Cisco IOS Security Command Reference: Commands M to R
pac key through port-misuse
Downloads: This chapterpdf (PDF - 2.44MB) The complete bookPDF (PDF - 6.91MB) | The complete bookePub (ePub - 0.96MB) | The complete bookMobi (Mobi - 2.47MB) | Feedback

pac key through port-misuse

Contents

pac key through port-misuse

pac key

To specify the Protected Access Credential (PAC) encryption key, use the pac key command in RADIUS server configuration mode. To delete the PAC key, use the no form of this command.

pac key encryption-key

no pac key encryption-key

Syntax Description

encryption-key

The encryption-key can be 0 (specifies that an unencrypted key follows), 6 (specifies that an advanced encryption scheme [AES] encrypted key follows), 7 (specifies that a hidden key follows), or a line specifying the unencrypted (clear-text) server key.

Command Default

No PAC encryption key is specified.

Command Modes


RADIUS server configuration (config-radius-server)

Command History

Release

Modification

15.2(2)T

This command was introduced.

15.4(1)T

This command was modified. The 6 keyword was added.

Usage Guidelines

Both the radius server command, which enters RADIUS server configuration mode, and the aaa new-model command must be configured before accessing this command.

The configuration of the pac key command allows the PAC-Opaque, which is a variable length field, to be sent to the server during the Transport Layer Security (TLS) tunnel establishment phase. The PAC-Opaque can be interpreted only by the server to recover the required information for the server to validate the peer’s identity and authentication. For example, the PAC-Opaque may include the PAC-Key and the PAC’s peer identity. The PAC-Opaque format and contents are specific to the issuing PAC server.

In seed devices, the PAC-Opaque has to be provisioned so that all RADIUS exchanges can use this PAC-Opaque to enable automatic PAC provisioning for the server being used. All nonseed devices obtain the PAC-Opaque during the authentication phase of a link initialization.

Use the password encryption aes command to configure type 6 AES encrypted keys.

Examples

The following example shows how to configure the RADIUS server accounting and authentication parameters for PAC provisioning and the specification of the PAC key:

Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# radius server
Device(config-radius-server)# address ipv4 10.0.0.1 acct-port 1813 auth-port 1812
Device(config-radius-server)# pac key 7 mypackey

Related Commands

Command

Description

aaa new-model

Enables new RADIUS and AAA access control commands and functions and disables old commands.

address ipv4

Configures the RADIUS server accounting and authentication parameters for PAC provisioning.

password encryption aes

Enables a type 6 encrypted preshared key.

radius server

Specifies the name for the RADIUS server configuration for PAC provisioning and enters RADIUS server configuration mode.

parameter

To specify parameters for an enrollment profile, use the parameter command in ca-profile-enroll configuration mode. To disable specified parameters, use the no form of this command.

parameter number { value value | prompt string }

no parameter number { value value | prompt string }

Syntax Description

number

User parameters. Valid values range from 1 to 8.

value value

To be used if the parameter has a constant value.

prompt string

To be used if the parameter is supplied after the crypto ca authenticate command or the crypto ca enroll command has been entered.

Note   

The value of the string argument does not have an effect on the value that is used by the router.

Command Default

No enrollment profile paramters are specified.

Command Modes


Ca-profile-enroll configuration

Command History

Release

Modification

12.2(13)ZH

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

Usage Guidelines

The parameter command can be used within an enrollment profile after the authentication commandcommandorthe enrollment command has been enabled.

Examples

The following example shows how to specify parameters for the enrollment profile named “E”:

crypto ca trustpoint Entrust
  enrollment profile E
  serial
crypto ca profile enrollment E
 authentication url  http://entrust:81
 authentication command  GET /certs/cacert.der
 enrollment url  http://entrust:81/cda-cgi/clientcgi.exe
 enrollment command  POST reference_number=$P2&authcode=$P1
&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001

Related Commands

Command

Description

authentication command

Specifies the HTTP command that is sent to the CA for authentication.

crypto ca profile enrollment

Defines an enrollment profile.

enrollment command

Specifies the HTTP command that is sent to the CA for enrollment.

parameter-map type

To create or modify a parameter map, use the parameter-map typecommand in global configuration mode. To delete a parameter map from the configuration, use the no form of this command.

parameter-map type { inspect | urlfilter | protocol-info | consent } parameter-map-name

no parameter-map type { inspect | urlfilter | protocol-info | consent } parameter-map-name

Syntax Description

inspect

Defines an inspect type parameter map, which configures connection thresholds, timeouts, and other parameters pertaining to the inspect action.

urlfilter

Defines a URL-filter-specific parameter map.

protocol-info

Defines an application-specific parameter map.

Note   

Protocol-specific parameter maps can be created only for Instant Messenger (IM) applications (AOL, I Seek You (ICQ), MSN Messenger, Yahoo Messenger and Windows Messenger).

consent

Defines an authentication proxy consent parameter map.

parameter-map-name

Name of the parameter map.

Command Default

None

Command Modes


Global configuration (config)#

Command History

Release

Modification

12.4(6)T

This command was introduced.

12.4(9)T

The protocol-info keyword was added.

12.4(15)T

The consent keyword was added.

12.4(20)T

Support for ICQ and Windows Messenger was added.

Usage Guidelines

A parameter map allows you to specify parameters that control the behavior of actions and match criteria specified under a policy map and a class map, respectively.

There are currently four types of parameter maps:

  • Inspect parameter map

An inspect parameter map is optional. If you do not configure a parameter map, the software uses default parameters. Parameters associated with the inspect action apply to all nested actions (if any). If parameters are specified in both the top and lower levels, those in the lower levels override those in the top levels.

  • URL filter parameter map

A parameter map is required for URL filtering (via the URL filter action in a Layer 3 or Layer 4 policy map and the URL filter parameter map).

  • Protocol-specific parameter map

A parameter map is required for an IM application (Layer 7) policy map.

  • Authentication proxy consent-specific parameter map.

Examples

The following example shows how to configure an IM-based firewall policy. In this example, all Yahoo Messenger and ICQ traffic is allowed to pass through, while all MSN Messenger, AOL and Windows Messenger traffic is blocked. Also, parameter maps are defined to control all Yahoo Messenger and ICQ traffic on a more granular level.

!
!
parameter-map type protocol-info ymsgr-servers
 server name messenger.yahoo.akadns.net
 server name .*.yahoo.com snoop
 server ip 192.0.2.100
 server ip range 192.0.2.115 192.0.2.180
parameter-map type protocol-info icq-servers
 server name login.oscar.aol.com
 server name .*.aol.com snoop
 server ip 192.0.2.200
 server ip range 192.0.2.215 192.0.2.230
!
!
class-map type inspect match-all l4-cmap-ymsgr
 match protocol ymsgr ymsgr-servers
class-map type inspect ymsgr match-any l7-cmap-ymsgr
 match  service text-chat 
class-map type inspect match-all l4-cmap-icq
 match protocol icq icq-servers
class-map type inspect icq match-any l7-cmap-icq
 match  service text-chat 
 match  service any 
!
!
policy-map type inspect im l7-pmap-ymsgr
 class type inspect ymsgr l7-cmap-ymsgr
  allow
  log
policy-map type inspect im l7-pmap-icq
 class type inspect icq l7-cmap-icq
  allow
  log
policy-map type inspect to_internet
 class type inspect l4-cmap-ymsgr
  inspect 
  service-policy im l7-pmap-ymsgr
 class type inspect l4-cmap-icq
  inspect 
  service-policy im l7-pmap-icq
 class class-default
  drop
!
!

The following example shows a typical URL filter parameter map configuration:

parameter-map type urlfilter eng-filter-profile 
 server vendor n2h2 172.16.1.2 port 3128 outside log timeout 10 retrans 6
 max-request 80
 max-resp-pak 200
 cache 200
 exclusive-domain permit cisco.com
 exclusive-domain deny gaming.com

The following example shows a sample inspect type parameter map configuration:

parameter-map type inspect eng_network_profile 
 audit-trail on
 alert off
 max-incomplete low 2000
 max-incomplete high 3000
 one-minute low 5000
 one-minute high 8000
 udp idle-time 75
 dns-timeout 25
 tcp idle-time 90
 tcp finwait-time 20
 tcp synwait-time 10
 tcp block-non-session
 tcp max-incomplete host 2000 block-time 120

The following example shows how to define the consent-specific parameter map “consent_parameter_map” and a default consent parameter map:

parameter-map type consent consent_parameter_map 
 copy tftp://192.168.104.136/consent_page.html flash:consent_page.html 
 authorize accept identity consent_identity_policy 
 timeout file download 35791 
 file flash:consent_page.html 
 logging enabled 
 exit 
! 
parameter-map type consent default 
 copy tftp://192.168.104.136/consent_page.html flash:consent_page.html 
 authorize accept identity test_identity_policy 
 timeout file download 35791 
 file flash:consent_page.html 
 logging enabled 
 exit 

!

parameter-map type content-scan global


Note


Effective with Cisco IOS Release 15.4(2)T, the parameter-map type content-scan global command is replaced by the parameter-map type cws global command. See the parameter-map type cws global command for more information.

To configure a global content-scan parameter map and enter parameter-map type inspect configuration mode, use the parameter-map type content-scan global command in global configuration mode. To delete a global content-scan parameter map, use the no form of this command.

parameter-map type content-scan global

no parameter-map type content-scan global

Syntax Description

This command has no arguments or keywords.

Command Default

A global content-scan parameter map is not configured.

Command Modes

Global configuration (config)      

Command History

Release

Modification

15.2(1)T1

This command was introduced.

15.4(2)T

This command was replaced by the parameter-map type cws global command.

Usage Guidelines

When you configure the content-scan out command on an interface, the global content-scan parameter map is also applied to that interface.

Examples

The following example shows how to configure a global content-scan parameter map:

Device(config)# parameter-map type content-scan global
Device(config-profile)#
      

Related Commands

Command

Description

content-scan out

Enables content scanning on an egress interface.

parameter-map type cws global

To configure a global Cloud Web Security parameter map and enter parameter-map type inspect configuration mode, use the parameter-map type cws global command in global configuration mode. To delete a global Cloud Web Security parameter map, use the no form of this command.

parameter-map type cws global

no parameter-map type cws global

Syntax Description

This command has no arguments or keywords.

Command Default

A global content-scan parameter map is not configured.

Command Modes

Global configuration (config)

Command History

Release

Modification

15.4(2)T

This command was introduced. This command replaces the parameter-map type content-scan global command.

Usage Guidelines

When you configure the cws out command on an interface, the global Cloud Web Security parameter map is also applied to that interface.

Examples

The following example shows how to configure a global Cloud Web Security parameter map:

Device(config)# parameter-map type cws global
Device(config-profile)#

      

Related Commands

Command

Description

cws out

Enables Cloud Web Security content scanning on an egress interface.

parameter-map type inspect

To configure an inspect-type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action, use the parameter-map type inspect command in global configuration mode. To delete an inspect-type parameter map, use the no form of this command.

parameter-map type inspect { parameter-map-name | global | default }

no parameter-map type inspect { parameter-map-name | global | default }

Syntax Description

parameter-map-name

Name of the inspect parameter map.

global

Defines a global inspect parameter map.

default

Defines a default inspect parameter map.

Command Default

No inspect-type parameter maps are set.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(6)T

This command was introduced.

15.1(1)T

This command was modified. The keywords global and default were added.

15.1(2)T

This command was modified. Support for IPv6 was added.

Cisco IOS XE Release 3.4S

This command was integrated into Cisco IOS XE Release 3.4S.

Usage Guidelines

After you enter the parameter-map type inspect command, you can enter the commands listed in the table below in parameter-map type inspect configuration mode.

Command

Description

alert {on | off}

Enables Cisco IOS stateful packet inspection alert messages.

audit-trail {on | off}

Enables and disables audit trail messages.

dns-timeout seconds

Specifies the Domain Name System (DNS) idle timeout.

gtp

Configures the inspection parameters for General Packet Radio Service (GPRS) Tunneling Protocol (GTP).

icmp idle-timeout seconds

Configures the timeout for Internet Control Message Protocol (ICMP) sessions.

max-incomplete {low | high} number-of-connections

Defines the number of existing half-open sessions that will cause the software to start and stop deleting half-open sessions.

one-minute {low | high} number-of-connections

Defines the rate of new half-open session initiation in one minute that will cause the system to start deleting half-open sessions and stop deleting half-open sessions.

tcp finwait-time seconds

Specifies how long a TCP session will be managed after the Cisco IOS firewall detects a FIN-exchange.

tcp idle-time seconds

Configures the timeout for TCP sessions.

tcp max-incomplete host threshold [block-time minutes}

Specifies threshold and blocking time values for TCP host-specific denial-of-service (DoS) detection and prevention.

tcp synwait-time seconds

Specifies how long the software will wait for a TCP session to reach the established state before dropping the session.

udp idle-time seconds

Configures the timeout of UDP sessions going through the firewall.

For more detailed information about these commands, see their individual command descriptions.

Examples

The following example shows a sample inspect parameter map with the Cisco IOS stateful packet inspection alert messages enabled:

parameter-map type inspect eng-network-profile 
 alert on 

The following example shows a sample inspect type parameter map configuration:

parameter-map type inspect eng_network_profile 
 audit-trail on
 alert on
 max-incomplete low unlimited
 max-incomplete high unlimited
 one-minute low unlimited
 one-minute high unlimited
 udp idle-time 30
 icmp idle-time 10
 dns-timeout 5
 tcp idle-time 3600
 tcp finwait-time 5
 tcp synwait-time 30
 tcp block-non-session
 tcp max-incomplete host 1-2147483647 block-time unlimited
 sessions maximum:2147483647

Related Commands

Command

Description

alert

Turns on Cisco IOS stateful packet inspection alert messages.

audit-trail

Turns audit trail messages on and off.

dns-timeout

Specifies the DNS idle timeout.

gtp

Configures the inspection parameters for GTP.

icmp idle-timeout

Configures the timeout for ICMP sessions.

inspect

Enables Cisco IOS stateful packet inspection.

max-incomplete

Defines the number of existing half-open sessions that will cause the software to start and stop deleting half-open sessions.

ipv6 routing-enforcement-header loose

Provides backward compatibility with the legacy IPv6 inspection.

one-minute

Defines the number of new unestablished sessions that will cause the system to start deleting half-open sessions and stop deleting half-open sessions.

tcp finwait-time

Specifies how long a TCP session will be managed after the Cisco IOS firewall detects a FIN exchange.

tcp idle-time

Configures the timeout for TCP sessions.

tcp max-incomplete host

Specifies the threshold and blocking time values for TCP host-specific DoS detection and prevention.

tcp synwait-time

Specifies how long the software will wait for a TCP session to reach the established state before dropping the session.

udp idle-time

Configures the timeout of UDP sessions going through the firewall.

parameter-map type inspect-global

To configure a global parameter map and enter parameter-map type inspect configuration mode, use the parameter-map type inspect-global command in global configuration mode. To delete a global parameter map, use the no form of this command.

parameter-map type inspect-global [ gtp ]

no parameter-map type inspect-global [ gtp ]

Syntax Description

gtp

(Optional) Specifies the General Packet Radio Service (GPRS) Tunneling Protocol (GTP).

Command Default

Global parameter maps are not configured.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Release 3.5S

This command was introduced.

Cisco IOS XE Release 3.7S

This command was modified. The gtp keyword was added.

Usage Guidelines

When you configure the parameter-map type inspect-global command, the default VPN routing and forwarding (VRF) instance gets bound to the default VRF. Use the parameter-map type inspect-global command to enter parameter-map type inspect configuration mode and make changes to existing configurations or to configure features like aggressive aging on the default VRF.

You cannot configure the parameter-map type inspect global command and the parameter-map type inspect-global command simultaneously. The device will accept only one of these commands.


Note


The parameter-map type inspect-global will replace the parameter-map type inspect global in a future release.


You need to configure the global VRF (also known as the default VRF) by using the parameter-map type inspect-global vrf command and the per-box (box refers to the entire firewall session table) configuration by using the per-box command, after configuring the parameter-map type inspect global command. However, when you configure the parameter-map type inspect-global command, the global VRF is bound to the inspect-VRF parameter map by default.

Examples

The following example shows how to configure a global parameter map and enter parameter-map type inspect configuration mode:

Device(config)# parameter-map type inspect-global
Device(config-profile)# 

Related Commands

Command

Description

aggressive-aging

Enables aggressive aging of half-opened firewall sessions.

alert

Enables stateful packet inspection alert messages.

inspect

Enables stateful packet inspection.

log

Logs the firewall activity for an inspect parameter map.

max-incomplete

Configures the half-opened session limit for a VRF.

parameter-map type inspect global

Defines a global inspect-type parameter map.

show parameter-map type inspect-global

Displays global parameter map information.

tcp syn-flood limit

Configures a limit to the number of TCP half-opened sessions before triggering SYN cookie processing for new SYN packets.

parameter-map type inspect-vrf

To configure an inspect VPN Routing and Forwarding (VRF)-type parameter map, use the parameter-map type inspect-vrf command in global configuration mode. To delete an inspect VRF type parameter map, use the no form of this command.

parameter-map type inspect-vrf vrf-pmap-name

no parameter-map type inspect-vrf vrf-pmap-name

Syntax Description

vrf-pmap-name

Name of the parameter map.

Command Default

An inspect VRF-type parameter map is not configured.

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Release 3.3S

This command was introduced.

Examples

The following example shows how to configure an inspect VRF-type parameter map named inspect-pmap:

Router(config)# parameter-map type inspect-vrf inspect-pmap
 

Related Commands

Command

Description

parameter-map type

Creates or modifies a parameter map.

show parameter-map type inspect-vrf

Displays information about the configured inspect VRF-type parameter maps.

parameter-map type inspect-zone

To configure an inspect zone-type parameter map, use the parameter-map type inspect-zone command in global configuration mode. To remove an inspect zone type parameter map, use the no form of this command.

parameter-map type inspect-zone zone-pmap-name

no parameter-map type inspect-zone zone-pmap-name

Syntax Description

zone-pmap-name

Name of the parameter map.

Command Default

Inspect zone-type parameter maps are not configured.

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Release 3.3S

This command was introduced.

Examples

The following example shows how to create an inspect zone-type parameter map named zone-pmap:

Router(config)# parameter-map type inspect-zone zone-pmap
 

Related Commands

Command

Description

parameter-map type

Creates or modifies a parameter map.

show parameter-map type inspect-zone

Displays information about the configured inspect zone-type parameter maps.

parameter-map type mitigation

To configure a mitigation type parameter map for Transitory Messaging Services (TMS), use the parameter-map command in global configuration mode. To remove the parameter map from the router configuration file, use the no form of this command.


Note


Effective with Cisco IOS Release 12.4(20)T, the parameter-map command is not available in Cisco IOS software.


parameter-map type mitigation name

no parameter-map type mitigation name

Syntax Description

name

The name of the mitigation type parameter map.

Command Default

A mitigation type parameter map is not configured.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(6)T

This command was introduced.

12.4(15)XZ

This command was integrated into Cisco IOS Release 12.4(15)XZ.

Usage Guidelines

The mitigation type parameter map is a container for TMS Rules Engine configuration parameters. The mitigation parameter map is configured on the consumer. Entering the parameter-map type mitigation command places the router in parameter-map configuration mode.

The mitigation type parameter map contains the next-hop variable in the mitigation type service policy (TMS Rules Engine configuration). The Rules Engine is a flexible mechanism that allows you to apply a rule on only a single consumer or to override an enforcement action sent from the controller. You can configure an enforcement action to route traffic to a null interface (black hole), route traffic to a specific interface for collection and analysis, or configure a nonstandard primitive.


Note


Nonstandard primitives are predefined in the threat definition file that is loaded on the controller.


Configuring a Mitigation Type Service Policy (TMS Rules Engine Configuration)

A mitigation type service policy is created by configuring and linking mitigation type parameter and class maps to a mitigation type policy map. The mitigation type class map is configured to define threat primitive and priority traffic matching conditions. The mitigation type parameter map is configured to apply a next-hop variable to the class of traffic. The class and parameter maps are attached to a mitigation type policy map. The mitigation type service policy is activated by attaching the mitigation type policy map to a TMS type policy map, which is attached to the global consumer process.

Examples

Examples

The following example configures the TMS Rules Engine to set the next hop variable to 192.168.1.1 for traffic that matches the mitigation class (priority 1 traffic and any primitive):

Router(config)# class-map type control mitigation match-all MIT_CLASS_1 
Router(config-cmap)# match primitive any 
Router(config-cmap)# match priority 1 
Router(config-cmap)# exit 
Router(config)# 
parameter-map type mitigation MIT_PAR_1 
Router(config-profile)# variable COLLECTION ipv4 192.168.1.1 
Router(config-profile)# exit 
Router(config)# policy-map type control mitigation MIT_POL_1 
Router(config-pmap)# class MIT_CLASS_1 
Router(config-pmap-c)# source parameter MIT_PAR_1 
Router(config-pmap-c)# end 

Examples

The following example configures the TMS Rules Engine to send priority 5 redirect threat mitigation traffic to a null interface (black hole):

Router(config)# parameter-map type mitigation MIT_PAR_2 
Router(config-profile)# variable RTBH NULL0 
Router(config-profile)# exit 
Router(config)# class-map type control mitigation match-all MIT_CLASS_2 
Router(config-cmap)# match priority 5 
Router(config-cmap)# match primitive redirect 
Router(config-cmap)# exit 
Router(config)# policy-map type control mitigation MIT_POL_2 
Router(config-pmap)# class MIT_CLASS_2 
Router(config-pmap-c)# source parameter MIT_PAR_2 
Router(config-pmap-c)# redirect route $RTBH 
Router(config-pmap-c)# end 

Related Commands

Command

Description

acl drop

Configures an ACL drop enforcement action in a TMS Rules Engine configuration.

class-map type control mitigation

Configures a mitigation type class map.

ignore (TMS)

Configures the TMS Rules Engine to ignore a mitigation enforcement action.

match primitive

Configures a primitive match in a mitigation type class map.

match priority

Configures the match priority level for a mitigation enforcement action.

policy-map type control mitigation

Configures a mitigation type policy map.

redirect route

Configures a redirect enforcement action in a mitigation type policy map.

source parameter

Attaches a mitigation type parameter map to a policy-map class configuration.

tms-class

Associates an interface with an ACL drop enforcement action.

variable

Defines the next-hop variable in a mitigation type parameter map.

parameter-map type ooo global

To configure an Out-of-Order (OoO) global parameter map for all firewall policies, use the parameter-map type ooo global command in global configuration mode. To remove an OoO global parameter map, use the no form of this command.

parameter-map type ooo global

no parameter-map type ooo global

Syntax Description

This command has no arguments or keywords.

Command Default

OoO global parameter maps are not configured for firewall policies.

Command Modes

Global configuration (config)

Command History

Release Modification

15.0(1)M

This command was introduced.

Usage Guidelines

OoO packet-processing support for the Common Classification Engine (CCE) firewall application and CCE adoptions of the Cisco Intrusion Prevention System (IPS) allows packets that arrive out of order to be copied and reassembled in the correct order. OoO packet processing reduces the need to retransmit dropped packets and reduces the bandwidth needed for the transmission of traffic on a network.

OoO packets are dropped when Cisco IPS and the zone-based policy firewall with Layer 4 inspection are enabled.

Examples

The following example shows how to configure an OoO global parameter map:

Device# configure terminal
Device(config)# parameter-map type ooo global
Device(config-profile)# 

Related Commands

show parameter-map type ooo global

Displays OoO global parameter-map information.

tcp reassembly

Changes the default parameters for OoO queue processing of TCP sessions.

tcp reassembly memory limit

Specifies the limit of the OoO queue size for TCP sessions.

parameter-map type protocol-info

To create or modify a protocol-specific parameter map and enter parameter-map type configuration mode, use the parameter-map type protocol-infocommand in global configuration mode. To delete a protocol-specific parameter map from the configuration, use the no form of this command.

parameter-map type protocol-info [ msrpc | sip | stun-ice ] parameter-map-name

no parameter-map type protocol-info [ msrpc | sip | stun-ice ] parameter-map-name

Syntax Description

msrpc

(Optional) Defines a Microsoft Remote Procedure Call (MSRPC) protocol-info parameter map.

sip

(Optional) Defines a Session Initiation Protocol (SIP) protocol-info parameter map.

stun-ice

(Optional) Defines a Session Traversal Utilities for Network Address Translation (NAT) and Interactive Connectivity Establishment (STUN-ICE) protocol-info parameter map.

parameter-map-name

Name of the parameter map.

Command Default

No protocol-specific parameter maps are created.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(11)T

This command was introduced.

15.0(1)M

This command was modified. The sip keyword was added.

15.1(4)M

This command was modified. The msrpc keyword was added.

Usage Guidelines

A protocol-specific parameter map allows you to specify the parameters that control the behavior of actions specified under a policy map and match criteria specified under a class map.

Protocol-specific parameter maps can be created for real-time voice, video, and text messaging applications (such as AOL, MSN Messenger, or Windows Messenger).

Examples

The following example shows a sample SIP protocol type parameter map configuration. In this example, the parameter map is configured to not open a media channel when attached to a SIP class map:

Router(config)# parameter-map type protocol-info sip pmap-sip
Router(config-profile)# disable open-media channel

The following example shows a sample STUN-ICE protocol type parameter map configuration. In this example, the parameter map is configured to not open a media channel when attached to a SIP class map:

Router(config)# parameter-map type protocol-info stun-ice
Router(config-profile)# disable open-media channel
Router(config-profile)# authorization agent-id 20 shared-secret 12345flower12345
 cat-window 15

The following example shows how to configure an Instant Messaging-based firewall policy. In this example, all Yahoo Messenger and I Seek You (ICQ) traffic is allowed to pass through, while all MSN Messenger, AOL, and Windows Messenger traffic is blocked. Also, parameter maps are defined to control all Yahoo Messenger and ICQ traffic on a more granular level.

Router(config)# parameter-map type protocol-info ymsgr-servers
Router(config-profile)# server name messenger.yahoo.akadns.net
Router(config-profile)# server name .*.yahoo.com snoop
Router(config-profile)# server ip 192.0.2.100
Router(config-profile)# server ip range 192.0.2.115 192.0.2.180
Router(config-profile)# exit
Router(config)# parameter-map type protocol-info icq-servers
Router(config-profile)# server name login.oscar.aol.com
Router(config-profile)# server name .*.aol.com snoop
Router(config-profile)# server ip 192.0.2.200
Router(config-profile)# server ip range 192.0.2.215 192.0.2.230
Router(config-profile)# exit
Router(config)# class-map type inspect match-all l4-cmap-ymsgr
Router(config-cmap)# match protocol ymsgr ymsgr-servers
Router(config-cmap)# exit
Router(config)# class-map type inspect ymsgr match-any l7-cmap-ymsgr
Router(config-cmap)# match  service text-chat
 
Router(config-cmap)# exit
Router(config)# class-map type inspect match-all l4-cmap-icq
Router(config-cmap)# match protocol icq icq-servers
Router(config-cmap)# exit
Router(config)# class-map type inspect icq match-any l7-cmap-icq
Router(config-cmap)# match  service text-chat 
Router(config-cmap)# match  service any
 
Router(config-cmap)# exit
Router(config)# policy-map type inspect im l7-pmap-ymsgr
Router(config-pmap)# class type inspect ymsgr l7-cmap-ymsgr
Router(config-pmap-c)# allow
Router(config-pmap-c)# log
Router(config-pmap-c)# exit
Router(config)# policy-map type inspect im l7-pmap-icq
Router(config-pmap)#class type inspect icq l7-cmap-icq
Router(config-pmap-c)# allow
Router(config-pmap-c)# log
Router(config-pmap-c)# exit
Router(config)# policy-map type inspect to_internet
Router(config-pmap)# class type inspect l4-cmap-ymsgr
Router(config-pmap-c)# inspect
 
Router(config-pmap-c)# service-policy im l7-pmap-ymsgr
Router(config-pmap-c)# exit
Router(config-pmap)# class type inspect l4-cmap-icq
Router(config-pmap-c)# inspect
 
Router(config-pmap-c)# service-policy im l7-pmap-icq
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default
Router(config-pmap-c)# drop

Related Commands

Command

Description

disable open-media-channel

Prevents the creation of RTP or RTCP media channels when a SIP class map is used for SIP inspection.

parameter-map type inspect

Configures an inspect type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action.

parameter-map type regex

To configure a parameter-map type to match a specific traffic pattern, use the parameter-map type regex command in global configuration mode. To delete a parameter-map type with a regular expression (regex), use the no form of this command.

parameter-map type regex parameter-map-name

no parameter-map type regex

Syntax Description

parameter-map-name

Name of the parameter map. The name can have a maximum of 228 alphanumeric characters.

Note   

The use of blank spaces is not recommended. The system interprets the first blank space as the end of the parameter-map name unless the string is delimited by quotation marks.

Command Default

A regex parameter map is not configured.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(9)T

This command was introduced.

Cisco IOS XE Release 3.2S

This command was integrated into Cisco IOS XE Release 3.2S.

Usage Guidelines

You can enter a regex to match text strings either literally as an exact string or by using metacharacters to match multiple variants of a text string. You can use a regex to match the content of certain application traffic; for example, you can match a uniform resource identifier (URI) string inside an HTTP packet using the match request regex command under an HTTP inspection class map.

Use Ctrl-V to ignore all of the special characters in the CLI, such as a question mark (?) or a tab. For example, type d[Ctrl-V]g to enter d?g in the configuration.

The table below lists the metacharacters that have special meanings.

Table 1 regex Metacharacters

Character

Description

Notes

.

Dot

Matches any single character. For example, d.g matches dog, dag, dtg, and any word that contains those characters.

( xxx )

Subexpression

A subexpression segregates characters from surrounding characters so that you can use other metacharacters on the subexpression. For example, d(o|a)g matches dog and dag, but do|ag matches do and ag. A subexpression can also be used with repeat quantifiers to differentiate the characters meant for repetition. For example, ab(xy){3}z matches abxyxyxyz.

|

Alternation

Matches either of the expressions that it separates. For example, dog|cat matches dog or cat.

?

Question mark

A quantifier that indicates that there are 0 or 1 of the previous expression. For example, lo?se matches lse or lose.

Note   

You must enter Ctrl-V and then the question mark or else the help function is invoked.

*

Asterisk

A quantifier that indicates that there are 0, 1, or any number of the previous expression. For example, lo*se matches lse, lose, loose, and so on.

+

Plus

A quantifier that indicates that there is at least one occurrence of the previous expression. For example, lo+se matches lose and loose, but not lse.

{ x }

Repeat quantifier

Repeat exactly x times. For example, ab(xy){3}z matches abxyxyxyz.

{ x ,}

Minimum repeat quantifier

Repeat at least x times. For example, ab(xy){2,}z matches abxyxyz, abxyxyxyz, and so on.

[ abc ]

Character class

Matches any character in the bracket. For example, [abc] matches a, b, or c.

[^ abc ]

Negated character class

Matches a single character that is not contained within brackets. For example, [^abc] matches any character other than a, b, or c; and [^A-Z] matches any single character that is not an uppercase letter.

[ a - c ]

Character range class

Matches any character in the specified range. [a-z] matches any lowercase letter. You can mix characters and ranges; for example, [abcq-z] matches a, b, c, q, r, s, t, u, v, w, x, y, z, and so does [a-cq-z].

Note   

The dash (-) character is literal only if it is the last or the first character within the brackets, [abc-] or [-abc].

Quotation marks

Preserves trailing or leading spaces in the string. For example, “test” preserves the leading space when it looks for a match.

^

Caret

Specifies the beginning of a line.

\

Escape character

When preceding a literal character, it matches the literal character. For example, \[matches the left square bracket.

char

Character

When the character is not a metacharacter, it matches the literal character.

\r

Carriage return

Matches a carriage return 0x0d.

\n

New line

Matches a new line 0x0a.

\t

Tab

Matches a tab 0x09.

\f

Formfeed

Matches a form feed 0x0c.

\x nn

Escaped hexadecimal number

Matches an ASCII character using hexadecimal numbers (exactly two digits).

\ nnn

Escaped octal number

Matches an ASCII character as an octal number (exactly three digits). For example, the character 040 represents a space.

Examples

The following example shows how to configure and apply a regex parameter map to an HTTP application firewall parameter-map type whose URI matches any of the following regular expressions:

  • “.*cmd.exe”

  • “.*money”

  • “.*shopping”

Router# configure terminal
Router(config)# parameter-map type regex uri-regex-cm
Router(config-profile)# pattern ".*cmd.exe"
Router(config-profile)# pattern ".*money"
Router(config-profile)# pattern ".*shopping"
Router(config-profile)# exit
Router(config)# class-map type inspect http uri-check-cm
Router(config-cmap)# match request uri regex uri-regex-cm
Router(config-cmap)# exit
Router(config)# policy-map type inspect http uri-check-pm
Router(config-pmap)# class type inspect http uri-check-cm
Router(config-pmap-c)# reset

The following example shows how to configure a regex parameter map whose case-insensitive pattern matches multiple variants of the string “hello”:

Router# configure terminal
Router(config)# parameter-map type regex body_regex
Router(config-profile)# pattern ".*[Hh][Ee][Ll][Ll][Oo]"
Router(config-profile)# end

Related Commands

Command

Description

class-map type inspect

Creates a Layer 3 and Layer 4 or a Layer 7 (application-specific) inspect-type class map.

class type inspect

Specifies the traffic (class) on which an action is to be performed.

match request regex

Configures an HTTP firewall policy to permit or deny HTTP traffic on the basis of request messages whose URI or arguments (parameters) match a defined regular expression.

parameter-map type

Creates or modifies a parameter map.

policy-map type inspect

Creates a Layer 3 and Layer 4 or a Layer 7 (application-specific) inspect-type policy map.

parameter-map type trend-global

To create or modify the parameter map for global parameters associated with a Trend Router Provisioning Server (TRPS) and to place the system in parameter map configuration mode, use the parameter-map type trend-global command in global configuration mode. To delete the global parameters associated with a TRPS from the configuration, use the no form of this command.

parameter-map type trend-global parameter-map-name

no parameter-map type trend-global parameter-map-name

Syntax Description

parameter-map-name

Name of the parameter map for the global parameters associated with the TRPS.

Command Default

No parameter map for the global TRPS parameters is created.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(15)XZ

This command was introduced.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.

15.1(2)T

This command was modified. The pipeline, on, and offkeywords were added.

Usage Guidelines

Use the parameter-map type trend-globalcommand to specify global parameters for the TRPS. You can specify only one trend-global parameter map on the system. To specify per-policy parameters, use the parameter-map type urlfpolicy command.

When you create or modify a global TRPS parameter map, use the following commands in parameter map configuration mode to set the values for the global TRPS parameters:

  • alert {on | off}--Turns on or off URL-filtering server alert messages that are displayed on the console. The default is on.

  • cache-entry-lifetime hours -- Specifies how long, in hours, an entry remains in the cache table. Cache entries remain in the table until the cache-entry-lifetime value for the entry expires or until the cache is full, whichever occurs first. When the cache is full, the entry is removed to make room for subsequent entries. The range is from 1 to 120. The default is 24.

  • cache-size maximum-memory kilobyte -- Specifies the maximum size of the categorization cache, in kilobytes. The range is from 0 to 128000. The default is 256.

  • exit --Exits from the parameter map.

  • no --Negates or sets default values for a command.

  • server {server-name | ip-address} [http-port port-number] [https-port port-number] [retrans retransmission-count] [timeout seconds] [pipeline {on | off}]--Specifies information about the TRPS. Use the server command in profile configuration mode.
    • http-port port-number--Specifies the HTTP port that is listening for requests. The range is from 1 to 65535. The default is 80.
    • https-port port-number--Specifies the HTTPS port that is listening for secure HTTP requests. The range is from 1 to 65535. The default is 443.
    • pipeline {on | off}--Turns on or off the TRPS pipeline requests. The default is on.
    • retrans retransmission-count--Specifies the number of times the router retransmits the lookup request when a response is not received from the TRPS. The range is from 1 to 5. The default is 3.
    • server {server-name | ip-address}--Specifies the domain name or the IP address of the server. The default is trps.trendmicro.com.
    • timeout seconds--Specifies the number of seconds that the router waits for a response from the TRPS. The range is from 1 to 300. The default is 60.

Examples

The following shows an example of how to specify global TRPS parameters in a parameter map named global-parameter-map:

parameter-map type trend-global global-parameter-map
 server server.example.com retrans 5 timeout 200
 cache-size maximum-memory 128000
 cache-entry-lifetime 1

Related Commands

Command

Description

alert

Turns on or off URL-filtering system alert messages that are displayed on the console.

cache-entry lifetime

Specifies how long an entry remains in the cache table.

cache-size maximum-memory

Specifies the size of the categorization cache.

parameter-map type urlfpolicy

Specifies per-policy URL filtering parameters.

server

Specifies information about the TRPS.

parameter-map type urlfilter


Note


This command is hidden in releases later than Cisco IOS Release 12.4(20)T, but it continues to work. The parameter-map type urlfpolicy command can also be used. This command is used to create URL filtering parameters for local, trend, Websense Internet filtering, and the N2H2 Internet blocking program. We recommend the use of the URL filter policy rather than the URL filter action for Cisco IOS Release 12.4(20)T. All the use-cases supported by URL filter as an action are also supported by URL filter policy.


To create or modify a parameter map for URL filtering parameters, use the parameter-map type urlfilter command in global configuration mode. To delete a URL filter parameter map, use the no form of this command.

parameter-map type urlfilter parameter-map-name

no parameter-map type urlfilter parameter-map-name

Syntax Description

parameter-map-name

Name of the URL parameter map.

Command Default

None

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(6)T

This command was introduced.

12.4(15)XZ

This command was removed.

Usage Guidelines

When you are creating or modifying a URL parameter map, you can enter the following subcommands after you enter the parameter-map type urlfilter command. For more detailed information about the subcommands, see their individual command descriptions by going to the “Command Reference” section on page 45.

  • alert {on | off}

Turns on or off URL-filtering system alert messages that are displayed on the console.

  • allow-mode {on | off}

Turns on or off the default mode (allow mode) of the filtering algorithm.

  • audit-trail {on | off}

Turns on or off the logging of URL information into the syslog server or router.

  • cache number-of-entries

Configures cache parameters.

  • exclusive-domain {deny | permit} domain-name

Adds or removes a domain name to or from the exclusive domain list so that the Cisco IOS firewall does not have to send lookup requests to the vendor server.

  • max-request number-of-requests

Specifies the maximum number of outstanding requests that can exist at any given time.

  • max-resp-pak number-of-responses

Specifies the maximum number of HTTP responses that the Cisco IOS firewall can keep in its packet buffer.

  • server vendor {n2h2 | websense} {ip-address | hostname [port port-number]} [outside] [log] [retrans retransmission-count] [timeout seconds]

Specifies a vendor server for URL filtering.

  • source-interface interface-name

Specifies the interface whose IP address will be used as the source IP address while making a TCP connection to the URL filter server (websense or N2h2).

Examples

The following example shows a sample URL parameter map:

parameter-map type urlfilter eng-network-profile 
 server vendor n2h2 10.64.64.22 port 4128 outside retrans 4 timeout 8

The following example shows a typical URL filter configuration:

parameter-map type urlfilter eng-network-profile 
 server vendor n2h2 10.64.65.22 port 3128 outside log retrans 6 timeout 10 
 max-request 80
 max-resp-pak 200
 cache 200
 exclusive-domain permit cisco.com
 exclusive-domain deny gaming.com

Related Commands

Command

Description

alert

Turns on or off URL-filtering system alert messages that are displayed on the console.

allow-mode

Turns on or off the default mode (allow mode) of the filtering algorithm.

audit-trail

Turns on or off the logging of URL information into the syslog server or router.

cache

Configures cache parameters.

exclusive-domain

Adds or removes a domain name to or from the exclusive domain list so that the Cisco IOS firewall does not have to send lookup requests to the vendor server.

max-request

Specifies the maximum number of outstanding requests that can exist at any given time.

max-resp-pak

Specifies the maximum number of HTTP responses that the Cisco IOS firewall can keep in its packet buffer.

server vendor

Specifies a vendor server for URL filtering.

parameter-map type urlfpolicy

To create or modify a parameter map for a URL filtering policy and to place the system in parameter map configuration mode, use the parameter-map type urlfpolicycommand in global configuration mode. To delete the parameter map for a URL filtering policy from the configuration, use the no form of this command.

parameter-map type urlfpolicy { local | trend | n2h2 | websense } parameter-map-name

no parameter-map type urlfpolicy { local | trend | n2h2 | websense } parameter-map-name

Syntax Description

local

Specifies that the parameters are for a local URL filtering policy.

trend

Specifies that the parameters are for a Trend Micro URL filtering policy.

n2h2

Specifies that the parameters are for a SmartFilter (previously N2H2) URL filtering policy.

websense

Specifies that the paramaters are for a Websense URL filtering policy.

parameter-map-name

The name of the parameter map for a URL filtering policy.

Command Default

No parameter maps for a URL filtering policy are created.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(15)XZ

This command was introduced.

Usage Guidelines

Use the parameter-map type urlfpolicycommand to create a paramater map for a URL filtering policy. The commands that you use to specify the paramaters for a filtering policy depend on the URL filtering server you are using.

The first table below defines the parameters for a local URL filtering policy.

The second table below defines the per-policy parameters for a Trend Micro URL filtering policy. These parameters are in addition to the global Trend Micro policy parameters specified with the parameter-map type trend-global command.

The third table below defines the per-policy parameters for SmartFilter (N2H2) and Websense URL filtering policies.

Table 2 Parameters for Local URL Filtering Policies

Syntax

Description

alert {on | off}

Turns on or off URL filtering alert messages that are displayed on the console. The default is off.

allow-mode {on | off}

Specifies whether to allow or block URL requests when the URL filtering process does not have connectivity to a URL filtering database. When allow-mode is on, all unmatched URL requests are allowed; when off, all unmatched URL requests are blocked. The default is off.

block-page {messagestring | redirect-urlurl }

Specifies the response to a blocked URL request.

  • message string --Specifies the message text to be displayed when a URL request is blocked.

  • redirect-url url --Specifies the URL of the web page to be displayed when a URL request is blocked.

exit

Exits from the parameter map.

no

Negates or sets default values for a command.

Table 3 Parameters for Trend Micro URL Filtering Policies

Syntax

Description

allow-mode {on | off}

Specifies whether to allow or block URL requests when the URL filtering process does not have connectivity to a URL filtering database. When allow-mode is on, all unmatched URL requests are allowed; when off, all unmatched URL requests are blocked. The default is off.

block-page {messagestring | redirect-urlurl }

Specifies the response to a blocked URL request.

  • message string --Specifies the message text to be displayed when a URL request is blocked.

  • redirect-url url --Specifies the URL of the web page to be displayed when a URL request is blocked.

exit

Exits from the parameter map.

max-request number-requests

Specifies the maximum number of pending requests. The range is from 1 to 2147483647. The default is 1000.

max-resp-pak number-responses

Specifies the number of HTTP responses that can be buffered. The range is from 0 and 20000. The default is 200.

no

Negates or sets default values for a command.

truncate hostname

Specifies that URLs be truncated at the end of the domain name.

Table 4 Parameters for SmartFilter and Websense URL Filtering Policies

Syntax

Description

alert {on | off}

Turns on or off URL filtering alert messages that are displayed on the console. The default is off.

allow-mode {on | off}

Specifies whether to allow or block URL requests when the URL filtering process does not have connectivity to a URL filtering database. When allow-mode is on, all unmatched URL requests are allowed; when off, all unmatched URL requests are blocked. The default is off.

block-page {messagestring | redirect-urlurl }

Specifies the response to a blocked URL request.

  • message string --Specifies the message text to be displayed when a URL request is blocked.

  • redirect-url url --Specifies the URL of the web page to be displayed when a URL request is blocked.

cache-entry-lifetime hours

Specifies how long, in hours, an entry remains in the cache table. The default is 24.

cache-size maximum-entries number-entries

Specifies the maximum number of entries that can be stored in the categorization cache. The default is 5000.

exit

Exits from the parameter map.

max-request number-requests

Specifies the maximum number of pending requests. The range is from 1 to 2147483647. The default is 1000.

max-resp-pak number-responses

Specifies the number of HTTP responses that can be buffered. The range is from 0 and 20000. The default is 200.

no

Negates or sets default values for a command.

server {server-name | ip-address} [source-interface interface-name][outside] [port port-number] [retrans retransmission-count] [timeout seconds]

Specifies the parameters for the URL filtering server.

  • server {server-name | ip-address}

Specifies the domain name or the IP address of the URL filtering server.

  • [source-interface interface-name]

Specifies the interface whose IP address will be used as the source IP address when a TCP connection is established between the system and the URL filtering server.

  • outside

Specifies whether the URL filtering server is outside the network.

  • port port-number

Specifies the port that is listening for requests. The range is from 1 to 65535. The default is 80.

  • retrans retransmission-count

Specifies the number of times the Cisco IOS firewall retransmits the lookup request when a response is not received from the Trend Router Provisioning Server (TRPS). The range is from 1 to 5. The default is 3.

  • timeout seconds

Specifies the number of seconds that the Cisco IOS firewall waits for a response from the TRPS. The range is from 1 to 300. The default is 60.

truncate {hostname | script-options}

Specifies that URLs be truncated.

  • hostname

Specifies that URLs be truncated at the end of the domain name.

  • script-options

Specifies that URLs be truncated at the left-most question mark in the URL.

urlf-server-log {on | off}

Enables sending information about HTTP requests to the URL filtering server’s log server. The information includes the URL, the hostname, the source IP address, and the destination IP address.

Examples

The following example shows a parameter map for a local URL filtering policy that does not send alert messages and displays the message "URL is blocked by local filters" when a URL is blocked:

parameter-map type urlfpolicy local local-param-map
 alert off
 block-page message "URL is blocked by local-filters"

The following example shows a configuration for global parameters and per-policy parameters for a Trend Micro URL filtering policy:

parameter-map type trend-global global-param-map
 server mytrps.trendmicro.com retrans 5 timeout 200
 cache-size maximum-memory 128000
 cache-entry-lifetime 1
parameter-map type urlfpolicy trend trend-param-map
 max-request 2147483647
 max-resp-pak 20000
 truncate hostname
 block-page message "group2 is blocked by trend"

The following example shows the configuration for per-policy parameters for a SmartFilter URL filtering policy:

parameter-map type urlfpolicy n2h2 n2h2-param-map
 server n2h2Server timeout 30
 max-request 2000
 max-resp-pak 2000
 source-interface Loopback0
 truncate script-parameters
 cache-size maximum-entries 100
 cache-entry-lifetime 1
 block-page redirect-url http://www.example.com

Related Commands

Command

Description

parameter-type trend-global

Specifies the global parameters associated with Trend Micro URL filtering policies.

parameter-map type urlf-glob

To create or modify a parameter map used to specify a list of domains, URL keywords, or URL metacharacters that should be allowed or blocked by local URL filtering, use the parameter-map type urlf-glob command in global configuration mode. To delete the parameter map, use the no form of this command.

parameter-map type urlf-glob parameter-map-name

no parameter-map type urlf-glob parameter-map-name

Syntax Description

parameter-map-name

Name of the parameter map for a local URL filtering policy.

Command Default

No URL filtering parameter maps are created.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(15)XZ

This command was introduced.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.

Usage Guidelines

The parameter-map type urlf-glob command can be used to create a parameter map for trusted domains, a parameter map for untrusted domains, and a parameter map for URL keywords. The following sub-commands are available in parameter map configuration mode to specify matching parameters when the parameter-map type urlf-glob command is issued:

  • exit--Exits from URL filtering parameter map configuration mode.

  • no--Negates or sets default values for a command.

  • pattern expression--Configures a matching pattern that refers to a domain name, URL keyword, URL metacharacter entry, or URL keyword and URL metacharacter combination. The characters /, {, and } are not allowed in the expression. The question mark (?) is not allowed because it is reserved for the help function in the command-line interface (CLI).

URL pattern matching is improved because the period (.) is interpreted as a dot, and not as a wildcard entry representing a single character, as is the case with regex regular expression pattern matching.

A URL keyword is a complete word that occurs after the domain name and that is between the forward slash (/) path delimiters. For example in the URL http://www.example.com/hack/123.html, only “hack” and “123.html” are treated as keywords. Anything in the host or domain name can be allowed or blocked using a domain name, and thus a URL keyword should be a word that comes after the domain name. The entire keyword in the URL must match the pattern. For example if you have pattern hack, the URL www.example.com/hacksite/123.html doesn't match the pattern. In order to match this URL, you must have hacksite.

URL metacharacters allow pattern matching of single characters or ranges of characters to URLs, similar to the way a UNIX style glob expression works. The URL metacharacters are presented in the table below.

Table 5 URL Metacharacters for URL Pattern Matching

Character

Description

*

Asterisk--matches any sequence of 0 or more characters.

[ abc ]

Character class--matches any character in the brackets. The character matching is case sensitive. For example, [abc] matches a, b, or c.

[ a - c ]

Character range class. Matches any character in the range. The character matching is case sensitive. [a-z] matches any lowercase letter. You can mix characters and ranges; for example, [abcq-z] matches a, b, c, q, r, s, t, u, v, w, x, y, z, and so does [a-cq-z].

Note   

The dash (-) character is literal only if it is the last or the first character within the brackets, [abc-] or [-abc].

[0-9]

Numerical range class. Matches any number in the brackets. For example [0-9] matches 0, 1, 2, 3, 4, 5, 6, 7, 8, or 9.

URL metacharacters are combined with domain names and URL keywords for pattern matching. For example, pattern *.example.com will match the domain name www.example.com and pattern www.[ey]xample.com can be used to block both www.example.com and www.yxample.com. Also, pattern www.example[0-9][0-9].com can be used to block www.example01.com, www.example33.com, and www.example99.com. An example of combining a keyword and metacharacter for pattern matching is using pattern hack* to block www.example.com/hacksite/123.html.

Examples

The following shows an example of specifying the parameter map for trusted domains:

Router(config)# parameter-map type urlf-glob trusted-domain-param
Router(config-profile)# pattern www.example.com
Router(config-profile)# pattern *.example2.com

The following shows an example of a parameter map specifying keywords to be blocked:

Router(config)# parameter-map type urlf-glob keyword-param
Router(config-profile)# pattern example1
Router(config-profile)# pattern example3

The following shows an example of a parameter map specifying URL metacharacters to be blocked:

Router(config)# parameter-map type urlf-glob metacharacter-param

Related Commands

Command

Description

class-map type urlfilter

Creates a class map that specifies the traffic to which a URL filtering policy applies.

pattern (parameter-map)

Configures a matching pattern that specifies a list of domains, URL keywords, or URL metacharacters that should be allowed or blocked by local URL filtering.

parameter map type webauth

To define a parameter map for web authentication, use the parameter-map type webauth command in global configuration mode. To delete a parameter map, use the no form of this command.

parameter map type webauth { parameter-map-name | global }

no parameter map type webauth { parameter-map-name | global }

Syntax Description

parameter-map-name

Parameter map name for web authentication.

global

Defines global parameters for web authentication.

Command Default

A parameter map for web authentication is not defined.

Command Modes

Global configuration (config)

Command History

Release Modification

This command was introduced.

Usage Guidelines

Use the parameter-map type webauth command to define a parameter map for web authentication. A parameter map allows you to specify parameters that control the behavior of actions configured under a policy map with the authenticate using webauth command.

A global parameter map contains system-wide parameters. This parameter map is not attached to the web authentication action and has parameters for both web authentication and consent. The global parameter map is automatically applied to the authentication action. If you explicitly apply a named parameter map, and there are parameters that are common to both the global and named parameter map, the global parameter map configuration takes precedence.

The configuration parameters supported for a global parameter map defined with the global keyword are different from the parameters supported for a named parameter map defined with the parameter-map-name argument.

Examples

The following example shows how to configure a parameter map named PMAP_2, which is used by the control policy named POLICY_1 to authenticate users:

(config)# parameter map type webauth global

parser view

To create or change a command-line interface (CLI) view and enter view configuration mode, use the parser view command in global configuration mode. To delete a view, use the no form of this command.

parser view view-name [inclusive]

no parser view view-name [inclusive]

Syntax Description

view-name

View name, which can include 1 to 30 alphanumeric characters.

The view-name argument must not have a number as the first character; otherwise, you will receive the following error message: “Invalid view name.”

inclusive

(Optional) Specifies that all commands are included by default.

Command Default

A CLI view does not exist.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.3(7)T

This command was introduced.

12.2(33)SRB

This command was integrated into Cisco IOS Release 12.2(33)SRB.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

12.2(33)SXI

This command was integrated into Cisco IOS Release 12.2(33)SXI.

15.4(1)T

This command was integrated into Cisco IOS Release 15.4(1)T.

15.4(1)S

This command was integrated into Cisco IOS Release 15.4(1)S.

Cisco IOS XE Release 3.11S

This command was integrated into Cisco IOS XE Release 3.11S.

Usage Guidelines

A CLI view is a set of operational commands and configuration capabilities that restrict user access to the CLI and configuration information; that is, a view allows users to define what commands are accepted and what configuration information is visible.

After you have issued the parser view command, you can configure the view via the secret 5 command and the commands command.

To invoke the parser view command, the system of the user must be set to root view. The root view can be enabled via the enable view command.

To create a view including all commands by default, use the inclusive keyword. An inclusive-exclusive command does not appear in other standard CLI views or in any other standard CLI inclusive views.

Note


To modify the standard CLI view settings, you must delete and re-create the CLI view without the inclusive keyword.

Examples

The following example shows how to configure two CLI views, “first” and “second”:

Device(config)# parser view first inclusive
Device(config-view)# secret 5 firstpass
Device(config-view)# command exec exclude show version
Device(config-view)# command exec exclude configure terminal
Device(config-view)# command exec exclude all show ip
Device(config-view)# exit
Device(config)# parser view second
Device(config-view)# secret 5 secondpass
Device(config-view)# command exec include-exclusive show ip interface
Device(config-view)# command exec include logout
Device(config-view)# exit

Related Commands

Command

Description

commands (view)

Adds commands to a CLI view.

secret 5

Associates a CLI view or a superview with a password.

parser view superview

To create a superview and enter view configuration mode, use the parser view superview command in global configuration mode. To delete a superview, use the no form of this command.

parser view superview-name superview

no parser view superview-name superview

Syntax Description

superview-name

Superview name, which can include 1 to 30 alphanumeric characters.

The superview-name argument must not have a number as the first character.

Command Default

A superview does not exist.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.3(11)T

This command was introduced.

12.2(33)SRB

This command was integrated into Cisco IOS Release 12.2(33)SRB.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

12.2(33)SXI

This command was integrated into Cisco IOS Release 12.2(33)SXI.

Usage Guidelines

A superview consists of one or more command-line interface (CLI) views, which allow users to define what commands are accepted and what configuration information is visible. Superviews allow a network administrator to easily assign all users within configured CLI views to a superview instead of having to assign multiple CLI views to a group of users.

Superviews contain the following characteristics:

  • A CLI view can be shared among multiple superviews.

  • Commands cannot be configured for a superview; that is, you must add commands to the CLI view and add that CLI view to the superview.

  • Users who are logged in to a superview can access all of the commands that are configured for any of the CLI views that are part of the superview.

  • Each superview has a password that is used to switch between superviews or from a CLI view to a superview.

Adding CLI Views to a Superview

You can add a view to a superview only after a password has been configured for the superview (via the secret 5 command). Thereafter, issue the view command in view configuration mode to add at least one CLI view to the superview.


Note


Before adding a CLI view to a superview, ensure that the CLI views that are added to the superview are valid views in the system; that is, the views have been successfully created via the parser view command.


Examples

The following example shows how to create a superview (su_view1) and enter view configuration mode; two CLI views (view_one, view_two) are added to the superview also:

Router> enable view
Router# configure terminal
Router(config)# parser view su_view1 superview
Router(config-view)# secret 5 secret
Router(config-view)# view view_one
Router(config-view)# view view_two

Related Commands

Command

Description

parser view

Creates or changes a CLI view and enters view configuration mode.

secret 5

Associates a CLI view or a superview with a password.

view

Adds a normal CLI view to a superview.

pass

To allow packets to be sent to the router without being inspected, use the pass command in policy-map-class configuration mode.

pass [log]

Syntax Description

log

(Optional) Logs the packets passed by the firewall pass policy.

Command Default

Traffic is not passed; that is, it is dropped.

Command Modes


Policy-map-class configuration

Command History

Release

Modification

12.4(6)T

This command was introduced.

Cisco IOS-XE 2.4

This command was integrated into Cisco IOS-XE Release 2.4. The log keyword was added.

Usage Guidelines

You can use this command only after entering the policy-map type inspect, class type inspect, and parameter-map type inspect commands.

Examples

The following example specifies that policy map p1 passes and logs the traffic:

policy-map type inspect p1 
 class type inspect c1 
  pass log

Related Commands

Command

Description

class type inspect

Specifies the traffic (class) on which an action is to be performed.

parameter-map type inspect

Configures an inspect parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action.

policy-map type inspect

Creates a Layer 3 or Layer 4 inspect type policy map.

log (parameter-map type)

Logs the firewall activity for an inspect parameter map.

passive

To move a group member directly into passive mode, use the passive command in crypto gdoi group configuration mode. To disable the passive mode setting, use the no form of this command.

passive

no passive

Syntax Description

This command has no arguments or keywords.

Command Default

The group member is in full crypto send and receive mode.

Command Modes


Crypto gdoi group configuration (crypto-gdoi-group)

Command History

Release

Modification

12.4(22)T

This command was introduced.

Cisco IOS XE Release 2.3

This command was implemented on the Cisco ASR 1000 series routers.

Usage Guidelines

By using the passive command, you avoid having to use the crypto gdoi gm ipsec direction inbound optionalprivileged EXEC command, which is not persistent after a router reload and can be overriden by key server configuration from a rekey.

Examples

The following example shows that the group member group1 is being moved to passive mode:

crypto gdoi group group1
 identity 2345
 passive
 server address ipv4 10.34.255.57

Related Commands

Command

Description

crypto gdoi gm

Changes the IPsec SA status of group members.

password (ca-trustpoint)

To specify the revocation password for the certificate, use the password command in ca-trustpoint configuration mode. To erase any stored passwords, use the no form of this command.

password string

no password

Syntax Description

string

Name of the password.

Command Default

You are prompted for the password during certificate enrollment.

Command Modes


Ca-trustpoint configuration

Command History

Release

Modification

12.2(8)T

This command was introduced.

12.4(24)T

Support for IPv6 Secure Neighbor Discovery (SeND) was added.

Usage Guidelines

Before you can issue the password command, you must enable the crypto ca trustpointcommand, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.

This command allows you to specify the revocation password for the certificate before actual certificate enrollment begins. The specified password is encrypted when the updated configuration is written to NVRAM by the router.

If this command is enabled, you will not be prompted for a password during certificate enrollment.

Examples

The following example shows how to specify the password “revokeme” for the certificate request:

crypto ca trustpoint trustpoint1
 enrollment url http://trustpoint1.example.com/ 
 subject-name OU=Spiral Dept., O=example1.com
 ip-address ethernet-0
 auto-enroll regenerate
 password revokeme

Related Commands

Command

Description

crypto ca trustpoint

Declares the CA that your router should use.

password (config-filter)

To specify the password for an authentication, authorization, and accounting (AAA) cache filter server profile, use the password command in AAA cache filter server configuration mode. To remove the password, use the no form of this command.

password [ 0 | 6 | 7 ] password

no password

Syntax Description

0

(Optional) Specifies that an unencrypted password follows.

6

(Optional) Specifies that an advanced encryption scheme (AES) encrypted password follows.

7

(Optional) Specifies that a hidden password follows.

password

The unencrypted (clear text) shared password.

Command Default

A password is not specified.

Command Modes


AAA cache filter server configuration (config-filter)

Command History

Release

Modification

15.4(1)T

This command was introduced.

Usage Guidelines

Use the aaa new-model command to enable authentication, authorization, and accounting (AAA).

Before using the password command in AAA cache filter server configuration mode, the aaa cache filterserver command must be configured.

Examples

The following example shows how to specify the password "admin" for the AAA cache filter server:

Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authorization cache filterserver default cache radius
Device(config)# aaa cache filterserver
Device(config-filter)# password 0 admin

Related Commands

Command

Description

aaa authorization cache filterserver

Enables AAA authorization caches and the downloading of ACL configurations from a RADIUS filter server.

aaa cache filterserver

Enables AAA filter server definitions.

aaa new-model

Enables the AAA access control model.

password (dot1x credentials)

To specify the password for an 802.1X credentials profile, use the password command in dot1x credentials configuration mode. To remove the password, use the no form of this command.

password [ 0 | 7 ] password

no password

Syntax Description

0

(Optional) A plain text password will follow. The default is 0.

7

(Optional) An encrypted password will follow. The default is 0.

password

The password.

Command Default

A password is not specified.

Command Modes


Dot1x credentials configuration

Command History

Release

Modification

12.4(6)T

This command was introduced.

Usage Guidelines

Before using this command, the dot1x credentials command must have been configured.

Examples

The following example shows which credentials profile should be used when configuring a supplicant. The password is “secret.”

dot1x credentials basic-user
 username router
 password secret
 description This credentials profile should be used for most configured ports

The credentials structure can be applied to an interface along with the dot1x pae supplicant command and keyword to enable supplicant functionality on that interface.

interface fastethernet 0/1
 dot1x credentials basic-user
 dot1x pae supplicant

Related Commands

Command

Description

dot1x credentials

Specifies the 802.1X credentials profile to be used.

password (line configuration)

To specify a password on a line, use the password command in line configuration mode. To remove the password, use the no form of this command.

password password

no password

Syntax Description

password

Character string that specifies the line password. The first character cannot be a number. The string can contain any alphanumeric characters, including spaces, up to 80 characters. You cannot specify the password in the format number-space-anything. The space after the number causes problems. For example, hello 21 is a legal password, but 21 hello is not. The password checking is case sensitive. For example, the password Secret is different than the password secret.

Command Default

No password is specified.

Command Modes


Line configuration

Command History

Release

Modification

10.0

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS release 12.(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

When an EXEC process is started on a line with password protection, the EXEC prompts for the password. If the user enters the correct password, the EXEC prints its normal privileged prompt. The user can try three times to enter a password before the EXEC exits and returns the terminal to the idle state.

Examples

The following example removes the password from virtual terminal lines 1 to 4:

line vty 1 4
 no password

Related Commands

Command

Description

enable password

Sets a local password to control access to various privilege levels.

password 5


Note


Effective with Cisco IOS Release 12.3(14)T, this command is replaced by the secret command.


To associate a command-line interface (CLI) view or a superview with a password, use the password 5command in view configuration mode.

password 5 password

Syntax Description

password

Password for users to enter the CLI view or superview. A password can contain any combination of alphanumeric characters.

Note   

The password is case sensitive.

Command Default

A user cannot access a CLI view or superview.

Command Modes


View configuration

Command History

Release

Modification

12.3(7)T

This command was introduced.

12.3(11)T

This command was enhanced to support superviews.

12.3(14)T

This command was replaced by the secret command.

Usage Guidelines

A user cannot access any commands within the CLI view or superview until the password 5command has been issued.

Examples

The following example show how to configure two CLI views, “first” and “second” and associate each view with a password:

Router(config)# parser view first
00:11:40:%PARSER-6-VIEW_CREATED:view 'first' successfully created. 
Router(config-view)# password 5 firstpass
Router(config-view)# command exec include show version
Router(config-view)# command exec include configure terminal
Router(config-view)# command exec include all show ip
Router(config-view)# exit
Router(config)# parser view second
00:13:42:%PARSER-6-VIEW_CREATED:view 'second' successfully created.
Router(config-view)# password 5 secondpass
Router(config-view)# command exec include-exclusive show ip interface
Router(config-view)# command exec include logout
Router(config-view)# exit

Related Commands

Command

Description

parser view

Creates or changes a CLI view and enters view configuration mode.

password encryption aes

To enable a type 6 encrypted preshared key, use the password encryption aescommand in global configuration mode. To disable password encryption, use the no form of this command.

password encryption aes

no password encryption aes

Syntax Description

This command has no arguments or keywords.

Command Default

Preshared keys are not encrypted.

Command Modes


Global configuration

Command History

Release

Modification

12.3(2)T

This command was introduced.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.2(33)SRA

This command was integrated into Cisco IOS release 12.(33)SRA.

Usage Guidelines

You can securely store plain text passwords in type 6 format in NVRAM using a command-line interface (CLI). Type 6 passwords are encrypted. Although the encrypted passwords can be seen or retrieved, it is difficult to decrypt them to find out the actual password. Use the key config-key password-encryptioncommand with the password encryption aescommand to configure and enable the password (symmetric cipher Advanced Encryption Standard [AES] is used to encrypt the keys). The password (key) configured using the key config-key password-encryption command is the master encryption key that is used to encrypt all other keys in the router.

If you configure the password encryption aescommand without configuring the key config-key password-encryptioncommand, the following message is printed at startup or during any nonvolatile generation (NVGEN) process, such as when the show running-config or copy running-config startup-config commands have been configured:

“Can not encrypt password. Please configure a configuration-key with ‘key config-key’”

Note


For Cisco 836 routers, please note that support for Advanced Encryption Standard (AES) is available only on IP plus images.


Changing a Password

If the password (master key) is changed, or reencrypted, using the key config-key password-encryptioncommand), the list registry passes the old key and the new key to the application modules that are using type 6 encryption.

Deleting a Password

If the master key that was configured using the key config-key password-encryptioncommand is deleted from the system, a warning is printed (and a confirm prompt is issued) that states that all type 6 passwords will become useless. As a security measure, after the passwords have been encrypted, they will never be decrypted in the Cisco IOS software. However, passwords can be reencrypted as explained in the previous paragraph.


Caution


If the password configured using the key config-key password-encryptioncommand is lost, it cannot be recovered. The password should be stored in a safe location.


Unconfiguring Password Encryption

If you later unconfigure password encryption using the no password encryption aes command, all existing type 6 passwords are left unchanged, and as long as the password (master key) that was configured using the key config-key password-encryptioncommand exists, the type 6 passwords will be decrypted as and when required by the application.

Storing Passwords

Because no one can “read” the password (configured using the key config-key password-encryptioncommand), there is no way that the password can be retrieved from the router. Existing management stations cannot “know” what it is unless the stations are enhanced to include this key somewhere, in which case the password needs to be stored securely within the management system. If configurations are stored using TFTP, the configurations are not standalone, meaning that they cannot be loaded onto a router. Before or after the configurations are loaded onto a router, the password must be manually added (using the key config-key password-encryptioncommand). The password can be manually added to the stored configuration but is not recommended because adding the password manually allows anyone to decrypt all passwords in that configuration.

Configuring New or Unknown Passwords

If you enter or cut and paste cipher text that does not match the master key, or if there is no master key, the cipher text is accepted or saved, but an alert message is printed. The alert message is as follows:

“ciphertext>[for username bar>] is incompatible with the configured master key.”

If a new master key is configured, all the plain keys are encrypted and made type 6 keys. The existing type 6 keys are not encrypted. The existing type 6 keys are left as is.

If the old master key is lost or unknown, you have the option of deleting the master key using the no key config-key password-encryptioncommand. Deleting the master key using the no key config-key password-encryptioncommand causes the existing encrypted passwords to remain encrypted in the router configuration. The passwords will not be decrypted.

Examples

The following example shows that a type 6 encrypted preshared key has been enabled:

Router (config)# password encryption aes

Related Commands

Command

Description

key config-key password-encryption

Stores a type 6 encryption key in private NVRAM.

password logging

Provides a log of debugging output for a type 6 password operation.

password logging

To get a log of debugging output for a type 6 password operation, use the password loggingcommand in global configuration mode. To disable the debugging, use the no form of this command.

password logging

no password logging

Syntax Description

This command has no arguments or keywords.

Command Default

Debug logging is not enabled.

Command Modes


Global Configuration #

Command History

Release

Modification

12.3(2)T

This command was introduced.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.2(33)SRA

This command was integrated into Cisco IOS release 12.(33)SRA.

Examples

The following example shows that debug logging is configured:

Router# password logging

Related Commands

Command

Description

key config-key password-encryption

Stores an encryption key in private NVRAM.

password encryption aes

Enables a type 6 encrypted preshared key.

passthrou-domain-list name

To configure a domain name list of domains with DNS snooping, use the passthrou-domain-list name command in global configuration.

passthrou-domain-list name

Syntax Description

name

Configures the domain name list.

Command Default

None

Command Modes

Global configuration.

Command History

Release Modification

This command was introduced.

Examples

This example shows how to configure a domain name list of domains with DNS snooping:

(config)# passthrou-domain-list name abc
(config-fqdn-acl-domains)# match google

pattern (parameter-map)

To configure a matching pattern that specifies a list of domains, URL keywords, or URL metacharacters that must be allowed or blocked by the local URL filtering, use the pattern command in parameter-map type inspect configuration mode. To remove the matching pattern, use the no form of this command.

pattern expression

no pattern expression

Syntax Description

expression

Matching pattern argument that refers to a domain name, URL keyword, URL metacharacter entry, or a URL keyword and URL metacharacter combination.

Command Default

No pattern is created for the parameter map.

Command Modes

Parameter-map type inspect configuration (config-profile)

Command History

Release

Modification

12.4(15)XZ

This command was introduced.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.

Cisco IOS XE Release 3.2S

This command was integrated into Cisco IOS XE Release 3.2S.

Usage Guidelines

A matching pattern expression is configured for a parameter map created by the parameter-map type regex or the parameter-map type urlf-glob command.

In a pattern expression, the characters /, {, and } are not allowed. The question mark (?) character is not allowed because it is reserved for the CLI help function. The asterisk (*) character is not allowed at the beginning of a pattern.

For URL pattern matching, the period (.) character is interpreted as a dot and not as a wildcard entry that represents a single character, as is the case with regular expression pattern matching. Any character in the host or domain name can be allowed or blocked through URL filtering.

A URL keyword is a complete word that comes after the domain name and is between the forward slash (/) path delimiters. For example, in the URL http://www.example.com/hack/123.html, only “hack” is treated as a keyword. The entire keyword in the URL must match a pattern. For example, if you have configured a pattern named “hack,” the URL www.example.com/hacksite/123.html will not match the pattern. To match the URL, your pattern must have “hacksite.”

URL metacharacters allow pattern matching of single characters or ranges of characters to URLs, similar to the way a UNIX glob expression works. URL metacharacters are described in the following table.

Table 6 URL Metacharacters for URL Pattern Matching

Character

Description

*

Asterisk—matches any sequence of 0 or more characters.

[ abc ]

Character class—matches any character within brackets. The character matching is case sensitive. For example, [abc] matches a, b, or c.

[ a-c ]

Character range class—matches any character in a specified range. The character matching is case sensitive. For example, [a-z] matches any lowercase letter. You can also mix characters and ranges; for example, [abcq-z] matches a, b, c, q, r, s, t, u, v, w, x, y, z, and so does [a-cq-z].

Note   

The dash (-) character is matched only if it is the last or the first character within brackets. For example, [abc-] or [-abc].

[0-9]

Numerical range class—matches any number within brackets. For example, [0-9] matches 0, 1, 2, 3, 4, 5, 6, 7, 8, or 9.

URL metacharacters are combined with domain names and URL keywords for pattern matching. For example, pattern *.example.com will match the domain name www.example.com and pattern www.[ey]xample.com can be used to block both www.example.com and www.yxample.com. Also, you can use pattern www.example[0-9][0-9].com to block www.example01.com, www.example33.com, www.example99.com, and so on. You can combine a keyword and a metacharacter and create a matching pattern to block a URL. For example, you can use pattern hack* to block www.example.com/hacksite/123.html.

When you configure the parameter-map type regex command and then the pattern command, patterns that are specified in the pattern command are used as filters in General Packet Radio Service (GPRS) Tunneling Protocol (GTP) classes.

Examples

The following example shows how to configure a parameter map for trusted domains:

Device(config)# parameter-map type urlf-glob trusted-domain-param
Device(config-profile)# pattern www.example.com
Device(config-profile)# pattern *.example2.com

The following example shows how to configure a parameter map that specifies keywords that should be blocked:

Device(config)# parameter-map type urlf-glob keyword-param
Device(config-profile)# pattern example1
Device(config-profile)# pattern example3

The following example shows how to configure a parameter map that specifies the URL metacharacters to be blocked:

Device(config)# parameter-map type urlf-glob metacharacter-param
Device(config-profile)# pattern www.example[4-9].com

The following example shows how to specify a case-insensitive pattern that matches multiple variants of the string “hello”:

Device(config)# parameter-map type regex body-regex
Device(config-profile)# pattern ".*[Hh][Ee][Ll][Ll][Oo]"

The following example shows an error message that appears on the console when an asterisk (*) character is specified at the beginning of a pattern:

Device(config)# parameter-map type regex gtp-map
Device(config-profile)# pattern *.gprs.com
%Invalid first char + or * in regex pattern

Related Commands

Command

Description

class-map type urlfilter

Creates a class map that specifies the traffic to which a URL filtering policy applies.

parameter-map type regex

Configures a regex parameter map that matches a specific regular expression pattern and enters parameter-map type inspect configuration mode.

parameter-map type urlf-glob

Creates or modifies a parameter map that specifies a list of domains, URL keywords, or URL metacharacters that should be allowed or blocked by local URL filtering and enters parameter-map type inspect configuration mode.

peer

To define a static peer for the FlexVPN client, use the peer command in IKEv2 FlexVPN client profile configuration mode. To remove the peer, use the no form of this command.

peer sequence { ipv4-address | ipv6-address | fqdn fqdn-name [ dynamic | ipv6 ] } [ track track-number [ up | down ] ]

no peer sequence

Syntax Description

sequence

Sequence number of the peer.

ipv4-address

IPv4 address of the peer.

ipv6-address

IPv6 address of the peer.

fqdn fqdn-name

Assigns a fully qualified domain name (FQDN) to the peer.

dynamic

(Optional) Dynamically resolves the peer when it is chosen to connect.

ipv6

(Optional) Resolves the peer using the IPv6 address hostname.

track track-number

(Optional) Tracks the peer with the track number specified in the IKEv2 FlexVPN client profile.

up

(Optional) Implies that connection with the peer will be established only if track is in the up state.

down

(Optional) Implies that connection with the peer will be established only if track is in the down state.

Command Default

A static peer is not defined.

Command Modes

IKEv2 FlexVPN client profile configuration (config-ikev2-flexvpn)

Command History

Release

Modification

15.2(1)T

This command was introduced.

15.2(3)T

This command was modified. Support for IPv6 addresses and hostnames was added.

Cisco IOS XE Release 3.7S

This command was integrated into Cisco IOS XE Release 3.7S.

Usage Guidelines

Before you enable this command, you must configure the crypto ikev2 client flexvpn command.

Peers are ordered by preference; the lower the sequence number, the higher the preference. If a peer has the same priority as an existing peer, the old peer is overridden. Sequence numbering is ideal for easy management.

If a peer is referenced by FQDN, the peer is resolved during configuration unless the dynamic keyword is used to resolve the peer when the peer chooses to connect.

A peer address can be used only if it can be routed in the tunnel VRF of the tunnel interface.

Examples

The following example shows how to define a static peer:

Device(config)# crypto ikev2 client flexvpn client1
Device(config-ikev2-flexvpn)# peer 1 10.0.0.1

Related Commands

Command

Description

crypto ikev2 client flexvpn

Defines an IKEv2 FlexVPN client profile.

peer address ipv4

To configure a Group Domain of Interpretation (GDOI) redundant peer key server, use the peer address ipv4command in GDOI redundancy configuration mode. To remove the peer key server that was configured, use the no form of this command.

peer address ipv4 ip-address

no peer address ipv4 ip-address

Syntax Description

ip-address

IP address of the peer key server.

Command Default

(Redundancy does not function correctly if at least one peer is not configured under the local key server configuration on a key server.)

Command Modes


GDOI redundancy configuration (gdoi-coop-ks-config)

Command History

Release

Modification

12.4(11)T

This command was introduced.

Cisco IOS XE Release 2.3

This command was implemented on the Cisco ASR 1000 series routers.

Usage Guidelines

For redundancy between key servers to operate correctly, there have to be at least two key servers in a redundant group. Therefore, at least one other peer must be defined on a key server using the peer address ipv4 command. The local key server sets up an Internet Key Exchange (IKE) session with the peer that is defined using this command and proceeds to communicate using IKE informational messages to complete the election process using the specified IP address of the peer.

Examples

The following example shows that two peer key servers have been configured: 10.41.2.5 and 10.33.5.6.

address ipv4 10.1.1.1
redundancy
 local priority 10
 peer address ipv4 10.41.2.5
 peer address ipv4 10.33.5.6

Related Commands

Command

Description

address ipv4

Sets the source address, which is used as the source for packets originated by the local key server.

local priority

Sets the local key server priority.

redundancy

Enters GDOI redundancy configuration mode and allows for key server redundancy.

server local

Designates a device as a GDOI key server and enters GDOI local server configuration mode.

peer (IKEv2 keyring)

To define a peer or a peer group for the Internet Key Exchange Version 2 (IKEv2) keyring, use the peer command in IKEv2 keyring configuration mode. To remove the peer, use the no form of this command.

peer name

no peer name

Syntax Description

name

The peer name.

Command Default

A peer is not defined or configured.

Command Modes


IKEv2 keyring configuration (config-ikev2-keyring)

Command History

Release

Modification

15.1(1)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

Usage Guidelines

Use this command to define the name of a peer or peer group. This command enters IKEv2 keyring peer configuration mode. A peer subblock identifies a peer or peer-group using identity, hostname or address statements. A peer subblock must have atleast one statement identifying a peer or peer group. A peer subblock can have a single statement of each type identifying a peer or peer group. A peer subblock can have a single key or key-pair.

Examples

The following example shows how to configure an IKEv2 keyring with multiple peer subblocks:

Router(config)# crypto ikev2 keyring keyring-1
Router(configikev2-keyring)# peer peer1
Router(config-ikev2-keyring-peer)# description peer1
 
Router(config-ikev2-keyring-peer)# address 10.0.0.1
Router(config-ikev2-keyring-peer)# pre-shared-key key-1
Router(configikev2-keyring)# peer peer2
Router(config-ikev2-keyring-peer)# description peer2
Router(config-ikev2-keyring-peer)# host peer1.example.com
Router(config-ikev2-keyring-peer)# pre-shared-key key-2
Router(configikev2-keyring)# peer peer3
Router(config-ikev2-keyring-peer)# description peer3
Router(config-ikev2-keyring-peer)# host peer3.example.com
Router(config-ikev2-keyring-peer)# identity key-id abc
Router(config-ikev2-keyring-peer)# address 10.0.0.3
Router(config-ikev2-keyring-peer)# pre-shared-key key-3

Related Commands

Command

Description

address (ikev2 keyring)

Specifies the IPv4 address or the range of the peers in IKEv2 keyring.

crypto ikev2 keyring

Defines an IKEv2 keyring.

description (ikev2 keyring)

Describes an IKEv2 peer or a peer group for the IKEv2 keyring.

hostname (ikev2 keyring)

Specifies the hostname for the peer in the IKEv2 keyring.

identity (ikev2 keyring)

Identifies the peer with IKEv2 types of identity.

pre-shared-key (ikev2 keyring)

Defines a preshared key for the IKEv2 peer.

peer reactivate

To enable the reactivate primary peer feature, use the peer reactivate command in IKEv2 FlexVPN client profile configuration mode. To disable the feature, use the no form of this command

peer reactivate

no peer reactivate

Command Default

The peer reactivate feature is disabled by default.

Command Modes


        IKEv2 FlexVPN client profile configuration (config-ikev2-flexvpn)
      

Command History

Release

Modification

15.2(1)T

This command was introduced.

Cisco IOS XE Release 3.7S

This command was integrated into Cisco IOS XE Release 3.7S.

Usage Guidelines

Before you enable this command, you must configure the crypto ikev2 client flexvpn command.

The peer reactivate feature provides the ability to establish connection with a new peer. If a FlexVPN client is connected to a peer with a lower priority and the track object comes UP for another peer associated with this track object having a higher priority, the existing session is brought down and the connection is established with the new peer.

For example, there are two peers: peer1 with sequence 0 associated with track1 and peer 2 with sequence 1. If the FlexVPN client is connected to peer 2 and track 1 associated with peer 1 comes up, FlexVPN client deletes the existing session and brings up a new session with peer1. If the peer reactivate feature is not configured, FlexVPN continues the session with peer 2 even though the track 1 associated with peer 1 comes up.


Note


If a session with peer reactivate feature is UP and the feature is deleted, the session is not terminated. However, if a session without peer reactivate is UP and the feature is enabled, the session is terminated.


Examples

The following example shows how to enable the peer reactivate feature:

Router(config)# crypto ikev2 client flexvpn client1
Router(config-ikev2-flexvpn)# peer reactivate

Related Commands

Command

Description

crypto ikev2 client flexvpn

Defines an IKEv2 FlexVPN client profile.

per-box aggressive-aging

To enable aggressive aging of all firewall sessions listed in the firewall session table (the "box"), use the per-box aggressive-aging command in parameter-map type inspect configuration mode. To disable the aggressive aging of global firewall sessions, use the no form of this command.

per-box aggressive-aging high { value low value | percent percent low percent percent }

no per-box aggressive-aging high { value low value | percent percent low percent percent }

Syntax Description

high

Specifies the high watermark for aggressive aging.

value

High watermark in absolute values. Valid values are from 1 to 4294967295.

low

Specifies the low watermark values for aggressive aging.

value

Low watermark in absolute values. Valid values are from 1 to 4294967295.

percent percent

Specifies the high watermark percentage for aggressive aging. Valid values are from 1 to 100.

low percent percent

Specifies the low watermark percentage for aggressive aging. Valid values are from 1 to 100.

Command Default

The aggressive aging of firewall sessions is not enabled.

Command Modes

Parameter-map type inspect configuration (config-profile)

Command History

Release

Modification

Cisco IOS XE Release 3.4S

This command was introduced.

Usage Guidelines

The Aggressive Aging feature allows the firewall to aggressively age out sessions to make room for new sessions. Per-box aggressive aging protects the firewall session table from getting filled. When you enable aggressive aging on a router, only active sessions on the router are deleted.

You must configure the parameter-map type inspect global command before you configure the per-box aggressive-aging command.

Examples

The following example shows how to enable the aggressive aging of firewall sessions:

 Router(config)# parameter-map type inspect global
 Router(config-profile)# per-box aggressive-aging high percent 75 low percent 35
 Router(config-profile)# end
      

Related Commands

Command

Description

max-incomplete aggressive-aging

Configures the aggressive aging of half-opened firewall sessions for inspect parameter maps.

parameter-map type inspect global

Configures a global parameter map and enters parameter-map type inspect configuration mode.

per-box max-incomplete

To configure the half-opened session limit for each session listed in the firewall session table (the "box"), use the per-box max-incomplete command in parameter-map type inspect configuration mode. To disable the configuration, use the no form of this command.

per-box max-incomplete [ icmp | tcp | udp ] number

no per-box max-incomplete [ icmp | tcp | udp ] number

Syntax Description

icmp

(Optional) Specifies the maximum half-opened Internet Control Message Protocol (ICMP) connections for the firewall session table.

tcp

(Optional) Specifies the maximum half-opened TCP connections for the firewall session table.

udp

(Optional) Specifies the maximum half-opened UDP connections for the firewall session table.

number

Number of half-opened sessions. Valid values are from 1 to 4294967295.

Command Default

The half-opened session limit is not set.

Command Modes

Parameter-map type inspect configuration (config-profile)

Command History

Release

Modification

Cisco IOS XE Release 3.4S

This command was introduced.

Usage Guidelines

A half-opened session is a session that has not reached the established state.

You must configure the parameter-map type inspect global command before you configure the per-box max-incomplete command.

Examples

The following example shows how to configure the maximum half-opened session limit to 3456:

Router(config)# parameter-map type inspect global
Router(config-profile)# per-box max-incomplete 3456
Router(config-profile)# end
      

Related Commands

Command

Description

max-incomplete (inspect-vrf)

Configures the half-opened session limit for a VRF.

parameter-map type inspect global

Configures a global parameter map and enters parameter-map type inspect configuration mode.

per-box max-incomplete aggressive-aging

To configure aggressive aging of half-opened firewall sessions listed in the firewall session table (the "box"), use the per-box max-incomplete aggressive-aging command in parameter-map type inspect configuration mode. To disable the configuration, use the no form of this command.

per-box max-incomplete number aggressive-aging high { value low value | percent percent low percent value }

no per-box max-incomplete number aggressive-aging high { value low value | percent percent low percent value }

Syntax Description

number

Number of half-opened sessions. Valid values are from 1 to 4294967295.

high

Specifies the high watermark for aggressive aging.

value

High watermark in absolute values. Valid values are from 1 to 4294967295.

low

Specifies the low watermark values for aggressive aging.

value

Low watermark in absolute values. Valid values are from 1 to 4294967295.

percent percent

Specifies the high watermark percentage for aggressive aging. Valid values are from 1 to 100.

low percent percent

Specifies the low watermark percentage for aggressive aging. Valid values are from 1 to 100.

Command Default

The aggressive aging of half-opened sessions is not configured.

Command Modes

Parameter-map type inspect configuration (config-profile)
      

Command History

Release

Modification

Cisco IOS XE Release 3.4S

This command was introduced.

Usage Guidelines

The Aggressive Aging feature allows the firewall to aggressively age out half-opened sessions to make room for new sessions. Per-box aggressive aging protects the firewall session table from getting filled with sessions. When you enable aggressive aging on a router, only active sessions on the router are deleted.

You must configure the parameter-map type inspect global command before you configure the per-box max-incomplete aggressive-aging command.

Examples

The following example shows how to configure aggressive aging of half-opened sessions in a firewall session table:

Router(config)# parameter-map type inspect global
Router(config-profile)# per-box max-incomplete 3456 aggressive-aging high 7890 low 5436
Router(config-profile)# end
      

Related Commands

Command

Description

max-incomplete aggressive-aging

Configures aggressive aging of half-opened firewall sessions for inspect parameter maps.

parameter-map type inspect global

Configures a global parameter map and enters parameter-map type inspect configuration mode.

per-box tcp syn-flood limit

To configure the TCP synchronization (SYN) flood limit for each session listed in the firewall session table (the "box), use the per-box tcp syn-flood limit command in parameter-map type inspect configuration mode. To disable the TCP SYN flood limit configuration, use the no form of this command.

per-box tcp syn-flood limit number

no per-box tcp syn-flood limit number

Syntax Description

number

The number of half-opened connections that triggers TCP SYN cookie protection. Valid values are from 1 to 4294967295.

Command Default

The TCP SYN flood limit is not configured.

Command Modes

Parameter-map type inspect configuration (config-profile)

Command History

Release

Modification

Cisco IOS XE Release 3.4S

This command was introduced.

Usage Guidelines

Per-box refers to the entire firewall session table.

TCP SYN-flooding attacks are a type of denial-of-service (DoS) attack. TCP SYN-flooding can take up all resources on a firewall or an end host, thereby causing denials of service to legitimate traffic. The Firewall TCP SYN Cookie feature protects the firewall from TCP SYN-flooding attacks. To prevent TCP SYN flooding on a firewall and the end hosts behind the firewall, configure the Firewall TCP SYN Cookie feature.

A half-opened session is a session that has not reached the established state.

You must configure the parameter-map type inspect global command before you configure the per-box tcp syn-flood limit command.

Examples

The following example shows how to configure the TCP SYN flood limit to 3400:

Router(config)# parameter-map type inspect global
Router(config-profile)# per-box tcp syn-flood limit 3400
Router(config-profile)# end
      

Related Commands

Command

Description

parameter-map type inspect global

Configures a global parameter map and enters parameter-map type inspect configuration mode.

permit

To set conditions in named IP access list or object group access control list (OGACL) that will permit packets, use the permit command in the appropriate configuration mode. To remove a condition from an IP access list or an OGACL, use the no form of this command.

permit protocol [ source-addr source-wildcard ] { any | host { address | name } | object-group object-group-name } { destination-addr destination-wildcard | any | host { address | name } | object-group object-group-name } [ dscp dscp-value | precendence precedence-value | fragments fragment-value | option option-value | reflect access-list-name | time-range time-range-value | ttl match-value ttl-value [ttl-value] | tos tos-value | timeout max-time | log [log-value] | log-input [log-input-value] ]

no permit protocol [ source-addr source-wildcard ] { any | host { address | name } | object-group object-group-name } { destination-addr destination-wildcard | any | host { address | name } | object-group object-group-name }

permit { tcp | udp } { source-addr source-wildcard | any | host source-addr | object-group source-obj-group } { destination-addr destination-wildcard | any | host dest-addr | object-group dest-obj-group | port-match-criteria { destination-addr destination-wildcard | any | host dest-addr | object-group dest-obj-group } } [ port-match-criteria port-number | fragments | ack | established | fin | psh | rst | syn | urg | match-all match-value | match-any match-value | dscp dscp-value | precendence precedence-value | option option-value | time-range time-range-value | ttl match-value ttl-value [ttl-value] | tos tos-value | log [log-value] | log-input [log-input-value] ]

no permit { tcp | udp } { source-addr source-wildcard | any | host source-addr | object-group source-obj-group } { destination-addr destination-wild-card | any | host dest-addr | object-group dest-obj-group | port-match-criteria { destination-addr destination-wild-card | any | host dest-addr | object-group dest-obj-group } }

Syntax Description

protocol

Name or number of a protocol; valid values are; valid values are ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, object-group, tcp, pcp, pim, udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including Internet Control Message Protocol (ICMP), TCP, and User Datagram Protocol (UDP), use the keyword ip. See the “Usage Guidelines” section for additional qualifiers.

source-addr

(Optional) Number of the network or host from which the packet is being sent in a 32-bit quantity in four-part, dotted-decimal format.

source-wildcard

(Optional) Wildcard bits to be applied to the source in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

any

Specifies any source or any destination host as an abbreviation for the source-addror destination-addr valueand the source-wildcard or destination-wildcard value of 0.0.0.0 255.255.255.255.

host address name

Specifies the source or destination address and name of a single host.

object-group object-group-name

Specifies the source or destination name of the object group.

destination-addr

Number of the network or host to which the packet is being sent in a 32-bit quantity in four-part, dotted-decimal format.

destination-wildcard

Wildcard bits to be applied to the destination in a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

object-group dest-addr-group-name

Specifies the destination address group name.

dscp dscp-value

(Optional) Matches the packets with the given Differentiated Services Code Point (DSCP) value; see the “Usage Guidelines” section for valid values.

precedence precedence-value

(Optional) Specifies the precedence filtering level for packets; valid values are a number from 0 to 7 or by a name. See the “Usage Guidelines” section for a list of valid names.

fragments fragment-value

(Optional) Applies the access list entry to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List or OGACL Processing of Fragments" and “Fragments and Policy Routing” sections in the “Usage Guidelines” section.

option option-value

(Optional) Matches the packets with the given IP options value number; see the “Usage Guidelines” section for valid values.

reflect access-list-name

(Optional) Create reflexive access list entry.

time-range time-range-value

(Optional) Specifies a time-range entry name.

ttl match-value ttl-value

(Optional) Specifies the match packets with given TTL value; see the “Usage Guidelines” section for valid values.

tos tos-value

(Optional) Specifies the service filtering level for packets; valid values are a number from 0 to 15 or by a name as listed in the “Usage Guidelines” section of the access-list(IP extended) command.

timeout max-time

Specifies the maximum time for a reflexive ACL to live; the valid values are from 1 to 2147483 seconds.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message for a standard list includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets.

The message for an extended list includes the access list number; whether the packet was permitted or denied; the protocol; whether the protocol was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and port numbers and the user-defined cookie or router-generated hash value.

For both standard and extended lists, the message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from reloading because of too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

After you specify the log keyword (and the associated word argument), you cannot specify any other keywords or settings for this command.

log-value

(Optional) User-defined cookie appended to the log message. The cookie:

  • cannot be more than characters

  • cannot start with hexadecimal notation (such as 0x)

  • cannot be the same as, or a subset of, the following keywords: reflect, fragment, time-range

  • must contain alphanumeric characters only

The user-defined cookie is appended to the access control entry (ACE) syslog entry and uniquely identifies the ACE, within the access control list, that generated the syslog entry.

log-input log-input-value

(Optional) Matches the log against this entry, including the input interface.

After you specify the log-input keyword (and the associated log-input-value argument), you cannot specify any other keywords or settings for this command.

tcp

Specifies the TCP protocol.

udp

Specifies the UDP protocol.

object-group source-obj-group

Specifies the source address group name.

port-match-criteria port-number

Matches only packets on a given port number; see the “Usage Guidelines” section for valid values.

Command Default

There are no specific conditions under which a packet passes the access list.

Command Modes


Standard access-list configuration (config-std-nacl)
Extended access-list configuration (config-ext-nacl)

Command History

Release

Modification

12.4(20)T

This command was introduced.

12.4(22)T

The word argument was added to the log and log-input keywords.

Usage Guidelines

Use this command following the ip access-list command to define the conditions under which a packet passes the access list.

In Cisco IOS 15.0(1)M and later Releases, to remove the log entry from the permit ip any any log command, use the permit ip any any command.

In releases earlier than Cisco IOS Release15.0(1)M, to remove the log option from the permit ip any any log command, use the no permit ip any any log and the permit ip any any commands.

In Cisco IOS 15.0(1)M and later releases, to remove the log entry and the user-defined cookie, use the permit ip any any [log-value] command.

In releases earlier than Cisco IOS Release 15.0(1)M, to remove the log entry and user-defined cookies, use the no permit ip any any log [log-value] and permit ip any any commands.

Access List or OGACL Processing of Fragments

The behavior of access-list entries regarding the use or lack of the fragments keyword are summarized in the table below:

Table 7 Access list or OGACL Processing of Fragments

If the Access-List Entry Has...

Then...

...no fragments keyword (the default behavior), and assuming all of the access-list entry information matches,

For an access-list entry containing only Layer 3 information:

  • The entry is applied to nonfragmented packets, initial fragments, and noninitial fragments.

For an access list entry containing Layer 3 and Layer 4 information:

  • The entry is applied to nonfragmented packets and initial fragments:
    • If the entry is a permitstatement, the packet or fragment is permitted.
    • If the entry is a denystatement, the packet or fragment is denied.
  • The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and
    • If the entry is a permitstatement, the noninitial fragment is permitted.
    • If the entry is a deny statement, the next access-list entry is processed.
Note   

The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

...the fragments keyword, and assuming all of the access-list entry information matches,

Note   

The access-list entry is applied only to noninitial fragments. The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.

Ensure that you do not add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragmentskeyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.

Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.


Note


The fragmentskeyword cannot solve all cases involving access lists and IP fragments.


Fragments and Policy Routing

Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.

By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.

The source-addr and destination-addrarguments allow you to create an object group based on a source or destination group. The following keywords and arguments are available:

  • dscp dscp-value --(Optional) Matches the packets with the given DSCP value; the valid values are as follows:
    • 0 to 63--Differentiated services codepoint value
    • af11--Matches the packets with AF11 dscp (001010)
    • af12--Matches the packets with AF12 dscp (001100)
    • af13--Matches the packets with AF13 dscp (001110)
    • af21--Matches the packets with AF21 dscp (010010)
    • af22--Matches the packets with AF22 dscp (010100)
    • af23--Matches the packets with AF23 dscp (010110)
    • af31--Matches the packets with AF31 dscp (011010)
    • af32--Matches the packets with AF32 dscp (011100)
    • af33--Matches the packets with AF33 dscp (011110)
    • af41--Matches the packets with AF41 dscp (100010)
    • af42--Matches the packets with AF42 dscp (100100)
    • af43--Matches the packets with AF43 dscp (100110)
    • cs1--Matches the packets with CS1 (precedence 1) dscp (001000)
    • cs2--Matches the packets with CS2 (precedence 2) dscp (010000)
    • cs3--Matches the packets with CS3 (precedence 3) dscp (011000)
    • cs4--Matches the packets with CS4 (precedence 4) dscp (100000)
    • cs5--Matches the packets with CS5 (precedence 5) dscp (101000)
    • cs6--Matches the packets with CS6 (precedence 6) dscp (110000)
    • cs7--Matches the packets with CS7 (precedence 7) dscp (111000)
    • default--Matches the packets with default dscp (000000)
    • ef--Matches the packets with EF dscp (101110)
  • fragments --(Optional) Checks for noninitial fragments. See the table above.

  • log --(Optional) Logs the matches against this entry.

  • log-input --(Optional) Logs the matches against this entry, including the input interface.

  • option option-value --(Optional) Matches the packets with given IP Options value. The valid values are as follows:
    • 0 to 255--IP Options value.
    • add-ext--Matches the packets with Address Extension Option (147).
    • any-options--Matches the packets with ANY Option.
    • com-security--Matches the packets with Commercial Security Option (134).
    • dps--Matches the packets with Dynamic Packet State Option (151).
    • encode--Matches the packets with Encode Option (15).
    • eool--Matches the packets with End of Options (0).
    • ext-ip--Matches the packets with Extended IP Option (145).
    • ext-security--Matches the packets with Extended Security Option (133).
    • finn--Matches the packets with Experimental Flow Control Option (205).
    • imitd--Matches the packets with IMI Traffic Desriptor Option (144).
    • lsr--Matches the packets with Loose Source Route Option (131).
    • match-all--Matches the packets if all specified flags are present.
    • match-any--Matches the packets if any specified flag is present.
    • mtup--Matches the packets with MTU Probe Option (11).
    • mtur--Matches the packets with MTU Reply Option (12).
    • no-op--Matches the packets with No Operation Option (1).
    • psh--Match the packets on the PSH bit.
    • nsapa--Matches the packets with NSAP Addresses Option (150).
    • reflect--Creates reflexive access list entry.
    • record-route--Matches the packets with Record Route Option (7).
    • rst--Matches the packets on the RST bit.
    • router-alert--Matches the packets with Router Alert Option (148).
    • sdb--Matches the packets with Selective Directed Broadcast Option (149).
    • security--Matches the packets with Basic Security Option (130).
    • ssr--Matches the packets with Strict Source Routing Option (137).
    • stream-id--Matches the packets with Stream ID Option (136).
    • syn--Matches the packets on the SYN bit.
    • timestamp--Matches the packets with Time Stamp Option (68).
    • traceroute--Matches the packets with Trace Route Option (82).
    • ump--Matches the packets with Upstream Multicast Packet Option (152).
    • visa--Matches the packets with Experimental Access Control Option (142).
    • zsu--Matches the packets with Experimental Measurement Option (10).
  • precedence precedence-value --(Optional) Matches the packets with given precedence value; the valid values are as follows:
    • 0 to 7--Precedence value.
    • critical--Matches the packets with critical precedence (5).
    • flash--Matches the packets with flash precedence (3).
    • flash-override--Matches the packets with flash override precedence (4).
    • immediate--Matches the packets with immediate precedence (2).
    • internet--Matches the packets with internetwork control precedence (6).
    • network--Matches the packets with network control precedence (7).
    • priority--Matches the packets with priority precedence (1).
    • routine--Matches the packets with routine precedence (0).
  • reflect acl-name -- (Optional) Creates reflexive access list entry.

  • ttl match-value ttl-value -- (Optional) Specifies the match packets with given TTL value; the valid values are as follows:
    • eq--Matches packets on a given TTL number.
    • gt--Matches packets with a greater TTL number.
    • lt--Matches packets with a lower TTL number.
    • neq--Matches packets not on a given TTL number.
    • range--Matches packets in the range of TTLs.
  • time-range time-range-value --(Optional) Specifies a time-range entry name.

  • tos --(Optional) Matches the packets with given ToS value; the valid values are as follows:
    • 0 to 15--Type of service value.
    • max-reliability--Matches the packets with the maximum reliable ToS (2).
    • max-throughput--Matches the packets with the maximum throughput ToS (4).
    • min-delay--Matches the packets with the minimum delay ToS (8).
    • min-monetary-cost--Matches the packets with the minimum monetary cost ToS (1).
    • normal--Matches the packets with the normal ToS (0).
  • timeout max-time -- (Optional) Specifies the maximum time for a reflexive ACL to live; the valid values are from 1 to 2147483 seconds.

Examples

The following example shows how to create an access list that permits packets from the users in my_network_object_group if the protocol ports match the ports specified in my_network_object_group:

Router> enable
Router# configure terminal

Router(config)# ip access-list extended my_ogacl_policy

Router(config-ext-nacl)# permit tcp object-group my_network_object_group portgroup my_service_object_group any

The following example shows how to create an access list that permits packets from the users in my_network_object_group if the protocol ports match the ports specified in my_network_object_group. In addition, logging is enabled for the access list, and all syslog entries for this ACE include the word MyServiceCookieValue:

Router> enable
Router# configure terminal

Router(config)# ip access-list extended my_ogacl_policy

Router(config-ext-nacl)# permit tcp object-group my_network_object_group portgroup my_service_object_group any log MyServiceCookieValue

Related Commands

Command

Description

deny

Sets conditions in a named IP access list or OGACL that will deny packets.

ip access-group

Applies an ACL or OGACL to an interface or a service policy map.

ip access-list

Defines an IP access list or OGACL by name or number.

ip access-list logging hash-generation

Enables hash value generation for ACE syslog entries.

object-group network

Defines network object groups for use in OGACLs.

object-group service

Defines service object groups for use in OGACLs.

show ip access-list

Displays the contents of IP access lists or OGACLs.

show object-group

Displays information about object groups that are configured.

permit (Catalyst 6500 series switches)

To set conditions for a named IP access list, use the permit command in access-list configuration mode. To remove a condition from an access list, use the no form of this command.

permit protocol { source-addr source-wildcard | addrgroup object-group-name | any | host { address | name } } { destination-addr destination-wildcard | addrgroup object-group-name | any | host { address | name } }

permit { tcp | udp } { source-addr source-wildcard | addrgroup source-addr-group-name | any | host { address | name } destination-addr destination-wildcard | any | eq port | gt port | host { address | name } | lt port | neq port | portgroup srcport-groupname } { addrgroup dest-addr-groupname | destination | destination-addr destination-wildcard | any | eq port | gt port | host { address | name } | lt port | neq port | portgroup destport-groupname } [ dscp type | fragments | option option | precedence precedence | time-range time-range-name | tos tos | log [word] | log-input [word] ]

no permit protocol { source-addr source-wildcard | addrgroup object-group-name | any | host { address | name } } { destination-addr destination-wildcard | addrgroup object-group-name | any | host { address | name } }

no permit { tcp | udp } { source-addr source-wildcard | addrgroup source-addr-group-name | any | host { address | name } destination-addr destination-wildcard | any | eq port | gt port | host { address | name } | lt port | neq port | portgroup srcport-groupname } { addrgroup dest-addr-groupname | destination | destination-addr destination-wildcard | any | eq port | gt port | host { address | name } | lt port | neq port | portgroup destport-groupname } [ dscp type | fragments | option option | precedence precedence | time-range time-range-name | tos tos | log [word] | log-input [word] ]

Syntax Description

protocol

Name or number of a protocol; valid values are eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including Internet Control Message Protocol (ICMP), TCP, and User Datagram Protocol (UDP), use the keyword ip. See the “Usage Guidelines” section for additional qualifiers.

source-addr

Number of the network or host from which the packet is being sent in a 32-bit quantity in four-part, dotted-decimal format.

source-wildcard

Wildcard bits to be applied to source in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

addrgroup object-group-name

Specifies the source or destination name of the object group.

any

Specifies any source or any destination host as an abbreviation for the source-addror destination-addr valueand the source-wildcard or destination-wildcard value of 0.0.0.0 255.255.255.255.

host address

Specifies the source or destination address of a single host.

host name

Specifies the source or destination name of a single host.

tcp

Specifies the TCP protocol.

udp

Specifies the UDP protocol.

addrgroup source-addr-group-name

Specifies the source address group name.

destination-addr

Number of the network or host to which the packet is being sent in a 32-bit quantity in four-part, dotted-decimal format.

destination-wildcard

Wildcard bits to be applied to the destination in a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

eq port

Matches only packets on a given port number; see the “Usage Guidelines” section for valid values.

gt port

Matches only the packets with a greater port number; see the “Usage Guidelines” section for valid values.

lt port

Matches only the packets with a lower port number; see the “Usage Guidelines” section for valid values.

neq port

Matches only the packets that are not on a given port number; see the “Usage Guidelines” section for valid values.

portgroup srcport-group-name

Specifies the source port object group name.

addrgroup dest-addr-group-name

Specifies the destination address group name.

portgroup destport-group-name

Specifies the destination port object group name.

dscp type

(Optional) Matches the packets with the given Differentiated Services Code Point (DSCP) value; see the “Usage Guidelines” section for valid values.

fragments

(Optional) Applies the access list entry to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the “Access List Processing of Fragments” and “Fragments and Policy Routing” sections in the “Usage Guidelines” section.

option option

(Optional) Matches the packets with the given IP options value number; see the “Usage Guidelines” section for valid values.

precedence precedence

(Optional) Specifies the precedence filtering level for packets; valid values are a number from 0 to 7 or by a name. See the “Usage Guidelines” section for a list of valid names.

time-range time-range-name

(Optional) Specifies a time-range entry name.

tos tos

(Optional) Specifies the service filtering level for packets; valid values are a number from 0 to 15 or by a name as listed in the “Usage Guidelines” section of the access-list(IP extended) command.

option option

(Optional) Matches packets with the IP options value; see the “Usage Guidelines” section for the valid values.

fragments

(Optional) Applies the access list entry to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the “Access List Processing of Fragments” and “Fragments and Policy Routing” sections in the “Usage Guidelines” section.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message for a standard list includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets, and if appropriate, the user-defined cookie or router-generated hash value.

The message for an extended list includes the access list number; whether the packet was permitted or denied; the protocol; whether the protocol was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers, and if appropriate, the user-defined cookie or router-generated hash value.

For both standard and extended lists, the message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from reloading due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

After you specify the log keyword (and the associated word argument), you cannot specify any other keywords or settings for this command.

word

(Optional) User-defined cookie appended to the log message. The cookie:

  • cannot be more than characters

  • cannot start with hexadecimal notation (such as 0x)

  • cannot be the same as, or a subset of, the following keywords: reflect, fragment, time-range

  • must contain alphanumeric characters only

The user-defined cookie is appended to the access control entry (ACE) syslog entry and uniquely identifies the ACE, within the access control list, that generated the syslog entry.

log-input

(Optional) Matches the log against this entry, including the input interface.

After you specify the log-input keyword (and the associated word argument), you cannot specify any other keywords or settings for this command.

Command Default

There are no specific conditions under which a packet passes the named access list.

Command Modes


Access-list configuration (config-ext-nacl)

Command History

Release

Modification

12.2(33)SXH

This command was introduced.

12.4(22)T

The word argument was added to the log and log-input keywords.

Usage Guidelines

Use this command following the ip access-list command to define the conditions under which a packet passes the access list.

The portgroup keyword appears only when you configure an extended access list.

Access List Processing of Fragments

The behavior of access-list entries regarding the use or lack of the fragments keyword are summarized in the table below:

Table 8 Access list Processing of Fragments

If the Access-List Entry Has...

Then...

...no fragments keyword (the default behavior), and assuming all of the access-list entry information matches,

For an access-list entry containing only Layer 3 information:

  • The entry is applied to nonfragmented packets, initial fragments, and noninitial fragments.

For an access list entry containing Layer 3 and Layer 4 information:

  • The entry is applied to nonfragmented packets and initial fragments:
    • If the entry is a permitstatement, the packet or fragment is permitted.
    • If the entry is a denystatement, the packet or fragment is denied.
  • The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and
    • If the entry is a permitstatement, the noninitial fragment is permitted.
    • If the entry is a deny statement, the next access-list entry is processed.
Note   

The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

...the fragments keyword, and assuming all of the access-list entry information matches,

Note   

The access-list entry is applied only to noninitial fragments.The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.

Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragmentskeyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.

Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.


Note


The fragmentskeyword cannot solve all cases involving access lists and IP fragments.


Fragments and Policy Routing

Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.

By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.

The portgroup srcport-groupname or portgroup destport-groupnamekeywords and arguments allow you to create an object group based on a source or destination group. The following keywords and arguments are available:

  • dscp value --(Optional) Matches the packets with the given DSCP value; the valid values are as follows:
    • 0 to 63--Differentiated services codepoint value
    • af11--Matches the packets with AF11 dscp (001010)
    • af12--Matches the packets with AF12 dscp (001100)
    • af13--Matches the packets with AF13 dscp (001110)
    • af21--Matches the packets with AF21 dscp (010010)
    • af22--Matches the packets with AF22 dscp (010100)
    • af23--Matches the packets with AF23 dscp (010110)
    • af31--Matches the packets with AF31 dscp (011010)
    • af32--Matches the packets with AF32 dscp (011100)
    • af33--Matches the packets with AF33 dscp (011110)
    • af41--Matches the packets with AF41 dscp (100010)
    • af42--Matches the packets with AF42 dscp (100100)
    • af43--Matches the packets with AF43 dscp (100110)
    • cs1--Matches the packets with CS1(precedence 1) dscp (001000)
    • cs2--Matches the packets with CS2(precedence 2) dscp (010000)
    • cs3--Matches the packets with CS3(precedence 3) dscp (011000)
    • cs4--Matches the packets with CS4(precedence 4) dscp (100000)
    • cs5--Matches the packets with CS5(precedence 5) dscp (101000)
    • cs6--Matches the packets with CS6(precedence 6) dscp (110000)
    • cs7--Matches the packets with CS7(precedence 7) dscp (111000)
    • default--Matches the packets with default dscp (000000)
    • ef--Matches the packets with EF dscp (101110)
  • fragments --(Optional) Checks for noninitial fragments. See the table “Access List Processing of Fragments.”

  • log --(Optional) Logs the matches against this entry.

  • log-input --(Optional) Logs the matches against this entry, including the input interface; the valid values are as follows:

  • option option --(Optional) Matches the packets with given IP Options value. The valid values are as follows:
    • 0 to 255--IP Options value.
    • add-ext--Matches the packets with Address Extension Option (147).
    • any-options--Matches the packets with ANY Option.
    • com-security--Matches the packets with Commercial Security Option (134).
    • dps--Matches the packets with Dynamic Packet State Option (151).
    • encode--Matches the packets with Encode Option (15).
    • eool--Matches the packets with End of Options (0).
    • ext-ip--Matches the packets with Extended IP Option (145).
    • ext-security--Matches the packets with Extended Security Option (133).
    • finn--Matches the packets with Experimental Flow Control Option (205).
    • imitd--Matches the packets with IMI Traffic Desriptor Option (144).
    • lsr--Matches the packets with Loose Source Route Option (131).
    • match-all--Matches the packets if all specified flags are present.
    • match-any--Matches the packets if any specified flag is present.
    • mtup--Matches the packets with MTU Probe Option (11).
    • mtur--Matches the packets with MTU Reply Option (12).
    • no-op--Matches the packets with No Operation Option (1).
    • psh--Match the packets on the PSH bit.
    • nsapa--Matches the packets with NSAP Addresses Option (150).
    • reflect--Creates reflexive access list entry.
    • record-route--Matches the packets with Record Route Option (7).
    • rst--Matches the packets on the RST bit.
    • router-alert--Matches the packets with Router Alert Option (148).
    • sdb--Matches the packets with Selective Directed Broadcast Option (149).
    • security--Matches the packets with Basic Security Option (130).
    • ssr--Matches the packets with Strict Source Routing Option (137).
    • stream-id--Matches the packets with Stream ID Option (136).
    • syn--Matches the packets on the SYN bit.
    • timestamp--Matches the packets with Time Stamp Option (68).
    • traceroute--Matches the packets with Trace Route Option (82).
    • ump--Matches the packets with Upstream Multicast Packet Option (152).
    • visa--Matches the packets with Experimental Access Control Option (142).
    • zsu--Matches the packets with Experimental Measurement Option (10).
  • precedence value --(Optional) Matches the packets with given precedence value; the valid values are as follows:
    • 0 to 7--Precedence value.
    • critical--Matches the packets with critical precedence (5).
    • flash--Matches the packets with flash precedence (3).
    • flash-override--Matches the packets with flash override precedence (4).
    • immediate--Matches the packets with immediate precedence (2).
    • internet--Matches the packets with internetwork control precedence (6).
    • network--Matches the packets with network control precedence (7).
    • priority--Matches the packets with priority precedence (1).
    • routine--Matches the packets with routine precedence (0).
  • reflect acl-name [timeout time]-- (Optional) Creates reflexive access list entry. The timeout time keyword and argument specify the maximum time for a reflexive ACL to live; the valid values are from 1 to 2147483 seconds.

  • time-range name --(Optional) Specifies a time-range entry name.

  • tos --(Optional) Matches the packets with given ToS value; the valid values are as follows:
    • 0 to15--Type of service value.
    • max-reliability--Matches the packets with the maximum reliable ToS (2).
    • max-throughput--Matches the packets with the maximum throughput ToS (4).
    • min-delay--Matches the packets with the minimum delay ToS (8).
    • min-monetary-cost--Matches the packets with the minimum monetary cost ToS (1).
    • normal--Matches the packets with the normal ToS (0).

Examples

The following example shows how to create an access list that permits packets from the users in myAG if the protocol ports match the ports specified in myPG:

Router(config)# ip access-list extended my-pbacl-policy

Router(config-ext-nacl)# permit tcp addrgroup myAG portgroup myPG any

The following example shows how to create an access list that permits packets from the users in myAG if the protocol ports match the ports specified in myPG. The access list is log enabled, and the cookie value is set to myCookie:

Router(config)# ip access-list extended my-pbacl-policy

Router(config-ext-nacl)# permit tcp addrgroup myAG portgroup myPG any log myCookie

Related Commands

Command

Description

deny (Catalyst 6500 series switches)

Sets conditions for a named IP access list.

ip access-group

Controls access to an interface.

ip access-list

Defines an IP access list by name.

ip access-list logging hash-generation

Enables hash value generation for ACE syslog entries.

show ip access-lists

Displays the contents of all current IP access lists.

permit (IP)

To set conditions to allow a packet to pass a named IP access list, use the permit command in access list configuration mode. To remove a permit condition from an access list, use the no form of this command.

[sequence-number] permit source [source-wildcard]

[sequence-number] permit protocol source source-wildcard destination destination-wildcard [ option option-name ] [ precedence precedence ] [ tos tos ] [ ttl operator value ] [ time-range time-range-name ] [fragments] [ log [user-defined-cookie] ]

no sequence-number

no permit source [source-wildcard]

no permit protocol source source-wildcard destination destination-wildcard [ option option-name ] [ precedence precedence ] [ tos tos ] [ ttl operator value ] [ time-range time-range-name ] [fragments] [ log [user-defined-cookie] ]

Internet Control Message Protocol (ICMP)

[sequence-number] permit icmp source source-wildcard destination destination-wildcard [ icmp-type [icmp-code] | icmp-message ] [ precedence precedence ] [ tos tos ] [ ttl operator value ] [ time-range time-range-name ] [fragments] [ log [user-defined-cookie] ]

Internet Group Management Protocol (IGMP)

[sequence-number] permit igmp source source-wildcard destination destination-wildcard [igmp-type] [ precedence precedence ] [ tos tos ] [ ttl operator value ] [ time-range time-range-name ] [fragments] [ log [user-defined-cookie] ]

Transmission Control Protocol (TCP)

[sequence-number] permit tcp source source-wildcard [ operator [port] ] destination destination-wildcard [ operator [port] ] [ established { match-any | match-all } { + | - } flag-name | precedence precedence | tos tos | ttl operator value | log | time-range time-range-name | fragments | log | [user-defined-cookie] ]

User Datagram Protocol (UDP)

[sequence-number] permit udp source source-wildcard [ operator [port] ] destination destination-wildcard [ operator [port] ] [ precedence precedence ] [ tos tos ] [ ttl operator value ] [ time-range time-range-name ] [fragments] [ log [user-defined-cookie] ]

Syntax Description

sequence-number

(Optional) Sequence number assigned to the permit statement. The sequence number causes the system to insert the statement in that numbered position in the access list.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

  • Use a 32-bit quantity in four-part dotted-decimal format.

  • Use the any keyword as an abbreviation for a source and source-wildcardof 0.0.0.0 255.255.255.255.

  • Use host sourceas an abbreviation for a sourceand source-wildcardof source0.0.0.0.

source-wildcard

(Optional) Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions that you want to ignore.

  • Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

  • Use host sourceas an abbreviation for a sourceand source-wildcardof source0.0.0.0.

protocol

Name or number of an Internet protocol. The protocol argument can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ipkeyword.

Note   

When the icmp, igmp, tcp, and udp keywords are entered, they must be followed with the specific command syntax that is shown for the ICMP, IGMP, TCP, and UDP forms of the permit command.

Note   

To configure a packet filter to allow BGP traffic, use protocol tcp and specify the port number as 179 or bgp

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

  • Use a 32-bit quantity in four-part dotted-decimal format.

  • Use the anykeyword as an abbreviation for the destinationand destination-wildcardof 0.0.0.0 255.255.255.255.

  • Use host destination as an abbreviation for a destinationand destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions that you want to ignore.

  • Use the any keyword as an abbreviation for a destinationand destination-wildcard of 0.0.0.0 255.255.255.255.

  • Use host destination as an abbreviation for a destinationand destination-wildcard of destination 0.0.0.0.

option option-name

(Optional) Packets can be filtered by IP Options, as specified by a number from 0 to 255, or by the corresponding IP Option name, as listed in the table in the “Usage Guidelines” section.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by a name.

tos tos

(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by a name as listed in the “Usage Guidelines” section of the access-list(IP extended) command.

ttl operator-value

(Optional) Compares the TTL value in the packet to the TTL value specified in this permit statement.

  • The operator can be lt (less than), gt (greater than), eq (equal), neq (not equal), or range (inclusive range).

  • The value can range from 0 to 255.

  • If the operator is range, specify two values separated by a space.

  • For Release 12.0S, if the operator is eq or neq, only one TTL value can be specified.

  • For all other releases, if the operator is eq or neq, as many as 10 TTL values can be specified, separated by a space.

time-range time-range-name

(Optional) Name of the time range that applies to this permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.

fragments

(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments” and “Fragments and Policy Routing” sections in the “Usage Guidelines” section.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

After you specify the log keyword (and the associated word argument), you cannot specify any other keywords or settings for this command.

user-defined-cookie

(Optional) User-defined cookie appended to the log message. The cookie:

  • Cannot be more than 64 characters.

  • Cannot start with hexadecimal notation (such as 0x).

  • Cannot be the same as, or a subset of, the following keywords: fragment, reflect, time-range.

  • Must contain alphanumeric characters only.

The user-defined cookie is appended to the Allegro Crypto Engine (ACE) syslog entry and uniquely identifies the ACE, within the access control list, that generated the syslog entry.

icmp

Permits only ICMP packets. When you enter the icmp keyword, you must use the specific command syntax shown for the ICMP form of the permit command.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or an ICMP message type and code name. The possible names are listed in the “Usage Guidelines” section of the access-list(IP extended) command.

igmp

Permits only IGMP packets. When you enter the igmp keyword, you must use the specific command syntax shown for the IGMP form of the permit command.

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the “Usage Guidelines” section of the access-list(IP extended) command.

tcp

Permits only TCP packets. When you enter the tcp keyword, you must use the specific command syntax shown for the TCP form of the permit command.

operator

(Optional) Compares source or destination ports. Operators are eq (equal) , gt (greater than),lt (less than), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard arguments, it must match the source port. If the operator is positioned after the destination and destination-wildcard arguments, it must match the destination port.

The range operator requires two port numbers. Up to ten port numbers can be entered for the eq (equal) and neq (not equal) operators. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the “Usage Guidelines” section of the access-list (IP extended) command.

TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bit set. The nonmatching case is that of the initial TCP datagram to form a connection.

match-any | match-all

(Optional) For the TCP protocol only: A match occurs if the TCP datagram has certain TCP flags set or not set. You use the match-anykeyword to allow a match to occur if any of the specified TCP flags are present, or you can use the match-allkeyword to allow a match to occur only if all of the specified TCP flags are present. You must follow the match-anyand match-allkeywords with the +or -keyword and the flag-nameargument to match on one or more TCP flags.

+ | - flag-name

(Optional) For the TCP protocol only: The + keyword matches IP packets if their TCP headers contain the TCP flags that are specified by the flag-name argument. The - keyword matches IP packets that do not contain the TCP flags specified by the flag-name argument. You must follow the + and - keywords with the flag-name argument. TCP flag names can be used only when filtering TCP. Flag names for the TCP flags are as follows: ack, fin, psh, rst, syn, and urg.

udp

Permits only UDP packets. When you enter the udp keyword, you must use the specific command syntax shown for the UDP form of the permit command.

Command Default

There are no specific conditions under which a packet passes the named access list.

Command Modes


Access list configuration (config-ext-nacl)

Command History

Release

Modification

11.2

This command was introduced.

12.0(1)T

The time-range time-range-namekeyword and argument were added.

12.0(11)

The fragmentskeyword was added.

12.2(13)T

The igrp keyword was removed because the IGRP protocol was no longer available in Cisco IOS software.

12.2(14)S

The sequence-numberargument was added.

12.2(15)T

The sequence-numberargument was added.

12.3(4)T

The option option-name keyword and argument were added. The match-any, match-all, +,and -keywords and the flag-name argument were added.

12.3(7)T

Command functionality was modified to allow up to ten port numbers to be added after the eq and neq operators so that an access list entry can be created with noncontiguous ports.

12.4

The drip keyword was added to specify the TCP port number used for Optimized Edge Routing (OER) communication.

12.4(2)T

The ttl operator valuekeyword and arguments were added.

12.2(27)SBC

This command was integrated into Cisco IOS Release 12.2(27)SBC.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4(22)T

The word argument was added to the log keyword.

Cisco IOS XE Release 3.2

This command was implemented on Cisco ASR 1000 Series Aggregation Services Routers.

Usage Guidelines

Use the permit command following the ip access-list command to define the conditions under which a packet passes the named access list.


Note


In Cisco IOS XE, an inclusive port range for users to access a network cannot be matched in the extended ACL using the permit command.


The time-range keyword allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this permit statement is in effect.

log Keyword

A log message includes the access list number or access list name, and whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and port numbers, and the user-defined cookie or router-generated hash value. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute-interval). See the ip access-list log-update command for more information.

The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from reloading because of too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

If you enable Cisco Express Forwarding and then create an access list that uses the log keyword, the packets that match the access list are not Cisco Express Forwarding switched. They are fast-switched. Logging disables Cisco Express Forwarding .

Access List Filtering of IP Options

Access control lists can be used to filter packets with IP Options to prevent routers from being saturated with spurious packets containing IP Options. To see a complete table of all IP Options, including ones currently not in use, refer to the latest Internet Assigned Numbers Authority (IANA) information that is available from its URL: www.iana.org.

Cisco IOS software allows you to filter packets according to whether they contain one or more of the legitimate IP Options by entering either the IP Option value or the corresponding name for the option-name argument as shown in the table below.

Table 9 IP Option Values and Names

IP Option Value or Name

Description

0 to 255

IP Options values.

add-ext

Match packets with Address Extension Option (147).

any-options

Match packets with any IP Option.

com-security

Match packets with Commercial Security Option (134).

dps

Match packets with Dynamic Packet State Option (151).

encode

Match packets with Encode Option (15).

eool

Match packets with End of Options (0).

ext-ip

Match packets with Extended IP Options (145).

ext-security

Match packets with Extended Security Option (133).

finn

Match packets with Experimental Flow Control Option (205).

imitd

Match packets with IMI Traffic Descriptor Option (144).

lsr

Match packets with Loose Source Route Option (131).

mtup

Match packets with MTU Probe Option (11).

mtur

Match packets with MTU Reply Option (12).

no-op

Match packets with No Operation Option (1).

nsapa

Match packets with NSAP Addresses Option (150).

psh

Match the packets on the PSH bit.

record-route

Match packets with Router Record Route Option (7).

reflect

Create reflexive access list entry.

router-alert

Match packets with Router Alert Option (148).

rst

Matche the packets on the RST bit.

sdb

Match packets with Selective Directed Broadcast Option (149).

security

Match packets with Base Security Option (130).

ssr

Match packets with Strict Source Routing Option (137).

stream-id

Match packets with Stream ID Option (136).

syn

Matches the packets on the SYN bit.

timestamp

Match packets with Time Stamp Option (68).

traceroute

Match packets with Trace Route Option (82).

ump

Match packets with Upstream Multicast Packet Option (152).

visa

Match packets with Experimental Access Control Option (142).

zsu

Match packets with Experimental Measurement Option (10).

Filtering IP Packets Based on TCP Flags

The access list entries that make up an access list can be configured to detect and drop unauthorized TCP packets by allowing only the packets that have very specific groups of TCP flags set or not set. Users can select any desired combination of TCP flags with which to filter TCP packets. Users can configure access list entries in order to allow matching on a flag that is set and on a flag that is not set. Use the + and - keywords with a flag name to specify that a match is made based on whether a TCP header flag has been set. Use the match-any and match-all keywords to allow the packet if any or all, respectively, of the flags specified by the + or - keyword and flag-name argument have been set or not set.

Permitting Optimized Edge Routing (OER) Communication

The drip keyword was introduced under the tcp keyword to support packet filtering in a network where OER is configured. The drip keyword specifies port 3949 that OER uses for internal communication. This option allows you to build a packet filter that permits communication between an OER master controller and border routers. The drip keyword is entered following the TCP source, destination addresses, and the eq operator. See the example in the “Examples” section.

Access List Processing of Fragments

The behavior of access list entries regarding the use or lack of use of the fragments keyword can be summarized as follows:

If the Access-List Entry Has ...

Then ...

... no fragments keyword (the default behavior), and assuming all of the access list entry information matches,

For an access list entry that contains only Layer 3 information, the entry is applied to nonfragmented packets, initial fragments, and noninitial fragments.

For an access list entry that contains Layer 3 and Layer 4 information:

  • The entry is applied to nonfragmented packets and initial fragments.
    • If the entry is a permitstatement, then the packet or fragment is permitted.
    • If the entry is a denystatement, then the packet or fragment is denied.
  • The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access list entry can be applied. If the Layer 3 portion of the access list entry matches, and
    • If the entry is a permitstatement, then the noninitial fragment is permitted.
    • If the entry is a deny statement, then the next access list entry is processed.
Note   

The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

... the fragments keyword, and assuming all of the access list entry information matches,

The access list entry is applied only to noninitial fragments. The fragments keyword cannot be configured for an access list entry that contains any Layer 4 information.

Be aware that you should not add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragmentskeyword. The packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases in which there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.

Packet fragments of IP datagrams are considered individual packets, and each counts individually as a packet in access list accounting and access list violation counts.


Note


The fragmentskeyword cannot solve all cases that involve access lists and IP fragments.


Fragments and Policy Routing

Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list has entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy-routed, even if the first fragment is not policy-routed.

If you specify the fragments keyword in access list entries, a better match between the action taken for initial and noninitial fragments can be made, and it is more likely that policy routing will occur as intended.

Creating an Access List Entry with Noncontiguous Ports

For Cisco IOS Release 12.3(7)T and later releases, you can specify noncontiguous ports on the same access control entry, which greatly reduces the number of access list entries required for the same source address, destination address, and protocol. If you maintain large numbers of access list entries, we recommend that you consolidate them when possible by using noncontiguous ports. You can specify up to ten port numbers following the eq and neq operators.

Examples

The following example shows how to set conditions for a standard access list named Internetfilter:

ip access-list standard Internetfilter
 deny 192.168.34.0  0.0.0.255
 permit 172.16.0.0  0.0.255.255
 permit 10.0.0.0  0.255.255.255
! (Note: all other access implicitly denied).

The following example shows how to permit Telnet traffic on Mondays, Tuesdays, and Fridays from 9:00 a.m. to 5:00 p.m.:

time-range testing
 periodic Monday Tuesday Friday 9:00 to 17:00
!
ip access-list extended legal
 permit tcp any any eq telnet time-range testing
!
interface ethernet0
 ip access-group legal in

The following example shows how to set a permit condition for an extended access list named filter2. The access list entry specifies that a packet may pass the named access list only if it contains the NSAP Addresses IP Option, which is represented by the IP Option value nsapa.

ip access-list extended filter2
 permit ip any any option nsapa

The following example shows how to set a permit condition for an extended access list named kmdfilter1. The access list entry specifies that a packet can pass the named access list only if the RST IP flag has been set for that packet:

ip access-list extended kmdfilter1
 permit tcp any any match-any +rst

The following example shows how to set a permit condition for an extended access list named kmdfilter1. The access list entry specifies that a packet can pass the named access list if the RST TCP flag or the FIN TCP flag has been set for that packet:

ip access-list extended kmdfilter1
 permit tcp any any match-any +rst +fin

The following example shows how to verify the access list by using the show access-lists command and then to add an entry to an existing access list:

Router# show access-lists
Standard IP access list 1
2 permit 10.0.0.0, wildcard bits 0.0.255.255
5 permit 10.0.0.0, wildcard bits 0.0.255.255
10 permit 10.0.0.0, wildcard bits 0.0.255.255
20 permit 10.0.0.0, wildcard bits 0.0.255.255
ip access-list standard 1 
 15 permit 10.0.0.0 0.0.255.255

The following examples shows how to remove the entry with the sequence number of 20 from the access list:

ip access-list standard 1
 no 20
!Verify that the list has been removed.
Router# show access-lists
Standard IP access list 1
10 permit 0.0.0.0, wildcard bits 0.0.0.255
30 permit 0.0.0.0, wildcard bits 0.0.0.255
40 permit 0.4.0.0, wildcard bits 0.0.0.255

The following example shows how, if a user tries to enter an entry that is a duplicate of an entry already on the list, no changes occur. The entry that the user is trying to add is a duplicate of the entry already in the access list with a sequence number of 20.

Router# show access-lists 101
Extended IP access list 101
    10 permit ip host 10.0.0.0 host 10.5.5.34
    20 permit icmp any any
    30 permit ip host 10.0.0.0 host 10.2.54.2
    40 permit ip host 10.0.0.0 host 10.3.32.3 log
ip access-list extended 101
 100 permit icmp any any
Router# show access-lists 101
Extended IP access list 101
    10 permit ip host 10.3.3.3 host 10.5.5.34
    20 permit icmp any any
    30 permit ip host 10.34.2.2 host 10.2.54.2
    40 permit ip host 10.3.4.31 host 10.3.32.3 log

The following example shows what occurs if a user tries to enter a new entry with a sequence number of 20 when an entry with a sequence number of 20 is already in the list. An error message appears, and no change is made to the access list.

Router# show access-lists 101
Extended IP access lists 101
    10 permit ip host 10.3.3.3 host 10.5.5.34
    20 permit icmp any any
    30 permit ip host 10.34.2.2 host 10.2.54.2
    40 permit ip host 10.3.4.31 host 10.3.32.3 log
ip access-lists extended 101 
 20 permit udp host 10.1.1.1 host 10.2.2.2
%Duplicate sequence number. 
Router# show access-lists 101
Extended IP access lists 101
    10 permit ip host 10.3.3.3 host 10.5.5.34
    20 permit icmp any any
    30 permit ip host 10.34.2.2 host 10.2.54.2
    40 permit ip host 10.3.4.31 host 10.3.32.3 log

The following example shows several permit statements that can be consolidated into one access list entry with noncontiguous ports. The show access-lists command is entered to display a group of access list entries for the access list named aaa.

Router# show access-lists aaa
Extended IP access lists aaa
 10 permit tcp any eq telnet any eq 450
 20 permit tcp any eq telnet any eq 679
 30 permit tcp any eq ftp any eq 450 
 40 permit tcp any eq ftp any eq 679

Because the entries are all for the same permit statement and simply show different ports, they can be consolidated into one new access list entry. The following example shows the removal of the redundant access list entries and the creation of a new access list entry that consolidates the previously displayed group of access list entries:

ip access-list extended aaa
 no 10
 no 20
 no 30
 no 40
 permit tcp any eq telnet ftp any eq 450 679

The following example shows the creation of the consolidated access list entry:

Router# show access-lists aaa
Extended IP access list aaa
 10 permit tcp any eq telnet ftp any eq 450 679

The following access list filters IP packets containing Type of Service (ToS) level 3 with TTL values 10 and 20. It also filters IP packets with a TTL greater than 154 and applies that rule to noninitial fragments. It permits IP packets with a precedence level of flash and a TTL not equal to 1, and sends log messages about such packets to the console. All other packets are denied.

ip access-list extended canton
 deny ip any any tos 3 ttl eq 10 20
 deny ip any any ttl gt 154 fragments
 permit ip any any precedence flash ttl neq 1 log

The following example shows how to configure a packet filter, for any TCP source and destination, that permits communication between an OER master controller and border router:

ip access-list extended 100
 permit any any tcp eq drip 
 exit 

The following example shows how to set a permit condition for an extended access list named filter_logging. The access list entry specifies that a packet may pass the named access list only if it is of TCP protocol type and destined to host 10.5.5.5, all other packets are denied. In addition, the logging mechanism is enabled and one of the user defined cookies (Permit_tcp_to_10.5.5.5 or Deny_all) is appended to the appropriate syslog entry.

ip access-list extended filter_logging
 permit tcp any host 10.5.5.5 log Permit_tcp_to_10.5.5.5
 deny ip any any log Deny_all

The following example shows how to configure a packet filter for any TCP source and destination that permits inbound and outbound BGP traffic:

ip access-list extended 100 
 permit tcp any eq bgp any eq bgp

Related Commands

Command

Description

absolute

Specifies an absolute time when a time range is in effect.

access-list (IP extended)

Defines an extended IP access list.

access-list (IP standard)

Defines a standard IP access list.

deny (IP)

Sets conditions under which a packet does not pass a named IP access list.

ip access-group

Controls access to an interface.

ip access-list log-update

Sets the threshold number of packets that cause a logging message.

ip access-list logging hash-generation

Enables hash value generation for ACE syslog entries.

ip access-list resequence

Applies sequence numbers to the access list entries in an access list.

ip options

Drops or ignores IP Options packets that are sent to the router.

logging console

Sends system logging (syslog) messages to all available TTY lines and limits messages based on severity.

match ip address

Distributes any routes that have a destination network number address that is permitted by a standard or extended access list, or performs policy routing on packets.

periodic

Specifies a recurring (weekly) time range for functions that support the time-range feature.

show access-lists

Displays a group of access-list entries.

show ip access-list

Displays the contents of all current IP access lists.

time-range

Specifies when an access list or other feature is in effect.

permit (IPv6)

To set permit conditions for an IPv6 access list, use the permit command in IPv6 access list configuration mode. To remove the permit conditions, use the no form of this command.

permit protocol { source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth } [ operator [port-number] ] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth } [ operator [port-number] ] [ dest-option-type [ doh-number | doh-type ] ] [ dscp value ] [ flow-label value ] [fragments] [hbh] [log] [log-input] [mobility] [ mobility-type [ mh-number | mh-type ] ] [ reflect name [ timeout value ] ] [routing] [ routing-type routing-number ] [ sequence value ] [ time-range name ]

no permit protocol { source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth } [ operator [port-number] ] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth } [ operator [port-number] ] [ dest-option-type [ doh-number | doh-type ] ] [ dscp value ] [ flow-label value ] [fragments] [hbh] [log] [log-input] [mobility] [ mobility-type [ mh-number | mh-type ] ] [ reflect name [ timeout value ] ] [routing] [ routing-type routing-number ] [ sequence value ] [ time-range name ]

Internet Control Message Protocol

permit icmp { source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth } [ operator [port-number] ] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth } [ operator [port-number] ] [ icmp-type [icmp-code] | icmp-message ] [ dest-option-type [ doh-number | doh-type ] ] [ dscp value ] [ flow-label value ] [fragments] [hbh] [log] [log-input] [mobility] [ mobility-type [ mh-number | mh-type ] ] [routing] [ routing-type routing-number ] [ sequence value ] [ time-range name ]

Transmission Control Protocol

permit tcp { source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth } [ operator [port-number] ] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth } [ operator [port-number] ] [ack] [ dest-option-type [ doh-number | doh-type ] ] [ dscp value ] [established] [fin] [ flow-label value ] [fragments] [hbh] [log] [log-input] [mobility] [ mobility-type [ mh-number | mh-type ] ] [ neq { port | protocol } ] [psh] [ range { port | protocol } ] [ reflect name [ timeout value ] ] [routing] [ routing-type routing-number ] [rst] [ sequence value ] [syn] [ time-range name ] [urg]

User Datagram Protocol

permit udp { source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth } [ operator [port-number] ] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth } [ operator [port-number] ] [ dest-option-type [ doh-number | doh-type ] ] [ dscp value ] [ flow-label value ] [fragments] [hbh] [log] [log-input] [mobility] [ mobility-type [ mh-number | mh-type ] ] [ neq { port | protocol } ] [ range { port | protocol } ] [ reflect name [ timeout value ] ] [routing] [ routing-type routing-number ] [ sequence value ] [ time-range name ]

Syntax Description

protocol

Name or number of an Internet protocol. It can be one of the keywords ahp, esp, icmp, ipv6, pcp, sctp, tcp, udp, or hbh, or an integer in the range from 0 to 255 representing an IPv6 protocol number.

source-ipv6-prefix/prefix-length

The source IPv6 network or class of networks about which to set permit conditions.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

any

An abbreviation for the IPv6 prefix ::/0.

host source-ipv6-address

The source IPv6 host address about which to set permit conditions.

This source-ipv6-address argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

auth

Allows matching traffic against the presence of the authentication header in combination with any protocol.

operator [port-number]

(Optional) Specifies an operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source-ipv6-prefix/prefix-length argument, it must match the source port.

If the operator is positioned after the destination-ipv6-prefix/prefix-length argument, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

The optional port-number argument is a decimal number or the name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP.

destination-ipv6-prefix/ prefix-length

The destination IPv6 network or class of networks about which to set permit conditions.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

host destination-ipv6-address

The destination IPv6 host address about which to set permit conditions.

This destination-ipv6-address argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

dest-option-type

(Optional) Matches IPv6 packets against the destination extension header within each IPv6 packet header.

doh-number

(Optional) Integer in the range from 0 to 255 representing an IPv6 destination option extension header.

doh-type

(Optional) Destination option header types. The possible destination option header type and its corresponding doh-number value are home-address—201.

dscp value

(Optional) Matches a differentiated services codepoint value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 63.

flow-label value

(Optional) Matches a flow label value against the flow label value in the Flow Label field of each IPv6 packet header. The acceptable range is from 0 to 1048575.

fragments

(Optional) Matches non-initial fragmented packets where the fragment extension header contains a non-zero fragment offset. The fragments keyword is an option only if the operator [port-number] arguments are not specified. When this keyword is used, it also matches when the first fragment does not have Layer 4 information.

hbh

(Optional) Matches IPv6 packets against the hop-by-hop extension header within each IPv6 packet header.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list name and sequence number, whether the packet was permitted; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted in the prior 5-minute interval.

log-input

(Optional) Provides the same function as the log keyword, except that the logging message also includes the input interface.

mobility

(mobility) Matches IPv6 packets against the mobility extension header within each IPv6 packet header.

mobility-type

(Optional) Matches IPv6 packets against the mobility-type extension header within each IPv6 packet header. Either the mh-number or mh-type argument must be used with this keyword.

mh-number

(Optional) Integer in the range from 0 to 255 representing an IPv6 mobility header type.

mh-type

(Optional) Mobility header types. Possible mobility header types and their corresponding mh-number value are as follows:

  • 0—bind-refresh

  • 1—hoti

  • 2—coti

  • 3—hot

  • 4—cot

  • 5—bind-update

  • 6—bind-acknowledgment

  • 7—bind-error

reflect name

(Optional) Specifies a reflexive IPvì6 access list. Reflexive IPv6 access lists are created dynamically when an IPv6 packets matches a permit statement that contains the reflect keyword. The reflexive IPv6 access list mirrors the permit statement and times out automatically when no IPv6 packets match the permit statement. Reflexive IPv6 access lists can be applied to the TCP, UDP, SCTP, and ICMP for IPv6 packets.

timeout value

(Optional) Interval of idle time (in seconds) after which a reflexive IPv6 access list times out. The acceptable range is from 1 to 4294967295. The default is 180 seconds.

routing

(Optional) Matches source-routed packets against the routing extension header within each IPv6 packet header.

routing-type

(Optional) Matches IPv6 packets against the routing-type extension header within each IPv6 packet header. The routing-number argument must be used with this keyword.

routing-number

Integer in the range from 0 to 255 representing an IPv6 routing header type. Possible routing header types and their corresponding routing-number value are as follows:

  • 0—Standard IPv6 routing header

  • 2—Mobile IPv6 routing header

sequence value

(Optional) Specifies the sequence number for the access list statement. The acceptable range is from 1 to 4294967295.

time-range name

(Optional) Specifies the time range that applies to the permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.

icmp-type

(Optional) Specifies an ICMP message type for filtering ICMP packets. ICMP packets can be filtered by ICMP message type. The ICMP message type can be a number from 0 to 255, some of which include the following predefined strings and their corresponding numeric values:

  • 144—dhaad-request

  • 145—dhaad-reply

  • 146—mpd-solicitation

  • 147—mpd-advertisement

icmp-code

(Optional) Specifies an ICMP message code for filtering ICMP packets. ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) Specifies an ICMP message name for filtering ICMP packets. ICMP packets can be filtered by an ICMP message name or ICMP message type and code. The possible names are listed in the “Usage Guidelines” section.

ack

(Optional) For the TCP protocol only: acknowledgment (ACK) bit set.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

fin

(Optional) For the TCP protocol only: Fin bit set; no more data from sender.

neq {port | protocol}

(Optional) Matches only packets that are not on a given port number.

psh

(Optional) For the TCP protocol only: Push function bit set.

{range port | protocol}

(Optional) Matches only packets in the range of port numbers.

rst

(Optional) For the TCP protocol only: Reset bit set.

syn

(Optional) For the TCP protocol only: Synchronize bit set.

urg

(Optional) For the TCP protocol only: Urgent pointer bit set.

Command Default

No IPv6 access list is defined.

Command Modes


IPv6 access list configuration (config-ipv6-acl)#

Command History

Release

Modification

12.0(23)S

This command was introduced.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.4(2)T

The icmp-type argument was enhanced. The dest-option-type, mobility, mobility-type, and routing-type keywords were added. The doh-number, doh-type, mh-number, mh-type, and routing-number arguments were added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(25)SG

This command was integrated into Cisco IOS Release 12.2(25)SG.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

Cisco IOS XE Release 2.1

This command was introduced on Cisco ASR 1000 series routers.

12.4(20)T

The auth keyword was added.

12.2(33)SRE

This command was integrated into Cisco IOS Release 12.2(33)SRE.

15.2(3)T

This command was modified. Support was added for the hbh keyword.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

Cisco IOS XE Release 3.2SE

This command was integrated into Cisco IOS XE Release 3.2SE.

15.4(2)S

This command was implemented on the Cisco ASR 901 Series Aggregation Services Router.

Usage Guidelines

The permit (IPv6) command is similar to the permit (IP) command, except that it is IPv6-specific.

Use the permit (IPv6) command following the ipv6 access-list command to define the conditions under which a packet passes the access list or to define the access list as a reflexive access list.

Specifying IPv6 for the protocol argument matches against the IPv6 header of the packet.

By default, the first statement in an access list is number 10, and the subsequent statements are incremented by 10.

You can add permit, deny, remark, or evaluate statements to an existing access list without retyping the entire list. To add a new statement anywhere other than at the end of the list, create a new statement with an appropriate entry number that falls between two existing entry numbers to indicate where it belongs.

In Cisco IOS Release 12.2(2)T or later releases, 12.0(21)ST, and 12.0(22)S, IPv6 access control lists (ACLs) are defined and their deny and permit conditions are set by using the ipv6 access-list command with the deny and permit keywords in global configuration mode. In Cisco IOS Release 12.0(23)S or later releases, IPv6 ACLs are defined by using the ipv6 access-list command in global configuration mode and their permit and deny conditions are set by using the deny and permit commands in IPv6 access list configuration mode. Refer to the ipv6 access-list command for more information on defining IPv6 ACLs.


Note


In Cisco IOS Release 12.0(23)S or later releases, every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.) An IPv6 ACL must contain at least one entry for the implicit deny ipv6 any any statement to take effect. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.


Both the source-ipv6-prefix/prefix-length and destination-ipv6-prefix/prefix-length arguments are used for traffic filtering (the source prefix filters traffic based upon the traffic source; the destination prefix filters traffic based upon the traffic destination).


Note


IPv6 prefix lists, not access lists, should be used for filtering routing protocol prefixes.


The fragments keyword is an option only if the operator [port-number] arguments are not specified.

The following is a list of ICMP message names:

  • beyond-scope

  • destination-unreachable

  • echo-reply

  • echo-request

  • header

  • hop-limit

  • mld-query

  • mld-reduction

  • mld-report

  • nd-na

  • nd-ns

  • next-header

  • no-admin

  • no-route

  • packet-too-big

  • parameter-option

  • parameter-problem

  • port-unreachable

  • reassembly-timeout

  • renum-command

  • renum-result

  • renum-seq-number

  • router-advertisement

  • router-renumbering

  • router-solicitation

  • time-exceeded

  • unreachable

Defining Reflexive Access Lists

To define an IPv6 reflexive list, a form of session filtering, use the reflect keyword in the permit (IPv6) command. The reflect keyword creates an IPv6 reflexive access list and triggers the creation of entries in the reflexive access list. The reflect keyword must be an entry (condition statement) in an IPv6 access list.


Note


For IPv6 reflexive access lists to work, you must nest the reflexive access list using the evaluate command.


If you are configuring IPv6 reflexive access lists for an external interface, the IPv6 access list should be one that is applied to outbound traffic.

If you are configuring an IPv6 reflexive access list for an internal interface, the IPv6 access list should be one that is applied to inbound traffic.

IPv6 sessions that originate from within your network are initiated with a packet exiting your network. When such a packet is evaluated against the statements in the IPv6 access list, the packet is also evaluated against the IPv6 reflexive permit entry.

As with all IPv6 access list entries, the order of entries is important, because they are evaluated in sequential order. When an IPv6 packet reaches the interface, it will be evaluated sequentially by each entry in the access list until a match occurs.

If the packet matches an entry prior to the reflexive permit entry, the packet will not be evaluated by the reflexive permit entry, and no temporary entry will be created for the reflexive access list (session filtering will not be triggered).

The packet will be evaluated by the reflexive permit entry if no other match occurs first. Then, if the packet matches the protocol specified in the reflexive permit entry, the packet is forwarded and a corresponding temporary entry is created in the reflexive access list (unless the corresponding entry already exists, indicating that the packet belongs to a session in progress). The temporary entry specifies criteria that permit traffic into your network only for the same session.

Characteristics of Reflexive Access List Entries

The permit (IPv6) command with the reflect keyword enables the creation of temporary entries in the same IPv6 reflexive access list that was defined by the permit (IPv6) command. The temporary entries are created when an IPv6 packet exiting your network matches the protocol specified in the permit (IPv6) command. (The packet “triggers” the creation of a temporary entry.) These entries have the following characteristics:

  • The entry is a permit entry.

  • The entry specifies the same IP upper-layer protocol as the original triggering packet.

  • The entry specifies the same source and destination addresses as the original triggering packet, except that the addresses are swapped.

  • If the original triggering packet is TCP or UDP, the entry specifies the same source and destination port numbers as the original packet, except that the port numbers are swapped.

  • If the original triggering packet is a protocol other than TCP or UDP, port numbers do not apply, and other criteria are specified. For example, for ICMP, type numbers are used: The temporary entry specifies the same type number as the original packet (with only one exception: if the original ICMP packet is type 8, the returning ICMP packet must be type 0 to be matched).

  • The entry inherits all the values of the original triggering packet, with exceptions only as noted in the previous four bullets.

  • IPv6 traffic entering your internal network will be evaluated against the entry, until the entry expires. If an IPv6 packet matches the entry, the packet will be forwarded into your network.

  • The entry will expire (be removed) after the last packet of the session is matched.

  • If no packets belonging to the session are detected for a configured length of time (the timeout period), the entry will expire.

Examples

The following example configures two IPv6 access lists named OUTBOUND and INBOUND and applies both access lists to outbound and inbound traffic on Ethernet interface 0. The first and second permit entries in the OUTBOUND list permit all TCP and UDP packets from network 2001:ODB8:0300:0201::/64 to exit out of Ethernet interface 0. The entries also configure the temporary IPv6 reflexive access list named REFLECTOUT to filter returning (incoming) TCP and UDP packets on Ethernet interface 0. The first deny entry in the OUTBOUND list keeps all packets from the network FEC0:0:0:0201::/64 (packets that have the site-local prefix FEC0:0:0:0201 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0. The third permit entry in the OUTBOUND list permits all ICMP packets to exit out of Ethernet interface 0.

The permit entry in the INBOUND list permits all ICMP packets to enter Ethernet interface 0. The evaluate command in the list applies the temporary IPv6 reflexive access list named REFLECTOUT to inbound TCP and UDP packets on Ethernet interface 0. When outgoing TCP or UDP packets are permitted on Ethernet interface 0 by the OUTBOUND list, the INBOUND list uses the REFLECTOUT list to match (evaluate) the returning (incoming) TCP and UDP packets. Refer to the evaluate command for more information on nesting IPv6 reflexive access lists within IPv6 ACLs.

ipv6 access-list OUTBOUND
 permit tcp 2001:0DB8:0300:0201::/64 any reflect REFLECTOUT
 permit udp 2001:0DB8:0300:0201::/64 any reflect REFLECTOUT
 deny FEC0:0:0:0201::/64 any
 permit icmp any any
ipv6 access-list INBOUND
 permit icmp any any
 evaluate REFLECTOUT
interface ethernet 0
 ipv6 traffic-filter OUTBOUND out
 ipv6 traffic-filter INBOUND in

Note


Given that a permit any any statement is not included as the last entry in the OUTBOUND or INBOUND access list, only TCP, UDP, and ICMP packets will be permitted out of and in to Ethernet interface 0 (the implicit deny all condition at the end of the access list denies all other packet types on the interface).


The following example shows how to allow the matching of any UDP traffic. The authentication header may be present.

permit udp any any sequence 10

The following example shows how to allow the matching of only TCP traffic if the authentication header is also present.

permit tcp any any auth sequence 20

The following example shows how to allow the matching of any IPv6 traffic where the authentication header is present.

permit ahp any any sequence 30 

Related Commands

Command

Description

deny (IPv6)

Sets deny conditions for an IPv6 access list.

evaluate (IPv6)

Nests an IPv6 reflexive access list within an IPv6 access list.

ipv6 access-list

Defines an IPv6 access list and enters IPv6 access list configuration mode.

ipv6 traffic-filter

Filters incoming or outgoing IPv6 traffic on an interface.

show ipv6 access-list

Displays the contents of all current IPv6 access lists.

permit (MAC ACL)

To set conditions for a MAC access list, use the permit command in MAC access-list extended configuration mode. To remove a condition from an access list, use the no form of this command.

permit { src_mac_mask | host name src_mac_name | any } { dest_mac_mask | host name dst_mac_name | any } [ { protocol_keyword | ethertype_number ethertype_mask } [ vlan vlan_ID ] [ cos cos_value ] ]

no permit { src_mac_mask | host name src_mac_name | any } { dest_mac_mask | host name dst_mac_name | any } [ { protocol_keyword | ethertype_number ethertype_mask } [ vlan vlan_ID ] [ cos cos_value ] ]

Syntax Description

src_mac_mask

Specifies the MAC address mask that identifies a selected block of source MAC addresses. A value of 1 represents a wildcard in that position.

host name src_mac_name

Specifies a source host that has been named using the mac host name command.

any

Specifies any source or any destination host as an abbreviation for the src_mac_maskor dest_mac_maskvalue of 1111.1111.1111, which declares all digits to be wildcards .

dest_mac_mask

Specifies the MAC address mask that identifies a selected block of destination MAC addresses.

host name dst_mac_name

Specifies a destination host that has been named using the mac host name command.

protocol_keyword

(Optional) Specifies a named protocol (for example, ARP).

ethertype_number

(Optional) The EtherType number specifies the protocol within the Ethernet packet.

ethertype_mask

(Optional) The EtherType mask allows a range of EtherTypes to be specified together. This is a hexadecimal number from 0 to FFFF. An EtherType mask of 0 requires an exact match of the EtherType.

vlan vlan_ID

(Optional) Specifies a VLAN.

cos cos_value

(Optional) Specifies the Layer 2 priority level for packets. The range is from 0 to 7.

Command Default

This command has no defaults.

Command Modes


MAC access-list extended configuration (config-ext-macl)

Command History

Release

Modification

12.2(33)SXI

This command was introduced.

15.1(2)SNG

This command was implemented on the Cisco ASR 901 Series Aggregation Services Routers.

Usage Guidelines

Use this command following the ip access-list command to define the conditions under which a packet passes the access list.

  • The vlan and cos keywords are not supported in MAC ACLs used for VACL filtering.

  • The vlan keyword for VLAN-based QoS filtering in MAC ACLs can be globally enabled or disabled and is disabled by default.

  • Enter MAC addresses as three 2-byte values in dotted hexadecimal format. For example, 0123.4567.89ab.

  • Enter MAC address masks as three 2-byte values in dotted hexadecimal format. Use 1 bits as wildcards. For example, to match an address exactly, use 0000.0000.0000 (can be entered as 0.0.0).

  • An entry without a protocol parameter matches any protocol.

  • Enter an EtherType and an EtherType mask as hexadecimal values from 0 to FFFF.

  • This list shows the EtherType values and their corresponding protocol keywords:
    • 0x0600--xns-idp--Xerox XNS IDP
    • 0x0BAD--vines-ip--Banyan VINES IP
    • 0x0baf--vines-echo--Banyan VINES Echo
    • 0x6000--etype-6000--DEC unassigned, experimental
    • 0x6001--mop-dump--DEC Maintenance Operation Protocol (MOP) Dump/Load Assistance
    • 0x6002--mop-console--DEC MOP Remote Console
    • 0x6003--decnet-iv--DEC DECnet Phase IV Route
    • 0x6004--lat--DEC Local Area Transport (LAT)
    • 0x6005--diagnostic--DEC DECnet Diagnostics
    • 0x6007--lavc-sca--DEC Local-Area VAX Cluster (LAVC), SCA
    • 0x6008--amber--DEC AMBER
    • 0x6009--mumps--DEC MUMPS
    • 0x0800--ip--Malformed, invalid, or deliberately corrupt IP frames
    • 0x8038--dec-spanning--DEC LANBridge Management
    • 0x8039--dsm--DEC DSM/DDP
    • 0x8040--netbios--DEC PATHWORKS DECnet NETBIOS Emulation
    • 0x8041--msdos--DEC Local Area System Transport
    • 0x8042--etype-8042--DEC unassigned
    • 0x809B--appletalk--Kinetics EtherTalk (AppleTalk over Ethernet)
    • 0x80F3--aarp--Kinetics AppleTalk Address Resolution Protocol (AARP)

Examples

This example shows how to create a MAC-Layer ACL named mac_layer that permits dec-phase-iv traffic with source address 0000.4700.0001 and destination address 0000.4700.0009, but denies all other traffic:

Router(config)# mac access-list extended mac_layer
 
Router(config-ext-macl)# permit 0000.4700.0001 0.0.0 0000.4700.0009 0.0.0 dec-phase-iv
 
Router(config-ext-macl)# deny any any
 

Related Commands

Command

Description

deny (MAC ACL)

Sets deny conditions for a named MAC access list.

mac access-list extended

Defines a MAC access list by name.

mac host

Assigns a name to a MAC address.

show mac access-group

Displays the contents of all current MAC access groups.

permit (reflexive)

To create a reflexive access list and to enable its temporary entries to be automatically generated, use the permitcommand in access-list configuration mode. To delete the reflexive access list (if only one protocol was defined) or to delete protocol entries from the reflexive access list (if multiple protocols are defined), use the no form of this command.

permit protocol source source-wildcard destination destination-wildcard reflect name [ timeout seconds ]

no permit protocol source-wildcard destination destination-wildcard reflect name

Syntax Description

protocol

Name or number of an IP protocol. It can be one of the keywords gre, icmp, ip, ipinip, nos, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including Internet Control Message Protocol, Transmission Control Protocol, and User Datagram Protocol), use the keyword ip.

source

Number of the network or host from which the packet is being sent. There are three other ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section “Usage Guidelines”).

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits (mask) to be applied to source. There are three other ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section “Usage Guidelines”).

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three other ways to specify the destination:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section “Usage Guidelines”).

  • Use host destinationas an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination- wildcard

Wildcard bits to be applied to the destination. There are three other ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. This keyword is normally not recommended (see the section “Usage Guidelines”).

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

reflect

Identifies this access list as a reflexive access list.

name

Specifies the name of the reflexive access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists. The name can be up to 64 characters long.

timeout seconds

(Optional) Specifies the number of seconds to wait (when no session traffic is being detected) before entries expire in this reflexive access list. Use a positive integer from 0 to 232-1. If not specified, the number of seconds defaults to the global timeout value.

Command Default

If this command is not configured, no reflexive access lists will exist, and no session filtering will occur.

If this command is configured without specifying a timeout value, entries in this reflexive access list will expire after the global timeout period.

Command Modes


Access-list configuration

Command History

Release

Modification

11.3

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS release 12.(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

This command is used to achieve reflexive filtering, a form of session filtering.

For this command to work, you must also nest the reflexive access list using the evaluate command.

This command creates a reflexive access list and triggers the creation of entries in the same reflexive access list. This command must be an entry (condition statement) in an extended named IP access list.

If you are configuring reflexive access lists for an external interface, the extended named IP access list should be one which is applied to outbound traffic.

If you are configuring reflexive access lists for an internal interface, the extended named IP access list should be one which is applied to inbound traffic.

IP sessions that originate from within your network are initiated with a packet exiting your network. When such a packet is evaluated against the statements in the extended named IP access list, the packet is also evaluated against this reflexive permit entry.

As with all access list entries, the order of entries is important, because they are evaluated in sequential order. When an IP packet reaches the interface, it will be evaluated sequentially by each entry in the access list until a match occurs.

If the packet matches an entry prior to the reflexive permit entry, the packet will not be evaluated by the reflexive permit entry, and no temporary entry will be created for the reflexive access list (session filtering will not be triggered).

The packet will be evaluated by the reflexive permit entry if no other match occurs first. Then, if the packet matches the protocol specified in the reflexive permit entry, the packet is forwarded and a corresponding temporary entry is created in the reflexive access list (unless the corresponding entry already exists, indicating the packet belongs to a session in progress). The temporary entry specifies criteria that permits traffic into your network only for the same session.

Characteristics of Reflexive Access List Entries

This command enables the creation of temporary entries in the same reflexive access list that was defined by this command. The temporary entries are created when a packet exiting your network matches the protocol specified in this command. (The packet “triggers” the creation of a temporary entry.) These entries have the following characteristics:

  • The entry is a permit entry.

  • The entry specifies the same IP upper-layer protocol as the original triggering packet.

  • The entry specifies the same source and destination addresses as the original triggering packet, except the addresses are swapped.

  • If the original triggering packet is TCP or UDP, the entry specifies the same source and destination port numbers as the original packet, except the port numbers are swapped.

If the original triggering packet is a protocol other than TCP or UDP, port numbers do not apply, and other criteria are specified. For example, for ICMP, type numbers are used: the temporary entry specifies the same type number as the original packet (with only one exception: if the original ICMP packet is type 8, the returning ICMP packet must be type 0 to be matched).

  • The entry inherits all the values of the original triggering packet, with exceptions only as noted in the previous four bullets.

  • IP traffic entering your internal network will be evaluated against the entry, until the entry expires. If an IP packet matches the entry, the packet will be forwarded into your network.

  • The entry will expire (be removed) after the last packet of the session is matched.

  • If no packets belonging to the session are detected for a configurable length of time (the timeout period), the entry will expire.

Examples

The following example defines a reflexive access list tcptraffic, in an outbound access list that permits all Border Gateway Protocol and Enhanced Interior Gateway Routing Protocol traffic and denies all ICMP traffic. This example is for an external interface (an interface connecting to an external network).

First, the interface is defined and the access list is applied to the interface for outbound traffic.

interface Serial 1
 description Access to the Internet via this interface
 ip access-group outboundfilters out

Next, the outbound access list is defined and the reflexive access list tcptraffic is created with a reflexive permit entry.

ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic

Related Commands

Command

Description

evaluate

Nests a reflexive access list within an access list.

ip access-list

Defines an IP access list by name.

ip reflexive-list timeout

Specifies the length of time that reflexive access list entries will continue to exist when no packets in the session are detected.

permit (webvpn acl)

To set conditions to allow packets to pass a named Secure Sockets Layer Virtual Private Network (SSL VPN) access list, use the permit command in webvpn acl configuration mode. To remove a permit condition from an access list, use the no form of this command.

permit [ url [ any | url-string ] ] [ ip | tcp | udp | http | https | cifs ] [ any | source-ip source-mask ] [ any | destination-ip destination-mask ] time-range time-range-name [syslog]

no permit url [ any | url-string ] [ ip | tcp | udp | http | https | cifs ] [ any | source-ip source-mask ] [ any | destination-ip destination-mask ] time-range time-range-name [syslog]

Syntax Description

url

(Optional) Filtering rules are applied to a URL.

  • Use the any keyword as an abbreviation for any URL.

url-string

(Optional) URL string defined as follows: scheme://host[:port][/path]

  • scheme --Can be HTTP, Secure HTTPS (HTTPS), or Common Internet File System (CIFS). This field is required in the URL string.

  • host --Can be a hostname or a host IP (host mask). The host can have one wildcard (*).

  • port --Can be any valid port number (1-65535). It is possible to have multiple port numbers separated by a comma (,). The port range is expressed using a dash (-).

  • path --Can be any valid path string. In the path string, the $user is translated to the current user name.

ip

(Optional) Permits only IP packets. When you enter the ip keyword, you must use the specific command syntax shown for the IP form of the permit command.

tcp

(Optional) Permits only TCP packets. When you enter the tcp keyword, you must use the specific command syntax shown for the TCP form of the permit command.

udp

(Optional) Permitss only UDP packets. When you enter the udp keyword, you must use the specific command syntax shown for the UDP form of the permit command.

http

(Optional) Permits only HTTP packets. When you enter the http keyword, you must use the specific command syntax shown for the HTTP form of the permit command.

https

(Optional) Permits only HTTPS packets. When you enter the https keyword, you must use the specific command syntax shown for the HTTPS form of the permit command.

cifs

(Optional) Permits only CIFS packets. When you enter the cifskeyword, you must use the specific command syntax shown for the CIFS form of the permit command.

source-ip source-mask

(Optional) Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

  • Use a 32-bit quantity in four-part dotted-decimal format.

  • Use the any keyword as an abbreviation for a source and source mask of 0.0.0.0 255.255.255.255.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination-ip destination-mask

(Optional) Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

  • Use a 32-bit quantity in four-part dotted-decimal format.

  • Use the any keyword as an abbreviation for a source and source mask of 0.0.0.0 255.255.255.255.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

time-range time-range-name

Name of the time range that applies to this permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.

syslog

(Optional) System logging messages are generated.

Command Default

All packets are permitted.

Command Modes


Webvpn acl configuration

Command History

Release

Modification

12.4(11)T

This command was introduced.

Usage Guidelines

Use this command following the acl command (in webvpn context configuration mode) to specify conditions under which a packet can pass the named access list.

The time-range keyword allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this permit statement is in effect.

Examples

The following example shows that all packets from the URL “https://10.168.2.228:34,80-90,100-/public” are permitted to pass ACL “acl1”:

webvpn context context1
 acl acl1
  permit url “https://10.168.2.228:34,80-90,100-/public”

Related Commands

Command

Description

absolute

Specifies an absolute time for a time range.

deny (webvpn acl)

Sets conditions in a named SSL VPN access list that will deny packets.

periodic

Specifies a recurring (weekly) time range for functions that support the time-range feature.

time-range

Enables time-range configuration mode and defines time ranges for extended access lists.

pfs

To configure a server to notify the client of the central-site policy regarding whether PFS is required for any IP Security (IPsec) Security Association (SA), use the pfs command in global configuration mode or IKEv2 authorization policy configuration mode. To restore the default behavior, use the no form of this command.

pfs

no pfs

Syntax Description

This command has no arguments or keywords.

Command Default

The server will not notify the client of the central-site policy regarding whether PFS is required for any IPsec SA.

Command Modes


Global configuration (config)

IKEv2 authorization policy configuration (config-ikev2-author-policy)

Command History

Release

Modification

12.3(4)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.

Usage Guidelines

Before you use the pfs command, you must first configure the crypto isakmp client configuration group or crypto ikev2 authorization policy command.

An example of an attribute-value (AV) pair for the PFS attribute is as follows:

ipsec:pfs=1

Examples

The following example shows that the server has been configured to notify the client of the central-site policy regarding whether PFS is required for any IPsec SA:

crypto ikev2 authorization policy
 pfs

Related Commands

Command

Description

crypto ikev2 authorization policy

Specifies an IKEv2 authorization policy.

crypto isakmp client configuration group

Specifies to which group a policy profile will be defined.

pki-server

To specify the certificate server that is to be associated with the Trusted Transitive Introduction (TTI) exchange between the Secure Device Provisioning (SDP) petitioner and the SDP registrar, use the pki-servercommand in tti-registrar configuration mode. To change the specified certificate server, use the no form of this command.

pki-server label

no pki-server label

Syntax Description

label

Name of certificate server.

Command Default

A certificate server is not associated with the TTI exchange; thus, the petitioner and registrar will not be able to communicate.

Command Modes


tti-registrar configuration

Command History

Release

Modification

12.3(8)T

This command was introduced.

Usage Guidelines

Although any device that contains a crypto image can be the registrar, it is recommended that the registrar be either a Cisco IOS certificate server registration authority (RA) or a Cisco IOS certificate server root.

Examples

The following example shows how to associate the certificate server “cs1” with the TTI exchange:

crypto wui tti registrar
 pki-server cs1

Related Commands

Command

Description

crypto pki server

Enables a Cisco IOS certificate server and enters certificate server configuration mode.

crypto wui tti registrar

Configures a device to become an SDP registrar and enters tti-registrar configuration mode.

pki trustpoint

To use the PKI trustpoints in the Rivest, Shamir and Adleman (RSA) signature authentication method, use the pki trustpointcommand in IKEv2 profile configuration mode. To remove the trustpoint, use the no form of this command.

pki trust-point trustpoint-name [ sign | verify ]

no pki trust-point trustpoint-name [ sign | verify ]

Syntax Description

trustpoint-name

The trustpoint name as defined in the global configuration.

sign

(Optional) Uses certificates from the trustpoint to create a digital signature that is sent to the peer.

verify

(Optional) Uses certificates from the trustpoint to validate digital signatures received from thepeer.

Command Default

If there is no trustpoint defined in the IKEv2 profile configuration, the default is to validate the certificate using all the trustpoints that are defined in the global configuration.

Command Modes


IKEv2
profile configuration (config-ikev2-profile)

Command History

Release

Modification

15.1(1)T

This command was introduced.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

15.2(4)S

This command was integrated into Cisco IOS Release 15.2(4)S.

Usage Guidelines

The pki trustpoint command specifies the trustpoints that are used with the RSA-signature authentication method. You can configure upto six truspoints.


Note


If the sign or verify keyword is not specified, the trustpoint is used for signing and verification.


Examples

The following example specifies two trustpoints, trustpoint-local for local authentication using sign and trustpoint-remote for remote verification using verify:

Router(config)# crypto ikev2 profile profile2
Router(config-ikev2-profile)# pki trustpoint trustpoint-local sign
Router(config-ikev2-profile)# pki trustpoint trustpoint-remote verify

Related Commands

Command

Description

crypto ikev2 profile

Defines an IKEv2 profile.

police (zone policy)

To limit traffic matching within a firewall (inspect) policy, use the police command in policy-map class configuration mode. To remove traffic limiting from the firewall policy configuration , use the no form of this command.

police rate bps [ burst size ]

no police rate bps [ burst size ]

Syntax Description

rate bps

Specifies the average rate in bits per second (bps). Valid values are 8000 to 128000000000 (or 128 Gbps).

Note   

Traffic limiting is in bps only; that is, packets per seconds (pps) and percent rates are not supported.

burst size

(Optional) Specifies the burst size in bytes. Valid values are 1000 to 2000000000 (2 Gb). The default normal burst size is 1500 bytes.

Command Default

Traffic limiting is disabled.

Command Modes


Policy-map class configuration  (config-pmap-c)

Command History

Release

Modification

12.4(9)T

This command was introduced.

15.0(1)SY

This command was modified. The maximum value for the bps and size arguments was increased.

Usage Guidelines

Issue the police command within an inspect policy to limit the number of concurrent connections allowed for applications such as Instant Messenger (IM) and peer-to-peer (P2P).

To effectively use the police command, you must also enable Cisco IOS stateful packet inspection within the inspect policy map. If you configure the police command without configuring the inspect action (via the inspect command), you will receive an error message and the police command will be rejected.

Because an inspect policy map can be applied only to a zone pair, and not an interface, the police action will be enforced on traffic that traverses the zone pair. (The direction is inherent to the specification of the zone pair.)

The police action is not allowed in policies that are attached to zone pairs involving a “self” zone. If you want to perform this task, you should use control plane policing.

Examples

The following example shows how to limit traffic matching with the inspect policy “p1”:

policy-map type inspect p1
 class type inspect c1
  inspect
  police rate 1000 burst 6100

The following example is sample output from the show policy-map type inspect zone-pair command, which can now be used to verify the police action configuration:

Router# show policy-map type inspect zone-pair
 
Zone-pair: zp
Service-policy inspect : test-udp
  Class-map: check-udp (match-all)
   Match: protocol udp
   Inspect
    Packet inspection statistics [process switch:fast switch]
    udp packets: [3:4454]
    Session creations since subsystem startup or last reset 92
 
   Current session counts (estab/half-open/terminating) [5:33:0]
    Maxever session counts (estab/half-open/terminating) [5:59:0]
    Last session created 00:00:06
    Last statistic reset never
    Last session creation rate 61
    Last half-open session total 33
   Police
   rate 8000 bps,1000 limit 
   conformed 2327 packets, 139620 bytes; actions: transmit
   exceeded 36601 packets, 2196060 bytes; actions: drop
   conformed 6000 bps, exceed 61000 bps
  Class-map: class-default (match-any)
   Match: any 
   Drop (default action)
   0 packets, 0 bytes

Related Commands

Command

Description

show policy-map type inspect zone-pair

Displays the runtime inspect type policy map statistics and other information such as sessions existing on a specified zone pair.

policy

To define the Central Policy Push (CPP) firewall policy push, use the policy command in global configuration mode. To remove the CPP policy that was configured, use the no form of this command.

policy { check-presence | central-policy-push access-list { in | out } { access-list-name | access-list-number } }

no policy { check-presence | central-policy-push access-list { in | out } { access-list-name | access-list-number } }

Syntax Description

check-presence

Instructs the server to check for the presence of the specified firewall as shown as firewall-type on the client.

central-policy-push

Pushes the CPP firewall policy push. The configuration following this keyword specifies the actual policy, such as the input and output access lists that have to be applied by the client firewall of the type firewall-type .

access-list in

Defines the inbound access list on the virtual private network (VPN) remote client.

access-list out

Defines the outbound access list on the VPN remote client.

access-list-name | access-list-number

Access list name or number.

Command Default

The CPP policy is not defined.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(6)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS release 12.(33)SRA.

Examples

The following example defines the CPP policy name as “hw-client-g-cpp.” The “Cisco-Security-Agent” policy type is mandatory. The CPP inbound list is “192” and the outbound list is “sample”:

crypto isakmp client firewall hw-client-g-cpp required Cisco-Security-Agent
 policy central-policy-push access-list in 192
 policy central-policy-push access-list out sample

policy check-presence:

The following example shows access lists that have been applied on a VPN remote client and later applied by the client firewall :

Examples

.
.
.
access-list 170 permit ip 172.18.124.0 0.0.0.255 any
access-list 170 permit ip 172.21.1.0 0.0.0.255 any
.
.
.

Examples

.
.
.
access-list 180 permit ip any 172.18.124.0 0.0.0.255
.
.
.

Inbound and outbound policies to be applied by the client firewall

.
.
. 
crypto isakmp client firewall test required cisco-integrated-client-firewall
  policy central-policy-push access-list in 170
  policy central-policy-push access-list out 180
.
.
.
crypto isakmp client configuration group vpngroup1
  firewall policy test
.
.
.

Related Commands

Command

Description

crypto isakmp client firewall

Defines the CPP) firewall push policy on a server.

policy dynamic identity

To configure identity port mapping (IPM) to allow dynamic authorization policy download from an authorization server based on the identity of the peer, use the policy dynamic identity command in Cisco TrustSec manual configuration mode. Use the no form of the command to remove a policy.

policy dynamic identity peer

no policy dynamic identity peer

Syntax Description

peer

The peer device name or symbolic name in the authentication server's policy database associated with the policy to be applied to the peer.

Command Default

No policy is defined and traffic passes through without applying an SGT.

Command Modes

Cisco TrustSec manual configuration (config-if-cts-manual)

Command History

Release

Modification

12.2(50)SY

This command was introduced on the Catalyst 6500 Series Switches.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

Usage Guidelines

When manually configuring Cisco TrustSec on an interface, consider these usage guidelines and restrictions:
  • If no SAP parameters are defined, no Cisco TrustSec encapsulation or encryption is performed.

  • If the selected SAP mode allows SGT insertion and an incoming packet carries an SGT, the tagging policy is as follows:
    • If the policy static sgt command is configured, the packet is tagged with the SGT configured in the policy static command.
    • If the policy dynamic identity command is configured, the packet is not tagged.
  • If the selected SAP mode allows SGT insertion and an incoming packet carries an SGT, the tagging policy is as follows:
    • If the policy static sgt command is configured without the trusted keyword, the SGT is replaced with the SGT configured in the policy static command.
    • If the policy static sgt command is configured with the trusted keyword, no change is made to the SGT.
    • If the policy dynamic identity command is configured and the authorization policy downloaded from the authentication server indicates that the packet source is untrusted, the SGT is replaced with the SGT specified by the downloaded policy.
    • If thepolicy dynamic identity command is configured and the downloaded policy indicates that the packet source is trusted, no change is made to the SGT.

Examples

Device(config-if-cts-manual)# policy dynamic identity my_peer_device_name

Related Commands

Command

Description

policy static sgt

Configures a static authorization policy for a Cisco TrustSec security group.

policy group

To enter webvpn group policy configuration mode to configure a group policy, use the policy group command in webvpn context configuration mode. To remove the policy group from the router configuration file, use the no form of this command.

policy group name

no policy group name

Syntax Description

name

Name of the policy group.

Command Default

Webvpn group policy configuration mode is not entered, and a policy group is not configured.

Command Modes


Webvpn context configuration

Command History

Release

Modification

12.4(6)T

This command was introduced.

Usage Guidelines

The policy group is a container that defines the presentation of the portal and the permissions for resources that are configured for a group of end users. Entering the policy group command places the router in webvpn group policy configuration mode. After the group policy is configured, the policy group is attached to the SSL VPN context configuration by configuring the default-group-policy command.

Examples

The following example configures a policy group named ONE:

Router(config)# webvpn context context1
 
Router(config-webvpn-context)# policy group ONE
 
Router(config-webvpn-group)# exit
 
Router(config-webvpn-context)# default-group-policy ONE
 

Related Commands

Command

Description

banner

Configures a banner to be displayed after a successful login.

citrix enabled

Enables Citrix application support for end users in a policy group.

default-group-policy

Configures a default group policy for SSL VPN sessions.

filter citrix

Configures a Citrix application access filter.

filter tunnel

Configures a SSL VPN tunnel access filter.

functions

Enables a file access function or tunnel mode support in a group policy configuration.

hide-url-bar

Prevents the URL bar from being displayed on the SSL VPN portal page.

nbns-list (policy group)

Attaches a NBNS server list to a policy group configuration.

port-forward (policy group)

Attaches a port-forwarding list to a policy group configuration.

svc address-pool

Configures a pool of IP addresses to assign to end users in a policy group.

svc default-domain

Configures the domain for a policy group.

svc dns-server

Configures DNS servers for policy group end users.

svc dpd-interval

Configures the DPD timer value for the gateway or client.

svc homepage

Configures the URL of the web page that is displayed upon successful user login.

svc keep-client-installed

Configures the end user to keep Cisco AnyConnect VPN Client software installed when the SSL VPN connection is not enabled.

svc msie-proxy

Configures MSIE browser proxy settings for policy group end users.

svc msie-proxy server

Specifies a Microsoft Internet Explorer proxy server for policy group end users.

svc rekey

Configures the time and method that a tunnel key is refreshed for policy group end users.

svc split

Configures split tunneling for policy group end users.

svc wins-server

Configures configure WINS servers for policy group end users.

timeout

Configures the length of time that an end user session can remain idle or the total length of time that the session can remain connected.

url-list (policy group)

Attaches a URL list to policy group configuration.

webvpn context

Enters webvpn context configuration mode to configure the SSL VPN context.

policy static sgt

To configure a static authorization policy for a Cisco TrustSec security group, use the policy static sgt command in Cisco TrustSec manual configuration mode. Use the no form of the command to remove a policy.

policy static sgt tag [ trusted ]

no policy static sgt tag [ trusted ]

Syntax Description

tag

Specifies the SGT in decimal format. The range is 1 to 65533.

trusted

Optional. Indicates that ingress traffic on the interface with this SGT should not have its tag overwritten.

Command Default

No static policy is defined.

Command Modes

Cisco TrustSec manual configuration (config-if-cts-manual)

Command History

Release

Modification

12.2(50)SY

This command was introduced on the Catalyst 6500 Series Switches.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

15.3(2)T

This command was integrated into Cisco IOS Release 15.3(2)T.

Usage Guidelines

When manually configuring Cisco TrustSec on an interface, consider these usage guidelines and restrictions:
  • If no SAP parameters are defined, no Cisco TrustSec encapsulation or encryption is performed.

  • If the selected SAP mode allows SGT insertion and an incoming packet carries an SGT, the tagging policy is as follows:
    • If the policy static sgt command is configured, the packet is tagged with the SGT configured in the policy static command.
    • If the policy dynamic identity command is configured, the packet is not tagged.
  • If the selected SAP mode allows SGT insertion and an incoming packet carries an SGT, the tagging policy is as follows:
    • If the policy static sgt command is configured without the trusted keyword, the SGT is replaced with the SGT configured in the policy static command.
    • If the policy static sgt command is configured with the trusted keyword, no change is made to the SGT.
    • If the policy dynamic identity command is configured and the authorization policy downloaded from the authentication server indicates that the packet source is untrusted, the SGT is replaced with the SGT specified by the downloaded policy.
    • If the policy dynamic identity command is configured and the downloaded policy indicates that the packet source is trusted, no change is made to the SGT.
If the policy static sgt command is not configured, traffic may be tagged according to IP-SGT bindings specified by the cts role-based sgt-map interface command or learned from SXP. Traffic may also pass through without applying an SGT if no IP-SGT binding is found.

Note


SAP is not supported on Cisco ASR 1000 Series Routers.


Examples

Device(config-if-cts-manual)# policy static sgt 7 trusted

Related Commands

Command

Description

policy dynamic identity

Configures identity port mapping (IPM) to allow dynamic authorization policy download from an authorization server based on the identity of the peer.

cts role-based sgt-map interface

Manually maps a source IP address to an SGT on either a host or a VRF.

policy-map type control mitigation

To configure a mitigation type policy map for Transitory Messaging Services (TMS), use the policy-map type control mitigation command in global configuration mode. To remove the policy map from the router configuration file, use the no form of this command.


Note


Effective with Cisco IOS Release 12.4(20)T, the policy-map type control mitigation command is not available in Cisco IOS software.


policy-map type control mitigation name

no policy-map type control mitigation name

Syntax Description

name

Name of the mitigation type policy map.

Command Default

A mitigation type policy map is not configured.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(6)T

This command was introduced.

12.4(15)XZ

This command was integrated into Cisco IOS Release 12.4(15)XZ.

Usage Guidelines

The mitigation type policy map is used to configure a mitigation type service policy (TMS Rules Engine configuration). The mitigation type policy map is configured on only the consumer. Entering the policy-map type control mitigation command places the router in policy-map configuration mode.

The mitigation type policy map is configured to bind mitigation type class and parameter maps together, creating a mitigation type service policy. The mitigation type class map is configured to match a class of traffic to a primitive and priority level. The mitigation type parameter map is configured to set the next-hop variable for a redirect mitigation enforcement action.

Attaching the Policy Map to the Global TMS process

The mitigation type service policy is activated by attaching the mitigation type policy map to the TMS type policy map in policy-map class configuration mode. The TMS type policy map is then attached to the global consumer configuration by configuring the service-policy command in consumer configuration mode.

Examples

Examples

The following example configures the Rules Engine to send priority 5 redirect threat mitigation traffic to a null interface (black hole):

Router(config)# parameter-map type mitigation MIT_PAR_1
 
Router(config-profile)# variable RTBH NULL0 
Router(config-profile)# exit 
Router(config)# class-map type control mitigation match-all MIT_CLASS_1 
Router(config-cmap)# match priority 5 
Router(config-cmap)# match primitive redirect 
Router(config-cmap)# exit 
Router(config)# policy-map type control mitigation MIT_POL_1 
Router(config-pmap)# class MIT_CLASS_1 
Router(config-pmap-c)# redirect route $RTBH 
Router(config-pmap-c)# end 

Examples

The following example creates a Rules Engine configuration and activates it under the global consumer process:

Router(config)# class-map type control mitigation match-all MIT_CLASS_2
 
Router(config-cmap)# match primitive block
 
Router(config-cmap)# match priority 1
 
Router(config-cmap)# exit 
Router(config)# parameter-map type mitigation MIT_PAR_2 
Router(config-profile)# variable COLLECTION ipv4 192.168.1.1 
Router(config-profile)# exit 
Router(config)# policy-map type control mitigation MIT_POL_2 
Router(config-pmap)# class MIT_CLASS_2 
Router(config-pmap-c)# redirect route 
Router(config-pmap-c)# source parameter MIT_PAR_2 
Router(config-pmap-c)# exit
 
Router(config-pmap)# exit
 
Router(config)# policy-map type control tms TMS_POL_1
 
Router(config-pmap)# class TMS_CLASS_1
 
Router(config-pmap-c)# mitigation TMS_PAR_1 
Router(config-pmap-c)# service-policy MIT_POL_2
 
Router(config-pmap-c)# exit
 
Router(config-pmap)# exit
 
Router(config)# tms consumer
 
Router(config-cons)# service-policy type tms TMS_POL_1 
Router(config-cons)# end 

Related Commands

Command

Description

acl drop

Configures an ACL drop enforcement action in a TMS Rules Engine configuration.

class-map type control mitigation

Configures a mitigation type class map.

ignore (TMS)

Configures the TMS Rules Engine to ignore a mitigation enforcement action.

match primitive

Configures a primitive match in a mitigation type class map.

match priority

Configures the match priority level for a mitigation enforcement action.

parameter-map type mitigation

Configures a mitigation type parameter map.

redirect route

Configures a redirect enforcement action in a mitigation type policy map.

service-policy (class-map)

Attaches a policy map to a class.

service-policy type tms

Binds a TMS type service policy to a global consumer process.

source parameter

Attaches a mitigation type parameter map to a policy-map class configuration.

tms-class

Associates an interface with an ACL drop enforcement action.

variable

Defines the next-hop variable in a mitigation type parameter map.

policy-map type control tms

To configure a Transitory Messaging Services (TMS) type policy map, use the policy-map type control tms command in global configuration mode. To remove the policy map from the router configuration file, use the no form of this command.


Note


Effective with Cisco IOS Release 12.4(20)T, the policy-map type control tms command is not available in Cisco IOS software.


policy-map type control tms name

no policy-map type control tms name

Syntax Description

name

The name of the TMS type policy map.

Command Default

A TMS type policy map is not configured.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(6)T

This command was introduced.

12.4(15)XZ

This command was integrated into Cisco IOS Release 12.4(15)XZ.

Usage Guidelines

The TMS type policy map is configured on the consumer. Entering the policy-map type control tms command places the router in policy-map configuration mode.

The TMS type policy map is configured to bind (or attach) TMS protocol configuration and TMS group members (routers and networking devices) to the global consumer process. The TMS type class map defines the TMS group or groups over which TMS is deployed. The TMS type parameter map defines TMS protocol specific parameters, such as operational timers and event logging.

Attaching the Policy Map to the Global TMS process

TMS type class and parameter maps are attached to the policy map to create a TMS type service policy. It is activated by configuring the service-policy type tms command under the global consumer process.


Note


The mitigation type service policy (TMS Rules Engine configuration) is activated by attaching the mitigation type policy map to the TMS type policy map in policy-map class configuration mode. The TMS type policy map is then attached to the global consumer configuration.


Examples

Examples

The following example configures a TMS type service policy and a mitigation type service policy (TMS Rules configuration) on a consumer:

Router(config)# class-map type control tms TMS_CLASS_1
 
Router(config-cmap)# match tidp-group 10 
Router(config-cmap)# exit
 
Router(config)# class-map type control mitigation match-all MIT_CLASS_2
 
Router(config-cmap)# match primitive block
 
Router(config-cmap)# match priority 1
 
Router(config-cmap)# exit
 
Router(config)# parameter-map type tms TMS_PAR_1
 
Router(config-profile)# controller ipv4 10.1.1.1
 
Router(config-profile)# logging tms events
 
Router(config-profile)# registration retry interval 60 
Router(config-profile)# registration retry count 5 
Router(config-profile)# exit
 
Router(config)# parameter-map type mitigation MIT_PAR_2
 
Router(config-profile)# variable COLLECTION ipv4 192.168.1.1
 
Router(config-profile)# exit
 
Router(config)# policy-map type control mitigation MIT_POL_2
 
Router(config-pmap)# class MIT_CLASS_2
 
Router(config-pmap-c)# redirect route
 
Router(config-pmap-c)# source parameter MIT_PAR_2 
Router(config-pmap-c)# exit
 
Router(config-pmap)# exit
 
Router(config)# policy-map type control tms TMS_POL_1
 
Router(config-pmap)# class TMS_CLASS_1
 
Router(config-pmap-c)# mitigation TMS_PAR_1
 
Router(config-pmap-c)# service-policy MIT_POL_2
 
Router(config-pmap-c)# exit
 
Router(config-pmap)# exit 
Router(config)# tms consumer 
Router(config-cons)# service-policy type tms TMS_POL_1 
Router(config-cons)# end
 

Related Commands

Command

Description

class-map type control mitigation

Configures a mitigation type class map.

class-map type control tms

Configures a TMS type class map.

parameter-map type mitigation

Configures a mitigation type parameter map.

parameter-map type tms

Configures a TMS type parameter map.

policy-map type control mitigation

Configures a mitigation type policy map.

service-policy (class-map)

Attaches a policy map to a class.

service-policy type tms

Binds a TMS type service policy to a global consumer process.

tms consumer

Configures a consumer process on a router or networking device.

tms controller

Configures a controller process on a router or networking device.

policy-map type inspect

To create a Layer 3 and Layer 4 or a Layer 7 (protocol-specific) inspect-type policy map, use the policy-map type inspect command in global configuration mode. To delete an inspect-type policy map, use the no form of this command.

Layer 3 and Layer 4 (Top Level) Policy Map Syntax

policy-map type inspect policy-map-name

no policy-map type inspect policy-map-name

Layer 7 (Application-Specific) Policy Map Syntax

policy-map type inspect protocol-name policy-map-name

no policy-map type inspect protocol-name policy-map-name

Syntax Description

policy-map-name

Name of the policy map. The name can be a maximum of 40 alphanumeric characters.

protocol-name

Layer 7 application-specific policy map. The supported protocols are as follows:

  • gtpv0 —General Packet Radio Service (GPRS) Tunnel Protocol Version 0 (GTPv0).

  • gtpv1—GTP Version 1 (GTPv1)

  • h323 —H.323 protocol, Version 4

  • http —HTTP

  • im —Instant Messenger (IM) protocol. For IM, the supported IM protocols include:
    • AOL Version 5 and later versions
    • I Seek You (ICQ) Version 2003b.5.56.1.3916.85
    • MSN Messenger Version 6.x and 7.x
    • Windows Messenger Version 5.1.0701
    • Yahoo Messenger Version 9.0 and later versions
  • imap —Internet Message Access Protocol (IMAP)

  • p2p —Peer-to-peer (P2P) protocol

  • pop3 —Post Office Protocol, Version 3 (POP3)

  • sip —Session Initiation Protocol (SIP)

  • smtp —Simple Mail Transfer Protocol (SMTP)

  • sunrpc —Sun Remote Procedure Call (SUNRPC)

Command Default

No policy map is configured.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(6)T

This command was introduced.

12.4(9)T

This command was modified. Support for the following protocols and keywords was added:

  • P2P protocol and the p2p keyword

  • IM protocol and the im keyword

12.4(15)XZ

This command was modified. Support for SIP was added.

12.4(20)T

This command was modified. Support was added for the ICQ and Windows Messenger IM protocols, and following keywords were added: icq, winmsgr.

Support was added for the H.323 VoIP protocol and the following keyword was added: h323.

15.1(2)T

This command was modified. Support for IPv6 was added.

Cisco IOS XE Release 3.4S

This command was modified. The following GTP keywords were added: gtpv0, gtpv1.

Usage Guidelines

Use the policy-map type inspect command to create a Layer 3 and Layer 4 inspect-type policy map or a Layer 7 application-specific inspect-type policy map. After you create a policy map, you should enter the class type inspect command (as appropriate for your configuration) to specify the traffic (class) on which an action is to be performed. The class was previously defined in a class map. Thereafter, you should enter the inspect command to enable Cisco IOS stateful packet inspection and to specify inspect-specific parameters in a parameter map.

Layer 3, Layer 4 (Top Level) Policy Maps

Top-level policy maps allow you to define high-level actions such as inspect, drop, pass, and urlfilter. You can attach the maps to a target (zone pair). The maps can contain “child” policies that are also known as application-specific Layer 7 policies.

Layer 7 (Application-Specific) Policy Maps

Application-specific policy maps are used to specify a policy for an application protocol. For example, if you want to drop HTTP traffic with Uniform Resource Identifier (URI) lengths exceeding 256 bytes, you must configure an HTTP policy map to do that. Application-specific policy maps cannot be attached directly to a target (zone pair). They must be configured as “child” policies in a top-level Layer 3 or Layer 4 policy map.

The following protocols are supported for Cisco IOS XE Release 3.4S.
  • GTPv0

  • GTPv1

  • HTTP

  • IMAP

  • Match-all Logical-AND all matching statements under this classmap

  • Match-any Logical-OR all matching statements under this classmap

  • POP3

  • SMTP

  • Sun RPC

Examples

The following example shows how to specify the traffic class (host) on which the drop action is to be performed:

policy-map type inspect mypolicy 
 class type inspect host 
 drop 

The following example shows how to configure a policy map named my-im-pmap policy map with two IM classes, AOL and Yahoo Messenger, and allow only text-chat messages to pass through. When any packet with a service other than text-chat is seen, the connection will be reset.

class-map type inspect aol match-any my-aol-cmap
 match service text-chat
!
class-map type inspect ymsgr match-any my-ysmgr-cmap
 match service any
!
policy-map type inspect im my-im-pmap
 class type inspect aol my-aol-cmap
 allow
 log
!
 class type inspect ymsgr my-ysmgr-cmap 
 reset 
 log

Related Commands

Command

Description

class type inspect

Specifies the traffic (class) on which an action is to be performed.

policy-map type inspect urlfilter

To create or modify a URL filter type inspect policy map, use the policy-map type inspect urlfilter command in global configuration mode. To delete a URL filter type inspect policy map, use the no form of this command.

policy-map type inspect urlfilter policy-map-name

no policy-map type inspect urlfilter policy-map-name

Syntax Description

policy-map-name

Name of the policy map.

Command Default

No policy map is created.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.4(15)XZ

This command was introduced.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.

Usage Guidelines

Use the policy-map type inspect urlfiltercommand to create a URL filter type inspect policy map. The policy map specifies the traffic (class type urlfilter) and the actions to be performed on that traffic for the specified URL filtering policy.

Before you create a URL filter type inspect policy map, use the following commands:

  • class-map type urlfilter command to configure the match criteria for the traffic.

  • parameter-map type urlfpolicy command to specify the parameters for the URL filtering server. If you are configuring a policy for a Trend Router Provisioning Server (TRPS), you must also specify the global filtering parameters with the parameter-map type trend-global command.

After you create a policy map, use the following commands to configure the URL filtering policy:

  • class type urlfilter [trend | n2h2 | websense ] class-name-- Specifies the class of traffic to which the policy applies. If you specify an optional URL filtering server, you must also use the parameter type urlfpolicy command to specify the appropriate per-policy parameters for that URL filtering server.

For each class, use one of the URL filtering action commands to specify how to handle a URL that matches the class map. The table below lists the URL filtering action commands.

Table 10 URL Filtering Action Commands

Command

Description

allow

Permits access to the requested URL.

log

Logs the URL request.

reset

Resets the HTTP connection at both ends.

server-specified action

Specifies that the traffic is handled by the URL filtering server. This action is valid only for Websense and N2H2 classes.

  • description string --Describes the policy.

  • exit --Exits the policy map.

  • no --Negates or sets the default value for a command.

  • parameter type urlfpolicy [trend | n2h2 | websense ]--Specifies what type of URL filtering this policy applies to: local (default), Trend Micro, SmartFilter, or Websense.

  • rename policy-map-name --Specifies a new name for the policy map.

Examples

The following example shows a how to create a URL filter type inspect policy for a Trend Micro URL filtering server. The policy logs URL requests that match the URL categories specified in the class drop-category, and then resets the connection, thus denying the request.

class-map type urlfilter trend match-any drop-category
 match url category Gambling
 match url category Personals-Dating
parameter-map type trend-global global-parameter-map
 server trend.example.com
parameter-map type urlfpolicy trend g1-trend-pm
 max-request 2147483647
 max-resp-pak 20000
 allow-mode on
 truncate hostname
 block-page message "group1: 10.10.10.0 is blocked by Trend."
policy-map type inspect urlfilter g1-trend-policy
 parameter type urlfpolicy trend g1-trend-parameter-map
 class type urlfilter trend drop-category
  log
 reset

The following example shows a filtering policy for a Websense URL filtering server. The policy logs and allows URL requests that are in the trusted domain class, logs and denies URL requests that are in the untrusted domain class, and logs and denies URL requests that are in the keyword class.

policy-map type inspect urlfilter websense-policy
 parameter type urlfpolicy websense websense-parameter-map
 class type urlfilter trusted-domain-class
  log
  allow
 class type urlfilter untrusted-domain-class
  log
  reset
 class type urlfilter keyword-class
  log
  reset

Related Commands

Command

Description

class-map type urlfilter

Specifies the class on which a policy action is to be performed.

class type urlfilter

Associates a URL filter class map with a URL filtering policy maps.

parameter-map type trend-global

Creates or modifies the parameter map for global TRPS parameters.

parameter-map type urlfpolicy

Creates or modifies a parameter map for a URL filtering policy.

pool (isakmp-group)

To define a local pool address, use the pool command in ISAKMP group configuration mode or IKEv2 authorization policy configuration mode. To remove a local pool from your configuration, use the no form of this command.

[ ipv6 ] pool name

no [ ipv6 ] pool name

Syntax Description

ipv6

(Optional) Specifies an IPv6 address pool. To specify an IPv4 address, execute the command without this keyword.

name

Name of the local address pool.

Command Default

No local pool address is defined.

Command Modes

ISAKMP group configuration (config-isakmp-group)

IKEv2 authorization policy configuration (config-ikev2-author-policy)

Command History

Release

Modification

12.2(8)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.

Cisco IOS XE Release 3.3S

This command was integrated into Cisco IOS XE Release 3.3S.

15.2(1)T

This command was modified. The ipv6 keyword was added.

Usage Guidelines

Use the pool command to refer to an IP local pool address, which defines a range of addresses that will be used to allocate an internal IP address to a client. Although a user must define at least one pool name, a separate pool may be defined for each group policy.


Note


This command must be defined and refer to a valid IP local pool address, or the client connection will fail.


You must enable the following commands before enabling the dns command:

  • crypto isakmp client configuration group --Specifies the group policy information that has to be defined or changed.

  • crypto ikev2 authorization policy --Specifies the local group policy authorization parameters.

Examples

The following example shows how to refer to the local pool address named dog:

crypto isakmp client configuration group cisco
  key cisco
  dns 10.2.2.2 10.3.2.3
  pool dog
  acl 199
!
ip local pool dog 10.1.1.1 10.1.1.254

Related Commands

Command

Description

acl

Configures split tunneling.

crypto ikev2 authorization policy

Specifies an IKEv2 authorization policy group.

crypto isakmp client configuration group

Specifies the DNS domain to which a group belongs.

ip local pool

Configures a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.

port

To specify the port on which a device listens for RADIUS requests from configured RADIUS clients, use the port command in dynamic authorization local server configuration mode. To restore the default, use the no form of this command.

port port-number

no port port-number

Syntax Description

port-number

Port number. The default value is port 1700.

Command Default

The device listens for RADIUS requests on the default port (port 1700).

Command Modes

Dynamic authorization local server configuration (config-locsvr-da-radius)

Command History

Release

Modification

12.2(28)SB

This command was introduced.

Cisco IOS XE Release 2.6

This command was integrated into Cisco IOS XE Release 2.6.

Usage Guidelines

A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the port command to specify the ports on which the router will listen for requests from RADIUS clients.

Examples

The following example specifies port 1650 as the port on which the device listens for RADIUS requests:

aaa server radius dynamic-author
 client 10.0.0.1
 port 1650

Related Commands

Command

Description

aaa server radius dynamic-author

Configures a device as a AAA server to facilitate interaction with an external policy server.

port (IKEv2 cluster)

To define the port number to be used by a Internet Key Exchange Version 2 (IKEv2) cluster to connect to the master gateway in a Hot Standby Router Protocol (HSRP) group, use the port command in IKEv2 cluster configuration mode. To revert to the default port, use the no form of this command.

port port-number

no port

Syntax Description

port-number

Port number used by an IKEv2 cluster. The range is from 1 to 65535. The default is 2012.

Command Default

No port number is defined.

Command Modes

IKEv2 cluster configuration (config-ikev2-cluster)

Command History

Release

Modification

15.2(4)M

This command was introduced.

Usage Guidelines

You must enable the crypto ikev2 cluster command before enabling the port command.

Examples

In the following example, the IKEv2 CLB slaves connect to the CLB Master using the port number 2221:

Router(config)# crypto ikev2 cluster
Router(config-ikev2-cluster)# port 2221

Related Commands

Command

Description

crypto ikev2 cluster

Defines an IKEv2 cluster policy in an HSRP cluster.

port (TACACS+)

To specify the TCP port to be used for TACACS+ connections, use the portcommand in TACACS+ server configuration mode. To remove the TCP port, use the no form of this command.

port [number]

no port [number]

Syntax Description

number

(Optional) Specifies the port where the TACACS+ server receives access-request packets. The range is from 1 to 65535.

Command Default

If no port is configured, port 49 is used.

Command Modes


TACACS+ server configuration (config-server-tacacs)

Command History

Release

Modification

Cisco IOS XE Release 3.2S

This command was introduced.

Usage Guidelines

TCP port 49 is used if the number argument is not used when using the port command.

Examples

The following example shows how to specify TCP port 12:

Router (config)# tacacs server server1
Router(config-server-tacacs)# port 12

Related Commands

Command

Description

tacacs server

Configures the TACACS+ server for IPv6 or IPv4 and enters TACACS+ server configuration mode.

port-forward

To enter webvpn port-forward list configuration mode to configure a port-forwarding list, use the port-forward command in webvpn context configuration mode. To remove the port-forwarding list from the SSL VPN context configuration, use the no form of this command.

port-forward name

no port-forward name

Syntax Description

name

Name of the port-forwarding list.

Command Default

Webvpn port-forward list configuration mode is not entered, and a port-forwarding list is not configured.

Command Modes


Webvpn context configuration

Command History

Release

Modification

12.3(14)T

This command was introduced.

Usage Guidelines

The port-forward command is used to create the port-forwarding list. Application port number mapping (port forwarding) is configured with the local-port command in webvpn port-forward configuration mode.

A port-forwarding list is configured for thin client mode SSL VPN. Port forwarding extends the cryptographic functions of the SSL-protected browser to provide remote access to TCP-based applications that use well-known port numbers, such as POP3, SMTP, IMAP, Telnet, and SSH.

When port forwarding is enabled, the hosts file on the SSL VPN client is modified to map the application to the port number configured in the forwarding list. The application port mapping is restored to default when the user terminates the SSL VPN session.

Examples

The following example configures port forwarding for well-known e-mail application port numbers:

Router(config)# webvpn context context1
 
Router(config-webvpn-context)# port-forward EMAIL
 
Router(config-webvpn-port-fwd)# local-port 30016 remote-server mail.company.com remote-port 110 description POP3
 
Router(config-webvpn-port-fwd)# local-port 30017 remote-server mail.company.com remote-port 25 description SMTP
 
Router(config-webvpn-port-fwd)# local-port 30018 remote-server mail.company.com remote-port 143 description IMAP

Related Commands

Command

Description

local-port (WebVPN)

Remaps an application port number in a port-forwarding list.

webvpn context

Enters webvpn context configuration mode to configure the SSL VPN context.

port-forward (policy group)

To attach a port-forwarding list to a policy group configuration, use the port-forwardcommand in webvpn group policy configuration mode. To remove the port-forwarding list from the policy group configuration, use the no form of this command.

port-forward name [ auto-download [ http-proxy [ proxy-url homepage-url ] ] | http-proxy [ proxy-url homepage-url ] [auto-download] ]

no port-forward name [ auto-download [ http-proxy [ proxy-url homepage-url ] ] | http-proxy [ proxy-url homepage-url ] [auto-download] ]

Syntax Description

name

Name of the port-forwarding list that was configured in webvpn context configuration mode.

auto-download

(Optional) Allows for automatic download of the port-forwarding Java applet on the portal page of a website.

http-proxy

(Optional) Allows the Java applet to act as a proxy for the browser of the user.

proxy-url homepage-url

(Optional) Page at this URL address opens as the portal page of the user.

Command Default

A port-forwarding list is not attached to a policy group configuration.

Command Modes


Webvpn group policy configuration (config-webvpn-group)

Command History

Release

Modification

12.4(6)T

This command was introduced.

12.4(9)T

This command was modified. The auto-download keyword was added.

Usage Guidelines

The configuration of this command applies to only clientless access mode. In clientless mode, the remote user accesses the internal or corporate network using the web browser on the client machine.

Examples

The following example shows how to apply the port-forwarding list to the policy group configuration:

webvpn context context1 
 port-forward EMAIL 
  local-port 30016 remote-server mail.company.com remote-port 110 description POP3 
  local-port 30017 remote-server mail.company.com remote-port 25 description SMTP 
  local-port 30018 remote-server mail.company.com remote-port 143 description IMAP
  exit 
 policy group ONE 
 port-forward EMAIL auto-download

The following example shows that HTTP proxy has been configured. The page at URL “http://www.example.com” will automatically download as the home page of the user.

webvpn context myContext
 ssl authenticate verify all
 !
 !
 port-forward "email"
   local-port 20016 remote-server "ssl-server1.sslvpn-ios.com" remote-port 110 description "POP-ssl-server1"
 !
 policy group myPolicy
   port-forward "email" auto-download http-proxy proxy-url "http://www.example.com"
 inservice

Related Commands

Command

Description

local-port (WebVPN)

Remaps an application port number in a port-forwarding list.

policy group

Enters webvpn group policy configuration mode to configure a group policy.

port-forward

Enters webvpn port-forward list configuration mode to configure a port-forwarding list.

webvpn context

Enters webvpn context configuration mode to configure the SSL VPN context.

port-misuse

To permit or deny HTTP traffic through the firewall on the basis of specified applications in the HTTP message, use the port-misuse command in appfw-policy-http configuration mode. To disable this inspection parameter, use the no form of this command.

port-misuse { p2p | tunneling | im | default } action { reset | allow } [alarm]

no port-misuse { p2p | tunneling | im | default } action { reset | allow } [alarm]

Syntax Description

p2p

Peer-to-peer protocol applications subject to inspection: Kazaa and Gnutella.

tunneling

Tunneling applications subject to inspection: HTTPPort/HTTPHost, GNU Httptunnel, GotoMyPC, Firethru, Http-tunnel.com Client

im

Instant messaging protocol applications subject to inspection: Yahoo Messenger.

default

All applications are subject to inspection.

action

Applications detected within the HTTP messages that are outside of the specified application are subject to the specified action (reset or allow).

reset

Sends a TCP reset notification to the client or server if the HTTP message fails the mode inspection.

allow

Forwards the packet through the firewall.

alarm

(Optional) Generates system logging (syslog) messages for the given action.

Command Default

If this command is not enabled, HTTP messages are permitted through the firewall if any of the applications are detected within the message.

Command Modes


appfw-policy-http
configuration

Command History

Release

Modification

12.3(14)T

This command was introduced.

Examples

The following example shows how to define the HTTP application firewall policy “mypolicy.” This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule “firewall,” which will inspect all HTTP traffic entering the FastEthernet0/0 interface.

! Define the HTTP policy.
appfw policy-name mypolicy
 application http
  strict-http action allow alarm
  content-length maximum 1 action allow alarm
  content-type-verification match-req-rsp action allow alarm
  max-header-length request 1 response 1 action allow alarm
  max-uri-length 1 action allow alarm
  port-misuse default action allow alarm
  request-method rfc default action allow alarm
  request-method extension default action allow alarm
  transfer-encoding type default action allow alarm
!
!
! Apply the policy to an inspection rule. 
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
!
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
 ip inspect firewall in
!
!