Cisco Security Appliance Command Reference, Version 7.0
T through Z Commands
Downloads: This chapterpdf (PDF - 0.97MB) The complete bookPDF (PDF - 18.73MB) | Feedback

T through Z Commands

Table Of Contents

T through Z Commands

tcp-map

tcp-options

telnet

terminal

terminal width

test aaa-server

text-color

tftp-server

timeout

timeout (aaa-server host)

timeout (gtp-map)

time-range

timers lsa-group-pacing

timers spf

title

title-color

transfer-encoding

trust-point

ttl-evasion-protection

tunnel-group

tunnel-group general-attributes

tunnel-group ipsec-attributes

tunnel-group-map default-group

tunnel-group-map enable

tunnel-limit

tx-ring-limit

urgent-flag

url

url-block

url-cache

url-list

url-list (webvpn)

url-server

user-authentication

user-authentication-idle-timeout

username

username attributes

username-prompt

virtual http

virtual telnet

vlan

vpn-access-hours

vpn-addr-assign

vpn-filter

vpn-framed-ip-address

vpn-framed-ip-netmask

vpn-group-policy

vpn-idle-timeout

vpn load-balancing

vpn-sessiondb logoff

vpn-sessiondb max-session-limit

vpn-session-timeout

vpn-simultaneous-logins

vpn-tunnel-protocol

webvpn

webvpn (group-policy, username)

who

window-variation

wins-server

write erase

write memory

write net

write standby

write terminal


T through Z Commands


tcp-map

To define a set of TCP normalization actions, use the tcp-map command in global configuration mode. The TCP normalization feature lets you specify criteria that identify abnormal packets, which the security appliance drops when they are detected. To remove the TCP map, use the no form of this command.

tcp-map map_name

no tcp-map map_name

Syntax Description

map_name

Specifies the TCP map name.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

This feature uses Modular Policy Framework. First define the TCP normalization actions you want to take using the tcp-map command. The tcp-map command enters tcp-map configuration mode, where you can enter one or more commands to define the TCP normalization actions. Then define the traffic to which you want to apply the TCP map using the class-map command. Enter the policy-map command to define the policy, and enter the class command to reference the class map. In class configuration mode, enter the set connection advanced-options command to reference the TCP map. Finally, apply the policy map to an interface using the service-policy command. For more information about how Modular Policy Framework works, see the Cisco Security Appliance Command Line Configuration Guide.

The following commands are available in tcp-map configuration mode:

check-retransmission

Enables and disables the retransmit data checks.

checksum-verification

Enables and disable checksum verification.

exceed-mss

Allows or drops packets that exceed MSS set by peer.

queue-limit

Configures the maximum number of out-of-order packets that can be queued for a TCP connection. This command is only available on the ASA 5500 series adaptive security appliance. On the PIX 500 series security appliance, the queue limit is 3 and cannot be changed.

reserved-bits

Sets the reserved flags policy in the security appliance.

syn-data

Allows or drops SYN packets with data.

tcp-options

Allows or clears the selective-ack, timestamps, or window-scale TCP options.

ttl-evasion-protection

Enables or disables the TTL evasion protection offered by the security appliance.

urgent-flag

Allows or clears the URG pointer through the security appliance.

window-variation

Drops a connection that has changed its window size unexpectedly.


Examples

For example, to allow urgent flag and urgent offset packets for all traffic sent to the range of TCP ports between the well known FTP data port and the Telnet port, enter the following commands:

hostname(config)# tcp-map tmap
hostname(config-tcp-map)# urgent-flag allow

hostname(config-tcp-map)# class-map urg-class
hostname(config-cmap)# match port tcp range ftp-data telnet

hostname(config-cmap)# policy-map pmap
hostname(config-pmap)# class urg-class
hostname(config-pmap-c)# set connection advanced-options tmap

hostname(config-pmap-c)# service-policy pmap global

Related Commands

Command
Description

class (policy-map)

Specifies a class map to use for traffic classification.

clear configure tcp-map

Clears the TCP map configuration.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

show running-config tcp-map

Displays the information about the TCP map configuration.

tcp-options

Allows or clears the selective-ack, timestamps, or window-scale TCP options.


tcp-options

To allow or clear the TCP options through the security appliance, use the tcp-options command in tcp-map configuration mode. To remove this specification, use the no form of this command.

tcp-options {selective-ack | timestamp | window-scale} {allow | clear}

no tcp-options {selective-ack | timestamp | window-scale} {allow | clear}

tcp-options range lower upper {allow | clear | drop}

no tcp-options range lower upper {allow | clear | drop}

Syntax Description

allow

Allows the TCP options through the TCP normalizer.

clear

Clears the TCP options through the TCP normalizer and allows the packet.

drop

Drops the packet.

lower

Lower bound ranges (6-7) and (9-255).

selective-ack

Sets the selective acknowledgement mechanism (SACK) option. The default is to allow the SACK option.

timestamp

Sets the timestamp option. Clearing the timestamp option will disable PAWS and RTT. The default is to allow the timestamp option.

upper

Upper bound range (6-7) and (9-255).

window-scale

Sets the window scale mechanism option. The default is to allow the window scale mechanism option.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tcp-map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. Use the tcp-options command in tcp-map configuration mode to clear selective-acknowledgement, window-scale, and timestamp TCP options. You can also clear or drop packets with options that are not very well defined.

Examples

The following example shows how to drop all packets with TCP options in the ranges of 6-7 and 9-255:

hostname(config)# access-list TCP extended permit tcp any any
hostname(config)# tcp-map tmap
hostname(config-tcp-map)# tcp-options range 6 7 drop
hostname(config-tcp-map)# tcp-options range 9 255 drop
hostname(config)# class-map cmap
hostname(config-cmap)# match access-list TCP
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# set connection advanced-options tmap
hostname(config)# service-policy pmap global

Related Commands

Command
Description

class

Specifies a class map to use for traffic classification.

help

Shows syntax help for the policy-map, class, and description commands.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

set connection

Configures connection values.

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.


telnet

To add Telnet access to the console and set the idle timeout, use the telnet command in global configuration mode. To remove Telnet access from a previously set IP address, use the no form of
this command.

telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}

no telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}

Syntax Description

hostname

Specifies the name of a host that can access the Telnet console of the security appliance.

interface_name

Specifies the name of the network interface to Telnet to.

IP_address

Specifies the IP address of a host or network authorized to log in to the security appliance.

IPv6_address

Specifies the IPv6 address/prefix authorized to log in to the security appliance.

mask

Specifies the netmask associated with the IP address.

timeout number

Number of minutes that a Telnet session can be idle before being closed by the security appliance; valid values are from 1 to 1440 minutes.


Defaults

By default, Telnet sessions left idle for five minutes are closed by the security appliance.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

The variable IPv6_address was added. The no telnet timeout command was added too.


Usage Guidelines

The telnet command lets you specify which hosts can access the security appliance console with Telnet. You can enable Telnet to the security appliance on all interfaces. However, the security appliance enforces that all Telnet traffic to the outside interface be protected by IPSec. To enable a Telnet session to the outside interface, configure IPSec on the outside interface to include IP traffic that is generated by the security appliance and enable Telnet on the outside interface.

Use the no telnet command to remove Telnet access from a previously set IP address. Use the telnet timeout command to set the maximum time that a console Telnet session can be idle before being logged off by the security appliance. You cannot use the no telnet command with the telnet timeout command.

If you enter an IP address, you must also enter a netmask. There is no default netmask. Do not use the subnetwork mask of the internal network. The netmask is only a bit mask for the IP address. To limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255.

If IPSec is operating, you can specify an unsecure interface name, which is typically, the outside interface. At a minimum, you might configure the crypto map command to specify an interface name with the telnet command.

Use the passwd command to set a password for Telnet access to the console. The default is cisco. Use the who command to view which IP addresses are currently accessing the security appliance console. Use the kill command to terminate an active Telnet console session.

If you use the aaa command with the console keyword, Telnet console access must be authenticated with an authentication server.


Note If you have configured the aaa command to require authentication for security appliance Telnet console access and the console login request times out, you can gain access to the security appliance from the serial console by entering the security appliance username and the password that was set with the enable password command.


Examples

This example shows how to permit hosts 192.168.1.3 and 192.168.1.4 to access the security appliance console through Telnet. In addition, all the hosts on the 192.168.2.0 network are given access.

hostname(config)# telnet 192.168.1.3 255.255.255.255 inside
hostname(config)# telnet 192.168.1.4 255.255.255.255 inside
hostname(config)# telnet 192.168.2.0 255.255.255.0 inside
hostname(config)# show running-config telnet
192.168.1.3 255.255.255.255 inside
192.168.1.4 255.255.255.255 inside
192.168.2.0 255.255.255.0 inside

This example shows how to change the maximum session idle duration:

hostname(config)# telnet timeout 10
hostname(config)# show running-config telnet timeout
telnet timeout 10 minutes

This example shows a Telnet console login session (the password does not display when entered):

hostname# passwd: cisco

Welcome to the XXX
...
Type help or `?' for a list of available commands.
hostname>

You can remove individual entries with the no telnet command or all telnet command statements with the clear configure telnet command:
hostname(config)# no telnet 192.168.1.3 255.255.255.255 inside
hostname(config)# show running-config telnet
192.168.1.4 255.255.255.255 inside
192.168.2.0 255.255.255.0 inside
 
   
hostname(config)# clear configure telnet

Related Commandsshow telnet

Command
Description

clear configure telnet

Removes a Telnet connection from the configuration.

kill

Terminates a Telnet session.

show running-config telnet

Displays the current list of IP addresses that are authorized to use Telnet connections to the security appliance.

who

Displays active Telnet administration sessions on the security appliance.


terminal

To set the terminal line parameters, use the terminal command in privileged EXEC mode.

terminal {monitor | no monitor | pager lines [lines]}

Syntax Description

monitor

Enables the display of syslog messages on this terminal.

no monitor

Disables the display of syslog messages on this terminal.

pager lines lines

Sets the number of lines on a page before the "---more---" prompt appears. The default is 24 lines; 0 means no page limit. The range is 0 through 2147483647 lines.


Defaults

The default for terminal monitor pager is 24 lines, if the lines argument is unspecified.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

The pager lines commands were added.


Examples

This example shows how to enable logging and then disable logging only in the current session:

hostname# terminal monitor
hostname# terminal no monitor

Related Commands

Command
Description

clear configure terminal

Clears the terminal display width setting.

show running-config terminal

Displays the current terminal settings.

terminal width

Sets the terminal display width in global configuration mode.


terminal width

To set the width for displaying information during console sessions, use the terminal width command in global configuration mode. To disable, use the no form of this command.

terminal width columns

no terminal width columns

Syntax Description

columns

Specifies the terminal width in columns. The default is 80. The range is 40 to 511.


Defaults

The default display width is 80 columns.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

This example shows how to terminal display width to 100 columns:

hostname# terminal width 100

Related Commands

Command
Description

clear configure terminal

Clears the terminal display width setting.

show running-config terminal

Displays the current terminal settings.

terminal

Sets the terminal line parameters in privileged EXEC mode.


test aaa-server

Use the test aaa-server command to check whether the security appliance can authenticate or authorize users with a particular AAA server. Failure to reach the AAA server may be due to incorrect configuration on the security appliance, or the AAA server may be unreachable for other reasons, such as restrictive network configurations or server downtime.

test aaa-server {authentication | authorization} server-tag [host server-ip] [username username] [password password]

Syntax Description

authentication

Specifies that the security appliance should send a test authentication request.

authorization

Specifies that the security appliance should send a test authorization request.

host server-ip

Specifies The IP address of the AAA server.

password password

Specifies the password for the username given. The password argument is available only for authentication tests. Make sure the password is correct for the username entered; otherwise, the authentication test will fail.

server-tag

Specifies the symbolic name of the server group, as defined by the aaa-server protocol command.

username username

Specifies the username of the account used to test the AAA server settings. Make sure the username exists on the AAA server; otherwise, the test will fail.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(4)

This command was introduced.


Usage Guidelines

The test aaa-server command enables you to verify that the security appliance can authenticate and authorize users with a particular AAA server. Using this command simplifies verification of the configuration on the security appliance by removing the necessity of testing with a real supplicant. It also helps you isolate whether authentication and authorization failures are due to misconfiguration of AAA server parameters, a connection problem to the AAA server, or other configuration errors on the security appliance.

When you enter the command, you can omit the host and password keyword and argument pairs. The security appliance will prompt you for their values. If you are performing an authentication test, you can also omit the password keyword and argument pair and provide the password when the security appliance prompts you.

Examples

The following example configures a RADIUS AAA server named "srvgrp1" on host "192.168.3.4", sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures authentication port 1650. The test aaa-server command following the setup of the AAA server parameters indicates that the authentication test failed to reach the server.

hostname(config)# aaa-server svrgrp1 protocol radius
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 192.168.3.4
hostname(config-aaa-server-host)# timeout 9
hostname(config-aaa-server-host)# retry-interval 7
hostname(config-aaa-server-host)# authentication-port 1650
hostname(config-aaa-server-host)# exit
hostname(config)# test aaa-server authentication svrgrp1
Server IP Address or name: 192.168.3.4
Username: bogus
Password: ******
INFO: Attempting Authentication test to IP address <192.168.3.4> (timeout: 10 seconds)
ERROR: Authentication Server not responding: No error

Related Commands

Command
Description

aaa-server host

Specifies parameters for a specific AAA server.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


text-color

To set a color for text in the WebVPN title bar on the login, home page, and file access page, use the text-color command in webvpn mode. To remove a text color from the configuration and reset the default, use the no form of this command.

text-color [black | white | auto]

no text-color

Syntax Description

auto

Chooses black or white based on the settings for the secondary-color command. That is, if the secondary color is black, this value is white.

black

The default text color for title bars is white.

white

You can change the color to black.


Defaults

The default text color for the title bars is white.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to set the text color for title bars to black:

hostname(config)# webvpn
hostname(config-webvpn)# text-color black

Related Commands

Command
Description

secondary-text-color

Sets the secondary text color for the WebVPN login, home page, and file access page.


tftp-server

To specify the default TFTP server and path and filename for use with configure net or write net commands, use the tftp-server command in global configuration mode. To remove the server configuration, use the no form of this command. This command supports IPv4 and IPv6 addresses.

tftp-server interface_name server filename

no tftp-server [interface_name server filename]

Syntax Description

interface_name

Specifies the gateway interface name. If you specify an interface other than the highest security interface, a warning message informs you that the interface is unsecure.

server

Sets the TFTP server IP address or name. You can enter an IPv4 or IPv6 address.

filename

Specifies the path and filename.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

The gateway interface is now required.


Usage Guidelines

The tftp-server command simplifies entering the configure net and write net commands. When you enter the configure net or write net commands, you can either inherit the TFTP server specified by the tftp-server command, or provide your own value. You can also inherit the path in the tftp-server command as is, add a path and filename to the end of the tftp-server command value, or override the tftp-server command value.

The security appliance supports only one tftp-server command.

Examples

This example shows how to specify a TFTP server and then read the configuration from the /temp/config/test_config directory:

hostname(config)# tftp-server inside 10.1.1.42 /temp/config/test_config
hostname(config)# configure net

Related Commands

Command
Description

configure net

Loads the configuration from the TFTP server and path you specify.

show running-config tftp-server

Displays the default TFTP server address and the directory of the configuration file.


timeout

To set the maximum idle time duration, use the timeout command in global configuration mode.

timeout [xlate | conn | udp | icmp | rpc | h225 | h323 | mgcp | mgcp-pat | sip | sip_media | uauth hh:mm:ss]

Syntax Description

conn

(Optional) Specifies the idle time after which a connection closes; the minimum duration is five minutes.

hh:mm:ss

Specifies the timeout.

h225 hh:mm:ss

(Optional) Specifies the idle time after which an H.225 signaling connection closes.

h323

(Optional) Specifies the idle time after which H.245 (TCP) and H.323 (UDP) media connections close. The default is five minutes.


Note Because the same connection flag is set on both H.245 and H.323 media connections, the H.245 (TCP) connection shares the idle timeout with the H.323 (RTP and RTCP) media connection.


half-closed

(Optional) Specifies the idle time after which a TCP half-closed connection will be freed.

icmp

(Optional) Specifies the idle time for ICMP.

mgcp hh:mm:ss

(Optional) Sets the idle time after which an MGCP media connection is removed.

mgcp-pat hh:mm:ss

(Optional) Sets the absolute interval after which an MGCP PAT translation is removed.

rpc

(Optional) Specifies the idle time until an RPC slot is freed; the minimum duration is one minute.

sip

(Optional) Modifies the SIP timer.

sip_media

(Optional) Modifies the SIP media timer, which is used for SIP RTP/RTCP with SIP UDP media packets, instead of the UDP inactivity timeout.

sunrpc

(Optional) Specifies the idle time after which a SUNRPC slot will be closed.

uauth

(Optional) Sets the duration before the authentication and authorization cache times out and the user has to reauthenticate the next connection.

udp

(Optional) Specifies the idle time until a UDP slot is freed; the minimum duration is one minute.

xlate

(Optional) Specifies the idle time until a translation slot is freed; the minimum value is one minute.


Defaults

The defaults are as follows:

conn hh:mm:ss is 1 hour (01:00:00).

h225 hh:mm:ss is 1 hour (01:00:00).

h323 hh:mm:ss is 5 minutes (00:05:00).

half-closed hh:mm:ss is 10 minutes (00:10:00).

icmp hh:mm:ss is 2 minutes (00:00:02)

mgcp hh:mm:ss is 5 minutes (00:05:00).

mgcp-pat hh:mm:ss is 5 minutes (00:05:00).

rpc hh:mm:ss is 10 minutes (00:10:00).

sip hh:mm: is 30 minutes (00:30:00).

sip_media hh:mm:ss is 2 minutes (00:02:00).

sunrpc hh:mm:ss is 10 minutes (00:10:00)

uauth timer is absolute.

udp hh:mm:ss is 2 minutes (00:02:00).

xlate hh:mm:ss is 3 hours (03:00:00).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration mode


Command History

Release
Modification

7.0

They keyword mgcp-pat was added.


Usage Guidelines

The timeout command lets you set the idle time for connection, translation UDP, and RPC slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence.


Note Do not use the timeout uauth 0:0:0 command if passive FTP is used for the connection or if the virtual command is used for web authentication.


The connection timer takes precedence over the translation timer; the translation timer works only after all connections have timed out.

When setting the conn hh:mm:ss, use 0:0:0 to never time out a connection.

When setting the half-closed hh:mm:ss, use 0:0:0 to never time out a half-closed connection. 

When setting the h255 hh:mm:ss, h225 00:00:00 means to never tear down an H.225 signaling connection. A timeout value of h225 00:00:01 disables the timer and closes the TCP connection immediately after all calls are cleared.

The uauth hh:mm:ss duration must be shorter than the xlate keyword. Set to 0 to disable caching. Do not set to zero if passive FTP is used on the connections.

To disable the absolute keyword, set the uauth timer to 0 (zero).

Examples

The following example shows how to configure the maximum idle time durations:

hostname(config)# timeout uauth 0:5:00 absolute uauth 0:4:00 inactivity
hostname(config)# show running-config timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00  
sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute uauth 0:04:00 inactivity

Related Commands

Command
Description

show running-config timeout

Displays the timeout value of the designated protocol.


timeout (aaa-server host)

To configure the host-specific maximum response time, in seconds, allowed before giving up on establishing a connection with the AAA server, use the timeout command in aaa-server host mode. To remove the timeout value and reset the timeout to the default value of 10 seconds, use the no form of this command.

timeout seconds

no timeout

Syntax Description

seconds

Specifies the timeout interval (1-60 seconds) for the request. This is the time after which the security appliance gives up on the request to the primary AAA server. If there is a standby AAA server, the security appliance sends the request to the backup server.


Defaults

The default timeout value is 10 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

aaa-server host configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

This command is valid for all AAA server protocol types.

Use the timeout command to specify the length of time during which the security appliance attempts to make a connection to a AAA server. Use the retry-interval command to specify the amount of time the security appliance waits between connection attempts.

The timeout is the total amount of time that the security appliance spends trying to complete a transaction with a server. The retry interval determines how often the communication is retried during the timeout period. Thus, if the retry interval is greater than or equal to the timeout value, you will see no retries. If you want to see retries, the retry interval musts be less than thte timeout value.

Examples

The following example configures a RADIUS AAA server named "svrgrp1" on host 1.2.3.4 to use a timeout value of 30 seconds, with a retry interval of 10 seconds. Thus, the security appliance tries the communication attempt three times before giving up after 30 seconds.

hostname(config)# aaa-server svrgrp1 protocol radius
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4
hostname(config-aaa-server-host)# timeout 30
hostname(config-aaa-server-host)# retry-interval 10
hostname(config-aaa-server-host)# exit
hostname(config)# 

Related Commands

Command
Description

aaa-server host

Enters aaa server host configuration mode so you can configure AAA server parameters that are host specific.

clear configure aaa-server

Removes all AAA command statements from the configuration.

show running-config aaa

Displays the current AAA configuration values.


timeout (gtp-map)

To change the inactivity timers for a GTP session, use the timeout command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form of this command to set these intervals to their default values.

timeout {gsn | pdp-context | request | signaling | tunnel } hh:mm:ss

no timeout {gsn | pdp-context | request | signaling | tunnel } hh:mm:ss

Syntax Description

hh:mm:ss

This is the timeout where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. The value 0 means never tear down immediately.

gsn

Specifies the period of inactivity after which a GSN will be removed.

pdp-context

Specifies the maximum period of time allowed before beginning to receive the PDP context.

request

Specifies the the maximum period of time allowed before beginning to receive the GTP message.

signaling

Specifies the period of inactivity after which the GTP signaling will be removed.

tunnel

Specifies the the period of inactivity after which the GTP tunnel will be torn down.


Defaults

The default is 30 minutes for gsn, pdp-context, and signaling.

The default for request is 1 minute.

The default for tunnel is 1 minute (in the case where a Delete PDP Context Request is not received).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

GTP map configuration

·

·

·

·

No


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The Packet Data Protocol (PDP) context is identified by the Tunnel Identifier (TID), which is a combination of IMSI and NSAPI. Each MS can have up to 15 NSAPIs, allowing it to create multiple PDP contexts each with a different NSAPI, based on application requirements for varied QoS levels.

A GTP tunnel is defined by two associated PDP Contexts in different GSN nodes and is identified with a Tunnel ID. A GTP tunnel is necessary to forward packets between an external packet data network and a mobile station user.

Examples

The following example sets a timeout value for the request queue of 2 minutes:

hostname(config)# gtp-map gtp-policy
hostname(config-gtpmap)# timeout request 00:02:00

Related Commands

Commands
Description

clear service-policy inspect gtp

Clears global GTP statistics.

debug gtp

Displays detailed information about GTP inspection.

gtp-map

Defines a GTP map and enables GTP map configuration mode.

inspect gtp

Applies a specific GTP map to use for application inspection.

show service-policy inspect gtp

Displays the GTP configuration.


time-range

To enter time-range configuration mode and define a time range that you can attach to traffic rules, or an action, use the time-range command in global configuration mode. To disable, use the no form of this command.

time-range name

no time-range name

Syntax Description

name

Name of the time range. The name must be 64 characters or less.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Creating a time range does not restrict access to the device. The time-range command defines the time range only. After a time range is defined, you can attach it to traffic rules or an action.

To implement a time-based ACL, use the time-range command to define specific times of the day and week. Then use the with the access-list extended time-range command to bind the time range to an ACL.

The time range relies on the system clock of the security appliance; however, the feature works best with NTP synchronization.

Examples

The following example creates a time range named "New_York_Minute" and enters time range configuration mode:

hostname(config)# time-range New_York_Minute
hostname(config-time-range)#

After you have created a time range and entered time-range configuration mode, you can define time range parameters with the absolute and periodic commands. To restore default settings for the time-range command absolute and periodic keywords, use the default command in time-range configuration mode.

To implement a time-based ACL, use the time-range command to define specific times of the day and week. Then use the with the access-list extended command to bind the time range to an ACL. The following example binds an ACL named "Sales" to a time range named "New_York_Minute":

hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host 
209.165.201.1 time-range New_York_Minute
hostname(config)# 

See the access-list extended command for more information about ACLs.

Related Commands

Command
Description

absolute

Defines an absolute time when a time range is in effect.

access-list extended

Configures a policy for permitting or denying IP traffic through the security appliance.

default

Restores default settings for the time-range command absolute and periodic keywords.

periodic

Specifies a recurring (weekly) time range for functions that support the time-range feature.


timers lsa-group-pacing

To specify the interval at which OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged, use the timers lsa-group-pacing command in router configuration mode. To restore the default value, use the no form of this command.

timers lsa-group-pacing seconds

no timers lsa-group-pacing [seconds]

Syntax Description

seconds

The interval at which OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged. Valid values are from 10 to 1800 seconds.


Defaults

The default interval is 240 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To change the interval at which the OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged, use the timers lsa-group-pacing seconds command. To return to the default timer values, use the no timers lsa-group-pacing command.

Examples

The following example sets the group processing interval of LSAs to 500 seconds:

hostname(config-router)# timers lsa-group-pacing 500
hostname(config-router)# 

Related Commands

Command
Description

router ospf

Enters router configuration mode.

show ospf

Displays general information about the OSPF routing processes.

timers spf

Specifies the shortest path first (SPF) calculation delay and hold time


timers spf

To specify the shortest path first (SPF) calculation delay and hold time, use the timers spf command in router configuration mode. To restore the default values, use the no form of this command.

timers spf delay holdtime

no timers spf [delay holdtime]

Syntax Description

delay

Specifies the delay time between when OSPF receives a topology change and when it starts a shortest path first (SPF) calculation in seconds, from 1 to 65535.

holdtime

The hold time between two consecutive SPF calculations in seconds; valid values are from 1 to 65535.


Defaults

The defaults are as follows:

delay is 5 seconds.

holdtime is 10 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

To configure the delay time between when the OSPF protocol receives a topology change and when it starts a calculation, and the hold time between two consecutive SPF calculations, use the timers spf command. To return to the default timer values, use the no timers spf command.

Examples

The following example sets the SPF calculation delay to 10 seconds and the SPF calculation hold time to 20 seconds:

hostname(config-router)# timers spf 10 20
hostname(config-router)#

Related Commands

Command
Description

router ospf

Enters router configuration mode.

show ospf

Displays general information about the OSPF routing processes.

timers lsa-group-pacing

Specifies the interval at which OSPF link-state advertisements (LSAs) are collected and refreshed, checksummed, or aged.


title

To set a title for WebVPN users to see on the browser and on the WebVPN title bar, use the title command in webvpn mode. To remove a title from the configuration and reset the default, use the no form of this command.

title [string]

no title

Syntax Description

string

(Optional) Specifies the HTML string in the browser title and on the WebVPN title bar. Maximum 255 characters.


Defaults

The default title is "WebVPN Service".

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

To have no title, use the title command without a string.

Examples

The following example shows how to create the WebVPN title, "Our Company WebVPN Services":

hostname(config)# webvpn

hostname(config-webvpn)# title Our Company WebVPN Services

title-color

To set a color for the WebVPN title bar on the login, home page and file access page, use the title-color command in webvpn mode. To remove a title color from the configuration and reset the default, use the no form of this command.

title-color {color}

no title-color

Syntax Description

color

(Optional) Specifies the color. You can use a comma separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

Name length maximum is 32 characters.


Defaults

The default title is HTML #999CC, a lavender shade.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The number of HTML and RGB values recommended for use is 216, many fewer than the mathematical possibilities. Many displays can handle only 256 colors, and 40 of those look differently on MACs and PCs. For best results, check published HTML and RGB tables. To find tables online, enter RGB in a search engine.

Examples

The following example shows how to set an RGB color value of 153, 204, 255, which is sky blue:

hostname(config)# webvpn

hostname(config-webvpn)# title-color 153,204,255

Related Commands

Command
Description

secondary-color

Sets a secondary color for the WebVPN title bar on the login, home page and file access page.


transfer-encoding

To restrict HTTP traffic by specifying a transfer encoding type, use the transfer-encoding command in HTTP map configuration mode, which is accessible using the http-map command. To disable this feature, use the no form of this command.

transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {allow | reset | drop} [log]

no transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {allow | reset | drop} [log]

Syntax Description

action

Specifies the action taken when a connection using the specified transfer encoding type is detected.

allow

Allows the message.

chunked

Identifies the transfer encoding type in which the message body is transferred as a series of chunks.

compress

Identifies the transfer encoding type in which the message body is transferred using UNIX file compression.

default

Specifies the default action taken by the security appliance when the traffic contains a supported request method that is not on a configured list.

deflate

Identifies the transfer encoding type in which the message body is transferred using zlib format (RFC 1950) and deflate compression (RFC 1951).

drop

Closes the connection.

gzip

Identifies the transfer encoding type in which the message body is transferred using GNU zip (RFC 1952).

identity

Identifies connections in which the message body is no transfer encoding is performed.

log

(Optional) Generates a syslog.

reset

Sends a TCP reset message to client and server.

type

Specifies the type of transfer encoding to be controlled through HTTP application inspection.


Defaults

This command is disabled by default. When the command is enabled and a supported transfer encoding type is not specified, the default action is to allow the connection without logging. To change the default action, use the default keyword and specify a different default action.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

HTTP map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

When you enable the transfer-encoding command, the security appliance applies the specified action to HTTP connections for each supported and configured transfer encoding type.

The security appliance applies the default action to all traffic that does not match the transfer encoding types on the configured list. The preconfigured default action is to allow connections without logging.

For example, given the preconfigured default action, if you specify one or more encoding types with the action of drop and log, the security appliance drops connections containing the configured encoding types, logs each connection, and allows all connections for the other supported encoding types.

If you want to configure a more restrictive policy, change the default action to drop (or reset) and log (if you want to log the event). Then configure each permitted encoding type with the allow action.

Enter the transfer-encoding command once for each setting you wish to apply. You use one instance of the transfer-encoding command to change the default action and one instance to add each encoding type to the list of configured transfer encoding types.

When you use the no form of this command to remove an application category from the list of configured application types, any characters in the command line after the application category keyword are ignored.

Examples

The following example provides a permissive policy, using the preconfigured default, which allows all supported application types that are not specifically prohibited.

hostname(config)# http-map inbound_http
hostname(config-http-map)# transfer-encoding gzip drop log
hostname(config-http-map)# exit

In this case, only connections using GNU zip are dropped and the event is logged.

The following example provides a restrictive policy, with the default action changed to reset the connection and to log the event for any encoding type that is not specifically allowed.

hostname(config)# http-map inbound_http
hostname(config-http-map)# port-misuse default action reset log
hostname(config-http-map)# port-misuse identity allow
hostname(config-http-map)# exit

In this case, only connections using no transfer encoding are allowed. When HTTP traffic for the other supported encoding types is received, the security appliance resets the connection and creates a syslog entry.

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug appfw

Displays detailed information about traffic associated with enhanced HTTP inspection.

http-map

Defines an HTTP map for configuring enhanced HTTP inspection.

inspect http

Applies a specific HTTP map to use for application inspection.

policy-map

Associates a class map with specific security actions.


trust-point

To specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer, use the trust-point command in tunnel-group ipsec-attributes mode. To eliminate a trustpoint specification, use the no form of this command.

trust-point trust-point-name

no trust-point trust-point-name

Syntax Description

trust-point-name

Specifies the name of the trustpoint to use.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group ipsec attributes


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You can apply this attribute to all tunnel-group types.

Examples

The following example entered in config-ipsec configuration mode, configures a trustpoint for identifying the certificate to be sent to the IKE peer for the IPSec LAN-to-LAN tunnel group named 209.165.200.225:

hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2L
hostname(config)# tunnel-group 209.165.200.225 ipsec-attributes
hostname(config-ipsec)# trust-point mytrustpoint
hostname(config-ipsec)# 

Related Commands

Command
Description

clear configure tunnel-group

Clears all configured tunnel groups.

crypto ca trustpoint

Enters the trustpoint mode for the specified trustpoint.

show running-config tunnel-group

Shows the configuration for the indicated tunnel group or for all tunnel groups.

tunnel-group-map default-group

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.


ttl-evasion-protection

To disable the Time-To-Live evasion protection, use the ttl-evasion-protection command in tcp-map configuration mode. To remove this specification, use the no form of this command.

ttl-evasion-protection

no ttl-evasion-protection

Syntax Description

This command has no arguments or keywords.

Defaults

TTL evasion protection offered by the security appliance is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tcp-map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. Use the ttl-evasion-protection command in tcp-map configuration mode to prevent attacks that attempt to evade security policy.

For instance, an attacker can send a packet that passes policy with a very short TTL. When the TTL goes to zero, a router between the security appliance and the endpoint drops the packet. It is at this point that the attacker can send a malicious packet with a long TTL that appears to the security appliance to be a retransmission and is passed. To the endpoint host, however, it is the first packet that has been received by the attacker. In this case, an attacker is able to succeed without security preventing the attack. Enabling this feature prevents such attacks.

Examples

The following example shows how to disable TTL evasion protection on flows from network 10.0.0.0 to 20.0.0.0:

hostname(config)# access-list TCP1 extended permit tcp 10.0.0.0 255.0.0.0 20.0.0.0 
255.0.0.0
hostname(config)# tcp-map tmap
hostname(config-tcp-map)# ttl-evasion-protection disable
hostname(config)# class-map cmap
hostname(config-cmap)# match access-list TCP1
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# set connection advanced-options tmap
hostname(config)# service-policy pmap global

Related Commands

Command
Description

class (policy-map)

Specifies a class map to use for traffic classification.

help

Shows syntax help for the policy-map, class, and description commands.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

set connection

Configures connection values.

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.


tunnel-group

To create and manage the database of connection-specific records for IPSec, use the tunnel-group command in global configuration mode. To remove a tunnel group, use the no form of this command.

tunnel-group name type type

no tunnel-group name

Syntax Description

name

Specifies the name of the tunnel group. This can be any string you choose. If the name is an IP address, it is usually the IP address of the peer.

type

Specifies the type of tunnel group:
ipsec-ra—IPSec remote access
ipsec-l2l—IPsec LAN-to-LAN


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration



Note The tunnel-group command is available in transparent firewall mode to allow configuration of a LAN-to-LAN tunnel group, but not a remote-access group. All the tunnel-group commands that are available for LAN-to-LAN are also available in transparent firewall mode.


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The security appliance has two default tunnel groups: DefaultRAGroup, which is the default IPSec remote-access tunnel group, and DefaultL2Lgroup, which is the default IPSec LAN-to-LAN tunnel group. You can change them but not delete them. The security appliance uses these groups to configure default tunnel parameters for remote access and LAN-to-LAN tunnel groups when there is no specific tunnel group identified during tunnel negotiation.

The tunnel-group command has the following commands. Each of these commands puts you in a configuration mode for configuring the attributes at the level of the configuration mode.

tunnel-group general-attributes

tunnel-group ipsec-attributes

Examples

The following example entered in global configuration mode, configures an IPSec LAN-to-LAN tunnel group. The name is the IP address of the LAN-to-LAN peer:

hostname(config)# tunnel-group 209.165.200.225 type ipsec-l2l
hostname(config)# 

Related Commands

Command
Description

clear configure tunnel-group

Clears all configured tunnel groups.

show running-config tunnel-group

Shows the tunnel group configuration for all tunnel groups or for a particular tunnel group.

tunnel-group map

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.


tunnel-group general-attributes

To enter the general-attribute configuration mode, use the tunnel-group general-attributes command in global configuration mode. This mode is used to configure settings that are common to all supported tunneling protocols.

To remove all general attributes, use the no form of this command.

tunnel-group name general-attributes

no tunnel-group name general-attributes

Syntax Description

general-attributes

Specifies attributes for this tunnel-group.

name

Specifies the name of the tunnel-group.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The following table lists the commands belonging in this group and the tunnel-group type where you can configure them:

General Attribute
Availability by Tunnel-Group Type

accounting-server-group

IPSec RA, IPSec L2L

address-pool

IPSec RA

authentication-server-group

IPSec RA

authorization-server-group

IPSec RA

default-group-policy

IPSec RA, IPSec L2L

dhcp-server

IPSec RA

strip-group

IPSec RA

strip-realm

IPSec RA


Examples

The following example entered in global configuration mode, creates a tunnel group for an IPSec LAN-to-LAN connection using the IP address of the LAN-to-LAN peer, then enters general configuration mode for configuring general attributes. The name of the tunnel group is 209.165.200.225.

hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2L
hostname(config)# tunnel-group 209.165.200.225 general
hostname(config-general)#

The following example entered in global configuration mode, creates a tunnel group named" remotegrp" for an IPSec remote access connection, and then enters general configuration mode for configuring general attributes for the tunnel group named "remotegrp":

hostname(config)# tunnel-group remotegrp type ipsec_ra
hostname(config)# tunnel-group remotegrp general
hostname(config-general)

Related Commands

Command
Description

crypto ca certificate map

Enters CA certificate map mode.

subject-name (crypto ca certificate map)

Identifies the DN from the CA certificate that is to be compared to the rule entry string.

tunnel-group-map default-group

Designates an existing tunnel-group name as the default tunnel group.


tunnel-group ipsec-attributes

To enter the ipsec-attribute configuration mode, use the tunnel-group ipsec-attributes command in global configuration mode. This mode is used to configure settings that are specific to the IPSec tunneling protocol.

To remove all IPSec attributes, use the no form of this command.

tunnel-group name ipsec-attributes

no tunnel-group name ipsec-attributes

Syntax Description

ipsec-attributes

Specifies attributes for this tunnel-group.

name

Specifies the name of the tunnel-group.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The following commands belong in this group:

IPSec Attribute
Availability by Tunnel-Group Type

authorization-dn-attributes

IPSec RA

authorization-required

IPSec RA

chain

IPSec RA, IPSec L2L

client-update

IPSec RA

isakmp keepalive

IPSec RA

peer-id-validate

IPSec RA, IPSec L2L

pre-shared-key

IPSec RA, IPSec L2L

radius-with-expiry

IPSec RA

trust-point

IPSec RA, IPSec L2L


Examples

The following example entered in global configuration, creates a tunnel group for the IPSec remote-access tunnel group named remotegrp, and then specifies IPSec group attributes:

hostname(config)# tunnel-group remotegrp type ipsec_ra
hostname(config)# tunnel-group remotegrp ipsec-attributes
hostname(config-ipsec)

Related Commands

Command
Description

clear configure tunnel-group

Clears all configured tunnel groups.

show running-config tunnel-group

Shows the tunnel group configuration for all tunnel groups or for a particular tunnel group.

tunnel-group-map default-group

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.


tunnel-group-map default-group

The tunnel-group-map commands configure the policy and rules by which certificate-based IKE sessions are mapped to tunnel groups. To associate the certificate map entries, created using the crypto ca certificate map command, with tunnel groups, use the tunnel-group-map command in global configuration mode. You can invoke this command multiple times as long as each invocation is unique and you do not reference a map index more than once.

Use the no form of this command to eliminate a tunnel-group-map.

tunnel-group-map [rule-index] default-group tunnel-group-name

no tunnel-group-map

Syntax Description

Syntax DescriptionSyntax Description

default-group tunnel-group-name

Specifies a default tunnel group to use when the name cannot be derived by other configured methods. The tunnel-group name must already exist.

rule index

Optional. Refers to parameters specified by the crypto ca certificate map command. The values are 1 to 65535.


Defaults

The default value for the tunnel-group-map default-group is DefaultRAGroup.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The crypto ca certificate map command maintains a prioritized list of certificate mapping rules. There can be only one map. But this map can have up to 65535 rules. Refer to the documentation on the crypto ca certificate map command for more information.

The processing that derives the tunnel-group name from the certificate ignores entries in the certificate map that are not associated with a tunnel group (any map rule not identified by this command).

Examples

The following example entered in global configuration mode, specifies a default tunnel group to use when the name cannot be derived by other configured methods. The name of the tunnel group to use is group1:

hostname(config)# tunnel-group-map default-group group1
hostname(config)# 

Related Commands

Command
Description

crypto ca certificate map

Enters crypto ca certificate map mode.

subject-name (crypto ca certificate map)

Identifies the DN from the CA certificate that is to be compared to the rule entry string.

tunnel-group-map enable

Configures the policy and rules by which certificate-based IKE sessions are mapped to tunnel groups


tunnel-group-map enable

The tunnel-group-map enable command configures the policy and rules by which certificate-based IKE sessions are mapped to tunnel groups. Use the no form of this command to restore the default values.

tunnel-group-map [rule-index] enable policy

no tunnel-group-map enable [rule-index]

Syntax Description

Syntax DescriptionSyntax Description

policy

Specifies the policy for deriving the tunnel group name from the certificate. Policy can be one of the following:

ike-id—Indicates that if a tunnel-group is not determined based on a rule lookup or taken from the ou, then the certificate-based IKE sessions are mapped to a tunnel group based on the content of the phase1 IKE ID.

ou—Indicates that if a tunnel-group is not determined based on a rule lookup, then use the value of the organizational unit (OU) in the subject distinguished name (DN).

peer-ip—Indicates that if a tunnel-group is not determined based on a rule lookup or taken from the ou or ike-id methods, then use the established peer IP address.

rules—Indicates that the certificate-based IKE sessions are mapped to a tunnel group based on the certificate map associations configured by this command.

rule index

Optional. Refers to parameters specified by the crypto ca certificate map command. The values are 1 to 65535.


Defaults

The default values for the tunnel-group-map command are enable ou and default-group set to DefaultRAGroup.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The crypto ca certificate map command maintains a prioritized list of certificate mapping rules. There can be only one map. But this map can have up to 65535 rules. Refer to the documentation on the crypto ca certificate map command for more information.

Examples

The following example enables mapping of certificate-based IKE sessions to a tunnel group based on the content of the phase1 IKE ID:

hostname(config)# tunnel-group-map enable ike-id
hostname(config)# 

The following example enables mapping of certificate-based IKE sessions to a tunnel group based on the established IP address of the peer:

hostname(config)# tunnel-group-map enable peer-ip
hostname(config)# 

The following example enables mapping of certificate-based IKE sessions based on the organizational unit (OU) in the subject distinguished name (DN):

hostname(config)# tunnel-group-map enable ou
hostname(config)# 

The following example enables mapping of certificate-based IKE sessions based on established rules:

hostname(config)# tunnel-group-map enable rules
hostname(config)# 

Related Commands

Command
Description

crypto ca certificate map

Enters CA certificate map mode.

subject-name (crypto ca certificate map)

Identifies the DN from the CA certificate that is to be compared to the rule entry string.

tunnel-group-map default-group

Designates an existing tunnel-group name as the default tunnel group.


tunnel-limit

To specify the maximum number of GTP tunnels allowed to be active on the security appliance, use the tunnel limit command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no to set the tunnel limit back to its default.

tunnel-limit max_tunnels

no tunnel-limit max_tunnels

Syntax Description

max_tunnels

This is the maximum number of tunnels allowed. The ranges is from 1 to 4294967295 for the global overall tunnel limit.


Defaults

The default for the tunnel limit is 500.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

GTP map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

New requests will be dropped once the number of tunnels specified by this command is reached.

Examples

The following example specifies a maximum of 10,000 tunnels for GTP traffic:

hostname(config)# gtp-map qtp-policy
hostname(config-gtpmap)# tunnel-limit 10000 

Related Commands

Commands
Description

clear service-policy inspect gtp

Clears global GTP statistics.

debug gtp

Displays detailed information about GTP inspection.

gtp-map

Defines a GTP map and enables GTP map configuration mode.

inspect gtp

Applies a specific GTP map to use for application inspection.

show service-policy inspect gtp

Displays the GTP configuration.


tx-ring-limit

To specify the depth of the priority queues, use the tx-ring-limit command in priority-queue mode. To remove this specification, use the no form of this command.

tx-ring-limit number-of-packets

no tx-ring-limit number-of-packets

Syntax Description

number-of-packets

Specifies the maximum number of low-latency or normal priority packets allowed into the Ethernet transmit driver before the driver pushes back to the queues on the interface to let them buffer packets until the congestion clears. The range of tx-ring-limit values is 3 through 128 packets on the PIX platform and 3 through 256 packets on the ASA platform.


Defaults

The default tx-ring-limit is 128 packets.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Priority-queue


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The security appliance allows two classes of traffic: low-latency queuing (LLQ) for higher priority, latency sensitive traffic (such as voice and video) and best-effort, the default, for all other traffic. The security appliance recognizes priority traffic and enforces appropriate Quality of Service (QoS) policies. You can configure the size and depth of the priority queue to fine-tune the traffic flow.

You must use the priority-queue command to create the priority queue for an interface before priority queuing takes effect. You can apply one priority-queue command to any interface that can be defined by the nameif command.

The priority-queue command enters priority-queue mode, as shown by the prompt. In priority-queue mode, you can configure the maximum number of packets allowed in the transmit queue at any given time (tx-ring-limit command) and the number of packets of either type (priority or best -effort) allowed to be buffered before dropping packets (queue-limit command).


Note You must configure the priority-queue command in order to enable priority queueing for the interface.


The tx-ring-limit and the queue-limit that you specify affect both the higher priority low-latency queue and the best-effort queue. The tx-ring-limit is the number of either type of packets allowed into the driver before the driver pushes back to the queues sitting in front of the interface to let them buffer packets until the congestion clears. In general, you can adjust these two parameters to optimize the flow of low-latency traffic.

Because queues are not of infinite size, they can fill and overflow. When a queue is full, any additional packets cannot get into the queue and are dropped. This is tail drop. To avoid having the queue fill up, you can use the queue-limit command to increase the queue buffer size.


Note The upper limit of the range of values for the queue-limit and tx-ring-limit commands is determined dynamically at run time. To view this limit, enter help or ? on the command line. The key determinant is the memory needed to support the queues and the memory available on the device. The range of queue-limit values is 0 through 2048 packets. The range of tx-ring-limit values is 3 through 128 packets on the PIX platform and 3 through 256 packets on the ASA platform.


Examples

The following example configures a priority queue for the interface named test, specifying a queue limit of 2048 packets and a transmit queue limit of 256 packets.

hostname(config)# priority-queue test
hostname(priority-queue)# queue-limit 2048
hostname(priority-queue)# tx-ring-limit 256

Related Commands

Command
Description

clear configure priority-queue

Removes the current priority queue configuration on the named interface.

priority-queue

Configures priority queuing on an interface.

queue-limit

Specifies the maximum number of packets that can be enqueued to a priority queue before it drops data.

show priority-queue statistics

Shows the priority-queue statistics for the named interface.

show running-config priority-queue

Shows the current priority queue configuration. If you specify the all keyword, this command displays all the current priority-queue, queue-limit, and tx-ring-limit command configuration values.


urgent-flag

To allow or clear the URG pointer through the TCP normalizer, use the urgent-flag command in tcp-map configuration mode. To remove this specification, use the no form of this command.

urgent-flag {allow | clear}

no urgent-flag {allow | clear}

Syntax Description

allow

Allows the URG pointer through the TCP normalizer.

clear

Clears the URG pointer through the TCP normalizer.


Defaults

The urgent flag and urgent offset are clear by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tcp-map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the newTCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. Use the urgent-flag command in tcp-map configuration mode to allow the urgent flag.

The URG flag is used to indicate that the packet contains information that is of higher priority than other data within the stream. The TCP RFC is vague about the exact interpretation of the URG flag, therefore, end systems handle urgent offsets in different ways, which may make the end system vulnerable to attacks. The default behavior is to clear the URG flag and offset.

Examples

The following example shows how to allow the urgent flag:

hostname(config)# tcp-map tmap
hostname(config-tcp-map)# urgent-flag allow
hostname(config)# class-map cmap
hostname(config-cmap)# match port tcp eq 513
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# set connection advanced-options tmap
hostname(config)# service-policy pmap global

Related Commands

Command
Description

class

Specifies a class map to use for traffic classification.

help

Shows syntax help for the policy-map, class, and description commands.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

set connection

Configures connection values.

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.


url

To maintain the list of static URLs for retrieving CRLs, use the url command in crl configure configuration mode. The crl configure configuration mode is accessible from the crypto ca trustpoint configuration mode. To delete an existing URL, use the no form of this command.

url index url

no url index url

Syntax Description

index

Specifies a value from 1 to 5 that determines the rank of each URL in the list. The security appliance tries the URL at index 1 first.

url

Specifies the URL from which to retrieve the CRL.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CRL configure configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You cannot overwrite existing URLs. To replace an existing URL, first delete it using the no form of this command.

Examples

The following example enters ca-crl configuration mode, and sets up an index 3 for creating and maintaining a list of URLs for CRL retrieval and configures the URL https://foobin.com from which to retrieve CRLs:

hostname(configure)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# url 3 https://foobin.com
hostname(ca-crl)# 

Related Commands

Command
Description

crl configure

Enters ca-crl configuration mode.

crypto ca trustpoint

Enters trustpoint configuration mode.

policy

Specifies the source for retrieving CRLs.


url-block

The url-block commands can be used to manage the URL buffers used for web server responses while waiting for a filtering decision from the filtering server. The url-block commands are also used to manage filtering of long URLs. To remove the configuration, use the no form of this command.

url-block block block_buffer_limit

no url-block block block_buffer_limit

Websense only:

url-block url-mempool memory_pool_size

no url-block url-mempool memory_pool_siz

The numeric parameters for the url-block command are lower in multi-context mode than in single-context mode. For example:

Single-context:

url-block block block_buffer_limit—max is 128

url-block url-mempool memory_pool_size—max is 10240

Multi-context:

url-block block block_buffer_limit—max is 16

url-block url-mempool memory_pool_size—max is 512

Syntax Description

block block_buffer_limit

Creates an HTTP response buffer to store web server responses while waiting for a filtering decision from the filtering server. The permitted values are from 0 to 128, which specifies the number of 1550-byte blocks.

url-mempool memory_pool_size

For Websense URL filtering only. The size of the URL buffer memory pool in Kilobytes (KB). The permitted values are from 2  to 10240, which specifies a URL buffer memory pool from 2 KB to 10240 KB.


Note This is not supported on the UDP transport servers.


url-size long_url_size

For Websense URL filtering only. The maximum allowed URL size in KB. The permitted values are 2, 3, or 4, which specifies a maximum URL size of 2 KB, 3 KB, or 4KB.


Note This is not supported on the UDP transport servers.



Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

For Websense filtering servers, the url-block url-size command allows filtering of long URLs, up to 4 KB. For both Websense and N2H2 filtering servers, the url-block block command causes the security appliance to buffer packets received from a web server in response to a web client request while waiting for a response from the URL filtering server. This improves performance for the web client compared to the default security appliance behavior, which is to drop the packets and to require the web server to retransmit the packets if the connection is permitted.

If you use the url-block block command and the filtering server permits the connection, the security appliance sends the blocks to the web client from the HTTP response buffer and removes the blocks from the buffer. If the filtering server denies the connection, the security appliance sends a deny message to the web client and removes the blocks from the HTTP response buffer.

Use the url-block block command to specify the number of blocks to use for buffering web server responses while waiting for a filtering decision from the filtering server.

Use the url-block url-size command with the url-block url-mempool command to specify the maximum length of a URL to be filtered by a Websense filtering server and the maximum memory to assign to the URL buffer. Use these commands to pass URLs longer than 1159 bytes, up to a maximum of 4096 bytes, to the Websense server. The url-block url-size command stores URLs longer than 1159 bytes in a buffer and then passes the URL to the Websense server (through a TCP packet stream) so that the Websense server can grant or deny access to that URL.

Examples

The following example assigns 56 1550-byte blocks for buffering responses from the URL filtering server:

hostname#(config)# url-block block 56

Related Commands

Commands
Description

clear url-block block statistics

Clears the block buffer usage counters.

filter url

Directs traffic to a URL filtering server.

show url-block

Displays information about the URL cache, which is used for buffering URLs while waiting for responses from an N2H2 or Websense filtering server.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


url-cache

To enable URL caching for URL responses received from an N2H2 or Websense server and to set the size of the cache, use the url-cache command in global configuration mode. To remove the configuration, use the no form of this command.

url-cache {dst |   src_dst} kbytes [kb]

no url-cache {dst |   src_dst} kbytes [kb]

Syntax Description

dst

Cache entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the N2H2 or Websense server.

size kbytes

Specifies a value for the cache size within the range 1 to 128 KB.

src_dst

Cache entries based on the both the source address initiating the URL request as well as the URL destination address. Select this mode if users do not share the same URL filtering policy on the N2H2 or Websense server.

statistics

Use the statistics option to display additional URL cache statistics, including the number of cache lookups and hit rate.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The url-cache command provides a configuration option to buffer the response from a web server if its response is faster than that from the N2H2 or Websense filtering service server. This prevents the web server response from being loaded twice.

Use the url-cache command to enable URL caching, set the size of the cache, and display cache statistics.

Caching stores URL access privileges in memory on the security appliance. When a host requests a connection, the security appliance first looks in the URL cache for matching access privileges instead of forwarding the request to the N2H2 or Websense server. Disable caching with the no url-cache command.


Note If you change settings on the N2H2 or Websense server, disable the cache with the no url-cache command and then re-enable the cache with the url-cache command.


Using the URL cache does not update the Websense accounting logs for Websense protocol Version 1. If you are using Websense protocol Version 1, let Websense run to accumulate logs so you can view the Websense accounting information. After you get a usage profile that meets your security needs, enable url-cache to increase throughput. Accounting logs are updated for Websense protocol Version 4 and for N2H2 URL filtering while using the url-cache command.

Examples

The following example caches all outbound HTTP connections based on the source and destination addresses:

hostname(config)# url-cache src_dst 128

Related Commands

Commands
Description

clear url-cache statistics

Removes url-cache command statements from the configuration.

filter url

Directs traffic to a URL filtering server.

show url-cache statistics

Displays information about the URL cache, which is used for URL responses received from an N2H2 or Websense filtering server.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


url-list

To configure a set of URLs for WebVPN users to access, use the url-list command in global configuration mode. To configure a list with multiple URLs, use this command with the same listname multiple times, once for each URL. To remove an entire configured list, use the no url-list listname command. To remove a configured URL, use the no url-list listname url command.

To configure multiple lists, use this command multiple times, assigning a unique listname to each list.

url-list {listname displayname url}

no url-list listname

no url-list listname url

Syntax Description

displayname

Provides the text that displays on the WebVPN end user interface to identify the URL. Maximum 64 characters. The displayname must be unique for a given list. Spaces are allowed.

listname

Groups the set of URLs that WebVPN users can access. Maximum 64 characters. Maximum 64 characters. Semi-colons (;) ampersands (&), and less-than (<) characters are not allowed.

url

Specifies the link. Supported URL types are http, https and cifs.


Defaults

There is no default URL list.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration mode


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You use the url-list command in global configuration mode to create one or more lists of URLs. To allow access to the URLs in a list for a specific group policy or user, use the listname you create here with the url-list command in webvpn mode.

Examples

The following example shows how to create a URL list called Marketing URLs that provides access to www.cisco.com, www.example.com, and www.example.org. The following table provides values that the example uses for each application.

listname
displayname
url

Marketing URLs

Cisco Systems

http://www.cisco.com

Marketing URLs

Example Company, Inc.

http://www.example.com

Marketing URLs

Example Organization

http://www.example.org


hostname(config)# url-list Marketing URLs Cisco Systems http://www.cisco.com
hostname(config)# url-list Marketing URLs Example Company, Inc. http://www.example.com
hostname(config)# url-list Marketing URLs Example Organization http://www.example.org

Related Commands

Command
Description

clear configuration url-list

Removes all url-list commands from the configuration. If you include the listname, the security appliance removes only the commands for that list.

url-list

Use this command in webvpn mode to permit a group policy or user to access a previously configured list of urls.

show running-configuration url-list

Displays the current set of configured urls.

webvpn

Use in group-policy configuration mode or in username configuration mode. Lets you enter webvpn mode to configure parameters that apply to group policies or usernames.

webvpn

Use in global configuration mode. Lets you configure global settings for WebVPN.


url-list (webvpn)

To apply a list of WebVPN servers and URLs to a particular user or group policy, use the url-list command in webvpn mode, which you enter from group-policy or username mode. To remove a list, including a null value created by using the url-list none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting a url list, use the url-list none command. Using the command a second time overrides the previous setting.

url-list {value name | none}

no url-list

Syntax Description

value name

Specifies the name of a previously configured list of urls. To configure such a list, use the url-list command in global configuration mode.

none

Sets a null value for url lists. Prevents inheriting a list from a default or specified group policy.


Defaults

There is no default URL list.

Command Modes

The following table shows the modes in which you enter the commands:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn mode


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Using the command a second time overrides the previous setting.

Before you can use the url-list command in webvpn mode to identify a URL list that you want to display on the WebVPN home page for a user or group policy, you must create the list. Use the url-list command in global configuration mode to create one or more lists.

Examples

The following example shows how to set a URL list called FirstGroupURLs for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# url-list value FirstGroupURLs

Related Commands

Command
Description

clear configure url-list [listname]

Removes all url-list commands from the configuration. If you include the listname, the security appliance removes only the commands for that list.

show running-configuration url-list

Displays the current set of configured url-list commands.

url-list

Use this command in webvpn mode, which you access in global configuration mode, to configure the set of URLs that WebVPN users can access.

webvpn

Lets you enter webvpn mode. which you access in group-policy configuration mode or in username configuration mode, to configure webvpn setting for a specific group policy or user.


url-server

To identify an N2H2 or Websense server for use with the filter command, use the url-server command. To remove the configuration, use the no form of this command.

N2H2

url-server (if_name) vendor n2h2 host local_ip [port number] [timeout seconds] [protocol {TCP | UDP [connections num_conns]}]

no url-server (if_name) vendor n2h2 host local_ip [port number] [timeout seconds] [protocol {TCP | UDP [connections num_conns]}]

Websense

url-server (if_name) vendor websense host local_ip [timeout seconds] [protocol {TCP | UDP | connections num_conns] | version]

no url-server (if_name) vendor websense host local_ip [timeout seconds] [protocol {TCP | UDP [connections num_conns] | version]

Syntax Description

N2H2

connections

Limits the maximum number of connections permitted.

num_conns

Specifies the maximum number of connections permitted.

host local_ip

The server that runs the URL filtering application.

if_name

(Optional) The network interface where the authentication server resides. If not specified, the default is inside.

port number

The N2H2 server port. The security appliance also listens for UDP replies on this port. The default port number is 4005.

protocol

The protocol can be configured using TCP or UDP keywords. The default is TCP.

timeout seconds

The maximum idle time permitted before the security appliance switches to the next server you specified. The default is 30 seconds.

vendor n2h2

Indicates URL filtering service vendor is N2H2.


Websense

connections

Limits the maximum number of connections permitted.

if_name

The network interface where the authentication server resides. If not specified, the default is inside.

host local_ip

The server that runs the URL filtering application.

timeout seconds

The maximum idle time permitted before the security appliance switches to the next server you specified. The default is 30 seconds.

protocol

The protocol can be configured using TCP or UDP keywords. The default is TCP protocol, Version 1.

vendor websense

Indicates URL filtering service vendor is Websense.

version

Specifies protocol Version 1 or 4. The default is TCP protocol Version 1. TCP can be configured using Version 1 or Version 4. UDP can be configured using Version 4 only.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The url-server command designates the server running the N2H2 or Websense URL filtering application. The limit is 16 URL servers; however, and you can use only one application at a time, either N2H2 or Websense. Additionally, changing your configuration on the security appliance does not update the configuration on the application server; this must be done separately, according to the vendor instructions.

The url-server command must be configured before issuing the filter command for HTTPS and FTP. If all URL servers are removed from the server list, then all filter commands related to URL filtering are also removed.

Once you designate the server, enable the URL filtering service with the filter url command.

Follow these steps to filter URLs:


Step 1 Designate the URL filtering application server with the appropriate form of the vendor-specific url-server command.

Step 2 Enable URL filtering with the filter command.

Step 3 (Optional) Use the url-cache command to enable URL caching to improve perceived response time.

Step 4 (Optional) Enable long URL and HTTP buffering support using the url-block command.

Step 5 Use the show url-block block statistics, show url-cache statistics, or the show url-server statistics commands to view run information.

For more information about Filtering by N2H2, visit N2H2's website at:

http://www.n2h2.com

For more information on Websense filtering services, visit the following website:

http://www.websense.com/


Examples

Using N2H2, the following example filters all outbound HTTP connections except those from the 10.0.2.54 host:

hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.1
hostname(config)# filter url http 0 0 0 0
hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0

Using Websense, the following example filters all outbound HTTP connections except those from the 10.0.2.54 host:

hostname(config)# url-server (perimeter) vendor websense host 10.0.1.1 protocol TCP 
version 4
hostname(config)# filter url http 0 0 0 0
hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0

Related Commands

Commands
Description

clear url-server

Clears the URL filtering server statistics.

filter url

Directs traffic to a URL filtering server.

show url-block

Displays information about the URL cache, which is used for buffering URLs while waiting for responses from an N2H2 or Websense filtering server.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


user-authentication

To enable user authentication, use the user-authentication enable command in group-policy configuration mode. To disable user authentication, use the user-authentication disable command. To remove the user authentication attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for user authentication from another group policy.

When enabled, user authentication requires that individual users behind a hardware client authenticate to gain access to the network across the tunnel.

user-authentication {enable | disable}

no user-authentication

Syntax Description

disable

Disables user authentication.

enable

Enables user authentication.


Defaults

User authentication is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Individual users authenticate according to the order of authentication servers that you configure.

If you require user authentication on the primary security appliance, be sure to configure it on any backup servers as well.

Examples

The following example shows how to enable user authentication for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# user-authentication enable

Related Commands

Command
Description

ip-phone-bypass

Lets IP phones connect without undergoing user authentication. Secure unit authentication remains in effect.

leap-bypass

Lets LEAP packets from wireless devices behind a VPN client travel across a VPN tunnel prior to user authentication, when enabled. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per user authentication.

secure-unit-authentication

Provides additional security by requiring the VPN client to authenticate with a username and password each time the client initiates a tunnel.

user-authentication-idle-timeout

Sets an idle timeout for individual users. If there is no communication activity on a user connection in the idle timeout period, the security appliance terminates the connection.


user-authentication-idle-timeout

To set an idle timeout for individual users behind hardware clients, use the user-authentication-idle-timeout command in group-policy configuration mode. To delete the idle timeout value, use the no form of this command. This option allows inheritance of an idle timeout value from another group policy. To prevent inheriting an idle timeout value, use the user-authentication-idle-timeout none command.

If there is no communication activity by a user behind a hardware client in the idle timeout period, the security appliance terminates the connection.

user-authentication-idle-timeout {minutes | none}

no user-authentication-idle-timeout

Syntax Description

minutes

Specifies the number of minutes in the idle timeout period. The range is from 1 through 35791394 minutes

none

Permits an unlimited idle timeout period. Sets idle timeout with a null value, thereby disallowing an idle timeout. Prevents inheriting an user authentication idle timeout value from a default or specified group policy.


Defaults

30 minutes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The minimum is 1 minute, the default is 30 minutes, and the maximum is 10,080 minutes.

Examples

The following example shows how to set an idle timeout value of 45 minutes for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# user-authentication-idle-timeout 45

Related Commands

Command
Description

user-authentication

Requires users behind hardware clients to identify themselves to the security appliance before connecting.


username

To add a user to the security appliance database, enter the username command in global configuration mode. To remove a user, use the no version of this command with the username you want to remove. To remove all usernames, use the no version of this command without appending a username.

username {name} {nopassword | password password [encrypted]} [privilege priv_level]}

no username [name]

Syntax Description

encrypted

Indicates that the password is encrypted.

name

Provides the name of the user. The maximum length for the username ranges from 15 to 64 characters.

nopassword

Indicates that this user needs no password.

password password

Indicates that this user has a password, and provides the password.

privilege priv_level

Sets a privilege level for this user. The range is from 0 to 15, with lower numbers having less ability to use commands and administer the security appliance. The default privilege level is 2. The typical privilege level for a system administrator is 15.


Defaults

By default, VPN users that you add with this command have no attributes or group policy association. You must configure all values explicitly.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The internal user authentication database consists of the users entered with the username command. The login command uses this database for authentication.

Examples

The following example shows how to configure a user named anyuser with a n encrypted password of 12345678 and a privilege level of 12:

hostname(config)# username anyuser password 12345678 encrypted privilege 12

Related Commands

Command
Description

clear config username

Clears the configuration for a particular user or for all users.

show running-config username

Displays the running configuration for a particular suer or for all users.

username attributes

Enters username attributes mode, which lets you configure AVPs for specific users.


username attributes

To enter the username attributes mode, use the username attributes command in username configuration mode. To remove all attributes for a particular user, use the no form of this command and append the username. To remove all attributes for all users, use the no form of this command without appending a username. The attributes mode lets you configure AVPs for a specified user.

username {name} attributes

no username [name] attributes

Syntax Description

name

Provides the name of the user.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Username


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The internal user authentication database consists of the users entered with the username command. The login command uses this database for authentication.

The syntax of the commands in attributes mode have the following characteristics in common:

The no form removes the attribute from the running configuration.

The none keyword also removes the attribute from the running configuration. But it does so by setting the attribute to a null value, thereby preventing inheritance.

Boolean attributes have explicit syntax for enabled and disabled settings.

Examples

The following example shows how to enter username attributes configuration mode for a user named anyuser:

hostname(config)# username anyuser attributes

Related Commands

Command
Description

clear config username

Clears the username database.

show running-config username

Displays the running configuration for a particular user or for all users.

username

Adds a user to the security appliance database.


username-prompt

To configure the prompt for the username for initial login to WebVPN, use the username-prompt command in webvpn mode. To revert to the default, "Login:," use the no form of this command.

username-prompt [prompt]

no username-prompt

Syntax Description

prompt

((Optional) Specifies the string that prompts users to enter a username. Maximum 16 characters.


Defaults

The default prompt is "Login:"

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to configure the password prompt, "Enter Username:":

hostname(config)# webvpn
hostname(config-webvpn)# password-prompt Enter Username:

virtual http

To configure a virtual HTTP server, use the virtual http command in global configuration mode. To disable the virtual server, use the no form of this command. When you use HTTP authentication on the security appliance, and the HTTP server also requires authentication, this command allows you to authenticate separately with the security appliance and with the HTTP server. Without virtual HTTP, the same username and password you used to authenticate with the security appliance is sent to the HTTP server; you are not prompted separately for the HTTP server username and password.

virtual http ip_address [warning]

no virtual http ip_address [warning]

Syntax Description

ip_address

Sets the IP address for the virtual HTTP server on the security appliance. Make sure this address is an unused address that is routed to the security appliance.

warning

(Optional) Notifies users that the HTTP connection needs to be redirected to the security appliance. This keyword applies only for text-based browsers, where the redirect cannot happen automatically.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

If you enable HTTP authentication (see the aaa authentication match command or the aaa authentication include command), then the security appliance prompts each user for a username and password so it can authenticate them with a AAA server. After the AAA server authenticates the user, the connection is allowed to continue to the HTTP server. However, the AAA server username and password is still included in the HTTP packet. If the HTTP server also has its own authentication mechanism, then the user is not prompted again for a username and password because there is already a username and password included in the packet. Assuming the username and password is not the same for the AAA and HTTP servers, then the HTTP authentication fails.

To allow a user to be prompted separately by the HTTP server, enable the virtual HTTP server on the security appliance using the virtual http command. This command redirects all HTTP connections that require AAA authentication to the virtual HTTP server on the security appliance. The security appliance prompts for the AAA server username and password. After the AAA server authenticates the user, the security appliance redirects the HTTP connection back to the original server, but it does not include the AAA server username and password. Because the username and password are not included in the HTTP packet, the HTTP server prompts the user separately for the HTTP server username and password.

For inbound users (from lower security to higher security), you must also include the virtual HTTP address as a destination interface in the access list applied to the source interface. Moreover, you must add a static command for the virtual HTTP IP address, even if NAT is not required (using the no nat-control command). An identity NAT command is typically used (where you translate the address to itself).

For outbound users, there is an explicit permit for traffic, but if you apply an access list to an inside interface, be sure to allow access to the virtual HTTP address. A static statement is not required.


Caution Do not set the timeout uauth command duration to 0 seconds when using the virtual http command, because this setting prevents HTTP connections to the real web server.

Examples

The following example shows how to enable virtual HTTP along with AAA authentication:

hostname(config)# virtual http 209.165.202.129
hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.200.225 eq http
hostname(config)# access-list ACL-IN remark This is the HTTP server on the inside
hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.202.129 eq http
hostname(config)# access-list ACL-IN remark This is the virtual HTTP address
hostname(config)# access-group ACL-IN in interface outside
hostname(config)# static (inside, outside) 209.165.202.129 209.165.202.129 netmask 
255.255.255.255
hostname(config)# access-list AUTH extended permit tcp any host 209.165.200.225 eq http
hostname(config)# access-list AUTH remark This is the HTTP server on the inside
hostname(config)# access-list AUTH extended permit tcp any host 209.165.202.129 eq http
hostname(config)# access-list AUTH remark This is the virtual HTTP address
hostname(config)# aaa authentication match AUTH outside tacacs+

Related Commands

Command
Description

clear configure virtual

Removes virtual command statements from the configuration.

show running-config virtual

Displays the IP address of the security appliance virtual server.

sysopt uauth allow-http-cache

When you enable the virtual http command, this command lets you use the username and password in the browser cache to reconnect to the virtual server.

virtual telnet

Provides a virtual Telnet server on the security appliance to let users authenticate with the security appliance before initiating other types of connections that require authentication.


virtual telnet

To configure a virtual Telnet server on the security appliance, use the virtual telnet command in global configuration mode. You might need to authenticate users with the virtual Telnet server if you require authentication for other types of traffic for which the security appliance does not supply an authentication prompt. To disable the server, use the no form of this command.

virtual telnet ip_address

no virtual telnet ip_address

Syntax Description

ip_address

Sets the IP address for the virtual Telnet server on the security appliance. Make sure this address is an unused address that is routed to the security appliance.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Although you can configure network access authentication for any protocol or service (see the aaa authentication match or aaa authentication include command), you can authenticate directly with HTTP, Telnet, or FTP only. A user must first authenticate with one of these services before other traffic that requires authentication is allowed through. If you do not want to allow HTTP, Telnet, or FTP through the security appliance, but want to authenticate other types of traffic, you can configure virtual Telnet; the user Telnets to a given IP address configured on the security appliance, and the security appliance provides a Telnet prompt.

You must configure authentication for Telnet access to the virtual Telnet address as well as the other services you want to authenticate using the authentication match or aaa authentication include command.

When an unauthenticated user connects to the virtual Telnet IP address, the user is challenged for a username and password, and then authenticated by the AAA server. Once authenticated, the user sees the message "Authentication Successful." Then, the user can successfully access other services that require authentication.

For inbound users (from lower security to higher security), you must also include the virtual Telnet address as a destination interface in the access list applied to the source interface. Moreover, you must add a static command for the virtual Telnet IP address, even if NAT is not required (using the no nat-control command). An identity NAT command is typically used (where you translate the address to itself).

For outbound users, there is an explicit permit for traffic, but if you apply an access list to an inside interface, be sure to allow access to the virtual Telnet address. A static statement is not required.

To logout from the security appliance, reconnect to the virtual Telnet IP address; you are prompted to log out.

Examples

This example shows how to enable virtual Telnet along with AAA authentication for other services:

hostname(config)# virtual telnet 209.165.202.129
hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.200.225 eq smtp
hostname(config)# access-list ACL-IN remark This is the SMTP server on the inside
hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.202.129 eq 
telnet
hostname(config)# access-list ACL-IN remark This is the virtual Telnet address
hostname(config)# access-group ACL-IN in interface outside
hostname(config)# static (inside, outside) 209.165.202.129 209.165.202.129 netmask 
255.255.255.255
hostname(config)# access-list AUTH extended permit tcp any host 209.165.200.225 eq smtp
hostname(config)# access-list AUTH remark This is the SMTP server on the inside
hostname(config)# access-list AUTH extended permit tcp any host 209.165.202.129 eq telnet
hostname(config)# access-list AUTH remark This is the virtual Telnet address
hostname(config)# aaa authentication match AUTH outside tacacs+

Related Commands

Command
Description

clear configure virtual

Removes virtual command statements from the configuration.

show running-config virtual

Displays the IP address of the security appliance virtual server.

virtual http

When you use HTTP authentication on the security appliance, and the HTTP server also requires authentication, this command allows you to authenticate separately with the security appliance and with the HTTP server. Without virtual HTTP, the same username and password you used to authenticate with the security appliance is sent to the HTTP server; you are not prompted separately for the HTTP server username and password.


vlan

To assign a VLAN ID to a subinterface, use the vlan command in interface configuration mode. To remove a VLAN ID, use the no form of this command. Subinterfaces require a VLAN ID to pass traffic. VLAN subinterfaces let you configure multiple logical interfaces on a single physical interface. VLANs let you keep traffic separate on a given physical interface, for example, for multiple security contexts.

vlan id

no vlan

Syntax Description

id

Specifies an integer between 1 and 4094. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0

This command was moved from a keyword of the interface command to an interface configuration mode command.


Usage Guidelines

You can only assign a single VLAN to a subinterface, and not to the physical interface. Each subinterface must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the security appliance changes the old ID.

You need to enable the physical interface with the no shutdown command to let subinterfaces be enabled. If you enable subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. Therefore, you cannot prevent traffic from passing through the physical interface by bringing down the interface. Instead, ensure that the physical interface does not pass traffic by leaving out the nameif command. If you want to let the physical interface pass untagged packets, you can configure the nameif command as usual.

The maximum number of subinterfaces varies depending on your platform. See the Cisco Security Appliance Command Line Configuration Guide for the maximum subinterfaces per platform.

Examples

The following example assigns VLAN 101 to a subinterface:

hostname(config)# interface gigabitethernet0/0.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# no shutdown

The following example changes the VLAN to 102:

hostname(config)# show running-config interface gigabitethernet0/0.1
interface GigabitEthernet0/0.1
   vlan 101
   nameif dmz1
   security-level 50
   ip address 10.1.2.1 255.255.255.0

hostname(config)# interface gigabitethernet0/0.1
hostname(config-interface)# vlan 102

hostname(config)# show running-config interface gigabitethernet0/0.1
interface GigabitEthernet0/0.1
   vlan 102
   nameif dmz1
   security-level 50
   ip address 10.1.2.1 255.255.255.0

Related Commands

Command
Description

allocate-interface

Assigns interfaces and subinterfaces to a security context.

interface

Configures an interface and enters interface configuration mode.

show running-config interface

Shows the current configuration of the interface.


vpn-access-hours

To associate a group policy with a configured time-range policy, use the vpn-access-hours command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a time-range value from another group policy. To prevent inheriting a value, use the vpn-access-hours none command.

vpn-access hours value {time-range} | none

no vpn-access hours

Syntax Description

none

Sets VPN access hours to a null value, thereby allowing no time-range policy. Prevents inheriting a value from a default or specified group policy.

time-range

Specifies the name of a configured time-range policy.


Defaults

Unrestricted.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Examples

The following example shows how to associate the group policy named FirstGroup with a time-range policy called 824:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-access-hours 824

Related Commands

Command
Description

time-range

Sets days of the week and hours of the day for access to the network, including start and end dates.


vpn-addr-assign

To specify a method for assigning IP addresses to remote access clients, use the vpn-addr-assign command in global configuration mode. To remove the attribute from the configuration, use the no version of this command. To remove all configured Vpn address assignment methods from the security appliance, user the no version of this command. without arguments.

vpn-addr-assign {aaa | dhcp | local}

no vpn-addr-assign [aaa | dhcp | local]

Syntax Description

aaa

Obtains IP addresses from an external AAA authentication server.

dhcp

Obtains IP addresses via DHCP.

local

Assigns IP addresses from internal authentication server, and associates them with a tunnel group.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

If you choose DHCP, you must also use the dhcp-network-scope command to define the range of IP addresses that the DHCP server can use.

If you choose local, you must also use the ip-local-pool command to define the range of IP addresses to use. You then use the vpn-framed-ip-address and vpn-framed-netmask commands to assign IP addresses and netmasks to individual users.

If you choose AAA, you obtain IP addresses from either a previously configured RADIUS server.

Examples

The following example shows how to configure DHCP as the address assignment method:

hostname(config)# vpn-addr-assign dhcp

Related Commands

Command
Description

dhcp-network-scope

Specifies the range of IP addresses the security appliance DHCP server should use to assign addresses to users of a group policy.

ip-local-pool

Creates a local IP address pool.

vpn-framed-ip-address

Specifies the IP address to assign to a particular user.

vpn-framed-ip-netmask

Specifies the netmask to assign to a particular user.


vpn-filter

To specify the name of the ACL to use for VPN connections, use the vpn-filter command in group policy or username mode. To remove the ACL, including a null value created by issuing the vpn-filter none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting values, use the vpn-filter none command.

You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the vpn-filter command to apply those ACLs.

vpn-filter {value ACL name | none}

no vpn-filter

Syntax Description

none

Indicates that there is no access list. Sets a null value, thereby disallowing an access list. Prevents inheriting an access list from another group policy.

value ACL name

Provides the name of the previously configured access list.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

WebVPN does not use the ACL defined in the vpn-filter command.

Examples

The following example shows how to set a filter that invokes an access list named acl_vpn for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-filter value acl_vpn

Related Commands

Command
Description

access-list

Creates an access list, or uses a downloadable access list.


vpn-framed-ip-address

To specify the IP address to assign to a particular user, use the vpn-framed-ip-address command in username mode. To remove the IP address, use the no form of this command.

vpn-framed-ip-address {ip_address}

no vpn-framed-ip-address

Syntax Description

ip_address

Provides the IP address for this user.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Username


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to set an IP address of 10.92.166.7 for a user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# vpn-framed-ip-address 10.92.166.7

Related Commands

Command
Description

vpn-framed-ip-netmask

Provides the subnet mask for this user.


vpn-framed-ip-netmask

To specify the subnet mask to assign to a particular user, use the vpn-framed-ip-netmask command in username mode. To remove the subnet mask, use the no form of this command.

vpn-framed-ip-netmask {netmask}

no vpn-framed-ip-netmask

Syntax Description

netmask

Provides the subnet mask for this user.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Username


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to set a subnet mask of 255.255.255. 254 for a user named anyuser:

hostname(config)# username anyuser attributes
hostname(config-username)# vpn-framed-ip-netmask 255.255.255.254


Note If RADIUS only returns the subnet mask, the authentication uses the IP address from the local pool which has its own subnet netmask. It does not use the mask from RADIUS. To prevent this, return both the netmask and IP address from RADIUS.


Related Commands

Command
Description

vpn-framed-ip-address

Provides the IP address for this user.


vpn-group-policy

To have a user inherit attributes from a configured group policy, use the vpn-group-policy command in username configuration mode. To remove a group policy from a user configuration, use the no version of this command. Using this command lets users inherit attributes that you have not configured at the username level.

vpn-group-policy {group-policy name}

no vpn-group-policy {group-policy name}

Syntax Description

group-policy name

Provides the name of the group policy.


Defaults

By default, VPN users have no group policy association.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Username


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

You can override the value of an attribute in a group policy for a particular user by configuring it in username mode, if that attribute is available in username mode.

Examples

The following example shows how to configure a user named anyuser to use attributes from the group policy named FirstGroup:

hostname(config)# username anyuser attributes
hostname(config-username)# vpn-group-policy FirstGroup

Related Commands

Command
Description

group-policy

Adds a group policy to the security appliance database.

group-policy attributes

Enters group-policy attributes mode, which lets you configure AVPs for a group policy.

username

Adds a user to the security appliance database.

username attributes

Enters username attributes mode, which lets you configure AVPs for specific users.


vpn-idle-timeout

To configure a user timeout period use the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode. If there is no communication activity on the connection in this period, the security appliance terminates the connection.

To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a time-out value from another group policy. To prevent inheriting a value, use the vpn-idle-timeout none command.

vpn-idle-timeout {minutes | none}

no vpn-idle-timeout

Syntax Description

minutes

Specifies the number of minutes in the timeout period. Use an integer between 1 and 35791394.

none

Permits an unlimited idle timeout period. Sets idle timeout with a null value, thereby disallowing an idle timeout. Prevents inheriting a value from a default or specified group policy.


Defaults

30 minutes.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to set a VPN idle timeout of 15 minutes for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-idle-timeout 30

Related Commands

group-policy

Creates or edits a group policy.

vpn-session-timeout

Configures the maximum amount of time allowed for VPN connections. At the end of this period of time, the security appliance terminates the connection.


vpn load-balancing

To enter vpn load-balancing mode, in which you can configure VPN load balancing and related functions, use the vpn load-balancing command in global configuration mode.

vpn load-balancing


Note Only ASA Models 5540 and 5520 support VPN load balancing. VPN load balancing also requires an active 3DES/AES license. The security appliance checks for the existence of this crypto license before enabling load balancing. If it does not detect an active 3DES or AES license, the security appliance prevents the enabling of load balancing and also prevents internal configuration of 3DES by the load balancing system unless the license permits this usage.


Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration mode


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Use the vpn load-balancing command to enter vpn load-balancing mode. The following commands are available in vpn load-balancing mode:

cluster encryption

cluster ip address

cluster key

cluster port

interface

nat

participate

priority

See the individual command descriptions for detailed information.

Examples

The following is an example of the vpn load-balancing command; note the change in the prompt:

hostname(config)# vpn load-balancing
hostname(config-load-balancing)#

The following is an example of a VPN load-balancing command sequence that includes an interface command that specifies the public interface of the cluster as "test" and the private interface of the cluster as "foo":

hostname(config)# interface GigabitEthernet 0/1
hostname(config-if)# ip address 209.165.202.159 255.255.255.0
hostname(config)# nameif test
hostname(config)# interface GigabitEthernet 0/2
hostname(config-if)# ip address 209.165.201.30 255.255.255.0
hostname(config)# nameif foo
hostname(config)# vpn load-balancing
hostname(config-load-balancing)# nat 192.168.10.10
hostname(config-load-balancing)# priority 9
hostname(config-load-balancing)# interface lbpublic test
hostname(config-load-balancing)# interface lbprivate foo
hostname(config-load-balancing)# cluster ip address 209.165.202.224
hostname(config-load-balancing)# cluster key 123456789
hostname(config-load-balancing)# cluster encryption
hostname(config-load-balancing)# cluster port 9023

hostname(config-load-balancing)# participate

Command
Description

clear configure vpn load-balancing

Removes the load-balancing runtime configuration and disables load balancing.

show running-config vpn load-balancing

Displays the the current VPN load-balancing virtual cluster configuration.

show vpn load-balancing

Displays VPN load-balancing runtime statistics.


vpn-sessiondb logoff

To log off all or selected VPN sessions, use the vpn-sessiondb logoff command in global configuration mode.

vpn-sessiondb logoff {remote | l2l | webvpn | email-proxy | protocol protocol-name | name username | ipaddress IPaddr | tunnel-group groupname | index indexnumber | all}

Syntax Description

all

Logs off all VPN sessions.

email-proxy

Logs off all e-mail proxy sessions.

index indexnumber

Logs off a single session by index number. Specify the index number for the session.

ipaddress IPaddr

Logs off sessions for the IP address hat you specify.

l2l

Logs off all LAN-to-LAN sessions.

name username

Logs off sessions for the username that you specify.

protocol protocol-name

Logs off sessions for protocols that you specify. The protocols include:

 

IKE

IMAP4S

IPSec

IPSecLAN2LAN

IPSecLAN2LANOverNatT

IPSecOverNatT

IPSecoverTCP

IPSecOverUDP

POP3S

SMTPS

userHTTPS

vcaLAN2LAN

remote

Logs off all remote-access sessions.

tunnel-group groupname

Logs off sessions for the tunnel group that you specify.

webvpn

Logs off all WebVPN sessions.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to log off all remote-access sessions:

hostname# vpn-sessiondb logoff remote

The next example shows how to log off all IPSec sessions:

hostname# vpn-sessiondb logoff protocol IPSec

vpn-sessiondb max-session-limit

To limit VPN sessions to a lower value than the security appliance allows, use the vpn-sessiondb max-session-limit command in global configuration mode. To remove the session limit, use the no version of this command. To overwrite the current setting, use the command again.

vpn-sessiondb max-session-limit {session-limit}

no vpn-sessiondb max-session-limit

Syntax Description

session-limit

Specifies the maximum number of VPN sessions permitted.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

This command applies to all types of VPN sessions, including WebVPN.

Examples

The following example shows how to set a maximum VPN session limit of 450:

hostname# vpn-sessiondb max-session-limit 450

vpn-session-timeout

To configure a maximum amount of time allowed for VPN connections, use the vpn-session-timeout command in group-policy configuration mode or in username configuration mode. At the end of this period of time, the security appliance terminates the connection.

To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a time-out value from another group policy. To prevent inheriting a value, use the vpn-session-timeout none command.

vpn-session-timeout {minutes | none}

no vpn-session-timeout

Syntax Description

minutes

Specifies the number of minutes in the timeout period. Use an integer between 1 and 35791394.

none

Permits an unlimited session timeout period. Sets session timeout with a null value, thereby disallowing a session timeout. Prevents inheriting a value from a default or specified group policy.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

7.0

This command was introduced.


Examples

The following example shows how to set a VPN session timeout of 180 minutes for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-session-timeout 180

Related Commands

group-policy

Creates or edits a group policy.

vpn-idle-timeout

Configures the user timeout period. If there is no communication activity on the connection in this period, the security appliance terminates the connection.


vpn-simultaneous-logins

To configure the number of simultaneous logins permitted for a user, use the vpn-simultaneous-logins command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy. Enter 0 to disable login and prevent user access.

vpn-simultaneous-logins {integer}

no vpn-simultaneous-logins

Syntax Description

integer

A number between 0 and 2147483647.


Defaults

The default is 3 simultaneous logins.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Enter 0 to disable login and prevent user access.

Examples

The following example shows how to allow a maximum of 4 simultaneous logins for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-simultaneous-logins 4

vpn-tunnel-protocol

To configure a VPN tunnel type (IPSec or WebVPN), use the vpn-tunnel-protocol command in group-policy configuration mode or username configuration mode. To remove the attribute from the running configuration, use the no form of this command.

vpn-tunnel-protocol {webvpn | IPSec}

no vpn-tunnel-protocol [webvpn | IPSec]

Syntax Description

IPSec

Negotiates an IPSec tunnel between two peers (a remote access client or another secure gateway). Creates security associations that govern authentication, encryption, encapsulation, and key management.

webvpn

Provides VPN services to remote users via an HTTPS-enabled web browser, and does not require a client


Defaults

IPSec.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Use this command to configure one or more tunneling modes. You must configure at least one tunneling mode for users to connect over a VPN tunnel.

Examples

The following example shows how to configure WebVPN and IPSec tunneling modes for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-tunnel-protocol webvpn
hostname(config-group-policy)# vpn-tunnel-protocol IPSec

webvpn

To enter webvpn mode, in global configuration mode, enter the webvpn command. To remove any commands entered with this command, use the no webvpn command. These webvpn commands apply to all WebVPN users.

These webvpn commands let you configure AAA servers, default group policies, default idle timeout, http and https proxies, and NBNS servers for WebVPN, as well as the appearance of WebVPN screens that end users see.

webvpn

no webvpn

Syntax Description

This command has no arguments or keywords.

Defaults

WebVPN is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

This WebVPN mode lets you configure global settings for WebVPN. WebVPN mode, which you enter from either group-policy mode or username mode, lets you customize a WebVPN configuration for specific users or group policies.

Examples

The following example shows how to enter WebVPN command mode:

hostname(config)# webvpn
hostname(config-webvpn)#

webvpn (group-policy, username)

To enter this webvpn mode, use the webvpn command in group-policy configuration mode or in username configuration mode. To remove all commands entered in webvpn mode, use the no form of this command. These webvpn commands apply to the username or group policy from which you configure them.

Webvpn commands for group policies and usernames define access to files, MAPI proxy, URLs and TCP applications over WebVPN. They also identify ACLs and types of traffic to filter.

webvpn

no webvpn

Syntax Description

This command has no arguments or keywords.

Defaults

WebVPN is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy

Username


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Webvpn mode, which you enter from global configuration mode, lets you configure global settings for WebVPN.

Webvpn mode, described in this section, and which you enter from group-policy or username mode, lets you customize a WebVPN configuration for specific users or group policies.

You do not need to configure WebVPN to use e-mail proxies.

WebVPN lets users establish a secure, remote-access VPN tunnel to the security appliance using a web browser. There is no need for either a software or hardware client. WebVPN provides easy access to a broad range of web resources and web-enabled applications from almost any computer on the Internet. WebVPN uses SSL and its successor, TLS1 to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site. The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users.

Examples

The following example shows how to enter webvpn mode for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# webvpn
hostname(config-webvpn)#

Related Commands

Command
Description

filter

Identifies the access list to be used for WebVPN connections.

functions

Configures file access and file browsing, MAPI Proxy, and URL entry over WebVPN.

homepage

Sets the URL of the webpage that displays when WebVPN users log in.

html-content-filter

Identifies Java, ActiveX, images, scripts, and cookies to filter for WebVPN sessions.

port-forward

Enables WebVPN application access.

port-forward-name

Configures the display name that identifies TCP port forwarding to end users.

url-list

Identifies a list of servers and URLs that users can access via WebVPN.


who

To display active Telnet administration sessions on the security appliance, use the who command in privileged EXEC mode.

who [local_ip]

Syntax Description

local_ip

(Optional) Specifies to limit the listing to one internal IP address or network address, either IPv4 or IPv6.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The who command allows you to display the TTY_ID and IP address of each Telnet client that is currently logged into the security appliance.

Examples

This example shows the output of the who command when a client is logged into the security appliance through a Telnet session:

hostname# who
0: 100.0.0.2
hostname# who 100.0.0.2
0: 100.0.0.2
hostname#

Related Commands

Command
Description

kill

Terminate a Telnet session.

telnet

Adds Telnet access to the security appliance console and sets the idle timeout.


window-variation

To drop a connection with a window size variation, use the window-variation command in tcp-map configuration mode. To remove this specification, use the no form of this command.

window variation {allow-connection | drop-connection}

no window variation {allow-connection | drop-connection}

Syntax Description

allow-connection

Allows the connection.

drop-connection

Drops the connection.


Defaults

The default action is to allow the connection.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tcp-map configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. Use the window-variation command in tcp-map configuration mode to drop all connections with a window size that has been shrunk.

The window size mechanism allows TCP to advertise a large window and to subsequently advertise a much smaller window without having accepted too much data. From the TCP specification, "shrinking the window" is strongly discouraged. When this condition is detected, the connection can be dropped.

Examples

The following example shows how to drop all connections with a varied window size:

hostname(config)# access-list TCP extended permit tcp any any
hostname(config)# tcp-map tmap
hostname(config-tcp-map)# window-variation drop-connection
hostname(config)# class-map cmap
hostname(config-cmap)# match access-list TCP
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# set connection advanced-options tmap
hostname(config)# service-policy pmap global

Related Commands

Command
Description

class

Specifies a class map to use for traffic classification.

help

Shows syntax help for the policy-map, class, and description commands.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

set connection

Configures connection values.

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.


wins-server

To set the IP address of the primary and secondary WINS servers, use the wins-server command in group-policy configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a WINS server from another group policy. To prevent inheriting a server, use the wins-server none command.

wins-server value {ip_address} [ip_address] | none

no wins-server

Syntax Description

none

Sets wins-servers to a null value, thereby allowing no WINS servers. Prevents inheriting a value from a default or specified group policy.

value ip_address

Specifies the IP address of the primary and secondary WINS servers.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Every time you issue the wins-server command you overwrite the existing setting. For example, if you configure WINS server x.x.x.x and then configure WINS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole WINS server. The same holds true for multiple servers. To add a WINS server rather than overwrite previously configured servers, include the IP addresses of all WINS servers when you enter this command.

Examples

The following example shows how to configure WINS servers with the IP addresses 10.10.10.15, 10.10.10.30, and 10.10.10.45 for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# wins-server value 10.10.10.15 10.10.10.30 10.10.10.45

write erase

To erase the startup configuration, use the write erase command in privileged EXEC mode. The running configuration remains intact.

write erase

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

This command is not supported within a security context. Context startup configurations are identified by the config-url command in the system configuration. If you want to delete a context configuration, you can remove the file manually from the remote server (if specified) or clear the file from Flash memory using the delete command in the system execution space.

Examples

The following example erases the startup configuration:

hostname# write erase
Erase configuration in flash memory? [confirm] y

Related Commands

Command
Description

configure net

Merges a configuration file from the specified TFTP URL with the running configuration.

delete

Removes a file from Flash memory.

show running-config

Shows the running configuration.

write memory

Saves the running configuration to the startup configuration.


write memory

To save the running configuration to the startup configuration, use the write memory command in privileged EXEC mode.

write memory

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The running configuration is the configuration currently running in memory, including any changes you made at the command line. Changes are only preserved between reboots if you save them to the startup configuration, which is the configuration loaded into running memory at startup. The location of the startup configuration for single context mode and for the system in multiple context mode can be changed from the default location (a hidden file) to a location of your choosing using the boot config command. For multiple context mode, a context startup configuration is at the location specified by the config-url command in the system configuration.

In multiple context mode, this command saves only the current configuration; you cannot save all contexts with a single command. You must enter this command separately for the system and for each context. Context startup configurations can reside on external servers. In this case, the security appliance saves the configuration back to the server specified by the config-url command, except for HTTP and HTTPS URLs, which do not allow you to save the configuration back to the server. Because the system uses the admin context interfaces to access context startup configurations, the write memory command also uses the admin context interfaces. The write net command, however, uses the context interfaces to write a configuration to a TFTP server.

The write memory command is equivalent to the copy running-config startup-config command.

Examples

The following example saves the running configuration to the startup configuration:

hostname# write memory
Building configuration...
Cryptochecksum: e43e0621 9772bebe b685e74f 748e4454

19319 bytes copied in 3.570 secs (6439 bytes/sec)
[OK]
hostname# 

Related Commands

Command
Description

admin-context

Sets the admin context.

boot

Sets the boot image and startup configuration.

configure memory

Merges the startup configuration with the running configuration.

config-url

Specifies the location of the context configuration.

copy running-config startup-config

Copies the running configuration to the startup configuration.

write net

Copies the running configuration to a TFTP server.


write net

To save the running configuration to a TFTP server, use the write net command in privileged EXEC mode.

write net [server:[filename] | :filename]

Syntax Description

:filename

Specifies the path and filename. If you already set the filename using the tftp-server command, then this argument is optional.

If you specify the filename in this command as well as a name in the tftp-server command, the security appliance treats the tftp-server command filename as a directory, and adds the write net command filename as a file under the directory.

To override the tftp-server command value, enter a slash in front of the path and filename. The slash indicates that the path is not relative to the tftpboot directory, but is an absolute path. The URL generated for this file includes a double slash (//) in front of the filename path. If the file you want is in the tftpboot directory, you can include the path for the tftpboot directory in the filename path. If your TFTP server does not support this type of URL, use the copy running-config tftp command instead.

If you specified the TFTP server address using the tftp-server command, you can enter the filename alone preceded by a colon (:).

server:

Sets the TFTP server IP address or name. This address overrides the address you set in the tftp-server command, if present.

The default gateway interface is the highest security interface; however, you can set a different interface name using the tftp-server command.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The running configuration is the configuration currently running in memory, including any changes you made at the command line.

In multiple context mode, this command saves only the current configuration; you cannot save all contexts with a single command. You must enter this command separately for the system and for each context. The write net command uses the context interfaces to write a configuration to a TFTP server. The write memory command, however, uses the admin context interfaces to save to the startup configuration because the system uses the admin context interfaces to access context startup configurations.

The write net command is equivalent to the copy running-config tftp command.

Examples

The following example sets the TFTP server and filename in the tftp-server command:

hostname# tftp-server inside 10.1.1.1 /configs/contextbackup.cfg
hostname# write net

The following example sets the server and filename in the write net command. The tftp-server command is not populated.

hostname# write net 10.1.1.1:/configs/contextbackup.cfg

The following example sets the server and filename in the write net command. The tftp-server command supplies the directory name, and the server address is overridden.

hostname# tftp-server 10.1.1.1 configs
hostname# write net 10.1.2.1:context.cfg

Related Commands

Command
Description

configure net

Merges a configuration file from the specified TFTP URL with the running configuration.

copy running-config tftp

Copies the running configuration to a TFTP server.

show running-config

Shows the running configuration.

tftp-server

Sets a default TFTP server and path for use in other commands.

write memory

Saves the running configuration to the startup configuration.


write standby

To copy the security appliance or context running configuration to the failover standby unit, use the write standby command in privileged EXEC mode.

write standby

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

For Active/Standby failover, the write standby command writes the configuration stored in the RAM of the active failover unit to the RAM on the standby unit. Use the write standby command if the primary and secondary unit configurations have different information. Enter this command on the active unit.

For Active/Active failover, the write standby command behaves as follows:

If you enter the write standby command in the system execution space, the system configuration and the configurations for all of the security contexts on the security appliance is written to the peer unit. This includes configuration information for security contexts that are in the standby state. You must enter the command in the system execution space on the unit that has failover group 1 in the active state.

If you enter the write standby command in a security context, only the configuration for the security context is written to the peer unit. You must enter the command in the security context on the unit where the security context appears in the active state.


Note The write standby command replicates the configuation to the running configuration of the peer unit; it does not save the configuration to the startup configuration. To save the configuration changes to the startup configuration, use the copy running-config startup-config command on the same unit that you entered the write standby command. The command will be replicated to the peer unit and the configuration saved to the startup configuration.


When Stateful Failover is enabled, the write standby command also replicates state information to the standby unit after the configuration replication is complete.

Examples

The following example writes the current running configuration to the standby unit:

hostname# write standby
Building configuration...
[OK]
hostname# 

Related Commands

Command
Description

failover reload-standby

Forces the standby unit to reboot.


write terminal

To show the running configuration on the terminal, use the write terminal command in privileged EXEC mode.

write terminal

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

This command is equivalent to the show running-config command.

Examples

The following example writes the running configuration to the terminal:

hostname# write terminal
: Saved
:
ASA Version 7.0(0)61
multicast-routing
names
name 10.10.4.200 outside
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.86.194.60 255.255.254.0
 webvpn enable
...

Related Commands

Command
Description

configure net

Merges a configuration file from the specified TFTP URL with the running configuration.

show running-config

Shows the running configuration.

write memory

Saves the running configuration to the startup configuration.