-
Cisco Security Appliance Command Reference, Version 7.2
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting command through accounting-server-group Commands
-
acl-netmask-convert through auto-update timeout Commands
-
backup interface through browse networks Commands
-
cache through clear compression Commands
-
clear conn through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
ddns through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
intercept-dhcp through issuer-name Commands
-
java-trustpoint through kill Commands
-
l2tp tunnel hello through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
packet-tracer through pwd Commands
-
queue-limit through router rip Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show ddns through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show xlate Commands
-
shun through sysopt radius ignore-secret Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Table Of Contents
inspect ctiqbe through inspect xdmcp Commands
inspect ctiqbe through inspect xdmcp Commands
inspect ctiqbe
To enable CTIQBE protocol inspection, use the inspect ctiqbe command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To disable inspection, use the no form of this command.
inspect ctiqbe
no inspect ctiqbe
Defaults
This command is disabled by default.Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced in 7.0(1). It replaces the previously existing fixup command, which is now deprecated.
Usage Guidelines
The inspect ctiqbe command enables CTIQBE protocol inspection, which supports NAT, PAT, and bidirectional NAT. This enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to work successfully with Cisco CallManager for call setup across the security appliance.
The Telephony Application Programming Interface (TAPI) and Java Telephony Application Programming Interface (JTAPI) are used by many Cisco VoIP applications. Computer Telephony Interface Quick Buffer Encoding (CTIQBE) is used by Cisco TAPI Service Provider (TSP) to communicate with Cisco CallManager.
The following summarizes limitations that apply when using CTIQBE application inspection:
•
•
•
•
The following summarizes special considerations when using CTIQBE application inspection in specific scenarios:
•
•
•
Inspecting Signaling Messages
For inspecting signaling messages, the inspect ctiqbe command often needs to determine locations of the media endpoints (for example, IP phones).
This information is used to prepare access-control and NAT state for media traffic to traverse the firewall transparently without manual configuration.
In determining these locations, the inspect ctiqbe command does not use the tunnel default gateway route. A tunnel default gateway route is a route of the form route interface 0 0 metric tunneled. This route overrides the default route for packets that egress from IPSec tunnels. Therefore, if the inspect ctiqbe command is desired for VPN traffic, do not configure the tunnel default gateway route. Instead, us other static routing or dynamic routing.
Examples
You enable the CTIQBE inspection engine as shown in the following example, which creates a class map to match CTIQBE traffic on the default port (2748). The service policy is then applied to the outside interface.
hostname(config)# class-map ctiqbe-porthostname(config-cmap)# match port tcp eq 2748hostname(config-cmap)# exithostname(config)# policy-map ctiqbe_policyhostname(config-pmap)# class ctiqbe-porthostname(config-pmap-c)# inspect ctiqbehostname(config-pmap-c)# exithostname(config)# service-policy ctiqbe_policy interface outsideTo enable CTIQBE inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect dcerpc
To enable inspection of DCERPC traffic destined for the endpoint-mapper, use the inspect dcerpc command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect dcerpc [map_name]
no inspect dceprc [map_name]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
Usage Guidelines
The inspect dcerpc command enables or disables application inspection for the DCERPC protocol.
Examples
The following example shows how to define a DCERPC inspection policy map with the timeout configured for DCERPC pinholes.
hostname(config)# policy-map type inspect dcerpc dcerpc_maphostname(config-pmap)# timeout pinhole 0:10:00hostname(config)# class-map dcerpchostname(config-cmap)# match port tcp eq 135hostname(config)# policy-map global-policyhostname(config-pmap)# class dcerpchostname(config-pmap-c)# inspect dcerpc dcerpc_maphostname(config)# service-policy global-policy globalRelated Commands
inspect dns
To enable DNS inspection (if it has been previously disabled) or to configure DNS inspection parameters, use the inspect dns command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To disable DNS inspection, use the no form of this command.
inspect dns [map_name]
no inspect dns [map_name]
Syntax Description
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
Usage Guidelines
DNS guard tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the security appliance. DNS guard also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.
When DNS inspection is enabled, which it is the default, the security appliance performs the following additional tasks:
•
Note
•
•
•
•
A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.
Because the app_id expires independently, a legitimate DNS response can only pass through the security appliance within a limited period of time and there is no resource build-up. However, if you enter the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.
How DNS Rewrite Works
When DNS inspection is enabled, DNS rewrite provides full support for NAT of DNS messages originating from any interface.
If a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A-record is translated correctly. If the DNS inspection engine is disabled, the A-record is not translated.
DNS rewrite performs two functions:
•
•
As long as DNS inspection remains enabled, you can configure DNS rewrite using the alias, static, or nat commands. For details about the syntax and function of these commands, refer to the appropriate command page.
Note: When upgading, the command syntax is converted to the current syntax.
Examples
The following example shows how to set the maximum DNS message length:
hostname(config)# policy-map type inspect dns dns-inspecthostname(config-pmap)# parametershostname(config-pmap-p)# message-length maximum 1024Related Commands
inspect esmtp
To enable SMTP application inspection or to change the ports to which the security appliance listens, use the inspect esmtp command in class configuration mode. The class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect esmtp [map_name]
no inspect esmtp [map_name]
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
ESMTP application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the security appliance and by adding monitoring capabilities.
ESMTP is an enhancement to the SMTP protocol and is similar in most respects to SMTP. For convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP. The application inspection process for extended SMTP is similar to SMTP application inspection and includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session but an ESMTP session is considerably faster and offers more options related to reliability and security, such as delivery status notification.
The inspect esmtp command includes the functionality previously provided by the fixup smtp command, and provides additional support for some extended SMTP commands. Extended SMTP application inspection adds support for eight extended SMTP commands, including AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the security appliance supports a total of fifteen SMTP commands.
Other extended SMTP commands, such as ATRN, STARTLS, ONEX, VERB, CHUNKING, and private extensions and are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.
The inspect esmtp command changes the characters in the server SMTP banner to asterisks except for the "2", "0", "0" characters. Carriage return (CR) and linefeed (LF) characters are ignored.
With SMTP inspection enabled, a Telnet session used for interactive SMTP waits for a valid command and the firewall esmtp state machine keeps the correct states for the session if the following rules are not observed: SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply.
An SMTP server responds to client requests with numeric reply codes and optional human readable strings. SMTP application inspection controls and reduces the commands that the user can use as well as the messages that the server returns. SMTP inspection performs three primary tasks:
•
•
•
SMTP inspection monitors the command and response sequence for the following anomalous signatures:
•
•
•
•
•
•
•
Examples
You enable the SMTP inspection engine as shown in the following example, which creates a class map to match SMTP traffic on the default port (25). The service policy is then applied to the outside interface.
hostname(config)# class-map smtp-porthostname(config-cmap)# match port tcp eq 25hostname(config-cmap)# exithostname(config)# policy-map smtp_policyhostname(config-pmap)# class smtp-porthostname(config-pmap-c)# inspect esmtphostname(config-pmap-c)# exithostname(config)# service-policy smtp_policy interface outsideTo enable SMTP inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect ftp
To configure the port for FTP inspection or to enable enhanced inspection, use the inspect ftp command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect ftp [strict [map_name]]
no inspect ftp [strict [map_name]]
Syntax Description
map_name
The name of the FTP map.
strict
(Optional) Enables enhanced inspection of FTP traffic and forces compliance with RFC standards.
Caution
Defaults
The security appliance listens to port 21 for FTP by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated. The map_name option was added.
Usage Guidelines
The FTP application inspection inspects the FTP sessions and performs four tasks:
•
•
•
•
Note
FTP application inspection prepares secondary channels for FTP data transfer. The channels are allocated in response to a file upload, a file download, or a directory listing event and must be pre-negotiated. The port is negotiated through the PORT or PASV commands.
Note
Using the strict Option
The strict option prevents web browsers from sending embedded commands in FTP requests. Each ftp command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. The strict option only lets an FTP server generate the 227 command and only lets an FTP client generate the PORT command. The 227 and PORT commands are checked to ensure they do not appear in an error string.
Caution
If the strict option is enabled, each ftp command and response sequence is tracked for the following anomalous activity:
•
•
•
•
•
•
•
•
•
Note
FTP Log Messages
FTP application inspection generates the following log messages:
•
•
•
•
•
In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959.
Examples
The following example identifies FTP traffic, defines an FTP map, defines a policy, enables strict FTP inspection, and applies the policy to the outside interface:
hostname(config)# class-map ftp-porthostname(config-cmap)# match port tcp eq 21hostname(config-cmap)# exithostname(config)# ftp-map inbound_ftphostname(config-inbound_ftp)# request-command deny put stou appehostname(config-ftp-map)# exithostname(config)# policy-map inbound_policyhostname(config-pmap)# class ftp-porthostname(config-pmap-c)# inspect ftp strict inbound_ftphostname(config-pmap-c)# exithostname(config-pmap)# exithostname(config)# service-policy inbound_policy interface outsideTo enable strict FTP application inspection for all interfaces, use the global parameter in place of interface outside.
Note
Related Commands
inspect gtp
To enable or disable GTP inspection or to define a GTP map for controlling GTP traffic or tunnels, use the inspect gtp command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. Use the no form of this command to remove the command.
inspect gtp [map_name]
no inspect gtp [map_name]
Note
Syntax Description
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
Usage Guidelines
GTP is the tunnelling protocol for GPRS, and helps provide secure access over wireless networks. GPRS is a data network architecture that is designed to integrate with existing GSM networks. It offers mobile subscribers uninterrupted, packet-switched data services to corporate networks and the Internet. For an overview of GTP, refer to the "Applying Application Layer Protocol Inspection" chapter in the Cisco Security Appliance Command Line Configuration Guide.
Use the gtp-map command to identify a specific map to use for defining the parameters for GTP. When you enter this command, the system enters a configuration mode that lets you enter the different commands used for defining the specific map. The actions that you can specify for messages that fail the criteria set using the different configuration commands include drop and rate-limit. In addition to these actions, you can specify to log the event or not.
After defining the GTP map, you use the inspect gtp command to enable the map. Then you use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.
The well-known ports for GTP are as follows:
•
•
The following features are not supported in 7.0(1):
•
•
•
Inspecting Signaling Messages
For inspecting signaling messages, the inspect gtp command often needs to determine locations of the media endpoints (for example, IP phones).
This information is used to prepare access-control and NAT state for media traffic to traverse the firewall transparently without manual configuration.
In determining these locations, the inspect gtp command does not use the tunnel default gateway route. A tunnel default gateway route is a route of the form route interface 0 0 metric tunneled. This route overrides the default route for packets that egress from IPSec tunnels. Therefore, if the inspect gtp command is desired for VPN traffic, do not configure the tunnel default gateway route. Instead, us other static routing or dynamic routing.
Examples
The following example shows how to use access lists to identify GTP traffic, define a GTP map, define a policy, and apply the policy to the outside interface:
hostname(config)# access-list gtp-acl permit udp any any eq 3386hostname(config)# access-list gtp-acl permit udp any any eq 2123hostname(config)# class-map gtp-traffichostname(config)# match access-list gtp-aclhostname(config)# gtp-map gtp-policyhostname(config)# policy-map inspection_policyhostname(config-pmap)# class gtp-traffichostname(config-pmap-c)# inspect gtp gtp-policyhostname(config)# service-policy inspection_policy interface outside
Note
Related Commands
inspect h323
To enable H.323 application inspection or to change the ports to which the security appliance listens, use the inspect h323 command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect h323 {h225 | ras} [map_name]
no inspect h323 {h225 | ras} [map_name]
Syntax Description
h225
Enables H.225 signalling inspection.
map_name
(Optional) The name of the H.323 map.
ras
Enables RAS inspection.
Defaults
The default port assignments are as follows:
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
The inspect h323 command provides support for H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union (ITU) for multimedia conferences over LANs. The security appliance supports H.323 through Version 4, including the H.323 v3 feature Multiple Calls on One Call Signaling Channel.
With H.323 inspection enabled, the security appliance supports multiple calls on the same call signaling channel, a feature introduced with H.323 Version 3. This feature reduces call setup time and reduces the use of ports on the security appliance.
The two major functions of H.323 inspection are as follows:
•
•
How H.323 Works
The H.323 collection of protocols collectively may use up to two TCP connection and four to six UDP connections. FastStart uses only one TCP connection, and RAS uses a single UDP connection for registration, admissions, and status.
An H.323 client may initially establish a TCP connection to an H.323 server using TCP port 1720 to request Q.931 call setup. As part of the call setup process, the H.323 terminal supplies a port number to the client to use for an H.245 TCP connection. The H.245 connection is for call negotiation and media channel setup. In environments where H.323 gatekeeper is in use, the initial packet is transmitted using UDP.
H.323 inspection monitors the Q.931 TCP connection to determine the H.245 port number. If the H.323 terminals are not using FastStart, the security appliance dynamically allocates the H.245 connection based on the inspection of the H.225 messages.
Note
Within each H.245 message, the H.323 endpoints exchange port numbers that are used for subsequent UDP data streams. H.323 inspection inspects the H.245 messages to identify these ports and dynamically creates connections for the media exchange. Real-Time Transport Protocol (RTP) uses the negotiated port number, while RTP Control Protocol (RTCP) uses the next higher port number.
The H.323 control channel handles H.225 and H.245 and H.323 RAS. H.323 inspection uses the following ports.
•
•
•
If the ACF message from the gatekeeper goes through the security appliance, a pinhole will be opened for the H.225 connection. The H.245 signaling ports are negotiated between the endpoints in the H.225 signaling. When an H.323 gatekeeper is used, the security appliance opens an H.225 connection based on inspection of the ACF message. If | the security appliance does not see the ACF message, you might need to open an access list for the well-known H.323 port 1720 for the H.225 call signaling.
The security appliance dynamically allocates the H.245 channel after inspecting the H.225 messages and then hooks up to the H.245 channel to be fixed up as well. That means whatever H.245 messages pass through the security appliance pass through the H.245 application inspection, NATing embedded IP addresses and opening the negotiated media channels.
The H.323 ITU standard requires that a TPKT header, defining the length of the message, precede the H.225 and H.245, before being passed on to the reliable connection. Because the TPKT header does not necessarily need to be sent in the same TCP packet as the H.225/H.245 message, the security appliance must remember the TPKT length to process/decode the messages properly. The security appliance keeps a data structure for each connection and that data structure contains the TPKT length for the next expected message.
If the security appliance needs to NAT any IP addresses, then it will have to change the checksum, the UUIE (user-user information element) length, and the TPKT, if included in the TCP packet with the H.225 message. If the TPKT is sent in a separate TCP packet, then the security appliance will proxy ACK that TPKT and append a new TPKT to the H.245 message with the new length.
Note
Each UDP connection with a packet going through H.323 inspection is marked as an H.323 connection and will time out with the H.323 timeout as configured using the timeout command.
Limitations and Restrictions
The following are some of the known issues and limitations when using H.323 application inspection:
•
•
•
•
Inspecting Signaling Messages
For inspecting signaling messages, the inspect h323 command often needs to determine locations of the media endpoints (for example, IP phones).
This information is used to prepare access-control and NAT state for media traffic to traverse the firewall transparently without manual configuration.
In determining these locations, the inspect h323 command does not use the tunnel default gateway route. A tunnel default gateway route is a route of the form route interface 0 0 metric tunneled. This route overrides the default route for packets that egress from IPSec tunnels. Therefore, if the inspect h323 command is desired for VPN traffic, do not configure the tunnel default gateway route. Instead, us other static routing or dynamic routing.
Examples
You enable the H.323 inspection engine as shown in the following example, which creates a class map to match H.323 traffic on the default port (1720). The service policy is then applied to the outside interface.
hostname(config)# class-map h323-porthostname(config-cmap)# match port tcp eq 1720hostname(config-cmap)# exithostname(config)# policy-map h323_policyhostname(config-pmap)# class h323-porthostname(config-pmap-c)# inspect h323hostname(config-pmap-c)# exithostname(config)# service-policy h323_policy interface outsideTo enable H.323 inspection for all interfaces, use the global parameter in place of interface outside.
Related Commands
inspect http
To enable HTTP application inspection or to change the ports to which the security appliance listens, use the inspect http command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
inspect http [map_name]
no inspect http [map_name]
Syntax Description
Defaults
The default port for HTTP is 80.
Enhanced HTTP inspection is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Class configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced, replacing the fixup command, which is now deprecated.
Usage Guidelines
The inspect http command protects against specific attacks and other threats that may be associated with HTTP traffic. HTTP inspection performs enhanced HTTP inspection.
Enhanced HTTP inspection verifies that HTTP messages conform to RFC 2616, use RFC-defined methods or supported extension methods, and comply with various other criteria. In many cases, you can configure these criteria and the system response when the criteria are not met. The actions that you can specify for messages that fail the criteria set using the different configuration commands include allow, reset, or drop. In addition to these actions, you can specify to log the event or not.
The criteria that you can apply to HTTP messages include the following:
•
•
•
•
•
•
•
•
•
•
•
•
Note
To enable enhanced HTTP inspection, enter the inspect http http-map command. The rules that this applies to HTTP traffic are defined by the specific HTTP map, which you configure by entering the
