-
Cisco ASA Series Command Reference
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
-
C Commands
-
cache -- clear compression
-
clear configure -- clear configure http
-
clear configure flow-export-- clear configure zonelabs-integrity
-
clear conn -- clear isakmp sa
-
clear local-host -- clear xlate
-
client-access-rule -- crl-configure
-
crypto ca authenticate -- crypto ipsec ikev1 transform-set mode transport
-
crypto isakmp disconnect-notify -- cxsc auth-proxy port
-
-
D through F Commands
-
database path -- debug cxsc
-
debug dap -- debug http-map
-
debug icmp -- debug ospfv3
-
debug parser cache -- debug xml
-
default -- dhcp-server
-
dhcpd address -- distribute-list out
-
dns domain-lookup -- dynamic-filter whitelist
-
eigrp log-neighbor-changes -- export webvpn webcontent
-
failover -- fallback
-
file-bookmarks -- functions
-
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- shape
-
show aaa kerberos -- show asdm sessions
-
show asp cluster counter -- show asp table vpn-context
-
show blocks -- show cpu
-
show crashinfo -- show curpriv
-
show ddns update interface -- show environment
-
show failover -- show ipsec stats traffic
-
show ipv6 access-list -- show ipv6
-
show isakmp ipsec-over-tcp stats -- show ospf virtual-links
-
show nac-policy -- show ospf virtual-links
-
show pager -- show route
-
show running-config -- show running-config ctl-provider
-
show running-config ddns -- show running-config isakmp
-
show running-config ipv6 router -- show running-config router
-
show running-config same-security-traffic -- show running-config xlate
-
show scansafe -- show switch vlan
-
show tcpstat -- show traffic
-
show uauth -- show xlate
-
shun -- snmp-server user
-
software-version -- storage-objects
-
subject-name -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
mac address through match dscp Commands
match certificate allow expired-certificate
match certificate skip revocation-check
match default-inspection-traffic
mac address through match dscp Commands
mac address
To specify the virtual MAC addresses for the active and standby units, use the mac address command in failover group configuration mode. To restore the default virtual MAC addresses, use the no form of this command.
mac address phy_if [active_mac] [standby_mac]
no mac address phy_if [active_mac] [standby_mac]
Syntax Description
Defaults
The defaults are as follows:
•
Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01.
•
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
If the virtual MAC addresses are not defined for the failover group, the default values are used.
If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address.
You can also set the MAC address using other commands or methods, but we recommend using only one method. If you set the MAC address using multiple methods, the MAC address used depends on many variables, and might not be predictable.
Examples
The following partial example shows a possible configuration for a failover group:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)# failover group 2hostname(config-fover-group)# secondaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# mac address e1 0000.a000.a011 0000.a000.a012hostname(config-fover-group)# exithostname(config)#Related Commands
failover group
Defines a failover group for Active/Active failover.
failover mac address
Specifies a virtual MAC address for a physical interface.
mac-address
To manually assign a private MAC address to an interface or subinterface, use the mac-address command in interface configuration mode. In multiple context mode, this command can assign a different MAC address to the interface in each context. For an individual interface in a cluster, you can assign a cluster pool of MAC addresses. To revert the MAC address to the default, use the no form of this command.
mac-address {mac_address [standby mac_address] | cluster-pool pool_name}
no mac-address [mac_address [standby mac_address] | cluster-pool pool_name]
Syntax Description
Defaults
The default MAC address is the burned-in MAC address of the physical interface. Subinterfaces inherit the physical interface MAC address. Some commands set the physical interface MAC address (including this command in single mode), so the inherited address depends on that configuration.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
—
Command History
Usage Guidelines
In multiple context mode, if you share an interface between contexts, you can assign a unique MAC address to the interface in each context. This feature lets the ASA easily classify packets into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has some limitations. See the CLI configuration guide for more information.
You can assign each MAC address manually with this command, or you can automatically generate MAC addresses for shared interfaces in contexts using the mac-address auto command. If you automatically generate MAC addresses, you can use the mac-address command to override the generated address.
For single context mode, or for interfaces that are not shared in multiple context mode, you might want to assign unique MAC addresses to subinterfaces. For example, your service provider might perform access control based on the MAC address.
You can also set the MAC address using other commands or methods, but we recommend using only one method. If you set the MAC address using multiple methods, the MAC address used depends on many variables, and might not be predictable.
Examples
The following example configures the MAC address for GigabitEthernet 0/1.1:
hostname/contextA(config)# interface gigabitethernet0/1.1hostname/contextA(config-if)# nameif insidehostname/contextA(config-if)# security-level 100hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0hostname/contextA(config-if)# mac-address 030C.F142.4CDE standby 040C.F142.4CDEhostname/contextA(config-if)# no shutdownRelated Commands
mac-address auto
To automatically assign private MAC addresses to each shared context interface, use the mac-address auto command in global configuration mode. To disable automatic MAC addresses, use the no form of this command.
mac-address auto [prefix prefix]
no mac-address auto
Syntax Description
Defaults
Automatic MAC address generation is enabled—Uses an autogenerated prefix. The ASA autogenerates the prefix based on the last two bytes of the interface (ASA 5500) or backplane (ASASM) MAC address. You cannot use the legacy auto-generation method (without a prefix).
If you disable MAC address generation, see the following default MAC addresses:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each shared context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets. The destination address is matched with the context NAT configuration, and this method has some limitations compared to the MAC address method. See the CLI configuration guide for information about classifying packets.
In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the mac-address command to manually set the MAC address.
Interaction with Manual MAC Addresses
If you manually assign a MAC address and also enable auto-generation, then the manually assigned MAC address is used. If you later remove the manual MAC address, the auto-generated address is used.
Because auto-generated addresses start with A2, you cannot start manual MAC addresses with A2 if you also want to use auto-generation.
Failover MAC Addresses
For use with failover, the ASA generates both an active and standby MAC address for each interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption. See the "MAC Address Format Using a Prefix" section for more information.
For upgrading failover units with the legacy version of the mac-address auto command before the prefix keyword was introduced, see the "MAC Address Format Without a Prefix (Legacy Method)" section.
MAC Address Format Using a Prefix
The ASA generates the MAC address using the following format:
A2xx.yyzz.zzzz
Where xx.yy is a user-defined prefix or an autogenerated prefix based on the last two bytes of the interface (ASA 5500) or backplane (ASASM) MAC address, and zz.zzzz is an internal counter generated by the ASA. For the standby MAC address, the address is identical except that the internal counter is increased by 1.
For an example of how the prefix is used, if you set a prefix of 77, then the ASA converts 77 into the hexadecimal value 004D (yyxx). When used in the MAC address, the prefix is reversed (xxyy) to match the ASA native form:
A24D.00zz.zzzz
For a prefix of 1009 (03F1), the MAC address is:
A2F1.03zz.zzzz
MAC Address Format Without a Prefix (Legacy Method)
This method may be used if you use failover and you upgraded to Version 8.6 or later; in this case, you have to manually enable the prefix method.
Without a prefix, the MAC address is generated using the following format:
•
•
For platforms with no interface slots, the slot is always 0. The port is the interface port. The subid is an internal ID for the subinterface, which is not viewable. The contextid is an internal ID for the context, viewable with the show context detail command. For example, the interface GigabitEthernet 0/1.200 in the context with the ID 1 has the following generated MAC addresses, where the internal ID for subinterface 200 is 31:
•
•
This MAC address generation method does not allow for persistent MAC addresses across reloads, does not allow for multiple ASAs on the same network segment (because unique MAC addresses are not guaranteed), and does not prevent overlapping MAC addresses with manually assigned MAC addresses. We recommend using a prefix with the MAC address generation to avoid these issues.
When the MAC Address is Generated
When you configure a nameif command for the interface in a context, the new MAC address is generated immediately. If you enable this command after you configure context interfaces, then MAC addresses are generated for all interfaces immediately after you enter the command. If you use the no mac-address auto command, the MAC address for each interface reverts to the default MAC address. For example, subinterfaces of GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1.
Setting the MAC Address Uisng Other Methods
You can also set the MAC address using other commands or methods, but we recommend using only one method. If you set the MAC address using multiple methods, the MAC address used depends on many variables, and might not be predictable.
Viewing MAC Addresses in the System Configuration
To view the assigned MAC addresses from the system execution space, enter the show running-config all context command.
The all option is required to view the assigned MAC addresses. Although this command is user-configurable in global configuration mode only, the mac-address auto command appears as a read-only entry in the configuration for each context along with the assigned MAC address. Only allocated interfaces that are configured with a nameif command within the context have a MAC address assigned.
Note
Viewing MAC Addresses Within a Context
To view the MAC address in use by each interface within the context, enter the show interface | include (Interface)|(MAC) command.
Note
Examples
The following example enables automatic MAC address generation with a prefix of 78:
hostname(config)# mac-address auto prefix 78The following output from the show running-config all context admin command shows the primary and standby MAC address assigned to the Management0/0 interface:
hostname# show running-config all context admincontext adminallocate-interface Management0/0mac-address auto Management0/0 a24d.0000.1440 a24d.0000.1441config-url disk0:/admin.cfgThe following output from the show running-config all context command shows all the MAC addresses (primary and standby) for all context interfaces. Note that because the GigabitEthernet0/0 and GigabitEthernet0/1 main interfaces are not configured with a nameif command inside the contexts, no MAC addresses have been generated for them.
hostname# show running-config all contextadmin-context admincontext adminallocate-interface Management0/0mac-address auto Management0/0 a2d2.0400.125a a2d2.0400.125bconfig-url disk0:/admin.cfg!context CTX1allocate-interface GigabitEthernet0/0allocate-interface GigabitEthernet0/0.1-GigabitEthernet0/0.5mac-address auto GigabitEthernet0/0.1 a2d2.0400.11bc a2d2.0400.11bdmac-address auto GigabitEthernet0/0.2 a2d2.0400.11c0 a2d2.0400.11c1mac-address auto GigabitEthernet0/0.3 a2d2.0400.11c4 a2d2.0400.11c5mac-address auto GigabitEthernet0/0.4 a2d2.0400.11c8 a2d2.0400.11c9mac-address auto GigabitEthernet0/0.5 a2d2.0400.11cc a2d2.0400.11cdallocate-interface GigabitEthernet0/1allocate-interface GigabitEthernet0/1.1-GigabitEthernet0/1.3mac-address auto GigabitEthernet0/1.1 a2d2.0400.120c a2d2.0400.120dmac-address auto GigabitEthernet0/1.2 a2d2.0400.1210 a2d2.0400.1211mac-address auto GigabitEthernet0/1.3 a2d2.0400.1214 a2d2.0400.1215config-url disk0:/CTX1.cfg!context CTX2allocate-interface GigabitEthernet0/0allocate-interface GigabitEthernet0/0.1-GigabitEthernet0/0.5mac-address auto GigabitEthernet0/0.1 a2d2.0400.11ba a2d2.0400.11bbmac-address auto GigabitEthernet0/0.2 a2d2.0400.11be a2d2.0400.11bfmac-address auto GigabitEthernet0/0.3 a2d2.0400.11c2 a2d2.0400.11c3mac-address auto GigabitEthernet0/0.4 a2d2.0400.11c6 a2d2.0400.11c7mac-address auto GigabitEthernet0/0.5 a2d2.0400.11ca a2d2.0400.11cballocate-interface GigabitEthernet0/1allocate-interface GigabitEthernet0/1.1-GigabitEthernet0/1.3mac-address auto GigabitEthernet0/1.1 a2d2.0400.120a a2d2.0400.120bmac-address auto GigabitEthernet0/1.2 a2d2.0400.120e a2d2.0400.120fmac-address auto GigabitEthernet0/1.3 a2d2.0400.1212 a2d2.0400.1213config-url disk0:/CTX2.cfg!Related Commands
mac-address pool
To add a MAC address pool for use on an individual interface in an ASA cluster, use the mac-address pool command in global configuration mode. To remove an unused pool, use the no form of this command.
mac-address pool name start_mac_address - end_mac_address
no mac-address pool name [start_mac_address - end_mac_address]
Syntax Description
name
Names the pool up to 63 characters in length.
start_mac_address - end_mac_address
Specifies the first MAC address and the last MAC address. Note to add a space around the dash (-).
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
You can use the pool in the mac-address cluster-pool command in interface configuration mode. It is not common to manually configure MAC addresses for an interface, but if you have special needs to do so, then this pool is used to assign a unique MAC address to each interface.
Examples
The following example adds a MAC address pool with 8 MAC addresses, and assigns it to the gigabitethernet 0/0 interface:
hostname(config)# mac-address pool pool1 000C.F142.4CD1 - 000C.F142.4CD7hostname(config)# interface gigabitethernet 0/0hostname(config-ifc)# mac-address cluster-pool pool1Related Commands
interface
Configures an interface.
mac-address
Configures a MAC address for an interface.
mac-address-table aging-time
To set the timeout for MAC address table entries, use the mac-address-table aging-time command in global configuration mode. To restore the default value of 5 minutes, use the no form of this command.
mac-address-table aging-time timeout_value
no mac-address-table aging-time
Syntax Description
timeout_value
The time a MAC address entry stays in the MAC address table before timing out, between 5 and 720 minutes (12 hours). 5 minutes is the default.
Defaults
The default timeout is 5 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Usage Guidelines
No usage guidelines.
Examples
The following example sets the MAC address timeout to 10 minutes:
hostname(config)# mac-address-timeout aging time 10Related Commands
mac-address-table static
To add a static entry to the MAC address table, use the mac-address-table static command in global configuration mode. To remove a static entry, use the no form of this command. Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired. One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the ASA drops the traffic and generates a system message.
mac-address-table static interface_name mac_address
no mac-address-table static interface_name mac_address
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Examples
The following example adds a static MAC address entry to the MAC address table:
hostname(config)# mac-address-table static inside 0010.7cbe.6101Related Commands
mac-learn
To disable MAC address learning for an interface, use the mac-learn command in global configuration mode. To reenable MAC address learning, use the no form of this command. By default, each interface automatically learns the MAC addresses of entering traffic, and the ASA adds corresponding entries to the MAC address table. You can disable MAC address learning if desired.
mac-learn interface_name disable
no mac-learn interface_name disable
Syntax Description
interface_name
The interface on which you want to disable MAC learning.
disable
Disables MAC learning.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Examples
The following example disables MAC learning on the outside interface:
hostname(config)# mac-learn outside disableRelated Commands
mac-list
To specify a list of MAC addresses to be used to exempt MAC addresses from authentication and/or authorization, use the mac-list command in global configuration mode. To remove a MAC list entry, use the no form of this command.
mac-list id {deny | permit} mac macmask
no mac-list id {deny | permit} mac macmask
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable MAC address exemption from authentication and authorization, use the aaa mac-exempt command. You can only add one instance of the aaa mac-exempt command, so be sure that your MAC list includes all the MAC addresses you want to exempt. You can create multiple MAC lists, but you can only use one at a time.
Examples
The following example bypasses authentication for a single MAC address:
hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffffhostname(config)# aaa mac-exempt match abcThe following entry bypasses authentication for all Cisco IP Phones, which have the hardware ID 0003.E3:
hostname(config)# mac-list acd permit 0003.E300.0000 FFFF.FF00.0000hostname(config)# aaa mac-exempt match acdThe following example bypasses authentication for a a group of MAC addresses except for 00a0.c95d.02b2. Enter the deny statement before the permit statement, because 00a0.c95d.02b2 matches the permit statement as well, and if it is first, the deny statement will never be matched.
hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffffhostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000hostname(config)# aaa mac-exempt match 1Related Commands
mail-relay
To configure a local domain name, use the mail-relay command in parameters configuration mode. To disable this feature, use the no form of this command.
mail-relay domain_name action {drop-connection | log}
no mail-relay domain_name action {drop-connection | log}
Syntax Description
domain_name
Specifies the domain name.
drop-connection
Closes the connection.
log
Generates a system log message.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a mail relay for a specific domain:
hostname(config)# policy-map type inspect esmtp esmtp_maphostname(config-pmap)# parametershostname(config-pmap-p)# mail-relay mail action drop-connectionRelated Commands
management-access
To allow management access to an interface other than the one from which you entered the ASA when using VPN, use the management-access command in global configuration mode. To disable management access, use the no form of this command.
management-access mgmt_if
no management-access mgmt_if
Syntax Description
mgmt_if
Specifies the name of the management interface you want to access when entering the ASA from another interface.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
Command History
Usage Guidelines
This command allows you to connect to an interface other than the one you entered the ASA from when using a full tunnel IPsec VPN or SSL VPN client (AnyConnect 2.x client, SVC 1.x) or across a site-to-site IPsec tunnel. You can use Telnet, SSH, Ping, or ASDM to connect to an ASA interface.
You can define only one management-access interface.
Note
Examples
The following example shows how to configure a firewall interface named "inside" as the management access interface:
hostname(config)# management-access insidehostname(config)# show running-config management-accessmanagement-access insideRelated Commands
management-only
To set an interface to accept management traffic only, use the management-only command in interface configuration mode. To allow through traffic, use the no form of this command.
management-only
no management-only
Syntax Description
This command has no arguments or keywords.
Defaults
The Management n/n interface, if available for your model, is set to management-only mode by default.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
Some models include a dedicated management interface called Management n/n, which is meant to support traffic to the ASA. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management n/n, you can disable management-only mode so the interface can pass through traffic just like any other interface.
Note
In transparent firewall mode, in addition to the maximum allowed through-traffic interfaces, you can also use the Management interface (either the physical interface, a subinterface (if supported for your model), or an EtherChannel interface comprised of Management interfaces (if you have multiple Management interfaces)) as a separate management interface. You cannot use any other interface types as management interfaces.
If your model does not include a Management interface, you must manage the transparent firewall from a data interface.
In multiple context mode, you cannot share any interfaces, including the Management interface, across contexts. To provide management per context, you can create subinterfaces of the Management interface and allocate a Management subinterface to each context. Note that the ASA 5512-X through ASA 5555-X do not allow subinterfaces on the Management interface, so for per-context management, you must connect to a data interface.
The management interface is not part of a normal bridge group. Note that for operational purposes, it is part of a non-configurable bridge group.
Examples
The following example disables management-only mode on the Management interface:
hostname(config)# interface management0/0hostname(config-if)# no management-onlyThe following example enables management-only mode on a subinterface:
hostname(config)# interface gigabitethernet0/2.1hostname(config-subif)# management-onlyRelated Commands
map-name
To map a user-defined attribute name to a Cisco attribute name, use the map-name command in ldap-attribute-map configuration mode.
To remove this mapping, use the no form of this command.
map-name user-attribute-name Cisco-attribute-name
no map-name user-attribute-name Cisco-attribute-name
Syntax Description
Syntax DescriptionSyntax Description
Defaults
By default, no name mappings exist.
Command Modes
The following table shows the modes in which you can enter the command:
ldap-attribute-map configuration
•
•
•
•
—
Command History
Usage Guidelines
With the map-name command, you can map your own attribute names to Cisco attribute names. You can then bind the resulting attribute map to an LDAP server. Your typical steps would include:
1.
2.
3.
Note
Examples
The following example commands map a user-defined attribute name Hours to the Cisco attribute name cVPN3000-Access-Hours in the LDAP attribute map myldapmap:
hostname(config)# ldap attribute-map myldapmaphostname(config-ldap-attribute-map)# map-name Hours cVPN3000-Access-Hourshostname(config-ldap-attribute-map)#Within ldap-attribute-map configuration mode, you can enter "?" to display the complete list of Cisco LDAP attribute names:
hostname(config-ldap-attribute-map)# map-name <name>ldap mode commands/options:cisco-attribute-names:cVPN3000-Access-HourscVPN3000-Allow-Network-Extension-ModecVPN3000-Auth-Service-TypecVPN3000-Authenticated-User-Idle-TimeoutcVPN3000-Authorization-RequiredcVPN3000-Authorization-Type::cVPN3000-X509-Cert-Datahostname(config-ldap-attribute-map)#Related Commands
map-value
To map a user-defined value to a Cisco LDAP value, use the map-value command in ldap-attribute-map configuration mode. To delete an entry within a map, use the no form of this command.
map-value user-attribute-name user-value-string Cisco-value-string
no map-value user-attribute-name user-value-string Cisco-value-string
Syntax Description
Defaults
By default, there are no user-defined values mapped to Cisco attributes.
Command Modes
The following table shows the modes in which you can enter the command:
ldap-attribute-map configuration
•
•
•
•
—
Command History
Usage Guidelines
With the map-value command, you can map your own attribute values to Cisco attribute names and values. You can then bind the resulting attribute map to an LDAP server. Your typical steps would include:
1.
2.
3.
Note
Examples
The following example, entered in ldap-attribute-map configuration mode, sets the user-defined value of the user attribute Hours to a user-defined time policy named workDay and a Cisco-defined time policy named Daytime:
hostname(config)# ldap attribute-map myldapmaphostname(config-ldap-attribute-map)# map-value Hours workDay Daytimehostname(config-ldap-attribute-map)#Related Commands
mapping-service
To configure a mapping service for the Cisco Intercompany Media Engine proxy, use the mapping-service command in UC-IME configuration mode. To remove the mapping service from the proxy, use the no form of this command.
mapping-service listening-interface interface [listening-port port] uc-ime-interface interface
no mapping-service listening-interface interface [listening-port port] uc-ime-interface interface
Syntax Description
Defaults
By default the mapping-service for off-path deployments of the Cisco Intercompany Media Engine proxy listens on TCP port 8060.
Command Modes
The following table shows the modes in which you can enter the command:
UC-IME configuration
•
—
•
—
—
Command History
Usage Guidelines
For an off-path deployment of the Cisco Intercompany Media Engine proxy on the ASA, adds the mapping service to the proxy configuration. To configure the mapping service, you must specify the outside interface (remote enterprise side) on which to listen for mapping requests and the interface that connects to the remote Cisco UCM.
Note
You configure the mapping service when the Cisco Intercompany Media Engine proxy is configured for an off-path deployment.
In an off path deployment, inbound and outbound Cisco Intercompany Media Engine calls pass through an adaptive security appliance enabled with the Cisco Intercompany Media Engine proxy. The adaptive security appliance is located in the DMZ and configured to support primarily Cisco Intercompany Media Engine. Normal Internet-facing traffic does not flow through this ASA.
For all inbound calls, the signaling is directed to the ASA because destined Cisco UCMs are configured with the global IP address on the ASA. For outbound calls, the called party could be any IP address on the Internet; therefore, the ASA is configured with a mapping service that dynamically provides an internal IP address on the ASA for each global IP address of the called party on the Internet.
Cisco UCM sends all outbound calls directly to the mapped internal IP address on the adaptive security appliance instead of the global IP address of the called party on the Internet. The ASA then forwards the calls to the global IP address of the called party.
Examples
The following example shows ...:
hostname(config)#uc-ime offpath_uc-ime_proxyhostname(config-uc-ime)# media-termination ime-media-termhostname(config-uc-ime)# ucm address 192.168.10.30 trunk-security-mode non-securehostname(config-uc-ime)# ticket epoch 1 password password1234hostname(config-uc-ime)# fallback monitoring timer 120hostname(config-uc-ime)# fallback hold-down timer 30hostname(config-uc-ime)# mapping-service listening-interface inside listening-port 8060 uc-ime-interface outsideRelated Commands
mask
When using the Modular Policy Framework, mask out part of the packet that matches a match command or class map by using the mask command in match or class configuration mode. This mask action is available in an inspection policy map (the policy-map type inspect command) for application traffic; however, not all applications allow this action. For example, you can you use mask command for the DNS application inspection to mask a header flag before allowing the traffic through the ASA. To disable this action, use the no form of this command.
mask [log]
no mask [log]
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Match and class configuration
•
•
•
•
—
Command History
Usage Guidelines
An inspection policy map consists of one or more match and class commands. The exact commands available for an inspection policy map depends on the application. After you enter the match or class command to identify application traffic (the class command refers to an existing class-map type inspect command that in turn includes match commands), you can enter the mask command to mask part of the packet that matches the match command or class command.
When you enable application inspection using the inspect command in a Layer 3/4 policy map (the policy-map command), you can enable the inspection policy map that contains this action, for example, enter the inspect dns dns_policy_map command where dns_policy_map is the name of the inspection policy map.
Examples
The following example masks the RD and RA flags in the DNS header before allowing the traffic through the ASA:
hostname(config-cmap)# policy-map type inspect dns dns-map1hostname(config-pmap-c)# match header-flag RDhostname(config-pmap-c)# mask loghostname(config-pmap-c)# match header-flag RAhostname(config-pmap-c)# mask logRelated Commands
mask-banner
To obfuscate the server banner, use the mask-banner command in parameters configuration mode. To disable this feature, use the no form of this command.
mask-banner
no mask-banner
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to mask the server banner:
hostname(config)# policy-map type inspect esmtp esmtp_maphostname(config-pmap)# parametershostname(config-pmap-p)# mask-bannerRelated Commands
mask-syst-reply
To hide the FTP server response from clients, use the mask-syst-reply command in FTP map configuration mode, which is accessible by using the ftp-map command. To remove the configuration, use the no form of this command.
mask-syst-reply
no mask-syst-reply
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
FTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the mask-syst-reply command with strict FTP inspection to protect the FTP server system from clients. After enabling this command, the servers replies to the syst command are replaced by a series of Xs.
Examples
The following example causes the ASA to replace the FTP server replies to the syst command with Xs:
hostname(config)# ftp-map inbound_ftphostname(config-ftp-map)# mask-syst-replyhostname(config-ftp-map)#
match access-list
When using the Modular Policy Framework, use an access list to identify traffic to which you want to apply actions by using the match access-list command in class-map configuration mode. To remove the match access-list command, use the no form of this command.
match access-list access_list_name
no match access-list access_list_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
Configuring Modular Policy Framework consists of four tasks:
1.
After you enter the class-map command, you can enter the match access-list command to identify the traffic. Alternatively, you can enter a different type of match command, such as the match port command. You can only include one match access-list command in the class map, and you cannot combine it with other types of match commands. The exception is if you define the match default-inspection-traffic command which matches the default TCP and UDP ports used by all applications that the ASA can inspect, then you can narrow the traffic to match using a match access-list command. Because the match default-inspection-traffic command specifies the ports to match, any ports in the access list are ignored.
2.
3.
4.
Examples
The following example creates three Layer 3/4 class maps that match three access lists:
hostname(config)# access-list udp permit udp any anyhostname(config)# access-list tcp permit tcp any anyhostname(config)# access-list host_foo permit ip any 10.1.1.1 255.255.255.255hostname(config)# class-map all_udphostname(config-cmap)# description "This class-map matches all UDP traffic"hostname(config-cmap)# match access-list udphostname(config-cmap)# class-map all_tcphostname(config-cmap)# description "This class-map matches all TCP traffic"hostname(config-cmap)# match access-list tcphostname(config-cmap)# class-map to_serverhostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1"hostname(config-cmap)# match access-list host_fooRelated Commands
match any
When using the Modular Policy Framework, match all traffic to which you want to apply actions by using the match any command in class-map configuration mode. To remove the match any command, use the no form of this command.
match any
no match any
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
Configuring Modular Policy Framework consists of four tasks:
1.
After you enter the class-map command, you can enter the match any command to identify all traffic. Alternatively, you can enter a different type of match command, such as the match port command. You cannot combine the match any command with other types of match commands.
2.
3.
4.
Examples
This example shows how to define a traffic class using a class map and the match any command:
hostname(config)# class-map cmaphostname(config-cmap)# match anyRelated Commands
match apn
To configure a match condition for an access point name in GTP messages, use the match apn command in class-map or policy-map configuration mode. To remove the match condition, use the no form of this command.
match [not] apn regex [regex_name | class regex_class_name]
no match [not] apn regex [regex_name | class regex_class_name]
Syntax Description
regex_name
Specifies a regular expression.
class regex_class_name
Specifies a regular expression class map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in a GTP class map or policy map. Only one entry can be entered in a GTP class map.
Examples
The following example shows how to configure a match condition for an access point name in an GTP inspection class map:
hostname(config-cmap)# match apn class gtp_regex_apnRelated Commands
match body
To configure a match condition on the length or length of a line of an ESMTP body message, use the match body command in class-map or policy-map configuration mode. To remove a configured section, use the no form of this command.
match [not] body [length | line length] gt bytes
no match [not] body [length | line length] gt bytes
Syntax Description
length
Specifies the length of an ESMTP body message.
line length
Specifies the length of a line of an ESMTP body message.
bytes
Specifies the number to match in bytes.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for a body line length in an ESMTP inspection policy map:
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config)#match body line length gt 1000Related Commands
match called-party
To configure a match condition on the H.323 called party, use the match called-party command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] called-party [regex regex]
no match [not] match [not] called-party [regex regex]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for the called party in an H.323 inspection class map:
hostname(config-cmap)# match called-party regex caller1Related Commands
match calling-party
To configure a match condition on the H.323 calling party, use the match calling-party command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] calling-party [regex regex]
no match [not] match [not] calling-party [regex regex]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition for the calling party in an H.323 inspection class map:
hostname(config-cmap)# match calling-party regex caller1Related Commands
match certificate
To configure a certificate match rule, use the match certificate command in crypto ca trustpoint configuration mode. To remove the rule from the configuration, use the no form of this command.
match certificate map-name override ocsp [trustpoint trustpoint-name] seq-num url URL
no match certificate map-name override ocsp
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
crypto ca trustpoint configuration
•
•
•
•
•
Command History
Usage Guidelines
During the PKI certificate validation process, the ASA checks certificate revocation status to maintain security by using either CRL checking or Online Certificate Status Protocol (OCSP). With CRL checking, the ASA retrieves, parses, and caches CRLs, which provide a complete list of revoked certificates. OCSP offers a more scalable method of checking revocation status bdecause OCSP localizes certificate status on a validation authority, which it queries for the status of a specific certificate.
Certificate match rules let you configure OCSP URL overrides, which specify a URL to check for revocation status, rather than the URL in the AIA field of the remote user certificate. Match rules also let you configure trustpoints to use to validate OCSP responder certificates, which let the ASA validate responder certificates from any CA, including self-signed certificates and certificates external to the validation path of the client certificate.
When configuring OCSP, be aware of the following requirements:
•
•
•
•
•
•
Examples
The following example shows how to create a certificate match rule for a trustpoint called newtrust. The rule has a map name called mymap, a sequence number of 4, a trustpoint called mytrust, and specifies a URL of 10.22.184.22.
hostname(config)# crypto ca trustpoint newtrusthostname(config-ca-trustpoint)# match certificate mymap override ocsp trustpoint mytrust 4 url 10.22.184.22hostname(config-ca-trustpoint)#The following example shows how to configure a crypto ca certificate map, and then a match certificate rule to identify a trustpoint that contains a CA certificate to validate the responder certificate. This certificate is necessary if the CA identified in the newtrust trustpoint does not issue an OCSP responder certificate.
Step 1
hostname(config)# crypto ca certificate map mymap 1 subject-name attr cn eq mycerthostname(config-ca-cert-map)# subject-name attr cn eq mycerthostname(config-ca-cert-map)#Step 2
hostname(config-ca-cert-map)# exithostname(config)# crypto ca trustpoint mytrusthostname(config-ca-trustpoint)# enroll terminalhostname(config-ca-trustpoint)# crypto ca authenticate mytrustEnter the base 64 encoded CA certificate.End with the word "quit" on a line by itselfMIIBnjCCAQcCBEPOpG4wDQYJKoZIhvcNAQEEBQAwFzEVMBMGA1UEAxQMNjMuNjcu NzIuMTg4MB4XDTA2MDExODIwMjYyMloXDTA5MDExNzIwMjYyMlowFzEVMBMGA1UE AxQMNjMuNjcuNzIuMTg4MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDnXUHv 7//x1xEAOYfUzJmH5sr/NuxAbA5gTUbYA3pcE0KZHt761N+/8xGxC3DIVB8u7T/b v8RqzqpmZYguveV9cLQK5tsxqW3DysMU/4/qUGPfkVZ0iKPCgpIAWmq2ojhCFPyx ywsDsjl6YamF8mpMoruvwOuaUOsAK6KO54vy0QIBAzANBgkqhkiG9w0BAQQFAAOB gQCSOihb2NH6mga2eLqEsFP1oVbBteSkEAm+NRCDK7ud1l3D6UC01EgtkJ81QtCk tvX2T2Y/5sdNW4gfueavbyqYDbk4yxCKaofPp1ffAD9rrUFQJM1uQX14wclPCcAN e7kR+rscOKYBSgVHrseqdB8+6QW5NF7f2dd+tSMvHtUMNw== quitINFO: Certificate has the following attributes:Fingerprint: 7100d897 05914652 25b2f0fc e773df42Do you accept this certificate? [yes/no]: yTrustpoint CA certificate accepted.% Certificate successfully importedStep 3
hostname(config)# crypto ca trustpoint newtrusthostname(config-ca-trustpoint)# enroll terminalhostname(config-ca-trustpoint)# crypto ca authenticate newtrustEnter the base 64 encoded CA certificate.End with the word "quit" on a line by itselfywsDsjl6YamF8mpMoruvwOuaUOsAK6KO54vy0QIBAzANBgkqhkiG9w0BAQQFAAOB gQCSOihb2NH6mga2eLqEsFP1oVbBteSkEAm+NRCDK7ud1l3D6UC01EgtkJ81QtCk AxQMNjMuNjcuNzIuMTg4MIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQDnXUHv 7//x1xEAOYfUzJmH5sr/NuxAbA5gTUbYA3pcE0KZHt761N+/8xGxC3DIVB8u7T/bgQCSOihb2NH6mga2eLqEsFP1oVbBteSkEAm+NRCDK7ud1l3D6UC01EgtkJ81QtCk tvX2T2Y/5sdNW4gfueavbyqYDbk4yxCKaofPp1ffAD9rrUFQJM1uQX14wclPCcAN NzIuMTg4MB4XDTA2MDExODIwMjYyMloXDTA5MDExNzIwMjYyMlowFzEVMBMGA1UE OPIBnjCCAQcCBEPOpG4wDQYJKoZIhvcNAQEEBQAwFzEVMBMGA1UEAxQMNjMuNjcu e7kR+rscOKYBSgVHrseqdB8+6QW5NF7f2dd+tSMvHtUMNw== quitINFO: Certificate has the following attributes:Fingerprint: 9508g897 82914638 435f9f0fc x9y2p42Do you accept this certificate? [yes/no]: yTrustpoint CA certificate accepted.% Certificate successfully importedhostname(config)# crypto ca trustpoint newtrusthostname(config-ca-trustpoint)# revocation-check ocsphostname(config-ca-trustpoint)# match certificate mymap override ocsp trustpoint mytrust 4 url 10.22.184.22Any connection that uses the newtrust trustpoint for client certificate authentication checks to see if the client certificate matches the attribute rules specified in the mymap certificate map. If so, the ASA accesses the OCSP responder at 10.22.184.22 for certificate revocation status, then then uses the mytrust trustpoint to validate the responder certificate.
Note
Related Commands
match certificate allow expired-certificate
To allow an administrator to exempt certain certificates from expiration checking, use the match certificate allow expired-certificate command in ca-trustpool configuration mode. To disable the exemption of certain certificates, use the no form of this command.
match certificate <map> allow expired-certificate
no match certificate <map> allow expired-certificate
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Ca-trustpool configuration
•
•
•
—
—
Command History
Usage Guidelines
The trustpool match commands leverage the certificate map objects to configure certificate specific exceptions or overrides to the global trustpool policy. The match rules are written relative to the certificate that is being validated.
Related Commands
match certificate skip revocation check
Exempts certain certificates from revocation checking.
match certificate skip revocation-check
To allow an administrator to exempt certain certificates from revocation checking, use the match certificate skip revocation-check command in ca-trustpool configuration mode. To disable the exemption from revocation checking, use the no form of this command.
match certificate map skip revocation-check
no match certificate map skip revocation-check
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Ca-trustpool configuration
•
•
•
—
—
Command History
Usage Guidelines
The trustpool match commands leverage the certificate map objects to configure certificate specific exceptions or overrides to the global trustpool policy. The match rules are written relative to the certificate that is being validated.
Examples
The following example shows skipping the validity check for the certificate with the Subject DN common name of "mycompany123."
crypto ca certificate map mycompany 1 subject-name attr cn eq mycompany123crypto ca trustpool policy match certificate mycompany skip revocation-checkRelated Commands
match certificate allow expired-certificate
Exempts certain certificates from expiration checking.
match cmd
To configure a match condition on the ESMTP command verb, use the match cmd command in policy-map configuration mode. To disable this feature, use the no form of this command.
match [not] cmd [verb verb | line length gt bytes | RCPT count gt recipients_number]
no match [not] cmd [verb verb | line length gt bytes | RCPT count gt recipients_number]
Syntax Description
verb verb
Specifies the ESMTP command verb.
line length gt bytes
Specifies the length of a line.
RCPT count gt recipients_number
Specifies the number of recipient email addresses.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy map configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a match condition in an ESMTP inspection policy map for the verb (method) NOOP exchanged in the ESMTP transaction:
hostname(config-pmap)# match cmd verb NOOPRelated Commands
match default-inspection-traffic
To specify default traffic for the inspect commands in a class map, use the match default-inspection-traffic command in class-map configuration mode. To remove this specification, use the no form of this command.
match default-inspection-traffic
no match default-inspection-traffic
Syntax Description
This command has no arguments or keywords.
Defaults
See the Usage Guidelines section for the default traffic of each inspection.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Using the match default-inspection-traffic command, you can match default traffic for the individual inspect commands. The match default-inspection-traffic command can be used in conjunction with one other match command, which is typically an access-list in the form of permit ip src-ip dst-ip.
The rule for combining a second match command with the match default-inspection-traffic command is to specify the protocol and port information using the match default-inspection-traffic command and specify all other information (such as IP addresses) using the second match command. Any protocol or port information specified in the second match command is ignored with respect to the inspect commands.
For instance, port 65535 specified in the example below is ignored:
hostname(config)# class-map cmaphostname(config-cmap)# match default-inspection-traffichostname(config-cmap)# match port 65535Default traffic for inspections are as follows:
Examples
The following example shows how to define a traffic class using a class map and the match default-inspection-traffic command:
hostname(config)# class-map cmaphostname(config-cmap)# match default-inspection-traffichostname(config-cmap)#Related Commands
match dns-class
To configure a match condition for the Domain System Class in a DNS Resource Record or Question section, use the match dns-class command in class-map or policy-map configuration mode. To remove a configured class, use the no form of this command.
match [not] dns-class {eq c_well_known | c_val} {range c_val1 c_val2}
no match [not] dns-class {eq c_well_known | c_val} {range c_val1 c_val2}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
By default, this command inspects all fields (questions and RRs) of a DNS message and matches the specified class. Both DNS query and response are examined.
The match can be narrowed down to the question portion of a DNS query by the following two commands: match not header-flag QR and match question.
This command can be configured within a DNS class map or policy map. Only one entry can be entered within a DNS class-map.
Examples
The following example shows how to configure a match condition for a DNS class in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_maphostname(config-pmap)# match dns-class eq INRelated Commands
match dns-type
To configure a match condition for a DNS type, including Query type and RR type, use the match dns-type command in class-map or policy-map configuration mode. To remove a configured dns type, use the no form of this command.
match [not] dns-type {eq t_well_known | t_val} {range t_val1 t_val2}
no match [not] dns-type {eq t_well_known | t_val} {range t_val1 t_val2}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
By default, this command inspects all sections of a DNS message (questions and RRs) and matches the specified type. Both DNS query and response are examined.
The match can be narrowed down to the question portion of a DNS query by the following two commands: match not header-flag QR and match question.
This command can be configured within a DNS class map or policy map. Only one entry can be entered within a DNS class-map.
Examples
The following example shows how to configure a match condition for a DNS type in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_maphostname(config-pmap)# match dns-type eq aRelated Commands
match domain-name
To configure a match condition for a DNS message domain name list, use the match domain-name command in class-map or policy-map configuration mode. To remove a configured section, use the no form of this command.
match [not] domain-name regex regex_id
match [not] domain-name regex class class_id
no match [not] domain-name regex regex_id
no match [not] domain-name regex class class_id
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map or policy map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command matches domain names in the DNS message against predefined list. Compressed domain names will be expanded before matching. The match condition can be narrowed down to a particular field in conjunction with other DNS match commands.
This command can be configured within a DNS class map or policy map. Only one entry can be entered within a DNS class-map.
Examples
The following example shows how to match the DNS domain name in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_maphostname(config-pmap)# match domain-name regexRelated Commands
match dscp
To identify the IETF-defined DSCP value (in an IP header) in a class map, use the match dscp command in class-map configuration mode. To remove this specification, use the no form of this command.
match dscp {values}
no match dscp {values}
Syntax Description
values
Specifies up to eight different the IETF-defined DSCP values in the IP header. Range is 0 to 63.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Using the match dscp command, you can match the IETF-defined DSCP values in the IP header.
Examples
The following example shows how to define a traffic class using a class map and the match dscp command:
hostname(config)# class-map cmaphostname(config-cmap)# match dscp af43 cs1 efhostname(config-cmap)#Related Commands
