-
Cisco Security Appliance Command Reference, Version 7.2
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting command through accounting-server-group Commands
-
acl-netmask-convert through auto-update timeout Commands
-
backup interface through browse networks Commands
-
cache through clear compression Commands
-
clear conn through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
ddns through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
intercept-dhcp through issuer-name Commands
-
java-trustpoint through kill Commands
-
l2tp tunnel hello through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
packet-tracer through pwd Commands
-
queue-limit through router rip Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show ddns through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show xlate Commands
-
shun through sysopt radius ignore-secret Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Table Of Contents
mac address through multicast-routing Commands
match default-inspection-traffic
match flow ip destination-address
match third-party-registration
memory delayed-free-poisoner enable
memory delayed-free-poisoner validate
mac address through multicast-routing Commands
mac address
To specify the virtual MAC addresses for the active and standby units, use the mac address command in failover group configuration mode. To restore the default virtual MAC addresses, use the no form of this command.
mac address phy_if [active_mac] [standby_mac]
no mac address phy_if [active_mac] [standby_mac]
Syntax Description
Defaults
The defaults are as follows:
•
Active unit default MAC address: 00a0.c9physical_port_number.failover_group_id01.
•
Command Modes
The following table shows the modes in which you can enter the command:
Failover group configuration
•
•
—
—
•
Command History
Usage Guidelines
If the virtual MAC addresses are not defined for the failover group, the default values are used.
If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address.
Examples
The following partial example shows a possible configuration for a failover group:
hostname(config)# failover group 1hostname(config-fover-group)# primaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# exithostname(config)# failover group 2hostname(config-fover-group)# secondaryhostname(config-fover-group)# preempt 100hostname(config-fover-group)# mac address e1 0000.a000.a011 0000.a000.a012hostname(config-fover-group)# exithostname(config)#Related Commands
failover group
Defines a failover group for Active/Active failover.
failover mac address
Specifies a virtual MAC address for a physical interface.
mac-address
To manually assign a private MAC address to an interface or subinterface, use the mac-address command in interface configuration mode. In multiple context mode, this command can assign a different MAC address to the interface in each context. To revert the MAC address to the default, use the no form of this command.
mac-address mac_address [standby mac_address]
no mac-address [mac_address [standby mac_address]]
Syntax Description
Defaults
The default MAC address is the burned-in MAC address of the physical interface. Subinterfaces inherit the physical interface MAC address. Some commands set the physical interface MAC address (including this command in single mode), so the inherited address depends on that configuration.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
—
Command History
Usage Guidelines
In multiple context mode, if you share an interface between contexts, you can assign a unique MAC address to the interface in each context. This feature lets the security appliance easily classify packets into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has some limitations. See the Cisco Security Appliance Command Line Configuration Guide for more information.
You can assign each MAC address manually with this command, or you can automatically generate MAC addresses for shared interfaces in contexts using the mac-address auto command. If you automatically generate MAC addresses, you can use the mac-address command to override the generated address.
For single context mode, or for interfaces that are not shared in multiple context mode, you might want to assign unique MAC addresses to subinterfaces. For example, your service provider might perform access control based on the MAC address.
You can also set the MAC address using other commands or methods. The MAC address methods have the following priority:
1.
This command works for physical interfaces and subinterfaces. In multiple context mode, you set the MAC address within each context. This feature lets you set a different MAC address for the same interface in multiple contexts.
2.
This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
3.
This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
4.
This command applies to shared interfaces in contexts.
5.
This method applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
6.
Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
Examples
The following example configures the MAC address for GigabitEthernet 0/1.1:
hostname/contextA(config)# interface gigabitethernet0/1.1hostname/contextA(config-if)# nameif insidehostname/contextA(config-if)# security-level 100hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0hostname/contextA(config-if)# mac-address 030C.F142.4CDE standby 040C.F142.4CDEhostname/contextA(config-if)# no shutdownRelated Commands
mac-address auto
To automatically assign private MAC addresses to each shared context interface, use the mac-address auto command in global configuration mode. To disable automatic MAC addresses, use the no form of this command.
mac-address auto
no mac-address auto
Syntax Description
This command has no arguments or keywords.
Defaults
Auto-generation is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
—
—
•
Command History
Usage Guidelines
To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets. The destination address is matched with the context NAT configuration, and this method has some limitations compared to the MAC address method. See the Cisco Security Appliance Command Line Configuration Guide for information about classifying packets.
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.
For use with failover, the security appliance generates both an active and standby MAC address for each interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption. Because the mac-address auto command only sets shared interfaces, you should still set virtual MAC addresses for unshared interfaces in an Active/Standby configuration using the mac-address or failover mac address command (Active/Active failover automatically assigns virtual MAC addresses to physical interfaces).
When you assign an interface to a context, the new MAC address is generated immediately. If you enable this command after you create context interfaces, then MAC addresses are generated for all interfaces immediately after you enter the command. If you use the no mac-address auto command, the MAC address for each interface reverts to the default MAC address. For example, subinterfaces of GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1.
The MAC address is generated using the following format:
•
•
For platforms with no interface slots, the slot is always 0. The port is the interface port. The subid is an internal ID for the subinterface, which is not viewable. The contextid is an internal ID for the context, viewable with the show context detail command. For example, the interface GigabitEthernet 0/1.200 in the context with the ID 1 has the following generated MAC addresses, where the internal ID for subinterface 200 is 31:
•
•
In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the mac-address command to manually set the MAC address.
You can also set the MAC address using other commands or methods. The MAC address methods have the following priority:
1.
This command works for physical interfaces and subinterfaces. In multiple context mode, you set the MAC address within each context. This feature lets you set a different MAC address for the same interface in multiple contexts.
2.
This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
3.
This command applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
4.
This command applies to shared interfaces in contexts.
5.
This method applies to physical interfaces. Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
6.
Subinterfaces inherit the MAC address of the physical interface unless set separately by the mac-address or mac-address auto command.
Examples
The following example enables automatic MAC address generation:
hostname(config)# mac-address autoRelated Commands
mac-address-table aging-time
To set the timeout for MAC address table entries, use the mac-address-table aging-time command in global configuration mode. To restore the default value of 5 minutes, use the no form of this command.
mac-address-table aging-time timeout_value
no mac-address-table aging-time
Syntax Description
timeout_value
The time a MAC address entry stays in the MAC address table before timing out, between 5 and 720 minutes (12 hours). 5 minutes is the default.
Defaults
The default timeout is 5 minutes.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Usage Guidelines
No usage guidelines.
Examples
The following example sets the MAC address timeout to 10 minutes:
hostname(config)# mac-address-timeout aging time 10Related Commands
mac-address-table static
To add a static entry to the MAC address table, use the mac-address-table static command in global configuration mode. To remove a static entry, use the no form of this command. Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired. One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the security appliance drops the traffic and generates a system message.
mac-address-table static interface_name mac_address
no mac-address-table static interface_name mac_address
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Examples
The following example adds a static MAC address entry to the MAC address table:
hostname(config)# mac-address-table static inside 0010.7cbe.6101Related Commands
mac-learn
To disable MAC address learning for an interface, use the mac-learn command in global configuration mode. To reenable MAC address learning, use the no form of this command. By default, each interface automatically learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired.
mac-learn interface_name disable
no mac-learn interface_name disable
Syntax Description
interface_name
The interface on which you want to disable MAC learning.
disable
Disables MAC learning.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
—
•
•
•
—
Command History
Examples
The following example disables MAC learning on the outside interface:
hostname(config)# mac-learn outside disableRelated Commands
mac-list
To specify a list of MAC addresses to be used to exempt MAC addresses from authentication and/or authorization, use the mac-list command in global configuration mode. To remove a MAC list entry, use the no form of this command.
mac-list id {deny | permit} mac macmask
no mac-list id {deny | permit} mac macmask
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable MAC address exemption from authentication and authorization, use the aaa mac-exempt command. You can only add one instance of the aaa mac-exempt command, so be sure that your MAC list includes all the MAC addresses you want to exempt. You can create multiple MAC lists, but you can only use one at a time.
Examples
The following example bypasses authentication for a single MAC address:
hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffffhostname(config)# aaa mac-exempt match abcThe following entry bypasses authentication for all Cisco IP Phones, which have the hardware ID 0003.E3:
hostname(config)# mac-list acd permit 0003.E300.0000 FFFF.FF00.0000hostname(config)# aaa mac-exempt match acdThe following example bypasses authentication for a a group of MAC addresses except for 00a0.c95d.02b2. Enter the deny statement before the permit statement, because 00a0.c95d.02b2 matches the permit statement as well, and if it is first, the deny statement will never be matched.
hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffffhostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000hostname(config)# aaa mac-exempt match 1Related Commands
mail-relay
To configure a local domain name, use the mail-relay command in parameters configuration mode. To disable this feature, use the no form of this command.
mail-relay domain_name action {drop-connection | log}
no mail-relay domain_name action {drop-connection | log}
Syntax Description
domain_name
Specifies the domain name.
drop-connection
Closes the connection.
log
Generates a system log message.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Examples
The following example shows how to configure a mail relay for a specific domain:
hostname(config)# policy-map type inspect esmtp esmtp_maphostname(config-pmap)# parametershostname(config-pmap-p)# mail-relay mail action drop-connectionRelated Commands
management-access
To allow management access to an interface other than the onefrom which you entered the security appliance when using IPSec VPN, use the management-access command in global configuration mode. To disable, use the no form of this command.
management-access mgmt_if
no management-access mgmt_if
Syntax Description
mgmt_if
Specifies the name of the management interface you want to access when entering the security appliance from another interface.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command allows you to connect to an interface other than the one you entered the security appliance from when using IPSec VPN. For example, if you enter the security appliance from the outside interface, this command lets you connect to the inside interface using Telnet; or you can ping the inside interface when entering from the outside interface.
You can define only one management-access interface.
Examples
The following example shows how to configure a firewall interface named "inside" as the management access interface:
hostname(config)# management-access insidehostname(config)# show management-accessmanagement-access insideRelated Commands
management-only
To set an interface to accept management traffic only, use the management-only command in interface configuration mode. To allow through traffic, use the no form of this command.
management-only
no management-only
Syntax Description
This command has no arguments or keywords.
Defaults
The Management 0/0 interface on the ASA 5510 and higher adaptive security appliance is set to management-only mode by default.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The ASA 5510 and higher adaptive security appliance includes a dedicated management interface called Management 0/0, which is meant to support traffic to the security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.
Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA 5510 and higher adaptive security appliance, you can use the Management 0/0 interface (either the physical interface or a subinterface) as a third interface for management traffic. The mode is not configurable in this case and must always be management-only. You can also set the IP address of this interface in transparent mode if you want this interface to be on a different subnet from the management IP address, which is assigned to the security appliance or context, and not to individual interfaces.
Examples
The following example disables management-only mode on the management interface:
hostname(config)# interface management0/0hostname(config-if)# no management-onlyThe following example enables management-only mode on a subinterface:
hostname(config)# interface gigabitethernet0/2.1hostname(config-subif)# management-onlyRelated Commands
map-name
To map a user-defined attribute name to a Cisco attribute name, use the map-name command in ldap-attribute-map configuration mode.
To remove this mapping, use the no form of this command.
map-name user-attribute-name Cisco-attribute-name
no map-name user-attribute-name Cisco-attribute-name
Syntax Description
Syntax DescriptionSyntax Description
Defaults
By default, no name mappings exist.
Command Modes
The following table shows the modes in which you can enter the command:
ldap-attribute-map configuration
•
•
•
•
—
Command History
Usage Guidelines
With the map-name command, you can create map yourown attribute names to Cisco attribute names. You can then bind the resulting attribute map to an LDAP server. Your typical steps would include:
1.
2.
3.
Note
Examples
The following example commands map a user-defined attribute name Hours to the Cisco attribute name cVPN3000-Access-Hours in the LDAP attribute map myldapmap:
hostname(config)# ldap attribute-map myldapmaphostname(config-ldap-attribute-map)# map-name Hours cVPN3000-Access-Hourshostname(config-ldap-attribute-map)#Within ldap-attribute-map mode, you can enter "?" to display the complete list of Cisco LDAP attribute names, as shown in the following example:
hostname(config-ldap-attribute-map)# map-name ?ldap mode commands/options:cisco-attribute-names:cVPN3000-Access-HourscVPN3000-Allow-Network-Extension-ModecVPN3000-Auth-Service-TypecVPN3000-Authenticated-User-Idle-TimeoutcVPN3000-Authorization-RequiredcVPN3000-Authorization-Type::cVPN3000-X509-Cert-Datahostname(config-ldap-attribute-map)#Related Commands
