Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring IPsec and ISAKMP
To enable IPsec over TCP for IKEv1 globally on the ASA, enter the following command in either
single or multiple context mode:
crypto ikev1 ipsec-over-tcp [port port 1...port0]
This example enables IPsec over TCP on port 45:
hostname(config)# crypto ikev1 ipsec-over-tcp port 45
Waiting for Active Sessions to Terminate Before Rebooting
You can schedule an ASA reboot to occur only when all active sessions have terminated voluntarily. This
feature is disabled by default.
To enable waiting for all active sessions to voluntarily terminate before the ASA reboots, perform the
following site-to-site task in either single or multiple context mode:
crypto isakmp reload-wait
For example:
hostname(config)# crypto isakmp reload-wait
Use the reload command to reboot the ASA. If you set the reload-wait command, you can use the
reload quick command to override the reload-wait setting. The reload and reload-wait commands are
available in privileged EXEC mode; neither includes the isakmp prefix.
Alerting Peers Before Disconnecting
Remote access or LAN-to-LAN sessions can drop for several reasons, such as an ASA shutdown or
reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off.
The ASA can notify qualified peers (in LAN-to-LAN configurations), Cisco VPN clients, and VPN 3002
hardware clients of sessions that are about to be disconnected. The peer or client receiving the alert
decodes the reason and displays it in the event log or in a pop-up pane. This feature is disabled by default.
Qualified clients and peers include the following:
• Security appliances with Alerts enabled
• Cisco VPN clients running Version 4.0 or later software (no configuration required)
• VPN 3002 hardware clients running Version 4.0 or later software, with Alerts enabled
• VPN 3000 series concentrators running Version 4.0 or later software with Alerts enabled
To enable disconnect notification to IPsec peers, enter the crypto isakmp disconnect-notify command
in either single or multiple context mode.
For example:
hostname(config)# crypto isakmp disconnect-notify
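The following added example, which is not part of the Cisco guide, audits a saved configuration for the three settings described above: the IPsec over TCP ports, reload-wait, and disconnect-notify. It assumes the commands appear in the configuration text in the forms shown on this page and that a later line (including a "no" form) overrides an earlier one; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
hostname asa-example
crypto ikev1 ipsec-over-tcp port 45 10000
crypto isakmp disconnect-notify
crypto isakmp reload-wait
no crypto isakmp reload-wait
"""

TCP_RE = re.compile(r"crypto ikev1 ipsec-over-tcp(?: port((?: \d+)+))?")

def audit_ike_settings(config_text):
    """Report the state of the three settings described on this page."""
    state = {"ipsec_over_tcp": False, "tcp_ports": [],
             "reload_wait": False, "disconnect_notify": False}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())           # normalise whitespace
        enabled = not line.startswith("no ")   # "no" form disables (assumed)
        if not enabled:
            line = line[3:]
        m = TCP_RE.fullmatch(line)
        if m:
            ports = [int(p) for p in (m.group(1) or "").split()]
            bad = [p for p in ports if not 1 <= p <= 65535]
            if bad:
                raise ValueError(f"invalid TCP port(s): {bad}")
            state["ipsec_over_tcp"] = enabled
            state["tcp_ports"] = sorted(set(ports)) if enabled else []
        elif line == "crypto isakmp reload-wait":
            state["reload_wait"] = enabled
        elif line == "crypto isakmp disconnect-notify":
            state["disconnect_notify"] = enabled
    return state

def findings(state):
    """Turn the state into review notes for a change or audit record."""
    notes = []
    if state["ipsec_over_tcp"]:
        ports = state["tcp_ports"] or "the default port"
        notes.append(f"IPsec over TCP enabled on {ports}: confirm each port is intended")
    if not state["reload_wait"]:
        notes.append("reload-wait off: a reboot does not wait for active sessions")
    if not state["disconnect_notify"]:
        notes.append("disconnect-notify off: peers are not alerted before disconnect")
    return notes

if __name__ == "__main__":
    print("\n".join(findings(audit_ike_settings(SAMPLE_CONFIG))))
```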
Configuring Certificate Group Matching for IKEv1
Tunnel groups define user connection terms and permissions. Certificate group matching lets you match
a user to a tunnel group using either the Subject DN or Issuer DN of the user certificate.