Table Of Contents
match default-inspection-traffic
match flow ip destination-address
memory delayed-free-poisoner enable
memory delayed-free-poisoner validate
ospf network point-to-point non-broadcast
password (crypto ca trustpoint)
remote-access threshold session-threshold-exceeded
M through R Commands
mac address
To specify the virtual MAC addresses for the active and standby units, use the mac address command in failover group configuration mode. To restore the default virtual MAC addresses, use the no form of this command.
mac address phy_if [active_mac] [standby_mac]
no mac address phy_if [active_mac] [standby_mac]
Syntax Description
Defaults
The defaults are as follows:
•
Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01.
•
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
If the virtual MAC addresses are not defined for the failover group, the default values are used.
If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address.
Examples
The following partial example shows a possible configuration for a failover group:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)# failover group 2hostname(config-fover-group)# secondaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# mac address e1 0000.a000.a011 0000.a000.a012hostname(config-fover-group)# exithostname(config)#Related Commands
failover group
Defines a failover group for Active/Active failover.
failover mac address
Specifies a virtual MAC address for a physical interface.
mac-address-table aging-time
To set the timeout for MAC address table entries, use the mac-address-table aging-time command in global configuration mode. To restore the default value of 5 minutes, use the no form of this command.
mac-address-table aging-time timeout_value
no mac-address-table aging-time
Syntax Description
timeout_value
The time a MAC address entry stays in the MAC address table before timing out, between 5 and 720 minutes (12 hours). 5 minutes is the default.
Defaults
The default timeout is 5 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Usage Guidelines
No usage guidelines.
Examples
The following example sets the MAC address timeout to 10 minutes:
hostname(config)# mac-address-timeout aging time 10Related Commands
mac-address-table static
To add a static entry to the MAC address table, use the mac-address-table static command in global configuration mode. To remove a static entry, use the no form of this command. Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired. One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the security appliance drops the traffic and generates a system message.
mac-address-table static interface_name mac_address
no mac-address-table static interface_name mac_address
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Examples
The following example adds a static MAC address entry to the MAC address table:
hostname(config)# mac-address-table static inside 0010.7cbe.6101Related Commands
mac-learn
To disable MAC address learning for an interface, use the mac-learn command in global configuration mode. To reenable MAC address learning, use the no form of this command. By default, each interface automatically learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired.
mac-learn interface_name disable
no mac-learn interface_name disable
Syntax Description
interface_name
The interface on which you want to disable MAC learning.
disable
Disables MAC learning.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Examples
The following example disables MAC learning on the outside interface:
hostname(config)# mac-learn outside disableRelated Commands
mac-list
To specify a list of MAC addresses to be used for MAC-based authentication, use the mac-list command in global configuration mode. To disable the use of a list of MAC addresses, use the no form of this command. The mac-list command adds a list of MAC addresses using a first-match search.
mac-list id deny | permit mac macmask
no mac-list id deny | permit mac macmask
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
To group a set of MAC addresses, enter the mac-list command as many times as needed with the same id value. Configure the MAC access list number using the mac-list command before using the aaa mac-exempt command.
Only AAA exemption is provided. Authorization is automatically exempted for MAC addresses for which authentication is exempted. Other types of AAA with mac-list are not supported.
Examples
The following example shows how to configure a MAC address list:
hostname(config)# mac-list adc permit 00a0.cp5d.0282 ffff.ffff.ffffhostname(config)# mac-list adc deny 00a1.cp5d.0282 ffff.ffff.ffffhostname(config)# mac-list ac permit 0050.54ff.0000 ffff.ffff.0000hostname(config)# mac-list ac deny 0061.54ff.b440 ffff.ffff.ffffhostname(config)# mac-list ac deny 0072.54ff.b440 ffff.ffff.ffffRelated Commands
management-access
To enable access to an internal management interface of the security appliance, use the management-access command in global configuration mode. To disable, use the no form of this command.
management-access mgmt_if
no management-access mgmt_if
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
Command History
Usage Guidelines
The management-access command lets you define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The interface names are defined by the nameif command and displayed in quotes, " ", in the output of the show interface command.)
The management-access command is supported for the following through an IPSec VPN tunnel only, and you can define only one management interface globally:
•
•
•
•
•
•
•
•
Examples
The following example shows how to configure a firewall interface named "inside" as the management access interface:
hostname(config)# management-access insidehostname(config)# show management-accessmanagement-access insideRelated Commands
management-only
To set an interface to accept management traffic only, use the management-only command in interface configuration mode. To allow through traffic, use the no form of this command.
management-only
no management-only
Syntax Description
This command has no arguments or keywords.
Defaults
The Management 0/0 interface on the ASA 5500 series adaptive security appliance is set to management-only mode by default.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The ASA adaptive security appliance includes a dedicated management interface called Management 0/0, which is meant to support traffic to the security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.
Note
Examples
The following example disables management-only mode on the management interface:
hostname(config)# interface management0/0hostname(config-if)# no management-onlyThe following example enables management-only mode on a subinterface:
hostname(config)# interface gigabitethernet0/2.1hostname(config-subif)# management-onlyRelated Commands
mask-syst-reply
To hide the FTP server response from clients, use the mask-syst-reply command in FTP map configuration mode, which is accessible by using the ftp-map command. To remove the configuration, use the no form of this command.
mask-syst-reply
no mask-syst-reply
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
FTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the mask-syst-reply command with strict FTP inspection to protect the FTP server system from clients. After enabling this command, the servers replies to the syst command are replaced by a series of Xs.
Examples
The following example causes the security appliance to replace the FTP server replies to the syst command with Xs:
hostname(config)# ftp-map inbound_ftphostname(config-ftp-map)# mask-syst-replyhostname(config-ftp-map)# exit
match access-list
To identify traffic using an access list in a class map, use the match access-list command in class-map configuration mode. To remove the access list, use the no form of this command.
match access-list {acl-id...}
no match access-list {acl-id...}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
You can specify one or more access lists to identify specific types of traffic using the match access-list command. The permit statement in an access control entry causes the traffic to be included, while a deny statement causes the traffic to be excluded from the traffic class map.
Examples
The following example shows how to define a traffic class using a class map and the match access-list command:
hostname(config)# access-list ftp_acl extended permit tcp any any eq 21hostname(config)# class-map ftp_porthostname(config-cmap)# match access-list ftp_aclRelated Commands
match any
To include all traffic in a class map, use the match any command in class-map configuration mode. To remove this specification, use the no form of this command.
match any
no match any
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
All packets will be matched using the match any command (as in the default class map, class-default).
Examples
This example shows how to define a traffic class using a class map and the match any command:
hostname(config)# class-map cmaphostname(config-cmap)# match anyRelated Commands
match default-inspection-traffic
To specify default traffic for the inspect commands in a class map, use the match default-inspection-traffic command in class-map configuration mode. To remove this specification, use the no form of this command.
match default-inspection-traffic
no match default-inspection-traffic
Syntax Description
This command has no arguments or keywords.
Defaults
See the Usage Guidelines section for the default traffic of each inspection.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Using the match default-inspection-traffic command, you can match default traffic for the individual inspect commands. The match default-inspection-traffic command can be used in conjunction with one other match command, which is typically an access-list in the form of permit ip src-ip dst-ip.
The rule for combining a second match command with the match default-inspection-traffic command is to specify the protocol and port information using the match default-inspection-traffic command and specify all other information (such as IP addresses) using the second match command. Any protocol or port information specified in the second match command is ignored with respect to the inspect commands.
For instance, port 65535 specified in the example below is ignored:
hostname(config)# class-map cmaphostname(config-cmap)# match default-inspection-traffichostname(config-cmap)# match port 65535Default traffic for inspections are as follows:
Examples
The following example shows how to define a traffic class using a class map and the match default-inspection-traffic command:
hostname(config)# class-map cmaphostname(config-cmap)# match default-inspection-trafficRelated Commands
match dscp
To identify the IETF-defined DSCP value (in an IP header) in a class map, use the match dscp command in class-map configuration mode. To remove this specification, use the no form of this command.
match dscp {values}
no match dscp {values}
Syntax Description
values
Specifies up to eight different the IETF-defined DSCP values in the IP header. Range is 0 to 63.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Using the match dscp command, you can match the IETF-defined DSCP values in the IP header.
Examples
The following example shows how to define a traffic class using a class map and the match dscp command:
hostname(config)# class-map cmaphostname(config-cmap)# match dscp af43 cs1 efRelated Commands
match flow ip destination-address
To specify the flow IP destination address in a class map, use the match flow ip destination-address command in class-map configuration mode. To remove this specification, use the no form of this command.
match flow ip destination-address
no match flow ip destination-address
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
To enable flow-based policy actions on a tunnel group, use the match flow ip destination-address and match tunnel-group commands with the class-map, policy-map, and service-policy commands. The criteria to define flow is the destination IP address. All traffic going to a unique IP destination address is considered a flow. Policy action is applied to each flow instead of the entire class of traffic. QoS action police is applied using the match flow ip destination-address command. Use match tunnel-group to police every tunnel within a tunnel group to a specified rate.
Examples
The following example shows how to enable flow-based policing within a tunnel group and limit each tunnel to a specified rate:
hostname(config)# class-map cmaphostname(config-cmap)# match tunnel-grouphostname(config-cmap)# match flow ip destination-addresshostname(config-cmap)# exithostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# police 56000hostname(config-pmap)# exithostname(config)# service-policy pmap globalRelated Commands
match interface
To distribute any routes that have their next hop out one of the interfaces specified, use the match interface command in route-map configuration mode. To remove the match interface entry, use the no form of this command.
match interface interface-name...
no match interface interface-name...
Syntax Description
interface-name
Name of the interface (not the physical interface). Multiple interface names can be specified.
Defaults
No match interfaces are defined.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the interface-type interface-number arguments.
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can give the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions that are given with the set commands. The no forms of the match commands remove the specified match criteria. If there is more than one interface specified in the match command. then the no match interface interface-name can be used to remove a single interface.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. If you want to modify only some data, you must configure a second route map section and specify an explicit match.
Examples
The following example shows that the routes with their next hop outside is distributed:
hostname(config)# route-map namehostname(config-route-map)# match interface outsideRelated Commands
match ip address
To redistribute any routes that have a route address or match packet that is passed by one of the access lists specified, use the match ip address command in route-map configuration mode. To restore the default settings, use the no form of this command.
match ip address {acl...}
no match ip address {acl...}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
Examples
The following example shows how to redistribute internal routes:
hostname(config)# route-map namehostname(config-route-map)# match ip address acl_dmz1 acl_dmz2Related Commands
match ip next-hop
To redistribute any routes that have a next-hop router address that is passed by one of the access lists specified, use the match ip next-hop command in route-map configuration mode. To remove the next-hop entry, use the no form of this command.
match ip next-hop {acl...} | prefix-list prefix_list
no match ip next-hop {acl...} | prefix-list prefix_list
Syntax Description
Defaults
Routes are distributed freely, without being required to match a next-hop address.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the acl argument.
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
When you are passing routes through a route map, a route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match.
Examples
The following example shows how to distribute routes that have a next-hop router address passed by access list acl_dmz1 or acl_dmz2:
hostname(config)# route-map namehostname(config-route-map)# match ip next-hop acl_dmz1 acl_dmz2Related Commands
match ip route-source
To redistribute routes that have been advertised by routers and access servers at the address that is specified by the ACLs, use the match ip route-source command in the route-map configuration mode. To remove the next-hop entry, use the no form of this command.
match ip route-source {acl...} | prefix-list prefix_list
no match ip route-source {acl...}
Syntax Description
Defaults
No filtering on a route source.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
An ellipsis (...) in the command syntax indicates that your command input can include multiple values for the access-list-name argument.
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match. The next-hop and source-router address of the route are not the same in some situations.
Examples
The following example shows how to distribute routes that have been advertised by routers and access servers at the addresses specified by ACLs acl_dmz1 and acl_dmz2:
hostname(config)# route-map namehostname(config-route-map)# match ip route-source acl_dmz1 acl_dmz2Related Commands
match metric
To redistribute routes with the metric specified, use the match metric command in route-map configuration mode. To remove the entry, use the no form of this command.
match metric number
no match metric number
Syntax Description
Defaults
No filtering on a metric value.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. The match commands can be given in any order, and all match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match.
Examples
The following example shows how to redistribute routes with the metric 5:
hostname(config)# route-map namehostname(config-route-map)# match metric 5Related Commands
match port
To identify a specific port number in a class map, use the match port command in class-map configuration mode. To remove this specification, use the no form of this command.
match port {tcp | udp} {eq eq_id | range beg_id end_id}
no match port {tcp | udp} {eq eq_id | range beg_id end_id}
Syntax Description
eq eq_id
Specifies a port name.
range beg_id end_id
Specifies beginning and ending port range values (1-65535).
tcp
Specifies a TCP port.
udp
Specifies a UDP port.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Use the match port command to specify a range of ports.
Examples
The following example shows how to define a traffic class using a class map and the match port command:
hostname(config)# class-map cmaphostname(config-cmap)# match port tcp eq 8080Related Commands
match precedence
To specify a precedence value in a class map, use the match precedence command in class-map configuration mode. To remove this specification, use the no form of this command.
match precedence value
no match precedence value
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Use the match precedence command to specify the value represented by the TOS byte in the IP header.
Examples
The following example shows how to define a traffic class using a class map and the match precedence command:
hostname(config)# class-map cmaphostname(config-cmap)# match precedence 1Related Commands
match route-type
To redistribute routes of the specified type, use the match route-type command in route-map configuration mode. To remove the route type entry, use the no form of this command.
match route-type {local | internal | {external [type-1 | type-2]} | {nssa-external [type-1 | type-2]}}
no match route-type {local | internal | {external [type-1 | type-2]} | {nssa-external [type-1 | type-2]}}
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Route-map configuration
•
—
•
—
—
Command History
Usage Guidelines
The route-map global configuration command and the match and set configuration commands allow you to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has match and set commands that are associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria that is enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. You can enter the match commands in any order. All match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
A route map can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored. To modify only some data, you must configure a second route map section and specify an explicit match.
For OSPF, the external type-1 keywords match only type 1 external routes and the external type-2 keywords match only type 2 external routes.
Examples
The following example shows how to redistribute internal routes:
hostname(config)# route-map namehostname(config-route-map)# match route-type internalRelated Commands
match rtp
To specify a UDP port range of even-number ports in a class map, use the match rtp command in class-map configuration mode. To remove this specification, use the no form of this command.
match rtp starting_port range
no match rtp starting_port range
Syntax Description
starting_port
Specifies lower bound of even-number UDP destination port. Range is 2000-65535
range
Specifies range of RTP ports. Range is 0-16383.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Use the match rtp command to match RTP ports (even UDP port numbers between the starting_port and the starting_port plus the range).
Examples
The following example shows how to define a traffic class using a class map and the match rtp command:
hostname(config)# class-map cmaphostname(config-cmap)# match rtp 20000 100Related Commands
match tunnel-group
To match traffic in a class map that belongs to a previously defined tunnel-group, use the match tunnel-group command in class-map configuration mode. To remove this specification, use the no form of this command.
match tunnel-group name
no match tunnel-group name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
To enable flow-based policy actions, use the match flow ip destination-address and match tunnel-group commands with the class-map, policy-map, and service-policy commands. The criteria to define flow is the destination IP address. All traffic going to a unique IP destination address is considered a flow. Policy action is applied to each flow instead of the entire class of traffic. QoS action police is applied using the police command. Use match tunnel-group along with match flow ip destination-address to police every tunnel within a tunnel group to a specified rate.
Examples
The following example shows how to enable flow-based policing within a tunnel group and limit each tunnel to a specified rate:
hostname(config)# class-map cmaphostname(config-cmap)# match tunnel-grouphostname(config-cmap)# match flow ip destination-addresshostname(config-cmap)# exithostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# police 56000hostname(config-pmap)# exithostname(config)# service-policy pmap globalRelated Commands
max-failed-attempts
To specify the number of failed attempts allowed for any given server in the server group before that server is deactivated, use the max-failed-attempts command in AAA-sersver group mode. To remove this specification and revert to the default value, use the no form of this command:
max-failed-attempts number
no max-failed-attempts
Syntax Description
number
An integer in the range 1-5, specifying the number of failed connection attempts allowed for any given server in the server group specified in a prior aaa-server command.
Defaults
The default value of number is 3.
Command Modes
The following table shows the modes in which you can enter the command:
AAA-server group
•
•
•
•
—
Command History
Usage Guidelines
You must have configured the AAA server/group before issuing this command.
Examples
hostname(config)# aaa-server svrgrp1 protocol tacacs+hostname(config-aaa-server-group)# max-failed-attempts 4Related Commands
max-header-length
To restrict HTTP traffic based on the HTTP header length, use the max-header-length command in HTTP map configuration mode, which is accessible using the http-map command. To remove this command, use the no form of this command.
max-header-length {request bytes [response bytes] | response bytes} action {allow | reset | drop} [log]
no max-header-length {request bytes [response bytes] | response bytes} action {allow | reset | drop} [log]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
HTTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
After enabling the max-header-length command, the security appliance only allows messages having an HTTP header within the configured limit and otherwise takes the specified action. Use the action keyword to cause the security appliance to reset the TCP connection and optionally create a syslog entry.
Examples
The following example restricts HTTP requests to those with HTTP headers that do not exceed 100 bytes. If a header is too large, the security appliance resets the TCP connection and creates a syslog entry.
hostname(config)# http-map inbound_httphostname(config-http-map)# max-header-length request bytes 100 action log resethostname(config-http-map)# exitRelated Commands
max-uri-length
To restrict HTTP traffic based on the length of the URI in the HTTP request message, use the max-uri-length command in HTTP map configuration mode, which is accessible using the http-map command. To remove this command, use the no form of this command.
max-uri-length bytes action {allow | reset | drop} [log]
no max-uri-length bytes action {allow | reset | drop} [log]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
HTTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
After enabling the max-uri-length command, the security appliance only allows messages having a URI within the configured limit and otherwise takes the specified action. Use the action keyword to cause the security appliance to reset the TCP connection and create a syslog entry.
URIs with a length less than or equal to the configured value will be allowed. Otherwise, the specified action will be taken.
Examples
The following example restricts HTTP requests to those with URIs that do not exceed 100 bytes. If a URI is too large, the security appliance resets the TCP connection and creates a syslog entry.
hostname(config)# http-map inbound_httphostname(config-http-map)# max-uri-length 100 action reset loghostname(config-http-map)# exitRelated Commands
mcc
To identify the mobile country code and the mobile network code for IMSI prefix filtering, use the mcc command in GTP map configuration mode. To remove the configuration, use the no form of this command.
mcc country_code mnc network_code
no mcc country_code mnc network_code
Syntax Description
Defaults
By default, the security appliance does not check for valid MCC/MNC combinations.
Command Modes
The following table shows the modes in which you can enter the command:
GTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
This command is used for IMSI Prefix filtering. The MCC and MNC in the IMSI of the received packet is compared with the MCC/MNC configured with this command and is dropped if it does not match.
This command must be used to enable IMSI Prefix filtering. You can configure multiple instances to specify permitted MCC and MNC combinations. By default, the security appliance does not check the validity of MNC and MCC combinations, so you must verify the validity of the combinations configured. To find more information about MCC and MNC codes, see the ITU E.212 recommendation, Identification Plan for Land Mobile Stations.
Examples
The following example identifies traffic for IMSI Prefix filtering with an MCC of 111 and an MNC of 222:
hostname(config)# gtp-map qtp-policyhostname(config-gtpmap)# mcc 111 mnc 222Related Commands
media-type
To set the media type to copper or fiber Gigabit Ethernet, use the media-type command in interface configuration mode. The fiber SFP connector is available on the 4GE SSM for the ASA 5500 series adaptive security appliance. To restore the media type setting to the default, use the no form of this command.
media-type {rj45 | sfp}
no media-type [rj45 | sfp]
Syntax Description
rj45
(Default) Sets the media type to the copper RJ-45 connector.
sfp
Sets the media type to the fiber SFP connector.
Defaults
The default is rj45.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
•
Command History
Usage Guidelines
The sfp setting uses a fixed speed (1000 Mbps), so the speed command allows you to set whether the interface negotiates link parameters or not. The duplex command is not supported for sfp.
Examples
The following example sets the media type to SFP:
hostname(config)# interface gigabitethernet1/1hostname(config-if)# media-type sfphostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownRelated Commands
memory caller-address
To configure a specific range of program memory for the call tracing, or caller PC, to help isolate memory problems, use the memory caller-address command in privileged EXEC mode. The caller PC is the address of the program that called a memory allocation primitive. To remove an address range, use the no form of this command.
memory caller-address startPC endPC
no memory caller-address
Syntax Description
endPC
Specifies the end address range of the memory block.
startPC
Specifies the start address range of the memory block.
Defaults
The actual caller PC is recorded for memory tracing.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
—
•
•
Command History
Usage Guidelines
Use the memory caller-address command to isolate memory problems to a specific block of memory.
In certain cases the actual caller PC of the memory allocation primitive is a known library function that is used at many places in the program. To isolate individual places in the program, configure the start and end program address of the library function, thereby recording the program address of the caller of the library function.
Note
Examples
The following examples show the address ranges configured with the memory caller-address commands, and the resulting display of the show memory-caller address command:hostname# memory caller-address 0x00109d5c 0x00109e08hostname# memory caller-address 0x009b0ef0 0x009b0f14hostname# memory caller-address 0x00cf211c 0x00cf4464hostname# show memory-caller addressMove down stack frame for the addresses:pc = 0x00109d5c-0x00109e08pc = 0x009b0ef0-0x009b0f14pc = 0x00cf211c-0x00cf4464Related Commands
memory delayed-free-poisoner enable
To enable the delayed free-memory poisoner tool, use the memory delayed-free-poisoner enable command in privileged EXEC mode. To disable the delayed free-memory poisoner tool, use the no form of this command. The delayed free-memory poisoner tool lets you monitor freed memory for changes after it has been released by an application.
memory delayed-free-poisoner enable
no memory delayed-free-poisoner enable
Syntax Description
This command has no arguments or keywords.
Defaults
The memory delayed-free-poisoner enable command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
Enabling the delayed free-memory poisoner tool has a significant impact on memory usage and system performance. The command should only be used under the supervision of the Cisco TAC. It should not be run in a production environment during heavy system usage.
When you enable this tool, requests to free memory by the applications running on the security appliance are written to a FIFO queue. As each request is written to the queue, each associated byte of memory that is not required by lower-level memory management is "poisoned" by being written with the value 0xcc.
The freed memory requests remain in the queue until more memory is required by an application than is in the free memory pool. When memory is needed, the first freed memory request is pulled from the queue and the poisoned memory is validated.
If the memory is unmodified, it is returned to the lower-level memory pool and the tool reissues the memory request from the application that made the initial request. The process continues until enough memory for the requesting application is freed.
If the poisoned memory has been modified, then the system forces a crash and produces diagnostic output to determine the cause of the crash.
The delayed free-memory poisoner tool periodically performs validation on all of the elements of the queue automatically. Validation can also be started manually using the memory delayed-free-poisoner validate command.
The no form of the command causes all of the memory referenced by the requests in the queue to be returned to the free memory pool without validation and any statistical counters to be cleared.
Examples
The following example enables the delayed free-memory poisoner tool:
hostname# memory delayed-free-poisoner enableThe following is sample output when the delayed free-memory poisoner tool detects illegal memory reuse:
delayed-free-poisoner validate failed because adata signature is invalid at delayfree.c:328.heap region: 0x025b1cac-0x025b1d63 (184 bytes)memory address: 0x025b1cb4byte offset: 8allocated by: 0x0060b812freed by: 0x0060ae15Dumping 80 bytes of memory from 0x025b1c88 to 0x025b1cd7025b1c80: ef cd 1c a1 e1 00 00 00 | ........025b1c90: 23 01 1c a1 b8 00 00 00 15 ae 60 00 68 ba 5e 02 | #.........`.h.^.025b1ca0: 88 1f 5b 02 12 b8 60 00 00 00 00 00 6c 26 5b 02 | ..[...`.....l&[.025b1cb0: 8e a5 ea 10 ff ff ff ff cc cc cc cc cc cc cc cc | ................025b1cc0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc | ................025b1cd0: cc cc cc cc cc cc cc cc | ........An internal error occurred. Specifically, a programming assertion wasviolated. Copy the error message exactly as it appears, and get theoutput of the show version command and the contents of the configurationfile. Then call your technical support representative.assertion "0" failed: file "delayfree.c", line 191Table 6-1 describes the significant portion of the output.
Related Commands
memory delayed-free-poisoner validate
To force validation of all elements in the memory delayed-free-poisoner queue, use the memory delayed-free-poisoner validate command in privileged EXEC mode.
memory delayed-free-poisoner validate
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
You must enable the delayed free-memory poisoner tool using the memory delayed-free-poisoner enable command before issuing the memory delayed-free-poisoner validate command.
The memory delayed-free-poisoner validate command causes each element of the memory delayed-free-poisoner queue to be validated. If an element contains unexpected values, then the system forces a crash and produces diagnostic output to determine the cause of the crash. If no unexpected values are encountered, the elements remain in the queue and are processed normally by the tool; the memory delayed-free-poisoner validate command does not cause the memory in the queue to be returned to the system memory pool.
Note
Examples
The following example causes all elements in the memory delayed-free-poisoner queue to be validated:
hostname# memory delayed-free-poisoner validateRelated Commands
memory profile enable
To enable the monitoring of memory usage (memory profiling), use the memory profile enable command in privileged EXEC mode. To disable memory profiling, use the no form of this command.
memory profile enable peak peak_value
no memory profile enable peak peak_value
Syntax Description
Defaults
Memory profiling is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
—
•
•
Command History
Usage Guidelines
Before enabling memory profiling, you must first configure a memory text range to profile with the memory profile text command.
Some memory is held by the profiling system until you enter the clear memory profile command. See the output of the show memory status command.
Note
The following example enables memory profiling:
hostname# memory profile enableRelated Commands
memory profile text
Configures a text range of memory to profile.
show memory profile
Displays information about the memory usage (profiling) of the security appliance.
memory profile text
To configure a program text range of memory to profile, use the memory profile text command in privileged EXEC mode. To disable, use the no form of this command.
memory profile text {startPC endPC | all resolution}
no memory profile text {startPC endPC | all resolution}
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
—
•
•
Command History
Usage Guidelines
For a small text range, a resolution of "4" normally traces the call to an instruction. For a larger text range, a coarse resolution is probably enough for the first pass and the range could be narrowed down to a set of smaller regions in the next pass.
After entering the text range with the memory profile text command, you must then enter the memory profile enable command to begin memory profiling. Memory profiling is disabled by default.
Note
Examples
The following example shows how to configure a text range of memory to profile, with a resolution of 4:
hostname# memory profile text 0x004018b4 0x004169d0 4The following example displays the configuration of the text range and the status of memory profiling (OFF):
hostname# show memory profile InUse profiling: OFF Peak profiling: OFF Profile: 0x004018b4-0x004169d0(00000004)
Note
Related Commands
memory tracking enable
To enable the tracking of heap memory request, use the memory tracking enable command in privileged EXEC mode. To disable memory tracking, use the no form of this command.
memory tracking enable
no memory tracking enable
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
—
•
•
Command History
Usage Guidelines
Use the memory tracking enable command to track heap memory requests. To disable memory tracking, use the no form of this command.
Examples
The following example enables tracking heap memory requests:
hostname# memory tracking enableRelated Commands
message-length
To filter GTP packets that do not meet the configured maximum and minimum length, use the message-length command in GTP map configuration mode, which is accessed by using the gtp-map command. Use the no form to remove the command.
message-length min min_bytes max max_bytes
no message-length min min_bytes max max_bytes
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
GTP map configuration
·
·
·
·
No
Command History
Usage Guidelines
The length specified by this command is the sum of the GTP header and the rest of the message, which is the payload of the UDP packet.
Examples
The following example allows messages between 20 bytes and 300 bytes in length:
hostname(config)# gtp-map qtp-policyhostname(config-gtpmap)# permit message-length min 20 max 300Related Commands
mgcp-map
To identify a specific map for defining the parameters for MGCP inspection, use the mgcp-map command in global configuration mode. To remove the map, use the no form of this command.
mgcp-map map_name
no mgcp-map map_name
Syntax Description
Defaults
The default for the MGCP command queue is 200.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the mgcp-map command to identify a specific map to use for defining the parameters for MGCP inspection. When you enter this command, the system enters a configuration mode that lets you enter the different commands used for defining the specific map. After defining the MGCP map, you use the inspect mgcp command to enable the map. You use Modular Policy Framework to apply the inspect command to a defined class of traffic and to apply the policy to a specific interface. The following are the commands available in MGCP map configuration mode.
•
•
•
•
Examples
The following example shows how to use the mgcp-map command to identify a specific map (mgcp-policy) to use for defining the parameters for MGCP inspection.
hostname(config)# mgcp-map mgcp-policyhostname(config-mgcp-policy)#The following example shows how to identify MGCP traffic, define a MGCP map, define a policy, and apply the policy to the outside interface.
You enable the MGCP inspection engine as shown in the following example, which creates a class map to match MGCP traffic on the default port (2427). The service policy is then applied to the outside interface.
hostname(config)# class-map mgcp-porthostname(config-cmap)# match port tcp eq 2427hostname(config-cmap)# exithostname(config)# mgcp-map mgcp_inboundhostname(config-mgcp-map)# call-agent 10.10.11.5 101hostname(config-mgcp-map)# call-agent 10.10.11.6 101hostname(config-mgcp-map)# call-agent 10.10.11.7 102hostname(config-mgcp-map)# call-agent 10.10.11.8 102hostname(config-mgcp-map)# gateway 10.10.10.115 101hostname(config-mgcp-map)# gateway 10.10.10.116 102hostname(config-mgcp-map)# gateway 10.10.10.117 102hostname(config-mgcp-map)# command-queue 150hostname(config)# policy-map mgcp_policyhostname(config)# mgcp-map mgcp_hostname(config-pmap)# class mgcp-porthostname(config-pmap-c)# inspect mgcp mgcp_inboundhostname(config-pmap-c)# exithostname(config)# service-policy mgcp_policy interface outsideTo enable MGCP inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
mkdir
To create a new directory, use the mkdir command in privileged EXEC mode.
mkdir [/noconfirm] [disk0: | disk1: | flash:]path
Syntax Description
Defaults
If you do not specify a path, the directory is created in the current working directory.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
If a directory with the same name already exists, then the new directory is not created.
Examples
This example shows how to make a new directory called "backup":
hostname# mkdir backupRelated Commands
mode
To set the security context mode to single or multiple, use the mode command in global configuration mode. You can partition a single security appliance into multiple virtual devices, known as security contexts. Each context behaves like an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone appliances. In single mode, the security appliance has a single configuration and behaves as a single device. In multiple mode, you can create multiple contexts, each with its own configuration. The number of contexts allowed depends on your license.
mode {single | multiple} [noconfirm]
Syntax Description
multiple
Sets multiple context mode.
noconfirm
(Optional) Sets the mode without prompting you for confirmation. This option is useful for automated scripts.
single
Sets the context mode to single.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
In multiple context mode, the security appliance includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a stand-alone device (see the config-url command to identify the context configuration location). The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.
When you change the context mode using the mode command, you are prompted to reboot.
The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match using the mode command.
When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup configuration is not saved. The security appliance automatically adds an entry for the admin context to the system configuration with the name "admin."
If you convert from multiple mode to single mode, you might want to first copy a full startup configuration (if available) to the security appliance; the system configuration inherited from multiple mode is not a complete functioning configuration for a single mode device.
Not all features are supported in multiple context mode. See the Cisco Security Appliance Command Line Configuration Guide for more information.
Examples
The following example sets the mode to multiple:
hostname(config)# mode multipleWARNING: This command will change the behavior of the deviceWARNING: This command will initiate a RebootProceed with change mode? [confirm] yConvert the system configuration? [confirm] yFlash Firewall mode: multiple****** --- SHUTDOWN NOW ---****** Message to all terminals:****** change modeRebooting....Booting system, please wait...The following example sets the mode to single:
hostname(config)# mode singleWARNING: This command will change the behavior of the deviceWARNING: This command will initiate a RebootProceed with change mode? [confirm] yFlash Firewall mode: single****** --- SHUTDOWN NOW ---****** Message to all terminals:****** change modeRebooting....Booting system, please wait...Related Commands
context
Configures a context in the system configuration and enters context configuration mode.
show mode
Shows the current context mode, either single or multiple.
monitor-interface
To enable health monitoring on a specific interface, use the monitor-interface command in global configuration mode. To disable interface monitoring, use the no form of this command.
monitor-interface if_name
no monitor-interface if_name
Syntax Description
Defaults
Monitoring of physical interfaces is enabled by default; monitoring of logical interfaces is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The number of interfaces that can be monitored for the security appliance is 250. Hello messages are exchanged during every interface poll frequency time period between the security appliance failover pair. The failover interface poll time is 3 to 15 seconds. For example, if the poll time is set to 5 seconds, testing begins on an interface if 5 consecutive hellos are not heard on that interface (25 seconds).
Monitored failover interfaces can have the following status:
•
•
•
•
•
•
In Active/Active failover, this command is only valid within a context.
Examples
The following example enables monitoring on an interface named "inside":
hostname(config)# monitor-interface insidehostname(config)#Related Commands
more
To display the contents of a file, use the more command.
more {/ascii | /binary| /ebcdic | disk0: | disk1: | flash: | ftp: | http: | https: | system: | tftp:}filename
Syntax Description
Defaults
ACSII mode
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
The more filesystem: command prompts you to enter the alias of the local directory or file systems.
Examples
This example shows how to display the contents of a local file named "test.cfg":
hostname# more test.cfg: Saved: Written by enable_15 at 10:04:01 Apr 14 2005XXX Version X.X(X)nameif vlan300 outside security10enable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptedhostname testfixup protocol ftp 21fixup protocol h323 H225 1720fixup protocol h323 ras 1718-1719fixup protocol ils 389fixup protocol rsh 514fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol sip 5060fixup protocol skinny 2000namesaccess-list deny-flow-max 4096access-list alert-interval 300access-list 100 extended permit icmp any anyaccess-list 100 extended permit ip any anypager lines 24icmp permit any outsidemtu outside 1500ip address outside 172.29.145.35 255.255.0.0no asdm history enablearp timeout 14400access-group 100 in interface outside!interface outside!route outside 0.0.0.0 0.0.0.0 172.29.145.1 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00timeout uauth 0:05:00 absoluteaaa-server TACACS+ protocol tacacs+aaa-server RADIUS protocol radiusaaa-server LOCAL protocol localsnmp-server host outside 128.107.128.179snmp-server location my_context, USAsnmp-server contact admin@my_context.comsnmp-server community publicno snmp-server enable trapsfloodguard enablefragment size 200 outsideno sysopt route dnattelnet timeout 5ssh timeout 5terminal width 511gdb enablemgcp command-queue 0Cryptochecksum:00000000000000000000000000000000: endRelated Commands
cd
Changes to the specified directory.
pwd
Displays the current working directory.
mroute
To configure a static multicast route, use the mroute command in global configuration mode. To remove a static multicast route, use the no form of this command.
mroute src smask in_if_name [dense output_if_name] [distance]
no mroute src smask in_if_name [dense output_if_name] [distance]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command lets you statically configure where multicast sources are located. The security appliance expects to receive multicast packets on the same interface as it would use to send unicast packets to a specific source. In some cases, such as bypassing a route that does not support multicast routing, multicast packets may take a different path than the unicast packets.
Static multicast routes are not advertised or redistributed.
Use the show mroute command displays the contents of the multicast route table. Use the show running-config mroute command to display the mroute commands in the running configuration.
Examples
The following example shows how configure a static multicast route using the mroute command:
hostname(config)# mroute 172.16.0.0 255.255.0.0 insideRelated Commands
mtu
To specify the maximum transmission unit for an interface, use the mtu command in global configuration mode. To reset the MTU block size to 1500 for Ethernet interfaces, use the no form of this command. This command supports IPv4 and IPv6 traffic.
mtu interface_name bytes
no mtu interface_name bytes
Syntax Description
bytes
Number of bytes in the MTU; valid values are from 64 to 65,535 bytes.
interface_name
Internal or external network interface name.
Defaults
The default bytes is 1500 for Ethernet interfaces.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Usage Guidelines
The mtu command lets you to set the data size that is sent on a connection. Data that is larger than the MTU value is fragmented before being sent.
The security appliance supports IP path MTU discovery (as defined in RFC 1191), which allows a host to dynamically discover and cope with the differences in the maximum allowable MTU size of the various links along the path. Sometimes, the security appliance cannot forward a datagram because the packet is larger than the MTU that you set for the interface, but the "don't fragment" (DF) bit is set. The network software sends a message to the sending host, alerting it to the problem. The host has to fragment packets for the destination so that they fit the smallest packet size of all the links along the path.
The default MTU is 1500 bytes in a block for Ethernet interfaces (which is also the maximum). This value is sufficient for most applications, but you can pick a lower number if network conditions require it.
When using the Layer 2 Tunneling Protocol (L2TP), we recommend that you set the MTU size to 1380 to account for the L2TP header and IPSec header length.
Examples
This example shows how to specify the MTU for an interface:
hostname(config)# show running-config mtumtu outside 1500mtu inside 1500hostname(config)# mtu inside 8192hostname(config)# show running-config mtumtu outside 1500mtu inside 8192Related Commands
clear configure mtu
Clears the configured maximum transmission unit values on all interfaces.
show running-config mtu
Displays the current maximum transmission unit block size.
multicast-routing
To enable IP multicast routing on the security appliance, use the multicast routing command in global configuration mode. To disable IP multicast routing, use the no form of this command.
multicast-routing
no multicast-routing
Syntax Description
This command has no arguments or keywords.
Defaults
The multicast-routing command enables PIM and IGMP on all interfaces by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The multicast-routing command enables PIM and IGMP on all interfaces.
Note
If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as the RP address.The number of entries in the multicast routing tables are limited by the amount of RAM on the system. Table 6-1 lists the maximum number of entries for specific multicast tables based on the amount of RAM on the security appliance. Once these limits are reached, any new entries are discarded.
Table 6-2 Entry Limits for Multicast Tables
1000
3000
5000
1000
3000
5000
3000
7000
12000
Examples
The following example enables IP multicast routing on the security appliance:
hostname(config)# multicast-routingRelated Commands
name
To associate a name with an IP address, use the name command in global configuration mode. To disable the use of the text names but not remove them from the configuration, use the no form of this command.
name ip_address name
no name ip_address [name]
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable the association of a name with an IP address, use the names command. You can associate only one name with an IP address.
You must first use the names command before you use the name command. Use the name command immediately after you use the names command and before you use the write memory command.
The name command lets you identify a host by a text name and map text strings to IP addresses. The no name command allows you to disable the use of the text names but does not remove them from the configuration. Use the clear configure name command to clear the list of names from the configuration.
If you are using both ASDM and the command line to manage the security appliance, when you add a name command using the command line interface you should also add an asdm location command specifying the same IP address. If you do not, ASDM will not display the named object. For example, the following commands will cause the 10.1.1.0 network, named "finance", to appear in the Hosts/Networks list in ASDM:
hostname(config)# name finance 10.1.1.0hostname(config)# asdm location 10.1.1.0 255.255.255.0 insideTo disable displaying name values, use the no names command.
Both the name and names commands are saved in the configuration.
The name command does not support assigning a name to a network mask. For example, this command would be rejected:
hostname(config)# name 255.255.255.0 class-C-mask
Note
Examples
This example shows that the names command allows you to enable use of the name command. The name command substitutes sa_inside for references to 192.168.42.3 and sa_outside for 209.165.201.3. You can use these names with the ip address commands when assigning IP addresses to the network interfaces. The no names command disables the name command values from displaying. Subsequent use of the names command again restores the name command value display.
hostname(config)# nameshostname(config)# name 192.168.42.3 sa_insidehostname(config)# name 209.165.201.3 sa_outsidehostname(config-if)# ip address inside sa_inside 255.255.255.0hostname(config-if)# ip address outside sa_outside 255.255.255.224hostname(config)# show ip addressSystem IP Addresses:inside ip address sa_inside mask 255.255.255.0outside ip address sa_outside mask 255.255.255.224hostname(config)# no nameshostname(config)# show ip addressSystem IP Addresses:inside ip address 192.168.42.3 mask 255.255.255.0outside ip address 209.165.201.3 mask 255.255.255.224hostname(config)# nameshostname(config)# show ip addressSystem IP Addresses:inside ip address sa_inside mask 255.255.255.0outside ip address sa_outside mask 255.255.255.224Related Commands
nameif
To provide a name for an interface, use the nameif command in interface configuration mode. To remove the name, use the no form of this command. The interface name is used in all configuration commands on the security appliance instead of the interface type and ID (such as gigabitethernet0/1), and is therefore required before traffic can pass through the interface.
nameif name
no nameif
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
—
Command History
7.0
This command was changed from a global configuration command to an interface configuration mode command.
Usage Guidelines
For subinterfaces, you must assign a VLAN with the vlan command before you enter the nameif command.
You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.
Examples
The following example configures the names for two interfaces to be "inside" and "outside:"
hostname(config)# interface gigabitethernet0/1hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface gigabitethernet0/0hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address 10.1.2.1 255.255.255.0hostname(config-if)# no shutdownRelated Commands
names
To enable the association of a name with an IP address, use the names command in global configuration mode. You can associate only one name with an IP address. To disable displaying name values, use the no names command.
names
no names
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The names command is used to enable the association of a name with an IP address that you configured with the name command. The order in which you enter the name or names commands is irrelevant.
Examples
The following example shows how to enable the association of a name with an IP address:
hostname(config)# namesRelated Commands
name-separator
To specify a character as a delimiter between the e-mail and VPN username and password, use the name-separator command in the applicable e-mail proxy mode. To revert to the default, ":", use the no version of this command.
name-separator [symbol]
no name-separator
Syntax Description
symbol
(Optional) The character that separates the e-mail and VPN usernames and passwords. Choices are "@," (at) "|" (pipe), ":"(colon), "#" (hash), "," (comma), and ";" (semi-colon).
Defaults
The default is ":" (colon).
Command Modes
The following table shows the modes in which you can enter the command:
Pop3s
•
—
•
—
—
Imap4s
•
—
•
—
—
Smtps
•
—
•
—
—
Command History
Usage Guidelines
The name separator must be different from the server separator.
Examples
The following example shows how to set a hash (#) as the name separator for POP3S:
hostname(config)# pop3shostname(config-pop3s)# name-separator #Related Commands
nat
To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.
For regular dynamic NAT:
nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]]] [udp udp_max_conns]
no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]]] [udp udp_max_conns]
For policy dynamic NAT and NAT exemption:
nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]]] [udp udp_max_conns]
no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit] [norandomseq]]] [udp udp_max_conns]
Syntax Description
Defaults
The default value for tcp_max_conns, emb_limit, and udp_max_conns is 0 (unlimited), which is the maximum available.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given interface that you want to translate. Then you configure a separate global command to specify the mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat command matches a global command by comparing the NAT ID, a number that you assign to each command.
The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues. The exception is when you enable NAT control using the nat-control command. NAT control requires that packets traversing from a higher security interface (inside) to a lower security interface (outside) match a NAT rule, or else processing for the packet stops. NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired.
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool can include fewer addresses than the real group. When a host you want to translate accesses the destination network, the security appliance assigns it an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out (see the timeout xlate command). Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (or PAT, even if the connection is allowed by an access list), and the security appliance rejects any attempt to connect to a real host address directly. See the static command for reliable access to hosts.
Dynamic NAT has these disadvantages:
•
Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a single address.
•
The advantage of dynamic NAT is that some protocols cannot use PAT. For example, PAT does not work with IP protocols that do not have a port to overload, such as GRE version 0. PAT also does not work with some applications that have a data stream on one port and the control path on another and are not open standard, such as some multimedia applications.
PAT translates multiple real addresses to a single mapped IP address. Specifically, the security appliance translates the real address and source port (real socket) to the mapped address and a unique port above 1024 (mapped socket). Each connection requires a separate translation, because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable.
PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the security appliance interface IP address as the PAT address. PAT does not work with some multimedia applications that have a data stream that is different from the control path.
Note
If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively, you can disable NAT control). You might want to bypass NAT, for example, if you are using an application that does not support NAT. You can use the static command to bypass NAT, or one of the following options:
•
For identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface access list allows it). Use static identity NAT or NAT exemption for this functionality.
•
Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses in an extended access list. You can also optionally specify the source and destination ports. Regular NAT can only consider the real addresses. For example, you can translate the real address to mapped address A when it accesses server A, but translate the real address to mapped address B when it accesses server B.
When you specify the ports in policy NAT for applications that require application inspection for secondary channels (FTP, VoIP, etc.), the security appliance automatically translates the secondary ports.
Note
You can alternatively configure maximum connections, maximum embryonic connections, and TCP sequence randomization using the set connection commands. If you configure these settings for the same traffic using both methods, then the security appliance uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the security appliance disables TCP sequence randomization.
If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using clear xlate command. However, clearing the translation table disconnects all of the current connections.
Examples
For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following command:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0hostname(config)# global (outside) 1 209.165.201.5hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20To translate the lower security dmz network addresses so they appear to be on the same network as the inside network (10.1.1.0), for example, to simplify routing, enter the following commands:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dnshostname(config)# global (inside) 1 10.1.1.45To identify a single real address with two different destination addresses using policy NAT, enter the following commands:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000hostname(config)# global (outside) 1 209.165.202.129hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000hostname(config)# global (outside) 2 209.165.202.130To identify a single real address/destination address pair that use different ports using policy NAT, enter the following commands:
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23hostname(config)# nat (inside) 1 access-list WEBhostname(config)# global (outside) 1 209.165.202.129hostname(config)# nat (inside) 2 access-list TELNEThostname(config)# global (outside) 2 209.165.202.130Related Commands
nat (vpn load-balancing)
To set the IP address to which NAT translates the IP address of this device, use the nat command in VPN load-balancing mode. To disable this NAT translation, use the no form of this command.
nat ip-address
no nat [ip-adddress]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
VPN load-balancing
•
—
•
—
—
Command History
Usage Guidelines
You must first use the vpn load-balancing command to enter VPN load-balancing mode.
In the no nat form of the command, if you specify the optional ip-address value, the IP address must match the existing NAT IP address in the running configuration.
Examples
The following is an example of a VPN load-balancing command sequence that includes a nat command that sets the NAT-translated address to 192.168.10.10:
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# nat 192.168.10.10hostname(config-load-balancing)# priority 9hostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# cluster port 9023hostname(config-load-balancing)# participateRelated Commandshostname(config-load-balancing)# participate
nat-control
To enforce NAT control, use the nat-control command in global configuration mode. To disable NAT control, which allows inside hosts to communicate with outside networks without configuring a NAT rule, use the no form of this command.
nat-control
no nat-control
Syntax Description
This command has no arguments or keywords.
Defaults
NAT control is disabled by default (no nat-control command).
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
If nat-control is enabled, you must configure a NAT rule before an inside host can communicate with any outside networks. The no nat-control command allows inside hosts to communicate with outside networks without configuring a NAT rule. Only hosts that undergo NAT need to have a NAT rule configured.
The difference between the no nat-control command and the nat 0 (identity NAT) command is that identity NAT requires that traffic be initiated from the local host. The no nat-control command does not have this requirement, nor does it require a static command to allow communication to inside hosts.
Disabling NAT control is similar to the same security level communication feature, which allows communication between two interfaces of the same security level without configuring a NAT rule, except that the NAT control feature is between hosts instead of interfaces.
No new NAT functionality is provided with this feature. All existing NAT functionality remains the same.
Note
If you want the added security of NAT control but do not want to translate inside addresses in some cases, you can apply a NAT exemption (nat 0 access-list) or identity NAT (nat 0 or static) rule on those addresses.
When NAT control is disabled with the no-nat control command, and a NAT and a global command pair are configured for an interface, the real IP addresses cannot go out on other interfaces unless you define those destinations with the nat 0 access-list command.
For example, the following NAT is the that one you want performed when going to the outside network:
nat (inside) 1 0.0.0.0 0.0.0.0global (ouside) 1 209.165.201.2The above configuration catches everything on the inside network, so if you do not want to translate inside addresses when they go to the DMZ, then you need to match that traffic for NAT exemption, as shown in the following example:
access-list EXEMPT extended permit ip any 192.168.1.0 255.255.255.0access-list EXEMPT remark This matches any traffic going to DMZ1access-list EXEMPT extended permit ip any 10.1.1.0 255.255.255.0access-list EXEMPT remark This matches any traffic going to DMZ1nat (inside) 0 access-list EXEMPTAlternately, you can perform NAT translation on all interfaces:
nat (inside) 1 0.0.0.0 0.0.0.0gloval (outside) 1 209.165.201.2global (dmz1) 1 192.168.1.230global (dmz2) 1 10.1.1.230The following table compares the results between nat-control and no nat-control:
