-
Cisco Security Appliance Command Reference, Version 8.0
-
About This Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P though R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show ddns -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config ldap -- show running-config webvpn auto-signon
-
show service-policy -- show xlate
-
shun -- sysopt radius ignore-secret
-
- T through Z Commands
-
Feedback
Table Of Contents
client access rule through crl configure Commands
client-types (crypto ca trustpoint)
client access rule through crl configure Commands
client-access-rule
To configure rules that limit the remote access client types and versions that can connect via IPSec through the security appliance, use the client-access-rule command in group-policy configuration mode. To delete a rule, use the no form of this command.
To delete all rules, use the no client-access-rule command with only the priority argument. This deletes all configured rules, including a null rule created by issuing the client-access-rule none command.
When there are no client access rules, users inherit any rules that exist in the default group policy. To prevent users from inheriting client access rules, use the client-access-rule none command. The result of doing so is that all client types and versions can connect.
client-access-rule priority {permit | deny} type type version version | none
no client-access-rule priority [{permit | deny} type type version version]
Syntax Description
Defaults
By default, there are no access rules.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
Construct rules according to these caveats:
•
•
•
•
•
•
•
Examples
The following example shows how to create client access rules for the group policy named FirstGroup. These rules permit VPN Clients running software version 4.1, while denying all VPN 3002 hardware clients:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# client-access-rule 1 d t VPN3002 v *hostname(config-group-policy)# client-access-rule 2 p * v 4.1client (ctl-provider)
To specify clients allowed to connect to the Certificate Trust List provider, or to specify a username and password for client authentication, use the client command in CTL provider configuration mode. To remove the configuration, use the no form of this command.
client [[interface if_name] ipv4_addr] | [username user_name password password [encrypted]]
no client [[interface if_name] ipv4_addr] | [username user_name password password [encrypted]]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
CTL provider configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the client command in CTL provider configuration mode to specify the clients allowed to connect to the CTL provider, and to set the username and password for client authentication. More than one command may be issued to define multiple clients. The username and password must match the CCM Administrator's username and password for the CallManager cluster.
Examples
The following example shows how to create a CTL provider instance:
hostname(config)# ctl-provider my_ctlhostname(config-ctl-provider)# client interface inside 172.23.45.1hostname(config-ctl-provider)# client username CCMAdministrator password XXXXXX encryptedhostname(config-ctl-provider)# export certificate ccm_proxyhostname(config-ctl-provider)# ctl installRelated Commands
client (tls-proxy)
To configure trustpoints, keypairs, and cipher suites, use the client command in TLS proxy configuration mode. To remove the configuration, use the no form of this command.
client [cipher-suite cipher_suite] | [ldc [issuer ca_tp_name | key-pair key_label]]
no client [cipher-suite cipher_suite] | [ldc [issuer ca_tp_name | key-pair key_label]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
TLS proxy configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the client command in TLS proxy configuration mode to control the TLS handshake parameters for the security appliance as the TLS client role in TLS proxy. This includes cipher suite configuration, or to set the local dynamic certificate issuer or keypair. The local CA to issue client dynamic certificates is defined by the crypto ca trustpoint command and the trustpoint must have proxy-ldc-issuer configured, or the default local CA server (LOCAL-CA-SERVER).
The keypair value must have been generated with the crypto key generate command.
For client proxy (the proxy acts as a TLS client to the server), the user-defined cipher suite replaces the default cipher suite, or the one defined by the ssl encryption command. You can use this command to achieve difference ciphers between the two TLS sessions. You should use AES ciphers with the CallManager server.
Examples
The following example shows how to create a TLS proxy instance:
hostname(config)# tls-proxy my_proxyhostname(config-tlsp)# server trust-point ccm_proxyhostname(config-tlsp)# client ldc issuer ldc_serverhostname(config-tlsp)# client ldc keypair phone_commonRelated Commands
client-firewall
To set personal firewall policies that the security appliance pushes to the VPN client during IKE tunnel negotiation, use the client-firewall command in group-policy configuration mode. To delete a firewall policy, use the no form of this command.
To delete all firewall policies, use the no client-firewall command without arguments. This deletes all configured firewall policies, including a null policy created by issuing the client-firewall none command.
When there are no firewall policies, users inherit any that exist in the default or other group policy. To prevent users from inheriting such firewall policies, use the client-firewall none command.
client-firewall none
client-firewall {opt | req} custom vendor-id num product-id num policy {AYT | CPP acl-in acl acl-out acl} [description string]
client-firewall {opt | req} zonelabs-integrity
Note
client-firewall {opt | req} zonelabs-zonealarm policy {AYT | CPP acl-in acl acl-out acl }
client-firewall {opt | req} zonelabs-zonealarmorpro policy {AYT | CPP acl-in acl acl-out acl }
client-firewall {opt | req} zonelabs-zonealarmpro policy {AYT | CPP acl-in acl acl-out acl }
client-firewall {opt | req} cisco-integrated acl-in acl acl-out acl}
client-firewall {opt | req} sygate-personal
client-firewall {opt | req} sygate-personal-pro
client-firewall {opt | req} sygate-personal-agent
client-firewall {opt | req} networkice-blackice
client-firewall {opt | req} cisco-security-agent
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
7.2(1)
The zonelabs-integrity firewall type was added.
Usage Guidelines
Only one instance of this command can be configured.
Examples
The following example shows how to set a client firewall policy that requires Cisco Intrusion Prevention Security Agent for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# client-firewall req cisco-security-agentclient trust-point
To specify the proxy trustpoint certificate to be presented during TLS handshake when configuring the TLS Proxy for Cisco Unified Presence Server (CUPS), use the client trust-point command in tls-proxy configuration mode. To remove the proxy trustpoint certificate, use the no form of this command.
client trust-point proxy_trustpoint
no client trust-point [proxy_trustpoint]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
TLS proxy configuration
•
•
•
•
—
Command History
Usage Guidelines
The client trust-point command specifies the trustpoint and associated certificate that the security appliance uses in the TLS handshake when the security appliance assumes the role of the TLS client. The certificate must be owned by the security appliance (identity certificate).
The certificate can be self-signed, enrolled with a certificate authority, or from an imported credential. The client trust-point command has precedence over the global ssl trust-point command.
Examples
The following example shows the use of the client trust-point command to specify the use of trustpoint "ent_y_proxy" in the TLS handshake with the TLS server. The handshake is likely to be originated from entity Y to entity X where the TLS server resides. The ASA functions as the TLS proxy for entity Y.
hostname(config-tlsp)# client trust-point ent_y_proxyRelated Commands
client-types (crypto ca trustpoint)
To specify the client connection types for which this trustpoint can be used to validate the certificates associated with a user connection, use the client-types command in crypto ca trustpoint configuration mode. To specify that the trustpoint cannot be used for the named connection, use the no form of the command.
[no] client-types {ssl | ipsec}
Syntax Description
Defaults
No default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Command History
Crypto ca trustpoint configuration
•
•
•
•
—
Usage Guidelines
When there are multiple trustpoints associated with the same CA certificate, only one of the trustpoints can be configured for a specific client type. However, one of the trustpoints can be configured for one client type and the other trustpoint with another client-type.
If there is a trustpoint associated with the same CA certificate that is already configured with a client type, the new trustpoint is not allowed to be configured with the same client-type setting. The no form of the command clears the setting so that trustpoint cannot be used for any client validation.
Remote-access VPNs can use Secure Sockets Layer (SSL) VPN, IP Security (IPSec), or both, depending on deployment requirements, to permit access to virtually any network application or resource.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint, central, and designates it an SSL trustpoint:
hostname(config)# crypto ca trustpoint centralhostname(config-ca-trustpoint)# client-types sslhostname(config-ca-trustpoint)#The following example enters crypto ca trustpoint configuration mode for trustpoint, checkin1,anddesignated it as an IPsec trustpoint.
hostname(config)# crypto ca trustpoint checkin1hostname(config-ca-trustpoint)# client-types ipsechostname(config-ca-trustpoint)#Related Commands
client-update
To issue a client-update for all active remote VPN software and hardware clients and security appliances configured as Auto Update clients, on all tunnel-groups or for a particular tunnel group, use the client-update command in privileged EXEC mode.
To configure and change client-update parameters at the global level, including VPN software and hardware clients and security appliances configured as Auto Update clients, use the client-update command in global configuration mode.
To configure and change client-update tunnel-group IPSec-attributes parameters for VPN software and hardware clients, use the client-update command in tunnel-group ipsec-attributes configuration mode.
If the client is already running a software version on the list of revision numbers, it does not need to update its software. If the client is not running a software version on the list, it should update.
To disable a client update, use the no form of this command.
Global configuration mode command:
client-update {enable | component {asdm | image} | device-id dev_string |
family family_name | type type} url url-string rev-nums rev-nums}no client-update {enable | component {asdm | image} | device-id dev_string |
family family_name | type type} url url-string rev-nums rev-nums}Tunnel-group ipsec-attributes mode command:
client-update type type url url-string rev-nums rev-nums
no client-update type type url url-string rev-nums rev-nums
Privileged EXEC mode command:
client-update {all | tunnel-group}
no client-update tunnel-group
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command History
Usage Guidelines
In tunnel-group ipsec-attributes configuration mode, you can apply this attribute only to the IPSec remote-access tunnel-group type.
The client-update command lets you enable the update; specify the types and revision numbers of clients to which the update applies; provide a URL or IP address from which to get the update; and, in the case of Windows clients, optionally notify users that they should update their VPN client version. For Windows clients, you can provide a mechanism for users to accomplish that update. For VPN 3002 Hardware Client users, the update occurs automatically, with no notification. When the client type is another security appliance, this security appliance acts as an Auto Update server.
To configure the client-update mechanism, do the following steps:
Step 1
hostname(config)# client-update enablehostname(config)#Step 2
hostname(config)# client-update type windows url https://support/updates/ rev-nums 4.6.1hostname(config)#See the Examples section for an illustration of configuring a tunnel group for a VPN 3002 hardware client.
Note
Alternatively, for Windows clients and VPN3002 Hardware Clients, you can configure client update just for individual tunnel-groups, rather than for all clients of a particular type. (See Step 3.)
Note
Step 3
hostname(config)# tunnel-group remotegrp type ipsec-rahostname(config)# tunnel-group remotegrp ipsec-attributeshostname(config-tunnel-ipsec)# client-update type windows url https://support/updates/ rev-nums 4.6.1hostname(config-tunnel-ipsec)#See the Examples section for an illustration of configuring a tunnel group for a VPN 3002 hardware client. VPN 3002 clients update without user intervention, and users receive no notification message.
Step 4
hostname# client-update allhostname#If the user's client revision number matches one of the specified revision numbers, there is no need to update the client, and users receive no notification message. VPN 3002 clients update without user intervention and users receive no notification message.
Note
Examples
The following example, entered in global configuration mode, enables client update for all active remote clients on all tunnel groups:
hostname(config)# client-update enablehostname#The following example applies only to Windows (win9x, winnt, or windows). Entered in global configuration mode, it configures client update parameters for all Windows-based clients. It designates the revision number, 4.7 and the URL for retrieving the update, which is https://support/updates.
hostname(config)# client-update type windows url https://support/updates/ rev-nums 4.7hostname(config)#The following example applies only to VPN 3002 Hardware Clients. Entered in tunnel-group ipsec-attributes configuration mode, it configures client update parameters for the IPSec remote-access tunnel-group "salesgrp". It designates the revision number, 4.7 and uses the TFTP protocol for retrieving the updated software from the site with the IP address 192.168.1.1:
hostname(config)# tunnel-group salesgrp type ipsec-rahostname(config)# tunnel-group salesgrp ipsec-attributeshostname(config-tunnel-ipsec)# client-update type vpn3002 url tftp:192.168.1.1 rev-nums 4.7hostname(config-tunnel-ipsec)#The following example shows how to issue a client update for clients that are Cisco 5520 Adaptive Security Appliances configured as Auto Update clients:
hostname(config)# client-update type asa5520 component asdm url http://192.168.1.114/aus/asdm501.bin rev-nums 7.2(1)The following example, entered in privileged EXEC mode, sends a client-update notification to all connected remote clients in the tunnel group named "remotegrp" that need to update their client software. Clients in other groups do not get an update notification:
hostname# client-update remotegrphostname#Related Commands
clock set
To manually set the clock on the security appliance, use the clock set command in privileged EXEC mode.
clock set hh:mm:ss {month day | day month} year
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
If you have not entered any clock configuration commands, the default time zone for the clock set command is UTC. If you change the time zone after you enter the clock set command using the clock timezone command, the time automatically adjusts to the new time zone. However, if you enter the clock set command after you establish the time zone with the clock timezone command, then enter the time appropriate for the new time zone and not for UTC. Similarly, if you enter the clock summer-time command after the clock set command, the time adjusts for daylight saving. If you enter the clock set command after the clock summer-time command, enter the correct time for daylight saving.
This command sets the time in the hardware chip, and does not save the time in the configuration file. This time endures reboots. Unlike the other clock commands, this command is a privileged EXEC command. To reset the clock, you need to set a new time for the clock set command.
Examples
The following example sets the time zone to MST, the daylight saving time to the default period in the U.S., and the current time for MDT to 1:15 p.m. on July 27, 2004:
hostname(config)# clock timezone MST -7hostname(config)# clock summer-time MDT recurringhostname(config)# exithostname# clock set 13:15:0 jul 27 2004hostname# show clock13:15:00.652 MDT Tue Jul 27 2004The following example sets the clock to 8:15 on July 27, 2004 in the UTC time zone, and then sets the time zone to MST and the daylight saving time to the default period in the U.S. The end time (1:15 in MDT) is the same as the previous example.
hostname# clock set 20:15:0 jul 27 2004hostname# configure terminalhostname(config)# clock timezone MST -7hostname(config)# clock summer-time MDT recurringhostname# show clock13:15:00.652 MDT Tue Jul 27 2004Related Commands
clock summer-time
Sets the date range to show daylight saving time.
clock timezone
Sets the time zone.
show clock
Shows the current time.
clock summer-time
To set the date range for daylight saving time for the display of the security appliance time, use the clock summer-time command in global configuration mode. To disable the daylight saving time dates, use the no form of this command.
clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]
no clock summer-time [zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]]
clock summer-time zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset]
no clock summer-time [zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset]]
Syntax Description
Defaults
The default offset is 60 minutes.
The default recurring date range is from 2:00 a.m. on the second Sunday in March to 2:00 a.m. on the first Sunday in November.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
8.0(2)
The default recurring date range was changed to 2:00 a.m. on the second Sunday in March to 2:00 a.m. on the first Sunday in November.
Usage Guidelines
For the Southern Hemisphere, the security appliance accepts the start month to be later in the year than the end month, for example, from October to March.
Examples
The following example sets the daylight saving date range for Australia:
hostname(config)# clock summer-time PDT recurring last Sunday October 2:00 last Sunday March 2:00Some countries start daylight saving on a specific date. In the following example, daylight saving time is configured to start on April 1, 2004, at 3 a.m. and end on October 1, 2004, at 4 a.m.
hostname(config)# clock summer-time UTC date 1 April 2004 3:00 1 October 2004 4:00Related Commands
clock set
Manually sets the clock on the security appliance.
clock timezone
Sets the time zone.
ntp server
Identifies an NTP server.
show clock
Shows the current time.
clock timezone
To set the time zone for the security appliance clock, use the clock timezone command in global configuration mode. To set the time zone back to the default of UTC, use the no form of this command. The clock set command or the time derived from an NTP server sets the time in UTC. You must set the time zone as an offset of UTC using this command.
clock timezone zone [-]hours [minutes]
no clock timezone [zone [-]hours [minutes]]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
To set daylight saving time, see the clock summer-time command.
Examples
The following example sets the time zone to Pacific Standard Time, which is -8 hours from UTC:
hostname(config)# clock timezone PST -8Related Commands
cluster-ctl-file
To use trustpoints that are already created from an existing CTL file stored in Flash memory, use the cluster-ctl-file command in CTL file configuration mode. To remove the CTL file configuration so that you can create a new CTL file, use the no form of this command.
cluster-ctl-file filename_path
no cluster-ctl-file filename_path
Syntax Description
filename_path
Specifies the path and filename of the CTL file stored on disk or stored in Flash memory.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
CTL-file configuration
•
—
•
—
—
Command History
Usage Guidelines
When this command is configured, the Phone Proxy parses the CTL file stored in Flash memory and installs the trustpoints from that CTL file and uses that file from Flash in the creation of the new CTL file.
Examples
The following example shows the use of the cluster-ctl-file command to parse the CTL file stored in Flash memory to install the trustpoints from that file:
hostname(config-ctl-file)# cluster-ctl-file disk0:/old_ctlfile.tlvRelated Commands
cluster encryption
To enable encryption for messages exchanged on the virtual load-balancing cluster, use the cluster encryption command in vpn load-balancing configuration mode. To disable encryption, use the no form of this command.
cluster encryption
no cluster encryption
Note
Syntax Description
This command has no arguments or variables.
Defaults
Encryption is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Vpn load-balancing configuration
•
—
•
—
—
Command History
Usage Guidelines
This command turns encryption on or off for messages exchanged on the virtual load-balancing cluster.
Before configuring the cluster encryption command, you must have first used the vpn load-balancing command to enter VPN load-balancing mode. You must also use the cluster key command to configure the cluster shared-secret key before enabling cluster encryption.
Note
Examples
The following is an example of a VPN load-balancing command sequence that includes a cluster encryption command that enables encryption for the virtual load-balancing cluster:
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# cluster key 123456789hostname(config-load-balancing)# cluster encryptionhostname(config-load-balancing)# participateRelated Commands
cluster key
Specifies the shared-secret key for the cluster.
vpn load-balancing
Enters VPN load-balancing mode.
cluster ip address
To set the IP address of the virtual load-balancing cluster, use the cluster ip address command in vpn load-balancing configuration mode. To remove the IP address specification, use the no form of this command.
cluster ip address ip-address
no cluster ip address [ip-address]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Vpn load-balancing configuration
•
—
•
—
—
Command History
Usage Guidelines
You must first use the vpn load-balancing command to enter vpn load-balancing configuration mode and configure the interface to which the virtual cluster IP address refers.
The cluster ip address must be on the same subnet as the interface for which you are configuring the virtual cluster.
In the no form of the command, if you specify the optional ip-address value, it must match the existing cluster IP address before the no cluster ip address command can be completed.
Examples
The following example shows a VPN load-balancing command sequence that includes a cluster ip address command that sets the IP address of the virtual load-balancing cluster to 209.165.202.224:
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# participateRelated Commands
interface
Sets the interfaces of the device.
nameif
Assigns a name to an interface.
vpn load-balancing
Enters VPN load-balancing mode.
cluster key
To set the shared secret for IPSec site-to-site tunnel exchanges on the virtual load-balancing cluster, use the cluster key command in vpn load-balancing configuration mode. To remove this specification, use the no form of this command.
cluster key shared-secret
no cluster key [shared-secret]
Syntax Description
shared-secret
A 3- through 17-character string defining the shared secret for the VPN load-balancing cluster. Special characters can appear in the string, but not spaces.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Vpn load-balancing configuration
•
—
•
—
—
Command History
Usage Guidelines
You must first use the vpn load-balancing command to enter vpn load-balancing configuration mode. The secret defined in the cluster key command is also used for cluster encryption.
You must use the cluster key command to configure the shared secret before enabling cluster encryption.
If you specify a value for shared-secret in the no cluster key form of the command, the shared secret value must match the existing configuration.
Examples
The following example shows a VPN load-balancing command sequence that includes a cluster key command that sets the shared secret of the virtual load-balancing cluster to 123456789:
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# cluster key 123456789hostname(config-load-balancing)# cluster encryptionhostname(config-load-balancing)# participateRelated Commands
cluster-mode
To specify the security mode of the cluster, use the cluster-mode command in phone-proxy configuration mode. To set the security mode of the cluster to the default mode, use the no form of this command.
cluster-mode [mixed | nonsecure]
no cluster-mode [mixed | nonsecure]
Syntax Description
mixed
Specifies the cluster mode to be in mixed mode when configuring the Phone Proxy feature.
nonsecure
Specifies the cluster mode to be in nonsecure mode when configuring the Phone Proxy feature.
Defaults
The default cluster mode is nonsecure.
Command Modes
The following table shows the modes in which you can enter the command:
Phone-proxy configuration
•
—
•
—
—
Command History
Usage Guidelines
When you are configuring the Phone Proxy to run in mixed-mode clusters (both secure and nonsecure modes), you must also configure the LDC issuer in case some phones are configured to be in authenticated or encrypted mode:
hostname(config)# crypto key generate rsa label ldc_signer_key modulus 1024hostname(config)# crypto key generate rsa label phone_common modulus 1024hostname(config)# tls-proxy my_proxyhostname(config-tlsp)# server trust-point internal_PP_myctlhostname(config-tlsp)# client ldc issuer ldc_serverhostname(config-tlsp)# client ldc keypair phone_commonExamples
The following example shows the use of the cluster-mode command to set the security mode of the Phone Proxy to mixed (the IP phones will operate in secure and nonsecure modes):
hostname(config-phone-proxy)# cluster-mode mixedRelated Commands
phone-proxy
Configures the Phone Proxy instance.
tls-proxy
Configures the TLS proxy instance.
cluster port
To set the UDP port for the virtual load-balancing cluster, use the cluster port command in vpn load-balancing configuration mode. To remove the port specification, use the no form of this command.
cluster port port
no cluster port [port]
Syntax Description
Defaults
The default cluster port is 9023.
Command Modes
The following table shows the modes in which you can enter the command:
Vpn load-balancing configuration
•
—
•
—
—
Command History
Usage Guidelines
You must first use the vpn load-balancing command to enter vpn load-balancing configuration mode.
You can specify any valid UDP port number. The range is 1-65535.
If you specify a value for port in the no cluster port form of the command, the port number specified must match the existing configured port number.
Examples
The following example shows a VPN load-balancing command sequence that includes a cluster port address command that sets the UDP port for the virtual load-balancing cluster to 9023:
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# cluster port 9023hostname(config-load-balancing)# participateRelated Commands
command-alias
To create an alias for a command, use the command-alias command in global configuration mode. To remove the alias, use the no form of this command. When you enter the command alias, the original command is invoked. You might want to create command aliases to provide shortcuts for long commands, for example.
command-alias mode command_alias original_command
no command-alias mode command_alias original_command
Syntax Description
Defaults
By default, the following user EXEC mode aliases are configured:
h for help
lo for logout
p for ping
s for show
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
You can create an alias for the first part of any command and still enter the additional keywords and arguments as normal.
When you use CLI help, command aliases are indicated by an asterisk (*), and displayed in the following format:
*command-alias=original-commandFor example, the lo command alias displays along with other privileged EXEC mode commands that start with "lo," as follows:
hostname# lo?*lo=logout login logoutYou can use the same alias in different modes. For example, you can use "happy" in privileged EXEC mode and configuration mode to alias different commands, as follows:
hostname(config)# happy?configure mode commands/options:*happy="username crichton password test"exec mode commands/options:*happy=enableTo list only commands and omit aliases, begin your input line with a space. Also, to circumvent command aliases, use a space before entering the command. In the following example, the alias happy is not shown, because there is a space before the happy? command.
hostname(config)# alias exec test enablehostname(config)# exithostname# happy?ERROR: % Unrecognized commandAs with commands, you can use CLI help to display the arguments and keywords that can follow a command alias.
You must enter the complete command alias. Shortened aliases are not accepted. In the following example, the parser does not recognize the command hap as indicating the alias happy:
hostname# hap% Ambiguous command: "hap"Examples
The following example shows how to create a command alias named "save" for the copy running-config startup-config command:
hostname(config)# command-alias exec save copy running-config startup-confighostname(config)# exithostname# saveSource filename [running-config]?Cryptochecksum: 50d131d9 8626c515 0c698f7f 613ae54e2209 bytes copied in 0.210 secshostname#Related Commands
clear configure command-alias
Clears all non-default command aliases.
show running-config command-alias
Displays all non-default command aliases configured.
command-queue
To specify the maximum number of MGCP commands that are queued while waiting for a response, use the command-queue command in mgcp-map configuration mode. To remove the configuration, use the no form of this command.
command-queue limit
no command-queue limit
Syntax Description
Defaults
This command is disabled by default.
The default for the MGCP command queue is 200.
Command Modes
The following table shows the modes in which you can enter the command:
Mgcp-map configuration
·
·
·
·
—
Command History
Usage Guidelines
Use the command-queue command to specify the maximum number of MGCP commands that are queued while waiting for a response. The range of allowed values is from 1 to 4294967295. The default is 200. When the limit has been reached and a new command arrives, the command that has been in the queue for the longest time is removed.
Examples
The following example limits the MGCP command queue to 150 commands:
hostname(config)# mgcp-map mgcp_policyhostname(config-mgcp-map)#command-queue 150Related Commands
compatible rfc1583
To restore the method that is used to calculate the summary route costs per RFC 1583, use the compatible rfc1583 command in router configuration mode. To disable RFC 1583 compatibility, use the no form of this command.
compatible rfc1583
no compatible rfc1583
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
Only the no form of this command appears in the configuration.
Examples
The following example shows how to disable RFC 1583-compatible route summary cost calculation:
hostname(config-router)# no compatible rfc1583hostname(config-router)#Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
compression
To enable compression for SVC connections and WebVPN connections, use the compression command from global configuration mode. To remove the command from the configuration, use the no form of the command.
compression {all | svc | http-comp}
no compression {all | svc | http-comp}
Syntax Description
all
Specifies enabling all available compression techniques.
svc
Specifies compression for SVC connections.
http-comp
Specifies compression for WebVPN connections.
Defaults
The default is all. All available compression techniques are enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
For SVC connections, the compression command configured from global configuration mode overrides the svc compression command configured in group policy webvpn and username webvpn modes.
For example, if you enter the svc compression command for a certain group from group policy webvpn mode, and then you enter no compression command from global configuration mode, you override the svc compression command settings that you configured for the group.
Conversely, if you turn compression back on with the compression command from global configuration mode, any group settings take effect, and those settings ultimately determine the compression behavior.
If you disable compression with the no compression command, only new connections are affected. Active connections remain unaffected.
Examples
In the following example, compression is turned on for SVC connections:
hostname(config)# compression svcIn the next example, compression is disabled for SVC and WebVPN connections:
hostname(config)# no compression svc http-compRelated Commands
config-register
To set the configuration register value that is used the next time you reload the security appliance, use the config-register command in global configuration mode. To set the value back to the default, use the no form of this command. This command is only supported on the ASA 5500 adaptive security appliance. The configuration register value determines which image to boot from as well as other boot parameters.
config-register hex_value
no config-register
Syntax Description
hex_value
Sets the configuration register value as a hexadecimal number from 0x0 to 0xFFFFFFFF. This number represents 32 bits and each hexadecimal character represents 4 bits. Each bit controls a different characteristic. However, bits 32 through 20 are either reserved for future use, cannot be set by the user, or are not currently used by the security appliance; therefore, you can ignore the three characters that represent those bits, because they are always set to 0. The relevent bits are represented by 5 hexadecimal characters: 0xnnnnn.
You do not need to include preceding 0s. You do need to include trailing 0s. For example, 0x2001 is equivalent to 0x02001; but 0x10000 requires all the zeros. See Table 8-1 for more information about available values for the relevant bits.
Defaults
The default value is 0x1, which boots from the local image and startup configuration.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
The five characters are numbered from 0 to 4 from right to left, which is standard for hexadecimal and binary numbers. You can select one value for each character, and mix and match values as appropriate. For example, you can select either 0 or 2 for character number 3. Some values take priority if they conflict with other values. For example, if you set 0x2011, which sets the security appliance to both boot from the TFTP server and to boot from the local image, the security appliance boots from the TFTP server. Because this value also stipulates that if the TFTP boot fails, the security appliance should boot directly into ROMMON, then the action that specifies to boot from the default image is ignored.
A value of 0 means no action unless otherwise specified.
Table 8-1 lists the actions associated with each hexadecimal character; choose one value for each character:
Table 8-1 Configuration Register Values
0x
0
0
01
02
02
1
Disables the 10 second ROMMON countdown during startup. Normally, you can press Escape during the countdown to enter ROMMON.
2
If you set the security appliance to boot from a TFTP server, and the boot fails, then this value boots directly into ROMMON.
1
Boots from the TFTP server image as specified in the ROMMON Boot Parameters (which is the same as the boot system tftp command, if present). This value takes precedence over a value set for character 1.
1
Boots the image specified by the first boot system local_flash command. If that image does not load, the security appliance tries to boot each image specified by subsequent boot system commands until it boots successfully.
3, 5, 7, 9
Boots the image specified by a particular boot system local_flash command. Value 3 boots the image specified in the first boot system command, value 5 boots the second image, and so on.
If the image does not boot successfully, the security appliance does not attempt to fall back to other boot system command images (this is the difference between using value 1 and value 3). However, the security appliance has a failsafe feature that in the event of a boot failure attempts to boot from any image found in the root directory of internal Flash memory. If you do not want the failsafe feature to take effect, store your images in a different directory than root.
43
Ignores the startup configuration and loads the default configuration.
2, 4, 6, 8
From ROMMON, if you enter the boot command without any arguments, then the security appliance boots the image specified by a particular boot system local_flash command. Value 3 boots the image specified in the first boot system command, value 5 boots the second image, and so on. This value does not automatically boot an image.
5
Performs both actions above.
1 Reserved for future use.
2 If character numbers 0 and 1 are not set to automatically boot an image, then the security appliance boots directly into ROMMON.
3 If you disable password recovery using the service password-recovery command, then you cannot set the configuration register to ignore the startup configuration.
The configuration register value is not replicated to a standby unit, but the following warning is displayed when you set the configuration register on the active unit:
WARNING The configuration register is not synchronized with the standby, their values may not match.You can also set the configuration register value in ROMMON using the confreg command.
Examples
The following example sets the configuration register to boot from the default image:
hostname(config)# config-register 0x1Related Commands
boot
Sets the boot image and startup configuration.
service password-recovery
Enables or disables password recovery.
configure factory-default
To restore the configuration to the factory default, use the configure factory-default command in global configuration mode. The factory default configuration is the configuration applied by Cisco to new security appliances. This command is supported on all platforms except for the PIX 525 and PIX 535 security appliances.
configure factory-default [ip_address [mask]]
Syntax Description
ip_address
Sets the IP address of the management or inside interface, instead of using the default address, 192.168.1.1. See the "Usage Guidelines" sections for more information about which interface is configured for your model.
mask
Sets the subnet mask of the interface. If you do not set a mask, the security appliance uses the mask appropriate for the IP address class.
Defaults
The default IP address and mask are 192.168.1.1 and 255.255.255.0.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
7.2(1)
A factory default configuration was added for the ASA 5505 adaptive security appliance.
Usage Guidelines
For the PIX 515/515E and the ASA 5510 and higher security appliances, the factory default configuration automatically configures an interface for management so you can connect to it using ASDM, with which you can then complete your configuration. For the ASA 5505 adaptive security appliance, the factory default configuration automatically configures interfaces and NAT so that the security appliance is ready to use in your network.
This command is available only for routed firewall mode; transparent mode does not support IP addresses for interfaces, and setting the interface IP address is one of the actions this command takes. This command is also only available in single context mode; a security appliance with a cleared configuration does not have any defined contexts to automatically configure using this command.
This command clears the current running configuration and then configures several commands.
If you set the IP address in the configure factory-default command, then the http command uses the subnet you specify. Similarly, the dhcpd address command range consists of addresses within the subnet that you specify.
After you restore the factory default configuration, save it to internal Flash memory using the write memory command. The write memory command saves the running configuration to the default location for the startup configuration, even if you previously configured the boot config command to set a different location; when the configuration was cleared, this path was also cleared.
Note
To configure additional settings that are useful for a full configuration, see the setup command.
ASA 5505 Adaptive Security Appliance Configuration
The default factory configuration for the ASA 5505 adaptive security appliance configures the following:
•
•
•
•
•
•
•
The configuration consists of the following commands:
interface Ethernet 0/0switchport access vlan 2no shutdowninterface Ethernet 0/1switchport access vlan 1no shutdowninterface Ethernet 0/2switchport access vlan 1no shutdowninterface Ethernet 0/3switchport access vlan 1no shutdowninterface Ethernet 0/4switchport access vlan 1no shutdowninterface Ethernet 0/5switchport access vlan 1no shutdowninterface Ethernet 0/6switchport access vlan 1no shutdowninterface Ethernet 0/7switchport access vlan 1no shutdowninterface vlan2nameif outsideno shutdownip address dhcp setrouteinterface vlan1nameif insideip address 192.168.1.1 255.255.255.0security-level 100no shutdownglobal (outside) 1 interfacenat (inside) 1 0 0http server enablehttp 192.168.1.0 255.255.255.0 insidedhcpd address 192.168.1.2-192.168.1.254 insidedhcpd auto_config outsidedhcpd enable insidelogging asdm informationalASA 5510 and Higher Adaptive Security Appliance Configuration
The default factory configuration for the ASA 5510 and higher adaptive security appliance configures the following:
•
•
•
The configuration consists of the following commands:
interface management 0/0ip address 192.168.1.1 255.255.255.0nameif managementsecurity-level 100no shutdownasdm logging informational 100asdm history enablehttp server enablehttp 192.168.1.0 255.255.255.0 managementdhcpd address 192.168.1.2-192.168.1.254 managementdhcpd lease 3600dhcpd ping_timeout 750dhcpd enable managementPIX 515/515E Security Appliance Configuration
The default factory configuration for the PIX 515/515E security appliance configures the following:
•
•
•
The configuration consists of the following commands:
interface ethernet 1ip address 192.168.1.1 255.255.255.0nameif managementsecurity-level 100no shutdownasdm logging informational 100asdm history enablehttp server enablehttp 192.168.1.0 255.255.255.0 managementdhcpd address 192.168.1.2-192.168.1.254 managementdhcpd lease 3600dhcpd ping_timeout 750dhcpd enable managementExamples
The following example resets the configuration to the factory default, assigns the IP address 10.1.1.1 to the interface, and then saves the new configuration as the startup configuration:
hostname(config)# configure factory-default 10.1.1.1 255.255.255.0Based on the inside IP address and mask, the DHCP addresspool size is reduced to 253 from the platform limit 256WARNING: The boot system configuration will be cleared.The first image found in disk0:/ will be used to boot thesystem on the next reload.Verify there is a valid image on disk0:/ or the system willnot boot.Begin to apply factory-default configuration:Clear all configuration...hostname(config)#hostname(config)# copy running-config startup-configRelated Commands
configure http
To merge a configuration file from an HTTP(S) server with the running configuration, use the configure http command in global configuration mode. This command supports IPv4 and IPv6 addresses.
configure http[s]://[user[:password]@]server[:port]/[path/]filename
Syntax Description
Defaults
For HTTP, the default port is 80. For HTTPS, the default port is 443.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
A merge adds all commands from the new configuration to the running configuration, and overwrites any conflicting commands with the new versions. For example, if a command allows multiple instances, the new commands are added to the existing commands in the running configuration. If a command allows only one instance, the new command overwrites the command in the running configuration. A merge never removes commands that exist in the running configuration but are not set in the new configuration.
This command is the same as the copy http running-config command. For multiple context mode, that command is only available in the system execution space, so the configure http command is an alternative for use within a context.
Examples
The following example copies a configuration file from an HTTPS server to the running configuration:
hostname(config)# configure https://user1:pa$$w0rd@10.1.1.1/configs/newconfig.cfgRelated Commands
configure memory
To merge the startup configuration with the running configuration, use the configure memory command in global configuration mode.
configure memory
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
A merge adds all commands from the new configuration to the running configuration, and overwrites any conflicting commands with the new versions. For example, if a command allows multiple instances, the new commands are added to the existing commands in the running configuration. If a command allows only one instance, the new command overwrites the command in the running configuration. A merge never removes commands that exist in the running configuration but are not set in the new configuration.
If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the security appliance, and then enter the configure memory command to load the new configuration.
This command is equivalent to the copy startup-config running-config command.
For multiple context mode, a context startup configuration is at the location specified by the config-url command.
Examples
The following example copies the startup configuration to the running configuration:
hostname(config)# configure memoryRelated Commands
configure net
To merge a configuration file from a TFTP server with the running configuration, use the configure net command in global configuration mode. This command supports IPv4 and IPv6 addresses.
configure net [server:[filename] | :filename]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
A merge adds all commands from the new configuration to the running configuration, and overwrites any conflicting commands with the new versions. For example, if a command allows multiple instances, the new commands are added to the existing commands in the running configuration. If a command allows only one instance, the new command overwrites the command in the running configuration. A merge never removes commands that exist in the running configuration but are not set in the new configuration.
This command is the same as the copy tftp running-config command. For multiple context mode, that command is only available in the system execution space, so the configure net command is an alternative for use within a context.
Examples
The following example sets the server and filename in the tftp-server command, and then overrides the server using the configure net command. The same filename is used.
hostname(config)# tftp-server inside 10.1.1.1 configs/config1hostname(config)# configure net 10.2.2.2:The following example overrides the server and the filename. The default path to the filename is /tftpboot/configs/config1. The /tftpboot/ part of the path is included by default when you do not lead the filename with a slash (/). Because you want to override this path, and the file is also in tftpboot, include the tftpboot path in the configure net command.
hostname(config)# tftp-server inside 10.1.1.1 configs/config1hostname(config)# configure net 10.2.2.2:/tftpboot/oldconfigs/config1The following example sets the server only in the tftp-server command. The configure net command specifies only the filename.
hostname(config)# tftp-server inside 10.1.1.1hostname(config)# configure net :configs/config1Related Commands
configure terminal
To configure the running configuration at the command line, use the configure terminal command in privileged EXEC mode. This command enters global configuration mode, which lets you enter commands that change the configuration.
configure terminal
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Examples
The following example enters global configuration mode:
hostname# configure terminalhostname(config)#Related Commands
config-url
To identify the URL from which the system downloads the context configuration, use the config-url command in context configuration mode.
config-url url
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Context configuration
•
•
—
—
•
Command History
Usage Guidelines
When you add a context URL, the system immediately loads the context so that it is running.
Note
The filename does not require a file extension, although we recommend using ".cfg".
The admin context file must be stored on the internal Flash memory.
If you download a context configuration from an HTTP or HTTPS server, you cannot save changes back to these servers using the copy running-config startup-config command. You can, however, use the copy tftp command to copy the running configuration to a TFTP server.
If the system cannot retrieve the context configuration file because the server is unavailable, or the file does not yet exist, the system creates a blank context that is ready for you to configure with the command-line interface.
To change the URL, reenter the config-url command with a new URL.
The security appliance merges the new configuration with the current running configuration. Reentering the same URL also merges the saved configuration with the running configuration. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results. If the running configuration is blank (for example, if the server was unavailable and the configuration was never downloaded), then the new configuration is used. If you do not want to merge the configurations, you can clear the running configuration, which disrupts any communications through the context, and then reload the configuration from the new URL.
Examples
The following example sets the admin context to be "administrator," creates a context called "administrator" on the internal Flash memory, and then adds two contexts from an FTP server:
hostname(config)# admin-context administratorhostname(config)# context administratorhostname(config-ctx)# allocate-interface gigabitethernet0/0.1hostname(config-ctx)# allocate-interface gigabitethernet0/1.1hostname(config-ctx)# config-url flash:/admin.cfghostname(config-ctx)# context testhostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2hostname(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfghostname(config-ctx)# context samplehostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfgRelated Commands
console timeout
To set the idle timeout for a console connection to the security appliance, use the console timeout command in global configuration mode. To disable, use the no form of this command.
console timeout number
no console timeout [number]
Syntax Description
Defaults
The default timeout is 0, which means the console session will not time out.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The console timeout command sets the timeout value for any authenticated, enable mode, or configuration mode user session to the security appliance. The console timeout command does not alter the Telnet or SSH timeouts; these access methods maintain their own timeout values.
The no console timeout command resets the console timeout value to the default timeout of 0, which means that the console will not time out.
Examples
The following example shows how to set the console timeout to 15 minutes:
hostname(config)# console timeout 15Related Commands
content-length
To restrict HTTP traffic based on the length of the HTTP message body, use the content-length command in http-map configuration mode. To remove this command, use the no form of this command.
content-length { min bytes [max bytes] | max bytes] } action {allow | reset | drop} [log]
no content-length { min bytes [max bytes] | max bytes] } action {allow | reset | drop} [log]
Syntax Description
Defaults
This command is disabled by default.Command Modes
The following table shows the modes in which you can enter the command:
Http-map configuration
•
•
•
•
—
Command History
Usage Guidelines
After enabling the content-length command, the security appliance only allows messages within the configured range and otherwise takes the specified action. Use the action keyword to cause the security appliance to reset the TCP connection and create a syslog entry.
Examples
The following example restricts HTTP traffic to messages 100 bytes or larger and not exceeding 2000 bytes. If a message is outside this range, the security appliance resets the TCP connection and creates a syslog entry.
hostname(config)# http-map inbound_httphostname(config-http-map)# content-length min 100 max 2000 action reset loghostname(config-http-map)# exitRelated Commands
context
To create a security context in the system configuration and enter context configuration mode, use the context command in global configuration mode. To remove a context, use the no form of this command. In context configuration mode, you can identify the configuration file URL and interfaces that a context can use.
context name
no context name [noconfirm]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
If you do not have an admin context (for example, if you clear the configuration) then the first context you add must be the admin context. To add an admin context, see the admin-context command. After you specify the admin context, you can enter the context command to configure the admin context.
You can only remove a context by editing the system configuration. You cannot remove the current admin context using the no form of this command; you can only remove it if you remove all contexts using the clear configure context command.
Examples
The following example sets the admin context to be "administrator," creates a context called "administrator" on the internal Flash memory, and then adds two contexts from an FTP server:
hostname(config)# admin-context administratorhostname(config)# context administratorhostname(config-ctx)# allocate-interface gigabitethernet0/0.1hostname(config-ctx)# allocate-interface gigabitethernet0/1.1hostname(config-ctx)# config-url flash:/admin.cfghostname(config-ctx)# context testhostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2hostname(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfghostname(config-ctx)# context samplehostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfgRelated Commands
copy
To copy a file from one location to another, use the copy command in privileged EXEC mode.
copy [/noconfirm | /pcap] {url | running-config | startup-config} {running-config | startup-config | url}
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
7.0(1)
This command was introduced.
7.2(1)
Added support for DNS names.
8.0(2)
Added the smb: URL option
Usage Guidelines
When you copy a configuration to the running configuration, you merge the two configurations. A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results.
Examples
The following example shows how to copy a file from the disk to a TFTP server in the system execution space:
hostname(config)# copy disk0:my_context/my_context.cfg tftp://10.7.0.80/my_context/my_context.cfgThe following example shows how to copy a file from one location on the disk to another location on the disk. The name of the destination file can be either the name of the source file or a different name.
hostname(config)# copy disk0:my_context.cfg disk:my_context/my_context.cfgThe following example shows how to copy an ASDM file from a TFTP server to the internal Flash memory:
hostname(config)# copy tftp://10.7.0.80/asdm700.bin disk0:asdm700.binThe following example shows how to copy the running configuration in a context to a TFTP server:
hostname(config)# copy running-config tftp://10.7.0.80/my_context/my_context.cfgThe copy command supports DNS names as well as IP addresses as shown in this version of the preceding example:
hostname(config)# copy running-config tftp://www.example.com/my_context/my_context.cfgRelated Commands
copy capture
To copy a capture file to a server, use the copy capture command in privileged EXEC mode.
copy [/noconfirm] [/pcap] capture: [context_name/]buffer_name url
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Examples
The following example shows the prompts that are provided when you enter the copy capture command without specifying the full path:
hostname(config)# copy capture:abc tftpAddress or name of remote host [171.68.11.129]?Source file name [username/cdisk]?copying capture to tftp://171.68.11.129/username/cdisk:[yes|no|again]? y!!!!!!!!!!!!!You can specify the full path as follows:
hostname(config)# copy capture:abc tftp:171.68.11.129/tftpboot/abc.capIf the TFTP server is already configured, the location or filename can be unspecified as follows:
hostname(config)# tftp-server outside 171.68.11.129 tftp/cdiskhostname(config)# copy capture:abc tftp:/tftp/abc.capRelated Commands
cpu profile activate
To start CPU profile collection information, use the cpu profile activate command in privileged EXEC mode.
cpu profile activate n-samples
Syntax Description
n-samples
Allocates memory for storing n number of samples. Values are 1 to 100000, and 1000 is the default.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The show cpu profile command can be used in conjunction with the cpu profile activate command to display information that can be collected and used by the TAC to aid in troubleshooting CPU issues. The information displayed by the show cpu profile command is in hexadecimal.
Examples
The following example activates the profiler and instructs it to store 5000 samples.
hostname# cpu profile activate 5000Activated CPU profiling for 5000 samples.Use the show cpu profile command to see the results.
Note
hostname# show cpu profileCPU profiling started: 07:54:40.888 PDT Fri Sep 1 2006 CPU profiling currently in progress, 1640 out of 5000 samples collected.Once it is complete, the show cpu profile command output will provide the results. Copy this information and provide to the TAC to be decoded.
hostname# show cpu profileCPU profiling started: 07:54:40.888 PDT Fri Sep 1 2006 Profiling finished, 5000 samples:00c483f5 00115283 002199d3 001151d1 002199e5 00116258 002199fc 00115230 0021984e 002198f6 00c48496 00219803 004a55b1 002198b1 00c484d9 00c4847200116258 00c48401 002199f3 00c48401 00c484b2 004a5580 0011520a 002198b400116258 00219807 0011520a 00116258 002198a9 00116258 00219a2e 00112009 0021989c 00fff023 008be861 0011525e 002198be 0021984e 00115277 00219807 002199d0 00114a6d 002198af 0011520a 00115260 00115274 004a55a6 00c4847200c48472 00c48496 002199f9 002198ad 00c484c4 004a55a6 00115260 002198f4 0011528e 002198e0 00c484bb 00c48496 00c484a6 002199f3 00219810 001161d6 .Related Commands
show cpu profile
Displays the cpu profile activation information for use with the TAC.
crashinfo console disable
To read, write, and configure crash write to flash, use the crashinfo console disable command in global configuration mode.
crashinfo console disable
no crashinfo console disable
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
This command lets you suppress crashinfo from being output to the console. The crashinfo may contain sensitive information that is not appropriate for viewing by all users connected to the device. In conjunction with this command, you should also ensure crashinfo is written to flash, which can be examined after the device reboots. This command effects output for crashinfo and checkheaps, which is saved to flash and should be sufficient for troubleshooting.
Examples
hostname(config)# crashinfo console disableRelated Commands
crashinfo force
To force the security appliance to crash, use the crashinfo force command in privileged EXEC mode.
crashinfo force [page-fault | watchdog]
Syntax Description
page-fault
(Optional) Forces a crash of the security appliance as a result of a page fault.
watchdog
(Optional) Forces a crash of the security appliance as a result of watchdogging.
Defaults
The security appliance saves the crash information file to flash memory by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
You can use the crashinfo force command to test the crash output generation. In the crash output, there is nothing that differentiates a real crash from a crash resulting from the crashinfo force page-fault or crashinfo force watchdog command (because these are real crashes). The security appliance reloads after the crash dump is complete.
Caution
Examples
The following example shows the warning that displays when you enter the crashinfo force page-fault command:
hostname# crashinfo force page-faultWARNING: This command will force the XXX to crash and reboot.Do you wish to proceed? [confirm]:If you enter a carriage return (by pressing the Return or Enter key on your keyboard), "Y", or "y" the security appliance crashes and reloads; any of these responses are interpreted as confirmation. Any other character is interpreted as a no, and the security appliance returns to the command-line prompt.
Related Commands
crashinfo save disable
To disable crash information from writing to Flash memory, use the crashinfo save command in global configuration mode. To allow the crash information to be written to Flash memory, and return to the default behavior, use the no form of this command.
crashinfo save disable
no crashinfo save disable
Syntax Description
This command has no default arguments or keywords.
Defaults
The security appliance saves the crash information file to Flash memory by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
7.0(1)
The crashinfo save enable command was deprecated and is no longer a valid option. Use the no crashinfo save disable command instead.
Usage Guidelines
Crash information writes to Flash memory first, and then to your console.
Note
Use the no crashinfo save disable command to re-enable saving the crash information to Flash memory.
Examples
hostname(config)# crashinfo save disableRelated Commands
crashinfo test
To test the ability of the security appliance to save crash information to a file in flash memory, use the crashinfo test command in privileged EXEC mode.
crashinfo test
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
If a previous crash information file already exists in flash memory, that file is overwritten.
Note
Examples
The following example shows the output of a crash information file test.
hostname# crashinfo testRelated Commands
crl
To specify CRL configuration options, use the crl command in crypto ca trustpoint configuration mode.
crl {required | optional | nocheck}
Syntax Description
Defaults
The default value is nocheck.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
—
•
—
—
Command History
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and requires that a CRL be available for a peer certificate to be validated for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl requiredhostname(ca-trustpoint)#Related Commands
clear configure crypto ca trustpoint
Removes all trustpoints.
crypto ca trustpoint
Enters trustpoint submode.
crl configure
Enters crl configuration mode.
crl configure
To enter CRL configuration mode, use the crl configure command in crypto ca trustpoint configuration mode.
crl configure
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpoint configuration
•
—
•
—
—
Command History
Examples
The following example enters crl configuration mode within trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)#Related Commands
clear configure crypto ca trustpoint
Removes all trustpoints.
crypto ca trustpoint
Enters trustpoint configuration mode.
