Cisco Security Appliance Command Reference, Version 8.0
gateway -- hw-module module shutdown
Download this chapter
gateway -- hw-module module shutdowngateway -- hw-module module shutdown
Download the complete book
Cisco Security Appliance Command Reference Book, Version 8.0--Whole Book PDFCisco Security Appliance Command Reference Book, Version 8.0--Whole Book PDF (PDF - 23 MB)
give_us_feedback

Table Of Contents

gateway through hw-module module shutdown Commands

gateway

global

group-alias

group-delimiter

group-lock

group-object

group-policy

group-policy attributes

group-prompt

group-search-timeout

group-url

h245-tunnel-block

hello-interval

help

hic-fail-group-policy (deprecated)

hidden-parameter

hidden-shares

hold-time

homepage

host

hostname

hsi

hsi-group

html-content-filter

http

http-comp

http-proxy

http-proxy (dap)

http redirect

http server enable

https-proxy

hw-module module password-reset

hw-module module recover

hw-module module reload

hw-module module reset

hw-module module shutdown


gateway through hw-module module shutdown Commands

gateway

To specify which group of call agents are managing a particular gateway, use the gateway command in MGCP map configuration mode. To remove the configuration, use the no form of this command.

gateway ip_address [group_id]

Syntax Description

gateway

Specifies the group of call agents that are managing a particular gateway

ip_address

The IP address of the gateway.

group_id

The ID of the call agent group, from 0 to 2147483647.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

MGCP map configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

Use the gateway command to specify which group of call agents are managing a particular gateway. The IP address of the gateway is specified with the ip_address option. The group_id option is a number from 0 to 4294967295 that must correspond with the group_id of the call agents that are managing the gateway. A gateway may only belong to one group.

Examples

The following example allows call agents 10.10.11.5 and 10.10.11.6 to control gateway 10.10.10.115, and allows call agents 10.10.11.7 and 10.10.11.8 to control both gateways 10.10.10.116 and 10.10.10.117: 

hostname(config)# mgcp-map mgcp_policy

hostname(config-mgcp-map)# call-agent 10.10.11.5 101

hostname(config-mgcp-map)# call-agent 10.10.11.6 101

hostname(config-mgcp-map)# call-agent 10.10.11.7 102

hostname(config-mgcp-map)# call-agent 10.10.11.8 102

hostname(config-mgcp-map)# gateway 10.10.10.115 101

hostname(config-mgcp-map)# gateway 10.10.10.116 102

hostname(config-mgcp-map)# gateway 10.10.10.117 102

Related Commands

Commands
Description

debug mgcp

Enables the display of debug information for MGCP.

mgcp-map

Defines an MGCP map and enables MGCP map configuration mode.

show mgcp

Displays MGCP configuration and session information.


global

To create a pool of mapped addresses for NAT, use the global command in global configuration mode. To remove the pool of addresses, use the no form of this command.

global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}

no global (mapped_ifc) nat_id {mapped_ip[-mapped_ip] [netmask mask] | interface}

Syntax Description

interface

Uses the interface IP address as the mapped address. Use this keyword if you want to use the interface address, but the address is dynamically assigned using DHCP.

mapped_ifc

Specifies the name of the interface connected to the mapped IP address network.

mapped_ip[-mapped_ip]

Specifies the mapped address(es) to which you want to translate the real addresses when they exit the mapped interface. If you specify a single address, then you configure PAT. If you specify a range of addresses, then you configure dynamic NAT.

If the external network is connected to the Internet, each global IP address must be registered with the Network Information Center (NIC).

nat_id

Specifies an integer for the NAT ID. This ID is referenced by the nat command to associate a mapped pool with the real addresses to translate.

For regular NAT, this integer is between 1 and 2147483647. For policy NAT (nat id access-list), this integer is between 1 and 65535.

Do not specify a global command for NAT ID 0; 0 is reserved for identity NAT and NAT exemption, which do not use a global command.

netmask mask

(Optional) Specifies the network mask for the mapped_ip. This mask does not specify a network when paired with the mapped_ip; rather, it specifies the subnet mask assigned to the mapped_ip when it is assigned to a host. If you want to configure a range of addresses, you need to specify mapped_ip-mapped_ip.

If you do not specify a mask, then the default mask for the address class is used.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.0(2)

NAT is now supported in transparent firewall mode.


Usage Guidelines

For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given interface that you want to translate. Then you configure a separate global command to specify the mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat command matches a global command by comparing the NAT ID, a number that you assign to each command.

See the nat command for more information about dynamic NAT and PAT.

If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using clear xlate command. However, clearing the translation table disconnects all of the current connections.

Examples

For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following command: 

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0

hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30

To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands: 

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0

hostname(config)# global (outside) 1 209.165.201.5

hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20

To translate the lower security dmz network addresses so they appear to be on the same network as the inside network (10.1.1.0), for example, to simplify routing, enter the following commands: 

hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns

hostname(config)# global (inside) 1 10.1.1.45

To identify a single real address with two different destination addresses using policy NAT, enter the following commands: 

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 
255.255.255.224

hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 
255.255.255.224

hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000

hostname(config)# global (outside) 1 209.165.202.129

hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000

hostname(config)# global (outside) 2 209.165.202.130

To identify a single real address/destination address pair that use different ports using policy NAT, enter the following commands: 

hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 
255.255.255.255 eq 80

hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 
255.255.255.255 eq 23

hostname(config)# nat (inside) 1 access-list WEB

hostname(config)# global (outside) 1 209.165.202.129

hostname(config)# nat (inside) 2 access-list TELNET

hostname(config)# global (outside) 2 209.165.202.130

Related Commands

Command
Description

clear configure global

Removes global commands from the configuration.

nat

Specifies the real addresses to translate.

show running-config global

Displays the global commands in the configuration.

static

Configures a one-to-one translation.


group-alias

To create one or more alternate names by which the user can refer to a tunnel-group, use the group-alias command in tunnel-group webvpn configuration mode. To remove an alias from the list, use the no form of this command.

group-alias name [enable | disable]

no group-alias name

Syntax Description

disable

Disables the group alias.

enable

Enables a previously disabled group alias.

name

Specifies the name of a tunnel group alias. This can be any string you choose, except that the string cannot contain spaces.


Defaults

No default group alias, but if you do specify a group alias, that alias is enabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Tunnel-group webvpn configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

The group alias that you specify here appears in the drop-down list on the login page. Each group can have multiple aliases or no alias. This command is useful when the same group is known by several common names, such as "Devtest" and "QA".

Examples

The following example shows the commands for configuring the webvpn tunnel group named "devtest" and establishing the aliases "QA" and "Fra-QA" for the group: 

hostname(config)# tunnel-group devtest type webvpn

hostname(config)# tunnel-group devtest webvpn-attributes

hostname(config-tunnel-webvpn)# group-alias QA

hostname(config-tunnel-webvpn)# group-alias Fra-QA

hostname(config-tunnel-webvpn)#

Related Commands

Command
Description

clear configure tunnel-group

Clears the entire tunnel-group database or the named tunnel group configuration.

show webvpn group-alias

Displays the aliases for the specified tunnel group or for all tunnel groups.

tunnel-group webvpn-attributes

Enters the tunnel-group webvpn configuration mode for configuring WebVPN tunnel-group attributes.


group-delimiter

To enable group-name parsing and specify the delimiter to be used when parsing group names from the user names that are received when tunnels are being negotiated, use the group-delimiter command in global configuration mode. To disable this group-name parsing, use the no form of this command.

group-delimiter delimiter

no group-delimiter

Syntax Description

delimiter

Specifies the character to use as the group-name delimiter.
Valid values are: @, #, and !.


Defaults

By default, no delimiter is specified, disabling group-name parsing.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The delimiter is used to parse tunnel group names from user names when tunnels are negotiated. By default, no delimiter is specified, disabling group-name parsing.

Examples

This example shows the group-delimiter command to change the group delimiter to the hash mark (#): 

hostname(config)# group-delimiter #

Related Commands

Command
Description

clear configure group-delimiter

Clears the configured group delimiter.

show running-config group-delimiter

Displays the current group-delimiter value.

strip-group

Enables or disables strip-group processing.


group-lock

To restrict remote users to access through the tunnel group only, issue the group-lock command in group-policy configuration mode or username configuration mode.

To remove the group-lock attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy.

group-lock {value tunnel-grp-name | none}

no group-lock

Syntax Description

none

Sets group-lock to a null value, thereby allowing no group-lock restriction. Prevents inheriting a group-lock value from a default or specified group policy.

value tunnel-grp-name

Specifies the name of an existing tunnel group that the security appliance requires for the user to connect.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policyconfiguration

Username configuration


Usage Guidelines

To disable group-lock, use the group-lock none command.

Group-lock restricts users by checking if the group configured in the VPN Client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting. If you do not configure group-lock, the security appliance authenticates users without regard to the assigned group.

Command History

Release
Modification

7.0(1)

This command was introduced.


Examples

The following example shows how to set group lock for the group policy named FirstGroup: 

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# group-lock value tunnel group name

group-object

To add network object groups, use the group-object command in protocol, network, service, and icmp-type configuration modes. To remove network object groups, use the no form of this command.

group-object obj_grp_id

no group-object obj_grp_id

Syntax Description

obj_grp_id

Identifies the object group (one to 64 characters) and can be any combination of letters, digits, and the "_", "-", "." characters.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Protocol, network, service, icmp-type configuration


Command History

Release
Modification

Preexisting

This command was preexisting.


Usage Guidelines

The group-object command is used with the object-group command to define an object that itself is an object group. It is used in protocol, network, service, and icmp-type configuration modes. This sub-command allows logical grouping of the same type of objects and construction of hierarchical object groups for structured configuration.

Duplicate objects are allowed in an object group if they are group objects. For example, if object 1 is in both group A and group B, it is allowed to define a group C which includes both A and B. It is not allowed, however, to include a group object which causes the group hierarchy to become circular. For example, it is not allowed to have group A include group B and then also have group B include group A.

The maximum allowed levels of a hierarchical object group is 10.

Examples

The following example shows how to use the group-object command in network configuration mode eliminate the need to duplicate hosts: 

hostname(config)# object-group network host_grp_1

hostname(config-network)# network-object host 192.168.1.1

hostname(config-network)# network-object host 192.168.1.2 

hostname(config-network)# exit

hostname(config)# object-group network host_grp_2

hostname(config-network)# network-object host 172.23.56.1

hostname(config-network)# network-object host 172.23.56.2

hostname(config-network)# exit

hostname(config)# object-group network all_hosts

hostname(config-network)# group-object host_grp_1

hostname(config-network)# group-object host_grp_2

hostname(config-network)# exit

hostname(config)# access-list grp_1 permit tcp object-group host_grp_1 any eq ftp

hostname(config)# access-list grp_2 permit tcp object-group host_grp_2 any eq smtp

hostname(config)# access-list all permit tcp object-group all-hosts any eq w

Related Commands

Command
Description

clear configure object-group

Removes all the object-group commands from the configuration.

network-object

Adds a network object to a network object group.

object-group

Defines object groups to optimize your configuration.

port-object

Adds a port object to a service object group.

show running-config object-group

Displays the current object groups.


group-policy

To create or edit a group policy, use the group-policy command in global configuration mode. To remove a group policy from the configuration, use the no form of this command.

group-policy name {internal [from group-policy_name] | external server-group server_group password server_password}

no group-policy name

Syntax Description

external server-group server_group

Specifies the group policy as external and identifies the AAA server group for the security appliance to query for attributes.

from group-policy_name

Initializes the attributes of this internal group policy to the values of a pre-existing group policy.

internal

Identifies the group policy as internal.

name

Specifies the name of the group policy. The name can be up to 64 characters long and cannot contain spaces.

password server_password

Provides the password to use when retrieving attributes from the external AAA server group. The password can be up to 128 characters long and cannot contain spaces.


Defaults

No default behavior or values. See Usage Guidelines.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0.1

This command was introduced.


Usage Guidelines

A default group policy, named "DefaultGroupPolicy," always exists on the security appliance. However, this default group policy does not take effect unless you configure the security appliance to use it. For configuration instructions, see the Cisco ASA 5500 Series Configuration Guide using the CLI.

Use the group-policy attributes command to enter config-group-policy mode, in which you can configure any of the group-policy Attribute-Value Pairs. The DefaultGroupPolicy has these Attribute-Value Pairs:

Attribute
Default Value

backup-servers

keep-client-config

banner

none

client-access-rules

none

client-firewall

none

default-domain

none

dns-server

none

group-lock

none

ip-comp

disable

ip-phone-bypass

disabled

ipsec-udp

disabled

ipsec-udp-port

10000

leap-bypass

disabled

nem

disabled

password-storage

disabled

pfs

disable

re-xauth

disable

secure-unit-authentication

disabled

split-dns

none

split-tunnel-network-list

none

split-tunnel-policy

tunnelall

user-authentication

disabled

user-authentication-idle-timeout

none

vpn-access-hours

unrestricted

vpn-filter

none

vpn-idle-timeout

30 minutes

vpn-session-timeout

none

vpn-simultaneous-logins

3

vpn-tunnel-protocol

IPSec WebVPN

wins-server

none


In addition, you can configure webvpn-mode attributes for the group policy, either by entering the webvpn command in config-group-policy mode or by entering the group-policy attributes command and then entering the webvpn command in config-group-webvpn mode. See the description of the group-policy attributes command for details.

Examples

The following example shows how to create an internal group policy with the name "FirstGroup": 

hostname(config)# group-policy FirstGroup internal

The next example shows how to create an external group policy with the name "ExternalGroup," the AAA server group "BostonAAA," and the password "12345678": 

hostname(config)# group-policy ExternalGroup external server-group BostonAAA password 
12345678

Related Commands

Command
Description

clear configure group-policy

Removes the configuration for a particular group policy or for all group policies.

group-policy attributes

Enters config-group-policy mode, which lets you configure attributes and values for a specified group policy or lets you enter webvpn mode to configure webvpn attributes for the group.

show running-config group-policy

Displays the running configuration for a particular group policy or for all group policies.

webvpn

Enters config-group-webvpn mode, in which you can configure the WebVPN attributes for the specified group.


group-policy attributes

To enter the config-group-policy mode, use the group-policy attributes command in global configuration mode. To remove all attributes from a group policy, user the no version of this command. In config-group-policy mode, you can configure Attribute-Value Pairs for a specified group policy or enter group-policy webvpn configuration mode to configure webvpn attributes for the group.

group-policy name attributes

no group-policy name attributes

Syntax Description

name

Specifies the name of the group policy.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

7.0.1

This command was introduced.


Usage Guidelines

The syntax of the commands in attributes mode have the following characteristics in common:

The no form removes the attribute from the running configuration, and enables inheritance of a value from another group policy.

The none keyword sets the attribute in the running configuration to a null value, thereby preventing inheritance.

Boolean attributes have explicit syntax for enabled and disabled settings.

A default group policy, named DefaultGroupPolicy, always exists on the security appliance. However, this default group policy does not take effect unless you configure the security appliance to use it. For configuration instructions, see the Cisco ASA 5500 Series Configuration Guide using the CLI.

The group-policy attributes command enters config-group-policy mode, in which you can configure any of the group-policy Attribute-Value Pairs. The DefaultGroupPolicy has these Attribute-Value Pairs:

Attribute
Default Value

backup-servers

keep-client-config

banner

none

client-access-rule

none

client-firewall

none

default-domain

none

dns-server

none

group-lock

none

ip-comp

disable

ip-phone-bypass

disabled

ipsec-udp

disabled

ipsec-udp-port

10000

leap-bypass

disabled

nem

disabled

password-storage

disabled

pfs

disable

re-xauth

disable

secure-unit-authentication

disabled

split-dns

none

split-tunnel-network-list

none

split-tunnel-policy

tunnelall

user-authentication

disabled

user-authentication-idle-timeout

none

vpn-access-hours

unrestricted

vpn-filter

none

vpn-idle-timeout

30 minutes

vpn-session-timeout

none

vpn-simultaneous-logins

3

vpn-tunnel-protocol

IPSec WebVPN

wins-server

none


In addition, you can configure webvpn-mode attributes for the group policy, by entering the group-policy attributes command and then entering the webvpn command in config-group-policy mode. See the description of the webvpn command (group-policy attributes and username attributes modes) for details.

Examples

The following example shows how to enter group-policy attributes mode for the group policy named FirstGroup: 

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)#

Related Commands

Command
Description

clear configure group-policy

Removes the configuration for a particular group policy or for all group policies.

group-policy

Creates, edits, or removes a group policy.

show running-config group-policy

Displays the running configuration for a particular group policy or for all group policies.

webvpn (group-policy attributes mode)

Enters config-group-webvpn mode, in which you can configure the WebVPN attributes for the specified group.


group-prompt

To customize the group prompt of the WebVPN page login box that is displayed to WebVPN users when they connect to the security appliance, use the group-prompt command in webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.

group-prompt {text | style} value

no group-prompt {text | style} value

Syntax Description

text

Specifies you are changing the text.

style

Specifies you are changing the style.

value

The actual text to display (maximum 256 characters), or Cascading Style Sheet (CSS) parameters (maximum 256 characters).


Defaults

The default text of the group prompt is "GROUP:".

The default style of the group prompt is color:black;font-weight:bold;text-align:right.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Webvpn customization configuration


Command History

Release
Modification

7.1(1)

This command was introduced.


Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

Note To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.

Examples

In the following example, the text is changed to "Corporate Group:", and the default style is changed with the font weight increased to bolder: 

F1-asa1(config)# webvpn

F1-asa1(config-webvpn)# customization cisco

F1-asa1(config-webvpn-custom)# group-prompt text Corporate Group:

F1-asa1(config-webvpn-custom)# group-prompt style font-weight:bolder

Related Commands

Command
Description

password-prompt

Customizes the password prompt of the WebVPN page.

username-prompt

Customizes the username prompt of the WebVPN page.


group-search-timeout

To specify the maximum time to wait for a response from an Active Directory server queried using the show ad-groups command, use the group-search-timeout command in AAA server host configuration mode. To remove the command from the configuration, use the no form of the command:

group-search-timeout seconds

no group-search-timeout seconds

Syntax Description

seconds

The time to wait for a response from the Active Directory server, from 1 to 300 seconds.


Defaults

The default is 10 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

aaa-server host configuration


Command History

Release
Modification

8.0(4)

This command is introduced.


Usage Guidelines

The show ad-groups command applies only to Active Directory servers using LDAP, and displays groups that are listed on an Active Directory server. Use the group-search-timeout command to adjust the time to wait for a response from the server.

Examples

The following example sets the timeout to 20 seconds: 

hostname(config-aaa-server-host)#group-search-timeout 20

Related Commands

Command
Description

ldap-group-base-dn

Specifies a level in the Active Directory hierarchy where the server begins searching for groups that are used by dynamic group policies.

show ad-groups

Displays groups that are listed on an Active Directory server.



group-url

To specify incoming URLs or IP addresses for the group, use the group-url command in tunnel-group webvpn configuration mode. To remove a URL from the list, use the no form of this command.

group-url url [enable | disable ]

no group-url url

Syntax Description

disable

Disables the URL, but does not remove it from the list.

enable

Enables the URL.

url

Specifies a URL or IP address for this tunnel group.


Defaults

There is n