-
Cisco Security Appliance Command Reference, Version 7.1
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting through accounting-server-group
-
acl-netmask-convert through auto-update timeout Commands
-
backup-servers through browse networks Commands
-
cache through clear compression Commands
-
clear configure through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
debug aaa through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
interface-dhcp through issuer-name Commands
-
join-failover-group through kill Commands
-
ldap-attribute-map through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
page style through pwd Commands
-
queue-limit through routerospf Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show debug through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show webvpn svc Commands
-
shun through sysopt uauth allow-http-cache Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Feedback
Table Of Contents
cache through clear compression Commands
clear aaa local user fail-attempts
cache through clear compression Commands
cache
To enter cache mode and set values for caching attributes, enter the cache command in webvpn mode. To remove all cache related commands from the configuration and reset them to default values, enter the no version of the command, also in webvpn mode.
cache
no cache
Defaults
Enabled with default settings for each cache attribute.
Command Modes
The following table shows the modes in which you enter the command:
Webvpn mode
•
—
•
—
—
Command History
Usage Guidelines
Caching stores frequently reused objects in the system cache, which reduces the need to perform repeated rewriting and compressing of content. It reduces traffic between WebVPN and both the remote servers and end-user browsers, with the result that many applications run much more efficiently.
Examples
The following example shows how to enter cache mode:
hostname(config)#webvpnhostname(config-webvpn)#cachehostname(config-webvpn-cache)#Related Commands
cache-compressed
To cache compressed objects for WebVPN sessions, use the cache-compressed command in webvpn mode. To disallow caching of compressed content, enter the no version of the command.
cache-compressed enable
no cache-compressed
Syntax Description
Defaults
Caching of compressed content is enabled by default.
Command Modes
The following table shows the modes in which you enter the command:
Cache mode
•
—
•
—
—
Command History
Usage Guidelines
Caching stores frequently reused objects in the system cache. When caching of compressed content is enabled, the security appliance stores compressed ojects. When you disable caching of compressed content, the security appliance stores objects prior to invoking the compression routine.
Examples
The following example shows how to disable caching of compressed content, and how to reenable it.
hostname(config)#webvpnhostname(config-webvpn)#cachehostname(config-webvpn-cache)# no cache-compressedhostname(config-webvpn-cache)# cache-compressed enableRelated Commands
cache-time
To specify in minutes how long to allow a CRL to remain in the cache before considering it stale, use the cache-time command in ca-crl configuration mode. To return to the default value, use the no form of this command.
cache-time refresh-time
no cache-time
Syntax Description
refresh-time
Specifies the number of minutes to allow a CRL to remain in the cache. The range is 1 - 1440 minutes. If the NextUpdate field is not present in the CRL, the CRL is not cached.
Defaults
The default setting is 60 minutes.
Command Modes
The following table shows the modes in which you can enter the
CRL configuration
•
•
•
•
•
command:
Command History
Examples
The following example enters ca-crl configuration mode, and specifies a cache time refresh value of 10 minutes for trustpoint central:
hostname(configure)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# cache-time 10hostname(ca-crl)#Related Commands
Enters crl configuration mode.
Enters trustpoint configuration mode.
Specifies how to handle the NextUpdate CRL field in a certificate.
call-agent
To specify a group of call agents, use the call-agent command in MGCP map configuration mode, which is accessible by using the mgcp-map command. To remove the configuration, use the no form of this command.
call-agent ip_address group_id
no call-agent ip_address group_id
Syntax Description
ip_address
The IP address of the gateway.
group_id
The ID of the call agent group, from 0 to 2147483647.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the call-agent command to specify a group of call agents that can manage one or more gateways. The call agent group information is used to open connections for the call agents in the group (other than the one a gateway sends a command to) so that any of the call agents can send the response. Call agents with the same group_id belong to the same group. A call agent may belong to more than one group. The group_id option is a number from 0 to 4294967295. The ip_address option specifies the IP address of the call agent.
Examples
The following example allows call agents 10.10.11.5 and 10.10.11.6 to control gateway 10.10.10.115, and allows call agents 10.10.11.7 and 10.10.11.8 to control both gateways 10.10.10.116 and 10.10.10.117:
hostname(config)# mgcp-map mgcp_inboundhostname(config-mgcp-map)# call-agent 10.10.11.5 101hostname(config-mgcp-map)# call-agent 10.10.11.6 101hostname(config-mgcp-map)# call-agent 10.10.11.7 102hostname(config-mgcp-map)# call-agent 10.10.11.8 102hostname(config-mgcp-map)# gateway 10.10.10.115 101hostname(config-mgcp-map)# gateway 10.10.10.116 102hostname(config-mgcp-map)# gateway 10.10.10.117 102Related Commands
capture
To enable packet capture capabilities for packet sniffing and network fault isolation, use the capture command. To disable packet capture capabilities, use the no form of this command (see the "Usage Guidelines" section for additional information about the no form of this command).
capture capture_name [access-list access_list_name] [buffer buf_size] [ethernet-type type] [interface interface_name] [packet-length bytes] [circular-buffer]
capture capture_name type asp-drop all [drop-code] [buffer buf_size] [circular-buffer] [packet-length bytes]
capture capture_name type isakmp [access-list access_list_name] [buffer buf_size] [circular-buffer] [interface interface_name] [packet-length bytes]
capture capture_name type raw-data [access-list access_list_name] [buffer buf_size] [circular-buffer] [ethernet-type type] [interface interface_name] [packet-length bytes]
capture capture_name type webvpn user webvpn-user [url url]
no capture capture_name
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Privileged mode
·
·
·
·
·
Command History
Usage Guidelines
Capturing packets is useful when troubleshooting connectivity problems or monitoring suspicious activity. The security appliance can track packet information for traffic that passes through it, including management traffic and inspection engines. Packet information for all traffic that passes through the device can be captured.
To capture packets on the dataplane of an ASA 5500 series adaptive security appliance, you can use the interface keyword with asa_dataplane as the name of the interface.
With ISAKMP, the ISAKMP subsystem does not have access to the upper layer protocols. The capture is a pseudo capture, with the Physical, IP, and UDP layers combined together to satisfy a PCAP parser. The peer addresses are obtained from the SA exchange and are stored in the IP layer.
When selecting an Ethernet type to be included from capture, an exception occurs with the 802.1Q or VLAN type. The 802.1Q tag is automatically skipped and the inner Ethernet type is used for matching. By default, all the Ethernet types are accepted.
Once the byte buffer is full, packet capture stops.
To enable packet capturing, attach the capture to an interface with the interface optional argument. Multiple capture command statements attach the capture to multiple interfaces.
If you copy the buffer contents to a TFTP server in ASCII format, you will see only the headers, not the details and hexadecimal dump of the packets. To see the details and hexadecimal dump, you need to transfer the buffer in PCAP format and read it with TCPDUMP or Ethereal.
The ethernet-type and access-list optional keywords select the packets to store in the buffer. A packet must pass both the Ethernet and access list filters before the packet is stored in the capture buffer.
The circular-buffer keyword allows you to enable the capture buffer to overwrite itself, starting from the beginning, when the capture buffer is full.
Enter the no capture command with either the access-list or interface optional keyword unless you want to clear the capture itself. Entering no capture without optional keywords deletes the capture. If the access-list optional keyword is specified, the access list is removed from the capture and the capture is preserved. If the interface optional keyword is specified, the capture is detached from the specified interface and the capture is preserved.
Note
Use the copy capture: capture_name tftp://server/path [pcap] command to copy capture information to a remote TFTP server.
Use the https://securityappliance-ip-address/capture/capture_name[/pcap] command to see the packet capture information with a web browser.
If you specify the pcap optional keyword, then a libpcap-format file is downloaded to the web browser and can be saved using the web browser. (A libcap file can be viewed with TCPDUMP or Ethereal.)
When you enable WebVPN capture, the security appliance creates a pair of matching files:
capture name_ORIGINAL.000 and capture name_MANGLED.000. For each subsequent capture, the security appliance generates additional matching pairs of files and increments the file extensions. url is the URL prefix to match for data capture. Use the URL http://server/path to capture HTTP traffic to the server. Use https://server/path to capture HTTPS traffic to the server.
Note
type asp-drop Drop Codes
The following table lists valid values for the optional drop-code argument that can follow the type asp-drop keyword.
Examples
To enable packet capture, enter the following:
hostname(config)# capture captest interface insidehostname(config)# capture captest interface outsideOn a web browser, the capture contents for a capture named "mycapture" can be viewed at the following location:
https://171.69.38.95/capture/mycapture/pcapTo download a libpcap file (used in web browsers such as Internet Explorer or Netscape Navigator) to a local machine, enter the following:
https://171.69.38.95/capture/http/pcapThis example shows that the traffic is captured from an outside host at 171.71.69.234 to an inside HTTP server:
hostname(config)# access-list http permit tcp host 10.120.56.15 eq http host 171.71.69.234hostname(config)# access-list http permit tcp host 171.71.69.234 host 10.120.56.15 eq httphostname(config)# capture http access-list http packet-length 74 interface insideThis example shows how to capture ARP packets:
hostname(config)# capture arp ethernet-type arp interface outsideThis example creates a WebVPN capture designated hr, which is configured to capture HTTP traffic for user2 visiting website wwwin.abcd.com/hr/people:
hostname# capture hr type webvpn user user2 url http://wwwin.abcd.com/hr/peopleWebVPN capture started.capture name hruser name user2url /http/0/wwwin.abcd.com/hr/peoplehostname#Related Commands
clear capture
Clears the capture buffer.
copy capture
Copies a capture file to a server.
show capture
Displays the capture configuration when no options are specified.
cd
To change the current working directory to the one specified, use the cd command in privileged EXEC mode.
cd [flash:] [path]
Syntax Description
flash:
Specifies the internal Flash memory, followed by a colon.
path
(Optional) The absolute path of the directory to change to.
Defaults
If you do not specify a directory, the directory is changed to the root directory.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Examples
This example shows how to change to the "config" directory:
hostname# cd flash:/config/Related Commands
certificate
To add the indicated certificate, use the certificate command in crypto ca certificate chain mode. When you use this command, the security appliance interprets the data included with it as the certificate in hexadecimal format. A quit string indicates the end of the certificate.
To delete the certificate, use the no form of the command.
certificate [ca | ra-encrypt | ra-sign | ra-general] certificate-serial-number
no certificate certificate-serial-number
Syntax Description
Syntax DescriptionSyntax Description
Defaults
This command has no default values.
Command Modes
The following table shows the modes in which you can enter the command:
Certificate chain configuration
•
•
•
•
•
Command History
Usage Guidelines
A certificate authority (CA) is an authority in a network that issues and manages security credentials and public key for message encryption. As part of a public key infrastructure, a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate.
Examples
This example enters ca trustpoint mode for a trustpoint named central, then enters crypto ca certificate chain mode for central, and adds a CA certificate with a serial number 29573D5FF010FE25B45:
hostname(config)#crypto ca trustpoint centralhostname(ca-trustpoint)#crypto ca certificate chain centralhostname(ca-cert-chain)#certificate ca 29573D5FF010FE25B4530820345 308202EF A0030201 02021029 572A3FF2 96EF854F D0D6732F E25B45300D06092A 864886F7 0D010105 05003081 8F311630 1406092A 864886F7 0D01090116076140 622E636F 6D310B30 09060355 04061302 55533116 30140603 550408130D6D6173 73616368 75736574 74733111 300F0603 55040713 08667261 6E6B6C696E310E30 0C060355 040A1305 63697363 6F310F30 0D060355 040B1306 726F6F746F75311C 301A0603 55040313 136D732D 726F6F74 2D736861 2D30362D 32303031301E170D 30313036 32363134 31313430 5A170D32 32303630 34313430 3133305A30818F31 16301406 092A8648 86F70D01 09011607 6140622E 636F6D31 0B30090603550406 13025553 31163014 06035504 08130D6D 61737361 63687573 657474733111300F 06035504 07130866 72616E6B 6C696E31 0E300C06 0355040A 1305636973636F31 0F300D06 0355040B 1306726F 6F746F75 311C301A 06035504 0313136D732D726F 6F742D73 68612D30 362D3230 3031305C 300D0609 2A864886 F70D010101050003 4B003048 024100AA 3EB9859B 8670A6FB 5E7D2223 5C11BCFE 48E6D3A8181643ED CF7E75EE E77D83DF 26E51876 97D8281E 9F58E4B0 353FDA41 29FC791B1E14219C 847D19F4 A51B7B02 03010001 A3820123 3082011F 300B0603 551D0F0404030201 C6300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E04160414E0D412 3ACC96C2 FBF651F3 3F66C0CE A62AB63B 323081CD 0603551D 1F0481C53081C230 3EA03CA0 3A86386C 6461703A 2F2F7732 6B616476 616E6365 647372762F436572 74456E72 6F6C6C2F 6D732D72 6F6F742D 7368612D 30362D32 3030312E63726C30 3EA03CA0 3A863868 7474703A 2F2F7732 6B616476 616E6365 647372762F436572 74456E72 6F6C6C2F 6D732D72 6F6F742D 7368612D 30362D32 3030312E63726C30 40A03EA0 3C863A66 696C653A 2F2F5C5C 77326B61 6476616E 6365647372765C43 65727445 6E726F6C 6C5C6D73 2D726F6F 742D7368 612D3036 2D323030312E6372 6C301006 092B0601 04018237 15010403 02010130 0D06092A 864886F70D010105 05000341 0056221E 03F377B9 E6900BF7 BCB3568E ADBA146F 3B8A71F3DF9EB96C BB1873B2 B6268B7C 0229D8D0 FFB40433 C8B3CB41 0E4D212B 2AEECD77BEA3C1FE 5EE2AB6D 91quitRelated Commands
Clears all configuration for all crypto maps
Displays configuration for all crypto maps.
Enters certificate crypto ca certificate chain mode.
Enters ca trustpoint mode.
chain
To enable sending of a certificate chain, use the chain command in tunnel-group ipsec-attributes configuration mode. This action includes the root certificate and any subordinate CA certificates in the transmission. To return this command to the default, use the no form of this command.
chain
no chain
Syntax Description
This command has no arguments or keywords.
Defaults
The default setting for this command is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ipsec attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute to all IPSec tunnel-group types.
Examples
The following example entered in tunnel-group-ipsec attributes configuration mode, enables sending a chain for an IPSec LAN-to-LAN tunnel group with the IP address of 209.165.200.225, which includes the root certificate and any subordinate CA certificates:
hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2Lhostname(config)# tunnel-group 209.165.200.225 ipsec-attributeshostname(config-tunnel-ipsec)# chainhostname(config-tunnel-ipsec)#Related Commands
changeto
To change between security contexts and the system, use the changeto command in privileged EXEC mode.
changeto {system | context name}
Syntax Description
context name
Changes to the context with the specified name.
system
Changes to the system execution space.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
—
•
•
Command History
Usage Guidelines
If you log into the system execution space or the admin context, you can change between contexts and perform configuration and monitoring tasks within each context. The "running" configuration that you edit in configuration mode, or that is used in the copy or write commands, depends on which execution space you are in. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context execution space, the running configuration consists only of that context. For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration appears.
Examples
The following example changes between contexts and the system in privileged EXEC mode:
hostname/admin# changeto systemhostname# changeto context customerAhostname/customerA#The following example changes between the system and the admin context in interface configuration mode. When you change between execution spaces, and you are in a configuration submode, the mode changes to the global configuration mode in the new execution space.
hostname(config-if)# changeto context adminhostname/admin(config)#Related Commands
character-encoding
To specify the global character encoding in WebVPN portal pages, use the character-encoding command in webvpn configuration mode. The no form removes the value of the character-encoding attribute.
character-encoding charset
no character-encoding [charset]
Syntax Description
charset
String consisting of up to 40 characters, and equal to one of the valid character sets identified in http://www.iana.org/assignments/character-sets. You can use either the name or the alias of a character set listed on that page. Examples include iso-8859-1, shift_jis, and ibm850.
The string is case-insensitive. The command interpreter converts upper-case to lower-case in the security appliance configuration.
Defaults
No default behavior or values. The encoding type set on the remote browser determines the character set for WebVPN portal pages when this attribute does not have a value.
Command Modes
The following table shows the modes in which you can enter the command:
webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
Character encoding, also called "character coding" and "a character set," is the pairing of raw data (such as 0's and 1's) and characters to represent the data. The language determines the character encoding method to use. Some languages use the same method, while others do not. Usually, the geographic region determines the default encoding method used by the browser, but the user can change this. The browser can also detect the encoding specified on the page, and render the document accordingly. The character-encoding attribute lets you specify the value of the character-encoding method into the WebVPN portal page to ensure that the browser renders it properly, regardless of the region in which the user is using the browser, or any changes made to the browser.
The character-encoding attribute is a global setting that, by default, all WebVPN portal pages inherit. However, you can override the file-encoding attribute for Common Internet File System servers that use character encoding that differs from the value of the character-encoding attribute. You can use different file-encoding values for CIFS servers that require different character encodings.
The WebVPN portal pages downloaded from the CIFS server to the WebVPN user encode the value of the WebVPN file-encoding attribute identifying the server, or if one does not, they inherit the value of the character-encoding attribute. The remote user's browser maps this value to an entry in its character encoding set to determine the proper character set to use. The WebVPN portal pages do not specify a value if WebVPN configuration does not specify a file-encoding entry for the CIFS server and the character-encoding attribute is not set. The remote browser uses its own default encoding if the WebVPN portal page does not specify the character encoding or if it specifies a character encoding value that the browser does not support.
The mapping of CIFS servers to their appropriate character encoding, globally with the webvpn character-encoding attribute, and individually with file-encoding overrides, provides for the accurate handling and display of CIFS pages when the proper rendering of file names or directory paths, as well as pages, are an issue.
Note
Examples
The following example sets the character-encoding attribute to support Japanese Shift_JIS characters, removes the font family, and retains the default background color:
hostname(config)# webvpnhostname(config-webvpn)# character-encoding shift_jisF1-asa1(config-webvpn)# customization DfltCustomizationF1-asa1(config-webvpn-custom)# page style background-color:whiteF1-asa1(config-webvpn-custom)#Related Commands
checkheaps
To configure checkheaps verification intervals, use the checkheaps command in global configuration mode. To set the value to the default, use the no form of this command. Checkheaps is a periodic process that verifies the sanity of the heap memory buffers (dynamic memory is allocated from the system heap memory region) and the integrity of the code region.
checkheaps {check-interval | validate-checksum} seconds
no checkheaps {check-interval | validate-checksum} [seconds]
Syntax Description
Defaults
The default intervals are 60 seconds each.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Examples
The following example sets the buffer allocation interval to 200 seconds and the code space checksum interval to 500 seconds:
hostname(config)# checkheaps check-interval 200hostname(config)# checkheaps validate-checksum 500Related Commands
check-retransmission
To prevent against TCP retransmission style attacks, use the check-retransmission command in tcp-map configuration mode. To remove this specification, use the no form of this command.
check-retransmission
no check-retransmission
Syntax Description
This command has no arguments or keywords.
Defaults
The default is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.
Use the tcp-map command to enter tcp-map configuration mode. To prevent against TCP retransmission style attacks that arise from end-system interpretation of inconsistent retransmissions, use the check-retransmission command in tcp-map configuration mode.
The security appliance will make efforts to verify if the data in retransmits are the same as the original. If the data doesn't match, then the connection is dropped by the security appliance. When this feature is enabled, packets on the TCP connection are only allowed in order. For more details, see the queue-limit command.
Examples
The following example enables the TCP check-retransmission feature on all TCP flows:
hostname(config)# access-list TCP extended permit tcp any anyhostname(config)# tcp-map tmaphostname(config-tcp-map)# check-retransmissionhostname(config)# class-map cmaphostname(config-cmap)# match access-list TCPhostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalRelated Commands
checksum-verification
To enable or disable TCP checksum verification, use the checksum-verification command in tcp-map configuration mode. To remove this specification, use the no form of this command.
checksum-verification
no checksum-verification
Syntax Description
This command has no arguments or keywords.
Defaults
Checksum verification is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.
Use the tcp-map command to enter tcp-map configuration mode. Use the checksum-verification command in tcp-map configuration mode to enable TCP checksum verification. If the check fails, the packet is dropped.
Examples
The following example enables TCP checksum verification on TCP connections from 10.0.0.0 to 20.0.0.0:
hostname(config)# access-list TCP1 extended permit tcp 10.0.0.0 255.0.0.0 20.0.0.0 255.0.0.0hostname(config)# tcp-map tmaphostname(config-tcp-map)# checksum-verificationhostname(config)# class-map cmaphostname(config-cmap)# match access-list TCP1hostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalRelated Commands
class (policy-map)
To assign a class-map to a policy for traffic classification, use the class command in policy-map mode. To remove a class-map specification for a policy map, use the no form of this command.
class classmap-name
no class classmap-name
Syntax Description
Defaults
By default, "class class-default" always exists at the end of a policy map.
Command Modes
The following table shows the modes in which you can enter the command:
Policy-map
•
•
•
•
—
Command History
Usage Guidelines
Including the class-default, up to 63 class commands can be configured in a policy map.
The name "class-default" is a reserved name for default class, and it always exists; that is, you can include it in your configuration, but you cannot reconfigure or remove it using CLI. See the description of the class-map command for more information.
Use the class command to enter class mode, in which you can enter the following commands:
set connection
inspect
ips
priority
police
See the individual command descriptions for detailed information.
Examples
The following is an example of the class command in policy-map mode; note the change in the prompt:
hostname(config)# class-map localclass1hostname(config-cmap)# match anyhostname(config-cmap)# exithostname(config)# policy-map localpolicy1hostname(config-pmap)# class localclass1hostname(config-pmap-c)# priorityhostname(config-pmap-c)# exitThe following is an example of a policy-map command, with its class commands, for a connection policy that limits connections to an HTTP server to a maximum of 256:
hostname(config)# access-list myhttp permit tcp any host 10.1.1.1hostname(config)# class-map myhttphostname(config-cmap)# match access-list myhttphostname(config-cmap)# exithostname(config)# policy-map global-policyhostname(config-pmap)# description This policy map defines a policy concerning connection to http server.hostname(config-pmap)# class myhttphostname(config-pmap-c)# set connection conn-max 256The following is an example of a policy-map command, with its class commands, for the outside interface (defined in the service-policy command). The class-map command specifies a class of traffic that has a destination IP address of 192.168.10.10:
hostname(config)# class-map outside-voiphostname(config-cmap)# match dscp af11hostname(config-cmap)# exithostname(config)# policy-map outside-policyhostname(config-pmap)# description This policy map defines policies for the outside interface.hostname(config-pmap)# class outside-voiphostname(config-pmap-c)# priorityhostname(config-pmap-c)# exithostname(config-pmap)# exithostname(config)# service-policy outside-policy interface outsideRelated Commands
class-map
To classify traffic for an interface when using Modular Policy Framework to configure a security feature, use the class-map command in global configuration mode. To delete a class map, use the no form of this command.
class-map class_map_name
no class-map class_map_name
Syntax Description
Defaults
The default class, class-default, always exists and cannot be configured or removed using the CLI. A default class, when used in a policy map, means "all other traffic.". The definition of class-default is:
class-map class-defaultmatch anyCommand Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The class-map command allows you to define a traffic class when using Modular Policy Framework to configure a security feature. Modular Policy Framework provides a consistent and flexible way to configure security appliance features in a manner similar to Cisco IOS software QoS CLI. Use the class-map, policy-map, and service-policy global configuration commands to configure a security feature using Modular Policy Framework.
Define a traffic class using the class-map global configuration command. Then create a policy map by associating the traffic class with one or more actions using the policy-map global configuration command. Finally, create a security policy by associating the policy map with one or more interfaces using the service-policy command.
A traffic class map contains, at most, one match command (with the exception of the match tunnel-group and match default-inspection-traffic commands). The match command identifies the traffic included in the traffic class. When a packet is matched against a class-map, the match result is either a match or a no match.
Use the class-map command to enter class-map configuration mode. From class-map configuration mode, you can define the traffic to include in the class using the match command. The following commands are available in class-map configuration mode:
Examples
The following example shows how to define a traffic class of all TCP traffic to port 21 using a class map:
hostname(config)# class-map ftp-porthostname(config-cmap)# match port tcp eq 21Related Commands
clear aaa local user fail-attempts
To reset the number of failed user authentication attempts to zero without modifying the user's locked-out status, use the clear aaa local user fail-attempts command in privileged EXEC mode.
clear aaa local user authentication fail-attempts {username name | all}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
Use this command when a user fails authentication a few times, but you want to reset to counter to zero, for example, when the configuration has recently been modified.
After the configured number of failed authentication attempts, the user is locked out of the system and cannot successfully log in until either a system administrator unlocks the username or the system reboots.
The number of failed attempts resets to zero and the lockout status resets to No when the user successfully authenticates or when the security appliance reboots.
Locking or unlocking a username results in a syslog message.
A system administrator with a privilege level of 15 cannot be locked out.
Examples
The following example shows use of the clear aaa local user authentication fail-attempts command to reset the failed-attempts counter to 0 for the username anyuser:
hostname(config)# clear aaa local user authentication fail-attempts username anyuserhostname(config)#The following example shows use of the clear aaa local user authentication fail-attempts command to reset the failed-attempts counter to 0 for all users:
hostname(config)# clear aaa local user authentication fail-attempts allhostname(config)#Related Commands
clear aaa local user lockout
To clear the lockout status of the specified users and set their failed-attempts counter to 0, use the clear aaa local user lockout command in privileged EXEC mode.
clear aaa local user lockout {username name | all}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
You can specify a single user by using the username option or all users with the all option.
This command affects only the status of users that are locked out.
The administrator cannot be locked out of the device.
Locking or unlocking a username results in a syslog message.
Examples
The following example shows use of the clear aaa local user lockout command to clear the lockout condition and reset the failed-attempts counter to 0 for the username anyuser:
hostname(config)# clear aaa local user lockout username anyuserhostname(config)#Related Commands
clear aaa-server statistics
To reset the statistics for AAA servers, use the clear aaa-server statistics command in privilged EXEC mode.
clear aaa-server statistics [LOCAL | groupname [host hostname] | protocol protocol]
Syntax Description
Defaults
Remove all AAA-server statistics across all groups.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
7.0(1)
This command was modified to adhere to CLI guidelines. In the protocol values, nt replaces the older nt-domain, and sdi replaces the older rsa-ace.
Examples
The following command shows how to reset the AAA statistics for a specific server in a group:
hostname(config)#clear aaa-server statistics svrgrp1 host 1.2.3.4The following command shows how to reset the AAA statistics for an entire server group:
hostname(config)#clear aaa-server statistics svrgrp1The following command shows how to reset the AAA statistics for all server groups:
hostname(config)#clear aaa-server statisticsThe following command shows how to reset the AAA statistics for a particular protocol (in this case, TACACS+):
hostname(config)#clear aaa-server statistics protocol tacacs+Related Commands
clear access-group
To remove access groups from all the interfaces, use the clear access-group command.
clear access-group
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example shows how to remove all access groups:
hostname(config)# clear access-groupRelated Commands
access-group
Binds an access list to an interface.
show running-config access-group
Displays the current access group configuration.
clear access-list
To clear an access-list counter, use the clear access-list command in global configuration mode.
clear access-list [id] counters
Syntax Description
Defaults
All the access list counters are cleared.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
When you enter the clear access-list command, all the access list counters are cleared if you do not specify an id.
Examples
The following example shows how to clear a specific access list counter:
hostname# clear access-list inbound countersRelated Commands
clear arp
To clear dynamic ARP entries or ARP statistics, use the clear arp command in privileged EXEC mode.
clear arp [statistics]
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Examples
The following example clears all ARP statistics:
hostname# clear arp statisticsRelated Commands
clear asp drop
To clear accelerated security path drop statistics, use the clear asp drop command in privileged EXEC mode.
clear asp drop [flow type | frame type]
Syntax Description
flow
(Optional) Clears the dropped flow statistics.
frame
(Optional) Clears the dropped packet statistics.
type
(Optional) Clears the dropped flow or packets statistics for a particular process. See "Usage Guidelines" for a list of types.
Defaults
By default, this command clears all drop statistics.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Process types include the following:
acl-dropaudit-failureclosed-by-inspectionconn-limit-exceededfin-timeoutflow-reclaimedfo-primary-closedfo-standbyfo_rep_errhost-removedinspect-failips-fail-closeips-requestipsec-spoof-detectloopbackmcast-entry-removedmcast-intrf-removedmgmt-lockdownnat-failednat-rpf-failedneed-ikeno-ipv6-ipsecnon_tcp_synout-of-memoryparent-closedpinhole-timeoutrecursereinject-puntreset-by-ipsreset-inreset-ooutshunnedsyn-timeouttcp-finstcp-intecept-no-responsetcp-intercept-killtcp-intercept-unexpectedtcpnorm-invalid-syntcpnorm-rexmit-badtcpnorm-win-variationtimeouttunnel-pendingtunnel-torn-downxlate-removedExamples
The following example clears all drop statistics:
hostname# clear asp dropRelated Commands
clear asp table
To clear the hit counters either in asp arp or classify tables, or both, use the clear asp table command in privileged EXEC mode.
clear asp table [arp | classify]
Syntax Description
arp
clears the hits counters in asp arp table only.
classify
clears the hits counters in asp classify tables only
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
There are only two options arp and classify having hits in the clear asp table command
Examples
The following example clears all drop statistics:
hostname# clear asp tableWarning: hits counters in asp arp and classify tables are cleared, which might impact the hits statistic of other modules and output of other "show" commands! hostname#clear asp table arpWarning: hits counters in asp arp table are cleared, which might impact the hits statistic of other modules and output of other "show" commands! hostname#clear asp table classifyWarning: hits counters in classify tables are cleared, which might impact the hits statistic of other modules and output of other "show" commands! hostname(config)# clear asp tableWarning: hits counters in asp tables are cleared, which might impact the hits statistics of other modules and output of other "show" commands! hostname# sh asp table arpContext: single_vf, Interface: inside 10.1.1.11 Active 00e0.8146.5212 hits 0Context: single_vf, Interface: identity :: Active 0000.0000.0000 hits 0 0.0.0.0 Active 0000.0000.0000 hits 0Related Commands
show asp table arp
Shows the contents of the accelerated security path, which might help you troubleshoot a problem.
clear blocks
To reset the packet buffer counters such as the low watermark and history information, use the clear blocks command in privileged EXEC mode.
clear blocks
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Resets the low watermark counters to the current available blocks in each pool. Also clears the history information stored during the last buffer allocation failure.
Examples
The following example clears the blocks:
hostname# clear blocksRelated Commands
blocks
Increases the memory assigned to block diagnostics
show blocks
Shows the system buffer utilization.
clear-button
To customize the Clear button of the WebVPN page login box that is displayed to WebVPN users when they connect to the security appliance, use the clear-button command from webvpn customization mode:
clear-button {text | style} value
[no] clear-button {text | style} value
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
Defaults
The default text is "Clear".
The default style is border:1px solid black;background-color:white;font-weight:bold;font-size:80%.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn customization
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
The following example changes the default background color of the Clear button from black to blue:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# clear-button style background-color:blueRelated Commands
clear capture
To clear the capture buffer, use the clear capture capture_name command.
clear capture capture_name
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Priveleged Mode
·
·
·
·
·
Command History
Usage Guidelines
The shortened form of the clear capture (for example, cl cap or clear cap) is not supported to prevent accidental destruction of all the packet captures.
Examples
This example shows how to clear the capture buffer for the capture buffer "trudy":
hostname(config)#clear capture trudyRelated Commands
Enables packet capture capabilities for packet sniffing and network fault isolation.
Displays the capture configuration when no options are specified.
clear compression
To clear compression statistics for all SVC and WebVPN connections, use the clear compression command from privileged EXEC mode:
clear compression {all | svc | http-comp}
Defaults
There is no default behavior for this command.
Command Modes
The following table shows the modes in which you can enter the command:
global configuration
•
—
•
—
—
Command History
Examples
In the following example, the user clears the compression configuration:
hostname#(config) clear configure compressionRelated Commands
compression
Enables compression for all SVC and WebVPN connections.
svc compression
Enables compression of data over an SVC connection for a specific group or user.
