-
Cisco ASA 5500 Series Command Reference, 8.2
-
About This Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show ddns -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config ldap -- show running-config webvpn auto-signon
-
show service-policy -- show xlate
-
shun -- sysopt radius ignore-secret
-
- T through Z Commands
-
Feedback
Table Of Contents
tcp-map through type echo Commands
test dynamic-access-policy attributes
threat-detection scanning-threat
timeout (dns-server-group configuration mode)
tunnel-group general-attributes
tunnel-group webvpn-attributes
tunnel-group-map default-group
tcp-map through type echo Commands
tcp-map
To define a set of TCP normalization actions, use the tcp-map command in global configuration mode. The TCP normalization feature lets you specify criteria that identify abnormal packets, which the adaptive security appliance drops when they are detected. To remove the TCP map, use the no form of this command.
tcp-map map_name
no tcp-map map_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced.
7.2(4)/8.0(4)
The invalid-ack, seq-past-window, and synack-data subcommands were added.
Usage Guidelines
This feature uses Modular Policy Framework. First define the TCP normalization actions you want to take using the tcp-map command. The tcp-map command enters tcp-map configuration mode, where you can enter one or more commands to define the TCP normalization actions. Then define the traffic to which you want to apply the TCP map using the class-map command. Enter the policy-map command to define the policy, and enter the class command to reference the class map. In class configuration mode, enter the set connection advanced-options command to reference the TCP map. Finally, apply the policy map to an interface using the service-policy command. For more information about how Modular Policy Framework works, see the Cisco ASA 5500 Series Configuration Guide using the CLI.
The following commands are available in tcp-map configuration mode:
Examples
For example, to allow urgent flag and urgent offset packets for all traffic sent to the range of TCP ports between the well known FTP data port and the Telnet port, enter the following commands:
hostname(config)# tcp-map tmaphostname(config-tcp-map)# urgent-flag allowhostname(config-tcp-map)# class-map urg-classhostname(config-cmap)# match port tcp range ftp-data telnethostname(config-cmap)# policy-map pmaphostname(config-pmap)# class urg-classhostname(config-pmap-c)# set connection advanced-options tmaphostname(config-pmap-c)# service-policy pmap globalRelated Commands
tcp-options
To allow or clear the TCP options through the adaptive security appliance, use the tcp-options command in tcp-map configuration mode. To remove this specification, use the no form of this command.
tcp-options {selective-ack | timestamp | window-scale} {allow | clear}
no tcp-options {selective-ack | timestamp | window-scale} {allow | clear}
tcp-options range lower upper {allow | clear | drop}
no tcp-options range lower upper {allow | clear | drop}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.
Use the tcp-map command to enter tcp-map configuration mode. Use the tcp-options command in tcp-map configuration mode to clear selective-acknowledgement, window-scale, and timestamp TCP options. You can also clear or drop packets with options that are not very well defined.
Examples
The following example shows how to drop all packets with TCP options in the ranges of 6-7 and 9-255:
hostname(config)# access-list TCP extended permit tcp any anyhostname(config)# tcp-map tmaphostname(config-tcp-map)# tcp-options range 6 7 drophostname(config-tcp-map)# tcp-options range 9 255 drophostname(config)# class-map cmaphostname(config-cmap)# match access-list TCPhostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalRelated Commands
telnet
To add Telnet access to the console and set the idle timeout, use the telnet command in global configuration mode. To remove Telnet access from a previously set IP address, use the no form of
this command.telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}
no telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}
Syntax Description
Defaults
By default, Telnet sessions left idle for five minutes are closed by the adaptive security appliance.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0(1)
The variable IPv6_address was added. The no telnet timeout command was added too.
Usage Guidelines
The telnet command lets you specify which hosts can access the adaptive security appliance console with Telnet. You can enable Telnet to the adaptive security appliance on all interfaces. However, the adaptive security appliance enforces that all Telnet traffic to the outside interface be protected by IPSec. To enable a Telnet session to the outside interface, configure IPSec on the outside interface to include IP traffic that is generated by the adaptive security appliance and enable Telnet on the outside interface.
Use the no telnet command to remove Telnet access from a previously set IP address. Use the telnet timeout command to set the maximum time that a console Telnet session can be idle before being logged off by the adaptive security appliance. You cannot use the no telnet command with the telnet timeout command.
If you enter an IP address, you must also enter a netmask. There is no default netmask. Do not use the subnetwork mask of the internal network. The netmask is only a bit mask for the IP address. To limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255.
If IPSec is operating, you can specify an unsecure interface name, which is typically, the outside interface. At a minimum, you might configure the crypto map command to specify an interface name with the telnet command.
Use the passwd command to set a password for Telnet access to the console. The default is cisco. Use the who command to view which IP addresses are currently accessing the adaptive security appliance console. Use the kill command to terminate an active Telnet console session.
If you use the aaa command with the console keyword, Telnet console access must be authenticated with an authentication server.
Note
Examples
This example shows how to permit hosts 192.168.1.3 and 192.168.1.4 to access the adaptive security appliance console through Telnet. In addition, all the hosts on the 192.168.2.0 network are given access.
hostname(config)# telnet 192.168.1.3 255.255.255.255 insidehostname(config)# telnet 192.168.1.4 255.255.255.255 insidehostname(config)# telnet 192.168.2.0 255.255.255.0 insidehostname(config)# show running-config telnet192.168.1.3 255.255.255.255 inside192.168.1.4 255.255.255.255 inside192.168.2.0 255.255.255.0 insideThis example shows how to change the maximum session idle duration:
hostname(config)# telnet timeout 10hostname(config)# show running-config telnet timeouttelnet timeout 10 minutesThis example shows a Telnet console login session (the password does not display when entered):
hostname# passwd: ciscoWelcome to the XXX...Type help or `?' for a list of available commands.hostname>You can remove individual entries with the no telnet command or all telnet command statements with the clear configure telnet command:hostname(config)# no telnet 192.168.1.3 255.255.255.255 insidehostname(config)# show running-config telnet192.168.1.4 255.255.255.255 inside192.168.2.0 255.255.255.0 insidehostname(config)# clear configure telnetRelated Commandsshow telnet
terminal
To allow syslog messages to show in the current Telnet session, use the terminal monitor command in privileged EXEC mode. To disable syslog messages, use the no form of this command.
terminal {monitor | no monitor}
Syntax Description
monitor
Enables the display of syslog messages in the current Telnet session.
no monitor
Disables the display of syslog messages in the current Telnet session.
Defaults
Syslog messages are disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Examples
This example shows how to display and disable syslog messages in the current session:
hostname# terminal monitorhostname# terminal no monitorRelated Commands
terminal pager
To set the number of lines on a page before the "---more---"
192.168.1.3 255.255.255.255 insideprompt appears for Telnet sessions, use the terminal pager command in privileged EXEC mode.terminal pager [lines] lines
Syntax Description
Defaults
The default is 24 lines.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
This command changes the pager line setting only for the current Telnet session. To save a new default pager setting to the configuration, use the pager command.
If you use Telnet to access the admin context, then the pager line setting follows your session when you change to other contexts, even if the pager command in a given context has a different setting. To change the current pager setting, enter the terminal pager command with a new setting, or you can enter the pager command in the current context. In addition to saving a new pager setting to the context configuration, the pager command applies the new setting to the current Telnet session.
Examples
The following example changes the number of lines displayed to 20:
hostname# terminal pager 20Related Commands
terminal width
To set the width for displaying information during console sessions, use the terminal width command in global configuration mode. To disable, use the no form of this command.
terminal width columns
no terminal width columns
Syntax Description
Defaults
The default display width is 80 columns.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Examples
This example shows how to terminal display width to 100 columns:
hostname# terminal width 100Related Commands
test aaa-server
To check whether the adaptive security appliance can authenticate or authorize users with a particular AAA server, use the test aaa-server command in privileged EXEC mode. Failure to reach the AAA server may be due to incorrect configuration on the adaptive security appliance, or the AAA server may be unreachable for other reasons, such as restrictive network configurations or server downtime.
test aaa-server {authentication server_tag [host ip_address] [username username] [password password] | authorization server_tag [host ip_address] [username username]}
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The test aaa-server command lets you verify that the adaptive security appliance can authenticate users with a particular AAA server, and for legacy VPN authorization, if you can authorize a user. This command lets you test the AAA server without having an actual user who attempts to authenticate or authorize. It also helps you isolate whether AAA failures are due to misconfiguration of AAA server parameters, a connection problem to the AAA server, or other configuration errors on the adaptive security appliance.
Examples
The following example configures a RADIUS AAA server named srvgrp1 on host 192.168.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures authentication port 1650. The test aaa-server command following the setup of the AAA server parameters indicates that the authentication test failed to reach the server.
hostname(config)#aaa-server svrgrp1 protocol radiushostname(config-aaa-server-group)#aaa-server svrgrp1 host 192.168.3.4hostname(config-aaa-server-host)#timeout 9hostname(config-aaa-server-host)#retry-interval 7hostname(config-aaa-server-host)#authentication-port 1650hostname(config-aaa-server-host)#exithostname(config)#test aaa-server authentication svrgrp1Server IP Address or name:192.168.3.4Username:bogusPassword:mypasswordINFO: Attempting Authentication test to IP address <192.168.3.4> (timeout: 10 seconds)ERROR: Authentication Rejected: UnspecifiedThe following is sample output from the test aaa-server command with a successful outcome:
hostname# test aaa-server authentication svrgrp1 host 192.168.3.4 username bogus password mypasswordINFO: Attempting Authentication test to IP address <10.77.152.85> (timeout: 12 seconds)INFO: Authentication SuccessfulRelated Commands
test dynamic-access-policy attributes
To enter the dap attributes mode, from Privileged EXEC mode, enter the
test dynamic-access-policy attributes command. Doing so lets you specify user and endpoint attribute value pairs.dynamic-access-policy attributes
Defaults
No default value or behaviors.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
—
Command History
Usage Guidelines
Normally the adaptive security appliance retrieves user authorization attributes from the AAA server and retrieves endpoint attributes from Cisco Secure Desktop, Host Scan, CNA or NAC. For the test command, you specify the user authorization and endpoint attributes in this attributes mode. The adaptive security appliance writes them to an attribute database that the DAP subsystem references when evaluating the AAA selection attributes and endpoint select attributes for a DAP record.
This feature lets you experiment with creating a DAP record.
Examples
The following example shows how to use the attributes command.
hostname #test dynamic-access-policy attributeshostname(config-dap-test-attr)#Related Commands
dynamic-access-policy-record
Creates a DAP record.
attributes
Enters attributes mode, in which you can specify user attribute value pairs.
display
Displays current attribute list.
test regex
To test a regular expression, use the test regex command in privileged EXEC mode.
test regex input_text regular_expression
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The test regex command tests a regular expression to make sure it matches what you think it will match.
If the regular expression matches the input text, you see the following message:
INFO: Regular expression match succeeded.If the regular expression does not match the input text, you see the following message:
INFO: Regular expression match failed.Examples
The following example tests input text against a regular expression:
hostname# test regex farscape scapeINFO: Regular expression match succeeded.hostname# test regex farscape scaperINFO: Regular expression match failed.Related Commands
test sso-server
To test an SSO server with a trial authentication request, use the test sso-server command in privileged EXEC mode.
test sso-server server-name username user-name
Syntax Description
Syntax DescriptionSyntax Description
server-name
Specifies the name of the SSO server being tested.
user-name
Specifies the name of a user on the SSO server being tested.
Defaults
No default values or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Command History
Usage Guidelines
Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The test sso-server command tests whether an SSO server is recognized and responding to authentication requests.
If the SSO server specified by the server-name argument is not found, the following error appears:
192.168.2.0 255.255.255.0 insideserver-name does not existIf the SSO server is found but the user specified by the user-name argument is not found, the authentication is rejected.
In the authentication, the adaptive security appliance acts as a proxy for the WebVPN user to the SSO server. The adaptive security appliance currently supports the SiteMinder SSO server (formerly Netegrity SiteMinder) and the SAML POST-type SSO server. This command applies to both types of SSO Servers.
Examples
The following example, entered in privileged EXEC mode, successfully tests an SSO server named my-sso-server using a username of Anyuser:
hostname# test sso-server my-sso-server username AnyuserINFO: Attempting authentication request to sso-server my-sso-server for user AnyuserINFO: STATUS: Successhostname#The following example shows a test of the same server, but the user, Anotheruser, is not recognized and the authentication fails:
hostname# test sso-server my-sso-server username AnotheruserINFO: Attempting authentication request to sso-server my-sso-server for user AnotheruserINFO: STATUS: Failedhostname#Related Commands
text-color
To set a color for text in the WebVPN title bar on the login, home page, and file access page, use the text-color command in webvpn mode. To remove a text color from the configuration and reset the default, use the no form of this command.
text-color [black | white | auto]
no text-color
Syntax Description
Defaults
The default text color for the title bars is white.
Command Modes
The following table shows the modes in which you can enter the command:
config-webvpn
•
—
•
—
—
Command History
Examples
The following example shows how to set the text color for title bars to black:
hostname(config)#webvpnhostname(config-webvpn)# text-color blackRelated Commands
secondary-text-color
Sets the secondary text color for the WebVPN login, home page, and file access page.
tftp-server
To specify the default TFTP server and path and filename for use with configure net or write net commands, use the tftp-server command in global configuration mode. To remove the server configuration, use the no form of this command. This command supports IPv4 and IPv6 addresses.
tftp-server interface_name server filename
no tftp-server [interface_name server filename]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The tftp-server command simplifies entering the configure net and write net commands. When you enter the configure net or write net commands, you can either inherit the TFTP server specified by the tftp-server command, or provide your own value. You can also inherit the path in the tftp-server command as-is, add a path and filename to the end of the tftp-server command value, or override the tftp-server command value.
The adaptive security appliance supports only one tftp-server command.
Examples
The following example shows how to specify a TFTP server and then read the configuration from the /temp/config/test_config directory:
hostname(config)# tftp-server inside 10.1.1.42 /temp/config/test_confighostname(config)# configure netRelated Commands
tftp-server address
To specify the TFTP servers in the cluster, use the tftp-server address command in phone-proxy configuration mode. To remove the TFTP server from the Phone Proxy configuration, use the no form of this command.
tftp-server address ip_address [port] interface interface
no tftp-server address ip_address [port] interface interface
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Phone-proxy configuration
•
—
•
—
—
Command History
Usage Guidelines
The Phone Proxy must have at least one CUCM TFTP server configured. Up to five TFTP servers can be configured for the Phone Proxy.
The TFTP server is assumed to be behind the firewall on the trusted network; therefore, the Phone Proxy intercepts the requests between the IP phones and TFTP server. The TFTP server must reside on the same interface as the CUCM.
Create the TFTP server using the internal IP address and specify the interface on which the TFTP server resides.
On the IP phones, the IP address of the TFTP server must be configured as follows:
•
•
If the service-policy is applied globally, a classification rule will be created to direct any TFTP traffic reaching the TFTP server on all ingress interfaces, except for the interface on which the TFTP server resides. When the service-policy is applied on a specific interface, a classification rule will be created to direct any TFTP traffic reaching the TFTP server on that specified interface to the phone-proxy module.
If a NAT rule is configured for the TFTP server, it must be configured prior to applying the service-policy so that the global address of the TFTP server is used when installing the classification rule.
Examples
The following example shows the use of the tftp-server address command to configure two TFTP servers for the Phone Proxy:
hostname(config)#phone-proxy asa_phone_proxyhostname(config-phone-proxy)#tftp-server address 192.168.1.2 in interface outsidehostname(config-phone-proxy)#tftp-server address 192.168.1.3 in interface outsidehostname(config-phone-proxy)#media-termination address 192.168.1.4 interface insidehostname(config-phone-proxy)#media-termination address 192.168.1.25 interface outsidehostname(config-phone-proxy)#tls-proxy asa_tlsphostname(config-phone-proxy)#ctl-file asactlhostname(config-phone-proxy)#cluster-mode nonsecureRelated Commands
threat-detection basic-threat
To enable basic threat detection, use the threat-detection basic-threat command in global configuration mode. To disable basic threat detection, use the no form of this command.
threat-detection basic-threat
no threat-detection basic-threat
Syntax Description
This command has no arguments or keywords.
Defaults
Basic threat detection is enabled by default. The following default rate limits are used:
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
8.0(2)
This command was introduced.
8.2(1)
The burst rate interval changed from 1/60th to 1/30th of the average rate.
Usage Guidelines
When you enable basic threat detection, the adaptive security appliance monitors the rate of dropped packets and security events due to the following reasons:
•
•
•
•
•
•
•
•
•
•
When the adaptive security appliance detects a threat, it immediately sends a system log message (733100) and alerts ASDM.
Basic threat detection affects performance only when there are drops or potential threats; even in this scenario, the performance impact is insignificant.
Table 31-1 in the "Defaults" section lists the default settings. You can view all these default settings using the show running-config all threat-detection command. You can override the default settings for each type of event by using the threat-detection rate command.
If an event rate is exceeded, then the adaptive security appliance sends a system message. The adaptive security appliance tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. The burst event rate is 1/30th of the average rate interval or 10 seconds, whichever is higher. For each event received, the adaptive security appliance checks the average and burst rate limits; if both rates are exceeded, then the adaptive security appliance sends two separate system messages, with a maximum of one message for each rate type per burst period.
Examples
The following example enables basic threat detection, and changes the triggers for DoS attacks:
hostname(config)# threat-detection basic-threathostname(config)# threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100Related Commands
threat-detection rate
When you enable basic threat detection using the threat-detection basic-threat command, you can change the default rate limits for each event type using the threat-detection rate command in global configuration mode. If you enable scanning threat detection using the threat-detection scanning-threat command, then this command with the scanning-threat keyword also sets the when a host is considered to be an attacker or a target; otherwise the default scanning-threat value is used for both basic and scanning threat detection. To return to the default setting, use the no form of this command.
threat-detection rate {acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack} rate-interval rate_interval average-rate av_rate burst-rate burst_rate
no threat-detection rate {acl-drop | bad-packet-drop | conn-limit-drop | dos-drop | fw-drop | icmp-drop | inspect-drop | interface-drop | scanning-threat | syn-attack} rate-interval rate_interval average-rate av_rate burst-rate burst_rate
Syntax Description
Defaults
When you enable basic threat detection using the threat-detection basic-threat command, the following default rate limits are used:
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
8.0(2)
This command was introduced.
8.2(1)
The burst rate interval changed from 1/60th to 1/30th of the average rate.
Usage Guidelines
You can configure up to three different rate intervals for each event type.
When you enable basic threat detection, the adaptive security appliance monitors the rate of dropped packets and security events due to the event types described in the "Syntax Description" table.
When the adaptive security appliance detects a threat, it immediately sends a system log message (733100) and alerts ASDM.
Basic threat detection affects performance only when there are drops or potential threats; even in this scenario, the performance impact is insignificant.
Table 31-1 in the "Defaults" section lists the default settings. You can view all these default settings using the show running-config all threat-detection command.
If an event rate is exceeded, then the adaptive security appliance sends a system message. The adaptive security appliance tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. For each event received, the adaptive security appliance checks the average and burst rate limits; if both rates are exceeded, then the adaptive security appliance sends two separate system messages, with a maximum of one message for each rate type per burst period.
Examples
The following example enables basic threat detection, and changes the triggers for DoS attacks:
hostname(config)# threat-detection basic-threathostname(config)# threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100Related Commands
threat-detection scanning-threat
To enable scanning threat detection, use the threat-detection scanning-threat command in global configuration mode. To disable scanning threat detection, use the no form of this command.
threat-detection scanning-threat [shun
[except {ip-address ip_address mask | object-group network_object_group_id} | duration seconds]]no threat-detection scanning-threat [shun
[except {ip-address ip_address mask | object-group network_object_group_id} | duration seconds]]Syntax Description
Defaults
The default shun duration is 3600 seconds (1 hour).
The following default rate limits are used for scanning attack events:
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection that is based on traffic signatures, the adaptive security appliance scanning threat detection feature maintains an extensive database that contains host statistics that can be analyzed for scanning activity.
The host database tracks suspicious activity such as connections with no return activity, access of closed service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
Caution
You can configure the adaptive security appliance to send system log messages about an attacker or you can automatically shun the host. By default, the system log message 730101 is generated when a host is identified as an attacker.
The adaptive security appliance identifies attackers and targets when the scanning threat event rate is exceeded. The adaptive security appliance tracks two types of rates: the average event rate over an interval, and the burst event rate over a shorter burst interval. For each event detected that is considered to be part of a scanning attack, the adaptive security appliance checks the average and burst rate limits. If either rate is exceeded for traffic sent from a host, then that host is considered to be an attacker. If either rate is exceeded for traffic received by a host, then that host is considered to be a target. You can change the rate limits for scanning threat events using the threat-detection rate scanning-threat command.
To view hosts categorized as attackers or as targets, use the show threat-detection scanning-threat command.
To view shunned hosts, use the show threat-detection shun command. To release a host from being shunned, use the clear threat-detection shun command.
Examples
The following example enables scanning threat detection and automatically shuns hosts categorized as attackers, except for hosts on the 10.1.1.0 network. The default rate limits for scanning threat detection are also changed.
hostname(config)# threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0hostname(config)# threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20hostname(config)# threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20Related Commands
threat-detection statistics
To enable scanning threat detection statistics, use the threat-detection statistics command in global configuration mode. To disable scanning threat detection statistics, use the no form of this command.
Caution
threat-detection statistics [access-list | host [number-of-rate {1 | 2 | 3} | port | protocol | tcp-intercept [rate-interval minutes] [burst-rate attacks_per_sec] [average-rate attacks_per_sec]]
no threat-detection statistics [access-list | host | port | protocol | tcp-intercept [rate-interval minutes] [burst-rate attacks_per_sec] [average-rate attacks_per_sec]]
Syntax Description
Defaults
Access list statistics are enabled by default. If you do not specify any options in this command, then you enable all options.
The default tcp-intercept rate-interval is 30 minutes. The default burst-rate is 400 per second. The default average-rate is 200 per second.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
If you do not specify any options in this command, then you enable all statistics. To enable only certain statistics, enter this command for each statistic type, and do not also enter the command without any options. You can enter threat-detection statistics (without any options) and then customize certain statistics by entering the command with statistics-specific options (for example, threat-detection statistics host number-of-rate 2). If you enter threat-detection statistics (without any options) and then enter a command for specific statistics, but without any statistic-specific options, then that command has no effect because it is already enabled.
If you enter the no form of this command, it removes all threat-detection statistics commands, including the threat-detection statistics access-list command, which is enabled by default.
View statistics using the show threat-detection statistics commands.
You do not need to enable scanning threat detection using the threat-detection scanning-threat command; you can configure detection and statistics separately.
Examples
The following example enables scanning threat detection and scanning threat statistics for all types except host:
hostname(config)# threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0hostname(config)# threat-detection statistics access-listhostname(config)# threat-detection statistics porthostname(config)# threat-detection statistics protocolhostname(config)# threat-detection statistics tcp-interceptRelated Commands
threshold
To set the threshold value for over threshold events in SLA monitoring operations, use the threshold command in SLA monitor configuration mode. To restore the default value, use the no form of this command.
threshold milliseconds
no threshold
Syntax Description
milliseconds
Specifies the number of milliseconds for a rising threshold to be declared. Valid values are from 0 to 2147483647. This value should not be larger than the value set for the timeout.
Defaults
The default threshold is 5000 milliseconds.
Command Modes
The following table shows the modes in which you can enter the command:
SLA monitor configuration
•
—
•
—
—
Command History
Usage Guidelines
The threshold value is only used to indicate over threshold events, which do not affect reachability but may be used to evaluate the proper settings for the timeout command.
Examples
The following example configures an SLA operation with an ID of 123 and creates a tracking entry with the ID of 1 to track the reachability of the SLA. The frequency of the SLA operation is set to 10 seconds, the threshold to 2500 milliseconds, and the timeout value us set to 4000 milliseconds.
hostname(config)# sla monitor 123hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outsidehostname(config-sla-monitor-echo)# threshold 2500hostname(config-sla-monitor-echo)# timeout 4000hostname(config-sla-monitor-echo)# frequency 10hostname(config)# sla monitor schedule 123 life forever start-time nowhostname(config)# track 1 rtr 123 reachabilityRelated Commands
sla monitor
Defines an SLA monitoring operation.
timeout
Defines the amount of time the SLA operation waits for a response.
timeout
To set the global maximum idle time duration for various features, use the timeout command in global configuration mode. To set all timeouts to the default, use the no form of this command. To reset a single feature to its default, reenter the timeout command with the default value.
timeout {conn | floating-conn | h225 | h323 | half-closed | icmp | mgcp | mgcp-pat | sip | sip-disconnect | sip-invite | sip_media | sip-provisional-media | sunrpc | tcp-proxy-reassembly | udp | xlate} hh:mm:ss
timeout uauth hh:mm:ss [absolute | inactivity]
no timeout
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration mode
•
•
•
•
—
Command History
Usage Guidelines
The timeout command lets you set global timeouts. For some features, the set connection timeout command takes precedence for traffic identified in the command.
You can enter multiple keywords and values after the timeout command.
The connection timer (conn) takes precedence over the translation timer (xlate); the translation timer works only after all connections have timed out.
Examples
The following example shows how to configure the maximum idle time durations:
hostname(config)# timeout uauth 0:5:0 absolute uauth 0:4:0 inactivityhostname(config)# show running-config timeouttimeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00timeout uauth 0:05:00 absolute uauth 0:04:00 inactivityRelated Commands
timeout (aaa-server host)
To configure the host-specific maximum response time, in seconds, allowed before giving up on establishing a connection with the AAA server, use the timeout command in aaa-server host mode. To remove the timeout value and reset the timeout to the default value of 10 seconds, use the no form of this command.
timeout seconds
no timeout
Syntax Description
Defaults
The default timeout value is 10 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
aaa-server host configuration
•
•
•
•
—
Command History
Usage Guidelines
This command is valid for all AAA server protocol types.
Use the timeout command to specify the length of time during which the adaptive security appliance attempts to make a connection to a AAA server. Use the retry-interval command to specify the amount of time the adaptive security appliance waits between connection attempts.
The timeout is the total amount of time that the adaptive security appliance spends trying to complete a transaction with a server. The retry interval determines how often the communication is retried during the timeout period. Thus, if the retry interval is greater than or equal to the timeout value, you will see no retries. If you want to see retries, the retry interval musts be less than thte timeout value.
Examples
The following example configures a RADIUS AAA server named "svrgrp1" on host 1.2.3.4 to use a timeout value of 30 seconds, with a retry interval of 10 seconds. Thus, the adaptive security appliance tries the communication attempt three times before giving up after 30 seconds.
hostname(config)#aaa-server svrgrp1 protocol radiushostname(config-aaa-server-group)#aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)#timeout 30hostname(config-aaa-server-host)#retry-interval 10hostname(config-aaa-server-host)#Related Commands
timeout (dns-server-group configuration mode)
To specify the amount of time to wait before trying the next DNS server, use the timeout command in dns-server-group configuration mode. To restore the default timeout, use the no form of this command.
timeout seconds
no timeout [seconds]
Syntax Description
Defaults
The default timeout is 2 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Examples
The following example sets the timeout to 1 second for the DNS server group "dnsgroup1":
hostname(config)# dns server-group dnsgroup1hostname(config-dns-server-group)# dns timeout 1Related Commands
timeout (gtp-map)
To change the inactivity timers for a GTP session, use the timeout command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form of this command to set these intervals to their default values.
timeout {gsn | pdp-context | request | signaling | t3-response | tunnel } hh:mm:ss
no timeout {gsn | pdp-context | request | signaling | t3-response | tunnel } hh:mm:ss
Syntax Description
Defaults
The default is 30 minutes for gsn, pdp-context, and signaling.
The default for request is 1 minute.
The default for tunnel is 1 hour (in the case where a Delete PDP Context Request is not received).
Command Modes
The following table shows the modes in which you can enter the command:
GTP map configuration
·
·
·
·
—
Command History
Usage Guidelines
The Packet Data Protocol (PDP) context is identified by the Tunnel Identifier (TID), which is a combination of IMSI and NSAPI. Each MS can have up to 15 NSAPIs, allowing it to create multiple PDP contexts each with a different NSAPI, based on application requirements for varied QoS levels.
A GTP tunnel is defined by two associated PDP Contexts in different GSN nodes and is identified with a Tunnel ID. A GTP tunnel is necessary to forward packets between an external packet data network and a mobile station user.
Examples
The following example sets a timeout value for the request queue of 2 minutes:
hostname(config)# gtp-map gtp-policyhostname(config-gtpmap)# timeout request 00:02:00Related Commands
timeout (radius-accounting)
To change the inactivity timers for RADIUS accounting users, use the timeout command in radius-accounting parameter configuration mode, which is accessed by using the inspect radius-accounting command. Use the no form of this command to set these intervals to their default values.
timeout users hh:mm:ss
no timeout users hh:mm:ss
Syntax Description
Defaults
The default timeout for users is one hour.
Command Modes
The following table shows the modes in which you can enter the command:
radius-accounting parameter configuration
·
·
·
·
—
Command History
Examples
The following example sets a timeout value for the user of ten minutes:
hostname(config)# policy-map type inspect radius-accounting rahostname(config-pmap)# parametershostname(config-pmap-p)# timeout user 00:10:00Related Commands
inspect radius-accounting
Sets inspection for RADIUS accounting.
parameters
Sets parameters for an inspection policy map.
timeout (sla monitor)
To set the amount of time the SLA operation waits for a response to the request packets, use the timeout command in SLA monitor protocol configuration mode. To restore the default value, use the no form of this command.
timeout milliseconds
no timeout
Syntax Description
Defaults
The default timeout value is 5000 milliseconds.
Command Modes
The following table shows the modes in which you can enter the command:
SLA monitor protocol configuration
•
—
•
—
—
Command History
Usage Guidelines
Use the frequency command to set how often the SLA operation sends out the request packets and the timeout command to set how long the SLA operation waits to receive a response to those requests. The values specified for the timeout command cannot be greater than the value specified for the frequency command.
Examples
The following example configures an SLA operation with an ID of 123 and creates a tracking entry with the ID of 1 to track the reachability of the SLA. The frequency of the SLA operation is set to 10 seconds, the threshold to 2500 milliseconds, and the timeout value us set to 4000 milliseconds.
hostname(config)# sla monitor 123hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outsidehostname(config-sla-monitor-echo)# threshold 2500hostname(config-sla-monitor-echo)# timeout 4000hostname(config-sla-monitor-echo)# frequency 10hostname(config)# sla monitor schedule 123 life forever start-time nowhostname(config)# track 1 rtr 123 reachabilityRelated Commands
frequency
Specifies the rate at which the SLA operation repeats.
sla monitor
Defines an SLA monitoring operation.
timeout pinhole
To configure the timeout for DCERPC pinholes and override the global system pinhole timeout of two minutes, use the timeout pinhole command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.
timeout pinhole hh:mm:ss
no timeout pinhole
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure the pinhole timeout for pin hole connections in a DCERPC inspection policy map:
hostname(config)# policy-map type inspect dcerpc dcerpc_maphostname(config-pmap)# parametershostname(config-pmap-p)# timeout pinhole 0:10:00Related Commands
time-range
To enter time-range configuration mode and define a time range that you can attach to traffic rules, or an action, use the time-range command in global configuration mode. To disable, use the no form of this command.
time-range name
no time-range name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Creating a time range does not restrict access to the device. The time-range command defines the time range only. After a time range is defined, you can attach it to traffic rules or an action.
To implement a time-based ACL, use the time-range command to define specific times of the day and week. Then use the with the access-list extended time-range command to bind the time range to an ACL.
The time range relies on the system clock of the adaptive security appliance; however, the feature works best with NTP synchronization.
Examples
The following example creates a time range named "New_York_Minute" and enters time range configuration mode:
hostname(config)# time-range New_York_Minutehostname(config-time-range)#After you have created a time range and entered time-range configuration mode, you can define time range parameters with the absolute and periodic commands. To restore default settings for the time-range command absolute and periodic keywords, use the default command in time-range configuration mode.
To implement a time-based ACL, use the time-range command to define specific times of the day and week. Then use the with the access-list extended command to bind the time range to an ACL. The following example binds an ACL named "Sales" to a time range named "New_York_Minute":
hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host 209.165.201.1 time-range New_York_Minutehostname(config)#See the access-list extended command for more information about ACLs.
Related Commands
timeout secure-phones
To configure the idle timeout after which the secure-phone entry is removed from the Phone Proxy database, use the timeout secure-phones command in phone-proxy configuration mode. To set the timeout value back to the default of 5 minutes, use the no form of this command.
timeout secure-phones hh:mm:ss
no timeout secure-phones hh:mm:ss
Syntax Description
Defaults
The default value for secure phone timeout is 5 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
Since secure phones always request a CTL file upon bootup, the Phone Proxy creates a database that marks the phone as secure. The entries in the secure phone database are removed after a specified configured timeout (via the timeout secure-phones command). The entry's timestamp is updated for each registration refresh the Phone Proxy receives for SIP phones and KeepAlives for SCCP phones.
The default value for the timeout secure-phones command is 5 minutes. Specify a value that is greater than the maximum timeout value for SCCP KeepAlives and SIP Register refresh. For example, if the SCCP Keepalives are configured for 1 minute intervals and the SIP Register Refresh is configured for 3 minutes, configure this timeout value greater than 3 minutes.
Examples
The following example shows the use of the timeout secure-phones command to configure the Phone Proxy to timeout entries in the secure phone database after 3 minutes:
hostname(config)#phone-proxy asa_phone_proxyhostname(config-phone-proxy)#tftp-server address 192.168.1.2 in interface outsidehostname(config-phone-proxy)#tftp-server address 192.168.1.3 in interface outsidehostname(config-phone-proxy)#media-termination address 192.168.1.4hostname(config-phone-proxy)#tls-proxy asa_tlsphostname(config-phone-proxy)#ctl-file asactlhostname(config-phone-proxy)# timeout secure-phones 00:03:00Related Commands
timers lsa-group-pacing
To specify the interval at which OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged, use the timers lsa-group-pacing command in router configuration mode. To restore the default value, use the no form of this command.
timers lsa-group-pacing seconds
no timers lsa-group-pacing [seconds]
Syntax Description
seconds
The interval at which OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged. Valid values are from 10 to 1800 seconds.
Defaults
The default interval is 240 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
To change the interval at which the OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged, use the timers lsa-group-pacing seconds command. To return to the default timer values, use the no timers lsa-group-pacing command.
Examples
The following example sets the group processing interval of LSAs to 500 seconds:
hostname(config-router)# timers lsa-group-pacing 500hostname(config-router)#Related Commands
timers spf
To specify the shortest path first (SPF) calculation delay and hold time, use the timers spf command in router configuration mode. To restore the default values, use the no form of this command.
timers spf delay holdtime
no timers spf [delay holdtime]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
To configure the delay time between when the OSPF protocol receives a topology change and when it starts a calculation, and the hold time between two consecutive SPF calculations, use the timers spf command. To return to the default timer values, use the no timers spf command.
Examples
The following example sets the SPF calculation delay to 10 seconds and the SPF calculation hold time to 20 seconds:
hostname(config-router)# timers spf 10 20hostname(config-router)#Related Commands
title
To customize the title of the WebVPN page displayed to WebVPN users when they connect to the security appliance, use the title command from webvpn customization mode:
title {text | style} value
[no] title {text | style} value
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
Defaults
The default title text is "WebVPN Service".
The default title style is:
background-color:white;color:maroon;border-bottom:5px groove #669999;font-size:larger;
vertical-align:middle;text-align:left;font-weight:boldCommand Modes
The following table shows the modes in which you can enter the command:
Webvpn customization
•
—
•
—
—
Command History
Usage Guidelines
To have no title, use the title text command without a value argument.
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
In the following example, the title is customized with the text "Cisco WebVPN Service":
hostname(config)# webvpnhostname(config-webvpn)# customization ciscohostname(config-webvpn-custom)# title text Cisco WebVPN ServiceRelated Commands
logo
Customizes the logo on the WebVPN page.
page style
Customizes the WebVPN page using Cascading Style Sheet (CSS) parameters.
tls-proxy
To configure a TLS proxy instance in TLS configuration mode or to set the maximum sessions, use the tls-proxy command in global configuration mode. To remove the configuration, use the no form of this command.
tls-proxy [maximum-sessions max_sessions | proxy_name] [noconfirm]
no tls-proxy [maximum-sessions max_sessions | proxy_name] [noconfirm]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the tls-proxy command to enter TLS proxy configuration mode to create a TLS proxy instance, or to set the maximum sessions supported on the platform.
Examples
The following example shows how to create a TLS proxy instance:
hostname(config)# tls-proxy my_proxyhostname(config-tlsp)# server trust-point ccm_proxyhostname(config-tlsp)# client ldc issuer ldc_serverhostname(config-tlsp)# client ldc keypair phone_commonRelated Commands
tos
To define a type of service byte in the IP header of an SLA operation request packet, use the tos command in SLA monitor protocol configuration mode. To restore the default value, use the no form of this command.
tos number
no tos
Syntax Description
Defaults
The default type of service value is 0.
Command Modes
The following table shows the modes in which you can enter the command:
SLA monitor protocol configuration
•
—
•
—
—
Command History
Usage Guidelines
This field contains information such as delay, precedence, reliability, and so on. This is can be used by other routers on the network for policy routing and features such as Committed Access Rate.
Examples
The following example configures an SLA operation with an ID of 123 that uses an ICMP echo request/response time probe operation. It sets the payload size of the echo request packets to 48 bytes, the number of echo requests sent during an SLA operation to 5, and the type of service byte to 80.
hostname(config)# sla monitor 123hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outsidehostname(config-sla-monitor-echo)# num-packets 5hostname(config-sla-monitor-echo)# request-data-size 48hostname(config-sla-monitor-echo)# tos 80hostname(config-sla-monitor-echo)# timeout 4000hostname(config-sla-monitor-echo)# threshold 2500hostname(config-sla-monitor-echo)# frequency 10hostname(config)# sla monitor schedule 123 life forever start-time nowhostname(config)# track 1 rtr 123 reachabilityRelated Commands
traceroute
To determine the route packets will take to their destination, use the traceroute command.
traceroute destination_ip | hostname [source source_ip | source-interface] [numeric] [timeout timeout_value] [probe probe_num] [ttl min_ttl max_ttl] [port port_value] [use-icmp]
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Priveleged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The traceroute command prints the result of each probe sent. Every line of output corresponds to a TTL value in increasing order. The following are the output symbols printed by the traceroute command:
Examples
The following example shows traceroute output that results when a destination IP address has been specified:
hostname# traceroute 209.165.200.225Tracing the route to 209.165.200.2251 10.83.194.1 0 msec 10 msec 0 msec2 10.83.193.65 0 msec 0 msec 0 msec3 10.88.193.101 0 msec 10 msec 0 msec4 10.88.193.97 0 msec 0 msec 10 msec5 10.88.239.9 0 msec 10 msec 0 msec6 10.88.238.65 10 msec 10 msec 0 msec7 172.16.7.221 70 msec 70 msec 80 msec8 209.165.200.225 70 msec 70 msec 70 msecRelated Commands
track rtr
To track the reachability of an SLA operation, use the track rtr command in global configuration mode. To remove the SLA tracking, use the no form of this command.
track track-id rtr sla-id reachabilitity
no track track-id rtr sla-id reachabilitity
Syntax Description
Defaults
SLA tracking is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The track rtr command creates a tracking entry object ID and specifies the SLA used by that tracking entry.
Every SLA operation maintains an operation return-code value, which is interpreted by the tracking process. The return code may be OK, Over Threshold, or several other return codes. Table 31-4 displays the reachability state of an object with respect to these return codes.
Table 31-4 SLA Tracking Return Codes
Reachability
OK or Over Threshold
Up
Any other code
Down
Examples
The following example configures an SLA operation with an ID of 123 and creates a tracking entry with the ID of 1 to track the reachability of the SLA:
hostname(config)# sla monitor 123hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outsidehostname(config-sla-monitor-echo)# timeout 1000hostname(config-sla-monitor-echo)# frequency 3hostname(config)# sla monitor schedule 123 life forever start-time nowhostname(config)# track 1 rtr 123 reachabilityRelated Commands
route
Configures a static route.
sla monitor
Defines an SLA monitoring operation.
traffic-non-sip
To allow non-SIP traffic using the well-known SIP signaling port, use the traffic-non-sip command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.
traffic-non-sip
no traffic-non-sip
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to allow non-SIP traffic using the well-known SIP signaling port in a SIP inspection policy map:
hostname(config)# policy-map type inspect sip sip_maphostname(config-pmap)# parametershostname(config-pmap-p)# traffic-non-sipRelated Commands
transfer-encoding
To restrict HTTP traffic by specifying a transfer encoding type, use the transfer-encoding command in HTTP map configuration mode, which is accessible using the http-map command. To disable this feature, use the no form of this command.
transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {allow | reset | drop} [log]
no transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {allow | reset | drop} [log]
Syntax Description
Defaults
This command is disabled by default. When the command is enabled and a supported transfer encoding type is not specified, the default action is to allow the connection without logging. To change the default action, use the default keyword and specify a different default action.
Command Modes
The following table shows the modes in which you can enter the command:
HTTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
When you enable the transfer-encoding command, the adaptive security appliance applies the specified action to HTTP connections for each supported and configured transfer encoding type.
The adaptive security appliance applies the default action to all traffic that does not match the transfer encoding types on the configured list. The preconfigured default action is to allow connections without logging.
For example, given the preconfigured default action, if you specify one or more encoding types with the action of drop and log, the adaptive security appliance drops connections containing the configured encoding types, logs each connection, and allows all connections for the other supported encoding types.
If you want to configure a more restrictive policy, change the default action to drop (or reset) and log (if you want to log the event). Then configure each permitted encoding type with the allow action.
Enter the transfer-encoding command once for each setting you wish to apply. You use one instance of the transfer-encoding command to change the default action and one instance to add each encoding type to the list of configured transfer encoding types.
When you use the no form of this command to remove an application category from the list of configured application types, any characters in the command line after the application category keyword are ignored.
Examples
The following example provides a permissive policy, using the preconfigured default, which allows all supported application types that are not specifically prohibited.
hostname(config)# http-map inbound_httphostname(config-http-map)# transfer-encoding gzip drop loghostname(config-http-map)#In this case, only connections using GNU zip are dropped and the event is logged.
The following example provides a restrictive policy, with the default action changed to reset the connection and to log the event for any encoding type that is not specifically allowed.
hostname(config)# http-map inbound_httphostname(config-http-map)# port-misuse default action reset loghostname(config-http-map)# port-misuse identity allowhostname(config-http-map)#In this case, only connections using no transfer encoding are allowed. When HTTP traffic for the other supported encoding types is received, the adaptive security appliance resets the connection and creates a syslog entry.
Related Commands
trust-point
To specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer, use the trust-point command in tunnel-group ipsec-attributes mode. To eliminate a trustpoint specification, use the no form of this command.
trust-point trust-point-name
no trust-point trust-point-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ipsec attributes
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute to all IPSec tunnel-group types.
Examples
The following example entered in config-ipsec configuration mode, configures a trustpoint for identifying the certificate to be sent to the IKE peer for the IPSec LAN-to-LAN tunnel group named 209.165.200.225:
hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2Lhostname(config)# tunnel-group 209.165.200.225 ipsec-attributeshostname(config-tunnel-ipsec)# trust-point mytrustpointRelated Commands
trustpoint (SSO Server)
To specify the name of a trustpoint that identifies the certificate to be sent to the SAML POST-type SSO server, use the trustpoint command in config-webvpn-sso-saml mode. To eliminate a trustpoint specification, use the no form of this command.
trustpoint trustpoint-name
no trustpoint trustpoint-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Config webvpn sso saml
•
—
•
—
—
Command History
Usage Guidelines
Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The adaptive security appliance currently supports the SAML POST-type SSO server and the SiteMinder-type of SSO server.
This command applies only to SAML-type SSO Servers.
A trustpoint represents a Certificate Authority identity, based on a CA-issued certificate that can be relied upon as being valid without the need for validation testing, especially a public-key certificate used to provide the first public key in a certification path.
Examples
The following example enters config-webvpn-sso-saml mode and names a trustpoint for identifying the certificate to be sent to the SAML POST type SSO Server:
hostname(config-webvpn)# sso serverhostname(config-webvpn-sso-saml)# trustpoint mytrustpointRelated Commands
tsig enforced
To require a TSIG resource record to be present, use the tsig enforced command in parameters configuration mode. To disable this feature, use the no form of this command.
tsig enforced action {drop [log] | log}
no tsig enforced [action {drop [log] | log}]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Usage Guidelines
This command enables monitoring and enforcement of TSIG presence in DNS transactions.
Examples
The following example shows how to enable TSIG enforcement in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_maphostname(config-pmap)# parametershostname(config-pmap-p)# tsig enforced action logRelated Commands
ttl-evasion-protection
To enable the Time-To-Live evasion protection, use the ttl-evasion-protection command in tcp-map configuration mode. To remove this specification, use the no form of this command.
ttl-evasion-protection
no ttl-evasion-protection
Syntax Description
This command has no arguments or keywords.
Defaults
TTL evasion protection offered by the adaptive security appliance is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.
Use the tcp-map command to enter tcp-map configuration mode. Use the ttl-evasion-protection command in tcp-map configuration mode to prevent attacks that attempt to evade security policy.
For instance, an attacker can send a packet that passes policy with a very short TTL. When the TTL goes to zero, a router between the adaptive security appliance and the endpoint drops the packet. It is at this point that the attacker can send a malicious packet with a long TTL that appears to the adaptive security appliance to be a retransmission and is passed. To the endpoint host, however, it is the first packet that has been received by the attacker. In this case, an attacker is able to succeed without security preventing the attack. Enabling this feature prevents such attacks.
Examples
The following example shows how to disable TTL evasion protection on flows from network 10.0.0.0 to 20.0.0.0:
hostname(config)# access-list TCP1 extended permit tcp 10.0.0.0 255.0.0.0 20.0.0.0 255.0.0.0hostname(config)# tcp-map tmaphostname(config-tcp-map)# no ttl-evasion-protectionhostname(config)# class-map cmaphostname(config-cmap)# match access-list TCP1hostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalRelated Commands
tunnel-group
To create and manage the database of connection-specific records for IPSec and WebVPN tunnels, use the tunnel-group command in global configuration mode. To remove a tunnel group, use the no form of this command.
tunnel-group name type type
no tunnel-group name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
See Note.
•
—
—
Note
Command History
7.0(1)
This command was introduced.
7.1(1)
Added webvpn type.
8.0(2)
Added remote-access type and deprecated ipsec-ra and webvpn types.
Usage Guidelines
The adaptive security appliance has the following default tunnel groups:
•
•
•
You can change these groups, but not delete them. The adaptive security appliance uses these groups to configure default tunnel parameters for remote access and LAN-to-LAN tunnel groups when there is no specific tunnel group identified during tunnel negotiation.
After entering the tunnel-group command, you enter the appropriate following commands to configure specific attributes for a particular tunnel group. Each of these commands enters a configuration mode for configuring tunnel-group attributes.
•
•
•
•
Examples
The following examples are entered in global configuration mode. The first configures a remote access tunnel group. The group name is group1.
hostname(config)# tunnel-group group1 type remote-accesshostname(config)#The following example shows the tunnel-group command configuring the webvpn tunnel group named "group1". You enter this command in global configuration mode:
hostname(config)# tunnel-group group1 type webvpnhostname(config)#Related Commands
tunnel-group-preference
To change the VPN preference to a connection profile with a group URL that matches the one specified by the endpoint, use the tunnel-group-preference command in webvpn configuration mode. To remove the command from the configuration, use the no form.
tunnel-group-preference group-url
no tunnel-group-preference group-url
Syntax Description
This command has no arguments or keywords.
Command Default
By default, if the ASA matches a certificate field value specified in a connection profile to the field value of the certificate used by the endpoint, the ASA assigns that profile to the VPN connection. This command overrides the default behavior.
Command Modes
The following table shows the modes in which you can enter the command:
config-webvpn
•
—
•
—
—
Command History
Usage Guidelines
This command changes the preference of a connection profile during the connection profile selection process. It lets you rely on the group URL preference used by many older ASA software releases. If the endpoint specifies a group URL that is not present in a connection profile, but it specifies a certificate value that matches that of a connection profile, the ASA assigns that connection profile to the VPN session.
Although you enter this command in webvpn configuration mode, it changes the connection profile selection preference for all clientless and AnyConnect VPN connections negotiated by the ASA.
Examples
The following example changes the preference of a connection profile during the connection profile selection process:
hostname(config)# webvpnhostname(config-webvpn)# tunnel-group-preference group-urlhostname(config-webvpn)#Related Commands
tunnel-group general-attributes
To enter the general-attribute configuration mode, use the tunnel-group general-attributes command in global configuration mode. This mode is used to configure settings that are common to all supported tunneling protocols.
To remove all general attributes, use the no form of this command.
tunnel-group name general-attributes
no tunnel-group name general-attributes
Syntax Description
general-attributes
Specifies attributes for this tunnel-group.
name
Specifies the name of the tunnel-group.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general-attributes configuration
•
•
•
—
—
Command History
Usage Guidelines
The following table lists the commands belonging in this group and the tunnel-group type where you can configure them:
Examples
The following example entered in global configuration mode, creates a remote-access tunnel group for a remote-access connection using the IP address of the LAN-to-LAN peer, then enters general-attributes configuration mode for configuring tunnel-group general attributes. The name of the tunnel group is 209.165.200.225.
hostname(config)# tunnel-group 209.165.200.225 type remote-accesshostname(config)# tunnel-group 209.165.200.225 general-attributeshostname(config-tunnel-general)#The following example entered in global configuration mode, creates a tunnel group named" remotegrp" for an IPSec remote access connection, and then enters general configuration mode for configuring general attributes for the tunnel group named "remotegrp":
hostname(config)# tunnel-group remotegrp type ipsec_rahostname(config)# tunnel-group remotegrp generalhostname(config-tunnel-general)Related Commands
tunnel-group ipsec-attributes
To enter the ipsec-attribute configuration mode, use the tunnel-group ipsec-attributes command in global configuration mode. This mode is used to configure settings that are specific to the IPSec tunneling protocol.
To remove all IPSec attributes, use the no form of this command.
tunnel-group name ipsec-attributes
no tunnel-group name ipsec-attributes
Syntax Description
ipsec-attributes
Specifies attributes for this tunnel-group.
name
Specifies the name of the tunnel-group.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
The following commands belong in this group:
Examples
The following example entered in global configuration, creates a tunnel group for the IPSec remote-access tunnel group named remotegrp, and then specifies IPSec group attributes:
hostname(config)# tunnel-group remotegrp type ipsec_rahostname(config)# tunnel-group remotegrp ipsec-attributeshostname(config-tunnel-ipsec)Related Commands
tunnel-group ppp-attributes
To enter the ppp-attributes configuration mode and configure PPP settings that are used by L2TP over IPSec connections, use the tunnel-group ppp-attributes command in global configuration mode.
To remove all PPP attributes, use the no form of this command.
tunnel-group name ppp-attributes
no tunnel-group name ppp-attributes
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
authentication chap
PPPoE
authentication eap-proxy
PPPoE
authentication ms-chap-v1
PPPoE
authentication ms-chap-v2
PPPoE
authentication-pap
PPPoE
Examples
The following example creates the tunnel group telecommuters and enters ppp-attributes configuration mode:
hostname(config)# tunnel-group telecommuters type pppoehostname(config)# tunnel-group telecommuters ppp-attributeshostname(tunnel-group-ppp)#Related Commands
tunnel-group webvpn-attributes
To enter the webvpn-attribute configuration mode, use the tunnel-group webvpn-attributes command in global configuration mode. This mode configures settings that are common to WebVPN tunneling.
To remove all WebVPN attributes, use the no form of this command.
tunnel-group name webvpn-attributes
no tunnel-group name webvpn-attributes
Syntax Description
webvpn-attributes
Specifies WebVPN attributes for this tunnel-group.
name
Specifies the name of the tunnel-group.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
In addition to the general attributes, you can also configure the following attributes specific to WebVPN connections in webvpn-attribute mode:
•
•
•
•
•
•
•
•
See the individual command descriptions for complete information about configuring these attributes.
Examples
The following example entered in global configuration mode, creates a tunnel group for a WebVPN connection using the IP address of the LAN-to-LAN peer, then enters webvpn-configuration mode for configuring WebVPN attributes. The name of the tunnel group is 209.165.200.225.
hostname(config)# tunnel-group 209.165.200.225 type webvpnhostname(config)# tunnel-group 209.165.200.225 webvpn-attributeshostname(config-tunnel-webvpn)#The following example entered in global configuration mode, creates a tunnel group named" remotegrp" for a WebVPN connection, and then enters webvpn configuration mode for configuring WebVPN attributes for the tunnel group named "remotegrp":
hostname(config)# tunnel-group remotegrp type webvpnhostname(config)# tunnel-group remotegrp webvpn-attributeshostname(config-tunnel-webvpn)#Related Commands
tunnel-group-map default-group
The tunnel-group-map default-group command specifies the default tunnel-group to use if the name could not be determined using other configured methods.
Use the no form of this command to eliminate a tunnel-group-map.
tunnel-group-map [rule-index] default-group tunnel-group-name
no tunnel-group-map
Syntax Description
Syntax DescriptionSyntax Description
Defaults
The default value for the tunnel-group-map default-group is DefaultRAGroup.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
The tunnel-group-map commands configure the policy and rules by which certificate-based IKE sessions are mapped to tunnel groups. To associate the certificate map entries, created using the crypto ca certificate map command, with tunnel groups, use the tunnel-group-map command in global configuration mode. You can invoke this command multiple times as long as each invocation is unique and you do not reference a map index more than once.
The crypto ca certificate map command maintains a prioritized list of certificate mapping rules. There can be only one map. But this map can have up to 65535 rules. Refer to the documentation on the crypto ca certificate map command for more information.
The processing that derives the tunnel-group name from the certificate ignores entries in the certificate map that are not associated with a tunnel group (any map rule not identified by this command).
Examples
The following example entered in global configuration mode, specifies a default tunnel group to use when the name cannot be derived by other configured methods. The name of the tunnel group to use is group1:
hostname(config)# tunnel-group-map default-group group1hostname(config)#Related Commands
tunnel-group-map enable
The tunnel-group-map enable command configures the policy and rules by which certificate-based IKE sessions are mapped to tunnel groups. Use the no form of this command to restore the default values.
tunnel-group-map [rule-index] enable policy
no tunnel-group-map enable [rule-index]
Syntax Description
Syntax DescriptionSyntax Description
Defaults
The default values for the tunnel-group-map command are enable ou and default-group set to DefaultRAGroup.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
The crypto ca certificate map command maintains a prioritized list of certificate mapping rules. There can be only one map. But this map can have up to 65535 rules. Refer to the documentation on the crypto ca certificate map command for more information.
Examples
The following example enables mapping of certificate-based IKE sessions to a tunnel group based on the content of the phase1 IKE ID:
hostname(config)# tunnel-group-map enable ike-idhostname(config)#The following example enables mapping of certificate-based IKE sessions to a tunnel group based on the established IP address of the peer:
hostname(config)# tunnel-group-map enable peer-iphostname(config)#The following example enables mapping of certificate-based IKE sessions based on the organizational unit (OU) in the subject distinguished name (DN):
hostname(config)# tunnel-group-map enable ouhostname(config)#The following example enables mapping of certificate-based IKE sessions based on established rules:
hostname(config)# tunnel-group-map enable ruleshostname(config)#Related Commands
tunnel-limit
To specify the maximum number of GTP tunnels allowed to be active on the adaptive security appliance, use the tunnel limit command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no to set the tunnel limit back to its default.
tunnel-limit max_tunnels
no tunnel-limit max_tunnels
Syntax Description
max_tunnels
This is the maximum number of tunnels allowed. The ranges is from 1 to 4294967295 for the global overall tunnel limit.
Defaults
The default for the tunnel limit is 500.
Command Modes
The following table shows the modes in which you can enter the command:
GTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
New requests will be dropped once the number of tunnels specified by this command is reached.
Examples
The following example specifies a maximum of 10,000 tunnels for GTP traffic:
hostname(config)# gtp-map qtp-policyhostname(config-gtpmap)# tunnel-limit 10000Related Commands
tx-ring-limit
To specify the depth of the priority queues, use the tx-ring-limit command in priority-queue mode. To remove this specification, use the no form of this command.
tx-ring-limit number-of-packets
no tx-ring-limit number-of-packets
Syntax Description
Defaults
The tx-ring-limit command is disabled by default. The default transmit queue limit is defined based on the capacity of the module on which the interface resides. The three available modules are 10M (NIC_ETHER), 1G (NIC_GB_ENET), and 10G (NIX_10GB_ENET).
The following table specifies the trasnmit queue ranges and default values for each module type on the ASA platform:
10M
3-256
256
1G
3-512
512
10G
3-24576
24576
On the PIX platform, the default transmit queue limit is 128 packets and the transmit queue range is 3-128 packets.
Command Modes
The following table shows the modes in which you can enter the command:
Priority-queue
•
•
•
•
—
Command History
7.0(1)
This command was introduced.
8.3(2)
Changes were made to trasmit queue ranges and default values.
Usage Guidelines
The adaptive security appliance allows two classes of traffic: low-latency queuing (LLQ) for higher priority, latency sensitive traffic (such as voice and video) and best-effort, the default, for all other traffic. The adaptive security appliance recognizes priority traffic and enforces appropriate Quality of Service (QoS) policies. You can configure the size and depth of the priority queue to fine-tune the traffic flow.
You must use the priority-queue command to create the priority queue for an interface before priority queuing takes effect. You can apply one priority-queue command to any interface that can be defined by the nameif command.
The priority-queue command enters priority-queue mode, as shown by the prompt. In priority-queue mode, you can configure the maximum number of packets allowed in the transmit queue at any given time (tx-ring-limit command) and the number of packets of either type (priority or best -effort) allowed to be buffered before dropping packets (queue-limit command).
Note
The tx-ring-limit and the queue-limit that you specify affect both the higher priority low-latency queue and the best-effort queue. The tx-ring-limit is the number of either type of packets allowed into the driver before the driver pushes back to the queues sitting in front of the interface to let them buffer packets until the congestion clears. In general, you can adjust these two parameters to optimize the flow of low-latency traffic.
Because queues are not of infinite size, they can fill and overflow. When a queue is full, any additional packets cannot get into the queue and are dropped. This is tail drop. To avoid having the queue fill up, you can use the queue-limit command to increase the queue buffer size.
Note
On ASA Model 5505 (only), configuring priority-queue on one interface overwrites the same configuration on all other interfaces. That is, only the last applied configuration is present on all interfaces. Further, if the priority-queue configuration is removed from one interface, it is removed from all interfaces.
To work around this issue, configure the priority-queue command on only one interface. If different interfaces need different settings for the queue-limit and/or tx-ring-limit commands, use the largest of all queue-limits and smallest of all tx-ring-limits on any one interface (CSCsi13132).
On the ASA 5585-X, 10 Gigabit Ethernet interfaces use the largest of all queue-limits and the smallest of all tx-ring-limits on any 10 Gigabit Ethernet interface. Traffic on any 10 Gigabit Ethernet interface will be governed by the priority queue if at least one 10 Gigabit Ethernet interface has the priority queue configured.
Examples
The following example configures a priority queue for the interface named test, specifying a queue limit of 512packets and a transmit queue limit of 256 packets:
hostname(config)# priority-queue testhostname(priority-queue)# queue-limit 512hostname(priority-queue)# tx-ring-limit 256Related Commands
type echo
To configure the SLA operation as an echo response time probe operation, use the type echo command in SLA monitor configuration mode. To remove the type from teh SLA configuration, use the no form of this command.
type echo protocol ipIcmpEcho target interface if-name
no type echoprotocol ipIcmpEcho target interface if-name
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
SLA monitor configuration
•
•
•
•
—
Command History
Usage Guidelines
The default size of the payload of the ICMP packets is 28 bytes, creating a total ICMP packet size of 64 bytes. The payload size can be changed using the request-data-size command.
Examples
The following example configures an SLA operation with an ID of 123 that uses an ICMP echo request/response time probe operation. It creates a tracking entry with the ID of 1 to track the reachability of the SLA. The frequency of the SLA operation is set to 10 seconds, the threshold to 2500 milliseconds, and the timeout value us set to 4000 milliseconds.
hostname(config)# sla monitor 123hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outsidehostname(config-sla-monitor-echo)# threshold 2500hostname(config-sla-monitor-echo)# timeout 4000hostname(config-sla-monitor-echo)# frequency 10hostname(config)# sla monitor schedule 123 life forever start-time nowhostname(config)# track 1 rtr 123 reachabilityRelated Commands
