•

Setting the Hostname, page 10-2

•

Setting the Domain Name, page 10-3

Changing the Login Password
To change the login password, enter the following command:
Command

Purpose

{passwd | password} password

Changes the login password. The login password is used for Telnet and
SSH connections. The default login password is “cisco.”
You can enter passwd or password. The password is a case-sensitive
password of up to 16 alphanumeric and special characters. You can use any
character in the password except a question mark or a space.
The password is saved in the configuration in encrypted form, so you
cannot view the original password after you enter it. Use the no password
command to restore the password to the default setting.

Cisco ASA 5500 Series Configuration Guide using the CLI

10-1

Chapter 10

Configuring Basic Settings

Configuring the Hostname, Domain Name, and Passwords

Changing the Enable Password
To change the enable password, enter the following command:
Command

Purpose

enable password password

Changes the enable password, which lets you enter privileged EXEC mode.
By default, the enable password is blank.

Example:

The password argument is a case-sensitive password of up to
16 alphanumeric and special characters. You can use any character in the
password except a question mark or a space.

hostname(config)# passwd Pa$$w0rd

This command changes the password for the highest privilege level. If you
configure local command authorization, you can set enable passwords for
each privilege level from 0 to 15.
The password is saved in the configuration in encrypted form, so you
cannot view the original password after you enter it. Enter the enable
password command without a password to set the password to the default,
which is blank.

Setting the Hostname
To set the hostname, enter the following command:
Command

Purpose

hostname name

Specifies the hostname for the ASA or for a context.

Example:

This name can be up to 63 characters. A hostname must start and end with
a letter or digit, and have as interior characters only letters, digits, or a
hyphen.

hostname(config)# hostname farscape
farscape(config)#

When you set a hostname for the ASA, that name appears in the command
line prompt. If you establish sessions to multiple devices, the hostname
helps you keep track of where you enter commands. The default hostname
depends on your platform.
For multiple context mode, the hostname that you set in the system
execution space appears in the command line prompt for all contexts. The
hostname that you optionally set within a context does not appear in the
command line, but can be used by the banner command $(hostname)
token.

Cisco ASA 5500 Series Configuration Guide using the CLI

10-2

Chapter 10

Configuring Basic Settings
Setting the Date and Time

Setting the Domain Name
To set the domain name, enter the following command:
Command

Purpose

domain-name name

Specifies the domain name for the ASA.

Example:
hostname(config)# domain-name example.com

The ASA appends the domain name as a suffix to unqualified names. For
example, if you set the domain name to “example.com,” and specify a
syslog server by the unqualified name of “jupiter,” then the ASA qualifies
the name to “jupiter.example.com.”
The default domain name is default.domain.invalid.
For multiple context mode, you can set the domain name for each context,
as well as within the system execution space.

Setting the Date and Time
This section includes the following topics:
•

Setting the Time Zone and Daylight Saving Time Date Range, page 10-3

•

Setting the Date and Time Using an NTP Server, page 10-4

•

Setting the Date and Time Manually, page 10-6

Setting the Time Zone and Daylight Saving Time Date Range
To change the time zone and daylight saving time date range, perform the following steps:

Step 1

Command

Purpose

clock timezone zone
[-]hours [minutes]

Sets the time zone. By default, the time zone is UTC and the daylight saving time date
range is from 2:00 a.m. on the first Sunday in April to 2:00 a.m. on the last Sunday in
October.

Example:

Where zone specifies the time zone as a string, for example, PST for Pacific Standard
Time.

hostname(config)# clock
timezone PST -8

The [-]hours value sets the number of hours of offset from UTC. For example, PST is
-8 hours.
The minutes value sets the number of minutes of offset from UTC.
Step 2

To change the date range for daylight saving time from the default, enter one of the following commands. The default
recurring date range is from 2:00 a.m. on the second Sunday in March to 2:00 a.m. on the first Sunday in November.

Cisco ASA 5500 Series Configuration Guide using the CLI

10-3

Chapter 10

Configuring Basic Settings

Setting the Date and Time

Command

Purpose

clock summer-time zone
date {day month | month
day} year hh:mm {day
month | month day} year
hh:mm [offset]

Sets the start and end dates for daylight saving time as a specific date in a specific year.
If you use this command, you need to reset the dates every year.
The zone value specifies the time zone as a string, for example, PDT for Pacific
Daylight Time.

Example:

The day value sets the day of the month, from 1 to 31. You can enter the day and month
as April 1 or as 1 April, for example, depending on your standard date format.

hostname(config)# clock
summer-time PDT 1 April
2010 2:00 60

The month value sets the month as a string. You can enter the day and month as April
1 or as 1 April, depending on your standard date format.
The year value sets the year using four digits, for example, 2004. The year range is
1993 to 2035.
The hh:mm value sets the hour and minutes in 24-hour time.
The offset value sets the number of minutes to change the time for daylight saving
time. By default, the value is 60 minutes.

clock summer-time zone
recurring [week weekday
month hh:mm week weekday
month hh:mm] [offset]

Specifies the start and end dates for daylight saving time, in the form of a day and time
of the month, and not a specific date in a year.

Example:

The zone value specifies the time zone as a string, for example, PDT for Pacific
Daylight Time.

hostname(config)# clock
summer-time PDT
recurring first Monday
April 2:00 60

This command enables you to set a recurring date range that you do not need to change
yearly.

The week value specifies the week of the month as an integer between 1 and 4 or as
the words first or last. For example, if the day might fall in the partial fifth week, then
specify last.
The weekday value specifies the day of the week: Monday, Tuesday, Wednesday, and
so on.
The month value sets the month as a string.
The hh:mm value sets the hour and minutes in 24-hour time.
The offset value sets the number of minutes to change the time for daylight savings
time. By default, the value is 60 minutes.

Setting the Date and Time Using an NTP Server
To obtain the date and time from an NTP server, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

ntp authenticate

Enables authentication with an NTP server.

Example:
hostname(config)# ntp
authenticate

Cisco ASA 5500 Series Configuration Guide using the CLI

10-4

Chapter 10

Configuring Basic Settings
Setting the Date and Time

Step 2

ntp trusted-key key_id

Specifies an authentication key ID to be a trusted key, which is required for
authentication with an NTP server.

Example:

The key_id argument is a value between 1 and 4294967295. You can enter
multiple trusted keys for use with multiple servers.

hostname(config)# ntp
trusted-key 1

Step 3

ntp authentication-key key_id
md5 key

Sets a key to authenticate with an NTP server.
The key_id argument is the ID you set in Step 2 using the ntp trusted-key
command, and the key argument is a string up to 32 characters long.

Example:
hostname(config)# ntp
authentication-key 1 md5
aNiceKey

Step 4

ntp server ip_address [key
key_id] [source interface_name]
[prefer]

Identifies an NTP server.

Example:

The source interface_name keyword-argument pair identifies the outgoing
interface for NTP packets if you do not want to use the default interface in
the routing table. Because the system does not include any interfaces in
multiple context mode, specify an interface name defined in the admin
context.

hostname(config)# ntp server
10.1.1.1 key 1 prefer

The key_id argument is the ID you set in Step 2 using the ntp trusted-key
command.

The prefer keyword sets this NTP server as the preferred server if multiple
servers have similar accuracy. NTP uses an algorithm to determine which
server is the most accurate and synchronizes to that one. If servers are of
similar accuracy, then the prefer keyword specifies which of those servers to
use. However, if a server is significantly more accurate than the preferred
one, the ASA uses the more accurate one. For example, the ASA uses a
server of stratum 2 over a server of stratum 3 that is preferred.
You can identify multiple servers; the ASA uses the most accurate server.
Note

In multiple context mode, set the time in the system configuration
only.

Cisco ASA 5500 Series Configuration Guide using the CLI

10-5

Chapter 10

Configuring Basic Settings

Configuring the Master Passphrase

Setting the Date and Time Manually
To set the date and time manually, perform the following steps:

Detailed Steps

Command

Purpose

clock set hh:mm:ss {month day | day month}
year

Sets the date time manually.
The hh:mm:ss argument sets the hour, minutes, and seconds in 24-hour
time. For example, enter 20:54:00 for 8:54 pm.

Example:
hostname# clock set 20:54:00 april 1 2004

The day value sets the day of the month, from 1 to 31. You can enter the
day and month as april 1 or as 1 april, for example, depending on your
standard date format.
The month value sets the month. Depending on your standard date format,
you can enter the day and month as april 1 or as 1 april.
The year value sets the year using four digits, for example, 2004. The year
range is from 1993 to 2035.
The default time zone is UTC. If you change the time zone after you enter
the clock set command using the clock timezone command, the time
automatically adjusts to the new time zone.
This command sets the time in the hardware chip, and does not save the
time in the configuration file. This time endures reboots. Unlike the other
clock commands, this command is a privileged EXEC command. To reset
the clock, you need to set a new time with the clock set command.

Configuring the Master Passphrase
This section describes how to configure the master passphrase and includes the following topics:
•

Information About the Master Passphrase, page 10-6

•

Licensing Requirements for the Master Passphrase, page 10-7

•

Guidelines and Limitations, page 10-7

•

Adding or Changing the Master Passphrase, page 10-7

•

Disabling the Master Passphrase, page 10-9

•

Recovering the Master Passphrase, page 10-10

•

Feature History for the Master Passphrase, page 10-11

Information About the Master Passphrase
The master passphrase feature allows you to securely store plain text passwords in encrypted format. The
master passphrase provides a key that is used to universally encrypt or mask all passwords, without
changing any functionality. Features that implement the master passphrase include the following:
•

OSPF

Cisco ASA 5500 Series Configuration Guide using the CLI

10-6

Chapter 10

Configuring Basic Settings
Configuring the Master Passphrase

•

EIGRP

•

VPN load balancing

•

VPN (remote access and site-to-site)

•

Failover

•

AAA servers

•

Logging

•

Shared licenses

Licensing Requirements for the Master Passphrase
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.

Adding or Changing the Master Passphrase
This section describes how to add or change the master passphrase.

Prerequisites
•

If failover is enabled but no failover shared key is set, an error message appears if you change the
master passphrase, informing you that you must enter a failover shared key to protect the master
passphrase changes from being sent as plain text.

•

This procedure will only be accepted in a secure session, for example by console, SSH, or ASDM
via HTTPS.

To add or change the master passphrase, perform the following steps:

Cisco ASA 5500 Series Configuration Guide using the CLI

10-7

Chapter 10

Configuring Basic Settings

Configuring the Master Passphrase

Detailed Steps

Step 1

Command

Purpose

key config-key password-encryption
[new_passphrase [old_passphrase]]

Sets the passphrase used for generating the encryption key. The
passphrase must be between 8 and 128 characters long. All
characters except a back space and double quotes are accepted
for the passphrase.

Example:
hostname(config)# key config-key
password-encryption
Old key: bumblebee
New key: haverford
Confirm key: haverford

If you do not enter the new passphrase in the command, you are
prompted for it.
When you want to change the passphrase, you also have to
enter the old passphrase.
See the “Examples” section on page 10-9 for examples of the
interactive prompts.
Note

Use the interactive prompts to enter passwords to avoid
having the passwords logged in the command history
buffer.

Use the no key config-key password-encrypt command with
caution, because it changes the encrypted passwords into plain
text passwords. You can use the no form of this command when
downgrading to a software version that does not support
password encryption.
Step 2

password encryption aes

Example:
hostname(config)# password encryption aes

Enables password encryption. As soon as password encryption
is turned on and the master passphrase is available, all the user
passwords will be encrypted. The running configuration will
show the passwords in the encrypted format.
If the passphrase is not configured at the time that password
encryption is enabled, the command will succeed in
anticipation that the passphrase will be available in the future.
If you later disable password encryption using the no
password encryption aes command, all existing encrypted
passwords are left unchanged, and as long as the master
passphrase exists, the encrypted passwords will be decrypted,
as required by the application.

Step 3

write memory

Example:
hostname(config)# write memory

Saves the runtime value of the master passphrase and the
resulting configuration. If you do not enter this command,
passwords in startup configuration may still be visible if they
were not saved with encryption before.
In addition, in multiple context mode the master passphrase is
changed in the system context configuration. As a result, the
passwords in all contexts will be affected. If the write memory
command is not entered in the system context mode, but not in
all user contexts, then the encrypted passwords in user contexts
may be stale. Alternatively, use the write memory all
command in the system context to save all configurations.

Cisco ASA 5500 Series Configuration Guide using the CLI

10-8

Chapter 10

Configuring Basic Settings
Configuring the Master Passphrase

Examples
In the following configuration example, no previous key is present:
hostname (config)# key config-key password-encryption 12345678

In the following configuration example, a key already exists:
Hostname (config)# key config-key password-encryption 23456789
Old key: 12345678
hostname (config)#

In the following configuration example, you want to key in interactively, but a key already exists. The
Old key, New key, and Confirm key prompts will appear on your screen if you enter the key config-key
password-encryption command and press Enter to access interactive mode.
hostname (config)# key config-key password-encryption
Old key: 12345678
New key: 23456789
Confirm key: 23456789

In the following example, you want to key in interactively, but no key is present. The New key and
Confirm key prompts will appear on your screen if you are in interactive mode.
hostname (config)# key config-key password-encryption
New key: 12345678
Confirm key: 12345678

Disabling the Master Passphrase
Disabling the master passphrase reverts encrypted passwords into plain text passwords. Removing the
passphrase might be useful if you downgrade to a previous software version that does not support
encrypted passwords.

Prerequisites
•

You must know the current master passphrase to disable it. If you do not know the passphrase, see
the “Recovering the Master Passphrase” section on page 10-10.

•

This procedure will only be accepted in a secure session, that is, by Telnet, SSH, or ASDM via
HTTPS.

Cisco ASA 5500 Series Configuration Guide using the CLI

10-9

Chapter 10

Configuring Basic Settings

Configuring the Master Passphrase

Detailed Steps

Step 1

Command

Purpose

no key config-key password-encryption
[old_passphrase]]

Removes the master passphrase.
If you do not enter the passphrase in the command, you are
prompted for it.

Example:
hostname(config)# no key config-key
password-encryption
Warning! You have chosen to revert the
encrypted passwords to plain text. This
operation will expose passwords in the
configuration and therefore exercise caution
while viewing, storing, and copying
configuration.
Old key: bumblebee

Step 2

write memory

Example:
hostname(config)# write memory

Saves the run time value of the master passphrase and the
resulting configuration. The non-volatile memory containing
the passphrase will be erased and overwritten with the 0xFF
pattern.
In multiple mode the master passphrase is changed in the
system context configuration. As a result the passwords in all
contexts will be affected. If the write memory command is not
entered in the system context mode, but not in all user contexts,
then the encrypted passwords in user contexts may be stale.
Alternatively, use the write memory all command in the
system context to save all configurations.

Recovering the Master Passphrase
You cannot recover the master passphrase.
If the master passphrase is lost or unknown, you can remove it using the write erase command followed
by the reload command. These commands remove the master key and the configuration that includes the
encrypted passwords.

Cisco ASA 5500 Series Configuration Guide using the CLI

10-10

Chapter 10

Configuring Basic Settings
Configuring the DNS Server

Feature History for the Master Passphrase
Table 10-1 lists each feature change and the platform release in which it was implemented.
Table 10-1

Feature History for the Master Passphrase

Feature Name

Platform
Releases

Feature Information

Master Passphrase

8.3(1)

This feature was introduced.
We introduced the following commands: key config-key
password-encryption, password encryption aes, clear
configure password encryption aes, show running-config
password encryption aes, show password encryption.

Password Encryption Visibility

8.4(1)

We modified the show password encryption command.

Configuring the DNS Server
Some ASA features require use of a DNS server to access external servers by domain name; for example,
the Botnet Traffic Filter feature requires a DNS server to access the dynamic database server and to
resolve entries in the static database. Other features, such as the ping or traceroute command, let you
enter a name that you want to ping or traceroute, and the ASA can resolve the name by communicating
with a DNS server. Many SSL VPN and certificate commands also support names.

Note

The ASA has limited support for using the DNS server, depending on the feature. For example, most
commands require you to enter an IP address and can only use a name when you manually configure the
name command to associate a name with an IP address and enable use of the names using the names
command.
For information about dynamic DNS, see the “Configuring DDNS” section on page 12-2.

Prerequisites
Make sure that you configure the appropriate routing for any interface on which you enable DNS domain
lookup so you can reach the DNS server. See the “Information About Routing” section on page 21-1 for
more information about routing.

Detailed Steps

Step 1

Command

Purpose

dns domain-lookup interface_name

Enables the ASA to send DNS requests to a DNS server to perform a
name lookup for supported commands.

Example:
hostname(config)# dns domain-lookup
inside

Cisco ASA 5500 Series Configuration Guide using the CLI

10-11

Chapter 10

Configuring Basic Settings

Monitoring DNS Cache

Step 2

dns server-group DefaultDNS

Specifies the DNS server group that the ASA uses for outgoing
requests.

Example:

Other DNS server groups can be configured for VPN tunnel groups.
See the tunnel-group command in the command reference for more
information.

hostname(config)# dns server-group
DefaultDNS

Step 3

name-server ip_address [ip_address2]
[...] [ip_address6]

Example:

Specifies one or more DNS servers. You can enter all six IP addresses
in the same command, separated by spaces, or you can enter each
command separately. The ASA tries each DNS server in order until
it receives a response.

hostname(config-dns-server-group)#
name-server 10.1.1.5 192.168.1.67
209.165.201.6

Monitoring DNS Cache
The ASA provides a local cache of DNS information from external DNS queries that are sent for certain
clientless SSL VPN and certificate commands. Each DNS translation request is first looked for in the
local cache. If the local cache has the information, the resulting IP address is returned. If the local cache
can not resolve the request, a DNS query is sent to the various DNS servers that have been configured.
If an external DNS server resolves the request, the resulting IP address is stored in the local cache with
its corresponding hostname.

DNS Cache Monitoring Commands
To monitor the DNS cache, enter the following command:
Command

Purpose

show dns-hosts

Show the DNS cache, which includes dynamically learned
entries from a DNS server as well as manually entered name
and IP addresses using the name command.

Feature History for DNS Cache
Table 2 lists each feature change and the platform release in which it was implemented.
Table 2

Feature History for DNS Cache

Feature Name

Platform
Releases

DNS Cache

7.0(1)

Feature Information
DNS cache stores responses that allow a DNS server to
respond more quickly to queries.
We introduced the following command: show dns host.

Cisco ASA 5500 Series Configuration Guide using the CLI

10-12

C H A P T E R

Configuring DHCP
This chapter describes how to configure the DHCP server and includes the following sections:
•

Information About DHCP, page 11-1

•

Licensing Requirements for DHCP, page 11-1

•

Guidelines and Limitations, page 11-2

•

Configuring a DHCP Server, page 11-2

•

Configuring DHCP Relay Services, page 11-7

•

DHCP Monitoring Commands, page 11-8

•

Feature History for DHCP, page 11-8

Information About DHCP
DHCP provides network configuration parameters, such as IP addresses, to DHCP clients. The ASA can
provide a DHCP server or DHCP relay services to DHCP clients attached to ASA interfaces. The DHCP
server provides network configuration parameters directly to DHCP clients. DHCP relay passes DHCP
requests received on one interface to an external DHCP server located behind a different interface.

Licensing Requirements for DHCP
Table 11-1 shows the licensing requirements for DHCP.
Table 11-1

Licensing Requirements

Model

License Requirement

All models

Base License.
For the ASA 5505, the maximum number of DHCP client addresses varies depending on the license:
•

If the limit is 10 hosts, the maximum available DHCP pool is 32 addresses.

•

If the limit is 50 hosts, the maximum available DHCP pool is 128 addresses.

•

If the number of hosts is unlimited, the maximum available DHCP pool is 256 addresses.

Cisco ASA 5500 Series Configuration Guide using the CLI

11-1

Chapter 11

Configuring DHCP

Guidelines and Limitations

Note

By default, the ASA 5505 ships with a 10-user license.

Guidelines and Limitations
Use the following guidelines to configure the DHCP server:
•

You can configure a DHCP server on each interface of the ASA. Each interface can have its own
pool of addresses to draw from. However the other DHCP settings, such as DNS servers, domain
name, options, ping timeout, and WINS servers, are configured globally and used by the DHCP
server on all interfaces.

•

You cannot configure a DHCP client or DHCP relay services on an interface on which the server is
enabled. Additionally, DHCP clients must be directly connected to the interface on which the server
is enabled.

•

The ASA does not support QIP DHCP servers for use with DHCP proxy.

•

The relay agent cannot be enabled if the DHCP server is also enabled.

•

When it receives a DHCP request, the ASA sends a discovery message to the DHCP server. This
message includes the IP address (within a subnetwork) configured with the dhcp-network-scope
command in the group policy. If the server has an address pool that falls within that subnetwork, the
server sends the offer message with the pool information to the IP address—not to the source IP
address of the discovery message.

•

For example, if the server has a pool in the range of 209.165.200.225 to 209.165.200.254, mask
255.255.255.0, and the IP address specified by the dhcp-network-scope command is
209.165.200.1, the server sends that pool in the offer message to the ASA.

Failover Guidelines

Supports Active/Active and Active/Standby failover.
Firewall Mode Guidelines

Supported in routed and transparent firewall modes.
Context Mode Guidelines

Supported in single mode and multiple context mode.

Configuring a DHCP Server
This section describes how to configure a DHCP server provided by the ASA and includes the following
topics:
•

Enabling the DHCP Server, page 11-3

•

Configuring DHCP Options, page 11-4

•

Using Cisco IP Phones with a DHCP Server, page 11-6

•

DHCP Monitoring Commands, page 11-8

Cisco ASA 5500 Series Configuration Guide using the CLI

11-2

Chapter 11

Configuring DHCP
Configuring a DHCP Server

Enabling the DHCP Server
The ASA can act as a DHCP server. DHCP is a protocol that provides network settings to hosts, including
the host IP address, the default gateway, and a DNS server.

Note

The ASA DHCP server does not support BOOTP requests. In multiple context mode, you cannot enable
the DHCP server or DHCP relay on an interface that is used by more than one context.
To enable the DHCP server on a ASA interface, perform the following steps:

Step 1

Command

Purpose

dhcpd address ip_address-ip_address
interface_name

Create a DHCP address pool. The ASA assigns a client one of the
addresses from this pool to use for a given length of time. These
addresses are the local, untranslated addresses for the directly
connected network.

Example:

Step 2

hostname(config)# dhcpd address
10.0.1.101-10.0.1.110 inside

The address pool must be on the same subnet as the ASA
interface.

dhcpd dns dns1 [dns2]

(Optional) Specifies the IP address(es) of the DNS server(s).

Example:
hostname(config)# dhcpd dns 209.165.201.2
209.165.202.129

Step 3

dhcpd wins wins1 [wins2]

(Optional) Specifies the IP address(es) of the WINS server(s).
You can specify up to two WINS servers.

Example:
hostname(config)# dhcpd wins 209.165.201.5

Step 4

hostname(config)# dhcpd lease 3000

(Optional) Change the lease length to be granted to the client.
This lease equals the amount of time (in seconds) the client can
use its allocated IP address before the lease expires. Enter a value
between 0 to 1,048,575. The default value is 3600 seconds.

dhcpd domain domain_name

(Optional) Configures the domain name.

dhcpd lease lease_length

Example:
Step 5

Example:
hostname(config)# dhcpd domain example.com

Step 6

dhcpd ping_timeout milliseconds

Example:
hostname(config)# dhcpd ping timeout 20

(Optional) Configures the DHCP ping timeout value. To avoid
address conflicts, the ASA sends two ICMP ping packets to an
address before assigning that address to a DHCP client. This
command specifies the timeout value for those packets.

Cisco ASA 5500 Series Configuration Guide using the CLI

11-3

Chapter 11

Configuring DHCP

Configuring a DHCP Server

Step 7

Command

Purpose

dhcpd option 3 ip gateway_ip

Defines a default gateway that is sent to DHCP clients. If you do
not use the dhcpd option 3 command to define the default
gateway, DHCP clients use the IP address of the management
interface. As a result, the DHCP ACK does not include this
option. The management interface does not route traffic.

Example:
hostname(config)# dhcpd option 3 ip
10.10.1.1

Step 8

Enables the DHCP daemon within the ASA to listen for DHCP
client requests on the enabled interface.

dhcpd enable interface_name

Example:
hostname(config)# dhcpd enable outside

Configuring DHCP Options
You can configure the ASA to send information for the DHCP options listed in RFC 2132. The DHCP
options include the following three categories:
•

Options that Return an IP Address, page 11-4

•

Options that Return a Text String, page 11-4

•

Options that Return a Hexadecimal Value, page 11-5

The ASA supports all three categories. To configure a DHCP option, choose one of the following
commands:

Options that Return an IP Address
Command

Purpose

dhcpd option code ip addr_1 [addr_2]

Configures a DHCP option that returns one or two IP addresses.

Example:
hostname(config)# dhcpd option 2 ip
10.10.1.1 10.10.1.2

Options that Return a Text String
Command

Purpose

dhcpd option code ascii text

Configures a DHCP option that returns a text string.

Example:
hostname(config)# dhcpd option 2 ascii
examplestring

Cisco ASA 5500 Series Configuration Guide using the CLI

11-4

Chapter 11

Configuring DHCP
Configuring a DHCP Server

Options that Return a Hexadecimal Value
Command

Purpose

dhcpd option code hex value

Configures a DHCP option that returns a hexadecimal value.

Example:
hostname(config)# dhcpd option 2 hex
22.0011.01.FF1111.00FF.0000.AAAA.1111.1111
.1111.11

Note

The ASA does not verify that the option type and value that you provide match the expected type and
value for the option code as defined in RFC 2132. For example, you can enter the dhcpd option 46 ascii
hello command, and the ASA accepts the configuration, although option 46 is defined in RFC 2132 to
expect a single-digit, hexadecimal value. For more information about the option codes and their
associated types and expected values, see RFC 2132.
Table 11-2 shows the DHCP options that are not supported by the dhcpd option command.
Table 11-2

Unsupported DHCP Options

Option Code

Description

DHCPOPT_PAD

HCPOPT_SUBNET_MASK

DHCPOPT_HOST_NAME

DHCPOPT_REQUESTED_ADDRESS

DHCPOPT_LEASE_TIME

DHCPOPT_OPTION_OVERLOAD

DHCPOPT_MESSAGE_TYPE

DHCPOPT_SERVER_IDENTIFIER

DHCPOPT_RENEWAL_TIME

DHCPOPT_REBINDING_TIME

DHCPOPT_CLIENT_IDENTIFIER

DHCPOPT_BOOT_FILE_NAME

DHCPOPT_RELAY_INFORMATION

255

DHCPOPT_END

DHCP options 3, 66, and 150 are used to configure Cisco IP Phones. For more information about
configuring these options, see the “Using Cisco IP Phones with a DHCP Server” section on page 11-6.

Cisco ASA 5500 Series Configuration Guide using the CLI

11-5

Chapter 11

Configuring DHCP

Configuring a DHCP Server

Using Cisco IP Phones with a DHCP Server
Enterprises with small branch offices that implement a Cisco IP Telephony Voice over IP solution
typically implement Cisco CallManager at a central office to control Cisco IP Phones at small branch
offices. This implementation allows centralized call processing, reduces the equipment required, and
eliminates the administration of additional Cisco CallManager and other servers at branch offices.
Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if it
does not have both the IP address and TFTP server IP address preconfigured, it sends a request with
option 150 or 66 to the DHCP server to obtain this information.

Note

•

DHCP option 150 provides the IP addresses of a list of TFTP servers.

•

DHCP option 66 gives the IP address or the hostname of a single TFTP server.

Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.
A single request might include both options 150 and 66. In this case, the ASA DHCP server provides
values for both options in the response if they are already configured on the ASA.
You can configure the ASA to send information for most options listed in RFC 2132. The following
examples show the syntax for any option number, as well as the syntax for options 3, 66, and 150:

Command

Purpose

dhcpd option number value

Provides information for DHCP requests that include an option number as
specified in RFC-2132.

Example:
hostname(config)# dhcpd option 2

Command

Purpose

dhcpd option 66 ascii server_name

Provides the IP address or name of a TFTP server for option 66.

Example:
hostname(config)# dhcpd option 66 ascii
exampleserver

Command

Purpose

dhcpd option 150 ip server_ip1
[server_ip2]

Provides the IP address or names of one or two TFTP servers for option
150. The server_ip1 is the IP address or name of the primary TFTP server
while server_ip2 is the IP address or name of the secondary TFTP server.
A maximum of two TFTP servers can be identified using option 150.

Example:
hostname(config)# dhcpd option 150 ip
10.10.1.1

Cisco ASA 5500 Series Configuration Guide using the CLI

11-6

Chapter 11

Configuring DHCP
Configuring DHCP Relay Services

Command

Purpose

dhcpd option 3 ip router_ip1

Sets the default route.

Example:
hostname(config)# dhcpd option 3 ip
10.10.1.1

Configuring DHCP Relay Services
A DHCP relay agent allows the ASA to forward DHCP requests from clients to a router connected to a
different interface.
The following restrictions apply to the use of the DHCP relay agent:

Note

•

The relay agent cannot be enabled if the DHCP server feature is also enabled.

•

DHCP clients must be directly connected to the ASA and cannot send requests through another relay
agent or a router.

•

For multiple context mode, you cannot enable DHCP relay on an interface that is used by more than
one context.

•

DHCP Relay services are not available in transparent firewall mode. An ASA in transparent firewall
mode only allows ARP traffic through; all other traffic requires an access list. To allow DHCP
requests and replies through the ASA in transparent mode, you need to configure two access lists,
one that allows DCHP requests from the inside interface to the outside, and one that allows the
replies from the server in the other direction.

•

When DHCP relay is enabled and more than one DHCP relay server is defined, the ASA forwards
client requests to each defined DHCP relay server. Replies from the servers are also forwarded to
the client until the client DHCP relay binding is removed. The binding is removed when the ASA
receives any of the following DHCP messages: ACK, NACK, or decline.

You cannot enable DHCP Relay on an interface running DHCP Proxy. You must Remove VPN DHCP
configuration first or you will see an error message. This error happens if both DHCP relay and DHCP
proxy are enabled. Ensure that either DHCP relay or DHCP proxy are enabled, but not both.
To enable DHCP relay, perform the following steps:

Step 1

Command

Purpose

dhcprelay server ip_address if_name

Set the IP address of a DHCP server on a different interface from
the DHCP client.

Example:

You can use this command up to ten times to identify up to ten
servers.

hostname(config)# dhcprelay server
201.168.200.4 outside

Step 2

dhcprelay enable interface

Enables DHCP relay on the interface connected to the clients.

Example:
hostname(config)# dhcprelay enable inside

Cisco ASA 5500 Series Configuration Guide using the CLI

11-7

Chapter 11

Configuring DHCP

DHCP Monitoring Commands

Step 3

Command

Purpose

dhcprelay timeout seconds

(Optional) Set the number of seconds allowed for relay address
negotiation.

Example:
hostname(config)# dhcprelay timeout 25

Step 4

dhcprelay setroute interface_name

(Optional) Change the first default router address in the packet
sent from the DHCP server to the address of the ASA interface.

Example:

This action allows the client to set its default route to point to the
ASA even if the DHCP server specifies a different router.

hostname(config)# dhcprelay setroute
inside

If there is no default router option in the packet, the ASA adds one
containing the interface address.

DHCP Monitoring Commands
To monitor DHCP, enter one of the following commands:
Command

Purpose

show running-config dhcpd

Shows the current DHCP configuration.

show running-config dhcprelay

Shows the current DHCP relay services status.

Feature History for DHCP
Table 11-3 lists each feature change and the platform release in which it was implemented.
Table 11-3

Feature History for DHCP

Feature Name

Releases

Description

DHCP

7.0(1)

The ASA can provide a DHCP server or DHCP relay services to DHCP clients
attached to ASA interfaces.
We introduced the following commands: dhcp client update dns, dhcpd address,
dhcpd domain, dhcpd enable, dhcpd lease, dhcpd option, dhcpd ping timeout,
dhcpd update dns, dhcpd wins, dhcp-network-scope, dhcprelay enable,
dhcprelay server, dhcprelay setroute, dhcprelay trusted, dhcp-server. show
running-config dhcpd, and show running-config dhcprelay.

Cisco ASA 5500 Series Configuration Guide using the CLI

11-8

C H A P T E R

Configuring Dynamic DNS
This chapter describes how to configure DDNS update methods and includes the following topics:
•

Information About DDNS, page 12-1

•

Licensing Requirements for DDNS, page 12-2

•

Guidelines and Limitations, page 12-2

•

Configuring DDNS, page 12-2

•

Configuration Examples for DDNS, page 12-3

•

DDNS Monitoring Commands, page 12-6

•

Feature History for DDNS, page 12-6

Information About DDNS
DDNS update integrates DNS with DHCP. The two protocols are complementary: DHCP centralizes and
automates IP address allocation; DDNS update automatically records the association between assigned
addresses and hostnames at pre-defined intervals. DDNS allows frequently changing address-hostname
associations to be updated frequently. Mobile hosts, for example, can then move freely on a network
without user or administrator intervention. DDNS provides the necessary dynamic update and
synchronization of the name-to-address mapping and address-to-name mapping on the DNS server. To
configure the DNS server for other uses, see the “Configuring the DNS Server” section on page 10-11.
To configure DHCP, see the “Configuring a DHCP Server” section on page 11-2.
EDNS allows DNS requesters to advertise the size of their UDP packets and facilitates the transfer of
packets larger than 512 octets. When a DNS server receives a request over UDP, it identifies the size of
the UDP packet from the OPT resource record (RR) and scales its response to contain as many resource
records as are allowed in the maximum UDP packet size specified by the requester. The size of the DNS
packets can be up to 4096 bytes for BIND or 1280 bytes for the Windows 2003 DNS Server. Several
additional message-length maximum commands are available:
•

The existing global limit: message-length maximum 512

•

A client or server specific limit: message-length maximum client 4096

•

The dynamic value specified in the OPT RR field: message-length maximum client auto

If the three commands are present at the same time, the ASA enforces the minimum of the three specified
values.

Cisco ASA 5500 Series Configuration Guide using the CLI

12-1

Chapter 12

Configuring Dynamic DNS

Licensing Requirements for DDNS

Licensing Requirements for DDNS
The following table shows the licensing requirements for DDNS:
Model

License Requirement

All models

Base License.

Guidelines and Limitations
Failover Guidelines

Supports Active/Active and Active/Standby failover.
Firewall Mode Guidelines

Supported in routed firewall mode.
Context Mode Guidelines

Supported in single and multiple context modes.
Supported in transparent mode for the DNS Client pane.
IPv6 Guidelines

Supports IPv6.

Configuring DDNS
This section describes examples for configuring the ASA to support Dynamic DNS. DDNS update
integrates DNS with DHCP. The two protocols are complementary—DHCP centralizes and automates
IP address allocation, while dynamic DNS update automatically records the association between
assigned addresses and hostnames. When you use DHCP and dynamic DNS update, this configures a
host automatically for network access whenever it attaches to the IP network. You can locate and reach
the host using its permanent, unique DNS hostname. Mobile hosts, for example, can move freely without
user or administrator intervention.
DDNS provides address and domain name mapping so that hosts can find each other, even though their
DHCP-assigned IP addresses change frequently. The DDNS name and address mapping is held on the
DHCP server in two resource records: the A RR includes the name-to I- address mapping, while the PTR
RR maps addresses to names. Of the two methods for performing DDNS updates—the IETF standard
defined by RFC 2136 and a generic HTTP method—the ASA supports the IETF method in this release.
The two most common DDNS update configurations are the following:
•

The DHCP client updates the A RR, while the DHCP server updates the PTR RR.

•

The DHCP server updates both the A RR and PTR RR.

Cisco ASA 5500 Series Configuration Guide using the CLI

12-2

Chapter 12

Configuring Dynamic DNS
Configuration Examples for DDNS

In general, the DHCP server maintains DNS PTR RRs on behalf of clients. Clients may be configured
to perform all desired DNS updates. The server may be configured to honor these updates or not. To
update the PTR RR, the DHCP server must know the FQDN of the client. The client provides an FQDN
to the server using a DHCP option called Client FQDN.

Configuration Examples for DDNS
The following examples present five common scenarios:
•

Example 1: Client Updates Both A and PTR RRs for Static IP Addresses, page 12-3

•

Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client Update Request;
FQDN Provided Through Configuration, page 12-3

•

Example 3: Client Includes FQDN Option Instructing Server Not to Update Either RR; Server
Overrides Client and Updates Both RRs., page 12-4

•

Example 4: Client Asks Server To Perform Both Updates; Server Configured to Update PTR RR
Only; Honors Client Request and Updates Both A and PTR RR, page 12-5

•

Example 5: Client Updates A RR; Server Updates PTR RR, page 12-5

Example 1: Client Updates Both A and PTR RRs for Static IP Addresses
The following example shows how to configure the client to request that it update both A and PTR
resource records for static IP addresses.
To configure this scenario, perform the following steps:
Step 1

To define a DDNS update method called ddns-2 that requests that the client update both the A RR and
PTR RR, enter the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both

Step 2

To associate the method ddns-2 with the eth1 interface, enter the following commands:
hostname(DDNS-update-method)# interface eth1
hostname(config-if)# ddns update ddns-2
hostname(config-if)# ddns update hostname asa.example.com

Step 3

To configure a static IP address for eth1, enter the following command:
hostname(config-if)# ip address 10.0.0.40 255.255.255.0

Example 2: Client Updates Both A and PTR RRs; DHCP Server Honors Client
Update Request; FQDN Provided Through Configuration
The following example shows how to configure the DHCP client to request that it update both the A and
PTR RRs, and the DHCP server to honor these requests.
To configure this scenario, perform the following steps:

Cisco ASA 5500 Series Configuration Guide using the CLI

12-3

Chapter 12

Configuring Dynamic DNS

Configuration Examples for DDNS

Step 1

To configure the DHCP client to request that the DHCP server perform no updates, enter the following
command:
hostname(config)# dhcp-client update dns server none

Step 2

To create a DDNS update method named ddns-2 on the DHCP client that requests that the client perform
both A and PTR updates, enter the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both

Step 3

To associate the method named ddns-2 with the ASA interface named Ethernet0, and enable DHCP on
the interface, enter the following commands:
hostname(DDNS-update-method)# interface Ethernet0
hostname(if-config)# ddns update ddns-2
hostname(if-config)# ddns update hostname asa.example.com
hostname(if-config)# ip address dhcp

Step 4

To configure the DHCP server, enter the following command:
hostname(if-config)# dhcpd update dns

Example 3: Client Includes FQDN Option Instructing Server Not to Update Either
RR; Server Overrides Client and Updates Both RRs.
The following example shows how to configure the DHCP client to include the FQDN option that
instruct the DHCP server not to honor either the A or PTR updates. The example also shows how to
configure the server to override the client request. As a result, the client does not perform any updates.
To configure this scenario, perform the following steps:
Step 1

To configure the update method named ddns-2 to request that it make both A and PTR RR updates, enter
the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns both

Step 2

To assign the DDNS update method named ddns-2 on interface Ethernet0 and provide the client
hostname (asa), enter the following commands:
hostname(DDNS-update-method)# interface Ethernet0
hostname(if-config)# ddns update ddns-2
hostname(if-config)# ddns update hostname asa.example.com

Step 3

To enable the DHCP client feature on the interface, enter the following commands:
hostname(if-config)# dhcp client update dns server none
hostname(if-config)# ip address dhcp

Step 4

To configure the DHCP server to override the client update requests, enter the following command:
hostname(if-config)# dhcpd update dns both override

Cisco ASA 5500 Series Configuration Guide using the CLI

12-4

Chapter 12

Configuring Dynamic DNS
Configuration Examples for DDNS

Example 4: Client Asks Server To Perform Both Updates; Server Configured to
Update PTR RR Only; Honors Client Request and Updates Both A and PTR RR
The following example shows how to configure the server to perform only PTR RR updates by default.
However, the server honors the client request that it perform both A and PTR updates. The server also
forms the FQDN by appending the domain name (example.com) to the hostname that the client (asa) has
provided.
To configure this scenario, perform the following steps:
Step 1

To configure the DHCP client on interface Ethernet0, enter the following commands:
hostname(config)# interface Ethernet0
hostname(config-if)# dhcp client update dns both
hostname(config-if)# ddns update hostname asa

Step 2

To configure the DHCP server, enter the following commands:
hostname(config-if)# dhcpd update dns
hostname(config-if)# dhcpd domain example.com

Example 5: Client Updates A RR; Server Updates PTR RR
The following example shows how to configure the client to update the A resource record and how to
configure the server to update the PTR records. Also, the client uses the domain name from the DHCP
server to form the FQDN.
To configure this scenario, perform the following steps:
Step 1

To define the DDNS update method named ddns-2, enter the following commands:
hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# ddns

Step 2

To configure the DHCP client for interface Ethernet0 and assign the update method to the interface, enter
the following commands:
hostname(DDNS-update-method)# interface Ethernet0
hostname(config-if)# dhcp client update dns
hostname(config-if)# ddns update ddns-2
hostname(config-if)# ddns update hostname asa

Step 3

To configure the DHCP server, enter the following commands:
hostname(config-if)# dhcpd update dns
hostname(config-if)# dhcpd domain example.com

Cisco ASA 5500 Series Configuration Guide using the CLI

12-5

Chapter 12

Configuring Dynamic DNS

DDNS Monitoring Commands

DDNS Monitoring Commands
To monitor DDNS, enter one of the following commands:
Command

Purpose

show running-config ddns

Shows the current DDNS configuration.

show running-config dns server-group

Shows the current DNS server group status.

Feature History for DDNS
Table 12-1 lists each feature change and the platform release in which it was implemented.
Table 12-1

Feature History for DDNS

Feature Name

Releases

Feature Information

DDNS

7.0(1)

This feature was introduced.
The following commands were introduced: ddns, ddns update, dhcp client update
dns, dhcpd update dns, show running-config ddns, and show running-config dns
server-group.

Cisco ASA 5500 Series Configuration Guide using the CLI

12-6

PA R T

Configuring Objects and Access Lists

C H A P T E R

Configuring Objects
Objects are reusable components for use in your configuration. They can be defined and used in ASA
configurations in the place of inline IP addresses. Objects make it easy to maintain your configurations
because you can modify an object in one place and have it be reflected in all other places that are
referencing it. Without objects you would have to modify the parameters for every feature when
required, instead of just once. For example, if a network object defines an IP address and subnet mask,
and you want to change the address, you only need to change it in the object definition, not in every
feature that refers to that IP address.
This chapter describes how to configure objects, and it includes the following sections:
•

Configuring Objects and Groups, page 13-1

•

Configuring Regular Expressions, page 13-12

•

Scheduling Extended Access List Activation, page 13-16

Configuring Objects and Groups
This section includes the following topics:
•

Information About Objects and Groups, page 13-1

•

Licensing Requirements for Objects and Groups, page 13-2

•

Guidelines and Limitations for Objects and Groups, page 13-3

•

Configuring Objects, page 13-3

•

Configuring Object Groups, page 13-6

•

Monitoring Objects and Groups, page 13-11

•

Feature History for Objects and Groups, page 13-12

Information About Objects and Groups
The ASA supports objects and object groups. You can attach or detach objects from one or more object
groups when needed, ensuring that the objects are not duplicated but can be re-used wherever needed.
This section includes the following topics:
•

Information About Objects, page 13-2

Cisco ASA 5500 Series Configuration Guide using the CLI

13-1

Chapter 13

Configuring Objects

Configuring Objects and Groups

•

Information About Object Groups, page 13-2

Information About Objects
Objects are created in and used by the ASA in the place of an inline IP address in any given
configuration. You can define an object with a particular IP address and netmask pair or a protocol (and,
optionally, a port) and use this object in several configurations. The advantage is that whenever you want
to modify the configurations created to this IP address or protocol, you do not need to modify all rules
in the running configuration. You can modify the object, and then the change automatically applies to
all rules that use the specified object. You can configure two types of objects: network objects and
service objects. These objects can be used in Network Address Translation (NAT), access lists, and
object groups.

Information About Object Groups
By grouping like objects together, you can use the object group in an ACE instead of having to enter an
ACE for each object separately. You can create the following types of object groups:
•

Protocol

•

Network

•

Service

•

ICMP type

For example, consider the following three object groups:
•

MyServices—Includes the TCP and UDP port numbers of the service requests that are allowed
access to the internal network.

•

TrustedHosts—Includes the host and network addresses allowed access to the greatest range of
services and servers.

•

PublicServers—Includes the host addresses of servers to which the greatest access is provided.

After creating these groups, you could use a single ACE to allow trusted hosts to make specific service
requests to a group of public servers.
You can also nest object groups in other object groups.

Licensing Requirements for Objects and Groups
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Cisco ASA 5500 Series Configuration Guide using the CLI

13-2

Chapter 13

Configuring Objects
Configuring Objects and Groups

Guidelines and Limitations for Objects and Groups
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines

Supported in routed and transparent firewall modes.
IPv6 Guidelines

Supports IPv6, with limitations. (See the “Additional Guidelines and Limitations” section on page 13-3.)
Additional Guidelines and Limitations

The following guidelines and limitations apply to object groups:
•

Objects and object groups share the same name space.

•

Object groups must have unique names. While you might want to create a network object group
named “Engineering” and a service object group named “Engineering,” you need to add an identifier
(or “tag”) to the end of at least one object group name to make it unique. For example, you can use
the names “Engineering_admins” and “Engineering_hosts” to make the object group names unique
and to aid in identification.

•

You cannot remove an object group or make an object group empty if it is used in a command.

•

The ASA does not support IPv6 nested object groups, so you cannot group an object with IPv6
entities under another IPv6 object group.

Configuring Objects
This section includes the following topics:
•

Configuring a Network Object, page 13-3

•

Configuring a Service Object, page 13-4

Configuring a Network Object
A network object contains a single IP address/mask pair. Network objects can be of three types: host,
subnet, or range.
You can also configure auto NAT as part of the object definition; see Chapter 30, “Configuring Network
Object NAT,” for more information.

Cisco ASA 5500 Series Configuration Guide using the CLI

13-3

Chapter 13

Configuring Objects

Configuring Objects and Groups

Detailed Steps

Step 1

Command

Purpose

object network obj_name

Creates a new network object. The obj_name is a text string up to
64 characters in length and can be any combination of letters,
digits, and the following characters:

Example:
hostname(config)# object-network OBJECT1

•

underscore “_”

•

dash “-”

•

period “.”

The prompt changes to network object configuration mode.
Step 2

{host ip_addr | subnet net_addr net_mask |
range ip_addr_1 ip_addr_2}

Assigns the IP address to the named object. You can configure a
host address, a subnet, or a range of addresses.

Example:
hostname(config-network-object)# host
10.2.2.2

Step 3

description text

Adds a description to the object.

Example:
hostname(config-network-object)#
description Engineering Network

Examples
To create a network object, enter the following commands:
hostname (config)# object network OBJECT1
hostname (config-network-object)# host 10.2.2.2

Configuring a Service Object
A service object contains a protocol and optional source and/or destination port.

Cisco ASA 5500 Series Configuration Guide using the CLI

13-4

Chapter 13

Configuring Objects
Configuring Objects and Groups

Detailed Steps

Step 1

Command

Purpose

object service obj_name

Creates a new service object. The obj_name is a text string up to
64 characters in length and can be any combination of letters,
digits, and the following characters:

Example:
hostname(config)# object-service
SERVOBJECT1

•

underscore “_”

•

dash “-”

•

period “.”

The prompt changes to service object configuration mode.
Step 2

service {protocol | icmp icmp-type | icmp6
icmp6-type | {tcp | udp} [source operator
port] [destination operator port]}

Creates a service object for the source mapped address.
The protocol argument specifies an IP protocol name or number.
The icmp, tcp, or udp keywords specify that this service object is
for either the ICMP, TCP, or UDP protocol.

Example:
hostname(config-service-object)# service
tcp source eq www destination eq ssh

The icmp-type argument names the ICMP type.
The icmp6 keyword specifies that the service type is for ICMP
version 6 connections.
The icmp6-type argument names the ICMP version 6 type.
The source keyword specifies the source port.
The destination keyword specifies the destination port.
The operator port argument specifies a single port/code value that
supports configuring the port for the protocol. You can specify
“eq,” “neq,” “lt,” “gt,” and “range” when configuring a port for
TCP or UDP. The “range” operator lists the beginning port and
ending port.

Example
To create a service object, enter the following commands:
hostname (config)# object service SERVOBJECT1
hostname (config-service-object)# service tcp source eq www destination eq ssh

Cisco ASA 5500 Series Configuration Guide using the CLI

13-5

Chapter 13

Configuring Objects

Configuring Objects and Groups

Configuring Object Groups
This section includes the following topics:
•

Adding a Protocol Object Group, page 13-6

•

Adding a Network Object Group, page 13-7

•

Adding a Service Object Group, page 13-8

•

Adding an ICMP Type Object Group, page 13-9

•

Nesting Object Groups, page 13-10

•

Removing Object Groups, page 13-11

Adding a Protocol Object Group
To add or change a protocol object group, perform the steps in this section. After you add the group, you
can add more objects as required by following this procedure again for the same group name and
specifying additional objects. You do not need to reenter existing objects; the commands you already set
remain in place unless you remove them with the no form of the command.

Detailed Steps

Step 1

Command

Purpose

object-group protocol obj_grp_id

Adds a protocol group. The obj_grp_id is a text string up to 64
characters in length and can be any combination of letters, digits,
and the following characters:

Example:
hostname(config)# object-group protocol
tcp_udp_icmp

•

underscore “_”

•

dash “-”

•

period “.”

The prompt changes to protocol configuration mode.
Step 2

description text

(Optional) Adds a description. The description can be up to 200
characters.

Example:
hostname(config-protocol)# description New
Group

Step 3

Defines the protocols in the group. Enter the command for each
protocol. The protocol is the numeric identifier of the specified IP
protocol (1 to 254) or a keyword identifier (for example, icmp,
Example:
tcp, or udp). To include all IP protocols, use the keyword ip. For
hostname(config-protocol)# protocol-object
a list of protocols that you can specify, see the “Protocols and
tcp
Applications” section on page B-11.
protocol-object protocol

Example
To create a protocol group for TCP, UDP, and ICMP, enter the following commands:
hostname (config)# object-group protocol tcp_udp_icmp
hostname (config-protocol)# protocol-object tcp
hostname (config-protocol)# protocol-object udp

Cisco ASA 5500 Series Configuration Guide using the CLI

13-6

Chapter 13

Configuring Objects
Configuring Objects and Groups

hostname (config-protocol)# protocol-object icmp

Adding a Network Object Group
A network object group supports IPv4 and IPv6 addresses.
To add or change a network object group, perform the steps in this section. After you add the group, you
can add more objects as required by following this procedure again for the same group name and
specifying additional objects. You do not need to reenter existing objects; the commands you already set
remain in place unless you remove them with the no form of the command.

Detailed Steps

Step 1

Command

Purpose

object-group network grp_id

Adds a network group.

Example:

The grp_id is a text string up to 64 characters in
length and can be any combination of letters, digits,
and the following characters:

hostname(config)# object-group network
admins

•

underscore “_”

•

dash “-”

•

period “.”

The prompt changes to protocol configuration mode.
Step 2

(Optional) Adds a description. The description can
be up to 200 characters.

description text

Example:
hostname(config-network)# Administrator
Addresses

Step 3

The object keyword adds an additional object to the
network object group.

network-object {object name | host
ip_address | ip_address mask}

Defines the networks in the group. Enter the
command for each network or address.

Example:
hostname(config-network)# network-object
host 10.2.2.4

Example
To create a network group that includes the IP addresses of three administrators, enter the following
commands:
hostname
hostname
hostname
hostname
hostname

(config)# object-group network admins
(config-protocol)# description Administrator Addresses
(config-protocol)# network-object host 10.2.2.4
(config-protocol)# network-object host 10.2.2.78
(config-protocol)# network-object host 10.2.2.34

Cisco ASA 5500 Series Configuration Guide using the CLI

13-7

Chapter 13

Configuring Objects

Configuring Objects and Groups

Adding a Service Object Group
To add or change a service object group, perform the steps in this section. After you add the group, you
can add more objects as required by following this procedure again for the same group name and
specifying additional objects. You do not need to reenter existing objects; the commands you already set
remain in place unless you remove them with the no form of the command.

Detailed Steps

Step 1

Command

Purpose

object-group service grp_id {tcp | udp |
tcp-udp}

Adds a service group.
The object keyword adds an additional object to the
service object group.

Example:
hostname(config)# object-group service
services1 tcp-udp

The grp_id is a text string up to 64 characters in
length and can be any combination of letters, digits,
and the following characters:
•

underscore “_”

•

dash “-”

•

period “.”

Specify the protocol for the services (ports) you
want to add with either the tcp, udp, or tcp-udp
keywords. Enter the tcp-udp keyword if your
service uses both TCP and UDP with the same port
number, for example, DNS (port53).
The prompt changes to service configuration mode.
Step 2

description text

(Optional) Adds a description. The description can
be up to 200 characters.

Example:
hostname(config-service)# description DNS
Group

Step 3

port-object {eq port | range begin_port
end_port}

Example:

Defines the ports in the group. Enter the command
for each port or range of ports. For a list of permitted
keywords and well-known port assignments, see the
“Protocols and Applications” section on page B-11.

hostname(config-service)# port-object eq
domain

Example
To create service groups that include DNS (TCP/UDP), LDAP (TCP), and RADIUS (UDP), enter the
following commands:
hostname (config)# object-group service services1 tcp-udp
hostname (config-service)# description DNS Group
hostname (config-service)# port-object eq domain
hostname (config)# object-group service services2 udp
hostname (config-service)# description RADIUS Group
hostname (config-service)# port-object eq radius

Cisco ASA 5500 Series Configuration Guide using the CLI

13-8

Chapter 13

Configuring Objects
Configuring Objects and Groups

hostname (config-service)# port-object eq radius-acct
hostname (config)# object-group service services3 tcp
hostname (config-service)# description LDAP Group
hostname (config-service)# port-object eq ldap

Adding an ICMP Type Object Group
To add or change an ICMP type object group, perform the steps in this section. After you add the group,
you can add more objects as required by following this procedure again for the same group name and
specifying additional objects. You do not need to reenter existing objects; the commands you already set
remain in place unless you remove them with the no form of the command.

Detailed Steps

Step 1

Command

Purpose

object-group icmp-type grp_id

Adds an ICMP type object group. The grp_id is a text string up to
64 characters in length and can be any combination of letters,
digits, and the following characters:

Example:
hostname(config)# object-group icmp-type
ping

•

underscore “_”

•

dash “-”

•

period “.”

The prompt changes to ICMP type configuration mode.
Step 2

(Optional) Adds a description. The description can be up to 200
characters.

description text

Example:
hostname(config-icmp-type)# description
Ping Group

Step 3

icmp-object icmp-type

Example:

Defines the ICMP types in the group. Enter the command for each
type. For a list of ICMP types, see the“ICMP Types” section on
page B-15.

hostname(config-icmp-type)# icmp-object
echo-reply

Example
Create an ICMP type group that includes echo-reply and echo (for controlling ping) by entering the
following commands:
hostname
hostname
hostname
hostname

(config)# object-group icmp-type ping
(config-service)# description Ping Group
(config-service)# icmp-object echo
(config-service)# icmp-object echo-reply

Cisco ASA 5500 Series Configuration Guide using the CLI

13-9

Chapter 13

Configuring Objects

Configuring Objects and Groups

Nesting Object Groups
You can nest object groups hierarchically so that one object group can contain other object groups of the
same type and you can mix and match nested group objects and regular objects within an object group.
The ASA does not support IPv6 nested object groups, however, so you cannot group an object with IPv6
entities under another IPv6 object-group.
To nest an object group within another object group of the same type, first create the group that you want
to nest (see the “Configuring Object Groups” section on page 13-6), and then perform the steps in this
section.

Detailed Steps

Step 1

Command

Purpose

object-group group {{protocol | network |
icmp-type} grp_id |service grp_id {tcp |
udp | tcp-udp}}

Adds or edits the specified object group type under which you
want to nest another object group.
The service_grp_id is a text string up to 64 characters in length
and can be any combination of letters, digits, and the following
characters:

Example:
hostname(config)# object-group network
Engineering_group

Step 2

group-object group_id

Example:
hostname(config-network)# group-object
Engineering_groups

•

underscore “_”

•

dash “-”

•

period “.”

Adds the specified group under the object group you specified in
Step 1. The nested group must be of the same type. You can mix
and match nested group objects and regular objects within an
object group.

Examples
Create network object groups for privileged users from various departments by entering the following
commands:
hostname
hostname
hostname
hostname

(config)# object-group network eng
(config-network)# network-object host 10.1.1.5
(config-network)# network-object host 10.1.1.9
(config-network)# network-object host 10.1.1.89

hostname (config)# object-group network hr
hostname (config-network)# network-object host 10.1.2.8
hostname (config-network)# network-object host 10.1.2.12
hostname (config)# object-group network finance
hostname (config-network)# network-object host 10.1.4.89
hostname (config-network)# network-object host 10.1.4.100

You then nest all three groups together as follows:
hostname
hostname
hostname
hostname

(config)# object-group network
(config-network)# group-object
(config-network)# group-object
(config-network)# group-object

Cisco ASA 5500 Series Configuration Guide using the CLI

13-10

admin
eng
hr
finance

Chapter 13

Configuring Objects
Configuring Objects and Groups

You only need to specify the admin object group in your ACE as follows:
hostname (config)# access-list ACL_IN extended permit ip object-group admin host
209.165.201.29

Removing Object Groups
You can remove a specific object group or remove all object groups of a specified type; however, you
cannot remove an object group or make an object group empty if it is used in an access list.

Detailed Step

Step 1

Do one of the following:
no object-group grp_id

Example:

Removes the specified object group. The grp_id is a text string up
to 64 characters in length and can be any combination of letters,
digits, and the following characters:

hostname(config)# no object-group
Engineering_host

clear object-group [protocol | network |
services | icmp-type]

•

underscore “_”

•

dash “-”

•

period “.”

Removes all object groups of the specified type.

Note

Example:

If you do not enter a type, all object groups are removed.

hostname(config)# clear-object group
network

Monitoring Objects and Groups
To monitor objects and groups, enter the following commands:
Command

Purpose

show access-list

Displays the access list entries that are expanded
out into individual entries without their object
groupings.

show running-config object-group

Displays all current object groups.

show running-config object-group grp_id

Displays the current object groups by their group
ID.

show running-config object-group grp_type

Displays the current object groups by their group
type.

Cisco ASA 5500 Series Configuration Guide using the CLI

13-11

Chapter 13

Configuring Objects

Configuring Regular Expressions

Feature History for Objects and Groups
Table 1 lists each feature change and the platform release in which it was implemented.
Table 1

Feature History for Object Groups

Feature Name

Releases

Feature Information

Object groups

7.0(1)

Object groups simplify access list creation and
maintenance.
We introduced or modified the following commands:
object-group protocol, object-group network,
object-group service, object-group icmp_type.

Objects

8.3(1)

Object support was introduced.
We introduced or modified the following commands:
object-network, object-service, object-group network,
object-group service, network object, access-list
extended, access-list webtype, access-list remark.

Configuring Regular Expressions
A regular expression matches text strings either literally as an exact string, or by using metacharacters
so that you can match multiple variants of a text string. You can use a regular expression to match the
content of certain application traffic; for example, you can match a URL string inside an HTTP packet.
This section describes how to create a regular expression and includes the following topics:
•

Creating a Regular Expression, page 13-12

•

Creating a Regular Expression Class Map, page 13-15

Creating a Regular Expression
A regular expression matches text strings either literally as an exact string, or by using metacharacters
so you can match multiple variants of a text string. You can use a regular expression to match the content
of certain application traffic; for example, you can match a URL string inside an HTTP packet.

Guidelines
Use Ctrl+V to escape all of the special characters in the CLI, such as question mark (?) or a tab. For
example, type d[Ctrl+V]?g to enter d?g in the configuration.
See the regex command in the command reference for performance impact information when matching
a regular expression to packets.

Note

As an optimization, the ASA searches on the deobfuscated URL. Deobfuscation compresses multiple
forward slashes (/) into a single slash. For strings that commonly use double slashes, like “http://”, be
sure to search for “http:/” instead.

Cisco ASA 5500 Series Configuration Guide using the CLI

13-12

Chapter 13

Configuring Objects
Configuring Regular Expressions

Table 13-2 lists the metacharacters that have special meanings.
Table 13-2

regex Metacharacters

Character Description

Notes

Dot

Matches any single character. For example, d.g matches
dog, dag, dtg, and any word that contains those
characters, such as doggonnit.

(exp)

Subexpression

A subexpression segregates characters from surrounding
characters, so that you can use other metacharacters on
the subexpression. For example, d(o|a)g matches dog
and dag, but do|ag matches do and ag. A subexpression
can also be used with repeat quantifiers to differentiate
the characters meant for repetition. For example,
ab(xy){3}z matches abxyxyxyz.

Alternation

Matches either expression it separates. For example,
dog|cat matches dog or cat.

Question mark

A quantifier that indicates that there are 0 or 1 of the
previous expression. For example, lo?se matches lse or
lose.
Note

You must enter Ctrl+V and then the question
mark or else the help function is invoked.

Asterisk

A quantifier that indicates that there are 0, 1 or any
number of the previous expression. For example, lo*se
matches lse, lose, loose, and so on.

Plus

A quantifier that indicates that there is at least 1 of the
previous expression. For example, lo+se matches lose
and loose, but not lse.

{x} or {x,} Minimum repeat quantifier

Repeat at least x times. For example, ab(xy){2,}z
matches abxyxyz, abxyxyxyz, and so on.

[abc]

Character class

Matches any character in the brackets. For example,
[abc] matches a, b, or c.

[^abc]

Negated character class

Matches a single character that is not contained within
the brackets. For example, [^abc] matches any character
other than a, b, or c. [^A-Z] matches any single
character that is not an uppercase letter.

[a-c]

Character range class

Matches any character in the range. [a-z] matches any
lowercase letter. You can mix characters and ranges:
[abcq-z] matches a, b, c, q, r, s, t, u, v, w, x, y, z, and so
does [a-cq-z].
The dash (-) character is literal only if it is the last or the
first character within the brackets: [abc-] or [-abc].

“”

Quotation marks

Preserves trailing or leading spaces in the string. For
example, “ test” preserves the leading space when it
looks for a match.

Caret

Specifies the beginning of a line.

Cisco ASA 5500 Series Configuration Guide using the CLI

13-13

Chapter 13

Configuring Objects

Configuring Regular Expressions

Table 13-2

regex Metacharacters (continued)

Character Description

Notes

Escape character

When used with a metacharacter, matches a literal
character. For example, \[ matches the left square
bracket.

char

Character

When character is not a metacharacter, matches the
literal character.

Carriage return

Matches a carriage return 0x0d.

Newline

Matches a new line 0x0a.

Tab

Matches a tab 0x09.

Formfeed

Matches a form feed 0x0c.

\xNN

Escaped hexadecimal number

Matches an ASCII character using hexadecimal (exactly
two digits).

\NNN

Escaped octal number

Matches an ASCII character as octal (exactly three
digits). For example, the character 040 represents a
space.

Detailed Steps
Step 1

To test a regular expression to make sure it matches what you think it will match, enter the following
command:
hostname(config)# test regex input_text regular_expression

Where the input_text argument is a string you want to match using the regular expression, up to 201
characters in length.
The regular_expression argument can be up to 100 characters in length.
Use Ctrl+V to escape all of the special characters in the CLI. For example, to enter a tab in the input
text in the test regex command, you must enter test regex “test[Ctrl+V Tab]” “test\t”.
If the regular expression matches the input text, you see the following message:
INFO: Regular expression match succeeded.

If the regular expression does not match the input text, you see the following message:
INFO: Regular expression match failed.

Step 2

To add a regular expression after you tested it, enter the following command:
hostname(config)# regex name regular_expression

Where the name argument can be up to 40 characters in length.
The regular_expression argument can be up to 100 characters in length.

Examples
The following example creates two regular expressions for use in an inspection policy map:
hostname(config)# regex url_example example\.com

Cisco ASA 5500 Series Configuration Guide using the CLI

13-14

Chapter 13

Configuring Objects
Configuring Regular Expressions

hostname(config)# regex url_example2 example2\.com

Creating a Regular Expression Class Map
A regular expression class map identifies one or more regular expressions. You can use a regular
expression class map to match the content of certain traffic; for example, you can match URL strings
inside HTTP packets.

Detailed Steps
Step 1

Create one or more regular expressions according to the “Configuring Regular Expressions” section.

Step 2

Create a class map by entering the following command:
hostname(config)# class-map type regex match-any class_map_name
hostname(config-cmap)#

Where class_map_name is a string up to 40 characters in length. The name “class-default” is reserved.
All types of class maps use the same name space, so you cannot reuse a name already used by another
type of class map.
The match-any keyword specifies that the traffic matches the class map if it matches at least one of the
regular expressions.
The CLI enters class-map configuration mode.
Step 3

(Optional) Add a description to the class map by entering the following command:
hostname(config-cmap)# description string

Step 4

Identify the regular expressions you want to include by entering the following command for each regular
expression:
hostname(config-cmap)# match regex regex_name

Examples
The following example creates two regular expressions, and adds them to a regular expression class map.
Traffic matches the class map if it includes the string “example.com” or “example2.com.”
hostname(config)# regex url_example example\.com
hostname(config)# regex url_example2 example2\.com
hostname(config)# class-map type regex match-any URLs
hostname(config-cmap)# match regex url_example
hostname(config-cmap)# match regex url_example2

Cisco ASA 5500 Series Configuration Guide using the CLI

13-15

Chapter 13

Configuring Objects

Scheduling Extended Access List Activation

Scheduling Extended Access List Activation
This section includes the following topics:
•

Information About Scheduling Access List Activation, page 13-16

•

Licensing Requirements for Scheduling Access List Activation, page 13-16

•

Guidelines and Limitations for Scheduling Access List Activation, page 13-16

•

Configuring and Applying Time Ranges, page 13-17

•

Configuration Examples for Scheduling Access List Activation, page 13-18

•

Feature History for Scheduling Access List Activation, page 13-18

Information About Scheduling Access List Activation
You can schedule each ACE in an access list to be activated at specific times of the day and week by
applying a time range to the ACE.

Licensing Requirements for Scheduling Access List Activation
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Guidelines and Limitations for Scheduling Access List Activation
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines

Supported in routed and transparent firewall modes.
IPv6 Guidelines

Supports IPv6.

Cisco ASA 5500 Series Configuration Guide using the CLI

13-16

Chapter 13

Configuring Objects
Scheduling Extended Access List Activation

Additional Guidelines and Limitations

The following guidelines and limitations apply to using object groups with access lists:
•

Users could experience a delay of approximately 80 to 100 seconds after the specified end time for
the ACL to become inactive. For example, if the specified end time is 3:50, because the end time is
inclusive, the command is picked up anywhere between 3:51:00 and 3:51:59. After the command is
picked up, the ASA finishes any currently running task and then services the command to deactivate
the ACL.

•

Multiple periodic entries are allowed per time-range command. If a time-range command has both
absolute and periodic values specified, then the periodic commands are evaluated only after the
absolute start time is reached, and they are not further evaluated after the absolute end time is
reached.

Configuring and Applying Time Ranges
You can add a time range to implement a time-based access list. To identify the time range, perform the
steps in this section.

Detailed Steps

Step 1

Command

Purpose

time-range name

Identifies the time-range name.

Example:
hostname(config)# time range Sales

Step 2

Do one of the following:
periodic days-of-the-week time to
[days-of-the-week] time

Specifies a recurring time range.
You can specify the following values for days-of-the-week:

Example:
hostname(config-time-range)# periodic
monday 7:59 to friday 17:01

•

monday, tuesday, wednesday, thursday, friday, saturday,
or sunday.

•

daily

•

weekdays

•

weekend

The time is in the format hh:mm. For example, 8:00 is 8:00 a.m.
and 20:00 is 8:00 p.m.

Cisco ASA 5500 Series Configuration Guide using the CLI

13-17

Chapter 13

Configuring Objects

Scheduling Extended Access List Activation

Step 3

Command

Purpose

absolute start time date [end time date]

Specifies an absolute time range.

Example:

The time is in the format hh:mm. For example, 8:00 is 8:00 a.m.
and 20:00 is 8:00 p.m.

hostname(config-time-range)# absolute
start 7:59 2 january 2009

The date is in the format day month year; for example, 1 january
2006.

access-list access_list_name [extended]
{deny | permit}...[time-range name]

Applies the time range to an ACE.

Note

Example:
hostname(config)# access list Marketing
extended deny tcp host 209.165.200.225
host 209.165 201.1 time-range
Pacific_Coast

If you also enable logging for the ACE, use the log
keyword before the time-range keyword. If you disable
the ACE using the inactive keyword, use the inactive
keyword as the last keyword.

See Chapter 15, “Adding an Extended Access List,” for complete
access-list command syntax.

Example
The following example binds an access list named “Sales” to a time range named “New_York_Minute”:
hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host
209.165.201.1 time-range New_York_Minute

Configuration Examples for Scheduling Access List Activation
The following is an example of an absolute time range beginning at 8:00 a.m. on January 1, 2006.
Because no end time and date are specified, the time range is in effect indefinitely.
hostname(config)# time-range for2006
hostname(config-time-range)# absolute start 8:00 1 january 2006

The following is an example of a weekly periodic time range from 8:00 a.m. to 6:00 p.m on weekdays:
hostname(config)# time-range workinghours
hostname(config-time-range)# periodic weekdays 8:00 to 18:00

Feature History for Scheduling Access List Activation
Table 13-3 lists each feature change and the platform release in which it was implemented.
Table 13-3

Feature History for Scheduling Access List Activation

Feature Name

Releases

Feature Information

Scheduling access list activation

7.0

You can schedule each ACE in an access list to be activated
at specific times of the day and week.
We introduced or mofied the following commands:
object-group protocol, object-group network,
object-group service, object-group icmp_type.

Cisco ASA 5500 Series Configuration Guide using the CLI

13-18

Chapter 13

Configuring Objects
Scheduling Extended Access List Activation

Cisco ASA 5500 Series Configuration Guide using the CLI

13-19

Chapter 13
Scheduling Extended Access List Activation

Cisco ASA 5500 Series Configuration Guide using the CLI

13-20

Configuring Objects

CH A P T E R

Information About Access Lists
Cisco ASAs provide basic traffic filtering capabilities with access lists, which control access in your
network by preventing certain traffic from entering or exiting. This chapter describes access lists and
shows how to add them to your network configuration.
Access lists are made up of one or more access control entries (ACEs). An ACE is a single entry in an
access list that specifies a permit or deny rule (to forward or drop the packet) and is applied to a protocol,
to a source and destination IP address or network, and, optionally, to the source and destination ports.
Access lists can be configured for all routed and network protocols (IP, AppleTalk, and so on) to filter
the packets of those protocols as the packets pass through a router.
Access lists are used in a variety of features. If your feature uses Modular Policy Framework, you can
use an access list to identify traffic within a traffic class map. For more information on Modular Policy
Framework, see Chapter 32, “Configuring a Service Policy Using the Modular Policy Framework.”
This chapter includes the following sections:
•

Access List Types, page 14-1

•

Access Control Entry Order, page 14-2

•

Access Control Implicit Deny, page 14-3

•

IP Addresses Used for Access Lists When You Use NAT, page 14-3

•

Where to Go Next, page 14-3

Access List Types
The ASA uses five types of access control lists:
•

Standard access lists—Identify the destination IP addresses of OSPF routes and can be used in a
route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control
traffic. For more information, see Chapter 17, “Adding a Standard Access List.”

•

Extended access lists—Use one or more access control entries (ACE) in which you can specify the
line number to insert the ACE, the source and destination addresses, and, depending upon the ACE
type, the protocol, the ports (for TCP or UDP), or the IPCMP type (for ICMP). For more
information, see Chapter 15, “Adding an Extended Access List.”

•

EtherType access lists—Use one or more ACEs that specify an EtherType. For more information,
see Chapter 16, “Adding an EtherType Access List.”

•

Webtype access lists—Used in a configuration that supports filtering for clientless SSL VPN. For
more information, see Chapter 18, “Adding a Webtype Access List.”

Cisco ASA 5500 Series Configuration Guide using the CLI

14-1

Chapter 14

Information About Access Lists

Access Control Entry Order

•

IPv6 access lists—Determine which IPv6 traffic to block and which traffic to forward at router
interfaces. For more information, see Chapter 19, “Adding an IPv6 Access List.”

Table 14-1 lists the types of access lists and some common uses for them.
Table 14-1

Access List Types and Common Uses

Access List Use

Access List Type

Description

Control network access for IP traffic
(routed and transparent mode)

Extended

The ASA does not allow any traffic from a lower security
interface to a higher security interface unless it is
explicitly permitted by an extended access list.
Note

Identify traffic for AAA rules

Extended

To access the ASA interface for management
access, you do not also need an access list
allowing the host IP address. You only need to
configure management access according to
Chapter 37, “Configuring Management Access.”

AAA rules use access lists to identify traffic.

Control network access for IP traffic for a Extended,
given user
downloaded from a
AAA server per user

You can configure the RADIUS server to download a
dynamic access list to be applied to the user, or the server
can send the name of an access list that you already
configured on the ASA.

Identify addresses for NAT (policy NAT
and NAT exemption)

Extended

Policy NAT lets you identify local traffic for address
translation by specifying the source and destination
addresses in an extended access list.

Establish VPN access

Extended

You can use an extended access list in VPN commands.

Identify traffic in a traffic class map for
Modular Policy Framework

Extended

Access lists can be used to identify traffic in a class map,
which is used for features that support Modular Policy
Framework. Features that support Modular Policy
Framework include TCP and general connection settings,
and inspection.

For transparent firewall mode, control
network access for non-IP traffic

EtherType

You can configure an access list that controls traffic based
on its EtherType.

Identify OSPF route redistribution

Standard

Standard access lists include only the destination address.
You can use a standard access list to control the
redistribution of OSPF routes.

Filtering for WebVPN

Webtype

You can configure a Webtype access list to filter URLs.

Control network access for IPV6
networks

IPv6

You can add and apply access lists to control traffic in
IPv6 networks.

EtherType

Access Control Entry Order
An access list is made up of one or more access control entries (ACEs). Each ACE that you enter for a
given access list name is appended to the end of the access list. Depending on the access list type, you
can specify the source and destination addresses, the protocol, the ports (for TCP or UDP), the ICMP
type (for ICMP), or the EtherType.

Cisco ASA 5500 Series Configuration Guide using the CLI

14-2

Chapter 14

Information About Access Lists
Access Control Implicit Deny

The order of ACEs is important. When the ASA decides whether to forward or to drop a packet, the ASA
tests the packet against each ACE in the order in which the entries are listed. After a match is found, no
more ACEs are checked. For example, if you create an ACE at the beginning of an access list that
explicitly permits all traffic, no further statements are checked, and the packet is forwarded.

Access Control Implicit Deny
All access lists have an implicit deny statement at the end, so unless you explicitly permit traffic to pass,
it will be denied. For example, if you want to allow all users to access a network through the ASA except
for one or more particular addresses, then you need to deny those particular addresses and then permit
all others.
For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not
now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed
from a high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType ACE, then IP and ARP traffic is denied.

IP Addresses Used for Access Lists When You Use NAT
For the following features, you should always use the real IP address in the access list when you use
NAT, even if the address as seen on an interface is the mapped address:
•

access-group command

•

Modular Policy Framework match access-list command

•

Botnet Traffic Filter dynamic-filter enable classify-list command

•

AAA aaa ... match commands

•

WCCP wccp redirect-list group-list command

The following features use access lists, but these access lists use the mapped values as seen on an
interface:
•

IPsec access lists

•

capture command access lists

•

Per-user access lists

•

Routing protocols

•

All other features...

Where to Go Next
For information about implementing access lists, see the following chapters in this guide:
•

Chapter 15, “Adding an Extended Access List”

•

Chapter 16, “Adding an EtherType Access List”

Cisco ASA 5500 Series Configuration Guide using the CLI

14-3

Chapter 14
Where to Go Next

•

Chapter 17, “Adding a Standard Access List”

•

Chapter 18, “Adding a Webtype Access List”

•

Chapter 19, “Adding an IPv6 Access List”

•

Chapter 34, “Configuring Access Rules”

Cisco ASA 5500 Series Configuration Guide using the CLI

14-4

Information About Access Lists

CH A P T E R

Adding an Extended Access List
This chapter describes how to configure extended access lists (also known as access control lists), and
it includes the following sections:
•

Information About Extended Access Lists, page 15-1

•

Licensing Requirements for Extended Access Lists, page 15-1

•

Guidelines and Limitations, page 15-1

•

Default Settings, page 15-2

•

Configuring Extended Access Lists, page 15-2

•

Monitoring Extended Access Lists, page 15-5

•

Configuration Examples for Extended Access Lists, page 15-5

•

Where to Go Next, page 15-7

•

Feature History for Extended Access Lists, page 15-7

Information About Extended Access Lists
Access lists are used to control network access or to specify traffic for many features to act upon. An
extended access list is made up of one or more access control entries (ACE) in which you can specify
the line number to insert the ACE, the source and destination addresses, and, depending upon the ACE
type, the protocol, the ports (for TCP or UDP), or the ICMP type. You can identify all of these parameters
within the access-list command, or you can use objects for each parameter.

Licensing Requirements for Extended Access Lists
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.

Cisco ASA 5500 Series Configuration Guide using the CLI

15-1

Chapter 15

Adding an Extended Access List

Default Settings

Firewall Mode Guidelines

Supported only in routed and transparent firewall modes.
IPv6 Guidelines

IPv6 is supported.
Additional Guidelines and Limitations

The following guidelines and limitations apply to creating an extended access list:
•

Enter the access list name in uppercase letters so that the name is easy to see in the configuration.
You might want to name the access list for the interface (for example, INSIDE), or you can name it
for the purpose for which it is created (for example, NO_NAT or VPN).

•

Typically, you identify the ip keyword for the protocol, but other protocols are accepted. For a list
of protocol names, see the “Protocols and Applications” section on page B-11.

•

You can specify the source and destination ports only for the TCP or UDP protocols. For a list of
permitted keywords and well-known port assignments, see the “TCP and UDP Ports” section on
page B-11. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition
for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.

•

When you specify a network mask, the method is different from the Cisco IOS software access-list
command. The ASA uses a network mask (for example, 255.255.255.0 for a Class C mask). The
Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).

Default Settings
Table 15-1 lists the default settings for extended access list parameters.
Table 15-1

Default Extended Access List Parameters

Parameters

Default

ACE logging

ACE logging generates system log message
106023 for denied packets. A deny ACE must be
present to log denied packets.

log

When the log keyword is specified, the default
level for system log message 106100 is 6
(informational), and the default interval is 300
seconds.

Configuring Extended Access Lists
This section shows how to add and delete an access control entry and access list, and it includes the
following topics:
•

Adding an Extended Access List, page 15-3

•

Adding Remarks to Access Lists, page 15-5

Cisco ASA 5500 Series Configuration Guide using the CLI

15-2

Chapter 15

Adding an Extended Access List
Configuring Extended Access Lists

Adding an Extended Access List
An access list is made up of one or more access control entries (ACEs) with the same access list ID. To
create an access list you start by creating an ACE and applying a list name. An access list with one entry
is still considered a list, although you can add multiple entries to the list.

Prerequisites
(Optional) Create an object or onject group according to the “Configuring Objects and Groups” section
on page 13-1.

Guidelines
To delete an ACE, enter the no access-list command with the entire command syntax string as it appears
in the configuration. To remove the entire access list, use the clear configure access-list command.

Cisco ASA 5500 Series Configuration Guide using the CLI

15-3

Chapter 15

Adding an Extended Access List

Configuring Extended Access Lists

Detailed Steps

Command

Purpose

(For IP traffic, no ports)

Adds an extended ACE.

access-list access_list_name [line
line_number] extended {deny | permit}
{protocol | object-group prot_grp_id}
{source_address mask | object nw_obj_id |
object-group nw_grp_id}
{dest_address mask | object nw_obj_id |
object-group nw_grp_id}
[log [[level] [interval secs] | disable |
default]]
[inactive | time-range time_range_name]

The line line_number option specifies the line number at which insert the
ACE. If you do not specify a line number, the ACE is added to the end of
the access list. The line number is not saved in the configuration; it only
specifies where to insert the ACE.

(For TCP or UDP traffic, with ports)
access-list access_list_name [line
line_number] extended {deny | permit}
{tcp | udp | object-group prot_grp_id}
{source_address mask | object nw_obj_id |
object-group nw_grp_id}
[operator port | object-group svc_grp_id]
{dest_address mask | object nw_obj_id |
object-group nw_grp_id}
[operator port | object-group svc_grp_id]
[log [[level] [interval secs] | disable |
default]]
[inactive | time-range time_range_name]

(For ICMP traffic)
access-list access_list_name [line
line_number] extended {deny | permit} icmp
{source_address mask | object nw_obj_id |
object-group nw_grp_id}
{dest_address mask | object nw_obj_id |
object-group nw_grp_id}
[icmp_type | object-group icmp_grp_id]
[log [[level] [interval secs] | disable |
default]] [inactive | time-range
time_range_name]

The deny keyword denies a packet if the conditions are matched. The
permit keyword permits a packet if the conditions are matched.
Instead of entering the protocol, IP address, or port directly in the
command, you can use network objects, or protocol, network, port, or
ICMP object groups using the object and object-group keyword. See
“Configuring Objects and Groups” section on page 13-1 for more
information about creating objects.
The protocol argument specifies the IP protocol name or number. For
example UDP is 17, TCP is 6, and EGP is 47.
The source_address specifies the IP address of the network or host from
which the packet is being sent. Enter the host keyword before the IP
address to specify a single address. In this case, do not enter a mask. Enter
the any keyword instead of the address and mask to specify any address.
For the TCP and UDP protocols only, the operator port option matches the
port numbers used by the source or destination. The permitted operators are
as follows:
•

lt—less than.

•

gt—greater than.

•

dq—equal to.

•

neq—not equal to.

•

range—an inclusive range of values. When you use this operator,
specify two port numbers, for example: range 100 200.

Example:

The dest_address argument specifies the IP address of the network or host
to which the packet is being sent. Enter the host keyword before the IP
address to specify a single address. In this case, do not enter a mask. Enter
the any keyword instead of the address and mask to specify any address.

hostname(config)# access-list ACL_IN
extended permit ip any any

The icmp_type argument specifies the ICMP type if the protocol is ICMP.
The time-range keyword specifies when an access list is activated. See the
“Scheduling Extended Access List Activation” section on page 13-16 for
more information.
The inactive keyword disables an ACE. To reenable it, enter the entire
ACE without the inactive keyword. This feature enables you to keep a
record of an inactive ACE in your configuration to make reenabling easier.
For the log keyword, see Chapter 20, “Configuring Logging for Access
Lists.”

Cisco ASA 5500 Series Configuration Guide using the CLI

15-4

Chapter 15

Adding an Extended Access List
Monitoring Extended Access Lists

Adding Remarks to Access Lists
You can include remarks about entries in any access list, including extended, EtherType, IPv6, standard,
and Webtype access lists. The remarks make the access list easier to understand.
To add a remark after the last access-list command you entered, enter the following command:
Command

Purpose

access-list access_list_name remark text

Adds a remark after the last access-list command you entered.
The text can be up to 100 characters in length. You can enter leading spaces
at the beginning of the text. Trailing spaces are ignored.

Example:
hostname(config)# access-list OUT remark this is the inside admin address

If you enter the remark before any access-list command, then the remark
is the first line in the access list.
If you delete an access list using the no access-list access_list_name
command, then all the remarks are also removed.

Example

You can add remarks before each ACE, and the remark appears in the access list in this location. Entering
a dash (-) at the beginning of the remark helps set it apart from the ACEs.
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#

access-list
access-list
access-list
access-list

OUT
OUT
OUT
OUT

remark extended
remark extended

this is the inside admin address
permit ip host 209.168.200.3 any
this is the hr admin address
permit ip host 209.168.200.4 any

Monitoring Extended Access Lists
To monitor extended access lists, enter one of the following commands:
Command

Purpose

show access list

Displays the access list entries by number.

show running-config access-list

Displays the current running access-list
configuration.

Configuration Examples for Extended Access Lists
This section includes the following topics:
•

Configuration Examples for Extended Access Lists (No Objects), page 15-6

•

Configuration Examples for Extended Access Lists (Using Objects), page 15-6

Cisco ASA 5500 Series Configuration Guide using the CLI

15-5

Chapter 15

Adding an Extended Access List

Configuration Examples for Extended Access Lists

Configuration Examples for Extended Access Lists (No Objects)
The following access list allows all hosts (on the interface to which you apply the access list) to go
through the ASAe:
hostname(config)# access-list ACL_IN extended permit ip any any

The following sample access list prevents hosts on 192.168.1.0/24 from accessing the 209.165.201.0/27
network. All other addresses are permitted.
hostname(config)# access-list ACL_IN extended deny tcp 192.168.1.0 255.255.255.0
209.165.201.0 255.255.255.224
hostname(config)# access-list ACL_IN extended permit ip any any

If you want to restrict access to selected hosts only, then enter a limited permit ACE. By default, all other
traffic is denied unless explicitly permitted.
hostname(config)# access-list ACL_IN extended permit ip 192.168.1.0 255.255.255.0
209.165.201.0 255.255.255.224

The following access list restricts all hosts (on the interface to which you apply the access list) from
accessing a website at address 209.165.201.29. All other traffic is allowed.
hostname(config)# access-list ACL_IN extended deny tcp any host 209.165.201.29 eq www
hostname(config)# access-list ACL_IN extended permit ip any any

The following access list that uses object groups restricts several hosts on the inside network from
accessing several web servers. All other traffic is allowed.
hostname(config-network)# access-list ACL_IN extended deny tcp object-group denied
object-group web eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside

The following example temporarily disables an access list that permits traffic from one group of network
objects (A) to another group of network objects (B):
hostname(config)# access-list 104 permit ip host object-group A object-group B inactive

To implement a time-based access list, use the time-range command to define specific times of the day
and week. Then use the access-list extended command to bind the time range to an access list. The
following example binds an access list named “Sales” to a time range named “New_York_Minute.”
hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host
209.165.201.1 time-range New_York_Minute

Configuration Examples for Extended Access Lists (Using Objects)
The following normal access list that does not use object groups restricts several hosts on the inside
network from accessing several web servers. All other traffic is allowed.
hostname(config)#
eq www
hostname(config)#
eq www
hostname(config)#
eq www
hostname(config)#
eq www

access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.29
access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.29
access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.29
access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.16

Cisco ASA 5500 Series Configuration Guide using the CLI

15-6

Chapter 15

Adding an Extended Access List
Where to Go Next

hostname(config)#
eq www
hostname(config)#
eq www
hostname(config)#
eq www
hostname(config)#
eq www
hostname(config)#
eq www
hostname(config)#
hostname(config)#

access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.16
access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.16
access-list ACL_IN extended deny tcp host 10.1.1.4 host 209.165.201.78
access-list ACL_IN extended deny tcp host 10.1.1.78 host 209.165.201.78
access-list ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.78
access-list ACL_IN extended permit ip any any
access-group ACL_IN in interface inside

If you make two network object groups, one for the inside hosts, and one for the web servers, then the
configuration can be simplified and can be easily modified to add more hosts:
hostname(config)# object-group network denied
hostname(config-network)# network-object host 10.1.1.4
hostname(config-network)# network-object host 10.1.1.78
hostname(config-network)# network-object host 10.1.1.89
hostname(config-network)#
hostname(config-network)#
hostname(config-network)#
hostname(config-network)#

object-group network web
network-object host 209.165.201.29
network-object host 209.165.201.16
network-object host 209.165.201.78

hostname(config-network)# access-list ACL_IN extended deny tcp port object-group denied
object-group web eq www
hostname(config)# access-list ACL_IN extended permit ip any any
hostname(config)# access-group ACL_IN in interface inside

Where to Go Next
Apply the access list to an interface. See the “Configuring Access Rules” section on page 34-7 for more
information.

Feature History for Extended Access Lists
Table 15-2 lists each feature change and the platform release in which it was implemented.
Table 15-2

Feature History for Extended Access Lists

Feature Name

Releases

Feature Information

Extended access lists

7.0(1)

Access lists are used to control network access or to specify
traffic for many features to act upon. An extended access
control list is made up of one or more access control entries
(ACE) in which you can specify the line number to insert
the ACE, the source and destination addresses, and,
depending upon the ACE type, the protocol, the ports (for
TCP or UDP), or the IPCMP type (for ICMP).
We introduced the following command: access-list
extended.

Cisco ASA 5500 Series Configuration Guide using the CLI

15-7

Chapter 15
Feature History for Extended Access Lists

Cisco ASA 5500 Series Configuration Guide using the CLI

15-8

Adding an Extended Access List

CH A P T E R

Adding an EtherType Access List
This chapter describes how to configure EtherType access lists and includes the following sections:
•

Information About EtherType Access Lists, page 16-1

•

Licensing Requirements for EtherType Access Lists, page 16-1

•

Guidelines and Limitations, page 16-2

•

Default Settings, page 16-2

•

Configuring EtherType Access Lists, page 16-2

•

Monitoring EtherType Access Lists, page 16-4

•

What to Do Next, page 16-4

•

Configuration Examples for EtherType Access Lists, page 16-5

•

Feature History for EtherType Access Lists, page 16-5

Information About EtherType Access Lists
An EtherType access list is made up of one or more Access Control Entries (ACEs) that specify an
EtherType. An EtherType rule controls any EtherType identified by a 16-bit hexadecimal number, as well
as other traffic types. See the “Supported EtherTypes and Other Traffic” section on page 34-6 for more
information.
For information about creating an access rule with the EtherType access list, see Chapter 34,
“Configuring Access Rules.”

Licensing Requirements for EtherType Access Lists
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Cisco ASA 5500 Series Configuration Guide using the CLI

16-1

Chapter 16

Adding an EtherType Access List

Guidelines and Limitations

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Available in single and multiple context modes.
Firewall Mode Guidelines

Supported in transparent firewall mode only.
IPv6 Guidelines

Supports IPv6.
Additional Guidelines and Limitations

The following guidelines and limitations apply to EtherType access lists:
•

For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does
not now block any IP traffic that you previously allowed with an extended access list (or implicitly
allowed from a high security interface to a low security interface). However, if you explicitly deny
all traffic with an EtherType ACE, then IP and ARP traffic is denied.

•

802.3-formatted frames are not handled by the access list because they use a length field as opposed
to a type field.

•

See the “Supported EtherTypes and Other Traffic” section on page 34-6 for more information about
supported traffic.

Default Settings
Access list logging generates system log message 106023 for denied packets. Deny packets must be
present to log denied packets.
When you configure logging for the access list, the default severity level for system log message 106100
is 6 (informational).

Configuring EtherType Access Lists
This section includes the following topics:
•

Task Flow for Configuring EtherType Access Lists, page 16-2

•

Adding EtherType Access Lists, page 16-3

•

Adding Remarks to Access Lists, page 16-4

Task Flow for Configuring EtherType Access Lists
Use the following guidelines to create and implement an access list:

Cisco ASA 5500 Series Configuration Guide using the CLI

16-2

Chapter 16

Adding an EtherType Access List
Configuring EtherType Access Lists

Step 1

Create an access list by adding an ACE and applying an access list name, as shown in the “Adding
EtherType Access Lists” section on page 16-3.

Step 2

Apply the access list to an interface. (See the “Configuring Access Rules” section on page 34-7 for more
information.)

Adding EtherType Access Lists
To configure an access list that controls traffic based upon its EtherType, perform the following steps:

Detailed Steps

Command

Purpose

access-list access_list_name ethertype
{deny | permit} {ipx | bpdu | mpls-unicast
| mpls-multicast | is-is | any |
hex_number}

Adds an EtherType ACE.

Example:
hostname(config)# hostname(config)#
access-list ETHER ethertype permit ipx

The access_list_name argument lists the name or number of an access list.
When you specify an access list name, the ACE is added to the end of the
access list. Enter the access_list_name in upper case letters so that the
name is easy to see in the configuration. You might want to name the access
list for the interface (for example, INSIDE) or for the purpose (for
example, MPLS or PIX).
The permit keyword permits access if the conditions are matched.
The deny keyword denies access if the conditions are matched. If an
EtherType access list is configured to deny all, all ethernet frames are
discarded. Only physical protocol traffic, such as auto-negotiation, is still
allowed.
The ipx keyword specifies access to IPX.
The bpdu keyword specifies access to bridge protocol data units, which are
allowed by default.
The mpls-unicast keyword specifies access to MPLS unicast.
The mpls-multicast keyword specifies access to MPLS multicast.
The is-is keyword specifies access to IS-IS traffic (Version 8.4(5) only).
The any keyword specifies access for any traffic.
The hex_number argument indicates any EtherType that can be identified
by a 16-bit hexadecimal number greater than or equal to 0x600. (See RFC
1700, “Assigned Numbers,” at http://www.ietf.org/rfc/rfc1700.txt for a list
of EtherTypes.)

Note

To remove an EtherType ACE, enter the no access-list command
with the entire command syntax string as it appears in the
configuration.

Cisco ASA 5500 Series Configuration Guide using the CLI

16-3

Chapter 16

Adding an EtherType Access List

What to Do Next

Example
The following sample access list allows common EtherTypes originating on the inside interface:
hostname(config)# access-list ETHER ethertype permit ipx
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside

Adding Remarks to Access Lists
You can include remarks about entries in any access list, including extended, EtherType, IPv6, standard,
and Webtype access lists. The remarks make an access list easier to understand.
To add a remark after the last access-list command you entered, enter the following command:
Command

Purpose

access-list access_list_name remark text

Adds a remark after the last access-list command you entered.

Example:

The text can be up to 100 characters in length. You can enter leading spaces
at the beginning of the text. Trailing spaces are ignored.

hostname(config)# access-list OUT remark this is the inside admin address

Example
You can add remarks before each ACE, and the remarks appear in the access list in these locations.
Entering a dash (-) at the beginning of a remark helps to set it apart from the ACE.
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#

access-list
access-list
access-list
access-list

OUT
OUT
OUT
OUT

remark extended
remark extended

this is the inside admin address
permit ip host 209.168.200.3 any
this is the hr admin address
permit ip host 209.168.200.4 any

What to Do Next
Apply the access list to an interface. (See the “Configuring Access Rules” section on page 34-7 for more
information.)

Monitoring EtherType Access Lists
To monitor EtherType access lists, enter one of the following commands:
Command

Purpose

show access-list

Displays the access list entries by number.

show running-config access-list

Displays the current running access-list
configuration.

Cisco ASA 5500 Series Configuration Guide using the CLI

16-4

Chapter 16

Adding an EtherType Access List
Configuration Examples for EtherType Access Lists

Configuration Examples for EtherType Access Lists
The following example shows how to configure EtherType access lists:
The following access list allows some EtherTypes through the ASA, but it denies IPX:
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#

access-list ETHER ethertype deny ipx
access-list ETHER ethertype permit 0x1234
access-list ETHER ethertype permit mpls-unicast
access-group ETHER in interface inside
access-group ETHER in interface outside

The following access list denies traffic with EtherType 0x1256, but it allows all others on both interfaces:
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#

access-list nonIP ethertype deny 1256
access-list nonIP ethertype permit any
access-group ETHER in interface inside
access-group ETHER in interface outside

Feature History for EtherType Access Lists
Table 16-1 lists each feature change and the platform release in which it was implemented.
Table 16-1

Feature History for EtherType Access Lists

Feature Name

Releases

Feature Information

EtherType access lists

7.0(1)

EtherType access lists control traffic based upon its
EtherType.
We introduced the feature and the following command:
access-list ethertype.

Cisco ASA 5500 Series Configuration Guide using the CLI

16-5

Chapter 16
Feature History for EtherType Access Lists

Cisco ASA 5500 Series Configuration Guide using the CLI

16-6

Adding an EtherType Access List

CH A P T E R

Adding a Standard Access List
This chapter describes how to configure a standard access list and includes the following sections:
•

Information About Standard Access Lists, page 17-1

•

Licensing Requirements for Standard Access Lists, page 17-1

•

Guidelines and Limitations, page 17-1

•

Default Settings, page 17-2

•

Adding Standard Access Lists, page 17-3

•

What to Do Next, page 17-4

•

Monitoring Access Lists, page 17-4

•

Configuration Examples for Standard Access Lists, page 17-4

•

Feature History for Standard Access Lists, page 17-5

Information About Standard Access Lists
Standard access lists identify the destination IP addresses of OSPF routes and can be used in a route map
for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic.

Licensing Requirements for Standard Access Lists
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
•

Context Mode Guidelines, page 17-2

•

Firewall Mode Guidelines, page 17-2

Cisco ASA 5500 Series Configuration Guide using the CLI

17-1

Chapter 17

Adding a Standard Access List

Default Settings

•

IPv6 Guidelines, page 17-2

•

Additional Guidelines and Limitations, page 17-2

Context Mode Guidelines

Supported in single context mode only.
Firewall Mode Guidelines

Supported in routed and transparent firewall modes.
IPv6 Guidelines

Supports IPv6.
Additional Guidelines and Limitations

The following guidelines and limitations apply for standard Access Lists:
•

Standard ACLs identify the destination IP addresses (not source addresses) of OSPF routes and can
be used in a route map for OSPF redistribution. Standard ACLs cannot be applied to interfaces to
control traffic.

•

To add additional ACEs at the end of the access list, enter another access-list command, specifying
the same access list name.

•

When used with the access-group command, the deny keyword does not allow a packet to traverse
the ASA. By default, the ASA denies all packets on the originating interface unless you specifically
permit access.

•

When specifying a source, local, or destination address, use the following guidelines:
– Use a 32-bit quantity in four-part, dotted-decimal format.
– Use the keyword any as an abbreviation for an address and mask of 0.0.0.0.0.0.0.0.
– Use the host ip_address option as an abbreviation for a mask of 255.255.255.255.

•

You can disable an ACE by specifying the keyword inactive in the access-list command.

Default Settings
Table 17-1 lists the default settings for standard Access List parameters.
Table 17-1

Default Standard Access List Parameters

Parameters

Default

deny

The ASA denies all packets on the originating
interface unless you specifically permit access.
Access list logging generates system log message
106023 for denied packets. Deny packets must be
present to log denied packets.

Cisco ASA 5500 Series Configuration Guide using the CLI

17-2

Chapter 17

Adding a Standard Access List
Adding Standard Access Lists

Adding Standard Access Lists
This section includes the following topics:
•

Task Flow for Configuring Extended Access Lists, page 17-3

•

Adding a Standard Access List, page 17-3Adding Remarks to Access Lists, page 17-4

Task Flow for Configuring Extended Access Lists
Use the following guidelines to create and implement an access list:
•

Create an access list by adding an ACE and applying an access list name. See in the “Adding
Standard Access Lists” section on page 17-3.

•

Apply the access list to an interface. See the “Configuring Access Rules” section on page 34-7 for
more information.

Adding a Standard Access List
To add an access list to identify the destination IP addresses of OSPF routes, which can be used in a route
map for OSPF redistribution, enter the following command:
Command

Purpose

hostname(config)# access-list
access_list_name standard {deny | permit}
{any | ip_address mask}

Adds a standard access list entry. To add another ACE to the end of the
access list, enter another access-list command, specifying the same access
list name.

Example:

The access_list_name argument specifies the name of number of an access
list.

hostname(config)# access-list OSPF
standard permit 192.168.1.0 255.255.255.0

The any keyword specifies access to anyone.
The deny keyword denies access if the conditions are matched.
The host ip_address syntax specifies access to a host IP address.
The ip_address ip_mask argument specifies access to a specific IP address
and subnet mask.
The line line-num option specifies the line number at which to insert an
ACE.
The permit keyword permits access if the conditions are matched.
To remove an ACE, enter the no access-list command with the entire
command syntax string as it appears in the configuration.

Cisco ASA 5500 Series Configuration Guide using the CLI

17-3

Chapter 17

Adding a Standard Access List

What to Do Next

Purpose

access-list access_list_name remark text

Adds a remark after the last access-list command you entered.

Example:

The text can be up to 100 characters in length. You can enter leading spaces
at the beginning of the text. Trailing spaces are ignored.

hostname(config)# access-list OUT remark this is the inside admin address

Example
You can add a remark before each ACE, and the remarks appear in the access lists in these location.
Entering a dash (-) at the beginning of a remark helps to set it apart from an ACE.
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#

access-list
access-list
access-list
access-list

OUT
OUT
OUT
OUT

remark extended
remark extended

this is the inside admin address
permit ip host 209.168.200.3 any
this is the hr admin address
permit ip host 209.168.200.4 any

What to Do Next
Apply the access list to an interface. See the “Configuring Access Rules” section on page 34-7 for more
information.

Monitoring Access Lists
To monitor access lists, perform one of the following tasks:
Command

Purpose

show access-list

Displays the access list entries by number.

show running-config access-list

Displays the current running access-list
configuration.

Configuration Examples for Standard Access Lists
The following example shows how to deny IP traffic through the ASA:
hostname(config)# access-list 77 standard deny

Cisco ASA 5500 Series Configuration Guide using the CLI

17-4

Chapter 17

Adding a Standard Access List
Feature History for Standard Access Lists

The following example shows how to permit IP traffic through the ASA if conditions are matched:
hostname(config)# access-list 77 standard permit

The following example shows how to specify a destination address:
hostname(config)# access-list 77 standard permit host 10.1.10.123

Feature History for Standard Access Lists
Table 17-2 lists each feature change and the platform release in which it was implemented.
Table 17-2

Feature History for Standard Access Lists

Feature Name

Releases

Feature Information

Standard access lists

7.0(1)

Standard access listsidentify the destination IP addresses of
OSPF routes, which can be used in a route map for OSPF
redistribution.
We introduced the feature and the following command:
access-list standard.

Cisco ASA 5500 Series Configuration Guide using the CLI

17-5

Chapter 17
Feature History for Standard Access Lists

Cisco ASA 5500 Series Configuration Guide using the CLI

17-6

Adding a Standard Access List

CH A P T E R

Adding a Webtype Access List
Webtype access lists are added to a configuration that supports filtering for clientless SSL VPN. This
chapter describes how to add an access list to the configuration that supports filtering for WebVPN.
This chapter includes the following sections:
•

Licensing Requirements for Webtype Access Lists, page 18-1

•

Guidelines and Limitations, page 18-1

•

Default Settings, page 18-2

•

Using Webtype Access Lists, page 18-2

•

What to Do Next, page 18-5

•

Monitoring Webtype Access Lists, page 18-5

•

Configuration Examples for Webtype Access Lists, page 18-5

•

Feature History for Webtype Access Lists, page 18-7

Licensing Requirements for Webtype Access Lists
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature:
•

Context Mode Guidelines, page 18-1

•

Firewall Mode Guidelines, page 18-2

•

Additional Guidelines and Limitations, page 18-2

Context Mode Guidelines

Supported in single and multiple context mode.

Cisco ASA 5500 Series Configuration Guide using the CLI

18-1

Chapter 18

Adding a Webtype Access List

Default Settings

Firewall Mode Guidelines

Supported in routed and transparent firewall mode.
IPv6 Guidelines

Supports IPv6.
Additional Guidelines and Limitations

The following guidelines and limitations apply to Webtype access lists:
•

The access-list webtype command is used to configure clientless SSL VPN filtering. The URL
specified may be full or partial (no file specified), may include wildcards for the server, or may
specify a port. See the “Adding Webtype Access Lists with a URL String” section on page 18-3 for
information about using wildcard characters in the URL string.

•

Valid protocol identifiers are http, https, cifs, imap4, pop3, and smtp. The RL may also contain the
keyword any to refer to any URL. An asterisk may be used to refer to a subcomponent of a DNS
name.

Default Settings
Table 18-1 lists the default settings for Webtype access lists parameters.
Table 18-1

Default Webtype Access List Parameters

Parameters

Default

deny

The ASA denies all packets on the originating
interface unless you specifically permit access.

log

Access list logging generates system log message
106023 for denied packets. Deny packets must be
present to log denied packets.

Using Webtype Access Lists
This section includes the following topics:
•

Task Flow for Configuring Webtype Access Lists, page 18-2

•

Adding Webtype Access Lists with a URL String, page 18-3

•

Adding Webtype Access Lists with an IP Address, page 18-4

•

Adding Remarks to Access Lists, page 18-5

Task Flow for Configuring Webtype Access Lists
Use the following guidelines to create and implement an access list:
•

Create an access list by adding an ACE and applying an access list name. See the “Using Webtype
Access Lists” section on page 18-2.

•

Apply the access list to an interface. See the “Configuring Access Rules” section on page 34-7 for
more information.

Cisco ASA 5500 Series Configuration Guide using the CLI

18-2

Chapter 18

Adding a Webtype Access List
Using Webtype Access Lists

Adding Webtype Access Lists with a URL String
To add an access list to the configuration that supports filtering for clientless SSL VPN, enter the following command:

Command

Purpose

access-list access_list_name webtype {deny
| permit} url [url_string | any]
[log[[disable | default] | level] interval
secs][time_range name]]

Adds an access list to the configuration that supports filtering for
WebVPN.

Example:

The any keyword specifies all URLs.

hostname(config)# access-list acl_company
webtype deny url http://*.cisco.example

The deny keyword denies access if the conditions are matched.

The access_list_name argument specifies the name or number of an access
list.

The interval option specifies the time interval at which to generate system
log message 106100; valid values are from 1 to 600 seconds.
The log [[disable | default] | level] option specifies that system log
message 106100 is generated for the ACE. When the log optional keyword
is specified, the default level for system log message 106100 is 6
(informational). See the log command for more information.
The permit keyword permits access if the conditions are matched.
The time_range name option specifies a keyword for attaching the
time-range option to this access list element.
The url keyword specifies that a URL be used for filtering.
The url_string option specifies the URL to be filtered.
You can use the following wildcard characters to define more than one
wildcard in the Webtype access list entry:
•

Enter an asterisk “*” to match no characters or any number of
characters.

•

Enter a question mark “?” to match any one character exactly.

•

Enter square brackets “[]” to create a range operator that matches any
one character in a range.

Note

To match any http URL, you must enter http://*/* instead of the
former method of entering http://*.

To remove an access list, use the no form of this command with the
complete syntax string as it appears in the configuration.

Cisco ASA 5500 Series Configuration Guide using the CLI

18-3

Chapter 18

Adding a Webtype Access List

Using Webtype Access Lists

Adding Webtype Access Lists with an IP Address
To add an access list to the configuration that supports filtering for clientless SSL VPN, enter the following command:

Command

Purpose

access-list access_list_name webtype {deny
| permit} tcp [host ip_address |
ip_address subnet_mask | any] [oper
port[port]] [log[[disable | default] |
level] interval secs][time_range name]]

Adds an access list to the configuration that supports filtering for
WebVPN.
The access_list_name argument specifies the name or number of an access
list.
The any keyword specifies all IP addresses.

Example:
hostname(config)# access-list acl_company
webtype permit tcp any

The deny keyword denies access if the conditions are matched.
The host ip_address option specifies a host IP address.
The interval option specifies the time interval at which to generate system
log message 106100; valid values are from 1 to 600 seconds.
The ip_address ip_mask option specifies a specific IP address and subnet
mask.
The log [[disable | default]| level] option specifies that system log message
106100 is generated for the ACE. When the log optional keyword is
specified, the default level for system log message 106100 is 6
(informational). See the log command for more information.
The permit keyword permits access if the conditions are matched.
The port option specifies the decimal number or name of a TCP or UDP
port.
The time_range name option specifies a keyword for attaching the
time-range option to this access list element.
To remove an access list, use the no form of this command with the
complete syntax string as it appears in the configuration.

Cisco ASA 5500 Series Configuration Guide using the CLI

18-4

Chapter 18

Adding a Webtype Access List
What to Do Next

Purpose

access-list access_list_name remark text

Adds a remark after the last access-list command you entered.

Example:

The text can be up to 100 characters in length. You can enter leading spaces
at the beginning of the text. Trailing spaces are ignored.

hostname(config)# access-list OUT remark this is the inside admin address

Example
You can add a remark before each ACE, and the remarks appear in the access list in these locations.
Entering a dash (-) at the beginning of a remark helps set it apart from an ACE.
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#

access-list
access-list
access-list
access-list

OUT
OUT
OUT
OUT

remark extended
remark extended

this is the inside admin address
permit ip host 209.168.200.3 any
this is the hr admin address
permit ip host 209.168.200.4 any

What to Do Next
Apply the access list to an interface. See the “Configuring Access Rules” section on page 34-7 for more
information.

Monitoring Webtype Access Lists
To monitor webtype access lists, enter the following command:
Command

Purpose

show running-config access list

Displays the access-list configuration running on
the ASA.

Configuration Examples for Webtype Access Lists
The following example shows how to deny access to a specific company URL:
hostname(config)# access-list acl_company webtype deny url http://*.example.com

Cisco ASA 5500 Series Configuration Guide using the CLI

18-5

Chapter 18

Adding a Webtype Access List

Configuration Examples for Webtype Access Lists

The following example shows how to deny access to a specific file:
hostname(config)# access-list acl_file webtype deny url
https://www.example.com/dir/file.html

The following example shows how to deny HTTP access to any URL through port 8080:
hostname(config)# access-list acl_company webtype deny url http://my-server:8080/*

The following examples show how to use wildcards in Webtype access lists.
•

The following example matches URLs such as http://www.example.com/ and
http://www.example.net/:
access-list test webtype permit url http://www.**ample/

•

The following example matches URLs such as http://www.cisco.com and ftp://wwz.example.com:
access-list test webtype permit url *://ww?.c*co*/

•

The following example matches URLs such as http://www.cisco.com:80 and
https://www.cisco.com:81:
access-list test webtype permit url *://ww?.c*co*:8[01]/

The range operator “[]” in the preceding example specifies that either character 0 or 1 can occur.
•

The following example matches URLs such as http://www.example.com and
http://www.example.net:
access-list test webtype permit url http://www.[a-z]ample?*/

The range operator “[]” in the preceding example specifies that any character in the range from a to
z can occur.
•

The following example matches URLs such as http://www.cisco.com/anything/crazy/url/ddtscgiz:
access-list test webtype permit url htt*://*/*cgi?*

Note

To match any http URL, you must enter http://*/* instead of the former method of entering http://*.
The following example shows how to enforce a webtype access list to disable access to specific CIFS
shares.
In this scenario we have a root folder named “shares” that contains two sub-folders named
“Marketing_Reports” and “Sales_Reports.” We want to specifically deny access to the
“shares/Marketing_Reports” folder.
access-list CIFS_Avoid webtype deny url cifs://172.16.10.40/shares/Marketing_Reports.

However, due to the implicit “deny all,” the above access list makes all of the sub-folders inaccessible
(“shares/Sales_Reports” and “shares/Marketing_Reports”), including the root folder (“shares”).
To fix the problem, add a new access list to allow access to the root folder and the remaining sub-folders:
access-list CIFS_Allow webtype permit url cifs://172.16.10.40/shares*

Cisco ASA 5500 Series Configuration Guide using the CLI

18-6

Chapter 18

Adding a Webtype Access List
Feature History for Webtype Access Lists

Feature History for Webtype Access Lists
Table 18-2 lists each feature change and the platform release in which it was implemented.
Table 18-2

Feature History for Webtype Access Lists

Feature Name

Releases

Feature Information

Webtype access lists

7.0(1)

Webtype access lists are access lists that are added to a
configuration that supports filtering for clientless SSL
VPN.
We introduced the feature and the following command:
access-list webtype.

Cisco ASA 5500 Series Configuration Guide using the CLI

18-7

Chapter 18
Feature History for Webtype Access Lists

Cisco ASA 5500 Series Configuration Guide using the CLI

18-8

Adding a Webtype Access List

Chapter 18

Adding a Webtype Access List
Feature History for Webtype Access Lists

Cisco ASA 5500 Series Configuration Guide using the CLI

18-9

Chapter 18
Feature History for Webtype Access Lists

Cisco ASA 5500 Series Configuration Guide using the CLI

18-10

Adding a Webtype Access List

CH A P T E R

Adding an IPv6 Access List
This chapter describes how to configure IPv6 access lists to control and filter traffic through the ASA.
This chapter includes the following sections:
•

Information About IPv6 Access Lists, page 19-1

•

Licensing Requirements for IPv6 Access Lists, page 19-1

•

Prerequisites for Adding IPv6 Access Lists, page 19-2

•

Guidelines and Limitations, page 19-2

•

Default Settings, page 19-3

•

Configuring IPv6 Access Lists, page 19-4

•

Monitoring IPv6 Access Lists, page 19-7

•

Configuration Examples for IPv6 Access Lists, page 19-7

•

Where to Go Next, page 19-7

•

Feature History for IPv6 Access Lists, page 19-7

Information About IPv6 Access Lists
The typical access list functionality in IPv6 is similar to access lists in IPv4. Access lists determine
which traffic to block and which traffic to forward at router interfaces. Access lists allow filtering based
upon source and destination addresses, inbound and outbound to specific interfaces. Each access list has
an implicit deny statement at the end. You define IPv6 access lists and set their deny and permit
conditions using the ipv6 access-list command with the deny and permit keywords in global
configuration mode.

Licensing Requirements for IPv6 Access Lists
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Cisco ASA 5500 Series Configuration Guide using the CLI

19-1

Chapter 19

Adding an IPv6 Access List

Prerequisites for Adding IPv6 Access Lists

Prerequisites for Adding IPv6 Access Lists
You should be familiar with IPv6 addressing and basic configuration. See the ipv6 commands in the
Cisco Security Appliance Command Reference for more information about configuring IPv6.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context modes.
Firewall Mode Guidelines

Supported in routed and transparent firewall modes.
IPv6 Guidelines

Supports IPv6.
Additional Guidelines and Limitations

The following guidelines and limitations apply to IPv6 access lists:
•

The ipv6 access-list command allows you to specify whether an IPv6 address is permitted or denied
access to a port or protocol. Each command is called an ACE. One or more ACEs with the same
access list name are referred to as an access list. Apply an access list to an interface using the
access-group command.

•

The ASA denies all packets from an outside interface to an inside interface unless you specifically
permit access using an access list. All packets are allowed by default from an inside interface to an
outside interface unless you specifically deny access.

•

The ipv6 access-list command is similar to the access-list command, except that it is IPv6-specific.
For additional information about access lists, refer to the access-list extended command.

•

The ipv6 access-list icmp command is used to filter ICMPv6 messages that pass through the
ASA.To configure the ICMPv6 traffic that is allowed to originate and terminate at a specific
interface, use the ipv6 icmp command.

•

See the object-group command for information on how to configure object groups.

•

Possible operands for the operator option of the ipv6 access-list command include lt for less than,
gt for greater than, eq for equal to, neq for not equal to, and range for an inclusive range. Use the
ipv6 access-list command without an operator and port to indicate all ports by default.

•

ICMP message types are filtered by the access rule. Omitting the icmp_type argument indicates all
ICMP types. If you specify ICMP types, the value can be a valid ICMP type number (from 0 to 255)
or one of the following ICMP type literals:
– destination-unreachable
– packet-too-big
– time-exceeded
– parameter-problem
– echo-request

Cisco ASA 5500 Series Configuration Guide using the CLI

19-2

Chapter 19

Adding an IPv6 Access List
Default Settings

– echo-reply
– membership-query
– membership-report
– membership-reduction
– router-renumbering
– router-solicitation
– router-advertisement
– neighbor-solicitation
– neighbor-advertisement
– neighbor-redirect
•

If the protocol argument is specified, valid values are icmp, ip, tcp, udp, or an integer in the range
of 1 to 254, representing an IP protocol number.

Default Settings
Table 19-1 lists the default settings for IPv6 access list parameters.
Table 19-1

Default IPv6 Access List Parameters

Parameters

Default

default

The default option specifies that a syslog message
106100 is generated for the ACE.

interval secs

Specifies the time interval at which to generate a
106100 syslog message; valid values are from 1 to
600 seconds. The default interval is 300 seconds.
This value is also used as the timeout value for
deleting an inactive flow.

level

The level option specifies the syslog level for
message 106100; valid values are from 0 to 7. The
default level is 6 (informational).

log

The log option specifies logging action for the
ACE. If you do not specify the log keyword or you
specify the log default keyword, then message
106023 is generated when a packet is denied by the
ACE. If you specify the log keyword alone or with
a level or interval, then message 106100 is
generated when a packet is denied by the ACE.
Packets that are denied by the implicit deny at the
end of an access list are not logged. You must
implicitly deny packets with an ACE to enable
logging.

Cisco ASA 5500 Series Configuration Guide using the CLI

19-3

Chapter 19

Adding an IPv6 Access List

Configuring IPv6 Access Lists

Configuring IPv6 Access Lists
This section includes the following topics:
•

Task Flow for Configuring IPv6 Access Lists, page 19-4

•

Adding IPv6 Access Lists, page 19-5

•

Adding Remarks to Access Lists, page 19-6

Task Flow for Configuring IPv6 Access Lists
Use the following guidelines to create and implement an access list:
•

Create an access list by adding an ACE and applying an access list name, as shown in the “Adding
IPv6 Access Lists” section on page 19-5.

•

Apply the access list to an interface. (See the “Configuring Access Rules” section on page 34-7 for
more information.)

Cisco ASA 5500 Series Configuration Guide using the CLI

19-4

Chapter 19

Adding an IPv6 Access List
Configuring IPv6 Access Lists

Adding IPv6 Access Lists
You can add a regular IPv6 access list or add an IPv6 access list with TCP.
To add a regular IPv6 access list, enter the following command:
Command

Purpose

ipv6 access-list id [line line-num] {deny
| permit} {protocol | object-group
protocol_obj_grp_id}
{source-ipv6-prefix/prefix-length | any |
host source-ipv6-address | object-group
network_obj_grp_id} [operator {port [port]
| object-group service_obj_grp_id}]
{destination-ipv6-prefix/prefix-length |
any | host destination-ipv6-address |
object-group network_obj_grp_id}
[{operator port [port] | object-group
service_obj_grp_id}] [log [[level]
[interval secs] | disable | default]]

Configures an IPv6 access list.
The any keyword is an abbreviation for the IPv6 prefix ::/0, indicating any
IPv6 address.
The deny keyword denies access if the conditions are matched.
The destination-ipv6-address argument identifies the IPv6 address of the
host receiving the traffic.
The destination-ipv6-prefix argument identifies the IPv6 network address
where the traffic is destined.
The disable option disables syslog messaging.
The host keyword indicates that the address refers to a specific host.

Example:
hostname(config)# ipv6 access-list acl_grp
permit tcp any host
3001:1::203:A0FF:FED6:162D

The id keyword specifies the number of an access list.
The line line-num option specifies the line number for inserting the access
rule into the list. By default, the ACE is added to the end of the access list.
The network_obj_grp_id argument specifies existing network object group
identification.
The object-group option specifies an object group.
The operator option compares the source IP address or destination IP
address ports. For a list of permitted operands, see the “Guidelines and
Limitations” section on page 19-2.
The permit keyword permits access if the conditions are matched.
The port option specifies the port that you permit or deny access. You can
specify the port either by a number in the range of 0 to 65535 or by a literal
name if the protocol is tcp or udp. For a list of permitted TCP or UDP
literal names, see the “Guidelines and Limitations” section on page 19-2.
The prefix-length argument indicates how many of the high-order,
contiguous bits of the address comprise the IPv6 prefix.
The protocol argument specifies the name or number of an IP protocol.
The protocol_obj_grp_id indicates the existing protocol object group ID.
The service_obj_grp_id option specifies the object group.
The source-ipv6-address specifies the address of the host sending traffic.
The source-ipv6-prefix specifies the IPv6 address of traffic origin.

Cisco ASA 5500 Series Configuration Guide using the CLI

19-5

Chapter 19

Adding an IPv6 Access List

Configuring IPv6 Access Lists

To configure an IPv6 access list with ICMP, enter the following command:
Command

Purpose

ipv6 access-list id [line line-num] {deny
| permit} icmp6
{source-ipv6-prefix/prefix-length | any |
host source-ipv6-address | object-group
network_obj_grp_id}
{destination-ipv6-prefix/prefix-length |
any | host destination-ipv6-address |
object-group network_obj_grp_id}
[icmp_type | object-group
icmp_type_obj_grp_id] [log [[level]
[interval secs] | disable | default]]

Configures an IPv6 access list with ICMP.

Example:

For details about additional ipv6 access-list command parameters, see the
preceding procedure for adding a regular IPv6 access list, or see the
ipv6 access-list command in the Cisco Security Appliance Command
Reference.

hostname(config)# ipv6 access list acl_grp
permit tcp any host
3001:1::203:AOFF:FED6:162D

The icmp6 keyword specifies that the access rule applies to ICMPv6 traffic
passing through the ASA.
The icmp_type argument specifies the ICMP message type being filtered by
the access rule. The value can be a valid ICMP type number from 0 to 255.
(For a list of the permitted ICMP type literals, see the “Guidelines and
Limitations” section on page 19-2.)
The icmp_type_obj_grp_id option specifies the object group ICMP type
ID.

Purpose

access-list access_list_name remark text

Adds a remark after the last access-list command you entered.

Example:

The text can be up to 100 characters in length. You can enter leading spaces
at the beginning of the text. Trailing spaces are ignored.

hostname(config)# access-list OUT remark this is the inside admin address

Example

You can add remarks before each ACE, and the remarks appear in the access list in these locations.
Entering a dash (-) at the beginning of a remark helps set it apart from an ACE.
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#

access-list
access-list
access-list
access-list

OUT
OUT
OUT
OUT

Cisco ASA 5500 Series Configuration Guide using the CLI

19-6

remark extended
remark extended

this is the inside admin address
permit ip host 209.168.200.3 any
this is the hr admin address
permit ip host 209.168.200.4 any

Chapter 19

Adding an IPv6 Access List
Monitoring IPv6 Access Lists

Monitoring IPv6 Access Lists
To monitor IPv6 access lists, perform one of the following tasks:
Command

Purpose

show ipv6 access-list

Displays all IPv6 access list information.

Configuration Examples for IPv6 Access Lists
The following example shows how to configure IPv6 access lists:
The following example allows any host using TCP to access the 3001:1::203:A0FF:FED6:162D server:
hostname(config)# ipv6 access-list acl_grp permit tcp any host 3001:1::203:A0FF:FED6:162D

The following example uses eq and a port to deny access to just FTP:
hostname(config)# ipv6 access-list acl_out deny tcp any host 3001:1::203:A0FF:FED6:162D eq
ftp
hostname(config)# access-group acl_out in interface inside

The following example uses lt to permit access to all ports less than port 2025, which permits access to
the well-known ports (1 to 1024):
hostname(config)# ipv6 access-list acl_dmz1 permit tcp any host 3001:1::203:A0FF:FED6:162D
lt 1025
hostname(config)# access-group acl_dmz1 in interface dmz1

Where to Go Next
Apply the access list to an interface. (See the “Configuring Access Rules” section on page 34-7 for more
information.)

Feature History for IPv6 Access Lists
Table 19-2 lists each feature change and the platform release in which it was implemented.
Table 19-2

Feature History for IPv6 Access Lists

Feature Name

Releases

Feature Information

IPv6 access lists

7.0(1)

We introduced the following command: ipv6 access-list.

Cisco ASA 5500 Series Configuration Guide using the CLI

19-7

Chapter 19
Feature History for IPv6 Access Lists

Cisco ASA 5500 Series Configuration Guide using the CLI

19-8

Adding an IPv6 Access List

CH A P T E R

Configuring Logging for Access Lists
This chapter describes how to configure access list logging for extended access lists and Webytpe access
lists, and it describes how to manage deny flows.
This chapter includes the following sections:
•

Configuring Logging for Access Lists, page 20-1

•

Managing Deny Flows, page 20-5

Configuring Logging for Access Lists
This section includes the following topics:
•

Information About Logging Access List Activity, page 20-1

•

Licensing Requirements for Access List Logging, page 20-2

•

Guidelines and Limitations, page 20-2

•

Default Settings, page 20-3

•

Configuring Access List Logging, page 20-3

•

Monitoring Access Lists, page 20-4

•

Configuration Examples for Access List Logging, page 20-4

•

Feature History for Access List Logging, page 20-5

Information About Logging Access List Activity
By default, when traffic is denied by an extended ACE or a Webtype ACE, the ASA generates syslog
message 106023 for each denied packet in the following form:
%ASA|PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst
interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id

If the ASA is attacked, the number of syslog messages for denied packets can be very large. We
recommend that you instead enable logging using syslog message 106100, which provides statistics for
each ACE and enables you to limit the number of syslog messages produced. Alternatively, you can
disable all logging.

Cisco ASA 5500 Series Configuration Guide using the CLI

20-1

Chapter 20

Configuring Logging for Access Lists

Note

Only ACEs in the access list generate logging messages; the implicit deny at the end of the access list
does not generate a message. If you want all denied traffic to generate messages, add the implicit ACE
manually to the end of the access list, as shown in the following example:
hostname(config)# access-list TEST deny ip any any log

The log options at the end of the extended access-list command enable you to set the following behavior:
•

Enable message 106100 instead of message 106023

•

Disable all logging

•

Return to the default logging using message 106023

Syslog message 106100 uses the following form:
%ASA|PIX-n-106100: access-list acl_id {permitted | denied} protocol
interface_name/source_address(source_port) -> interface_name/dest_address(dest_port)
hit-cnt number ({first hit | number-second interval})

When you enable logging for message 106100, if a packet matches an ACE, the ASA creates a flow entry
to track the number of packets received within a specific interval. The ASA generates a syslog message
at the first hit and at the end of each interval, identifying the total number of hits during the interval and
the timestamp for the last hit. At the end of each interval, the ASA resets the hit count to 0. If no packets
match the ACE during an interval, the ASA deletes the flow entry.
A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source
port might differ for a new connection between the same two hosts, you might not see the same flow
increment because a new flow was created for the connection. See the “Managing Deny Flows” section
on page 20-5 to limit the number of logging flows.
Permitted packets that belong to established connections do not need to be checked against access lists;
only the initial packet is logged and included in the hit count. For connectionless protocols, such as
ICMP, all packets are logged, even if they are permitted, and all denied packets are logged.
See the syslog message guide guide for detailed information about this syslog message.

Licensing Requirements for Access List Logging
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.

Cisco ASA 5500 Series Configuration Guide using the CLI

20-2

Chapter 20

Configuring Logging for Access Lists
Configuring Logging for Access Lists

Firewall Mode Guidelines

Supported only in routed and transparent firewall modes.
IPv6 Guidelines

Supports IPv6.
Additional Guidelines and Limitations

ACE logging generates syslog message 106023 for denied packets. A deny ACE must be present to log
denied packets.

Default Settings
Table 20-1 lists the default settings for extended access list parameters.
Table 20-1

Default Extended Access List Parameters

Parameters

Default

log

When the log keyword is specified, the default
level for syslog message 106100 is 6
(informational), and the default interval is 300
seconds.

Configuring Access List Logging
This sections describes how to configure access list logging.

Note

For complete access list command syntax, see the “Configuring Extended Access Lists” section on
page 15-2 and the “Using Webtype Access Lists” section on page 18-2.

Cisco ASA 5500 Series Configuration Guide using the CLI

20-3

Chapter 20

Configuring Logging for Access Lists

To configure logging for an ACE, enter the following command:
Command

Purpose

access-list access_list_name [extended]
{deny | permit}...[log [[level] [interval
secs] | disable | default]]

Configures logging for an ACE.
The access-list access_list_name syntax specifies the access list for which
you want to configure logging.

Example:

The extended option adds an ACE.

hostname(config)# access-list outside-acl
permit ip host 10.0.0.0 any log 7 interval
600

The deny keyword denies a packet if the conditions are matched. Some
features do not allow deny ACEs, such as NAT. (See the command
documentation for each feature that uses an access list for more
information.)
The permit keyword permits a packet if the conditions are matched.
If you enter the log option without any arguments, you enable syslog
message 106100 at the default level (6) and for the default interval (300
seconds). See the following options:
•

level—A severity level between 0 and 7. The default is 6.

•

interval secs—The time interval in seconds between syslog messages,
from 1 to 600. The default is 300. This value is also used as the timeout
value for deleting an inactive flow.

•

disable—Disables all access list logging.

•

default—Enables logging to message 106023. This setting is the same
as having no log option.

(See the access-list command in the Cisco Security Appliance Command
Reference for more information about command options.)

Monitoring Access Lists
To monitor access lists, enter one of the following commands:
Command

Purpose

show access list

Displays the access list entries by number.

show running-config access-list

Displays the current running access list
configuration.

Configuration Examples for Access List Logging
This section includes sample configurations for logging access lists.
You might configure the following access list:
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#

access-list outside-acl permit ip host 10.10.0.0 any log 7 interval 600
access-list outside-acl permit ip host 10.255.255.255 any
access-list outside-acl deny ip any any log 2
access-group outside-acl in interface outside

Cisco ASA 5500 Series Configuration Guide using the CLI

20-4

Chapter 20

Configuring Logging for Access Lists
Managing Deny Flows

When the first ACE of outside-acl permits a packet, the ASA generates the following syslog message:
%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/10.0.0.0(12345) ->
inside/192.168.1.1(1357) hit-cnt 1 (first hit)

Although 20 additional packets for this connection arrive on the outside interface, the traffic does not
have to be checked against the access list, and the hit count does not increase.
If one or more connections by the same host are initiated within the specified 10-minute interval (and
the source and destination ports remain the same), then the hit count is incremented by 1, and the
following syslog message displays at the end of the 10-minute interval:
%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/10.0.0.0(12345)->
inside/192.168.1.1(1357) hit-cnt 2 (600-second interval)

When the third ACE denies a packet, the ASA generates the following syslog message:
%ASA|PIX-2-106100: access-list outside-acl denied ip outside/10.255.255.255(12345) ->
inside/192.168.1.1(1357) hit-cnt 1 (first hit)

If 20 additional attempts occur within a 5-minute interval (the default), the following syslog message
appears at the end of 5 minutes:
%ASA|PIX-2-106100: access-list outside-acl denied ip outside/10.255.255.255(12345) ->
inside/192.168.1.1(1357) hit-cnt 21 (300-second interval)

Feature History for Access List Logging
Table 20-2 lists each feature change and the platform release in which it was implemented.
Table 20-2

Feature History for Access List Logging

Feature Name

Releases

Feature Information

Access list logging

7.0(1)

You can enable logging using syslog message 106100,
which provides statistics for each ACE and lets you limit the
number of syslog messages produced.
We introduced the following command: access-list.

ACL Timestamp

8.3(1)

The ASA reports the timestamp for the last access rule hit.

Managing Deny Flows
This section includes the following topics:
•

Information About Managing Deny Flows, page 20-6

•

Licensing Requirements for Managing Deny Flows, page 20-6

•

Guidelines and Limitations, page 20-6

•

Managing Deny Flows, page 20-7

•

Monitoring Deny Flows, page 20-7

•

Feature History for Managing Deny Flows, page 20-8

Cisco ASA 5500 Series Configuration Guide using the CLI

20-5

Chapter 20

Configuring Logging for Access Lists

Managing Deny Flows

Information About Managing Deny Flows
When you enable logging for message 106100, if a packet matches an ACE, the ASA creates a flow entry
to track the number of packets received within a specific interval. The ASA has a maximum of 32 K
logging flows for ACEs. A large number of flows can exist concurrently at any point of time. To prevent
unlimited consumption of memory and CPU resources, the ASA places a limit on the number of
concurrent deny flows; the limit is placed on deny flows only (not on permit flows) because they can
indicate an attack. When the limit is reached, the ASA does not create a new deny flow for logging until
the existing flows expire.
For example, if someone initiates a DoS attack, the ASA can create a large number of deny flows in a
short period of time. Restricting the number of deny flows prevents unlimited consumption of memory
and CPU resources.
When you reach the maximum number of deny flows, the ASA issues syslog message 106100:
%ASA|PIX-1-106101: The number of ACL log deny-flows has reached limit (number).

The access-list alert-interval command sets the time interval for generating syslog message 106001.
Syslog message 106001 alerts you that the ASA has reached a deny flow maximum. When the deny flow
maximum is reached, another syslog message 106001 is generated if at least six seconds have passed
since the last 106001 message was generated.

Licensing Requirements for Managing Deny Flows
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines

Supported only in routed and transparent firewall modes.
IPv6 Guidelines

Supports IPv6.
Additional Guidelines and Limitations

The ASA places a limit on the number of concurrent deny flows only—not permit flows.

Cisco ASA 5500 Series Configuration Guide using the CLI

20-6

Chapter 20

Configuring Logging for Access Lists
Managing Deny Flows

Default Settings
Table 20-1 lists the default settings for managing deny flows.
Table 20-3

Default Parameters for Managing Deny Flows

Parameters

Default

numbers

The numbers argument specifies the maximum
number of deny flows. The default is 4096.

secs

The secs argument specifies the time, in seconds,
between syslog messages. The default is 300.

Managing Deny Flows
To configure the maximum number of deny flows and to set the interval between deny flow alert
messages (106100), enter the following command:
Command

Purpose

access-list deny-flow-max number

Sets the maximum number of deny flows.

Example:

The numbers argument specifies the maximum number, which can be
between 1 and 4096. The default is 4096.

hostname(config)# access-list
deny-flow-max 3000

To set the amount of time between syslog messages (number 106101), which identifies that the
maximum number of deny flows was reached, enter the following command:
Command

Purpose

access-list alert-interval secs

Sets the time, in seconds, between syslog messages.

Example:

The secs argument specifies the time interval between each deny flow
maximum message. Valid values are from 1 to 3600 seconds. The default
is 300 seconds.

hostname(config)# access-list
alert-interval 200

Monitoring Deny Flows
To monitor access lists, enter one of the following commands:
Command

Purpose

show access-list

Displays access list entries by number.

show running-config access-list

Displays the current running access list
configuration.

Cisco ASA 5500 Series Configuration Guide using the CLI

20-7

Chapter 20

Configuring Logging for Access Lists

Managing Deny Flows

Feature History for Managing Deny Flows
Table 20-2 lists each feature change and the platform release in which it was implemented.
Table 20-4

Feature History for Managing Deny Flows

Feature Name

Releases

Feature Information

Managing Deny Flows

7.0(1)

You can configure the maximum number of deny flows and
set the interval between deny flow alert messages.
We introduced the following commands: access-list
deny-flow and access-list alert-interval.

Cisco ASA 5500 Series Configuration Guide using the CLI

20-8

PA R T

Configuring IP Routing

C H A P T E R

Routing Overview
This chapter describes underlying concepts of how routing behaves within the ASA, and the routing
protocols that are supported.
This chapter includes the following sections:
•

Information About Routing, page 21-1

•

How Routing Behaves Within the ASA, page 21-4

•

Supported Internet Protocols for Routing, page 21-5

•

Information About the Routing Table, page 21-6

•

Information About IPv6 Support, page 21-9

•

Disabling Proxy ARPs, page 21-11

Information About Routing
Routing is the act of moving information across an internetwork from a source to a destination. Along
the way, at least one intermediate node typically is encountered. Routing involves two basic activities:
determining optimal routing paths and transporting information groups (typically called packets)
through an internetwork. In the context of the routing process, the latter of these is referred to as packet
switching. Although packet switching is relatively straightforward, path determination can be very
complex.
This section includes the following topics:
•

Switching, page 21-2

•

Path Determination, page 21-2

•

Supported Route Types, page 21-2

Cisco ASA 5500 Series Configuration Guide using the CLI

21-1

Chapter 21

Routing Overview

Information About Routing

Switching
Switching algorithms is relatively simple; it is the same for most routing protocols. In most cases, a host
determines that it must send a packet to another host. Having acquired a router address by some means,
the source host sends a packet addressed specifically to a router physical (Media Access Control
[MAC]-layer) address, this time with the protocol (network layer) address of the destination host.
As it examines the packet destination protocol address, the router determines that it either knows or does
not know how to forward the packet to the next hop. If the router does not know how to forward the
packet, it typically drops the packet. If the router knows how to forward the packet, however, it changes
the destination physical address to that of the next hop and transmits the packet.
The next hop may be the ultimate destination host. If not, the next hop is usually another router, which
executes the same switching decision process. As the packet moves through the internetwork, its
physical address changes, but its protocol address remains constant.

Path Determination
Routing protocols use metrics to evaluate what path will be the best for a packet to travel. A metric is a
standard of measurement, such as path bandwidth, that is used by routing algorithms to determine the
optimal path to a destination. To aid the process of path determination, routing algorithms initialize and
maintain routing tables, which include route information. Route information varies depending on the
routing algorithm used.
Routing algorithms fill routing tables with a variety of information. Destination or next hop associations
tell a router that a particular destination can be reached optimally by sending the packet to a particular
router representing the next hop on the way to the final destination. When a router receives an incoming
packet, it checks the destination address and attempts to associate this address with a next hop.
Routing tables also can include other information, such as data about the desirability of a path. Routers
compare metrics to determine optimal routes, and these metrics differ depending on the design of the
routing algorithm used.
Routers communicate with one another and maintain their routing tables through the transmission of a
variety of messages. The routing update message is one such message that generally consists of all or a
portion of a routing table. By analyzing routing updates from all other routers, a router can build a
detailed picture of network topology. A link-state advertisement, another example of a message sent
between routers, informs other routers of the state of the sender links. Link information also can be used
to build a complete picture of network topology to enable routers to determine optimal routes to network
destinations.

Note

Asymmetric routing is only supported for Active/Active failover in multiple context mode. For more
information, see the “Configuring Active/Active Failover” section on page 63-8.

Supported Route Types
There are several route types that a router can use. The ASA uses the following route types:
•

Static Versus Dynamic, page 21-3

•

Single-Path Versus Multipath, page 21-3

•

Flat Versus Hierarchical, page 21-3

Cisco ASA 5500 Series Configuration Guide using the CLI

21-2

Chapter 21

Routing Overview
Information About Routing

•

Link-State Versus Distance Vector, page 21-4

Static Versus Dynamic
Static routing algorithms are hardly algorithms at all, but are table mappings established by the network
administrator before the beginning of routing. These mappings do not change unless the network
administrator alters them. Algorithms that use static routes are simple to design and work well in
environments where network traffic is relatively predictable and where network design is relatively
simple.
Because static routing systems cannot react to network changes, they generally are considered unsuitable
for large, constantly changing networks. Most of the dominant routing algorithms are dynamic routing
algorithms, which adjust to changing network circumstances by analyzing incoming routing update
messages. If the message indicates that a network change has occurred, the routing software recalculates
routes and sends out new routing update messages. These messages permeate the network, stimulating
routers to rerun their algorithms and change their routing tables accordingly.
Dynamic routing algorithms can be supplemented with static routes where appropriate. A router of last
resort (a router to which all unroutable packets are sent), for example, can be designated to act as a
repository for all unroutable packets, ensuring that all messages are at least handled in some way.

Note

There is no dynamic routing support in multi-context mode. As a result, there is no route tracking.

Single-Path Versus Multipath
Some sophisticated routing protocols support multiple paths to the same destination. Unlike single-path
algorithms, these multipath algorithms permit traffic multiplexing over multiple lines. The advantages
of multipath algorithms are substantially better throughput and reliability, which is generally called load
sharing.

Flat Versus Hierarchical
Some routing algorithms operate in a flat space, while others use routing hierarchies. In a flat routing
system, the routers are peers of all others. In a hierarchical routing system, some routers form what
amounts to a routing backbone. Packets from nonbackbone routers travel to the backbone routers, where
they are sent through the backbone until they reach the general area of the destination. At this point, they
travel from the last backbone router through one or more nonbackbone routers to the final destination.
Routing systems often designate logical groups of nodes, called domains, autonomous systems, or areas.
In hierarchical systems, some routers in a domain can communicate with routers in other domains, while
others can communicate only with routers within their domain. In very large networks, additional
hierarchical levels may exist, with routers at the highest hierarchical level forming the routing backbone.
The primary advantage of hierarchical routing is that it mimics the organization of most companies and
therefore supports their traffic patterns well. Most network communication occurs within small company
groups (domains). Because intradomain routers need to know only about other routers within their
domain, their routing algorithms can be simplified, and, depending on the routing algorithm being used,
routing update traffic can be reduced accordingly.

Cisco ASA 5500 Series Configuration Guide using the CLI

21-3

Chapter 21

Routing Overview

How Routing Behaves Within the ASA

Link-State Versus Distance Vector
Link-state algorithms (also known as shortest path first algorithms) flood routing information to all
nodes in the internetwork. Each router, however, sends only the portion of the routing table that describes
the state of its own links. In link-state algorithms, each router builds a picture of the entire network in
its routing tables. Distance vector algorithms (also known as Bellman-Ford algorithms) call for each
router to send all or some portion of its routing table, but only to its neighbors. In essence, link-state
algorithms send small updates everywhere, while distance vector algorithms send larger updates only to
neighboring routers. Distance vector algorithms know only about their neighbors. Typically, this type of
algorithm is used in conjunction with OSPF routing protocols.

How Routing Behaves Within the ASA
The ASA uses both routing table and XLATE tables for routing decisions. To handle destination IP
translated traffic, that is, untranslated traffic, the ASA searches for existing XLATE, or static translation
to select the egress interface.
This section includes the following topics:
•

Egress Interface Selection Process, page 21-4

•

Next Hop Selection Process, page 21-4

Egress Interface Selection Process
The selection process follows these steps:
1.

If a destination IP translating XLATE already exists, the egress interface for the packet is determined
from the XLATE table, but not from the routing table.

If a destination IP translating XLATE does not exist, but a matching static translation exists, then
the egress interface is determined from the static route and an XLATE is created, and the routing
table is not used.

If a destination IP translating XLATE does not exist and no matching static translation exists, the
packet is not destination IP translated. The ASA processes this packet by looking up the route to
select the egress interface, then source IP translation is performed (if necessary).
For regular dynamic outbound NAT, initial outgoing packets are routed using the route table and
then creating the XLATE. Incoming return packets are forwarded using existing XLATE only. For
static NAT, destination translated incoming packets are always forwarded using existing XLATE or
static translation rules.

Next Hop Selection Process
After selecting the egress interface using any method described previously, an additional route lookup
is performed to find out suitable next hop(s) that belong to a previously selected egress interface. If there
are no routes in the routing table that explicitly belong to a selected interface, the packet is dropped with

Cisco ASA 5500 Series Configuration Guide using the CLI

21-4

Chapter 21

Routing Overview
Supported Internet Protocols for Routing

a level 6 syslog message 110001 generated (no route to host), even if there is another route for a given
destination network that belongs to a different egress interface. If the route that belongs to a selected
egress interface is found, the packet is forwarded to the corresponding next hop.
Load sharing on the ASA is possible only for multiple next hops available using a single egress interface.
Load sharing cannot share multiple egress interfaces.
If dynamic routing is in use on the ASA and the route table changes after XLATE creation (for example,
route flap), then destination translated traffic is still forwarded using the old XLATE, not via the route
table, until XLATE times out. It may be either forwarded to the wrong interface or dropped with a level
6 syslog message 110001 generated (no route to host), if the old route was removed from the old
interface and attached to another one by the routing process.
The same problem may happen when there are no route flaps on the ASA itself, but some routing process
is flapping around it, sending source-translated packets that belong to the same flow through the ASA
using different interfaces. Destination-translated return packets may be forwarded back using the wrong
egress interface.
This issue has a high probability in some security traffic configurations, where virtually any traffic may
be either source-translated or destination-translated, depending on the direction of the initial packet in
the flow. When this issue occurs after a route flap, it can be resolved manually by using the clear xlate
command, or automatically resolved by an XLATE timeout. The XLATE timeout may be decreased if
necessary. To ensure that this issue rarely occurs, make sure that there are no route flaps on the ASA and
around it. That is, ensure that destination-translated packets that belong to the same flow are always
forwarded the same way through the ASA.

Supported Internet Protocols for Routing
The ASA supports several Internet protocols for routing. Each protocol is briefly described in this
section.
•

Enhanced Interior Gateway Routing Protocol (EIGRP)
EIGRP provides compatibility and seamless interoperation with IGRP routers. An
automatic-redistribution mechanism allows IGRP routes to be imported into Enhanced IGRP, and
vice versa, so it is possible to add Enhanced IGRP gradually into an existing IGRP network.
For more information about configuring EIGRP, see the “Configuring EIGRP” section on page 27-3.

•

Open Shortest Path First (OSPF)
Open Shortest Path First (OSPF) is a routing protocol developed for Internet Protocol (IP) networks
by the interior gateway protocol (IGP) working group of the Internet Engineering Task Force
(IETF). OSPF uses a link-state algorithm to build and calculate the shortest path to all known
destinations. Each router in an OSPF area includes an identical link-state database, which is a list
of each of the router usable interfaces and reachable neighbors.
For more information about configuring OSPF, see the “Configuring OSPF” section on page 24-3.

•

Routing Information Protocol
The Routing Information Protocol (RIP) is a distance-vector protocol that uses hop count as its
metric. RIP is widely used for routing traffic in the global Internet and is an interior gateway
protocol (IGP), which means that it performs routing within a single autonomous system.
For more information about configuring RIP, see the “Configuring RIP” section on page 25-4.

Cisco ASA 5500 Series Configuration Guide using the CLI

21-5

Chapter 21

Routing Overview

Information About the Routing Table

Information About the Routing Table
This section includes the following topics:
•

Displaying the Routing Table, page 21-6

•

How the Routing Table Is Populated, page 21-6

•

How Forwarding Decisions Are Made, page 21-8

•

Dynamic Routing and Failover, page 21-9

Displaying the Routing Table
To view the entries in the routing table, enter the following command:
hostname# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.86.194.1 to network 0.0.0.0
S
C
S*

10.1.1.0 255.255.255.0 [3/0] via 10.86.194.1, outside
10.86.194.0 255.255.254.0 is directly connected, outside
0.0.0.0 0.0.0.0 [1/0] via 10.86.194.1, outside

On the ASA 5505, the following route is also shown. It is the internal loopback interface, which is used
by the VPN hardware client feature for individual user authentication.
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

How the Routing Table Is Populated
The ASA routing table can be populated by statically defined routes, directly connected routes, and
routes discovered by the RIP, EIGRP, and OSPF routing protocols. Because the ASA can run multiple
routing protocols in addition to having static and connected routes in the routing table, it is possible that
the same route is discovered or entered in more than one manner. When two routes to the same
destination are put into the routing table, the one that remains in the routing table is determined as
follows:
•

If the two routes have different network prefix lengths (network masks), then both routes are
considered unique and are entered into the routing table. The packet forwarding logic then
determines which of the two to use.
For example, if the RIP and OSPF processes discovered the following routes:
– RIP: 192.168.32.0/24
– OSPF: 192.168.32.0/19

Cisco ASA 5500 Series Configuration Guide using the CLI

21-6

Chapter 21

Routing Overview
Information About the Routing Table

Even though OSPF routes have the better administrative distance, both routes are installed in the
routing table because each of these routes has a different prefix length (subnet mask). They are
considered different destinations and the packet forwarding logic determines which route to use.
•

If the ASA learns about multiple paths to the same destination from a single routing protocol, such
as RIP, the route with the better metric (as determined by the routing protocol) is entered into the
routing table.
Metrics are values associated with specific routes, ranking them from most preferred to least
preferred. The parameters used to determine the metrics differ for different routing protocols. The
path with the lowest metric is selected as the optimal path and installed in the routing table. If there
are multiple paths to the same destination with equal metrics, load balancing is done on these equal
cost paths.

•

If the ASA learns about a destination from more than one routing protocol, the administrative
distances of the routes are compared and the routes with lower administrative distance are entered
into the routing table.
You can change the administrative distances for routes discovered by or redistributed into a routing
protocol. If two routes from two different routing protocols have the same administrative distance,
then the route with the lower default administrative distance is entered into the routing table. In the
case of EIGRP and OSPF routes, if the EIGRP route and the OSPF route have the same
administrative distance, then the EIGRP route is chosen by default.

Administrative distance is a route parameter that the ASA uses to select the best path when there are two
or more different routes to the same destination from two different routing protocols. Because the routing
protocols have metrics based on algorithms that are different from the other protocols, it is not always
possible to determine the best path for two routes to the same destination that were generated by different
routing protocols.
Each routing protocol is prioritized using an administrative distance value. Table 21-1 shows the default
administrative distance values for the routing protocols supported by the ASA.
Table 21-1

Default Administrative Distance for Supported Routing Protocols

Route Source

Default Administrative Distance

Connected interface

Static route

EIGRP Summary Route

Internal EIGRP

OSPF

110

RIP

120

EIGRP external route

170

Unknown

255

The smaller the administrative distance value, the more preference is given to the protocol. For example,
if the ASA receives a route to a certain network from both an OSPF routing process (default
administrative distance - 110) and a RIP routing process (default administrative distance - 120), the ASA
chooses the OSPF route because OSPF has a higher preference. In this case, the router adds the OSPF
version of the route to the routing table.
In this example, if the source of the OSPF-derived route was lost (for example, due to a power shutdown),
the ASA would then use the RIP-derived route until the OSPF-derived route reappears.

Cisco ASA 5500 Series Configuration Guide using the CLI

21-7

Chapter 21

Routing Overview

Information About the Routing Table

The administrative distance is a local setting. For example, if you use the distance-ospf command to
change the administrative distance of routes obtained through OSPF, that change would only affect the
routing table for the ASA on which the command was entered. The administrative distance is not
advertised in routing updates.
Administrative distance does not affect the routing process. The OSPF and RIP routing processes only
advertise the routes that have been discovered by the routing process or redistributed into the routing
process. For example, the RIP routing process advertises RIP routes, even if routes discovered by the
OSPF routing process are used in the ASA routing table.

Backup Routes
A backup route is registered when the initial attempt to install the route in the routing table fails because
another route was installed instead. If the route that was installed in the routing table fails, the routing
table maintenance process calls each routing protocol process that has registered a backup route and
requests them to reinstall the route in the routing table. If there are multiple protocols with registered
backup routes for the failed route, the preferred route is chosen based on administrative distance.
Because of this process, you can create floating static routes that are installed in the routing table when
the route discovered by a dynamic routing protocol fails. A floating static route is simply a static route
configured with a greater administrative distance than the dynamic routing protocols running on the
ASA. When the corresponding route discovered by a dynamic routing process fails, the static route is
installed in the routing table.

How Forwarding Decisions Are Made
Forwarding decisions are made as follows:
•

If the destination does not match an entry in the routing table, the packet is forwarded through the
interface specified for the default route. If a default route has not been configured, the packet is
discarded.

•

If the destination matches a single entry in the routing table, the packet is forwarded through the
interface associated with that route.

•

If the destination matches more than one entry in the routing table, and the entries all have the same
network prefix length, the packets for that destination are distributed among the interfaces
associated with that route.

•

If the destination matches more than one entry in the routing table, and the entries have different
network prefix lengths, then the packet is forwarded out of the interface associated with the route
that has the longer network prefix length.

For example, a packet destined for 192.168.32.1 arrives on an interface of an ASA with the following
routes in the routing table:
hostname# show route
....
R
192.168.32.0/24 [120/4] via 10.1.1.2
O
192.168.32.0/19 [110/229840] via 10.1.1.3
....

In this case, a packet destined to 192.168.32.1 is directed toward 10.1.1.2, because 192.168.32.1 falls
within the 192.168.32.0/24 network. It also falls within the other route in the routing table, but the
192.168.32.0/24 has the longest prefix within the routing table (24 bits verses 19 bits). Longer prefixes
are always preferred over shorter ones when forwarding a packet.

Cisco ASA 5500 Series Configuration Guide using the CLI

21-8

Chapter 21

Routing Overview
Information About IPv6 Support

Dynamic Routing and Failover
Because static routing systems cannot react to network changes, they generally are considered unsuitable
for large, constantly changing networks. Most of the dominant routing algorithms are dynamic routing
algorithms, which adjust to changing network circumstances by analyzing incoming routing update
messages. If the message indicates that a network change has occurred, the routing software recalculates
routes and sends out new routing update messages. These messages permeate the network, stimulating
routers to rerun their algorithms and change their routing tables accordingly.
Dynamic routing algorithms can be supplemented with static routes where appropriate. A router of last
resort (a router to which all unroutable packets are sent), for example, can be designated to act as a
repository for all unroutable packets, ensuring that all messages are at least handled in some way.
Dynamic routes are synchronized on the standby unit when the routing table changes on the active unit,
which means that all additions, deletions, or changes on the active unit are immediately propagated to
the standby unit. If the standby unit becomes active after the primary unit has been active for a period of
time, routes become synchronized as a part of the failover bulk synchronization process, so the routing
table on the active/standby failover pair should appear the same.
For more information about static routes and how to configure them, see the “Configuring Static and
Default Routes” section on page 22-2.

Information About IPv6 Support
Many, but not all, features on the ASA support IPv6 traffic. This section describes the commands and
features that support IPv6 and includes the following topics:
•

Features That Support IPv6, page 21-9

•

IPv6-Enabled Commands, page 21-10

•

Entering IPv6 Addresses in Commands, page 21-11

Features That Support IPv6
The following features support IPv6:

Note

For features that use the Modular Policy Framework, be sure to use the match any command to match
IPv6 traffic; other match commands do not support IPv6.
•

The following application inspections support IPv6 traffic:
– FTP
– HTTP
– ICMP
– SIP
– SMTP
– IPsec-pass-thru

•

IPS

Cisco ASA 5500 Series Configuration Guide using the CLI

21-9

Chapter 21
Information About IPv6 Support

•

NetFlow Secure Event Logging filtering

•

Connection limits, timeouts, and TCP randomization

•

TCP Normalization

•

TCP state bypass

•

Access group, using an IPv6 access list

•

Static Routes

•

VPN (all types)

•

Failover

•

Transparent firewall mode

IPv6-Enabled Commands
The following ASA commands can accept and display IPv6 addresses:
•

capture

•

configure

•

copy

•

failover interface ip

•

http

•

name

•

object-group

•

ping

•

show conn

•

show local-host

•

show tcpstat

•

ssh

•

telnet

•

tftp-server

•

who

•

write

The following commands were modified to work for IPv6:
•

debug

•

fragment

•

ip verify

•

mtu

•

icmp (entered as ipv6 icmp)

Cisco ASA 5500 Series Configuration Guide using the CLI

21-10

Routing Overview

Chapter 21

Routing Overview
Disabling Proxy ARPs

Entering IPv6 Addresses in Commands
When entering IPv6 addresses in commands that support them, enter the IPv6 address using standard
IPv6 notation, for example:
ping fe80::2e0:b6ff:fe01:3b7a.

The ASA correctly recognizes and processes the IPv6 address. However, you must enclose the IPv6
address in square brackets ([ ]) in the following situations:
•

You need to specify a port number with the address, for example:
[fe80::2e0:b6ff:fe01:3b7a]:8080.

•

The command uses a colon as a separator, such as the write net command and config net command,
for example:
configure net [fe80::2e0:b6ff:fe01:3b7a]:/tftp/config/asaconfig.

Disabling Proxy ARPs
When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the
MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A
host sends an ARP request asking “Who is this IP address?” The device owning the IP address replies,
“I own that IP address; here is my MAC address.”
Proxy ARP is used when a device responds to an ARP request with its own MAC address, even though
the device does not own the IP address. The ASA uses proxy ARP when you configure NAT and specify
a mapped address that is on the same network as the ASA interface. The only way traffic can reach the
hosts is if the ASA uses proxy ARP to claim that the MAC address is assigned to destination mapped
addresses.
Under rare circumstances, you might want to disable proxy ARP for NAT addresses.
If you have a VPN client address pool that overlaps with an existing network, the ASA by default sends
proxy ARPs on all interfaces. If you have another interface that is on the same Layer 2 domain, it will
see the ARP requests and will answer with the MAC address of its interface. The result of this is that the
return traffic of the VPN clients towards the internal hosts will go to the wrong interface and will get
dropped. In this case, you need to disable proxy ARPs for the interface on which you do not want proxy
ARPs.
To disable proxy ARPs, enter the following command:
Command

Purpose

sysopt noproxyarp interface

Disables proxy ARPs.

Example:
hostname(config)# sysopt noproxyarp exampleinterface

Cisco ASA 5500 Series Configuration Guide using the CLI

21-11

Chapter 21
Disabling Proxy ARPs

Cisco ASA 5500 Series Configuration Guide using the CLI

21-12

Routing Overview

C H A P T E R

Configuring Static and Default Routes
This chapter describes how to configure static and default routes on the ASA and includes the following
sections:
•

Information About Static and Default Routes, page 22-1

•

Licensing Requirements for Static and Default Routes, page 22-2

•

Guidelines and Limitations, page 22-2

•

Configuring Static and Default Routes, page 22-2

•

Monitoring a Static or Default Route, page 22-6

•

Configuration Examples for Static or Default Routes, page 22-8

•

Feature History for Static and Default Routes, page 22-8

Information About Static and Default Routes
To route traffic to a nonconnected host or network, you must define a static route to the host or network
or, at a minimum, a default route for any networks to which the ASA is not directly connected; for
example, when there is a router between a network and the ASA.
Without a static or default route defined, traffic to nonconnected hosts or networks generates the
following syslog message:
%ASA-6-110001: No route to dest_address from source_address

Multiple context mode does not support dynamic routing,
You might want to use static routes in single context mode in the following cases:
•

Your networks use a different router discovery protocol from EIGRP, RIP, or OSPF.

•

Your network is small and you can easily manage static routes.

•

You do not want the traffic or CPU overhead associated with routing protocols.

The simplest option is to configure a default route to send all traffic to an upstream router, relying on the
router to route the traffic for you. However, in some cases the default gateway might not be able to reach
the destination network, so you must also configure more specific static routes. For example, if the
default gateway is outside, then the default route cannot direct traffic to any inside networks that are not
directly connected to the ASA.
In transparent firewall mode, for traffic that originates on the ASA and is destined for a nondirectly
connected network, you need to configure either a default route or static routes so the ASA knows out
of which interface to send traffic. Traffic that originates on the ASA might include communications to a

Cisco ASA 5500 Series Configuration Guide using the CLI

22-1

Chapter 22

Configuring Static and Default Routes

Licensing Requirements for Static and Default Routes

syslog server, Websense or N2H2 server, or AAA server. If you have servers that cannot all be reached
through a single default route, then you must configure static routes. Additionally, the ASA supports up
to three equal cost routes on the same interface for load balancing.

Licensing Requirements for Static and Default Routes
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines

Supported in routed and transparent firewall mode.
IPv6 Guidelines

Supports IPv6.
Failover Guidelines

Supports stateful failover of dynamic routing protocols.
Additional Guidelines

IPv6 static routes are not supported in transparent mode in ASDM.

Configuring Static and Default Routes
This section explains how to configure a static route and a static default route, and includes the following
topics:
•

Configuring a Static Route, page 22-3

•

Configuring a Default Static Route, page 22-4

•

Configuring IPv6 Default and Static Routes, page 22-5

Cisco ASA 5500 Series Configuration Guide using the CLI

22-2

Chapter 22

Configuring Static and Default Routes
Configuring Static and Default Routes

Configuring a Static Route
Static routing algorithms are basically table mappings established by the network administrator before
the beginning of routing. These mappings do not change unless the network administrator alters them.
Algorithms that use static routes are simple to design and work well in environments where network
traffic is relatively predictable and where network design is relatively simple. Because of this fact, static
routing systems cannot react to network changes.
Static routes remain in the routing table even if the specified gateway becomes unavailable. If the
specified gateway becomes unavailable, you need to remove the static route from the routing table
manually. However, static routes are removed from the routing table if the specified interface goes down,
and are reinstated when the interface comes back up.

Note

If you create a static route with an administrative distance greater than the administrative distance of the
routing protocol running on the ASA, then a route to the specified destination discovered by the routing
protocol takes precedence over the static route. The static route is used only if the dynamically
discovered route is removed from the routing table.
You can define up to three equal cost routes to the same destination per interface. Equal-cost multi-path
(ECMP) routing is not supported across multiple interfaces. With ECMP, the traffic is not necessarily
divided evenly between the routes; traffic is distributed among the specified gateways based on an
algorithm that hashes the source and destination IP addresses.
To configure a static route, see the following section:
•

Adding or Editing a Static Route, page 22-3

Adding or Editing a Static Route
To add or edit a static route, enter the following command:
Command

Purpose

route if_name dest_ip mask gateway_ip
[distance]

Enables you to add a static route.

Example:
hostname(config)# route outside 10.10.10.0
255.255.255.0 192.168.1.1 [1]

The dest_ip and mask arguments indicate the IP address for the destination
network, and the gateway_ip argument is the address of the next-hop
router. The addresses you specify for the static route are the addresses that
are in the packet before entering the ASA and performing NAT.
The distance argument is the administrative distance for the route. The
default is 1 if you do not specify a value. Administrative distance is a
parameter used to compare routes among different routing protocols. The
default administrative distance for static routes is 1, giving it precedence
over routes discovered by dynamic routing protocols but not directly
connected routes.
The default administrative distance for routes discovered by OSPF is 110.
If a static route has the same administrative distance as a dynamic route,
the static route takes precedence. Connected routes always take precedence
over static or dynamically discovered routes.

Cisco ASA 5500 Series Configuration Guide using the CLI

22-3

Chapter 22

Configuring Static and Default Routes

Examples
The following example shows static routes that are equal cost routes that direct traffic to three different
gateways on the outside interface. The ASA distributes the traffic among the specified gateways.
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3

Configuring a Default Static Route
A default route identifies the gateway IP address to which the ASA sends all IP packets for which it does
not have a learned or static route. A default static route is simply a static route with 0.0.0.0/0 as the
destination IP address. Routes that identify a specific destination take precedence over the default route.

Note

In Versions 7.0(1) and later, if you have two default routes configured on different interfaces that have
different metrics, the connection to the ASA that is made from the higher metric interface fails, but
connections to the ASA from the lower metric interface succeed as expected.
You can define up to three equal cost default route entries per device. Defining more than one equal cost
default route entry causes the traffic sent to the default route to be distributed among the specified
gateways. When defining more than one default route, you must specify the same interface for each
entry.
If you attempt to define more than three equal cost default routes or a default route with a different
interface than a previously defined default route, you receive the following message:
“ERROR: Cannot add route entry, possible conflict with existing routes.”

You can define a separate default route for tunneled traffic along with the standard default route. When
you create a default route with the tunneled option, all traffic from a tunnel terminating on the ASA that
cannot be routed using learned or static routes is sent to this route. For traffic emerging from a tunnel,
this route overrides any other configured or learned default routes.

Limitations on Configuring a Default Static Route
The following restrictions apply to default routes with the tunneled option:
•

Do not enable unicast RPF (ip verify reverse-path command) on the egress interface of a tunneled
route, because this setting causes the session to fail.

•

Do not enable TCP intercept on the egress interface of the tunneled route, because this setting causes
the session to fail.

•

Do not use the VoIP inspection engines (CTIQBE, H.323, GTP, MGCP, RTSP, SIP, SKINNY), the
DNS inspect engine, or the DCE RPC inspection engine with tunneled routes, because these
inspection engines ignore the tunneled route.

•

You cannot define more than one default route with the tunneled option.

•

ECMP for tunneled traffic is not supported.

To add or edit a tunneled default static route, enter the following command:

Cisco ASA 5500 Series Configuration Guide using the CLI

22-4

Chapter 22

Configuring Static and Default Routes
Configuring Static and Default Routes

Command

Purpose

route if_name 0.0.0.0 0.0.0.0 gateway_ip
[distance | tunneled]

Enables you to add a static route.

Example:
hostname(config)# route outside 0 0
192.168.2.4 tunneled

The dest_ip and mask arguments indicate the IP address for the destination
network and the gateway_ip argument is the address of the next hop router.
The addresses you specify for the static route are the addresses that are in
the packet before entering the ASA and performing NAT.
The distance argument is the administrative distance for the route. The
default is 1 if you do not specify a value. Administrative distance is a
parameter used to compare routes among different routing protocols. The
default administrative distance for static routes is 1, giving it precedence
over routes discovered by dynamic routing protocols but not directly
connect routes. The default administrative distance for routes discovered
by OSPF is 110. If a static route has the same administrative distance as a
dynamic route, the static routes take precedence. Connected routes always
take precedence over static or dynamically discovered routes.

Tip

You can enter 0 0 instead of 0.0.0.0 0.0.0.0 for the destination network address and mask, as shown in
the following example:
hostname(config)# route outside 0 0 192.168.1 1

Configuring IPv6 Default and Static Routes
The ASA automatically routes IPv6 traffic between directly connected hosts if the interfaces to which
the hosts are attached are enabled for IPv6 and the IPv6 ACLs allow the traffic.
To configure an IPv6 default route and static routes, perform the following steps:

Detailed Steps

Step 1

Step 2

Command

Purpose

ipv6 route if_name ::/0 next_hop_ipv6_addr

Adds a default IPv6 route.

Example:

The example routes packets for network 7fff::0/32 to a networking
device on the inside interface at 3FFE:1100:0:CC00::1

hostname(config)# ipv6 route inside
7fff::0/32 3FFE:1100:0:CC00::1

The address ::/0 is the IPv6 equivalent of any.

ipv6 route if_name destination
next_hop_ipv6_addr [admin_distance]

Adds an IPv6 static route to the IPv6 routing table.

Example:

The example routes packets for network 7fff::0/32 to a networking
device on the inside interface at 3FFE:1100:0:CC00::1, and with
an administrative distance of 110.

hostname(config)# ipv6 route inside
7fff::0/32 3FFE:1100:0:CC00::1 [110]

Cisco ASA 5500 Series Configuration Guide using the CLI

22-5

Chapter 22

Configuring Static and Default Routes

Monitoring a Static or Default Route

Note

The ipv6 route command works the same way as the route command, which is used to define IPv4 static
routes.

Monitoring a Static or Default Route
One of the problems with static routes is that there is no inherent mechanism for determining if the route
is up or down. They remain in the routing table even if the next hop gateway becomes unavailable. Static
routes are only removed from the routing table if the associated interface on the ASA goes down.
The static route tracking feature provides a method for tracking the availability of a static route and
installing a backup route if the primary route should fail. For example, you can define a default route to
an ISP gateway and a backup default route to a secondary ISP in case the primary ISP becomes
unavailable.
The ASA implements this feature by associating a static route with a monitoring target that you define,
and monitors the target using ICMP echo requests. If an echo reply is not received within a specified
time period, the object is considered down and the associated route is removed from the routing table. A
previously configured backup route is used in place of the removed route.
When selecting a monitoring target, you need to make sure that it can respond to ICMP echo requests.
The target can be any network object that you choose, but you should consider using the following:

Note

•

The ISP gateway (for dual ISP support) address

•

The next hop gateway address (if you are concerned about the availability of the gateway)

•

A server on the target network, such as a AAA server, that the ASA needs to communicate with

•

A persistent network object on the destination network

A desktop or notebook computer that may be shut down at night is not a good choice.
You can configure static route tracking for statically defined routes or default routes obtained through
DHCP or PPPoE. You can only enable PPPoE clients on multiple interfaces with route tracking
configured.
To configure static route tracking, perform the following steps:

Cisco ASA 5500 Series Configuration Guide using the CLI

22-6

Chapter 22

Configuring Static and Default Routes
Monitoring a Static or Default Route

Detailed Steps

Step 1

Command

Purpose

sla monitor sla_id

Configures the tracked object monitoring parameters by defining
the monitoring process.

Example:

If you are configuring a new monitoring process, you enter sla
monitor configuration mode.

hostname(config)# sla monitor sla_id

If you are changing the monitoring parameters for an unscheduled
monitoring process that already has a type defined, you
automatically enter sla protocol configuration mode.
Step 2

type echo protocol ipIcmpEcho target_ip
interface if_name

Example:
hostname(config-sla-monitor)# type echo
protocol ipIcmpEcho target_ip interface
if_name

Step 3

The target_ip argument is the IP address of the network object
whose availability the tracking process monitors. While this
object is available, the tracking process route is installed in the
routing table. When this object becomes unavailable, the tracking
process removes the route and the backup route is used in its
place.
Schedules the monitoring process.

Example:

However, you can schedule this monitoring process to begin in the
future and to only occur at specified times.

Typically, you will use the sla monitor schedule sla_id life
forever start-time now command for the monitoring schedule,
and allow the monitoring configuration to determine how often
the testing occurs.

track track_id rtr sla_id reachability

Associates a tracked static route with the SLA monitoring
process.

Example:

The track_id argument is a tracking number you assign with this
command. The sla_id argument is the ID number of the SLA
process.

hostname(config)# track track_id rtr
sla_id reachability

Step 5

If you are changing the monitoring parameters for an unscheduled
monitoring process that already has a type defined, you
automatically enter sla protocol configuration mode and cannot
change this setting.

sla monitor schedule sla_id [life {forever
| seconds}] [start-time {hh:mm [:ss]
[month day | day month] | pending | now |
after hh:mm:ss}] [ageout seconds]
[recurring]

hostname(config)# sla monitor schedule
sla_id [life {forever | seconds}]
[start-time {hh:mm[:ss] [month day | day
month] | pending | now | after hh:mm:ss}]
[ageout seconds] [recurring]

Step 4

Specifies the monitoring protocol.

Do one of the following to define the static route to be installed in the routing table while the tracked object is
reachable.
These options allow you to track a static route or a default route obtained through DHCP or PPPOE.
route if_name dest_ip mask gateway_ip
[admin_distance] track track_id

Tracks a static route.
You cannot use the tunneled option with the route command in
static route tracking.

Example:
hostname(config)# route if_name dest_ip
mask gateway_ip [admin_distance] track
track_id

Cisco ASA 5500 Series Configuration Guide using the CLI

22-7

Chapter 22

Configuring Static and Default Routes

Configuration Examples for Static or Default Routes

Command
Example:

Purpose
Tracks a default route obtained through DHCP,

hostname(config)# interface phy_if
hostname(config-if)# dhcp client route
track track_id
hostname(config-if)# ip address dhcp
setroute
hostname(config-if)# exit

Example:

Remember that you must use the setroute keyword with the ip
address dhcp command to obtain the default route using DHCP.

Tracks a default route obtained through PPPoE.

hostname(config)# interface phy_if
hostname(config-if)# pppoe client route
track track_id
hostname(config-if)# ip address pppoe
setroute
hostname(config-if)# exit

You must use the setroute keyword with the ip address pppoe
command to obtain the default route using PPPoE.

Configuration Examples for Static or Default Routes
The following example shows how to create a static route that sends all traffic destined for 10.1.1.0/24
to the router 10.1.2.45, which is connected to the inside interface, defines three equal cost static routes
that direct traffic to three different gateways on the outside interface, and adds a default route for
tunneled traffic. The ASA then distributes the traffic among the specified gateways:
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#

route
route
route
route
route

inside 10.1.1.0 255.255.255.0 10.1.2.45 1
outside 10.10.10.0 255.255.255.0 192.168.2.1
outside 10.10.10.0 255.255.255.0 192.168.2.2
outside 10.10.10.0 255.255.255.0 192.168.2.3
outside 0 0 192.168.2.4 tunneled

Unencrypted traffic received by the ASA for which there is no static or learned route is distributed among
the gateways with the IP addresses 192.168.2.1, 192.168.2.2, and 192.168.2.3. Encrypted traffic received
by the ASA for which there is no static or learned route is passed to the gateway with the IP address
192.168.2.4.
The following example creates a static route that sends all traffic destined for 10.1.1.0/24 to the router
(10.1.2.45) connected to the inside interface:
hostname(config)# route inside 10.1.1.0 255.255.255.0 10.1.2.45 1

Feature History for Static and Default Routes
Table 22-1 lists each feature change and the platform release in which it was implemented.
Table 22-1

Feature History for Static and Default Routes

Feature Name

Platform
Releases

Feature Information

Routing

7.0(1)

Static and default routing were introduced.
We introduced the route command.

Cisco ASA 5500 Series Configuration Guide using the CLI

22-8

Chapter 22

Configuring Static and Default Routes
Feature History for Static and Default Routes

Cisco ASA 5500 Series Configuration Guide using the CLI

22-9

Chapter 22
Feature History for Static and Default Routes

Cisco ASA 5500 Series Configuration Guide using the CLI

22-10

Configuring Static and Default Routes

C H A P T E R

Defining Route Maps
This chapter describes route maps and includes the following sections:
•

Information About Route Maps, page 23-1

•

Licensing Requirements for Route Maps, page 23-3

•

Guidelines and Limitations, page 23-3

•

Defining a Route Map, page 23-4

•

Customizing a Route Map, page 23-4

•

Configuration Example for Route Maps, page 23-6

•

Feature History for Route Maps, page 23-6

Information About Route Maps
Route maps are used when redistributing routes into an OSPF, RIP, or EIGRP routing process. They are
also used when generating a default route into an OSPF routing process. A route map defines which of
the routes from the specified routing protocol are allowed to be redistributed into the target routing
process.
Route maps have many features in common with widely known ACLs. These are some of the traits
common to both:
•

They are an ordered sequence of individual statements, each has a permit or deny result. Evaluation
of ACL or route maps consists of a list scan, in a predetermined order, and an evaluation of the
criteria of each statement that matches. A list scan is aborted once the first statement match is found
and an action associated with the statement match is performed.

•

They are generic mechanisms—Criteria matches and match interpretation are dictated by the way
that they are applied. The same route map applied to different tasks might be interpreted differently.

These are some of the differences between route maps and ACLs:
•

Route maps frequently use ACLs as matching criteria.

•

The main result from the evaluation of an access list is a yes or no answer—An ACL either permits
or denies input data. Applied to redistribution, an ACL determines if a particular route can (route
matches ACLs permit statement) or can not (matches deny statement) be redistributed. Typical route
maps not only permit (some) redistributed routes but also modify information associated with the
route, when it is redistributed into another protocol.

•

Route maps are more flexible than ACLs and can verify routes based on criteria which ACLs can
not verify. For example, a route map can verify if the type of route is internal.

Cisco ASA 5500 Series Configuration Guide using the CLI

23-1

Chapter 23

Defining Route Maps

Information About Route Maps

•

Each ACL ends with an implicit deny statement, by design convention; there is no similar
convention for route maps. If the end of a route map is reached during matching attempts, the result
depends on the specific application of the route map. Fortunately, route maps that are applied to
redistribution behave the same way as ACLs: if the route does not match any clause in a route map
then the route redistribution is denied, as if the route map contained deny statement at the end.

The dynamic protocol redistribute command allows you to apply a route map. In ASDM, this capability
for redistribution can be found when you add or edit a new route map (see the “Defining a Route Map”
section on page 23-4). Route maps are preferred if you intend to either modify route information during
redistribution or if you need more powerful matching capability than an ACL can provide. If you simply
need to selectively permit some routes based on their prefix or mask, we recommends that you use a route
map to map to an ACL (or equivalent prefix list) directly in the redistribute command. If you use a route
map to selectively permit some routes based on their prefix or mask, you typically use more
configuration commands to achieve the same goal.

Note

You must use a standard ACL as the match criterion for your route map. Using an extended ACL will
not work, and your routes will never be redistributed. We recommend that you number clauses in
intervals of 10, to reserve numbering space in case you need to insert clauses in the future.
This section includes the following topics:
•

Permit and Deny Clauses, page 23-2

•

Match and Set Clause Values, page 23-2

Permit and Deny Clauses
Route maps can have permit and deny clauses. In the route-map ospf-to-eigrp command, there is one
deny clause (with sequence number 10) and two permit clauses. The deny clause rejects route matches
from redistribution. Therefore, the following rules apply:
•

If you use an ACL in a route map using a permit clause, routes that are permitted by the ACL are
redistributed.

•

If you use an ACL in a route map deny clause, routes that are permitted by the ACL are not
redistributed.

•

If you use an ACL in a route map permit or deny clause, and the ACL denies a route, then the route
map clause match is not found and the next route-map clause is evaluated.

Match and Set Clause Values
Each route map clause has two types of values:
•

A match value selects routes to which this clause should be applied.

•

A set value modifies information that will be redistributed into the target protocol.

For each route that is being redistributed, the router first evaluates the match criteria of a clause in the
route map. If the match criteria succeed, then the route is redistributed or rejected as dictated by the
permit or deny clause, and some of its attributes might be modified by the values set from the Set Value
tab in ASDM or from the set commands. If the match criteria fail, then this clause is not applicable to
the route, and the software proceeds to evaluate the route against the next clause in the route map.
Scanning of the route map continues until a clause is found whose match command(s), or Match Clause
as set from the Match Clause tab in ASDM, match the route or until the end of the route map is reached.

Cisco ASA 5500 Series Configuration Guide using the CLI

23-2

Chapter 23

Defining Route Maps
Licensing Requirements for Route Maps

A match or set value in each clause can be missed or repeated several times, if one of these conditions
exists:

Note

•

If several match commands or Match Clause values in ASDM are present in a clause, all must
succeed for a given route in order for that route to match the clause (in other words, the logical AND
algorithm is applied for multiple match commands).

•

If a match command or Match Clause value in ASDM refers to several objects in one command,
either of them should match (the logical OR algorithm is applied). For example, in the match ip
address 101 121 command, a route is permitted if access list 101 or access list 121 permits it.

•

If a match command or Match Clause value in ASDM is not present, all routes match the clause. In
the previous example, all routes that reach clause 30 match; therefore, the end of the route map is
never reached.

•

If a set command, or Set Value in ASDM, is not present in a route map permit clause, then the route
is redistributed without modification of its current attributes.

Do not configure a set command in a route map deny clause because the deny clause prohibits route
redistribution—there is no information to modify.
A route map clause without a match or set command, or Match or Set Value as set on the Match or Set
Value tab in ASDM, performs an action. An empty permit clause allows a redistribution of the remaining
routes without modification. An empty deny clause does not allows a redistribution of other routes (this
is the default action if a route map is completely scanned, but no explicit match is found).

Licensing Requirements for Route Maps
The following table shows the licensing requirements for route maps:
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single context mode.
Firewall Mode Guidelines

Supported only in routed firewall mode. Transparent firewall mode is not supported.
IPv6 Guidelines

Does not support IPv6.

Cisco ASA 5500 Series Configuration Guide using the CLI

23-3

Chapter 23

Defining Route Maps

Defining a Route Map

Defining a Route Map
You must define a route map when specifying which of the routes from the specified routing protocol
are allowed to be redistributed into the target routing process.
To define a route map, enter the following command:
Command

Purpose

route-map name {permit | deny}
[sequence_number]

Creates the route map entry. Enters route-map configuration mode.
Route map entries are read in order. You can identify the order using the
sequence_number argument, or the ASA uses the order in which you add
route map entries.

Example:
hostname(config)# route-map name {permit}
[12]

Customizing a Route Map
This section describes how to customize the route map and includes the following topics:
•

Defining a Route to Match a Specific Destination Address, page 23-4

•

Configuring the Metric Values for a Route Action, page 23-5

Defining a Route to Match a Specific Destination Address
To define a route to match a specified destination address, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

route-map name {permit | deny}
[sequence_number]

Creates the route map entry. Enters route-map configuration
mode.

Example:

Route map entries are read in order. You can identify the order
using the sequence_number option, or the ASA uses the order in
which you add route map entries.

hostname(config)# route-map name {permit}
[12]

Step 2

Enter one of the following match commands to match routes to a specified destination address:
match ip address acl_id [acl_id] [...]
[prefix-list]

Example:
hostname(config-route-map)# match ip
address acl_id [acl_id] [...]
[prefix-list]

Cisco ASA 5500 Series Configuration Guide using the CLI

23-4

Matches any routes that have a destination network that matches
a standard ACL or prefix list.
If you specify more than one ACL, then the route can match any
of the ACLs.

Chapter 23

Defining Route Maps
Customizing a Route Map

Command

Purpose

match metric metric_value

Matches any routes that have a specified metric.
The metric_value can range from 0 to 4294967295.

Example:
hostname(config-route-map)# match metric
200
match ip next-hop acl_id [acl_id] [...]

Matches any routes that have a next hop router address that
matches a standard ACL.

Example:

If you specify more than one ACL, then the route can match any
of the ACLs.

hostname(config-route-map)# match ip
next-hop acl_id [acl_id] [...]
match interface if_name

Matches any routes with the specified next hop interface.

Example:

If you specify more than one interface, then the route can match
either interface.

hostname(config-route-map)# match
interface if_name
match ip route-source acl_id [acl_id]
[...]

Matches any routes that have been advertised by routers that
match a standard ACL.
If you specify more than one ACL, then the route can match any
of the ACLs.

Example:
hostname(config-route-map)# match ip
route-source acl_id [acl_id] [...]
match route-type {internal | external
[type-1 | type-2]}

Matches the route type.

Example:
hostname(config-route-map)# match
route-type internal type-1

Configuring the Metric Values for a Route Action
If a route matches the match commands, then the following set commands determine the action to
perform on the route before redistributing it.
To configure the metric value for a route action, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

route-map name {permit | deny}
[sequence_number]

Creates the route map entry.

Example:

Route map entries are read in order. You can identify the order
using the sequence_number argument, or the ASA uses the order
in which you add route map entries.

hostname(config)# route-map name {permit}
[12]

Step 2

To set a metric for the route map, enter one or more of the following set commands:

Cisco ASA 5500 Series Configuration Guide using the CLI

23-5

Chapter 23

Defining Route Maps

Configuration Example for Route Maps

Command

Purpose

set metric metric_value

Sets the metric value.
The metric_value argument can range from 0 to 294967295.

Example:
hostname(config-route-map)# set metric 200

Sets the metric type.

set metric-type {type-1 | type-2}

The metric-type argument can be type-1 or type-2.
Example:
hostname(config-route-map)# set
metric-type type-2

Configuration Example for Route Maps
The following example shows how to redistribute routes with a hop count equal to 1 into OSPF.
The ASA redistributes these routes as external LSAs with a metric of 5 and a metric type of Type 1.
hostname(config)# route-map
hostname(config-route-map)#
hostname(config-route-map)#
hostname(config-route-map)#

1-to-2 permit
match metric 1
set metric 5
set metric-type type-1

The following example shows how to redistribute the 10.1.1.0 static route into eigrp process 1 with the
configured metric value:
hostname(config)# route outside 10.1.1.0 255.255.255.0 192.168.1.1
hostname(config-route-map)# access-list mymap2 line 1 permit 10.1.1.0 255.255.255.0
hostname(config-route-map)# route-map mymap2 permit 10
hostname(config-route-map)# match ip address mymap2
hostname(config-route-map)# router eigrp 1
hostname(config)# redistribute static metric 250 250 1 1 1 route-map mymap2

Feature History for Route Maps
Table 23-1 lists each feature change and the platform release in which it was implemented.
Table 23-1

Feature History for Route Maps

Feature Name

Platform
Releases

Feature Information

Route maps

7.0(1)

We introduced this feature.
We introduced the following command: route-map.

Enhanced support for static and dynamic route
maps

8.0(2)

Support for stateful failover of dynamic routing 8.4(1)
protocols (EIGRP, OSPF, and RIP) and
debugging of general routing-related operations

Cisco ASA 5500 Series Configuration Guide using the CLI

23-6

Enhanced support for dynamic and static route maps was
added.
We introduced the following commands: debug route,
show debug route.
We modified the following command: show route.

CH A P T E R

Configuring OSPF
This chapter describes how to configure the ASA to route data, perform authentication, and redistribute
routing information using the Open Shortest Path First (OSPF) routing protocol.
The chapter includes the following sections:
•

Information About OSPF, page 24-1

•

Licensing Requirements for OSPF, page 24-2

•

Guidelines and Limitations, page 24-3

•

Configuring OSPF, page 24-3

•

Customizing OSPF, page 24-4

•

Restarting the OSPF Process, page 24-14

•

Configuration Example for OSPF, page 24-14

•

Monitoring OSPF, page 24-16

•

Feature History for OSPF, page 24-17

Information About OSPF
OSPF is an interior gateway routing protocol that uses link states rather than distance vectors for path
selection. OSPF propagates link-state advertisements rather than routing table updates. Because only
LSAs are exchanged instead of the entire routing tables, OSPF networks converge more quickly than RIP
networks.
OSPF uses a link-state algorithm to build and calculate the shortest path to all known destinations. Each
router in an OSPF area contains an identical link-state database, which is a list of each of the router
usable interfaces and reachable neighbors.
The advantages of OSPF over RIP include the following:
•

OSPF link-state database updates are sent less frequently than RIP updates, and the link-state
database is updated instantly, rather than gradually, as stale information is timed out.

•

Routing decisions are based on cost, which is an indication of the overhead required to send packets
across a certain interface. The ASA calculates the cost of an interface based on link bandwidth rather
than the number of hops to the destination. The cost can be configured to specify preferred paths.

The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory.

Cisco ASA 5500 Series Configuration Guide using the CLI

24-1

Chapter 24

Configuring OSPF

Licensing Requirements for OSPF

The ASA can run two processes of OSPF protocol simultaneously on different sets of interfaces. You
might want to run two processes if you have interfaces that use the same IP addresses (NAT allows these
interfaces to coexist, but OSPF does not allow overlapping addresses). Or you might want to run one
process on the inside and another on the outside, and redistribute a subset of routes between the two
processes. Similarly, you might need to segregate private addresses from public addresses.
You can redistribute routes into an OSPF routing process from another OSPF routing process, a RIP
routing process, or from static and connected routes configured on OSPF-enabled interfaces.
The ASA supports the following OSPF features:
•

Support of intra-area, interarea, and external (Type I and Type II) routes.

•

Support of a virtual link.

•

OSPF LSA flooding.

•

Authentication to OSPF packets (both password and MD5 authentication).

•

Support for configuring the ASA as a designated router or a designated backup router. The ASA also
can be set up as an ABR.

•

Support for stub areas and not-so-stubby areas.

•

Area boundary router Type 3 LSA filtering.

OSPF supports MD5 and clear text neighbor authentication. Authentication should be used with all
routing protocols when possible because route redistribution between OSPF and other protocols (like
RIP) can potentially be used by attackers to subvert routing information.
If NAT is used, if OSPF is operating on public and private areas, and if address filtering is required, then
you need to run two OSPF processes—one process for the public areas and one for the private areas.
A router that has interfaces in multiple areas is called an Area Border Router (ABR). A router that acts
as a gateway to redistribute traffic between routers using OSPF and routers using other routing protocols
is called an Autonomous System Boundary Router (ASBR).
An ABR uses LSAs to send information about available routes to other OSPF routers. Using ABR Type
3 LSA filtering, you can have separate private and public areas with the ASA acting as an ABR. Type 3
LSAs (interarea routes) can be filtered from one area to other, which allows you to use NAT and OSPF
together without advertising private networks.

Note

Only Type 3 LSAs can be filtered. If you configure the ASA as an ASBR in a private network, it will
send Type 5 LSAs describing private networks, which will get flooded to the entire AS, including public
areas.
If NAT is employed but OSPF is only running in public areas, then routes to public networks can be
redistributed inside the private network, either as default or Type 5 AS External LSAs. However, you
need to configure static routes for the private networks protected by the ASA. Also, you should not mix
public and private networks on the same ASA interface.
You can have two OSPF routing processes, one RIP routing process, and one EIGRP routing process
running on the ASA at the same time.

Licensing Requirements for OSPF
The following table shows the licensing requirements for this feature:

Cisco ASA 5500 Series Configuration Guide using the CLI

24-2

Chapter 24

Configuring OSPF
Guidelines and Limitations

Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single context mode.
Firewall Mode Guidelines

Supported in routed firewall mode only. Transparent firewall mode is not supported.
IPv6 Guidelines

Does not support IPv6.

Configuring OSPF
This section describes how to enable an OSPF process on the ASA.
After you enable OSPF, you need to define a route map. For more information, see the “Defining a Route
Map” section on page 23-4. Then you generate a default route. For more information, see the
“Configuring Static and Default Routes” section on page 22-2.
After you have defined a route map for the OSPF process, you can customize the OSPF process to suit
your particular needs, To learn how to customize the OSPF process on the ASA, see the “Customizing
OSPF” section on page 24-4.
To enable OSPF, you need to create an OSPF routing process, specify the range of IP addresses
associated with the routing process, then assign area IDs associated with that range of IP addresses.
You can enable up to two OSPF process instances. Each OSPF process has its own associated areas and
networks.
To enable OSPF, perform the following steps:

Cisco ASA 5500 Series Configuration Guide using the CLI

24-3

Chapter 24

Configuring OSPF

Customizing OSPF

Detailed Steps

Step 1

Command

Purpose

router ospf process_id

Creates an OSPF routing process and enters router configuration
mode for this OSPF process.

Example:

The process_id argument is an internally used identifier for this
routing process and can be any positive integer. This ID does not
have to match the ID on any other device; it is for internal use
only. You can use a maximum of two processes.

hostname(config)# router ospf 2

If there is only one OSPF process enabled on the ASA, then that
process is selected by default. You cannot change the OSPF
process ID when editing an existing area.
Step 2

network ip_address mask area area_id

Defines the IP addresses on which OSPF runs and the area ID for
that interface.

Example:

When adding a new area, enter the area ID. You can specify the
area ID as either a decimal number or an IP address. Valid decimal
values range from 0-4294967295. You cannot change the area ID
when editing an existing area.

hostname(config)# router ospf 2
hostname(config-router)# network 10.0.0.0
255.0.0.0 area 0

Customizing OSPF
This section explains how to customize the OSPF process and includes the following topics:
•

Redistributing Routes Into OSPF, page 24-4

•

Configuring Route Summarization When Redistributing Routes Into OSPF, page 24-6

•

Configuring Route Summarization Between OSPF Areas, page 24-7

•

Configuring OSPF Interface Parameters, page 24-8

•

Configuring OSPF Area Parameters, page 24-10

•

Configuring OSPF NSSA, page 24-11

•

Defining Static OSPF Neighbors, page 24-12

•

Configuring Route Calculation Timers, page 24-13

•

Logging Neighbors Going Up or Down, page 24-13

Redistributing Routes Into OSPF
The ASA can control the redistribution of routes between OSPF routing processes.

Note

If you want to redistribute a route by defining which of the routes from the specified routing protocol are
allowed to be redistributed into the target routing process, you must first generate a default route. See
the “Configuring Static and Default Routes” section on page 22-2, and then define a route map according
to the “Defining a Route Map” section on page 23-4.
To redistribute static, connected, RIP, or OSPF routes into an OSPF process, perform the following steps:

Cisco ASA 5500 Series Configuration Guide using the CLI

24-4

Chapter 24

Configuring OSPF
Customizing OSPF

Detailed Steps

Step 1

Command

Purpose

router ospf process_id

Creates an OSPF routing process and enters router configuration
mode for the OSPF process that you want to redistribute.

Example:

hostname(config)# router ospf 2

Step 2

Do one of the following to redistribute the selected route type into the OSPF routing process:
redistribute connected
[[metric metric-value]
[metric-type {type-1 | type-2}]
[tag tag_value] [subnets] [route-map
map_name]

Redistributes connected routes into the OSPF routing process.

Example:
hostname(config)# redistribute connected 5
type-1 route-map-practice
redistribute static [metric metric-value]
[metric-type {type-1 | type-2}]
[tag tag_value] [subnets] [route-map
map_name

Redistributes static routes into the OSPF routing process.

Example:
hostname(config)# redistribute static 5
type-1 route-map-practice
redistribute ospf pid [match {internal |
external [1 | 2] | nssa-external [1 | 2]}]
[metric metric-value]
[metric-type {type-1 | type-2}]
[tag tag_value] [subnets] [route-map
map_name]

Example:
hostname(config)# route-map 1-to-2 permit
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set
metric-type type-1
hostname(config-route-map)# router ospf 2
hostname(config-router)# redistribute ospf
1 route-map 1-to-2

Allows you to redistribute routes from an OSPF routing process
into another OSPF routing process.
You can either use the match options in this command to match
and set route properties, or you can use a route map. The subnets
option does not have equivalents in the route-map command. If
you use both a route map and match options in the redistribute
command, then they must match.
The example shows route redistribution from OSPF process 1 into
OSPF process 2 by matching routes with a metric equal to 1. The
ASA redistributes these routes as external LSAs with a metric of
5 and a metric type of Type 1.

Cisco ASA 5500 Series Configuration Guide using the CLI

24-5

Chapter 24

Configuring OSPF

Customizing OSPF

Command

Purpose

redistribute rip [metric metric-value]
[metric-type {type-1 | type-2}]
[tag tag_value] [subnets] [route-map
map_name]

Allows you to redistribute routes from a RIP routing process into
the OSPF routing process.

Example:
hostname(config)# redistribute rip 5
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set
metric-type type-1
hostname(config-router)# redistribute ospf
1 route-map 1-to-2
redistribute eigrp as-num
[metric metric-value]
[metric-type {type-1 | type-2}]
[tag tag_value] [subnets] [route-map
map_name]

Allows you to redistribute routes from an EIGRP routing process
into the OSPF routing process.

Example:
hostname(config)# redistribute eigrp 2
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set
metric-type type-1
hostname(config-router)# redistribute ospf
1 route-map 1-to-2

Configuring Route Summarization When Redistributing Routes Into OSPF
When routes from other protocols are redistributed into OSPF, each route is advertised individually in
an external LSA. However, you can configure the ASA to advertise a single route for all the redistributed
routes that are included for a specified network address and mask. This configuration decreases the size
of the OSPF link-state database.
Routes that match the specified IP Address mask pair can be suppressed. The tag value can be used as a
match value for controlling redistribution through route maps.

Cisco ASA 5500 Series Configuration Guide using the CLI

24-6

Chapter 24

Configuring OSPF
Customizing OSPF

To configure the software advertisement on one summary route for all redistributed routes included for
a network address and mask, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router ospf process_id

Creates an OSPF routing process and enters router configuration
mode for this OSPF process.

Example:

hostname(config)# router ospf 1

Step 2

summary-address ip_address mask
[not-advertise] [tag tag]

Sets the summary address.
In this example, the summary address 10.1.0.0 includes addresses
10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the 10.1.0.0 address
is advertised in an external link-state advertisement.

Example:
hostname(config)# router ospf 1
hostname(config-router)# summary-address
10.1.0.0 255.255.0.0

Configuring Route Summarization Between OSPF Areas
Route summarization is the consolidation of advertised addresses. This feature causes a single summary
route to be advertised to other areas by an area boundary router. In OSPF, an area boundary router
advertises networks in one area into another area. If the network numbers in an area are assigned in a
way so that they are contiguous, you can configure the area boundary router to advertise a summary route
that includes all the individual networks within the area that fall into the specified range.
To define an address range for route summarization, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router ospf process_id

Creates an OSPF routing process and enters router configuration
mode for this OSPF process.

Example:

The process_id argument is an internally used identifier for this
routing process. It can be any positive integer. This ID does not
have to match the ID on any other device; it is for internal use
only. You can use a maximum of two processes.

hostname(config)# router ospf 1

Step 2

area area-id range ip-address mask
[advertise | not-advertise]

Sets the address range.
In this example, the address range is set between OSPF areas.

Example:
hostname(config)# router ospf 1
hostname(config-router)# area 17 range
12.1.0.0 255.255.0.0

Cisco ASA 5500 Series Configuration Guide using the CLI

24-7

Chapter 24

Configuring OSPF

Customizing OSPF

Configuring OSPF Interface Parameters
You can change some interface-specific OSPF parameters, if necessary.

Prerequisites
You are not required to change any of these parameters, but the following interface parameters must be
consistent across all routers in an attached network: ospf hello-interval, ospf dead-interval, and ospf
authentication-key. If you configure any of these parameters, be sure that the configurations for all
routers on your network have compatible values.
To configure OSPF interface parameters, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router ospf process_id

Creates an OSPF routing process and enters router configuration
mode for the OSPF process that you want to redistribute.

Example:

hostname(config)# router ospf 2

Step 2

network ip_address mask area area_id

Defines the IP addresses on which OSPF runs and the area ID for
that interface.

Example:
hostname(config)# router ospf 2
hostname(config-router)# network 10.0.0.0
255.0.0.0 area 0

Step 3

hostname(config)# interface interface_name

Allows you to enter interface configuration mode.

Example:
hostname(config)# interface my_interface

Step 4

Do one of the following to configure optional OSPF interface parameters:
ospf authentication [message-digest | null]

Example:
hostname(config-interface)# ospf
authentication message-digest

Cisco ASA 5500 Series Configuration Guide using the CLI

24-8

Specifies the authentication type for an interface.

Chapter 24

Configuring OSPF
Customizing OSPF

Command

Purpose

ospf authentication-key key

Allows you to assign a password to be used by neighboring OSPF
routers on a network segment that is using the OSPF simple
password authentication.

Example:
hostname(config-interface)# ospf
authentication-key cisco

The key argument can be any continuous string of characters up to
8 bytes in length.
The password created by this command is used as a key that is
inserted directly into the OSPF header when the ASA software
originates routing protocol packets. A separate password can be
assigned to each network on a per-interface basis. All neighboring
routers on the same network must have the same password to be
able to exchange OSPF information.

ospf cost cost

Allows you to explicitly specify the cost of sending a packet on
an OSPF interface. The cost is an integer from 1 to 65535.

Example:

In this example, the cost is set to 20.

hostname(config-interface)# ospf cost 20
ospf dead-interval seconds

Example:
hostname(config-interface)# ospf
dead-interval 40
ospf hello-interval seconds

Example:

Allows you to set the number of seconds that a device must wait
before it declares a neighbor OSPF router down because it has not
received a hello packet. The value must be the same for all nodes
on the network.
In this example, the dead interval is set to 40.
Allows you to specify the length of time between the hello
packets that the ASA sends on an OSPF interface. The value must
be the same for all nodes on the network.

hostname(config-interface)# ospf
hello-interval 10

In this example, the hello interval is set to 10.

ospf message-digest-key key_id md5 key

Enables OSPF MD5 authentication.
The following argument values can be set:

Example:
hostname(config-interface)# ospf
message-digest-key 1 md5 cisco

•

key_id—An identifier in the range from 1 to 255.

•

key—An alphanumeric password of up to 16 bytes.

Usually, one key per interface is used to generate authentication
information when sending packets and to authenticate incoming
packets. The same key identifier on the neighbor router must have
the same key value.
We recommend that you not keep more than one key per interface.
Every time you add a new key, you should remove the old key to
prevent the local system from continuing to communicate with a
hostile system that knows the old key. Removing the old key also
reduces overhead during rollover.
ospf priority number_value

Allows you to set the priority to help determine the OSPF
designated router for a network.

Example:

The number_value argument ranges from 0 to 255.

hostname(config-interface)# ospf priority
20

In this example, the priority number value is set to 20.

Cisco ASA 5500 Series Configuration Guide using the CLI

24-9

Chapter 24

Configuring OSPF

Customizing OSPF

Command

Purpose

ospf retransmit-interval seconds

Allows you to specify the number of seconds between LSA
retransmissions for adjacencies belonging to an OSPF interface.

Example:

The value for seconds must be greater than the expected
round-trip delay between any two routers on the attached
network. The range is from 1 to 65535 seconds. The default value
is 5 seconds.

hostname(config-interface)# ospf
retransmit-interval seconds

In this example, the retransmit-interval value is set to 15.
ospf transmit-delay seconds

Example:

Sets the estimated number of seconds required to send a link-state
update packet on an OSPF interface. The seconds value ranges
from 1 to 65535 seconds. The default value is 1 second.

hostname(config-interface)# ospf
transmit-delay 5

In this example, the transmit-delay is 5 seconds.

ospf network point-to-point non-broadcast

Specifies the interface as a point-to-point, nonbroadcast network.

Example:
hostname(config-interface)# ospf network
point-to-point non-broadcast

When you designate an interface as point-to-point, nonbroadcast,
you must manually define the OSPF neighbor; dynamic neighbor
discovery is not possible. See the “Defining Static OSPF
Neighbors” section on page 24-12 for more information.
Additionally, you can only define one OSPF neighbor on that
interface.

Configuring OSPF Area Parameters
You can configure several OSPF area parameters. These area parameters (shown in the following task
list) include setting authentication, defining stub areas, and assigning specific costs to the default
summary route. Authentication provides password-based protection against unauthorized access to an
area.
Stub areas are areas into which information on external routes is not sent. Instead, there is a default
external route generated by the ABR into the stub area for destinations outside the autonomous system.
To take advantage of the OSPF stub area support, default routing must be used in the stub area. To further
reduce the number of LSAs sent into a stub area, you can use the no-summary keyword of the area stub
command on the ABR to prevent it from sending a summary link advertisement (LSA Type 3) into the
stub area.
To specify area parameters for your network, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router ospf process_id

Creates an OSPF routing process and enters router configuration
mode for the OSPF process that you want to redistribute.

Example:

hostname(config)# router ospf 2

Step 2

Do one of the following to configure optional OSPF area parameters:

Cisco ASA 5500 Series Configuration Guide using the CLI

24-10

Chapter 24

Configuring OSPF
Customizing OSPF

Command

Purpose

area area-id authentication

Enables authentication for an OSPF area.

Example:
hostname(config-router)# area 0
authentication
area area-id authentication message-digest

Enables MD5 authentication for an OSPF area.

Example:
hostname(config-router)# area 0
authentication message-digest

Configuring OSPF NSSA
The OSPF implementation of an NSSA is similar to an OSPF stub area. NSSA does not flood Type 5
external LSAs from the core into the area, but it can import autonomous system external routes in a
limited way within the area.
NSSA imports Type 7 autonomous system external routes within an NSSA area by redistribution. These
Type 7 LSAs are translated into Type 5 LSAs by NSSA ABRs, which are flooded throughout the whole
routing domain. Summarization and filtering are supported during the translation.
You can simplify administration if you are an ISP or a network administrator that must connect a central
site using OSPF to a remote site that is using a different routing protocol using NSSA.
Before the implementation of NSSA, the connection between the corporate site border router and the
remote router could not be run as an OSPF stub area because routes for the remote site could not be
redistributed into the stub area, and two routing protocols needed to be maintained. A simple protocol
such as RIP was usually run and handled the redistribution. With NSSA, you can extend OSPF to cover
the remote connection by defining the area between the corporate router and the remote router as an
NSSA.
Before you use this feature, consider these guidelines:
•

You can set a Type 7 default route that can be used to reach external destinations. When configured,
the router generates a Type 7 default into the NSSA or the NSSA area boundary router.

•

Every router within the same area must agree that the area is NSSA; otherwise, the routers will not
be able to communicate.

To specify area parameters for your network to configure OSPF NSSA, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router ospf process_id

Creates an OSPF routing process and enters router configuration
mode for the OSPF process that you want to redistribute.

Example:

hostname(config)# router ospf 2

Step 2

Do one of the following to configure optional OSPF NSSA parameters:

Cisco ASA 5500 Series Configuration Guide using the CLI

24-11

Chapter 24

Configuring OSPF

Customizing OSPF

Command

Purpose

area area-id nssa [no-redistribution]
[default-information-originate]

Defines an NSSA area.

Example:
hostname(config-router)# area 0 nssa
summary-address ip_address mask
[not-advertise] [tag tag]

Example:
hostname(config)# router ospf 1
hostname(config-router)# summary-address
10.1.0.0 255.255.0.0

Note

Sets the summary address and helps reduce the size of the routing
table. Using this command for OSPF causes an OSPF ASBR to
advertise one external route as an aggregate for all redistributed
routes that are covered by the address.
In this example, the summary address 10.1.0.0 includes addresses
10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the 10.1.0.0 address
is advertised in an external link-state advertisement.

OSPF does not support summary-address 0.0.0.0 0.0.0.0.

Defining Static OSPF Neighbors
You need to define static OSPF neighbors to advertise OSPF routes over a point-to-point, non-broadcast
network. This feature lets you broadcast OSPF advertisements across an existing VPN connection
without having to encapsulate the advertisements in a GRE tunnel.
Before you begin, you must create a static route to the OSPF neighbor. See Chapter 22, “Configuring
Static and Default Routes,” for more information about creating static routes.
To define a static OSPF neighbor, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router ospf process_id

Creates an OSPF routing process and enters router configuration
mode for this OSPF process.

Example:

hostname(config)# router ospf 2

Step 2

neighbor addr [interface if_name]

Example:
hostname(config-router)# neighbor
255.255.0.0 [interface my_interface]

Cisco ASA 5500 Series Configuration Guide using the CLI

24-12

Defines the OSPF neighborhood.
The addr argument is the IP address of the OSPF neighbor. The
if_name argument is the interface used to communicate with the
neighbor. If the OSPF neighbor is not on the same network as any
of the directly connected interfaces, you must specify the
interface.

Chapter 24

Configuring OSPF
Customizing OSPF

Configuring Route Calculation Timers
You can configure the delay time between when OSPF receives a topology change and when it starts an
SPF calculation. You also can configure the hold time between two consecutive SPF calculations.
To configure route calculation timers, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router ospf process_id

Creates an OSPF routing process and enters router configuration
mode for this OSPF process.

Example:

hostname(config)# router ospf 2

Step 2

timers spf spf-delay spf-holdtime

Configures the route calculation times.

The spf-delay argument is the delay time (in seconds) between
when OSPF receives a topology change and when it starts an SPF
hostname(config-router)# timers spf 10 120 calculation. It can be an integer from 0 to 65535. The default time
is 5 seconds. A value of 0 means that there is no delay; that is, the
SPF calculation is started immediately.
Example:

The spf-holdtime argument is the minimum time (in seconds)
between two consecutive SPF calculations. It can be an integer
from 0 to 65535. The default time is 10 seconds. A value of 0
means that there is no delay; that is, two SPF calculations can be
performed, one immediately after the other.

Logging Neighbors Going Up or Down
By default, a syslog message is generated when an OSPF neighbor goes up or down.
Configure log-adj-changes router configuration command if you want to know about OSPF neighbors
going up or down without turning on the debug ospf adjacency command. The log-adj-changes router
configuration command provides a higher level view of the peer relationship with less output. Configure
the log-adj-changes detail command if you want to see messages for each state change.

Cisco ASA 5500 Series Configuration Guide using the CLI

24-13

Chapter 24

Configuring OSPF

Restarting the OSPF Process

To log neighbors going up or down, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router ospf process_id

Creates an OSPF routing process and enters router configuration
mode for this OSPF process.

Example:

hostname(config)# router ospf 2

Step 2

Configures logging for neighbors going up or down.

log-adj-changes [detail]

Example:
hostname(config-router)# log-adj-changes
[detail]

Restarting the OSPF Process
To remove the entire OSPF configuration that you have enabled, enter the following command:
Command

Purpose

clear ospf pid {process | redistribution |
counters [neighbor [neighbor-interface]
[neighbor-id]]}

Removes the entire OSPF configuration that you have enabled. After the
configuration is cleared, you must reconfigure OSPF using the router ospf
command.

Example:
hostname(config)# clear ospf

Configuration Example for OSPF
The following example shows how to enable and configure OSPF with various optional processes:
Step 1

To enable OSPF, enter the following commands:
hostname(config)# router ospf 2
hostname(config-router)# network 10.0.0.0 255.0.0.0 area 0

Step 2

(Optional) To redistribute routes from one OSPF process to another OSPF process, enter the following
commands:
hostname(config)# route-map 1-to-2 permit
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set metric-type type-1
hostname(config-route-map)# router ospf 2
hostname(config-router)# redistribute ospf 1 route-map 1-to-2

Cisco ASA 5500 Series Configuration Guide using the CLI

24-14

Chapter 24

Configuring OSPF
Configuration Example for OSPF

Step 3

(Optional) To configure OSPF interface parameters, enter the following commands:
hostname(config)# router ospf 2
hostname(config-router)# network 10.0.0.0 255.0.0.0 area 0
hostname(config-router)# interface inside
hostname(config-interface)# ospf cost 20
hostname(config-interface)# ospf retransmit-interval 15
hostname(config-interface)# ospf transmit-delay 10
hostname(config-interface)# ospf priority 20
hostname(config-interface)# ospf hello-interval 10
hostname(config-interface)# ospf dead-interval 40
hostname(config-interface)# ospf authentication-key cisco
hostname(config-interface)# ospf message-digest-key 1 md5 cisco
hostname(config-interface)# ospf authentication message-digest

Step 4

(Optional) To configure OSPF area parameters, enter the following commands:
hostname(config)# router
hostname(config-router)#
hostname(config-router)#
hostname(config-router)#
hostname(config-router)#

Step 5

ospf
area
area
area
area

2
0 authentication
0 authentication message-digest
17 stub
17 default-cost 20

(Optional) To configure the route calculation timers and show the log neighbor up and down messages,
enter the following commands:
hostname(config-router)# timers spf 10 120
hostname(config-router)# log-adj-changes [detail]

Step 6

To restart the OSPF process, enter the following commands:
hostname(config)# clear ospf pid {process | redistribution | counters
[neighbor [neighbor-interface] [neighbor-id]]}

Step 7

(Optional) To show current OSPF configuration settings, enter the show ospf command.
The following is sample output from the show ospf command:
hostname(config)# show ospf
Routing Process “ospf 2” with ID 10.1.89.2 and Domain ID 0.0.0.2
Supports only single TOS(TOS0) routes
Supports opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 5. Checksum Sum 0x 26da6
Number of opaque AS LSA 0. Checksum Sum 0x
0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 2 times
Area ranges are
Number of LSA 5. Checksum Sum 0x 209a3
Number of opaque link LSA 0. Checksum Sum 0x
0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0

Cisco ASA 5500 Series Configuration Guide using the CLI

24-15

Chapter 24

Configuring OSPF

Monitoring OSPF

Monitoring OSPF
You can display specific statistics such as the contents of IP routing tables, caches, and databases. You
can also use the information provided to determine resource utilization and solve network problems. You
can also display information about node reachability and discover the routing path that your device
packets are taking through the network.
To monitor or display various OSPF routing statistics, enter one of the following commands:
Command

Purpose

show ospf [process-id [area-id]]

Displays general information about OSPF routing
processes.

show ospf border-routers

Displays the internal OSPF routing table entries to
the ABR and ASBR.

show ospf [process-id [area-id]] database

Displays lists of information related to the OSPF
database for a specific router.

show ospf flood-list if-name

Displays a list of LSAs waiting to be flooded over
an interface (to observe OSPF packet pacing).
OSPF update packets are automatically paced so
they are not sent less than 33 milliseconds apart.
Without pacing, some update packets could get lost
in situations where the link is slow, a neighbor
could not receive the updates quickly enough, or
the router could run out of buffer space. For
example, without pacing, packets might be
dropped if either of the following topologies exist:
•

A fast router is connected to a slower router
over a point-to-point link.

•

During flooding, several neighbors send
updates to a single router at the same time.

Pacing is also used between resends to increase
efficiency and minimize lost retransmissions. You
also can display the LSAs waiting to be sent out of
an interface. Pacing enables OSPF update and
retransmission packets to be sent more efficiently.
There are no configuration tasks for this feature; it
occurs automatically.
show ospf interface [if_name]

Displays OSPF-related interface information.

show ospf neighbor [interface-name]
[neighbor-id] [detail]

Displays OSPF neighbor information on a
per-interface basis.

show ospf request-list neighbor if_name

Displays a list of all LSAs requested by a router.

show ospf retransmission-list neighbor
if_name

Displays a list of all LSAs waiting to be resent.

Cisco ASA 5500 Series Configuration Guide using the CLI

24-16

Chapter 24

Configuring OSPF
Feature History for OSPF

Command

Purpose

show ospf [process-id] summary-address

Displays a list of all summary address
redistribution information configured under an
OSPF process.

show ospf [process-id] virtual-links

Displays OSPF-related virtual links information.

Feature History for OSPF
Table 24-1 lists each feature change and the platform release in which it was implemented.
Table 24-1

Feature History for Static and Default Routes

Feature Name

Platform
Releases

OSPF support

7.0(1)

Feature Information
Support was added for route data, authentication, and
redistribution and monitoring of routing information using
the Open Shortest Path First (OSPF) routing protocol.
We introduced the route ospf command.

Cisco ASA 5500 Series Configuration Guide using the CLI

24-17

Chapter 24
Feature History for OSPF

Cisco ASA 5500 Series Configuration Guide using the CLI

24-18

Configuring OSPF

CH A P T E R

Configuring RIP
This chapter describes how to configure the ASA to route data, perform authentication, and redistribute
routing information using the Routing Information Protocol (RIP).
This chapter includes the following sections:
•

Information About RIP, page 25-1

•

Licensing Requirements for RIP, page 25-3

•

Guidelines and Limitations, page 25-3

•

Configuring RIP, page 25-4

•

Customizing RIP, page 25-4

•

Monitoring RIP, page 25-11

•

Configuration Example for RIP, page 25-11

•

Feature History for RIP, page 25-11

Information About RIP
This section includes the following topics:
•

Routing Update Process, page 25-2

•

RIP Routing Metric, page 25-2

•

RIP Stability Features, page 25-2

•

RIP Timers, page 25-2

The Routing Information Protocol, or RIP, as it is more commonly called, is one of the most enduring
of all routing protocols. RIP has four basic components: routing update process, RIP routing metrics,
routing stability, and routing timers. Devices that support RIP send routing-update messages at regular
intervals and when the network topology changes. These RIP packets include information about the
networks that the devices can reach, as well as the number of routers or gateways that a packet must
travel through to reach the destination address. RIP generates more traffic than OSPF, but is easier to
configure.
RIP is a distance-vector routing protocol that uses hop count as the metric for path selection. When RIP
is enabled on an interface, the interface exchanges RIP broadcasts with neighboring devices to
dynamically learn about and advertise routes.

Cisco ASA 5500 Series Configuration Guide using the CLI

25-1

Chapter 25

Configuring RIP

Information About RIP

The ASA supports both RIP Version 1 and RIP Version 2. RIP Version 1 does not send the subnet mask
with the routing update. RIP Version 2 sends the subnet mask with the routing update and supports
variable-length subnet masks. Additionally, RIP Version 2 supports neighbor authentication when
routing updates are exchanged. This authentication ensures that the ASA receives reliable routing
information from a trusted source.
RIP has advantages over static routes because the initial configuration is simple, and you do not need to
update the configuration when the topology changes. The disadvantage to RIP is that there is more
network and processing overhead than in static routing.

Routing Update Process
RIP sends routing-update messages at regular intervals and when the network topology changes. When
a router receives a routing update that includes changes to an entry, it updates its routing table to reflect
the new route. The metric value for the path is increased by 1, and the sender is indicated as the next hop.
RIP routers maintain only the best route (the route with the lowest metric value) to a destination. After
updating its routing table, the router immediately begins transmitting routing updates to inform other
network routers of the change. These updates are sent independently of the regularly scheduled updates
that RIP routers send.

RIP Routing Metric
RIP uses a single routing metric (hop count) to measure the distance between the source and a destination
network. Each hop in a path from source to destination is assigned a hop count value, which is typically
1. When a router receives a routing update that contains a new or changed destination network entry, the
router adds 1 to the metric value indicated in the update and enters the network in the routing table. The
IP address of the sender is used as the next hop.

RIP Stability Features
RIP prevents routing loops from continuing indefinitely by implementing a limit on the number of hops
allowed in a path from the source to a destination. The maximum number of hops in a path is 15. If a
router receives a routing update that contains a new or changed entry, and if increasing the metric value
by 1 causes the metric to be infinity (that is, 16), the network destination is considered unreachable. The
downside of this stability feature is that it limits the maximum diameter of a RIP network to less than 16
hops.
RIP includes a number of other stability features that are common to many routing protocols. These
features are designed to provide stability despite potentially rapid changes in network topology. For
example, RIP implements the split horizon and hold-down mechanisms to prevent incorrect routing
information from being propagated.

RIP Timers
RIP uses numerous timers to regulate its performance. These include a routing-update timer, a
route-timeout timer, and a route-flush timer. The routing-update timer clocks the interval between
periodic routing updates. Generally, it is set to 30 seconds, with a small random amount of time added
whenever the timer is reset. This is done to help prevent congestion, which could result from all routers

Cisco ASA 5500 Series Configuration Guide using the CLI

25-2

Chapter 25

Configuring RIP
Licensing Requirements for RIP

simultaneously attempting to update their neighbors. Each routing table entry has a route-timeout timer
associated with it. When the route-timeout timer expires, the route is marked invalid but is retained in
the table until the route-flush timer expires.

Licensing Requirements for RIP
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single context mode only.
Firewall Mode Guidelines

Supported in routed and transparent firewall mode.
IPv6 Guidelines

Does not support IPv6.
Additional Guidelines

The following information applies to RIP Version 2 only:
•

If using neighbor authentication, the authentication key and key ID must be the same on all neighbor
devices that provide RIP Version 2 updates to the interface.

•

With RIP Version 2, the ASA transmits and receives default route updates using the multicast
address 224.0.0.9. In passive mode, it receives route updates at that address.

•

When RIP Version 2 is configured on an interface, the multicast address 224.0.0.9 is registered on
that interface. When a RIP Version 2 configuration is removed from an interface, that multicast
address is unregistered.

Limitations
•

The ASA cannot pass RIP updates between interfaces.

•

RIP Version 1 does not support variable-length subnet masks.

•

RIP has a maximum hop count of 15. A route with a hop count greater than 15 is considered
unreachable.

•

RIP convergence is relatively slow compared to other routing protocols.

•

You can only enable a single RIP process on the ASA.

Cisco ASA 5500 Series Configuration Guide using the CLI

25-3

Chapter 25

Configuring RIP

Configuring RIP
This section describes how to enable and restart the RIP process on the ASA.
After you have enabled RIP, see the “Customizing RIP” section on page 25-4 to learn how to customize
the RIP process on the ASA.

Note

If you want to redistribute a route by defining which of the routes from the specified routing protocol are
allowed to be redistributed into the target routing process, you must first generate a default route. For
information, see the “Configuring a Default Static Route” section on page 22-4 and then define a route
map. For information, see the “Defining a Route Map” section on page 23-4.

Enabling RIP
You can only enable one RIP routing process on the ASA. After you enable the RIP routing process, you
must define the interfaces that will participate in that routing process using the network command. By
default, the ASA sends RIP Version 1 updates and accepts RIP Version 1 and Version 2 updates.
To enable the RIP routing process, enter the following command:
Command

Purpose

router rip

Starts the RIP routing process and places you in router configuration mode.

Example:

Use the no router rip command to remove the entire RIP configuration
that you have enabled. After the configuration is cleared, you must
reconfigure RIP using the router rip command.

hostname(config)# router rip

Customizing RIP
This section describes how to configure RIP and includes the following topics:
•

Configuring the RIP Version, page 25-5

•

Configuring Interfaces for RIP, page 25-6

•

Configuring the RIP Send and Receive Version on an Interface, page 25-6

•

Configuring Route Summarization, page 25-7

•

Filtering Networks in RIP, page 25-8

•

Redistributing Routes into the RIP Routing Process, page 25-8

•

Enabling RIP Authentication, page 25-9

•

. Restarting the RIP Process, page 25-10

Cisco ASA 5500 Series Configuration Guide using the CLI

25-4

Chapter 25

Configuring RIP
Customizing RIP

Configuring the RIP Version
To specify the version of RIP used by the ASA, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router rip

Starts the RIP routing process and places you in router
configuration mode.

Example:
hostname(config)# router rip

Step 2

network network_address

Specifies the interfaces that will participate in the RIP routing
process.

Example:

If an interface belongs to a network defined by this command, the
interface will participate in the RIP routing process. If an
interface does not belong to a network defined by this command,
the interface will not send or receive RIP updates.

hostname(config)# router rip
hostname(config-router)# network 10.0.0.0

Step 3

Enter one of the following numbers to customize an interface to participate in RIP routing:
version [1 | 2]

Specifies the version of RIP used by the ASA.
You can override this setting on a per-interface basis.

Example:
hostname(config-router):# version [1]

In this example, Version 1 is entered.

Cisco ASA 5500 Series Configuration Guide using the CLI

25-5

Chapter 25

Configuring RIP

Customizing RIP

Configuring Interfaces for RIP
If you have an interface that you do not want to have participate in RIP routing, but that is attached to a
network that you want advertised, you can configure the network (using the network command) that
includes the network to which the interface is attached, and configure the passive interfaces (using the
passive-interface command) to prevent that interface from using RIP. Additionally, you can specify the
version of RIP that is used by the ASA for updates.
To configure interfaces for RIP, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router rip

Starts the RIP routing process and places you in router
configuration mode.

Example:
hostname(config)# router rip

Step 2

network network_address

Specifies the interfaces that will participate in the RIP routing
process.

Example:

hostname(config)# router rip
hostname(config-router)# network 10.0.0.0

Step 3

passive-interface

[default | if_name]

Specifies an interface to operate in passive mode.

Using the default keyword causes all interfaces to operate in
passive mode. Specifying an interface name sets only that
hostname(config-router)# passive-interface interface to passive mode. In passive mode, RIP routing updates
[default]
are accepted by, but not sent out of, the specified interface. You
can enter this command for each interface that you want to set to
passive mode.
Example:

Configuring the RIP Send and Receive Version on an Interface
You can override the globally-set version of RIP that the ASA uses to send and receive RIP updates on
a per-interface basis.
To configure the RIP version for sending and receiving updates, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

interface phy_if

Enters interface configuration mode for the interface that you are
configuring.

Example:
hostname(config)# interface phy_if

Step 2

Do one of the following to send or receive RIP updates on a per-interface basis.

Cisco ASA 5500 Series Configuration Guide using the CLI

25-6

Chapter 25

Configuring RIP
Customizing RIP

Command

Purpose

rip send version {[1] [2]}

Specifies the version of RIP to use when sending RIP updates out
of the interface.

Example:

In this example, Version 1 is selected.

hostname(config-if)# rip send version 1
rip receive version {[1] [2]}

Specifies the version of RIP advertisements permitted to be
received by an interface.

Example:

In this example, Version 2 is selected.

hostname(config-if)# rip receive version 2

RIP updates received on the interface that do not match the
allowed version are dropped.

Configuring Route Summarization
Note

RIP Version 1 always uses automatic route summarization. You cannot disable this feature for RIP
Version 1. RIP Version 2 uses automatic route summarization by default.
The RIP routing process summarizes on network number boundaries, which can cause routing problems
if you have noncontiguous networks.
For example, if you have a router with the networks 192.168.1.0, 192.168.2.0, and 192.168.3.0
connected to it, and those networks all participate in RIP, the RIP routing process creates the summary
address 192.168.0.0 for those routes. If an additional router is added to the network with the networks
192.168.10.0 and 192.168.11.0, and those networks participate in RIP, they will also be summarized as
192.168.0.0. To prevent the possibility of traffic being routed to the wrong location, you should disable
automatic route summarization on the routers that are creating conflicting summary addresses.
Because RIP Version 1 always uses automatic route summarization, and RIP Version 2 always uses
automatic route summarization by default, when configuring automatic route summarization, you only
need to disable it.
To disable automatic route summarization, enter the following command:

Detailed Steps

Step 1

Command

Purpose

router rip

Enables the RIP routing process and places you in router
configuration mode.

Example:
hostname(config)# router rip

Step 2

no auto-summarize

Disables automatic route summarization.

Example:
hostname(config-router):# no
auto-summarize

Cisco ASA 5500 Series Configuration Guide using the CLI

25-7

Chapter 25

Configuring RIP

Customizing RIP

Filtering Networks in RIP
To filter the networks received in updates, perform the following steps:

Note

Before you begin, you must create a standard access list that permits the networks that you want the RIP
process to allow in the routing table and denies the networks that you want the RIP process to discard.

Detailed Steps

Step 1

Command

Purpose

router rip

Enables the RIP routing process and places you in router
configuration mode.

Example:
hostname(config)# router rip

Step 2

Example:
hostname(config-router)# distribute-list
acl2 in [interface interface1]
hostname(config-router)# distribute-list
acl3 out [connected]

Filters the networks sent in updates.
You can specify an interface to apply the filter to only those
updates that are received or sent by that interface. You can enter
this command for each interface to which you want to apply a
filter. If you do not specify an interface name, the filter is applied
to all RIP updates.

Redistributing Routes into the RIP Routing Process
You can redistribute routes from the OSPF, EIGRP, static, and connected routing processes into the RIP
routing process.

Note

Before you begin this procedure, you must create a route map to further define which routes from the
specified routing protocol are redistributed in to the RIP routing process. See Chapter 23, “Defining a
Route Map,” for more information about creating a route map.

Cisco ASA 5500 Series Configuration Guide using the CLI

25-8

Chapter 25

Configuring RIP
Customizing RIP

To redistribute a route into the RIP routing process, enter one of the following commands:
Command

Purpose

Choose one of the following commands to redistribute the selected route type into the RIP routing process. You must specify
the RIP metric values in the redistribute command if you do not have a default-metric command in the RIP router
configuration.
redistribute connected [metric
metric-value | transparent] [route-map
route-map-name]

Redistributes connected routes into the RIP routing process.

Example:
hostname(config-router): # redistribute
connected [metric metric-value |
transparent] [route-map route-map-name]
redistribute static [metric {metric_value
| transparent}] [route-map map_name]

Redistributes static routes into the EIGRP routing process.

Example:
hostname(config-router):# redistribute
static [metric {metric_value |
transparent}] [route-map map_name]
redistribute ospf pid [match {internal |
external [1 | 2] | nssa-external [1 | 2]}]
[metric {metric_value | transparent}]
[route-map map_name]

Redistributes routes from an OSPF routing process into the RIP routing
process.

Example:
hostname(config-router):# redistribute
ospf pid [match {internal | external [1 |
2] | nssa-external [1 | 2]}] [metric
{metric_value | transparent}] [route-map
map_name]
redistribute eigrp as-num [metric
{metric_value | transparent}] [route-map
map_name]

Redistributes routes from an EIGRP routing process into the RIP routing
process.

Example:
hostname(config-router):# redistribute
eigrp as-num [metric {metric_value |
transparent}] [route-map map_name]

Enabling RIP Authentication
Note

The ASA supports RIP message authentication for RIP Version 2 messages.

Cisco ASA 5500 Series Configuration Guide using the CLI

25-9

Chapter 25

Configuring RIP

Customizing RIP

RIP route authentication provides MD5 authentication of routing updates from the RIP routing protocol.
The MD5 keyed digest in each RIP packet prevents the introduction of unauthorized or false routing
messages from unapproved sources.
RIP route authentication is configured on a per-interface basis. All RIP neighbors on interfaces
configured for RIP message authentication must be configured with the same authentication mode and
key for adjacencies to be established.

Note

Before you can enable RIP route authentication, you must enable RIP.
To enable RIP authentication on an interface, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router rip as-num

Creates the RIP routing process and enters router configuration
mode for this RIP process.

Example:

The as-num argument is the autonomous system number of the
RIP routing process.

hostname(config)# router rip 2

Step 2

Enters interface configuration mode for the interface on which
you are configuring RIP message authentication.

interface phy_if

Example:
hostname(config)# interface phy_if

Step 3

rip authentication mode {text | md5}

Sets the authentication mode. By default, text authentication is
used. We recommend that you use MD5 authentication.

Example:
hostname(config-if)# rip authentication
mode md5

Step 4

rip authentication key key key-id key-id

Configures the authentication key used by the MD5 algorithm.
The key argument can include up to 16 characters.

Example:
hostname(config-if)# rip authentication
key cisco key-id 200

The key-id argument is a number from 0 to 255.

Restarting the RIP Process
To remove the entire RIP configuration, enter the following command:

Command

Purpose

clear rip pid {process | redistribution |
counters [neighbor [neighbor-interface]
[neighbor-id]]}

Removes the entire RIP configuration that you have enabled. After the
configuration is cleared, you must reconfigure RIP again using the router
rip command.

Example:
hostname(config)# clear rip

Cisco ASA 5500 Series Configuration Guide using the CLI

25-10

Chapter 25

Configuring RIP
Monitoring RIP

Monitoring RIP
We recommend that you only use the debug commands to troubleshoot specific problems or during
troubleshooting sessions with the Cisco TAC.
Debugging output is assigned high priority in the CPU process and can render the ASA unusable. It is
best to use debug commands during periods of lower network traffic and fewer users. Debugging during
these periods decreases the likelihood that increased debug command processing overhead will affect
performance. For examples and descriptions of the command output, see the command reference.
To monitor or debug various RIP routing statistics, enter one of the following commands:
Command

Purpose

Monitoring RIP Routing
show rip database

Display the contents of the RIP routing database.

show running-config router
rip

Displays the RIP commands.

Debugging RIP
debug rip events

Displays RIP processing events.

debug rip database

Displays RIP database events.

Configuration Example for RIP
The following example shows how to enable and configure RIP with various optional processes:
hostname(config)# router rip 2
hostname(config-router)# default-information originate
hostname(config-router)# version [1]
hostname(config-router)# network 225.25.25.225
hostname(config-router)# passive-interface [default]
hostname(config-router)# redistribute connected [metric bandwidth delay reliability
loading mtu] [route-map map_name]

Feature History for RIP
Table 25-1 lists each feature change and the platform release in which it was implemented.
Table 25-1

Feature History for RIP

Feature Name

Releases

Feature Information

RIP support

7.0(1)

Support was added for routing data, performing
authentication, and redistributing and monitoring routing
information using the Routing Information Protocol (RIP).
We introduced the route rip command.

Cisco ASA 5500 Series Configuration Guide using the CLI

25-11

Chapter 25
Feature History for RIP

Cisco ASA 5500 Series Configuration Guide using the CLI

25-12

Configuring RIP

CH A P T E R

Configuring Multicast Routing
This chapter describes how to configure the ASA to use the multicast routing protocol and includes the
following sections:
•

Information About Multicast Routing, page 26-1

•

Licensing Requirements for Multicast Routing, page 26-2

•

Guidelines and Limitations, page 26-3

•

Enabling Multicast Routing, page 26-3

•

Customizing Multicast Routing, page 26-4

•

Configuration Example for Multicast Routing, page 26-14

•

Additional References, page 26-15

•

Feature History for Multicast Routing, page 26-15

Information About Multicast Routing
Multicast routing is a bandwidth-conserving technology that reduces traffic by simultaneously
delivering a single stream of information to thousands of corporate recipients and homes. Applications
that take advantage of multicast routing include videoconferencing, corporate communications, distance
learning, and distribution of software, stock quotes, and news.
Multicast routing protocols delivers source traffic to multiple receivers without adding any additional
burden on the source or the receivers while using the least network bandwidth of any competing
technology. Multicast packets are replicated in the network by Cisco routers enabled with Protocol
Independent Multicast (PIM) and other supporting multicast protocols resulting in the most efficient
delivery of data to multiple receivers possible.
The ASA supports both stub multicast routing and PIM multicast routing. However, you cannot
configure both concurrently on a single ASA.

Note

The UDP and non-UDP transports are both supported for multicast routing. However, the non-UDP
transport has no FastPath optimization.
This section includes the following topics:
•

Stub Multicast Routing, page 26-2

•

PIM Multicast Routing, page 26-2

Cisco ASA 5500 Series Configuration Guide using the CLI

26-1

Chapter 26

Configuring Multicast Routing

Licensing Requirements for Multicast Routing

•

Multicast Group Concept, page 26-2

Stub Multicast Routing
Stub multicast routing provides dynamic host registration and facilitates multicast routing. When
configured for stub multicast routing, the ASA acts as an IGMP proxy agent. Instead of fully
participating in multicast routing, the ASA forwards IGMP messages to an upstream multicast router,
which sets up delivery of the multicast data. When configured for stub multicast routing, the ASA cannot
be configured for PIM.
The ASA supports both PIM-SM and bidirectional PIM. PIM-SM is a multicast routing protocol that
uses the underlying unicast routing information base or a separate multicast-capable routing information
base. It builds unidirectional shared trees rooted at a single Rendezvous Point per multicast group and
optionally creates shortest-path trees per multicast source.

PIM Multicast Routing
Bi-directional PIM is a variant of PIM-SM that builds bi-directional shared trees connecting multicast
sources and receivers. Bi-directional trees are built using a DF election process operating on each link
of the multicast topology. With the assistance of the DF, multicast data is forwarded from sources to the
Rendezvous Point, and therefore along the shared tree to receivers, without requiring source-specific
state. The DF election takes place during Rendezvous Point discovery and provides a default route to the
Rendezvous Point.

Note

If the ASA is the PIM RP, use the untranslated outside address of the ASA as the RP address.

Multicast Group Concept
Multicast is based on the concept of a group. An arbitrary group of receivers expresses an interest in
receiving a particular data stream. This group does not have any physical or geographical
boundaries—the hosts can be located anywhere on the Internet. Hosts that are interested in receiving data
flowing to a particular group must join the group using IGMP. Hosts must be a member of the group to
receive the data stream.

Multicast Addresses
Multicast addresses specify an arbitrary group of IP hosts that have joined the group and want to receive
traffic sent to this group.

Licensing Requirements for Multicast Routing
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Cisco ASA 5500 Series Configuration Guide using the CLI

26-2

Chapter 26

Configuring Multicast Routing
Guidelines and Limitations

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single context mode. In multiple context mode, unshared interfaces and shared interfaces
are not supported.
Firewall Mode Guidelines

Supported only in routed firewall mode. Transparent firewall mode is not supported.
IPv6 Guidelines

Does not support IPv6.

Enabling Multicast Routing
Enabling multicast routing lets you enable multicast routing on the ASA. Enabling multicast routing
enables IGMP and PIM on all interfaces by default. IGMP is used to learn whether members of a group
are present on directly attached subnets. Hosts join multicast groups by sending IGMP report messages.
PIM is used to maintain forwarding tables to forward multicast datagrams.

Note

Only the UDP transport layer is supported for multicast routing.
To enable multicast routing, enter the following command:

Command

Purpose

multicast-routing

Enables multicast routing.

Example:

The number of entries in the multicast routing tables are limited by the
amount of RAM on the ASA.

hostname(config)# multicast-routing

Table 26-1 lists the maximum number of entries for specific multicast tables based on the amount of
RAM on the ASA. Once these limits are reached, any new entries are discarded.
Table 26-1

Entry Limits for Multicast Tables

Table

16 MB 128 MB 128+ MB

MFIB

1000

3000

5000

IGMP
Groups

1000

3000

5000

PIM Routes 3000

7000

12000

Cisco ASA 5500 Series Configuration Guide using the CLI

26-3

Chapter 26

Configuring Multicast Routing

Customizing Multicast Routing

Customizing Multicast Routing
This section describes how to customize multicast routing and includes the following topics:
•

Configuring Stub Multicast Routing and Forwarding IGMP Messages, page 26-4

•

Configuring a Static Multicast Route, page 26-4

•

Configuring IGMP Features, page 26-5

•

Configuring PIM Features, page 26-9

•

Configuring a Bidirectional Neighbor Filter, page 26-13

•

Configuring a Multicast Boundary, page 26-14

Configuring Stub Multicast Routing and Forwarding IGMP Messages
Note

Stub multicast routing and PIM are not supported concurrently.
An ASA acting as the gateway to the stub area does not need to participate in PIM. Instead, you can
configure it to act as an IGMP proxy agent and forward IGMP messages from hosts connected on one
interface to an upstream multicast router on another interface. To configure the ASA as an IGMP proxy
agent, forward the host join and leave messages from the stub area interface to an upstream interface.
To forward the host join and leave messages, enter the following command from the interface attached
to the stub area:

Command

Purpose

igmp forward interface if_name

Configures stub multicast routing and forwards IGMP messages.

Example:
hostname(config-if)# igmp forward
interface interface1

Configuring a Static Multicast Route
Configuring static multicast routes lets you separate multicast traffic from unicast traffic. For example,
when a path between a source and destination does not support multicast routing, the solution is to
configure two multicast devices with a GRE tunnel between them and to send the multicast packets over
the tunnel.
When using PIM, the ASA expects to receive packets on the same interface where it sends unicast
packets back to the source. In some cases, such as bypassing a route that does not support multicast
routing, you may want unicast packets to take one path and multicast packets to take another.
Static multicast routes are not advertised or redistributed.
To configure a static multicast route or a static multicast route for a stub area, enter one of the following
commands:

Cisco ASA 5500 Series Configuration Guide using the CLI

26-4

Chapter 26

Configuring Multicast Routing
Customizing Multicast Routing

Command

Purpose

mroute src_ip src_mask {input_if_name |
rpf_neighbor} [distance]

Configures a static multicast route.

Example:
hostname(config)# mroute src_ip src_mask
{input_if_name | rpf_neighbor} [distance]
mroute src_ip src_mask input_if_name
[dense output_if_name] [distance]

Configures a static multicast route for a stub area.
The dense output_if_name keyword and argument pair is only supported
for stub multicast routing.

Example:
hostname(config)# mroute src_ip src_mask
input_if_name [dense output_if_name]
[distance]

Configuring IGMP Features
IP hosts use the Internet Group Management Protocol (IGMP) to report their group memberships to
directly connected multicast routers.
IGMP is used to dynamically register individual hosts in a multicast group on a particular LAN. Hosts
identify group memberships by sending IGMP messages to their local multicast router. Under IGMP,
routers listen to IGMP messages and periodically send out queries to discover which groups are active
or inactive on a particular subnet.
IGMP uses group addresses (Class D IP address) as group identifiers. Host group address can be in the
range of 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is never assigned to any group. The
address 224.0.0.1 is assigned to all systems on a subnet. The address 224.0.0.2 is assigned to all routers
on a subnet.
When you enable multicast routing on the ASA, IGMP Version 2 is automatically enabled on all
interfaces.

Note

Only the no igmp command appears in the interface configuration when you use the show run
command. If the multicast-routing command appears in the device configuration, then IGMP is
automatically enabled on all interfaces.
This section describes how to configure optional IGMP setting on a per-interface basis and includes the
following topics:
•

Disabling IGMP on an Interface, page 26-6

•

Configuring IGMP Group Membership, page 26-6

•

Configuring a Statically Joined IGMP Group, page 26-6

•

Controlling Access to Multicast Groups, page 26-7

•

Limiting the Number of IGMP States on an Interface, page 26-7

•

Modifying the Query Messages to Multicast Groups, page 26-8

•

Changing the IGMP Version, page 26-9

Cisco ASA 5500 Series Configuration Guide using the CLI

26-5

Chapter 26

Configuring Multicast Routing

Customizing Multicast Routing

Disabling IGMP on an Interface
You can disable IGMP on specific interfaces. This information is useful if you know that there are no
multicast hosts on a specific interface and you want to prevent the ASA from sending host query
messages on that interface.
To disable IGMP on an interface, enter the following command:
Command

Purpose

no igmp

Disables IGMP on an interface.
To reenable IGMP on an interface, use the igmp command.

Example:
hostname(config-if)# no igmp

Note

Only the no igmp command appears in the interface configuration.

Configuring IGMP Group Membership
You can configure the ASA to be a member of a multicast group. Configuring the ASA to join a multicast
group causes upstream routers to maintain multicast routing table information for that group and keep
the paths for that group active.

Note

If you want to forward multicast packets for a specific group to an interface without the ASA accepting
those packets as part of the group, see the “Configuring a Statically Joined IGMP Group” section on
page 26-6.
To have the ASA join a multicast group, enter the following command:

Command

Purpose

igmp join-group group-address

Configures the ASA to be a member of a multicast group.
The group-address argument is the IP address of the group.

Example:
hostname(config-if)# igmp join-group
mcast-group

Configuring a Statically Joined IGMP Group
Sometimes a group member cannot report its membership in the group because of some configuration,
or there may be no members of a group on the network segment. However, you still want multicast traffic
for that group to be sent to that network segment. You can have multicast traffic for that group sent to
the segment by configuring a statically joined IGMP group.
Enter the igmp static-group command. The ASA does not accept the multicast packets, but instead
forwards them to the specified interface.
To configure a statically joined multicast group on an interface,enter the following command:

Cisco ASA 5500 Series Configuration Guide using the CLI

26-6

Chapter 26

Configuring Multicast Routing
Customizing Multicast Routing

Command

Purpose

igmp static-group

Configures the ASA statically to join a multicast group on an interface.
The group-address argument is the IP address of the group.

Example:
hostname(config-if)# igmp static-group
group-address

Controlling Access to Multicast Groups
To control the multicast groups that hosts on the ASA interface can join, perform the following steps:

Detailed Steps

Command
Step 1

Purpose

Do one of the following to create a standard or extended access list:
access-list name standard [permit | deny]
ip_addr mask

Creates a standard access list for the multicast traffic.
You can create more than one entry for a single access list. You
can use extended or standard access lists.

Example:
hostname(config)# access-list acl1
standard permit 192.52.662.25
access-list name extended [permit | deny]
protocol src_ip_addr src_mask dst_ip_addr
dst_mask

The ip_addr mask argument is the IP address of the multicast
group being permitted or denied.
Creates an extended access list.
The dst_ip_addr argument is the IP address of the multicast group
being permitted or denied.

Example:
hostname(config)# access-list acl2
extended permit protocol src_ip_addr
src_mask dst_ip_addr dst_mask

Step 2

igmp access-group acl

Applies the access list to an interface.

Example:

The acl argument is the name of a standard or extended IP access
list.

hostname(config-if)# igmp access-group acl

Limiting the Number of IGMP States on an Interface
You can limit the number of IGMP states resulting from IGMP membership reports on a per-interface
basis. Membership reports exceeding the configured limits are not entered in the IGMP cache, and traffic
for the excess membership reports is not forwarded.
To limit the number of IGMP states on an interface, enter the following command:

Cisco ASA 5500 Series Configuration Guide using the CLI

26-7

Chapter 26

Configuring Multicast Routing

Customizing Multicast Routing

Command

Purpose

igmp limit number

Limits the number of IGMP states on an interface.

Example:
hostname(config-if)# igmp limit 50

Valid values range from 0 to 500, with 500 being the default value. Setting
this value to 0 prevents learned groups from being added, but manually
defined memberships (using the igmp join-group and igmp static-group
commands) are still permitted. The no form of this command restores the
default value.

Modifying the Query Messages to Multicast Groups
Note

The igmp query-timeout and igmp query-interval commands require IGMP Version 2.
The ASA sends query messages to discover which multicast groups have members on the networks
attached to the interfaces. Members respond with IGMP report messages indicating that they want to
receive multicast packets for specific groups. Query messages are addressed to the all-systems multicast
group, which has an address of 224.0.0.1, with a time-to-live value of 1.
These messages are sent periodically to refresh the membership information stored on the ASA. If the
ASA discovers that there are no local members of a multicast group still attached to an interface, it stops
forwarding multicast packet for that group to the attached network, and it sends a prune message back
to the source of the packets.
By default, the PIM designated router on the subnet is responsible for sending the query messages. By
default, they are sent once every 125 seconds.
When changing the query response time, by default, the maximum query response time advertised in
IGMP queries is 10 seconds. If the ASA does not receive a response to a host query within this amount
of time, it deletes the group.
To change the query interval, query response time, and query timeout value, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

igmp query-interval seconds

Sets the query interval time in seconds.
Valid values range from 0 to 500; 125 is the default value.

Example:
hostname(config-if)# igmp query-interval
30

Cisco ASA 5500 Series Configuration Guide using the CLI

26-8

If the ASA does not hear a query message on an interface for the
specified timeout value (by default, 255 seconds), then the ASA
becomes the designated router and starts sending the query
messages.

Chapter 26

Configuring Multicast Routing
Customizing Multicast Routing

Step 2

Command

Purpose

igmp query-timeout seconds

Changes the timeout value of the query.
Valid values range from 0 to 500; 225 is the default value.

Example:
hostname(config-if)# igmp query-timeout 30

Step 3

igmp query-max-response-time seconds

Changes the maximum query response time.

Example:
hostname(config-if)# igmp
query-max-response-time 30

Changing the IGMP Version
By default, the ASA runs IGMP Version 2, which enables several additional features such as the igmp
query-timeout and igmp query-interval commands.
All multicast routers on a subnet must support the same version of IGMP. The ASA does not
automatically detect Version 1 routers and switch to Version 1. However, a mix of IGMP Version 1 and
2 hosts on the subnet works; the ASA running IGMP Version 2 works correctly when IGMP Version 1
hosts are present.
To control which version of IGMP is running on an interface, enter the following command:
Command

Purpose

igmp version {1 | 2}

Controls the version of IGMP that you want to run on the interface.

Example:
hostname(config-if)# igmp version 2

Configuring PIM Features
Routers use PIM to maintain forwarding tables for forwarding multicast diagrams. When you enable
multicast routing on the ASA, PIM and IGMP are automatically enabled on all interfaces.

Note

PIM is not supported with PAT. The PIM protocol does not use ports, and PAT only works with protocols
that use ports.
This section describes how to configure optional PIM settings and includes the following topics:
•

Enabling and Disabling PIM on an Interface, page 26-10

•

Configuring a Static Rendezvous Point Address, page 26-10

•

Configuring the Designated Router Priority, page 26-11

•

Configuring and Filtering PIM Register Messages, page 26-11

•

Configuring PIM Message Intervals, page 26-12

•

Filtering PIM Neighbors, page 26-12

Cisco ASA 5500 Series Configuration Guide using the CLI

26-9

Chapter 26

Configuring Multicast Routing

Customizing Multicast Routing

Enabling and Disabling PIM on an Interface
You can enable or disable PIM on specific interfaces. To enable or disable PIM on an interface, perform
the following steps:

Detailed Steps

Step 1

Command

Purpose

pim

Enables or reenables PIM on a specific interface.

Example:
hostname(config-if)# pim

Step 2

Disables PIM on a specific interface.

no pim

Example:
hostname(config-if)# no pim

Note

Only the no pim command appears in the interface configuration.

Configuring a Static Rendezvous Point Address
All routers within a common PIM sparse mode or bidir domain require knowledge of the PIM RP
address. The address is statically configured using the pim rp-address command.

Note

The ASA does not support Auto-RP or PIM BSR. You must use the pim rp-address command to specify
the RP address.
You can configure the ASA to serve as RP to more than one group. The group range specified in the
access list determines the PIM RP group mapping. If an access list is not specified, then the RP for the
group is applied to the entire multicast group range (224.0.0.0/4).
To configure the address of the PIM PR, enter the following command:

Command

Purpose

pim rp-address ip_address [acl] [bidir]

Enables or reenables PIM on a specific interface.

Example:

The ip_address argument is the unicast IP address of the router assigned to
be a PIM RP.

hostname(config)# pim rp-address
10.86.75.23 [acl1] [bidir]

The acl argument is the name or number of a standard access list that
defines with which multicast groups the RP should be used. Do not use a
host ACL with this command.
Excluding the bidir keyword causes the groups to operate in PIM sparse
mode.

Cisco ASA 5500 Series Configuration Guide using the CLI

26-10

Chapter 26

Configuring Multicast Routing
Customizing Multicast Routing

Note

The ASA always advertises the bidirectional capability in the PIM hello messages, regardless of the
actual bidirectional configuration.

Configuring the Designated Router Priority
The DR is responsible for sending PIM register, join, and prune messages to the RP. When there is more
than one multicast router on a network segment, selecting the DR is based on the DR priority. If multiple
devices have the same DR priority, then the device with the highest IP address becomes the DR.
By default, the ASA has a DR priority of 1. To change this value, enter the following command:
Command

Purpose

pim dr-priority num

Changes the designated router priority.
The num argument can be any number ranging from 1 to 4294967294.

Example:
hostname(config-if)# pim dr-priority 500

Configuring and Filtering PIM Register Messages
When the ASA is acting as an RP, you can restrict specific multicast sources from registering with it to
prevent unauthorized sources from registering with the RP. The Request Filter pane lets you define the
multicast sources from which the ASA will accept PIM register messages.
To filter PIM register messages, enter the following command:
Command

Purpose

pim accept-register {list acl | route-map
map-name}

Configures the ASA to filter PIM register messages.
In the example, the ASA filters PIM register messages acl1 and route map
map2.

Example:
hostname(config)# pim accept-register
{list acl1 | route-map map2}

Cisco ASA 5500 Series Configuration Guide using the CLI

26-11

Chapter 26

Configuring Multicast Routing

Customizing Multicast Routing

Configuring PIM Message Intervals
Router query messages are used to select the PIM DR. The PIM DR is responsible for sending router
query messages. By default, router query messages are sent every 30 seconds. Additionally, every 60
seconds, the ASA sends PIM join or prune messages.
To change these intervals, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

pim hello-interval seconds

Sends router query messages.

Example:

Valid values for the seconds argument range from 1 to 3600
seconds.

hostname(config-if)# pim hello-interval 60

Step 2

pim join-prune-interval seconds

Changes the amount of time (in seconds) that the ASA sends PIM
join or prune messages.

Example:

Valid values for the seconds argument range from 10 to 600
seconds.

hostname(config-if)# pim
join-prune-interval 60

Filtering PIM Neighbors
You can define the routers that can become PIM neighbors. By filtering the routers that can become PIM
neighbors, you can do the following:
•

Prevent unauthorized routers from becoming PIM neighbors.

•

Prevent attached stub routers from participating in PIM.

To define neighbors that can become a PIM neighbor, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

access-list pim_nbr deny router-IP_addr
PIM neighbor

Uses a standard access list to define the routers that you want to
have participate in PIM.

Example:

In the example, the following access list, when used with the pim
neighbor-filter command, prevents the 10.1.1.1 router from
becoming a PIM neighbor.

hostname(config)# access-list pim_nbr deny
10.1.1.1 255.255.255.255

Step 2

pim neighbor-filter pim_nbr

Filters neighbor routers.

Example:

In the example, the 10.1.1.1 router is prevented from becoming a
PIM neighbor on interface GigabitEthernet0/3.

hostname(config)# interface
GigabitEthernet0/3
hostname(config-if)# pim neighbor-filter
pim_nbr

Cisco ASA 5500 Series Configuration Guide using the CLI

26-12

Chapter 26

Configuring Multicast Routing
Customizing Multicast Routing

Configuring a Bidirectional Neighbor Filter
The Bidirectional Neighbor Filter pane shows the PIM bidirectional neighbor filters, if any, that are
configured on the ASA. A PIM bidirectional neighbor filter is an ACL that defines the neighbor devices
that can participate in the DF election. If a PIM bidirectional neighbor filter is not configured for an
interface, then there are no restrictions. If a PIM bidirectional neighbor filter is configured, only those
neighbors permitted by the ACL can participate in the DF election process.
When a PIM bidirectional neighbor filter configuration is applied to the ASA, an ACL appears in the
running configuration with the name interface-name_multicast, in which the interface-name is the name
of the interface to which the multicast boundary filter is applied. If an ACL with that name already exists,
a number is appended to the name (for example, inside_multicast_1). This ACL defines which devices
can become PIM neighbors of the ASA.
Bidirectional PIM allows multicast routers to keep reduced state information. All of the multicast routers
in a segment must be bidirectionally enabled for bidir to elect a DF.
The PIM bidirectional neighbor filters enable the transition from a sparse-mode-only network to a bidir
network by letting you specify the routers that should participate in the DF election, while still allowing
all routers to participate in the sparse-mode domain. The bidir-enabled routers can elect a DF from
among themselves, even when there are non-bidir routers on the segment. Multicast boundaries on the
non-bidir routers prevent PIM messages and data from the bidir groups from leaking in or out of the bidir
subset cloud.
When a PIM bidirectional neighbor filter is enabled, the routers that are permitted by the ACL are
considered to be bidirectionally capable. Therefore, the following is true:
•

If a permitted neighbor does not support bidir, then the DF election does not occur.

•

If a denied neighbor supports bidir, then the DF election does not occur.

•

If a denied neighbor does not support bidir, the DF election can occur.

To define the neighbors that can become a PIM bidirectional neighbor filter, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

access-list pim_nbr deny router-IP_addr
PIM neighbor

Uses a standard access list to define the routers that you want to
have participate in PIM.

Example:

In the example, the following access list, when used with the pim
neighbor-filter command, prevents the 10.1.1.1 router from
becoming a PIM neighbor.

hostname(config)# access-list pim_nbr deny
10.1.1.1 255.255.255.255

Step 2

pim bidirectional-neighbor-filter pim_nbr

Filters neighbor routers.

Example:

In the example, the 10.1.1.1 router is prevented from becoming a
PIM bidirectional neighbor on interface GigabitEthernet0/3.

hostname(config)# interface
GigabitEthernet0/3
hostname(config-if)# pim bidirectional
neighbor-filter pim_nbr

Cisco ASA 5500 Series Configuration Guide using the CLI

26-13

Chapter 26

Configuring Multicast Routing

Configuration Example for Multicast Routing

Configuring a Multicast Boundary
Address scoping defines domain boundaries so that domains with RPs that have the same IP address do
not leak into each other. Scoping is performed on the subnet boundaries within large domains and on the
boundaries between the domain and the Internet.
You can set up an administratively scoped boundary on an interface for multicast group addresses by
entering the multicast boundary command. IANA has designated the multicast address range from
239.0.0.0 to 239.255.255.255 as the administratively scoped addresses. This range of addresses can be
reused in domains administered by different organizations. The addresses would be considered local, not
globally unique.
A standard ACL defines the range of affected addresses. When a boundary is set up, no multicast data
packets are allowed to flow across the boundary from either direction. The boundary allows the same
multicast group address to be reused in different administrative domains.
You can configure, examine, and filter Auto-RP discovery and announcement messages at the
administratively scoped boundary by entering the the filter-autorp keyword. Any Auto-RP group range
announcements from the Auto-RP packets that are denied by the boundary ACL are removed. An
Auto-RP group range announcement is permitted and passed by the boundary only if all addresses in the
Auto-RP group range are permitted by the boundary ACL. If any address is not permitted, the entire
group range is filtered and removed from the Auto-RP message before the Auto-RP message is
forwarded.
To configure a multicast boundary, enter the following command:
Command

Purpose

multicast boundary acl [filter-autorp]

Configures a multicast boundary.

Example:
hostname(config-if)# multicast boundary
acl1 [filter-autorp]

Configuration Example for Multicast Routing
The following example shows how to enable and configure multicast routing with various optional
processes:
Step 1

Enable multicast routing:
hostname(config)# multicast-routing

Step 2

Configure a static multicast route:
hostname(config)# mroute src_ip src_mask {input_if_name | rpf_neighbor} [distance]
hostname(config)# exit

Step 3

Configure the ASA to be a member of a multicast group:
hostname(config)# interface
hostname(config-if)# igmp join-group group-address

Cisco ASA 5500 Series Configuration Guide using the CLI

26-14

Chapter 26

Configuring Multicast Routing
Additional References

Additional References
For additional information related to routing, see the following sections:
•

Related Documents
Related Topic

Document Title

Technical details about the IGMP and multicast routing IETF draft-ietf-idmr-igmp-proxy-01.txt
standards used for implementing the SMR feature

RFCs
RFC

Title

RFC 2113

IP Router Alert Option

RFC 2236

IGMPv2

RFC 2362

PIM-SM

RFC 2588

IP Multicast and Firewalls

Feature History for Multicast Routing
Table 26-2 lists each feature change and the platform release in which it was implemented.
Table 26-2

Feature History for Multicast Routing

Feature Name

Platform
Releases

Multicast routing support

7.0(1)

Feature Information
Support was added for multicast routing data,
authentication, and redistribution and monitoring of routing
information using the multicast routing protocol.
We introduced the multicast-routing command.

Cisco ASA 5500 Series Configuration Guide using the CLI

26-15

Chapter 26
Feature History for Multicast Routing

Cisco ASA 5500 Series Configuration Guide using the CLI

26-16

Configuring Multicast Routing

CH A P T E R

Configuring EIGRP
This chapter describes how to configure the ASA to route data, perform authentication, and redistribute
routing information using the Enhanced Interior Gateway Routing Protocol (EIGRP).
This chapter includes the following sections:
•

Information About EIGRP, page 27-1

•

Licensing Requirements for EIGRP, page 27-2

•

Guidelines and Limitations, page 27-2

•

Configuring EIGRP, page 27-3

•

Customizing EIGRP, page 27-4

•

Monitoring EIGRP, page 27-17

•

Configuration Example for EIGRP, page 27-18

•

Feature History for EIGRP, page 27-19

Information About EIGRP
EIGRP is an enhanced version of IGRP developed by Cisco. Unlike IGRP and RIP, EIGRP does not send
out periodic route updates. EIGRP updates are sent out only when the network topology changes. Key
capabilities that distinguish EIGRP from other routing protocols include fast convergence, support for
variable-length subnet mask, support for partial updates, and support for multiple network layer
protocols.
A router running EIGRP stores all the neighbor routing tables so that it can quickly adapt to alternate
routes. If no appropriate route exists, EIGRP queries its neighbors to discover an alternate route. These
queries propagate until an alternate route is found. Its support for variable-length subnet masks permits
routes to be automatically summarized on a network number boundary. In addition, EIGRP can be
configured to summarize on any bit boundary at any interface. EIGRP does not make periodic updates.
Instead, it sends partial updates only when the metric for a route changes. Propagation of partial updates
is automatically bounded so that only those routers that need the information are updated. As a result of
these two capabilities, EIGRP consumes significantly less bandwidth than IGRP.
Neighbor discovery is the process that the ASA uses to dynamically learn of other routers on directly
attached networks. EIGRP routers send out multicast hello packets to announce their presence on the
network. When the ASA receives a hello packet from a new neighbor, it sends its topology table to the
neighbor with an initialization bit set. When the neighbor receives the topology update with the
initialization bit set, the neighbor sends its topology table back to the ASA.

Cisco ASA 5500 Series Configuration Guide using the CLI

27-1

Chapter 27

Configuring EIGRP

Licensing Requirements for EIGRP

The hello packets are sent out as multicast messages. No response is expected to a hello message. The
exception to this is for statically defined neighbors. If you use the neighbor command, or configure the
Hello Interval in ASDM, to configure a neighbor, the hello messages sent to that neighbor are sent as
unicast messages. Routing updates and acknowledgements are sent out as unicast messages.
Once this neighbor relationship is established, routing updates are not exchanged unless there is a change
in the network topology. The neighbor relationship is maintained through the hello packets. Each hello
packet received from a neighbor includes a hold time. This is the time in which the ASA can expect to
receive a hello packet from that neighbor. If the ASA does not receive a hello packet from that neighbor
within the hold time advertised by that neighbor, the ASA considers that neighbor to be unavailable.
The EIGRP protocol uses four key algorithm technologies, four key technologies, including neighbor
discovery/recovery, Reliable Transport Protocol (RTP), and DUAL, which is important for route
computations. DUAL saves all routes to a destination in the topology table, not just the least-cost route.
The least-cost route is inserted into the routing table. The other routes remain in the topology table. If
the main route fails, another route is chosen from the feasible successors. A successor is a neighboring
router used for packet forwarding that has a least-cost path to a destination. The feasibility calculation
guarantees that the path is not part of a routing loop.
If a feasible successor is not found in the topology table, a route recomputation must occur. During route
recomputation, DUAL queries the EIGRP neighbors for a route, who in turn query their neighbors.
Routers that do no have a feasible successor for the route return an unreachable message.
During route recomputation, DUAL marks the route as active. By default, the ASA waits for three
minutes to receive a response from its neighbors. If the ASA does not receive a response from a neighbor,
the route is marked as stuck-in-active. All routes in the topology table that point to the unresponsive
neighbor as a feasibility successor are removed.

Note

EIGRP neighbor relationships are not supported through the IPsec tunnel without a GRE tunnel.

Licensing Requirements for EIGRP
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single context mode.
Firewall Mode Guidelines

Supported only in routed firewall mode. Transparent firewall mode is not supported.

Cisco ASA 5500 Series Configuration Guide using the CLI

27-2

Chapter 27

Configuring EIGRP
Configuring EIGRP

IPv6 Guidelines

Does not support IPv6.

Configuring EIGRP
This section describes how to enable the EIGRP process on your system. After you have enabled EIGRP,
see the following sections to learn how to customize the EIGRP process on your system.
•

Enabling EIGRP, page 27-3

•

Enabling EIGRP Stub Routing, page 27-3

Enabling EIGRP
You can only enable one EIGRP routing process on the ASA.
To enable EIGRP, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router eigrp as-num

Creates an EIGRP routing process and enters router configuration
mode for this EIGRP process.

Example:

The as-num argument is the autonomous system number of the
EIGRP routing process.

hostname(config)# router eigrp 2

Step 2

network ip-addr [mask]

Example:
hostname(config)# router eigrp 2
hostname(config-router)# network 10.0.0.0
255.0.0.0

Configures the interfaces and networks that participate in EIGRP
routing. You can configure one or more network statements with
this command.
Directly connected and static networks that fall within the defined
network are advertised by the ASA. Additionally, only interfaces
with an IP address that fall within the defined network participate
in the EIGRP routing process.
If you have an interface that you do not want to have participate
in EIGRP routing, but that is attached to a network that you want
advertised, see the “Configuring Interfaces for EIGRP” section on
page 27-6.

Enabling EIGRP Stub Routing
You can enable, and configure the ASA as an EIGRP stub router. Stub routing decreases memory and
processing requirements on the ASA. As a stub router, the ASA does not need to maintain a complete
EIGRP routing table because it forwards all nonlocal traffic to a distribution router. Generally, the
distribution router need not send anything more than a default route to the stub router.
Only specified routes are propagated from the stub router to the distribution router. As a stub router, the
ASA responds to all queries for summaries, connected routes, redistributed static routes, external routes,
and internal routes with the message “inaccessible.” When the ASA is configured as a stub, it sends a
special peer information packet to all neighboring routers to report its status as a stub router. Any

Cisco ASA 5500 Series Configuration Guide using the CLI

27-3

Chapter 27

Configuring EIGRP

Customizing EIGRP

neighbor that receives a packet informing it of the stub status will not query the stub router for any
routes, and a router that has a stub peer will not query that peer. The stub router depends on the
distribution router to send the correct updates to all peers.
To enable the ASA as an EIGRP stub routing process, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router eigrp as-num

Creates an EIGRP routing process and enters router configuration
mode for this EIGRP process.

Example:

The as-num argument is the autonomous system number of the
EIGRP routing process.

hostname(config)# router eigrp 2

Step 2

network ip-addr [mask]

Example:
hostname(config)# router eigrp 2
hostname(config-router)# network 10.0.0.0
255.0.0.0

Configures the interfaces and networks that participate in EIGRP
routing. You can configure one or more network statements with
this command.
Directly connected and static networks that fall within the defined
network are advertised by the ASA. Additionally, only interfaces
with an IP address that fall within the defined network participate
in the EIGRP routing process.
If you have an interface that you do not want to have participate
in EIGRP routing, but that is attached to a network that you want
advertised, see the section “Configuring Passive Interfaces”
section on page 27-7.

Step 3

eigrp stub {receive-only | [connected]
[redistributed] [static] [summary]}

Example:

Configures the stub routing process. You must specify which
networks are advertised by the stub routing process to the
distribution router. Static and connected networks are not
automatically redistributed into the stub routing process.

hostname(config)# router eigrp 2
hostname(config-router)# network 10.0.0.0
255.0.0.0
hostname(config-router)# eigrp stub
{receive-only | [connected]
[redistributed] [static] [summary]}

Note

A stub routing process does not maintain a full topology table. At a minimum, stub routing needs a
default route to a distribution router, which makes the routing decisions.

Customizing EIGRP
This section describes how to customize the EIGRP routing and includes the following topics:
•

Defining a Network for an EIGRP Routing Process, page 27-5

•

Configuring Interfaces for EIGRP, page 27-6

•

Configuring the Summary Aggregate Addresses on Interfaces, page 27-8

•

Changing the Interface Delay Value, page 27-9

Cisco ASA 5500 Series Configuration Guide using the CLI

27-4

Chapter 27

Configuring EIGRP
Customizing EIGRP

•

Enabling EIGRP Authentication on an Interface, page 27-9

•

Defining an EIGRP Neighbor, page 27-10

•

Redistributing Routes Into EIGRP, page 27-11

•

Filtering Networks in EIGRP, page 27-12

•

Customizing the EIGRP Hello Interval and Hold Time, page 27-13

•

Disabling Automatic Route Summarization, page 27-14

•

Configuring Default Information in EIGRP, page 27-15

•

Disabling EIGRP Split Horizon, page 27-16

•

Restarting the EIGRP Process, page 27-17

Defining a Network for an EIGRP Routing Process
The Network table lets you specify the networks used by the EIGRP routing process. For an interface to
participate in EIGRP routing, it must fall within the range of addresses defined by the network entries.
For directly connected and static networks to be advertised, they must also fall within the range of the
network entries.
The Network table displays the networks configured for the EIGRP routing process. Each row of the
table displays the network address and associated mask configured for the specified EIGRP routing
process.
To add or define a network, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router eigrp as-num

Creates an EIGRP routing process and enters router configuration
mode for this EIGRP process.

Example:

The as-num argument is the autonomous system number of the
EIGRP routing process.

hostname(config)# router eigrp 2

Step 2

network ip-addr [mask]

Example:
hostname(config)# router eigrp 2
hostname(config-router)# network 10.0.0.0
255.0.0.0

Cisco ASA 5500 Series Configuration Guide using the CLI

27-5

Chapter 27

Configuring EIGRP

Customizing EIGRP

Configuring Interfaces for EIGRP
If you have an interface that you do not want to have participate in EIGRP routing, but that is attached
to a network that you want advertised, you can configure a network command that includes the network
to which the interface is attached, and use the passive-interface command to prevent that interface from
sending or receiving EIGRP updates.
To configure interfaces for EIGRP, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router eigrp as-num

Creates an EIGRP routing process and enters router configuration
mode for this EIGRP process.

Example:

The as-num argument is the autonomous system number of the
EIGRP routing process.

hostname(config)# router eigrp 2

Step 2

hostname(config-router)# network ip-addr
[mask]

Configures the interfaces and networks that participate in EIGRP
routing. You can configure one or more network statements with
this command.

Example:

Directly connected and static networks that fall within the defined
network are advertised by the ASA. Additionally, only interfaces
with an IP address that fall within the defined network participate
in the EIGRP routing process.

hostname(config)# router eigrp 2
hostname(config-router)# network 10.0.0.0
255.0.0.0

If you have an interface that you do not want to have participate
in EIGRP routing, but that is attached to a network that you want
advertised, see the “Defining a Network for an EIGRP Routing
Process” section on page 27-5.
Step 3

(Optional) Do one of the following to customize an interface to participate in EIGRP routing:
no default-information {in | out | WORD}

Allows you to control the sending or receiving of candidate
default route information.

Example:

Entering the no default-information in command causes the
candidate default route bit to be blocked on received routes.
Entering the no default-information out command disables the
setting of the default route bit in advertised routes.

hostname(config)# router eigrp 2
hostname(config-router)# network 10.0.0.0
255.0.0.0
hostname(config-router)# no
default-information {in | out | WORD}

authentication mode eigrp as-num md5

Example:
hostname(config)# authentication mode
eigrp 2 md5

See the “Configuring Default Information in EIGRP” section on
page 27-15 for more information on this particular option.
Enables MD5 authentication of EIGRP packets.
The as-num argument is the autonomous system number of the
EIGRP routing process configured on the ASA. If EIGRP is not
enabled or if you enter the wrong number, the ASA returns the
following error message:
% Asystem(100) specified does not exist

See the “Enabling EIGRP Authentication on an Interface” section
on page 27-9 for more information on this particular option.

Cisco ASA 5500 Series Configuration Guide using the CLI

27-6

Chapter 27

Configuring EIGRP
Customizing EIGRP

Command
delay value

Purpose
The value argument entered is in tens of microseconds. To set the
delay for 2000 microseconds, you enter a value of 200.

Example:

To view the delay value assigned to an interface, use the show
interface command.

hostname(config-if)# delay 200

See the “Changing the Interface Delay Value” section on
page 27-9 for more information on this particular option.
hello-interval eigrp as-num seconds

Example:

Allows you to change the hello interval. See the “Customizing the
EIGRP Hello Interval and Hold Time” section on page 27-13 for
more information on this particular option.

hostname(config)# hello-interval eigrp 2
60
hold-time eigrp as-num seconds

Example:

Allows you to change the hold time. See the “Customizing the
EIGRP Hello Interval and Hold Time” section on page 27-13 for
more information on this particular option.

hostname(config)# hold-time eigrp 2 60

Configuring Passive Interfaces
You can configure one or more interfaces as passive interfaces. In EIGRP, a passive interface does not
send or receive routing updates.
To configure passive interfaces, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router eigrp as-num

Creates an EIGRP routing process and enters router configuration
mode for this EIGRP process.

Example:

The as-num argument is the autonomous system number of the
EIGRP routing process.

hostname(config)# router eigrp 2

Cisco ASA 5500 Series Configuration Guide using the CLI

27-7

Chapter 27

Configuring EIGRP

Customizing EIGRP

Step 2

Command

Purpose

hostname(config-router)# network ip-addr
[mask]

Configures the interfaces and networks that participate in EIGRP
routing. You can configure one or more network statements with
this command.

Example:

hostname(config)# router eigrp 2
hostname(config-router)# network 10.0.0.0
255.0.0.0

passive-interface {default | if-name}

Prevents an interface from sending or receiving EIGRP routing
message.

Example:

Using the default keyword disables EIGRP routing updates on all
interfaces. Specifying an interface name, as defined by the
nameif command, disables EIGRP routing updates on the
specified interface. You can use multiple passive-interface
commands in your EIGRP router configuration.

hostname(config)# router eigrp 2
hostname(config-router)# network 10.0.0.0
255.0.0.0
hostname(config-router)# passive-interface
{default}

Configuring the Summary Aggregate Addresses on Interfaces
You can configure a summary addresses on a per-interface basis. You need to manually define summary
addresses if you want to create summary addresses that do not occur at a network number boundary or
if you want to use summary addresses on an ASA with automatic route summarization disabled. If any
more specific routes are in the routing table, EIGRP will advertise the summary address out the interface
with a metric equal to the minimum of all more specific routes.
To create a summary address, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

interface phy_if

Enters interface configuration mode for the interface on which
you are changing the delay value used by EIGRP.

Example:
hostname(config)# interface phy_if

Step 2

summary-address eigrp as-num address mask
[distance]

Example:
hostname(config-if)# summary-address eigrp
2 address mask [20]

Cisco ASA 5500 Series Configuration Guide using the CLI

27-8

Creates the summary address.
By default, EIGRP summary addresses that you define have an
administrative distance of 5. You can change this value by
specifying the optional distance argument in the
summary-address command.

Chapter 27

Configuring EIGRP
Customizing EIGRP

Changing the Interface Delay Value
The interface delay value is used in EIGRP distance calculations. You can modify this value on a
per-interface basis.
To change the interface delay value, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

interface phy_if

Enters interface configuration mode for the interface on which
you are changing the delay value used by EIGRP.

Example:
hostname(config)# interface phy_if

Step 2

delay value

The value argument entered is in tens of microseconds. To set the
delay for 2000 microseconds, you enter a value of 200.

Example:

To view the delay value assigned to an interface, use the show
interface command.

hostname(config-if)# delay 200

Enabling EIGRP Authentication on an Interface
EIGRP route authentication provides MD5 authentication of routing updates from the EIGRP routing
protocol. The MD5 keyed digest in each EIGRP packet prevents the introduction of unauthorized or false
routing messages from unapproved sources.
EIGRP route authentication is configured on a per-interface basis. All EIGRP neighbors on interfaces
configured for EIGRP message authentication must be configured with the same authentication mode
and key for adjacencies to be established.

Note

Before you can enable EIGRP route authentication, you must enable EIGRP.
To enable EIGRP authentication on an interface, perform the following steps:

Cisco ASA 5500 Series Configuration Guide using the CLI

27-9

Chapter 27

Configuring EIGRP

Customizing EIGRP

Detailed Steps

Step 1

router eigrp as-num

Creates an EIGRP routing process and enters router configuration
mode for this EIGRP process.

Example:

The as-num argument is the autonomous system number of the
EIGRP routing process.

hostname(config)# router eigrp 2

Step 2

network ip-addr [mask]

Example:
hostname(config)# router eigrp 2
hostname(config-router)# network 10.0.0.0
255.0.0.0

Configures the interfaces and networks that participate in EIGRP
routing. You can configure one or more network statements with
this command.
Directly connected and static networks that fall within the defined
network are advertised by the ASA. Additionally, only interfaces
with an IP address that falls within the defined network
participate in the EIGRP routing process.
If you have an interface that you do not want to have participate
in EIGRP routing, but that is attached to a network that you want
advertised, see the “Configuring EIGRP” section on page 27-3.

Step 3

interface phy_if

Enters interface configuration mode for the interface on which
you are configuring EIGRP message authentication.

Example:
hostname(config)# interface phy_if

Step 4

authentication mode eigrp as-num md5

Example:
hostname(config)# authentication mode
eigrp 2 md5

Enables MD5 authentication of EIGRP packets.
The as-num argument is the autonomous system number of the
EIGRP routing process configured on the ASA. If EIGRP is not
enabled or if you enter the wrong number, the ASA returns the
following error message:
% Asystem(100) specified does not exist

Step 5

authentication key eigrp as-num key key-id
key-id

Example:
hostname(config)# authentication key eigrp
2 cisco key-id 200

Configures the key used by the MD5 algorithm.
The as-num argument is the autonomous system number of the
EIGRP routing process configured on the ASA. If EIGRP is not
enabled or if you enter the wrong number, the ASA returns the
following error message:
% Asystem(100) specified does not exist

The key argument can include up to 16 characters.
The key-id argument is a number that can range from 0 to 255.

Defining an EIGRP Neighbor
EIGRP hello packets are sent as multicast packets. If an EIGRP neighbor is located across a non
broadcast network, such as a tunnel, you must manually define that neighbor. When you manually define
an EIGRP neighbor, hello packets are sent to that neighbor as unicast messages.
To manually define an EIGRP neighbor, perform the following steps:

Cisco ASA 5500 Series Configuration Guide using the CLI

27-10

Chapter 27

Configuring EIGRP
Customizing EIGRP

Detailed Steps

Step 1

Step 2

Command

Purpose

router eigrp as-num

Creates an EIGRP routing process and enters router configuration
mode for this EIGRP process.

Example:
hostname(config)# router eigrp 2

The as-num argument is the autonomous system number of the
EIGRP routing process.

neighbor ip-addr interface if_name

Defines the static neighbor.
The ip-addr argument is the IP address of the neighbor.

Example:
hostname(config)# router eigrp 2
hostname(config-router)# neighbor 10.0.0.0
interface interface1

The if-name argument is the name of the interface, as specified by
the nameif command, through which that neighbor is available.
You can define multiple neighbors for an EIGRP routing process.

Redistributing Routes Into EIGRP
You can redistribute routes discovered by RIP and OSPF into the EIGRP routing process. You can also
redistribute static and connected routes into the EIGRP routing process. You do not need to redistribute
connected routes if they fall within the range of a network statement in the EIGRP configuration.

Note

For RIP only: Before you begin this procedure, you must create a route-map to further define which
routes from the specified routing protocol are redistributed in to the RIP routing process. See Chapter 23,
“Defining Route Maps,” for more information about creating a route map.
To redistribute routes into the EIGRP routing process, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router eigrp as-num

Creates an EIGRP routing process and enters router configuration
mode for this EIGRP process.

Example:

The as-num argument is the autonomous system number of the
EIGRP routing process.

hostname(config)# router eigrp 2

Step 2

default-metric bandwidth delay reliability
loading mtu

Example:
hostname(config)# router eigrp 2
hostname(config-router)# default-metric
bandwidth delay reliability loading mtu

Step 3

(Optional) Specifies the default metrics that should be applied to
routes redistributed into the EIGRP routing process.
If you do not specify a default metric in the EIGRP router
configuration, you must specify the metric values in each
redistribute command. If you specify the EIGRP metrics in the
redistribute command and have the default-metric command in
the EIGRP router configuration, the metrics in the redistribute
command are used.

Do one of the following to redistribute the selected route type into the EIGRP routing process. You must specify the
EIGRP metric values in the redistribute command if you do not have a default-metric command in the EIGRP
router configuration.

Cisco ASA 5500 Series Configuration Guide using the CLI

27-11

Chapter 27

Configuring EIGRP

Customizing EIGRP

Command

Purpose

redistribute connected [metric bandwidth
delay reliability loading mtu] [route-map
map_name]

Redistributes connected routes into the EIGRP routing process.

Example:
hostname(config-router): redistribute
connected [metric bandwidth delay
reliability loading mtu] [route-map
map_name]
redistribute static [metric bandwidth
delay reliability loading mtu] [route-map
map_name]

Redistributes static routes into the EIGRP routing process.

Example:
hostname(config-router): redistribute
static [metric bandwidth delay reliability
loading mtu] [route-map map_name]
redistribute ospf pid [match {internal |
external [1 | 2] | nssa-external [1 | 2]}]
[metric bandwidth delay reliability
loading mtu] [route-map map_name]

Redistributes routes from an OSPF routing process into the
EIGRP routing process.

Example:
hostname(config-router): redistribute ospf
pid [match {internal | external [1 | 2] |
nssa-external [1 | 2]}] [metric bandwidth
delay reliability loading mtu] [route-map
map_name]
redistribute rip [metric bandwidth delay
reliability load mtu] [route-map map_name]

Redistributes routes from a RIP routing process into the EIGRP
routing process.

Example:
(config-router): redistribute rip [metric
bandwidth delay reliability load mtu]
[route-map map_name]

Filtering Networks in EIGRP
Note

Before you begin this process, you must create a standard access list that defines the routes that you want
to advertise. That is, create a standard access list that defines the routes that you want to filter from
sending or receiving updates.

Cisco ASA 5500 Series Configuration Guide using the CLI

27-12

Chapter 27

Configuring EIGRP
Customizing EIGRP

To filter networks in EIGRP, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router eigrp as-num

Creates an EIGRP routing process and enters router configuration
mode for this EIGRP process.

Example:

The as-num argument is the autonomous system number of the
EIGRP routing process.

hostname(config)# router eigrp 2

Step 2

hostname(config-router)# network ip-addr
[mask]

Configures the interfaces and networks that participate in EIGRP
routing. You can configure one or more network statements with
this command.

Example:

hostname(config)# router eigrp 2
hostname(config-router)# network 10.0.0.0
255.0.0.0

If you have an interface that you do not want to have participate
in EIGRP routing, but that is attached to a network that you want
advertised, see the “Configuring Interfaces for EIGRP” section on
page 27-6.
Step 3

Do one of the following to filter networks sent or received in EIGRP routing updates. You can enter multiple
distribute-list commands in your EIGRP router configuration.
distribute-list acl out [connected | ospf
| rip | static | interface if_name]

Filters networks sent in EIGRP routing updates.
You can specify an interface to apply the filter to only those
updates that are sent by that specific interface.

Example:
hostname(config)# router eigrp 2
hostname(config-router)# network 10.0.0.0
255.0.0.0
hostname(config-router): distribute-list
acl out [connected]
distribute-list acl in [interface if_name]

Filters networks received in EIGRP routing updates.

Example:

You can specify an interface to apply the filter to only those
updates that are received by that interface.

hostname(config)# router eigrp 2
hostname(config-router)# network 10.0.0.0
255.0.0.0
hostname(config-router): distribute-list
acl in [interface interface1]

Customizing the EIGRP Hello Interval and Hold Time
The ASA periodically sends hello packets to discover neighbors and to learn when neighbors become
unreachable or inoperative. By default, hello packets are sent every 5 seconds.
The hello packet advertises the ASA hold time. The hold time indicates to EIGRP neighbors the length
of time the neighbor should consider the ASA reachable. If the neighbor does not receive a hello packet
within the advertised hold time, then the ASA is considered unreachable. By default, the advertised hold
time is 15 seconds (three times the hello interval).

Cisco ASA 5500 Series Configuration Guide using the CLI

27-13

Chapter 27

Configuring EIGRP

Customizing EIGRP

Both the hello interval and the advertised hold time are configured on a per-interface basis. We
recommend setting the hold time to be at minimum three times the hello interval.
To configure the hello interval and advertised hold time, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

interface phy_if

Enters interface configuration mode for the interface on which
you are configuring the hello interval or advertised hold time.

Example:
hostname(config)# interface phy_if

Step 2

hello-interval eigrp as-num seconds

Changes the hello interval.

Example:
hostname(config)# hello-interval eigrp 2
60

Step 3

hold-time eigrp as-num seconds

Changes the hold time.

Example:
hostname(config)# hold-time eigrp 2 60

Disabling Automatic Route Summarization
Automatic route summarization is enabled by default. The EIGRP routing process summarizes on
network number boundaries. This can cause routing problems if you have noncontiguous networks.
For example, if you have a router with the networks 192.168.1.0, 192.168.2.0, and 192.168.3.0
connected to it, and those networks all participate in EIGRP, the EIGRP routing process creates the
summary address 192.168.0.0 for those routes. If an additional router is added to the network with the
networks 192.168.10.0 and 192.168.11.0, and those networks participate in EIGRP, they will also be
summarized as 192.168.0.0. To prevent the possibility of traffic being routed to the wrong location, you
should disable automatic route summarization on the routers creating the conflicting summary
addresses.
To disable automatic route summarization, enter the following commands:

Cisco ASA 5500 Series Configuration Guide using the CLI

27-14

Chapter 27

Configuring EIGRP
Customizing EIGRP

Detailed Steps

Step 1

Command

Purpose

router eigrp as-num

Creates an EIGRP routing process and enters router configuration
mode for this EIGRP process.

Example:

The as-num argument is the autonomous system number of the
EIGRP routing process.

hostname(config)# router eigrp 2

Step 2

no auto-summary

You cannot configure this value. Automatic summary addresses
have an administrative distance of 5.

Example:
hostname(config-router)# no auto-summary

Configuring Default Information in EIGRP
You can control the sending and receiving of default route information in EIGRP updates. By default,
default routes are sent and accepted. Configuring the ASA to disallow default information to be received
causes the candidate default route bit to be blocked on received routes. Configuring the ASA to disallow
default information to be sent disables the setting of the default route bit in advertised routes.
To configure default routing information, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

router eigrp as-num

Creates an EIGRP routing process and enters router configuration
mode for this EIGRP process.

Example:

The as-num argument is the autonomous system number of the
EIGRP routing process.

hostname(config)# router eigrp 2

Cisco ASA 5500 Series Configuration Guide using the CLI

27-15

Chapter 27

Configuring EIGRP

Customizing EIGRP

Step 2

Command

Purpose

hostname(config-router)# network ip-addr
[mask]

Configures the interfaces and networks that participate in EIGRP
routing. You can configure one or more network statements with
this command.

Example:

hostname(config)# router eigrp 2
hostname(config-router)# network 10.0.0.0
255.0.0.0

no default-information {in | out | WORD}

Controls the sending or receiving of candidate default route
information.

Example:

hostname(config)# router eigrp 2
hostname(config-router)# network 10.0.0.0
255.0.0.0
hostname(config-router)# no
default-information {in | out | WORD}

Disabling EIGRP Split Horizon
Split horizon controls the sending of EIGRP update and query packets. When split horizon is enabled on
an interface, update and query packets are not sent for destinations for which this interface is the next
hop. Controlling update and query packets in this manner reduces the possibility of routing loops.
By default, split horizon is enabled on all interfaces.
Split horizon blocks route information from being advertised by a router out of any interface from which
that information originated. This behavior usually optimizes communications among multiple routing
devices, particularly when links are broken. However, with nonbroadcast networks, there may be
situations where this behavior is not desired. For these situations, including networks in which you have
EIGRP configured, you may want to disable split horizon.
If you disable split horizon on an interface, you must disable it for all routers and access servers on that
interface.

Cisco ASA 5500 Series Configuration Guide using the CLI

27-16

Chapter 27

Configuring EIGRP
Monitoring EIGRP

To disable EIGRP split horizon, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

interface phy_if

Enters interface configuration mode for the interface on which
you are changing the delay value used by EIGRP.

Example:
hostname(config)# interface phy_if

Step 2

no split-horizon eigrp as-number

Disables the split horizon.

Example:
hostname(config-if)# no split-horizon
eigrp 2

Restarting the EIGRP Process
To restart an EIGRP process or clear redistribution or counters, enter the following command:
Command

Purpose

clear eigrp pid {1-65535 | neighbors | topology |
events)}

Restarts an EIGRP process or clears redistribution or counters.

Example:
hostname(config)# clear eigrp pid 10 neighbors

Monitoring EIGRP
You can use the following commands to monitor the EIGRP routing process. For examples and
descriptions of the command output, see the command reference. Additionally, you can disable the
logging of neighbor change messages and neighbor warning messages.
To monitor or disable various EIGRP routing statistics, enter one of the following commands:
Command

Purpose

Monitoring EIGRP Routing
show eigrp [as-number] events [{start end}
| type]

Displays the EIGRP event log.

show eigrp [as-number] neighbors [detail |
static] [if-name]

Displays the EIGRP neighbor table.

show eigrp [as-number] interfaces [if-name]
[detail]

Displays the interfaces participating in EIGRP
routing.

Displays the EIGRP topology table.

Cisco ASA 5500 Series Configuration Guide using the CLI

27-17

Chapter 27

Configuring EIGRP

Configuration Example for EIGRP

Command (continued)

Purpose (continued)

show eigrp [as-number] traffic

Displays EIGRP traffic statistics.

router-id

Displays the router-id for this EIGRP process.

Disabling EIGRP Logging Messages

Note

no eigrp log-neighbor-changes

Disables the logging of neighbor change
messages. Enter this command in router
configuration mode for the EIGRP routing
process.

no eigrp log-neighbor-warnings

Disables the logging of neighbor warning
messages.

By default, neighbor change and neighbor warning messages are logged.

Configuration Example for EIGRP
The following example shows how to enable and configure EIGRP with various optional processes:
Step 1

To enable EIGRP, enter the following commands:
hostname(config)# router eigrp 2
hostname(config-router)# network 10.0.0.0 255.0.0.0

Step 2

To configure an interface from sending or receiving EIGRP routing messages, enter the following
command:
hostname(config-router)# passive-interface {default}

Step 3

To define an EIGRP neighbor, enter the following command:
hostname(config-router)# neighbor 10.0.0.0 interface interface1

Step 4

To configure the interfaces and networks that participate in EIGRP routing, enter the following
command:
hostname(config-router)# network 10.0.0.0 255.0.0.0

Step 5

To change the interface delay value used in EIGRP distance calculations, enter the following commands:
hostname(config-router)# exit
hostname(config)# interface phy_if
hostname(config-if)# delay 200

Cisco ASA 5500 Series Configuration Guide using the CLI

27-18

Chapter 27

Configuring EIGRP
Feature History for EIGRP

Feature History for EIGRP
Table 27-1 lists each feature change and the platform release in which it was implemented.
Table 27-1

Feature History for EIGRP

Feature Name

Platform
Releases

EIGRP support

7.0(1)

Feature Information
Support was added for routing data, performing
authentication, and redistributing and monitoring routing
information using the Enhanced Interior Gateway Routing
Protocol (EIGRP).
We introduced the following command: route eigrp.

Cisco ASA 5500 Series Configuration Guide using the CLI

27-19

Chapter 27
Feature History for EIGRP

Cisco ASA 5500 Series Configuration Guide using the CLI

27-20

Configuring EIGRP

Chapter 27

Configuring EIGRP
Feature History for EIGRP

Cisco ASA 5500 Series Configuration Guide using the CLI

27-21

Chapter 27
Feature History for EIGRP

Cisco ASA 5500 Series Configuration Guide using the CLI

27-22

Configuring EIGRP

Chapter 27

Configuring EIGRP
Feature History for EIGRP

Cisco ASA 5500 Series Configuration Guide using the CLI

27-23

Chapter 27
Feature History for EIGRP

Cisco ASA 5500 Series Configuration Guide using the CLI

27-24

Configuring EIGRP

Chapter 27

Configuring EIGRP
Feature History for EIGRP

Cisco ASA 5500 Series Configuration Guide using the CLI

27-25

Chapter 27
Feature History for EIGRP

Cisco ASA 5500 Series Configuration Guide using the CLI

27-26

Configuring EIGRP

Chapter 27

Configuring EIGRP
Feature History for EIGRP

Cisco ASA 5500 Series Configuration Guide using the CLI

27-27

Chapter 27
Feature History for EIGRP

Cisco ASA 5500 Series Configuration Guide using the CLI

27-28

Configuring EIGRP

Chapter 27

Configuring EIGRP
Feature History for EIGRP

Cisco ASA 5500 Series Configuration Guide using the CLI

27-29

Chapter 27
Feature History for EIGRP

Cisco ASA 5500 Series Configuration Guide using the CLI

27-30

Configuring EIGRP

CH A P T E R

Configuring IPv6 Neighbor Discovery
This chapter describes how to enable and configure IPv6 neighbor discovery on the ASA and includes
the following sections:
•

Information About IPv6 Neighbor Discovery, page 28-1

•

Licensing Requirements for IPv6 Neighbor Discovery, page 28-4

•

Guidelines and Limitations, page 28-4

•

Default Settings for IPv6 Neighbor Discovery, page 28-6

•

Configuring the Neighbor Solicitation Message Interval, page 28-7

•

Configuring the Neighbor Reachable Time, page 28-7

•

Configuring the Router Advertisement Transmission Interval, page 28-8

•

Configuring the Router Lifetime Value, page 28-8

•

Configuring DAD Settings, page 28-9

•

Configuring IPv6 Addresses on an Interface, page 28-9

•

Suppressing Router Advertisement Messages, page 28-10

•

Configuring the IPv6 Prefix, page 28-11

•

Configuring a Static IPv6 Neighbor, page 28-12

•

Monitoring IPv6 Neighbor Discovery, page 28-13

•

Additional References, page 28-13

•

Feature History for IPv6 Neighbor Discovery, page 28-14

Information About IPv6 Neighbor Discovery
The IPv6 neighbor discovery process uses ICMPv6 messages and solicited-node multicast addresses to
determine the link-layer address of a neighbor on the same network (local link), verify the readability of
a neighbor, and keep track of neighboring routers.
Nodes (hosts) use neighbor discovery to determine the link-layer addresses for neighbors known to
reside on attached links and to quickly purge cashed values that become invalid. Hosts also use neighbor
discovery to find neighboring routers that are willing to forward packets on their behalf. In addition,
nodes use the protocol to actively keep track of which neighbors are reachable and which are not, and to
detect changed link-layer addresses. When a router or the path to a router fails, a host actively searches
for functioning alternates.

Cisco ASA 5500 Series Configuration Guide using the CLI

28-1

Chapter 28

Configuring IPv6 Neighbor Discovery

Information About IPv6 Neighbor Discovery

This section includes the following topics:
•

Neighbor Solicitation Messages, page 28-2

•

Neighbor Reachable Time, page 28-3

•

Router Advertisement Messages, page 28-3

•

Static IPv6 Neighbors, page 28-4

Neighbor Solicitation Messages
Neighbor solicitation messages (ICMPv6 Type 135) are sent on the local link by nodes attempting to
discover the link-layer addresses of other nodes on the local link. The neighbor solicitation message is
sent to the solicited-node multicast address. The source address in the neighbor solicitation message is
the IPv6 address of the node sending the neighbor solicitation message. The neighbor solicitation
message also includes the link-layer address of the source node.
After receiving a neighbor solicitation message, the destination node replies by sending a neighbor
advertisement message (ICPMv6 Type 136) on the local link. The source address in the neighbor
advertisement message is the IPv6 address of the node sending the neighbor advertisement message; the
destination address is the IPv6 address of the node that sent the neighbor solicitation message. The data
portion of the neighbor advertisement message includes the link-layer address of the node sending the
neighbor advertisement message.
After the source node receives the neighbor advertisement, the source node and destination node can
communicate. Figure 28-1 shows the neighbor solicitation and response process.
Figure 28-1

IPv6 Neighbor Discovery—Neighbor Solicitation Message

ICMPv6 Type = 135
Src = A
Dst = solicited-node multicast of B
Data = link-layer address of A
Query = what is your link address?

A and B can now exchange
packets on this link

132958

ICMPv6 Type = 136
Src = B
Dst = A
Data = link-layer address of B

Neighbor solicitation messages are also used to verify the reachability of a neighbor after the link-layer
address of a neighbor is identified. When a node wants to verifying the reachability of a neighbor, the
destination address in a neighbor solicitation message is the unicast address of the neighbor.
Neighbor advertisement messages are also sent when there is a change in the link-layer address of a node
on a local link. When there is such a change, the destination address for the neighbor advertisement is
the all-nodes multicast address.

Cisco ASA 5500 Series Configuration Guide using the CLI

28-2

Chapter 28

Configuring IPv6 Neighbor Discovery
Information About IPv6 Neighbor Discovery

Neighbor Reachable Time
The neighbor reachable time enables detecting unavailable neighbors. Shorter configured times enable
detecting unavailable neighbors more quickly, however, shorter times consume more IPv6 network
bandwidth and processing resources in all IPv6 network devices. Very short configured times are not
recommended in normal IPv6 operation.

Router Advertisement Messages
An ASA can participate in router advertisements so that neighboring devices can dynamically learn a
default router address. Router advertisement messages (ICMPv6 Type 134) are periodically sent out each
IPv6 configured interface of the ASA. The router advertisement messages are sent to the all-nodes
multicast address. Figure 28-2 shows the router advertisement messages that are sent from IPv6
configured interfaces on the ASA.
IPv6 Neighbor Discovery—Router Advertisement Message

Router
advertisement

Router advertisement packet definitions:
ICMPv6 Type = 134
Src = router link-local address
Dst = all-nodes multicast address
Data = options, prefix, lifetime, autoconfig flag

132917

Figure 28-2

Router advertisement messages typically include the following information:
•

One or more IPv6 prefix that nodes on the local link can use to automatically configure their IPv6
addresses.

•

Lifetime information for each prefix included in the advertisement.

•

Sets of flags that indicate the type of autoconfiguration (stateless or stateful) that can be completed.

•

Default router information (whether the router sending the advertisement should be used as a default
router and, if so, the amount of time (in seconds) the router should be used as a default router).

•

Additional information for hosts, such as the hop limit and MTU a host should use in packets that it
originates.

•

The amount of time between neighbor solicitation message retransmissions on a given link.

•

The amount of time a node considers a neighbor reachable.

Router advertisements are also sent in response to router solicitation messages (ICMPv6 Type 133).
Router solicitation messages are sent by hosts at system startup so that the host can immediately
autoconfigure without needing to wait for the next scheduled router advertisement message. Because
router solicitation messages are usually sent by hosts at system startup, and the host does not have a
configured unicast address, the source address in router solicitation messages is usually the unspecified
IPv6 address (0:0:0:0:0:0:0:0). If the host has a configured unicast address, the unicast address of the
interface sending the router solicitation message is used as the source address in the message. The

Cisco ASA 5500 Series Configuration Guide using the CLI

28-3

Chapter 28

Configuring IPv6 Neighbor Discovery

Licensing Requirements for IPv6 Neighbor Discovery

destination address in router solicitation messages is the all-routers multicast address with a scope of the
link. When a router advertisement is sent in response to a router solicitation, the destination address in
the router advertisement message is the unicast address of the source of the router solicitation message.
You can configure the following settings for router advertisement messages:
•

The time interval between periodic router advertisement messages.

•

The router lifetime value, which indicates the amount of time IPv6 nodes should consider the ASA
to be the default router.

•

The IPv6 network prefixes in use on the link.

•

Whether or not an interface transmits router advertisement messages.

Unless otherwise noted, the router advertisement message settings are specific to an interface and are
entered in interface configuration mode.

Static IPv6 Neighbors
You can manually define a neighbor in the IPv6 neighbor cache. If an entry for the specified IPv6 address
already exists in the neighbor discovery cache—learned through the IPv6 neighbor discovery
process—the entry is automatically converted to a static entry. Static entries in the IPv6 neighbor
discovery cache are not modified by the neighbor discovery process.

Licensing Requirements for IPv6 Neighbor Discovery
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines

Supported in routed mode only. Transparent mode is not supported.
Additional Guidelines and Limitations
•

The interval value is included in all IPv6 router advertisements that are sent out of this interface.

Cisco ASA 5500 Series Configuration Guide using the CLI

28-4

Chapter 28

Configuring IPv6 Neighbor Discovery
Guidelines and Limitations

•

The configured time enables detecting unavailable neighbors. Shorter configured times enable
detecting unavailable neighbors more quickly; however, shorter times consume more IPv6 network
bandwidth and processing resources in all IPv6 network devices. Very short configured times are not
recommended in normal IPv6 operation.

•

The interval between transmissions should be less than or equal to the IPv6 router advertisement
lifetime if the ASA is configured as a default router by using the ipv6 nd ra-lifetime command. To
prevent synchronization with other IPv6 nodes, randomly adjust the actual value used to within 20
percent of the specified value.

•

The ipv6 nd prefix command allows control over the individual parameters per prefix, including
whether or not the prefix should be advertised.

•

By default, prefixes configured as addresses on an interface using the ipv6 address command are
advertised in router advertisements. If you configure prefixes for advertisement using the ipv6 nd
prefix command, then only these prefixes are advertised.

•

The default keyword can be used to set default parameters for all prefixes.

•

A date can be set to specify the expiration of a prefix. The valid and preferred lifetimes are counted
down in real time. When the expiration date is reached, the prefix will no longer be advertised.

•

When onlink is on (by default), the specified prefix is assigned to the link. Nodes sending traffic to
such addresses that contain the specified prefix consider the destination to be locally reachable on
the link.

•

When autoconfig is on (by default), it indicates to hosts on the local link that the specified prefix
can be used for IPv6 autoconfiguration.

•

For stateless autoconfiguration to work correctly, the advertised prefix length in router
advertisement messages must always be 64 bits.

•

The router lifetime value is included in all IPv6 router advertisements sent out of the interface. The
value indicates the usefulness of the ASA as a default router on this interface.

•

Setting the value to a non-zero value indicates that the ASA should be considered a default router
on this interface. The non-zero value for the router lifetime value should not be less than the router
advertisement interval.

The following guidelines and limitations apply for configuring a static IPv6 neighbor:
•

The ipv6 neighbor command is similar to the arp command. If an entry for the specified IPv6
address already exists in the neighbor discovery cache—learned through the IPv6 neighbor
discovery process—the entry is automatically converted to a static entry. These entries are stored in
the configuration when the copy command is used to store the configuration.

•

Use the show ipv6 neighbor command to view static entries in the IPv6 neighbor discovery cache.

•

The clear ipv6 neighbor command deletes all entries in the IPv6 neighbor discovery cache except
static entries. The no ipv6 neighbor command deletes a specified static entry from the neighbor
discovery cache; the command does not remove dynamic entries—entries learned from the IPv6
neighbor discovery process—from the cache. Disabling IPv6 on an interface by using the no ipv6
enable command deletes all IPv6 neighbor discovery cache entries configured for that interface
except static entries (the state of the entry changes to INCMP [Incomplete]).

•

Static entries in the IPv6 neighbor discovery cache are not modified by the neighbor discovery
process.

•

The clear ipv6 neighbor command does not remove static entries from the IPv6 neighbor discovery
cache; it only clears the dynamic entries.

Cisco ASA 5500 Series Configuration Guide using the CLI

28-5

Chapter 28

Configuring IPv6 Neighbor Discovery

Default Settings for IPv6 Neighbor Discovery

•

The ICMP syslogs generated are caused by a regular refresh of IPv6 neighbor entries. The ASA
default timer for IPv6 neighbor entry is 30 seconds, so the ASA would generate ICMPv6 neighbor
discovery and response packets about every 30 seconds. If the ASA has both failover LAN and state
interfaces configured with IPv6 addresses, then every 30 seconds, ICMPv6 neighbor discovery and
response packets will be generated by both ASAs for both configured and link-local IPv6 addresses.
In addition, each packet will generate several syslogs (ICMP connection and local-host creation or
teardown), so it may appear that constant ICMP syslogs are being generated. The refresh time for
IPV6 neighbor entry is configurable on the regular data interface, but not configurable on the
failover interface. However, the CPU impact for this ICMP neighbor discovery traffic is minimal.

Default Settings for IPv6 Neighbor Discovery
Table 28-1 lists the default settings for IPv6 neighbor discovery.
Table 28-1

Default IPv6 Neighbor Discovery Parameters

Parameters

Default

value for the neighbor solicitation transmission
message interval

1000 seconds between neighbor solicitation
transmissions.

value for the neighbor reachable time

The default is 0.

value for the router advertisement transmission
interval

The default is 200 seconds.

value for the router lifetime

The default is 1800 seconds.

value for the number of consecutive neighbor
solicitation messages sent during DAD

The default is one message.

prefix lifetime

The default lifetime is 2592000 seconds (30 days),
and a preferred lifetime is 604800 seconds (7
days).

on-link flag

The flag is on by default, which means that the
prefix is used on the advertising interface.

autoconfig flag

The flag is on by default, which means that the
prefix is used for autoconfiguration.

static IPv6 neighbor

Static entries are not configured in the IPv6
neighbor discovery cache.

Cisco ASA 5500 Series Configuration Guide using the CLI

28-6

Chapter 28

Configuring IPv6 Neighbor Discovery
Configuring the Neighbor Solicitation Message Interval

Configuring the Neighbor Solicitation Message Interval
To configure the interval between IPv6 neighbor solicitation retransmissions on an interface, enter the
following command:
Command

Purpose

ipv6 nd ns-interval value

Sets the interval between IPv6 neighbor solicitation retransmissions on an
interface.

Example:

Valid values for the value argument range from 1000 to 3600000
milliseconds.

hostname (config-if)# ipv6 nd ns-interval
9000

This information is also sent in router advertisement messages.

Examples
The following example configures an IPv6 neighbor solicitation transmission interval of 9000
milliseconds for GigabitEthernet 0/0:
hostname (config)# interface gigabitethernet 0/0
hostname (config-if)# ipv6 nd ns-interval 9000

Configuring the Neighbor Reachable Time
To configure the amount of time that a remote IPv6 node is considered reachable after a reachability
confirmation event has occurred, enter the following command:
Command

Purpose

ipv6 nd reachable-time value

Sets the amount of time that a remote IPv6 node is reachable.
Valid values for the value argument range from 0 to 3600000 milliseconds.

Example:
hostname (config-if)# ipv6 nd
reachable-time 1700000

When 0 is used for the value, the reachable time is sent as undetermined. It
is up to the receiving devices to set and track the reachable time value.

Examples
The following example configures an IPv6 reachable time of 1700000 milliseconds for the selected
interface, GigabitEthernet 0/0:
hostname (config)# interface gigabitethernet 0/0
hostname (config-if)# ipv6 nd reachable-time 1700000

Cisco ASA 5500 Series Configuration Guide using the CLI

28-7

Chapter 28

Configuring IPv6 Neighbor Discovery

Configuring the Router Advertisement Transmission Interval

Configuring the Router Advertisement Transmission Interval
To configure the interval between IPv6 router advertisement transmissions on an interface, enter the
following command:
Command

Purpose

ipv6 nd ra-interval [msec] value

Sets the interval between IPv6 router advertisement transmissions.

Example:

The optional msec keyword indicates that the value provided is in
milliseconds. If this keyword is not present, the value provided is in
seconds.

hostname (config-if)# ipv6 nd ra-interval
201

Valid values for the value argument range from 3 to 1800 seconds or from
500 to 1800000 milliseconds if the msec keyword is provided.
The interval between transmissions should be less than or equal to the IPv6
router advertisement lifetime if the ASA is configured as a default router.
For more information, see the “Configuring the Router Lifetime Value”
section on page 28-8. To prevent synchronization with other IPv6 nodes,
randomly adjust the actual value used to within 20 percent of the desired
value.

Examples
The following example configures an IPv6 router advertisement interval of 201 seconds for the selected
interface, GigabitEthernet 0/0:
hostname (config)# interface gigabitethernet 0/0
hostname (config-if)# ipv6 nd ra-interval 201

Configuring the Router Lifetime Value
To configure the router lifetime value in IPv6 router advertisements on an interface, enter the following
command:
Command

Purpose

ipv6 nd ra-lifetime [msec] value

Specifies the length of time that nodes on the local link should consider the
ASA as the default router on the link.

Example:

The optional msec keyword indicates that the value provided is in
milliseconds. If this keyword is not present, the value provided is in
seconds.

hostname (config-if)# ipv6 nd ra-lifetime
2000

Valid values for the value argument range from 0 to 9000 seconds.
Entering 0 indicates that the ASA should not be considered a default router
on the selected interface.

Cisco ASA 5500 Series Configuration Guide using the CLI

28-8

Chapter 28

Configuring IPv6 Neighbor Discovery
Configuring DAD Settings

Examples
The following example configures an IPv6 router lifetime value of 2000 seconds for the selected
interface, GigabitEthernet 0/0:
hostname (config)# interface gigabitethernet 0/0
hostname (config-if)# ipv6 nd ra-lifetime 2000

Configuring DAD Settings
To specify DAD settings on the interface, enter the following command:
Command

Purpose

ipv6 nd dad attempts value

Specifies the uniqueness of new unicast IPv6 addresses before they are
assigned and ensures that duplicate IPv6 addresses are detected in the
network on a link basis.

Example:
hostname (config-if)# ipv6 nd dad attempts
20

Valid values for the value argument range from 0 to 600. A zero value
disables DAD processing on the specified interface.

Examples
The following example configures a DAD attempt value of 20 for the selected interface, GigabitEthernet
0/0:
hostname (config)# interface gigabitethernet 0/0
hostname (config-if)# ipv6 nd dad attempts 20

Configuring IPv6 Addresses on an Interface
To configure IPv6 addresses on an interface, enter the following command:
Command

Purpose

ipv6 address

Specifies the IPv6 address for the selected interface.

Example:
hostname (config-if)# ipv6 address
fe80::20d:88ff:feee:6a82

Examples
The following example configures a link-local IPv6 address for the selected interface, GigabitEthernet
0/0:
hostname (config)# interface gigabitethernet 0/0
hostname (config-if)# ipv6 address fe80::20d:88ff:feee:6a82

Cisco ASA 5500 Series Configuration Guide using the CLI

28-9

Chapter 28

Configuring IPv6 Neighbor Discovery

Suppressing Router Advertisement Messages

Suppressing Router Advertisement Messages
Router advertisement messages are automatically sent in response to router solicitation messages. You
may want to disable these messages on any interface for which you do not want the ASA to supply the
IPv6 prefix (for example, the outside interface).
To suppress the router lifetime value in IPv6 router advertisements on an interface, enter the following
command:
Command

Purpose

ipv6 nd suppress-ra seconds

Suppresses the router lifetime value.

Example:
hostname (config-if)# ipv6 nd suppress-ra
2001:DB8::/32 1000 900

The seconds argument specifies the validity of the ASA as a default router
on this interface. Valid values range from 0 to 9000 seconds. A zero
indicates that the ASA should not be considered a default router on the
specified interface.
Entering this command causes the ASA to appear as a regular IPv6
neighbor on the link and not as an IPv6 router.

Examples
The following example suppresses an IPv6 router advertisement transmission for the specified interface,
which is GigabitEthernet 0/0:
hostname (config)# interface gigabitethernet 0/0
hostname (config-if)# ipv6 nd suppress-ra 2001:DB8::/32 1000 900

Cisco ASA 5500 Series Configuration Guide using the CLI

28-10

Chapter 28

Configuring IPv6 Neighbor Discovery
Configuring the IPv6 Prefix

Configuring the IPv6 Prefix
To configure the which IPv6 prefixes are included in IPv6 router advertisements, enter the following
command:
Command

Purpose

Configures which IPv6 prefixes are included in IPv6 router advertisements.
The prefix advertisement can be used by neighboring devices to
autoconfigure their interface addresses. Stateless autoconfiguration uses
IPv6 prefixes provided in router advertisement messages to create the
global unicast address from the link-local address.

Example:
hostname (config-if)# ipv6 nd prefix
2001:DB8::/32 1000 900

The at valid-date preferred-date syntax indicates the date and time at
which the lifetime and preference expire. The prefix is valid until this
specified date and time are reached. Dates are expressed in the form
date-valid-expire month-valid-expire hh:mm-valid-expire
date-prefer-expire month-prefer-expire hh:mm-prefer-expire.
The default keyword indicates that default values are used.
The optional infinite keyword specifies that the valid lifetime does not
expire.
The ipv6-prefix argument specifies the IPv6 network number to include in
router advertisements. This argument must be in the form documented in
RFC 2373 where the address is specified in hexadecimal using 16-bit
values between colons.
The optional no-advertise keyword indicates to hosts on the local link that
the specified prefix is not to be used for IPv6 autoconfiguration.
The optional no-autoconfig keyword indicates to hosts on the local link
that the specified prefix cannot be used for IPv6 autoconfiguration.
The optional off-link keyword indicates that the specified prefix is not used
for on-link determination.
The preferred-lifetime argument specifies the amount of time (in seconds)
that the specified IPv6 prefix is advertised as being preferred. Valid values
range from 0 to 4294967295 seconds. The maximum value represents
infinity, which can also be specified with infinite. The default is 604800 (7
days).
The prefix-length argument specifies the length of the IPv6 prefix. This
value indicates how many of the high-order, contiguous bits of the address
comprise the network portion of the prefix. The slash (/) must precede the
prefix length.
The valid-lifetime argument specifies the amount of time that the specified
IPv6 prefix is advertised as being valid. Valid values range from 0 to
4294967295 seconds. The maximum value represents infinity, which can
also be specified with infinite. The default is 2592000 (30 days).

Cisco ASA 5500 Series Configuration Guide using the CLI

28-11

Chapter 28

Configuring IPv6 Neighbor Discovery

Configuring a Static IPv6 Neighbor

Examples
The following example includes the IPv6 prefix 2001:DB8::/32, with a valid lifetime of 1000 seconds
and a preferred lifetime of 900 seconds, in router advertisements sent out on the specified interface,
which is GigabitEthernet 0/0:
hostname (config)# interface gigabitethernet 0/0
hostname (config-if)# ipv6 nd prefix 2001:DB8::/32 1000 900

Configuring a Static IPv6 Neighbor
To configure a static entry in the IPv6 neighbor discovery cache, enter the following command:
Command

Purpose

ipv6 neighbor ipv6_address if_name
mac_address

Configures a static entry in the IPv6 neighbor discovery cache.

Example:
hostname)config-if)# ipv6 neighbor
3001:1::45A inside 002.7D1A.9472

The ipv6_address argument is the link-local IPv6 address of the neighbor,
the if_name argument is the interface through which the neighbor is
available, and the mac_address argument is the MAC address of the
neighbor interface.

Examples
The following example adds a static entry for an inside host with an IPv6 address of 3001:1::45A and a
MAC address of 002.7D1a.9472 to the neighbor discovery cache:
hostname)config-if)# ipv6 neighbor 3001:1::45A inside 002.7D1A.9472

Cisco ASA 5500 Series Configuration Guide using the CLI

28-12

Chapter 28

Configuring IPv6 Neighbor Discovery
Monitoring IPv6 Neighbor Discovery

Monitoring IPv6 Neighbor Discovery
To monitor IPv6 neighbor discovery parameters, enter the following command:
Command

Purpose

show ipv6 interface

Displays the usability status of interfaces configured for IPv6. Including
the interface name, such as “outside” and displays the settings for the
specified interface. Excludes the name from the command and displays
the settings for all interfaces that have IPv6 enabled on them. Output for
the command shows the following:
•

The name and status of the interface.

•

The link-local and global unicast addresses.

•

The multicast groups to which the interface belongs.

•

ICMP redirect and error message settings.

•

Neighbor discovery settings.

•

The actual time when the command is set to 0.

•

The neighbor discovery reachable time that is being used.

Additional References
For additional information related to implementing IPv6 prefixes, see the following topics:
•

Related Documents for IPv6 Prefixes, page 28-14

•

RFCs for IPv6 Prefixes and Documentation, page 28-14

Cisco ASA 5500 Series Configuration Guide using the CLI

28-13

Chapter 28

Configuring IPv6 Neighbor Discovery

Feature History for IPv6 Neighbor Discovery

Related Documents for IPv6 Prefixes
Related Topic

Document Title

ipv6 commands

command reference

RFCs for IPv6 Prefixes and Documentation
RFC

Title

RFC 2373 includes complete documentation to show IP Version 6 Addressing Architecture
how IPv6 network address numbers must be shown in
router advertisements. The command argument
ipv6-prefix indicates this network number, in which the
address must be specified in hexadecimal format using
16-bit values between colons.
RFC 3849 specifies the requirements for using IPv6
address prefixes in documentation. The IPv6 unicast
address prefix that has been reserved for use in
documentation is 2001:DB8::/32.

IPv6 Address Prefix Reserved for Documentation

Feature History for IPv6 Neighbor Discovery
Table 28-2 lists each feature change and the platform release in which it was implemented.
Table 28-2

Feature History for IPv6 Neighbor Discovery

Feature Name

Releases

Feature Information

IPv6 Neighbor Discovery

7.0(1)

We introduced this feature.
We introduced the following commands: ipv6 nd
ns-interval, ipv6 nd ra-lifetime, ipv6 nd suppress-ra,
ipv6 neighbor, ipv6 nd prefix, ipv6 nd dad-attempts,
ipv6 nd reachable-time, ipv6 address, ipv6
enforce-eui64.

Cisco ASA 5500 Series Configuration Guide using the CLI

28-14

PA R T

Configuring Network Address Translation

CH A P T E R

Information About NAT
This chapter provides an overview of how Network Address Translation (NAT) works on the ASA. This
chapter includes the following sections:

Note

•

Why Use NAT?, page 29-1

•

NAT Terminology, page 29-2

•

NAT Types, page 29-3

•

NAT in Routed and Transparent Mode, page 29-12

•

NAT for VPN, page 29-14

•

How NAT is Implemented, page 29-16

•

NAT Rule Order, page 29-20

•

Routing NAT Packets, page 29-21

•

DNS and NAT, page 29-24

•

Where to Go Next, page 29-27

To start configuring NAT, see Chapter 30, “Configuring Network Object NAT,” or Chapter 31,
“Configuring Twice NAT.”

Why Use NAT?
Each computer and device within an IP network is assigned a unique IP address that identifies the host.
Because of a shortage of public IPv4 addresses, most of these IP addresses are private, not routable
anywhere outside of the private company network. RFC 1918 defines the private IP addresses you can
use internally that should not be advertised:
•

10.0.0.0 through 10.255.255.255

•

172.16.0.0 through 172.31.255.255

•

192.168.0.0 through 192.168.255.255

Cisco ASA 5500 Series Configuration Guide using the CLI

29-1

Chapter 29

Information About NAT

NAT Terminology

One of the main functions of NAT is to enable private IP networks to connect to the Internet. NAT
replaces a private IP address with a public IP address, translating the private addresses in the internal
private network into legal, routable addresses that can be used on the public Internet. In this way, NAT
conserves public addresses because it can be configured to advertise at a minimum only one public
address for the entire network to the outside world.
Other functions of NAT include:

Note

•

Security—Keeping internal IP addresses hidden discourages direct attacks.

•

IP routing solutions—Overlapping IP addresses are not a problem when you use NAT.

•

Flexibility—You can change internal IP addressing schemes without affecting the public addresses
available externally; for example, for a server accessible to the Internet, you can maintain a fixed IP
address for Internet use, but internally, you can change the server address.

NAT is not required. If you do not configure NAT for a given set of traffic, that traffic will not be
translated, but will have all of the security policies applied as normal.

NAT Terminology
This document uses the following terminology:
•

Real address/host/network/interface—The real address is the address that is defined on the host,
before it is translated. In a typical NAT scenario where you want to translate the inside network when
it accesses the outside, the inside network would be the “real” network. Note that you can translate
any network connected to the ASA, not just an inside network, Therefore if you configure NAT to
translate outside addresses, “real” can refer to the outside network when it accesses the inside
network.

•

Mapped address/host/network/interface—The mapped address is the address that the real address is
translated to. In a typical NAT scenario where you want to translate the inside network when it
accesses the outside, the outside network would be the “mapped” network.

•

Bidirectional initiation—Static NAT allows connections to be initiated bidirectionally, meaning
both to the host and from the host.

•

Source and destination NAT—For any given packet, both the source and destination IP addresses are
compared to the NAT rules, and one or both can be translated/untranslated. For static NAT, the rule
is bidirectional, so be aware that “source” and “destination” are used in commands and descriptions
throughout this guide even though a given connection might originate at the “destination” address.

Cisco ASA 5500 Series Configuration Guide using the CLI

29-2

Chapter 29

Information About NAT
NAT Types

NAT Types
•

NAT Types Overview, page 29-3

•

Static NAT, page 29-3

•

Dynamic NAT, page 29-8

•

Dynamic PAT, page 29-10

•

Identity NAT, page 29-11

NAT Types Overview
You can implement NAT using the following methods:
•

Static NAT—A consistent mapping between a real and mapped IP address. Allows bidirectional
traffic initiation. See the “Static NAT” section on page 29-3.

•

Dynamic NAT—A group of real IP addresses are mapped to a (usually smaller) group of mapped IP
addresses, on a first come, first served basis. Only the real host can initiate traffic. See the “Dynamic
NAT” section on page 29-8.

•

Dynamic Port Address Translation (PAT)—A group of real IP addresses are mapped to a single IP
address using a unique source port of that IP address. See the “Dynamic PAT” section on page 29-10.

•

Identity NAT—A real address is statically transalted to itself, essentially bypassing NAT. You might
want to configure NAT this way when you want to translate a large group of addresses, but then want
to exempt a smaller subset of addresses. See the “Identity NAT” section on page 29-11.

Static NAT
This section describes static NAT and includes the following topics:
•

Information About Static NAT, page 29-3

•

Information About Static NAT with Port Translation, page 29-4

•

Information About One-to-Many Static NAT, page 29-6

•

Information About Other Mapping Scenarios (Not Recommended), page 29-7

Information About Static NAT
Static NAT creates a fixed translation of a real address to a mapped address. Because the mapped address
is the same for each consecutive connection, static NAT allows bidirectional connection initiation, both
to and from the host (if an access rule exists that allows it). With dynamic NAT and PAT, on the other
hand, each host uses a different address or port for each subsequent translation, so bidirectional initiation
is not supported.

Cisco ASA 5500 Series Configuration Guide using the CLI

29-3

Chapter 29

Information About NAT

NAT Types

Figure 29-1 shows a typical static NAT scenario. The translation is always active so both real and remote
hosts can initiate connections.
Figure 29-1

Static NAT

Security
Appliance
209.165.201.1

10.1.1.2

209.165.201.2
130035

10.1.1.1

Inside Outside

Information About Static NAT with Port Translation
Static NAT with port translation lets you specify a real and mapped protocol (TCP or UDP) and port.
This section includes the following topics:
•

Information About Static NAT with Port Address Translation, page 29-4

•

Static NAT with Identity Port Translation, page 29-5

•

Static NAT with Port Translation for Non-Standard Ports, page 29-5

•

Static Interface NAT with Port Translation, page 29-5

Information About Static NAT with Port Address Translation
When you specify the port with static NAT, you can choose to map the port and/or the IP address to the
same value or to a different value.
Figure 29-2 shows a typical static NAT with port translation scenario showing both a port that is mapped
to itself and a port that is mapped to a different value; the IP address is mapped to a different value in
both cases. The translation is always active so both translated and remote hosts can initiate connections.
Figure 29-2

Typical Static NAT with Port Translation Scenario

10.1.1.1:23

209.165.201.1:23

10.1.1.2:8080

209.165.201.2:80

Inside Outside

Note

For applications that require application inspection for secondary channels (for example, FTP and VoIP),
the ASA automatically translates the secondary ports.

Cisco ASA 5500 Series Configuration Guide using the CLI

29-4

130044

Security
Appliance

Chapter 29

Information About NAT
NAT Types

Static NAT with Identity Port Translation
The following static NAT with port translation example provides a single address for remote users to
access FTP, HTTP, and SMTP. These servers are actually different devices on the real network, but for
each server, you can specify static NAT with port translation rules that use the same mapped IP address,
but different ports. (See Figure 29-3. See the “Single Address for FTP, HTTP, and SMTP (Static
NAT-with-Port-Translation)” section on page 30-18 for details on how to configure this example.)
Figure 29-3

Static NAT with Port Translation

Host

Undo Translation
209.165.201.3:21
10.1.2.27

Outside

Undo Translation
209.165.201.3:25
10.1.2.29
Undo Translation
209.165.201.3:80
10.1.2.28

Inside

SMTP server
10.1.2.29

HTTP server
10.1.2.28

130031

FTP server
10.1.2.27

Static NAT with Port Translation for Non-Standard Ports
You can also use static NAT with port translation to translate a well-known port to a non-standard port
or vice versa. For example, if inside web servers use port 8080, you can allow outside users to connect
to port 80, and then undo translation to the original port 8080. Similarly, to provide extra security, you
can tell web users to connect to non-standard port 6785, and then undo translation to port 80.

Static Interface NAT with Port Translation
You can configure static NAT to map a real address to an interface address/port combination. For
example, if you want to redirect Telnet access for the ASA outside interface to an inside host, then you
can map the inside host IP address/port 23 to the ASA interface address/port 23. (Note that although
Telnet to the ASA is not allowed to the lowest security interface, static NAT with interface port
translation redirects the Telnet session instead of denying it).

Cisco ASA 5500 Series Configuration Guide using the CLI

29-5

Chapter 29

Information About NAT

NAT Types

Information About One-to-Many Static NAT
Typically, you configure static NAT with a one-to-one mapping. However, in some cases, you might want
to configure a single real address to several mapped addresses (one-to-many). When you configure
one-to-many static NAT, when the real host initiates traffic, it always uses the first mapped address.
However, for traffic initiated to the host, you can initiate traffic to any of the mapped addresses, and they
will be untranslated to the single real address.
Figure 29-4 shows a typical one-to-many static NAT scenario. Because initiation by the real host always
uses the first mapped address, the translation of real host IP/1st mapped IP is technically the only
bidirectional translation.
Figure 29-4

One-to-Many Static NAT

10.1.2.27

209.165.201.3

10.1.2.27

209.165.201.4

10.1.2.27

209.165.201.5
Inside Outside

Cisco ASA 5500 Series Configuration Guide using the CLI

29-6

248771

Security
Appliance

Chapter 29

Information About NAT
NAT Types

For example, you have a load balancer at 10.1.2.27. Depending on the URL requested, it redirects traffic
to the correct web server (see Figure 29-5). (See the “Inside Load Balancer with Multiple Mapped
Addresses (Static NAT, One-to-Many)” section on page 30-17 for details on how to configure this
example.)
Figure 29-5

One-to-Many Static NAT

Host

Undo Translation
209.165.201.5
10.1.2.27

Outside
Undo Translation
209.165.201.3
10.1.2.27

Undo Translation
209.165.201.4
10.1.2.27

Inside

Web Servers

248633

Load Balancer
10.1.2.27

Information About Other Mapping Scenarios (Not Recommended)
The ASA has the flexibility to allow any kind of static mapping scenario: one-to-one, one-to-many, but
also few-to-many, many-to-few, and many-to-one mappings. We recommend using only one-to-one or
one-to-many mappings. These other mapping options might result in unintended consequences.
Functionally, few-to-many is the same as one-to-many; but because the configuration is more
complicated and the actual mappings may not be obvious at a glance, we recommend creating a
one-to-many configuration for each real address that requires it. For example, for a few-to-many
scenario, the few real addresses are mapped to the many mapped addresses in order (A to 1, B to 2, C to
3). When all real addresses are mapped, the next mapped address is mapped to the first real address, and
so on until all mapped addresses are mapped (A to 4, B to 5, C to 6). This results in multiple mapped
addresses for each real address. Just like a one-to-many configuration, only the first mappings are
bidirectional; subsequent mappings allow traffic to be initiated to the real host, but all traffic from the
real host uses only the first mapped address for the source.

Cisco ASA 5500 Series Configuration Guide using the CLI

29-7

Chapter 29

Information About NAT

NAT Types

Figure 29-6 shows a typical few-to-many static NAT scenario.
Few-to-Many Static NAT

Security
Appliance
10.1.2.27

209.165.201.3

10.1.2.28

209.165.201.4

10.1.2.27

209.165.201.5

10.1.2.28

209.165.201.6

10.1.2.27

209.165.201.7

248769

Figure 29-6

Inside Outside

For a many-to-few or many-to-one configuration, where you have more real addresses than mapped
addresses, you run out of mapped addresses before you run out of real addresses. Only the mappings
between the lowest real IP addresses and the mapped pool result in bidirectional initiation. The
remaining higher real addresses can initiate traffic, but traffic cannot be initiated to them (returning
traffic for a connection is directed to the correct real address because of the unique 5-tuple (source IP,
destination IP, source port, destination port, protocol) for the connection).

Note

Many-to-few or many-to-one NAT is not PAT. If two real hosts use the same source port number and go
to the same outside server and the same TCP destination port, and both hosts are translated to the same
IP address, then both connections will be reset because of an address conflict (the 5-tuple is not unique).
Figure 29-7 shows a typical many-to-few static NAT scenario.
Many-to-Few Static NAT

Security
Appliance
10.1.2.27

209.165.201.3

10.1.2.28

209.165.201.4

10.1.2.29

209.165.201.3

10.1.2.30

209.165.201.4

10.1.2.31

209.165.201.3

248770

Figure 29-7

Inside Outside

Instead of using a static rule this way, we suggest that you create a one-to-one rule for the traffic that
needs bidirectional initiation, and then create a dynamic rule for the rest of your addresses.

Dynamic NAT
This section describes dynamic NAT and includes the following topics:
•

Information About Dynamic NAT, page 29-9

•

Dynamic NAT Disadvantages and Advantages, page 29-10

Cisco ASA 5500 Series Configuration Guide using the CLI

29-8

Chapter 29

Information About NAT
NAT Types

Information About Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the
destination network. The mapped pool typically includes fewer addresses than the real group. When a
host you want to translate accesses the destination network, the ASA assigns the host an IP address from
the mapped pool. The translation is created only when the real host initiates the connection. The
translation is in place only for the duration of the connection, and a given user does not keep the same
IP address after the translation times out. Users on the destination network, therefore, cannot initiate a
reliable connection to a host that uses dynamic NAT, even if the connection is allowed by an access rule.
Figure 29-8 shows a typical dynamic NAT scenario. Only real hosts can create a NAT session, and
responding traffic is allowed back.
Figure 29-8

Dynamic NAT

Security
Appliance
209.165.201.1

10.1.1.2

209.165.201.2
130032

10.1.1.1

Inside Outside

Figure 29-9 shows a remote host attempting to initiate a connection to a mapped address. This address
is not currently in the translation table; therefore, the ASA drops the packet.
Figure 29-9

Remote Host Attempts to Initiate a Connection to a Mapped Address

Web Server
www.example.com

Outside
209.165.201.2
Security
Appliance

209.165.201.10

10.1.2.1

132217

Inside

10.1.2.27

Cisco ASA 5500 Series Configuration Guide using the CLI

29-9

Chapter 29

Information About NAT

NAT Types

Note

For the duration of the translation, a remote host can initiate a connection to the translated host if an
access rule allows it. Because the address is unpredictable, a connection to the host is unlikely.
Nevertheless, in this case you can rely on the security of the access rule.

Dynamic NAT Disadvantages and Advantages
Dynamic NAT has these disadvantages:
•

If the mapped pool has fewer addresses than the real group, you could run out of addresses if the
amount of traffic is more than expected.
Use PAT or a PAT fallback method if this event occurs often because PAT provides over 64,000
translations using ports of a single address.

•

You have to use a large number of routable addresses in the mapped pool, and routable addresses
may not be available in large quantities.

The advantage of dynamic NAT is that some protocols cannot use PAT. PAT does not work with the
following:
•

IP protocols that do not have a port to overload, such as GRE version 0.

•

Some multimedia applications that have a data stream on one port, the control path on another port,
and are not open standard.

See the “Default Settings” section on page 42-4 for more information about NAT and PAT support.

Dynamic PAT
This section describes dynamic PAT and includes the following topics:
•

Information About Dynamic PAT, page 29-10

•

Dynamic PAT Disadvantages and Advantages, page 29-11

Information About Dynamic PAT
Dynamic PAT translates multiple real addresses to a single mapped IP address by translating the real
address and source port to the mapped address and a unique port. If available, the real source port number
is used for the mapped port. However, if the real port is not available, by default the mapped ports are
chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535.
Therefore, ports below 1024 have only a small PAT pool that can be used. (8.4(3) and later, not including
8.5(1) or 8.6(1)) If you have a lot of traffic that uses the lower port ranges, you can now specify a flat
range of ports to be used instead of the three unequal-sized tiers.
Each connection requires a separate translation session because the source port differs for each
connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.

Cisco ASA 5500 Series Configuration Guide using the CLI

29-10

Chapter 29

Information About NAT
NAT Types

Figure 29-10 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and
responding traffic is allowed back. The mapped address is the same for each translation, but the port is
dynamically assigned.
Figure 29-10

Dynamic PAT

209.165.201.1:2020

10.1.1.1:1026

209.165.201.1:2021

10.1.1.2:1025

209.165.201.1:2022
Inside Outside

130034

Security
Appliance
10.1.1.1:1025

After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout
is not configurable. Users on the destination network cannot reliably initiate a connection to a host that
uses PAT (even if the connection is allowed by an access rule).

Note

For the duration of the translation, a remote host can initiate a connection to the translated host if an
access rule allows it. Because the port address (both real and mapped) is unpredictable, a connection to
the host is unlikely. Nevertheless, in this case you can rely on the security of the access rule.

Dynamic PAT Disadvantages and Advantages
Dynamic PAT lets you use a single mapped address, thus conserving routable addresses. You can even
use the ASA interface IP address as the PAT address.
Dynamic PAT does not work with some multimedia applications that have a data stream that is different
from the control path. See the “Default Settings” section on page 42-4 for more information about NAT
and PAT support.
Dynamic PAT may also create a large number of connections appearing to come from a single IP address,
and servers might interpret the traffic as a DoS attack. (8.4(2)/8.5(1) and later) You can configure a PAT
pool of addresses and use a round-robin assignment of PAT addresses to mitigate this situation.

Identity NAT
You might have a NAT configuration in which you need to translate an IP address to itself. For example,
if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT,
you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote
access VPN, where you need to exempt the client traffic from NAT.

Cisco ASA 5500 Series Configuration Guide using the CLI

29-11

Chapter 29

Information About NAT

NAT in Routed and Transparent Mode

Figure 29-11 shows a typical identity NAT scenario.
Figure 29-11

Identity NAT

209.165.201.1

209.165.201.2

Inside Outside

130036

Security
Appliance

NAT in Routed and Transparent Mode
You can configure NAT in both routed and transparent firewall mode. This section describes typical
usage for each firewall mode and includes the following topics:
•

NAT in Routed Mode, page 29-13

•

NAT in Transparent Mode, page 29-13

Cisco ASA 5500 Series Configuration Guide using the CLI

29-12

Chapter 29

Information About NAT
NAT in Routed and Transparent Mode

NAT in Routed Mode
Figure 29-12 shows a typical NAT example in routed mode, with a private network on the inside.
Figure 29-12

NAT Example: Routed Mode

Web Server
www.cisco.com

Outside
209.165.201.2
Originating
Packet

Security
Appliance

Translation
10.1.2.27
209.165.201.10

Responding
Packet
Undo Translation
209.165.201.10
10.1.2.27

10.1.2.1

10.1.2.27

130023

Inside

When the inside host at 10.1.2.27 sends a packet to a web server, the real source address of the
packet, 10.1.2.27, is changed to a mapped address, 209.165.201.10.

When the server responds, it sends the response to the mapped address, 209.165.201.10, and the
ASA receives the packet because the ASA performs proxy ARP to claim the packet.

The ASA then changes the translation of the mapped address, 209.165.201.10, back to the real
address, 10.1.2.27, before sending it to the host.

NAT in Transparent Mode
Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform
NAT for their networks.
NAT in transparent mode has the following requirements and limitations:
•

Because the transparent firewall does not have any interface IP addresses, you cannot use interface
PAT.

•

ARP inspection is not supported. Moreover, if for some reason a host on one side of the ASA sends
an ARP request to a host on the other side of the ASA, and the initiating host real address is mapped
to a different address on the same subnet, then the real address remains visible in the ARP request.

Figure 29-13 shows a typical NAT scenario in transparent mode, with the same network on the inside
and outside interfaces. The transparent firewall in this scenario is performing the NAT service so that the
upstream router does not have to perform NAT.

Cisco ASA 5500 Series Configuration Guide using the CLI

29-13

Chapter 29

Information About NAT

NAT for VPN

Figure 29-13

NAT Example: Transparent Mode

www.example.com

Internet
Static route on router:
209.165.201.0/27 to 10.1.1.1

Source Addr Translation
10.1.1.75
209.165.201.15

Static route on ASA:
192.168.1.0/24 to 10.1.1.3
10.1.1.2
Management IP
10.1.1.1
ASA
10.1.1.75
10.1.1.3

Source Addr Translation
192.168.1.2
209.165.201.10

250261

192.168.1.1
Network 2
192.168.1.2

When the inside host at 10.1.1.75 sends a packet to a web server, the real source address of the
packet, 10.1.1.75, is changed to a mapped address, 209.165.201.15.

When the server responds, it sends the response to the mapped address, 209.165.201.15, and the
ASA receives the packet because the upstream router includes this mapped network in a static route
directed to the ASA management IP address. See the “Mapped Addresses and Routing” section on
page 29-22 for more information about required routes.

The ASA then undoes the translation of the mapped address, 209.165.201.15, back to the real
address, 10.1.1.1.75. Because the real address is directly-connected, the ASA sends it directly to the
host.

For host 192.168.1.2, the same process occurs, except for returning traffic, the ASA looks up the
route in its routing table and sends the packet to the downstream router at 10.1.1.3 based on the ASA
static route for 192.168.1.0/24. See the “Transparent Mode Routing Requirements for Remote
Networks” section on page 29-24 for more information about required routes.

NAT for VPN
If you do not allow split-tunneling, then all VPN traffic, even traffic destined for the Internet, goes
through the VPN tunnel. VPN traffic, after being decrypted by the ASA, is essentially the same as any
other inside traffic: when an inside user needs to access the Internet, they need a public IP address
provided by NAT.

Cisco ASA 5500 Series Configuration Guide using the CLI

29-14

Information About NAT
NAT for VPN

Figure 29-14 shows a VPN client that wants to visit a website at www.example.com. In this example, an
interface PAT rule on the outside interface matches the VPN-assigned address 10.1.1.10. With
intra-interface communication enabled, traffic can exit the same interface it entered to reach
www.example.com. A similar example without the need for hairpin networking includes an ASA for
VPN termination, and a separate ASA with NAT as the Internet gateway.
Figure 29-14

Interface PAT for Internet-Bound VPN Traffic (Hairpin, Intra-Interface)

2. ASA replaces src address with local address 1. HTTP request to www.example.com
209.165.201.10

Src: 209.165.201.10

10.1.1.10

ASA Outside IP: 203.0.113.1
Inside

VPN Client
209.165.201.10

Internet

Inside Server
203.0.113.1:6070

Src: 203.0.113.1:6070 www.example.com
3. ASA performs interface PAT for outgoing traffic.
Note: This “hairpin” traffic flow requires you to enable 4. HTTP request to www.example.com
intra-interface communication.

331396

10.1.1.10

Figure 29-15 also shows an interface PAT rule for Internet-bound traffic. However, for any
communication between VPN endpoints such as the ends of a site-to-site tunnel, you do not want to
perform NAT. Therefore you also need to create an identity NAT rule (using twice NAT) for any traffic
that goes to other inside networks connected by VPN.
Figure 29-15

Identity NAT to Allow Communication Between VPN Sites and Clients

2. Identity NAT for 10.1.1.0, 10.2.2.0, & 10.3.3.0
networks when going to other inside networks
connected by VPN
San Jose VPN Client
10.1.1.6
10.1.1.6
VPN IP: 10.3.3.2
1. IM to 10.2.2.78
3. IM received
Src: 10.1.1.6

Src: 10.1.1.6

Internet

10.1.1.6

Boulder

ASA
10.1.1.6

Site-to-Site VPN Tunnel

203.0.113.1:6070

San Jose
ASA

10.2.2.78
www.example.com

Src: 10.1.1.6

B. ASA performs interface PAT for
outgoing traffic. Note: For remote access
A. HTTP to
VPN Clients, this “hairpin” traffic flow
www.example.com requires you to enable
Src: 203.0.113.1:6070
intra-interface communication.
C. HTTP request to www.example.com

331395

Chapter 29

Cisco ASA 5500 Series Configuration Guide using the CLI

29-15

Chapter 29

Information About NAT

How NAT is Implemented

How NAT is Implemented
The ASA can implement address translation in two ways: network object NAT and twice NAT. This
section includes the following topics:
•

Main Differences Between Network Object NAT and Twice NAT, page 29-16

•

Information About Network Object NAT, page 29-17

•

Information About Twice NAT, page 29-17

Main Differences Between Network Object NAT and Twice NAT
The main differences between these two NAT types are:
•

How you define the real address.
– Network object NAT—You define NAT as a parameter for a network object. A network object

names an IP host, range, or subnet so you can then use the object in configuration instead of the
actual IP addresses. The network object IP address serves as the real address. This method lets
you easily add NAT to network objects that might already be used in other parts of your
configuration.
– Twice NAT—You identify a network object or network object group for both the real and

mapped addresses. In this case, NAT is not a parameter of the network object; the network object
or group is a parameter of the NAT configuration. The ability to use a network object group for
the real address means that twice NAT is more scalable.
•

How source and destination NAT is implemented.
– Network object NAT— Each rule can apply to either the source or destination of a packet. So

two rules might be used, one for the source IP address, and one for the destination IP address.
These two rules cannot be tied together to enforce a specific translation for a source/destination
combination.
– Twice NAT—A single rule translates both the source and destination. A matching packet only

matches the one rule, and further rules are not checked. Even if you do not configure the
optional destination address for twice NAT, a matching packet still only matches one twice NAT
rule. The source and destination are tied together, so you can enforce different translations
depending on the source/destination combination. For example, sourceA/destinationA can have
a different translation than sourceA/destinationB.
•

Order of NAT Rules.
– Network object NAT—Automatically ordered in the NAT table.
– Twice NAT—Manually ordered in the NAT table (before or after network object NAT rules).

See the “NAT Rule Order” section on page 29-20 for more information.
We recommend using network object NAT unless you need the extra features that twice NAT provides.
Network object NAT is easier to configure, and might be more reliable for applications such as Voice
over IP (VoIP). (For VoIP, because twice NAT is applicable only between two objects, you might see a
failure in the translation of indirect addresses that do not belong to either of the objects.)

Cisco ASA 5500 Series Configuration Guide using the CLI

29-16

Chapter 29

Information About NAT
How NAT is Implemented

Information About Network Object NAT
All NAT rules that are configured as a parameter of a network object are considered to be network object
NAT rules. Network object NAT is a quick and easy way to configure NAT for a network object, which
can be a single IP address, a range of addresses, or a subnet.
After you configure the network object, you can then identify the mapped address for that object, either
as an inline address or as another network object or network object group.
When a packet enters the ASA, both the source and destination IP addresses are checked against the
network object NAT rules. The source and destination address in the packet can be translated by separate
rules if separate matches are made. These rules are not tied to each other; different combinations of rules
can be used depending on the traffic.
Because the rules are never paired, you cannot specify that sourceA/destinationA should have a different
translation than sourceA/destinationB. Use twice NAT for that kind of functionality (twice NAT lets you
identify the source and destination address in a single rule).
To start configuring network object NAT, see Chapter 30, “Configuring Network Object NAT.”

Information About Twice NAT
Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the
source and destination addresses lets you specify that sourceA/destinationA can have a different
translation than sourceA/destinationB.
The destination address is optional. If you specify the destination address, you can either map it to itself
(identity NAT), or you can map it to a different address. The destination mapping is always a static
mapping.
Twice NAT also lets you use service objects for static NAT with port translation; network object NAT
only accepts inline definition.
To start configuring twice NAT, see Chapter 31, “Configuring Twice NAT.”
Figure 29-16 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host
accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129. When the host
accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130. (See the
“Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation)” section on page 30-18
for details on how to configure this example.)

Cisco ASA 5500 Series Configuration Guide using the CLI

29-17

Chapter 29

Information About NAT

How NAT is Implemented

Figure 29-16

Twice NAT with Different Destination Addresses

Server 1
209.165.201.11

Server 2
209.165.200.225

209.165.201.0/27

209.165.200.224/27
DMZ

Translation
10.1.2.27
209.165.202.129

Translation
10.1.2.27
209.165.202.130

Inside

Packet
Dest. Address:
209.165.201.11

10.1.2.27

Packet
Dest. Address:
209.165.200.225

130039

10.1.2.0/24

Figure 29-17 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses
a single host for both web services and Telnet services. When the host accesses the server for web
services, the real address is translated to 209.165.202.129. When the host accesses the same server for
Telnet services, the real address is translated to 209.165.202.130.
Figure 29-17

Twice NAT with Different Destination Ports

Cisco ASA 5500 Series Configuration Guide using the CLI

29-18

Information About NAT
How NAT is Implemented

Figure 29-18 shows a remote host connecting to a mapped host. The mapped host has a twice static NAT
translation that translates the real address only for traffic to and from the 209.165.201.0/27 network. A
translation does not exist for the 209.165.200.224/27 network, so the translated host cannot connect to
that network, nor can a host on that network connect to the translated host.
Figure 29-18

Twice Static NAT with Destination Address Translation

209.165.201.11

209.165.200.225

209.165.201.0/27

209.165.200.224/27
DMZ

No Translation

Undo Translation
10.1.2.27
209.165.202.128

Inside
10.1.2.0/27

10.1.2.27

130037

Chapter 29

Cisco ASA 5500 Series Configuration Guide using the CLI

29-19

Chapter 29

Information About NAT

NAT Rule Order

NAT Rule Order
Network object NAT rules and twice NAT rules are stored in a single table that is divided into three
sections. Section 1 rules are applied first, then section 2, and finally section 3. Table 29-1 shows the
order of rules within each section.
Table 29-1

NAT Rule Table

Table Section Rule Type

Order of Rules within the Section

Section 1

Applied on a first match basis, in the order they appear in the
configuration. By default, twice NAT rules are added to
section 1.

Twice NAT

Note

Section 2

If you configure EasyVPN remote, the ASA
dynamically adds invisible NAT rules to the end of this
section. Be sure that you do not configure a twice NAT
rule in this section that might match your VPN traffic,
instead of matching the invisible rule. If VPN does not
work due to NAT failure, consider adding twice NAT
rules to section 3 instead.

Network object NAT Section 2 rules are applied in the following order, as
automatically determined by the ASA:
1.

Static rules.

Dynamic rules.

Within each rule type, the following ordering guidelines are
used:
a. Quantity of real IP addresses—From smallest to

largest. For example, an object with one address will
be assessed before an object with 10 addresses.
b. For quantities that are the same, then the IP address

number is used, from lowest to highest. For example,
10.1.1.0 is assessed before 11.1.1.0.
c. If the same IP address is used, then the name of the

network object is used, in alphabetical order. For
example, abracadabra is assessed before catwoman.
Section 3

Twice NAT

Section 3 rules are applied on a first match basis, in the order
they appear in the configuration. You can specify whether to
add a twice NAT rule to section 3 when you add the rule.

For section 2 rules, for example, you have the following IP addresses defined within network objects:
192.168.1.0/24 (static)
192.168.1.0/24 (dynamic)
10.1.1.0/24 (static)
192.168.1.1/32 (static)
172.16.1.0/24 (dynamic) (object def)
172.16.1.0/24 (dynamic) (object abc)

Cisco ASA 5500 Series Configuration Guide using the CLI

29-20

Chapter 29

Information About NAT
NAT Interfaces

The resultant ordering would be:
192.168.1.1/32 (static)
10.1.1.0/24 (static)
192.168.1.0/24 (static)
172.16.1.0/24 (dynamic) (object abc)
172.16.1.0/24 (dynamic) (object def)
192.168.1.0/24 (dynamic)

NAT Interfaces
You can configure a NAT rule to apply to any interface (in other words, all interfaces), or you can identify
specific real and mapped interfaces. You can also specify any interface for the real address, and a specific
interface for the mapped address, or vice versa.
For example, you might want to specify any interface for the real address and specify the outside
interface for the mapped address if you use the same private addresses on multiple interfaces, and you
want to translate them all to the same global pool when accessing the outside (Figure 29-19).
Figure 29-19

Specifying Any Interface

Outside
10.1.2.0

209.165.201.1:xxxx
Security
Appliance

any

Note

Eng

10.1.2.0
Mktg

10.1.2.0
HR

248768

10.1.2.0

For transparent mode, you must choose specific source and destination interfaces.

Routing NAT Packets
The ASA needs to be the destination for any packets sent to the mapped address. The ASA also needs to
determine the egress interface for translated packets. This section describes how the ASA handles
accepting and delivering packets with NAT, and includes the following topics:
•

Mapped Addresses and Routing, page 29-22

•

Transparent Mode Routing Requirements for Remote Networks, page 29-24

•

Determining the Egress Interface, page 29-24

Cisco ASA 5500 Series Configuration Guide using the CLI

29-21

Chapter 29

Information About NAT

Routing NAT Packets

Mapped Addresses and Routing
When you translate the real address to a mapped address, the mapped address you choose determines
how to configure routing, if necessary, for the mapped address.
See additional guidelines about mapped IP addresses in Chapter 30, “Configuring Network Object
NAT,” and Chapter 31, “Configuring Twice NAT.”
See the following mapped address types:
•

Addresses on the same network as the mapped interface.
If you use addresses on the same network as the mapped interface, the ASA uses proxy ARP to
answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped
address. This solution simplifies routing because the ASA does not have to be the gateway for any
additional networks. This solution is ideal if the outside network contains an adequate number of
free addresses, a consideration if you are using a 1:1 translation like dynamic NAT or static NAT.
Dynamic PAT greatly extends the number of translations you can use with a small number of
addresses, so even if the available addresses on the outside network is small, this method can be
used. For PAT, you can even use the IP address of the mapped interface.

Note

•

If you configure the mapped interface to be any interface, and you specify a mapped address
on the same network as one of the mapped interfaces, then if an ARP request for that mapped
address comes in on a different interface, then you need to manually configure an ARP entry
for that network on the ingress interface, specifying its MAC address (see the arp
command). Typically, if you specify any interface for the mapped interface, then you use a
unique network for the mapped addresses, so this situation would not occur.

Addresses on a unique network.
If you need more addresses than are available on the mapped interface network, you can identify
addresses on a different subnet. The upstream router needs a static route for the mapped addresses
that points to the ASA. Alternatively for routed mode, you can configure a static route on the ASA
for the mapped addresses, and then redistribute the route using your routing protocol. For
transparent mode, if the real host is directly-connected, configure the static route on the upstream
router to point to the ASA: in 8.3, specify the global management IP address; in 8.4(1) and later,
specify the bridge group IP address. For remote hosts in transparent mode, in the static route on the
upstream router, you can alternatively specify the downstream router IP address.

•

The same address as the real address (identity NAT).
(8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You
cannot configure this setting.
(8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other
static NAT rules. You can disable proxy ARP if desired. Note: You can also disable proxy ARP for
regular static NAT if desired, in which case you need to be sure to have proper routes on the upstream
router.
Normally for identity NAT, proxy ARP is not required, and in some cases can cause connectivity
issues. For example, if you configure a broad identity NAT rule for “any” IP address, then leaving
proxy ARP enabled can cause problems for hosts on the network directly-connected to the mapped
interface. In this case, when a host on the mapped network wants to communicate with another host
on the same network, then the address in the ARP request matches the NAT rule (which matches
“any” address). The ASA will then proxy ARP for the address, even though the packet is not actually
destined for the ASA. (Note that this problem occurs even if you have a twice NAT rule; although

Cisco ASA 5500 Series Configuration Guide using the CLI

29-22

Chapter 29

Information About NAT
Routing NAT Packets

the NAT rule must match both the source and destination addresses, the proxy ARP decision is made
only on the “source” address). If the ASA ARP response is received before the actual host ARP
response, then traffic will be mistakenly sent to the ASA (see Figure 29-20).
Figure 29-20

Proxy ARP Problems with Identity NAT

209.165.200.230
3

ARP Response

Too late
209.165.200.231
209.165.200.225

Inside

Outside

ARP for 209.165.200.230.

Proxy ARP for 209.165.200.230.

Identity NAT for
“any” with Proxy ARP

Traffic incorrectly sent to ASA.

In rare cases, you need proxy ARP for identity NAT; for example for virtual Telnet. When using
AAA for network access, a host needs to authenticate with the ASA using a service like Telnet
before any other traffic can pass. You can configure a virtual Telnet server on the ASA to provide
the necessary login. When accessing the virtual Telnet address from the outside, you must configure
an identity NAT rule for the address specifically for the proxy ARP functionality. Due to internal
processes for virtual Telnet, proxy ARP lets the ASA keep traffic destined for the virtual Telnet
address rather than send the traffic out the source interface according to the NAT rule. (See
Figure 29-21).
Figure 29-21

Proxy ARP and Virtual Telnet

Virtual Telnet:
209.165.200.230
Inside

209.165.201.11
Outside

Server
Identity NAT for
209.165.200.230
between inside and outside
with Proxy ARP

Telnet to 209.165.200.230.

Authenticate.

Communicate with server.

Cisco ASA 5500 Series Configuration Guide using the CLI

29-23

Chapter 29

Information About NAT

DNS and NAT

Transparent Mode Routing Requirements for Remote Networks
If the ASA performs NAT for a host that is not on the directly-connected network, then you need to
configure a static route on the ASA for that network. You also need to have a static route for embedded
IP addresses that are at least one hop away from the ASA (such as in VoIP or DNS traffic) when you
have inspection and NAT enabled.

Determining the Egress Interface
In transparent mode, the ASA determines the egress interface for a NAT packet by using the NAT
configuration; you must specify the source and destination interfaces as part of the NAT configuration.
In routed mode, the ASA determines the egress interface for a NAT packet in the following way:
•

If you specify an optional interface, then the ASA uses the NAT configuration to determine the
egress interface. (8.3(1) through 8.4(1)) The only exception is for identity NAT, which always uses
a route lookup, regardless of the NAT configuration. (8.4(2) and later) For identity NAT, the default
behavior is to use the NAT configuration, but you have the option to always use a route lookup
instead.

•

If you do not specify a specific interface, then the ASA uses a route lookup to determine the egress
interface.

DNS and NAT
You might need to configure the ASA to modify DNS replies by replacing the address in the reply with
an address that matches the NAT configuration. You can configure DNS modification when you
configure each translation rule.
This feature rewrites the A record, or address record, in DNS replies that match a NAT rule. For DNS
replies traversing from a mapped interface to any other interface, the A record is rewritten from the
mapped value to the real value. Inversely, for DNS replies traversing from any interface to a mapped
interface, the A record is rewritten from the real value to the mapped value.

Note

If you configure a twice NAT rule, you cannot configure DNS modification if you specify the source
address as well as the destination address. These kinds of rules can potentially have a different
translation for a single address when going to A vs. B. Therefore, the ASA cannot accurately match the
IP address inside the DNS reply to the correct twice NAT rule; the DNS reply does not contain
information about which source/destination address combination was in the packet that prompted the
DNS request.
Figure 29-22 shows a DNS server that is accessible from the outside interface. A server, ftp.cisco.com,
is on the inside interface. You configure the ASA to statically translate the ftp.cisco.com real address
(10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network. In this case, you
want to enable DNS reply modification on this static rule so that inside users who have access to
ftp.cisco.com using the real address receive the real address from the DNS server, and not the mapped
address. When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server
replies with the mapped address (209.165.201.10). The ASA refers to the static rule for the inside server

Cisco ASA 5500 Series Configuration Guide using the CLI

29-24

Information About NAT
DNS and NAT

and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply
modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing
ftp.cisco.com directly.
Figure 29-22

DNS Reply Modification, DNS Server on Outside

DNS Server

1
DNS Query
ftp.cisco.com?

Outside

DNS Reply
209.165.201.10

Security
Appliance

3
DNS Reply Modification
209.165.201.10
10.1.3.14
Inside

4
DNS Reply
10.1.3.14

User

ftp.cisco.com
10.1.3.14
Static Translation
on Outside to:
209.165.201.10
130021

Chapter 29

5
FTP Request
10.1.3.14

Figure 29-23 shows a user on the inside network requesting the IP address for ftp.cisco.com, which is
on the DMZ network, from an outside DNS server. The DNS server replies with the mapped address
(209.165.201.10) according to the static rule between outside and DMZ even though the user is not on
the DMZ network. The ASA translates the address inside the DNS reply to 10.1.3.14. If the user needs
to access ftp.cisco.com using the real address, then no further configuration is required. If there is also

Cisco ASA 5500 Series Configuration Guide using the CLI

29-25

Chapter 29

Information About NAT

DNS and NAT

a static rule between the inside and DMZ, then you also need to enable DNS reply modification on this
rule. The DNS reply will then be modified two times.In this case, the ASA again translates the address
inside the DNS reply to 192.168.1.10 according to the static rule between inside and DMZ.
Figure 29-23

DNS Reply Modification, DNS Server, Host, and Server on Separate Networks

DNS Server

1
DNS Query
ftp.cisco.com?

2
DNS Reply
209.165.201.10

Outside

ASA

DNS Reply Modification 1
209.165.201.10
10.1.3.14

Static Translation 1
on Outside to:
209.165.201.10
Static Translation 2
on Inside to:
192.168.1.10
ftp.cisco.com
10.1.3.14

DMZ

4
DNS Reply Modification 2
192.168.1.10
10.1.3.14

Inside

Translation
192.168.1.10
10.1.3.14

5
DNS Reply
192.168.1.10

Cisco ASA 5500 Series Configuration Guide using the CLI

29-26

FTP Request
192.168.1.10
User

Chapter 29

Information About NAT
Where to Go Next

Figure 29-24 shows a web server and DNS server on the outside. The ASA has a static translation for
the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS
server, the DNS server responds with the real address, 209.165.20.10. Because you want inside users to
use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply modification for
the static translation.
Figure 29-24

DNS Reply Modification, DNS Server on Host Network

ftp.cisco.com
209.165.201.10
Static Translation on Inside to:
10.1.2.56
DNS Server

7
FTP Request
209.165.201.10

1
DNS Query
ftp.cisco.com?

DNS Reply
209.165.201.10

Outside

6
Dest Addr. Translation
10.1.2.56
209.165.201.10

Security
Appliance

DNS Reply Modification
209.165.201.10
10.1.2.56
Inside

FTP Request
10.1.2.56

User
10.1.2.27

130022

DNS Reply
10.1.2.56

Where to Go Next
To configure network object NAT, see Chapter 30, “Configuring Network Object NAT.”
To configure twice NAT, see Chapter 31, “Configuring Twice NAT.”

Cisco ASA 5500 Series Configuration Guide using the CLI

29-27

Chapter 29
Where to Go Next

Cisco ASA 5500 Series Configuration Guide using the CLI

29-28

Information About NAT

CH A P T E R

Configuring Network Object NAT
All NAT rules that are configured as a parameter of a network object are considered to be network object
NAT rules. Network object NAT is a quick and easy way to configure NAT for a single IP address, a range
of addresses, or a subnet. After you configure the network object, you can then identify the mapped
address for that object.
This chapter describes how to configure network object NAT, and it includes the following sections:

Note

•

Information About Network Object NAT, page 30-1

•

Licensing Requirements for Network Object NAT, page 30-2

•

Prerequisites for Network Object NAT, page 30-2

•

Guidelines and Limitations, page 30-2

•

Default Settings, page 30-3

•

Configuring Network Object NAT, page 30-3

•

Monitoring Network Object NAT, page 30-14

•

Configuration Examples for Network Object NAT, page 30-15

•

Feature History for Network Object NAT, page 30-22

For detailed information about how NAT works, see Chapter 29, “Information About NAT.”

Information About Network Object NAT
When a packet enters the ASA, both the source and destination IP addresses are checked against the
network object NAT rules. The source and destination address in the packet can be translated by separate
rules if separate matches are made. These rules are not tied to each other; different combinations of rules
can be used depending on the traffic.
Because the rules are never paired, you cannot specify that a source address should be translated to A
when going to destination X, but be translated to B when going to destination Y. Use twice NAT for that
kind of functionality (twice NAT lets you identify the source and destination address in a single rule).
For detailed information about the differences between twice NAT and network object NAT, see the
“How NAT is Implemented” section on page 29-16.
Network object NAT rules are added to section 2 of the NAT rules table. For more information about
NAT ordering, see the “NAT Rule Order” section on page 29-20.

Cisco ASA 5500 Series Configuration Guide using the CLI

30-1

Chapter 30

Configuring Network Object NAT

Licensing Requirements for Network Object NAT

Licensing Requirements for Network Object NAT
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Prerequisites for Network Object NAT
Depending on the configuration, you can configure the mapped address inline if desired or you can create
a separate network object or network object group for the mapped address (the object network or
object-group network command). Network object groups are particularly useful for creating a mapped
address pool with discontinous IP address ranges or multiple hosts or subnets. To create a network object
or group, see the “Configuring Objects and Groups” section on page 13-1.
For specific guidelines for objects and groups, see the configuration section for the NAT type you want
to configure. See also the “Guidelines and Limitations” section.

Guidelines and Limitations
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines
•

Supported in routed and transparent firewall mode.

•

In transparent mode, you must specify the real and mapped interfaces; you cannot use any.

•

In transparent mode, you cannot configure interface PAT, because the transparent mode interfaces
do not have IP addresses. You also cannot use the management IP address as a mapped address.

IPv6 Guidelines

Does not support IPv6.
Additional Guidelines
•

You can only define a single NAT rule for a given object; if you want to configure multiple NAT
rules for an object, you need to create multiple objects with different names that specify the same
IP address, for example, object network obj-10.10.10.1-01, object network obj-10.10.10.1-02,
and so on.

Cisco ASA 5500 Series Configuration Guide using the CLI

30-2

Chapter 30

Configuring Network Object NAT
Default Settings

•

If you change the NAT configuration, and you do not want to wait for existing translations to time
out before the new NAT configuration is used, you can clear the translation table using the clear
xlate command. However, clearing the translation table disconnects all current connections that use
translations.

If you remove a dynamic NAT or PAT rule, and then add a new rule with mapped addresses
that overlap the addresses in the removed rule, then the new rule will not be used until all
connections associated with the removed rule time out or are cleared using the clear xlate
command. This safeguard ensures that the same address is not assigned to multiple hosts.

Note

•

Objects and object groups used in NAT cannot be undefined; they must include IP addresses.

•

You can use the same mapped object or group in multiple NAT rules.

•

The mapped IP address pool cannot include:
– The mapped interface IP address. If you specify any interface for the rule, then all interface IP

addresses are disallowed. For interface PAT (routed mode only), use the interface keyword
instead of the IP address.
– (Transparent mode) The management IP address.
– (Dynamic NAT) The standby interface IP address when VPN is enabled.
– Existing VPN pool addresses.
•

For application inspection limitations with NAT or PAT, see the “Default Settings” section on
page 42-4 in Chapter 42, “Getting Started with Application Layer Protocol Inspection.”

Default Settings
•

(Routed mode) The default real and mapped interface is Any, which applies the rule to all interfaces.

•

(8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You
cannot configure this setting. (8.4(2) and later) The default behavior for identity NAT has proxy
ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired. See the
“Routing NAT Packets” section on page 29-21 for more information.

•

Configuring Network Object NAT
This section describes how to configure network object NAT and includes the following topics:
•

Configuring Dynamic NAT, page 30-4

•

Configuring Dynamic PAT (Hide), page 30-6

•

Configuring Static NAT or Static NAT-with-Port-Translation, page 30-10

•

Configuring Identity NAT, page 30-12

Cisco ASA 5500 Series Configuration Guide using the CLI

30-3

Chapter 30

Configuring Network Object NAT

Configuring Dynamic NAT
This section describes how to configure network object NAT for dynamic NAT. For more information,
see the “Dynamic NAT” section on page 29-8.

Detailed Steps

Step 1

Command

Purpose

Network object:

To specify the mapped addresses (that you want to translate to),
configure a network object or network object group. A network
object group can contain objects and/or inline addresses.

object network obj_name
range ip_address_1 ip_address_2

Network object group:
object-group network grp_name
{network-object {object net_obj_name |
host ip_address} |
group-object grp_obj_name}

Note

The object or group cannot contain a subnet.

If a mapped network object contains both ranges and host IP
addresses, then the ranges are used for dynamic NAT, and then the
host IP addresses are used as a PAT fallback.
See the “Guidelines and Limitations” section on page 30-2 for
information about disallowed mapped IP addresses.

Example:
hostname(config)# object network TEST
hostname(config-network-object)# range
10.1.1.1 10.1.1.70

For more information about configuring a network object or group,
see the “Configuring Objects” section on page 13-3.

hostname(config)# object network TEST2
hostname(config-network-object)# range
10.1.2.1 10.1.2.70
hostname(config-network-object)#
object-group network MAPPED_IPS
hostname(config-network)# network-object
object TEST
hostname(config-network)# network-object
object TEST2
hostname(config-network)# network-object
host 10.1.2.79

Step 2

object network obj_name

Example:

Configures a network object for which you want to configure NAT,
or enters object network configuration mode for an existing network
object.

hostname(config)# object network
my-host-obj1

Step 3

{host ip_address | subnet subnet_address
netmask | range ip_address_1 ip_address_2}

Example:
hostname(config-network-object)# subnet
10.1.1.0 255.255.255.0

Cisco ASA 5500 Series Configuration Guide using the CLI

30-4

If you are creating a new network object, defines the real IP
address(es) that you want to translate.

Chapter 30

Configuring Network Object NAT
Configuring Network Object NAT

Step 4

Command

Purpose

nat [(real_ifc,mapped_ifc)] dynamic
mapped_obj [interface] [dns]

Configures dynamic NAT for the object IP addresses.
Note

You can only define a single NAT rule for a given object. See
the “Additional Guidelines” section on page 30-2.

Example:
hostname(config-network-object)# nat
(inside,outside) dynamic MAPPED_IPS
interface

See the following guidelines:
•

Interfaces—(Required for transparent mode) Specify the real
and mapped interfaces. Be sure to include the parentheses in
your command. In routed mode, if you do not specify the real
and mapped interfaces, all interfaces are used; you can also
specify the keyword any for one or both of the interfaces.

•

Mapped IP address—Specify the mapped IP address as:
– An existing network object (see Step 1).
– An existing network object group (see Step 1).

•

Interface PAT fallback—(Optional) The interface keyword
enables interface PAT fallback. After the mapped IP addresses
are used up, then the IP address of the mapped interface is used.
For this option, you must configure a specific interface for the
mapped_ifc. (You cannot specify interface in transparent
mode).

•

DNS—(Optional) The dns keyword translates DNS replies. Be
sure DNS inspection is enabled (it is enabled by default). See the
“DNS and NAT” section on page 29-24 for more information.

Examples
The following example configures dynamic NAT that hides 192.168.2.0 network behind a range of
outside addresses 10.2.2.1 through 10.2.2.10:
hostname(config)# object network
hostname(config-network-object)#
hostname(config)# object network
hostname(config-network-object)#
hostname(config-network-object)#

my-range-obj
range 10.2.2.1 10.2.2.10
my-inside-net
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic my-range-obj

The following example configures dynamic NAT with dynamic PAT backup. Hosts on inside network
10.76.11.0 are mapped first to the nat-range1 pool (10.10.10.10-10.10.10.20). After all addresses in the
nat-range1 pool are allocated, dynamic PAT is performed using the pat-ip1 address (10.10.10.21). In the
unlikely event that the PAT translations are also use up, dynamic PAT is performed using the outside
interface address.
hostname(config)# object network nat-range1
hostname(config-network-object)# range 10.10.10.10 10.10.10.20
hostname(config-network-object)# object network pat-ip1
hostname(config-network-object)# host 10.10.10.21
hostname(config-network-object)# object-group network nat-pat-grp
hostname(config-network-object)# network-object object nat-range1
hostname(config-network-object)# network-object object pat-ip1
hostname(config-network-object)# object network my_net_obj5
hostname(config-network-object)# subnet 10.76.11.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic nat-pat-grp interface

Cisco ASA 5500 Series Configuration Guide using the CLI

30-5

Chapter 30

Configuring Network Object NAT

Configuring Dynamic PAT (Hide)
This section describes how to configure network object NAT for dynamic PAT (hide). For more
information, see the “Dynamic PAT” section on page 29-10.

Guidelines
For a PAT pool:
•

If available, the real source port number is used for the mapped port. However, if the real port is not
available, by default the mapped ports are chosen from the same range of ports as the real port
number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small
PAT pool that can be used. (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you have a lot of traffic
that uses the lower port ranges, you can now specify a flat range of ports to be used instead of the
three unequal-sized tiers: either 1024 to 65535, or 1 to 65535.

•

(8.4(3) and later, not including 8.5(1) or 8.6(1)) If you use the same PAT pool object in two separate
rules, then be sure to specify the same options for each rule. For example, if one rule specifies
extended PAT and a flat range, then the other rule must also specify extended PAT and a flat range.

For extended PAT for a PAT pool (8.4(3) and later, not including 8.5(1) or 8.6(1)):
•

Many application inspections do not support extended PAT. See the “Default Settings” section on
page 42-4 in Chapter 42, “Getting Started with Application Layer Protocol Inspection,” for a
complete list of unsupported inspections.

•

If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT
pool as the PAT address in a separate static NAT-with-port-translation rule. For example, if the PAT
pool includes 10.1.1.1, then you cannot create a static NAT-with-port-translation rule using 10.1.1.1
as the PAT address.

•

If you use a PAT pool and specify an interface for fallback, you cannot specify extended PAT.

•

For VoIP deployments that use ICE or TURN, do not use extended PAT. ICE and TURN rely on the
PAT binding to be the same for all destinations.

For round robin for a PAT pool:
•

(8.4(3) and later, not including 8.5(1) or 8.6(1)) If a host has an existing connection, then subsequent
connections from that host will use the same PAT IP address if ports are available. Note: This
“stickiness” does not survive a failover. If the ASA fails over, then subsequent connections from a
host may not use the initial IP address.

•

(8.4(2), 8.5(1), and 8.6(1)) If a host has an existing connection, then subsequent connections from
that host will likely use different PAT addresses for each connection because of the round robin
allocation. In this case, you may have problems when accessing two websites that exchange
information about the host, for example an e-commerce site and a payment site. When these sites
see two different IP addresses for what is supposed to be a single host, the transaction may fail.

•

Round robin, especially when combined with extended PAT, can consume a large amount of
memory. Because NAT pools are created for every mapped protocol/IP address/port range, round
robin results in a large number of concurrent NAT pools, which use memory. Extended PAT results
in an even larger number of concurrent NAT pools.

Cisco ASA 5500 Series Configuration Guide using the CLI

30-6

Chapter 30

Configuring Network Object NAT
Configuring Network Object NAT

Detailed Steps

Step 1

Command

Purpose

(Optional)

Specify the mapped address(es) (that you want to translate to).
You can configure a single address or, for a PAT pool, multiple
addresses. Configure a network object or network object group. A
network object group can contain objects and/or inline addresses.
Alternatively, you can skip this step if you want to enter a single
IP address as an inline value for the nat command or if you want
to use the interface address by specifying the interface keyword.

Network object:
object network obj_name
{host ip_address | range ip_address_1
ip_address_2}

Network object group:
object-group network grp_name
{network-object {object net_obj_name |
host ip_address} |
group-object grp_obj_name}

Example:
hostname(config)# object network PAT_POOL1
hostname(config-network-object)# range
10.5.1.80 10.7.1.80

For mapped addresses used as a PAT pool, all addresses in the
object or group, including ranges, are used as PAT addresses.
Note

The object or group cannot contain a subnet.

See the “Guidelines and Limitations” section on page 30-2 for
information about disallowed mapped IP addresses.
For more information about configuring a network object or
group, see the “Configuring Objects” section on page 13-3.

hostname(config)# object network PAT_POOL2
hostname(config-network-object)# range
10.9.1.1 10.10.1.1
hostname(config)# object network PAT_IP
hostname(config-network-object)# host
10.5.1.79
hostname(config-network-object)#
object-group network PAT_POOLS
hostname(config-network)# network-object
object PAT_POOL1
hostname(config-network)# network-object
object PAT_POOL2
hostname(config-network)# network-object
object PAT_IP

Step 2

object network obj_name

Example:

Configures a network object for which you want to configure
NAT, or enters object network configuration mode for an existing
network object.

hostname(config)# object network
my-host-obj1

Step 3

{host ip_address | subnet subnet_address
netmask | range ip_address_1 ip_address_2}

If you are creating a new network object, defines the real IP
address(es) that you want to translate.

Example:
hostname(config-network-object)# range
10.1.1.1 10.1.1.90

Cisco ASA 5500 Series Configuration Guide using the CLI

30-7

Chapter 30

Configuring Network Object NAT

Step 4

Command

Purpose

nat [(real_ifc,mapped_ifc)] dynamic
{mapped_inline_host_ip | mapped_obj |
pat-pool mapped_obj [round-robin]
[extended] [flat [include-reserve]] |
interface} [interface] [dns]

Configures dynamic PAT for the object IP addresses. You can
only define a single NAT rule for a given object. See the
“Additional Guidelines” section on page 30-2.
See the following guidelines:
•

•

Mapped IP address—You can specify the mapped IP address
as:

Example:
hostname(config-network-object)# nat
(any,outside) dynamic interface

– An inline host address.
– An existing network object that is defined as a host

address (see Step 1).
– pat-pool—An existing network object or group that

contains multiple addresses.
– interface—(Routed mode only) The IP address of the

mapped interface is used as the mapped address. For this
option, you must configure a specific interface for the
mapped_ifc. You must use this keyword when you want
to use the interface IP address; you cannot enter it inline
or as an object.
•

For a PAT pool, you can specify one or more of the following
options:
– Round robin—The round-robin keyword enables

round-robin address allocation for a PAT pool. Without
round robin, by default all ports for a PAT address will be
allocated before the next PAT address is used. The
round-robin method assigns an address/port from each
PAT address in the pool before returning to use the first
address again, and then the second address, and so on.
(continued)

Cisco ASA 5500 Series Configuration Guide using the CLI

30-8

Chapter 30

Configuring Network Object NAT
Configuring Network Object NAT

Command

Purpose
(continued)
– Extended PAT—(8.4(3) and later, not including 8.5(1) or

8.6(1)) The extended keyword enables extended PAT.
Extended PAT uses 65535 ports per service, as opposed
to per IP address, by including the destination address
and port in the translation information. Normally, the
destination port and address are not considered when
creating PAT translations, so you are limited to 65535
ports per PAT address. For example, with extended PAT,
you can create a translation of 10.1.1.1:1027 when going
to 192.168.1.7:23 as well as a translation of
10.1.1.1:1027 when going to 192.168.1.7:80.
– Flat range—(8.4(3) and later, not including 8.5(1) or

8.6(1)) The flat keyword enables use of the entire 1024
to 65535 port range when allocating ports. When
choosing the mapped port number for a translation, the
ASA uses the real source port number if it is available.
However, without this option, if the real port is not
available, by default the mapped ports are chosen from
the same range of ports as the real port number: 1 to 511,
512 to 1023, and 1024 to 65535. To avoid running out of
ports at the low ranges, configure this setting. To use the
entire range of 1 to 65535, also specify the
include-reserve keyword.
•

Interface PAT fallback—(Optional) The interface keyword
enables interface PAT fallback when entered after a primary
PAT address. After the primary PAT address(es) are used up,
then the IP address of the mapped interface is used. For this
option, you must configure a specific interface for the
mapped_ifc. (You cannot specify interface in transparent
mode).

•

DNS—(Optional) The dns keyword translates DNS replies.
Be sure DNS inspection is enabled (it is enabled by default).
See the “DNS and NAT” section on page 29-24 for more
information.

Examples
The following example configures dynamic PAT that hides the 192.168.2.0 network behind address
10.2.2.2:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 10.2.2.2

The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside
interface address:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface

Cisco ASA 5500 Series Configuration Guide using the CLI

30-9

Chapter 30

Configuring Network Object NAT

Configuring Static NAT or Static NAT-with-Port-Translation
This section describes how to configure a static NAT rule using network object NAT. For more
information, see the “Static NAT” section on page 29-3.

Detailed Steps

Step 1

Command

Purpose

(Optional)

To specify the mapped addresses (that you want to translate to),
configure a network object or network object group. A network
object group can contain objects and/or inline addresses.
Alternatively, you can skip this step if you want to enter the
IP addresses as an inline value for the nat command or if you want
to use the interface address (for static NAT-with-port-translation)
by specifying the interface keyword.

Network object:
object network obj_name
{host ip_address |
subnet subnet_address netmask |
range ip_address_1 ip_address_2}

Network object group:
object-group network grp_name
{network-object {object net_obj_name |
subnet_address netmask |
host ip_address} |
group-object grp_obj_name}

Example:
hostname(config)# object network
MAPPED_IPS
hostname(config-network-object)# subnet
10.1.1.0 255.255.255.0

Step 2

object network obj_name

Example:

Configures a network object for which you want to configure
NAT, or enters object network configuration mode for an existing
network object.

hostname(config)# object network
my-host-obj1

Step 3

{host ip_address | subnet subnet_address
netmask | range ip_address_1 ip_address_2}

Example:
hostname(config-network-object)# subnet
10.2.1.0 255.255.255.0

Cisco ASA 5500 Series Configuration Guide using the CLI

30-10

If you are creating a new network object, defines the real IP
address(es) that you want to translate.

Chapter 30

Configuring Network Object NAT
Configuring Network Object NAT

Step 4

Command

Purpose

nat [(real_ifc,mapped_ifc)] static
{mapped_inline_ip | mapped_obj |
interface} [dns | service {tcp | udp}
real_port mapped_port] [no-proxy-arp]

Configures static NAT for the object IP addresses.

Example:
hostname(config-network-object)# nat
(inside,outside) static MAPPED_IPS service
tcp 80 8080

Note

You can only define a single NAT rule for a given object.
See the “Additional Guidelines” section on page 30-2.

See the following guidelines:
•

•

Mapped IP Addresses—You can specify the mapped IP
address as:
– An inline IP address. The netmask or range for the

mapped network is the same as that of the real network.
For example, if the real network is a host, then this
address will be a host address. In the case of a range, then
the mapped addresses include the same number of
addresses as the real range. For example, if the real
address is defined as a range from 10.1.1.1 through
10.1.1.6, and you specify 172.20.1.1 as the mapped
address, then the mapped range will include 172.20.1.1
through 172.20.1.6.
– An existing network object or group (see Step 1).
– interface—(Static NAT-with-port-translation only;

routed mode) For this option, you must configure a
specific interface for the mapped_ifc. Be sure to also
configure the service keyword.
Typically, you configure the same number of mapped
addresses as real addresses for a one-to-one mapping. You
can, however, have a mismatched number of addresses. For
more information, see the “Static NAT” section on page 29-3.
•

DNS—(Optional) The dns keyword translates DNS replies.
Be sure DNS inspection is enabled (it is enabled by default).
See the “DNS and NAT” section on page 29-24 for more
information. This option is not available if you specify the
service keyword.

•

Port translation—(Static NAT-with-port-translation only)
Specify tcp or udp and the real and mapped ports. You can
enter either a port number or a well-known port name (such
as ftp).

•

No Proxy ARP—(Optional) Specify no-proxy-arp to disable
proxy ARP for incoming packets to the mapped IP addresses.
See the “Mapped Addresses and Routing” section on
page 29-22 for more information.

Cisco ASA 5500 Series Configuration Guide using the CLI

30-11

Chapter 30

Configuring Network Object NAT

Examples
The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the
outside with DNS rewrite enabled.
hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.2.2.2 dns

The following example configures static NAT for the real host 10.1.1.1 on the inside to 2.2.2.2 on the
outside using a mapped object.
hostname(config)# object network my-mapped-obj
hostname(config-network-object)# host 10.2.2.2
hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static my-mapped-obj

The following example configures static NAT-with-port-translation for 10.1.1.1 at TCP port 21 to the
outside interface at port 2121.
hostname(config)# object network my-ftp-server
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static interface service tcp 21 2121

Configuring Identity NAT
This section describes how to configure an identity NAT rule using network object NAT. For more
information, see the “Identity NAT” section on page 29-11.

Detailed Steps

Step 1

Command

Purpose

(Optional)

For the mapped addresses (which will be the same as the real
addresses), configure a network object. Alternatively, you can
skip this step if you want to enter the IP addresses as an inline
value for the nat command.

object network obj_name
{host ip_address |
subnet subnet_address netmask |
range ip_address_1 ip_address_2}

For more information about configuring a network object, see the
“Configuring Objects” section on page 13-3.

Example:
hostname(config)# object network
MAPPED_IPS
hostname(config-network-object)# subnet
10.1.1.0 255.255.255.0

Step 2

object network obj_name

Example:
hostname(config)# object network
my-host-obj1

Cisco ASA 5500 Series Configuration Guide using the CLI

30-12

Configures a network object for which you want to perform
identity NAT, or enters object network configuration mode for an
existing network object.

Chapter 30

Configuring Network Object NAT
Configuring Network Object NAT

Step 3

Command

Purpose

{host ip_address | subnet subnet_address
netmask | range ip_address_1 ip_address_2}

If you are creating a new network object, defines the real IP
address(es) to which you want to perform identity NAT. If you
configured a network object for the mapped addresses in Step 1,
then these addresses must match.

Example:
hostname(config-network-object)# subnet
10.1.1.0 255.255.255.0

Step 4

nat [(real_ifc,mapped_ifc)] static
{mapped_inline_ip | mapped_obj}
[no-proxy-arp] [route-lookup]

Configures identity NAT for the object IP addresses.

Example:

See the following guidelines:

hostname(config-network-object)# nat
(inside,outside) static MAPPED_IPS

Note

You can only define a single NAT rule for a given object.
See the “Additional Guidelines” section on page 30-2.

•

Mapped IP addresses—Be sure to configure the same IP
address for both the mapped and real address. Use one of the
following:
– Network object—Including the same IP address as the

real object (see Step 1).
– Inline IP address—The netmask or range for the mapped

network is the same as that of the real network. For
example, if the real network is a host, then this address
will be a host address. In the case of a range, then the
mapped addresses include the same number of addresses
as the real range. For example, if the real address is
defined as a range from 10.1.1.1 through 10.1.1.6, and
you specify 10.1.1.1 as the mapped address, then the
mapped range will include 10.1.1.1 through 10.1.1.6.
•

No Proxy ARP—Specify no-proxy-arp to disable proxy
ARP for incoming packets to the mapped IP addresses. See
the “Mapped Addresses and Routing” section on page 29-22
for more information.

•

Route lookup—(Routed mode only; interface(s) specified)
Specify route-lookup to determine the egress interface using
a route lookup instead of using the interface specified in the
NAT command. See the “Determining the Egress Interface”
section on page 29-24 for more information.

Example
The following example maps a host address to itself using an inline mapped address:
hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.1.1.1

Cisco ASA 5500 Series Configuration Guide using the CLI

30-13

Chapter 30

Configuring Network Object NAT

Monitoring Network Object NAT

The following example maps a host address to itself using a network object:
hostname(config)# object network my-host-obj1-identity
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static my-host-obj1-identity

Monitoring Network Object NAT
To monitor object NAT, enter one of the following commands:
Command

Purpose

show nat

Shows NAT statistics, including hits for each NAT rule.

show nat pool

Shows NAT pool statistics, including the addresses and ports allocated,
and how many times they were allocated.

show running-config nat

Shows the NAT configuration.
Note

You cannot view the NAT configuration using the show
running-config object command. You cannot reference objects
or object groups that have not yet been created in nat commands.
To avoid forward or circular references in show command output,
the show running-config command shows the object command
two times: first, where the IP address(es) are defined; and later,
where the nat command is defined. This command output
guarantees that objects are defined first, then object groups, and
finally NAT. For example:
hostname# show running-config
...
object network obj1
range 192.168.49.1 192.150.49.100
object network obj2
object 192.168.49.100
object network network-1
subnet
object network network-2
subnet
object-group network pool
network-object object obj1
network-object object obj2
...
object network network-1
nat (inside,outside) dynamic pool
object network network-2
nat (inside,outside) dynamic pool

show xlate

Shows current NAT session information.

Cisco ASA 5500 Series Configuration Guide using the CLI

30-14

Chapter 30

Configuring Network Object NAT
Configuration Examples for Network Object NAT

Configuration Examples for Network Object NAT
This section includes the following configuration examples:
•

Providing Access to an Inside Web Server (Static NAT), page 30-15

•

NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT), page 30-16

•

Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many), page 30-17

•

Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation), page 30-18

•

DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS
Modification), page 30-19

•

DNS Server and Web Server on Mapped Interface, Web Server is Translated (Static NAT with DNS
Modification), page 30-21

Providing Access to an Inside Web Server (Static NAT)
The following example performs static NAT for an inside web server. The real address is on a private
network, so a public address is required. Static NAT is necessary so hosts can initiate traffic to the web
server at a fixed address. (See Figure 30-1).
Figure 30-1

Static NAT for an Inside Web Server

209.165.201.12

Outside
209.165.201.1
Undo Translation
10.1.2.27
209.165.201.10

Security
Appliance
10.1.2.1

myWebServ
10.1.2.27

Step 1

248772

Inside

Create a network object for the internal web server:
hostname(config)# object network myWebServ

Step 2

Define the web server address:
hostname(config-network-object)# host 10.1.2.27

Cisco ASA 5500 Series Configuration Guide using the CLI

30-15

Chapter 30

Configuring Network Object NAT

Configuration Examples for Network Object NAT

Step 3

Configure static NAT for the object:
hostname(config-network-object)# nat (inside,outside) static 209.165.201.10

NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server
(Static NAT)
The following example configures dynamic NAT for inside users on a private network when they access
the outside. Also, when inside users connect to an outside web server, that web server address is
translated to an address that appears to be on the inside network. (See Figure 30-2).
Figure 30-2

Dynamic NAT for Inside, Static NAT for Outside Web Server

Web Server
209.165.201.12

Outside
209.165.201.1
10.1.2.10

Translation
209.165.201.20

Security
Appliance

Undo Translation
209.165.201.12
10.1.2.20

10.1.2.1
Inside

248773

myInsNet
10.1.2.0/24

Step 1

Create a network object for the dynamic NAT pool to which you want to translate the inside addresses:
hostname(config)# object network myNatPool
hostname(config-network-object)# range 209.165.201.20 209.165.201.30

Step 2

Create a network object for the inside network:
hostname(config)# object network myInsNet
hostname(config-network-object)# subnet 10.1.2.0 255.255.255.0

Step 3

Enable dynamic NAT for the inside network:
hostname(config-network-object)# nat (inside,outside) dynamic myNatPool

Cisco ASA 5500 Series Configuration Guide using the CLI

30-16

Chapter 30

Configuring Network Object NAT
Configuration Examples for Network Object NAT

Step 4

Create a network object for the outside web server:
hostname(config)# object network myWebServ

Step 5

Define the web server address:
hostname(config-network-object)# host 209.165.201.12

Step 6

Configure static NAT for the web server:
hostname(config-network-object)# nat (outside,inside) static 10.1.2.20

Inside Load Balancer with Multiple Mapped Addresses (Static NAT,
One-to-Many)
The following example shows an inside load balancer that is translated to multiple IP addresses. When
an outside host accesses one of the mapped IP addresses, it is untranslated to the single load balancer
address. Depending on the URL requested, it redirects traffic to the correct web server. (See
Figure 30-3).
Figure 30-3

Static NAT with One-to-Many for an Inside Load Balancer

Host

Undo Translation
209.165.201.5
10.1.2.27

Outside
Undo Translation
209.165.201.3
10.1.2.27

Undo Translation
209.165.201.4
10.1.2.27

Inside

Web Servers

Step 1

248633

Load Balancer
10.1.2.27

Create a network object for the addresses to which you want to map the load balancer:

Cisco ASA 5500 Series Configuration Guide using the CLI

30-17

Chapter 30

Configuring Network Object NAT

Configuration Examples for Network Object NAT

hostname(config)# object network myPublicIPs
hostname(config-network-object)# range 209.165.201.3 209.265.201.8

Step 2

Create a network object for the load balancer:
hostname(config)# object network myLBHost

Step 3

Define the load balancer address:
hostname(config-network-object)# host 10.1.2.27

Step 4

Configure static NAT for the load balancer:
hostname(config-network-object)# nat (inside,outside) static myPublicIPs

Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation)
The following static NAT-with-port-translation example provides a single address for remote users to
access FTP, HTTP, and SMTP. These servers are actually different devices on the real network, but for
each server, you can specify static NAT-with-port-translation rules that use the same mapped IP address,
but different ports. (See Figure 30-4.)
Figure 30-4

Static NAT-with-Port-Translation

Host

Undo Translation
209.165.201.3:21
10.1.2.27

Outside

Undo Translation
209.165.201.3:25
10.1.2.29
Undo Translation
209.165.201.3:80
10.1.2.28

Inside

SMTP server
10.1.2.29

HTTP server
10.1.2.28

Step 1

Create a network object for the FTP server address:
hostname(config)# object network FTP_SERVER

Cisco ASA 5500 Series Configuration Guide using the CLI

30-18

130031

FTP server
10.1.2.27

Chapter 30

Configuring Network Object NAT
Configuration Examples for Network Object NAT

Step 2

Define the FTP server address, and configure static NAT with identity port translation for the FTP server:
hostname(config-network-object)# host 10.1.2.27
hostname(config-network-object)# nat (inside,outside) static 209.165.201.3 service tcp ftp
ftp

Step 3

Create a network object for the HTTP server address:
hostname(config)# object network HTTP_SERVER

Step 4

Define the HTTP server address, and configure static NAT with identity port translation for the HTTP
server:
hostname(config-network-object)# host 10.1.2.28
hostname(config-network-object)# nat (inside,outside) static 209.165.201.3 service tcp
http http

Step 5

Create a network object for the SMTP server address:
hostname(config)# object network SMTP_SERVER

Step 6

Define the SMTP server address, and configure static NAT with identity port translation for the SMTP
server:
hostname(config-network-object)# host 10.1.2.29
hostname(config-network-object)# nat (inside,outside) static 209.165.201.3 service tcp
smtp smtp

DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT
with DNS Modification)
For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the
inside interface. You configure the ASA to statically translate the ftp.cisco.com real address (10.1.3.14)
to a mapped address (209.165.201.10) that is visible on the outside network. (See Figure 30-5.) In this
case, you want to enable DNS reply modification on this static rule so that inside users who have access
to ftp.cisco.com using the real address receive the real address from the DNS server, and not the mapped
address.

Cisco ASA 5500 Series Configuration Guide using the CLI

30-19

Chapter 30

Configuring Network Object NAT

Configuration Examples for Network Object NAT

When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with
the mapped address (209.165.201.10). The ASA refers to the static rule for the inside server and
translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification,
then the inside host attempts to send traffic to 209.165.201.10 instead of accessing ftp.cisco.com
directly.
Figure 30-5

DNS Reply Modification

DNS Server

1
DNS Query
ftp.cisco.com?

Outside

DNS Reply
209.165.201.10

Security
Appliance

3
DNS Reply Modification
209.165.201.10
10.1.3.14
Inside

4
DNS Reply
10.1.3.14

ftp.cisco.com
10.1.3.14
Static Translation
on Outside to:
209.165.201.10
130021

User

5
FTP Request
10.1.3.14

Step 1

Create a network object for the FTP server address:
hostname(config)# object network FTP_SERVER

Step 2

Define the FTP server address, and configure static NAT with DNS modification:
hostname(config-network-object)# host 10.1.3.14
hostname(config-network-object)# nat (inside,outside) static 209.165.201.10 dns

Cisco ASA 5500 Series Configuration Guide using the CLI

30-20

Chapter 30

Configuring Network Object NAT
Configuration Examples for Network Object NAT

DNS Server and Web Server on Mapped Interface, Web Server is Translated
(Static NAT with DNS Modification)
Figure 30-6 shows a web server and DNS server on the outside. The ASA has a static translation for the
outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS
server, the DNS server responds with the real address, 209.165.20.10. Because you want inside users to
use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply modification for
the static translation.
Figure 30-6

DNS Reply Modification Using Outside NAT

ftp.cisco.com
209.165.201.10
Static Translation on Inside to:
10.1.2.56
DNS Server

7
FTP Request
209.165.201.10

1
DNS Query
ftp.cisco.com?

DNS Reply
209.165.201.10

Outside

6
Dest Addr. Translation
10.1.2.56
209.165.201.10

Security
Appliance

DNS Reply Modification
209.165.201.10
10.1.2.56
Inside

FTP Request
10.1.2.56

User
10.1.2.27

Step 1

130022

DNS Reply
10.1.2.56

Create a network object for the FTP server address:
hostname(config)# object network FTP_SERVER

Step 2

Define the FTP server address, and configure static NAT with DNS modification:
hostname(config-network-object)# host 209.165.201.10
hostname(config-network-object)# nat (outside,inside) static 10.1.2.56 dns

Cisco ASA 5500 Series Configuration Guide using the CLI

30-21

Chapter 30

Configuring Network Object NAT

Feature History for Network Object NAT

Feature History for Network Object NAT
Table 30-1 lists each feature change and the platform release in which it was implemented.
Table 30-1

Feature History for Network Object NAT

Feature Name

Platform
Releases

Feature Information

Network Object NAT

8.3(1)

Configures NAT for a network object IP address(es).
We introduced or modified the following commands: nat
(object network configuration mode), show nat, show
xlate, show nat pool.

Identity NAT configurable proxy ARP and route 8.4(2)
lookup

PAT pool and round robin address assignment

8.4(2)

You can now specify a pool of PAT addresses instead of a
single address. You can also optionally enable round-robin
assignment of PAT addresses instead of first using all ports
on a PAT address before using the next address in the pool.
These features help prevent a large number of connections
from a single PAT address from appearing to be part of a
DoS attack and makes configuration of large numbers of
PAT addresses easy.
We modifed the following commands: nat dynamic
[pat-pool mapped_object [round-robin]].

Round robin PAT pool allocation uses the same 8.4(3)
IP address for existing hosts

When using a PAT pool with round robin allocation, if a host
has an existing connection, then subsequent connections
from that host will use the same PAT IP address if ports are
available.
We did not modify any commands.
This feature is not available in 8.5(1) or 8.6(1).

Cisco ASA 5500 Series Configuration Guide using the CLI

30-22

Chapter 30

Configuring Network Object NAT
Feature History for Network Object NAT

Table 30-1

Feature History for Network Object NAT (continued)

Feature Name

Platform
Releases

Flat range of PAT ports for a PAT pool

8.4(3)

Feature Information
If available, the real source port number is used for the
mapped port. However, if the real port is not available, by
default the mapped ports are chosen from the same range of
ports as the real port number: 0 to 511, 512 to 1023, and
1024 to 65535. Therefore, ports below 1024 have only a
small PAT pool.
If you have a lot of traffic that uses the lower port ranges,
when using a PAT pool, you can now specify a flat range of
ports to be used instead of the three unequal-sized tiers:
either 1024 to 65535, or 1 to 65535.
We modifed the following commands: nat dynamic
[pat-pool mapped_object [flat [include-reserve]]].
This feature is not available in 8.5(1) or 8.6(1).

Cisco ASA 5500 Series Configuration Guide using the CLI

30-23

Chapter 30

Configuring Network Object NAT

Feature History for Network Object NAT

Table 30-1

Feature History for Network Object NAT (continued)

Feature Name

Platform
Releases

Extended PAT for a PAT pool

8.4(3)

Feature Information
Each PAT IP address allows up to 65535 ports. If 65535
ports do not provide enough translations, you can now
enable extended PAT for a PAT pool. Extended PAT uses
65535 ports per service, as opposed to per IP address, by
including the destination address and port in the translation
information.
We modifed the following commands: nat dynamic
[pat-pool mapped_object [extended]].
This feature is not available in 8.5(1) or 8.6(1).

Automatic NAT rules to translate a VPN peer’s 8.4(3)
local IP address back to the peer’s real IP
address

In rare situations, you might want to use a VPN peer’s real
IP address on the inside network instead of an assigned local
IP address. Normally with VPN, the peer is given an
assigned local IP address to access the inside network.
However, you might want to translate the local IP address
back to the peer’s real public IP address if, for example,
your inside servers and network security is based on the
peer’s real IP address.
You can enable this feature on one interface per tunnel
group. Object NAT rules are dynamically added and deleted
when the VPN session is established or disconnected. You
can view the rules using the show nat command.
Because of routing issues, we do not recommend
using this feature unless you know you need this
feature; contact Cisco TAC to confirm feature
compatibility with your network. See the following
limitations:

Note

•

Only supports Cisco IPsec and AnyConnect Client.

•

Return traffic to the public IP addresses must be
routed back to the ASA so the NAT policy and VPN
policy can be applied.

•

Does not support load-balancing (because of
routing issues).

•

Does not support roaming (public IP changing).

We introduced the following command:
nat-assigned-to-public-ip interface (tunnel-group
general-attributes configuration mode).

Cisco ASA 5500 Series Configuration Guide using the CLI

30-24

CH A P T E R

Configuring Twice NAT
Twice NAT lets you identify both the source and destination address in a single rule. This chapter shows
you how to configure twice NAT and includes the following sections:

Note

•

Information About Twice NAT, page 31-1

•

Licensing Requirements for Twice NAT, page 31-2

•

Prerequisites for Twice NAT, page 31-2

•

Guidelines and Limitations, page 31-2

•

Default Settings, page 31-3

•

Configuring Twice NAT, page 31-3

•

Monitoring Twice NAT, page 31-24

•

Configuration Examples for Twice NAT, page 31-24

•

Feature History for Twice NAT, page 31-28

For detailed information about how NAT works, see Chapter 29, “Information About NAT.”

Information About Twice NAT
Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the
source and destination addresses lets you specify that a source address should be translated to A when
going to destination X, but be translated to B when going to destination Y, for example.

Note

For static NAT, the rule is bidirectional, so be aware that “source” and “destination” are used in
commands and descriptions throughout this guide even though a given connection might originate at the
“destination” address. For example, if you configure static NAT with port address translation, and
specify the source address as a Telnet server, and you want all traffic going to that Telnet server to have
the port translated from 2323 to 23, then in the command, you must specify the source ports to be
translated (real: 23, mapped: 2323). You specify the source ports because you specified the Telnet server
address as the source address.
The destination address is optional. If you specify the destination address, you can either map it to itself
(identity NAT), or you can map it to a different address. The destination mapping is always a static
mapping.

Cisco ASA 5500 Series Configuration Guide using the CLI

31-1

Chapter 31

Configuring Twice NAT

Licensing Requirements for Twice NAT

Twice NAT also lets you use service objects for static NAT-with-port-translation; network object NAT
only accepts inline definition.
For detailed information about the differences between twice NAT and network object NAT, see the
“How NAT is Implemented” section on page 29-16.
Twice NAT rules are added to section 1 of the NAT rules table, or if specified, section 3. For more
information about NAT ordering, see the “NAT Rule Order” section on page 29-20.

Licensing Requirements for Twice NAT
Model

License Requirement

All models

Base License.

Prerequisites for Twice NAT
•

For both the real and mapped addresses, configure network objects or network object groups (the
object network or object-group network command). Network object groups are particularly useful
for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or
subnets. To create a network object or group, see the “Configuring Objects and Groups” section on
page 13-1.

•

For static NAT-with-port-translation, configure TCP or UDP service objects (the object service
command). To create a service object, see the “Configuring a Service Object” section on page 13-4.

For specific guidelines for objects and groups, see the configuration section for the NAT type you want
to configure. See also the “Guidelines and Limitations” section.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines
•

Supported in routed and transparent firewall mode.

•

In transparent mode, you must specify the real and mapped interfaces; you cannot use any.

•

In transparent mode, you cannot configure interface PAT, because the transparent mode interfaces
do not have IP addresses. You also cannot use the management IP address as a mapped address.

IPv6 Guidelines

Does not support IPv6.

Cisco ASA 5500 Series Configuration Guide using the CLI

31-2

Chapter 31

Configuring Twice NAT
Default Settings

Additional Guidelines
•

If you change the NAT configuration, and you do not want to wait for existing translations to time
out before the new NAT information is used, you can clear the translation table using the clear xlate
command. However, clearing the translation table disconnects all current connections that use
translations.

Note

•

Objects and object groups used in NAT cannot be undefined; they must include IP addresses.

•

You can use the same objects in multiple rules.

•

The mapped IP address pool cannot include:
– The mapped interface IP address. If you specify any interface for the rule, then all interface IP

Default Settings
•

By default, the rule is added to the end of section 1 of the NAT table.

•

(Routed mode) The default real and mapped interface is Any, which applies the rule to all interfaces.

•

Configuring Twice NAT
This section describes how to configure twice NAT. This section includes the following topics:
•

Configuring Dynamic NAT, page 31-4

•

Configuring Dynamic PAT (Hide), page 31-8

•

Configuring Static NAT or Static NAT-with-Port-Translation, page 31-15

•

Configuring Identity NAT, page 31-20

Cisco ASA 5500 Series Configuration Guide using the CLI

31-3

Chapter 31

Configuring Twice NAT

Configuring Dynamic NAT
This section describes how to configure twice NAT for dynamic NAT. For more information, see the
“Dynamic NAT” section on page 29-8.

Detailed Steps

Step 1

Command

Purpose

Network object:

Configure the real source addresses.

object network obj_name
{host ip_address | subnet
subnet_address netmask | range
ip_address_1 ip_address_2}

You can configure either a network object or a network object
group. For more information, see the “Configuring Objects”
section on page 13-3.

Network object group:

If you want to translate all traffic, you can skip this step and
specify the any keyword instead of creating an object or group.

object-group network grp_name
{network-object {object net_obj_name |
subnet_address netmask |
host ip_address} |
group-object grp_obj_name}

Example:
hostname(config)# object network MyInsNet
hostname(config-network-object)# subnet
10.1.1.0 255.255.255.0

Step 2

Network object:

Configure the mapped source addresses.

object network obj_name
range ip_address_1 ip_address_2

You can configure either a network object or a network object
group.

Network object group:

For dynamic NAT, you typically configure a larger group of
addresses to be mapped to a smaller group. If a mapped network
object contains both ranges and host IP addresses, then the ranges
are used for dynamic NAT, and then the host IP addresses are used
as a PAT fallback.

object-group network grp_name
{network-object {object net_obj_name |
host ip_address} |
group-object grp_obj_name}

Note

Example:
hostname(config)# object network NAT_POOL
hostname(config-network-object)# range
209.165.201.10 209.165.201.20

Cisco ASA 5500 Series Configuration Guide using the CLI

31-4

The mapped object or group cannot contain a subnet.

See the “Guidelines and Limitations” section on page 31-2 for
information about disallowed mapped IP addresses.

Chapter 31

Configuring Twice NAT
Configuring Twice NAT

Step 3

Command

Purpose

(Optional)

Configure the real destination addresses.

Network object:

You can configure either a network object or a network object
group.

object network obj_name
{host ip_address | subnet
subnet_address netmask | range
ip_address_1 ip_address_2}

Network object group:
object-group network grp_name
{network-object {object net_obj_name |
subnet_address netmask |
host ip_address} |
group-object grp_obj_name}

Although the main feature of twice NAT is the inclusion of the
destination IP address, the destination address is optional. If you
do specify the destination address, you can configure static
translation for that address or just use identity NAT for it. You
might want to configure twice NAT without a destination address
to take advantage of some of the other qualities of twice NAT,
including the use of network object groups for real addresses, or
manually ordering of rules. For more information, see the “Main
Differences Between Network Object NAT and Twice NAT”
section on page 29-16.

Example:
hostname(config)# object network Server1
hostname(config-network-object)# host
209.165.201.8

Step 4

(Optional)

Configure the mapped destination addresses.

Network object:

The destination translation is always static. For identity NAT, you
can skip this step and simply use the same object or group for both
the real and mapped addresses.

object network obj_name
{host ip_address | subnet
subnet_address netmask | range
ip_address_1 ip_address_2}

Network object group:
object-group network grp_name
{network-object {object net_obj_name |
subnet_address netmask |
host ip_address} |
group-object grp_obj_name}

Example:

If you want to translate the destination address, you can configure
either a network object or a network object group. The static
mapping is typically one-to-one, so the real addresses have the
same quantity as the mapped addresses. You can, however, have
different quantities if desired. For more information, see the
“Static NAT” section on page 29-3.
For static interface NAT with port translation (routed mode only),
you can skip this step and specify the interface keyword instead
of a network object/group for the mapped address. For more
information, see the “Static Interface NAT with Port Translation”
section on page 29-5.

hostname(config)# object network
Server1_mapped
hostname(config-network-object)# host
10.1.1.67

Cisco ASA 5500 Series Configuration Guide using the CLI

31-5

Chapter 31

Configuring Twice NAT

Step 5

Command

Purpose

(Optional)

Configure service objects for:

object service obj_name
service {tcp | udp} destination
operator port

Example:
hostname(config)# object service REAL_SVC
hostname(config-service-object)# service
tcp destination eq 80
hostname(config)# object service
MAPPED_SVC
hostname(config-service-object)# service
tcp destination eq 8080

Cisco ASA 5500 Series Configuration Guide using the CLI

31-6

•

Destination real port

•

Destination mapped port

Dynamic NAT does not support port translation. However,
because the destination translation is always static, you can
perform port translation for the destination port. A service object
can contain both a source and destination port, but only the
destination port is used in this case. If you specify the source port,
it will be ignored. NAT only supports TCP or UDP. When
translating a port, be sure the protocols in the real and mapped
service objects are identical (both TCP or both UDP). For identity
NAT, you can use the same service object for both the real and
mapped ports. The “not equal” (neq) operator is not supported.

Chapter 31

Configuring Twice NAT
Configuring Twice NAT

Step 6

Command

Purpose

nat [(real_ifc,mapped_ifc)]
[line | {after-auto [line]}]
source dynamic {real_obj | any}
{mapped_obj [interface]}
[destination static {mapped_obj |
interface} real_obj]
[service mapped_dest_svc_obj
real_dest_svc_obj] [dns] [inactive]
[description desc]

Configure dynamic NAT. See the following guidelines:
•

•

Section and Line—(Optional) By default, the NAT rule is
added to the end of section 1 of the NAT table (see the “NAT
Rule Order” section on page 29-20). If you want to add the
rule into section 3 instead (after the network object NAT
rules), then use the after-auto keyword. You can insert a rule
anywhere in the applicable section using the line argument.

•

Source addresses:

Example:
hostname(config)# nat (inside,outside)
source dynamic MyInsNet NAT_POOL
destination static Server1_mapped Server1
service MAPPED_SVC REAL_SVC

– Real—Specify a network object, group, or the any

keyword (see Step 1). Use the any keyword if you want
to translate all traffic from the real interface to the
mapped interface.
– Mapped—Specify a different network object or group

(see Step 2). You can optionally configure the following
fallback method:
Interface PAT fallback—(Routed mode only) The
interface keyword enables interface PAT fallback. After
the mapped IP addresses are used up, then the IP address
of the mapped interface is used. For this option, you must
configure a specific interface for the mapped_ifc.

Cisco ASA 5500 Series Configuration Guide using the CLI

31-7

Chapter 31

Configuring Twice NAT

Command

Purpose
(Continued)
•

Destination addresses (Optional):
– Mapped—Specify a network object or group, or for static

interface NAT with port translation only, specify the
interface keyword (see Step 4). If you specify interface,
be sure to also configure the service keyword. For this
option, you must configure a specific interface for the
real_ifc. See the “Static Interface NAT with Port
Translation” section on page 29-5 for more information.
– Real—Specify a network object or group (see Step 3).

For identity NAT, simply use the same object or group for
both the real and mapped addresses.
•

Destination port—(Optional) Specify the service keyword
along with the mapped and real service objects (see Step 5).
For identity port translation, simply use the same service
object for both the real and mapped ports.

•

DNS—(Optional; for a source-only rule) The dns keyword
translates DNS replies. Be sure DNS inspection is enabled (it
is enabled by default). You cannot configure the dns keyword
if you configure a destination address. See the “DNS and
NAT” section on page 29-24 for more information.

•

Inactive—(Optional) To make this rule inactive without
having to remove the command, use the inactive keyword. To
reactivate it, reenter the whole command without the inactive
keyword.

•

Description—Optional) Provide a description up to 200
characters using the description keyword.

Configuring Dynamic PAT (Hide)
This section describes how to configure twice NAT for dynamic PAT (hide). For more information, see
the “Dynamic PAT” section on page 29-10.

Guidelines
For a PAT pool:
•

•

For extended PAT for a PAT pool (8.4(3) and later, not including 8.5(1) or 8.6(1)):

Cisco ASA 5500 Series Configuration Guide using the CLI

31-8

Chapter 31

Configuring Twice NAT
Configuring Twice NAT

•

If you use a PAT pool and specify an interface for fallback, you cannot specify extended PAT.

•

For VoIP deployments that use ICE or TURN, do not use extended PAT. ICE and TURN rely on the
PAT binding to be the same for all destinations.

For round robin for a PAT pool:
•

•

Detailed Steps

Step 1

Command

Purpose

Network object:

Configure the real source addresses.

object network obj_name
{host ip_address | subnet
subnet_address netmask | range
ip_address_1 ip_address_2}

You can configure either a network object or a network object
group. For more information, see the “Configuring Objects”
section on page 13-3.

Network object group:

If you want to translate all traffic, you can skip this step and
specify the any keyword instead of creating an object or group.

object-group network grp_name
{network-object {object net_obj_name |
subnet_address netmask |
host ip_address} |
group-object grp_obj_name}

Example:
hostname(config)# object network MyInsNet
hostname(config-network-object)# subnet
10.1.1.0 255.255.255.0

Cisco ASA 5500 Series Configuration Guide using the CLI

31-9

Chapter 31

Configuring Twice NAT

Step 2

Command

Purpose

Network object:

object network obj_name
{host ip_address | range ip_address_1
ip_address_2}

Network object group:
object-group network grp_name
{network-object {object net_obj_name |
host ip_address} |
group-object grp_obj_name}

For mapped addresses used as a PAT pool, all addresses in the
object or group, including ranges, are used as PAT addresses.
Note

Example:
hostname(config)# object network PAT_POOL1
hostname(config-network-object)# range
10.5.1.80 10.7.1.80

The object or group cannot contain a subnet.

See the “Guidelines and Limitations” section on page 31-2 for
information about disallowed mapped IP addresses.
For more information about configuring a network object or
group, see the “Configuring Objects” section on page 13-3.

Step 3

(Optional)

Configure the real destination addresses.

Network object:

You can configure either a network object or a network object
group.

object network obj_name
{host ip_address | subnet
subnet_address netmask | range
ip_address_1 ip_address_2}

Network object group:
object-group network grp_name
{network-object {object net_obj_name |
subnet_address netmask |
host ip_address} |
group-object grp_obj_name}

Example:
hostname(config)# object network Server1
hostname(config-network-object)# host
209.165.201.8

Cisco ASA 5500 Series Configuration Guide using the CLI

31-10

Chapter 31

Configuring Twice NAT
Configuring Twice NAT

Step 4

Command

Purpose

(Optional)

Configure the mapped destination addresses.

Network object:

The destination translation is always static. For identity NAT, you
can skip this step and simply use the same object or group for both
the real and mapped addresses.

object network obj_name
{host ip_address | subnet
subnet_address netmask | range
ip_address_1 ip_address_2}

Network object group:
object-group network grp_name
{network-object {object net_obj_name |
subnet_address netmask |
host ip_address} |
group-object grp_obj_name}

Example:

hostname(config)# object network
Server1_mapped
hostname(config-network-object)# host
10.1.1.67

Step 5

(Optional)
object service obj_name
service {tcp | udp} destination
operator port

Configure service objects for:
•

Destination real port

•

Destination mapped port

Dynamic PAT does not support additional port translation.
However, because the destination translation is always static, you
can perform port translation for the destination port. A service
object can contain both a source and destination port, but only the
destination port is used in this case. If you specify the source port,
it will be ignored. NAT only supports TCP or UDP. When
translating a port, be sure the protocols in the real and mapped
service objects are identical (both TCP or both UDP). For identity
NAT, you can use the same service object for both the real and
mapped ports. The “not equal” (neq) operator is not supported.

Cisco ASA 5500 Series Configuration Guide using the CLI

31-11

Chapter 31

Configuring Twice NAT

Step 6

Command

Purpose

nat [(real_ifc,mapped_ifc)]
[line | {after-auto [line]}]
source dynamic {real-obj | any}
{mapped_obj [interface] | [pat-pool
mapped_obj [round-robin] [extended]
[flat [include-reserve]] [interface] |
interface} [destination static {mapped_obj
| interface} real_obj]
[service mapped_dest_svc_obj
real_dest_svc_obj] [dns] [inactive]
[description desc]

Configures dynamic PAT (hide). See the following guidelines:
•

•

Source addresses:

Example:
hostname(config)# nat (inside,outside)
source dynamic MyInsNet interface
destination static Server1 Server1
description Interface PAT for inside
addresses when going to server 1

– Real—Specify a network object, group, or the any

keyword (see Step 1). Use the any keyword if you want
to translate all traffic from the real interface to the
mapped interface.
– Mapped—Configure one of the following:

- Network object—Specify a network object that contains
a host address (see Step 2).
- pat-pool—Specify the pat-pool keyword and a network
object or group that contains multiple addresses (see
Step 2).
- interface—(Routed mode only) Specify the interface
keyword alone to only use interface PAT. When specified
with a PAT pool or network object, the interface
keyword enables interface PAT fallback. After the PAT IP
addresses are used up, then the IP address of the mapped
interface is used. For this option, you must configure a
specific interface for the mapped_ifc.
(continued)

Cisco ASA 5500 Series Configuration Guide using the CLI

31-12

Chapter 31

Configuring Twice NAT
Configuring Twice NAT

Command

Purpose
(continued)
For a PAT pool, you can specify one or more of the
following options:
-- Round robin—The round-robin keyword enables
round-robin address allocation for a PAT pool. Without
round robin, by default all ports for a PAT address will be
allocated before the next PAT address is used. The
round-robin method assigns an address/port from each
PAT address in the pool before returning to use the first
address again, and then the second address, and so on.
-- Extended PAT—(8.4(3) and later, not including 8.5(1)
or 8.6(1)) The extended keyword enables extended PAT.
Extended PAT uses 65535 ports per service, as opposed
to per IP address, by including the destination address
and port in the translation information. Normally, the
destination port and address are not considered when
creating PAT translations, so you are limited to 65535
ports per PAT address. For example, with extended PAT,
you can create a translation of 10.1.1.1:1027 when going
to 192.168.1.7:23 as well as a translation of
10.1.1.1:1027 when going to 192.168.1.7:80.
-- Flat range—(8.4(3) and later, not including 8.5(1) or
8.6(1)) The flat keyword enables use of the entire 1024
to 65535 port range when allocating ports. When
choosing the mapped port number for a translation, the
ASA uses the real source port number if it is available.
However, without this option, if the real port is not
available, by default the mapped ports are chosen from
the same range of ports as the real port number: 1 to 511,
512 to 1023, and 1024 to 65535. To avoid running out of
ports at the low ranges, configure this setting. To use the
entire range of 1 to 65535, also specify the
include-reserve keyword.
(continued)

Cisco ASA 5500 Series Configuration Guide using the CLI

31-13

Chapter 31

Configuring Twice NAT

Command

Purpose
(continued)
•

Destination addresses (Optional):
– Mapped—Specify a network object or group, or for static

interface NAT with port translation only (routed mode),
specify the interface keyword (see Step 4). If you
specify interface, be sure to also configure the service
keyword. For this option, you must configure a specific
interface for the real_ifc. See the “Static Interface NAT
with Port Translation” section on page 29-5 for more
information.
– Real—Specify a network object or group (see Step 3).

For identity NAT, simply use the same object or group for
both the real and mapped addresses.

Cisco ASA 5500 Series Configuration Guide using the CLI

31-14

•

Destination port—(Optional) Specify the service keyword
along with the real and mapped service objects (see Step 5).
For identity port translation, simply use the same service
object for both the real and mapped ports.

•

Inactive—(Optional) To make this rule inactive without
having to remove the command, use the inactive keyword. To
reactivate it, reenter the whole command without the inactive
keyword.

•

Description—(Optional) Provide a description up to 200
characters using the description keyword.

Chapter 31

Configuring Twice NAT
Configuring Twice NAT

Configuring Static NAT or Static NAT-with-Port-Translation
This section describes how to configure a static NAT rule using twice NAT. For more information about
static NAT, see the “Static NAT” section on page 29-3.

Detailed Steps

Step 1

Command

Purpose

Network object:

Configure the real source addresses.

object network obj_name
{host ip_address | subnet
subnet_address netmask | range
ip_address_1 ip_address_2}

You can configure either a network object or a network object
group. For more information, see the “Configuring Objects”
section on page 13-3.

Network object group:
object-group network grp_name
{network-object {object net_obj_name |
subnet_address netmask |
host ip_address} |
group-object grp_obj_name}

Example:
hostname(config)# object network MyInsNet
hostname(config-network-object)# subnet
10.1.1.0 255.255.255.0

Step 2

Network object:

Configure the mapped source addresses.

object network obj_name
{host ip_address | subnet
subnet_address netmask | range
ip_address_1 ip_address_2}

You can configure either a network object or a network object
group. For static NAT, the mapping is typically one-to-one, so the
real addresses have the same quantity as the mapped addresses.
You can, however, have different quantities if desired. For more
information, see the “Static NAT” section on page 29-3.

Network object group:
object-group network grp_name
{network-object {object net_obj_name |
subnet_address netmask |
host ip_address} |
group-object grp_obj_name}

Example:

For static interface NAT with port translation (routed mode only),
you can skip this step and specify the interface keyword instead
of a network object/group for the mapped address. For more
information, see the “Static Interface NAT with Port Translation”
section on page 29-5.
See the “Guidelines and Limitations” section on page 31-2 for
information about disallowed mapped IP addresses.

hostname(config)# object network
MyInsNet_mapped
hostname(config-network-object)# subnet
192.168.1.0 255.255.255.0

Cisco ASA 5500 Series Configuration Guide using the CLI

31-15

Chapter 31

Configuring Twice NAT

Step 3

Command

Purpose

(Optional)

Configure the real destination addresses.

Network object:

You can configure either a network object or a network object
group.

object network obj_name
{host ip_address | subnet
subnet_address netmask | range
ip_address_1 ip_address_2}

Network object group:
object-group network grp_name
{network-object {object net_obj_name |
subnet_address netmask |
host ip_address} |
group-object grp_obj_name}

Example:
hostname(config)# object network Server1
hostname(config-network-object)# host
209.165.201.8

Step 4

(Optional)

Configure the mapped destination addresses.

Network object:

The destination translation is always static. For identity NAT, you
can skip this step and simply use the same object or group for both
the real and mapped addresses.

object network obj_name
{host ip_address | subnet
subnet_address netmask | range
ip_address_1 ip_address_2}

Network object group:
object-group network grp_name
{network-object {object net_obj_name |
subnet_address netmask |
host ip_address} |
group-object grp_obj_name}

Example:
hostname(config)# object network
Server1_mapped
hostname(config-network-object)# host
10.1.1.67

Cisco ASA 5500 Series Configuration Guide using the CLI

31-16

Chapter 31

Configuring Twice NAT
Configuring Twice NAT

Step 5

Command

Purpose

(Optional)

Configure service objects for:

object service obj_name
service {tcp | udp} [source operator
port] [destination operator port]

Example:
hostname(config)# object service
REAL_SRC_SVC
hostname(config-service-object)# service
tcp source eq 80
hostname(config)# object service
MAPPED_SRC_SVC
hostname(config-service-object)# service
tcp source eq 8080

•

Source or destination real port

•

Source or destination mapped port

A service object can contain both a source and destination port;
however, you should specify either the source or the destination
port for both service objects. You should only specify both the
source and destination ports if your application uses a fixed
source port (such as some DNS servers); but fixed source ports are
rare. NAT only supports TCP or UDP. When translating a port, be
sure the protocols in the real and mapped service objects are
identical (both TCP or both UDP). For identity NAT, you can use
the same service object for both the real and mapped ports. The
“not equal” (neq) operator is not supported.
For example, if you want to translate the port for the source host,
then configure the source service.

Cisco ASA 5500 Series Configuration Guide using the CLI

31-17

Chapter 31

Configuring Twice NAT

Step 6

Command

Purpose

nat [(real_ifc,mapped_ifc)]
[line | {after-object [line]}]
source static real_ob
[mapped_obj | interface]
[destination static {mapped_obj |
interface} real_obj]
[service real_src_mapped_dest_svc_obj
mapped_src_real_dest_svc_obj] [dns]
[no-proxy-arp] [inactive]
[description desc]

Configures static NAT. See the following guidelines:
•

•

Section and Line—(Optional) By default, the NAT rule is
added to the end of section 1 of the NAT table. See the “NAT
Rule Order” section on page 29-20 for more information
about sections. If you want to add the rule into section 3
instead (after the network object NAT rules), then use the
after-auto keyword. You can insert a rule anywhere in the
applicable section using the line argument.

•

Source addresses:

Example:
hostname(config)# nat (inside,dmz) source
static MyInsNet MyInsNet_mapped
destination static Server1 Server1 service
REAL_SRC_SVC MAPPED_SRC_SVC

– Real—Specify a network object or group (see Step 1).
– Mapped—Specify a different network object or group

(see Step 2). For static interface NAT with port
translation only, you can specify the interface keyword
(routed mode only). If you specify interface, be sure to
also configure the service keyword (in this case, the
service objects should include only the source port). For
this option, you must configure a specific interface for
the mapped_ifc. See the “Static Interface NAT with Port
Translation” section on page 29-5 for more information.
•

Destination addresses (Optional):
– Mapped—Specify a network object or group, or for static

interface NAT with port translation only, specify the
interface keyword (see Step 4). If you specify interface,
be sure to also configure the service keyword (in this
case, the service objects should include only the
destination port). For this option, you must configure a
specific interface for the real_ifc.
– Real—Specify a network object or group (see Step 3).

For identity NAT, simply use the same object or group for
both the real and mapped addresses.

Cisco ASA 5500 Series Configuration Guide using the CLI

31-18

Chapter 31

Configuring Twice NAT
Configuring Twice NAT

Command

Purpose
(Continued)
•

Ports—(Optional) Specify the service keyword along with
the real and mapped service objects (see Step 5). For source
port translation, the objects must specify the source service.
The order of the service objects in the command for source
port translation is service real_obj mapped_obj. For
destination port translation, the objects must specify the
destination service. The order of the service objects for
destination port translation is service mapped_obj real_obj.
In the rare case where you specify both the source and
destination ports in the object, the first service object contains
the real source port/mapped destination port; the second
service object contains the mapped source port/real
destination port. For identity port translation, simply use the
same service object for both the real and mapped ports
(source and/or destination ports, depending on your
configuration).

•

Inactive—(Optional) To make this rule inactive without
having to remove the command, use the inactive keyword. To
reactivate it, reenter the whole command without the inactive
keyword.

•

Description—(Optional) Provide a description up to 200
characters using the description keyword.

Examples
The following example shows the use of static interface NAT with port translation. Hosts on the outside
access an FTP server on the inside by connecting to the outside interface IP address with destination port
65000 through 65004. The traffic is untranslated to the internal FTP server at 192.168.10.100:6500
through :65004. Note that you specify the source port range in the service object (and not the destination
port) because you want to translate the source address and port as identified in the command; the
destination port is “any.” Because static NAT is bidirectional, “source” and “destination” refers primarily
to the command keywords; the actual source and destination address and port in a packet depends on

Cisco ASA 5500 Series Configuration Guide using the CLI

31-19

Chapter 31

Configuring Twice NAT

which host sent the packet. In this example, connections are originated from outside to inside, so the
“source” address and port of the FTP server is actually the destination address and port in the originating
packet.
hostname(config)# object service FTP_PASV_PORT_RANGE
hostname(config-service-object)# service tcp source range 65000 65004
hostname(config)# object network HOST_FTP_SERVER
hostname(config-network-object)# host 192.168.10.100
hostname(config)# nat (inside,outside) source static HOST_FTP_SERVER interface service
FTP_PASV_PORT_RANGE FTP_PASV_PORT_RANGE

Configuring Identity NAT
This section describes how to configure an identity NAT rule using twice NAT. For more information
about identity NAT, see the “Identity NAT” section on page 29-11.

Detailed Steps

Step 1

Command

Purpose

Network object:

Configure the real source addresses.

object network obj_name
{host ip_address | subnet
subnet_address netmask | range
ip_address_1 ip_address_2}

You can configure either a network object or a network object
group. For more information, see the “Configuring Objects”
section on page 13-3.

Network object group:

These are the addresses on which you want to perform identity
NAT. If you want to perform identity NAT for all addresses, you
can skip this step and instead use the keywords any any.

object-group network grp_name
{network-object {object net_obj_name |
subnet_address netmask |
host ip_address} |
group-object grp_obj_name}

Example:
hostname(config)# object network MyInsNet
hostname(config-network-object)# subnet
10.1.1.0 255.255.255.0

Cisco ASA 5500 Series Configuration Guide using the CLI

31-20

Chapter 31

Configuring Twice NAT
Configuring Twice NAT

Step 2

Command

Purpose

(Optional)

Configure the real destination addresses.

Network object:

You can configure either a network object or a network object
group.

object network obj_name
{host ip_address | subnet
subnet_address netmask | range
ip_address_1 ip_address_2}

Network object group:
object-group network grp_name
{network-object {object net_obj_name |
subnet_address netmask |
host ip_address} |
group-object grp_obj_name}

Example:
hostname(config)# object network Server1
hostname(config-network-object)# host
209.165.201.8

Step 3

(Optional)

Configure the mapped destination addresses.

Network object:

The destination translation is always static. For identity NAT, you
can skip this step and simply use the same object or group for both
the real and mapped addresses.

object network obj_name
{host ip_address | subnet
subnet_address netmask | range
ip_address_1 ip_address_2}

Network object group:
object-group network grp_name
{network-object {object net_obj_name |
subnet_address netmask |
host ip_address} |
group-object grp_obj_name}

Example:

hostname(config)# object network
Server1_mapped
hostname(config-network-object)# host
10.1.1.67

Cisco ASA 5500 Series Configuration Guide using the CLI

31-21

Chapter 31

Configuring Twice NAT

Step 4

Command

Purpose

(Optional)

Configure service objects for:

object service obj_name
service {tcp | udp} [source operator
port] [destination operator port]

•

Source or destination real port

•

Source or destination mapped port

Cisco ASA 5500 Series Configuration Guide using the CLI

31-22

Chapter 31

Configuring Twice NAT
Configuring Twice NAT

Step 5

Command

Purpose

nat [(real_ifc,mapped_ifc)]
[line | {after-object [line]}]
source static {nw_obj nw_obj | any any}
[destination static {mapped_obj |
interface} real_obj]
[service real_src_mapped_dest_svc_obj
mapped_src_real_dest_svc_obj]
[no-proxy-arp] [route-lookup] [inactive]
[description desc]

Configures identity NAT. See the following guidelines:
•

•

Source addresses—Specify a network object, group, or the
any keyword for both the real and mapped addresses (see
Step 1).

•

Destination addresses (Optional):

Example:
hostname(config)# nat (inside,outside)
source static MyInsNet MyInsNet
destination static Server1 Server1

– Mapped—Specify a network object or group, or for static

interface NAT with port translation only, specify the
interface keyword (routed mode only) (see Step 3). If
you specify interface, be sure to also configure the
service keyword (in this case, the service objects should
include only the destination port). For this option, you
must configure a specific interface for the real_ifc. See
the “Static Interface NAT with Port Translation” section
on page 29-5 for more information.
– Real—Specify a network object or group (see Step 2).

For identity NAT, simply use the same object or group for
both the real and mapped addresses.
•

Port—(Optional) Specify the service keyword along with the
real and mapped service objects (see Step 4). For source port
translation, the objects must specify the source service. The
order of the service objects in the command for source port
translation is service real_obj mapped_obj. For destination
port translation, the objects must specify the destination
service. The order of the service objects for destination port
translation is service mapped_obj real_obj. In the rare case
where you specify both the source and destination ports in the
object, the first service object contains the real source
port/mapped destination port; the second service object
contains the mapped source port/real destination port. For
identity port translation, simply use the same service object
for both the real and mapped ports (source and/or destination
ports, depending on your configuration).

Cisco ASA 5500 Series Configuration Guide using the CLI

31-23

Chapter 31

Configuring Twice NAT

Monitoring Twice NAT

Command

Purpose
(Continued)
•

•

Route lookup—(Optional; routed mode only; interface(s)
specified) Specify route-lookup to determine the egress
interface using a route lookup instead of using the interface
specified in the NAT command. See the “Determining the
Egress Interface” section on page 29-24 for more
information.

•

Inactive—(Optional) To make this rule inactive without
having to remove the command, use the inactive keyword. To
reactivate it, reenter the whole command without the inactive
keyword.

•

Description—(Optional) Provide a description up to 200
characters using the description keyword.

Monitoring Twice NAT
To monitor twice NAT, enter one of the following commands:
Command

Purpose

show nat

Shows NAT statistics, including hits for each NAT rule.

show nat pool

Shows NAT pool statistics, including the addresses and ports allocated,
and how many times they were allocated.

show xlate

Shows current NAT session information.

Configuration Examples for Twice NAT
This section includes the following configuration examples:
•

Different Translation Depending on the Destination (Dynamic PAT), page 31-24

•

Different Translation Depending on the Destination Address and Port (Dynamic PAT), page 31-26

Different Translation Depending on the Destination (Dynamic PAT)
Figure 31-1 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host
accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129:port. When the
host accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130:port.

Cisco ASA 5500 Series Configuration Guide using the CLI

31-24

Configuring Twice NAT
Configuration Examples for Twice NAT

Figure 31-1

Twice NAT with Different Destination Addresses

Server 1
209.165.201.11

Server 2
209.165.200.225

209.165.201.0/27

209.165.200.224/27
DMZ

Translation
10.1.2.27
209.165.202.129

Translation
10.1.2.27
209.165.202.130

Inside
10.1.2.0/24
Packet
Dest. Address:
209.165.201.11

Step 1

10.1.2.27

Packet
Dest. Address:
209.165.200.225

130039

Chapter 31

Add a network object for the inside network:
hostname(config)# object network myInsideNetwork
hostname(config-network-object)# subnet 10.1.2.0 255.255.255.0

Step 2

Add a network object for the DMZ network 1:
hostname(config)# object network DMZnetwork1
hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224

Step 3

Add a network object for the PAT address:
hostname(config)# object network PATaddress1
hostname(config-network-object)# host 209.165.202.129

Step 4

Configure the first twice NAT rule:
hostname(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination
static DMZnetwork1 DMZnetwork1

Because you do not want to translate the destination address, you need to configure identity NAT for it
by specifying the same address for the real and mapped destination addresses.
By default, the NAT rule is added to the end of section 1 of the NAT table, See the “Configuring Dynamic
PAT (Hide)” section on page 31-8 for more information about specifying the section and line number for
the NAT rule.
Step 5

Add a network object for the DMZ network 2:
hostname(config)# object network DMZnetwork2
hostname(config-network-object)# subnet 209.165.200.224 255.255.255.224

Step 6

Add a network object for the PAT address:
hostname(config)# object network PATaddress2

Cisco ASA 5500 Series Configuration Guide using the CLI

31-25

Chapter 31

Configuring Twice NAT

Configuration Examples for Twice NAT

hostname(config-network-object)# host 209.165.202.130

Step 7

Configure the second twice NAT rule:
hostname(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress2 destination
static DMZnetwork2 DMZnetwork2

Different Translation Depending on the Destination Address and Port (Dynamic
PAT)
Figure 31-2 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses
a single host for both web services and Telnet services. When the host accesses the server for Telnet
services, the real address is translated to 209.165.202.129:port. When the host accesses the same server
for web services, the real address is translated to 209.165.202.130:port.
Figure 31-2

Twice NAT with Different Destination Ports

Web and Telnet server:
209.165.201.11

Internet

Translation
10.1.2.27:80
209.165.202.129

Translation
10.1.2.27:23
209.165.202.130

Inside

Web Packet
Dest. Address:
209.165.201.11:80

Step 1

10.1.2.27

Telnet Packet
Dest. Address:
209.165.201.11:23

Add a network object for the inside network:
hostname(config)# object network myInsideNetwork
hostname(config-network-object)# subnet 10.1.2.0 255.255.255.0

Step 2

Add a network object for the Telnet/Web server:
hostname(config)# object network TelnetWebServer
hostname(config-network-object)# host 209.165.201.11

Step 3

Add a network object for the PAT address when using Telnet:
hostname(config)# object network PATaddress1

Cisco ASA 5500 Series Configuration Guide using the CLI

31-26

130040

10.1.2.0/24

Chapter 31

Configuring Twice NAT
Configuration Examples for Twice NAT

hostname(config-network-object)# host 209.165.202.129

Step 4

Add a service object for Telnet:
hostname(config)# object service TelnetObj
hostname(config-network-object)# service tcp destination eq telnet

Step 5

Configure the first twice NAT rule:
hostname(config)# nat (inside,outside) source dynamic myInsideNetwork PATaddress1
destination static TelnetWebServer TelnetWebServer service TelnetObj TelnetObj

Because you do not want to translate the destination address or port, you need to configure identity NAT
for them by specifying the same address for the real and mapped destination addresses, and the same
port for the real and mapped service.
By default, the NAT rule is added to the end of section 1 of the NAT table, See the “Configuring Dynamic
PAT (Hide)” section on page 31-8 for more information about specifying the section and line number for
the NAT rule.
Step 6

Add a network object for the PAT address when using HTTP:
hostname(config)# object network PATaddress2
hostname(config-network-object)# host 209.165.202.130

Step 7

Add a service object for HTTP:
hostname(config)# object service HTTPObj
hostname(config-network-object)# service tcp destination eq http

Step 8

Configure the second twice NAT rule:
hostname(config)# nat (inside,outside) source dynamic myInsideNetwork PATaddress2
destination static TelnetWebServer TelnetWebServer service HTTPObj HTTPObj

Cisco ASA 5500 Series Configuration Guide using the CLI

31-27

Chapter 31

Configuring Twice NAT

Feature History for Twice NAT

Feature History for Twice NAT
Table 31-1 lists each feature change and the platform release in which it was implemented.
Table 31-1

Feature History for Twice NAT

Feature Name

Platform
Releases

Twice NAT

8.3(1)

Feature Information
Twice NAT lets you identify both the source and destination
address in a single rule.
We modified or introduced the following commands: nat,
show nat, show xlate, show nat pool.

Identity NAT configurable proxy ARP and route 8.4(2)
lookup

In earlier releases for identity NAT, proxy ARP was
disabled, and a route lookup was always used to determine
the egress interface. You could not configure these settings.
In 8.4(2) and later, the default behavior for identity NAT
was changed to match the behavior of other static NAT
configurations: proxy ARP is enabled, and the NAT
configuration determines the egress interface (if specified)
by default. You can leave these settings as is, or you can
enable or disable them discretely. Note that you can now
also disable proxy ARP for regular static NAT.
For pre-8.3 configurations, the migration of NAT exempt
rules (the nat 0 access-list command) to 8.4(2) and later
now includes the following keywords to disable proxy ARP
and to use a route lookup: no-proxy-arp and route-lookup.
The unidirectional keyword that was used for migrating to
8.3(2) and 8.4(1) is no longer used for migration. When
upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all
identity NAT configurations will now include the
no-proxy-arp and route-lookup keywords, to maintain
existing functionality. The unidirectional keyword is
removed.
We modified the following commands: nat source static
[no-proxy-arp] [route-lookup].

PAT pool and round robin address assignment

8.4(2)

You can now specify a pool of PAT addresses instead of a
single address. You can also optionally enable round-robin
assignment of PAT addresses instead of first using all ports
on a PAT address before using the next address in the pool.
These features help prevent a large number of connections
from a single PAT address from appearing to be part of a
DoS attack and makes configuration of large numbers of
PAT addresses easy.
We modified the following commands: nat source dynamic
[pat-pool mapped_object [round-robin]].

Cisco ASA 5500 Series Configuration Guide using the CLI

31-28

Chapter 31

Configuring Twice NAT
Feature History for Twice NAT

Table 31-1

Feature History for Twice NAT (continued)

Feature Name

Platform
Releases

Round robin PAT pool allocation uses the same 8.4(3)
IP address for existing hosts

Feature Information
When using a PAT pool with round robin allocation, if a host
has an existing connection, then subsequent connections
from that host will use the same PAT IP address if ports are
available.
We did not modify any commands.
This feature is not available in 8.5(1) or 8.6(1).

Flat range of PAT ports for a PAT pool

8.4(3)

If available, the real source port number is used for the
mapped port. However, if the real port is not available, by
default the mapped ports are chosen from the same range of
ports as the real port number: 0 to 511, 512 to 1023, and
1024 to 65535. Therefore, ports below 1024 have only a
small PAT pool.
If you have a lot of traffic that uses the lower port ranges,
when using a PAT pool, you can now specify a flat range of
ports to be used instead of the three unequal-sized tiers:
either 1024 to 65535, or 1 to 65535.
We modified the following commands: nat source dynamic
[pat-pool mapped_object [flat [include-reserve]]].
This feature is not available in 8.5(1) or 8.6(1).

Cisco ASA 5500 Series Configuration Guide using the CLI

31-29

Chapter 31

Configuring Twice NAT

Feature History for Twice NAT

Table 31-1

Feature History for Twice NAT (continued)

Feature Name

Platform
Releases

Extended PAT for a PAT pool

8.4(3)

Feature Information
Each PAT IP address allows up to 65535 ports. If 65535
ports do not provide enough translations, you can now
enable extended PAT for a PAT pool. Extended PAT uses
65535 ports per service, as opposed to per IP address, by
including the destination address and port in the translation
information.
We modified the following commands: nat source dynamic
[pat-pool mapped_object [extended]].
This feature is not available in 8.5(1) or 8.6(1).

Automatic NAT rules to translate a VPN peer’s 8.4(3)
local IP address back to the peer’s real IP
address

In rare situations, you might want to use a VPN peer’s real
IP address on the inside network instead of an assigned local
IP address. Normally with VPN, the peer is given an
assigned local IP address to access the inside network.
However, you might want to translate the local IP address
back to the peer’s real public IP address if, for example,
your inside servers and network security is based on the
peer’s real IP address.
You can enable this feature on one interface per tunnel
group. Object NAT rules are dynamically added and deleted
when the VPN session is established or disconnected. You
can view the rules using the show nat command.
Because of routing issues, we do not recommend
using this feature unless you know you need this
feature; contact Cisco TAC to confirm feature
compatibility with your network. See the following
limitations:

Note

•

Only supports Cisco IPsec and AnyConnect Client.

•

Return traffic to the public IP addresses must be
routed back to the ASA so the NAT policy and VPN
policy can be applied.

•

Does not support load-balancing (because of
routing issues).

•

Does not support roaming (public IP changing).

We introduced the following command:
nat-assigned-to-public-ip interface (tunnel-group
general-attributes configuration mode).

Cisco ASA 5500 Series Configuration Guide using the CLI

31-30

PA R T

Configuring Service Policies Using the
Modular Policy Framework

CH A P T E R

Configuring a Service Policy Using the Modular
Policy Framework
Service policies using Modular Policy Framework provide a consistent and flexible way to configure
ASA features. For example, you can use a service policy to create a timeout configuration that is specific
to a particular TCP application, as opposed to one that applies to all TCP applications. A service policy
consists of multiple actionsapplied to an interface or applied globally.
This chapter includes the following sections:
•

Information About Service Policies, page 32-1

•

Licensing Requirements for Service Policies, page 32-6

•

Guidelines and Limitations, page 32-6

•

Default Settings, page 32-7

•

Task Flows for Configuring Service Policies, page 32-9

•

Identifying Traffic (Layer 3/4 Class Maps), page 32-12

•

Defining Actions (Layer 3/4 Policy Map), page 32-15

•

Applying Actions to an Interface (Service Policy), page 32-17

•

Monitoring Modular Policy Framework, page 32-18

•

Configuration Examples for Modular Policy Framework, page 32-18

•

Feature History for Service Policies, page 32-21

Information About Service Policies
This section describes how service policies work and includes the following topics:
•

Supported Features for Through Traffic, page 32-2

•

Supported Features for Management Traffic, page 32-2

•

Feature Directionality, page 32-2

•

Feature Matching Within a Service Policy, page 32-3

•

Order in Which Multiple Feature Actions are Applied, page 32-4

•

Incompatibility of Certain Feature Actions, page 32-5

•

Feature Matching for Multiple Service Policies, page 32-6

Cisco ASA 5500 Series Configuration Guide using the CLI

32-1

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework

Information About Service Policies

Supported Features for Through Traffic
Table 32-1 lists the features supported by Modular Policy Framework.
Table 32-1

Modular Policy Framework

Feature
Application inspection (multiple types)

See:
•

Chapter 42, “Getting Started with Application Layer
Protocol Inspection.”

•

Chapter 43, “Configuring Inspection of Basic Internet
Protocols.”

•

Chapter 44, “Configuring Inspection for Voice and
Video Protocols.”

•

Chapter 45, “Configuring Inspection of Database and
Directory Protocols.”

•

Chapter 46, “Configuring Inspection for Management
Application Protocols.”

ASA CSC

Chapter 60, “Configuring the ASA CSC Module.”

ASA IPS

Chapter 58, “Configuring the ASA IPS Module.”

ASA CX

Chapter 59, “Configuring the ASA CX Module.”

NetFlow Secure Event Logging filtering Chapter 78, “Configuring NetFlow Secure Event Logging
(NSEL).”
QoS input and output policing

Chapter 54, “Configuring QoS.”

QoS standard priority queue

Chapter 54, “Configuring QoS.”

QoS traffic shaping, hierarchical priority Chapter 54, “Configuring QoS.”
queue
TCP and UDP connection limits and
timeouts, and TCP sequence number
randomization

Chapter 53, “Configuring Connection Settings.”

TCP normalization

Chapter 53, “Configuring Connection Settings.”

TCP state bypass

Chapter 53, “Configuring Connection Settings.”

Supported Features for Management Traffic
Modular Policy Framework supports the following features for management traffic:
•

Application inspection for RADIUS accounting traffic—See Chapter 46, “Configuring Inspection
for Management Application Protocols.”

•

Connection limits—See Chapter 53, “Configuring Connection Settings.”

Feature Directionality
Actions are applied to traffic bidirectionally or unidirectionally depending on the feature. For features
that are applied bidirectionally, all traffic that enters or exits the interface to which you apply the policy
map is affected if the traffic matches the class map for both directions.

Cisco ASA 5500 Series Configuration Guide using the CLI

32-2

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework
Information About Service Policies

Note

When you use a global policy, all features are unidirectional; features that are normally bidirectional
when applied to a single interface only apply to the ingress of each interface when applied globally.
Because the policy is applied to all interfaces, the policy will be applied in both directions so
bidirectionality in this case is redundant.
For features that are applied unidirectionally, for example QoS priority queue, only traffic that enters (or
exits, depending on the feature) the interface to which you apply the policy map is affected. See
Table 32-2 for the directionality of each feature.
Table 32-2

Feature Directionality

Feature

Single Interface Direction Global Direction

Application inspection (multiple types)

Bidirectional

Ingress

ASA CSC

Bidirectional

Ingress

ASA CX

Bidirectional

Ingress

ASA CX authentication proxy

Ingress

ASA IPS

Bidirectional

Ingress

NetFlow Secure Event Logging filtering

N/A

Ingress

QoS input policing

Ingress

QoS output policing

Egress

QoS standard priority queue

Egress

QoS traffic shaping, hierarchical priority
queue

Egress

TCP and UDP connection limits and timeouts, Bidirectional
and TCP sequence number randomization

Ingress

TCP normalization

Bidirectional

Ingress

TCP state bypass

Bidirectional

Ingress

Feature Matching Within a Service Policy
See the following information for how a packet matches class maps in a policy map for a given interface:
1.

A packet can match only one class map in the policy map for each feature type.

When the packet matches a class map for a feature type, the ASA does not attempt to match it to any
subsequent class maps for that feature type.

If the packet matches a subsequent class map for a different feature type, however, then the ASA
also applies the actions for the subsequent class map, if supported. See the “Incompatibility of
Certain Feature Actions” section on page 32-5 for more information about unsupported
combinations.

Note

Application inspection includes multiple inspection types, and most are mutually exclusive.
For inspections that can be combined, each inspection is considered to be a separate feature.

Cisco ASA 5500 Series Configuration Guide using the CLI

32-3

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework

Information About Service Policies

For example, if a packet matches a class map for connection limits, and also matches a class map for an
application inspection, then both actions are applied.
If a packet matches a class map for HTTP inspection, but also matches another class map that includes
HTTP inspection, then the second class map actions are not applied.
If a packet matches a class map for HTTP inspection, but also matches another class map that includes
FTP inspection, then the second class map actions are not applied because HTTP and FTP inspections
cannpt be combined.
If a packet matches a class map for HTTP inspection, but also matches another class map that includes
IPv6 inspection, then both actions are applied because the IPv6 inspection can be combined with any
other type of inspection.

Order in Which Multiple Feature Actions are Applied
The order in which different types of actions in a policy map are performed is independent of the order
in which the actions appear in the policy map.

Note

NetFlow Secure Event Logging filtering is order-independent.
Actions are performed in the following order:
1.

QoS input policing

TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number
randomization, and TCP state bypass.

Note

When a the ASA performs a proxy service (such as AAA or CSC) or it modifies the TCP payload
(such as FTP inspection), the TCP normalizer acts in dual mode, where it is applied before and
after the proxy or payload modifying service.

ASA CSC

Application inspections that can be combined with other inspections:
a. IPv6
b. IP options
c. WAAS

Application inspections that cannot be combined with other inspections. The remaining application
inspections cannot be combined with other inspections. See the “Incompatibility of Certain Feature
Actions” section on page 32-5 for more information.

ASA IPS

ASA CX

QoS output policing

QoS standard priority queue

10. QoS traffic shaping, hierarchical priority queue

Cisco ASA 5500 Series Configuration Guide using the CLI

32-4

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework
Information About Service Policies

Incompatibility of Certain Feature Actions
Some features are not compatible with each other for the same traffic. The following list may not include
all incompatibilities; for information about compatibility of each feature, see the chapter or section for
your feature:

Note

•

You cannot configure QoS priority queueing and QoS policing for the same set of traffic.

•

Most inspections should not be combined with another inspection, so the ASA only applies one
inspection if you configure multiple inspections for the same traffic. The only exceptions are listed
in the “Order in Which Multiple Feature Actions are Applied” section on page 32-4.

•

You cannot configure traffic to be sent to multiple modules, such as the ASA CX and ASA IPS.

•

HTTP inspection is not compatible with the ASA CX.

The match default-inspection-traffic command, which is used in the default global policy, is a special
CLI shortcut to match the default ports for all inspections. When used in a policy map, this class map
ensures that the correct inspection is applied to each packet, based on the destination port of the traffic.
For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the TFTP inspection;
when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in this case only, you
can configure multiple inspections for the same class map. Normally, the ASA does not use the port
number to determine which inspection to apply, thus giving you the flexibility to apply inspections to
non-standard ports, for example.
An example of a misconfiguration is if you configure multiple inspections in the same policy map and
do not use the default-inspection-traffic shortcut. In Example 32-1, traffic destined to port 21 is
mistakenly configured for both FTP and HTTP inspection. In Example 32-2, traffic destined to port 80
is mistakenly configured for both FTP and HTTP inspection. In both cases of misconfiguration
examples, only the FTP inspection is applied, because FTP comes before HTTP in the order of
inspections applied.
Example 32-1 Misconfiguration for FTP packets: HTTP Inspection Also Configured
class-map ftp
match port tcp eq 21
class-map http
match port tcp eq 21
policy-map test
class ftp
inspect ftp
class http
inspect http

[it should be 80]

Example 32-2 Misconfiguration for HTTP packets: FTP Inspection Also Configured
class-map ftp
match port tcp eq 80
class-map http
match port tcp eq 80
policy-map test
class http
inspect http
class ftp
inspect ftp

[it should be 21]

Cisco ASA 5500 Series Configuration Guide using the CLI

32-5

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework

Licensing Requirements for Service Policies

Feature Matching for Multiple Service Policies
For TCP and UDP traffic (and ICMP when you enable stateful ICMP inspection), service policies
operate on traffic flows, and not just individual packets. If traffic is part of an existing connection that
matches a feature in a policy on one interface, that traffic flow cannot also match the same feature in a
policy on another interface; only the first policy is used.
For example, if HTTP traffic matches a policy on the inside interface to inspect HTTP traffic, and you
have a separate policy on the outside interface for HTTP inspection, then that traffic is not also inspected
on the egress of the outside interface. Similarly, the return traffic for that connection will not be
inspected by the ingress policy of the outside interface, nor by the egress policy of the inside interface.
For traffic that is not treated as a flow, for example ICMP when you do not enable stateful ICMP
inspection, returning traffic can match a different policy map on the returning interface. For example, if
you configure IPS on the inside and outside interfaces, but the inside policy uses virtual sensor 1 while
the outside policy uses virtual sensor 2, then a non-stateful Ping will match virtual sensor 1 outbound,
but will match virtual sensor 2 inbound.

Licensing Requirements for Service Policies
Model

License Requirement

All models

Base License.
Specific features may have separate license requirements. See the feature chapter for more information.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines

Supported in routed and transparent firewall mode.
IPv6 Guidelines

Supports IPv6 for the following features:
•

Application inspection for FTP, HTTP, ICMP, SIP, SMTP and IPsec-pass-thru, and IPv6.

•

ASA IPS

•

ASA CX

•

NetFlow Secure Event Logging filtering

•

TCP and UDP connection limits and timeouts, TCP sequence number randomization

•

TCP normalization

•

TCP state bypass

Cisco ASA 5500 Series Configuration Guide using the CLI

32-6

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework
Default Settings

Class Map Guidelines

The maximum number of class mapsof all types is 255 in single mode or per context in multiple mode.
Class maps include the following types:
•

Layer 3/4 class maps (for through traffic and management traffic).

•

Inspection class maps

•

Regular expression class maps

•

match commands used directly underneath an inspection policy map

This limit also includes default class maps of all types, limiting user-configured class mapsto
approximately 235. See the “Default Class Maps” section on page 32-8.
Policy Map Guidelines

See the following guidelines for using policy maps:
•

You can only assign one policy map per interface. (However you can create up to 64 policy maps in
the configuration.)

•

You can apply the same policy map to multiple interfaces.

•

You can identify up to 63 Layer 3/4 class maps in a Layer 3/4 policy map.

•

For each class map, you can assign multiple actions from one or more feature types, if supported.
See the “Incompatibility of Certain Feature Actions” section on page 32-5.

Service Policy Guidelines
•

Interface service policies take precedence over the global service policy for a given feature. For
example, if you have a global policy with FTP inspection, and an interface policy with TCP
normalization, then both FTP inspection and TCP normalization are applied to the interface.
However, if you have a global policy with FTP inspection, and an interface policy with FTP
inspection, then only the interface policy FTP inspection is applied to that interface.

•

You can only apply one global policy. For example, you cannot create a global policy that includes
feature set 1, and a separate global policy that includes feature set 2. All features must be included
in a single policy.

Default Settings
The following topics describe the default settings for Modular Policy Framework:
•

Default Configuration, page 32-7

•

Default Class Maps, page 32-8

Default Configuration
By default, the configuration includes a policy that matches all default application inspection traffic and
applies certain inspections to the traffic on all interfaces (a global policy). Not all inspections are enabled
by default. You can only apply one global policy, so if you want to alter the global policy, you need to
either edit the default policy or disable it and apply a new one. (An interface policy overrides the global
policy for a particular feature.)
The default policy includes the following application inspections:

Cisco ASA 5500 Series Configuration Guide using the CLI

32-7

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework

Default Settings

•

DNS inspection for the maximum message length of 512 bytes

•

FTP

•

H323 (H225)

•

H323 (RAS)

•

RSH

•

RTSP

•

ESMTP

•

SQLnet

•

Skinny (SCCP)

•

SunRPC

•

XDMCP

•

SIP

•

NetBios

•

TFTP

•

IP Options

The default policy configuration includes the following commands:
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global

Note

See the “Incompatibility of Certain Feature Actions” section on page 32-5 for more information about
the special match default-inspection-traffic command used in the default class map.

Default Class Maps
The configuration includes a default Layer 3/4 class map that the ASA uses in the default global policy
called default-inspection-traffic; it matches the default inspection traffic. This class, which is used in the
default global policy, is a special shortcut to match the default ports for all inspections. When used in a

Cisco ASA 5500 Series Configuration Guide using the CLI

32-8

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework
Task Flows for Configuring Service Policies

policy, this class ensures that the correct inspection is applied to each packet, based on the destination
port of the traffic. For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the
TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in
this case only, you can configure multiple inspections for the same class map. Normally, the ASA does
not use the port number to determine which inspection to apply, thus giving you the flexibility to apply
inspections to non-standard ports, for example.
class-map inspection_default
match default-inspection-traffic

Another class map that exists in the default configuration is called class-default, and it matches all
traffic. This class map appears at the end of all Layer 3/4 policy maps and essentially tells the ASA to
not perform any actions on all other traffic. You can use the class-default class if desired, rather than
making your own match any class map. In fact, some features are only available for class-default, such
as QoS traffic shaping.
class-map class-default
match any

Task Flows for Configuring Service Policies
This section includes the following topics:
•

Task Flow for Using the Modular Policy Framework, page 32-9

•

Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping, page 32-11

Task Flow for Using the Modular Policy Framework
To configure Modular Policy Framework, perform the following steps:
Step 1

Identify the traffic—Identify the traffic on which you want to perform Modular Policy Framework
actions by creating Layer 3/4 class maps.
For example, you might want to perform actions on all traffic that passes through the ASA; or you might
only want to perform certain actions on traffic from 10.1.1.0/24 to any destination address.
Layer 3/4 Class Map

241506

Layer 3/4 Class Map

See the “Identifying Traffic (Layer 3/4 Class Maps)” section on page 32-12.
Step 2

Perform additional actions on some inspection traffic—If one of the actions you want to perform is
application inspection, and you want to perform additional actions on some inspection traffic, then create
an inspection policy map. The inspection policy map identifies the traffic and specifies what to do with it.
For example, you might want to drop all HTTP requests with a body length greater than 1000 bytes.

Cisco ASA 5500 Series Configuration Guide using the CLI

32-9

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework

Task Flows for Configuring Service Policies

Inspection Policy Map Actions

241507

Inspection Class Map/
Match Commands

You can create a self-contained inspection policy map that identifies the traffic directly with match
commands, or you can create an inspection class map for reuse or for more complicated matching. See
the “Defining Actions in an Inspection Policy Map” section on page 33-2 and the “Identifying Traffic in
an Inspection Class Map” section on page 33-6.
Step 3

Create a regular expression—If you want to match text with a regular expression within inspected
packets, you can create a regular expression or a group of regular expressions (a regular expression class
map). Then, when you define the traffic to match for the inspection policy map, you can call on an
existing regular expression.
For example, you might want to drop all HTTP requests with a URL including the text “example.com.”
Inspection Policy Map Actions

241509

Inspection Class Map/
Match Commands

Regular Expression Statement/
Regular Expression Class Map

See the “Creating a Regular Expression” section on page 13-12 and the “Creating a Regular Expression
Class Map” section on page 13-15.
Step 4

Define the actions you want to perform and determine on which interfaces you want to apply the policy
map—Define the actions you want to perform on each Layer 3/4 class map by creating a Layer 3/4 policy
map. Then, determine on which interfaces you want to apply the policy map using a service policy.

Cisco ASA 5500 Series Configuration Guide using the CLI

32-10

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework
Task Flows for Configuring Service Policies

Layer 3/4 Policy Map
Connection Limits

Connection Limits

Service Policy

Inspection

241508

IPS

See the “Defining Actions (Layer 3/4 Policy Map)” section on page 32-15 and the “Applying Actions to
an Interface (Service Policy)” section on page 32-17.

Task Flow for Configuring Hierarchical Policy Maps for QoS Traffic Shaping
If you enable QoS traffic shaping for a class map, then you can optionally enable priority queueing for
a subset of shaped traffic. To do so, you need to create a policy map for the priority queueing, and then
within the traffic shaping policy map, you can call the priority class map. Only the traffic shaping class
map is applied to an interface.
See Chapter 54, “Information About QoS,” for more information about this feature.
Hierarchical policy maps are only supported for traffic shaping and priority queueing.
To implement a hierarchical policy map, perform the following steps:
Step 1

Identify the prioritized traffic according to the “Identifying Traffic (Layer 3/4 Class Maps)” section on
page 32-12.
You can create multiple class maps to be used in the hierarchical policy map.

Step 2

Create a policy map according to the “Defining Actions (Layer 3/4 Policy Map)” section on page 32-15,
and identify the sole action for each class map as priority.

Step 3

Create a separate policy map according to the “Defining Actions (Layer 3/4 Policy Map)” section on
page 32-15, and identify the shape action for the class-default class map.

Cisco ASA 5500 Series Configuration Guide using the CLI

32-11

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework

Identifying Traffic (Layer 3/4 Class Maps)

Traffic shaping can only be applied the to class-default class map.
Step 4

For the same class map, identify the priority policy map that you created in Step 2 using the
service-policy priority_policy_map command.

Step 5

Apply the shaping policy map to the interface accrding to “Applying Actions to an Interface (Service
Policy)” section on page 32-17.

Identifying Traffic (Layer 3/4 Class Maps)
A Layer 3/4 class map identifies Layer 3 and 4 traffic to which you want to apply actions. You can create
multiple Layer 3/4 class maps for each Layer 3/4 policy map.
This section includes the following topics:
•

Creating a Layer 3/4 Class Map for Through Traffic, page 32-12

•

Creating a Layer 3/4 Class Map for Management Traffic, page 32-14

Creating a Layer 3/4 Class Map for Through Traffic
A Layer 3/4 class map matches traffic based on protocols, ports, IP addresses and other Layer 3 or 4
attributes.

Detailed Steps

Step 1

Command

Purpose

class-map class_map_name

Creates a Layer 3/4 class map, where class_map_name is a string
up to 40 characters in length. The name “class-default” is
reserved. All types of class maps use the same name space, so you
cannot reuse a name already used by another type of class map.
The CLI enters class-map configuration mode.

Example:
hostname(config)# class-map all_udp

Step 2

(Optional)

Adds a description to the class map.

description string

Example:
hostname(config-cmap)# description All UDP
traffic

Step 3

Match traffic using one of the following:

Unless otherwise specified, you can include only one match
command in the class map.

match any

Matches all traffic.

Example:
hostname(config-cmap)# match any

Cisco ASA 5500 Series Configuration Guide using the CLI

32-12

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework
Identifying Traffic (Layer 3/4 Class Maps)

Command

Purpose

match access-list access_list_name

Matches traffic specified by an extended access list. If the ASA is
operating in transparent firewall mode, you can use an EtherType
access list.

Example:
hostname(config-cmap)# match access-list
udp
match port {tcp | udp} {eq port_num |
range port_num port_num}

Matches TCP or UDP destination ports, either a single port or a
contiguous range of ports.
Tip

Example:
hostname(config-cmap)# match tcp eq 80

For applications that use multiple, non-contiguous ports,
use the match access-list command and define an ACE to
match each port.

match default-inspection-traffic

Matches default traffic for inspection: the default TCP and UDP
ports used by all applications that the ASA can inspect.

Example:

This command, which is used in the default global policy, is a
special CLI shortcut that when used in a policy map, ensures that
the correct inspection is applied to each packet, based on the
destination port of the traffic. For example, when UDP traffic for
port 69 reaches the ASA, then the ASA applies the TFTP
inspection; when TCP traffic for port 21 arrives, then the ASA
applies the FTP inspection. So in this case only, you can configure
multiple inspections for the same class map (with the exception of
WAAS inspection, which can be configured with other
inspections. See the “Incompatibility of Certain Feature Actions”
section on page 32-5 for more information about combining
actions). Normally, the ASA does not use the port number to
determine the inspection applied, thus giving you the flexibility to
apply inspections to non-standard ports, for example.

hostname(config-cmap)# match
default-inspection-traffic

See the “Default Settings” section on page 42-4 for a list of
default ports. Not all applications whose ports are included in the
match default-inspection-traffic command are enabled by
default in the policy map.
You can specify a match access-list command along with the
match default-inspection-traffic command to narrow the
matched traffic. Because the match default-inspection-traffic
command specifies the ports and protocols to match, any ports and
protocols in the access list are ignored.
Tip

match dscp value1 [value2] [...] [value8]

We suggest that you only inspect traffic on ports on which
you expect application traffic; if you inspect all traffic, for
example using match any, the ASA performance can be
impacted.

Matches DSCP value in an IP header, up to eight DSCP values.

Example:
hostname(config-cmap)# match dscp af43 cs1
ef

Cisco ASA 5500 Series Configuration Guide using the CLI

32-13

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework

Identifying Traffic (Layer 3/4 Class Maps)

Command

Purpose

match precedence value1 [value2] [value3]
[value4]

Matches up to four precedence values, represented by the TOS
byte in the IP header, where value1 through value4 can be 0 to 7,
corresponding to the possible precedences.

Example:
hostname(config-cmap)# match precedence 1
4
match rtp starting_port range

Example:
hostname(config-cmap)# match rtp 4004 100
match tunnel-group name

(Optional)
match flow ip destination-address

Example:
hostname(config-cmap)# match tunnel-group
group1
hostname(config-cmap)# match flow ip
destination-address

Matches RTP traffic, where the starting_port specifies an
even-numbered UDP destination port between 2000 and 65534.
The range specifies the number of additional UDP ports to match
above the starting_port, between 0 and 16383.
Matches VPN tunnel group traffic to which you want to apply
QoS.
You can also specify one other match command to refine the
traffic match. You can specify any of the preceding commands,
except for the match any, match access-list, or match
default-inspection-traffic commands. Or you can also enter the
match flow ip destination-address command to match flows in
the tunnel group going to each IP address.

Examples
The following is an example for the class-map command:
hostname(config)# access-list udp permit udp any any
hostname(config)# access-list tcp permit tcp any any
hostname(config)# access-list host_foo permit ip any 10.1.1.1 255.255.255.255
hostname(config)# class-map all_udp
hostname(config-cmap)# description "This class-map matches all UDP traffic"
hostname(config-cmap)# match access-list udp
hostname(config-cmap)# class-map all_tcp
hostname(config-cmap)# description "This class-map matches all TCP traffic"
hostname(config-cmap)# match access-list tcp
hostname(config-cmap)# class-map all_http
hostname(config-cmap)# description "This class-map matches all HTTP traffic"
hostname(config-cmap)# match port tcp eq http
hostname(config-cmap)# class-map to_server
hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1"
hostname(config-cmap)# match access-list host_foo

Creating a Layer 3/4 Class Map for Management Traffic
For management traffic to the ASA, you might want to perform actions specific to this kind of traffic.
You can specify a management class map that can match an access list or TCP or UDP ports. The types
of actions available for a management class map in the policy map are specialized for management
traffic. See the “Supported Features for Management Traffic” section on page 32-2.

Cisco ASA 5500 Series Configuration Guide using the CLI

32-14

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework
Defining Actions (Layer 3/4 Policy Map)

Detailed Steps

Step 1

Command

Purpose

class-map type management class_map_name

hostname(config)# class-map type
management all_mgmt

Creates a management class map, where class_map_name is a
string up to 40 characters in length. The name “class-default” is
reserved. All types of class maps use the same name space, so you
cannot reuse a name already used by another type of class map.
The CLI enters class-map configuration mode.

(Optional)

Adds a description to the class map.

Example:

Step 2

description string

Example:
hostname(config-cmap)# description All
management traffic

Step 3

Match traffic using one of the following:

Unless otherwise specified, you can include only one match
command in the class map.

match access-list access_list_name

Matches traffic specified by an extended access list. If the ASA is
operating in transparent firewall mode, you can use an EtherType
access list.

Example:
hostname(config-cmap)# match access-list
udp
match port {tcp | udp} {eq port_num |
range port_num port_num}

Matches TCP or UDP destination ports, either a single port or a
contiguous range of ports.
Tip

Example:
hostname(config-cmap)# match tcp eq 80

For applications that use multiple, non-contiguous ports,
use the match access-list command and define an ACE to
match each port.

Defining Actions (Layer 3/4 Policy Map)
This section describes how to associate actions with Layer 3/4 class maps by creating a Layer 3/4 policy
map.

Restrictions
The maximum number of policy maps is 64, but you can only apply one policy map per interface.

Cisco ASA 5500 Series Configuration Guide using the CLI

32-15

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework

Defining Actions (Layer 3/4 Policy Map)

Detailed Steps

Command

Purpose

Step 1

policy-map policy_map_name

Step 2

(Optional)

Adds the policy map. The policy_map_name argument is the
name of the policy map up to 40 characters in length. All types of
policy maps use the same name space, so you cannot reuse a name
Example:
already used by another type of policy map. The CLI enters
hostname(config)# policy-map global_policy
policy-map configuration mode.

class class_map_name

Example:
hostname(config-pmap)# description global
policy map

Specifies a previously configured Layer 3/4 class map, where the
class_map_name is the name of the class map. See the
“Identifying Traffic (Layer 3/4 Class Maps)” section on
page 32-12 to add a class map.
Note

If there is no match default-inspection-traffic command
in a class map, then at most one inspect command is
allowed to be configured under the class.
For QoS, you can configure a hierarchical policy map for
the traffic shaping and priority queue features. See the
“Task Flow for Configuring Hierarchical Policy Maps for
QoS Traffic Shaping” section on page 32-11 for more
information.

Step 3

Specify one or more actions for this class map.

Step 4

Repeat Step 2 and Step 3 for each class map you
want to include in this policy map.

See the “Supported Features for Through Traffic” section on
page 32-2.

Examples
The following is an example of a policy-map command for connection policy. It limits the number of
connections allowed to the web server 10.1.1.1:
hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server
hostname(config-cmap)# match access-list http-server
hostname(config)# policy-map global-policy
hostname(config-pmap)# description This policy map defines a policy concerning connection
to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection conn-max 256

The following example shows how multi-match works in a policy map:
hostname(config)# class-map inspection_default
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http http_map
hostname(config-pmap-c)# inspect sip
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# set connection timeout idle 0:10:0

Cisco ASA 5500 Series Configuration Guide using the CLI

32-16

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework
Applying Actions to an Interface (Service Policy)

The following example shows how traffic matches the first available class map, and will not match any
subsequent class maps that specify actions in the same feature domain:
hostname(config)# class-map telnet_traffic
hostname(config-cmap)# match port tcp eq 23
hostname(config)# class-map ftp_traffic
hostname(config-cmap)# match port tcp eq 21
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match port tcp range 1 65535
hostname(config)# class-map udp_traffic
hostname(config-cmap)# match port udp range 0 65535
hostname(config)# policy-map global_policy
hostname(config-pmap)# class telnet_traffic
hostname(config-pmap-c)# set connection timeout idle 0:0:0
hostname(config-pmap-c)# set connection conn-max 100
hostname(config-pmap)# class ftp_traffic
hostname(config-pmap-c)# set connection timeout idle 0:5:0
hostname(config-pmap-c)# set connection conn-max 50
hostname(config-pmap)# class tcp_traffic
hostname(config-pmap-c)# set connection timeout idle 2:0:0
hostname(config-pmap-c)# set connection conn-max 2000

When a Telnet connection is initiated, it matches class telnet_traffic. Similarly, if an FTP connection is
initiated, it matches class ftp_traffic. For any TCP connection other than Telnet and FTP, it will match
class tcp_traffic. Even though a Telnet or FTP connection can match class tcp_traffic, the ASA does
not make this match because they previously matched other classes.

Applying Actions to an Interface (Service Policy)
To activate the Layer 3/4 policy map, create a service policy that applies it to one or more interfaces or
that applies it globally to all interfaces.

Restrictions
You can only apply one global policy, so if you want to alter the global policy, you need to either edit
the default policy or disable it and apply a new one. By default, the configuration includes a global policy
that matches all default application inspection traffic and applies inspection to the traffic globally. The
default service policy includes the following command:
service-policy global_policy global

Cisco ASA 5500 Series Configuration Guide using the CLI

32-17

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework

Monitoring Modular Policy Framework

Detailed Steps

Command

Purpose

service-policy policy_map_name interface
interface_name

Creates a service policy by associating a policy map with an interface.

Example:
hostname(config)# service-policy
inbound_policy interface outside
service-policy policy_map_name global

Creates a service policy that applies to all interfaces that do not have a
specific policy.

Example:
hostname(config)# service-policy
inbound_policy global

Examples
For example, the following command enables the inbound_policy policy map on the outside interface:
hostname(config)# service-policy inbound_policy interface outside

The following commands disable the default global policy, and enables a new one called
new_global_policy on all other ASA interfaces:
hostname(config)# no service-policy global_policy global
hostname(config)# service-policy new_global_policy global

Monitoring Modular Policy Framework
To monitor Modular Policy Framework, enter the following command:
Command

Purpose

show service-policy

Displays the service policy statistics.

Configuration Examples for Modular Policy Framework
This section includes several Modular Policy Framework examples and includes the following topics:
•

Applying Inspection and QoS Policing to HTTP Traffic, page 32-19

•

Applying Inspection to HTTP Traffic Globally, page 32-19

•

Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers, page 32-20

•

Applying Inspection to HTTP Traffic with NAT, page 32-21

Cisco ASA 5500 Series Configuration Guide using the CLI

32-18

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework
Configuration Examples for Modular Policy Framework

Applying Inspection and QoS Policing to HTTP Traffic
In this example (see Figure 32-1), any HTTP connection (TCP traffic on port 80) that enters or exits the
ASA through the outside interface is classified for HTTP inspection. Any HTTP traffic that exits the
outside interface is classified for policing.
HTTP Inspection and QoS Policing

Security
appliance
port 80
A

insp.
police

port 80
insp.

Host A

inside

outside

Host B

143356

Figure 32-1

See the following commands for this example:
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# inspect http
hostname(config-pmap-c)# police output 250000
hostname(config)# service-policy http_traffic_policy interface outside

Applying Inspection to HTTP Traffic Globally
In this example (see Figure 32-2), any HTTP connection (TCP traffic on port 80) that enters the ASA
through any interface is classified for HTTP inspection. Because the policy is a global policy, inspection
occurs only as the traffic enters each interface.
Figure 32-2

Global HTTP Inspection

Security
appliance
port 80

A
Host A

inside

port 80 insp.
outside

Host B

143414

insp.

See the following commands for this example:
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80

Cisco ASA 5500 Series Configuration Guide using the CLI

32-19

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework

Configuration Examples for Modular Policy Framework

hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# inspect http
hostname(config)# service-policy http_traffic_policy global

Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers
In this example (see Figure 32-3), any HTTP connection destined for Server A (TCP traffic on port 80)
that enters the ASA through the outside interface is classified for HTTP inspection and maximum
connection limits. Connections initiated from Server A to Host A does not match the access list in the
class map, so it is not affected.
Any HTTP connection destined for Server B that enters the ASA through the inside interface is classified
for HTTP inspection. Connections initiated from Server B to Host B does not match the access list in the
class map, so it is not affected.
Figure 32-3

HTTP Inspection and Connection Limits to Specific Servers

Server A
Real Address: 192.168.1.2
Mapped Address: 209.165.201.1

Security
appliance

port 80

insp.
set conns

port 80
insp. inside

Host B
Real Address: 192.168.1.1
Mapped Address: 209.165.201.2:port

outside
Server B
209.165.200.227

143357

Host A
209.165.200.226

See the following commands for this example:
hostname(config)# object network obj-192.168.1.2
hostname(config-network-object)# host 192.168.1.2
hostname(config-network-object)# nat (inside,outside) static 209.165.201.1
hostname(config)# object network obj-192.168.1.0
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 209.165.201.2
hostname(config)# access-list serverA extended permit tcp any host 209.165.201.1 eq 80
hostname(config)# access-list ServerB extended permit tcp any host 209.165.200.227 eq 80
hostname(config)# class-map http_serverA
hostname(config-cmap)# match access-list serverA
hostname(config)# class-map http_serverB
hostname(config-cmap)# match access-list serverB
hostname(config)# policy-map policy_serverA
hostname(config-pmap)# class http_serverA
hostname(config-pmap-c)# inspect http
hostname(config-pmap-c)# set connection conn-max 100
hostname(config)# policy-map policy_serverB
hostname(config-pmap)# class http_serverB
hostname(config-pmap-c)# inspect http

Cisco ASA 5500 Series Configuration Guide using the CLI

32-20

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework
Feature History for Service Policies

hostname(config)# service-policy policy_serverB interface inside
hostname(config)# service-policy policy_serverA interface outside

Applying Inspection to HTTP Traffic with NAT
In this example, the Host on the inside network has two addresses: one is the real IP address 192.168.1.1,
and the other is a mapped IP address used on the outside network, 209.165.200.225. Because the policy
is applied to the inside interface, where the real address is used, then you must use the real IP address in
the access list in the class map. If you applied it to the outside interface, you would use the mapped
address.
Figure 32-4

HTTP Inspection with NAT

port 80
insp. inside

outside

Host
Real IP: 192.168.1.1
Mapped IP: 209.165.200.225

Server
209.165.201.1

143416

Security
appliance

See the following commands for this example:
hostname(config)# static (inside,outside) 209.165.200.225 192.168.1.1
hostname(config)# access-list http_client extended permit tcp host 192.168.1.1 any eq 80
hostname(config)# class-map http_client
hostname(config-cmap)# match access-list http_client
hostname(config)# policy-map http_client
hostname(config-pmap)# class http_client
hostname(config-pmap-c)# inspect http
hostname(config)# service-policy http_client interface inside

Feature History for Service Policies
Table 32-3 lists the release history for this feature.
Table 32-3

Feature History for Service Policies

Feature Name

Releases

Feature Information

Modular Policy Framework

7.0(1)

Modular Policy Framework was introduced.

Management class map for use with RADIUS
accounting traffic

7.2(1)

The management class map was introduced for use with
RADIUS accounting traffic. The following commands were
introduced: class-map type management, and inspect
radius-accounting.

Cisco ASA 5500 Series Configuration Guide using the CLI

32-21

Chapter 32

Configuring a Service Policy Using the Modular Policy Framework

Feature History for Service Policies

Table 32-3

Feature History for Service Policies (continued)

Feature Name

Releases

Feature Information

Inspection policy maps

7.2(1)

The inspection policy map was introduced. The following
command was introduced: class-map type inspect.

Regular expressions and policy maps

7.2(1)

Regular expressions and policy maps were introduced to be
used under inspection policy maps. The following
commands were introduced: class-map type regex, regex,
match regex.

Match any for inspection policy maps

8.0(2)

The match any keyword was introduced for use with
inspection policy maps: traffic can match one or more
criteria to match the class map. Formerly, only match all
was available.

Maximum connections and embryonic
connections for management traffic

8.0(2)

The set connection command is now available for a Layer
3/4 management class map, for to-the-security appliance
management traffic. Only the conn-max and
embryonic-conn-max keywords are available.

Cisco ASA 5500 Series Configuration Guide using the CLI

32-22

CH A P T E R

Configuring Special Actions for Application
Inspections (Inspection Policy Map)
Modular Policy Framework lets you configure special actions for many application inspections. When
you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as
defined in an inspection policy map. When the inspection policy map matches traffic within the Layer
3/4 class map for which you have defined an inspection action, then that subset of traffic will be acted
upon as specified (for example, dropped or rate-limited).
This chapter includes the following sections:
•

Information About Inspection Policy Maps, page 33-1

•

Guidelines and Limitations, page 33-2

•

Default Inspection Policy Maps, page 33-2

•

Defining Actions in an Inspection Policy Map, page 33-2

•

Identifying Traffic in an Inspection Class Map, page 33-6

•

Where to Go Next, page 33-7

Information About Inspection Policy Maps
See the “Configuring Application Layer Protocol Inspection” section on page 42-6 for a list of
applications that support inspection policy maps.
An inspection policy map consists of one or more of the following elements. The exact options available
for an inspection policy map depends on the application.
•

Traffic matching command—You can define a traffic matching command directly in the inspection
policy map to match application traffic to criteria specific to the application, such as a URL string,
for which you then enable actions.
– Some traffic matching commands can specify regular expressions to match text inside a packet.

Be sure to create and test the regular expressions before you configure the policy map, either
singly or grouped together in a regular expression class map.
•

Inspection class map—(Not available for all applications. See the CLI help for a list of supported
applications.) An inspection class map includes traffic matching commands that match application
traffic with criteria specific to the application, such as a URL string. You then identify the class map
in the policy map and enable actions. The difference between creating a class map and defining the
traffic match directly in the inspection policy map is that you can create more complex match criteria
and you can reuse class maps.

Cisco ASA 5500 Series Configuration Guide using the CLI

33-1

Chapter 33

Configuring Special Actions for Application Inspections (Inspection Policy Map)

Guidelines and Limitations

– Some traffic matching commands can specify regular expressions to match text inside a packet.

Be sure to create and test the regular expressions before you configure the policy map, either
singly or grouped together in a regular expression class map.
•

Parameters—Parameters affect the behavior of the inspection engine.

Guidelines and Limitations
•

HTTP inspection policy maps—If you modify an in-use HTTP inspection policy map (policy-map
type inspect http), you must remove and reapply the inspect http map action for the changes to
take effect. For example, if you modify the “http-map” inspection policy map, you must remove and
readd the inspect http http-map command from the layer 3/4 policy:
hostname(config)# policy-map test
hostname(config-pmap)# class httpO
hostname(config-pmap-c)# no inspect http http-map
hostname(config-pmap-c)# inspect http http-map

•

All inspection policy maps—If you want to exchange an in-use inspection policy map for a different
map name, you must remove the inspect protocol map command, and readd it with the new map.
For example:
hostname(config)# policy-map test
hostname(config-pmap)# class sip
hostname(config-pmap-c)# no inspect sip sip-map1
hostname(config-pmap-c)# inspect sip sip-map2

Default Inspection Policy Maps
The default inspection policy map configuration includes the following commands, which sets the
maximum message length for DNS packets to be 512 bytes:
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512

Note

There are other default inspection policy maps such as policy-map type inspect esmtp
_default_esmtp_map. These default policy maps are created implicitly by the command inspect
protocol. For example, inspect esmtp implicitly uses the policy map “_default_esmtp_map.” All the
default policy maps can be shown by using the show running-config all policy-map command.

Defining Actions in an Inspection Policy Map
When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable
actions as defined in an inspection policy map.

Restrictions
You can specify multiple class or match commands in the policy map.

Cisco ASA 5500 Series Configuration Guide using the CLI

33-2

Chapter 33

Configuring Special Actions for Application Inspections (Inspection Policy Map)
Defining Actions in an Inspection Policy Map

If a packet matches multiple different match or class commands, then the order in which the ASA
applies the actions is determined by internal ASA rules, and not by the order they are added to the policy
map. The internal rules are determined by the application type and the logical progression of parsing a
packet, and are not user-configurable. For example for HTTP traffic, parsing a Request Method field
precedes parsing the Header Host Length field; an action for the Request Method field occurs before the
action for the Header Host Length field. For example, the following match commands can be entered in
any order, but the match request method get command is matched first.
match request header host length gt 100
reset
match request method get
log

If an action drops a packet, then no further actions are performed in the inspection policy map. For
example, if the first action is to reset the connection, then it will never match any further match or class
commands. If the first action is to log the packet, then a second action, such as resetting the connection,
can occur. (You can configure both the reset (or drop-connection, and so on.) and the log action for the
same match or class command, in which case the packet is logged before it is reset for a given match.)
If a packet matches multiple match or class commands that are the same, then they are matched in the
order they appear in the policy map. For example, for a packet with the header length of 1001, it will
match the first command below, and be logged, and then will match the second command and be reset.
If you reverse the order of the two match commands, then the packet will be dropped and the connection
reset before it can match the second match command; it will never be logged.
match request header length gt 100
log
match request header length gt 1000
reset

A class map is determined to be the same type as another class map or match command based on the
lowest priority match command in the class map (the priority is based on the internal rules). If a class
map has the same type of lowest priority match command as another class map, then the class maps are
matched according to the order they are added to the policy map. If the lowest priority command for each
class map is different, then the class map with the higher priority match command is matched first. For
example, the following three class maps contain two types of match commands: match request-cmd
(higher priority) and match filename (lower priority). The ftp3 class map includes both commands, but
it is ranked according to the lowest priority command, match filename. The ftp1 class map includes the
highest priority command, so it is matched first, regardless of the order in the policy map. The ftp3 class
map is ranked as being of the same priority as the ftp2 class map, which also contains the match
filename command. They are matched according to the order in the policy map: ftp3 and then ftp2.
class-map type inspect ftp match-all ftp1
match request-cmd get
class-map type inspect ftp match-all ftp2
match filename regex abc
class-map type inspect ftp match-all ftp3
match request-cmd get
match filename regex abc
policy-map type inspect ftp ftp
class ftp3
log
class ftp2
log
class ftp1
log

Cisco ASA 5500 Series Configuration Guide using the CLI

33-3

Chapter 33

Configuring Special Actions for Application Inspections (Inspection Policy Map)

Defining Actions in an Inspection Policy Map

Detailed Steps

Step 1

Command

Purpose

(Optional)

See the “Identifying Traffic in an Inspection Class Map” section
on page 33-6. Alternatively, you can identify the traffic directly
within the policy map.

Create an inspection class map.
Step 2

policy-map type inspect application
policy_map_name

Creates the inspection policy map. See the “Configuring
Application Layer Protocol Inspection” section on page 42-6 for
a list of applications that support inspection policy maps.

Example:

The policy_map_name argument is the name of the policy map up
to 40 characters in length. All types of policy maps use the same
name space, so you cannot reuse a name already used by another
type of policy map. The CLI enters policy-map configuration
mode.

hostname(config)# policy-map type inspect
http http_policy

Step 3

Specify the traffic on which you want to perform actions using one of the following methods:
class class_map_name

Example:
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)#

Not all applications support inspection class maps.

Specify traffic directly in the policy map using
one of the match commands described for each
application in the inspection chapter.

If you use a match not command, then any traffic that matches
the criterion in the match not command does not have the action
applied.

Example:
hostname(config-pmap)# match req-resp
content-type mismatch
hostname(config-pmap-c)#

Cisco ASA 5500 Series Configuration Guide using the CLI

33-4

Specifies the inspection class map that you created in the
“Identifying Traffic in an Inspection Class Map” section on
page 33-6.

Chapter 33

Configuring Special Actions for Application Inspections (Inspection Policy Map)
Defining Actions in an Inspection Policy Map

Step 4

Command

Purpose

{[drop [send-protocol-error] |
drop-connection [send-protocol-error]|
mask | reset] [log] | rate-limit
message_rate}

Specifies the action you want to perform on the matching traffic.
Not all options are available for each application. Other actions
specific to the application might also be available. See the
appropriate inspection chapter for the exact options available.

Example:
hostname(config-pmap-c)# drop-connection
log

Step 5

parameters

Example:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#

•

drop—Drops all packets that match.

•

send-protocol-error—Sends a protocol error message.

•

drop-connection—Drops the packet and closes the
connection.

•

mask—Masks out the matching portion of the packet.

•

reset—Drops the packet, closes the connection, and sends a
TCP reset to the server and/or client.

•

log—Sends a system log message. You can use log alone or
with one of the other keywords.

•

rate-limit message_rate—Limits the rate of messages.

Configures parameters that affect the inspection engine. The CLI
enters parameters configuration mode. For the parameters
available for each application, see the appropriate inspection
chapter.

Examples
The following is an example of an HTTP inspection policy map and the related class maps. This policy
map is activated by the Layer 3/4 policy map, which is enabled by the service policy.
hostname(config)# regex url_example example\.com
hostname(config)# regex url_example2 example2\.com
hostname(config)# class-map type regex match-any URLs
hostname(config-cmap)# match regex url_example
hostname(config-cmap)# match regex url_example2
hostname(config-cmap)#
hostname(config-cmap)#
hostname(config-cmap)#
hostname(config-cmap)#

class-map type inspect http match-all http-traffic
match req-resp content-type mismatch
match request body length gt 1000
match not request uri regex class URLs

hostname(config-cmap)# policy-map type inspect http http-map1
hostname(config-pmap)# class http-traffic
hostname(config-pmap-c)# drop-connection log
hostname(config-pmap-c)# match req-resp content-type mismatch
hostname(config-pmap-c)# reset log
hostname(config-pmap-c)# parameters
hostname(config-pmap-p)# protocol-violation action log
hostname(config-pmap-p)# policy-map test
hostname(config-pmap)# class test (a Layer 3/4 class
hostname(config-pmap-c)# inspect http http-map1

map not shown)

hostname(config-pmap-c)# service-policy test interface outside

Cisco ASA 5500 Series Configuration Guide using the CLI

33-5

Chapter 33

Configuring Special Actions for Application Inspections (Inspection Policy Map)

Identifying Traffic in an Inspection Class Map

Identifying Traffic in an Inspection Class Map
This type of class map allows you to match criteria that is specific to an application. For example, for
DNS traffic, you can match the domain name in a DNS query.
A class map groups multiple traffic matches (in a match-all class map), or lets you match any of a list of
matches (in a match-any class map). The difference between creating a class map and defining the traffic
match directly in the inspection policy map is that the class map lets you group multiple match
commands, and you can reuse class maps. For the traffic that you identify in this class map, you can
specify actions such as dropping, resetting, and/or logging the connection in the inspection policy map.
If you want to perform different actions on different types of traffic, you should identify the traffic
directly in the policy map.

Restrictions
Not all applications support inspection class maps. See the CLI help for class-map type inspect for a
list of supported applications.

Detailed Steps

Step 1

Command

Purpose

(Optional)

See the “Creating a Regular Expression” section on page 13-12
and the “Creating a Regular Expression Class Map” section on
page 13-15.

Create a regular expression.
Step 2

class-map type inspect application
[match-all | match-any] class_map_name

Example:
hostname(config)# class-map type inspect
http http_traffic
hostname(config-cmap)#

Creates an inspection class map, where the application is the
application you want to inspect. For supported applications, see
the CLI help for a list of supported applications or see Chapter 42,
“Getting Started with Application Layer Protocol Inspection.”
The class_map_name argument is the name of the class map up to
40 characters in length.
The match-all keyword is the default, and specifies that traffic
must match all criteria to match the class map.
The match-any keyword specifies that the traffic matches the
class map if it matches at least one of the criteria.
The CLI enters class-map configuration mode, where you can
enter one or more match commands.

Cisco ASA 5500 Series Configuration Guide using the CLI

33-6

Chapter 33

Configuring Special Actions for Application Inspections (Inspection Policy Map)
Where to Go Next

Step 3

Command

Purpose

(Optional)

Adds a description to the class map.

description string

Example:
hostname(config-cmap)# description All UDP
traffic

Step 4

Define the traffic to include in the class by
To specify traffic that should not match the class map, use the
entering one or more match commands available match not command. For example, if the match not command
for your application.
specifies the string “example.com,” then any traffic that includes
“example.com” does not match the class map.
To see the match commands available for each application, see
the appropriate inspection chapter.

Examples
The following example creates an HTTP class map that must match all criteria:
hostname(config-cmap)#
hostname(config-cmap)#
hostname(config-cmap)#
hostname(config-cmap)#

class-map type inspect http match-all http-traffic
match req-resp content-type mismatch
match request body length gt 1000
match not request uri regex class URLs

The following example creates an HTTP class map that can match any of the criteria:
hostname(config-cmap)#
hostname(config-cmap)#
hostname(config-cmap)#
hostname(config-cmap)#

class-map type inspect http match-any monitor-http
match request method get
match request method put
match request method post

Where to Go Next
To use an inspection policy, see Chapter 32, “Configuring a Service Policy Using the Modular Policy
Framework.”

Cisco ASA 5500 Series Configuration Guide using the CLI

33-7

Chapter 33
Where to Go Next

Cisco ASA 5500 Series Configuration Guide using the CLI

33-8

Configuring Special Actions for Application Inspections (Inspection Policy Map)

PA R T

Configuring Access Control

CH A P T E R

Configuring Access Rules
This chapter describes how to control network access through the ASA using access rules and includes
the following sections:

Note

•

Information About Access Rules, page 34-1

•

Licensing Requirements for Access Rules, page 34-6

•

Prerequisites, page 34-7

•

Guidelines and Limitations, page 34-7

•

Default Settings, page 34-7

•

Configuring Access Rules, page 34-7

•

Monitoring Access Rules, page 34-8

•

Configuration Examples for Permitting or Denying Network Access, page 34-9

•

Feature History for Access Rules, page 34-10

You use access rules to control network access in both routed and transparent firewall modes. In
transparent mode, you can use both access rules (for Layer 3 traffic) and EtherType rules (for Layer 2
traffic).
To access the ASA interface for management access, you do not also need an access rule allowing the
host IP address. You only need to configure management access according to Chapter 37, “Configuring
Management Access.”

Information About Access Rules
You create an access rule by applying an extended or EtherType access list to an interface or globally for
all interfaces.You can use access rules in routed and transparent firewall mode to control IP traffic. An
access rule permits or denies traffic based on the protocol, a source and destination IP address or
network, and optionally the source and destination ports.
For transparent mode only, an EtherType rule controls network access for non-IP traffic. An EtherType
rule permits or denies traffic based on the EtherType.
This section includes the following topics:
•

General Information About Rules, page 34-2

•

Information About Extended Access Rules, page 34-4

Cisco ASA 5500 Series Configuration Guide using the CLI

34-1

Chapter 34

Configuring Access Rules

Information About Access Rules

•

Information About EtherType Rules, page 34-5

General Information About Rules
This section describes information for both access rules and EtherType rules, and it includes the
following topics:
•

Implicit Permits, page 34-2

•

Information About Interface Access Rules and Global Access Rules, page 34-2

•

Using Access Rules and EtherType Rules on the Same Interface, page 34-2

•

Implicit Deny, page 34-3

•

Inbound and Outbound Rules, page 34-3

Implicit Permits
For routed mode, the following types of traffic are allowed through by default:
•

IPv4 traffic from a higher security interface to a lower security interface.

•

IPv6 traffic from a higher security interface to a lower security interface.

For transparent mode, the following types of traffic are allowed through by default:
•

IPv4 traffic from a higher security interface to a lower security interface.

•

IPv6 traffic from a higher security interface to a lower security interface.

•

ARPs in both directions.

Note
•

ARP traffic can be controlled by ARP inspection, but cannot be controlled by an access rule.

BPDUs in both directions.

For other traffic, you need to use either an extended access rule (IPv4), an IPv6 access rule (IPv6), or an
EtherType rule (non-IPv4/IPv6).

Information About Interface Access Rules and Global Access Rules
You can apply an access rule to a specific interface, or you can apply an access rule globally to all
interfaces. You can configure global access rules in conjunction with interface access rules, in which
case, the specific interface access rules are always processed before the general global access rules.

Note

Global access rules apply only to inbound traffic. See the “Inbound and Outbound Rules” section on
page 34-3.

Using Access Rules and EtherType Rules on the Same Interface
You can apply one access rule and one EtherType rule to each direction of an interface.

Cisco ASA 5500 Series Configuration Guide using the CLI

34-2

Chapter 34

Configuring Access Rules
Information About Access Rules

Implicit Deny
Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot
pass. For example, if you want to allow all users to access a network through the ASA except for
particular addresses, then you need to deny the particular addresses and then permit all others.
For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not
now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed
from a high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType ACE, then IP and ARP traffic is denied.
If you configure a global access rule, then the implicit deny comes after the global rule is processed. See
the following order of operations:
1.

Interface access rule.

Global access rule.

Implicit deny.

Inbound and Outbound Rules
The ASA supports two types of access rules:

Note

•

Inbound—Inbound access rules apply to traffic as it enters an interface. Global access rules are
always inbound.

•

Outbound—Outbound access rules apply to traffic as it exits an interface.

“Inbound” and “outbound” refer to the application of an access list on an interface, either to traffic
entering the ASA on an interface or traffic exiting the ASA on an interface. These terms do not refer to
the movement of traffic from a lower security interface to a higher security interface, commonly known
as inbound, or from a higher to lower interface, commonly known as outbound.
An outbound access list is useful, for example, if you want to allow only certain hosts on the inside
networks to access a web server on the outside network. Rather than creating multiple inbound access
lists to restrict access, you can create a single outbound access list that allows only the specified hosts.
(See Figure 34-1.) The outbound access list prevents any other hosts from reaching the outside network.

Cisco ASA 5500 Series Configuration Guide using the CLI

34-3

Chapter 34

Configuring Access Rules

Information About Access Rules

Figure 34-1

Outbound Access List

Web Server:
209.165.200.225

ASA

Outside
ACL Outbound
Permit HTTP from 10.1.1.14, 10.1.2.67,
and 10.1.3.34 to 209.165.200.225
Deny all others

ACL Inbound
Permit from any to any

10.1.1.14

209.165.201.4
Static NAT

HR
ACL Inbound
Permit from any to any

10.1.2.67
209.165.201.6
Static NAT

Eng
ACL Inbound
Permit from any to any

10.1.3.34
209.165.201.8
Static NAT

333823

Inside

See the following commands for this example:
hostname(config)# access-list OUTSIDE extended permit tcp host 10.1.1.14
host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 10.1.2.67
host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 10.1.3.34
host 209.165.200.225 eq www
hostname(config)# access-group OUTSIDE out interface outside

Information About Extended Access Rules
This section describes information about extended access rules and includes the following topics:
•

Access Rules for Returning Traffic, page 34-4

•

Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules,
page 34-5

•

Management Access Rules, page 34-5

Access Rules for Returning Traffic
For TCP and UDP connections for both routed and transparent mode, you do not need an access rule to
allow returning traffic because the ASA allows all returning traffic for established, bidirectional
connections.

Cisco ASA 5500 Series Configuration Guide using the CLI

34-4

Chapter 34

Configuring Access Rules
Information About Access Rules

For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions, so
you either need access rules to allow ICMP in both directions (by applying access lists to the source and
destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine
treats ICMP sessions as bidirectional connections. To control ping, specify echo-reply (0) (ASA to host)
or echo (8) (host to ASA).

Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules
In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule,
including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay).
Transparent firewall mode can allow any IP traffic through. This feature is especially useful in multiple
context mode, which does not allow dynamic routing, for example.

Note

Because these special types of traffic are connectionless, you need to apply an extended access list to
both interfaces, so returning traffic is allowed through.
Table 34-1 lists common traffic types that you can allow through the transparent firewall.
Table 34-1

Transparent Firewall Special Traffic

Traffic Type

Protocol or Port

Notes

DHCP

UDP ports 67 and 68

If you enable the DHCP server, then the ASA
does not pass DHCP packets.

EIGRP

Protocol 88

—

OSPF

Protocol 89

—

Multicast streams The UDP ports vary depending
on the application.

Multicast streams are always destined to a
Class D address (224.0.0.0 to 239.x.x.x).

RIP (v1 or v2)

—

UDP port 520

Management Access Rules
You can configure access rules that control management traffic destined to the ASA. Access control rules
for to-the-box management traffic (defined by such commands as http, ssh, or telnet) have higher
precedence than an management access rule applied with the control-plane option. Therefore, such
permitted management traffic will be allowed to come in even if explicitly denied by the to-the-box
access list.

Information About EtherType Rules
This section describes EtherType rules and includes the following topics:
•

Supported EtherTypes and Other Traffic, page 34-6

•

Access Rules for Returning Traffic, page 34-6

•

Allowing MPLS, page 34-6

Cisco ASA 5500 Series Configuration Guide using the CLI

34-5

Chapter 34

Configuring Access Rules

Licensing Requirements for Access Rules

Supported EtherTypes and Other Traffic
An EtherType rule controls the following:
•

EtherType identified by a 16-bit hexadecimal number, including common types IPX and MPLS
unicast or multicast.

•

Ethernet V2 frames.

•

BPDUs, which are permitted by default. BPDUs are SNAP-encapsulated, and the ASA is designed
to specifically handle BPDUs.

•

Trunk port (Cisco proprietary) BPDUs. Trunk BPDUs have VLAN information inside the payload,
so the ASA modifies the payload with the outgoing VLAN if you allow BPDUs.

•

IS-IS (supported in Version 8.4(5) only).

The following types of traffic are not supported:
•

802.3-formatted frames—These frames are not handled by the rule because they use a length field
as opposed to a type field.

Access Rules for Returning Traffic
Because EtherTypes are connectionless, you need to apply the rule to both interfaces if you want traffic
to pass in both directions.

Allowing MPLS
If you allow MPLS, ensure that Label Distribution Protocol and Tag Distribution Protocol TCP
connections are established through the ASA by configuring both MPLS routers connected to the ASA
to use the IP address on the ASA interface as the router-id for LDP or TDP sessions. (LDP and TDP
allow MPLS routers to negotiate the labels (addresses) used to forward packets.)
On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is
the interface connected to the ASA.
hostname(config)# mpls ldp router-id interface force

Or
hostname(config)# tag-switching tdp router-id interface force

Licensing Requirements for Access Rules
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Cisco ASA 5500 Series Configuration Guide using the CLI

34-6

Chapter 34

Configuring Access Rules
Prerequisites

Prerequisites
Before you can create an access rule, create the access list. See Chapter 15, “Adding an Extended Access
List,” and Chapter 16, “Adding an EtherType Access List,” for more information.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines

Supported in routed and transparent firewall modes.
IPv6 Guidelines

Supports IPv6.
Per-User Access List Guidelines
•

If there is no per-user access list associated with a packet, the interface access rule is applied.

•

The per-user access list uses the value in the timeout uauth command, but it can be overridden by
the AAA per-user session timeout value.

•

If traffic is denied because of a per-user access list, syslog message 109025 is logged. If traffic is
permitted, no syslog message is generated. The log option in the per-user access list has no effect.

Default Settings
See the “Implicit Permits” section on page 34-2.

Configuring Access Rules
To apply an access rule, perform the following steps.

Cisco ASA 5500 Series Configuration Guide using the CLI

34-7

Chapter 34

Configuring Access Rules

Monitoring Access Rules

Detailed Steps

Command

Purpose

access-group access_list
{{in | out} interface interface_name
[per-user-override | control-plane] |
global}

Binds an access list to an interface or applies it globally.

Example:
hostname(config)# access-group acl_out in
interface outside

Specify the extended, EtherType, or IPv6 access list name. You can
configure one access-group command per access list type per interface.
You cannot reference empty access lists or access lists that contain only a
remark.
For an interface-specific rule:
•

The in keyword applies the access list to inbound traffic. The out
keyword applies the access list to the outbound traffic.

•

Specify the interface name.

•

The per-user-override keyword (for inbound access lists only) allows
dynamic user access lists that are downloaded for user authorization to
override the access list assigned to the interface. For example, if the
interface access list denies all traffic from 10.0.0.0, but the dynamic
access list permits all traffic from 10.0.0.0, then the dynamic access
list overrides the interface access list for that user. See the
“Configuring RADIUS Authorization” section on page 38-14 for more
information about per-user access lists. See also the “Per-User Access
List Guidelines” section on page 34-7.

•

The control-plane keyword specifies if the rule is for to-the-box
traffic.

For a global rule, specify the global keyword to apply the access list to
the inbound direction of all interfaces.

Examples
The following example shows how to use the access-group command:
hostname(config)# access-list acl_out permit tcp any host 209.165.201.3 eq 80
hostname(config)# access-group acl_out in interface outside

The access-list command lets any host access the global address using port 80. The access-group
command specifies that the access-list command applies to traffic entering the outside interface.

Monitoring Access Rules
To monitor network access, enter the following command:
Command

Purpose

show running-config access-group

Displays the current access list bound to the
interfaces.

Cisco ASA 5500 Series Configuration Guide using the CLI

34-8

Chapter 34

Configuring Access Rules
Configuration Examples for Permitting or Denying Network Access

Configuration Examples for Permitting or Denying Network
Access
This section includes typical configuration examples for permitting or denying network access.
The following example illustrates the commands required to enable access to an inside web server with
the IP address 209.165.201.12. (This IP address is the real address, not the visible on the outside
interface after NAT.)
hostname(config)# access-list ACL_OUT extended permit tcp any host 209.165.201.12 eq www
hostname(config)# access-group ACL_OUT in interface outside

The following example allows all hosts to communicate between the inside and hr networks but only
specific hosts to access the outside network:
hostname(config)# access-list ANY extended permit ip any any
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
hostname(config)# access-group ANY in interface inside
hostname(config)# access-group ANY in interface hr
hostname(config)# access-group OUT out interface outside

For example, the following sample access list allows common EtherTypes originating on the inside
interface:
hostname(config)# access-list ETHER ethertype permit ipx
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside

The following example allows some EtherTypes through the ASA, but it denies all others:
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#

access-list ETHER ethertype permit 0x1234
access-list ETHER ethertype permit mpls-unicast
access-group ETHER in interface inside
access-group ETHER in interface outside

The following example denies traffic with EtherType 0x1256 but allows all others on both interfaces:
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#

access-list nonIP ethertype deny 1256
access-list nonIP ethertype permit any
access-group ETHER in interface inside
access-group ETHER in interface outside

The following example uses object groups to permit specific traffic on the inside interface:
!
hostname
hostname
hostname
hostname
hostname
hostname

(config)# object-group service myaclog
(config-service)# service-object tcp source range 2000 3000
(config-service)# service-object tcp source range 3000 3010 destinatio$
(config-service)# service-object ipsec
(config-service)# service-object udp destination range 1002 1006
(config-service)# service-object icmp echo

hostname(config)# access-list outsideacl extended permit object-group myaclog interface
inside any

Cisco ASA 5500 Series Configuration Guide using the CLI

34-9

Chapter 34

Configuring Access Rules

Feature History for Access Rules

Feature History for Access Rules
Table 34-2 lists each feature change and the platform release in which it was implemented.
Table 34-2

Feature History for Access Rules

Feature Name
Interface access rules

Platform
Releases
7.0(1)

Feature Information
Controlling network access through the ASA using access
lists.
We introduced the following command: access-group.

Global access rules

8.3(1)

Global access rules were introduced.
We modified the following command: access-group.

Support for Identity Firewall

8.4(2)

You can now use identity firewall users and groups for the
source and destination. You can use an identity firewall
ACL with access rules, AAA rules, and for VPN
authentication.
We modified the following commands: access-list
extended.

EtherType ACL support for IS-IS traffic
(transparent firewall mode)

8.4(5)

In transparent firewall mode, the ASA can now pass IS-IS
traffic using an EtherType ACL.
We modified the following command: access-list ethertype
{permit | deny} is-is.
Not available in Version 8.5(1), 8.6(1), or 9.0(1).

Cisco ASA 5500 Series Configuration Guide using the CLI

34-10

CH A P T E R

Configuring AAA Servers and the Local Database
This chapter describes support for authentication, authorization, and accounting (AAA, pronounced
“triple A”), and how to configure AAA servers and the local database.
The chapter includes the following sections:
•

Information About AAA, page 35-1

•

Licensing Requirements for AAA Servers, page 35-10

•

Guidelines and Limitations, page 35-10

•

Configuring AAA, page 35-10

•

Monitoring AAA Servers, page 35-30

•

Additional References, page 35-31

•

Feature History for AAA Servers, page 35-31

Information About AAA
AAA enables the ASA to determine who the user is (authentication), what the user can do
(authorization), and what the user did (accounting).
AAA provides an extra level of protection and control for user access than using access lists alone. For
example, you can create an access list allowing all outside users to access Telnet on a server on the DMZ
network. If you want only some users to access the server and you might not always know IP addresses
of these users, you can enable AAA to allow only authenticated and/or authorized users to connect
through the ASA. (The Telnet server enforces authentication, too; the ASA prevents unauthorized users
from attempting to access the server.)
You can use authentication alone or with authorization and accounting. Authorization always requires a
user to be authenticated first. You can use accounting alone, or with authentication and authorization.
This section includes the following topics:
•

Information About Authentication, page 35-2

•

Information About Authorization, page 35-2

•

Information About Accounting, page 35-3

•

Summary of Server Support, page 35-3

•

RADIUS Server Support, page 35-4

•

TACACS+ Server Support, page 35-5

Cisco ASA 5500 Series Configuration Guide using the CLI

35-1

Chapter 35

Configuring AAA Servers and the Local Database

Information About AAA

•

RSA/SDI Server Support, page 35-5

•

NT Server Support, page 35-6

•

Kerberos Server Support, page 35-6

•

LDAP Server Support, page 35-6

•

Local Database Support, Including as a Falback Method, page 35-8

•

How Fallback Works with Multiple Servers in a Group, page 35-8

•

Using Certificates and User Login Credentials, page 35-9

•

Task Flow for Configuring AAA, page 35-11

Information About Authentication
Authentication controls access by requiring valid user credentials, which are usually a username and
password. You can configure the ASA to authenticate the following items:
•

All administrative connections to the ASA, including the following sessions:
– Telnet
– SSH
– Serial console
– ASDM using HTTPS
– VPN management access

•

The enable command

•

Network access

•

VPN access

Information About Authorization
Authorization controls access per user after users are authenticated. You can configure the ASA to
authorize the following items:
•

Management commands

•

Network access

•

VPN access

Authorization controls the services and commands that are available to each authenticated user. If you
did not enable authorization, authentication alone would provide the same access to services for all
authenticated users.
If you need the control that authorization provides, you can configure a broad authentication rule, and
then have a detailed authorization configuration. For example, you can authenticate inside users who try
to access any server on the outside network and then limit the outside servers that a particular user can
access using authorization.
The ASA caches the first 16 authorization requests per user, so if the user accesses the same services
during the current authentication session, the ASA does not resend the request to the authorization
server.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-2

Chapter 35

Configuring AAA Servers and the Local Database
Information About AAA

Information About Accounting
Accounting tracks traffic that passes through the ASA, enabling you to have a record of user activity. If
you enable authentication for that traffic, you can account for traffic per user. If you do not authenticate
the traffic, you can account for traffic per IP address. Accounting information includes session start and
stop times, username, the number of bytes that pass through the ASA for the session, the service used,
and the duration of each session.

Summary of Server Support
Table 35-1 summarizes the support for each AAA service by each AAA server type, including the local
database. For more information about support for a specific AAA server type, see the topics following
the table.
Table 35-1

Summary of AAA Support

Database Type
AAA Service

Local RADIUS

TACACS+

SDI (RSA) NT

Kerberos

LDAP

HTTP Form

VPN users1

Yes

Yes2

Firewall sessions

Yes

Administrators

Yes

Yes3

Yes

Authentication of...

Authorization of...

VPN users
Firewall sessions
Administrators

No
Yes

Yes
5

Accounting of...

VPN connections

Yes

Firewall sessions

Yes

Administrators

Yes

1. For SSL VPN connections, either PAP or MS-CHAPv2 can be used.
2. HTTP Form protocol supports both authentication and single sign-on operations for clientless SSL VPN users sessions only.
3. RSA/SDI is supported for ASDM HTTP administrative access with ASA 5500 software version 8.2(1) or later.
4. For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or specified
in a RADIUS authentication response.
5. Local command authorization is supported by privilege level only.
6. Command accounting is available for TACACS+ only.

Note

In addition to the native protocol authentication listed in Table 35-1, the ASA supports proxying
authentication. For example, the ASA can proxy to an RSA/SDI and/or LDAP server via a RADIUS
server. Authentication via digital certificates and/or digital certificates with the AAA combinations
listed in the table are also supported.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-3

Chapter 35

Configuring AAA Servers and the Local Database

Information About AAA

RADIUS Server Support
The ASA supports the following RFC-compliant RADIUS servers for AAA:
•

Cisco Secure ACS 3.2, 4.0, 4.1, 4.2, and 5.x

•

Cisco Identity Services Engine (ISE)

•

RSA RADIUS in RSA Authentication Manager 5.2, 6.1, and 7.x

•

Microsoft

Authentication Methods
The ASA supports the following authentication methods with RADIUS:

Note

•

PAP—For all connection types.

•

CHAP and MS-CHAPv1—For L2TP-over-IPsec connections.

•

MS-CHAPv2—For L2TP-over-IPsec connections, and for regular IPsec remote access connections
when the password management feature is enabled. You can also use MS-CHAPv2 with clientless
connections.

•

Authentication Proxy modes—Including RADIUS to Active Directory, RADIUS to RSA/SDI,
RADIUS to Token-server, and RSA/SDI to RADIUS connections,

To enable MS-CHAPv2 as the protocol used between the ASA and the RADIUS server for a VPN
connection, password management must be enabled in the tunnel group general attributes. Enabling
password management generates an MS-CHAPv2 authentication request from the ASA to the RADIUS
server. See the description of the password-management command for details.
If you use double authentication and enable password management in the tunnel group, then the primary
and secondary authentication requests include MS-CHAPv2 request attributes. If a RADIUS server does
not support MS-CHAPv2, then you can configure that server to send a non-MS-CHAPv2 authentication
request by using the no mschapv2-capable command.

Attribute Support
The ASA supports the following sets of RADIUS attributes:
•

Authentication attributes defined in RFC 2138.

•

Accounting attributes defined in RFC 2139.

•

RADIUS attributes for tunneled protocol support, defined in RFC 2868.

•

Cisco IOS Vendor-Specific Attributes (VSAs), identified by RADIUS vendor ID 9.

•

Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076.

•

Microsoft VSAs, defined in RFC 2548.

•

Cisco VSA (Cisco-Priv-Level), which provides a standard 0-15 numeric ranking of privileges, with
1 being the lowest level and 15 being the highest level. A zero level indicates no privileges. The first
level (login) allows privileged EXEC access for the commands available at this level. The second
level (enable) allows CLI configuration privileges.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-4

Chapter 35

Configuring AAA Servers and the Local Database
Information About AAA

•

A list of attributes is available at the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1
605508

RADIUS Authorization Functions
The ASA can use RADIUS servers for user authorization of VPN remote access and firewall
cut-through-proxy sessions using dynamic access lists or access list names per user. To implement
dynamic access lists, you must configure the RADIUS server to support it. When the user authenticates,
the RADIUS server sends a downloadable access list or access list name to the ASA. Access to a given
service is either permitted or denied by the access list. The ASA deletes the access list when the
authentication session expires.
In addtition to access lists, the ASA supports many other attributes for authorization and setting of
permissions for VPN remote access and firewall cut-through proxy sessions. For a complete list of
authorization attributes, see the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp16055
08

TACACS+ Server Support
The ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.

RSA/SDI Server Support
The RSA SecureID servers are also known as SDI servers.
This section includes the following topics:
•

RSA/SDI Version Support, page 35-5

•

Two-step Authentication Process, page 35-5

•

RSA/SDI Primary and Replica Servers, page 35-6

RSA/SDI Version Support
The ASA supports SDI Versions 5.x, 6.x, and 7.x. SDI uses the concepts of an SDI primary and SDI
replica servers. Each primary and its replicas share a single node secret file. The node secret file has its
name based on the hexadecimal value of the ACE or Server IP address, with .sdi appended.
A version 5.x, 6.x, or 7.x SDI server that you configure on the ASA can be either the primary or any one
of the replicas. See the “RSA/SDI Primary and Replica Servers” section on page 35-6 for information
about how the SDI agent selects servers to authenticate users.

Two-step Authentication Process
SDI Versions 5.x, 6.x, or 7.x use a two-step process to prevent an intruder from capturing information
from an RSA SecurID authentication request and using it to authenticate to another server. The agent
first sends a lock request to the SecurID server before sending the user authentication request. The server

Cisco ASA 5500 Series Configuration Guide using the CLI

35-5

Chapter 35

Configuring AAA Servers and the Local Database

Information About AAA

locks the username, preventing another (replica) server from accepting it. This actions means that the
same user cannot authenticate to two ASAs using the same authentication servers simultaneously. After
a successful username lock, the ASA sends the passcode.

RSA/SDI Primary and Replica Servers
The ASA obtains the server list when the first user authenticates to the configured server, which can be
either a primary or a replica. The ASA then assigns priorities to each of the servers on the list, and
subsequent server selection is derived at random from those assigned priorities. The highest priority
servers have a higher likelihood of being selected.

NT Server Support
The ASA supports Microsoft Windows server operating systems that support NTLM Version 1,
collectively referred to as NT servers.

Note

NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated,
which is a limitation of NTLM Version 1.

Kerberos Server Support
The ASA supports 3DES, DES, and RC4 encryption types.

Note

The ASA does not support changing user passwords during tunnel negotiation. To avoid this situation
happening inadvertently, disable password expiration on the Kerberos/Active Directory server for users
connecting to the ASA.
For a simple Kerberos server configuration example, see Example 35-2 on page 35-16.

LDAP Server Support
The ASA supports LDAP. This section includes the following topics:
•

Authentication with LDAP, page 35-6

•

LDAP Server Types, page 35-7

Authentication with LDAP
During authentication, the ASA acts as a client proxy to the LDAP server for the user, and authenticates
to the LDAP server in either plain text or by using the SASL protocol. By default, the ASA passes
authentication parameters, usually a username and password, to the LDAP server in plain text.
The ASA supports the following SASL mechanisms, listed in order of increasing strength:
•

Digest-MD5—The ASA responds to the LDAP server with an MD5 value computed from the
username and password.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-6

Chapter 35

Configuring AAA Servers and the Local Database
Information About AAA

•

Kerberos—The ASA responds to the LDAP server by sending the username and realm using the
GSSAPI Kerberos mechanism.

You can configure the ASA and LDAP server to support any combination of these SASL mechanisms.
If you configure multiple mechanisms, the ASA retrieves the list of SASL mechanisms that are
configured on the server and sets the authentication mechanism to the strongest mechanism configured
on both the ASA and the server. For example, if both the LDAP server and the ASA support both
mechanisms, the ASA selects Kerberos, the stronger of the mechanisms.
When user LDAP authentication has succeeded, the LDAP server returns the attributes for the
authenticated user. For VPN authentication, these attributes generally include authorization data that is
applied to the VPN session. Thus, using LDAP accomplishes authentication and authorization in a single
step.

LDAP Server Types
The ASA supports LDAP version 3 and is compatible with the Sun Microsystems JAVA System
Directory Server (formerly named the Sun ONE Directory Server), the Microsoft Active Directory,
Novell, OpenLDAP, and other LDAPv3 directory servers.
By default, the ASA auto-detects whether it is connected to Microsoft Active Directory, Sun LDAP,
Novell, OpenLDAP, or a generic LDAPv3 directory server. However, if auto-detection fails to determine
the LDAP server type, and you know the server is either a Microsoft, Sun or generic LDAP server, you
can manually configure the server type.
When configuring the server type, note the following guidelines:
•

The DN configured on the ASA to access a Sun directory server must be able to access the default
password policy on that server. We recommend using the directory administrator, or a user with
directory administrator privileges, as the DN. Alternatively, you can place an ACL on the default
password policy.

•

You must configure LDAP over SSL to enable password management with Microsoft Active
Directory and Sun servers.

•

The ASA does not support password management with Novell, OpenLDAP, and other LDAPv3
directory servers.

•

The ASA uses the Login Distinguished Name (DN) and Login Password to establish a trust
relationship (bind) with an LDAP server. For more information, see the “Binding the ASA to the
LDAP Server” section on page C-4.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-7

Chapter 35

Configuring AAA Servers and the Local Database

Information About AAA

HTTP Forms Authentication for Clientless SSL VPN
The ASA can use the HTTP Form protocol for both authentication and single sign-on (SSO) operations
of Clientless SSL VPN user sessions only. For configuration information, see the “Using Single Sign-on
with Clientless SSL VPN” section on page 74-13.

Local Database Support, Including as a Falback Method
The ASA maintains a local database that you can populate with user profiles.
The local database can act as a fallback method for several functions. This behavior is designed to help
you prevent accidental lockout from the ASA.
For users who need fallback support, we recommend that their usernames and passwords in the local
database match their usernames and passwords on the AAA servers. This practice provides transparent
fallback support. Because the user cannot determine whether a AAA server or the local database is
providing the service, using usernames and passwords on AAA servers that are different than the
usernames and passwords in the local database means that the user cannot be certain which username
and password should be given.
The local database supports the following fallback functions:
•

Console and enable password authentication—If the servers in the group are all unavailable, the
ASA uses the local database to authenticate administrative access, which can also include enable
password authentication.

•

Command authorization—If the TACACS+ servers in the group are all unavailable, the local
database is used to authorize commands based on privilege levels.

•

VPN authentication and authorization—VPN authentication and authorization are supported to
enable remote access to the ASA if AAA servers that normally support these VPN services are
unavailable. When a VPN client of an administrator specifies a tunnel group configured to fallback
to the local database, the VPN tunnel can be established even if the AAA server group is unavailable,
provided that the local database is configured with the necessary attributes.

How Fallback Works with Multiple Servers in a Group
If you configure multiple servers in a server group and you enable fallback to the local database for the
server group, fallback occurs when no server in the group responds to the authentication request from
the ASA. To illustrate, consider this scenario:
You configure an LDAP server group with two Active Directory servers, server 1 and server 2, in that
order. When the remote user logs in, the ASA attempts to authenticate to server 1.
If server 1 responds with an authentication failure (such as user not found), the ASA does not attempt to
authenticate to server 2.
If server 1 does not respond within the timeout period (or the number of authentication attempts exceeds
the configured maximum), the ASA tries server 2.
If both servers in the group do not respond, and the ASA is configured to fall back to the local database,
the ASA tries to authenticate to the local database.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-8

Chapter 35

Configuring AAA Servers and the Local Database
Information About AAA

Using Certificates and User Login Credentials
The following section describes the different methods of using certificates and user login credentials
(username and password) for authentication and authorization. These methods apply to IPsec,
AnyConnect, and Clientless SSL VPN.
In all cases, LDAP authorization does not use the password as a credential. RADIUS authorization uses
either a common password for all users or the username as a password.
This section includes the following topics:
•

Using User Login Credentials, page 35-9

•

Using Certificates, page 35-9

Using User Login Credentials
The default method for authentication and authorization uses the user login credentials.
•

Authentication
– Enabled by the authentication server group setting in the tunnel group (also called ASDM

Connection Profile)
– Uses the username and password as credentials
•

Authorization
– Enabled by the authorization server group setting in the tunnel group (also called ASDM

Connection Profile)
– Uses the username as a credential

Using Certificates
If user digital certificates are configured, the ASA first validates the certificate. It does not, however, use
any of the DNs from certificates as a username for the authentication.
If both authentication and authorization are enabled, the ASA uses the user login credentials for both
user authentication and authorization.
•

Authentication
– Enabled by the authentication server group setting
– Uses the username and password as credentials

•

Authorization
– Enabled by the authorization server group setting
– Uses the username as a credential

If authentication is disabled and authorization is enabled, the ASA uses the primary DN field for
authorization.
•

Authentication
– DISABLED (set to None) by the authentication server group setting
– No credentials used

•

Authorization
– Enabled by the authorization server group setting

Cisco ASA 5500 Series Configuration Guide using the CLI

35-9

Chapter 35

Configuring AAA Servers and the Local Database

Licensing Requirements for AAA Servers

– Uses the username value of the certificate primary DN field as a credential

Note

If the primary DN field is not present in the certificate, the ASA uses the secondary DN field value as
the username for the authorization request.
For example, consider a user certificate that includes the following Subject DN fields and values:
Cn=anyuser,OU=sales;O=XYZCorporation;L=boston;S=mass;C=us;ea=anyuser@example.com

If the Primary DN = EA (E-mail Address) and the Secondary DN = CN (Common Name), then the
username used in the authorization request would be anyuser@example.com.

Licensing Requirements for AAA Servers
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines

Supported in routed and transparent firewall mode.
IPv6 Guidelines

Supports IPv6.
Additional Guidelines

The username command has two versions: one for 8.4(3) and earlier and one for 8.4(4.1) and later. See
the command reference for more information.

Configuring AAA
This section includes the following topics:
•

Configuring AAA Server Groups, page 35-11

•

Configuring Authorization with LDAP for VPN, page 35-16

•

Configuring LDAP Attribute Maps, page 35-18

•

Adding a User Account to the Local Database, page 35-20

Cisco ASA 5500 Series Configuration Guide using the CLI

35-10

Chapter 35

Configuring AAA Servers and the Local Database
Configuring AAA

•

Managing User Passwords, page 35-25

•

.Changing User Passwords, page 35-27

•

Authenticating Users with a Public Key for SSH, page 35-28

•

Differentiating User Roles Using AAA, page 35-28

Task Flow for Configuring AAA
Step 1

Do one or both of the following:
•

Add a AAA server group. See the “Configuring AAA Server Groups” section on page 35-11.

•

Add a user to the local database. See the “Adding a User Account to the Local Database” section on
page 35-20.

Step 2

(Optional) Configure authorization from an LDAP server that is separate and distinct from the
authentication mechanism. See the “Configuring Authorization with LDAP for VPN” section on
page 35-16.

Step 3

For an LDAP server, configure LDAP attribute maps. See the “Configuring LDAP Attribute Maps”
section on page 35-18.

Step 4

For an administrator, specify the password policy attributes for users. See the “Managing User
Passwords” section on page 35-25.

Step 5

(Optional) Users can change their own passwords. See the “.Changing User Passwords” section on
page 35-27.

Step 6

(Optional) Users can authenticate with a public key. See the “Authenticating Users with a Public Key for
SSH” section on page 35-28.

Step 7

(Optional) Distinguish between administrative and remote-access users when they authenticate. See the
“Differentiating User Roles Using AAA” section on page 35-28.

Configuring AAA Server Groups
If you want to use an external AAA server for authentication, authorization, or accounting, you must first
create at least one AAA server group per AAA protocol and add one or more servers to each group. You
identify AAA server groups by name. Each server group is specific to one type of server: Kerberos,
LDAP, NT, RADIUS, SDI, or TACACS+.

Guidelines
•

You can have up to 100 server groups in single mode or 4 server groups per context in multiple mode.

•

Each group can have up to 16 servers in single mode or 4 servers in multiple mode.

•

When a user logs in, the servers are accessed one at a time, starting with the first server you specify
in the configuration, until a server responds. If all servers in the group are unavailable, the ASA tries
the local database if you configured it as a fallback method (management authentication and
authorization only). If you do not have a fallback method, the ASA continues to try the AAA servers.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-11

Chapter 35

Configuring AAA Servers and the Local Database

Configuring AAA

Detailed Steps

Step 1

Command

Purpose

aaa-server server_tag protocol {kerberos | ldap |
nt | radius | sdi | tacacs+}

Identifies the server group name and the protocol. For
example, to use RADIUS to authenticate network access
and TACACS+ to authenticate CLI access, you need to
create at least two server groups, one for RADIUS
servers and one for TACACS+ servers.

Example:
hostname(config)# aaa-server servergroup1
protocol ldap
hostname(config-aaa-server-group)#
hostname(config)# aaa-server servergroup1
protocol radius
hostname(config-aaa-server-group)#
interim-accounting-update
hostname(config)# aaa-server servergroup1
protocol radius
hostname(config-aaa-server-group)# ad-agent-mode

You can have up to 100 server groups in single mode or
4 server groups per context in multiple mode. Each group
can have up to 15 servers in single mode or 4 servers in
multiple mode.
When you enter the aaa-server protocol command, you
enter aaa-server group configuration mode.
The interim-accounting-update option enables
multi-session accounting for clientless SSL and
AnyConnect sessions. If you choose this option, interim
accounting records are sent to the RADIUS server in
addition to the start and stop records.
Tip

Choose this option if users have trouble
completing a VPN connection using clean access
SSO, which might occur when making clientless
or AnyConnect connections directly to the ASA.

The ad-agent-mode option specifies the shared secret
between the ASA and the AD agent, and indicates that a
RADIUS server group includes AD agents that are not
full-function RADIUS servers. Only a RADIUS server
group that has been configured using the ad-agent-mode
option can be associated with user identity. As a result,
the test aaa-server {authentication | authorization}
aaa-server-group command is not available when a
RADIUS server group that is not configured using the
ad-agent-mode option is specified.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-12

Chapter 35

Configuring AAA Servers and the Local Database
Configuring AAA

Step 2

Command

Purpose

merge-dacl {before-avpair | after-avpair}

Merges a downloadable ACL with the ACL received in
the Cisco AV pair from a RADIUS packet. The default
setting is no merge dacl, which specifies that
downloadable ACLs will not be merged with Cisco AV
pair ACLs. If both an AV pair and a downloadable ACL
are received, the AV pair has priority and is used.

Example:
hostname(config)# aaa-server servergroup1
protocol radius
hostname(config-aaa-server-group)# merge-dacl
before-avpair

The before-avpair option specifies that the
downloadable ACL entries should be placed before the
Cisco AV pair entries.
The after-avpair option specifies that the downloadable
ACL entries should be placed after the Cisco AV pair
entries. This option applies only to VPN connections. For
VPN users, ACLs can be in the form of Cisco AV pair
ACLs, downloadable ACLs, and an ACL that is
configured on the ASA. This option determines whether
or not the downloadable ACL and the AV pair ACL are
merged, and does not apply to any ACLs configured on
the ASA.

Step 3

max-failed-attempts number

Example:
hostname(config-aaa-server-group)#
max-failed-attempts 2

Specifies the maximum number of requests sent to a
AAA server in the group before trying the next server.
The number argument can range from 1 and 5. The
default is 3.
If you configured a fallback method using the local
database (for management access only; see the
“Configuring Local Command Authorization” section on
page 37-23 and the “Configuring TACACS+ Command
Authorization” section on page 37-29 to configure the
fallback mechanism), and all the servers in the group fail
to respond, then the group is considered to be
unresponsive, and the fallback method is tried. The
server group remains marked as unresponsive for a
period of 10 minutes (by default), so that additional AAA
requests within that period do not attempt to contact the
server group, and the fallback method is used
immediately. To change the unresponsive period from the
default, see the reactivation-mode command in the next
step.
If you do not have a fallback method, the ASA continues
to retry the servers in the group.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-13

Chapter 35

Configuring AAA Servers and the Local Database

Configuring AAA

Step 4

Command

Purpose

reactivation-mode {depletion [deadtime minutes] |
timed}

Specifies the method (reactivation policy) by which
failed servers in a group are reactivated.
The depletion keyword reactivates failed servers only
after all of the servers in the group are inactive.

Example:
hostname(config-aaa-server-group)#
reactivation-mode deadtime 20

The deadtime minutes keyword-argument pair specifies
the amount of time in minutes, between 0 and 1440, that
elapses between the disabling of the last server in the
group and the subsequent reenabling of all servers. The
default is 10 minutes.
The timed keyword reactivates failed servers after 30
seconds of down time.

Step 5

accounting-mode simultaneous

Sends accounting messages to all servers in the group
(RADIUS or TACACS+ only).

Example:

To restore the default of sending messages only to the
active server, enter the accounting-mode single
command.

hostname(config-aaa-server-group)#
accounting-mode simultaneous

Step 6

Identifies the server and the AAA server group to which
it belongs.

aaa-server server_group [interface_name] host
server_ip

Example:
hostname(config)# aaa-server servergroup1 outside
host 10.10.1.1

When you enter the aaa-server host command, you enter
aaa-server host configuration mode. As needed, use host
configuration mode commands to further configure the
AAA server.
The commands in host configuration mode do not apply
to all AAA server types. Table 35-2 lists the available
commands, the server types to which they apply, and
whether or not a new AAA server definition has a default
value for that command. Where a command is applicable
to the specified server type and no default value is
provided (indicated by “—”), use the command to
specify the value.

Table 35-2

Host Mode Commands, Server Types, and Defaults

Command

Applicable AAA Server Types Default Value

accounting-port

RADIUS

1646

acl-netmask-convert

RADIUS

standard

authentication-port

RADIUS

1645

kerberos-realm

Kerberos

—

key

RADIUS

—

TACACS+

—

ldap-attribute-map

LDAP

—

ldap-base-dn

LDAP

—

ldap-login-dn

LDAP

—

Cisco ASA 5500 Series Configuration Guide using the CLI

35-14

Description

Chapter 35

Configuring AAA Servers and the Local Database
Configuring AAA

Table 35-2

Host Mode Commands, Server Types, and Defaults (continued)

Command

Applicable AAA Server Types Default Value

ldap-login-password

LDAP

—

ldap-naming-attribute

LDAP

—

ldap-over-ssl

LDAP

636

ldap-scope

LDAP

—

mschapv2-capable

RADIUS

enabled

Description

If not set, the ASA uses sAMAccountName for
LDAP requests. Whether using SASL or plain
text, you can secure communications between
the ASA and the LDAP server with SSL. If you
do not configure SASL, we strongly
recommend that you secure LDAP
communications with SSL.

nt-auth-domain-controller NT

—

radius-common-pw

RADIUS

—

retry-interval

Kerberos

10 seconds

RADIUS

10 seconds

SDI

10 seconds

sasl-mechanism

LDAP

—

server-port

Kerberos

LDAP

389

139

SDI

5500

TACACS+

server-type

LDAP

auto-discovery If auto-detection fails to determine the LDAP
server type, and you know the server is either a
Microsoft, Sun or generic LDAP server, you
can manually configure the server type.

timeout

All

10 seconds

Examples
Example 35-1 shows how to add one TACACS+ group with one primary and one backup server, one
RADIUS group with a single server, and an NT domain server.
Example 35-1 Multiple AAA Server Groups and Servers
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# max-failed-attempts 2
hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 20
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.2
hostname(config-aaa-server-host)# key TACPlusUauthKey2
hostname(config-aaa-server-host)# exit

Cisco ASA 5500 Series Configuration Guide using the CLI

35-15

Chapter 35

Configuring AAA Servers and the Local Database

Configuring AAA

hostname(config)# aaa-server AuthOutbound protocol radius
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.3
hostname(config-aaa-server-host)# key RadUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server NTAuth protocol nt
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server NTAuth (inside) host 10.1.1.4
hostname(config-aaa-server-host)# nt-auth-domain-controller primary1
hostname(config-aaa-server-host)# exit

Example 35-2 shows how to configure a Kerberos AAA server group named watchdogs, add a AAA
server to the group, and define the Kerberos realm for the server. Because Example 35-2 does not define
a retry interval or the port that the Kerberos server listens to, the ASA uses the default values for these
two server-specific parameters. Table 35-2 lists the default values for all AAA server host mode
commands.

Note

Kerberos realm names use numbers and upper-case letters only. Although the ASA accepts lower-case
letters for a realm name, it does not translate lower-case letters to upper-case letters. Be sure to use
upper-case letters only.
Example 35-2 Kerberos Server Group and Server
hostname(config)# aaa-server watchdogs protocol kerberos
hostname(config-aaa-server-group)# aaa-server watchdogs host 192.168.3.4
hostname(config-aaa-server-host)# kerberos-realm EXAMPLE.COM
hostname(config-aaa-server-host)# exit
hostname(config)#

Configuring Authorization with LDAP for VPN
When user LDAP authentication for VPN access has succeeded, the ASA queries the LDAP server which
returns LDAP attributes. These attributes generally include authorization data that applies to the VPN
session. Thus, using LDAP accomplishes authentication and authorization in a single step.
There may be cases, however, where you require authorization from an LDAP directory server that is
separate and distinct from the authentication mechanism. For example, if you use an SDI or certificate
server for authentication, no authorization information is passed back. For user authorizations in this
case, you can query an LDAP directory after successful authentication, accomplishing authentication
and authorization in two steps.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-16

Chapter 35

Configuring AAA Servers and the Local Database
Configuring AAA

To set up VPN user authorization using LDAP, perform the following steps.

Detailed Steps

Step 1

Command

Purpose

aaa-server server_group protocol {kerberos | ldap | nt |
radius | sdi | tacacs+}

Creates a AAA server group.

Example:
hostname(config)# aaa-server servergroup1 protocol
ldap
hostname(config-aaa-server-group)

Step 2

tunnel-group groupname

Creates an IPsec remote access tunnel group named
remotegrp.

Example:
hostname(config)# tunnel-group remotegrp

Step 3

tunnel-group groupname general-attributes

Associates the server group and the tunnel group.

Example:
hostname(config)# tunnel-group remotegrp
general-attributes

Step 4

Assigns a new tunnel group to a previously created
AAA server group for authorization.

authorization-server-group group-tag

Example:
hostname(config-general)# authorization-server-group
ldap_dir_1

Examples
While there are other authorization-related commands and options available for specific requirements,
the following example shows commands for enabling user authorization with LDAP. The example then
creates an IPsec remote access tunnel group named remote-1, and assigns that new tunnel group to the
previously created ldap_dir_1 AAA server group for authorization:
hostname(config)# tunnel-group remote-1 type ipsec-ra
hostname(config)# tunnel-group remote-1 general-attributes
hostname(config-general)# authorization-server-group ldap_dir_1
hostname(config-general)#

After you complete this configuration work, you can then configure additional LDAP authorization
parameters such as a directory password, a starting point for searching a directory, and the scope of a
directory search by entering the following commands:
hostname(config)# aaa-server ldap_dir_1 protocol ldap
hostname(config-aaa-server-group)# aaa-server ldap_dir_1 host 10.1.1.4
hostname(config-aaa-server-host)# ldap-login-dn obscurepassword
hostname(config-aaa-server-host)# ldap-base-dn starthere
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)#

Cisco ASA 5500 Series Configuration Guide using the CLI

35-17

Chapter 35

Configuring AAA Servers and the Local Database

Configuring AAA

Configuring LDAP Attribute Maps
The ASA can use an LDAP directory for authenticating VPN remote access users or firewall network
access/cut-thru-proxy sessions and/or for setting policy permissions (also called authorization
attributes), such as ACLs, bookmark lists, DNS or WINS settings, session timers, and so on. That is, you
can set the key attributes that exist in a local group policy externally through an LDAP server.
The authorization process is accomplished by means of LDAP attribute maps (similar to a RADIUS
dictionary that defines vendor-specific attributes), which translate the native LDAP user attributes to
Cisco ASA attribute names. You can then bind these attribute maps to LDAP servers or remove them, as
needed. You can also show or clear attribute maps.

Guidelines
The ldap-attribute-map has a limitation with multi-valued attributes. For example, if a user is a
memberOf of several AD groups and the ldap attribute map matches on more than one of them, the
mapped value is chosen based on the alphabetization of the matched entries.
To use the attribute mapping features correctly, you need to understand Cisco LDAP attribute names and
values, as well as the user-defined attribute names and values. For more information about LDAP
attribute maps, see the “Active Directory/LDAP VPN Remote Access Authorization Examples” section
on page C-16.
The names of frequently mapped Cisco LDAP attributes and the type of user-defined attributes that they
would commonly be mapped to include the following:
•

IETF-Radius-Class (Group_Policy in ASA version 8.2 and later)—Sets the group policy based on
the directory’s department or user group (for example, Microsoft Active Directory memberOf)
attribute value. The group-policy attribute replaced the IETF-Radius-Class attribute with ASDM
version 6.2/ASA version 8.2 or later.

•

IETF-Radius-Filter-Id—An access control list or ACL applied to VPN clients, IPsec, and SSL.

•

IETF-Radius-Framed-IP-Address—Assigns a static IP address assigned to a VPN remote access
client, IPsec, and SSL.

•

Banner1—Displays a text banner when the VPN remote access user logs in.

•

Tunneling-Protocols—Allows or denies the VPN remote access session based on the access type.

Note

A single ldapattribute map may contain one or many attributes. You can only assign one ldap
attribute to a specific LDAP server.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-18

Chapter 35

Configuring AAA Servers and the Local Database
Configuring AAA

To map LDAP features correctly, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

ldap attribute-map map-name

Creates an unpopulated LDAP attribute map table.

Example:
hostname(config)# ldap attribute-map
att_map_1

Step 2

map-name user-attribute-name
Cisco-attribute-name

Maps the user-defined attribute name department to the Cisco
attribute.

Example:
hostname(config-ldap-attribute-map)#
map-name department IETF-Radius-Class

Step 3

map-value user-attribute-name
Cisco-attribute-name

Maps the user-defined map value department to the user-defined
attribute value and the Cisco attribute value.

Example:
hostname(config-ldap-attribute-map)#
map-value department Engineering group1

Step 4

aaa-server server_group [interface_name]
host server_ip

Identifies the server and the AAA server group to which it
belongs.

Example:
hostname(config)# aaa-server ldap_dir_1
host 10.1.1.4

Step 5

ldap-attribute-map map-name

Binds the attribute map to the LDAP server.

Example:
hostname(config-aaa-server-host)#
ldap-attribute-map att_map_1

Examples
The following example shows how to limit management sessions to the ASA based on an LDAP attribute
called accessType. The accessType attribute has three possible values:
•

VPN

•

admin

•

helpdesk

The following example shows how each value is mapped to one of the valid IETF-Radius-Service-Type
attributes that the ASA supports: remote-access (Service-Type 5) Outbound, admin (Service-Type 6)
Administrative, and nas-prompt (Service-Type 7) NAS Prompt:
hostname(config)# ldap attribute-map
hostname(config-ldap-attribute-map)#
hostname(config-ldap-attribute-map)#
hostname(config-ldap-attribute-map)#

MGMT
map-name accessType IETF-Radius-Service-Type
map-value accessType VPN 5
map-value accessType admin 6

Cisco ASA 5500 Series Configuration Guide using the CLI

35-19

Chapter 35

Configuring AAA Servers and the Local Database

Configuring AAA

hostname(config-ldap-attribute-map)# map-value accessType helpdesk 7
hostname(config-ldap-attribute-map)# aaa-server LDAP protocol ldap
hostname(config-aaa-server-group)# aaa-server LDAP (inside) host 10.1.254.91
hostname(config-aaa-server-host)# ldap-base-dn CN=Users,DC=cisco,DC=local
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)# ldap-login-password test
hostname(config-aaa-server-host)# ldap-login-dn
CN=Administrator,CN=Users,DC=cisco,DC=local
hostname(config-aaa-server-host)# server-type auto-detect
hostname(config-aaa-server-host)# ldap-attribute-map MGMT

The following example shows how to display the complete list of Cisco LDAP attribute names:
hostname(config)# ldap attribute-map att_map_1
hostname(config-ldap-attribute-map)# map-name att_map_1?
ldap mode commands/options:
cisco-attribute-names:
Access-Hours
Allow-Network-Extension-Mode
Auth-Service-Type
Authenticated-User-Idle-Timeout
Authorization-Required
Authorization-Type
:
:
X509-Cert-Data
hostname(config-ldap-attribute-map)#

Adding a User Account to the Local Database
This section describes how to manage users in the local database and includes the following topics:

Guidelines
The local database is used for the following features:
•

ASDM per-user access

•

Console authentication

•

Telnet and SSH authentication.

•

enable command authentication
This setting is for CLI-access only and does not affect the ASDM login.

•

Command authorization
If you turn on command authorization using the local database, then the ASA refers to the user
privilege level to determine which commands are available. Otherwise, the privilege level is not
generally used. By default, all commands are either privilege level 0 or level 15.

•

Network access authentication

•

VPN client authentication

For multiple context mode, you can configure usernames in the system execution space to provide
individual logins at the CLI using the login command; however, you cannot configure any AAA rules
that use the local database in the system execution space.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-20

Chapter 35

Configuring AAA Servers and the Local Database
Configuring AAA

Limitations
You cannot use the local database for network access authorization.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-21

Chapter 35

Configuring AAA Servers and the Local Database

Configuring AAA

To add a user to the local database, perform the following steps:

Detailed Steps

Cisco ASA 5500 Series Configuration Guide using the CLI

35-22

Chapter 35

Configuring AAA Servers and the Local Database
Configuring AAA

Step 1

Command

Purpose

username username {nopassword | password
password [mschap]} [privilege priv_level]

Creates the user account. The username username keyword is a
string from 4 to 64 characters long.
Note

Example:
hostname(config)# username exampleuser1
privilege 1

The ASA does not prohibit the creation of usernames that
only differ by case with previously configured usernames.
We do not recommend this practice if VPN users are
authenticated using the local user database. Usernames
such as “User1” and “user1” are still distinct for
authentication purposes, but if a maximum simultaneous
login limit has been configured, these users share the same
session count. This makes it possible for “user1” to log off
“User1” by establishing a tunnel that exceeds the
simultaneous login limit.

The password password argument is a string from 3 to 32
characters long. The mschap keyword specifies that the password
is converted to Unicode and hashed using MD4 after you enter it.
Use this keyword if users are authenticated using MS-CHAPv1 or
MS-CHAPv2. The privilege level argument sets the privilege
level, which ranges from 0 to 15. The default is 2. This privilege
level is used with command authorization.

Caution

If you do not use command authorization (the aaa
authorization console LOCAL command), then the
default level 2 allows management access to privileged
EXEC mode.To limit access to privileged EXEC mode,
either set the privilege level to 0 or 1, or use the
service-type command (see Step 5).

The nopassword keyword creates a user account with no
password.
The encrypted and nt-encrypted keywords are typically for
display only. When you define a password in the username
command, the ASA encrypts it when it saves it to the
configuration for security purposes. When you enter the show
running-config command, the username command does not
show the actual password; it shows the encrypted password
followed by the encrypted or nt-encrypted keyword (when you
specify mschap). For example, if you enter the password “test,”
the show running-config output would appear as something
similar to the following:
username user1 password DLaUiAX3l78qgoB5c7iVNw==
nt-encrypted

The only time you would actually enter the encrypted or
nt-encrypted keyword at the CLI is if you are cutting and pasting
a configuration file for use in another ASA, and you are using the
same password.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-23

Chapter 35

Configuring AAA Servers and the Local Database

Configuring AAA

Step 2

Command

Purpose

aaa authorization exec
authentication-server

(Optional) Enforces user-specific access levels for users who
authenticate for management access (see the aaa authentication
console LOCAL command). This command enables management
authorization for local, RADIUS, LDAP (mapped), and
TACACS+ users.

Example:
hostname(config)# aaa authorization exec
authentication-server

Use the aaa authorization exec LOCAL command to enable
attributes to be taken from the local database. See the “Limiting
User CLI and ASDM Access with Management Authorization”
section on page 37-21 for information about configuring a user on
a AAA server to accommodate management authorization.
Note the following prerequisites for each user type:

Step 3

username username attributes

Example:
hostname(config)# username exampleuser1
attributes

Cisco ASA 5500 Series Configuration Guide using the CLI

35-24

•

Configure local database users at a privilege level from 0 to
15 using the username command. Configure the level of
access using the service-type command.

•

Configure RADIUS users with Cisco VSA
CVPN3000-Privilege-Level with a value between 0 and 15.

•

Configure LDAP users with a privilege level between 0 and
15, and then map the LDAP attribute to Cisco VAS
CVPN3000-Privilege-Level using the ldap map-attributes
command.

•

See the privilege command for information about setting
command privilege levels.

(Optional) Configures username attributes. The username
argument is the username that you created in Step 1.

Chapter 35

Configuring AAA Servers and the Local Database
Configuring AAA

Step 4

Command

Purpose

service-type {admin | nas-prompt |
remote-access}

(Optional) Configures the user level if you configured
management authorization in Step 2. The admin keyword allows
full access to any services specified by the aaa authentication
console LOCAL commands. The admin keyword is the default.

Example:
hostname(config-username)# service-type
admin

The nas-prompt keyword allows access to the CLI when you
configure the aaa authentication {telnet | ssh | serial} console
LOCAL command, but denies ASDM configuration access if you
configure the aaa authentication http console LOCAL
command. ASDM monitoring access is allowed. If you enable
authentication with the aaa authentication enable console
LOCAL command, the user cannot access privileged EXEC mode
using the enable command (or the login command).
The remote-access keyword denies management access. The user
cannot use any services specified by the aaa authentication
console LOCAL commands (excluding the serial keyword; serial
access is allowed).
(Optional) If you are using this username for VPN authentication,
you can configure many VPN attributes for the user. For more
information, see the “Configuring Attributes for Specific Users”
section on page 67-79.

Examples
The following example assigns a privilege level of 15 to the admin user account:
hostname(config)# username admin password password privilege 15

The following example creates a user account with no password:
hostname(config)# username user34 nopassword

The following example enables management authorization, creates a user account with a password,
enters username attributes configuration mode, and specifies the service-type attribute:
hostname(config)# aaa authorization exec authentication-server
hostname(config)# username user1 password gOgeOus
hostname(config)# username user1 attributes
hostname(config-username)# service-type nas-prompt

Managing User Passwords
The ASA enables administrators with the necessary privileges to modify password policy for users in
the current context.
User passwords have the following guidelines:
•

A maximum lifetime of 0 to 65536 days.

•

A minimum length of 3 to 64 characters.

•

A minimum number of changed characters for updates of 0 to 64 characters.

•

They may include lower case characters.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-25

Chapter 35

Configuring AAA Servers and the Local Database

Configuring AAA

•

They may include upper case characters.

•

They may include numbers.

•

They may include special characters.

To specify password policy for users, perform the following steps:

Step 1

Command

Purpose

password-policy lifetime value

Sets the password policy for the current context and
the interval in days after which passwords expire.
Valid values are between 0 and 65536 days. The
default value is 0 days.

Example:
hostname (config)# password-policy lifetime 1000

Step 2

password-policy minimum-changes value

Example:
hostname(config)# password-policy minimum-changes 4

Sets the minimum number of characters that must be
changed between new and old passwords. Valid
values are between 0 and 64 characters. The default
value is 0.
New passwords must include a minimum of 4
character changes from the current password and are
considered changed only if they do not appear
anywhere in the current password.

Step 3

password-policy minimum-length value

Example:

Step 4

hostname(config)# password-policy minimum-length 8

If the minimum length is less than the value of any
of the other minimum values (lowercase, numeric,
special, and uppercase), an error message appears
and the minimum length is not changed.

password-policy minimum-lowercase value

Sets the minimum number of lower case characters
that passwords may have. Valid values are between
0 and 64 characters. The default value is 0, which
means there is no minimum.

Example:
hostname(config)# password-policy minimum-lowercase
6

Step 5

password-policy minimum-numeric value

Example:
hostname(config)# password-policy minimum-numeric 1

Step 6

password-policy minimum-special value

Example:
hostname(config)# password-policy minimum-special 2

Cisco ASA 5500 Series Configuration Guide using the CLI

35-26

Sets the minimum length of passwords. Valid values
are between 3 and 64 characters. The recommended
minimum password length is 8 characters.

Sets the minimum number of numeric characters
that passwords may have. Valid values are between
0 and 64 characters. The default value is 0, which
means there is no minimum.
Sets the minimum number of special characters that
passwords may have. Valid values are between 0 and
64 characters. Special characters include the
following: !, @, #, $, %, ^, &, *, '(‘ and ‘)’. The
default value is 0, which means there is no
minimum.

Chapter 35

Configuring AAA Servers and the Local Database
Configuring AAA

Step 7

Command

Purpose

password-policy minimum-uppercase value

Sets the minimum number of upper case characters
that passwords may have. Valid values are between
0 and 64 characters. The default value is 0, which
means there is no minimum.

Example:
hostname(config)# password-policy minimum-uppercase
3

Step 8

password-policy authenticate enable

(Optional) Determines whether or not users are
allowed to modify their own user account.

Example:

If authentication is enabled, users cannot change
their own password or delete their own account with
the username command or with the clear configure
username command.

hostname(config)# password-policy authenticate
enable

Changing User Passwords
The ASA enables administrators with the necessary privileges to modify passwords for users in the
current context. Users must authenticate with their current passwords before they are allowed to change
passwords. However, authentication is not required when an administrator is changing a user password.
To enable users to change their own account passwords, enter the following command:

Command

Purpose

change-password [old-password old-password
[new-password new-password]]

Enables users to change their own account passwords. The
new-password new-password keyword-argument pair
specifies the new password. The old-password old-password
keyword-argument pair specifies the old password, which
reauthenticates the user. If users omit the passwords, the ASA
prompts them for input. When users enter the
change-password command, they are asked to save their
running configuration.

Example:
hostname# change-password old-password
myoldpassword000 new password mynewpassword123

Cisco ASA 5500 Series Configuration Guide using the CLI

35-27

Chapter 35

Configuring AAA Servers and the Local Database

Configuring AAA

Authenticating Users with a Public Key for SSH
Users can authenticate with a public key for SSH. The public key can be hashed or not hashed.
To authenticate with a public key for SSH, enter the following command:
Command

Purpose

username {user} attributes ssh authentication
publickey key [hashed]

Enables public key authentication on a per-user basis. The
value of the key argument can be one of the following:
•

When the key argument is supplied and the hashed tag is
not specified, the value of the key must be a Base 64
encoded public key that is generated by SSH key
generation software that can generate SSH-RSA raw keys
(that is, with no certificates). After you submit the Base
64 encoded public key, that key is then hashed via
SHA-256 and the corresponding 32-byte hash is used for
all further comparisons.

•

When the key argument is supplied and the hashed tag is
specified, the value of the key must have been previously
hashed with SHA-256 and be 32 bytes long, with each
byte separated by a colon (for parsing purposes).

Example:
hostname(config)# username anyuser ssh authentication
publickey key [hashed]

When you save the configuration, the hashed key value is
saved to the configuration and used when the ASA is
rebooted.

Differentiating User Roles Using AAA
The ASA enables you to distinguish between administrative and remote-access users when they
authenticate using RADIUS, LDAP, TACACS+, or the local user database. User role differentiation can
prevent remote access VPN and network access users from establishing an administrative connection to
the ASA.
To differentiate user roles, use the service-type attribute in username configuration mode. For RADIUS
and LDAP (with the ldap-attribute-map command), you can use a Cisco Vendor-Specific Attribute
(VSA), Cisco-Priv-Level, to assign a privilege level to an authenticated user.
This section includes the following topics:
•

Using Local Authentication, page 35-28

•

Using RADIUS Authentication, page 35-29

•

Using LDAP Authentication, page 35-29

•

Using TACACS+ Authentication, page 35-30

Using Local Authentication
Before you configure the service-type attribute and privilege level when using local authentication, you
must create a user, assign a password, and assign a privilege level.
To do so, enter the following command:
hostname(config)# username admin password mysecret123 privilege 15

Cisco ASA 5500 Series Configuration Guide using the CLI

35-28

Chapter 35

Configuring AAA Servers and the Local Database
Configuring AAA

Where mysecret123 is the stored password and 15 is the assigned privilege level, which indicates an
admin user.
The available configuration options for the service-type attribute include the following:
•

admin, in which users are allowed access to the configuration mode. This option also allows a user
to connect via remote access.

•

nas-prompt, in which users are allowed access to the EXEC mode.

•

remote-access, in which users are allowed access to the network.

The following example designates a service-type of admin for a user named admin:
hostname(config)# username admin attributes
hostname(config-username)# service-type admin

The following example designates a service-type of remote-access for a user named ra-user:
hostname(config)# username ra-user attributes
hostname(config-username)# service-type remote-access

Using RADIUS Authentication
The RADIUS IETF service-type attribute, when sent in an access-accept message as the result of a
RADIUS authentication and authorization request, is used to designate which type of service is granted
to the authenticated user. The supported attribute values are the following: administrative(6),
nas-prompt(7), Framed(2), and Login(1). For a list of supported RADIUS IETF VSAs used for
authentication and authorization, see Table C-8 on page C-36.
For more information about using RADIUS authentication, see “Configuring an External RADIUS
Server” section on page C-27. For more information about configuring RADIUS authentication for
Cisco Secure ACS, see the Cisco Secure ACS documentation on Cisco.com.
The RADIUS Cisco VSA privilege-level attribute (Vendor ID 3076, sub-ID 220), when sent in an
access-accept message, is used to designate the level of privilege for the user. For a list of supported
RADIUS VSAs used for authorization, see Table C-7 on page C-28.

Using LDAP Authentication
When users are authenticated through LDAP, the native LDAP attributes and their values can be mapped
to Cisco ASA attributes to provide specific authorization features. For the supported list of LDAP VSAs
used for authorization, see Table C-2 on page C-6.
You can use the LDAP attribute mapping feature for LDAP authorization. For examples of this feature,
see the “Understanding Policy Enforcement of Permissions and Attributes” section on page C-1.
The following example shows how to define an LDAP attribute map. In this example, the security policy
specifies that users being authenticated through LDAP map the user record fields or parameters title and
company to the IETF-RADIUS service-type and privilege-level, respectively.
To define an LDAP attribute map, enter the following commands:
hostname(config)# ldap attribute-map admin-control
hostname(config-ldap-attribute-map)# map-name title IETF-RADIUS-Service-Type
hostname(config-ldap-attribute-map)# map-name company Privilege-Level

The following is sample output from the ldap-attribute-map command:
ldap attribute-map admin-control

Cisco ASA 5500 Series Configuration Guide using the CLI

35-29

Chapter 35

Configuring AAA Servers and the Local Database

Monitoring AAA Servers

map-name company Privilege-Level
map-name title IETF-Radius-Service-Type

To apply the LDAP attribute map to the LDAP AAA server, enter the following commands:
hostname(config)# aaa-server ldap-server (dmz1) host 10.20.30.1
hostname(config-aaa-server-host)# ldap-attribute-map admin-control

Note

When an authenticated user tries administrative access to the ASA through ASDM, SSH, or Telnet, but
does not have the appropriate privilege level to do so, the ASA generates syslog message 113021. This
message informs the user that the attempted login failed because of inappropriate administrative
privileges.

Using TACACS+ Authentication
For information about how to configure TACACS+ authentication, see the “RADIUS Accounting
Disconnect Reason Codes” section on page C-37.

Monitoring AAA Servers
To monitor AAA servers,enter one of the following commands:
Command

Purpose

show aaa-server

Shows the configured AAA server statistics.
To clear the AAA server configuration, enter the clear aaa-server
statistics command.

show running-config aaa-server

Shows the AAA server running configuration.
To clear AAA server statistics, enter the clear configure aaa-server
command.

show running-config all ldap attribute-map

Shows all LDAP attribute maps in the running configuration.
To clear all LDAP attribute maps in the running configuration, use the
clear configuration ldap attribute-map command.

show running-config zonelabs-integrity

Shows the Zone Labs Integrity server configuration.
To clear the Zone Labs Integrity server configuration, use the clear
configure zonelabs-integrity command.

show ad-groups name [filter string]

Applies only to AD servers using LDAP, and shows groups that are listed
on an AD server.

show running-config [all] password-policy

Shows the password policy for the current context.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-30

Chapter 35

Configuring AAA Servers and the Local Database
Additional References

Additional References
For additional information related to implementing LDAP mapping, see the “RFCs” section on
page 35-31.

RFCs
RFC

Title

2138

Remote Authentication Dial In User Service (RADIUS)

2139

RADIUS Accounting

2548

Microsoft Vendor-specific RADIUS Attributes

2868

RADIUS Attributes for Tunnel Protocol Support

Feature History for AAA Servers
Table 35-3 lists each feature change and the platform release in which it was implemented.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-31

Chapter 35

Configuring AAA Servers and the Local Database

Feature History for AAA Servers

Table 35-3

Feature History for AAA Servers

Feature Name

Platform
Releases

AAA Servers

7.0(1)

Feature Information
AAA Servers describe support for AAA and how to
configure AAA servers and the local database.
We introduced the following commands:
username, aaa authorization exec authentication-server,
aaa authentication console LOCAL, aaa authorization
exec LOCAL, service-type, ldap attribute-map,
aaa-server protocol, aaa authentication {telnet | ssh |
serial} console LOCAL, aaa authentication http console
LOCAL, aaa authentication enable console LOCAL,
max-failed-attempts, reactivation-mode,
accounting-mode simultaneous, aaa-server host,
authorization-server-group, tunnel-group, tunnel-group
general-attributes, map-name, map-value,
ldap-attribute-map, zonelabs-Integrity server-address,
zonelabs-integrity port, zonelabs-integrity interface,
zonelabs-integrity fail-timeout, zonelabs-integrity
fail-close, zonelabs-integrity fail-open,
zonelabs-integrity ssl-certificate-port,
zonelabs-integrity ssl-client-authentication {enable |
disable}, client-firewall {opt | req} zonelabs-integrity

8.4(3)
Key vendor-specific attributes (VSAs) sent in
RADIUS access request and accounting request
packets from the ASA

Four New VSAs—Tunnel Group Name (146) and Client
Type (150) are sent in RADIUS access request packets from
the ASA. Session Type (151) and Session Subtype (152) are
sent in RADIUS accounting request packets from the ASA.
All four attributes are sent for all accounting request packet
types: Start, Interim-Update, and Stop. The RADIUS server
(for example, ACS and ISE) can then enforce authorization
and policy attributes or use them for accounting and billing
purposes.

Common Criteria certification and FIPS support 8.4(4.1)
for password policy, password change, and SSH
public key authentication

We introduced or modified the following commands:
password-policy lifetime, password-policy minimum
changes, password-policy minimum-length,
password-policy minimum-lowercase, password-policy
minimum-uppercase, password-policy
minimum-numeric, password-policy minimum-special,
password-policy authenticate enable, username,
username attributes, clear configure username,
change-password, clear configure password-policy,
show running-config password-policy, and username.

Cisco ASA 5500 Series Configuration Guide using the CLI

35-32

CH A P T E R

Configuring the Identity Firewall
This chapter describes how to configure the ASA for the Identity Firewall. The chapter includes the
following sections:
•

Information About the Identity Firewall, page 1

•

Licensing for the Identity Firewall, page 8

•

Guidelines and Limitations, page 8

•

Prerequisites, page 9

•

Configuring the Identity Firewall, page 10

•

Monitoring the Identity Firewall, page 25

•

Feature History for the Identity Firewall, page 28

Information About the Identity Firewall
This section includes the following topics:
•

Overview of the Identity Firewall, page 1

•

Architecture for Identity Firewall Deployments, page 2

•

Features of the Identity Firewall, page 3

•

Deployment Scenarios, page 4

•

Cut-through Proxy and VPN Authentication, page 7

Overview of the Identity Firewall
In an enterprise, users often need access to one or more server resources. Typically, a firewall is not
aware of the users’ identities and, therefore, cannot apply security policies based on identity. To
configure per-user access policies, you must configure a user authentication proxy, which requires user
interaction (a user name/password query).
The Identity Firewall in the ASA provides more granular access control based on users’ identities. You
can configure access rules and security policies based on user names and user groups name rather than
through source IP addresses. The ASA applies the security policies based on an association of IP
addresses to Windows Active Directory login information and reports events based on the mapped user
names instead of network IP addresses.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-1

Chapter 36

Configuring the Identity Firewall

Information About the Identity Firewall

The Identity Firewall integrates with Microsoft Active Directory in conjunction with an external Active
Directory (AD) Agent that provides the actual identity mapping. The ASA uses Windows Active
Directory as the source to retrieve the current user identity information for specific IP addresses and
allows transparent authentication for Active Directory users.
Identity-based firewall services enhance the existing access control and security policy mechanisms by
allowing users or groups to be specified in place of source IP addresses. Identity-based security policies
can be interleaved without restriction between traditional IP address based rules.
The key benefits of the Identity Firewall include:
•

Decoupling network topology from security policies

•

Simplifying the creation of security policies

•

Providing the ability to easily identify user activities on network resources

•

Simplify user activity monitoring

Architecture for Identity Firewall Deployments
The Identity Firewall integrates with Window Active Directory in conjunction with an external Active
Directory (AD) Agent that provides the actual identity mapping.
The identity firewall consists of three components:
•

ASA

•

Microsoft Active Directory
Though Active Directory is part of the Identity Firewall on the ASA, they are managed by Active
Directory administrators. The reliability and accuracy of the data depends on data in Active
Directory.
Supported versions include Windows Server 2003, Windows Server 2008, and Windows Server
2008 R2 servers.

•

Active Directory (AD) Agent
The AD Agent runs on a Windows server. Supported Windows servers include Windows 2003,
Windows 2008, and Windows 2008 R2.

Note

Windows 2003 R2 is not supported for the AD Agent server.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-2

Chapter 36

Configuring the Identity Firewall
Information About the Identity Firewall

Figure 36-1

Identity Firewall Components

LAN
ASA

Client
NetBIOS Probe

LD
AP

US
DI
RA

mktg.sample.com
10.1.1.2
AD
Agent

WMI

AD Agent

xxxxxx

AD Servers

On the ASA: Configure local user groups and 4
Identity Firewall policies.

Client <-> ASA: The client logs onto the
network through Microsoft Active Directory.
The AD Server authenticates users and
generates user logon security logs.
Alternatively, the client can log onto the
network through a cut-through proxy or by
using VPN.

ASA <-> AD Server: The ASA sends an
LDAP query for the Active Directory groups
configured on the AD Server.

If configured, the ASA probes the NetBIOS of
the client to pass inactive and no-response
users.

The ASA consolidates local and Active
Directory groups and applies access rules and
MPF security policies based on user identity.
3

ASA <-> AD Agent: Depending on the
Identity Firewall configuration, the ASA
downloads the IP-user database or sends a
RADIUS request to the AD Agent querying
the user’s IP address.

ASA <-> Client: Based on the policies
configured on the ASA, it grants or denies
access to the client.

The ASA forwards the new mappings learned
from web authentication and VPN sessions to
the AD Agent.

AD Agent <-> AD Server: Periodically or
on-demand, the AD Agent monitors the AD
Server security event log file via WMI for
client login and logoff events.
The AD Agent maintains a cache of user ID
and IP address mappings. and notifies the
ASA of changes.
The AD Agent sends logs to a syslog server.

Features of the Identity Firewall
The Identity Firewall has the following key features.
Flexibility
•

The ASA can retrieve user identity and IP address mappings from the AD Agent by querying the
AD Agent for each new IP address or by maintaining a local copy of the entire user identity and IP
address database.

•

Supports host group, subnet, or IP address for the destination of a user identity policy.

•

Supports a fully qualified domain name (FQDN) for the source and destination of a user identity
policy.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-3

Chapter 36

Configuring the Identity Firewall

Information About the Identity Firewall

•

Supports the combination of 5-tuple policies with ID-based policies. The identity-based feature
works in tandem with existing 5-tuple solution.

•

Supports usage with IPS and Application Inspection policies.

•

Retrieves user identity information from remote access VPN, AnyConnect VPN, L2TP VPN and
cut-through proxy. All retrieved users are populated to all ASA devices connected to the AD Agent.

Scalability
•

Each AD Agent supports 100 ASA devices. Multiple ASA devices are able to communicate with a
single AD Agent to provide scalability in larger network deployments.

•

Supports 30 Active Directory servers provided the IP address is unique among all domains.

•

Each user identity in a domain can have up to 8 IP addresses.

•

Supports up to 64,000 user identity-IP address mappings in active ASA policies for ASA 5500
Series models. This limit controls the maximum users who have policies applied. The total users are
the aggregated users configured on all different contexts.

•

Supports up to 1024 user identity-IP address mappings in active ASA policies for the ASA 5505.

•

Supports up to 256 user groups in active ASA policies.

•

A single rule can contain one or more user groups or users.

•

Supports multiple domains.

Availability
•

The ASA retrieves group information from Active Directory and falls back to web authentication
for IP addresses that the AD Agent cannot map a source IP address to a user identity.

•

The AD Agent continues to function when any of the Active Directory servers or the ASA are not
responding.

•

Supports configuring a primary AD Agent and a secondary AD Agent on the ASA. If the primary
AD Agent stops responding, the ASA can switch to the secondary AD Agent.

•

If the AD Agent is unavailable, the ASA can fall back to existing identity sources such as cut through
proxy and VPN authentication.

•

The AD Agent runs a watchdog process that automatically restarts its services when they are down.

•

Allows a distributed IP address/user mapping database among ASA devices.

Deployment Scenarios
You can deploy the components of the Identity Firewall in the following ways depending on your
environmental requirement.
As shown in Figure 36-2, you can deploy the components of the Identity Firewall to allow for
redundancy. Scenario 1 shows a simple installation without component redundancy.
Scenario 2 also shows a simple installation without redundancy. However, in that deployment scenario,
the Active Directory server and AD Agent are co-located on one Windows server.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-4

Configuring the Identity Firewall
Information About the Identity Firewall

Figure 36-2
Deployment Scenario without Redundancy
No Redundancy
Scenario 1

Scenario 2

AD Agent
AD
Agent
AD
Agent

AD Server
AD Agent

ASA

xxxxxx

AD Server

ASA

As shown in Figure 36-3, you can deploy the Identity Firewall components to support redundancy.
Scenario 1 shows a deployment with multiple Active Directory servers and a single AD Agent installed
on a separate Windows server. Scenario 2 shows a deployment with multiple Active Directory servers
and multiple AD Agents installed on separate Windows servers.
Figure 36-3

Deployment Scenario with Redundant Components

Redundant
Scenario 1
AD Server

Scenario 2

AD Agent

AD
Agent

AD Server

AD
Agent

AD Server

ASA

AD Server

ASA

xxxxxx

AD
Agent

As shown in Figure 36-4, all Identity Firewall components—Active Directory server, the AD Agent, and
the clients—are installed and communicate on the LAN.
Figure 36-4

LAN -based Deployment

LAN
ASA

Client
NetBIOS Probe

RA
DI

LD
AP

mktg.sample.com
10.1.1.2
AD
Agent

WMI

AD Servers

AD Agent

xxxxxx

Chapter 36

Cisco ASA 5500 Series Configuration Guide using the CLI

36-5

Chapter 36

Configuring the Identity Firewall

Information About the Identity Firewall

Figure 36-5 shows a WAN-based deployment to support a remote site. The Active Directory server and
the AD Agent are installed on the main site LAN. The clients are located at a remote site and connect to
the Identity Firewall components over a WAN.
Figure 36-5

WAN-based Deployment

Remote Site

Enterprise Main Site
ASA

Client
NetBIOS Probe
Login/Authentication

AP
LD

R
AD
IU
S

WAN

mktg.sample.com
10.1.1.2

AD
Agent

AD Agent

xxxxxx

WMI

AD Servers

Figure 36-6 also shows a WAN-based deployment to support a remote site. The Active Directory server
is installed on the main site LAN. However, the AD Agent is installed and access by the clients at the
remote site. The remote clients connect to the Active Directory servers at the main site over a WAN.
Figure 36-6

WAN-based Deployment with Remote AD Agent

Remote Site

Enterprise Main Site
ASA

Client
RADIUS

WAN
AP
LD

mktg.sample.com
10.1.1.2

AD
Agent

WMI

AD Servers

xxxxxx

AD Agent

Figure 36-7 shows an expanded remote site installation. An AD Agent and Active Directory servers are
installed at the remote site. The clients access these components locally when logging into network
resources located at the main site. The remote Active Directory server must synchronize its data with the
central Active Directory servers located at the main site.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-6

Chapter 36

Configuring the Identity Firewall
Information About the Identity Firewall

Figure 36-7

WAN-based Deployment with Remote AD Agent and AD Servers

Remote Site

Enterprise Main Site
ASA

Client
RADIUS

WAN

LDAP

Directory
Sync

AD
Agent

mktg.sample.com
10.1.1.2

WMI
xxxxxx

AD Servers
AD Agent

AD Servers

Cut-through Proxy and VPN Authentication
In an enterprise, some users log onto the network by using other authentication mechanisms, such as
authenticating with a web portal (cut-through proxy) or by using a VPN. For example, users with a
Machintosh and Linux client might log in a web portal (cut-through proxy) or by using a VPN.
Therefore, you must configure the Identity Firewall to allow these types of authentication in connection
with identity-based access policies.
Figure 36-8 shows a deployment to support a cut-through proxy authentication captive portal. Active
Directory servers and the AD Agent are installed on the main site LAN. However, the Identity Firewall
is configured to support authentication of clients that are not part of the Active Directory domain.
Figure 36-8

Deployment Supporting Cut-through Proxy Authentication
Inside Enterprise

Windows Clients
(Domain Members)

ASA

WAN / LAN

AP
LD

IU
S

/HTT

HTTP

mktg.sample.com
10.1.1.2

AD
Agent

AD Agent

AD Servers

xxxxxx

WMI

Non-domain Member
Clients

The ASA designates users logging in through a web portal (cut-through proxy) as belonging to the
Active Directory domain with which they authenticated.
The ASA designates users logging in through a VPN as belonging to the LOCAL domain unless the VPN
is authenticated by LDAP with Active Directory, then the Identity Firewall can associate the users with
their Active Directory domain.
The ASA reports users logging in through VPN authentication or a web portal (cut-through proxy) to the
AD Agent, which distributes the user information to all registered ASA devices. Specifically, the user
identity-IP address mappings of authenticated users are forwarded to all ASA contexts that contain the
input interface where packets are received and authenticated.
See Configuring Cut-through Proxy Authentication, page 22.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-7

Chapter 36

Configuring the Identity Firewall

Licensing for the Identity Firewall

Licensing for the Identity Firewall
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines

Supported in routed and transparent firewall modes.
Failover Guidelines

The Identity Firewall supports user identity-IP address mappings and AD Agent status replication from
active to standby when stateful failover is enabled. However, only user identity-IP address mappings,
AD Agent status, and domain status are replicated. User and user group records are not replicated to the
standby ASA.
When failover is configured, the standby ASA must also be configured to connect to the AD Agent
directly to retrieve user groups. The standby ASA does not send NetBIOS packets to clients even when
the NetBIOS probing options are configured for the Identity Firewall.
When a client is determined as inactive by the active ASA, the information is propagated to the standby
ASA. User statistics are not propagated to the standby ASA.
When you have failover configured, you must configure the AD Agent to communicate with both the
active and standby ASA devices. See the Installation and Setup Guide for the Active Directory Agent for
the steps to configure the ASA on the AD Agent server.
IPv6 Guidelines
•

Supports IPv6.
The AD Agent supports endpoints with IPv6 addresses. It can receive IPv6 addresses in log events,
maintain them in its cache, and send them through RADIUS messages.

•

NetBIOS over IPv6 is not supported

•

Cut through proxy over IPv6 is not supported.

Additional Guidelines and Limitations
•

A full URL as a destination address is not supported.

•

For NetBIOS probing to function, the network between the ASA, AD Agent, and clients must
support UDP-encapsulated NetBIOS traffic.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-8

Chapter 36

Configuring the Identity Firewall
Prerequisites

•

MAC address checking by the Identity Firewall does not work when intervening routers are present.
Users logged onto clients that are behind the same router have the same MAC addresses. With this
implementation, all the packets from the same router are able to pass the check, because the ASA is
unable to ascertain to the actual MAC addresses behind the router.

•

The following ASA features do not support using the identity-based object and FQDN:
– route-map
– Crypto map
– WCCP
– NAT
– group-policy (except VPN filter)
– DAP

See Configuring Identity-based Access Rules, page 20.

Prerequisites
Before configuring the Identity Firewall in the ASA, you must meet the prerequisites for the AD Agent
and Microsoft Active Directory.
AD Agent

The AD Agent must be installed on a Windows server that is accessible to the ASA. Additionally, you
must configure the AD Agent to obtain information from the Active Directory servers. Configure the AD
Agent to communicate with the ASA.
Supported Windows servers include Windows 2003, Windows 2008, and Windows 2008 R2.

Note

Windows 2003 R2 is not supported for the AD Agent server.

For the steps to install and configure the AD Agent, see the Installation and Setup Guide for the Active
Directory Agent.
Before configuring the AD Agent in the ASA, obtain the secret key value that the AD Agent and the ASA
use to communicate. This value must match on both the AD Agent and the ASA.
Microsoft Active Directory

Microsoft Active Directory must be installed on a Windows server and accessible by the ASA. Supported
versions include Windows 2003, 2008, and 2008 R2 servers.
Before configuring the Active Directory server on the ASA, create a user account in Active Directory
for the ASA.
Additionally, the ASA sends encrypted log in information to the Active Directory server by using SSL
enabled over LDAP. SSL must be enabled on the Active Directory server. See the documentation for
Microsft Active Diretory for the steps to enable SSL for Active Directory.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-9

Chapter 36

Configuring the Identity Firewall

Note

Before running the AD Agent Installer, you must install the following patches on every Microsoft Active
Directory server that the AD Agent monitors. These patches are required even when the AD Agent is
installed directly on the domain controller server. See the README First for the Cisco Active Directory
Agent.

Configuring the Identity Firewall
This section contains the following topics:
•

Task Flow for Configuring the Identity Firewall, page 10

•

Configuring the Active Directory Domain, page 11

•

Configuring Active Directory Agents, page 13

•

Configuring Identity Options, page 14

•

Configuring Identity-based Access Rules, page 20

•

Configuring Cut-through Proxy Authentication, page 22

•

Configuring VPN Authentication, page 24

Task Flow for Configuring the Identity Firewall
Prerequisite

Before configuring the Identity Firewall in the ASA, you must meet the prerequisites for the AD Agent
and Microsoft Active Directory. See Prerequisites, page 9 for information.
Task Flow in the ASA

To configure the Identity Firewall, perform the following tasks:
Step 1

Configure the Active Directory domain in the ASA.
See Configuring the Active Directory Domain, page 11.
See also Deployment Scenarios, page 4 for the ways in which you can deploy the Active Directory
servers to meet your environment requirements.

Step 2

Configure the AD Agent in ASA.
See Configuring Active Directory Agents, page 13.
See also Deployment Scenarios, page 4 for the ways in which you can deploy the AD Agents to meet
your environment requirements.

Step 3

Configure Identity Options.
See Configuring Identity Options, page 14.

Step 4

Configure Identity-based Access Rules in the ASA.
After AD domain and AD-Agent are configured, identity-based rules can be specified to enforce
identity-based rules. See Configuring Identity-based Access Rules, page 20.

Step 5

Configure the cut-through proxy.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-10

Chapter 36

Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall

See Configuring Cut-through Proxy Authentication, page 22.
Step 6

Configure VPN authentication.
See Configuring VPN Authentication, page 24.

Configuring the Active Directory Domain
Active Directory domain configuration on the ASA is required for the ASA to download Active
Directory groups and accept user identities from specific domains when receiving IP-user mapping from
the AD Agent.

Prerequisites
•

Active Directory server IP address

•

Distinguished Name for LDAP base dn

•

Distinguished Name and password for the Active Directory user that the Identity Firewall uses to
connect to the Active Directory domain controller

To configure the Active Directory domain, perform the following steps:
Command

Purpose

Step 1

hostname(config)# aaa-server server-tag protocol
ldap
Example:
hostname(config)# aaa-server adserver protocol ldap

Creates the AAA server group and configures AAA
server parameters for the Active Directory server.

Step 2

hostname(config-aaa-server-group)# aaa-server
server-tag [(interface-name)] host {server-ip |
name} [key] [timeout seconds]
Example:
hostname(config-aaa-server-group)# aaa-server
adserver (mgmt) host 172.168.224.6

For the Active Directory server, configures the AAA
server as part of a AAA server group and the AAA
server parameters that are host-specific.

Step 3

hostname(config-aaa-server-host)# ldap-base-dn
string
Example:
hostname(config-aaa-server-host)# ldap-base-dn
DC=SAMPLE,DC=com

Specifies the location in the LDAP hierarchy where
the server should begin searching when it receives
an authorization request.

Step 4

hostname(config-aaa-server-host)# ldap-scope subtree

Specifies the extent of the search in the LDAP
hierarchy that the server should make when it
receives an authorization request.

Step 5

hostname(config-aaa-server-host)#
ldap-login-password string
Example:
hostname(config-aaa-server-host)#
ldap-login-password obscurepassword

Specifies the login password for the LDAP server.

Specifying the ldap-base-dn command is optional.
If you do not specify this command, the ASA
retrieves the defaultNamingContext from Active
Directory and uses it as the base DN.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-11

Chapter 36

Configuring the Identity Firewall

Task Flow for Configuring the Identity Firewall

Step 6

Command

Purpose

hostname(config-aaa-server-host)# ldap-login-dn
string
Example:
hostname(config-aaa-server-host)#ldap-login-dn
SAMPLE\user1

Specifies the name of the directory object that the
system should bind this as. The ASA identifies itself
for authenticated binding by attaching a Login DN
field to the user authentication request. The Login
DN field describes the authentication characteristics
of the ASA.
Where string is a case-sensitive string of up to 128
characters that specifies the name of the directory
object in the LDAP hierarchy. Spaces are not
permitted in the string, but other special characters
are allowed.
You can specify the traditional or simplified format.
The traditional ldap-login-dn in format includes:
CN=username,OU=Employees,OU=Sample
Users,DC=sample,DC=com is accepted also.

Step 7

hostname(config-aaa-server-host)# server-type
microsoft

Configures the LDAP server model for the
Microsoft Active Directory server.

Step 8

hostname(config-aaa-server-host)# ldap-group-base-dn
string
Example:
hostname(config-aaa-server-host)# ldap-group-base-dn
OU=Sample Groups,DC=SAMPLE,DC=com

Specifies location of the Active Directory groups
configuration in the Active Directory domain
controller. If not specified, the value in ldap-base-dn
is used.
Specifying the ldap-group-base-dn command is
optional.

Step 9

hostname(config-aaa-server-host)# ldap-over-ssl
enable

Allows the ASA to access the Active Directory
domain controller over SSL. To support LDAP over
SSL, Active Directory server needs to be configured
to have this support.
By default, Active Directory does not have SSL
configured. If SSL is not configured on on Active
Directory, you do not need to configure it on the
ASA for the Identity Firewall.

Step 10

hostname(config-aaa-server-host)# server-port
port-number
Examples:
hostname(config-aaa-server-host)# server-port 389
hostname(config-aaa-server-host)# server-port 636

By default, if ldap-over-ssl is not enabled, the
default server-port is 389; if ldap-over-ssl is
enabled, the default server-port is 636.

Step 11

hostname(config-aaa-server-host)#
group-search-timeout seconds
Examples:
hostname(config-aaa-server-host)#
group-search-timeout 300

Sets the amount of time before LDAP queries time
out.

What to Do Next
Configure AD Agents. See Configuring Active Directory Agents, page 13.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-12

Chapter 36

Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall

Configuring Active Directory Agents
Periodically or on-demand, the AD Agent monitors the Active Directory server security event log file
via WMI for user login and logoff events. The AD Agent maintains a cache of user ID and IP address
mappings. and notifies the ASA of changes.
Configure the primary and secondary AD Agents for the AD Agent Server Group. When the ASA detects
that the primary AD Agent is not responding and a secondary agent is specified, the ASA switches to
secondary AD Agent. The Active Directory server for the AD agent uses RADIUS as the communication
protocol; therefore, you should specify a key attribute for the shared secret between ASA and AD Agent.
Requirement
•

AD agent IP address

•

Shared secret between ASA and AD agent

To configure the AD Agents, perform the following steps:
Command

Purpose

Step 1

hostname(config)# aaa-server server-tag protocol
radius
Example:
hostname(config)# aaa-server adagent protocol radius

Creates the AAA server group and configures AAA
server parameters for the AD Agent.

Step 1

hostname(config)# ad-agent-mode

Enables the AD Agent mode.

Step 2

For the AD Agent, configures the AAA server as
part of a AAA server group and the AAA server
parameters that are host-specific.

Step 3

hostname(config-aaa-server-host)# key key
Example:
hostname(config-aaa-server-host)# key mysecret

Specifies the server secret value used to authenticate
the ASA to the AD Agent server.

Step 4

hostname(config-aaa-server-host)# user-identity
ad-agent aaa-server aaa_server_group_tag
Examples:
hostname(config-aaa-server-hostkey )# user-identity
ad-agent aaa-server adagent

Defines the server group of the AD Agent.
The first server defined in aaa_server_group_tag
variable is the primary AD Agent and the second
server defined is the secondary AD Agent.
The Identity Firewall supports defining only two
AD-Agent hosts.
When ASA detects the primary AD Agent is down
and a secondary agent is specified, it switches to
secondary AD Agent. The aaa-server for the AD
agent uses RADIUS as the communication protocol,
and should specify key attribute for the shared secret
between ASA and AD Agent.

Step 5

hostname(config-aaa-server-host)# test aaa-server
ad-agent

Tests the communication between the ASA and the
AD Agent server.

What to Do Next
Configure access rules for the Identity Firewall. See Configuring Identity-based Access Rules, page 20.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-13

Chapter 36

Configuring the Identity Firewall

Task Flow for Configuring the Identity Firewall

Configuring Identity Options
Perform this procedure to add or edit the Identity Firewall feature; select the Enable check box to enable
the feature. By default, the Identity Firewall feature is disabled.

Prerequisites
Before configuring the identify options for the Identity Firewall, you must you must meet the
prerequisites for the AD Agent and Microsoft Active Directory. See Prerequisites, page 9 the
requirements for the AD Agent and Microsoft Active Directory installation.
To configure the Identity Options for the Identity Firewall, perform the following steps:

Cisco ASA 5500 Series Configuration Guide using the CLI

36-14

Chapter 36

Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall

Command
Step 1

hostname(config)# user-identity enable

Step 2

hostname(config)# user-identity default-domain
domain_NetBIOS_name
Example:
hostname(config)# user-identity default-domain
SAMPLE

Purpose
Enables the Identity Firewall feature.
Specifies the default domain for the Identity
Firewall.
For domain_NetBIOS_name, enter a name up to 32
characters consisting of [a-z], [A-Z], [0-9],
[!@#$%^&()-_=+[]{};,. ] except '.' and ' ' at the first
character. If the domain name contains a space,
enclose the entire name in quotation marks. The
domain name is not case sensitive.
The default domain is used for all users and user
groups when a domain has not been explicitly
configured for those users or groups. When a default
domain is not specified, the default domain for users
and groups is LOCAL. For multiple context modes,
you can set a default domain name for each context,
as well as within the system execution space.
Note

The default domain name you specify must
match the NetBIOS domain name
configured on the Active Directory domain
controller. If the domain name does not
match, the AD Agent will incorrectly
associate the user identity-IP address
mappings with the domain name you enter
when configuring the ASA. To view the
NetBIOS domain name, open the Active
Directory user event security log in any text
editor.

The Identity Firewall uses the LOCAL domain for
all locally defined user groups or locally defined
users. Users logging in through a web portal
(cut-through proxy) are designated as belonging to
the Active Directory domain with which they
authenticated. Users logging in through a VPN are
designated as belonging to the LOCAL domain
unless the VPN is authenticated by LDAP with
Active Directory, then the Identity Firewall can
associate the users with their Active Directory
domain.
Step 3

hostname(config)# user-identity domain
domain_nickname aaa-server aaa_server_group_tag
Example:
hostname(config)# user-identity domain SAMPLE
aaa-server ds

Associates the LDAP parameters defined for the
AAA server for importing user group queries with
the domain name.
For domain_nickname, enter a name up to 32
characters consisting of [a-z], [A-Z], [0-9],
[!@#$%^&()-_=+[]{};,. ] except '.' and ' ' at the first
character. If the domain name contains a space, you
must enclose that space character in quotation
marks. The domain name is not case sensitive.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-15

Chapter 36

Configuring the Identity Firewall

Task Flow for Configuring the Identity Firewall

Step 4

Command

Purpose

hostname(config)# user-identity logout-probe netbios
local-system probe-time minutes minutes
retry-interval seconds seconds retry-count times
[user-not-needed|match-any|exact-match]
Example:
hostname(config)# user-identity logout-probe netbios
local-system probe-time minutes 10 retry-interval
seconds 10 retry-count 2 user-not-needed

Enables NetBIOS probing. Enabling this option
configures how often the ASA probes the user client
IP address to determine whether the client is still
active. By default, NetBIOS probing is disabled.
To minimize the NetBIOS packets, the ASA only
sends a NetBIOS probe to a client when the user has
been idle for more than the specified number of
minutes.
Set the NetBIOS probe timer from1 to 65535
minutes and the retry interval from 1 to 256 retries.
Specify the number of times to retry the probe:
•

match-any—As long as the NetBIOS response
from the client contains the user name of the
user assigned to the IP address, the user identity
is be considered valid. Specifying this option
requires that the client enabled the Messenger
service and configured a WINS server.

•

exact-match—The user name of the user
assigned to the IP address must be the only one
in the NetBIOS response. Otherwise, the user
identity of that IP address is considered invalid.
Specifying this option requires that the client
enabled the Messenger service and configured a
WINS server.

•

user-not-needed—As long as the ASA received
a NetBIOS response from the client the user
identity is considered valid.

The Identity Firewall only performs NetBIOS
probing for those users identities that are in the
active state and exist in at least one security policy.
The ASA does not perform NetBIOS probing for
clients where the users logged in through
cut-through proxy or by using VPN.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-16

Chapter 36

Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall

Step 5

Command

Purpose

hostname(config)# user-identity inactive-user-timer
minutes minutes
Example:
hostname(config)# user-identity inactive-user-timer
minutes 120

Specifies the amount of time before a user is
considered idle, meaning the ASA has not received
traffic from the user's IP address for specified
amount of time.
When the timer expires, the user's IP address is
marked as inactive and removed from the local
cached user identity-IP address mappings database
and the ASA no longer notifies the AD Agent about
that IP address removal. Existing traffic is still
allowed to pass. When this command is specified,
the ASA runs an inactive timer even when the
NetBIOS Logout Probe is configured.
By default, the idle timeout is set to 60 minutes.
Note

Step 6

hostname(config)# user-identity
poll-import-user-group-timer hours hours
Example:
hostname(config)# user-identity
poll-import-user-group-timer hours 1

The Idle Timeout option does not apply to
VPN or cut through proxy users.

Specifies the amount of time before the ASA queries
the Active Directory server for user group
information.
If a user is added to or deleted from to an Active
Directory group, the ASA received the updated user
group after import group timer runs.
By default, the poll-import-user-group-timer is 8
hours.
To immediately update user group information,
enter the following command:
user-identity update import-user
See the CLI configuration guide

Step 7

hostname(config)# user-identity action
netbios-response-fail remove-user-ip

Specifies the action when a client does not respond
to a NetBIOS probe. For example, the network
connection might be blocked to that client or the
client is not active.
When the user-identity action remove-user-ip is
configured, the ASA removed the user identity-IP
address mapping for that client.
By default, this command is disabled.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-17

Chapter 36

Configuring the Identity Firewall

Task Flow for Configuring the Identity Firewall

Step 8

Command

Purpose

hostname(config)# user-identity action
domain-controller-down domain_nickname
disable-user-identity-rule
Example:
hostname(config)# user-identity action
domain-controller-down SAMPLE
disable-user-identity-rule

Specifies the action when the domain is down
because Active Directory domain controller is not
responding.
When the domain is down and the
disable-user-identity-rule keyword is configured,
the ASA disables the user identity-IP address
mappings for that domain. Additionally, the status of
all user IP addresses in that domain are marked as
disabled in the output displayed by the show
user-identity user command.
By default, this command is disabled.

Step 9

hostname(config)# user-identity user-not-found
enable

Enables user-not-found tracking. Only the last 1024
IP addresses tracked.
By default, this command is disabled.

Step 10

hostname(config)# user-identity action ad-agent-down
disable-user-identity-rule

Specifies the action when the AD Agent is not
responding.
When the AD Agent is down and the user-identity
action ad-agent-down is configured, the ASA
disables the user identity rules associated with the
users in that domain. Additionally, the status of all
user IP addresses in that domain are marked as
disabled in the output displayed by the show
user-identity user command.
By default, this command is disabled.

Step 11

hostname(config)# user-identity action
mac-address-mismatch remove-user-ip

Specifies the action when a user's MAC address is
found to be inconsistent with the ASA device IP
address currently mapped to that MAC address.
When the user-identity action
mac-address-mismatch command is configured,
the ASA removes the user identity-IP address
mapping for that client.
By default, the ASA uses the remove-user-ip
keyword when this command is specified.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-18

Chapter 36

Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall

Step 12

Command

Purpose

hostname(config)# user-identity ad-agent
active-user-database {on-demand|full-download}
Example:
hostname(config)# user-identity ad-agent
active-user-database full-download

Defines how the ASA retrieves the user identity-IP
address mapping information from the AD Agent:
•

full-download—Specifies that the ASA send a
request to the AD Agent to download the entire
IP-user mapping table when the ASA starts and
then to receive incremental IP-user mapping
when users log in and log out.

•

on-demand—Specifies that the ASA retrieve
the user mapping information of an IP address
from the AD Agent when the ASA receives a
packet that requires a new connection and the
user of its source IP address is not in the
user-identity database.

By default, the ASA 5505, uses the on-demand
option. The other ASA platforms use the
full-download option.
Full downloads are event driven, meaning that
subsequent requests to download the database, send
just the updates to the user identity-IP address
mapping database.
When the ASA registers a change request with the
AD Agent, the AD Agent sends a new event to the
ASA.
Step 13

hostname(config)# user-identity ad-agent hello-timer
seconds seconds retry-times number
Example:
hostname(config)# user-identity ad-agent hello-timer
seconds 20 retry-times 3

Defines the hello timer between the ASA and the AD
Agent.
The hello timer between the ASA and the AD Agent
defines how frequently the ASA exchanges hello
packets. The ASA uses the hello packet to obtain
ASA replication status (in-sync or out-of-sync) and
domain status (up or down). If the ASA does not
receive a response from the AD Agent, it resends a
hello packet after the specified interval.
By default, the hello timer is set to 30 seconds and 5
retries.

Step 14

hostname(config)# user-identity ad-agent aaa-server
aaa_server_group_tag
Example:
hostname(config)# user-identity ad-agent aaa-server
adagent

Defines the server group of the AD Agent.
For aaa_server_group_tag, enter the value defined
by the aaa-server command.

What to Do Next
Configure the Active Directory domain and server groups. See Configuring the Active Directory
Domain, page 11.
Configure AD Agents. See Configuring Active Directory Agents, page 13.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-19

Chapter 36

Configuring the Identity Firewall

Task Flow for Configuring the Identity Firewall

Configuring Identity-based Access Rules
An access rule permits or denies traffic based on the protocol, a source and destination IP address or
network, and the source and destination ports. For information about access rules, see in Chapter 34,
“Configuring Access Rules.”
The Identity Firewall feature adds the ability to permit or deny traffic based on a users’ identities or
based on a user group. You configure access rules and security policies based on user names and user
groups name in addition to source IP addresses. The ASA applies the security policies based on an
association of IP addresses to Windows Active Directory login information and reports events based on
the mapped user names instead of network IP addresses.
Users can be local, remote (via VPN), wired or wireless. Server resources can include server IP address,
server DNS name, or domain.
Identity-based access rules follow the same general format that standard IP-address-based rules follow:
action, protocol, source, destination, and optional source service when the protocol for the rule is TCP
or UDP. In addition, they include specifying user and user group objects before traditional
IP-address-based objects—any, network object/network group, interface, host, IP address, and network
mask.
You can create access rules that solely contain identity-based objects (users and user groups) or combine
identity-based objects with traditional IP-address-based objects. You can create an access rule that
includes a source user or source user group from a qualifying IP-address-based source. For example, you
could create and access rule for sample_user1 11.0.0.0 255.0.0.0, meaning the user could have any IP
address on subnet 11.0.0.0/8.
You can create an access rule with FQDN in the source and the destination.
The destination portion of an identity-based access rule follows the same format and guidelines as
traditional IP-address-based access rules.

Guidelines and Limitations
•

Supports up to 64,000 user identity-IP address mappings in active ASA policies for ASA 5500
Series models.
This limit controls the maximum users who have policies applied. The total users are the aggregated
users configured on all different contexts.

•

Supports up to 1024 user identity-IP address mappings in active ASA policies for the ASA 5505.
This limit controls the maximum users who have policies applied. The total users are the aggregated
users configured on all different contexts.

•

Supports up to 256 user groups in active ASA security policies.

•

A single rule can contain one or more user groups or users.

Prerequisites
After AD domain and AD-Agent are configured, Identity-based rules can be specified to enforce
identity-based rules.
To configure identity-based access rules, perform the following steps:

Cisco ASA 5500 Series Configuration Guide using the CLI

36-20

Chapter 36

Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall

Command

Purpose

Step 1

hostname(config)# object-group user user_group_name
Examples:
hostname(config)# object-group user users1

Defines object groups that you can use to control
access with the Identity Firewall. You can use the
object group as part of an access group or service
policy.

Step 2

hostname(config-user-object-group)# user
domain_NetBIOS_name\user_name
Examples:
hostname(config-user-object-group)# user
SAMPLE\users1

Specifies the user to add to the access rule.
The user_name can contain any character including
[a-z], [A-Z], [0-9], [!@#$%^&()-_{}. ]. If
domain_NetBIOS_name\user_name contains a
space, you must enclose the domain name and user
name in quotation marks.
The user_name can be part of the LOCAL domain or
a user imported by the ASA from Active Directory
domain.
If the domain_NetBIOS_name is associated with a
AAA server, the user_name must be the Active
Directory sAMAccountName, which is unique,
instead of the common name (cn), which might not
be unique.
Thedomain_NetBIOS_name can be LOCAL or the
actual domain name as specified in user-identity
domain domain_NetBIOS_name aaa-server
aaa_server_group_tag command.

Step 3

hostname(config-user-object-group)# user-group
domain__NetBIOS_name\\user_group_name
Examples:
hostname(config-user-object-group)# user-group
SAMPLE\\group.marketing

Specifies a user group to add to the access rule.
The group_name can contain any character
including [a-z], [A-Z], [0-9], [!@#$%^&()-_{}. ]. If
domain_NetBIOS_name\group_name contains a
space, you must enclose the domain name and user
name in quotation marks.
Specifying the domain_NetBIOS_name for
user-group has the same requirements as specifying
it for user.
The ASA imports the nested user groups from in
Active Directory when the access rule is used in an
access group or service policy.

Step 4

hostname(config-user-object-group)# exit

Exit from the configure user object group mode to
the global configuration mode.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-21

Chapter 36

Configuring the Identity Firewall

Task Flow for Configuring the Identity Firewall

Step 5

Step 6

Command

Purpose

hostname(config)# access-list access_list_name {deny
| permit} protocol [{user-group
[domain_name\\]user_group_name | user
{[domain_name\\]user_name | any | none} |
object-group-user object_group_user_name}] {any |
host sip | sip smask | interface name | object
src_object_name | object-group
network_object_group_name> [eq port | …]
{object-group-user dst_object_group_name | object
dst_object_name host dst_host_name | ip_address}
[object-group service_object_name | eq port | …]

Creates an access control entry that controls access
using user identity or group identity.
You can specify [domain_nickname>\]user_name
and [domain_nickname>\]user_group_name
directly without specifying them in an object-group
first.
See the access-list extended command in the Cisco
ASA 5500 Series Command Reference for a
complete description of the command syntax.

Examples:
hostname(config)# access-list identity-list1 permit
ip user SAMPLE\user1 any any
hostname(config)# access-list aclname extended
permit ip user-group SAMPLE\\group.marketing any any
hostname(config)# access-list aclname extended
permit ip object-group-user asausers any any

The keywords user-group any and user-group
none can be specified to support cut-through proxy
authentication. See Configuring Cut-through Proxy
Authentication, page 22.

hostname(config)# access-group access-list global
Examples:
hostname(config)# access-group aclname global

Applies a single set of global rules to all interfaces
with the single command.

Configuring Cut-through Proxy Authentication
In an enterprise, some users log onto the network by using other authentication mechanisms, such as
authenticating with a web portal (cut-through proxy) or by using a VPN. For example, users with a
Machintosh and Linux client might log in a web portal (cut-through proxy) or by using a VPN.
Therefore, you must configure the Identity Firewall to allow these types of authentication in connection
with identity-based access policies.
The ASA designates users logging in through a web portal (cut-through proxy) as belonging to the
Active Directory domain with which they authenticated. The ASA designates users logging in through
a VPN as belonging to the LOCAL domain unless the VPN is authenticated by LDAP with Active
Directory, then the Identity Firewall can associate the users with their Active Directory domain. The
ASA reports users logging in through VPN authentication or a web portal (cut-through proxy) to the AD
Agent, which distributes the user information to all registered ASA devices.
Users can log in by using HTTP/HTTPS, FTP, Telnet, or SSH. When users log in with these
authentication methods, the following guidelines apply:
•

For HTTP/HTTPS traffic, an authentication window appears for unauthenticated users.

•

For Telnet and FTP traffic, users must log in through the cut-through proxy and again to Telnet and
FTP server.

•

A user can specify an Active Directory domain while providing login credentials (in the format
domain\username). The ASA automatically selects the associated AAA server group for the
specified domain.

•

If a user specifies an Active Directory domain while providing login credentials (in the format
domain\username), the ASA parses the domain and uses it to select an authentication server from
the AAA servers configured for the Identity Firewall. Only the username is passed to the AAA
server.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-22

Chapter 36

Configuring the Identity Firewall
Task Flow for Configuring the Identity Firewall

•

If the backslash (\) delimiter is not found in the log in credentials, the ASA does not parse a domain
and authentication is conducted with the AAA server that corresponds to default domain configured
for the Identity Firewall.

•

If a default domain or a server group is not configured for that default domain, the ASA rejects the
authentication.

•

If the domain is not specified, the ASA selects the AAA server group for the default domain that is
configured for the Identity Firewall.

Detailed Steps
To configure the cut-through proxy for the Identity Firewall, perform the following steps:
Command

Purpose

Step 1

hostname(config)# access-list access_list_name
extended permit tcp any user_ip_address
255.255.255.255 eq http
hostname(config)# access-list access_list_name
extended permit tcp any user_ip_address
255.255.255.255 eq https
Examples:
hostname(config)# access-list listenerAuth extended
permit tcp any any

Creates an access list that permits traffic from the
users client that uses the HTTP or HTTPS protocol.

Step 2

hostname(config)# aaa authentication listener http
inside port port
Examples:
hostname(config)# aaa authentication listener http
inside port 8888

Enables HTTP(S) listening ports to authenticate the
user.

Step 3

Creates an access control entry that controls access
using user identity or group identity.

Step 4

hostname(config)# aaa authenticate match
access_list_name inside user-identity
Examples:
aaa authenticate match listenerAuth inside
user-identity

See the access-list extended command in the Cisco
ASA 5500 Series Command Reference for a
complete description of the command syntax.
The keywords user-group any and user-group
none can be specified to support cut-through proxy
authentication.
•

any—The access list matches any IP addresses
that has already been associated with any users.

•

none—The access list matches any IP addresses
that has not been associated with any IP address.

Enables authentication for connections through the
ASA and matches it to the Identity Firewall feature.

Examples
Example 1

This example shows a typical cut-through proxy configuration to allow a user to log in through the ASA.
In this example, the following conditions apply:

Cisco ASA 5500 Series Configuration Guide using the CLI

36-23

Chapter 36

Configuring the Identity Firewall

Task Flow for Configuring the Identity Firewall

•

The ASA IP address is 172.1.1.118.

•

The Active Directory domain controller has the IP address 71.1.2.93.

•

The end user client has the IP address 172.1.1.118 and uses HTTPS to log in through a web portal.

•

The user is authenticated by the Active Directory domain controller via LDAP.

•

The ASA uses the inside interface to connect to the Active Directory domain controller on the
corporate network.

hostname(config)# access-list AUTH extended permit tcp any 172.1.1.118 255.255.255.255 eq http
hostname(config)# access-list AUTH extended permit tcp any 172.1.1.118 255.255.255.255 eq https
hostname(config)# aaa-server LDAP protocol ldap
hostname(config-aaa-server-group)# aaa-server LDAP (inside) host 171.1.2.93
hostname(config-aaa-server-host)# ldap-base-dn DC=cisco,DC=com
hostname(config-aaa-server-host)# ldap-group-base-dn DC=cisco,DC=com
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)# ldap-login-dn cn=kao,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
hostname(config-aaa-server-host)# ldap-login-password *****
hostname(config-aaa-server-host)# ldap-over-ssl enable
hostname(config-aaa-server-host)# server-type microsoft
hostname(config-aaa-server-host)# aaa authentication match AUTH inside LDAP
hostname(config)#
hostname(config)# http server enable
hostname(config)# http 0.0.0.0 0.0.0.0 inside
hostname(config)#
hostname(config)# auth-prompt prompt Enter Your Authentication
hostname(config)# auth-prompt accept You are Good
hostname(config)# auth-prompt reject Goodbye

Example 2
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#

access-list listenerAuth extended permit tcp any any
aaa authentication match listenerAuth inside ldap
aaa authentication listener http inside port 8888
access-list 100 ex permit ip user SAMPLE\user1 any any
access-list 100 ex deny ip user SAMPLE\user2 any any
access-list 100 ex permit ip user NONE any any
access-list 100 ex deny any any
access-group 100 in interface inside
aaa authenticate match 200 inside user-identity

In this example, the following guidelines apply:
•

In access-list commands, “permit user NONE” rules should be written before the “access-list 100
ex deny any any” to allow unauthenticated incoming users trigger AAA Cut-Through Proxy.

•

In auth access-list command, “permit user NONE” rules guarantee only unauthenticated trigger
Cut-Through Proxy. Ideally they should be the last lines.

Configuring VPN Authentication
In an enterprise, some traffic might need to bypass the Identity Firewall.
The ASA reports users logging in through VPN authentication or a web portal (cut-through proxy) to the
AD Agent, which distributes the user information to all registered ASA devices. Specifically, the IP-user
mapping of authenticated users is forwarded to all ASA contexts that contain the input interface where
HTTP/HTTPS packets are received and authenticated. The ASA designates users logging in through a
VPN as belonging the LOCAL domain.
There are two different ways to apply IDFW rules on VPN users.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-24

Chapter 36

Configuring the Identity Firewall
Monitoring the Identity Firewall

•

Apply VPN-Filter with bypassing access-list check disabled

•

Apply VPN-Filter with bypassing access-list check enabled

Configuration Example -- VPN with IDFW Rule -1
By default, “sysopt connection permit-vpn" is enabled and VPN traffic is exempted from access-list
check. In order to apply regular interface based ACL rules for VPN traffic, VPN traffic access-list
bypassing needs to be disabled.
In the this example, if the user logs in from outside interface, the IDFW rules will control what network
resource he can access. All VPN users are be stored under domain LOCAL. Therefore, it is only
meaningful to apply the rules over LOCAL users or object-group containing LOCAL users.
! Apply VPN-Filter with bypassing access-list check disabled
no sysopt connection permit-vpn
access-list v1 extended deny ip user LOCAL\idfw any 10.0.0.0 255.255.255.0
access-list v1 extended permit ip user LOCAL\idfw any 20.0.0.0 255.255.255.0
access-group v1 in interface outside
>> Control VPN user based on regular IDFW ACLs

Configuration ExampleVPN with IDFW Rule -2
By default, "sysopt connection permit-vpn" is enabled, with VPN traffic access bypassing enabled.
VPN-filter can be used to apply the IDFW rules on the VPN traffic. VPN-filter with IDFW rules can be
defined in CLI username and group-policy.
In the example, when user idfw logs in, he is able to access to network resources in 10.0.00/24 subnet.
However, when user user1 loggs in, his access to network resources in 10.0.00/24 subnet will be denied.
Note that all VPN users will be stored under domain LOCAL. Therefore, it is only meaningful to apply
the rules over LOCAL users or object-group containing LOCAL users.
Note: IDFW rules can only be aplpied to vpn-filter under group-policy and are not available in all the
other group-policy features.
! Apply VPN-Filter with bypassing access-list check enabled
sysopt connection permit-vpn
access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0
access-list v2 extended deny ip user LOCAL\user1 any 10.0.0.0 255.255.255.0
username user1 password QkBIIYVi6IFLEsYv encrypted privilege 0 username user1 attributes
vpn-group-policy group1 vpn-filter value v2
>> Per user VPN-filter control
username idfw password eEm2dmjMaopcGozT encrypted
username idfw attributes
vpn-group-policy testgroup vpn-filter value v1
sysopt connection permit-vpn
access-list v1 extended permit ip user LOCAL\idfw any 10.0.0.0 255.255.255.0 access-list
v1 extended deny ip user LOCAL\user1 any 10.0.0.0 255.255.255.0 group-policy group1
internal
group-policy group1 attributes
>> Per group VPN-filter control
vpn-filter value v1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

Monitoring the Identity Firewall
This section contains the following topics:
•

Monitoring AD Agents, page 26

•

Monitoring Groups, page 26

Cisco ASA 5500 Series Configuration Guide using the CLI

36-25

Chapter 36

Configuring the Identity Firewall

Monitoring the Identity Firewall

•

Monitoring Memory Usage for the Identity Firewall, page 26

•

Monitoring Users for the Identity Firewall, page 27

Monitoring AD Agents
You can monitor the AD Agent component of the Identity Firewall.
Use the following options of the show user-identity command to obtain troubleshooting information for
the AD Agent:
•

show user-identity ad-agent

•

show user-identity ad-agent statistics

These commands display the following information about the primary and secondary AD Agents:
•

Status of the AD Agents

•

Status of the domains

•

Statistics for the AD Agents

Monitoring Groups
You can monitor the user groups configured for the Identity Firewall.
Use the show user-identity group command to obtain troubleshooting information for the user groups
configured for the Identity Firewall:
displays the list of user groups in the following format:
domain\group_name

Monitoring Memory Usage for the Identity Firewall
You can monitor the memory usage that the Identity Firewall consumes on the ASA.
Use the show user-identity memory command to obtain troubleshooting information for the Identity
Firewall:
The command displays the memory usage in bytes of various modules in the Identity Firewall:
•

Users

•

Groups

•

User Stats

•

LDAP
The ASA sends an LDAP query for the Active Directory groups configured on the Active Directory
server. The Active Directory server authenticates users and generates user logon security logs.

•

AD Agent

•

Miscellaneous

•

Total Memory Usage

Cisco ASA 5500 Series Configuration Guide using the CLI

36-26

Chapter 36

Configuring the Identity Firewall
Monitoring the Identity Firewall

Note

How you configure the Identity Firewall to retrieve user information from the AD Agent impacts the
amount of memory used by the feature. You specify whether the ASA uses on demand retrieval or full
download retrieval. Selecting On Demand has the benefit of using less memory as only users of
received packets are queried and stored. See Configuring Identity Options, page 14 for a description of
these options.

Monitoring Users for the Identity Firewall
You can display information about all users contained in the IP-user mapping database used by the
Identity Firewall.
Use the following options of the show user-identity command to obtain troubleshooting information for
the AD Agent:
•

show user-identity user all list

•

show user-identity user active user domain\user-name list detail

These commands display the following information for users:
domain\user_name

Active Connections

Minutes Idle

The default domain name can be the real domain name, a special reserved word, or LOCAL. The Identity
Firewall uses the LOCAL domain name for all locally defined user groups or locally defined users (users
who log in and authenticate by using a VPN or web portal). When default domain is not specified, the
default domain is LOCAL.
The idle time is stored on a per user basis instead of per the IP address of a user.

Note

The first three tabs in the
If the commands user-identity action domain-controller-down domain_name
disable-user-identity-rule is configured and the specified domain is down, or if user-identity action
ad-agent-down disable-user-identity-rule is configured and AD Agent is down, all the logged on users
have the status disabled.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-27

Chapter 36

Configuring the Identity Firewall

Feature History for the Identity Firewall

Feature History for the Identity Firewall
Table 36-1 lists the release history for this feature.
\

Table 36-1

Feature History for the Identity Firewall

Feature Name

Releases

Feature Information

Identity Firewall

8.4(2)

The Identity Firewall feature was introduced.
We introduced or modified the following commands:
user-identity enable, user-identity default-domain,
user-identity domain, user-identity logout-probe,
user-identity inactive-user-timer, user-identity
poll-import-user-group-timer, user-identity action
netbios-response-fail, user-identity user-not-found,
user-identity action ad-agent-down, user-identity action
mac-address-mismatch, user-identity action
domain-controller-down, user-identity ad-agent
active-user-database, user-identity ad-agent hello-timer,
user-identity ad-agent aaa-server, user-identity update
import-user, user-identity static user, dns
domain-lookup, dns poll-timer, dns expire-entry-timer,
object-group user, show user-identity, show dns, clear
configure user-identity, clear dns, debug user-identity.

Cisco ASA 5500 Series Configuration Guide using the CLI

36-28

CH A P T E R

Configuring Management Access
This chapter describes how to access the ASA for system management through Telnet, SSH, and HTTPS
(using ASDM), how to authenticate and authorize users, how to create login banners, and how to
customize CLI parameters.
This chapter includes the following sections:

Note

•

Configuring ASA Access for ASDM, Telnet, or SSH, page 37-1

•

Configuring CLI Parameters, page 37-6

•

Configuring ICMP Access, page 37-10

•

Configuring Management Access Over a VPN Tunnel, page 37-12

•

Configuring AAA for System Administrators, page 37-13

•

Feature History for Management Access, page 37-33

To access the ASA interface for management access, you do not also need an access list allowing the
host IP address. You only need to configure management access according to the sections in this chapter.

Configuring ASA Access for ASDM, Telnet, or SSH
This section describes how to allow clients to access the ASA using ASDM, Telnet, or SSH and includes
the following topics:
•

Licensing Requirements for ASA Access for ASDM, Telnet, or SSH, page 37-2

•

Guidelines and Limitations, page 37-2

•

Configuring Telnet Access, page 37-3

•

Using a Telnet Client, page 37-4

•

Configuring SSH Access, page 37-4

•

Using an SSH Client, page 37-5

•

Configuring HTTPS Access for ASDM, page 37-6

Cisco ASA 5500 Series Configuration Guide using the CLI

37-1

Chapter 37

Configuring Management Access

Configuring ASA Access for ASDM, Telnet, or SSH

Licensing Requirements for ASA Access for ASDM, Telnet, or SSH
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines

Supported in routed and transparent firewall mode.
IPv6 Guidelines

Supports IPv6.
Additional Guidelines
•

You cannot use Telnet to the lowest security interface unless you use Telnet inside a VPN tunnel.

•

Management access to an interface other than the one from which you entered the ASA is not
supported. For example, if your management host is located on the outside interface, you can only
initiate a management connection directly to the outside interface. The only exception to this rule is
through a VPN connection. See the “Configuring Management Access Over a VPN Tunnel” section
on page 37-12.

•

The ASA allows:
– A maximum of 5 concurrent Telnet connections per context, if available, with a maximum of

100 connections divided among all contexts.
– A maximum of 5 concurrent SSH connections per context, if available, with a maximum of 100

connections divided among all contexts.
– A maximum of 5 concurrent ASDM instances per context, if available, with a maximum of 32

ASDM instances among all contexts.
•

The ASA supports the SSH remote shell functionality provided in SSH Versions 1 and 2 and
supports DES and 3DES ciphers.

•

XML management over SSL and SSH is not supported.

•

(8.4 and later) The SSH default username is no longer supported. You can no longer connect to the
ASA using SSH with the pix or asa username and the login password. To use SSH, you must
configure AAA authentication using the aaa authentication ssh console LOCAL command; then
define a local user by entering the username command. If you want to use a AAA server for
authentication instead of the local database, we recommend also configuring local authentication as
a backup method.

Cisco ASA 5500 Series Configuration Guide using the CLI

37-2

Chapter 37

Configuring Management Access
Configuring ASA Access for ASDM, Telnet, or SSH

Configuring Telnet Access
To identify the client IP addresses allowed to connect to the ASA using Telnet, perform the following
steps.

Detailed Steps

Step 1

Command

Purpose

telnet source_IP_address mask
source_interface

For each address or subnet, identifies the IP addresses from
which the ASA accepts connections.
If there is only one interface, you can configure Telnet to access
that interface as long as the interface has a security level of 100.

Example:
hostname(config)# telnet 192.168.1.2
255.255.255.255 inside

Step 2

telnet timeout minutes

Sets the duration for how long a Telnet session can be idle
before the ASA disconnects the session.

Example:

Set the timeout from 1 to 1440 minutes. The default is 5
minutes. The default duration is too short in most cases and
should be increased until all pre-production testing and
troubleshooting have been completed.

hostname(config)# telnet timeout 30

Examples
The following example shows how to let a host on the inside interface with an address of 192.168.1.2
access the ASA:
hostname(config)# telnet 192.168.1.2 255.255.255.255 inside

The following example shows how to allow all users on the 192.168.3.0 network to access the ASA on
the inside interface:
hostname(config)# telnet 192.168.3.0 255.255.255.0 inside

Cisco ASA 5500 Series Configuration Guide using the CLI

37-3

Chapter 37

Configuring Management Access

Configuring ASA Access for ASDM, Telnet, or SSH

Using a Telnet Client
To gain access to the ASA CLI using Telnet, enter the login password set by the password command. If
you configure Telnet authentication (see the “Configuring Authentication for CLI and ASDM Access”
section on page 37-19), then enter the username and password defined by the AAA server or local
database.

Configuring SSH Access
To identify the client IP addresses and define a user allowed to connect to the ASA using SSH, perform
the following steps.

Detailed Steps

Step 1

Command

Purpose

crypto key generate rsa modulus
modulus_size

Generates an RSA key pair, which is required for SSH.

Example:

The modulus value (in bits) is 512, 768, 1024, or 2048. The
larger the key modulus size you specify, the longer it takes to
generate an RSA key pair. We recommend a value of 1024.

hostname(config)# crypto key generate rsa
modulus 1024

Step 2

write memory

Saves the RSA keys to persistent flash memory.

Example:
hostname(config)# write memory

Step 3

aaa authentication ssh console LOCAL

Enables local authentication for SSH access. You can
alternatively configure authentication using a AAA server. See
the “Configuring Authentication for CLI and ASDM Access”
section on page 37-19 for more information.

Step 4

username username password password

Creates a user in the local database that can be used for SSH
access.

Step 5

ssh source_IP_address mask
source_interface

For each address or subnet, identifies the IP addresses from
which the ASA accepts connections, and the interface on which
you can SSH. Unlike Telnet, you can SSH on the lowest
security level interface.

Example:
hostname(config)# ssh 192.168.3.0
255.255.255.0 inside

Step 6

(Optional)
ssh timeout minutes

Example:
hostname(config)# ssh timeout 30

Cisco ASA 5500 Series Configuration Guide using the CLI

37-4

Sets the duration for how long an SSH session can be idle
before the ASA disconnects the session.
Set the timeout from 1 to 60 minutes. The default is 5 minutes.
The default duration is too short in most cases, and should be
increased until all pre-production testing and troubleshooting
have been completed.

Chapter 37

Configuring Management Access
Configuring ASA Access for ASDM, Telnet, or SSH

Step 7

Command

Purpose

(Optional)

Limits access to SSH version 1 or 2. By default, SSH allows
both versions 1 and 2.

ssh version version_number

Example:
hostname(config)# ssh version 2

Step 8

ssh key-exchange {dh-group1 | dhgroup14}

Example:
hostname(config)# ssh key-exchange
dh-group14

Specifies that either the Diffie-Hellman Group 1 or
Diffie-Hellman Group 14 follows and should be used for key
exchange. Diffie-Hellman Group 1 is the default if no value is
specified.

Examples
The following example shows how to generate RSA keys and let a host on the inside interface with an
address of 192.168.1.2 access the ASA:
hostname(config)# crypto key generate rsa modulus 1024
hostname(config)# write memory
hostname(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
hostname(config)# username exampleuser1 password examplepassword1
hostname(config)# ssh 192.168.1.2 255.255.255.255 inside
hostname(config)# ssh timeout 30

The following example shows how to allow all users on the 192.168.3.0 network to access the ASA on
the inside interface:
hostname(config)# ssh 192.168.3.0 255.255.255.0 inside

Using an SSH Client
In the SSH client on your management host, enter the username and password that you configured in the
“Configuring SSH Access” section on page 37-4. When starting an SSH session, a dot (.) displays on the
ASA console before the following SSH user authentication prompt appears:
hostname(config)# .

The display of the dot does not affect the functionality of SSH. The dot appears at the console when
generating a server key or decrypting a message using private keys during SSH key exchange before user
authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator
that verifies that the ASA is busy and has not hung.

Note

If more than one SSH configuration session exists and the configuration operation is carried through any
file operations (such as copy, tftp, config net, context mode config file), even if it is a single CLI, it will
be blocked with the response "Command Ignored, configuration in progress...". If the CLI is directly
entered through a command prompt, it is not blocked.

Cisco ASA 5500 Series Configuration Guide using the CLI

37-5

Chapter 37

Configuring Management Access

Configuring CLI Parameters

Configuring HTTPS Access for ASDM
To use ASDM, you need to enable the HTTPS server, and allow HTTPS connections to the ASA. HTTPS
access is enabled as part of the factory default configuration or when you use the setup command. This
section describes how to manually configure ASDM access.
To configure HTTPS access for ASDM, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

http source_IP_address mask
source_interface

For each address or subnet, identifies the IP addresses from
which the ASA accepts HTTPS connections.

Example:
hostname(config)# http 192.168.1.2
255.255.255.255 inside

Step 2

http server enable [port]

Enables the HTTPS server.

Example:

By default, the port is 443. If you change the port number, be
sure to include it in the ASDM access URL. For example, if
you change the port number to 444, enter the following:

hostname(config)# http server enable 443

https://10.1.1.1:444

Examples
The following example shows how to enable the HTTPS server and let a host on the inside interface with
an address of 192.168.1.2 access ASDM:
hostname(config)# http server enable
hostname(config)# http 192.168.1.2 255.255.255.255 inside

The following example shows how to allow all users on the 192.168.3.0 network to access ASDM on the
inside interface:
hostname(config)# http 192.168.3.0 255.255.255.0 inside

Configuring CLI Parameters
This section includes the following topics:
•

Licensing Requirements for CLI Parameters, page 37-7

•

Guidelines and Limitations, page 37-7

•

Configuring a Login Banner, page 37-7

•

Customizing a CLI Prompt, page 37-8

•

Changing the Console Timeout, page 37-9

Cisco ASA 5500 Series Configuration Guide using the CLI

37-6

Chapter 37

Configuring Management Access
Configuring CLI Parameters

Licensing Requirements for CLI Parameters
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines

Supported in routed and transparent firewall mode.

Configuring a Login Banner
You can configure a message to display when a user connects to the ASA, before a user logs in, or before
a user enters privileged EXEC mode.

Restrictions
After a banner is added, Telnet or SSH sessions to ASA may close if:
•

There is not enough system memory available to process the banner message(s).

•

A TCP write error occurs when trying to display banner message(s).

•

From a security perspective, it is important that your banner discourage unauthorized access. Do not
use the words “welcome” or “please,” as they appear to invite intruders in. The following banner
sets the correct tone for unauthorized access:

Guidelines

You have logged in to a secure device. If you are not authorized to access this
device, log out immediately or risk possible criminal consequences.

•

See RFC 2196 for guidelines about banner messages.

Cisco ASA 5500 Series Configuration Guide using the CLI

37-7

Chapter 37

Configuring Management Access

Configuring CLI Parameters

To configure a login banner, perform the following steps:

Detailed Steps

Command

Purpose

banner {exec | login | motd} text

Adds a banner to display at one of three times: when a user first connects
(message-of-the-day (motd)), when a user logs in (login), and when a user
accesses privileged EXEC mode (exec). When a user connects to the ASA,
the message-of-the-day banner appears first, followed by the login banner
and prompts. After the user successfully logs in to the ASA, the exec
banner appears.

Example:
hostname(config)# banner motd Welcome to
$(hostname).

To add more than one line, precede each line by the banner command.
For the banner text:
•

Spaces are allowed, but tabs cannot be entered using the CLI.

•

There are no limits for banner length other than those for RAM and
flash memory.

•

You can dynamically add the hostname or domain name of the ASA by
including the strings $(hostname) and $(domain).

•

If you configure a banner in the system configuration, you can use that
banner text within a context by using the $(system) string in the
context configuration.

Examples
The following example shows how to add a message-of-the-day banner:
hostname(config)# banner motd Welcome to $(hostname).
hostname(config)# banner motd Contact me at admin@example.com for any
hostname(config)# banner motd issues.

Customizing a CLI Prompt
The CLI Prompt pane lets you customize the prompt used during CLI sessions. By default, the prompt
shows the hostname of the ASA. In multiple context mode, the prompt also displays the context name.
You can display the following items in the CLI prompt:
context

(Multiple mode only) Displays the name of the current context.

domain

Displays the domain name.

hostname

Displays the hostname.

Cisco ASA 5500 Series Configuration Guide using the CLI

37-8

Chapter 37

Configuring Management Access
Configuring CLI Parameters

priority

Displays the failover priority as pri (primary) or sec (secondary).

state

Displays the traffic-passing state of the unit. The following values appear for
the state:
•

act—Failover is enabled, and the unit is actively passing traffic.

•

stby— Failover is enabled, and the unit is not passing traffic and is in a
standby, failed, or another nonactive state.

•

actNoFailover—Failover is not enabled, and the unit is actively passing
traffic.

•

stbyNoFailover—Failover is not enabled, and the unit is not passing
traffic. This condition might occur when there is an interface failure
above the threshold on the standby unit.

Detailed Steps
To customize the CLI prompt, enter the following command:
Command

Purpose

prompt {[hostname] [context] [domain]
[slot] [state] [priority]}

Customizes the CLI prompt.

Example:
hostname(config)# firewall transparent

Changing the Console Timeout
The console timeout sets how long a connection can remain in privileged EXEC mode or configuration
mode; when the timeout is reached, the session drops into user EXEC mode. By default, the session does
not time out. This setting does not affect how long you can remain connected to the console port, which
never times out.
To change the console timeout, enter the following command:
Command

Purpose

console timeout number

Specifies the idle time in minutes (0 through 60) after which the privileged
session ends. The default timeout is 0, which means the session does not
time out.

Example:
hostname(config)# console timeout 0

Model

License Requirement

All models

Base License.

Cisco ASA 5500 Series Configuration Guide using the CLI

37-9

Chapter 37

Configuring Management Access

Configuring ICMP Access

Configuring ICMP Access
By default, you can send ICMP packets to any ASA interface using either IPv4 or IPv6. This section tells
how to limit ICMP management access to the ASA. You can protect the ASA from attacks by limiting
the addresses of hosts and networks that are allowed to have ICMP access to the ASA.

Note

For allowing ICMP traffic through the ASA, see Chapter 34, “Configuring Access Rules.”
This section includes the following topics:
•

Information About ICMP Access, page 37-10

•

Licensing Requirements for ICMP Access, page 37-10

•

Guidelines and Limitations, page 37-10

•

Default Settings, page 37-11

•

Configuring ICMP Access, page 37-11

Information About ICMP Access
ICMP in IPv6 functions the same as ICMP in IPv4. ICMPv6 generates error messages, such as ICMP
destination unreachable messages and informational messages like ICMP echo request and reply
messages. Additionally ICMP packets in IPv6 are used in the IPv6 neighbor discovery process and path
MTU discovery.
We recommend that you always grant permission for the ICMP unreachable message type (type 3).
Denying ICMP unreachable messages disables ICMP path MTU discovery, which can halt IPsec and
PPTP traffic. See RFC 1195 and RFC 1435 for details about path MTU discovery.
If you configure ICMP rules, then the ASA uses a first match to the ICMP traffic followed by an implicit
deny all entry. That is, if the first matched entry is a permit entry, the ICMP packet continues to be
processed. If the first matched entry is a deny entry or an entry is not matched, the ASA discards the
ICMP packet and generates a syslog message. An exception is when an ICMP rule is not configured; in
that case, a permit statement is assumed.

Licensing Requirements for ICMP Access
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.

Cisco ASA 5500 Series Configuration Guide using the CLI

37-10

Chapter 37

Configuring Management Access
Configuring ICMP Access

Firewall Mode Guidelines

Supported in routed and transparent firewall mode.
IPv6 Guidelines

Supports IPv6.
Additional Guidelines
•

The ASA does not respond to ICMP echo requests directed to a broadcast address.

•

The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot
send ICMP traffic through an interface to a far interface.

Default Settings
By default, you can send ICMP packets to any ASA interface using either IPv4 or IPv6.

Configuring ICMP Access
To configure ICMP access rules, enter one of the following commands:

Detailed Steps

Command

Purpose

(For IPv4)

Creates an IPv4 ICMP access rule. If you do not specify an icmp_type, all
types are identified. You can enter the number or the name. To control ping,
specify echo-reply (0) (ASA-to-host) or echo (8) (host-to-ASA). See the
“ICMP Types” section on page B-15 for a list of ICMP types.

icmp {permit | deny} {host ip_address |
ip_address mask | any} [icmp_type]
interface_name

Example:
hostname(config)# icmp deny host 10.1.1.15
inside

(For IPv6)
ipv6 icmp {permit | deny}
{ipv6-prefix/prefix-length | any | host
ipv6-address} [icmp-type] interface_name

Creates an IPv6 ICMP access rule. If you do not specify an icmp_type, all
types are identified. You can enter the number or the name. To control ping,
specify echo-reply (0) (ASA-to-host) or echo (8) (host-to-ASA). See
the“ICMP Types” section on page B-15 for a list of ICMP types.

Example:
hostname(config)# icmp permit host
fe80::20d:88ff:feee:6a82 outside

Examples
The following example shows how to allow all hosts except the one at 10.1.1.15 to use ICMP to the inside
interface:
hostname(config)# icmp deny host 10.1.1.15 inside
hostname(config)# icmp permit any inside

Cisco ASA 5500 Series Configuration Guide using the CLI

37-11

Chapter 37

Configuring Management Access

Configuring Management Access Over a VPN Tunnel

The following example shows how to allow the host at 10.1.1.15 to use only ping to the inside interface,
enter the following command:
hostname(config)# icmp permit host 10.1.1.15 inside

The following example shows how to deny all ping requests and permit all packet-too-big messages (to
support path MTU discovery) at the outside interface:
hostname(config)# ipv6 icmp deny any echo-reply outside
hostname(config)# ipv6 icmp permit any packet-too-big outside

The following example shows how to permit host 2000:0:0:4::2 or hosts on prefix 2001::/64 to ping the
outside interface:
hostname(config)# ipv6 icmp permit host 2000:0:0:4::2 echo-reply outside
hostname(config)# ipv6 icmp permit 2001::/64 echo-reply outside
hostname(config)# ipv6 icmp permit any packet-too-big outside

Configuring Management Access Over a VPN Tunnel
If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different
interface, you can identify that interface as a management-access interface. For example, if you enter the
ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH,
Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface.
Management access is available via the following VPN tunnel types: IPsec clients, IPsec site-to-site, and
the AnyConnect SSL VPN client.
This section includes the following topics:
•

Licensing Requirements for a Management Interface, page 37-12

•

Guidelines and Limitations, page 37-12

•

Configuring a Management Interface, page 37-13

Licensing Requirements for a Management Interface
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single mode.
Firewall Mode Guidelines

Supported in routed mode.

Cisco ASA 5500 Series Configuration Guide using the CLI

37-12

Chapter 37

Configuring Management Access
Configuring AAA for System Administrators

IPv6 Guidelines

Supports IPv6.
Additional Guidelines

You can define only one management access interface.

Configuring a Management Interface
To configure the management interface, enter the following command:
Command

Purpose

management access management_interface

The management_interface specifies the name of the management
interface that you want to access when entering the ASA from another
interface.

Example:
hostname(config)# management access inside

Configuring AAA for System Administrators
This section describes how to enable authentication and command authorization for system
administrators. Before you configure AAA for system administrators, first configure the local database
or AAA server according to procedures listed in Chapter 35, “Configuring AAA Servers and the Local
Database.”
This section includes the following topics:
•

Information About AAA for System Administrators, page 37-14

•

Licensing Requirements for AAA for System Administrators, page 37-17

•

Prerequisites, page 37-17

•

Guidelines and Limitations, page 37-18

•

Default Settings, page 37-18

•

Configuring Authentication for CLI and ASDM Access, page 37-19

•

Configuring Authentication to Access Privileged EXEC Mode (the enable Command), page 37-19

•

Limiting User CLI and ASDM Access with Management Authorization, page 37-21

•

Configuring Command Authorization, page 37-22

•

Configuring Management Access Accounting, page 37-30

•

Viewing the Currently Logged-In User, page 37-30

•

Recovering from a Lockout, page 37-31

•

Setting a Management Session Quota, page 37-32

Cisco ASA 5500 Series Configuration Guide using the CLI

37-13

Chapter 37

Configuring Management Access

Configuring AAA for System Administrators

Information About AAA for System Administrators
This section describes AAA for system administrators and includes the following topics:
•

Information About Management Authentication, page 37-14

•

Information About Command Authorization, page 37-14

Information About Management Authentication
This section describes authentication for management access and includes the following topics:
•

Comparing CLI Access with and without Authentication, page 37-14

•

Comparing ASDM Access with and without Authentication, page 37-14

Comparing CLI Access with and without Authentication
How you log into the ASA depends on whether or not you enable authentication:
•

If you do not enable any authentication for Telnet, you do not enter a username; you enter the login
password (set with the password command). For SSH, you enter the username and the login
password. You access user EXEC mode.

•

If you enable Telnet or SSH authentication according to this section, you enter the username and
password as defined on the AAA server or local user database. You access user EXEC mode.

To enter privileged EXEC mode after logging in, enter the enable command. How enable works depends
on whether you enable authentication:
•

If you do not configure enable authentication, enter the system enable password when you enter the
enable command (set by the enable password command). However, if you do not use enable
authentication, after you enter the enable command, you are no longer logged in as a particular user.
To maintain your username, use enable authentication.

•

If you configure enable authentication (see the Configuring Authentication to Access Privileged
EXEC Mode (the enable Command), page 37-19), the ASA prompts you for your username and
password again. This feature is particularly useful when you perform command authorization, in
which usernames are important in determining the commands that a user can enter.

For enable authentication using the local database, you can use the login command instead of the enable
command. login maintains the username but requires no configuration to turn on authentication. See the
“Authenticating Users with the login Command” section on page 37-20 for more information.

Comparing ASDM Access with and without Authentication
By default, you can log into ASDM with a blank username and the enable password set by the enable
password command. Note that if you enter a username and password at the login screen (instead of
leaving the username blank), ASDM checks the local database for a match.
If you configure HTTP authentication, you can no longer use ASDM with a blank username and the
enable password.

Information About Command Authorization
This section describes command authorization and includes the following topics:
•

Supported Command Authorization Methods, page 37-15

Cisco ASA 5500 Series Configuration Guide using the CLI

37-14

Chapter 37

Configuring Management Access
Configuring AAA for System Administrators

•

About Preserving User Credentials, page 37-15

•

Security Contexts and Command Authorization, page 37-16

Supported Command Authorization Methods
You can use one of two command authorization methods:
•

Note

•

Local privilege levels—Configure the command privilege levels on the ASA. When a local,
RADIUS, or LDAP (if you map LDAP attributes to RADIUS attributes) user authenticates for CLI
access, the ASA places that user in the privilege level that is defined by the local database, RADIUS,
or LDAP server. The user can access commands at the assigned privilege level and below. Note that
all users access user EXEC mode when they first log in (commands at level 0 or 1). The user needs
to authenticate again with the enable command to access privileged EXEC mode (commands at level
2 or higher), or they can log in with the login command (local database only).

You can use local command authorization without any users in the local database and without
CLI or enable authentication. Instead, when you enter the enable command, you enter the
system enable password, and the ASA places you in level 15. You can then create enable
passwords for every level, so that when you enter enable n (2 to 15), the ASA places you in level
n. These levels are not used unless you enable local command authorization (see the
“Configuring Local Command Authorization” section on page 37-23). (See the command
reference for more information about the enable command.)
TACACS+ server privilege levels—On the TACACS+ server, configure the commands that a user or
group can use after authenticating for CLI access. Every command that a user enters at the CLI is
validated with the TACACS+ server.

About Preserving User Credentials
When a user logs into the ASA, that user is required to provide a username and password for
authentication. The ASA retains these session credentials in case further authentication is needed later
in the session.
When the following configurations are in place, a user needs only to authenticate with the local server
for login. Subsequent serial authorization uses the saved credentials. The user is also prompted for the
privilege level 15 password. When exiting privileged mode, the user is authenticated again. User
credentials are not retained in privileged mode.
•

The local server is configured to authenticate user access.

•

Privilege level 15 command access is configured to require a password.

•

The user account is configured for serial-only authorization (no access to console or ASDM).

•

The user account is configured for privilege level 15 command access.

The following table shows how credentials are used in this case by the ASA.

Credentials required

Username and
Password
Authentication

Serial
Authorization

Privileged Mode Privileged
Command
Mode Exit
Authorization
Authorization

Username

Yes

Cisco ASA 5500 Series Configuration Guide using the CLI

37-15

Chapter 37

Configuring Management Access

Configuring AAA for System Administrators

Credentials required

Username and
Password
Authentication

Serial
Authorization

Privileged Mode Privileged
Command
Mode Exit
Authorization
Authorization

Password

Yes

Privileged Mode
Password

Yes

Security Contexts and Command Authorization
The following are important points to consider when implementing command authorization with
multiple security contexts:
•

AAA settings are discrete per context, not shared among contexts.
When configuring command authorization, you must configure each security context separately.
This configuration provides you the opportunity to enforce different command authorizations for
different security contexts.
When switching between security contexts, administrators should be aware that the commands
permitted for the username specified when they login may be different in the new context session or
that command authorization may not be configured at all in the new context. Failure to understand
that command authorizations may differ between security contexts could confuse an administrator.
This behavior is further complicated by the next point.

•

New context sessions started with the changeto command always use the default enable_15
username as the administrator identity, regardless of which username was used in the previous
context session. This behavior can lead to confusion if command authorization is not configured for
the enable_15 user or if authorizations are different for the enable_15 user than for the user in the
previous context session.
This behavior also affects command accounting, which is useful only if you can accurately associate
each command that is issued with a particular administrator. Because all administrators with
permission to use the changeto command can use the enable_15 username in other contexts,
command accounting records may not readily identify who was logged in as the enable_15
username. If you use different accounting servers for each context, tracking who was using the
enable_15 username requires correlating the data from several servers.
When configuring command authorization, consider the following:
•

An administrator with permission to use the changeto command effectively has permission to
use all commands permitted to the enable_15 user in each of the other contexts.

•

If you intend to authorize commands differently per context, ensure that in each context the
enable_15 username is denied use of commands that are also denied to administrators who are
permitted use of the changeto command.

When switching between security contexts, administrators can exit privileged EXEC mode and enter
the enable command again to use the username that they need.

Note

The system execution space does not support AAA commands; therefore, command authorization is not
available in the system execution space.

Cisco ASA 5500 Series Configuration Guide using the CLI

37-16

Chapter 37

Configuring Management Access
Configuring AAA for System Administrators

Licensing Requirements for AAA for System Administrators
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Prerequisites
Depending on the feature, you can use the following:
•

AAA server—See the “Configuring AAA Server Groups” section on page 35-11.

•

Local Database—See the “Adding a User Account to the Local Database” section on page 35-20.

Prerequisites for Management Authentication

Before the ASA can authenticate a Telnet, SSH, or HTTP user, you must identify the IP addresses that
are allowed to communicate with the ASA. For more information, see the “Configuring ASA Access for
ASDM, Telnet, or SSH” section on page 37-1.
Prerequisites for Local Command Authorization
•

Configure enable authentication. (See the “Configuring Authentication for CLI and ASDM Access”
section on page 37-19.) enable authentication is essential for maintaining the username after the
user accesses the enable command.
Alternatively, you can use the login command (which is the same as the enable command with
authentication; for the local database only), which requires no configuration. We do not recommend
this option because it is not as secure as enable authentication.
You can also use CLI authentication, but it is not required.

•

See the following prerequisites for each user type:
– Local database users—Configure each user in the local database at a privilege level from 0 to 15.
– RADIUS users—Configure the user with Cisco VSA CVPN3000-Privilege-Level with a value

between 0 and 15.
– LDAP users—Configure the user with a privilege level between 0 and 15, and then map the

LDAP attribute to Cisco VSA CVPN3000-Privilege-Level according to the “Configuring LDAP
Attribute Maps” section on page 35-18.
Prerequisites for TACACS+ Command Authorization
•

Configure CLI authentication (see the “Configuring Authentication for CLI and ASDM Access”
section on page 37-19).

•

Configure enable authentication (see the “Configuring Authentication to Access Privileged EXEC
Mode (the enable Command)” section on page 37-19).

Prerequisites for Managament Accounting
•

Configure CLI authentication (see the “Configuring Authentication for CLI and ASDM Access”
section on page 37-19).

Cisco ASA 5500 Series Configuration Guide using the CLI

37-17

Chapter 37

Configuring Management Access

Configuring AAA for System Administrators

•

Configure enable authentication (see the “Configuring Authentication to Access Privileged EXEC
Mode (the enable Command)” section on page 37-19).

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines

Supported in routed and transparent firewall mode.
IPv6 Guidelines

Supports IPv6.

Default Settings
By default, the following commands are assigned to privilege level 0. All other commands are assigned
to privilege level 15.
•

show checksum

•

show curpriv

•

enable

•

help

•

show history

•

logout

•

pager

•

show pager

•

clear pager

•

quit

•

show version

If you move any configure mode commands to a lower level than 15, be sure to move the configure
command to that level as well, otherwise, the user will not be able to enter configuration mode.
To view all privilege levels, see the “Viewing Local Command Privilege Levels” section on page 37-26.

Cisco ASA 5500 Series Configuration Guide using the CLI

37-18

Chapter 37

Configuring Management Access
Configuring AAA for System Administrators

Configuring Authentication for CLI and ASDM Access
To configure management authentication, enter the following command:
Command

Purpose

aaa authentication {telnet | ssh | http |
serial} console {LOCAL |
server_group [LOCAL]}

Authenticates users for management access. The telnet keyword controls
Telnet access.
The ssh keyword controls SSH access. The SSH default usernames asa and
pix are no longer supported.

Example:
hostname(config)# aaa authentication
telnet console LOCAL

The http keyword controls ASDM access.
The serial keyword controls console port access.
HTTP management authentication does not support the SDI protocol for a
AAA server group.
If you use a AAA server group for authentication, you can configure the
ASA to use the local database as a fallback method if the AAA server is
unavailable. Specify the server group name followed by LOCAL (LOCAL
is case sensitive). We recommend that you use the same username and
password in the local database as the AAA server, because the ASA prompt
does not give any indication which method is being used.
You can alternatively use the local database as your primary method of
authentication (with no fallback) by entering LOCAL alone.

Configuring Authentication to Access Privileged EXEC Mode (the enable
Command)
You can configure the ASA to authenticate users with a AAA server or the local database when they enter
the enable command. Alternatively, users are automatically authenticated with the local database when
they enter the login command, which also accesses privileged EXEC mode depending on the user level
in the local database.
This section includes the following topics:
•

Configuring Authentication for the enable Command, page 37-20

•

Authenticating Users with the login Command, page 37-20

Cisco ASA 5500 Series Configuration Guide using the CLI

37-19

Chapter 37

Configuring Management Access

Configuring AAA for System Administrators

Configuring Authentication for the enable Command
You can configure the ASA to authenticate users when they enter the enable command. See the
“Comparing CLI Access with and without Authentication” section on page 37-14 for more information.
To authenticate users who enter the enable command, enter the following command.
Command

Purpose

aaa authentication enable console {LOCAL |
server_group [LOCAL]}

Authenticates users who enter the enable command. The user is prompted
for the username and password.

Example:
hostname(config)# aaa authentication
enable console LOCAL

If you use a AAA server group for authentication, you can configure the
ASA to use the local database as a fallback method if the AAA server is
unavailable. Specify the server group name followed by LOCAL (LOCAL
is case sensitive). We recommend that you use the same username and
password in the local database as the AAA server, because the ASA prompt
does not give any indication of which method is being used.
You can alternatively use the local database as your primary method of
authentication (with no fallback) by entering LOCAL alone.

Authenticating Users with the login Command
From user EXEC mode, you can log in as any username in the local database using the login command.
This feature allows users to log in with their own username and password to access privileged EXEC
mode, so you do not have to provide the system enable password to everyone. To allow users to access
privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the default)
through 15. If you configure local command authorization, then the user can only enter commands
assigned to that privilege level or lower. See the “Configuring Local Command Authorization” section
on page 37-23 for more information.

Caution

If you add users to the local database who can gain access to the CLI and whom you do not want to enter
privileged EXEC mode, you should configure command authorization. Without command authorization,
users can access privileged EXEC mode (and all commands) at the CLI using their own password if their
privilege level is 2 or greater (2 is the default). Alternatively, you can use a AAA server for
authentication, or you can set all local users to level 1 so you can control who can use the system enable
password to access privileged EXEC mode.
To log in as a user from the local database, enter the following command:

Command

Purpose

Logs in as a user from the local database. The ASA prompts for your
username and password. After you enter your password, the ASA places
you in the privilege level that the local database specifies.

Example:
hostname# login

Cisco ASA 5500 Series Configuration Guide using the CLI

37-20

Chapter 37

Configuring Management Access
Configuring AAA for System Administrators

Limiting User CLI and ASDM Access with Management Authorization
If you configure CLI or enable authentication, you can limit a local user, RADIUS, TACACS+, or LDAP
user (if you map LDAP attributes to RADIUS attributes) from accessing the CLI, ASDM, or the enable
command.

Note

Serial access is not included in management authorization, so if you configure the aaa authentication
serial consolecommand, then any user who authenticates can access the console port.
To limit user CLI and ASDM access, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

aaa authorization exec
authentication-server

Enables management authorization for local, RADIUS, LDAP
(mapped), and TACACS+ users. Also enables support of
administrative user privilege levels from RADIUS, which can be
used in conjunction with local command privilege levels for
command authorization. See the “Configuring Local Command
Authorization” section on page 37-23 for more information. Use
the aaa authorization exec LOCAL command to enable
attributes to be taken from the local database.

Example:
hostname(config)# aaa authorization exec
authentication-server

Cisco ASA 5500 Series Configuration Guide using the CLI

37-21

Chapter 37

Configuring Management Access

Configuring AAA for System Administrators

Command
Step 2

Purpose

To configure the user for management authorization, see the following requirements for each AAA server type or
local user:
•

RADIUS or LDAP (mapped) users—Use the IETF RADIUS numeric Service-Type attribute, which maps to one
of the following values:
– Service-Type 6 (Administrative)—Allows full access to any services specified by the aaa authentication

console commands.
– Service-Type 7 (NAS prompt)—Allows access to the CLI when you configure the aaa authentication

{telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa
authentication http console command. ASDM monitoring access is allowed. If you configure enable
authentication with the aaa authentication enable console command, the user cannot access privileged
EXEC mode using the enable command.
– Service-Type 5 (Outbound)—Denies management access. The user cannot use any services specified by the

aaa authentication console commands (excluding the serial keyword; serial access is allowed). Remote
access (IPsec and SSL) users can still authenticate and terminate their remote access sessions.
Configure Cisco VSA CVPN3000-Privilege-Level with a value between 0 and 15. and then map the LDAP
attributes to Cisco VAS CVPN3000-Privilege-Level using the ldap map-attributes command. For more
information, see the “Configuring LDAP Attribute Maps” section on page 35-18.
•

TACACS+ users—Authorization is requested with “service=shell,” and the server responds with PASS or FAIL.
– PASS, privilege level 1—Allows access to ASDM, with limited read-only access to the configuration and

monitoring sections, and access for show commands that are privilege level 1 only.
– PASS, privilege level 2 and higher—Allows access to the CLI when you configure the aaa authentication

{telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa
authentication http console command. ASDM monitoring access is allowed. If you configure enable
authentication with the aaa authentication enable console command, the user cannot access privileged
EXEC mode using the enable command. You are not allowed to access privileged EXEC mode using the
enable command if your enable privilege level is set to 14 or less.
– FAIL—Denies management access. You cannot use any services specified by the aaa authentication

console commands (excluding the serial keyword; serial access is allowed).
•

Local users—Sets the service-type command. By default, the service-type is admin, which allows full access
to any services specified by the aaa authentication console command. Uses the username command to
configure local database users at a privilege level from 0 to 15. For more information, see the “Adding a User
Account to the Local Database” section on page 35-20.

Configuring Command Authorization
If you want to control access to commands, the ASA lets you configure command authorization, where
you can determine which commands that are available to a user. By default when you log in, you can
access user EXEC mode, which offers only minimal commands. When you enter the enable command
(or the login command when you use the local database), you can access privileged EXEC mode and
advanced commands, including configuration commands.
You can use one of two command authorization methods:
•

Local privilege levels

•

TACACS+ server privilege levels

Cisco ASA 5500 Series Configuration Guide using the CLI

37-22

Chapter 37

Configuring Management Access
Configuring AAA for System Administrators

For more information about command authorization, see the “Information About Command
Authorization” section on page 37-14.
This section includes the following topics:
•

Configuring Local Command Authorization, page 37-23

•

Viewing Local Command Privilege Levels, page 37-26

•

Configuring Commands on the TACACS+ Server, page 37-26

•

Configuring TACACS+ Command Authorization, page 37-29

Configuring Local Command Authorization
Local command authorization lets you assign commands to one of 16 privilege levels (0 to 15). By
default, each command is assigned either to privilege level 0 or 15. You can define each user to be at a
specific privilege level, and each user can enter any command at the assigned privilege level or below.
The ASA supports user privilege levels defined in the local database, a RADIUS server, or an LDAP
server (if you map LDAP attributes to RADIUS attributes. See the “Configuring LDAP Attribute Maps”
section on page 35-18.)

Cisco ASA 5500 Series Configuration Guide using the CLI

37-23

Chapter 37

Configuring Management Access

Configuring AAA for System Administrators

To configure local command authorization, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

privilege [show | clear | cmd] level level
[mode {enable | cmd}] command command

Assigns a command to a privilege level.
Repeat this command for each command that you want to
reassign.

Example:
hostname(config)# privilege show level 5
command filter

The options in this command are the following:
•

show | clear | cmd—These optional keywords let you set the
privilege only for the show, clear, or configure form of the
command. The configure form of the command is typically
the form that causes a configuration change, either as the
unmodified command (without the show or clear prefix) or as
the no form. If you do not use one of these keywords, all
forms of the command are affected.

•

level level—A level between 0 and 15.

•

mode {enable | configure}—If a command can be entered in
user EXEC or privileged EXEC mode as well as
configuration mode, and the command performs different
actions in each mode, you can set the privilege level for these
modes separately:
– enable—Specifies both user EXEC mode and privileged

EXEC mode.
– configure—Specifies configuration mode, accessed

using the configure terminal command.
•

Step 2

aaa authorization exec
authentication-server

Example:
hostname(config)# aaa authorization exec
authentication-server

command command—The command you are configuring.
You can only configure the privilege level of the main
command. For example, you can configure the level of all aaa
commands, but not the level of the aaa authentication
command and the aaa authorization command separately.

Supports administrative user privilege levels from RADIUS.
Enforces user-specific access levels for users who authenticate for
management access (see the aaa authentication console LOCAL
command).
Without this command, the ASA only supports privilege levels for
local database users and defaults all other types of users to level
15.
This command also enables management authorization for local,
RADIUS, LDAP (mapped), and TACACS+ users.
Use the aaa authorization exec LOCAL command to enable
attributes to be taken from the local database. See the “Limiting
User CLI and ASDM Access with Management Authorization”
section on page 37-21 for information about configuring a user on
a AAA server to accommodate management authorization.

Cisco ASA 5500 Series Configuration Guide using the CLI

37-24

Chapter 37

Configuring Management Access
Configuring AAA for System Administrators

Step 3

Command

Purpose

aaa authorization command LOCAL

Enables the use of local command privilege levels, which can be
checked with the privilege level of users in the local database,
RADIUS server, or LDAP server (with mapped attributes).

Example:
hostname(config)# aaa authorization
command LOCAL

When you set command privilege levels, command authorization
does not occur unless you configure command authorization with
this command.

Examples
The filter command has the following forms:
•

filter (represented by the configure option)

•

show running-config filter

•

clear configure filter

You can set the privilege level separately for each form, or set the same privilege level for all forms by
omitting this option. The following example shows how to set each form separately:
hostname(config)# privilege show level 5 command filter
hostname(config)# privilege clear level 10 command filter
hostname(config)# privilege cmd level 10 command filter

Alternatively, the following example shows how to set all filter commands to the same level:
hostname(config)# privilege level 5 command filter

The show privilege command separates the forms in the display.
The following example shows the use of the mode keyword. The enable command must be entered from
user EXEC mode, while the enable password command, which is accessible in configuration mode,
requires the highest privilege level:
hostname(config)# privilege cmd level 0 mode enable command enable
hostname(config)# privilege cmd level 15 mode cmd command enable
hostname(config)# privilege show level 15 mode cmd command enable

The following example shows an additional command, the configure command, which uses the mode
keyword:
hostname(config)#
hostname(config)#
hostname(config)#
hostname(config)#

Note

privilege
privilege
privilege
privilege

show level 5 mode cmd command configure
clear level 15 mode cmd command configure
cmd level 15 mode cmd command configure
cmd level 15 mode enable command configure

This last line is for the configure terminal command.

Cisco ASA 5500 Series Configuration Guide using the CLI

37-25

Chapter 37

Configuring Management Access

Configuring AAA for System Administrators

Viewing Local Command Privilege Levels
The following commandslet you view privilege levels for commands.
Command

Purpose

show running-config all privilege all

Shows all commands.

show running-config privilege level level

Shows commands for a specific level. The level is an integer between 0
and 15.

show running-config privilege command
command

Shows the level of a specific command.

Examples
For the show running-config all privilege all command, the ASA displays the current assignment of
each CLI command to a privilege level. The following is sample output from this command:
hostname(config)# show running-config all privilege all
privilege show level 15 command aaa
privilege clear level 15 command aaa
privilege configure level 15 command aaa
privilege show level 15 command aaa-server
privilege clear level 15 command aaa-server
privilege configure level 15 command aaa-server
privilege show level 15 command access-group
privilege clear level 15 command access-group
privilege configure level 15 command access-group
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list
privilege show level 15 command activation-key
privilege configure level 15 command activation-key
....

The following example displays the command assignments for privilege level 10:
hostname(config)# show running-config privilege level 10
privilege show level 10 command aaa

The following example displays the command assignments for the access-list command:
hostname(config)# show running-config privilege command access-list
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list

Configuring Commands on the TACACS+ Server
You can configure commands on a Cisco Secure Access Control Server (ACS) TACACS+ server as a
shared profile component, for a group, or for individual users. For third-party TACACS+ servers, see
your server documentation for more information about command authorization support.
See the following guidelines for configuring commands in Cisco Secure ACS Version 3.1; many of these
guidelines also apply to third-party servers:
•

The ASA sends the commands to be authorized as shell commands, so configure the commands on
the TACACS+ server as shell commands.

Cisco ASA 5500 Series Configuration Guide using the CLI

37-26

Chapter 37

Configuring Management Access
Configuring AAA for System Administrators

Note

•

Cisco Secure ACS might include a command type called “pix-shell.” Do not use this type for
ASA command authorization.
The first word of the command is considered to be the main command. All additional words are
considered to be arguments, which need to be preceded by permit or deny.
For example, to allow the show running-configuration aaa-server command, add show
running-configuration to the command field, and type permit aaa-server in the arguments field.

•

You can permit all arguments of a command that you do not explicitly deny by checking the Permit
Unmatched Args check box.
For example, you can configure just the show command, and then all the show commands are
allowed. We recommend using this method so that you do not have to anticipate every variant of a
command, including abbreviations and ?, which shows CLI usage (see Figure 37-1).

Figure 37-1

•

For commands that are a single word, you must permit unmatched arguments, even if there are no
arguments for the command, for example enable or help (see Figure 37-2).

Figure 37-2

•

Permitting All Related Commands

Permitting Single Word Commands

To disallow some arguments, enter the arguments preceded by deny.

Cisco ASA 5500 Series Configuration Guide using the CLI

37-27

Chapter 37

Configuring Management Access

Configuring AAA for System Administrators

For example, to allow enable, but not enable password, enter enable in the commands field, and
deny password in the arguments field. Be sure to check the Permit Unmatched Args check box so
that enable alone is still allowed (see Figure 37-3).
Figure 37-3

•

Disallowing Arguments

When you abbreviate a command at the command line, the ASA expands the prefix and main
command to the full text, but it sends additional arguments to the TACACS+ server as you enter
them.
For example, if you enter sh log, then the ASA sends the entire command to the TACACS+ server,
show logging. However, if you enter sh log mess, then the ASA sends show logging mess to the
TACACS+ server, and not the expanded command show logging message. You can configure
multiple spellings of the same argument to anticipate abbreviations (see Figure 37-4).

Figure 37-4

•

Specifying Abbreviations

We recommend that you allow the following basic commands for all users:
– show checksum
– show curpriv
– enable
– help
– show history

Cisco ASA 5500 Series Configuration Guide using the CLI

37-28

Chapter 37

Configuring Management Access
Configuring AAA for System Administrators

– login
– logout
– pager
– show pager
– clear pager
– quit
– show version

Configuring TACACS+ Command Authorization
If you enable TACACS+ command authorization, and a user enters a command at the CLI, the ASA
sends the command and username to the TACACS+ server to determine if the command is authorized.
Before you enable TACACS+ command authorization, be sure that you are logged into the ASA as a user
that is defined on the TACACS+ server, and that you have the necessary command authorization to
continue configuring the ASA. For example, you should log in as an admin user with all commands
authorized. Otherwise, you could become unintentionally locked out.
Do not save your configuration until you are sure that it works the way you want. If you get locked out
because of a mistake, you can usually recover access by restarting the ASA. If you still get locked out,
see the “Recovering from a Lockout” section on page 37-31.
Be sure that your TACACS+ system is completely stable and reliable. The necessary level of reliability
typically requires that you have a fully redundant TACACS+ server system and fully redundant
connectivity to the ASA. For example, in your TACACS+ server pool, include one server connected to
interface 1, and another to interface 2. You can also configure local command authorization as a fallback
method if the TACACS+ server is unavailable. In this case, you need to configure local users and
command privilege levels according to procedures listed in the “Configuring Command Authorization”
section on page 37-22.
To configure TACACS+ command authorization, enter the following command:

Detailed Steps

Command

Purpose

aaa authorization command
tacacs+_server_group [LOCAL]

Performs command authorization using a TACACS+ server.

Example:
hostname(config)# aaa authorization
command group_1 LOCAL

You can configure the ASA to use the local database as a fallback method
if the TACACS+ server is unavailable. To enable fallback, specify the
server group name followed by LOCAL (LOCAL is case sensitive). We
recommend that you use the same username and password in the local
database as the TACACS+ server because the ASA prompt does not give
any indication which method is being used. Be sure to configure users in
the local database (see the “Adding a User Account to the Local Database”
section on page 35-20) and command privilege levels (see the
“Configuring Local Command Authorization” section on page 37-23).

Cisco ASA 5500 Series Configuration Guide using the CLI

37-29

Chapter 37

Configuring Management Access

Configuring AAA for System Administrators

Configuring Management Access Accounting
You can send accounting messages to the TACACS+ accounting server when you enter any command
other than show commands at the CLI. You can configure accounting when users log in, when they enter
the enable command, or when they issue commands.
For command accounting, you can only use TACACS+ servers.
To configure management access and enable command accounting, perform the following steps:

Detailed Steps

Step 1

Command

Purpose

aaa accounting {serial | telnet | ssh |
enable} console server-tag

Enables support for AAA accounting for administrative access.
Valid server group protocols are RADIUS and TACACS+.

Example:
hostname(config)# aaa accounting telnet
console group_1

Step 2

aaa accounting command [privilege level]
server-tag

Enables command accounting. Only TACACS+ servers support
command accounting.

Example:

Where privilege level is the minimum privilege level and
server-tag is the name of the TACACS+ server group to which
the ASA should send command accounting messages.

hostname(config)# aaa accounting command
privilege 15 group_1

Viewing the Currently Logged-In User
To view the current logged-in user, enter the following command:
hostname# show curpriv

The following is sample output from the show curpriv command:
hostname# show curpriv
Username: admin
Current privilege level: 15
Current Mode/s: P_PRIV

Table 37-1 describes the show curpriv command output.
Table 37-1

show curpriv Command Output Description

Field

Description

Username

Username. If you are logged in as the default user, the name is enable_1 (user
EXEC) or enable_15 (privileged EXEC).

Cisco ASA 5500 Series Configuration Guide using the CLI

37-30

Chapter 37

Configuring Management Access
Configuring AAA for System Administrators

Table 37-1

show curpriv Command Output Description (continued)

Field

Description

Current privilege level Levels range from 0 to 15. Unless you configure local command authorization
and assign commands to intermediate privilege levels, levels 0 and 15 are the
only levels that are used.
Current Mode/s

The available access modes are the following:
•

P_UNPR—User EXEC mode (levels 0 and 1)

•

P_PRIV—Privileged EXEC mode (levels 2 to 15)

•

P_CONF—Configuration mode

Recovering from a Lockout
In some circumstances, when you turn on command authorization or CLI authentication, you can be
locked out of the ASA CLI. You can usually recover access by restarting the ASA. However, if you
already saved your configuration, you might be locked out. Table 37-2 lists the common lockout
conditions and how you might recover from them.
Table 37-2

CLI Authentication and Command Authorization Lockout Scenarios

Feature

Lockout Condition Description

Local CLI
authentication

No users in the
local database

If you have no users in Log in and reset the
the local database, you passwords and aaa
cannot log in, and you commands.
cannot add any users.

TACACS+
command
authorization

Server down or
unreachable and
you do not have
the fallback
method
configured

If the server is
unreachable, then you
cannot log in or enter
any commands.

TACACS+ CLI
authentication
RADIUS CLI
authentication

Workaround: Single Mode

Configure the local
database as a fallback
method so you do not
get locked out when the
server is down.

Workaround: Multiple Mode
Session into the ASA from
the switch. From the system
execution space, you can
change to the context and
add a user.
1.

If the server is
unreachable because the
network configuration
is incorrect on the ASA,
session into the ASA
from the switch. From
the system execution
space, you can change
to the context and
reconfigure your
network settings.

Configure the local
database as a fallback
method so you do not
get locked out when the
server is down.

Cisco ASA 5500 Series Configuration Guide using the CLI

37-31

Chapter 37

Configuring Management Access

Configuring AAA for System Administrators

Table 37-2

CLI Authentication and Command Authorization Lockout Scenarios (continued)

Feature

Lockout Condition Description

TACACS+
command
authorization

You are logged in
as a user without
enough privileges
or as a user that
does not exist

Local command
authorization

You are logged in You enable command Log in and reset the
as a user without authorization, but then passwords and aaa
commands.
enough privileges find that the user
cannot enter any more
commands.

You enable command
authorization, but then
find that the user
cannot enter any more
commands.

Workaround: Single Mode

Workaround: Multiple Mode

Fix the TACACS+ server
user account.

Session into the ASA from
the switch. From the system
execution space, you can
change to the context and
complete the configuration
changes. You can also
disable command
authorization until you fix
the TACACS+
configuration.

If you do not have access to
the TACACS+ server and
you need to configure the
ASA immediately, then log
into the maintenance
partition and reset the
passwords and aaa
commands.

Session into the ASA from
the switch. From the system
execution space, you can
change to the context and
change the user level.

Setting a Management Session Quota
An administrator can establish a maximum number of simultaneous management sessions. If the
maximum is reached, no additional sessions are allowed and a syslog message is generated. To prevent
a system lockout, the management session quota mechanism cannot block a console session.
To set a management session maximum, enter the following command:
Command

Purpose

quota management-session number

Sets the maximum number of simultaneous ASDM, SSH, and
Telnet sessions that are allowed on the ASA. The no form of
this command sets the quota value to 0, which means that
there is no session limit.

Example:
hostname(config)# quota management-session 1000

Cisco ASA 5500 Series Configuration Guide using the CLI

37-32

Chapter 37

Configuring Management Access
Feature History for Management Access

Feature History for Management Access
Table 37-3 lists each feature change and the platform release in which it was implemented.
Table 37-3

Feature History for Management Access

Feature Name

Platform
Releases

Feature Information

Management Access

7.0(1)

We introduced this feature.
We introduced the following commands:
show running-config all privilege all, show
running-config privilege level, show running-config
privilege command, telnet, telnet timeout, ssh, ssh
timeout, , http, http server enable, asdm image disk,
banner, console timeout, icmp, ipv6 icmp, management
access, aaa authentication console, aaa authentication
enable console, aaa authentication telnet | ssh console,
service-type, login, privilege, aaa authentication exec
authentication-server, aaa authentication command
LOCAL,aaa accounting serial | telnet | ssh | enable
console, show curpriv, aaa accounting command
privilege

Increased SSH security; the SSH default
username is no longer supported.

8.4(2)

Common Criteria certification and FIPS support 8.4(4.1)
for maximum number of management sessions
allowed and Diffie-Hellman Key Exchange
Group 14 support for SSH.

Starting in 8.4(2), you can no longer connect to the ASA
using SSH with the pix or asa username and the login
password. To use SSH, you must configure AAA
authentication using the aaa authentication ssh console
LOCAL command (CLI) or Configuration > Device
Management > Users/AAA > AAA Access >
Authentication (ASDM); then define a local user by
entering the username command (CLI) or choosing
Configuration > Device Management > Users/AAA > User
Accounts (ASDM). If you want to use a AAA server for
authentication instead of the local database, we recommend
also configuring local authentication as a backup method.
The maximum number of simultaneous ASDM, SSH, and
Telnet sessions allowed was added. Support for
Diffie-Hellman Key Exchange Group 14 for SSH was
added.
We introduced or modified the following commands: quota
management-session, show running-config quota
management-session, show quota management-session,
ssh.

Cisco ASA 5500 Series Configuration Guide using the CLI

37-33

Chapter 37
Feature History for Management Access

Cisco ASA 5500 Series Configuration Guide using the CLI

37-34

Configuring Management Access

CH A P T E R

Configuring AAA Rules for Network Access
This chapter describes how to enable AAA (pronounced “triple A”) for network access.
For information about AAA for management access, see the “Configuring AAA for System
Administrators” section on page 37-13.
This chapter includes the following sections:
•

AAA Performance, page 38-1

•

Licensing Requirements for AAA Rules, page 38-1

•

Guidelines and Limitations, page 38-2

•

Configuring Authentication for Network Access, page 38-2

•

Configuring Authorization for Network Access, page 38-11

•

Configuring Accounting for Network Access, page 38-18

•

Using MAC Addresses to Exempt Traffic from Authentication and Authorization, page 38-20

•

Feature History for AAA Rules, page 38-21

AAA Performance
The ASA uses “cut-through proxy” to significantly improve performance compared to a traditional
proxy server. The performance of a traditional proxy server suffers because it analyzes every packet at
the application layer of the OSI model. The ASA cut-through proxy challenges a user initially at the
application layer and then authenticates with standard AAA servers or the local database. After the ASA
authenticates the user, it shifts the session flow, and all traffic flows directly and quickly between the
source and destination while maintaining session state information.

Licensing Requirements for AAA Rules
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Cisco ASA 5500 Series Configuration Guide using the CLI

38-1

Chapter 38

Configuring AAA Rules for Network Access

Guidelines and Limitations

Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines

Supported in routed and transparent firewall mode.
IPv6 Guidelines

Supports IPv6.

Configuring Authentication for Network Access
This section includes the following topics:
•

Information About Authentication, page 38-2

•

Configuring Network Access Authentication, page 38-4

•

Enabling Secure Authentication of Web Clients, page 38-6

•

Authenticating Directly with the ASA, page 38-7

Information About Authentication
The ASA lets you configure network access authentication using AAA servers. This section includes the
following topics:
•

One-Time Authentication, page 38-2

•

Applications Required to Receive an Authentication Challenge, page 38-2

•

ASA Authentication Prompts, page 38-3

•

Static PAT and HTTP, page 38-4

One-Time Authentication
A user at a given IP address only needs to authenticate one time for all rules and types, until the
authentication session expires. (See the timeout uauth command in the command reference for timeout
values.) For example, if you configure the ASA to authenticate Telnet and FTP, and a user first
successfully authenticates for Telnet, then as long as the authentication session exists, the user does not
also have to authenticate for FTP.

Applications Required to Receive an Authentication Challenge
Although you can configure the ASA to require authentication for network access to any protocol or
service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first
authenticate with one of these services before the ASA allows other traffic requiring authentication.
The authentication ports that the ASA supports for AAA are fixed as follows:

Cisco ASA 5500 Series Configuration Guide using the CLI

38-2

Chapter 38

Configuring AAA Rules for Network Access
Configuring Authentication for Network Access

•

Port 21 for FTP

•

Port 23 for Telnet

•

Port 80 for HTTP

•

Port 443 for HTTPS

ASA Authentication Prompts
For Telnet and FTP, the ASA generates an authentication prompt.
For HTTP, the ASA uses basic HTTP authentication by default, and provides an authentication prompt.
You can optionally configure the ASA to redirect users to an internal web page where they can enter their
username and password (configured with the aaa authentication listener command).
For HTTPS, the ASA generates a custom login screen. You can optionally configure the ASA to redirect
users to an internal web page where they can enter their username and password (configured with the
aaa authentication listener command).
Redirection is an improvement over the basic method because it provides an improved user experience
when authenticating, and an identical user experience for HTTP and HTTPS in both Easy VPN and
firewall modes. It also supports authenticating directly with the ASA.
You might want to continue to use basic HTTP authentication for the following reasons:
•

You do not want the ASA to open listening ports.

•

You use NAT on a router and you do not want to create a translation rule for the web page served by
the ASA.

•

Basic HTTP authentication might work better with your network.

For example non-browser applications, as when a URL is embedded in e-mail, might be more compatible
with basic authentication.
After you authenticate correctly, the ASA redirects you to your original destination. If the destination
server also has its own authentication, the user enters another username and password. If you use basic
HTTP authentication and need to enter another username and password for the destination server, then
you need to configure the virtual http command.

Note

If you use HTTP authentication, by default the username and password are sent from the client to the
ASA in clear text; in addition, the username and password are sent on to the destination web server as
well. See the “Enabling Secure Authentication of Web Clients” section on page 38-6 for information to
secure your credentials.
For FTP, a user has the option of entering the ASA username followed by an at sign (@) and then the
FTP username (name1@name2). For the password, the user enters the ASA password followed by an at
sign (@) and then the FTP password (password1@password2). For example, enter the following text:
name> name1@name2
password> password1@password2

This feature is useful when you have cascaded firewalls that require multiple logins. You can separate
several names and passwords by multiple at signs (@).

Cisco ASA 5500 Series Configuration Guide using the CLI

38-3

Chapter 38

Configuring AAA Rules for Network Access

Configuring Authentication for Network Access

Static PAT and HTTP
For HTTP authentication, the ASA checks real ports when static PAT is configured. If it detects traffic
destined for real port 80, regardless of the mapped port, the ASA intercepts the HTTP connection and
enforces authentication.
For example, assume that outside TCP port 889 is translated to port 80 and that any relevant access lists
permit the traffic:
object network obj-192.168.123.10-01
host 192.168.123.10
nat (inside,outside) static 10.48.66.155 service tcp 80 889

Then when users try to access 10.48.66.155 on port 889, the ASA intercepts the traffic and enforces
HTTP authentication. Users see the HTTP authentication page in their web browsers before the ASA
allows HTTP connection to complete.
If the local port is different than port 80, as in the following example:
object network obj-192.168.123.10-02
host 192.168.123.10
nat (inside,outside) static 10.48.66.155 service tcp 111 889

Then users do not see the authentication page. Instead, the ASA sends an error message to the web
browser indicating that the user must be authenticated before using the requested service.

Configuring Network Access Authentication
To configure network access authentication, perform the following steps:

Step 1

Command

Purpose

aaa-server

Identifies your AAA servers. If you have already
identified them, continue to the next step. For more
information about identifying AAA servers, see the
“Configuring AAA Server Groups” section on
page 35-11.

Example:
hostname(config)# aaa-server AuthOutbound protocol
tacacs+

Step 2

access-list

Example:
hostname(config)# access-list MAIL_AUTH extended
permit tcp any any eq smtp

Cisco ASA 5500 Series Configuration Guide using the CLI

38-4

Chapter 38

Configuring AAA Rules for Network Access
Configuring Authentication for Network Access

Step 3

Command

Purpose

aaa authentication match acl_name interface_name
server_group

Configures authentication.

Example:
hostname(config)# aaa authentication match MAIL_AUTH
inside AuthOutbound

The acl_name argument is the name of the access
list that you created in Step 2. The interface_name
argument is the name of the interface specified with
the nameif command. The server_group argument is
the AAA server group that you created in Step 1.
Note

Step 4

You can alternatively use the aaa
authentication include command (which
identifies traffic within the command).
However, you cannot use both methods in
the same configuration. See the command
reference for more information.

(Optional) Enables the redirection method of
authentication for HTTP or HTTPS connections.

aaa authentication listener http[s] interface_name
[port portnum] redirect

Example:
hostname(config)# aaa authentication listener http
inside redirect

You can use any port number and retain the same
functionality, but be sure your direct authentication
users know the port number; redirected traffic is sent
to the correct port number automatically, but direct
authenticators must specify the port number
manually.
Enter this command separately for HTTP and for
HTTPS.
Step 5

aaa local authentication attempts max-fail number

Example:
hostname(config)# aaa local authentication attempts
max-fail 7

(Optional) Uses the local database for network
access authentication and limits the number of
consecutive failed login attempts that the ASA
allows any given user account (with the exception of
users with a privilege level of 15. This feature does
not affect level 15 users). The number argument
value is between 1 and 16.
Tip

To clear the lockout status of a specific user
or all users, use the clear aaa local user
lockout command.

Examples
The following example authenticates all inside HTTP traffic and SMTP traffic:
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq smtp
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq www
hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound

Cisco ASA 5500 Series Configuration Guide using the CLI

38-5

Chapter 38

Configuring AAA Rules for Network Access

Configuring Authentication for Network Access

hostname(config)# aaa authentication listener http inside redirect

The following example authenticates Telnet traffic from the outside interface to a particular server
(209.165.201.5):
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list TELNET_AUTH extended permit tcp any host 209.165.201.5 eq
telnet
hostname(config)# aaa authentication match TELNET_AUTH outside AuthInbound

For more information about authentication, see the “Information About Authentication” section on
page 38-2.

Enabling Secure Authentication of Web Clients
If you use HTTP authentication, by default the username and password are sent from the client to the
ASA in clear text; in addition, the username and password are sent to the destination web server as well.
The ASA provides the following methods for securing HTTP authentication:
•

Enable the redirection method of authentication for HTTP—Use the aaa authentication listener
command with the redirect keyword. This method prevents the authentication credentials from
continuing to the destination server. See the “ASA Authentication Prompts” section on page 38-3
for more information about the redirection method compared to the basic method.

•

Enable virtual HTTP—Use the virtual http command to authenticateseparately with the ASA and
with the HTTP server. Even if the HTTP server does not need a second authentication, this command
achieves the effect of stripping the basic authentication credentials from the HTTP GET request. See
the “Authenticating HTTP(S) Connections with a Virtual Server” section on page 38-8 for more
information.
Enable the exchange of usernames and passwords between a web client and the ASA with
HTTPS—Use the aaa authentication secure-http-client command to enable the exchange of
usernames and passwords between a web client and the ASA with HTTPS. This is the only method
that protects credentials between the client and the ASA, as well as between the ASA and the
destination server. You can use this method alone, or in conjunction with either of the other methods
so you can maximize your security.
After enabling this feature, when a user requires authentication when using HTTP, the ASA redirects
the HTTP user to an HTTPS prompt. After you authenticate correctly, the ASA redirects you to the
original HTTP URL.
Secured, web-client authentication has the following limitations:
– A maximum of 16 concurrent HTTPS authentication sessions are allowed. If all 16 HTTPS

authentication processes are running, a new connection requiring authentication will not
succeed.
– When uauth timeout 0 is configured (the uauth timeout is set to 0),HTTPS authentication

might not work. If a browser initiates multiple TCP connections to load a web page after HTTPS
authentication, the first connection is let through, but the subsequent connections trigger
authentication. As a result, users are continuously presented with an authentication page, even
if the correct username and password are entered each time. To work around this, set the uauth

Cisco ASA 5500 Series Configuration Guide using the CLI

38-6

Chapter 38

Configuring AAA Rules for Network Access
Configuring Authentication for Network Access

timeout to 1 second with the timeout uauth 0:0:1 command. However, this workaround opens
a 1-second window of opportunity that might allow unauthenticated users to go through the
firewall if they are coming from the same source IP address.
Because HTTPS authentication occurs on the SSL port 443, users must not configure an access-list
command statement to block traffic from the HTTP client to the HTTP server on port 443. Furthermore,
if static PAT is configured for web traffic on port 80, it must also be configured for the SSL port.
– In the following example, the first set of commands configures static PAT for web traffic, and

the second set of commands must be added to support the HTTPS authentication configuration:
object network obj-10.130.16.10-01
host 10.130.16.10
nat (inside,outside) static 10.132.16.200 service tcp 80 80
object network obj-10.130.16.10-02
host 10.130.16.10
nat (inside,outside) static 10.132.16.200 service tcp 443 443

Authenticating Directly with the ASA
If you do not want to allow HTTP, HTTPS, Telnet, or FTP through the ASA but want to authenticate
other types of traffic, you can authenticate with the ASA directly using HTTP, HTTPS, or Telnet.
This section includes the following topics:
•

Authenticating HTTP(S) Connections with a Virtual Server, page 38-8

•

Authenticating Telnet Connections with a Virtual Server, page 38-9

Cisco ASA 5500 Series Configuration Guide using the CLI

38-7

Chapter 38

Configuring AAA Rules for Network Access

Configuring Authentication for Network Access

Authenticating HTTP(S) Connections with a Virtual Server
If you enabled the redirection method of HTTP and HTTPS authentication in the “Configuring Network
Access Authentication” section on page 38-4, then you have also automatically enabled direct
authentication.
When you use HTTP authentication on the ASA (see the“Configuring Network Access Authentication”
section on page 38-4), the ASA uses basic HTTP authentication by default.
To continue to use basic HTTP authentication, and to enable direct authentication for HTTP and HTTPS,
enter the following command:
Command

Purpose

aaa authentication listener http[s] interface_name
[port portnum] redirect

(Optional) Enables the redirection method of authentication
for HTTP or HTTPS connections.

Example:
hostname(config)# aaa authentication listener http
inside redirect

The interface_name argument is the interface on which you
want to enable listening ports. The port portnum argument
specifies the port number on which the ASA listens; the
defaults are 80 (HTTP) and 443 (HTTPS).
You can use any port number and retain the same functionality,
but be sure your direct authentication users know the port
number; redirected traffic is sent to the correct port number
automatically, but direct authenticators must specify the port
number manually.
Enter this command separately for HTTP and for HTTPS.

If the destination HTTP server requires authentication in addition to the ASA, then to authenticate
separately with the ASA (via a AAA server) and with the HTTP server, enter the following command:

Cisco ASA 5500 Series Configuration Guide using the CLI

38-8

Chapter 38

Configuring AAA Rules for Network Access
Configuring Authentication for Network Access

Command

Purpose

virtual http

Redirects all HTTP connections that require AAA
authentication to the virtual HTTP server on the ASA. The
ASA prompts for the AAA server username and password.
After the AAA server authenticates the user, the ASA redirects
the HTTP connection back to the original server, but it does
not include the AAA server username and password. Because
the username and password are not included in the HTTP
packet, the HTTP server prompts the user separately for the
HTTP server username and password.

Example:
hostname(config)# virtual http

For inbound users (from lower security to higher security),
you must also include the virtual HTTP address as a
destination interface in the access list applied to the source
interface. In addition, you must add a static NAT command for
the virtual HTTP IP address, even if NAT is not required. An
identity NAT command is typically used (where you translate
the address to itself).
For outbound users, there is an explicit permit for traffic, but
if you apply an access list to an inside interface, be sure to
allow access to the virtual HTTP address. A static statement is
not required.
Note

Do not set the timeout uauth command duration to 0
seconds when using the virtual http command,
because this setting prevents HTTP connections to the
actual web server.

You can authenticate directly with the ASA at the following
URLs when you enable AAA for the interface:
http://interface_ip[:port]/netaccess/connstatus.html
https://interface_ip[:port]/netaccess/connstatus.html

Without virtual HTTP, the same username and password that
you used to authenticate with the ASA are sent to the HTTP
server; you are not prompted separately for the HTTP server
username and password. Assuming the username and
password are not the same for the AAA and HTTP servers,
then the HTTP authentication fails.

Authenticating Telnet Connections with a Virtual Server
Although you can configure network access authentication for any protocol or service (see the aaa
authentication match or aaa authentication include command), you can authenticate directly with
HTTP, Telnet, or FTP only. A user must first authenticate with one of these services before other traffic
that requires authentication is allowed through. If you do not want to allow HTTP, Telnet, or FTP traffic
through the ASA, but want to authenticate other types of traffic, you can configure virtual Telnet; the
user Telnets to a given IP address configured on the ASA, and the ASA issues a Telnet prompt.
To configure a virtual Telnet server, enter the following command:

Cisco ASA 5500 Series Configuration Guide using the CLI

38-9

Chapter 38

Configuring AAA Rules for Network Access

Configuring Authentication for Network Access

Command

Purpose

virtual telnet ip_address

Configures a virtual Telnet server.

Example:

The ip_address argument sets the IP address for the virtual
Telnet server. Make sure this address is an unused address that
is routed to the ASA.

hostname(config)# virtual telnet 209.165.202.129

You must configure authentication for Telnet access to the
virtual Telnet address as well as the other services that you
want to authenticate using the authentication match or aaa
authentication include command.
When an unauthenticated user connects to the virtual Telnet IP
address, the user is challenged for a username and password,
and then authenticated by the AAA server. Once authenticated,
the user sees the message “Authentication Successful.” Then,
the user can successfully access other services that require
authentication.
For inbound users (from lower security to higher security),
you must also include the virtual Telnet address as a
destination interface in the access list applied to the source
interface. In addition, you must add a static NAT command for
the virtual Telnet IP address, even if NAT is not required. An
identity NAT command is typically used (where you translate
the address to itself).
For outbound users, there is an explicit permit for traffic, but
if you apply an access list to an inside interface, be sure to
allow access to the virtual Telnet address. A static statement is
not required.
To log out from the ASA, reconnect to the virtual Telnet IP
address; you are then prompted to log out.

Examples
The following example shows how to enable virtual Telnet together with AAA authentication for other
services:
hostname(config)# virtual telnet 209.165.202.129
hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.200.225 eq smtp
hostname(config)# access-list ACL-IN remark This is the SMTP server on the inside
hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.202.129 eq
telnet
hostname(config)# access-list ACL-IN remark This is the virtual Telnet address
hostname(config)# access-group ACL-IN in interface outside
hostname(config)# network object obj-209.165.202.129-01
hostname(config-network-object)# host 209.165.202.129
hostname(config-network-object)# nat (inside,outside) static 209.165.202.129
hostname(config)# access-list AUTH extended permit tcp any host 209.165.200.225 eq smtp
hostname(config)# access-list AUTH remark This is the SMTP server on the inside
hostname(config)# access-list AUTH extended permit tcp any host 209.165.202.129 eq telnet
hostname(config)# access-list AUTH remark This is the virtual Telnet address
hostname(config)# aaa authentication match AUTH outside tacacs+

Cisco ASA 5500 Series Configuration Guide using the CLI

38-10

Chapter 38

Configuring AAA Rules for Network Access
Configuring Authorization for Network Access

Configuring Authorization for Network Access
After a user authenticates for a given connection, the ASA can use authorization to further control traffic
from the user.
This section includes the following topics:
•

Configuring TACACS+ Authorization, page 38-11

•

Configuring RADIUS Authorization, page 38-14

Configuring TACACS+ Authorization
You can configure the ASA to perform network access authorization with TACACS+. You identify the
traffic to be authorized by specifying access lists that authorization rules must match. Alternatively, you
can identify the traffic directly in authorization rules themselves.

Tip

Using access lists to identify traffic to be authorized can greatly reduced the number of authorization
commands that you must enter. This is because each authorization rule that you enter can specify only
one source and destination subnet and service, whereas an access list can include many entries.
Authentication and authorization statements are independent; however, any unauthenticated traffic
matched by an authorization rule will be denied. For authorization to succeed:
1.

A user must first authenticate with the ASA.
Because a user at a given IP address only needs to authenticate one time for all rules and types, if
the authentication session has not expired, authorization can occur even if the traffic is not matched
by an authentication rule.

After a user authenticates, the ASA checks the authorization rules for matching traffic.

If the traffic matches the authorization rule, the ASA sends the username to the TACACS+ server.

The TACACS+ server responds to the ASA with a permit or a deny for that traffic, based on the user
profile.

The ASA enforces the authorization rule in the response.

See the documentation for your TACACS+ server for information about configuring network access
authorizations for a user.
To configure TACACS+ authorization, perform the following steps:

Cisco ASA 5500 Series Configuration Guide using the CLI

38-11

Chapter 38

Configuring AAA Rules for Network Access

Configuring Authorization for Network Access

Step 1

Command

Purpose

aaa-server

Example:
hostname(config)# aaa-server AuthOutbound protocol
tacacs+

Step 2

access-list

Example:
hostname(config)# access-list MAIL_AUTH extended
permit tcp any any eq smtp

Step 3

aaa authentication match acl_name interface_name
server_group

Example:
hostname(config)# aaa authentication match MAIL_AUTH
inside AuthOutbound

Creates an access list that identifies the source
addresses and destination addresses of traffic you
want to authenticate. For details, see Chapter 15,
“Adding an Extended Access List.”
The permit ACEs mark matching traffic for
authentication, while deny entries exclude matching
traffic from authentication. Be sure to include the
destination ports for either HTTP, HTTPS, Telnet, or
FTP in the access list, because the user must
authenticate with one of these services before other
services are allowed through the ASA.
Configures authentication. The acl_name argument
is the name of the access list that you created in Step
2., The interface_name argument is the name of the
interface specified with the nameif command, and
the server_group argument is the AAA server group
that you created in Step 1.
Note

Step 4

aaa authentication listener http[s] interface_name
[port portnum] redirect

Example:
hostname(config)# aaa authentication listener http
inside redirect

(Optional) Enables the redirection method of
authentication for HTTP or HTTPS connections.
The interface_name argument is the interface on
which you want to enable listening ports. The port
portnum argument specifies the port number on
which the ASA listens; the defaults are 80 (HTTP)
and 443 (HTTPS).
You can use any port number and retain the same
functionality, but be sure your direct authentication
users know the port number; redirected traffic is sent
to the correct port number automatically, but direct
authenticators must specify the port number
manually.
Enter this command separately for HTTP and for
HTTPS.

Cisco ASA 5500 Series Configuration Guide using the CLI

38-12

Chapter 38

Configuring AAA Rules for Network Access
Configuring Authorization for Network Access

Step 5

Command

Purpose

aaa local authentication attempts max-fail number

Example:
hostname(config)# aaa local authentication attempts
max-fail 7

Tip

Step 6

Create an access list that identifies the source
addresses and destination addresses of traffic that
you want to authorize. For instructions, see
Chapter 15, “Adding an Extended Access List.”

access-list

Example:
hostname(config)# access-list TELNET_AUTH extended
permit tcp any any eq telnet

The permit ACEs mark matching traffic for
authorization, while deny entries exclude matching
traffic from authorization. The access list that you
use for authorization matching should include rules
that are equal to or a subset of the rules in the access
list used for authentication matching.
Note

Step 7

To clear the lockout status of a specific user
or all users, use the clear aaa local user
lockout command.

If you have configured authentication and
want to authorize all the traffic being
authenticated, you can use the same access
list that you created for use with the aaa
authentication match command.

Enables authorization.

aaa authorization match acl_name interface_name
server_group

The acl_name argument is the name of the access
list you created in Step 6, the interface_name
argument is the name of the interface as specified
with the nameif command or by default, and the
server_group argument is the AAA server group that
you created when you enabled authentication.

Example:
hostname(config)# aaa authentication match
TELNET_AUTH inside AuthOutbound

Note

Alternatively, you can use the aaa
authorization include command (which
identifies traffic within the command) but
you cannot use both methods in the same
configuration. See the command reference
for more information.

Examples
The following example authenticates and authorizes inside Telnet traffic. Telnet traffic to servers other
than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization.
hostname(config)# access-list TELNET_AUTH
hostname(config)# access-list SERVER_AUTH
telnet
hostname(config)# aaa-server AuthOutbound
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound

extended permit tcp any any eq telnet
extended permit tcp any host 209.165.201.5 eq
protocol tacacs+
(inside) host 10.1.1.1

Cisco ASA 5500 Series Configuration Guide using the CLI

38-13

Chapter 38

Configuring AAA Rules for Network Access

Configuring Authorization for Network Access

hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound

Configuring RADIUS Authorization
When authentication succeeds, the RADIUS protocol returns user authorizations in the access-accept
message sent by a RADIUS server. For more information about configuring authentication, see the
“Configuring Network Access Authentication” section on page 38-4.
When you configure the ASA to authenticate users for network access, you are also implicitly enabling
RADIUS authorizations; therefore, this section contains no information about configuring RADIUS
authorization on the ASA. It does provide information about how the ASA handles access list
information received from RADIUS servers.
You can configure a RADIUS server to download an access list to the ASA or an access list name at the
time of authentication. The user is authorized to do only what is permitted in the user-specific access list.

Note

If you have used the access-group command to apply access lists to interfaces, be aware of the following
effects of the per-user-override keyword on authorization by user-specific access lists:
•

Without the per-user-override keyword, traffic for a user session must be permitted by both the
interface access list and the user-specific access list.

•

With the per-user-override keyword, the user-specific access list determines what is permitted.

For more information, see the access-group command entry in the command reference.

This section includes the following topics:
•

Configuring a RADIUS Server to Send Downloadable Access Control Lists, page 38-14

•

Configuring a RADIUS Server to Download Per-User Access Control List Names, page 38-18

Configuring a RADIUS Server to Send Downloadable Access Control Lists
This section describes how to configure Cisco Secure ACS or a third-party RADIUS server and includes
the following topics:
•

About the Downloadable Access List Feature and Cisco Secure ACS, page 38-14

•

Configuring Cisco Secure ACS for Downloadable Access Lists, page 38-16

•

Configuring Any RADIUS Server for Downloadable Access Lists, page 38-17

•

Converting Wildcard Netmask Expressions in Downloadable Access Lists, page 38-18

About the Downloadable Access List Feature and Cisco Secure ACS
Downloadable access lists is the most scalable means of using Cisco Secure ACS to provide the
appropriate access lists for each user. It provides the following capabilities:
•

Unlimited access list size—Downloadable access lists are sent using as many RADIUS packets as
required to transport the full access list from Cisco Secure ACS to the ASA.

Cisco ASA 5500 Series Configuration Guide using the CLI

38-14

Chapter 38

Configuring AAA Rules for Network Access
Configuring Authorization for Network Access

•

Simplified and centralized management of access lists—Downloadable access lists enable you to
write a set of access lists once and apply it to many user or group profiles and distribute it to many
ASAs.

This approach is most useful when you have very large access list sets that you want to apply to more
than one Cisco Secure ACS user or group; however, its ability to simplify Cisco Secure ACS user and
group management makes it useful for access lists of any size.
The ASA receives downloadable access lists from Cisco Secure ACS using the following process:
1.

The ASA sends a RADIUS authentication request packet for the user session.

If Cisco Secure ACS successfully authenticates the user, Cisco Secure ACS returns a RADIUS
access-accept message that includes the internal name of the applicable downloadable access list.
The Cisco IOS cisco-av-pair RADIUS VSA (vendor 9, attribute 1) includes the following
attribute-value pair to identify the downloadable access list set:
ACS:CiscoSecure-Defined-ACL=acl-set-name

where acl-set-name is the internal name of the downloadable access list, which is a combination of
the name assigned to the access list by the Cisco Secure ACS administrator and the date and time
that the access list was last modified.
3.

The ASA examines the name of the downloadable access list and determines if it has previously
received the named downloadable access list.
– If the ASA has previously received the named downloadable access list, communication with

Cisco Secure ACS is complete and the ASA applies the access list to the user session. Because
the name of the downloadable access list includes the date and time that it was last modified,
matching the name sent by Cisco Secure ACS to the name of an access list previously
downloaded means that the ASA has the most recent version of the downloadable access list.
– If the ASA has not previously received the named downloadable access list, it may have an

out-of-date version of the access list or it may not have downloaded any version of the access
list. In either case, the ASA issues a RADIUS authentication request using the downloadable
access list name as the username in the RADIUS request and a null password attribute. In a
cisco-av-pair RADIUS VSA, the request also includes the following attribute-value pairs:
AAA:service=ip-admission
AAA:event=acl-download

In addition, the ASA signs the request with the Message-Authenticator attribute (IETF RADIUS
attribute 80).
4.

After receipt of a RADIUS authentication request that has a username attribute that includes the
name of a downloadable access list, Cisco Secure ACS authenticates the request by checking the
Message-Authenticator attribute. If the Message-Authenticator attribute is missing or incorrect,
Cisco Secure ACS ignores the request. The presence of the Message-Authenticator attribute
prevents malicious use of a downloadable access list name to gain unauthorized network access. The
Message-Authenticator attribute and its use are defined in RFC 2869, RADIUS Extensions,
available at http://www.ietf.org.

If the access list required is less than approximately 4 KB in length, Cisco Secure ACS responds
with an access-accept message that includes the access list. The largest access list that can fit in a
single access-accept message is slightly less than 4 KB, because part of the message must be other
required attributes.
Cisco Secure ACS sends the downloadable access list in a cisco-av-pair RADIUS VSA. The access
list is formatted as a series of attribute-value pairs that each include an ACE and are numbered
serially:
ip:inacl#1=ACE-1

Cisco ASA 5500 Series Configuration Guide using the CLI

38-15

Chapter 38

Configuring AAA Rules for Network Access

Configuring Authorization for Network Access

ip:inacl#2=ACE-2
.
.
.
ip:inacl#n=ACE-n

The following example is of an attribute-value pair:
ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0

If the access list required is more than approximately 4 KB in length, Cisco Secure ACS responds
with an access-challenge message that includes a portion of the access list, formatted as described
previously, and a State attribute (IETF RADIUS attribute 24), which includes control data used by
Cisco Secure ACS to track the progress of the download. Cisco Secure ACS fits as many complete
attribute-value pairs into the cisco-av-pair RADIUS VSA as it can without exceeding the maximum
RADIUS message size.
The ASA stores the portion of the access list received and responds with another access-request
message that includes the same attributes as the first request for the downloadable access list, plus
a copy of the State attribute received in the access-challenge message.
This process repeats until Cisco Secure ACS sends the last of the access list in an access-accept
message.

Configuring Cisco Secure ACS for Downloadable Access Lists
You can configure downloadable access lists on Cisco Secure ACS as a shared profile component and
then assign the access list to a group or to an individual user.
The access list definition consists of one or more ASA commands that are similar to the extended
access-list command (see command reference), except without the following prefix:
access-list acl_name extended

For more information about creating downloadable access lists and associating them with users, see the
user guide for your version of Cisco Secure ACS.
On the ASA, the downloaded access list has the following name:
#ACSACL#-ip-acl_name-number

Cisco ASA 5500 Series Configuration Guide using the CLI

38-16

Chapter 38

Configuring AAA Rules for Network Access
Configuring Authorization for Network Access

The acl_name argument is the name that is defined on Cisco Secure ACS (acs_ten_acl in the preceding
example), and number is a unique version ID generated by Cisco Secure ACS.
The downloaded access list on the ASA consists of the following lines:
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list

#ACSACL#-ip-asa-acs_ten_acl-3b5385f7
#ACSACL#-ip-asa-acs_ten_acl-3b5385f7
#ACSACL#-ip-asa-acs_ten_acl-3b5385f7
#ACSACL#-ip-asa-acs_ten_acl-3b5385f7
#ACSACL#-ip-asa-acs_ten_acl-3b5385f7
#ACSACL#-ip-asa-acs_ten_acl-3b5385f7
#ACSACL#-ip-asa-acs_ten_acl-3b5385f7
#ACSACL#-ip-asa-acs_ten_acl-3b5385f7
#ACSACL#-ip-asa-acs_ten_acl-3b5385f7
#ACSACL#-ip-asa-acs_ten_acl-3b5385f7

permit
permit
permit
permit
permit
permit
permit
permit
permit
permit

tcp any host 10.0.0.254
udp any host 10.0.0.254
icmp any host 10.0.0.254
tcp any host 10.0.0.253
udp any host 10.0.0.253
icmp any host 10.0.0.253
tcp any host 10.0.0.252
udp any host 10.0.0.252
icmp any host 10.0.0.252
ip any any

Configuring Any RADIUS Server for Downloadable Access Lists
You can configure any RADIUS server that supports Cisco IOS RADIUS VSAs to send user-specific
access lists to the ASA in a Cisco IOS RADIUS cisco-av-pair VSA (vendor 9, attribute 1).
In the cisco-av-pair VSA, configure one or more ACEs that are similar to the access-list extended
command (see command reference), except that you replace the following command prefix:
access-list acl_name extended

with the following text:
ip:inacl#nnn=

The nnn argument is a number in the range from 0 to 999999999 that identifies the order of the command
statement to be configured on the ASA. If this parameter is omitted, the sequence value is 0, and the
order of the ACEs inside the cisco-av-pair RADIUS VSA is used.
The following example is an access list definition as it should be configured for a cisco-av-pair VSA on
a RADIUS server:
ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
ip:inacl#99=deny tcp any any
ip:inacl#2=permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
ip:inacl#100=deny udp any any
ip:inacl#3=permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0

For information about making unique per user the access lists that are sent in the cisco-av-pair attribute,
see the documentation for your RADIUS server.
On the ASA, the downloaded access list name has the following format:
AAA-user-username

The username argument is the name of the user that is being authenticated.
The downloaded access list on the ASA consists of the following lines. Notice the order based on the
numbers identified on the RADIUS server.
access-list
access-list
access-list
access-list
access-list

AAA-user-bcham34-79AD4A08
AAA-user-bcham34-79AD4A08
AAA-user-bcham34-79AD4A08
AAA-user-bcham34-79AD4A08
AAA-user-bcham34-79AD4A08

permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
deny tcp any any
deny udp any any

Cisco ASA 5500 Series Configuration Guide using the CLI

38-17

Chapter 38

Configuring AAA Rules for Network Access

Configuring Accounting for Network Access

Downloaded access lists have two spaces between the word “access-list” and the name. These spaces
serve to differentiate a downloaded access list from a local access list. In this example, “79AD4A08” is
a hash value generated by the ASA to help determine when access list definitions have changed on the
RADIUS server.

Converting Wildcard Netmask Expressions in Downloadable Access Lists
If a RADIUS server provides downloadable access lists to Cisco VPN 3000 series concentrators as well
as to the ASA, you may need the ASA to convert wildcard netmask expressions to standard netmask
expressions. This is because Cisco VPN 3000 series concentrators support wildcard netmask
expressions, but the ASA only supports standard netmask expressions. Configuring the ASA to convert
wildcard netmask expressions helps minimize the effects of these differences on how you configure
downloadable access lists on your RADIUS servers. Translation of wildcard netmask expressions means
that downloadable access lists written for Cisco VPN 3000 series concentrators can be used by the ASA
without altering the configuration of the downloadable access lists on the RADIUS server.
You configure access list netmask conversion on a per-server basis using the acl-netmask-convert
command, available in the aaa-server configuration mode. For more information about configuring a
RADIUS server, see the “Configuring AAA Server Groups” section on page 35-11. For more
information about the acl-netmask-convert command, see the command reference.

Configuring a RADIUS Server to Download Per-User Access Control List Names
To download a name for an access list that you already created on the ASA from the RADIUS server
when a user authenticates, configure the IETF RADIUS filter-id attribute (attribute number 11) as
follows:
filter-id=acl_name

Note

In Cisco Secure ACS, the values for filter-id attributes are specified in boxes in the HTML interface,
omitting filter-id= and entering only acl_name.
For information about making the filter-id attribute value unique per user, see the documentation for your
RADIUS server.
To create an access list on the ASA, see Chapter 15, “Adding an Extended Access List.”

Configuring Accounting for Network Access
The ASA can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP
traffic that passes through the ASA. If that traffic is also authenticated, then the AAA server can maintain
accounting information by username. If the traffic is not authenticated, the AAA server can maintain
accounting information by IP address. Accounting information includes session start and stop times,
username, the number of bytes that pass through the ASA for the session, the service used, and the
duration of each session.
To configure accounting, perform the following steps:

Cisco ASA 5500 Series Configuration Guide using the CLI

38-18

Chapter 38

Configuring AAA Rules for Network Access
Configuring Accounting for Network Access

Step 1

Command

Purpose

access-list

If you want the ASA to provide accounting data per
user, you must enable authentication. For more
information, see the “Configuring Network Access
Authentication” section on page 38-4. If you want
the ASA to provide accounting data per IP address,
enabling authentication is not necessary.

Example:
hostname(config)# access-list TELNET_AUTH extended
permit tcp any any eq telnet

Creates an access list that identifies the source
addresses and destination addresses of traffic for
which you want accounting data. For instructions,
see Chapter 15, “Adding an Extended Access List.”
The permit ACEs mark matching traffic for
accounting, while deny entries exclude matching
traffic from accounting.
Note

Step 2

aaa accounting match acl_name interface_name
server_group

If you have configured authentication and
want accounting data for all the traffic being
authenticated, you can use the same access
list that you created for use with the aaa
authentication match command.

Enables accounting.
The acl_name argument is the access list name set in
the access-list command.

Example:
hostname(config)# aaa accounting match SERVER_AUTH
inside AuthOutbound

The interface_name argument is the interface name
set in the nameif command.
The server_group argument is the server group
name set in the aaa-server command.
Note

Alternatively, you can use the aaa
accounting include command (which
identifies traffic within the command), but
you cannot use both methods in the same
configuration. See the command reference
for more information.

Examples
The following example authenticates, authorizes, and accounts for inside Telnet traffic. Telnet traffic to
servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires
authorization and accounting.
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq
telnet
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
hostname(config)# aaa accounting match SERVER_AUTH inside AuthOutbound

Cisco ASA 5500 Series Configuration Guide using the CLI

38-19

Chapter 38

Configuring AAA Rules for Network Access

Using MAC Addresses to Exempt Traffic from Authentication and Authorization

Using MAC Addresses to Exempt Traffic from Authentication
and Authorization
The ASA can exempt from authentication and authorization any traffic from specific MAC addresses.
For example, if the ASA authenticates TCP traffic originating on a particular network, but you want to
allow unauthenticated TCP connections from a specific server, you would use a MAC exempt rule to
exempt from authentication and authorization any traffic from the server specified by the rule.
This feature is particularly useful to exempt devices such as IP phones that cannot respond to
authentication prompts.
To use MAC addresses to exempt traffic from authentication and authorization, perform the following
steps:

Step 1

Command

Purpose

mac-list id {deny | permit} mac macmask

Configures a MAC list.

Example:
hostname(config)# mac-list abc permit 00a0.c95d.0282
ffff.ffff.ffff

The id argument is the hexadecimal number that you
assign to the MAC list. To group a set of MAC
addresses, enter the mac-list command as many
times as needed with the same ID value. Because you
can only use one MAC list for AAA exemption, be
sure that your MAC list includes all the MAC
addresses that you want to exempt. You can create
multiple MAC lists, but you can only use one at a
time.
The order of entries matters, because the packet uses
the first entry it matches, instead of a best match
scenario. If you have a permit entry, and you want to
deny an address that is allowed by the permit entry,
be sure to enter the deny entry before the permit
entry.
The mac argument specifies the source MAC address
in 12-digit hexadecimal form; that is,
nnnn.nnnn.nnnn.
The macmask argument specifies the portion of the
MAC address that should be used for matching. For
example, ffff.ffff.ffff matches the MAC address
exactly. ffff.ffff.0000 matches only the first 8 digits.

Step 2

aaa mac-exempt match id

Exempts traffic for the MAC addresses specified in a
particular MAC list.

Example:

The id argument is the string identifying the MAC
list that includes the MAC addresses whose traffic is
to be exempt from authentication and authorization.

hostname(config)# aaa mac-exempt match 1

You can only enter one instance of the aaa
mac-exempt match command.

Cisco ASA 5500 Series Configuration Guide using the CLI

38-20

Chapter 38

Configuring AAA Rules for Network Access
Feature History for AAA Rules

Examples
The following example bypasses authentication for a single MAC address:
hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff
hostname(config)# aaa mac-exempt match abc

The following example bypasses authentication for all Cisco IP Phones, which have the hardware ID
0003.E3:
hostname(config)# mac-list acd permit 0003.E300.0000 FFFF.FF00.0000
hostname(config)# aaa mac-exempt match acd

The following example bypasses authentication for a a group of MAC addresses except for
00a0.c95d.02b2. Enter the deny statement before the permit statement, because 00a0.c95d.02b2
matches the permit statement as well, and if it is first, the deny statement will never be matched.
hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff
hostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000
hostname(config)# aaa mac-exempt match 1

Feature History for AAA Rules
Table 38-1 lists each feature change and the platform release in which it was implemented.
Table 38-1

Feature History for AAA Rules

Feature Name

Platform
Releases

AAA Rules

7.0(1)

Feature Information
AAA Rules describe how to enable AAA for network
access.
We introduced the following commands:
aaa authentication match, aaa authentication include |
exclude, aaa authentication listener http[s], aaa local
authentication attempts max-fail, virtual http, virtual
telnet, aaa authentication secure-http-client, aaa
authorization match, aaa accounting match, aaa
mac-exempt match.

Cisco ASA 5500 Series Configuration Guide using the CLI

38-21

Chapter 38
Feature History for AAA Rules

Cisco ASA 5500 Series Configuration Guide using the CLI

38-22

Configuring AAA Rules for Network Access

C H A P T E R

Configuring Filtering Services
This chapter describes how to use filtering services to provide greater control over traffic passing
through the ASA and includes the following sections:
•

Information About Web Traffic Filtering, page 39-1

•

Configuring ActiveX Filtering, page 39-2

•

Configuring Java Applet Filtering, page 39-4

•

Filtering URLs and FTP Requests with an External Server, page 39-6

•

Monitoring Filtering Statistics, page 39-15

Information About Web Traffic Filtering
You can use web traffic filtering in two distinct ways:
•

Filtering ActiveX objects or Java applets

•

Filtering with an external filtering server

Instead of blocking access altogether, you can remove specific undesirable objects from web traffic, such
as ActiveX objects or Java applets, that may pose a security threat in certain situations.
You can use web traffic filtering to direct specific traffic to an external filtering server, such an Secure
Computing SmartFilter (formerly N2H2) or the Websense filtering server. You can enable long URL,
HTTPS, and FTP filtering using either Websense or Secure Computing SmartFilter for web traffic
filtering. Filtering servers can block traffic to specific sites or types of sites, as specified by the security
policy.

Note

URL caching will only work if the version of the URL server software from the URL server vendor
supports it.
Because web traffic filtering is CPU-intensive, using an external filtering server ensures that the
throughput of other traffic is not affected. However, depending on the speed of your network and the
capacity of your web traffic filtering server, the time required for the initial connection may be
noticeably slower when filtering traffic with an external filtering server.

Cisco ASA 5500 Series Configuration Guide using the CLI

39-1

Chapter 39

Configuring Filtering Services

Configuring ActiveX Filtering

Configuring ActiveX Filtering
This section includes the following topics:
•

Information About ActiveX Filtering, page 39-2

•

Licensing Requirements for ActiveX Filtering, page 39-2

•

Guidelines and Limitations for ActiveX Filtering, page 39-3

•

Configuring ActiveX Filtering, page 39-3

•

Configuration Examples for ActiveX Filtering, page 39-3

•

Feature History for ActiveX Filtering, page 39-4

Information About ActiveX Filtering
ActiveX objects may pose security risks because they can contain code intended to attack hosts and
servers on a protected network. You can disable ActiveX objects with ActiveX filtering.
ActiveX controls, formerly known as OLE or OCX controls, are components that you can insert in a web
page or another application. These controls include custom forms, calendars, or any of the extensive
third-party forms for gathering or displaying information. As a technology, ActiveX creates many
potential problems for network clients including causing workstations to fail, introducing network
security problems, or being used to attack servers.
The filter activex command blocks the HTML object commands by commenting them out within the
HTML web page. ActiveX filtering of HTML files is performed by selectively replacing the
and , and tags with comments. Filtering of nested
tags is supported by converting top-level tags to comments.

Caution

The filter activex command also blocks any Java applets, image files, or multimedia objects that are
embedded in object tags.
If the HTML tags split across network packets or if the code in the tags is longer
than the number of bytes in the MTU, the ASA cannot block the tag.
ActiveX blocking does not occur when users access an IP address referenced by the alias command or
for clientless SSL VPN traffic.

Licensing Requirements for ActiveX Filtering
The following table shows the licensing requirements for this feature:
Model

License Requirement

All models

Base License.

Cisco ASA 5500 Series Configuration Guide using the CLI

39-2

Chapter 39

Configuring Filtering Services
Licensing Requirements for ActiveX Filtering

Guidelines and Limitations for ActiveX Filtering
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

Supported in single and multiple context mode.
Firewall Mode Guidelines

Supported in routed and transparent firewall mode.
IPv6 Guidelines

Does not support IPv6.

Configuring ActiveX Filtering
To remove ActiveX objects in HTTP traffic that is passing through the ASA, enter the following
command:
Command

Purpose

filter activex port[-port] local_ip
local_mask foreign_ip foreign_mask

Removes ActiveX objects. To use this command, replace port[-port] with
the TCP port to which filtering is applied. Typically, this is port 80, but
other values are accepted. The http or url literal can be used for port 80.
You can specify a range of ports by using a hyphen between the starting
port number and the ending port number. The local IP address and mask
identify one or more internal hosts that are the source of the traffic to be
filtered. The foreign address and mask specify the external destination of
the traffic to be filtered.

Example:
hostname# filter activex 80 0 0 0 0

Configuration Examples for ActiveX Filtering
You can set either address to 0.0.0.0 (or in shortened form, 0) to specify all hosts. You can use 0.0.0.0
for either mask (or in shortened form, 0) to specify all masks. This command specifies that the ActiveX
object blocking applies to HTTP traffic on port 80 from any local host and for connections to any foreign
host.
The following example shows how to configure ActiveX filtering to block all outbound connections:
hostname(config)# filter activex 80 0 0 0 0

The following example shows how to remove ActiveX filtering:
hostname(config)# no filter activex 80 0 0 0 0

Cisco ASA 5500 Series Configuration Guide using the CLI

39-3

Chapter 39

Configuring Filtering Services

Configuring Java Applet Filtering

Feature History for ActiveX Filtering
Table 39-1 lists the release history for ActiveX Filtering. ASDM is backwards-compatible with multiple
platform releases, so the specific ASDM release in which support was added is not listed.
Table 39-1

Feature History for ActiveX Filtering

Feature Name

Platform
Releases

ActiveX filtering

7.0(1)

Feature Information
Filters specific undesirable objects from HTTP traffic, such as ActiveX
objects, which may pose a security threat in certain situations.

Configuring Java Applet Filtering
This section includes the following topics:
•

Information About Java Applet Filtering, page 39-4

•

Licensing Requirements for Java Applet Filtering, page 39-4

•

Guidelines and Limitations for Java Applet Filtering, page 39-5

•

Configuring Java Applet Filtering, page 39-5

•

Configuration Examples for Java Applet Filtering, page 39-5

•

Feature History for Java Applet Filtering, page 39-6

Information About Java Applet Filtering
Java applets may pose security risks because they can contain code intended to attack hosts and servers
on a protected network. You can remove Java applets with the filter java command.

Note

Use the filter activex command to remove Java applets that are embedded in

Cisco Systems Asa5515K9 Users Manual _asacfg_cli

ASA 5500 to the manual 70242a1d-7de2-47db-bb39-a0524b4b647c

Navigation menu

Versions of this User Manual:

Views

Navigation