-
Cisco Security Appliance Command Reference, Version 7.1
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting through accounting-server-group
-
acl-netmask-convert through auto-update timeout Commands
-
backup-servers through browse networks Commands
-
cache through clear compression Commands
-
clear configure through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
debug aaa through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
interface-dhcp through issuer-name Commands
-
join-failover-group through kill Commands
-
ldap-attribute-map through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
page style through pwd Commands
-
queue-limit through routerospf Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show debug through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show webvpn svc Commands
-
shun through sysopt uauth allow-http-cache Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Feedback
Table Of Contents
page style through pwd Commands
password (crypto ca trustpoint)
page style through pwd Commands
page style
To customize the WebVPN page displayed to WebVPN users when they connect to the security appliance, use the page style command in webvpn customization mode:
page style value
[no] page style value
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
Defaults
The default page style is background-color:white;font-family:Arial,Helv,sans-serif
Command Modes
The following table shows the modes in which you can enter the command:
webvpn customization
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
The following example customizes the page style to large:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# page style font-size:largeRelated Commands
logo
Customizes the logo on the WebVPN page.
title
Customizes the title of the WebVPN page
pager
To set the default number of lines on a page before the "
---more---"prompt appears for Telnet sessions, use the pager command in global configuration mode.pager [lines] lines
Syntax Description
Defaults
The default is 24 lines.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
This command changes the default pager line setting for Telnet sessions. If you want to temporarily change the setting only for the current session, use the terminal pager command.
If you Telnet to the admin context, then the pager line setting follows your session when you change to other contexts, even if the pager command in a given context has a different setting. To change the current pager setting, enter the terminal pager command with a new setting, or you can enter the pager command in the current context. In addition to saving a new pager setting to the context configuration, the pager command applies the new setting to the current Telnet session.
Examples
The following example changes the number of lines displayed to 20:
hostname(config)# pager 20Related Commands
participate
To force the device to participate in the virtual load-balancing cluster, use the participate command in VPN load-balancing mode. To remove a device from participation in the cluster, use the no form of this command.
participate
no participate
Syntax Description
This command has no arguments or keywords.
Defaults
The default behavior is that the device does not participate in the vpn load-balancing cluster.
Command Modes
The following table shows the modes in which you can enter the command:
VPN load-balancing
•
—
•
—
—
Command History
Usage Guidelines
You must first configure the interface using the interface and nameif commands, and use the vpn load-balancing command to enter VPN load-balancing mode. You must also have previously configured the cluster IP address using the cluster ip command and configured the interface to which the virtual cluster IP address refers.
This command forces this device to participate in the virtual load-balancing cluster. You must explicitly issue this command to enable participation for a device.
All devices that participate in a cluster must share the same cluster-specific values: ip address, encryption settings, encryption key, and port.
Note
If isakmp was enabled when you configured the cluster encryption command, but was disabled before you configured the participate command, you get an error message when you enter the participate command, and the local device will not participate in the cluster.
Examples
The following is an example of a VPN load-balancing command sequence that includes a participate command that enables the current device to participate in the vpn load-balancing cluster:
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# participatehostname(config-load-balancing)#Related Commandshostname(config-load-balancing)# participate
passwd
To set the login password, use the passwd command in global configuration mode. To set the password back to the default of "cisco," use the no form of this command. You are prompted for the login password when you access the CLI as the default user using Telnet or SSH. After you enter the login password, you are in user EXEC mode.
{passwd | password} password [encrypted]
no {passwd | password} password
Syntax Description
Defaults
The default password is "cisco."
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
This login password is for the default user. If you configure CLI authentication per user for Telnet or SSH using the aaa authentication console command, then this password is not used.
Examples
The following example sets the password to Pa$$w0rd:
hostname(config)# passwd Pa$$w0rdThe following example sets the password to an encrypted password that you copied from another security appliance:
hostname(config)# passwd jMorNbK0514fadBh encryptedRelated Commands
password (crypto ca trustpoint)
To specify a challenge phrase that is registered with the CA during enrollment, use the password command in crypto ca trustpoint configuration mode. The CA typically uses this phrase to authenticate a subsequent revocation request. To restore the default setting, use the no form of the command.
password string
no password
Syntax Description
Defaults
The default setting is to not include a password.
Command Modes
The following table shows the modes in which you can enter the
Crypto ca trustpoint configuration
•
•
•
•
•
command:
Command History
Usage Guidelines
This command lets you specify the revocation password for the certificate before actual certificate enrollment begins. The specified password is encrypted when the updated configuration is written to NVRAM by the security appliance.
If this command is enabled, you will not be prompted for a password during certificate enrollment.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes a challenge phrase registered with the CA in the enrollment request for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# password zzxxyyhostname(ca-trustpoint)#Related Commands
crypto ca trustpoint
Enters trustpoint configuration mode.
default enrollment
Returns enrollment parameters to their defaults.
password-management
To enable password management, use the password-management command in tunnel-group general-attributes configuration mode. To disable password management, use the no form of this command. To reset the number of days to the default value, use the no form of the command with the password-expire-in-days keyword specified.
password-management [password-expire-in-days days]
no password-management
no password-management password-expire-in-days [days]
Syntax Description
Defaults
If you do not specify this command, no password management occurs. If you do not specify the password-expire-in-days keyword, the default length of time to start warning before the current password expires is 14 days.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can configure this attribute for IPSec remote access and WebVPN tunnel-groups.
When you configure this command, the security appliance notifies the remote user at login that the user's current password is about to expire or has expired. The security appliance then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. This command is valid for AAA servers that support such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.
Note that this does not change the number of days before the password expires, but rather, the number of days ahead of expiration that the security appliance starts warning the user that the password is about to expire.
If you do specify the password-expire-in-days keyword, you must also specify the number of days.
Specifying this command with the number of days set to 0 disables this command. The security appliance does not notify the user of the pending expiration, but the user can change the password after it expires.
Examples
The following example sets the days before password expiration to begin warning the user of the pending expiration to 90 for the WebVPN tunnel group "testgroup":
hostname(config)# tunnel-group testgroup type webvpnhostname(config)# tunnel-group testgroup general-attributeshostname(config-tunnel-general)# password-management password-expire-in-days 90hostname(config-tunnel-general)#The following example uses the default value of 14 days before password expiration to begin warning the user of the pending expiration for the IPSec remote access tunnel group "QAgroup":
hostname(config)# tunnel-group QAgroup type ipsec-rahostname(config)# tunnel-group QAgroup general-attributeshostname(config-tunnel-general)# password-managementhostname(config-tunnel-general)#Related Commands
password-parameter
To specify the name of the HTTP POST request parameter in which a user password must be submitted for SSO authentication, use the password-parameter command in aaa-server- host configuration mode. This is an SSO with HTTP Forms command.
password-parameter string
Note
Syntax Description
Syntax DescriptionSyntax Description
string
The name of the password parameter included in the HTTP POST request. The maximum password length is 128 characters.
Defaults
There is no default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server-host configuration
•
—
•
—
—
Command History
Usage Guidelines
The WebVPN server of the security appliance uses an HTTP POST request to submit a single sign-on authentication request to an authenticating web server. The required command password-parameter specifies that the POST request must include a user password parameter for SSO authentication.
Note
Examples
The following example, entered in aaa-server-host configuration mode, specifies a password parameter named user_password:
hostname(config)# aaa-server testgrp1 host example.comhostname(config-aaa-server-host)# password-parameter user_passwordhostname(config-aaa-server-host)#Related Commands
password-prompt
To customize the password prompt of the WebVPN page login box that is displayed to WebVPN users when they connect to the security appliance, use the password-prompt command from webvpn customization mode:
password-prompt {text | style} value
[no] password-prompt {text | style} value
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
Defaults
The default text of the password prompt is "PASSWORD:".
The default style of the password prompt is color:black;font-weight:bold;text-align:right.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn customization
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
In the following example, the text is changed to "Corporate Password:", and the default style is changed with the font weight increased to bolder:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# password-prompt text Corporate Username:F1-asa1(config-webvpn-custom)# password-prompt style font-weight:bolderRelated Commands
group-prompt
Customizes the group prompt of the WebVPN page
username-prompt
Customizes the username prompt of the WebVPN page
password-storage
To let users store their login passwords on the client system, use the password-storage enable command in group-policy configuration mode or username configuration mode. To disable password storage, use the password-storage disable command.
To remove the password-storage attribute from the running configuration, use the no form of this command. This enables inheritance of a value for password-storage from another group policy.
password-storage {enable | disable}
no password-storage
Syntax Description
Defaults
Password storage is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Username
•
—
•
—
—
Command History
Usage Guidelines
Enable password storage only on systems that you know to be in secure sites.
This command has no bearing on interactive hardware client authentication or individual user authentication for hardware clients.
Examples
The following example shows how to enable password storage for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# password-storage enablepeer-id-validate
To specify whether to validate the identity of the peer using the peer's certificate, use the peer-id-validate command in tunnel-group ipsec-attributes mode. To return to the default value, use the no form of this command.
peer-id-validate option
no peer-id-validate
Syntax Description
option
Specifies one of the following options:
•
•
•
Defaults
The default setting for this command is req.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ipsec attributes
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute to all IPSec tunnel-group types.
Examples
The following example entered in config-ipsec configuration mode, requires validating the peer using the identity of the peer's certificate for the IPSec LAN-to-LAN tunnel group named 209.165.200.225:
hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2Lhostname(config)# tunnel-group 209.165.200.225 ipsec-attributeshostname(config-tunnel-ipsec)# peer-id-validate reqhostname(config-tunnel-ipsec)#Related Commands
perfmon
To display performance information, use the perfmon command in privileged EXEC mode.
perfmon {verbose | interval seconds | quiet | settings}
Syntax Description
Defaults
The seconds is 120 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
·
·
·
·
Command History
Usage Guidelines
The perfmon command allows you to monitor the performance of the security appliance. Use the show perfmon command to display the information immediately. Use the perfmon verbose command to display the information every 2 minutes continuously. Use the perfmon interval seconds command with the perfmon verbose command to display the information continuously every number of seconds that you specify.
An example of the performance information is displayed as follows:
This information lists the number of translations, connections, Websense requests, address translations (called "fixups"), and AAA transactions that occur each second.
Examples
This example shows how to display the performance monitor statistics every 30 seconds on the security appliance console:
hostname(config)# perfmon interval 120hostname(config)# perfmon quiethostname(config)# perfmon settingsinterval: 120 (seconds)quietRelated Commands
periodic
To specify a recurring (weekly) time range for functions that support the time-range feature, use the periodic command in time-range configuration mode. To disable, use the no form of this command.
periodic days-of-the-week time to [days-of-the-week] time
no periodic days-of-the-week time to [days-of-the-week] time
Syntax Description
Defaults
If a value is not entered with the periodic command, access to the security appliance as defined with the time-range command is in effect immediately and always on.
Command Modes
The following table shows the modes in which you can enter the command:
Time-range configuration
•
•
•
•
—
Command History
Usage Guidelines
To implement a time-based ACL, use the time-range command to define specific times of the day and week. Then use the with the access-list extended time-range command to bind the time range to an ACL.
The periodic command is one way to specify when a time range is in effect. Another way is to specify an absolute time period with the absolute command. Use either of these commands after the time-range global configuration command, which specifies the name of the time range. Multiple periodic entries are allowed per time-range command.
If the end days-of-the-week value is the same as the start value, you can omit them.
If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.
The time-range feature relies on the system clock of the security appliance; however, the feature works best with NTP synchronization.
Examples
Some examples follow:
The following example shows how to allow access to the security appliance on Monday through Friday, 8:00 a.m. to 6:00 p.m. only:
hostname(config-time-range)# periodic weekdays 8:00 to 18:00hostname(config-time-range)#The following example shows how to allow access to the security appliance on specific days (Monday, Tuesday, and Friday), 10:30 a.m. to 12:30 p.m.:
hostname(config-time-range)# periodic Monday Tuesday Friday 10:30 to 12:30hostname(config-time-range)#Related Commands
permit errors
To allow invalid GTP packets or packets that otherwise would fail parsing and be dropped, use the permit errors command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form of this command to remove the command.
permit errors
no permit errors
Syntax Description
This command has no arguments or keywords.
Defaults
By default, all invalid packets or packets that failed, during parsing, are dropped.
Command Modes
The following table shows the modes in which you can enter the command:
GTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the permit errors command in GTP map configuration mode to allow any packets that are invalid or encountered an error during inspection of the message to be sent through the security appliance instead of being dropped.
Examples
The following example permits traffic containing invalid packets or packets that failed, during parsing:
hostname(config)# gtp-map qtp-policyhostname(config-gtpmap)# permit errorshostname(config-gtpmap)#Related Commands
permit response
To support load-balancing GSNs, use the permit response command in GTP map configuration mode, which is accessed by using the gtp-map command. The permit response command supports load-balancing GSNs by allowing GTP responses from a different GSN than the response was sent to. Use the no form of this command to remove the command.
permit response to-object-group to_obj_group_id from-object-group from_obj_group_id
no permit response to-object-group to_obj_group_id from-object-group from_obj_group_id
Syntax Description
Defaults
By default, the security appliance drops GTP responses from GSNs other than the host to which the request was sent.
Command Modes
The following table shows the modes in which you can enter the command:
GTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the permit response command in GTP map configuration mode to support load-balancing GSNs. The permit response command configures the GTP map to allow GTP responses from a different GSN than the response was sent to.
You identify the pool of load-balancing GSNs as a network object. Likewise, you identify the SGSN as a network object. If the GSN responding belongs to the same object group as the GSN that the GTP request was sent to and if the SGSN is in a object group that the responding GSN is permitted to send a GTP response to, the security appliance permits the response.
Examples
The following example permits GTP responses from any host on the 192.168.32.0 network to the host with the IP address 192.168.112.57:
hostname(config)# object-group network gsnpool32hostname(config-network)# network-object 192.168.32.0 255.255.255.0hostname(config)# object-group network sgsn1hostname(config-network)# network-object host 192.168.112.57hostname(config-network)# exithostname(config)# gtp-map qtp-policyhostname(config-gtpmap)# permit response to-object-group sgsn1 from-object-group gsnpool32Related Commands
pfs
To enable PFS, use the pfs enable command in group-policy configuration mode. To disable PFS, use the pfs disable command. To remove the PFS attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for PFS from another group policy.
In IPSec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key.
pfs {enable | disable}
no pfs
Syntax Description
Defaults
PFS is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Command History
Usage Guidelines
The PFS setting on the VPN Client and the security appliance must match.
Examples
The following example shows how to set PFS for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# pfs enablepim
To re-enable PIM on an interface, use the pim command in interface configuration mode. To disable PIM, use the no form of this command.
pim
no pim
Syntax Description
This command has no arguments or keywords.
Defaults
The multicast-routing command enables PIM on all interfaces by default.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
The multicast-routing command enables PIM on all interfaces by default. Only the no form of the pim command is saved in the configuration.
Note
Examples
The following example disables PIM on the selected interface:
hostname(config-if)# no pimRelated Commands
pim accept-register
To configure the security appliance to filter PIM register messages, use the pim accept-register command in global configuration mode. To remove the filtering, use the no form of this command.
pim accept-register {list acl | route-map map-name}
no pim accept-register
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command is used to prevent unauthorized sources from registering with the RP. If an unauthorized source sends a register message to the RP, the security appliance will immediately send back a register-stop message.
Examples
The following example restricts PIM register messages to those from sources defined in the access list named "no-ssm-range":
hostname(config)# pim accept-register list no-ssm-rangeRelated Commands
pim dr-priority
To configure the neighbor priority on the security appliance used for designated router election, use the pim dr-priority command in interface configuration mode. To restore the default priority, use the no form of this command.
pim dr-priority number
no pim dr-priority
Syntax Description
Defaults
The default value is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
The device with the largest priority value on an interface becomes the PIM designated router. If multiple devices have the same designated router priority, then the device with the highest IP address becomes the DR. If a device does not include the DR-Priority Option in hello messages, it is regarded as the highest-priority device and becomes the designated router. If multiple devices do not include this option in their hello messages, then the device with the highest IP address becomes the designated router.
Examples
The following example sets the DR priority for the interface to 5:
hostname(config-if)# pim dr-priority 5Related Commands
pim hello-interval
To configure the frequency of the PIM hello messages, use the pim hello-interval command in interface configuration mode. To restore the hello-interval to the default value, use the no form of this command.
pim hello-interval seconds
no pim hello-interval [seconds]
Syntax Description
seconds
The number of seconds that the security appliance waits before sending a hello message. Valid values range from 1 to 3600 seconds. The default value is 30 seconds.
Defaults
30 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Examples
The following example sets the PIM hello interval to 1 minute:
hostname(config-if)# pim hello-interval 60Related Commands
pim join-prune-interval
To configure the PIM join/prune interval, use the pim join-prune-interval command in interface configuration mode. To restore the interval to the default value, use the no form of this command.
pim join-prune-interval seconds
no pim join-prune-interval [seconds]
Syntax Description
seconds
The number of seconds that the security appliance waits before sending a join/prune message. Valid values range from 10 to 600 seconds. 60 seconds is the default.
Defaults
60 seconds
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Examples
The following example sets the PIM join/prune interval to 2 minutes:
hostname(config-if)# pim join-prune-interval 120Related Commands
pim old-register-checksum
To allow backward compatibility on a rendezvous point (RP) that uses old register checksum methodology, use the pim old-register-checksum command in global configuration mode. To generate PIM RFC-compliant registers, use the no form of this command.
pim old-register-checksum
no pim old-register-checksum
Syntax Description
This command has no arguments or keywords.
Defaults
The security appliance generates PIM RFC-compliant registers.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The security appliance software accepts register messages with checksum on the PIM header and only the next 4 bytes rather than using the Cisco IOS method—accepting register messages with the entire PIM message for all PIM message types. The pim old-register-checksum command generates registers compatible with Cisco IOS software.
Examples
The following example configures the security appliance to use the old checksum calculations:
hostname(config)# pim old-register-checksumRelated Commands
pim rp-address
To configure the address of a PIM rendezvous point (RP), use the pim rp-address command in global configuration mode. To remove an RP address, use the no form of this command.
pim rp-address ip_address [acl] [bidir]
no pim rp-address ip_address
Syntax Description
This command has no arguments or keywords.
Defaults
No PIM RP addresses are configured.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
All routers within a common PIM sparse mode (PIM-SM) or bidir domain require knowledge of the well-known PIM RP address. The address is statically configured using this command.
Note
You can configure a single RP to serve more than one group. The group range specified in the access list determines the PIM RP group mapping. If the an access list is not specified, the RP for the group is applied to the entire IP multicast group range (224.0.0.0/4).
Note
Examples
The following example sets the PIM RP address to 10.0.0.1 for all multicast groups:
hostname(config)# pim rp-address 10.0.0.1Related Commands
pim spt-threshold infinity
To change the behavior of the last hop router to always use the shared tree and never perform a shortest-path tree (SPT) switchover, use the pim spt-threshold infinity command in global configuration mode. To restore the default value, use the no form of this command.
pim spt-threshold infinity [group-list acl]
no pim spt-threshold
Syntax Description
group-list acl
(Optional) Indicates the source groups restricted by the access list. The acl argument must specify a standard ACL; extended ACLs are not supported.
Defaults
The last hop PIM router switches to the shortest-path source tree by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
If the group-list keyword is not used, this command applies to all multicast groups.
Examples
The following example causes the last hop PIM router to always use the shared tree instead of switching to the shortest-path source tree:
hostname(config)# pim spt-threshold infinityRelated Commands
ping
To determine if other IP addresses are visible from the security appliance, use the ping command in privileged EXEC mode.
ping [if_name] host [data pattern] [repeat count] [size bytes] [timeout seconds] [validate]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The ping command allows you to determine if the security appliance has connectivity or if a host is available on the network. If the security appliance has connectivity, ensure that the icmp permit any interface command is configured. This configuration is required to allow the security appliance to respond and accept messages generated from the ping command. The ping command output shows if the response was received. If a host is not responding, when you enter the ping command, a message similar to the following displays:
hostname(config)# ping 10.1.1.1Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:?????Success rate is 0 percent (0/5)Use the show interface command to ensure that the security appliance is connected to the network and is passing traffic. The address of the specified if_name is used as the source address of the ping.
If you want internal hosts to ping external hosts, you must do one of the following:
•
•
You can also perform an extended ping, which allows you to enter the keywords one line at a time.
If you are pinging through the security appliance between hosts or routers, but the pings are not successful, use the capture command to monitor the success of the ping.
The security appliance ping command does not require an interface name. If you do not specify an interface name, the security appliance checks the routing table to find the address that you specify. You can specify an interface name to indicate through which interface the ICMP echo requests are sent.
Examples
The following example shows how to determine if other IP addresses are visible from the security appliance:
hostname# ping 171.69.38.1Sending 5, 100-byte ICMP Echos to 171.69.38.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 msThe following is an example of an extended ping:
hostname# pingInterface: outsideTarget IP address: 171.69.38.1Repeat count: [5]Datagram size: [100]Timeout in seconds: [2]Extended commands [n]:Sweep range of sizes [n]:Sending 5, 100-byte ICMP Echos to 171.69.38.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 msRelated Commands
police
To apply strict scheduling priority for this class, use the police command in class mode. To remove the rate-limiting requirement, use the no form of this command.
police [output] conform-rate {conform-burst | conform-action {drop | transmit} | exceed-action {drop | transmit}}
no police
Syntax Description
Defaults
No default behavior or variables.
Command Modes
The following table shows the modes in which you can enter the command:
Class
•
•
•
—
—
Command History
Usage Guidelines
You must have configured the policy-map command and the class command before issuing the police command.
Note
Policing traffic in the inbound direction is not supported.
You cannot enable both priority and policing together.
If a service policy is applied or removed from an interface that has existing VPN client/LAN-to-LAN or non-tunneled traffic already established, the QoS policy is not applied or removed from the traffic stream. To apply or remove the QoS policy for such connections, you must clear (that is, drop) the connections and re-establish them.
Examples
The following is an example of a police command that sets the conform rate to 100,000 bits per second, a burst value of 2,000,000 bytes, and specifies that traffic that exceeds the burst rate will be dropped:
hostname(config)# policy-map localpolicy1hostname(config-pmap)# class firstclass classhostname(config-pmap-c)# police 100000 20000 exceed-action drophostname(config-pmap-c)# class class-defaulthostname(config-pmap-c)# police 1000000 200000 exceed-action drophostname(config-pmap-c)#Related Commands
policy
To specify the source for retrieving the CRL, use the policy command in ca-crl configuration mode.
policy {static | cdp | both}
Syntax Description
Defaults
The default setting is cdp.
Command Modes
The following table shows the modes in which you can enter the
CRL configuration
•
—
•
—
—
command:
Command History
Examples
The following example enters ca-crl configuration mode, and configures CRL retrieval to occur using the CRL distribution point extension in the certificate being checked or if that fails, to use static CDPs:
hostname(configure)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# policy bothhostname(ca-crl)#Related Commands
crl configure
Enters ca-crl configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
url
Creates and maintains a list of static URLs for retrieving CRLs.
policy-map
To configure a policy, use the policy-map command in global configuration mode. To remove a policy, use the no form of this command.
policy-map name
no policy-map name
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
A policy-map command configures a policy, which is an association of a traffic class with one or more security-related actions. A traffic class is a set of traffic that is identifiable by its packet content. For example, TCP traffic with a port value of 23 can be classified as a Telnet traffic class. A policy consists of a class command and its associated actions. A policy map can specify multiple policies. A service-policy command activates a policy map globally on all interfaces or on a single targeted interface.
The policy-map command lets you classify traffic and then apply feature-specific actions to it.
The maximum number of policy maps is 64.
Use the policy-map command to enter policy-map mode, in which you can enter class and description commands. See the individual command descriptions for detailed information.
The order in which different types of actions in a policy-map are performed is independent of the order in which the actions appear in these command descriptions.
Examples
The following is an example of the policy-map command; note the change in the prompt:
hostname(config)# policy-map localpolicy1hostname(config-pmap)#The following is an example of a policy-map command for connection policy:
hostname(config)# access-list http-server permit tcp any host 10.1.1.1hostname(config)# class-map http-serverhostname(config-cmap)# match access-list http-serverhostname(config-cmap)# exithostname(config)# policy-map global-policy globalhostname(config-pmap)# description This policy map defines a policy concerning connection to http server.hostname(config-pmap)# class http-serverhostname(config-pmap-c)# set connection conn-max 256The following is an example of a policy-map command for the "outside" interface:
hostname(config)# class-map outside-voiphostname(config-cmap)# match ip rtp 2000 100hostname(config-cmap)# exithostname(config)# policy-map outside-policyhostname(config-pmap)# description This policy map defines policies for the outside interface.hostname(config-pmap)# class outside-voiphostname(config-pmap-c)# priorityhostname(config-pmap-c)# exithostname(config-pmap)#Related Commands
policy-server-secret
To configure a secret key used to encrypt authentication requests to the SSO server, use the policy-server-secret command in webvpn-sso-siteminder configuration mode. This is an SSO with CA SiteMinder command.
To remove a secret key, use the no form of this command.
policy-server-secret secret-key
no policy-server-secret
Note
Syntax Description
Syntax DescriptionSyntax Description
secret-key
The character string used as a secret key to encrypt authentication communications. There is no minimum or maximum number of characters.
Defaults
No default behavior or value.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn-sso-siteminder configuration
•
—
•
—
—
Command History
Usage Guidelines
Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without reentering a username and password more than once. You first create the SSO server using the sso-server command. The policy-server-secret command then secures authentication communications between the security appliance and the SSO server.
The command argument, secret-key, is similar to a password: you create it, save it, and configure it. It is configured on both the security appliance using the policy-server-secret command and on the SiteMinder Policy Server using the Cisco Java plug-in authentication scheme.
The security appliance currently supports the Computer Associates eTrust SiteMinder SSO server (formerly Netegrity SiteMinder).
Examples
The following command, entered in webvpn-sso-siteminder configuration mode and including a random character string as an argument, creates a secret key for SSO server authentication communications:
hostname(config-webvpn)# sso-server my-sso-server type siteminderhostname(config-webvpn-sso-siteminder)# policy-server-secret @#ET&hostname(config-webvpn-sso-siteminder)#Related Commands
polltime interface
To specify the interval between hello packets on the interface, use the polltime interface command in failover group configuration mode. To restore the default value, use the no form of this command.
polltime interface time
no polltime interface time
Syntax Description
Defaults
The default is 15 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
Use the polltime interface command to change the frequency that hello packets are sent out on an interfaces associated with the current failover group. with a faster poll time, the security appliance can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested.
Five missed consecutive interface hello packets cause interface testing.
This command is available for Active/Active failover only.
Examples
The following partial example shows a possible configuration for a failover group:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# polltime interface 20hostname(config-fover-group)# exithostname(config)#Related Commands
failover group
Defines a failover group for Active/Active failover.
failover polltime
Configures the time between hello packets on monitored interfaces.
pop3s
To enter POP3S configuration mode, use the pop3s command in global configuration mode. To remove any commands entered in POP3S command mode, use the no version of this command.
POP3 is a client/server protocol in which your Internet server receives and holds e-mail for you. Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any mail. This standard protocol is built into most popular e-mail products. POP3S lets you receive e-mail over an SSL connection.
pop3s
no pop3
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Examples
The following example shows how to enter POP3S configuration mode:
hostname(config)#pop3shostname(config-pop3s)#Related Commands
clear configure pop3s
Removes the POP3S configuration.
show running-config pop3s
Displays the running configuration for POP3S.
port
To specify the port an e-mail proxy listens to, use the port command in the applicable e-mail proxy command mode. To revert to the default value, use the no version of this command.
port {portnum}
no port
Syntax Description
portnum
The port for the e-mail proxy to use. To avoid conflicts with local TCP services, use port numbers in the range 1024 to 65535.
Defaults
The default ports for e-mail proxies are as follows:
Command Modes
The following table shows the modes in which you can enter the command:
Pop3s
•
—
•
—
—
Imap4s
•
—
•
—
—
Smtps
•
—
•
—
—
Command History
Usage Guidelines
To avoid conflicts with local TCP services, use port numbers in the range 1024 to 65535.
Examples
The following example shows how to set port 1066 for the IMAP4S e-mail proxy:
hostname(config)#imap4shostname(config-imap4s)# port 1066port-forward
To configure the set of applications that WebVPN users can access over forwarded TCP ports, use the port-forward command in global configuration mode. To configure access to multiple applications, use this command with the same listname multiple times, once for each application. To remove an entire configured list, use the no port-forward listname command. To remove a configured application, use the no port-forward listname localport command (you need not include the remoteserver and remoteport parameters).
port-forward {listname localport remoteserver remoteport description}
no port-forward listname
no port-forward listname localport
Syntax Description
Defaults
There is no default port forwarding list.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration mode
•
—
•
—
—
Command History
Usage Guidelines
To allow access to particular TCP port forwarding applications for a specific user or group policy, use the listname you create here with the port-forward command in webvpn mode.
Examples
The following example shows how to create a portforwarding list called SalesGroupPorts that provides access to IMAP4S e-mail, SMTPS e-mail, DDTS, and Telnet. The following table provides values that the example uses for each application.
hostname(config)#port-forward SalesGroupPorts 143 IMAP4Sserver 20143 Get Mailhostname(config)#port-forward SalesGroupPorts 25 SMTPSserver 20025 Send Mailhostname(config)#port-forward SalesGroupPorts 22 DDTSserver 20022 DDTS over SSHhostname(config)#port-forward SalesGroupPorts 23 Telnetserver 20023 TelnetRelated Commands
port-forward (webvpn)
To enable WebVPN application access for this user or group policy, use the port-forward command in webvpn mode, which you enter from group-policy or username mode. To remove the port forwarding attribute from the configuration, including a null value created by issuing the port-forward none command, use the no form of this command. The no option allows inheritance of a list from another group policy. To prevent inheriting a port forwarding list, use the port-forward none command.
port-forward {value listname | none}
no port-forward
Syntax Description
Defaults
Port forwarding is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn mode
•
—
•
—
—
Command History
Usage Guidelines
Using the command a second time overrides the previous setting.
Before you can use the port-forward command in webvpn mode to enable application access, you must define a list of applications that you want users to be able to use in a WebVPN connection. Use the port-forward command in global configuration mode to define this list.
Examples
The following example shows how to set a portforwarding list called ports1 for the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)# port-forward value ports1Related Commands
port-forward-name
To configure the display name that identifies TCP port forwarding to end users for a particular user or group policy, use the port-forward-name command in webvpn mode, which you enter from group-policy or username mode. To delete the display name, including a null value created by using the port-forward-name none command, use the no form of the command. The no option restores the default name, "Application Access." To prevent a display name, use the port-forward none command.
port-forward-name {value name | none}
no port-forward-name
Syntax Description
Defaults
The default name is "Application Access."
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Command History
Examples
The following example shows how to set the name, "Remote Access TCP Applications," for the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)# port-forward-name value Remote Access TCP ApplicationsRelated Commands
port-misuse
To restrict HTTP traffic by specifying a restricted application category, use the port-misuse command in HTTP map configuration mode, which is accessible using the http-map command. To disable this feature, use the no form of the command.
port-misuse {im | p2p | tunneling | default} action {allow | reset | drop} [log]
no port-misuse {im | p2p | tunneling | default} action {allow | reset | drop} [log]
Syntax Description
Defaults
This command is disabled by default. When the command is enabled and a supported application category is not specified, the default action is to allow the connection without logging. To change the default action, use the default keyword and specify a different default action.
Command Modes
The following table shows the modes in which you can enter the command:
HTTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
When you enable the port-misuse command, the security appliance applies the specified action to HTTP connections for each supported and configured application category.
The security appliance applies the default action to all traffic that does not match the application categories on the configured list. The preconfigured default action is to allow connections without logging.
For example, given the preconfigured default action, if you specify one or more application categories with the action of drop and log, the security appliance drops connections containing the configured application categories, logs each connection, and allows all connections for the other supported application types.
If you want to configure a more restrictive policy, change the default action to drop (or reset) and log (if you want to log the event). Then configure each permitted application type with the allow action.
Enter the port-misuse command once for each setting you wish to apply. You use one instance of the port-misuse command to change the default action and one instance to add each application category to the list of configured application types.
Caution
When you use the no form of the command to remove an application category from the list of configured application types, any characters in the command line after the application category keyword are ignored.
Examples
The following example provides a permissive policy, using the preconfigured default, which allows all supported application types that are not specifically prohibited.
hostname(config)# http-map inbound_httphostname(config-http-map)# port-misuse p2p drop loghostname(config-http-map)# exitIn this case, only connections in the peer-to-peer category are dropped and the events is logged.
The following example provides a restrictive policy, with the default action changed to reset the connection and to log the event for any application type that is not specifically allowed.
hostname(config)# http-map inbound_httphostname(config-http-map)# port-misuse default action reset loghostname(config-http-map)# port-misuse im allowhostname(config-http-map)# exitIn this case, only the Instant Messenger application is allowed. When HTTP traffic for the other supported applications is received, the security appliance resets the connection and creates a syslog entry.
Related Commands
port-object
To add a port object to a service object group, use the port-object command in service configuration mode. To remove port objects, use the no form of this command.
port-object eq service
no port-object eq service
port-object range begin_service end_service
no port-object range begin_service end_service
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Service configuration
•
•
•
•
—
Command History
Usage Guidelines
The port-object command is used with the object-group command to define an object that is either a specific service (port) or a range of services (ports) in service configuration mode.
If a name is specified for a TCP or UDP service, it must be one of the supported TCP or/and UDP names, and must be consistent with the protocol type of the object group. For instance, for a protocol types of tcp, udp, and tcp-udp, the names must be a valid TCP service name, a valid UDP service name, or a valid TCP and UDP service name, respectively.
If a number is specified, translation to its corresponding name (if one exists) based on the protocol type will be made when showing the object.
The following service names are supported:
Examples
This example shows how to use the port-object command in service configuration mode to create a new port (service) object group:
hostname(config)# object-group service eng_service tcphostname(config-service)# port-object eq smtphostname(config-service)# port-object eq telnethostname(config)# object-group service eng_service udphostname(config-service)# port-object eq snmphostname(config)# object-group service eng_service tcp-udphostname(config-service)# port-object eq domainhostname(config-service)# port-object range 2000 2005hostname(config-service)# quitRelated Commands
preempt
To cause the unit to become active on boot if it has the higher priority, use the preempt command in failover group configuration mode. To remove the preemption, use the no form of this command.
preempt [delay]
no preempt [delay]
Syntax Description
seconds
The wait time, in seconds, before the peer is preempted. Valid values are from 1 to 1200 seconds.
Defaults
By default, there is no delay.
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
Assigning a primary or secondary priority to a failover group specifies which unit the failover group becomes active on when both units boot simultaneously (within a unit polltime). However, if one unit boots before the other, then both failover groups become active on that unit. When the other unit comes online, any failover groups that have the second unit as a priority do not become active on the second unit unless the failover group is configured with the preempt command or is manually forced to the other unit with the no failover active command. If the failover group is configured with the preempt command, the failover group automatically becomes active on the designated unit.
Note
Examples
The following example configures failover group 1 with the primary unit as the higher priority and failover group 2 with the secondary unit as the higher priority. Both failover groups are configured with the preempt command with a wait time of 100 seconds, so the groups will automatically become active on their preferred unit 100 seconds after the units become available.
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)# failover group 2hostname(config-fover-group)# secondaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# mac-address e1 0000.a000.a011 0000.a000.a012hostname(config-fover-group)# exithostname(config)#Related Commands
prefix-list
To create an entry in a prefix list for ABR type 3 LSA filtering, use the prefix-list command in global configuration mode. To remove a prefix list entry, use the no form of this command.
prefix-list prefix-list-name [seq seq_num] {permit | deny} network/len [ge min_value] [le max_value]
no prefix-list prefix-list-name [seq seq_num] {permit | deny} network/len [ge min_value] [le max_value]
Syntax Description
Defaults
If you do not specify a sequence number, the first entry in a prefix list is assigned a sequence number of 5, and the sequence number for each subsequent entry is increased by 5.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The prefix-list commands are ABR type 3 LSA filtering commands. ABR type 3 LSA filtering extends the capability of an ABR that is running OSPF to filter type 3 LSAs between different OSPF areas. Once a prefix list is configured, only the specified prefixes are sent from one area to another area. All other prefixes are restricted to their OSPF area. You can apply this type of area filtering to traffic going into or coming out of an OSPF area, or to both the incoming and outgoing traffic for that area.
When multiple entries of a prefix list match a given prefix, the entry with the lowest sequence number is used. The security appliance begins the search at the top of the prefix list, with the entry with the lowest sequence number. Once a mach is made, the security appliance does not go through the rest of the list. For efficiency, you may want to put the most common matches or denials near the top of the list by manually assigning them a lower sequence number.
By default, the sequence numbers are automatically generated. They can be suppressed with the no prefix-list sequence-number command. Sequence numbers are generated in increments of 5. The first sequence number generated in a prefix list would be 5. The next entry in that list would have a sequence number of 10, and so on. If you specify a value for an entry, and then do not specify values for subsequent entries, the generated sequence numbers are increased from the specified value in increments of 5. For example, if you specify that the first entry in the prefix list has a sequence number of 3, and then add two more entries without specifying a sequence number for the additional entries, the automatically generated sequence numbers for those two entries would be 8 and 13.
You can use the ge and le keywords to specify the range of the prefix length to be matched for prefixes that are more specific than the network/len argument. Exact match is assumed when neither the ge or le keywords are specified. The range is from min_value to 32 if only the ge keyword is specified.The range is from len to max_value if only the le keyword is specified.
The value of the min_value and max_value arguments must satisfy the following condition:
len < min_value <= max_value <= 32
Use the no form of the command to remove specific entries from the prefix list. Use the clear configure prefix-list command to remove a prefix list. The clear configure prefix-list command also removes the associated prefix-list description command, if any, from the configuration.
Examples
The following example denies the default route 0.0.0.0/0:
hostname(config)# prefix-list abc deny 0.0.0.0/0The following example permits the prefix10.0.0.0/8:
hostname(config)# prefix-list abc permit 10.0.0.0/8The following example shows how to accept a mask length of up to 24 bits in routes with the prefix 192/8:
hostname(config)# prefix-list abc permit 192.168.0.0/8 le 24The following example shows how to deny mask lengths greater than 25 bits in routes with a prefix of 192/8:
hostname(config)# prefix-list abc deny 192.168.0.0/8 ge 25The following example shows how to permit mask lengths from 8 to 24 bits in all address space:
hostname(config)# prefix-list abc permit 0.0.0.0/0 ge 8 le 24The following example shows how to deny mask lengths greater than 25 bits in all address space:
hostname(config)# prefix-list abc deny 0.0.0.0/0 ge 25The following example shows how to deny all routes with a prefix of 10/8:
hostname(config)# prefix-list abc deny 10.0.0.0/8 le 32The following example shows how to deny all masks with a length greater than 25 bits for routes with a prefix of 192.168.1/24:
hostname(config)# prefix-list abc deny 192.168.1.0/24 ge 25The following example shows how to permit all routes with a prefix of 0/0:
hostname(config)# prefix-list abc permit 0.0.0.0/0 le 32Related Commands
prefix-list description
To add a description to a prefix list, use the prefix-list description command in global configuration mode. To remove a prefix list description, use the no form of this command.
prefix-list prefix-list-name description text
no prefix-list prefix-list-name description [text]
Syntax Description
prefix-list-name
The name of a prefix list.
text
The text of the prefix list description. You can enter a maximum of 80 characters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
You can enter prefix-list and prefix-list description commands in any order for a particular prefix list name; you do not need to create the prefix list before entering a prefix list description. The prefix-list description command will always appear on the line before the associated prefix list in the configuration, no matter what order you enter the commands.
If you enter a prefix-list description command for a prefix list entry that already has a description, the new description replaces the original description.
You do not need to enter the text description when using the no form of this command.
Examples
The following example adds a description for a prefix list named MyPrefixList. The show running-config prefix-list command shows that although the prefix list description has been added to the running configuration, the prefix-list itself has not been configured.
hostname(config)# prefix-list MyPrefixList description A sample prefix list descriptionhostname(config)# show running-config prefix-list!prefix-list MyPrefixList description A sample prefix list description!Related Commands
prefix-list sequence-number
To enable prefix list sequence numbering, use the prefix-list sequence-number command in global configuration mode. To disable prefix list sequence numbering, use the no form of this command.
prefix-list sequence-number
Syntax Description
This command has no arguments or keywords.
Defaults
Prefix list sequence numbering is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
Only the no form of this command appears in the configuration. When the no form of this command is in the configuration, the sequence numbers, including the manually configured ones, are removed from the prefix-list commands in the configuration and new prefix lists entries are not assigned a sequence number.
When prefix list sequence numbering is enabled, all prefix list entries are assigned sequence numbers using the default numbering method (starting with 5 and incrementing each number by 5). If a sequence number was manually assigned to a prefix list entry before numbering was disabled, the manually assigned number is restored. Sequence numbers that are manually assigned while automatic numbering is disabled are also restored, even though they are not displayed while numbering is disabled.
Examples
The following example disables prefix list sequence numbering:
hostname(config)# no prefix-list sequence-numberRelated Commands
prefix-list
Defines a prefix list for ABR type 3 LSA filtering.
show running-config prefix-list
Displays the prefix-list commands in the running configuration.
pre-shared-key
To specify a preshared key to support IKE connections based on preshared keys, use the pre-shared-key command in tunnel-group ipsec-attributes configuration mode. To return to the default value, use the no form of this command.
pre-shared-key key
no pre-shared-key
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ipsec-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute to all IPSec tunnel-group types.
Examples
The following command entered in config-ipsec configuration mode, specifies the preshared key XYZX to support IKE connections for the IPSec LAN-to-LAN tunnel group named 209.165.200.225:
hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2Lhostname(config)# tunnel-group 209.165.200.225 ipsec-attributeshostname(config-tunnel-ipsec)# pre-shared-key xyzxhostname(config-tunnel-ipsec)#Related Commands
primary
To give the primary unit higher priority for a failover group, use the primary command in failover group configuration mode. To restore the default value, use the no form of this command.
primary
no primary
Syntax Description
This command has no arguments or keywords.
Defaults
If primary or secondary is not specified for a failover group, the failover group defaults to primary.
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
Assigning a primary or secondary priority to a failover group specifies which unit the failover group becomes active on when both units boot simultaneously (within a unit polltime). If one unit boots before the other, then both failover groups become active on that unit. When the other unit comes online, any failover groups that have the second unit as a priority do not become active on the second unit unless the failover group is configured with the preempt command or is manually forced to the other unit with the no failover active command.
Examples
The following example configures failover group 1 with the primary unit as the higher priority and failover group 2 with the secondary unit as the higher priority. Both failover groups are configured with the preempt command, so the groups will automatically become active on their preferred unit as the units become available.
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)# failover group 2hostname(config-fover-group)# secondaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# mac-address e1 0000.a000.a011 0000.a000.a012hostname(config-fover-group)# exithostname(config)#Related Commands
priority
To apply strict scheduling priority for this class, use the priority command in class mode. To remove the priority requirement, use the no form of this command.
priority
no priority
Syntax Description
This command has no parameters or variables.
Defaults
No default behavior or variables.
Command Modes
The following table shows the modes in which you can enter the command:
Class
•
•
•
—
—
Command History
Usage Guidelines
You must have configured the policy-map command and the class command before issuing the priority command.
Examples
The following is an example of the priority command in policy-map mode:
hostname(config)# policy-map localpolicy1hostname(config-pmap)# class firstclasshostname(config-pmap-c)# priorityhostname(config-pmap-c)# class class-defaulthostname(config-pmap-c)#Related Commands
priority (vpn load balancing)
To set the priority of the local device participating in the virtual load-balancing cluster, use the priority command in VPN load-balancing mode. To revert to the default priority specification, use the no form of this command.
priority priority
no priority
Syntax Description
Defaults
The default priority depends on the model number of the device:
Command Modes
The following table shows the modes in which you can enter the command:
VPN load-balancing
—
—
•
—
—
Command History
Usage Guidelines
You must first use the vpn load-balancing command to enter VPN load-balancing mode.
This command sets the priority of the local device participating in the virtual load-balancing cluster.
The priority must be an integer in the range of 1 (lowest) to 10 (highest).
The priority is used in the master-election process as one way to determine which of the devices in a VPN load-balancing cluster becomes the master or primary device for the cluster. See Cisco Security Appliance Command Line Configuration Guide for details about the master-election process.
The no form of the command reverts the priority specification to the default value.
Examples
The following is an example of a VPN load-balancing command sequence that includes a priority command that sets the priority of the current device to 9:
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# priority 9hostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# participateRelated Commandshostname(config-load-balancing)# participate
priority-queue
To configure priority queuing on an interface, use the priority-queue command in global configuration mode. To remove this specification, use the no form of this command.
priority-queue interface-name
no priority queue interface-name
Syntax Description
interface-name
Specifies the name of the physical interface on which you want to enable priority queuing.
Defaults
By default, priority queuing is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
The security appliance allows two classes of traffic: low-latency queuing (LLQ) for higher priority, latency sensitive traffic (such as voice and video) and best-effort, the default, for all other traffic. The security appliance recognizes priority traffic and enforces appropriate Quality of Service (QoS) policies. You can configure the size and depth of the priority queue to fine-tune the traffic flow.
For priority queuing to occur, you must create a priority queue for a named, physical interface. To create the priority queue, use the priority-queue command in global configuration mode. You can apply one priority-queue command to each physical interface defined by the nameif command. You cannot apply a priority-queue command to a VLAN interface.
The priority-queue command enters priority-queue mode, as shown by the prompt. In priority-queue mode, you can configure the maximum number of packets allowed in the transmit queue at any given time (tx-ring-limit command) and the number of packets of either type (priority or best -effort) allowed to be buffered before dropping packets (queue-limit command).
The tx-ring-limit and the queue-limit values that you specify affect both the higher priority low-latency queue and the best-effort queue. The tx-ring-limit is the number of either type of packets allowed into the driver before the driver pushes back to the queues sitting in front of the interface to let them buffer packets until the congestion clears. In general, you can adjust these two parameters to optimize the flow of low-latency traffic.
Because queues are not of infinite size, they can fill and overflow. When a queue is full, any additional packets cannot get into the queue and are dropped. This is tail drop. To avoid having the queue fill up, you can use the queue-limit command to increase the queue buffer size.
Note
If a service policy is applied or removed from an interface that has existing VPN client/LAN-to-LAN or non-tunneled traffic already established, the QoS policy is not applied or removed from the traffic stream. To apply or remove the QoS policy for such connections, you must clear (that is, drop) the connections and re-establish them.
You cannot enable both priority and policing together.
Examples
The following example configures a priority queue for the interface named test, specifying a queue limit of 30,000 packets and a transmit queue limit of 256 packets.
hostname(config)# priority-queue testhostname(priority-queue)# queue-limit 30000hostname(priority-queue)# tx-ring-limit 256hostname(priority-queue)#Related Commands
privilege
To configure the command privilege levels, use the privilege command in global configuration mode. To disallow the configuration, use the no form of this command.
privilege [ show | clear | configure ] level level [ mode {enable | configure}] command command
no privilege [ show | clear | configure ] level level [ mode {enable | configure}] command command
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
The privilege command lets you set user-defined privilege levels for the security appliance commands. In particular, this command is useful for setting different privilege levels for related configuration, show, and clear commands. Make sure that you verify privilege level changes in your commands with your security policies before using the new privilege levels.
When commands and users have privilege levels set, the two are compared to determine if a given user can execute a given command. If the user's privilege level is lower than the privilege level of the command, the user is prevented from executing the command.
To change between privilege levels, use the login command to access another privilege level and the appropriate logout, exit, or quit command to exit that level.
The mode enable and mode configure keywords are for commands with both enable and configure modes.
Lower privilege level numbers are lower privilege levels.
Note
Examples
This example shows how to set the privilege level "5" for an individual user as follows:
username intern1 password pass1 privilege 5This example shows how to define a set of show commands with the privilege level "5" as follows:
hostname(config)# privilege show level 5 command aliashostname(config)# privilege show level 5 command applyhostname(config)# privilege show level 5 command arphostname(config)# privilege show level 5 command auth-prompthostname(config)# privilege show level 5 command blockshostname(config)#This example shows how to apply privilege level 11 to a complete AAA authorization configuration:
hostname(config)# privilege configure level 11 command aaahostname(config)# privilege configure level 11 command aaa-serverhostname(config)# privilege configure level 11 command access-grouphostname(config)# privilege configure level 11 command access-listhostname(config)#privilege configure level 11 command activation-keyhostname(config)#privilege configure level 11 command agehostname(config)# privilege configure level 11 command aliashostname(config)# privilege configure level 11 command applyhostname(config)#Related Commands
protocol http
To specify HTTP as a permitted distribution point protocol for retrieving a CRL, use the protocol http command in ca-crl configuration mode. Subject to permission, the content of the CRL distribution point determines the retrieval method (HTTP, LDAP, and/or SCEP).
To remove HTTP as the permitted method of CRL retrieval, use the no form of this command.
protocol http
no protocol http
Syntax Description
Defaults
The default setting is to permit HTTP.
Command Modes
The following table shows the modes in which you can enter the
CRL configuration
•
•
•
•
•
command:
Command History
Usage Guidelines
If you use this command, be sure to assign HTTP rules to the public interface filter.
Examples
The following example enters ca-crl configuration mode, and permits HTTP as a distribution point protocol for retrieving a CRL for trustpoint central:
hostname(configure)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# protocol httphostname(ca-crl)#Related Commands
protocol ldap
To specify LDAP as a distribution point protocol for retrieving a CRL, use the protocol ldap command in ca-crl configuration mode. Subject to permission, the content of the CRL distribution point determines the retrieval method (HTTP, LDAP, and/or SCEP).
To remove the LDAP protocol as the permitted method of CRL retrieval, use the no form of this command.
protocol ldap
no protocol ldap
Syntax Description
Defaults
The default setting is to permit LDAP.
Command Modes
The following table shows the modes in which you can enter the
CRL configuration
•
•
•
•
•
command:
Command History
Examples
The following example enters ca-crl configuration mode, and permits LDAP as a distribution point protocol for retrieving a CRL for trustpoint central:
hostname(configure)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# protocol ldaphostname(ca-crl)#Related Commands
protocol scep
To specify SCEP as a distribution point protocol for retrieving a CRL, use the protocol scep command in crl configure mode. Subject to permission, the content of the CRL distribution point determines the retrieval method (HTTP, LDAP, and/or SCEP).
To remove the SCEP protocol as the permitted method of CRL retrieval, use the no form of this command.
protocol scep
no protocol scep
Syntax Description
Defaults
The default setting is to permit SCEP.
Command Modes
The following table shows the modes in which you can enter the
CRL configuration
•
•
•
•
•
command:
Command History
Examples
The following example enters ca-crl configuration mode, and permits SCEP as a distribution point protocol for retrieving a CRL for trustpoint central:
hostname(configure)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# protocol scephostname(ca-crl)#Related Commands
protocol-object
To add a protocol object to a protocol object group, use the protocol-object command in protocol configuration mode. To remove port objects, use the no form of this command.
protocol-object protocol
no protocol-object protocol
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Protocol configuration
•
•
•
•
—
Command History
Usage Guidelines
The protocol-object command is used with the object-group command to define a protocol object in protocol configuration mode.
You can specify an IP protocol name or number using the protocol argument. The udp protocol number is 17, the tcp protocol number is 6, and the egp protocol number is 47.
Examples
The following example shows how to define protocol objects:
hostname(config)# object-group protocol proto_grp_1hostname(config-protocol)# protocol-object udphostname(config-protocol)# protocol-object tcphostname(config-protocol)# exithostname(config)# object-group protocol proto_grphostname(config-protocol)# protocol-object tcphostname(config-protocol)# group-object proto_grp_1hostname(config-protocol)# exithostname(config)#Related Commands
proxy-bypass
To configure the security appliance to perform minimal content rewriting, and to specify the types of content to rewrite, external links and/or XML, use the proxy-bypass command in webvpn mode. To disable proxy bypass, use the no form of the command.
proxy-bypass interface interface name {port port number| path-mask path mask} target url [rewrite {link | xml | none}]
no proxy-bypass interface interface name {port port number| path-mask path mask} target url [rewrite {link | xml | none}]
Syntax Descriptionl
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn mode
•
—
•
—
—
Command History
Usage Guidelines
Use proxy bypass for applications and web resources that work better with minimum content rewriting. The proxy-bypass command determines how to treat specific web applications that travel through the security appliance.
You can use this command multiple times. The order in which you configure entries is unimportant. The interface and path mask or interface and port uniquely identify a proxy bypass rule.
If you configure proxy bypass using ports rather than path masks, depending on your network configuration, you might need to change your firewall configuration to allow these ports access to the security appliance. Use path masks to avoid this restriction. Be aware, however, that path masks can change, so you might need to use multiple pathmask statements to exhaust the possibilities.
A path is everything in a URL after the .com or .org or other types of domain name. For example, in the URL www.mycompany.com/hrbenefits, hrbenefits is the path. Similarly, for the URL www.mycompany.com/hrinsurance, hrinsurance is the path. If you want to use proxy bypass for all hr sites, you can avoid using the command multiple times by using the * wildcard as follows: /hr*.
Examples
The following example shows how to configure the security appliance to use port 20001 for proxy bypass over the webvpn interface, using HTTP and its default port 80, to forward traffic to mycompany.site.com and to rewrite XML content.
hostname(config)# webvpnhostname(config-webvpn)# proxy-bypass interface webvpn port 20001 target http://mycompany.site.com rewrite xmlhostname(config-webvpn)#The next example shows how to configure the security appliance to use the path mask mypath/* for proxy bypass on the outside interface, using HTTP and its default port 443 to forward traffic to mycompany.site.com, and to rewrite XML and link content.
hostname(config)# webvpnhostname(config-webvpn)# proxy-bypass interface outside path-mask /mypath/* target https://mycompany.site.com rewrite xml,linkhostname(config-webvpn)#Related Commands-
apcf
Specifies nonstandard rules to use for a particular application
rewrite
Determines whether traffic travels through the security appliance.
pwd
To display the current working directory, use the pwd command in privileged EXEC mode.
pwd
Syntax Description
This command has no arguments or keywords.
Defaults
The root directory (/) is the default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
This command is similar in functionality to the dir command.
Examples
The following example shows how to display the current working directory:
hostname# pwdflash:Related Commands
cd
Changes the current working directory to the one specified.
dir
Displays the directory contents.
more
Displays the contents of a file.
