Cisco Security Appliance Command Reference, Version 8.0
default -- duplex

Table Of Contents

default through dynamic-access-policy-record Commands

default (crl configure)

default (interface)

default (time-range)

default-acl

default enrollment

default-domain

default-group-policy

default-group-policy (webvpn)

default-idle-timeout

default-information (EIGRP)

default-information originate (OSPF)

default-information originate (RIP)

default-language

default-metric

delay

delete

deny-message (group-policy webvpn configuration mode)

deny version

description

dhcp client route distance

dhcp client route track

dhcp-client broadcast-flag

dhcp-client client-id

dhcp-client update dns

dhcp-network-scope

dhcp-server

dhcpd address

dhcpd auto_config

dhcpd dns

dhcpd domain

dhcpd enable

dhcpd lease

dhcpd option

dhcpd ping_timeout

dhcpd update dns

dhcpd wins

dhcprelay enable

dhcprelay server

dhcprelay setroute

dhcprelay timeout

dialog

dir

disable

disable (cache)

disable service-settings

display

distance eigrp

distance ospf

distribute-list in

distribute-list out

dns domain-lookup

dns-group (tunnel-group webvpn configuration mode)

dns-guard

dns retries

dns-server

dns server-group

dns timeout

domain-name

domain-name (dns server-group)

downgrade

download-max-size

drop

drop-connection

dtls port

duplex

dynamic-access-policy-config

dynamic-access-policy-record


default through dynamic-access-policy-record Commands


default (crl configure)

To return all CRL parameters to their system default values, use the default command in crl configure configuration mode. The crl configure configuration mode is accessible from the crypto ca trustpoint configuration mode. These parameters are used only when the LDAP server requires them.

default

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crl configure configuration

·

 

·

   

Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Invocations of this command do not become part of the active configuration.

Examples

The following example enters ca-crl configuration mode, and returns CRL command values to their defaults:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# default
hostname(ca-crl)# 

Related Commands

Command
Description

crl configure

Enters crl configure configuration mode.

crypto ca trustpoint

Enters trustpoint configuration mode.

protocol ldap

Specifies LDAP as a retrieval method for CRLs.


default (interface)

To return an interface command to its system default value, use the default command in interface configuration mode.

default command

Syntax Description

command

Specifies the interface command that you want to set to the default. For example:

default security-level

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

This command is a run-time command; when you enter it, it does not become part of the active configuration.

Examples

The following example enters interface configuration mode, and returns the security level to its default:

hostname(config)# interface gigabitethernet 0/0
hostname(config-if)# default security-level

Related Commands

Command
Description

interface

Enters interface configuration mode.


default (time-range)

To restore default settings for the absolute and periodic commands, use the default command in time-range configuration mode.

default {absolute | periodic days-of-the-week time to [days-of-the-week] time}

Syntax Description

absolute

Defines an absolute time when a time range is in effect.

days-of-the-week

The first occurrence of this argument is the starting day or day of the week that the associated time range is in effect. The second occurrence is the ending day or day of the week the associated statement is in effect.

This argument is any single day or combinations of days: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday. Other possible values are:

daily—Monday through Sunday

weekdays—Monday through Friday

weekend—Saturday and Sunday

If the ending days of the week are the same as the starting days of the week, you can omit them.

periodic

Specifies a recurring (weekly) time range for functions that support the time-range feature.

time

Specifies the time in the format HH:MM. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.

to

Entry of the to keyword is required to complete the range "from start-time to end-time."


Defaults

There are no default settings for this command.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Time-range configuration

·

·

·

·

 

Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

If the end days-of-the-week value is the same as the start value, you can omit them.

If a time-range command has both absolute and periodic values specified, then the periodic commands are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.

The time-range feature relies on the system clock of the security appliance. Because a wrong clock silently opens or closes every rule that references a time range, synchronize the clock with NTP (ntp server) rather than setting it by hand.

Examples

The following example shows how to restore the default behavior of the absolute keyword:

hostname(config-time-range)# default absolute
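
The following configuration is an added example, not part of the original reference. It combines an absolute window and a periodic entry in one time range and applies it to an access-list entry, so the interaction described in the usage guidelines (the periodic entry is evaluated only inside the absolute window) is visible end to end. The names CONTRACTOR-WINDOW and contractor-acl, the NTP server, the addresses, and the dates are assumptions for illustration.

```cisco
! Time-based rules are only as good as the clock; source it from NTP
! (assumed server address) rather than setting it by hand.
ntp server 192.0.2.10 source inside

! The range is in effect only between the absolute start and end.
! Inside that window the periodic entry narrows it to business hours.
time-range CONTRACTOR-WINDOW
 absolute start 08:00 1 March 2008 end 17:00 31 March 2008
 periodic weekdays 08:00 to 17:00

! To drop either entry back to its default without deleting the
! time-range, use the default command in time-range mode:
!   default absolute
!   default periodic weekdays 08:00 to 17:00

! The ACE matches only while the time range is in effect; outside the
! window the packet falls through to the implicit deny at the end of
! the ACL (assumed contractor network and SSH target).
access-list contractor-acl extended permit tcp 203.0.113.0 255.255.255.0 host 10.2.2.20 eq 22 time-range CONTRACTOR-WINDOW
access-group contractor-acl in interface outside
```

Verify the result with show time-range (the entry reports active or inactive) before relying on it; a time range that is never active is indistinguishable from a missing permit.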

Related Commands

Command
Description

absolute

Defines an absolute time when a time range is in effect.

periodic

Specifies a recurring (weekly) time range for functions that support the time-range feature.

time-range

Defines access control to the security appliance based on time.


default-acl

To specify the ACL to be used as the default ACL for NAC Framework sessions that fail posture validation, use the default-acl command in nac-policy-nac-framework configuration mode. To remove the command from the NAC policy, use the no form of the command.

[no] default-acl acl-name

Syntax Description

acl-name

Names the access control list to be applied to the session.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

nac-policy-nac-framework configuration


Command History

Release
Modification

7.3(0)

"nac-" removed from command name. Command moved from group-policy configuration mode to nac-policy-nac-framework configuration mode.

7.2(1)

This command was introduced.


Usage Guidelines

Each NAC Framework policy specifies a default ACL. The security appliance applies it to hosts that match a group policy referencing the NAC policy (see nac-settings) and that are eligible for NAC. The security appliance applies the NAC default ACL before posture validation. Following posture validation, the security appliance replaces the default ACL with the one obtained from the Access Control Server for the remote host. If posture validation fails, the default ACL stays in force, so it should grant only the access a host needs to complete posture validation or remediation.

The security appliance also applies the NAC default ACL if clientless authentication is enabled (which is the default setting).

Examples

The following example identifies acl-1 as the ACL to be applied until posture validation succeeds:

hostname(config-nac-policy-nacframework)# default-acl acl-1
hostname(config-nac-policy-nacframework)#

The following example removes the default ACL from the NAC policy:

hostname(config-nac-policy-nacframework)# no default-acl acl-1
hostname(config-nac-policy-nacframework)#
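
The following running-configuration fragment is an added example, not part of the original reference. It shows where the default ACL lives from 7.3 onward (in the NAC policy, which the group policy then references) and how to write the ACL so that a host that fails posture validation is left with least privilege rather than full access. The ACL and policy names and the server addresses are assumptions for illustration.

```cisco
! Applied while posture validation is pending and kept if it fails:
! permit only the posture/remediation infrastructure (assumed
! addresses) and explicitly deny everything else.
access-list NAC-DEFAULT extended permit udp any host 10.10.10.5 eq domain
access-list NAC-DEFAULT extended permit tcp any host 10.10.10.6 eq www
access-list NAC-DEFAULT extended deny ip any any

! The default ACL is an attribute of the NAC Framework policy ...
nac-policy nac-framework1 nac-framework
 default-acl NAC-DEFAULT

! ... and the group policy assigns that NAC policy to its users.
group-policy remote-users internal
group-policy remote-users attributes
 nac-settings value nac-framework1
```

After posture validation succeeds the ACL returned by the Access Control Server replaces NAC-DEFAULT for that session; until then, and for any host that fails, NAC-DEFAULT is the only filter in place, which is why it ends in an explicit deny.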

Related Commands

Command
Description

nac-policy

Creates and accesses a Cisco NAC policy, and specifies its type.

nac-settings

Assigns a NAC policy to a group policy.

debug nac

Enables logging of NAC Framework events

show vpn-session_summary.db

Displays the number of IPSec, WebVPN, and NAC sessions.

show vpn-session.db

Displays information about VPN sessions, including NAC results.


default enrollment

To return all enrollment parameters to their system default values, use the default enrollment command in crypto ca trustpoint configuration mode.

default enrollment

Syntax Description

This command has no arguments or keywords.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration

·

·

·

·

·


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

Invocations of this command do not become part of the active configuration.

Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and returns all enrollment parameters to their default values within trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# default enrollment
hostname(ca-trustpoint)#

Related Commands

Command
Description

clear configure crypto ca trustpoint

Removes all trustpoints.

crl configure

Enters crl configuration mode.

crypto ca trustpoint

Enters trustpoint configuration mode.


default-domain

To set a default domain name for users of the group policy, use the default-domain command in group-policy configuration mode. To delete a domain name, use the no form of this command.

default-domain {value domain-name | none}

no default-domain [domain-name]

Syntax Description

none

Indicates that there is no default domain name. Sets a default domain name with a null value, thereby disallowing a default domain name. Prevents inheriting a default domain name from a default or specified group policy.

value domain-name

Identifies the default domain name for the group.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

To prevent users from inheriting a domain name, use the default-domain none command.

The security appliance passes the default domain name to the IPSec client to append to DNS queries that omit the domain field. This domain name applies only to tunneled packets. When there are no default domain names, users inherit the default domain name in the default group policy.

You can use only alphanumeric characters, hyphens (-), and periods (.) in default domain names.

Examples

The following example shows how to set a default domain name of FirstDomain for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# default-domain value FirstDomain

Related Commands

Command
Description

split-dns

Provides a list of domains to be resolved through the split tunnel.

split-tunnel-network-list

Identifies the access list the security appliance uses to distinguish networks that require tunneling and those that do not.

split-tunnel-policy

Lets an IPSec client conditionally direct packets over an IPSec tunnel in encrypted form, or to a network interface in cleartext form.


default-group-policy

To specify the set of attributes that the user inherits by default, use the default-group-policy command in tunnel-group general-attributes configuration mode. To eliminate a default group policy name, use the no form of this command.

default-group-policy group-name

no default-group-policy group-name

Syntax Description

group-name

Specifies the name of the default group.


Defaults

The default group name is DfltGrpPolicy.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group general-attributes configuration


Command History

Version
Modification

7.0(1)

This command was introduced.

7.1(1)

The default-group-policy command in webvpn configuration mode was deprecated. The default-group-policy command in tunnel-group general-attributes mode replaces it.


Usage Guidelines

In Version 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group general-attributes mode.

The default group policy DfltGrpPolicy comes with the initial configuration of the security appliance. You can apply this attribute to all tunnel-group types.

Examples

The following example, entered in tunnel-group general-attributes configuration mode, specifies a set of attributes for users to inherit by default for an IPSec remote-access tunnel group named "standard-policy". This set of commands also defines the accounting server, the authentication server, the authorization server, and the address pools.

hostname(config)# tunnel-group standard-policy type ipsec-ra
hostname(config)# tunnel-group standard-policy general-attributes
hostname(config-tunnel-general)# default-group-policy first-policy
hostname(config-tunnel-general)# accounting-server-group aaa-server123
hostname(config-tunnel-general)# address-pool (inside) addrpool1 addrpool2 addrpool3
hostname(config-tunnel-general)# authentication-server-group aaa-server456
hostname(config-tunnel-general)# authorization-server-group aaa-server78
hostname(config-tunnel-general)# 

Related Commands

Command
Description

clear configure tunnel-group

Clears all configured tunnel groups.

group-policy

Creates or edits a group policy

show running-config tunnel-group

Shows the tunnel group configuration for all tunnel groups or for a particular tunnel group.

tunnel-group general-attributes

Specifies the general attributes for the named tunnel-group.


default-group-policy (webvpn)

To specify the name of the group policy to use when the WebVPN or e-mail proxy configuration does not specify a group policy, use the default-group-policy command in various configuration modes. To remove the attribute from the configuration, use the no version of this command.

default-group-policy groupname

no default-group-policy

Syntax Description

groupname

Identifies the previously configured group policy to use as the default group policy. Use the group-policy command to configure a group policy.


Defaults

A default group policy, named DfltGrpPolicy, always exists on the security appliance. This default-group-policy command lets you substitute a group policy that you create as the default group policy for WebVPN and e-mail proxy sessions. An alternative is to edit the DfltGrpPolicy.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn configuration

Imap4s configuration

Pop3s configuration

Smtps configuration


Command History

Version
Modification

7.0(1)

This command was introduced.

7.1(1)

This command was deprecated in webvpn configuration mode and moved to tunnel-group general-attributes configuration mode.


Usage Guidelines

WebVPN, IMAP4S, POP3S, and SMTPS sessions require either a specified or a default group policy. For WebVPN, use this command in webvpn mode. For e-mail proxy, use this command in the applicable e-mail proxy mode.

In Version 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group general-attributes mode.

You can edit, but not delete, the system default group policy DfltGrpPolicy. It has the following attribute-value pairs:

Attribute                          Default Value
wins-server                        none
dns-server                         none
dhcp-network-scope                 none
vpn-access-hours                   unrestricted
vpn-simultaneous-logins            3
vpn-idle-timeout                   30 minutes
vpn-session-timeout                none
vpn-filter                         none
vpn-tunnel-protocol                WebVPN
ip-comp                            disable
re-xauth                           disable
group-lock                         none
pfs                                disable
client-access-rules                none
banner                             none
password-storage                   disabled
ipsec-udp                          disabled
ipsec-udp-port                     0
backup-servers                     keep-client-config
split-tunnel-policy                tunnelall
split-tunnel-network-list          none
default-domain                     none
split-dns                          none
intercept-dhcp                     disable
client-firewall                    none
secure-unit-authentication         disabled
user-authentication                disabled
user-authentication-idle-timeout   none
ip-phone-bypass                    disabled
leap-bypass                        disabled
nem                                disabled

webvpn attributes:

filter                             none
functions                          disabled
homepage                           none
html-content-filter                none
port-forward                       disabled
port-forward-name                  none
url-list                           none


Examples

The following example shows how to specify a default group policy called WebVPN7 for WebVPN:

hostname(config)# webvpn
hostname(config-webvpn)# default-group-policy WebVPN7
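
Because the webvpn-mode form of this command is deprecated from 7.1(1), the following added example (not part of the original reference) shows the equivalent configuration in tunnel-group general-attributes mode, which is what the security appliance transforms the webvpn-mode command into. DefaultWEBVPNGroup is the tunnel group that WebVPN sessions use when no other tunnel group is selected; the group-policy name WebVPN7 is the one used in the example above.

```cisco
! A named group policy restricted to clientless SSL VPN only, so a user
! who lands in it cannot bring up an IPSec or SSL client tunnel.
group-policy WebVPN7 internal
group-policy WebVPN7 attributes
 vpn-tunnel-protocol webvpn

! Make it the default for WebVPN sessions: the tunnel group, not the
! webvpn configuration, now carries the default-group-policy setting.
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy WebVPN7
```

Users whose tunnel group or username record specifies no group policy inherit WebVPN7; anything WebVPN7 leaves unset is in turn inherited from DfltGrpPolicy, so review that policy's defaults (listed above) before assuming an attribute is off.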

default-idle-timeout

To set a default idle timeout value for WebVPN users, use the default-idle-timeout command in webvpn configuration mode. To remove the default idle timeout value from the configuration and reset the default, use the no form of this command.

The default idle timeout prevents stale sessions.

default-idle-timeout seconds

no default-idle-timeout

Syntax Description

seconds

Specifies the number of seconds for the idle time out. The minimum is 60 seconds, maximum is 1 day (86400 seconds).


Defaults

1800 seconds (30 minutes).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn configuration


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The security appliance uses the value you set here if there is no idle timeout defined for a user, if the value is 0, or if the value does not fall into the valid range.

We recommend that you set this command to a short time period. This is because a browser set to disable cookies (or one that prompts for cookies and then denies them) can result in a user not connecting but nevertheless appearing in the sessions database. If the maximum number of connections permitted is set to one (vpn-simultaneous-logins command), the user cannot log back in because the database indicates that the maximum number of connections already exists. Setting a low idle timeout removes such phantom sessions quickly, and lets a user log in again.

Examples

The following example shows how to set the default idle timeout to 1200 seconds (20 minutes):

hostname(config)# webvpn
hostname(config-webvpn)# default-idle-timeout 1200

Related Commands

Command
Description

vpn-simultaneous-logins

Sets the maximum number of simultaneous VPN sessions permitted. Use in group-policy or username mode.


default-information (EIGRP)

To control whether the EIGRP routing process accepts and advertises candidate default route information, use the default-information command in router configuration mode. To suppress EIGRP candidate default route information in incoming or outgoing updates, use the no form of this command.

default-information {in | out} [acl-name]

no default-information {in | out}

Syntax Description

acl-name

(Optional) Named standard access list.

in

Configures EIGRP to accept exterior default routing information.

out

Configures EIGRP to advertise candidate default route information.


Defaults

Exterior routes are accepted and sent.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

Only the no form of the command or default-information commands with an access list specified will appear in the running configuration because, by default, the candidate default routing information is accepted and sent. The no form of the command does not take an acl-name argument.

Examples

The following example disables the receipt of exterior or candidate default route information:

hostname(config)# router eigrp 100
hostname(config-router)# no default-information in

Related Commands

Command
Description

router eigrp

Creates an EIGRP routing process and enters configuration mode for that process.


default-information originate (OSPF)

To generate a default external route into an OSPF routing domain, use the default-information originate command in router configuration mode. To disable this feature, use the no form of this command.

default-information originate [always] [metric value] [metric-type {1 | 2}] [route-map name]

no default-information originate [[always] [metric value] [metric-type {1 | 2}] [route-map name]]

Syntax Description

always

(Optional) Always advertises the default route, regardless of whether the security appliance has a default route in its routing table.

metric value

(Optional) Specifies the OSPF default metric value from 0 to 16777214.

metric-type {1 | 2}

(Optional) External link type associated with the default route advertised into the OSPF routing domain. Valid values are as follows:

1—Type 1 external route.

2—Type 2 external route.

route-map name

(Optional) Name of the route map to apply.


Defaults

The default values are as follows:

metric value is 1.

metric-type is 2.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

Using the no form of this command with optional keywords and arguments only removes the optional information from the command. For example, entering no default-information originate metric 3 removes the metric 3 option from the command in the running configuration. To remove the complete command from the running configuration, use the no form of the command without any options: no default-information originate.

Examples

The following example shows how to use the default-information originate command with an optional metric and metric type:

hostname(config-router)# default-information originate always metric 3 metric-type 2
hostname(config-router)#

Related Commands

Command
Description

router ospf

Enters router configuration mode.

show running-config router

Displays the commands in the global router configuration.


default-information originate (RIP)

To generate a default route into RIP, use the default-information originate command in router configuration mode. To disable this feature, use the no form of this command.

default-information originate [route-map name]

no default-information originate [route-map name]

Syntax Description

route-map name

(Optional) Name of the route map to apply. The routing process generates the default route if the route map is satisfied.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

The route map referenced in the default-information originate command cannot use an extended access list; it can use a standard access list.

Examples

The following example shows how to generate a default route into RIP:

hostname(config)# router rip
hostname(config-router)# network 10.0.0.0
hostname(config-router)# default-information originate

Related Commands

Command
Description

router rip

Enters router configuration mode for the RIP routing process.

show running-config router

Displays the commands in the global router configuration.


default-language

To set the default language displayed on the Clientless SSL VPN pages, use the default-language command from webvpn configuration mode.

default-language language

Syntax Description

language

Specifies the name of a previously-imported translation table.


Defaults

The default language is en-us (English spoken in the United States).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

webvpn configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The security appliance provides language translation for the portal and screens displayed to users who initiate browser-based, clientless SSL VPN connections, as well as for the user interface displayed to AnyConnect VPN Client users.

The default language is displayed to the Clientless SSL VPN user when they initially connect to the security appliance, before logging in. Thereafter, the language displayed is affected by the tunnel group or group policy settings and any customization that they reference.

Examples

The following example changes the default language to Chinese, using a previously imported translation table named zh:

hostname(config-webvpn)# default-language zh

Related Commands

Command
Description

import webvpn translation-table

Imports a translation table.

revert

Removes translation tables from cache memory.

show import webvpn translation-table

Displays information about imported translation tables.


default-metric

To specify the EIGRP metrics for redistributed routes, use the default-metric command in router configuration mode. To restore the default values, use the no form of this command.

default-metric bandw