-
Cisco Security Appliance Command Reference, Version 7.2
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting command through accounting-server-group Commands
-
acl-netmask-convert through auto-update timeout Commands
-
backup interface through browse networks Commands
-
cache through clear compression Commands
-
clear conn through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
ddns through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
intercept-dhcp through issuer-name Commands
-
java-trustpoint through kill Commands
-
l2tp tunnel hello through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
packet-tracer through pwd Commands
-
queue-limit through router rip Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show ddns through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show xlate Commands
-
shun through sysopt radius ignore-secret Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Table Of Contents
client-access-rule through crl configure Commands
client-access-rule through crl configure Commands
client-access-rule
To configure rules that limit the remote access client types and versions that can connect via IPSec through the security appliance, use the client-access-rule command in group-policy configuration mode. To delete a rule, use the no form of this command.
To delete all rules, use the no client-access-rule command with only the priority argument. This deletes all configured rules, including a null rule created by issuing the client-access-rule none command.
When there are no client access rules, users inherit any rules that exist in the default group policy. To prevent users from inheriting client access rules, use the client-access-rule none command. The result of doing so is that all client types and versions can connect.
client-access-rule priority {permit | deny} type type version version | none
no client-access-rule priority [{permit | deny} type type version version]
Syntax Description
Defaults
By default, there are no access rules.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
Construct rules according to these caveats:
•
•
•
•
•
•
•
Examples
The following example shows how to create client access rules for the group policy named FirstGroup. These rules permit VPN Clients running software version 4.1, while denying all VPN 3002 hardware clients:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# client-access-rule 1 d t VPN3002 v *hostname(config-group-policy)# client-access-rule 2 p * v 4.1client-firewall
To set personal firewall policies that the security appliance pushes to the VPN client during IKE tunnel negotiation, use the client-firewall command in group-policy configuration mode. To delete a firewall policy, use the no form of this command.
To delete all firewall policies, use the no client-firewall command without arguments. This deletes all configured firewall policies, including a null policy created by issuing the client-firewall none command.
When there are no firewall policies, users inherit any that exist in the default or other group policy. To prevent users from inheriting such firewall policies, use the client-firewall none command.
client-firewall none
client-firewall {opt | req} custom vendor-id num product-id num policy {AYT | CPP acl-in acl acl-out acl} [description string]
client-firewall {opt | req} zonelabs-integrity
Note
client-firewall {opt | req} zonelabs-zonealarm policy {AYT | CPP acl-in acl acl-out acl }
client-firewall {opt | req} zonelabs-zonealarmorpro policy {AYT | CPP acl-in acl acl-out acl }
client-firewall {opt | req} zonelabs-zonealarmpro policy {AYT | CPP acl-in acl acl-out acl }
client-firewall {opt | req} cisco-integrated acl-in acl acl-out acl}
client-firewall {opt | req} sygate-personal
client-firewall {opt | req} sygate-personal-pro
client-firewall {opt | req} sygate-personal-agent
client-firewall {opt | req} networkice-blackice
client-firewall {opt | req} cisco-security-agent
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
7.2(1)
The zonelabs-integrity firewall type was added.
Usage Guidelines
Only one instance of this command can be configured.
Examples
The following example shows how to set a client firewall policy that requires Cisco Intrusion Prevention Security Agent for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# client-firewall req cisco-security-agentclient-update
To issue a client-update for all active remote VPN software and hardware clients and security appliances configured as Auto Update clients, on all tunnel-groups or for a particular tunnel group, use the client-update command in privileged EXEC mode.
To configure and change client-update parameters at the global level, including VPN software and hardware clients and security appliances configured as Auto Update clients, use the client-update command in global configuration mode.
To configure and change client-update tunnel-group IPSec-attributes parameters for VPN software and hardware clients, use the client-update command in tunnel-group ipsec-attributes configuration mode.
If the client is already running a software version on the list of revision numbers, it does not need to update its software. If the client is not running a software version on the list, it should update.
To disable a client update, use the no form of this command.
Global configuration mode command:
client-update {enable | component {asdm | image} | device-id dev_string |
family family_name | type type} url url-string rev-nums rev-nums}no client-update {enable | component {asdm | image} | device-id dev_string |
family family_name | type type} url url-string rev-nums rev-nums}Tunnel-group ipsec-attributes mode command:
client-update type type url url-string rev-nums rev-nums
no client-update type type url url-string rev-nums rev-nums
Privileged EXEC mode command:
client-update {all | tunnel-group}
no client-update tunnel-group
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command History
Usage Guidelines
In tunnel-group ipsec-attributes configuration mode, you can apply this attribute only to the IPSec remote-access tunnel-group type.
The client-update command lets you enable the update; specify the types and revision numbers of clients to which the update applies; provide a URL or IP address from which to get the update; and, in the case of Windows clients, optionally notify users that they should update their VPN client version. For Windows clients, you can provide a mechanism for users to accomplish that update. For VPN 3002 Hardware Client users, the update occurs automatically, with no notification. When the client type is another security appliance, this security appliance acts as an Auto Update server.
To configure the client-update mechanism, do the following steps:
Step 1
hostname(config)# client-update enablehostname(config)#Step 2
hostname(config)# client-update type windows url https://support/updates/ rev-nums 4.6.1hostname(config)#See the Examples section for an illustration of configuring a tunnel group for a VPN 3002 hardware client.
Note
Alternatively, for Windows clients and VPN3002 Hardware Clients, you can configure client update just for individual tunnel-groups, rather than for all clients of a particular type. (See Step 3.)
Note
Step 3
hostname(config)# tunnel-group remotegrp type ipsec-rahostname(config)# tunnel-group remotegrp ipsec-attributeshostname(config-tunnel-ipsec)# client-update type windows url https://support/updates/ rev-nums 4.6.1hostname(config-tunnel-ipsec)#See the Examples section for an illustration of configuring a tunnel group for a VPN 3002 hardware client. VPN 3002 clients update without user intervention, and users receive no notification message.
Step 4
hostname# client-update allhostname#If the user's client revision number matches one of the specified revision numbers, there is no need to update the client, and users receive no notification message. VPN 3002 clients update without user intervention and users receive no notification message.
Note
Examples
The following example, entered in global configuration mode, enables client update for all active remote clients on all tunnel groups:
hostname(config)# client-update enablehostname#The following example applies only to Windows (win9x, winnt, or windows). Entered in global configuration mode, it configures client update parameters for all Windows-based clients. It designates the revision number, 4.7 and the URL for retrieving the update, which is https://support/updates.
hostname(config)# client-update type windows url https://support/updates/ rev-nums 4.7hostname(config)#The following example applies only to VPN 3002 Hardware Clients. Entered in tunnel-group ipsec-attributes configuration mode, it configures client update parameters for the IPSec remote-access tunnel-group "salesgrp". It designates the revision number, 4.7 and uses the TFTP protocol for retrieving the updated software from the site with the IP address 192.168.1.1:
hostname(config)# tunnel-group salesgrp type ipsec-rahostname(config)# tunnel-group salesgrp ipsec-attributeshostname(config-tunnel-ipsec)# client-update type vpn3002 url tftp:192.168.1.1 rev-nums 4.7hostname(config-tunnel-ipsec)#The following example shows how to issue a client update for clients that are Cisco 5520 Adaptive Security Appliances configured as Auto Update clients:
hostname(config)# client-update type asa5520 component asdm url http://192.168.1.114/aus/asdm501.bin rev-nums 7.2(1)The following example, entered in privileged EXEC mode, sends a client-update notification to all connected remote clients in the tunnel group named "remotegrp" that need to update their client software. Clients in other groups do not get an update notification:
hostname# client-update remotegrphostname#Related Commands
clock set
To manually set the clock on the security appliance, use the clock set command in privileged EXEC mode.
clock set hh:mm:ss {month day | day month} year
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
—
•
Command History
Usage Guidelines
If you have not entered any clock configuration commands, the default time zone for the clock set command is UTC. If you change the time zone after you enter the clock set command using the clock timezone command, the time automatically adjusts to the new time zone. However, if you enter the clock set command after you establish the time zone with the clock timezone command, then enter the time appropriate for the new time zone and not for UTC. Similarly, if you enter the clock summer-time command after the clock set command, the time adjusts for daylight saving. If you enter the clock set command after the clock summer-time command, enter the correct time for daylight saving.
This command sets the time in the hardware chip, and does not save the time in the configuration file. This time endures reboots. Unlike the other clock commands, this command is a privileged EXEC command. To reset the clock, you need to set a new time for the clock set command.
Examples
The following example sets the time zone to MST, the daylight saving time to the default period in the U.S., and the current time for MDT to 1:15 p.m. on July 27, 2004:
hostname(config)# clock timezone MST -7hostname(config)# clock summer-time MDT recurringhostname(config)# exithostname# clock set 13:15:0 jul 27 2004hostname# show clock13:15:00.652 MDT Tue Jul 27 2004The following example sets the clock to 8:15 on July 27, 2004 in the UTC time zone, and then sets the time zone to MST and the daylight saving time to the default period in the U.S. The end time (1:15 in MDT) is the same as the previous example.
hostname# clock set 20:15:0 jul 27 2004hostname# configure terminalhostname(config)# clock timezone MST -7hostname(config)# clock summer-time MDT recurringhostname# show clock13:15:00.652 MDT Tue Jul 27 2004Related Commands
clock summer-time
Sets the date range to show daylight saving time.
clock timezone
Sets the time zone.
show clock
Shows the current time.
clock summer-time
To set the date range for daylight saving time for the display of the security appliance time, use the clock summer-time command in global configuration mode. To disable the daylight saving time dates, use the no form of this command.
clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]
no clock summer-time [zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]]
clock summer-time zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset]
no clock summer-time [zone date {day month | month day} year hh:mm {day month | month day} year hh:mm [offset]]
Syntax Description
Defaults
The default offset is 60 minutes.
The default recurring date range is from 2:00 a.m. on the first Sunday in April to 2:00 a.m. on the last Sunday in October.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
For the Southern Hemisphere, the security appliance accepts the start month to be later in the year than the end month, for example, from October to March.
Examples
The following example sets the daylight saving date range for Australia:
hostname(config)# clock summer-time PDT recurring last Sunday October 2:00 last Sunday March 2:00Some countries start daylight saving on a specific date. In the following example, daylight saving time is configured to start on April 1, 2004, at 3 a.m. and end on October 1, 2004, at 4 a.m.
hostname(config)# clock summer-time UTC date 1 April 2004 3:00 1 October 2004 4:00Related Commands
clock set
Manually sets the clock on the security appliance.
clock timezone
Sets the time zone.
ntp server
Identifies an NTP server.
show clock
Shows the current time.
clock timezone
To set the time zone for the security appliance clock, use the clock timezone command in global configuration mode. To set the time zone back to the default of UTC, use the no form of this command. The clock set command or the time derived from an NTP server sets the time in UTC. You must set the time zone as an offset of UTC using this command.
clock timezone zone [-]hours [minutes]
no clock timezone [zone [-]hours [minutes]]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
To set daylight saving time, see the clock summer-time command.
Examples
The following example sets the time zone to Pacific Standard Time, which is -8 hours from UTC:
hostname(config)# clock timezone PST -8Related Commands
cluster encryption
To enable encryption for messages exchanged on the virtual load-balancing cluster, use the cluster encryption command in VPN load-balancing mode. To disable encryption, use the no form of this command.
cluster encryption
no cluster encryption
Note
Syntax Description
This command has no arguments or variables.
Defaults
Encryption is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
VPN load-balancing mode
•
—
•
—
—
Command History
Usage Guidelines
This command turns encryption on or off for messages exchanged on the virtual load-balancing cluster.
Before configuring the cluster encryption command, you must have first used the vpn load-balancing command to enter VPN load-balancing mode. You must also use the cluster key command to configure the cluster shared-secret key before enabling cluster encryption.
Note
Examples
The following is an example of a VPN load-balancing command sequence that includes a cluster encryption command that enables encryption for the virtual load-balancing cluster:
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# cluster key 123456789hostname(config-load-balancing)# cluster encryptionhostname(config-load-balancing)# participateRelated Commands
cluster key
Specifies the shared-secret key for the cluster.
vpn load-balancing
Enters VPN load-balancing mode.
cluster ip address
To set the IP address of the virtual load-balancing cluster, use the cluster ip address command in VPN load-balancing mode. To remove the IP address specification, use the no form of this command.
cluster ip address ip-address
no cluster ip address [ip-address]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
VPN load-balancing mode
•
—
•
—
—
Command History
Usage Guidelines
You must first use the vpn load-balancing command to enter VPN load-balancing mode and configure the interface to which the virtual cluster IP address refers.
The cluster ip address must be on the same subnet as the interface for which you are configuring the virtual cluster.
In the no form of the command, if you specify the optional ip-address value, it must match the existing cluster IP address before the no cluster ip address command can be completed.
Examples
The following is an example of a VPN load-balancing command sequence that includes a cluster ip address command that sets the IP address of the virtual load-balancing cluster to 209.165.202.224:
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# participateRelated Commands
interface
Sets the interfaces of the device.
nameif
Assigns a name to an interface.
vpn load-balancing
Enters VPN load-balancing mode.
cluster key
To set the shared secret for IPSec site-to-site tunnel exchanges on the virtual load-balancing cluster, use the cluster key command in VPN load-balancing mode. To remove this specification, use the no form of this command.
cluster key shared-secret
no cluster key [shared-secret]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
