-
Cisco ASA 5500 Series Command Reference, 8.2
-
About This Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show ddns -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config ldap -- show running-config webvpn auto-signon
-
show service-policy -- show xlate
-
shun -- sysopt radius ignore-secret
-
- T through Z Commands
-
Feedback
Table Of Contents
mac address through multicast-routing Commands
match default-inspection-traffic
match flow ip destination-address
match third-party-registration
memory delayed-free-poisoner enable
memory delayed-free-poisoner validate
mac address through multicast-routing Commands
mac address
To specify the virtual MAC addresses for the active and standby units, use the mac address command in failover group configuration mode. To restore the default virtual MAC addresses, use the no form of this command.
mac address phy_if [active_mac] [standby_mac]
no mac address phy_if [active_mac] [standby_mac]
Syntax Description
Defaults
The defaults are as follows:
•
Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01.
•
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
If the virtual MAC addresses are not defined for the failover group, the default values are used.
If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address.
Examples
The following partial example shows a possible configuration for a failover group:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)# failover group 2hostname(config-fover-group)# secondaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# mac address e1 0000.a000.a011 0000.a000.a012hostname(config-fover-group)# exithostname(config)#Related Commands
failover group
Defines a failover group for Active/Active failover.
failover mac address
Specifies a virtual MAC address for a physical interface.
mac-address
To manually assign a private MAC address to an interface or subinterface, use the mac-address command in interface configuration mode. In multiple context mode, this command can assign a different MAC address to the interface in each context. To revert the MAC address to the default, use the no form of this command.
mac-address mac_address [standby mac_address]
no mac-address [mac_address [standby mac_address]]
Syntax Description
Defaults
The default MAC address is the burned-in MAC address of the physical interface. Subinterfaces inherit the physical interface MAC address. Some commands set the physical interface MAC address (including this command in single mode), so the inherited address depends on that configuration.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
—
Command History
7.2(1)
This command was introduced.
8.0(5)/8.2(2)
The use of A2 to start the MAC address was restricted when also used with the mac-address auto command.
Usage Guidelines
In multiple context mode, if you share an interface between contexts, you can assign a unique MAC address to the interface in each context. This feature lets the adaptive security appliance easily classify packets into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has some limitations. See the Cisco ASA 5500 Series Configuration Guide using the CLI for more information.
You can assign each MAC address manually with this command, or you can automatically generate MAC addresses for shared interfaces in contexts using the mac-address auto command. If you automatically generate MAC addresses, you can use the mac-address command to override the generated address.
For single context mode, or for interfaces that are not shared in multiple context mode, you might want to assign unique MAC addresses to subinterfaces. For example, your service provider might perform access control based on the MAC address.
You can also set the MAC address using other commands or methods. The MAC address methods have the following priority:
1.
This command works for physical interfaces and subinterfaces. In multiple context mode, you set the MAC address within each context. This feature lets you set a different MAC address for the same interface in multiple contexts.
2.
This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
3.
This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
4.
This command applies to shared interfaces in contexts.
5.
This method applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
6.
Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
Examples
The following example configures the MAC address for GigabitEthernet 0/1.1:
hostname/contextA(config)# interface gigabitethernet0/1.1hostname/contextA(config-if)# nameif insidehostname/contextA(config-if)# security-level 100hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0hostname/contextA(config-if)# mac-address 030C.F142.4CDE standby 040C.F142.4CDEhostname/contextA(config-if)# no shutdownRelated Commands
mac-address auto
To automatically assign private MAC addresses to each shared context interface, use the mac-address auto command in global configuration mode. To disable automatic MAC addresses, use the no form of this command.
mac-address auto prefix prefix
no mac-address auto
Syntax Description
prefix prefix
Sets the prefix used as part of the MAC address. The prefix is a decimal value between 0 and 65535. This prefix is converted to a 4-digit hexadecimal number. The prefix ensures that each adaptive security appliance uses unique MAC addresses, so you can have multiple adaptive security appliances on a network segment, for example. See the "MAC Address Format" section for more information about how the prefix is used.
Defaults
Auto-generation is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each shared context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets. The destination address is matched with the context NAT configuration, and this method has some limitations compared to the MAC address method. See the Cisco ASA 5500 Series Configuration Guide using the CLI for information about classifying packets.
In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the mac-address command to manually set the MAC address.
Default MAC Address
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.
All auto-generated MAC addresses start with A2. The auto-generated MAC addresses are persistent across reloads.
Interaction with Manual MAC Addresses
If you manually assign a MAC address and also enable auto-generation, then the manually assigned MAC address is used. If you later remove the manual MAC address, the auto-generated address is used.
Because auto-generated addresses start with A2, you cannot start manual MAC addresses with A2 if you also want to use auto-generation.
Failover MAC Addresses
For use with failover, the adaptive security appliance generates both an active and standby MAC address for each interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption. See the "MAC Address Format" section for more information.
For upgrading failover units with the legacy version of the mac-address auto command before the prefix keyword was introduced, see the "Legacy MAC Address Format When Not Using the prefix Keyword" section.
MAC Address Format
The adaptive security appliance generates the MAC address using the following format:
A2xx.yyzz.zzzz
Where xx.yy is a user-defined prefix, and zz.zzzz is an internal counter generated by the adaptive security appliance. For the standby MAC address, the address is identical except that the internal counter is increased by 1.
For an example of how the prefix is used, if you set a prefix of 77, then the adaptive security appliance converts 77 into the hexadecimal value 004D (yyxx). When used in the MAC address, the prefix is reversed (xxyy) to match the adaptive security appliance native form:
A24D.00zz.zzzz
For a prefix of 1009 (03F1), the MAC address is:
A2F1.03zz.zzzz
When the MAC Address is Generated
When you configure a nameif command for the interface in a context, the new MAC address is generated immediately. If you enable this command after you configure context interfaces, then MAC addresses are generated for all interfaces immediately after you enter the command. If you use the no mac-address auto command, the MAC address for each interface reverts to the default MAC address. For example, subinterfaces of GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1.
Setting the MAC Address Uisng Other Methods
You can also set the MAC address using other commands or methods. The MAC address methods have the following priority:
1.
This command works for physical interfaces and subinterfaces. In multiple context mode, you set the MAC address within each context. This feature lets you set a different MAC address for the same interface in multiple contexts.
2.
This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
3.
This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
4.
This command applies to shared interfaces in contexts.
5.
This method applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
6.
Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
Viewing MAC Addresses in the System Configuration
To view the assigned MAC addresses from the system execution space, enter the show running-config all context command.
The all option is required to view the assigned MAC addresses. Although this command is user-configurable in global configuration mode only, the mac-address auto command appears as a read-only entry in the configuration for each context along with the assigned MAC address. Only allocated interfaces that are configured with a nameif command within the context have a MAC address assigned.
Note
Viewing MAC Addresses Within a Context
To view the MAC address in use by each interface within the context, enter the show interface | include (Interface)|(MAC) command.
Note
Legacy MAC Address Format When Not Using the prefix Keyword
Prior to Version 8.0(5), the mac-address auto command did not include the prefix keyword. This old version of the command is still accepted so you can perform upgrades between failover pairs; the command is not automatically converted when you upgrade so the commands continue to match between the upgraded and non-upgraded failover units. After you upgrade both units to the new software version, you should change this command to use the prefix keyword.
Without the prefix keyword, the MAC address is generated using the following format:
•
•
For platforms with no interface slots, the slot is always 0. The port is the interface port. The subid is an internal ID for the subinterface, which is not viewable. The contextid is an internal ID for the context, viewable with the show context detail command. For example, the interface GigabitEthernet 0/1.200 in the context with the ID 1 has the following generated MAC addresses, where the internal ID for subinterface 200 is 31:
•
•
This legacy MAC address generation method does not allow for persistent MAC addresses across reloads, does not allow for multiple adaptive security appliances on the same network segment (because unique MAC addresses are not guaranteed), and does not prevent overlapping MAC addresses with manually assigned MAC addresses.
Examples
The following example enables automatic MAC address generation with a prefix of 78:
hostname(config)# mac-address auto prefix 78The following output from the show running-config all context admin command shows the primary and standby MAC address assigned to the Management0/0 interface:
hostname# show running-config all context admincontext adminallocate-interface Management0/0mac-address auto Management0/0 a24d.0000.1440 a24d.0000.1441config-url disk0:/admin.cfgThe following output from the show running-config all context command shows all the MAC addresses (primary and standby) for all context interfaces. Note that because the GigabitEthernet0/0 and GigabitEthernet0/1 main interfaces are not configured with a nameif command inside the contexts, no MAC addresses have been generated for them.
hostname# show running-config all contextadmin-context admincontext adminallocate-interface Management0/0mac-address auto Management0/0 a2d2.0400.125a a2d2.0400.125bconfig-url disk0:/admin.cfg!context CTX1allocate-interface GigabitEthernet0/0allocate-interface GigabitEthernet0/0.1-GigabitEthernet0/0.5mac-address auto GigabitEthernet0/0.1 a2d2.0400.11bc a2d2.0400.11bdmac-address auto GigabitEthernet0/0.2 a2d2.0400.11c0 a2d2.0400.11c1mac-address auto GigabitEthernet0/0.3 a2d2.0400.11c4 a2d2.0400.11c5mac-address auto GigabitEthernet0/0.4 a2d2.0400.11c8 a2d2.0400.11c9mac-address auto GigabitEthernet0/0.5 a2d2.0400.11cc a2d2.0400.11cdallocate-interface GigabitEthernet0/1allocate-interface GigabitEthernet0/1.1-GigabitEthernet0/1.3mac-address auto GigabitEthernet0/1.1 a2d2.0400.120c a2d2.0400.120dmac-address auto GigabitEthernet0/1.2 a2d2.0400.1210 a2d2.0400.1211mac-address auto GigabitEthernet0/1.3 a2d2.0400.1214 a2d2.0400.1215config-url disk0:/CTX1.cfg!context CTX2allocate-interface GigabitEthernet0/0allocate-interface GigabitEthernet0/0.1-GigabitEthernet0/0.5mac-address auto GigabitEthernet0/0.1 a2d2.0400.11ba a2d2.0400.11bbmac-address auto GigabitEthernet0/0.2 a2d2.0400.11be a2d2.0400.11bfmac-address auto GigabitEthernet0/0.3 a2d2.0400.11c2 a2d2.0400.11c3mac-address auto GigabitEthernet0/0.4 a2d2.0400.11c6 a2d2.0400.11c7mac-address auto GigabitEthernet0/0.5 a2d2.0400.11ca a2d2.0400.11cballocate-interface GigabitEthernet0/1allocate-interface GigabitEthernet0/1.1-GigabitEthernet0/1.3mac-address auto GigabitEthernet0/1.1 a2d2.0400.120a a2d2.0400.120bmac-address auto GigabitEthernet0/1.2 a2d2.0400.120e a2d2.0400.120fmac-address auto GigabitEthernet0/1.3 a2d2.0400.1212 a2d2.0400.1213config-url disk0:/CTX2.cfg!Related Commands
mac-address-table aging-time
To set the timeout for MAC address table entries, use the mac-address-table aging-time command in global configuration mode. To restore the default value of 5 minutes, use the no form of this command.
mac-address-table aging-time timeout_value
no mac-address-table aging-time
Syntax Description
timeout_value
The time a MAC address entry stays in the MAC address table before timing out, between 5 and 720 minutes (12 hours). 5 minutes is the default.
Defaults
The default timeout is 5 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Usage Guidelines
No usage guidelines.
Examples
The following example sets the MAC address timeout to 10 minutes:
hostname(config)# mac-address-timeout aging time 10Related Commands
mac-address-table static
To add a static entry to the MAC address table, use the mac-address-table static command in global configuration mode. To remove a static entry, use the no form of this command. Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired. One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the adaptive security appliance drops the traffic and generates a system message.
mac-address-table static interface_name mac_address
no mac-address-table static interface_name mac_address
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Examples
The following example adds a static MAC address entry to the MAC address table:
hostname(config)# mac-address-table static inside 0010.7cbe.6101Related Commands
mac-learn
To disable MAC address learning for an interface, use the mac-learn command in global configuration mode. To reenable MAC address learning, use the no form of this command. By default, each interface automatically learns the MAC addresses of entering traffic, and the adaptive security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired.
mac-learn interface_name disable
no mac-learn interface_name disable
Syntax Description
interface_name
The interface on which you want to disable MAC learning.
disable
Disables MAC learning.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Examples
The following example disables MAC learning on the outside interface:
hostname(config)# mac-learn outside disableRelated Commands
mac-list
To specify a list of MAC addresses to be used to exempt MAC addresses from authentication and/or authorization, use the mac-list command in global configuration mode. To remove a MAC list entry, use the no form of this command.
mac-list id {deny | permit} mac macmask
no mac-list id {deny | permit} mac macmask
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable MAC address exemption from authentication and authorization, use the aaa mac-exempt command. You can only add one instance of the aaa mac-exempt command, so be sure that your MAC list includes all the MAC addresses you want to exempt. You can create multiple MAC lists, but you can only use one at a time.
Examples
The following example bypasses authentication for a single MAC address:
hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffffhostname(config)# aaa mac-exempt match abcThe following entry bypasses authentication for all Cisco IP Phones, which have the hardware ID 0003.E3:
hostname(config)# mac-list acd permit 0003.E300.0000 FFFF.FF00.0000hostname(config)# aaa mac-exempt match acdThe following example bypasses authentication for a a group of MAC addresses except for 00a0.c95d.02b2. Enter the deny statement before the permit statement, because 00a0.c95d.02b2 matches the permit statement as well, and if it is first, the deny statement will never be matched.
hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffffhostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000hostname(config)# aaa mac-exempt match 1Related Commands
mail-relay
To configure a local domain name, use the mail-relay command in parameters configuration mode. To disable this feature, use the no form of this command.
mail-relay domain_name action {drop-connection | log}
no mail-relay domain_name action {drop-connection | log}
Syntax Description
domain_name
Specifies the domain name.
drop-connection
Closes the connection.
log
Generates a system log message.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a mail relay for a specific domain:
hostname(config)# policy-map type inspect esmtp esmtp_maphostname(config-pmap)# parametershostname(config-pmap-p)# mail-relay mail action drop-connectionRelated Commands
management-access
To allow management access to an interface other than the one from which you entered the adaptive security appliance when using VPN, use the management-access command in global configuration mode. To disable management access, use the no form of this command.
management-access mgmt_if
no management-access mgmt_if
Syntax Description
mgmt_if
Specifies the name of the management interface you want to access when entering the adaptive security appliance from another interface.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command allows you to connect to an interface other than the one you entered the adaptive security appliance from when using a full tunnel IPSec VPN or SSL VPN client (AnyConnect 2.x client, SVC 1.x) or across a site-to-site IPSec tunnel. For example, if you enter the adaptive security appliance from the outside interface, this command lets you connect to the inside interface using Telnet; or you can ping the inside interface when entering from the outside interface.
You can define only one management-access interface.
Note
Examples
The following example shows how to configure a firewall interface named "inside" as the management access interface:
hostname(config)# management-access insidehostname(config)# show running-config management-accessmanagement-access insideRelated Commands
management-only
To set an interface to accept management traffic only, use the management-only command in interface configuration mode. To allow through traffic, use the no form of this command.
management-only
no management-only
Syntax Description
This command has no arguments or keywords.
Defaults
The Management 0/0 interface on the ASA 5510 and higher adaptive security appliance is set to management-only mode by default.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The ASA 5510 and higher adaptive security appliance includes a dedicated management interface called Management 0/0, which is meant to support traffic to the adaptive security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.
Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA 5510 and higher adaptive security appliance, you can use the Management 0/0 interface (either the physical interface or a subinterface) as a third interface for management traffic. The mode is not configurable in this case and must always be management-only. You can also set the IP address of this interface in transparent mode if you want this interface to be on a different subnet from the management IP address, which is assigned to the adaptive security appliance or context, and not to individual interfaces.
Examples
The following example disables management-only mode on the management interface:
hostname(config)# interface management0/0hostname(config-if)# no management-onlyThe following example enables management-only mode on a subinterface:
hostname(config)# interface gigabitethernet0/2.1hostname(config-subif)# management-onlyRelated Commands
map-name
To map a user-defined attribute name to a Cisco attribute name, use the map-name command in ldap-attribute-map configuration mode.
To remove this mapping, use the no form of this command.
map-name user-attribute-name Cisco-attribute-name
no map-name user-attribute-name Cisco-attribute-name
Syntax Description
Syntax DescriptionSyntax Description
Defaults
By default, no name mappings exist.
Command Modes
The following table shows the modes in which you can enter the command:
ldap-attribute-map configuration
•
•
•
•
—
Command History
Usage Guidelines
With the map-name command, you can map your own attribute names to Cisco attribute names. You can then bind the resulting attribute map to an LDAP server. Your typical steps would include:
1.
2.
3.
Note
Examples
The following example commands map a user-defined attribute name Hours to the Cisco attribute name cVPN3000-Access-Hours in the LDAP attribute map myldapmap:
hostname(config)# ldap attribute-map myldapmaphostname(config-ldap-attribute-map)# map-name Hours cVPN3000-Access-Hourshostname(config-ldap-attribute-map)#Within ldap-attribute-map mode, you can enter "?" to display the complete list of Cisco LDAP attribute names, as shown in the following example:
hostname(config-ldap-attribute-map)# map-name <name>ldap mode commands/options:cisco-attribute-names:cVPN3000-Access-HourscVPN3000-Allow-Network-Extension-ModecVPN3000-Auth-Service-TypecVPN3000-Authenticated-User-Idle-TimeoutcVPN3000-Authorization-RequiredcVPN3000-Authorization-Type::cVPN3000-X509-Cert-Datahostname(config-ldap-attribute-map)#Related Commands
map-value
To map a user-defined value to a Cisco LDAP value, use the map-value command in ldap-attribute-map configuration mode. To delete an entry within a map, use the no form of this command.
map-value user-attribute-name user-value-string Cisco-value-string
no map-value user-attribute-name user-value-string Cisco-value-string
Syntax Description
Defaults
By default, there are no user-defined values mapped to Cisco attributes.
Command Modes
The following table shows the modes in which you can enter the command:
ldap-attribute-map configuration
•
•
•
•
—
Command History
Usage Guidelines
With the map-value command, you can map your own attribute values to Cisco attribute names and values. You can then bind the resulting attribute map to an LDAP server. Your typical steps would include:
1.
2.
3.
Note
Examples
The following example, entered in ldap-attribute-map mode, sets the user-defined value of the user attribute Hours to a user-defined time policy named workDay and a Cisco-defined time policy named Daytime:
hostname(config)# ldap attribute-map myldapmaphostname(config-ldap-attribute-map)# map-value Hours workDay Daytimehostname(config-ldap-attribute-map)#Related Commands
mask
When using the Modular Policy Framework, mask out part of the packet that matches a match command or class map by using the mask command in match or class configuration mode. This mask action is available in an inspection policy map (the policy-map type inspect command) for application traffic; however, not all applications allow this action. For example, you can you use mask command for the DNS application inspection to mask a header flag before allowing the traffic through the adaptive security appliance. To disable this action, use the no form of this command.
mask [log]
no mask [log]
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Match and class configuration
•
•
•
•
—
Command History
Usage Guidelines
An inspection policy map consists of one or more match and class commands. The exact commands available for an inspection policy map depends on the application. After you enter the match or class command to identify application traffic (the class command refers to an existing class-map type inspect command that in turn includes match commands), you can enter the mask command to mask part of the packet that matches the match command or class command.
When you enable application inspection using the inspect command in a Layer 3/4 policy map (the policy-map command), you can enable the inspection policy map that contains this action, for example, enter the inspect dns dns_policy_map command where dns_policy_map is the name of the inspection policy map.
Examples
The following example masks the RD and RA flags in the DNS header before allowing the traffic through the adaptive security appliance:
hostname(config-cmap)# policy-map type inspect dns dns-map1hostname(config-pmap-c)# match header-flag RDhostname(config-pmap-c)# mask loghostname(config-pmap-c)# match header-flag RAhostname(config-pmap-c)# mask logRelated Commands
mask-banner
To obfuscate the server banner, use the mask-banner command in parameters configuration mode. To disable this feature, use the no form of this command.
mask-banner
no mask-banner
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to mask the server banner:
hostname(config)# policy-map type inspect esmtp esmtp_maphostname(config-pmap)# parametershostname(config-pmap-p)# mask-bannerRelated Commands
mask-syst-reply
To hide the FTP server response from clients, use the mask-syst-reply command in FTP map configuration mode, which is accessible by using the ftp-map command. To remove the configuration, use the no form of this command.
mask-syst-reply
no mask-syst-reply
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
FTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the mask-syst-reply command with strict FTP inspection to protect the FTP server system from clients. After enabling this command, the servers replies to the syst command are replaced by a series of Xs.
Examples
The following example causes the adaptive security appliance to replace the FTP server replies to the syst command with Xs:
hostname(config)# ftp-map inbound_ftphostname(config-ftp-map)# mask-syst-replyhostname(config-ftp-map)#
match access-list
When using the Modular Policy Framework, use an access list to identify traffic to which you want to apply actions by using the match access-list command in class-map configuration mode. To remove the match access-list command, use the no form of this command.
match access-list access_list_name
no match access-list access_list_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
Configuring Modular Policy Framework consists of four tasks:
1.
After you enter the class-map command, you can enter the match access-list command to identify the traffic. Alternatively, you can enter a different type of match command, such as the match port command. You can only include one match access-list command in the class map, and you cannot combine it with other types of match commands. The exception is if you define the match default-inspection-traffic command which matches the default TCP and UDP ports used by all applications that the adaptive security appliance can inspect, then you can narrow the traffic to match using a match access-list command. Because the match default-inspection-traffic command specifies the ports to match, any ports in the access list are ignored.
2.
3.
4.
Examples
The following example creates three Layer 3/4 class maps that match three access lists:
hostname(config)# access-list udp permit udp any anyhostname(config)# access-list tcp permit tcp any anyhostname(config)# access-list host_foo permit ip any 10.1.1.1 255.255.255.255hostname(config)# class-map all_udphostname(config-cmap)# description "This class-map matches all UDP traffic"hostname(config-cmap)# match access-list udphostname(config-cmap)# class-map all_tcphostname(config-cmap)# description "This class-map matches all TCP traffic"hostname(config-cmap)# match access-list tcphostname(config-cmap)# class-map to_serverhostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1"hostname(config-cmap)# match access-list host_fooRelated Commands
match any
When using the Modular Policy Framework, match all traffic to which you want to apply actions by using the match any command in class-map configuration mode. To remove the match any command, use the no form of this command.
match any
no match any
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
Configuring Modular Policy Framework consists of four tasks:
1.
After you enter the class-map command, you can enter the match any command to identify all traffic. Alternatively, you can enter a different type of match command, such as the match port command. You cannot combine the match any command with other types of match commands.
2.
3.
4.
Examples
This example shows how to define a traffic class using a class map and the match any command:
hostname(config)# class-map cmaphostname(config-cmap)# match anyRelated Commands
match apn
To configure a match condition for an access point name in GTP messages, use the match apn command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] apn regex [regex_name | class regex_class_name]
no match [not] apn regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a GTP class map or policy map. Only one entry can be entered in a GTP class map.
Examples
The following example shows how to configure a match condition for an access point name in an GTP inspection class map:
hostname(config-cmap)# match apn class gtp_regex_apnRelated Commands
match body
To configure a match condition on the length or length of a line of an ESMTP body message, use the match body command in class-map or policy-map configuration mode. To remove a configured section, use the no form of this command.
match [not] body [length | line length] gt bytes
no match [not] body [length | line length] gt bytes
Syntax Description
length
Specifies the length of an ESMTP body message.
line length
Specifies the length of a line of an ESMTP body message.
bytes
Specifies the number to match in bytes.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for a body line length in an ESMTP inspection policy map:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)#match body line length gt 1000Related Commands
match called-party
To configure a match condition on the H.323 called party, use the match called-party command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] called-party [regex regex]
no match [not] match [not] called-party [regex regex]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for the called party in an H.323 inspection class map:
hostname(config-cmap)# match called-party regex caller1Related Commands
match calling-party
To configure a match condition on the H.323 calling party, use the match calling-party command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] calling-party [regex regex]
no match [not] match [not] calling-party [regex regex]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for the calling party in an H.323 inspection class map:
hostname(config-cmap)# match calling-party regex caller1Related Commands
match certificate
During the PKI certificate validation process, the adaptive security appliance checks certificate revocation status to maintain security. It can use either CRL checking or Online Certificate Status Protocol (OCSP) to accomplish this task. With CRL checking, the adaptive security appliance retrieves, parses, and caches Certificate Revocation Lists, which provide a complete list of revoked certificates. OCSP offers a more scalable method of checking revocation status in that it localizes certificate status on a Validation Authority, which it queries for the status of a specific certificate.
Certificate match rules let you configure OCSP URL overrides, which specify a URL to check for revocation status, rather than the URL in the AIA field of the remote user certificate. Match rules also let you configure trustpoints to use to validate OCSP responder certificates, which lets the adaptive security appliance validate responder certificates from any CA, including self-signed certificates and certificates external to the validation path of the client certificate.
To configure a certificate match rule, use the match certificate command in crypto ca trustpoint mode. To remove the rule from the configuration, use the no form of this command.
match certificate map-name override ocsp [trustpoint trustpoint-name] seq-num url URL
no match certificate map-name override ocsp
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
crypto ca trustpoint mode
•
•
•
•
•
Command History
Usage Guidelines
Be aware of the following tips when configuring OCSP:
•
•
•
•
•
•
Examples
The following example shows how to create a certificate match rule for a trustpoint called newtrust. The rule has a map name called mymap, sequence number of 4, a trustpoint called mytrust, and specifies a URL of 10.22.184.22.
hostname(config)# crypto ca trustpoint newtrusthostname(config-ca-trustpoint)# match certificate mymap override ocsp trustpoint mytrust 4 url 10.22.184.22hostname(config-ca-trustpoint)#The next example shows step-by-step how to configure a crypto ca certificate map, and then a match certificate rule to identify a trustpoint that contains a CA certificate to validate the responder certificate. This is necessary if the CA identified in the newtrust trustpoint does not issue an OCSP responder certificate.
Step 1
hostname(config)# crypto ca certificate map mymap 1 subject-name attr cn eq mycerthostname(config-ca-cert-map)# subject-name attr cn eq mycerthostname(config-ca-cert-map)#Step 2
hostname(config-ca-cert-map)# exithostname(config)# crypto ca trustpoint mytrusthostname(config-ca-trustpoint)# enroll terminalhostname(config-ca-trustpoint)# crypto ca authenticate mytrustEnter the base 64 encoded CA certificate.End with the word "quit" on a line by itselfMIIBnjCCAQcCBEPOpG4wDQYJKoZIhvcNAQEEBQAwFzEVMBMGA1UEAxQMNjMuNjcu NzIuMTg4MB4XDTA2MDExODIwMjYyMloXDTA5MDExNzIwMjYyMlowFzEVMBMGA1UE AxQMNjMuNjcuNzIuMTg4MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDnXUHv 7//x1xEAOYfUzJmH5sr/NuxAbA5gTUbYA3pcE0KZHt761N+/8xGxC3DIVB8u7T/b v8RqzqpmZYguveV9cLQK5tsxqW3DysMU/4/qUGPfkVZ0iKPCgpIAWmq2ojhCFPyx ywsDsjl6YamF8mpMoruvwOuaUOsAK6KO54vy0QIBAzANBgkqhkiG9w0BAQQFAAOB gQCSOihb2NH6mga2eLqEsFP1oVbBteSkEAm+NRCDK7ud1l3D6UC01EgtkJ81QtCk tvX2T2Y/5sdNW4gfueavbyqYDbk4yxCKaofPp1ffAD9rrUFQJM1uQX14wclPCcAN e7kR+rscOKYBSgVHrseqdB8+6QW5NF7f2dd+tSMvHtUMNw== quitINFO: Certificate has the following attributes:Fingerprint: 7100d897 05914652 25b2f0fc e773df42Do you accept this certificate? [yes/no]: yTrustpoint CA certificate accepted.% Certificate successfully importedStep 3
hostname(config)# crypto ca trustpoint newtrusthostname(config-ca-trustpoint)# enroll terminalhostname(config-ca-trustpoint)# crypto ca authenticate newtrustEnter the base 64 encoded CA certificate.End with the word "quit" on a line by itselfywsDsjl6YamF8mpMoruvwOuaUOsAK6KO54vy0QIBAzANBgkqhkiG9w0BAQQFAAOB gQCSOihb2NH6mga2eLqEsFP1oVbBteSkEAm+NRCDK7ud1l3D6UC01EgtkJ81QtCk AxQMNjMuNjcuNzIuMTg4MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDnXUHv 7//x1xEAOYfUzJmH5sr/NuxAbA5gTUbYA3pcE0KZHt761N+/8xGxC3DIVB8u7T/bgQCSOihb2NH6mga2eLqEsFP1oVbBteSkEAm+NRCDK7ud1l3D6UC01EgtkJ81QtCk tvX2T2Y/5sdNW4gfueavbyqYDbk4yxCKaofPp1ffAD9rrUFQJM1uQX14wclPCcAN NzIuMTg4MB4XDTA2MDExODIwMjYyMloXDTA5MDExNzIwMjYyMlowFzEVMBMGA1UE OPIBnjCCAQcCBEPOpG4wDQYJKoZIhvcNAQEEBQAwFzEVMBMGA1UEAxQMNjMuNjcu e7kR+rscOKYBSgVHrseqdB8+6QW5NF7f2dd+tSMvHtUMNw== quitINFO: Certificate has the following attributes:Fingerprint: 9508g897 82914638 435f9f0fc x9y2p42Do you accept this certificate? [yes/no]: yTrustpoint CA certificate accepted.% Certificate successfully importedhostname(config)# crypto ca trustpoint newtrusthostname(config-ca-trustpoint)# revocation-check ocsphostname(config-ca-trustpoint)# match certificate mymap override ocsp trustpoint mytrust 4 url 10.22.184.22Any connection that uses the newtrust trustpoint for client certificate authentication checks to see if the client certificate matches the attribute rules specified in the mymap certificate map. If so, the adaptive security appliance accesses the OCSP responder at 10.22.184.22 for certificate revocation status. It then uses the mytrust trustpoint to validate the responder certificate.
Note
Related Commands
match cmd
To configure a match condition on the ESMTP command verb, use the match cmd command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] cmd [verb verb | line length gt bytes | RCPT count gt recipients_number]
no match [not] cmd [verb verb | line length gt bytes | RCPT count gt recipients_number]
Syntax Description
verb verb
Specifies the ESMTP command verb.
line length gt bytes
Specifies the length of a line.
RCPT count gt recipients_number
Specifies the number of recipient email addresses.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition in an ESMTP inspection policy map for the verb (method) NOOP exchanged in the ESMTP transaction:
hostname(config-pmap)# match cmd verb NOOPRelated Commands
match default-inspection-traffic
To specify default traffic for the inspect commands in a class map, use the match default-inspection-traffic command in class-map configuration mode. To remove this specification, use the no form of this command.
match default-inspection-traffic
no match default-inspection-traffic
Syntax Description
This command has no arguments or keywords.
Defaults
See the Usage Guidelines section for the default traffic of each inspection.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Using the match default-inspection-traffic command, you can match default traffic for the individual inspect commands. The match default-inspection-traffic command can be used in conjunction with one other match command, which is typically an access-list in the form of permit ip src-ip dst-ip.
The rule for combining a second match command with the match default-inspection-traffic command is to specify the protocol and port information using the match default-inspection-traffic command and specify all other information (such as IP addresses) using the second match command. Any protocol or port information specified in the second match command is ignored with respect to the inspect commands.
For instance, port 65535 specified in the example below is ignored:
hostname(config)# class-map cmaphostname(config-cmap)# match default-inspection-traffichostname(config-cmap)# match port 65535Default traffic for inspections are as follows:
Examples
The following example shows how to define a traffic class using a class map and the match default-inspection-traffic command:
hostname(config)# class-map cmaphostname(config-cmap)# match default-inspection-traffichostname(config-cmap)#Related Commands
match dns-class
To configure a match condition for the Domain System Class in a DNS Resource Record or Question section, use the match dns-class command in class-map or policy-map configuration mode. To remove a configured class, use the no form of this command.
match [not] dns-class {eq c_well_known | c_val} {range c_val1 c_val2}
no match [not] dns-class {eq c_well_known | c_val} {range c_val1 c_val2}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
By default, this command inspects all fields (questions and RRs) of a DNS message and matches the specified class. Both DNS query and response are examined.
The match can be narrowed down to the question portion of a DNS query by the following two commands: match not header-flag QR and match question.
This command can be configured within a DNS class map or policy map. Only one entry can be entered within a DNS class-map.
Examples
The following example shows how to configure a match condition for a DNS class in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_maphostname(config-pmap)# match dns-class eq INRelated Commands
match dns-type
To configure a match condition for a DNS type, including Query type and RR type, use the match dns-type command in class-map or policy-map configuration mode. To remove a configured dns type, use the no form of this command.
match [not] dns-type {eq t_well_known | t_val} {range t_val1 t_val2}
no match [not] dns-type {eq t_well_known | t_val} {range t_val1 t_val2}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
By default, this command inspects all sections of a DNS message (questions and RRs) and matches the specified type. Both DNS query and response are examined.
The match can be narrowed down to the question portion of a DNS query by the following two commands: match not header-flag QR and match question.
This command can be configured within a DNS class map or policy map. Only one entry can be entered within a DNS class-map.
Examples
The following example shows how to configure a match condition for a DNS type in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_maphostname(config-pmap)# match dns-type eq aRelated Commands
match domain-name
To configure a match condition for a DNS message domain name list, use the match domain-name command in class-map or policy-map configuration mode. To remove a configured section, use the no form of this command.
match [not] domain-name regex regex_id
match [not] domain-name regex class class_id
no match [not] domain-name regex regex_id
no match [not] domain-name regex class class_id
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command matches domain names in the DNS message against predefined list. Compressed domain names will be expanded before matching. The match condition can be narrowed down to a particular field in conjunction with other DNS match commands.
This command can be configured within a DNS class map or policy map. Only one entry can be entered within a DNS class-map.
Examples
The following example shows how to match the DNS domain name in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_maphostname(config-pmap)# match domain-name regexRelated Commands
match dscp
To identify the IETF-defined DSCP value (in an IP header) in a class map, use the match dscp command in class-map configuration mode. To remove this specification, use the no form of this command.
match dscp {values}
no match dscp {values}
Syntax Description
values
Specifies up to eight different the IETF-defined DSCP values in the IP header. Range is 0 to 63.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Using the match dscp command, you can match the IETF-defined DSCP values in the IP header.
Examples
The following example shows how to define a traffic class using a class map and the match dscp command:
hostname(config)# class-map cmaphostname(config-cmap)# match dscp af43 cs1 efhostname(config-cmap)#Related Commands
match ehlo-reply-parameter
To configure a match condition on the ESMTP ehlo reply parameter, use the match ehlo-reply-parameter command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] ehlo-reply-parameter parameter
no match [not] ehlo-reply-parameter parameter
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for an ehlo reply parameter in an ESMTP inspection policy map:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)#match ehlo-reply-parameter authRelated Commands
match filename
To configure a match condition for a filename for FTP transfer, use the match filename command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] filename regex [regex_name | class regex_class_name]
no match [not] filename regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an FTP class map or policy map. Only one entry can be entered in a FTP class map.
Examples
The following example shows how to configure a match condition for an FTP transfer filename in an FTP inspection class map:
hostname(config)# class-map type inspect ftp match-all ftp_class1hostname(config-cmap)# description Restrict FTP users ftp1, ftp2, and ftp3 from accessing /roothostname(config-cmap)# match username regex class ftp_regex_userhostname(config-cmap)# match filename regex ftp-fileRelated Commands
match filetype
To configure a match condition for a filetype for FTP transfer, use the match filetype command in class-map or policy-map configuration mode. To remove the match condtion, use the no form of this command.
match [not] filetype regex [regex_name | class regex_class_name]
no match [not] filetype regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an FTP class map or policy map. Only one entry can be entered in a FTP class map.
Examples
The following example shows how to configure a match condition for an FTP transfer filetype in an FTP inspection policy map:
hostname(config-pmap)# match filetype class regex ftp-regex-filetypeRelated Commands
match flow ip destination-address
To specify the flow IP destination address in a class map, use the match flow ip destination-address command in class-map configuration mode. To remove this specification, use the no form of this command.
match flow ip destination-address
no match flow ip destination-address
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
To enable flow-based policy actions on a tunnel group, use the match flow ip destination-address and match tunnel-group commands with the class-map, policy-map, and service-policy commands. The criteria to define flow is the destination IP address. All traffic going to a unique IP destination address is considered a flow. Policy action is applied to each flow instead of the entire class of traffic. QoS action police is applied using the match flow ip destination-address command. Use match tunnel-group to police every tunnel within a tunnel group to a specified rate.
Examples
The following example shows how to enable flow-based policing within a tunnel group and limit each tunnel to a specified rate:
hostname(config)# class-map cmaphostname(config-cmap)# match tunnel-grouphostname(config-cmap)# match flow ip destination-addresshostname(config-cmap)# exithostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# police 56000hostname(config-pmap)# exithostname(config)# service-policy pmap globalhostname(config)#Related Commands
match header
To configure a match condition on the ESMTP header, use the match header command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] header [[length | line length] gt bytes | to-fields count gt to_fields_number]
no match [not] header [[length | line length] gt bytes | to-fields count gt to_fields_number]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for a header in an ESMTP inspection policy map:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)#match header length gt 512Related Commands
match header-flag
To configure a match condition for a DNS header flag, use the match header-flag command in class-map or policy-map configuration mode. To remove a configured header flag, use the no form of this command.
match [not] header-flag [eq] {f_well_known | f_value}
no match [not] header-flag [eq] {f_well_known | f_value}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a DNS class map or policy map. Only one entry can be entered in a DNS class map.
Examples
The following example shows how to configure a match condition for a DNS header flag in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_maphostname(config-pmap)# match header-flag AARelated Commands
match im-subscriber
To configure a match condition for a SIP IM subscriber, use the match im-subscriber command in class-map or policy-map configuration mode. To remove the match condtion, use the no form of this command.
match [not] im-subscriber regex [regex_name | class regex_class_name]
no match [not] im-subscriber regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a SIP class map or policy map. Only one entry can be entered in a SIP class map.
Examples
The following example shows how to configure a match condition for a SIP IM subscriber in a SIP inspection class map:
hostname(config-cmap)# match im-subscriber regex class im_senderRelated Commands
match invalid-recipients
To configure a match condition on the ESMTP invalid recipient address, use the match invalid-recipients command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] invalid-recipients count gt number
no match [not] invalid-recipients count gt number
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for invalid recipients count in an ESMTP inspection policy map:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)#match invalid-recipients count gt 1000Related Commands
match ip address
To redistribute any routes that have a route address or match packet that is passed by one of the access lists specified, use the match ip address command in route-map configuration mode. To restore the default settings, use the no form of this command.
match ip address {acl...}
no match ip address {acl...}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
Examples
The following example shows how to redistribute internal routes:
hostname(config)# route-map namehostname(config-route-map)# match ip address acl_dmz1 acl_dmz2Related Commands
match ip next-hop
To redistribute any routes that have a next-hop router address that is passed by one of the access lists specified, use the match ip next-hop command in route-map configuration mode. To remove the next-hop entry, use the no form of this command.
match ip next-hop {acl...} | prefix-list prefix_list
no match ip next-hop {acl...} | prefix-list prefix_list
Syntax Description
Defaults
Routes are distributed freely, without being required to match a next-hop address.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the acl argument.
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
When you are passing routes through a route map, a route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match.
Examples
The following example shows how to distribute routes that have a next-hop router address passed by access list acl_dmz1 or acl_dmz2:
hostname(config)# route-map namehostname(config-route-map)# match ip next-hop acl_dmz1 acl_dmz2Related Commands
match ip route-source
To redistribute routes that have been advertised by routers and access servers at the address that is specified by the ACLs, use the match ip route-source command in the route-map configuration mode. To remove the next-hop entry, use the no form of this command.
match ip route-source {acl...} | prefix-list prefix_list
no match ip route-source {acl...}
Syntax Description
Defaults
No filtering on a route source.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the access-list-name argument.
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match. The next-hop and source-router address of the route are not the same in some situations.
Examples
The following example shows how to distribute routes that have been advertised by routers and access servers at the addresses specified by ACLs acl_dmz1 and acl_dmz2:
hostname(config)# route-map namehostname(config-route-map)# match ip route-source acl_dmz1 acl_dmz2Related Commands
match login-name
To configure a match condition for a client login name for instant messaging, use the match login-name command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] login-name regex [regex_name | class regex_class_name]
no match [not] login-name regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an IM class map or policy map. Only one entry can be entered in a IM class map.
Examples
The following example shows how to configure a match condition for a client login name in an instant messaging class map:
hostname(config)# class-map type inspect im im_classhostname(config-cmap)# match login-name regex loginRelated Commands
match media-type
To configure a match condition on the H.323 media type, use the match media-type command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] media-type [audio | data | video]
no match [not] media-type [audio | data | video]
Syntax Description
audio
Specifies to match audio media type.
data
Specifies to match data media type.
video
Specifies to match video media type.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for audio media type in an H.323 inspection class map:
hostname(config-cmap)# match media-type audioRelated Commands
match message id
To configure a match condition for a GTP message ID, use the match message id command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] message id [message_id | range lower_range upper_range]
no match [not] message id [message_id | range lower_range upper_range]
Syntax Description
message_id
Specifies an alphanumeric identifier between 1 and 255.
range lower_range upper_range
Specifies a lower and upper range of IDs.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a GTP class map or policy map. Only one entry can be entered in a GTP class map.
Examples
The following example shows how to configure a match condition for a message ID in a GTP inspection class map:
hostname(config-cmap)# match message id 33Related Commands
match message length
To configure a match condition for a GTP message ID, use the match message length command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] message length min min_length max max_length
no match [not] message length min min_length max max_length
Syntax Description
min min_length
Specifies a minimum message ID length. Value is between 1 and 65536.
max max_length
Specifies a maximum message ID length. Value is between 1 and 65536.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a GTP class map or policy map. Only one entry can be entered in a GTP class map.
Examples
The following example shows how to configure a match condition for a message length in a GTP inspection class map:
hostname(config-cmap)# match message length min 8 max 200Related Commands
match message-path
To configure a match condition for the path taken by a SIP message as specified in the Via header field, use the match message-path command in class-map or policy-map configuration mode. To remove the match condtion, use the no form of this command.
match [not] message-path regex [regex_name | class regex_class_name]
no match [not] message-path regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a SIP class map or policy map. Only one entry can be entered in a SIP class map.
Examples
The following example shows how to configure a match condition for the path taken by a SIP message in a SIP inspection class map:
hostname(config-cmap)# match message-path regex class sip_messageRelated Commands
match mime
To configure a match condition on the ESMTP mime encoding type, mime filename length, or mime file type, use the match mime command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] mime [encoding type | filename length gt bytes | filetype regex]
no match [not] mime [encoding type | filename length gt bytes | filetype regex]
Syntax Description
encoding type
Specifies to match on the encoding type.
filename length gt bytes
Specifies to match on the filename length.
filetype regex
Specifies to match on the file type.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for a mime filename length in an ESMTP inspection policy map:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)#match mime filename length gt 255Related Commands
match peer-ip-address
To configure a match condition for the peer IP address for instant messaging, use the match peer-ip-address command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] peer-ip-address ip_address ip_address_mask
no match [not] peer-ip-address ip_address ip_address_mask
Syntax Description
ip_address
Specifies a hostname or IP address of the client or server.
ip_address_mask
Specifies the netmask for the client or server IP address.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an IM class map or policy map. Only one entry can be entered in a IM class map.
Examples
The following example shows how to configure a match condition for the peer IP address in an instant messaging class map:
hostname(config)# class-map type inspect im im_classhostname(config-cmap)# match peer-ip-address 10.1.1.0 255.255.255.0Related Commands
match peer-login-name
To configure a match condition for the peer login name for instant messaging, use the match peer-login-name command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] peer-login-name regex [regex_name | class regex_class_name]
no match [not] peer-login-name regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an IM class map or policy map. Only one entry can be entered in a IM class map.
Examples
The following example shows how to configure a match condition for the peer login name in an instant messaging class map:
hostname(config)# class-map type inspect im im_classhostname(config-cmap)# match peer-login-name regex peerloginRelated Commands
match port
When using the Modular Policy Framework, match the TCP or UDP ports to which you want to apply actions by using the match port command in class-map configuration mode. To remove the match port command, use the no form of this command.
match port {tcp | udp} {eq port | range beg_port end_port}
no match port {tcp | udp} {eq port | range beg_port end_port}
Syntax Description
eq port
Specifies a single port name or number.
range beg_port end_port
Specifies beginning and ending port range values between 1 and 65535.
tcp
Specifies a TCP port.
udp
Specifies a UDP port.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
Configuring Modular Policy Framework consists of four tasks:
1.
After you enter the class-map command, you can enter the matchport command to identify the traffic. Alternatively, you can enter a different type of match command, such as the match access-list command (the class-map type management command only allows the match port command). You can only include one match port command in the class map, and you cannot combine it with other types of match commands.
2.
3.
4.
Examples
The following example shows how to define a traffic class using a class map and the match port command:
hostname(config)# class-map cmaphostname(config-cmap)# match port tcp eq 8080Related Commands
match precedence
To specify a precedence value in a class map, use the match precedence command in class-map configuration mode. To remove this specification, use the no form of this command.
match precedence value
no match precedence value
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Use the match precedence command to specify the value represented by the TOS byte in the IP header.
Examples
The following example shows how to define a traffic class using a class map and the match precedence command:
hostname(config)# class-map cmaphostname(config-cmap)# match precedence 1hostname(config-cmap)#Related Commands
match protocol
To configure a match condition for a specific instant messaging protocol, such as MSN or Yahoo, use the match protocol command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] protocol {msn-im | yahoo-im}
no match [not] protocol {msn-im | yahoo-im}
Syntax Description
msn-im
Specifies to match the MSN instant messaging protocol.
yahoo-im
Specifies to match the Yahoo instant messaging protocol.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an IM class map or policy map. Only one entry can be entered in a IM class map.
Examples
The following example shows how to configure a match condition for the Yahoo instant messaging protocol in an instant messaging class map:
hostname(config)# class-map type inspect im im_classhostname(config-cmap)# match protocol yahoo-imRelated Commands
match question
To configure a match condition for a DNS question or resource record, use the match question command in class-map or policy-map configuration mode. To remove a configured section, use the no form of this command.
match {question | {resource-record answer | authority | additional}}
no match {question | {resource-record answer | authority | additional}}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
By default, this command inspects the DNS header and matches the specified field. It can be used in conjunction with other DNS match commands to define inspection of a particular question or RR type..
This command can be configured within a DNS class map or policy map. Only one entry can be entered within a DNS class-map.
Examples
The following example shows how to configure a match condition for a DNS question in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_maphostname(config-pmap)# match questionRelated Commands
match regex
To identify a regular expression in a regular expression class map, use the match regex command in class-map type regex configuration mode. To remove the regular expression from the class map, use the no form of this command.
match regex name
no match regex name
Syntax Description
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map type regex configuration
•
•
•
—
•
Command History
Usage Guidelines
The regex command can be used for various features that require text matching. You can group regular expressions in a regular expression class map using the class-map type regex command and then multiple match regex commands.
For example, you can configure special actions for application inspection using an inspection policy map (see the policy map type inspect command). In the inspection policy map, you can identify the traffic you want to act upon by creating an inspection class map containing one or more match commands or you can use match commands directly in the inspection policy map. Some match commands let you identify text in a packet using a regular expression; for example, you can match URL strings inside HTTP packets.
Examples
The following is an example of an HTTP inspection policy map and the related class maps. This policy map is activated by the Layer 3/4 policy map, which is enabled by the service policy.
hostname(config)# regex url_example example\.comhostname(config)# regex url_example2 example2\.comhostname(config)# class-map type regex match-any URLshostname(config-cmap)# match regex url_examplehostname(config-cmap)# match regex url_example2hostname(config-cmap)# class-map type inspect http match-all http-traffichostname(config-cmap)# match req-resp content-type mismatchhostname(config-cmap)# match request body length gt 1000hostname(config-cmap)# match not request uri regex class URLshostname(config-cmap)# policy-map type inspect http http-map1hostname(config-pmap)# class http-traffichostname(config-pmap-c)# drop-connection loghostname(config-pmap-c)# match req-resp content-type mismatchhostname(config-pmap-c)# reset loghostname(config-pmap-c)# parametershostname(config-pmap-p)# protocol-violation action loghostname(config-pmap-p)# policy-map testhostname(config-pmap)# class test [a Layer 3/4 class map not shown]hostname(config-pmap-c)# inspect http http-map1hostname(config-pmap-c)# service-policy test interface outsideRelated Commands
class-map type regex
Creates a regular expression class map.
regex
Adds a regular expression.
test regex
Tests a regular expression.
match regex
To identify a regular expression in a regular expression class map, use the match regex command in class-map type regex configuration mode. To remove the regular expression from the class map, use the no form of this command.
match regex name
no match regex name
Syntax Description
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map type regex configuration
•
•
•
—
•
Command History
Usage Guidelines
The regex command can be used for various features that require text matching. You can group regular expressions in a regular expression class map using the class-map type regex command and then multiple match regex commands.
For example, you can configure special actions for application inspection using an inspection policy map (see the policy map type inspect command). In the inspection policy map, you can identify the traffic you want to act upon by creating an inspection class map containing one or more match commands or you can use match commands directly in the inspection policy map. Some match commands let you identify text in a packet using a regular expression; for example, you can match URL strings inside HTTP packets.
Examples
The following is an example of an HTTP inspection policy map and the related class maps. This policy map is activated by the Layer 3/4 policy map, which is enabled by the service policy.
hostname(config)# regex url_example example\.comhostname(config)# regex url_example2 example2\.comhostname(config)# class-map type regex match-any URLshostname(config-cmap)# match regex url_examplehostname(config-cmap)# match regex url_example2hostname(config-cmap)# class-map type inspect http match-all http-traffichostname(config-cmap)# match req-resp content-type mismatchhostname(config-cmap)# match request body length gt 1000hostname(config-cmap)# match not request uri regex class URLshostname(config-cmap)# policy-map type inspect http http-map1hostname(config-pmap)# class http-traffichostname(config-pmap-c)# drop-connection loghostname(config-pmap-c)# match req-resp content-type mismatchhostname(config-pmap-c)# reset loghostname(config-pmap-c)# parametershostname(config-pmap-p)# protocol-violation action loghostname(config-pmap-p)# policy-map testhostname(config-pmap)# class test [a Layer 3/4 class map not shown]hostname(config-pmap-c)# inspect http http-map1hostname(config-pmap-c)# service-policy test interface outsideRelated Commands
class-map type regex
Creates a regular expression class map.
regex
Adds a regular expression.
test regex
Tests a regular expression.
match req-resp
To configure a match condition for both HTTP requests and responses, use the match req-resp command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] req-resp content-type mismatch
no match [not] req-resp content-type mismatch
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command enables the following checks:
•
•
•
If the message fails any of the above checks, the adaptive security appliance takes the configured action.
The following is the list of supported content types.
Some content-types in this list may not have a corresponding regular expression (magic number) so they cannot be verified in the body portion of the message. When this case occurs, the HTTP message will be allowed.
Examples
The following example shows how to restrict HTTP traffic based on the content type of the HTTP message in an HTTP policy map:
hostname(config)#policy-map type inspect http http_maphostname(config-pmap)#match req-resp content-type mismatchRelated Commands
match request-command
To restrict specific FTP commands, use the match request-command command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] request-command ftp_command [ftp_command...]
no match [not] request-command ftp_command [ftp_command...]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an FTP class map or policy map. Only one entry can be entered in a FTP class map.
Examples
The following example shows how to configure a match condition for a specific FTP command in an FTP inspection policy map:
hostname(config)# policy-map type inspect ftp ftp_map1hostname(config-pmap)# match request-command stouRelated Commands
match request-method
To configure a match condition for the SIP method type, use the match request-method command in class-map or policy-map configuration mode. To remove the match condtion, use the no form of this command.
match [not] request-method method_type
no match [not] request-method method_type
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a SIP class map or policy map. Only one entry can be entered in a SIP class map.
Examples
The following example shows how to configure a match condition for the path taken by a SIP message in a SIP inspection class map:
hostname(config-cmap)# match request-method ackRelated Commands
match request method
To configure a match condition for HTTP requests, use the match request method command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] request {built-in-regex | regex {regex_name | class class_map_name}}
no match [not] request {built-in-regex | regex {regex_name | class class_map_name}}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
Examples
The following example shows how to define an HTTP inspection policy map that will allow and log any HTTP connection that attempts to access "www\.xyz.com/.*\.asp" or "www\.xyz[0-9][0-9]\.com" with methods "GET" or "PUT." All other URL/Method combinations will be silently allowed:
hostname(config)# regex url1 "www\.xyz.com/.*\.asphostname(config)# regex url2 "www\.xyz[0-9][0-9]\.com"hostname(config)# regex get "GET"hostname(config)# regex put "PUT"hostname(config)# class-map type regex match-any url_to_loghostname(config-cmap)# match regex url1hostname(config-cmap)# match regex url2hostname(config-cmap)# exithostname(config)# class-map type regex match-any methods_to_loghostname(config-cmap)# match regex gethostname(config-cmap)# match regex puthostname(config-cmap)# exithostname(config)# class-map type inspect http http_url_policyhostname(config-cmap)# match request uri regex class url_to_loghostname(config-cmap)# match request method regex class methods_to_loghostname(config-cmap)# exithostname(config)# policy-map type inspect http http_policyhostname(config-pmap)# class http_url_policyhostname(config-pmap-c)# logRelated Commands
match route-type
To redistribute routes of the specified type, use the match route-type command in route-map configuration mode. To remove the route type entry, use the no form of this command.
match route-type {local | internal | {external [type-1 | type-2]} | {nssa-external [type-1 | type-2]}}
no match route-type {local | internal | {external [type-1 | type-2]} | {nssa-external [type-1 | type-2]}}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match.
For OSPF, the external type-1 keywords match only type 1 external routes and the external type-2 keywords match only type 2 external routes.
Examples
The following example shows how to redistribute internal routes:
hostname(config)# route-map namehostname(config-route-map)# match route-type internalRelated Commands
match rtp
To specify a UDP port range of even-number ports in a class map, use the match rtp command in class-map configuration mode. To remove this specification, use the no form of this command.
match rtp starting_port range
no match rtp starting_port range
Syntax Description
starting_port
Specifies lower bound of even-number UDP destination port. Range is 2000-65535
range
Specifies range of RTP ports. Range is 0-16383.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Use the match rtp command to match RTP ports (even UDP port numbers between the starting_port and the starting_port plus the range).
Examples
The following example shows how to define a traffic class using a class map and the match rtp command:
hostname(config)# class-map cmaphostname(config-cmap)# match rtp 20000 100hostname(config-cmap)#Related Commands
match sender-address
To configure a match condition on the ESMTP sender e-mail address, use the match sender-address command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] sender-address [length gt bytes | regex regex]
no match [not] sender-address [length gt bytes | regex regex]
Syntax Description
length gt bytes
Specifies to match on the sender e-mail address length.
regex regex
Specifies to match on the regular expression.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for the sender email address of length greater than 320 characters in an ESMTP inspection policy map:
hostname(config-pmap)# match sender-address length gt 320Related Commands
match server
To configure a match condition for an FTP server, use the match server command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] server regex [regex_name | class regex_class_name]
no match [not] server regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an FTP class map or policy map. Only one entry can be entered in a FTP class map.
The adaptive security appliance matches the server name based using the initial 220 server message that is displayed above the login prompt when connecting to an FTP server. The 220 server message might contain multiple lines. The server match is not based on the FQDN of the server name resolved through DNS.
Examples
The following example shows how to configure a match condition for an FTP server in an FTP inspection policy map:
hostname(config-pmap)# match server class regex ftp-serverRelated Commands
match service
To configure a match condition for a specific instant messaging service, use the match service command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] service {chat | file-transfer | games | voice-chat | webcam | conference}
no match [not] service {chat | file-transfer | games | voice-chat | webcam | conference}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an IM class map or policy map. Only one entry can be entered in a IM class map.
Examples
The following example shows how to configure a match condition for the chat service in an instant messaging class map:
hostname(config)# class-map type inspect im im_classhostname(config-cmap)# match service chatRelated Commands
match third-party-registration
To configure a match condition for the requester of a third-party registration, use the match third-party-registration command in class-map or policy-map configuration mode. To remove the match condtion, use the no form of this command.
match [not] third-party-registration regex [regex_name | class regex_class_name]
no match [not] third-party-registration regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a SIP class map or policy map. Only one entry can be entered in a SIP class map.
The third-party registration match command is used to identify the user who can register others with a SIP registar or SIP proxy. It is identified by the From header field in the REGISTER message in the case of mismatching From and To values.
Examples
The following example shows how to configure a match condition for third-party registration in a SIP inspection class map:
hostname(config-cmap)# match third-party-registration regex class sip_registRelated Commands
match tunnel-group
To match traffic in a class map that belongs to a previously defined tunnel-group, use the match tunnel-group command in class-map configuration mode. To remove this specification, use the no form of this command.
match tunnel-group name
no match tunnel-group name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
To enable flow-based policy actions, use the match flow ip destination-address and match tunnel-group commands with the class-map, policy-map, and service-policy commands. The criteria to define flow is the destination IP address. All traffic going to a unique IP destination address is considered a flow. Policy action is applied to each flow instead of the entire class of traffic. QoS action police is applied using the police command. Use match tunnel-group along with match flow ip destination-address to police every tunnel within a tunnel group to a specified rate.
Examples
The following example shows how to enable flow-based policing within a tunnel group and limit each tunnel to a specified rate:
hostname(config)# class-map cmaphostname(config-cmap)# match tunnel-grouphostname(config-cmap)# match flow ip destination-addresshostname(config-cmap)# exithostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# police 56000hostname(config-pmap)# exithostname(config)# service-policy pmap globalRelated Commands
match uri
To configure a match condition for the URI in the SIP headers, use the match uri command in class-map or policy-map configuration mode. To remove the match condtion, use the no form of this command.
match [not] uri {sip | tel} length gt gt_bytes
no match [not] uri {sip | tel} length gt gt_bytes
Syntax Description
sip
Specifies a SIP URI.
tel
Specifies a TEL URI.
length gt gt_bytes
Specifies the maximum length of the URI. Value is between 0 and 65536.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a SIP class map or policy map. Only one entry can be entered in a SIP class map.
Examples
The following example shows how to configure a match condition for the URI in the SIP message:
hostname(config-cmap)# match uri sip length gtRelated Commands
match url-filter
To configure a match condition for URL filtering in an RTSP message, use the match url-filter command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] url-filter regex [regex_name | class regex_class_name]
no match [not] url-filter regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an RTSP class map or policy map.
Examples
The following example shows how to configure a match condition for URL filtering in an RTSP inspection policy map:
hostname(config)# regex badurl www.url1.com/rtsp.avihostname(config)# policy-map type inspect rtsp rtsp-maphostname(config-pmap)# match url-filter regex badurlhostname(config-pmap-p)# drop-connectionRelated Commands
match username
To configure a match condition for an FTP username, use the match username command in class-map or policy-map configuration mode. To remove the match condtion, use the no form of this command.
match [not] username regex [regex_name | class regex_class_name]
no match [not] username regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an FTP class map or policy map. Only one entry can be entered in a FTP class map.
Examples
The following example shows how to configure a match condition for an FTP username in an FTP inspection class map:
hostname(config)# class-map type inspect ftp match-all ftp_class1hostname(config-cmap)# match username regex class ftp_regex_userRelated Commands
match version
To configure a match condition for a GTP message ID, use the match message length command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] version [version_id | range lower_range upper_range]
no match [not] version [version_id | range lower_range upper_range]
Syntax Description
vresion_id
Specifies a version between 0 and 255.
range lower_range upper_range
Specifies a lower and upper range of versions.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a GTP class map or policy map. Only one entry can be entered in a GTP class map.
Examples
The following example shows how to configure a match condition for a message version in a GTP inspection class map:
hostname(config-cmap)# match version 1Related Commands
max-failed-attempts
To specify the number of failed attempts allowed for any given server in the server group before that server is deactivated, use the max-failed-attempts command in AAA-server group configuration mode. To remove this specification and revert to the default value, use the no form of this command:
max-failed-attempts number
no max-failed-attempts
Syntax Description
number
An integer in the range 1-5, specifying the number of failed connection attempts allowed for any given server in the server group specified in a prior aaa-server command.
Defaults
The default value of number is 3.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server group configuration
•
•
•
•
—
Command History
Usage Guidelines
You must have configured the AAA server/group before issuing this command.
Examples
hostname(config)#aaa-server svrgrp1 protocol tacacs+hostname(config-aaa-server-group)#max-failed-attempts 4hostname(config-aaa-server-group)#Related Commands
max-forwards-validation
To enable check on Max-forwards header field of 0, use the max-forwards-validation command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.
max-forwards-validation action {drop | drop-connection | reset | log} [log}
no max-forwards-validation action {drop | drop-connection | reset | log} [log}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Usage Guidelines
This command counts the number of hops to destination, which cannot be 0 before reaching the destination.
Examples
The following example shows how to enable max forwards validation in a SIP inspection policy map:
hostname(config)# policy-map type inspect sip sip_maphostname(config-pmap)# parametershostname(config-pmap-p)# max-forwards-validation action logRelated Commands
max-header-length
To restrict HTTP traffic based on the HTTP header length, use the max-header-length command in HTTP map configuration mode, which is accessible using the http-map command. To remove this command, use the no form of this command.
max-header-length {request bytes [response bytes] | response bytes} action {allow | reset | drop} [log]
no max-header-length {request bytes [response bytes] | response bytes} action {allow | reset | drop} [log]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
HTTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
After enabling the max-header-length command, the adaptive security appliance only allows messages having an HTTP header within the configured limit and otherwise takes the specified action. Use the action keyword to cause the adaptive security appliance to reset the TCP connection and optionally create a syslog entry.
Examples
The following example restricts HTTP requests to those with HTTP headers that do not exceed 100 bytes. If a header is too large, the adaptive security appliance resets the TCP connection and creates a syslog entry.
hostname(config)# http-map inbound_httphostname(config-http-map)# max-header-length request bytes 100 action log resethostname(config-http-map)#Related Commands
max-object-size
To set a maximum size for objects that the adaptive security appliance can cache for WebVPN sessions, use the max-object-size command in cache mode. To change the size, use the command again.
max-object-size integer range
Syntax Description
Defaults
1000 KB
Command Modes
The following table shows the modes in which you enter the command:
Cache mode
•
—
•
—
—
Command History
Usage Guidelines
The Maximum object size must be larger than the minimum object size. The adaptive security appliance calculates the size after compressing the object, if cache compression is enabled.
Examples
The following example shows how to set a maximum object size of 4000 KB:
hostname(config)#webvpnhostname(config-webvpn)#cachehostname(config-webvpn-cache)# max-object-size 4000hostname(config-webvpn-cache)#Related Commands
max-retry-attempts
To configure the number of times the adaptive security appliance retries a failed SSO authentication attempt before letting the request time out, use the max-retry-attempts command in the webvpn configuration mode for the specific SSO server type.
To return to the default value, use the no form of this command.
max-retry-attempts retries
no max-retry-attempts
Syntax Description
Syntax DescriptionSyntax Description
retries
The number of times the adaptive security appliance retries a failed SSO authentication attempt. The range is 1 to 5 retries.
Defaults
The default value for this command is 3.
Command Modes
The following table shows the modes in which you can enter the command:
config-webvpn-sso-saml
•
—
•
—
—
config-webvpn-sso-siteminder
•
—
•
—
—
Command History
Usage Guidelines
Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The adaptive security appliance currently supports the SiteMinder-type of SSO server and the SAML POST-type SSO server.
This command applies to both types of SSO Servers.
Once you have configured the adaptive security appliance to support SSO authentication, optionally you can adjust two timeout parameters:
•
•
Examples
The following example, entered in webvpn-sso-siteminder configuration mode, configures four authentication retries for the SiteMinder SSO server named my-sso-server:
hostname(config-webvpn)# sso-server my-sso-server type siteminderhostname(config-webvpn-sso-siteminder)# max-retry-attempts 4hostname(config-webvpn-sso-siteminder)#Related Commands
max-uri-length
To restrict HTTP traffic based on the length of the URI in the HTTP request message, use the max-uri-length command in HTTP map configuration mode, which is accessible using the http-map command. To remove this command, use the no form of this command.
max-uri-length bytes action {allow | reset | drop} [log]
no max-uri-length bytes action {allow | reset | drop} [log]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
HTTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
After enabling the max-uri-length command, the adaptive security appliance only allows messages having a URI within the configured limit and otherwise takes the specified action. Use the action keyword to cause the adaptive security appliance to reset the TCP connection and create a syslog entry.
URIs with a length less than or equal to the configured value will be allowed. Otherwise, the specified action will be taken.
Examples
The following example restricts HTTP requests to those with URIs that do not exceed 100 bytes. If a URI is too large, the adaptive security appliance resets the TCP connection and creates a syslog entry.
hostname(config)# http-map inbound_httphostname(config-http-map)# max-uri-length 100 action reset loghostname(config-http-map)#Related Commands
mcc
To identify the mobile country code and the mobile network code for IMSI prefix filtering, use the mcc command in GTP map configuration mode. To remove the configuration, use the no form of this command.
mcc country_code mnc network_code
no mcc country_code mnc network_code
Syntax Description
Defaults
By default, the adaptive security appliance does not check for valid MCC/MNC combinations.
Command Modes
The following table shows the modes in which you can enter the command:
GTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command is used for IMSI Prefix filtering. The MCC and MNC in the IMSI of the received packet is compared with the MCC/MNC configured with this command and is dropped if it does not match.
This command must be used to enable IMSI Prefix filtering. You can configure multiple instances to specify permitted MCC and MNC combinations. By default, the adaptive security appliance does not check the validity of MNC and MCC combinations, so you must verify the validity of the combinations configured. To find more information about MCC and MNC codes, see the ITU E.212 recommendation, Identification Plan for Land Mobile Stations.
Examples
The following example identifies traffic for IMSI Prefix filtering with an MCC of 111 and an MNC of 222:
hostname(config)# gtp-map qtp-policyhostname(config-gtpmap)# mcc 111 mnc 222hostname(config-gtpmap)#Related Commands
media-termination
To specify the media termination instance to use for media connections to the Phone Proxy feature, use the media-termination command in global configuration mode.
To remove the media-termination address from the Phone Proxy configuration, use the no form of this command.
media-termination instance_name
no media-termination instance_name
Syntax Description
instance_name
Specifies the name of the interface for which the media termination address is used. Only one media-termination address can be configured per interface.
Defaults
There are no default settings for this command.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The adaptive security appliance must have IP addresses for media termination that meet the following criteria:
For the media termination instance, you can configure a global media-termination address for all interfaces or configure a media-termination address for different interfaces. However, you cannot use a global media-termination address and media-termination addresses configured for each interface at the same time.
If you configure a media termination address for multiple interfaces, you must configure an address on each interface that the adaptive security appliance uses when communicating with IP phones.
The IP addresses are publicly routable addresses that are unused IP addresses within the address range on that interface.
See Cisco ASA 5500 Series Configuration Guide using the CLI for the complete list of prerequisites that you must follow when creating the media termination instance and configuring the media termination addresses.
Examples
The following example shows the use of the media-termination address command to specify the IP address to use for media connections:
hostname(config-phone-proxy)# media-termination mta_instance1Related Commands
media-type
To set the media type to copper or fiber Gigabit Ethernet, use the media-type command in interface configuration mode. The fiber SFP connector is available on the 4GE SSM for the ASA 5500 series adaptive security appliance. To restore the media type setting to the default, use the no form of this command.
media-type {rj45 | sfp}
no media-type [rj45 | sfp]
Syntax Description
rj45
(Default) Sets the media type to the copper RJ-45 connector.
sfp
Sets the media type to the fiber SFP connector.
Defaults
The default is rj45.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
•
Command History
Usage Guidelines
The sfp setting uses a fixed speed (1000 Mbps), so the speed command allows you to set whether the interface negotiates link parameters or not. The duplex command is not supported for sfp.
Examples
The following example sets the media type to SFP:
hostname(config)# interface gigabitethernet1/1hostname(config-if)# media-type sfphostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownRelated Commands
member
To assign a context to a resource class, use the member command in context configuration mode. To remove the context from the class, use the no form of this command.
member class_name
no member class_name
Syntax Description
Defaults
By default, the context is assigned to the default class.
Command Modes
The following table shows the modes in which you can enter the command:
Context configuration
•
•
—
—
•
Command History
Usage Guidelines
By default, all security contexts have unlimited access to the resources of the adaptive security appliance, except where maximum limits per context are enforced. However, if you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context. The adaptive security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class.
Examples
The following example assigns the context test to the gold class:
hostname(config-ctx)# context testhostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2hostname(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfghostname(config-ctx)# member goldRelated Commands
member-interface
To assign a physical interface to a redundant interface, use the member-interface command in interface configuration mode. This command is available only for the redundant interface type. You can assign two member interfaces to a redundant interface. To remove a member interface, use the no form of this command. You cannot remove both member interfaces from the redundant interface; the redundant interface requires at least one member interface.
member-interface physical_interface
no member-interface physical_interface
Syntax Description
physical_interface
Identifies the interface ID, such as gigabitethernet 0/1. See the interface command for accepted values. Both member interfaces must be the same physical type.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
•
Command History
Usage Guidelines
Both member interfaces must be of the same physical type. For example, both must be Ethernet.
You cannot add a physical interface to the redundant interface if you configured a name for it. You must first remove the name using the no nameif command.
Caution
The only configuration available to physical interfaces that are part of a redundant interface pair are physical parameters such as speed and duplex commands, the description command, and the shutdown command. You can also enter run-time commands like default and help.
If you shut down the active interface, then the standby interface becomes active.
To change the active interface, enter the redundant-interface command.
The redundant interface uses the MAC address of the first physical interface that you add. If you change the order of the member interfaces in the configuration, then the MAC address changes to match the MAC address of the interface that is now listed first. Alternatively, you can assign a MAC address to the redundant interface, which is used regardless of the member interface MAC addresses (see the mac-address command or the mac-address auto command). When the active interface fails over to the standby, the same MAC address is maintained so traffic is not disrupted.
Examples
The following example creates two redundant interfaces:
hostname(config)# interface redundant 1hostname(config-if)# member-interface gigabitethernet 0/0hostname(config-if)# member-interface gigabitethernet 0/1hostname(config-if)# interface redundant 2hostname(config-if)# member-interface gigabitethernet 0/2hostname(config-if)# member-interface gigabitethernet 0/3Related Commands
memberof
To specify a list of group-names that this user is a member of, use the memberof command in username attributes configuration mode. To remove this attribute from the configuration, use the no form of this command.
memberof group_1[,group_2,...group_n]
[no] memberof group_1[,group_2,...group_n]
Syntax Description
Defaults
No default behavior or value.
Command Modes
The following table shows the modes in which you can enter the command:
Username attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
Enter a comma separated list of group names to which this user belongs.
Usage Guidelines
The following table lists the commands belonging in this group and the tunnel-group type where you can configure them:
Examples
The following example entered in global configuration mode, creates a username called newuser, then specifies that newuser is a member of the DevTest and management groups.
hostname(config)# username newuser nopasswordhostname(config)# username newuser attributeshostname(config-username)# memberof DevTest,managementhostname(config-username)#Related Commands
memory delayed-free-poisoner enable
To enable the delayed free-memory poisoner tool, use the memory delayed-free-poisoner enable command in privileged EXEC mode. To disable the delayed free-memory poisoner tool, use the no form of this command. The delayed free-memory poisoner tool lets you monitor freed memory for changes after it has been released by an application.
memory delayed-free-poisoner enable
no memory delayed-free-poisoner enable
Syntax Description
This command has no arguments or keywords.
Defaults
The memory delayed-free-poisoner enable command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Enabling the delayed free-memory poisoner tool has a significant impact on memory usage and system performance. The command should only be used under the supervision of the Cisco TAC. It should not be run in a production environment during heavy system usage.
When you enable this tool, requests to free memory by the applications running on the adaptive security appliance are written to a FIFO queue. As each request is written to the queue, each associated byte of memory that is not required by lower-level memory management is "poisoned" by being written with the value 0xcc.
The freed memory requests remain in the queue until more memory is required by an application than is in the free memory pool. When memory is needed, the first freed memory request is pulled from the queue and the poisoned memory is validated.
If the memory is unmodified, it is returned to the lower-level memory pool and the tool reissues the memory request from the application that made the initial request. The process continues until enough memory for the requesting application is freed.
If the poisoned memory has been modified, then the system forces a crash and produces diagnostic output to determine the cause of the crash.
The delayed free-memory poisoner tool periodically performs validation on all of the elements of the queue automatically. Validation can also be started manually using the memory delayed-free-poisoner validate command.
The no form of the command causes all of the memory referenced by the requests in the queue to be returned to the free memory pool without validation and any statistical counters to be cleared.
Examples
The following example enables the delayed free-memory poisoner tool:
hostname# memory delayed-free-poisoner enableThe following is sample output when the delayed free-memory poisoner tool detects illegal memory reuse:
delayed-free-poisoner validate failed because adata signature is invalid at delayfree.c:328.heap region: 0x025b1cac-0x025b1d63 (184 bytes)memory address: 0x025b1cb4byte offset: 8allocated by: 0x0060b812freed by: 0x0060ae15Dumping 80 bytes of memory from 0x025b1c88 to 0x025b1cd7025b1c80: ef cd 1c a1 e1 00 00 00 | ........025b1c90: 23 01 1c a1 b8 00 00 00 15 ae 60 00 68 ba 5e 02 | #.........`.h.^.025b1ca0: 88 1f 5b 02 12 b8 60 00 00 00 00 00 6c 26 5b 02 | ..[...`.....l&[.025b1cb0: 8e a5 ea 10 ff ff ff ff cc cc cc cc cc cc cc cc | ................025b1cc0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc | ................025b1cd0: cc cc cc cc cc cc cc cc | ........An internal error occurred. Specifically, a programming assertion wasviolated. Copy the error message exactly as it appears, and get theoutput of the show version command and the contents of the configurationfile. Then call your technical support representative.assertion "0" failed: file "delayfree.c", line 191Table 19-2 describes the significant portion of the output.
Related Commands
memory delayed-free-poisoner validate
To force validation of all elements in the memory delayed-free-poisoner queue, use the memory delayed-free-poisoner validate command in privileged EXEC mode.
memory delayed-free-poisoner validate
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
You must enable the delayed free-memory poisoner tool using the memory delayed-free-poisoner enable command before issuing the memory delayed-free-poisoner validate command.
The memory delayed-free-poisoner validate command causes each element of the memory delayed-free-poisoner queue to be validated. If an element contains unexpected values, then the system forces a crash and produces diagnostic output to determine the cause of the crash. If no unexpected values are encountered, the elements remain in the queue and are processed normally by the tool; the memory delayed-free-poisoner validate command does not cause the memory in the queue to be returned to the system memory pool.
Note
Examples
The following example causes all elements in the memory delayed-free-poisoner queue to be validated:
hostname# memory delayed-free-poisoner validateRelated Commands
memory caller-address
To configure a specific range of program memory for the call tracing, or caller PC, to help isolate memory problems, use the memory caller-address command in privileged EXEC mode. The caller PC is the address of the program that called a memory allocation primitive. To remove an address range, use the no form of this command.
memory caller-address startPC endPC
no memory caller-address
Syntax Description
endPC
Specifies the end address range of the memory block.
startPC
Specifies the start address range of the memory block.
Defaults
The actual caller PC is recorded for memory tracing.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
—
•
•
Command History
Usage Guidelines
Use the memory caller-address command to isolate memory problems to a specific block of memory.
In certain cases the actual caller PC of the memory allocation primitive is a known library function that is used at many places in the program. To isolate individual places in the program, configure the start and end program address of the library function, thereby recording the program address of the caller of the library function.
Note
Examples
The following examples show the address ranges configured with the memory caller-address commands, and the resulting display of the show memory-caller address command:hostname# memory caller-address 0x00109d5c 0x00109e08hostname# memory caller-address 0x009b0ef0 0x009b0f14hostname# memory caller-address 0x00cf211c 0x00cf4464hostname# show memory-caller addressMove down stack frame for the addresses:pc = 0x00109d5c-0x00109e08pc = 0x009b0ef0-0x009b0f14pc = 0x00cf211c-0x00cf4464Related Commands
memory profile enable
To enable the monitoring of memory usage (memory profiling), use the memory profile enable command in privileged EXEC mode. To disable memory profiling, use the no form of this command.
memory profile enable peak peak_value
no memory profile enable peak peak_value
Syntax Description
Defaults
Memory profiling is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
—
•
•
Command History
Usage Guidelines
Before enabling memory profiling, you must first configure a memory text range to profile with the memory profile text command.
Some memory is held by the profiling system until you enter the clear memory profile command. See the output of the show memory status command.
Note
The following example enables memory profiling:
hostname# memory profile enableRelated Commands
memory profile text
Configures a text range of memory to profile.
show memory profile
Displays information about the memory usage (profiling) of the adaptive security appliance.
memory profile text
To configure a program text range of memory to profile, use the memory profile text command in privileged EXEC mode. To disable, use the no form of this command.
memory profile text {startPC endPC | all resolution}
no memory profile text {startPC endPC | all resolution}
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
—
•
•
Command History
Usage Guidelines
For a small text range, a resolution of "4" normally traces the call to an instruction. For a larger text range, a coarse resolution is probably enough for the first pass and the range could be narrowed down to a set of smaller regions in the next pass.
After entering the text range with the memory profile text command, you must then enter the memory profile enable command to begin memory profiling. Memory profiling is disabled by default.
Note
Examples
The following example shows how to configure a text range of memory to profile, with a resolution of 4:
hostname# memory profile text 0x004018b4 0x004169d0 4The following example displays the configuration of the text range and the status of memory profiling (OFF):
hostname# show memory profile InUse profiling: OFF Peak profiling: OFF Profile: 0x004018b4-0x004169d0(00000004)
Note
Related Commands
memory-size
To configure the amount of memory on the adaptive security appliance which the various components of WebVPN can access, use the memory-size command in webvpn mode. You can configure the amount of memory either as a as a set amount of memory in KB or as a percentage of total memory. To remove a configured memory size, use the no form of this command.
Note
memory-size {percent | kb} size
no memory-size [{percent | kb} size]
Syntax Description
Defaults
No default behavior or value.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn mode
•
—
•
—
—
Command History
Usage Guidelines
The configured amount of memory will be allocated immediately. Before configuring this command, check the amount of available memory by using show memory. If a percentage of total memory is used for configuration, ensure that the configured value is below the available percentage. If a Kilobyte value is used for configuration, ensure that the configured value is below the available amount of memory in Kilobytes.
Examples
The following example shows how to configure a WebVPN memory size of 30 per cent:
hostname(config)# webvpnhostname(config-webvpn)# memory-size percent 30hostname(config-webvpn)#hostname(config-webvpn)# reload
memory tracking enable
To enable the tracking of heap memory request, use the memory tracking enable command in privileged EXEC mode. To disable memory tracking, use the no form of this command.
memory tracking enable
no memory tracking enable
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
—
•
•
Command History
Usage Guidelines
Use the memory tracking enable command to track heap memory requests. To disable memory tracking, use the no form of this command.
Examples
The following example enables tracking heap memory requests:
hostname# memory tracking enableRelated Commands
merge-dacl
To merge a downloadable ACL with the ACL received in the Cisco AV pair from a RADIUS packet, use the merge-dacl command in aaa-server group configuration mode. To disable the merging of a downloadable ACL with the ACL received in the Cisco AV pair from a RADIUS packet, use the no form of this command.
merge dacl {before_avpair | after_avpair}
no merge dacl
Syntax Description
Defaults
The default setting is no merge dacl, which specifies that downloadable ACLs will not be merged with Cisco AV pair ACLs.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server group configuration
•
•
•
•
•
Command History
Usage Guidelines
If both an AV pair and a downloadable ACL are received, the AV pair has priority and is used.
Examples
The following example specifies that the downloadable ACL entries should be placed before the Cisco AV pair entries:
hostname(config)# aaa-server servergroup1 protocol radius
hostname(config-aaa-server-group)# merge-dacl before-avpair
Related Commands
message-length
To filter GTP packets that do not meet the configured maximum and minimum length, use the message-length command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form to remove the command.
message-length min min_bytes max max_bytes
no message-length min min_bytes max max_bytes
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
GTP map configuration
·
·
·
·
No
Command History
Usage Guidelines
The length specified by this command is the sum of the GTP header and the rest of the message, which is the payload of the UDP packet.
Examples
The following example allows messages between 20 bytes and 300 bytes in length:
hostname(config)# gtp-map qtp-policyhostname(config-gtpmap)# permit message-length min 20 max 300hostname(config-gtpmap)#Related Commands
mfib forwarding
To reenable MFIB forwarding on an interface, use the mfib forwarding command in interface configuration mode. To disable MFIB forwarding on an interface, use the no form of this command.
mfib forwarding
no mfib forwarding
Syntax Description
This command has no arguments or keywords.
Defaults
The multicast-routing command enables MFIB forwarding on all interfaces by default.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
When you enable multicast routing, MFIB forwarding is enabled on all interfaces by default. Use the no form of the command to disable MFIB forwarding on a specific interface. Only the no form of the command appears in the running configuration.
When MFIB forwarding is disabled on an interface, the interface does not accept any multicast packets unless specifically configured through other methods. IGMP packets are also prevented when MFIB forwarding is disabled.
Examples
The following example disables MFIB forwarding on the specified interface:
hostname(config)# interface GigabitEthernet 0/0hostname(config-if)# no mfib forwardingRelated Commands
min-object-size
To set a minimum size for objects that the adaptive security appliance can cache for WebVPN sessions, use the min-object-size command in cache mode. To change the size, use the command again. To set no minimum object size, enter a value of zero (0).
min-object-size integer range
Syntax Description
Defaults
The default size is 0 KB.
Command Modes
The following table shows the modes in which you enter the command:
Cache mode
•
—
•
—
—
Command History
Usage Guidelines
The minimum object size must be smaller than the maximum object size. The adaptive security appliance calculates the size after compressing the object, if cache compression is enabled.
Examples
The following example shows how to set a maximum object size of 40 KB:
hostname(config)#webvpnhostname(config-webvpn)#cachehostname(config-webvpn-cache)# min-object-size 40hostname(config-webvpn-cache)#Related Commands
mkdir
To create a new directory, use the mkdir command in privileged EXEC mode.
mkdir [/noconfirm] [disk0: | disk1: | flash:]path
Syntax Description
Defaults
If you do not specify a path, the directory is created in the current working directory.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
If a directory with the same name already exists, then the new directory is not created.
Examples
The following example shows how to make a new directory called "backup":
hostname# mkdir backupRelated Commands
mobile-device portal
To change the clientless vpn access web portal from the mini-portal to the full-browser portal, for all mobile devices, use the mobile-device portal command from webvpn configuration mode. You will only need to make this configuration for smart phones running older operating systems such as Windows CE. You will not need to configure this option using modern smart phones as they use the full-browser portal by default.
mobile-device portal {full}
no mobile-device portal {full}
Syntax Description
mobile-device portal {full}
Changes the clientless vpn access portal from the mini-portal to the full-browser portal for all mobile devices.
Command Default
Before you run the command, the default behavior is that some mobile devices will get clientless vpn access through the mini-portal and some will use the full portal.
Command Modes
The following table shows the modes in which you can enter the command:
webvpn configuration
•
—
•
—
—
Command History
8.2(5)
We introduced this command simultaneously in 8.2(5) and 8.4(2).
8.4(2)
We introduced this command simultaneously in 8.2(5) and 8.4(2).
Usage Guidelines
Use this command only if you are recommended to do so by Cisco Technical Assistance Center (TAC).
Examples
Changes the clientless vpn access portal to a full-browser portal for all mobile devices.
hostname# config thostname(config)# webvpnhostname(config-webvpn)# mobile-device portal fullRelated Commands
mode
To set the security context mode to single or multiple, use the mode command in global configuration mode. You can partition a single adaptive security appliance into multiple virtual devices, known as security contexts. Each context behaves like an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone appliances. In single mode, the adaptive security appliance has a single configuration and behaves as a single device. In multiple mode, you can create multiple contexts, each with its own configuration. The number of contexts allowed depends on your license.
mode {single | multiple} [noconfirm]
Syntax Description
multiple
Sets multiple context mode.
noconfirm
(Optional) Sets the mode without prompting you for confirmation. This option is useful for automated scripts.
single
Sets the context mode to single.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
In multiple context mode, the adaptive security appliance includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a stand-alone device (see the config-url command to identify the context configuration location). The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the adaptive security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.
When you change the context mode using the mode command, you are prompted to reboot.
The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match using the mode command.
When you convert from single mode to multiple mode, the adaptive security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved. The adaptive security appliance automatically adds an entry for the admin context to the system configuration with the name "admin."
If you convert from multiple mode to single mode, you might want to first copy a full startup configuration (if available) to the adaptive security appliance; the system configuration inherited from multiple mode is not a complete functioning configuration for a single mode device.
Not all features are supported in multiple context mode. See the Cisco ASA 5500 Series Configuration Guide using the CLI for more information.
Examples
The following example sets the mode to multiple:
hostname(config)# mode multipleWARNING: This command will change the behavior of the deviceWARNING: This command will initiate a RebootProceed with change mode? [confirm] yConvert the system configuration? [confirm] yFlash Firewall mode: multiple****** --- SHUTDOWN NOW ---****** Message to all terminals:****** change modeRebooting....Booting system, please wait...The following example sets the mode to single:
hostname(config)# mode singleWARNING: This command will change the behavior of the deviceWARNING: This command will initiate a RebootProceed with change mode? [confirm] yFlash Firewall mode: single****** --- SHUTDOWN NOW ---****** Message to all terminals:****** change modeRebooting....Booting system, please wait...Related Commands
context
Configures a context in the system configuration and enters context configuration mode.
show mode
Shows the current context mode, either single or multiple.
monitor-interface
To enable health monitoring on a specific interface, use the monitor-interface command in global configuration mode. To disable interface monitoring, use the no form of this command.
monitor-interface if_name
no monitor-interface if_name
Syntax Description
Defaults
Monitoring of physical interfaces is enabled by default; monitoring of logical interfaces is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The number of interfaces that can be monitored for the adaptive security appliance is 250. Hello messages are exchanged during every interface poll frequency time period between the adaptive security appliance failover pair. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds).
Monitored failover interfaces can have the following status:
•
•
•
•
•
•
In Active/Active failover, this command is only valid within a context.
Examples
The following example enables monitoring on an interface named "inside":
hostname(config)# monitor-interface insidehostname(config)#Related Commands
more
To display the contents of a file, use the more command in privileged EXEC mode.
more {/ascii | /binary| /ebcdic | disk0: | disk1: | flash: | ftp: | http: | https: | system: | tftp:}filename
Syntax Description
Defaults
ASCII mode
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The more filesystem: command prompts you to enter the alias of the local directory or file systems.
Examples
The following example shows how to display the contents of a local file named "test.cfg":
hostname# more test.cfg: Saved: Written by enable_15 at 10:04:01 Apr 14 2005XXX Version X.X(X)nameif vlan300 outside security10enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptedhostname testfixup protocol ftp 21fixup protocol h323 H225 1720fixup protocol h323 ras 1718-1719fixup protocol ils 389fixup protocol rsh 514fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol sip 5060fixup protocol skinny 2000namesaccess-list deny-flow-max 4096access-list alert-interval 300access-list 100 extended permit icmp any anyaccess-list 100 extended permit ip any anypager lines 24icmp permit any outsidemtu outside 1500ip address outside 172.29.145.35 255.255.0.0no asdm history enablearp timeout 14400access-group 100 in interface outside!interface outside!route outside 0.0.0.0 0.0.0.0 172.29.145.1 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00timeout uauth 0:05:00 absoluteaaa-server TACACS+ protocol tacacs+aaa-server RADIUS protocol radiusaaa-server LOCAL protocol localsnmp-server host outside 128.107.128.179snmp-server location my_context, USAsnmp-server contact admin@my_context.comsnmp-server community publicno snmp-server enable trapsfloodguard enablefragment size 200 outsideno sysopt route dnattelnet timeout 5ssh timeout 5terminal width 511gdb enablemgcp command-queue 0Cryptochecksum:00000000000000000000000000000000: endRelated Commands
cd
Changes to the specified directory.
pwd
Displays the current working directory.
mount (CIFS)
To make a Common Internet File System (CIFS) accessible to the security appliance, use the mount command in global configuration mode. This command lets you enter config-mount-cifs configuration mode. To un-mount the CIFS network file system, use the no form of this command.
mount name type cifs server server-name share share status enable | status disable [domain domain-name ] username username password password
[no] mount name type cifs server server-name share share status enable | status disable [domain domain-name ] username username password password
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
config-mount-cifs configuration
•
•
•
—
•
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
The mount command uses the Installable File System (IFS) to mount the CIFS file system. IFS, a filesystem API, enables the security appliance to recognize and load drivers for file systems.
The mount command attaches the CIFS file system on the security appliance to the UNIX file tree. Conversely, the no mount command detaches it.
The mount-name specified in the mount command is used by other CLI commands to refer to the filesystem already mounted on the security appliance. For example, the database command, which sets up file storage for the Local Certificate Authority, needs the mount name of an existing mounted file system to save database files to non-flash storage.
The CIFS remote file-access protocol is compatible with the way applications share data on local disks and network file servers. Running over TCP/IP and using the Internet's global DNS, CIFS is an enhanced version of Microsoft's open, cross-platform Server Message Block (SMB) protocol, the native file-sharing protocol in the Windows operating systems.
Always exit from the root shell after using the mount command. The exit keyword in mount-cifs-config mode returns the user to global configuration mode.
In order to reconnect, remap your connections to storage.
Note
Examples
The following example mounts cifs://amer;chief:big-boy@myfiler02/my_share as the label, cifs_share:
hostname(config)#cifs_share type CIFS
hostname(config-pmap)#Related Commands
mount (FTP)
To make a File Transfer Protocol (FTP) file system accessible to the security appliance, use the mount name type ftp command in global configuration mode to enter Mount FTP configuration mode. The no mount name type ftp command is used to un-mount the FTP network file system.
[no] mount name type FTP server server-name path pathname status enable | status disable mode active | mode passive username username password password
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
config-mount-ftp
•
•
•
—
•
Global Configuration
•
•
•
—
•
Command History
Usage Guidelines
The mount name type ftp command uses the Installable File System (IFS) to mount the specified network file system. IFS, a filesystem API, enables the security appliance to recognize and load drivers for file systems.
To confirm that the FTP file system actually is mounted, use the dir all-filesystems instruction
The mount-name specified in the mount command is used when other CLI commands refer to the filesystem already mounted on the security appliance. For example, the database command, which sets up file storage for the Local Certificate Authority, needs the mount name of a mounted file system to save database files to non-flash storage.
Note
Note
Examples
This example mounts ftp://amor;chief:big-kid@myfiler02 as the label, my ftp:
hostname(config)#myftp type ftp server myfiler02a path status enable username chief password big-kidRelated Commands
debug webvpn
Logs WebVPN debug messages.
ftp mode passive
Controls interaction between the FTP client on the security appliance and the FTP server.
mroute
To configure a static multicast route, use the mroute command in global configuration mode. To remove a static multicast route, use the no form of this command.
mroute src smask {in_if_name [dense output_if_name] | rpf_addr} [distance]
no mroute src smask {in_if_name [dense output_if_name] | rpf_addr} [distance]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command lets you statically configure where multicast sources are located. The adaptive security appliance expects to receive multicast packets on the same interface as it would use to send unicast packets to a specific source. In some cases, such as bypassing a route that does not support multicast routing, multicast packets may take a different path than the unicast packets.
Static multicast routes are not advertised or redistributed.
Use the show mroute command displays the contents of the multicast route table. Use the show running-config mroute command to display the mroute commands in the running configuration.
Examples
The following example shows how configure a static multicast route using the mroute command:
hostname(config)# mroute 172.16.0.0 255.255.0.0 insideRelated Commands
mschapv2-capable
To enable MS-CHAPv2 authentication requests to the RADIUS server, use the mschapv2-capable command in aaa-server host configuration mode. To disable MS-CHAPv2, use the no form of this command.
mschapv2-capable
no mschapv2-capable
Syntax Description
This command has no arguments or keywords.
Defaults
MS-CHAPv2 is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable MS-CHAPv2 as the protocol used between the adaptive security appliance and the RADIUS server for a VPN connection, password management must be enabled in the tunnel-group general-attributes. Enabling password management generates an MS-CHAPv2 authentication request from the adaptive security appliance to the RADIUS server. See the description of the password-management command for details.
If you use double authentication and enable password management in the tunnel group, then the primary and secondary authentication requests include MS-CHAPv2 request attributes. If a RADIUS server does not support MS-CHAPv2, then you can configure that server to send a non-MS-CHAPv2 authentication request by using the no mschapv2-capable command.
Examples
The following example disables MS-CHAPv2 for the RADIUS server authsrv1.cisco.com:
hostname(config)# aaa-server rsaradius protocol radiushostname(config-aaa-server-group)# aaa-server rsaradius (management) host authsrv1.cisco.comhostname(config-aaa-server-host)# key secretpasswordhostname(config-aaa-server-host)# authentication-port 21812hostname(config-aaa-server-host)# accounting-port 21813hostname(config-aaa-server-host)# no mschapv2-capableRelated Commands
msie-proxy except-list
To configure Microsoft Internet Explorer browser proxy exception list settings for a local bypass on the client PC, enter the msie-proxy except-list command in group-policy configuration mode. To remove the attribute from the configuration, use the no form of the command.
msie-proxy except-list {value server[:port] | none}
no msie-proxy except-list
Syntax Description
Defaults
By default, msie-proxy except-list is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
The line containing the proxy server IP address or hostname and the port number must be less than 100 characters long.
Examples
The following example shows how to set a Microsoft Internet Explorer proxy exception list, consisting of the server at IP address 192.168.20.1, using port 880, for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy except-list value 192.168.20.1:880hostname(config-group-policy)#Related Commands
show running-configuration group-policy
Shows the value of the configured group-policy attributes.
clear configure group-policy
Removes all configured group-policy attributes.
msie-proxy local-bypass
To configure Microsoft Internet Explorer browser proxy local-bypass settings for a client PC, enter the msie-proxy local-bypass command in group-policy configuration mode. To remove the attribute from the configuration, use the no form of the command.
msie-proxy local-bypass {enable | disable}
no msie-proxy local-bypass {enable | disable}
Syntax Description
disable
Disables Microsoft Internet Explorer browser proxy local-bypass settings for a client PC.
enable
Enables Microsoft Internet Explorer browser proxy local-bypass settings for a client PC.
Defaults
By default, msie-proxy local-bypass is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Examples
The following example shows how to enable Microsoft Internet Explorer proxy local-bypass for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy local-bypass enablehostname(config-group-policy)#Related Commands
show running-configuration group-policy
Shows the value of the configured group-policy attributes.
clear configure group-policy
Removes all configured group-policy attributes.
msie-proxy lockdown
Enabling this feature hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session. Disabling the feature leaves the display of the Connections tab unchanged
To hide the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session or to leave it unchanged, use the msie-proxy lockdown command in group-policy configuration mode.
msie-proxy lockdown [enable | disable]
Syntax Description
disable
Leaves the Connections tab in Microsoft Internet Explorer unchanged.
enable
Hides the Connections tab in Microsoft Internet Explorer for the duration of an AnyConnect VPN session.
Defaults
The default value of this command in the default group policy is enable. Each group policy inherits its default values from the default group policy.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
•
•
—
—
Command History
Usage Guidelines
This command makes a temporary change to the user registry for the duration of the AnyConnect VPN session. This registry change hides the Connections tab from both Internet Explorer and the Microsoft Windows Control Panel > Internet Options application. When AnyConnect closes the VPN session, it returns the registry to the state it was in before the session.
You might enable this feature to prevent users from specifying a proxy service and changing LAN settings. Preventing user access to these settings enhances endpoint security during the AnyConnect session.
Examples
The following example hides the Connections tab for the duration of the AnyConnect session:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy lockdown enableThe following example leaves the Connections tab unchanged:
hostname(config-group-policy)# msie-proxy lockdown disableRelated Commands
msie-proxy method
To configure the browser proxy actions ("methods") for a client PC, enter the msie-proxy method command in group-policy configuration mode. To remove the attribute from the configuration, use the no form of the command.
msie-proxy method [auto-detect | no-modify | no-proxy | use-server | use-pac-url]
no msie-proxy method [auto-detect | no-modify | no-proxy | use-server | use-pac-url]
Note
Syntax Description
Defaults
The default method is use-server.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
The line containing the proxy server IP address or hostname and the port number can contain up to 100 characters.
The Safari browser does not support auto-detect. The Firefox and Safari browsers support the use of only one of these command options at a time. Microsoft Internet Explorer supports the following combinations of options for this command:
[no] msie-proxy method no-proxy
[no] msie-proxy method no-modify
[no] msie-proxy method [auto-detect] [use-server] [use-pac-url]
You can use a text editor to create a proxy auto-configuration (.pac) file for your browser. A .pac file is a JavaScript file that contains logic that specifies one or more proxy servers to be used, depending on the contents of the URL. The .pac file resides on a web server. When you specify use-pac-url, Internet Explorer uses the .pac file to determine the proxy settings. Use the msie-proxy pac-url command to specify the URL from which to retrieve the .pac file.
Examples
The following example shows how to configure auto-detect as the Microsoft Internet Explorer proxy setting for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy method auto-detecthostname(config-group-policy)#The following example configures the Microsoft Internet Explorer proxy setting for the group policy named FirstGroup to use the server QAserver, port 1001 as the server for the client PC:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy server QAserver:port 1001hostname(config-group-policy)# msie-proxy method use-serverhostname(config-group-policy)#Related Commands
msie-proxy pac-url
To tell a browser where to look for proxy information, enter the msie-proxy pac-url command in group-policy configuration mode. To remove the attribute from the configuration, use the no form of the command.
msie-proxy pac-url {none | value url}
no msie-proxy pac-url
Syntax Description
none
Specifies that there is no URL value.
value url
Specifies the URL of the website at which the browser can get the proxy auto-configuration file that defines the proxy server or servers to use.
Defaults
The default value is none.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
Requirements
To use the proxy auto-configuration feature, the remote user must use the Cisco AnyConnect VPN Client. To enable the use of the proxy auto-configuration URL, you must also configure the msie-proxy method command with the use-pac-url option.
Why Use This Command
Many network environments define HTTP proxies that connect a web browser to a particular network resource. The HTTP traffic can reach the network resource only if the proxy is specified in the browser and the client routes the HTTP traffic to the proxy. SSLVPN tunnels complicate the definition of HTTP proxies because the proxy required when tunneled to an enterprise network can differ from that required when connected to the Internet via a broadband connection or when on a third-party network.
In addition, companies with large networks might need to configure more than one proxy server and let users choose between them, based on transient conditions. By using .pac files, an administrator can author a single script file that determines which of numerous proxies to use for all client computers throughout the enterprise.
The following are some examples of how you might use a PAC file:
•
•
•
•
How to Use the Proxy Auto-Configuration Feature
You can use a text editor to create a proxy auto-configuration (.pac) file for your browser. A .pac file is a JavaScript file that contains logic that specifies one or more proxy servers to be used, depending on the contents of the URL. Use the msie-proxy pac-url command to specify the URL from which to retrieve the .pac file. Then, when you specify use-pac-url in the msie-proxy method command, the browser uses the .pac file to determine the proxy settings.
Examples
The following example shows how to configure a browser to get its proxy setting from the URL www.mycompanyserver.com for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy pac-url value http://www.mycompanyserver.comhostname(config-group-policy)#The following example disables the proxy auto-configuration feature for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy pac-url nonehostname(config-group-policy)#Related Commands
msie-proxy server
To configure a Microsoft Internet Explorer browser proxy server and port for a client PC, enter the msie-proxy server command in group-policy configuration mode. To remove the attribute from the configuration, use the no form of the command.
msie-proxy server {value server[:port] | none}
no msie-proxy server
Syntax Description
Defaults
By default, no msie-proxy server is specified.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
The line containing the proxy server IP address or hostname and the port number must be less than 100 characters long.
Examples
The following example shows how to configure the IP address 192.168.10.1 as a Microsoft Internet Explorer proxy server, using port 880, for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# msie-proxy server value 192.168.21.1:880hostname(config-group-policy)#Related Commands
show running-configuration group-policy
Shows the value of the configured group-policy attributes.
clear configure group-policy
Removes all configured group-policy attributes.
mtu
To specify the maximum transmission unit for an interface, use the mtu command in global configuration mode. To reset the MTU block size to 1500 for Ethernet interfaces, use the no form of this command. This command supports IPv4 and IPv6 traffic.
mtu interface_name bytes
no mtu interface_name bytes
Syntax Description
bytes
Number of bytes in the MTU; valid values are from 64 to 65,535 bytes.
interface_name
Internal or external network interface name.
Defaults
The default bytes is 1500 for Ethernet interfaces.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Usage Guidelines
The mtu command lets you to set the data size that is sent on a connection. Data that is larger than the MTU value is fragmented before being sent.
The adaptive security appliance supports IP path MTU discovery (as defined in RFC 1191), which allows a host to dynamically discover and cope with the differences in the maximum allowable MTU size of the various links along the path. Sometimes, the adaptive security appliance cannot forward a datagram because the packet is larger than the MTU that you set for the interface, but the "don't fragment" (DF) bit is set. The network software sends a message to the sending host, alerting it to the problem. The host has to fragment packets for the destination so that they fit the smallest packet size of all the links along the path.
The default MTU is 1500 bytes in a block for Ethernet interfaces (which is also the maximum). This value is sufficient for most applications, but you can pick a lower number if network conditions require it.
When using the Layer 2 Tunneling Protocol (L2TP), we recommend that you set the MTU size to 1380 to account for the L2TP header and IPSec header length.
Examples
This example shows how to specify the MTU for an interface:
hostname(config)# show running-config mtumtu outside 1500mtu inside 1500hostname(config)# mtu inside 8192hostname(config)# show running-config mtumtu outside 1500mtu inside 8192Related Commands
clear configure mtu
Clears the configured maximum transmission unit values on all interfaces.
show running-config mtu
Displays the current maximum transmission unit block size.
multicast boundary
To configure a multicast boundary for administratively-scoped multicast addresses, use the multicast boundary command in interface configuration mode. To remove the boundary, use the no form of this command. A multicast boundary restricts multicast data packet flows and enables reuse of the same multicast group address in different administrative domains.
multicast boundary acl [filter-autorp]
no multicast boundary acl [filter-autorp]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
Use this command to configure an administratively scoped boundary on an interface to filter multicast group addresses in the range defined by the acl argument. A standard access list defines the range of addresses affected. When this command is configured, no multicast data packets are allowed to flow across the boundary in either direction. Restricting multicast data packet flow enables reuse of the same multicast group address in different administrative domains.
If you configure the filter-autorp keyword, the administratively scoped boundary also examines Auto-RP discovery and announcement messages and removes any Auto-RP group range announcements from the Auto-RP packets that are denied by the boundary ACL. An Auto-RP group range announcement is permitted and passed by the boundary only if all addresses in the Auto-RP group range are permitted by the boundary ACL. If any address is not permitted, the entire group range is filtered and removed from the Auto-RP message before the Auto-RP message is forwarded.
Examples
The following example sets up a boundary for all administratively scoped addresses and filters the Auto-RP messages:
hostname(config)# access-list boundary_test deny 239.0.0.0 0.255.255.255hostname(config)# access-list boundary_test permit 224.0.0.0 15.255.255.255hostname(config)# interface GigabitEthernet0/3hostname(config-if)# multicast boundary boundary_test filter-autorpRelated Commands
multicast-routing
To enable IP multicast routing on the adaptive security appliance, use the multicast routing command in global configuration mode. To disable IP multicast routing, use the no form of this command.
multicast-routing
no multicast-routing
Syntax Description
This command has no arguments or keywords.
Defaults
The multicast-routing command enables PIM and IGMP on all interfaces by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The multicast-routing command enables PIM and IGMP on all interfaces.
Note
If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as the RP address.
The number of entries in the multicast routing tables are limited by the amount of RAM on the system. Table 19-3 lists the maximum number of entries for specific multicast tables based on the amount of RAM on the security appliance. Once these limits are reached, any new entries are discarded.
Table 19-3 Entry Limits for Multicast Tables
1000
3000
5000
1000
3000
5000
3000
7000
12000
Examples
The following example enables IP multicast routing on the adaptive security appliance:
hostname(config)# multicast-routingRelated Commands
