-
Cisco Security Appliance Command Reference, Version 7.2
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting command through accounting-server-group Commands
-
acl-netmask-convert through auto-update timeout Commands
-
backup interface through browse networks Commands
-
cache through clear compression Commands
-
clear configure through clear configure vpn-load-balancing Commands
-
clear conn through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
ddns through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
intercept-dhcp through issuer-name Commands
-
java-trustpoint through kill Commands
-
l2tp tunnel hello through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
packet-tracer through pwd Commands
-
queue-limit through router rip Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show ddns through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show xlate Commands
-
shun through sysopt radius ignore-secret Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Feedback
Table Of Contents
email through functions Commands
email through functions Commands
To include the indicated email address in the Subject Alternative Name extension of the certificate during enrollment, use the email command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.
email address
no email
Syntax Description
Defaults
The default setting is not set.
Command Modes
The following table shows the modes in which you can enter the
Crypto ca trustpoint configuration
•
•
•
command:
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the email address jjh@nhf.net in the enrollment request for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# email jjh@nhf.nethostname(ca-trustpoint)#Related Commands
enable
To enter privileged EXEC mode, use the enable command in user EXEC mode.
enable [level]
Syntax Description
Defaults
Enters privilege level 15 unless you are using command authorization, in which case the default level depends on the level configured for your username.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
•
Command History
Usage Guidelines
The default enable password is blank. See the enable password command to set the password.
To use privilege levels other than the default of 15, configure local command authorization (see the aaa authorization command command and specify the LOCAL keyword), and set the commands to different privilege levels using the privilege command. If you do not configure local command authorization, the enable levels are ignored, and you have access to level 15 regardless of the level you set. See the show curpriv command to view your current privilege level.
Levels 2 and above enter privileged EXEC mode. Levels 0 and 1 enter user EXEC mode.
Enter the disable command to exit privileged EXEC mode.
Examples
The following example enters privileged EXEC mode:
hostname> enablePassword: Pa$$w0rdhostname#The following example enters privileged EXEC mode for level 10:
hostname> enable 10Password: Pa$$w0rd10hostname#Related Commands
enable (webvpn)
To enable WebVPN or e-mail proxy access on a previously configured interface, use the enable command. For WebVPN, use this command in webvpn mode. For e-mail proxies (IMAP4S. POP3S, SMTPS), use this command in the applicable e-mail proxy mode. To disable WebVPN on an interface, use the no version of the command.
enable ifname
no enable
Syntax Description
ifname
Identifies the previously configured inteface. Use the nameif command to configure interfaces.
Defaults
WebVPN is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Imap4s
•
—
•
—
—
Pop3s
•
—
•
—
—
SMTPS
•
—
•
—
—
Command History
Examples
The following example shows how to enable WebVPN on the interface named Outside:
hostname(config)# webvpnhostname(config-webvpn)# enable OutsideThe following example shows how to configure POP3S e-mail proxy on the interface named Outside:
hostname(config)# pop3shostname(config-pop3s)# enable Outsideenable gprs
To enable GPRS with RADIUS accounting, use the enable gprs command in radius-accounting parameter configuration mode, which is accessed by using the inspect radius-accounting command. The security appliance will check for the 3GPP VSA 26-10415 in the Accounting-Request Stop messages in order to properly handle secondary PDP contexts.
This option is disabled by default. A GTP license is required to enable this feature.
enable gprs
no enable gprs
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
radius-accounting parameter configuration
•
•
•
•
—
Command History
Examples
The following example shows how to enable GPRS with RADIUS accounting:
hostname(config)# policy-map type inspect radius-accounting rahostname(config-pmap)# parametershostname(config-pmap-p)# enable gprsRelated Commands
inspect radius-accounting
Sets inspection for RADIUS accounting.
parameters
Sets parameters for an inspection policy map.
enable password
To set the enable password for privileged EXEC mode, use the enable password command in global configuration mode. To remove the password for a level other than 15, use the no form of this command. You cannot remove the level 15 password.
enable password password [level level] [encrypted]
no enable password level level
Syntax Description
Defaults
The default password is blank. The default level is 15.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The default password for enable level 15 (the default level) is blank. To reset the password to be blank, do not enter any text for the password.
For multiple context mode, you can create an enable password for the system configuration as well as for each context.
To use privilege levels other than the default of 15, configure local command authorization (see the aaa authorization command command and specify the LOCAL keyword), and set the commands to different privilege levels using the privilege command. If you do not configure local command authorization, the enable levels are ignored, and you have access to level 15 regardless of the level you set. See the show curpriv command to view your current privilege level.
Levels 2 and above enter privileged EXEC mode. Levels 0 and 1 enter user EXEC mode.
Examples
The following example sets the enable password to Pa$$w0rd:
hostname(config)# enable password Pa$$w0rdThe following example sets the enable password to Pa$$w0rd10 for level 10:
hostname(config)# enable password Pa$$w0rd10 level 10The following example sets the enable password to an encrypted password that you copied from another security appliance:
hostname(config)# enable password jMorNbK0514fadBh encryptedRelated Commands
encryption
To specify the encryption algorithm to use within an IKE policy, use the encryption command in crypto isakmp policy configuration mode. To reset the encryption algorithm to the default value, which is des, use the no form of this command.
encryption {aes | aes-192| aes-256 | des | 3des}
no encryption {aes | aes-192| aes-256 | des | 3des}
Syntax Description
Defaults
The default ISAKMP policy encryption is 3des.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto isakmp policy configuration
•
—
•
—
—
Command History
7.0(1)(1)
The isakmp policy encryption command was preexisting.
7.2.(1)
The encryption command replaces the isakmp policy encryption command.
Examples
The following example, entered in global configuration mode, shows use of the encryption command; it sets 128-bit key AES encryption as the algorithm to be used within the IKE policy with the priority number of 25.
hostname(config)# crypto isakmp policy 25hostname(config-isakmp-policy)# encryption aesThe following example, entered in global configuration mode, sets the 3DES algorithm to be used within the IKE policy with the priority number of 40.
hostname(config)# crypto isakmp policy 40hostname(config-isakmp-policy)# encryption 3desRelated Commands
endpoint
To add an endpoint to an HSI group for H.323 protocol inspection, use the endpoint command in hsi group configuration mode. To disable this feature, use the no form of this command.
endpoint ip_address if_name
no endpoint ip_address if_name
Syntax Description
ip_address
IP address of the endpoint to add. A maximum of ten endpoints per HSI group is allowed.
if_name
The interface through which the endpoint is connected to the security appliance.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
HSI group configuration
•
•
•
•
—
Command History
Examples
The following example shows how to add endpoints to an HSI group in an H.323 inspection policy map:
hostname(config-pmap-p)# hsi-group 10hostname(config-h225-map-hsi-grp)# endpoint 10.3.6.1 insidehostname(config-h225-map-hsi-grp)# endpoint 10.10.25.5 outsideRelated Commands
endpoint-mapper
To configure endpoint mapper options for DCERPC inspection, use the endpoint-mapper command in parameters configuration mode. To disable this feature, use the no form of this command.
endpoint-mapper [epm-service only] [lookup-operation [timeout value]]
no endpoint-mapper [epm-service only] [lookup-operation [timeout value]]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure the endpoint mapper in a DCERPC policy map:
hostname(config)# policy-map type inspect dcerpc dcerpc_maphostname(config-pmap)# parametershostname(config-pmap-p)# endpoint-mapper epm-service-onlyRelated Commands
enforcenextupdate
To specify how to handle the NextUpdate CRL field, use the enforcenextupdate command in ca-crl configuration mode. If set, this command requires CRLs to have a NextUpdate field that has not yet lapsed. If not used, the security appliance allows a missing or lapsed NextUpdate field in a CRL.
To permit a lapsed or missing NextUpdate field, use the no form of this command.
enforcenextupdate
no enforcenextupdate
Syntax Description
Defaults
The default setting is enforced (on).
Command Modes
The following table shows the modes in which you can enter the command:
CRL configuration
•
•
•
•
•
Command History
Examples
The following example enters ca-crl configuration mode, and requires CRLs to have a NextUpdate field that has not expired for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# enforcenextupdatehostname(ca-crl)#Related Commands
cache-time
Specifies a cache refresh time in minutes.
crl configure
Enters ca-crl configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
enrollment retry count
To specify a retry count, use the enrollment retry count command in Crypto ca trustpoint configuration mode. After requesting a certificate, the security appliance waits to receive a certificate from the CA. If the security appliance does not receive a certificate within the configured retry period, it sends another certificate request. The security appliance repeats the request until either it receives a response or reaches the end of the configured retry period.
To restore the default setting of the retry count, use the no form of the command.
enrollment retry count number
no enrollment retry count
Syntax Description
number
The maximum number of attempts to send an enrollment request. The valid range is 0, 1-100 retries.
Defaults
The default setting for number is 0 (unlimited).
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
—
Command History
Usage Guidelines
This command is optional and applies only when automatic enrollment is configured.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and configures an enrollment retry count of 20 retries within trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# enrollment retry count 20hostname(ca-trustpoint)#Related Commands
enrollment retry period
To specify a retry period, use the enrollment retry period command in crypto ca trustpoint configuration mode. After requesting a certificate, the security appliance waits to receive a certificate from the CA. If the security appliance does not receive a certificate within the specified retry period, it sends another certificate request.
To restore the default setting of the retry period, use the no form of the command.
enrollment retry period minutes
no enrollment retry period
Syntax Description
minutes
The number of minutes between attempts to send an enrollment request. the valid range is 1- 60 minutes.
Defaults
The default setting is 1 minute.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
•
Command History
Usage Guidelines
This command is optional and applies only when automatic enrollment is configured.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and configures an enrollment retry period of 10 minutes within trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# enrollment retry period 10hostname(ca-trustpoint)#Related Commands
enrollment terminal
To specify cut and paste enrollment with this trustpoint (also known as manual enrollment), use the enrollment terminal command in crypto ca trustpoint configuration mode. To restore the default setting of the command, use the no form of the command.
enrollment terminal
no enrollment terminal
Syntax Description
Defaults
The default setting is off.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
—
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and specifies the cut and paste method of CA enrollment for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# enrollment terminalhostname(ca-trustpoint)#Related Commands
enrollment url
To specify automatic enrollment (SCEP) to enroll with this trustpoint and to configure the enrollment URL, use the enrollment url command in crypto ca trustpoint configuration mode. To restore the default setting of the command, use the no form of the command.
enrollment url url
no enrollment url
Syntax Description
url
Specifies the name of the URL for automatic enrollment. The maximum length is 1K characters (effectively unbounded).
Defaults
The default setting is off.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
•
•
•
•
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and specifies SCEP enrollment at the URL https://enrollsite for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# enrollment url https://enrollsitehostname(ca-trustpoint)#Related Commands
eou allow
To enable clientless authentication, use the eou allow command in global configuration mode. To disable clientless authentication, use the no form of this command.
eou allow clientless
no eou allow clientless
Syntax Description
This command has no arguments or keywords.
Defaults
Clientless authentication is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command applies only to hosts that do not respond to EAPoUDP requests. It is effective only if all of the following are true:
•
•
Examples
The following example enables clientless authentication:
hostname(config)# eou allow clientlesshostname(config)#The following example disables clientless authentication:
hostname(config)# no eou allow clientlesshostname(config)#Related Commands
eou clientless
To change the username and password to be sent to the Access Control Server for clientless authentication, use the eou clientless command in global configuration mode. To use the default value, use the no form of this command.
eou clientless username username
eou clientless password password
To use the default value, use the no form of this command.
no eou clientless username
no eou clientless password
Syntax Description
Defaults
The default value for both the username and password attributes is "clientless".
Command Modes
The following table shows the modes in which you can enter the command:
global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command is effective only if all of the following are true:
•
•
•
Examples
The following example changes the username for clientless authentication to sherlock:
hostname(config)# eou clientless username sherlockhostname(config)#The following example changes the username for clientless authentication to the default value, clientless:
hostname(config)# no eou clientless usernamehostname(config)#The following example changes the password for clientless authentication to secret:
hostname(config)# eou clientless password secrethostname(config)#The following example changes the password for clientless authentication to the default value, clientless:
hostname(config)# no eou clientless passwordhostname(config)#Related Commands
eou initialize
To clear the resources assigned to one or more Network Admission Control sessions and initiate a new, unconditional posture validation for each of the sessions, use the eou initialize command in EXEC mode.
eou initialize {all | group tunnel-group | ip ip-address}
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
•
—
•
—
—
Command History
Usage Guidelines
Use this command if a change occurs in the posture of the remote peers or if the assigned access policies (that is, the downloaded ACLs) change, and you want to clear the resources assigned to the sessions. Entering this command purges the EAPoUDP associations and access policies (that is, the downloaded ACLs, if any) used for posture validation. The NAC default ACL is effective during the revalidations, so the session initializations can disrupt user traffic. This command does not affect peers that are exempt from posture validation.
Examples
The following example initializes all NAC sessions:
hostname# eou initialize allhostnameThe following example initializes all NAC sessions assigned to the tunnel group named tg1:
hostname# eou initialize group tg1hostnameThe following example initializes the NAC session for the endpoint with the IP address 209.165. 200.225:
hostname# eou initialize 209.165.200.225hostnameRelated Commands
eou max-retry
To change the number of times the security appliance resends an EAP over UDP message to the remote computer, use the eou max-retry command in global configuration mode. To use the default value, use the no form of this command.
eou max-retry retries
no eou max-retry
Syntax Description
retries
Limits the number of consecutive retries sent in response to retransmission timer expirations. Enter a value in the range 1 to 3.
Defaults
The default value is 3.
Command Modes
The following table shows the modes in which you can enter the command:
global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command is effective only if all of the following are true:
•
•
•
Examples
The following example limits the number of EAP over UDP retransmissions to 1:
hostname(config)# eou max-retry 1hostname(config)#The following example changes the number of EAP over UDP retransmissions to its default value, 3:
hostname(config)# no eou max-retryhostname(config)#Related Commands
debug eap
Enables logging of EAP events to debug NAC messaging.
debug eou
Enables logging of EAP over UDP (EAPoUDP) events to debug NAC messaging.
debug nac
Enables logging of NAC events.
eou port
To change the port number for EAP over UDP communication with the Cisco Trust Agent, use the eou port command in global configuration mode. To use the default value, use the no form of this command.
eou port port_number
no eou port
Syntax Description
Defaults
The default value is 21862.
Command Modes
The following table shows the modes in which you can enter the command:
global configuration
•
—
•
—
—
Command History
Examples
The following example changes the port number for EAP over UDP communication to 62445:
hostname(config)# eou port 62445hostname(config)#The following example changes the port number for EAP over UDP communication to its default value:
hostname(config)# no eou porthostname(config)#Related Commands
eou revalidate
To force immediate posture revalidation of one or more Network Admission Control sessions, use the eou revalidate command in EXEC mode.
eou revalidate {all | group tunnel-group | ip ip-address}
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
•
—
•
—
—
Command History
Usage Guidelines
Use this command if the posture of the peer or the assigned access policy (that is, the downloaded ACL, if any) has changed. The command initiates a new, unconditional posture validation. The posture validation and assigned access policy that were in effect before you entered the command remain in effect until the new posture validation succeeds or fails. This command does not affect peers that are exempt from posture validation.
Examples
The following example revalidates all NAC sessions:
hostname# eou revalidate allhostnameThe following example revalidates all NAC sessions assigned to the tunnel group named tg-1:
hostname# eou revalidate group tg-1hostnameThe following example revalidates the NAC session for the endpoint with the IP address 209.165. 200.225:
hostname# eou revalidate ip 209.165.200.225hostnameRelated Commands
eou timeout
To change the number of seconds to wait after sending an EAPoUDP message to the remote host, use the eou timeout command in global configuration mode. To use the default value, use the no form of this command.
eou timeout {hold-period | retransmit} seconds
no eou timeout {hold-period | retransmit}
Syntax Description
Defaults
The default value of the hold-period attribute is 180.
The default value of the retransmit attribute is 3.
Command Modes
The following table shows the modes in which you can enter the command:
global configuration
•
—
•
—
—
Command History
Examples
The following example changes the wait period before initiating a new EAP over UDP association to 120 seconds:
hostname(config)# eou timeout hold-period 120hostname(config)#The following example changes the wait period before initiating a new EAP over UDP association to its default value:
hostname(config)# no eou timeout hold-periodhostname(config)#The following example changes the retransmission timer to 6 seconds:
hostname(config)# eou timeout retransmit 6hostname(config)#The following example changes the retransmission timer to its default value:
hostname(config)# no eou timeout retransmithostname(config)#Related Commands
erase
To erase and reformat the file system, use the erase command in privileged EXEC mode. This command overwrites all files and erases the file system, including hidden system files, and then reinstalls the file system.
erase [disk0: | disk1: | flash:]
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The erase command erases all data on the Flash memory using the OxFF pattern and then rewrites an empty file system allocation table to the device.
To delete all visible files (excluding hidden system files), enter the delete /recursive command, instead of the erase command.
Note
Note
Examples
The following example erases and reformats the file system:
hostname# erase flash:Related Commands
delete
Removes all visible files, excluding hidden system files.
format
Erases all files (including hidden system files) and formats the file system.
esp
To specify parameters for esp and AH tunnels for IPSec Pass Thru inspection, use the esp command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.
{esp | ah} [per-client-max num] [timeout time]
no {esp | ah} [per-client-max num] [timeout time]
Syntax Description
esp
Specifies parameters for esp tunnel.
ah
Specifies parameters for AH tunnel.
per-client-max num
Specifies maximum tunnels from one client.
timeout time
Specifies idle timeout for the esp tunnel.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to permit UDP 500 traffic:
hostname(config)# access-list test-udp-acl extended permit udp any any eq 500hostname(config)# class-map test-udp-classhostname(config-pmap-c)# match access-list test-udp-aclhostname(config)# policy-map type inspect ipsec-pass-thru ipsec-maphostname(config-pmap)# parametershostname(config-pmap-p)# esp per-client-max 32 timeout 00:06:00hostname(config-pmap-p)# ah per-client-max 16 timeout 00:05:00hostname(config)# policy-map test-udp-policyhostname(config-pmap)# class test-udp-classhostname(config-pmap-c)# inspect ipsec-pass-thru ipsec-mapRelated Commands
established
To permit return connections on ports that are based on an established connection, use the established command in global configuration mode. To disable the established feature, use the no form of this command.
established est_protocol dest_port [source_port] [permitto protocol port [-port]] [permitfrom protocol port[-port]]
no established est_protocol dest_port [source_port] [permitto protocol port [-port]] [permitfrom protocol port[-port]]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0(1)
The keywords to and from were removed from the CLI. Use the keywords permitto and permitfrom instead.
Usage Guidelines
The established command lets you permit return access for outbound connections through the security appliance. This command works with an original connection that is outbound from a network and protected by the security appliance and a return connection that is inbound between the same two devices on an external host. The established command lets you specify the destination port that is used for connection lookups. This addition allows more control over the command and provides support for protocols where the destination port is known, but the source port is unknown. The permitto and permitfrom keywords define the return inbound connection.
Caution
Examples
The following set of examples shows potential security violations could occur if you do not use the established command correctly.
This example shows that if an internal system makes a TCP connection to an external host on port 4000, then the external host could come back in on any port using any protocol:
hostname(config)# established tcp 4000 0You can specify the source and destination ports as 0 if the protocol does not specify which ports are used. Use wildcard ports (0) only when necessary.
hostname(config)# established tcp 0 0
Note
You can use the established command with the nat 0 command (where there are no global commands).
Note
The security appliance supports XDMCP with assistance from the established command.
Caution
XDMCP is on by default, but it does not complete the session unless you enter the established command as follows:
hostname(config)# established tcp 6000 0 permitto tcp 6000 permitfrom tcp 1024-65535Entering the established command enables the internal XDMCP-equipped (UNIX or ReflectionX) hosts to access external XDMCP-equipped XWindows servers. UDP/177-based XDMCP negotiates a TCP-based XWindows session, and subsequent TCP back connections are permitted. Because the source port(s) of the return traffic is unknown, specify the source_port field as 0 (wildcard). The dest_port should be 6000 + n, where n represents the local display number. Use this UNIX command to change this value:
hostname(config)# setenv DISPLAY hostname:displaynumber.screennumberThe established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connections is unknown. Only the destination port is static. The security appliance performs XDMCP fixups transparently. No configuration is required, but you must enter the established command to accommodate the TCP session.
The following example shows a connection between two hosts using protocol A destined for port B from source port C. To permit return connections through the security appliance and protocol D (protocol D can be different from protocol A), the source port(s) must correspond to port F and the destination port(s) must correspond to port E.
hostname(config)# established A B C permitto D E permitfrom D FThe following example shows how a connection is started by an internal host to an external host using TCP destination port 6060 and any source port. The security appliance permits return traffic between the hosts through TCP destination port 6061 and any TCP source port.
hostname(config)# established tcp 6060 0 permitto tcp 6061 permitfrom tcp 0The following example shows how a connection is started by an internal host to an external host using UDP destination port 6060 and any source port. The security appliance permits return traffic between the hosts through TCP destination port 6061 and TCP source port 1024-65535.
hostname(config)# established udp 6060 0 permitto tcp 6061 permitfrom tcp 1024-65535The following example shows how a local host starts a TCP connection on port 9999 to a foreign host. The example allows packets from the foreign host on port 4242 back to local host on port 5454.
hostname(config)# established tcp 9999 permitto tcp 5454 permitfrom tcp 4242Related Commands
clear configure established
Removes all established commands.
show running-config established
Displays the allowed inbound connections that are based on established connections.
exceed-mss
To allow or drop packets whose data length exceedx the TCP maximum segment size set by the peer during a three-way handshake, use the exceed-mss command in tcp-map configuration mode. To remove this specification, use the no form of this command.
exceed-mss {allow | drop}
no exceed-mss {allow | drop}
Syntax Description
Defaults
Packets are allowed by default.
Command Modes
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced.
7.2(4)
The default was changed from drop to allow.
Usage Guidelines
The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.
Use the tcp-map command to enter tcp-map configuration mode. Use the exceed-mss command in tcp-map configuration mode to drop TCP packets whose data length exceed the TCP maximum segment size set by the peer during a three-way handshake.
Examples
The following example drops flows on port 21 that have packets in excess of MSS:
hostname(config)# tcp-map tmaphostname(config-tcp-map)# exceed-mss drophostname(config)# class-map cmaphostname(config-cmap)# match port tcp eq ftphostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalRelated Commands
exit
To exit the current configuration mode, or to logout from privileged or user EXEC modes, use the exit command.
exit
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
•
Command History
Usage Guidelines
You can also use the key sequence Ctrl Z to exit global configuration (and higher) modes. This key sequence does not work with privileged or user EXEC modes.
When you enter the exit command in privileged or user EXEC modes, you log out from the security appliance. Use the disable command to return to user EXEC mode from privileged EXEC mode.
Examples
The following example shows how to use the exit command to exit global configuration mode, and then logout from the session:
hostname(config)# exithostname# exitLogoffThe following example shows how to use the exit command to exit global configuration mode, and then use the disable command to exit privileged EXEC mode:
hostname(config)# exithostname# disablehostname>Related Commands
expiry-time
To configure an expiration time for caching objects without revalidating them, use the expiry-time command in cache mode. To reset the expiry time to a new value, use the command again. To remove the expiration time from the configuration and reset it to the default value, one minute, enter the no version of the command.
expiry-time time
no expiry-time
Syntax Description
time
The amount of time in minutes that the security appliance caches objects without revalidating them.
Defaults
One minute.
Command Modes
The following table shows the modes in which you enter the command:
Cache mode
•
—
•
—
—
Command History
Usage Guidelines
The expiration time is the amount of time in minutes that the security appliance caches an object without revalidating it. Revalidation consists of rechecking the content.
Examples
The following example shows how to set an expiration time of 13 minutes:
hostname(config)# webvpnhostname(config-webvpn)# cachehostname(config-webvpn-cache)#expiry-time 13hostname(config-webvpn-cache)#Related Commands
failover
To enable failover, use the failover command in global configuration mode. To disable failover, use the no form of this command.
failover
no failover
Syntax Description
This command has no arguments or keywords.
Defaults
Failover is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
Use the no form of this command to disable failover.
Caution
The ASA 5505 device allows only Stateless Failover, and only while not acting as an Easy VPN hardware client.
Examples
The following example disables failover:
hostname(config)# no failoverhostname(config)#Related Commands
failover active
To switch a standby security appliance or failover group to the active state, use the failover active command in privileged EXEC mode. To switch an active security appliance or failover group to standby, use the no form of this command.
failover active [group group_id]
no failover active [group group_id]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Use the failover active command to initiate a failover switch from the standby unit, or use the no failover active command from the active unit to initiate a failover switch. You can use this feature to return a failed unit to service, or to force an active unit offline for maintenance. If you are not using stateful failover, all active connections are dropped and must be reestablished by the clients after the failover occurs.
Switching for a failover group is available only for Active/Active failover. If you enter the failover active command on an Active/Active failover unit without specifying a failover group, all groups on the unit become active.
Examples
The following example switches the standby group 1 to active:
hostname# failover active group 1Related Commands
failover group
To configure an Active/Active failover group, use the failover group command in global configuration mode. To remove a failover group, use the no form of this command.
failover group num
no failover group num
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
You can define a maximum of 2 failover groups. The failover group command can only be added to the system context of devices configured for multiple context mode. You can create and remove failover groups only when failover is disabled.
Entering this command puts you in the failover group command mode. The primary, secondary, preempt, replication http, interface-policy, mac address, and polltime interface commands are available in the failover group configuration mode. Use the exit command to return to global configuration mode.
Note
When removing failover groups, you must remove failover group 1 last. Failover group 1 always contains the admin context. Any context not assigned to a failover group defaults to failover group 1. You cannot remove a failover group that has contexts explicitly assigned to it.
Note
Examples
The following partial example shows a possible configuration for two failover groups:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)# failover group 2hostname(config-fover-group)# secondaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)#Related Commands
failover interface ip
To specify the IP address and mask for the failover interface and the Stateful Failover interface, use the failover interface ip command in global configuration mode. To remove the IP address, use the no form of this command.
failover interface ip if_name ip_address mask standby ip_address
no failover interface ip if_name ip_address mask standby ip_address
Syntax Description
Defaults
Nodefault behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
Failover and stateful failover interfaces are functions of Layer 3, even when the security appliance is operating in transparent firewall mode, and are global to the system.
In multiple context mode, you configure failover in the system context (except for the monitor-interface command).
This command must be part of the configuration when bootstrapping a security appliance for LAN failover.
Examples
The following example shows how to specify the IP address and mask for the failover interface:
hostname(config)# failover interface ip lanlink 172.27.48.1 255.255.255.0 standby 172.27.48.2Related Commands
failover interface-policy
To specify the policy for failover when monitoring detects an interface failure, use the failover interface-policy command in global configuration mode. To restore the default, use the no form of this command.
failover interface-policy num[%]
no failover interface-policy num[%]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
There is no space between the num argument and the optional % keyword.
If the number of failed interfaces meets the configured policy and the other security appliance is functioning properly, the security appliance marks itself as failed and a failover might occur (if the active security appliance is the one that fails). Only interfaces that are designated as monitored by the monitor-interface command count towards the policy.
Note
Examples
The following examples show two ways to specify the failover policy:
hostname(config)# failover interface-policy 20%hostname(config)# failover interface-policy 5Related Commands
failover key
To specify the key for encrypted and authenticated communication between units in a failover pair, use the failover key command in global configuration mode. To remove the key, use the no form of this command.
failover key {secret | hex key}
no failover key
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
7.0(1)(1)
This command was modified from failover lan key to failover key.
7.0(4)
This command was modified to include the hex key keyword and argument.
Usage Guidelines
To encrypt and authenticate failover communications between the units, you must configure both units with a shared secret or hexadecimal key. If you do not specify a failover key, failover communication is transmitted in the clear.
Note
Caution
Examples
The following example shows how to specify a shared secret for securing failover communication between units in a failover pair:
hostname(config)# failover key abcdefgThe following example shows how to specify a hexadecimal key for securing failover communication between two units in a failover pair:
hostname(config)# failover key hex 6a1ed228381cf5c68557cb0c32e614dcRelated Commands
show running-config failover
Displays the failover commands in the running configuration.
failover lan enable
To enable lan-based failover on the PIX security appliance, use the failover lan enable command in global configuration mode. To disable LAN-based failover, use the no form of this command.
failover lan enable
no failover lan enable
Syntax Description
This command has no arguments or keywords.
Defaults
Not enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
When LAN-based failover is disabled using the no form of this command, cable-based failover is used if the failover cable is installed. This command is available on the PIX security appliance only.
Caution
Examples
The following example enables LAN-based failover:
hostname(config)# failover lan enableRelated Commands
failover lan interface
To specify the interface used for failover communication, use the failover lan interface command in global configuration mode. To remove the failover interface, use the no form of this command.
failover lan interface if_name {phy_if[.sub_if] | vlan_if]}
no failover lan interface [if_name {phy_if[.sub_if] | vlan_if]}]
Syntax Description
Defaults
Not configured.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Preexisting
This command was modified to include the phy_if argument.
7.2(1)
This command was modified to include the vlan_if argument.
Usage Guidelines
LAN failover requires a dedicated interface for passing failover traffic. However you can also use the LAN failover interface for the Stateful Failover link.
Note
You can use any unused Ethernet interface on the device as the failover interface. You cannot specify an interface that is currently configured with a name. The failover interface is not configured as a normal networking interface; it exists only for failover communications. This interface should only be used for the failover link (and optionally for the state link). You can connect the LAN-based failover link by using a dedicated switch with no hosts or routers on the link or by using a crossover Ethernet cable to link the units directly.
Note
On systems running in multiple context mode, the failover link resides in the system context. This interface and the state link, if used, are the only interfaces that you can configure in the system context. All other interfaces are allocated to and configured from within security contexts.
Note
The no form of this command also clears the failover interface IP address configuration.
This command must be part of the configuration when bootstrapping a security appliance for LAN failover.
Examples
The following example configures the failover LAN interface on a PIX 500 series security appliance:
hostname(config)# failover lan interface folink Ethernet4The following example configures the failover LAN interface using a subinterface on an ASA 5500 series adaptive security appliance (except for the ASA 5505 adaptive security appliance):
hostname(config)# failover lan interface folink GigabitEthernet0/3.1The following example configures the failover LAN interface on the ASA 5505 adaptive security appliance:
hostname(config)# failover lan interface folink Vlan6Related Commands
failover lan unit
To configure the security appliance as either the primary or secondary unit in a LAN failover configuration, use the failover lan unit command in global configuration mode. To restore the default setting, use the no form of this command.
failover lan unit {primary | secondary}
no failover lan unit {primary | secondary}
Syntax Description
primary
Specifies the security appliance as a primary unit.
secondary
Specifies the security appliance as a secondary unit.
Defaults
Secondary.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
For Active/Standby failover, the primary and secondary designation for the failover unit refers to which unit becomes active at boot time. The primary unit becomes the active unit at boot time when the following occurs:
•
•
If the secondary unit is already active when the primary unit boots, the primary unit does not take control; it becomes the standby unit. In this case, you need to issue the no failover active command on the secondary (active) unit to force the primary unit back to active status.
For Active/Active failover, each failover group is assigned a primary or secondary unit preference. This preference determines on which unit in the failover pair the contexts in the failover group become active at startup when both units start simultaneously (within the failover polling period).
This command must be part of the configuration when bootstrapping a security appliance for LAN failover.
Examples
The following example sets the security appliance as the primary unit in LAN-based failover:
hostname(config)# failover lan unit primaryRelated Commands
failover lan enable
Enables LAN-based failover on the PIX security appliance.
failover lan interface
Specifies the interface used for failover communication.
failover link
To specify the Stateful Failover interface, use the failover link command in global configuration mode. To remove the Stateful Failover interface, use the no form of this command.
failover link if_name [phy_if]
no failover link
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Preexisting
This command was modified to include the phy_if argument.
7.0(4)
This command was modified to accept standard firewall interfaces.
Usage Guidelines
This command is not available on the ASA 5505 series adaptive security appliance, which does not support Stateful Failover.
The physical or logical interface argument is required when not sharing the failover communication or a standard firewall interface.
The failover link command enables Stateful Failover. Enter the no failover link command to disable Stateful Failover. If you are using a dedicated Stateful Failover interface, the no failover link command also clears the Stateful Failover interface IP address configuration.
To use Stateful Failover, you must configure a Stateful Failover link to pass all state information. You have three options for configuring a Stateful Failover link:
•
•
•
If you are using a dedicated Ethernet interface for the Stateful Failover link, you can use either a switch or a crossover cable to directly connect the units. If you use a switch, no other hosts or routers should be on this link.
Note
If you are using the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.
If you use a data interface as the Stateful Failover link, you will receive the following warning when you specify that interface as the Stateful Failover link:
******* WARNING ***** WARNING ******* WARNING ****** WARNING *********Sharing Stateful failover interface with regular data interface is nota recommended configuration due to performance and security concerns.******* WARNING ***** WARNING ******* WARNING ****** WARNING *********Sharing a data interface with the Stateful Failover interface can leave you vulnerable to replay attacks. Additionally, large amounts of Stateful Failover traffic may be sent on the interface, causing performance problems on that network segment.
Note
In multiple context mode, the Stateful Failover link resides in the system context. This interface and the failover interface are the only interfaces in the system context. All other interfaces are allocated to and configured from within security contexts.
In multiple context mode, the Stateful Failover interface resides in the system context. This interface and the failover interface are the only interfaces in the system context. All other interfaces are allocated to and configured from within security contexts.
Note
Caution
Examples
The following example shows how to specify a dedicated interface as the Stateful Failover interface. The interface in the example does not have an existing configuration.
hostname(config)# failover link stateful_if e4INFO: Non-failover interface config is cleared on Ethernet4 and its sub-interfacesRelated Commands
failover mac address
To specify the failover virtual MAC address for a physical interface, use the failover mac address command in global configuration mode. To remove the virtual MAC address, use the no form of this command.
failover mac address phy_if active_mac standby_mac
no failover mac address phy_if active_mac standby_mac
Syntax Description
Defaults
Not configured.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
The failover mac address command lets you configure virtual MAC addresses for an Active/Standby failover pair. If virtual MAC addresses are not defined, then when each failover unit boots it uses the burned-in MAC addresses for its interfaces and exchanges those addresses with its failover peer. The MAC addresses for the interfaces on the primary unit are used for the interfaces on the active unit.
However, if both units are not brought online at the same time and the secondary unit boots first and becomes active, it uses the burned-in MAC addresses for its own interfaces. When the primary unit comes online, the secondary unit will obtain the MAC addresses from the primary unit. This change can disrupt network traffic. Configuring virtual MAC addresses for the interfaces ensures that the secondary unit uses the correct MAC address when it is the active unit, even if it comes online before the primary unit.
The failover mac address command is unnecessary (and therefore cannot be used) on an interface configured for LAN-based failover because the failover lan interface command does not change the IP and MAC addresses when failover occurs. This command has no effect when the security appliance is configured for Active/Active failover.
When adding the failover mac address command to your configuration, it is best to configure the virtual MAC address, save the configuration to Flash memory, and then reload the failover pair. If the virtual MAC address is added when there are active connections, then those connections stop. Also, you must write the complete configuration, including the failover mac address command, to the Flash memory of the secondary security appliance for the virtual MAC addressing to take effect.
If the failover mac address is specified in the configuration of the primary unit, it should also be specified in the bootstrap configuration of the secondary unit.
Note
Examples
The following example configures the active and standby MAC addresses for the interface named intf2:
hostname(config)# failover mac address Ethernet0/2 00a0.c969.87c8 00a0.c918.95d8Related Commands
failover polltime
To specify the failover unit poll and hold times, use the failover polltime command in global configuration mode. To restore the default poll and hold times, use the no form of this command.
failover polltime [unit] [msec] time [holdtime [msec] time]
no failover polltime [unit] [msec] time [holdtime [msec] time]
Syntax Description
Defaults
The default values on the PIX security appliance are as follows:
•
•
The default values on the ASA security appliance are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
You cannot enter a holdtime value that is less than 3 times the unit poll time. With a faster poll time, the security appliance can detect failure and trigger failover faster. However, faster detection can cause unnecessary switch overs when the network is temporarily congested.
If a unit does not hear hello packet on the failover communication interface or cable for one polling period, additional testing occurs through the remaining interfaces. If there is still no response from the peer unit during the hold time, the unit is considered failed and, if the failed unit is the active unit, the standby unit takes over as the active unit.
You can include both failover polltime [unit] and failover polltime interface commands in the configuration.
Note
Examples
The following example changes the unit poll time frequency to 3 seconds:
hostname(config)# failover polltime 3The following example configures the security appliance to send a hello packet every 200 milliseconds and to fail over in 800 milliseconds if no hello packets are received on the failover interface within that time. The optional unit keyword is included in the command.
hostname(config)# failover polltime unit msec 200 holdtime msec 800Related Commands
failover polltime interface
To specify the data interface poll and hold times in an Active/Standby failover configuration, use the failover polltime interface command in global configuration mode. To restore the default poll and hold times, use the no form of this command.
failover polltime interface [msec] time [holdtime time]
no failover polltime interface [msec] time [holdtime time]
Syntax Description
Defaults
The default values are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
Use the failover polltime interface command to change the frequency that hello packets are sent out on data interfaces. This command is available for Active/Standby failover only. For Active/Active failover, use the polltime interface command in failover group configuration mode instead of the failover polltime interface command.
You cannot enter a holdtime value that is less than 5 times the interface poll time. With a faster poll time, the security appliance can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested. Interface testing begins when a hello packet is not heard on the interface for over half the hold time.
You can include both failover polltime unit and failover polltime interface commands in the configuration.
Note
Examples
The following example sets the interface poll time frequency to 15 seconds:
hostname(config)# failover polltime interface 15The following example sets the interface poll time frequency to 500 milliseconds and the hold time to 5 seconds:
hostname(config)# failover polltime interface msec 500 holdtime 5Related Commands
failover reload-standby
To force the standby unit to reboot, use the failover reload-standby command in privileged EXEC mode.
failover reload-standby
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Use this command when your failover units do not synchronize. The standby unit restarts and resynchronizes to the active unit after it finishes booting.
Examples
The following example shows how to use the failover reload-standby command on the active unit to force the standby unit to reboot:
hostname# failover reload-standbyRelated Commands
write standby
Writes the running configuration to the memory on the standby unit.
failover replication http
To enable HTTP (port 80) connection replication, use the failover replication http command in global configuration mode. To disable HTTP connection replication, use the no form of this command.
failover replication http
no failover replication http
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Preexisting
This command was changed from failover replicate http to failover replication http.
Usage Guidelines
By default, the security appliance does not replicate HTTP session information when Stateful Failover is enabled. Because HTTP sessions are typically short-lived, and because HTTP clients typically retry failed connection attempts, not replicating HTTP sessions increases system performance without causing serious data or connection loss. The failover replication http command enables the stateful replication of HTTP sessions in a Stateful Failover environment, but could have a negative effect on system performance.
In Active/Active failover configurations, you control HTTP session replication per failover group using the replication http command in failover group configuration mode.
Examples
The following example shows how to enable HTTP connection replication:
hostname(config)# failover replication httpRelated Commands
replication http
Enables HTTP session replication for a specific failover group.
show running-config failover
Displays the failover commands in the running configuration.
failover reset
To restore a failed security appliance to an unfailed state, use the failover reset command in privileged EXEC mode.
failover reset [group group_id]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The failover reset command allows you to change the failed unit or group to an unfailed state. The failover reset command can be entered on either unit, but we recommend that you always enter the command on the active unit. Entering the failover reset command at the active unit will "unfail" the standby unit.
You can display the failover status of the unit with the show failover or show failover state commands.
There is no no version of this command.
In Active/Active failover, entering failover reset resets the whole unit. Specifying a failover group with the command resets only the specified group.
Examples
The following example shows how to change a failed unit to an unfailed state:
hostname# failover resetRelated Commands
failover interface-policy
Specifies the policy for failover when monitoring detects interface failures.
show failover
Displays information about the failover status of the unit.
failover timeout
To specify the failover reconnect timeout value for asymmetrically routed sessions, use the failover timeout command in global configuration mode. To restore the default timeout value, use the no form of this command.
failover timeout hh[:mm:[:ss]
no failover timeout [hh[:mm:[:ss]]
Syntax Description
Defaults
By default, hh, mm, and ss are 0, which prevents connections from reconnecting.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
This command is used in conjunction with the static command with the nailed option. The nailed option allows connections to be reestablished in a specified amount of time after bootup or a system goes active. The failover timeout command specifies that amount of time. If not configured, the connections cannot be reestablished. The failover timeout command does not affect the asr-group command.
Note
Enter the no form of this command restores the default value. Entering failover timeout 0 also restores the default value. When set to the default value, this command does not appear in the running configuration.
Examples
The following example switches the standby group 1 to active:
hostname(config)# failover timeout 12:30hostname(config)# show running-config failoverno failoverfailover timeout 12:30:00Related Commands
static
Configures a persistent one-to-one address translation rule by mapping a local IP address to a global IP address.
file-bookmarks
To customize the File Bookmarks title or the File Bookmarks links on the WebVPN Home page that is displayed to authenticated WebVPN users, use the file-bookmarks command from webvpn customization mode:
file-bookmarks {link {style value} | title {style value | text value}}
[no] file-bookmarks {link {style value} | title {style value | text value}}
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
Defaults
The default link style is color:#669999;border-bottom: 1px solid #669999;text-decoration:none.
The default title style is color:#669999;background-color:#99CCCC;font-weight:bold.
The default title text is "File Folder Bookmarks".
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn customization
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
The following example customizes the File Bookmarks title to "Corporate File Bookmarks":
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# file-bookmarks title text Corporate File BookmarksRelated Commands
file-encoding
To specify the character encoding for pages from Common Internet File System servers, use the file-encoding command in webvpn configuration mode. The no form removes the value of the file-encoding attribute.
file-encoding {server-name | server-ip-addr} charset
no file-encoding {server-name | server-ip-addr}
Syntax Description
charset
String consisting of up to 40 characters, and equal to one of the valid character sets identified in http://www.iana.org/assignments/character-sets. You can use either the name or the alias of a character set listed on that page. Examples include iso-8859-1, shift_jis, and ibm850.
The string is case-insensitive. The command interpreter converts upper-case to lower-case in the security appliance configuration.
server-ip-addr
IP address, in dotted decimal notation, of the CIFS server for which you want to specify character encoding.
server-name
Name of the CIFS server for which you want to specify character encoding.
The security appliance retains the case you specify, although it ignores the case when matching the name to a server.
Defaults
Pages from all CIFS servers that do not have explicit file-encoding entries in the WebVPN configuration inherit the character encoding value from the character-encoding attribute.
Command Modes
The following table shows the modes in which you can enter the command:
webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
Enter file-encoding entries for all CIFS servers that require character encodings that differ from the value of the webvpn character-encoding attribute.
The WebVPN portal pages downloaded from the CIFS server to the WebVPN user encode the value of the WebVPN file-encoding attribute identifying the server, or if one does not, they inherit the value of the character-encoding attribute. The remote user's browser maps this value to an entry in its character encoding set to determine the proper character set to use. The WebVPN portal pages do not specify a value if WebVPN configuration does not specify a file-encoding entry for the CIFS server and the character-encoding attribute is not set. The remote browser uses its own default encoding if the WebVPN portal page does not specify the character encoding or if it specifies a character encoding value that the browser does not support.
The mapping of CIFS servers to their appropriate character encoding, globally with the webvpn character-encoding attribute, and individually with file-encoding overrides, provides for the accurate handling and display of CIFS pages when the proper rendering of file names or directory paths, as well as pages, are an issue.
Note
Examples
The following example sets the file-encoding attribute of the CIFS server named "CISCO-server-jp" to support Japanese Shift_JIS characters, removes the font family, and retains the default background color:
hostname(config)# webvpnhostname(config-webvpn)# file-encoding CISCO-server-jp shift_jisF1-asa1(config-webvpn)# customization DfltCustomizationF1-asa1(config-webvpn-custom)# page style background-color:whiteF1-asa1(config-webvpn-custom)#The following example sets the file-encoding attribute of the CIFS server 10.86.5.174 to support IBM860 (alias "CP860") characters:
hostname(config)# webvpnhostname(config-webvpn)# file-encoding 10.86.5.174 cp860hostname(config-webvpn)Related Commands
filter
To specify the name of the access list to use for WebVPN connections for this group policy or username, use the filter command in webvpn mode. To remove the access list, including a null value created by issuing the filter none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting filter values, use the filter value none command.
You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the filter command to apply those ACLs for WebVPN traffic.
filter {value ACLname | none}
no filter
Syntax Description
Defaults
WebVPN access lists do not apply until you use the filter command to specify them.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn mode
•
•
—
—
•
Command History
Usage Guidelines
WebVPN does not use ACLs defined in the vpn-filter command.
Examples
The following example shows how to set a filter that invokes an access list named acl_in for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# filter acl_inRelated Commands
filter activex
To remove ActiveX objects in HTTP traffic passing through the security appliance, use the filter activex command in global configuration mode. To remove the configuration, use the no form of this command.
filter activex | java <port> [-<port>] | except <local_ip> <mask> <foreign_ip> <foreign_mask>
no filter activex | java <port> [-<port>] | except <local_ip> <mask> <foreign_ip> <foreign_mask>
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
ActiveX objects may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can disable ActiveX objects with the filter activex command.
ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information. As a technology, ActiveX creates many potential problems for network clients including causing workstations to fail, introducing network security problems, or being used to attack servers.
The filter activex command command blocks the HTML <object> commands by commenting them out within the HTML web page. ActiveX filtering of HTML files is performed by selectively replacing the <APPLET> and </APPLET> and <OBJECT CLASSID> and </OBJECT> tags with comments. Filtering of nested tags is supported by converting top-level tags to comments.
Caution
If the <object> or </object> HTML tags split across network packets or if the code in the tags is longer than the number of bytes in the MTU, the security appliance cannot block the tag.
ActiveX blocking does not occur when users access an IP address referenced by the alias command or for WebVPN traffic.
Note
Examples
The following example specifies that Activex objects are blocked on all outbound connections:
hostname(config)# filter activex 80 0 0 0 0This command specifies that the ActiveX object blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.
Related Commands
\
filter ftp
To identify the FTP traffic to be filtered by a Websense or N2H2 server, use the filter ftp command in global configuration mode. To remove the configuration, use the no form of this command.
filter ftp <port> [-<port>] | except <local_ip> <mask> <foreign_ip> <foreign_mask> [allow] [interact-block]
no filter ftp <port> [-<port>] | except <local_ip> <mask> <foreign_ip> <foreign_mask> [allow] [interact-block]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The filter ftp command lets you identify the FTP traffic to be filtered by a Websense or N2H2 server.
After enabling this feature, when a user issues an FTP GET request to a server, the security appliance sends the request to the FTP server and to the Websense or N2H2 server at the same time. If the Websense or N2H2 server permits the connection, the security appliance allows the successful FTP return code to reach the user unchanged. For example, a successful return code is "250: CWD command successful."
If the Websense or N2H2 server denies the connection, the security appliance alters the FTP return code to show that the connection was denied. For example, the security appliance would change code 250 to "550 Requested file is prohibited by URL filtering policy." Websense only filters FTP GET commands and not PUT commands).
Use the interactive-block option to prevent interactive FTP sessions that do not provide the entire directory path. An interactive FTP client allows the user to change directories without typing the entire path. For example, the user might enter cd ./files instead of cd /public/files. You must identify and enable the URL filtering server before using these commands.
Examples
The following example shows how to enable FTP filtering:
hostname(config)# url-server (perimeter) host 10.0.1.1hostname(config)# filter ftp 21 0 0 0 0hostname(config)# filter ftp except 10.0.2.54 255.255.255.255 0 0Related Commands
filter https
To identify the HTTPS traffic to be filtered by a N2H2 or Websense server, use the filter https command in global configuration mode. To remove the configuration, use the no form of this command.
filter https <port> [-<port>] | except <local_ip> <mask> <foreign_ip> <foreign_mask> [allow]
no filter https <port> [-<port>] | except <local_ip> <mask> <foreign_ip> <foreign_mask> [allow]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The security appliance supports filtering of HTTPS and FTP sites using an external Websense or N2H2 filtering server.
HTTPS filtering works by preventing the completion of SSL connection negotiation if the site is not allowed. The browser displays an error message such as "The Page or the content cannot be displayed."
Because HTTPS content is encrypted, the security appliance sends the URL lookup without directory and filename information.
Examples
The following example filters all outbound HTTPS connections except those from the 10.0.2.54 host:
hostname(config)# url-server (perimeter) host 10.0.1.1hostname(config)# filter https 443 0 0 0 0hostname(config)# filter https except 10.0.2.54 255.255.255.255 0 0Related Commands
filter java
To remove Java applets from HTTP traffic passing through the security appliance, use the filter java command in global configuration mode. To remove the configuration, use the no form of this command.
filter java {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask]
no filter java {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
Java applets may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can remove Java applets with the filter java command.
The filter java command filters out Java applets that return to the security appliance from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute. The filter java command does not filter WebVPN traffic.
If the applet or /applet HTML tags split across network packets or if the code in the tags is longer than the number of bytes in the MTU, the security appliance cannot block the tag. If Java applets are known to be in <object> tags, use the filter activex command to remove them.
Note
Examples
The following example specifies that Java applets are blocked on all outbound connections:
hostname(config)# filter java 80 0 0 0 0This command specifies that the Java applet blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.
The following example blocks downloading of Java applets to a host on a protected network:
hostname(config)# filter java http 192.168.3.3 255.255.255.255 0 0This command prevents host 192.168.3.3 from downloading Java applets.
Related Commands
filter url
To direct traffic to a URL filtering server, use the filter url command in global configuration mode. To remove the configuration, use the no form of this command.
filter url <port> [-<port>] | except <local_ip> <mask> <foreign_ip> <foreign_mask> [allow] [cgi-truncate] [longurl-truncate | longurl-deny] [proxy-block]
no filter url <port> [-<port>] | except <local_ip> <mask> <foreign_ip> <foreign_mask> [allow] [cgi-truncate] [longurl-truncate | longurl-deny] [proxy-block]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The filter url command lets you prevent outbound users from accessing World Wide Web URLs that you designate using the N2H2 or Websense filtering application.
Note
The allow option to the filter url command determines how the security appliance behaves if the N2H2 or Websense server goes off line. If you use the allow option with the filter url command and the N2H2 or Websense server goes offline, port 80 traffic passes through the security appliance without filtering. Used without the allow option and with the server off line, the security appliance stops outbound port 80 (Web) traffic until the server is back on line, or if another URL server is available, passes control to the next URL server.
Note
The N2H2 or Websense server works with the security appliance to deny users from access to websites based on the company security policy.
Using the Filtering Server
Websense protocol Version 4 enables group and username authentication between a host and a security appliance. The security appliance performs a username lookup, and then Websense server handles URL filtering and username logging.
The N2H2 server must be a Windows workstation (2000, NT, or XP), running an IFP Server, with a recommended minimum of 512 MB of RAM. Also, the long URL support for the N2H2 service is capped at 3 KB, less than the cap for Websense.
Websense protocol Version 4 contains the following enhancements:
•
•
•
Information on Websense is available at the following website:
http://www.websense.com/
Configuration Procedure
Follow these steps to filter URLs:
Step 1
Step 2
Step 3
Step 4
Working with Long URLs
Filtering URLs up to 4 KB is supported for the Websense filtering server, and up to 3 KB for the N2H2 filtering server.
Use the longurl-truncate and cgi-truncate options to allow handling of URL requests longer than the maximum permitted size.
If a URL is longer than the maximum, and you do not enable the longurl-truncate or longurl-deny options, the security appliance drops the packet.
The longurl-truncate option causes the security appliance to send only the hostname or IP address portion of the URL for evaluation to the filtering server when the URL is longer than the maximum length permitted. Use the longurl-deny option to deny outbound URL traffic if the URL is longer than the maximum permitted.
Use the cgi-truncate option to truncate CGI URLs to include only the CGI script location and the script name without any parameters. Many long HTTP requests are CGI requests. If the parameters list is very long, waiting and sending the complete CGI request including the parameter list can use up memory resources and affect security appliance performance.
Buffering HTTP Responses
By default, when a user issues a request to connect to a specific website, the security appliance sends the request to the web server and to the filtering server at the same time. If the filtering server does not respond before the web content server, the response from the web server is dropped. This delays the web server response from the point of view of the web client.
By enabling the HTTP response buffer, replies from web content servers are buffered and the responses will be forwarded to the requesting user if the filtering server allows the connection. This prevents the delay that may otherwise occur.
To enable the HTTP response buffer, enter the following command:
url-block block block-buffer-limitReplace block-buffer with the maximum number of blocks that will be buffered. The permitted values are from 1 to 128, which specifies the number of 1550-byte blocks that can be buffered at one time.
Note
Examples
The following example filters all outbound HTTP connections except those from the 10.0.2.54 host:
hostname(config)# url-server (perimeter) host 10.0.1.1hostname(config)# filter url 80 0 0 0 0hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0The following example blocks all outbound HTTP connections destined to a proxy server that listens on port 8080:
hostname(config)# filter url 8080 0 0 0 0 proxy-blockRelated Commands
fips enable
To enable or disable policy-checking to enforce FIPS compliance on the system or module, use the fips enable command, or [no] fips enable command.
fips enable
[no] fips enable
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
—
•
—
—
Command History
Usage Guidelines
To run in a FIPS-compliant mode of operation, you must apply both the fips enable command and the proper configuration specified in the Security Policy. The internal API allows the device to migrate towards enforcing proper configuration at run-time.
When "fips enable" is present in the startup-configuration, FIPS POST will run and print the following console message:
Copyright (c) 1996-2005 by Cisco Systems, Inc.Restricted Rights LegendUse, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.Cisco Systems, Inc.170 West Tasman DriveSan Jose, California 95134-1706....Cryptochecksum (unchanged): 6c6d2f77 ef13898e 682c9f94 9c2d5ba9INFO: FIPS Power-On Self-Test in process. Estimated completion in 90 seconds.......................................................INFO: FIPS Power-On Self-Test complete.Type help or '?' for a list of available commands.sw8-5520>Examples
sw8-ASA(config)# fips enableRelated Commands
fips self-test poweron
To execute power-on self-tests, use the fips self-test powereon command.
fips self-test poweron
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
Executing this command causes the device to run all self-tests required for FIPS 140-2 compliance. Tests are compreised of: cryptographic algorithm test, software integrity test and critical functions test.
Examples
sw8-5520(config)# fips self-test poweronRelated Commands
firewall transparent
To set the firewall mode to transparent mode, use the firewall transparent command in global configuration mode. To restore routed mode, use the no form of this command. A transparent firewall is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices.
firewall transparent
no firewall transparent
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system configuration. This command also appears in each context configuration for informational purposes only; you cannot enter this command in a context.
When you change modes, the security appliance clears the configuration because many commands are not supported for both modes. If you already have a populated configuration, be sure to back up your configuration before changing the mode; you can use this backup for reference when creating your new configuration.
If you download a text configuration to the security appliance that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the security appliance changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the security appliance clears all the preceding lines in the configuration.
Examples
The following example changes the firewall mode to transparent:
hostname(config)# firewall transparentRelated Commands
format
To erase all files and format the file system, use the format command in privileged EXEC mode. This command erases all files on the file system, including hidden system files, and reinstalls the file system.
format {disk0: | disk1: | flash:}
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The format command erases all data on the specified file system and then rewrites the FAT information to the device.
Caution
To delete all visible files (excluding hidden system files), enter the delete /recursive command, instead of the format command.
Note
To repair a corrupt file system, try entering the fsck command before entering the format command.
Note
To repair a corrupt file system, try entering the fsck command before entering the format command.Examples
This example shows how to format the Flash memory:
hostname# format flash:Related Commands
delete
Removes all user-visible files.
erase
Deletes all files and formats the Flash memory.
fsck
Repairs a corrupt file system.
forward interface
For models with a built-in switch, such as the ASA 5505 adaptive security appliance, use the no forward interface command in interface configuration mode to restrict one VLAN from initiating contact to one other VLAN. This command can be entered in the interface configuration mode for a VLAN interface only. To restore connectivity, use the forward interface command. You might need to restrict one VLAN depending on how many VLANs your license supports.
forward interface vlan number
no forward interface vlan number
Syntax Description
Defaults
By default, all interfaces can initiate traffic to all other interfaces.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
In routed mode, you can configure up to three active VLANs with the ASA 5505 adaptive security appliance Base license, and up to five active VLANs with the Security Plus license. An active VLAN is a VLAN with a nameif command configured. You can configure up to five inactive VLANs on the ASA 5505 adaptive security appliance for either license, but if you make them active, be sure to follow the guidelines for your license.
With the Base license, the third VLAN must be configured with the no forward interface command to restrict this VLAN from initiating contact to one other VLAN.
For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside work network, and a third VLAN assigned to your home network. The home network does not need to access the work network, so you can use the no forward interface command on the home VLAN; the work network can access the home network, but the home network cannot access the work network.
If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameif command on the third interface; the security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance.
Examples
The following example configures three VLAN interfaces. The third home interface cannot forward traffic to the work interface.
hostname(config)# interface vlan 100hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address dhcphostname(config-if)# no shutdownhostname(config-if)# interface vlan 200hostname(config-if)# nameif workhostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface vlan 300hostname(config-if)# no forward interface vlan 200hostname(config-if)# nameif homehostname(config-if)# security-level 50hostname(config-if)# ip address 10.2.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/0hostname(config-if)# switchport access vlan 100hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/1hostname(config-if)# switchport access vlan 200hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/2hostname(config-if)# switchport access vlan 200hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/3hostname(config-if)# switchport access vlan 200hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/4hostname(config-if)# switchport access vlan 300hostname(config-if)# no shutdown...Related Commands
fqdn
To include the indicated FQDN in the Subject Alternative Name extension of the certificate during enrollment, use the fqdn command in crypto ca trustpoint configuration mode. To restore the default setting of the fqdn, use the no form of the command.
fqdn [fqdn | none]
no fqdn
Syntax Description
fqdn
Specifies the fully qualified domain name. The maximum length of fqdn is 64 characters.
none
Specifies no fully qualified domain name.
Defaults
The default setting does not include the FQDN.
Command Modes
The following table shows the modes in which you can enter the
Crypto ca trustpoint configuration
•
•
•
•
•
command:
Command History
Usage Guidelines
If you are configuring the security appliance to support authentication of a Nokia VPN Client using certificates, use the none keyword. See the crypto isakmp identity or isakmp identity command for more information on supporting certificate authentication of the Nokia VPN Client.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the FQDN engineering in the enrollment request for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(config-ca-trustpoint)# fqdn engineeringhostname(config-ca-trustpoint)#Related Commands
fragment
To provide additional management of packet fragmentation and improve compatibility with NFS, use the fragment command in global configuration mode.
fragment {size | chain | timeout limit} [interface]
no fragment {size | chain | timeout limit} interface
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
By default, the security appliance accepts up to 24 fragments to reconstruct a full IP packet. Based on your network security policy, you should consider configuring the security appliance to prevent fragmented packets from traversing the security appliance by entering the fragment chain 1 interface command on each interface. Setting the limit to 1 means that all packets must be whole; that is, unfragmented.
If a large percentage of the network traffic through the security appliance is NFS, additional tuning might be necessary to avoid database overflow.
In an environment where the MTU size is small between the NFS server and client, such as a WAN interface, the chain keyword might require additional tuning. In this case, we recommend using NFS over TCP to improve efficiency.
Setting the size limit to a large value can make the security appliance more vulnerable to a DoS attack by fragment flooding. Do not set the size limit equal to or greater than the total number of blocks in the 1550 or 16384 pool.
The default values will limit DoS attacks caused by fragment flooding.
Examples
This example shows how to prevent fragmented packets on the outside and inside interfaces:
hostname(config)# fragment chain 1 outsidehostname(config)# fragment chain 1 insideContinue entering the fragment chain 1 interface command for each additional interface on which you want to prevent fragmented packets.
This example shows how to configure the fragment database on the outside interface to a maximum size of 2000, a maximum chain length of 45, and a wait time of 10 seconds:
hostname(config)# fragment size 2000 outsidehostname(config)# fragment chain 45 outsidehostname(config)# fragment timeout 10 outsideRelated Commands
frequency
To set the rate at which the selected SLA operation repeats, use the frequency command in SLA monitor protocol configuration mode. To restore the default value, use the no form of this command.
frequency seconds
no frequency
Syntax Description
seconds
The number of seconds between SLA probes. Valid values are from 1 to 604800 seconds. This value cannot be less than the timeout value.
Defaults
The default frequency is 60 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
SLA monitor protocol configuration
•
—
•
—
—
Command History
Usage Guidelines
An SLA operation repeats at a given frequency for the lifetime of the operation. For example, an ipIcmpEcho operation with a frequency of 60 seconds repeats by sending the echo request packets once every 60 seconds for the lifetime of the operation. For example, the default number of packets in an echo operation is 1. This packet is sent when the operation is started and is then sent again 60 seconds later.
If an individual SLA operation takes longer to execute than the specified frequency value, a statistics counter called "busy" is increased rather than immediately repeating the operation.
The value specified for the frequency command cannot be less than the value specified for the timeout command.
Examples
The following example configures an SLA operation with an ID of 123 and creates a tracking entry with the ID of 1 to track the reachability of the SLA. The frequency of the SLA operation is set to 3 seconds, and the timeout value us set to 1000 milliseconds.
hostname(config)# sla monitor 123hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outsidehostname(config-sla-monitor-echo)# timeout 1000hostname(config-sla-monitor-echo)# frequency 3hostname(config)# sla monitor schedule 123 life forever start-time nowhostname(config)# track 1 rtr 123 reachabilityRelated Commands
sla monitor
Defines an SLA monitoring operation.
timeout
Defines the amount of time the SLA operation waits for a response.
fsck
To perform a file system check and to repair corruptions, use the fsck command in privileged EXEC mode.
fsck [/no confirm]{disk0: | disk1: | flash:}
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The fsck command checks and attempts to repair corrupt file systems. Try using this command before resorting to more permanent procedures.
The /noconfirm keyword automatically repairs corruptions without seeking your confirmation first.
Examples
This example shows how to check the file system of the Flash memory:
hostname# fsck flash:Related Commands
ftp mode passive
To set the FTP mode to passive, use the ftp mode passive command in global configuration mode. To reset the FTP client to active mode, use the no form of this command.
ftp mode passive
no ftp mode passive
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
The ftp mode passive command sets the FTP mode to passive.The security appliance can use FTP to upload or download image files or configuration files to or from an FTP server. The ftp mode passive command controls how the FTP client on the security appliance interacts with the FTP server.
In passive FTP, the client initiates both the control connection and the data connection. Passive mode refers to the server state, in that the server is passively accepting both the control connection and the data connection, which are initiated by the client.
In passive mode, both destination and source ports are ephemeral ports (greater than 1023). The mode is set by the client, as the client issues the passive command to initiate the setup of the passive data connection. The server, which is the recipient of the data connection in passive mode, responds with the port number to which it is listening for the specific connection.
Examples
The following example sets the FTP mode to passive:
hostname(config)# ftp mode passiveRelated Commands
functions
To configure automatic downloading of the port forwarding java applet, Citrix support, file access, file browsing, file server entry, application of a webtype ACL, HTTP Proxy, MAPI Proxy, port forwarding, or URL entry over WebVPN for this user or group policy, use the functions command in webvpn mode, which you enter from group-policy or username mode. To remove a configured function, use the no form of this command.
To remove all configured functions, including a null value created by issuing the functions none command, use the no form of this command without arguments. The no option allows inheritance of a value from another group policy. To prevent inheriting function values, use the functions none command.
functions {auto-download | citrix | file-access | file-browsing | file-entry | filter | http-proxy | url-entry | mapi | port-forward | none}
no functions [auto-download | citrix | file-access | file-browsing | file-entry | filter | url-entry | mapi | port-forward]
Syntax Description
Defaults
Functions are disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn mode
•
—
•
—
—
Command History
7.1(1)
The auto-download and citrix keywords were added.
7.0(1)
This command was introduced.
Examples
The following example shows how to configure file access, file browsing, and MAPI Proxy for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# functions file-access file-browsing MAPIRelated Commands
