Cisco Security Appliance Command Reference, Version 7.0
M through R Commands

M through R Commands

Table Of Contents

M through R Commands

mac address

mac-address-table aging-time

mac-address-table static

mac-learn

mac-list

management-access

management-only

mask-syst-reply

match access-list

match any

match default-inspection-traffic

match dscp

match flow ip destination-address

match interface

match ip address

match ip next-hop

match ip route-source

match metric

match port

match precedence

match route-type

match rtp

match tunnel-group

max-failed-attempts

max-header-length

max-uri-length

mcc

media-type

memory caller-address

memory delayed-free-poisoner enable

memory delayed-free-poisoner validate

memory profile enable

memory profile text

memory tracking enable

message-length

mgcp-map

mkdir

mode

monitor-interface

more

mroute

mtu

multicast-routing

name

nameif

names

name-separator

nat

nat (vpn load-balancing)

nat-control

nbns-server

neighbor

nem

network area

network-object

nt-auth-domain-controller

ntp authenticate

ntp authentication-key

ntp server

ntp trusted-key

object-group

ospf authentication

ospf authentication-key

ospf cost

ospf database-filter

ospf dead-interval

ospf hello-interval

ospf message-digest-key

ospf mtu-ignore

ospf network point-to-point non-broadcast

ospf priority

ospf retransmit-interval

ospf transmit-delay

outstanding

participate

passwd

password (crypto ca trustpoint)

password-prompt

password-storage

peer-id-validate

perfmon

periodic

permit errors

permit response

pfs

pim

pim accept-register

pim dr-priority

pim hello-interval

pim join-prune-interval

pim old-register-checksum

pim rp-address

pim spt-threshold infinity

ping

police

policy

policy-map

polltime interface

pop3s

port

port-forward

port-forward (webvpn)

port-forward-name

port-misuse

port-object

preempt

prefix-list

prefix-list description

prefix-list sequence-number

pre-shared-key

primary

priority

priority (vpn load balancing)

priority-queue

privilege

protocol http

protocol ldap

protocol scep

protocol-object

pwd

queue-limit (priority-queue)

queue-limit (tcp-map)

quit

radius-common-pw

radius-with-expiry

reactivation-mode

redistribute

reload

remote-access threshold session-threshold-exceeded

rename

replication http

request-command deny

request-method

request-queue

reserved-bits

retry-interval

re-xauth

rip

rmdir

route

route-map

router-id

router ospf


M through R Commands


mac address

To specify the virtual MAC addresses for the active and standby units, use the mac address command in failover group configuration mode. To restore the default virtual MAC addresses, use the no form of this command.

mac address phy_if [active_mac] [standby_mac]

no mac address phy_if [active_mac] [standby_mac]

Syntax Description

phy_if

The physical name of the interface to set the MAC address.

active_mac

The virtual MAC address for the active unit. The MAC address must be entered in h.h.h format, where h is a 16-bit hexadecimal number.

standby_mac

The virtual MAC address for the standby unit. The MAC address must be entered in h.h.h format, where h is a 16-bit hexadecimal number.


Defaults

The defaults are as follows:

Active unit default MAC address: 00a0.c9pp.gg01, where pp is the physical port number and gg is the failover group ID.

Standby unit default MAC address: 00a0.c9pp.gg02, with pp and gg as above.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Failover group configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

If the virtual MAC addresses are not defined for the failover group, the default values are used.

If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address.

Examples

The following partial example shows a possible configuration for a failover group:

hostname(config)# failover group 1 
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# mac address e1 0000.a000.a011 0000.a000.a012 
hostname(config-fover-group)# exit
hostname(config)#

Related Commands

Command
Description

failover group

Defines a failover group for Active/Active failover.

failover mac address

Specifies a virtual MAC address for a physical interface.


mac-address-table aging-time

To set the timeout for MAC address table entries, use the mac-address-table aging-time command in global configuration mode. To restore the default value of 5 minutes, use the no form of this command.

mac-address-table aging-time timeout_value

no mac-address-table aging-time

Syntax Description

timeout_value

The time a MAC address entry stays in the MAC address table before timing out, between 5 and 720 minutes (12 hours). 5 minutes is the default.


Defaults

The default timeout is 5 minutes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

No usage guidelines.

Examples

The following example sets the MAC address timeout to 10 minutes:

hostname(config)# mac-address-table aging-time 10

Related Commands

Command
Description

arp-inspection

Enables ARP inspection, which compares ARP packets to static ARP entries.

firewall transparent

Sets the firewall mode to transparent.

mac-address-table static

Adds static MAC address entries to the MAC address table.

mac-learn

Disables MAC address learning.

show mac-address-table

Shows the MAC address table, including dynamic and static entries.


mac-address-table static

To add a static entry to the MAC address table, use the mac-address-table static command in global configuration mode. To remove a static entry, use the no form of this command. Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired. One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the security appliance drops the traffic and generates a system message.

mac-address-table static interface_name mac_address

no mac-address-table static interface_name mac_address

Syntax Description

interface_name

The source interface.

mac_address

The MAC address you want to add to the table.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example adds a static MAC address entry to the MAC address table:

hostname(config)# mac-address-table static inside 0010.7cbe.6101

Related Commands

Command
Description

arp

Adds a static ARP entry.

firewall transparent

Sets the firewall mode to transparent.

mac-address-table aging-time

Sets the timeout for dynamic MAC address entries.

mac-learn

Disables MAC address learning.

show mac-address-table

Shows MAC address table entries.


mac-learn

To disable MAC address learning for an interface, use the mac-learn command in global configuration mode. To reenable MAC address learning, use the no form of this command. By default, each interface automatically learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired.

mac-learn interface_name disable

no mac-learn interface_name disable

Syntax Description

interface_name

The interface on which you want to disable MAC learning.

disable

Disables MAC learning.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example disables MAC learning on the outside interface:

hostname(config)# mac-learn outside disable
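The three commands above interact: a mac-address-table static entry pins a MAC address to one interface, mac-learn disable stops an interface from adding dynamic entries, and mac-address-table aging-time expires the dynamic entries that were learned. The following Python model is an added illustration, not Cisco code. The MacTable class, its method names, the decision strings and the log text are assumptions made for the example, as is the choice to still forward frames arriving on an interface whose learning is disabled (the reference says only that learning stops); the rules themselves come from the command descriptions.

```python
"""Model of the transparent-firewall MAC address table as described for
mac-address-table static, mac-address-table aging-time and mac-learn.

Added illustration, not Cisco code. The class, its method names, the decision
strings and the log text are assumptions made for this example; the rules
(a static entry pins a MAC to one interface and frames from that MAC on any
other interface are dropped and logged; an interface with learning disabled
adds no dynamic entries; dynamic entries age out) come from the reference.
"""
from dataclasses import dataclass, field


@dataclass
class MacTable:
    aging_minutes: int = 5                         # mac-address-table aging-time default
    static: dict = field(default_factory=dict)     # mac -> interface
    dynamic: dict = field(default_factory=dict)    # mac -> (interface, last seen, minutes)
    learn_disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)        # stand-in for the system message

    def add_static(self, interface: str, mac: str) -> None:
        """mac-address-table static <interface> <mac>"""
        mac = mac.lower()
        self.static[mac] = interface
        self.dynamic.pop(mac, None)   # assumption: a static entry supersedes a learned one

    def disable_learning(self, interface: str) -> None:
        """mac-learn <interface> disable"""
        self.learn_disabled.add(interface)

    def expire(self, now: int) -> None:
        """Remove dynamic entries idle for at least the aging time."""
        for mac, (_, seen) in list(self.dynamic.items()):
            if now - seen >= self.aging_minutes:
                del self.dynamic[mac]

    def ingress(self, interface: str, src_mac: str, now: int) -> str:
        """Decide what happens to one frame; returns a decision string."""
        src_mac = src_mac.lower()
        self.expire(now)
        pinned = self.static.get(src_mac)
        if pinned is not None:
            if pinned != interface:
                self.log.append(
                    f"drop: {src_mac} is statically bound to {pinned}, "
                    f"frame arrived on {interface}")
                return "drop-spoof"
            return "forward"
        if interface in self.learn_disabled:
            # Assumption: the frame is still forwarded; only table learning stops.
            return "forward-unlearned"
        self.dynamic[src_mac] = (interface, now)
        return "forward"


def run_demo() -> tuple:
    """Constructed frame sequence (interface, source MAC, minute) and the decisions."""
    table = MacTable()
    table.add_static("inside", "0010.7cbe.6101")   # entry from the reference example
    table.disable_learning("outside")
    frames = [
        ("inside",  "0010.7cbe.6101", 0),   # legitimate host behind inside
        ("outside", "0010.7cbe.6101", 0),   # same MAC seen on outside: spoof, dropped
        ("dmz",     "0050.54ff.0001", 1),   # unknown MAC, learned on dmz
        ("outside", "0050.54ff.0002", 1),   # learning disabled on outside: not learned
        ("dmz",     "0050.54ff.0001", 7),   # dmz entry aged out at minute 6, relearned
    ]
    decisions = [table.ingress(*frame) for frame in frames]
    return decisions, table


if __name__ == "__main__":
    decisions, table = run_demo()
    for decision in decisions:
        print(decision)
    print(table.log)
```

The second frame is the case the reference describes: the MAC is statically bound to inside, so the copy arriving on outside is dropped and logged rather than moving the entry, which is what a dynamic entry would have done.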

Related Commands

Command
Description

clear configure mac-learn

Sets the mac-learn configuration to the default.

firewall transparent

Sets the firewall mode to transparent.

mac-address-table static

Adds static MAC address entries to the MAC address table.

show mac-address-table

Shows the MAC address table, including dynamic and static entries.

show running-config mac-learn

Shows the mac-learn configuration.


mac-list

To specify a list of MAC addresses to be used for MAC-based authentication, use the mac-list command in global configuration mode. To disable the use of a list of MAC addresses, use the no form of this command. The mac-list command adds a list of MAC addresses using a first-match search.

mac-list id deny | permit mac macmask

no mac-list id deny | permit mac macmask

Syntax Description

deny

Indicates that traffic matching these criteria is not included in the MAC list and is subject to both authentication and authorization.

id

Specifies a hexadecimal MAC access list number.

mac

Specifies the source MAC address in 12-digit hexadecimal form; that is, nnnn.nnnn.nnnn

macmask

Specifies the mask applied to mac. A bit set to 1 in the mask must match exactly; bits set to 0 are ignored, so a mask such as ffff.ffff.0000 groups every MAC address that shares the first 32 bits, while ffff.ffff.ffff matches a single address.

permit

Indicates that traffic matching these criteria is included in the MAC list and is exempt from both authentication and authorization.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To group a set of MAC addresses, enter the mac-list command as many times as needed with the same id value. Configure the MAC access list number using the mac-list command before using the aaa mac-exempt command.

Only AAA exemption is provided. Authorization is automatically exempted for MAC addresses for which authentication is exempted. Other types of AAA with mac-list are not supported.

Examples

The following example shows how to configure a MAC address list:

hostname(config)# mac-list adc permit 00a0.c95d.0282 ffff.ffff.ffff
hostname(config)# mac-list adc deny 00a1.c95d.0282 ffff.ffff.ffff
hostname(config)# mac-list ac permit 0050.54ff.0000 ffff.ffff.0000
hostname(config)# mac-list ac deny 0061.54ff.b440 ffff.ffff.ffff
hostname(config)# mac-list ac deny 0072.54ff.b440 ffff.ffff.ffff
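Because the list is searched first-match, the order of permit and deny entries decides the outcome when a specific address also falls inside a masked group. The following Python is an added example, not Cisco code: the parser, the is_exempt() helper and the constructed config text are assumptions made here; the semantics (entries searched in configured order, first match wins, permit exempts from authentication and authorization, deny leaves the address subject to both) come from the command description. Treating a source MAC that matches no entry as not exempt is an assumption.

```python
"""First-match evaluation of mac-list entries, as consumed by aaa mac-exempt.

Added example, not Cisco code. The parser, is_exempt() and the constructed
config text are assumptions made here; the semantics (configured order,
first match wins, permit = exempt, deny = subject to AAA) come from the
reference. Treating a MAC that matches no entry as not exempt is an assumption.
"""
import re

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def mac_to_int(mac: str) -> int:
    """Convert nnnn.nnnn.nnnn to an integer; reject anything that is not hex."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC or mask: {mac!r}")
    return int(mac.replace(".", ""), 16)


def parse_mac_list(config_text: str) -> dict:
    """Collect 'mac-list <id> permit|deny <mac> <mask>' lines, keeping config order."""
    lists = {}
    for line in config_text.splitlines():
        line = line.split("# ", 1)[-1]          # drop a 'hostname(config)# ' prompt if present
        parts = line.split()
        if len(parts) != 5 or parts[0] != "mac-list" or parts[2] not in ("permit", "deny"):
            continue
        _, list_id, action, mac, mask = parts
        lists.setdefault(list_id, []).append((action, mac_to_int(mac), mac_to_int(mask)))
    return lists


def is_exempt(entries: list, src_mac: str) -> bool:
    """True if the first matching entry is a permit (MAC exempt from AAA)."""
    value = mac_to_int(src_mac)
    for action, mac, mask in entries:            # first match wins
        if (value & mask) == (mac & mask):
            return action == "permit"
    return False                                  # assumption: no match -> not exempt


# Constructed config text mirroring the reference example (OUI 00a0.c9 used
# so that every digit is valid hex).
CONFIG = """\
hostname(config)# mac-list adc permit 00a0.c95d.0282 ffff.ffff.ffff
hostname(config)# mac-list adc deny 00a1.c95d.0282 ffff.ffff.ffff
hostname(config)# mac-list ac permit 0050.54ff.0000 ffff.ffff.0000
hostname(config)# mac-list ac deny 0061.54ff.b440 ffff.ffff.ffff
hostname(config)# mac-list ac deny 0072.54ff.b440 ffff.ffff.ffff
"""

MAC_LISTS = parse_mac_list(CONFIG)


def order_matters() -> tuple:
    """The same two entries in opposite order: a broad permit placed first
    shadows the specific deny after it, so the deny never takes effect."""
    broad_first = parse_mac_list(
        "mac-list a permit 0050.54ff.0000 ffff.ffff.0000\n"
        "mac-list a deny 0050.54ff.b440 ffff.ffff.ffff\n")["a"]
    specific_first = parse_mac_list(
        "mac-list b deny 0050.54ff.b440 ffff.ffff.ffff\n"
        "mac-list b permit 0050.54ff.0000 ffff.ffff.0000\n")["b"]
    return (is_exempt(broad_first, "0050.54ff.b440"),
            is_exempt(specific_first, "0050.54ff.b440"))


if __name__ == "__main__":
    for mac in ("0050.54ff.1234", "0050.55ff.1234", "0061.54ff.b440"):
        print(mac, "exempt" if is_exempt(MAC_LISTS["ac"], mac) else "AAA required")
    print("broad permit first / specific deny first:", order_matters())
```

order_matters() returns (True, False): with the broad permit configured first, the address that the later deny was meant to exclude is exempted anyway. Put specific deny entries before the masked permit that would otherwise cover them.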

Related Commands

Command
Description

aaa authentication

Enable, disable, or view LOCAL, TACACS+, or RADIUS user authentication, on a server designated by the aaa-server command, or ASDM user authentication.

aaa authorization

Enable or disable LOCAL or TACACS+ user authorization services.

aaa mac-exempt

Exempt a list of MAC addresses from authentication and authorization.

clear configure mac-list

Removes the list of MAC addresses previously specified by the mac-list command with the indicated MAC list number.

show running-config mac-list

Displays the list of MAC addresses previously specified by the mac-list command with the indicated MAC list number.


management-access

To enable access to an internal management interface of the security appliance, use the management-access command in global configuration mode. To disable, use the no form of this command.

management-access mgmt_if

no management-access mgmt_if

Syntax Description

mgmt_if

The name of the internal management interface.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The management-access command lets you define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The interface names are defined by the nameif command and displayed in quotes, " ", in the output of the show interface command.)

The management-access command is supported for the following through an IPSec VPN tunnel only, and you can define only one management interface globally:

SNMP polls to the mgmt_if

HTTPS requests to the mgmt_if

ASDM access to the mgmt_if

Telnet access to the mgmt_if

SSH access to the mgmt_if

Ping to the mgmt_if

Syslog polls to the mgmt_if

NTP requests to the mgmt_if

Examples

The following example shows how to configure a firewall interface named "inside" as the management access interface:

hostname(config)# management-access inside
hostname(config)# show management-access
management-access inside

Related Commands

Command
Description

clear configure management-access

Removes the configuration of an internal interface for management access of the security appliance.

show management-access

Displays the name of the internal interface configured for management access.


management-only

To set an interface to accept management traffic only, use the management-only command in interface configuration mode. To allow through traffic, use the no form of this command.

management-only

no management-only

Syntax Description

This command has no arguments or keywords.

Defaults

The Management 0/0 interface on the ASA 5500 series adaptive security appliance is set to management-only mode by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The ASA adaptive security appliance includes a dedicated management interface called Management 0/0, which is meant to support traffic to the security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.


Note Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA adaptive security appliance, you can use the dedicated management interface (either the physical interface or a subinterface) as a third interface for management traffic. The mode is not configurable in this case and must always be management-only.


Examples

The following example disables management-only mode on the management interface:

hostname(config)# interface management0/0
hostname(config-if)# no management-only

The following example enables management-only mode on a subinterface:

hostname(config)# interface gigabitethernet0/2.1
hostname(config-subif)# management-only

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.


mask-syst-reply

To hide the FTP server's reply to the syst command from clients, use the mask-syst-reply command in FTP map configuration mode, which is accessible by using the ftp-map command. To remove the configuration, use the no form of this command.

mask-syst-reply

no mask-syst-reply

Syntax Description

This command has no arguments or keywords.

Defaults

This command is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

FTP map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Use the mask-syst-reply command with strict FTP inspection to keep the FTP server's operating system information from clients. After you enable this command, the server's replies to the syst command are replaced by a series of Xs before they reach the client.

Examples

The following example causes the security appliance to replace the FTP server replies to the syst command with Xs:

hostname(config)# ftp-map inbound_ftp
hostname(config-ftp-map)# mask-syst-reply
hostname(config-ftp-map)# exit

Related Commands

Command
Description

class-map

Defines the traffic class to which to apply security actions.

ftp-map

Defines an FTP map and enables FTP map configuration mode.

inspect ftp

Applies a specific FTP map to use for application inspection.

policy-map

Associates a class map with specific security actions.

request-command deny

Specifies FTP commands to disallow.


match access-list

To identify traffic using an access list in a class map, use the match access-list command in class-map configuration mode. To remove the access list, use the no form of this command.

match access-list {acl-id...}

no match access-list {acl-id...}

Syntax Description

acl-id

Specifies the name of an ACL to be used as match criteria. When a packet does not match an entry in the ACL, the match result is a no-match. When a packet matches an entry in an ACL, and if it is a permit entry, the match result is a match. Otherwise, if it matches a deny ACL entry, the match result is no-match.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class-map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.

After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.

You can specify one or more access lists to identify specific types of traffic using the match access-list command. The permit statement in an access control entry causes the traffic to be included, while a deny statement causes the traffic to be excluded from the traffic class map.

Examples

The following example shows how to define a traffic class using a class map and the match access-list command:

hostname(config)# access-list ftp_acl extended permit tcp any any eq 21
hostname(config)# class-map ftp_port
hostname(config-cmap)# match access-list ftp_acl

Related Commands

Command
Description

class-map

Defines a traffic class for Modular Policy Framework (the service-policy command applies the resulting policy to an interface).

clear configure class-map

Removes all of the traffic map definitions.

match any

Includes all traffic in the class map.

match port

Identifies a specific port number in a class map.

show running-config class-map

Displays the information about the class map configuration.


match any

To include all traffic in a class map, use the match any command in class-map configuration mode. To remove this specification, use the no form of this command.

match any

no match any

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class-map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.

After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.

All packets will be matched using the match any command (as in the default class map, class-default).

Examples

This example shows how to define a traffic class using a class map and the match any command:

hostname(config)# class-map cmap
hostname(config-cmap)# match any

Related Commands

Command
Description

class-map

Defines a traffic class for Modular Policy Framework (the service-policy command applies the resulting policy to an interface).

clear configure class-map

Removes all of the traffic map definitions.

match access-list

Identifies access list traffic in a class map.

match rtp

Identifies a specific RTP port in a class map.

show running-config class-map

Displays the information about the class map configuration.


match default-inspection-traffic

To specify default traffic for the inspect commands in a class map, use the match default-inspection-traffic command in class-map configuration mode. To remove this specification, use the no form of this command.

match default-inspection-traffic

no match default-inspection-traffic

Syntax Description

This command has no arguments or keywords.

Defaults

See the Usage Guidelines section for the default traffic of each inspection.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class-map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.

After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.

Using the match default-inspection-traffic command, you can match default traffic for the individual inspect commands. The match default-inspection-traffic command can be used in conjunction with one other match command, which is typically an access-list in the form of permit ip src-ip dst-ip.

The rule for combining a second match command with the match default-inspection-traffic command is to specify the protocol and port information using the match default-inspection-traffic command and specify all other information (such as IP addresses) using the second match command. Any protocol or port information specified in the second match command is ignored with respect to the inspect commands.

For instance, the port 65535 specified in the following example is ignored for the purposes of the inspect commands:

hostname(config)# class-map cmap
hostname(config-cmap)# match default-inspection-traffic
hostname(config-cmap)# match port tcp eq 65535

Default traffic for the inspections is as follows:

Inspection Type   Protocol Type   Source Port   Destination Port
ctiqbe            tcp             N/A           1748
dns               udp             53            53
ftp               tcp             N/A           21
gtp               udp             2123,3386     2123,3386
h323 h225         tcp             N/A           1720
h323 ras          udp             N/A           1718-1719
http              tcp             N/A           80
icmp              icmp            N/A           N/A
ils               tcp             N/A           389
mgcp              udp             2427,2727     2427,2727
netbios           udp             137-138       N/A
rpc               udp             111           111
rsh               tcp             N/A           514
rtsp              tcp             N/A           554
sip               tcp,udp         N/A           5060
skinny            tcp             N/A           2000
smtp              tcp             N/A           25
sqlnet            tcp             N/A           1521
tftp              udp             N/A           69
xdmcp             udp             177           177

Examples

The following example shows how to define a traffic class using a class map and the match default-inspection-traffic command:

hostname(config)# class-map cmap
hostname(config-cmap)# match default-inspection-traffic
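The two rules that matter for class membership here are easy to get wrong: for match access-list, a permit entry is a match while a deny entry or no matching entry is a no-match; for match default-inspection-traffic, the protocol and ports come from the default inspection table and any protocol or port information in the second match is ignored. The following Python model is an added example, not Cisco code. The Packet tuple, the small ACE parser (a CIDR-based subset of the access-list syntax) and in_class() are assumptions made for illustration; the table contents are transcribed from the reference, and reading a table row as "protocol matches, and the source port or the destination port is listed, N/A meaning unconstrained" is an assumption.

```python
"""How match access-list and match default-inspection-traffic decide class
membership for a packet.

Added example, not Cisco code. Packet, parse_ace() and in_class() are
assumptions made for illustration. From the reference: an ACE permit is a
match, an ACE deny or no matching ACE is a no-match; with match
default-inspection-traffic the protocol and ports come from the default
inspection table and the second match's protocol/port information is ignored.
Reading a table row as "protocol matches and source OR destination port is
listed (N/A = unconstrained)" is an assumption.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "proto src dst sport dport")

# Transcribed from the default-inspection-traffic table:
# protocols, source ports, destination ports (None = N/A).
DEFAULT_INSPECTION = {
    "ctiqbe":    ({"tcp"}, None, {1748}),
    "dns":       ({"udp"}, {53}, {53}),
    "ftp":       ({"tcp"}, None, {21}),
    "gtp":       ({"udp"}, {2123, 3386}, {2123, 3386}),
    "h323 h225": ({"tcp"}, None, {1720}),
    "h323 ras":  ({"udp"}, None, {1718, 1719}),
    "http":      ({"tcp"}, None, {80}),
    "icmp":      ({"icmp"}, None, None),
    "ils":       ({"tcp"}, None, {389}),
    "mgcp":      ({"udp"}, {2427, 2727}, {2427, 2727}),
    "netbios":   ({"udp"}, {137, 138}, None),
    "rpc":       ({"udp"}, {111}, {111}),
    "rsh":       ({"tcp"}, None, {514}),
    "rtsp":      ({"tcp"}, None, {554}),
    "sip":       ({"tcp", "udp"}, None, {5060}),
    "skinny":    ({"tcp"}, None, {2000}),
    "smtp":      ({"tcp"}, None, {25}),
    "sqlnet":    ({"tcp"}, None, {1521}),
    "tftp":      ({"udp"}, None, {69}),
    "xdmcp":     ({"udp"}, {177}, {177}),
}


def parse_ace(text: str) -> tuple:
    """Parse 'permit|deny <proto> <src|any> <dst|any> [eq <port>]'; networks in CIDR."""
    parts = text.split()
    action, proto, src, dst = parts[:4]
    port = int(parts[5]) if len(parts) >= 6 and parts[4] == "eq" else None
    as_net = lambda s: None if s == "any" else ip_network(s, strict=False)
    return action, proto, as_net(src), as_net(dst), port


def acl_lookup(acl: list, pkt: Packet, addresses_only: bool = False) -> bool:
    """First ACE that matches decides: permit -> True, deny -> False; none -> False."""
    for action, proto, src, dst, port in acl:
        if not addresses_only:
            if proto != "ip" and proto != pkt.proto:
                continue
            if port is not None and pkt.dport != port:
                continue
        if src is not None and ip_address(pkt.src) not in src:
            continue
        if dst is not None and ip_address(pkt.dst) not in dst:
            continue
        return action == "permit"
    return False


def default_inspections(pkt: Packet) -> list:
    """Names of the inspections whose default traffic this packet falls into."""
    hits = []
    for name, (protos, sports, dports) in DEFAULT_INSPECTION.items():
        if pkt.proto not in protos:
            continue
        if sports is None and dports is None:
            hits.append(name)
        elif (sports and pkt.sport in sports) or (dports and pkt.dport in dports):
            hits.append(name)
    return hits


def in_class(pkt: Packet, acl: list = None, default_inspection: bool = False) -> bool:
    """Class membership for match access-list and/or match default-inspection-traffic
    (no criteria at all behaves like match any)."""
    if default_inspection:
        if not default_inspections(pkt):
            return False
        # The second match supplies only addresses; its protocol/ports are ignored.
        return acl is None or acl_lookup(acl, pkt, addresses_only=True)
    if acl is None:
        return True
    return acl_lookup(acl, pkt)


if __name__ == "__main__":
    ftp_acl = [parse_ace("permit tcp any any eq 21")]   # the ftp_acl from the example above
    pkt = Packet("tcp", "10.0.0.5", "192.0.2.10", 40000, 21)
    print(in_class(pkt, ftp_acl), default_inspections(pkt))
```

Two points the model makes concrete: a deny entry placed before a permit excludes the traffic from the class rather than blocking it (the class simply does not apply), and a class built from match default-inspection-traffic plus an access list with an odd port still matches FTP on port 21, because only the access list's addresses are consulted.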

Related Commands

Command
Description

class-map

Defines a traffic class for Modular Policy Framework (the service-policy command applies the resulting policy to an interface).

clear configure class-map

Removes all of the traffic map definitions.

match access-list

Identifies access list traffic within a class map.

match any

Includes all traffic in the class map.

show running-config class-map

Displays the information about the class map configuration.


match dscp

To identify the IETF-defined DSCP value (in an IP header) in a class map, use the match dscp command in class-map configuration mode. To remove this specification, use the no form of this command.

match dscp {values}

no match dscp {values}

Syntax Description

values

Specifies up to eight different IETF-defined DSCP values in the IP header, each given as a number from 0 to 63 or as a DSCP keyword such as ef, cs1, or af43.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class-map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.

After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.

Using the match dscp command, you can match the IETF-defined DSCP values in the IP header.

Examples

The following example shows how to define a traffic class using a class map and the match dscp command:

hostname(config)# class-map cmap
hostname(config-cmap)# match dscp af43 cs1 ef

Related Commands

Command
Description

class-map

Defines a traffic class for Modular Policy Framework (the service-policy command applies the resulting policy to an interface).

clear configure class-map

Removes all of the traffic map definitions.

match access-list

Identifies access list traffic within a class map.

match port

Specifies the TCP/UDP ports as the comparison criteria for packets received on that interface.

show running-config class-map

Displays the information about the class map configuration.


match flow ip destination-address

To specify the flow IP destination address in a class map, use the match flow ip destination-address command in class-map configuration mode. To remove this specification, use the no form of this command.

match flow ip destination-address

no match flow ip destination-address

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class-map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.

After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.

To enable flow-based policy actions on a tunnel group, use the match flow ip destination-address and match tunnel-group commands with the class-map, policy-map, and service-policy commands. The criterion that defines a flow is the destination IP address: all traffic going to a unique destination IP address is considered one flow, and the policy action is applied to each flow instead of to the entire class of traffic. When the class uses match flow ip destination-address, the police QoS action is applied per flow; combine it with match tunnel-group to police every tunnel within a tunnel group to a specified rate.

Examples

The following example shows how to enable flow-based policing within a tunnel group and limit each tunnel to a specified rate:

hostname(config)# class-map cmap
hostname(config-cmap)# match tunnel-group
hostname(config-cmap)# match flow ip destination-address
hostname(config-cmap)# exit
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# police 56000
hostname(config-pmap)# exit
hostname(config)# service-policy pmap global

Related Commands

Command
Description

class-map

Defines a traffic class for Modular Policy Framework (the service-policy command applies the resulting policy to an interface).

clear configure class-map

Removes all of the traffic map definitions.

match access-list

Identifies access list traffic within a class map.

show running-config class-map

Displays the information about the class map configuration.

tunnel-group

Creates and manages the database of connection-specific records for VPN.


match interface

To distribute any routes that have their next hop out one of the interfaces specified, use the match interface command in route-map configuration mode. To remove the match interface entry, use the no form of this command.

match interface interface-name...

no match interface interface-name...

Syntax Description

interface-name

Name of the interface (not the physical interface). Multiple interface names can be specified.


Defaults

No match interfaces are defined.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Route-map configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the interface-name argument.

The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.

The match route-map configuration command has multiple formats. You can give the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions that are given with the set commands. The no forms of the match commands remove the specified match criteria. If more than one interface is specified in the match command, then no match interface interface-name can be used to remove a single interface.

A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. If you want to modify only some data, you must configure a second route map section and specify an explicit match.

Examples

The following example matches routes whose next hop is out the outside interface:

hostname(config)# route-map name 
hostname(config-route-map)# match interface outside

Related Commands

Command
Description

match ip next-hop

Distributes any routes that have a next-hop router address that is passed by one of the access lists specified.

match ip route-source

Redistributes routes that have been advertised by routers and access servers at the address that is specified by the access lists.

match metric

Redistributes routes with the metric specified.

route-map

Defines the conditions for redistributing routes from one routing protocol into another.

set metric

Specifies the metric value in the destination routing protocol for a route map.


match ip address

To redistribute routes whose destination address is permitted by one of the specified access lists, use the match ip address command in route-map configuration mode. To remove the match ip address entry, use the no form of this command.

match ip address {acl...}

no match ip address {acl...}

Syntax Description

acl

Name of an access list. Multiple access lists can be specified.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Route-map configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.

Examples

The following example matches routes whose addresses are permitted by access list acl_dmz1 or acl_dmz2:

hostname(config)# route-map name 
hostname(config-route-map)# match ip address acl_dmz1 acl_dmz2

Related Commands

Command
Description

match interface

Distributes any routes that have their next hop out one of the interfaces specified.

match ip next-hop

Distributes any routes that have a next-hop router address that is passed by one of the access lists specified.

match metric

Redistributes routes with the metric specified.

route-map

Defines the conditions for redistributing routes from one routing protocol into another.

set metric

Specifies the metric value in the destination routing protocol for a route map.


match ip next-hop

To redistribute any routes that have a next-hop router address that is passed by one of the access lists specified, use the match ip next-hop command in route-map configuration mode. To remove the next-hop entry, use the no form of this command.

match ip next-hop {acl...} | prefix-list prefix_list

no match ip next-hop {acl...} | prefix-list prefix_list

Syntax Description

acl

Name of an ACL. Multiple ACLs can be specified.

prefix-list prefix_list

Name of prefix list.


Defaults

Routes are distributed freely, without being required to match a next-hop address.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Route-map configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the acl argument.

The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.

The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.

When you are passing routes through a route map, a route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match.

Examples

The following example shows how to distribute routes that have a next-hop router address passed by access list acl_dmz1 or acl_dmz2:

hostname(config)# route-map name
hostname(config-route-map)# match ip next-hop acl_dmz1 acl_dmz2

Related Commands

Command
Description

match interface

Distributes any routes that have their next hop out one of the interfaces specified.

match ip route-source

Redistributes routes that have been advertised by routers and access servers at the address that is specified by the access lists.

match metric

Redistributes routes with the metric specified.

route-map

Defines the conditions for redistributing routes from one routing protocol into another.

set metric

Specifies the metric value in the destination routing protocol for a route map.


match ip route-source

To redistribute routes that have been advertised by routers and access servers at the address that is specified by the ACLs, use the match ip route-source command in route-map configuration mode. To remove the route-source entry, use the no form of this command.

match ip route-source {acl...} | prefix-list prefix_list

no match ip route-source {acl...} | prefix-list prefix_list

Syntax Description

acl

Name of an ACL. Multiple ACLs can be specified.

prefix-list prefix_list

Name of prefix list.


Defaults

No filtering on a route source.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Route-map configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the acl argument.

The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.

The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.

A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match. Note that the next-hop address of a route and the address of the router that advertised it are not always the same: match ip next-hop filters on the former, match ip route-source on the latter.

Examples

The following example shows how to distribute routes that have been advertised by routers and access servers at the addresses specified by ACLs acl_dmz1 and acl_dmz2:

hostname(config)# route-map name 
hostname(config-route-map)# match ip route-source acl_dmz1 acl_dmz2

Related Commands

Command
Description

match interface

Distributes any routes that have their next hop out one of the interfaces specified.

match ip next-hop

Distributes any routes that have a next-hop router address that is passed by one of the ACLs specified.

match metric

Redistributes routes with the metric specified.

route-map

Defines the conditions for redistributing routes from one routing protocol into another.

set metric

Specifies the metric value in the destination routing protocol for a route map.


match metric

To redistribute routes with the metric specified, use the match metric command in route-map configuration mode. To remove the entry, use the no form of this command.

match metric number

no match metric number

Syntax Description

number

Route metric; valid values are from 0 to 4294967295.


Defaults

No filtering on a metric value.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Route-map configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.

The match route-map configuration command has multiple formats. The match commands can be given in any order, and all match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.

A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match.

Examples

The following example shows how to redistribute routes with the metric 5:

hostname(config)# route-map name
hostname(config-route-map)# match metric 5

Related Commands

Command
Description

match interface

Distributes any routes that have their next hop out one of the interfaces specified.

match ip next-hop

Distributes any routes that have a next-hop router address that is passed by one of the access lists specified.

route-map

Defines the conditions for redistributing routes from one routing protocol into another.

set metric

Specifies the metric value in the destination routing protocol for a route map.


match port

To identify a specific port number in a class map, use the match port command in class-map configuration mode. To remove this specification, use the no form of this command.

match port {tcp | udp} {eq eq_id | range beg_id end_id}

no match port {tcp | udp} {eq eq_id | range beg_id end_id}

Syntax Description

eq eq_id

Specifies a single port, by number or by name.

range beg_id end_id

Specifies beginning and ending port range values (1-65535).

tcp

Specifies a TCP port.

udp

Specifies a UDP port.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class-map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.

After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.

Use the match port command to match a single TCP or UDP port (eq) or a contiguous range of ports (range).

Examples

The following example shows how to define a traffic class using a class map and the match port command:

hostname(config)# class-map cmap
hostname(config-cmap)# match port tcp eq 8080

Related Commands

Command
Description

class-map

Defines a traffic class, the set of packets that a policy map acts on.

clear configure class-map

Removes all class map definitions.

match access-list

Identifies access list traffic within a class map.

match any

Includes all traffic in the class map.

show running-config class-map

Displays the information about the class map configuration.


match precedence

To specify a precedence value in a class map, use the match precedence command in class-map configuration mode. To remove this specification, use the no form of this command.

match precedence value

no match precedence value

Syntax Description

value

Specifies up to four precedence values separated by a space. Range is 0 to 7.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class-map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.

After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.

Use the match precedence command to match the IP precedence value, which is carried in the three high-order bits of the TOS byte in the IP header.

Examples

The following example shows how to define a traffic class using a class map and the match precedence command:

hostname(config)# class-map cmap
hostname(config-cmap)# match precedence 1

Related Commands

Command
Description

class-map

Defines a traffic class, the set of packets that a policy map acts on.

clear configure class-map

Removes all class map definitions.

match access-list

Identifies access list traffic within a class map.

match any

Includes all traffic in the class map.

show running-config class-map

Displays the information about the class map configuration.


match route-type

To redistribute routes of the specified type, use the match route-type command in route-map configuration mode. To remove the route type entry, use the no form of this command.

match route-type {local | internal | {external [type-1 | type-2]} | {nssa-external [type-1 | type-2]}}

no match route-type {local | internal | {external [type-1 | type-2]} | {nssa-external [type-1 | type-2]}}

Syntax Description

local

Locally generated BGP routes.

internal

OSPF intra-area and interarea routes or EIGRP internal routes.

external

OSPF external routes or EIGRP external routes.

type-1

(Optional) Specifies the route type 1.

type-2

(Optional) Specifies the route type 2.

nssa-external

Specifies OSPF NSSA external routes; type-1 and type-2 narrow the match in the same way as for external.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Route-map configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.

The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.

A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match.

For OSPF, the external type-1 keywords match only type 1 external routes and the external type-2 keywords match only type 2 external routes.
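The rule that every match command in one route-map entry must pass, while the values listed on a single match command are alternatives, is easy to get wrong when combining match interface, match ip address, match ip next-hop, match ip route-source, match metric and match route-type. The following Python model is an added example, not appliance code: the Route fields, the clause names and the acl_dmz1/acl_dmz2 ACL table are constructed for illustration, and ACLs are modelled as permit-only network lists.

```python
"""Model of how the match clauses of a route-map entry combine (added example,
not appliance code).  Values listed on one match command are alternatives:
any one of them satisfies that clause.  Separate match commands must all pass.
A route that passes no entry of the route map is ignored for redistribution.
The Route fields and the ACL table are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: str        # destination, e.g. "192.168.10.0/24"
    next_hop: str      # next-hop router address
    interface: str     # interface name through which the next hop is reached
    source: str        # address of the router that advertised the route
    metric: int
    route_type: str    # "internal", "external type-1", "external type-2", ...


@dataclass
class RouteMapEntry:
    """One route-map section.  clauses maps a match command ("interface",
    "ip address", "ip next-hop", "ip route-source", "metric", "route-type")
    to the list of values given on it.  An empty dict matches every route."""
    clauses: Dict[str, list] = field(default_factory=dict)
    set_metric: Optional[int] = None


# Hypothetical permit-only ACLs: name -> permitted networks (constructed).
ACLS: Dict[str, List[str]] = {
    "acl_dmz1": ["192.168.10.0/24"],
    "acl_dmz2": ["192.168.20.0/24"],
}


def acl_permits(acl_names, address):
    """True if any listed ACL permits the address (ACL names on one match
    command are alternatives)."""
    addr = ip_address(address)
    return any(addr in ip_network(net)
               for name in acl_names for net in ACLS.get(name, []))


def clause_passes(kind, values, route):
    if kind == "interface":
        return route.interface in values
    if kind == "ip address":
        return acl_permits(values, route.prefix.split("/")[0])
    if kind == "ip next-hop":
        return acl_permits(values, route.next_hop)
    if kind == "ip route-source":
        return acl_permits(values, route.source)
    if kind == "metric":
        return route.metric in values
    if kind == "route-type":
        # "external" alone covers both "external type-1" and "external type-2"
        return any(route.route_type == v or route.route_type.startswith(v + " ")
                   for v in values)
    raise ValueError(f"unknown match clause: {kind}")


def entry_matches(entry, route):
    """Every match clause of the entry must pass (AND across clauses)."""
    return all(clause_passes(k, v, route) for k, v in entry.clauses.items())


def apply_route_map(entries, route):
    """Return the metric the route is redistributed with (after any set metric)
    if some entry matches, or None if the route is ignored."""
    for entry in entries:
        if entry_matches(entry, route):
            return entry.set_metric if entry.set_metric is not None else route.metric
    return None
```

A route with metric 5 and next hop out outside passes an entry that carries both match interface outside and match metric 5; a route out inside fails that entry even though its metric matches, and is only redistributed if a later entry accepts it.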

Examples

The following example shows how to redistribute internal routes:

hostname(config)# route-map name 
hostname(config-route-map)# match route-type internal 

Related Commands

Command
Description

match interface

Distributes any routes that have their next hop out one of the interfaces specified.

match ip next-hop

Distributes any routes that have a next-hop router address that is passed by one of the access lists specified.

match metric

Redistributes routes with the metric specified.

route-map

Defines the conditions for redistributing routes from one routing protocol into another.

set metric

Specifies the metric value in the destination routing protocol for a route map.


match rtp

To specify a UDP port range of even-number ports in a class map, use the match rtp command in class-map configuration mode. To remove this specification, use the no form of this command.

match rtp starting_port range

no match rtp starting_port range

Syntax Description

starting_port

Specifies the lower bound of the even-numbered UDP destination port range. Range is 2000-65535.

range

Specifies range of RTP ports. Range is 0-16383.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class-map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.

After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.

Use the match rtp command to match RTP ports (even UDP port numbers between the starting_port and the starting_port plus the range).
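The three port- and header-based class-map criteria on this page, match port, match precedence and match rtp, each select packets by a different field. The following Python model is an added example, not appliance code: the Packet tuple is constructed, and treating starting_port plus range as an inclusive upper bound is this model's reading of the description above.

```python
"""Model of three class-map match criteria (added example, not appliance code):
match port {tcp|udp} {eq port | range begin end}, match precedence (one to four
values 0-7, the three high-order bits of the IP TOS byte) and match rtp
starting_port range (even UDP destination ports from starting_port through
starting_port + range, inclusive in this model).  Packets are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dst_port: int
    tos: int        # IP TOS byte, 0-255


def match_port(pkt, proto, eq=None, rng=None):
    """match port {tcp|udp} {eq port | range begin end}"""
    if pkt.proto != proto:
        return False
    if eq is not None:
        return pkt.dst_port == eq
    if rng is None:
        raise ValueError("give either eq or range")
    begin, end = rng
    if not 1 <= begin <= end <= 65535:
        raise ValueError("port range must be ascending and within 1-65535")
    return begin <= pkt.dst_port <= end


def precedence_of(tos):
    """IP precedence is the top three bits of the TOS byte (RFC 791)."""
    return (tos >> 5) & 0x7


def match_precedence(pkt, *values):
    """match precedence value [value value value]: one to four values, each 0-7."""
    if not 1 <= len(values) <= 4 or any(not 0 <= v <= 7 for v in values):
        raise ValueError("give one to four precedence values in 0-7")
    return precedence_of(pkt.tos) in values


def match_rtp(pkt, starting_port, rng):
    """match rtp starting_port range: even UDP ports in [starting_port, starting_port+range].
    Odd ports in that span carry RTCP, which this criterion deliberately leaves out."""
    if not 2000 <= starting_port <= 65535 or not 0 <= rng <= 16383:
        raise ValueError("starting_port 2000-65535, range 0-16383")
    if pkt.proto != "udp" or pkt.dst_port % 2:
        return False
    return starting_port <= pkt.dst_port <= starting_port + rng
```

With match rtp 20000 100, UDP port 20050 is in the class while 20051 (the RTCP companion) and 20102 are not; a TOS byte of 0xB8 (DSCP EF) carries precedence 5 and so matches match precedence 5 but not match precedence 1.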

Examples

The following example shows how to define a traffic class using a class map and the match rtp command:

hostname(config)# class-map cmap
hostname(config-cmap)# match rtp 20000 100

Related Commands

Command
Description

class-map

Defines a traffic class, the set of packets that a policy map acts on.

clear configure class-map

Removes all class map definitions.

match access-list

Identifies access list traffic within a class map.

match any

Includes all traffic in the class map.

show running-config class-map

Displays the information about the class map configuration.


match tunnel-group

To match traffic in a class map that belongs to a previously defined tunnel-group, use the match tunnel-group command in class-map configuration mode. To remove this specification, use the no form of this command.

match tunnel-group name

no match tunnel-group name

Syntax Description

name

Text for the tunnel group name.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class-map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.

After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.

To enable flow-based policy actions, use the match flow ip destination-address and match tunnel-group commands with the class-map, policy-map, and service-policy commands. The criterion that defines a flow is the destination IP address: all traffic going to a unique destination IP address is considered one flow. The policy action is applied to each flow instead of to the entire class of traffic. The QoS action is applied with the police command. Use match tunnel-group together with match flow ip destination-address to police every tunnel within a tunnel group to a specified rate.
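The practical difference between policing a class and policing each destination-address flow, as described here and under match flow ip destination-address, is who absorbs the drops when one tunnel floods. The following Python token-bucket model is an added example, not appliance code: the burst size, packet sizes and timing of the sample traffic are constructed, and only the rate argument mirrors the police command.

```python
"""Model of flow-based policing (added example, not appliance code).  Without
match flow ip destination-address one policer governs the whole class; with it
each unique destination address, i.e. each tunnel, gets its own policer, so
one busy tunnel cannot starve the others.  The rate is in bits per second
like the police argument; the burst size, the packet sizes and the timing of
the sample traffic are constructed."""
from collections import defaultdict


class TokenBucket:
    """Single-rate policer: tokens are bits, refilled at rate_bps, capped at burst."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.capacity = burst_bytes * 8
        self.tokens = self.capacity
        self.last_ms = 0

    def conform(self, now_ms, size_bytes):
        """True (transmit) if the packet fits in the bucket, else False (drop)."""
        refill = (now_ms - self.last_ms) * self.rate_bps // 1000   # integer bits
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        needed = size_bytes * 8
        if needed <= self.tokens:
            self.tokens -= needed
            return True
        return False


def police(packets, rate_bps, burst_bytes, per_flow):
    """packets: time-ordered (time_ms, dst_ip, size_bytes) tuples.
    per_flow=False models a class without match flow (one bucket for all);
    per_flow=True keys the bucket on the destination address, as
    match flow ip destination-address does.  Returns {dst_ip: (sent, dropped)}."""
    buckets = defaultdict(lambda: TokenBucket(rate_bps, burst_bytes))
    stats = defaultdict(lambda: [0, 0])
    for t_ms, dst, size in packets:
        key = dst if per_flow else "whole-class"
        stats[dst][0 if buckets[key].conform(t_ms, size) else 1] += 1
    return {dst: tuple(v) for dst, v in stats.items()}


# Constructed traffic: tunnel 10.1.1.1 floods 100 packets in the first second,
# tunnel 10.2.2.2 sends one packet per second afterwards.
SAMPLE = sorted([(i * 10, "10.1.1.1", 1000) for i in range(100)]
                + [(i * 1000, "10.2.2.2", 1000) for i in range(1, 4)])


def compare(rate_bps=56000, burst_bytes=1500):
    """Per-destination results under class policing and under flow policing."""
    return (police(SAMPLE, rate_bps, burst_bytes, per_flow=False),
            police(SAMPLE, rate_bps, burst_bytes, per_flow=True))
```

At 56000 bps with a 1500-byte burst the flooding tunnel gets 8 of its 100 packets through either way; the quiet tunnel loses its first packet to the drained class bucket under class policing but, with its own per-flow policer, delivers all three.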

Examples

The following example shows how to enable flow-based policing within a tunnel group and limit each tunnel to a specified rate:

hostname(config)# class-map cmap
hostname(config-cmap)# match tunnel-group name
hostname(config-cmap)# match flow ip destination-address
hostname(config-cmap)# exit
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap-c)# police 56000
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy pmap global

Related Commands

Command
Description

class-map

Defines a traffic class, the set of packets that a policy map acts on.

clear configure class-map

Removes all class map definitions.

match access-list

Identifies access list traffic within a class map.

show running-config class-map

Displays the information about the class map configuration.

tunnel-group

Creates and manages the database of connection-specific records for IPSec and L2TP.


max-failed-attempts

To specify the number of failed attempts allowed for any given server in the server group before that server is deactivated, use the max-failed-attempts command in aaa-server group configuration mode. To remove this specification and revert to the default value, use the no form of this command:

max-failed-attempts number

no max-failed-attempts

Syntax Description

number

An integer in the range 1-5, specifying the number of failed connection attempts allowed for any given server in the server group specified in a prior aaa-server command.


Defaults

The default value of number is 3.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

AAA-server group


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You must have configured the AAA server/group before issuing this command.

Examples

hostname(config)# aaa-server svrgrp1 protocol tacacs+
hostname(config-aaa-server-group)# max-failed-attempts 4

Related Commands

Command
Description

aaa-server server-tag protocol protocol

Enters AAA server group configuration mode so you can configure AAA server parameters that are group-specific and common to all hosts in the group.

clear configure aaa-server

Removes all AAA server configuration.

show running-config aaa

Displays the AAA server configuration for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


max-header-length

To restrict HTTP traffic based on the HTTP header length, use the max-header-length command in HTTP map configuration mode, which is accessible using the http-map command. To remove this command, use the no form of this command.

max-header-length {request bytes [response bytes] | response bytes} action {allow | reset | drop} [log]

no max-header-length {request bytes [response bytes] | response bytes} action {allow | reset | drop} [log]

Syntax Description

action

The action taken when a message fails this command inspection.

allow

Allow the message.

drop

Closes the connection.

bytes

Number of bytes, range is 1 to 65535.

log

(Optional) Generate a syslog.

request

Request message.

reset

Send a TCP reset message to client and server.

response

(Optional) Response message.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

HTTP map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

After you enable the max-header-length command, the security appliance allows only messages whose HTTP header is within the configured limit and otherwise takes the specified action: allow passes the message, reset sends a TCP reset to client and server, and drop closes the connection. Add the log keyword to also create a syslog entry. Specify request to limit request headers, response to limit response headers, or both.

Examples

The following example restricts HTTP requests to those with HTTP headers that do not exceed 100 bytes. If a header is too large, the security appliance resets the TCP connection and creates a syslog entry.

hostname(config)# http-map inbound_http
hostname(config-http-map)# max-header-length request 100 action reset log
hostname(config-http-map)# exit

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug appfw

Displays detailed information about traffic associated with enhanced HTTP inspection.

http-map

Defines an HTTP map for configuring enhanced HTTP inspection.

inspect http

Applies a specific HTTP map to use for application inspection.

policy-map

Associates a class map with specific security actions.


max-uri-length

To restrict HTTP traffic based on the length of the URI in the HTTP request message, use the max-uri-length command in HTTP map configuration mode, which is accessible using the http-map command. To remove this command, use the no form of this command.

max-uri-length bytes action {allow | reset | drop} [log]

no max-uri-length bytes action {allow | reset | drop} [log]

Syntax Description

action

The action taken when a message fails this command inspection.

allow

Allow the message.

drop

Closes the connection.

bytes

Number of bytes, range is 1 to 65535.

log

(Optional) Generate a syslog.

reset

Send a TCP reset message to client and server.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

HTTP map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

After you enable the max-uri-length command, the security appliance allows only request messages whose URI is within the configured limit and otherwise takes the specified action: allow passes the message, reset sends a TCP reset to client and server, and drop closes the connection. Add the log keyword to also create a syslog entry.

URIs with a length less than or equal to the configured value are allowed; longer URIs trigger the specified action.
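The max-uri-length and max-header-length checks share one shape: measure a field of the request, allow it at or under the configured byte limit, and otherwise return the configured action together with the log flag. The following Python model is an added example, not appliance code: the LengthLimit class, the split_request helper and the sample requests are constructed, and measuring the header block as everything after the request line up to the blank line is this model's assumption, not a statement of where the appliance counts from.

```python
"""Model of the max-uri-length and max-header-length checks (added example, not
appliance code).  A request whose URI or header block is at or under the
configured byte limit is allowed; otherwise the configured action (allow,
reset or drop) is returned together with whether to log.  How the header
length is measured here is an assumption of the model; sample requests are
constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LengthLimit:
    max_bytes: int        # 1-65535, as on the command line
    action: str           # "allow", "reset" or "drop"
    log: bool = False     # the optional log keyword

    def __post_init__(self):
        if not 1 <= self.max_bytes <= 65535 or self.action not in ("allow", "reset", "drop"):
            raise ValueError("bytes 1-65535, action allow|reset|drop")


def split_request(raw: bytes):
    """Return (uri, header_block) from an HTTP/1.x request's request line and headers."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[1], headers


def inspect_request(raw: bytes, max_uri: Optional[LengthLimit] = None,
                    max_request_header: Optional[LengthLimit] = None):
    """Return (action, log).  ("allow", False) when every configured limit is met;
    the first limit exceeded decides the outcome."""
    uri, headers = split_request(raw)
    for limit, length in ((max_uri, len(uri)), (max_request_header, len(headers))):
        if limit is not None and length > limit.max_bytes:
            return limit.action, limit.log
    return "allow", False
```

With max-uri-length 100 action reset log, a request whose URI is exactly 100 bytes passes, while a 201-byte URI yields ("reset", True); a 180-byte header block against max-header-length request 100 action drop yields ("drop", False).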

Examples

The following example restricts HTTP requests to those with URIs that do not exceed 100 bytes. If a URI is too large, the security appliance resets the TCP connection and creates a syslog entry.

hostname(config)# http-map inbound_http
hostname(config-http-map)# max-uri-length 100 action reset log
hostname(config-http-map)# exit

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug appfw

Displays detailed information about traffic associated with enhanced HTTP inspection.

http-map

Defines an HTTP map for configuring enhanced HTTP inspection.

inspect http

Applies a specific HTTP map to use for application inspection.

policy-map

Associates a class map with specific security actions.


mcc

To identify the mobile country code and the mobile network code for IMSI prefix filtering, use the mcc command in GTP map configuration mode. To remove the configuration, use the no form of this command.

mcc country_code mnc network_code

no mcc country_code mnc network_code

Syntax Description

country_code

A non-zero, three-digit value identifying the mobile country code. One- or two-digit entries are left-padded with 0 to form a three-digit value.

network_code

A two or three-digit value identifying the network code.


Defaults

By default, the security appliance does not check for valid MCC/MNC combinations.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System

GTP map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

This command is used for IMSI prefix filtering. The MCC and MNC in the IMSI of a received packet are compared with the MCC/MNC combinations configured with this command, and the packet is dropped if they do not match.

This command must be used to enable IMSI prefix filtering. You can configure multiple instances to specify the permitted MCC and MNC combinations. By default, the security appliance does not check the validity of MCC and MNC combinations, so you must verify that the combinations you configure are valid. For more information about MCC and MNC codes, see the ITU E.212 recommendation, Identification Plan for Land Mobile Stations.

Examples

The following example identifies traffic for IMSI Prefix filtering with an MCC of 111 and an MNC of 222:

hostname(config)# gtp-map qtp-policy
hostname(config-gtpmap)# mcc 111 mnc 222
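
The following is an added example in C, not Cisco code, that models the mcc/mnc configuration rules (zero padding of short country codes, rejection of a zero MCC or a badly sized MNC) and the IMSI prefix check described in the usage guidelines; all names and the sample IMSIs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MCC_ENTRIES 16

struct mcc_entry {
    char mcc[4];   /* always three digits after zero padding */
    char mnc[4];   /* two or three digits, exactly as configured */
};

struct gtp_map {
    struct mcc_entry entries[MAX_MCC_ENTRIES];
    int count;
};

static int all_digits(const char *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Models "mcc country_code mnc network_code": a one- or two-digit country code
 * is left-padded with 0 to three digits; a zero MCC, a non-numeric value or an
 * MNC that is not two or three digits is rejected. Returns 1 when stored. */
int gtp_map_add_mcc(struct gtp_map *m, const char *country_code, const char *network_code) {
    size_t clen = strlen(country_code), nlen = strlen(network_code);
    if (m->count >= MAX_MCC_ENTRIES) return 0;
    if (clen < 1 || clen > 3 || !all_digits(country_code, clen)) return 0;
    if (nlen < 2 || nlen > 3 || !all_digits(network_code, nlen)) return 0;
    long cc = strtol(country_code, NULL, 10);
    if (cc == 0) return 0;
    struct mcc_entry *e = &m->entries[m->count++];
    snprintf(e->mcc, sizeof e->mcc, "%03ld", cc);
    memcpy(e->mnc, network_code, nlen + 1);
    return 1;
}

/* IMSI prefix filter: an IMSI is MCC (3 digits) + MNC (2 or 3 digits) + MSIN.
 * Returns 1 if its MCC/MNC matches a configured entry, 0 if the packet should
 * be dropped. With nothing configured the check is off and everything passes,
 * which is the command's default behaviour. */
int imsi_prefix_permitted(const struct gtp_map *m, const char *imsi) {
    size_t ilen = strlen(imsi);
    if (m->count == 0) return 1;
    if (ilen < 5 || ilen > 15 || !all_digits(imsi, ilen)) return 0;
    for (int i = 0; i < m->count; i++) {
        const struct mcc_entry *e = &m->entries[i];
        size_t nlen = strlen(e->mnc);
        if (ilen >= 3 + nlen && strncmp(imsi, e->mcc, 3) == 0 &&
            strncmp(imsi + 3, e->mnc, nlen) == 0)
            return 1;
    }
    return 0;
}

/* Constructed map: the page's "mcc 111 mnc 222" plus "mcc 1 mnc 22", which is
 * stored as 001/22. Returns the filter decision for one constructed IMSI. */
int demo_imsi_check(const char *imsi) {
    struct gtp_map m = {0};
    gtp_map_add_mcc(&m, "111", "222");
    gtp_map_add_mcc(&m, "1", "22");
    return imsi_prefix_permitted(&m, imsi);
}

/* Returns whether a country_code/network_code pair would be accepted. */
int demo_config_accepted(const char *country_code, const char *network_code) {
    struct gtp_map m = {0};
    return gtp_map_add_mcc(&m, country_code, network_code);
}

int main(void) {
    const char *imsis[] = {"111222123456789", "111223123456789",
                           "001221234567890", "310260123456789"};
    for (size_t i = 0; i < sizeof imsis / sizeof *imsis; i++)
        printf("%s -> %s\n", imsis[i],
               demo_imsi_check(imsis[i]) ? "permitted" : "dropped");
    return 0;
}
```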

Related Commands

Commands
Description

clear service-policy inspect gtp

Clears global GTP statistics.

debug gtp

Displays detailed information about GTP inspection.

gtp-map

Defines a GTP map and enables GTP map configuration mode.

inspect gtp

Applies a specific GTP map to use for application inspection.

show service-policy inspect gtp

Displays the GTP configuration.


media-type

To set the media type to copper or fiber Gigabit Ethernet, use the media-type command in interface configuration mode. The fiber SFP connector is available on the 4GE SSM for the ASA 5500 series adaptive security appliance. To restore the media type setting to the default, use the no form of this command.

media-type {rj45 | sfp}

no media-type [rj45 | sfp]

Syntax Description

rj45

(Default) Sets the media type to the copper RJ-45 connector.

sfp

Sets the media type to the fiber SFP connector.


Defaults

The default is rj45.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System

Interface configuration


Command History

Release
Modification

7.0(4)

This command was introduced.


Usage Guidelines

The sfp setting uses a fixed speed (1000 Mbps), so the speed command allows you to set whether the interface negotiates link parameters or not. The duplex command is not supported for sfp.

Examples

The following example sets the media type to SFP:

hostname(config)# interface gigabitethernet1/1
hostname(config-if)# media-type sfp
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown

Related Commands

Command
Description

interface

Configures an interface and enters interface configuration mode.

show interface

Displays the runtime status and statistics of interfaces.

show running-config interface

Shows the interface configuration.

speed

Sets the interface speed.


memory caller-address

To configure a specific range of program memory for the call tracing, or caller PC, to help isolate memory problems, use the memory caller-address command in privileged EXEC mode. The caller PC is the address of the program that called a memory allocation primitive. To remove an address range, use the no form of this command.

memory caller-address startPC endPC

no memory caller-address

Syntax Description

endPC

Specifies the end address range of the memory block.

startPC

Specifies the start address range of the memory block.


Defaults

The actual caller PC is recorded for memory tracing.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Use the memory caller-address command to isolate memory problems to a specific block of memory.

In certain cases the actual caller PC of the memory allocation primitive is a known library function that is used at many places in the program. To isolate individual places in the program, configure the start and end program address of the library function, thereby recording the program address of the caller of the library function.


Note The security appliance might experience a temporary reduction in performance when caller-address tracing is enabled.


Examples

The following examples show the address ranges configured with the memory caller-address commands, and the resulting display of the show memory-caller address command:

hostname# memory caller-address 0x00109d5c 0x00109e08 
hostname# memory caller-address 0x009b0ef0 0x009b0f14 
hostname# memory caller-address 0x00cf211c 0x00cf4464 

hostname# show memory-caller address
Move down stack frame for the addresses:
pc = 0x00109d5c-0x00109e08 
pc = 0x009b0ef0-0x009b0f14 
pc = 0x00cf211c-0x00cf4464 

Related Commands

Command
Description

memory profile enable

Enables the monitoring of memory usage (memory profiling).

memory profile text

Configures a text range of memory to profile.

show memory

Displays a summary of the maximum physical memory and current free memory available to the operating system.

show memory binsize

Displays summary information about the chunks allocated for a specific bin size.

show memory profile

Displays information about the memory usage (profiling) of the security appliance.

show memory-caller address

Displays the address ranges configured on the security appliance.


memory delayed-free-poisoner enable

To enable the delayed free-memory poisoner tool, use the memory delayed-free-poisoner enable command in privileged EXEC mode. To disable the delayed free-memory poisoner tool, use the no form of this command. The delayed free-memory poisoner tool lets you monitor freed memory for changes after it has been released by an application.

memory delayed-free-poisoner enable

no memory delayed-free-poisoner enable

Syntax Description

This command has no arguments or keywords.

Defaults

The memory delayed-free-poisoner enable command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Enabling the delayed free-memory poisoner tool has a significant impact on memory usage and system performance. The command should only be used under the supervision of the Cisco TAC. It should not be run in a production environment during heavy system usage.

When you enable this tool, requests to free memory by the applications running on the security appliance are written to a FIFO queue. As each request is written to the queue, each associated byte of memory that is not required by lower-level memory management is "poisoned" by being written with the value 0xcc.

The freed memory requests remain in the queue until more memory is required by an application than is in the free memory pool. When memory is needed, the first freed memory request is pulled from the queue and the poisoned memory is validated.

If the memory is unmodified, it is returned to the lower-level memory pool and the tool reissues the memory request from the application that made the initial request. The process continues until enough memory for the requesting application is freed.

If the poisoned memory has been modified, then the system forces a crash and produces diagnostic output to determine the cause of the crash.

The delayed free-memory poisoner tool periodically performs validation on all of the elements of the queue automatically. Validation can also be started manually using the memory delayed-free-poisoner validate command.

The no form of the command causes all of the memory referenced by the requests in the queue to be returned to the free memory pool without validation and any statistical counters to be cleared.

Examples

The following example enables the delayed free-memory poisoner tool:

hostname# memory delayed-free-poisoner enable

The following is sample output when the delayed free-memory poisoner tool detects illegal memory reuse:

delayed-free-poisoner validate failed because a
        data signature is invalid at delayfree.c:328.

    heap region:    0x025b1cac-0x025b1d63 (184 bytes)
    memory address: 0x025b1cb4
    byte offset:    8
    allocated by:   0x0060b812
    freed by:       0x0060ae15

Dumping 80 bytes of memory from 0x025b1c88 to 0x025b1cd7
025b1c80:                         ef cd 1c a1 e1 00 00 00  |          ........
025b1c90: 23 01 1c a1 b8 00 00 00 15 ae 60 00 68 ba 5e 02  |  #.........`.h.^.
025b1ca0: 88 1f 5b 02 12 b8 60 00 00 00 00 00 6c 26 5b 02  |  ..[...`.....l&[.
025b1cb0: 8e a5 ea 10 ff ff ff ff cc cc cc cc cc cc cc cc  |  ................
025b1cc0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  |  ................
025b1cd0: cc cc cc cc cc cc cc cc                          |  ........

An internal error occurred.  Specifically, a programming assertion was
violated.  Copy the error message exactly as it appears, and get the
output of the show version command and the contents of the configuration
file.  Then call your technical support representative.

assertion "0" failed: file "delayfree.c", line 191

Table 6-1 describes the significant portion of the output.

Table 6-1 Illegal Memory Usage Output Description

Field
Description

heap region

The address region and size of the region of memory available for use by the requesting application. This is not the same as the requested size, which may be smaller given the manner in which the system may parcel out memory at the time the memory request was made.

memory address

The location in memory where the fault was detected.

byte offset

The byte offset is relative to the beginning of the heap region and can be used to find the field that was modified if the result was used to hold a data structure starting at this address. A value of 0 or that is larger than the heap region byte count may indicate that the problem is an unexpected value in the lower level heap package.

allocated by/freed by

Instruction addresses where the last malloc/calloc/realloc and free calls were made involving this particular region of memory.

Dumping...

A dump of one or two regions of memory, depending upon how close the detected fault was to the beginning of the region of heap memory. The next eight bytes after any system heap header is the memory used by this tool to hold a hash of various system header values plus the queue linkage. All other bytes in the region until any system heap trailer is encountered should be set to 0xcc.
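
The following is an added example in C, not Cisco code, that models the mechanism described in the usage guidelines and the heap region and byte offset fields of Table 6-1 in user space: freed blocks are overwritten with 0xcc and parked in a FIFO queue, validation reports the first block whose poison was altered, the reclaim path validates the oldest block before releasing it, and the no form drains the queue without validation. All names are hypothetical, and a detected fault is returned rather than forcing a crash.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DFP_POISON 0xcc

/* One parked block: a small header followed by the bytes the application used. */
struct dfp_block {
    size_t size;              /* usable bytes in data[] */
    struct dfp_block *next;   /* FIFO queue linkage (oldest at the head) */
    unsigned char data[];
};

/* What validation reports; mirrors the "heap region" and "byte offset" fields
 * of the tool's output (allocator/freer addresses are not tracked here). */
struct dfp_fault {
    int detected;
    unsigned char *region;    /* start of the poisoned region */
    size_t region_size;
    size_t byte_offset;       /* first byte that no longer reads 0xcc */
};

static struct dfp_block *dfp_head, *dfp_tail;
static size_t dfp_queued;

static struct dfp_block *dfp_hdr(void *p) {
    return (struct dfp_block *)((unsigned char *)p - offsetof(struct dfp_block, data));
}

void *dfp_malloc(size_t n) {
    struct dfp_block *b = malloc(sizeof *b + n);
    if (!b) return NULL;
    b->size = n;
    b->next = NULL;
    return b->data;
}

/* Free request: instead of returning the block to the allocator, poison the
 * application bytes with 0xcc and append the block to the queue. */
void dfp_free(void *p) {
    if (!p) return;
    struct dfp_block *b = dfp_hdr(p);
    memset(b->data, DFP_POISON, b->size);
    if (dfp_tail) dfp_tail->next = b; else dfp_head = b;
    dfp_tail = b;
    dfp_queued++;
}

/* Check one queued block; returns 1 and fills *f if any poison byte changed. */
static int dfp_check(struct dfp_block *b, struct dfp_fault *f) {
    for (size_t i = 0; i < b->size; i++) {
        if (b->data[i] != DFP_POISON) {
            f->detected = 1;
            f->region = b->data;
            f->region_size = b->size;
            f->byte_offset = i;
            return 1;
        }
    }
    return 0;
}

/* Validate every queued element (what "memory delayed-free-poisoner validate"
 * does). The appliance forces a crash on a fault; here the fault is returned
 * so the caller can log it. Blocks stay in the queue either way. */
struct dfp_fault dfp_validate(void) {
    struct dfp_fault f = {0};
    for (struct dfp_block *b = dfp_head; b; b = b->next)
        if (dfp_check(b, &f)) break;
    return f;
}

/* Reclaim path taken when the free pool runs low: pop the oldest block,
 * validate it, then hand it back to the system allocator. */
struct dfp_fault dfp_reclaim_oldest(void) {
    struct dfp_fault f = {0};
    struct dfp_block *b = dfp_head;
    if (!b) return f;
    dfp_head = b->next;
    if (!dfp_head) dfp_tail = NULL;
    dfp_queued--;
    dfp_check(b, &f);
    free(b);
    return f;
}

/* The "no" form: release everything without validation and clear the counter. */
void dfp_disable(void) {
    while (dfp_head) { struct dfp_block *b = dfp_head; dfp_head = b->next; free(b); }
    dfp_tail = NULL;
    dfp_queued = 0;
}

size_t dfp_queue_length(void) { return dfp_queued; }

/* Constructed scenario: two blocks are freed, then byte 8 of the second one is
 * written through a dangling pointer. Returns the byte offset validation
 * reports, -1 if nothing was detected, -2 if a clean queue failed to validate. */
long dfp_demo(void) {
    unsigned char *a = dfp_malloc(32), *b = dfp_malloc(48);
    dfp_free(a);
    dfp_free(b);
    if (dfp_validate().detected) return -2;
    b[8] = 0xff;                       /* the use-after-free write the tool catches */
    struct dfp_fault f = dfp_validate();
    long off = f.detected ? (long)f.byte_offset : -1;
    dfp_disable();
    return off;
}

int main(void) {
    printf("validate reported byte offset %ld (expected 8)\n", dfp_demo());
    return 0;
}
```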


Related Commands

Command
Description

clear memory delayed-free-poisoner

Clears the delayed free-memory poisoner tool queue and statistics.

memory delayed-free-poisoner validate

Forces validation of the elements in the delayed free-memory poisoner tool queue.

show memory delayed-free-poisoner

Displays a summary of the delayed free-memory poisoner tool queue usage.


memory delayed-free-poisoner validate

To force validation of all elements in the memory delayed-free-poisoner queue, use the memory delayed-free-poisoner validate command in privileged EXEC mode.

memory delayed-free-poisoner validate

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

You must enable the delayed free-memory poisoner tool using the memory delayed-free-poisoner enable command before issuing the memory delayed-free-poisoner validate command.

The memory delayed-free-poisoner validate command causes each element of the memory delayed-free-poisoner queue to be validated. If an element contains unexpected values, then the system forces a crash and produces diagnostic output to determine the cause of the crash. If no unexpected values are encountered, the elements remain in the queue and are processed normally by the tool; the memory delayed-free-poisoner validate command does not cause the memory in the queue to be returned to the system memory pool.


Note The delayed free-memory poisoner tool periodically performs validation on all of the elements of the queue automatically.


Examples

The following example causes all elements in the memory delayed-free-poisoner queue to be validated:

hostname# memory delayed-free-poisoner validate

Related Commands

Command
Description

clear memory delayed-free-poisoner

Clears the delayed free-memory poisoner tool queue and statistics.

memory delayed-free-poisoner enable

Enables the delayed free-memory poisoner tool.

show memory delayed-free-poisoner

Displays a summary of the delayed free-memory poisoner tool queue usage.


memory profile enable

To enable the monitoring of memory usage (memory profiling), use the memory profile enable command in privileged EXEC mode. To disable memory profiling, use the no form of this command.

memory profile enable [peak peak_value]

no memory profile enable [peak peak_value]

Syntax Description

peak_value

Specifies the memory usage threshold at which a snapshot of the memory usage is saved to the peak usage buffer. The contents of this buffer could be analyzed at a later time to determine the peak memory needs of the system.


Defaults

Memory profiling is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Before enabling memory profiling, you must first configure a memory text range to profile with the memory profile text command.

Some memory is held by the profiling system until you enter the clear memory profile command. See the output of the show memory status command.


Note The security appliance might experience a temporary reduction in performance when memory profiling is enabled.


Examples

The following example enables memory profiling:

hostname# memory profile enable

Related Commands

Command
Description

memory profile text

Configures a text range of memory to profile.

show memory profile

Displays information about the memory usage (profiling) of the security appliance.


memory profile text

To configure a program text range of memory to profile, use the memory profile text command in privileged EXEC mode. To disable, use the no form of this command.

memory profile text {startPC endPC | all resolution}

no memory profile text {startPC endPC | all resolution}

Syntax Description

all

Specifies the entire text range of the memory block.

endPC

Specifies the end text range of the memory block.

resolution

Specifies the resolution of tracing for the source text region.

startPC

Specifies the start text range of the memory block.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

For a small text range, a resolution of "4" normally traces the call to an instruction. For a larger text range, a coarse resolution is probably enough for the first pass and the range could be narrowed down to a set of smaller regions in the next pass.

After entering the text range with the memory profile text command, you must then enter the memory profile enable command to begin memory profiling. Memory profiling is disabled by default.


Note The security appliance might experience a temporary reduction in performance when memory profiling is enabled.


Examples

The following example shows how to configure a text range of memory to profile, with a resolution of 4:

hostname# memory profile text 0x004018b4 0x004169d0 4

The following example displays the configuration of the text range and the status of memory profiling (OFF):

hostname# show memory profile 
InUse profiling: OFF  
Peak profiling: OFF  
Profile:  
0x004018b4-0x004169d0(00000004) 

Note To begin memory profiling, you must enter the memory profile enable command. Memory profiling is disabled by default.


Related Commands

Command
Description

clear memory profile

Clears the buffers held by the memory profiling function.

memory profile enable

Enables the monitoring of memory usage (memory profiling).

show memory profile

Displays information about the memory usage (profiling) of the security appliance.

show memory-caller address

Displays the address ranges configured on the security appliance.


memory tracking enable

To enable the tracking of heap memory requests, use the memory tracking enable command in privileged EXEC mode. To disable memory tracking, use the no form of this command.

memory tracking enable

no memory tracking enable

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System

Privileged EXEC


Command History

Release
Modification

7.0(8)

This command was introduced.


Usage Guidelines

Use the memory tracking enable command to track heap memory requests. To disable memory tracking, use the no form of this command.

Examples

The following example enables tracking heap memory requests:

hostname# memory tracking enable 

Related Commands

Command
Description

clear memory tracking

Clears all currently gathered information.

show memory tracking

Shows currently allocated memory.

show memory tracking address

Lists the size, location, and topmost caller function of each currently allocated piece of memory tracked by the tool.

show memory tracking dump

Shows the size, location, partial call stack, and a memory dump of the given memory address.

show memory tracking detail

Shows various internal details to be used in gaining insight into the tool's internal behavior.


message-length

To filter GTP packets that do not meet the configured maximum and minimum length, use the message-length command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form to remove the command.

message-length min min_bytes max max_bytes

no message-length min min_bytes max max_bytes

Syntax Description

max

Specifies the maximum number of bytes allowed in the UDP payload.

max_bytes

The maximum number of bytes in the UDP payload. The range is from 1 to 65536.

min

Specifies the minimum number of bytes allowed in the UDP payload.

min_bytes

The minimum number of bytes in the UDP payload. The range is from 1 to 65536.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System

GTP map configuration     ·        ·              ·        ·         No


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The length specified by this command is the sum of the GTP header and the rest of the message, which is the payload of the UDP packet.

Examples

The following example allows messages between 20 bytes and 300 bytes in length:

hostname(config)# gtp-map qtp-policy
hostname(config-gtpmap)# message-length min 20 max 300

Related Commands

Commands
Description

clear service-policy inspect gtp

Clears global GTP statistics.

debug gtp

Displays detailed information about GTP inspection.

gtp-map

Defines a GTP map and enables GTP map configuration mode.

inspect gtp

Applies a specific GTP map to use for application inspection.

show service-policy inspect gtp

Displays the GTP configuration.


mgcp-map

To identify a specific map for defining the parameters for MGCP inspection, use the mgcp-map command in global configuration mode. To remove the map, use the no form of this command.

mgcp-map map_name

no mgcp-map map_name

Syntax Description

map_name

The name of the MGCP map. The maximum number of characters is 64.


Defaults

The default for the MGCP command queue is 200.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Use the mgcp-map command to identify a specific map to use for defining the parameters for MGCP inspection. When you enter this command, the system enters a configuration mode that lets you enter the different commands used for defining the specific map. After defining the MGCP map, you use the inspect mgcp command to enable the map. You use Modular Policy Framework to apply the inspect command to a defined class of traffic and to apply the policy to a specific interface. The following are the commands available in MGCP map configuration mode.

call-agent—Specifies a group of call agents.

command-queue—Specifies the maximum number of MGCP commands that can be queued.

gateway—Specifies the group of call agents that are managing a particular gateway.

no—Negates a command or sets a parameter to its default value.

Examples

The following example shows how to use the mgcp-map command to identify a specific map (mgcp-policy) to use for defining the parameters for MGCP inspection.

hostname(config)# mgcp-map mgcp-policy
hostname(config-mgcp-map)# 

The following example shows how to identify MGCP traffic, define an MGCP map, define a policy, and apply the policy to the outside interface. The class map matches MGCP traffic on the default port (2427); the MGCP map is attached to that class with the inspect mgcp command, and the service policy is then applied to the outside interface.

hostname(config)# class-map mgcp-port
hostname(config-cmap)# match port udp eq 2427
hostname(config-cmap)# exit
hostname(config)# mgcp-map mgcp_inbound
hostname(config-mgcp-map)# call-agent 10.10.11.5 101
hostname(config-mgcp-map)# call-agent 10.10.11.6 101
hostname(config-mgcp-map)# call-agent 10.10.11.7 102
hostname(config-mgcp-map)# call-agent 10.10.11.8 102
hostname(config-mgcp-map)# gateway 10.10.10.115 101
hostname(config-mgcp-map)# gateway 10.10.10.116 102
hostname(config-mgcp-map)# gateway 10.10.10.117 102
hostname(config-mgcp-map)# command-queue 150
hostname(config-mgcp-map)# exit
hostname(config)# policy-map mgcp_policy
hostname(config-pmap)# class mgcp-port
hostname(config-pmap-c)# inspect mgcp mgcp_inbound
hostname(config-pmap-c)# exit
hostname(config)# service-policy mgcp_policy interface outside

To enable MGCP inspection for all interfaces, use the global parameter in place of interface outside.

Related Commands

Commands
Description

debug mgcp

Enables the display of debug information for MGCP.

show mgcp

Displays MGCP configuration and session information.

timeout mgcp

Configures the idle timeout after which an MGCP media connection will be closed.

timeout mgcp-pat

Configures the idle timeout after which an MGCP PAT xlate will be removed.


mkdir

To create a new directory, use the mkdir command in privileged EXEC mode.

mkdir [/noconfirm] [disk0: | disk1: | flash:]path

Syntax Description

/noconfirm

(Optional) Suppresses the confirmation prompt.

disk0:

(Optional) Specifies the internal Flash memory, followed by a colon.

disk1:

(Optional) Specifies the external Flash memory card, followed by a colon.

flash:

(Optional) Specifies the internal Flash memory, followed by a colon. In the ASA 5500 series, the flash keyword is aliased to disk0.

path

The name and path of the directory to create.


Defaults

If you do not specify a path, the directory is created in the current working directory.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

If a directory with the same name already exists, then the new directory is not created.

Examples

This example shows how to make a new directory called "backup":

hostname# mkdir backup

Related Commands

Command
Description

cd

Changes the current working directory to the one specified.

dir

Displays the directory contents.

rmdir

Removes the specified directory.

pwd

Displays the current working directory.


mode

To set the security context mode to single or multiple, use the mode command in global configuration mode. You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context behaves like an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone appliances. In single mode, the security appliance has a single configuration and behaves as a single device. In multiple mode, you can create multiple contexts, each with its own configuration. The number of contexts allowed depends on your license.

mode {single | multiple} [noconfirm]

Syntax Description

multiple

Sets multiple context mode.

noconfirm

(Optional) Sets the mode without prompting you for confirmation. This option is useful for automated scripts.

single

Sets the context mode to single.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

In multiple context mode, the security appliance includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a stand-alone device (see the config-url command to identify the context configuration location). The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.

When you change the context mode using the mode command, you are prompted to reboot.

The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match using the mode command.

When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved. The security appliance automatically adds an entry for the admin context to the system configuration with the name "admin."

If you convert from multiple mode to single mode, you might want to first copy a full startup configuration (if available) to the security appliance; the system configuration inherited from multiple mode is not a complete functioning configuration for a single mode device.

Not all features are supported in multiple context mode. See the Cisco Security Appliance Command Line Configuration Guide for more information.

Examples

The following example sets the mode to multiple:

hostname(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm] y
Convert the system configuration? [confirm] y
Flash Firewall mode: multiple

***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode

Rebooting....

Booting system, please wait... 

The following example sets the mode to single:

hostname(config)# mode single
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm] y
Flash Firewall mode: single

***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode



Rebooting....

Booting system, please wait...

Related Commands

Command
Description

context

Configures a context in the system configuration and enters context configuration mode.

show mode

Shows the current context mode, either single or multiple.


monitor-interface

To enable health monitoring on a specific interface, use the monitor-interface command in global configuration mode. To disable interface monitoring, use the no form of this command.

monitor-interface if_name

no monitor-interface if_name

Syntax Description

if_name

Specifies the name of the interface being monitored.


Defaults

Monitoring of physical interfaces is enabled by default; monitoring of logical interfaces is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode              Firewall Mode           Security Context
                          Routed   Transparent    Single   Multiple
                                                           Context   System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged during every interface poll frequency time period between the security appliance failover pair. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds).

Monitored failover interfaces can have the following status:

Unknown—Initial status. This status can also mean the status cannot be determined.

Normal—The interface is receiving traffic.

Testing—Hello messages are not heard on the interface for five poll times.

Link Down—The interface or VLAN is administratively down.

No Link—The physical link for the interface is down.

Failed—No traffic is received on the interface, yet traffic is heard on the peer interface.

In Active/Active failover, this command is only valid within a context.

Examples

The following example enables monitoring on an interface named "inside":

hostname(config)# monitor-interface inside
hostname(config)# 

Related Commands

Command
Description

failover interface-policy

Specifies the number or percentage of monitored interfaces that must fail for failover to occur.

failover polltime

Specifies the interval between hello messages on an interface (Active/Standby failover).

polltime interface

Specifies the interval between hello messages on an interface (Active/Active failover).


more

To display the contents of a file, use the more command.

more {/ascii | /binary| /ebcdic | disk0: | disk1: | flash: | ftp: | http: | https: | system: | tftp:}filename

Syntax Description

/ascii

(Optional) Displays a binary file in binary mode and an ASCII file in binary mode.

/binary

(Optional) Displays any file in binary mode.

/ebcdic

(Optional) Displays binary files in EBCDIC.

disk0:

(Optional) Displays a file on the internal Flash memory.

disk1:

(Optional) Displays a file on the external Flash memory card.

flash:

(Optional) Specifies the internal Flash memory, followed by a colon. In the ASA 5500 series, the flash keyword is aliased to disk0.

ftp:

(Optional) Displays a file on an FTP server.

http:

(Optional) Displays a file on a web site.

https:

(Optional) Displays a file on a secure web site.

system:

(Optional) Displays the file system.

tftp:

(Optional) Displays a file on a TFTP server.

filename

Specifies the name of the file to display.


Defaults

ASCII mode

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The more filesystem: command prompts you to enter the alias of the local directory or file systems.

Examples

This example shows how to display the contents of a local file named "test.cfg":

hostname# more test.cfg
: Saved
: Written by enable_15 at 10:04:01 Apr 14 2005

XXX Version X.X(X)
nameif vlan300 outside security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname test
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list deny-flow-max 4096
access-list alert-interval 300
access-list 100 extended permit icmp any any
access-list 100 extended permit ip any any
pager lines 24
icmp permit any outside
mtu outside 1500
ip address outside 172.29.145.35 255.255.0.0
no asdm history enable
arp timeout 14400
access-group 100 in interface outside
!
interface outside
!
route outside 0.0.0.0 0.0.0.0 172.29.145.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
snmp-server host outside 128.107.128.179
snmp-server location my_context, USA
snmp-server contact admin@my_context.com
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment size 200 outside
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 511
gdb enable
mgcp command-queue 0
Cryptochecksum:00000000000000000000000000000000
: end

Related Commands

Command
Description

cd

Changes to the specified directory.

pwd

Displays the current working directory.


mroute

To configure a static multicast route, use the mroute command in global configuration mode. To remove a static multicast route, use the no form of this command.

mroute src smask in_if_name [dense output_if_name] [distance]

no mroute src smask in_if_name [dense output_if_name] [distance]

Syntax Description

dense output_if_name

(Optional) The interface name for dense mode output.

The dense output_if_name keyword and argument pair is only supported for SMR stub multicast routing (igmp forwarding).

distance

(Optional) The administrative distance of the route. Routes with lower distances have preference. The default is 0.

in_if_name

Specifies the incoming interface name for the mroute.

smask

Specifies the multicast source network address mask.

src

Specifies the IP address of the multicast source.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

This command lets you statically configure where multicast sources are located. The security appliance expects to receive multicast packets on the same interface as it would use to send unicast packets to a specific source. In some cases, such as bypassing a route that does not support multicast routing, multicast packets may take a different path than the unicast packets.

Static multicast routes are not advertised or redistributed.

Use the show mroute command to display the contents of the multicast route table. Use the show running-config mroute command to display the mroute commands in the running configuration.

Examples

The following example shows how to configure a static multicast route using the mroute command:

hostname(config)# mroute 172.16.0.0 255.255.0.0 inside

Related Commands

Command
Description

clear configure mroute

Removes the mroute commands from the configuration.

show mroute

Displays the IPv4 multicast routing table.

show running-config mroute

Displays the mroute commands in the configuration.


mtu

To specify the maximum transmission unit for an interface, use the mtu command in global configuration mode. To reset the MTU block size to 1500 for Ethernet interfaces, use the no form of this command. This command supports IPv4 and IPv6 traffic.

mtu interface_name bytes

no mtu interface_name bytes

Syntax Description

bytes

Number of bytes in the MTU; valid values are from 64 to 65,535 bytes.

interface_name

Internal or external network interface name.


Defaults

The default bytes is 1500 for Ethernet interfaces.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The mtu command lets you set the data size that is sent on a connection. Data that is larger than the MTU value is fragmented before being sent.

The security appliance supports IP path MTU discovery (as defined in RFC 1191), which allows a host to dynamically discover and cope with the differences in the maximum allowable MTU size of the various links along the path. Sometimes, the security appliance cannot forward a datagram because the packet is larger than the MTU that you set for the interface, but the "don't fragment" (DF) bit is set. The network software sends a message to the sending host, alerting it to the problem. The host has to fragment packets for the destination so that they fit the smallest packet size of all the links along the path.

The default MTU is 1500 bytes in a block for Ethernet interfaces (which is also the maximum). This value is sufficient for most applications, but you can pick a lower number if network conditions require it.

When using the Layer 2 Tunneling Protocol (L2TP), we recommend that you set the MTU size to 1380 to account for the L2TP header and IPSec header length.
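As an added illustration (not part of the Cisco reference), the following Python model carries out the decision the guidelines above describe: a datagram larger than the interface MTU is fragmented on 8-byte boundaries, unless its DF bit is set, in which case it is dropped and the sender is told the MTU it must fit so that path MTU discovery can adapt. The 20-byte header length and the sizes used are assumptions.

```python
"""Forwarding decision at an interface with a configured MTU.

Added example, not Cisco code: it models the behaviour the mtu command's usage
guidelines describe. An IPv4 datagram larger than the interface MTU is
fragmented, unless its "don't fragment" (DF) bit is set, in which case it is
dropped and the sender is told the MTU it must fit so that RFC 1191 path MTU
discovery can shrink its packets. Header length and sizes are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

IPV4_HEADER_LEN = 20        # header without options (assumption for the model)
ICMP_FRAG_NEEDED = (3, 4)   # ICMP type 3, code 4: fragmentation needed and DF set


@dataclass
class Datagram:
    total_length: int         # header + payload, in bytes
    dont_fragment: bool = False
    more_fragments: bool = False
    fragment_offset: int = 0  # in 8-byte units, as carried in the IPv4 header


@dataclass
class ForwardResult:
    action: str               # "forward", "fragment" or "drop"
    packets: List[Datagram] = field(default_factory=list)
    icmp: Tuple[int, ...] = ()  # (type, code, next_hop_mtu) when dropped


def fragment(dgram: Datagram, mtu: int) -> List[Datagram]:
    """Split dgram into pieces that fit mtu. Every piece but the last carries a
    multiple of 8 payload bytes, because the offset field counts 8-byte units."""
    payload = dgram.total_length - IPV4_HEADER_LEN
    max_payload = (mtu - IPV4_HEADER_LEN) // 8 * 8
    if max_payload <= 0:
        raise ValueError("MTU too small to carry any payload")
    pieces: List[Datagram] = []
    offset = dgram.fragment_offset
    while payload > 0:
        chunk = min(payload, max_payload)
        payload -= chunk
        last = payload == 0
        pieces.append(Datagram(
            total_length=IPV4_HEADER_LEN + chunk,
            dont_fragment=False,
            # the last piece keeps the original MF bit (the input may itself be a fragment)
            more_fragments=(not last) or dgram.more_fragments,
            fragment_offset=offset,
        ))
        offset += chunk // 8
    return pieces


def forward(dgram: Datagram, interface_mtu: int) -> ForwardResult:
    """What the egress interface does with one datagram."""
    if dgram.total_length <= interface_mtu:
        return ForwardResult("forward", [dgram])
    if dgram.dont_fragment:
        # Too big and DF set: drop it and report the usable MTU to the sender.
        return ForwardResult("drop", icmp=ICMP_FRAG_NEEDED + (interface_mtu,))
    return ForwardResult("fragment", fragment(dgram, interface_mtu))


def reassembled_payload(pieces: List[Datagram]) -> int:
    """Payload bytes the receiver gets back after reassembly (sanity check)."""
    return sum(p.total_length - IPV4_HEADER_LEN for p in pieces)
```

The drop branch is what a sender relying on path MTU discovery needs to see; a host that sets DF and never receives the ICMP report keeps sending packets that silently disappear.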

Examples

This example shows how to specify the MTU for an interface:

hostname(config)# show running-config mtu
mtu outside 1500
mtu inside 1500
hostname(config)# mtu inside 8192
hostname(config)# show running-config mtu
mtu outside 1500
mtu inside 8192

Related Commands

Command
Description

clear configure mtu

Clears the configured maximum transmission unit values on all interfaces.

show running-config mtu

Displays the current maximum transmission unit block size.


multicast-routing

To enable IP multicast routing on the security appliance, use the multicast-routing command in global configuration mode. To disable IP multicast routing, use the no form of this command.

multicast-routing

no multicast-routing

Syntax Description

This command has no arguments or keywords.

Defaults

The multicast-routing command enables PIM and IGMP on all interfaces by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The multicast-routing command enables PIM and IGMP on all interfaces.


Note PIM is not supported with PAT. The PIM protocol does not use ports and PAT only works with protocols that use ports.

If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as the RP address.


The number of entries in the multicast routing tables is limited by the amount of RAM on the system. Table 6-1 lists the maximum number of entries for specific multicast tables based on the amount of RAM on the security appliance. Once these limits are reached, any new entries are discarded.

Table 6-2 Entry Limits for Multicast Tables

Table          16 MB    128 MB   128+ MB
MFIB           1000     3000     5000
IGMP Groups    1000     3000     5000
PIM Routes     3000     7000     12000


Examples

The following example enables IP multicast routing on the security appliance:

hostname(config)# multicast-routing

Related Commands

Command
Description

igmp

Enables IGMP on an interface.

pim

Enables PIM on an interface.


name

To associate a name with an IP address, use the name command in global configuration mode. To disable the use of the text names but not remove them from the configuration, use the no form of this command.

name ip_address name

no name ip_address [name]

Syntax Description

ip_address

Specifies an IP address of the host that is named.

name

Specifies the name assigned to the IP address. Use characters a to z, A to Z, 0 to 9, a dash, and an underscore. The name must be 63 characters or less. Also, the name cannot start with a number.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To enable the association of a name with an IP address, use the names command. You can associate only one name with an IP address.

You must first use the names command before you use the name command. Use the name command immediately after you use the names command and before you use the write memory command.

The name command lets you identify a host by a text name and map text strings to IP addresses. The no name command allows you to disable the use of the text names but does not remove them from the configuration. Use the clear configure name command to clear the list of names from the configuration.

If you are using both ASDM and the command line to manage the security appliance, when you add a name command using the command line interface you should also add an asdm location command specifying the same IP address. If you do not, ASDM will not display the named object. For example, the following commands will cause the 10.1.1.0 network, named "finance", to appear in the Hosts/Networks list in ASDM:

hostname(config)# name 10.1.1.0 finance
hostname(config)# asdm location 10.1.1.0 255.255.255.0 inside

To disable displaying name values, use the no names command.

Both the name and names commands are saved in the configuration.

The name command does not support assigning a name to a network mask. For example, this command would be rejected:

hostname(config)# name 255.255.255.0 class-C-mask

Note None of the commands in which a mask is required can process a name as an accepted network mask.


Examples

This example shows that the names command allows you to enable use of the name command. The name command substitutes sa_inside for references to 192.168.42.3 and sa_outside for 209.165.201.3. You can use these names with the ip address commands when assigning IP addresses to the network interfaces. The no names command disables the name command values from displaying. Subsequent use of the names command again restores the name command value display.

hostname(config)# names
hostname(config)# name 192.168.42.3 sa_inside
hostname(config)# name 209.165.201.3 sa_outside

hostname(config-if)# ip address inside sa_inside 255.255.255.0
hostname(config-if)# ip address outside sa_outside 255.255.255.224

hostname(config)# show ip address
System IP Addresses:
inside ip address sa_inside mask 255.255.255.0
outside ip address sa_outside mask 255.255.255.224

hostname(config)# no names
hostname(config)# show ip address
System IP Addresses:
inside ip address 192.168.42.3 mask 255.255.255.0
outside ip address 209.165.201.3 mask 255.255.255.224

hostname(config)# names
hostname(config)# show ip address
System IP Addresses:
inside ip address sa_inside mask 255.255.255.0
outside ip address sa_outside mask 255.255.255.224

Related Commands

Command
Description

clear configure name

Clears the list of names from the configuration.

names

Enables the association of a name with an IP address.

show running-config name

Displays the names associated with an IP address.


nameif

To provide a name for an interface, use the nameif command in interface configuration mode. To remove the name, use the no form of this command. The interface name is used in all configuration commands on the security appliance instead of the interface type and ID (such as gigabitethernet0/1), and is therefore required before traffic can pass through the interface.

nameif name

no nameif

Syntax Description

name

Sets a name up to 48 characters in length. The name is not case-sensitive.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0

This command was changed from a global configuration command to an interface configuration mode command.


Usage Guidelines

For subinterfaces, you must assign a VLAN with the vlan command before you enter the nameif command.

You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.

Examples

The following example configures the names for two interfaces to be "inside" and "outside":

hostname(config)# interface gigabitethernet0/1
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet0/0
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown

Related Commands

Command
Description

clear xlate

Resets all translations for existing connections, causing the connections to be reset.

interface

Configures an interface and enters interface configuration mode.

security-level

Sets the security level for the interface.

vlan

Assigns a VLAN ID to a subinterface.


names

To enable the association of a name with an IP address, use the names command in global configuration mode. You can associate only one name with an IP address. To disable displaying name values, use the no names command.

names

no names

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The names command is used to enable the association of a name with an IP address that you configured with the name command. The order in which you enter the name or names commands is irrelevant.

Examples

The following example shows how to enable the association of a name with an IP address:

hostname(config)# names

Related Commands

Command
Description

clear configure name

Clears the list of names from the configuration.

name

Associates a name with an IP address.

show running-config name

Displays a list of names associated with IP addresses.

show running-config names

Displays the IP address-to-name conversions.


name-separator

To specify a character as a delimiter between the e-mail and VPN username and password, use the name-separator command in the applicable e-mail proxy mode. To revert to the default, ":", use the no version of this command.

name-separator [symbol]

no name-separator

Syntax Description

symbol

(Optional) The character that separates the e-mail and VPN usernames and passwords. Choices are "@" (at), "|" (pipe), ":" (colon), "#" (hash), "," (comma), and ";" (semicolon).


Defaults

The default is ":" (colon).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Pop3s

Imap4s

Smtps


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The name separator must be different from the server separator.

Examples

The following example shows how to set a hash (#) as the name separator for POP3S:

hostname(config)# pop3s
hostname(config-pop3s)# name-separator #

Related Commands

Command
Description

server-separator

Separates the e-mail and server names.


nat

To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.

For regular dynamic NAT:

nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]] [udp udp_max_conns]

no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]] [udp udp_max_conns]

For policy dynamic NAT and NAT exemption:

nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]] [udp udp_max_conns]

no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]] [udp udp_max_conns]

Syntax Description

access-list access_list_name

Identifies the local addresses and destination addresses using an extended access list, also known as policy NAT. Create the access list using the access-list command. You can optionally specify the local and destination ports in the access list using the eq operator. If the NAT ID is 0, then the access list specifies addresses that are exempt from NAT. NAT exemption is not the same as policy NAT; you cannot specify the port addresses, for example.

Note Access list hit counts, as shown by the show access-list command, do not increment for NAT exemption access lists.

dns

(Optional) Rewrites the A record, or address record, in DNS replies that match this command. For DNS replies traversing from a mapped interface to a real interface, the A record is rewritten from the mapped value to the real value. Inversely, for DNS replies traversing from a real interface to a mapped interface, the A record is rewritten from the real value to the mapped value.

If your NAT statement includes the address of a host that has an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host; one needs the global address and one needs the local address. The translated host needs to be on the same interface as either the client or the DNS server. Typically, hosts that need to allow access from other interfaces use a static translation, so this option is more likely to be used with the static command.

emb_limit

(Optional) Specifies the maximum number of embryonic connections per host. The default is 0, which means unlimited embryonic connections.

Limiting the number of embryonic connections protects you from a DoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.

This option does not apply to outside NAT. The TCP intercept feature applies only to hosts or servers on a higher security level. If you set the embryonic limit for outside NAT, the embryonic limit is ignored.

real_ifc

Specifies the name of the interface connected to the real IP address network.

real_ip

Specifies the real address that you want to translate. You can use 0.0.0.0 (or the abbreviation 0) to specify all addresses.

mask

(Optional) Specifies the subnet mask for the real addresses. If you do not enter a mask, then the default mask for the IP address class is used.

nat_id

Specifies an integer for the NAT ID. For regular NAT, this integer is between 1 and 2147483647. For policy NAT (nat id access-list), this integer is between 1 and 65535.

Identity NAT (nat 0) and NAT exemption (nat 0 access-list) use the NAT ID of 0.

This ID is referenced by the global command to associate a global pool with the real_ip.

norandomseq

(Optional) Disables TCP ISN randomization protection. Each TCP connection has two ISNs: one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.

Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.

TCP initial sequence number randomization can be disabled if required, for example:

If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.

If you use eBGP multi-hop through the security appliance and the eBGP peers are using MD5, because randomization breaks the MD5 checksum.

If you use a WAAS device that requires the security appliance not to randomize the sequence numbers of connections.

outside

(Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT.

tcp tcp_max_conns

(Optional) Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)

This option does not apply to outside NAT. The security appliance only tracks connections from a higher security interface to a lower security interface.

udp udp_max_conns

(Optional) Used with the udp keyword to set the maximum number of simultaneous UDP connections the real_ip hosts are each allowed to use.


Defaults

The default value for tcp_max_conns, emb_limit, and udp_max_conns is 0 (unlimited), which is the maximum available.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given interface that you want to translate. Then you configure a separate global command to specify the mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat command matches a global command by comparing the NAT ID, a number that you assign to each command.

The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues. The exception is when you enable NAT control using the nat-control command. NAT control requires that packets traversing from a higher security interface (inside) to a lower security interface (outside) match a NAT rule, or else processing for the packet stops. NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired.

Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool can include fewer addresses than the real group. When a host you want to translate accesses the destination network, the security appliance assigns it an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out (see the timeout xlate command). Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (or PAT, even if the connection is allowed by an access list), and the security appliance rejects any attempt to connect to a real host address directly. See the static command for reliable access to hosts.

Dynamic NAT has these disadvantages:

If the mapped pool has fewer addresses than the real group, you could run out of addresses if the amount of traffic is more than expected.

Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a single address.

You have to use a large number of routable addresses in the mapped pool; if the destination network requires registered addresses, such as the Internet, you might encounter a shortage of usable addresses.

The advantage of dynamic NAT is that some protocols cannot use PAT. For example, PAT does not work with IP protocols that do not have a port to overload, such as GRE version 0. PAT also does not work with some applications that have a data stream on one port and the control path on another and are not open standard, such as some multimedia applications.

PAT translates multiple real addresses to a single mapped IP address. Specifically, the security appliance translates the real address and source port (real socket) to the mapped address and a unique port above 1024 (mapped socket). Each connection requires a separate translation, because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.

After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable.

PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the security appliance interface IP address as the PAT address. PAT does not work with some multimedia applications that have a data stream that is different from the control path.


Note For the duration of the translation, a remote host can initiate a connection to the translated host if an access list allows it. Because the address (both real and mapped) is unpredictable, a connection to the host is unlikely. However, in this case you can rely on the security of the access list.


If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively, you can disable NAT control). You might want to bypass NAT, for example, if you are using an application that does not support NAT. You can use the static command to bypass NAT, or one of the following options:

Identity NAT (nat 0 command)—When you configure identity NAT (which is similar to dynamic NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for connections through all interfaces. Therefore, you cannot choose to perform normal translation on real addresses when you access interface A, but use identity NAT when accessing interface B. Regular dynamic NAT, on the other hand, lets you specify a particular interface on which to translate the addresses. Make sure that the real addresses for which you use identity NAT are routable on all networks that are available according to your access lists.

For identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface access list allows it). Use static identity NAT or NAT exemption for this functionality.

NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does let you specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. However unlike policy NAT, NAT exemption does not consider the ports in the access list.

Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses in an extended access list. You can also optionally specify the source and destination ports. Regular NAT can only consider the real addresses. For example, you can translate the real address to mapped address A when it accesses server A, but translate the real address to mapped address B when it accesses server B.

When you specify the ports in policy NAT for applications that require application inspection for secondary channels (FTP, VoIP, etc.), the security appliance automatically translates the secondary ports.


Note All types of NAT support policy NAT except for NAT exemption. NAT exemption uses an access list to identify the real addresses, but differs from policy NAT in that the ports are not considered. You can accomplish the same result as NAT exemption using static identity NAT, which does support policy NAT.


You can alternatively configure maximum connections, maximum embryonic connections, and TCP sequence randomization using the set connection commands. If you configure these settings for the same traffic using both methods, then the security appliance uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the security appliance disables TCP sequence randomization.

If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all of the current connections.

Examples

For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following command:

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30

To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands:

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.5
hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20

To translate the lower security dmz network addresses so they appear to be on the same network as the inside network (10.1.1.0), for example, to simplify routing, enter the following commands:

hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45

To identify a single real address with two different destination addresses using policy NAT, enter the following commands:

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000
hostname(config)# global (outside) 2 209.165.202.130

To identify a single real address/destination address pair that use different ports using policy NAT, enter the following commands:

hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80
hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23
hostname(config)# nat (inside) 1 access-list WEB
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list TELNET
hostname(config)# global (outside) 2 209.165.202.130
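The Note above makes a point that is easy to miss when an access list is reused: NAT exemption evaluates the list without its ports, policy NAT with them. The following Python, an added example rather than Cisco code, models that difference for the WEB access list from these examples; the Ace and Flow classes, the matcher and the sample flows are constructed here.

```python
"""Policy NAT versus NAT exemption evaluating the same extended access list.

Added example, not Cisco code. The Ace and Flow types, the matcher and the
sample flows are constructed here; the WEB access list is the one from the
policy NAT examples above. It models only what this entry states: policy NAT
considers source, destination and (optionally) protocol and ports, while NAT
exemption (nat 0 access-list) evaluates the same access list without its ports.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry: permit <proto> <src> <mask> <dst> <mask> [eq <port>]."""
    proto: str                      # "ip", "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dst_port: Optional[int] = None  # destination "eq <port>", if present


@dataclass(frozen=True)
class Flow:
    """A connection as seen on the real (inside) side of the appliance."""
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dst_port: Optional[int] = None


def ace_matches(ace: Ace, flow: Flow, consider_ports: bool) -> bool:
    """Addresses are always compared; protocol and port only when consider_ports is set."""
    if flow.src not in ace.src or flow.dst not in ace.dst:
        return False
    if not consider_ports:
        return True  # NAT exemption: the access list is reduced to its addresses
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    return ace.dst_port is None or ace.dst_port == flow.dst_port


def policy_nat_matches(acl: List[Ace], flow: Flow) -> bool:
    """nat (inside) <id> access-list <acl>: ports in the access list are honoured."""
    return any(ace_matches(ace, flow, consider_ports=True) for ace in acl)


def nat_exemption_matches(acl: List[Ace], flow: Flow) -> bool:
    """nat (inside) 0 access-list <acl>: ports in the access list are ignored."""
    return any(ace_matches(ace, flow, consider_ports=False) for ace in acl)


def exemption_overreach(acl: List[Ace], flows: List[Flow]) -> List[Flow]:
    """Flows the list does not match as policy NAT but would match as NAT
    exemption: traffic that escapes translation because the port qualifiers
    are dropped when the same list is used with nat 0."""
    return [f for f in flows
            if nat_exemption_matches(acl, f) and not policy_nat_matches(acl, f)]


# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80
WEB = [Ace("tcp", IPv4Network("10.1.2.0/24"), IPv4Network("209.165.201.11/32"), 80)]

# Constructed sample flows from one inside host to the server named in WEB.
HTTP_FLOW = Flow("tcp", IPv4Address("10.1.2.7"), IPv4Address("209.165.201.11"), 80)
SSH_FLOW = Flow("tcp", IPv4Address("10.1.2.7"), IPv4Address("209.165.201.11"), 22)
DNS_FLOW = Flow("udp", IPv4Address("10.1.2.7"), IPv4Address("209.165.201.11"), 53)

if __name__ == "__main__":
    for flow in (HTTP_FLOW, SSH_FLOW, DNS_FLOW):
        print(f"{flow.proto}/{flow.dst_port}: policy NAT={policy_nat_matches(WEB, flow)}, "
              f"NAT exemption={nat_exemption_matches(WEB, flow)}")
```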

Related Commands

Command
Description

access-list deny-flow-max

Specifies the maximum number of concurrent deny flows that can be created.

clear configure nat

Removes the NAT configuration.

global

Creates entries from a pool of global addresses.

interface

Creates and configures an interface.

show running-config nat

Displays a pool of global IP addresses that are associated with the network.


nat (vpn load-balancing)

To set the IP address to which NAT translates the IP address of this device, use the nat command in VPN load-balancing mode. To disable this NAT translation, use the no form of this command.

nat ip-address

no nat [ip-address]

Syntax Description

ip-address

The IP address to which you want this NAT to translate the IP address of this device.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

VPN load-balancing


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You must first use the vpn load-balancing command to enter VPN load-balancing mode.

In the no nat form of the command, if you specify the optional ip-address value, the IP address must match the existing NAT IP address in the running configuration.

Examples

The following is an example of a VPN load-balancing command sequence that includes a nat command that sets the NAT-translated address to 192.168.10.10:

hostname(config)# interface GigabitEthernet 0/1
hostname(config-if)# ip address 209.165.202.159 255.255.255.0
hostname(config-if)# nameif test
hostname(config)# interface GigabitEthernet 0/2
hostname(config-if)# ip address 209.165.201.30 255.255.255.0
hostname(config-if)# nameif foo
hostname(config)# vpn load-balancing
hostname(config-load-balancing)# nat 192.168.10.10
hostname(config-load-balancing)# priority 9
hostname(config-load-balancing)# interface lbpublic test
hostname(config-load-balancing)# interface lbprivate foo
hostname(config-load-balancing)# cluster ip address 209.165.202.224
hostname(config-load-balancing)# cluster port 9023
hostname(config-load-balancing)# participate

Related Commands

Command
Description

vpn load-balancing

Enters VPN load-balancing mode.


nat-control

To enforce NAT control, use the nat-control command in global configuration mode. To disable NAT control, which allows inside hosts to communicate with outside networks without configuring a NAT rule, use the no form of this command.

nat-control

no nat-control

Syntax Description

This command has no arguments or keywords.

Defaults

NAT control is disabled by default (no nat-control command).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

If nat-control is enabled, you must configure a NAT rule before an inside host can communicate with any outside networks. The no nat-control command allows inside hosts to communicate with outside networks without configuring a NAT rule. Only hosts that undergo NAT need to have a NAT rule configured.

The difference between the no nat-control command and the nat 0 (identity NAT) command is that identity NAT requires that traffic be initiated from the local host. The no nat-control command does not have this requirement, nor does it require a static command to allow communication to inside hosts.

Disabling NAT control is similar to the same security level communication feature, which allows communication between two interfaces of the same security level without configuring a NAT rule, except that the NAT control feature is between hosts instead of interfaces.

No new NAT functionality is provided with this feature. All existing NAT functionality remains the same.


Note In multiple context mode, the packet classifier relies on the NAT configuration in some cases to assign packets to contexts. If you do not perform NAT because NAT control is disabled, then the classifier might require changes in your network configuration.


If you want the added security of NAT control but do not want to translate inside addresses in some cases, you can apply a NAT exemption (nat 0 access-list) or identity NAT (nat 0 or static) rule on those addresses.

When NAT control is disabled with the no nat-control command, and a nat and a global command pair are configured for an interface, the real IP addresses cannot go out on other interfaces unless you define those destinations with the nat 0 access-list command.

For example, the following NAT rule is the one you want performed when going to the outside network:

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 209.165.201.2

The above configuration catches everything on the inside network, so if you do not want to translate inside addresses when they go to the DMZ, then you need to match that traffic for NAT exemption, as shown in the following example:

access-list EXEMPT extended permit ip any 192.168.1.0 255.255.255.0
access-list EXEMPT remark This matches any traffic going to DMZ1
access-list EXEMPT extended permit ip any 10.1.1.0 255.255.255.0
access-list EXEMPT remark This matches any traffic going to DMZ2
nat (inside) 0 access-list EXEMPT

Alternately, you can perform NAT translation on all interfaces:

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 209.165.201.2
global (dmz1) 1 192.168.1.230
global (dmz2) 1 10.1.1.230

The following table compares the results between nat-control and no nat-control:

Condition                                                       nat-control   no nat-control
no inside NAT rule, no outside NAT rule                         deny          continue
inside NAT rule, no outside NAT rule (no dynamic outside NAT)   continue      continue
inside NAT rule, no outside NAT rule (dynamic outside NAT) (1)  deny          continue

(1) Dynamic outside NAT is enabled at an interface if a nat command with the keyword outside is associated with the interface.


Two NAT policies are used to perform address translation on each packet that traverses the security appliance, an inside NAT policy and an outside NAT policy. If the nat-control command is enabled, each inside address must have an inside NAT rule before communication is permitted through the security appliance. Additionally, if outside dynamic NAT is enabled on an interface, each outside address must have an outside NAT rule before communication is permitted through the security appliance.

If the no nat-control command is configured and no NAT policy matches, an address rewrite is not performed and processing continues. The default is NAT control disabled (no nat-control command).

Note: To ensure backward compatibility, the nat-control command is automatically enabled if the startup configuration is Version 6 or lower.

Examples

The following example enables nat-control:

hostname(config)# nat-control

Related Commands

Command
Description

nat

Defines an address on one interface that is translated to a global address on another interface.

show running-config nat-control

Shows the NAT configuration requirement.


nbns-server

To configure an NBNS server, use the nbns-server command in webvpn mode. To remove the NBNS server from the configuration, use the no form of this command.

The security appliance queries NBNS servers to map NetBIOS names to IP addresses. WebVPN requires NetBIOS to access or share files on remote systems.

nbns-server {ipaddr or hostname} [master] [timeout timeout] [retry retries]

no nbns-server

Syntax Description

hostname

Specifies the hostname for the NBNS server.

ipaddr

Specifies the IP address for the NBNS server.

master

Indicates that this is a master browser, rather than a WINS server.

retry

Indicates that a retry value follows.

retries

Specifies the number of times to retry queries to NBNS servers. The security appliance recycles through the list of servers the number of times you specify here before sending an error message. The default value is 2; the range is 1 to 10.

timeout

Indicates that a timeout value follows.

timeout

Specifies the amount of time the security appliance waits before sending the query again, to the same server if there is only one, or another server if there are multiple NBNS servers. The default timeout is 2 seconds; the range is 1 to 30 seconds.


Defaults

No NBNS server is configured by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You can configure a maximum of three server entries. The first server you configure is the primary server, and the others are backups, for redundancy.

Use the no option to remove the matching entry from the configuration.

Examples

The following example shows how to configure an NBNS server that is a master browser with an IP address of 10.10.10.19, a timeout value of 10 seconds, and 8 retries. It also shows how to configure an NBNS WINS server with an IP address of 10.10.10.24, a timeout value of 15 seconds, and 8 retries.

hostname(config)# webvpn
hostname(config-webvpn)# nbns-server 10.10.10.19 master timeout 10 retry 8
hostname(config-webvpn)# nbns-server 10.10.10.24 timeout 15 retry 8

neighbor

To define a static neighbor on a point-to-point, non-broadcast network, use the neighbor command in router configuration mode. To remove the statically defined neighbor from the configuration, use the no form of this command. The neighbor command is used to advertise OSPF routes over VPN tunnels.

neighbor ip_address [interface name]

no neighbor ip_address [interface name]

Syntax Description

interface name

(Optional) The interface name, as specified by the nameif command, through which the neighbor can be reached.

ip_address

IP address of the neighbor router.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

One neighbor entry must be included for each known non-broadcast network neighbor. The neighbor address must be on the primary address of the interface.

The interface option needs to be specified when the neighbor is not on the same network as any of the directly connected interfaces of the system. Additionally, a static route must be created to reach the neighbor.

Examples

The following example defines a neighbor router with an address of 192.168.1.1:

hostname(config-router)# neighbor 192.168.1.1

Related Commands

Command
Description

router ospf

Enters router configuration mode.

show running-config router

Displays the commands in the global router configuration.


nem

To enable network extension mode for hardware clients, use the nem enable command in group-policy configuration mode. To disable NEM, use the nem disable command. To remove the NEM attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy.

nem {enable | disable}

no nem

Syntax Description

disable

Disables Network Extension Mode.

enable

Enables Network Extension Mode.


Defaults

Network extension mode is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Usage Guidelines

Network Extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPSec encapsulates all traffic from the private network behind the hardware client to networks behind the security appliance. PAT does not apply. Therefore, devices behind the security appliance have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.

Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to set NEM for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# nem enable

network area

To define the interfaces on which OSPF runs and to define the area ID for those interfaces, use the network area command in router configuration mode. To disable OSPF routing for interfaces defined with the address/netmask pair, use the no form of this command.

network addr mask area area_id

no network addr mask area area_id

Syntax Description

addr

IP address.

area area_id

Specifies the area that is to be associated with the OSPF address range. The area_id can be specified in either IP address format or in decimal format. When specified in decimal format, valid values range from 0 to 4294967295.

mask

The network mask.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

For OSPF to operate on the interface, the address of the interface must be covered by the network area command. If the network area command does not cover the IP address of the interface, it will not enable OSPF over that interface.

There is no limit to the number of network area commands you can use on the security appliance.

Examples

The following example enables OSPF on the 192.168.1.1 interface and assigns it to area 2:

hostname(config-router)# network 192.168.1.1 255.255.255.0 area 2

Related Commands

Command
Description

router ospf

Enters router configuration mode.

show running-config router

Displays the commands in the global router configuration.


network-object

To add a network object to a network object group, use the network-object command in network configuration mode. To remove network objects, use the no form of this command.

network-object host host_addr | host_name

no network-object host host_addr | host_name

network-object net_addr netmask

no network-object net_addr netmask

Syntax Description

host_addr

Host IP address (if the host name is not already defined using the name command).

host_name

Host name (if the host name is defined using the name command).

net_addr

Network address; used with netmask to define a subnet object.

netmask

Netmask; used with net_addr to define a subnet object.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Network configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The network-object command is used with the object-group command to define a host or a subnet object in network configuration mode.

Examples

The following example shows how to use the network-object command in network configuration mode to create a new network object group:

hostname(config)# object-group network sjj_eng_ftp_servers
hostname(config-network)# network-object host sjj.eng.ftp
hostname(config-network)# network-object host 172.16.56.195 
hostname(config-network)# network-object 192.168.1.0 255.255.255.224 
hostname(config-network)# group-object sjc_eng_ftp_servers
hostname(config-network)# quit
hostname(config)#

Related Commands

Command
Description

clear configure object-group

Removes all the object-group commands from the configuration.

group-object

Adds network object groups.

object-group

Defines object groups to optimize your configuration.

port-object

Adds a port object to a service object group.

show running-config object-group

Displays the current object groups.


nt-auth-domain-controller

To specify the name of the NT Primary Domain Controller for this server, use the nt-auth-domain-controller command in AAA-server host mode. To remove this specification, use the no form of this command:

nt-auth-domain-controller string

no nt-auth-domain-controller

Syntax Description

string

Specify the name, up to 16 characters long, of the Primary Domain Controller for this server.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

AAA-server host


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

This command is valid only for NT Authentication AAA servers. You must have first used the aaa-server host command to enter host configuration mode. The name in the string variable must match the NT entry on the server itself.

Examples

The following example configures the name of the NT Primary Domain Controller for this server as "primary1".

hostname(config)# aaa-server svrgrp1 protocol nt
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4
hostname(config-aaa-server-host)# nt-auth-domain-controller primary1

Related Commands

Command
Description

aaa-server host

Enters AAA server host configuration mode so you can configure AAA server parameters that are host-specific.

clear configure aaa-server

Removes all AAA command statements from the configuration.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


ntp authenticate

To enable authentication with an NTP server, use the ntp authenticate command in global configuration mode. To disable NTP authentication, use the no form of this command.

ntp authenticate

no ntp authenticate

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

If you enable authentication, the security appliance only communicates with an NTP server if it uses the correct trusted key in the packets (see the ntp trusted-key command). The security appliance also uses an authentication key to synchronize with the NTP server (see the ntp authentication-key command).

Examples

The following example configures the security appliance to synchronize only to systems that provide authentication key 42 in their NTP packets:

hostname(config)# ntp authenticate
hostname(config)# ntp authentication-key 42 md5 aNiceKey
hostname(config)# ntp trusted-key 42

Related Commands

Command
Description

ntp authentication-key

Sets an encrypted authentication key to synchronize with an NTP server.

ntp server

Identifies an NTP server.

ntp trusted-key

Provides a key ID for the security appliance to use in packets for authentication with an NTP server.

show ntp associations

Shows the NTP servers with which the security appliance is associated.

show ntp status

Shows the status of the NTP association.


ntp authentication-key

To set a key to authenticate with an NTP server, use the ntp authentication-key command in global configuration mode. To remove the key, use the no form of this command.

ntp authentication-key key_id md5 key

no ntp authentication-key key_id [md5 key]

Syntax Description

key_id

Identifies a key ID between 1 and 4294967295. You must specify this ID as a trusted key using the ntp trusted-key command.

md5

Specifies the authentication algorithm as MD5, which is the only algorithm supported.

key

Sets the key value as a string up to 32 characters in length.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To use NTP authentication, also configure the ntp authenticate command.

Examples

The following example enables authentication, identifies trusted key IDs 1 and 2, and sets authentication keys for each trusted key ID:

hostname(config)# ntp authenticate
hostname(config)# ntp trusted-key 1
hostname(config)# ntp trusted-key 2
hostname(config)# ntp authentication-key 1 md5 aNiceKey
hostname(config)# ntp authentication-key 2 md5 aNiceKey2

Related Commands

Command
Description

ntp authenticate

Enables NTP authentication.

ntp server

Identifies an NTP server.

ntp trusted-key

Provides a key ID for the security appliance to use in packets for authentication with an NTP server.

show ntp associations

Shows the NTP servers with which the security appliance is associated.

show ntp status

Shows the status of the NTP association.


ntp server

To identify an NTP server to set the time on the security appliance, use the ntp server command in global configuration mode. To remove the server, use the no form of this command. You can identify multiple servers; the security appliance uses the most accurate server. In multiple context mode, set the NTP server in the system configuration only.

ntp server ip_address [key key_id] [source interface_name] [prefer]

no ntp server ip_address [key key_id] [source interface_name] [prefer]

Syntax Description

ip_address

Sets the IP address of the NTP server.

key key_id

If you enable authentication using the ntp authenticate command, sets the trusted key ID for this server. See also the ntp trusted-key command.

source interface_name

Identifies the outgoing interface for NTP packets if you do not want to use the default interface in the routing table. Because the system does not include any interfaces in multiple context mode, specify an interface name defined in the admin context.

prefer

Sets this NTP server as the preferred server if multiple servers have similar accuracy. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that one. If servers are of similar accuracy, then the prefer keyword specifies which of those servers to use. However, if a server is significantly more accurate than the preferred one, the security appliance uses the more accurate one. For example, the security appliance uses a server of stratum 2 over a server of stratum 3 that is preferred.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was modified to make the source interface optional.


Examples

The following example identifies two NTP servers and enables authentication for the key IDs 1 and 2:

hostname(config)# ntp server 10.1.1.1 key 1 prefer
hostname(config)# ntp server 10.2.1.1 key 2
hostname(config)# ntp authenticate
hostname(config)# ntp trusted-key 1
hostname(config)# ntp trusted-key 2
hostname(config)# ntp authentication-key 1 md5 aNiceKey
hostname(config)# ntp authentication-key 2 md5 aNiceKey2

Related Commands

Command
Description

ntp authenticate

Enables NTP authentication.

ntp authentication-key

Sets an encrypted authentication key to synchronize with an NTP server.

ntp trusted-key

Provides a key ID for the security appliance to use in packets for authentication with an NTP server.

show ntp associations

Shows the NTP servers with which the security appliance is associated.

show ntp status

Shows the status of the NTP association.


ntp trusted-key

To specify an authentication key ID to be a trusted key, which is required for authentication with an NTP server, use the ntp trusted-key command in global configuration mode. To remove the trusted key, use the no form of this command. You can enter multiple trusted keys for use with multiple servers.

ntp trusted-key key_id

no ntp trusted-key key_id

Syntax Description

key_id

Sets a key ID between 1 and 4294967295.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To use NTP authentication, also configure the ntp authenticate command. To synchronize with a server, set the authentication key for the key ID using the ntp authentication-key command.

Examples

The following example enables authentication, identifies trusted key IDs 1 and 2, and sets authentication keys for each trusted key ID:

hostname(config)# ntp authenticate
hostname(config)# ntp trusted-key 1
hostname(config)# ntp trusted-key 2
hostname(config)# ntp authentication-key 1 md5 aNiceKey
hostname(config)# ntp authentication-key 2 md5 aNiceKey2
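The ntp authenticate, ntp authentication-key, ntp server and ntp trusted-key entries spread one requirement over four commands: a key ID named on ntp server must be trusted and have a key, and none of it takes effect without ntp authenticate. The following Python audits a configuration excerpt against those rules; it is an added example, not Cisco code, and the parser, finding texts and the BAD_CONFIG sample are constructed here (GOOD_CONFIG is the ntp server example above).

```python
"""Audit the NTP authentication commands in a running configuration.

Added example, not Cisco code: the parser, the finding texts and the sample
configurations are constructed here. The rules checked are the ones stated in
the ntp authenticate, ntp authentication-key, ntp server and ntp trusted-key
entries: a key referenced by ntp server must be a trusted key and have an
authentication key, a trusted key needs an authentication key, none of it is
used without ntp authenticate, and with ntp authenticate enabled the appliance
only synchronizes with servers that present a trusted key.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

KEY_ID_MAX = 4294967295  # key_id range 1 to 4294967295 (from the reference)
KEY_MAX_LEN = 32         # key string is up to 32 characters (from the reference)

RE_AUTH_KEY = re.compile(r"^ntp authentication-key (\d+) md5 (\S+)$")
RE_TRUSTED = re.compile(r"^ntp trusted-key (\d+)$")
RE_SERVER = re.compile(r"^ntp server (\S+)(?: key (\d+))?(?: source (\S+))?( prefer)?$")


def audit_ntp(config: str) -> List[str]:
    """Return findings for the NTP section; an empty list means it is consistent."""
    authenticate = False
    auth_keys: Dict[int, str] = {}
    trusted: Set[int] = set()
    servers: List[Tuple[str, Optional[int]]] = []
    findings: List[str] = []

    for raw in config.splitlines():
        line = raw.strip()
        if line == "ntp authenticate":
            authenticate = True
            continue
        m = RE_AUTH_KEY.match(line)
        if m:
            key_id, key = int(m.group(1)), m.group(2)
            if not 1 <= key_id <= KEY_ID_MAX:
                findings.append(f"authentication-key {key_id}: key_id outside 1-{KEY_ID_MAX}")
            if len(key) > KEY_MAX_LEN:
                findings.append(f"authentication-key {key_id}: key longer than {KEY_MAX_LEN} characters")
            auth_keys[key_id] = key
            continue
        m = RE_TRUSTED.match(line)
        if m:
            trusted.add(int(m.group(1)))
            continue
        m = RE_SERVER.match(line)
        if m:
            servers.append((m.group(1), int(m.group(2)) if m.group(2) else None))

    # The commands may appear in any order, so cross-check only after parsing.
    if (auth_keys or trusted) and not authenticate:
        findings.append("NTP keys are configured but 'ntp authenticate' is missing, so they are not used")
    for key_id in sorted(trusted - set(auth_keys)):
        findings.append(f"trusted-key {key_id} has no matching ntp authentication-key")
    for addr, key_id in servers:
        if key_id is None:
            if authenticate:
                findings.append(f"server {addr} has no key; with ntp authenticate enabled the "
                                "appliance will not synchronize with it")
            continue
        if key_id not in trusted:
            findings.append(f"server {addr} uses key {key_id}, which is not an ntp trusted-key")
        if key_id not in auth_keys:
            findings.append(f"server {addr} uses key {key_id}, which has no ntp authentication-key")
    return findings


# The ntp server example from this reference: expected to audit clean.
GOOD_CONFIG = """
ntp server 10.1.1.1 key 1 prefer
ntp server 10.2.1.1 key 2
ntp authenticate
ntp trusted-key 1
ntp trusted-key 2
ntp authentication-key 1 md5 aNiceKey
ntp authentication-key 2 md5 aNiceKey2
"""

# Constructed misconfiguration: key 2 is trusted but never defined, and a
# third server has no key at all although authentication is enabled.
BAD_CONFIG = """
ntp authenticate
ntp authentication-key 1 md5 aNiceKey
ntp trusted-key 1
ntp trusted-key 2
ntp server 10.1.1.1 key 1 prefer
ntp server 10.2.1.1 key 2
ntp server 10.3.1.1
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_ntp(cfg) or ["no findings"])
```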

Related Commands

Command
Description

ntp authenticate

Enables NTP authentication.

ntp authentication-key

Sets an encrypted authentication key to synchronize with an NTP server.

ntp server

Identifies an NTP server.

show ntp associations

Shows the NTP servers with which the security appliance is associated.

show ntp status

Shows the status of the NTP association.


object-group

To define object groups that you can use to optimize your configuration, use the object-group command in global configuration mode. Use the no form of this command to remove object groups from the configuration. This command supports IPv4 and IPv6 addresses.

object-group {protocol | network | icmp-type} obj_grp_id

no object-group {protocol | network | icmp-type} obj_grp_id

object-group service obj_grp_id {tcp | udp | tcp-udp}

no object-group service obj_grp_id {tcp | udp | tcp-udp}

Syntax Description

icmp-type

Defines a group of ICMP types such as echo and echo-reply. After entering the main object-group icmp-type command, add ICMP objects to the ICMP type group with the icmp-object and the group-object commands.

network

Defines a group of hosts or subnet IP addresses. After entering the main object-group network command, add network objects to the network group with the network-object and the group-object commands.

obj_grp_id

Identifies the object group (one to 64 characters) and can be any combination of letters, digits, and the "_", "-", "." characters.

protocol

Defines a group of protocols such as TCP and UDP. After entering the main object-group protocol command, add protocol objects to the protocol group with the protocol-object and the group-object commands.

service

Defines a group of TCP/UDP port specifications such as "eq smtp" and "range 2000 2010." After entering the main object-group service command, add port objects to the service group with the port-object and the group-object commands.

tcp

Specifies that service group is used for TCP.

tcp-udp

Specifies that service group can be used for TCP and UDP.

udp

Specifies that service group is used for UDP.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Objects such as hosts, protocols, or services can be grouped, and then you can issue a single command using the group name to apply to every item in the group.

When you define a group with the object-group command and then use any security appliance command, the command applies to every item in that group. This feature can significantly reduce your configuration size.

Once you define an object group, you must use the object-group keyword before the group name in all applicable security appliance commands as follows:

hostname# show running-config object-group group_name

where group_name is the name of the group.

This example shows the use of an object group once it is defined:

hostname(config)# access-list access_list_name permit tcp any object-group group_name

In addition, you can group access list command arguments:

Individual Arguments     Object Group Replacement
protocol                 object-group protocol
host and subnet          object-group network
service                  object-group service
icmp_type                object-group icmp-type


You can group commands hierarchically; an object group can be a member of another object group.

To use object groups, you must do the following:

Use the object-group keyword before the object group name in all commands as follows:

hostname(config)# access-list acl permit tcp object-group remotes object-group locals object-group eng_svc

where remotes and locals are sample object group names.

The object group must be nonempty.

You cannot remove or empty an object group if it is currently being used in a command.

After you enter a main object-group command, the command mode changes to its corresponding mode. The object group is defined in the new mode. The active mode is indicated in the command prompt format. For example, the prompt in the configuration terminal mode appears as follows:

hostname(config)#

where hostname is the name of the security appliance.

However, when you enter the object-group command, the prompt appears as follows:

hostname(config-type)#

where hostname is the name of the security appliance, and type is the object-group type.

Use the exit, quit, or any valid config-mode commands such as access-list to close an object-group mode and exit the object-group main command.

The show running-config object-group command displays defined object groups: with the grp_id argument it displays that group, with the grp_type argument it displays all groups of that type, and without an argument it displays all defined object groups.

Use the clear configure object-group command to remove a group of previously defined object-group commands. Without an argument, the clear configure object-group command removes all defined object groups that are not being used in a command. The grp_type argument removes all defined object groups of that group type only that are not being used in a command.

You can use all other security appliance commands in an object-group mode, including the show running-config and clear configure commands.

Commands within the object-group mode appear indented when displayed or saved by the show running-config object-group, write, or config commands.

Commands within the object-group mode have the same command privilege level as the main command.

When you use more than one object group in an access-list command, the elements of the groups are combined as a cross product: every element of the first group is paired with every element of the second group, each of those pairs is then combined with every element of the third group, and so on.

The starting position of the description text is the character right after the white space (a blank or a tab) following the description keyword.

Examples

The following example shows how to use the object-group icmp-type mode to create a new icmp-type object group:

hostname(config)# object-group icmp-type icmp-allowed
hostname(config-icmp-type)# icmp-object echo
hostname(config-icmp-type)# icmp-object time-exceeded
hostname(config-icmp-type)# exit

The following example shows how to use the object-group network command to create a new network object group:

hostname(config)# object-group network sjc_eng_ftp_servers
hostname(config-network)# network-object host sjc.eng.ftp.servers
hostname(config-network)# network-object host 172.23.56.194 
hostname(config-network)# network-object 192.1.1.0 255.255.255.224 
hostname(config-network)# exit

The following example shows how to use the object-group network command to create a new network object group and map it to an existing object-group:

hostname(config)# object-group network sjc_ftp_servers
hostname(config-network)# network-object host sjc.ftp.servers 
hostname(config-network)# network-object host 172.23.56.195 
hostname(config-network)# network-object 193.1.1.0 255.255.255.224 
hostname(config-network)# group-object sjc_eng_ftp_servers 
hostname(config-network)# exit

The following example shows how to use the object-group protocol mode to create a new protocol object group:

hostname(config)# object-group protocol proto_grp_1
hostname(config-protocol)# protocol-object udp
hostname(config-protocol)# protocol-object ipsec
hostname(config-protocol)# exit

hostname(config)# object-group protocol proto_grp_2
hostname(config-protocol)# protocol-object tcp
hostname(config-protocol)# group-object proto_grp_1
hostname(config-protocol)# exit

The following example shows how to use the object-group service mode to create a new port (service) object group:

hostname(config)# object-group service eng_service tcp
hostname(config-service)# group-object eng_www_service
hostname(config-service)# port-object eq ftp
hostname(config-service)# port-object range 2000 2005
hostname(config-service)# exit

The following example shows how to add a text description to an object group and then remove it:

hostname(config)# object-group protocol protos1
hostname(config-protocol)# description This group of protocols is for our internal network

hostname(config-protocol)# show running-config object-group id protos1
object-group protocol protos1
description: This group of protocols is for our internal network

hostname(config-protocol)# no description
hostname(config-protocol)# show running-config object-group id protos1
object-group protocol protos1

The following example shows how to use the group-object command to create a new object group that consists of previously defined object groups:

hostname(config)# object-group network host_grp_1
hostname(config-network)# network-object host 192.168.1.1
hostname(config-network)# network-object host 192.168.1.2
hostname(config-network)# exit

hostname(config)# object-group network host_grp_2
hostname(config-network)# network-object host 172.23.56.1
hostname(config-network)# network-object host 172.23.56.2
hostname(config-network)# exit

hostname(config)# object-group network all_hosts
hostname(config-network)# group-object host_grp_1
hostname(config-network)# group-object host_grp_2
hostname(config-network)# exit

hostname(config)# access-list grp_1 permit tcp object-group host_grp_1 any eq ftp
hostname(config)# access-list grp_2 permit tcp object-group host_grp_2 any eq smtp
hostname(config)# access-list all permit tcp object-group all_hosts any eq www

Without the group-object command, you need to define the all_hosts group to include all the IP addresses that have already been defined in host_grp_1 and host_grp_2. With the group-object command, the duplicated definitions of the hosts are eliminated.

The following examples show how to use object groups to simplify the access list configuration:

hostname(config)# object-group network remote
hostname(config-network)# network-object host kqk.suu.dri.ixx
hostname(config-network)# network-object host kqk.suu.pyl.gnl

hostname(config)# object-group network locals
hostname(config-network)# network-object host 172.23.56.10
hostname(config-network)# network-object host 172.23.56.20
hostname(config-network)# network-object host 172.23.56.194
hostname(config-network)# network-object host 172.23.56.195

hostname(config)# object-group service eng_svc tcp
hostname(config-service)# port-object eq www
hostname(config-service)# port-object eq smtp
hostname(config-service)# port-object range 25000 25100

This grouping enables the access list to be configured in 1 line instead of 24 lines, which would be needed if no grouping is used. Instead, with the grouping, the access list configuration is as follows:

hostname(config)# access-list acl permit tcp object-group remote object-group locals object-group eng_svc


Note The show running-config object-group and write commands allow you to display the access list as configured with the object group names. The show access-list command displays the access list entries that are expanded out into individual entries without their object groupings.
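
As an added illustration (not part of the Cisco reference), the following Python models the object-group rules above: nesting through group-object, the nonempty and in-use checks, and the cross-product expansion that turns the one-line access-list into the 24 individual entries that show access-list would display. The group names and addresses are the ones from the examples above; the parser is this example's own simplification of the access-list syntax (any, host, object-group and NET MASK operands, eq/range ports).

```python
from itertools import product


class ObjectGroupError(ValueError):
    """Rules the reference states: nonempty, same-type nesting, no removal while in use."""


class ObjectGroups:
    def __init__(self):
        self.groups = {}      # name -> (type, [member strings])
        self.in_use = set()   # names referenced by an access-list or a group-object

    def define(self, name, gtype, members):
        """object-group TYPE NAME followed by its member lines."""
        if not members:
            raise ObjectGroupError(f"object-group {name} must be nonempty")
        for m in members:
            if m.startswith("group-object "):
                ref = m.split(None, 1)[1]
                if self.groups.get(ref, (None,))[0] != gtype:
                    raise ObjectGroupError(f"{ref} is not a defined {gtype} group")
                self.in_use.add(ref)
        self.groups[name] = (gtype, list(members))

    def remove(self, name):
        """no object-group NAME: refused while any command references the group."""
        if name in self.in_use:
            raise ObjectGroupError(f"object-group {name} is in use by a command")
        del self.groups[name]

    def expand(self, name):
        """Flatten nested group-object references, depth first."""
        flat = []
        for m in self.groups[name][1]:
            if m.startswith("group-object "):
                flat.extend(self.expand(m.split(None, 1)[1]))
            else:
                flat.append(m)
        return flat

    def _address(self, tok, i):
        """One address operand: any | host H | object-group G | NET MASK."""
        if tok[i] == "any":
            return ["any"], i + 1
        if tok[i] == "host":
            return [f"host {tok[i + 1]}"], i + 2
        if tok[i] == "object-group":
            self.in_use.add(tok[i + 1])
            return self.expand(tok[i + 1]), i + 2
        return [f"{tok[i]} {tok[i + 1]}"], i + 2

    def _service(self, tok, i):
        """Optional port operand: eq P | range A B | object-group G."""
        if i >= len(tok):
            return [""]
        if tok[i] == "eq":
            return [f"eq {tok[i + 1]}"]
        if tok[i] == "range":
            return [f"range {tok[i + 1]} {tok[i + 2]}"]
        if tok[i] == "object-group":
            self.in_use.add(tok[i + 1])
            return self.expand(tok[i + 1])
        raise ObjectGroupError(f"unexpected token {tok[i]!r}")

    def access_list(self, line):
        """Expand one access-list command into the entries show access-list
        displays: the cross product of source, destination and service members."""
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ObjectGroupError("expected: access-list NAME permit|deny PROTO SRC DST [SVC]")
        name, action, proto = tok[1], tok[2], tok[3]
        srcs, i = self._address(tok, 4)
        dsts, i = self._address(tok, i)
        svcs = self._service(tok, i)
        return [f"access-list {name} {action} {proto} {s} {d} {v}".rstrip()
                for s, d, v in product(srcs, dsts, svcs)]


def remote_to_locals():
    """The remote / locals / eng_svc groups from the reference's last example."""
    og = ObjectGroups()
    og.define("remote", "network", ["host kqk.suu.dri.ixx", "host kqk.suu.pyl.gnl"])
    og.define("locals", "network", ["host 172.23.56.10", "host 172.23.56.20",
                                    "host 172.23.56.194", "host 172.23.56.195"])
    og.define("eng_svc", "service", ["eq www", "eq smtp", "range 25000 25100"])
    return og, og.access_list("access-list acl permit tcp object-group remote "
                              "object-group locals object-group eng_svc")


def nested_all_hosts():
    """The host_grp_1 / host_grp_2 / all_hosts group-object example."""
    og = ObjectGroups()
    og.define("host_grp_1", "network", ["host 192.168.1.1", "host 192.168.1.2"])
    og.define("host_grp_2", "network", ["host 172.23.56.1", "host 172.23.56.2"])
    og.define("all_hosts", "network",
              ["group-object host_grp_1", "group-object host_grp_2"])
    return og, og.access_list("access-list all permit tcp object-group all_hosts any eq www")
```

Running remote_to_locals() returns the 24 entries, with the first group varying slowest, which is a quick way to audit what a compact object-group rule really permits.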


Related Commands

Command
Description

clear configure object-group

Removes all the object group commands from the configuration.

group-object

Adds network object groups.

network-object

Adds a network object to a network object group.

port-object

Adds a port object to a service object group.

show running-config object-group

Displays the current object groups.


ospf authentication

To enable the use of OSPF authentication, use the ospf authentication command in interface configuration mode. To restore the default authentication stance, use the no form of this command.

ospf authentication [message-digest | null]

no ospf authentication

Syntax Description

message-digest

(Optional) Specifies to use OSPF message digest authentication.

null

(Optional) Specifies to not use OSPF authentication.


Defaults

By default, OSPF authentication is not enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Before using the ospf authentication command, configure a password for the interface using the ospf authentication-key command. If you use the message-digest keyword, configure the message-digest key for the interface with the ospf message-digest-key command.

For backward compatibility, authentication type for an area is still supported. If the authentication type is not specified for an interface, the authentication type for the area will be used (the area default is null authentication).

When this command is used without any options, simple password authentication is enabled.

Examples

The following example shows how to enable simple password authentication for OSPF on the selected interface:

hostname(config-if)# ospf authentication
hostname(config-if)# 

Related Commands

Command
Description

ospf authentication-key

Specifies the password used by neighboring routing devices.

ospf message-digest-key

Enables MD5 authentication and specifies the MD5 key.


ospf authentication-key

To specify the password used by neighboring routing devices, use the ospf authentication-key command in interface configuration mode. To remove the password, use the no form of this command.

ospf authentication-key password

no ospf authentication-key

Syntax Description

password

Assigns an OSPF authentication password for use by neighboring routing devices. The password must be less than 9 characters. You can include blank space between two characters. Spaces at the beginning or end of the password are ignored.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The password created by this command is used as a key that is inserted directly into the OSPF header when routing protocol packets are originated. A separate password can be assigned to each network on a per-interface basis. All neighboring routers on the same network must have the same password to be able to exchange OSPF information.

Examples

The following example shows how to specify a password for OSPF authentication:

hostname(config-if)# ospf authentication-key ThisMyPW

Related Commands

Command
Description

area authentication

Enables OSPF authentication for the specified area.

ospf authentication

Enables the use of OSPF authentication.


ospf cost

To specify the cost of sending a packet through the interface, use the ospf cost command in interface configuration mode. To reset the interface cost to the default value, use the no form of this command.

ospf cost interface_cost

no ospf cost

Syntax Description

interface_cost

The cost (a link-state metric) of sending a packet through an interface. This is an unsigned integer value from 0 to 65535. 0 represents a network that is directly connected to the interface, and the higher the interface bandwidth, the lower the associated cost to send packets across that interface. In other words, a large cost value represents a low bandwidth interface and a small cost value represents a high bandwidth interface.

The OSPF interface default cost on the security appliance is 10. This default differs from Cisco IOS software, where the default cost is 1 for fast Ethernet and Gigabit Ethernet and 10 for 10BaseT. This is important to take into account if you are using ECMP in your network.


Defaults

The default interface_cost is 10.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The ospf cost command lets you explicitly specify the cost of sending a packet on an interface. The interface_cost parameter is an unsigned integer value from 0 to 65535.

The no ospf cost command allows you to reset the path cost to the default value.

Examples

The following example shows how to specify the cost of sending a packet on the selected interface:

hostname(config-if)# ospf cost 4

Related Commands

Command
Description

show running-config interface

Displays the configuration of the specified interface.


ospf database-filter

To filter out all outgoing LSAs to an OSPF interface during synchronization and flooding, use the ospf database-filter command in interface configuration mode. To restore the LSAs, use the no form of this command.

ospf database-filter all out

no ospf database-filter all out

Syntax Description

all out

Filters all outgoing LSAs to an OSPF interface.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The ospf database-filter command filters outgoing LSAs to an OSPF interface. The no ospf database-filter all out command restores the forwarding of LSAs to the interface.

Examples

The following example shows how to use the ospf database-filter command to filter outgoing LSAs:

hostname(config-if)# ospf database-filter all out

Related Commands

Command
Description

show interface

Displays interface status information.


ospf dead-interval

To specify the interval before neighbors declare a router down, use the ospf dead-interval command in interface configuration mode. To restore the default value, use the no form of this command.

ospf dead-interval seconds

no ospf dead-interval

Syntax Description

seconds

The length of time during which no hello packets are seen. The default for seconds is four times the interval set by the ospf hello-interval command (which ranges from 1 to 65535).


Defaults

The default value for seconds is four times the interval set by the ospf hello-interval command.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The ospf dead-interval command sets the dead interval, the length of time during which no hello packets are seen before neighbors declare the router down. The seconds argument specifies the dead interval and must be the same for all nodes on the network. The default for seconds is four times the interval set by the ospf hello-interval command, which ranges from 1 to 65535.

The no ospf dead-interval command restores the default interval value.

Examples

The following example sets the OSPF dead interval to 1 minute:

hostname(config-if)# ospf dead-interval 60

Related Commands

Command
Description

ospf hello-interval

Specifies the interval between hello packets sent on an interface.

show ospf interface

Displays OSPF-related interface information.


ospf hello-interval

To specify the interval between hello packets sent on an interface, use the ospf hello-interval command in interface configuration mode. To return the hello interval to the default value, use the no form of this command.

ospf hello-interval seconds

no ospf hello-interval

Syntax Description

seconds

Specifies the interval between hello packets that are sent on the interface; valid values are from 1 to 65535 seconds.


Defaults

The default value for hello-interval seconds is 10 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

This value is advertised in the hello packets. The smaller the hello interval, the faster topological changes will be detected, but more routing traffic will ensue. This value must be the same for all routers and access servers on a specific network.

Examples

The following example sets the OSPF hello interval to 5 seconds:

hostname(config-if)# ospf hello-interval 5

Related Commands

Command
Description

ospf dead-interval

Specifies the interval before neighbors declare a router down.

show ospf interface

Displays OSPF-related interface information.


ospf message-digest-key

To enable OSPF MD5 authentication, use the ospf message-digest-key command in interface configuration mode. To remove an MD5 key, use the no form of this command.

ospf message-digest-key key-id md5 key

no ospf message-digest-key

Syntax Description

key-id

Enables MD5 authentication and specifies the numerical authentication key ID number; valid values are from 1 to 255.

md5 key

Alphanumeric password of up to 16 bytes. You can include spaces between key characters. Spaces at the beginning or end of the key are ignored. MD5 authentication verifies the integrity of the communication, authenticates the origin, and checks for timeliness.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The ospf message-digest-key command lets you enable MD5 authentication. The no form of the command lets you remove an old MD5 key. key-id is a numerical identifier from 1 to 255 for the authentication key. key is an alphanumeric password of up to 16 bytes. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.

Examples

The following example shows how to specify an MD5 key for OSPF authentication:

hostname(config-if)# ospf message-digest-key 3 md5 ThisIsMyMd5Key
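
The following Python, added here and not Cisco code, shows the difference between the two OSPF authentication types above, ospf authentication-key and ospf message-digest-key, using the packet format of RFC 2328 Appendix D: the simple password is copied into the 64-bit authentication field in clear, while the MD5 key stays off the wire and only a digest over packet and key, together with a key ID and a cryptographic sequence number, is appended. The router ID, area and hello body are constructed sample values; the passwords are the ones used in the examples.

```python
import hashlib
import hmac
import struct

OSPF_VERSION, OSPF_HELLO = 2, 1
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HEADER_LEN = 24   # 16-byte fixed header + 64-bit authentication field

# Constructed sample hello body (RFC 2328 A.3.2): mask, hello 10 s, options,
# priority 1, dead 40 s, DR 0, BDR 0, no neighbors listed.
SAMPLE_HELLO = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
ROUTER_ID, AREA_ID = 0x0A000001, 0   # constructed: router 10.0.0.1, area 0


def _checksum(data):
    """One's-complement checksum used by AuType 0 and 1 (not by MD5)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _fixed_header(length, checksum, autype):
    return struct.pack("!BBHIIHH", OSPF_VERSION, OSPF_HELLO, length,
                       ROUTER_ID, AREA_ID, checksum, autype)


def build_simple(payload, password):
    """ospf authentication-key PASSWORD: the password (8 bytes, zero padded)
    is copied into the authentication field in clear."""
    if len(password) > 8:
        raise ValueError("password must be less than 9 characters")
    length = HEADER_LEN + len(payload)
    # The checksum covers the packet with the authentication field excluded.
    csum = _checksum(_fixed_header(length, 0, AUTH_SIMPLE) + payload)
    return (_fixed_header(length, csum, AUTH_SIMPLE)
            + password.encode().ljust(8, b"\0") + payload)


def build_md5(payload, key_id, key, seq):
    """ospf message-digest-key KEY_ID md5 KEY: the key stays off the wire;
    MD5(packet || key zero-padded to 16 bytes) is appended after the packet
    and is not counted in the length field. seq is the cryptographic
    sequence number behind the timeliness check."""
    if not 1 <= key_id <= 255 or len(key) > 16:
        raise ValueError("key-id is 1 to 255, key is up to 16 bytes")
    length = HEADER_LEN + len(payload)
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = _fixed_header(length, 0, AUTH_MD5) + auth + payload
    digest = hashlib.md5(packet + key.encode().ljust(16, b"\0")).digest()
    return packet + digest


def verify_md5(wire, keyring, last_seq):
    """Receiver side: known key-id, digest matches, sequence not decreasing.
    keyring maps key-id -> key. Returns (accepted, reason, sequence to remember)."""
    if len(wire) < HEADER_LEN:
        return False, "truncated header", last_seq
    length = struct.unpack("!H", wire[2:4])[0]
    autype = struct.unpack("!H", wire[14:16])[0]
    if autype != AUTH_MD5:
        return False, "not cryptographic authentication (AuType %d)" % autype, last_seq
    _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if auth_len != 16 or len(wire) < length + 16:
        return False, "bad authentication data length", last_seq
    key = keyring.get(key_id)
    if key is None:
        return False, "unknown key-id %d" % key_id, last_seq
    expected = hashlib.md5(wire[:length] + key.encode().ljust(16, b"\0")).digest()
    if not hmac.compare_digest(expected, wire[length:length + 16]):
        return False, "digest mismatch: wrong key or altered packet", last_seq
    if seq < last_seq:
        return False, "replayed or out-of-order sequence number", last_seq
    return True, "ok", seq
```

A packet built with build_simple contains the password bytes verbatim, which is why the reference pairs ospf authentication with ospf message-digest-key; verify_md5 rejects an altered payload, a wrong or unknown key, and a sequence number that went backwards.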

Related Commands

Command
Description

area authentication

Enables OSPF area authentication.

ospf authentication

Enables the use of OSPF authentication.


ospf mtu-ignore

To disable OSPF maximum transmission unit (MTU) mismatch detection on receiving database packets, use the ospf mtu-ignore command in interface configuration mode. To restore MTU mismatch detection, use the no form of this command.

ospf mtu-ignore

no ospf mtu-ignore

Syntax Description

This command has no arguments or keywords.

Defaults

By default, ospf mtu-ignore is enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

OSPF checks whether neighbors are using the same MTU on a common interface. This check is performed when neighbors exchange Database Descriptor (DBD) packets. If the receiving MTU in the DBD packet is higher than the IP MTU configured on the incoming interface, OSPF adjacency will not be established. The ospf mtu-ignore command disables OSPF MTU mismatch detection on receiving DBD packets. It is enabled by default.

Examples

The following example shows how to disable the ospf mtu-ignore command:

hostname(config-if)# ospf mtu-ignore

Related Commands

Command
Description

show interface

Displays interface status information.


ospf network point-to-point non-broadcast

To configure the OSPF interface as a point-to-point, non-broadcast network, use the ospf network point-to-point non-broadcast command in interface configuration mode. To remove this command from the configuration, use the no form of this command. The ospf network point-to-point non-broadcast command lets you transmit OSPF routes over VPN tunnels.

ospf network point-to-point non-broadcast

no ospf network point-to-point non-broadcast

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

When the interface is specified as point-to-point, the OSPF neighbors have to be manually configured; dynamic discovery is not possible. To manually configure OSPF neighbors, use the neighbor command in router configuration mode.

When an interface is configured as point-to-point, the following restrictions apply:

You can define only one neighbor for the interface.

You need to define a static route pointing to the crypto endpoint.

The interface cannot form adjacencies unless neighbors are configured explicitly.

If OSPF over the tunnel is running on the interface, regular OSPF with an upstream router cannot be run on the same interface.

You should bind the crypto-map to the interface before specifying the OSPF neighbor to ensure that the OSPF updates are passed through the VPN tunnel. If you bind the crypto-map to the interface after specifying the OSPF neighbor, use the clear local-host all command to clear OSPF connections so the OSPF adjacencies can be established over the VPN tunnel.

Examples

The following example shows how to configure the selected interface as a point-to-point, non-broadcast interface:

hostname(config-if)# ospf network point-to-point non-broadcast
hostname(config-if)#

Related Commands

Command
Description

neighbor

Specifies manually configured OSPF neighbors.

show interface

Displays interface status information.


ospf priority

To change the OSPF router priority, use the ospf priority command in interface configuration mode. To restore the default priority, use the no form of this command.

ospf priority number

no ospf priority [number]

Syntax Description

number

Specifies the priority of the router; valid values are from 0 to 255.


Defaults

The default value for number is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

When two routers attached to a network both attempt to become the designated router, the one with the higher router priority takes precedence. If there is a tie, the router with the higher router ID takes precedence. A router with a router priority set to zero is ineligible to become the designated router or backup designated router. Router priority is configured only for interfaces to multiaccess networks (in other words, not to point-to-point networks).

Examples

The following example shows how to change the OSPF priority on the selected interface:

hostname(config-if)# ospf priority 4
hostname(config-if)# 

Related Commands

Command
Description

show ospf interface

Displays OSPF-related interface information.


ospf retransmit-interval

To specify the time between LSA retransmissions for adjacencies belonging to the interface, use the ospf retransmit-interval command in interface configuration mode. To restore the default value, use the no form of this command.

ospf retransmit-interval seconds

no ospf retransmit-interval [seconds]

Syntax Description

seconds

Specifies the time between LSA retransmissions for adjacent routers belonging to the interface; valid values are from 1 to 65535 seconds.


Defaults

The default value of retransmit-interval seconds is 5 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgment message. If the router receives no acknowledgment, it will re-send the LSA.

The setting of this parameter should be conservative, or needless retransmission will result. The value should be larger for serial lines and virtual links.

Examples

The following example shows how to change the retransmit interval for LSAs:

hostname(config-if)# ospf retransmit-interval 15
hostname(config-if)# 

Related Commands

Command
Description

show ospf interface

Displays OSPF-related interface information.


ospf transmit-delay

To set the estimated time required to send a link-state update packet on the interface, use the ospf transmit-delay command in interface configuration mode. To restore the default value, use the no form of this command.

ospf transmit-delay seconds

no ospf transmit-delay [seconds]

Syntax Description

seconds

Sets the estimated time required to send a link-state update packet on the interface. The default value is 1 second with a range from 1 to 65535 seconds.


Defaults

The default value of seconds is 1 second.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

LSAs in the update packet must have their ages incremented by the amount specified in the seconds argument before transmission. The value assigned should take into account the transmission and propagation delays for the interface.

If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. This setting has more significance on very low-speed links.

Examples

The following example sets the transmit delay to 3 seconds for the selected interface:

hostname(config-if)# ospf transmit-delay 3
hostname(config-if)#

Related Commands

Command
Description

show ospf interface

Displays OSPF-related interface information.


outstanding

To limit the number of unauthenticated e-mail proxy sessions, use the outstanding command in the applicable e-mail proxy mode. To remove the attribute from the configuration, use the no version of this command, which permits an unlimited number of unauthenticated sessions. Use this command to limit DoS attacks on the e-mail ports.

E-mail proxy connections have three states:

1. A new e-mail connection enters the "unauthenticated" state.

2. When the connection presents a username, it enters the "authenticating" state.

3. When the security appliance authenticates the connection, it enters the "authenticated" state.

If the number of connections in the unauthenticated state exceeds the configured limit, the security appliance terminates the oldest unauthenticated connection, preventing overload. It does not terminate authenticated connections.

outstanding {number}

no outstanding

Syntax Description

number

The number of unauthenticated sessions permitted. The range is from 1 to 1000.


Defaults

The default is 20.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Pop3s

Imap4s

Smtps


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to set a limit of 12 unauthenticated sessions for POP3S e-mail proxy.

hostname(config)# pop3s
hostname(config-pop3s)# outstanding 12
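
An added Python model (not Cisco code) of the admission rule the outstanding command configures: sessions count against the limit only while unauthenticated, the oldest unauthenticated session is terminated when the limit is exceeded, and authenticated sessions survive. Session identifiers are constructed; that a session stops counting once it has presented a username is this example's assumption.

```python
from collections import OrderedDict

UNAUTHENTICATED, AUTHENTICATING, AUTHENTICATED = range(3)


class EmailProxySessions:
    """Admission control modelled on the outstanding command: sessions count
    against the limit only while unauthenticated, and overflow terminates the
    oldest of them, never an authenticated one. Assumption, not stated by the
    reference: a session stops counting once it has presented a username."""

    def __init__(self, outstanding=20):     # 20 is the documented default
        if not 1 <= outstanding <= 1000:    # documented range
            raise ValueError("outstanding must be between 1 and 1000")
        self.limit = outstanding
        self.sessions = OrderedDict()        # session id -> state, oldest first
        self.terminated = []                 # ids dropped by the limit, in order

    def unauthenticated_count(self):
        return sum(1 for s in self.sessions.values() if s == UNAUTHENTICATED)

    def connect(self, sid):
        """A new e-mail connection enters the unauthenticated state; if that
        pushes the count over the limit, the oldest unauthenticated one goes."""
        self.sessions[sid] = UNAUTHENTICATED
        while self.unauthenticated_count() > self.limit:
            oldest = next(k for k, s in self.sessions.items() if s == UNAUTHENTICATED)
            del self.sessions[oldest]
            self.terminated.append(oldest)

    def present_username(self, sid):
        """The connection presents a username and enters the authenticating state."""
        self.sessions[sid] = AUTHENTICATING

    def authenticate(self, sid):
        """The security appliance authenticates the connection."""
        self.sessions[sid] = AUTHENTICATED

    def state(self, sid):
        return self.sessions.get(sid)


def flood_scenario(limit=12, flood=30):
    """The reference's POP3S example limit of 12, one legitimate user, then
    30 constructed connections that never send a username."""
    proxy = EmailProxySessions(limit)
    proxy.connect("alice")
    proxy.present_username("alice")
    proxy.authenticate("alice")
    for n in range(flood):
        proxy.connect("idle-%d" % n)
    return proxy
```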

participate

To force the device to participate in the virtual load-balancing cluster, use the participate command in VPN load-balancing mode. To remove a device from participation in the cluster, use the no form of this command.

participate

no participate

Syntax Description

This command has no arguments or keywords.

Defaults

The default behavior is that the device does not participate in the vpn load-balancing cluster.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

VPN load-balancing


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You must first configure the interface using the interface and nameif commands, and use the vpn load-balancing command to enter VPN load-balancing mode. You must also have previously configured the cluster IP address using the cluster ip command and configured the interface to which the virtual cluster IP address refers.

This command forces this device to participate in the virtual load-balancing cluster. You must explicitly issue this command to enable participation for a device.

All devices that participate in a cluster must share the same cluster-specific values: ip address, encryption settings, encryption key, and port.


Note When using encryption, you must have previously configured the command isakmp enable inside, where inside designates the load-balancing inside interface. If isakmp is not enabled on the load-balancing inside interface, you get an error message when you try to configure cluster encryption.

If isakmp was enabled when you configured the cluster encryption command, but was disabled before you configured the participate command, you get an error message when you enter the participate command, and the local device will not participate in the cluster.


Examples

The following is an example of a VPN load-balancing command sequence that includes a participate command that enables the current device to participate in the vpn load-balancing cluster:

hostname(config)# interface GigabitEthernet 0/1
hostname(config-if)# ip address 209.165.202.159 255.255.255.0
hostname(config-if)# nameif test
hostname(config)# interface GigabitEthernet 0/2
hostname(config-if)# ip address 209.165.201.30 255.255.255.0
hostname(config-if)# nameif foo
hostname(config)# vpn load-balancing
hostname(config-load-balancing)# interface lbpublic test
hostname(config-load-balancing)# interface lbprivate foo
hostname(config-load-balancing)# cluster ip address 209.165.202.224
hostname(config-load-balancing)# participate
hostname(config-load-balancing)# 

Related Commands

Command
Description

vpn load-balancing

Enters VPN load-balancing mode.


passwd

To set the login password, use the passwd command in global configuration mode. To set the password back to the default of "cisco," use the no form of this command. You are prompted for the login password when you access the CLI as the default user using Telnet or SSH. After you enter the login password, you are in user EXEC mode.

{passwd | password} password [encrypted]

no {passwd | password} password

Syntax Description

encrypted

(Optional) Specifies that the password is in encrypted form. The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. If for some reason you need to copy the password to another security appliance but do not know the original password, you can enter the passwd command with the encrypted password and this keyword. Normally, you only see this keyword when you enter the show running-config passwd command.

passwd | password

You can enter either command; they are aliased to each other.

password

Sets the password as a case-sensitive string of up to 80 characters. The password must not contain spaces.


Defaults

The default password is "cisco."

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

This login password is for the default user. If you configure CLI authentication per user for Telnet or SSH using the aaa authentication console command, then this password is not used.

Examples

The following example sets the password to Pa$$w0rd:

hostname(config)# passwd Pa$$w0rd

The following example sets the password to an encrypted password that you copied from another security appliance:

hostname(config)# passwd jMorNbK0514fadBh encrypted

Related Commands

Command
Description

clear configure passwd

Clears the login password.

enable

Enters privileged EXEC mode.

enable password

Sets the enable password.

show curpriv

Shows the currently logged in username and the user privilege level.

show running-config passwd

Shows the login password in encrypted form.


password (crypto ca trustpoint)

To specify a challenge phrase that is registered with the CA during enrollment, use the password command in crypto ca trustpoint configuration mode. The CA typically uses this phrase to authenticate a subsequent revocation request. To restore the default setting, use the no form of the command.

password string

no password

Syntax Description

string

Specifies the name of the password as a character string. The first character cannot be a number. The string can contain any alphanumeric characters, including spaces, up to 80 characters. You cannot specify the password in the format number-space-anything. The space after the number causes problems. For example, "hello 21" is a legal password, but "21 hello" is not. The password checking is case sensitive. For example, the password "Secret" is different from the password "secret".


Defaults

The default setting is to not include a password.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

This command lets you specify the revocation password for the certificate before actual certificate enrollment begins. The specified password is encrypted when the updated configuration is written to NVRAM by the security appliance.

If this command is enabled, you will not be prompted for a password during certificate enrollment.

Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes a challenge phrase registered with the CA in the enrollment request for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# password zzxxyy
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns enrollment parameters to their defaults.


password-prompt

To configure the prompt that requests the password for initial login to WebVPN, use the password-prompt command in webvpn mode. To revert to the default, "Password:", use the no form of this command.

password-prompt [prompt]

no password-prompt

Syntax Description

prompt

(Optional) Specifies the string that prompts users to enter a password. Maximum 16 characters.


Defaults

The default prompt is "Password:"

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to configure the password prompt, "Enter Password:"

hostname(config)# webvpn
hostname(config-webvpn)# password-prompt Enter Password:

password-storage

To let users store their login passwords on the client system, use the password-storage enable command in group-policy configuration mode or username configuration mode. To disable password storage, use the password-storage disable command.

To remove the password-storage attribute from the running configuration, use the no form of this command. This enables inheritance of a value for password-storage from another group policy.

password-storage {enable | disable}

no password-storage

Syntax Description

disable

Disables password storage.

enable

Enables password storage.


Defaults

Password storage is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Enable password storage only on systems that you know to be in secure sites.

This command has no bearing on interactive hardware client authentication or individual user authentication for hardware clients.

Examples

The following example shows how to enable password storage for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# password-storage enable

peer-id-validate

To specify whether to validate the identity of the peer using the peer's certificate, use the peer-id-validate command in tunnel-group ipsec-attributes mode. To return to the default value, use the no form of this command.

peer-id-validate option

no peer-id-validate

Syntax Description

option

Specifies one of the following options:

req: required

cert: if supported by certificate

nocheck: do not check


Defaults

The default setting for this command is req.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group ipsec attributes


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You can apply this attribute to all tunnel-group types.

Examples

The following example, entered in config-ipsec configuration mode, requires validating the peer using the identity of the peer's certificate for the IPSec LAN-to-LAN tunnel group named 209.165.200.225:

hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2L
hostname(config)# tunnel-group 209.165.200.225 ipsec-attributes
hostname(config-ipsec)# peer-id-validate req
hostname(config-ipsec)# 

Related Commands

Command
Description

clear configure tunnel-group

Clears all configured tunnel groups.

show running-config tunnel-group

Shows the configuration for the indicated tunnel group or for all tunnel groups.

tunnel-group-map default-group

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.


perfmon

To display performance information, use the perfmon command in privileged EXEC mode.

perfmon {verbose | interval seconds | quiet | settings}

Syntax Description

verbose

Displays performance monitor information at the security appliance console.

interval seconds

Specifies the number of seconds before the performance display is refreshed on the console.

quiet

Disables the performance monitor displays.

settings

Displays the interval and whether it is quiet or verbose.


Defaults

The default interval is 120 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode        Firewall Mode              Security Context
                    Routed    Transparent      Single    Multiple Context    System

Privileged EXEC     ·         ·                ·         ·

Command History

Release
Modification

7.0

Support for this command was introduced on the security appliance.


Usage Guidelines

The perfmon command allows you to monitor the performance of the security appliance. Use the show perfmon command to display the information immediately. Use the perfmon verbose command to display the information every 2 minutes continuously. Use the perfmon interval seconds command with the perfmon verbose command to display the information continuously every number of seconds that you specify.

An example of the performance information is displayed as follows:

PERFMON STATS:    Current      Average
Xlates              33/s          20/s
Connections        110/s          10/s
TCP Conns           50/s          42/s
WebSns Req           4/s           2/s
TCP Fixup           20/s          15/s
HTTP Fixup           5/s           5/s
FTP Fixup            7/s           4/s
AAA Authen          10/s           5/s
AAA Author           9/s           5/s
AAA Account          3/s           3/s


This information lists the number of translations, connections, Websense requests, address translations (called "fixups"), and AAA transactions that occur each second.
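The following added Python example, not part of this reference or the security appliance software, parses the PERFMON STATS layout shown above and flags counters whose current rate is far above the running average, which is the quickest way to notice a connection or AAA authentication burst when reviewing captured perfmon verbose output. The sample text, the spike thresholds and the function names are assumptions of the example.

```python
"""Parse 'show perfmon' / 'perfmon verbose' output and flag counters whose
current rate is far above the running average (hypothetical helper, not part
of the security appliance)."""
import re

# Constructed sample in the format shown in the usage guidelines above.
SAMPLE_PERFMON = """\
PERFMON STATS:    Current      Average
Xlates              33/s          20/s
Connections        110/s          10/s
TCP Conns           50/s          42/s
WebSns Req           4/s           2/s
TCP Fixup           20/s          15/s
HTTP Fixup           5/s           5/s
FTP Fixup            7/s           4/s
AAA Authen          10/s           5/s
AAA Author           9/s           5/s
AAA Account          3/s           3/s
"""

# One counter row: a name made of letters and spaces, then two per-second rates.
_ROW = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*?)\s+(?P<cur>\d+)/s\s+(?P<avg>\d+)/s$")


def parse_perfmon(text):
    """Return {counter name: (current per second, average per second)}.
    Lines that are not counter rows (the header, blank lines) are skipped."""
    stats = {}
    for line in text.splitlines():
        match = _ROW.match(line.strip())
        if match:
            stats[match.group("name")] = (int(match.group("cur")), int(match.group("avg")))
    return stats


def find_spikes(stats, ratio=3.0, min_rate=50):
    """Counters whose current rate is at least `ratio` times the average and at
    least `min_rate` per second (so 4/s against 2/s is not reported as a spike).
    A Connections or AAA Authen spike of this kind is worth correlating with
    syslog before assuming it is benign load.  Returns sorted (name, current, average)."""
    spikes = []
    for name, (current, average) in stats.items():
        if current >= min_rate and current >= ratio * max(average, 1):
            spikes.append((name, current, average))
    return sorted(spikes)


if __name__ == "__main__":
    for name, current, average in find_spikes(parse_perfmon(SAMPLE_PERFMON)):
        print("%s: %d/s now vs %d/s average" % (name, current, average))
```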

Examples

This example shows how to display the performance monitor statistics every 30 seconds on the security appliance console:

hostname(config)# perfmon interval 120
hostname(config)# perfmon quiet
hostname(config)# perfmon settings
interval: 120 (seconds)
quiet

Related Commands

Command
Description

show perfmon

Displays performance information.


periodic

To specify a recurring (weekly) time range for functions that support the time-range feature, use the periodic command in time-range configuration mode. To disable, use the no form of this command.

periodic days-of-the-week time to [days-of-the-week] time

no periodic days-of-the-week time to [days-of-the-week] time

Syntax Description

days-of-the-week

(Optional) The first occurrence of this argument is the starting day or day of the week that the associated time range is in effect. The second occurrence is the ending day or day of the week the associated statement is in effect.

This argument is any single day or combinations of days: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday. Other possible values are:

daily—Monday through Sunday

weekdays—Monday through Friday

weekend—Saturday and Sunday

If the ending days of the week are the same as the starting days of the week, you can omit them.

time

Specifies the time in the format HH:MM. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.

to

Entry of the to keyword is required to complete the range "from start-time to end-time."


Defaults

If a value is not entered with the periodic command, access to the security appliance as defined with the time-range command is in effect immediately and always on.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Time-range configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

To implement a time-based ACL, use the time-range command to define specific times of the day and week. Then use the access-list extended command with the time-range keyword to bind the time range to an ACL.

The periodic command is one way to specify when a time range is in effect. Another way is to specify an absolute time period with the absolute command. Use either of these commands after the time-range global configuration command, which specifies the name of the time range. Multiple periodic entries are allowed per time-range command.

If the end days-of-the-week value is the same as the start value, you can omit them.

If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.

The time-range feature relies on the system clock of the security appliance; however, the feature works best with NTP synchronization.

Examples

Some examples follow:

If you want:
Enter this:

Monday through Friday, 8:00 a.m. to 6:00 p.m. only

periodic weekdays 8:00 to 18:00

Every day of the week, from 8:00 a.m. to 6:00 p.m. only

periodic daily 8:00 to 18:00

Every minute from Monday 8:00 a.m. to Friday 8:00 p.m.

periodic monday 8:00 to friday 20:00

All weekend, from Saturday morning through Sunday night

periodic weekend 00:00 to 23:59

Saturdays and Sundays, from noon to midnight

periodic weekend 12:00 to 23:59


The following example shows how to allow access to the security appliance on Monday through Friday, 8:00 a.m. to 6:00 p.m. only:

hostname(config-time-range)# periodic weekdays 8:00 to 18:00
hostname(config-time-range)#

The following example shows how to allow access to the security appliance on specific days (Monday, Tuesday, and Friday), 10:30 a.m. to 12:30 p.m.:

hostname(config-time-range)# periodic Monday Tuesday Friday 10:30 to 12:30
hostname(config-time-range)#
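The following added Python example, not part of this reference or the security appliance software, implements the periodic semantics described above (the daily, weekdays and weekend groups, omitted ending days, multi-day spans such as monday 8:00 to friday 20:00, and the rule that periodic entries are only evaluated inside an absolute window) so that a time-based ACL can be checked against a given clock value before it is deployed. The class names, the at() helper and the treatment of the end time as inclusive to the minute are assumptions of the example.

```python
"""Evaluate Cisco time-range 'periodic' (and 'absolute') statements offline.
Hypothetical helper; not part of the security appliance."""
from datetime import datetime

# Day tokens accepted by the periodic command (Monday == 0, as in datetime).
_DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
_DAY_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}
_WEEK = 7 * 24 * 60  # minutes in a week


def at(text):
    """Parse 'YYYY-MM-DD HH:MM' into a datetime (helper for the checks below)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def _parse_days(tokens):
    days = set()
    for tok in tokens:
        tok = tok.lower()
        if tok in _DAY_GROUPS:
            days |= _DAY_GROUPS[tok]
        elif tok in _DAY_NAMES:
            days.add(_DAY_NAMES.index(tok))
        else:
            raise ValueError("unknown day token: %s" % tok)
    return days


def _parse_hhmm(text):
    hours, minutes = text.split(":")
    h, m = int(hours), int(minutes)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError("bad time: %s" % text)
    return h * 60 + m


class Periodic:
    """One 'periodic <days> HH:MM to [<days>] HH:MM' statement."""

    def __init__(self, line):
        tokens = line.split()
        if tokens[:1] == ["periodic"]:
            tokens = tokens[1:]
        to_idx = tokens.index("to")
        self.start_days = _parse_days(tokens[:to_idx - 1])
        self.start_min = _parse_hhmm(tokens[to_idx - 1])
        tail = tokens[to_idx + 1:]
        self.end_min = _parse_hhmm(tail[-1])
        # Ending days may be omitted when they equal the starting days.
        self.end_days = _parse_days(tail[:-1]) if len(tail) > 1 else self.start_days
        if self.end_days != self.start_days and (len(self.start_days) != 1 or len(self.end_days) != 1):
            raise ValueError("a multi-day span needs a single start day and a single end day")

    def _intervals(self):
        """Yield (start, end) in minutes of the week, end inclusive, unwrapped."""
        if self.end_days == self.start_days:
            for day in sorted(self.start_days):  # same-day window on each listed day
                start = day * 1440 + self.start_min
                end = day * 1440 + self.end_min
                if end < start:  # e.g. 22:00 to 02:00 runs into the next day
                    end += 1440
                yield start, end
        else:  # continuous span, e.g. monday 8:00 to friday 20:00
            start = next(iter(self.start_days)) * 1440 + self.start_min
            end = next(iter(self.end_days)) * 1440 + self.end_min
            if end < start:  # span crosses the Sunday/Monday boundary
                end += _WEEK
            yield start, end

    def active_at(self, when):
        minute_of_week = when.weekday() * 1440 + when.hour * 60 + when.minute
        for start, end in self._intervals():
            if start <= minute_of_week <= end or start <= minute_of_week + _WEEK <= end:
                return True
        return False


class TimeRange:
    """A time-range: optional absolute window plus zero or more periodic entries."""

    def __init__(self, periodic=(), absolute_start=None, absolute_end=None):
        self.periodic = [Periodic(p) for p in periodic]
        self.absolute_start = absolute_start
        self.absolute_end = absolute_end

    def in_effect(self, when):
        # Periodic entries are evaluated only between the absolute start and end.
        if self.absolute_start is not None and when < self.absolute_start:
            return False
        if self.absolute_end is not None and when > self.absolute_end:
            return False
        if not self.periodic:  # no periodic value: in effect immediately and always on
            return True
        return any(p.active_at(when) for p in self.periodic)
```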

Related Commands

Command
Description

absolute

Defines an absolute time when a time range is in effect.

access-list extended

Configures a policy for permitting or denying IP traffic through the security appliance.

default

Restores default settings for the time-range command absolute and periodic keywords.

time-range

Defines access control to the security appliance based on time.


permit errors

To allow invalid GTP packets or packets that otherwise would fail parsing and be dropped, use the permit errors command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form of this command to remove the command.

permit errors

no permit errors

Syntax Description

This command has no arguments or keywords.

Defaults

By default, all invalid packets, or packets that failed during parsing, are dropped.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

GTP map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Use the permit errors command in GTP map configuration mode to allow any packets that are invalid or encountered an error during inspection of the message to be sent through the security appliance instead of being dropped.

Examples

The following example permits traffic containing invalid packets or packets that failed during parsing:

hostname(config)# gtp-map qtp-policy
hostname(config-gtpmap)# permit errors

Related Commands

Command
Description

clear service-policy inspect gtp

Clears global GTP statistics.

gtp-map

Defines a GTP map and enables GTP map configuration mode.

inspect gtp

Applies a specific GTP map to use for application inspection.

permit response

Supports load-balancing GSNs.

show service-policy inspect gtp

Displays the GTP configuration.


permit response

To support load-balancing GSNs, use the permit response command in GTP map configuration mode, which is accessed by using the gtp-map command. The permit response command supports load-balancing GSNs by allowing GTP responses from a different GSN than the response was sent to. Use the no form of this command to remove the command.

permit response to-object-group to_obj_group_id from-object-group from_obj_group_id

no permit response to-object-group to_obj_group_id from-object-group from_obj_group_id

Syntax Description

from-object-group from_obj_group_id

Specifies the name of the object-group configured with the object-group command which can send responses to the set of GSNs in the object-group specified by the to_obj_group_id argument. The security appliance supports only object-groups containing network-objects with IPv4 addresses. IPv6 addresses are currently not supported with GTP.

to-object-group to_obj_group_id

Specifies the name of the object-group configured with the object-group command which can receive responses from the set of GSNs in the object-group specified by the from_obj_group_id argument. The security appliance supports only object-groups containing network-objects with IPv4 addresses. IPv6 addresses are currently not supported with GTP.


Defaults

By default, the security appliance drops GTP responses from GSNs other than the host to which the request was sent.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

GTP map configuration


Command History

Release
Modification

7.0(4)

This command was introduced.


Usage Guidelines

Use the permit response command in GTP map configuration mode to support load-balancing GSNs. The permit response command configures the GTP map to allow GTP responses from a different GSN than the response was sent to.

You identify the pool of load-balancing GSNs as a network object. Likewise, you identify the SGSN as a network object. If the GSN responding belongs to the same object group as the GSN that the GTP request was sent to and if the SGSN is in an object group that the responding GSN is permitted to send a GTP response to, the security appliance permits the response.

Examples

The following example permits GTP responses from any host on the 192.168.32.0 network to the host with the IP address 192.168.112.57:

hostname(config)# object-group network gsnpool32
hostname(config-network)# network-object 192.168.32.0 255.255.255.0
hostname(config)# object-group network sgsn1 
hostname(config-network)# network-object host 192.168.112.57
hostname(config-network)# exit 
hostname(config)# gtp-map qtp-policy
hostname(config-gtpmap)# permit response to-object-group sgsn1 from-object-group gsnpool32
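The following added Python example, not part of this reference or the security appliance software, models the decision described in the usage guidelines: a GTP response from a GSN other than the one the request was sent to is permitted only when the responder and the original destination are both in the from-object-group and the SGSN is in the to-object-group of a permit response rule, and IPv4-only object groups are enforced. The class names, the network-object line parser and the response_allowed() signature are assumptions of the example, built on the gsnpool32 and sgsn1 objects from the example above.

```python
"""Model the 'permit response' check of a GTP map (hypothetical helper,
not part of the security appliance)."""
from ipaddress import ip_address, ip_network


class NetworkObjectGroup:
    """An 'object-group network' built from its network-object lines."""

    def __init__(self, name, lines):
        self.name = name
        self.networks = [self._parse(line) for line in lines]

    @staticmethod
    def _parse(line):
        tokens = line.split()
        if tokens[:2] == ["network-object", "host"] and len(tokens) == 3:
            net = ip_network(tokens[2])  # a bare address becomes a /32
        elif tokens[:1] == ["network-object"] and len(tokens) == 3:
            net = ip_network("%s/%s" % (tokens[1], tokens[2]), strict=False)
        else:
            raise ValueError("unsupported network-object line: %r" % line)
        if net.version != 4:  # GTP inspection supports IPv4 object-groups only
            raise ValueError("IPv6 addresses are not supported with GTP: %r" % line)
        return net

    def contains(self, ip):
        addr = ip_address(ip)
        return addr.version == 4 and any(addr in net for net in self.networks)


class GtpMap:
    """The subset of a gtp-map that decides whether a GTP response is passed."""

    def __init__(self, name):
        self.name = name
        self.permit_response = []  # list of (to_group, from_group)

    def permit_response_rule(self, to_group, from_group):
        """permit response to-object-group <to_group> from-object-group <from_group>"""
        self.permit_response.append((to_group, from_group))

    def response_allowed(self, request_dst, responder, sgsn):
        """request_dst: GSN the SGSN sent the request to; responder: GSN that
        answered; sgsn: the SGSN receiving the response.  Default behaviour is
        to drop any response that does not come from request_dst."""
        if ip_address(responder) == ip_address(request_dst):
            return True
        for to_group, from_group in self.permit_response:
            if (from_group.contains(responder)
                    and from_group.contains(request_dst)
                    and to_group.contains(sgsn)):
                return True
        return False


def build_example_map():
    """The gsnpool32 / sgsn1 / qtp-policy configuration from the example above."""
    gsnpool32 = NetworkObjectGroup("gsnpool32", ["network-object 192.168.32.0 255.255.255.0"])
    sgsn1 = NetworkObjectGroup("sgsn1", ["network-object host 192.168.112.57"])
    gtp_map = GtpMap("qtp-policy")
    gtp_map.permit_response_rule(to_group=sgsn1, from_group=gsnpool32)
    return gtp_map
```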

Related Commands

Command
Description

clear service-policy inspect gtp

Clears global GTP statistics.

gtp-map

Defines a GTP map and enables GTP map configuration mode.

inspect gtp

Applies a specific GTP map to use for application inspection.

permit errors

Allows invalid GTP packets.

show service-policy inspect gtp

Displays the GTP configuration.


pfs

To enable PFS, use the pfs enable command in group-policy configuration mode. To disable PFS, use the pfs disable command. To remove the PFS attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for PFS from another group policy.

In IPSec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key.

pfs {enable | disable}

no pfs

Syntax Description

disable

Disables PFS.

enable

Enables PFS.


Defaults

PFS is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The PFS setting on the VPN Client and the security appliance must match.

Examples

The following example shows how to set PFS for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# pfs enable

pim

To re-enable PIM on an interface, use the pim command in interface configuration mode. To disable PIM, use the no form of this command.

pim

no pim

Syntax Description

This command has no arguments or keywords.

Defaults

The multicast-routing command enables PIM on all interfaces by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The multicast-routing command enables PIM on all interfaces by default. Only the no form of the pim command is saved in the configuration.


Note PIM is not supported with PAT. The PIM protocol does not use ports and PAT only works with protocols that use ports.


Examples

The following example disables PIM on the selected interface:

hostname(config-if)# no pim

Related Commands

Command
Description

multicast-routing

Enables multicast routing on the security appliance.


pim accept-register

To configure the security appliance to filter PIM register messages, use the pim accept-register command in global configuration mode. To remove the filtering, use the no form of this command.

pim accept-register {list acl | route-map map-name}

no pim accept-register

Syntax Description

list acl

Specifies an access list name or number. Use only standard host ACLs with this command; extended ACLs are not supported.

route-map map-name

Specifies a route-map name. Use standard host ACLs in the referenced route-map; extended ACLs are not supported.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

This command is used to prevent unauthorized sources from registering with the RP. If an unauthorized source sends a register message to the RP, the security appliance will immediately send back a register-stop message.

Examples

The following example restricts PIM register messages to those from sources defined in the access list named "no-ssm-range":

hostname(config)# pim accept-register list no-ssm-range

Related Commands

Command
Description

multicast-routing

Enables multicast routing on the security appliance.


pim dr-priority

To configure the neighbor priority on the security appliance used for designated router election, use the pim dr-priority command in interface configuration mode. To restore the default priority, use the no form of this command.

pim dr-priority number

no pim dr-priority

Syntax Description

number

A number from 0 to 4294967294. This number is used to determine the priority of the device when determining the designated router. Specifying 0 prevents the security appliance from becoming the designated router.


Defaults

The default value is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The device with the largest priority value on an interface becomes the PIM designated router. If multiple devices have the same designated router priority, then the device with the highest IP address becomes the DR. If a device does not include the DR-Priority Option in hello messages, it is regarded as the highest-priority device and becomes the designated router. If multiple devices do not include this option in their hello messages, then the device with the highest IP address becomes the designated router.

Examples

The following example sets the DR priority for the interface to 5:

hostname(config-if)# pim dr-priority 5
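The following added Python example, not part of this reference or the security appliance software, applies the election order given in the usage guidelines to a set of PIM hello neighbors: a device that omits the DR-Priority Option outranks every device that sends one, otherwise the largest priority wins and ties go to the highest IP address, and a device advertising priority 0 is never elected. Reviewing the full ranking shows which neighbor would take over if the current DR disappears. The tuple representation and function names are assumptions of the example.

```python
"""PIM designated router election as described for pim dr-priority
(hypothetical helper, not part of the security appliance)."""
from ipaddress import ip_address


def dr_rank_key(neighbor):
    """Sort key: a hello with no DR-Priority Option ranks above any hello that
    carries one; otherwise the larger priority wins; ties fall to the higher IP."""
    ip, priority = neighbor
    no_option = priority is None
    return (no_option, priority if priority is not None else 0, int(ip_address(ip)))


def elect_designated_router(neighbors):
    """neighbors: iterable of (ip, dr_priority) where dr_priority is an int or
    None when the hello carried no DR-Priority Option.  Priority 0 means the
    device must not become the DR, so such devices are excluded.  Returns the
    winning IP as a string, or None when no device is eligible."""
    eligible = [n for n in neighbors if n[1] != 0]
    if not eligible:
        return None
    return max(eligible, key=dr_rank_key)[0]


def election_order(neighbors):
    """Full ranking, best candidate first."""
    return [ip for ip, _ in sorted(neighbors, key=dr_rank_key, reverse=True)]


if __name__ == "__main__":
    # Constructed neighbor set: one device omits the option and therefore wins.
    hellos = [("10.0.0.2", 5), ("10.0.0.9", 1), ("10.0.0.1", None)]
    print("DR:", elect_designated_router(hellos))
    print("order:", election_order(hellos))
```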

Related Commands

Command
Description

multicast-routing

Enables multicast routing on the security appliance.


pim hello-interval

To configure the frequency of the PIM hello messages, use the pim hello-interval command in interface configuration mode. To restore the hello-interval to the default value, use the no form of this command.

pim hello-interval seconds

no pim hello-interval [seconds]

Syntax Description

seconds

The number of seconds that the security appliance waits before sending a hello message. Valid values range from 1 to 3600 seconds. The default value is 30 seconds.


Defaults

30 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example sets the PIM hello interval to 1 minute:

hostname(config-if)# pim hello-interval 60

Related Commands

Command
Description

multicast-routing

Enables multicast routing on the security appliance.


pim join-prune-interval

To configure the PIM join/prune interval, use the pim join-prune-interval command in interface configuration mode. To restore the interval to the default value, use the no form of this command.

pim join-prune-interval seconds

no pim join-prune-interval [seconds]

Syntax Description

seconds

The number of seconds that the security appliance waits before sending a join/prune message. Valid values range from 10 to 600 seconds. 60 seconds is the default.


Defaults

60 seconds

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example sets the PIM join/prune interval to 2 minutes:

hostname(config-if)# pim join-prune-interval 120

Related Commands

Command
Description

multicast-routing

Enables multicast routing on the security appliance.


pim old-register-checksum

To allow backward compatibility on a rendezvous point (RP) that uses old register checksum methodology, use the pim old-register-checksum command in global configuration mode. To generate PIM RFC-compliant registers, use the no form of this command.

pim old-register-checksum

no pim old-register-checksum

Syntax Description

This command has no arguments or keywords.

Defaults

The security appliance generates PIM RFC-compliant registers.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The security appliance software accepts register messages with checksum on the PIM header and only the next 4 bytes rather than using the Cisco IOS method—accepting register messages with the entire PIM message for all PIM message types. The pim old-register-checksum command generates registers compatible with Cisco IOS software.

Examples

The following example configures the security appliance to use the old checksum calculations:

hostname(config)# pim old-register-checksum

Related Commands

Command
Description

multicast-routing

Enables multicast routing on the security appliance.


pim rp-address

To configure the address of a PIM rendezvous point (RP), use the pim rp-address command in global configuration mode. To remove an RP address, use the no form of this command.

pim rp-address ip_address [acl] [bidir]

no pim rp-address ip_address

Syntax Description

acl

(Optional) The name or number of a standard access list that defines which multicast groups the RP should be used with. Do not use a host ACL with this command.

bidir

(Optional) Indicates that the specified multicast groups are to operate in bidirectional mode. If the command is configured without this option, the specified groups operate in PIM sparse mode.

ip_address

IP address of a router to be a PIM RP. This is a unicast IP address in four-part dotted-decimal notation.



Defaults

No PIM RP addresses are configured.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

All routers within a common PIM sparse mode (PIM-SM) or bidir domain require knowledge of the well-known PIM RP address. The address is statically configured using this command.


Note The security appliance does not support Auto-RP; you must use the pim rp-address command to specify the RP address.


You can configure a single RP to serve more than one group. The group range specified in the access list determines the PIM RP group mapping. If an access list is not specified, the RP for the group is applied to the entire IP multicast group range (224.0.0.0/4).


Note The security appliance always advertises the bidir capability in the PIM hello messages regardless of the actual bidir configuration.


Examples

The following example sets the PIM RP address to 10.0.0.1 for all multicast groups:

hostname(config)# pim rp-address 10.0.0.1

Related Commands

Command
Description

pim accept-register

Configures candidate RPs to filter PIM register messages.


pim spt-threshold infinity

To change the behavior of the last hop router to always use the shared tree and never perform a shortest-path tree (SPT) switchover, use the pim spt-threshold infinity command in global configuration mode. To restore the default value, use the no form of this command.

pim spt-threshold infinity [group-list acl]

no pim spt-threshold

Syntax Description

group-list acl

(Optional) Indicates the source groups restricted by the access list. The acl argument must specify a standard ACL; extended ACLs are not supported.


Defaults

The last hop PIM router switches to the shortest-path source tree by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

If the group-list keyword is not used, this command applies to all multicast groups.

Examples

The following example causes the last hop PIM router to always use the shared tree instead of switching to the shortest-path source tree:

hostname(config)# pim spt-threshold infinity

Related Commands

Command
Description

multicast-routing

Enables multicast routing on the security appliance.


ping

To determine if other IP addresses are visible from the security appliance, use the ping command in privileged EXEC mode.

ping [if_name] host [data pattern] [repeat count] [size bytes] [timeout seconds] [validate]

Syntax Description

data pattern

(Optional) Specifies the 16-bit data pattern in hexadecimal.

host

Specifies the IPv4 or IPv6 address or name of the host to ping.

if_name

(Optional) Specifies the interface name, as configured by the nameif command, by which the host is accessible. If not supplied, then the host is resolved to an IP address and then the routing table is consulted to determine the destination interface.

repeat count

(Optional) Specifies the number of times to repeat the ping request.

size bytes

(Optional) Specifies the datagram size in bytes.

timeout seconds

(Optional) Specifies the number of seconds to wait before timing out the ping request.

validate

(Optional) Specifies to validate reply data.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The ping command allows you to determine if the security appliance has connectivity or if a host is available on the network. If the security appliance has connectivity, ensure that the icmp permit any interface command is configured. This configuration is required to allow the security appliance to respond and accept messages generated from the ping command. The ping command output shows if the response was received. If a host is not responding, when you enter the ping command, a message similar to the following displays:

hostname(config)# ping 10.1.1.1 
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Use the show interface command to ensure that the security appliance is connected to the network and is passing traffic. The address of the specified if_name is used as the source address of the ping.

If you want internal hosts to ping external hosts, you must do one of the following:

Create an ICMP access-list command for an echo reply; for example, to give ping access to all hosts, use the access-list acl_grp permit icmp any any command and bind the access-list command to the interface that you want to test using the access-group command.

Configure the ICMP inspection engine using the inspect icmp command. For example, adding the inspect icmp command to the class default_inspection class for the global service policy allows echo replies through the security appliance for echo requests initiated by internal hosts.

You can also perform an extended ping, which allows you to enter the keywords one line at a time.

If you are pinging through the security appliance between hosts or routers, but the pings are not successful, use the capture command to monitor the success of the ping.

The security appliance ping command does not require an interface name. If you do not specify an interface name, the security appliance checks the routing table to find the address that you specify. You can specify an interface name to indicate through which interface the ICMP echo requests are sent.
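The two options above (an ICMP access list, or the inspect icmp engine) differ in what they let back in: the access list permits any echo reply, while inspection admits only replies that answer a request the appliance has already seen leave. The following Python model of that stateful behaviour is an added example, not Cisco code and not a description of the appliance's internals; the packet sequence, the inside host address 10.1.1.5 and the outside address 203.0.113.9 are constructed (171.69.38.1 is borrowed from the ping examples on this page).

```python
from dataclasses import dataclass

ECHO_REPLY = 0      # ICMP type 0
ECHO_REQUEST = 8    # ICMP type 8


@dataclass(frozen=True)
class IcmpPacket:
    src: str          # source IPv4 address
    dst: str          # destination IPv4 address
    icmp_type: int    # ECHO_REQUEST or ECHO_REPLY
    ident: int        # ICMP identifier field
    seq: int          # ICMP sequence number field
    inbound: bool     # True when the packet arrives on the outside interface


class IcmpInspector:
    """Track echo requests leaving through the appliance and admit only the
    replies that answer them (a model of what 'inspect icmp' provides; without
    it, an echo reply is an unsolicited flow that an access-list must permit)."""

    def __init__(self):
        # Pending requests keyed by (inside_src, outside_dst, ident, seq)
        self._pending = set()

    def process(self, pkt):
        """Return 'permit' or 'drop' for one packet crossing the appliance."""
        if not pkt.inbound and pkt.icmp_type == ECHO_REQUEST:
            # Outbound echo request: open a state entry and let it through
            self._pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return "permit"
        if pkt.inbound and pkt.icmp_type == ECHO_REPLY:
            # Inbound echo reply: permitted only if it matches a pending request
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self._pending:
                self._pending.remove(key)   # one reply closes the entry
                return "permit"
        # Everything else (unsolicited or replayed replies, inbound requests)
        # is dropped unless an access-list permits it separately
        return "drop"


# Constructed packet sequence (hypothetical addresses, see the lead-in).
SAMPLE_PACKETS = [
    IcmpPacket("10.1.1.5", "171.69.38.1", ECHO_REQUEST, 0x1234, 1, inbound=False),
    IcmpPacket("171.69.38.1", "10.1.1.5", ECHO_REPLY, 0x1234, 1, inbound=True),
    IcmpPacket("171.69.38.1", "10.1.1.5", ECHO_REPLY, 0x1234, 1, inbound=True),    # replayed reply
    IcmpPacket("171.69.38.1", "10.1.1.5", ECHO_REPLY, 0x1234, 2, inbound=True),    # reply with no request
    IcmpPacket("203.0.113.9", "10.1.1.5", ECHO_REQUEST, 0x0001, 1, inbound=True),  # unsolicited inbound ping
]


def run_sample(packets=SAMPLE_PACKETS):
    """Run the packets through a fresh inspector and return the verdicts in order."""
    inspector = IcmpInspector()
    return [inspector.process(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{verdict:6} {pkt.src} -> {pkt.dst} type={pkt.icmp_type} id={pkt.ident:#06x} seq={pkt.seq}")
```

Only the first reply is admitted; the duplicate, the reply without a matching request, and the inbound echo request are all dropped, which is the difference between inspection and a blanket permit icmp any any access list.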

Examples

The following example shows how to determine if other IP addresses are visible from the security appliance:

hostname# ping 171.69.38.1
Sending 5, 100-byte ICMP Echos to 171.69.38.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

The following is an example of an extended ping:

hostname# ping
Interface: outside
Target IP address: 171.69.38.1
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Sending 5, 100-byte ICMP Echos to 171.69.38.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Related Commands

Command
Description

capture

Captures packets at an interface

icmp

Configures access rules for ICMP traffic that terminates at an interface.

show interface

Displays information about the VLAN configuration.


police

To apply strict scheduling priority for this class, use the police command in class mode. To remove the rate-limiting requirement, use the no form of this command.

police [output] conform-rate {conform-burst | conform-action {drop | transmit} | exceed-action {drop | transmit}}

no police

Syntax Description

conform-action

The action to take when the rate is less than the conform-burst value.

conform-burst

A value in the range 1000-512000000, specifying the maximum number of instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value.

conform-rate

The rate limit for this traffic flow; this is a value in the range 8000-2000000000, specifying the maximum speed (bits per second) allowed.

drop

Drop the packet.

exceed-action

Take this action when the rate is between the conform-rate value and the conform-burst value.

output

Enables policing of traffic flowing in the output direction.

transmit

Transmit the packet.


Defaults

No default behavior or variables.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Class


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You must have configured the policy-map command and the class command before issuing the police command.


Note The police command merely enforces the maximum speed and burst rate, forcing them to the conforming rate value. It does not enforce the conform-action or the exceed-action specification if these are present.


Policing traffic in the inbound direction is not supported.

You cannot enable both priority and policing together.

If a service policy is applied or removed from an interface that has existing VPN client/LAN-to-LAN or non-tunneled traffic already established, the QoS policy is not applied or removed from the traffic stream. To apply or remove the QoS policy for such connections, you must clear (that is, drop) the connections and re-establish them.
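To reason about what a given conform-rate (bits per second) and conform-burst (bytes) pair lets through, the following Python token-bucket model is useful. It is an added example, not Cisco code: the appliance's scheduler is not described on this page, so this is the textbook single-rate policer that the two parameters describe, and, as the Note above states for the appliance, it classifies packets only and takes no conform-action or exceed-action. The traffic trace is constructed; the rate and burst values come from the police example on this page.

```python
class Policer:
    """Single token bucket: tokens are bytes, refilled at conform-rate/8
    bytes per second and capped at conform-burst bytes (assumed model)."""

    RATE_RANGE = (8000, 2000000000)      # conform-rate range, bits per second
    BURST_RANGE = (1000, 512000000)      # conform-burst range, bytes

    def __init__(self, conform_rate_bps, conform_burst_bytes):
        lo, hi = self.RATE_RANGE
        if not lo <= conform_rate_bps <= hi:
            raise ValueError(f"conform-rate must be in {lo}-{hi} bps")
        lo, hi = self.BURST_RANGE
        if not lo <= conform_burst_bytes <= hi:
            raise ValueError(f"conform-burst must be in {lo}-{hi} bytes")
        self.rate_bytes_per_s = conform_rate_bps / 8.0
        self.burst = conform_burst_bytes
        self.tokens = float(conform_burst_bytes)   # bucket starts full
        self.last_time = 0.0

    def offer(self, now, size_bytes):
        """Classify one packet of size_bytes arriving at time now (seconds)."""
        elapsed = now - self.last_time
        if elapsed < 0:
            raise ValueError("arrivals must be in non-decreasing time order")
        self.last_time = now
        # Refill for the time that passed, never beyond the burst size
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform"
        return "exceed"


def simulate(conform_rate_bps, conform_burst_bytes, arrivals):
    """arrivals: list of (time_seconds, size_bytes) in non-decreasing time.
    Returns (conforming_packets, exceeding_packets)."""
    policer = Policer(conform_rate_bps, conform_burst_bytes)
    verdicts = [policer.offer(t, size) for t, size in arrivals]
    return verdicts.count("conform"), verdicts.count("exceed")


# Constructed trace: 20 frames of 1500 bytes at t=0, then 10 more one second
# later, policed with "police 100000 20000" (12500 bytes/s, 20000-byte bucket).
SAMPLE_ARRIVALS = [(0.0, 1500)] * 20 + [(1.0, 1500)] * 10

if __name__ == "__main__":
    conform, exceed = simulate(100000, 20000, SAMPLE_ARRIVALS)
    print(f"conform={conform} exceed={exceed}")
```

With a 20000-byte bucket, 13 of the first 20 frames fit the burst; one second later the bucket has refilled by 12500 bytes, so 8 of the next 10 conform. The check in the constructor mirrors the ranges given in the syntax description above.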

Examples

The following is an example of a police command that sets the conform rate to 100,000 bits per second, a burst value of 2,000,000 bytes, and specifies that traffic that exceeds the burst rate will be dropped:

hostname(config)# policy-map localpolicy1
hostname(config-pmap)# class firstclass
hostname(config-pmap-c)# police 100000 20000 exceed-action drop
hostname(config-pmap-c)# class class-default
hostname(config-pmap-c)# police 1000000 200000 exceed-action drop
hostname(config-pmap-c)# exit

Related Commands

class

Specifies a class-map to use for traffic classification.

clear configure policy-map

Remove all policy-map configuration, except that if a policy-map is in use in a service-policy command, that policy-map is not removed.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

show running-config policy-map

Display all current policy-map configurations.


policy

To specify the source for retrieving the CRL, use the policy command in ca-crl configuration mode.

policy {static | cdp | both}

Syntax Description

both

Specifies that if obtaining a CRL using the CRL distribution point fails, retry using static CDPs up to a limit of five.

cdp

Uses the CDP extension embedded within the certificate being checked. In this case, the security appliance retrieves up to five CRL distribution points from the CDP extension of the certificate being verified and augments their information with the configured default values, if necessary. If the security appliance attempt to retrieve a CRL using the primary CDP fails, it retries using the next available CDP in the list. This continues until either the security appliance retrieves a CRL or exhausts the list.

static

Uses up to five static CRL distribution points. If you specify this option, specify also the LDAP or HTTP URLs with the protocol command.


Defaults

The default setting is cdp.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CRL configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example enters ca-crl configuration mode, and configures CRL retrieval to occur using the CRL distribution point extension in the certificate being checked or if that fails, to use static CDPs:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# policy both
hostname(ca-crl)# 

Related Commands

Command
Description

crl configure

Enters ca-crl configuration mode.

crypto ca trustpoint

Enters trustpoint configuration mode.

url

Creates and maintains a list of static URLs for retrieving CRLs.


policy-map

To configure a policy, use the policy-map command in global configuration mode. To remove a policy, use the no form of this command.

policy-map name

no policy-map name

Syntax Description

name

The name for this policy-map. The name can be up to 40 characters long.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced in this release.


Usage Guidelines

A policy-map command configures a policy, which is an association of a traffic class with one or more security-related actions. A traffic class is a set of traffic that is identifiable by its packet content. For example, TCP traffic with a port value of 23 can be classified as a Telnet traffic class. A policy consists of a class command and its associated actions. A policy map can specify multiple policies. A service-policy command activates a policy map globally on all interfaces or on a single targeted interface.

The policy-map command lets you classify traffic and then apply feature-specific actions to it.

The maximum number of policy maps is 64.

Use the policy-map command to enter policy-map mode, in which you can enter class and description commands. See the individual command descriptions for detailed information.

The order in which different types of actions in a policy-map are performed is independent of the order in which the actions appear in these command descriptions.
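Several of the constraints stated in this and the preceding police entry (a policy-map name of at most 40 characters, at most 64 policy maps, priority and police never both enabled in one class, and the conform-rate and conform-burst ranges) can be checked before a configuration is pushed. The following Python lint is an added example, not Cisco code or a Cisco tool; it assumes running-config layout where class lines follow their policy-map line and priority/police lines follow their class line. The sample configuration is constructed from the examples on this page plus one deliberately faulty class.

```python
RATE_RANGE = (8000, 2000000000)     # police conform-rate, bits per second
BURST_RANGE = (1000, 512000000)     # police conform-burst, bytes
MAX_POLICY_MAPS = 64
MAX_NAME_LEN = 40
ACTIONS = {"drop", "transmit"}


def _check_police(where, args):
    """Validate the arguments of one police line; return a list of findings."""
    findings = []
    args = list(args)
    if args and args[0] == "output":
        args.pop(0)
    if not args or not args[0].isdigit():
        return [f"{where}: police is missing conform-rate"]
    rate = int(args.pop(0))
    if not RATE_RANGE[0] <= rate <= RATE_RANGE[1]:
        findings.append(f"{where}: conform-rate {rate} outside {RATE_RANGE[0]}-{RATE_RANGE[1]}")
    if args and args[0].isdigit():            # conform-burst is optional
        burst = int(args.pop(0))
        if not BURST_RANGE[0] <= burst <= BURST_RANGE[1]:
            findings.append(f"{where}: conform-burst {burst} outside {BURST_RANGE[0]}-{BURST_RANGE[1]}")
    while args:   # remaining tokens must be conform-action/exceed-action pairs
        keyword = args.pop(0)
        value = args.pop(0) if args else None
        if keyword not in ("conform-action", "exceed-action") or value not in ACTIONS:
            findings.append(f"{where}: unexpected police argument '{keyword} {value}'")
    return findings


def lint_policy_maps(config_text):
    """Scan policy-map sections of running-config text; return finding strings."""
    findings = []
    policy = cls = None
    actions_by_class = {}    # (policy, class) -> set of action keywords seen
    policy_names = []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] == "policy-map" and len(tokens) > 1:
            policy, cls = tokens[1], None
            policy_names.append(policy)
            if len(policy) > MAX_NAME_LEN:
                findings.append(f"policy-map {policy}: name longer than {MAX_NAME_LEN} characters")
        elif tokens[0] == "class" and policy and len(tokens) > 1:
            cls = tokens[1]
            actions_by_class.setdefault((policy, cls), set())
        elif tokens[0] in ("priority", "police") and policy and cls:
            where = f"policy-map {policy} class {cls}"
            seen = actions_by_class[(policy, cls)]
            already_flagged = {"priority", "police"} <= seen
            seen.add(tokens[0])
            if {"priority", "police"} <= seen and not already_flagged:
                findings.append(f"{where}: priority and police cannot both be enabled")
            if tokens[0] == "police":
                findings.extend(_check_police(where, tokens[1:]))
    if len(policy_names) > MAX_POLICY_MAPS:
        findings.append(f"{len(policy_names)} policy maps configured; the maximum is {MAX_POLICY_MAPS}")
    return findings


# Constructed sample: the page's police example plus a faulty outside-voip class.
SAMPLE_CONFIG = """\
policy-map localpolicy1
 class firstclass
  police 100000 20000 exceed-action drop
 class class-default
  police 1000000 200000 exceed-action drop
!
policy-map outside-policy
 description This policy map defines policies for the outside interface.
 class outside-voip
  priority
  police output 100000 500 exceed-action drop
"""

if __name__ == "__main__":
    for finding in lint_policy_maps(SAMPLE_CONFIG):
        print(finding)
```

On the sample the lint reports the priority/police conflict in outside-voip and its 500-byte burst, which is below the 1000-byte minimum; the two classes copied from the police example pass.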

Examples

The following is an example of the policy-map command; note the change in the prompt:

hostname(config)# policy-map localpolicy1
hostname(config-pmap)# 

The following is an example of a policy-map command for connection policy:

hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server

hostname(config-cmap)# match access-list http-server
hostname(config-cmap)# exit

hostname(config)# policy-map global-policy global
hostname(config-pmap)# description This policy map defines a policy concerning connection to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection conn-max 256

The following is an example of a policy-map command for the "outside" interface:

hostname(config)# class-map outside-voip
hostname(config-cmap)# match ip rtp 2000 100
hostname(config-cmap)# exit

hostname(config)# policy-map outside-policy
hostname(config-pmap)# description This policy map defines policies for the outside interface.
hostname(config-pmap)# class outside-voip
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# exit
hostname(config-pmap)# 

Related Commands

Command
Description

class

Specifies a class-map for traffic classification.

clear configure policy-map

Remove all policy-map configuration, except that if a policy-map is in use in a service-policy command, that policy-map is not removed.

description

Specifies a description for the policy-map.

help policy-map

Shows syntax help for the policy-map command.

show running-config policy-map

Display all current policy-map configurations.


polltime interface

To specify the interval between hello packets on the interface, use the polltime interface command in failover group configuration mode. To restore the default value, use the no form of this command.

polltime interface time

no polltime interface time

Syntax Description

time

Amount of time between hello messages.


Defaults

The default is 15 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Failover group configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Use the polltime interface command to change the frequency at which hello packets are sent out on the interfaces associated with the current failover group. With a faster poll time, the security appliance can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested.

Five missed consecutive interface hello packets cause interface testing.

This command is available for Active/Active failover only.

Examples

The following partial example shows a possible configuration for a failover group:

hostname(config)# failover group 1 
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# polltime interface 20
hostname(config-fover-group)# exit
hostname(config)#

Related Commands

Command
Description

failover group

Defines a failover group for Active/Active failover.

failover polltime

Configures the time between hello packets on monitored interfaces.


pop3s

To enter POP3S configuration mode, use the pop3s command in global configuration mode. To remove any commands entered in POP3S command mode, use the no version of this command.

POP3 is a client/server protocol in which your Internet server receives and holds e-mail for you. Periodically, you (or your client e-mail receiver) check your mailbox on the server and download any mail. This standard protocol is built into most popular e-mail products. POP3S lets you receive e-mail over an SSL connection.

pop3s

no pop3s

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to enter POP3S configuration mode:

hostname(config)# pop3s
hostname(config-pop3s)#

Related Commands

Command
Description

clear configure pop3s

Removes the POP3S configuration.

show running-config pop3s

Displays the running configuration for POP3S.