-
Cisco Security Appliance Command Reference, Version 7.1
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting through accounting-server-group
-
acl-netmask-convert through auto-update timeout Commands
-
backup-servers through browse networks Commands
-
cache through clear compression Commands
-
clear configure through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
debug aaa through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
interface-dhcp through issuer-name Commands
-
join-failover-group through kill Commands
-
ldap-attribute-map through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
page style through pwd Commands
-
queue-limit through routerospf Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show debug through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show webvpn svc Commands
-
shun through sysopt uauth allow-http-cache Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Feedback
Table Of Contents
interface-dhcp through issuer-name Commands
interface (vpn load-balancing)
interface-dhcp through issuer-name Commands
intercept-dhcp
To enable DHCP Intercept, use the intercept-dhcp enable command in group-policy configuration mode. To disable DHCP Intercept, use the intercept-dhcp disable command.
To remove the intercept-dhcp attribute from the running configuration, use the no intercept-dhcp command. This lets users inherit a DHCP Intercept configuration from the default or other group policy.
DHCP Intercept lets Microsoft XP clients use split-tunneling with the security appliance. The security appliance replies directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP address. For Windows clients prior to XP, DHCP Intercept provides the domain name and subnet mask. This is useful in environments in which using a DHCP server is not advantageous
intercept-dhcp netmask {enable | disable}
no intercept-dhcp
Syntax Description
disable
Disables DHCP Intercept.
enable
Enables DHCP Intercept.
netmask
Provides the subnet mask for the tunnel IP address.
Defaults
DHCP Intercept is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
A Microsoft XP anomaly results in the corruption of domain names if split tunnel options exceed 255 bytes. To avoid this problem, the security appliance limits the number of routes it sends to 27 to 40 routes, with the number of routes dependent on the classes of the routes.
Examples
The following example shows how to set DHCP Intercept S for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# intercept-dhcp enableinterface
To configure an interface and enter interface configuration mode, use the interface command in global configuration mode. To create a logical subinterface, use the .subinterface argument. To remove a subinterface, use the no form of this command; you cannot remove a physical interface. In interface configuration mode, you can configure hardware settings, assign a name, assign a VLAN, assign an IP address, and configure many other settings.
interface {physical_interface[.subinterface] | mapped_name}
no interface physical_interface.subinterface
Syntax Description
Defaults
By default, the security appliance automatically generates interface commands for all physical interfaces.
In multiple context mode, the security appliance automatically generates interface commands for all interfaces allocated to the context using the allocate-interface command.
All physical interfaces are shut down by default. Allocated interfaces in contexts are not shut down in the configuration.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
7.0(1)
This command was modified to allow for new subinterface naming conventions and to change arguments to be separate commands under interface configuration mode.
Usage Guidelines
By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.
For an enabled interface to pass traffic, configure the following interface configuration mode commands: nameif, and, for routed mode, ip address. For subinterfaces, configure the vlan command. The security level is 0 (lowest) by default. See the security-level command for default levels for some interfaces or to change from the default of 0 so interfaces can communicate with each other.
The ASA adaptive security appliance includes a dedicated management interface called Management 0/0, which is meant to support traffic to the security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.
Note
If you change interface settings, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
You cannot delete the physical interfaces using the no form of the interface command, nor can you delete the allocated interfaces within a context.
In multiple context mode, you configure physical parameters, subinterfaces, and VLAN assignments in the system configuration only. You configure other parameters in the context configuration only.
Examples
The following example configures parameters for the physical interface in single mode:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# speed 1000hostname(config-if)# duplex fullhostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownThe following example configures parameters for a subinterface in single mode:
hostname(config)# interface gigabitethernet0/1.1hostname(config-subif)# vlan 101hostname(config-subif)# nameif dmz1hostname(config-subif)# security-level 50hostname(config-subif)# ip address 10.1.2.1 255.255.255.0hostname(config-subif)# no shutdownThe following example configures interface parameters in multiple context mode for the system configuration, and allocates the gigabitethernet 0/1.1 subinterface to contextA:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# speed 1000hostname(config-if)# duplex fullhostname(config-if)# no shutdownhostname(config-if)# interface gigabitethernet0/1.1hostname(config-subif)# vlan 101hostname(config-subif)# no shutdownhostname(config-subif)# context contextAhostname(config-ctx)# ...hostname(config-ctx)# allocate-interface gigabitethernet0/1.1The following example configures parameters in multiple context mode for the context configuration:
hostname/contextA(config)# interface gigabitethernet0/1.1hostname/contextA(config-if)# nameif insidehostname/contextA(config-if)# security-level 100hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0hostname/contextA(config-if)# no shutdownRelated Commands
interface (vpn load-balancing)
To specify a non-default public or private interface for VPN load-balancing in the VPN load-balancing virtual cluster, use the interface command in vpn load-balancing mode. To remove the interface specification and revert to thte default interface, use the no form of this command.
interface {lbprivate | lbpublic} interface-name]
no interface {lbprivate | lbpublic}
Syntax Description
Defaults
If you omit the interface command, the lbprivate interface defaults to inside, and the lbpublic interface defaults to outside.
Command Modes
The following table shows the modes in which you can enter the command:
vpn load-balancing
•
—
•
—
—
Command History
Usage Guidelines
You must have first used the vpn load-balancing command to enter vpn load-balancing mode.
You must also have previously used the interface, ip address and nameif commands to configure and assign a name to the interface that you are specifying in this command.
The no form of this command reverts the interface to its default.
Examples
The following is an example of a vpn load-balancing command sequence that includes an interface command that specifies the public interface of the cluster as "test" one that reverts the private interface of the cluster to the default (inside):
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# no interface lbprivatehostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# participateRelated Commandshostname(config-load-balancing)# participate
interface-policy
To specify the policy for failover when monitoring detects an interface failure, use the interface-policy command in failover group configuration mode. To restore the default values, use the no form of this command.
interface-policy num[%]
no interface-policy num[%]
Syntax Description
num
Specifies a number from 1 to 100 when used as a percentage, or 1 to the maximum number of interfaces.
%
(Optional) Specifies that the number num is a percentage of the monitored interfaces.
Defaults
If the failover interface-policy command is configured for the unit, then the default for the interface-policy failover group command assumes that value. If not, then num is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
There is no space between the num argument and the optional % keyword.
If the number of failed interfaces meets the configured policy and the other security appliance is functioning properly, the security appliance will mark itself as failed and a failover may occur (if the active security appliance is the one that fails). Only interfaces that are designated as monitored by the monitor-interface command count towards the policy.
Examples
The following partial example shows a possible configuration for a failover group:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# interface-policy 25%hostname(config-fover-group)# exithostname(config)#Related Commands
ip-address
To include the security appliance IP address in the certificate during enrollment, use the ip-addr command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.
ip-address ip-address
no ip-address
Syntax Description
Defaults
The default setting is to not include the IP address.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
—
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the security appliance IP address in the enrollment request for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# ip-address 209.165.200.225Related Commands
Enters trustpoint configuration mode.
Returns enrollment parameters to their defaults.
ip address
To set the IP address for an interface (in routed mode) or for the management address (transparent mode), use the ip address command. For routed mode, enter this command in interface configuration mode. In transparent mode, enter this command in global configuration mode. To remove the IP address, use the no form of this command. This command also sets the standby address for failover.
ip address ip_address [mask] [standby ip_address]
no ip address [ip_address]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Global configuration
—
•
•
•
—
Command History
7.0(1)
For routed mode, this command was changed from a global configuration command to an interface configuration mode command.
Usage Guidelines
In single context routed firewall mode, each interface address must be on a unique subnet. In multiple context mode, if this interface is on a shared interface, then each IP address must be unique but on the same subnet. If the interface is unique, this IP address can be used by other contexts if desired.
A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address. This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access. This address must be on the same subnet as the upstream and downstream routers. For multiple context mode, set the management IP address within each context.
The standby IP address must be on the same subnet as the main IP address.
Examples
The following example sets the IP addresses and standby addresses of two interfaces:
hostname(config)# interface gigabitethernet0/2hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2hostname(config-if)# no shutdownhostname(config-if)# interface gigabitethernet0/3hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2hostname(config-if)# no shutdownThe following example sets the management address and standby address of a transparent firewall:
hostname(config)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2Related Commands
Configures an interface and enters interface configuration mode.
Sets the interface to obtain an IP address from a DHCP server.
Shows the IP address assigned to an interface.
ip address dhcp
To use DHCP to obtain an IP address for an interface, use the ip address dhcp command in interface configuration mode. To disable the DHCP client for this interface, use the no form of this command.
ip address dhcp [setroute]
no ip address dhcp
Syntax Description
setroute
(Optional) Allows the security appliance to use the default route supplied by the DHCP server.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
Reenter this command to reset the DHCP lease and request a new lease.
You cannot set this command at the same time as the ip address command.
If you enable the setroute option, do not configure a default route using the route command.
If you do not enable the interface using the no shutdown command before you enter the ip address dhcp command, some DHCP requests might not be sent.
Examples
The following example enables DHCP on the gigabitethernet0/1 interface:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# no shutdownhostname(config-if)# ip address dhcpRelated Commands
ip audit attack
To set the default actions for packets that match an attack signature, use the ip audit attack command in global configuration mode. To restore the default action (to reset the connection), use the no form of this command. You can specify multiple actions, or no actions.
ip audit attack [action [alarm] [drop] [reset]]
no ip audit attack
Syntax Description
Defaults
The default action is to send and alarm.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
You can override the action you set with this command when you configure an audit policy using the ip audit name command. If you do not specify the action in the ip audit name command, then the action you set with this command is used.
For a list of signatures, see the ip audit signature command.
Examples
The following example sets the default action to alarm and reset for packets that match an attack signature. The audit policy for the inside interface overrides this default to be alarm only, while the policy for the outside interface uses the default setting set with the ip audit attack command.
hostname(config)# ip audit attack action alarm resethostname(config)# ip audit name insidepolicy attack action alarmhostname(config)# ip audit name outsidepolicy attackhostname(config)# ip audit interface inside insidepolicyhostname(config)# ip audit interface outside outsidepolicyRelated Commands
ip audit info
To set the default actions for packets that match an informational signature, use the ip audit info command in global configuration mode. To restore the default action (to generate an alarm), use the no form of this command. You can specify multiple actions, or no actions.
ip audit info [action [alarm] [drop] [reset]]
no ip audit info
Syntax Description
Defaults
The default action is to generate an alarm.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
You can override the action you set with this command when you configure an audit policy using the ip audit name command. If you do not specify the action in the ip audit name command, then the action you set with this command is used.
For a list of signatures, see the ip audit signature command.
Examples
The following example sets the default action to alarm and reset for packets that match an informational signature. The audit policy for the inside interface overrides this default to be alarm and drop, while the policy for the outside interface uses the default setting set with the ip audit info command.
hostname(config)# ip audit info action alarm resethostname(config)# ip audit name insidepolicy info action alarm drophostname(config)# ip audit name outsidepolicy infohostname(config)# ip audit interface inside insidepolicyhostname(config)# ip audit interface outside outsidepolicyRelated Commands
ip audit interface
To assign an audit policy to an interface, use the ip audit interface command in global configuration mode. To remove the policy from the interface, use the no form of this command.
ip audit interface interface_name policy_name
no ip audit interface interface_name policy_name
Syntax Description
interface_name
Specifies the interface name.
policy_name
The name of the policy you added with the ip audit name command. You can assign an info policy and an attack policy to each interface.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example applies audit policies to the inside and outside interfaces:
hostname(config)# ip audit name insidepolicy1 attack action alarmhostname(config)# ip audit name insidepolicy2 info action alarmhostname(config)# ip audit name outsidepolicy1 attack action resethostname(config)# ip audit name outsidepolicy2 info action alarmhostname(config)# ip audit interface inside insidepolicy1hostname(config)# ip audit interface inside insidepolicy2hostname(config)# ip audit interface outside outsidepolicy1hostname(config)# ip audit interface outside outsidepolicy2Related Commands
ip audit name
To create a named audit policy that identifies the actions to take when a packet matches a predefined attack signature or informational signature, use the ip audit name command in global configuration mode. Signatures are activities that match known attack patterns. For example, there are signatures that match DoS attacks. To remove the policy, use the no form of this command.
ip audit name name {info | attack} [action [alarm] [drop] [reset]]
no ip audit name name {info | attack} [action [alarm] [drop] [reset]]
Syntax Description
Defaults
If you do not change the default actions using the ip audit attack and ip audit info commands, then the default action for attack signatures and informational signatures is to generate an alarm.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
To apply the policy, assign it to an interface using the ip audit interface command. You can assign an info policy and an attack policy to each interface.
For a list of signatures, see the ip audit signature command.
If traffic matches a signature, and you want to take action against that traffic, use the shun command to prevent new connections from the offending host and to disallow packets from any existing connection.
Examples
The following example sets an audit policy for the inside interface to generate an alarm for attack and informational signatures, while the policy for the outside interface resets the connection for attacks:
hostname(config)# ip audit name insidepolicy1 attack action alarmhostname(config)# ip audit name insidepolicy2 info action alarmhostname(config)# ip audit name outsidepolicy1 attack action resethostname(config)# ip audit name outsidepolicy2 info action alarmhostname(config)# ip audit interface inside insidepolicy1hostname(config)# ip audit interface inside insidepolicy2hostname(config)# ip audit interface outside outsidepolicy1hostname(config)# ip audit interface outside outsidepolicy2Related Commands
ip audit signature
To disable a signature for an audit policy, use the ip audit signature command in global configuration mode. To reenable the signature, use the no form of this command. You might want to disable a signature if legitimate traffic continually matches a signature, and you are willing to risk disabling the signature to avoid large numbers of alarms.
ip audit signature signature_number disable
no ip audit signature signature_number
Syntax Description
signature_number
Specifies the signature number to disable. See Table 16-1 for a list of supported signatures.
disable
Disables the signature.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Table 16-1 lists supported signatures and system message numbers.
Examples
The following example disables signature 6100:
hostname(config)# ip audit signature 6100 disableRelated Commands
ip-comp
To enable LZS IP compression, use the ip-comp enable command in group-policy configuration mode. To disable IP compression, use the ip-comp disable command.
To remove the ip-comp attribute from the running configuration, use the no form of this command. This enables inheritance of a value from another group policy.
ip-comp {enable | disable}
no ip-comp
Syntax Description
Defaults
IP compression is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
Enabling data compression might speed up data transmission rates for remote dial-in users connecting with modems.
Caution
Examples
The following example shows how to enable IP compression for the group policy named "FirstGroup":
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ip-comp enableip local pool
To configure IP address pools to be used for VPN remote access tunnels, use the ip local pool command in global configuration mode. To delete address pools, use the no form of this command.
ip local pool poolname first-address—last-address [mask mask]
no ip local pool poolname
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
You must supply the mask value when the IP addresses assigned to VPN clients belong to a non-standard network and the data could be routed incorrectly if you use the default mask. A typical example is when the IP local pool contains 10.10.10.0/255.255.255.0 addresses, since this is a Class A network by default. This could cause some routing issues when the VPN client needs to access different subnets within the 10 network over different interfaces. For example, if a printer, address 10.10.100.1/255.255.255.0 is available via interface 2, but the 10.10.10.0 network is available over the VPN tunnel and therefore interface 1, the VPN client would be confused as to where to route data destined for the printer. Both the 10.10.10.0 and 10.10.100.0 subnets fall under the 10.0.0.0 Class A network so the printer data may be sent over the VPN tunnel.
Examples
The following example configures an IP address pool named firstpool. The starting address is 10.20.30.40 and the ending address is 10.20.30.50. The network mask is 255.255.255.0.
hostname(config)# ip local pool firstpool 10.20.30.40-10.20.30.50 mask 255.255.255.0Related Commands
Removes all ip local pools.
Displays the ip pool configuration. To specify a specific IP address pool, include the name in the command.
ip-phone-bypass
To enable IP Phone Bypass, use the ip-phone-bypass enable command in group-policy configuration mode. To disable IP Phone Bypass, use the ip-phone-bypass disable command. To remove the IP phone Bypass attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for IP Phone Bypass from another group policy.
IP Phone Bypass lets IP phones behind hardware clients connect without undergoing user authentication processes. If enabled, secure unit authentication remains in effect.
ip-phone-bypass {enable | disable}
no ip-phone-bypass
Syntax Description
Defaults
IP Phone Bypass is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
You need to configure IP Phone Bypass only if you have enabled user authentication.
Examples
The following example shows how to enable IP Phone Bypass. for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ip-phone-bypass enableRelated Commands
user-authentication
Requires users behind a hardware client to identify themselves to the security appliance before connecting.
ips
The ASA 5500 series adaptive security appliance supports the AIP SSM, which runs advanced IPS software that provides further security inspection either in inline mode or promiscuous mode. The security appliance diverts packets to the AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied. For example, packets that are blocked by an access list are not forwarded to the AIP SSM.
To assign traffic from the security appliance to the AIP SSM, use the ips command in class configuration mode. To remove this command, use the no form of this command.
ips {inline | promiscuous} {fail-close | fail-open}
no ips {inline | promiscuous} {fail-close | fail-open}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
—
—
•
Command History
Usage Guidelines
To configure the ips command, you must first configure the class-map command, policy-map command and the class command.
After you configure the security appliance to divert traffic to the AIP SSM, configure the AIP SSM inspection and protection policy, which determines how to inspect traffic and what to do when an intrusion is detected. You can either session to the AIP SSM from the security appliance (the session command) or you can connect directly to the AIP SSM using SSH or Telnet on its mangement interface. Alternatively, you can use ASDM. For more information about configuring the AIP SSM, see Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface.
Examples
The following example diverts all IP traffic to the AIP SSM in promiscous mode, and blocks all IP traffic should the AIP SSM card fail for any reason:
hostname(config)# access-list IPS permit ip any anyhostname(config)# class-map my-ips-classhostname(config-cmap)# match access-list IPShostname(config-cmap)# policy-map my-ips-policyhostname(config-pmap)# class my-ips-classhostname(config-pmap-c)# ips promiscuous fail-closehostname(config-pmap-c)# service-policy my-ips-policy globalRelated Commands
ipsec-udp
To enable IPSec over UDP, use the ipsec-udp enable command in group-policy configuration mode. To disable IPSec over UDP, use the ipsec-udp disable command. To remove the IPSec over UDP attribute from the running configuration, use the no form of this command. This enables inheritance of a value for IPSec over UDP from another group policy.
IPSec over UDP, sometimes called IPSec through NAT, lets a Cisco VPN Client or hardware client connect via UDP to a security appliance that is running NAT.
ipsec-udp {enable | disable}
no ipsec-udp
Syntax Description
Defaults
IPSec over UDP is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
To use IPSec over UDP, you must also configure the ipsec-udp-port command.
The Cisco VPN Client must also be configured to use IPSec over UDP (it is configured to use it by default). The VPN 3002 requires no configuration to use IPSec over UDP.
IPSec over UDP is proprietary, it applies only to remote-access connections, and it requires mode configuration, means the security appliance exchanges configuration parameters with the client while negotiating SAs.
Using IPSec over UDP may slightly degrade system performance.
Examples
The following example shows how to set IPSec over UDP for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ipsec-udp enableRelated Commands
ipsec-udp-port
Specifies the port on which the security appliance listens for UDP traffic.
ipsec-udp-port
To set a UDP port number for IPSec over UDP, use the ipsec-udp-port command in group-policy configuration mode. To disable the UDP port, use the no form of this command. This enables inheritance of a value for the IPSec over UDP port from another group policy.
In IPSec negotiations. the security appliance listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic.
ipsec-udp-port port
no ipsec-udp-port
Syntax Description
Defaults
The default port is 10000.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
You can configure multiple group policies with this feature enabled, and each group policy can use a different port number.
Examples
The following example shows how to set an IPSec UDP port to port 4025 for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# ipsec-udp-port 4025Related Commands
ipsec-udp
Lets a Cisco VPN Client or hardware client connect via UDP to a security appliance that is running NAT.
ip verify reverse-path
To enable Unicast RPF, use the ip verify reverse-path command in global configuration mode. To disable this feature, use the no form of this command. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.
ip verify reverse-path interface interface_name
no ip verify reverse-path interface interface_name
Syntax Description
Defaults
This feature is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
Normally, the security appliance only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the security appliance to also look at the source address; this is why it is called Reverse Path Forwarding. For any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address. See RFC 2267 for more information.
For outside traffic, for example, the security appliance can use the default route to satisfy the Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known to the routing table, the security appliance uses the default route to correctly identify the outside interface as the source interface.
If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the security appliance drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the security appliance drops the packet because the matching route (the default route) indicates the outside interface.
Unicast RPF is implemented as follows:
•
•
Examples
The following example enables Unicast RPF on the outside interface:
hostname(config)# ip verify reverse-path interface outsideRelated Commands
ipv6 access-list
To configure an IPv6 access list, use the ipv6 access-list command in global configuration mode. To remove an ACE, use the no form of this command. Access lists define the traffic that the security appliance allows to pass through or blocks.
ipv6 access-list id [line line-num] {deny | permit} {protocol | object-group protocol_obj_grp_id} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} [operator {port [port] | object-group service_obj_grp_id}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [{operator port [port] | object-group service_obj_grp_id}] [log [[level] [interval secs] | disable | default]]
no ipv6 access-list id [line line-num] {deny | permit} {protocol | object-group protocol_obj_grp_id} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} [operator {port [port] | object-group service_obj_grp_id}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [{operator port [port] | object-group service_obj_grp_id}] [log [[level] [interval secs] | disable | default]]
ipv6 access-list id [line line-num] {deny | permit} icmp6 {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [icmp_type | object-group icmp_type_obj_grp_id] [log [[level] [interval secs] | disable | default]]
no ipv6 access-list id [line line-num] {deny | permit} icmp6 {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | object-group network_obj_grp_id} {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | object-group network_obj_grp_id} [icmp_type | object-group icmp_type_obj_grp_id] [log [[level] [interval secs] | disable | default]]
Syntax Description
Defaults
When the log keyword is specified, the default level for syslog message 106100 is 6 (informational).
The default logging interval is 300 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
The ipv6 access-list command allows you to specify if an IPv6 address is permitted or denied access to a port or protocol. Each command is called an ACE. One or more ACEs with the same access list name are referred to as an access list. Apply an access list to an interface using the access-group command.
The security appliance denies all packets from an outside interface to an inside interface unless you specifically permit access using an access list. All packets are allowed by default from an inside interface to an outside interface unless you specifically deny access.
The ipv6 access-list command is similar to the access-list command, except that it is IPv6-specific. For additional information about access lists, refer to the access-list extended command.
The ipv6 access-list icmp command is used to filter ICMPv6 messages that pass through the security appliance.To configure the ICMPv6 traffic that is allowed to originate and terminate at a specific interface, use the ipv6 icmp command.
Refer to the object-group command for information on how to configure object groups.
Examples
The following example will allow any host using TCP to access the 3001:1::203:A0FF:FED6:162D server:
hostname(config)# ipv6 access-list acl_grp permit tcp any host 3001:1::203:A0FF:FED6:162DThe following example uses eq and a port to deny access to just FTP:
hostname(config)# ipv6 access-list acl_out deny tcp any host 3001:1::203:A0FF:FED6:162D eq ftphostname(config)# access-group acl_out in interface insideThe following example uses lt to permit access to all ports less than port 2025, which permits access to the well-known ports (1 to 1024):
hostname(config)# ipv6 access-list acl_dmz1 permit tcp any host 3001:1::203:A0FF:FED6:162D lt 1025hostname(config)# access-group acl_dmz1 in interface dmz1Related Commands
ipv6 address
To enable IPv6 and configure the IPv6 addresses on an interface, use the ipv6 address command in interface configuration mode. To remove the IPv6 addresses, use the no form of this command.
ipv6 address {autoconfig | ipv6-prefix/prefix-length [eui-64] | ipv6-address link-local}
no ipv6 address {autoconfig | ipv6-prefix/prefix-length [eui-64] | ipv6-address link-local}
Syntax Description
Defaults
IPv6 is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
Configuring an IPv6 address on an interface enables IPv6 on that interface; you do not need to use the ipv6 enable command after specifying an IPv6 address.
The ipv6 address autoconfig command is used to enable automatic configuration of IPv6 addresses on an interface using stateless autoconfiguration. The addresses are configured based on the prefixes received in Router Advertisement messages. If a link-local address has not been configured, then one is automatically generated for this interface. An error message is displayed if another host is using the link-local address.
The ipv6 address eui-64 command is used to configure an IPv6 address for an interface. If the optional eui-64 is specified, the EUI-64 interface ID will be used in the low order 64 bits of the address. If the value specified for the prefix-length argument is greater than 64 bits, the prefix bits have precedence over the interface ID. An error message will be displayed if another host is using the specified address.
The Modified EUI-64 format interface ID is derived from the 48-bit link-layer (MAC) address by inserting the hex number FFFE between the upper three bytes (OUI field) and the lower 3 bytes (serial number) of the link layer address. To ensure the chosen address is from a unique Ethernet MAC address, the next-to-lowest order bit in the high-order byte is inverted (universal/local bit) to indicate the uniqueness of the 48-bit address. For example, an interface with a MAC address of 00E0.B601.3B7A would have a 64 bit interface ID of 02E0:B6FF:FE01:3B7A.
The ipv6 address link-local command is used to configure an IPv6 link-local address for an interface. The ipv6-address specified with this command overrides the link-local address that is automatically generated for the interface. The link-local address is composed of the link-local prefix FE80::/64 and the interface ID in Modified EUI-64 format. An interface with a MAC address of 00E0.B601.3B7A would have a link-local address of FE80::2E0:B6FF:FE01:3B7A. An error message will be displayed if another host is using the specified address.
Examples
The following example assigns 3FFE:C00:0:1::576/64 as the global address for the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 address 3ffe:c00:0:1::576/64The following example assigns an IPv6 address automatically for the selected interface:
hostname(config)# interface gigabitethernet 0/1hostname(config-if)# ipv6 address autoconfigThe following example assigns IPv6 address 3FFE:C00:0:1::/64 to the selected interface and specifies an EUI-64 interface ID in the low order 64 bits of the address:
hostname(config)# interface gigabitethernet 0/2hostname(onfig-if)# ipv6 address 3FFE:C00:0:1::/64 eui-64The following example assigns FE80::260:3EFF:FE11:6670 as the link-level address for the selected interface:
hostname(config)# interface gigabitethernet 0/3hostname(config-if)# ipv6 address FE80::260:3EFF:FE11:6670 link-localRelated Commands
debug ipv6 interface
Displays debug information for IPv6 interfaces.
show ipv6 interface
Displays the status of interfaces configured for IPv6.
ipv6 enable
To enable IPv6 processing on an interface that has not been configured with an explicit IPv6 address, use the ipv6 enable command in interface configuration mode. To disable IPv6 processing on an interface that has not been configured with an explicit IPv6 address, use the no form of this command.
ipv6 enable
no ipv6 enable
Syntax Description
This command has no arguments or keywords.
Defaults
IPv6 is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The ipv6 enable command automatically configures an IPv6 link-local unicast address on the interface while also enabling the interface for IPv6 processing.
The no ipv6 enable command does not disable IPv6 processing on an interface that is configured with an explicit IPv6 address.
Examples
The following example enables IPv6 processing on the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 enableRelated Commands
ipv6 icmp
To configure ICMP access rules for an interface, use the ipv6 icmp command in global configuration mode. To remove an ICMP access rule, use the no form of this command.
ipv6 icmp {permit | deny} {ipv6-prefix/prefix-length | any | host ipv6-address} [icmp-type] if-name
no ipv6 icmp {permit | deny} {ipv6-prefix/prefix-length | any | host ipv6-address} [icmp-type] if-name
Syntax Description
Defaults
If no ICMP access rules are defined, all ICMP traffic is permitted.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
ICMP in IPv6 functions the same as ICMP in IPv4. ICMPv6 generates error messages, such as ICMP destination unreachable messages and informational messages like ICMP echo request and reply messages. Additionally, ICMP packets in IPv6 are used in the IPv6 neighbor discovery process and path MTU discovery.
If there are no ICMP rules defined for an interface, all IPv6 ICMP traffic is permitted.
If there are ICMP rules defined for an interface, then the rules are processed in order on a first-match basis followed by an implicit deny all rule. For example, if the first matched rule is a permit rule, the ICMP packet is processed. If the first matched rule is a deny rule, or if the ICMP packet did not match any rule on that interface, then the security appliance discards the ICMP packet and generates a syslog message.
For this reason, the order that you enter the ICMP rules is important. If you enter a rule denying all ICMP traffic from a specific network, and then follow it with a rule permitting ICMP traffic from a particular host on that network, the host rule will never be processed. The ICMP traffic is blocked by the network rule. However, if you enter the host rule first, followed by the network rule, the host ICMP traffic will be allowed, while all other ICMP traffic from that network is blocked.
The ipv6 icmp command configures access rules for ICMP traffic that terminates at the security appliance interfaces. To configure access rules for pass-through ICMP traffic, refer to the ipv6 access-list command.
Examples
The following example denies all ping requests and permits all Packet Too Big messages (to support Path MTU Discovery) at the outside interface:
hostname(config)# ipv6 icmp deny any echo-reply outsidehostname(config)# ipv6 icmp permit any packet-too-big outsideThe following example permits host 2000:0:0:4::2 or hosts on prefix 2001::/64 to ping the outside interface:
hostname(config)# ipv6 icmp permit host 2000:0:0:4::2 echo-reply outsidehostname(config)# ipv6 icmp permit 2001::/64 echo-reply outsidehostname(config)# ipv6 icmp permit any packet-too-big outsideRelated Commands
ipv6 nd dad attempts
To configure the number of consecutive neighbor solicitation messages that are sent on an interface during duplicate address detection, use the ipv6 nd dad attempts command in interface configuration mode. To return to the default number of duplicate address detection messages sent, use the no form of this command.
ipv6 nd dad attempts value
no ipv6 nd dad [attempts value]
Syntax Description
Defaults
The default number of attempts is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
Duplicate address detection verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in a tentative state while duplicate address detection is performed). Duplicate address detection uses neighbor solicitation messages to verify the uniqueness of unicast IPv6 addresses. The frequency at which the neighbor solicitation messages are sent is configured using the ipv6 nd ns-interval command.
Duplicate address detection is suspended on interfaces that are administratively down. While an interface is administratively down, the unicast IPv6 addresses assigned to the interface are set to a pending state.
Duplicate address detection is automatically restarted on an interface when the interface returns to being administratively up. An interface returning to administratively up restarts duplicate address detection for all of the unicast IPv6 addresses on the interface.
Note
When duplicate address detection identifies a duplicate address, the state of the address is set to DUPLICATE and the address is not used. If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is disabled on the interface and an error message similar to the following is issued:
%PIX-4-DUPLICATE: Duplicate address FE80::1 on outsideIf the duplicate address is a global address of the interface, the address is not used and an error message similar to the following is issued:
%PIX-4-DUPLICATE: Duplicate address 3000::4 on outsideAll configuration commands associated with the duplicate address remain as configured while the state of the address is set to DUPLICATE.
If the link-local address for an interface changes, duplicate address detection is performed on the new link-local address and all of the other IPv6 address associated with the interface are regenerated (duplicate address detection is performed only on the new link-local address).
Examples
The following example configures 5 consecutive neighbor solicitation messages to be sent when duplicate address detection is being performed on the tentative unicast IPv6 address of the interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd dad attempts 5The following example disables duplicate address detection on the selected interface:
hostname(config)# interface gigabitethernet 0/1hostname(config-if)# ipv6 nd dad attempts 0Related Commands
ipv6 nd ns-interval
To configure the interval between IPv6 neighbor solicitation retransmissions on an interface, use the ipv6 nd ns-interval command in interface configuration mode. To restore the default value, use the no form of this command.
ipv6 nd ns-interval value
no ipv6 nd ns-interval [value]
Syntax Description
value
The interval between IPv6 neighbor solicitation transmissions, in milliseconds. Valid values range from 1000 to 3600000 milliseconds. The default value is 1000 milliseconds.
Defaults
1000 milliseconds between neighbor solicitation transmissions.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
This value will be included in all IPv6 router advertisements sent out this interface.
Examples
The following example configures an IPv6 neighbor solicitation transmission interval of 9000 milliseconds for Gigabitethernet 0/0:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd ns-interval 9000Related Commands
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd prefix
To configure which IPv6 prefixes are included in IPv6 router advertisements, use the ipv6 nd prefix command in interface configuration mode. To remove the prefixes, use the no form of this command.
ipv6 nd prefix ipv6-prefix/prefix-length | default [[valid-lifetime preferred-lifetime] | [at valid-date preferred-date] | infinite | no-advertise | off-link | no-autoconfig]
no ipv6 nd prefix ipv6-prefix/prefix-length | default [[valid-lifetime preferred-lifetime] | [at valid-date preferred-date] | infinite | no-advertise | off-link | no-autoconfig]
Syntax Description
Defaults
All prefixes configured on interfaces that originate IPv6 router advertisements are advertised with a valid lifetime of 2592000 seconds (30 days) and a preferred lifetime of 604800 seconds (7 days), and with both the "onlink" and "autoconfig" flags set.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
This command allows control over the individual parameters per prefix, including whether or not the prefix should be advertised.
By default, prefixes configured as addresses on an interface using the ipv6 address command are advertised in router advertisements. If you configure prefixes for advertisement using the ipv6 nd prefix command, then only these prefixes are advertised.
The default keyword can be used to set default parameters for all prefixes.
A date can be set to specify the expiration of a prefix. The valid and preferred lifetimes are counted down in real time. When the expiration date is reached, the prefix will no longer be advertised.
When onlink is "on" (by default), the specified prefix is assigned to the link. Nodes sending traffic to such addresses that contain the specified prefix consider the destination to be locally reachable on the link.
When autoconfig is "on" (by default), it indicates to hosts on the local link that the specified prefix can be used for IPv6 autoconfiguration.
Examples
The following example includes the IPv6 prefix 2001:200::/35, with a valid lifetime of 1000 seconds and a preferred lifetime of 900 seconds, in router advertisements sent out on the specified interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd prefix 2001:200::/35 1000 900Related Commands
ipv6 address
Configures an IPv6 address and enables IPv6 processing on an interface.
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd ra-interval
To configure the interval between IPv6 router advertisement transmissions on an interface, use the ipv6 nd ra-interval command in interface configuration mode. To restore the default interval, use the no form of this command.
ipv6 nd ra-interval [msec] value
no ipv6 nd ra-interval [[msec] value]
Syntax Description
Defaults
200 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The interval between transmissions should be less than or equal to the IPv6 router advertisement lifetime if the security appliance is configured as a default router by using the ipv6 nd ra-lifetime command. To prevent synchronization with other IPv6 nodes, randomly adjust the actual value used to within 20 percent of the specified value.
Examples
The following example configures an IPv6 router advertisement interval of 201 seconds for the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd ra-interval 201Related Commands
ipv6 nd ra-lifetime
Configures the lifetime of an IPv6 router advertisement.
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd ra-lifetime
To configure the "router lifetime" value in IPv6 router advertisements on an interface, use the ipv6 nd ra-lifetime command in interface configuration mode. To restore the default value, use the no form of this command.
ipv6 nd ra-lifetime seconds
no ipv6 nd ra-lifetime [seconds]
Syntax Description
Defaults
1800 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The "router lifetime" value is included in all IPv6 router advertisements sent out the interface. The value indicates the usefulness of the security appliance as a default router on this interface.
Setting the value to a non-zero value to indicates that the security appliance should be considered a default router on this interface. The no-zero value for the "router lifetime" value should not be less than the router advertisement interval.
Setting the value to 0 indicates that the security appliance should not be considered a default router on this interface.
Examples
The following example configures an IPv6 router advertisement lifetime of 1801 seconds for the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd ra-lifetime 1801Related Commands
ipv6 nd reachable-time
To configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, use the ipv6 nd reachable-time command in interface configuration mode. To restore the default time, use the no form of this command.
ipv6 nd reachable-time value
no ipv6 nd reachable-time [value]
Syntax Description
value
The amount of time, in milliseconds, that a remote IPv6 node is considered reachable. Valid values range from 0 to 3600000 milliseconds. The default is 0.
Defaults
0 milliseconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The configured time enables detecting unavailable neighbors. Shorter configured times enable detecting unavailable neighbors more quickly; however, shorter times consume more IPv6 network bandwidth and processing resources in all IPv6 network devices. Very short configured times are not recommended in normal IPv6 operation.
Examples
The following example configures an IPv6 reachable time of 1700000 milliseconds for the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd reachable-time 1700000Related Commands
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd suppress-ra
To suppress IPv6 router advertisement transmissions on a LAN interface, use the ipv6 nd suppress-ra command in interface configuration mode. To reenable the sending of IPv6 router advertisement transmissions on a LAN interface, use the no form of this command.
ipv6 nd suppress-ra
no ipv6 nd suppress-ra
Syntax Description
This command has no arguments or keywords.
Defaults
Router advertisements are automatically sent on LAN interfaces if IPv6 unicast routing is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
Use the no ipv6 nd suppress-ra command to enable the sending of IPv6 router advertisement transmissions on non-LAN interface types (for example serial or tunnel interfaces).
Examples
The following example suppresses IPv6 router advertisements on the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd suppress-raRelated Commands
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 neighbor
To configure a static entry in the IPv6 neighbor discovery cache, use the ipv6 neighbor command in global configuration mode. To remove a static entry from the neighbor discovery cache, use the no form of this command.
ipv6 neighbor ipv6_address if_name mac_address
no ipv6 neighbor ipv6_address if_name [mac_address]
Syntax Description
Defaults
Static entries are not configured in the IPv6 neighbor discovery cache.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
The ipv6 neighbor command is similar to the arp command. If an entry for the specified IPv6 address already exists in the neighbor discovery cache—learned through the IPv6 neighbor discovery process—the entry is automatically converted to a static entry. These entries are stored in the configuration when the copy command is used to store the configuration.
Use the show ipv6 neighbor command to view static entries in the IPv6 neighbor discovery cache.
The clear ipv6 neighbors command deletes all entries in the IPv6 neighbor discovery cache except static entries. The no ipv6 neighbor command deletes a specified static entry from the neighbor discovery cache; the command does not remove dynamic entries—entries learned from the IPv6 neighbor discovery process—from the cache. Disabling IPv6 on an interface by using the no ipv6 enable command deletes all IPv6 neighbor discovery cache entries configured for that interface except static entries (the state of the entry changes to INCMP [Incomplete]).
Static entries in the IPv6 neighbor discovery cache are not modified by the neighbor discovery process.
Examples
The following example adds a static entry for the an inside host with an IPv6 address of 3001:1::45A and a MAC address of 0002.7D1A.9472 to the neighbor discovery cache:
hostname(config)# ipv6 neighbor 3001:1::45A inside 0002.7D1A.9472Related Commands
clear ipv6 neighbors
Deletes all entries in the IPv6 neighbor discovery cache, except static entries.
show ipv6 neighbor
Displays IPv6 neighbor cache information.
ipv6 route
To add an IPv6 route to the IPv6 routing table, use the ipv6 route command in global configuration mode. To remove an IPv6 default route, use the no form of this command.
ipv6 route if_name ipv6-prefix/prefix-length ipv6-address [administrative-distance]
no ipv6 route if_name ipv6-prefix/prefix-length ipv6-address [administrative-distance]
Syntax Description
Defaults
By default, the administrative-distance is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
Use the show ipv6 route command to view the contents of the IPv6 routing table.
Examples
The following example routes packets for network 7fff::0/32 to a networking device on the inside interface at 3FFE:1100:0:CC00::1 with an administrative distance of 110:
hostname(config)# ipv6 route inside 7fff::0/32 3FFE:1100:0:CC00::1 110Related Commands
debug ipv6 route
Displays debug messages for IPv6 routing table updates and route cache updates.
show ipv6 route
Displays the current contents of the IPv6 routing table.
isakmp am-disable
To disable inbound aggressive mode connections, use the isakmp am-disable command in global configuration mode. To enable inbound aggressive mode connections, use the no form of this command.
isakmp am-disable
no isakmp am-disable
Syntax Description
This command has no arguments or keywords.
Defaults
The default value is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example, entered in global configuration mode, disables inbound aggressive mode connections:
hostname(config)# isakmp am-disableRelated Commands
isakmp disconnect-notify
To enable disconnect notification to peers, use the isakmp disconnect-notify command in global configuration mode. To disable disconnect notification, use the no form of this command.
isakmp disconnect-notify
no isakmp disconnect-notify
Syntax Description
This command has no arguments or keywords.
Defaults
The default value is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example, entered in global configuration mode, enables disconnect notification to peers:
hostname(config)# isakmp disconnect-notifyRelated Commands
isakmp enable
To enable ISAKMP negotiation on the interface on which the IPSec peer communicates with the security appliance, use the isakmp enable command in global configuration mode. To disable ISAKMP on the interface, use the no form of this command.
isakmp enable interface-name
no isakmp enable interface-name
Syntax Description
interface-name
Specifies the name of the interface on which to enable or disable ISAKMP negotiation.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example, entered in global configuration mode, shows how to disable ISAKMP on the inside interface:
hostname(config)# no isakmp enable insideRelated Commands
Clears all the ISAKMP configuration.
Clears all ISAKMP policy configuration.
Clears the IKE runtime SA database.
Displays all the active configuration.
isakmp identity
To set the Phase 2 ID to be sent to the peer, use the isakmp identity command in global configuration mode. To return to the default setting, use the no form of this command.
isakmp identity {address | hostname | key-id key-id-string | auto}
no isakmp identity {address | hostname | key-id key-id-string | auto}
Syntax Description
Defaults
The default ISAKMP identity is isakmp identity hostname.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example, entered in global configuration mode, enables ISAKMP negotiation on the interface for communicating with the IPSec peer, depending on connection type:
hostname(config)# isakmp identity autoRelated Commands
Clears all the ISAKMP configuration.
Clears all ISAKMP policy configuration.
Clears the IKE runtime SA database.
Displays all the active configuration.
isakmp ipsec-over-tcp
To enable IPSec over TCP, use the isakmp ipsec-over-tcp command in global configuration mode. To disable IPSec over TCP, use the no form of this command.
isakmp ipsec-over-tcp [port port1...port10]
no isakmp ipsec-over-tcp [port port1...port10]
Syntax Description
Defaults
The default value is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
This example, entered in global configuration mode, enables IPSec over TCP on port 45:
hostname(config)# isakmp ipsec-over-tcp port 45Related Commands
isakmp keepalive
To configure IKE DPD, use the isakmp keepalive command in tunnel-group ipsec-attributes configuration mode. In every tunnel group, IKE keepalives are enabled by default with default threshold and retry values. To return the keepalive parameters to enabled with default threshold and retry values, use the no form of this command.
isakmp keepalive [threshold seconds] [retry seconds] [disable]
no isakmp keepalive disable
Syntax Description
Defaults
The default for a remote access group is a threshold of 300 seconds and a retry of 2 seconds.
For a LAN-to-LAN group, the default is a threshold of 10 seconds and a retry of 2 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ipsec attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute only to IPSec remote-access and IPSec LAN-to-LAN tunnel-group types.
Examples
The following example entered in config-ipsec configuration mode, configures IKE DPD, establishes a threshold of 15, and specifies a retry interval of 10 for the IPSec LAN-to-LAN tunnel group with the IP address 209.165.200.225:
hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2Lhostname(config)# tunnel-group 209.165.200.225 ipsec-attributeshostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10hostname(config-tunnel-ipsec)#Related Commands
isakmp nat-traversal
To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the isakmp enable command) in global configuration mode and then use the isakmp nat-traversal command. If you have enabled NAT traversal, you can disable it with the no form of this command.
isakmp nat-traversal natkeepalive
no isakmp nat-traversal natkeepalive
Syntax Description
Defaults
By default, NAT traversal (isakmp nat-traversal) is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.
The security appliance supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps.
This command enables NAT-T globally on the security appliance. To disable in a crypto-map entry, use the crypto map set nat-t-disable command.
Examples
The following example, entered in global configuration mode, enables ISAKMP and then enables NAT traversal with an interval of 30 seconds:
hostname(config)# isakmp enablehostname(config)# isakmp nat-traversal 30Related Commands
isakmp policy authentication
To specify an authentication method within an IKE policy, use the isakmp policy authentication command in global configuration mode. IKE policies define a set of parameters for IKE negotiation. To reset the authentication method to the default value, use the no form of this command.
isakmp policy priority authentication {pre-share | dsa-sig | rsa-sig}
no isakmp policy priority authentication
Syntax Description
Defaults
The default ISAKMP policy authentication is pre-share.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
If you specify RSA signatures, you must configure the security appliance and its peer to obtain certificates from a certification authority (CA). If you specify preshared keys, you must separately configure these preshared keys within the security appliance and its peer.
Examples
The following example, entered in global configuration mode, shows use of the isakmp policy authentication command. This example sets the authentication method of RSA Signatures to be used within the IKE policy with the priority number of 40.
hostname(config)# isakmp policy 40 authentication rsa-sigRelated Commands
isakmp policy encryption
To specify the encryption algorithm to use within an IKE policy, use the isakmp policy encryption command in global configuration mode. To reset the encryption algorithm to the default value, which is des, use the no form of this command.
isakmp policy priority encryption {aes | aes-192| aes-256 | des | 3des}
no isakmp policy priority encryption {aes | aes-192| aes-256 | des | 3des}
Syntax Description
Defaults
The default ISAKMP policy encryption is 3des.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example, entered in global configuration mode, shows use of the isakmp policy encryption command; it sets 128-bit key AES encryption as the algorithm to be used within the IKE policy with the priority number of 25.
hostname(config)# isakmp policy 25 encryption aesThe following example, entered in global configuration mode, sets the 3DES algorithm to be used within the IKE policy with the priority number of 40.
hostname(config)# isakmp policy 40 encryption 3deshostname(config)#Related Commands
isakmp policy group
To specify the Diffie-Hellman group for an IKE policy, use the isakmp policy group command in global configuration mode. IKE policies define a set of parameters to use during IKE negotiation. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.
isakmp policy priority group {1 | 2 | 5 | 7}
no isakmp policy priority group
Syntax Description
Defaults
The default group policy is group 2.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
There are four group options: 768-bit (DH Group 1), 1024-bit (DH Group 2), 1536-bit (DH Group 5), and DH Group 7. The 1024-bit and 1536-bit Diffie-Hellman Groups provide stronger security, but require more CPU time to execute.
Note
AES support is available on security appliances licensed for VPN-3DES only. Due to the large key sizes provided by AES, ISAKMP negotiation should use Diffie-Hellman (DH) group 5 instead of group 1 or group 2. This is done with the isakmp policy priority group 5 command.
Examples
The following example, entered in global configuration mode, shows use of the isakmp policy group command. This example sets group 2, the 1024-bit Diffie Hellman, to be used within the IKE policy with the priority number of 40.
hostname(config)# isakmp policy 40 group 2Related Commands
isakmp policy hash
To specify the hash algorithm for an IKE policy, use the isakmp policy hash command in global configuration mode. IKE policies define a set of parameters to be used during IKE negotiation.
To reset the hash algorithm to the default value of SHA-1, use the no form of this command.
isakmp policy priority hash {md5 | sha}
no isakmp policy priority hash
Syntax Description
Defaults
The default hash algorithm is SHA-1 (HMAC variant).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
There are two hash algorithm options: SHA-1 and MD5. MD5 has a smaller digest and is considered to be slightly faster than SHA-1.
Examples
The following example, entered in global configuration mode, shows use of the isakmp policy hash command. This example specifies that the MD5 hash algorithm be used within the IKE policy, with the priority number of 40.
hostname(config)# isakmp policy 40 hash md5Related Commands
isakmp policy lifetime
To specify the lifetime of an IKE security association before it expires, use the isakmp policy lifetime command in global configuration mode. You can specify an infinite lifetime if the peer does not propose a lifetime. Use the no form of this command to reset the security association lifetime to the default value of 86,400 seconds (one day).
isakmp policy priority lifetime seconds
no isakmp policy priority lifetime
Syntax Description
Defaults
The default value is 86,400 seconds (one day).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
When IKE begins negotiations, it seeks to agree upon the security parameters for its own session. Then the security association at each peer refers to the agreed-upon parameters. The peers retain the security association until the lifetime expires. Before a security association expires, subsequent IKE negotiations can use it, which can save time when setting up new IPSec security associations. The peers negotiate new security associations before current security associations expire.
With longer lifetimes, the security appliance sets up future IPSec security associations more quickly. Encryption strength is great enough to ensure security without using very fast rekey times, on the order of every few minutes. We recommend that you accept the default.
Note
The following example, entered in global configuration mode, shows use of the isakmp policy lifetime command. This example sets the lifetime of the IKE security association to 50,400 seconds (14 hours) within the IKE policy with the priority number of 40.
Examples
The following example, entered in global configuration mode, sets the lifetime of the IKE security association to 50,4000 seconds (14 hours) within the IKE policy with the priority number of 40.
hostname(config)# isakmp policy 40 lifetime 50400The following example, entered in global configuration mode, sets the IKE security association to an infinite lifetime.
hostname(config)# isakmp policy 40 lifetime 0Related Commands
isakmp reload-wait
To enable waiting for all active sessions to voluntarily terminate before rebooting the security appliance, use the isakmp reload-wait command in global configuration mode. To disable waiting for active sessions to terminate and to proceed with a reboot of the security appliance, use the no form of this command.
isakmp reload-wait
no isakmp reload-wait
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example, entered in global configuration mode, tells the security appliance to wait until all active sessions have terminated before rebooting.
hostname(config)# isakmp reload-waitRelated Commands
issuer-name
To identify the DN from the CA certificate to be compared to the rule entry string, use the issuer-name command in CA certificate map configuration mode. To remove an issuer-name, use the no form of the command.
issuer-name [attr tag] {eq | ne | co | nc} string
no issuer-name [attr tag] {eq | ne | co | nc} string
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
•
Command History
Examples
The following example enters the CA certificate map mode for certificate map 4 and configures the issuer name as O = central:
hostname(config)# crypto ca certificate map 4hostname(ca-certificate-map)# issuer-name attr o eq centralhostname(ca-certificate-map)# exitRelated Commands
