-
Cisco Security Appliance Command Reference, Version 7.2
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting command through accounting-server-group Commands
-
acl-netmask-convert through auto-update timeout Commands
-
backup interface through browse networks Commands
-
cache through clear compression Commands
-
clear conn through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
ddns through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
intercept-dhcp through issuer-name Commands
-
java-trustpoint through kill Commands
-
l2tp tunnel hello through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
packet-tracer through pwd Commands
-
queue-limit through router rip Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show ddns through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show xlate Commands
-
shun through sysopt radius ignore-secret Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Table Of Contents
interface-dhcp through issuer-name Commands
interface (vpn load-balancing)
isakmp ikev1-user-authentication
interface-dhcp through issuer-name Commands
intercept-dhcp
To enable DHCP Intercept, use the intercept-dhcp enable command in group-policy configuration mode. To disable DHCP Intercept, use the intercept-dhcp disable command.
To remove the intercept-dhcp attribute from the running configuration, use the no intercept-dhcp command. This lets users inherit a DHCP Intercept configuration from the default or other group policy.
DHCP Intercept lets Microsoft XP clients use split-tunneling with the security appliance. The security appliance replies directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP address. For Windows clients prior to XP, DHCP Intercept provides the domain name and subnet mask. This is useful in environments in which using a DHCP server is not advantageous.
intercept-dhcp netmask {enable | disable}
no intercept-dhcp
Syntax Description
disable
Disables DHCP Intercept.
enable
Enables DHCP Intercept.
netmask
Provides the subnet mask for the tunnel IP address.
Defaults
DHCP Intercept is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
A Microsoft XP anomaly results in the corruption of domain names if split tunnel options exceed 255 bytes. To avoid this problem, the security appliance limits the number of routes it sends to 27 to 40 routes, with the number of routes dependent on the classes of the routes.
Examples
The following example shows how to set DHCP Intercepts for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# intercept-dhcp enableinterface
To configure an interface and enter interface configuration mode, use the interface command in global configuration mode. In interface configuration mode, you can configure hardware settings, assign a name, assign a VLAN, assign an IP address, and configure many other settings, depending on the type of interface and the security context mode.
All models can configure parameters for physical interfaces. All models except for those with a built-in switch, such as the ASA 5505 adaptive security appliance, can create logical subinterfaces that are assigned to a VLAN. Models with a built-in switch include switch ports (called physical interfaces in this command) that you can assign to a VLAN interface; in this case, you do not create a subinterface for the VLAN, but instead create a VLAN interface independent of any physical interfaces. You can then assign one or more physical interfaces to the VLAN interface. To remove a subinterface or VLAN interface, use the no form of this command; you cannot remove a physical interface.
For physical interfaces (for all models):
interface {physical_interface | mapped_name}
For subinterfaces (not available for models with a built-in switch):
interface {physical_interface.subinterface | mapped_name}
no interface physical_interface.subinterface
For VLAN interfaces (for models with a built-in switch):
interface vlan number
no interface vlan number
Syntax Description
Defaults
By default, the security appliance automatically generates interface commands for all physical interfaces.
In multiple context mode, the security appliance automatically generates interface commands for all interfaces allocated to the context using the allocate-interface command.
All physical interfaces are shut down by default. Allocated interfaces in contexts are not shut down in the configuration. VLAN interfaces are not shut down by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it. VLAN interfaces are enabled by default.
For an enabled interface to pass traffic, configure the following interface configuration mode commands: nameif, and, for routed mode, ip address. For subinterfaces, configure the vlan command. For switch physical interfaces, assign the physical interface to the VLAN interface using the switchport access vlan command (for an access port) or the switch trunk allowed vlan command (for a trunk port). The security level is 0 (lowest) by default. See the security-level command for default levels for some interfaces or to change from the default of 0 so interfaces can communicate with each other.
In multiple context mode, you configure physical parameters, subinterfaces, and VLAN assignments in the system configuration only. You configure all other parameters in the context configuration only.
For models with a built-in switch, you configure physical parameters and switch parameters (including the VLAN assignment) for the physical interfaces only. You configure all other parameters for the VLAN interface.
For the ASA 5505 adaptive security appliance in transparent firewall mode, you can configure two active VLANs in the Base license and three active VLANs in the Security Plus license, one of which must be for failover. In routed mode, you can configure up to three active VLANs with the Base license, and up to 20 active VLANs with the Security Plus license. An active VLAN is a VLAN with a nameif command configured. With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. You limit the third VLAN using the no forward interface command.
The ASA 5510 and higher adaptive security appliances include a dedicated management interface called Management 0/0, which is meant to support traffic to the security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.
Note
If you change interface settings, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.
Examples
The following example configures parameters for the physical interface in single mode:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# speed 1000hostname(config-if)# duplex fullhostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownThe following example configures parameters for a subinterface in single mode:
hostname(config)# interface gigabitethernet0/1.1hostname(config-subif)# vlan 101hostname(config-subif)# nameif dmz1hostname(config-subif)# security-level 50hostname(config-subif)# ip address 10.1.2.1 255.255.255.0hostname(config-subif)# no shutdownThe following example configures interface parameters in multiple context mode for the system configuration, and allocates the gigabitethernet 0/1.1 subinterface to contextA:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# speed 1000hostname(config-if)# duplex fullhostname(config-if)# no shutdownhostname(config-if)# interface gigabitethernet0/1.1hostname(config-subif)# vlan 101hostname(config-subif)# no shutdownhostname(config-subif)# context contextAhostname(config-ctx)# ...hostname(config-ctx)# allocate-interface gigabitethernet0/1.1The following example configures parameters in multiple context mode for the context configuration:
hostname/contextA(config)# interface gigabitethernet0/1.1hostname/contextA(config-if)# nameif insidehostname/contextA(config-if)# security-level 100hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0hostname/contextA(config-if)# no shutdownThe following example configures three VLAN interfaces. The third home interface cannot forward traffic to the work interface.
hostname(config)# interface vlan 100hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address dhcphostname(config-if)# no shutdownhostname(config-if)# interface vlan 200hostname(config-if)# nameif workhostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface vlan 300hostname(config-if)# no forward interface vlan 200hostname(config-if)# nameif homehostname(config-if)# security-level 50hostname(config-if)# ip address 10.2.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/0hostname(config-if)# switchport access vlan 100hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/1hostname(config-if)# switchport access vlan 200hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/2hostname(config-if)# switchport access vlan 200hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/3hostname(config-if)# switchport access vlan 200hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/4hostname(config-if)# switchport access vlan 300hostname(config-if)# no shutdown...The following example configures five VLAN interfaces, including the failover interface which is configured separately using the failover lan command:
hostname(config)# interface vlan 100hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface vlan 200hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.2.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface vlan 300hostname(config-if)# nameif dmzhostname(config-if)# security-level 50hostname(config-if)# ip address 10.3.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface vlan 400hostname(config-if)# nameif backup-isphostname(config-if)# security-level 50hostname(config-if)# ip address 10.1.2.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# failover lan faillink vlan500hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2 255.255.255.0hostname(config)# interface ethernet 0/0hostname(config-if)# switchport access vlan 100hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/1hostname(config-if)# switchport access vlan 200hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/2hostname(config-if)# switchport access vlan 300hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/3hostname(config-if)# switchport access vlan 400hostname(config-if)# no shutdownhostname(config-if)# interface ethernet 0/4hostname(config-if)# switchport access vlan 500hostname(config-if)# no shutdownRelated Commands
interface (vpn load-balancing)
To specify a non-default public or private interface for VPN load-balancing in the VPN load-balancing virtual cluster, use the interface command in vpn load-balancing mode. To remove the interface specification and revert to thte default interface, use the no form of this command.
interface {lbprivate | lbpublic} interface-name]
no interface {lbprivate | lbpublic}
Syntax Description
Defaults
If you omit the interface command, the lbprivate interface defaults to inside, and the lbpublic interface defaults to outside.
Command Modes
The following table shows the modes in which you can enter the command:
vpn load-balancing
•
—
•
—
—
Command History
Usage Guidelines
You must have first used the vpn load-balancing command to enter vpn load-balancing mode.
You must also have previously used the interface, ip address and nameif commands to configure and assign a name to the interface that you are specifying in this command.
The no form of this command reverts the interface to its default.
Examples
The following is an example of a vpn load-balancing command sequence that includes an interface command that specifies the public interface of the cluster as "test" one that reverts the private interface of the cluster to the default (inside):
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# no interface lbprivatehostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# participateRelated Commandshostname(config-load-balancing)# participate
interface-policy
To specify the policy for failover when monitoring detects an interface failure, use the interface-policy command in failover group configuration mode. To restore the default values, use the no form of this command.
interface-policy num[%]
no interface-policy num[%]
Syntax Description
num
Specifies a number from 1 to 100 when used as a percentage, or 1 to the maximum number of interfaces.
%
(Optional) Specifies that the number num is a percentage of the monitored interfaces.
Defaults
If the failover interface-policy command is configured for the unit, then the default for the interface-policy failover group command assumes that value. If not, then num is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
There is no space between the num argument and the optional % keyword.
If the number of failed interfaces meets the configured policy and the other security appliance is functioning properly, the security appliance will mark itself as failed and a failover may occur (if the active security appliance is the one that fails). Only interfaces that are designated as monitored by the monitor-interface command count towards the policy.
Examples
The following partial example shows a possible configuration for a failover group:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# interface-policy 25%hostname(config-fover-group)# exithostname(config)#Related Commands
interval maximum
To configure the maximum interval between update attempts by a DDNS update method, use the interval command in DDNS-update-method mode. To remove an interval for a DDNS update method from the running configuration, use the no form of this command.
interval maximum days hours minutes seconds
no interval maximum days hours minutes seconds
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
DDNS-update-method configuration
•
—
•
•
—
Command History
Usage Guidelines
The days, hours, minutes, and seconds are added together to arrive at the total interval.
Examples
The following example configures a method called ddns-2 to attempt an update every 3 minutes and 15 seconds:
hostname(config)# ddns update method ddns-2hostname(DDNS-update-method)# interval maximum 0 0 3 15Related Commands
invalid-ack
To set the action for packets with an invalid ACK, use the invalid-ack command in tcp-map configuration mode. To set the value back to the default, use the no form of this command. This command is part of the TCP normalization policy enabled using the set connection advanced-options command.
invalid-ack {allow | drop}
no invalid-ack
Syntax Description
Defaults
The default action is to drop packets with an invalid ACK.
Command Modes
The following table shows the modes in which you can enter the command:
Tcp-map configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable TCP normalization, use the Modular Policy Framework:
1.
a.
2.
3.
a.
b.
4.
You might see invalid ACKs in the following instances:
•
•
Note
Examples
The following example sets the security appliance to allow packets with an invalid ACK:
hostname(config)# tcp-map tmaphostname(config-tcp-map)# invalid-ack allowhostname(config)# class-map cmaphostname(config-cmap)# match anyhostname(config)# policy-map pmaphostname(config-pmap)# class cmaphostname(config-pmap)# set connection advanced-options tmaphostname(config)# service-policy pmap globalhostname(config)#Related Commands
ip address
To set the IP address for an interface (in routed mode) or for the management address (transparent mode), use the ip address command. For routed mode, enter this command in interface configuration mode. In transparent mode, enter this command in global configuration mode. To remove the IP address, use the no form of this command. This command also sets the standby address for failover.
ip address ip_address [mask] [standby ip_address]
no ip address [ip_address]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Global configuration
—
•
•
•
—
Command History
7.0(1)
For routed mode, this command was changed from a global configuration command to an interface configuration mode command.
Usage Guidelines
In single context routed firewall mode, each interface address must be on a unique subnet. In multiple context mode, if this interface is on a shared interface, then each IP address must be unique but on the same subnet. If the interface is unique, this IP address can be used by other contexts if desired.
A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address. This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access. This address must be on the same subnet as the upstream and downstream routers. For multiple context mode, set the management IP address within each context.
The standby IP address must be on the same subnet as the main IP address.
Examples
The following example sets the IP addresses and standby addresses of two interfaces:
hostname(config)# interface gigabitethernet0/2hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2hostname(config-if)# no shutdownhostname(config-if)# interface gigabitethernet0/3hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2hostname(config-if)# no shutdownThe following example sets the management address and standby address of a transparent firewall:
hostname(config)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2Related Commands
ip address dhcp
To use DHCP to obtain an IP address for an interface, use the ip address dhcp command in interface configuration mode. To disable the DHCP client for this interface, use the no form of this command.
ip address dhcp [setroute]
no ip address dhcp
Syntax Description
setroute
(Optional) Allows the security appliance to use the default route supplied by the DHCP server.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
Reenter this command to reset the DHCP lease and request a new lease.
If you do not enable the interface using the no shutdown command before you enter the ip address dhcp command, some DHCP requests might not be sent.
Examples
The following example enables DHCP on the gigabitethernet0/1 interface:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# no shutdownhostname(config-if)# ip address dhcpRelated Commands
ip address pppoe
To enable PPPoE, use the ip address pppoe command in interface configuration mode. To disable PPPoE, use the no form of this command.
ip address [ip_address [mask]] pppoe [setroute]
no ip address [ip_address [mask]] pppoe
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
PPPoE combines two widely accepted standards, Ethernet and PPP, to provide an authenticated method of assigning IP addresses to client systems. ISPs deploy PPPoE because it supports high-speed broadband access using their existing remote access infrastructure and because it is easier for customers to use.
Before you set the IP address using PPPoE, configure the vpdn commands to set the username, password, and authentication protocol. If you enable this command on more than one interface, for example for a backup link to your ISP, then you can assign each interface to a different VPDN group if necessary using the pppoe client vpdn group command.
The maximum transmission unit (MTU) size is automatically set to 1492 bytes, which is the correct value to allow PPPoE transmission within an Ethernet frame.
Reenter this command to reset and restart the PPPoE session.
You cannot set this command at the same time as the ip address command or the ip address dhcp command.
Examples
The following example enables PPPoE on the Gigabitethernet 0/1 interface:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address pppoehostname(config-if)# no shutdownThe following example manually sets the IP address for a PPPoE interface:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address 10.1.1.1 255.255.255.0 pppoehostname(config-if)# no shutdownRelated Commands
