Cisco Security Appliance Command Reference, Version 7.1
tcp-map through tx-ring-limit Commands
Download this chapter
tcp-map through tx-ring-limit Commandstcp-map through tx-ring-limit Commands
Download the complete book
Cisco Security Appliance Command Reference Book, Version 7.1 --Whole Book PDFCisco Security Appliance Command Reference Book, Version 7.1 --Whole Book PDF (PDF - 16 MB)
give_us_feedback

Table Of Contents

tcp-map through tx-ring-limit Commands

tcp-map

tcp-options

telnet

terminal

terminal pager

terminal width

test aaa-server

test sso-server

text-color

tftp-server

timeout

timeout (aaa-server host)

timeout (gtp-map)

timeout (dns-server-group configuration mode)

timers lsa-group-pacing

timers spf

title

transfer-encoding

trust-point

ttl-evasion-protection

tunnel-group

tunnel-group general-attributes

tunnel-group ipsec-attributes

tunnel-group webvpn-attributes

tunnel-group-map default-group

tunnel-group-map enable

tunnel-limit

tx-ring-limit


tcp-map through tx-ring-limit Commands

tcp-map

To define a set of TCP normalization actions, use the tcp-map command in global configuration mode. The TCP normalization feature lets you specify criteria that identify abnormal packets, which the security appliance drops when they are detected. To remove the TCP map, use the no form of this command.

tcp-map map_name

no tcp-map map_name

Syntax Description

map_name

Specifies the TCP map name.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

This feature uses Modular Policy Framework. First define the TCP normalization actions you want to take using the tcp-map command. The tcp-map command enters tcp-map configuration mode, where you can enter one or more commands to define the TCP normalization actions. Then define the traffic to which you want to apply the TCP map using the class-map command. Enter the policy-map command to define the policy, and enter the class command to reference the class map. In class configuration mode, enter the set connection advanced-options command to reference the TCP map. Finally, apply the policy map to an interface using the service-policy command. For more information about how Modular Policy Framework works, see the Cisco Security Appliance Command Line Configuration Guide.

The following commands are available in tcp-map configuration mode:

check-retransmission

Enables and disables the retransmit data checks.

checksum-verification

Enables and disable checksum verification.

exceed-mss

Allows or drops packets that exceed MSS set by peer.

queue-limit

Configures the maximum number of out-of-order packets that can be queued for a TCP connection. This command is only available on the ASA 5500 series adaptive security appliance. On the PIX 500 series security appliance, the queue limit is 3 and cannot be changed.

reserved-bits

Sets the reserved flags policy in the security appliance.

syn-data

Allows or drops SYN packets with data.

tcp-options

Allows or clears the selective-ack, timestamps, or window-scale TCP options.

ttl-evasion-protection

Enables or disables the TTL evasion protection offered by the security appliance.

urgent-flag

Allows or clears the URG pointer through the security appliance.

window-variation

Drops a connection that has changed its window size unexpectedly.


Examples

For example, to allow urgent flag and urgent offset packets for all traffic sent to the range of TCP ports between the well known FTP data port and the Telnet port, enter the following commands: 

hostname(config)# tcp-map tmap

hostname(config-tcp-map)# urgent-flag allow


hostname(config-tcp-map)# class-map urg-class

hostname(config-cmap)# match port tcp range ftp-data telnet


hostname(config-cmap)# policy-map pmap

hostname(config-pmap)# class urg-class

hostname(config-pmap-c)# set connection advanced-options tmap


hostname(config-pmap-c)# service-policy pmap global

Related Commands

Command
Description

class (policy-map)

Specifies a class map to use for traffic classification.

clear configure tcp-map

Clears the TCP map configuration.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

show running-config tcp-map

Displays the information about the TCP map configuration.

tcp-options

Allows or clears the selective-ack, timestamps, or window-scale TCP options.


tcp-options

To allow or clear the TCP options through the security appliance, use the tcp-options command in tcp-map configuration mode. To remove this specification, use the no form of this command.

tcp-options {selective-ack | timestamp | window-scale} {allow | clear}

no tcp-options {selective-ack | timestamp | window-scale} {allow | clear}

tcp-options range lower upper {allow | clear | drop}

no tcp-options range lower upper {allow | clear | drop}

Syntax Description

allow

Allows the TCP options through the TCP normalizer.

clear

Clears the TCP options through the TCP normalizer and allows the packet.

drop

Drops the packet.

lower

Lower bound ranges (6-7) and (9-255).

selective-ack

Sets the selective acknowledgement mechanism (SACK) option. The default is to allow the SACK option.

timestamp

Sets the timestamp option. Clearing the timestamp option will disable PAWS and RTT. The default is to allow the timestamp option.

upper

Upper bound range (6-7) and (9-255).

window-scale

Sets the window scale mechanism option. The default is to allow the window scale mechanism option.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tcp-map configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. Use the tcp-options command in tcp-map configuration mode to clear selective-acknowledgement, window-scale, and timestamp TCP options. You can also clear or drop packets with options that are not very well defined.

Examples

The following example shows how to drop all packets with TCP options in the ranges of 6-7 and 9-255: 

hostname(config)# access-list TCP extended permit tcp any any

hostname(config)# tcp-map tmap

hostname(config-tcp-map)# tcp-options range 6 7 drop

hostname(config-tcp-map)# tcp-options range 9 255 drop

hostname(config)# class-map cmap

hostname(config-cmap)# match access-list TCP

hostname(config)# policy-map pmap

hostname(config-pmap)# class cmap

hostname(config-pmap)# set connection advanced-options tmap

hostname(config)# service-policy pmap global

hostname(config)#

Related Commands

Command
Description

class

Specifies a class map to use for traffic classification.

policy-map

Configures a policy; that is, an association of a traffic class and one or more actions.

set connection

Configures connection values.

tcp-map

Creates a TCP map and allows access to tcp-map configuration mode.


telnet

To add Telnet access to the console and set the idle timeout, use the telnet command in global configuration mode. To remove Telnet access from a previously set IP address, use the no form of
this command.

telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}

no telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}

Syntax Description

hostname

Specifies the name of a host that can access the Telnet console of the security appliance.

interface_name

Specifies the name of the network interface to Telnet to.

IP_address

Specifies the IP address of a host or network authorized to log in to the security appliance.

IPv6_address

Specifies the IPv6 address/prefix authorized to log in to the security appliance.

mask

Specifies the netmask associated with the IP address.

timeout number

Number of minutes that a Telnet session can be idle before being closed by the security appliance; valid values are from 1 to 1440 minutes.


Defaults

By default, Telnet sessions left idle for five minutes are closed by the security appliance.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

The variable IPv6_address was added. The no telnet timeout command was added too.


Usage Guidelines

The telnet command lets you specify which hosts can access the security appliance console with Telnet. You can enable Telnet to the security appliance on all interfaces. However, the security appliance enforces that all Telnet traffic to the outside interface be protected by IPSec. To enable a Telnet session to the outside interface, configure IPSec on the outside interface to include IP traffic that is generated by the security appliance and enable Telnet on the outside interface.

Use the no telnet command to remove Telnet access from a previously set IP address. Use the telnet timeout command to set the maximum time that a console Telnet session can be idle before being logged off by the security appliance. You cannot use the no telnet command with the telnet timeout command.

If you enter an IP address, you must also enter a netmask. There is no default netmask. Do not use the subnetwork mask of the internal network. The netmask is only a bit mask for the IP address. To limit access to a single IP address, use 255 in each octet; for example, 255.255.255.255.

If IPSec is operating, you can specify an unsecure interface name, which is typically, the outside interface. At a minimum, you might configure the crypto map command to specify an interface name with the telnet command.

Use the passwd command to set a password for Telnet access to the console. The default is cisco. Use the who command to view which IP addresses are currently accessing the security appliance console. Use the kill command to terminate an active Telnet console session.

If you use the aaa command with the console keyword, Telnet console access must be authenticated with an authentication server.

Note If you have configured the aaa command to require authentication for security appliance Telnet console access and the console login request times out, you can gain access to the security appliance from the serial console by entering the security appliance username and the password that was set with the enable password command.

Examples

This example shows how to permit hosts 192.168.1.3 and 192.168.1.4 to access the security appliance console through Telnet. In addition, all the hosts on the 192.168.2.0 network are given access. 

hostname(config)# telnet 192.168.1.3 255.255.255.255 inside

hostname(config)# telnet 192.168.1.4 255.255.255.255 inside

hostname(config)# telnet 192.168.2.0 255.255.255.0 inside

hostname(config)# show running-config telnet

192.168.1.3 255.255.255.255 inside

192.168.1.4 255.255.255.255 inside

192.168.2.0 255.255.255.0 inside

This example shows how to change the maximum session idle duration: 

hostname(config)# telnet timeout 10

hostname(config)# show running-config telnet timeout

telnet timeout 10 minutes

This example shows a Telnet console login session (the password does not display when entered): 

hostname# passwd: cisco


Welcome to the XXX

...

Type help or `?' for a list of available commands.

hostname>

You can remove individual entries with the no telnet command or all telnet command statements with the clear configure telnet command: 
hostname(config)# no telnet 192.168.1.3 255.255.255.255 inside

hostname(config)# show running-config telnet

192.168.1.4 255.255.255.255 inside

192.168.2.0 255.255.255.0 inside

hostname(config)# clear configure telnet

Related Commandsshow telnet

Command
Description

clear configure telnet

Removes a Telnet connection from the configuration.

kill

Terminates a Telnet session.

show running-config telnet

Displays the current list of IP addresses that are authorized to use Telnet connections to the security appliance.

who

Displays active Telnet administration sessions on the security appliance.


terminal

To allow system log messages to show in the current Telnet session, use the terminal monitor command in privileged EXEC mode. To disable system log messages, use the terminal no monitor command.

terminal {monitor | no monitor}

Syntax Description

monitor

Enables the display of system log messages on the current Telnet session.

no monitor

Disables the display of system log messages on the current Telnet session.


Defaults

System log messages are disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

This example shows how to enable logging and then disable logging only in the current session: 

hostname# terminal monitor

hostname# terminal no monitor

Related Commands

Command
Description

clear configure terminal

Clears the terminal display width setting.

pager

Sets the number of lines to display in a Telnet session before the "---more---" prompt. This command is saved to the configuration.

show running-config terminal

Displays the current terminal settings.

terminal pager

Sets the number of lines to display in a Telnet session before the "---more---" prompt. This command is not saved to the configuration.

terminal width

Sets the terminal display width in global configuration mode.


terminal pager

To set the number of lines on a page before the "---more---" prompt appears for Telnet sessions, use the terminal pager command in privileged EXEC mode.

terminal pager [lines] lines

Syntax Description

[lines] lines

Sets the number of lines on a page before the "---more---" prompt appears. The default is 24 lines; 0 means no page limit. The range is 0 through 2147483647 lines. The lines keyword is optional and the command is the same with or without it.


Defaults

The default is 24 lines.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

This command changes the pager line setting only for the current Telnet session. To save a new default pager setting to the configuration, use the pager command.

If you Telnet to the admin context, then the pager line setting follows your session when you change to other contexts, even if the pager command in a given context has a different setting. To change the current pager setting, enter the terminal pager command with a new setting, or you can enter the pager command in the current context. In addition to saving a new pager setting to the context configuration, the pager command applies the new setting to the current Telnet session.

Examples

The following example changes the number of lines displayed to 20: 

hostname# terminal pager 20

Related Commands

Command
Description

clear configure terminal

Clears the terminal display width setting.

pager

Sets the number of lines to display in a Telnet session before the "---more---" prompt. This command is saved to the configuration.

show running-config terminal

Displays the current terminal settings.

terminal

Allows system log messsages to display on the Telnet session.

terminal width

Sets the terminal display width in global configuration mode.


terminal width

To set the width for displaying information during console sessions, use the terminal width command in global configuration mode. To disable, use the no form of this command.

terminal width columns

no terminal width columns

Syntax Description

columns

Specifies the terminal width in columns. The default is 80. The range is 40 to 511.


Defaults

The default display width is 80 columns.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Examples

This example shows how to terminal display width to 100 columns: 

hostname# terminal width 100

Related Commands

Command
Description

clear configure terminal

Clears the terminal display width setting.

show running-config terminal

Displays the current terminal settings.

terminal

Sets the terminal line parameters in privileged EXEC mode.


test aaa-server

Use the test aaa-server command to check whether the security appliance can authenticate or authorize users with a particular AAA server. Failure to reach the AAA server may be due to incorrect configuration on the security appliance, or the AAA server may be unreachable for other reasons, such as restrictive network configurations or server downtime.

test aaa-server {authentication | authorization} server-tag [host server-ip] [username username] [password password]

Syntax Description

authentication

Specifies that the security appliance should send a test authentication request.

authorization

Specifies that the security appliance should send a test authorization request.

host server-ip

Specifies The IP address of the AAA server.

password password

Specifies the password for the username given. The password argument is available only for authentication tests. Make sure the password is correct for the username entered; otherwise, the authentication test will fail.

server-tag

Specifies the symbolic name of the server group, as defined by the aaa-server protocol command.

username username

Specifies the username of the account used to test the AAA server settings. Make sure the username exists on the AAA server; otherwise, the test will fail.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(4)

This command was introduced.


Usage Guidelines

The test aaa-server command enables you to verify that the security appliance can authenticate and authorize users with a particular AAA server. Using this command simplifies verification of the configuration on the security appliance by removing the necessity of testing with a real supplicant. It also helps you isolate whether authentication and authorization failures are due to misconfiguration of AAA server parameters, a connection problem to the AAA server, or other configuration errors on the security appliance.

When you enter the command, you can omit the host and password keyword and argument pairs. The security appliance will prompt you for their values. If you are performing an authentication test, you can also omit the password keyword and argument pair and provide the password when the security appliance prompts you.

Examples

The following example configures a RADIUS AAA server named srvgrp1 on host 192.168.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures authentication port 1650. The test aaa-server command following the setup of the AAA server parameters indicates that the authentication test failed to reach the server. 

hostname(config)# aaa-server svrgrp1 protocol radius

hostname(config-aaa-server-group)# aaa-server svrgrp1 host 192.168.3.4

hostname(config-aaa-server-host)# timeout 9

hostname(config-aaa-server-host)# retry-interval 7

hostname(config-aaa-server-host)# authentication-port 1650

hostname(config-aaa-server-host)# exit

hostname(config)# test aaa-server authentication svrgrp1

Server IP Address or name: 192.168.3.4

Username: bogus

Password: ******

INFO: Attempting Authentication test to IP address <192.168.3.4> (timeout: 10 seconds)

ERROR: Authentication Server not responding: No error

Related Commands

Command
Description

aaa-server host

Specifies parameters for a specific AAA server.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


test sso-server

To test an SSO server with a trial authentication request, use the test sso-server command in privileged EXEC mode. This is an SSO with CA SiteMinder command.

test sso-server server-name username user-name

Syntax Description

Syntax DescriptionSyntax Description

server-name

Specifies the name of the SSO server being tested.

user-name

Specifies the name of a user on the SSO server being tested.


Defaults

No default values or behavior.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without reentering a username and password more than once. The test sso-server command tests whether an SSO server is recognized and responding to authentication requests.

If the SSO server specified by the server-name argument is not found, the following error appears:

ERROR: sso-server server-name does not exist

If the SSO server is found but the user specified by the user-name argument is not found, the authentication is rejected.

Examples

The following example, entered in privileged EXEC mode, successfully tests an SSO server named my-sso-server using a username of Anyuser: 

hostname# test sso-server my-sso-server username Anyuser

INFO: Attempting authentication request to sso-server my-sso-server for user Anyuser

INFO: STATUS: Success

hostname#

The following example shows a test of the same server, but the user Anyuser is not recognized and the authentication fails: 

hostname# test sso-server my-sso-server username Anyuser

INFO: Attempting authentication request to sso-server my-sso-server for user Anyuser

INFO: STATUS: Failed

hostname#

Related Commands

Command
Description

max-retry-attempts

Configures the number of times the security appliance retries a failed SSO authentication attempt.

policy-server-secret

Creates a secret key used to encrypt authentication requests to an SSO server.

request-timeout

Specifies the number of seconds before a failed SSO authentication attempt times out.

show webvpn sso-server

Displays the operating statistics for an SSO server.

sso-server

Creates a single sign-on server.

web-agent-url

Specifies the SSO server URL to which the security appliance makes SSO authentication requests.


text-color

To set a color for text in the WebVPN title bar on the login, home page, and file access page, use the text-color command in webvpn mode. To remove a text color from the configuration and reset the default, use the no form of this command.

text-color [black | white | auto]

no text-color

Syntax Description

auto

Chooses black or white based on the settings for the secondary-color command. That is, if the secondary color is black, this value is white.

black

The default text color for title bars is white.

white

You can change the color to black.


Defaults

The default text color for the title bars is white.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn


Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following example shows how to set the text color for title bars to black: 

hostname(config)# webvpn

hostname(config-webvpn)# text-color black

Related Commands

Command
Description

secondary-text-color

Sets the secondary text color for the WebVPN login, home page, and file access page.


tftp-server

To specify the default TFTP server and path and filename for use with configure net or write net commands, use the tftp-server command in global configuration mode. To remove the server configuration, use the no form of this command. This command supports IPv4 and IPv6 addresses.

tftp-server interface_name server filename

no tftp-server [interface_name server filename]

Syntax Description

interface_name

Specifies the gateway interface name. If you specify an interface other than the highest security interface, a warning message informs you that the interface is unsecure.

server

Sets the TFTP server IP address or name. You can enter an IPv4 or IPv6 address.

filename

Specifies the path and filename.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

The gateway interface is now required.


Usage Guidelines

The tftp-server command simplifies entering the configure net and write net commands. When you enter the configure net or write net commands, you can either inherit the TFTP server specified by the tftp-server command, or provide your own value. You can also inherit the path in the tftp-server command as is, add a path and filename to the end of the tftp-server command value, or override the tftp-server command value.

The security appliance supports only one tftp-server command.

Examples

This example shows how to specify a TFTP server and then read the configuration from the /temp/config/test_config directory: 

hostname(config)# tftp-server inside 10.1.1.42 /temp/config/test_config

hostname(config)# configure net

Related Commands

Command
Description

configure net

Loads the configuration from the TFTP server and path you specify.

show running-config tftp-server

Displays the default TFTP server address and the directory of the configuration file.


timeout

To set the maximum idle time duration, use the timeout command in global configuration mode.

timeout [xlate | conn | udp | icmp | rpc | h225 | h323 | mgcp | mgcp-pat | sip | sip_media | uauth hh:mm:ss]

Syntax Description

conn

(Optional) Specifies the idle time after which a connection closes; the minimum duration is five minutes.

hh:mm:ss

Specifies the timeout.

h225 hh:mm:ss

(Optional) Specifies the idle time after which an H.225 signaling connection closes.

h323

(Optional) Specifies the idle time after which H.245 (TCP) and H.323 (UDP) media connections close. The default is five minutes.

Note Because the same connection flag is set on both H.245 and H.323 media connections, the H.245 (TCP) connection shares the idle timeout with the H.323 (RTP and RTCP) media connection.

half-closed

(Optional) Specifies the idle time after which a TCP half-closed connection will be freed.

icmp

(Optional) Specifies the idle time for ICMP.

mgcp hh:mm:ss

(Optional) Sets the idle time after which an MGCP media connection is removed.

mgcp-pat hh:mm:ss

(Optional) Sets the absolute interval after which an MGCP PAT translation is removed.

rpc

(Optional) Specifies the idle time until an RPC slot is freed; the minimum duration is one minute.

sip

(Optional) Modifies the SIP timer.

sip_media

(Optional) Modifies the SIP media timer, which is used for SIP RTP/RTCP with SIP UDP media packets, instead of the UDP inactivity timeout.

sunrpc

(Optional) Specifies the idle time after which a SUNRPC slot will be closed.

uauth

(Optional) Sets the duration before the authentication and authorization cache times out and the user has to reauthenticate the next connection.

udp

(Optional) Specifies the idle time until a UDP slot is freed; the minimum duration is one minute.

xlate

(Optional) Specifies the idle time until a translation slot is freed; the minimum value is one minute.


Defaults

The defaults are as follows:

conn hh:mm:ss is 1 hour (01:00:00).

h225 hh:mm:ss is 1 hour (01:00:00).

h323 hh:mm:ss is 5 minutes (00:05:00).

half-closed hh:mm:ss is 10 minutes (00:10:00).

icmp hh:mm:ss is 2 minutes (00:00:02)

mgcp hh:mm:ss is 5 minutes (00:05:00).

mgcp-pat hh:mm:ss is 5 minutes (00:05:00).