Table Of Contents
ip port-map
ip radius source-interface
ip reflexive-list timeout
ip scp server enable
ip sdee events
ip sdee subscriptions
ip security add
ip security aeso
ip security dedicated
ip security eso-info
ip security eso-max
ip security eso-min
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security ignore-cipso
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security strip
ip source-track
ip source-track address-limit
ip source-track export-interval
ip source-track syslog-interval
ip ssh
ip ssh break-string
ip ssh port
ip ssh rsa keypair-name
ip ssh source-interface
ip ssh version
ip tacacs source-interface
ip tcp intercept connection-timeout
ip tcp intercept drop-mode
ip tcp intercept finrst-timeout
ip tcp intercept list
ip tcp intercept max-incomplete high
ip tcp intercept max-incomplete low
ip tcp intercept mode
ip tcp intercept one-minute high
ip tcp intercept one-minute low
ip tcp intercept watch-timeout
ip traffic-export apply profile
ip traffic-export profile
ip trigger-authentication (global)
ip trigger-authentication (interface)
ip urlfilter alert
ip urlfilter allowmode
ip urlfilter audit-trail
ip urlfilter cache
ip urlfilter exclusive-domain
ip urlfilter max-request
ip urlfilter max-resp-pak
ip urlfilter server vendor
ip urlfilter urlf-server-log
ip verify unicast source reachable-via
ip virtual-reassembly
ip vrf forwarding (server-group)
isakmp authorization list
issuer-name
ip port-map
To establish port-to-application mapping (PAM), use the ip port-map command in global configuration mode. To delete user-defined PAM entries, use the no form of this command.
ip port-map appl-name port [tcp | udp] [port_num | from begin_port_num to end_port_num] [list acl-num] [description description_string]
no ip port-map appl-name port [tcp | udp] [port_num | from begin_port_num to end_port_num] [list acl-num] [description description_string]
Syntax Description
appl-name | Specifies the name of the application to which the port mapping applies. An application name can contain an underscore or a hyphen. An application can be system-defined or user-defined; a user-defined application name must start with the prefix user-, for example, user-payroll, user-sales, or user-10. Otherwise, the following error message appears: "Unable to add port-map entry. Names for user-defined applications must start with 'user-'."
port | Indicates that a port number maps to the application. You can specify up to five port numbers for each entry.
tcp | udp | (Optional) Specifies the protocol for the application. For well-known applications (and those already existing under PAM), you can omit these keywords and the system assumes the standard protocol for that application. For user-defined applications, you must specify either tcp or udp.
port_num | (Optional) Identifies a port number in the range 1 to 65535.
from begin_port_num to end_port_num | (Optional) Specifies a range of port numbers. You must use the from and to keywords together.
list acl-num | (Optional) Indicates that the port mapping information applies to a specific host or subnet by associating it with an access control list (ACL) number used with PAM.
description description_string | (Optional) Specifies a description of up to 40 characters. Note: Write the text string in the format "C description_string C", where "C" is a delimiting character.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release | Modification
12.0(5)T | This command was introduced.
12.3(1) | Skinny Client Control Protocol (SCCP) support was added.
12.3(14)T | Support was added for user-defined application names, user-specified descriptions, port ranges, the tcp and udp keywords, the from begin_port_num to end_port_num keyword-argument combination, and the description description_string keyword-argument combination.
Usage Guidelines
The ip port-map command associates TCP or User Datagram Protocol (UDP) port numbers with applications or services, establishing a table of default port mapping information at the firewall. This information is used to support network environments that run services using ports that are different from the registered or well-known ports associated with a service or application.
When you issue the no form of the command, include all the parameters needed to remove the entry matching that specific set of parameters. For example, if you issued no ip port-map appl-name, then all entries for that application are removed.
The port mapping information in the PAM table is of one of three types:
• System-defined
• User-defined
• Host-specific
System-Defined Port Mapping
Initially, PAM creates a set of system-defined entries in the mapping table using well-known or registered port mapping information set up during the system start-up. The Cisco IOS Firewall Context-Based Access Control (CBAC) feature requires the system-defined port mapping information to function properly.
You can delete or modify system-defined port mapping information. Use the no form of the command for deletion and the regular form of the command to remap information to another application.
You can also add new port numbers to system-defined applications. However, for some system-defined applications like HTTP and Simple Mail Transfer Protocol (SMTP), in which the firewall inspects deeper into packets, their protocol (UDP or TCP) cannot be changed from that defined in the system. In those instances, error messages display.
Table 26 lists some default system-defined services and applications in the PAM table. (Use the show ip port-map command for the complete list.)
Table 26 System-Defined Port Mapping
Application Name | Well-Known or Registered Port Number | Protocol Description
cuseeme | 7648 | CU-SeeMe Protocol
exec | 512 | Remote Process Execution
ftp | 21 | File Transfer Protocol (control port)
h323 | 1720 | H.323 Protocol (for example, MS NetMeeting, Intel Video Phone)
http | 80 | Hypertext Transfer Protocol
login | 513 | Remote login
msrpc | 135 | Microsoft Remote Procedure Call
netshow | 1755 | Microsoft NetShow
real-audio-video | 7070 | RealAudio and RealVideo
sccp | 2000 | Skinny Client Control Protocol (SCCP)
smtp | 25 | Simple Mail Transfer Protocol (SMTP)
sql-net | 1521 | SQL-NET
streamworks | 1558 | StreamWorks Protocol
sunrpc | 111 | SUN Remote Procedure Call
tftp | 69 | Trivial File Transfer Protocol
vdolive | 7000 | VDOLive Protocol
Note
You can override system-defined entries for a specific host or subnet using the list acl-num option in the ip port-map command.
User-Defined Port Mapping
Network applications that use nonstandard ports require user-defined entries in the mapping table. Use the ip port-map command to create default user-defined entries in the PAM table. These entries automatically appear as an option for the ip inspect name command to facilitate the creation of inspection rules.
You can specify up to five separate port numbers for each port-map in a single entry. You can also specify a port range in a single entry. However, you may not specify both single port numbers and port ranges in the same entry.
Note
If you try to map an application to a system-defined port, a message appears warning you of a mapping conflict. Delete the system-defined entry before mapping the port to another application. Deleted system-defined mappings appear in the running configuration in their no ip port-map form.
Use the no form of the ip port-map command to delete user-defined entries from the PAM table. To remove a single mapping, use the no form of the command with all its parameters.
To overwrite an existing user-defined port mapping, use the ip port-map command to associate another service or application with the specific port.
Multiple commands for the same application name are cumulative.
If you assign the same port number to a new application, the new entry replaces the existing entry and it no longer appears in the running configuration. You receive a message about the remapping.
You cannot specify a port number that is in a range assigned to another application; however, you can specify a range that takes over one singly allocated port, or fully overlaps another range.
You cannot specify overlapping port ranges.
Host-Specific Port Mapping
User-defined entries in the mapping table can include host-specific mapping information, which establishes port mapping information for specific hosts or subnets. In some environments, it might be necessary to override the default port mapping information for a specific host or subnet, including a system-defined default port mapping information. Use the list acl-num option for the ip port-map command to specify an ACL for a host or subnet that uses PAM.
Note
If the host-specific port mapping information is the same as existing system-defined or user-defined default entries, host-specific port changes have no effect.
Examples
The following examples show how to add and remove user-defined PAM configuration entries at the firewall.
In the following example, nonstandard port 8000 is established as the user-defined default port for HTTP services:
ip port-map http port 8000
The following example shows PAM entries that establish a range of nonstandard ports for HTTP services:
In the following example, the command fails because it tries to map port 21, which is the system-defined default port for FTP, to HTTP:
ip port-map http port 21
In the following example, a specific host uses port 8000 for FTP services. ACL 10 identifies the server address (192.168.32.43), while port 8000 is mapped with FTP services:
access-list 10 permit 192.168.32.43
ip port-map ftp port 8000 list 10
In the following example, port 21, which is normally reserved for FTP services, is mapped to the RealAudio application for the hosts in list 10. In this configuration, hosts in list 10 do not recognize FTP activity on port 21.
ip port-map realaudio port 21 list 10
In the following example, the ip port-map command fails and generates an error message:
ip port-map netshow port 21
Command fail: the port 21 has already been defined for ftp by the system.
No change can be made to the system defined port mappings.
In the following example, the no form of this command deletes user-defined entries from the PAM table. It has no effect on the system-defined port mappings. This command deletes the host-specific port mapping of FTP.
no ip port-map ftp port 1022 list 10
Note
All no forms of the ip port-map command appear before other entries in the running configuration.
In the following example, the command fails because it tries to delete the system-defined default port for HTTP:
no ip port-map http port 80
In the following example, a specific host uses port 8000 for FTP services. ACL 10 identifies the server address (192.168.32.43), while port 8000 is mapped with FTP services.
access-list 10 permit 192.168.32.43
ip port-map ftp port 8000 list 10
In the following example, a specific subnet runs HTTP services on port 8080. ACL 50 identifies the subnet (a standard ACL needs the wildcard mask, here 0.0.0.255 for 192.168.92.0/24, to match a subnet rather than a single host), while the PAM entry maps port 8080 with HTTP services.
access-list 50 permit 192.168.92.0 0.0.0.255
ip port-map http port 8080 list 50
In the following example, a specific host runs HTTP services on port 25, which is the system-defined port number for SMTP services. This requires a host-specific PAM entry that overrides the system-defined default port mapping for HTTP, which is port 80. ACL 15 identifies the host address (192.168.33.43), while port 25 is mapped with HTTP services.
access-list 15 permit 192.168.33.43
ip port-map http port 25 list 15
In the following example, the same port number is required by different services running on different hosts. Port 8000 is required for HTTP services by host 192.168.3.4, while port 8000 is required for FTP services by host 192.168.5.6. ACL 10 and ACL 20 identify the specific hosts, while PAM maps the ports with the services for each ACL.
access-list 10 permit 192.168.3.4
access-list 20 permit 192.168.5.6
ip port-map http port 8000 list 10
ip port-map ftp port 8000 list 20
In the following example, five separate port numbers are specified:
ip port-map user-my-app port tcp 8085 8087 8092 8093 8094
In the following example, multiple commands for the same application name are cumulative and both ports map to the myapp application:
ip port-map user-myapp port tcp 3400
ip port-map user-myapp port tcp 3500
In the following example, the same port number is assigned to a new application. The new entry replaces the existing entry, meaning that port 5670 gets mapped to user-my-new-app and its mapping to myapp is removed. As a result, the first command no longer appears in the running configuration and you receive a message about the remapping.
ip port-map user-myapp port tcp 5670
ip port-map user-my-new-app port tcp 5670
In the following example, the second command assigns port 8085 to user-my-new-app because you cannot specify a port number that is in a range assigned to another application. As a result, the first command no longer appears in the running configuration, and you receive a message about the port being moved from one application to another.
ip port-map user-my-app port tcp 8085
ip port-map user-my-new-app port tcp from 8080 to 8090
Similarly, in the following example the second command assigns port range 8080 to 8085 to user-my-new-app and the first command no longer appears in the running configuration. You receive a message about the remapping.
ip port-map user-my-app port tcp from 8080 to 8085
ip port-map user-my-new-app port tcp from 8080 to 8090
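The remapping rules illustrated by the examples above, modeled as an added Python example (this is not Cisco IOS code): the table starts with a subset of the Table 26 system-defined entries, and the class reproduces which ip port-map and no ip port-map commands succeed, fail, or move ports between applications. Application names other than the system-defined ones, and the message texts other than the two quoted on this page, are constructed for the illustration.

```python
# Added model of the PAM table rules above (not Cisco IOS code). The system-defined
# subset comes from Table 26; every other name, port and message is constructed here.
SYSTEM_DEFINED = {"ftp": 21, "http": 80, "smtp": 25, "tftp": 69}


class PamError(ValueError):
    """The simulated command fails, as ip port-map does on the router."""


class PamTable:
    """Default (not host-specific) PAM entries: single ports and port ranges."""

    def __init__(self):
        self.single = {app: {port} for app, port in SYSTEM_DEFINED.items()}
        self.ranges = {}     # app -> list of (lo, hi) inclusive ranges
        self.messages = []   # remapping notices the router would print

    def owner_of(self, port):
        """Return (app, "single" or "range") for the entry covering port."""
        for app, ports in self.single.items():
            if port in ports:
                return app, "single"
        for app, rs in self.ranges.items():
            if any(lo <= port <= hi for lo, hi in rs):
                return app, "range"
        return None, None

    def _drop_single(self, app, port):
        self.single[app].discard(port)
        if not self.single[app]:
            del self.single[app]   # entry disappears from the running configuration

    def add(self, app, ports=(), port_range=None):
        """Simulate: ip port-map APP port [tcp | udp] P1 ... P5 | from LO to HI."""
        if app not in SYSTEM_DEFINED and not app.startswith("user-"):
            raise PamError("Unable to add port-map entry. Names for user-defined "
                           "applications must start with 'user-'.")
        if (ports and port_range) or len(ports) > 5:
            raise PamError("specify either up to five single ports or one range")
        if port_range:
            self._add_range(app, *port_range)
        for p in ports:
            self._add_single(app, p)

    def _add_single(self, app, port):
        owner, kind = self.owner_of(port)
        if owner == app:
            return                             # cumulative: port already mapped
        if port == SYSTEM_DEFINED.get(owner):
            raise PamError(f"Command fail: the port {port} has already been "
                           f"defined for {owner} by the system.")
        if kind == "range":
            raise PamError(f"port {port} is in a range assigned to {owner}")
        if kind == "single":                   # same port for a new app: move it
            self._drop_single(owner, port)
            self.messages.append(f"port {port} moved from {owner} to {app}")
        self.single.setdefault(app, set()).add(port)

    def _add_range(self, app, lo, hi):
        taken = []                             # other ranges the new one fully covers
        for other, rs in self.ranges.items():
            for r in rs:
                if other == app or hi < r[0] or r[1] < lo:
                    continue                   # same application or disjoint
                if lo <= r[0] and r[1] <= hi:
                    taken.append((other, r))
                else:
                    raise PamError("overlapping port ranges are not allowed")
        moved = []                             # singly allocated ports inside it
        for port in range(lo, hi + 1):
            owner, kind = self.owner_of(port)
            if kind == "single" and owner != app:
                if port == SYSTEM_DEFINED.get(owner):
                    raise PamError(f"Command fail: the port {port} has already "
                                   f"been defined for {owner} by the system.")
                moved.append((owner, port))
        for other, r in taken:                 # every check passed: apply the changes
            self.ranges[other].remove(r)
            if not self.ranges[other]:
                del self.ranges[other]
            self.messages.append(f"range {r[0]}-{r[1]} moved from {other} to {app}")
        for owner, port in moved:
            self._drop_single(owner, port)
            self.messages.append(f"port {port} moved from {owner} to {app}")
        self.ranges.setdefault(app, []).append((lo, hi))

    def remove(self, app, ports):
        """Simulate the no form; a system-defined default port cannot be removed."""
        for port in ports:
            if port == SYSTEM_DEFINED.get(app):
                raise PamError(f"Command fail: port {port} is system-defined for {app}")
            if port not in self.single.get(app, set()):
                raise PamError(f"no user-defined entry maps port {port} to {app}")
            self._drop_single(app, port)
```

Replaying the user-myapp, user-my-new-app and range examples above against the model reproduces the moves and the remapping notices the page describes.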
Related Commands
Command | Description
show ip port-map | Displays the PAM information.
ip radius source-interface
To force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets, use the ip radius source-interface command in global configuration mode. To prevent RADIUS from using the IP address of a specified interface for all outgoing RADIUS packets, use the no form of this command.
ip radius source-interface subinterface-name [vrf vrf-name]
no ip radius source-interface
Syntax Description
subinterface-name | Name of the interface that RADIUS uses for all of its outgoing packets.
vrf vrf-name | (Optional) Per Virtual Route Forwarding (VRF) configuration.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release | Modification
11.3 | This command was introduced.
12.2(1)DX | The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.
12.2(2)DD | This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B | This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T | This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use this command to set the IP address of a subinterface to be used as the source address for all outgoing RADIUS packets. The IP address is used as long as the subinterface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.
This command is especially useful in cases where the router has many subinterfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address.
The specified subinterface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in the down state, then RADIUS reverts to the default. To avoid this, add an IP address to the subinterface or bring the subinterface to the up state.
Use the vrf vrf-name keyword and argument to configure this command per VRF, which allows multiple disjoined routing or forwarding tables, where the routes of a user have no correlation with the routes of another user.
Examples
The following example shows how to configure RADIUS to use the IP address of subinterface s2 for all outgoing RADIUS packets:
ip radius source-interface s2
The following example shows how to configure RADIUS to use the IP address of subinterface Ethernet0 for all outgoing RADIUS packets in the VRF named water:
ip radius source-interface Ethernet 0 vrf water
Related Commands
Command | Description
ip tacacs source-interface | Uses the IP address of a specified interface for all outgoing TACACS packets.
ip telnet source-interface | Allows a user to select an address of an interface as the source address for Telnet connections.
ip tftp source-interface | Allows a user to select the interface whose address will be used as the source address for TFTP connections.
ip reflexive-list timeout
To specify the length of time that reflexive access list entries will continue to exist when no packets in the session are detected, use the ip reflexive-list timeout command in global configuration mode. To reset the timeout period to the default timeout, use the no form of this command.
ip reflexive-list timeout seconds
no ip reflexive-list timeout
Syntax Description
seconds | Specifies the number of seconds to wait (when no session traffic is being detected) before temporary access list entries expire. Use a positive integer from 0 to 2,147,483. The default is 300 seconds.
Defaults
300 seconds
Command Modes
Global configuration
Command History
Release | Modification
11.3 | This command was introduced.
Usage Guidelines
This command is used with reflexive filtering, a form of session filtering.
This command specifies when a reflexive access list entry will be removed after a period of no traffic for the session (the timeout period).
With reflexive filtering, when an IP upper-layer session begins from within your network, a temporary entry is created within the reflexive access list, and a timer is set. Whenever a packet belonging to this session is forwarded (inbound or outbound) the timer is reset. When this timer counts down to zero without being reset, the temporary reflexive access list entry is removed.
The timer is set to the timeout period. Individual timeout periods can be defined for specific reflexive access lists, but for reflexive access lists that do not have individually defined timeout periods, the global timeout period is used. The global timeout value is 300 seconds by default; however, you can change the global timeout to a different value at any time using this command.
This command does not take effect for reflexive access list entries that were already created when the command is entered; this command only changes the timeout period for entries created after the command is entered.
Examples
The following example sets the global timeout period for reflexive access list entries to 120 seconds:
ip reflexive-list timeout 120
The following example returns the global timeout period to the default of 300 seconds:
no ip reflexive-list timeout
Related Commands
Command | Description
evaluate | Nests a reflexive access list within an access list.
ip access-list | Defines an IP access list by name.
permit (reflexive) | Creates a reflexive access list and enables its temporary entries to be automatically generated.
ip scp server enable
To enable the router to securely copy files from a remote workstation, use the ip scp server enable command in global configuration mode. To disable secure copy functionality (the default), use the no form of this command.
ip scp server enable
no ip scp server enable
Syntax Description
This command has no arguments or keywords.
Defaults
The secure copy function is disabled.
Command Modes
Global configuration
Command History
Release | Modification
12.2(2)T | This command was introduced.
12.0(21)S | This command was integrated into Cisco IOS Release 12.0(21)S and support for the Cisco 7500 series and Cisco 12000 series routers was added.
Usage Guidelines
Use this command to enable secure copying of files from systems using the Secure Shell (SSH) application. This secure copy function is accomplished by an addition to the copy command in the Cisco IOS software, which takes care of using the secure copy protocol (scp) to copy to and from a router while logged in to the router itself. Because copying files is generally a restricted operation in the Cisco IOS software, a user attempting to copy such files needs to be at the correct enable level.
The Cisco IOS software must also allow files to be copied to or from itself from a remote workstation running the SSH application (which is supported by both the Microsoft Windows and UNIX operating systems). For this to work, the Cisco IOS software must have authentication and authorization configured in the authentication, authorization, and accounting (AAA) feature. SSH already relies on AAA authentication to authenticate the username and password. Scp adds the requirement that AAA authorization be turned on so that the operating system can determine whether or not the user is at the correct privilege level.
Examples
The following example shows a typical configuration that allows the router to securely copy files from a remote workstation. Because scp relies on AAA authentication and authorization to function properly, AAA must be configured.
aaa authentication login default tac-group tacacs+
aaa authorization exec default local
username user1 privilege 15 password 0 lab
The following example shows how to use scp to copy a system image from Flash memory to a server that supports SSH:
Router# copy flash:c4500-ik2s-mz.scp scp://user1@host1/
Address or name of remote host [host1]?
Destination username [user1]?
Destination filename [c4500-ik2s-mz.scp]?
Writing c4500-ik2s-mz.scp
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Note
When using scp, you cannot enter the password into the copy command; enter the password when prompted.
Related Commands
Command | Description
aaa authentication login | Sets AAA authentication at login.
aaa authorization | Sets parameters that restrict user access to a network.
copy | Copies any file from a source to a destination.
debug ip scp | Troubleshoots scp authentication problems.
ip ssh port | Enables secure network access to the tty lines.
username | Establishes a username-based authentication system.
ip sdee events
To set the maximum number of Security Device Event Exchange (SDEE) events that can be stored in the event buffer, use the ip sdee events command in global configuration mode. To change the buffer size or return to the default buffer size, use the no form of this command.
ip sdee events events
no ip sdee events events
Syntax Description
events | Maximum number of events that can be stored in the buffer; the maximum allowable value is 1000.
Defaults
200 events
Command Modes
Global configuration
Command History
Release | Modification
12.3(8)T | This command was introduced.
Usage Guidelines
When SDEE notification is enabled (via the ip ips notify sdee command), 200 events can automatically be stored in the buffer. When SDEE notification is disabled, all stored events are lost. A new buffer is allocated when notifications are reenabled.
When specifying the size of an events buffer, note the following functionality:
• It is circular. When the end of the buffer is reached, the buffer will start overwriting the earliest stored events. (If overwritten events have not yet been reported, you will receive a buffer overflow notice.)
• If a new, smaller buffer is requested, all events that are stored in the previous buffer will be lost.
• If a new, larger buffer is requested, all existing events will be saved.
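The buffer behavior just listed, as an added Python model (not Cisco IOS code): the circular overwrite, the overflow notice for events overwritten before they were reported, and the resize rules. The event values and the report() bookkeeping are constructed for the illustration.

```python
# Added model of the SDEE event buffer rules above (not Cisco IOS code); the
# event values and the "reported" bookkeeping are constructed for illustration.
from collections import deque


class SdeeEventBuffer:
    """Circular buffer sized by ip sdee events; the oldest event is on the left."""
    DEFAULT_SIZE = 200
    MAX_SIZE = 1000

    def __init__(self, size=DEFAULT_SIZE):
        if not valid_size(size):
            raise ValueError(f"events must be between 1 and {self.MAX_SIZE}")
        self.size = size
        self.events = deque()
        self.unreported = 0          # newest events not yet delivered to a subscriber
        self.overflow_notices = 0    # buffer overflow notices the router would raise

    def store(self, event):
        if len(self.events) == self.size:
            self.events.popleft()    # circular: overwrite the earliest stored event
            if self.unreported == self.size:
                self.overflow_notices += 1   # the overwritten event was never reported
                self.unreported -= 1
        self.events.append(event)
        self.unreported += 1

    def report(self):
        """Deliver every unreported event, as a subscriber retrieving events would."""
        delivered = list(self.events)[len(self.events) - self.unreported:]
        self.unreported = 0
        return delivered

    def resize(self, size):
        """Re-issuing ip sdee events: a smaller buffer loses all stored events,
        a larger one keeps them."""
        if not valid_size(size):
            raise ValueError(f"events must be between 1 and {self.MAX_SIZE}")
        if size < self.size:
            self.events.clear()
            self.unreported = 0
        self.size = size

    def disable(self):
        """no ip ips notify sdee: stored events are lost; a new buffer is allocated later."""
        self.events.clear()
        self.unreported = 0


def valid_size(size):
    """True when size is an acceptable ip sdee events value (1 to 1000)."""
    return isinstance(size, int) and 1 <= size <= SdeeEventBuffer.MAX_SIZE
```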
Examples
The following example shows how to set the maximum buffer events size to 500:
ip sdee events 500
Related Commands
Command | Description
ip ips notify | Specifies the method of event notification.
ip sdee subscriptions
To set the maximum number of Security Device Event Exchange (SDEE) subscriptions that can be open simultaneously, use the ip sdee subscriptions command in global configuration mode. To change the current selection or return to the default, use the no form of this command.
ip sdee subscriptions subscriptions
no ip sdee subscriptions subscriptions
Syntax Description
subscriptions | Maximum number of subscriptions; valid values range from 1 to 3.
Defaults
1 subscription
Command Modes
Global configuration
Command History
Release | Modification
12.3(8)T | This command was introduced.
Usage Guidelines
After you have enabled SDEE to receive and process events from the Intrusion Prevention System (IPS), you can issue the ip sdee subscriptions command to modify the number of allowed open SDEE subscriptions.
Examples
The following example shows how to change the number of allowed open subscriptions to 2:
ip sdee subscriptions 2
Related Commands
Command | Description
ip ips notify | Specifies the method of event notification.
ip security add
To add a basic security option to all outgoing packets, use the ip security add command in interface configuration mode. To disable the adding of a basic security option to all outgoing packets, use the no form of this command.
ip security add
no ip security add
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled, when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is enabled.
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
If an outgoing packet does not have a security option present, this interface configuration command will add one as the first IP option. The security label added to the option field is the label that was computed for this packet when it first entered the router. Because this action is performed after all the security tests have been passed, this label will either be the same or will fall within the range of the interface.
Examples
The following example adds a basic security option to each packet leaving Ethernet interface 0:
interface ethernet 0
ip security add
Related Commands
Command | Description
ip security dedicated | Sets the level of classification and authority on the interface.
ip security extended-allowed | Accepts packets on an interface that has an Extended Security Option present.
ip security first | Prioritizes the presence of security options on a packet.
ip security ignore-authorities | Causes the Cisco IOS software to ignore the authorities field of all incoming packets.
ip security implicit-labelling | Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.
ip security multilevel | Sets the range of classifications and authorities on an interface.
ip security reserved-allowed | Treats as valid any packets that have Reserved1 through Reserved4 security levels.
ip security strip | Removes any basic security option on outgoing packets on an interface.
ip security aeso
To attach Auxiliary Extended Security Options (AESOs) to an interface, use the ip security aeso command in interface configuration mode. To disable AESO on an interface, use the no form of this command.
ip security aeso source compartment-bits
no ip security aeso source compartment-bits
Syntax Description
source | Extended Security Option (ESO) source. This can be an integer from 0 to 255.
compartment-bits | Number of compartment bits in hexadecimal.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
Compartment bits are specified only if this AESO is to be inserted in a packet. On every incoming packet at this level on this interface, these AESOs should be present.
Beyond being recognized, no further processing of AESO information is performed. AESO contents are not checked and are assumed to be valid if the source is listed in the configurable AESO table.
Configuring any per-interface extended IP Security Option (IPSO) information automatically enables ip security extended-allowed (disabled by default).
Examples
The following example defines the Extended Security Option source as 5 and sets the compartment bits to 5:
ip security aeso 5 5
Related Commands
Command | Description
ip security eso-info | Configures system-wide defaults for extended IPSO information.
ip security eso-max | Specifies the maximum sensitivity level for an interface.
ip security eso-min | Configures the minimum sensitivity level for an interface.
ip security extended-allowed | Accepts packets on an interface that has an Extended Security Option present.
ip security dedicated
To set the level of classification and authority on the interface, use the ip security dedicated command in interface configuration mode. To reset the interface to the default classification and authorities, use the no form of this command.
ip security dedicated level authority [authority...]
no ip security dedicated level authority [authority...]
Syntax Description
level | Degree of sensitivity of information. The level keywords are listed in Table 27.
authority | Organization that defines the set of security levels that will be used in a network. The authority keywords are listed in Table 28.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
All traffic entering the system on this interface must have a security option that exactly matches this label. Any traffic leaving via this interface will have this label attached to it.
The following definitions apply to the descriptions of the IP Security Option (IPSO) in this section:
• level—The degree of sensitivity of information. For example, data marked TOPSECRET is more sensitive than data marked SECRET. The level keywords and their corresponding bit patterns are shown in Table 27.
Table 27 IPSO Level Keywords and Bit Patterns
Level Keyword | Bit Pattern
Reserved4 | 0000 0001
TopSecret | 0011 1101
Secret | 0101 1010
Confidential | 1001 0110
Reserved3 | 0110 0110
Reserved2 | 1100 1100
Unclassified | 1010 1011
Reserved1 | 1111 0001
• authority—An organization that defines the set of security levels that will be used in a network. For example, the Genser authority consists of level names defined by the U.S. Defense Communications Agency (DCA). The authority keywords and their corresponding bit patterns are shown in Table 28.
Table 28 IPSO Authority Keywords and Bit Patterns
Authority Keyword | Bit Pattern
Genser | 1000 0000
Siop-Esi | 0100 0000
DIA | 0010 0000
NSA | 0001 0000
DOE | 0000 1000
• label—A combination of a security level and an authority or authorities.
Examples
The following example sets a confidential level with Genser authority:
ip security dedicated confidential Genser
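As an added example (not Cisco IOS code), the following Python builds and checks the IP Basic Security Option whose keyword bit patterns Tables 27 and 28 list, covering the exact-match rule of ip security dedicated and the add-as-first-option rule of ip security add described earlier. It assumes RFC 1108 framing (option type 130, a length byte, the classification byte, and a single protection-authority flag byte); the sample option lists are constructed.

```python
# Added example (not Cisco IOS code): the Basic Security Option that ip security add
# inserts and ip security dedicated enforces. Assumes RFC 1108 framing with one
# protection-authority flag byte; bit patterns are those of Tables 27 and 28.
LEVELS = {                      # Table 27: level keyword -> classification byte
    "Reserved4": 0x01, "TopSecret": 0x3D, "Secret": 0x5A, "Confidential": 0x96,
    "Reserved3": 0x66, "Reserved2": 0xCC, "Unclassified": 0xAB, "Reserved1": 0xF1,
}
AUTHORITIES = {                 # Table 28: authority keyword -> flag bit
    "Genser": 0x80, "Siop-Esi": 0x40, "DIA": 0x20, "NSA": 0x10, "DOE": 0x08,
}
BSO_TYPE = 130                  # option type of the Basic Security Option
AUTHORITY_MASK = 0xF8           # the five flag bits listed in Table 28


def build_bso(level, authorities=()):
    """Return the option bytes for a label (level plus zero or more authorities)."""
    flags = 0
    for name in authorities:
        flags |= AUTHORITIES[name]          # KeyError for an unknown keyword
    # Bit 0 of the flag byte is RFC 1108's continuation bit; one byte is enough here.
    body = bytes([LEVELS[level], flags])
    return bytes([BSO_TYPE, 2 + len(body)]) + body


def parse_bso(option):
    """Inverse of build_bso: return (level keyword, sorted authority keywords)."""
    if len(option) != 4 or option[0] != BSO_TYPE or option[1] != 4:
        raise ValueError("not a single-flag-byte basic security option")
    level = next((k for k, v in LEVELS.items() if v == option[2]), None)
    if level is None:
        raise ValueError("unknown classification byte 0x%02x" % option[2])
    flags = option[3]
    if flags & (~AUTHORITY_MASK & 0xFF):    # continuation or unlisted bit set
        raise ValueError("unsupported protection authority flags 0x%02x" % flags)
    return level, sorted(k for k, v in AUTHORITIES.items() if flags & v)


def dedicated_accepts(option, level, authorities):
    """ip security dedicated: accept an inbound option only on an exact label match."""
    try:
        got_level, got_auths = parse_bso(option)
    except ValueError:
        return False
    return got_level == level and got_auths == sorted(authorities)


def has_bso(options):
    """Walk an IP option list (type, length, data ...) looking for type 130."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            return False
        if kind == 1:                       # no-operation, single byte
            i += 1
            continue
        if kind == BSO_TYPE:
            return True
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed IP option list")
        i += options[i + 1]
    return False


def add_bso(options, level, authorities=()):
    """ip security add: prepend the computed label unless a BSO is already present."""
    if has_bso(options):
        return bytes(options)
    return build_bso(level, authorities) + bytes(options)
```

For the example above, build_bso("Confidential", ["Genser"]) yields the classification byte 0x96 and the authority byte 0x80, the two Table 27 and Table 28 patterns concatenated.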
Related Commands
Command | Description
ip security add | Adds a basic security option to all outgoing packets.
ip security extended-allowed | Accepts packets on an interface that has an Extended Security Option present.
ip security first | Prioritizes the presence of security options on a packet.
ip security ignore-authorities | Causes the Cisco IOS software to ignore the authorities field of all incoming packets.
ip security implicit-labelling | Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.
ip security multilevel | Sets the range of classifications and authorities on an interface.
ip security reserved-allowed | Treats as valid any packets that have Reserved1 through Reserved4 security levels.
ip security strip | Removes any basic security option on outgoing packets on an interface.
ip security eso-info
To configure system-wide defaults for extended IP Security Option (IPSO) information, use the ip security eso-info command in global configuration mode. To return to the default settings, use the no form of this command.
ip security eso-info source compartment-size default-bit
no ip security eso-info source compartment-size default-bit
Syntax Description
source | Hexadecimal or decimal value representing the extended IPSO source. This is an integer from 0 to 255.
compartment-size | Maximum number of bytes of compartment information allowed for a particular extended IPSO source. This is an integer from 1 to 16.
default-bit | Default bit value for any unsent compartment bits.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
This command configures Extended Security Option (ESO) information, including Auxiliary Extended Security Option (AESO). Transmitted compartment information is padded to the size specified by the compartment-size argument.
Examples
The following example sets system-wide defaults for source, compartment size, and the default bit value:
ip security eso-info 100 5 1
Related Commands
Command | Description
ip security eso-max | Specifies the maximum sensitivity level for an interface.
ip security eso-min | Configures the minimum sensitivity level for an interface.
ip security eso-max
To specify the maximum sensitivity level for an interface, use the ip security eso-max command in interface configuration mode. To return to the default, use the no form of this command.
ip security eso-max source compartment-bits
no ip security eso-max source compartment-bits
Syntax Description
source | Extended Security Option (ESO) source. This is an integer from 1 to 255.
compartment-bits | Number of compartment bits in hexadecimal.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
The command is used to specify the maximum sensitivity level for a particular interface. Before the per-interface compartment information for a particular Network-Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.
On every incoming packet on the interface, these Extended Security Options should be present at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.
On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.
When transmitting locally generated traffic out this interface, or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.
A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.
Examples
In the following example, the specified ESO source is 240 and the compartment bits are specified as 500:
ip security eso-max 240 500
Related Commands
Command | Description
ip security eso-info | Configures system-wide defaults for extended IPSO information.
ip security eso-min | Configures the minimum sensitivity level for an interface.
ip security eso-min
To configure the minimum sensitivity for an interface, use the ip security eso-min command in interface configuration mode. To return to the default, use the no form of this command.
ip security eso-min source compartment-bits
no ip security eso-min source compartment-bits
Syntax Description
source | Extended Security Option (ESO) source. This is an integer from 1 to 255.
compartment-bits | Number of compartment bits in hexadecimal.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
The command is used to specify the minimum sensitivity level for a particular interface. Before the per-interface compartment information for a particular Network Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.
On every incoming packet on this interface, these Extended Security Options should be present at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.
On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.
When transmitting locally generated traffic out this interface, or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.
A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.
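Added example (Python, not Cisco code) for the eso-max and eso-min usage guidelines above and the eso-info padding rule: an interface model that enforces the 16-source and 9-source limits, requires eso-info before per-interface compartment bits, checks incoming NLESO sources against the configured bounds, and pads outgoing compartment information. It assumes that "bounded by" means every eso-min bit is present and no bit outside eso-max is set, that sent compartment bits occupy the high-order positions before padding, and the eso-info entry for source 240 and the eso-min value 0x100 in demo() are constructed.

```python
"""Added example, not from the Cisco IOS reference: models the per-interface NLESO
checks from the eso-min/eso-max usage guidelines plus the eso-info padding rule.
Assumed: 'bounded by' = every eso-min bit present and no bit outside eso-max."""


class EsoInterface:
    def __init__(self, eso_info):
        # eso_info: source -> (compartment_size_bytes, default_bit), i.e. the global
        # 'ip security eso-info SOURCE COMPARTMENT-SIZE DEFAULT-BIT' entries
        self.eso_info, self.min_bits, self.max_bits = eso_info, {}, {}

    def configure(self, cmd, source, bits):
        """cmd is 'eso-min' or 'eso-max', mirroring the two interface commands."""
        table = self.min_bits if cmd == "eso-min" else self.max_bits
        configured = set(self.min_bits) | set(self.max_bits)
        if source not in self.eso_info or (source not in configured and len(configured) >= 16):
            raise ValueError("eso-info missing for source, or 16-source limit reached")
        table[source] = bits

    def accept_incoming(self, packet_sources):
        """packet_sources: source -> compartment bits carried in the IP header."""
        if len(packet_sources) > 9:  # more NLESO sources than an IP header holds
            return False
        for src in set(self.min_bits) | set(self.max_bits):
            if src not in packet_sources:  # every configured ESO must be present
                return False
            bits, lo = packet_sources[src], self.min_bits.get(src, 0)
            hi = self.max_bits.get(src, bits)  # no eso-max: unbounded above
            if (bits & lo) != lo or (bits & ~hi) != 0:
                return False
        return True

    def outgoing_compartment(self, source, sent_bits, sent_width):
        """Pad compartment info to the eso-info size; unsent low-order bits get
        the default bit (assumed layout: sent bits are the high-order bits)."""
        size, default_bit = self.eso_info[source]
        pad = size * 8 - sent_width
        if pad < 0:
            raise ValueError("compartment info exceeds compartment-size")
        fill = (1 << pad) - 1 if default_bit else 0
        return ((sent_bits << pad) | fill).to_bytes(size, "big")


def demo():
    """Constructed sample: page's 'eso-info 100 5 1' and 'eso-max 240 500' (hex), assumed rest."""
    iface = EsoInterface({100: (5, 1), 240: (2, 0)})
    iface.configure("eso-max", 240, 0x500)
    iface.configure("eso-min", 240, 0x100)
    return (iface.accept_incoming({240: 0x500}), iface.accept_incoming({240: 0x600}),
            iface.accept_incoming({}), iface.outgoing_compartment(100, 0b101, 3))
```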
Examples
In the following example, the specified ESO source is 5, and the compartment bits are specified as 5:
ip security eso-min 5 5
Related Commands
Command | Description
ip security eso-info | Configures system-wide defaults for extended IPSO information.
ip security eso-max | Specifies the maximum sensitivity level for an interface.
ip security extended-allowed
To accept packets on an interface that has an extended security option present, use the ip security extended-allowed command in interface configuration mode. To restore the default, use the no form of this command.
ip security extended-allowed
no ip security extended-allowed
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
By default, packets containing extended security options are rejected; this command allows the interface to accept them.
Examples
The following example allows interface Ethernet 0 to accept packets that have an extended security option present:
ip security extended-allowed
Related Commands
Command | Description
ip security add | Adds a basic security option to all outgoing packets.
ip security dedicated | Sets the level of classification and authority on the interface.
ip security first | Prioritizes the presence of security options on a packet.
ip security ignore-authorities | Causes the Cisco IOS software to ignore the authorities field of all incoming packets.
ip security implicit-labelling | Forces the Cisco IOS software to accept packets on the interface, even if they do not include a security option.
ip security multilevel | Sets the range of classifications and authorities on an interface.
ip security reserved-allowed | Treats as valid any packets that have Reserved1 through Reserved4 security levels.
ip security strip | Removes any basic security option on outgoing packets on an interface.
ip security first
To prioritize the presence of security options on a packet, use the ip security first command in interface configuration mode. To prevent packets that include security options from moving to the front of the options field, use the no form of this command.
ip security first
no ip security first
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
If a basic security option is present on an outgoing packet, but it is not the first IP option, then the packet is moved to the front of the options field when this interface configuration comm