Feedback
Table Of Contents
match default-inspection-traffic
match flow ip destination-address
memory delayed-free-poisoner enable
memory delayed-free-poisoner validate
ospf network point-to-point non-broadcast
password (crypto ca trustpoint)
remote-access threshold session-threshold-exceeded
M through R Commands
mac address
To specify the virtual MAC addresses for the active and standby units, use the mac address command in failover group configuration mode. To restore the default virtual MAC addresses, use the no form of this command.
mac address phy_if [active_mac] [standby_mac]
no mac address phy_if [active_mac] [standby_mac]
Syntax Description
Defaults
The defaults are as follows:
•
Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01.
•
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
If the virtual MAC addresses are not defined for the failover group, the default values are used.
If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address.
Examples
The following partial example shows a possible configuration for a failover group:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)# failover group 2hostname(config-fover-group)# secondaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# mac address e1 0000.a000.a011 0000.a000.a012hostname(config-fover-group)# exithostname(config)#Related Commands
failover group
Defines a failover group for Active/Active failover.
failover mac address
Specifies a virtual MAC address for a physical interface.
mac-address-table aging-time
To set the timeout for MAC address table entries, use the mac-address-table aging-time command in global configuration mode. To restore the default value of 5 minutes, use the no form of this command.
mac-address-table aging-time timeout_value
no mac-address-table aging-time
Syntax Description
timeout_value
The time a MAC address entry stays in the MAC address table before timing out, between 5 and 720 minutes (12 hours). 5 minutes is the default.
Defaults
The default timeout is 5 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Usage Guidelines
No usage guidelines.
Examples
The following example sets the MAC address timeout to 10 minutes:
hostname(config)# mac-address-timeout aging time 10Related Commands
mac-address-table static
To add a static entry to the MAC address table, use the mac-address-table static command in global configuration mode. To remove a static entry, use the no form of this command. Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired. One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the security appliance drops the traffic and generates a system message.
mac-address-table static interface_name mac_address
no mac-address-table static interface_name mac_address
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Examples
The following example adds a static MAC address entry to the MAC address table:
hostname(config)# mac-address-table static inside 0010.7cbe.6101Related Commands
mac-learn
To disable MAC address learning for an interface, use the mac-learn command in global configuration mode. To reenable MAC address learning, use the no form of this command. By default, each interface automatically learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired.
mac-learn interface_name disable
no mac-learn interface_name disable
Syntax Description
interface_name
The interface on which you want to disable MAC learning.
disable
Disables MAC learning.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Examples
The following example disables MAC learning on the outside interface:
hostname(config)# mac-learn outside disableRelated Commands
mac-list
To specify a list of MAC addresses to be used for MAC-based authentication, use the mac-list command in global configuration mode. To disable the use of a list of MAC addresses, use the no form of this command. The mac-list command adds a list of MAC addresses using a first-match search.
mac-list id deny | permit mac macmask
no mac-list id deny | permit mac macmask
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
To group a set of MAC addresses, enter the mac-list command as many times as needed with the same id value. Configure the MAC access list number using the mac-list command before using the aaa mac-exempt command.
Only AAA exemption is provided. Authorization is automatically exempted for MAC addresses for which authentication is exempted. Other types of AAA with mac-list are not supported.
Examples
The following example shows how to configure a MAC address list:
hostname(config)# mac-list adc permit 00a0.cp5d.0282 ffff.ffff.ffffhostname(config)# mac-list adc deny 00a1.cp5d.0282 ffff.ffff.ffffhostname(config)# mac-list ac permit 0050.54ff.0000 ffff.ffff.0000hostname(config)# mac-list ac deny 0061.54ff.b440 ffff.ffff.ffffhostname(config)# mac-list ac deny 0072.54ff.b440 ffff.ffff.ffffRelated Commands
management-access
To enable access to an internal management interface of the security appliance, use the management-access command in global configuration mode. To disable, use the no form of this command.
management-access mgmt_if
no management-access mgmt_if
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
Command History
Usage Guidelines
The management-access command lets you define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The interface names are defined by the nameif command and displayed in quotes, " ", in the output of the show interface command.)
The management-access command is supported for the following through an IPSec VPN tunnel only, and you can define only one management interface globally:
•
•
•
•
•
•
•
•
Examples
The following example shows how to configure a firewall interface named "inside" as the management access interface:
hostname(config)# management-access insidehostname(config)# show management-accessmanagement-access insideRelated Commands
management-only
To set an interface to accept management traffic only, use the management-only command in interface configuration mode. To allow through traffic, use the no form of this command.
management-only
no management-only
Syntax Description
This command has no arguments or keywords.
Defaults
The Management 0/0 interface on the ASA 5500 series adaptive security appliance is set to management-only mode by default.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The ASA adaptive security appliance includes a dedicated management interface called Management 0/0, which is meant to support traffic to the security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.
Note
Examples
The following example disables management-only mode on the management interface:
hostname(config)# interface management0/0hostname(config-if)# no management-onlyThe following example enables management-only mode on a subinterface:
hostname(config)# interface gigabitethernet0/2.1hostname(config-subif)# management-onlyRelated Commands
mask-syst-reply
To hide the FTP server response from clients, use the mask-syst-reply command in FTP map configuration mode, which is accessible by using the ftp-map command. To remove the configuration, use the no form of this command.
mask-syst-reply
no mask-syst-reply
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
FTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the mask-syst-reply command with strict FTP inspection to protect the FTP server system from clients. After enabling this command, the servers replies to the syst command are replaced by a series of Xs.
Examples
The following example causes the security appliance to replace the FTP server replies to the syst command with Xs:
hostname(config)# ftp-map inbound_ftphostname(config-ftp-map)# mask-syst-replyhostname(config-ftp-map)# exit
match access-list
To identify traffic using an access list in a class map, use the match access-list command in class-map configuration mode. To remove the access list, use the no form of this command.
match access-list {acl-id...}
no match access-list {acl-id...}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
You can specify one or more access lists to identify specific types of traffic using the match access-list command. The permit statement in an access control entry causes the traffic to be included, while a deny statement causes the traffic to be excluded from the traffic class map.
Examples
The following example shows how to define a traffic class using a class map and the match access-list command:
hostname(config)# access-list ftp_acl extended permit tcp any any eq 21hostname(config)# class-map ftp_porthostname(config-cmap)# match access-list ftp_aclRelated Commands
match any
To include all traffic in a class map, use the match any command in class-map configuration mode. To remove this specification, use the no form of this command.
match any
no match any
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
All packets will be matched using the match any command (as in the default class map, class-default).
Examples
This example shows how to define a traffic class using a class map and the match any command:
hostname(config)# class-map cmaphostname(config-cmap)# match anyRelated Commands
match default-inspection-traffic
To specify default traffic for the inspect commands in a class map, use the match default-inspection-traffic command in class-map configuration mode. To remove this specification, use the no form of this command.
match default-inspection-traffic
no match default-inspection-traffic
Syntax Description
This command has no arguments or keywords.
Defaults
See the Usage Guidelines section for the default traffic of each inspection.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Using the match default-inspection-traffic command, you can match default traffic for the individual inspect commands. The match default-inspection-traffic command can be used in conjunction with one other match command, which is typically an access-list in the form of permit ip src-ip dst-ip.
The rule for combining a second match command with the match default-inspection-traffic command is to specify the protocol and port information using the match default-inspection-traffic command and specify all other information (such as IP addresses) using the second match command. Any protocol or port information specified in the second match command is ignored with respect to the inspect commands.
For instance, port 65535 specified in the example below is ignored:
hostname(config)# class-map cmaphostname(config-cmap)# match default-inspection-traffichostname(config-cmap)# match port 65535Default traffic for inspections are as follows:
Examples
The following example shows how to define a traffic class using a class map and the match default-inspection-traffic command:
hostname(config)# class-map cmaphostname(config-cmap)# match default-inspection-trafficRelated Commands
match dscp
To identify the IETF-defined DSCP value (in an IP header) in a class map, use the match dscp command in class-map configuration mode. To remove this specification, use the no form of this command.
match dscp {values}
no match dscp {values}
Syntax Description
values
Specifies up to eight different the IETF-defined DSCP values in the IP header. Range is 0 to 63.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Using the match dscp command, you can match the IETF-defined DSCP values in the IP header.
Examples
The following example shows how to define a traffic class using a class map and the match dscp command:
hostname(config)# class-map cmaphostname(config-cmap)# match dscp af43 cs1 efRelated Commands
match flow ip destination-address
To specify the flow IP destination address in a class map, use the match flow ip destination-address command in class-map configuration mode. To remove this specification, use the no form of this command.
match flow ip destination-address
no match flow ip destination-address
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
To enable flow-based policy actions on a tunnel group, use the match flow ip destination-address and match tunnel-group commands with the class-map, policy-map, and service-policy commands. The criteria to define flow is the destination IP address. All traffic going to a unique IP destination address is considered a flow. Policy action is applied to each flow instead of the entire class of traffic. QoS action police is applied using the match flow ip destination-address command. Use match tunnel-group to police every tunnel within a tunnel group to a specified rate.
Examples
The following example shows how to enable flow-based policing within a tunnel group and limit each tunnel to a specified rate:
hostname(config)# class-map cmaphostname(config-cmap)# match tunnel-grouphostname(config-cmap)# match flow ip destination-addresshostname(config-cmap)# exithostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# police 56000hostname(config-pmap)# exithostname(config)# service-policy pmap globalRelated Commands
match interface
To distribute any routes that have their next hop out one of the interfaces specified, use the match interface command in route-map configuration mode. To remove the match interface entry, use the no form of this command.
match interface interface-name...
no match interface interface-name...
Syntax Description
interface-name
Name of the interface (not the physical interface). Multiple interface names can be specified.
Defaults
No match interfaces are defined.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the interface-type interface-number arguments.
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can give the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions that are given with the set commands. The no forms of the match commands remove the specified match criteria. If there is more than one interface specified in the match command. then the no match interface interface-name can be used to remove a single interface.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. If you want to modify only some data, you must configure a second route map section and specify an explicit match.
Examples
The following example shows that the routes with their next hop outside is distributed:
hostname(config)# route-map namehostname(config-route-map)# match interface outsideRelated Commands
match ip address
To redistribute any routes that have a route address or match packet that is passed by one of the access lists specified, use the match ip address command in route-map configuration mode. To restore the default settings, use the no form of this command.
match ip address {acl...}
no match ip address {acl...}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
Examples
The following example shows how to redistribute internal routes:
hostname(config)# route-map namehostname(config-route-map)# match ip address acl_dmz1 acl_dmz2Related Commands
match ip next-hop
To redistribute any routes that have a next-hop router address that is passed by one of the access lists specified, use the match ip next-hop command in route-map configuration mode. To remove the next-hop entry, use the no form of this command.
match ip next-hop {acl...} | prefix-list prefix_list
no match ip next-hop {acl...} | prefix-list prefix_list
Syntax Description
Defaults
Routes are distributed freely, without being required to match a next-hop address.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the acl argument.
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
When you are passing routes through a route map, a route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match.
Examples
The following example shows how to distribute routes that have a next-hop router address passed by access list acl_dmz1 or acl_dmz2:
hostname(config)# route-map namehostname(config-route-map)# match ip next-hop acl_dmz1 acl_dmz2Related Commands
match ip route-source
To redistribute routes that have been advertised by routers and access servers at the address that is specified by the ACLs, use the match ip route-source command in the route-map configuration mode. To remove the next-hop entry, use the no form of this command.
match ip route-source {acl...} | prefix-list prefix_list
no match ip route-source {acl...}
Syntax Description
Defaults
No filtering on a route source.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the access-list-name argument.
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match. The next-hop and source-router address of the route are not the same in some situations.
Examples
The following example shows how to distribute routes that have been advertised by routers and access servers at the addresses specified by ACLs acl_dmz1 and acl_dmz2:
hostname(config)# route-map namehostname(config-route-map)# match ip route-source acl_dmz1 acl_dmz2Related Commands
match metric
To redistribute routes with the metric specified, use the match metric command in route-map configuration mode. To remove the entry, use the no form of this command.
match metric number
no match metric number
Syntax Description
Defaults
No filtering on a metric value.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. The match commands can be given in any order, and all match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match.
Examples
The following example shows how to redistribute routes with the metric 5:
hostname(config)# route-map namehostname(config-route-map)# match metric 5Related Commands
match port
To identify a specific port number in a class map, use the match port command in class-map configuration mode. To remove this specification, use the no form of this command.
match port {tcp | udp} {eq eq_id | range beg_id end_id}
no match port {tcp | udp} {eq eq_id | range beg_id end_id}
Syntax Description
eq eq_id
Specifies a port name.
range beg_id end_id
Specifies beginning and ending port range values (1-65535).
tcp
Specifies a TCP port.
udp
Specifies a UDP port.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Use the match port command to specify a range of ports.
Examples
The following example shows how to define a traffic class using a class map and the match port command:
hostname(config)# class-map cmaphostname(config-cmap)# match port tcp eq 8080Related Commands
match precedence
To specify a precedence value in a class map, use the match precedence command in class-map configuration mode. To remove this specification, use the no form of this command.
match precedence value
no match precedence value
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Use the match precedence command to specify the value represented by the TOS byte in the IP header.
Examples
The following example shows how to define a traffic class using a class map and the match precedence command:
hostname(config)# class-map cmaphostname(config-cmap)# match precedence 1Related Commands
match route-type
To redistribute routes of the specified type, use the match route-type command in route-map configuration mode. To remove the route type entry, use the no form of this command.
match route-type {local | internal | {external [type-1 | type-2]} | {nssa-external [type-1 | type-2]}}
no match route-type {local | internal | {external [type-1 | type-2]} | {nssa-external [type-1 | type-2]}}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match.
For OSPF, the external type-1 keywords match only type 1 external routes and the external type-2 keywords match only type 2 external routes.
Examples
The following example shows how to redistribute internal routes:
hostname(config)# route-map namehostname(config-route-map)# match route-type internalRelated Commands
match rtp
To specify a UDP port range of even-number ports in a class map, use the match rtp command in class-map configuration mode. To remove this specification, use the no form of this command.
match rtp starting_port range
no match rtp starting_port range
Syntax Description
starting_port
Specifies lower bound of even-number UDP destination port. Range is 2000-65535
range
Specifies range of RTP ports. Range is 0-16383.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Use the match rtp command to match RTP ports (even UDP port numbers between the starting_port and the starting_port plus the range).
Examples
The following example shows how to define a traffic class using a class map and the match rtp command:
hostname(config)# class-map cmaphostname(config-cmap)# match rtp 20000 100Related Commands
match tunnel-group
To match traffic in a class map that belongs to a previously defined tunnel-group, use the match tunnel-group command in class-map configuration mode. To remove this specification, use the no form of this command.
match tunnel-group name
no match tunnel-group name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
To enable flow-based policy actions, use the match flow ip destination-address and match tunnel-group commands with the class-map, policy-map, and service-policy commands. The criteria to define flow is the destination IP address. All traffic going to a unique IP destination address is considered a flow. Policy action is applied to each flow instead of the entire class of traffic. QoS action police is applied using the police command. Use match tunnel-group along with match flow ip destination-address to police every tunnel within a tunnel group to a specified rate.
Examples
The following example shows how to enable flow-based policing within a tunnel group and limit each tunnel to a specified rate:
hostname(config)# class-map cmaphostname(config-cmap)# match tunnel-grouphostname(config-cmap)# match flow ip destination-addresshostname(config-cmap)# exithostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# police 56000hostname(config-pmap)# exithostname(config)# service-policy pmap globalRelated Commands
max-failed-attempts
To specify the number of failed attempts allowed for any given server in the server group before that server is deactivated, use the max-failed-attempts command in AAA-sersver group mode. To remove this specification and revert to the default value, use the no form of this command:
max-failed-attempts number
no max-failed-attempts
Syntax Description
number
An integer in the range 1-5, specifying the number of failed connection attempts allowed for any given server in the server group specified in a prior aaa-server command.
Defaults
The default value of number is 3.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server group
•
•
•
•
—
Command History
Usage Guidelines
You must have configured the AAA server/group before issuing this command.
Examples
hostname(config)# aaa-server svrgrp1 protocol tacacs+hostname(config-aaa-server-group)# max-failed-attempts 4Related Commands
max-header-length
To restrict HTTP traffic based on the HTTP header length, use the max-header-length command in HTTP map configuration mode, which is accessible using the http-map command. To remove this command, use the no form of this command.
max-header-length {request bytes [response bytes] | response bytes} action {allow | reset | drop} [log]
no max-header-length {request bytes [response bytes] | response bytes} action {allow | reset | drop} [log]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
HTTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
After enabling the max-header-length command, the security appliance only allows messages having an HTTP header within the configured limit and otherwise takes the specified action. Use the action keyword to cause the security appliance to reset the TCP connection and optionally create a syslog entry.
Examples
The following example restricts HTTP requests to those with HTTP headers that do not exceed 100 bytes. If a header is too large, the security appliance resets the TCP connection and creates a syslog entry.
hostname(config)# http-map inbound_httphostname(config-http-map)# max-header-length request bytes 100 action log resethostname(config-http-map)# exitRelated Commands
max-uri-length
To restrict HTTP traffic based on the length of the URI in the HTTP request message, use the max-uri-length command in HTTP map configuration mode, which is accessible using the http-map command. To remove this command, use the no form of this command.
max-uri-length bytes action {allow | reset | drop} [log]
no max-uri-length bytes action {allow | reset | drop} [log]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
HTTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
After enabling the max-uri-length command, the security appliance only allows messages having a URI within the configured limit and otherwise takes the specified action. Use the action keyword to cause the security appliance to reset the TCP connection and create a syslog entry.
URIs with a length less than or equal to the configured value will be allowed. Otherwise, the specified action will be taken.
Examples
The following example restricts HTTP requests to those with URIs that do not exceed 100 bytes. If a URI is too large, the security appliance resets the TCP connection and creates a syslog entry.
hostname(config)# http-map inbound_httphostname(config-http-map)# max-uri-length 100 action reset loghostname(config-http-map)# exitRelated Commands
mcc
To identify the mobile country code and the mobile network code for IMSI prefix filtering, use the mcc command in GTP map configuration mode. To remove the configuration, use the no form of this command.
mcc country_code mnc network_code
no mcc country_code mnc network_code
Syntax Description
Defaults
By default, the security appliance does not check for valid MCC/MNC combinations.
Command Modes
The following table shows the modes in which you can enter the command:
GTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command is used for IMSI Prefix filtering. The MCC and MNC in the IMSI of the received packet is compared with the MCC/MNC configured with this command and is dropped if it does not match.
This command must be used to enable IMSI Prefix filtering. You can configure multiple instances to specify permitted MCC and MNC combinations. By default, the security appliance does not check the validity of MNC and MCC combinations, so you must verify the validity of the combinations configured. To find more information about MCC and MNC codes, see the ITU E.212 recommendation, Identification Plan for Land Mobile Stations.
Examples
The following example identifies traffic for IMSI Prefix filtering with an MCC of 111 and an MNC of 222:
hostname(config)# gtp-map qtp-policyhostname(config-gtpmap)# mcc 111 mnc 222Related Commands
media-type
To set the media type to copper or fiber Gigabit Ethernet, use the media-type command in interface configuration mode. The fiber SFP connector is available on the 4GE SSM for the ASA 5500 series adaptive security appliance. To restore the media type setting to the default, use the no form of this command.
media-type {rj45 | sfp}
no media-type [rj45 | sfp]
Syntax Description
rj45
(Default) Sets the media type to the copper RJ-45 connector.
sfp
Sets the media type to the fiber SFP connector.
Defaults
The default is rj45.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
•
Command History
Usage Guidelines
The sfp setting uses a fixed speed (1000 Mbps), so the speed command allows you to set whether the interface negotiates link parameters or not. The duplex command is not supported for sfp.
Examples
The following example sets the media type to SFP:
hostname(config)# interface gigabitethernet1/1hostname(config-if)# media-type sfphostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownRelated Commands
memory caller-address
To configure a specific range of program memory for the call tracing, or caller PC, to help isolate memory problems, use the memory caller-address command in privileged EXEC mode. The caller PC is the address of the program that called a memory allocation primitive. To remove an address range, use the no form of this command.
memory caller-address startPC endPC
no memory caller-address
Syntax Description
endPC
Specifies the end address range of the memory block.
startPC
Specifies the start address range of the memory block.
Defaults
The actual caller PC is recorded for memory tracing.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
—
•
•
Command History
Usage Guidelines
Use the memory caller-address command to isolate memory problems to a specific block of memory.
In certain cases the actual caller PC of the memory allocation primitive is a known library function that is used at many places in the program. To isolate individual places in the program, configure the start and end program address of the library function, thereby recording the program address of the caller of the library function.
Note
Examples
The following examples show the address ranges configured with the memory caller-address commands, and the resulting display of the show memory-caller address command:hostname# memory caller-address 0x00109d5c 0x00109e08hostname# memory caller-address 0x009b0ef0 0x009b0f14hostname# memory caller-address 0x00cf211c 0x00cf4464hostname# show memory-caller addressMove down stack frame for the addresses:pc = 0x00109d5c-0x00109e08pc = 0x009b0ef0-0x009b0f14pc = 0x00cf211c-0x00cf4464Related Commands
memory delayed-free-poisoner enable
To enable the delayed free-memory poisoner tool, use the memory delayed-free-poisoner enable command in privileged EXEC mode. To disable the delayed free-memory poisoner tool, use the no form of this command. The delayed free-memory poisoner tool lets you monitor freed memory for changes after it has been released by an application.
memory delayed-free-poisoner enable
no memory delayed-free-poisoner enable
Syntax Description
This command has no arguments or keywords.
Defaults
The memory delayed-free-poisoner enable command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Enabling the delayed free-memory poisoner tool has a significant impact on memory usage and system performance. The command should only be used under the supervision of the Cisco TAC. It should not be run in a production environment during heavy system usage.
When you enable this tool, requests to free memory by the applications running on the security appliance are written to a FIFO queue. As each request is written to the queue, each associated byte of memory that is not required by lower-level memory management is "poisoned" by being written with the value 0xcc.
The freed memory requests remain in the queue until more memory is required by an application than is in the free memory pool. When memory is needed, the first freed memory request is pulled from the queue and the poisoned memory is validated.
If the memory is unmodified, it is returned to the lower-level memory pool and the tool reissues the memory request from the application that made the initial request. The process continues until enough memory for the requesting application is freed.
If the poisoned memory has been modified, then the system forces a crash and produces diagnostic output to determine the cause of the crash.
The delayed free-memory poisoner tool periodically performs validation on all of the elements of the queue automatically. Validation can also be started manually using the memory delayed-free-poisoner validate command.
The no form of the command causes all of the memory referenced by the requests in the queue to be returned to the free memory pool without validation and any statistical counters to be cleared.
Examples
The following example enables the delayed free-memory poisoner tool:
hostname# memory delayed-free-poisoner enableThe following is sample output when the delayed free-memory poisoner tool detects illegal memory reuse:
delayed-free-poisoner validate failed because adata signature is invalid at delayfree.c:328.heap region: 0x025b1cac-0x025b1d63 (184 bytes)memory address: 0x025b1cb4byte offset: 8allocated by: 0x0060b812freed by: 0x0060ae15Dumping 80 bytes of memory from 0x025b1c88 to 0x025b1cd7025b1c80: ef cd 1c a1 e1 00 00 00 | ........025b1c90: 23 01 1c a1 b8 00 00 00 15 ae 60 00 68 ba 5e 02 | #.........`.h.^.025b1ca0: 88 1f 5b 02 12 b8 60 00 00 00 00 00 6c 26 5b 02 | ..[...`.....l&[.025b1cb0: 8e a5 ea 10 ff ff ff ff cc cc cc cc cc cc cc cc | ................025b1cc0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc | ................025b1cd0: cc cc cc cc cc cc cc cc | ........An internal error occurred. Specifically, a programming assertion wasviolated. Copy the error message exactly as it appears, and get theoutput of the show version command and the contents of the configurationfile. Then call your technical support representative.assertion "0" failed: file "delayfree.c", line 191Table 6-1 describes the significant portion of the output.
Related Commands
memory delayed-free-poisoner validate
To force validation of all elements in the memory delayed-free-poisoner queue, use the memory delayed-free-poisoner validate command in privileged EXEC mode.
memory delayed-free-poisoner validate
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
You must enable the delayed free-memory poisoner tool using the memory delayed-free-poisoner enable command before issuing the memory delayed-free-poisoner validate command.
The memory delayed-free-poisoner validate command causes each element of the memory delayed-free-poisoner queue to be validated. If an element contains unexpected values, then the system forces a crash and produces diagnostic output to determine the cause of the crash. If no unexpected values are encountered, the elements remain in the queue and are processed normally by the tool; the memory delayed-free-poisoner validate command does not cause the memory in the queue to be returned to the system memory pool.
Note
Examples
The following example causes all elements in the memory delayed-free-poisoner queue to be validated:
hostname# memory delayed-free-poisoner validateRelated Commands
memory profile enable
To enable the monitoring of memory usage (memory profiling), use the memory profile enable command in privileged EXEC mode. To disable memory profiling, use the no form of this command.
memory profile enable peak peak_value
no memory profile enable peak peak_value
Syntax Description
Defaults
Memory profiling is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
—
•
•
Command History
Usage Guidelines
Before enabling memory profiling, you must first configure a memory text range to profile with the memory profile text command.
Some memory is held by the profiling system until you enter the clear memory profile command. See the output of the show memory status command.
Note
The following example enables memory profiling:
hostname# memory profile enableRelated Commands
memory profile text
Configures a text range of memory to profile.
show memory profile
Displays information about the memory usage (profiling) of the security appliance.
memory profile text
To configure a program text range of memory to profile, use the memory profile text command in privileged EXEC mode. To disable, use the no form of this command.
memory profile text {startPC endPC | all resolution}
no memory profile text {startPC endPC | all resolution}
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
—
•
•
Command History
Usage Guidelines
For a small text range, a resolution of "4" normally traces the call to an instruction. For a larger text range, a coarse resolution is probably enough for the first pass and the range could be narrowed down to a set of smaller regions in the next pass.
After entering the text range with the memory profile text command, you must then enter the memory profile enable command to begin memory profiling. Memory profiling is disabled by default.
Note
Examples
The following example shows how to configure a text range of memory to profile, with a resolution of 4:
hostname# memory profile text 0x004018b4 0x004169d0 4The following example displays the configuration of the text range and the status of memory profiling (OFF):
hostname# show memory profile InUse profiling: OFF Peak profiling: OFF Profile: 0x004018b4-0x004169d0(00000004)
Note
Related Commands
memory tracking enable
To enable the tracking of heap memory request, use the memory tracking enable command in privileged EXEC mode. To disable memory tracking, use the no form of this command.
memory tracking enable
no memory tracking enable
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
—
•
•
Command History
Usage Guidelines
Use the memory tracking enable command to track heap memory requests. To disable memory tracking, use the no form of this command.
Examples
The following example enables tracking heap memory requests:
hostname# memory tracking enableRelated Commands
message-length
To filter GTP packets that do not meet the configured maximum and minimum length, use the message-length command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form to remove the command.
message-length min min_bytes max max_bytes
no message-length min min_bytes max max_bytes
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
GTP map configuration
·
·
·
·
No
Command History
Usage Guidelines
The length specified by this command is the sum of the GTP header and the rest of the message, which is the payload of the UDP packet.
Examples
The following example allows messages between 20 bytes and 300 bytes in length:
hostname(config)# gtp-map qtp-policyhostname(config-gtpmap)# permit message-length min 20 max 300Related Commands
mgcp-map
To identify a specific map for defining the parameters for MGCP inspection, use the mgcp-map command in global configuration mode. To remove the map, use the no form of this command.
mgcp-map map_name
no mgcp-map map_name
Syntax Description
Defaults
The default for the MGCP command queue is 200.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the mgcp-map command to identify a specific map to use for defining the parameters for MGCP inspection. When you enter this command, the system enters a configuration mode that lets you enter the different commands used for defining the specific map. After defining the MGCP map, you use the inspect mgcp command to enable the map. You use Modular Policy Framework to apply the inspect command to a defined class of traffic and to apply the policy to a specific interface. The following are the commands available in MGCP map configuration mode.
•
•
•
•
Examples
The following example shows how to use the mgcp-map command to identify a specific map (mgcp-policy) to use for defining the parameters for MGCP inspection.
hostname(config)# mgcp-map mgcp-policyhostname(config-mgcp-policy)#The following example shows how to identify MGCP traffic, define a MGCP map, define a policy, and apply the policy to the outside interface.
You enable the MGCP inspection engine as shown in the following example, which creates a class map to match MGCP traffic on the default port (2427). The service policy is then applied to the outside interface.
hostname(config)# class-map mgcp-porthostname(config-cmap)# match port tcp eq 2427hostname(config-cmap)# exithostname(config)# mgcp-map mgcp_inboundhostname(config-mgcp-map)# call-agent 10.10.11.5 101hostname(config-mgcp-map)# call-agent 10.10.11.6 101hostname(config-mgcp-map)# call-agent 10.10.11.7 102hostname(config-mgcp-map)# call-agent 10.10.11.8 102hostname(config-mgcp-map)# gateway 10.10.10.115 101hostname(config-mgcp-map)# gateway 10.10.10.116 102hostname(config-mgcp-map)# gateway 10.10.10.117 102hostname(config-mgcp-map)# command-queue 150hostname(config)# policy-map mgcp_policyhostname(config)# mgcp-map mgcp_hostname(config-pmap)# class mgcp-porthostname(config-pmap-c)# inspect mgcp mgcp_inboundhostname(config-pmap-c)# exithostname(config)# service-policy mgcp_policy interface outsideTo enable MGCP inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
mkdir
To create a new directory, use the mkdir command in privileged EXEC mode.
mkdir [/noconfirm] [disk0: | disk1: | flash:]path
Syntax Description
Defaults
If you do not specify a path, the directory is created in the current working directory.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
If a directory with the same name already exists, then the new directory is not created.
Examples
This example shows how to make a new directory called "backup":
hostname# mkdir backupRelated Commands
mode
To set the security context mode to single or multiple, use the mode command in global configuration mode. You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context behaves like an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone appliances. In single mode, the security appliance has a single configuration and behaves as a single device. In multiple mode, you can create multiple contexts, each with its own configuration. The number of contexts allowed depends on your license.
mode {single | multiple} [noconfirm]
Syntax Description
multiple
Sets multiple context mode.
noconfirm
(Optional) Sets the mode without prompting you for confirmation. This option is useful for automated scripts.
single
Sets the context mode to single.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
In multiple context mode, the security appliance includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a stand-alone device (see the config-url command to identify the context configuration location). The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.
When you change the context mode using the mode command, you are prompted to reboot.
The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match using the mode command.
When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved. The security appliance automatically adds an entry for the admin context to the system configuration with the name "admin."
If you convert from multiple mode to single mode, you might want to first copy a full startup configuration (if available) to the security appliance; the system configuration inherited from multiple mode is not a complete functioning configuration for a single mode device.
Not all features are supported in multiple context mode. See the Cisco Security Appliance Command Line Configuration Guide for more information.
Examples
The following example sets the mode to multiple:
hostname(config)# mode multipleWARNING: This command will change the behavior of the deviceWARNING: This command will initiate a RebootProceed with change mode? [confirm] yConvert the system configuration? [confirm] yFlash Firewall mode: multiple****** --- SHUTDOWN NOW ---****** Message to all terminals:****** change modeRebooting....Booting system, please wait...The following example sets the mode to single:
hostname(config)# mode singleWARNING: This command will change the behavior of the deviceWARNING: This command will initiate a RebootProceed with change mode? [confirm] yFlash Firewall mode: single****** --- SHUTDOWN NOW ---****** Message to all terminals:****** change modeRebooting....Booting system, please wait...Related Commands
context
Configures a context in the system configuration and enters context configuration mode.
show mode
Shows the current context mode, either single or multiple.
monitor-interface
To enable health monitoring on a specific interface, use the monitor-interface command in global configuration mode. To disable interface monitoring, use the no form of this command.
monitor-interface if_name
no monitor-interface if_name
Syntax Description
Defaults
Monitoring of physical interfaces is enabled by default; monitoring of logical interfaces is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged during every interface poll frequency time period between the security appliance failover pair. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds).
Monitored failover interfaces can have the following status:
•
•
•
•
•
•
In Active/Active failover, this command is only valid within a context.
Examples
The following example enables monitoring on an interface named "inside":
hostname(config)# monitor-interface insidehostname(config)#Related Commands
more
To display the contents of a file, use the more command.
more {/ascii | /binary| /ebcdic | disk0: | disk1: | flash: | ftp: | http: | https: | system: | tftp:}filename
Syntax Description
Defaults
ACSII mode
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The more filesystem: command prompts you to enter the alias of the local directory or file systems.
Examples
This example shows how to display the contents of a local file named "test.cfg":
hostname# more test.cfg: Saved: Written by enable_15 at 10:04:01 Apr 14 2005XXX Version X.X(X)nameif vlan300 outside security10enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptedhostname testfixup protocol ftp 21fixup protocol h323 H225 1720fixup protocol h323 ras 1718-1719fixup protocol ils 389fixup protocol rsh 514fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol sip 5060fixup protocol skinny 2000namesaccess-list deny-flow-max 4096access-list alert-interval 300access-list 100 extended permit icmp any anyaccess-list 100 extended permit ip any anypager lines 24icmp permit any outsidemtu outside 1500ip address outside 172.29.145.35 255.255.0.0no asdm history enablearp timeout 14400access-group 100 in interface outside!interface outside!route outside 0.0.0.0 0.0.0.0 172.29.145.1 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00timeout uauth 0:05:00 absoluteaaa-server TACACS+ protocol tacacs+aaa-server RADIUS protocol radiusaaa-server LOCAL protocol localsnmp-server host outside 128.107.128.179snmp-server location my_context, USAsnmp-server contact admin@my_context.comsnmp-server community publicno snmp-server enable trapsfloodguard enablefragment size 200 outsideno sysopt route dnattelnet timeout 5ssh timeout 5terminal width 511gdb enablemgcp command-queue 0Cryptochecksum:00000000000000000000000000000000: endRelated Commands
cd
Changes to the specified directory.
pwd
Displays the current working directory.
mroute
To configure a static multicast route, use the mroute command in global configuration mode. To remove a static multicast route, use the no form of this command.
mroute src smask in_if_name [dense output_if_name] [distance]
no mroute src smask in_if_name [dense output_if_name] [distance]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command lets you statically configure where multicast sources are located. The security appliance expects to receive multicast packets on the same interface as it would use to send unicast packets to a specific source. In some cases, such as bypassing a route that does not support multicast routing, multicast packets may take a different path than the unicast packets.
Static multicast routes are not advertised or redistributed.
Use the show mroute command displays the contents of the multicast route table. Use the show running-config mroute command to display the mroute commands in the running configuration.
Examples
The following example shows how configure a static multicast route using the mroute command:
hostname(config)# mroute 172.16.0.0 255.255.0.0 insideRelated Commands
mtu
To specify the maximum transmission unit for an interface, use the mtu command in global configuration mode. To reset the MTU block size to 1500 for Ethernet interfaces, use the no form of this command. This command supports IPv4 and IPv6 traffic.
mtu interface_name bytes
no mtu interface_name bytes
Syntax Description
bytes
Number of bytes in the MTU; valid values are from 64 to 65,535 bytes.
interface_name
Internal or external network interface name.
Defaults
The default bytes is 1500 for Ethernet interfaces.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Usage Guidelines
The mtu command lets you to set the data size that is sent on a connection. Data that is larger than the MTU value is fragmented before being sent.
The security appliance supports IP path MTU discovery (as defined in RFC 1191), which allows a host to dynamically discover and cope with the differences in the maximum allowable MTU size of the various links along the path. Sometimes, the security appliance cannot forward a datagram because the packet is larger than the MTU that you set for the interface, but the "don't fragment" (DF) bit is set. The network software sends a message to the sending host, alerting it to the problem. The host has to fragment packets for the destination so that they fit the smallest packet size of all the links along the path.
The default MTU is 1500 bytes in a block for Ethernet interfaces (which is also the maximum). This value is sufficient for most applications, but you can pick a lower number if network conditions require it.
When using the Layer 2 Tunneling Protocol (L2TP), we recommend that you set the MTU size to 1380 to account for the L2TP header and IPSec header length.
Examples
This example shows how to specify the MTU for an interface:
hostname(config)# show running-config mtumtu outside 1500mtu inside 1500hostname(config)# mtu inside 8192hostname(config)# show running-config mtumtu outside 1500mtu inside 8192Related Commands
clear configure mtu
Clears the configured maximum transmission unit values on all interfaces.
show running-config mtu
Displays the current maximum transmission unit block size.
multicast-routing
To enable IP multicast routing on the security appliance, use the multicast routing command in global configuration mode. To disable IP multicast routing, use the no form of this command.
multicast-routing
no multicast-routing
Syntax Description
This command has no arguments or keywords.
Defaults
The multicast-routing command enables PIM and IGMP on all interfaces by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The multicast-routing command enables PIM and IGMP on all interfaces.
Note
If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as the RP address.The number of entries in the multicast routing tables are limited by the amount of RAM on the system. Table 6-1 lists the maximum number of entries for specific multicast tables based on the amount of RAM on the security appliance. Once these limits are reached, any new entries are discarded.
Table 6-2 Entry Limits for Multicast Tables
1000
3000
5000
1000
3000
5000
3000
7000
12000
Examples
The following example enables IP multicast routing on the security appliance:
hostname(config)# multicast-routingRelated Commands
name
To associate a name with an IP address, use the name command in global configuration mode. To disable the use of the text names but not remove them from the configuration, use the no form of this command.
name ip_address name
no name ip_address [name]
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable the association of a name with an IP address, use the names command. You can associate only one name with an IP address.
You must first use the names command before you use the name command. Use the name command immediately after you use the names command and before you use the write memory command.
The name command lets you identify a host by a text name and map text strings to IP addresses. The no name command allows you to disable the use of the text names but does not remove them from the configuration. Use the clear configure name command to clear the list of names from the configuration.
If you are using both ASDM and the command line to manage the security appliance, when you add a name command using the command line interface you should also add an asdm location command specifying the same IP address. If you do not, ASDM will not display the named object. For example, the following commands will cause the 10.1.1.0 network, named "finance", to appear in the Hosts/Networks list in ASDM:
hostname(config)# name finance 10.1.1.0hostname(config)# asdm location 10.1.1.0 255.255.255.0 insideTo disable displaying name values, use the no names command.
Both the name and names commands are saved in the configuration.
The name command does not support assigning a name to a network mask. For example, this command would be rejected:
hostname(config)# name 255.255.255.0 class-C-mask
Note
Examples
This example shows that the names command allows you to enable use of the name command. The name command substitutes sa_inside for references to 192.168.42.3 and sa_outside for 209.165.201.3. You can use these names with the ip address commands when assigning IP addresses to the network interfaces. The no names command disables the name command values from displaying. Subsequent use of the names command again restores the name command value display.
hostname(config)# nameshostname(config)# name 192.168.42.3 sa_insidehostname(config)# name 209.165.201.3 sa_outsidehostname(config-if)# ip address inside sa_inside 255.255.255.0hostname(config-if)# ip address outside sa_outside 255.255.255.224hostname(config)# show ip addressSystem IP Addresses:inside ip address sa_inside mask 255.255.255.0outside ip address sa_outside mask 255.255.255.224hostname(config)# no nameshostname(config)# show ip addressSystem IP Addresses:inside ip address 192.168.42.3 mask 255.255.255.0outside ip address 209.165.201.3 mask 255.255.255.224hostname(config)# nameshostname(config)# show ip addressSystem IP Addresses:inside ip address sa_inside mask 255.255.255.0outside ip address sa_outside mask 255.255.255.224Related Commands
nameif
To provide a name for an interface, use the nameif command in interface configuration mode. To remove the name, use the no form of this command. The interface name is used in all configuration commands on the security appliance instead of the interface type and ID (such as gigabitethernet0/1), and is therefore required before traffic can pass through the interface.
nameif name
no nameif
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
—
Command History
7.0
This command was changed from a global configuration command to an interface configuration mode command.
Usage Guidelines
For subinterfaces, you must assign a VLAN with the vlan command before you enter the nameif command.
You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.
Examples
The following example configures the names for two interfaces to be "inside" and "outside:"
hostname(config)# interface gigabitethernet0/1hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface gigabitethernet0/0hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address 10.1.2.1 255.255.255.0hostname(config-if)# no shutdownRelated Commands
names
To enable the association of a name with an IP address, use the names command in global configuration mode. You can associate only one name with an IP address. To disable displaying name values, use the no names command.
names
no names
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The names command is used to enable the association of a name with an IP address that you configured with the name command. The order in which you enter the name or names commands is irrelevant.
Examples
The following example shows how to enable the association of a name with an IP address:
hostname(config)# namesRelated Commands
name-separator
To specify a character as a delimiter between the e-mail and VPN username and password, use the name-separator command in the applicable e-mail proxy mode. To revert to the default, ":", use the no version of this command.
name-separator [symbol]
no name-separator
Syntax Description
symbol
(Optional) The character that separates the e-mail and VPN usernames and passwords. Choices are "@," (at) "|" (pipe), ":"(colon), "#" (hash), "," (comma), and ";" (semi-colon).
Defaults
The default is ":" (colon).
Command Modes
The following table shows the modes in which you can enter the command:
Pop3s
•
—
•
—
—
Imap4s
•
—
•
—
—
Smtps
•
—
•
—
—
Command History
Usage Guidelines
The name separator must be different from the server separator.
Examples
The following example shows how to set a hash (#) as the name separator for POP3S:
hostname(config)# pop3shostname(config-pop3s)# name-separator #Related Commands
nat
To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
For regular dynamic NAT:
nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]]] [udp udp_max_conns]
no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]]] [udp udp_max_conns]
For policy dynamic NAT and NAT exemption:
nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]]] [udp udp_max_conns]
no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]]] [udp udp_max_conns]
Syntax Description
Defaults
The default value for tcp_max_conns, emb_limit, and udp_max_conns is 0 (unlimited), which is the maximum available.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given interface that you want to translate. Then you configure a separate global command to specify the mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat command matches a global command by comparing the NAT ID, a number that you assign to each command.
The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues. The exception is when you enable NAT control using the nat-control command. NAT control requires that packets traversing from a higher security interface (inside) to a lower security interface (outside) match a NAT rule, or else processing for the packet stops. NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired.
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool can include fewer addresses than the real group. When a host you want to translate accesses the destination network, the security appliance assigns it an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out (see the timeout xlate command). Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (or PAT, even if the connection is allowed by an access list), and the security appliance rejects any attempt to connect to a real host address directly. See the static command for reliable access to hosts.
Dynamic NAT has these disadvantages:
•
Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a single address.
•
The advantage of dynamic NAT is that some protocols cannot use PAT. For example, PAT does not work with IP protocols that do not have a port to overload, such as GRE version 0. PAT also does not work with some applications that have a data stream on one port and the control path on another and are not open standard, such as some multimedia applications.
PAT translates multiple real addresses to a single mapped IP address. Specifically, the security appliance translates the real address and source port (real socket) to the mapped address and a unique port above 1024 (mapped socket). Each connection requires a separate translation, because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable.
PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the security appliance interface IP address as the PAT address. PAT does not work with some multimedia applications that have a data stream that is different from the control path.
Note
If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively, you can disable NAT control). You might want to bypass NAT, for example, if you are using an application that does not support NAT. You can use the static command to bypass NAT, or one of the following options:
•
For identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface access list allows it). Use static identity NAT or NAT exemption for this functionality.
•
Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses in an extended access list. You can also optionally specify the source and destination ports. Regular NAT can only consider the real addresses. For example, you can translate the real address to mapped address A when it accesses server A, but translate the real address to mapped address B when it accesses server B.
When you specify the ports in policy NAT for applications that require application inspection for secondary channels (FTP, VoIP, etc.), the security appliance automatically translates the secondary ports.
Note
You can alternatively configure maximum connections, maximum embryonic connections, and TCP sequence randomization using the set connection commands. If you configure these settings for the same traffic using both methods, then the security appliance uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the security appliance disables TCP sequence randomization.
If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using clear xlate command. However, clearing the translation table disconnects all of the current connections.
Examples
For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following command:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0hostname(config)# global (outside) 1 209.165.201.5hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20To translate the lower security dmz network addresses so they appear to be on the same network as the inside network (10.1.1.0), for example, to simplify routing, enter the following commands:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dnshostname(config)# global (inside) 1 10.1.1.45To identify a single real address with two different destination addresses using policy NAT, enter the following commands:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000hostname(config)# global (outside) 1 209.165.202.129hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000hostname(config)# global (outside) 2 209.165.202.130To identify a single real address/destination address pair that use different ports using policy NAT, enter the following commands:
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23hostname(config)# nat (inside) 1 access-list WEBhostname(config)# global (outside) 1 209.165.202.129hostname(config)# nat (inside) 2 access-list TELNEThostname(config)# global (outside) 2 209.165.202.130Related Commands
nat (vpn load-balancing)
To set the IP address to which NAT translates the IP address of this device, use the nat command in VPN load-balancing mode. To disable this NAT translation, use the no form of this command.
nat ip-address
no nat [ip-adddress]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
VPN load-balancing
•
—
•
—
—
Command History
Usage Guidelines
You must first use the vpn load-balancing command to enter VPN load-balancing mode.
In the no nat form of the command, if you specify the optional ip-address value, the IP address must match the existing NAT IP address in the running configuration.
Examples
The following is an example of a VPN load-balancing command sequence that includes a nat command that sets the NAT-translated address to 192.168.10.10:
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# nat 192.168.10.10hostname(config-load-balancing)# priority 9hostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# cluster port 9023hostname(config-load-balancing)# participateRelated Commandshostname(config-load-balancing)# participate
nat-control
To enforce NAT control, use the nat-control command in global configuration mode. To disable NAT control, which allows inside hosts to communicate with outside networks without configuring a NAT rule, use the no form of this command.
nat-control
no nat-control
Syntax Description
This command has no arguments or keywords.
Defaults
NAT control is disabled by default (no nat-control command).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
If nat-control is enabled, you must configure a NAT rule before an inside host can communicate with any outside networks. The no nat-control command allows inside hosts to communicate with outside networks without configuring a NAT rule. Only hosts that undergo NAT need to have a NAT rule configured.
The difference between the no nat-control command and the nat 0 (identity NAT) command is that identity NAT requires that traffic be initiated from the local host. The no nat-control command does not have this requirement, nor does it require a static command to allow communication to inside hosts.
Disabling NAT control is similar to the same security level communication feature, which allows communication between two interfaces of the same security level without configuring a NAT rule, except that the NAT control feature is between hosts instead of interfaces.
No new NAT functionality is provided with this feature. All existing NAT functionality remains the same.
Note
If you want the added security of NAT control but do not want to translate inside addresses in some cases, you can apply a NAT exemption (nat 0 access-list) or identity NAT (nat 0 or static) rule on those addresses.
When NAT control is disabled with the no-nat control command, and a NAT and a global command pair are configured for an interface, the real IP addresses cannot go out on other interfaces unless you define those destinations with the nat 0 access-list command.
For example, the following NAT is the that one you want performed when going to the outside network:
nat (inside) 1 0.0.0.0 0.0.0.0global (ouside) 1 209.165.201.2The above configuration catches everything on the inside network, so if you do not want to translate inside addresses when they go to the DMZ, then you need to match that traffic for NAT exemption, as shown in the following example:
access-list EXEMPT extended permit ip any 192.168.1.0 255.255.255.0access-list EXEMPT remark This matches any traffic going to DMZ1access-list EXEMPT extended permit ip any 10.1.1.0 255.255.255.0access-list EXEMPT remark This matches any traffic going to DMZ1nat (inside) 0 access-list EXEMPTAlternately, you can perform NAT translation on all interfaces:
nat (inside) 1 0.0.0.0 0.0.0.0gloval (outside) 1 209.165.201.2global (dmz1) 1 192.168.1.230global (dmz2) 1 10.1.1.230The following table compares the results between nat-control and no nat-control:
•
•
deny
continue
•
•
(no dynamic outside NAT)continue
continue
•
•
(dynamic outside NAT)1deny
continue
1 Dynamic outside NAT is enabled at an interface if a nat command with the keyword outside is associated with the interface
Two NAT policies are used to perform address translation on each packet that traverses the security appliance, an inside NAT policy and an outside NAT policy. If the nat-control command is enabled, each inside address must have an inside NAT rule before communication is permitted through the security appliance. Additionally, if outside dynamic NAT is enabled on an interface, each outside address must have an outside NAT rule before communication is permitted through the security appliance.
If the no nat-control command is configured and no NAT policy matches, an address rewrite is not performed and processing continues. The default is NAT control disabled (no nat-control command).
Note: To ensure backward compatibility, the nat-control command is automatically enabled if the startup configuration is six or lower.
Examples
The following example enables nat-control:
hostname(config)# nat-controlRelated Commands
nat
Defines an address on one interface that is translated to a global address on another interface.
show running-config nat-control
Shows the NAT configuration requirement.
nbns-server
To configure an NBNS server, use the nbns-server command in webvpn mode. To remove the NBNS server from the configuration, use the no form of this command.
The security appliance queries NBNS servers to map NetBIOS names to IP addresses. WebVPN requires NetBIOS to access or share files on remote systems.
nbns-server {ipaddr or hostname} [master] [timeout timeout] [retry retries]
no nbns-server
Syntax Description
Defaults
No NBNS server is configured by default.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Command History
Usage Guidelines
Maximum of 3 server entries. The first server you configure is the primary server, and the others are backups, for redundancy.
Use the no option to remove the matching entry from the configuration.
Examples
The following example shows how to configure an NBNS server that is a master browser with an IP address of 10.10.10.19, a timeout value of 10 seconds, and 8 retries. It also shows how to configure an NBNS WINS server with an IP address of 10.10.10.24, a timeout value of 15 seconds, and 8 retries.
hostname(config)# webvpnhostname(config-webvpn)# nbns-server 10.10.10.19 master timeout 10 retry 8hostname(config-webvpn)# nbns-server 10.10.10.24 timeout 15 retry 8
neighbor
To define a static neighbor on a point-to-point, non-broadcast network, use the neighbor command in router configuration mode. To remove the statically defined neighbor from the configuration, use the no form of this command. The neighbor command is used to advertise OSPF routes over VPN tunnels.
neighbor ip_address [interface name]
no neighbor ip_address [interface name]
Syntax Description
interface name
(Optional) The interface name, as specified by the nameif command, through which the neighbor can be reached.
ip_address
IP address of the neighbor router.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
One neighbor entry must be included for each known non-broadcast network neighbor. The neighbor address must be on the primary address of the interface.
The interface option needs to be specified when the neighbor is not on the same network as any of the directly connected interfaces of the system. Additionally, a static route must be created to reach the neighbor.`
Examples
The following example defines a neighbor router with an address of 192.168.1.1:
hostname(config-router)# neighbor 192.168.1.1Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
nem
To enable network extension mode for hardware clients, use the nem enable command in group-policy configuration mode. To disable NEM, use the nem disable command. To remove the NEM attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy.
nem {enable | disable}
no nem
Syntax Description
Defaults
Network extension mode is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Usage Guidelines
Network Extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPSec encapsulates all traffic from the private network behind the hardware client to networks behind the security appliance. PAT does not apply. Therefore, devices behind the security appliance have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.
Command History
Examples
The following example shows how to set NEM for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# nem enable
network area
To define the interfaces on which OSPF runs and to define the area ID for those interfaces, use the network area command in router configuration mode. To disable OSPF routing for interfaces defined with the address/netmask pair, use the no form of this command.
network addr mask area area_id
no network addr mask area area_id
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
For OSPF to operate on the interface, the address of the interface must be covered by the network area command. If the network area command does not cover the IP address of the interface, it will not enable OSPF over that interface.
There is no limit to the number of network area commands you can use on the security appliance.
Examples
The following example enables OSPF on the 192.168.1.1 interface and assigns it to area 2:
hostname(config-router)# network 192.168.1.1 255.255.255.0 area 2Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
network-object
To add a network object to a network object group, use the network-object command in network configuration mode. To remove network objects, use the no form of this command.
network-object host host_addr | host_name
no network-object host host_addr | host_name
network-object net_addr netmask
no network-object net_addr netmask
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Network configuration
•
•
•
•
—
Command History
Usage Guidelines
The network-object command is used with the object-group command to define a host or a subnet object in network configuration mode.
Examples
The following example shows how to use the network-object command in network configuration mode to create a new network object group:
hostname(config)# object-group network sjj_eng_ftp_servershostname(config-network)# network-object host sjj.eng.ftphostname(config-network)# network-object host 172.16.56.195hostname(config-network)# network-object 192.168.1.0 255.255.255.224hostname(config-network)# group-object sjc_eng_ftp_servershostname(config-network)# quithostname(config)#Related Commands
nt-auth-domain-controller
To specify the name of the NT Primary Domain Controller for this server, use the nt-auth-domain-controller command in AAA-server host mode. To remove this specification, use the no form of this command:
nt-auth-domain-controller string
no nt-auth-domain-controller
Syntax Description
string
Specify the name, up to 16 characters long, of the Primary Domain Controller for this server.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server host
•
•
•
•
—
Command History
Usage Guidelines
This command is valid only for NT Authentication AAA servers. You must have first used the aaa-server host command to enter host configuration mode. The name in the string variable must match the NT entry on the server itself.
Examples
The following example configures the name of the NT Primary Domain Controller for this server as "primary1".
hostname(config)# aaa-server svrgrp1 protocol nthostname(configaaa-sesrver-group)# aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)# nt-auth-domain-controller primary1Related Commands
ntp authenticate
To enable authentication with an NTP server, use the ntp authenticate command in global configuration mode. To disable NTP authentication, use the no form of this command.
ntp authenticate
no ntp authenticate
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
If you enable authentication, the security appliance only communicates with an NTP server if it uses the correct trusted key in the packets (see the ntp trusted-key command). The security appliance also uses an authentication key to synchronize with the NTP server (see the ntp authentication-key command).
Examples
The following example configures the security appliance to synchronize only to systems that provide authentication key 42 in their NTP packets:
hostname(config)# ntp authenticatehostname(config)# ntp authentication-key 42 md5 aNiceKeyhostname(config)# ntp trusted-key 42Related Commands
ntp authentication-key
To set a key to authenticate with an NTP server, use the ntp authentication-key command in global configuration mode. To remove the key, use the no form of this command.
ntp authentication-key key_id md5 key
no ntp authentication-key key_id [md5 key]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
To use NTP authentication, also configure the ntp authenticate command.
Examples
The following example enables authentications, identifies trusted key IDs 1 and 2, and sets authentication keys for each trusted key ID:
hostname(config)# ntp authenticatehostname(config)# ntp trusted-key 1hostname(config)# ntp trusted-key 2hostname(config)# ntp authentication-key 1 md5 aNiceKeyhostname(config)# ntp authentication-key 2 md5 aNiceKey2Related Commands
ntp server
To identify an NTP server to set the time on the security appliance, use the ntp server command in global configuration mode. To remove the server, use the no form of this command. You can identify multiple servers; the security appliance uses the most accurate server. In multiple context mode, set the NTP server in the system configuration only.
ntp server ip_address [key key_id] [source interface_name] [prefer]
no ntp server ip_address [key key_id] [source interface_name] [prefer]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Examples
The following example identifies two NTP servers and enables authentication for the key IDs 1 and 2:
hostname(config)# ntp server 10.1.1.1 key 1 preferhostname(config)# ntp server 10.2.1.1 key 2hostname(config)# ntp authenticatehostname(config)# ntp trusted-key 1hostname(config)# ntp trusted-key 2hostname(config)# ntp authentication-key 1 md5 aNiceKeyhostname(config)# ntp authentication-key 2 md5 aNiceKey2Related Commands
ntp trusted-key
To specify an authentication key ID to be a trusted key, which is required for authentication with an NTP server, use the ntp trusted-key command in global configuration mode. To remove the trusted key, use the no form of this command. You can enter multiple trusted keys for use with multiple servers.
ntp trusted-key key_id
no ntp trusted-key key_id
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
To use NTP authentication, also configure the ntp authenticate command. To synchronize with a server, set the authentication key for the key ID using the ntp authentication-key command.
Examples
The following example enables authentications, identifies trusted key IDs 1 and 2, and sets authentication keys for each trusted key ID:
hostname(config)# ntp authenticatehostname(config)# ntp trusted-key 1hostname(config)# ntp trusted-key 2hostname(config)# ntp authentication-key 1 md5 aNiceKeyhostname(config)# ntp authentication-key 2 md5 aNiceKey2Related Commands
object-group
To define object groups that you can use to optimize your configuration, use the object-group command in global configuration mode. Use the no form of this command to remove object groups from the configuration. This command supports IPv4 and IPv6 addresses.
object-group {protocol | network | icmp-type} obj_grp_id
no object-group {protocol | network | icmp-type} obj_grp_id
object-group service obj_grp_id {tcp | udp | tcp-udp}
no object-group service obj_grp_id {tcp | udp | tcp-udp}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Objects such as hosts, protocols, or services can be grouped, and then you can issue a single command using the group name to apply to every item in the group.
When you define a group with the object-group command and then use any security appliance command, the command applies to every item in that group. This feature can significantly reduce your configuration size.
Once you define an object group, you must use the object-group keyword before the group name in all applicable security appliance commands as follows:
hostname# show running-config object-group group_namewhere group_name is the name of the group.
This example shows the use of an object group once it is defined:
hostname(config)# access-list access_list_name permit tcp any object-group group_nameIn addition, you can group access list command arguments:
protocol
object-group protocol
host and subnet
object-group network
service
object-group service
icmp_type
object-group icmp_type
You can group commands hierarchically; an object group can be a member of another object group.
To use object groups, you must do the following:
•
hostname(config)# access-list acl permit tcp object-group remotes object-group locals object-group eng_svcwhere remotes and locals are sample object group names.
•
•
After you enter a main object-group command, the command mode changes to its corresponding mode. The object group is defined in the new mode. The active mode is indicated in the command prompt format. For example, the prompt in the configuration terminal mode appears as follows:
hostname(config)#where hostname is the name of the security appliance.
However, when you enter the object-group command, the prompt appears as follows:
hostname(config-type)#where hostname is the name of the security appliance, and type is the object-group type.
Use the exit, quit, or any valid config-mode commands such as access-list to close an object-group mode and exit the object-group main command.
The show running-config object-group command displays all defined object groups by their grp_id when the show running-config object-group grp_id command is entered, and by their group type when you enter the show running-config object-group grp_type command. When you enter the show running-config object-group command without an argument, all defined object groups are shown.
Use the clear configure object-group command to remove a group of previously defined object-group commands. Without an argument, the clear configure object-group command lets you to remove all defined object groups that are not being used in a command. The grp_type argument removes all defined object groups that are not being used in a command for that group type only.
You can use all other security appliance commands in an object-group mode, including the show running-config and clear configure commands.
Commands within the object-group mode appear indented when displayed or saved by the show running-config object-group, write, or config commands.
Commands within the object-group mode have the same command privilege level as the main command.
When you use more than one object group in an access-list command, the elements of all object groups that are used in the command are linked together, starting with the elements of the first group with the elements of the second group, then the elements of the first and second groups together with the elements of the third group, and so on.
The starting position of the description text is the character right after the white space (a blank or a tab) following the description keyword.
Examples
The following example shows how to use the object-group icmp-type mode to create a new icmp-type object group:
hostname(config)# object-group icmp-type icmp-allowedhostname(config-icmp-type)# icmp-object echohostname(config-icmp-type)# icmp-object time-exceededhostname(config-icmp-type)# exitThe following example shows how to use the object-group network command to create a new network object group:
hostname(config)# object-group network sjc_eng_ftp_servershostname(config-network)# network-object host sjc.eng.ftp.servcershostname(config-network)# network-object host 172.23.56.194hostname(config-network)# network-object 192.1.1.0 255.255.255.224hostname(config-network)# exitThe following example shows how to use the object-group network command to create a new network object group and map it to an existing object-group:
hostname(config)# object-group network sjc_ftp_servershostname(config-network)# network-object host sjc.ftp.servershostname(config-network)# network-object host 172.23.56.195hostname(config-network)# network-object 193.1.1.0 255.255.255.224hostname(config-network)# group-object sjc_eng_ftp_servershostname(config-network)# exitThe following example shows how to use the object-group protocol mode to create a new protocol object group:
hostname(config)# object-group protocol proto_grp_1hostname(config-protocol)# protocol-object udphostname(config-protocol)# protocol-object ipsechostname(config-protocol)# exithostname(config)# object-group protocol proto_grp_2hostname(config-protocol)# protocol-object tcphostname(config-protocol)# group-object proto_grp_1hostname(config-protocol)# exitThe following example shows how to use the object-group service mode to create a new port (service) object group:
hostname(config)# object-group service eng_service tcphostname(config-service)# group-object eng_www_servicehostname(config-service)# port-object eq ftphostname(config-service)# port-object range 2000 2005hostname(config-service)# exitThe following example shows how to add and remove a text description to an object group:
hostname(config)# object-group protocol protos1hostname(config-protocol)# description This group of protocols is for our internal networkhostname(config-protocol)# show running-config object-group id protos1object-group protocol protos1description: This group of protocols is for our internal networkhostname(config-protocol)# no descriptionhostname(config-protocol)# show running-config object-group id protos1object-group protocol protos1The following example shows how to use the group-object mode to create a new object group that consists of previously defined objects:
hostname(config)# object-group network host_grp_1hostname(config-network)# network-object host 192.168.1.1hostname(config-network)# network-object host 192.168.1.2hostname(config-network)# exithostname(config)# object-group network host_grp_2hostname(config-network)# network-object host 172.23.56.1hostname(config-network)# network-object host 172.23.56.2hostname(config-network)# exithostname(config)# object-group network all_hostshostname(config-network)# group-object host_grp_1hostname(config-network)# group-object host_grp_2hostname(config-network)# exithostname(config)# access-list grp_1 permit tcp object-group host_grp_1 any eq ftphostname(config)#access-list grp_2 permit tcp object-group host_grp_2 any eq smtphostname(config)#access-list all permit tcp object-group all_hosts any eq wwwWithout the group-object command, you need to define the all_hosts group to include all the IP addresses that have already been defined in host_grp_1 and host_grp_2. With the group-object command, the duplicated definitions of the hosts are eliminated.
The following examples show how to use object groups to simplify the access list configuration:
hostname(config)# object-group network remotehostname(config-network)# network-object host kqk.suu.dri.ixxhostname(config-network)# network-object host kqk.suu.pyl.gnlhostname(config)# object-group network localshostname(config-network)# network-object host 172.23.56.10hostname(config-network)# network-object host 172.23.56.20hostname(config-network)# network-object host 172.23.56.194hostname(config-network)# network-object host 172.23.56.195hostname(config)# object-group service eng_svc ftphostname(config-service)# port-object eq wwwhostname(config-service)# port-object eq smtphostname(config-service)# port-object range 25000 25100This grouping enables the access list to be configured in 1 line instead of 24 lines, which would be needed if no grouping is used. Instead, with the grouping, the access list configuration is as follows:
hostname(config)# access-list acl permit tcp object-group remote object-group locals object-group eng_svc
Note
Related Commands
ospf authentication
To enable the use of OSPF authentication, use the ospf authentication command in interface configuration mode. To restore the default authentication stance, use the no form of this command.
ospf authentication [message-digest | null]
no ospf authentication
Syntax Description
message-digest
(Optional) Specifies to use OSPF message digest authentication.
null
(Optional) Specifies to not use OSPF authentication.
Defaults
By default, OSPF authentication is not enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
Before using the ospf authentication command, configure a password for the interface using the ospf authentication-key command. If you use the message-digest keyword, configure the message-digest key for the interface with the ospf message-digest-key command.
For backward compatibility, authentication type for an area is still supported. If the authentication type is not specified for an interface, the authentication type for the area will be used (the area default is null authentication).
When this command is used without any options, simple password authentication is enabled.
Examples
The following example shows how to enable simple password authentication for OSPF on the selected interface:
hostname(config-if)# ospf authenticationhostname(config-if)#Related Commands
ospf authentication-key
Specifies the password used by neighboring routing devices.
ospf message-digest-key
Enables MD5 authentication and specifies the MD5 key.
ospf authentication-key
To specify the password used by neighboring routing devices, use the ospf authentication-key command in interface configuration mode. To remove the password, use the no form of this command.
ospf authentication-key password
no ospf authentication-key
Syntax Description<
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
The password created by this command is used as a key that is inserted directly into the OSPF header when routing protocol packets are originated. A separate password can be assigned to each network on a per-interface basis. All neighboring routers on the same network must have the same password to be able to exchange OSPF information.
ExamplesNote
The following example shows how to specify a password for OSPF authentication:
hostname(config-if)# ospf authentication-key ThisMyPWRelated Commands
area authentication
Enables OSPF authentication for the specified area.
ospf authentication
Enables the use of OSPF authentication.
ospf cost
To specify the cost of sending a packet through the interface, use the ospf cost command in interface configuration mode. To reset the interface cost to the default value, use the no form of this command.
ospf cost interface_cost
no ospf cost
Syntax Description
Defaults
The default interface_cost is 10.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
The ospf cost command lets you explicitly specify the cost of sending a packet on an interface. The interface_cost parameter is an unsigned integer value from 0 to 65535.
The no ospf cost command allows you to reset the path cost to the default value.
Examples
The following example show how to specify the cost of sending a packet on the selected interface:
hostname(config-if)# ospf cost 4Related Commands
show running-config interface
Displays the configuration of the specified interface.
ospf database-filter
To filter out all outgoing LSAs to an OSPF interface during synchronization and flooding, use the ospf database-filter command in interface configuration mode. To restore the LSAs, use the no form of this command.
ospf database-filter all out
no ospf database-filter all out
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
The ospf database-filter command filters outgoing LSAs to an OSPF interface. The no ospf database-filter all out command restores the forwarding of LSAs to the interface.
Examples
The following example shows how to use the ospf database-filter command to filter outgoing LSAs:
hostname(config-if)# ospf database-filter all outRelated Commands
ospf dead-interval
To specify the interval before neighbors declare a router down, use the ospf dead-interval command in interface configuration mode. To restore the default value, use the no form of this command.
ospf dead-interval seconds
no ospf dead-interval
Syntax Description
seconds
The length of time during which no hello packets are seen. The default for seconds is four times the interval set by the ospf hello-interval command (which ranges from 1 to 65535).
Defaults
The default value for seconds is four times the interval set by the ospf hello-interval command.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
The ospf dead-interval command lets you set the dead interval before neighbors to declare the router down (the length of time during which no hello packets are seen). The seconds argument specifies the dead interval and must be the same for all nodes on the network. The default for seconds is four times the interval set by the ospf hello-interval command from 1 to 65535.
The no ospf dead-interval command lets restores the default interval value.
Examples
The following example sets the OSPF dead interval to 1 minute:
hostname(config-if)# ospf dead-interval 60Related Commands
ospf hello-interval
Specifies the interval between hello packets sent on an interface.
show ospf interface
Displays OSPF-related interface information.
ospf hello-interval
To specify the interval between hello packets sent on an interface, use the ospf hello-interval command in interface configuration mode. To return the hello interval to the default value, use the no form of this command.
ospf hello-interval seconds
no ospf hello-interval
Syntax Description
seconds
Specifies the interval between hello packets that are sent on the interface; valid values are from 1 to 65535 seconds.
Defaults
The default value for hello-interval seconds is 10 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
This value is advertised in the hello packets. The smaller the hello interval, the faster topological changes will be detected, but more routing traffic will ensue. This value must be the same for all routers and access servers on a specific network.
Examples
The following example sets the OSPF hello interval to 5 seconds:
hostname(config-if)# ospf hello-interval 5Related Commands
ospf dead-interval
Specifies the interval before neighbors declare a router down.
show ospf interface
Displays OSPF-related interface information.
ospf message-digest-key
To enable OSPF MD5 authentication, use the ospf message-digest-key command in interface configuration mode. To remove an MD5 key, use the no form of this command.
ospf message-digest-key key-id md5 key
no ospf message-digest-key
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
The ospf message-digest-key command lets you enable MD5 authentication. The no form of the command let you remove an old MD5 key. key_id is a numerical identifier from 1 to 255 for the authentication key. key is an alphanumeric password of up to 16 bytes. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.
Examples
The following example shows how to specify an MD5 key for OSPF authentication:
hostname(config-if)# ospf message-digest-key 3 md5 ThisIsMyMd5KeyRelated Commands
area authentication
Enables OSPF area authentication.
ospf authentication
Enables the use of OSPF authentication.
ospf mtu-ignore
To disable OSPF maximum transmission unit (MTU) mismatch detection on receiving database packets, use the ospf mtu-ignore command in interface configuration mode. To restore MTU mismatch detection, use the no form of this command.
ospf mtu-ignore
no ospf mtu-ignore
Syntax Description
This command has no arguments or keywords.
Defaults
By default, ospf mtu-ignore is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
OSPF checks whether neighbors are using the same MTU on a common interface. This check is performed when neighbors exchange Database Descriptor (DBD) packets. If the receiving MTU in the DBD packet is higher than the IP MTU configured on the incoming interface, OSPF adjacency will not be established.The ospf mtu-ignore command disables OSPF MTU mismatch detection on receiving DBD packets. It is enabled by default.
Examples
The following example shows how to disable the ospf mtu-ignore command:
hostname(config-if)# ospf mtu-ignoreRelated Commands
ospf network point-to-point non-broadcast
To configure the OSPF interface as a point-to-point, non-broadcast network, use the ospf network point-to-point non-broadcast command in interface configuration mode. To remove this command from the configuration, use the no form of this command. The ospf network point-to-point non-broadcast command lets you to transmit OSPF routes over VPN tunnels.
ospf network point-to-point non-broadcast
no ospf network point-to-point non-broadcast
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
When the interface is specified as point-to-point, the OSPF neighbors have to be manually configured; dynamic discovery is not possible. To manually configure OSPF neighbors, use the neighbor command in router configuration mode.
When an interface is configured as point-to-point, the following restrictions apply:
•
•
•
•
•
Examples
The following example shows how to configure the selected interface as a point-to-point, non-broadcast interface:
hostname(config-if)# ospf network point-to-point non-broadcasthostname(config-if)#Related Commands
neighbor
Specifies manually configured OSPF neighbors.
show interface
Displays interface status information.
ospf priority
To change the OSPF router priority, use the ospf priority command in interface configuration mode. To restore the default priority, use the no form of this command.
ospf priority number
no ospf priority [number]
Syntax Description
Defaults
The default value for number is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
When two routers attached to a network both attempt to become the designated router, the one with the higher router priority takes precedence. If there is a tie, the router with the higher router ID takes precedence. A router with a router priority set to zero is ineligible to become the designated router or backup designated router. Router priority is configured only for interfaces to multiaccess networks (in other words, not to point-to-point networks).
Examples
The following example shows how to change the OSPF priority on the selected interface:
hostname(config-if)# ospf priority 4hostname(config-if)#Related Commands
ospf retransmit-interval
To specify the time between LSA retransmissions for adjacencies belonging to the interface, use the ospf retransmit-interval command in interface configuration mode. To restore the default value, use the no form of this command.
ospf retransmit-interval seconds
no ospf retransmit-interval [seconds]
Syntax Description
seconds
Specifies the time between LSA retransmissions for adjacent routers belonging to the interface; valid values are from 1 to 65535 seconds.
Defaults
The default value of retransmit-interval seconds is 5 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgment message. If the router receives no acknowledgment, it will re-send the LSA.
The setting of this parameter should be conservative, or needless retransmission will result. The value should be larger for serial lines and virtual links.
Examples
The following example shows how to change the retransmit interval for LSAs:
hostname(config-if)# ospf retransmit-interval 15hostname(config-if)#Related Commands
ospf transmit-delay
To set the estimated time required to send a link-state update packet on the interface, use the ospf transmit-delay command in interface configuration mode. To restore the default value, use the no form of this command.
ospf transmit-delay seconds
no ospf transmit-delay [seconds]
Syntax Description
seconds
Sets the estimated time required to send a link-state update packet on the interface. The default value is 1 second with a range from 1 to 65535 seconds.
Defaults
The default value of seconds is 1 second.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
LSAs in the update packet must have their ages incremented by the amount specified in the seconds argument before transmission. The value assigned should take into account the transmission and propagation delays for the interface.
If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. This setting has more significance on very low-speed links.
Examples
The following example sets the transmit delay to 3 seconds for the selected interface:
hostname(config-if)# ospf restransmit-delay 3hostname(config-if)#Related Commands
outstanding
To limit the number of unauthenticated e-mail proxy sessions, use the outstanding command in the applicable e-mail proxy mode. To remove the attribute from the configuration, use the no version of this command, which permits an unlimited number of unauthenticated sessions. Use this command to limit DOS attacks on the e-mail ports.
E-mail proxy connections have three states:
1.
2.
3.
If the number of connections in the unauthenticated state exceeds the configured limit, the security appliance terminates the oldest unauthenticated connection, preventing overload. It does not terminate authenticated connections.
outstanding {number}
no outstanding
Syntax Description
Defaults
The default is 20.
Command Modes
The following table shows the modes in which you can enter the command:
Pop3s
•
•
—
—
•
Imap4s
•
•
—
—
•
Smtps
•
•
—
—
•
Command History
Examples
The following example shows how to set a limit of 12 unauthenticated sessions for POP3S e-mail proxy.
hostname(config)# pop3shostname(config-pop3s)# outstanding 12
participate
To force the device to participate in the virtual load-balancing cluster, use the participate command in VPN load-balancing mode. To remove a device from participation in the cluster, use the no form of this command.
participate
no participate
Syntax Description
This command has no arguments or keywords.
Defaults
The default behavior is that the device does not participate in the vpn load-balancing cluster.
Command Modes
The following table shows the modes in which you can enter the command:
VPN load-balancing
•
—
•
—
—
Command History
Usage Guidelines
You must first configure the interface using the interface and nameif commands, and use the vpn load-balancing command to enter VPN load-balancing mode. You must also have previously configured the cluster IP address using the cluster ip command and configured the interface to which the virtual cluster IP address refers.
This command forces this device to participate in the virtual load-balancing cluster. You must explicitly issue this command to enable participation for a device.
All devices that participate in a cluster must share the same cluster-specific values: ip address, encryption settings, encryption key, and port.
Note
If isakmp was enabled when you configured the cluster encryption command, but was disabled before you configured the participate command, you get an error message when you enter the participate command, and the local device will not participate in the cluster.Examples
The following is an example of a VPN load-balancing command sequence that includes a participate command that enables the current device to participate in the vpn load-balancing cluster:
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# participatehostname(config-load-balancing)#Related Commandshostname(config-load-balancing)# participate
passwd
To set the login password, use the passwd command in global configuration mode. To set the password back to the default of "cisco," use the no form of this command. You are prompted for the login password when you access the CLI as the default user using Telnet or SSH. After you enter the login password, you are in user EXEC mode.
{passwd | password} password [encrypted]
no {passwd | password} password
Syntax Description
Defaults
The default password is "cisco."
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
This login password is for the default user. If you configure CLI authentication per user for Telnet or SSH using the aaa authentication console command, then this password is not used.
Examples
The following example sets the password to Pa$$w0rd:
hostname(config)# passwd Pa$$w0rdThe following example sets the password to an encrypted password that you copied from another security appliance:
hostname(config)# passwd jMorNbK0514fadBh encryptedRelated Commands
password (crypto ca trustpoint)
To specify a challenge phrase that is registered with the CA during enrollment, use the password command in crypto ca trustpoint configuration mode. The CA typically uses this phrase to authenticate a subsequent revocation request. To restore the default setting, use the no form of the command.
password string
no password
Syntax Description
Defaults
The default setting is to not include a password.
Command Modes
The following table shows the modes in which you can enter the
Crypto ca trustpoint configuration
•
•
•
•
•
command:
Command History
Usage Guidelines
This command lets you specify the revocation password for the certificate before actual certificate enrollment begins. The specified password is encrypted when the updated configuration is written to NVRAM by the security appliance.
If this command is enabled, you will not be prompted for a password during certificate enrollment.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes a challenge phrase registered with the CA in the enrollment request for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# password zzxxyyhostname(ca-trustpoint)#Related Commands
crypto ca trustpoint
Enters trustpoint configuration mode.
default enrollment
Returns enrollment parameters to their defaults.
password-prompt
To configure the prompt that requests the password for initial login to WebVPN, use the password-prompt command in webvpn mode. To revert to the default, "Password:," use the no form of this command.
password-prompt [prompt]
no password-prompt
Syntax Description
prompt
(Optional) Specifies the string that prompts users to enter a password. Maximum 16 characters.
Defaults
The default prompt is "Password:"
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Command History
Examples
The following example shows how to configure the password prompt, "Enter Password:"
hostname(config)# webvpnhostname(config-webvpn)# password-prompt Enter Password:
password-storage
To let users store their login passwords on the client system, use the password-storage enable command in group-policy configuration mode or username configuration mode. To disable password storage, use the password-storage disable command.
To remove the password-storage attribute from the running configuration, use the no form of this command. This enables inheritance of a value for password-storage from another group policy.
password-storage {enable | disable}
no password-storage
Syntax Description
Defaults
Password storage is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Username
•
—
•
—
—
Command History
Usage Guidelines
Enable password storage only on systems that you know to be in secure sites.
This command has no bearing on interactive hardware client authentication or individual user authentication for hardware clients.
Examples
The following example shows how to enable password storage for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# password-storage enable
peer-id-validate
To specify whether to validate the identity of the peer using the peer's certificate, use the peer-id-validate command in tunnel-group ipsec-attributes mode. To return to the default value, use the no form of this command.
peer-id-validate option
no peer-id-validate
Syntax Description
option
Specifies one of the following options:
•
•
•
Defaults
The default setting for this command is req.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ipsec attributes
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute to all tunnel-group types.
Examples
The following example entered in config-ipsec configuration mode, requires validating the peer using the identity of the peer's certificate for the IPSec LAN-to-LAN tunnel group named 209.165.200.225:
hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2Lhostname(config)# tunnel-group 209.165.200.225 ipsec-attributeshostname(config-ipsec)# peer-id-validate reqhostname(config-ipsec)#Related Commands
perfmon
To display performance information, use the perfmon command in privileged EXEC mode.
perfmon {verbose | interval seconds | quiet | settings}
Syntax Description
Defaults
The seconds is 120 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
·
·
·
·
Command History
Usage Guidelines
The perfmon command allows you to monitor the performance of the security appliance. Use the show perfmon command to display the information immediately. Use the perfmon verbose command to display the information every 2 minutes continuously. Use the perfmon interval seconds command with the perfmon verbose command to display the information continuously every number of seconds that you specify.
An example of the performance information is displayed as follows:
This information lists the number of translations, connections, Websense requests, address translations (called "fixups"), and AAA transactions that occur each second.
Examples
This example shows how to display the performance monitor statistics every 30 seconds on the security appliance console:
hostname(config)# perfmon interval 120hostname(config)# perfmon quiethostname(config)# perfmon settingsinterval: 120 (seconds)quietRelated Commands
periodic
To specify a recurring (weekly) time range for functions that support the time-range feature, use the periodic command in time-range configuration mode. To disable, use the no form of this command.
periodic days-of-the-week time to [days-of-the-week] time
no periodic days-of-the-week time to [days-of-the-week] time
Syntax Description
Defaults
If a value is not entered with the periodic command, access to the security appliance as defined with the time-range command is in effect immediately and always on.
Command Modes
The following table shows the modes in which you can enter the command:
Time-range configuration
•
•
•
•
—
Command History
Usage Guidelines
To implement a time-based ACL, use the time-range command to define specific times of the day and week. Then use the with the access-list extended time-range command to bind the time range to an ACL.
The periodic command is one way to specify when a time range is in effect. Another way is to specify an absolute time period with the absolute command. Use either of these commands after the time-range global configuration command, which specifies the name of the time range. Multiple periodic entries are allowed per time-range command.
If the end days-of-the-week value is the same as the start value, you can omit them.
If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.
The time-range feature relies on the system clock of the security appliance; however, the feature works best with NTP synchronization.
Examples
Some examples follow:
The following example shows how to allow access to the security appliance on Monday through Friday, 8:00 a.m. to 6:00 p.m. only:
hostname(config-time-range)# periodic weekdays 8:00 to 18:00hostname(config-time-range)#The following example shows how to allow access to the security appliance on specific days (Monday, Tuesday, and Friday), 10:30 a.m. to 12:30 p.m.:
hostname(config-time-range)# periodic Monday Tuesday Friday 10:30 to 12:30hostname(config-time-range)#Related Commands
permit errors
To allow invalid GTP packets or packets that otherwise would fail parsing and be dropped, use the permit errors command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form of this command to remove the command.
permit errors
no permit errors
Syntax Description
This command has no arguments or keywords.
Defaults
By default, all invalid packets or packets that failed, during parsing, are dropped.
Command Modes
The following table shows the modes in which you can enter the command:
GTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the permit errors command in GTP map configuration mode to allow any packets that are invalid or encountered an error during inspection of the message to be sent through the security appliance instead of being dropped.
Examples
The following example permits traffic containing invalid packets or packets that failed, during parsing:
hostname(config)# gtp-map qtp-policyhostname(config-gtpmap)# permit errorsRelated Commands
permit response
To support load-balancing GSNs, use the permit response command in GTP map configuration mode, which is accessed by using the gtp-map command. The permit response command supports load-balancing GSNs by allowing GTP responses from a different GSN than the response was sent to. Use the no form of this command to remove the command.
permit response to-object-group to_obj_group_id from-object-group from_obj_group_id
no permit response to-object-group to_obj_group_id from-object-group from_obj_group_id
Syntax Description
Defaults
By default, the security appliance drops GTP responses from GSNs other than the host to which the request was sent.
Command Modes
The following table shows the modes in which you can enter the command:
GTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the permit response command in GTP map configuration mode to support load-balancing GSNs. The permit response command configures the GTP map to allow GTP responses from a different GSN than the response was sent to.
You identify the pool of load-balancing GSNs as a network object. Likewise, you identify the SGSN as a network object. If the GSN responding belongs to the same object group as the GSN that the GTP request was sent to and if the SGSN is in a object group that the responding GSN is permitted to send a GTP response to, the security appliance permits the response.
Examples
The following example permits GTP responses from any host on the 192.168.32.0 network to the host with the IP address 192.168.112.57:
hostname(config)# object-group network gsnpool32hostname(config-network)# network-object 192.168.32.0 255.255.255.0hostname(config)# object-group network sgsn1hostname(config-network)# network-object host 192.168.112.57hostname(config-network)# exithostname(config)# gtp-map qtp-policyhostname(config-gtpmap)# permit response to-object-group sgsn1 from-object-group gsnpool32Related Commands
pfs
To enable PFS, use the pfs enable command in group-policy configuration mode. To disable PFS, use the pfs disable command. To remove the PFS attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for PFS from another group policy.
In IPSec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key.
pfs {enable | disable}
no pfs
Syntax Description
Defaults
PFS is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Command History
Usage Guidelines
The PFS setting on the VPN Client and the security appliance must match.
Examples
The following example shows how to set PFS for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# pfs enable
pim
To re-enable PIM on an interface, use the pim command in interface configuration mode. To disable PIM, use the no form of this command.
pim
no pim
Syntax Description
This command has no arguments or keywords.
Defaults
The multicast-routing command enables PIM on all interfaces by default.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
The multicast-routing command enables PIM on all interfaces by default. Only the no form of the pim command is saved in the configuration.
Note
Examples
The following example disables PIM on the selected interface:
hostname(config-if)# no pimRelated Commands
pim accept-register
To configure the security appliance to filter PIM register messages, use the pim accept-register command in global configuration mode. To remove the filtering, use the no form of this command.
pim accept-register {list acl | route-map map-name}
no pim accept-register
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command is used to prevent unauthorized sources from registering with the RP. If an unauthorized source sends a register message to the RP, the security appliance will immediately send back a register-stop message.
Examples
The following example restricts PIM register messages to those from sources defined in the access list named "no-ssm-range":
hostname(config)# pim accept-register list no-ssm-rangeRelated Commands
pim dr-priority
To configure the neighbor priority on the security appliance used for designated router election, use the pim dr-priority command in interface configuration mode. To restore the default priority, use the no form of this command.
pim dr-priority number
no pim dr-priority
Syntax Description
Defaults
The default value is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
The device with the largest priority value on an interface becomes the PIM designated router. If multiple devices have the same designated router priority, then the device with the highest IP address becomes the DR. If a device does not include the DR-Priority Option in hello messages, it is regarded as the highest-priority device and becomes the designated router. If multiple devices do not include this option in their hello messages, then the device with the highest IP address becomes the designated router.
Examples
The following example sets the DR priority for the interface to 5:
hostname(config-if)# pim dr-priority 5Related Commands
pim hello-interval
To configure the frequency of the PIM hello messages, use the pim hello-interval command in interface configuration mode. To restore the hello-interval to the default value, use the no form of this command.
pim hello-interval seconds
no pim hello-interval [seconds]
Syntax Description
seconds
The number of seconds that the security appliance waits before sending a hello message. Valid values range from 1 to 3600 seconds. The default value is 30 seconds.
Defaults
30 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Examples
The following example sets the PIM hello interval to 1 minute:
hostname(config-if)# pim hello-interval 60Related Commands
pim join-prune-interval
To configure the PIM join/prune interval, use the pim join-prune-interval command in interface configuration mode. To restore the interval to the default value, use the no form of this command.
pim join-prune-interval seconds
no pim join-prune-interval [seconds]
Syntax Description
seconds
The number of seconds that the security appliance waits before sending a join/prune message. Valid values range from 10 to 600 seconds. 60 seconds is the default.
Defaults
60 seconds
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Examples
The following example sets the PIM join/prune interval to 2 minutes:
hostname(config-if)# pim join-prune-interval 120Related Commands
pim old-register-checksum
To allow backward compatibility on a rendezvous point (RP) that uses old register checksum methodology, use the pim old-register-checksum command in global configuration mode. To generate PIM RFC-compliant registers, use the no form of this command.
pim old-register-checksum
no pim old-register-checksum
Syntax Description
This command has no arguments or keywords.
Defaults
The security appliance generates PIM RFC-compliant registers.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The security appliance software accepts register messages with checksum on the PIM header and only the next 4 bytes rather than using the Cisco IOS method—accepting register messages with the entire PIM message for all PIM message types. The pim old-register-checksum command generates registers compatible with Cisco IOS software.
Examples
The following example configures the security appliance to use the old checksum calculations:
hostname(config)# pim old-register-checksumRelated Commands
pim rp-address
To configure the address of a PIM rendezvous point (RP), use the pim rp-address command in global configuration mode. To remove an RP address, use the no form of this command.
pim rp-address ip_address [acl] [bidir]
no pim rp-address ip_address
Syntax Description
This command has no arguments or keywords.
Defaults
No PIM RP addresses are configured.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
All routers within a common PIM sparse mode (PIM-SM) or bidir domain require knowledge of the well-known PIM RP address. The address is statically configured using this command.
Note
You can configure a single RP to serve more than one group. The group range specified in the access list determines the PIM RP group mapping. If the an access list is not specified, the RP for the group is applied to the entire IP multicast group range (224.0.0.0/4).
Note
Examples
The following example sets the PIM RP address to 10.0.0.1 for all multicast groups:
hostname(config)# pim rp-address 10.0.0.1Related Commands
pim spt-threshold infinity
To change the behavior of the last hop router to always use the shared tree and never perform a shortest-path tree (SPT) switchover, use the pim spt-threshold infinity command in global configuration mode. To restore the default value, use the no form of this command.
pim spt-threshold infinity [group-list acl]
no pim spt-threshold
Syntax Description
group-list acl
(Optional) Indicates the source groups restricted by the access list. The acl argument must specify a standard ACL; extended ACLs are not supported.
Defaults
The last hop PIM router switches to the shortest-path source tree by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
If the group-list keyword is not used, this command applies to all multicast groups.
Examples
The following example causes the last hop PIM router to always use the shared tree instead of switching to the shortest-path source tree:
hostname(config)# pim spt-threshold infinityRelated Commands
ping
To determine if other IP addresses are visible from the security appliance, use the ping command in privileged EXEC mode.
ping [if_name] host [data pattern] [repeat count] [size bytes] [timeout seconds] [validate]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The ping command allows you to determine if the security appliance has connectivity or if a host is available on the network. If the security appliance has connectivity, ensure that the icmp permit any interface command is configured. This configuration is required to allow the security appliance to respond and accept messages generated from the ping command. The ping command output shows if the response was received. If a host is not responding, when you enter the ping command, a message similar to the following displays:
hostname(config)# ping 10.1.1.1Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:?????Success rate is 0 percent (0/5)Use the show interface command to ensure that the security appliance is connected to the network and is passing traffic. The address of the specified if_name is used as the source address of the ping.
If you want internal hosts to ping external hosts, you must do one of the following:
•
•
You can also perform an extended ping, which allows you to enter the keywords one line at a time.
If you are pinging through the security appliance between hosts or routers, but the pings are not successful, use the capture command to monitor the success of the ping.
The security appliance ping command does not require an interface name. If you do not specify an interface name, the security appliance checks the routing table to find the address that you specify. You can specify an interface name to indicate through which interface the ICMP echo requests are sent.
Examples
The following example shows how to determine if other IP addresses are visible from the security appliance:
hostname# ping 171.69.38.1Sending 5, 100-byte ICMP Echos to 171.69.38.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 msThe following is an example of an extended ping:
hostname# pingInterface: outsideTarget IP address: 171.69.38.1Repeat count: [5]Datagram size: [100]Timeout in seconds: [2]Extended commands [n]:Sweep range of sizes [n]:Sending 5, 100-byte ICMP Echos to 171.69.38.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 msRelated Commands
police
To apply strict scheduling priority for this class, use the police command in class mode. To remove the rate-limiting requirement, use the no form of this command.
police [output] conform-rate {conform-burst | conform-action {drop | transmit} | exceed-action {drop | transmit}}
no police
Syntax Description
Defaults
No default behavior or variables.
Command Modes
The following table shows the modes in which you can enter the command:
Class
—
—
•
—
—
Command History
Usage Guidelines
You must have configured the policy-map command and the class command before issuing the police command.
Note
Policing traffic in the inbound direction is not supported.
You cannot enable both priority and policing together.
If a service policy is applied or removed from an interface that has existing VPN client/LAN-to-LAN or non-tunneled traffic already established, the QoS policy is not applied or removed from the traffic stream. To apply or remove the QoS policy for such connections, you must clear (that is, drop) the connections and re-establish them.
Examples
The following is an example of a police command that sets the conform rate to 100,000 bits per second, a burst value of 2,000,000 bytes, and specifies that traffic that exceeds the burst rate will be dropped:
hostname(config)# policy-map localpolicy1hostname(config-pmap)# class firstclass classhostname(config-pmap-c)# police 100000 20000 exceed-action drophostname(config-pmap-c)# class class-defaulthostname(config-pmap-c)# police 1000000 200000 exceed-action drophostname(config-pmap-c)# exitRelated Commands
policy
To specify the source for retrieving the CRL, use the policy command in ca-crl configuration mode.
policy {static | cdp | both}
Syntax Description
Defaults
The default setting is cdp.
Command Modes
The following table shows the modes in which you can enter the
CRL configuration
•
—
•
—
—
command:
Command History
Examples
The following example enters ca-crl configuration mode, and configures CRL retrieval to occur using the CRL distribution point extension in the certificate being checked or if that fails, to use static CDPs:
hostname(configure)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# policy bothhostname(ca-crl)#Related Commands
crl configure
Enters ca-crl configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
url
Creates and maintains a list of static URLs for retrieving CRLs.
policy-map
To configure a policy, use the policy-map command in global configuration mode. To remove a policy, use the no form of this command.
policy-map name
no policy-map name
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
A policy-map command configures a policy, which is an association of a traffic class with one or more security-related actions. A traffic class is a set of traffic that is identifiable by its packet content. For example, TCP traffic with a port value of 23 can be classified as a Telnet traffic class. A policy consists of a class command and its associated actions. A policy map can specify multiple policies. A service-policy command activates a policy map globally on all interfaces or on a single targeted interface.
The policy-map command lets you classify traffic and then apply feature-specific actions to it.
The maximum number of policy maps is 64.
Use the policy-map command to enter policy-map mode, in which you can enter class and description commands. See the individual command descriptions for detailed information.
The order in which different types of actions in a policy-map are performed is independent of the order in which the actions appear in these command descriptions.
Examples
The following is an example of the policy-map command; note the change in the prompt:
hostname(config)# policy-map localpolicy1hostname(config-pmap)#The following is an example of a policy-map command for connection policy:
hostname(config)# access-list http-server permit tcp any host 10.1.1.1hostname(config)# class-map http-serverhostname(config-cmap)# match access-list http-serverhostname(config-cmap)# exithostname(config)# policy-map global-policy globalhostname(config-pmap)# description This policy map defines a policy concerning connection to http server.hostname(config-pmap)# class http-serverhostname(config-pmap-c)# set connection conn-max 256The following is an example of a policy-map command for the "outside" interface:
hostname(config)# class-map outside-voiphostname(config-cmap)# match ip rtp 2000 100hostname(config-cmap)# exithostname(config)# policy-map outside-policyhostname(config-pmap)# description This policy map defines policies for the outside interface.hostname(config-pmap)# class outside-voiphostname(config-pmap-c)# priorityhostname(config-pmap-c)# exithostname(config-pmap)#Related Commands
polltime interface
To specify the interval between hello packets on the interface, use the polltime interface command in failover group configuration mode. To restore the default value, use the no form of this command.
polltime interface time
no polltime interface time
Syntax Description
Defaults
The default is 15 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
Use the polltime interface command to change the frequency that hello packets are sent out on an interfaces associated with the current failover group. with a faster poll time, the security appliance can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested.
Five missed consecutive interface hello packets cause interface testing.
This command is available for Active/Active failover only.
Examples
The following partial example shows a possible configuration for a failover group:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# polltime interface 20hostname(config-fover-group)# exithostname(config)#Related Commands
failover group
Defines a failover group for Active/Active failover.
failover polltime
Configures the time between hello packets on monitored interfaces.
pop3s
To enter POP3S configuration mode, use the pop3s command in global configuration mode. To remove any commands entered in POP3S command mode, use the no version of this command.
POP3 is a client/server protocol in which your Internet server receives and holds e-mail for you. Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any mail. This standard protocol is built into most popular e-mail products. POP3S lets you receive e-mail over an SSL connection.
pop3s
no pop3
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Examples
The following example shows how to enter POP3S configuration mode:
hostname(config)# pop3shostname(config-pop3s)#Related Commands
clear configure pop3s
Removes the POP3S configuration.
show running-config pop3s
Displays the running configuration for POP3S.
port
To specify the port an e-mail proxy listens to, use the port command in the applicable e-mail proxy command mode. To revert to the default value, use the no version of this command.
port {portnum}
no port
Syntax Description
portnum
The port for the e-mail proxy to use. To avoid conflicts with local TCP services, use port numbers in the range 1024 to 65535.
Defaults
The default ports for e-mail proxies are as follows:
Command Modes
The following table shows the modes in which you can enter the command:
Pop3s
•
—
•
—
—
Imap4s
•
—
•
—
—
Smtps
•
—
•
—
—
Command History
Usage Guidelines
To avoid conflicts with local TCP services, use port numbers in the range 1024 to 65535.
Examples
The following example shows how to set port 1066 for the IMAP4S e-mail proxy:
hostname(config)# imap4shostname(config-imap4s)# port 1066
port-forward
To configure the set of applications that WebVPN users can access over forwarded TCP ports, use the port-forward command in global configuration mode. To configure access to multiple applications, use this command with the same listname multiple times, once for each application. To remove an entire configured list, use the no port-forward listname command. To remove a configured application, use the no port-forward listname localport command (you need not include the remoteserver and remoteport parameters).
port-forward {listname localport remoteserver remoteport description}
no port-forward listname
no port-forward listname localport
Syntax Description
Defaults
There is no default port forwarding list.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration mode
•
—
•
—
—
Command History
Usage Guidelines
To allow access to particular TCP port forwarding applications for a specific user or group policy, use the listname you create here with the port-forward command in webvpn mode.
Examples
The following example shows how to create a portforwarding list called SalesGroupPorts that provides access to IMAP4S e-mail, SMTPS e-mail, DDTS, and Telnet. The following table provides values that the example uses for each application.
hostname(config)# port-forward SalesGroupPorts 143 IMAP4Sserver 20143 Get Mailhostname(config)# port-forward SalesGroupPorts 25 SMTPSserver 20025 Send Mailhostname(config)# port-forward SalesGroupPorts 22 DDTSserver 20022 DDTS over SSHhostname(config)# port-forward SalesGroupPorts 23 Telnetserver 20023 TelnetRelated Commands
port-forward (webvpn)
To enable WebVPN application access for this user or group policy, use the port-forward command in webvpn mode, which you enter from group-policy or username mode. To remove the port forwarding attribute from the configuration, including a null value created by issuing the port-forward none command, use the no form of this command. The no option allows inheritance of a list from another group policy. To prevent inheriting a port forwarding list, use the port-forward none command.
port-forward {value listname | none}
no port-forward
Syntax Description
Defaults
Port forwarding is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn mode
•
—
•
—
—
Command History
Usage Guidelines
Using the command a second time overrides the previous setting.
Before you can use the port-forward command in webvpn mode to enable application access, you must define a list of applications that you want users to be able to use in a WebVPN connection. Use the port-forward command in global configuration mode to define this list.
Examples
The following example shows how to set a portforwarding list called ports1 for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# port-forward value ports1Related Commands
port-forward-name
To configure the display name that identifies TCP port forwarding to end users for a particular user or group policy, use the port-forward-name command in webvpn mode, which you enter from group-policy or username mode. To delete the display name, including a null value created by using the port-forward-name none command, use the no form of the command. The no option restores the default name, "Application Access." To prevent a display name, use the port-forward none command.
port-forward-name {value name | none}
no port-forward-name
Syntax Description
Defaults
The default name is "Application Access."
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Command History
Examples
The following example shows how to set the name, "Remote Access TCP Applications," for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# port-forward-name value Remote Access TCP ApplicationsRelated Commands
port-misuse
To restrict HTTP traffic by specifying a restricted application category, use the port-misuse command in HTTP map configuration mode, which is accessible using the http-map command. To disable this feature, use the no form of the command.
port-misuse {im | p2p | tunneling | default} action {allow | reset | drop} [log]
no port-misuse {im | p2p | tunneling | default} action {allow | reset | drop} [log]
Syntax Description
Defaults
This command is disabled by default. When the command is enabled and a supported application category is not specified, the default action is to allow the connection without logging. To change the default action, use the default keyword and specify a different default action.
Command Modes
The following table shows the modes in which you can enter the command:
HTTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
When you enable the port-misuse command, the security appliance applies the specified action to HTTP connections for each supported and configured application category.
The security appliance applies the default action to all traffic that does not match the application categories on the configured list. The preconfigured default action is to allow connections without logging.
For example, given the preconfigured default action, if you specify one or more application categories with the action of drop and log, the security appliance drops connections containing the configured application categories, logs each connection, and allows all connections for the other supported application types.
If you want to configure a more restrictive policy, change the default action to drop (or reset) and log (if you want to log the event). Then configure each permitted application type with the allow action.
Enter the port-misuse command once for each setting you wish to apply. You use one instance of the port-misuse command to change the default action and one instance to add each application category to the list of configured application types.
Caution
When you use the no form of the command to remove an application category from the list of configured application types, any characters in the command line after the application category keyword are ignored.
Examples
The following example provides a permissive policy, using the preconfigured default, which allows all supported application types that are not specifically prohibited.
hostname(config)# http-map inbound_httphostname(config-http-map)# port-misuse p2p drop loghostname(config-http-map)# exitIn this case, only connections in the peer-to-peer category are dropped and the events is logged.
The following example provides a restrictive policy, with the default action changed to reset the connection and to log the event for any application type that is not specifically allowed.
hostname(config)# http-map inbound_httphostname(config-http-map)# port-misuse default action reset loghostname(config-http-map)# port-misuse im allowhostname(config-http-map)# exitIn this case, only the Instant Messenger application is allowed. When HTTP traffic for the other supported applications is received, the security appliance resets the connection and creates a syslog entry.
Related Commands
port-object
To add a port object to a service object group, use the port-object command in service configuration mode. To remove port objects, use the no form of this command.
port-object eq service
no port-object eq service
port-object range begin_service end_service
no port-object range begin_service end_service
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Service configuration
•
•
•
•
—
Command History
Usage Guidelines
The port-object command is used with the object-group command to define an object that is either a specific service (port) or a range of services (ports) in service configuration mode.
If a name is specified for a TCP or UDP service, it must be one of the supported TCP or/and UDP names, and must be consistent with the protocol type of the object group. For instance, for a protocol types of tcp, udp, and tcp-udp, the names must be a valid TCP service name, a valid UDP service name, or a valid TCP and UDP service name, respectively.
If a number is specified, translation to its corresponding name (if one exists) based on the protocol type will be made when showing the object.
The following service names are supported:
Examples
This example shows how to use the port-object command in service configuration mode to create a new port (service) object group:
hostname(config)# object-group service eng_service tcphostname(config-service)# port-object eq smtphostname(config-service)# port-object eq telnethostname(config)# object-group service eng_service udphostname(config-service)# port-object eq snmphostname(config)# object-group service eng_service tcp-udphostname(config-service)# port-object eq domainhostname(config-service)# port-object range 2000 2005hostname(config-service)# quitRelated Commands
preempt
To cause the unit to become active on boot if it has the higher priority, use the preempt command in failover group configuration mode. To remove the preemption, use the no form of this command.
preempt [delay]
no preempt [delay]
Syntax Description
seconds
The wait time, in seconds, before the peer is preempted. Valid values are from 1 to 1200 seconds.
Defaults
By default, there is no delay.
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
Assigning a primary or secondary priority to a failover group specifies which unit the failover group becomes active on when both units boot simultaneously (within a unit polltime). However, if one unit boots before the other, then both failover groups become active on that unit. When the other unit comes online, any failover groups that have the second unit as a priority do not become active on the second unit unless the failover group is configured with the preempt command or is manually forced to the other unit with the no failover active command. If the failover group is configured with the preempt command, the failover group automatically becomes active on the designated unit.
Note
Examples
The following example configures failover group 1 with the primary unit as the higher priority and failover group 2 with the secondary unit as the higher priority. Both failover groups are configured with the preempt command with a wait time of 100 seconds, so the groups will automatically become active on their preferred unit 100 seconds after the units become available.
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)# failover group 2hostname(config-fover-group)# secondaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# mac-address e1 0000.a000.a011 0000.a000.a012hostname(config-fover-group)# exithostname(config)#Related Commands
prefix-list
To create an entry in a prefix list for ABR type 3 LSA filtering, use the prefix-list command in global configuration mode. To remove a prefix list entry, use the no form of this command.
prefix-list prefix-list-name [seq seq_num] {permit | deny} network/len [ge min_value] [le max_value]
no prefix-list prefix-list-name [seq seq_num] {permit | deny} network/len [ge min_value] [le max_value]
Syntax Description
Defaults
If you do not specify a sequence number, the first entry in a prefix list is assigned a sequence number of 5, and the sequence number for each subsequent entry is increased by 5.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The prefix-list commands are ABR type 3 LSA filtering commands. ABR type 3 LSA filtering extends the capability of an ABR that is running OSPF to filter type 3 LSAs between different OSPF areas. Once a prefix list is configured, only the specified prefixes are sent from one area to another area. All other prefixes are restricted to their OSPF area. You can apply this type of area filtering to traffic going into or coming out of an OSPF area, or to both the incoming and outgoing traffic for that area.
When multiple entries of a prefix list match a given prefix, the entry with the lowest sequence number is used. The security appliance begins the search at the top of the prefix list, with the entry with the lowest sequence number. Once a mach is made, the security appliance does not go through the rest of the list. For efficiency, you may want to put the most common matches or denials near the top of the list by manually assigning them a lower sequence number.
By default, the sequence numbers are automatically generated. They can be suppressed with the no prefix-list sequence-number command. Sequence numbers are generated in increments of 5. The first sequence number generated in a prefix list would be 5. The next entry in that list would have a sequence number of 10, and so on. If you specify a value for an entry, and then do not specify values for subsequent entries, the generated sequence numbers are increased from the specified value in increments of 5. For example, if you specify that the first entry in the prefix list has a sequence number of 3, and then add two more entries without specifying a sequence number for the additional entries, the automatically generated sequence numbers for those two entries would be 8 and 13.
You can use the ge and le keywords to specify the range of the prefix length to be matched for prefixes that are more specific than the network/len argument. Exact match is assumed when neither the ge or le keywords are specified. The range is from min_value to 32 if only the ge keyword is specified.The range is from len to max_value if only the le keyword is specified.
The value of the min_value and max_value arguments must satisfy the following condition:
len < min_value <= max_value <= 32
Use the no form of the command to remove specific entries from the prefix list. Use the clear configure prefix-list command to remove a prefix list. The clear configure prefix-list command also removes the associated prefix-list description command, if any, from the configuration.
Examples
The following example denies the default route 0.0.0.0/0:
hostname(config)# prefix-list abc deny 0.0.0.0/0The following example permits the prefix10.0.0.0/8:
hostname(config)# prefix-list abc permit 10.0.0.0/8The following example shows how to accept a mask length of up to 24 bits in routes with the prefix 192/8:
hostname(config)# prefix-list abc permit 192.168.0.0/8 le 24The following example shows how to deny mask lengths greater than 25 bits in routes with a prefix of 192/8:
hostname(config)# prefix-list abc deny 192.168.0.0/8 ge 25The following example shows how to permit mask lengths from 8 to 24 bits in all address space:
hostname(config)# prefix-list abc permit 0.0.0.0/0 ge 8 le 24The following example shows how to deny mask lengths greater than 25 bits in all address space:
hostname(config)# prefix-list abc deny 0.0.0.0/0 ge 25The following example shows how to deny all routes with a prefix of 10/8:
hostname(config)# prefix-list abc deny 10.0.0.0/8 le 32The following example shows how to deny all masks with a length greater than 25 bits for routes with a prefix of 192.168.1/24:
hostname(config)# prefix-list abc deny 192.168.1.0/24 ge 25The following example shows how to permit all routes with a prefix of 0/0:
hostname(config)# prefix-list abc permit 0.0.0.0/0 le 32Related Commands
prefix-list description
To add a description to a prefix list, use the prefix-list description command in global configuration mode. To remove a prefix list description, use the no form of this command.
prefix-list prefix-list-name description text
no prefix-list prefix-list-name description [text]
Syntax Description
prefix-list-name
The name of a prefix list.
text
The text of the prefix list description. You can enter a maximum of 80 characters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
You can enter prefix-list and prefix-list description commands in any order for a particular prefix list name; you do not need to create the prefix list before entering a prefix list description. The prefix-list description command will always appear on the line before the associated prefix list in the configuration, no matter what order you enter the commands.
If you enter a prefix-list description command for a prefix list entry that already has a description, the new description replaces the original description.
You do not need to enter the text description when using the no form of this command.
Examples
The following example adds a description for a prefix list named MyPrefixList. The show running-config prefix-list command shows that although the prefix list description has been added to the running configuration, the prefix-list itself has not been configured.
hostname(config)# prefix-list MyPrefixList description A sample prefix list descriptionhostname(config)# show running-config prefix-list!prefix-list MyPrefixList description A sample prefix list description!Related Commands
prefix-list sequence-number
To enable prefix list sequence numbering, use the prefix-list sequence-number command in global configuration mode. To disable prefix list sequence numbering, use the no form of this command.
prefix-list sequence-number
Syntax Description
This command has no arguments or keywords.
Defaults
Prefix list sequence numbering is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
Only the no form of this command appears in the configuration. When the no form of this command is in the configuration, the sequence numbers, including the manually configured ones, are removed from the prefix-list commands in the configuration and new prefix lists entries are not assigned a sequence number.
When prefix list sequence numbering is enabled, all prefix list entries are assigned sequence numbers using the default numbering method (starting with 5 and incrementing each number by 5). If a sequence number was manually assigned to a prefix list entry before numbering was disabled, the manually assigned number is restored. Sequence numbers that are manually assigned while automatic numbering is disabled are also restored, even though they are not displayed while numbering is disabled.
Examples
The following example disables prefix list sequence numbering:
hostname(config)# no prefix-list sequence-numberRelated Commands
prefix-list
Defines a prefix list for ABR type 3 LSA filtering.
show running-config prefix-list
Displays the prefix-list commands in the running configuration.
pre-shared-key
To specify a preshared key to support IKE connections based on preshared keys, use the pre-shared-key command in tunnel-group ipsec-attributes configuration mode. To return to the default value, use the no form of this command.
pre-shared-key key
no pre-shared-key
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ipsec attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute to all tunnel-group types.
Examples
The following command entered in config-ipsec configuration mode, specifies the preshared key XYZX to support IKE connections for the IPSec LAN-to-LAN tunnel group named 209.165.200.225:
hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2Lhostname(config)# tunnel-group 209.165.200.225 ipsec-attributeshostname(config-ipsec)# pre-shared-key xyzxhostname(config-ipsec)#Related Commands
primary
To give the primary unit higher priority for a failover group, use the primary command in failover group configuration mode. To restore the default value, use the no form of this command.
primary
no primary
Syntax Description
This command has no arguments or keywords.
Defaults
If primary or secondary is not specified for a failover group, the failover group defaults to primary.
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
Assigning a primary or secondary priority to a failover group specifies which unit the failover group becomes active on when both units boot simultaneously (within a unit polltime). If one unit boots before the other, then both failover groups become active on that unit. When the other unit comes online, any failover groups that have the second unit as a priority do not become active on the second unit unless the failover group is configured with the preempt command or is manually forced to the other unit with the no failover active command.
Examples
The following example configures failover group 1 with the primary unit as the higher priority and failover group 2 with the secondary unit as the higher priority. Both failover groups are configured with the preempt command, so the groups will automatically become active on their preferred unit as the units become available.
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)# failover group 2hostname(config-fover-group)# secondaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# mac-address e1 0000.a000.a011 0000.a000.a012hostname(config-fover-group)# exithostname(config)#Related Commands
priority
To apply strict scheduling priority for this class, use the priority command in class mode. To remove the priority requirement, use the no form of this command.
priority
no priority
Syntax Description
This command has no parameters or variables.
Defaults
No default behavior or variables.
Command Modes
The following table shows the modes in which you can enter the command:
Class
—
—
•
—
—
Command History
Usage Guidelines
You must have configured the policy-map command and the class command before issuing the priority command.
Examples
The following is an example of the priority command in policy-map mode:
hostname(config)# policy-map localpolicy1hostname(config-pmap)# class firstclasshostname(config-pmap-c)# priorityhostname(config-pmap-c)# class class-defaulthostname(config-pmap-c)# exitRelated Commands
priority (vpn load balancing)
To set the priority of the local device participating in the virtual load-balancing cluster, use the priority command in VPN load-balancing mode. To revert to the default priority specification, use the no form of this command.
priority priority
no priority
Syntax Description
Defaults
The default priority depends on the model number of the device:
Command Modes
The following table shows the modes in which you can enter the command:
VPN load-balancing
—
—
•
—
—
Command History
Usage Guidelines
You must first use the vpn load-balancing command to enter VPN load-balancing mode.
This command sets the priority of the local device participating in the virtual load-balancing cluster.
The priority must be an integer in the range of 1 (lowest) to 10 (highest).
The priority is used in the master-election process as one way to determine which of the devices in a VPN load-balancing cluster becomes the master or primary device for the cluster. See Cisco Security Appliance Command Line Configuration Guide for details about the master-election process.
The no form of the command reverts the priority specification to the default value.
Examples
The following is an example of a VPN load-balancing command sequence that includes a priority command that sets the priority of the current device to 9:
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# priority 9hostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# participateRelated Commandshostname(config-load-balancing)# participate
priority-queue
To configure priority queuing on an interface, use the priority-queue command in global configuration mode. To remove this specification, use the no form of this command.
priority-queue interface-name
no priority queue interface-name
Syntax Description
interface-name
Specifies the name of the physical interface on which you want to enable priority queuing.
Defaults
By default, priority queuing is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
—
•
—
—
Command History
Usage Guidelines
The security appliance allows two classes of traffic: low-latency queuing (LLQ) for higher priority, latency sensitive traffic (such as voice and video) and best-effort, the default, for all other traffic. The security appliance recognizes priority traffic and enforces appropriate Quality of Service (QoS) policies. You can configure the size and depth of the priority queue to fine-tune the traffic flow.
For priority queuing to occur, you must create a priority queue for a named, physical interface. To create the priority queue, use the priority-queue command in global configuration mode. In general, you can apply one priority-queue command to each physical interface defined by the nameif command. You cannot apply a priority-queue command to a VLAN interface, except on an ASA 5505 security applicance. On the ASA 5500, you configure the nameif command under a VLAN interface, so you must apply the priority-queue command there as well.
The priority-queue command enters priority-queue mode, as shown by the prompt. In priority-queue mode, you can configure the maximum number of packets allowed in the transmit queue at any given time (tx-ring-limit command) and the number of packets of either type (priority or best -effort) allowed to be buffered before dropping packets (queue-limit command).
The tx-ring-limit and the queue-limit values that you specify affect both the higher priority low-latency queue and the best-effort queue. The tx-ring-limit is the number of either type of packets allowed into the driver before the driver pushes back to the queues sitting in front of the interface to let them buffer packets until the congestion clears. In general, you can adjust these two parameters to optimize the flow of low-latency traffic.
Because queues are not of infinite size, they can fill and overflow. When a queue is full, any additional packets cannot get into the queue and are dropped. This is tail drop. To avoid having the queue fill up, you can use the queue-limit command to increase the queue buffer size.
Note
If a service policy is applied or removed from an interface that has existing VPN client/LAN-to-LAN or non-tunneled traffic already established, the QoS policy is not applied or removed from the traffic stream. To apply or remove the QoS policy for such connections, you must clear (that is, drop) the connections and re-establish them.
You cannot enable both priority and policing together.
Examples
The following example configures a priority queue for the interface named test, specifying a queue limit of 30,000 packets and a transmit queue limit of 256 packets.
hostname(config)# priority-queue testhostname(priority-queue)# queue-limit 30000hostname(priority-queue)# tx-ring-limit 256Related Commands
privilege
To configure the command privilege levels, use the privilege command in global configuration mode. To disallow the configuration, use the no form of this command.
privilege [ show | clear | configure ] level level [ mode {enable | configure}] command command
no privilege [ show | clear | configure ] level level [ mode {enable | configure}] command command
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
The privilege command lets you set user-defined privilege levels for the security appliance commands. In particular, this command is useful for setting different privilege levels for related configuration, show, and clear commands. Make sure that you verify privilege level changes in your commands with your security policies before using the new privilege levels.
When commands and users have privilege levels set, the two are compared to determine if a given user can execute a given command. If the user's privilege level is lower than the privilege level of the command, the user is prevented from executing the command.
To change between privilege levels, use the login command to access another privilege level and the appropriate logout, exit, or quit command to exit that level.
The mode enable and mode configure keywords are for commands with both enable and configure modes.
Lower privilege level numbers are lower privilege levels.
Note
Examples
This example shows how to set the privilege level "5" for an individual user as follows:
username intern1 password pass1 privilege 5This example shows how to define a set of show commands with the privilege level "5" as follows:
hostname(config)# privilege show level 5 command aliashostname(config)# privilege show level 5 command applyhostname(config)# privilege show level 5 command arphostname(config)# privilege show level 5 command auth-prompthostname(config)# privilege show level 5 command blocksThis example shows how to apply privilege level 11 to a complete AAA authorization configuration:
hostname(config)# privilege configure level 11 command aaahostname(config)# privilege configure level 11 command aaa-serverhostname(config)# privilege configure level 11 command access-grouphostname(config)# privilege configure level 11 command access-listhostname(config)# privilege configure level 11 command activation-keyhostname(config)# privilege configure level 11 command agehostname(config)# privilege configure level 11 command aliashostname(config)# privilege configure level 11 command applyRelated Commands
protocol http
To specify HTTP as a permitted distribution point protocol for retrieving a CRL, use the protocol http command in ca-crl configuration mode. Subject to permission, the content of the CRL distribution point determines the retrieval method (HTTP, LDAP, and/or SCEP).
To remove HTTP as the permitted method of CRL retrieval, use the no form of this command.
protocol http
no protocol http
Syntax Description
Defaults
The default setting is to permit HTTP.
Command Modes
The following table shows the modes in which you can enter the
CRL configuration
•
•
•
•
•
command:
Command History
Usage Guidelines
If you use this command, be sure to assign HTTP rules to the public interface filter.
Examples
The following example enters ca-crl configuration mode, and permits HTTP as a distribution point protocol for retrieving a CRL for trustpoint central:
hostname(configure)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# protocol httphostname(ca-crl)#Related Commands
protocol ldap
To specify LDAP as a distribution point protocol for retrieving a CRL, use the protocol ldap command in ca-crl configuration mode. Subject to permission, the content of the CRL distribution point determines the retrieval method (HTTP, LDAP, and/or SCEP).
To remove the LDAP protocol as the permitted method of CRL retrieval, use the no form of this command.
protocol ldap
no protocol ldap
Syntax Description
Defaults
The default setting is to permit LDAP.
Command Modes
The following table shows the modes in which you can enter the
CRL configuration
•
•
•
•
•
command:
Command History
Examples
The following example enters ca-crl configuration mode, and permits LDAP as a distribution point protocol for retrieving a CRL for trustpoint central:
hostname(configure)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# protocol ldaphostname(ca-crl)#Related Commands
protocol scep
To specify SCEP as a distribution point protocol for retrieving a CRL, use the protocol scep command in crl configure mode. Subject to permission, the content of the CRL distribution point determines the retrieval method (HTTP, LDAP, and/or SCEP).
To remove the SCEP protocol as the permitted method of CRL retrieval, use the no form of this command.
protocol scep
no protocol scep
Syntax Description
Defaults
The default setting is to permit SCEP.
Command Modes
The following table shows the modes in which you can enter the
CRL configuration
•
•
•
•
•
command:
Command History
Examples
The following example enters ca-crl configuration mode, and permits SCEP as a distribution point protocol for retrieving a CRL for trustpoint central:
hostname(configure)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# protocol scephostname(ca-crl)#Related Commands
protocol-object
To add a protocol object to a protocol object group, use the protocol-object command in protocol configuration mode. To remove port objects, use the no form of this command.
protocol-object protocol
no protocol-object protocol
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Protocol configuration
•
•
•
•
—
Command History
Usage Guidelines
The protocol-object command is used with the object-group command to define a protocol object in protocol configuration mode.
You can specify an IP protocol name or number using the protocol argument. The udp protocol number is 17, the tcp protocol number is 6, and the egp protocol number is 47.
Examples
The following example shows how to define protocol objects:
hostname(config)# object-group protocol proto_grp_1hostname(config-protocol)# protocol-object udphostname(config-protocol)# protocol-object tcphostname(config-protocol)# exithostname(config)# object-group protocol proto_grphostname(config-protocol)# protocol-object tcphostname(config-protocol)# group-object proto_grp_1hostname(config-protocol)# exithostname(config)#Related Commands
pwd
To display the current working directory, use the pwd command in privileged EXEC mode.
pwd
Syntax Description
This command has no arguments or keywords.
Defaults
The root directory (/) is the default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
This command is similar in functionality to the dir command.
Examples
The following example shows how to display the current working directory:
hostname# pwddisk0:/hostname# pwdflash:Related Commands
cd
Changes the current working directory to the one specified.
dir
Displays the directory contents.
more
Displays the contents of a file.
queue-limit (priority-queue)
To specify the depth of the priority queues, use the queue-limit command in priority-queue mode. To remove this specification, use the no form of this command.
queue-limit number-of-packets
no queue-limit number-of-packets
Syntax Description
Defaults
The default queue limit is 1024 packets.
Command Modes
The following table shows the modes in which you can enter the command:
Priority-queue
•
•
•
•
—
Command History
Usage Guidelines
The security appliance allows two classes of traffic: low-latency queuing (LLQ) for higher priority, latency sensitive traffic (such as voice and video) and best-effort, the default, for all other traffic. The security appliance recognizes priority traffic and enforces appropriate Quality of Service (QoS) policies. You can configure the size and depth of the priority queue to fine-tune the traffic flow.
You must use the priority-queue command to create the priority queue for an interface before priority queuing takes effect. You can apply one priority-queue command to any interface that can be defined by the nameif command.
The priority-queue command enters priority-queue mode, as shown by the prompt. In priority-queue mode, you can configure the maximum number of packets allowed in the transmit queue at any given time (tx-ring-limit command) and the number of packets of either type (priority or best -effort) allowed to be buffered before dropping packets (queue-limit command).
Note
The tx-ring-limit and the queue-limit that you specify affect both the higher priority low-latency queue and the best-effort queue. The tx-ring-limit is the number of either type of packets allowed into the driver before the driver pushes back to the queues sitting in front of the interface to let them buffer packets until the congestion clears. In general, you can adjust these two parameters to optimize the flow of low-latency traffic.
Because queues are not of infinite size, they can fill and overflow. When a queue is full, any additional packets cannot get into the queue and are dropped. This is tail drop. To avoid having the queue fill up, you can use the queue-limit command to increase the queue buffer size.
Note
Examples
The following example configures a priority queue for the interface named test, specifying a queue limit of 30,000 packets and a transmit queue limit of 256 packets.
hostname(config)# priority-queue testhostname(priority-queue)# queue-limit 30000hostname(priority-queue)# tx-ring-limit 256Related Commands
queue-limit (tcp-map)
To configure the maximum number of out-of-order packets that can queued on a TCP stream, use the queue-limit command in tcp-map configuration mode. To remove this specification, use the no form of this command.
queue-limit pkt_num
no queue-limit pkt_num
Syntax Description
Defaults
The default maximum number of packets is 0 for the ASA platform. For PIX, the number is 3 and cannot be changed.
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new tcp map using the policy-map command. Activate TCP inspection with service-policy commands.
Use the tcp-map command to enter tcp-map configuration mode. Use the queue-limit command in tcp-map configuration mode to enable TCP packet ordering on any TCP connection or change the queue limit for connections that are ordered by default.
Packets will be ordered on TCP connections if any of the following features have been enabled: inspect, IDS feature, or TCP check-retransmission. The default packet queue limit for connections that are ordered is two per flow. For all other TCP connections, packets are forwarded as received, including out-of-order packets. To enable TCP packet ordering on any TCP connection or change the queue limit for connections that are ordered, use the queue-limit command. Enabling this feature results in out-of-order packets being queued until they can be forwarded or a fixed amount of time. Hence, memory usage is increased due to packet buffering.
Examples
The following example shows how to enable TCP packet ordering on all telnet connections:
hostname(config)# tcp-map tmaphostname(config-tcp-map)# queue-limit 8hostname(config)# class-map cmaphostname(config-cmap)# match port tcp eq telnethostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalRelated Commands
quit
To exit the current configuration mode, or to logout from privileged or user EXEC modes, use the quit command.
quit
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
•
Command History
Usage Guidelines
You can also use the key sequence Ctrl Z to exit global configuration (and higher) modes. This key sequence does not work with privileged or user EXEC modes.
When you enter the quit command in privileged or user EXEC modes, you log out from the security appliance. Use the disable command to return to user EXEC mode from privileged EXEC mode.
Examples
The following example shows how to use the quit command to exit global configuration mode, and then logout from the session:
hostname(config)# quithostname# quitLogoffThe following example shows how to use the quit command to exit global configuration mode, and then use the disable command to exit privileged EXEC mode:
hostname(config)# quithostname# disablehostname>Related Commands
radius-common-pw
To specify a common password to be used for all users who are accessing this RADIUS authorization server through this security appliance, use the radius-common-pw command in AAA-server host mode. To remove this specification, use the no form of this command:
radius-common-pw string
no radius-common-pw
Syntax Description
string
A case-sensitive, alphanumeric keyword of up to 127 characters to be used as a common password for all authorization transactions with this RADIUS server.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server host
•
•
•
•
—
Command History
Usage Guidelines
This command is valid only for RADIUS authorization servers.
The RADIUS authorization server requires a password and username for each connecting user. The security appliance provides the username automatically. You enter the password here. The RADIUS server administrator must configure the RADIUS server to associate this password with each user authorizing to the server via this security appliance. Be sure to provide this information to your RADIUS server administrator.
If you do not specify a common user password, each user's password is his or her own username. For example, a user with the username "jsmith" would enter "jsmith". If you are using usernames for the common user passwords, as a security precaution do not use this RADIUS server for authorization anywhere else on your network.
13-125
Note
Examples
The following example configures a RADIUS AAA server group named "svrgrp1" on host "1.2.3.4", sets the timeout interval to 9 seconds, sets the retry interval to 7 seconds, and configures the RADIUS commnon password as "allauthpw".
hostname(config)# aaa-server svrgrp1 protocol radiushostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)# timeout 9hostname(config-aaa-server-host)# retry 7hostname(config-aaa-server-host)# radius-common-pw allauthpwhostname(config-aaa-server-host)# exithostname(config)#Related Commands
radius-with-expiry
To have the security appliance use MS-CHAPv2 to negotiate a password update with the user during authentication, use the radius-with-expiry command in tunnel-group ipsec-attributes configuration mode. The security appliance ignores this command if RADIUS authentication has not been configured.
To return to the default value, use the no form of this command.
radius-with-expiry
no radius-with-expiry
Syntax Description
This command has no arguments or keywords.
Defaults
The default setting for this command is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ipsec attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute to IPSec remote-access tunnel-group type only.
Examples
The following example entered in config-ipsec configuration mode, configures Radius with Expiry for the remote-access tunnel group named remotegrp:
hostname(config)# tunnel-group remotegrp type ipsec_rahostname(config)# tunnel-group remotegrp ipsec-attributeshostname(config-ipsec)# radius-with-expiryhostname(config-ipsec)#Related Commands
reactivation-mode
To specify the method (reactivation policy) by which failed servers in a group are reactivated, use the reactivation-mode command in AAA-server group mode. To remove this specification, use the no form of this command:
reactivation-mode depletion [deadtime minutes]
reactivation-mode timed
no reactivation-mode
Syntax Description
Defaults
The default reactivation mode is depletion, and the default deadtime value is 10. The supported range of values for deadtime is 0-1440 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server group
•
•
•
•
—
Command History
Usage Guidelines
Each server group has an attribute that specifies the reactivation policy for its servers.
In depletion mode, when a server is deactivated, it remains inactive until all other servers in the group are inactive. When and if this occurs, all servers in the group are reactivated. This approach minimizes the occurrence of connection delays due to failed servers. When depletion mode is in use, you can also specify the deadtime parameter. The deadtime parameter specifies the amount of time (in minutes) that will elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers. This parameter is meaningful only when the server group is being used in conjunction with the local fallback feature.
In timed mode, failed servers are reactivated after 30 seconds of down time. This is useful when customers use the first server in a server list as the primary server and prefer that it is online whenever possible. This policy breaks down in the case of UDP servers. Since a connection to a UDP server will not fail, even if the server is not present, UDP servers are put back on line blindly. This could lead to slowed connection times or connection failures if a server list contains multiple servers that are not reachable.
Accounting server groups that have simultaneous accounting enabled are forced to use the timed mode. This implies that all servers in a given list are equivalent.
Examples
The following example configures aTACACS+ AAA server named "srvgrp1" to use the depletion reactivation mode, with a deadtime of 15 minutes:
hostname(config)# aaa-server svrgrp1 protocol tacacs+hostname(config-aaa-sersver-group)# reactivation-mode depletion deadtime 15hostname(config-aaa-server)# exithostname(config)#The following example configures aTACACS+ AAA server named "srvgrp1" to use timed reactivation mode:
hostname(config)# aaa-server svrgrp2 protocol tacacs+hostname(config-aaa-server)# reactivation-mode timedhostname(config-aaa-server)# exithostname(config)#Related Commands
redistribute
To redistribute routes from one routing domain into another routing domain, use the redistribute command in router configuration mode. To remove the redistribution, use the no form of this command.
redistribute {{ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}]} | static | connected} [metric metric_value] [metric-type metric_type] [route-map map_name] [tag tag_value] [subnets]
no redistribute {{ospf pid [match {internal | external [1 | 2] | nssa-external [1 | 2]}]} | static | connected} [metric metric_value] [metric-type metric_type] [route-map map_name] [tag tag_value] [subnets]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Examples
This example shows how to redistribute static routes into the current OSPF process:
hostname(config-router)# redistribute ospf staticRelated Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
reload
To reboot and reload the configuration, use the reload command in privileged EXEC mode.
reload [at hh:mm [month day | day month]] [cancel] [in [hh:]mm] [max-hold-time [hh:]mm] [noconfirm] [quick] [reason text] [save-config]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
·
·
·
—
·
Command History
7.0
This command was modified to add the following new arguments and keywords: day, hh, mm, month, quick, save-config, and text.
Usage Guidelines
The command lets you reboot the security appliance and reload the configuration from Flash.
By default, the reload command is interactive. The security appliance first checks whether the configuration has been modified but not saved. If so, the security appliance prompts you to save the configuration. In multiple context mode, the security appliance prompts for each context with an unsaved configuration. If you specify the save-config parameter, the configuration is saved without prompting you. The security appliance then prompts you to confirm that you really want to reload the system. Only a response of y or pressing the Enter key causes a reload. Upon confirmation, the security appliance starts or schedules the reload process, depending upon whether you have specified a delay parameter (in or at).
By default, the reload process operates in "graceful" (also known as "nice") mode. All registered subsystems are notified when a reboot is about to occur, allowing these subsystems to shut down properly before the reboot. To avoid waiting until for such a shutdown to occur, specify the max-hold-time parameter to specify a maximum time to wait. Alternatively, you can use the quick parameter to force the reload process to begin abruptly, without notifying the affected subsystems or waiting for a graceful shutdown.
You can force the reload command to operate noninteractively by specifying the noconfirm parameter. In this case, the security appliance does not check for an unsaved configuration unless you have specified the save-config parameter. The security appliance does not prompt the user for confirmation before rebooting the system. It starts or schedules the reload process immediately, unless you have specified a delay parameter, although you can specify the max-hold-time or quick parameters to control the behavior or the reload process.
Use reload cancel to cancel a scheduled reload. You cannot cancel a reload that is already in progress.
Note
Examples
This example shows how to reboot and reload the configuration:
hostname# reloadProceed with ? [confirm] yRebooting...XXX Bios VX.X...Related Commands
remote-access threshold session-threshold-exceeded
To set threshold values, use the remote-access threshold command in global configuration mode. To remove threshold values, use the no version of this command. This command specifies the number of active remote access sessions, at which point the security appliance sends traps.
remote-access threshold session-threshold-exceeded {threshold-value}
no remote-access threshold session-threshold-exceeded
Syntax Description
threshold-value
Specifies an integer less than or equal to the session limit the security appliance supports.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
Examples
The following example shows how to set a threshold value of 1500:
hostname# remote-access threshold session-threshold-exceeded 1500Related Commands
rename
To rename a file or a directory from the source filename to the destination filename, use the rename command in privileged EXEC mode.
rename [/noconfirm] [disk0: | disk1: | flash:] source-path [disk0: | disk1: | flash:] destination-path
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The rename flash: flash: command prompts you to enter a source and destination filename.
You cannot rename a file or directory across file systems.
For example:
hostname# rename flash: disk1:Source filename []? new-configDestination filename []? old-config%Cannot rename between filesystemsExamples
The following example shows how to rename a file named "test" to "test1":
hostname# rename flash: flash:Source filename [running-config]? testDestination filename [n]? test1Related Commands
mkdir
Creates a new directory.
rmdir
Removes a directory.
show file
Displays information about the file system.
replication http
To enable HTTP connection replication for the failover group, use the replication http command in failover group configuration mode. To disable HTTP connection replication, use the no form of this command.
replication http
no replication http
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
By default, the security appliance does not replicate HTTP session information when Stateful Failover is enabled. Because HTTP sessions are typically short-lived, and because HTTP clients typically retry failed connection attempts, not replicating HTTP sessions increases system performance without causing serious data or connection loss. The replication http command enables the stateful replication of HTTP sessions in a Stateful Failover environment, but could have a negative effect on system performance.
This command is available for Active/Active failover only. It provides the same functionality as the failover replication http command for Active/Standby failover, except for failover groups in Active/Active failover configurations.
Examples
The following example shows a possible configuration for a failover group:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# replication httphostname(config-fover-group)# exitRelated Commands
failover group
Defines a failover group for Active/Active failover.
failover replication http
Configures stateful failover to replicate HTTP connections.
request-command deny
To disallow specific commands within FTP requests, use the request-command deny command in FTP map configuration mode, which is accessible by using the ftp-map command. To remove the configuration, use the no form of this command.
request-command deny { appe | cdup | dele | get | help | mkd | put | rmd | rnfr | rnto | site | stou }
no request-command deny { appe | cdup | help | retr | rnfr | rnto | site | stor | stou }
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
FTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command is used for controlling the commands allowed within FTP requests traversing the security appliance when using strict FTP inspection.
Examples
The following example causes the security appliance to drop FTP requests containing stor, stou, or appe commands:
hostname(config)# ftp-map inbound_ftphostname(config-ftp-map)# request-command deny put stou appehostname(config-ftp-map)# exitRelated Commands
request-method
To restrict HTTP traffic based on the HTTP request method, use the request-method command in HTTP map configuration mode, which is accessible using the http-map command. To disable this feature, use the no form of the command.
request-method {{ ext ext_methods | default} | { rfc rfc_methods | default}} action {allow | reset | drop} [log]
no request-method { ext ext_methods | rfc rfc_methods } action {allow | reset | drop} [log]
Syntax Description
Defaults
This command is disabled by default. When the command is enabled and a supported request method is not specified, the default action is to allow the connection without logging. To change the default action, use the default keyword and specify a different default action.
Command Modes
The following table shows the modes in which you can enter the command:
HTTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
When you enable the request-method command, the security appliance applies the specified action to HTTP connections for each supported and configured request method.
The security appliance applies the default action to all traffic that does not match the request methods on the configured list. The default action is to allow connections without logging. Given this preconfigured default action, if you specify one or more request methods with the action of drop and log, the security appliance drops connections containing the configured request methods, logs each connection, and allows all connections containing other supported request methods.
If you want to configure a more restrictive policy, change the default action to drop (or reset) and log (if you want to log the event). Then configure each permitted method with the allow action.
Enter the request-method command once for each setting you wish to apply. You use one instance of the request-method command to change the default action or to add a single request method to the list of configured methods.
When you use the no form of the command to remove a request method from the list of configured methods, any characters in the command line after the request method keyword are ignored.
Table 6-2 lists the methods defined in RFC 2616 that you can add to the list of configured methods:
Examples
The following example provides a permissive policy, using the preconfigured default, which allows all supported request methods that are not specifically prohibited.
hostname(config)# http-map inbound_httphostname(config-http-map)# request-method rfc options drop loghostname(config-http-map)# request-method rfc post drop loghostname(config-http-map)# exitIn this example, only the options and post request methods are dropped and the events are logged.
The following example provides a restrictive policy, with the default action changed to reset the connection and log the event for any request method that is not specifically allowed.
hostname(config)# http-map inbound_httphostname(config-http-map)# request-method rfc default action reset loghostname(config-http-map)# request-method rfc get allowhostname(config-http-map)# request-method rfc put allowhostname(config-http-map)# exitIn this case, the get and put request methods are allowed. When traffic is detected that uses any other methods, the security appliance resets the connection and creates a syslog entry.
Related Commands
request-queue
To specify the maximum number of GTP requests that will be queued waiting for a response, use the request-queue command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form of this command to return this number to the default of 200.
request-queue max_requests
no request-queue max_requests
Syntax Description
max_requests
The maximum number of GTP requests that will be queued waiting for a response. The range values is 1 to 4294967295.
Defaults
The max_requests default is 200.
Command Modes
The following table shows the modes in which you can enter the command:
GTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
The gtp request-queue command specifies the maximum number of GTP requests that are queued waiting for a response. When the limit has been reached and a new request arrives, the request that has been in the queue for the longest time is removed. The Error Indication, the Version Not Supported and the SGSN Context Acknowledge messages are not considered as requests and do not enter the request queue to wait for a response.
Examples
The following example specifies a maximum request queue size of 300 bytes:
hostname(config)# gtp-map qtp-policyhostname(config-gtpmap)# request-queue-size 300Related Commands
reserved-bits
To clear reserved bits in the TCP header, or drop packets with reserved bits set, use the reserved-bits command in tcp-map configuration mode. To remove this specification, use the no form of this command.
reserved-bits {allow | clear | drop}
no reserved-bits {allow | clear | drop}
Syntax Description
allow
Allows packet with the reserved bits in the TCP header.
clear
Clears the reserved bits in the TCP header and allows the packet.
drop
Drops the packet with the reserved bits in the TCP header.
Defaults
The reserved bits are allowed by default.
Command Modes
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.
Use the tcp-map command to enter tcp-map configuration mode. Use the reserved-bits command in tcp-map configuration mode to remove ambiguity as to how packets with reserved bits are handled by the end host, which may lead to desynchronizing the security appliance. You can choose to clear the reserved bits in the TCP header or even drop packets with the reserved bits set.
Examples
The following example shows how to clear packets on all TCP flows with the reserved bit set:
hostname(config)# access-list TCP extended permit tcp any anyhostname(config)# tcp-map tmaphostname(config-tcp-map)# reserved-bits clearhostname(config)# class-map cmaphostname(config-cmap)# match access-list TCPhostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalRelated Commands
retry-interval
To configure the amount of time between retry attempts for a particular AAA server designated in a prior aaa-server host command, use the retry-interval command in AAA-server host mode. To reset the retry interval to the default value, use the no form of this command.
retry-interval seconds
no retry-interval
Syntax Description
seconds
Specify the retry interval (1-10 seconds) for the request. This is the time the security appliance waits before retrying a connection request.
Defaults
The default retry interval is 10 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server host
•
•
•
•
—
Command History
Usage Guidelines
Use the retry-interval command to specify or reset the number of seconds the security appliance waits between connection attempts. Use the timeout command to specify the length of time during which the security appliance attempts to make a connection to a AAA server.
Examples
The following examples show the retry-interval command in context.
hostname(config)# aaa-server svrgrp1 protocol radiushostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)# timeout 7hostname(config-aaa-server-host)# retry-interval 9hostname(config-aaa-server-host)# exithostname(config)#Related Commands
re-xauth
To require that users reauthenticate on IKE rekey, issue the re-xauth enable command in group-policy configuration mode. To disable user reauthentication on IKE rekey, use the re-xauth disable command.
To remove the re-xauth attribute from the running configuration, use the no form of this command. This enables inheritance of a value for reauthentication on IKE rekey from another group policy.
re-xauth {enable | disable}
no re-xauth
Syntax Description
Defaults
Reauthentication on IKE rekey is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group policy
•
—
•
—
—
Command History
Usage Guidelines
If you enable reauthentication on IKE rekey, the security appliance prompts the user to enter a username and password during initial Phase 1 IKE negotiation and also prompts for user authentication whenever an IKE rekey occurs. Reauthentication provides additional security.
If the configured rekey interval is very short, users might find the repeated authorization requests inconvenient. In this case, disable reauthentication. To check the configured rekey interval, in monitoring mode, issue the show crypto ipsec sa command to view the security association lifetime in seconds and lifetime in kilobytes of data.
Note
Examples
The following example shows how to enable reauthentication on rekey for the group policy named FirstGroup:
hostname(config) #group-policy FirstGroup attributeshostname(config-group-policy)# re-xauth enable
rip
To enable and change RIP settings, use the rip command in global configuration mode. To disable the security appliance RIP routing table updates, use the no form of this command.
rip if_name {default | passive} [version {1 | 2 [authentication {text | md5} key key_id]}]
no rip if_name {default | passive} [version {1 | 2 [authentication {text | md5} key key_id]}]
Syntax Description
Defaults
RIP is disabled.
If you do not specify a version, RIP version 1 is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The rip command lets you to enable the sending and receiving of RIP routing updates on an interface. You configure RIP update transmission and reception independently; you can enable transmission only, reception only, or both transmission and reception on each interface. Use the passive keyword with the rip command to enable RIP update reception. Use the default keyword with the rip command to enable the broadcast of a default route. To enable both transmission and reception of RIP updates on an interface, you must two rip commands for the interface, one with the default keyword, enabling the sending of RIP routing updates, and one with the passive keyword, enabling the interface to receive RIP updates and to populate the routing table with those updates.
Note
If you specify RIP version 2, you can enable neighbor authentication and use MD5-based encryption to authenticate the RIP updates. When you enable neighbor authentication, you must ensure that the key and key_id arguments are the same as those used by neighbor devices that provide RIP version 2 updates. The key is a text string of up to 16 characters.
Configuring RIP Version 2 registers the multicast address 224.0.0.9 on the respective interface to be able to accept multicast RIP Version 2 updates. When RIP Version 2 is configured in passive mode, the security appliance accepts RIP Version 2 multicast updates with an IP destination of 224.0.0.9. When RIP Version 2 is configured in default mode, the security appliance transmits default route updates using an IP multicast destination of 224.0.0.9. Removing the RIP version 2 commands for an interface unregisters the multicast address from the interface card.
Note
RIP is not supported under transparent mode. By default, the security appliance denies all RIP broadcast and multicast packets. To permit these RIP messages to pass through a security appliance operating in transparent mode you must define access list entries to permit this traffic. For example, to permit RIP version 2 traffic through the security appliance, create an access list entry like access-list myriplist extended permit ip any host 224.0.0.9. To permit RIP version 1 broadcasts, create an access list entry like access-list myriplist extended permit udp any any eq rip. Apply these access list entries to the appropriate interface using the access-group command.
Examples
The following example shows how to combine version 1 and version 2 commands and list the information with the show running-config rip command after entering the rip commands. The rip commands let you to do the following.
•
•
•
hostname(config)# rip outside passive version 2 authentication md5 thisisakey 2hostname(config)# rip outside default version 2 authentication md5 thisisakey 2hostname(config)# rip inside passivehostname(config)# rip dmz passive version 2hostname# show running-config riprip outside passive version 2 authentication md5 thisisakey 2rip outside default version 2 authentication md5 thisisakey 2rip inside passive version 1rip dmz passive version 2The following example shows how to use the version 2 feature that passes the encryption key in text form:
hostname(config)# rip out default version 2 authentication text thisisakey 3hostname# show running-config riprip outside default version 2 authentication text thisisakey 3Related Commands
rmdir
To remove the existing directory, use the rmdir command in privileged EXEC mode.
rmdir [/noconfirm] [disk0: | disk1: | flash:]path
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
If the directory is not empty, the rmdir command fails.
Examples
This example shows how to remove an existing directory named "test":
hostname# rmdir testRelated Commands
dir
Displays the directory contents.
mkdir
Creates a new directory.
pwd
Displays the current working directory.
show file
Displays information about the file system.
route
To enter a static or default route for the specified interface, use the route command in global configuration mode. Use the no form of this command to remove routes from the specified interface.
route interface_name ip_address netmask gateway_ip [metric | tunneled]
no route interface_name ip_address netmask gateway_ip [metric | tunneled]
Syntax Description
Defaults
The metric default is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the route command to enter a default or static route for an interface. To enter a default route, set ip_address and netmask to 0.0.0.0, or use the shortened form of 0. All routes that are entered using the route command are stored in the configuration when it is saved.
You can define a separate default route for tunneled traffic along with the standard default route. When you create a default route with the tunneled option, all encrypted traffic that arrives on the security appliance and cannot be routed using learned or static routes is sent to this route. Otherwise, if the traffic is not encrypted, the standard default route entry is used. You cannot define more than one default route with the tunneled option; ECMP for tunneled traffic is not supported.
Create static routes to access networks that are connected outside a router on any interface. For example, the security appliance sends all packets that are destined to the 192.168.42.0 network through the 192.168.1.5 router with this static route command.
hostname(config)# route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1Once you enter the IP address for each interface, the security appliance creates a CONNECT route in the route table. This entry is not deleted when you use the clear route or clear configure route commands.
If the route command uses the IP address from one of the interfaces on the security appliance as the gateway IP address, the security appliance will ARP for the destination IP address in the packet instead of ARPing for the gateway IP address.
Examples
The following example shows how to specify one default route command for an outside interface:
hostname(config)# route outside 0 0 209.165.201.1 1The following example shows how to add these static route commands to provide access to the networks:
hostname(config)# route dmz1 10.1.2.0 255.0.0.0 10.1.1.4 1hostname(config)# route dmz1 10.1.3.0 255.0.0.0 10.1.1.4 1Related Commands
route-map
To define the conditions for redistributing routes from one routing protocol into another, use the route-map command in global configuration mode. To delete a map, use the no form of this command.
route-map map_tag [permit | deny] [seq_num]
no route-map map_tag [permit | deny] [seq_num]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The route-map command allows you to redistribute routes.
The route-map global configuration command and the match and set configuration commands define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria that are the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions, which are the redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can enter the match commands in any order, and all match commands must pass to cause the route to be redistributed according to the set actions given with the set commands. The no form of the match commands removes the specified match criteria.
Use route maps when you want detailed control over how routes are redistributed between routing processes. You specify the destination routing protocol with the router ospf global configuration command. You specify the source routing protocol with the redistribute router configuration command.
When you pass routes through a route map, a route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored; the route is not advertised for outbound route maps and is not accepted for inbound route maps. To modify only some data, you must configure a second route map section with an explicit match specified.
The seq_number argument is as follows:
1.
2.
3.
If the no route-map map-tag command is specified (with no seq-num argument), the whole route map is deleted (all route-map entries with the same map-tag text).
If the match criteria are not met, and you specify the permit keyword, the next route map with the same map_tag is tested. If a route passes none of the match criteria for the set of route maps sharing the same name, it is not redistributed by that set.
Examples
The following example shows how to configure a route map in OSPF routing:
hostname(config)# route-map maptag1 permit 8hostname(config-route-map)# set metric 5hostname(config-route-map)# match metric 5hostname(config-route-map)# show running-config route-maproute-map maptag1 permit 8set metric 5match metric 5hostname(config-route-map)# exithostname(config)#Related Commands
router-id
To use a fixed router ID, use the router-id command in router configuration mode. To reset OSPF to use the previous router ID behavior, use the no form of this command.
router-id addr
no router-id [addr]
Syntax Description
Defaults
If not specified, the highest-level IP address on the security appliance is used as the router ID.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
If the highest-level IP address on the security appliance is a private address, then this address is sent in hello packets and database definitions. To prevent this situation, use the router-id command to specify a global address for the router ID.
Examples
The following example sets the router ID to 192.168.1.1:
hostname(config-router)# router-id 192.168.1.1hostname(config-router)#Related Commands
router ospf
Enters router configuration mode.
show ospf
Displays general information about the OSPF routing processes.
router ospf
To start an OSPF routing process and configure parameters for that process, use the router ospf command in global configuration mode. To disable OSPF routing, use the no form of this command.
router ospf pid
no router ospf pid
Syntax Description
pid
Internally used identification parameter for an OSPF routing process; valid values are from 1 to 65535. The pid does not need to match the ID of OSPF processes on other routers.
Defaults
OSPF routing is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The router ospf command is the global configuration command for OSPF routing processes running on the security appliance. Once you enter the router ospf command, the command prompt appears as (config-router)#, indicating that you are in router configuration mode.
When using the no router ospf command, you do not need to specify optional arguments unless they provide necessary information. The no router ospf command terminates the OSPF routing process specified by its pid. You assign the pid locally on the security appliance. You must assign a unique value for each OSPF routing process.
The router ospf command is used with the following OSPF-specific commands to configure OSPF routing processes:
•
•
•
•
•
•
•
•
•
•
•
•
•
You cannot configure OSPF when RIP is configured on the security appliance.
Examples
The following example shows how to enter the configuration mode for the OSPF routing process numbered 5:
hostname(config)# router ospf 5hostname(config-router)#Related Commands
