Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 4.0
telnet -- tunnel-limit
Downloads: This chapterpdf (PDF - 626.0KB) The complete bookPDF (PDF - 16.33MB) | Feedback

telnet through tunnel-limit Commands

Table Of Contents

telnet through tunnel-limit Commands

telnet

terminal

terminal pager

terminal width

test aaa-server

test regex

tftp-server

timeout

timeout (aaa-server host)

timeout (gtp-map)

timeout pinhole

time-range

timers lsa-group-pacing

timers spf

traffic-non-sip

transfer-encoding

trust-point

tunnel-group

tunnel-group general-attributes

tunnel-group ipsec-attributes

tunnel-group-map default-group

tunnel-group-map enable

tunnel-limit


telnet through tunnel-limit Commands


telnet

To add Telnet access to the console and set the idle timeout, use the telnet command in global configuration mode. To remove Telnet access from a previously set IP address, use the no form of
this command.

telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}

no telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}

Syntax Description

hostname

Specifies the name of a host that can access the Telnet console of the FWSM.

interface_name

Specifies the name of the network interface to Telnet to.

IP_address

Specifies the IP address of a host or network authorized to log in to the FWSM.

IPv6_address

Specifies the IPv6 address/prefix authorized to log in to the FWSM.

mask

Specifies the netmask associated with the IP address.

timeout number

Number of minutes that a Telnet session can be idle before being closed by the FWSM; valid values are from 1 to 1440 minutes.


Defaults

By default, Telnet sessions left idle for five minutes are closed by the FWSM.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

The variable IPv6_address was added. The no telnet timeout command was added.


Usage Guidelines

The telnet command lets you specify which hosts can access the FWSM console with Telnet. You can enable Telnet on all interfaces except the lowest security interface, which is considered to be the outside interface. If there is only one interface and the security level is set to below the maximum of 100, then Telnet will not be allowed. To allow Telnet in this case, you must increase the security level of the interface to 100, or add another interface with a lower security level then the current one.

Use the no telnet command to remove Telnet access from a previously set IP address. Use the telnet timeout command to set the maximum time that a console Telnet session can be idle before being logged off by the FWSM. You cannot use the no telnet command with the telnet timeout command.

If you enter an IP address, you must also enter a netmask. There is no default netmask. Do not use the subnetwork mask of the internal network. The netmask is only a bit mask for the IP address. To limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255.

If IPSec is operating, you can specify an unsecure interface name, which is typically, the outside interface. At a minimum, you might configure the crypto map command to specify an interface name with the telnet command.

Use the passwd command to set a password for Telnet access to the console. The default is cisco. Use the who command to view which IP addresses are currently accessing the FWSM console. Use the kill command to terminate an active Telnet console session.

If you use the aaa command with the console keyword, Telnet console access must be authenticated with an authentication server.


Note If you have configured the aaa command to require authentication for FWSM Telnet console access and the console login request times out, you can gain access to the FWSM from the serial console by entering the FWSM username and the password that was set with the enable password command.


Examples

This example shows how to permit hosts 192.168.1.3 and 192.168.1.4 to access the FWSM console through Telnet. In addition, all the hosts on the 192.168.2.0 network are given access.

hostname(config)# telnet 192.168.1.3 255.255.255.255 inside
hostname(config)# telnet 192.168.1.4 255.255.255.255 inside
hostname(config)# telnet 192.168.2.0 255.255.255.0 inside
hostname(config)# show running-config telnet
192.168.1.3 255.255.255.255 inside
192.168.1.4 255.255.255.255 inside
192.168.2.0 255.255.255.0 inside
 
   

This example shows how to change the maximum session idle duration:

hostname(config)# telnet timeout 10
hostname(config)# show running-config telnet timeout
telnet timeout 10 minutes
 
   

This example shows a Telnet console login session (the password does not display when entered):

hostname# passwd: cisco
 
   
Welcome to the XXX
...
Type help or `?' for a list of available commands.
hostname>
 
   

You can remove individual entries with the no telnet command or all telnet command statements with the clear configure telnet command:

hostname(config)# no telnet 192.168.1.3 255.255.255.255 inside
hostname(config)# show running-config telnet
192.168.1.4 255.255.255.255 inside
192.168.2.0 255.255.255.0 inside
 
   
hostname(config)# clear configure telnet
 
   

Related Commandsshow telnet

Command
Description

clear configure telnet

Removes a Telnet connection from the configuration.

kill

Terminates a Telnet session.

show running-config telnet

Displays the current list of IP addresses that are authorized to use Telnet connections to the FWSM.

who

Displays active Telnet administration sessions on the FWSM.


terminal

To allow system log messages to show in the current Telnet session, use the terminal monitor command in privileged EXEC mode. To disable system log messages, use the terminal no monitor command.

terminal {monitor | no monitor}

Syntax Description

monitor

Enables the display of system log messages on the current Telnet session.

no monitor

Disables the display of system log messages on the current Telnet session.


Defaults

System log messages are disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

1.1(1)

This command was introduced.


Examples

This example shows how to enable logging and then disable logging only in the current session:

hostname# terminal monitor
hostname# terminal no monitor

Related Commands

Command
Description

clear configure terminal

Clears the terminal display width setting.

pager

Sets the number of lines to display in a Telnet session before the "---more---" prompt. This command is saved to the configuration.

show running-config terminal

Displays the current terminal settings.

terminal pager

Sets the number of lines to display in a Telnet session before the "---more---" prompt. This command is not saved to the configuration.

terminal width

Sets the terminal display width in global configuration mode.


terminal pager

To set the number of lines on a page before the "---more---" prompt appears for Telnet sessions, use the terminal pager command in privileged EXEC mode.

terminal pager [lines] lines

Syntax Description

[lines] lines

Sets the number of lines on a page before the "---more---" prompt appears. The default is 24 lines; 0 means no page limit. The range is 0 through 2147483647 lines. The lines keyword is optional and the command is the same with or without it.


Defaults

The default is 24 lines.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was changed from the pager command; the pager command is now a global configuration mode command.


Usage Guidelines

This command changes the pager line setting only for the current Telnet session. To save a new default pager setting to the configuration, use the pager command.

If you Telnet to the admin context or session to the system execution space, then the pager line setting follows your session when you change to other contexts, even if the pager command in a given context has a different setting. To change the current pager setting, enter the terminal pager command with a new setting, or you can enter the pager command in the current context. In addition to saving a new pager setting to the context configuration, the pager command applies the new setting to the current Telnet session.

Examples

The following example changes the number of lines displayed to 20:

hostname# terminal pager 20

Related Commands

Command
Description

clear configure terminal

Clears the terminal display width setting.

pager

Sets the number of lines to display in a Telnet session before the "---more---" prompt. This command is saved to the configuration.

show running-config terminal

Displays the current terminal settings.

terminal

Allows system log messsages to display on the Telnet session.

terminal width

Sets the terminal display width in global configuration mode.


terminal width

To set the width for displaying information during console sessions, use the terminal width command in global configuration mode. To disable, use the no form of this command.

terminal width columns

no terminal width columns

Syntax Description

columns

Specifies the terminal width in columns. The default is 80. The range is 40 to 511.


Defaults

The default display width is 80 columns.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Examples

This example shows how to terminal display width to 100 columns:

hostname# terminal width 100

Related Commands

Command
Description

clear configure terminal

Clears the terminal display width setting.

show running-config terminal

Displays the current terminal settings.

terminal

Sets the terminal line parameters in privileged EXEC mode.


test aaa-server

To check whether the FWSM can authenticate or authorize users with a particular AAA server, use the test aaa-server command in privileged EXEC mode. Failure to reach the AAA server may be due to incorrect configuration on the FWSM, or the AAA server may be unreachable for other reasons, such as restrictive network configurations or server downtime.

test aaa-server {authentication server_tag [host ip_address] [username username] [password password] | authorization server_tag [host ip_address] [username username]}

Syntax Description

authentication

Tests a AAA server for authentication capability.

authorization

Tests a AAA server for legacy VPN authorization capability.

host ip_address

Specifies the server IP address. If you do not specify the IP address in the command, you are prompted for it.

password password

Specifies the user password. If you do not specify the password in the command, you are prompted for it.

server_tag

Specifies the AAA server tag as set by the aaa-server command.

username username

Specifies the username of the account used to test the AAA server settings. Make sure the username exists on the AAA server; otherwise, the test will fail. If you do not specify the username in the command, you are prompted for it.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The test aaa-server command lets you verify that the FWSM can authenticate users with a particular AAA server, and for legacy VPN authorization, if you can authorize a user. This command lets you test the AAA server without having an actual user who attempts to authenticate or authorize. It also helps you isolate whether AAA failures are due to misconfiguration of AAA server parameters, a connection problem to the AAA server, or other configuration errors on the FWSM.

Examples

The following example configures a RADIUS AAA server named srvgrp1 on host 192.168.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures authentication port 1650. The test aaa-server command following the setup of the AAA server parameters indicates that the authentication test failed to reach the server.

hostname(config)# aaa-server svrgrp1 protocol radius
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 192.168.3.4
hostname(config-aaa-server-host)# timeout 9
hostname(config-aaa-server-host)# retry-interval 7
hostname(config-aaa-server-host)# authentication-port 1650
hostname(config-aaa-server-host)# exit
hostname(config)# test aaa-server authentication svrgrp1
Server IP Address or name: 192.168.3.4
Username: bogus
Password: mypassword
INFO: Attempting Authentication test to IP address <192.168.3.4> (timeout: 10 seconds)
ERROR: Authentication Rejected: Unspecified

The following is sample output from the test aaa-server command with a successful outcome:

hostname# test aaa-server authentication svrgrp1 host 192.168.3.4 username bogus password 
mypassword
INFO: Attempting Authentication test to IP address <10.77.152.85> (timeout: 12 seconds)
INFO: Authentication Successful
 
   

Related Commands

Command
Description

aaa authentication console

Configures authentication for management traffic.

aaa authentication match

Configures authentication for through traffic.

aaa-server

Creates a AAA server group.

aaa-server host

Adds a AAA server to a server group.


test regex

To test a regular expression, use the test regex command in privileged EXEC mode.

test regex input_text regular_expression

Syntax Description

input_text

Specifies the text that you want to match with the regular expression.

regular_expression

Specifies the regular expression up to 100 characters in length. See the regex command for a list of metacharacters you can use in the regular expression.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

The test regex command tests a regular expression to make sure it matches what you think it will match.

If the regular expression matches the input text, you see the following message:

INFO: Regular expression match succeeded.
 
   

If the regular expression does not match the input text, you see the following message:

INFO: Regular expression match failed.
 
   

Examples

The following example tests input text against a regular expression:

hostname# test regex farscape scape
INFO: Regular expression match succeeded.
 
   
hostname# test regex farscape scaper
 
   
INFO: Regular expression match failed.

Related Commands

Command
Description

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a policy map by associating the traffic class with one or more actions.

policy-map type inspect

Defines special actions for application inspection.

class-map type regex

Creates a regular expression class map.

regex

Creates a regular expression.


tftp-server

To specify the default TFTP server and path and filename for use with configure net or write net commands, use the tftp-server command in global configuration mode. To remove the server configuration, use the no form of this command. This command supports IPv4 and IPv6 addresses.

tftp-server interface_name server filename

no tftp-server [interface_name server filename]

Syntax Description

interface_name

Specifies the gateway interface name. If you specify an interface other than the highest security interface, a warning message informs you that the interface is unsecure.

server

Sets the TFTP server IP address or name. You can enter an IPv4 or IPv6 address.

filename

Specifies the path and filename.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

The gateway interface is now required.


Usage Guidelines

The tftp-server command simplifies entering the configure net and write net commands. When you enter the configure net or write net commands, you can either inherit the TFTP server specified by the tftp-server command, or provide your own value. You can also inherit the path in the tftp-server command as is, add a path and filename to the end of the tftp-server command value, or override the tftp-server command value.

The FWSM supports only one tftp-server command.


Note With the tftp-server command configured to define an interface, the copy command will attempt to copy files from the interface specified. You can override that interface in the copy command using the int keyword.


Examples

This example shows how to specify a TFTP server and then read the configuration from the /temp/config/test_config directory:

hostname(config)# tftp-server inside 10.1.1.42 /temp/config/test_config
hostname(config)# configure net

Related Commands

Command
Description

configure net

Loads the configuration from the TFTP server and path you specify.

show running-config tftp-server

Displays the default TFTP server address and the directory of the configuration file.


timeout

To set the maximum idle time duration, use the timeout command in global configuration mode.

timeout {xlate | conn | half-closed | udp | icmp | h225 | h323 | mgcp | mgcp-pat | sip | sip-disconnect | sip-invite | sip_media | sunrpc | uauth} hh:mm:ss

Syntax Description

conn

Specifies the idle time after which a connection closes; the minimum duration is five minutes.

hh:mm:ss

Specifies the timeout.

h225

Specifies the idle time after which an H.225 signaling connection closes.

h323

Specifies the idle time after which H.245 (TCP) and H.323 (UDP) media connections close. The default is five minutes.


Note Because the same connection flag is set on both H.245 and H.323 media connections, the H.245 (TCP) connection shares the idle timeout with the H.323 (RTP and RTCP) media connection.


half-closed

Specifies the idle time after which a TCP half-closed connection will be freed.

icmp

Specifies the idle time for ICMP.

mgcp

Sets the idle time after which an MGCP media connection is removed.

mgcp-pat

Sets the absolute interval after which an MGCP PAT translation is removed.

sip

Modifies the SIP timer.

sip-disconnect

Sets the idle time after which media is deleted and media xlates are closed. Range is from 1 to 10 minutes. Default is 2 minutes.

sip-invite

Sets the idle time after which pinholes for provisional responses and media xlates are closed. Range is from 1 to 30 minutes. Default is 3 minutes.

sip_media

Modifies the SIP media timer, which is used for SIP RTP/RTCP with SIP UDP media packets, instead of the UDP inactivity timeout.

sunrpc

Specifies the idle time after which a SUNRPC slot will be closed.

uauth

Sets the duration before the authentication and authorization cache times out and the user has to reauthenticate the next connection.

udp

Specifies the idle time until a UDP slot is freed; the minimum duration is one minute.

xlate

Specifies the idle time until a translation slot is freed; the minimum value is one minute.


Defaults

The defaults are as follows:

conn hh:mm:ss is 1 hour (01:00:00).

h225 hh:mm:ss is 1 hour (01:00:00).

h323 hh:mm:ss is 1 hour (01:00:00).

half-closed hh:mm:ss is 10 minutes (00:10:00).

icmp hh:mm:ss is 2 minutes (00:00:02).

mgcp hh:mm:ss is 5 minutes (00:05:00).

mgcp-pat hh:mm:ss is 5 minutes (00:05:00).

sip hh:mm:ss is 30 minutes (00:30:00).

sip-disconnect hh:mm:ss is 2 minutes (00:02:00).

sip-invite hh:mm:ss is 3 minutes (00:03:00).

sip_media hh:mm:ss is 2 minutes (00:02:00).

sunrpc hh:mm:ss is 10 minutes (00:10:00).

uauth timer is absolute.

udp hh:mm:ss is 2 minutes (00:02:00).

xlate hh:mm:ss is 3 hours (03:00:00).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.

3.1(1)

The keyword mgcp-pat was added. The rpc keyword was changed to sunrpc.

3.2(1)

The keywords sip-disconnect and sip-invite were added.


Usage Guidelines

The timeout command lets you set the idle time for many processes. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence.


Note Do not use the timeout uauth 0:0:0 command if passive FTP is used for the connection or if the virtual command is used for web authentication.


The connection timer takes precedence over the translation timer; the translation timer works only after all connections have timed out.

When setting the conn hh:mm:ss, use 0:0:0 to never time out a connection.

When setting the half-closed hh:mm:ss, use 0:0:0 to never time out a half-closed connection. 

When setting the h255 hh:mm:ss, h225 00:00:00 means to never tear down an H.225 signaling connection. A timeout value of h225 00:00:01 disables the timer and closes the TCP connection immediately after all calls are cleared.

The uauth hh:mm:ss duration must be shorter than the xlate keyword. Set to 0 to disable caching. Do not set to zero if passive FTP is used on the connections.

To disable the absolute keyword, set the uauth timer to 0 (zero).

Examples

The following example shows how to configure the maximum idle time durations:

hostname(config)# timeout uauth 0:5:00 absolute uauth 0:4:00 inactivity
hostname(config)# show running-config timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00  
sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute uauth 0:04:00 inactivity

Related Commands

Command
Description

show running-config timeout

Displays the timeout value of the designated protocol.


timeout (aaa-server host)

To configure the host-specific maximum response time, in seconds, allowed before giving up on establishing a connection with the AAA server, use the timeout command in aaa-server host mode. To remove the timeout value and reset the timeout to the default value of 10 seconds, use the no form of this command.

timeout seconds

no timeout

Syntax Description

seconds

Specifies the timeout interval (1-60 seconds) for the request. This is the time after which the FWSM gives up on the request to the primary AAA server. If there is a standby AAA server, the FWSM sends the request to the backup server.


Defaults

The default timeout value is 10 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server host configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

This command is valid for all AAA server protocol types.

Use the timeout command to specify the length of time during which the FWSM attempts to make a connection to a AAA server. Use the retry-interval command to specify the amount of time the FWSM waits between connection attempts.

The timeout is the total amount of time that the FWSM spends trying to complete a transaction with a server. The retry interval determines how often the communication is retried during the timeout period. Thus, if the retry interval is greater than or equal to the timeout value, you will see no retries. If you want to see retries, the retry interval musts be less than thte timeout value.

Examples

The following example configures a RADIUS AAA server named "svrgrp1" on host 1.2.3.4 to use a timeout value of 30 seconds, with a retry interval of 10 seconds. Thus, the FWSM tries the communication attempt three times before giving up after 30 seconds.

hostname(config)# aaa-server svrgrp1 protocol radius
hostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4
hostname(config-aaa-server-host)# timeout 30
hostname(config-aaa-server-host)# retry-interval 10
hostname(config-aaa-server-host)# exit
hostname(config)# 

Related Commands

Command
Description

aaa-server host

Enters aaa server host configuration mode so that you can configure AAA server parameters that are host-specific.

clear configure aaa-server

Removes all AAA command statements from the configuration.

show running-config aaa

Displays the current AAA configuration values.


timeout (gtp-map)

To change the inactivity timers for a GTP session, use the timeout command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form of this command to set these intervals to their default values.

timeout {gsn | pdp-context | request | signaling | tunnel } hh:mm:ss

no timeout {gsn | pdp-context | request | signaling | tunnel } hh:mm:ss

Syntax Description

hh:mm:ss

This is the timeout where hh specifies the hour, mm specifies the minutes, and ss specifies the seconds. The value 0 means never tear down immediately.

gsn

Specifies the period of inactivity after which a GSN will be removed.

pdp-context

Specifies the maximum period of time allowed before beginning to receive the PDP context.

request

Specifies the the maximum period of time allowed before beginning to receive the GTP message.

signaling

Specifies the period of inactivity after which the GTP signaling will be removed.

tunnel

Specifies the the period of inactivity after which the GTP tunnel will be torn down.


Defaults

The default is 30 minutes for gsn, pdp-context, and signaling.

The default for request is 1 minute.

The default for tunnel is 1 minute (in the case where a Delete PDP Context Request is not received).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

GTP map configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The PDP context is identified by the TID, which is a combination of IMSI and NSAPI. Each MS can have up to 15 NSAPIs, allowing it to create multiple PDP contexts each with a different NSAPI, based on application requirements for varied QoS levels.

A GTP tunnel is defined by two associated PDP Contexts in different GSN nodes and is identified with a Tunnel ID. A GTP tunnel is necessary to forward packets between an external packet data network and a mobile station user.

Examples

The following example sets a timeout value for the request queue of 2 minutes:

hostname(config)# gtp-map gtp-policy
hostname(config-gtpmap)# timeout request 00:02:00
 
   

Related Commands

Commands
Description

clear service-policy inspect gtp

Clears global GTP statistics.

debug gtp

Displays detailed information about GTP inspection.

gtp-map

Defines a GTP map and enables GTP map configuration mode.

inspect gtp

Applies a specific GTP map to use for application inspection.

show service-policy inspect gtp

Displays the GTP configuration.


timeout pinhole

To configure the timeout for DCERPC pinholes and override the global system pinhole timeout of two minutes, use the timeout pinhole command in policy-map configuration mode. To disable this feature, use the no form of this command.

timeout pinhole hh:mm:ss

no timeout pinhole

Syntax Description

hh:mm:ss

The timeout for pinhole connections. Value is between 0:0:1 and 1193:0:0.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Policy-map configuration


Command History

Release
Modification

3.2(1)

This command was introduced.


Examples

The following example shows how to configure the pinhole timeout for pin hole connections in a DCERPC inspection map:

hostname(config)# policy-map type inspect dcerpc dcerpc_map
hostname(config-pmap)# timeout pinhole 0:10:00
 
   

Related Commands

Command
Description

clear configure dcerpc-map

Clears DCERPC map configuration.

endpoint-mapper

Configures options for the endpoint mapper traffic.

show running-config dcerpc-map

Display all current DCERPC map configurations.


time-range

To enter time-range configuration mode and define a time range that you can attach to traffic rules, or an action, use the time-range command in global configuration mode. To disable, use the no form of this command.

time-range name

no time-range name

Syntax Description

name

Name of the time range. The name must be 64 characters or less.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

Creating a time range does not restrict access to the device. The time-range command defines the time range only. After a time range is defined, you can attach it to traffic rules or an action.

To implement a time-based ACL, use the time-range command to define specific times of the day and week. Then use the with the access-list extended time-range command to bind the time range to an ACL.

The time range relies on the system clock of the FWSM; however, the feature works best with NTP synchronization.

Examples

The following example creates a time range named "New_York_Minute" and enters time range configuration mode:

hostname(config)# time-range New_York_Minute
hostname(config-time-range)#
 
   

After you have created a time range and entered time-range configuration mode, you can define time range parameters with the absolute and periodic commands. To restore default settings for the time-range command absolute and periodic keywords, use the default command in time-range configuration mode.

To implement a time-based ACL, use the time-range command to define specific times of the day and week. Then use the with the access-list extended command to bind the time range to an ACL. The following example binds an ACL named "Sales" to a time range named "New_York_Minute":

hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host 
209.165.201.1 time-range New_York_Minute
hostname(config)# 
 
   

See the access-list extended command for more information about ACLs.

Related Commands

Command
Description

absolute

Defines an absolute time when a time range is in effect.

access-list extended

Configures a policy for permitting or denying IP traffic through the FWSM.

default

Restores default settings for the time-range command absolute and periodic keywords.

periodic

Specifies a recurring (weekly) time range for functions that support the time-range feature.


timers lsa-group-pacing

To specify the interval at which OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged, use the timers lsa-group-pacing command in router configuration mode. To restore the default value, use the no form of this command.

timers lsa-group-pacing seconds

no timers lsa-group-pacing [seconds]

Syntax Description

seconds

The interval at which OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged. Valid values are from 10 to 1800 seconds.


Defaults

The default interval is 240 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

To change the interval at which the OSPF link-state advertisements (LSAs) are collected into a group and refreshed, checksummed, or aged, use the timers lsa-group-pacing seconds command. To return to the default timer values, use the no timers lsa-group-pacing command.

Examples

The following example sets the group processing interval of LSAs to 500 seconds:

hostname(config-router)# timers lsa-group-pacing 500
hostname(config-router)# 
 
   

Related Commands

Command
Description

router ospf

Enters router configuration mode.

show ospf

Displays general information about the OSPF routing processes.

timers spf

Specifies the shortest path first (SPF) calculation delay and hold time


timers spf

To specify the shortest path first (SPF) calculation delay and hold time, use the timers spf command in router configuration mode. To restore the default values, use the no form of this command.

timers spf delay holdtime

no timers spf [delay holdtime]

Syntax Description

delay

Specifies the delay time between when OSPF receives a topology change and when it starts a shortest path first (SPF) calculation in seconds, from 1 to 65535.

holdtime

The hold time between two consecutive SPF calculations in seconds; valid values are from 1 to 65535.


Defaults

The defaults are as follows:

delay is 5 seconds.

holdtime is 10 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

To configure the delay time between when the OSPF protocol receives a topology change and when it starts a calculation, and the hold time between two consecutive SPF calculations, use the timers spf command. To return to the default timer values, use the no timers spf command.

Examples

The following example sets the SPF calculation delay to 10 seconds and the SPF calculation hold time to 20 seconds:

hostname(config-router)# timers spf 10 20
hostname(config-router)#
 
   

Related Commands

Command
Description

router ospf

Enters router configuration mode.

show ospf

Displays general information about the OSPF routing processes.

timers lsa-group-pacing

Specifies the interval at which OSPF link-state advertisements (LSAs) are collected and refreshed, checksummed, or aged.


traffic-non-sip

To allow non-SIP traffic using the well-known SIP signaling port, use the traffic-non-sip command in parameters configuration mode. Parameters configuration mode is accessible from policy map configuration mode. To disable this feature, use the no form of this command.

traffic-non-sip

no traffic-non-sip

Syntax Description

This command has no arguments or keywords.

Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Parameters configuration


Command History

Release
Modification

4.0(1)

This command was introduced.


Examples

The following example shows how to allow non-SIP traffic using the well-known SIP signaling port in a SIP inspection policy map:

hostname(config)# policy-map type inspect sip sip_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# traffic-non-sip

Related Commands

Command
Description

class

Identifies a class map name in the policy map.

class-map type inspect

Creates an inspection class map to match traffic specific to an application.

policy-map

Creates a Layer 3/4 policy map.

show running-config policy-map

Display all current policy map configurations.


transfer-encoding

To restrict HTTP traffic by specifying a transfer encoding type, use the transfer-encoding command in HTTP map configuration mode, which is accessible using the http-map command. To disable this feature, use the no form of this command.

transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {allow | reset | drop} [log]

no transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {allow | reset | drop} [log]

Syntax Description

action

Specifies the action taken when a connection using the specified transfer encoding type is detected.

allow

Allows the message.

chunked

Identifies the transfer encoding type in which the message body is transferred as a series of chunks.

compress

Identifies the transfer encoding type in which the message body is transferred using UNIX file compression.

default

Specifies the default action taken by the FWSM when the traffic contains a supported request method that is not on a configured list.

deflate

Identifies the transfer encoding type in which the message body is transferred using zlib format (RFC 1950) and deflate compression (RFC 1951).

drop

Closes the connection.

gzip

Identifies the transfer encoding type in which the message body is transferred using GNU zip (RFC 1952).

identity

Identifies connections in which the message body is no transfer encoding is performed.

log

(Optional) Generates a syslog.

reset

Sends a TCP reset message to client and server.

type

Specifies the type of transfer encoding to be controlled through HTTP application inspection.


Defaults

This command is disabled by default. When the command is enabled and a supported transfer encoding type is not specified, the default action is to allow the connection without logging. To change the default action, use the default keyword and specify a different default action.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

HTTP map configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

When you enable the transfer-encoding command, the FWSM applies the specified action to HTTP connections for each supported and configured transfer encoding type.

The FWSM applies the default action to all traffic that does not match the transfer encoding types on the configured list. The preconfigured default action is to allow connections without logging.

For example, given the preconfigured default action, if you specify one or more encoding types with the action of drop and log, the FWSM drops connections containing the configured encoding types, logs each connection, and allows all connections for the other supported encoding types.

If you want to configure a more restrictive policy, change the default action to drop (or reset) and log (if you want to log the event). Then configure each permitted encoding type with the allow action.

Enter the transfer-encoding command once for each setting you wish to apply. You use one instance of the transfer-encoding command to change the default action and one instance to add each encoding type to the list of configured transfer encoding types.

When you use the no form of this command to remove an application category from the list of configured application types, any characters in the command line after the application category keyword are ignored.

Examples

The following example provides a permissive policy, using the preconfigured default, which allows all supported application types that are not specifically prohibited.

hostname(config)# http-map inbound_http
hostname(config-http-map)# transfer-encoding gzip drop log
 
   

In this case, only connections using GNU zip are dropped and the event is logged.

The following example provides a restrictive policy, with the default action changed to reset the connection and to log the event for any encoding type that is not specifically allowed.

hostname(config)# http-map inbound_http
hostname(config-http-map)# port-misuse default action reset log
hostname(config-http-map)# port-misuse identity allow
 
   

In this case, only connections using no transfer encoding are allowed. When HTTP traffic for the other supported encoding types is received, the FWSM resets the connection and creates a syslog entry.

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

debug appfw

Displays detailed information about traffic associated with enhanced HTTP inspection.

http-map

Defines an HTTP map for configuring enhanced HTTP inspection.

inspect http

Applies a specific HTTP map to use for application inspection.

policy-map

Associates a class map with specific security actions.


trust-point

To specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer, use the trust-point command in tunnel-group ipsec-attributes mode. To eliminate a trustpoint specification, use the no form of this command.

trust-point trust-point-name

no trust-point trust-point-name

Syntax Description

trust-point-name

Specifies the name of the trustpoint to use.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group ipsec-attributes configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

You can apply this attribute to all tunnel-group types.

Examples

The following example entered in config-ipsec configuration mode, configures a trustpoint for identifying the certificate to be sent to the IKE peer for the IPSec LAN-to-LAN tunnel group named 209.165.200.225:

hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2L
hostname(config)# tunnel-group 209.165.200.225 ipsec-attributes
hostname(config-ipsec)# trust-point mytrustpoint
hostname(config-ipsec)# 

Related Commands

Command
Description

clear configure tunnel-group

Clears all configured tunnel groups.

crypto ca trustpoint

Enters the trustpoint mode for the specified trustpoint.

show running-config tunnel-group

Shows the configuration for the indicated tunnel group or for all tunnel groups.

tunnel-group-map default-group

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.


tunnel-group

To create and manage the database of connection-specific records for IPSec, use the tunnel-group command in global configuration mode. To remove a tunnel group, use the no form of this command.

tunnel-group name type type

no tunnel-group name

Syntax Description

name

Specifies the name of the tunnel group. This can be any string you choose. If the name is an IP address, it is usually the IP address of the peer.

type

Specifies the type of tunnel group:
L2TP/IPSec— L2TP over IPSec
ipsec-ra—IPSec remote access
ipsec-l2l—IPsec LAN-to-LAN


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration



Note The tunnel-group command is available in transparent firewall mode to allow configuration of a LAN-to-LAN tunnel group, but nat a remote-access gorup. All the tunnel-group commands that are available for LAN-to-LAN are also available in transparent firewall mode.


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The FWSM has two default tunnel groups: DefaultRAGroup, which is the default IPSec remote-access tunnel group, and DefaultL2Lgroup, which is the default IPSec LAN-to-LAN tunnel group. You can change them but not delete them. The FWSM uses these groups to configure default tunnel parameters for remote access and LAN-to-LAN tunnel groups when there is no specific tunnel group identified during tunnel negotiation.

The tunnel-group command has the following commands. Each of these commands puts you in a configuration mode for configuring the attributes at the level of the configuration mode.

tunnel-group general-attributes

tunnel-group ipsec-attributes

tunnel-group ppp-attributes

Examples

The following example entered in global configuration mode, configures an IPSec LAN-to-LAN tunnel group. The name is the IP address of the LAN-to-LAN peer:

hostname(config)# tunnel-group 209.165.200.225 type ipsec-l2l
hostname(config)# 

Related Commands

Command
Description

clear configure tunnel-group

Clears all configured tunnel groups.

show running-config tunnel-group

Shows the tunnel group configuration for all tunnel groups or for a particular tunnel group.

tunnel-group map

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.


tunnel-group general-attributes

To enter the general-attribute configuration mode, use the tunnel-group general-attributes command in global configuration mode. This mode is used to configure settings that are common to all supported tunneling protocols.

To remove all general attributes, use the no form of this command.

tunnel-group name general-attributes

no tunnel-group name general-attributes

Syntax Description

general-attributes

Specifies attributes for this tunnel-group.

name

Specifies the name of the tunnel-group.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The following table lists the commands belonging in this group and the tunnel-group type where you can configure them:

General Attribute
Availability by Tunnel-Group Type

accounting-server-group

IPSec RA, IPSec L2L, L2TP/IPSec

address-pool

IPSec RA, L2TP/IPSec

authentication-server-group

IPSec RA, L2TP/IPSec

authorization-server-group

IPSec RA, L2TP/IPSec

default-group-policy

IPSec RA, IPSec L2L, L2TP/IPSec

dhcp-server

IPSec RA, L2TP/IPSec

strip-group

IPSec RA, L2TP/IPSec

strip-realm

IPSec RA, L2TP/IPSec


Examples

The following example entered in global configuration mode, creates a tunnel group for an IPSec LAN-to-LAN connection using the IP address of the LAN-to-LAN peer, then enters general configuration mode for configuring general attributes. The name of the tunnel group is 209.165.200.225.

hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2L
hostname(config)# tunnel-group 209.165.200.225 general
hostname(config-general)#
 
   

The following example entered in global configuration mode, creates a tunnel group named" remotegrp" for an IPSec remote access connection, and then enters general configuration mode for configuring general attributes for the tunnel group named "remotegrp":

hostname(config)# tunnel-group remotegrp type ipsec_ra
hostname(config)# tunnel-group remotegrp general
hostname(config-general)

Related Commands

Command
Description

clear configure tunnel-group

Clears all configured tunnel groups.

show running-config tunnel-group

Shows the configuration for the indicated tunnel group or for all tunnel groups.

tunnel-group-map default-group

Associates the certificate map entries created using the crypto ca certificate map command with tunnel groups.


tunnel-group ipsec-attributes

To enter the ipsec-attribute configuration mode, use the tunnel-group ipsec-attributes command in global configuration mode. This mode is used to configure settings that are specific to the IPSec tunneling protocol.

To remove all IPSec attributes, use the no form of this command.

tunnel-group name ipsec-attributes

no tunnel-group name ipsec-attributes

Syntax Description

ipsec-attributes

Specifies attributes for this tunnel-group.

name

Specifies the name of the tunnel-group.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The following commands belong in this group:

IPSec Attribute
Availability by Tunnel-Group Type

authorization-dn-attributes

IPSec RA

authorization-required

IPSec RA

chain

IPSec RA, IPSec L2L, L2TP/IPSec

client-update

IPSec RA

isakmp keepalive

IPSec RA

peer-id-validate

IPSec RA, IPSec L2L, L2TP/IPSec

pre-shared-key

IPSec RA, IPSec L2L, L2TP/IPSec

radius-with-expiry

IPSec RA

trust-point

IPSec RA, IPSec L2L, L2TP/IPSec


Examples

The following example entered in global configuration, creates a tunnel group for the IPSec remote-access tunnel group named remotegrp, and then specifies IPSec group attributes:

hostname(config)# tunnel-group remotegrp type ipsec_ra
hostname(config)# tunnel-group remotegrp ipsec-attributes
hostname(config-ipsec)
 
   

Related Commands

Command
Description

crypto ca certificate map

Enters CA certificate map mode.

subject-name (crypto ca certificate map)

Identifies the DN from the CA certificate that is to be compared to the rule entry string.

tunnel-group-map default-group

Designates an existing tunnel-group name as the default tunnel group.


tunnel-group-map default-group

The tunnel-group-map commands configure the policy and rules by which certificate-based IKE sessions are mapped to tunnel groups. To associate the certificate map entries, created using the crypto ca certificate map command, with tunnel groups, use the tunnel-group-map command in global configuration mode. You can invoke this command multiple times as long as each invocation is unique and you do not reference a map index more than once.

Use the no form of this command to eliminate a tunnel-group-map.

tunnel-group-map [rule-index] default-group tunnel-group-name

no tunnel-group-map [rule-index] default-group tunnel-group-name

Syntax Description

Syntax DescriptionSyntax Description

default-group tunnel-group-name

Specifies a default tunnel group to use when the name cannot be derived by other configured methods. The tunnel-group name must already exist.

rule index

(Optional) Refers to parameters specified by the crypto ca certificate map command. The values are 1 to 65535.


Defaults

The default value for the tunnel-group-map default-group is DefaultRAGroup.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The crypto ca certificate map command maintains a prioritized list of certificate mapping rules. There can be only one map. But this map can have up to 65535 rules. Refer to the documentation on the crypto ca certificate map command for more information.

The processing that derives the tunnel-group name from the certificate ignores entries in the certificate map that are not associated with a tunnel group (any map rule not identified by this command).

Examples

The following example entered in global configuration mode, specifies a default tunnel group to use when the name cannot be derived by other configured methods. The name of the tunnel group to use is group1.

hostname(config)# tunnel-group-map default-group group1
hostname(config)# 
 
   

Related Commands

Command
Description

crypto ca certificate map

Enters CA certificate map mode.

subject-name (crypto ca certificate map)

Identifies the DN from the CA certificate that is to be compared to the rule entry string.


tunnel-group-map enable

The tunnel-group-map enable command in global configuration mode configures the policy and rules by which certificate-based IKE sessions are mapped to tunnel groups. Use the no form of this command to restore the default values.

tunnel-group-map [rule-index] enable policy

no tunnel-group-map [rule-index] enable policy

Syntax Description

Syntax DescriptionSyntax Description

policy

Specifies the policy for deriving the tunnel group name from the certificate. Policy can be one of the following:

ike-id—Indicates that if a tunnel-group is not determined based on a rule lookup or taken from the organizational unit (OU), then the certificate-based IKE sessions are mapped to a tunnel group based on the content of the phase1 IKE ID.

ou—Indicates that if a tunnel-group is not determined based on a rule lookup, then use the value of the organizational unit (OU) in the subject distinguished name (DN).

peer-ip—Indicates that if a tunnel-group is not determined based on a rule lookup or taken from the OU or ike-id methods, then use the established peer IP address.

rules—Indicates that the certificate-based IKE sessions are mapped to a tunnel group based on the certificate map associations configured by this command.

rule index

(Optional) Refers to parameters specified by the crypto ca certificate map command. The values are 1 to 65535.


Defaults

The default values for the tunnel-group-map command are enable ou and default-group set to DefaultRAGroup.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

 

Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The crypto ca certificate map command maintains a prioritized list of certificate mapping rules. There can be only one map. But this map can have up to 65535 rules. Refer to the documentation on the crypto ca certificate map command for more information.

Examples

The following example enables mapping of certificate-based IKE sessions to a tunnel group based on the content of the phase1 IKE ID:

hostname(config)# tunnel-group-map enable ike-id
hostname(config)# 
 
   

The following example enables mapping of certificate-based IKE sessions to a tunnel group based on the established IP address of the peer:

hostname(config)# tunnel-group-map enable peer-ip
hostname(config)# 
 
   

The following example enables mapping of certificate-based IKE sessions based on the organizational unit (OU) in the subject distinguished name (DN):

hostname(config)# tunnel-group-map enable ou
hostname(config)# 
 
   

The following example enables mapping of certificate-based IKE sessions based on established rules:

hostname(config)# tunnel-group-map enable rules
hostname(config)# 
 
   

Related Commands

Command
Description

crypto ca certificate map

Enters CA certificate map mode.

subject-name (crypto ca certificate map)

Identifies the DN from the CA certificate that is to be compared to the rule entry string.


tunnel-limit

To specify the maximum number of GTP tunnels allowed to be active on the FWSM, use the tunnel limit command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no to set the tunnel limit back to its default.

tunnel-limit max_tunnels

no tunnel-limit max_tunnels

Syntax Description

max_tunnels

This is the maximum number of tunnels allowed. The ranges is from 1 to 4294967295 for the global overall tunnel limit.


Defaults

The default for the tunnel limit is 500.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

GTP map configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

New requests will be dropped once the number of tunnels specified by this command is reached.

Examples

The following example specifies a maximum of 10,000 tunnels for GTP traffic:

hostname(config)# gtp-map qtp-policy
hostname(config-gtpmap)# tunnel-limit 10000
 
   

Related Commands

Commands
Description

clear service-policy inspect gtp

Clears global GTP statistics.

debug gtp

Displays detailed information about GTP inspection.

gtp-map

Defines a GTP map and enables GTP map configuration mode.

inspect gtp

Applies a specific GTP map to use for application inspection.

show service-policy inspect gtp

Displays the GTP configuration.