-
Cisco Security Appliance Command Reference, Version 7.1
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting through accounting-server-group
-
acl-netmask-convert through auto-update timeout Commands
-
backup-servers through browse networks Commands
-
cache through clear compression Commands
-
clear configure through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
debug aaa through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
interface-dhcp through issuer-name Commands
-
join-failover-group through kill Commands
-
ldap-attribute-map through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
page style through pwd Commands
-
queue-limit through routerospf Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show debug through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show webvpn svc Commands
-
shun through sysopt uauth allow-http-cache Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Table Of Contents
mac address through multicast-routing Commands
match default-inspection-traffic
match flow ip destination-address
memory delayed-free-poisoner enable
memory delayed-free-poisoner validate
mac address through multicast-routing Commands
mac address
To specify the virtual MAC addresses for the active and standby units, use the mac address command in failover group configuration mode. To restore the default virtual MAC addresses, use the no form of this command.
mac address phy_if [active_mac] [standby_mac]
no mac address phy_if [active_mac] [standby_mac]
Syntax Description
Defaults
The defaults are as follows:
•
Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01.
•
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
If the virtual MAC addresses are not defined for the failover group, the default values are used.
If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address.
Examples
The following partial example shows a possible configuration for a failover group:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)# failover group 2hostname(config-fover-group)# secondaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# mac address e1 0000.a000.a011 0000.a000.a012hostname(config-fover-group)# exithostname(config)#Related Commands
failover group
Defines a failover group for Active/Active failover.
failover mac address
Specifies a virtual MAC address for a physical interface.
mac-address-table aging-time
To set the timeout for MAC address table entries, use the mac-address-table aging-time command in global configuration mode. To restore the default value of 5 minutes, use the no form of this command.
mac-address-table aging-time timeout_value
no mac-address-table aging-time
Syntax Description
timeout_value
The time a MAC address entry stays in the MAC address table before timing out, between 5 and 720 minutes (12 hours). 5 minutes is the default.
Defaults
The default timeout is 5 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Usage Guidelines
No usage guidelines.
Examples
The following example sets the MAC address timeout to 10 minutes:
hostname(config)# mac-address-timeout aging time 10Related Commands
mac-address-table static
To add a static entry to the MAC address table, use the mac-address-table static command in global configuration mode. To remove a static entry, use the no form of this command. Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired. One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the security appliance drops the traffic and generates a system message.
mac-address-table static interface_name mac_address
no mac-address-table static interface_name mac_address
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Examples
The following example adds a static MAC address entry to the MAC address table:
hostname(config)# mac-address-table static inside 0010.7cbe.6101Related Commands
mac-learn
To disable MAC address learning for an interface, use the mac-learn command in global configuration mode. To reenable MAC address learning, use the no form of this command. By default, each interface automatically learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired.
mac-learn interface_name disable
no mac-learn interface_name disable
Syntax Description
interface_name
The interface on which you want to disable MAC learning.
disable
Disables MAC learning.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Examples
The following example disables MAC learning on the outside interface:
hostname(config)# mac-learn outside disableRelated Commands
mac-list
To specify a list of MAC addresses to be used for MAC-based authentication, use the mac-list command in global configuration mode. To disable the use of a list of MAC addresses, use the no form of this command. The mac-list command adds a list of MAC addresses using a first-match search.
mac-list id deny | permit mac macmask
no mac-list id deny | permit mac macmask
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
To group a set of MAC addresses, enter the mac-list command as many times as needed with the same id value. Configure the MAC access list number using the mac-list command before using the aaa mac-exempt command.
Only AAA exemption is provided. Authorization is automatically exempted for MAC addresses for which authentication is exempted. Other types of AAA with mac-list are not supported.
Examples
The following example shows how to configure a MAC address list:
hostname(config)# mac-list adc permit 00a0.cp5d.0282 ffff.ffff.ffffhostname(config)# mac-list adc deny 00a1.cp5d.0282 ffff.ffff.ffffhostname(config)# mac-list ac permit 0050.54ff.0000 ffff.ffff.0000hostname(config)# mac-list ac deny 0061.54ff.b440 ffff.ffff.ffffhostname(config)# mac-list ac deny 0072.54ff.b440 ffff.ffff.ffffRelated Commands
management-access
To enable access to an internal management interface of the security appliance, use the management-access command in global configuration mode. To disable, use the no form of this command.
management-access mgmt_if
no management-access mgmt_if
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
Command History
Usage Guidelines
The management-access command lets you define an internal management interface using the IP address of the firewall interface specified in mgmt_if. (The interface names are defined by the nameif command and displayed in quotes, " ", in the output of the show interface command.)
The management-access command is supported for the following through an IPSec VPN tunnel only, and you can define only one management interface globally:
•
•
•
•
•
•
•
•
Examples
The following example shows how to configure a firewall interface named "inside" as the management access interface:
hostname(config)# management-access insidehostname(config)# show management-accessmanagement-access insideRelated Commands
management-only
To set an interface to accept management traffic only, use the management-only command in interface configuration mode. To allow through traffic, use the no form of this command.
management-only
no management-only
Syntax Description
This command has no arguments or keywords.
Defaults
The Management 0/0 interface on the ASA 5500 series adaptive security appliance is set to management-only mode by default.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The ASA adaptive security appliance includes a dedicated management interface called Management 0/0, which is meant to support traffic to the security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.
Note
Examples
The following example disables management-only mode on the management interface:
hostname(config)# interface management0/0hostname(config-if)# no management-onlyThe following example enables management-only mode on a subinterface:
hostname(config)# interface gigabitethernet0/2.1hostname(config-subif)# management-onlyRelated Commands
map-name
To map a user-defined attribute name to a Cisco attribute name, use the map-name command in ldap-attribute-map configuration mode.
To remove this mapping, use the no form of this command.
map-name user-attribute-name Cisco-attribute-name
no map-name user-attribute-name Cisco-attribute-name
Syntax Description
Syntax DescriptionSyntax Description
Defaults
By default, no name mappings exist.
Command Modes
The following table shows the modes in which you can enter the command:
ldap-attribute-map configuration
•
•
•
•
—
Command History
Usage Guidelines
With the map-name command, you can create map yourown attribute names to Cisco attribute names. You can then bind the resulting attribute map to an LDAP server. Your typical steps would include:
1.
2.
3.
Note
Examples
The following example commands map a user-defined attribute name Hours to the Cisco attribute name cVPN3000-Access-Hours in the LDAP attribute map myldapmap:
hostname(config)# ldap attribute-map myldapmaphostname(config-ldap-attribute-map)# map-name Hours cVPN3000-Access-Hourshostname(config-ldap-attribute-map)#Within ldap-attribute-map mode, you can enter "?" to display the complete list of Cisco LDAP attribute names, as shown in the following example:
hostname(config-ldap-attribute-map)# map-name ?ldap mode commands/options:cisco-attribute-names:cVPN3000-Access-HourscVPN3000-Allow-Network-Extension-ModecVPN3000-Auth-Service-TypecVPN3000-Authenticated-User-Idle-TimeoutcVPN3000-Authorization-RequiredcVPN3000-Authorization-Type::cVPN3000-X509-Cert-Datahostname(config-ldap-attribute-map)#Related Commands
map-value
To map a user-defined value to a Cisco LDAP attribute, use the map-value command in ldap-attribute-map mode.
To delete an entry within a map, use the no form of this command.
map-value user-attribute-name user-value-string Cisco-value-string
no map-value user-attribute-name user-value-string Cisco-value-string
Syntax Description
Defaults
By default, there are no user-defined values mapped to Cisco attributes.
Command Modes
The following table shows the modes in which you can enter the command:
ldap-attribute-map configuration
•
•
•
•
—
Command History
Usage Guidelines
With the map-value command, you can map your own attribute values to Cisco attribute names and values. You can tthen bind the resulting attribute map to an LDAP server. Your typical steps would include:
1.
2.
3.
Note
Examples
The following example, entered in ldap-attribute-map mode, sets the user-defined value of the user attribute Hours to a user-defined time policy named workDay and a Cisco-defined time policy named Daytime:
hostname(config)# ldap attribute-map myldapmaphostname(config-ldap-attribute-map)# map-value Hours workDay Daytimehostname(config-ldap-attribute-map)#Related Commands
mask-syst-reply
To hide the FTP server response from clients, use the mask-syst-reply command in FTP map configuration mode, which is accessible by using the ftp-map command. To remove the configuration, use the no form of this command.
mask-syst-reply
no mask-syst-reply
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
FTP map configuration
•
•
•
•
—
Command History
Usage Guidelines
Use the mask-syst-reply command with strict FTP inspection to protect the FTP server system from clients. After enabling this command, the servers replies to the syst command are replaced by a series of Xs.
Examples
The following example causes the security appliance to replace the FTP server replies to the syst command with Xs:
hostname(config)# ftp-map inbound_ftphostname(config-ftp-map)# mask-syst-replyhostname(config-ftp-map)#
match access-list
To identify traffic using an access list in a class map, use the match access-list command in class-map configuration mode. To remove the access list, use the no form of this command.
match access-list {acl-id...}
no match access-list {acl-id...}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
You can specify one or more access lists to identify specific types of traffic using the match access-list command. The permit statement in an access control entry causes the traffic to be included, while a deny statement causes the traffic to be excluded from the traffic class map.
Examples
The following example shows how to define a traffic class using a class map and the match access-list command:
hostname(config)# access-list ftp_acl extended permit tcp any any eq 21hostname(config)# class-map ftp_porthostname(config-cmap)# match access-list ftp_aclhostname(config-cmap)#Related Commands
match any
To include all traffic in a class map, use the match any command in class-map configuration mode. To remove this specification, use the no form of this command.
match any
no match any
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
All packets will be matched using the match any command (as in the default class map, class-default).
Examples
This example shows how to define a traffic class using a class map and the match any command:
hostname(config)# class-map cmaphostname(config-cmap)# match anyhostname(config-cmap)#Related Commands
match default-inspection-traffic
To specify default traffic for the inspect commands in a class map, use the match default-inspection-traffic command in class-map configuration mode. To remove this specification, use the no form of this command.
match default-inspection-traffic
no match default-inspection-traffic
Syntax Description
This command has no arguments or keywords.
Defaults
See the Usage Guidelines section for the default traffic of each inspection.
Command Modes
The following table shows the modes in which you can enter the command:
Class-map configuration
•
•
•
•
—
Command History
Usage Guidelines
The match commands are used to identify the traffic included in the traffic class for a class map. They include different criteria to define the traffic included in a class-map. Define a traffic class using the class-map global configuration command as part of configuring a security feature using Modular Policy Framework. From class-map configuration mode, you can define the traffic to include in the class using the match command.
After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.
Using the match default-inspection-traffic command, you can match default traffic for the individual inspect commands. The match default-inspection-traffic command can be used in conjunction with one other match command, which is typically an access-list in the form of permit ip src-ip dst-ip.
The rule for combining a second match command with the match default-inspection-traffic command is to specify the protocol and port information using the match default-inspection-traffic command and specify all other information (such as IP addresses) using the second match command. Any protocol or port information specified in the second match command is ignored with respect to the inspect commands.
For instance, port 65535 specified in the example below is ignored:
hostname(config)# class-map cmap
