-
Cisco Security Appliance Command Reference, Version 7.1
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting through accounting-server-group
-
acl-netmask-convert through auto-update timeout Commands
-
backup-servers through browse networks Commands
-
cache through clear compression Commands
-
clear configure through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
debug aaa through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
interface-dhcp through issuer-name Commands
-
join-failover-group through kill Commands
-
ldap-attribute-map through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
page style through pwd Commands
-
queue-limit through routerospf Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show debug through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show webvpn svc Commands
-
shun through sysopt uauth allow-http-cache Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Feedback
Table Of Contents
default through duplex Commands
deny-message (group-policy webvpn configuration mode)
dns-group (tunnel-group webvpn configuration mode)
default through duplex Commands
default
To restore default settings for the time-range command absolute and periodic keywords, use the default command in time-range configuration mode.
default {absolute | periodic days-of-the-week time to [days-of-the-week] time}
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Time-range configuration
•
•
•
•
—
Command History
Usage Guidelines
If the end days-of-the-week value is the same as the start value, you can omit them.
If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.
The time-range feature relies on the system clock of the security appliance; however, the feature works best with NTP synchronization.
Examples
The following example shows how to restore the default behavior of the absolute keyword:
hostname(config-time-range)# default absoluteRelated Commands
default (crl configure)
To return all CRL parameters to their system default values, use the default command in crl configure configuration mode. The crl configure configuration mode is accessible from the crypto ca trustpoint configuration mode. These parameters are used only when the LDAP server requires them.
default
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Crl configure configuration
·
·
Command History
Usage Guidelines
Invocations of this command do not become part of the active configuration.
Examples
The following example enters ca-crl configuration mode, and returns CRL command values to their defaults:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# defaulthostname(ca-crl)#Related Commands
crl configure
Enters crl configure configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
protocol ldap
Specifies LDAP as a retrieval method for CRLs.
default (time-range)
To restore default settings for the absolute and periodic commands, use the default command in time-range configuration mode.
default {absolute | periodic days-of-the-week time to [days-of-the-week] time}
Syntax Description
Defaults
There are no default settings for this command.
Command Modes
The following table shows the modes in which you can enter the command:
Time-range configuration
·
·
·
·
Command History
Usage Guidelines
If the end days-of-the-week value is the same as the start value, you can omit them.
If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.
The time-range feature relies on the system clock of the security appliance; however, the feature works best with NTP synchronization.
Examples
The following example shows how to restore the default behavior of the absolute keyword:
hostname(config-time-range)# default absoluteRelated Commands
default enrollment
To return all enrollment parameters to their system default values, use the default enrollment command in crypto ca trustpoint configuration mode.
default enrollment
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
·
·
·
·
·
Command History
Usage Guidelines
Invocations of this command do not become part of the active configuration.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and returns all enrollment parameters to their default values within trustpoint central:
hostname<config># crypto ca trustpoint centralhostname<ca-trustpoint># default enrollmenthostname<ca-trustpoint>#Related Commands
Removes all trustpoints.
Enters crl configuration mode.
Enters trustpoint configuration mode.
default-domain
To set a default domain name for users of the group policy, use the default-domain command in group-policy configuration mode. To delete a domain name, use the no form of this command.
To prevent users from inheriting a domain name, use the default-domain none command.
The security appliance passes the default domain name to the IPSec client to append to DNS queries that omit the domain field. This domain name applies only to tunneled packets. When there are no default domain names, users inherit the default domain name in the default group policy.
default-domain {value domain-name | none}
no default-domain [domain-name]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Command History
Usage Guidelines
You can use only alphanumeric characters, hyphens (-), and periods (.) in default domain names.
Examples
The following example shows how to set a default domain name of FirstDomain for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# default-domain value FirstDomainRelated Commands
default-group-policy
To specify the set of attributes that the user inherits by default, use the default-group-policy command in tunnel-group general-attributes configuration mode. To eliminate a default group policy name, use the no form of this command.
default-group-policy group-name
no default-group-policy group-name
Syntax Description
Defaults
The default group name is DfltGrpPolicy.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group general-attributes mode.
The default group policy DfltGrpPolicy comes with the initial configuration of the security appliance. You can apply this attribute to all tunnel-group types.
Examples
The following example entered in config-general configuration mode, specifies a set of attributes for users to inherit by default for an IPSec LAN-to-LAN tunnel group named "standard-policy". This set of commands defines the accounting server, the authentication server, the authorization server and the address pools.
hostname(config)# tunnel-group standard-policy type ipsec-rahostname(config)# tunnel-group standard-policy general-attributeshostname(config-tunnel-general)# default-group-policy first-policyhostname(config-tunnel-general)# accounting-server-group aaa-server123hostname(config-tunnel-general)# address-pool (inside) addrpool1 addrpool2 addrpool3hostname(config-tunnel-general)# authentication-server-group aaa-server456hostname(config-tunnel-general)# authorization-server-group aaa-server78hostname(config-tunnel-general)#Related Commands
default-group-policy (webvpn)
To specify the name of the group policy to use when the WebVPN or e-mail proxy configuration does not specify a group policy, use the default-group-policy command. WebVPN, IMAP4S, POP3S, and SMTPS sessions require either a specified or a default group policy. For WebVPN, use this command in webvpn mode. For e-mail proxy, use this command in the applicable e-mail proxy mode. To remove the attribute from the configuration, use the no version of this command.
default-group-policy groupname
no default-group-policy
Syntax Description
groupname
Identifies the previously configured group policy to use as the default group policy. Use the group-policy command in configuration mode to configure a group policy.
Defaults
A default group policy, named DfltGrpPolicy, always exists on the security appliance. This default-group-policy command lets you substitute a group policy that you create as the default group policy for WebVPN and e-mail proxy sessions. An alternative is to edit the DfltGrpPolicy.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Imap4s
•
—
•
—
—
Pop3s
•
—
•
—
—
Smtps
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
7.1(1)
This command was deprecated in webvpn configuration mode and moved to tunnel-group general-attributes configuration mode.
Usage Guidelines
In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group general-attributes mode.
You can edit, but not delete the system DefaultGroupPolicy. It has the following AVPs:
Examples
The following example shows how to specify a default group policy called WebVPN7 for WebVPN:
hostname(config)#webvpnhostname(config-webvpn)# default-group-policy WebVPN7default-idle-timeout
To set a default idle timeout value for WebVPN users, use the default-idle-timeout command in webvpn mode. To remove the default idle timeout value from the configuration and reset the default, use the no form of this command.
The default idle timeout prevents stale sessions.
default-idle-timeout seconds
no default-idle-timeout
Syntax Description
seconds
Specifies the number of seconds for the idle time out. The minimum is 60 seconds, maximum is 1 day (86400 seconds).
Defaults
1800 seconds (30 minutes).
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Command History
Usage Guidelines
The security appliance uses the value you set here if there is no idle timeout defined for a user, if the value is 0, or if the value does not fall into the valid range.
We recommend that you set this command to a short time period. This is because a browser set to disable cookies (or one that prompts for cookies and then denies them) can result in a user not connecting but nevertheless appearing in the sessions database. If the maximum number of connections permitted is set to one (vpn-simultaneous-logins command), the user cannot log back in because the database indicates that the maximum number of connections already exists. Setting a low idle timeout removes such phantom sessions quickly, and lets a user log in again.
Examples
The following example shows how to set the default idle timeout to 1200 seconds (20 minutes):
hostname(config)#webvpnhostname(config-webvpn)# default-idle-timeout 1200Related Commands
vpn-simultaneous-logins
Sets the maximum number of simultaneous VPN sessions permitted. Use in group-policy or username mode.
default-information originate
To generate a default external route into an OSPF routing domain, use the default-information originate command in router configuration mode. To disable this feature, use the no form of this command.
default-information originate [always] [metric value] [metric-type {1 | 2}] [route-map name]
no default-information originate [[always] [metric value] [metric-type {1 | 2}] [route-map name]]
Syntax Description
Defaults
The default values are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
Using the no form of this command with optional keywords and arguments only removes the optional information from the command. For example, entering no default-information originate metric 3 removes the metric 3 option from the command in the running configuration. To remove the complete command from the running configuration, use the no form of the command without any options: no default-information originate.
Examples
The following example shows how to use the default-information originate command with an optional metric and metric type:
hostname(config-router)# default-information originate always metric 3 metric-type 2hostname(config-router)#Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
delete
To delete a file in the disk partition, use the delete command in privileged EXEC mode.
delete [/noconfirm] [/recursive] [flash:]filename
Syntax Description
Defaults
If you do not specify a directory, the directory is the current working directory by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The file is deleted from the current working directory if a path is not specified. Wildcards are supported when deleting files. When deleting files, you are prompted with the filename and you must confirm the deletion.
The following example shows how to delete a file named test.cfg in the current working directory:
hostname# delete test.cfgRelated Commands
cd
Changes the current working directory to the one specified.
rmdir
Removes a file or directory.
show file
Displays the specified file.
deny-message (group-policy webvpn configuration mode)
To change the message delivered to a remote user who logs into WebVPN successfully, but has no VPN privileges, use the deny-message value command in tunnel-group webvpn configuration mode.
The no deny-message value command removes the string, so that the remote user does not receive a message.
The no deny-message none command removes the attribute from the tunnel group policy configuration. The policy inherits the attribute value.
deny-message value "string"
no deny-message value
no deny-message none
Syntax Description
Defaults
The default deny message is: "Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information."
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy webvpn configuration
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
7.1(1)
This command moved from tunnel-group webvpn configuration mode to group-policy webvpn configuration mode.
Usage Guidelines
Before entering this command, you must enter the group-policy name attributes in global configuration mode, then the webvpn command. (This assumes you already have created the policy name.)
When typing the string in the deny-message value command, continue typing even if the command wraps.
The text appears on the remote user's browser upon login, independent of the tunnel policy used for the VPN session.
Examples
The first command in the following example creates an internal group policy named group2. The subsequent commands modify the deny message associated with that policy.
hostname(config)# group-policy group2 internalhostname(config)# group-policy group2 attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# deny-message value "Your login credentials are OK. However, you have not been granted rights to use the VPN features. Contact your administrator for more information."hostname(config-group-webvpn)Related Commands
deny version
To deny a specific version of SNMP traffic, use the deny version command in SNMP map configuration mode, which is accessible by entering the snmp-map command from global configuration mode. To disable this command, use the no version of the command.
deny version version
deny version version
Syntax Description
version
Specifies the version of SNMP traffic that the security appliance drops. The permitted values are 1, 2, 2c, and 3.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
SNMP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the deny version command to restrict SNMP traffic to specific versions of SNMP. Earlier versions of SNMP were less secure so restricting SNMP traffic to Version 2 may be specified by your security policy. You use the deny version command within an SNMP map, which you configure using the snmp-map command. After creating the SNMP map, you enable the map using the inspect snmp command and then apply it to one or more interfaces using the service-policy command.
Examples
The following example shows how to identify SNMP traffic, define a SNMP map, define a policy, and apply the policy to the outside interface:
hostname(config)# access-list snmp-acl permit tcp any any eq 161hostname(config)# access-list snmp-acl permit tcp any any eq 162hostname(config)# class-map snmp-porthostname(config-cmap)# match access-list snmp-aclhostname(config-cmap)# exithostname(config)# snmp-map inbound_snmphostname(config-snmp-map)# deny version 1hostname(config-snmp-map)# exithostname(config)# policy-map inbound_policyhostname(config-pmap)# class snmp-porthostname(config-pmap-c)# inspect snmp inbound_snmphostname(config-pmap-c)# exithostname(config-pmap)# exithostname(config)# service-policy inbound_policy interface outsideRelated Commands
description
To add a description for a named configuration unit (for example, for a context or for an object group), use the description command in various configuration modes. To remove the description, use the no form of this command. The description adds helpful notes in your configuration.
description text
no description
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command History
Examples
The following example adds a description to the "Administration" context configuration:
hostname(config)# context administratorhostname(config-context)# description This is the admin context.hostname(config-context)# allocate-interface gigabitethernet0/0.1hostname(config-context)# allocate-interface gigabitethernet0/1.1hostname(config-context)# config-url flash://admin.cfgRelated Commands
dhcp-network-scope
To specify the range of IP addresses the security appliance DHCP server should use to assign addresses to users of this group policy, use the dhcp-network-scope command in group-policy configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy. To prevent inheriting a value, use the dhcp-network-scope none command.
dhcp-network-scope {ip_address} | none
no dhcp-network-scope
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Command History
Examples
The following example shows how to set an IP subnetwork of 10.10.85.0 for the group policy named First Group:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# dhcp-network-scope 10.10.85.0dhcp-server
To configure support for DHCP servers that assign IP addresses to clients as a VPN tunnel is established, use the dhcp-server command in tunnel-group general-attributes configuration mode. To return this command to the default, use the no form of this command.
dhcp-server hostname1 [...hostname10]
no dhcp-server hostname
Syntax Description
hostname1 ...hostname10
Specifies the IP address of the DHCP server. You can specify up to 10 DHCP servers.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute to IPSec remote access tunnel-group types only.
Examples
The following command entered in config-general configuration mode, adds three DHCP servers (dhcp1, dhcp2, and dhcp3) to the IPSec remote-access tunnel group "remotegrp":
hostname(config)# tunnel-group remotegrp type ipsec-rahostname(config)# tunnel-group remotegrp generalhostname(config-tunnel-general)# default-group-policy remotegrphostname(config-tunnel-general)# dhcp-server dhcp1 dhcp2 dhcp3hostname(config-tunnel-general)Related Commands
dhcpd address
To define the IP address pool used by the DHCP server, use the dhcpd address command in global configuration mode. To remove an existing DHCP address pool, use the no form of this command.
dhcpd address IP_address1[-IP_address2] interface_name
no dhcpd address interface_name
Syntax Description
interface_name
Interface the address pool is assigned to.
IP_address1
Start address of the DHCP address pool.
IP_address2
End address of the DHCP address pool.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The dhcpd address ip1[-ip2] interface_name command specifies the DHCP server address pool. The address pool of a security appliance DHCP server must be within the same subnet of the security appliance interface on which it is enabled, and you must specify the associated security appliance interface using interface_name.
The size of the address pool is limited to 256 addresses per pool on the security appliance. If the address pool range is larger than 253 addresses, the netmask of the security appliance interface cannot be a Class C address (for example, 255.255.255.0) and needs to be something larger, for example, 255.255.254.0.
DHCP clients must be physically connected to the subnet of the security appliance DCHP server interface.
The dhcpd address command cannot use interface names with a "-" (dash) character because the "-" character is interpreted as a range specifier instead of as part of the object name.
The no dhcpd address interface_name command removes the DHCP server address pool that you configured for the specified interface.
Refer to the Cisco Security Appliance Command Line Configuration Guide for information on how to implement the DHCP server feature into the security appliance.
Examples
The following example shows how to use the dhcpd address, dhcpd dns, and dhcpd enable interface_name commands to configure an address pool and DNS server for the DHCP clients on the dmz interface of the security appliance:
hostname(config)# dhcpd address 10.0.1.100-10.0.1.108 dmzhostname(config)# dhcpd dns 209.165.200.226hostname(config)# dhcpd enable dmzThe following example shows how to configure a DHCP server on the inside interface. It uses the dhcpd address command to assign a pool of 10 IP addresses to the DHCP server on that interface.
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 insidehostname(config)# dhcpd dns 198.162.1.2 198.162.1.3hostname(config)# dhcpd wins 198.162.1.4hostname(config)# dhcpd lease 3000hostname(config)# dhcpd ping_timeout 1000hostname(config)# dhcpd domain example.comhostname(config)# dhcpd enable insideRelated Commands
dhcpd auto_config
To enable the security appliance to automatically configure DNS, WINS and domain name values for the DHCP server based on the values obtained from an interface running a DHCP client, use the dhcpd auto_config command in global configuration mode. To discontinue the automatic configuration of DHCP parameters, use the no form of this command.
dhcpd auto_config client_if_name
no dhcpd auto_config client_if_name
Syntax Description
client_if_name
Specifies the interface running the DHCP client that supplies the DNS, WINS, and domain name parameters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
If you specify DNS, WINS, or domain name parameters using the CLI commands, then the CLI-configured parameters overwrite the parameters obtained by automatic configuration.
Examples
The following example shows how to configure DHCP on the inside interface. The dhcpd auto_config command is used to pass DNS, WINS, and domain information obtained from the DHCP client on the outside interface to the DHCP clients on the inside interface.
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 insidehostname(config)# dhcpd autoconfig outsidehostname(config)# dhcpd enable insideRelated Commands
dhcpd dns
To define the DNS servers for DHCP clients, use the dhcpd dns command in global configuration mode. To clear defined servers, use the no form of this command.
dhcpd dns dnsip1 [dnsip2]
no dhcpd dns [dnsip1 [dnsip2]]
Syntax Description
dnsip1
IP address of the primary DNS server for the DHCP client.
dnsip2
(Optional) IP address of the alternate DNS server for the DHCP client.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The dhcpd dns command lets you specify the IP address or addresses of the DNS server(s) for the DHCP client. You can specify two DNS servers. The no dhcpd dns command lets you remove the DNS IP address(es) from the configuration.
Examples
The following example shows how to use the dhcpd address, dhcpd dns, and dhcpd enable interface_name commands to configure an address pool and DNS server for the DHCP clients on the dmz interface of the security appliance.
hostname(config)# dhcpd address 10.0.1.100-10.0.1.108 dmzhostname(config)# dhcpd dns 192.168.1.2hostname(config)# dhcpd enable dmzRelated Commands
dhcpd domain
To define the DNS domain name for DHCP clients, use the dhcpd domain command in global configuration mode. To clear the DNS domain name, use the no form of this command.
dhcpd domain domain_name
no dhcpd domain [domain_name]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The dhcpd domain command lets you specify the DNS domain name for the DHCP client. The no dhcpd domain command lets you remove the DNS domain server from the configuration.
Examples
The following example shows how to use the dhcpd domain command to configure the domain name supplied to DHCP clients by the DHCP server on the security appliance:
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 insidehostname(config)# dhcpd dns 198.162.1.2 198.162.1.3hostname(config)# dhcpd wins 198.162.1.4hostname(config)# dhcpd lease 3000hostname(config)# dhcpd ping_timeout 1000hostname(config)# dhcpd domain example.comhostname(config)# dhcpd enable insideRelated Commands
clear configure dhcpd
Removes all DHCP server settings.
show running-config dhcpd
Displays the current DHCP server configuration.
dhcpd enable
To enable the DHCP server, use the dhcpd enable command in global configuration mode. To disable the DHCP server, use the no form of this command. The DHCP server provides network configuration parameters to DHCP clients. Support for the DHCP server within the security appliance means that the security appliance can use DHCP to configure connected clients.
dhcpd enable interface
no dhcpd enable interface
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The dhcpd enable interface command lets you enable the DHCP daemon to listen for the DHCP client requests on the DHCP-enabled interface. The no dhcpd enable command disables the DHCP server feature on the specified interface.
Note
When the security appliance responds to a DHCP client request, it uses the IP address and subnet mask of the interface where the request was received as the IP address and subnet mask of the default gateway in the response.
Note
Refer to the Cisco Security Appliance Command Line Configuration Guide for information on how to implement the DHCP server feature into the security appliance.
Examples
The following example shows how to use the dhcpd enable command to enable the DHCP server on the inside interface:
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 insidehostname(config)# dhcpd dns 198.162.1.2 198.162.1.3hostname(config)# dhcpd wins 198.162.1.4hostname(config)# dhcpd lease 3000hostname(config)# dhcpd ping_timeout 1000hostname(config)# dhcpd domain example.comhostname(config)# dhcpd enable insideRelated Commands
dhcpd lease
To specify the DHCP lease length, use the dhcpd lease command in global configuration mode. To restore the default value for the lease, use the no form of this command.
dhcpd lease lease_length
no dhcpd lease [lease_length]
Syntax Description
lease_length
Length of the IP address lease, in seconds, granted to the DHCP client from the DHCP server; valid values are from 300 to 1048575 seconds.
Defaults
The default lease_length is 3600 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The dhcpd lease command lets you specify the length of the lease, in seconds, that is granted to the DHCP client. This lease indicates how long the DHCP client can use the assigned IP address that the DHCP server granted.
The no dhcpd lease command lets you remove the lease length that you specified from the configuration and replaces this value with the default value of 3600 seconds.
Examples
The following example shows how to use the dhcpd lease command to specify the length of the lease of DHCP information for DHCP clients:
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 insidehostname(config)# dhcpd dns 198.162.1.2 198.162.1.3hostname(config)# dhcpd wins 198.162.1.4hostname(config)# dhcpd lease 3000hostname(config)# dhcpd ping_timeout 1000hostname(config)# dhcpd domain example.comhostname(config)# dhcpd enable insideRelated Commands
clear configure dhcpd
Removes all DHCP server settings.
show running-config dhcpd
Displays the current DHCP server configuration.
dhcpd option
To configure DHCP options, use the dhcpd option command in global configuration mode. To clear the option, use the no form of this command. You can use the dhcpd option command to provide TFTP server information to Cisco IP Phones and routers.
dhcpd option code {ascii string} | {ip IP_address [IP_address]} | {hex hex_string}
no dhcpd option code
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
When a DHCP option request arrives at the security appliance DHCP server, the security appliance places the value or values that are specified by the dhcpd option command in the response to the client.
The dhcpd option 66 and dhcpd option 150 commands specify TFTP servers that Cisco IP Phones and routers can use to download configuration files. Use the commands as follows:
•
•
Note
Use the following guidelines when specifying an IP address for the dhcpd option 66 | 150 commands:
•
•
•
For information about other DHCP options, refer to RFC2132.
Note
You cannot configure the following DHCP options with the dhcpd option command:
Examples
The following example shows how to specify a TFTP server for DHCP option 66:
hostname(config)# dhcpd option 66 ascii MyTftpServerRelated Commands
clear configure dhcpd
Removes all DHCP server settings.
show running-config dhcpd
Displays the current DHCP server configuration.
dhcpd ping_timeout
To change the default timeout for DHCP ping, use the dhcpd ping_timeout command in global configuration mode. To return to the default value, use the no form of this command. To avoid address conflicts, the DHCP server sends two ICMP ping packets to an address before assigning that address to a DHCP client. This command specifies the ping timeout in milliseconds.
dhcpd ping_timeout number
no dhcpd ping_timeout
Syntax Description
number
The timeout value of the ping, in milliseconds. The minimum value is 10, the maximum is 10000. The default is 50.
Defaults
The default number of milliseconds for number is 50.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The security appliance waits for both ICMP ping packets to time out before assigning an IP address to a DHCP client. For example, if the default value is used, the security appliance waits for 1500 milliseconds (750 milliseconds for each ICMP ping packet) before assigning an IP address.
A long ping timeout value can adversely affect the performance of the DHCP server.
Examples
The following example shows how to use the dhcpd ping_timeout command to change the ping timeout value for the DHCP server:
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 insidehostname(config)# dhcpd dns 198.162.1.2 198.162.1.3hostname(config)# dhcpd wins 198.162.1.4hostname(config)# dhcpd lease 3000hostname(config)# dhcpd ping_timeout 1000hostname(config)# dhcpd domain example.comhostname(config)# dhcpd enable insideRelated Commands
clear configure dhcpd
Removes all DHCP server settings.
show running-config dhcpd
Displays the current DHCP server configuration.
dhcpd wins
To define the WINS servers for DHCP clients, use the dhcpd wins command in global configuration mode. To remove the WINS servers from the DHCP server, use the no form of this command.
dhcpd wins server1 [server2]
no dhcpd wins [server1 [server2]]
Syntax Description
server1
Specifies the IP address of the primary Microsoft NetBIOS name server (WINS server).
server2
(Optional) Specifies the IP address of the alternate Microsoft NetBIOS name server (WINS server).
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The dhcpd wins command lets you specify the addresses of the WINS servers for the DHCP client. The no dhcpd wins command removes the WINS server IP addresses from the configuration.
Examples
The following example shows how to use the dhcpd wins command to specify WINS server information that is sent to DHCP clients:
hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 insidehostname(config)# dhcpd dns 198.162.1.2 198.162.1.3hostname(config)# dhcpd wins 198.162.1.4hostname(config)# dhcpd lease 3000hostname(config)# dhcpd ping_timeout 1000hostname(config)# dhcpd domain example.comhostname(config)# dhcpd enable insideRelated Commands
dhcprelay enable
To enable the DHCP relay agent, use the dhcprelay enable command in global configuration mode. To disable DHCP relay agent, use the no form of this command. The DHCP relay agent allows DHCP requests to be forwarded from a specified security appliance interface to a specified DHCP server.
dhcprelay enable interface_name
no dhcprelay enable interface_name
Syntax Description
Defaults
The DHCP relay agent is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
For the security appliance to start the DHCP relay agent with the dhcprelay enable interface_name command, you must have a dhcprelay server command already in the configuration. Otherwise, the security appliance displays an error message similar to the following:
DHCPRA: Warning - There are no DHCP servers configured!No relaying can be done without a server!Use the 'dhcprelay server <server_ip> <server_interface>' commandYou cannot enable DHCP relay under the following conditions:
•
•
•
•
The no dhcprelay enable interface_name command removes the DHCP relay agent configuration for the interface that is specified by interface_name only.
Examples
The following example shows how to configure the DHCP relay agent for a DHCP server with an IP address of 10.1.1.1 on the outside interface of the security appliance, client requests on the inside interface of the security appliance, and a timeout value up to 90 seconds:
hostname(config)# dhcprelay server 10.1.1.1 outsidehostname(config)# dhcprelay timeout 90hostname(config)# dhcprelay enable insidehostname(config)# show running-config dhcprelaydhcprelay server 10.1.1.1 outsidedhcprelay enable insidedhcprelay timeout 90The following example shows how to disable the DHCP relay agent:
hostname(config)# no dhcprelay enable insidehostname(config)# show running-config dhcprelaydhcprelay server 10.1.1.1 outsidedhcprelay timeout 90Related Commands
dhcprelay server
To specify the DHCP server that DHCP requests are forwarded to, use the dhcpreplay server command in global configuration mode. To remove the DHCP server from the DHCP relay configuration, use the no form of this command. The DHCP relay agent allows DHCP requests to be forwarded from a specified security appliance interface to a specified DHCP server.
dhcprelay server IP_address interface_name
no dhcprelay server IP_address [interface_name]
Syntax Description
interface_name
Name of the security appliance interface on which the DHCP server resides.
IP_address
The IP address of the DHCP server to which the DHCP relay agent forwards client DHCP requests.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
You can add up to four DHCP relay servers per interface. You must add at least one dhcprelay server command to the security appliance configuration before you can enter the dhcprelay enable command. You cannot configure a DHCP client on an interface that has a DHCP relay server configured.
The dhcprelay server command opens UDP port 67 on the specified interface and starts the DHCP relay task as soon as the dhcprelay enable command is added to the configuration. If there is no dhcprelay enable command in the configuration, then the sockets are not opened and the DHCP relay task does not start.
When you use the no dhcprelay server IP_address [interface_name] command, the interface stops forwarding DHCP packets to that server.
The no dhcprelay server IP_address [interface_name] command removes the DHCP relay agent configuration for the DHCP server that is specified by IP_address [interface_name] only.
Examples
The following example shows how to configure the DHCP relay agent for a DHCP server with an IP address of 10.1.1.1 on the outside interface of the security appliance, client requests on the inside interface of the security appliance, and a timeout value up to 90 seconds:
hostname(config)# dhcprelay server 10.1.1.1 outsidehostname(config)# dhcprelay timeout 90hostname(config)# dhcprelay enable insidehostname(config)# show running-config dhcprelaydhcprelay server 10.1.1.1 outsidedhcprelay enable insidedhcprelay timeout 90Related Commands
dhcprelay setroute
To set the default gateway address in the DHCP reply, use the dhcprelay setroute command in global configuration mode. To remove the default router, use the no form of this command. This command causes the default IP address of the DHCP reply to be substituted with the address of the specified security appliance interface.
dhcprelay setroute interface
no dhcprelay setroute interface
Syntax Description
interface
Configures the DHCP relay agent to change the first default IP address (in the packet sent from the DHCP server) to the address of interface.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
The dhcprelay setroute interface command lets you enable the DHCP relay agent to change the first default router address (in the packet sent from the DHCP server) to the address of interface.
If there is no default router option in the packet, the security appliance adds one containing the address of interface. This action allows the client to set its default route to point to the security appliance.
When you do not configure the dhcprelay setroute interface command (and there is a default router option in the packet), it passes through the security appliance with the router address unaltered.
Examples
The following example shows how to use the dhcprelay setroute command to set the default gateway in the DHCP reply from the external DHCP server to the inside interface of the security appliance:
hostname(config)# dhcprelay server 10.1.1.1 outsidehostname(config)# dhcprelay timeout 90hostname(config)# dhcprelay setroute insidehostname(config)# dhcprelay enable insideRelated Commands
dhcprelay timeout
To set the DHCP relay agent timeout value, use the dhcprelay timeout command in global configuration mode. To restore the timeout value to its default value, use the no form of this command.
dhcprelay timeout seconds
no dhcprelay timeout
Syntax Description
Defaults
The default value for the dhcprelay timeout is 60 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
The dhcprelay timeout command lets you set the amount of time, in seconds, allowed for responses from the DHCP server to pass to the DHCP client through the relay binding structure.
Examples
The following example shows how to configure the DHCP relay agent for a DHCP server with an IP address of 10.1.1.1 on the outside interface of the security appliance, client requests on the inside interface of the security appliance, and a timeout value up to 90 seconds:
hostname(config)# dhcprelay server 10.1.1.1 outsidehostname(config)# dhcprelay timeout 90hostname(config)# dhcprelay enable insidehostname(config)# show running-config dhcprelaydhcprelay server 10.1.1.1 outsidedhcprelay enable insidedhcprelay timeout 90Related Commands
dialog
To customize dialog messages displayed to WebVPN users, use the dialog command from webvpn customization mode:
dialog {title | message | border} style value
[no] dialog {title | message | border} style value
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
Defaults
The default title style is background-color:#669999;color:white.
The default message style is background-color:#99CCCC;color:black.
The default border style is border:1px solid black;border-collapse:collapse.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn customization
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
The following example customizes the dialog message, changing the foreground color to blue:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# dialog message style color:blueRelated Commands
dir
To display the directory contents, use the dir command in privileged EXEC mode.
dir [/all] [all-filesystems] [/recursive] [flash: | system:] [path]
Syntax Description
Defaults
If you do not specify a directory, the directory is the current working directory by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The dir command without keywords or arguments displays the directory contents of the current directory.
Examples
The following example shows how to display the directory contents:
hostname# dirDirectory of disk0:/1 -rw- 1519 10:03:50 Jul 14 2003 my_context.cfg2 -rw- 1516 10:04:02 Jul 14 2003 my_context.cfg3 -rw- 1516 10:01:34 Jul 14 2003 admin.cfg60985344 bytes total (60973056 bytes free)This example shows how to display recursively the contents of the entire file system:
hostname# dir /recursive disk0:Directory of disk0:/*1 -rw- 1519 10:03:50 Jul 14 2003 my_context.cfg2 -rw- 1516 10:04:02 Jul 14 2003 my_context.cfg3 -rw- 1516 10:01:34 Jul 14 2003 admin.cfg60985344 bytes total (60973056 bytes free)Related Commands
cd
Changes the current working directory to the one specified.
pwd
Displays the current working directory.
mkdir
Creates a directory.
rmdir
Removes a directory.
disable
To exit privileged EXEC mode and return to unprivileged EXEC mode, use the disable command in privileged EXEC mode.
disable
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
Use the enable command to enter privileged mode. The disable command allows you to exit privileged mode and returns you to unprivileged mode.
Examples
The following example shows how to enter privileged mode:
hostname>enablehostname#The following example shows how to exit privileged mode:
hostname#disablehostname>Related Commands
disable (cache)
To disable caching for WebVPN, use the disable command in cache mode. To reenable caching, use the no version of the command
disable
no disable
Defaults
Caching is enabled with default settings for each cache attribute.
Command Modes
The following table shows the modes in which you enter the command:
Cache mode
•
—
•
—
—
Command History
Usage Guidelines
Caching stores frequently reused objects in the system cache, which reduces the need to perform repeated rewriting and compressing of content. It reduces traffic between WebVPN and both the remote servers and end-user browsers, with the result that many applications run much more efficiently.
Examples
The following example shows how to disable caching, and how to then reenable it.
hostname(config)#webvpnhostname(config-webvpn)#cachehostname(config-webvpn-cache)# disablehostname(config-webvpn-cache)# no disablehostname(config-webvpn-cache)#Related Commands
distance ospf
To define OSPF route administrative distances based on route type, use the distance ospf command in router configuration mode. To restore the default values, use the no form of this command.
distance ospf [intra-area d1] [inter-area d2] [external d3]
no distance ospf
Syntax Description
Defaults
The default values for d1, d2, and d3 are 110.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
You must specify at least one keyword and argument. You can enter the commands for each type of administrative distance separately, however they appear as a single command in the configuration. If you reenter an administrative distance, the administrative distance for only that route type changes; the administrative distances for any other route types remain unaffected.
The no form of the command does not take any keywords or arguments. Using the no form of the command restores the default administrative distance for all of the route types. If you want to restore the default administrative distance for a single route type when you have multiple route types configured, you can do one of the following:
•
•
Examples
The following example sets the administrative distance of external routes to 150:
hostname(config-router)# distance ospf external 105hostname(config-router)#The following example shows how entering separate commands for each route type appears as a single command in the router configuration:
hostname(config-router)# distance ospf intra-area 105 inter-area 105hostname(config-router)# distance ospf intra-area 105hostname(config-router)# distance ospf external 105hostname(config-router)# exithostname(config)# show running-config router ospf 1!router ospf 1distance ospf intra-area 105 inter-area 105 external 105!hostname(config)#The following example shows how to set each administrative distance to 105, and then change only the external administrative distance to 150. The show running-config router ospf command shows how only the external route type value changed, while the other route types retained the value previously set.
hostname(config-router)# distance ospf external 105 intra-area 105 inter-area 105hostname(config-router)# distance ospf external 150hostname(config-router)# exithostname(config)# show running-config router ospf 1!router ospf 1distance ospf intra-area 105 inter-area 105 external 150!hostname(config)#Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
dns domain-lookup
To enable the security appliance to send DNS requests to a DNS server to perform a name lookup for supported commands, use the dns domain-lookup command in global configuration mode. To disable DNS lookup, use the no form of this command.
dns domain-lookup interface_name
no dns domain-lookup interface_name
Syntax Description
Defaults
DNS lookup is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the dns name-server command to configure the DNS server addresses to which you want to send DNS requests. See the dns name-server command for a list of commands that support DNS lookup.
The security appliance maintains a cache of name resolutions that consists of dynamically learned entries. Instead of making queries to external DNS servers each time an hostname-to-IP-address translation is needed, the security appliance caches information returned from external DNS requests. The security appliance only makes requests for names that are not in the cache. The cache entries time out automatically according to the DNS record expiration, or after 72 hours, whichever comes first.
Examples
The following example enables DNS lookup on the inside interface:
hostname(config)# dns domain-lookup insideRelated Commands
dns-group (tunnel-group webvpn configuration mode)
To specify the DNS server to use for a WebVPN tunnel-group, use the dns-group command in tunnel-group webvpn configuration mode. To restore the default DNS group, use the no form of this command.
dns-group name
no dns-group
Syntax Description
Defaults
The default value is DefaultDNS.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group webvpn-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
The name can specify any DNS group. The dns-group command resolves the hostname to the appropriate DNS server for the tunnel group.
You configure the DNS group using the dns server-group command.
Examples
The following example shows a customization command that specifies the use of the DNS group named "dnsgroup1":
hostname(config)# tunnel-group test type webvpnhostname(config)# tunnel-group test webvpn-attributeshostname(config-tunnel-webvpn)# dns-group dnsgroup1hostname(config-tunnel-webvpn)#Related Commands
dns name-server
To identify one or more DNS servers, use the dns name-server command in global configuration mode. To remove a server, use the no form of this command. The security appliance uses DNS to resolve server names in your WebVPN configuration or certificate configuration (see "Usage Guidelines" for a list of supported commands). Other features that define server names (such as AAA) do not support DNS resolution. You must enter the IP address or manually resolve the name to an IP address by using the name command.
dns name-server ip_address [ip_address2] [...] [ip_address6]
no dns name-server ip_address [ip_address2] [...] [ip_address6]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced.
7.1(1)
This command is deprecated. The name-server command in dns-server-group configuration mode replaces it.
Usage Guidelines
To enable DNS lookup, configure the domain-name command in dns-server-group configuration mode. If you do not enable DNS lookup, the DNS servers are not used.
WebVPN commands that support DNS resolution include the following:
•
•
•
•
•
Certificate commands that support DNS resolution include the following:
•
•
You can manually enter names and IP addresses using the name command.
See the retries command to set how many times the security appliance tries the list of DNS servers.
Examples
The following example adds three DNS servers:
hostname(config)# dns name-server 10.1.1.1 10.2.3.4 192.168.5.5The security appliance saves the configuration as separate commands, as follows:
dns name-server 10.1.1.1dns name-server 10.2.3.4dns name-server 192.168.5.5To add two additional servers, you can enter them as one command:
hostname(config)# dns name-server 10.5.1.1 10.8.3.8hostname(config)# show running-config dnsdns name-server 10.1.1.1dns name-server 10.2.3.4dns name-server 192.168.5.5dns name-server 10.5.1.1dns name-server 10.8.3.8...Or you can enter them as two commands:
hostname(config)# dns name-server 10.5.1.1hostname(config)# dns name-server 10.8.3.8To delete multiple servers you can enter them as multiple commands or as one command, as follows:
hostname(config)# no dns name-server 10.5.1.1 10.8.3.8Related Commands
dns retries
To specify the number of times to retry the list of DNS servers when the security appliance does not receive a response, use the dns retries command in global configuration mode. To restore the default setting, use the no form of this command.
dns retries number
no dns retries [number]
Syntax Description
Defaults
The default number of retries is 2.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced.
7.1(1)
This command was deprecated for WebVPN connections.
Usage Guidelines
Add DNS servers using the dns name-server command.
Examples
The following example sets the number of retries to 0. The security appliance only tries each server one time.
hostname(config)# dns retries 0hostname(config)#Related Commands
dns-server
To set the IP address of the primary and secondary DNS servers, use the dns-server command in group-policy mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a DNS server from another group policy. To prevent inheriting a server, use the dns-server none command.
dns-server {value ip_address [ip_address] | none}
no dns-server
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Command History
Usage Guidelines
Every time you issue the dns-server command you overwrite the existing setting. For example, if you configure DNS server x.x.x.x and then configure DNS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole DNS server. The same holds true for multiple servers. To add a DNS server rather than overwrite previously configured servers, include the IP addresses of all DNS servers when you enter this command.
Examples
The following example shows how to configure DNS servers with the IP addresses 10.10.10.15, 10.10.10.30, and 10.10.10.45 for the group policy named FirstGroup.
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#dns-server value 10.10.10.15 10.10.10.30 10.10.10.45dns server-group
To enter the dns server-group mode, in which you can specify the domain-name, name-server, number of retries, and timeout values for a DNS server to use for a tunnel-group, use the dns server-group command in global configuration mode. To remove a particular DNS server group, use the no form of this command.
dns server -group name
no dns server-group
Syntax Description
Defaults
The default value is DefaultDNS.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The name can specify any DNS group. You configure the DNS group using the dns server-group command.
Examples
The following example configures a DNS server group named "eval":
hostname(config)# dns server-group evalhostname(config-dns-server-group)# domain-name cisco.comhostname(config-dns-server-group)# name-server 192.168.10.10hostname(config-dns-server-group)# retries 5hostname(config-dns-server-group)# timeout 7hostname(config-dns-server-group)#Related Commands
clear configure dns
Removes all DNS commands.
show running-config dns server-group
Shows the current running DNS server-group configuration.
dns timeout
To specify the amount of time to wait before trying the next DNS server, use the dns timeout command in global configuration mode. To restore the default timeout, use the no form of this command.
dns timeout seconds
no dns timeout [seconds]
Syntax Description
Defaults
The default timeout is 2 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example sets the timeout to 1 second:
hostname(config)# dns timeout 1Related Commands
domain-name
To set the default domain name, use the domain-name command in global configuration mode. To remove the domain name, use the no form of this command. The security appliance appends the domain name as a suffix to unqualified names. For example, if you set the domain name to "example.com," and specify a syslog server by the unqualified name of "jupiter," then the security appliance qualifies the name to "jupiter.example.com."
domain-name name
no domain-name [name]
Syntax Description
Defaults
The default domain name is default.domain.invalid.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
For multiple context mode, you can set the domain name for each context, as well as within the system execution space.
Examples
The following example sets the domain as example.com:
hostname(config)# domain-name example.comRelated Commands
downgrade
To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode.
Caution
downgrade image_url [activation-key [flash | 4-part_key | file]] [config start_config_url]
Syntax Description
Defaults
If the activation-key keyword is not specified, the security appliance tries to use the last four-part activation key used. If the security appliance cannot find a four-part activation key in Flash, the command is rejected and an error message displays. In this case, a valid four-part activation-key must be specified at the command line next time. The default activation key or the user specified activation key is compared with the activation key currently in effect. If there is a potential loss of features by using the chosen activation key, a warning displays with the list of features that could be lost after downgrade.
The security appliance uses downgrade.cfg by default if the startup configuration file is not specified.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
Command History
Usage Guidelines
This command is available only on Cisco PIX Firewall series security appliances running software Release 7.0(1) and later.
Caution
Recovering corrupt Flash memory requires direct console access. See the format command for more information.
Examples
The following example downgrades the software to Release 6.3.3:
hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.6.3.3 activation-key 32c261f3 062afe24 c94ef2ea 0e299a3fThis command will reformat the flash and automatically reboot the system.Do you wish to continue? [confirm]Buffering image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Buffering startup configAll items have been buffered successfully.If the flash reformat is interrupted or fails, data in flash will be lostand the system might drop to monitor mode.Do you wish to continue? [confirm]Installing the correct file system for the image and saving the buffered data!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Flash downgrade succeededRebooting....Enter zero actkey:The following example shows what happens if you enter an invalid activation key:
hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.6.3.3 activation-key0 0 0 0This command will reformat the flash and automatically reboot the system.Do you wish to continue? [confirm]Buffering image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Error: activation key entered is invalid.Enter the file option when there is no actkey in the source image (happens if the source is in tftp server).The following example shows what happens if you specify the activation key in the source image and it does not exist:
hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.6.3.3 activation-key fileThis command will reformat the flash and automatically reboot the system.Do you wish to continue? [confirm]Buffering image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Activation key does not exist in the source image.Please use the activation-key option to specify an activation key.The following example shows how to abort the downgrade procedure at the final prompt:
hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.6.3.3This command will reformat the flash and automatically reboot the system.Do you wish to continue? [confirm]Buffering image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Buffering startup configAll items have been buffered successfully.If the flash reformat is interrupted or fails, data in flash will be lostand the system might drop to monitor mode.Do you wish to continue? [confirm] ===<typed n here>Downgrade process terminated.To downgrade, the software version must be less than 7.0. The following example shows a failed attempt at downgrading the software:
hostname# downgrade tftp://17.13.2.25//scratch/views/test/target/sw/cdiskThis command will reformat the flash and automatically reboot the system.Do you wish to continue? [confirm]Buffering image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Error: Need to use an image with version less than 7-0-0-0.The following example shows what happens if you specify an image and do not verify the activation key:
hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.4.4.1-relThis command will reformat the flash and automatically reboot the system.Do you wish to continue? [confirm]Buffering image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Image checksum has not been verified !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Warning: Activation key not verified.Key 32c261f3 633fe24 c94ef2ea e299a3f might be incompatible with the image version4-4-1-0.Do you wish to continue? [confirm]Downgrade process terminated.Please enter an activation-key in the command line.The following example shows what happens if the four-part activation key does not have all the features that the current five-part activation key has:
hostname# downgrade tftp://17.13.2.25//tftpboot/mananthr/cdisk.6.3.3This command will reformat the flash and automatically reboot the system.Do you wish to continue? [confirm]Buffering image!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!The following features available in current activation key in flashare NOT available in 4 tuple activation key in flash:VPN-3DES-AESGTP/GPRS5 Security ContextsFailover is different:current activation key in flash: UR(estricted)4 tuple activation key in flash: R(estricted)Some features might not work in the downgraded image if this key is used.Do you wish to continue? [confirm]Downgrade process terminated.Please enter an activation-key in the command line.Related Commands
copy running-config startup-config
Saves the current running configuration to Flash memory.
drop
To drop specified GTP messages, use the drop command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form to remove the command.
drop {apn access_point_name | message message_id | version version}
no drop {apn access_point_name | message message_id | version version}
Syntax Description
Defaults
All messages with valid message IDs, APNs, and version are inspected.
Any APN is allowed.
Command Modes
The following table shows the modes in which you can enter the command:
GTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the drop message command to drop specific GTP messages that you do not want to allow in your network.
Use the drop apn command to drop GTP messages with the specified access point. Use the drop version command to drop GTP messages with the specified version.
Examples
The following example drops traffic to message ID 20:
hostname(config)# gtp-map qtp-policyhostname(config-gtpmap)# drop message 20Related Commands
duplex
To set the duplex of a copper (RJ-45) Ethernet interface, use the duplex command in interface configuration mode. To restore the duplex setting to the default, use the no form of this command.
duplex {auto | full | half}
no duplex
Syntax Description
auto
Auto-detects the duplex mode.
full
Sets the duplex mode to full duplex.
half
Sets the duplex mode to half duplex.
Defaults
The default is auto detect.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
•
Command History
7.0(1)
This command was moved from a keyword of the interface command to an interface configuration mode command.
Usage Guidelines
Set the duplex mode on the physical interface only.
The duplex command is not available for fiber media.
If your network does not support auto detection, set the duplex mode to a specific value.
For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.
Examples
The following example sets the duplex mode to full duplex:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# speed 1000hostname(config-if)# duplex fullhostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownRelated Commands
