Cisco Security Appliance Command Reference, Version 7.0
C Commands

Table Of Contents

C Commands

cache-time

call-agent

capture

cd

certificate

chain

changeto

checkheaps

check-retransmission

checksum-verification

class (policy-map)

class-map

clear aaa local user fail-attempts

clear aaa local user lockout

clear aaa-server statistics

clear access-group

clear access-list

clear arp statistics

clear asp drop

clear asp table

clear blocks

clear capture

clear configure

clear configure aaa

clear configure aaa-server

clear configure access-group

clear configure access-list

clear configure alias

clear configure arp-inspection

clear configure asdm

clear configure auth-prompt

clear configure banner

clear configure ca certificate map

clear configure class-map

clear configure clock

clear configure command-alias

clear configure console

clear configure context

clear configure crypto

clear configure crypto ca trustpoint

clear configure crypto dynamic-map

clear configure crypto map

clear configure dhcpd

clear configure dhcprelay

clear configure dns

clear configure established

clear configure failover

clear configure filter

clear configure fips

clear configure firewall

clear configure fixup

clear configure fragment

clear configure ftp

clear configure ftp-map

clear configure global

clear configure group-policy

clear configure gtp-map

clear configure http

clear configure http-map

clear configure icmp

clear configure imap4s

clear configure interface

clear configure ip

clear configure ip audit

clear configure ip local pool

clear configure ip verify reverse-path

clear configure ipv6

clear configure isakmp

clear configure isakmp policy

clear configure logging

clear configure mac-address-table

clear configure mac-learn

clear configure mac-list

clear configure management-access

clear configure mgcp-map

clear configure mroute

clear configure mtu

clear configure multicast-routing

clear configure name

clear configure nat

clear configure ntp

clear configure object-group

clear configure passwd

clear configure pim

clear configure policy-map

clear configure pop3s

clear configure port-forward

clear configure prefix-list

clear configure priority-queue

clear configure privilege

clear configure rip

clear configure route

clear configure route-map

clear configure router

clear configure service-policy

clear configure smtps

clear configure snmp-map

clear configure snmp-server

clear configure ssh

clear configure ssl

clear configure static

clear configure sunrpc-server

clear configure sysopt

clear configure tcp-map

clear configure telnet

clear configure terminal

clear configure timeout

clear configure tunnel-group

clear configure url-block

clear configure url-cache

clear configure url-list

clear configure url-server

clear configure username

clear configure virtual

clear configure vpn-load-balancing

clear conn

clear console-output

clear counters

clear crashinfo

clear crypto accelerator statistics

clear crypto ca crls

clear [crypto] ipsec sa

clear crypto protocol statistics

clear dhcpd

clear dhcprelay statistics

clear dns-hosts cache

clear failover statistics

clear fragment

clear gc

clear igmp counters

clear igmp group

clear igmp traffic

clear interface

clear ip audit count

clear ip verify statistics

clear ipsec sa

clear ipv6 access-list counters

clear ipv6 neighbors

clear ipv6 traffic

clear isakmp sa

clear local-host

clear logging asdm

clear logging buffer

clear mac-address-table

clear memory delayed-free-poisoner

clear memory profile

clear memory tracking

clear mfib counters

clear module recover

clear ospf

clear pim counters

clear pim reset

clear pim topology

clear priority-queue statistics

clear resource usage

clear route

clear service-policy

clear service-policy inspect gtp

clear shun

clear sunrpc-server active

clear traffic

clear uauth

clear url-block block statistics

clear url-cache statistics

clear url-server

clear xlate

client-access-rule

client-firewall

client-update

clock set

clock summer-time

clock timezone

cluster encryption

cluster ip address

cluster key

cluster port

command-alias

command-queue

compatible rfc1583

config-register

configure factory-default

configure http

configure memory

configure net

configure terminal

config-url

console timeout

content-length

content-type-verification

context

copy

copy capture

crashinfo console disable

crashinfo force

crashinfo save disable

crashinfo test

crl

crl configure

crypto ca authenticate

crypto ca certificate chain

crypto ca certificate map

crypto ca crl request

crypto ca enroll

crypto ca export

crypto ca import

crypto ca trustpoint

crypto dynamic-map match address

crypto dynamic-map set nat-t-disable

crypto dynamic-map set peer

crypto dynamic-map set pfs

crypto dynamic-map set reverse route

crypto map set security-association lifetime

crypto dynamic-map set transform-set

crypto ipsec df-bit

crypto ipsec fragmentation

crypto ipsec security-association lifetime

crypto ipsec transform-set

crypto ipsec transform-set mode transport

crypto key generate dsa

crypto key generate rsa

crypto key zeroize

crypto map interface

crypto map ipsec-isakmp dynamic

crypto map match address

crypto map set connection-type

crypto map set inheritance

crypto map set nat-t-disable

crypto map set peer

crypto map set pfs

crypto map set phase1 mode

crypto map set reverse-route

crypto map set security-association lifetime

crypto map set transform-set

crypto map set trustpoint


C Commands


cache-time

To specify in minutes how long to allow a CRL to remain in the cache before considering it stale, use the cache-time command in ca-crl configuration mode. To return to the default value, use the no form of this command.

cache-time refresh-time

no cache-time

Syntax Description

refresh-time

Specifies the number of minutes to allow a CRL to remain in the cache. The range is 1 - 1440 minutes. If the NextUpdate field is not present in the CRL, the CRL is not cached.


Defaults

The default setting is 60 minutes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CRL configuration

Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example enters ca-crl configuration mode, and specifies a cache time refresh value of 10 minutes for trustpoint central:

hostname(configure)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# cache-time 10
hostname(ca-crl)# 

Related Commands

Command
Description

crl configure

Enters crl configuration mode.

crypto ca trustpoint

Enters trustpoint configuration mode.

enforcenextupdate

Specifies how to handle the NextUpdate CRL field in a certificate.


call-agent

To specify a group of call agents, use the call-agent command in MGCP map configuration mode, which is accessible by using the mgcp-map command. To remove the configuration, use the no form of this command.

call-agent ip_address group_id

no call-agent ip_address group_id

Syntax Description

ip_address

The IP address of the gateway.

group_id

The ID of the call agent group, from 0 to 2147483647.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Use the call-agent command to specify a group of call agents that can manage one or more gateways. The call agent group information is used to open connections for the call agents in the group (other than the one a gateway sends a command to) so that any of the call agents can send the response. Call agents with the same group_id belong to the same group. A call agent may belong to more than one group. The group_id option is a number from 0 to 4294967295. The ip_address option specifies the IP address of the call agent.

Examples

The following example allows call agents 10.10.11.5 and 10.10.11.6 to control gateway 10.10.10.115, and allows call agents 10.10.11.7 and 10.10.11.8 to control both gateways 10.10.10.116 and 10.10.10.117:

hostname(config)# mgcp-map mgcp_inbound
hostname(config-mgcp-map)# call-agent 10.10.11.5 101
hostname(config-mgcp-map)# call-agent 10.10.11.6 101
hostname(config-mgcp-map)# call-agent 10.10.11.7 102
hostname(config-mgcp-map)# call-agent 10.10.11.8 102
hostname(config-mgcp-map)# gateway 10.10.10.115 101
hostname(config-mgcp-map)# gateway 10.10.10.116 102
hostname(config-mgcp-map)# gateway 10.10.10.117 102
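
The group join that this example relies on can be checked mechanically when auditing an MGCP map. The following Python sketch is an added example, not Cisco code: it parses the session above (pasted with its prompts) and reports which call agents share a group_id with each gateway. The function name gateway_controllers and the variable SESSION are hypothetical.

```python
import ipaddress
from collections import defaultdict

# The example session from this page, pasted with its prompts.
SESSION = """\
hostname(config)# mgcp-map mgcp_inbound
hostname(config-mgcp-map)# call-agent 10.10.11.5 101
hostname(config-mgcp-map)# call-agent 10.10.11.6 101
hostname(config-mgcp-map)# call-agent 10.10.11.7 102
hostname(config-mgcp-map)# call-agent 10.10.11.8 102
hostname(config-mgcp-map)# gateway 10.10.10.115 101
hostname(config-mgcp-map)# gateway 10.10.10.116 102
hostname(config-mgcp-map)# gateway 10.10.10.117 102
"""


def gateway_controllers(session_text):
    """Map each gateway to the call agents that share a group_id with it.

    Only 'call-agent ip group_id' and 'gateway ip group_id' lines are read;
    'no' forms and every other command are ignored.
    """
    agents_by_group = defaultdict(set)    # group_id -> call agent addresses
    groups_by_gateway = defaultdict(set)  # gateway address -> group_ids
    for line in session_text.splitlines():
        # Drop an optional "hostname(...)# " prompt, then tokenize.
        words = line.split("# ", 1)[-1].split()
        if len(words) != 3 or words[0] not in ("call-agent", "gateway"):
            continue
        keyword, address, group = words
        ip = ipaddress.ip_address(address)  # raises ValueError if malformed
        group_id = int(group)
        # The page states two different upper bounds for group_id, so only
        # the lower bound is enforced here.
        if group_id < 0:
            raise ValueError(f"negative group_id in: {line!r}")
        if keyword == "call-agent":
            agents_by_group[group_id].add(ip)
        else:
            groups_by_gateway[ip].add(group_id)

    result = {}
    for gateway, group_ids in groups_by_gateway.items():
        agents = set()
        for group_id in group_ids:
            # A gateway may reference a group that has no call agents.
            agents |= agents_by_group.get(group_id, set())
        result[str(gateway)] = [str(a) for a in sorted(agents)]
    return result


if __name__ == "__main__":
    for gw, agents in gateway_controllers(SESSION).items():
        print(gw, "<-", ", ".join(agents) or "(no call agents)")
```

A gateway that maps to an empty list references a group with no call agents, which is worth reviewing in an audit.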

Related Commands

Commands
Description

debug mgcp

Enables the display of debug information for MGCP.

mgcp-map

Defines an MGCP map and enables MGCP map configuration mode.

show mgcp

Displays MGCP configuration and session information.


capture

To enable packet capture capabilities for packet sniffing and network fault isolation, use the capture command. To disable packet capture capabilities, use the no form of this command (see the "Usage Guidelines" section for additional information about the no form of this command).

capture capture_name [access-list access_list_name] [buffer buf_size] [ethernet-type type] [interface interface_name] [packet-length bytes] [circular-buffer]

capture capture_name type asp-drop all [drop-code] [buffer buf_size] [circular-buffer] [packet-length bytes]

capture capture_name type isakmp [access-list access_list_name] [buffer buf_size] [circular-buffer] [interface interface_name] [packet-length bytes]

capture capture_name type raw-data [access-list access_list_name] [buffer buf_size] [circular-buffer] [ethernet-type type] [interface interface_name] [packet-length bytes]

capture capture_name type webvpn user webvpn-user [url url]

no capture capture_name

Syntax Description

access-list access_list_name

(Optional) Selects packets based on IP or higher fields for a specific access list identification.

all

Captures all the packets that the security appliance drops.

buffer buf_size

(Optional) Defines the buffer size used to store the packet in bytes.

capture_name

Specifies the name of the packet capture.

circular-buffer

(Optional) Overwrites the buffer, starting from the beginning, when the buffer is full.

ethernet-type type

(Optional) Selects an Ethernet type to capture.

interface interface_name

(Optional) Specifies the interface on which to use packet capture, where interface_name is the name assigned to the interface by the nameif command.

packet-length bytes

(Optional) Sets the maximum number of bytes of each packet to store in the capture buffer.

type asp-drop drop-code

(Optional) Captures packets dropped for a reason. You can specify a particular reason by using the drop-code argument. Valid values for the drop-code argument are listed in the "Usage Guidelines" section, below.

type isakmp

(Optional) Captures encrypted and decrypted ISAKMP payloads.

type raw-data

(Optional) Captures inbound and outbound packets on one or more interfaces. This is the default.

type webvpn

(Optional) Captures WebVPN data for a specific WebVPN connection.

url url

(Optional) Specifies a URL for a WebVPN connection capture.

user webvpn-user

(Optional) Specifies a username for a WebVPN capture.


Defaults

The defaults are as follows:

The capture type is raw data.

The buffer size is 512 KB.

All the Ethernet types are accepted.

All the IP packets are matched.

The packet-length is 1518 bytes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode       Firewall Mode              Security Context
                   Routed     Transparent     Single     Multiple
                                                         Context     System
Privileged mode    ·          ·               ·          ·           ·


Command History

Release
Modification

6.2

Support for this command was introduced on the security appliance.

7.0

This command was modified to include several new keywords, most notably the type asp-drop, type isakmp, type raw-data, and type webvpn keywords.

7.2(4)

Added the all option to capture all packets that the security appliance drops.


Usage Guidelines

Capturing packets is useful when troubleshooting connectivity problems or monitoring suspicious activity. The security appliance can track packet information for traffic that passes through it, including management traffic and inspection engines. Packet information for all traffic that passes through the device can be captured.

With ISAKMP, the ISAKMP subsystem does not have access to the upper layer protocols. The capture is a pseudo capture, with the Physical, IP, and UDP layers combined together to satisfy a PCAP parser. The peer addresses are obtained from the SA exchange and are stored in the IP layer.

When selecting an Ethernet type to be included from capture, an exception occurs with the 802.1Q or VLAN type. The 802.1Q tag is automatically skipped and the inner Ethernet type is used for matching. By default, all the Ethernet types are accepted.

Once the byte buffer is full, packet capture stops.

To enable packet capturing, attach the capture to an interface with the interface optional argument. Multiple capture command statements attach the capture to multiple interfaces.

If you copy the buffer contents to a TFTP server in ASCII format, you will see only the headers, not the details and hexadecimal dump of the packets. To see the details and hexadecimal dump, you need to transfer the buffer in PCAP format and read it with TCPDUMP or Ethereal.

The ethernet-type and access-list optional keywords select the packets to store in the buffer. A packet must pass both the Ethernet and access list filters before the packet is stored in the capture buffer.

The circular-buffer keyword allows you to enable the capture buffer to overwrite itself, starting from the beginning, when the capture buffer is full.
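
The filter and buffer rules above decide which packets are still in the buffer when you retrieve a capture. The following Python model is an added example, not Cisco code: it applies the 802.1Q skip, the two-filter rule, packet-length truncation, and the full-buffer behavior with and without circular-buffer to constructed frames. The names CaptureModel, effective_ethertype and make_frame are hypothetical, the access list is modeled as a plain predicate, and byte accounting counts only stored packet bytes (both are assumptions).

```python
import struct
from collections import deque

ETH_8021Q, ETH_IPV4, ETH_ARP = 0x8100, 0x0800, 0x0806


def effective_ethertype(frame: bytes) -> int:
    """EtherType used for matching: a single 802.1Q tag is skipped."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        (etype,) = struct.unpack_from("!H", frame, 16)  # inner type
    return etype


class CaptureModel:
    """Simplified model of one capture; defaults follow the page."""

    def __init__(self, buf_size=512 * 1024, packet_length=1518,
                 ethernet_type=None, acl=None, circular=False):
        self.buf_size = buf_size
        self.packet_length = packet_length
        self.ethernet_type = ethernet_type  # None accepts every type
        self.acl = acl                      # assumed: callable(frame) -> bool
        self.circular = circular
        self.packets = deque()
        self.used = 0
        self.stopped = False

    def offer(self, frame: bytes) -> bool:
        """Return True if the frame was stored in the buffer."""
        if self.stopped:
            return False
        # A packet must pass BOTH filters before it is stored.
        if (self.ethernet_type is not None
                and effective_ethertype(frame) != self.ethernet_type):
            return False
        if self.acl is not None and not self.acl(frame):
            return False
        stored = frame[:self.packet_length]  # packet-length truncation
        while self.used + len(stored) > self.buf_size:
            if not self.circular:
                self.stopped = True          # full buffer: capture stops
                return False
            if not self.packets:
                return False                 # packet larger than the buffer
            # circular-buffer: the oldest data is overwritten first
            self.used -= len(self.packets.popleft())
        self.packets.append(stored)
        self.used += len(stored)
        return True


def make_frame(ethertype, payload=b"", vlan=None):
    """Build a constructed Ethernet frame, optionally 802.1Q tagged."""
    header = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
    if vlan is not None:
        header += struct.pack("!HH", ETH_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def demo():
    """Feed the same constructed traffic to a linear and a circular capture."""
    frames = [
        make_frame(ETH_ARP, b"A" * 28),           # stored
        make_frame(ETH_IPV4, b"I" * 40),          # fails the ethernet-type filter
        make_frame(ETH_ARP, b"B" * 28, vlan=10),  # matched on the inner type
        make_frame(ETH_ARP, b"C" * 28),           # arrives when the buffer is full
    ]
    linear = CaptureModel(buf_size=100, packet_length=42, ethernet_type=ETH_ARP)
    ring = CaptureModel(buf_size=100, packet_length=42, ethernet_type=ETH_ARP,
                        circular=True)
    for frame in frames:
        linear.offer(frame)
        ring.offer(frame)
    return linear, ring


if __name__ == "__main__":
    linear, ring = demo()
    print("linear:", len(linear.packets), "packets, stopped =", linear.stopped)
    print("circular:", len(ring.packets), "packets, stopped =", ring.stopped)
```

In this model the non-circular capture keeps the earliest matching packets and misses everything after the buffer fills, while the circular capture keeps the most recent ones.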

Enter the no capture command with either the access-list or interface optional keyword unless you want to clear the capture itself. Entering no capture without optional keywords deletes the capture. If the access-list optional keyword is specified, the access list is removed from the capture and the capture is preserved. If the interface optional keyword is specified, the capture is detached from the specified interface and the capture is preserved.


Note: The capture command is not saved to the configuration, and the capture command is not copied to the standby module during failover.


Use the copy capture: capture_name tftp://server/path [pcap] command to copy capture information to a remote TFTP server.

Use the https://securityappliance-ip-address/capture/capture_name[/pcap] command to see the packet capture information with a web browser.

If you specify the pcap optional keyword, then a libpcap-format file is downloaded to the web browser and can be saved using the web browser. (A libpcap file can be viewed with TCPDUMP or Ethereal.)

When you enable WebVPN capture, the security appliance creates a pair of matching files: capture_name_ORIGINAL.000 and capture_name_MANGLED.000. For each subsequent capture, the security appliance generates additional matching pairs of files and increments the file extensions. url is the URL prefix to match for data capture. Use the URL http://server/path to capture HTTP traffic to the server. Use https://server/path to capture HTTPS traffic to the server.


Note: Enabling WebVPN capture affects the performance of the security appliance. Be sure to disable the capture after you generate the capture files that you need for troubleshooting.


type asp-drop Drop Codes

The following table lists valid values for the optional drop-code argument that can follow the type asp-drop keyword.

Drop Code
Description

acl-drop

Flow is denied by access rule.

all

All packet drop reasons.

bad-crypto

Bad crypto return in packet.

bad-ipsec-natt

Bad IPSEC NATT packet.

bad-ipsec-prot

IPSEC not AH or ESP.

bad-ipsec-udp

Bad IPSEC UDP packet.

bad-tcp-cksum

Bad TCP checksum.

bad-tcp-flags

Bad TCP flags.

buffer

Configure size of capture buffer, default is 512 KB.

circular-buffer

Overwrite buffer from beginning when full, default is non-circular.

conn-limit

Connection limit reached.

ctm-error

CTM returned error.

dns-guard-id-not-matched

DNS Guard id not matched.

dns-guard-out-of-app-id

DNS Guard out of app id.

dst-l2_lookup-fail

Dst MAC L2 Lookup Failed.

flow-expired

Expired flow.

fo-standby

Dropped by standby unit.

host-move-pkt

FP host move packet.

ifc-classify

Virtual firewall classification failed.

inspect-dns-id-not-matched

DNS Inspect id not matched.

inspect-dns-invalid-domain-label

DNS Inspect invalid domain label.

inspect-dns-invalid-pak

DNS Inspect invalid packet.

inspect-dns-out-of-app-id

DNS Inspect out of app id.

inspect-dns-pak-too-long

DNS Inspect packet too long.

inspect-icmp-error-different-embedded-conn

ICMP Error Inspect different embedded conn.

inspect-icmp-error-no-existing-conn

ICMP Error Inspect no existing conn.

inspect-icmp-out-of-app-id

ICMP Inspect out of app id.

inspect-icmp-seq-num-not-matched

ICMP Inspect seq num not matched.

inspect-icmpv6-error-invalid-pak

ICMPv6 Error Inspect invalid packet.

inspect-icmpv6-error-no-existing-conn

ICMPv6 Error Inspect no existing conn.

intercept-unexpected

Intercept unexpected packet.

interface-down

Interface is down.

invalid-app-length

Invalid app length.

invalid-encap

Invalid encapsulation.

invalid-ethertype

Invalid ethertype.

invalid-ip-addr

Invalid IP address.

invalid-ip-header

Invalid IP header.

invalid-ip-length

Invalid IP length.

invalid-ip-option

IP option configured drop.

invalid-tcp-hdr-length

Invalid tcp length.

invalid-tcp-pak

Invalid TCP packet.

invalid-udp-length

Invalid udp length.

ip-fragment

IP fragment (unsupported).

ips-fail-close

IPS card is down.

ips-request

IPS Module requested drop.

ipsec-clearpkt-notun

IPSEC Clear Pkt w/no tunnel.

ipsec-ipv6

IPSEC via IPV6.

ipsec-need-sa

IPSEC SA Not negotiated yet.

ipsec-spoof

IPSEC Spoof detected.

ipsec-tun-down

IPSEC tunnel is down.

ipsecudp-keepalive

IPSEC/UDP keepalive message.

ipv6_fp-security-failed

IPv6 fastpath security checks failed.

ipv6_sp-security-failed

IPv6 slowpath security checks failed.

l2_acl

FP L2 rule drop.

l2_same-lan-port

L2 Src/Dst same LAN port.

large-buf-alloc-fail

FP fp large buffer alloc failed.

loopback-buffer-full

Loopback buffer full.

lu-invalid-pkt

Invalid LU packet.

natt-keepalive

NAT-T keepalive message.

no-adjacency

No valid adjacency.

no-mcast-entry

FP no mcast entry.

no-mcast-intrf

FP no mcast output intrf.

no-punt-cb

No registered punt cb.

no-route

No route to host.

non-ip-pkt-in-routed-mode

Non-IP packet received in routed mode.

np-sp-invalid-spi

Invalid SPI.

packet-length

Configure maximum length to save from each packet, default is 68 bytes.

punt-rate-limit

Punt rate limit exceeded.

queue-removed

Queued packet dropped.

rate-exceeded

QoS rate exceeded.

rpf-violated

Reverse-path verify failed.

security-failed

Early security checks failed.

send-ctm-error

Send to CTM returned error.

sp-security-failed

Slowpath security checks failed.

tcp-3whs-failed

TCP failed 3 way handshake.

tcp-ack-syn-diff

TCP ACK in SYNACK invalid.

tcp-acked

TCP DUP and has been ACKed.

tcp-bad-option-len

Bad option length in TCP.

tcp-bad-option-list

TCP option list invalid.

tcp-bad-sack-allow

Bad TCP SACK ALLOW option.

tcp-bad-winscale

Bad TCP window scale value.

tcp-buffer-full

TCP packet buffer full.

tcp-conn-limit

TCP Connection limit reached.

tcp-data-past-fin

TCP data send after FIN.

tcp-discarded-ooo

TCP packet out of order.

tcp-dual-open

TCP Dual open denied.

tcp-fo-drop

TCP replicated flow pak drop.

tcp-invalid-ack

TCP invalid ACK.

tcp-mss-exceeded

TCP MSS was too large.

tcp-mss-no-syn

TCP MSS option on non-SYN.

tcp-not-syn

First TCP packet not SYN.

tcp-paws-fail

TCP packet failed PAWS test.

tcp-reserved-set

TCP reserved flags set.

tcp-rst-syn-in-win

TCP RST/SYN in window.

tcp-rstfin-ooo

TCP RST/FIN out of order.

tcp-seq-past-win

TCP packet SEQ past window.

tcp-seq-syn-diff

TCP SEQ in SYN/SYNACK.

tcp-syn-data

TCP SYN with data.

tcp-syn-ooo

TCP SYN on established conn.

tcp-synack-data

TCP SYNACK with data.

tcp-synack-ooo

TCP SYNACK on established conn.

tcp-tsopt-notallowed

TCP timestamp not allowed.

tcp-winscale-no-syn

TCP Window scale on non-SYN.

tcp_xmit_partial

TCP retransmission partial.

tfw-no-mgmt-ip-config

No management IP address configured for TFW.

unable-to-add-flow

Flow hash full.

unable-to-create-flow

Out of flow cache memory.

unimplemented

Slow path unimplemented.

unsupport-ipv6-hdr

Unsupported IPV6.

unsupported-ip-version

Unsupported IP version.


Examples

To enable packet capture, enter the following:

hostname(config)# capture captest interface inside
hostname(config)# capture captest interface outside

On a web browser, the capture contents for a capture named "mycapture" can be viewed at the following location:

https://171.69.38.95/capture/mycapture/pcap

To download a libpcap file (used in web browsers such as Internet Explorer or Netscape Navigator) to a local machine, enter the following:

https://171.69.38.95/capture/http/pcap

This example shows that the traffic is captured from an outside host at 171.71.69.234 to an inside HTTP server:

hostname(config)# access-list http permit tcp host 10.120.56.15 eq http host 171.71.69.234
hostname(config)# access-list http permit tcp host 171.71.69.234 host 10.120.56.15 eq http
hostname(config)# capture http access-list http packet-length 74 interface inside

This example shows how to capture ARP packets:

hostname(config)# capture arp ethernet-type arp interface outside

This example creates a WebVPN capture designated hr, which is configured to capture HTTP traffic for user2 visiting website wwwin.abcd.com/hr/people:

hostname# capture hr type webvpn user user2 url http://wwwin.abcd.com/hr/people
WebVPN capture started.
   capture name   hr
   user name      user2
   url            /http/0/wwwin.abcd.com/hr/people
hostname#

Related Commands

Command
Description

clear capture

Clears the capture buffer.

copy capture

Copies a capture file to a server.

show capture

Displays the capture configuration when no options are specified.


cd

To change the current working directory to the one specified, use the cd command in privileged EXEC mode.

cd [disk0: | disk1: | flash:] [path]

Syntax Description

disk0:

Specifies the internal Flash memory, followed by a colon.

disk1:

Specifies the removable, external Flash memory card, followed by a colon.

flash:

Specifies the internal Flash memory, followed by a colon. In the ASA 5500 series, the flash keyword is aliased to disk0.

path

(Optional) The absolute path of the directory to change to.


Defaults

If you do not specify a directory, the directory is changed to the root directory.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Examples

This example shows how to change to the "config" directory:

hostname# cd flash:/config/

Related Commands

Command
Description

pwd

Displays the current working directory.


certificate

To add the indicated certificate, use the certificate command in crypto ca certificate chain mode. When you use this command, the security appliance interprets the data included with it as the certificate in hexadecimal format. A quit string indicates the end of the certificate.

To delete the certificate, use the no form of the command.

certificate [ca | ra-encrypt | ra-sign | ra-general] certificate-serial-number

no certificate certificate-serial-number

Syntax Description

certificate-serial-number

Specifies the serial number of the certificate in hexadecimal format ending with the word quit.

ca

Indicates that the certificate is a certificate authority (CA) issuing certificate.

ra-encrypt

Indicates that the certificate is a registration authority (RA) key encipherment certificate used in SCEP.

ra-general

Indicates that the certificate is a registration authority (RA) certificate used for digital signing and key encipherment in SCEP messaging.

ra-sign

Indicates that the certificate is a registration authority (RA) digital signature certificate used in SCEP messaging.


Defaults

This command has no default values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Certificate chain configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

A certificate authority (CA) is an authority in a network that issues and manages security credentials and public keys for message encryption. As part of a public key infrastructure, a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate.

Examples

This example enters ca trustpoint mode for a trustpoint named central, then enters crypto ca certificate chain mode for central, and adds a CA certificate with a serial number 29573D5FF010FE25B45:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# crypto ca certificate chain central 
hostname(ca-cert-chain)# certificate ca 29573D5FF010FE25B45
  30820345 308202EF A0030201 02021029 572A3FF2 96EF854F D0D6732F E25B4530
  0D06092A 864886F7 0D010105 05003081 8F311630 1406092A 864886F7 0D010901
  16076140 622E636F 6D310B30 09060355 04061302 55533116 30140603 55040813
  0D6D6173 73616368 75736574 74733111 300F0603 55040713 08667261 6E6B6C69
  6E310E30 0C060355 040A1305 63697363 6F310F30 0D060355 040B1306 726F6F74
  6F75311C 301A0603 55040313 136D732D 726F6F74 2D736861 2D30362D 32303031
  301E170D 30313036 32363134 31313430 5A170D32 32303630 34313430 3133305A
  30818F31 16301406 092A8648 86F70D01 09011607 6140622E 636F6D31 0B300906
  03550406 13025553 31163014 06035504 08130D6D 61737361 63687573 65747473
  3111300F 06035504 07130866 72616E6B 6C696E31 0E300C06 0355040A 13056369
  73636F31 0F300D06 0355040B 1306726F 6F746F75 311C301A 06035504 0313136D
  732D726F 6F742D73 68612D30 362D3230 3031305C 300D0609 2A864886 F70D0101
  01050003 4B003048 024100AA 3EB9859B 8670A6FB 5E7D2223 5C11BCFE 48E6D3A8
  181643ED CF7E75EE E77D83DF 26E51876 97D8281E 9F58E4B0 353FDA41 29FC791B
  1E14219C 847D19F4 A51B7B02 03010001 A3820123 3082011F 300B0603 551D0F04
  04030201 C6300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604
  14E0D412 3ACC96C2 FBF651F3 3F66C0CE A62AB63B 323081CD 0603551D 1F0481C5
  3081C230 3EA03CA0 3A86386C 6461703A 2F2F7732 6B616476 616E6365 64737276
  2F436572 74456E72 6F6C6C2F 6D732D72 6F6F742D 7368612D 30362D32 3030312E
  63726C30 3EA03CA0 3A863868 7474703A 2F2F7732 6B616476 616E6365 64737276
  2F436572 74456E72 6F6C6C2F 6D732D72 6F6F742D 7368612D 30362D32 3030312E
  63726C30 40A03EA0 3C863A66 696C653A 2F2F5C5C 77326B61 6476616E 63656473
  72765C43 65727445 6E726F6C 6C5C6D73 2D726F6F 742D7368 612D3036 2D323030
  312E6372 6C301006 092B0601 04018237 15010403 02010130 0D06092A 864886F7
  0D010105 05000341 0056221E 03F377B9 E6900BF7 BCB3568E ADBA146F 3B8A71F3
  DF9EB96C BB1873B2 B6268B7C 0229D8D0 FFB40433 C8B3CB41 0E4D212B 2AEECD77
  BEA3C1FE 5EE2AB6D 91
  quit

Related Commands

Command
Description

clear configure crypto map

Clears all configuration for all crypto maps.

show running-config crypto map

Displays the crypto map configuration.

crypto ca certificate chain

Enters certificate crypto ca certificate chain mode.

crypto ca trustpoint

Enters ca trustpoint mode.

show running-config crypto map

Displays all configuration for all the crypto maps.


chain

To enable sending of a certificate chain, use the chain command in tunnel-group ipsec-attributes configuration mode. This action includes the root certificate and any subordinate CA certificates in the transmission. To return this command to the default, use the no form of this command.

chain

no chain

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting for this command is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group ipsec attributes configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You can apply this attribute to all tunnel-group types.

Examples

The following example, entered in config-ipsec configuration mode, enables sending a chain for an IPSec LAN-to-LAN tunnel group with the IP address of 209.165.200.225, which includes the root certificate and any subordinate CA certificates:

hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2L
hostname(config)# tunnel-group 209.165.200.225 ipsec-attributes
hostname(config-ipsec)# chain
hostname(config-ipsec)# 

Related Commands

Command
Description

clear configure tunnel-group

Clears all configured tunnel groups.

show running-config tunnel-group

Shows the indicated certificate map entry.

tunnel-group-map default-group

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.


changeto

To change between security contexts and the system, use the changeto command in privileged EXEC mode.

changeto {system | context name}

Syntax Description

context name

Changes to the context with the specified name.

system

Changes to the system execution space.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

If you log into the system execution space or the admin context, you can change between contexts and perform configuration and monitoring tasks within each context. The "running" configuration that you edit in configuration mode, or that is used in the copy or write commands, depends on which execution space you are in. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context execution space, the running configuration consists only of that context. For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration appears.

Examples

The following example changes between contexts and the system in privileged EXEC mode:

hostname/admin# changeto system
hostname# changeto context customerA
hostname/customerA#

The following example changes between the system and the admin context in interface configuration mode. When you change between execution spaces, and you are in a configuration submode, the mode changes to the global configuration mode in the new execution space.

hostname(config-if)# changeto context admin
hostname/admin(config)#

Related Commands

Command
Description

admin-context

Sets a context to be the admin context.

context

Creates a security context in the system configuration and enters context configuration mode.

show context

Shows a list of contexts (system execution space) or information about the current context.


checkheaps

To configure checkheaps verification intervals, use the checkheaps command in global configuration mode. To set the value to the default, use the no form of this command. Checkheaps is a periodic process that verifies the sanity of the heap memory buffers (dynamic memory is allocated from the system heap memory region) and the integrity of the code region.

checkheaps {check-interval | validate-checksum} seconds

no checkheaps {check-interval | validate-checksum} [seconds]

Syntax Description

check-interval

Sets the buffer verification interval. The buffer verification process checks the sanity of the heap (allocated and freed memory buffers). During each invocation of the process, the security appliance checks the entire heap, validating each memory buffer. If there is a discrepancy, the security appliance issues either an "allocated buffer error" or a "free buffer error." If there is an error, the security appliance dumps traceback information when possible and reloads.

validate-checksum

Sets the code space checksum validation interval. When the security appliance first boots up, the security appliance calculates a hash of the entire code. Later, during the periodic check, the security appliance generates a new hash and compares it to the original. If there is a mismatch, the security appliance issues a "text checksum checkheaps error." If there is an error, the security appliance dumps traceback information when possible and reloads.

seconds

Sets the interval in seconds between 1 and 2147483.


Defaults

The default intervals are 60 seconds each.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example sets the buffer allocation interval to 200 seconds and the code space checksum interval to 500 seconds:

hostname(config)# checkheaps check-interval 200
hostname(config)# checkheaps validate-checksum 500

Related Commands

Command
Description

show checkheaps

Shows checkheaps statistics.


check-retransmission

To protect against TCP retransmission-style attacks, use the check-retransmission command in tcp-map configuration mode. To remove this specification, use the no form of this command.

check-retransmission

no check-retransmission

Syntax Description

This command has no arguments or keywords.

Defaults

The default is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tcp-map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. To protect against TCP retransmission-style attacks that arise from end-system interpretation of inconsistent retransmissions, use the check-retransmission command in tcp-map configuration mode.

The security appliance attempts to verify that the data in a retransmission is the same as the original. If the data does not match, the security appliance drops the connection. When this feature is enabled, packets on the TCP connection are allowed only in order. For more details, see the queue-limit command.

Examples

The following example enables the TCP check-retransmission feature on all TCP flows:

hostname(config)# access-list TCP extended permit tcp any any
hostname(config)# tcp-map tmap
hostname(config-tcp-map)# check-retransmission
hostname(config)# class-map cmap
hostname(config-cmap)# match access-list TCP
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# set connection advanced-options tmap
hostname(config)# service-policy pmap global
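
The retransmission check described in the usage guidelines can be modelled outside the appliance. The following Python is an added example, not Cisco code: it tracks one direction of a connection, compares every retransmitted byte with the copy already seen, and drops the flow on a mismatch. The class, the verdict strings and the sample segments are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass
class FlowDirection:
    """Payload bytes already seen for one direction of a TCP connection.

    Assumption: the whole stream is kept in memory to keep the model short;
    a real device would only need the data that is not yet acknowledged.
    """
    isn: int                                   # initial sequence number (from the SYN)
    seen: bytearray = field(default_factory=bytearray)
    dropped: bool = False

    def inspect(self, seq: int, payload: bytes) -> str:
        """Return a verdict for one data segment."""
        if self.dropped:
            return "drop"                      # connection already torn down
        if not payload:
            return "no-data"                   # pure ACK, nothing to compare
        # Offset of this segment in the byte stream; first data byte is ISN + 1.
        start = (seq - self.isn - 1) % SEQ_MOD
        if start > len(self.seen):
            # A gap precedes this segment. With the feature enabled, data is
            # only allowed through in order, so it cannot be forwarded yet.
            return "out-of-order"
        # Bytes of this segment that cover data we have already seen.
        overlap = min(len(payload), len(self.seen) - start)
        if bytes(self.seen[start:start + overlap]) != payload[:overlap]:
            self.dropped = True                # inconsistent retransmission
            return "drop"
        self.seen += payload[overlap:]         # append only the new bytes
        if overlap == 0:
            return "new"
        return "retransmit-ok" if overlap == len(payload) else "overlap-ok"


def replay(isn, segments):
    """Run (seq, payload) pairs through a fresh flow and collect the verdicts."""
    flow = FlowDirection(isn)
    return [flow.inspect(seq, data) for seq, data in segments]


# Constructed sample traffic (ISN 1000), not a real capture.
CONSTRUCTED_SEGMENTS = [
    (1001, b"GET /index"),                     # first data
    (1011, b".html HTTP/1.0\r\n"),             # next in order
    (1001, b"GET /index"),                     # identical retransmission
    (1006, b"index.html HTTP/1.0\r\n\r\n"),    # overlaps old data, adds 2 new bytes
    (1040, b"late"),                           # arrives ahead of a gap
    (1001, b"GET /other"),                     # same sequence range, different bytes
    (1029, b"more"),                           # anything after the drop
]

if __name__ == "__main__":
    for (seq, data), verdict in zip(CONSTRUCTED_SEGMENTS,
                                    replay(1000, CONSTRUCTED_SEGMENTS)):
        print(f"seq={seq:<5} len={len(data):<3} {verdict}")
```
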

Related Commands

Command
Description

class

Specifies a class map to use for traffic classification.

help

Shows syntax help for the policy-map, class, and description commands.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

set connection

Configures connection values.

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.


checksum-verification

To enable or disable TCP checksum verification, use the checksum-verification command in tcp-map configuration mode. To remove this specification, use the no form of this command.

checksum-verification

no checksum-verification

Syntax Description

This command has no arguments or keywords.

Defaults

Checksum verification is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tcp-map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. Use the checksum-verification command in tcp-map configuration mode to enable TCP checksum verification. If the check fails, the packet is dropped.

Examples

The following example enables TCP checksum verification on TCP connections from 10.0.0.0 to 20.0.0.0:

hostname(config)# access-list TCP1 extended permit tcp 10.0.0.0 255.0.0.0 20.0.0.0 255.0.0.0
hostname(config)# tcp-map tmap
hostname(config-tcp-map)# checksum-verification

hostname(config)# class-map cmap
hostname(config-cmap)# match access-list TCP1

hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# set connection advanced-options tmap

hostname(config)# service-policy pmap global
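
What the checksum check involves is shown by the following added example (Python, not Cisco code), which recomputes the TCP checksum over the IPv4 pseudo-header and the segment and returns a drop verdict when it does not verify. The function names, the verdict strings and the sample addresses (taken from the 10.0.0.0 and 20.0.0.0 networks of the example above) are assumptions; the segment is constructed in the code.

```python
import socket
import struct

TCP_HEADER_MIN = 20  # bytes, header without options


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones-complement sum used by the Internet checksum."""
    if len(data) % 2:
        data += b"\x00"                        # pad odd-length data with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                         # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol, TCP length."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """True when the checksum carried in the segment verifies."""
    covered = pseudo_header(src, dst, len(segment)) + segment
    # Summing everything, checksum field included, must give all ones.
    return ones_complement_sum(covered) == 0xFFFF


def verdict(src: str, dst: str, segment: bytes) -> str:
    """'forward' or 'drop', mirroring 'if the check fails, the packet is dropped'."""
    if len(segment) < TCP_HEADER_MIN:
        return "drop"                          # too short to hold a TCP header
    return "forward" if tcp_checksum_ok(src, dst, segment) else "drop"


def build_segment(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Build a constructed TCP segment (no options) with a correct checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         5 << 4,               # data offset: 5 words, no options
                         flags, 65535,         # flags, window
                         0, 0)                 # checksum placeholder, urgent pointer
    covered = pseudo_header(src, dst, len(header) + len(payload)) + header + payload
    checksum = 0xFFFF ^ ones_complement_sum(covered)
    # The checksum field sits at bytes 16-17 of the TCP header.
    return header[:16] + struct.pack("!H", checksum) + header[18:] + payload


# Constructed sample values.
SRC, DST = "10.1.1.5", "20.1.1.9"

if __name__ == "__main__":
    good = build_segment(SRC, DST, 40000, 80, 1, 0, 0x18, b"hello")
    damaged = good[:-1] + bytes([good[-1] ^ 0x01])   # one bit changed in transit
    print("intact segment :", verdict(SRC, DST, good))
    print("damaged segment:", verdict(SRC, DST, damaged))
    # The pseudo-header ties the checksum to the IP addresses as well.
    print("wrong address  :", verdict(SRC, "20.1.1.10", good))
```
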

Related Commands

Command
Description

class

Specifies a class map to use for traffic classification.

help

Shows syntax help for the policy-map, class, and description commands.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

set connection

Configures connection values.

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.


class (policy-map)

To assign a class-map to a policy for traffic classification, use the class command in policy-map mode. To remove a class-map specification for a policy map, use the no form of this command.

class classmap-name

no class classmap-name

Syntax Description

classmap-name

The name for the class-map. The name can be up to 40 characters long.


Defaults

By default, "class class-default" always exists at the end of a policy map.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Policy-map


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Including the class-default, up to 63 class commands can be configured in a policy map.

The name "class-default" is a reserved name for default class, and it always exists; that is, you can include it in your configuration, but you cannot reconfigure or remove it using CLI. See the description of the class-map command for more information.

Use the class command to enter class mode, in which you can enter the following commands:

set connection

inspect

ips

priority

police

See the individual command descriptions for detailed information.

Examples

The following is an example of the class command in policy-map mode; note the change in the prompt:

hostname(config)# class-map localclass1
hostname(config-cmap)# match any
hostname(config-cmap)# exit
hostname(config)# policy-map localpolicy1
hostname(config-pmap)# class localclass1
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# exit

The following is an example of a policy-map command, with its class commands, for a connection policy that limits connections to an HTTP server to a maximum of 256:

hostname(config)# access-list myhttp permit tcp any host 10.1.1.1
hostname(config)# class-map myhttp

hostname(config-cmap)# match access-list myhttp
hostname(config-cmap)# exit

hostname(config)# policy-map global-policy
hostname(config-pmap)# description This policy map defines a policy concerning connection to http server.
hostname(config-pmap)# class myhttp
hostname(config-pmap-c)# set connection conn-max 256

The following is an example of a policy-map command, with its class commands, for the outside interface (defined in the service-policy command). The class-map command specifies a class of traffic that has a destination IP address of 192.168.10.10:

hostname(config)# class-map outside-voip
hostname(config-cmap)# match dscp af11
hostname(config-cmap)# exit

hostname(config)# policy-map outside-policy
hostname(config-pmap)# description This policy map defines policies for the outside interface.
hostname(config-pmap)# class outside-voip
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy outside-policy interface outside

Related Commands

Command
Description

clear configure policy-map

Removes all policy-map configuration, except for any policy-map that is in use in a service-policy command.

policy-map

Configures a policy; that is, an association of one or more traffic classes, each with one or more actions.

show running-config policy-map

Displays all current policy-map configurations.


class-map

To classify traffic for an interface when using Modular Policy Framework to configure a security feature, use the class-map command in global configuration mode. To delete a class map, use the no form of this command.

class-map class_map_name

no class-map class_map_name

Syntax Description

class_map_name

Text for the class map name; the text can be up to 40 characters in length. The name space for class-map is local to a security context. Therefore, the same name may be used in multiple security contexts. The maximum number of class-maps per security context is 255.


Defaults

The default class, class-default, always exists and cannot be configured or removed using the CLI. A default class, when used in a policy map, means "all other traffic." The definition of class-default is:

class-map class-default
	match any

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The class-map command allows you to define a traffic class when using Modular Policy Framework to configure a security feature. Modular Policy Framework provides a consistent and flexible way to configure security appliance features in a manner similar to Cisco IOS software QoS CLI. Use the class-map, policy-map, and service-policy global configuration commands to configure a security feature using Modular Policy Framework.

Define a traffic class using the class-map global configuration command. Then create a policy map by associating the traffic class with one or more actions using the policy-map global configuration command. Finally, create a security policy by associating the policy map with one or more interfaces using the service-policy command.

A traffic class map contains, at most, one match command (with the exception of the match tunnel-group and match default-inspection-traffic commands). The match command identifies the traffic included in the traffic class. When a packet is matched against a class-map, the match result is either a match or a no match.

Use the class-map command to enter class-map configuration mode. From class-map configuration mode, you can define the traffic to include in the class using the match command. The following commands are available in class-map configuration mode:

description

Specifies a description for the class-map.

match access-list

Specifies the name of an access-list to be used as match criteria. When a packet does not match an entry in the access-list, the match result is a no-match. When a packet matches an entry in an access-list, and if it is a permit entry, the match result is a match. Otherwise, if it matches a deny access-list entry, the match result is no-match.

match port

Specifies to match traffic using a TCP/UDP destination port.

match precedence

Specifies to match the precedence value represented by the TOS byte in the IP header.

match dscp

Specifies to match the IETF-defined DSCP value in the IP header.

match rtp

Specifies to match an RTP port.

match tunnel-group

Specifies to match security related tunnel groups.

match flow ip destination-address

Specifies to match the IP destination address.

match default-inspection-traffic

Specifies to match default traffic for the inspect commands.


Examples

The following example shows how to define a traffic class of all TCP traffic to port 21 using a class map:

hostname(config)# class-map ftp-port
hostname(config-cmap)# match port tcp eq 21

Related Commands

Command
Description

clear configure class-map

Removes all of the traffic map definitions.

policy-map

Creates a policy map by associating the traffic class with one or more actions.

service-policy

Creates a security policy by associating the policy map with one or more interfaces.

show running-config class-map

Displays the information about the class map configuration.


clear aaa local user fail-attempts

To reset the number of failed user authentication attempts to zero without modifying the user's locked-out status, use the clear aaa local user fail-attempts command in privileged EXEC mode.

clear aaa local user authentication fail-attempts {username name | all}

Syntax Description

all

Resets the failed-attempts counter to 0 for all users.

name

Specifies a specific username for which the failed-attempts counter is reset to 0.

username

Indicates that the following parameter is a username, for which the failed-attempts counter is reset to 0.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Use this command when a user fails authentication a few times, but you want to reset the counter to zero, for example, when the configuration has recently been modified.

After the configured number of failed authentication attempts, the user is locked out of the system and cannot successfully log in until either a system administrator unlocks the username or the system reboots.

The number of failed attempts resets to zero and the lockout status resets to No when the user successfully authenticates or when the security appliance reboots.

Locking or unlocking a username results in a syslog message.

A system administrator with a privilege level of 15 cannot be locked out.

Examples

The following example shows use of the clear aaa local user authentication fail-attempts command to reset the failed-attempts counter to 0 for the username anyuser:

hostname(config)# clear aaa local user authentication fail-attempts username anyuser
hostname(config)#

The following example shows use of the clear aaa local user authentication fail-attempts command to reset the failed-attempts counter to 0 for all users:

hostname(config)# clear aaa local user authentication fail-attempts all
hostname(config)#

Related Commands

Command
Description

aaa local authentication attempts max-fail

Configures a limit on the number of failed user authentication attempts allowed.

clear aaa local user lockout

Resets the number of failed user authentication attempts to zero without modifying the user's locked-out status.

show aaa local user [locked]

Shows the list of usernames that are currently locked.


clear aaa local user lockout

To clear the lockout status of the specified users and set their failed-attempts counter to 0, use the clear aaa local user lockout command in privileged EXEC mode.

clear aaa local user lockout {username name | all}

Syntax Description

all

Resets the failed-attempts counter to 0 for all users.

name

Specifies a specific username for which the failed-attempts counter is reset to 0.

username

Indicates that the following parameter is a username, for which the failed-attempts counter is reset to 0.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You can specify a single user by using the username option or all users with the all option.

This command affects only the status of users that are locked out.

The administrator cannot be locked out of the device.

Locking or unlocking a username results in a syslog message.

Examples

The following example shows use of the clear aaa local user lockout command to clear the lockout condition and reset the failed-attempts counter to 0 for the username anyuser:

hostname(config)# clear aaa local user lockout username anyuser
hostname(config)#
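
The difference between clear aaa local user fail-attempts and clear aaa local user lockout is easiest to see as a state model. The following Python is an added example, not Cisco code, that follows the usage guidelines of both commands. The class and method names are hypothetical, and three behaviours the text does not spell out are assumptions marked in the comments.

```python
from dataclasses import dataclass


@dataclass
class LocalUser:
    privilege: int = 1
    fail_attempts: int = 0
    locked: bool = False


class LocalUserDatabase:
    """Model of the LOCAL user lockout rules described above (hypothetical names)."""

    def __init__(self, max_fail, users):
        self.max_fail = max_fail     # limit set by aaa local authentication attempts max-fail
        self.users = users           # username -> LocalUser
        self.events = []             # stands in for the lock/unlock syslog messages

    def _select(self, username):
        # username=None plays the role of the "all" keyword.
        return list(self.users) if username is None else [username]

    def authenticate(self, username, password_ok):
        user = self.users[username]
        if user.locked:
            # A locked-out user cannot log in, even with the right password.
            # Assumption: attempts made while locked are not counted.
            return False
        if password_ok:
            user.fail_attempts = 0   # a successful login resets the counter
            return True
        # Assumption: failures of a privilege-15 user are counted but never lock.
        user.fail_attempts += 1
        if user.fail_attempts >= self.max_fail and user.privilege < 15:
            user.locked = True
            self.events.append(f"locked {username}")
        return False

    def clear_fail_attempts(self, username=None):
        """Counter back to zero; the locked-out status is left untouched."""
        for name in self._select(username):
            self.users[name].fail_attempts = 0

    def clear_lockout(self, username=None):
        """Unlock and zero the counter; only locked-out users are affected."""
        for name in self._select(username):
            user = self.users[name]
            if user.locked:          # Assumption: other users are left as they are
                user.locked = False
                user.fail_attempts = 0
                self.events.append(f"unlocked {name}")

    def reboot(self):
        """A reboot resets every counter and every lockout."""
        for user in self.users.values():
            user.fail_attempts = 0
            user.locked = False

    def locked_users(self):
        return sorted(n for n, u in self.users.items() if u.locked)


def walkthrough():
    """Constructed scenario: lock anyuser, then apply both clear commands."""
    db = LocalUserDatabase(3, {"anyuser": LocalUser(),
                               "admin": LocalUser(privilege=15)})
    for _ in range(3):
        db.authenticate("anyuser", False)
    steps = [("after 3 failures", db.locked_users())]
    db.clear_fail_attempts("anyuser")          # counter is 0, user still locked
    steps.append(("after clear fail-attempts", db.locked_users()))
    db.clear_lockout("anyuser")                # now the user can log in again
    steps.append(("after clear lockout", db.locked_users()))
    return steps


if __name__ == "__main__":
    for label, locked in walkthrough():
        print(f"{label}: locked users = {locked}")
```
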

Related Commands

Command
Description

aaa local authentication attempts max-fail

Configures a limit on the number of failed user authentication attempts allowed.

clear aaa local user fail-attempts

Resets the number of failed user authentication attempts to zero without modifying the user's locked-out status.

show aaa local user [locked]

Shows the list of usernames that are currently locked.


clear aaa-server statistics

To reset the statistics for AAA servers, use the clear aaa-server statistics command in privileged EXEC mode.

clear aaa-server statistics [LOCAL | groupname [host hostname] | protocol protocol]

Syntax Description

LOCAL

(Optional) Clears statistics for the LOCAL user database.

groupname

(Optional) Clears statistics for servers in a group.

host hostname

(Optional) Clears statistics for a particular server in the group.

protocol protocol

(Optional) Clears statistics for servers of the specified protocol:

kerberos

ldap

nt

radius

sdi

tacacs+


Defaults

Remove all AAA-server statistics across all groups.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was modified to adhere to CLI guidelines. In the protocol values, nt replaces the older nt-domain, and sdi replaces the older rsa-ace.


Examples

The following command shows how to reset the AAA statistics for a specific server in a group:

hostname(config)# clear aaa-server statistics svrgrp1 host 1.2.3.4

The following command shows how to reset the AAA statistics for an entire server group:

hostname(config)# clear aaa-server statistics svrgrp1

The following command shows how to reset the AAA statistics for all server groups:

hostname(config)# clear aaa-server statistics

The following command shows how to reset the AAA statistics for a particular protocol (in this case, TACACS+):

hostname(config)# clear aaa-server statistics protocol tacacs+

Related Commands

Command
Description

aaa-server protocol

Specifies and manages the grouping of AAA server connection data.

clear configure aaa-server

Removes all non-default AAA server groups or clears the specified group.

show aaa-server

Displays AAA server statistics.

show running-config aaa-server

Displays the current AAA server configuration values.


clear access-group

To remove access groups from all the interfaces, use the clear access-group command.

clear access-group

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example shows how to remove all access groups:

hostname(config)# clear access-group

Related Commands

Command
Description

access-group

Binds an access list to an interface.

show running-config access-group

Displays the current access group configuration.


clear access-list

To clear an access-list counter, use the clear access-list command in global configuration mode.

clear access-list [id] counters

Syntax Description

counters

Clears access list counters.

id

(Optional) Name or number of an access list.


Defaults

All the access list counters are cleared.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

When you enter the clear access-list command, all the access list counters are cleared if you do not specify an id.

Examples

The following example shows how to clear a specific access list counter:

hostname# clear access-list inbound counters

Related Commands

Command
Description

access-list extended

Adds an access list to the configuration and configures policy for IP traffic through the firewall.

access-list standard

Adds an access list to identify the destination IP addresses of OSPF routes, which can be used in a route map for OSPF redistribution.

clear configure access-list

Clears an access list from the running configuration.

show access-list

Displays the access list entries by number.

show running-config access-list

Displays the access list configuration that is running on the security appliance.


clear arp statistics

To clear ARP statistics, use the clear arp statistics command in privileged EXEC mode.

clear arp statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example clears all ARP statistics:

hostname# clear arp statistics

Related Commands

Command
Description

arp

Adds a static ARP entry.

arp-inspection

For transparent firewall mode, inspects ARP packets to prevent ARP spoofing.

show arp statistics

Shows ARP statistics.

show running-config arp

Shows the current configuration of the ARP timeout.


clear asp drop

To clear accelerated security path drop statistics, use the clear asp drop command in privileged EXEC mode.

clear asp drop [flow type | frame type]

Syntax Description

flow

(Optional) Clears the dropped flow statistics.

frame

(Optional) Clears the dropped packet statistics.

type

(Optional) Clears the dropped flow or packets statistics for a particular process. See "Usage Guidelines" for a list of types.


Defaults

By default, this command clears all drop statistics.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Process types include the following:

acl-drop
audit-failure
closed-by-inspection
conn-limit-exceeded
fin-timeout
flow-reclaimed
fo-primary-closed
fo-standby
fo_rep_err
host-removed
inspect-fail
ips-fail-close
ips-request
ipsec-spoof-detect
loopback
mcast-entry-removed
mcast-intrf-removed
mgmt-lockdown
nat-failed
nat-rpf-failed
need-ike
no-ipv6-ipsec
non_tcp_syn
out-of-memory
parent-closed
pinhole-timeout
recurse
reinject-punt
reset-by-ips
reset-in
reset-out
shunned
syn-timeout
tcp-fins
tcp-intercept-no-response
tcp-intercept-kill
tcp-intercept-unexpected
tcpnorm-invalid-syn
tcpnorm-rexmit-bad
tcpnorm-win-variation
timeout
tunnel-pending
tunnel-torn-down
xlate-removed

Examples

The following example clears all drop statistics:

hostname# clear asp drop

Related Commands

Command
Description

show asp drop

Shows the accelerated security path counters for dropped packets.


clear asp table

To clear the hit counters either in asp arp or classify tables, or both, use the clear asp table command in privileged EXEC mode.

clear asp table [arp | classify]

Syntax Description

arp

Clears the hits counters in the asp arp table only.

classify

Clears the hits counters in the asp classify tables only.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.2(4)

This command was introduced.


Usage Guidelines

Only two options, arp and classify, have hits counters that the clear asp table command clears.

Examples

The following example clears all drop statistics:

hostname# clear asp table
Warning: hits counters in asp arp and classify tables are cleared, which might impact the hits statistic of other modules and output of other "show" commands!
hostname#clear asp table arp
Warning: hits counters in asp arp table are cleared, which might impact the hits statistic of other modules and output of other "show" commands!
hostname#clear asp table classify
Warning: hits counters in classify tables are cleared, which might impact the hits statistic of other modules and output of other "show" commands!
hostname(config)# clear asp table
Warning: hits counters in asp tables are cleared, which might impact the hits statistics of other modules and output of other "show" commands!
hostname# sh asp table arp

Context: single_vf, Interface: inside
  10.1.1.11 Active 00e0.8146.5212 hits 0

Context: single_vf, Interface: identity
  :: Active 0000.0000.0000 hits 0
  0.0.0.0 Active 0000.0000.0000 hits 0

Related Commands

Command
Description

show asp table arp

Shows the contents of the accelerated security path, which might help you troubleshoot a problem.


clear blocks

To reset the packet buffer counters such as the low watermark and history information, use the clear blocks command in privileged EXEC mode.

clear blocks

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Resets the low watermark counters to the current available blocks in each pool. Also clears the history information stored during the last buffer allocation failure.

Examples

The following example clears the blocks:

hostname# clear blocks

Related Commands

Command
Description

blocks

Increases the memory assigned to block diagnostics

show blocks

Shows the system buffer utilization.


clear capture

To clear the capture buffer, use the clear capture capture_name command.

clear capture capture_name

Syntax Description

capture_name

Name of the packet capture.


Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Privileged Mode | · | · | · | · | ·


Command History

Release
Modification

2.2(1)

Support for this command was introduced on the security appliance.


Usage Guidelines

The shortened forms of the clear capture command (for example, cl cap or clear cap) are not supported, to prevent accidental destruction of all the packet captures.

Examples

This example shows how to clear the capture buffer for the capture buffer "trudy":

hostname(config)# clear capture trudy

Related Commands

Command
Description

capture

Enables packet capture capabilities for packet sniffing and network fault isolation.

show capture

Displays the capture configuration when no options are specified.


clear configure

To clear the running configuration, use the clear configure command in global configuration mode.

clear configure {primary | secondary | all | command}

Syntax Description

command

Clears the configuration for a specified command. For more information, see individual entries in this guide for each clear configure command command.

primary

Clears commands related to connectivity, including the following commands:

tftp-server

shun

route

ip address

mtu

failover

monitor-interface

boot

secondary

Clears commands that are not related to connectivity (the connectivity-related commands are cleared using the primary keyword).

all

Clears the entire running configuration.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

When you enter this command in a security context, you clear only the context configuration. If you enter this command in the system execution space, you clear the system running configuration as well as all context running configurations. Because you cleared all context entries in the system configuration (see the context command), the contexts are no longer running, and you cannot change to a context execution space.

Before clearing the configuration, make sure you save any changes to the boot config command (which specifies the startup configuration location) to the startup configuration; if you changed the startup configuration location only in the running configuration, then when you restart, the configuration loads from the default location.

Examples

The following example clears the entire running configuration:

hostname(config)# clear configure all

Related Commands

Command
Description

configure http

Merges a configuration file from the specified HTTP(S) URL with the running configuration.

configure memory

Merges the startup configuration with the running configuration.

configure net

Merges a configuration file from the specified TFTP URL with the running configuration.

configure factory-default

Adds commands you enter at the CLI to the running configuration.

show running-config

Shows the running configuration.


clear configure aaa

To clear the aaa configuration, use the clear configure aaa command in global configuration mode. The clear configure aaa command removes the AAA command statements from the configuration.

clear configure aaa

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was modified for consistency within the CLI.


Usage Guidelines

This command also resets the AAA parameters to their default values, if any.

There is no undo.

Examples

hostname(config)# clear configure aaa

Related Commands

Command
Description

aaa accounting

Enable, disable, or view the keeping of records about which network services a user has accessed.

aaa authentication

Enable or view LOCAL, TACACS+, or RADIUS user authentication, on a server designated by the aaa-server command, or ASDM user authentication.

aaa authorization

Enable or disable user authorization for a LOCAL or a TACACS+ server designated by the aaa-server command, or for ASDM user authentication.

show running-config aaa

Display the AAA configuration.


clear configure aaa-server

To remove all AAA server groups or to clear the specified group, use the clear configure aaa-server command in global configuration mode.

clear configure aaa-server [server-tag]

clear configure aaa-server [server-tag] host server-ip

Syntax Description

server-ip

The IP address of the AAA server.

server-tag

(Optional) Symbolic name of the server group to be cleared.


Defaults

Remove all AAA server groups.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

You can specify a particular AAA server group or, by default, all AAA server groups.

Use the host keyword to specify a particular server within a server group.

This command also resets the AAA server parameters to their default values, if any.

Examples

hostname(config)# aaa-server svrgrp1 protocol sdi
hostname(config)# aaa-server svrgrp1 host 1.2.3.4
hostname(config-aaa-server)# timeout 9
hostname(config-aaa-server)# retry 7
hostname(config-aaa-server)# sdi-version sdi-5
hostname(config-aaa-server)# exit

Given the preceding configuration, the following command shows how to remove a specific server from a group:

hostname(config)# clear config aaa-server svrgrp1 host 1.2.3.4

The following command shows how to remove a server group:

hostname(config)# clear config aaa-server svrgrp1

The following command shows how to remove all server groups:

hostname(config)# clear config aaa-server

Related Commands

Command
Description

aaa-server host

Specifies and manages host-specific AAA server connection data.

aaa-server protocol

Allows you to configure AAA server parameters that are group-specific and common to all hosts.

show running-config aaa

Display the current maximum number of concurrent proxy connections allowed per user, along with other AAA configuration values.


clear configure access-group

To remove access groups from all the interfaces, use the clear configure access-group command.

clear configure access-group

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

Added keyword configure.


Examples

The following example shows how to remove all access groups:

hostname(config)# clear configure access-group

Related Commands

Command
Description

access-group

Binds an access list to an interface.

show running-config access-group

Displays the current access group configuration.


clear configure access-list

To clear an access list from the running configuration, use the clear configure access-list command in global configuration mode.

clear configure access-list [id]

Syntax Description

id

(Optional) Name or number of an access list.


Defaults

All the access lists are cleared from the running configuration.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The clear configure access-list command automatically unbinds an access list from a crypto map command or interface. The unbinding of an access list from a crypto map command can lead to a condition that discards all packets because the crypto map commands referencing the access list are incomplete. To correct the condition, either define other access-list commands to complete the crypto map commands or remove the crypto map commands that pertain to the access-list command. Refer to the crypto map client command for more information.

Examples

This example shows how to clear the access lists from the running configuration:

hostname(config)# clear configure access-list
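
Because clearing an access list silently unbinds it from interfaces and crypto maps, it helps to list those references in a saved copy of the running configuration before entering the command. The following pre-change check is an added example, not part of the Cisco reference; the sample configuration, ACL names, and function names are constructed for illustration.

```python
import re

# Constructed sample running configuration; all names and addresses are illustrative.
SAMPLE_CONFIG = """\
access-list alert-interval 300
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list VPN_BRANCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list UNUSED extended permit ip any any
access-group OUTSIDE_IN in interface outside
crypto map OUTSIDE_MAP 10 match address VPN_BRANCH
crypto map OUTSIDE_MAP 10 set peer 198.51.100.7
crypto map OUTSIDE_MAP interface outside
"""

# "access-list" keywords that set global options rather than naming an ACL.
NON_ACL_KEYWORDS = {"alert-interval", "deny-flow-max"}

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+\S+")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")
CRYPTO_RE = re.compile(r"^crypto\s+map\s+(\S+)\s+(\d+)\s+match\s+address\s+(\S+)")


def parse_references(config_text):
    """Return (acl_names, interface_bindings, crypto_map_bindings)."""
    acls, groups, crypto = set(), [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            if m.group(1) not in NON_ACL_KEYWORDS:
                acls.add(m.group(1))
            continue
        m = GROUP_RE.match(line)
        if m:
            # (interface, direction, acl)
            groups.append((m.group(3), m.group(2), m.group(1)))
            continue
        m = CRYPTO_RE.match(line)
        if m:
            # (crypto map name, sequence number, acl)
            crypto.append((m.group(1), int(m.group(2)), m.group(3)))
    return acls, groups, crypto


def clear_acl_impact(config_text, acl_id=None):
    """Predict what 'clear configure access-list [id]' would unbind.

    acl_id=None mirrors the command's default of clearing every access list.
    """
    acls, groups, crypto = parse_references(config_text)
    targets = acls if acl_id is None else acls & {acl_id}
    return {
        "cleared": sorted(targets),
        # Interfaces that lose their access-group binding.
        "unbound_interfaces": sorted(g for g in groups if g[2] in targets),
        # Crypto map entries left without a match address (incomplete).
        "incomplete_crypto_maps": sorted(c for c in crypto if c[2] in targets),
    }


if __name__ == "__main__":
    for acl in (None, "VPN_BRANCH", "UNUSED"):
        impact = clear_acl_impact(SAMPLE_CONFIG, acl)
        print("clear configure access-list", acl or "")
        for iface, direction, name in impact["unbound_interfaces"]:
            print(f"  interface {iface} ({direction}) loses {name}")
        for cmap, seq, name in impact["incomplete_crypto_maps"]:
            print(f"  crypto map {cmap} {seq} becomes incomplete (was matching {name})")
```

Any entry reported under incomplete_crypto_maps needs a replacement access-list or removal of the crypto map entry, as described in the usage guidelines.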

Related Commands

Command
Description

access-list extended

Adds an access list to the configuration and configures policy for IP traffic through the firewall.

access-list standard

Adds an access list to identify the destination IP addresses of OSPF routes, which can be used in a route map for OSPF redistribution.

clear access-list

Clears access list counters.

show access-list

Displays counters for an access list.

show running-config access-list

Displays the access list configuration running on the security appliance.


clear configure alias

To remove all alias commands from the configuration, use the clear configure alias command in global configuration mode.

clear configure alias

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

This example shows how to remove all alias commands from the configuration:

hostname(config)# clear configure alias

Related Commands

Command
Description

alias

Translates one address into another.

show running-config alias

Displays the overlapping addresses with dual NAT commands in the configuration.


clear configure arp-inspection

To clear the ARP inspection configuration, use the clear configure arp-inspection command in global configuration mode.

clear configure arp-inspection

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example clears the ARP inspection configuration:

hostname# clear configure arp-inspection

Related Commands

Command
Description

arp

Adds a static ARP entry.

arp-inspection

For transparent firewall mode, inspects ARP packets to prevent ARP spoofing.

firewall transparent

Sets the firewall mode to transparent.

show arp statistics

Shows ARP statistics.

show running-config arp

Shows the current configuration of the ARP timeout.


clear configure asdm

To remove all asdm commands from the running configuration, use the clear configure asdm command in global configuration mode.

clear configure asdm [location | group | image]

Syntax Description

group

(Optional) Clears only the asdm group commands from the running configuration.

image

(Optional) Clears only the asdm image command from the running configuration.

location

(Optional) Clears only the asdm location commands from the running configuration.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was changed from the clear pdm command to the clear configure asdm command.


Usage Guidelines

To view the asdm commands in the running configuration, use the show running-config asdm command.

Clearing the asdm image command from the configuration disables ASDM access. Clearing the asdm location and asdm group commands from the configuration causes ASDM to regenerate those commands the next time ASDM is accessed, but may disrupt active ASDM sessions.


Note: On security appliances running in multiple context mode, the clear configure asdm image command is only available in the system execution space, while the clear configure asdm group and clear configure asdm location commands are only available in the user contexts.


Examples

The following example clears the asdm group commands from the running configuration:

hostname(config)# clear configure asdm group
hostname(config)#

Related Commands

Command
Description

asdm group

Used by ASDM to associate object group names with interfaces.

asdm image

Specifies the ASDM image file.

asdm location

Used by ASDM to record IP address to interface associations.

show running-config asdm

Displays the asdm commands in the running configuration.


clear configure auth-prompt

To remove the previously specified authentication prompt challenge text and revert to the default value, if any, use the clear configure auth-prompt command in global configuration mode.

clear configure auth-prompt

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was modified to conform with CLI standards.


Usage Guidelines

After you clear the authentication prompt, the prompt users see when they log in depends on the protocol they use:

Users who log in using HTTP see HTTP Authentication.

Users who log in using FTP see FTP Authentication.

Users who log in using Telnet see no prompt.

Examples

This example shows how to clear the auth-prompt:

hostname(config)# clear configure auth-prompt

Related Commands

auth-prompt

Sets the user authorization prompts.

show running-config auth-prompt

Displays the user authorization prompts.


clear configure banner

To remove all the banners, use the clear configure banner command in global configuration mode.

clear configure banner

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

2.2(1)

This command was introduced.


Examples

This example shows how to clear banners:

hostname(config)# clear configure banner

Related Commands

Command
Description

banner

Configures the session, login, or message-of-the-day banner.

show running-config banner

Displays all banners.


clear configure ca certificate map

To remove all certificate map entries or to remove a specified certificate map entry, use the clear configure ca certificate map command in global configuration mode.

clear configure ca certificate map [sequence-number]

Syntax Description

sequence-number

(Optional) Specifies a number for the certificate map rule you are removing. The range is 1 through 65535.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

 


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example removes all certificate map entries:

hostname(config)# clear configure ca certificate map
hostname(config)#

Related Commands

Command
Description

crypto ca certificate map

Enters CA certificate map mode.



clear configure class-map

To remove all class maps, use the clear configure class-map command in global configuration mode.

clear configure class-map

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

Added keyword configure.


Usage Guidelines

To clear the class map for a specific class map name, use the no form of the class-map command.

Examples

The following example shows how to clear all configured class-maps:

hostname(config)# clear configure class-map


Related Commands

Command
Description

class-map

Applies a traffic class to an interface.

show running-config class-map

Displays the information about the class map configuration.


clear configure clock

To clear the clock configuration, use the clear configure clock command in global configuration mode.

clear configure clock

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was changed from clear clock.


Usage Guidelines

This command clears all clock configuration commands. The clock set command is not a configuration command, so this command does not reset the clock. To reset the clock, you need to set a new time for the clock set command.

Examples

The following example clears all clock commands:

hostname# clear configure clock

Related Commands

Command
Description

clock set

Manually sets the time.

clock summer-time

Sets the date range to show daylight savings time.

clock timezone

Sets the time zone.


clear configure command-alias

To remove all non-default command aliases, use the clear configure command-alias command in global configuration mode.

clear configure command-alias

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

The following example shows how to remove all non-default command aliases:

hostname(config)# clear configure command-alias

Related Commands

Command
Description

command-alias

Creates a command alias.

show running-config command-alias

Displays all non-default command aliases.


clear configure console

To reset the console connection settings to defaults, use the clear configure console command in global configuration mode.

clear configure console

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to reset the console connection settings to defaults:

hostname(config)# clear configure console

Related Commands

Command
Description

console timeout

Sets the idle timeout for a console connection to the security appliance.

show running-config console timeout

Displays the idle timeout for a console connection to the security appliance.


clear configure context

To clear all context configurations in the system configuration, use the clear configure context command in global configuration mode.

clear configure context [noconfirm]

Syntax Description

noconfirm

(Optional) Removes all contexts without prompting you for confirmation. This option is useful for automated scripts.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

This command lets you remove all contexts, including the admin context. The admin context cannot be removed using the no context command, but can be removed using the clear configure context command.

Examples

The following example removes all contexts from the system configuration, and does not confirm the deletion:

hostname(config)# clear configure context noconfirm
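
Since the noconfirm form runs without a prompt, command auditing is the main record that a clear was issued. The following detection sketch is an added example, not part of the Cisco reference: it assumes command execution is logged as syslog message 111008, that the command text is logged as typed (so the abbreviated clear config form used elsewhere in this chapter must also match), and that the triage tiers are this example's own; the log lines are constructed.

```python
import re

# Constructed syslog lines in the 111008 "User ... executed the ... command" format.
SAMPLE_LOG = """\
Mar 03 2006 10:14:02: %ASA-5-111008: User 'enable_15' executed the 'show running-config aaa' command.
Mar 03 2006 10:15:40: %ASA-5-111008: User 'netops' executed the 'clear config aaa-server svrgrp1 host 1.2.3.4' command.
Mar 03 2006 10:16:11: %ASA-5-111008: User 'netops' executed the 'clear configure context noconfirm' command.
Mar 03 2006 10:17:55: %ASA-5-111008: User 'enable_15' executed the 'clear configure all' command.
Mar 03 2006 10:18:20: %ASA-5-111008: User 'enable_15' executed the 'clear access-list' command.
"""

EVENT_RE = re.compile(
    r"%(?:ASA|PIX)-5-111008: User '([^']*)' executed the '([^']*)' command"
)
# Matches both "clear configure ..." and the abbreviated "clear config ...".
CLEAR_RE = re.compile(r"^clear\s+config(?:ure)?\s+(\S+)\s*(.*)$")

# Illustrative triage tiers (an assumption of this example, not Cisco guidance).
# "all" wipes the running configuration; "context" removes every context,
# including the admin context.
CRITICAL = {"all", "context"}
HIGH = {"aaa", "aaa-server", "access-group", "access-list", "crypto"}


def find_config_clears(log_text):
    """Return one finding per logged 'clear configure' command."""
    findings = []
    for line in log_text.splitlines():
        event = EVENT_RE.search(line)
        if not event:
            continue
        user, command = event.group(1), event.group(2).strip()
        clear = CLEAR_RE.match(command)
        if not clear:
            # e.g. "clear access-list" only resets counters, so it is skipped.
            continue
        target, args = clear.group(1), clear.group(2).split()
        if target in CRITICAL:
            tier = "critical"
        elif target in HIGH:
            tier = "high"
        else:
            tier = "review"
        findings.append({
            "user": user,
            "command": command,
            "target": target,
            "tier": tier,
            "noconfirm": "noconfirm" in args,
        })
    return findings


if __name__ == "__main__":
    for f in find_config_clears(SAMPLE_LOG):
        flag = " (no confirmation prompt)" if f["noconfirm"] else ""
        print(f"[{f['tier']}] {f['user']}: {f['command']}{flag}")
```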

Related Commands

Command
Description

admin-context

Sets the admin context.

changeto

Changes between contexts or the system execution space.

context

Creates a security context in the system configuration and enters context configuration mode.

mode

Sets the context mode to single or multiple.

show context

Shows a list of contexts (system execution space) or information about the current context.


clear configure crypto

To remove the entire crypto configuration, including IPSec, crypto maps, dynamic crypto maps, CA trustpoints, all certificates, certificate map configurations, and ISAKMP, use the clear configure crypto command in global configuration mode. To remove specific configurations, use this command with keywords as shown in the syntax. Use caution with this command.

clear configure crypto [ca | dynamic-map | ipsec | isakmp | map]

Syntax Description

ca

Removes certification authority policy.

dynamic-map

Removes dynamic crypto map configuration.

ipsec

Removes IPSec configuration.

isakmp

Removes ISAKMP configuration.

map

Removes crypto map configuration.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example, issued in global configuration mode, removes all of the crypto configuration from the security appliance:

hostname(config)# clear configure crypto
hostname(config)# 

Related Commands

Command
Description

clear configure crypto dynamic-map

Clears all or specified crypto dynamic maps from the configuration.

clear configure crypto map

Clears all or specified crypto maps from the configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

show running-config crypto

Displays the entire crypto configuration, including IPSec, crypto maps, dynamic crypto maps, and ISAKMP.


clear configure crypto ca trustpoint

To remove all trustpoints from the configuration, use the clear configure crypto ca trustpoint command in global configuration mode.

clear configure crypto ca trustpoint

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example, entered in global configuration mode, removes all trustpoints from the configuration:

hostname(config)# clear configure crypto ca trustpoint
hostname(config)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters the trustpoint subconfiguration level for the indicated trustpoint.


clear configure crypto dynamic-map

To remove all or specified crypto dynamic maps from the configuration, use the clear configure crypto dynamic-map command in global configuration mode.

clear configure crypto dynamic-map dynamic-map-name dynamic-seq-num

Syntax Description

dynamic-map-name

Specifies the name of a specific crypto dynamic map.

dynamic-seq-num

Specifies the sequence number of the crypto dynamic map.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example, entered in global configuration mode, removes the crypto dynamic map mymaps with sequence number 3 from the configuration:

hostname(config)# clear configure crypto dynamic-map mymaps 3
hostname(config)# 

Related Commands

Command
Description

clear configure crypto map

Clears the configuration of all or specified crypto maps.

Displays all the active configuration for all dynamic crypto maps.

show running-config crypto map

Displays all the active configuration for all crypto maps.


clear configure crypto map

To remove all or specified crypto maps from the configuration, use the clear configure crypto map command in global configuration mode.

clear configure crypto map map-name seq-num

Syntax Description

map-name

Specifies the name of a specific crypto map.

seq-num

Specifies the sequence number of the crypto map.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example, entered in global configuration mode, removes the crypto map mymaps with sequence number 3 from the configuration:

hostname(config)# clear configure crypto map mymaps 3
hostname(config)# 

Related Commands

Command
Description

clear configure crypto dynamic-map

Clears the configuration of all or specified crypto dynamic maps.

crypto map interface

Applies a crypto map to an interface.

show running-config crypto map

Displays the active configuration for all crypto maps.

 

Displays the active configuration for all dynamic crypto maps.


clear configure dhcpd

To clear all of the DHCP server commands, binding, and statistics, use the clear configure dhcpd command in global configuration mode.

clear configure dhcpd

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was changed from clear dhcpd to clear configure dhcpd.


Usage Guidelines

The clear configure dhcpd command clears all of the dhcpd commands, bindings, and statistical information. To clear only the statistic counters or binding information, use the clear dhcpd command.

Examples

The following example shows how to clear all dhcpd commands:

hostname(config)# clear configure dhcpd

Related Commands

Command
Description

clear dhcpd

Clears the DHCP server bindings and statistic counters.

show running-config dhcpd

Displays the current DHCP server configuration.


clear configure dhcprelay

To clear all of the DHCP relay configuration, use the clear configure dhcprelay command in global configuration mode.

clear configure dhcprelay

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was changed from clear dhcprelay to clear configure dhcprelay.


Usage Guidelines

The clear configure dhcprelay command clears the DHCP relay statistics and configuration. To clear only the DHCP statistic counters, use the clear dhcprelay statistics command.

Examples

The following example shows how to clear the DHCP relay configuration:

hostname(config)# clear configure dhcprelay

Related Commands

Command
Description

clear dhcprelay statistics

Clears the DHCP relay agent statistic counters.

debug dhcprelay

Displays debug information for the DHCP relay agent.

show dhcprelay statistics

Displays DHCP relay agent statistic information.

show running-config dhcprelay

Displays the current DHCP relay agent configuration.


clear configure dns

To clear all DNS commands, use the clear configure dns command in global configuration mode.

clear configure dns

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example clears all DNS commands:

hostname(config)# clear configure dns

Related Commands

Command
Description

show running-config dns-server-group

Shows the currently running DNS configuration.


clear configure established

To remove all established commands, use the clear configure established command in global configuration mode.

clear configure established

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

The keyword configure was added.


Usage Guidelines

To remove an established connection created by the established command, enter the clear xlate command.

Examples

This example shows how to remove established commands:

hostname(config)# clear configure established

Related Commands

Command
Description

established

Permits return connections on ports that are based on an established connection.

show running-config established

Displays the allowed inbound connections that are based on established connections.

clear xlate

Clears the current translation and connection slot information.


clear configure failover

To remove failover commands from the configuration and restore the defaults, use the clear configure failover command in global configuration mode.

clear configure failover

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

Command was changed from clear failover to clear configure failover.


Usage Guidelines

This command clears all failover commands from the running configuration and restores the defaults. If you use the all keyword with the show running-config failover command, you will see the default failover configuration.

The clear configure failover command is not available in a security context in multiple configuration mode; you must enter the command in the system execution space.

Examples

The following example clears all failover commands from the configuration:

hostname(config)# clear configure failover
hostname(config)# show running-config failover
no failover

Related Commands

Command
Description

show running-config failover

Displays the failover commands in the running configuration.


clear configure filter

To clear URL, FTP, and HTTPS filtering configuration, use the clear configure filter command in global configuration mode.

clear configure filter

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The clear configure filter command clears the URL, FTP, and HTTPS filtering configuration.

Examples

The following example clears the URL, FTP, and HTTPS filtering configuration:

hostname# clear configure filter

Related Commands

Commands
Description

filter ftp

Identifies the FTP traffic to be filtered by a URL filtering server.

filter https

Identifies the HTTPS traffic to be filtered by a Websense server.

filter url

Directs traffic to a URL filtering server.

show running-config filter

Displays the filtering configuration.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


clear configure fips

To clear the system or module FIPS configuration information stored in NVRAM, use the clear configure fips command.

clear configure fips

Syntax Description

fips

FIPS-2 compliance information


Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(4)

This command was introduced.


Examples

sw8-ASA(config)# clear configure fips

Related Commands

Command
Description

crashinfo console disable

Disables the reading, writing and configuration of crash write info to flash.

fips enable

Enables or disables policy-checking to enforce FIPS compliance on the system or module.

fips self-test poweron

Executes power-on self-tests.

show crashinfo console

Reads, writes, and configures crash write to flash.

show running-config fips

Displays the FIPS configuration that is running on the security appliance.


clear configure firewall

To set the firewall mode to the default routed mode, use the clear configure firewall command in global configuration mode.

clear configure firewall

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example sets the firewall mode to the default:

hostname(config)# clear configure firewall

Related Commands

Command
Description

arp

Adds a static ARP entry.

firewall transparent

Sets the firewall mode to transparent.

show arp statistics

Shows ARP statistics.

show running-config arp

Shows the current configuration of the ARP timeout.


clear configure fixup

To clear the fixup configuration, use the clear configure fixup command in global configuration mode.

clear configure fixup

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

·

·

·

·

·


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The clear configure fixup command removes the fixup configuration.

Examples

The following example clears the fixup configuration:

hostname# clear configure fixup

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

policy-map

Associates a class map with specific security actions.


clear configure fragment

To reset all the IP fragment reassembly configurations to defaults, use the clear configure fragment command in global configuration mode.

clear configure fragment [interface]

Syntax Description

interface

(Optional) Specifies the security appliance interface.


Defaults

If an interface is not specified, the command applies to all interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

The configure keyword and optional interface argument were added. The command was also separated into two commands, clear fragment and clear configure fragment, to separate clearing of the configuration data from the operational data.


Usage Guidelines

The clear configure fragment command resets all the IP fragment reassembly configurations to defaults. In addition, the chain, size, and timeout keywords are reset to their default values, which are as follows:

chain is 24 packets

size is 200

timeout is 5 seconds

Examples

This example shows how to reset all the IP fragment reassembly configurations to defaults:

hostname(config)# clear configure fragment

Related Commands

Command
Description

clear fragment

Clears the operational data of the IP fragment reassembly module.

fragment

Provides additional management of packet fragmentation and improves compatibility with NFS.

show fragment

Displays the operational data of the IP fragment reassembly module.

show running-config fragment

Displays the IP fragment reassembly configuration.


clear configure ftp

To clear the FTP configuration, use the clear configure ftp command in global configuration mode.

clear configure ftp

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The clear configure ftp command clears the FTP configuration.

Examples

The following example clears the FTP configuration:

hostname# clear configure ftp

Related Commands

Commands
Description

filter ftp

Identifies the FTP traffic to be filtered by a URL filtering server.

filter https

Identifies the HTTPS traffic to be filtered by a Websense server.

filter url

Directs traffic to a URL filtering server.

show running-config filter

Displays the filtering configuration.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


clear configure ftp-map

To clear the FTP map configuration, use the clear configure ftp-map command in global configuration mode.

clear configure ftp-map

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The clear configure ftp-map command removes the FTP map configuration.

Examples

The following example clears the FTP map configuration:

hostname# clear configure ftp-map

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

ftp-map

Defines an FTP map and enables FTP map configuration mode.

inspect ftp

Applies a specific FTP map to use for application inspection.

request-command deny

Specifies FTP commands to disallow.


clear configure global

To remove the global commands from the configuration, use the clear configure global command in global configuration mode.

clear configure global

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

Added keyword configure.


Examples

The following example shows how to remove the global commands from the configuration:

hostname(config)# clear configure global

Related Commands

Command
Description

global

Creates entries from a pool of global addresses.

show running-config global

Displays the global commands in the configuration.


clear configure group-policy

To remove the configuration for a particular group policy, use the clear configure group-policy command in global configuration mode, and append the name of the group policy. To remove all group-policy commands from the configuration except the default group policy, use this command without arguments.

clear configure group-policy [name]

Syntax Description

name

Specifies the name of the group policy.


Defaults

By default, this command removes all group-policy commands from the configuration, except the default group policy.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to clear the configuration for the group policy named FirstGroup.

hostname(config)# clear configure group-policy FirstGroup

Related Commands

Command
Description

group-policy

Creates, edits, or removes a group policy.

group-policy attributes

Enters group-policy attributes mode, which lets you configure AVPs for a specified group policy.

show running-config group-policy

Displays the running configuration for a particular group policy or for all group policies.


clear configure gtp-map

To clear GTP map configuration, use the clear configure gtp-map command in global configuration mode.

clear configure gtp-map

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The clear configure gtp-map command removes the GTP map configuration.

Examples

The following example clears GTP map configuration:

hostname# clear configure gtp-map

Related Commands

Commands
Description

clear service-policy inspect gtp

Clears global GTP statistics.

debug gtp

Displays detailed information about GTP inspection.

gtp-map

Defines a GTP map and enables GTP map configuration mode.

inspect gtp

Applies a specific GTP map to use for application inspection.

show service-policy inspect gtp

Displays the GTP configuration.


clear configure http

To disable the HTTP server and to remove configured hosts that can access the HTTP server, use the clear configure http command in global configuration mode.

clear configure http

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to clear the HTTP configuration.

hostname(config)# clear configure http

Related Commands

Command
Description

http

Specifies hosts that can access the HTTP server by IP address and subnet mask. Specifies the security appliance interface through which the host accesses the HTTP server.

http authentication-certificate

Requires authentication via certificate from users who are establishing HTTPS connections to the security appliance.

http redirect

Specifies that the security appliance redirect HTTP connections to HTTPS.

http server enable

Enables the HTTP server.

show running-config http

Displays the hosts that can access the HTTP server, and whether or not the HTTP server is enabled.


clear configure http-map

To clear HTTP map configuration, use the clear configure http-map command in global configuration mode.

clear configure http-map

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

·

·

·

·

·


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The clear configure http-map command removes the HTTP map configuration.

Examples

The following example clears the HTTP map configuration:

hostname# clear configure http-map

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug http-map

Displays detailed information about traffic associated with an HTTP map.

http-map

Defines an HTTP map for configuring enhanced HTTP inspection.

inspect http

Applies a specific HTTP map to use for application inspection.

policy-map

Associates a class map with specific security actions.


clear configure icmp

To clear the configured access rules for ICMP traffic, use the clear configure icmp command in global configuration mode.

clear configure icmp

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The clear configure icmp command clears the configured access rules for ICMP traffic.

Examples

The following example clears the configured access rules for ICMP traffic:

hostname# clear configure icmp

Related Commands

Commands
Description

clear configure icmp

Clears the ICMP configuration.

debug icmp

Enables the display of debug information for ICMP.

show icmp

Displays ICMP configuration.

timeout icmp

Configures the idle timeout for ICMP.


clear configure imap4s

To remove all IMAP4S commands from the configuration, reverting to default values, use the clear configure imap4s command in global configuration mode.

clear configure imap4s

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to remove the IMAP4S configuration:

hostname(config)# clear configure imap4s
hostname(config)# 

Related Commands

Command
Description

show running-config imap4s

Displays the running configuration for IMAP4S.

imap4s

Creates or edits an IMAP4S e-mail proxy configuration.


clear configure interface

To clear the interface configuration, use the clear configure interface command in global configuration mode.

clear configure interface [physical_interface[.subinterface] | mapped_name | interface_name]

Syntax Description

interface_name

(Optional) Identifies the interface name set with the nameif command.

mapped_name

(Optional) In multiple context mode, identifies the mapped name if it was assigned using the allocate-interface command.

physical_interface

(Optional) Identifies the interface ID, such as gigabitethernet0/1. See the interface command for accepted values.

subinterface

(Optional) Identifies an integer between 1 and 4294967293 designating a logical subinterface.


Defaults

If you do not specify an interface, the security appliance clears all interface configuration.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was changed from clear interface. This command was also modified to include the new interface numbering scheme.


Usage Guidelines

When you clear the interface configuration for main physical interfaces, the security appliance uses the default settings.

You cannot use the interface name in the system execution space, because the nameif command is only available within a context. Similarly, if you mapped the interface ID to a mapped name using the allocate-interface command, you can only use the mapped name in a context.

Examples

The following example clears the GigabitEthernet0/1 configuration:

hostname(config)# clear configure interface gigabitethernet0/1

The following example clears the inside interface configuration:

hostname(config)# clear configure interface inside

The following example clears the int1 interface configuration in a context. "int1" is a mapped name.

hostname/contexta(config)# clear configure interface int1

The following example clears all interface configuration.

hostname(config)# clear configure interface

Related Commands

Command
Description

allocate-interface

Assigns interfaces and subinterfaces to a security context.

clear interface

Clears counters for the show interface command.

interface

Configures an interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.


clear configure ip

To clear all IP addresses set by the ip address command, use the clear configure ip command in global configuration mode.

clear configure ip

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

Support for this command was introduced.


Usage Guidelines

In transparent firewall mode, this command clears the management IP address.

If you want to stop all current connections that use the old IP addresses, enter the clear xlate command. Otherwise, the connections time out as usual.

Examples

The following example clears all IP addresses:

hostname(config)# clear configure ip

Related Commands

Command
Description

allocate-interface

Assigns interfaces and subinterfaces to a security context.

clear configure interface

Clears all configuration for an interface.

interface

Configures an interface and enters interface configuration mode.

ip address

Sets the IP address for the interface.

show running-config interface

Displays the interface configuration.


clear configure ip audit

To clear the entire audit policy configuration, use the clear configure ip audit command in global configuration mode.

clear configure ip audit [configuration]

Syntax Description

configuration

(Optional) You can enter this keyword, but the effect is the same without it.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was changed from clear ip audit.


Examples

The following example clears all ip audit commands:

hostname# clear configure ip audit

Related Commands

Command
Description

ip audit attack

Sets the default actions for packets that match an attack signature.

ip audit info

Sets the default actions for packets that match an informational signature.

ip audit interface

Assigns an audit policy to an interface.

ip audit name

Creates a named audit policy that identifies the actions to take when a packet matches an attack signature or an informational signature.

ip audit signature

Disables a signature.


clear configure ip local pool

To remove IP address pools, use the clear configure ip local pool command in global configuration mode.

clear configure ip local pool [poolname]

Syntax Description

poolname

(Optional) Specifies the name of the IP address pool.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example removes all IP address pools from the running configuration:

hostname(config)# clear config ip local pool
hostname(config)# 

Related Commands

Command
Description

clear configure ip local pool

Removes all ip local pools.

ip local pool

Configures an IP address pool.


clear configure ip verify reverse-path

To clear the ip verify reverse-path configuration, use the clear configure ip verify reverse-path command in global configuration mode.

clear configure ip verify reverse-path

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was changed from clear ip verify reverse-path.


Examples

The following example clears the ip verify reverse-path configuration for all interfaces:

hostname(config)# clear configure ip verify reverse-path

Related Commands

Command
Description

clear ip verify statistics

Clears the Unicast RPF statistics.

ip verify reverse-path

Enables the Unicast Reverse Path Forwarding feature to prevent IP spoofing.

show ip verify statistics

Shows the Unicast RPF statistics.

show running-config ip verify reverse-path

Shows the ip verify reverse-path configuration.


clear configure ipv6

To clear the global IPv6 commands from the running configuration, use the clear configure ipv6 command in global configuration mode.

clear configure ipv6 [route | access-list]

Syntax Description

route

(Optional) Clears the commands that statically define routes in the IPv6 routing table from the running configuration.

access-list

(Optional) Clears the IPv6 access list commands from the running configuration.


Defaults

Without keywords, this command clears all IPv6 commands from the running configuration.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

This command only clears the global IPv6 commands from the running configuration; it does not clear the IPv6 commands entered in interface configuration mode.

Examples

The following example shows how to clear statically defined IPv6 routes from the IPv6 routing table:

hostname(config)# clear configure ipv6 route
hostname(config)#

Related Commands

Command
Description

ipv6 route

Defines a static route in the IPv6 routing table.

show ipv6 route

Displays the contents of the IPv6 routing table.

show running-config ipv6

Displays the IPv6 commands in the running configuration.


clear configure isakmp

To remove all of the ISAKMP configuration, use the clear configure isakmp command in global configuration mode.

clear configure isakmp

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example, issued in global configuration mode, removes all of the ISAKMP configuration from the security appliance:

hostname(config)# clear configure isakmp
hostname(config)# 

Related Commands

Command
Description

clear configure isakmp policy

Clears all ISAKMP policy configuration.

isakmp enable

Enables ISAKMP negotiation on the interface on which the IPSec peer communicates with the security appliance.

show isakmp stats

Displays runtime statistics.

show isakmp sa

Displays IKE runtime SA database with additional information.

show running-config isakmp

Displays all the active configuration.


clear configure isakmp policy

To remove all of the ISAKMP policy configuration, use the clear configure isakmp policy command in global configuration mode.

clear configure isakmp policy priority

Syntax Description

priority

Specifies the priority of the ISAKMP policy to be cleared.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example removes the ISAKMP policy with priority 3 from the configuration:

hostname(config)# clear configure isakmp policy 3
hostname(config)# 

Related Commands

Command
Description

isakmp enable

Enables ISAKMP negotiation on the interface on which the IPSec peer communicates with the security appliance.

show isakmp stats

Displays runtime statistics.

show isakmp sa

Displays IKE runtime SA database with additional information.

show running-config isakmp

Displays all the active configuration.


clear configure logging

To clear the logging configuration, use the clear configure logging command in global configuration mode.

clear configure logging [disabled | level | rate-limit]

Syntax Description

disabled

(Optional) Indicates that all disabled system log messages should be re-enabled. When you use this option, no other logging configuration is cleared.

level

(Optional) Indicates that the severity level assignments for system log messages should be reset to their default values. When you use this option, no other logging configuration is cleared.

rate-limit

(Optional) Resets the logging rate limit.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.

7.0(4)

The rate-limit keyword was introduced.


Usage Guidelines

You can use the show running-config logging command to view all logging configuration. If you use the clear configure logging command without either the disabled or level keyword, all logging configuration is cleared.

Examples

The following example shows how to clear logging configuration. The output of the show logging command indicates that all logging features are disabled.

hostname(config)# clear configure logging
hostname(config)# show logging
Syslog logging: disabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
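
A post-change check built on the show logging output above, as an added example that is not part of the Cisco reference: it parses the status lines and reports which logging destinations are disabled. The function names, the list of required destinations and the second sample output are assumptions constructed for illustration; the first sample is the output shown above.

```python
"""Audit `show logging` output from a security appliance for disabled logging."""

# Output from the example above (state after `clear configure logging`).
CLEARED_OUTPUT = """\
hostname(config)# show logging
Syslog logging: disabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
"""

# Constructed sample (an assumption, not taken from the reference): an
# appliance with syslog, buffer and trap logging turned on.
CONFIGURED_OUTPUT = """\
hostname(config)# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 37 messages logged
    Trap logging: level informational, 12 messages logged
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
"""

# Destinations this check insists on (a local policy assumption).
REQUIRED = ("Syslog logging", "Buffer logging", "Trap logging")


def parse_show_logging(text):
    """Return {field: value} for every 'Field: value' line.

    Prompt lines and blank lines carry no colon-separated value and are skipped.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def audit_logging(text, required=REQUIRED):
    """Return a list of (destination, problem) for required destinations
    that are disabled or absent from the output."""
    fields = parse_show_logging(text)
    findings = []
    for name in required:
        value = fields.get(name)
        if value is None:
            findings.append((name, "missing from output"))
        elif value.lower() == "disabled":
            findings.append((name, "disabled"))
    return findings


def logging_fully_disabled(text):
    """True when every '... logging' field reads 'disabled', which is the
    state the reference shows after a full `clear configure logging`."""
    states = [v.lower() for k, v in parse_show_logging(text).items()
              if k.lower().endswith(" logging")]
    return bool(states) and all(s == "disabled" for s in states)


if __name__ == "__main__":
    for label, sample in (("cleared", CLEARED_OUTPUT),
                          ("configured", CONFIGURED_OUTPUT)):
        print(label, "fully disabled:", logging_fully_disabled(sample))
        for name, problem in audit_logging(sample):
            print("  FINDING:", name, "is", problem)
```
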

Related Commands

Command
Description

show logging

Displays the enabled logging options.

show running-config logging

Displays the logging-related portion of the running configuration.


clear configure mac-address-table

To clear the mac-address-table static and mac-address-table aging-time configuration, use the clear configure mac-address-table command in global configuration mode.

clear configure mac-address-table

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example clears the mac-address-table static and mac-address-table aging-time configuration:

hostname# clear configure mac-address-table

Related Commands

Command
Description

firewall transparent

Sets the firewall mode to transparent.

mac-address-table aging-time

Sets the timeout for dynamic MAC address entries.

mac-address-table static

Adds static MAC address entries to the MAC address table.

mac-learn

Disables MAC address learning for an interface.

show mac-address-table

Shows the MAC address table, including dynamic and static entries.


clear configure mac-learn

To clear the mac-learn configuration, use the clear configure mac-learn command in global configuration mode.

clear configure mac-learn

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example clears the mac-learn configuration:

hostname# clear configure mac-learn

Related Commands

Command
Description

firewall transparent

Sets the firewall mode to transparent.

mac-address-table static

Adds static MAC address entries to the MAC address table.

mac-learn

Disables MAC address learning for an interface.

show mac-address-table

Shows the MAC address table, including dynamic and static entries.


clear configure mac-list

To remove the indicated list of MAC addresses, previously specified with the mac-list command, use the clear configure mac-list command in global configuration mode.

clear configure mac-list id

Syntax Description

id

A MAC address list name.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was modified to conform with CLI standards.


Usage Guidelines

To remove a list of MAC addresses, use the clear mac-list command.

Examples

The following example shows how to clear a MAC address list:

hostname(config)# clear configure mac-list firstmaclist

Related Commands

Command
Description

mac-list

Adds a list of MAC addresses using a first-match search.

show running-config mac-list

Displays the MAC addresses in the MAC address list indicated by the id value.


clear configure management-access

To remove the configuration of an internal interface for management access of the security appliance, use the clear configure management-access command in global configuration mode.

clear configure management-access

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

The keyword configure was added.


Usage Guidelines

The management-access command lets you define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The interface names are defined by the nameif command and displayed in quotes, " ", in the output of the show interface command.) The clear configure management-access command removes the configuration of the internal management interface specified with the management-access command.

Examples

The following example removes the configuration of an internal interface for management access of the security appliance:

hostname(config)# clear configure management-access 

Related Commands

Command
Description

management-access

Configures an internal interface for management access.

show running-config management-access

Displays the name of the internal interface configured for management access.


clear configure mgcp-map

To clear the MGCP map configuration, use the clear configure mgcp-map command in global configuration mode.

clear configure mgcp-map

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The clear configure mgcp-map command clears the MGCP map configuration.

Examples

The following example clears the MGCP map configuration:

hostname# clear configure mgcp-map

Related Commands

Commands
Description

debug mgcp

Enables MGCP debug information.

mgcp-map

Defines an MGCP map and enables MGCP map configuration mode.

show conn

Displays the connection state for different connection types.

show mgcp

Displays information about MGCP sessions established through the security appliance.

timeout

Sets the maximum idle time duration for different protocols and session types.


clear configure mroute

To remove the mroute commands from the running configuration, use the clear configure mroute command in global configuration mode.

clear configure mroute

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to remove the mroute commands from the configuration:

hostname(config)# clear configure mroute
hostname(config)#

Related Commands

Command
Description

mroute

Configures a static multicast route.

show mroute

Displays IPv4 multicast routing table.

show running-config mroute

Displays the mroute commands in the running configuration.


clear configure mtu

To clear the configured maximum transmission unit values on all interfaces, use the clear configure mtu command in global configuration mode.

clear configure mtu

Syntax Description

This command has no arguments or keywords.

Defaults

Using the clear configure mtu command sets the maximum transmission unit to the default of 1500 for all ethernet interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example clears the current maximum transmission unit values on all interfaces:

hostname(config)# clear configure mtu

Related Commands

Command
Description

mtu

Specifies the maximum transmission unit for an interface.

show running-config mtu

Displays the current maximum transmission unit block size.


clear configure multicast-routing

To remove the multicast-routing command from the running configuration, use the clear configure multicast-routing command in global configuration mode.

clear configure multicast-routing

Syntax Description

There are no keywords or arguments for this command.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The clear configure multicast-routing command removes the multicast-routing command from the running configuration. The no multicast-routing command also removes the multicast-routing command from the running configuration.

Examples

The following example shows how to remove the multicast-routing command from the running configuration:

hostname(config)# clear configure multicast-routing

Related Commands

Command
Description

multicast-routing

Enables multicast routing on the security appliance.


clear configure name

To clear the list of names from the configuration, use the clear configure name command in global configuration mode.

clear configure name

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

The keyword configure was added.


Usage Guidelines

This command has no usage guidelines.

Examples

The following example shows how to clear the name list:

hostname(config)# clear configure name

Related Commands

Command
Description

name

Associates a name with an IP address.

show running-config name

Displays the list of names associated with IP addresses.


clear configure nat

To remove the NAT configuration, use the clear configure nat command in privileged EXEC mode.

clear configure nat

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

Added keyword configure.


Usage Guidelines

The following applies to transparent firewall mode:


Note: In transparent firewall mode, only NAT id 0 is valid.


Examples

The following example shows how to remove the NAT configuration:

hostname(config)# clear configure nat

Related Commands

Command
Description

nat

Associates a network with a pool of global IP addresses.

show running-config nat

Displays a pool of global IP addresses that are associated with the network.


clear configure ntp

To clear the NTP configuration, use the clear configure ntp command in global configuration mode.

clear configure ntp

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was changed from clear ntp.


Examples

The following example clears all ntp commands:

hostname# clear configure ntp

Related Commands

Command
Description

ntp authenticate

Enables NTP authentication.

ntp authentication-key

Sets the NTP authentication key.

ntp server

Identifies an NTP server to set the time on the security appliance.

ntp trusted-key

Specifies the NTP trusted key.

show running-config ntp

Shows the NTP configuration.


clear configure object-group

To remove all the object group commands from the configuration, use the clear configure object-group command in global configuration mode.

clear configure object-group [{protocol | service | icmp-type | network}]

Syntax Description

icmp-type

(Optional) Clears all ICMP groups.

network

(Optional) Clears all network groups.

protocol

(Optional) Clears all protocol groups.

service

(Optional) Clears all service groups.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example shows how to remove all the object-group commands from the configuration:

hostname(config)# clear configure object-group

Related Commands

Command
Description

group-object

Adds network object groups.

network-object

Adds a network object to a network object group.

object-group

Defines object groups to optimize your configuration.

port-object

Adds a port object to a service object group.

show running-config object-group

Displays the current object groups.


clear configure passwd

To clear the login password configuration and restore the default setting of "cisco," use the clear configure passwd command in global configuration mode.

clear configure {passwd | password}

Syntax Description

passwd | password

You can enter either command; they are aliased to each other.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was changed from clear passwd.


Examples

The following example clears the login password and restores it to the default of "cisco":

hostname(config)# clear configure passwd

Related Commands

Command
Description

enable

Enters privileged EXEC mode.

enable password

Sets the enable password.

passwd

Sets the login password.

show curpriv

Shows the currently logged in username and the user privilege level.

show running-config passwd

Shows the login password in encrypted form.


clear configure pim

To clear all of the global pim commands from the running configuration, use the clear configure pim command in global configuration mode.

clear configure pim

Syntax Description

There are no keywords or arguments for this command.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The clear configure pim command clears all of the pim commands from the running configuration. To clear PIM traffic counters and topology information, use the clear pim counters and the clear pim topology commands.

The clear configure pim command only clears the pim commands entered in global configuration mode; it does not clear the interface-specific pim commands.

Examples

The following example shows how to clear all pim commands from the running configuration:

hostname(config)# clear configure pim

Related Commands

Command
Description

clear pim topology

Clears the PIM topology table.

clear pim counters

Clears the PIM traffic counters.

show running-config pim

Displays the pim commands in the running configuration.


clear configure policy-map

To remove the policy-map specification from the configuration, use the clear configure policy-map command in global configuration mode.

clear configure policy-map

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

This example shows the clear configure policy-map command:

hostname(config)# clear configure policy-map

Related Commands

Command
Description

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

show running-config policy-map

Displays the entire policy configuration.


clear configure pop3s

To remove all POP3S commands from the configuration, reverting to default values, use the clear configure pop3s command in global configuration mode.

clear configure pop3s

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to remove the POP3S configuration:

hostname(config)# clear configure pop3s
hostname(config)# 

Related Commands

Command
Description

show running-config pop3s

Displays the running configuration for POP3S.

pop3s

Creates or edits a POP3S e-mail proxy configuration.


clear configure port-forward

To remove a configured set of applications that WebVPN users access over forwarded TCP ports, use the clear configure port-forward command in global configuration mode. To remove all configured applications, use this command without the listname argument. To remove only the applications for a specific list, use this command with that listname.

clear configure port-forward [listname]

Syntax Description

listname

Groups the set of applications (forwarded TCP ports) WebVPN users can access. Maximum 64 characters.


Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to remove the port forwarding list called SalesGroupPorts:

hostname(config)# clear configure port-forward SalesGroupPorts

Related Commands

Command
Description

port-forward

Use this command in webvpn configuration mode to configure the set of applications that WebVPN users can access.

port-forward

Use this command in webvpn mode to enable WebVPN application access for a user or group policy.

show running-configuration port-forward

Displays the current set of configured port-forward commands.


clear configure prefix-list

To remove the prefix-list commands from the running configuration, use the clear configure prefix-list command in global configuration mode.

clear configure prefix-list [prefix-list-name]

Syntax Description

prefix-list-name

(Optional) The name of a prefix list. When a prefix list name is specified, only the commands for that prefix list are removed from the configuration.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was changed from clear prefix-list to clear configure prefix-list.


Usage Guidelines

The clear configure prefix-list command removes the prefix-list commands and the prefix-list description commands from the running configuration. If a prefix list name is specified, then the prefix-list command and prefix-list description command, if present, for that prefix list only are removed from the running configuration.

This command does not remove the no prefix-list sequence command from the running configuration.

Examples

The following example removes all prefix-list commands from the running configuration for a prefix list named MyPrefixList:

hostname# clear configure prefix-list MyPrefixList

Related Commands

Command
Description

show running-config prefix-list

Displays the prefix-list commands in the running configuration.


clear configure priority-queue

To remove the priority queue specification from the configuration, use the clear configure priority-queue command in global configuration mode.

clear configure priority-queue interface-name

Syntax Description

interface-name

Specifies the name of the interface for which you want to show the priority queue details


This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

This example shows the use of the clear configure priority-queue command to remove the priority-queue configuration on the interface named test:

hostname(config)# clear configure priority-queue test

Related Commands

Command
Description

priority-queue

Configures priority queueing on an interface.

show running-config priority-queue

Displays the current priority-queue configuration for the named interface.


clear configure privilege

To remove the configured privilege levels for commands, use the clear configure privilege command in global configuration mode.

clear configure privilege

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was modified to conform to CLI guidelines.


Usage Guidelines

There is no undo.

Examples

This example shows how to reset the configured privilege levels for the commands:

hostname(config)# clear configure privilege

Related Commands

Command
Description

privilege

Configures the command privilege levels.

show curpriv

Displays the current privilege level.

show running-config privilege

Displays privilege levels for commands.


clear configure rip

To clear the rip commands from the running configuration, use the clear configure rip command in global configuration mode.

clear configure rip

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was changed from clear rip to clear configure rip.


Usage Guidelines

The clear configure rip command removes all rip commands from the configuration. Use the no form of the commands to clear specific commands.

Examples

The following example clears all RIP commands from the running configuration:

hostname(config)# clear configure rip

Related Commands

Command
Description

debug rip

Displays debug information for RIP.

rip

Configures RIP on the specified interface.

show running-config rip

Displays the RIP commands in the running configuration.


clear configure route

To remove the route commands from the configuration that do not contain the connect keyword, use the clear configure route command in global configuration mode.

clear configure route [interface_name ip_address [netmask gateway_ip]]

Syntax Description

gateway_ip

(Optional) Specifies the IP address of the gateway router (the next hop address for this route).

interface_name

(Optional) Internal or external network interface name.

ip_address

(Optional) Internal or external network IP address.

netmask

(Optional) Specifies a network mask to apply to the ip_address.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

Added keyword configure.


Usage Guidelines

Use 0.0.0.0 to specify a default route. You can abbreviate the 0.0.0.0 IP address as 0 and the 0.0.0.0 netmask as 0.

Examples

The following example shows how to remove the route commands from the configuration that do not contain the connect keyword:

hostname(config)# clear configure route


Related Commands

Command
Description

route

Specifies a static or default route for an interface.

show route

Displays route information.

show running-config route

Displays configured routes.


clear configure route-map

To remove all of the route maps, use the clear configure route-map command in global configuration mode.

clear configure route-map

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Use the clear configure route-map command in global configuration mode to remove all route-map commands in the configuration. The route-map command is used to configure conditions of redistributing the routes from one routing protocol into another routing protocol.

To remove individual route-map commands, use the no route-map command.

Examples

The following example shows how to remove the conditions of redistributing routes from one routing protocol into another routing protocol:

hostname(config)# clear configure route-map


Related Commands

Command
Description

route-map

Defines the conditions for redistributing routes from one routing protocol into another.

show running-config route-map

Displays the information about the route map configuration.


clear configure router

To clear all router commands from the running configuration, use the clear configure router command in global configuration mode.

clear configure router [ospf id]

Syntax Description

id

The OSPF process ID.

ospf

Specifies that only OSPF commands are removed from the configuration.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was changed from the clear router command to the clear configure router command.


Examples

The following example clears all OSPF commands associated with OSPF process 1 from the running configuration:

hostname(config)# clear configure router ospf 1
hostname(config)#

Related Commands

Command
Description

show running-config router

Displays the commands in the global router configuration.


clear configure service-policy

To clear the service policy configuration for enabled policies, use the clear configure service-policy command in privileged EXEC mode.

clear configure service-policy

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | • | • | • | •


Command History

Release
Modification

PIX Version 7.0

This command was introduced.


Examples

The following is an example of the clear configure service-policy command:

hostname(config)# clear configure service-policy

Related Commands

Command
Description

show service-policy

Displays the service policy.

show running-config service-policy

Displays the service policies configured in the running configuration.

service-policy

Configures the service policy.

clear service-policy

Clears service policy statistics.


clear configure smtps

To remove all SMTPS commands from the configuration, reverting to default values, use the clear configure smtps command in global configuration mode.

clear configure smtps

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to remove the SMTPS configuration:

hostname(config)# clear configure smtps
hostname(config)# 

Related Commands

Command
Description

show running-configuration smtps

Displays the running configuration for SMTPS.

smtps

Creates or edits an SMTPS e-mail proxy configuration.


clear configure snmp-map

To clear the SNMP map configuration, use the clear configure snmp-map command in global configuration mode.

clear configure snmp-map

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The clear configure snmp-map command removes the SNMP map configuration.

Examples

The following example clears the SNMP map configuration:

hostname# clear configure snmp-map

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

deny version

Disallows traffic using a specific version of SNMP.

inspect snmp

Enables SNMP application inspection.

snmp-map

Defines an SNMP map and enables SNMP map configuration mode.


clear configure snmp-server

To disable the Simple Network Management Protocol (SNMP) server, use the clear configure snmp-server command in global configuration mode.

clear configure snmp-server

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Global configuration | • | • | • | • | •


Command History

Release
Modification

7.0

Support for this command was introduced on the security appliance.


Examples

This example shows how to disable the SNMP server:

hostname# clear configure snmp-server

Related Commands

Command
Description

snmp-server

Provides the security appliance event information through SNMP.

show snmp-server statistics

Displays information about the SNMP server configuration.


clear configure ssh

To clear all SSH commands from the running configuration, use the clear configure ssh command in global configuration mode.

clear configure ssh

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was changed from the clear ssh command to the clear configure ssh command.


Usage Guidelines

This command clears all SSH commands from the configuration. To clear specific commands, use the no form of those commands.

Examples

The following example clears all SSH commands from the configuration:

hostname(config)# clear configure ssh

Related Commands

Command
Description

show running-config ssh

Displays the current SSH commands in the running configuration.

ssh

Allows SSH connectivity to the security appliance from the specified client or network.

ssh scopy enable

Enables a secure copy server on the security appliance.

ssh timeout

Sets the timeout value for idle SSH sessions.

ssh version

Restricts the security appliance to using either SSH Version 1 or SSH Version 2.


clear configure ssl

To remove all SSL commands from the configuration, reverting to default values, use the clear config ssl command in global configuration mode.

clear config ssl

Defaults

By default:

Both the SSL client and SSL server versions are any.

SSL encryption is 3des-sha1 | des-sha1 | rc4-md5, in that order.

There is no trust point association; the security appliance uses the default RSA key-pair certificate.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to use the clear config ssl command:

hostname(config)# clear config ssl

Related Commands

Command
Description

show running-config ssl

Displays the current set of configured ssl commands.

ssl client-version

Specifies the SSL/TLS protocol version the security appliance uses when acting as a client.

ssl server-version

Specifies the SSL/TLS protocol version the security appliance uses when acting as a server.

ssl trust-point

Specifies the certificate trust point that represents the SSL certificate for an interface.
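
Several commands in this chapter change the appliance's security posture the moment they run: clear configure passwd restores the login password to "cisco", clear configure privilege has no undo, and clear config ssl reverts to the default versions and ciphers listed above. The following Python sketch is an added example, not Cisco code; it scans command-execution syslog lines for these commands so that each occurrence can be reviewed. The 111008 message layout, the sample lines, and the severity labels are assumptions of this example.

```python
import re
from typing import List, NamedTuple

# Effects as documented in this chapter; the severity labels are an
# assumption of this example, not part of the Cisco reference.
EFFECTS = {
    "passwd": ("high", 'login password restored to the default "cisco"'),
    "privilege": ("high", "configured privilege levels removed; there is no undo"),
    "ssl": ("high", "SSL defaults restored: client/server version any, "
                    "3des-sha1 | des-sha1 | rc4-md5, no trust point"),
    "ssh": ("medium", "all SSH commands removed from the running configuration"),
    "telnet": ("medium", "Telnet connection and idle timeout removed"),
    "ntp": ("medium", "NTP configuration cleared"),
    "nat": ("medium", "NAT configuration removed"),
    "static": ("medium", "all static commands removed"),
}
# The chapter documents passwd | password as aliases of each other.
ALIASES = {"password": "passwd"}
DEFAULT_EFFECT = ("low", "configuration section cleared")

# Assumed layout of the command-execution syslog message (ID 111008).
LOG_RE = re.compile(
    r"%(?:ASA|PIX)-\d-111008: User '([^']*)' executed the '(.+)' command\."
)
# The chapter uses both "clear configure" and the shortened "clear config".
CMD_RE = re.compile(r"^clear\s+config(?:ure)?\s+(\S+)\s*(.*)$", re.IGNORECASE)


class Finding(NamedTuple):
    user: str
    target: str    # configuration section that was cleared
    args: str      # optional arguments, e.g. "ospf 1" or a list name
    severity: str
    effect: str


def audit(lines: List[str]) -> List[Finding]:
    """Return one Finding per 'clear configure ...' command seen in the log."""
    findings = []
    for line in lines:
        log = LOG_RE.search(line)
        if not log:
            continue  # not a command-execution message
        user, command = log.group(1), log.group(2).strip()
        cmd = CMD_RE.match(command)
        if not cmd:
            continue  # e.g. show commands, or clear commands for statistics
        target = cmd.group(1).lower()
        target = ALIASES.get(target, target)
        severity, effect = EFFECTS.get(target, DEFAULT_EFFECT)
        findings.append(Finding(user, target, cmd.group(2).strip(), severity, effect))
    return findings


# Constructed sample lines for illustration; not captured from a real device.
SAMPLE_LOG = [
    "Mar 03 2006 10:15:02: %ASA-5-111008: User 'enable_15' executed the 'clear configure passwd' command.",
    "Mar 03 2006 10:15:40: %ASA-5-111008: User 'ops1' executed the 'clear config ssl' command.",
    "Mar 03 2006 10:16:01: %ASA-5-111008: User 'ops1' executed the 'show running-config passwd' command.",
    "Mar 03 2006 10:17:12: %PIX-5-111008: User 'netadmin' executed the 'clear configure router ospf 1' command.",
    "Mar 03 2006 10:18:30: %ASA-5-111008: User 'ops2' executed the 'clear configure password' command.",
    "Mar 03 2006 10:19:00: %ASA-5-111008: User 'ops2' executed the 'clear pim counters' command.",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        detail = f"{f.target} {f.args}".strip()
        print(f"[{f.severity:6}] {f.user}: clear configure {detail} -> {f.effect}")
```

A "high" finding for passwd means the login password on that appliance should be treated as the well-known default until show running-config passwd and a fresh passwd command confirm otherwise.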


clear configure static

To remove all the static commands from the configuration, use the clear configure static command in global configuration mode.

clear configure static

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

The keyword configure was added.


Examples

This example shows how to remove all the static commands from the configuration:

hostname(config)# clear configure static

Related Commands

Command
Description

show running-config static

Displays all static commands in the configuration.

static

Configures a persistent one-to-one address translation rule by mapping a local IP address to a global IP address.


clear configure sunrpc-server

To clear the remote procedure call services from the security appliance, use the clear configure sunrpc-server command in global configuration mode.

clear configure sunrpc-server [active]

Syntax Description

active

(Optional) Identifies the SunRPC services that are currently active on the security appliance.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The sunrpc-server command displays the configured router ospf commands.


Note: If the highest-level IP address on the security appliance is a private address, this address is sent in hello packets and database definitions. To prevent this action, set the router-id ip_address to a global address.


Examples

The following example shows how to clear the SunRPC services from the security appliance:

hostname(config)# clear configure sunrpc-server active


Related Commands

Command
Description

sunrpc-server

Creates the SunRPC services table.

show running-config sunrpc-server

Displays the information about the SunRPC configuration.


clear configure sysopt

To clear the configuration for all sysopt commands, use the clear configure sysopt command in global configuration mode.

clear configure sysopt

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was changed from clear sysopt.


Examples

The following example clears all sysopt command configuration:

hostname(config)# clear configure sysopt

Related Commands

Command
Description

show running-config sysopt

Shows the sysopt command configuration.

sysopt connection permit-ipsec

Permits any packets that come from an IPSec tunnel without checking any ACLs for interfaces.

sysopt connection tcpmss

Overrides the maximum TCP segment size or ensures that the maximum is not less than a specified size.

sysopt connection timewait

Forces each TCP connection to linger in a shortened TIME_WAIT state after the final normal TCP close-down sequence.

sysopt nodnsalias

Disables alteration of the DNS A record address when you use the alias command.


clear configure tcp-map

To clear tcp-map configuration, use the clear configure tcp-map command in global configuration mode.

clear configure tcp-map

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to clear the TCP map configuration:

hostname(config)# clear configure tcp-map


Related Commands

Command
Description

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.

show running-config tcp-map

Displays the information about the TCP map configuration.


clear configure telnet

To remove the Telnet connection and idle timeout from the configuration, use the clear configure telnet command in global configuration mode.

clear configure telnet

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

The keyword configure was added.


Examples

This example shows how to remove the Telnet connection and the idle timeout from the security appliance configuration:

hostname(config)# clear configure telnet

Related Commands

Command
Description

show running-config telnet

Displays the current list of IP addresses that are authorized to use Telnet connections to the security appliance.

telnet

Adds Telnet access to the console and sets the idle timeout.


clear configure terminal

To clear the terminal display width setting, use the clear configure terminal command in global configuration mode.

clear configure terminal

Syntax Description

This command has no keywords or arguments.

Defaults

The default display width is 80 columns.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

The configure keyword was added.


Examples

The following example clears the display width:

hostname# clear configure terminal

Related Commands

Command
Description

terminal

Sets the terminal line parameters.

terminal width

Sets the terminal display width.

show running-config terminal

Displays the current terminal settings.


clear configure timeout

To restore the default idle time durations in the configuration, use the clear configure timeout command in global configuration mode.

clear configure timeout

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

This example shows how to remove the maximum idle time durations from the configuration:

hostname(config)# clear configure timeout

Related Commands

Command
Description

show running-config timeout

Displays the timeout value of the designated protocol.

timeout

Sets the maximum idle time duration.


clear configure tunnel-group

To remove all or specified tunnel groups from the configuration, use the clear config tunnel-group command in global configuration mode.

clear config tunnel-group [name]

Syntax Description

name

(Optional) Specifies the name of a tunnel group.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example, entered in global configuration mode, removes the toengineering tunnel group from the configuration:

hostname(config)# clear config tunnel-group toengineering
hostname(config)# 

Related Commands

Command
Description

show running-config tunnel-group

Displays information about all or selected tunnel-groups.

tunnel-group

Enters tunnel-group subconfiguration mode for the specified type.


clear configure url-block

To clear the URL pending block buffer and long URL support configuration, use the clear configure url-block command in global configuration mode.

clear configure url-block

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The clear configure url-block command clears the URL pending block buffer and long URL support configuration.

Examples

The following example clears the URL pending block buffer and long URL support configuration:

hostname# clear configure url-block

Related Commands

Commands
Description

clear url-block block statistics

Clears the block buffer usage counters.

show url-block

Displays information about the URL cache, which is used for buffering URLs while waiting for responses from an N2H2 or Websense filtering server.

url-block

Manages the URL buffers used for web server responses.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


clear configure url-cache

To clear the URL cache, use the clear configure url-cache command in global configuration mode.

clear configure url-cache

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The clear configure url-cache command clears the URL cache.

Examples

The following example clears the URL cache:

hostname# clear configure url-cache

Related Commands

Commands
Description

clear url-cache statistics

Removes url-cache command statements from the configuration.

filter url

Directs traffic to a URL filtering server.

show url-cache statistics

Displays information about the URL cache, which is used for buffering URLs while waiting for responses from an N2H2 or Websense filtering server.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the scsc command.


clear configure url-list

To remove a configured set of URLs that WebVPN users can access, use the clear configure url-list command in global configuration mode. To remove all configured URLs, use this command without the listname argument. To remove only the URLs for a specific list, use this command with that listname.

clear configure url-list [listname]

Syntax Description

listname

Groups the set of URLs WebVPN users can access. Maximum 64 characters.


Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to remove the URL list called Marketing URLs.

hostname(config)# clear configure url-list Marketing URLs

Related Commands

Command
Description

show running-configuration url-list

Displays the current set of configured url-list commands.

url-list

Use this command in global configuration mode to configure the set of URLs that WebVPN users can access.

url-list

Use this command in webvpn mode that you access from group-policy or username mode to enable WebVPN URL access for a specific group policy or user.


clear configure url-server

To clear the URL filtering server configuration, use the clear configure url-server command in global configuration mode.

clear configure url-server

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The clear configure url-server command clears the URL filtering server configuration.

Examples

The following example clears the URL filtering server configuration:

hostname# clear configure url-server

Related Commands

Commands
Description

clear url-server

Clears the URL filtering server statistics.

show url-server

Displays information about the URL cache, which is used for buffering URLs while waiting for responses from an N2H2 or Websense filtering server.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-block

Manages the URL buffers used for web server responses while waiting for a filtering decision from the filtering server.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


clear configure username

To clear the username database, use the clear configure username command. To clear the configuration for a particular user, use this command and append the username.

clear configure username [name]

Syntax Description

name

(Optional) Provides the name of the user.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The internal user authentication database consists of the users entered with the username command. The login command uses this database for authentication.

Examples

The following example shows how to clear the configuration for the user named anyuser:

hostname(config)# clear configure username anyuser

Related Commands

Command
Description

show running-config username

Displays the running configuration for a particular user or for all users.

username

Adds a user to the security appliance database.

username attributes

Lets you configure AVPs for specific users.


clear configure virtual

To remove the authentication virtual server from the configuration, use the clear configure virtual command in global configuration mode.

clear configure virtual

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was modified to conform to CLI guidelines.


Usage Guidelines

There is no undo.

Examples

This example shows the clear configure virtual command:

hostname(config)# clear configure virtual

Related Commands

Command
Description

show running-config virtual

Displays the IP address for the authentication virtual server.

virtual http

Allows separate authentication with the security appliance and with the HTTP server.

virtual telnet

Authenticates users with the virtual Telnet server for traffic types for which the security appliance does not supply an authentication prompt.


clear configure vpn-load-balancing

To remove the previously specified VPN load-balancing configuration, thus disabling VPN load-balancing, use the clear configure vpn load-balancing command in global configuration mode.

clear configure vpn load-balancing

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The clear configure vpn load-balancing command also clears the following related commands: cluster encryption, cluster ip address, cluster key, cluster port, nat, participate, and priority.

Examples

The following command removes vpn load-balancing configuration statements from the configuration:

hostname(config)# clear configure vpn load-balancing

Related Commands

show running-config vpn load-balancing

Displays the current VPN load-balancing configuration.

vpn load-balancing

Enters vpn load-balancing mode.


clear conn

To clear a specific connection or multiple connections, use the clear conn command in privileged EXEC mode. This command supports IPv4 and IPv6 addresses.

clear conn [all] [protocol {tcp | udp}] [address src_ip[-src_ip] [netmask mask]] [port src_port[-src_port]] [address dest_ip[-dest_ip] [netmask mask]] [port dest_port[-dest_port]]

Syntax Description

address

(Optional) Clears connections with the specified source or destination IP address.

all

(Optional) Clears all connections that are to the device or from the device, in addition to through-traffic connections.

dest_ip

(Optional) Specifies the destination IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-). For example:

10.1.1.1-10.1.1.5

dest_port

(Optional) Specifies the destination port number. To specify a range, separate the port numbers with a dash (-). For example:

1000-2000

netmask mask

(Optional) Specifies a subnet mask for use with the given IP address.

port

(Optional) Clears connections with the specified source or destination port.

protocol {tcp | udp}

(Optional) Clears connections with the protocol tcp or udp.

src_ip

(Optional) Specifies the source IP address (IPv4 or IPv6). To specify a range, separate the IP addresses with a dash (-). For example:

10.1.1.1-10.1.1.5

src_port

(Optional) Specifies the source port number. To specify a range, separate the port numbers with a dash (-). For example:

1000-2000

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(8)

This command was introduced.


Usage Guidelines

When the security appliance creates a pinhole to allow secondary connections, the show conn command shows it as an incomplete conn. To clear this incomplete conn, use the clear conn command.

Examples

The following example shows all connections, and then clears the management connection between 10.10.10.108:4168 and 10.0.8.112:22:

hostname# show conn all
TCP mgmt 10.10.10.108:4168 NP Identity Ifc 10.0.8.112:22, idle 0:00:00, bytes 3084, flags UOB

hostname# clear conn address 10.10.10.108 port 4168 address 10.0.8.112 port 22
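
The same workflow as an added example, not part of the Cisco documentation: Python that parses connection lines in the layout of the show conn all sample above (re-joining a flags value that the terminal wrapped onto its own line) and builds the matching clear conn command from validated fields only. It goes slightly beyond the sample by also accepting the dash-separated address and port ranges from the syntax description; the function names and the assumption that every entry follows the sample's IPv4 layout are this example's own.

```python
import ipaddress
import re

# Constructed sample: the page's "show conn all" output, with the terminal
# wrap that leaves the flags value on a line of its own.
SAMPLE = (
    "hostname# show conn all\n"
    "TCP mgmt 10.10.10.108:4168 NP Identity Ifc 10.0.8.112:22, idle 0:00:00, "
    "bytes 3084, flags \n"
    "UOB\n"
)

# Assumption: each entry follows the IPv4 layout of that sample line.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src_if>\S+)\s+"
    r"(?P<src_ip>\d+(?:\.\d+){3}):(?P<src_port>\d+)\s+"
    r"(?P<dst_if>.+?)\s+"
    r"(?P<dst_ip>\d+(?:\.\d+){3}):(?P<dst_port>\d+),\s*"
    r"idle\s+(?P<idle>[\d:]+),\s*bytes\s+(?P<bytes>\d+),\s*flags\s*(?P<flags>\S*)$"
)


def parse_show_conn(text):
    """Return one dict per connection entry, re-joining wrapped lines."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.split()[0].endswith("#"):
            continue                      # blank line or CLI prompt
        if s.startswith(("TCP ", "UDP ")):
            entries.append(s)             # start of a new entry
        elif entries:
            entries[-1] += " " + s        # continuation of a wrapped entry
    return [m.groupdict() for m in map(CONN_RE.match, entries) if m]


def _addr(value):
    """Validate one address or a dash-separated range (IPv4 or IPv6)."""
    ips = [ipaddress.ip_address(p) for p in str(value).split("-")]
    if len(ips) > 2:
        raise ValueError(f"bad address range: {value!r}")
    if len(ips) == 2 and (ips[0].version != ips[1].version or ips[0] > ips[1]):
        raise ValueError(f"bad address range: {value!r}")
    return "-".join(str(ip) for ip in ips)


def _port(value):
    """Validate one port or a dash-separated range."""
    ports = [int(p) for p in str(value).split("-")]
    if len(ports) > 2 or ports != sorted(ports) or any(not 0 <= p <= 65535 for p in ports):
        raise ValueError(f"bad port or range: {value!r}")
    return "-".join(str(p) for p in ports)


def build_clear_conn(src_ip, src_port, dst_ip, dst_port, protocol=None):
    """Build a clear conn command line using the keyword order from the syntax
    above. Every field is re-emitted from its parsed form, so stray text in an
    input can never reach the CLI."""
    words = ["clear", "conn"]
    if protocol is not None:
        if protocol.lower() not in ("tcp", "udp"):
            raise ValueError(f"bad protocol: {protocol!r}")
        words += ["protocol", protocol.lower()]
    words += ["address", _addr(src_ip), "port", _port(src_port),
              "address", _addr(dst_ip), "port", _port(dst_port)]
    return " ".join(words)


if __name__ == "__main__":
    for c in parse_show_conn(SAMPLE):
        print(build_clear_conn(c["src_ip"], c["src_port"], c["dst_ip"], c["dst_port"]))
```
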

Related Commands

Commands
Description

clear local-host

Clears all connections by a specific local host or all local hosts.

clear xlate

Clears a NAT session, and any connections using NAT.

show conn

Shows connection information.

show local-host

Displays the network states of local hosts.

show xlate

Shows NAT sessions.



clear console-output

To remove the currently captured console output, use the clear console-output command in privileged EXEC mode.

clear console-output

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

·

·

·

·

·


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

The following example shows how to remove the currently captured console output:

hostname# clear console-output

Related Commands

Command
Description

show console-output

Displays the captured console output.


clear counters

To clear the protocol stack counters, use the clear counters command in global configuration mode.

clear counters [all | context context-name | summary | top N ] [detail] [protocol protocol_name [:counter_name]] [ threshold N]

Syntax Description

all

(Optional) Clears all filter details.

context context-name

(Optional) Specifies the context name.

:counter_name

(Optional) Specifies a counter by name.

detail

(Optional) Clears detailed counters information.

protocol protocol_name

(Optional) Clears the counters for the specified protocol.

summary

(Optional) Clears the counter summary.

threshold N

(Optional) Clears the counters at or above the specified threshold. The range is 1 through 4294967295.

top N

(Optional) Clears the counters at or above the specified threshold. The range is 1 through 4294967295.


Defaults

clear counters summary detail

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

This example shows how to clear the protocol stack counters:

hostname(config)# clear counters

Related Commands

Command
Description

show counters

Displays the protocol stack counters.


clear crashinfo

To delete the contents of the crash file in Flash memory, enter the clear crashinfo command in privileged EXEC mode.

clear crashinfo

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

This command has no usage guidelines.

Examples

The following command shows how to delete the crash file:

hostname# clear crashinfo

Related Commands

crashinfo force

Forces a crash of the security appliance.

crashinfo save disable

Disables crash information from writing to Flash memory.

crashinfo test

Tests the ability of the security appliance to save crash information to a file in Flash memory.

show crashinfo

Displays the contents of the crash file stored in Flash memory.


clear crypto accelerator statistics

To clear the global and accelerator-specific statistics from the crypto accelerator MIB, use the clear crypto accelerator statistics command in global configuration and privileged EXEC modes.

clear crypto accelerator statistics

Syntax Description

This command has no keywords or variables.

Defaults

No default behavior or values.

Command Modes

The following table shows the mode in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example, entered in global configuration mode, clears crypto accelerator statistics:

hostname(config)# clear crypto accelerator statistics
hostname(config)# 

Related Commands

Command
Description

clear crypto protocol statistics

Clears the protocol-specific statistics in the crypto accelerator MIB.

show crypto accelerator statistics

Displays the global and accelerator-specific statistics in the crypto accelerator MIB.

show crypto protocol statistics

Displays the protocol-specific statistics from the crypto accelerator MIB.


clear crypto ca crls

To remove the CRL cache of all CRLs associated with a specified trustpoint or to remove the CRL cache of all CRLs, use the clear crypto ca crls command in global configuration mode.

clear crypto ca crls [trustpointname]

Syntax Description

trustpointname

(Optional) The name of a trustpoint. If you do not specify a name, this command clears all CRLs cached on the system.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

 

Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example, issued in global configuration mode, removes the CRL cache of all CRLs from the security appliance:

hostname(config)# clear crypto ca crls
hostname(config)# 

Related Commands

Command
Description

crypto ca crl request

Downloads the CRL based on the CRL configuration of the trustpoint.

show crypto ca crls

Displays all cached CRLs or CRLs cached for a specified trustpoint.


clear [crypto] ipsec sa

To remove the IPSec SA counters, entries, crypto maps or peer connections, use the clear [crypto] ipsec sa command in global configuration mode. To clear all IPSec SAs, use this command without arguments.

clear [crypto] ipsec sa [counters | entry {hostname | IP address} {esp | ah} {SPI}| map {map name} | peer {hostname | IP address}]

Be careful when using this command.

Syntax Description

ah

Authentication header.

counters

Clears all IPSec per SA statistics.

entry

Deletes the tunnel that matches the specified IP address/hostname, protocol and SPI value.

esp

Encryption security protocol.

hostname

Identifies a hostname assigned to an IP address.

IP address

Identifies an IP address.

map

Deletes all tunnels associated with the specified crypto map as identified by map name.

map name

An alphanumeric string that identifies a crypto map. Max 64 characters.

peer

Deletes all IPSec SAs to a peer as identified by the specified hostname or IP address.

SPI

Identifies the Security Parameters Index (a hexadecimal number).

   

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example, issued in global configuration mode, removes all of the IPSec SAs from the security appliance:

hostname(config)# clear ipsec sa
hostname(config)# 

The next example, issued in global configuration mode, deletes SAs with a peer IP address of 10.86.1.1.

hostname(config)# clear ipsec sa peer 10.86.1.1
hostname(config)#

Related Commands

Command
Description

clear configure crypto map

Clears all or specified crypto maps from the configuration.

clear configure isakmp

Clears all ISAKMP policy configuration.

show ipsec sa

Displays information about IPSec SAs, including counters, entry, map name, peer IP address and hostname.

show running-config crypto

Displays the entire crypto configuration, including IPSec, crypto maps, dynamic crypto maps, and ISAKMP.


clear crypto protocol statistics

To clear the protocol-specific statistics in the crypto accelerator MIB, use the clear crypto protocol statistics command in global configuration or privileged EXEC modes.

clear crypto protocol statistics protocol

Syntax Description

protocol

Specifies the name of the protocol for which you want to clear statistics. Protocol choices are as follows:

ikev1—Internet Key Exchange version 1.

ipsec—IP Security Phase-2 protocols.

ssl—Secure Socket Layer.

other—Reserved for new protocols.

all—All protocols currently supported.

In online help for this command, other protocols may appear that will be supported in future releases.


Defaults

No default behavior or values.

Command Modes

The following table shows the mode in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
</