-
Cisco Security Appliance Command Reference, Version 8.0
-
About This Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P though R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show ddns -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config ldap -- show running-config webvpn auto-signon
-
show service-policy -- show xlate
-
shun -- sysopt radius ignore-secret
-
- T through Z Commands
-
Table Of Contents
shun through sysopt radius ignore-secret Commands
smart-tunnel auto-signon enable
ssl certificate-authentication
sso-server value (group-policy webvpn)
sso-server value (username webvpn)
subject-name (crypto ca certificate map)
subject-name (crypto ca trustpoint)
svc profiles (group-policy or username attributes)
switchport trunk allowed vlans
sysopt connection preserve-vpn-flows
sysopt connection reclassify-vpn
shun through sysopt radius ignore-secret Commands
shun
To block connections from an attacking host, use the shun command in privileged EXEC mode. To disable a shun, use the no form of this command.
shun src_ip [dst_ip src_port dest_port [protocol]] [vlan vlan_id]
no shun src_ip [vlan vlan_id]
Syntax Description
Defaults
The default protocol is 0 (any protocol).
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
—
Command History
Usage Guidelines
The shun command lets you block connections from an attacking host. Packets matching the values in the command are dropped and logged until the blocking function is removed manually or by the Cisco IPS sensor. The blocking function of the shun command is applied whether or not a connection with the specified host address is currently active.
If you specify the destination address, source and destination ports, and the protocol, then you narrow the shun to connections that match those parameters.
You can only have one shun command per source IP address.
Because the shun command is used to block attacks dynamically, it is not displayed in the security appliance configuration.
Whenever an interface is removed, all shuns that are attached to that interface are also removed. If you add a new interface or replace the same interface (using the same name), then you must add that interface to the IPS sensor if you want the IPS sensor to monitor that interface.
Examples
The following example shows that the offending host (10.1.1.27) makes a connection with the victim (10.2.2.89) with TCP. The connection in the security appliance connection table reads as follows:
10.1.1.27, 555-> 10.2.2.89, 666 PROT TCPApply the shun command using the following options:
hostname# shun 10.1.1.27 10.2.2.89 555 666 tcpThe command deletes the connection from the security appliance connection table and also prevents packets from 10.1.1.27:555 to 10.2.2.89:666 (TCP) from going through the security appliance.
Related Commands
clear shun
Disables all the shuns that are currently enabled and clears the shun statistics.
show conn
Shows all active connections.
show shun
Displays the shun information.
Related Commands
shutdown
To disable an interface, use the shutdown command in interface configuration mode. To enable an interface, use the no form of this command.
shutdown
no shutdown
Syntax Description
This command has no arguments or keywords.
Defaults
All physical interfaces are shut down by default. Allocated interfaces in security contexts are not shut down in the configuration.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
•
Command History
7.0(1)
This command was moved from a keyword of the interface command to an interface configuration mode command.
Usage Guidelines
The default state of an interface depends on the type and the context mode.
In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.
In single mode or in the system execution space, interfaces have the following default states:
•
•
•
Examples\
The following example enables a main interface:
hostname(config)# interface gigabitethernet0/2hostname(config-if)# speed 1000hostname(config-if)# duplex fullhostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownThe following example enables a subinterface:
hostname(config)# interface gigabitethernet0/2.1hostname(config-subif)# vlan 101hostname(config-subif)# nameif dmz1hostname(config-subif)# security-level 50hostname(config-subif)# ip address 10.1.2.1 255.255.255.0hostname(config-subif)# no shutdownThe following example shuts down the subinterface:
hostname(config)# interface gigabitethernet0/2.1hostname(config-subif)# vlan 101hostname(config-subif)# nameif dmz1hostname(config-subif)# security-level 50hostname(config-subif)# ip address 10.1.2.1 255.255.255.0hostname(config-subif)# shutdownRelated Commands
clear xlate
Resets all translations for existing connections, causing the connections to be reset.
interface
Configures an interface and enters interface configuration mode.
shutdown (ca-server mode)
To disable the local Certificate Authority (CA) server and render the enrollment interface inaccessible to users, use the shutdown command in CA server configuration mode. To enable the CA server, lock down the configuration from changes, and to render the enrollment interface accessible, use the no form of this command.
[ no ] shutdown
Syntax Description
This command has no arguments or keywords.
Defaults
Initially, by default, the CA server is shut down.
Command Modes
The following table shows the modes in which you can enter the command:
CA server configuration
•
—
•
—
—
Command History
Usage Guidelines
This command in CA server mode is similar to the shutdown command in interface mode. At setup time, the local CA server is shutdown by default and must be enabled using the no shutdown command. When you use the no shutdown command for the first time, you enable the CA server and generate the CA server certificate and keypair.
Note
To enable the CA server and lock down the current configuration with the no shutdown command, a 7-character password is required to encode and archive a PKCS12 file containing the CA certificate and keypair that is to be generated. The file is stored to the storage identified by a previously specified database path command.
Examples
The following example disables the local CA server and renders the enrollment interface inaccessible:
hostname(config)# crypto ca serverhostname(config-ca-server)# shutdownhostname(config-ca-server)#The following example enables the local CA server and makes the enrollment interface accessible:
hostname(config)# crypto ca serverhostname(config-ca-server)# no shutdownhostname(config-ca-server)#hostname(config-ca-server)# no shutdown% Some server settings cannot be changed after CA certificate generation.% Please enter a passphrase to protect the private key% or type Return to exitPassword: caserverRe-enter password: caserverKeypair generation process begin. Please wait...hostname(config-ca-server)#Related Commands
sla monitor
To create an SLA operation, use the sla monitor command in global configuration mode. To remove the SLA operation, use the no form of this command.
sla monitor sla_id
no sla monitor sla_id
Syntax Description
sla_id
Specifies the ID of the SLA being configured. If the SLA does not already exist, it is created. Valid values are from 1 to 2147483647.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The sla monitor command creates SLA operations and enters SLA Monitor configuration mode. Once you enter this command, the command prompt changes to hostname(config-sla-monitor)# to indicate that you are in SLA Monitor configuration mode. If the SLA operation already exists, and a type has already been defined for it, then the prompt appears as hostname(config-sla-monitor-echo)#. You can create a maximum of 2000 SLA operations. Only 32 SLA operations may be debugged at any time.
The no sla monitor command removes the specified SLA operation and the commands used to configure that operation.
After you configure an SLA operation, you must schedule the operation with the sla monitor schedule command. You cannot modify the configuration of the SLA operation after scheduling it. To modify the the configuration of a scheduled SLA operation, you must use the no sla monitor command to remove the selected SLA operation completely. Removing an SLA operation also removes the associated sla monitor schedule command. Then you can reenter the SLA operation configuration.
To display the current configuration settings of the operation, use the show sla monitor configuration command. To display operational statistics of the SLA operation, use the show sla monitor operation-state command. To see the SLA commands in the configuration, use the show running-config sla monitor command.
Examples
The following example configures an SLA operation with an ID of 123 and creates a tracking entry with the ID of 1 to track the reachability of the SLA:
hostname(config)# sla monitor 123hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outsidehostname(config-sla-monitor-echo)# timeout 1000hostname(config-sla-monitor-echo)# frequency 3hostname(config)# sla monitor schedule 123 life forever start-time nowhostname(config)# track 1 rtr 123 reachabilityRelated Commands
sla monitor schedule
To schedule an SLA operation, use the sla monitor schedule command in global configuration mode. To remove SLA operation schedule, and place the operation in the pending state, use the no form of this command.
sla monitor schedule sla-id [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]
no sla monitor schedule sla-id
Syntax Description
Defaults
The defaults are as follows:
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
When an SLA operation is in an active state, it immediately begins collecting information. The following time line shows the age-out process of the operation:
W----------------------X----------------------Y----------------------Z•
•
•
•
The age out process, if used, starts counting down at W, is suspended between X and Y, and is reset to its configured size are starts counting down again at Y. When an SLA operation ages out, the SLA operation configuration is removed from the running configuration. It is possible for the operation to age out before it executes (that is, Z can occur before X). To ensure that this does not happen, the difference between the operation configuration time and start time (X and W) must be less than the age-out seconds.
The recurring keyword is only supported for scheduling single SLA operations. You cannot schedule multiple SLA operations using a single sla monitor schedule command. The life value for a recurring SLA operation should be less than one day. The ageout value for a recurring operation must be "never" (which is specified with the value 0), or the sum of the life and ageout values must be more than one day. If the recurring option is not specified, the operations are started in the existing normal scheduling mode.
You cannot modify the configuration of the SLA operation after scheduling it. To modify the configuration of a scheduled SLA operation, you must use the no sla monitor command to remove the selected SLA operation completely. Removing an SLA operation also removes the associated sla monitor schedule command. Then you can reenter the SLA operation configuration.
Examples
The following example shows SLA operation 25 scheduled to begin actively collecting data at 3:00 p.m. on April 5. This operation will age out after 12 hours of inactivity. When this SLA operation ages out, all configuration information for the SLA operation is removed from the running configuration.
hostname(config)# sla monitor schedule 25 life 43200 start-time 15:00 apr 5 ageout 43200The following example shows SLA operation 1 schedule to begin collecting data after a 5-minute delay. The default life of one hour applies.
hostname(config)# sla monitor schedule 1 start after 00:05:00The following example shows SLA operation 3 scheduled to begin collecting data immediately and is scheduled to run indefinitely:
hostname(config)# sla monitor schedule 3 life forever start-time nowThe following example shows SLA operation 15 scheduled to begin automatically collecting data every day at 1:30 a.m.:
hostname(config)# sla monitor schedule 15 start-time 01:30:00 recurringRelated Commands
show sla monitor configuration
Displays the SLA configuration settings.
sla monitor
Defines an SLA monitoring operation.
smart-tunnel auto-signon enable
To enable smart tunnel auto sign-on in clientless (browser-based) SSL VPN sessions, use the smart-tunnel auto-signon enable command in group-policy webvpn configuration mode or username webvpn configuration mode.
[no] smart-tunnel auto-signon enable list [domain domain]
To remove the smart-tunnel auto-signon enable command from the group policy or username and inherit it from the default group-policy, use the no form of the command.
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
group-policy webvpn configuration mode
•
—
•
—
—
username webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
The smart-tunnel auto sign-on feature supports only applications communicating HTTP and HTTPS using the Microsoft WININET library. For example, Microsoft Internet Explorer uses the WININET dynamic linked library to communicate with web servers.
You must use the smart-tunnel auto-signon list command to create a list of servers first. You can assign only one list to a group policy or username.
Examples
The following commands enable the smart tunnel auto sign-on list named HR:
hostname(config-group-policy)# webvpnhostname(config-group-webvpn)# smart-tunnel auto-signon enable HRhostname(config-group-webvpn)The following command enables the smart tunnel auto sign-on list named HR and adds the domain named CISCO to the username during authentication:
hostname(config-group-webvpn)# smart-tunnel auto-signon enable HR domain CISCOThe following command removes the smart tunnel auto sign-on list named HR from the group policy and inherits the smart tunnel auto sign-on list command from the default group policy:
hostname(config-group-webvpn)# no smart-tunnel auto-signon enable HRRelated Command
s
smart-tunnel auto-signon list
To create a list of servers for which to automate the submission of credentials in smart tunnel connections, use the smart-tunnel auto-signon list command in webvpn configuration mode.
[no] smart-tunnel auto-signon list [use-domain] {ip ip-address [netmask] | host hostname-mask}
Use this command for each server you want to add to a list. To remove an entry from a list, use the no form of the command, specifying both the list and the IP address or hostname, as it appears in the security appliance configuration. To display the smart tunnel auto sign-on list entries, enter the show running-config webvpn smart-tunnel command in privileged EXEC mode.
To remove an entire list of servers from the security appliance configuration, use the no form of the command, specifying only the list.
no smart-tunnel auto-signon list
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
The smart-tunnel auto sign-on feature supports only applications communicating HTTP and HTTPS using the Microsoft WININET library. For example, Microsoft Internet Explorer uses the WININET dynamic linked library to communicate with web servers.
Following the population of a smart tunnel auto sign-on list, use the smart-tunnel auto-signon enable list command in group policy webvpn or username webvpn mode to assign the list.
Examples
The following command adds all hosts in the subnet and adds the Windows domain to the username if authentication requires it:
asa2(config-webvpn)# smart-tunnel auto-signon HR use-domain ip 192.32.22.56 255.255.255.0The following command removes that entry from the list:
asa2(config-webvpn)# no smart-tunnel auto-signon HR use-domain ip 192.32.22.56 255.255.255.0The command shown above also removes the list named HR if the entry removed is the only entry in the list. Otherwise, the following command removes the entire list from the security appliance configuration:
asa2(config-webvpn)# no smart-tunnel auto-signon HRThe following command adds all hosts in the domain to the smart tunnel auto sign-on list named intranet:
asa2(config-webvpn)# smart-tunnel auto-signon intranet host *.exampledomain.comThe following command removes that entry from the list:
asa2(config-webvpn)# no smart-tunnel auto-signon intranet host *.exampledomain.comRelated Command
s
smart-tunnel auto-start
To start smart tunnel access automatically upon user login in a clientless (browser-based) SSL VPN session, use the smart-tunnel auto-start command in group-policy webvpn configuration mode or username webvpn configuration mode.
smart-tunnel auto-start list
To remove the smart-tunnel command from the group policy or username and inherit the [no] smart-tunnel command from the default group-policy, use the no form of the command.
no smart-tunnel
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
group-policy webvpn configuration mode
•
—
•
—
—
username webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
This command requires that you use the smart-tunnel list command to create the list of applications first.
Examples
The following commands start smart tunnel access for a list of applications named apps1:
hostname(config-group-policy)# webvpnhostname(config-group-webvpn)# smart-tunnel auto-start apps1hostname(config-group-webvpn)The following commands remove the list named apps1 from the group policy and inherit the smart tunnel commands from the default group policy:
hostname(config-group-policy)# webvpnhostname(config-group-webvpn)# no smart-tunnelhostname(config-group-webvpn)Related Command
s
smart-tunnel disable
To prevent smart tunnel access through clientless (browser-based) SSL VPN sessions, use the smart-tunnel disable command in group-policy webvpn configuration mode or username webvpn configuration mode.
smart-tunnel disable
To remove a smart-tunnel command from the group policy or username and inherit the [no] smart-tunnel command from the default group-policy, use the no form of the command.
no smart-tunnel
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
group-policy webvpn configuration mode
•
—
•
—
—
username webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
By default, smart tunnels are not enabled, so the smart-tunnel disable command is necessary only if the (default) group policy or username configuration contains a smart-tunnel auto-start or smart-tunnel enable command that you do not want applied for the group policy or username in question.
Examples
The following commands prevent smart tunnel access:
hostname(config-group-policy)# webvpnhostname(config-group-webvpn)# smart-tunnel disablehostname(config-group-webvpn)Related Command
s
smart-tunnel enable
To enable smart tunnel access through clientless (browser-based) SSL VPN sessions, use the smart-tunnel enable command in group-policy webvpn configuration mode or username webvpn configuration mode.
smart-tunnel enable list
To remove the smart-tunnel command from the group policy or username and inherit the [no] smart-tunnel command from the default group-policy, use the no form of the command.
no smart-tunnel
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
group-policy webvpn configuration mode
•
—
•
—
—
username webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
The smart-tunnel enable command assigns a list of applications eligible for smart tunnel access to a group policy or username. It requires the user to start smart tunnel access manually, using the Application Access > Start Smart Tunnels button on the clientless-SSL-VPN portal page. Alternatively, you can use the smart-tunnel auto-start command to start smart tunnel access automatically upon user login.
Both commands require that you use the smart-tunnel list command to create the list of applications first.
Examples
The following commands enable the smart tunnel list named apps1:
hostname(config-group-policy)# webvpnhostname(config-group-webvpn)# smart-tunnel enable apps1hostname(config-group-webvpn)The following commands remove the list named apps1 from the group policy and inherit the smart tunnel list from the default group policy:
hostname(config-group-policy)# webvpnhostname(config-group-webvpn)# no smart-tunnelhostname(config-group-webvpn)Related Command
