shun through sysopt radius ignore-secret Commands
shun
To enable a dynamic response to an attacking host by preventing new connections and disallowing packets from any existing connection, use the shun command in privileged EXEC mode. To disable a shun that is based on the src_ip, the actual address that is used by the security appliance for shun lookups, use the no form of this command.
shun src_ip [dst_ip src_port dest_port [protocol]] [vlan vlan_id]
no shun src_ip [vlan vlan_id]
Syntax Description
dest_port | (Optional) Destination port of the connection causing the shun.
dst_ip | (Optional) Address of the target host.
protocol | (Optional) IP protocol, such as UDP or TCP. Not optional if dst_ip is specified.
src_ip | Address of the attacking host.
src_port | (Optional) Source port of the connection causing the shun.
vlan_id | (Optional) Specifies the VLAN ID.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple, Context | Security Context: Multiple, System
Privileged EXEC | • | • | • | • | —
Command History
Release | Modification
Preexisting | This command was preexisting.
Usage Guidelines
The shun command allows you to apply a blocking function to the interface receiving the attack. Packets containing the IP source address of the attacking host are dropped and logged until the blocking function is removed manually or by the Cisco IPS master module. No traffic from the IP source address is allowed to traverse the security appliance. Any remaining connections time out as part of the normal architecture. The blocking function of the shun command is applied whether or not a connection with the specified host address is currently active.
If you use the shun command only with the source IP address of the host, then the default is 0. No further traffic from the offending host is allowed.
Because the shun command is used to block attacks dynamically, it is not displayed in the security appliance configuration.
Whenever an interface is removed, all shuns that are attached to that interface are also removed. If you add a new interface or replace the same interface (same name), then you must add that interface to the IPS Sensor if you want the IPS Sensor to monitor that interface.
Examples
The following example shows that the offending host (10.1.1.27) makes a connection with the victim (10.2.2.89) with TCP. The connection in the security appliance connection table reads as follows:
10.1.1.27, 555-> 10.2.2.89, 666 PROT TCP
If you applied the shun command in the following way:
hostname# shun 10.1.1.27 10.2.2.89 555 666 tcp
the preceding command deletes the connection from the security appliance connection table and also prevents packets from 10.1.1.27 from going through the security appliance. The offending host can be inside or outside of the security appliance.
Related Commands
Command | Description
clear shun | Disables all the shuns that are currently enabled and clears the shun statistics.
show shun | Displays the shun information.
shutdown
To disable an interface, use the shutdown command in interface configuration mode. To enable an interface, use the no form of this command.
shutdown
no shutdown
Syntax Description
This command has no arguments or keywords.
Defaults
All physical interfaces are shut down by default. Allocated interfaces in security contexts are not shut down in the configuration.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple, Context | Security Context: Multiple, System
Interface configuration | • | • | • | • | •
Command History
Release | Modification
7.0(1) | This command was moved from a keyword of the interface command to an interface configuration mode command.
Usage Guidelines
By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface. For multiple context mode, if you allocate a physical interface or subinterface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.
Examples
The following example enables a main interface:
hostname(config)# interface gigabitethernet0/2
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
The following example enables a subinterface:
hostname(config)# interface gigabitethernet0/2.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# no shutdown
The following example shuts down the subinterface:
hostname(config)# interface gigabitethernet0/2.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# shutdown
Related Commands
Command | Description
clear xlate | Resets all translations for existing connections, causing the connections to be reset.
interface | Configures an interface and enters interface configuration mode.
sla monitor
To create an SLA operation, use the sla monitor command in global configuration mode. To remove the SLA operation, use the no form of this command.
sla monitor sla_id
no sla monitor sla_id
Syntax Description
sla_id | Specifies the ID of the SLA being configured. If the SLA does not already exist, it is created. Valid values are from 1 to 2147483647.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple, Context | Security Context: Multiple, System
Global configuration | • | — | • | — | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
The sla monitor command creates SLA operations and enters SLA Monitor configuration mode. Once you enter this command, the command prompt changes to hostname(config-sla-monitor)# to indicate that you are in SLA Monitor configuration mode. If the SLA operation already exists, and a type has already been defined for it, then the prompt appears as hostname(config-sla-monitor-echo)#. You can create a maximum of 2000 SLA operations. Only 32 SLA operations may be debugged at any time.
The no sla monitor command removes the specified SLA operation and the commands used to configure that operation.
After you configure an SLA operation, you must schedule the operation with the sla monitor schedule command. You cannot modify the configuration of the SLA operation after scheduling it. To modify the configuration of a scheduled SLA operation, you must use the no sla monitor command to remove the selected SLA operation completely. Removing an SLA operation also removes the associated sla monitor schedule command. Then you can reenter the SLA operation configuration.
To display the current configuration settings of the operation, use the show sla monitor configuration command. To display operational statistics of the SLA operation, use the show sla monitor operation-state command. To see the SLA commands in the configuration, use the show running-config sla monitor command.
Examples
The following example configures an SLA operation with an ID of 123 and creates a tracking entry with the ID of 1 to track the reachability of the SLA:
hostname(config)# sla monitor 123
hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside
hostname(config-sla-monitor-echo)# timeout 1000
hostname(config-sla-monitor-echo)# frequency 3
hostname(config)# sla monitor schedule 123 life forever start-time now
hostname(config)# track 1 rtr 123 reachability
Related Commands
Command | Description
frequency | Specifies the rate at which the SLA operation repeats.
show sla monitor configuration | Displays the SLA configuration settings.
sla monitor schedule | Schedules the SLA operation.
timeout | Sets the amount of time the SLA operation waits for a response.
track rtr | Creates a tracking entry to poll the SLA.
sla monitor schedule
To schedule an SLA operation, use the sla monitor schedule command in global configuration mode. To remove the SLA operation schedule and place the operation in the pending state, use the no form of this command.
sla monitor schedule sla-id [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]
no sla monitor schedule sla-id
Syntax Description
after hh:mm:ss | Indicates that the operation should start the specified number of hours, minutes, and seconds after the command was entered.
ageout seconds | (Optional) Specifies the number of seconds to keep the operation in memory when it is not actively collecting information. After an SLA operation ages out, it is removed from the running configuration.
day | Number of the day to start the operation on. Valid values are from 1 to 31. If a day is not specified, then the current day is used. If you specify a day you must also specify a month.
hh:mm[:ss] | Specifies an absolute start time in 24-hour notation. Seconds are optional. The next time the specified time occurs is implied unless you specify a month and a day.
life forever | (Optional) Schedules the operation to run indefinitely.
life seconds | (Optional) Sets the number of seconds the operation actively collects information.
month | (Optional) Name of the month to start the operation in. If a month is not specified, then the current month is used. If you specify a month you must also specify a day. You can enter the full English name of the month or just the first three letters.
now | Indicates that the operation should start as soon as the command is entered.
pending | Indicates that no information is collected. This is the default state.
recurring | (Optional) Indicates that the operation will start automatically at the specified time and for the specified duration every day.
sla-id | The ID of the SLA operation being scheduled.
start-time | Sets the time when the SLA operation starts.
Defaults
The defaults are as follows:
• SLA operations are in the pending state until the scheduled time is met. This means that the operation is enabled but not actively collecting data.
• The default ageout time is 0 seconds (never ages out).
• The default life is 3600 seconds (one hour).
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple, Context | Security Context: Multiple, System
Global configuration | • | — | • | — | —
Command History
Release | Modification
7.2(1) | This command was introduced.
Usage Guidelines
When an SLA operation is in an active state, it immediately begins collecting information. The following time line shows the age-out process of the operation:
W----------------------X----------------------Y----------------------Z
• W is the time the SLA operation was configured with the sla monitor command.
• X is the start time of the SLA operation. This is when the operation became "active".
• Y is the end of life as configured with the sla monitor schedule command (the life seconds have counted down to zero).
• Z is the age out of the operation.
The age-out process, if used, starts counting down at W, is suspended between X and Y, and is reset to its configured size and starts counting down again at Y. When an SLA operation ages out, the SLA operation configuration is removed from the running configuration. It is possible for the operation to age out before it executes (that is, Z can occur before X). To ensure that this does not happen, the difference between the operation configuration time and start time (X and W) must be less than the age-out seconds.
The recurring keyword is only supported for scheduling single SLA operations. You cannot schedule multiple SLA operations using a single sla monitor schedule command. The life value for a recurring SLA operation should be less than one day. The ageout value for a recurring operation must be "never" (which is specified with the value 0), or the sum of the life and ageout values must be more than one day. If the recurring option is not specified, the operations are started in the existing normal scheduling mode.
You cannot modify the configuration of the SLA operation after scheduling it. To modify the configuration of a scheduled SLA operation, you must use the no sla monitor command to remove the selected SLA operation completely. Removing an SLA operation also removes the associated sla monitor schedule command. Then you can reenter the SLA operation configuration.
Examples
The following example shows SLA operation 25 scheduled to begin actively collecting data at 3:00 p.m. on April 5. This operation will age out after 12 hours of inactivity. When this SLA operation ages out, all configuration information for the SLA operation is removed from the running configuration.
hostname(config)# sla monitor schedule 25 life 43200 start-time 15:00 apr 5 ageout 43200
The following example shows SLA operation 1 scheduled to begin collecting data after a 5-minute delay. The default life of one hour applies.
hostname(config)# sla monitor schedule 1 start-time after 00:05:00
The following example shows SLA operation 3 scheduled to begin collecting data immediately and is scheduled to run indefinitely:
hostname(config)# sla monitor schedule 3 life forever start-time now
The following example shows SLA operation 15 scheduled to begin automatically collecting data every day at 1:30 a.m.:
hostname(config)# sla monitor schedule 15 start-time 01:30:00 recurring
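The age-out timeline and the recurring constraints from the Usage Guidelines can be checked before a schedule is entered. The following Python check is an added example, not Cisco code; it parses the command syntax shown on this page, and the finding names, the entered_at parameter, the 2024 dates, and the roll-over rule for start times that have already passed are assumptions of the example.

```python
from datetime import datetime, timedelta

DAY = 86400
KEYWORDS = {"life", "start-time", "ageout", "recurring"}
MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()


def _hms(text):
    """Convert hh:mm[:ss] to seconds."""
    parts = [int(p) for p in text.split(":")]
    parts += [0] * (3 - len(parts))
    return parts[0] * 3600 + parts[1] * 60 + parts[2]


def parse_schedule(cmd):
    """Parse one command; defaults per the page: life 3600, ageout 0, pending."""
    tok = cmd.split()
    if tok[:3] != ["sla", "monitor", "schedule"] or len(tok) < 4:
        raise ValueError("not an sla monitor schedule command")
    s = {"sla_id": int(tok[3]), "life": 3600, "ageout": 0,
         "start": ("pending",), "recurring": False}
    i = 4
    while i < len(tok):
        kw, arg = tok[i], tok[i + 1] if i + 1 < len(tok) else None
        if kw == "recurring":
            s["recurring"] = True
            i += 1
        elif kw == "life" and arg:
            s["life"] = None if arg == "forever" else int(arg)
            i += 2
        elif kw == "ageout" and arg:
            s["ageout"] = int(arg)
            i += 2
        elif kw == "start-time" and arg in ("now", "pending"):
            s["start"] = (arg,)
            i += 2
        elif kw == "start-time" and arg == "after" and i + 2 < len(tok):
            s["start"] = ("after", _hms(tok[i + 2]))
            i += 3
        elif kw == "start-time" and arg:
            j = i + 2   # collect up to two tokens: month day, or day month
            while j < min(len(tok), i + 4) and tok[j] not in KEYWORDS:
                j += 1
            s["start"] = ("at", _hms(arg), tok[i + 2:j])
            i = j
        else:
            raise ValueError(f"unexpected token {kw!r}")
    return s


def start_delay(s, entered_at):
    """Seconds from W (command entered) to X (start); None while pending."""
    kind = s["start"][0]
    if kind in ("pending", "now"):
        return None if kind == "pending" else 0
    if kind == "after":
        return s["start"][1]
    secs, extra = s["start"][1], s["start"][2]
    day = next((int(e) for e in extra if e.isdigit()), entered_at.day)
    month = next((MONTHS.index(e[:3].lower()) + 1
                  for e in extra if not e.isdigit()), entered_at.month)
    at = datetime(entered_at.year, month, day) + timedelta(seconds=secs)
    if at < entered_at:
        # Assumption: a passed date means next year, a passed bare time tomorrow.
        at = at.replace(year=at.year + 1) if extra else at + timedelta(days=1)
    return int((at - entered_at).total_seconds())


def check_schedule(cmd, entered_at):
    """Return findings for the pitfalls the Usage Guidelines describe."""
    s = parse_schedule(cmd)
    delay = start_delay(s, entered_at)
    findings = []
    # Age-out counts down from W, so Z precedes X unless (X - W) < ageout.
    if s["ageout"] > 0 and (delay is None or delay >= s["ageout"]):
        findings.append("ages-out-before-start")
    if s["recurring"]:
        if s["life"] is None or s["life"] >= DAY:
            findings.append("recurring-life-not-under-one-day")
        elif s["ageout"] != 0 and s["life"] + s["ageout"] <= DAY:
            findings.append("recurring-ageout-too-short")
    return findings


if __name__ == "__main__":
    cmd = "sla monitor schedule 25 life 43200 start-time 15:00 apr 5 ageout 43200"
    for entered in (datetime(2024, 4, 5, 9), datetime(2024, 4, 4, 9)):  # constructed
        print(entered, check_schedule(cmd, entered))
```

Run against the page's first example, the check passes when the command is entered six hours before the start time and reports ages-out-before-start when it is entered thirty hours before, because the 12-hour age-out expires first.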
Related Commands
Command | Description
show sla monitor configuration | Displays the SLA configuration settings.
sla monitor | Defines an SLA monitoring operation.
smtps
To enter SMTPS configuration mode, use the smtps command in global configuration mode. To remove any commands entered in SMTPS command mode, use the no version of this command. SMTPS is a TCP/IP protocol that lets you send e-mail over an SSL connection.
smtps
no smtps
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple, Context | Security Context: Multiple, System
Global configuration | • | — | • | — | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Examples
The following example shows how to enter SMTPS configuration mode:
Related Commands
Command | Description
clear configure smtps | Removes the SMTPS configuration.
show running-config smtps | Displays the running configuration for SMTPS.
smtp-server
To configure an SMTP server, use the smtp-server command in global configuration mode. To remove the attribute from the configuration, use the no version of this command.
The security appliance includes an internal SMTP client that the Events system can use to notify external entities that a certain event has occurred. You can configure SMTP servers to receive these event notices, and then forward them to specified e-mail addresses. The SMTP facility is active only when you enable E-mail events on the security appliance.
smtp-server {primary_server} [backup_server]
no smtp-server
Syntax Description
primary_server | Identifies the primary SMTP server. Use either an IP address or DNS name.
backup_server | Identifies a backup SMTP server to relay event messages in the event the primary SMTP server is unavailable. Use either an IP address or DNS name.
Defaults
No SMTP server is configured by default.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple, Context | Security Context: Multiple, System
Global configuration | • | • | — | — | •
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
Examples
The following example shows how to set an SMTP server with an IP address of 10.1.1.24, and a backup SMTP server with an IP address of 10.1.1.34:
hostname(config)# smtp-server 10.1.1.24 10.1.1.34
Related Commands
snmp-map
To identify a specific map for defining the parameters for SNMP inspection, use the snmp-map command in global configuration mode. To remove the map, use the no form of this command.
snmp-map map_name
no snmp-map map_name
Syntax Description
map_name | The name of the SNMP map.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple, Context | Security Context: Multiple, System
Global configuration | • | • | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
Use the snmp-map command to identify a specific map to use for defining the parameters for SNMP inspection. When you enter this command, the system enters the SNMP map configuration mode, which lets you enter the different commands used for defining the specific map. After defining the SNMP map, you use the inspect snmp command to enable the map. Then you use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.
Examples
The following example shows how to identify SNMP traffic, define an SNMP map, define a policy, and apply the policy to the outside interface.
hostname(config)# access-list snmp-acl permit udp any any eq 161
hostname(config)# access-list snmp-acl permit udp any any eq 162
hostname(config)# class-map snmp-port
hostname(config-cmap)# match access-list snmp-acl
hostname(config-cmap)# exit
hostname(config)# snmp-map inbound_snmp
hostname(config-snmp-map)# deny version 1
hostname(config-snmp-map)# exit
hostname(config)# policy-map inbound_policy
hostname(config-pmap)# class snmp-port
hostname(config-pmap-c)# inspect snmp inbound_snmp
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy inbound_policy interface outside
Related Commands
Commands | Description
class-map | Defines the traffic class to which to apply security actions.
deny version | Disallows traffic using a specific version of SNMP.
inspect snmp | Enable SNMP application inspection.
policy-map | Associates a class map with specific security actions.
snmp-server community
To set the SNMP community string, use the snmp-server community command in global configuration mode. To remove the community string, use the no form of this command.
snmp-server community text
no snmp-server community [text]
Syntax Description
text | Sets the community string.
Defaults
By default, the community string is public.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple, Context | Security Context: Multiple, System
Global configuration | • | • | • | • | —
Command History
Release | Modification
Preexisting | This command was preexisting.
Usage Guidelines
The SNMP community string is a shared secret among the SNMP management station and the network nodes being managed. The security appliance uses the key to determine if the incoming SNMP request is valid. For example, you could designate a site with a community string and then configure the routers, security appliance, and the management station with this same string. The security appliance uses this string and does not respond to requests with an invalid community string.
Examples
The following example sets the community string to wallawallabingbang:
hostname(config)# snmp-server community wallawallabingbang
Related Commands
Command | Description
snmp-server contact | Sets the SNMP contact name.
snmp-server enable | Enables SNMP on the security appliance.
snmp-server enable traps | Enables SNMP traps.
snmp-server host | Sets the SNMP host address.
snmp-server location | Sets the SNMP server location string.
snmp-server contact
To set the SNMP contact name, use the snmp-server contact command in global configuration mode. To remove the contact name, use the no form of this command.
snmp-server contact text
no snmp-server contact [text]
Syntax Description
text | Specifies the name of the contact person or the security appliance system administrator. The name is case sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple, Context | Security Context: Multiple, System
Global configuration | • | • | • | • | —
Command History
Release | Modification
Preexisting | This command was preexisting.
Examples
The following example sets the contact as Pat Johnson:
hostname(config)# snmp-server contact Pat Johnson
Related Commands
Command | Description
snmp-server community | Sets the SNMP community string.
snmp-server enable | Enables SNMP on the security appliance.
snmp-server enable traps | Enables SNMP traps.
snmp-server host | Sets the SNMP host address.
snmp-server location | Sets the SNMP server location string.
snmp-server enable
To enable the SNMP server on the security appliance, use the snmp-server enable command in global configuration mode. To disable SNMP, use the no form of this command.
snmp-server enable
no snmp-server enable
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the SNMP server is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple, Context | Security Context: Multiple, System
Global configuration | • | • | • | • | —
Command History
Release | Modification
7.0(1) | This command was introduced.
Usage Guidelines
This command lets you enable and disable SNMP easily, without having to configure and reconfigure the SNMP traps or other configuration.
Examples
The following example enables SNMP, configures the SNMP host and traps, and then sends traps as system messages.
hostname(config)# snmp-server enable
hostname(config)# snmp-server community wallawallabingbang
hostname(config)# snmp-server location Building 42, Sector 54
hostname(config)# snmp-server contact Sherlock Holmes
hostname(config)# snmp-server host perimeter 10.1.2.42
hostname(config)# snmp-server enable traps all
hostname(config)# logging history 7
hostname(config)# logging enable
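Because the SNMP server is enabled by default and the community string defaults to public, a configuration that never mentions either still exposes both. The following Python audit is an added example, not Cisco code; it reads running-configuration text using the command syntax on this page, and the finding names, both sample configurations, and the community value constructed-Str1ng are constructed for illustration.

```python
import re

HOST_RE = re.compile(r"^snmp-server host (\S+) (\S+)(.*)$")

# Constructed sample: no community line, so the default (public) applies.
WEAK_CONFIG = """\
snmp-server host perimeter 10.1.2.42 version 1
snmp-server location Building 42, Sector 54
snmp-server contact Sherlock Holmes
snmp-server enable traps all
"""

# Constructed sample: explicit community, trap-only v2c host, SNMPv1 denied.
HARDENED_CONFIG = """\
snmp-map inbound_snmp
 deny version 1
policy-map inbound_policy
 class snmp-port
  inspect snmp inbound_snmp
snmp-server host perimeter 10.1.2.42 trap community constructed-Str1ng version 2c
snmp-server community constructed-Str1ng
"""


def parse_host(line):
    """Parse 'snmp-server host interface_name ip_address [options]'."""
    m = HOST_RE.match(line)
    if not m:
        raise ValueError(f"not an snmp-server host line: {line!r}")
    host = {"interface": m.group(1), "ip": m.group(2), "mode": None,
            "community": None, "version": None, "udp-port": "162"}
    tokens = m.group(3).split()
    i = 0
    while i < len(tokens):
        if tokens[i] in ("trap", "poll"):
            host["mode"] = tokens[i]
            i += 1
        elif tokens[i] in ("community", "version", "udp-port") and i + 1 < len(tokens):
            host[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {tokens[i]!r}")
    return host


def audit_snmp(config_text):
    """Return (finding, detail) tuples for one running configuration."""
    enabled = True          # page: the SNMP server is enabled by default
    community = "public"    # page: the default community string is public
    hosts, v1_deny_maps, inspected_maps = [], set(), set()
    current_map = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current_map = None      # a top-level line ends snmp-map sub-mode
        if line == "no snmp-server enable":
            enabled = False
        elif line.startswith("snmp-server community "):
            community = line.split(None, 2)[2]
        elif line.startswith("snmp-server host "):
            hosts.append(parse_host(line))
        elif line.startswith("snmp-map "):
            current_map = line.split()[1]
        elif line == "deny version 1" and current_map:
            v1_deny_maps.add(current_map)
        elif line.startswith("inspect snmp "):
            inspected_maps.add(line.split()[2])
    findings = []
    if enabled:
        if community == "public":
            findings.append(("default-community", "global community is public"))
        for h in hosts:
            if h["community"] == "public":
                findings.append(("host-default-community", h["ip"]))
            if h["version"] == "1":
                findings.append(("host-snmpv1", h["ip"]))
    # Inspection covers SNMP passing through the appliance, so it is checked
    # whether or not the appliance's own SNMP server is enabled.
    if not (v1_deny_maps & inspected_maps):
        findings.append(("no-v1-deny-map", "no inspected snmp-map denies version 1"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_snmp(cfg))
```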
Related Commands
Command | Description
snmp-server community | Sets the SNMP community string.
snmp-server contact | Sets the SNMP contact name.
snmp-server enable traps | Enables SNMP traps.
snmp-server host | Sets the SNMP host address.
snmp-server location | Sets the SNMP server location string.
snmp-server enable traps
To enable the security appliance to send traps to the NMS, use the snmp-server enable traps command in global configuration mode. To disable traps, use the no form of this command.
snmp-server enable traps [all | syslog | snmp [trap] [...] | entity [trap] [...] | ipsec [trap] [...] | remote-access [trap]]
no snmp-server enable traps [all | syslog | snmp [trap] [...] | entity [trap] [...] | ipsec [trap] [...] | remote-access [trap]]
Syntax Description
all | Enables all traps.
entity [trap] | Enables entity traps. Traps for entity include: config-change, fru-insert, fru-remove.
ipsec [trap] | Enables IPSec traps. Traps for ipsec include: start, stop.
remote-access [trap] | Enables remote access traps. Traps for remote-access include: session-threshold-exceeded.
snmp [trap] | Enables SNMP traps. By default, all SNMP traps are enabled. Traps for snmp include: authentication, linkup, linkdown, coldstart.
syslog | Enables syslog traps.
Defaults
The default configuration has all snmp traps enabled (snmp-server enable traps snmp authentication linkup linkdown coldstart). You can disable these traps using the no form of this command with the snmp keyword. However, the clear configure snmp-server command restores the default enabling of SNMP traps.
If you enter this command and do not specify a trap type, then the default is syslog. (The default snmp traps continue to be enabled along with the syslog trap.)
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple, Context | Security Context: Multiple, System
Global configuration | • | • | • | • | —
Command History
Release | Modification
Preexisting | This command was preexisting.
Usage Guidelines
Enter this command for each feature type to enable individual traps or sets of traps, or enter the all keyword to enable all traps.
To send traps to the NMS, enter the logging history command, and enable logging using the logging enable command.
Examples
The following example enables SNMP, configures the SNMP host and traps, and then sends traps as system messages.
hostname(config)# snmp-server enable
hostname(config)# snmp-server community wallawallabingbang
hostname(config)# snmp-server location Building 42, Sector 54
hostname(config)# snmp-server contact Sherlock Holmes
hostname(config)# snmp-server host perimeter 10.1.2.42
hostname(config)# snmp-server enable traps all
hostname(config)# logging history 7
hostname(config)# logging enable
Related Commands
Command | Description
snmp-server community | Sets the SNMP community string.
snmp-server contact | Sets the SNMP contact name.
snmp-server enable | Enables SNMP on the security appliance.
snmp-server host | Sets the SNMP host address.
snmp-server location | Sets the SNMP server location string.
snmp-server host
To specify the NMS that can use SNMP on the security appliance, use the snmp-server host command in global configuration mode. To disable the NMS, use the no form of this command.
snmp-server host interface_name ip_address [trap | poll] [community text] [version {1 | 2c}] [udp-port port]
no snmp-server host interface_name ip_address [trap | poll] [community text] [version {1 | 2c}] [udp-port port]
Syntax Description
community text | Sets the community string for this NMS.
host | Specifies an IP address of the NMS to which traps should be sent or from which SNMP requests come.
interface_name | Specifies the interface name through which the NMS communicates with the security appliance.
ip_address | Specifies the IP address of an NMS to which SNMP traps should be sent or from which the SNMP requests come.
trap | (Optional) Specifies that only traps are sent, and that this host is not allowed to browse (poll).
poll | (Optional) Specifies that this host is allowed to browse (poll), but no traps are sent.
udp-port udp_port | (Optional) Sets the UDP port to which notifications are sent. SNMP traps are sent on UDP port 162 by default.
version {1 | 2c} | (Optional) Sets the SNMP notification version to version 1 or 2c.