Table Of Contents
default through duplex Commands
default
default (crl configure)
default (time-range)
default enrollment
default-domain
default-group-policy
default-group-policy (webvpn)
default-idle-timeout
default-information originate (OSPF)
default-information originate (RIP)
delete
deny-message (group-policy webvpn configuration mode)
deny version
description
dhcp client route distance
dhcp client route track
dhcp-client update dns
dhcpd address
dhcpd auto_config
dhcpd dns
dhcpd domain
dhcpd enable
dhcpd lease
dhcpd option
dhcpd ping_timeout
dhcpd update dns
dhcpd wins
dhcprelay enable
dhcprelay server
dhcprelay setroute
dhcprelay timeout
dialog
dir
disable
disable (cache)
distance ospf
distribute-list in
distribute-list out
dns domain-lookup
dns-group (tunnel-group webvpn configuration mode)
dns-guard
dns name-server
dns retries
dns-server
dns server-group
dns timeout
domain-name
downgrade
drop
drop-connection
duplex
default through duplex Commands
default
To restore default settings for the time-range command absolute and periodic keywords, use the default command in time-range configuration mode.
default {absolute | periodic days-of-the-week time to [days-of-the-week] time}
Syntax Description
absolute | Defines an absolute time when a time range is in effect.
days-of-the-week | (Optional) The first occurrence of this argument is the starting day or day of the week that the associated time range is in effect. The second occurrence is the ending day or day of the week the associated statement is in effect. This argument is any single day or combination of days: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday. Other possible values are daily (Monday through Sunday), weekdays (Monday through Friday), and weekend (Saturday and Sunday). If the ending days of the week are the same as the starting days of the week, you can omit them.
periodic | Specifies a recurring (weekly) time range for functions that support the time-range feature.
time | Specifies the time in the format HH:MM. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.
to | Entry of the to keyword is required to complete the range "from start-time to end-time."
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Time-range configuration | • | • | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
If the end days-of-the-week value is the same as the start value, you can omit them.
If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.
The time-range feature relies on the system clock of the security appliance; however, the feature works best with NTP synchronization.
Examples
The following example shows how to restore the default behavior of the absolute keyword:
hostname(config-time-range)# default absolute
Related Commands
Command | Description
absolute | Defines an absolute time when a time range is in effect.
periodic | Specifies a recurring (weekly) time range for functions that support the time-range feature.
time-range | Defines access control to the security appliance based on time.
default (crl configure)
To return all CRL parameters to their system default values, use the default command in crl configure configuration mode. The crl configure configuration mode is accessible from the crypto ca trustpoint configuration mode. These parameters are used only when the LDAP server requires them.
default
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Crl configure configuration | • |  | • |  |  
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
Invocations of this command do not become part of the active configuration.
Examples
The following example enters ca-crl configuration mode, and returns CRL command values to their defaults:
hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# default
Related Commands
Command | Description
crl configure | Enters crl configure configuration mode.
crypto ca trustpoint | Enters trustpoint configuration mode.
protocol ldap | Specifies LDAP as a retrieval method for CRLs.
default (time-range)
To restore default settings for the absolute and periodic commands, use the default command in time-range configuration mode.
default {absolute | periodic days-of-the-week time to [days-of-the-week] time}
Syntax Description
absolute | Defines an absolute time when a time range is in effect.
days-of-the-week | The first occurrence of this argument is the starting day or day of the week that the associated time range is in effect. The second occurrence is the ending day or day of the week the associated statement is in effect. This argument is any single day or combination of days: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday. Other possible values are daily (Monday through Sunday), weekdays (Monday through Friday), and weekend (Saturday and Sunday). If the ending days of the week are the same as the starting days of the week, you can omit them.
periodic | Specifies a recurring (weekly) time range for functions that support the time-range feature.
time | Specifies the time in the format HH:MM. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.
to | Entry of the to keyword is required to complete the range "from start-time to end-time."
Defaults
There are no default settings for this command.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Time-range configuration | • | • | • | • |  
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
If the end days-of-the-week value is the same as the start value, you can omit them.
If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.
The time-range feature relies on the system clock of the security appliance; however, the feature works best with NTP synchronization.
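The usage guidelines for default and default (time-range) above state that periodic entries are evaluated only after the absolute start time is reached and no longer after the absolute end time. The following added example (not Cisco code) models that evaluation order in Python; the TimeRange class, the constructed 2024 sample range, and the restriction to same-day periodic windows are assumptions of this example.

```python
from datetime import datetime, time

# Added example (not Cisco's code): how a time-range with both absolute and
# periodic values gates a rule. Periodic entries are evaluated only inside the
# absolute window, as the usage guidelines describe.

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


def parse_days(token):
    """Map a days-of-the-week token to weekday indexes (Monday = 0, as datetime.weekday)."""
    token = token.lower()
    if token in DAY_GROUPS:
        return set(DAY_GROUPS[token])
    if token in DAY_NAMES:
        return {DAY_NAMES.index(token)}
    raise ValueError(f"unknown days-of-the-week value: {token!r}")


def parse_periodic(spec):
    """Parse 'days-of-the-week HH:MM to [days-of-the-week] HH:MM'.

    Assumption of this example: only same-day windows are modelled (ending days
    omitted or equal to the starting days); a window spanning into another day is rejected.
    """
    parts = spec.split()
    if len(parts) == 4 and parts[2] == "to":
        start_days, start, end_days, end = parts[0], parts[1], parts[0], parts[3]
    elif len(parts) == 5 and parts[2] == "to":
        start_days, start, end_days, end = parts[0], parts[1], parts[3], parts[4]
    else:
        raise ValueError(f"malformed periodic value: {spec!r}")
    days = parse_days(start_days)
    if parse_days(end_days) != days:
        raise ValueError("multi-day windows are not modelled in this example")
    # '8:00' becomes '08:00' so that time.fromisoformat accepts it
    t_start, t_end = time.fromisoformat(start.zfill(5)), time.fromisoformat(end.zfill(5))
    if t_end <= t_start:
        raise ValueError("end time must be after start time")
    return days, t_start, t_end


class TimeRange:
    def __init__(self, absolute_start=None, absolute_end=None, periodic=()):
        self.absolute_start = absolute_start   # datetime or None
        self.absolute_end = absolute_end       # datetime or None
        self.periodic = [parse_periodic(p) for p in periodic]

    def is_active(self, now):
        """True if the range is in effect at 'now' (a datetime or an ISO 8601 string)."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        # The absolute window gates everything: before its start nothing matches,
        # after its end the periodic entries are no longer evaluated.
        if self.absolute_start is not None and now < self.absolute_start:
            return False
        if self.absolute_end is not None and now > self.absolute_end:
            return False
        if not self.periodic:
            return True  # absolute-only range: active for the whole window
        return any(now.weekday() in days and start <= now.time() <= end
                   for days, start, end in self.periodic)


def sample_range():
    """Constructed sample: absolute 1 Jan 2024 00:00 to 31 Dec 2024 23:59, periodic weekdays 8:00 to 17:00."""
    return TimeRange(datetime(2024, 1, 1, 0, 0), datetime(2024, 12, 31, 23, 59),
                     ["weekdays 8:00 to 17:00"])


if __name__ == "__main__":
    rng = sample_range()
    print(rng.is_active("2024-03-04T09:00"))   # Monday inside both windows
    print(rng.is_active("2025-03-03T09:00"))   # Monday, but after the absolute end
```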
Examples
The following example shows how to restore the default behavior of the absolute keyword:
hostname(config-time-range)# default absolute
Related Commands
Command
|
Description
|
absolute | Defines an absolute time when a time range is in effect.
periodic | Specifies a recurring (weekly) time range for functions that support the time-range feature.
time-range | Defines access control to the security appliance based on time.
default enrollment
To return all enrollment parameters to their system default values, use the default enrollment command in crypto ca trustpoint configuration mode.
default enrollment
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Crypto ca trustpoint configuration | • | • | • | • | •
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
Invocations of this command do not become part of the active configuration.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and returns all enrollment parameters to their default values within trustpoint central:
hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# default enrollment
Related Commands
Command | Description
clear configure crypto ca trustpoint | Removes all trustpoints.
crl configure | Enters crl configuration mode.
crypto ca trustpoint | Enters trustpoint configuration mode.
default-domain
To set a default domain name for users of the group policy, use the default-domain command in group-policy configuration mode. To delete a domain name, use the no form of this command.
To delete all default domain names, use the no default-domain command without arguments. This deletes all configured default domain names, including a null list created by issuing the default-domain none command. To prevent users from inheriting a domain name, use the default-domain none command.
The security appliance passes the default domain name to the IPSec client to append to DNS queries that omit the domain field. This domain name applies only to tunneled packets. When there are no default domain names, users inherit the default domain name in the default group policy.
default-domain {value domain-name | none}
no default-domain [domain-name]
Syntax Description
none | Indicates that there is no default domain name. Sets a default domain name with a null value, thereby disallowing a default domain name. Prevents inheriting a default domain name from a default or specified group policy.
value domain-name | Identifies the default domain name for the group.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Group-policy | • | — | • | — | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
You can use only alphanumeric characters, hyphens (-), and periods (.) in default domain names.
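The following added example (not Cisco code) applies the character rule above and models the three states the description distinguishes: a configured value, the explicit null set by default-domain none, and an absent attribute that inherits from the default group policy. The GroupPolicy class, the sample domain names and the qualify helper are assumptions of this example.

```python
import re

# Added example (not Cisco's code): default-domain validation and the effect of
# an explicit, a null ('none') and an inherited default domain on tunneled DNS queries.

DOMAIN_NAME_RE = re.compile(r"[A-Za-z0-9.-]+")   # alphanumerics, hyphens and periods only
INHERIT = None          # attribute absent: inherit from the default group policy
NULL_DOMAIN = "none"    # 'default-domain none': explicit null value, blocks inheritance


def is_valid_domain_name(name):
    return DOMAIN_NAME_RE.fullmatch(name) is not None


def validate_domain_name(name):
    if not is_valid_domain_name(name):
        raise ValueError(f"invalid default-domain {name!r}: only [A-Za-z0-9.-] allowed")
    return name


class GroupPolicy:
    def __init__(self, name):
        self.name = name
        self.default_domain = INHERIT

    def apply(self, line):
        """Apply one default-domain / no default-domain line from group-policy configuration mode."""
        tokens = line.split()
        if tokens[:2] == ["default-domain", "value"] and len(tokens) == 3:
            self.default_domain = validate_domain_name(tokens[2])
        elif tokens == ["default-domain", "none"]:
            self.default_domain = NULL_DOMAIN
        elif tokens[:2] == ["no", "default-domain"] and len(tokens) in (2, 3):
            # 'no default-domain' removes the attribute, including a null value set by
            # 'default-domain none', so inheritance from the default policy resumes.
            if (len(tokens) == 3 and self.default_domain not in (INHERIT, NULL_DOMAIN)
                    and tokens[2] != self.default_domain):
                raise ValueError(f"{tokens[2]!r} is not the configured default domain")
            self.default_domain = INHERIT
        else:
            raise ValueError(f"unrecognised line: {line!r}")


def effective_default_domain(policy, dflt_policy):
    """Domain name the appliance passes to the IPSec client, or None if there is none."""
    value = policy.default_domain
    if value is INHERIT:
        value = dflt_policy.default_domain
    return None if value in (INHERIT, NULL_DOMAIN) else value


def qualify(hostname, domain):
    """Name the client queries over the tunnel when the user omits the domain field."""
    return hostname if domain is None else f"{hostname}.{domain}"


if __name__ == "__main__":
    dflt = GroupPolicy("DfltGrpPolicy")
    dflt.apply("default-domain value corp.example")      # constructed sample value
    grp = GroupPolicy("FirstGroup")
    print(qualify("intranet", effective_default_domain(grp, dflt)))   # inherited
    grp.apply("default-domain none")
    print(qualify("intranet", effective_default_domain(grp, dflt)))   # no suffix
```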
Examples
The following example shows how to set a default domain name of FirstDomain for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# default-domain value FirstDomain
Related Commands
Command | Description
split-dns | Provides a list of domains to be resolved through the split tunnel.
split-tunnel-network-list | Identifies the access list the security appliance uses to distinguish networks that require tunneling and those that do not.
split-tunnel-policy | Lets an IPSec client conditionally direct packets over an IPSec tunnel in encrypted form, or to a network interface in cleartext form.
default-group-policy
To specify the set of attributes that the user inherits by default, use the default-group-policy command in tunnel-group general-attributes configuration mode. To eliminate a default group policy name, use the no form of this command.
default-group-policy group-name
no default-group-policy group-name
Syntax Description
group-name | Specifies the name of the default group.
Defaults
The default group name is DfltGrpPolicy.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Tunnel-group general attributes configuration | • | — | • | — | —
Command History
Release | Modification
7.0(1) | This command was introduced.
7.1(1) | The default-group-policy command in webvpn configuration mode was deprecated. The default-group-policy command in tunnel-group general-attributes mode replaces it.
Usage Guidelines
In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group general-attributes mode.
The default group policy DfltGrpPolicy comes with the initial configuration of the security appliance. You can apply this attribute to all tunnel-group types.
Examples
The following example, entered in config-general configuration mode, specifies a set of attributes for users to inherit by default for an IPSec LAN-to-LAN tunnel group named "standard-policy". This set of commands defines the accounting server, the authentication server, the authorization server, and the address pools.
hostname(config)# tunnel-group standard-policy type ipsec-ra
hostname(config)# tunnel-group standard-policy general-attributes
hostname(config-tunnel-general)# default-group-policy first-policy
hostname(config-tunnel-general)# accounting-server-group aaa-server123
hostname(config-tunnel-general)# address-pool (inside) addrpool1 addrpool2 addrpool3
hostname(config-tunnel-general)# authentication-server-group aaa-server456
hostname(config-tunnel-general)# authorization-server-group aaa-server78
hostname(config-tunnel-general)#
Related Commands
Command | Description
clear configure tunnel-group | Clears all configured tunnel groups.
group-policy | Creates or edits a group policy.
show running-config tunnel group | Shows the tunnel group configuration for all tunnel groups or for a particular tunnel group.
tunnel-group general-attributes | Specifies the general attributes for the named tunnel-group.
default-group-policy (webvpn)
To specify the name of the group policy to use when the WebVPN or e-mail proxy configuration does not specify a group policy, use the default-group-policy command. WebVPN, IMAP4S, POP3S, and SMTPS sessions require either a specified or a default group policy. For WebVPN, use this command in webvpn mode. For e-mail proxy, use this command in the applicable e-mail proxy mode. To remove the attribute from the configuration, use the no version of this command.
default-group-policy groupname
no default-group-policy
Syntax Description
groupname | Identifies the previously configured group policy to use as the default group policy. Use the group-policy command in configuration mode to configure a group policy.
Defaults
A default group policy, named DfltGrpPolicy, always exists on the security appliance. This default-group-policy command lets you substitute a group policy that you create as the default group policy for WebVPN and e-mail proxy sessions. An alternative is to edit the DfltGrpPolicy.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Webvpn | • | — | • | — | —
Imap4s | • | — | • | — | —
Pop3s | • | — | • | — | —
Smtps | • | — | • | — | —
Command History
Release | Modification
7.0(1) | This command was introduced.
7.1(1) | This command was deprecated in webvpn configuration mode and moved to tunnel-group general-attributes configuration mode.
Usage Guidelines
In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group general-attributes mode.
You can edit, but not delete, the system DefaultGroupPolicy. It has the following AVPs:
Attribute | Default Value
wins-server | none
dns-server | none
dhcp-network-scope | none
vpn-access-hours | unrestricted
vpn-simultaneous-logins | 3
vpn-idle-timeout | 30 minutes
vpn-session-timeout | none
vpn-filter | none
vpn-tunnel-protocol | WebVPN
ip-comp | disable
re-xauth | disable
group-lock | none
pfs | disable
client-access-rules | none
banner | none
password-storage | disabled
ipsec-udp | disabled
ipsec-udp-port | 0
backup-servers | keep-client-config
split-tunnel-policy | tunnelall
split-tunnel-network-list | none
default-domain | none
split-dns | none
intercept-dhcp | disable
client-firewall | none
secure-unit-authentication | disabled
user-authentication | disabled
user-authentication-idle-timeout | none
ip-phone-bypass | disabled
leap-bypass | disabled
nem | disabled
webvpn attributes: | 
filter | none
functions | disabled
homepage | none
html-content-filter | none
port-forward | disabled
port-forward-name | none
url-list | mpme
Examples
The following example shows how to specify a default group policy called WebVPN7 for WebVPN:
hostname(config-webvpn)# default-group-policy WebVPN7
default-idle-timeout
To set a default idle timeout value for WebVPN users, use the default-idle-timeout command in webvpn mode. To remove the default idle timeout value from the configuration and reset the default, use the no form of this command.
The default idle timeout prevents stale sessions.
default-idle-timeout seconds
no default-idle-timeout
Syntax Description
seconds | Specifies the number of seconds for the idle timeout. The minimum is 60 seconds; the maximum is 1 day (86400 seconds).
Defaults
1800 seconds (30 minutes).
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Webvpn | • | — | • | — | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
The security appliance uses the value you set here if there is no idle timeout defined for a user, if the value is 0, or if the value does not fall into the valid range.
We recommend that you set this command to a short time period. This is because a browser set to disable cookies (or one that prompts for cookies and then denies them) can result in a user not connecting but nevertheless appearing in the sessions database. If the maximum number of connections permitted is set to one (vpn-simultaneous-logins command), the user cannot log back in because the database indicates that the maximum number of connections already exists. Setting a low idle timeout removes such phantom sessions quickly, and lets a user log in again.
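The following added example (not Cisco code) implements the selection rule from the first paragraph above and plays through the phantom-session scenario from the second: a session left behind by a cookie-rejecting browser blocks a user whose vpn-simultaneous-logins is 1 until the idle timeout reaps it. The SessionDatabase model, the timestamps and the user name are constructed for this example.

```python
from dataclasses import dataclass, field

# Added example (not Cisco's code): the idle-timeout selection rule and a
# constructed session table showing why a short default-idle-timeout matters
# when vpn-simultaneous-logins is 1.

MIN_IDLE_SECONDS = 60
MAX_IDLE_SECONDS = 86400
WEBVPN_DEFAULT_IDLE_TIMEOUT = 1800   # the command's default (30 minutes)


def effective_idle_timeout(user_timeout, default_timeout=WEBVPN_DEFAULT_IDLE_TIMEOUT):
    """Timeout applied to a WebVPN session.

    The per-user value is used only when it is defined, non-zero and within
    60..86400 seconds; otherwise the default-idle-timeout value applies.
    """
    if user_timeout is None or user_timeout == 0:
        return default_timeout
    if not MIN_IDLE_SECONDS <= user_timeout <= MAX_IDLE_SECONDS:
        return default_timeout
    return user_timeout


@dataclass
class Session:
    user: str
    last_activity: int   # seconds since epoch (constructed values in the demo)


@dataclass
class SessionDatabase:
    default_idle_timeout: int = WEBVPN_DEFAULT_IDLE_TIMEOUT
    simultaneous_logins: int = 3                       # vpn-simultaneous-logins
    user_timeouts: dict = field(default_factory=dict)  # per-user idle timeout, seconds
    sessions: list = field(default_factory=list)

    def reap_idle(self, now):
        """Drop sessions idle for at least their effective timeout; return how many were removed."""
        keep = []
        for s in self.sessions:
            limit = effective_idle_timeout(self.user_timeouts.get(s.user), self.default_idle_timeout)
            if now - s.last_activity < limit:
                keep.append(s)
        removed = len(self.sessions) - len(keep)
        self.sessions = keep
        return removed

    def login(self, user, now):
        """Admit a login unless the user already holds simultaneous_logins sessions."""
        self.reap_idle(now)
        if sum(1 for s in self.sessions if s.user == user) >= self.simultaneous_logins:
            return False
        self.sessions.append(Session(user, now))
        return True


def phantom_session_demo(default_idle_timeout, retry_after):
    """Constructed scenario: a browser that rejected cookies left a phantom session
    for 'alice' at t=0 that never becomes active; she retries at t=retry_after.
    Returns whether the retry is admitted with vpn-simultaneous-logins set to 1."""
    db = SessionDatabase(default_idle_timeout=default_idle_timeout, simultaneous_logins=1)
    db.sessions.append(Session("alice", last_activity=0))
    return db.login("alice", now=retry_after)


if __name__ == "__main__":
    print(phantom_session_demo(1800, 1300))   # False: phantom still inside the 30-minute default
    print(phantom_session_demo(1200, 1300))   # True: a 20-minute default reaped it first
```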
Examples
The following example shows how to set the default idle timeout to 1200 seconds (20 minutes):
hostname(config-webvpn)# default-idle-timeout 1200
Related Commands
Command | Description
vpn-simultaneous-logins | Sets the maximum number of simultaneous VPN sessions permitted. Use in group-policy or username mode.
default-information originate (OSPF)
To generate a default external route into an OSPF routing domain, use the default-information originate command in router configuration mode. To disable this feature, use the no form of this command.
default-information originate [always] [metric value] [metric-type {1 | 2}] [route-map name]
no default-information originate [[always] [metric value] [metric-type {1 | 2}] [route-map name]]
Syntax Description
always | (Optional) Always advertises the default route regardless of whether the software has a default route.
metric value | (Optional) Specifies the OSPF default metric value from 0 to 16777214.
metric-type {1 | 2} | (Optional) External link type associated with the default route advertised into the OSPF routing domain. Valid values are 1 (Type 1 external route) and 2 (Type 2 external route).
route-map name | (Optional) Name of the route map to apply.
Defaults
The default values are as follows:
• metric value is 1.
• metric-type is 2.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Router configuration | • | — | • | — | —
Command History
Release | Modification
Preexisting | This command was preexisting.
Usage Guidelines
Using the no form of this command with optional keywords and arguments only removes the optional information from the command. For example, entering no default-information originate metric 3 removes the metric 3 option from the command in the running configuration. To remove the complete command from the running configuration, use the no form of the command without any options: no default-information originate.
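The following added example (not Cisco code) models the no-form behaviour just described: a no form that names options strips only those options from the running configuration, while the bare no form removes the command, and the page's defaults (metric 1, metric-type 2) fill in whatever is absent. The OspfProcess class and the assumption that re-entering the positive form replaces the previous option set belong to this example.

```python
# Added example (not Cisco's code): parsing the default-information originate
# options and applying the no-form semantics from the usage guidelines.

METRIC_MAX = 16777214
DEFAULTS = {"metric": 1, "metric-type": 2}   # used when the option is absent


def parse_options(tokens):
    """Parse '[always] [metric N] [metric-type {1|2}] [route-map NAME]' into a dict."""
    opts = {}
    i = 0
    while i < len(tokens):
        key = tokens[i]
        if key == "always":
            opts["always"] = True
            i += 1
        elif key in ("metric", "metric-type", "route-map"):
            if i + 1 >= len(tokens):
                raise ValueError(f"{key} requires a value")
            value = tokens[i + 1]
            if key == "metric":
                value = int(value)
                if not 0 <= value <= METRIC_MAX:
                    raise ValueError(f"metric {value} out of range 0..{METRIC_MAX}")
            elif key == "metric-type":
                if value not in ("1", "2"):
                    raise ValueError("metric-type must be 1 or 2")
                value = int(value)
            opts[key] = value
            i += 2
        else:
            raise ValueError(f"unknown option {key!r}")
    return opts


class OspfProcess:
    """Holds the default-information originate line of one router ospf process."""

    def __init__(self):
        self.default_info = None   # None: the command is absent from the running configuration

    def apply(self, line):
        tokens = line.split()
        negate = tokens[:1] == ["no"]
        if negate:
            tokens = tokens[1:]
        if tokens[:2] != ["default-information", "originate"]:
            raise ValueError(f"not a default-information originate line: {line!r}")
        opts = parse_options(tokens[2:])
        if not negate:
            # Assumption of this example: re-entering the command replaces the option set.
            self.default_info = opts
        elif self.default_info is None:
            return
        elif not opts:
            self.default_info = None            # bare no form: remove the whole command
        else:
            for key in opts:                    # no form with options: strip only those
                self.default_info.pop(key, None)

    def running_config(self):
        """Render the line as it would appear in the running configuration."""
        if self.default_info is None:
            return []
        parts = ["default-information originate"]
        if self.default_info.get("always"):
            parts.append("always")
        for key in ("metric", "metric-type", "route-map"):
            if key in self.default_info:
                parts.append(f"{key} {self.default_info[key]}")
        return [" ".join(parts)]

    def advertised_default(self):
        """Metric and type of the originated default route with defaults filled in, or None."""
        if self.default_info is None:
            return None
        return {"always": bool(self.default_info.get("always", False)),
                "metric": self.default_info.get("metric", DEFAULTS["metric"]),
                "metric-type": self.default_info.get("metric-type", DEFAULTS["metric-type"])}
```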
Examples
The following example shows how to use the default-information originate command with an optional metric and metric type:
hostname(config-router)# default-information originate always metric 3 metric-type 2
Related Commands
Command | Description
router ospf | Enters router configuration mode.
show running-config router | Displays the commands in the global router configuration.
default-information originate (RIP)
To generate a default route into RIP, use the default-information originate command in router configuration mode. To disable this feature, use the no form of this command.
default-information originate [route-map name]
no default-information originate [route-map name]
Syntax Description
route-map name | (Optional) Name of the route map to apply. The routing process generates the default route if the route map is satisfied.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Router configuration | • | — | • | — | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
The route map referenced in the default-information originate command cannot use an extended access list; it can use a standard access list.
Examples
The following example shows how to generate a default route into RIP:
hostname(config)# router rip
hostname(config-router)# network 10.0.0.0
hostname(config-router)# default-information originate
Related Commands
Command | Description
router rip | Enters router configuration mode for the RIP routing process.
show running-config router | Displays the commands in the global router configuration.
delete
To delete a file in the disk partition, use the delete command in privileged EXEC mode.
delete [/noconfirm] [/recursive] [flash:]filename
Syntax Description
/noconfirm | (Optional) Specifies not to prompt for confirmation.
/recursive | (Optional) Deletes the specified file recursively in all subdirectories.
filename | Specifies the name of the file to delete.
flash: | Specifies the nonremovable internal Flash, followed by a colon.
Defaults
If you do not specify a directory, the directory is the current working directory by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Privileged EXEC | • | • | • | — | •
Command History
Release | Modification
Preexisting | This command was preexisting.
Usage Guidelines
The file is deleted from the current working directory if a path is not specified. Wildcards are supported when deleting files. When deleting files, you are prompted with the filename and you must confirm the deletion.
Examples
The following example shows how to delete a file named test.cfg in the current working directory:
hostname# delete test.cfg
Related Commands
Command | Description
cd | Changes the current working directory to the one specified.
rmdir | Removes a file or directory.
show file | Displays the specified file.
deny-message (group-policy webvpn configuration mode)
To change the message delivered to a remote user who logs into WebVPN successfully, but has no VPN privileges, use the deny-message value command in tunnel-group webvpn configuration mode.
The no deny-message value command removes the string, so that the remote user does not receive a message.
The no deny-message none command removes the attribute from the tunnel group policy configuration. The policy inherits the attribute value.
deny-message value "string"
no deny-message value
no deny-message none
Syntax Description
string | Up to 491 alphanumeric characters, including special characters, spaces, and punctuation.
Defaults
The default deny message is: "Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information."
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Group-policy webvpn configuration | • | — | • | — | —
Command History
Release | Modification
7.0(1) | This command was introduced.
7.1(1) | This command moved from tunnel-group webvpn configuration mode to group-policy webvpn configuration mode.
Usage Guidelines
Before entering this command, you must enter the group-policy name attributes in global configuration mode, then the webvpn command. (This assumes you already have created the policy name.)
When typing the string in the deny-message value command, continue typing even if the command wraps.
The text appears on the remote user's browser upon login, independent of the tunnel policy used for the VPN session.
Examples
The first command in the following example creates an internal group policy named group2. The subsequent commands modify the deny message associated with that policy.
hostname(config)# group-policy group2 internal
hostname(config)# group-policy group2 attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# deny-message value "Your login credentials are OK. However, you have not been granted rights to use the VPN features. Contact your administrator for more information."
hostname(config-group-webvpn)#
Related Commands
Command | Description
clear configure group-policy | Removes all group-policy configuration.
group-policy | Creates a group policy.
group-policy attributes | Enters the group-policy attribute configuration mode.
show running-config group-policy [name] | Displays the running group policy configuration (for the policy named).
webvpn (group-policy or username configuration mode) | Enters group-policy webvpn configuration mode.
deny version
To deny a specific version of SNMP traffic, use the deny version command in SNMP map configuration mode, which is accessible by entering the snmp-map command from global configuration mode. To disable this command, use the no form of the command.
deny version version
no deny version version
Syntax Description
version | Specifies the version of SNMP traffic that the security appliance drops. The permitted values are 1, 2, 2c, and 3.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
SNMP map configuration | • | •