Table Of Contents
http authentication-certificate
interface (vpn load-balancing)
logging flash-maximum-allocation
G through L Commands
gateway
To specify which group of call agents are managing a particular gateway, use the gateway command in MGCP map configuration mode. To remove the configuration, use the no form of this command.
gateway ip_address [group_id]
Syntax Description
gateway
Specifies the group of call agents that are managing a particular gateway
ip_address
The IP address of the gateway.
group_id
The ID of the call agent group, from 0 to 2147483647.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
MGCP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the gateway command to specify which group of call agents are managing a particular gateway. The IP address of the gateway is specified with the ip_address option. The group_id option is a number from 0 to 4294967295 that must correspond with the group_id of the call agents that are managing the gateway. A gateway may only belong to one group.
Examples
The following example allows call agents 10.10.11.5 and 10.10.11.6 to control gateway 10.10.10.115, and allows call agents 10.10.11.7 and 10.10.11.8 to control both gateways 10.10.10.116 and 10.10.10.117:
hostname(config)# mgcp-map mgcp_policyhostname(config-mgcp-map)# call-agent 10.10.11.5 101hostname(config-mgcp-map)# call-agent 10.10.11.6 101hostname(config-mgcp-map)# call-agent 10.10.11.7 102hostname(config-mgcp-map)# call-agent 10.10.11.8 102hostname(config-mgcp-map)# gateway 10.10.10.115 101hostname(config-mgcp-map)# gateway 10.10.10.116 102hostname(config-mgcp-map)# gateway 10.10.10.117 102Related Commands
global
To create a pool of mapped addresses for NAT, use the global command in global configuration mode. To remove the pool of addresses, use the no form of this command.
global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}
no global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given interface that you want to translate. Then you configure a separate global command to specify the mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat command matches a global command by comparing the NAT ID, a number that you assign to each command.
See the nat command for more information about dynamic NAT and PAT.
If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using clear xlate command. However, clearing the translation table disconnects all of the current connections.
Examples
For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following command:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0hostname(config)# global (outside) 1 209.165.201.5hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20To translate the lower security dmz network addresses so they appear to be on the same network as the inside network (10.1.1.0), for example, to simplify routing, enter the following commands:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dnshostname(config)# global (inside) 1 10.1.1.45To identify a single real address with two different destination addresses using policy NAT, enter the following commands:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000hostname(config)# global (outside) 1 209.165.202.129hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000hostname(config)# global (outside) 2 209.165.202.130To identify a single real address/destination address pair that use different ports using policy NAT, enter the following commands:
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23hostname(config)# nat (inside) 1 access-list WEBhostname(config)# global (outside) 1 209.165.202.129hostname(config)# nat (inside) 2 access-list TELNEThostname(config)# global (outside) 2 209.165.202.130Related Commands
group-delimiter
To enable group-name parsing and specify the delimiter to be used when parsing group names from the user names that are received when tunnels are being negotiated, use the group-delimiter command in global configuration mode. To disable this group-name parsing, use the no form of this command.
group-delimiter delimiter
no group-delimiter
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
By default, no delimiter is specified, disabling group-name parsing.
Examples
This example shows the group-delimiter command to change the group delimiter to the hash mark (#):
hostname(config)# group-delimiter #Related Commands
show running-config group-delimiter
Displays the current group-delimiter value.
strip-group
Enables or disables strip-group processing.
group-lock
To restrict remote users to access through the tunnel group only, issue the group-lock command in group-policy configuration mode or username configuration mode.
To remove the group-lock attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy. To disable group-lock, use the group-lock none command.
Group-lock restricts users by checking if the group configured in the VPN Client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting. If you do not configure group-lock, the security appliance authenticates users without regard to the assigned group.
group-lock {value tunnel-grp-name | none}
no group-lock
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Username
•
—
•
—
—
Command History
Examples
The following example shows how to set group lock for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# group-lock value tunnel group name
group-object
To add network object groups, use the group-object command in protocol, network, service, and icmp-type configuration modes. To remove network object groups, use the no form of this command.
group-object obj_grp_id
no group-object obj_grp_id
Syntax Description
obj_grp_id
Identifies the object group (one to 64 characters) and can be any combination of letters, digits, and the "_", "-", "." characters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Protocol, network, service, icmp-type configuration
•
•
•
•
—
Command History
Usage Guidelines
The group-object command is used with the object-group command to define an object that itself is an object group. It is used in protocol, network, service, and icmp-type configuration modes. This sub-command allows logical grouping of the same type of objects and construction of hierarchical object groups for structured configuration.
Duplicate objects are allowed in an object group if they are group objects. For example, if object 1 is in both group A and group B, it is allowed to define a group C which includes both A and B. It is not allowed, however, to include a group object which causes the group hierarchy to become circular. For example, it is not allowed to have group A include group B and then also have group B include group A.
The maximum allowed levels of a hierarchical object group is 10.
Examples
The following example shows how to use the group-object command in network configuration mode eliminate the need to duplicate hosts:
hostname(config)# object-group network host_grp_1hostname(config-network)# network-object host 192.168.1.1hostname(config-network)# network-object host 192.168.1.2hostname(config-network)# exithostname(config)# object-group network host_grp_2hostname(config-network)# network-object host 172.23.56.1hostname(config-network)# network-object host 172.23.56.2hostname(config-network)# exithostname(config)# object-group network all_hostshostname(config-network)# group-object host_grp_1hostname(config-network)# group-object host_grp_2hostname(config-network)# exithostname(config)# access-list grp_1 permit tcp object-group host_grp_1 any eq ftphostname(config)# access-list grp_2 permit tcp object-group host_grp_2 any eq smtphostname(config)# access-list all permit tcp object-group all-hosts any eq wRelated Commands
group-policy
To create or edit a group policy, use the group-policy command in global configuration mode. To remove a group policy from the configuration, use the no form of this command.
group-policy name {internal [from group-policy_name] | external server-group server_group password server_password}
no group-policy name
Syntax Description
Defaults
No default behavior or values. See Usage Guidelines.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
A default group policy, named "DefaultGroupPolicy," always exists on the security appliance. However, this default group policy does not take effect unless you configure the security appliance to use it. For configuration instructions, see the Cisco Security Appliance Command Line Configuration Guide.
The DefaultGroupPolicy has these AVPs:
Examples
The following example shows how to create an internal group policy with the name "FirstGroup":
hostname(config)# group-policy FirstGroup internalThe next example shows how to create an external group policy with the name "ExternalGroup," the AAA server group "BostonAAA," and the password "12345678":
hostname(config)# group-policy ExternalGroup external server-group BostonAAA password 12345678Related Commands
group-policy attributes
To enter the group-policy attributes mode, use the group-policy attributes command in global configuration mode. To remove all attributes from a group policy, user the no version of this command. The attributes mode lets you configure AVPs for a specified group policy.
group-policy name attributes
no group-policy name attributes
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The syntax of the commands in attributes mode have the following characteristics in common:
•
•
•
Examples
The following example shows how to enter group-policy attributes mode for the group policy named "FirstGroup":
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)#Related Commands
gtp-map
To identify a specific map to use for defining the parameters for GTP, use the gtp-map command in global configuration mode. To remove the map, use the no form of this command.
gtp-map map_name
no gtp-map map_name
Note
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
GPRS is a data network architecture that is designed to integrate with existing GSM networks. It offers mobile subscribers uninterrupted, packet-switched data services to corporate networks and the Internet. For an overview of GTP and how the security appliance ensures secure access over wireless networks, refer to the "Applying Application Layer Protocol Inspection" chapter in the Cisco Security Appliance Command Line Configuration Guide.
Use the gtp-map command to identify a specific map to use for defining the parameters for GTP. When you enter this command, the system enters a configuration mode that lets you enter the different commands used for defining the specific map. After defining the GTP map, you use the inspect gtp command to enable the map. Then you use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.
Examples
The following example shows how to use the gtp-map command to identify a specific map (gtp-policy) to use for defining the parameters for GTP:
hostname(config)# gtp-map qtp-policyhostname(config-gtpmap)#The following example shows how to use access lists to identify GTP traffic, define a GTP map, define a policy, and apply the policy to the outside interface:
hostname(config)# access-list gtp-acl permit udp any any eq 3386hostname(config)# access-list gtp-acl permit udp any any eq 2123hostname(config)# class-map gtp-traffichostname(config-cmap)# match access-list gtp-aclhostname(config-cmap)# exithostname(config)# gtp-map gtp-policyhostname(config-gtpmap)# request-queue 300hostname(config-gtpmap)# permit mcc 111 mnc 222hostname(config-gtpmap)# message-length min 20 max 300hostname(config-gtpmap)# drop message 20hostname(config-gtpmap)# tunnel-limit 10000hostname(config)# policy-map inspection_policyhostname(config-pmap)# class gtp-traffichostname(config-pmap-c)# inspect gtp gtp-policyhostname(config)# service-policy inspection_policy outsideRelated Commands
help
To display help information for the command specified, use the help command in user EXEC mode.
help {command | ?}
Syntax Description
command
Specifies the command for which to display the CLI help.
?
Displays all commands that are available in the current privilege level and mode.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
User EXEC
•
•
•
•
•
Command History
Usage Guidelines
The help command displays help information about all commands. You can see help for an individual command by entering the help command followed by the command name. If you do not specify a command name and enter ? instead, all commands that are available in the current privilege level and mode display.
If you enable the pager command and when 24 lines display, the listing pauses, and the following prompt appears:
<--- More --->The More prompt uses syntax similar to the UNIX more command as follows:
•
•
•
Examples
The following example shows how to display help for the rename command:
hostname# help renameUSAGE:rename /noconfirm [{disk0:|disk1:|flash:}] <source path> [{disk0:|disk1:|flash:}] <destination path>DESCRIPTION:rename Rename a fileSYNTAX:/noconfirm No confirmation{disk0:|disk1:|flash:} Optional parameter that specifies the filesystem<source path> Source file path<destination path> Destination file pathhostname#The following examples shows how to display help by entering the command name and a question mark:
hostname(config)# enable ?usage: enable password <pwd> [encrypted]Help is available for the core commands (not the show, no, or clear commands) by entering ? at the command prompt:
hostname(config)# ?aaa Enable, disable, or view TACACS+ or RADIUSuser authentication, authorization and accounting...Related Commands
homepage
To specify a URL for the web page that displays upon login for this WebVPN user or group policy, use the homepage command in webvpn mode, which you enter from group-policy or username mode. To remove a configured home page, including a null value created by issuing the homepage none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting a home page, use the homepage none command.
homepage {value url-string | none}
no homepage
Syntax Description
Defaults
There is no default home page.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn mode
•
—
•
—
—
Command History
Examples
The following example shows how to specify www.example.com as the home page for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# homepage value http://www.example.comRelated Commands
webvpn
Use in group-policy configuration mode or in username configuration mode. Lets you enter webvpn mode to configure parameters that apply to group policies or usernames.
hostname
To set the security appliance hostname, use the hostname command in global configuration mode. To restore the default hostname, use the no form of this command. The hostname appears as the command line prompt, and if you establish sessions to multiple devices, the hostname helps you keep track of where you enter commands.
hostname name
no hostname [name]
Syntax Description
name
Specifies a hostname up to 63 characters. A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen.
Defaults
The default hostname depends on your platform.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
7.0(1)
You can no longer use non-alphanumeric characters (other than a hyphen).
Usage Guidelines
For multiple context mode, the hostname that you set in the system execution space appears in the command line prompt for all contexts.
The hostname that you optionally set within a context does not appear in the command line, but can be used for the banner command $(hostname) token.
Examples
The following example sets the hostname to firewall1:
hostname(config)# hostname firewall1firewall1(config)#Related Commands
banner
Sets a login, message of the day, or enable banner.
domain-name
Sets the default domain name.
html-content-filter
To filter Java, ActiveX, images, scripts, and cookies for WebVPN sessions for this user or group policy, use the html-content-filter command in webvpn mode, which you enter from group-policy or username mode. To remove a content filter, use the no form of this command. To remove all content filters, including a null value created by issuing the html-content-filter none command, use the no form of this command without arguments. The no option allows inheritance of a value from another group policy. To prevent inheriting an html content filter, use the html-content-filter none command.
html-content-filter {java | images | scripts | cookies | none}
no html-content-filter [java | images | scripts | cookies | none]
Syntax Description
Defaults
No filtering occurs.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn mode
•
—
•
—
—
Command History
Usage Guidelines
Using the command a second time overrides the previous setting.
Examples
The following example shows how to set filtering of JAVA and ActiveX, cookies, and images for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# webvpnhostname(config-group-webvpn)# html-content-filter java cookies imagesRelated Commands
http
To specify hosts that can access the HTTP server internal to the security appliance, use the http command in global configuration mode. To remove one or more hosts, use the no form of this command. To remove the attribute from the configuration, use the no form of this command without arguments.
http ip_address subnet_mask interface_name
no http
Syntax Description
Defaults
No hosts can access the HTTP server.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example shows how to allow the host with the IP address of 10.10.99.1 and the subnet mask of 255.255.255.255 access to the HTTP server via the outside interface:
hostname(config)# http 10.10.99.1 255.255.255.255 outsideThe next example shows how to allow any host access to the HTTP server via the outside interface:
hostname(config)# http 0.0.0.0 0.0.0.0 outsideRelated Commands
http authentication-certificate
To require authentication via certificate from users who are establishing HTTPS connections, use the http authentication-certificate command in global configuration mode. To remove the attribute from the configuration, use the no version of this command. To remove all http authentication-certificate commands from the configuration, use the no version without arguments.
The security appliance validates certificates against the PKI trust points. If a certificate does not pass validation, the security appliance closes the SSL connection.
http authentication-certificate interface
no http authentication-certificate [interface]
Syntax Description
interface
Specifies the interface on the security appliance that requires certificate authentication.
Defaults
HTTP certificate authentication is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
You can configure certificate authentication for each interface, such that connections on a trusted/inside interface do not have to provide a certificate. You can use the command multiple times to enable certificate authentication on multiple interfaces.
Validation occurs before the URL is known, so this affects both WebVPN and ASDM access.
The ASDM uses its own authentication method in addition to this value. That is, it requires both certificate and username/password authentication if both are configured, or just username/password if certificate authentication is disabled.
Examples
The following example shows how to require certificate authentication for clients connecting to the interfaces named outside and external:
hostname(config)# http authentication-certificate insidehostname(config)# http authentication-certificate externalRelated Commands
http redirect
To specify that the security appliance redirect HTTP connections to HTTPS, use the http redirect command in global configuration mode. To remove a specified http redirect command from the configuration, use the no version of this command. To remove all http redirect commands from the configuration, use the no version of this command without arguments.
http redirect interface [port]
no http redirect [interface]
Syntax Description
Defaults
HTTP redirect is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The interface requires an access list that permits HTTP. Otherwise the security appliance does not listen to port 80, or to any other port that you configure for HTTP.
Examples
The following example shows how to configure HTTP redirect for the inside interface, keeping the default port 80:
hostname(config)# http redirect insideRelated Commands
http server enable
To enable the security appliance HTTP server, use the http server enable command in global configuration mode. To disable the HTTP server, use the no form of this command.
http server enable
no http server enable
Defaults
The HTTP server is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Examples
The following example shows how to enable the HTTP server.
hostname(config)# http server enableRelated Commands
http-map
To create an HTTP map for applying enhanced HTTP inspection parameters, use the http-map command in global configuration mode. To remove the command, use the no form of this command.
http-map map_name
no http-map map_name
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The enhanced HTTP inspection feature, which is also known as an application firewall, verifies that HTTP messages conform to RFC 2616, use RFC-defined and supported extension methods, and comply with various other criteria. This can help prevent attackers from using HTTP messages for circumventing network security policy.
Note
In many cases, you can configure the criteria and how the security appliance responds when the criteria are not met. The criteria that you can apply to HTTP messages include the following:
•
•
•
•
•
•
•
•
•
•
Note
Table 5-2 summarizes the configuration commands available in HTTP map configuration mode. Click on an entry to open a command page that provides the detailed syntax for each command.
Examples
The following is sample output showing how to identify HTTP traffic, define an HTTP map, define a policy, and apply the policy to the outside interface.
hostname(config)# class-map http-porthostname(config-cmap)# match port tcp eq 80hostname(config-cmap)# exithostname(config)# http-map inbound_httphostname(config-http-map)# content-length min 100 max 2000 action reset loghostname(config-http-map)# content-type-verification match-req-rsp reset loghostname(config-http-map)# max-header-length request bytes 100 action log resethostname(config-http-map)# max-uri-length 100 action reset loghostname(config-http-map)# exithostname(config)# policy-map inbound_policyhostname(config-pmap)# class http-porthostname(config-pmap-c)# inspect http inbound_httphostname(config-pmap-c)# exithostname(config-pmap)# exithostname(config)# service-policy inbound_policy interface outsideThis example causes the security appliance to reset the connection and create a syslog entry when it detects any traffic that contain the following:
•
•
•
•
Related Commands
http-proxy
To configure an HTTP proxy server, use the http-proxy command in webvpn mode. To remove the HTTP proxy server from the configuration, use the no form of this command.
This is an external proxy server the security appliance uses for HTTP requests.
http-proxy address [port]
no http-proxy
Syntax Description
Defaults
No HTTP proxy server is configured by default.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Command History
Examples
The following example shows how to configure an HTTP proxy server with an IP address of 10.10.10.7 using port 80:
hostname(config)# webvpnhostname(config-webvpn)# http-proxy 10.10.10.7
https-proxy
To configure an HTTPS proxy server, use the https-proxy command in webvpn mode. To remove the HTTPS proxy server from the configuration, use the no form of this command.
This is an external proxy server the security appliance uses for HTTPS requests.
https-proxy address [port]
no https-proxy
Syntax Description
Defaults
No HTTPS proxy server is configured by default.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn
•
—
•
—
—
Command History
Examples
The following example shows how to configure an HTTPS proxy server with an IP address of 10.10.10.1 using port 443:
hostname(config)# webvpnhostname(config-webvpn)# https-proxy 10.10.10.1 443
hw-module module recover
To load a recovery software image from a TFTP server to an intelligent SSM (for example, the AIP SSM), or to configure network settings to access the TFTP server, use the hw-module module recover command in privileged EXEC mode. You might need to recover an SSM using this command if, for example, the SSM is unable to load a local image. This command is not available for interface SSMs (for example, the 4GE SSM).
hw-module module 1 recover {boot | stop | configure [url tfp_url | ip port_ip_address | gateway gateway_ip_address | vlan vlan_id]}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
This command is only available when the SSM is in the Up, Down, Unresponsive, or Recovery state. See the show module command for state information.
Examples
The following example sets the SSM to download an image from a TFTP server:
hostname# hw-module module 1 recover configureImage URL [tftp://127.0.0.1/myimage]: tftp://10.1.1.1/ids-newimgPort IP Address [127.0.0.2]: 10.1.2.10Port Mask [255.255.255.254]: 255.255.255.0Gateway IP Address [1.1.2.10]: 10.1.2.254VLAN ID [0]: 100The following example recovers the SSM:
hostname# hw-module module 1 recover bootThe module in slot 1 will be recovered. This mayerase all configuration and all data on that device andattempt to download a new image for it.Recover module in slot 1? [confirm]Related Commands
hw-module module reload
To reload an intelligent SSM software (for example, the AIP SSM), use the hw-module module reload command in privileged EXEC mode. This command is not available for interface SSMs (for example, the 4GE SSM).
hw-module module 1 reload
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
This command is only valid when the SSM status is Up. See the show module command for state information.
This command differs from the hw-module module reset command, which also performs a hardware reset.
Examples
The following example reloads the SSM in slot 1:
hostname# hw-module module 1 reloadReload module in slot 1? [confirm] yReload issued for module in slot 1%XXX-5-505002: Module in slot 1 is reloading. Please wait...%XXX-5-505006: Module in slot 1 is Up.Related Commands
hw-module module reset
To shut down and reset the SSM hardware, use the hw-module module reset command in privileged EXEC mode.
hw-module module 1 reset
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
This command is only valid when the SSM status is Up, Down, Unresponsive, or Recover. See the show module command for state information.
When the SSM is in an Up state, the hw-module module reset command prompts you to shut down the software before resetting.
You can recover intelligent SSMs (for example, the AIP SSM) using the hw-module module recover command. If you enter the hw-module module reset while the SSM is in a Recover state, the SSM does not interrupt the recovery process. The the hw-module module reset command performs a hardware reset of the SSM, and the SSM recovery continues after the hardware reset. You might want to reset the SSM during recovery if the SSM hangs; a hardware reset might resolve the issue.
This command differs from the hw-module module reload command which only reloads the software and does not perform a hardware reset.
Examples
The following example resets an SSM in slot 1 that is in the Up state:
hostname# hw-module module 1 resetThe module in slot 1 should be shut down beforeresetting it or loss of configuration may occur.Reset module in slot 1? [confirm] yReset issued for module in slot 1%XXX-5-505001: Module in slot 1 is shutting down. Please wait...%XXX-5-505004: Module in slot 1 shutdown is complete.%XXX-5-505003: Module in slot 1 is resetting. Please wait...%XXX-5-505006: Module in slot 1 is Up.Related Commands
hw-module module shutdown
To shut down the SSM software, use the hw-module module shutdown command in privileged EXEC mode.
hw-module module 1 shutdown
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Shutting down the SSM software prepares the SSM to be safely powered off without losing configuration data.
This command is only valid when the SSM status is Up or Unresponsive. See the show module command for state information.
Examples
The following example shuts down an SSM in slot 1:
hostname# hw-module module 1 shutdownShutdown module in slot 1? [confirm] yShutdown issued for module in slot 1hostname#%XXX-5-505001: Module in slot 1 is shutting down. Please wait...%XXX-5-505004: Module in slot 1 shutdown is complete.Related Commands
icmp
To configure access rules for ICMP traffic that terminates at a security appliance interface, use the icmp command. To remove the configuration, use the no form of this command.
icmp {permit | deny} ip_address net_mask [icmp_type] if_name
no icmp {permit | deny} ip_address net_mask [icmp_type] if_name
Syntax Description
Defaults
The default behavior of the security appliance is to allow all ICMP traffic to the security appliance interfaces. However, by default the security appliance does not respond to ICMP echo requests directed to a broadcast address. The security appliance also denies ICMP messages received at the outside interface for destinations on a protected interface.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The icmp command controls ICMP traffic that terminates on any security appliance interface. If no ICMP control list is configured, then the security appliance accepts all ICMP traffic that terminates at any interface, including the outside interface. However, by default, the security appliance does not respond to ICMP echo requests directed to a broadcast address.
The icmp deny command disables pinging to an interface, and the icmp permit command enables pinging to an interface. With pinging disabled, the security appliance cannot be detected on the network. This is also referred to as configurable proxy pinging.
Use the access-list extended or access-group commands for ICMP traffic that is routed through the security appliance for destinations on a protected interface.
We recommend that you grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic. See RFC 1195 and RFC 1435 for details about Path MTU Discovery.
If an ICMP control list is configured for an interface, then the security appliance first matches the specified ICMP traffic and then applies an implicit deny for all other ICMP traffic on that interface. That is, if the first matched entry is a permit entry, the ICMP packet continues to be processed. If the first matched entry is a deny entry or an entry is not matched, the security appliance discards the ICMP packet and generates a syslog message. An exception is when an ICMP control list is not configured; in that case, a permit statement is assumed.
Table 5-3 lists the supported ICMP type values.
Examples
The following example denies all ping requests and permits all unreachable messages at the outside interface:
hostname(config)# icmp permit any unreachable outsideThe following example permits host 172.16.2.15 or hosts on subnet 172.22.1.0/16 to ping the outside interface:
hostname(config)# icmp permit host 172.16.2.15 echo-reply outsidehostname(config)# icmp permit 172.22.1.0 255.255.0.0 echo-reply outsidehostname(config)# icmp permit any unreachable outsideRelated Commands
icmp-object
To add icmp-type object groups, use the icmp-object command in icmp-type configuration mode. To remove network object groups, use the no form of this command.
icmp-object icmp_type
no group-object icmp_type
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Icmp-type configuration
•
•
•
•
—
Command History
Usage Guidelines
The icmp-object command is used with the object-group command to define an icmp-type object. It is used in icmp-type configuration mode.
ICMP type numbers and names include:
Examples
The following example shows how to use the icmp-object command in icmp-type configuration mode:
hostname(config)# object-group icmp-type icmp_allowedhostname(config-icmp-type)# icmp-object echohostname(config-icmp-type)# icmp-object time-exceededhostname(config-icmp-type)# exitRelated Commands
id-cert-issuer
To indicate whether the system accepts peer certificates issued by the CA associated with this trustpoint, use the id-cert-issuer command in crypto ca trustpoint configuration mode. Use the no form of this command to disallow certificates that were issued by the CA associated with the trustpoint. This is useful for trustpoints that represent widely used root CAs.
id-cert-issuer
no id-cert-issuer
Syntax Description
This command has no arguments or keywords.
Defaults
The default setting is enabled (identity certificates are accepted).
Command Modes
The following table shows the modes in which you can enter the command
Crypto ca trustpoint configuration
•
•
•
•
—
:
Command History
Usage Guidelines
Use this command to limit certificate acceptance to those issued by the subordinate certificate of a widely used root certificate. If you do not allow this feature, the security appliance rejects any IKE peer certificate signed by this issuer.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and lets an administrator accept identity certificates signed by the issuer for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# id-cert-issuerhostname(ca-trustpoint)#Related Commands
igmp
To reinstate IGMP processing on an interface, use the igmp command in interface configuration mode. To disable IGMP processing on an interface, use the no form of this command.
igmp
no igmp
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
Only the no form of this command appears in the running configuration.
Examples
The following example disables IGMP processing on the selected interface:
hostname(config-if)# no igmpRelated Commands
igmp access-group
To control the multicast groups that hosts on the subnet serviced by an interface can join, use the igmp access-group command in interface configuration mode. To disable groups on the interface, use the no form of this command.
igmp access-group acl
no igmp access-group acl
Syntax Description
Defaults
All groups are allowed to join on an interface.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
7.0
This command was moved to interface configuration mode. Earlier versions required you to enter multicast interface configuration mode, which is no longer available.
Examples
The following example limits hosts permitted by access list 1 to join the group:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# igmp access-group 1Related Commands
igmp forward interface
To enable forwarding of all IGMP host reports and leave messages received to the interface specified, use the igmp forward interface command in interface configuration mode. To remove the forwarding, use the no form of this command.
igmp forward interface if-name
no igmp forward interface if-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
7.0
This command was moved to interface configuration mode. Earlier versions required you to enter multicast interface configuration mode, which is no longer available.
Usage Guidelines
Enter this command on the input interface. This command is used for stub multicast routing and cannot be configured concurrently with PIM.
Examples
The following example forwards IGMP host reports from the current interface to the specified interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# igmp forward interface outsideRelated Commands
igmp join-group
To configure an interface to be a locally connected member of the specified group, use the igmp join-group command in interface configuration mode. To cancel membership in the group, use the no form of this command.
igmp join-group group-address
no igmp join-group group-address
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
7.0
This command was moved to interface configuration mode. Earlier versions required you to enter multicast interface configuration mode, which is no longer available.
Usage Guidelines
This command configures a security appliance interface to be a member of a multicast group. The igmp join-group command causes the security appliance to both accept and forward multicast packets destined for the specified multicast group.
To configure the security appliance to forward the multicast traffic without being a member of the multicast group, use the igmp static-group command.
Examples
The following example configures the selected interface to join the IGMP group 255.2.2.2:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# igmp join-group 225.2.2.2Related Commands
igmp static-group
Configure the interface to be a statically connected member of the specified multicast group.
igmp limit
To limit the number of IGMP states on a per-interface basis, use the igmp limit command in interface configuration mode. To restore the default limit, use the no form of this command.
igmp limit number
no igmp limit [number]
Syntax Description
Defaults
The default is 500.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Examples
The following example limits the number of hosts that can join on the interface to 250:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# igmp limit 250Related Commands
igmp query-interval
To configure the frequency at which IGMP host query messages are sent by the interface, use the igmp query-interval command in interface configuration mode. To restore the default frequency, use the no form of this command.
igmp query-interval seconds
no igmp query-interval seconds
Syntax Description
seconds
Frequency, in seconds, at which to send IGMP host query messages. Valid values range from 1 to 3600. The default is 125 seconds.
Defaults
The default query interval is 125 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
7.0
This command was moved to interface configuration mode. Earlier versions required you to enter multicast interface configuration mode, which is no longer available.
Usage Guidelines
Multicast routers send host query messages to discover which multicast groups have members on the networks attached to the interface. Hosts respond with IGMP report messages indicating that they want to receive multicast packets for specific groups. Host query messages are addressed to the all-hosts multicast group, which has an address of 224.0.0.1 TTL value of 1.
The designated router for a LAN is the only router that sends IGMP host query messages:
•
•
If the router hears no queries for the timeout period (controlled by the igmp query-timeout command), it becomes the querier.
Caution
Examples
The following example changes the IGMP query interval to 120 seconds:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# igmp query-interval 120Related Commands
igmp query-max-response-time
To specify the maximum response time advertised in IGMP queries, use the igmp query-max-response-time command in interface configuration mode. To restore the default response time value, use the no form of this command.
igmp query-max-response-time seconds
no igmp query-max-response-time [seconds]
Syntax Description
seconds
Maximum response time, in seconds, advertised in IGMP queries. Valid values are from 1 to 25. The default value is 10 seconds.
Defaults
10 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
7.0
This command was moved to interface configuration mode. Earlier versions required you to enter multicast interface configuration mode, which is no longer available.
Usage Guidelines
This command is valid only when IGMP Version 2 or 3 is running.
This command controls the period during which the responder can respond to an IGMP query message before the router deletes the group.
Examples
The following example changes the maximum query response time to 8 seconds:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# igmp query-max-response-time 8Related Commands
igmp query-timeout
To configure the timeout period before the interface takes over as the querier after the previous querier has stopped querying, use the igmp query-timeout command in interface configuration mode. To restore the default value, use the no form of this command.
igmp query-timeout seconds
no igmp query-timeout [seconds]
Syntax Description
Defaults
The default query interval is 255 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
This command requires IGMP Version 2 or 3.
Examples
The following example configures the router to wait 200 seconds from the time it received the last query before it takes over as the querier for the interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# igmp query-timeout 200Related Commands
igmp static-group
To configure the interface to be a statically connected member of the specified multicast group, use the igmp static-group command in interface configuration mode. To remove the static group entry, use the no form of this command.
igmp static-group group
no igmp static-group group
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
When configured with the igmp static-group command, the security appliance interface does not accept multicast packets destined for the specified group itself; it only forwards them. To configure the security appliance both accept and forward multicast packets for a speific multicast group, use the igmp join-group command. If the igmp join-group command is configured for the same group address as the igmp static-group command, the igmp join-group command takes precedence, and the group behaves like a locally joined group.
Examples
The following example adds the selected interface to the multicast group 239.100.100.101:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# igmp static-group 239.100.100.101Related Commands
igmp join-group
Configures an interface to be a locally connected member of the specified group.
igmp version
To configure which version of IGMP the interface uses, use the igmp version command in interface configuration mode. To restore version to the default, use the no form of this command.
igmp version {1 | 2}
no igmp version [1 | 2]
Syntax Description
Defaults
IGMP Version 2.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
7.0
This command was moved to interface configuration mode. Earlier versions required you to enter multicast interface configuration mode, which is no longer available.
Usage Guidelines
All routers on the subnet must support the same version of IGMP. Hosts can have any IGMP version (1 or 2) and the security appliance will correctly detect their presence and query them appropriately.
Some commands require IGMP Version 2, such as the igmp query-max-response-time and igmp query-timeout commands.
Examples
The following example configures the selected interface to use IGMP Version 1:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# igmp version 1Related Commands
ignore lsa mospf
To suppress the sending of syslog messages when the router receives link-state advertisement (LSA) Type 6 Multicast OSPF (MOSPF) packets, use the ignore lsa mospf command in router configuration mode. To restore the sending of the syslog messages, use the no form of this command.
ignore lsa mospf
no ignore lsa mospf
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
Type 6 MOSPF packets are unsupported.
Examples
The following example cause LSA Type 6 MOSPF packets to be ignored:
hostname(config-router)# ignore lsa mospfRelated Commands
imap4s
To enter IMAP4S configuration mode, use the imap4s command in global configuration mode. To remove any commands entered in IMAP4S command mode, use the no form of this command.
IMAP4 is a client/server protocol in which your Internet server receives and holds e-mail for you. You (or your e-mail client) can view just the heading and the sender of the letter and then decide whether to download the mail. You can also create and manipulate multiple folders or mailboxes on the server, delete messages, or search for certain parts or an entire note. IMAP requires continual access to the server during the time that you are working with your mail. IMAP4S lets you receive e-mail over an SSL connection.
imap4s
no imap4s
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Examples
The following example shows how to enter IMAP4S configuration mode:
hostname(config)# imap4shostname(config-imap4s)#Related Commands
clear configure imap4s
Removes the IMAP4S configuration.
show running-config imap4s
Displays the running configuration for IMAP4S.
inspect ctiqbe
To enable CTIQBE protocol inspection, use the inspect ctiqbe command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To disable inspection, use the no form of this command.
inspect ctiqbe
no inspect ctiqbe
Defaults
This command is disabled by default.Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0
This command was introduced in 7.0. It replaces the previously existing fixup command, which is now deprecated.
Usage Guidelines
The inspect ctiqbe command enables CTIQBE protocol inspection, which supports NAT, PAT, and bidirectional NAT. This enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to work successfully with Cisco CallManager for call setup across the security appliance.
The Telephony Application Programming Interface (TAPI) and Java Telephony Application Programming Interface (JTAPI) are used by many Cisco VoIP applications. Computer Telephony Interface Quick Buffer Encoding (CTIQBE) is used by Cisco TAPI Service Provider (TSP) to communicate with Cisco CallManager.
The following summarizes limitations that apply when using CTIQBE application inspection:
•
•
•
•
The following summarizes special considerations when using CTIQBE application inspection in specific scenarios:
•
•
•
Inspecting Signaling Messages
For inspecting signaling messages, the inspect ctiqbe command often needs to determine locations of the media endpoints (for example, IP phones).
This information is used to prepare access-control and NAT state for media traffic to traverse the firewall transparently without manual configuration.
In determining these locations, the inspect ctiqbe command does not use the tunnel default gateway route. A tunnel default gateway route is a route of the form route interface 0 0 metric tunneled. This route overrides the default route for packets that egress from IPSec tunnels. Therefore, if the inspect ctiqbe command is desired for VPN traffic, do not configure the tunnel default gateway route. Instead, us other static routing or dynamic routing.
Examples
You enable the CTIQBE inspection engine as shown in the following example, which creates a class map to match CTIQBE traffic on the default port (2748). The service policy is then applied to the outside interface.
hostname(config)# class-map ctiqbe-porthostname(config-cmap)# match port tcp eq 2748hostname(config-cmap)# exithostname(config)# policy-map ctiqbe_policyhostname(config-pmap)# class ctiqbe-porthostname(config-pmap-c)# inspect ctiqbehostname(config-pmap-c)# exithostname(config)# service-policy ctiqbe_policy interface outsideTo enable CTIQBE inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect cuseeme
To enable CU-SeeMe application inspection or to change the ports to which the security appliance listens, use the inspect cuseeme command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect cuseeme
no inspect cuseeme
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
The inspect cuseeme command provides application inspection for the CU-SeeMe application.
Use the port option to change the default port assignment from 389. Use the -port option to apply ILS inspection to a range of port numbers.
With CU-SeeMe clients, one user can connect directly to another (CU-SeeMe or other H.323 client) for person-to-person audio, video, and data collaboration. CU-SeeMe clients can conference in a mixed client environment that includes both CU-SeeMe clients and H.323-compliant clients from other vendors.
In the background, CU-SeeMe clients operate in two very different modes. When connected to another CU-SeeMe client or CU-SeeMe Conference Server, the client sends information in CU-SeeMe mode.
When connected to an H.323-compliant videoconferencing client from a different vendor, CU-SeeMe clients communicate using the H.323-standard format in H.323 mode.
CU-SeeMe is supported through H.323 inspection, as well as performing NAT on the CU-SeeMe control stream, which operates on UDP port 7648.
Examples
You enable the CU-SeeMe inspection engine as shown in the following example, which creates a class map to match CU-SeeMe traffic on the default port (7648). The service policy is then applied to the outside interface.
hostname(config)# class-map cuseeme-porthostname(config-cmap)# match port tcp eq 7648hostname(config-cmap)# exithostname(config)# policy-map cuseeme_policyhostname(config-pmap)# class cuseeme-porthostname(config-pmap-c)# inspect cuseemehostname(config-pmap-c)# exithostname(config)# service-policy cuseeme_policy interface outsideTo enable CU-SeeMe inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
=
inspect dns
To enable DNS inspection (if it has been previously disabled), use the inspect dns command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. Use the inspect dns command to specify the maximum DNS packet length. To disable DNS inspection, use the no form of this command.
inspect dns [maximum-length max_pkt_length]
no inspect dns [maximum-length max_pkt_length]
Syntax Description
Defaults
This command is enabled by default.
The default maximum-length for the DNS packet size is 512.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
DNS guard tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the security appliance. DNS guard also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.
When DNS inspection is enabled, which it is the default, the security appliance performs the following additional tasks:
•
Note
•
Note
•
•
•
A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.
Because the app_id expires independently, a legitimate DNS response can only pass through the security appliance within a limited period of time and there is no resource build-up. However, if you enter the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.
How DNS Rewrite Works
When DNS inspection is enabled, DNS rewrite provides full support for NAT of DNS messages originating from any interface.
If a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A-record is translated correctly. If the DNS inspection engine is disabled, the A-record is not translated.
DNS rewrite performs two functions:
•
•
As long as DNS inspection remains enabled, you can configure DNS rewrite using the alias, static, or nat commands. For details about the syntax and function of these commands, refer to the appropriate command page.
Examples
The following example changes the maximum DNS packet length to 1500 bytes. Although DNS inspection is enabled by default, you still need to create a traffic map to identify DNS traffic and then apply the policy map to the appropriate interface.
hostname(config)# class-map dns-porthostname(config-cmap)# match port udp eq 53hostname(config-cmap)# exithostname(config)# policy-map sample_policyhostname(config-pmap)# class dns-porthostname(config-pmap-c)# inspect dns maximum-length 1500hostname(config-pmap-c)# exithostname(config)# service-policy sample_policy interface outsideTo change the maximum DNS packet length for all interfaces, use the global parameter in place of interface outside.
The following example shows how to disable DNS:
hostname(config)# policy-map sample_policyhostname(config-pmap)# class dns-porthostname(config-pmap-c)# no inspect dnshostname(config-pmap-c)# exithostname(config)# service-policy sample_policy interface outsideRelated Commands
inspect esmtp
To enable SMTP application inspection or to change the ports to which the security appliance listens, use the inspect esmtp command in class configuration mode. The class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect esmtp
no inspect esmtp
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
ESMTP application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the security appliance and by adding monitoring capabilities.
ESMTP is an enhancement to the SMTP protocol and is similar is most respects to SMTP. For convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP. The application inspection process for extended SMTP is similar to SMTP application inspection and includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session but an ESMTP session is considerably faster and offers more options related to reliability and security, such as delivery status notification.
The inspect esmtp command includes the functionality previously provided by the fixup smtp command, and provides additional support for some extended SMTP commands. Extended SMTP application inspection adds support for eight extended SMTP commands, including AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the security appliance supports a total of fifteen SMTP commands.
Other extended SMTP commands, such as ATRN, STARTLS, ONEX, VERB, CHUNKING, and private extensions and are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.
If you enter the inspect smtp command, the security appliance automatically converts the command into inspect esmtp, which is the configuration that will be shown if you enter the show running-config command.
The inspect esmtp command changes the characters in the server SMTP banner to asterisks except for the "2", "0", "0" characters. Carriage return (CR) and linefeed (LF) characters are ignored.
With SMTP inspection enabled, a Telnet session used for interactive SMTP may hang if the following rules are not observed: SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply.
An SMTP server responds to client requests with numeric reply codes and optional human readable strings. SMTP application inspection controls and reduces the commands that the user can use as well as the messages that the server returns. SMTP inspection performs three primary tasks:
•
•
•
SMTP inspection monitors the command and response sequence for the following anomalous signatures:
•
•
•
•
•
•
•
Examples
You enable the SMTP inspection engine as shown in the following example, which creates a class map to match SMTP traffic on the default port (25). The service policy is then applied to the outside interface.
hostname(config)# class-map smtp-porthostname(config-cmap)# match port tcp eq 25hostname(config-cmap)# exithostname(config)# policy-map smtp_policyhostname(config-pmap)# class smtp-porthostname(config-pmap-c)# inspect esmtphostname(config-pmap-c)# exithostname(config)# service-policy smtp_policy interface outsideTo enable SMTP inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect ftp
To configure the port for FTP inspection or to enable enhanced inspection, use the inspect ftp command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect ftp [strict [map_name]]
no inspect ftp [strict [map_name]]
Syntax Description
map_name
The name of the FTP map.
strict
(Optional) Enables enhanced inspection of FTP traffic and forces compliance with RFC standards.
Caution
Defaults
The security appliance listens to port 21 for FTP by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0
This command was introduced, replacing the fixup command, which is now deprecated. The map_name option was added.
Usage Guidelines
The FTP application inspection inspects the FTP sessions and performs four tasks:
•
•
•
•
FTP application inspection prepares secondary channels for FTP data transfer. The channels are allocated in response to a file upload, a file download, or a directory listing event and must be pre-negotiated. The port is negotiated through the PORT or PASV commands.
Note
Using the strict Option
The strict option prevents web browsers from sending embedded commands in FTP requests. Each ftp command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. The strict option only lets an FTP server generate the 227 command and only lets an FTP client generate the PORT command. The 227 and PORT commands are checked to ensure they do not appear in an error string.
Caution
If the strict option is enabled, each ftp command and response sequence is tracked for the following anomalous activity:
•
•
•
•
•
•
•
•
•
Note
FTP Log Messages
FTP application inspection generates the following log messages:
•
•
•
•
•
In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959.
Examples
The following example identifies FTP traffic, defines an FTP map, defines a policy, enables strict FTP inspection, and applies the policy to the outside interface:
hostname(config)# class-map ftp-porthostname(config-cmap)# match port tcp eq 21hostname(config-cmap)# exithostname(config)# ftp-map inbound_ftphostname(config-inbound_ftp)# request-command deny put stou appehostname(config-ftp-map)# exithostname(config)# policy-map inbound_policyhostname(config-pmap)# class ftp-porthostname(config-pmap-c)# inspect ftp strict inbound_ftphostname(config-pmap-c)# exithostname(config-pmap)# exithostname(config)# service-policy inbound_policy interface outsideTo enable strict FTP application inspection for all interfaces, use the global parameter in place of interface outside.
Note
Related Commands
inspect gtp
To enable or disable GTP inspection or to define a GTP map for controlling GTP traffic or tunnels, use the inspect gtp command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. Use the no form of this command to remove the command.
inspect gtp [map_name]
no inspect gtp [map_name]
Note
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
Usage Guidelines
GTP is the tunnelling protocol for GPRS, and helps provide secure access over wireless networks. GPRS is a data network architecture that is designed to integrate with existing GSM networks. It offers mobile subscribers uninterrupted, packet-switched data services to corporate networks and the Internet. For an overview of GTP, refer to the "Applying Application Layer Protocol Inspection" chapter in the Cisco Security Appliance Command Line Configuration Guide.
Use the gtp-map command to identify a specific map to use for defining the parameters for GTP. When you enter this command, the system enters a configuration mode that lets you enter the different commands used for defining the specific map. The actions that you can specify for messages that fail the criteria set using the different configuration commands include allow, reset, or drop. In addition to these actions, you can specify to log the event or not.
After defining the GTP map, you use the inspect gtp command to enable the map. Then you use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.
The string gtp, used as a port value, is automatically converted to the port value 3386. The well-known ports for GTP are as follows:
•
•
The following features are not supported in 7.0:
•
•
•
Inspecting Signaling Messages
For inspecting signaling messages, the inspect gtp command often needs to determine locations of the media endpoints (for example, IP phones).
This information is used to prepare access-control and NAT state for media traffic to traverse the firewall transparently without manual configuration.
In determining these locations, the inspect gtp command does not use the tunnel default gateway route. A tunnel default gateway route is a route of the form route interface 0 0 metric tunneled. This route overrides the default route for packets that egress from IPSec tunnels. Therefore, if the inspect gtp command is desired for VPN traffic, do not configure the tunnel default gateway route. Instead, us other static routing or dynamic routing.
Examples
The following example shows how to use access lists to identify GTP traffic, define a GTP map, define a policy, and apply the policy to the outside interface:
hostname(config)# access-list gtp-acl permit udp any any eq 3386hostname(config)# access-list gtp-acl permit udp any any eq 2123hostname(config)# class-map gtp-traffichostname(config)# match access-list gtp-aclhostname(config)# gtp-map gtp-policyhostname(config)# policy-map inspection_policyhostname(config-pmap)# class gtp-traffichostname(config-pmap-c)# inspect gtp gtp-policyhostname(config)# service-policy inspection_policy interface outside
Note
Related Commands
inspect h323
To enable H.323 application inspection or to change the ports to which the security appliance listens, use the inspect h323 command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect h323 {h225 | ras }
no inspect h323 {h225 | ras }
Syntax Description
Defaults
The default port assignments are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
The inspect h323 command provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union (ITU) for multimedia conferences over LANs. The security appliance supports H.323 through Version 4, including the H.323 v3 feature Multiple Calls on One Call Signaling Channel.
With H.323 inspection enabled, the security appliance supports multiple calls on the same call signaling channel, a feature introduced with H.323 Version 3. This feature reduces call setup time and reduces the use of ports on the security appliance.
The two major functions of H.323 inspection are as follows:
•
•
How H.323 Works
The H.323 collection of protocols collectively may use up to two TCP connection and four to six UDP connections. FastStart uses only one TCP connection, and RAS uses a single UDP connection for registration, admissions, and status.
An H.323 client may initially establish a TCP connection to an H.323 server using TCP port 1720 to request Q.931 call setup. As part of the call setup process, the H.323 terminal supplies a port number to the client to use for an H.245 TCP connection. The H.245 connection is for call negotiation and media channel setup. In environments where H.323 gatekeeper is in use, the initial packet is transmitted using UDP.
H.323 inspection monitors the Q.931 TCP connection to determine the H.245 port number. If the H.323 terminals are not using FastStart, the security appliance dynamically allocates the H.245 connection based on the inspection of the H.225 messages.
Note
Within each H.245 message, the H.323 endpoints exchange port numbers that are used for subsequent UDP data streams. H.323 inspection inspects the H.245 messages to identify these ports and dynamically creates connections for the media exchange. Real-Time Transport Protocol (RTP) uses the negotiated port number, while RTP Control Protocol (RTCP) uses the next higher port number.
The H.323 control channel handles H.225 and H.245 and H.323 RAS. H.323 inspection uses the following ports.
•
•
•
If the ACF message from the gatekeeper goes through the security appliance, a pinhole will be opened for the H.225 connection. The H.245 signaling ports are negotiated between the endpoints in the H.225 signaling. When an H.323 gatekeeper is used, the security appliance opens an H.225 connection based on inspection of the ACF message. If | the security appliance does not see the ACF message, you might need to open an access list for the well-known H.323 port 1720 for the H.225 call signaling.
The security appliance dynamically allocates the H.245 channel after inspecting the H.225 messages and then hooks up to the H.245 channel to be fixed up as well. That means whatever H.245 messages pass through the security appliance pass through the H.245 application inspection, NATing embedded IP addresses and opening the negotiated media channels.
The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede the H.225 and H.245, before being passed on to the reliable connection. Because the TPKT header does not necessarily need to be sent in the same TCP packet as the H.225/H.245 message, the security appliance must remember the TPKT length to process/decode the messages properly. The security appliance keeps a data structure for each connection and that data structure contains the TPKT length for the next expected message.
If the security appliance needs to NAT any IP addresses, then it will have to change the checksum, the UUIE (user-user information element) length, and the TPKT, if included in the TCP packet with the H.225 message. If the TPKT is sent in a separate TCP packet, then the security appliance will proxy ACK that TPKT and append a new TPKT to the H.245 message with the new length.
Note
Each UDP connection with a packet going through H.323 inspection is marked as an H.323 connection and will time out with the H.323 timeout as configured using the timeout command.
Limitations and Restrictions
The following are some of the known issues and limitations when using H.323 application inspection:
•
•
•
Inspecting Signaling Messages
For inspecting signaling messages, the inspect h323 command often needs to determine locations of the media endpoints (for example, IP phones).
This information is used to prepare access-control and NAT state for media traffic to traverse the firewall transparently without manual configuration.
In determining these locations, the inspect h323 command does not use the tunnel default gateway route. A tunnel default gateway route is a route of the form route interface 0 0 metric tunneled. This route overrides the default route for packets that egress from IPSec tunnels. Therefore, if the inspect h323 command is desired for VPN traffic, do not configure the tunnel default gateway route. Instead, us other static routing or dynamic routing.
Examples
You enable the H.323 inspection engine as shown in the following example, which creates a class map to match H.323 traffic on the default port (1720). The service policy is then applied to the outside interface.
hostname(config)# class-map h323-porthostname(config-cmap)# match port tcp eq 1720hostname(config-cmap)# exithostname(config)# policy-map h323_policyhostname(config-pmap)# class h323-porthostname(config-pmap-c)# inspect h323hostname(config-pmap-c)# exithostname(config)# service-policy h323_policy interface outsideTo enable H.323 inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect http
To enable HTTP application inspection or to change the ports to which the security appliance listens, use the inspect http command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect http [map_name]
no inspect http [map_name]
Syntax Description
Defaults
The default port for HTTP is 80.
Enhanced HTTP inspection is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
The inspect http command protects against specific attacks and other threats that may be associated with HTTP traffic. HTTP inspection performs several functions:
•
•
•
The latter two features are configured in conjunction with the filter command.
Enhanced HTTP inspection verifies that HTTP messages conform to RFC 2616, use RFC-defined methods or supported extension methods, and comply with various other criteria. In many cases, you can configure these criteria and the system response when the criteria are not met. The actions that you can specify for messages that fail the criteria set using the different configuration commands include allow, reset, or drop. In addition to these actions, you can specify to log the event or not.
The criteria that you can apply to HTTP messages include the following:
•
•
•
•
•
•
•
•
•
•
•
•
Note
To enable enhanced HTTP inspection, enter the inspect http http-map command. The rules that this applies to HTTP traffic are defined by the specific HTTP map, which you configure by entering the http-map command and HTTP map configuration mode commands.
Note
Examples
The following example shows how to identify HTTP traffic, define an HTTP map, define a policy, and apply the policy to the outside interface:
hostname(config)# class-map http-porthostname(config-cmap)# match port tcp eq 80hostname(config-cmap)# exithostname(config)# http-map inbound_httphostname(config-http-map)# content-length min 100 max 2000 action reset loghostname(config-http-map)# content-type-verification match-req-rsp reset loghostname(config-http-map)# max-header-length request bytes 100 action log resethostname(config-http-map)# max-uri-length 100 action reset loghostname(config-http-map)# exithostname(config)# policy-map inbound_policyhostname(config-pmap)# class http-porthostname(config-pmap-c)# inspect http inbound_httphostname(config-pmap-c)# exithostname(config-pmap)# exithostname(config)# service-policy inbound_policy interface outsideThis example causes the security appliance to reset the connection and create a syslog entry when it detects any traffic that contain the following:
•
•
•
•
Related Commands
inspect icmp
To configure the ICMP inspection engine, use the inspect icmp command in class configuration mode. Class configuration mode is accessible from policy map configuration mode.
inspect icmp
no inspect icmp
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
The ICMP inspection engine allows ICMP traffic to be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the security appliance in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct
When ICMP inspection is disabled, which is the default configuration, ICMP echo reply messages are denied from a lower security interface to a higher security interface, even if it is in response to an ICMP echo request.
Examples
You enable the ICMP application inspection engine as shown in the following example, which creates a class map to match ICMP traffic using the ICMP protocol ID, which is 1 for IPv4 and 58 for IPv6. The service policy is then applied to the outside interface.
hostname(config)# class-map icmp-classhostname(config-cmap)# match default-inspection-traffichostname(config-cmap)# exithostname(config)# policy-map icmp_policyhostname(config-pmap)# class icmp-classhostname(config-pmap-c)# inspect icmphostname(config-pmap-c)# exithostname(config)# service-policy icmp_policy interface outsideTo enable ICMP inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect icmp error
To enable application inspection for ICMP error messages, use the inspect icmp error command in class configuration mode. Class configuration mode is accessible from policy map configuration mode.
inspect icmp error
no inspect icmp error
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
Use the inspect icmp error command to create xlates for intermediate hops that send ICMP error messages, based on the static/NAT configuration. By default, the security appliance hides the IP addresses of intermediate hops. However, using the inspect icmp error command makes the intermediate hop IP addresses visible. The security appliance overwrites the packet with the translated IP addresses.
When enabled, the ICMP error inspection engine makes the following changes to the ICMP packet:
•
•
•
–
–
–
When an ICMP error message is retrieved, whether ICMP error inspection is enabled or not, the ICMP payload is scanned to retrieve the five-tuple (src ip , dest ip, src port, dest port, and ip protocol) from the original packet. A lookup is performed, using the retrieved five-tuple, to determine the original address of the client and to locate an existing session associated with the specific five-tuple. If the session is not found, the ICMP error message is dropped.
Examples
You enable the ICMP error application inspection engine as shown in the following example, which creates a class map to match ICMP traffic using the ICMP protocol ID, which is 1 for IPv4 and 58 for IPv6. The service policy is then applied to the outside interface.
hostname(config)# class-map icmp-classhostname(config-cmap)# match default-inspection-traffichostname(config-cmap)# exithostname(config)# policy-map icmp_policyhostname(config-pmap)# class icmp-classhostname(config-pmap-c)# inspect icmp errorhostname(config-pmap-c)# exithostname(config)# service-policy icmp_policy interface outsideTo enable ICMP error inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect ils
To enable ILS application inspection or to change the ports to which the security appliance listens, use the inspect ils command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect ils
no inspect ils
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
The inspect ils command provides NAT support for Microsoft NetMeeting, SiteServer, and Active Directory products that use LDAP to exchange directory information with an ILS server.
Use the port option to change the default port assignment from 389. Use the -port option to apply ILS inspection to a range of port numbers.
The security appliance supports NAT for ILS, which is used to register and locate endpoints in the ILS or SiteServer Directory. PAT cannot be supported because only IP addresses are stored by an LDAP database.
For search responses, when the LDAP server is located outside, NAT should be considered to allow internal peers to communicate locally while registered to external LDAP servers. For such search responses, xlates are searched first, and then DNAT entries to obtain the correct address. If both of these searches fail, then the address is not changed. For sites using NAT 0 (no NAT) and not expecting DNAT interaction, we recommend that the inspection engine be turned off to provide better performance.
Additional configuration may be necessary when the ILS server is located inside the security appliance border. This would require a hole for outside clients to access the LDAP server on the specified port, typically TCP 389.
Because ILS traffic only occurs on the secondary UDP channel, the TCP connection is disconnected after the TCP inactivity interval. By default, this interval is 60 minutes and can be adjusted using the timeout command.
ILS/LDAP follows a client/server model with sessions handled over a single TCP connection. Depending on the client's actions, several of these sessions may be created.
During connection negotiation time, a BIND PDU is sent from the client to the server. Once a successful BIND RESPONSE from the server is received, other operational messages may be exchanged (such as ADD, DEL, SEARCH, or MODIFY) to perform operations on the ILS Directory. The ADD REQUEST and SEARCH RESPONSE PDUs may contain IP addresses of NetMeeting peers, used by H.323 (SETUP and CONNECT messages) to establish the NetMeeting sessions. Microsoft NetMeeting v2.X and v3.X provides ILS support.
The ILS inspection performs the following operations:
•
•
•
•
•
•
•
ILS inspection has the following limitations:
•
•
•
Note
Examples
You enable the ILS inspection engine as shown in the following example, which creates a class map to match ILS traffic on the default port (389). The service policy is then applied to the outside interface.
hostname(config)# class-map ils-porthostname(config-cmap)# match port tcp eq 389hostname(config-cmap)# exithostname(config)# policy-map ils_policyhostname(config-pmap)# class ils-porthostname(config-pmap-c)# inspect ilshostname(config-pmap-c)# exithostname(config)# service-policy ils_policy interface outsideTo enable ILS inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect ipsec-pass-thru
To enable ESP inspection, use the inspect ipsec-pass-thru command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect ipsec-pass-thru
no inspect ipsec-pass-thru
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
