-
Cisco ASA Series Command Reference
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
-
C Commands
-
cache -- clear compression
-
clear configure -- clear configure http
-
clear configure flow-export-- clear configure zonelabs-integrity
-
clear conn -- clear isakmp sa
-
clear local-host -- clear xlate
-
client-access-rule -- crl-configure
-
crypto ca authenticate -- crypto ipsec ikev1 transform-set mode transport
-
crypto isakmp disconnect-notify -- cxsc auth-proxy port
-
-
D through F Commands
-
database path -- debug cxsc
-
debug dap -- debug http-map
-
debug icmp -- debug ospfv3
-
debug parser cache -- debug xml
-
default -- dhcp-server
-
dhcpd address -- distribute-list out
-
dns domain-lookup -- dynamic-filter whitelist
-
eigrp log-neighbor-changes -- export webvpn webcontent
-
failover -- fallback
-
file-bookmarks -- functions
-
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- shape
-
show aaa kerberos -- show asdm sessions
-
show asp cluster counter -- show asp table vpn-context
-
show blocks -- show cpu
-
show crashinfo -- show curpriv
-
show ddns update interface -- show environment
-
show failover -- show ipsec stats traffic
-
show ipv6 access-list -- show ipv6
-
show isakmp ipsec-over-tcp stats -- show ospf virtual-links
-
show nac-policy -- show ospf virtual-links
-
show pager -- show route
-
show running-config -- show running-config ctl-provider
-
show running-config ddns -- show running-config isakmp
-
show running-config ipv6 router -- show running-config router
-
show running-config same-security-traffic -- show running-config xlate
-
show scansafe -- show switch vlan
-
show tcpstat -- show traffic
-
show uauth -- show xlate
-
shun -- snmp-server user
-
software-version -- storage-objects
-
subject-name -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
retries through rtp-min-port rtp-max-port Commands
revert webvpn AnyConnect-customization
revert webvpn plug-in protocol
revert webvpn translation-table
retries through rtp-min-port rtp-max-port Commands
retries
To specify the number of times to retry the list of DNS servers when the ASA does not receive a response, use the dns retries command in global configuration mode. To restore the default setting, use the no form of this command.
retries number
no retries [number]
Syntax Description
Defaults
The default number of retries is 2.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Add DNS servers using the name-server command.
This command replaces the dns name-server command.
Examples
The following example sets the number of retries to 0. The ASA tries each server only once.
hostname(config)# dns server-group dnsgroup1hostname(config-dns-server-group)# dns retries 0Related Commands
retry-count
To set the value for the number of consecutive polling failures to the Cloud Web Security proxy server before determining the server is unreachable, enter the retry-count command in scansafe general-options configuration mode. To restore the default, use the no form of this command.
retry-count value
no retry-count [value]
Syntax Description
Command Default
The default value is 5.
Command Modes
The following table shows the modes in which you can enter the command:
Scansafe general-options configuration
•
•
•
—
•
Command History
Usage Guidelines
When you subscribe to the Cisco Cloud Web Security service, you are assigned a primary Cloud Web Security proxy server and backup proxy server.
If any client is unable to reach the primary server, then the ASA starts polling the tower to determine availability. (If there is no client activity, the ASA polls every 15 miniutes.) If the proxy server is unavailable after a configured number of retries (the default is 5; this setting is configurable), the server is declared unreachable, and the backup proxy server becomes active.
If a client or the ASA can reach the server at least twice consecutively before the retry count is reached, the polling stops and the tower is determined to be reachable.
After a failover to the backup server, the ASA continues to poll the primary server. If the primary server becomes reachable, then the ASA returns to using the primary server.
Examples
The following example configures a retry value of 7:
scansafe general-optionsserver primary ip 180.24.0.62 port 8080retry-count 7Related Commands
retry-interval
To configure the amount of time between retry attempts for a particular AAA server designated in a previous aaa-server host command, use the retry-interval command in aaa-server host mode. To reset the retry interval to the default value, use the no form of this command.
retry-interval seconds
no retry-interval
Syntax Description
seconds
Specify the retry interval (1-10 seconds) for the request. This is the time the ASA waits before retrying a connection request.
Defaults
The default retry interval is 10 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server host
•
•
•
•
—
Command History
Usage Guidelines
Use the retry-interval command to specify or reset the number of seconds the ASA waits between connection attempts. Use the timeout command to specify the length of time during which the ASA attempts to make a connection to a AAA server.
Examples
The following examples show the retry-interval command in context.
hostname(config)#aaa-server svrgrp1 protocol radiushostname(config-aaa-server-group)#aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)#timeout 7hostname(config-aaa-server-host)#retry-interval 9hostname(config-aaa-server-host)#Related Commands
reval-period
To specify the interval between each successful posture validation in a NAC Framework session, use the reval-period command in nac-policy-nac-framework configuration mode. To remove the command from the NAC Framework policy, use the no form of this command.
reval-period seconds
no reval-period [seconds]
Syntax Description
Defaults
The default value is 36000.
Command Modes
The following table shows the modes in which you can enter the command:
nac-policy-nac-framework configuration
•
—
•
—
—
Command History
7.3(0)
"nac-" removed from command name. Command moved from group-policy configuration mode to nac-policy-nac-framework configuration mode.
7.2(1)
This command was introduced.
Usage Guidelines
The ASA starts the revalidation timer after each successful posture validation. The expiration of this timer triggers the next unconditional posture validation. The ASA maintains posture validation during revalidation. The default group policy becomes effective if the Access Control Server is unavailable during posture validation or revalidation.
Examples
The following example changes the revalidation timer to 86400 seconds:
hostname(config-nac-policy-nac-framework)# reval-period 86400hostname(config-nac-policy-nac-framework)The following example removes the revalidation timer from the NAC policy:
hostname(config-nac-policy-nac-framework)# no reval-periodhostname(config-nac-policy-nac-framework)Related Commands
revert webvpn all
To remove all web-related data (customization, plug-in, translation table, URL list, and web content) from the ASA flash memory, enter the revert webvpn all command in privileged EXEC mode.
revert webvpn all
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC mode
•
—
•
—
—
Command History
Usage Guidelines
Use the revert webvpn all command to disable and remove all web-related information (customization, plug-in, translation table, URL list, and web content) from the flash memory of the ASA. Removal of all web-related data returns default settings when applicable.
Examples
The following command removes all of the web-related configuration data from the ASA:
hostname# revert webvpn allhostnameRelated Commands
show import webvpn (option)
Displays various imported WebVPN data and plug-ins. currently present in flash memory on the ASA.
revert webvpn AnyConnect-customization
To remove a file from the ASA that customizes the AnyConnect client GUI, use the revert webvpn AnyConnect-customization command in privileged EXEC mode.
revert webvpn AnyConnect-customization type type platform platform name name
Syntax Description
Defaults
There is no default behavior for this command.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
—
•
—
—
Command History
Usage Guidelines
For detailed procedures for customizing the AnyConnect client GUI, see the AnyConnect VPN Client Administrator Guide.
Examples
The following example removes the Cisco logo that was previously imported as a resource file to customize the AnyConnect GUI:
hostname# revert webvpn AnyConnect-customization type resource platform win name cisco_logo.gifRelated Commands
revert webvpn customization
To remove a customization object from the ASA cache memory, enter the revert webvpn customization command in privileged EXEC mode.
revert webvpn customization name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC mode
•
—
•
—
—
Command History
Usage Guidelines
Use the revert webvpn customization command to remove Clientless SSL VPN support for the specified customization and to remove it from the cache memory on the ASA. Removal of a customization object returns default settings when applicable. A customization object contains the configuration parameters for a specific, named portal page.
Version 8.0 software extends the functionality for configuring customization, and the new process is incompatible with previous versions. During the upgrade to 8.0 software, the security appliance preserves a current configuration by using old settings to generate new customization objects. This process occurs only once, and is more than a simple transformation from the old format to the new one because the old values are only a partial subset of the new ones.
Note
Examples
The following command removes the customization object named GroupB:
hostname# revert webvpn customization groupbhostnameRelated Commands
revert webvpn plug-in protocol
To remove a plug-in from the flash device of the ASA, enter the revert webvpn plug-in protocol command in privileged EXEC mode.
revert plug-in protocol protocol
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC mode
•
—
•
—
—
Command History
Usage Guidelines
Use the revert webvpn plug-in protocol command to disable and remove Clientless SSL VPN support for the specified Java-based client application, as well as to remove it from the flash drive of the ASA.
Examples
The following command removes support for RDP:
hostname# revert webvpn plug-in protocol rdphostnameRelated Commands
revert webvpn translation-table
To remove a translation table from the ASA flash memory, enter the revert webvpn translation-table command in privileged EXEC mode.
revert webvpn translation-table translationdomain language
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC mode
•
—
•
—
—
Command History
Usage Guidelines
Use the revert webvpn translation-table command to disable and remove an imported translation table and to remove it from the flash memory on the ASA. Removal of a translation table returns default settings when applicable.
Examples
The following command removes the AnyConnect translation table, Dutch:
hostname# revert webvpn translation-table anyconnect dutchhostnameRelated Commands
revert webvpn url-list
To remove a URL list from the ASA, enter the revert webvpn url-list command in privileged EXEC mode.
revert webvpn url-list template name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC mode
•
—
•
—
—
Command History
Usage Guidelines
Use the revert webvpn url-list command to disable and remove a current URL list from the flash drive of the ASA. Removal of a url-list returns default settings when applicable.
The template argument used with the revert webvpn url-list command specifies the name of a previously configured list of URLs. To configure such a list, use the url-list command in global configuration mode.
Examples
The following command removes the URL list, servers2:
hostname# revert webvpn url-list servers2hostnameRelated Commands
revert webvpn webcontent
To remove a specified web object from a location in the ASA flash memory, enter the revert webvpn webcontent command in privileged EXEC mode.
revert webvpn webcontent filename
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC mode
•
—
•
—
—
Command History
Usage Guidelines
Use the revert webvpn content command to disable and remove a file containing the web content and to remove it from the flash memory of the ASA. Removal of web content returns default settings when applicable.
Examples
The following command removes the web content file, ABCLogo, from the ASA flash memory:
hostname# revert webvpn webcontent abclogohostnameRelated Commands
revocation-check
To define whether revocation checking is needed for the trustpool policy, use the revocation-check command in crypto ca trustpool configuration mode. To restore the default revocation checking method, which is none, use the no form of this command.
revocation-check {[crl] [ocsp] [none] }
no revocation-check {[crl] [ocsp] [none]}
Syntax Description
Defaults
The default value is none.
Command Modes
The following table shows the modes in which you can enter the command:
Crypto ca trustpool configuration mode
•
•
•
—
—
Command History
Usage Guidelines
The signer of the OCSP response is usually the OCSP server (responder) certificate. After receiving the response, devices try to verify the responder certificate.
Normally a CA sets the lifetime of its OCSP responder certificate to a relatively short period to minimize the chance of compromising its security. The CA includes an ocsp-no-check extension in the responder certificate that indicates it does not need revocation status checking. But if this extension is not present, the device tries to check the certificate revocation status using the revocation methods you configure for the trustpoint with this revocation-check command.The OCSP responder certificate must be verifiable if it does not have an ocsp-no-check extension since the OCSP revocation check fails unless you also set the none option to ignore the status check.
Note
The ASA tries the methods in the order in which you configure them, trying the second and third methods only if the previous method returns an error (for example, server down), instead of finding the status as revoked.
You can set a revocation checking method in the client certificate validating trustpoint and also configure no revocation checking (revocation-check none) in the responder certificate validating trustpoint. See the match certificate command for a configuration example.
If you have configured the ASA with the revocation-check crl none command, when a client connects to the ASA, it automatically starts downloading the CRL because it has not been cached, then validates the certificate, and finishes downloading the CRL. In this case, if the CRL is not cached, the ASA validates the certificate before downloading the CRL.
Examples
hostname(config-ca-trustpoint)# revocation-check ?crypto-ca-trustpoint mode commands/options:crl Revocation check by CRLnone Ignore revocation checkocsp Revocation check by OCSP(config-ca-trustpoint)#Related Commands
rewrite
To disable content rewriting a particular application or type of traffic over a WebVPN connection, use the rewrite command in webvpn mode. To eliminate a rewrite rule, use the no form of this command with the rule number, which uniquely identifies the rule. To eliminate all rewriting rules, use the no form of the command without the rule number.
By default, the ASA rewrites, or transforms, all WebVPN traffic.
rewrite order integer {enable | disable} resource-mask string [name resource name]
no rewrite order integer {enable | disable} resource-mask string [name resource name]
Syntax Description
Defaults
The default is to rewrite everything.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
The ASA performs content rewriting for applications to insure that they render correctly over WebVPN connections. Some applications do not require this processing, such as external public websites. For these applications, you might choose to turn off content rewriting.
You can turn off content rewriting selectively by using the rewrite command with the disable option to let users browse specific sites directly without going through the ASA. This is similar to split-tunneling in IPsec VPN connections.
You can use this command multiple times. The order in which you configure entries is important because the ASA searches rewrite rules by order number and applies the first rule that matches.
Examples
The following example shows how to configure a rewrite rule, order number of 1, that turns off content rewriting for URLS from cisco.com domains:
hostname(config-webpn)# rewrite order 2 disable resource-mask *cisco.com/*Related Commands
apcf
Specifies nonstandard rules to use for a particular application.
proxy-bypass
Configures minimal content rewriting for a particular application.
re-xauth
To require that IPsec users reauthenticate on IKE rekey, issue the re-xauth enable command in group-policy configuration mode. To disable user reauthentication on IKE rekey, use the re-xauth disable command.
To remove the re-xauth attribute from the running configuration, use the no form of this command. This enables inheritance of a value for reauthentication on IKE rekey from another group policy.
re-xauth {enable [extended] | disable}
no re-xauth
Syntax Description
Defaults
Reauthentication on IKE rekey is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group policy configuration
•
—
•
—
—
Command History
Usage Guidelines
Reauthentication on IKE rekey applies only to IPsec connections.
If you enable reauthentication on IKE rekey, the ASA prompts the user to enter a username and password during initial Phase 1 IKE negotiation and also prompts for user authentication whenever an IKE rekey occurs. Reauthentication provides additional security.
The user has 30 seconds to enter credentials, and up to three attempts before the SA expires at approximately two minutes and the tunnel terminates. Use the extended keyword to allow users to reenter authentication credentials until the maximum lifetime of the configured SA.
To check the configured rekey interval, in monitoring mode, issue the show crypto ipsec sa command to view the security association lifetime in seconds and lifetime in kilobytes of data.
Note
Examples
The following example shows how to enable reauthentication on rekey for the group policy named FirstGroup:
hostname(config) #group-policy FirstGroup attributeshostname(config-group-policy)# re-xauth enablerip send version
To specify the RIP version used to send RIP updates on an interface, use the rip send version command in interface configuration mode. To restore the defaults, use the no form of this command.
rip send version {[1] [2]}
no rip send version
Syntax Description
Defaults
The ASA sends RIP Version 1 packets.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
You can override the global RIP send version setting on a per-interface basis by entering the rip send version command on an interface.
If you specify RIP version 2, you can enable neighbor authentication and use MD5-based encryption to authenticate the RIP updates.
Examples
The following example configures the ASA to send and receive RIP Versions 1 and 2 packets on the specified interface:
hostname(config)# interface GigabitEthernet0/3hostname(config-if)# rip send version 1 2hostname(config-if)# rip receive version 1 2Related Commands
rip receive version
To specify the version of RIP accepted on an interface, use the rip receive version command in interface configuration mode. To restore the defaults, use the no form of this command.
version {[1] [2]}
no version
Syntax Description
Defaults
The ASA accepts Version 1 and Version 2 packets.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
You can override the global setting on a per-interface basis by entering the rip receive version command on an interface.
If you specify RIP version 2, you can enable neighbor authentication and use MD5-based encryption to authenticate the RIP updates.
Examples
The following example configures the ASA to receive RIP Versions 1 and 2 packets the specified interface:
hostname(config)# interface GigabitEthernet0/3hostname(config-if)# rip send version 1 2hostname(config-if)# rip receive version 1 2Related Commands
rip authentication mode
To specify the type of authentication used in RIP Version 2 packets, use the rip authentication mode command in interface configuration mode. To restore the default authentication method, use the no form of this command.
rip authentication mode {text | md5}
no rip authentication mode
Syntax Description
md5
Uses MD5 for RIP message authentication.
text
Uses clear text for RIP message authentication (not recommended).
Defaults
Clear text authentication is used by default.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
If you specify RIP version 2, you can enable neighbor authentication and use MD5-based encryption to authenticate the RIP updates.
Use the show interface command to view the rip authentication commands on an interface.
Examples
The following examples shows RIP authentication configured on interface GigabitEthernet0/3:
hostname(config)# interface Gigabit0/3hostname(config-if)# rip authentication mode md5hostname(config-if)# rip authentication key thisismykey key_id 5Related Commands
rip authentication key
To enable authentication of RIP Version 2 packets and specify the authentication key, use the rip authentication key command in interface configuration mode. To disable RIP Version 2 authentication, use the no form of this command.
rip authentication key [0 | 8] string key_id id
no rip authentication key
Syntax Description
Defaults
RIP authentication is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
If you specify RIP version 2, you can enable neighbor authentication and use MD5-based encryption to authenticate the RIP updates. When you enable neighbor authentication, you must ensure that the key and key_id arguments are the same as those used by neighbor devices that provide RIP version 2 updates. The key is a text string of up to 16 characters.
Use the show interface command to view the rip authentication commands on an interface.
Examples
The following examples shows RIP authentication configured on interface GigabitEthernet0/3:
hostname(config)# interface Gigabit0/3hostname(config-if)# rip authentication mode md5hostname(config-if)# rip authentication key 8 yWIvi0qJAnGK5MRWQzrhIohkGP1wKb 5Related Commands
rip receive version
To specify the version of RIP accepted on an interface, use the rip receive version command in interface configuration mode. To restore the defaults, use the no form of this command.
version {[1] [2]}
no version
Syntax Description
Defaults
The ASA accepts Version 1 and Version 2 packets.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
You can override the global setting on a per-interface basis by entering the rip receive version command on an interface.
If you specify RIP version 2, you can enable neighbor authentication and use MD5-based encryption to authenticate the RIP updates.
Examples
The following example configures the ASA to receive RIP Versions 1 and 2 packets the specified interface:
hostname(config)# interface GigabitEthernet0/3hostname(config-if)# rip send version 1 2hostname(config-if)# rip receive version 1 2Related Commands
rip send version
To specify the RIP version used to send RIP updates on an interface, use the rip send version command in interface configuration mode. To restore the defaults, use the no form of this command.
rip send version {[1] [2]}
no rip send version
Syntax Description
Defaults
The ASA sends RIP Version 1 packets.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
You can override the global RIP send version setting on a per-interface basis by entering the rip send version command on an interface.
If you specify RIP version 2, you can enable neighbor authentication and use MD5-based encryption to authenticate the RIP updates.
Examples
The following example configures the ASA to send and receive RIP Versions 1 and 2 packets on the specified interface:
hostname(config)# interface GigabitEthernet0/3hostname(config-if)# rip send version 1 2hostname(config-if)# rip receive version 1 2Related Commands
rmdir
To remove the existing directory, use the rmdir command in privileged EXEC mode.
rmdir [/noconfirm] [disk0: | disk1: | flash:]path
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command.
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
If the directory is not empty, the rmdir command fails.
Examples
The following example shows how to remove an existing directory named "test":
hostname# rmdir testRelated Commands
dir
Displays the directory contents.
mkdir
Creates a new directory.
pwd
Displays the current working directory.
show file
Displays information about the file system.
route
To enter a static or default route for the specified interface, use the route command in global configuration mode. To remove routes from the specified interface, use the no form of this command.
route interface_name ip_address netmask gateway_ip [[metric] [track number] | tunneled]
no route interface_name ip_address netmask gateway_ip [[metric] [track number] | tunneled]
Syntax Description
Defaults
The metric default is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the route command to enter a default or static route for an interface. To enter a default route, set ip_address and netmask to 0.0.0.0, or use the shortened form of 0. All routes that are entered using the route command are stored in the configuration when it is saved.
You can define a separate default route for tunneled traffic along with the standard default route. When you create a default route with the tunneled option, all traffic from a tunnel terminating on the ASA that cannot be routed using learned or static routes, is sent to this route. For traffic emerging from a tunnel, this route overrides over any other configured or learned default routes.
The following restrictions apply to default routes with the tunneled option:
•
•
•
You cannot define more than one default route with the tunneled option; ECMP for tunneled traffic is not supported.
Create static routes to access networks that are connected outside a router on any interface. For example, the ASA sends all packets that are destined to the 192.168.42.0 network through the 192.168.1.5 router with the following static route command.
hostname(config)# route dmz 192.168.42.0 255.255.255.0 192.168.1.5 1After you enter the IP address for each interface, the ASA creates a CONNECT route in the route table. This entry is not deleted when you use the clear route or clear configure route commands.
If the route command uses the IP address from one of the interfaces on the ASA as the gateway IP address, the ASA will ARP for the destination IP address in the packet instead of ARPing for the gateway IP address.
Examples
The following example shows how to specify one default route command for an outside interface:
hostname(config)# route outside 0 0 209.165.201.1 1The following example shows how to add these static route commands to provide access to the networks:
hostname(config)# route dmz1 10.1.2.0 255.0.0.0 10.1.1.4 1hostname(config)# route dmz1 10.1.3.0 255.0.0.0 10.1.1.4 1The following example uses an SLA operation to install a default route to the 10.1.1.1 gateway on the outside interface. The SLA operation monitors the availability of that gateway. If the SLA operation fails, then the backup route on the DMZ interface is used.
hostname(config)# sla monitor 123hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outsidehostname(config-sla-monitor-echo)# timeout 1000hostname(config-sla-monitor-echo)# frequency 3hostname(config)# sla monitor schedule 123 life forever start-time nowhostname(config)# track 1 rtr 123 reachabilityhostname(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.1 track 1hostname(config)# route dmz 0.0.0.0 0.0.0.0 10.2.1.1 254Related Commands
route-map
To define the conditions for redistributing routes from one routing protocol into another, use the route-map command in global configuration mode. To remove a map, use the no form of this command.
route-map map_tag [permit | deny] [seq_num]
no route-map map_tag [permit | deny] [seq_num]
Syntax Description
Defaults
The defaults are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
The route-map command lets you redistribute routes.
The route-map global configuration command and the match and set configuration commands define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria that are the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions, which are the redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can enter the match commands in any order, and all match commands must pass to cause the route to be redistributed according to the set actions given with the set commands. The no form of the match commands removes the specified match criteria.
Use route maps when you want detailed control over how routes are redistributed between routing processes. You specify the destination routing protocol with the router ospf global configuration command. You specify the source routing protocol with the redistribute router configuration command.
When you pass routes through a route map, a route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored; the route is not advertised for outbound route maps and is not accepted for inbound route maps. To modify only some data, you must configure a second route map section with an explicit match specified.
The seq_number argument is as follows:
1.
2.
3.
If the no route-map map-tag command is specified (with no seq-num argument), the whole route map is deleted (all route-map entries with the same map-tag text).
If the match criteria are not met, and you specify the permit keyword, the next route map with the same map_tag is tested. If a route passes none of the match criteria for the set of route maps sharing the same name, it is not redistributed by that set.
Examples
The following example shows how to configure a route map in OSPF routing:
hostname(config)# route-map maptag1 permit 8hostname(config-route-map)# set metric 5hostname(config-route-map)# match metric 5hostname(config-route-map)# show running-config route-maproute-map maptag1 permit 8set metric 5match metric 5hostname(config-route-map)# exithostname(config)#Related Commands
router-alert
To define an action when the Router Alert IP option occurs in a packet with IP Options inspection, use the router-alert command in parameters configuration mode. To disable this feature, use the no form of this command.
router-alert action {allow | clear}
no router-alert action {allow | clear}
Syntax Description
allow
Instructs the ASA to allow a packet containing the Router Alert IP option to pass.
clear
Instructs the ASA to clear the Router Alert IP option from a packet and then allow the packet to pass.
Defaults
By default, IP Options inspection, drops packets containing the Router Alert IP option.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an IP Options inspection policy map.
You can configure IP Options inspection to control which IP packets with specific IP options are allowed through the ASA. Configuring this inspection instructs the ASA to allow a packet to pass or to clear the specified IP options and then allow the packet to pass.
The Router Alert (RTRALT) or IP Option 20 notifies transit routers to inspect the contents of the packet even when the packet is not destined for that router. This inspection is valuable when implementing RSVP and similar protocols require relatively complex processing from the routers along the packets delivery path.
Examples
The following example shows how to set up an action for protocol violation in a policy map:
hostname(config)# policy-map type inspect ip-options ip-options_maphostname(config-pmap)# parametershostname(config-pmap-p)# eool action allowhostname(config-pmap-p)# nop action allowhostname(config-pmap-p)# router-alert action allowRelated Commands
router-id
To use a fixed router ID, use the router-id command in router configuration mode for OSPFv2 or IPv6 router configuration mode for OSPFv3. To reset OSPF to use the previous router ID behavior, use the no form of this command.
router-id id
no router-id [id]
Syntax Description
Defaults
If not specified, the highest-level IP address on the ASA is used as the router ID.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
•
—
IPv6 router configuration
•
—
•
•
—
Command History
Usage Guidelines
By default, the ASA uses the highest-level IP address on an interface that is covered by a network command in the OSPF configuration. If the highest-level IP address is a private address, then that address is sent in hello packets and database definitions. To use a specific router ID, use the router-id command to specify a global address for the router ID.
Router IDs must be unique within an OSPF routing domain. If two routers in the same OSPF domain are using the same router ID, routing may not work correctly.
You should enter the router-id command before entering network commands in an OSPF configuration. This prevents possible conflicts with the default router ID generated by the ASA. If you do have a conflict, you will receive the message:
ERROR: router-id id in use by ospf process pidTo enter the conflicting ID, remove the network command that contains the IP address causing the conflict, enter the router-id command, and then re-enter the network command.
Clustering
In Layer 2 clustering, you either need to configure the router-id id command or leave the router ID blank, provided all units receive the same router ID.
Examples
The following example sets the router ID to 192.168.1.1:
hostname(config-rtr)# router-id 192.168.1.1hostname(config-rtr)#Related Commands
router ospf
Enters router configuration mode.
show ospf
Displays general information about the OSPFv2 routing processes.
router-id cluster-pool
To specify the router ID cluster pool for a Layer 3 clustering deployment, use the router-id cluster-pool command in router configuration mode for OSPFv2 or IPv6 router configuration mode for OSPFv3.
router-id cluster-pool hostname | A.B.C.D ip_pool
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
IPv6 router configuration
•
—
•
•
—
Command History
Usage Guidelines
Router IDs must be unique within an OSPFv2 or OSPFv3 routing domain in clustering. If two routers in the same OSPFv2 or OSPFv3 domain are using the same router ID, routing in clustering may not work correctly.
In Layer 2 clustering, you either need to configure the router-id id command or leave the router ID blank, provided all units receive the same router ID.
When a Layer 3 cluster interface is configured, each unit must have a unique interface IP address. To make sure that each unit has a unique interface IP address, you can configure a local pool of IP addresses for OSPFv2 or OSPFv3 with the router-id cluster-pool command.
Examples
The following example shows how to configure an IP address pool when Layer 3 clustering is configured for OSPFv2:
hostname(config)# ip local pool rpool 1.1.1.1-1.1.1.4hostname(config)# router ospf 1hostname(config-rtr)# router-id cluster-pool rpoolhostname(config-rtr)# network 17.5.0.0 255.255.0.0 area 1hostname(config-rtr)# log-adj-changesThe following example shows how to configure an IP address pool when Layer 3 clustering is configured for OSPFv3:
hostname(config)# ipv6 router ospf 2hostname(config-rtr)# router-id cluster-pool rpoolhostname(config-rtr)# interface gigabitEthernet0/0hostname(config-rtr)# nameif insidehostname(config-rtr)# security-level 0hostname(config-rtr)# ip address 17.5.33.1 255.255.0.0 cluster-pool inside_poolhostname(config-rtr)# ipv6 address 8888::1/64 cluster-pool p6hostname(config-rtr)# ipv6 nd suppress-rahostname(config-rtr)# ipv6 ospf 2 area 0.0.0.0Related Commands
router eigrp
To start an EIGRP routing process and configure parameters for that process, use the router eigrp command in global configuration mode. To disable EIGRP routing, use the no form of this command.
router eigrp as-number
no router eigrp as-number
Syntax Description
as-number
Autonomous system number that identifies the routes to the other EIGRP routers. It is also used to tag the routing information. Valid values are from 1 to 65535.
Defaults
EIGRP routing is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The router eigrp command creates an EIGRP routing process or enters router configuration mode for an existing EIGRP routing process. You can only create a single EIGRP routing process on the ASA.
Use the following router configuration mode commands to configure the EIGRP routing processes:
•
•
•
•
•
•
•
•
•
•
•
•
•
Use the following interface configuration mode commands to configure interface-specific EIGRP parameters:
•
•
•
•
•
•
•
Examples
The following example shows how to enter the configuration mode for the EIGRP routing process with the autonomous system number 100:
hostname(config)# router eigrp 100hostname(config-rtr)#Related Commands
router ospf
To start an OSPF routing process and configure parameters for that process, use the router ospf command in global configuration mode. To disable OSPF routing, use the no form of this command.
router ospf pid
no router ospf pid
Syntax Description
pid
Internally used identification parameter for an OSPF routing process; valid values are from 1 to 65535. The pid does not need to match the ID of OSPF processes on other routers.
Defaults
OSPF routing is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
The router ospf command is the global configuration command for OSPF routing processes running on the ASA. Once you enter the router ospf command, the command prompt appears as (config-router)#, indicating that you are in router configuration mode.
When using the no router ospf command, you do not need to specify optional arguments unless they provide necessary information. The no router ospf command terminates the OSPF routing process specified by its pid. You assign the pid locally on the ASA. You must assign a unique value for each OSPF routing process.
The router ospf command is used with the following OSPF-specific commands to configure OSPF routing processes:
•
•
•
•
•
•
•
•
•
•
•
•
•
Examples
The following example shows how to enter the configuration mode for the OSPF routing process numbered 5:
hostname(config)# router ospf 5hostname(config-rtr)#Related Commands
router rip
To start a RIP routing process and configure parameters for that process, use the router rip command in global configuration mode. To disable the RIP routing process, use the no form of this command.
router rip
no router rip
Syntax Description
This command has no arguments or keywords.
Defaults
RIP routing is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The router rip command is the global configuration command for configuring the RIP routing processes on the ASA. You can only configure one RIP process on the ASA. The no router rip command terminates the RIP routing process and removes all router configuration for that process.
When you enter the router rip command, the command prompt changes to hostname(config-router)#, indicating that you are in router configuration mode.
The router rip command is used with the following router configuration commands to configure RIP routing processes:
•
•
•
•
•
•
•
•
Additionally, you can use the following commands in interface configuration mode to configure RIP properties on a per-interface basis:
•
•
•
•
RIP is not supported in transparent mode. By default, the ASA denies all RIP broadcast and multicast packets. To permit these RIP messages to pass through an ASA operating in transparent mode you must define access list entries to permit this traffic. For example, to permit RIP version 2 traffic through the ASA, create an access list entry such as the following:
hostname(config)# access-list myriplist extended permit ip any host 224.0.0.9
To permit RIP version 1 broadcasts, create an access list entry such as the following:
hostname(config)# access-list myriplist extended permit udp any any eq rip
Apply these access list entries to the appropriate interface using the access-group command.
You can enable both RIP and OSPF routing on the ASA at the same time.
Examples
The following example shows how to enter the configuration mode for the OSPF routing process numbered 5:
hostname(config)# router riphostname(config-rtr)# network 10.0.0.0hostname(config-rtr)# version 2Related Commands
rtp-conformance
To check RTP packets flowing on the pinholes for protocol conformance in H.323 and SIP, use the rtp-conformance command in parameters configuration mode. To disable this feature, use the no form of this command.
rtp-conformance [enforce-payloadtype]
no rtp-conformance [enforce-payloadtype]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to check RTP packets flowing on the pinholes for protocol conformance on an H.323 call:
hostname(config)# policy-map type inspect h323 h323_maphostname(config-pmap)# parametershostname(config-pmap-p)# rtp-conformanceRelated Commands
rtp-min-port rtp-max-port
To configure the rtp-min-port and rtp-max-port limits for the phone proxy feature, use the rtp-min-port port1 rtp-max-port port2 command in phone-proxy configuration mode.
To remove the rtp-min-port and rtp-max-port limits from the phone proxy configuration, use the no form of this command.
rtp-min-port port1 rtp-maxport port2
no rtp-min-port port1 rtp-maxport port2
Syntax Description
Defaults
By default, the port1 value for the rtp-min-port keyword is 16384 and the port2 value for the rtp-max-port keyword is 32767.
Command Modes
The following table shows the modes in which you can enter the command:
Phone-proxy configuration
•
—
•
—
—
Command History
Usage Guidelines
Configure the RTP port range for the media termination point when you need to scale the number of calls that the Phone Proxy supports.
Examples
The following example shows the use of the media-termination address command to specify the IP address to use for media connections:
hostname(config-phone-proxy)#rtp-min-port 2001 rtp-maxport 32770Related Commands
