-
Cisco Security Appliance Command Reference, Version 7.2
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting command through accounting-server-group Commands
-
acl-netmask-convert through auto-update timeout Commands
-
backup interface through browse networks Commands
-
cache through clear compression Commands
-
clear conn through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
ddns through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
intercept-dhcp through issuer-name Commands
-
java-trustpoint through kill Commands
-
l2tp tunnel hello through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
packet-tracer through pwd Commands
-
queue-limit through router rip Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show ddns through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show xlate Commands
-
shun through sysopt radius ignore-secret Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Table Of Contents
packet-tracer through pwd Commands
password (crypto ca trustpoint)
packet-tracer through pwd Commands
packet-tracer
To enable packet tracing capabilities for packet sniffing and network fault isolation, use the packet-tracer command. To disable packet capture capabilities, use the no form of this command.
packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]
no packet-tracer
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Priveleged mode
•
—
•
•
•
Command History
Usage Guidelines
In addition to capturing packets, it is possible to trace the lifespan of a packet through the security appliance to see if it is behaving as expected. The packet-tracer command lets you do the following:
•
•
•
•
•
The packet-tracer command provides detailed information about the packets and how they are processed by the security appliance. In the instance that a command from the configuration did not cause the packet to drop, the packet-tracer command will provide information about the cause in an easily readable manner. For example if a packet was dropped because of an invalid header validation, a message is displayed that says, "packet dropped due to bad ip header (reason)."
Examples
To enable packet tracing from inside host 10.2.25.3 to external host 209.165.202.158 with detailed information, enter the following:
hostname# packet-tracer input inside tcp 10.2.25.3 www 209.165.202.158 aol detailedRelated Commands
capture
Captures packet information, including trace packets.
show capture
Displays the capture configuration when no options are specified.
page style
To customize the WebVPN page displayed to WebVPN users when they connect to the security appliance, use the page style command in webvpn customization mode:
page style value
[no] page style value
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
Defaults
The default page style is background-color:white;font-family:Arial,Helv,sans-serif
Command Modes
The following table shows the modes in which you can enter the command:
webvpn customization
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
The following example customizes the page style to large:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# page style font-size:largeRelated Commands
logo
Customizes the logo on the WebVPN page.
title
Customizes the title of the WebVPN page
pager
To set the default number of lines on a page before the "---more---" prompt appears for Telnet sessions, use the pager command in global configuration mode.
pager [lines] lines
Syntax Description
Defaults
The default is 24 lines.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
This command changes the default pager line setting for Telnet sessions. If you want to temporarily change the setting only for the current session, use the terminal pager command.
If you Telnet to the admin context, then the pager line setting follows your session when you change to other contexts, even if the pager command in a given context has a different setting. To change the current pager setting, enter the terminal pager command with a new setting, or you can enter the pager command in the current context. In addition to saving a new pager setting to the context configuration, the pager command applies the new setting to the current Telnet session.
Examples
The following example changes the number of lines displayed to 20:
hostname(config)# pager 20Related Commands
parameters
To enter parameters configuration mode to set parameters for an inspection policy map, use the parameters command in policy-map configuration mode.
parameters
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Policy-map configuration
•
•
•
•
—
Command History
Usage Guidelines
Modular Policy Framework lets you configure special actions for many application inspections. When you enable an inspection engine using the inspect command in the Layer 3/4 policy map (the policy-map command), you can also optionally enable actions as defined in an inspection policy map created by the policy-map type inspect command. For example, enter the inspect dns dns_policy_map command where dns_policy_map is the name of the inspection policy map.
An inspection policy map may support one or more parameters commands. Parameters affect the behavior of the inspection engine. The commands available in parameters configuration mode depend on the application.
Examples
The following example shows how to set the maximum message length for DNS packets in the default inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_maphostname(config-pmap)# parametershostname(config-pmap-p)# message-length maximum 512Related Commands
participate
To force the device to participate in the virtual load-balancing cluster, use the participate command in VPN load-balancing mode. To remove a device from participation in the cluster, use the no form of this command.
participate
no participate
Syntax Description
This command has no arguments or keywords.
Defaults
The default behavior is that the device does not participate in the vpn load-balancing cluster.
Command Modes
The following table shows the modes in which you can enter the command:
VPN load-balancing
•
—
•
—
—
Command History
Usage Guidelines
You must first configure the interface using the interface and nameif commands, and use the vpn load-balancing command to enter VPN load-balancing mode. You must also have previously configured the cluster IP address using the cluster ip command and configured the interface to which the virtual cluster IP address refers.
This command forces this device to participate in the virtual load-balancing cluster. You must explicitly issue this command to enable participation for a device.
All devices that participate in a cluster must share the same cluster-specific values: ip address, encryption settings, encryption key, and port.
Note
If isakmp was enabled when you configured the cluster encryption command, but was disabled before you configured the participate command, you get an error message when you enter the participate command, and the local device will not participate in the cluster.Examples
The following is an example of a VPN load-balancing command sequence that includes a participate command that enables the current device to participate in the vpn load-balancing cluster:
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# participatehostname(config-load-balancing)#Related Commandshostname(config-load-balancing)# participate
passive-interface
To disable the transmission of RIP routing updates on an interface, use the passive-interface command in router configuration mode. To reenable RIP routing updates on an interface, use the no form of this command.
passive-interface [default | if_name]
no passive-interface {default | if_name}
Syntax Description
default
(Optional) Set all interfaces to passive mode.
if_name
(Optional) The interface on which RIP is set to passive mode.
Defaults
All interfaces are enabled for active RIP when RIP is enabled.
If an interface or the default keyword is not specified, the commands defaults to default and appears in the configuration as passive-interface default.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
Enables passive RIP on the interface. The interface listens for RIP routing broadcasts and uses that information to populate the routing tables but does not broadcast routing updates.
Examples
The following example sets the outside interface to passive RIP. The other interfaces on the security appliance send and receive RIP updates.
hostname(config)# router riphostname(config-router)# network 10.0.0.0hostname(config-router)# passive-interface outsideRelated Commands
passwd
To set the login password, use the passwd command in global configuration mode. To set the password back to the default of "cisco," use the no form of this command. You are prompted for the login password when you access the CLI as the default user using Telnet or SSH. After you enter the login password, you are in user EXEC mode.
{passwd | password} password [encrypted]
no {passwd | password} password
Syntax Description
Defaults
The default password is "cisco."
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
This login password is for the default user. If you configure CLI authentication per user for Telnet or SSH using the aaa authentication console command, then this password is not used.
Examples
The following example sets the password to Pa$$w0rd:
hostname(config)# passwd Pa$$w0rdThe following example sets the password to an encrypted password that you copied from another security appliance:
hostname(config)# passwd jMorNbK0514fadBh encryptedRelated Commands
password (crypto ca trustpoint)
To specify a challenge phrase that is registered with the CA during enrollment, use the password command in crypto ca trustpoint configuration mode. The CA typically uses this phrase to authenticate a subsequent revocation request. To restore the default setting, use the no form of the command.
password string
no password
Syntax Description
Defaults
The default setting is to not include a password.
Command Modes
The following table shows the modes in which you can enter the
Crypto ca trustpoint configuration
•
•
•
•
•
command:
Command History
Usage Guidelines
This command lets you specify the revocation password for the certificate before actual certificate enrollment begins. The specified password is encrypted when the updated configuration is written to NVRAM by the security appliance.
If this command is enabled, you will not be prompted for a password during certificate enrollment.
Examples
The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes a challenge phrase registered with the CA in the enrollment request for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# password zzxxyyhostname(ca-trustpoint)#Related Commands
crypto ca trustpoint
Enters trustpoint configuration mode.
default enrollment
Returns enrollment parameters to their defaults.
password-management
To enable password management, use the password-management command in tunnel-group general-attributes configuration mode. To disable password management, use the no form of this command. To reset the number of days to the default value, use the no form of the command with the password-expire-in-days keyword specified.
password-management [password-expire-in-days days]
no password-management
no password-management password-expire-in-days [days]
Syntax Description
Defaults
If you do not specify this command, no password management occurs. If you do not specify the password-expire-in-days keyword, the default length of time to start warning before the current password expires is 14 days.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can configure this attribute for IPSec remote access and WebVPN tunnel-groups.
When you configure this command, the security appliance notifies the remote user at login that the user's current password is about to expire or has expired. The security appliance then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. This command is valid for AAA servers that support such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.
Note that this does not change the number of days before the password expires, but rather, the number of days ahead of expiration that the security appliance starts warning the user that the password is about to expire.
If you do specify the password-expire-in-days keyword, you must also specify the number of days.
Specifying this command with the number of days set to 0 disables this command. The security appliance does not notify the user of the pending expiration, but the user can change the password after it expires.
Examples
The following example sets the days before password expiration to begin warning the user of the pending expiration to 90 for the WebVPN tunnel group "testgroup":
hostname(config)# tunnel-group testgroup type webvpnhostname(config)# tunnel-group testgroup general-attributeshostname(config-tunnel-general)# password-management password-expire-in-days 90hostname(config-tunnel-general)#The following example uses the default value of 14 days before password expiration to begin warning the user of the pending expiration for the IPSec remote access tunnel group "QAgroup":
hostname(config)# tunnel-group QAgroup type ipsec-rahostname(config)# tunnel-group QAgroup general-attributeshostname(config-tunnel-general)# password-managementhostname(config-tunnel-general)#Related Commands
password-parameter
To specify the name of the HTTP POST request parameter in which a user password must be submitted for SSO authentication, use the password-parameter command in aaa-server- host configuration mode. This is an SSO with HTTP Forms command.
password-parameter string
Note
Syntax Description
Syntax DescriptionSyntax Description
string
The name of the password parameter included in the HTTP POST request. The maximum password length is 128 characters.
Defaults
There is no default value or behavior.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server-host configuration
•
—
•
—
—
Command History
Usage Guidelines
The WebVPN server of the security appliance uses an HTTP POST request to submit a single sign-on authentication request to an authenticating web server. The required command password-parameter specifies that the POST request must include a user password parameter for SSO authentication.
Note
Examples
The following example, entered in aaa-server-host configuration mode, specifies a password parameter named user_password:
hostname(config)# aaa-server testgrp1 host example.comhostname(config-aaa-server-host)# password-parameter user_passwordhostname(config-aaa-server-host)#Related Commands
password-prompt
To customize the password prompt of the WebVPN page login box that is displayed to WebVPN users when they connect to the security appliance, use the password-prompt command from webvpn customization mode:
password-prompt {text | style} value
[no] password-prompt {text | style} value
To remove the command from the configuration and cause the value to be inherited, use the no form of the command.
Syntax Description
Defaults
The default text of the password prompt is "PASSWORD:".
The default style of the password prompt is color:black;font-weight:bold;text-align:right.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn customization
•
—
•
—
—
Command History
Usage Guidelines
The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.
Here are some tips for making the most common changes to the WebVPN pages—the page colors:
•
•
•
Note
Examples
In the following example, the text is changed to "Corporate Password:", and the default style is changed with the font weight increased to bolder:
F1-asa1(config)# webvpnF1-asa1(config-webvpn)# customization ciscoF1-asa1(config-webvpn-custom)# password-prompt text Corporate Username:F1-asa1(config-webvpn-custom)# password-prompt style font-weight:bolderRelated Commands
group-prompt
Customizes the group prompt of the WebVPN page
username-prompt
Customizes the username prompt of the WebVPN page
password-storage
To let users store their login passwords on the client system, use the password-storage enable command in group-policy configuration mode or username configuration mode. To disable password storage, use the password-storage disable command.
To remove the password-storage attribute from the running configuration, use the no form of this command. This enables inheritance of a value for password-storage from another group policy.
password-storage {enable | disable}
no password-storage
Syntax Description
Defaults
Password storage is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Username
•
—
•
—
—
Command History
Usage Guidelines
Enable password storage only on systems that you know to be in secure sites.
This command has no bearing on interactive hardware client authentication or individual user authentication for hardware clients.
Examples
The following example shows how to enable password storage for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# password-storage enablepeer-id-validate
To specify whether to validate the identity of the peer using the peer's certificate, use the peer-id-validate command in tunnel-group ipsec-attributes mode. To return to the default value, use the no form of this command.
peer-id-validate option
no peer-id-validate
Syntax Description
option
Specifies one of the following options:
•
•
•
Defaults
The default setting for this command is req.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group ipsec attributes
•
—
•
—
—
Command History
Usage Guidelines
You can apply this attribute to all IPSec tunnel-group types.
Examples
The following example entered in config-ipsec configuration mode, requires validating the peer using the identity of the peer's certificate for the IPSec LAN-to-LAN tunnel group named 209.165.200.225:
hostname(config)# tunnel-group 209.165.200.225 type IPSec_L2Lhostname(config)# tunnel-group 209.165.200.225 ipsec-attributeshostname(config-tunnel-ipsec)
