-
Cisco ASA 5500 Series Command Reference, 8.2
-
About This Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show ddns -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config ldap -- show running-config webvpn auto-signon
-
show service-policy -- show xlate
-
shun -- sysopt radius ignore-secret
-
- T through Z Commands
-
Feedback
Table Of Contents
gateway through hw-module module shutdown Commands
hic-fail-group-policy (deprecated)
hw-module module password-reset
gateway through hw-module module shutdown Commands
gateway
To specify which group of call agents are managing a particular gateway, use the gateway command in MGCP map configuration mode. To remove the configuration, use the no form of this command.
gateway ip_address [group_id]
Syntax Description
gateway
Specifies the group of call agents that are managing a particular gateway
ip_address
The IP address of the gateway.
group_id
The ID of the call agent group, from 0 to 2147483647.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
MGCP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the gateway command to specify which group of call agents are managing a particular gateway. The IP address of the gateway is specified with the ip_address option. The group_id option is a number from 0 to 4294967295 that must correspond with the group_id of the call agents that are managing the gateway. A gateway may only belong to one group.
Examples
The following example allows call agents 10.10.11.5 and 10.10.11.6 to control gateway 10.10.10.115, and allows call agents 10.10.11.7 and 10.10.11.8 to control both gateways 10.10.10.116 and 10.10.10.117:
hostname(config)# mgcp-map mgcp_policyhostname(config-mgcp-map)# call-agent 10.10.11.5 101hostname(config-mgcp-map)# call-agent 10.10.11.6 101hostname(config-mgcp-map)# call-agent 10.10.11.7 102hostname(config-mgcp-map)# call-agent 10.10.11.8 102hostname(config-mgcp-map)# gateway 10.10.10.115 101hostname(config-mgcp-map)# gateway 10.10.10.116 102hostname(config-mgcp-map)# gateway 10.10.10.117 102Related Commands
global
To create a pool of mapped addresses for NAT, use the global command in global configuration mode. To remove the pool of addresses, use the no form of this command.
global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}
no global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given interface that you want to translate. Then you configure a separate global command to specify the mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat command matches a global command by comparing the NAT ID, a number that you assign to each command.
See the nat command for more information about dynamic NAT and PAT.
If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using clear xlate command. However, clearing the translation table disconnects all of the current connections.
Examples
For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following command:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0hostname(config)# global (outside) 1 209.165.201.5hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20To translate the lower security dmz network addresses so they appear to be on the same network as the inside network (10.1.1.0), for example, to simplify routing, enter the following commands:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dnshostname(config)# global (inside) 1 10.1.1.45To identify a single real address with two different destination addresses using policy NAT, enter the following commands:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000hostname(config)# global (outside) 1 209.165.202.129hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000hostname(config)# global (outside) 2 209.165.202.130To identify a single real address/destination address pair that use different ports using policy NAT, enter the following commands:
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23hostname(config)# nat (inside) 1 access-list WEBhostname(config)# global (outside) 1 209.165.202.129hostname(config)# nat (inside) 2 access-list TELNEThostname(config)# global (outside) 2 209.165.202.130Related Commands
group-alias
To create one or more alternate names by which the user can refer to a tunnel-group, use the group-alias command in tunnel-group webvpn configuration mode. To remove an alias from the list, use the no form of this command.
group-alias name [enable | disable]
no group-alias name
Syntax Description
Defaults
No default group alias, but if you do specify a group alias, that alias is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
The group alias that you specify here appears in the drop-down list on the login page. Each group can have multiple aliases or no alias. This command is useful when the same group is known by several common names, such as "Devtest" and "QA".
Examples
The following example shows the commands for configuring the webvpn tunnel group named "devtest" and establishing the aliases "QA" and "Fra-QA" for the group:
hostname(config)# tunnel-group devtest type webvpnhostname(config)# tunnel-group devtest webvpn-attributeshostname(config-tunnel-webvpn)# group-alias QAhostname(config-tunnel-webvpn)# group-alias Fra-QAhostname(config-tunnel-webvpn)#Related Commands
group-delimiter
To enable group-name parsing and specify the delimiter to be used when parsing group names from the user names that are received when tunnels are being negotiated, use the group-delimiter command in global configuration mode. To disable this group-name parsing, use the no form of this command.
group-delimiter delimiter
no group-delimiter
Syntax Description
Defaults
By default, no delimiter is specified, disabling group-name parsing.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The delimiter is used to parse tunnel group names from user names when tunnels are negotiated. By default, no delimiter is specified, disabling group-name parsing.
Examples
This example shows the group-delimiter command to change the group delimiter to the hash mark (#):
hostname(config)# group-delimiter #Related Commands
group-lock
To restrict remote users to access through the tunnel group only, issue the group-lock command in group-policy configuration mode or username configuration mode.
To remove the group-lock attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy.
group-lock {value tunnel-grp-name | none}
no group-lock
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policyconfiguration
•
—
•
—
—
Username configuration
•
—
•
—
—
Usage Guidelines
To disable group-lock, use the group-lock none command.
Group-lock restricts users by checking if the group configured in the VPN Client is the same as the tunnel group to which the user is assigned. If it is not, the adaptive security appliance prevents the user from connecting. If you do not configure group-lock, the adaptive security appliance authenticates users without regard to the assigned group.
Command History
Examples
The following example shows how to set group lock for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# group-lock value tunnel group namegroup-object
To add network object groups, use the group-object command in protocol, network, service, and icmp-type configuration modes. To remove network object groups, use the no form of this command.
group-object obj_grp_id
no group-object obj_grp_id
Syntax Description
obj_grp_id
Identifies the object group (one to 64 characters) and can be any combination of letters, digits, and the "_", "-", "." characters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Protocol, network, service, icmp-type configuration
•
•
•
•
—
Command History
Usage Guidelines
The group-object command is used with the object-group command to define an object that itself is an object group. It is used in protocol, network, service, and icmp-type configuration modes. This sub-command allows logical grouping of the same type of objects and construction of hierarchical object groups for structured configuration.
Duplicate objects are allowed in an object group if they are group objects. For example, if object 1 is in both group A and group B, it is allowed to define a group C which includes both A and B. It is not allowed, however, to include a group object which causes the group hierarchy to become circular. For example, it is not allowed to have group A include group B and then also have group B include group A.
The maximum allowed levels of a hierarchical object group is 10.
Note
Examples
The following example shows how to use the group-object command in network configuration mode eliminate the need to duplicate hosts:
hostname(config)# object-group network host_grp_1hostname(config-network)# network-object host 192.168.1.1hostname(config-network)# network-object host 192.168.1.2hostname(config-network)# exithostname(config)# object-group network host_grp_2hostname(config-network)# network-object host 172.23.56.1hostname(config-network)# network-object host 172.23.56.2hostname(config-network)# exithostname(config)# object-group network all_hostshostname(config-network)# group-object host_grp_1hostname(config-network)# group-object host_grp_2hostname(config-network)# exithostname(config)# access-list grp_1 permit tcp object-group host_grp_1 any eq ftphostname(config)# access-list grp_2 permit tcp object-group host_grp_2 any eq smtphostname(config)# access-list all permit tcp object-group all-hosts any eq wRelated Commands
group-policy
To create or edit a group policy, use the group-policy command in global configuration mode. To remove a group policy from the configuration, use the no form of this command.
group-policy name {internal [from group-policy_name] | external server-group server_group password server_password}
no group-policy name
Syntax Description
Defaults
No default behavior or values. See Usage Guidelines.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
A default group policy, named "DefaultGroupPolicy," always exists on the adaptive security appliance. However, this default group policy does not take effect unless you configure the adaptive security appliance to use it. For configuration instructions, see the Cisco ASA 5500 Series Configuration Guide using the CLI.
Use the group-policy attributes command to enter config-group-policy mode, in which you can configure any of the group-policy Attribute-Value Pairs. The DefaultGroupPolicy has these Attribute-Value Pairs:
In addition, you can configure webvpn-mode attributes for the group policy, either by entering the webvpn command in config-group-policy mode or by entering the group-policy attributes command and then entering the webvpn command in config-group-webvpn mode. See the description of the group-policy attributes command for details.
Examples
The following example shows how to create an internal group policy with the name "FirstGroup":
hostname(config)#group-policy FirstGroup internalThe next example shows how to create an external group policy with the name "ExternalGroup," the AAA server group "BostonAAA," and the password "12345678":
hostname(config)#group-policy ExternalGroup external server-group BostonAAA password 12345678Related Commands
group-policy attributes
To enter the config-group-policy mode, use the group-policy attributes command in global configuration mode. To remove all attributes from a group policy, user the no version of this command. In config-group-policy mode, you can configure Attribute-Value Pairs for a specified group policy or enter group-policy webvpn configuration mode to configure webvpn attributes for the group.
group-policy name attributes
no group-policy name attributes
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The syntax of the commands in attributes mode have the following characteristics in common:
•
•
•
A default group policy, named DefaultGroupPolicy, always exists on the adaptive security appliance. However, this default group policy does not take effect unless you configure the adaptive security appliance to use it. For configuration instructions, see the Cisco ASA 5500 Series Configuration Guide using the CLI.
The group-policy attributes command enters config-group-policy mode, in which you can configure any of the group-policy Attribute-Value Pairs. The DefaultGroupPolicy has these Attribute-Value Pairs:
In addition, you can configure webvpn-mode attributes for the group policy, by entering the group-policy attributes command and then entering the webvpn command in config-group-policy mode. See the description of the webvpn command (group-policy attributes and username attributes modes) for details.
Examples
The following example shows how to enter group-policy attributes mode for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)#Related Commands
group-prompt
To customize the group prompt of the WebVPN page login box that is displayed to WebVPN users when they connect to the security appliance, use the group-prompt command in webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.
group-prompt {text | style} value
no group-prompt {text | style} value
Syntax Description
Defaults
The default text of the group prompt is "GROUP:".
The default style of the group prompt is color:black;font-weight:bold;text-align:right.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn customization configuration
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
In the following example, the text is changed to "Corporate Group:", and the default style is changed with the font weight increased to bolder:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# group-prompt text Corporate Group:F1-asa1(config-webvpn-custom)# group-prompt style font-weight:bolderRelated Commands
password-prompt
Customizes the password prompt of the WebVPN page.
username-prompt
Customizes the username prompt of the WebVPN page.
group-search-timeout
To specify the maximum time to wait for a response from an Active Directory server queried using the show ad-groups command, use the group-search-timeout command in AAA server host configuration mode. To remove the command from the configuration, use the no form of the command:
group-search-timeout seconds
no group-search-timeout seconds
Syntax Description
Defaults
The default is 10 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
aaa-server host configuration
•
—
•
—
—
Command History
Usage Guidelines
The show ad-groups command applies only to Active Directory servers using LDAP, and displays groups that are listed on an Active Directory server. Use the group-search-timeout command to adjust the time to wait for a response from the server.
Examples
The following example sets the timeout to 20 seconds:
hostname(config-aaa-server-host)#group-search-timeout 20Related Commands
group-url
To specify incoming URLs or IP addresses for the group, use the group-url command in tunnel-group webvpn configuration mode. To remove a URL from the list, use the no form of this command.
group-url url [enable | disable ]
no group-url url
Syntax Description
disable
Disables the URL, but does not remove it from the list.
enable
Enables the URL.
url
Specifies a URL or IP address for this tunnel group.
Defaults
There is no default URL or IP address, but if you do specify a URL or IP address, it is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
Specifying a group URL or IP address eliminates the need for the user to select a group at login. When a user logs in, the adaptive security appliance looks for the user's incoming URL/address in the tunnel-group-policy table. If it finds the URL/address and if group-url is enabled in the tunnel group, then the adaptive security appliance automatically selects the associated tunnel group and presents the user with only the username and password fields in the login window. This simplifies the user interface and has the added advantage of never exposing the list of groups to the user. The login window that the user sees uses the customizations configured for that tunnel group.
If the URL/address is disabled and group-alias is configured, then the dropdown list of groups is also displayed, and the user must make a selection.
You can configure multiple URLs/addresses (or none) for a group. Each URL/address can be enabled or disabled individually. You must use a separate group-url command for each URL/address specified. You must specify the entire URL/address, including either the http or https protocol.
You cannot associate the same URL/address with multiple groups. The adaptive security appliance verifies the uniqueness of the URL/address before accepting the URL/address for a tunnel group.
The following example shows the commands for configuring the webvpn tunnel group named "test" and establishing two group URLs, "http://www.cisco.com" and "https://supplier.com" for the group:
hostname(config)# tunnel-group test type webvpnhostname(config)# tunnel-group test webvpn-attributeshostname(config-tunnel-webvpn)# group-url http://www.cisco.comhostname(config-tunnel-webvpn)# group-url https://supplier.company.comhostname(config-tunnel-webvpn)#The following example enables the group URLs http://www.cisco.com and http://192.168.10.10 for the tunnel-group named RadiusServer:
hostname(config)# tunnel-group RadiusServer type webvpnhostname(config)# tunnel-group RadiusServer general-attributeshostname(config-tunnel-general)# authentication server-group RADIUShostname(config-tunnel-general)# accounting-server-group RADIUShostname(config-tunnel-general)# tunnel-group RadiusServer webvpn-attributeshostname(config-tunnel-webvpn)# group-alias "Cisco Remote Access" enablehostname(config-tunnel-webvpn)# group-url http://www.cisco.comenablehostname(config-tunnel-webvpn)# group-url http://192.168.10.10enablehostname(config-tunnel-webvpn)#Related Commands
h245-tunnel-block
To block H.245 tunneling in H.323, use the h245-tunnel-block command in parameters configuration mode. To disable this feature, use the no form of this command.
h245-tunnel-block action [drop-connection | log]
no h245-tunnel-block action [drop-connection | log]
Syntax Description
drop-connection
Drops the call setup connection when H.245 tunnel is detected.
log
Issues a log when H.245 tunnel is detected.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to block H.245 tunneling on an H.323 call:
hostname(config)# policy-map type inspect h323 h323_maphostname(config-pmap)# parametershostname(config-pmap-p)# h245-tunnel-block action drop-connectionRelated Commands
hello-interval
To specify the interval between EIGRP hello packets sent on an interface, use the hello-interval command in interface configuration mode. To return the hello interval to the default value, use the no form of this command.
hello-interval eigrp as-number seconds
no hello-interval eigrp as-number seconds
Syntax Description
as-number
The autonomous system number of the EIGRP routing process.
seconds
Specifies the interval between hello packets that are sent on the interface; valid values are from 1 to 65535 seconds.
Defaults
The default seconds is 5 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
The smaller the hello interval, the faster topological changes will be detected, but more routing traffic will ensue. This value must be the same for all routers and access servers on a specific network.
Examples
The following example sets the EIGRP hello interval to 10 seconds and the hold time to 30 seconds:
hostname(config-if)# hello-interval eigrp 100 10hostname(config-if)# hold-time eigrp 100 30Related Commands
help
To display help information for the command specified, use the help command in user EXEC mode.
help {command | ?}
Syntax Description
command
Specifies the command for which to display the CLI help.
?
Displays all commands that are available in the current privilege level and mode.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
•
Command History
Usage Guidelines
The help command displays help information about all commands. You can see help for an individual command by entering the help command followed by the command name. If you do not specify a command name and enter ? instead, all commands that are available in the current privilege level and mode display.
If you enable the pager command and when 24 lines display, the listing pauses, and the following prompt appears:
<--- More --->The More prompt uses syntax similar to the UNIX more command as follows:
•
•
•
Examples
The following example shows how to display help for the rename command:
hostname#help renameUSAGE:rename /noconfirm [{disk0:|disk1:|flash:}] <source path> [{disk0:|disk1:|flash:}] <destination path>DESCRIPTION:rename Rename a fileSYNTAX:/noconfirm No confirmation{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem<source path> Source file path<destination path> Destination file pathhostname#The following examples shows how to display help by entering the command name and a question mark:
hostname(config)# enable ?usage: enable password <pwd> [encrypted]Help is available for the core commands (not the show, no, or clear commands) by entering ? at the command prompt:
hostname(config)# ?aaa Enable, disable, or view TACACS+ or RADIUSuser authentication, authorization and accounting...Related Commands
hic-fail-group-policy (deprecated)
To specify a group policy to grant a WebVPN user access rights that are different from the default group policy, use the hic-fail-group-policy command in tunnel-group-webvpn configuration mode. The no form of this command sets the group policy to the default group policy.
hic-fail-group-policy name
no hic-fail-group-policy
Syntax Description
Defaults
DfltGrpPolicy
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group-webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
This command is valid only for security appliances with Cisco Secure Desktop installed. Host integrity checking, also called System Detection, involves checking the remote PC for a minimal set of criteria that must be satisfied to apply a VPN feature policy. The adaptive security appliance uses the value of the hic-fail-group-policy attribute to limit access rights to remote CSD users as follows:
•
•
This attribute specifies the name of the failure group policy to be applied. Use a group policy to differentiate access rights from those associated with the default group policy.
Note
For more information, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators.
Examples
The following example creates a WebVPN tunnel group named "FirstGroup" and specifies the failure group policy with the name "group2":
hostname(config)#tunnel-group FirstGroup webvpnhostname(config)#tunnel-group FirstGroup webvpn-attributeshostname(config-tunnel-webvpn)#hic-fail-group-policy group2hostname(config-tunnel-webvpn)#Related Commands
hidden-parameter
To specify hidden parameters in the HTTP POST request that the adaptive security appliance submits to the authenticating web server for SSO authentication, use the hidden-parameter command in aaa-server-host configuration mode. To remove all hidden parameters from the running configuration, use the no form of this command.
hidden-parameter string
no hidden-parameter
Note
Syntax Description
Syntax DescriptionSyntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server-host configuration
•
—
•
—
—
Command History
Usage Guidelines
This is an SSO with HTTP Forms command.
The WebVPN server of the adaptive security appliance uses an HTTP POST request to submit a single sign-on authentication request to an authenticating web server. That request may require specific hidden parameters from the SSO HTML form—other then username and password—that are not visible to the user. You can discover hidden parameters that the web server expects in the POST request by using a HTTP header analyzer on a form received from the web server.
The command hidden-parameter lets you specify a hidden parameter the web server requires in the authentication POST request. If you use a header analyzer, you can copy and paste the whole hidden parameter string including any encoded URL parameters.
For ease of entry, you can enter a hidden parameter on multiple, sequential lines. The adaptive security appliance then concatenates the lines into a single hidden parameter. While the maximum characters per hidden-parameter line is 255 characters, you can enter fewer characters on each line.
Note
Examples
The following example shows a hidden parameter comprised of four form entries and their values, separated by &. Excerpted from the POST request, the four entries and their values are:
•
•
•
%3FEMCOPageCode%3DENG
•
SMENC=ISO-8859-1&SMLOCALE=US-EN&target=https%3A%2F%2Ftools.cisco.com%2Femco%2Fappdir%2FAreaRoot.do%3FEMCOPageCode%3DENG&smauthreason=0
hostname(config)# aaa-server testgrp1 host example.comhostname(config-aaa-server-host)# hidden-parameter SMENC=ISO-8859-1&SMLOCALE=US-EN&targehostname(config-aaa-server-host)# hidden-parameter t=https%3A%2F%2Ftools.cisco.com%2Femchostname(config-aaa-server-host)# hidden-parameter o%2Fappdir%2FAreaRoot.do%3FEMCOPageCohostname(config-aaa-server-host)# hidden-parameter de%3DENG&smauthreason=0hostname(config-aaa-server-host)#Related Commands
hidden-shares
To control the visibility of hidden shares for CIFS files, use the hidden-shares command in config-group-webvpn configuration mode. To remove the hidden shares option from the configuration, use the no form of this command.
hidden-shares {none | visible}
[no] hidden-shares {none | visible}
Syntax Description
none
Specifies that no configured hidden shares are visible or accessible to users.
visible
Reveals hidden shares, making them accessible to users.
Defaults
The default behavior for this command is none.
Command Modes
The following table shows the modes in which you can enter the command:
Group-webvpn configuration
•
•
•
•
—
Command History
Usage Guidelines
A hidden share is identified by a dollar sign ($) at the end of the share name. For example, drive C is shared as C$. With hidden shares, a shared folder is not displayed, and users are restricted from browsing or accessing these hidden resources.
The no form of the hidden-shares command removes the option from the configuration and disables hidden shares as a group policy attribute.
Examples
The following example makes visible WebVPN CIFS hidden-shares related to GroupPolicy2:
hostname(config)# webvpnhostname(config-group-policy)# group-policy GroupPolicy2 attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# hidden-shares visiblehostname(config-group-webvpn)#Related Commands
hold-time
To specify the hold time advertised by the adaptive security appliance in EIGRP hello packets, use the hold-time command in interface configuration mode. To return the hello interval to the default value, use the no form of this command.
hold-time eigrp as-number seconds
no hold-time eigrp as-number seconds
Syntax Description
as-number
The autonomous system number of the EIGRP routing process.
seconds
Specifies the hold time, in seconds. Valid values are from 1 to 65535 seconds.
Defaults
`The default seconds is 15 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
This value is advertised in the EIGRP hello packets sent by the adaptive security appliance. The EIGRP neighbors on that interface use this value to determine the availability of the adaptive security appliance. If they do not receive a hello packet from the adaptive security appliance during the advertised hold time, the EIGRP neighbors will consider the adaptive security appliance to be unavailable.
On very congested and large networks, the default hold time might not be sufficient time for all routers and access servers to receive hello packets from their neighbors. In this case, you may want to increase the hold time.
We recommend that the hold time be at least three times the hello interval. If the adaptive security appliance does not receive a hello packet within the specified hold time, routes through this neighbor are considered unavailable.
Increasing the hold time delays route convergence across the network.
Examples
The following example sets the EIGRP hello interval to 10 seconds and the hold time to 30 seconds:
hostname(config-if)# hello-interval eigrp 100 10hostname(config-if)# hold-time eigrp 100 30Related Commands
hello-interval
Specifies the interval between EIGRP hello packets sent on an interface.
homepage
To specify a URL for the web page that displays upon login for this WebVPN user or group policy, use the homepage command in webvpn mode, which you enter from group-policy or username mode. To remove a configured home page, including a null value created by issuing the homepage none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting a home page, use the homepage none command.
homepage {value url-string | none}
no homepage
Syntax Description
Defaults
There is no default home page.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn mode
•
—
•
—
—
Command History
Usage Guidelines
To specify a homepage URL for users associated with the group policy, enter a value for the url-string in this command. To inherit a home page from the default group policy, use the no form of the comand. Clientless users are immediately brought to this page after successful authentication. AnyConnect launches the default web browser to this URL upon successful establishment of the VPN connection. On Linux platforms, AnyConnect does not currently support this command and ignores it.
Examples
The following example shows how to specify www.example.com as the home page for the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)# homepage value http://www.example.comRelated Commands
webvpn
Use in group-policy configuration mode or in username configuration mode. Lets you enter webvpn mode to configure parameters that apply to group policies or usernames.
host
To specify a host to interact with using RADIUS accounting, use the host command in radius-accounting parameter configuration mode, which is accessed by using the parameters command in the policy-map type inspect radius-accounting submode. To disable specified host, use the no form of this command. This option is disabled by default.
host address [key secret]
no host address [key secret]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
radius-accounting parameter configuration
•
•
•
•
—
Command History
Usage Guidelines
Multiple instances of this command are allowed.
Examples
The following example shows how to specify a host with RADIUS accounting:
hostname(config)# policy-map type inspect radius-accounting rahostname(config-pmap)# parametershostname(config-pmap-p)# host 209.165.202.128 key cisco123Related Commands
inspect radius-accounting
Sets inspection for RADIUS accounting.
parameters
Sets parameters for an inspection policy map.
hostname
To set the adaptive security appliance hostname, use the hostname command in global configuration mode. To restore the default hostname, use the no form of this command. The hostname appears as the command line prompt, and if you establish sessions to multiple devices, the hostname helps you keep track of where you enter commands.
hostname name
no hostname [name]
Syntax Description
name
Specifies a hostname up to 63 characters. A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen.
Defaults
The default hostname depends on your platform.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
7.0(1)
You can no longer use non-alphanumeric characters (other than a hyphen).
Usage Guidelines
For multiple context mode, the hostname that you set in the system execution space appears in the command line prompt for all contexts.
The hostname that you optionally set within a context does not appear in the command line, but can be used for the banner command $(hostname) token.
Examples
The following example sets the hostname to firewall1:
hostname(config)# hostname firewall1firewall1(config)#Related Commands
banner
Sets a login, message of the day, or enable banner.
domain-name
Sets the default domain name.
hsi
To add an HSI to an HSI group for H.323 protocol inspection, use the hsi command in hsi group configuration mode. To disable this feature, use the no form of this command.
hsi ip_address
no hsi ip_address
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
HSI group configuration
•
•
•
•
—
Command History
Examples
The following example shows how to add an HSI to an HSI group in an H.323 inspection policy map:
hostname(config-pmap-p)# hsi-group 10hostname(config-h225-map-hsi-grp)# hsi 10.10.15.11Related Commands
hsi-group
To define an HSI group for H.323 protocol inspection and to enter hsi group configuration mode, use the hsi-group command in parameters configuration mode. To disable this feature, use the no form of this command.
hsi-group group_id
no hsi-group group_id
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure an HSI group in an H.323 inspection policy map:
hostname(config-pmap-p)# hsi-group 10hostname(config-h225-map-hsi-grp)# hsi 10.10.15.11hostname(config-h225-map-hsi-grp)# endpoint 10.3.6.1 insidehostname(config-h225-map-hsi-grp)# endpoint 10.10.25.5 outsideRelated Commands
html-content-filter
To filter Java, ActiveX, images, scripts, and cookies for WebVPN sessions for this user or group policy, use the html-content-filter command in webvpn configuration mode. To remove a content filter, use the no form of this command.
html-content-filter {java | images | scripts | cookies | none}
no html-content-filter [java | images | scripts | cookies | none]
Syntax Description
Defaults
No filtering occurs.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
To remove all content filters, including a null value created by issuing the html-content-filter none command, use the no form of this command without arguments. The no option allows inheritance of a value from another group policy. To prevent inheriting an html content filter, use the html-content-filter none command.
Using the command a second time overrides the previous setting.
Examples
The following example shows how to set filtering of JAVA and ActiveX, cookies, and images for the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)# html-content-filter java cookies imagesRelated Commands
http
To specify hosts that can access the HTTP server internal to the adaptive security appliance, use the http command in global configuration mode. To remove one or more hosts, use the no form of this command. To remove the attribute from the configuration, use the no form of this command without arguments.
http ip_address subnet_mask interface_name
no http
Syntax Description
Defaults
No hosts can access the HTTP server.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example shows how to allow the host with the IP address of 10.10.99.1 and the subnet mask of 255.255.255.255 access to the HTTP server via the outside interface:
hostname(config)# http 10.10.99.1 255.255.255.255 outsideThe next example shows how to allow any host access to the HTTP server via the outside interface:
hostname(config)# http 0.0.0.0 0.0.0.0 outsideRelated Commands
http-comp
To enable compression of http data over a WebVPN connection for a specific group or user, use the http-comp command in the group-policy webvpn and username webvpn configuration modes. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.
http-comp {gzip | none}
no http-comp {gzip | none}
Syntax Description
gzip
Specifies compression is enabled for the group or user.
none
Specifies compression is disabled for the group or user.
Defaults
By default, compression is set to gzip.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy webvpn configuration
•
—
•
—
—
Username webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
For WebVPN connections, the compression command configured from global configuration mode overrides the http-comp command configured in group policy and username webvpn configuration modes.
Examples
In the following example, compression is disabled for the group-policy sales:
hostname(config)# group-policy sales attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# http-comp noneRelated Commands
http-proxy
To configure the adaptive security appliance to use an external proxy server to handle HTTP requests, use the http-proxy command in webvpn configuration mode. To remove the HTTP proxy server from the configuration, use the no form of this command.
http-proxy {host [port] [exclude url] | pac pacfile} [username username {password password}]
no http-proxy
Syntax Description
Defaults
By default, no HTTP proxy server is configured.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
8.0(2)
Added exclude, username, and password keywords.
7.0(1)
This command was introduced.
Usage Guidelines
Requiring Internet access via a server that the organization controls provides another opportunity for filtering to assure secure Internet access and administrative control.
The adaptive security appliance supports only one instance of the http-proxy command. If one instance of this command is already present in the running configuration and you enter another instance, the CLI overwrites the previous instance. The CLI lists any http-proxy commands in the running configuration if you enter the show running-config webvpn command. If the response does not list an http -proxy command, then none is present.
Examples
The following example shows how to configure use of an HTTP proxy server with an IP address of 209.165. 201.2 using the default port, 443:
hostname(config)#webvpnhostname(config-webvpn)# http-proxy 209.165.201.2hostname(config-webvpn)The following example shows how to configure use of the same proxy server, and send a username and password with each HTTP request:
hostname(config-webvpn)# http-proxy 209.165.201.2 jsmith password mysecretdonttellhostname(config-webvpn)The following example shows the same command, except when the adaptive security appliance receives the specific URL www.example.com in an HTTP request, it resolves the request instead of passing it on to the proxy server:
hostname(config-webvpn)# http-proxy 209.165.201.2 exclude www.example.com username jsmith password mysecretdonttellhostname(config-webvpn)The followiing example shows how to use the exclude option:
hostname(config-webvpn)# http-proxy 10.1.1.1 port 8080 exclude *.com username John pasword 12345678hostname(config-webvpn)The followiing example shows how to use the pac option:
hostname(config-webvpn)# http-proxy pac http://10.1.1.1/pac.jshostname(config-webvpn)Related Commands
http-proxy (dap)
To enable or disable HTTP proxy port forwarding, use the http-proxy command in
dap webvpn configuration mode.To remove the attribute from the configuration, use the no version of this command.http-proxy {enable | disable | auto-start}
no http-proxy
Syntax Description
auto-start
Enables and automatically starts HTTP proxy port forwarding for the DAP record.
enable/disable
Enables or disables HTTP proxy port forwarding for the DAP record.
Defaults
No default value or behaviors.
Command Modes
The following table shows the modes in which you can enter the command:
Dap-webvpn configuration
•
•
•
—
—
Command History
Usage Guidelines
The adaptive security appliance can apply attribute values from a variety of sources. It applies them according to the following hierarchy:
1.
2.
3.
4.
5.
It follows that DAP values for an attribute have a higher priority than those configured for a user, group policy, or tunnel group.
When you enable or disable an attribute for a DAP record, the adaptive security appliance applies that value and enforces it. For example, when you disable HTTP proxy in dap webvpn mode, the adaptive security appliance looks no further for a value. When you instead use the no value for the http-proxy command, the attribute is not present in the DAP record, so the adaptive security appliance moves down to the AAA attribute in the username, and if necessary, the group policy to find a value to apply.
Examples
The following example shows how to enable HTTP proxy port forwarding for the dynamic access policy record named Finance.
hostname (config)# dynamic-access-policy-recordFinancehostname(config-dynamic-access-policy-record)#webvpnhostname(config-dap-webvpn)#http-proxy enablehostname(config-dap-webvpn)#Related Commands
http redirect
To specify that the adaptive security appliance redirect HTTP connections to HTTPS, use the http redirect command in global configuration mode. To remove a specified http redirect command from the configuration, use the no form of this command. To remove all http redirect commands from the configuration, use the no form of this command without arguments.
http redirect interface [port]
no http redirect [interface]
Syntax Description
Defaults
HTTP redirect is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The interface requires an access list that permits HTTP. Otherwise the adaptive security appliance does not listen to port 80, or to any other port that you configure for HTTP.
If the http redirect command fails, the following message appears:
"TCP port <port_number> on interface <interface_name> is in use by another feature. Please choose a different port for the HTTP redirect service"Use a different port for the HTTP redirect service.
Examples
The following example shows how to configure HTTP redirect for the inside interface, keeping the default port 80:
hostname(config)# http redirect insideRelated Commands
http server enable
To enable the adaptive security appliance HTTP server, use the http server enable command in global configuration mode. To disable the HTTP server, use the no form of this command.
http server enable [port]
Syntax Descriptionno http server enable [port]
Defaults
The HTTP server is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example shows how to enable the HTTP server.
hostname(config)# http server enableRelated Commands
http server idle-timeout
To set an idle timeout for ASDM connections to the adaptive security appliance, use the http server idle-timeout command in global configuration mode. To disable the timeout, use the no form of this command.
http server idle-timeout [minutes]
no http server idle-timeout [minutes]
Syntax Descriptionno http server enable [port]
Defaults
The default setting is 20 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example sets the idle timeout for ASDM sessions to 500 minutes:
hostname(config)# http server idle-timeout 500Related Commands
http server session-timeout
To set a session timeout for ASDM connections to the adaptive security appliance, use the http server session-timeout command in global configuration mode. To disable the timeout, use the no form of this command.
http server session-timeout [minutes]
no http server session-timeout [minutes]
Syntax Descriptionno http server enable [port]
Defaults
The session timeout is disabled. ASDM connections have no session time limit.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example sets a session timeout for ASDM connections to 1000 minutes:
hostname(config)# http server session-timeout 1000Related Commands
https-proxy
To configure the adaptive security appliance to use an external proxy server to handle HTTPS requests, use the https-proxy command in webvpn configuration mode. To remove the HTTPS proxy server from the configuration, use the no form of this command.
https-proxy {host [port] [exclude url] | pac pacfile} [username username {password password}]
no https-proxy
Syntax Description
Defaults
By default, no HTTPS proxy server is configured.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
7.3(0)
Added exclude, username, and password keywords.
7.0(1)
This command was introduced.
Usage Guidelines
Requiring Internet access via a server that the organization controls provides another opportunity for filtering to assure secure Internet access and administrative control.
The adaptive security appliance supports only one instance of the https-proxy command. If one instance of this command is already present in the running configuration and you enter another instance, the CLI overwrites the previous instance. The CLI lists any https-proxy commands in the running configuration if you enter the show running-config webvpn command. If the response does not list an https-proxy command, then none is present.
Examples
The following example shows how to configure use of an HTTPS proxy server with an IP address of 209.165. 201.2 using the default port, 443:
hostname(config)#webvpnhostname(config-webvpn)# https-proxy 209.165.201.2hostname(config-webvpn)The following example shows how to configure use of the same proxy server, and send a username and password with each HTTPS request:
hostname(config-webvpn)# https-proxy 209.165.201.2 jsmith password mysecretdonttellhostname(config-webvpn)The following example shows the same command, except when the adaptive security appliance receives the specific URL www.example.com in an HTTPS request, it resolves the request instead of passing it on to the proxy server:
hostname(config-webvpn)# https-proxy 209.165.201.2 exclude www.example.com username jsmith password mysecretdonttellhostname(config-webvpn)hostname(config-webvpn)# https-proxy 10.1.1.1 port 8080 exclude *.com username John pasword 12345678hostname(config-webvpn)The followiing example shows how to use the pac option:
hostname(config-webvpn)# https-proxy pac http://10.1.1.1/pac.jshostname(config-webvpn)Related Commands
hw-module module allow-ip
To configure host parameters on the SSC, use the hw-module module allow-ip command in privileged EXEC mode.
hw-module module slot_num allow-ip ip_address netmask
Syntax Description
allow-ip ip_ address
Specifies the allowed host IP address on the SSC.
netmask
Specifies the allowed host network mask on the SSC.
slot_num
Specifies the slot number, which is always 1.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
This command is only valid when the SSC status is Up. Default values that are currently in effect are provided. To obtain these values, use the show module details command. These settings are saved as part of the SSC configuration.
Examples
The following example shows how to configure host parameters on the SSC:
hostname# hw-module module 1 allow-ip 209.165.201.29 255.255.255.0Related Commands
hw-module module ip
Allows you to configure SSC management parameters.
show module
Shows SSC status information.
hw-module module ip
To configure SSC management parameters, use the hw-module module ip command in privileged EXEC mode.
hw-module module slot_num ip ip_address netmask gateway
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
This command is only valid when the SSC status is Up. Default values that are currently in effect are provided. To obtain these values, use the show module details command. These settings are saved as part of the SSC configuration.
Examples
The following example shows how to configure management parameters for the SSC:
hostname# hw-module module 1 ip 209.165.200.254 255.255.255.0 209.165.201.30Related Commands
hw-module module allow-ip
Allows you to configure SSC host parameters.
show module
Shows SSC status information.
hw-module module password-reset
To reset the password on the hardware module to the default value, "cisco," use the hw-module module password reset command in privileged EXEC mode.
hw-module module slot# password-reset
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
This command is only valid when the hardware module is in the Up state and supports password reset. On the AIP SSM, running this command results in rebooting of the module. The module is offline until the rebooting is finished, which may take several minutes. You can run the show module command to monitor the module state.
The command always prompts for confirmation. If the command succeeds, no other output appears. If the command fails, an error message appears that explains why the failure occurred. The possible error messages are as follows:
Unable to reset the password on the module in slot 1
Unable to reset the password on the module in slot 1 - unknown module state
Unable to reset the password on the module in slot 1 - no module installed
Failed to reset the password on the module in slot 1 - module not in Up state
Unable to reset the password on the module in slot 1 - unknown module type
The module is slot [n] does not support password reset
Unable to reset the password on the module in slot 1 - no application found
The SSM application version does not support password reset
Failed to reset the password on the module in slot 1
Examples
The following example resets a password on a hardware module in slot 1:
hostname (config)# hw-module module 1 password-resetReset the password on module in slot 1? [confirm] yRelated Commands
hw-module module recover
To load a recovery software image from a TFTP server to an intelligent SSM (for example, the AIP SSM), or to configure network settings to access the TFTP server, use the hw-module module recover command in privileged EXEC mode. You might need to recover an SSM using this command if, for example, the SSM is unable to load a local image. This command is not available for interface SSMs (for example, the 4GE SSM).
hw-module module 1 recover {boot | stop | configure [url tfp_url | ip port_ip_address | gateway gateway_ip_address | vlan vlan_id]}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
This command is only available when the SSM is in the Up, Down, Unresponsive, or Recovery state. See the show module command for state information.
Examples
The following example sets the SSM to download an image from a TFTP server:
hostname# hw-module module 1 recover configureImage URL [tftp://127.0.0.1/myimage]: tftp://10.1.1.1/ids-newimgPort IP Address [127.0.0.2]: 10.1.2.10Port Mask [255.255.255.254]: 255.255.255.0Gateway IP Address [1.1.2.10]: 10.1.2.254VLAN ID [0]: 100The following example recovers the SSM:
hostname# hw-module module 1 recover bootThe module in slot 1 will be recovered. This mayerase all configuration and all data on that device andattempt to download a new image for it.Recover module in slot 1? [confirm]Related Commands
hw-module module reload
To reload an intelligent SSM software (for example, the AIP SSM), use the hw-module module reload command in privileged EXEC mode. This command is not available for interface SSMs (for example, the 4GE SSM).
hw-module module 1 reload
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
This command is only valid when the SSM status is Up. See the show module command for state information.
This command differs from the hw-module module reset command, which also performs a hardware reset.
Examples
The following example reloads the SSM in slot 1:
hostname# hw-module module 1 reloadReload module in slot 1? [confirm] yReload issued for module in slot 1%XXX-5-505002: Module in slot 1 is reloading. Please wait...%XXX-5-505006: Module in slot 1 is Up.Related Commands
hw-module module reset
To shut down and reset the SSM hardware, use the hw-module module reset command in privileged EXEC mode.
hw-module module 1 reset
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
This command is only valid when the SSM status is Up, Down, Unresponsive, or Recover. See the show module command for state information.
When the SSM is in an Up state, the hw-module module reset command prompts you to shut down the software before resetting.
You can recover intelligent SSMs (for example, the AIP SSM) using the hw-module module recover command. If you enter the hw-module module reset while the SSM is in a Recover state, the SSM does not interrupt the recovery process. The hw-module module reset command performs a hardware reset of the SSM, and the SSM recovery continues after the hardware reset. You might want to reset the SSM during recovery if the SSM hangs; a hardware reset might resolve the issue.
This command differs from the hw-module module reload command, which only reloads the software and does not perform a hardware reset.
Examples
The following example resets an SSM in slot 1 that is in the Up state:
hostname# hw-module module 1 resetThe module in slot 1 should be shut down beforeresetting it or loss of configuration may occur.Reset module in slot 1? [confirm] yReset issued for module in slot 1%XXX-5-505001: Module in slot 1 is shutting down. Please wait...%XXX-5-505004: Module in slot 1 shutdown is complete.%XXX-5-505003: Module in slot 1 is resetting. Please wait...%XXX-5-505006: Module in slot 1 is Up.Related Commands
hw-module module shutdown
To shut down the SSM software, use the hw-module module shutdown command in privileged EXEC mode.
hw-module module 1 shutdown
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Shutting down the SSM software prepares the SSM to be safely powered off without losing configuration data.
This command is only valid when the SSM status is Up or Unresponsive. See the show module command for state information.
Examples
The following example shuts down an SSM in slot 1:
hostname# hw-module module 1 shutdownShutdown module in slot 1? [confirm] yShutdown issued for module in slot 1hostname#%XXX-5-505001: Module in slot 1 is shutting down. Please wait...%XXX-5-505004: Module in slot 1 shutdown is complete.Related Commands
