Cisco Security Appliance Command Reference, Version 8.0
intercept-dhcp -- issuer-name

Table Of Contents

intercept-dhcp through issuer-name Commands

intercept-dhcp

interface

interface (vpn load-balancing)

interface-policy

internal-password

interval maximum

invalid-ack

ip address

ip address dhcp

ip address pppoe

ip-address-privacy

ip audit attack

ip audit info

ip audit interface

ip audit name

ip audit signature

ip-comp

ip local pool

ip-phone-bypass

ips

ipsec-udp

ipsec-udp-port

ip verify reverse-path

ipv6 access-list

ipv6 address

ipv6 enable

ipv6 enforce-eui64

ipv6 icmp

ipv6 local pool

ipv6 nd dad attempts

ipv6 nd ns-interval

ipv6 nd prefix

ipv6 nd ra-interval

ipv6 nd ra-lifetime

ipv6 nd reachable-time

ipv6 nd suppress-ra

ipv6 neighbor

ipv6 route

ipv6-address-pool (tunnel-group general attributes mode)

ipv6-address-pools

ipv6-vpn-filter

isakmp am-disable

isakmp disconnect-notify

isakmp enable

isakmp identity

isakmp ikev1-user-authentication

isakmp ipsec-over-tcp

isakmp keepalive

isakmp nat-traversal

isakmp policy authentication

isakmp policy encryption

isakmp policy group

isakmp policy hash

isakmp policy lifetime

isakmp reload-wait

issuer

issuer-name


intercept-dhcp through issuer-name Commands


intercept-dhcp

To enable DHCP Intercept, use the intercept-dhcp enable command in group-policy configuration mode. To disable DHCP Intercept, use the intercept-dhcp disable command. To remove the intercept-dhcp attribute from the running configuration and allow the users to inherit a DHCP Intercept configuration from the default or other group policy, use the no intercept-dhcp command.

intercept-dhcp netmask {enable | disable}

no intercept-dhcp

Syntax Description

disable

Disables DHCP Intercept.

enable

Enables DHCP Intercept.

netmask

Provides the subnet mask for the tunnel IP address.


Defaults

DHCP Intercept is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                  Firewall Mode             Security Context
                              Routed    Transparent     Single    Multiple
                                                                  Context   System
Group-policy configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

A Microsoft Windows XP anomaly corrupts domain names if the split-tunnel options exceed 255 bytes. To avoid this problem, the security appliance limits the number of routes it sends to between 27 and 40; the exact number depends on the classes (prefix lengths) of the routes, because each route consumes a different number of bytes.

DHCP Intercept lets Microsoft XP clients use split-tunneling with the security appliance. The security appliance replies directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP address. For Windows clients prior to XP, DHCP Intercept provides the domain name and subnet mask. This is useful in environments in which using a DHCP server is not advantageous.
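The exchange that DHCP Intercept short-circuits, written out in Python as an added illustration (this is not Cisco code and does not reproduce the appliance's implementation): the client's DHCPINFORM, the appliance's direct DHCPACK carrying the subnet mask (option 1), domain name (option 15) and classless static routes (option 121, RFC 3442), and the byte accounting behind the route limit. Every DHCP option has a one-octet length field, so the option body cannot exceed 255 bytes, and an RFC 3442 entry costs 1 + ceil(prefix/8) + 4 bytes; that is why the number of routes that fit depends on the prefix length of each route. The appliance's own figure of 27 to 40 routes is its accounting and is not claimed here. Addresses, transaction ID, hardware address and the route list are constructed.

```python
"""Added example (not Cisco code): the DHCP Intercept exchange as bytes."""
import ipaddress
import struct

# Option codes from RFC 2132 and RFC 3442; message types from RFC 2131
OPT_SUBNET_MASK, OPT_DOMAIN_NAME, OPT_MSG_TYPE, OPT_SERVER_ID = 1, 15, 53, 54
OPT_CLASSLESS_ROUTES, OPT_END = 121, 255
DHCPACK, DHCPINFORM = 5, 8
MAX_OPTION_LEN = 255                 # every option's length field is a single octet
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def encode_route(network, router):
    """One RFC 3442 entry: prefix length, only the significant destination octets, router."""
    net = ipaddress.IPv4Network(network)
    significant = (net.prefixlen + 7) // 8
    return (bytes([net.prefixlen]) + net.network_address.packed[:significant]
            + ipaddress.IPv4Address(router).packed)


def max_routes_for_prefix(prefixlen):
    """Entries of one prefix length that fit a single 255-byte option (/8: 42, /16: 36, /24: 31)."""
    return MAX_OPTION_LEN // (1 + (prefixlen + 7) // 8 + 4)


def fit_routes(routes):
    """Keep routes in order until the next entry would push the option past 255 bytes."""
    kept, used = [], 0
    for network, router in routes:
        size = len(encode_route(network, router))
        if used + size > MAX_OPTION_LEN:
            break
        kept.append((network, router))
        used += size
    return kept


def option(code, data):
    return bytes([code, len(data)]) + data


def dhcp_header(op, xid, ciaddr, chaddr):
    """Fixed 236-byte BOOTP header; fields not used by DHCPINFORM/ACK here are zero."""
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                       ciaddr, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                       chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)


def build_inform(xid, client_ip, chaddr):
    """Client side: DHCPINFORM carrying its already-assigned tunnel address in ciaddr."""
    return (dhcp_header(1, xid, ipaddress.IPv4Address(client_ip).packed, chaddr)
            + MAGIC_COOKIE + option(OPT_MSG_TYPE, bytes([DHCPINFORM])) + bytes([OPT_END]))


def parse_options(msg):
    """Return {code: data} from the options field; PAD is skipped, END stops the scan."""
    if msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_intercept_ack(inform, server_ip, tunnel_mask, domain, routes):
    """Appliance side: answer the INFORM directly with mask, domain name and classless routes.
    Returns the DHCPACK bytes and the routes that actually fit."""
    if parse_options(inform).get(OPT_MSG_TYPE) != bytes([DHCPINFORM]):
        raise ValueError("only DHCPINFORM is intercepted")
    xid, ciaddr, chaddr = inform[4:8], inform[12:16], inform[28:44]
    kept = fit_routes(routes)
    opts = (option(OPT_MSG_TYPE, bytes([DHCPACK]))
            + option(OPT_SERVER_ID, ipaddress.IPv4Address(server_ip).packed)
            + option(OPT_SUBNET_MASK, ipaddress.IPv4Address(tunnel_mask).packed)
            + option(OPT_DOMAIN_NAME, domain.encode())
            + option(OPT_CLASSLESS_ROUTES, b"".join(encode_route(n, r) for n, r in kept))
            + bytes([OPT_END]))
    xid_int, = struct.unpack("!I", xid)
    return dhcp_header(2, xid_int, ciaddr, chaddr) + MAGIC_COOKIE + opts, kept


if __name__ == "__main__":
    # Constructed input: one client, sixty candidate /16 split-tunnel routes
    inform = build_inform(0x1234, "192.0.2.50", b"\x00\x11\x22\x33\x44\x55")
    routes = [(f"10.{i}.0.0/16", "192.0.2.1") for i in range(60)]
    ack, kept = build_intercept_ack(inform, "192.0.2.1", "255.255.255.0", "example.com", routes)
    print(f"{len(kept)} of {len(routes)} routes fit; ACK is {len(ack)} bytes")
```

fit_routes silently truncates the list rather than failing, which is the behaviour the paragraph describes; a practitioner auditing split-tunnel policy should compare the routes the client actually installed against the intended list, since anything past the cutoff is simply absent.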

Examples

The following example enables DHCP Intercept, with a 255.255.255.0 tunnel subnet mask, for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# intercept-dhcp 255.255.255.0 enable

interface

To configure an interface and enter interface configuration mode, use the interface command in global configuration mode. In interface configuration mode, you can configure hardware settings (for physical interfaces), assign a name, assign a VLAN, assign an IP address, and configure many other settings, depending on the type of interface and the security context mode.

In multiple context mode, you might need to specify the mapped name if one was assigned using the allocate-interface command.

All models can configure parameters for physical interfaces.

All models except for those with a built-in switch, such as the ASA 5505 adaptive security appliance, can create logical redundant interfaces.

All models except for those with a built-in switch, such as the ASA 5505 adaptive security appliance, can create logical subinterfaces that are assigned to a VLAN. Models with a built-in switch include switch ports (called physical interfaces in this command) that you can assign to a VLAN interface; in this case, you do not create a subinterface for the VLAN, but instead create a VLAN interface independent of any physical interfaces. You can then assign one or more physical interfaces to the VLAN interface.

To remove a redundant interface, subinterface, or VLAN interface, use the no form of this command; you cannot remove a physical interface or a mapped interface.

For physical interfaces (for all models):

interface physical_interface

For redundant interfaces (not available for models with a built-in switch):

interface redundant number

no interface redundant number

For subinterfaces (not available for models with a built-in switch):

interface {physical_interface | redundant number}.subinterface

no interface {physical_interface | redundant number}.subinterface

For VLAN interfaces (for models with a built-in switch):

interface vlan number

no interface vlan number

For multiple context mode when a mapped name is assigned:

interface mapped_name

Syntax Description

mapped_name

In multiple context mode, specifies the mapped name if it was assigned using the allocate-interface command.

physical_interface

Specifies the physical interface type, slot, and port number as type[slot/]port. A space between the type and slot/port is optional.

The physical interface types include the following:

ethernet

gigabitethernet

management (for ASA 5500 only)

For the PIX 500 series security appliance, enter the type followed by the port number, for example, ethernet0.

For the ASA 5500 series adaptive security appliance, enter the type followed by slot/port, for example, gigabitethernet 0/1. Interfaces that are built into the chassis are assigned to slot 0, while interfaces on the 4GE SSM (or a built-in 4GE SSM) are assigned to slot 1.

The management interface is a Fast Ethernet interface designed for management traffic only, and is specified as management 0/0. You can, however, use it for through traffic if desired (see the management-only command). In transparent firewall mode, you can use the management interface in addition to the two interfaces allowed for through traffic. You can also add subinterfaces to the management interface to provide management in each security context for multiple context mode.

See the hardware documentation that came with your model to identify the interface type, slot, and port number.

redundant number

Specifies a logical redundant interface, where number is between 1 and 8. A redundant interface pairs an active and a standby physical interface (see the member-interface command). When the active interface fails, the standby interface becomes active and starts passing traffic.

All security appliance configuration refers to the logical redundant interface instead of the member physical interfaces.

A space between redundant and the ID is optional.

subinterface

Specifies an integer between 1 and 4294967293 designating a logical subinterface. The maximum number of subinterfaces varies depending on your security appliance model. Subinterfaces are not available for models with a built-in switch, such as the ASA 5505 adaptive security appliance. See the Cisco ASA 5500 Series Configuration Guide using the CLI for the maximum subinterfaces (or VLANs) per platform. An interface with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk.

vlan number

For models with a built-in switch, specifies a VLAN ID number between 1 and 4090.


Defaults

By default, the security appliance automatically generates interface commands for all physical interfaces.

In multiple context mode, the security appliance automatically generates interface commands for all interfaces allocated to the context using the allocate-interface command.

The default state of an interface depends on the type and the context mode.

In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

In single mode or in the system execution space, interfaces have the following default states:

Physical interfaces—Disabled.

Redundant Interfaces—Enabled. However, for traffic to pass through the redundant interface, the member physical interfaces must also be enabled.

Subinterfaces—Enabled. However, for traffic to pass through the subinterface, the physical interface must also be enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                  Firewall Mode             Security Context
                              Routed    Transparent     Single    Multiple
                                                                  Context   System
Global configuration


Command History

Release
Modification

7.0(1)

This command was modified to allow for new subinterface naming conventions and to change arguments to be separate commands under interface configuration mode.

7.2(1)

The interface vlan command was added to support a built-in switch, as on the ASA 5505 adaptive security appliance.

8.0(2)

The interface redundant command was added.


Usage Guidelines

For an enabled interface to pass traffic, configure the following interface configuration mode commands: nameif and, for routed mode, ip address. For subinterfaces, also configure the vlan command. For switch physical interfaces, assign the physical interface to the VLAN interface using the switchport access vlan command.

If you change interface settings, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.

Default Security Level

The default security level is 0. If you name an interface "inside" and you do not set the security level explicitly using the security-level command, then the security appliance sets the security level to 100.

Multiple Context Mode Guidelines

Configure the context interfaces from within each context.

Configure context interfaces that you already assigned to the context in the system configuration. Other interfaces are not available.

Configure Ethernet settings, redundant interfaces, and subinterfaces in the system configuration; no other interface configuration is available there. Failover interfaces are also configured in the system configuration, but with the failover commands, not with this command.

Transparent Firewall Guidelines

Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA 5510 and higher adaptive security appliances, you can use the Management 0/0 interface (either the physical interface or a subinterface) as a third interface for management traffic. The mode is not configurable in this case and must always be management-only.

Subinterface Guidelines

Maximum Subinterfaces—To determine how many subinterfaces are allowed for your platform, see the license information in the Cisco ASA 5500 Series Configuration Guide using the CLI.

Preventing Untagged Packets on the Physical Interface—If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. This property is also true for the active physical interface in a redundant interface pair. Because the physical or redundant interface must be enabled for the subinterface to pass traffic, ensure that the physical or redundant interface does not pass traffic by leaving out the nameif command. If you want to let the physical or redundant interface pass untagged packets, you can configure the nameif command as usual.

Redundant Interface Guidelines

Failover Guidelines:

If you want to use a redundant interface for the failover or state link, then you must configure the redundant interface as part of the basic configuration on the secondary unit in addition to the primary unit.

If you use a redundant interface for the failover or state link, you must put a switch or hub between the two units; you cannot connect them directly. Without the switch or hub, you could have the active port on the primary unit connected directly to the standby port on the secondary unit.

You can monitor redundant interfaces for failover using the monitor-interface command; be sure to reference the logical redundant interface name.

When the active interface fails over to the standby interface, this activity does not cause the redundant interface to appear to be failed when being monitored for device-level failover. Only when both physical interfaces fail does the redundant interface appear to be failed.

Redundant Interface MAC Address—The redundant interface uses the MAC address of the first physical interface that you add. If you change the order of the member interfaces in the configuration, then the MAC address changes to match the MAC address of the interface that is now listed first. Alternatively, you can assign a MAC address to the redundant interface, which is used regardless of the member interface MAC addresses (see the mac-address command or the mac-address auto command). When the active interface fails over to the standby, the same MAC address is maintained so traffic is not disrupted.

Physical Interface Guidelines—Follow these guidelines when adding member interfaces:

Both member interfaces must be of the same physical type. For example, both must be Ethernet.

You cannot add a physical interface to the redundant interface if you configured a name for it. You must first remove the name using the no nameif command.


Caution If you are using a physical interface already in your configuration, removing the name will clear any configuration that refers to the interface.

The only configuration available to physical interfaces that are part of a redundant interface pair are physical parameters such as speed and duplex commands, the description command, and the shutdown command. You can also enter run-time commands like default and help.

If you shut down the active interface, then the standby interface becomes active.

Built-in Switch Guidelines

For models with a built-in switch, you configure physical parameters and switch parameters (including the VLAN assignment) for the physical interfaces only. You configure all other parameters for the VLAN interface.

For the ASA 5505 adaptive security appliance in transparent firewall mode, you can configure two active VLANs in the Base license and three active VLANs in the Security Plus license, one of which must be for failover. In routed mode, you can configure up to three active VLANs with the Base license, and up to five active VLANs with the Security Plus license. An active VLAN is a VLAN with a nameif command configured. You can configure as many VLANs as you want as long as you limit the number of active VLANs to comply with your license. With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. You limit the third VLAN using the no forward interface command. With the Security Plus license, you can configure three VLAN interfaces for normal traffic, one VLAN interface for failover, and one VLAN interface as a backup link to your ISP. However, the failover VLAN interface is not configured using the interface vlan command. After you assign a physical interface to the failover VLAN ID, use the failover lan commands to create and configure the VLAN interface. The backup link to the ISP must be identified by the backup interface command under the primary VLAN configuration. This interface does not pass through traffic unless the primary interface fails. See the backup interface command for more information.
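Three of the guidelines above (the default security level, the untagged-frame hazard of a named parent interface under Subinterface Guidelines, and the active-VLAN count under Built-in Switch Guidelines) are easy to check mechanically against a running configuration. The following Python audit is an added example, not Cisco code: it parses interface blocks from two constructed configurations (one 5510-style with a trunk parent that also carries a nameif, one 5505-style with four named VLANs) and reports interfaces that rely on the implicit security level 0 (or 100 for "inside"), parents of subinterfaces that would pass untagged frames because they are named, and whether the active VLAN count exceeds a license limit supplied by the caller. The parser handles only the sub-mode lines these checks need.

```python
"""Added example (not Cisco code): audit ASA interface blocks for the defaults and
pitfalls documented above. Parser and sample configurations are constructed here."""
import re
from collections import OrderedDict

# Constructed sample: 5510-style config; GigabitEthernet0/1 is both named and a subinterface parent.
SAMPLE_5510 = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif trunk
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1.101
 vlan 101
 nameif dmz1
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/1.102
 vlan 102
 nameif inside
 ip address 10.1.3.1 255.255.255.0
!
"""

# Constructed sample: 5505-style config with four active VLANs (routed-mode Base license allows three).
SAMPLE_5505 = """\
interface Vlan100
 nameif outside
 security-level 0
!
interface Vlan200
 nameif inside
 security-level 100
!
interface Vlan300
 no forward interface Vlan200
 nameif home
 security-level 50
!
interface Vlan400
 nameif guest
!
interface Ethernet0/0
 switchport access vlan 100
!
"""


def parse_interfaces(config):
    """Map interface name -> {first word of each sub-mode line: [rest of line, ...]}."""
    ifaces, current = OrderedDict(), None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ifaces.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            key, _, rest = line.strip().partition(" ")
            current.setdefault(key, []).append(rest)
        else:
            current = None            # "!" or any other top-level line ends the block
    return ifaces


def effective_security_level(attrs):
    """Documented default: 0, except an interface named "inside" gets 100 when unset."""
    if "security-level" in attrs:
        return int(attrs["security-level"][0])
    return 100 if attrs.get("nameif", [""])[0] == "inside" else 0


def audit(config):
    """Return (interface, finding) tuples for named interfaces only; unnamed ones pass no traffic."""
    ifaces = parse_interfaces(config)
    parents_with_subifs = {name.split(".")[0] for name in ifaces if "." in name}
    findings = []
    for name, attrs in ifaces.items():
        if "nameif" not in attrs:
            continue
        if "security-level" not in attrs:
            findings.append((name, f"relies on default security-level {effective_security_level(attrs)}"))
        if name in parents_with_subifs:
            findings.append((name, "named parent of subinterfaces: passes untagged frames"))
    return findings


def active_vlans(config):
    """ASA 5505: an active VLAN is a VLAN interface with nameif configured."""
    return [n for n, a in parse_interfaces(config).items()
            if n.lower().startswith("vlan") and "nameif" in a]


def check_5505_license(config, limit):
    """Compare the active VLAN count with the caller's license limit (for example 3 Base, 5 Security Plus in routed mode)."""
    active = active_vlans(config)
    return len(active) <= limit, active


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_5510):
        print(f"{iface}: {finding}")
    ok, active = check_5505_license(SAMPLE_5505, 3)
    print(f"5505 active VLANs {active}: {'within' if ok else 'exceeds'} license")
```

The finding for GigabitEthernet0/1 is the one that matters most operationally: the parent is enabled (it must be, for the subinterfaces to work) and named, so untagged frames arriving on the trunk port are accepted into the "trunk" zone at security level 0. Removing the nameif from the parent, as the guideline says, closes that path.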

Management-Only Interface

The ASA 5510 and higher adaptive security appliances include a dedicated management interface called Management 0/0, which is meant to support traffic to the security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.

Examples

The following example configures parameters for the physical interface in single mode:

hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown

The following example configures parameters for a subinterface in single mode:

hostname(config)# interface gigabitethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif dmz1
hostname(config-subif)# security-level 50
hostname(config-subif)# ip address 10.1.2.1 255.255.255.0
hostname(config-subif)# no shutdown

The following example configures interface parameters in multiple context mode for the system configuration, and allocates the gigabitethernet 0/1.1 subinterface to contextA:

hostname(config)# interface gigabitethernet0/1
hostname(config-if)# speed 1000
hostname(config-if)# duplex full
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# no shutdown
hostname(config-subif)# context contextA
hostname(config-ctx)# ...
hostname(config-ctx)# allocate-interface gigabitethernet0/1.1

The following example configures parameters in multiple context mode for the context configuration:

hostname/contextA(config)# interface gigabitethernet0/1.1
hostname/contextA(config-if)# nameif inside
hostname/contextA(config-if)# security-level 100
hostname/contextA(config-if)# ip address 10.1.2.1 255.255.255.0
hostname/contextA(config-if)# no shutdown

The following example configures three VLAN interfaces. The third VLAN interface, home, cannot initiate traffic to the work interface:

hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address dhcp
hostname(config-if)# no shutdown

hostname(config-if)# interface vlan 200
hostname(config-if)# nameif work
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown

hostname(config-if)# interface vlan 300
hostname(config-if)# no forward interface vlan 200
hostname(config-if)# nameif home
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown

hostname(config-if)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown

hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown

hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown

hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown

hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown

...

The following example configures five VLAN interfaces, including the failover interface, which is configured separately using the failover lan interface command:

hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown

hostname(config-if)# interface vlan 200
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0
hostname(config-if)# no shutdown

hostname(config-if)# interface vlan 300
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.3.1.1 255.255.255.0
hostname(config-if)# no shutdown

hostname(config-if)# interface vlan 400
hostname(config-if)# nameif backup-isp
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown

hostname(config-if)# failover lan interface faillink vlan500
hostname(config)# failover interface ip faillink 10.4.1.1 255.255.255.0 standby 10.4.1.2

hostname(config)# interface ethernet 0/0
hostname(config-if)# switchport access vlan 100
hostname(config-if)# no shutdown

hostname(config-if)# interface ethernet 0/1
hostname(config-if)# switchport access vlan 200
hostname(config-if)# no shutdown

hostname(config-if)# interface ethernet 0/2
hostname(config-if)# switchport access vlan 300
hostname(config-if)# no shutdown

hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport access vlan 400
hostname(config-if)# no shutdown

hostname(config-if)# interface ethernet 0/4
hostname(config-if)# switchport access vlan 500
hostname(config-if)# no shutdown

The following example creates two redundant interfaces:

hostname(config)# interface redundant 1
hostname(config-if)# member-interface gigabitethernet 0/0
hostname(config-if)# member-interface gigabitethernet 0/1
hostname(config-if)# interface redundant 2
hostname(config-if)# member-interface gigabitethernet 0/2
hostname(config-if)# member-interface gigabitethernet 0/3

Related Commands

Command
Description

allocate-interface

Assigns interfaces and subinterfaces to a security context.

member-interface

Assigns interfaces to a redundant interface.

clear interface

Clears counters for the show interface command.

show interface

Displays the runtime status and statistics of interfaces.

vlan

Assigns a VLAN to a subinterface.


interface (vpn load-balancing)

To specify a non-default public or private interface for VPN load-balancing in the VPN load-balancing virtual cluster, use the interface command in vpn load-balancing mode. To remove the interface specification and revert to the default interface, use the no form of this command.

interface {lbprivate | lbpublic} interface-name

no interface {lbprivate | lbpublic}

Syntax Description

interface-name

The name of the interface to be configured as the public or private interface for the VPN load-balancing cluster.

lbprivate

Specifies that this command configures the private interface for VPN load-balancing.

lbpublic

Specifies that this command configures the public interface for VPN load-balancing.


Defaults

If you omit the interface command, the lbprivate interface defaults to inside, and the lbpublic interface defaults to outside.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                  Firewall Mode             Security Context
                              Routed    Transparent     Single    Multiple
                                                                  Context   System
vpn load-balancing


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

You must have first used the vpn load-balancing command to enter vpn load-balancing mode.

You must also have previously used the interface, ip address and nameif commands to configure and assign a name to the interface that you are specifying in this command.

The no form of this command reverts the interface to its default.

Examples

The following example shows a vpn load-balancing command sequence that includes an interface command specifying the public interface of the cluster as "test" and one that reverts the private interface of the cluster to the default (inside):

hostname(config)# interface GigabitEthernet 0/1
hostname(config-if)# nameif test
hostname(config-if)# ip address 209.165.202.159 255.255.255.0
hostname(config-if)# interface GigabitEthernet 0/2
hostname(config-if)# nameif foo
hostname(config-if)# ip address 209.165.201.30 255.255.255.0
hostname(config-if)# vpn load-balancing
hostname(config-load-balancing)# interface lbpublic test
hostname(config-load-balancing)# no interface lbprivate
hostname(config-load-balancing)# cluster ip address 209.165.202.224
hostname(config-load-balancing)# participate

Related Commands

Command
Description

vpn load-balancing

Enter VPN load-balancing mode.


interface-policy

To specify the policy for failover when monitoring detects an interface failure, use the interface-policy command in failover group configuration mode. To restore the default values, use the no form of this command.

interface-policy num[%]

no interface-policy num[%]

Syntax Description

num

Specifies a number from 1 to 100 when used as a percentage, or 1 to the maximum number of interfaces.

%

(Optional) Specifies that the number num is a percentage of the monitored interfaces.


Defaults

If the failover interface-policy command is configured for the unit, then the default for the interface-policy failover group command assumes that value. If not, then num is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                  Firewall Mode             Security Context
                              Routed    Transparent     Single    Multiple
                                                                  Context   System
Failover group configuration


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

There is no space between the num argument and the optional % keyword.

If the number of failed interfaces meets the configured policy and the other security appliance is functioning properly, the security appliance will mark itself as failed and a failover may occur (if the active security appliance is the one that fails). Only interfaces that are designated as monitored by the monitor-interface command count towards the policy.

Examples

The following partial example shows a possible configuration for a failover group:

hostname(config)# failover group 1 
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# interface-policy 25%
hostname(config-fover-group)# exit
hostname(config)#

Related Commands

Command
Description

failover group

Defines a failover group for Active/Active failover.

failover interface-policy

Configures the interface monitoring policy.

monitor-interface

Specifies the interfaces being monitored for failover.


internal-password

To display an additional password field on the clientless SSL VPN portal page, use the internal-password command in webvpn configuration mode. This additional password is used by the security appliance to authenticate users to file servers for which SSO is allowed.

To disable the ability to use an internal password, use the no version of the command.

internal-password enable

no internal-password

Syntax Description

enable

Enables use of an internal password.


Defaults

The default is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                  Firewall Mode             Security Context
                              Routed    Transparent     Single    Multiple
                                                                  Context   System
Webvpn configuration


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

If enabled, end users type a second password when logging in to a clientless SSL VPN session. The Clientless SSL VPN server sends an SSO authentication request, including the username and password, to the authenticating server using HTTPS. If the authenticating server approves the authentication request, it returns an SSO authentication cookie to the Clientless SSL VPN server. This cookie is kept on the security appliance on behalf of the user and used to authenticate the user to secure websites within the domain protected by the SSO server.

The internal password feature is useful if you require that the internal password be different from the SSL VPN password. In particular, you can use one-time passwords for authentication to the security appliance, and another password for internal sites.

Examples

The following example shows how to enable the internal password:

hostname(config)# webvpn
hostname(config-webvpn)# internal-password enable
hostname(config-webvpn)#

Related Commands

Command
Description

webvpn

Enters webvpn configuration mode, which lets you configure attributes for clientless SSLVPN connections.


interval maximum

To configure the maximum interval between update attempts by a DDNS update method, use the interval maximum command in DDNS-update-method mode. To remove the interval for a DDNS update method from the running configuration, use the no form of this command.

interval maximum days hours minutes seconds

no interval maximum days hours minutes seconds

Syntax Description

days

Specifies the number of days between update attempts with a range of 0 to 364.

hours

Specifies the number of hours between update attempts with a range of 0 to 23.

minutes

Specifies the number of minutes between update attempts with a range of 0 to 59.

seconds

Specifies the number of seconds between update attempts with a range of 0 to 59.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                  Firewall Mode             Security Context
                              Routed    Transparent     Single    Multiple
                                                                  Context   System
DDNS-update-method configuration


Command History

Release
Modification

7.2(1)

This command was introduced.


Usage Guidelines

The days, hours, minutes, and seconds are added together to arrive at the total interval.

Examples

The following example configures a method called ddns-2 to attempt an update every 3 minutes and 15 seconds:

hostname(config)# ddns update method ddns-2
hostname(DDNS-update-method)# interval maximum 0 0 3 15

Related Commands

Command
Description

ddns (DDNS-update-method mode)

Specifies a DDNS update method type for a created DDNS method.

ddns update (interface config mode)

Associates a dynamic DNS (DDNS) update method with a security appliance interface or a DDNS update hostname.

ddns update method (global config mode)

Creates a method for dynamically updating DNS resource records.

dhcp-client update dns

Configures the update parameters that the DHCP client passes to the DHCP server.

dhcpd update dns

Enables a DHCP server to perform dynamic DNS updates.


invalid-ack

To set the action for packets with an invalid ACK, use the invalid-ack command in tcp-map configuration mode. To set the value back to the default, use the no form of this command. This command is part of the TCP normalization policy enabled using the set connection advanced-options command.

invalid-ack {allow | drop}

no invalid-ack

Syntax Description

allow

Allows packets with an invalid ACK.

drop

Drops packets with an invalid ACK.


Defaults

The default action is to drop packets with an invalid ACK.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode                  Firewall Mode             Security Context
                              Routed    Transparent     Single    Multiple
                                                                  Context   System
Tcp-map configuration


Command History

Release
Modification

7.2(4)/8.0(4)

This command was introduced.


Usage Guidelines

To enable TCP normalization, use the Modular Policy Framework:

1. tcp-map—Identifies the TCP normalization actions.

a. invalid-ack—In tcp-map configuration mode, you can enter the invalid-ack command and many others.

2. class-map—Identifies the traffic on which you want to perform TCP normalization.

3. policy-map—Identifies the actions associated with each class map.

a. class—Identifies the class map on which you want to perform actions.

b. set connection advanced-options—Identifies the tcp-map you created.

4. service-policy—Assigns the policy map to an interface or globally.

You might see invalid ACKs in the following instances:

In the TCP connection SYN-ACK-received state, if the ACK number of a received TCP packet is not exactly the same as the sequence number of the next TCP packet to be sent out, it is an invalid ACK.

Whenever the ACK number of a received TCP packet is greater than the sequence number of the next TCP packet to be sent out, it is an invalid ACK.


Note TCP packets with an invalid ACK are automatically allowed for WAAS connections.
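
As an added example (not Cisco code), the following Python models the two invalid-ACK rules above as a check over constructed packets and then applies the configured tcp-map action, including the WAAS exception; the connection-state names and the snd_nxt field are assumptions.

```python
"""Added example, not Cisco code: classify TCP ACKs with the two
invalid-ACK rules given for the tcp-map invalid-ack action, then
apply the configured action (default: drop).  Connection state names
and the snd_nxt field are assumed; sequence math is modulo 2**32."""
from dataclasses import dataclass

MOD = 1 << 32


@dataclass
class Conn:
    state: str            # "SYN_ACK_RECEIVED" or "ESTABLISHED" (assumed names)
    snd_nxt: int          # sequence number of the next segment this side sends
    waas: bool = False    # WAAS connection: invalid ACKs are always allowed


def seq_gt(a: int, b: int) -> bool:
    """True if a is strictly after b in 32-bit sequence space."""
    return a != b and ((a - b) % MOD) < (MOD // 2)


def is_invalid_ack(conn: Conn, ack: int) -> bool:
    """Rule 1: in SYN-ACK-received state the ACK must equal snd_nxt exactly.
    Rule 2: in any state an ACK beyond snd_nxt (acking unsent data) is invalid."""
    if conn.state == "SYN_ACK_RECEIVED":
        return ack != conn.snd_nxt
    return seq_gt(ack, conn.snd_nxt)


def normalize(conn: Conn, ack: int, action: str = "drop") -> str:
    """Return 'allow' or 'drop' for a packet carrying this ACK number,
    honouring the tcp-map invalid-ack setting and the WAAS exception."""
    if action not in ("allow", "drop"):
        raise ValueError("invalid-ack action must be allow or drop")
    if not is_invalid_ack(conn, ack):
        return "allow"
    if conn.waas:
        return "allow"
    return action


# Constructed sample: a connection past the handshake, about to send seq 5000.
SAMPLE = Conn("ESTABLISHED", 5000)
```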


Examples

The following example sets the security appliance to allow packets with an invalid ACK:

hostname(config)# tcp-map tmap
hostname(config-tcp-map)# invalid-ack allow
hostname(config)# class-map cmap
hostname(config-cmap)# match any
hostname(config)# policy-map pmap
hostname(config-pmap)# class cmap
hostname(config-pmap)# set connection advanced-options tmap
hostname(config)# service-policy pmap global
hostname(config)#

Related Commands

Command                            Description

class-map                          Identifies traffic for a service policy.

policy-map                         Identifies actions to apply to traffic in a service policy.

set connection advanced-options    Enables TCP normalization.

service-policy                     Applies a service policy to interface(s).

show running-config tcp-map        Shows the TCP map configuration.

tcp-map                            Creates a TCP map and allows access to tcp-map configuration mode.


ip address

To set the IP address for an interface (in routed mode) or for the management address (transparent mode), use the ip address command. For routed mode, enter this command in interface configuration mode. In transparent mode, enter this command in global configuration mode. To remove the IP address, use the no form of this command. This command also sets the standby address for failover.

ip address ip_address [mask] [standby ip_address]

no ip address [ip_address]

Syntax Description

ip_address

The IP address for the interface (routed mode) or the management IP address (transparent mode).

mask

(Optional) The subnet mask for the IP address. If you do not set the mask, the security appliance uses the default mask for the IP address class.

standby ip_address

(Optional) The IP address for the standby unit for failover.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode               Firewall Mode              Security Context
                           Routed    Transparent      Single    Multiple
                                                                Context    System

Interface configuration

Global configuration


Command History

Release     Modification

7.0(1)      For routed mode, this command was changed from a global configuration command to an interface configuration mode command.


Usage Guidelines

In single context routed firewall mode, each interface address must be on a unique subnet. In multiple context mode, if this interface is shared between contexts, then each context's IP address on it must be unique but on the same subnet. If the interface is not shared, this IP address can be used by other contexts if desired.

A transparent firewall does not participate in IP routing. The only IP configuration required for the security appliance is to set the management IP address. This address is required because the security appliance uses this address as the source address for traffic originating on the security appliance, such as system messages or communications with AAA servers. You can also use this address for remote management access. This address must be on the same subnet as the upstream and downstream routers. For multiple context mode, set the management IP address within each context.

The standby IP address must be on the same subnet as the main IP address.
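
As an added example (not Cisco code), the following Python parses an ip address line in the syntax given above and enforces two of the stated rules: a missing mask falls back to the classful default, and the standby address must be on the same subnet as the main address. The classful prefix lengths (/8, /16, /24) are an assumption about what "default mask for the IP address class" means here.

```python
"""Added example, not Cisco code: parse 'ip address ip_address [mask]
[standby ip_address]' and check the subnet rules stated in the
reference.  Classful defaults (A /8, B /16, C /24) are assumed."""
import ipaddress


def classful_mask(addr: ipaddress.IPv4Address) -> int:
    """Default prefix length by IPv4 address class (assumed mapping)."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def parse_ip_address(line: str) -> dict:
    """Parse one 'ip address' line; raise ValueError if it breaks a rule."""
    tokens = line.split()
    if tokens[:2] != ["ip", "address"] or len(tokens) < 3:
        raise ValueError("expected: ip address ip_address [mask] [standby ip_address]")
    main = ipaddress.IPv4Address(tokens[2])
    rest = tokens[3:]
    if rest and rest[0] != "standby":
        # A dotted mask is accepted in the prefix position by ipaddress.
        prefixlen = ipaddress.IPv4Network(f"0.0.0.0/{rest[0]}").prefixlen
        rest = rest[1:]
    else:
        prefixlen = classful_mask(main)       # no mask given: classful default
    standby = None
    if rest:
        if rest[0] != "standby" or len(rest) != 2:
            raise ValueError("trailing tokens must be: standby ip_address")
        standby = ipaddress.IPv4Address(rest[1])
    net = ipaddress.IPv4Interface(f"{main}/{prefixlen}").network
    if standby is not None and standby not in net:
        raise ValueError(f"standby {standby} is not on subnet {net}")
    return {"address": str(main), "prefixlen": prefixlen, "network": str(net),
            "standby": None if standby is None else str(standby)}


# Constructed sample line in the syntax from the reference.
SAMPLE_LINE = "ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2"
```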

Examples

The following example sets the IP addresses and standby addresses of two interfaces:

hostname(config)# interface gigabitethernet0/2
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet0/3
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2
hostname(config-if)# no shutdown